Re: DNSSEC will eventually generate Identical Key ID's

2018-09-12 Thread Warren Kumari
On Mon, Sep 10, 2018 at 4:45 AM Ray Bellis wrote:

> On 09/09/2018 18:51, Mark Elkins wrote:
> > Just for the record, although I do look from a curiosity point of view
> > for Identical Key ID's once every few months - I've never seen them -
> > until now.
> >
> > Now I have them - generated by BIND within a few days of each other...
> >
> > I've been running DNSSEC for 7 years and have around 400 DNSSEC keys for
> > 133 signed Domains.
> > I'm a smallish Registrar for ZA domains.
> >
> > Never assume a KeyID is unique.  :-)
>
> It's inevitable that they won't be.
>
> With only a 16 bit key tag space (and in 2016 Roy Arends discovered that
> the effective space is only 15 bits) then due to the birthday collision
> paradox you only need of the order of sqrt(32k) different keys to get a
> 50% chance of a collision.
>
>
This reminds me of some interesting (well, interesting to me :-)) related
research Ben Laurie and I did around that time -- while looking at the
distribution of generated keys I noticed that OpenSSL / GnuTLS generate a
different distribution than e.g. mbedTLS.
OpenSSL / GnuTLS optimize the generation of primes by setting the least
significant bits (fair, they have to be odd to be primes :-)) but also
clear the most significant bits of both P and Q (to ensure that the product
of P & Q does not overflow) -- this results in a key with fewer bits of
"security" than most would expect...

W





> Ray
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
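Ray's birthday-bound arithmetic and Mark's warning ("never assume a KeyID is unique"), worked through in code. This is an added example, not code from the thread or from BIND: the key tag computation follows RFC 4034 Appendix B, the 2^15 tag space is Ray's effective-space figure, and the three DNSKEY RDATA values are constructed with toy 4-byte public keys (not real keys) solely so that two distinct keys sharing a tag can be shown.

```python
def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA
    (flags, protocol, algorithm, public key); valid for every algorithm except 1."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # alternate high and low byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Assemble DNSKEY RDATA in wire order: flags(2) protocol(1) algorithm(1) key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def find_duplicate_tags(rdatas) -> dict:
    """Return {tag: count} for every key tag shared by more than one distinct key
    in a DNSKEY RRset; an empty dict means all tags are unique."""
    counts = {}
    for rdata in set(rdatas):             # identical RDATA is one key, not two
        tag = key_tag(rdata)
        counts[tag] = counts.get(tag, 0) + 1
    return {tag: n for tag, n in counts.items() if n > 1}


def collision_probability(n_keys: int, space: int = 2 ** 15) -> float:
    """Exact birthday probability that at least two of n_keys keys share a tag
    when tags are uniform over `space` values (Ray's effective 15-bit space)."""
    p_distinct = 1.0
    for k in range(n_keys):
        p_distinct *= (space - k) / space
    return 1.0 - p_distinct


def keys_for_half(space: int = 2 ** 15) -> int:
    """Smallest number of keys that gives a >= 50% chance of a collision."""
    n = 1
    while collision_probability(n, space) < 0.5:
        n += 1
    return n


# Constructed sample RRset (toy 4-byte "public keys", not real keys):
# KEY_A and KEY_B differ but produce the same tag; KEY_C has a ZSK flag instead.
KEY_A = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")
KEY_B = dnskey_rdata(257, 8, b"\x00\x02\x04\x04")
KEY_C = dnskey_rdata(256, 8, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    for name, rdata in (("KEY_A", KEY_A), ("KEY_B", KEY_B), ("KEY_C", KEY_C)):
        print(name, "key tag", key_tag(rdata))
    print("shared tags:", find_duplicate_tags([KEY_A, KEY_B, KEY_C]))
    print("P(collision) with 400 keys: %.3f" % collision_probability(400))
    print("keys for a 50%% chance: %d" % keys_for_half())
```

`find_duplicate_tags` is the check an operator can run over a zone's DNSKEY RRset before a rollover: a shared tag does not break signing, but validators then have to try every key with that tag for each RRSIG, and any tooling that identifies keys by tag alone will confuse the two. The 50% point that `keys_for_half` reports is a little above sqrt(32768) ≈ 181, consistent with Ray's "of the order of".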


Re: Error parsing file

2018-09-12 Thread BARAJAS BERMEJO, Sergio
Hi,

It's solved!! Thanks.




From: Anand Buddhdev
Sent: Wednesday, 12 September 2018 21:42
To: BARAJAS BERMEJO, Sergio; bind-users@lists.isc.org
Subject: Re: Error parsing file

On 12/09/2018 20:22, BARAJAS BERMEJO, Sergio wrote:

Hi Sergio,

> $TTL2d
> @   IN  SOA sergiobarajas (
>  17 ; Serial
>  604800 ; Refresh
>   86400 ; Retry
> 2419200 ; Expire
>   86400 )   ; Negative Cache TTL

Your SOA record is incomplete. The SOA record's RDATA section needs 7
elements, the first two of which are the MNAME (master name server) and
RNAME (responsible person). Your SOA record only has one of those
elements, "sergiobarajas".


Re: Error parsing file

2018-09-12 Thread BARAJAS BERMEJO, Sergio
I'm sorry,

The data that I have posted is not real.

It is an example; I can't suppose that hosting.com is a real domain.

I promise you that I will be more careful.



From: Rob Foehl
Sent: Wednesday, 12 September 2018 22:07
To: BARAJAS BERMEJO, Sergio
Subject: Re: Error parsing file

On Wed, 12 Sep 2018, BARAJAS BERMEJO, Sergio wrote:

> IN  NS  ns1.hosting.com.
> IN  NS  ns2.hosting.com.

I'm the operator of the infrastructure that happens to have these names,
and I'd appreciate it if you would stop posting a bunch of invalid noise
about them on a public list.

The example.com namespace exists for a reason.

-Rob


Re: Error parsing file

2018-09-12 Thread Anand Buddhdev
On 12/09/2018 20:22, BARAJAS BERMEJO, Sergio wrote:

Hi Sergio,

> $TTL2d
> @   IN  SOA sergiobarajas (
>  17 ; Serial
>  604800 ; Refresh
>   86400 ; Retry
> 2419200 ; Expire
>   86400 )   ; Negative Cache TTL

Your SOA record is incomplete. The SOA record's RDATA section needs 7
elements, the first two of which are the MNAME (master name server) and
RNAME (responsible person). Your SOA record only has one of those
elements, "sergiobarajas".


Re: Issues configuring delegated subdomain zone

2018-09-12 Thread BARAJAS BERMEJO, Sergio
Thanks, this is solved. Now I have another problem.

I will send a new message.





From: Bob Harold
Sent: Wednesday, 12 September 2018 16:47
To: BARAJAS BERMEJO, Sergio
Cc: bind-users@lists.isc.org
Subject: Re: Issues configuring delegated subdomain zone


On Wed, Sep 12, 2018 at 5:49 AM BARAJAS BERMEJO, Sergio <sergio.bara...@econocom.com> wrote:
Hello,
I have an issue configuring delegated subdomain zone from one NS to another one.
For security reasons I will obviously not put real domain data (I imagine you 
will understand).

Let's suppose that the delegated subdomain is: 
midominio.principal.hosting.com
If we make a "dig" query, putting the hosting server's NS as the domain name 
server:

dig @ns1.hosting.com midominio.principal.hosting.com

; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.hosting.com midominio.principal.hosting.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40831
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;midominio.principal.hosting.com. IN A

;; AUTHORITY SECTION:
midominio.principal.hosting.com. 125 IN NS sb2.principal.hosting.com.
midominio.principal.hosting.com. 125 IN NS sb1.principal.hosting.com.

;; ADDITIONAL SECTION:
sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53

;; Query time: 12 msec
;; SERVER: 31.193.224.20#53(31.193.224.20)
;; WHEN: Wed Sep 12 08:09:36 CEST 2018
;; MSG SIZE rcvd: 133

From which we deduce several things:

  1.  That in the zone principal.hosting.com of the main server of the hosting
      there are created two registers of type A:
      sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
      sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53
  2.  That the authorized DNS servers on the subdomain
      midominio.principal.hosting.com are:
      sb1.principal.hosting.com and sb2.principal.hosting.com

Having said that, in my vps I have defined the following:

; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;

$TTL 86400
@ IN SOA sb1. sb2. mail. (

The first field after "SOA" is the *ONE* master server for the domain.  You
cannot list two.  Should be:
@ IN SOA sb1. mail. (

--
Bob Harold

10 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
; RECORDS
NS sb1.principal.hosting.com.
NS sb2.principal.hosting.com.
IN MX 10 mail.midominio.principal.hosting.com.
sb1 IN A xxx.xxx.xxx.52
sb2 IN A xxx.xxx.xxx.53
www IN A xxx.xxx.xxx.53
mail IN A xxx.xxx.xxx.53
webmail IN CNAME mail
* IN A xxx.xxx.xxx.53


However I cannot get it to resolve, for example,
www.midominio.principal.hosting.com. What am I doing wrong?
Thank you very much in advance
Thank you very much in advance



Re: Upgrade help with Bind 9.12

2018-09-12 Thread Matus UHLAR - fantomas

On 12.09.18 13:01, Spears, Luke wrote:

I'm not sure how to go about requesting this, but I am looking for information
on upgrading from BIND 9.8 to 9.11 or 12, depending on whether it's ESV or not.
We are running Ubuntu 14.04.


If you use Ubuntu *-LTS, you should be safe with the version in Ubuntu.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Honk if you love peace and quiet. 


Re: Issues configuring delegated subdomain zone

2018-09-12 Thread Bob Harold
On Wed, Sep 12, 2018 at 5:49 AM BARAJAS BERMEJO, Sergio <sergio.bara...@econocom.com> wrote:

> Hello,
> I have an issue configuring delegated subdomain zone from one NS to
> another one.
> For security reasons I will obviously not put real domain data (I imagine
> you will understand).
>
> Let's suppose that the delegated subdomain is:
> midominio.principal.hosting.com
> If we make a "dig" query, putting the hosting server's NS as the domain
> name server:
>
> dig @ns1.hosting.com midominio.principal.hosting.com
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.hosting.com midominio.principal.hosting.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40831
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;midominio.principal.hosting.com. IN A
>
> ;; AUTHORITY SECTION:
> midominio.principal.hosting.com. 125 IN NS sb2.principal.hosting.com.
> midominio.principal.hosting.com. 125 IN NS sb1.principal.hosting.com.
>
> ;; ADDITIONAL SECTION:
> sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
> sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53
>
> ;; Query time: 12 msec
> ;; SERVER: 31.193.224.20#53(31.193.224.20)
> ;; WHEN: Wed Sep 12 08:09:36 CEST 2018
> ;; MSG SIZE rcvd: 133
>
> From which we deduce several things:
>
>   1.  That in the zone principal.hosting.com of the main server of the
>       hosting there are created two registers of type A:
>       sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
>       sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53
>   2.  That the authorized DNS servers on the subdomain
>       midominio.principal.hosting.com are:
>       sb1.principal.hosting.com and sb2.principal.hosting.com
>
> Having said that, in my vps I have defined the following:
>
> ; BIND reverse data file for empty rfc1918 zone
> ;
> ; DO NOT EDIT THIS FILE - it is used for multiple zones.
> ; Instead, copy it, edit named.conf, and use that copy.
> ;
>
> $TTL 86400
> @ IN SOA sb1. sb2. mail. (
>

The first field after "SOA" is the *ONE* master server for the domain.
You cannot list two.  Should be:
@ IN SOA sb1. mail. (

-- 
Bob Harold


>
> 10 ; Serial
> 604800 ; Refresh
> 86400 ; Retry
> 2419200 ; Expire
> 86400 ) ; Negative Cache TTL
> ; RECORDS
> NS sb1.principal.hosting.com.
> NS sb2.principal.hosting.com.
> IN MX 10 mail.midominio.principal.hosting.com.
> sb1 IN A xxx.xxx.xxx.52
> sb2 IN A xxx.xxx.xxx.53
> www IN A xxx.xxx.xxx.53
> mail IN A xxx.xxx.xxx.53
> webmail IN CNAME mail
> * IN A xxx.xxx.xxx.53
>
> However I cannot get it to resolve, for example,
> www.midominio.principal.hosting.com. What am I doing wrong?
> Thank you very much in advance
>
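The two SOA mistakes in this thread (Anand's point that the RDATA needs seven fields with MNAME and RNAME first, and Bob's point that only one master name may precede the RNAME) are both a field-count error, so here is a small checker that counts them before BIND has to. This is an added example, not code from the thread or from BIND; the three zone snippets are constructed from the ones posted above, and the tokenizer only handles the multi-line "( ... )" SOA form and ";" comments, not full master-file syntax.

```python
import re

SOA_FIELDS = ("MNAME", "RNAME", "SERIAL", "REFRESH", "RETRY", "EXPIRE", "MINIMUM")
_TOKEN = re.compile(r"\(|\)|[^\s()]+")          # parens may be glued to a token
_TIME = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)  # BIND accepts 1w, 2d, ...


def extract_soa_rdata(zone_text: str) -> list:
    """Collect the RDATA tokens of the first SOA record in a zone-file snippet,
    following the record across lines while inside '( ... )'."""
    tokens, in_soa, depth = [], False, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]              # drop a trailing comment
        if not in_soa:
            m = re.search(r"\bSOA\b", line)
            if not m:
                continue
            in_soa = True
            line = line[m.end():]                # keep only what follows 'SOA'
        for tok in _TOKEN.findall(line):
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                tokens.append(tok)
        if depth == 0:                           # record is complete on this line
            break
    return tokens


def check_soa(zone_text: str):
    """Return (True, parsed fields) or (False, reason) for the first SOA record."""
    tokens = extract_soa_rdata(zone_text)
    if not tokens:
        return False, "no SOA record found"
    if len(tokens) != 7:
        return False, (f"SOA RDATA has {len(tokens)} fields, expected 7 "
                       f"({', '.join(SOA_FIELDS)}): {tokens}")
    soa = dict(zip(SOA_FIELDS, tokens))
    for name in SOA_FIELDS[2:]:
        value = soa[name]
        valid = value.isdigit() if name == "SERIAL" else bool(_TIME.match(value))
        if not valid:
            return False, f"{name} must be numeric, got {value!r}"
    soa["SERIAL"] = int(soa["SERIAL"])
    return True, soa


# Constructed from the snippets in the thread: one name too few (Sergio's first
# file), one name too many (two masters), and the form Bob recommended.
SERGIO_ZONE = """\
$TTL 2d
@   IN  SOA sergiobarajas (
        17      ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        86400 ) ; Negative Cache TTL
"""
BOB_ZONE = """\
$TTL 86400
@ IN SOA sb1. sb2. mail. (
        10      ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        86400 ) ; Negative Cache TTL
"""
GOOD_ZONE = """\
$TTL 86400
@ IN SOA sb1. mail. (
        10      ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        86400 ) ; Negative Cache TTL
"""

if __name__ == "__main__":
    for label, text in (("sergio", SERGIO_ZONE), ("two masters", BOB_ZONE), ("fixed", GOOD_ZONE)):
        print(label, "->", check_soa(text))
```

The checker reports "6 fields" for the first file and "8 fields" for the second; the seven-field count is the invariant, and which name is missing or surplus is then obvious from the token list it prints.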


Upgrade help with Bind 9.12

2018-09-12 Thread Spears, Luke
I'm not sure how to go about requesting this, but I am looking for information
on upgrading from BIND 9.8 to 9.11 or 12, depending on whether it's ESV or not.
We are running Ubuntu 14.04.



Issues configuring delegated subdomain zone

2018-09-12 Thread BARAJAS BERMEJO, Sergio
Hello,
I have an issue configuring delegated subdomain zone from one NS to another one.
For security reasons I will obviously not put real domain data (I imagine you 
will understand).

Let's suppose that the delegated subdomain is: midominio.principal.hosting.com
If we make a "dig" query, putting the hosting server's NS as the domain name 
server:

dig @ns1.hosting.com midominio.principal.hosting.com

; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.hosting.com 
midominio.principal.hosting.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40831
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;midominio.principal.hosting.com. IN A

;; AUTHORITY SECTION:
midominio.principal.hosting.com. 125 IN NS sb2.principal.hosting.com.
midominio.principal.hosting.com. 125 IN NS sb1.principal.hosting.com.

;; ADDITIONAL SECTION:
sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53

;; Query time: 12 msec
;; SERVER: 31.193.224.20#53(31.193.224.20)
;; WHEN: Wed Sep 12 08:09:36 CEST 2018
;; MSG SIZE rcvd: 133

From which we deduce several things:

  1.  That in the zone principal.hosting.com of the main server of the hosting
      there are created two registers of type A:
      sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
      sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53
  2.  That the authorized DNS servers on the subdomain
      midominio.principal.hosting.com are:
      sb1.principal.hosting.com and sb2.principal.hosting.com

Having said that, in my vps I have defined the following:

; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;

$TTL 86400
@ IN SOA sb1. sb2. mail. (
10 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
; RECORDS
NS sb1.principal.hosting.com.
NS sb2.principal.hosting.com.
IN MX 10 mail.midominio.principal.hosting.com.
sb1 IN A xxx.xxx.xxx.52
sb2 IN A xxx.xxx.xxx.53
www IN A xxx.xxx.xxx.53
mail IN A xxx.xxx.xxx.53
webmail IN CNAME mail
* IN A xxx.xxx.xxx.53


However I cannot get it to resolve, for example,
www.midominio.principal.hosting.com. What am I doing wrong?
Thank you very much in advance


Re: DNSSEC and secondary DNS servers

2018-09-12 Thread @lbutlr
On 9 Sep 2018, at 14:58, Mark Elkins wrote:
> Umm... this initially looks great but something is seriously strange. The 
> first numerical value after DS should be the Key ID (or Key Tag). I really 
> doubt that you would (randomly) create two different DNSKEY records with 
> sequential Key-ID's (Tags) starting from "1"... it's usually a relatively 
> random value between 1 and 2^16

Yes, that was a mistake in the configuration.

> Also as an aside - many people are no longer putting the SHA-1 Digest type DS 
> record in their parent, just the longer (more secure?) SHA-256 (Digest Type 
> 2) record.

Thanks, I'll keep that in mind.

> As the root uses Algorithm 8 - many people also use algorithm 8 - you are 
> using algorithm 7. Algorithm roll-overs are a pain so if you can - move 
> straight to 8.


And that.

> I also cannot detect a DNSKEY in your zone?
> dig covisp.net dnskey +cd
> ...gives your SOA.
> Without the "+cd" (ignore any DNSSEC validation) - I get a SERVFAIL.

Yes, I was in the midst of futzing with things at the time.

> Adding DS records into your parent should be the last part of the process in 
> securing your Zone with DNSSEC.

I've pulled the DNSSEC entirely for right now as there is still some research I 
need to do (things like renewal, automating the process for other domains, etc).

-- 
"I've had a perfectly wonderful evening. But this wasn't it." - Groucho
Marx

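Mark's review of the DS records (a key tag that is effectively random rather than sequential, the SHA-256 digest type 2 rather than SHA-1, and algorithm 8 like the root) can be checked in code on the zone owner's side before anything is published to the parent. This is an added example, not code from the thread or from BIND: the DS digest and key tag follow RFC 4034 (section 5.1.4 and Appendix B), `review_ds` encodes only the two pieces of advice quoted in the thread, and the DNSKEY is constructed from a made-up 20-byte public key under example.net, so the tag and digest it prints belong to no real zone.

```python
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    each label length-prefixed, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest field: hash over owner-name wire form followed by DNSKEY RDATA."""
    data = name_to_wire(owner) + rdata
    if digest_type == 1:
        return hashlib.sha1(data).hexdigest().upper()
    if digest_type == 2:
        return hashlib.sha256(data).hexdigest().upper()
    raise ValueError(f"unsupported digest type {digest_type}")


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """Build the DS record the parent would publish for this DNSKEY."""
    return {
        "owner": owner,
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],              # DNSKEY RDATA byte 3 is the algorithm
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def format_ds(ds: dict) -> str:
    return (f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """What a validator checks before trusting a DNSKEY through the parent's DS:
    key tag, algorithm and digest must all agree."""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


def review_ds(ds: dict) -> list:
    """Advisories limited to the thread's advice: algorithm 8 (as the root uses)
    and the SHA-256 digest type 2 in preference to SHA-1 type 1."""
    notes = []
    if ds["algorithm"] != 8:
        notes.append(f"algorithm {ds['algorithm']} in use; the root uses 8 and an "
                     "algorithm roll-over later is painful, so start on 8 if you can")
    if ds["digest_type"] == 1:
        notes.append("digest type 1 (SHA-1); publish the SHA-256 (type 2) DS instead")
    return notes


# Constructed sample: flags 257 (KSK), protocol 3, algorithm 7, and a made-up
# 20-byte "public key" -- not a real key, just enough to exercise the functions.
SAMPLE_OWNER = "example.net."
SAMPLE_DNSKEY = (257).to_bytes(2, "big") + bytes([3, 7]) + bytes(range(20))

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(format_ds(ds))
    print("DS matches DNSKEY:", ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_DNSKEY))
    for note in review_ds(ds):
        print("note:", note)
```

Running `ds_matches_dnskey` against the DNSKEY actually served by the zone is the check to do before the DS goes into the parent; with the sample key it is the algorithm-7 note from `review_ds` that would have flagged the configuration discussed in the thread.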