RE: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Stephan Lagerholm
Hi Roberto,

You are correct in that the DNS Flag day tester at https://dnsflagday.net/
is reporting the closed TCP port as a serious problem. Given that the TCP
port is closed, obviously the EDNS test over TCP fails too and the error
given by the site would be something like: edns512tcp=timeout

To be RFC compliant you should have both UDP and TCP. Timeouts over UDP
can happen due to natural causes and it is good to give a resolver the
opportunity to fall back to TCP if needed, even if you never expect your
server to respond with the Truncate bit set. But I would say the flag day
site is a little bit misleading, since the question of whether TCP should
be open or not is somewhat of an orthogonal problem to EDNS compliance.

Hope this helps explain the error you are seeing.

Stephan






On Mon, 4 Feb 2019, Salih CIRGAN wrote:


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: incorrect section name: $ORIGIN

2019-02-04 Thread Alan Clegg
On 2/4/19 9:47 AM, Alan Clegg wrote:
> On 2/4/19 7:03 AM, @lbutlr wrote:
> 
>> # nsupdate -d -v -l example.com
>> Creating key...
>> namefromtext
>> keycreate
>> incorrect section name: $ORIGIN
> 
> I'd recommend that you use nsupdate in interactive mode first.


The point of this which I had forgotten by the time I got done with the
examples was:

The file that you pass in to `nsupdate` contains the "update add" and "update
delete" commands that I gave samples of in the previous mail.

Also, you probably don't want/need the "-v" command line option on nsupdate.

AlanC


Re: incorrect section name: $ORIGIN

2019-02-04 Thread Alan Clegg
On 2/4/19 7:03 AM, @lbutlr wrote:

> # nsupdate -d -v -l example.com
> Creating key...
> namefromtext
> keycreate
> incorrect section name: $ORIGIN

I'd recommend that you use nsupdate in interactive mode first.

--SNIP--
root@svlg-gateway:/etc/namedb# nsupdate -l
> update add funnyrecord.boat 3600 in a 1.1.1.1
> send
> quit
--SNIP--

Here, I've added an A record "funnyrecord.boat" to the local nameserver.
It was accepted (no error message) and the record was signed:

--SNIP--
root@svlg-gateway:/etc/namedb# dig funnyrecord.boat +dnssec

; <<>> DiG 9.13.5 <<>> funnyrecord.boat +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35274
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 840786d22b259dd36f9300b85c584de5adea6d3ab34b6fde (good)
;; QUESTION SECTION:
;funnyrecord.boat.  IN  A

;; ANSWER SECTION:
funnyrecord.boat.   3600    IN  A       1.1.1.1
funnyrecord.boat.   3600    IN  RRSIG   A 8 2 3600 20190306143508 
20190204133508
27363 boat. ULJiOVWd3jordtZZnp/1wUZul8Y6xLcEu0kh8mtCDFXGG2QlsKdyeZxb
dO54X241NOJRN6dI2RKH05DtErlhFHjLpnrus4BahuZKbWeuOXApCZ4r
+XPqManyq+3hyEFCJ8QM1fHSBbuDIyz7nKjr+T+xh/8pUowqNgMoBx+Y 08c=

;; Query time: 1 msec
;; SERVER: 44.127.8.1#53(44.127.8.1)
;; WHEN: Mon Feb 04 14:36:21 UTC 2019
;; MSG SIZE  rcvd: 253
--SNIP--

I can also remove records:

--SNIP--
root@svlg-gateway:/etc/namedb# nsupdate -l
> update delete funnyrecord.boat
> send
> quit
root@svlg-gateway:/etc/namedb# dig funnyrecord.boat +dnssec

; <<>> DiG 9.13.5 <<>> funnyrecord.boat +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16202
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 044b781a89250d108be3c3345c584e25b636b5386f74056a (good)
;; QUESTION SECTION:
;funnyrecord.boat.  IN  A

;; AUTHORITY SECTION:
boat.   300 IN  SOA admin. ns1.boat. 169 3600 600 
86400 300
boat.   300 IN  RRSIG   SOA 8 1 8600 20190306143720 
20190204133720 27363
boat. rx9ZfD6u9O5Hz1+1KkUnr0kqq8k45ljYmTQj1kFb6xQ7HFG13XkMkzbl
DDzjAoO1BIymYm8S1Kxq5lMXPNvAnPEChlhRW6xWVnWg4UyWnkzkzRCc
hME2NdE4WxSDZ3MMAnEELk29whmYcPIKVQJPgYjtHFJ7KS23PgoWb0qp ciA=
boat.   300 IN  NSEC    alans-time-capsule.boat. NS SOA 
RRSIG NSEC DNSKEY
TYPE65534
boat.   300 IN  RRSIG   NSEC 8 1 300 20190222045229 
20190123035229 27363
boat. AevHxXgaJkotnUTv1jUJnBigUjkUO4gcI/V5AieuCR4cBdxMiRYa1WYS
pI+qPQcAzgTf7p/0RCXq45CVrjiXCoh/eEaQgxlqASSCTabCgVE9i0Dw
eVgE6NDXe4gtu3GEjhecCj3x3Xd2q6DEWYYQNJkg6fjjZr8xYCsjdYhw V88=
canboat.boat.   300 IN  NSEC    Google-Home-Mini.boat. A TXT 
RRSIG NSEC
canboat.boat.   300 IN  RRSIG   NSEC 8 2 300 20190306143720 
20190204133720
27363 boat. RGLL6h/nX4/MMt+b2w9BA8LAg3R+5oXn73KG6DAKP57Q1Ak+NyFBYeil
4Pkz5w7qgA4k4nRrriTJ0kmckTlaODfx1KWZEOR33nqctK37lOIaenmx
Rd7d98qP7/+A0v68T5DSXI9ZNlx5688isxXo2ZTLP2bKFEWYbDZXBEtr DdM=

;; Query time: 1 msec
;; SERVER: 44.127.8.1#53(44.127.8.1)
;; WHEN: Mon Feb 04 14:37:25 UTC 2019
;; MSG SIZE  rcvd: 741
--SNIP--

Those are the basic things you can do with nsupdate... add and delete.
Changes are done by deleting the old and then adding the new.

The SOA record is updated automatically and all is well with the world.

AlanC


RE: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Salih CIRGAN
RFC 6891 states that it uses TCP to avoid truncated UDP responses. It is all
about packet size, fragmentation and network load.

   EDNS(0) specifies a way to advertise additional features such as
   larger response size capability, which is intended to help avoid
   truncated UDP responses, which in turn cause retry over TCP.  It
   therefore provides support for transporting these larger packet sizes
   without needing to resort to TCP for transport.

   Announcing UDP buffer sizes that are too small may result in fallback
   to TCP with a corresponding load impact on DNS servers.  This is
   especially important with DNSSEC, where answers are much larger.

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Roberto Carna
Sent: Monday, February 4, 2019 4:46 PM
To: ML BIND Users 
Subject: DNS Flag Day: I had to open the TCP/53 port



Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Jeronimo L. Cabral
Ben, thanks a lot !!!

Regards

On Mon, Feb 4, 2019 at 11:04 AM Ben Croswell  wrote:



Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Ben Croswell
When a DNS response is too large to fit in a single UDP packet, 512 bytes
up to 4k with EDNS, the DNS server will respond with as much as it can fit
in the UDP packet. It will also set the truncate (TC) bit to let the client
doing the query know that the answer is truncated and that the client should
query again over TCP for the full answer.

The TC bit is also used in conjunction with RRL.

On Mon, Feb 4, 2019, 8:57 AM Roberto Carna wrote:

> Thanks Ben for your response, can you tell me the types of TCP traffic I
> have to expect in BIND, excepting Zone Transfer?
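The UDP truncation and TCP retry Ben describes, and the timeout Stephan mentions when TCP/53 is filtered, as an added example that is not code from the thread or from BIND: a minimal DNS client that advertises an EDNS(0) UDP payload size, checks the TC bit in the reply, and repeats the query over TCP with the 2-byte length prefix. The transports are injected and fake_server is a constructed stand-in for an authoritative server, so the whole thing runs offline.

```python
import struct

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: the answer did not fit the UDP payload size

def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, qid: int = 0x1234,
                edns_udp_size: int = 4096) -> bytes:
    """Header + question (+ an RFC 6891 OPT pseudo-RR when edns_udp_size > 0)."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, the CLASS field carries the UDP payload
        # size, the TTL field carries ext-RCODE/version/flags (DO), no RDATA.
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0x8000, 0)
    return header + question + opt

def parse_header(msg: bytes) -> dict:
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "ancount": an, "arcount": ar}

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte length (RFC 1035)."""
    return struct.pack("!H", len(msg)) + msg

def resolve(query: bytes, udp_send, tcp_send) -> dict:
    """Send over UDP; if the reply has TC set, repeat the same query over TCP."""
    reply = udp_send(query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("response id does not match query id")
    if not hdr["tc"]:
        return {"transport": "udp", **hdr}
    try:
        framed = tcp_send(tcp_frame(query))
    except TimeoutError:
        # A filtered TCP/53 looks like this to a resolver: the truncated UDP
        # reply is all it will ever get (cf. the tester's edns512tcp=timeout).
        return {"transport": "none", "error": "tcp timeout", **hdr}
    (length,) = struct.unpack("!H", framed[:2])
    return {"transport": "tcp", **parse_header(framed[2:2 + length])}

def fake_server(tcp_open: bool):
    """Constructed stand-in for an authoritative server: truncates on UDP."""
    def reply(query: bytes, truncated: bool) -> bytes:
        q = parse_header(query)
        flags = FLAG_QR | (FLAG_TC if truncated else 0)
        ancount = 0 if truncated else 2   # pretend the full answer holds 2 RRs
        return struct.pack("!HHHHHH", q["id"], flags, 1, ancount, 0,
                           q["arcount"]) + query[12:]
    def udp_send(q: bytes) -> bytes:
        return reply(q, truncated=True)
    def tcp_send(framed: bytes) -> bytes:
        if not tcp_open:
            raise TimeoutError("TCP/53 filtered")
        (n,) = struct.unpack("!H", framed[:2])
        return tcp_frame(reply(framed[2:2 + n], truncated=False))
    return udp_send, tcp_send
```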


Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Ron Hall

Just about anything (if it is large enough).


r

On 2019-02-04 08:56 AM, Roberto Carna wrote:
> Thanks Ben for your response, can you tell me the types of TCP traffic I have
> to expect in BIND, excepting Zone Transfer?


--

Ron Hall
Senior System Administrator, NCS - Core Infrastructure Applications
IT Services
T: +1 514 398 3718
ron.h...@mcgill.ca | 
www.mcgill.ca/it



Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Roberto Carna
Thanks Ben for your response, can you tell me the types of TCP traffic I
have to expect in BIND, excepting Zone Transfer?

Thanks a lot again!!!

El lun., 4 feb. 2019 a las 10:50, Ben Croswell ()
escribió:



Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Ben Croswell
BIND has always required UDP and TCP 53 for proper functionality. It is
sometimes mistakenly believed that TCP is only for zone transfers, but that
is not the case.

On Mon, Feb 4, 2019, 8:46 AM Roberto Carna wrote:


DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Roberto Carna
Dear, I have a BIND 9.10 public server and I have delegated some public
domains.

When I test these domains with the EDNS tool offered on the DNS Flag Day
webpage, the test was wrong with just the UDP/53 port opened to the Internet.

After that, when I also opened the TCP/53 port, the test was successful.

Please can you explain to me the reason I have to open the TCP/53 port to the
Internet from February 1st to the future???

Really thanks, regards.


Re: incorrect section name: $ORIGIN

2019-02-04 Thread Tony Finch
@lbutlr  wrote:
>
> # nsupdate -d -v -l example.com

nsupdate doesn't take zone files as input; instead it takes a list of
(incremental) changes. The "invalid section" error refers to keywords in
nsupdate syntax which refer to parts of DNS UPDATE messages: the prereq
section, the update section, etc. See the INPUT FORMAT part of the
nsupdate man page for details.

You are trying to do what nsdiff does: http://dotat.at/prog/nsdiff/
which turns the difference between two zone files into an nsupdate script.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
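What nsdiff does, reduced to its core as an added example (this is not nsdiff's code, nor Alan's or Tony's): parse two versions of a master-format zone, skip the SOA so that named can bump the serial itself, and emit the delete-old/add-new nsupdate commands Alan describes. The sample zones are constructed from the example.com file posted in this thread; the parser assumes no ';' inside TXT strings and handles only the $ORIGIN and $TTL directives.

```python
import re

def absolute(name: str, origin: str) -> str:
    """Owner name made absolute relative to the current $ORIGIN."""
    if name.endswith("."):
        return name
    return origin if name == "@" else name + ("." if origin == "." else "." + origin)

def parse_zone(text: str, origin: str = ".", default_ttl: int = 3600) -> set:
    """Return {(owner, ttl, type, rdata)} for a master-format zone, SOA excluded."""
    # Assumes no ';' inside TXT strings; rdata names are kept as written.
    lines = [ln.split(";", 1)[0].rstrip() for ln in text.splitlines()]
    # Collapse parenthesised multi-line records (the usual SOA layout).
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()),
                    "\n".join(lines))
    records, owner = set(), origin
    for line in joined.splitlines():
        if not line.strip():
            continue
        if line.startswith("$"):          # $ORIGIN / $TTL; $INCLUDE is out of scope
            key, _, val = line.partition(" ")
            origin = val.strip() if key == "$ORIGIN" else origin
            default_ttl = int(val) if key == "$TTL" else default_ttl
            continue
        if not line[0].isspace():
            owner, line = line.split(None, 1)   # explicit owner name
        fields = line.split()
        ttl = default_ttl
        if fields[0].isdigit():
            ttl = int(fields.pop(0))
        if fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype != "SOA":                # named bumps the serial itself
            records.add((absolute(owner, origin), ttl, rtype, rdata))
    return records

def nsupdate_script(old: set, new: set, zone: str) -> str:
    """Deletions first, then additions: a change is delete-old + add-new."""
    out = [f"zone {zone}"]
    for owner, ttl, rtype, rdata in sorted(old - new):
        out.append(f"update delete {owner} {ttl} IN {rtype} {rdata}")
    for owner, ttl, rtype, rdata in sorted(new - old):
        out.append(f"update add {owner} {ttl} IN {rtype} {rdata}")
    out.append("send")
    return "\n".join(out) + "\n"

# Constructed sample zones modelled on the example.com file in this thread.
OLD_ZONE = """\
$ORIGIN .
$TTL 86400  ; 1 day
example.com. IN SOA ns1.covisp.net. admin.example.com. (
        2019020100 ; serial
        300 300 18000 604800 )
        NS  ns1.covisp.net.
        NS  ns2.covisp.net.
        A   65.121.55.45
$ORIGIN example.com.
webdav  CNAME   www.covisp.net.
www     CNAME   www.covisp.net.
"""
# Second version: ns2 replaced by ns3, www turned from a CNAME into an A record.
NEW_ZONE = (OLD_ZONE.replace("ns2.covisp.net.", "ns3.covisp.net.")
            .replace("www     CNAME   www.covisp.net.", "www     300 A   65.121.55.45"))
```

Feeding the returned script to `nsupdate -l` (as in Alan's session) applies the whole difference in one transaction.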


incorrect section name: $ORIGIN

2019-02-04 Thread @lbutlr
Here is a domain zone file for example.com which is hosted by covisp.net:

$ORIGIN .
$TTL 86400  ; 1 day
example.com. IN SOA  ns1.covisp.net. admin.example.com. (
                2019020100 ; serial
                300        ; refresh (5 minutes)
                300        ; retry (5 minutes)
                18000      ; expire (5 hours)
                604800     ; minimum (1 week)
                )
        NS  ns1.covisp.net.
        NS  ns2.covisp.net.
        NS  ns3.covisp.net.
        A   65.121.55.45
        MX  10 mail.covisp.net.
$ORIGIN example.com.
webdav  CNAME   www.covisp.net.
www     CNAME   www.covisp.net.

$INCLUDE Kexample.com.+007+16695.key
$INCLUDE Kexample.com.+007+34313.key

named.conf:
zone "example.com" {
        type master;
        file "master/example.com.signed";
        update-policy local;
        auto-dnssec maintain;
};


# nsupdate -d -v -l example.com
Creating key...
namefromtext
keycreate
incorrect section name: $ORIGIN
syntax error

So, what is wrong with $ORIGIN? Bind itself doesn't complain.



Re: Refresh of the .signed DNSSEC file?

2019-02-04 Thread Tony Finch
@lbutlr  wrote:

> Based on having update-policy local; auto-dnssec maintain; in the zone,
> when I make changes to example.com I was expecting that
> example.com.signed would be refreshed.
>
> This doesn’t seem to be happening.

Are you doing `rndc freeze` and `rndc thaw` before and after editing the
unsigned zone file?

How are you checking the signed zone? By querying the name server or by
looking at the file directly? If the latter, are you using
named-compilezone with the -j flag to include the journal, or are you
using named-journalprint?

Tony.
-- 
f.anthony.n.finch  http://dotat.at/