bind 9.11.2 - domain and subdomain with one zone does not work
Good morning, we are trying to use this in our zone files so that new subdomains are easy to include. While it worked on my test system, in production we get either NXDOMAIN or SERVFAIL; both use bind 9.11.2 from the distro. Level 10 debug with all possible logs enabled gave no answer. Maybe someone on this list will find our problem, like in the past.

named.conf from the test system, the same as production apart from the number of zones:

---
options {
    allow-transfer { none; };
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
    directory "/var/lib/named";
    managed-keys-directory "/var/lib/named/dyn/";
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
    listen-on-v6 { any; };
    notify no;
    forward only;
    forwarders { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
    allow-query { 127.0.0.1; };
    response-policy {
        zone "testoverride" log no;
        zone "logoverride" log yes;
    };
    disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
};

acl AllowDDNS { 127.0.0.1/32; };

include "/etc/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

view public {
    zone "." in { type hint; file "db.hint"; };
    zone "localhost" in { type master; file "localhost.zone"; };
    zone "0.0.127.in-addr.arpa" in { type master; file "127.0.0.zone"; };
    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "127.0.0.zone"; };
    zone "test.local" IN { type master; file "db.test.local"; };
    zone "testoverride" {
        type master;
        file "Multistuff";
        allow-query { AllowDDNS; };
        allow-update { AllowDDNS; };
    };
    zone "logoverride" {
        type master;
        file "LogStuff";
        allow-query { AllowDDNS; };
        allow-update { AllowDDNS; };
    };
};

logging {
    channel default_syslog {
        # Send most of the named messages to syslog.
        syslog local2;
        severity debug;
    };
    channel audit_log {
        # Send the security related messages to a separate file.
        syslog local2;
        severity debug;
        print-time yes;
    };
    channel null { null; };
    category default { default_syslog; };
    category config { default_syslog; };
    category dispatch { default_syslog; };
    category network { default_syslog; };
    category general { default_syslog; };
    category resolver { default_syslog; };
    category cname { default_syslog; };
    category delegation-only { default_syslog; };
    category lame-servers { default_syslog; };
    category edns-disabled { default_syslog; };
    category dnssec { default_syslog; };
    category notify { default_syslog; };
    category xfer-in { default_syslog; };
    category xfer-out { default_syslog; };
    category update { default_syslog; };
    category update-security { default_syslog; };
    category client { default_syslog; };
    category security { default_syslog; };
    category rate-limit { default_syslog; };
    category spill { default_syslog; };
    category database { default_syslog; };
    category rpz { default_syslog; };
    category dnstap { default_syslog; };
    category queries { default_syslog; };
    category query-errors { default_syslog; };
};
---

The zone file:

---
$ORIGIN .
$TTL 604800     ; 1 week
test.local      IN SOA  mytest.test.local. root.test.local. (
                                2020040123 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                2592000    ; expire (4 weeks 2 days)
                                604800     ; minimum (1 week)
                                )
                        NS      test.local.
                        NS      test.local.
                        A       127.0.0.1
                        MX      10 test.local.
                        MX      20 test.local.
                        TXT     "AD buc"
$ORIGIN test.local.
t1                      A       127.0.0.3
sub                     NS      test.local.
                        NS      test.local.
                        MX      10 test.local.
                        MX      20 test.local.
$ORIGIN sub.test.local.
localhost               A       127.0.0.
---
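An added example (not code from the post or from BIND) that qualifies the $ORIGIN-relative owner names in a zone file laid out like the one above and lists the records that end up at or below the delegation created by "sub NS test.local."; an authoritative server answers for such names with a referral to that NS set rather than with the data. The sample zone is constructed from the post's layout, and the address 127.0.0.9 is made up.

```python
import re
# Added example, not the poster's code: assumes no ';' inside quoted rdata.

def _logical_lines(text):
    # Drop ';' comments, then fold parenthesised multi-line records (the SOA) onto one line.
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), text)
    return [l.replace("(", " ").replace(")", " ") for l in text.splitlines() if l.strip()]

def fqdn(name, origin):
    # Relative names get the current origin appended; "@" stands for the origin itself.
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}".replace("..", ".")

def parse_zone(text, zone_origin):
    # Returns (owner, type, rdata) tuples; a line starting with blanks reuses the previous owner.
    origin, owner, records = zone_origin, zone_origin, []
    for line in _logical_lines(text):
        tok = line.split()
        if tok[0] == "$ORIGIN":
            origin = fqdn(tok[1], origin)
        elif not tok[0].startswith("$"):                   # skip $TTL and other directives
            if not line[0].isspace():                      # explicit owner on this line
                owner = fqdn(tok.pop(0), origin)
            while tok[0].isdigit() or tok[0].upper() in ("IN", "CH", "HS"):   # optional TTL/class
                tok.pop(0)
            records.append((owner, tok[0].upper(), " ".join(tok[1:])))
    return records

def occluded(records, apex):
    # At or under a non-apex NS owner the parent zone keeps only the NS set, DS records and
    # A/AAAA glue for the delegated servers; anything else is answered with a referral.
    cuts = {o for o, t, _ in records if t == "NS" and o != apex}
    glue = {r for _, t, r in records if t == "NS"}
    return [(o, t, r) for o, t, r in records
            if any(o == c or o.endswith("." + c) for c in cuts)
            and not ((o in cuts and t in ("NS", "DS")) or (t in ("A", "AAAA") and o in glue))]

# Constructed sample modelled on the zone in the post; 127.0.0.9 is a made-up address.
SAMPLE_ZONE = """$ORIGIN .
$TTL 604800 ; 1 week
test.local IN SOA mytest.test.local. root.test.local. ( 2020040123 ; serial
        1800 900 2592000 604800 ) ; refresh retry expire minimum
        NS test.local.
$ORIGIN test.local.
t1      A 127.0.0.3
sub     NS test.local.
        MX 10 test.local.
$ORIGIN sub.test.local.
localhost A 127.0.0.9
"""
```

Running `occluded(parse_zone(SAMPLE_ZONE, "test.local."), "test.local.")` reports the MX at sub.test.local. and the A record for localhost.sub.test.local. as hidden behind the delegation.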
Re: DNSSEC - many doubts
David Alexandre M. de Carvalho wrote:

A few hints and tips...

> my named.conf already has the following:
>
> dnssec-enable yes;

You don't need this because it's on by default :-)

> dnssec-lookaside auto;

You want to remove this because the DNSSEC lookaside validation service has been decommissioned.

> bindkeys-file "/etc/named.iscdlv.key";

I prefer not to configure this or install the file, instead relying on BIND's compiled-in copy because that means one less thing to maintain.

> 2) I have one global "hosts" file and 3 reverse zone files, each for the
> respective IP network. Can I use the same Keypair in all of them?

Each zone should have its own zsk and ksk (two K*.key and K*.private files for each zone).

Tony.
--
f.anthony.n.finch http://dotat.at/

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC - many doubts
> On 2 Apr 2020, at 17:58, Warren Kumari wrote:
>
> If you are running an older machine and older kernel, the
> /dev/random source is blocking

Then just use /dev/urandom; both random and urandom are CSPRNGs.

Ondrej
--
Ondřej Surý ond...@isc.org
Re: DNSSEC - many doubts
On Thu, Apr 2, 2020 at 11:14 AM David Alexandre M. de Carvalho wrote:
>
> Hello, good afternoon.
> My first post in this list :)
>
> I'm running BIND Chroot for many years (currently version 9.8.2) on some old
> hardware running Oracle Linux 6.
> I believe it was last year when I was reading about implementing DNSSEC, and
> I think I've even tried to generate a keypair in the slowest server, which
> after more than a day, wasn't ready yet.
> Maybe I was doing something wrong, I honestly don't know.

You almost definitely were -- even a really really slow machine should be able to generate keys in a small number of seconds -- you didn't list what commands you used, but I'm going to assume you were trying to generate an RSA key. You should be able to get a feel for how long this takes by running:

time openssl genrsa -out private.key 2048

or

time openssl genrsa -out private.key 4096

(note that this is very different to running 'openssl speed rsa2048 rsa4096', which benchmarks RSA operations, not key generation).

I'm fairly sure that your issue was a lack of entropy -- in order to generate cryptographically good keys, you need a good source of randomness. If you are running an older machine and older kernel, the /dev/random source is blocking, and if you try and read too much from it it will just hang until it has enough entropy to give "safe" output. Newer kernels do a better job of mixing in external event noise, but there are a number of modules which help with this - haveged being the best known (http://www.issihosts.com/haveged/). You could also test if this is the issue by using /dev/urandom, which doesn't block, or

'while true; do cat /proc/sys/kernel/random/entropy_avail; sleep 2; done'

and see if the available entropy drops to zero during key generation...

W

> So now I had some time and reading about this again.
>
> If I query either of my servers about my domain:
> dig @dns di.ubi.pt DNSKEY
> I do get the DNSKEY, but I have no records when querying about +dnssec. My
> topdomain (ubi.pt) doesn't have DNSSEC yet either.
>
> my named.conf already has the following:
>
> dnssec-enable yes;
> dnssec-validation auto;
> dnssec-lookaside auto;
> bindkeys-file "/etc/named.iscdlv.key";
> managed-keys-directory "/var/named/dynamic";
>
> Outside the configuration file I also have a /etc/named.root.key
>
> My questions:
> 1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it worth it?
> 2) I have one global "hosts" file and 3 reverse zone files, each for the
> respective IP network. Can I use the same Keypair in all of them?
> 3) Are the files /etc/named.root.key file and /etc/named.iscdlv.key already
> being used? I compared them to the result of the DNSKEY dig query but they
> are different.
>
> Thank you so much for your time!
> Best regards
>
> David Alexandre M. de Carvalho
> ---
> IT Specialist
> Departamento de Informática
> Universidade da Beira Interior
DNSSEC - many doubts
Hello, good afternoon.
My first post in this list :)

I'm running BIND Chroot for many years (currently version 9.8.2) on some old hardware running Oracle Linux 6.
I believe it was last year when I was reading about implementing DNSSEC, and I think I've even tried to generate a keypair in the slowest server, which after more than a day, wasn't ready yet. Maybe I was doing something wrong, I honestly don't know.
So now I had some time and reading about this again.

If I query either of my servers about my domain:

dig @dns di.ubi.pt DNSKEY

I do get the DNSKEY, but I have no records when querying about +dnssec. My topdomain (ubi.pt) doesn't have DNSSEC yet either.

my named.conf already has the following:

dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";

Outside the configuration file I also have a /etc/named.root.key

My questions:
1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it worth it?
2) I have one global "hosts" file and 3 reverse zone files, each for the respective IP network. Can I use the same Keypair in all of them?
3) Are the files /etc/named.root.key file and /etc/named.iscdlv.key already being used? I compared them to the result of the DNSKEY dig query but they are different.

Thank you so much for your time!
Best regards

David Alexandre M. de Carvalho
---
IT Specialist
Departamento de Informática
Universidade da Beira Interior