RE: Testing KASP, CDS, and .ch
On April 9, 2021 8:21:33 PM UTC, "John W. Blue via bind-users" wrote:
>Sorry .. clicked send too soon.
>
>Found this via google:
>
>https://docs.gandi.net/en/domain_names/advanced_users/dnssec.html
>
>"You can not add DS keys as we compute it for you with the KSK or ZSK, then we
>send it to the registry."
>
>So it looks like the owner of domainmail.ch must get the DS from Gandi??? I
>wouldn't know how that would work exactly but clearly a conversation is needed
>with Gandi.
>
>Good hunting.

Thanks for trying but I think you're missing the point of this thread. I'm not asking about how to configure DNSSEC the traditional way.

Btw, one *can* manually set up a DS RR at Gandi, but they take and decode the actual key data, not the DS.

-Jim P

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Testing KASP, CDS, and .ch
On April 9, 2021 8:23:48 PM UTC, Hugo Salgado wrote:
>Switch has a website to test the CDS processing for .ch:
>  https://www.nic.ch/security/cds/
>
>for domainmail.ch it says "The CDS configuration of the domain name
>domainmail.ch will not be processed.
>[ ... ]
>The DNS query returned: "Server failed to complete the DNS request".
>"
>
>You should check the requirements. You'd need to answer for three
>consecutive days, be consistent in all NS IP addresses, etc.
>
>Hugo
>
>On 15:11 09/04, Jim Popovitch via bind-users wrote:
>> On Fri, 2021-04-09 at 19:05 +, John W. Blue via bind-users wrote:
>> > So the issue here is that the DS record that sits in .ch has an ID of 22048
>> > but the domainmail.ch servers are telling the world that the correct ID is
>> > 17870.
>> >
>> > Thus the DNSSEC breakage.
>>
>> Of course, however there is no 22048 id in Gandi (the Registrar), yet it
>> appears in .ch, and 17870 is still Active (as of this moment in time).
>>
>> What I can't figure out is how/when does .ch query the CDS/CDNSKEY data.
>>
>> I know that I can make the domain validate by manually putting a
>> keyid+data in Gandi, but the whole purpose of CDS/CDNSKEY is to not have
>> to do that, no?
>>
>> -Jim P.

Thanks Hugo! That helps.

-Jim P.
Re: underscores in A queries
Those are qname minimization queries.

Because DNS implementations (especially in load-balancers) are so broken, the qname minimizing resolver can’t ask for:

IN NS

because that often doesn’t work, but when it asks:

_. IN A

the resolver will get the correct answer.

Unfortunately, this is the world we are living in...

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

> On 9. 4. 2021, at 20:28, Kevin K wrote:
>
> Hi,
>
> I've been parsing my query logs to watch for unusual/unexpected lookups, and
> I notice quite a few A queries with underscores, often in patterns like
>
> _.domainname.com
>
> often followed by
>
> _.xyz.domainname.com
>
> or
>
> _.domainname.com.mydomain.com
>
> Can someone tell me what these are and what the underscores mean?
>
> thanks
>
> Kevin
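Added example (not part of the original thread, and not ISC code): a Python pass over query-log lines that separates the `_.` A-query probes explained above from other underscore names, so that a review of "unusual" lookups can set the probes aside. The log lines are constructed samples in BIND's query-log layout; the category names are assumptions of this example.

```python
import re

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
09-Apr-2021 18:20:01.101 client @0x7f1c 192.0.2.53#40001 (_.domainname.com): query: _.domainname.com IN A -E(0)DC (198.51.100.1)
09-Apr-2021 18:20:01.140 client @0x7f1c 192.0.2.53#40002 (_.xyz.domainname.com): query: _.xyz.domainname.com IN A -E(0)DC (198.51.100.1)
09-Apr-2021 18:20:01.180 client @0x7f1c 192.0.2.53#40003 (www.xyz.domainname.com): query: www.xyz.domainname.com IN A -E(0)DC (198.51.100.1)
09-Apr-2021 18:20:05.000 client @0x7f2d 203.0.113.9#5060 (_sip._tcp.domainname.com): query: _sip._tcp.domainname.com IN SRV +E(0) (198.51.100.1)
09-Apr-2021 18:20:07.000 client @0x7f3e 203.0.113.77#41000 (bad_host.domainname.com): query: bad_host.domainname.com IN A + (198.51.100.1)
"""

LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
ADDRESS_TYPES = {"A", "AAAA"}


def parse_line(line):
    """Return (client_ip, qname, qtype) or None for lines that are not queries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype").upper()


def classify(qname, qtype):
    """Sort a query into one of four categories (names chosen for this example)."""
    labels = qname.split(".")
    # A lone "_" as the leftmost label of an A query: the qname-minimization
    # probe that stands in for an NS query on the rest of the name.
    if labels[0] == "_" and len(labels) > 1 and qtype == "A":
        return "qmin-probe"
    # _service._proto style labels on non-address types (SRV, TXT, TLSA, ...).
    if any(label.startswith("_") for label in labels) and qtype not in ADDRESS_TYPES:
        return "service-label"
    # Any other underscore in an address lookup is the case worth a human look.
    if "_" in qname and qtype in ADDRESS_TYPES:
        return "underscore-hostname"
    return "plain"


def summarize(log_text):
    """Group probes per client (in arrival order) and list queries left for review."""
    probes, review = {}, []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, qname, qtype = parsed
        kind = classify(qname, qtype)
        if kind == "qmin-probe":
            probes.setdefault(ip, []).append(qname[2:])  # strip the "_." prefix
        elif kind == "underscore-hostname":
            review.append((ip, qname, qtype))
    return probes, review


if __name__ == "__main__":
    probes, review = summarize(SAMPLE_LOG)
    for ip, names in probes.items():
        print(f"{ip}: qname-minimization probes for {' -> '.join(names)}")
    for ip, qname, qtype in review:
        print(f"review: {ip} asked {qtype} {qname}")
```
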
Re: Testing KASP, CDS, and .ch
Switch has a website to test the CDS processing for .ch:
  https://www.nic.ch/security/cds/

for domainmail.ch it says "The CDS configuration of the domain name
domainmail.ch will not be processed.
[ ... ]
The DNS query returned: "Server failed to complete the DNS request".
"

You should check the requirements. You'd need to answer for three
consecutive days, be consistent in all NS IP addresses, etc.

Hugo

On 15:11 09/04, Jim Popovitch via bind-users wrote:
> On Fri, 2021-04-09 at 19:05 +, John W. Blue via bind-users wrote:
> > So the issue here is that the DS record that sits in .ch has an ID of 22048
> > but the domainmail.ch servers are telling the world that the correct ID is
> > 17870.
> >
> > Thus the DNSSEC breakage.
>
> Of course, however there is no 22048 id in Gandi (the Registrar), yet it
> appears in .ch, and 17870 is still Active (as of this moment in time).
>
> What I can't figure out is how/when does .ch query the CDS/CDNSKEY data.
>
> I know that I can make the domain validate by manually putting a
> keyid+data in Gandi, but the whole purpose of CDS/CDNSKEY is to not have
> to do that, no?
>
> -Jim P.
RE: Testing KASP, CDS, and .ch
Sorry .. clicked send too soon.

Found this via google:

https://docs.gandi.net/en/domain_names/advanced_users/dnssec.html

"You can not add DS keys as we compute it for you with the KSK or ZSK, then we send it to the registry."

So it looks like the owner of domainmail.ch must get the DS from Gandi??? I wouldn't know how that would work exactly but clearly a conversation is needed with Gandi.

Good hunting.

John

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jim Popovitch via bind-users
Sent: Friday, April 09, 2021 2:12 PM
To: bind-users@lists.isc.org
Subject: Re: Testing KASP, CDS, and .ch

On Fri, 2021-04-09 at 19:05 +, John W. Blue via bind-users wrote:
> So the issue here is that the DS record that sits in .ch has an ID of 22048
> but the domainmail.ch servers are telling the world that the correct ID is
> 17870.
>
> Thus the DNSSEC breakage.

Of course, however there is no 22048 id in Gandi (the Registrar), yet it appears in .ch, and 17870 is still Active (as of this moment in time).

What I can't figure out is how/when does .ch query the CDS/CDNSKEY data.

I know that I can make the domain validate by manually putting a keyid+data in Gandi, but the whole purpose of CDS/CDNSKEY is to not have to do that, no?

-Jim P.
RE: Testing KASP, CDS, and .ch
The owner of domainmail.ch will need to give .ch an updated copy of the DS record that contains 17870.

Once that has been accomplished .ch will start telling the open internet to expect 17870 when talking to domainmail.ch.

When the open internet matches what it expects with what it gets then DNSSEC will be validated.

John

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jim Popovitch via bind-users
Sent: Friday, April 09, 2021 2:12 PM
To: bind-users@lists.isc.org
Subject: Re: Testing KASP, CDS, and .ch

On Fri, 2021-04-09 at 19:05 +, John W. Blue via bind-users wrote:
> So the issue here is that the DS record that sits in .ch has an ID of 22048
> but the domainmail.ch servers are telling the world that the correct ID is
> 17870.
>
> Thus the DNSSEC breakage.

Of course, however there is no 22048 id in Gandi (the Registrar), yet it appears in .ch, and 17870 is still Active (as of this moment in time).

What I can't figure out is how/when does .ch query the CDS/CDNSKEY data.

I know that I can make the domain validate by manually putting a keyid+data in Gandi, but the whole purpose of CDS/CDNSKEY is to not have to do that, no?

-Jim P.
Re: underscores in A queries
On 4/9/21, John W. Blue via bind-users wrote:
> It would seem that underscores is one of those characters in DNS that leads
> a double life.
>
> RFC’s say that underscores are disallowed for use in hostnames

Right. But it's **hostnames** and not everyone enforces that rule :(

> but SRV
> records use it to indicate service type et al.

SRV records aren't hostnames, nor are CNAME records, TXT, etc.

I've got this bit in my notes re "check-names response fail;"
# also see dns-operati...@lists.dns-oarc.net
# [dns-operations] about the underline in hostname
# where the consensus is to not do this check on resolvers

Regards,
Lee
Re: Testing KASP, CDS, and .ch
On Fri, 2021-04-09 at 19:05 +, John W. Blue via bind-users wrote:
> So the issue here is that the DS record that sits in .ch has an ID of 22048
> but the domainmail.ch servers are telling the world that the correct ID is
> 17870.
>
> Thus the DNSSEC breakage.

Of course, however there is no 22048 id in Gandi (the Registrar), yet it appears in .ch, and 17870 is still Active (as of this moment in time).

What I can't figure out is how/when does .ch query the CDS/CDNSKEY data.

I know that I can make the domain validate by manually putting a keyid+data in Gandi, but the whole purpose of CDS/CDNSKEY is to not have to do that, no?

-Jim P.
RE: Testing KASP, CDS, and .ch
So the issue here is that the DS record that sits in .ch has an ID of 22048 but the domainmail.ch servers are telling the world that the correct ID is 17870.

Thus the DNSSEC breakage.

John

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jim Popovitch via bind-users
Sent: Friday, April 09, 2021 1:58 PM
To: bind-users@lists.isc.org
Subject: Testing KASP, CDS, and .ch

Hello!

I've read the "Schacher 20200622 Support for and adoption of CDS in .ch and .li", and studied https://kb.isc.org/docs/dnssec-key-and-signing-policy, however I've hit a brick wall:

https://dnsviz.net/d/domainmail.ch/dnssec/

What am I missing?

I'm using the following policy and zone config:

dnssec-policy "test" {
    keys {
        csk lifetime P30D algorithm ECDSAP256SHA256;
    };
};

zone "domainmail.ch" {
    type master;
    file "/etc/bind/zone/domainmail.ch";
    dnssec-policy "test";
};

Here is the info of the active keys:

/etc/bind/keys/Kdomainmail.ch.+013+22048.key
; This is a key-signing key, keyid 22048, for domainmail.ch.
; Created: 20210208192710 (Mon Feb 8 19:27:10 2021)
; Publish: 20210208192710 (Mon Feb 8 19:27:10 2021)
; Activate: 20210208222710 (Mon Feb 8 22:27:10 2021)
; Inactive: 20210310222710 (Wed Mar 10 22:27:10 2021)
; Delete: 20210320233210 (Sat Mar 20 23:32:10 2021)
; SyncPublish: 20210208222710 (Mon Feb 8 22:27:10 2021)

/etc/bind/keys/Kdomainmail.ch.+013+17870.key
; This is a key-signing key, keyid 17870, for domainmail.ch.
; Created: 20210310202210 (Wed Mar 10 20:22:10 2021)
; Publish: 20210310202210 (Wed Mar 10 20:22:10 2021)
; Activate: 20210310222710 (Wed Mar 10 22:27:10 2021)
; Inactive: 20210409222710 (Fri Apr 9 22:27:10 2021)
; Delete: 20210419233210 (Mon Apr 19 23:32:10 2021)
; SyncPublish: 20210310222710 (Wed Mar 10 22:27:10 2021)

/etc/bind/keys/Kdomainmail.ch.+013+04319.key
; This is a key-signing key, keyid 4319, for domainmail.ch.
; Created: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Publish: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Activate: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Inactive: 20210221040633 (Sun Feb 21 04:06:33 2021)
; Delete: 20210303051133 (Wed Mar 3 05:11:33 2021)
; SyncPublish: 20210221023255 (Sun Feb 21 02:32:55 2021)

-Jim P.
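Added example (not part of the original thread, and not BIND or registry code): a Python check for the condition described in the message above, a parent DS whose key tag no longer corresponds to any DNSKEY the child publishes. It computes the key tag (RFC 4034 Appendix B) and the DS digest from DNSKEY RDATA, which is also the derivation a registrar performs when it accepts key data rather than a DS. The two keys are constructed byte strings, not the real domainmail.ch keys, so their tags are not 22048 or 17870; the function and field names are assumptions of this example.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the 'keyid' shown in BIND key files)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def wire_name(name):
    """Canonical (lower-case) wire encoding of an owner name."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"  # root
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def make_ds(owner, rdata, digest_type=2):
    """DS as (key tag, algorithm, digest type, hex digest), derived from a DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def check_delegation(owner, parent_ds, child_dnskeys):
    """Compare the DS set at the parent with the DNSKEYs served by the child."""
    matched, orphaned = set(), []
    for tag, alg, dtype, digest in parent_ds:
        hits = {i for i, rdata in enumerate(child_dnskeys)
                if dtype in DIGESTS
                and make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())}
        if hits:
            matched |= hits
        else:
            orphaned.append(tag)  # DS points at a key the child does not publish
    # Only keys with the SEP flag (low bit of the flags field) are expected to have a DS.
    without_ds = [key_tag(r) for i, r in enumerate(child_dnskeys)
                  if i not in matched and r[1] & 1]
    return {
        "ds_matches_dnskey": bool(matched),
        "orphaned_ds_tags": orphaned,
        "dnskey_tags_without_ds": without_ds,
    }


# Constructed stand-ins for two successive CSKs (flags 257, algorithm 13).
ZONE = "domainmail.ch"
OLD_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))))
NEW_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64, 128))))

if __name__ == "__main__":
    # Parent still holds the DS of the retired key, child publishes only the new key.
    print(check_delegation(ZONE, [make_ds(ZONE, OLD_KEY)], [NEW_KEY]))
    # After the parent DS has been replaced.
    print(check_delegation(ZONE, [make_ds(ZONE, NEW_KEY)], [NEW_KEY]))
```
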
Testing KASP, CDS, and .ch
Hello!

I've read the "Schacher 20200622 Support for and adoption of CDS in .ch and .li", and studied https://kb.isc.org/docs/dnssec-key-and-signing-policy, however I've hit a brick wall:

https://dnsviz.net/d/domainmail.ch/dnssec/

What am I missing?

I'm using the following policy and zone config:

dnssec-policy "test" {
    keys {
        csk lifetime P30D algorithm ECDSAP256SHA256;
    };
};

zone "domainmail.ch" {
    type master;
    file "/etc/bind/zone/domainmail.ch";
    dnssec-policy "test";
};

Here is the info of the active keys:

/etc/bind/keys/Kdomainmail.ch.+013+22048.key
; This is a key-signing key, keyid 22048, for domainmail.ch.
; Created: 20210208192710 (Mon Feb 8 19:27:10 2021)
; Publish: 20210208192710 (Mon Feb 8 19:27:10 2021)
; Activate: 20210208222710 (Mon Feb 8 22:27:10 2021)
; Inactive: 20210310222710 (Wed Mar 10 22:27:10 2021)
; Delete: 20210320233210 (Sat Mar 20 23:32:10 2021)
; SyncPublish: 20210208222710 (Mon Feb 8 22:27:10 2021)

/etc/bind/keys/Kdomainmail.ch.+013+17870.key
; This is a key-signing key, keyid 17870, for domainmail.ch.
; Created: 20210310202210 (Wed Mar 10 20:22:10 2021)
; Publish: 20210310202210 (Wed Mar 10 20:22:10 2021)
; Activate: 20210310222710 (Wed Mar 10 22:27:10 2021)
; Inactive: 20210409222710 (Fri Apr 9 22:27:10 2021)
; Delete: 20210419233210 (Mon Apr 19 23:32:10 2021)
; SyncPublish: 20210310222710 (Wed Mar 10 22:27:10 2021)

/etc/bind/keys/Kdomainmail.ch.+013+04319.key
; This is a key-signing key, keyid 4319, for domainmail.ch.
; Created: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Publish: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Activate: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Inactive: 20210221040633 (Sun Feb 21 04:06:33 2021)
; Delete: 20210303051133 (Wed Mar 3 05:11:33 2021)
; SyncPublish: 20210221023255 (Sun Feb 21 02:32:55 2021)

-Jim P.
RE: underscores in A queries
It would seem that underscores is one of those characters in DNS that leads a double life.

RFC’s say that underscores are disallowed for use in hostnames but SRV records use it to indicate service type et al.

And then you have the acm-validations.aws geniuses who use it in their hostnames to validate domain ownership to issue SSL certs never mind it that the format completely screws up the design and architecture of your subzones. :/

(not a fan of Route53 BTW .. and now they say they can “do” DNSSEC. lol)

So while there is more to talk about with underscores the real answer to your question is what do those records resolve to? SIP or TCP or whatever? Using the DNS query answer will provide the clue as to why those questions are being asked.

John

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin K
Sent: Friday, April 09, 2021 1:28 PM
To: bind-users@lists.isc.org
Subject: underscores in A queries

Hi,

I've been parsing my query logs to watch for unusual/unexpected lookups, and I notice quite a few A queries with underscores, often in patterns like

_.domainname.com

often followed by

_.xyz.domainname.com

or

_.domainname.com.mydomain.com

Can someone tell me what these are and what the underscores mean?

thanks

Kevin
underscores in A queries
Hi,

I've been parsing my query logs to watch for unusual/unexpected lookups, and I notice quite a few A queries with underscores, often in patterns like

_.domainname.com

often followed by

_.xyz.domainname.com

or

_.domainname.com.mydomain.com

Can someone tell me what these are and what the underscores mean?

thanks

Kevin
Re: Unable to start name
On 09.04.21 at 08:07, rams wrote:
> Apr 09 05:19:38 named[1354]: generating session key for dynamic DNS
> Apr 09 05:19:38 named[1354]: could not create /var/run/named/session.key
> Apr 09 05:19:38 named[1354]: failed to generate session key for dynamic DNS: permi...ied

/var/run points to /run which is tmpfs and subfolders need to be re-created at boot, normally there should be a config which ensures that and is part of the package

cat /usr/lib/tmpfiles.d/named.conf
d /run/named 0755 named named -

if that's missing "/etc/tmpfiles.d" is the location where you place manual stuff - /usr/lib is package area, /etc is admin-area
Re: Unable to start name
Thank you Stuart for your reply. When I run named-checkconf seeing as below and also status shows always failed. I have looked into the below zones and not seen any issue with those.

[dev][root@xtld2.usiad42 log]# named-checkconf -z /etc/named.conf
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
[dev][root@xtld2.usiad42 log]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
● named.service - LSB: start|stop|status|restart|try-restart|reload|force-reload DNS server
   Loaded: loaded (/etc/rc.d/init.d/named; bad; vendor preset: disabled)
   Active: failed (Result: timeout) since Fri 2021-04-09 04:49:29 UTC; 1h 15min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 23987 ExecStop=/etc/rc.d/init.d/named stop (code=exited, status=1/FAILURE)
  Process: 1345 ExecStart=/etc/rc.d/init.d/named start (code=killed, signal=TERM)

Apr 09 05:19:38 named[1354]: generating session key for dynamic DNS
Apr 09 05:19:38 named[1354]: could not create /var/run/named/session.key
Apr 09 05:19:38 named[1354]: failed to generate session key for dynamic DNS: permi...ied
Apr 09 05:19:38 named[1354]: sizing zone task pool based on 583 zones
Apr 09 05:19:38 named[1354]: none:100: 'max-cache-size 90%' - setting to 115894MB ...MB)
Apr 09 05:19:39 named[1354]: none:100: 'max-cache-size 90%' - setting to 115894MB ...MB)
Apr 09 05:19:39 named[1354]: configuring command channel from '/etc/rndc.key'
Apr 09 05:19:39 named[1354]: configuring command channel from '/etc/rndc.key'
Apr 09 05:19:39 named[1354]: reloading configuration succeeded
Apr 09 05:19:39 named[1354]: zone 5.0.0.0.0.0.0.0.8.1.6.0.1.0.a.2.ip6.arpa/IN: ref...led
Hint: Some lines were ellipsized, use -l to show in full.
[dev][root@xtld2.usiad42 log]#

On Fri, Apr 9, 2021 at 11:16 AM Stuart@registry.godaddy wrote:

> > From: bind-users on behalf of rams <brames...@gmail.com>
> > Date: Friday, 9 April 2021 at 2:56 pm
> > To: bind-users
> > Subject: Unable to start name
>
> > Hi
> > We are using bind 9.11.28.1 on centos7.8. We have large number of zones
> > on disk. When we stop/start , we are not getting successful message and
> > seeing below error. But in log we see named is running and doing
> > axfr/ixfr. Do we need to add any configuration parameter to avoid below
> > error.
> >
> > Starting named (via systemctl): Job for named.service failed because a
> > timeout was exceeded. See "systemctl status named.service" and
> > "journalctl -xe" for details
>
> You mentioned that you have a large number of zones. If there are no error
> messages generated by NAMED starting other than the exceeding of a timeout,
> it could just be the system service-start timing out.
>
> Have a look at TimeoutSec in the service unit definition:
>
> https://www.freedesktop.org/software/systemd/man/systemd.service.html#TimeoutSec=
>
> You may also want to try "named-checkconf -z /etc/named.conf" and see how long
> it takes (as this does a similar sort of validation as starting the
> service does).
>
> Stuart