Re: Inline signing fails dnsviz test.
I would recommend starting here:
https://bind9.readthedocs.io/en/latest/dnssec-guide.html
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
> On 10. 5. 2021, at 7:19, Dan Egli wrote:
>
> I tried to setup inline signing on my DNS server, and after reading the
> results from DNSVIZ, i'd say I was PARTIALLY successful, but there still
> seems to be a lot missing.
>
> You can check the status on dnsviz yourself with the names eglifamily.name
> and newideatest.site. Both resulted in nearly identical responses, wtih a lot
> of warning and some errors. A few of those errors I could blame on my backup
> DNS provider. You get what you pay for and they are free. But not everything
> could be blamed on them.
>
> I've attached a PNG of the output. Hopefully it comes through. Meanwhile,
> here's the zone statements from my named.conf:
>
> view "standard" IN {
> zone "eglifamily.name" {
> type master;
> file "pri/eglifamily.zone";
> allow-query { any; };
> allow-transfer {
> 108.61.224.67; 116.203.6.3; 107.191.99.111; 185.22.172.112;
> 103.6.87.125; 192.184.93.99; 119.252.20.56; 31.220.30.73; 185.34.136.178;
> 185.136.176.247; 45.77.29.133; 116.203.0.64; 167.88.161.228; 199.195.249.208;
> 104.244.78.122; 2605:6400:30:fd6e::3; 2605:6400:10:65::3;
> 2605:6400:20:d5e::3; 2a01:4f8:1c0c:8122::3; 2001:19f0:7001:381::3;
> 2a06:fdc0:fade:2f7::1; 2a00:dcc7:d3ff:88b2::1; 2a04:bdc7:100:1b::3;
> 2401:1400:1:1201::1:7853:1a5; 2604:180:1:92a::3; 2403:2500:4000::f3e;
> 2a00:1838:20:2::cd5e:68e9; 2604:180:2:4cf::3; 2a01:4f8:1c0c:8115::3;
> 2001:19f0:6400:8642::3;
> };
> // also-notify { 1.2.3.4; }; // none for now
> allow-update { trusted; };
> key-directory "/var/bind/pri/keys";
> auto-dnssec maintain;
> inline-signing yes;
> };
>
> zone "newideatest.site" {
> type master;
> file "pri/newideatest.zone";
> allow-query { any; };
> allow-transfer {
> 108.61.224.67; 116.203.6.3; 107.191.99.111; 185.22.172.112;
> 103.6.87.125; 192.184.93.99; 119.252.20.56; 31.220.30.73; 185.34.136.178;
> 185.136.176.247; 45.77.29.133; 116.203.0.64; 167.88.161.228; 199.195.249.208;
> 104.244.78.122; 2605:6400:30:fd6e::3; 2605:6400:10:65::3;
> 2605:6400:20:d5e::3; 2a01:4f8:1c0c:8122::3; 2001:19f0:7001:381::3;
> 2a06:fdc0:fade:2f7::1; 2a00:dcc7:d3ff:88b2::1; 2a04:bdc7:100:1b::3;
> 2401:1400:1:1201::1:7853:1a5; 2604:180:1:92a::3; 2403:2500:4000::f3e;
> 2a00:1838:20:2::cd5e:68e9; 2604:180:2:4cf::3; 2a01:4f8:1c0c:8115::3;
> 2001:19f0:6400:8642::3;
> };
> // also-notify { 1.2.3.4; }; // none for now
> allow-update { trusted; };
> key-directory "/var/bind/pri/keys";
> auto-dnssec maintain;
> inline-signing yes;
> };
>
> --
>
> Dan Egli
> From my Test Server
>
>
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: where are the testing docs ?
On 06 May 2021, at 09:57, Dennis Clarke via bind-users wrote: > I do NOT trust a build result where I had to go hacking into all the > Makefiles just to get it to build. You install without doing testing? That's a very strange definition of "hacking". Setting makefile [preferences and options is not in and way "hacking". -- I started playing Myst at 4:30 in the afternoon and looked up suddenly and realized it was February. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Update DNSSEC Zone
Hi Peter ..
How do you know your DNSSEC is working to begin with?
Here is a URL that I prefer to use that will help answer that question:
https://dnsviz.net/
What you are looking for is your to zone to be “secure”.
Since you are an experienced BIND admin .. any clues to be found in the logs?
grep for “unsigned”.
One option that appears to be missing from your conf file is:
zone "supercoolzonehere.com" IN {
inline-signing yes;
};
Which would achieve the result that you described below wherein a record is
added and “rndc reload” is executed.
Good hunting.
John
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Peter
Fraser
Sent: Sunday, May 09, 2021 8:49 PM
To: bind-users@lists.isc.org
Subject: Update DNSSEC Zone
HI All,
I really would appreciate a pointer in the right direction. I took over a bind
server recently. I am not new to bind. I have used it many times and honestly
prefer it to windows dns but I have never worked with DNSSEC. I have been
reading all day and I still can’t figure out how to update the DNSSEC zone. Can
anyone assist me please? I did see one site that said I could just put in
regular A record entries and run rndc reload and that would resign the zone. I
tried that but it didn’t work.
I am using bind-9.14.x and here are the DNSSEC related entries in the zone.
auto-dnssec maintain;
update-policy local;
key-directory “zones/domain-keys”;
Best Regards,
SI
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Update DNSSEC Zone
HI All, I really would appreciate a pointer in the right direction. I took over a bind server recently. I am not new to bind. I have used it many times and honestly prefer it to windows dns but I have never worked with DNSSEC. I have been reading all day and I still can’t figure out how to update the DNSSEC zone. Can anyone assist me please? I did see one site that said I could just put in regular A record entries and run rndc reload and that would resign the zone. I tried that but it didn’t work. I am using bind-9.14.x and here are the DNSSEC related entries in the zone. auto-dnssec maintain; update-policy local; key-directory “zones/domain-keys”; Best Regards, SI ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: [UNSOLVED] Re: Strange DNS behaviour
On 09.05.21 14:35, Xavier Humbert via bind-users wrote: But on one machine, it fails : [xavier@feanor ~]$ dig @numenor dns.google.com +trace are you aware that +trace sends queries across the servers from root to leaf, it doesn't go through the server numenor? couldn't get address for 'm.root-servers.net': not found None of the root servers can't be found. My root hint file is up to date. Sorry, typed too quickly. Problem stands. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux is like a teepee: no Windows, no Gates and an apache inside... ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
[UNSOLVED] Re: Strange DNS behaviour
On 09/05/2021 13:44, Xavier Humbert via bind-users wrote: On 09/05/2021 12:32, Xavier Humbert via bind-users wrote: Hi, My DNS system if perfectly working : [xavier@numenor ~]$ dig dns.google.com ; <<>> DiG 9.16.15 <<>> dns.google.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12276 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 7b606d7c32a9990601006097b6d7f61894ea0a92dac2 (good) ;; QUESTION SECTION: ;dns.google.com. IN A ;; ANSWER SECTION: dns.google.com. 880 IN A 8.8.4.4 dns.google.com. 880 IN A 8.8.8.8 ;; Query time: 0 msec ;; SERVER: ::1#53(::1) ;; WHEN: Sun May 09 12:17:59 CEST 2021 ;; MSG SIZE rcvd: 103 On other hosts in my home, it works, too. But on one machine, it fails : [xavier@feanor ~]$ dig @numenor dns.google.com +trace ; <<>> DiG 9.16.8-Ubuntu <<>> @numenor dns.google.com +trace ; (1 server found) ;; global options: +cmd . 518400 IN NS m.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS e.root-servers.net. . 518400 IN NS d.root-servers.net. . 518400 IN NS h.root-servers.net. . 518400 IN NS f.root-servers.net. . 518400 IN NS g.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS i.root-servers.net. . 518400 IN NS j.root-servers.net. . 518400 IN NS k.root-servers.net. . 518400 IN NS l.root-servers.net. . 518400 IN NS a.root-servers.net. . 518400 IN RRSIG NS 8 0 518400 2021052117 2021050816 14631 . IgUiqHrRXT5hTAa5wnubyCL0T9iq+iRAQIUQlIStRYqZh6Qp5W3sZLum 6O+EkYZALJda6RJwQY8oPEgQVQymGmGyAxcZBekX5vsMm8MgovQIA+Ev SroSeV9yXDURHqt8af+25bw 6YyUQEOblPehxyUYYkF9cP8FlieAUw1Fn HMvqpQlEn2sYS4UjA+euhcS2k7jnyEdBNbXbEZVq56zHK1aHPQIp2f4/ byHaC55zPJ5rgLwMUh+8JuP47wb4NWAKIj76EUlqcidfI8hxZI5KPoNZ vmIcEtQSfRYqVxoc+BiEEgalw5afAmXjEtvJaWm4v5383uatiQ1s9AgC MPQFHw== couldn't get address for 'm.root-servers.net': not found None of the root servers can't be found. My root hint file is up to date. The network configuration on this machine : [xavier@feanor ~]$ nmcli device show enp10s0 GENERAL.DEVICE: enp10s0 GENERAL.TYPE: ethernet GENERAL.HWADDR: 04:7D:7B:02:68:67 GENERAL.MTU: 1500 GENERAL.STATE: 100 (connected) GENERAL.CONNECTION: Wired GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/3 WIRED-PROPERTIES.CARRIER: on IP4.ADDRESS[1]: 192.168.100.25/24 IP4.GATEWAY: 192.168.100.254 IP4.ROUTE[1]: dst = 0.0.0.0/0, nh = 192.168.100.254, mt = 100 IP4.ROUTE[2]: dst = 192.168.100.0/24, nh = 0.0.0.0, mt = 100 IP4.ROUTE[3]: dst = 169.254.0.0/16, nh = 0.0.0.0, mt = 1000 IP4.DNS[1]: 192.168.100.144 IP4.DNS[2]: 192.168.100.254 This is not an ACL problem, the whole subnet is allowed. Nmap and/or telnet shows no blocked port problem Trying on the secondary leads to the same behaviour Eventually, I am lost. Sorry, typed too quickly. Problem stands. -- Xavier Humbert CRT Supervision et Exploitation de Niveau 1 Rectorat de Nancy-Metz 03 83 86 27 39 OpenPGP_0x90B78A89BCC49C10.asc Description: OpenPGP public key OpenPGP_signature Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
[SOLVED] Re: Strange DNS behaviour
On 09/05/2021 12:32, Xavier Humbert via bind-users wrote: Hi, My DNS system if perfectly working : [xavier@numenor ~]$ dig dns.google.com ; <<>> DiG 9.16.15 <<>> dns.google.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12276 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 7b606d7c32a9990601006097b6d7f61894ea0a92dac2 (good) ;; QUESTION SECTION: ;dns.google.com. IN A ;; ANSWER SECTION: dns.google.com. 880 IN A 8.8.4.4 dns.google.com. 880 IN A 8.8.8.8 ;; Query time: 0 msec ;; SERVER: ::1#53(::1) ;; WHEN: Sun May 09 12:17:59 CEST 2021 ;; MSG SIZE rcvd: 103 On other hosts in my home, it works, too. But on one machine, it fails : [xavier@feanor ~]$ dig @numenor dns.google.com +trace ; <<>> DiG 9.16.8-Ubuntu <<>> @numenor dns.google.com +trace ; (1 server found) ;; global options: +cmd . 518400 IN NS m.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS e.root-servers.net. . 518400 IN NS d.root-servers.net. . 518400 IN NS h.root-servers.net. . 518400 IN NS f.root-servers.net. . 518400 IN NS g.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS i.root-servers.net. . 518400 IN NS j.root-servers.net. . 518400 IN NS k.root-servers.net. . 518400 IN NS l.root-servers.net. . 518400 IN NS a.root-servers.net. . 518400 IN RRSIG NS 8 0 518400 2021052117 2021050816 14631 . IgUiqHrRXT5hTAa5wnubyCL0T9iq+iRAQIUQlIStRYqZh6Qp5W3sZLum 6O+EkYZALJda6RJwQY8oPEgQVQymGmGyAxcZBekX5vsMm8MgovQIA+Ev SroSeV9yXDURHqt8af+25bw 6YyUQEOblPehxyUYYkF9cP8FlieAUw1Fn HMvqpQlEn2sYS4UjA+euhcS2k7jnyEdBNbXbEZVq56zHK1aHPQIp2f4/ byHaC55zPJ5rgLwMUh+8JuP47wb4NWAKIj76EUlqcidfI8hxZI5KPoNZ vmIcEtQSfRYqVxoc+BiEEgalw5afAmXjEtvJaWm4v5383uatiQ1s9AgC MPQFHw== couldn't get address for 'm.root-servers.net': not found None of the root servers can't be found. My root hint file is up to date. The network configuration on this machine : [xavier@feanor ~]$ nmcli device show enp10s0 GENERAL.DEVICE: enp10s0 GENERAL.TYPE: ethernet GENERAL.HWADDR: 04:7D:7B:02:68:67 GENERAL.MTU: 1500 GENERAL.STATE: 100 (connected) GENERAL.CONNECTION: Wired GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/3 WIRED-PROPERTIES.CARRIER: on IP4.ADDRESS[1]: 192.168.100.25/24 IP4.GATEWAY: 192.168.100.254 IP4.ROUTE[1]: dst = 0.0.0.0/0, nh = 192.168.100.254, mt = 100 IP4.ROUTE[2]: dst = 192.168.100.0/24, nh = 0.0.0.0, mt = 100 IP4.ROUTE[3]: dst = 169.254.0.0/16, nh = 0.0.0.0, mt = 1000 IP4.DNS[1]: 192.168.100.144 IP4.DNS[2]: 192.168.100.254 This is not an ACL problem, the whole subnet is allowed. Nmap and/or telnet shows no blocked port problem Trying on the secondary leads to the same behaviour Eventually, I am lost. Sorry for the disturbance, it was caused by faulty remnants of a VPN connection. I fixed that in /etc/systemd/resolved.conf Cheers -- Xavier Humbert CRT Supervision et Exploitation de Niveau 1 Rectorat de Nancy-Metz 03 83 86 27 39 OpenPGP_0x90B78A89BCC49C10.asc Description: OpenPGP public key OpenPGP_signature Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Strange DNS behaviour
Hi, My DNS system if perfectly working : [xavier@numenor ~]$ dig dns.google.com ; <<>> DiG 9.16.15 <<>> dns.google.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12276 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 7b606d7c32a9990601006097b6d7f61894ea0a92dac2 (good) ;; QUESTION SECTION: ;dns.google.com. IN A ;; ANSWER SECTION: dns.google.com. 880 IN A 8.8.4.4 dns.google.com. 880 IN A 8.8.8.8 ;; Query time: 0 msec ;; SERVER: ::1#53(::1) ;; WHEN: Sun May 09 12:17:59 CEST 2021 ;; MSG SIZE rcvd: 103 On other hosts in my home, it works, too. But on one machine, it fails : [xavier@feanor ~]$ dig @numenor dns.google.com +trace ; <<>> DiG 9.16.8-Ubuntu <<>> @numenor dns.google.com +trace ; (1 server found) ;; global options: +cmd . 518400 IN NS m.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS e.root-servers.net. . 518400 IN NS d.root-servers.net. . 518400 IN NS h.root-servers.net. . 518400 IN NS f.root-servers.net. . 518400 IN NS g.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS i.root-servers.net. . 518400 IN NS j.root-servers.net. . 518400 IN NS k.root-servers.net. . 518400 IN NS l.root-servers.net. . 518400 IN NS a.root-servers.net. . 518400 IN RRSIG NS 8 0 518400 2021052117 2021050816 14631 . IgUiqHrRXT5hTAa5wnubyCL0T9iq+iRAQIUQlIStRYqZh6Qp5W3sZLum 6O+EkYZALJda6RJwQY8oPEgQVQymGmGyAxcZBekX5vsMm8MgovQIA+Ev SroSeV9yXDURHqt8af+25bw 6YyUQEOblPehxyUYYkF9cP8FlieAUw1Fn HMvqpQlEn2sYS4UjA+euhcS2k7jnyEdBNbXbEZVq56zHK1aHPQIp2f4/ byHaC55zPJ5rgLwMUh+8JuP47wb4NWAKIj76EUlqcidfI8hxZI5KPoNZ vmIcEtQSfRYqVxoc+BiEEgalw5afAmXjEtvJaWm4v5383uatiQ1s9AgC MPQFHw== couldn't get address for 'm.root-servers.net': not found None of the root servers can't be found. My root hint file is up to date. The network configuration on this machine : [xavier@feanor ~]$ nmcli device show enp10s0 GENERAL.DEVICE: enp10s0 GENERAL.TYPE: ethernet GENERAL.HWADDR: 04:7D:7B:02:68:67 GENERAL.MTU: 1500 GENERAL.STATE: 100 (connected) GENERAL.CONNECTION: Wired GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/3 WIRED-PROPERTIES.CARRIER: on IP4.ADDRESS[1]: 192.168.100.25/24 IP4.GATEWAY: 192.168.100.254 IP4.ROUTE[1]: dst = 0.0.0.0/0, nh = 192.168.100.254, mt = 100 IP4.ROUTE[2]: dst = 192.168.100.0/24, nh = 0.0.0.0, mt = 100 IP4.ROUTE[3]: dst = 169.254.0.0/16, nh = 0.0.0.0, mt = 1000 IP4.DNS[1]: 192.168.100.144 IP4.DNS[2]: 192.168.100.254 This is not an ACL problem, the whole subnet is allowed. Nmap and/or telnet shows no blocked port problem Trying on the secondary leads to the same behaviour Eventually, I am lost. Could anyone help ? Thanks, Regards -- Xavier Humbert CRT Supervision et Exploitation de Niveau 1 Rectorat de Nancy-Metz 03 83 86 27 39 OpenPGP_0x90B78A89BCC49C10.asc Description: OpenPGP public key OpenPGP_signature Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
