numerous nsec3 bad cache hits

2014-10-29 Thread Antonio Querubin 
On one of my servers I'm seeing numerous log entries of the following 
type:


Oct 29 07:40:14 mx2 named[14747]:   validating @0x7f3378be05b0: fema.net 
SOA: bad cache hit (fema.net/DNSKEY)
Oct 29 07:40:15 mx2 named[14747]:   validating @0x7f3378be05b0: 
6o978dethbt4s0cg8sfb1jsts4ssimsc.fema.net NSEC3: bad cache hit 
(fema.net/DNSKEY)
Oct 29 07:40:15 mx2 named[14747]:   validating @0x7f3378be05b0: 
jkkfnbb4eep0h0ltjf1cisf4eo2lgnm5.fema.net NSEC3: bad cache hit 
(fema.net/DNSKEY)
Oct 29 07:40:15 mx2 named[14747]:   validating @0x7f3378be05b0: fema.net 
SOA: bad cache hit (fema.net/DNSKEY)
Oct 29 07:40:15 mx2 named[14747]:   validating @0x7f3378be05b0: 
6o978dethbt4s0cg8sfb1jsts4ssimsc.fema.net NSEC3: bad cache hit 
(fema.net/DNSKEY)
Oct 29 07:40:15 mx2 named[14747]:   validating @0x7f3378be05b0: 
jkkfnbb4eep0h0ltjf1cisf4eo2lgnm5.fema.net NSEC3: bad cache hit 
(fema.net/DNSKEY)
Oct 29 07:40:15 mx2 named[14747]:   validating @0x7f3378be05b0: fema.net 
SOA: bad cache hit (fema.net/DNSKEY)
Oct 29 07:40:20 mx2 named[14747]:   validating @0x7f3378be05b0: fema.net 
SOA: bad cache hit (fema.net/DNSKEY)
Oct 29 07:40:20 mx2 named[14747]:   validating @0x7f3378be05b0: 
6o978dethbt4s0cg8sfb1jsts4ssimsc.fema.net NSEC3: bad cache hit 
(fema.net/DNSKEY)
Oct 29 07:40:20 mx2 named[14747]:   validating @0x7f3378be05b0: fema.net 
SOA: bad cache hit (fema.net/DNSKEY)
Oct 29 07:40:20 mx2 named[14747]:   validating @0x7f3378be05b0: 
6o978dethbt4s0cg8sfb1jsts4ssimsc.fema.net NSEC3: bad cache hit 
(fema.net/DNSKEY)


I'm guessing this is some kind of brute force attack on BIND trying to 
take advantage of a broken dnssec configuration for fema.net?  The problem 
is that the syslog is filled with these messages.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: A record of domain name must be name server ?

2014-09-11 Thread Antonio Querubin 

On Thu, 11 Sep 2014, Matus UHLAR - fantomas wrote:


If you point www CNAME @, the 'www' will have both MX and NS records same as
example.com.  Which may e.g. cause rejectd on backup MX hosts, apparently
not designed to receive mail for www.example.com.


Actually no.  All other RRs are supposed to be ignored (except for RRSIG, 
etc) once the CNAME exists.  Ie. the MX and NS RRs exist only for 
example.com, but not www.example.com.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Serial numbers for inline signing

2013-12-18 Thread Antonio Querubin 
Is there a way to keep the serial numbers synced between the primary and 
slaves for auto-maintained zones?  Every once in a while the primary and 
slaves somehow get out of sync and the logs start generating error 
messages about the mis-match.  The mis-match also gets noticed by various 
DNS sanity checkers.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com
On Dec 18, 2013, at 10:17 AM, Thomas Schulz sch...@adi.com wrote:

 I have a question about the serial number as modified by inline signing.
 I have a static zone, adi.com, that I am setting up for dnssec. I added
inline-signing yes;
key-directory dnssec;
auto-dnssec maintain;
 to my named.conf file after generating the keys and then did a rndc restart.
 After that I did a
 rndc signing -nsec3param 1 0 10 aef7db3a adi.com
 to switch to nsec3. Checking the resulting serial number, I find that it is
 2013120423. The serial number in the static zone file is 2013120400.
 Why did it bump it up to 23? I expected something like 02.

I can’t tell you why you got an exact number, but the best rule about this is 
“don’t worry about the signed serial number”, as BIND will take care of it for 
you.  As long as you continue to increment the static zone serial number as you 
always have, the serial in the signed zone will be maintained correctly.

There are a number of things that are happening all the time with the signed 
zone that you are not aware of, for example, re-signing as signatures reach 
expiration, re-signing when you change from NSEC to NSEC3, etc.

All of these will keep the signed serial number ‘bumping up’ even when your 
zone isn’t changing.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dig and IPV6 server

2013-08-26 Thread Antonio Querubin 

On Mon, 26 Aug 2013, hugo hugoo wrote:


C:\digdig @fe80::a6b1:e9ff:fe68:c8 www.google.be
dig: couldn't get address for 'fe80::a6b1:e9ff:fe68:c8': address family not 
supported


Try adding the interface to the link-local, eg.:

dig @fe80::a6b1:e9ff:fe68:c8%eth0 www.google.be

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

tools for searching/removing stale keys

2011-02-24 Thread Antonio Querubin 
Has anyone come up with scripts/tools for removing stale zone-signing keys 
but leaving key-signing keys which are in the same directory alone?


Antonio Querubin
e-mail/xmpp:  t...@lava.net
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

need to disable dnssec for pseudo TLD zone

2010-10-28 Thread Antonio Querubin 
When I recently installed the root dnssec initial key on our DNS it broke 
it's ability to accept responses for forwarded requests for a DNS block 
list zone served by another system.  Other queries aren't affected.  The 
config for the forwarded zone looks like:


zone dnsbl {
type forward;
forward only;
forwarders {
10.0.0.124;
};
};

The server at 10.0.0.124 is running rbldnsd.  Queries to our main resolver 
DNS for anything in the 'dnsbl' zone generate a SERVFAIL and BIND logs 
messages similar to the following:


error (chase DS servers) resolving 'sbl.dnsbl/DS/IN': 10.0.0.124#53

If I disable the root initial key, the forwarded queries work again.  I 
think the problem is that our pseudo TLD 'dnsbl' isn't a signed zone or 
something like that.  The RRs for the zone are retrieved from various spam 
BL repositories.


Is there a way to disable dnssec validation on a per-zone basis for 
internal pseudo TLDs?


Antonio Querubin
808-545-5282 x3003
e-mail/xmpp:  t...@lava.net
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users