Signatures expired?

2022-04-10 Thread @lbutlr via bind-users
In the process of setting up a new domain I noticed that some existing domains 
are logging an error into /var/log/messages

domain.tld.signed:120: signature has expired

Each domain that is expired shows the same :120

The lines in question do refer to old ALG-7 signatures but shouldn't those go 
away from the signed file? (I've been using ALG 13 for a couple of years.)

-- 
"Are you pondering what I'm pondering?"
"Yes, Brain, I think so, but do nuts go with pudding?"

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


A record for @?

2021-11-05 Thread @lbutlr via bind-users
I have a domain that I host DNS and email for, but not web. I set the A record 
for www.example.com to the IP of the web server with nsupdate, removing the old 
CNAME that pointed to the local webserver, but the web monkey for the new 
website is saying that www has to be a CNAME and the @ record should be the A 
record pointing to the IP.

I don't think this is right, and if it is I am not sure how to use nsupdate to 
make this change.


-- 
'Yes, but humans are more important than animals,' said Brutha. 'This
is a point of view often expressed by humans,' said Om. (Small
Gods)



Re: Any interest in a write-up showing how to configure BIND 9.17x with DoH and LetsEncrypt?

2021-05-31 Thread @lbutlr via bind-users
On 30 May 2021, at 12:23, Grant Taylor via bind-users wrote:
> On 5/30/21 9:24 AM, Richard T.A. Neal wrote:
>> I spent a little time this weekend setting-up BIND 9.17.13 on Ubuntu 21.04 
>> and configuring the system as a recursive resolver offering DNS over HTTPS 
>> using a LetsEncrypt certificate.
> 
> Nice work.
> 
>> Is there any interest in me writing this up as a web article, or has 
>> everyone who’s interested in DoH already got it running comfortably in their 
>> test environment?
> 
> Yes!

+1

Or, perhaps, +100


-- 
NO ONE WANTS TO HEAR FROM MY ARMPITS Bart chalkboard Ep. 3F01



Dnssec-policy Purge-keys

2021-04-12 Thread @lbutlr via bind-users
Does anyone know the syntax for using purge-keys in 9.16.13? I've searched and all 
I can find is notes that it was added. I've tried a couple of things, but I am 
shooting in the dark. I cannot redefine the "default" policy as that gives an 
error and simply putting "purge-keys P90D;" or "dnssec-policy purge-keys P90D;" 
in options files.

I'm sure it's simple, but simply what?

-- 
So, the apocalypse is happening and whatever and this little piggy comes all
this way, but you won’t accept my help because I’m a woman?
Pig: Quite right.



Dnssec delegation NS RRset

2021-03-27 Thread @lbutlr via bind-users
I am getting the following warning:

The following NS name(s) were found in the authoritative NS RRset, but not in 
the delegation NS RRset (i.e., in the com zone): (a DNS server)

The DNS server exists and is used by other domains, so this is something 
specific to this one domain and not to the DNS servers, so I think it must be 
something on the registrar.

Missing glue records?

-- 
You have the effrontery to be squeamish, it thought at him. But we
were dragons. We were supposed to be cruel, cunning, heartless,
and terrible. But this much I can tell you, you ape - the great
face pressed even closer, so that Wonse was staring into the
pitiless depths of his eyes - we never burned and tortured and
ripped one another apart and called it morality. --Guards!
Guards!



unknown option 'trust-anchors'

2020-07-05 Thread @lbutlr via bind-users
In named.conf I have 
dnssec-enable yes;
dnssec-validation auto;

# rndc managed-keys status
view: _default
next scheduled event: Sun, 05 Jul 2020 20:43:00 GMT

name: .
keyid: 20326
algorithm: RSASHA256
flags: SEP
next refresh: Sun, 05 Jul 2020 20:43:00 GMT
trusted since: Mon, 21 Jan 2019 14:53:55 GMT
 mail # rndc reload
rndc: 'reload' failed: failure
 mail # tail /var/log/messages
Jul  5 07:41:24 mail.covisp.net named[53940] 
/usr/local/etc/namedb/bind.keys:29: unknown option 'trust-anchors'
Jul  5 07:41:24 mail.covisp.net named[53940] reloading configuration failed: 
failure

Bind is currently running just fine and has been since 8 June.

The bind.keys file has:

# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
# anchor information for the root zone.

But that URL does not load and gives an XML error.



-- 
-=> 

 <=-



Nsupdate and TTL

2020-04-22 Thread @lbutlr via bind-users
What is the proper syntax for changing the TTL on a zone with nsupdate?

Does the existence of $TTL 86400 in the domain.conf file override nsupdate's 
attempts to change the TTL?

# nsupdate -k /path/to/key
> zone example.com
> ttl 3600
> send
> ^d

No errors, but no change in the TTL.



-- 
"I know she's in there," said Verence, holding his crown in his hands
in the famous Ai-Se-or-Mexican-Bandits-Have-Raided-Our-Village
position
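An added example (not from the thread) showing the nsupdate batch needed to change the TTL of an RRset that already exists: nsupdate's `ttl` command only sets the default TTL for records added later in the same batch, so the existing RRset is deleted and re-added with the new TTL, guarded by a prerequisite so the update is refused if the RRset is missing. The zone name, owner, addresses and key path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an nsupdate batch that
# changes the TTL of one existing RRset. "ttl N" in nsupdate only changes the
# default TTL for records added afterwards in the same batch; an existing
# record keeps its TTL until it is deleted and added back with the new one.

# Usage: ttl_change_batch ZONE OWNER TYPE NEW_TTL RDATA [RDATA...]
ttl_change_batch() {
    zone=$1; owner=$2; rtype=$3; newttl=$4
    shift 4
    printf 'zone %s\n' "$zone"
    # prereq: refuse the whole update unless the RRset actually exists,
    # so a typo in the owner name cannot silently create a new record
    printf 'prereq yxrrset %s %s\n' "$owner" "$rtype"
    # delete the complete RRset, then add every rdata back with the new TTL
    printf 'update delete %s %s\n' "$owner" "$rtype"
    for rdata in "$@"; do
        printf 'update add %s %s %s %s\n' "$owner" "$newttl" "$rtype" "$rdata"
    done
    printf 'send\n'
}

# Example run with constructed placeholder values; the key path is a
# placeholder for the TSIG key file normally passed to nsupdate -k.
# ttl_change_batch example.com www.example.com A 3600 203.0.113.10 \
#     | nsupdate -k /path/to/key
```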




Re: Advice on balancing web traffic using geoip ACls

2020-02-23 Thread @lbutlr via bind-users
On 23 Feb 2020, at 07:57, @lbutlr wrote:
> (9.11.6 should be coming really soon)

9.11.16, and I appear to be behind a touch; it is already released.



Re: Freeze/thaw and signed zone files

2019-02-22 Thread @lbutlr via bind-users
On 22 Feb 2019, at 09:54, Tony Finch wrote:
> You might want a config like
> 
>   zone "example.com" {
>   type master;
>   file "master/example.com";

Not example.com.signed?

>   update-policy local;
>   auto-dnssec maintain;
>   inline-signing yes;
>   };
> 
> Alternatively, with your current config you can update the zone using
> https://dotat.at/prog/nsdiff/ like this:
> 
>   nsdiff example.com master/example.com | nsupdate -l

Where the second one of those is my example.com.signed file?

Is nsdiff a separate package? It's not on my FreeBSD 11.2 system with Bind 9.12

-- 
Well boys, we got three engines out, we got more holes in us than a
horse trader's mule, the radio is gone and we're leaking fuel and if we
was flying any lower why we'd need sleigh bells on this thing... but we
got one little budge on those Roosskies. At this height why they might
harpoon us but they dang sure ain't gonna spot us on no radar screen!



Re: Freeze/thaw and signed zone files

2019-02-22 Thread @lbutlr via bind-users
On 21 Feb 2019, at 20:43, Grant Taylor via bind-users wrote:
> 
> On 2/21/19 6:28 PM, @lbutlr wrote:
>> rndc reload did not recreate (or at least update the time stamp) on the 
>> .signed file.
> 
> Hum.  Maybe it's something different about how you're doing DNSSEC than I am.
> 
> I have BIND managing DNSSEC for me via "auto-dnssec maintain;".  So I don't 
> get .signed files.

The .signed files were created when I first signed the zones with 
dnssec-signzone, which is what gave me the dsset file containing the information 
I needed to add DNSSEC to my domain's registrar.

dnssec-signzone -3 $(head -c 1000 /dev/random | shasum | cut -b 1-16) -A -N 
INCREMENT -o ZONE -t ZONEFILE

I was assuming, perhaps wrongly, that these .signed files continue to be 
required, as they were placed alongside the regular zone files.

> I was just able to do the following:
> 
> rndc freeze $ZONE
> rndc sync -clean $ZONE
> $EDITOR $ZONEFILE
> rndc thaw $ZONE
> rndc sign $ZONE
> 
> I did have to manually do the "rndc sign" for DNSViz to be happy with the new 
> test entry.  I don't know if that's expected or not.

Overnight, many of my zones have new zone.signed.jnl files

> Does your actual zone file have the DNSSEC records in it?  That's where mine 
> are.  I don't have a separate unsigned zone file.

I have three files for each zone:

example.com (less than 2K, unsigned, no DNSSEC info, contains $INCLUDE lines at 
the end for the two public keys.)

example.com.signed (12K, All the DNSSEC info)

example.com.signed.jnl (Created by bind, about double the size of .signed and a 
binary file.) This file is updated when I issue the rndc sign ZONE command.

> I believe so.  Do you have a "managed-keys-directory" entry in your 
> named.conf file?  (I do.  My .key and .private files are in the specified 
> directory.)

My private files are in that directory, I have the public ones in both the 
directory and the master/ directory, which is what seems to be needed (probably 
because of the include statement).

In named.conf I have


zone "example.com" { type master; file "master/example.com.signed"; 
update-policy local; auto-dnssec maintain; };


-- 
"Alas, earwax."



Re: Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr via bind-users
On 21 Feb 2019, at 18:28, @lbutlr  wrote:
> Is the original random key that was generated at the time of signing kept 
> somewhere? NSEC3 seems to contain a 16 character hex string that recurs 
> throughout the file.

OK, I moved aside the signed file, resigned the domain using the 16 character 
string I found repeated in the original .signed file and the dsset file 
contained the same strings, and the signed file was created anew and it 
contains the new subdomains. So, that immediate problem is solved.

First instance is on the NSEC3PARAM param line, so awk '/NSEC3PARAM 1/{ print $NF}' 
zone.signed

-- 
people didn't seem to be able to remember what it was like with the
elves around. Life was certainly more interesting then, but usually
because it was shorter. And it was more colourful, if you liked the
colour of blood. --Lords and Ladies



Re: Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr via bind-users
> On 21 Feb 2019, at 13:41, Grant Taylor via bind-users wrote:
> 
> On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
>> I edited a zone file after issuing a rndc freeze command, added two new sub 
>> zones, changed the serial number, saved the file, and then did an rndc thaw.
> 
> I don't see an "rndc flush " in there.

OK, but rndc flush example.com results in:

rndc: 'flush' failed: not found

> rndc freeze $ZONE
> rndc flush $ZONE
> $EDITOR $ZONE
> rndc thaw $ZONE

Other than the flush, that is what I did.

> I don't recall if reloading or thawing will automatically re-sign the zone or 
> if you need to also explicitly "rndc sign $ZONE”.

Sign recreates the .jnl file, but doesn’t touch the .signed file.

Doing the following recreated the .signed file, but still didn’t add the new 
subdomains.

Freeze, flush, edit, thaw.

Then service named stop, service named start.

Had a previous subdomain gallery and it is listed in both the zone file and the 
signed file.

Zone:
gallery CNAME   www

zone.signed:
gallery CNAME   www

Added a new sub zone, cam

Zone:
cam CNAME   www

zone.signed:


This matches up with the results from dig. So, now I do have a .signed file 
that has the serial number updated to match the zone file, but still doesn’t 
contain the new sub zones.

So, I did the whole dance again. Freeze, flush, edit (change serial, add 
another subdomain), thaw, stop/start. Nothing. But the time stamp on the 
.signed file changes.

And I misspoke earlier, the serial number in the signed file’s SOA didn’t 
change, but the serial numbers/dates in the RRSIG did update.

-- 
This wasn't a proper land. The sky was blue, not flaming with all the
colours of the aurora. And time was passing. To a creature not born
subject to time, it was a sensation not unakin to falling. --Lords and
Ladies



Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr via bind-users
I edited a zone file after issuing a rndc freeze command, added two new sub 
zones, changed the serial number, saved the file, and then did an rndc thaw.

In /var/log/messages I get

zone serial (2019020105) unchanged. zone may fail to transfer to slaves.

which is the previous serial number.

So, I tried to move the .signed file aside, thinking maybe thaw might recreate 
it, but no, it complains the file doesn't exist, so I put it back.

Is it possible for me to edit the zone file (as in with vim) and have bind 
update, or do I have to do everything through nsupdate and never access the 
zone files directly?

At this point, how do I get the zone updated?

If I try to dig for the new subdomains that are in the zone, they do not 
resolve, and all the information in DNS is the information that was there on 
21090201.

I am currently updating to bind912-9.12.3P1_3 to see if anything changes.

-- 
If you think that Mick Jagger will still be doing the whole rock star
thing at age fifty, well, then, you are sorely, sorely mistaken.
