BIND 9.6.1-P3 Vulnerabilities

2011-06-07 Thread Borgia, Joe A CTR USAF AFMC AFRL/RIOS
BIND 9.6.1-P3 seems to be a somewhat old release of BIND, and yet, I can
find no vulnerabilities listed on the ISC Security Advisories pages. Am
I missing something?

 

Regards,

Joe

Joseph A. Borgia, Jr.
Network Services Team Lead
Team Rome IT - NCI Information Systems
CompTIA - Security+ Certified
Oracle Solaris Certified Professional
U.S. Air Force Research Laboratory/Rome Research Site/RIOS
COMM: 315-330-3952
DSN: 587-3952
FAX: 315-330-8258

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Dynamic DNS and Slave Servers

2009-06-19 Thread Borgia, Joe A CTR USAF AFMC AFRL/RIOS
Should running a rndc freeze and thaw on the slave server also push the data
from the .jnl files directly to the tables as they do on the master server?

For some weird reason, running a rndc freeze and thaw on the slave runs
successfully, but it does not push the updates to the zone tables there, and
the .jnl files still exist after it.

This is unexpected behavior.


Joseph A. Borgia, Jr.
Sr. UNIX/SAN Engineer
Team Rome IT - Rome Research Corporation
U.S. Air Force Research Laboratory/Rome Research Site/RIOS
COMM: 315-330-3952
DSN: 587-3952
FAX: 315-330-8258


-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Borgia, Joe A CTR
USAF AFMC AFRL/RIOS
Sent: Thursday, June 18, 2009 9:59 AM
To: bind-users@lists.isc.org
Subject: Dynamic DNS and Slave Servers

I'm trying to learn DDNS at break-neck speed over here. I guess I'm a little
surprised that there are .jnl files on my slave server. I have no
allow-update statements on that server, unless maybe these files are coming
from zone transfer?

Also, is it normal for the master zone tables to turn into files that look
like slave zone tables after you enable DDNS?

Thanks,

Joe




RE: Dynamic DNS and Slave Servers

2009-06-19 Thread Borgia, Joe A CTR USAF AFMC AFRL/RIOS
That's exactly what I was seeing when I tried that: rndc: 'freeze' failed:
not found.

You folks have all been so helpful. Like one of the other posters said,
we've done non-dynamic DNS for so long here (years and years) the dynamic
DNS, especially when combined with a mainly Windows environment has been a
little bit like black magic. And, we're being forced to implement over such
a short period of time. It's been a little much to take it all in.



-Original Message-
From: Chris Thompson [mailto:c...@hermes.cam.ac.uk] On Behalf Of Chris
Thompson
Sent: Friday, June 19, 2009 10:25 AM
To: Borgia, Joe A CTR USAF AFMC AFRL/RIOS
Cc: Bind Users Mailing List
Subject: RE: Dynamic DNS and Slave Servers

On Jun 19 2009, Borgia, Joe A CTR USAF AFMC AFRL/RIOS wrote:

> Should running a rndc freeze and thaw on the slave server also push the
> data from the .jnl files directly to the tables as they do on the master
> server?
>
> For some weird reason, running a rndc freeze and thaw on the slave runs
> successfully, but it does not push the updates to the zone tables there,
> and the .jnl files still exist after it.
>
> This is unexpected behavior.

Not really. Freezing is only meaningful for zones of type master. If you
use rndc freeze [zonename] and the zone is of type slave, you will get
an error message rndc: 'freeze' failed: not found (by which it means,
not found among the zones of type master). rndc freeze without a 
zone name means freeze all zones of type master, and so it is always
going to run successfully, even if there aren't any. (I don't actually
much like syntax like this, when leaving out an argument has such a
wide-ranging effect that might not have been intended. rndc freezeall,
say, would have been a better idea.)

-- 
Chris Thompson
Email: c...@cam.ac.uk



RE: Dynamic DNS and Slave Servers

2009-06-18 Thread Borgia, Joe A CTR USAF AFMC AFRL/RIOS
Although, I should be able to add static data to a dynamic data zone either
with nsupdate or with freezing and thawing the zone, correct?



-Original Message-
From: Joseph S D Yao [mailto:j...@tux.org] 
Sent: Thursday, June 18, 2009 12:10 PM
To: Chris Buxton
Cc: Borgia, Joe A CTR USAF AFMC AFRL/RIOS; bind-users@lists.isc.org
Subject: Re: Dynamic DNS and Slave Servers

On Thu, Jun 18, 2009 at 07:50:49AM -0700, Chris Buxton wrote:
...
> Yes. Once a zone is dynamic, you're no longer allowed to edit the zone
> file directly (unless you make it static again, for example by use of
...


For which reason, of course, dynamic data should always be in a separate
subdomain from static data, which may someday need to be updated.

Apologies if this was obvious.  There exist people for whom it was not.


-- 
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/



RE: Windows AD, Windows DHCP, BIND, and DDNS

2009-06-15 Thread Borgia, Joe A CTR USAF AFMC AFRL/RIOS
I'm not an AD guy at all, so I have to ask the following:

Will un-checking that still allow the host to register itself in the AD
namespace?



-Original Message-
From: Frank Pikelner [mailto:frank.pikel...@netcraftcommunications.com] 
Sent: Monday, June 15, 2009 12:52 PM
To: Borgia, Joe A CTR USAF AFMC AFRL/RIOS; bind-users@lists.isc.org
Subject: RE: Windows AD, Windows DHCP, BIND, and DDNS

Joe,

On your Windows DHCP server, use DHCP MMC, right click on DHCP server name,
and select options. In Options, select DNS tab and uncheck the required DNS
registration options.

Best,

Frank


-Original Message-
From: bind-users-boun...@lists.isc.org on behalf of Borgia, Joe A CTR USAF
AFMC AFRL/RIOS
Sent: Mon 6/15/2009 10:27 AM
To: bind-users@lists.isc.org
Subject: Windows AD, Windows DHCP, BIND, and DDNS

Folks,

I need some help.

At my site, I am running Windows AD, Windows DHCP, and BIND version
9.6.0-P1.

The AD namespace that my customer implemented is different from the BIND
namespace. The majority of the clients here are Windows XP/Vista-based
systems that receive their IP via Windows DHCP. We'd like to have these
systems register themselves manually via DDNS to our BIND namespace. Just
for proof-of-concept before we even try to tackle TSIG to secure it, we're
using the allow-update directive.

DHCP Server: 10.10.10.10

We set up allow-update for 10.10.10.10 for both the forward lookup hosts
file and reverse lookup hosts.rev file.

Our BIND namespace is bind.domain.mil

Our AD namespace is our.ds.domain.mil

When a client gets an IP with the BIND server configured to allow the
Windows DHCP server to do the updating, rather than registering that client
as host.bind.domain.mil, it registers it only in the reverse lookup table as
host.our.ds.domain.mil, which is undesirable. We want the host to be
host.bind.domain.mil on the BIND servers, both forward and reverse.

When I set up an ACL called dynamic-update for 10.10.0.0/16 and allow all
of that network to perform the updates on the BIND server, it works better,
but not completely because to make that work, we had to go into the client's
TCP/IP settings, and tell it to register specifically as bind.domain.mil.
Doing that caused the client to register itself properly in both forward and
reverse lookup zones. However, apparently, the DHCP server is also
registering the reverse lookup IP with host.our.ds.domain.mil. When you do a
reverse lookup on the client, you get both FQDNs back in the response.

The two problems with this are first, to make this work, each client has to
be touched to configure that DNS namespace to register it properly and
second, we need to get the DHCP server to stop doing this registration for
AD in the BIND servers.

It'd be ideal if we could just have the Windows DHCP server update the BIND
servers with the proper DNS suffix. I've looked around the Internet and it
doesn't seem as if there are too many people with different namespaces
between BIND and AD trying to do what we're doing. If the namespaces
matched, this would work perfectly. Unfortunately, we are not in a position
to change either namespace, so we have to make this work somehow.

Anyone have any ideas?

Thanks in advance,

Joe



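Pulling the thread's advice together (Joe's address-based allow-update, Chris Buxton's and Joe Yao's point that dynamic data belongs in its own subdomain, and the slave/.jnl behaviour Chris Thompson explains), here is an added named.conf fragment for the master; it is written for this page and is not from any of the posters. The zone and file names follow Joe's message; the child zone name, the reverse zone name, the key name and the secret are placeholders.

```conf
// Master server. The acl is the proof-of-concept setting from the thread:
// it trusts every source address in the DHCP range, so any host on that
// network (or anything spoofing an address in it) can add or delete records.
// Kept only to show what the keyed version replaces.
acl "dynamic-update" { 10.10.0.0/16; };

// TSIG key shared with the updating host. PLACEHOLDER secret: generate a
// real one with dnssec-keygen and keep it out of any config you publish.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

// Static parent zone: no allow-update at all, so the file can still be
// edited by hand and the zone never grows a .jnl file.
zone "bind.domain.mil" {
    type master;
    file "hosts";
    // "hosts" must also carry the NS record delegating dhcp.bind.domain.mil
};

// Dynamic child zone (placeholder name): accepts an update only when the
// request is signed with the key above, not on source address alone.
zone "dhcp.bind.domain.mil" {
    type master;
    file "dhcp.hosts";
    allow-update { key "dhcp-update"; };
    // allow-update { dynamic-update; };   // the unauthenticated variant
    journal "dhcp.hosts.jnl";   // what rndc freeze/thaw flushes on the master
};

// Reverse zone for the DHCP range (placeholder name), same rule.
zone "10.10.in-addr.arpa" {
    type master;
    file "hosts.rev";
    allow-update { key "dhcp-update"; };
};

// On a slave the same zones are "type slave" with a masters {} list and no
// allow-update: changes arrive by IXFR, which is why slaves get .jnl files
// and why rndc freeze has nothing to act on there.
```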