Re: Instructions to use delv to test DNS configured domain before DS uploaded to parent
And to answer my own question, as I finally found the section in the manual here: https://bind9.readthedocs.io/en/latest/dnssec-guide.html#verification

On Wed, 13 Dec 2023, Brett Delmage via bind-users wrote:

> Sorry, I pasted the wrong version (too many remote shells open today). Should be:
>
>   ii  bind9        1:9.18.19-1~deb12u1  amd64  Internet Domain Name Server
>   ii  bind9-utils  1:9.18.19-1~deb12u1  amd64  Utilities for BIND 9
>
> On Wed, 13 Dec 2023, Brett Delmage wrote:
>
>> I previously used delv with a manually made trust/key file to test that a DNSSEC-enabled zone was generated correctly. Despite searching for all kinds of terms I cannot find those instructions (in readthedocs I believe). Could someone please point me there?
>>
>> bind9, bind9-dnsutils: 9.18.15
>>
>> Thanks.
>> Brett

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Instructions to use delv to test DNS configured domain before DS uploaded to parent
Sorry, I pasted the wrong version (too many remote shells open today). Should be:

  ii  bind9        1:9.18.19-1~deb12u1  amd64  Internet Domain Name Server
  ii  bind9-utils  1:9.18.19-1~deb12u1  amd64  Utilities for BIND 9

On Wed, 13 Dec 2023, Brett Delmage wrote:

> I previously used delv with a manually made trust/key file to test that a DNSSEC-enabled zone was generated correctly. Despite searching for all kinds of terms I cannot find those instructions (in readthedocs I believe). Could someone please point me there?
>
> bind9, bind9-dnsutils: 9.18.15
>
> Thanks.
> Brett
Instructions to use delv to test DNS configured domain before DS uploaded to parent
I previously used delv with a manually made trust/key file to test that a DNSSEC-enabled zone was generated correctly. Despite searching for all kinds of terms I cannot find those instructions (in readthedocs I believe). Could someone please point me there?

bind9, bind9-dnsutils: 9.18.15

Thanks.
Brett
Re: Best DNSSEC documentation for current version?
On Mon, 21 Jun 2021, John W. Blue via bind-users wrote:

> Have you seen the webinar videos on ISC's youtube channel? https://www.youtube.com/user/ISCdotorg/search?query=DNSSEC

No! I would not have thought to look there for this -- although I learn all kinds of other things on YT. Many thanks for pointing this out to us all. I will definitely look at this. It looks extensive!

Brett
Re: Best DNSSEC documentation for current version?
On Mon, 21 Jun 2021, Ondřej Surý wrote:

> you haven't said the version, but readthedocs.io has a version picker, so you can go with the version you are interested in (v9.16 and up) with "latest" referring to the latest stable branch (v9.16.xx).

Thanks for letting me know about this. I seem to have missed that because I accessed the DNSSEC Guide directly from a duckduckgo search and so did not realize this docs listing site worked this way. (I thought it was just another ISC domain; I never thought to look at the root.)

Brett

> Ondřej
Best DNSSEC documentation for current version?
I am looking to read the best documentation on DNSSEC configuration for the current versions of BIND.

Is this comprehensive and up to date? https://bind9.readthedocs.io/en/latest/dnssec-guide.html

This doc does not refer to any version - am I missing that? It seems that this is an important detail to know when attempting to apply such a document.

Is there anything else I have missed that isn't misleading, especially with regard to key management, on the ISC site or elsewhere? Right now I am feeling there are gaps in my knowledge and/or comprehension. I don't want to get further confused.

Thanks for your tips!
Brett
Re: No more support for windows - Yay
On Sat, 5 Jun 2021, Reindl Harald wrote:

> besides that - i didn't hear a serious reasoning for a native named binary on windows these days and given there are tons of ways running a linux binary compared to 20 years ago i call it a waste of time
>
> * more complex code implies more errors

Some errors being security-related, which in the case of BIND servers used by MANY users is a very bad situation.

Furthermore, are there even any 'important' Windows primary servers that serve the open internet or many users (authoritative or resolving), rather than only serving closed/internal private or commercial interests?

If some entity is already wasting money on MS software and licenses and BIND is important to them, then they should also support development and pay for support just like they pay MS.

I do believe ISC should be more clear about the intended platforms for BIND. It's not a crime to not support one corporation's specific and different platform.

Brett
no _smtp_tls in published zone
I have added the following two records

  _mta-sts.BrettDelmage.ca.   180 IN TXT "v=STSv1; id=2021060102;"
  _smtp._tls.BrettDelmage.ca. 180 IN TXT "TLSRPTv1; rua=mailto:br...@brettdelmage.ca;

to a signed zone to enable Mail Transfer Agent Strict Transport Security.

When I run

  /var/lib/bind/master# named-compilezone -k warn -o - BrettDelmage.ca BrettDelmage.ca

I get the expected error for the leading _, but only for _mta_sts.

  BrettDelmage.ca:21: mta_sts.BrettDelmage.ca: bad owner name (check-names)
  zone BrettDelmage.ca/IN: loaded serial 2021060110
  BrettDelmage.ca. 180 IN SOA cacloud.brettdelmage.ca. hostmaster.BrettDelmage.ca. 2021060110 180 300 1814400 3600
  ...
  _mta-sts.BrettDelmage.ca.   180 IN TXT "v=STSv1; id=2021060102;"
  _smtp._tls.BrettDelmage.ca. 180 IN TXT "TLSRPTv1; rua=mailto:br...@brettdelmage.ca;
  ...
  OK

When I load the zone I can fetch _mta-sts.BrettDelmage.ca

  dig @127.0.0.1 _mta-sts.brettdelmage.ca txt +short
  "v=STSv1; id=2021060102;"

but not _smtp._tls.BrettDelmage.ca.:

  dig @127.0.0.1 _smtp._tls.brettdelmage.ca txt

  ; <<>> DiG 9.16.16-Ubuntu <<>> @127.0.0.1 _smtp._tls.brettdelmage.ca txt
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37893
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1232
  ; COOKIE: a70534bd6a80a8c7010060b70dbd54a4db11f1a5b7d1 (good)
  ;; QUESTION SECTION:
  ;_smtp._tls.brettdelmage.ca.    IN      TXT

  ;; AUTHORITY SECTION:
  BrettDelmage.ca.        180     IN      SOA     cacloud.brettdelmage.ca. hostmaster.BrettDelmage.ca. 2021060110 180 300 1814400 3600

- named -v
  BIND 9.16.16-Ubuntu (Stable Release)

What am I doing wrong here?

Thanks!
Brett
Re: Trying again on SERVFAIL
> The internet isn't always on and it isn't only composed of big tech companies with lots of resources.

like Google's gmail, which has had hours-long service outages from time to time? ;-)
Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)
On Wed, 5 Aug 2020, Mark Andrews wrote:

> If I use the example zone on that page *no* errors are reported. If I modify restarchitect.com to have an A record at _acme-challenge.restarchitect.com then errors will be reported.

I certainly did get an error originally. I would not have found this page if I didn't have the error message to search for.

After reviewing my command history I have concluded that it is possible that I originally tested with an A, not TXT record, thus causing the error. Then I switched it, unaware of the difference to check-names.

Thanks for the in-depth 'proof'. I have removed check-names now and it works as it should.

Brett
Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)
On Wed, 5 Aug 2020, Mark Andrews wrote:

> Your key name usage is not consistent. acmesh-ottawatch != ottawatch-acmesh

Thank you! Fixed and working.

> Why are you adding `check-names warn;`? check-names does NOT apply to TXT records.

Previously I was getting the error "bad owner name (check-names)". So a search for that error led me to this page https://linux.m2osw.com/setting-bind-get-letsencrypt-wildcards-work-your-system-using-rfc-2136 which states

"The check-names option is required in case the name letsencrypt adds _acme-challenge to your list of known sub-domains. The underscore character is not liked by BIND9. This is because it is not part of the domain name specification. It is not allowed at all. By default BIND will generate an error and log it and skip over that entry entirely (i.e. it will not serve that zone at all, albeit all the other zones will work just fine.) You can also set this parameter to ignore. In that case, no warning is emitted in your logs. Here is the error you get ("bad owner name") when a name uses characters that are not supposed to be used in a domain name:

  09-Feb-2019 03:02:31.988 general: error: /var/lib/bind/restarchitect.com.zone:31: _acme-challenge.restarchitect.com: bad owner name (check-names)

The check-names option is currently the only way to fix this problem (i.e. you can't use an escape for that one specific letter.)"

--- Is this incorrect? My same error went away when I added it. I certainly was not familiar with the option earlier.

I am running BIND 9.16.5 from Ondřej's PPA for Ubuntu 18.04

That page's "Create and Setup an HMAC Key" uses dnssec-keygen to create the dynamic key, which I understand has been deprecated in newer versions. Is that correct? (as I mentioned, I used ddns-confgen.)

> Thanks for full details.

Thank you for looking at them! Often, preparing a complete help request helps me see something I am overlooking that is incorrect, so then I don't need to send a help plea and look like an idiot. Just not in this report, although an earlier version led me to seeing another problem, which was good.

Brett

> Mark
>
>> On 5 Aug 2020, at 08:44, Brett Delmage wrote:
>>
>> I'm having a problem getting nsupdate to work, as shown below. (Despite reading the man pages I'm not 100% clear about the exact scope of the grant options and it may not be right. Examples would be helpful.)
>>
>> I generated the key:
>>
>>   ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
>>
>>   # To activate this key, place the following in named.conf, and
>>   # in a separate keyfile on the system or systems from which nsupdate
>>   # will be run:
>>   key "acmesh-ottawatch." {
>>           algorithm hmac-sha256;
>>           secret ;
>>   };
>>
>> - this is included in my named.conf
>>
>> My config file zone entry has the statements
>>
>>   check-names warn;
>>   update-policy {
>>           grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt;
>>   };
>>
>> to permit the update and limit the scope. As I understand, I need check-names (warn | ignore) because _acme-challenge has an underscore. (How the heck did LE come up with an incompatible name?)
>>
>> Here's my nsupdate script:
>>
>>   # cat test-acme
>>   server cacloud.ottawatch.ca
>>   zone ottawatch.ca
>>   debug
>>   update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
>>   send
>>
>>   # nsupdate -k acmesh-ottawatch.ca test-acme
>>   Sending update to 2607:7b00:7200:1::281a:5de2#53
>>   Outgoing update query:
>>   ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42504
>>   ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>>   ;; ZONE SECTION:
>>   ;ottawatch.ca.                  IN      SOA
>>
>>   ;; UPDATE SECTION:
>>   _acme-challenge.ottawatch.ca. 999 IN  TXT     "test 1"
>>
>>   ;; TSIG PSEUDOSECTION:
>>   acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0
>>
>>   Reply from update query:
>>   ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 42504
>>   ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>>   ;; ZONE SECTION:
>>   ;ottawatch.ca.                  IN      SOA
>>
>>   ;; TSIG PSEUDOSECTION:
>>   acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0
>>
>>   Sending update to 2607:7b00:7200:1::281a:5de2#53
>>   Outgoing update query:
>>   ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 32884
>>   ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>>   ;; ZONE SECTION:
>>   ;ottawatch.ca.                  IN      SOA
>>
>>   ;; TSIG PSEUDOSECTION:
>>   acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0
>>
>>   # dig _acme-challenge.ottawatch.ca. txt
>>   - the TXT RR has not been added
>>
>>   ; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
>>   ;; global options: +cmd
>>   ;; Got answer:
>>   ;; ->>HEADER<<- opcode: QUERY, status
Cannot get nsupdate to work (for letsencrypt acme.sh client)
I'm having a problem getting nsupdate to work, as shown below. (Despite reading the man pages I'm not 100% clear about the exact scope of the grant options and it may not be right. Examples would be helpful.)

I generated the key:

  ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca

  # To activate this key, place the following in named.conf, and
  # in a separate keyfile on the system or systems from which nsupdate
  # will be run:
  key "acmesh-ottawatch." {
          algorithm hmac-sha256;
          secret ;
  };

- this is included in my named.conf

My config file zone entry has the statements

  check-names warn;
  update-policy {
          grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt;
  };

to permit the update and limit the scope. As I understand, I need check-names (warn | ignore) because _acme-challenge has an underscore. (How the heck did LE come up with an incompatible name?)

Here's my nsupdate script:

  # cat test-acme
  server cacloud.ottawatch.ca
  zone ottawatch.ca
  debug
  update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
  send

  # nsupdate -k acmesh-ottawatch.ca test-acme
  Sending update to 2607:7b00:7200:1::281a:5de2#53
  Outgoing update query:
  ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42504
  ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
  ;; ZONE SECTION:
  ;ottawatch.ca.                  IN      SOA

  ;; UPDATE SECTION:
  _acme-challenge.ottawatch.ca. 999 IN  TXT     "test 1"

  ;; TSIG PSEUDOSECTION:
  acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0

  Reply from update query:
  ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 42504
  ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
  ;; ZONE SECTION:
  ;ottawatch.ca.                  IN      SOA

  ;; TSIG PSEUDOSECTION:
  acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0

  Sending update to 2607:7b00:7200:1::281a:5de2#53
  Outgoing update query:
  ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 32884
  ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
  ;; ZONE SECTION:
  ;ottawatch.ca.                  IN      SOA

  ;; TSIG PSEUDOSECTION:
  acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0

  # dig _acme-challenge.ottawatch.ca. txt
  - the TXT RR has not been added

  ; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ; COOKIE: f735fda5ecb9479301005f29e1bed617055d59cb5d75 (good)
  ;; QUESTION SECTION:
  ;_acme-challenge.ottawatch.ca.  IN      TXT

  ;; AUTHORITY SECTION:
  ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900

  ;; Query time: 0 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Tue Aug 04 18:31:26 EDT 2020
  ;; MSG SIZE  rcvd: 140

What am I missing or doing wrong, please?
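The threads above turn on which names check-names actually inspects: Mark Andrews points out that it does not apply to TXT records, and the "bad owner name" error only appeared when an A record sat at an underscore-prefixed owner name. The Python below is an added example (mine, not code from the thread or from BIND) that models the rule as the BIND ARM documents it: owner names of A, AAAA and MX records are checked for hostname syntax, as are the target names inside NS, SOA, MX and SRV RDATA; everything else, TXT included, is left alone. The hostname label syntax (RFC 952/1123 letters, digits and hyphens) and the simplified one-record-per-line zone format are this example's assumptions.

```python
import re

# Record types whose OWNER name check-names inspects (per the BIND ARM).
OWNER_CHECKED = {"A", "AAAA", "MX"}
# Record types whose RDATA carries a domain name that is also inspected;
# the value is the index of that name in the whitespace-split RDATA
# (NS target, SOA MNAME, MX exchange, SRV target).
RDATA_CHECKED = {"NS": 0, "SOA": 0, "MX": 1, "SRV": 3}

# Hostname label syntax assumed here (RFC 952/1123): letters, digits and
# hyphens, no leading or trailing hyphen. Underscore is not in the set.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_hostname(name: str) -> bool:
    """True if every label of `name` has hostname syntax."""
    labels = name.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def _strip_comment(line: str) -> str:
    """Drop a ';' comment, ignoring semicolons inside double quotes (TXT data)."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            break
        out.append(ch)
    return "".join(out).strip()


def check_names_problems(zone_text: str) -> list:
    """Return (line number, offending name) for every record check-names would flag.

    Expects one record per line as 'OWNER TTL CLASS TYPE RDATA...' with fully
    qualified owner names (no $ORIGIN/$TTL handling, no multi-line parentheses),
    which is enough for the records discussed in the thread.
    """
    problems = []
    for lineno, raw in enumerate(zone_text.splitlines(), start=1):
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, _ttl, _cls, rtype, *rdata = fields
        rtype = rtype.upper()
        if rtype in OWNER_CHECKED and not is_hostname(owner):
            problems.append((lineno, owner))
        idx = RDATA_CHECKED.get(rtype)
        if idx is not None and idx < len(rdata) and not is_hostname(rdata[idx]):
            problems.append((lineno, rdata[idx]))
    return problems


# Constructed sample zone (example.test is not a real zone) in the shape of the
# thread's records: the same underscore owner as TXT (fine) and as A (flagged),
# an _mta-sts TXT, an underscore host, and an SRV whose owner is never checked.
SAMPLE_ZONE = """\
example.test.                 900 IN SOA  ns1.example.test. hostmaster.example.test. 2020080501 900 180 2419200 900
example.test.                 900 IN NS   ns1.example.test.
ns1.example.test.             900 IN A    192.0.2.1
_acme-challenge.example.test. 999 IN TXT  "test 1"
_acme-challenge.example.test. 999 IN A    192.0.2.2
_mta-sts.example.test.        180 IN TXT  "v=STSv1; id=2021060102;"
bad_host.example.test.        900 IN AAAA 2001:db8::1
_sip._tcp.example.test.       900 IN SRV  10 5 5060 sip.example.test.
"""

if __name__ == "__main__":
    for lineno, name in check_names_problems(SAMPLE_ZONE):
        print(f"line {lineno}: {name}: bad owner name (check-names)")
```

Only lines 5 and 7 are reported; the two TXT records and the SRV record load untouched, which is why `check-names warn;` was never needed for the ACME TXT record.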
Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?
On Wed, 29 Jul 2020, Mark Andrews wrote:

> Make sure you are using the CORRECT name in the dig query. You used ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca.

Thanks Mark... so tired I didn't see that when staring at it. (Blame grass allergies and terrible heat lately.)

> Also you can delete and add in the same UPDATE operation. Remove the first "send" in nsupdate.script.

Yes, thanks for the tip. I did man nsupdate :-) I had nsupdate debug enabled earlier, so split this up while testing.

> Also ottawatch.ca has DS records but the zone is not signed. You need to fix this as lookups are failing for anyone that is validating responses.

Again, testing artifact. Domain is actually signed but I disabled that and took it out of the config to simplify while testing. Domain is not live for anything now but my kicking around so no harm done except to eagle eyes like yours who look up DNSSEC chain of trust :-)

Thanks for your second look and premiere response.

Brett

p.s. this Mailman list is slightly misconfigured. I have DKIM signing and a DMARC policy, so get lots of failure reports when I post to this list. Any chance you guys could toggle that flag so the list doesn't break DKIM signing? It's a straight-forward toggle; I use it on Mailman lists I run.
nsupdate apparently not working for me. What am I overlooking / doing wrong?
nsupdate works according to updated contents of a dynamic zonefile but dig does not report the added A record. What am I doing stupidly here?

BIND version 1:9.16.5-1+ubuntu18.04.1 - both authoritative and local recursive

zone config:

  zone "ottawatch.ca" {
          type master;
          file "/var/lib/bind/master/ottawatch.ca";
          allow-transfer { key "pannier-xfer"; };
          notify yes;
          update-policy {
                  grant ddns-key.ottawatch.ca subdomain ottawatch.ca.;
          };
  };

[do I have the correct update-policy syntax?]
(I also tried "update-policy local" with nsupdate -l, with same results.)

  # nsupdate -D -k ddns-key.ottawatch.ca nsupdate.script

nsupdate.script:

  server 127.0.0.1
  zone ottawatch.ca.
  update del ddns-update.ottawatch.ca. a
  send
  update add ddns-update.ottawatch.ca. 999 a 3.4.5.8
  send

zone DB after update and "rndc sync" executed to incorporate .jnl:

  $ORIGIN .
  $TTL 900        ; 15 minutes
  ottawatch.ca            IN SOA  cacloud.ottawatch.ca. hostmaster.ottawatch.ca. (
                                  2020072808 ; serial
                                  900        ; refresh (15 minutes)
                                  180        ; retry (3 minutes)
                                  2419200    ; expire (4 weeks)
                                  900        ; minimum (15 minutes)
                                  )
                          NS      cacloud.ottawatch.ca.
                          NS      pannier.ottawatch.ca.
                          A       206.248.172.47
                          MX      10 mail1.ottawajazzscene.ca.
                          TXT     "v=spf1 a ip4:206.248.172.47 -all"
  $ORIGIN ottawatch.ca.
  cacloud                 A       23.111.69.176
                          AAAA    2607:7b00:7200:1::281a:5de2
  $TTL 999        ; 16 minutes 39 seconds
  ddns-update             A       3.4.5.8          <--- nsupdate worked (it seems)
  $TTL 900        ; 15 minutes
  pannier                 A       206.248.172.47
                          AAAA    2607:f2c0:a000:1d1::73:1

  # dig -4 @cacloud.ottawatch.ca cacloud.ottawatch.ca. a

  ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca cacloud.ottawatch.ca. a
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1862
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ; COOKIE: 195a1192604da78e01005f20daf7193b36ec5545d879 (good)
  ;; QUESTION SECTION:
  ;cacloud.ottawatch.ca.          IN      A

  ;; ANSWER SECTION:
  cacloud.ottawatch.ca.   900     IN      A       23.111.69.176

  ;; Query time: 0 msec
  ;; SERVER: 23.111.69.176#53(23.111.69.176)
  ;; WHEN: Tue Jul 28 22:12:07 EDT 2020
  ;; MSG SIZE  rcvd: 93

BUT dig does not report the nsupdate-added a record (NXDOMAIN):

  # dig -4 @cacloud.ottawatch.ca ddns-key.ottawatch.ca. a

  ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca ddns-key.ottawatch.ca. a
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49598
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ; COOKIE: 6db0ccbd0085ecca01005f20db0f7cdb769b038236f9 (good)
  ;; QUESTION SECTION:
  ;ddns-key.ottawatch.ca.         IN      A

  ;; AUTHORITY SECTION:
  ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072808 900 180 2419200 900

  ;; Query time: 0 msec
  ;; SERVER: 23.111.69.176#53(23.111.69.176)
  ;; WHEN: Tue Jul 28 22:12:31 EDT 2020
  ;; MSG SIZE  rcvd: 133

A record added to the dynamic zone file manually works:

  dig -4 @cacloud.ottawatch.ca bb.ottawatch.ca. a

  ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca bb.ottawatch.ca. a
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8033
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ; COOKIE: 8feed7fd82821e9a01005f20dc3de1670c37be1dadbc (good)
  ;; QUESTION SECTION:
  ;bb.ottawatch.ca.               IN      A

  ;; ANSWER SECTION:
  bb.ottawatch.ca.        900     IN      A       3.4.5.9

  ;; Query time: 0 msec
  ;; SERVER: 23.111.69.176#53(23.111.69.176)
  ;; WHEN: Tue Jul 28 22:17:33 EDT 2020
  ;; MSG SIZE  rcvd: 88

END OF DETAILS
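Two things went wrong across the nsupdate threads above: the `grant` named a key (`ottawatch-acmesh`) that no `key` statement defined (`acmesh-ottawatch`), so the server answered REFUSED, and the earlier `grant ddns-key.ottawatch.ca subdomain ottawatch.ca.` let that key rewrite any record in the whole zone, far more than an ACME client needs. The Python below is an added example (mine, not the thread's or BIND's code) that lints a named.conf fragment for exactly those two problems. It parses only the `key "..." { }` and `zone "..." { }` statement shapes seen in the thread, and the conf fragments are constructed from those posts with a placeholder in place of the secret.

```python
import re

# Rule types accepted in an update-policy grant (the subset this example understands).
GRANT_RE = re.compile(
    r"grant\s+(\S+)\s+(name|subdomain|self|selfsub|zonesub|wildcard)\s+([^\s;]+)\s*([^;]*);"
)

UNDEFINED_KEY = "undefined-key"   # grant names a key that no `key` statement defines
WHOLE_ZONE = "whole-zone"         # grant covers every name under the zone apex
ANY_TYPE = "any-type"             # grant omits the record-type list (all types allowed)


def canon(name: str) -> str:
    """Key and domain names compare case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".")


def _blocks(conf: str, keyword: str):
    """Yield (label, body) for each `keyword "label" { body };`, matching nested braces."""
    pat = re.compile(r"\b" + keyword + r'\s+"?([^"\s{]+)"?\s*\{')
    for m in pat.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def lint_update_policy(conf: str) -> list:
    """Return (zone, key, finding) triples for every questionable grant in `conf`."""
    keys = {canon(name) for name, _ in _blocks(conf, "key")}
    findings = []
    for zone, body in _blocks(conf, "zone"):
        zone = canon(zone)
        for m in GRANT_RE.finditer(body):
            key, rule = m.group(1), m.group(2)
            target, types = canon(m.group(3)), m.group(4).split()
            if canon(key) not in keys:
                findings.append((zone, key, UNDEFINED_KEY))
            if rule == "subdomain" and target == zone:
                findings.append((zone, key, WHOLE_ZONE))
            if not types:
                findings.append((zone, key, ANY_TYPE))
    return findings


# Constructed fragment combining the two update-policy lines posted in the thread.
CONF_BEFORE = """
key "acmesh-ottawatch." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET";
};
zone "ottawatch.ca" {
    type master;
    file "/var/lib/bind/master/ottawatch.ca";
    allow-transfer { key "pannier-xfer"; };
    update-policy {
        grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt;
        grant ddns-key.ottawatch.ca subdomain ottawatch.ca.;
    };
};
"""

# The corrected form: key name matches, scope is one name and one record type.
CONF_AFTER = """
key "acmesh-ottawatch." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET";
};
zone "ottawatch.ca" {
    type master;
    file "/var/lib/bind/master/ottawatch.ca";
    update-policy {
        grant acmesh-ottawatch. name _acme-challenge.ottawatch.ca. txt;
    };
};
"""

if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, lint_update_policy(conf) or "no findings")
```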
BIND, nsupdate and acme.sh DNS authentication
On Thu, 23 Jul 2020, Michael De Roover wrote:

> For example I don't trust Manjaro's maintainers, since they screwed up their TLS certificate renewal no less than 3 times. That's complete and utter incompetence on their part. How they didn't already put certbot in a cron job after the first time is beyond me.

To get this topic back on topic for this list:

When you are creating Let's Encrypt wildcard certificates you must use a DNS authentication protocol with letsencrypt. I am using the acme.sh client which was recommended for wildcard certificates. https://github.com/acmesh-official/acme.sh

If you are running your own nameserver you also need to enable dynamic updates so that the acme.sh client can create TXT records during certificate acquisition and renewal.

However I have found that getting zone dynamic updates (authentication, specifically) working with nsupdate (which acme.sh uses) and BIND has been a PITA. I haven't been overly impressed with the debug capabilities to help get nsupdate working properly.
Re: root.hints access errors with Ubuntu BIND 9.16.4 16.04 PPA
On Fri, 10 Jul 2020, Mark Andrews wrote:

> The file names in named.conf. "/etc/bind/dns" is a directory. Directories are not zone files. Telling named to read a directory as a zone file is not useful. Search for '"/etc/bind/dns"' and correct the file name.

Thanks Mark. Sometimes one can stare at the obvious and not see it (and maybe it's also that it's pushing 30C here today, with no aircon and I almost fell asleep this afternoon). Duh.

All is (s)well.

cheers
Brett
root.hints access errors with Ubuntu BIND 9.16.4 16.04 PPA
I installed BIND 9.16.4-Ubuntu (Stable Release) from the Ubuntu stable PPA linked to on the ISC site. https://launchpad.net/~isc/+archive/ubuntu/bind

After restart, BIND failed with this status:

  service bind9 status
  ● bind9.service - BIND Domain Name Server
     Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2020-07-09 15:18:38 EDT; 5s ago
       Docs: man:named(8)
    Process: 4834 ExecStart=/usr/sbin/named -f -u bind (code=exited, status=1/FAILURE)
   Main PID: 4834 (code=exited, status=1/FAILURE)
  ...
  Jul 09 15:18:38 pannier named[4834]: generating session key for dynamic DNS
  Jul 09 15:18:38 pannier named[4834]: sizing zone task pool based on 31 zones
  Jul 09 15:18:38 pannier named[4834]: could not configure root hints from '/usr/share/dns/root.hints': permission denied
  Jul 09 15:18:38 pannier named[4834]: loading configuration: permission denied
  Jul 09 15:18:38 pannier named[4834]: exiting (due to fatal error)
  Jul 09 15:18:38 pannier systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
  Jul 09 15:18:38 pannier systemd[1]: bind9.service: Failed with result 'exit-code'.

but permissions seemed readable:

  find /usr/share/dns -ls
  1577746    4 drwxr-xr-x   2 root     root         4096 Nov 27  2019 /usr/share/dns
  1575480    4 -rw-r--r--   1 root     root          166 Jan 31  2018 /usr/share/dns/root.ds
  1575840    4 -rw-r--r--   1 root     root          864 Jan 31  2018 /usr/share/dns/root.key
  1575770    4 -rw-r--r--   1 root     bind         3315 Jan 31  2018 /usr/share/dns/root.hints

I thought it might be an apparmor profile issue, so I added the path to profile usr.sbin.named for read permission and restarted apparmor without change.

Next, I copied /usr/share/dns/ to /etc/bind/dns which should already be readable. Now I get this very odd error:

  named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2020-07-09 15:25:49 EDT; 2s ago
       Docs: man:named(8)
    Process: 5742 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
   Main PID: 5742 (code=exited, status=1/FAILURE)

  Jul 09 15:25:49 pannier named[5742]: generating session key for dynamic DNS
  Jul 09 15:25:49 pannier named[5742]: sizing zone task pool based on 31 zones
  Jul 09 15:25:49 pannier named[5742]: dns_master_load: /etc/bind/dns:1: isc_lex_gettoken() failed: I/O error
  Jul 09 15:25:49 pannier named[5742]: dns_master_load: /etc/bind/dns:1: I/O error
  Jul 09 15:25:49 pannier named[5742]: could not configure root hints from '/etc/bind/dns': I/O error
  Jul 09 15:25:49 pannier named[5742]: loading configuration: I/O error
  Jul 09 15:25:49 pannier named[5742]: exiting (due to fatal error)
  Jul 09 15:25:49 pannier systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
  Jul 09 15:25:49 pannier systemd[1]: named.service: Failed with result 'exit-code'.

Permissions on /etc/bind/dns:

  278669    4 drwxr-sr-x   2 root     root         4096 Nov 27  2019 dns
  271737    4 -rw-r--r--   1 root     root          166 Jan 31  2018 dns/root.ds
  272958    4 -rw-r--r--   1 root     root          864 Jan 31  2018 dns/root.key
  272932    4 -rw-r--r--   1 root     bind         3315 Jan 31  2018 dns/root.hints

I'm puzzled at this point. What to check next, please?

Brett
Re: DNS security, amplification attacks and recursion
On Tue, 7 Jul 2020, Tony Finch wrote:

> Brett Delmage wrote:
>
>> On Tue, 7 Jul 2020, Tony Finch wrote:
>>
>>> minimal-any yes;
>>
>> Why only reduce and not eliminate?
>
> The reason is a bit subtle. If an ANY query comes via a recursive resolver, it is much better to give the resolver an answer so that it will put an entry in its cache...

This is a very interesting and clear explanation. Thanks for taking the time to share this Tony.

TIL :-)

Brett
Re: DNS security, amplification attacks and recursion
On Tue, 7 Jul 2020, Shumon Huque wrote:

> Cloudflare themselves now implement the "minimal any" behavior described in this spec: https://tools.ietf.org/html/rfc8482
>
>   cloudflare.com.         3789    IN      HINFO   "RFC8482" ""

Gee, that's a pretty minimal answer! Thanks.
Re: DNS security, amplification attacks and recursion
On Tue, 7 Jul 2020, Tony Finch wrote:

> Reduce the size of responses to ANY queries, which are a favourite tool of amplification attacks. There's basically no downside to this one, in my opinion, but I'm biased because I implemented it.
>
>   minimal-any yes;

Why only reduce and not eliminate? Can ANY responses be disabled completely with an option?

This article at cloudflare https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/ states that they have deprecated it because it wasn't being used. They should know! This was posted over 5 years ago, in 2015.

Brett
Canadian registrars that properly support ipv6 and DNSSEC ?
Not quite on-topic, but consider this an essential element of making my BIND signing, authoritative server and name service work well.

Does anyone know of or ideally have experience with Canadian (CIRA-authorized) and ideally _Canadian-based_ .ca registrars that handle DNSSEC and IPv6 properly?

I've been using namespro.ca for years. They are friendly and responsive, but I still have to file a ticket to submit an IPv6 nameserver address or DS record. They have not moved ahead on this. Thankfully, these are not frequent activities. It would be nice to be able to automate it with an API, especially with newer support for key rotation.

I guess I could automate sending of an email request to support using a BIND hook... :-p

Brett
Re: Question about Recommended stress test tools for bind.
On Thu, 25 Jun 2020, Chuck Aurora wrote:
> On 2020-06-25 04:10, Techs-yama wrote:
>> Hi, bind forks !
> I'm a spoon, not a fork! :)

418 I'm a teapot!
Latest BIND ARM is missing from docs page?
On Mon, 15 Jun 2020, Evan Hunt wrote:
> On Sun, Jun 14, 2020 at 06:38:38PM -0400, Brett Delmage wrote:
>> Is this ARM the most recent version?
> No, the current stable release is 9.16. The "primary" and "secondary" keywords were added in 9.12.

Then is the ISC ARM directory page https://kb.isc.org/docs/aa-01031 outdated? The most recent version listed here is 9.14 - which is now EOL according to your own page at https://www.isc.org/bind/

What am I missing, other than those two controversial words in the most recent ARM version you list?
Re: BIND Masters and slaves
After I feel I have mastered DNS and BIND after slaving over the docs and code for years (I'm not there yet, and I have not) how am I going to communicate this to people? How will I be able to master anything technical anymore? Should I just stop trying?

Thesaurus.com suggests that one could call one type of DNS server the "crackerjack" server instead. I guess that's an improvement over "cracked". "Ace" server is a suggested alternative too, and it's nicely terse.

https://www.thesaurus.com/browse/master?s=t
Re: BIND Masters and slaves
On Sun, 14 Jun 2020, Vinícius Ferrão wrote:
> ISC had a statement about it a time ago: https://twitter.com/ISCdotORG/status/942815837299253248

Thanks. I vaguely recalled something but my search didn't turn this up.
BIND Masters and slaves
I just read GitHub, Android, Python, Go: More Software Adopts Race-Neutral Terminology at https://developers.slashdot.org/story/20/06/14/173/github-android-python-go-more-software-adopts-race-neutral-terminology

The BIND 9.11 Administrator Reference Manual at https://kb.isc.org/docs/aa-01493 still refers to masters and slaves. Is this ARM the most recent version? Are there any discussions about changing terms?

Anyway, when one is talking about BDSM^H^H^H^H BIND, "master" and "slave" are the established terms, I believe?
Re: DoH plugin for BIND
On Sat, 2 May 2020, Michael De Roover wrote:
> Even if your ISP allows it, chances are that other mail servers will reject it

Nope, not always. My residential-class static IP mail server has never had problems delivering mail. I've checked it many times over the years on many blacklist checkers and never had anything but green lights. Of course I have met all the email best practices for years: SPF, DKIM, reverse pointer, etc.

Even though email is not secure, I still feel better knowing that emails end up in MY server via opportunistic TLS transport, and not in some Yahoo's or surveillance capitalist's data store.

Underlying all this are my own DNSSEC-enabled BIND servers, of course.
Re: DoH plugin for BIND
On Sat, 2 May 2020, Paul Kosinski via bind-users wrote:
> How many ISPs allow traffic on port 25? My impression is that even many (non-enterprise) business customers can't use port 25.

Mine does. It's a major Canadian independent ISP. They allow servers too. I run postfix and secondary DNS (bind) and apache servers on my static-IP residential line. I could even order a netblock again if I want to. My monthly rate is the same or lower than big telecom's offerings.
Security issues with Ubuntu bind9 11.9.3?
> 9.14.10 is the current stable release and 9.11.15 is the current extended support release. Unless you know something is broken in 9.14.10 (unlikely) that would be the version to $
> You absolutely should not be running a bind version several years old, as 9.11.4 is.

But 1:9.11.3+dfsg-1ubuntu1.1 is the version that Ubuntu 18.04 LTS supports, and will continue to for 2 more years. Clearly, it is earlier than 9.11.4.

Has Ubuntu properly patched it for relevant security updates? Is it safe to run? Of course it will be missing the latest features and software defects (which I am exploring on a test server using a version I compiled myself).

Brett
Re: Options for build configure documented anywhere?
On Mon, 23 Dec 2019, Dns Admin wrote:
> Hi Brett,
> ./configure -h
> Will give you list of the available options.

Thanks Peter! Duh, I don't know why I never tried -h here. I use/try it (or --help) everywhere else... I guess I didn't think that configure would report any domain specific help.

Today I learned something.

Brett
Options for build configure documented anywhere?
I'm building bind-9.15.7 on Ubuntu 18.04, so I can try some of the newest features. I have never built bind before. I configured and compiled using the default options just fine, after installing a few requisite libraries. I was pleasantly surprised.

Next, I would like to build with the same options as the distro default bind9-9.11.3+dfsg uses as a starting point. So I ran named -V to get the as-built options, below.

Are the build configure switches for 9.15 documented clearly anywhere? I've looked all over and cannot find descriptions anywhere to help me decide which ones I need.

Thank you.

Brett

--build=x86_64-linux-gnu \
--prefix=/usr/local \
--includedir=/usr/local/include \
--mandir=/usr/local/share/man \
--infodir=/usr/local/share/info \
--sysconfdir=/etc/bind915 \
--localstatedir=/var \
--localstatedir=/ \
--disable-silent-rules \
--libdir=/usr/lib/x86_64-linux-gnu \
--libexecdir=/usr/lib/x86_64-linux-gnu \
--disable-maintainer-mode \
--disable-dependency-tracking \
--sysconfdir=/etc/bind- \
--with-python=python3 \
--enable-threads \
--enable-largefile \
--with-libtool \
--enable-shared \
--enable-static \
--with-gost=no \
--with-openssl=/usr \
--with-gssapi=/usr \
--with-libjson=/usr \
--without-lmdb \
--with-gnu-ld \
--with-geoip=/usr \
--with-atf=no \
--enable-ipv6 \
--enable-rrl \
--enable-filter- \
--enable-native-pkcs11 \
--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so \
--with-randomdev=/dev/urandom \
--with-eddsa=no \
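As an added example for this thread (not BIND's code and not something posted to the list): a script that pulls the switch names out of the `built by make with` line that `named -V` prints and checks them against what a newer source tree's `./configure -h` documents, folding `--disable-x`/`--without-x` onto the `--enable-x`/`--with-x` names configure lists. Both inputs embedded below are constructed samples in the shape of those two outputs; the help text is not the real 9.15.7 output, so run the script on your own `named -V` and `./configure -h` output to get the actual answer.

```python
"""Which configure switches from an existing build does a newer tree's
./configure -h still recognise?

Added example for this thread, not BIND code. NAMED_V_SAMPLE and
CONFIGURE_HELP_SAMPLE are constructed stand-ins for real named -V and
./configure -h output.
"""
import re

OPT_RE = re.compile(r"--[A-Za-z0-9][A-Za-z0-9-]*")


def normalise(flag):
    """Fold the negative spellings autoconf accepts onto the documented name."""
    for neg, pos in (("--disable-", "--enable-"), ("--without-", "--with-")):
        if flag.startswith(neg):
            return pos + flag[len(neg):]
    return flag


def flags_from_named_v(text):
    """Switch names (values stripped) from the 'built by make with' line."""
    m = re.search(r"built by make with (.*)", text)
    line = m.group(1) if m else text
    return sorted({normalise(f) for f in OPT_RE.findall(line)})


def flags_from_configure_help(text):
    """Switch names ./configure -h documents, one at the start of each indented
    line. Generic placeholders such as --enable-FEATURE are dropped: autoconf
    prints those for every tree and they match nothing real."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"\s+(--[A-Za-z0-9-]+)", line)
        if m and not re.search(r"[A-Z]", m.group(1)):
            found.add(normalise(m.group(1)))
    return found


def unsupported(named_v_text, help_text):
    """Switches of the old build that the new configure does not document."""
    known = flags_from_configure_help(help_text)
    return [f for f in flags_from_named_v(named_v_text) if f not in known]


# Constructed sample in the shape of `named -V` output.
NAMED_V_SAMPLE = """\
BIND 9.11.3 (Extended Support Version)
running on Linux x86_64
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--sysconfdir=/etc/bind' '--disable-silent-rules' '--enable-threads' '--with-openssl=/usr' '--without-lmdb' '--with-gost=no' '--with-randomdev=/dev/urandom' '--enable-rrl'
"""

# Constructed sample in the shape of `./configure -h` output (not real 9.15.7 output).
CONFIGURE_HELP_SAMPLE = """\
  -h, --help              display this help and exit
  --build=BUILD           configure for building on BUILD [guessed]
  --prefix=PREFIX         install architecture-independent files in PREFIX
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --disable-silent-rules  verbose build output (undo: "make V=0")
  --enable-rrl            enable response rate limiting
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --with-openssl=PATH     build with OpenSSL
  --with-lmdb=PATH        build with LMDB library
"""

if __name__ == "__main__":
    for flag in unsupported(NAMED_V_SAMPLE, CONFIGURE_HELP_SAMPLE):
        print("not documented by the new configure:", flag)
```

Switches that drop out of the list are the ones to look up in the release notes rather than copy blindly; a switch that still exists may also have changed its default. The standard autoconf directory switches (--prefix, --libdir and so on) are accepted by every autoconf-generated configure and appear in every --help, so they never show up as missing.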