Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Ondřej,

> On 27. Feb 2024, at 16:43, Ondřej Surý  wrote:
> 
> Carsten, could you please file a feature request in the GitLab?


Done, #4606.

Greetings

Carsten

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Jim,

> On 27. Feb 2024, at 16:39, Jim P. via bind-users  
> wrote:
> 
> There should also be an option to display the current configuration in
> specific detail to easily create a new KASP (side question: why does DNS
> need a new acronym?)

The term “KASP” for “Key-and-signing-policy” has been around in the DNS 
community for many years. I remember first hearing that term when .SE (Sweden) 
started signing their TLD in 2005. 

In the beginning of DNSSEC deployment, the KASP was a document that defined how 
DNSSEC is implemented for a given DNS zone (that is still a good practice: 
writing down the DNSSEC algorithms used, key sizes, rollover intervals etc.). 

In the last years, improvements in the DNS server software (OpenDNSSEC, Knot 
DNS, but also BIND 9) made it possible to define the KASP in the software, 
which makes it easier to match the KASP document with the KASP configuration on 
the server itself.

From my view, this is a good development.

Greetings

Carsten



Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Matthijs,

On 27 Feb 2024, at 15:54, Matthijs Mekking wrote:

> - When migrating to dnssec-policy, make sure the configuration matches your 
> existing keys.

Most problems I've seen so far have to do with this step: admins "think" 
they have created a configuration that matches the current keys, but they 
haven't (for one reason or another; it happens to me, despite working a lot with 
DNSSEC and BIND 9).

It would be nice to have a "dry-run" mode in BIND 9, where BIND 9 would report 
the steps it would take because of "dnssec-policy", but would not execute the changes.

That way, admins can create a configuration with "dry-run" mode enabled, check 
the logfiles, and if the actions in the log-file match the expectations, the 
"dry-run" mode can be removed and the new configuration will become active.

Greetings

Carsten
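The "dry-run" that the post asks for can be approximated before the zone is switched over. What follows is an added example written for this page; it is not a BIND tool and not code from the thread. It parses the keys clause of a dnssec-policy together with the K*.key / K*.private files of the zone (the policy text and the key file contents below are constructed samples, and check_migration() is a hypothetical helper), reports keys whose algorithm the policy does not cover, and also flags keys whose Inactive/Delete times have already passed but whose files are still in the key directory, which is the situation described in the "Old ZSK refuses to retire" post further down this page.

```python
import re
from datetime import datetime, timezone

# Algorithm names used in "dnssec-policy ... keys { ... algorithm NAME; }"
# mapped to the DNSSEC algorithm numbers that appear in key files.
ALG_NUMBERS = {
    "rsasha256": 8, "rsasha512": 10, "ecdsap256sha256": 13,
    "ecdsap384sha384": 14, "ed25519": 15, "ed448": 16,
}


def parse_policy_keys(conf_text):
    """[(role, algorithm_number), ...] from the keys { ... } clause; each
    statement has the form 'zsk lifetime P30D algorithm NAME [BITS];'."""
    match = re.search(r"keys\s*\{(.*?)\};", conf_text, re.S)
    if not match:
        raise ValueError("dnssec-policy has no keys clause")
    result = []
    for stmt in match.group(1).split(";"):
        words = stmt.split()
        if words:
            alg_name = words[words.index("algorithm") + 1].lower()
            result.append((words[0].lower(), ALG_NUMBERS[alg_name]))
    return result


def parse_key_file(key_text):
    """(flags, algorithm) from the DNSKEY RR in a K*.key file, whose layout is
    <owner> [ttl] IN DNSKEY <flags> <protocol> <algorithm> <public key>."""
    for line in key_text.splitlines():
        fields = line.split()
        if fields and not line.startswith(";") and "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            return int(fields[i + 1]), int(fields[i + 3])
    raise ValueError("no DNSKEY record in key file")


def past_timing_fields(private_text, now):
    """Names of the Inactive/Delete fields in a K*.private file that lie in the past."""
    past = []
    for line in private_text.splitlines():
        name, _, value = line.partition(":")
        if name in ("Inactive", "Delete"):
            when = datetime.strptime(value.strip(), "%Y%m%d%H%M%S")
            if when.replace(tzinfo=timezone.utc) <= now:
                past.append(name)
    return past


def check_migration(conf_text, key_files, now):
    """key_files: [(basename, key_text, private_text), ...]. Returns a list of
    findings; an empty list means the policy covers every key found on disk."""
    policy = parse_policy_keys(conf_text)
    findings = []
    for name, key_text, private_text in key_files:
        flags, alg = parse_key_file(key_text)
        role = "ksk" if flags & 1 else "zsk"   # SEP bit set: KSK (or CSK); clear: ZSK
        wanted = [a for r, a in policy if r == role or (r == "csk" and role == "ksk")]
        if alg not in wanted:
            findings.append(f"{name}: {role.upper()} uses algorithm {alg}, "
                            f"policy defines {wanted or 'no key of that role'}")
        past = past_timing_fields(private_text, now)
        if past:
            findings.append(f"{name}: {'/'.join(past)} time already passed but the "
                            "key files are still present; check that the zone no longer uses it")
    return findings


# ---- constructed sample input (not real keys) -------------------------------
POLICY = """
dnssec-policy "migrated" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P30D algorithm ecdsap256sha256;
    };
};
"""
KSK = ("Kexample.com.+013+12345",
       "; This is a key-signing key, keyid 12345, for example.com.\n"
       "example.com. 3600 IN DNSKEY 257 3 13 (public-key-omitted)\n",
       "Private-key-format: v1.3\nAlgorithm: 13 (ECDSAP256SHA256)\n"
       "Created: 20230101000000\nPublish: 20230101000000\nActivate: 20230101000000\n")
OLD_ZSK = ("Kexample.com.+008+23456",
           "example.com. 3600 IN DNSKEY 256 3 8 (public-key-omitted)\n",
           "Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"
           "Created: 20230101000000\nPublish: 20230101000000\nActivate: 20230101000000\n"
           "Inactive: 20230601000000\nDelete: 20230701000000\n")
NOW = datetime(2024, 2, 27, tzinfo=timezone.utc)


def run_check():
    return check_migration(POLICY, [KSK, OLD_ZSK], NOW)


if __name__ == "__main__":
    for finding in run_check() or ["policy matches the keys on disk"]:
        print(finding)
```

Run against a real key directory, the check only compares algorithms and timing; key sizes for RSA policies and the lifetime values would need the same treatment, and the comparison says nothing about the state file that named keeps next to the keys.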


Old ZSK refuses to retire

2023-04-26 Thread Carsten Strotmann via bind-users
Hi,

I have a situation where in a BIND 9 zone with dnssec-policy and 
inline-signing, after a ZSK rollover, the (old) ZSK is refusing to retire. 
Although the timing metadata shows the retire and deletion dates in the past, 
the ZSK is still in the zone and is signing the records (along with the new 
ZSK, so there are two ZSK RRSigs on each RRSet).

Setting new retire/inactive + deletion times with dnssec-settime (with 
parameter -s to update the state file) does not help either.

Removing the key files will stop the key being active (there are no new RRSigs 
generated from this key), but the DNSKEY record still stays in the zone. 

Any idea how to recover from such a situation (other than removing the signed 
zone and journals and re-signing the zone again)?

Greetings

Carsten



KASP: sharing policy and keys between views

2023-03-17 Thread Carsten Strotmann via bind-users
Hi,

(please do not start a discussion on the usefulness of views. I'm not in favor 
of views, but sometimes I have to work with them).

I have a client that runs a split horizon (internal / external view of the same 
domain namespace) setup with BIND 9 on Linux.

Both the internal and external views of the domain are DNSSEC signed.

In the past, the setup was using "auto-dnssec maintain;" on a common, shared 
key directory with manually created keys. Both zones in both views fetched the 
keys and did the signing. This setup was stable and working fine.

Because "auto-dnssec maintain;" is deprecated, we're evaluating changing the 
setup to use a shared DNSSEC KASP definition, pointing to the same key 
directory (using shared keys and a shared state file).

The test setup has run without issues for one month now and has successfully done 
3 ZSK rollovers in that time (KSK rollovers are manual). So it *seems* like a 
working configuration. We have not seen errors or race conditions (but we might 
have been lucky).

Does anyone here have experience with a similar setup, or deeper insight into 
the code, and can tell me if this is a possible solution to operate a DNSSEC 
signed split horizon setup?

Greetings

Carsten Strotmann




Re: DNSTAP overload condition logging

2021-11-19 Thread Carsten Strotmann

Hi Chris,

Chris Buxton writes:

> Hi Carsten,
>
> From our reading of the code, it appears that when the buffer fills
> up, it refuses to accept new entries. Older events are not
> overwritten, but newer events are refused. The fstrm_iothr_submit()
> function can return success, failure, or “fstrm_res_again”, which
> indicates the queue is full.
>
> BIND stats reports two counters, dnstapSuccess and dnstapDropped. It
> appears that the dropped counter is incremented for either failure
> condition.



Thanks, that's what I was looking for :)

Greetings from Iceland

Carsten


DNSTAP overload condition logging

2021-11-18 Thread Carsten Strotmann

Hi,

How can a BIND 9 operator detect a DNSTAP overload condition?

My understanding is that BIND 9 worker threads write DNSTAP information
into a circular buffer in memory, which is then read by a different
thread to write out the data (to file or socket).

Is there any indication to the user (log message, marker in DNSTAP data)
in the situation where BIND 9 receives more DNSTAP events than it could
write out, so that older events get overwritten in the buffer?

I've read dnstap.c and I could not find a hint, but I could have missed
it.

Greetings

Carsten


Re: How to measure use of forwarders?

2021-11-18 Thread Carsten Strotmann

Hello Richard,

"Parkin, Richard (R.)" writes:

> Hello!
>
> We recently re-addressed some of our external-facing cache servers into
> a new network and discovered that our IPs appear to be blackholed going
> to certain third-party auth servers, either intentionally or
> unintentionally. Our workaround while we sort through these issues is
> implementing forwarders.
>
> I’d like to understand how much traffic is flowing to each forwarder
> (QPS, etc) and monitor that for any issues. Is there a way to do that
> effectively in Bind without putting some kind of network device on the
> outbound path to measure it? If not, does anyone have any suggestions?

I've done a webinar this week for ISC on the topic of "Instrumenting BIND 9
on Linux with BCC/eBPF". In this webinar, I've used logging of forwarding
decisions as one example to instrument BIND 9 with eBPF. The bpftrace
script I've presented might work as a starting point to create custom
BIND 9 logging for forwarding operations, which does not slow down the
operation of the BIND 9 server itself.

A recording of the webinar is available at


Greetings

Carsten


Status of zytrax.com "DNS for Rocket Scientists" website

2021-04-19 Thread Carsten Strotmann

Hi,

does anyone know about the status of the zytrax.com website and the 
excellent "DNS for Rocket Scientists" guide?


The webpage first had an x509 certificate error (expired) in December 
2020 and now the web server is unreachable.


I (and colleagues) have tried to reach Ron Aitchison by mail and other 
communication means, but no success.


Greetings

Carsten


Re: Wildcard DNS records

2018-03-15 Thread Carsten Strotmann
Hello Stefano,

Chiesa, Stefano  writes:

> Hello all.
> I manage several BIND 9.10.4-P8 servers with more or less 600 DNS zones.
> Anyway I never used wildcard DNS record and I hope you can help me to 
> understand.
>
> The need is:
> * I have a dns zone i.e. example.com
> * this zone will have an unknown number of sub domains, let's say 
> siteA.example.com, siteB.example.com, siteC.example.com with other record 
> inside
>
> I need to know if it is possible to create an A record valid for all the sub 
> domains, WWW for instance.
>
> I thought that a record like this:
> www.* IN A 1.2.3.4
>
> could work and if I'd query www.siteA.example.com it would return 1.2.3.4 ... 
> but it does not work.
>
> Can you tell me if it is possible and how?

I did a webinar for Men & Mice a while ago explaining DNS wildcards
and their limits. Video and slides are online:


Slides:


> I thought that a record like this:
> www.* IN A 1.2.3.4

DNS Wildcards only work on the leftmost label, not "inside" a domain
name.

See also RFC 4592 for a good discussion on DNS wildcards.

Best regards

Carsten
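The two rules in the reply (a "*" that is not the leftmost label is an ordinary label, and a wildcard only matches when no closer name exists) are easier to see with a lookup that follows RFC 4592 step by step. This is an added example written for this page, not code from the thread or from BIND; the zone contents are constructed, and queries are assumed to be at or below the zone apex.

```python
def labels(name):
    """Owner name -> tuple of lowercase labels: 'www.Example.com.' -> ('www', 'example', 'com')."""
    return tuple(name.rstrip(".").lower().split("."))


def lookup(zone, qname):
    """zone: {owner: rdata}. Returns (status, matched_owner, rdata) where status is
    NOERROR (exact or wildcard match), NODATA (the name exists only as an empty
    non-terminal, so nothing is synthesized) or NXDOMAIN."""
    records = {labels(owner): rdata for owner, rdata in zone.items()}
    # every owner and every ancestor of an owner "exists" (RFC 4592, section 2.2.2)
    existing = {owner[i:] for owner in records for i in range(len(owner))}
    q = labels(qname)
    if q in records:                          # exact match: wildcards are never consulted
        return "NOERROR", qname, records[q]
    if q in existing:                         # empty non-terminal: exists, but has no data
        return "NODATA", None, None
    # closest encloser: the longest existing ancestor of the query name
    for i in range(1, len(q)):
        ancestor = q[i:]
        if ancestor in existing:
            wildcard = ("*",) + ancestor
            if wildcard in records:           # synthesize from the "*" child of the encloser
                return "NOERROR", ".".join(wildcard) + ".", records[wildcard]
            return "NXDOMAIN", None, None     # closest encloser has no "*" child
    return "NXDOMAIN", None, None


# Constructed zone: siteA has records of its own, siteB and siteC do not.
ZONE = {
    "example.com.":       "SOA ns1.example.com. hostmaster.example.com. (...)",
    "sitea.example.com.": "A 192.0.2.10",
    "*.example.com.":     "A 192.0.2.1",
    "www.*.example.com.": "A 192.0.2.2",   # literal "*" in the middle: not a wildcard
}

if __name__ == "__main__":
    for name in ("www.siteb.example.com.", "www.sitea.example.com.",
                 "www.*.example.com.", "foo.www.*.example.com."):
        print(name, "->", lookup(ZONE, name))
```

For Stefano's case the interesting line is www.sitea.example.com.: because sitea.example.com. has its own records it becomes the closest encloser, and *.example.com. is not consulted, so every site that carries other records needs its own *.siteX.example.com. (or an explicit www record).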


Re: TLD Registries supporting RFC 7344/8078

2018-03-14 Thread Carsten Strotmann
Hello Stephane,

Stephane Bortzmeyer <bortzme...@nic.fr> writes:

> On Tue, Mar 13, 2018 at 10:52:50AM +0100,
>  Carsten Strotmann <c...@strotmann.de> wrote
>  a message of 19 lines which said:
>
>> is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078)
>> already supported at the TLD level somewhere? I know it is implemented
>> in BIND 9.11+ and Knot, but can it be used in the real Internet :)
>
> I believe that .cz does it, you have to ask your neighbors.

Thanks, I've got a ".cz" domain and will start some testing ;)

I hope there will be more adoption of this protocol from other TLDs.

Greetings

Carsten


TLD Registries supporting RFC 7344/8078

2018-03-13 Thread Carsten Strotmann
Hi,

is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078) already
supported at the TLD level somewhere? I know it is implemented in BIND
9.11+ and Knot, but can it be used in the real Internet :)

I searched the usual places but cannot find any information indicating
support at TLD level.

Greetings

Carsten



Re: SOA Minimum comment in "dig" output

2018-02-12 Thread Carsten Strotmann

Hi,
 
here is a question I've got during a DNS training, and I still do not
have a good answer:
 


RFC 2308 "DNS NCACHE" defines the last field of the SOA RR as "the TTL of
negative responses".
 
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +noall +answer +multi +cmd soa example.com
;; global options: +cmd
example.com.            86326 IN SOA dns1.example.com. hostmaster.example.com. (
                                2018013002 ; serial
                                900        ; refresh (15 minutes)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                900        ; minimum (15 minutes)
                                )
   
Why is dig still showing the old description "minimum" about the meaning
of the field?
 

 
Is there a good answer? This behaviour of "dig" is irritating users.
 
Best regards
 
Carsten



BIND 9.10 IPv6 performance

2015-03-08 Thread Carsten Strotmann
Hi,

I'm doing some performance tests on some modern Haswell CPU machines (20
cores) using Ubuntu Linux 14.04 (Kernel 3.13.0-46-generic) using BIND
9.10.1-P2 compiled with --with-tuning=large.

Using 8 worker threads I get near 400K QPS via IPv4 UDP (from a hot
cache without resolving), which is good. CPU utilization as seen by
top is near 800%, as expected (8 cores fully used).

When I switch BIND 9 to listen on IPv6 only, the performance drops to
less than 60K QPS.

When I run the tests using Unbound (same machine, same OS, 8 threads), I
do not see a significant difference between the IPv4 and IPv6
performance, which should rule out an issue in the kernel or with the
DNS load generation.

Testing with 9.9.6-P2 shows a similar pattern.

The configuration is simple:

options {
    directory "/var/named";
    listen-on { none; };
    listen-on-v6 { any; };
    recursive-clients 1;
    tcp-clients 1000;
    allow-recursion { 2001:db8::/48; };
};

zone "." {
    type hint;
    file "root.hint";
};


Has anyone seen such a performance drop on IPv6?

Carsten




Re: size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
Hello Shumon,

Shumon Huque shu...@gmail.com writes:

> On Sat, Feb 21, 2015 at 7:35 AM, Carsten Strotmann c...@strotmann.de
> wrote:
>
>> Hi,
>>
>> I'm trying to build an automated update system for OPENPGPKEY records
>> with BIND 9 9.9.6-P2 and nsupdate.
>>
>> I've verified the TSIG keys, I can add and remove TXT records with the
>> key under the domain name.
>>
>> Adding a 6K PGP key as OPENPGPKEY does fail with
>>
>> 21-Feb-2015 13:24:19.714 dns_rdata_fromtext: buffer-0x7f04662e14f0:1:
>> near eof: unexpected end of input
>> invalid rdata format: unexpected end of input
>>
>> Below is the debug output from nsupdate:
>
> I also encountered this limit in nsupdate when I attempted to create my
> OPENPGPKEY record a while back (I should have sent in a bug report then).
> Until the bug is fixed, I'd suggest using alternative dynamic update
> tools. Here's a snippet of python code I used for myself (needs the
> dnspython module):

Thanks, this is very useful. 

---

Carsten Strotmann
Email: c...@strotmann.de
Blog: strotmann.de


Re: size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
Hello Mukund,

Mukund Sivaraman m...@isc.org writes:

> On Sun, Feb 22, 2015 at 12:20:28AM +1100, Mark Andrews wrote:
>>
>> I doubt that it is a buffer issue.  The input text buffer is 128K which
>> should be big enough for a 64K rdata.
>
> At the top of nsupdate.c, MAXCMD is (128 * 1024) in master and v9_10
> whereas it is (4 * 1024) in v9_9. This is probably causing it.
>
> Carsten: Can you mail bind9-bugs@ so that a ticket is created (and we'll
> follow up on that)?

Will do.

The same update works with nsupdate from 9.9.7rc2, using the OPENPGPKEY RR
Type (not the generic RR representation).

-- 
Carsten Strotmann
Email: c...@strotmann.de
Blog: strotmann.de


Re: size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
Addition: this is how the nsupdate line for the record looks

add
f437b55d4fb40f93bbfa04802a6a2bcf8b69d5ee93d1b53259e6e4fc._openpgpkey.sys4.de. IN
TYPE61 \# 3340 99020d[]

The RDATA size after \# seems to be correct.

-- 
Carsten Strotmann
Email: c...@strotmann.de
Blog: strotmann.de



size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
Hi,

I'm trying to build an automated update system for OPENPGPKEY records
with BIND 9 9.9.6-P2 and nsupdate.

I've verified the TSIG keys, I can add and remove TXT records with the
key under the domain name.

Adding a 6K PGP key as OPENPGPKEY does fail with 

21-Feb-2015 13:24:19.714 dns_rdata_fromtext: buffer-0x7f04662e14f0:1:
near eof: unexpected end of input
invalid rdata format: unexpected end of input

Below is the debug output from nsupdate:

setup_system()
Creating key...
namefromtext
keycreate
reset_system()
user_interaction()
do_next_command()
do_next_command()
do_next_command()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  44542
;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;f437b55d4fb40f93bbfa04802a6a2bcf8b69d5ee93d1b53259e6e4fc._openpgpkey.sys4.de. IN SOA

;; AUTHORITY SECTION:
_openpgpkey.sys4.de. 900 IN SOA danens1.sys4.de. hostmaster.sys4.de. 103 7200 3600 3542400 900

;; TSIG PSEUDOSECTION:
f437b55d4fb40f93bbfa04802a6a2bcf8b69d5ee93d1b53259e6e4fc._openpgpkey.sys4.de. 0 ANY TSIG hmac-sha256. 1424521459 300 32 1e+FXn+fpeSOtiwXfC4KsDQwyGYO8q5VtS95aqhwJGw= 44542 NOERROR 0 

Found zone name: _openpgpkey.sys4.de
The master is: danens1.sys4.de
send_update()
Sending update to 5.45.109.212#53
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  10928
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
f437b55d4fb40f93bbfa04802a6a2bcf8b69d5ee93d1b53259e6e4fc._openpgpkey.sys4.de. 0 ANY ANY

;; TSIG PSEUDOSECTION:
f437b55d4fb40f93bbfa04802a6a2bcf8b69d5ee93d1b53259e6e4fc._openpgpkey.sys4.de. 0 ANY TSIG hmac-sha256. 1424521459 300 32 BoYO8mOklQiZXgOvcM0zGpw+wzuhVQj0Qx1yOBvCu3s= 10928 NOERROR 0 

Out of recvsoa
update_completed()
tsig verification successful
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  10928
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;_openpgpkey.sys4.de.   IN  SOA

;; TSIG PSEUDOSECTION:
f437b55d4fb40f93bbfa04802a6a2bcf8b69d5ee93d1b53259e6e4fc._openpgpkey.sys4.de. 0 ANY TSIG hmac-sha256. 1424521459 300 32 LAa1ANz/k/B+TwEfMSjw2A+OMPxQQgHZRuvM6uY8WMY= 10928 NOERROR 0 
done_update()
reset_system()
user_interaction()
do_next_command()
update_addordelete()
21-Feb-2015 13:24:19.714 dns_rdata_fromtext: buffer-0x7f04662e14f0:1:
near eof: unexpected end of input
invalid rdata format: unexpected end of input
syntax error

Is there an error in the generic RR syntax (generated by
hash-slinger)?
 
Might this be a buffer issue?


-- 
Carsten Strotmann
Email: c...@strotmann.de
Blog: strotmann.de

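The two questions at the end of the post (is the generic RR syntax right, and is it a buffer issue) can be separated with a small check. This is an added example written for this page, not code from the thread and not part of nsupdate: it validates an RFC 3597 generic-RDATA field of the form "\# <length> <hex>", builds the single-line "add" command nsupdate reads, and compares that line against the two MAXCMD values Mukund quotes further up in the thread. The owner name and the 3340-byte payload are constructed, and the rule that a command line plus its newline must fit in MAXCMD bytes is an assumption about how the buffer is used.

```python
MAXCMD_9_9 = 4 * 1024       # nsupdate.c in BIND 9.9, per the thread
MAXCMD_9_10 = 128 * 1024    # BIND 9.10 and master, per the thread


def parse_generic_rdata(text):
    """Decode '\\# <len> <hex...>' (RFC 3597) into bytes, checking the declared length."""
    fields = text.split()
    if len(fields) < 2 or fields[0] != r"\#":
        raise ValueError("generic RDATA must start with \\# <length>")
    declared = int(fields[1])
    if declared > 0xFFFF:
        raise ValueError(f"RDLENGTH is a 16-bit field; {declared} is too large")
    hexdata = "".join(fields[2:])          # whitespace inside the hex is allowed
    if len(hexdata) % 2:
        raise ValueError("odd number of hex digits")
    data = bytes.fromhex(hexdata)          # raises ValueError on non-hex characters
    if len(data) != declared:
        raise ValueError(f"declared length {declared} but {len(data)} bytes of hex given")
    return data


def is_valid_generic_rdata(text):
    try:
        parse_generic_rdata(text)
        return True
    except ValueError:
        return False


def nsupdate_add_line(owner, rrtype, rdata, ttl=3600):
    """The one-line 'add' command nsupdate reads for this record."""
    return f"add {owner} {ttl} IN {rrtype} \\# {len(rdata)} {rdata.hex()}"


def fits_input_buffer(line, maxcmd):
    """True if the line plus its newline fits into a MAXCMD-byte input buffer
    (assumption: nsupdate reads one command per line into such a buffer)."""
    return len(line.encode("ascii")) + 1 <= maxcmd


# Constructed 3340-byte payload standing in for an OPENPGPKEY (TYPE61) RDATA.
SAMPLE_RDATA = bytes(range(256)) * 13 + bytes(range(12))
# Constructed owner: <hash>._openpgpkey.<zone>, as for a real OPENPGPKEY record.
OWNER = "0123456789abcdef0123456789abcdef0123456789abcdef01234567._openpgpkey.example.com."


def sample_line():
    return nsupdate_add_line(OWNER, "TYPE61", SAMPLE_RDATA)


if __name__ == "__main__":
    line = sample_line()
    rdata_text = line.split(" ", 5)[5]            # everything after the type
    print("RDATA bytes:", len(parse_generic_rdata(rdata_text)))
    print("command line bytes:", len(line))
    print("fits BIND 9.9 buffer (4K):", fits_input_buffer(line, MAXCMD_9_9))
    print("fits BIND 9.10 buffer (128K):", fits_input_buffer(line, MAXCMD_9_10))
```

A 3340-byte RDATA needs 6680 hex characters on the line, so the command is well over the 4K buffer of 9.9 while the RDATA itself is valid, which is consistent with the "unexpected end of input" error and with the same update working on a later version.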


Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-25 Thread Carsten Strotmann
Hello Mark,

Mark Andrews ma...@isc.org writes:

> Actually it is useless to change the salt regularly.  Changing the
> salt provides no real benefit against discovering the names in a
> zone which is the reason people were saying to change the salt.
>
> The attacker uses cached NSEC3 records.  When it gets a cache miss
> it asks the servers for the zone, puts the answer in the cache and
> continues.  When the salt changes it just maintains multiple nsec3
> chains, eventually discarding the old nsec3 chain.  I
> would wait until the new NSEC3 chain has as many cached records as
> the old NSEC3 chain.  Changing the salt slows things up minimally
> for a very short period of time after the change.  Additionally
> once you have some names you ask for those names for a non-existing
> type to quickly pull in part of the new NSEC3 chain you know exists.
>
> The only reason to change the salt is if you have a collision of
> the hashed names.  This will be a very very very rare event. 

This is new for me (I must somehow have missed it if this was previously
discussed). I do not want to give useless or misguiding advice.

I do not understand how the NSEC3 hash can be defeated by an
attacker. Could you give a link to additional information or could you
explain the issue with NSEC3 salt in other words?

Best regards

Carsten

-- 
Carsten Strotmann
Email: c...@strotmann.de
Blog: strotmann.de


Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-24 Thread Carsten Strotmann
Hello Johannes,

Johannes Kastl m...@ojkastl.de writes:

> Hi everyone,
>
> I read quite a bit on DNSSEC in the last couple of weeks, and found
> that BIND can automatically rollover the ZSK without manual intervention.
>
> I also found the recommendation, to change the NSEC3 salt each time
> the key is rolled over.
>
> What I did not find is, if BIND can also automatically change the salt
> each time it does a ZSK rollover. Cos that would be quite handy...


I'm not aware that BIND 9 can do a ZSK rollover all on its own; it is
however possible to set the timing values on the ZSK key files in a way
that BIND 9 will execute the rollover at the set times. It is also possible
to create a direct successor ZSK from an existing ZSK.

But the creation of the new ZSK, as well as setting the timing values,
needs to be done outside BIND 9. It is relatively straightforward to script
this in a cron job, and there are ready-made tools that can help.

In the same cron job, it is then possible to create a new NSEC3 salt and
inject that into the zone. Doing so at the exact moment of the ZSK key
rollover (to prevent unnecessary re-generation of all RRSIGs) is 
tricky.

If the zone is not too big (e.g. re-generating all RRSIGs is not a
problem), I would recommend rolling the salt in the same intervals, but
independently from the ZSK rollover.

-- 
Carsten Strotmann
Email: c...@strotmann.de
Blog: dnsworkshop.org


Re: DNS slave not synced after successfully zone transfer

2014-07-24 Thread Carsten Strotmann
John Miller johnm...@brandeis.edu writes:

> On Linux, at least, nslookup is a deprecated tool: dig is better in
> many ways.  In Windows, obviously, nslookup is all you've got by
> default :-(  John

In the latest Windows releases (8.1, 2012R2 Server), nslookup has been
replaced by PowerShell Resolve-DnsName
http://technet.microsoft.com/en-us/library/jj590781.aspx 

So even Windows Admins need to plan for a future without nslookup 
(which is a good thing, believe me).

And there is dig for Windows as part of the BIND 9 for Windows
package from ISC -- ftp://ftp.isc.org/isc/bi…-P2/BIND9.10.0-P2.x64.zip

-- 
Carsten Strotmann
Email: c...@strotmann.de
Blog: dnsworkshop.org

Re: Can someone please translate entries from query.log file?

2014-07-16 Thread Carsten Strotmann
Mark Andrews ma...@isc.org writes:

> Truly, you need to upgrade.  The latest BIND 9 should still build
> and run on Solaris 8 though that hasn't been tested in years.  You
> will need to install a C99 or later based compiler.


Hi Samad Agha,

I've a working Solaris 8 development environment where I can build BIND 9
installer packages. The latest I've built is 9.9.3-P2 with
Response-Rate-Limiting patches, but I can build the latest 9.9.5 version
for you next week if you do not have your own build environment.

You can find 9.9.3-P2 at
http://support.menandmice.com/download/bind/solaris/9/sparc/9.9.3-P2/

Best regards

Carsten 
-- 
Carsten Strotmann
Email: c...@strotmann.de
Blog: strotmann.de


Re: What means -EDC in bind9 logs ?

2014-04-24 Thread Carsten Strotmann
Jean-François Leroux leroux.jeanfranc...@gmail.com writes:

> Hi, 
> must be a stupid question but I hadn't noticed before that some
> queries in my server are labelled like that
>
> query  IN A -ED (or EDC, or EC)
>
> What does this mean ?

you'll find the documentation for query-log entries in the BIND
Administrators Reference Manual (ARM), search for The category phrase.

- : query received was an iterative query (no-recursion, RD flag clear)
E : query indicated support for EDNS0 on the sender side
D : query had DO flag (DNSSEC OK) set, sender understands DNSSEC
C : query had CD flag set (DNSSEC checking disabled), requestor
    wants to see all DNSSEC data, even if it does not validate

Best regards

Carsten
Date: Thu, 24 Apr 2014 11:35:00 +0200
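A parser that expands the flag field makes this table usable over a whole query log, for instance to see how much of a server's traffic is DNSSEC-aware. This is an added example written for this page, not code from the thread or from BIND. The log lines are constructed in the layout of the "queries" category; the meanings of "-", E, D and C are the ones given in the reply above, the "+" (recursion desired), S (TSIG signed) and T (TCP) letters are taken from the ARM's description of that log format, and the "E(0)" spelling that newer named versions use for the EDNS version is normalised before decoding.

```python
import re
from collections import Counter

# Meaning of each character in the flag field of a "queries" log line.
FLAG_MEANINGS = {
    "+": "recursion desired (RD set)",
    "-": "iterative query (RD clear)",
    "S": "TSIG signed",
    "E": "EDNS0 present",
    "T": "received over TCP",
    "D": "DO flag set (DNSSEC OK)",
    "C": "CD flag set (checking disabled)",
}

# client [@0x<ptr>] <addr>#<port> (<qname>): query: <name> <class> <type> <flags> (<local>)
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<addr>\S+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>[+-]\S*)"
)


def normalise_flags(flags):
    """Newer named prints the EDNS version as 'E(0)'; reduce that to a plain 'E'."""
    return re.sub(r"E\(\d+\)", "E", flags)


def decode_flags(flags):
    """'-EDC' -> list of human-readable meanings; unknown letters are reported as such."""
    return [FLAG_MEANINGS.get(ch, f"unknown flag {ch!r}") for ch in normalise_flags(flags)]


def parse_query_log(line):
    """Dict for one query-log line, or None if the line is not a query entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    entry["decoded"] = decode_flags(entry["flags"])
    return entry


def summarize(lines):
    """Count queries per flag: how much of the traffic is recursive, EDNS-capable,
    DNSSEC-aware (DO) or explicitly asks for unvalidated data (CD)."""
    counts = Counter()
    for line in lines:
        entry = parse_query_log(line)
        if entry:
            counts["total"] += 1
            for ch in normalise_flags(entry["flags"]):
                counts[ch] += 1
    return counts


# Constructed sample lines (not a real log), in the layout of the queries category.
LOG_LINES = [
    "24-Apr-2014 11:35:00.001 queries: info: client 192.0.2.10#53211 (www.example.com): "
    "query: www.example.com IN A -ED (192.0.2.1)",
    "24-Apr-2014 11:35:00.002 queries: info: client 192.0.2.11#40000 (example.com): "
    "query: example.com IN DNSKEY -EDC (192.0.2.1)",
    "24-Apr-2014 11:35:00.003 queries: info: client 192.0.2.12#41234 (mail.example.com): "
    "query: mail.example.com IN MX + (192.0.2.1)",
    "24-Apr-2014 11:35:00.004 queries: info: client @0x7f3c2c0a1e40 2001:db8::5#5353 "
    "(example.net): query: example.net IN AAAA +E(0)TD (2001:db8::1)",
    "24-Apr-2014 11:35:00.005 general: info: zone example.com/IN: loaded serial 2014042401",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        entry = parse_query_log(line)
        if entry:
            print(entry["addr"], entry["name"], entry["type"], entry["flags"], "->",
                  "; ".join(entry["decoded"]))
    print(dict(summarize(LOG_LINES)))
```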

Re: All client resolvers support DNSSEC compatible queries ???

2014-04-24 Thread Carsten Strotmann
Hello Jeronimo,

Jeronimo L. Cabral jelocab...@gmail.com writes:

> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian,
> Windows 7, Red Hat and CentOS.
>
> If we implement DNSSEC validation support in our BIND9 server...how
> can I know if our hosts' resolvers are compatible with DNSSEC queries
> ???


client host resolvers are usually not DNSSEC aware today. Certain
applications (Browser with a DNSSEC validator plugin, postfix MTA ...)
running on a client can be DNSSEC aware.

You can enable DNSSEC validation support on a BIND 9 caching server that
is used as a resolver by your clients. BIND 9 9.9.x already comes with
DNSSEC validation enabled, for older versions you need to enable it
manually in the configuration.

Legacy (non DNSSEC aware) clients will send just regular DNS queries
towards the BIND 9 caching resolver. BIND 9 will send queries with the
DO-Flag (DNSSEC OK) towards the authoritative DNS server in the
network. For DNSSEC signed zones, BIND 9 will validate the DNSSEC
data. If the data validates without issues, the data is returned to
the client as normal DNS (no DNSSEC). If the data fails to validate, the
bad data is not sent to the clients; instead a SERVFAIL error message
is sent to the client.

DNSSEC is backwards compatible in the sense that you can enable DNSSEC
validation without the need to make changes to legacy clients.

Windows 7 and Windows 8 clients can build a special trust relationship
with an AD integrated Windows DNS Server to secure the last mile
between the client and the resolving DNS cache. However, to my knowledge
this is not possible with Windows and a BIND 9 DNS.

Best regards

Carsten


Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-21 Thread Carsten Strotmann
Hello Evan,

Evan Hunt e...@isc.org writes:

> On Thu, Mar 06, 2014 at 11:34:45AM +0100, Carsten Strotmann wrote:
>> there could be a hard-link from a name like tsig-keygen to
>> dnssec-keygen which changes the type of key created to -n HOST. That
>> would not require any change to the existing interface. Just an idea.
>>
>> I'm not suggesting to change the existing interface, as it will break
>> existing stuff.
>
> FYI, the tsig-keygen command is now available in 9.10.0b2.  (Published
> to the FTP site, should be on the web site shortly.)

Nice, thank you. I will test it.

-- Carsten


Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-06 Thread Carsten Strotmann
Hi Evan,

Evan Hunt e...@isc.org writes:

> On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
>> I agree that it might be nice to change dnssec-keygen to make the tool
>> more userfriendly. The current state-of-things is because of historic
>> developments in how DNSSEC came to birth.
>
> ...and lots of people dealing with dnssec-keygen's user-unfriendliness
> by writing shell scripts to run it, which will break if we change its
> interface now.  A lot of old mistakes have gotten chiseled into stone
> by that.

there could be a hard-link from a name like tsig-keygen to
dnssec-keygen which changes the type of key created to -n HOST. That
would not require any change to the existing interface. Just an idea.

I'm not suggesting to change the existing interface, as it will break
existing stuff.

-- Carsten



Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-06 Thread Carsten Strotmann
Hello Evan,

Evan Hunt e...@isc.org writes:

 there could be a hard-link from a name like tsig-keygen to
 dnssec-keygen which changes the type of key created to -n HOST. That
 would not require any change to the existing interface. Just an idea.

 Thanks, Carsten. I had actually had the same thought after writing my post
 last night, though I was thinking of making it a hard link to ddns-confgen
 rather than dnssec-keygen.

A link to ddns-confgen would work well.


 (Question: is ddns-confgen -q an appropriate and useful format?
 I've never understood why anybody would want TSIG keys in .key/.private
 form, but there may be a use case for it that I've overlooked.)

Yes, it is most useful. I do not have a use-case for the .key/.private
form (except existing scripts that expect these formats).

-- Carsten
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-05 Thread Carsten Strotmann
Gaurav Kansal gaurav.kan...@nic.in writes:


 I was wondering if HMAC* keys are not used for zone then why the same
 is displayed when we use dnssec-keygen -h.

the tool dnssec-keygen can be used to create both zone keys (with
-n ZONE) for DNSSEC zone signing, and host keys (with -n HOST) for
TSIG signing of the communication between hosts.

Keys of type zone are public/private key pairs
(https://en.wikipedia.org/wiki/Public-key_cryptography), whereas keys of
type host are symmetric keys
(https://en.wikipedia.org/wiki/Symmetric-key_algorithm).

To add to the confusion, dnssec-keygen generates two files when used
with -n HOST:

shell> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ns1.example.com
Kns1.example.com.+157+16495
shell> ls -l Kns1.example.com.+157+16495.*
-rw-------  1 cas  staff  124 Mar  6 08:48 Kns1.example.com.+157+16495.key
-rw-------  1 cas  staff  229 Mar  6 08:48 Kns1.example.com.+157+16495.private

These are symmetric TSIG keys; both files contain the same secret key
(although the filename extensions might indicate a public/private key
pair)!

To create a DNSSEC zone key, use:

shell> dnssec-keygen -a RSASHA512 -b 2048 -n ZONE example.com
Generating key pair...+++ ..+++ 
Kexample.com.+010+18335
shell> ls -l Kexample.com.+010+18335.*
-rw-r--r--  1 cas  staff   607 Mar  6 08:51 Kexample.com.+010+18335.key
-rw-------  1 cas  staff  1777 Mar  6 08:51 Kexample.com.+010+18335.private

This time the file with the extension .key contains the public key
(DNSKEY) resource record, and the file with the extension .private
contains the private key.

I agree that it might be nice to change dnssec-keygen to make the tool
more user-friendly. The current state-of-things is because of historic
developments in how DNSSEC came to birth.

-- Carsten
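As an added example (my own code, not from the post or from BIND), here is a small Python script that reads the two files dnssec-keygen writes for a -n HOST key, checks that the .key and .private files really carry the same secret, recomputes the key tag that appears in the file name (the RFC 4034 Appendix B computation, which BIND uses for every algorithm except RSAMD5), and renders the named.conf key statement a TSIG key is normally used with. The sample file contents are constructed to follow the dnssec-keygen layout; the key material is a made-up 16-byte value, not a real secret.

```python
import base64
import struct

# Constructed sample files in the layout dnssec-keygen writes for -n HOST keys.
# The key material is a made-up value (16 bytes of 0x01), not a real secret.
SAMPLE_TSIG_KEY = "ns1.example.com. IN KEY 512 3 157 AQEBAQEBAQEBAQEBAQEBAQ==\n"
SAMPLE_TSIG_PRIVATE = (
    "Private-key-format: v1.3\n"
    "Algorithm: 157 (HMAC_MD5)\n"
    "Key: AQEBAQEBAQEBAQEBAQEBAQ==\n"
)


def parse_key_rr(text):
    """Parse the KEY/DNSKEY line of a .key file into (owner, flags, proto, alg, keybytes)."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop the comments dnssec-keygen adds
        fields = line.split()
        if not fields:
            continue
        idx = next((i for i, f in enumerate(fields) if f in ("KEY", "DNSKEY")), None)
        if idx is None:
            continue
        flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
        keybytes = base64.b64decode("".join(fields[idx + 4:]))
        return fields[0], flags, proto, alg, keybytes
    raise ValueError("no KEY/DNSKEY record found")


def parse_private(text):
    """Parse the 'Field: value' lines of a .private file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def key_tag(flags, proto, alg, keybytes):
    """RFC 4034 Appendix B key tag over the RDATA (all algorithms but RSAMD5)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + keybytes
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_file_basename(key_text):
    """Rebuild the K<name>+<alg>+<tag> base name dnssec-keygen printed."""
    owner, flags, proto, alg, keybytes = parse_key_rr(key_text)
    return "K%s+%03d+%05d" % (owner, alg, key_tag(flags, proto, alg, keybytes))


def tsig_files_consistent(key_text, private_text):
    """For a -n HOST key both files must carry the same algorithm and secret."""
    _, _, _, alg, keybytes = parse_key_rr(key_text)
    priv = parse_private(private_text)
    priv_alg = int(priv["Algorithm"].split()[0])
    return alg == priv_alg and base64.b64decode(priv["Key"]) == keybytes


def named_conf_key_statement(key_text, algorithm_name="hmac-md5"):
    """Render the key {} clause for named.conf (the algorithm name is an argument,
    the .key file only carries the DNSSEC algorithm number)."""
    owner, _, _, _, keybytes = parse_key_rr(key_text)
    secret = base64.b64encode(keybytes).decode("ascii")
    return 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (owner, algorithm_name, secret)


if __name__ == "__main__":
    print(key_file_basename(SAMPLE_TSIG_KEY))
    print("consistent:", tsig_files_consistent(SAMPLE_TSIG_KEY, SAMPLE_TSIG_PRIVATE))
    print(named_conf_key_statement(SAMPLE_TSIG_KEY))
```

Run against real files, read the .key and .private contents into the two string arguments; a mismatch between them means the pair was edited or copied inconsistently and the key should be regenerated rather than repaired by hand.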


Re: Monitoring Zonefiletransfer

2014-02-27 Thread Carsten Strotmann

Hi Markus,

Markus Weber bumpemacve...@googlemail.com writes:

  Choose sane SOA values.  refresh and retry < expire

 I will check these values, I thought they were kind of standard values


the default SOA values on an MS DNS Server are well and good for
dynamic, internal, AD integrated DNS zones.

For use in the Internet, you might want to adjust the values; esp. the
expire value should not be too low.

This document gives some guidance on SOA values for DNS zones that are
used in the Internet 
http://meetings.ripe.net/ripe-55/presentations/koch-ripe203bis.pdf

-- Carsten
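As an added example (not from the post), a Python check that applies the ordering rule quoted above (retry < refresh < expire) to an SOA record and flags an expire value that is too low for an Internet-facing zone. The two sample records are constructed: one with the short timers typical of a dynamic, AD-integrated zone, one with timers suited to an Internet zone. The thresholds MIN_EXPIRE and MIN_REFRESH are my own rules of thumb, not figures from the post or from the RIPE document it links.

```python
# Constructed sample SOA records (not taken from the post). The first uses
# short timers of the kind seen on dynamic, AD-integrated zones; the second
# uses timers suited to a zone served over the Internet.
SOA_AD_LIKE = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
               "2014022701 900 600 86400 3600")
SOA_INTERNET = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
                "2014022701 86400 7200 3600000 172800")

# Thresholds are my own rules of thumb for Internet-facing zones (assumptions,
# not figures from the post or from RIPE-203); adjust to your environment.
MIN_EXPIRE = 7 * 86400     # secondaries should survive a week-long outage of the primary
MIN_REFRESH = 3600         # below this, secondaries poll the primary unusually often


def parse_soa(rr_text):
    """Split an SOA record in presentation format into its fields."""
    f = rr_text.split()
    i = f.index("SOA")
    serial, refresh, retry, expire, minimum = (int(x) for x in f[i + 3:i + 8])
    return {"owner": f[0], "mname": f[i + 1], "rname": f[i + 2], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}


def check_soa(rr_text):
    """Return a list of findings; an empty list means the timers look sane."""
    soa = parse_soa(rr_text)
    findings = []
    if soa["retry"] >= soa["refresh"]:
        findings.append("retry (%d) should be smaller than refresh (%d)"
                        % (soa["retry"], soa["refresh"]))
    if soa["refresh"] >= soa["expire"]:
        findings.append("refresh (%d) should be smaller than expire (%d)"
                        % (soa["refresh"], soa["expire"]))
    if soa["expire"] < MIN_EXPIRE:
        # after expire seconds without a successful transfer a secondary stops
        # answering for the zone at all, so a low value turns a primary outage
        # into a full outage quickly
        findings.append("expire (%d s) is low: secondaries stop answering %.1f days "
                        "after the last successful transfer"
                        % (soa["expire"], soa["expire"] / 86400.0))
    if soa["refresh"] < MIN_REFRESH:
        findings.append("refresh (%d s) is short for an Internet zone" % soa["refresh"])
    return findings


if __name__ == "__main__":
    for rr in (SOA_AD_LIKE, SOA_INTERNET):
        print(parse_soa(rr)["owner"], check_soa(rr) or "ok")
```

The record text can come straight from dig output (dig +short soa example.com does not include the owner, so use the full answer line).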


Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-21 Thread Carsten Strotmann
Hi Chris,

Chris Buxton cli...@buxtonfamily.us writes:

 I’d bet that the package from Men & Mice includes this script or an
 equivalent workaround. When I wrote the original script I wrote about
 above, I worked at Men & Mice.

Your script or the sleep timer is not in the package anymore, but maybe
it should be. I did some testing on our MacOS X Systems, and we also did
not receive issue reports from customers using the MacOS X installer
packages. Thanks for reminding me (us).

However I will look into the issue and put the sleep back in if needed
(or find a better patch to inform BIND on changes of the network config).

@Larry: let me know if you are using the Men & Mice compiled BIND
installer packages, and if the issue still appears.

Best regards

Carsten (now building the BIND packages @ Men & Mice)

Re: Allow recursion for esternal resources in a authoritative zone on a not open dns server

2013-11-19 Thread Carsten Strotmann
Hello Stefano,

the standard query path for DNS is

client -> caching DNS -> authoritative DNS

Your BIND Server is probably on the very right of that picture, the
authoritative (only) server. Such an authoritative-only server only
answers with data it is authoritative for (like you described). In case
of the CNAME pointing to a domain name the server is not authoritative
for, the authoritative server will send the CNAME to the caching server.

The caching server should be able to resolve any domain name that is
reachable via the normal (iterative) name resolution, starting at the
root-server system. On receiving the CNAME record, it is the task of the
caching DNS Server to resolve the CNAME to a final record (A, AAAA or
whatever has been requested by the client) and then return the full
final answer (all CNAMEs + final record with data) to the client.

There is nothing special to configure in BIND, only you need a BIND DNS
Server acting as a cache server. A client should never directly talk to
an authoritative (only) DNS Server. It should always go through an
intermediate caching server.

Best regards

Carsten Strotmann

 
Chiesa Stefano stefano.chi...@wki.it writes:

 Hello all.

 I have a closed bind dns server. It answers only to queries related to
 zones it is authoritative for (a normal behaviour... right?).
 I have dns zones that contain cname that points to hostnames in domains
 not managed by that server.
 So it won't resolve that names returning the cname to the client.

 I'd like to know if there is a way to tell to BIND if the external
 resource is in a domain managed by you, resolve (do recourse)

 Do you know if it is possible?

 Thanks in advance,
 Stefano.

 
 Stefano Chiesa
 Wolters Kluwer Italia
 Network Specialist
 Strada 1, Palazzo F6
 20090 Milanofiori Assago (Mi) - Italia
 Phone +39 0282476279 (20279 Voip)
 Fax +39 0282476815


  
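To show the division of labour described in the reply, here is an added Python model (mine, not from the post and not BIND code) of the two roles: an authoritative-only server that returns its own records, including an out-of-zone CNAME, without chasing it, and a caching resolver that follows the CNAME chain across zones and hands the client the whole chain plus the final record. The zones, names and addresses are a constructed toy data set; a looping CNAME pair is included to show the chain-length limit a resolver needs.

```python
# Constructed toy setup (documentation names and addresses, not real hosts):
# one authoritative-only server for example.com whose www CNAME points into
# example.net, which a different authoritative server serves. loop-a/loop-b
# form a deliberate CNAME loop to exercise the chain limit.
AUTH_DATA = {
    "example.com.": {
        "www.example.com.": [("CNAME", "cdn.example.net.")],
        "ns1.example.com.": [("A", "192.0.2.53")],
        "loop-a.example.com.": [("CNAME", "loop-b.example.com.")],
        "loop-b.example.com.": [("CNAME", "loop-a.example.com.")],
    },
    "example.net.": {
        "cdn.example.net.": [("A", "198.51.100.10")],
    },
}


def zone_for(name):
    """Which served zone a name belongs to (longest matching suffix), or None."""
    matches = [z for z in AUTH_DATA if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def authoritative_answer(zone, name, qtype):
    """What an authoritative-only server returns: its own records for the name.
    A CNAME is returned as-is; the server never chases a target outside its zone."""
    rrs = AUTH_DATA[zone].get(name)
    if rrs is None:
        return [], "NXDOMAIN"
    answer = [(name, t, d) for t, d in rrs if t == qtype or t == "CNAME"]
    return answer, "NOERROR"          # empty answer + NOERROR is the NODATA case


def resolve(name, qtype, max_chain=8):
    """Caching resolver behaviour: follow the CNAME chain across zones/servers
    and return the whole chain plus the final record to the client."""
    full_answer = []
    for _ in range(max_chain):
        zone = zone_for(name)
        if zone is None:
            return full_answer, "SERVFAIL"    # toy: no server known for this name
        answer, rcode = authoritative_answer(zone, name, qtype)
        full_answer.extend(answer)
        cname_targets = [d for _, t, d in answer if t == "CNAME"]
        if not cname_targets:
            return full_answer, rcode
        name = cname_targets[0]               # chase the alias, possibly to another zone
    return full_answer, "SERVFAIL"            # chain too long or looping


if __name__ == "__main__":
    print(authoritative_answer("example.com.", "www.example.com.", "A"))
    print(resolve("www.example.com.", "A"))
    print(resolve("loop-a.example.com.", "A")[1])
```

The first call is what Stefano's clients see when they ask the authoritative server directly; the second is what they get once a caching server sits in between.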


Re: MacOS X 10.9 upgrade removes BIND

2013-10-30 Thread Carsten Strotmann
Hi Sean,

Sean Channel schan...@isc.org writes:

 Thanks for the MM package, this is fantastic!  On the critical side,
 the package BOM only lists an extinct tarball instead of the actual
 files and directories in the package. Just a nit pick, apologies:

yes, that is a historical artifact from the time when our installers
detected PPC vs. Intel machines and installed an optimized (not
fat-binary) build of BIND.

I need to redesign the installer now that PPC is not so much requested
anymore, it is on my to-do list.

-- Carsten


Re: Upgrade Bind documentation

2013-10-25 Thread Carsten Strotmann
Hello Donald,

Davis, Donald W donald.da...@unisys.com writes:

 Does anyone have any advice or perhaps documentation for upgrading
 Bind? I currently have two AIX servers running as Master/Slave. I need
 to upgrade from v9.8.1-P1 to v9.8.6.   I will need to document an
 implementation plan for change control and was hoping someone else may
 have something they can share.

 I’ve browsed the ISC web site looking for release notes,
 install/compile instructions, migration plans, etc without much
 success.


The BIND release notes give a good overview of changes between
releases. Jeremy has posted the links to the notes. Inside a major
version number, there should be no drastic changes to BIND (so 9.8.1 ->
9.8.6 should be safe).

If you want to compile BIND yourself, I recommend compiling on a
separate development machine and then transferring the compiled BIND
binaries over to the DNS servers.

named -V gives you the compile switches used to compile your current
BIND. If you use the very same switches during compiling 9.8.6, you
should get a new BIND that matches your existing setup and is a
drop-in replacement.

Best regards

Carsten Strotmann

Re: Upgrade Bind documentation

2013-10-25 Thread Carsten Strotmann
Eduardo Bonsi beart...@pacbell.net writes:

 Menandmice have some pre-compiled packages updates for these systems.

 http://support.menandmice.com/download/bind/

 GNU-kfreebsd/
 illumian/
 kGNUfreebsd/
 linux/
 macosx/
 solaris/

(as the one compiling the BIND packages @ Men & Mice):

unfortunately we do not have an AIX machine available to provide AIX
installation packages today.

If someone could donate an AIX development machine running an up-to-date
AIX version, we would use that machine to provide BIND AIX packages the
same way as we do for the other systems listed above.

Also, if anyone is looking for BIND packages for an operating system not in
the above list, please contact me. We are building the packages based on
the requests and demand.

-- Carsten


MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Carsten Strotmann
Hi BIND users on MacOS,

it looks like the upgrade to MacOS X 10.9 Mavericks removes
BIND. Early reports also indicate that the upgrade process also removes
the BIND configuration file /etc/named.conf and all zonefiles in
/var/named. It happened on my machine, and there are reports coming in
from other users, but I need to confirm this in a lab environment.

The Men & Mice BIND MacOS X installers currently fail on MacOS X
10.9, because /var/named is not there. I'm working on updating the Men &
Mice packages to work on MacOS X 10.9.

Best regards

Carsten Strotmann


Re: MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Carsten Strotmann
Hello Eduardo,

thanks for confirming that MacOS X removed BIND.

Our new BIND installers for MacOS X 10.9 are now available at 
http://support.menandmice.com/download/bind/macosx/10.9-Mavericks/

I've built BIND 9.9.4 (with and without RRL) and BIND 9.8.6. If anyone
needs 9.6-ESV let me know.

Please report any issues with these installers to me.

Best regards

Carsten Strotmann

Eduardo Bonsi beart...@pacbell.net writes:

 I want to confirm what Carsten said here:

 I just performed an upgrade from Snow Leopard, 10.6.8 one day before
 yesterday. The upgrade itself went fine except for BIND and Apache.

 After upgrading to OS X Mavericks, 10.9, the upgrade removed all the
 files mentioned below plus all the websites in the Apache configuration
 as well. OS X Mavericks no longer has web sharing. So it is
 highly advisable to back up your BIND and Apache configuration files
 before the upgrade. Fortunately I had a copy of all these files on a
 backup mirror server. So, for me it was just a matter of connecting and
 copying all these files back to OS X Mavericks and setting the rndc key
 again.

 Here are the files to back up:

 Full path to the named.conf file        /etc/named.conf
 Full path to the named executable       /usr/sbin/named
 Full path to whois command              whois
 Full path to ndc command                ndc
 Full path to rndc command               rndc
 Full path to rndc-confgen command       rndc-confgen
 Full path to the rndc.conf file         /etc/rndc.conf
 Full path to named-checkzone command    named-checkzone
 Full path to named-checkconf command    named-checkconf
 Full path to dnssec-keygen command      dnssec-keygen
 Full path to dnssec-signzone command    dnssec-signzone

 In addition do not forget to back-up the PID file location in your
 system whatever the PID file it is located;

 Default PID file location  ———? Your location


Re: Performance Tuning RHEL 5 and Bind

2013-10-24 Thread Carsten Strotmann

Hi,

Kevin Darcy k...@chrysler.com writes:

 Are these queries mostly for names in an Active Directory domain? The
 default for Active Directory is for *every* Domain Controller to
 register NS records at the apex of the AD domain. Pretty soon, for any
 reasonably-sized AD infrastructure, all of those NSes cause *all*
 queries for *any* name in the domain to trigger a TCP retry (because
 the Answer + Authority Sections overflow 512 bytes), if EDNS0 is not
 in effect. I sat down with our AD folks a few years ago and impressed
 upon them how important it is to be selective about which Domain
 Controllers are registered at the apex. They appreciated the negative
 consequences of being awash in TCP retries, and it's been managed for
 some time now (at least for our *main* AD domain; don't get me started
 on the business partner that still has 92 NS records at the apex of
 their AD domain. Sigh)


good point. 

Increasing the EDNS0 UDP size might also be an option (default is 1280
for Windows DNS) -
http://technet.microsoft.com/en-us/library/cc783893%28v=ws.10%29.aspx

It is possible to tell some less critical DCs not to register themselves in
DNS:
http://support.microsoft.com/kb/198767
and
http://technet.microsoft.com/en-us/library/cc782946%28v=ws.10%29.aspx

-- Carsten
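To make the size arithmetic behind the quoted TCP-retry problem concrete, here is an added Python example (my own, not from either poster) that renders a response the way a server does, with RFC 1035 label compression, and counts how many apex NS records fit before the answer and authority sections exceed the UDP payload size. It follows the description above: when answer plus authority do not fit, the response is truncated and the client retries over TCP; when only the glue in the additional section overflows, the glue is simply left out. The domain name, one A answer, the dcNN host names and their glue addresses are all constructed.

```python
import struct

# Constructed scenario (documentation names/addresses): a query for one host
# in an AD domain whose apex carries one NS record per domain controller,
# each with A glue. Nothing here is taken from the posters' setups.
APEX = "ad.example.com."
QNAME = "host." + APEX


def encode_name(name, msg, offsets):
    """RFC 1035 wire encoding with label compression against what is already in msg."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    out = bytearray()
    while labels:
        suffix = ".".join(labels) + "."
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])   # compression pointer
            return bytes(out)
        pos = len(msg) + len(out)
        if pos < 0x4000:                       # pointers can only address 14 bits
            offsets[suffix] = pos
        out += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    out += b"\x00"
    return bytes(out)


def build_response(qname, apex, ns_hosts, glue):
    """Render a response: one A answer, the apex NS RRset in authority, glue in
    additional. Returns (message bytes, size of header+question+answer+authority)."""
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, len(ns_hosts), len(glue)))
    offsets = {}
    msg += encode_name(qname, msg, offsets) + struct.pack("!HH", 1, 1)          # question
    msg += encode_name(qname, msg, offsets) + struct.pack("!HHIH", 1, 1, 3600, 4)
    msg += bytes([192, 0, 2, 1])                                                 # A answer
    for ns in ns_hosts:                                                          # authority
        msg += encode_name(apex, msg, offsets) + struct.pack("!HHI", 2, 1, 3600)
        rdlen_pos = len(msg)
        msg += b"\x00\x00"                        # RDLENGTH, patched below
        msg += encode_name(ns, msg, offsets)
        struct.pack_into("!H", msg, rdlen_pos, len(msg) - rdlen_pos - 2)
    required = len(msg)                           # answer + authority must fit, else TC
    for ns, ip in glue.items():                                                  # additional
        msg += encode_name(ns, msg, offsets) + struct.pack("!HHIH", 1, 1, 3600, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return bytes(msg), required


def response_sizes(n_dcs):
    """Sizes for a response with n_dcs NS records (dc01.., dc02.., ...) at the apex."""
    hosts = ["dc%02d.%s" % (i, APEX) for i in range(1, n_dcs + 1)]
    glue = {h: "192.0.2.%d" % (i + 1) for i, h in enumerate(hosts)}
    msg, required = build_response(QNAME, APEX, hosts, glue)
    return {"answer_authority": required, "with_glue": len(msg)}


def truncated(n_dcs, udp_limit=512):
    """True when answer+authority exceed the UDP limit: TC=1 and a TCP retry."""
    return response_sizes(n_dcs)["answer_authority"] > udp_limit


def max_dcs_without_tc(udp_limit=512):
    """Largest number of apex NS records (up to 99) that fits the UDP payload size."""
    n = 0
    while n < 99 and not truncated(n + 1, udp_limit):
        n += 1
    return n


if __name__ == "__main__":
    for limit in (512, 1280, 4096):
        print("udp %4d: up to %2d NS records at the apex without TC"
              % (limit, max_dcs_without_tc(limit)))
```

With these constructed names each NS record costs 19 bytes on the wire, so the classic 512-byte limit is exceeded at the 25th domain controller, while a 1280-byte EDNS0 buffer carries 64; the 92-NS partner domain in the quote would be truncated even at 1280.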


Re: chroot /var/run permissions

2013-08-28 Thread Carsten Strotmann

Hello John,

jo...@primebuchholz.com writes:


 What am I missing here? /var/named/var/run and /var/named/var/run/named
 have group write permissions, so it seems it *shouldn't* be complaining,
 and the resulting files should've been owned by named, shouldn't they?


If you are running BIND on some flavor of Linux with SELinux enabled,
you might need to adjust the SELinux ruleset (recommended) or disable
SELinux (not-recommended). SELinux can prevent named from writing
files, even if the file-system permissions look correct.

-- Carsten



Re: [users@httpd] webservers not responding properly after hardware change

2013-06-14 Thread Carsten Strotmann
Hi Norman,

Norman Fournier nor...@normanfournier.com writes:



 ns2:~ norman$ apachectl -t
 Syntax OK
 ns2:~ norman$ apachectl restart
 launchctl: CFURLWriteDataAndPropertiesToResource
 (/System/Library/LaunchDaemons/org.apache.httpd.plist) failed: -10
 ns2:~ norman$ apachectl start
 launchctl: CFURLWriteDataAndPropertiesToResource
 (/System/Library/LaunchDaemons/org.apache.httpd.plist) failed: -10
 org.apache.httpd: Already loaded
 ns2:~ norman$ 


Please check:

* you need to be the administrative super-user (root) to start Apache:
  sudo apachectl restart
* if the error still persists, check if the hard drive is full
* the file /System/Library/LaunchDaemons/org.apache.httpd.plist might be
  corrupt, that would be a MacOS X problem that is best solved in a
  MacOS X Forum/Support page

Best regards

Carsten

Re: [users@httpd] webservers not responding properly after hardware change

2013-06-14 Thread Carsten Strotmann
Hello Norman,

Norman Fournier nor...@normanfournier.com writes:


 I posted this to httpd.apache.org but have not had any response, so I
 think it may be more related to BIND than DNS. Apologies for the
 cross-post.

the information you give is not enough to debug the problem or even to
have a sense if it is a DNS problem.

The network diagram shows UDP 53/53 for the DNS server. DNS can use both 
UDP and TCP, so the connection towards and from the DNS server should
allow both UDP and TCP connections.

Can you share the domain names for the web-sites with us? That might
help to isolate the cause of the issue, or at least to rule out DNS as
the cause.

Best regards

Carsten


Re: [Architecture discussion] IPv6 and best practices for DNS naming and the MX/SMTP problem

2013-05-27 Thread Carsten Strotmann
Hello Andreas,

Andreas Meile mailingli...@andreas-meile.ch writes:


 First question for discussion: Is it recommended to replace example.local
 into intra.example.com for example because it's now possible to restore
 the public DNS hierarchy? See the following:

In my view, using a namespace that you own (intra.example.com, where
example.com is your domain name that you own in the Internet) is always
preferred over a non-existing TLD (such as .local, .corp or
.intra). This is also the case when using split-DNS with IPv4
only.

Many problems go away when using a properly delegated DNS name, and the
Internet DNS servers (the root DNS servers) are not polluted by
requests for non-existing TLDs that escape improperly configured internal
networks.

The non-public part of the owned namespace (intra.example.com) should be
delegated to internal DNS servers. This can be done with split-DNS in
a way that private IP addresses do not appear in the Internet, but are
used internally only.


 $ORIGIN example.com.
 intra             IN  NS    fileserv.intra.example.com.
 ; Glue record
 fileserver.intra  IN  AAAA  2001:db8:0:2::12
 ; fileserver.intra  IN  A 10.0.0.12 would violate some RFCs because of
 ; publishing non-routed IPv4 addresses but omit it breaks the worldwide
 ; hierarchy, i.e. intra.example.com from IPv4 sight is flying free
 somewhere...

 ; assume a /56 from ISP and delegated from ISP
 $ORIGIN 0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 1.0IN   NS  webserv.example.com.
 2.0IN   NS  fileserv.intra.example.com.
 $ORIGIN 1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  webserv.example.com.
 0.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  vpn.example.com.

 ; managed by ActiveDirectory (or BIND, too)
 $ORIGIN 2.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  vpn.intra.example.com.
 2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  fileserv.intra.example.com.

 Because of confidence reasons: Is it wise the setup a query restriction for
 intra.example.com as well as 2.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa to
 allow dns querys for trusted networks only? Is there a not allowed answer
 in DNS standard to avoid waiting until timeout for an external host doing
 gethostbyaddr()? (the firewall might disallow DNS from extern to
 fileserv.intra.example.com so blocking may be problematic)

The "not allowed" answer is the DNS "refused" return code, and that will be
sent back whenever you restrict queries using allow-query. Only if
you put IP addresses into a blackhole
(http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2564022)
(or if you block DNS queries in the firewall) will the BIND DNS server
not send any responses back, and the client has to wait for a timeout.


 Another problem: e-mails/SMTP and MTA. Assume a mail server inside the
 corporate network (or even a DMZ behind a NAT!)

 Early before dual-stacking:
 mailserv.example.local  10.0.0.14
 Now after dual-stacking:
 mailserv.intra.example.com  10.0.0.14 + 2001:db8:0:2::14

 In the past, something like

 define(`confDOMAIN_NAME', `vpn.example.com')dnl

 (Sendmail) was common to get a matching visible host name to outside MTAs
 and spam filters (beware of the IPv4 NAT) and for incoming mail

 $ORIGIN example.com.
 @  IN  MX  10  vpn.example.com.

 was very common. With the removal of NAT in IPv6, we don't longer need an
 overwritten MTA's domain name, instead we can use

 $ORIGIN example.com.
 @  IN  MX  10  mailserv.intra.example.com.

 directly in that case. But this causes the next problem: not dual-stack
 compliant (IPv4 MTA gets an non-routed IP address). A workaround may be
 announce both hosts:

 $ORIGIN example.com.
 ; for IPv4
 @  IN  MX  10  vpn.example.com.
 ; for IPv6
 @  IN  MX  10  mailserv.intra.example.com.

 but this may cause timeouts (IPv6 host is trying to connect to the firewall
 instead the mail server). Another way might be

 $ORIGIN example.com.
 @       IN  MX    10  mailmx.example.com.
 mailmx  IN  A     192.0.2.30
 mailmx  IN  AAAA  2001:db8:0:2::14

 but this violates the RFCs saying that A/AAAA entries should have a
 corresponding PTR entry.


I don't see this violating an RFC. Both address entries for mailmx can (and
should) have a proper PTR record (one in in-addr.arpa, and one in ip6.arpa).

 A third way might be to use smart relay hosts so the actual outgoing mail
 server always runs with public IPv4 address, the same for the incoming way.


That is a good idea, for multiple reasons.

I didn't have time to prepare examples for my suggestions here, but I
could come up with config examples if you would like to see them.

Best regards

Carsten Strotmann




Re: RSA warnings errors in 9.8.4

2013-01-06 Thread Carsten Strotmann

Hello Jay,

Jay Ford jay-f...@uiowa.edu writes:

 I just upgraded BIND on a Linux-based server from 9.8.3-P3 to 9.8.4.

 I started getting a bunch of RSA_verify errors, as has been
 discussed on this list.  Is there a 9.8 release which quells those
 messages, or is hacking
 the source post-download still the recommended fix?

not fixed in the -P1 releases of 9.8.4 and 9.9.2, should be fixed with
the next regular BIND 9 release.

So hacking the source post-download is still what you want to do if
you do not like the messages.

-- Carsten


Re: Ubuntu 12.04 BIND 9.9.2-P1

2013-01-06 Thread Carsten Strotmann

Hello Rusty,

Rusty L Vaughn rusty.l.vau...@gmail.com writes:

 I am getting the following error with a compiled version of BIND with
 Ubuntu 12.04. The file at the path does exist.  I think I am missing a
 package but I am not sure what could be missing.  Thanks

 error:25066067:DSO support routines:DLFCN_LOAD:could not load the
 shared library:dso_dlfcn.c:185:filename
 (/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so):
 /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so: cannot
 open shared object file: No such file or directory

 error:25070067:DSO support routines:DSO_load:could not load the shared
 library:dso_lib.c:244:

 error:260B6084:engine routines:DYNAMIC_LOAD:dso not
 found:eng_dyn.c:450:

 error:2606A074:engine routines:ENGINE_by_id:no such
 engine:eng_list.c:417:id=gost

 initializing DST: crypto failure

 exiting (due to fatal error)

Are you running BIND in a chroot environment? If yes, you need to
re-create the path and copy the file(s) mentioned in the error message
into the chroot. libgost is an OpenSSL crypto-engine that implements
the GOST algorithm that can be used for DNSSEC.

OpenSSL loads the crypto-engines after BIND has entered the chroot
environment, so it looks for the files inside the chroot.

If your chroot is /var/named (start BIND with named -t /var/named),
then the file should be located in
/var/named/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so

Be prepared that you need to copy multiple files. Fix one error and then
look for the next.

Best regards

Carsten Strotmann
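An added Python helper (my own, not from the post) for the copy step described above: it mirrors an absolute host path into the chroot at the same relative location, creating the directory chain, and reports which of a list of required paths are still missing, so each "cannot open shared object file" round can be checked before restarting named. The demo runs against temporary directories standing in for / and /var/named, with a constructed stand-in file at the engine path from the error message; on a real system the function is called with the default host_root of "/" and needs write access to the chroot.

```python
import os
import shutil
import tempfile


def stage_into_chroot(chroot, path, host_root="/"):
    """Copy host_root/<path> to chroot/<path>, creating the directory chain.
    host_root defaults to the real filesystem root; the demo points it at a
    temporary tree so the example runs without privileges."""
    if not os.path.isabs(path):
        raise ValueError("expected an absolute path inside the chroot: %r" % path)
    rel = path.lstrip("/")
    src = os.path.join(host_root, rel)
    dest = os.path.join(chroot, rel)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copy2(src, dest)            # copy2 keeps mode bits and timestamps
    return dest


def missing_in_chroot(chroot, paths):
    """Which of the required paths are not yet present under the chroot."""
    return [p for p in paths if not os.path.exists(os.path.join(chroot, p.lstrip("/")))]


def demo():
    """Run against temporary directories standing in for / and /var/named."""
    host_root = tempfile.mkdtemp(prefix="fake-root-")
    chroot = tempfile.mkdtemp(prefix="fake-chroot-")
    # the engine path from the error message; the file itself is a constructed stand-in
    engine = "/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so"
    src = os.path.join(host_root, engine.lstrip("/"))
    os.makedirs(os.path.dirname(src))
    with open(src, "wb") as fh:
        fh.write(b"stand-in, not a real shared object\n")
    os.chmod(src, 0o644)
    before = missing_in_chroot(chroot, [engine])
    dest = stage_into_chroot(chroot, engine, host_root=host_root)
    after = missing_in_chroot(chroot, [engine])
    result = {
        "missing_before": before,
        "missing_after": after,
        "dest_ends_with_path": dest.endswith(engine),
        "mode_preserved": (os.stat(dest).st_mode & 0o777) == 0o644,
    }
    shutil.rmtree(host_root)
    shutil.rmtree(chroot)
    return result


if __name__ == "__main__":
    print(demo())
```

The same function serves for the libraries the engine itself depends on (ldd on the engine lists them); run it for each path named in the next error until named starts cleanly.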

Re: zone files in bind-9.9

2013-01-06 Thread Carsten Strotmann

Hello Feng,

Feng He fen...@nsbeta.info writes:

 I upgraded my BIND from 9.7 to 9.9.
 For BIND 9.7 all zone files under /var/cache/bind are clear textes.
 But under BIND 9.9 it seems the zone files are binary format.
 So how can we check the content of zone files now?

you can use named-compilezone to convert from RAW-Format to Text-Format.

Or you can use dig with axfr to get a zone-transfer from the server
(dig @server axfr zone.tld).

You can change the format for writing zone files in the named.conf if
you prefer the text format files.

-- Carsten



Re: difference between default views in named_statistics.txt

2012-12-29 Thread Carsten Strotmann

Hello Ben,

benjamin fernandis benjo11...@gmail.com writes:

 Resolver Statistics for View _default

 and

 Resolver Statistics for View _bind

 what is the difference between these two views which also same in
 named_Statistics file.

BIND 9 has this unique feature called views (see the BIND 9 ARM
document for a detailed discussion of views).

Even if no views are configured in the BIND 9 configuration file
named.conf, BIND 9 has two internal views that always exist:
_default and _bind. The view _default contains all DNS zones that
are defined in named.conf and do not belong to any extra configured
view.

The view _bind contains all the built-in special zones that BIND 9
uses to report internal information in the CHAOS (CH) network class and
top level domain bind (authors.bind, version.bind, hostname.bind).

try: dig @ip-of-your-dns-server ch txt hostname.bind

So the statistics output gives you information on how many queries are
received for normal DNS zones (view _default) and the special built-in
zones (view _bind).

Best regards

Carsten Strotmann


Re: rndc reconfig does not work

2012-12-29 Thread Carsten Strotmann

Hello Ben,

benjamin fernandis benjo11...@gmail.com writes:

 Hi,

 As per my understanding, if we change anything in named.conf and then
 if we require to enable changes without service restart, we go with
 rndc reconfig.

 So i tried it but it does not work.


rndc reconfig does only very specific tasks as documented in the ARM:

-Reload the configuration file and load new zones, but do not reload
-existing zone files even if they have changed. This is faster than a
-full reload when there is a large number of zones because it avoids the
-need to examine the modification times of the zones files.

rndc reload does more (reloads the configuration file named.conf and
all zones that have changed), but takes a long time on a system with
many zones (> 10.000). On systems with not so many zones, I prefer to
always do rndc reload. But that is a matter of taste.

For some configuration changes (for example change of IP addresses to
listen on, change of fundamental operations, new log-file entries) the
BIND nameserver requires a full restart, esp. if BIND is running as a
non-privileged user (not root), as some configuration steps require
root access (like opening network sockets on port 53).

It looks as if the change you are applying falls in the third
category; however I currently do not have the time to verify that
myself. Maybe someone with knowledge of the inner workings of BIND 9 can
comment on this.

Best regards
and a happy new year 2013!

-- Carsten





Re: nsupdate for default TTL

2012-12-26 Thread Carsten Strotmann

Hello Feng He,

Feng He fen...@nsbeta.info writes:

 Is there a way to dynamic update the zone's default TTL by nsupdate?

A default TTL (example $TTL 3600) is a property of a zone file on disk,
it is a control statement read by the BIND name server when loading the
zone file.

The default TTL is applied to all resource records that do not have a
dedicated TTL defined. After loading the zone, every resource record
will have a dedicated TTL and there is no default TTL in a loaded zone
(in memory).

Because there is no concept of a default TTL in a loaded zone, you
can only change the dedicated TTLs on each individual resource record
using the nsupdate tool.

Best regards and a good new year!

Carsten Strotmann

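An added Python example (mine, not from the post) of the two halves of this answer: a loader that consumes $TTL and $ORIGIN the way the zone loader does, so every record comes out with an explicit TTL, and a generator for the nsupdate batch that then has to touch each record individually to change its TTL. Each record is deleted and re-added within one transaction so the outcome does not depend on how the server merges a new TTL into an existing RRset. The zone fragment, server address and zone name are constructed; the loader handles only the simple one-record-per-line syntax used in the sample.

```python
# Constructed zone file fragment (documentation names/addresses). $TTL gives
# the records without their own TTL a value; www carries an explicit TTL.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.com.
@        IN SOA ns1.example.com. hostmaster.example.com. 2012122601 86400 7200 3600000 172800
@        IN NS  ns1.example.com.
ns1      IN A   192.0.2.53
www  300 IN A   192.0.2.80
"""


def load_zone(text):
    """Mimic what happens at load time: $TTL and $ORIGIN are consumed and every
    record comes out with an explicit TTL, as (name, ttl, type, rdata).
    Handles one record per line; no parentheses or relative $INCLUDE handling."""
    default_ttl, origin, records = None, ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        name, rest = fields[0], fields[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():          # explicit per-record TTL wins
            ttl = int(rest.pop(0))
        if rest and rest[0] in ("IN", "CH", "HS"):
            rest.pop(0)
        if ttl is None:
            raise ValueError("record %s has no TTL and no $TTL precedes it" % name)
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = "%s.%s" % (name, origin)
        records.append((name, ttl, rest[0], " ".join(rest[1:])))
    return records


def nsupdate_retime(records, zone, new_ttl, server="192.0.2.53", skip_types=("SOA",)):
    """Build an nsupdate batch that gives every record the new TTL, one
    delete/add pair per record, because a loaded zone has no default TTL left
    to change. The SOA is skipped: the server maintains it on dynamic updates."""
    lines = ["server %s" % server, "zone %s" % zone]
    for name, ttl, rtype, rdata in records:
        if rtype in skip_types or ttl == new_ttl:
            continue
        lines.append("update delete %s %s %s" % (name, rtype, rdata))
        lines.append("update add %s %d %s %s" % (name, new_ttl, rtype, rdata))
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = load_zone(SAMPLE_ZONE)
    for r in recs:
        print(r)
    print(nsupdate_retime(recs, "example.com.", 600))
```

Feed the generated text to nsupdate on standard input (with -k and the TSIG key file the zone's update-policy expects); after the update, the zone's journal and the next dump of the zone file will show the new per-record TTLs and no $TTL line.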


Re: Query regarding 'UPDATE' field in log entries

2012-12-26 Thread Carsten Strotmann

Hello,

Gaurav Kansal gaurav.kan...@nic.in writes:


 I am getting the below mentioned log continuously in my log file.

 client 2001:db8:0:196:feed:feed:feed:dc#54458: update
 'test-zone.in/IN' denied
 Does it mean that someone is claiming for the authority of the
 test-zone.in for which I am the master?

it does mean that the client is trying to update the test-zone.in using
a dynamic update DNS message. This is probably because the client is
running a Windows OS and is configured (manually or by DHCP) to be in
the local domain / DNS suffix of test-zone.in and tries to add an
Address record (A and/or AAAA) of its own IP Address into the zone. That
is a default behavior of some client operating systems.

As dynamic updates are not enabled by default, the BIND DNS server
denies the updates, and you see the log entry. If you want to allow
clients to automatically update the zone, you need to configure the zone
as a dynamic zone (using update-policy or allow-update statements).

If the client is not in your own networks, someone in the remote network
has (mis-)configured the client to be inside the test-zone.in domain.

Best regards

Carsten Strotmann
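A small triage script for the log message discussed above, added here as an example (not code from the post). It extracts the denied dynamic updates, counts them per client and zone, and marks clients that are not inside the networks you operate yourself, which is the "someone in the remote network has (mis-)configured the client" case. The log lines and the OWN_NETWORKS prefixes are constructed placeholders:

```python
import ipaddress
import re
from collections import Counter

# Matches BIND's denial message in the shape quoted in the thread.
UPDATE_DENIED = re.compile(
    r"client (?P<ip>[0-9a-fA-F:.]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^/']+)/(?P<class>\w+)' denied"
)

# Constructed sample log lines (the first mirrors the one quoted above).
SAMPLE_LOG = """\
26-Dec-2012 09:12:01.101 client 2001:db8:0:196:feed:feed:feed:dc#54458: update 'test-zone.in/IN' denied
26-Dec-2012 09:12:31.204 client 2001:db8:0:196:feed:feed:feed:dc#54459: update 'test-zone.in/IN' denied
26-Dec-2012 09:13:02.337 client 192.0.2.77#51000: update 'test-zone.in/IN' denied
26-Dec-2012 09:13:05.001 client 198.51.100.9#53: query: www.test-zone.in IN A + (203.0.113.1)
"""

# Placeholder for the networks you operate yourself (assumption, not from the post).
OWN_NETWORKS = [ipaddress.ip_network("2001:db8::/32"),
                ipaddress.ip_network("203.0.113.0/24")]


def parse_denied_updates(text):
    """Extract (client address, zone) for every denied dynamic update."""
    events = []
    for line in text.splitlines():
        m = UPDATE_DENIED.search(line)
        if m:
            events.append((ipaddress.ip_address(m.group("ip")), m.group("zone")))
    return events


def summarize(events, own_networks=OWN_NETWORKS):
    """Count denials per (client, zone), most frequent first, and mark
    whether the client sits inside one of our own networks. A foreign
    client trying to update our zone is the misconfigured-remote-host
    case from the post; an internal one is usually a Windows client with
    our domain as its DNS suffix."""
    counts = Counter(events)
    report = []
    for (ip, zone), n in counts.most_common():
        internal = any(ip in net for net in own_networks)
        report.append({"client": str(ip), "zone": zone, "count": n, "internal": internal})
    return report


if __name__ == "__main__":
    for row in summarize(parse_denied_updates(SAMPLE_LOG)):
        print(row)
```

If the internal clients' updates are wanted, grant them with an update-policy tied to a TSIG key rather than an address-based allow-update, so that the denial stops for authenticated clients only.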


Re: Upstart job for BIND9

2012-11-29 Thread Carsten Strotmann

Hello Alexander,

Alexander Gurvitz a...@net-me.net writes:

 Carsten,

 The script in my original question (it's in the P.S. at the bottom of
 my first mail) seem to work for me. 

Ahh, thanks, my Emacs was hiding that :)


 (I can't decide which one is better: bind.conf, bind9.conf or
 named.conf :)

I would vote for bind9-upstart.conf.

named.conf is already the default name for the BIND 9 configuration.

bind.conf is not specific once BIND 10 is used on the same
machine.


-- Carsten


Re: Performance tuning

2012-11-28 Thread Carsten Strotmann
Adamiec, Lawrence ladam...@kentlaw.iit.edu writes:

Hello Lawrence,

your problems might not be related to the configuration of your DNS
Server software (BIND), but they can be related to your internal name
resolution inside your organisation (forwarders, caches, mixed
caching/authoritative DNS etc).

Do you see the speed difference on the two websites (URLs for the
Websites) from within your organisation, or when using an outside
view (from home etc)?

Of course we here in this mailing list can only have the look from
outside, and that looks ok.

Optimizing an internal DNS name resolution infrastructure requires
someone that has knowledge of all possible name lookup paths in a
network (DNS, WINS, NetBT ...) and a good DNS knowledge.

I would recommend to get an expert onsite for a DNS audit if you see
the performance problem inside your organization's network. The BIND
configuration is usually not the issue.

Best regards

Carsten Strotmann 



Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread Carsten Strotmann
Phil Mayers p.may...@imperial.ac.uk writes:

 On 14/11/12 15:02, King, Harold Clyde (Hal) wrote:
 I'm a bit confused by a user request. I think he is trying to keep some
 hosts on the private side of DNS, but he wants to use a DNS name like
 host.sub.local. I do not know of the use of the .local TLD except in
 bonjure. Can anyone shed some light on the use of the .local TLD?

 Pick a private sub-domain of a *real* domain that *you* own e.g. if
 you are example.com, pick:

 sub.private.example.com

From my experience I recommend the solution Phil is describing. While
using a private top level domain is technically possible, I have seen too
many DNS admins that do not understand the implications and end up with
a system that is a burden for the local network and as well a burden for
the root-server system in the Internet.

Look at the DSC graphs of l.root-servers.net for invalid TLDs requested
http://dns.icann.org/cgi-bin/dsc-grapher.pl?window=86400&node=ams01&plot=qtype_vs_invalid_tld&server=L-root-Europe

.local is the 4th most queried domain name (after localhost, com and
net), but it should not exist at all in the Internet (or queries should
not reach the root server system). You see corp, intern and intra
as well in the top 20 list.

Failing to operate a private TLD correctly is causing internal data
leaking to the Internet, which could be a security risk but in all cases
is a burden on the root server system.

A private subdomain of a delegated DNS domain owned by the company
(organization, individual) is much safer, and simpler to set up, and
serves the same purpose. 

-- Carsten


Re: ISC Bind in Active Directory

2012-11-02 Thread Carsten Strotmann
Hello Phil,

Phil Mayers p.may...@imperial.ac.uk writes:

 On 10/24/2012 10:17 PM, Carsten Strotmann wrote:

 my experience is that it is safe to place clients in either a DNS domain
 with the same name as the AD domain, or in a subdomain of the AD
 domain.

 What does place mean, exactly?

configure the client's DNS-Suffix (local domain name) to be a subdomain
of the AD-Domain. Example:

Base DNS domain delegated: example.com

DC-Server: 
  AD-Domain: ad.example.com
  DNS-Suffix: ad.example.com

Client:
  AD-Domain: ad.example.com
  DNS-Suffix: client.ad.example.com


 Bear in mind that, unfortunately, Microsoft chose to embed DNS names
 in a lot of places when they retrofitted Kerberos, DNS and LDAP to the
 NT domain protocols.

 You've got:

  1. The clients own idea of its main hostname
  2. Global DNS search suffixes
  3. Connection-specific DNS suffixes
  4. The value of the dNSHostName AD attribute
  5. The suffixes to qualified servicePrincipalNAme AD attribute(s)
  6. The value of msDS-AllowedDNSSuffixes on the domain OU
  7. Finally, DNS names which point to the clients addresses

 ...and that's just off the top of my head. Telling me it's safe to
 put the client in another DNS zone doesn't really tell me anything
 about the interaction of those things, I'm afraid ;o)

Unfortunately, to my knowledge there is no single documentation available
on all the different interactions of AD and name services (DNS and
others).

 Using a subdomain has the benefit of separating infrastructure

 Yes, obviously it's desirable. The question is, how do you
 appropriately configure all of the above (and anything else besides)
 in a safe, scalable and supported way, that won't cause odd things to
 break, in such a way as to achieve that?

I've used DHCP for that, Group Policy is also an option.


 This is largely a dead issue to me - we just live with the massive
 inconsistency of clients believing they're one thing, and DNS saying
 another - so my knowledge is a bit rusty, but from what I recall, it's
 a huge pain configuring clients into sub-domains of the AD domain,
 because there are so many places you have to get it right. And
 *renaming* is even harder.

Not at all. To my knowledge it is just the one option in DHCP. It is not
renaming the machine (hostname), just the DNS-Suffix (local domain name).

 So we just stopped trying. All clients think they live in
 example.com, and we use DNS names as we like
 e.g. dept.example.com, building.example.com. The problems it
 causes are less hassle than a mass reconfiguration of 20k machines...

 AD-Domain DNS-Zone. Putting AD-Clients into a DNS-Suffix (aka local
 domain) that is a different branch of the DNS namespace than the
 AD-Domain DNS name creates problems and is not
 recommended.

 Why? And again, putting means what here?

See above.


 Using connection-specific DNS-Suffixes to my knowledge are used in the
 case that one machine has network connections into multiple AD-networks
 (a gateway machine, or a common server that serves multiple, disjoint
 AD domains).

 I don't think this is everything. IIRC, connection-specific DNS
 suffixes are candidates for the client to perform DDNS updates,
 depending on your configuration. And this, of course, is where the
 thread has spent much of its time.


connection specific DNS suffixes are influencing the DDNS updates, but
they are not required. If connection specific DNS suffixes are not
configured, the global DNS suffix will be used to create the FQDN name
of the client combining the hostname and the global DNS suffix.


 I think the issue is that AD servers and clients make it EXTREMELY
 DIFFICULT to run what you and I would describe as a best-practice DNS,
 due to the above mentioned plethora of things you have to get just
 right, and the extremely awkward ways of doing so.

Not my experience. I have worked with clients having existing AD
environments, as well as green field deployments. And we were able to
clean up DNS in these environments, and nothing broke (it requires
careful planning and a good knowledge of the DNS traffic towards the DNS
servers to be able to fix misconfigurations before the cleanup).


 Hell, if you've got WINS running and broadcast netbios, I think it's
 still possible to log in with *no* working DNS at all.

I would recommend to shut down or isolate other naming services in the
network (except DNS) if at all possible. Troubleshooting name lookup issues
in a network with DNS, WINS, LLMNR and NetBIOS is not impossible, but
close to impossible.

 If someone can give pointers to comprehensible docs about how to make
 all this work in *all* the places it needs to, I'd be really
 interested. Because it'd be great to have a subdomain at our site that
 clients just register themselves into, and it all just work.

Unfortunately I do not know a single comprehensible documentation.  All
books on the topic are unfortunately too old (Windows 2003) or not really
helpful :(

But starting with a
good

Re: Spotty Lookups on One of Our Networks

2012-10-31 Thread Carsten Strotmann

Hello Martin,

Martin McCormick mar...@dc.cis.okstate.edu writes:

 I described a case where one of our remote campuses can't
 resolve a number of remote domains. One example is noaa.gov. It
 also successfully resolves random remote domains without
 seemingly any rhyme or reason.

   Here is a bad dig trace for noaa.gov

[...]

http://www.zonecut.net/dns shows that
nameserver ns-e.noaa.gov is not responding

The dig +trace might hang if that authoritative DNS server is selected
for the query. 

ns-mw.noaa.gov and ns-nw.noaa.gov operate fine. ns-e could mean
east coast.

-- Carsten


Re: ISC Bind in Active Directory

2012-10-24 Thread Carsten Strotmann

Hello Aaron,

Aaron Thompson athomp...@berklee.edu writes:


 I have little experience in the AD arena for DNS/DHCP.  Without being
 a too loaded question, with your experience is it possible or common
 to have a very knowledgeable understanding of the performance and
 health of an AD system similar to a BIND system? (redundant, process,
 snmp, logging, trouble shooting, cacti integration, etc.)

possible: yes
common: less so. 

I found some very very knowledgeable people in larger
Microsoft dominated networks (AD networks), that know a lot about 
DNS and AD, at the same level as some people do in the BIND community. 

However there are a couple of system administrators in Microsoft
networks that think that having a GUI does not require them to learn
what is going on under the hood. Not good.

The challenge is that sometimes the Microsoft community (and Microsoft
themselves) are using the same words as people in the Unix community,
but they describe different things, or the other way around (using
different terms for the same stuff). Keeping a sane mind is not always
easy in that respect.

-- Carsten


Re: ISC Bind in Active Directory

2012-10-24 Thread Carsten Strotmann

Hello Phil,

Phil Mayers p.may...@imperial.ac.uk writes:


 Our experience is that this can cause (minor) problems.

 The basic issue is that, if you have an AD realm:

 EXAMPLE.COM

 ...and a machine:

 foo

 ...then windows tries very hard to stick its fingers in its ears,
 shout la la I am not listening and assume its hostname is:

 foo.example.com

 You have to fiddle around extensively to make the client *think* its
 name is what it really is, and it has never been clear to me what the
 implications of doing so are.

 This can matter if you have systems that trust the clients own idea of
 the hostname (e.g. vPro/AMT enterprise provisioning) or if you have
 support staff who want to be able to right-click on a machine from the
 AD users & computers snap-in and click manage.

 If people have any insight into an easy way of updating clients with
 the correct idea of their own DNS hostnames, and can explain how this
 interacts with the per-connection DNS suffix stuff in the IP stack, I
 would be very grateful!

my experience is that it is safe to place clients in either a DNS domain
with the same name as the AD domain, or in a subdomain of the AD
domain. 

Using a subdomain has the benefit of separating infrastructure
information (SRV records, server A/AAAA records) from client
information. These DNS zones can have a different dynamic update
policy/ACL, can even be delegated to different DNS servers.

Example: 
DNS-Domain: example.com
Ad-Domain: ad.example.com
Client-DNS Zone: client.ad.example.com

all with proper delegations.

Clients will follow the DNS hierarchy to find the SRV records in the
AD-Domain DNS-Zone. Putting AD-Clients into a DNS-Suffix (aka local
domain) that is a different branch of the DNS namespace than the
AD-Domain DNS name creates problems and is not
recommended. (e.g. AD-Domain example.com, clients in ad.example.)

Using connection-specific DNS-Suffixes to my knowledge are used in the
case that one machine has network connections into multiple AD-networks
(a gateway machine, or a common server that serves multiple, disjoint
AD domains).

As always, DNS (also Microsoft based DNS for AD) works best if there is
an uninterrupted delegation chain from the root (can be an internal root
or the Internet DNS root) to the authoritative DNS servers, and if
resolving DNS servers are separated from the authoritative DNS
servers. Important is a unified DNS namespace from every machine in the
AD network. There should be only one DNS namespace.

A general observation:
I find a high number of DNS admins in AD networks that have the
perception that the earth, pardon DNS, is flat. It is not, it is a
hierarchy :). And every attempt to make it appear flat creates problems.

-- 
Carsten Strotmann


Re: ISC Bind in Active Directory

2012-10-20 Thread Carsten Strotmann

Hello Aaron,

Aaron Thompson athomp...@berklee.edu writes:

 I'm hoping to get some feedback from people who use ISC Bind and
 DHCPD in Active Directory environments.
[...]

 If you have any relevant feedback I would appreciate it.  I'm looking
 for information on experience with Active Directory integration with
 ISC or if anyone has had problems/stability issues with AD doing
 DNS/DHCP or AD working with ISC.


I've seen and worked in a number of Active Directory installations
during the last 12 years that were using non Microsoft DNS and DHCP
components.

My experience is that if implemented correctly, it is possible to run
Microsoft Active Directory with DNS and DHCP provided by BIND and ISC
DHCP. However, doing that successfully requires that the administrator
has a good understanding of:

* the way how DNS dynamic updates work. I found that many Administrators
  do not understand the inner workings of DNS dynamic update. It is
  important to understand how a machine sending dynamic updates (in AD
  case an AD client or a domain controller) finds the DNS zone to be
  updated. Proper DNS delegation and a clean DNS design is
  key. Separating caching/resolving DNS and authoritative DNS helps much.

* the mechanics how the Windows operating system updates the SRV and A
  records in a DNS domain that is the foundation of an Active Directory
  domain. Also important is the knowledge which records are expected in DNS
  for successful AD operations. The knowledge is available on the
  Internet, but the pages are often outdated (Windows 2000 is different
  to Windows 2008 is different to 2012 in details) and the information
  is scattered across many places. Finding it all can be difficult and
  can take time. The new AD best practice analyzer that comes with
  Windows 2008R2 and Windows 2012 can help here.

Microsoft extensions like Aging and Scavenging support the
Administrator to operate Active Directory, but are not essential.

Getting communication between MS DNS and ISC DHCP or MS DHCP and BIND
DNS secured (TSIG vs. GSS-TSIG) can be challenging. But it is possible.

My general experience is: working in an all-Windows OS environment where
all components of AD are supplied by Microsoft products requires less
detail knowledge and less arguing (with Management and Microsoft
oriented consultants).  But running BIND and ISC DHCP gives more
flexibility and control. 

Pick your choice -- easy life vs. understanding
and fun :)

Carsten Strotmann
Men & Mice

Re: Error Resolving / EDNS

2012-09-19 Thread Carsten Strotmann

Hello James,

James Tingler james.ting...@contr.netl.doe.gov writes:

  
 E.g. 
  
 Sep 17 15:32:01 PROD55-DNS2 named[27503]: error (network unreachable)
 resolving 'www.amazon.com/A/IN': 2610:a1:1017::1#53
 Sep 17 15:32:08 PROD55-DNS2 named[27503]: error (network unreachable)
 resolving 'www.amazon.com/A/IN': 2001:502:f3ff::1#53
 Sep 17 15:32:08 PROD55-DNS2 named[27503]: error (network unreachable)
 resolving 'www.amazon.com/A/IN': 2610:a1:1016::1#53
 Sep 17 15:32:11 PROD55-DNS2 named[27503]: error (network unreachable)
 resolving 'www.amazon.com/A/IN': 2610:a1:1015::1#53
 Sep 17 15:32:11 PROD55-DNS2 named[27503]: error (network unreachable)
 resolving 'www.amazon.com/A/IN': 2001:502:4612::1#53
 Sep 17 15:32:11 PROD55-DNS2 named[27503]: error (network unreachable)
 resolving 'www.amazon.com/A/IN': 2610:a1:1014::1#53
 Sep 17 15:32:14 PROD55-DNS2 named[27503]: success resolving
 'www.amazon.com/A' (in 'www.amazon.com'?) after disabling EDNS
  

The issue might be that BIND is trying to use IPv6, but you do not have
IPv6 connectivity. Try starting named with the -4 parameter to disable
IPv6, and see if the problem is solved.

-- Carsten
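The reasoning behind the reply, as an added example (not code from the post): every "network unreachable" target in the quoted log lines is an IPv6 address, and the "after disabling EDNS" message is only the consequence of named falling back once the IPv6 attempts failed, so the EDNS wording is a red herring. The script below classifies the resolver error lines by address family and produces the corresponding diagnosis; the sample lines are the ones quoted in the thread, joined onto single lines as they appear in the real log:

```python
import ipaddress
import re

# named's resolver error line: error (<reason>) resolving '<name/type/class>': <server>#<port>
RESOLVE_ERROR = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving '(?P<query>[^']+)': "
    r"(?P<addr>[0-9a-fA-F:.]+)#(?P<port>\d+)"
)
EDNS_FALLBACK = re.compile(r"success resolving '(?P<query>[^']+)'.*after disabling EDNS")

# Log lines quoted in the thread (not constructed).
SAMPLE_LOG = """\
Sep 17 15:32:01 PROD55-DNS2 named[27503]: error (network unreachable) resolving 'www.amazon.com/A/IN': 2610:a1:1017::1#53
Sep 17 15:32:08 PROD55-DNS2 named[27503]: error (network unreachable) resolving 'www.amazon.com/A/IN': 2001:502:f3ff::1#53
Sep 17 15:32:08 PROD55-DNS2 named[27503]: error (network unreachable) resolving 'www.amazon.com/A/IN': 2610:a1:1016::1#53
Sep 17 15:32:11 PROD55-DNS2 named[27503]: error (network unreachable) resolving 'www.amazon.com/A/IN': 2610:a1:1015::1#53
Sep 17 15:32:11 PROD55-DNS2 named[27503]: error (network unreachable) resolving 'www.amazon.com/A/IN': 2001:502:4612::1#53
Sep 17 15:32:11 PROD55-DNS2 named[27503]: error (network unreachable) resolving 'www.amazon.com/A/IN': 2610:a1:1014::1#53
Sep 17 15:32:14 PROD55-DNS2 named[27503]: success resolving 'www.amazon.com/A' (in 'www.amazon.com'?) after disabling EDNS
"""


def triage(text):
    """Count unreachable upstream servers per address family, other
    resolver errors, and EDNS fallback messages."""
    counts = {"unreachable_v6": 0, "unreachable_v4": 0,
              "other_errors": 0, "edns_fallbacks": 0}
    for line in text.splitlines():
        m = RESOLVE_ERROR.search(line)
        if m:
            if m.group("reason") == "network unreachable":
                version = ipaddress.ip_address(m.group("addr")).version
                counts["unreachable_v6" if version == 6 else "unreachable_v4"] += 1
            else:
                counts["other_errors"] += 1
        elif EDNS_FALLBACK.search(line):
            counts["edns_fallbacks"] += 1
    return counts


def diagnosis(counts):
    """Map the counts to the likely cause. IPv6-only failures on a host
    without IPv6 connectivity are what 'named -4' addresses."""
    if counts["unreachable_v6"] and not counts["unreachable_v4"]:
        return "ipv6-transport-unavailable"
    if counts["unreachable_v4"]:
        return "ipv4-transport-problem"
    if counts["edns_fallbacks"]:
        return "edns-path-problem"
    return "no-transport-errors"


if __name__ == "__main__":
    c = triage(SAMPLE_LOG)
    print(c, diagnosis(c))
```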

Re: Error Resolving / EDNS

2012-09-19 Thread Carsten Strotmann

Hello James,

James Tingler james.ting...@contr.netl.doe.gov writes:

 Thanks for the reply Carsten.  This didn't make a difference but
 potentially I'm using the parameter incorrectly (no errors though).
  
 /etc/rc.d/init.d/named start -4
  

no, it does not work that way. /etc/rc.d/init.d/named is a start script,
and that usually only reads the first parameter (start) and ignores all
other arguments. For a quick test (given that you have more than one
resolving DNS server for your clients):

1) use ps -ef, look for the named process, write down all
 commandline arguments that are listed after the process name

2) stop the BIND DNS Server from
the start script: /etc/rc.d/init.d/named stop

3) on the commandline as user root, start the BIND nameserver with
named -4 followed by all other arguments from 1)

4) test

5a) if it works, find out how to configure extra parameters for the BIND
DNS Server on your operating system, add the -4 parameter

5b) stop the running BIND process with rndc stop (if RNDC is
configured correctly [it should be!]), else do a hard killall named

6) start the BIND nameserver again from the start script

-- Carsten


Re: BIND 9.6-ESV-R7-P3 is now available

2012-09-13 Thread Carsten Strotmann
Ayca Taskin (Garanti Teknoloji) ayc...@garanti.com.tr writes:

 Hi,

 I'm using BIND 9.6.1-P3 and want to upgrade BIND 9.9.1-P3 on Solaris. What is 
 your advice about upgrade and migration, to 9.9.1-P3, is there any guide for 
 this? 

Whenever you upgrade to a new version of BIND (esp. when it is a new
major version, and if you are jumping forward multiple version numbers), I
would recommend to read the change logs for the new version (you can
find the changelogs in the CHANGES file in the source directory on
ftp.isc.org).

Also it might be good to read over new sections in the BIND 9 Reference
Manual (BIND9ARM).

You can find binary installer packages of BIND for Solaris 10 on
http://support.menandmice.com/download/bind/solaris/
(BIND 9.9.1-P3 will be available there later today).

Depending on the installation location of the new BIND versions, you
need to adapt your start script (Solaris 7/8/9) or the SMF manifest
(Solaris 10/11).

Best regards

Carsten 


Re: install BIND on Mac OS X

2012-09-08 Thread Carsten Strotmann
pangj pa...@riseup.net writes:

 Thanks.

 bogon:~ pro$ named -v
 BIND 9.7.3-P3

 This has been installed.

For a more recent version of BIND (9.8.x or 9.9.x), there are MacOS X 
installers of new
versions at
http://support.menandmice.com/download/bind/macosx/

-- Carsten


Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-06 Thread Carsten Strotmann
Ryan Novosielski novos...@umdnj.edu writes:

 FWIW, 9.6 ships with Solaris 10.

current BIND release installer packages for Solaris 10 (Sparc and i86pc)
can be found at http://support.menandmice.com/download/bind/solaris/

I'm also willing to build current BIND 9 packages for Solaris 8 or 9, but only
if a good case can be made.

Being lazy to update is not a good case.

-- Carsten


Re: Version statement...

2012-08-17 Thread Carsten Strotmann
Jeff Justice listacco...@starionline.com writes:

Hi Jeff,

 I am trying to mask our DNS server's version output to a custom string,
 but it doesn't seem to be working for me.  In a nutshell, I have added
 this to my options block of my named.conf:

version [DNS Server];

 But when I do a query, it still shows the actual version number
 i.e. BIND 9.9.1-P2, both from the command line and from an outside
 query tool.

 What am I missing?

make sure BIND can load the changed configuration file named.conf,
test with named-checkconf and check the BIND nameserver logfiles for
errors. The issue here is probably that the running nameserver does not
read the configuration file. Also check if there is more than one
named process running (should be only one in most installations).

-- Carsten
 


Re: security BIND

2012-08-04 Thread Carsten Strotmann

Hello Alberto,

On Sat, 4 Aug 2012, Alberto Rasillo wrote:


Hi, what are recommendations regarding security and DNS service? Thanks


it is difficult (impossible?) to answer such a generic question.

Generic security advice for a DNS service:
* read your DNS server's documentation carefully
* understand every bit of your configuration
* don't use configuration settings you don't fully understand
* understand how DNS works (read a good book or visit a good DNS training)
* run recent software (not old software that has known security issues)
* monitor your DNS server (DNS server logfiles, DNS traffic-patterns)
* don't run an 'open resolver' 
(https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=59)


Anything more specific you would like to know?

-- Carsten



Re: Problem with DNSSEC signing zone

2012-07-20 Thread Carsten Strotmann

Hello Thierry SAMEN,

On Fri, 20 Jul 2012, William Thierry SAMEN wrote:


Hi all Bind users,
I just have a problem with my zone signing output. I made all the steps to 
obtain a good result.
 1.  Generated KSK and ZSK
 2. Add both of keys at the end of my zone file
 3. signing my zone with dnssec-signzone command
 4. enable dnssec in named options
 5. change the name of my zone in the named by namezone.signed
 6. I got the root DNSKEY RR set before with dig command and redirect the 
output in root-dnskey file
 7. I turned the DNSKEY into DS RR set also, with dnssec-dsfromkey command.



Did you send the DS RR to the operator of the parent zone, and did you 
wait for the DS record to appear in the parent zone?


To see an AD flag, you need to send the query towards a caching DNSSEC 
validating server that is _not_ the same server that is hosting the zone 
(see
http://strotmann.de/roller/dnsworkshop/entry/dns_name_resolution_design_for).


The chain of trust from the trust-anchor of the caching 
validating DNS server until the signatures in the zone must be complete, 
including the DS record for your zone which must be hosted in the parent 
zone (co.uk.).


Please also make sure that the serial number in the SOA record on the 
authoritative server is the same number that you see in the signed zone 
file. Do not forget to increment the SOA serial before or during the 
signing process ( dnssec-signzone -N INCREMENT ... ).


I cannot test your domain from here, it seems the domain is not delegated 
(I'm seeing an NXDOMAIN from co.uk.).


csmobile :: ~ » drill -k root.key -SD willzik.co.uk
;; Number of trusted keys: 1
;; Chasing: willzik.co.uk. A


DNSSEC Trust tree:
willzik.co.uk. (A)
|---Existence is denied by:
|---G9F1KIIHM8M9VHJK7LRVETBQCEOGJIQP.co.uk. (NSEC3)
|---Existence is denied by:
|---QLR2IB6LOCI8AIL6L2NH50RQV809BNEG.co.uk. (NSEC3)
|---Existence is denied by:
|---22SDTUJH764RHEGKI5GU51QAU3T7947V.co.uk. (NSEC3)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

(the negative answer here is not DNSSEC validated, but that is another 
issue).


Best regards

Carsten Strotmann
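The check behind "did the DS record appear in the parent zone", as an added worked example (not code from the post or from ISC): the key tag (RFC 4034 Appendix B) and the DS digest (SHA-1 or SHA-256 over the canonical owner name plus the DNSKEY RDATA, RFC 4034/4509) are computed from the zone's KSK and compared with the DS RRset seen in the parent. The DNSKEY used below is the published test vector from RFC 4034 for dskey.example.com; no other names or values are assumed:

```python
import base64
import hashlib
import struct

# RFC 4034 section 5.4 test vector: (flags, protocol, algorithm, public key).
RFC4034_DNSKEY = (256, 3, 5,
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZ"
    "DRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw==")
RFC4034_OWNER = "dskey.example.com."


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels,
    terminated by the root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithms other than 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Presentation form of the DS record for this DNSKEY: tag alg dtype digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type, digest)


def parse_ds(text):
    tag, alg, dtype, digest = text.split()
    return (int(tag), int(alg), int(dtype), digest.upper())


def ds_published_correctly(owner, dnskey, parent_ds_rrset):
    """True when at least one DS record obtained from the parent zone
    matches the KSK (any supported digest type). A False result means
    the chain of trust is broken at the delegation."""
    flags, protocol, algorithm, pubkey_b64 = dnskey
    ours = {parse_ds(ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dt))
            for dt in DIGEST}
    return any(parse_ds(ds) in ours for ds in parent_ds_rrset)


if __name__ == "__main__":
    print(ds_from_dnskey(RFC4034_OWNER, *RFC4034_DNSKEY, digest_type=1))
```

In practice the parent's DS RRset comes from a query to the parent's authoritative servers (here: co.uk.), and the DNSKEY from the signed zone file; the `dnssec-dsfromkey` step in the thread produces the same values as `ds_from_dnskey` here.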

Re: Operation Cancelled Error

2012-07-12 Thread Carsten Strotmann (private)

Hello Ben,

On 7/12/12 10:32 AM, Ben wrote:

 Still, my question is open..

I'm not from ISC, but I have an idea what causes this (but I'm not an
authoritative source). You can look up the BIND source code.

Every caching DNS Server (BIND or other products) can only work on a
finite number of outstanding queries to other (authoritative) DNS
servers.

If an outstanding query to an external server takes too long (answer
does not come in), the DNS server needs to cancel the operation in
order to free up resources, that can be better used for new queries.
Without this mechanism, it would be possible for one client to eat up
all resources and block the whole server.

The log messages you are seeing are from these long queries that never
got an answer.

This might be because you are abusing a public DNS server for load
testing. That is not good. It is possible that the Google DNS is
rate-limiting or even blacklisting your server (and no-one can blame
them for doing that).

For proper DNS caching benchmarking, you should:

* create a closed DNS system (not connected to any production network
or the Internet), containing authoritative servers with a root zone,
TLD zones (com, net, org ...) and all second level (and further down
level) zones you like to query. The data in the zone doesn't matter,
you can make up data, but make sure that you get the delegation correct.

* Use more than one IP address on each of these servers (or more
physical servers) to give BIND some round trip time work to do. Use
high TTLs on the records you are testing, so that they stay in cache.

* load a root-hint zone into your caching DNS BIND server that points
to the root server in the lab.

* make sure the network link between the authoritative servers and the
caching server is fast (if you use cheap 100MBit Ethernet switches,
you are possibly not testing the caching server, you are benchmarking
the switches)

* then start benchmarking with one client, just to fill the cache.
Throw away that result. Now your cache is hot, it contains the
cached information.

* do more test runs. Add more clients for every test run. Measure the
queries per second you see from the caching server on every client.
Add up all results. Once the total QPS you see on all clients does not
go up when you add a new client, you have reached the maximum QPS of
that caching server.

* if you use just one client to generate load, you are testing the
speed of one client. That is not realistic. Caching servers can often
do a higher total QPS when using multiple clients. I often use 4-6
fast client machines to saturate one caching server.

* use different tools to generate the load traffic (queryperf,
resperf, perf from Unbound ...). Compare the results. Make sure they
make sense to you. Do not believe benchmarking tools until you
understand the results. Read the source. Make sure you are not
benchmarking the load generation tool.

Proper load testing and benchmarking is an art. It requires time and
work. And more time. And more work.

-- Carsten
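The evaluation step of the procedure above (discard the warm-up run, add a client per run, sum the per-client QPS, stop when the total no longer rises), as an added example that is not part of the post. The per-client numbers are constructed; the tolerance for "does not go up" is an assumption:

```python
# Constructed benchmark series: one list of per-client QPS per run. The
# first run is the single-client cache warm-up that the post says to discard.
SAMPLE_RUNS = [
    [12000],                                # warm-up, cold cache: discarded
    [48000],                                # 1 client
    [46000, 45000],                         # 2 clients: 91000
    [41000, 40000, 39500],                  # 3 clients: 120500
    [30500, 30000, 30200, 29800],           # 4 clients: 120500
    [24300, 24000, 24100, 24200, 24000],    # 5 clients: 120600
]


def total_qps(run):
    """Aggregate QPS the caching server delivered across all clients."""
    return sum(run)


def saturation_point(runs, tolerance=0.02, discard_first=True):
    """Return (clients, total_qps) of the last run that still raised the
    aggregate QPS by more than `tolerance`; that is the server's maximum.
    None means the series never flattened: the clients, not the server,
    were the bottleneck, so add more load generators."""
    series = runs[1:] if discard_first else runs
    previous = None
    for run in series:
        total = total_qps(run)
        if previous is not None and total <= previous * (1 + tolerance):
            return (len(run) - 1, previous)
        previous = total
    return None


if __name__ == "__main__":
    print(saturation_point(SAMPLE_RUNS))
```

A single-client series (`runs[:2]`) can never return a result here, which is the post's point that one client measures the client, not the server.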


Re: BIND, DNSSEC AD

2012-06-30 Thread Carsten Strotmann (private)

Hello John,

On 6/29/12 4:52 PM, John Williams wrote:
 The purpose behind this is not to protect the internal AD DNS from 
 hijacking.  But rather to allow internal clients to run DNSSEC
 related queries without having to reference external resolvers.
 
 dig +dnssec somedomain
 

I have documented the steps to enable DNSSEC validation on Windows
2012 in my Blog:
http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns

Keep in mind that DNSSEC requires that the authoritative and the
resolving/caching DNS servers be separate.

Clients will not see the AD-Flag (Authenticated Data) for a zone that
is hosted on the same DNS Server you are sending a recursive query to.
Applications that depend on the AD flag will fail in this scenario.

This is a change for many people in the Windows AD world, as often the
Windows DNS server is used as both authoritative and resolving at the
same time.

So a hybrid (both authoritative and caching/resolving) DNS Server can
DNSSEC validate all domains except the domains it hosts itself (which
are in case of AD the internal AD domains). This is true for BIND as
well as for Windows 2012 DNS.

The resolving DNS Servers can be Windows 2012 or BIND 9.6+. There is
no issue having BIND resolvers in an AD environment. It is however
simpler to have the AD authoritative DNS Servers on Windows Server OS.

Windows 2008R2 cannot validate DNSSEC in the Internet, as it lacks
support for NSEC3 and SHA256. But Windows 2012 is now fully DNSSEC enabled.

-- Carsten


BIND, DNSSEC AD

2012-06-29 Thread Carsten Strotmann

Hello JT,

I'm currently working on integrating MS DNSSEC (on Windows 2012) and
BIND here @ Men & Mice for another customer.


I might have a solution for you, but I need more detailed information about
your setup. I will contact you by E-Mail on Monday (I hope that is not too
late).


-- Carsten Strotmann



Re: Understanding cause of DNS format error (FORMERR)

2012-06-24 Thread Carsten Strotmann (private)

Hello Gabriele,

On 6/24/12 5:57 AM, Gabriele Paggi wrote:
> Hello Carsten,
>
> Thanks for your reply!
>> about the FORMERR. This might be caused by a Firewall or other
>> middlebox that truncates the large answer containing the NS
>> record set for this domain.
>>
>> I see the same if I try to fetch the delegation NS records from
>> the parent domain (microsoft.com) for
>> partners.extranet.microsoft.com:
> That doesn't explain why I get a correct reply to my query if I use
> a Windows DNS or one of the Google DNS (what software do they run?)
> or my home ISP DNS (UPC, Netherlands).

What we see is that we get different responses for the NS record set
for partners.extranet.microsoft.com:

1) a list of 4 NS records (dns10/11/12/13.one.microsoft.com) with
public route-able IPv4 addresses, answer size is around 200 byte

2) a list of 18 NS records
(-ptnr-dc-02.partners.extranet.microsoft.com.) with private RFC
1918 addresses and an answer size of above 800 byte. These are
internal domain controllers.

The answer size of 800 bytes can create the FORMERR issue.

I'm using BIND 9.9.1(-P1) and Unbound 1.4.17 here. Today I'm getting
answer type 1) from my home and also from a machine in the datacenter;
yesterday I saw answer type 2) and the FORMERR.

The FORMERR I'm seeing is also quite odd, as it has the AD flag set,
which should normally not appear in an error type of response, but
might be caused by a mangled DNS packet:

;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 30679
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

I have no explanation of this issue at the moment.

To my knowledge Google is using a homegrown DNS resolver, not BIND.

Best regards

Carsten Strotmann



Re: Understanding cause of DNS format error (FORMERR)

2012-06-24 Thread Carsten Strotmann (private)

Hello Jeffry,

On 6/22/12 1:25 PM, Spain, Dr. Jeffry A. wrote:
> From what I observed I would conclude that dns11.one.microsoft.com
> is a Windows DNS server since it behaves like mine except for the
> AA flag not being set in theirs.

It might even be a new Windows 2012 DNS server, and it might be an
issue with this new version. This is just speculation, but if it is an
issue with Windows 2012 DNS, it might be good to be able to isolate
that issue soon (so that it can be fixed before Windows 2012 is released).

> The missing AA flag and lack of authority and additional records in
> their response seems like improper behavior to me, but I don't know
> whether or not the DNS protocol actually requires this. Apparently
> BIND 9.9.1-P1 is able to handle this situation.

My BIND 9.9.1-P1 showed FORMERR yesterday, but shows the same good
answers that you report today.

What I see today when I send a direct query to
dns10.one.microsoft.com. (or dns11/12/13) is that both AA
(Authoritative Answer) and AD (Authenticated Data) flags are set, but
the zone does not seem to be DNSSEC signed (no RRSIGs, no DNSKEY):

bash-3.2# dig partners.extranet.microsoft.com. IN NS @dns11.one.microsoft.com. +dnssec

; <<>> DiG 9.9.1-P1 <<>> partners.extranet.microsoft.com. IN NS @dns11.one.microsoft.com. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40230
;; flags: qr aa ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; ANSWER SECTION:
partners.extranet.microsoft.com. 10 IN  NS  dns11.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN  NS  dns10.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN  NS  dns13.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN  NS  dns12.one.microsoft.com.
dns11.one.microsoft.com. 10 IN  A   94.245.124.49
dns10.one.microsoft.com. 10 IN  A   131.107.125.65
dns13.one.microsoft.com. 10 IN  A   65.55.31.17
dns12.one.microsoft.com. 10 IN  A   207.46.55.10

;; Query time: 37 msec
;; SERVER: 94.245.124.49#53(94.245.124.49)
;; WHEN: Sun Jun 24 10:00:54 2012
;; MSG SIZE  rcvd: 228


Having the AD flag set on a non-DNSSEC zone might be a protocol
violation, and that might be the cause of the FORMERR.

Best regards

Carsten Strotmann
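An added example, not part of this thread and not BIND's code: a small Python parser for raw DNS responses with a check for the flag combinations Carsten points at in this thread and in the "BIND, DNSSEC AD" message above, namely AD set on a FORMERR, and AA and AD set on an answer that carries no RRSIG. The two sample messages are constructed to mirror the dig output quoted in the thread; they are not captured packets, and the checks encode the thread's observations rather than a full RFC 4035 conformance test.

```python
# Added example: parse a raw DNS response and report the header oddities
# discussed in this thread. Sample messages are constructed, not captured.
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 16: "TXT", 28: "AAAA",
         41: "OPT", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3"}
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(msg):
    """Return (header dict, questions, {section: [(name, type, ttl, rdata)]})."""
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    hdr = {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
           "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
           "ad": bool(flags & AD), "cd": bool(flags & CD),
           "rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F))}
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPES.get(qtype, qtype)))
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype in (2, 5):                # NS / CNAME rdata is a name
                rdata = read_name(msg, off)[0]
            off += rdlen
            rrs.append((name, TYPES.get(rtype, rtype), ttl, rdata))
        sections[sec] = rrs
    return hdr, questions, sections


def flag_findings(hdr, sections):
    """The oddities the thread points at, as human-readable strings."""
    findings = []
    if hdr["ad"] and hdr["rcode"] not in ("NOERROR", "NXDOMAIN"):
        findings.append("AD set on %s response" % hdr["rcode"])
    has_rrsig = any(rr[1] == "RRSIG" for sec in sections.values() for rr in sec)
    if hdr["ad"] and sections["answer"] and not has_rrsig:
        findings.append("AD set but no RRSIG in response")
    if hdr["aa"] and hdr["ad"]:
        findings.append("AA and AD both set")
    return findings


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".") if l) + b"\x00"


def build_response(qid, flags, qname, qtype, answers=(), additional=()):
    """Build an uncompressed response; RRs are (name, type, class, ttl, rdata)."""
    msg = struct.pack("!6H", qid, flags, 1, len(answers), 0, len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rclass, ttl, rdata in list(answers) + list(additional):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return msg


ZONE = "partners.extranet.microsoft.com."
OPT_RR = (".", 41, 4096, 0, b"")               # EDNS0 OPT, UDP size 4096
# Constructed after the FORMERR reply quoted above: flags qr rd ad, one OPT.
FORMERR_SAMPLE = build_response(30679, QR | RD | AD | 1, ZONE, 2, additional=[OPT_RR])
# Constructed after the dns11 reply quoted above: flags qr aa ra ad, NS, no RRSIG.
AA_AD_SAMPLE = build_response(40230, QR | AA | RA | AD, ZONE, 2,
                              answers=[(ZONE, 2, 1, 10, encode_name("dns11.one.microsoft.com."))])

if __name__ == "__main__":
    for sample in (FORMERR_SAMPLE, AA_AD_SAMPLE):
        hdr, _, sections = parse_message(sample)
        print(hdr["rcode"], flag_findings(hdr, sections))
```

To run the same checks against a live server, hand parse_message() the payload of a UDP reply read from a socket; the parser follows compression pointers, so real answers with compressed names work as well as the constructed ones.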


Re: Understanding cause of DNS format error (FORMERR)

2012-06-24 Thread Carsten Strotmann (private)

Hello,

On 6/24/12 10:07 AM, Carsten Strotmann (private) wrote:

> It might even be a new Windows 2012 DNS server, and it might be an
> issue with this new version. This is just speculation, but if it is
> an issue with Windows 2012 DNS, it might be good to be able to
> isolate that issue soon (so that it can be fixed before Windows
> 2012 is released).

I did some tests with the release candidate version of Windows 2012,
and I could not reproduce the error. Windows 2012 internal version
number is 6.2 (6.2.8400) and it does not implement the version.bind
request (returns a NOTIMPL error).

However the dns11.one.microsoft.com DNS server returns

bash-3.2# dig @94.245.124.49 txt ch version.bind
;; Warning: query response not set
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.9.1-P1 <<>> @94.245.124.49 txt ch version.bind
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11512
;; flags: aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.  CH  TXT

;; ANSWER SECTION:
version.bind.   1476526080 IN   TXT "Microsoft DNS 6.1.7601 (1DB14556)"

;; Query time: 36 msec
;; SERVER: 94.245.124.49#53(94.245.124.49)
;; WHEN: Sun Jun 24 10:26:11 2012
;; MSG SIZE  rcvd: 76

which is

Version         Product                 Milestone  Service branch
6.1.7600.16xxx  Windows Server 2008 R2  RTM        GDR

I'm now setting up a Windows 2008R2 DNS Server with the latest patches
in the test lab to see if I can recreate the issue.

Best regards

Carsten Strotmann



Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Carsten Strotmann (private)

Hello Gabriele,

On 6/22/12 11:22 AM, Gabriele Paggi wrote:
> I'm a BIND novice and I'm trying to understand what causes my
> BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried
> for the A record of vlasext.partners.extranet.microsoft.com:
>

At Men & Mice I've investigated this issue a few weeks ago for one of
our customers. At that point in time, we've seen NS records with
private addresses:

dig ns partners.extranet.microsoft.com.

; <<>> DiG 9.9.1 <<>> ns partners.extranet.microsoft.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53053
;; flags: qr rd ra; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 19

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; ANSWER SECTION:
partners.extranet.microsoft.com. 2311 IN NS db3-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS tk5-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS by1-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS co2-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS co2-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS sinxtdnsz01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS kaw-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS ph1-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS tk5-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS tk5-ptnr-dc-05.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS rno-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS tk5-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS sin-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS sin-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS by1-ptnr-dc-04.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS kaw-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS db3-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS ph1-ptnr-dc-02.partners.extranet.microsoft.com.

;; ADDITIONAL SECTION:
db3-ptnr-dc-01.partners.extranet.microsoft.com. 1406 IN A 10.251.138.15
tk5-ptnr-dc-02.partners.extranet.microsoft.com. 26 IN A 10.251.51.102
by1-ptnr-dc-03.partners.extranet.microsoft.com. 3505 IN A 10.251.94.15
co2-ptnr-dc-02.partners.extranet.microsoft.com. 2941 IN A 10.251.152.89
co2-ptnr-dc-01.partners.extranet.microsoft.com. 2679 IN A 10.251.152.173
sinxtdnsz01.partners.extranet.microsoft.com. 171 IN A 10.251.168.142
kaw-ptnr-dc-02.partners.extranet.microsoft.com. 1101 IN A 10.251.162.20
ph1-ptnr-dc-01.partners.extranet.microsoft.com. 1417 IN A 10.251.26.11
tk5-ptnr-dc-01.partners.extranet.microsoft.com. 2872 IN A 10.251.51.13
tk5-ptnr-dc-05.partners.extranet.microsoft.com. 137 IN A 10.251.52.143
rno-ptnr-dc-01.partners.extranet.microsoft.com. 1375 IN A 10.251.64.113
tk5-ptnr-dc-03.partners.extranet.microsoft.com. 1564 IN A 10.251.52.124
sin-ptnr-dc-03.partners.extranet.microsoft.com. 882 IN A 10.251.168.67
sin-ptnr-dc-02.partners.extranet.microsoft.com. 505 IN A 10.251.169.47
by1-ptnr-dc-04.partners.extranet.microsoft.com. 2270 IN A 10.251.94.16
kaw-ptnr-dc-03.partners.extranet.microsoft.com. 3461 IN A 10.251.162.193
db3-ptnr-dc-02.partners.extranet.microsoft.com. 1690 IN A 10.251.138.59
ph1-ptnr-dc-02.partners.extranet.microsoft.com. 3018 IN A 10.251.26.12

;; Query time: 1314 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 30 18:57:27 2012
;; MSG SIZE  rcvd: 867

The issue seems to differ depending on the point in the network you are
sending the query from, and on whether the resolving DNS server has only
IPv4 or is dual-stack (IPv4 + IPv6). It seems that the resolution is
sometimes broken, but we have not found the root cause of the issue.

This forward zone proved to be an (ugly, but working) workaround:

zone partners.extranet.microsoft.com IN {
type forward;
forwarders { 131.107.125.65;
 94.245.124.49;
 207.46.55.10;
 65.55.31.17; };
};

We've also informed Microsoft about the issue.

Best regards

Carsten Strotmann

Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Carsten Strotmann (private)

Hello Gabriele,

On 6/22/12 11:22 AM, Gabriele Paggi wrote:

> I'm a BIND novice and I'm trying to understand what causes my
> BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried
> for the A record of vlasext.partners.extranet.microsoft.com:

About the FORMERR: this might be caused by a firewall or other
middlebox that truncates the large answer containing the NS record set
for this domain.

I see the same if I try to fetch the delegation NS records from the
parent domain (microsoft.com) for partners.extranet.microsoft.com:

# dig @ns1.msft.net. partners.extranet.microsoft.com ns

; <<>> DiG 9.9.1-P1 <<>> ns @ns1.msft.net. partners.extranet.microsoft.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 30679
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; Query time: 167 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Sat Jun 23 10:47:33 2012
;; MSG SIZE  rcvd: 60

If some other members of this mailing list also see the same FORMERR
(I'm seeing it over IPv4+IPv6), it is very likely a firewall or
middlebox on the Microsoft side.

Best regards

Carsten Strotmann


Re: MS AD 2008R2 and bind

2012-01-03 Thread Carsten Strotmann (private)

Hello Christian,

On 1/3/12 11:00 AM, Melbinger Christian wrote:
>
> So this is presumably not a problem of the bind servers themselves,
> but still, does anyone have an idea how to get rid of the error
> messages?
>
> Anyone know the checkbox to unset? I didn't find one?

From the error message you're seeing, the problem is that the domain
controller has already found DNS entries for itself in the DNS, but
the entries are pointing to a different IP address than the domain
controller has.

The domain controller will not overwrite the existing entries. You
have to remove the wrong, stale entries and after that the domain
controller should be able to register (update) the address records
with the correct IP addresses. You can force this with a reboot or
with ipconfig /registerdns from the commandline.

The old IP addresses might be leftovers from a test, and have not been
properly removed when the IP addresses of the domain controller has
been changed.

Best regards

Carsten Strotmann



Re: rndc addzone|delzone

2012-01-01 Thread Carsten Strotmann (private)

On 1/1/12 1:18 PM, DNSbed.com wrote:
> On Sun, 1 Jan 2012 13:05:41 +0100, Jan-Piet Mens
> jpmens@gmail.com wrote:
>>> Has anyone tried the new features of rndc addzone|delzone with
>>> BIND-9.7? Will the zone added|deleted get transferred between
>>> master and slaves?
>>
>> No, the newly added (or deleted) zone will not be automatically
>> added to (deleted from) slave servers. (Slaves require a
>> different zone definition containing at least the master
>> servers.)
>
>
> Thanks for the info. If the result can't be transferred between
> master/slaves, I doubt it has the practical use.

It can be used in scripting solutions on a hidden master, for example:

1) script creates new master zone file and named.conf zone
definition, reloads hidden master DNS

2) script uses rndc addzone to add the new zone to all secondary/slave
servers

This is an improvement over the situation without rndc addzone, where
one had to use some kind of remote access to change the named.conf on
the secondaries.

-- Carsten
Happy New Year
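As an added example (not from the thread and not ISC's code), the two-step procedure Carsten sketches above as a Python script run on the hidden master: write the zone file, add the master zone locally, then add a slave zone on every secondary with rndc addzone. Host names, addresses, the zone directory, the rndc key path and the 127.0.0.1 control address are placeholders; the script assumes every target named has allow-new-zones yes; (rndc addzone is refused otherwise) and uses the BIND 9.7-era keywords type slave; and masters, which later versions still accept. Nothing is executed or written unless dry_run=False.

```python
# Added example: provision a new zone on a hidden master and its secondaries
# via rndc addzone. All names, addresses and paths are placeholders.
import subprocess
from datetime import date


def next_serial(existing=None, today=None):
    """YYYYMMDDnn serial: nn=00 on a new day, otherwise bump nn.
    today is an int YYYYMMDD (defaults to the current date)."""
    today = today or int(date.today().strftime("%Y%m%d"))
    base = today * 100
    if existing is not None and existing // 100 == today:
        return existing + 1
    return base


def master_zone_file(zone, primary_ns, hostmaster, serial, ns_addr):
    """Minimal zone file text: SOA, one NS and its address record."""
    return "\n".join([
        "$TTL 3600",
        "$ORIGIN %s." % zone,
        "@ IN SOA %s %s ( %d 7200 900 1209600 3600 )" % (primary_ns, hostmaster, serial),
        "@ IN NS %s" % primary_ns,
        "%s IN A %s" % (primary_ns, ns_addr),
        "",
    ])


def master_zone_statement(zone_file, secondaries):
    """Zone options for the hidden master, on one line as rndc addzone expects."""
    acl = " ".join("%s;" % ip for ip in secondaries)
    return ('{ type master; file "%s"; allow-transfer { %s }; also-notify { %s }; };'
            % (zone_file, acl, acl))


def secondary_zone_statement(master_ip, zone_file):
    return '{ type slave; masters { %s; }; file "%s"; };' % (master_ip, zone_file)


def addzone_argv(server, zone, statement, keyfile="/etc/rndc.key"):
    """rndc addzone takes the zone options as a single argument; no shell is used,
    so the statement needs no extra quoting."""
    return ["rndc", "-s", server, "-k", keyfile, "addzone", zone, statement]


def _write_file(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def provision(zone, master_ip, secondaries, zone_dir="/var/named",
              dry_run=True, runner=subprocess.run, writer=_write_file):
    """Step 1: zone file plus master zone on the hidden master (127.0.0.1).
    Step 2: slave zone on each secondary. Returns the rndc argv list used."""
    path = "%s/master/%s.db" % (zone_dir, zone)
    text = master_zone_file(zone, "ns1.%s." % zone, "hostmaster.%s." % zone,
                            next_serial(), master_ip)
    cmds = [addzone_argv("127.0.0.1", zone, master_zone_statement(path, secondaries))]
    cmds += [addzone_argv(s, zone, secondary_zone_statement(master_ip, "slave/%s.db" % zone))
             for s in secondaries]
    if not dry_run:
        writer(path, text)
        for argv in cmds:
            runner(argv, check=True)       # stop at the first failing server
    return cmds


if __name__ == "__main__":
    for argv in provision("example.net", "192.0.2.1", ["192.0.2.2", "192.0.2.3"]):
        print(" ".join(argv))
```

The delzone counterpart is symmetric (rndc -s server delzone zone), and the same key file must be trusted in each secondary's controls statement; rndc is the only remote access the procedure needs, which is the improvement over editing named.conf on every secondary.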


Re: rndc reload has no effect?

2011-12-31 Thread Carsten Strotmann (private)

On 12/31/11 8:09 AM, Ken Peng wrote:
> Today I setup a new name system, BIND 9.7.3 with multi-views, zone
> transfers are going based on different TSIG-Keys. I have found a
> strange problem that when I edited the zone file, added a record,
> increased the serial number, then run rndc reload, but nothing
> happened. The newly added record can't be queried on both the master
> and the slaves. It seems rndc reload doesn't take effect on views
> with TSIG-Keys?
>
> Please help, thanks.

Hello Ken,

This might be a problem of multiple instances of BIND running. Check
with ps aux | grep named if you have more than one BIND process.

-- Carsten


Take your DNSSEC with a grain of salt ...

2011-12-31 Thread Carsten Strotmann (private)

Hi,

Because it was a recurring question in the ISC/Men & Mice DNSSEC
trainings this year, I've taken some time to write down my knowledge
on NSEC3 use of the salt and iteration parameters:

http://strotmann.de/roller/dnsworkshop/entry/take_your_dnssec_with_a

Please let me know if you find something missing or wrong.

Happy new year 2012 to all DNS admins out there

-- Carsten