Re: Change in zone file formatting after enabling allow-update (lot´s of $ORIGIN)

2023-09-22 Thread Jan-Piet Mens

After the first automated
name change, my zone file was unformatted. I lost the comments and more
than 500 occurrences of the ORIGIN parameter were inserted.


Configuring dynamic DNS updates on a zone means that named takes control over
how the zone file is (periodically) rewritten to disk. There is no way to
inhibit this. Note also that the zone file must not be edited by hand without
prior `rndc freeze' and subsequent `rndc thaw', and note that freezing a zone
forbids updates.

As a side note I'd like to recommend using the much more granular `update
policy' on the zone.

-JP
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: help me with the ipv6 PTR generation

2023-08-24 Thread Jan-Piet Mens

IPv6 PTR records are simply reversed.


easier said than done, for some of us. I use BIND's arpaname(1) utility which
does the work for me:

$ arpaname 2001:db8::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA

-JP
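What arpaname(1) does under the hood, as an added Python example (not from the post and not ISC's arpaname source): the address is expanded to all 32 hex nibbles, each nibble (not each 16-bit group) is reversed and dot-separated, and the inverse mapping is included so an existing PTR owner name can be checked against the address it is meant to represent. That arpaname also upper-cases IPv4 names is assumed here from the IPv6 output above; DNS names are case-insensitive, so either case is valid.

```python
"""Reverse-mapping (PTR owner) names for IPv4 and IPv6 addresses.

Added example, not from the original post and not ISC's arpaname(1)
source; it reproduces what that utility prints using only the standard
library, plus the inverse mapping for checking existing PTR names.
"""
import ipaddress


def arpaname(address: str) -> str:
    """Return the IN-ADDR.ARPA / IP6.ARPA owner name for an IP address.

    The IPv6 address is first expanded to all 32 hex nibbles; every nibble
    (not every 16-bit group) is then reversed and dot-separated.  Output
    is upper-cased to match arpaname(1) (assumed for IPv4 as well).
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".IN-ADDR.ARPA"
    nibbles = ip.exploded.replace(":", "")          # exactly 32 hex digits
    return ".".join(reversed(nibbles)).upper() + ".IP6.ARPA"


def address_from_arpaname(name: str) -> str:
    """Inverse of arpaname(): recover the (compressed) address from a
    host-level reverse name.  Raises ValueError for partial names or
    anything outside in-addr.arpa / ip6.arpa."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]
        if len(octets) != 4:
            raise ValueError("expected four octets before in-addr.arpa")
        return str(ipaddress.IPv4Address(".".join(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2][::-1]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError("expected 32 single-nibble labels before ip6.arpa")
        hexstr = "".join(nibbles)
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError("not a reverse-mapping name")


if __name__ == "__main__":
    for addr in ("2001:db8::1", "192.0.2.10"):
        rev = arpaname(addr)
        print(f"{addr} -> {rev} -> {address_from_arpaname(rev)}")
```

The round trip is the useful check when auditing a reverse zone: feed each PTR owner name through address_from_arpaname() and compare with the forward A/AAAA data.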


Re: question about DNSSEC with PKCS11

2023-08-15 Thread Jan-Piet Mens

1. Since I use an HSM (now SoftHSM) to store the DNSSEC key, is it more
insecure to convert the key(s) from the HSM to a .private file with
dnssec-keyfromlabel?


keys are not actually 'converted' with this utility; instead the .private file
links to the corresponding private (and typically unexportable) key on the HSM.
(If you look inside the .private key you'll see a "Label:" which contains the
base64-encoded "pointer" to the key on the HSM.)

In other words, use of dnssec-keyfromlabel(1) is not a security issue per se.

-JP


Re: Catalog zone failure

2023-04-30 Thread Jan-Piet Mens

Apr 30 05:33:48 keef named[7473]: catz: zone 'gshapiro.net' uses an invalid 
primary (no IP address assigned)
Apr 30 05:33:48 keef named[7473]: catz: error "failure" while trying to 
generate config for zone 'gshapiro.net'


The way I read this is it's complaining about `gshapiro.net', i.e. one of the
member zones in the catalog (and not the catalog itself).

Does gshapiro.net have an NS RRset and corresponding addresses?

-JP


Re: Is it possible to move a zone between catalogs on the same secondary? It is.

2023-04-21 Thread Jan-Piet Mens
And yes, you can automate this with nsupdate to old and new catalog, 


Brilliant, Petr, thank you.

I saw some of the loveliest log messages this week during coo from k-catz to
t-catz:

zone t-catz/IN: transferred serial 10: TSIG 't'
catz: t-catz: reload start
catz: updating catalog zone 't-catz' with serial 10
catz: deleting zone 'z10.aa' from catalog 'k-catz' - success
catz: adding zone 'z10.aa' from catalog 't-catz' - success
catz: t-catz: reload done: success
catz: catz_delzone_cb: zone 'z10.aa' deleted
zone z10.aa/IN: Transfer started.
zone z10.aa/IN: transferred serial 1: TSIG 't'

The spec says:

"The old owner may remove the member zone containing the coo property
 from $OLDCATZ once it has been established that all its consumers have
 processed the Change of Ownership."

however, when I stop and restart the consumer server, I have sometimes (not 
always) seen

catz: catz_addmodzone_cb: zone 'z10.aa' will not be added because 
another catalog zone already contains an entry with that zone

which is true, but it doesn't _seem_ to cause issues.

Once I remove the offending zone from the 'giving' catalog, the diagnostic
doesn't reappear.

All this is with today's git version.

Best regards,

-JP


Re: Is it possible to move a zone between catalogs on the same secondary?

2023-04-19 Thread Jan-Piet Mens

Any ideas?


is this the point at which I confess I've only now read about Change of
Ownership (coo) [1]?

-JP

[1] https://bind9.readthedocs.io/en/latest/chapter6.html#change-of-ownership-coo


Is it possible to move a zone between catalogs on the same secondary?

2023-04-19 Thread Jan-Piet Mens

I'm in the process of migrating a modest number of zones from one signer 
(OpenDNSSEC) to another (Knot-DNS). (The KSKs are identical so that should not 
be an issue for this question.)

Each of the signers has a catalog (manually maintained for ODS, automatically 
for Knot) which is transferred and consumed by BIND 9.18 secondaries; each of 
these has two catalog{} stanzas on each server.

The trouble I'm going to be running into is when a zone should move from catz-A 
to catz-B: in this case the zone must be removed from catz-A (whereupon it'll 
be deleted when the catalog is notified/transferred) and added to catz-B 
(whereupon it will be populated when the catalog is notified/transferred). 
During this (possibly quite short) time, the zone will not be available on the 
secondaries (REFUSED).

Is there a clever/elegant solution to this problem?

My first idea was to use the same zones-directory for each of the catalogs, but 
a) I don't know whether that's actually a supported configuration and b) it 
would likely not solve the issue because the catalog name is embedded in the 
__catz__...*.db zone filename.

Adding the zone to both catalogs won't work either (obviously) because the zone would 
"exist twice"; BIND catches that error and correctly logs it.

Any ideas? Bonus points if the solution can be automated. :)

Thank you,

-JP


Re: Catalog zones and disabling notifies

2023-04-19 Thread Jan-Piet Mens

I'd like to stop them from sending notifies when they transfer in a
zone. Neither "notify no;" nor "notify primary-only;" seems to do
it.


Maybe set `notify no' (or `notify explicit') globally in options{} and then
enable notify on a case-by-case basis on statically configured zones on the
secondary?

-JP


Re: Fully automated DNSSEC with BIND 9.16

2023-04-13 Thread Jan-Piet Mens

1. Every time I restart the service, it seems all these files are recreated.


How did you observe this? Just by file timestamps or actual content? And just
to be sure to ask the obvious: you are not manually removing these files are
you? :)

-JP


Re: dnssec-keygen not available in Bind9.16-utils package?

2023-03-20 Thread Jan-Piet Mens

Have you checked whether there is a bind.*dnssec-utils package? I stumbled
across this with a RHEL-type Linux recently...

-JP


Re: Correlation between NOTIFY-Source and AXFR-Source

2023-03-09 Thread Jan-Piet Mens

I always was quite sure that Bind will request XFR from the Primary that sent 
the NOTIFY.


my understanding has always been that the primaries are tried in configured 
order.

Looking forward to hearing which is actually correct. :)

-JP


Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-13 Thread Jan-Piet Mens

is it possible to restrict dynamic dns updates to one domain?


I think 'name' is what you're after:

grant key-name name host1.example.de. A;

You will be aware that the type list can take multiple space-separated values.

-JP
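How an update-policy rule like the one above is evaluated, as an added Python model (not BIND's code, and it serves both the `name` grant here and the earlier recommendation to prefer update-policy over allow-update): `name` is an exact match on the owner name, `subdomain` also matches names below it, `zonesub` matches anything inside the zone, and the first grant or deny rule that matches decides. When a rule gives no type list, BIND matches every type except RRSIG, NS, SOA, NSEC and NSEC3, which the model reproduces; the `self`, `selfsub`, `wildcard` and Microsoft-specific nametypes are left out. Rule strings, key names and zone names below are constructed.

```python
"""Evaluate BIND-style update-policy grant/deny rules against a proposed update.

Added example, not BIND's own code: a simplified model of the `name`,
`subdomain` and `zonesub` nametypes and of the type-list defaults, to show
what a TSIG-keyed client can and cannot change under a given policy.
"""
from dataclasses import dataclass, field

# Types BIND will not match when a rule gives no explicit type list.
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


def _norm(name: str) -> str:
    """Lower-case, single trailing dot."""
    return name.lower().rstrip(".") + "."


def is_subdomain(name: str, parent: str) -> bool:
    name, parent = _norm(name), _norm(parent)
    return name == parent or name.endswith("." + parent)


@dataclass
class Rule:
    action: str                     # "grant" or "deny"
    identity: str                   # TSIG key name
    nametype: str                   # "name", "subdomain" or "zonesub"
    name: str = ""                  # unused for zonesub
    types: set = field(default_factory=set)   # empty -> BIND's default set

    def matches(self, key: str, owner: str, rrtype: str, zone: str) -> bool:
        if _norm(key) != _norm(self.identity):
            return False
        if self.nametype == "name":            # exact-match semantics
            name_ok = _norm(owner) == _norm(self.name)
        elif self.nametype == "subdomain":     # the name and anything below it
            name_ok = is_subdomain(owner, self.name)
        elif self.nametype == "zonesub":       # anything inside the zone
            name_ok = is_subdomain(owner, zone)
        else:
            raise ValueError(f"nametype {self.nametype!r} not modelled here")
        if not name_ok:
            return False
        rrtype = rrtype.upper()
        if self.types:
            return rrtype in self.types or "ANY" in self.types
        return rrtype not in DEFAULT_EXCLUDED


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'grant key-name name host1.example.de. A;'."""
    parts = text.strip().rstrip(";").split()
    action, identity, nametype = parts[:3]
    rest = parts[3:]
    if nametype == "zonesub":                  # takes no name field
        return Rule(action, identity, nametype, types={t.upper() for t in rest})
    return Rule(action, identity, nametype, rest[0], {t.upper() for t in rest[1:]})


def update_allowed(rules, key, owner, rrtype, zone) -> bool:
    """First matching rule decides, as in BIND; no match means the update is refused."""
    for rule in rules:
        if rule.matches(key, owner, rrtype, zone):
            return rule.action == "grant"
    return False


if __name__ == "__main__":
    policy = [parse_rule("grant key-name name host1.example.de. A;")]
    for owner, rrtype in (("host1.example.de.", "A"), ("host1.example.de.", "TXT"),
                          ("sub.host1.example.de.", "A")):
        print(owner, rrtype, update_allowed(policy, "key-name", owner, rrtype, "example.de."))
```

Running the model against a real policy is a quick way to see how much a key is actually granted: a `name` rule with an explicit type list is the least-privilege form, while `zonesub ANY` hands the key the whole zone.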


Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-03 Thread Jan-Piet Mens

You would probably need to attach your entire named.conf file (with
sensitive bits (keys and the like) redacted 


named-checkconf -px 


is your friend: prints out the named.conf and included files in canonical form
if no errors were detected and obscures shared secrets by replacing them with
strings of question marks (?)

-JP


Re: converting from opendnssec/openhsm?

2023-01-27 Thread Jan-Piet Mens

What is possible is to have BIND use PKCS#11 to use the keys stored in SoftHSM.


I should have added that a key rollover is possible from one to another. The
basic idea is to create new keypairs in BIND (dnssec-keygen) and then import
them into SoftHSM for a rollover in OpenDNSSEC. Once that has completed,
the zone can be migrated from the latter to the former.

(requires many amounts of )

-JP


Re: converting from opendnssec/openhsm?

2023-01-27 Thread Jan-Piet Mens

is there a known hack to extract keys from opendnssec/openhsm to use for
bind bitw inline-signing?


Assuming you mean SoftHSM (i/o openhsm), no, I don't think so, at least not
when using its default settings. (That is one of the main features of an HSM --
to keep the keys safe -- although there are devices which permit exporting
private keys...)

What is possible is to have BIND use PKCS#11 to use the keys stored in SoftHSM.
Lots of *cough* fun in doing that.

(BTW, this is irrespective of inline- or other forms of signing.)

-JP



Correct way to change DNSKEY TTL in inline-signed, auto-dnssec zone?

2022-12-18 Thread Jan-Piet Mens

I'm stumped. I have a zone which had a default $TTL of 86400 and I want to
reduce it to 3600. This is normally not a problem, but the TTL of the DNSKEY
RRset won't budge from 86400.

What is the correct method to change a zone's DNSKEY TTL when it's already been
signed with inline-signing yes; auto-dnssec maintain; ?

zone "udp53.org." IN {
type primary;
file "udp53.org";

dnssec-dnskey-kskonly yes;
inline-signing yes;
auto-dnssec maintain;

update-policy {
grant local-ddns zonesub ANY;
};
};

I've tried changing the zone's default $TTL with a freeze/edit/thaw dance
followed by `rndc loadkeys' and `rndc sign', but that doesn't alter the zone's
DNSKEY TTL.  I thought maybe $TTL would be the problem, so I set the SOA TTL
explicitly and redid the dance; no change.

Then I used `dnssec-settime -L ' to change the TTL in the .key file (and
verified the ttl was actually set there), but neither of `rndc sign zone',
`loadkeys', 'freeze/edit/thaw' cause the new TTL to be published in the DNSKEY
RR.

I've not found an issue in BIND gitlab, and none of the solutions in a 2016
thread by somebody who had the same problem seem sane. (One of the ideas by a
person whose name I won't mention I think suggested editing the signed zone
file ;)

I think the only way I'll be able to solve this is to stop the daemon, remove
the *.signed* files, and restart to have the signer kick off anew.

Is there something else I can try? I'm out of ideas.

-JP


Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

2022-10-26 Thread Jan-Piet Mens via bind-users

Retried my named.conf with BIND 9.19.7-dev (Development Release)  
which reports:

26-Oct-2022 21:31:42.021 /private/tmp/b/named.conf:11: 'inline-signing 
yes;' must also be configured explicitly for zones using dnssec-policy without 
a configured 'allow-update' or 'update-policy'. See 
https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing

If I add an allow-update{} or inline-signing{} stanza, the server starts and
neither combination overwrites the primary zone file.

-JP


Re: dig +norecurse behaviour changed with 9.16.33

2022-10-26 Thread Jan-Piet Mens via bind-users

The change is that with 9.16, if the requested name is a CNAME, only the
CNAME value is returned by dig, while with 9.11 dig would return both the CNAME
value and the IP of the CNAME.


as others have said, this needs more details, but I wonder whether you might
now be querying a server which has `minimal-responses yes' configured which it
didn't previously.

-JP



Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

2022-10-26 Thread Jan-Piet Mens via bind-users

the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in order to
_not_ overwrite original zone files/data on signing.


I cannot confirm that (9.17.22):

% ls -1
example.aa
named.conf

% cat named.conf
options {
directory ".";
listen-on port 5301 { 127.0.0.2; };
recursion no;
dnssec-validation no;
};

zone "example.aa" in {
type primary;
file "example.aa";
dnssec-policy "default";
};

% named -g -c named.conf  &

% ls -1
Kexample.aa.+013+11677.key
Kexample.aa.+013+11677.private
Kexample.aa.+013+11677.state
example.aa
example.aa.jbk
example.aa.signed
example.aa.signed.jnl
named.conf

The .signed has the signed zone from which BIND serves data, and the original
source file is unchanged.

-JP


Re: A beginner's guide to DNSSEC with BIND 9

2022-10-26 Thread Jan-Piet Mens via bind-users

The inline-signing feature will not go away.


Thanks, Matthijs, I stand corrected. I believe I had seen that in ISC
documentation and/or issues, but I will now stop saying that. :)

-JP



Re: A beginner's guide to DNSSEC with BIND 9

2022-10-24 Thread Jan-Piet Mens via bind-users

A Beginner's Guide to DNSSEC with BIND 9.


Well done! A few comments, if I may:

1. in your zone stanzas you use the term "master" (type: master, ... masters 
{}). BIND has been updated already a while ago to support the term primary, e.g. `type 
primary;' and `primaries {};' (likewise for 'secondary'). It might be a good time to 
switch to the new nomenclature, particularly as you rightly call the primary primary and 
secondary a secondary :)

2. I tend to use `rndc reconfig' for re-configuration (after adding a new zone, 
say) rather than `reload', which I used when I wish named to load a modified 
primary zone.

3. on your primary you have an allow-transfer{} ACL for your secondary using its IP address. You might wish to look into using TSIG for that. 


4. note that `inline-signing' might go away and be replaced by dnssec-policy 
which you may wish to look into at some point.

5. I'm not familiar with the paths used by your Ubuntu distro, but the command 
at #6 appears to be incorrect:

sudo ./etc/bind/named-checkconf named.conf.local

   named-checkconf(8) is likely in /usr/sbin and it will use a compiled-in 
default configuration file.

6. just as a FYI: instead of "and if you quickly type tail var/log/syslog" I 
typically `tail -f' (follow) the log file in a second window/pane/console or even in the 
same session in order to have logs show up immediately. :)

7. Instead of querying for the SOA (dig ... SOA +dnssec), I like querying for 
the DNSKEY RRset so that I see the key tags (key IDs): `dig @::1 example.com 
DNSKEY +dnssec +multi' (the +multi flag shows me the key types and tags, or use 
+nocrypto to omit the base64-encoded stuff)

8. in the section on externally validating, I'd love to recommend dnsviz.net: I 
cannot think of another testing site which I would *pay* to use. These chaps 
are grand!


Feel free to talk to me off-list if I've not made sense.

Best regards,

-JP


Re: DS keys with 2 digest algorithms

2022-09-22 Thread Jan-Piet Mens via bind-users

Maybe in the future dnssec-signzone won't generate the deprecated entry to
begin with.


BIND 9.16.0 stopped generating SHA1 digests [1]:

"DS and CDS records are now generated with SHA-256 digests only, instead of 
both SHA-1 and SHA-256. This affects the default output of dnssec-dsfromkey, the dsset 
files generated by dnssec-signzone, the DS records added to a zone by dnssec-signzone 
based on keyset files, the CDS records added to a zone by named and dnssec-signzone based 
on “sync” timing parameters in key files, and the checks performed by 
dnssec-checkds."

-JP

[1] https://bind9.readthedocs.io/en/v9_16_6/notes.html
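What the quoted release note changes in practice, as an added Python example (not ISC's code and not dnssec-dsfromkey itself): a DS is the key tag plus a digest over the owner name in wire form followed by the DNSKEY rdata, and the only thing that changed in 9.16.0 is which digest types are emitted by default. The DNSKEY below is a constructed dummy whose two public-key bytes are not a real key; the wire encoding, the RFC 4034 Appendix B key-tag arithmetic and the digest computation are the real ones, and a deliberately strict matcher refuses to accept a SHA-1 DS.

```python
"""DS generation from a DNSKEY, the way dnssec-dsfromkey does it.

Added example, not ISC's code.  The DNSKEY used is a constructed dummy
(its two public-key bytes are not a real key); the owner-name wire
encoding, the key-tag algorithm (RFC 4034 Appendix B) and the digest
computation are the real ones.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

# DS digest types (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# SHA-1 (type 1) is what BIND 9.16.0 stopped emitting by default.
DEPRECATED_DIGESTS = {1}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def from_text(cls, owner, flags, protocol, algorithm, key_b64):
        """Build from the presentation form used in .key files and dig output."""
        return cls(owner, int(flags), int(protocol), int(algorithm),
                   base64.b64decode(key_b64))

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (the old RSAMD5 special case is not handled)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def ds_records(key: DNSKEY, digest_types=(2,)) -> list:
    """DS rdata strings ('keytag alg digest_type HEX') for each digest type.
    The default of SHA-256 only mirrors the 9.16.0 behaviour quoted above."""
    out = []
    for dt in digest_types:
        digest = DIGEST_ALGS[dt](name_to_wire(key.owner) + key.rdata()).hexdigest().upper()
        out.append(f"{key.key_tag()} {key.algorithm} {dt} {digest}")
    return out


def ds_matches(key: DNSKEY, ds_text: str) -> bool:
    """Does a published DS correspond to this DNSKEY?  Deprecated or unknown
    digest types are rejected rather than verified."""
    tag, alg, dt, digest = ds_text.split()
    dt = int(dt)
    if dt in DEPRECATED_DIGESTS or dt not in DIGEST_ALGS:
        return False
    return ds_records(key, (dt,))[0] == f"{tag} {alg} {dt} {digest.upper()}"


if __name__ == "__main__":
    dummy = DNSKEY.from_text("example.com.", 257, 3, 13, "AQI=")   # constructed, not a real key
    for ds in ds_records(dummy, (1, 2)):
        print("DS", ds, "(deprecated)" if ds.split()[2] == "1" else "")
```

Passing `(1, 2)` reproduces the pre-9.16 output, which is handy when comparing against a dsset file generated by an older release; the default reproduces the new one.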


Re: Delete/update MX record

2022-06-06 Thread Jan-Piet Mens via bind-users

Using nsupdate when I try to delete an MX record for a domain, I get REFUSED.


REFUSED is also reported when attempting to update a non-dynamic zone. Are you 
sure the zone you're trying to update is actually dynamic?


How do I remove and replace the MX record for a domain with nsupdate?


del ownername. MX [rdata]

should do it. Without [rdata] all MX for the owner will be removed, but specify 
rdata to indicate you wish to delete just the one.

As Mark said: best demonstrate what you are doing.

-JP



Re: Splitting long strings in RRs using parentheses

2022-05-26 Thread Jan-Piet Mens via bind-users

20220317-a4qe._domainkey TXT (
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAA

   ^ begin comment

   OCAQ8AMIIBCgKCAQEAmEsWuQCj+OenaSQ3dM6WItExor



The bit from the first semicolon to the end of the line was missing.
Is that expected behavior?


A semicolon begins a comment in a zone file [1], so yes.

-JP

[1] 
https://jpmens.net/2015/10/28/the-semicolon-in-zone-master-files-some-history/
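The lexing rule behind the answer above, as an added Python example (not from the post and not BIND's lexer): a small tokenizer that applies the RFC 1035 master-file rules for `;` comments, double-quoted strings and `(`...`)` continuation, run over a constructed unquoted and a constructed quoted version of a DKIM TXT record (the key material is a placeholder). The unquoted one loses everything from the first semicolon to the end of the line, exactly as reported; the quoted one keeps it.

```python
"""Zone master-file lexing: ';' comments, quoted strings and parentheses.

Added example, not from the original post and not BIND's lexer.  It shows
why an unquoted DKIM TXT value loses everything from the first ';' to the
end of the line, while the same value in double quotes survives.  The
sample records are constructed; the key material is a placeholder.
"""
from dataclasses import dataclass


@dataclass
class Record:
    line: int        # line number on which the record starts
    tokens: list     # owner, optional ttl/class, type, rdata fields


def tokenize_zone(text: str) -> list:
    """Split zone-file text into logical records using the RFC 1035 rules:
    ';' starts a comment that runs to end of line, "..." quotes a single
    token in which ';', whitespace and '(' are literal, and '(' ... ')'
    let one record span several lines.  Outside parentheses a newline ends
    the record."""
    records, tokens, cur = [], [], []
    depth, in_quote, start_line, lineno = 0, False, None, 1

    def flush():
        if cur:
            tokens.append("".join(cur))
            cur.clear()

    i = 0
    while i < len(text):
        ch = text[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(text):       # \" or \\ inside quotes
                cur.append(text[i + 1])
                i += 2
                continue
            if ch == '"':                                # closing quote
                tokens.append("".join(cur))              # an empty string is a token too
                cur.clear()
                in_quote = False
            elif ch == "\n":
                raise ValueError(f"line {lineno}: newline inside quoted string")
            else:
                cur.append(ch)
        elif ch == ";":                                  # comment: skip to newline
            flush()
            while i < len(text) and text[i] != "\n":
                i += 1
            continue                                     # the newline is handled below
        elif ch == '"':
            flush()
            in_quote = True
            start_line = start_line or lineno
        elif ch == "(":
            flush()
            depth += 1
        elif ch == ")":
            flush()
            depth -= 1
            if depth < 0:
                raise ValueError(f"line {lineno}: unbalanced ')'")
        elif ch == "\n":
            flush()
            if depth == 0 and tokens:
                records.append(Record(start_line, list(tokens)))
                tokens.clear()
                start_line = None
            lineno += 1
        elif ch in " \t\r":
            flush()
        else:
            start_line = start_line or lineno
            cur.append(ch)
        i += 1
    flush()
    if depth:
        raise ValueError("unbalanced '(' at end of input")
    if tokens:
        records.append(Record(start_line, list(tokens)))
    return records


def txt_strings(record: Record) -> list:
    """The character-strings of a TXT record (tokens after the TXT type)."""
    return record.tokens[record.tokens.index("TXT") + 1:]


# Constructed samples; PUBKEYPART1/2 stand in for the base64 key material.
UNQUOTED_SAMPLE = (
    "20220317-a4qe._domainkey TXT ( v=DKIM1; k=rsa; p=PUBKEYPART1\n"
    "    PUBKEYPART2 )\n"
)
QUOTED_SAMPLE = (
    '20220317-a4qe._domainkey TXT ( "v=DKIM1; k=rsa; p=PUBKEYPART1"\n'
    '    "PUBKEYPART2" )\n'
)

if __name__ == "__main__":
    for label, sample in (("unquoted", UNQUOTED_SAMPLE), ("quoted", QUOTED_SAMPLE)):
        print(label, txt_strings(tokenize_zone(sample)[0]))
```

named-checkzone would happily load the unquoted version, since `v=DKIM1` alone is a valid TXT string; the truncation only shows up when the published record is compared with what was intended, which is why a tokenizer-level check like this is worth running on DKIM and SPF records before they go live.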


Re: Primary zone not fully maintained by BIND

2022-05-26 Thread Jan-Piet Mens via bind-users
26-May-2022 10:06:14.458 debug 3: zone penguinpee.nl/IN/external: 
zone_rekey failure: unexpected error (retry in 600 seconds)


One of the first things BIND does, if I'm reading lib/dns/zone.c correctly, is
to attempt to lock the keys, and if it fails it emits that diagnostic.

Assuming the signing is being attempted simultaneously in both views, I wonder
if that goes hand-in-hand with what Matthijs writes:


Since 9.16.18 you should not be able to set the same key-directory for the
same zone in different views.


So maybe using the same key directory (from the same dnssec-policy) is actually
causing the issue?

-JP


Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-26 Thread Jan-Piet Mens via bind-users

(putting this back on list)


thank you for the feedback, now I have already started the slave server
[root@bind-master-centos7 ~]# dig kaixinduole.com +nssearch
SOA ns1.kaixinduole.com. shawn.kaixinduole.com. 2022041566 3600 900 604800
86400 from server 52.130.145.30 in 0 ms.
SOA ns1.kaixinduole.com. shawn.kaixinduole.com. 2022041584 3600 900 604800
86400 from server 139.217.99.188 in 1 ms.


You'll note that the two servers have a differing SOA serial: 2022041566 vs
2022041584.

Something has changed, because the zone now SERVFAILs:

$ dig @9.9.9.9 kaixinduole.com
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56297

When queried directly, I get a response:

$ dig @52.130.145.30 ns1.kaixinduole.com +norec
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

I can't get rid of the feeling that we're not seeing the same server you are...

-JP


Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-26 Thread Jan-Piet Mens via bind-users

2.  [image: image.png]


In this screenshot you've shown the result of `cat named.conf', but where's the
zone definition for kaixinduole.com? What we are seeing here is a recursive
server.

-JP


Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-25 Thread Jan-Piet Mens via bind-users

I just modified the serial number


this is not currently a problem, but please note that you've changed the first
four digits which are likely  to 2023. 


Also if the zone is reloaded there's no need to restart named.


Actually nothing changed,


Indeed. Are you doing these changes on the server we know as NS1.kaixinduole.com with 
the IP address shown below?



As Bob mentions, the second NS2 is not responding:

$ dig kaixinduole.com +nssearch
SOA ns1.kaixinduole.com. shawn.kaixinduole.com. 2022041566 3600 900 604800 
86400 from server 52.130.145.30 in 343 ms.

From here we're still seeing the unchanged SOA serial number.

-JP


Re: There are some prombles in the query log

2022-05-25 Thread Jan-Piet Mens via bind-users

All queries are from the same client whose ip is 192.168.100.126, but why the
port which each query from is so different?


The source port is random and it should be different.


I disabled the recursion of bind 9 ,but all the Recursion Desired flag was set
'+', this confused me.  >


If you add the +norec (no recursion) flag to dig, it will not request recursion.


The client object identifiers are not the same although all queries are from
the same client.


That is correct, and you can safely ignore them. BIND developers can use those
for intense debugging.


One more thing, I use dlz to allows zone data to be retrieved from postgresql.


I think (actually I'm pretty sure) that DLZ as you have been using it is
meanwhile deprecated, so I would consider migrating to something else, i.e.
plain zone master files. (Please do not confuse DLZ as you've been using
it with the new DLZ loadable modules.)

-JP



Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-25 Thread Jan-Piet Mens via bind-users

the domain name is kaixinduole.com


Querying the SOA record for kaixinduole.com shows the SOA serial number
is less than what you showed in the screenshot:

;; ANSWER SECTION:
kaixinduole.com. 21600 IN SOA ns1.kaixinduole.com. 
shawn.kaixinduole.com. (
2022041566 ; serial
3600   ; refresh (1 hour)
900; retry (15 minutes)
604800 ; expire (1 week)
86400  ; minimum (1 day)
)

I just create a cname record for testing, which is www cname to
www.baidu.com. please see the below :


When you update the zone file and add the CNAME, you must increase
the SOA serial number to anything higher than what it currently
is. The zone seems to use MMDDnn format, but you can also just
increment the current number.

After storing the zone file, I recommend you use

named-checkconf -z

to make sure you see no error messages, and then you should be
able to load the zone with an

rndc reload kaixinduole.com

Good luck,

-JP
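The serial arithmetic behind this advice and behind the differing serials seen earlier in the thread (2022041566 on one server, 2022041584 on the other), as an added Python example that is not from the posts: a YYYYMMDDnn bump that falls back to current+1 when the date form would not be newer, the RFC 1982 wrap-around comparison a secondary uses to decide whether to transfer, and a parser for `dig <zone> +nssearch` output that lists servers lagging behind. The nssearch lines are constructed with documentation addresses, not captured output.

```python
"""SOA serial handling: YYYYMMDDnn bumping, RFC 1982 comparison and a
check of `dig <zone> +nssearch` output for servers that lag behind.

Added example, not from the original posts.  The nssearch lines below are
constructed (documentation addresses), not captured output.
"""
import re
from datetime import date

MOD = 2 ** 32
HALF = 2 ** 31


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than b under RFC 1982 wrap-around rules,
    the comparison a secondary makes before deciding to transfer."""
    a, b = a % MOD, b % MOD
    if a == b:
        return False
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def next_serial(current: int, today) -> int:
    """Next YYYYMMDDnn serial for 'today' (a date or 'YYYY-MM-DD' string).

    Uses today's date with nn=00 when that is newer than the current
    serial; otherwise (same day already used, clock moved backwards, or
    the zone never used the date scheme and sits above it) falls back to
    current + 1, which is always a valid RFC 1982 step.  A numerically
    smaller result is fine as long as it is newer modulo 2^32.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    candidate = int(today.strftime("%Y%m%d")) * 100
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) % MOD


NSSEARCH_RE = re.compile(
    r"^SOA\s+\S+\s+\S+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+from server\s+(\S+)"
)


def serials_from_nssearch(output: str) -> dict:
    """Parse `dig +nssearch` output into {server: serial}."""
    found = {}
    for line in output.splitlines():
        m = NSSEARCH_RE.match(line.strip())
        if m:
            found[m.group(2)] = int(m.group(1))
    return found


def lagging_servers(serials: dict) -> list:
    """Servers whose serial is older than the newest one seen (RFC 1982 order)."""
    newest = None
    for s in serials.values():
        if newest is None or serial_gt(s, newest):
            newest = s
    return sorted(srv for srv, s in serials.items() if s != newest)


# Constructed sample in the single-line format dig prints.
NSSEARCH_SAMPLE = """\
SOA ns1.example.com. hostmaster.example.com. 2022041566 3600 900 604800 86400 from server 192.0.2.53 in 12 ms.
SOA ns1.example.com. hostmaster.example.com. 2022041584 3600 900 604800 86400 from server 198.51.100.53 in 20 ms.
"""

if __name__ == "__main__":
    print("next serial after 2022041566 today:", next_serial(2022041566, date.today()))
    print("lagging:", lagging_servers(serials_from_nssearch(NSSEARCH_SAMPLE)))
```

The fallback matters for the case in this thread: a zone whose serial already encodes today's date cannot simply be rewritten to today's date with nn=00, because that would be lower, so the only safe move is to increment.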



Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-24 Thread Jan-Piet Mens via bind-users

(I've tried to reformat some of this; it was illegible to me and I'm probably
misreading some of it)


www IN  CNAME www.baidu.com.



[root@centos7 ~]# dig www.kaixinduole.com   # it should be cname to


You've not specified an address for dig to use so it's using your system's
resolver, likely querying a caching server which is responding with a cached
entry.

-JP


Re: Primary zone not fully maintained by BIND

2022-05-24 Thread Jan-Piet Mens via bind-users

   dnssec-policy default;


Slightly off-topic, but I believe ISC recommend using a custom policy instead
of `default' in case the default changes in future.


view "internal" {
   zone "penguinpee.nl" {
   type primary;
   file "dynamic/penguinpee.nl.internal.zone";
   };
};

view "external" {
   zone "penguinpee.nl" {
   type primary;
   file "master/penguinpee.nl.zone";
   };
};


> Using delv, the internal view of the zone fully validated, for SOA, A,
> etc.


That surprises me a bit; I've always maintained BIND will not validate a
DNSSEC-signed zone it is authoritative for. Unless you mean RRSIGs were
still valid.

> I thought that with 'dnssec-policy default' BIND would take care of
> it. Upon updating the zone, increase the serial number and tell named
> with 'rndc reload zone'. What am I missing?


BIND should be signing the zone(s) with dnssec-policy, yes, and the
dynamically-updateable zone will be signed on update and SOA serial
increased automatically.

I wonder whether it's getting confused (can software get confused? I suppose
so) with the two identically-named zones. If this were my installation and
I had to use views, I'd try specifying distinct policies for the zones
to see if that makes a difference.

-JP


Re: Dynamic A records similar to nip.io or xip

2022-05-24 Thread Jan-Piet Mens via bind-users

> Does the $GENERATE directive in BIND zone files do what you need?


The $GENERATE statement is executed when loading the zone file, which results in an
expanded in-memory version of the zone being used. That can get quite large.

-JP


Re: Dynamic A records similar to nip.io or xip

2022-05-23 Thread Jan-Piet Mens via bind-users

> DLZ are loadable modules


I should have pointed to the documentation [1] and some example modules [2].

-JP

[1] https://github.com/isc-projects/bind9/tree/main/contrib/dlz/example
[2] https://github.com/isc-projects/bind9/tree/main/contrib/dlz/modules


Re: Dynamic A records similar to nip.io or xip

2022-05-23 Thread Jan-Piet Mens via bind-users
> Does anyone know whether it's possible to generate with Bind these
> kind of A records automatically on the authoritative side


BIND has DLZ, Dynamically Loadable Zones, which is an extension which allows
zone data to be retrieved from basically anywhere. DLZ are loadable modules
written in the C language [1].

So the answer is yes, but it entails a non-trivial bit of programming.

-JP


Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users

> I am ridiculed by an ISC member for using a reserved domain according to


For the record, assuming you mean me, I am not affiliated with the gold folk at
ISC.

-JP


Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users

> Suppose I was working on a problem for Barclays Bank


In that case I would think Barclays Bank's Platinum Enterprise BIND Support
contract would cover answering such questions.

-JP


Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users

> The values in the file dsset-example.com generated by signing the zone are not
> good.


If they are 'not good' then it's possible you are using an outdated dsset
file. (And you are hiding domain names; I doubt example.com has been delegated
to you.) 


dnssec-signzone creates dsset- files when signing a zone
manually/semi-automatically. If you are signing with, say, autodnssec-maintain,
then no dsset- file is created and you use dnssec-dsfromkey to determine the DS
which you then submit to your parent zone.

-JP
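The DS derivation the post points to (what dnssec-dsfromkey does for one DNSKEY), as an added example that is not part of the original post: RFC 4034 key tag plus a digest over the owner name in wire format followed by the DNSKEY RDATA. The DNSKEY material under __main__ is a constructed placeholder, not a real key.

```python
"""Derive a DS record from a DNSKEY, the way dnssec-dsfromkey does.

Added example, not from the original post.  Key tag per RFC 4034
Appendix B; digest per RFC 4034 s5.1.4 over (owner name in canonical
wire form || DNSKEY RDATA).  The key bytes used below are a constructed
placeholder, not usable key material.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (legacy, for comparison only), 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase labels,
    each length-prefixed, terminated by the empty root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA.
    (Algorithm 1, RSA/MD5, used a different rule; it is obsolete and not handled.)"""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def ds_presentation(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """The DS in zone-file syntax: the line you submit to the parent zone."""
    tag, alg, dt, digest = ds_from_dnskey(owner, flags, protocol, algorithm, key_b64, digest_type)
    return f"{owner} IN DS {tag} {alg} {dt} {digest}"


if __name__ == "__main__":
    # Constructed KSK: flags 257 (zone key + SEP), protocol 3, algorithm 8
    # (RSASHA256); "AQIDBA==" decodes to the placeholder bytes 01 02 03 04.
    print(ds_presentation("example.com.", 257, 3, 8, "AQIDBA=="))
```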


Re: Transitioning to new algorithm for DNSSEC

2022-05-05 Thread Jan-Piet Mens via bind-users

> Is there a guide on transitioning the DNSSEC signing algorithm,


One of the best concise instructions on doing this was written by Tony Finch
while at Cambridge, and I have used this [1] successfully a few times.

My recommendation: print it out, and use a red pen to tick off the individual
points as you complete them. The most difficult phases are where the document
says 'wait'. Not only should you wait but also wait 'a bit more'. Timing is
of the essence.

Good luck!

-JP

[1] https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html


Re: Supporting LOC RR's

2022-05-02 Thread Jan-Piet Mens via bind-users

> Fun is a sufficient reason.


Definitely.

IATA airport codes to LOC:

% dig +short CDG.air.jpmens.net LOC
49 0 46.073 N 2 33 0.000 E 119.00m 1m 1m 10m

and more fun with an associated TXT:

% dig +short CDG.air.jpmens.net TXT
"cc:FR; m:Paris; t:large, n:Charles de Gaulle International Airport"

with more at https://jpmens.net/2020/10/04/airports-of-the-world/

-JP


Re: Using Ansible to manage bind installation/basic setup.

2021-05-18 Thread Jan-Piet Mens via bind-users
Ansible's template module is what you'd probably use for #1, the service 
module (with handlers) for #2, and #3 comes out of the box when you use 
Ansible.


While you might find existing roles and playbooks on the internets, I 
would strongly recommend to vet them carefully in a test environment 
before using them in production; just because something works for me 
doesn't mean it will satisfy you. :)


Good luck,

-JP


Re: Using different OS for Master and Slaves

2019-11-14 Thread Jan-Piet Mens

> give or take some kludgery in the scripts that manage the config files


as Warren pointed out, configuration management can go a long way in 
helping to get that set up; judicious use of templating, for instance, 
can actually produce configs for NSD, BIND, and Knot. :)


-JP


Re: Loading all zone files in a directory

2016-07-23 Thread Jan-Piet Mens

> include /etc/nginx/conf.d/*.conf;


> Bind seems to lack an equivalent syntax. That means that even if I copy
> a self-contained zone file to the zones directory, I still have to
> manually register the zone in the named.conf.local file.


That should be pretty trivial to template together with Ansible and/or use 
'assemble' to create the final version. Alternatively, look at `rndc addzone'.  


(Also, have you looked at existing roles of which there are several?)


> Is there a way to get Bind to automatically include config files in a
> directory? If not, might it make sense to place a feature request for
> this with the Bind developers?


Please no: this is trivial to accomplish with scripting; I think BIND is 
featureful enough as it stands. ;-)


-JP


Re: Sending extra info in bind dns query packet

2016-07-14 Thread Jan-Piet Mens

> I did not get this... am I posting this to wrong mailing list?


This has been discussed several times on this list within the past few weeks.  
You should check the archives.


-JP


Re: Sending extra info in bind dns query packet

2016-07-14 Thread Jan-Piet Mens

> Is there an echo in here?


More like an endless loop.

-JP


Re: Writeable file already in use

2016-01-05 Thread Jan-Piet Mens
> Change the filenames on the slave, or just don't have a "file" option
> in the slave zone configuration.

I was going to yell "TIL from Evan, that 'file' is optional for a
slave", but 

/etc/named.conf:545: zone 'example.com': missing 'file' entry

This is on 9.10.3. Did I misunderstand you?

-JP


Re: Writeable file already in use

2016-01-05 Thread Jan-Piet Mens
> but I believe it's optional otherwise.

You are correct (of course). I had inline signing enabled.

For a non-signed zone I note the transfer indeed works without a 'file'
specification, and I note it's not stored on file anywhere (just in
core).

Thanks for clarifying.

-JP


Re: Writeable file already in use

2016-01-05 Thread Jan-Piet Mens
> This might make you sad if you have lots of zones or large zones.

.. or even just want to look at what was transferred (without having to
recurse to a `dig axfr').

I see no reason to omit 'file' (except on a diskless slave ;-)

-JP


Re: Adding DNS ALG support to Bind?

2015-11-06 Thread Jan-Piet Mens
Mark,

> may want to add a "_dns-update._udp.example.net SRV" record pointing
> to the nameservers as someone convinced the router vendor(s) that
> this is how you do it 

Is this a standard? Other than [1], which insinuates it's an Apple-only
thing, the Goog turns up only 55 hits for "_dns-update" and SRV. ;-)

Can you mention any other vendors which support the SRV RR for directing
updates?

-JP

[1] http://fmepnet.org/osx_dyndns.html


Re: Testing RFC 5011 key roll

2015-04-21 Thread Jan-Piet Mens
> My lesson is - besides just working out the configuration - testing
> RFC5011 takes more patience than just about any other feature of
> DNS/DNSSEC.  RFC5011 is the most wall-clock driven mechanism we have.

Yup. I learned that as well.

As a side note: can you imagine my surprise when, after waiting all that
time BIND then crashed on me after being fed OpenDNSSEC keys? Had to
start all over and explain excessive hair loss to the missus ...

It's thanks to Warren's keyroll.systems that I actually persisted
testing, and only then did I report the crash to ISC, whereupon I was
forced to wait a full rollover period until I was allowed to talk about
it. ;-)

-JP



Re: Testing RFC 5011 key roll

2015-04-18 Thread Jan-Piet Mens
Edward,

the subject of this message piqued my interest ;-)

> 17-Apr-2015 10:17:02.083 starting BIND 9.10.0 -g -c rfc5011.conf

Very ouch. Much pain. Lots frustration. Many hairpulls. Mucho crash. ;)

Upgrade to 9.10.2 [1] in which Evan fixes the CVE we discovered on
RFC5011 rolls and, thankfully, adds comments to BIND's managed-keys.db
in which BIND then tells us nice things, e.g. whether key is trusted,
revoked, etc.

-JP


[1] https://kb.isc.org/article/AA-01257/0/BIND-9.10.2-Release-Notes.html


Re: Why log a failed transfer successfully?

2015-04-02 Thread Jan-Piet Mens
> 2001:67c:2e8:5::c100:c6#53: Transfer completed: 0 messages, 0 records, 0
>
> Is there any logic to this that I'm missing?

s/completed/failed/ on error cannot be particularly difficult to
implement.

-JP


Re: com.google how did they do that

2015-04-01 Thread Jan-Piet Mens
> I'm sure it was not cheap.

Peanuts compared to their buying .app for $25m. [1] Here's a list of the
other TLDs they've got so far: [2]

> Brace yourself!  There are many here now, and more coming.

The list of delegated strings [3] increases almost daily, yes. (And I
can't stop laughing.)

-JP

[1] http://www.wired.com/2015/02/is-googles-latest-tld-purchase-a-game-changer/
[2] http://www.google.com/registry/
[3] http://newgtlds.icann.org/en/program-status/delegated-strings


Re: Need help debugging my zone file

2014-01-31 Thread Jan-Piet Mens
> carter bind # named-checkzone espersunited.com db.espersunited.com
> dns_master_load: db.espersunited.com:37: www.espersunited.com: CNAME and
> other data
> zone espersunited.com/IN: loading from master file db.espersunited.com
> failed: CNAME and other data
> zone espersunited.com/IN: not loaded due to errors.

checkzone is telling you where the problem is: it's on line 37 of that
file. Furthermore, the zone is not being loaded because it's erroneous.

> www.espersunited.com. IN A 192.168.0.2
[...]
> ;CNAME records
> www.espersunited.com.   IN CNAME carter.espersunited.com.

You have a CNAME for www and an A record for it; that's illegal, which
is why BIND is saying 'CNAME and other data'.

-JP
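The rule behind that error (a CNAME may not share its owner name with any other data, except the RRSIG and NSEC that DNSSEC requires beside it) as an added example that is not the poster's or BIND's code: a small lint that reports the same condition named-checkzone flagged, with the offending line numbers. The zone text inside is constructed; parenthesised multi-line records and ';' inside quoted TXT strings are out of scope.

```python
"""Flag owner names that carry a CNAME together with other data.

Added example, not from the original post.  Parses single-line
master-format records, honours $ORIGIN, ';' comments, relative owner
names and the blank-owner shorthand, then reports every owner that has
a CNAME plus other RR types (RFC 1034 s3.6.2; RFC 4035 s2.5 allows
RRSIG and NSEC beside a CNAME in a signed zone).
"""
import re
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}       # required, not "other data"
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)


def qualify(name, origin):
    """Turn a possibly relative owner name into an absolute lowercase name."""
    if name == "@":
        return origin
    if not name.endswith("."):
        name = f"{name}.{origin}"
    return name.lower()


def parse_zone(text, origin):
    """Yield (lineno, owner, rrtype) for every record in the zone text."""
    origin = origin.lower() if origin.endswith(".") else origin.lower() + "."
    last_owner = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].startswith("$"):
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            continue                           # $TTL etc. carry no record
        if raw[0] in " \t":                    # blank owner: reuse the last one
            owner = last_owner
        else:
            owner = qualify(fields.pop(0), origin)
            last_owner = owner
        # Optional TTL and class may appear in either order before the type.
        while fields and (TTL_RE.match(fields[0]) or fields[0].upper() in CLASSES):
            fields.pop(0)
        if fields and owner is not None:
            yield lineno, owner, fields[0].upper()


def cname_conflicts(text, origin):
    """Return sorted [(owner, [other types], [line numbers])] for each
    owner name that has a CNAME and other data."""
    by_owner = defaultdict(list)
    for lineno, owner, rrtype in parse_zone(text, origin):
        by_owner[owner].append((rrtype, lineno))
    problems = []
    for owner, records in by_owner.items():
        types = {t for t, _ in records}
        if "CNAME" not in types:
            continue
        others = sorted(types - {"CNAME"} - ALLOWED_WITH_CNAME)
        if others:
            lines = sorted(n for t, n in records if t == "CNAME" or t in others)
            problems.append((owner, others, lines))
    return sorted(problems)


# Constructed zone, shaped like the one in the post: www has both an A and a CNAME.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN SOA   ns1 hostmaster ( 2024010101 7200 900 1209600 300 )
         IN NS    ns1
ns1      IN A     192.0.2.1
carter   IN A     192.0.2.2
www      IN A     192.0.2.2
mail     IN MX    10 carter
;CNAME records
www      IN CNAME carter
ftp      IN CNAME carter
"""

if __name__ == "__main__":
    for owner, others, lines in cname_conflicts(SAMPLE_ZONE, "example.test."):
        print(f"lines {lines}: {owner}: CNAME and other data ({', '.join(others)})")
```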


Re: Need help debugging my zone file

2014-01-31 Thread Jan-Piet Mens
(*shamefaced*) Your message popped up as 'new' which is why I answered
before noticing it had been answered already. :(

-JP


Re: rndc addzone gets permission denied

2014-01-12 Thread Jan-Piet Mens
> but getting rndc: 'addzone' failed: permission denied, nothing on the logs,
> only received control channel command 'addzone zone.local { type slave;
> file slaves/zone.local; masters { 172.31.199.154; }; };' even after rndc
> trace 99.
>
> allow-new-zones yes;
>
> tried with chmod 777 for /var/named, /etc/named, /usr/lib64/bind but
> nothing helps.

named must be able to write into the directory it will create the file
in. Assuming your `directory` option is set to `/var/named`, and seeing
your `file` statement above contains `slaves/zone.local`, the path to
which named will write is

/var/named/slaves

which must be writeable by the user named is running as.

-JP


Re: FW: subscribe in bind-developer

2013-08-28 Thread Jan-Piet Mens
> how can I subscribe in bind-developer channel ? (bind9 version ),,,
> because I want to modify bind code

bind-workers ? [1]

-JP

[1] https://lists.isc.org/mailman/listinfo/bind-workers


Re: Reinstall after modifying

2013-08-21 Thread Jan-Piet Mens
> how can I install bind as a named server after I have made my
> modification to its source code without using yum

First you ./configure, specifying the options you want to use; pay
particular attention to installation paths. (The best way to determine
how your existing BIND was configured is to locate a SRC RPM file and
look at its .spec file and patches.)

Then you `make'. If all goes well, you either `make install', in which
case the files and programs are copied to the paths you specified in the
first step, or if you just want to test `named', you can run
`bin/named/named' from the top-level directory of the source
distribution. 

-JP


Re: BIND9 statistics-server: JSON?

2013-03-15 Thread Jan-Piet Mens

> { text: snipped }

;-)

> Evan has merged this into master

I know -- he's kept me busy looking and testing, and it looks very good.

> and it will go out in 9.10, sometime
> later this year. (We're also putting it into our new subscription
> branch, which should be available for subscription customers in a few
> weeks.)

I pleaded and begged for it to be in 9.9.3b3, but, oh, well. (No
worries: I'm grossly exaggerating.)

> Thanks Jan-Piet!!!

Thank you all for accepting the idea and implementing it cleanly!
Looking very much forward to seeing this.

-JP


Re: spf ent txt records.

2013-03-13 Thread Jan-Piet Mens
> Does our DNS-server support SPF-type records? Or do we put SPF-info in a
> TXT-record?

BIND has supported SPF records since 9.4 I think, so yes. Their
functionality is identical (i.e. define both if you want/need both):

name  ttl  class   TXT text
name  ttl  class   SPF text

Regards,

-JP


Re: newstats XSL broken?

2013-02-19 Thread Jan-Piet Mens
Shane,

> Yes, we had discovered and fixed this in the master branch (patch
> attached). Apologies for the brokenness!

I've applied that, and it does indeed look better, but not good enough :)
See screen shot [1]. No worries, though: I'll wait until you release
(and I'm more looking forward to your implementing the JSON suggestion I
sent over... ;-)

Regards,

-JP

[1] http://d.pr/i/MVo1


Re: newstats XSL broken?

2013-02-19 Thread Jan-Piet Mens
> That just means there's no data to graph yet. Send your server a few
> queries and try it again.

Duh. Didn't occur to me, because I was looking for the list of
authoritative zones served by named. 

Other than that, the output looks very sexy.

(Are people really interested in the 'Tasks' list? I think that's a lot
of data which could be omitted from the stats...)

-JP


BIND9 statistics-server: JSON?

2013-02-14 Thread Jan-Piet Mens
As a fan of BIND's statistics-server I was tempted to see if I could
reduce the size of the data (XML) named produces by adding an option to
produce JSON. The patch [1] (which is terribly quick and dirty) does that.

[1] https://gist.github.com/jpmens/4958763

Accessing the URI /json on named would produce something like this:

{
    "views": {
        "_default": [
            {
                "name": "0.IN-ADDR.ARPA",
                "class": "IN",
                "serial": 0
            },
            {
                "name": "B.E.F.IP6.ARPA",
                "class": "IN",
                "serial": 0
            },
            [...]
            {
                "name": "ww.mens.de",
                "class": "IN",
                "serial": 201211565
            }
        ],
        "_bind": [
            {
                "name": "authors.bind",
                "class": "CH",
                "serial": 0
            },
            [...]
        ]
    }
}

Which of course is trivial to parse, with say,

#!/usr/bin/env python
# Python 2 (urllib2, print statement); fetches the /json document from the
# patched statistics-server and lists the zones per view.

import sys, json, urllib2

BINDURI = 'http://127.0.0.1:8053/json'

f = urllib2.urlopen(BINDURI)

# print f.headers

doc = json.loads(f.read())

views = doc['views']
for viewname, zonelist in views.iteritems():
    print viewname
    for zone in zonelist:
        print "\t%s %-40s %s" % (zone['class'], zone['name'], zone['serial'])

which in turn makes this:

_default
IN 0.IN-ADDR.ARPA   0
IN B.E.F.IP6.ARPA   0
IN ww.mens.de   201211565
[...]
_bind
CH authors.bind 0
[...]

I haven't yet conducted tests as to which is actually faster to
produce/transport/consume, but I _suspect_ it's JSON. :)

If I cleaned this up appropriately and attempted to add some (all?) of
the counters (I'm mostly interested in the list of zones which is why I
started with that) would there be a chance of ISC adding this to stock
BIND9? Even better: would ISC take on the work of doing it? ;-)

Regards,

-JP


Re: odd compile error in a lib

2013-02-14 Thread Jan-Piet Mens
> I installed FreeBSD 9.1 on 3 virtually identical HP rack servers.
   ^^^

It seems this box is missing a Kerberos (krb5) library, but I don't know
what it's called on FreeBSD. Maybe compare a list of installed packages
on the servers and install what's missing on the system where linkage
breaks.

-JP


Re: newstats XSL broken?

2013-02-03 Thread Jan-Piet Mens
Evan,

On Sat Jan 26 2013 at 03:51:17 CET, Evan Hunt wrote:

> I'd love it if you'd try it, actually, find out how hard it is to modify
> your tools to use the new schema, and send feedback.

I think the XSL is broken (see attached patch), at least Chrome & Safari
say the document is empty and Firefox shows a bunch of '0' ...

-JP
*** bind9.xsl.orig  2013-02-03 13:26:48.0 +0100
--- bind9.xsl   2013-02-03 13:26:51.0 +0100
***
*** 20,26 
  xsl:stylesheet version=1.0
   xmlns:xsl=http://www.w3.org/1999/XSL/Transform;
   xmlns=http://www.w3.org/1999/xhtml;
!  xsl:template
   html
   head
   style type=text/css
--- 20,26 
  xsl:stylesheet version=1.0
   xmlns:xsl=http://www.w3.org/1999/XSL/Transform;
   xmlns=http://www.w3.org/1999/xhtml;
!  xsl:template match=statistics
   html
   head
   style type=text/css
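Review bot: the old line 23 of bind9.xsl declares the `xsl:template` with neither a match nor a name attribute, which is not valid XSLT and fits the symptom reported above (an empty document in Chrome and Safari, zeros in Firefox); adding `match="statistics"` is the right fix as long as the document element named serves for the statistics page is literally `statistics`, so confirm that element name against a live response before merging, because a template that matches nothing renders the same empty page. The hunk as shown here has also lost its angle brackets and attribute quotes, so it will not apply as pasted; use the original attachment.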

Re: rndc addzone|delzone: some questions

2013-01-27 Thread Jan-Piet Mens
Evan,

On Sun Jan 27 2013 at 00:10:28 CET, Evan Hunt wrote:

> Delzone just means delete the zone from named, not delete the zone file
> from the filesystem.  (And I reckon we can do a good deal more harm by
> deleting files you wanted to keep than by leaving files for you to delete
> yourself...)

What named giveth named may taketh :) I understand your reasoning. I
just wanted to avoid writing a cleanup process.

-JP


rndc addzone|delzone: some questions

2013-01-26 Thread Jan-Piet Mens
Hello,

we have a few BIND (9.9) slave servers, each slaving a couple of hundred
thousand small zones (a dozen records in each). A file included into
named.conf is periodically generated from a database, and named is
reconfigured (rndc reconfig) to load new slave zones.

I'm considering replacing this scheme of doing things by calls to `rndc
addzone' to add the slave zone to named on the fly, because we're seeing
NOTIFYs going unanswered (for existing zones) while BIND is reloading.

I'd appreciate if you could help me clarify a few things, please.

1. Is named 'deaf' during an `rndc addzone'? I don't think so, but I'm
   finding it hard to determine definitely. I'm primarily concerned with
   named being able to handle any NOTIFYs it gets.

2. When I `rndc addzone ... type slave; ...' named immediately picks
   that up, transfers the zone and creates the specified file. However,
   `rndc delzone', while it drops the zone from named, does not remove
   the zone file from the file system. Is that a bug or was that
   implemented intentionally?

   It seems a bit illogical to me that the zone file isn't removed from
   the file system, but perhaps I'm interpreting 'delzone' too strongly?  :)

3. If I direct `rndc addzone|delzone' to the same named instance from
   multiple processes (from the same source IP address), is there any
   danger of the .nzf file being corrupted?

Thank you for your time.

Regards,

-JP


Re: What causes 'zone transfer setup failed' ?

2013-01-25 Thread Jan-Piet Mens
> Note that the log message related to outgoing zone transfers from named,

The shame! That's what I get for being at it 17 hours non-stop. I
overlooked the -out. Sorry and thank you, Tony.

-JP


Re: what do you use for logging?

2013-01-17 Thread Jan-Piet Mens
> Is using syslog a sane default for new installations or when using
> official vendor packages with their startup scripts?

I for one would not want to miss BIND9's logging to auto-rotated files:

file "/var/named/log/named.log" versions 10 size 5m;

Other than that, I'd say logging via syslog is a sane default, and it
allows people to easily forward syslog to log hosts (or Logstash, etc.).

> By the way, all of the BIND10 logging
> messages are unique and we provide a paragraph or more documentation for
> each of its 933 possible log identifiers!)

I haven't checked whether you have that, but that screams for a CLI
utility to show the paragraph without having to browse documentation. :)

-JP


Re: MNAME not a listed NS record

2013-01-16 Thread Jan-Piet Mens
> Is there anything technically wrong with having a SOA MNAME field
> that isn't listed as a NS record?

Not at all; that works fine.

> The server listed as MNAME will host the zone and is authoritative
> for the zone, but out of latency concerns it isn't ideal to have
> other resolvers querying this server.

Just omit the server listed as MNAME from the NS RRset.

> Various online DNS diagnostic tools throw warnings, but as far as I
> can tell from the RFCs, this is a valid configuration. Is it valid?

Yes, it is valid. (And most of the online diagnostic tools I know suck:
for example, they complain about SOA serial numbers not being in
MMDDn format.)

> Are there any operational gotchas to be aware of or can I ignore the
> warnings?

You should be aware of DNS Updates which will, by default, be directed
at the server listed in SOA MNAME. If you don't do DHCP, say, then it's
fine to ignore that.

-JP


Re: gitnamed, a project to manage name server by git

2013-01-08 Thread Jan-Piet Mens
> GitNamed is a project that manage name server by git. you can clone
> the git repo to any workstation, edit zone file, commit and push it.
> the data will push to the master and slave name server on the fly.

Very interesting; thanks for sharing.

I hear the Fedora Project does something along similar lines. Code 
'docs' are at [1].

-JP

[1] http://infrastructure.fedoraproject.org/infra/dns/README


Re: Change in statistics format

2012-11-15 Thread Jan-Piet Mens
> Thanks, Phil.  Those were my thoughts as well.  For the present,
> I'll write my own monitoring plugin to parse the XML data.

If you need some inspiration, I wrote a bit of C code [1] which does
that rather effectively. It doesn't do what you want, but it may get you
started. ;-)

-JP


[1] http://jpmens.net/2010/10/21/using-binds-statistics-server-to-list-zones-and-axfr-the-list/


Re: Using BIND-DLZ for a hidden master [was: Re: dns master-slave transfer]

2012-11-01 Thread Jan-Piet Mens
Chris,

> Can one use BIND 9.9 inline signing
> with the unsigned version provided by a DLZ interface?

there's no reason why you shouldn't be able to.

Your BIND 9.9 inline signer would AXFR from BIND DLZ without trouble,
but your signer won't be notified by DLZ; you'd have to manually
issue NOTIFY (e.g. dnsnotify.pl) via cron or from a MySQL trigger
(that's how I'd do it, anyway :)

-JP


Re: Delegations

2012-11-01 Thread Jan-Piet Mens
 YPYMAYTYP

Zero results from my favorite search engine -- congratulations. ;-)

-JP


Re: Question about connections to BIND and tcp 443

2012-08-22 Thread Jan-Piet Mens
 They are currently being block from connecting to 443 since these
 servers are only DNS. Is there any reason for clients to connect to
 tcp 443 for any type of DNS resolution?

Sounds a bit as though your clients think the BIND box is a HTTP origin
server... I'd look into what programs they're running and how those are
configured. Other than that, no: there is no reason for a typical DNS
client to attempt TCP/443 unless your clients are running dnssec-trigger
[1]

-JP

[1] http://www.nlnetlabs.nl/projects/dnssec-trigger/


Re: dig: Transfer failed

2012-07-26 Thread Jan-Piet Mens
  Check the 'allow-transfer' option in your named.conf.
 
 I don't have this option.  Should I include it?

If you want to provide zone transfers, you include it. If you don't,
leave it out. (You might also want to glance at BIND's Administrator's
Reference [ARM] while you're at it ...)

-JP


Re: How to check data file's content in DNS secondary server?

2012-07-26 Thread Jan-Piet Mens
 After upgrade to Bind V9.9.1-P2:
 [root@localhost ~]# file /var/named/zzy4.com.dom
 /var/named/zzy4.com.dom: data

Use named-compilezone to convert from one to the other.

You can force the previous text transfers by setting this option per zone
or globally:

masterfile-format text;

(ISC: This is turning into a very FAQ...)

-JP


Re: Error: already exists previous definition

2012-07-21 Thread Jan-Piet Mens
 20-Jul-2012 15:26:40.181 config: error:
 /var/named/etc/namedb/conf/zone_0.conf:1529: zone 'x.net':
 already exists previous definition:
 /var/named/etc/namedb/conf/zone_0.conf:1529
 20-Jul-2012 15:26:46.270 general: error: reloading configuration
 failed: failure

That looks very suspiciously like a file which has been included twice.
Check again. And again. :)

 This has never ever happened before and the problem only started a
 few days day, and we did not make any changes to our BIND servers.

Are you quite sure? What are the modification times of named.conf and
*all files* it includes? [ls -l]

What does `named-checkconf' report?

Oh, and while you're at it, you should upgrade BIND -- the version you
are using is pretty old.

-JP



Re: Slave DNS

2012-07-21 Thread Jan-Piet Mens
 I find it really annoying, if I have to ask every time the owner of the Slave,
 to add a new zone.

Assuming your version of BIND is new enough, look at `rndc addzone' with
which you can add and remove zones at run-time w/out having to edit
`named.conf'.

-JP


Re: Slave DNS

2012-07-21 Thread Jan-Piet Mens
 Which mean, my DNS partner need his own rndc key which let him add/remove
 zones as slave?

You are the master. He is the slave. You have an rndc key for his slave
server, so that you can add a slave zone on his server. [Substitute
he/his by she/hers if required.]

And vice versa. :)

Grab a recent copy of the ARM for the documentation and an example use,
and make sure you understand the security implications of opening up a
channel for rndc on each of the servers.

-JP


Re: Slave DNS

2012-07-21 Thread Jan-Piet Mens
 IIRC that will add the zone to the master, the question, as I heard it, 
 was to add it to the slave server, to avoid disturbing the owner of 
 the slave to manually editing the slave config.

With `rndc addzone' you specify whether you are adding a master or slave
zone, just as you would in named.conf, with all required options.

 I don't recall any possibility to do this, a new zone on the master may 
 have its own set of slaves, unlike any previous, so there is no way to 
 automagically stuff a new zone into some slaves.

There is:

rndc addzone fff.aa in internal '{type slave; file fff.aa; masters { 192.168.1.10; };};'

-JP


Re: Weird stuff with one host... :-S

2012-07-16 Thread Jan-Piet Mens
 no A record, but if I log into my samba server, where I have:

Is your name server configured to use views? Looks to me as though a
view is hiding your answer.

-JP


Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Jan-Piet Mens
 Is it possible to configure my slave to receive zones using an
 specific interface from master?

Your slave's zone stanza looks like this:

zone example.net {
    type slave;
    file ...;
    masters { 10.1.1.1; };
};

The `masters' statement defines the address of the master server, so you
specify the private IP address of your master here.

-JP


Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Jan-Piet Mens
 Yes. That's the problem. I have this statement defined, but it still
 try to connect using the wrong IP. Any ideas?

I misunderstood then. Try `transfer-source'.

-JP


Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Jan-Piet Mens
 That's really odd...

I note that on the master zone you have

  allow-query { local; };

Does local contain the slave's address?  It must be allowed to query
the SOA record of the zone to transfer. 

-JP


RPM [was: Re: bind dies with assertion failure]

2012-07-03 Thread Jan-Piet Mens
 While it's always better to compile and install from the latest
 stable version, it's also nice to use their package management
 system especially when you have to deal with multiple systems.

Building BIND is easy; turning it into an installable RPM not so.
I highly recommend fpm [1] which makes building an RPM trivial. :)

-JP

[1] https://github.com/jordansissel/fpm/wiki/


Re: RPM [was: Re: bind dies with assertion failure]

2012-07-03 Thread Jan-Piet Mens
  Building BIND is easy; turning it into an installable RPM not so.
  I highly recommend fpm [1] which makes building an RPM trivial. :)
 
 Any advice or tricks for making a DEB for Ubuntu?

Yes: use fpm. :)

 So far my plan was to copy the source directory to each server and just 
 run make install on each.  I'm only looking at 8 to 10 servers.

fpm makes rpm, deb, solaris, puppet modules, and a couple others, IIRC.

-JP


Re: BIND ignores changes in zonefiles

2012-06-14 Thread Jan-Piet Mens
 We have a script that generates the zonefiles for bind. This script is
 working correct, i.e. the files are correctly generated and have no
 syntax errors. When adding e.g a CNAME to our database, the script
 generates a correct file, including this CNAME. BIND reloads this file
 with its correct serial number, but when I dig the CNAME it is not
 found. This also does not work with A records.

You've possibly checked all this, but let me ask anyway:

1. Are you monitoring named logs when reloading the zones? Any errors?

2. Have you run your generated zonefiles through `named-checkzone'?
   Errors? Warnings? (e.g. an underscore in a name?)

3. You say named is reloading the file with its correct SOA serial
   number. Have you verified by querying named?

dig @127.0.0.1 zone SOA

4. Is the CNAME at the zone apex? (i.e. #2 will have found this)

Regards,

-JP


Re: BIND ignores changes in zonefiles

2012-06-14 Thread Jan-Piet Mens
 The serial number in the SOA record is lower than the serial number BIND
 pretends to load in the logs. But why would BIND log to load the right
 zone, but use an old one?

Because it's loading the wrong file? 

Have you (or somebody else) changed `directory' option or path to master
zone file?

-JP


Re: Corrupted zone files on 9.9.1 slave, temp files with text contents...

2012-06-08 Thread Jan-Piet Mens
 Probably nothing. I believe the default format for slave zones is now
 compiled rather than text. Remove all the zone files on the slave and
 reload it.

... after defining `masterfile-format text;'  :-)

-JP


Re: VMware Bind

2012-06-06 Thread Jan-Piet Mens
 
 2) When I tried a test master BIND in a VM, there was not enough entropy
to generate DNSSEC keys.

Entropy has been discussed frequently on this list. As a quick
workaround, I recommend running http://www.issihosts.com/haveged/

-JP


Re: different between views and having multiple instances

2012-05-25 Thread Jan-Piet Mens
 I need to understand the difference between configuring bind views and
 having multiple instances of bind. I have 5 network interfaces on my server
 and I want to have 2 instances of DNS server (just for testing) and I don't
 know which one to do ?

BIND views are powerful, but configuring them can become complex.

If your machine has the resources for doing so, I'd recommend running
multiple instances of BIND, which will enable you to stop/start your
test-instances at will.  Furthermore you'll probably find configuration
of individual BIND name servers easier to create and manage. On the
down-side you'll need monitoring for the N instances, you'll probably
have N logs, etc.

Knowing what I do from your description, I would choose the N instances.

-JP


Re: Checking for zone expiration?

2012-05-22 Thread Jan-Piet Mens
Warren,

 I wrote a tool to do this a while back --
 http://code.google.com/p/dns-slave-expire-checker/

Cool stuff and very useful. I took it for a tiny spin, and here are my
EUR 0.02 :)

1. Doesn't seem to grok all RRtypes in slave zones, due probably to
   missing functionality of dnspython; the following diagnostic on a
   zone containing a KEY RR:

   Unable to parse /var/named/jpmens.org: /var/named/jpmens.org:107:
   generic rdata does not start with \#

2. The program should perhaps ignore non-zone files (e.g. *.key, *.jnl,
   *.jbk), although that can be influenced with `-f'... 
   
   In particular, directories ought to either be skipped or descended
   into.

3. Parsing of large zone files takes quite a while... (dnspython)

4. I spent a bit of time debugging because a slave zone wouldn't parse:
   dnspython raised a dns.zone.NoSOA exception. Only *after* debugging,
   did I read the FM to discover that zone file-names are origin names;
   maybe add this a bit more prominently to the top of the fine manual?  :)

Regards,

-JP


Re: nsupdate fails on CNAME but A and PTR goes through

2012-05-17 Thread Jan-Piet Mens
  server 127.0.0.1
  zone ccnr.biotechnology.
  update add second 86400 in cname first
  send
 update failed: NOTZONE

Have you tried specifying qualified names?

update add second.ccnr.biotechnology. 86400 in cname first.ccnr.biotechnology.

-JP
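An added example to go with the reply above; it is not code from the message and not BIND's own. As I read nsupdate, a name without a trailing dot is parsed relative to the root rather than to the `zone' statement, so `second' reaches named as `second.', which is outside ccnr.biotechnology and is answered with NOTZONE. The helper below makes the qualification explicit and refuses out-of-zone owners before anything is sent. The zone and record names are those from the thread; the server address and the function names are assumptions made for the example.

```python
# Added example: explicit name qualification for nsupdate input. Not part of
# the original message and not BIND's own code. The zone and record names are
# the ones from the thread; everything else is constructed for the example.
#
# Assumption (my reading of nsupdate): a name without a trailing dot is parsed
# relative to the root, not to the zone given by the 'zone' statement, so
# 'second' is sent as 'second.' and named answers NOTZONE.

ZONE = "ccnr.biotechnology."


def labels(name):
    """Labels of a name, lower-cased, without the empty root label."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def as_nsupdate_reads_it(name):
    """How nsupdate interprets NAME: absolute, with no zone appended."""
    return name if name.endswith(".") else name + "."


def qualify(name, zone):
    """Complete a bare name with ZONE; names ending in '.' stay absolute.

    This mirrors $ORIGIN handling in a zone file, including its trap: a
    name that already spells out the zone but lacks the final dot is
    appended to again (www.example.org -> www.example.org.example.org.).
    """
    zone = as_nsupdate_reads_it(zone)
    return (name if name.endswith(".") else f"{name}.{zone}").lower()


def in_zone(fqdn, zone):
    """True if FQDN is ZONE itself or lies below it."""
    zl, nl = labels(zone), labels(fqdn)
    return len(nl) >= len(zl) and nl[len(nl) - len(zl):] == zl


def nsupdate_script(zone, server, updates):
    """Render nsupdate stdin for a list of (owner, ttl, type, rdata).

    Owners are qualified against ZONE and checked before anything is sent,
    so an out-of-zone name fails here with a clear message instead of as a
    NOTZONE reply from the server. CNAME targets are qualified too, but they
    may legitimately point outside the zone, so they are not checked.
    """
    lines = [f"server {server}", f"zone {zone}"]
    for owner, ttl, rtype, rdata in updates:
        fqdn = qualify(owner, zone)
        if not in_zone(fqdn, zone):
            raise ValueError(f"NOTZONE: {fqdn} is not within {zone}")
        rtype = rtype.upper()
        if rtype == "CNAME":
            rdata = qualify(rdata, zone)
        lines.append(f"update add {fqdn} {ttl} IN {rtype} {rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The failing update from the thread, first as nsupdate sees it, then
    # qualified the way the reply suggests.
    bare = as_nsupdate_reads_it("second")
    print("nsupdate would send:", bare, "in zone?", in_zone(bare, ZONE))
    print(nsupdate_script(ZONE, "127.0.0.1",
                          [("second", 86400, "cname", "first")]))
```

Pipe the returned text into `nsupdate' (with the key or TSIG options you normally use); the script itself never talks to a server.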


Re: Clarification on TTL Value

2012-05-15 Thread Jan-Piet Mens
 rd1.ramesh40finalround.com. 98400 IN A 11.11.11.11
 rd1.ramesh40finalround.com. 96400 IN A 12.12.12.12
 rd1.ramesh40finalround.com. 99    IN A 13.13.13.13
 rd1.ramesh40finalround.com. 1     IN A 14.14.14.14

RFC 2181, section 5.2 specifies:

the use of differing TTLs in an RRSet is hereby deprecated, the
TTLs of all RRs in an RRSet must be the same.



Re: DNSSEC

2012-05-11 Thread Jan-Piet Mens
 Comcast has taken a pragmatic view. I'm glad to see they've turned on
 validation, but I can see why they need to configure exceptions. Without
 being able to manage exceptions, large ISPs are not going to turn on
 validation.

Indeed, which brings on the question why BIND (still) doesn't have a
negative trust anchor feature.

-JP


Re: DNSSEC

2012-05-11 Thread Jan-Piet Mens
 So how do we implement one?  Create a separate caching server with DNSSEC 
 validation turned off and forward all queries for the broken domain to it?

Unbound can be configured (on the fly) to ignore DNSSEC for individual
zones. From the unbound.conf(5) page:

  domain-insecure: <domain name>

Sets  domain  name  to be insecure, DNSSEC chain of trust is
ignored towards the domain name.  So a trust anchor above the
domain name can not  make  the domain secure with a DS record,
such a DS record is then ignored.  Also keys from DLV are
ignored for the domain.  Can be given multiple times to specify
multiple domains that are treated as if unsigned.  If you set
trust anchors for the domain they override this setting (and the
domain is secured).

I assume it would be possible to implement something along the lines of
`rndc insecure domain`, but I wouldn't know...

-JP


Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Jan-Piet Mens
 -%-
 @   IN  SOA localhost   root@localhost. (
 2012041100
 7200
 1800
 1209600
 300 )
 IN  A   216.239.32.20 #nosslsearch.google.com.
 -%-

What's the hash doing there? ...^

That's not a comment.

Replace that whole line by 

nosslsearch.google.com.   IN  A   216.239.32.20 

Assuming you've configured the zone correctly, that ought to do the
trick. (It has been pointed out to you previously that this IP address
is bound to change -- you should monitor the real domain name
frequently and then update (dynamically?) your zone.)

-JP
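An added example, not code from any of the messages and not BIND's loader (named-checkzone is the real tool for this). It is a small lint pass over master-file records that makes three points from this thread checkable: members of one RRSet carrying different TTLs (the RFC 2181 section 5.2 case from "Clarification on TTL Value"), a CNAME at the apex or next to other data at the same owner (item 4 in "BIND ignores changes in zonefiles"), and a `#' used as if it were a comment, as in the nosslsearch zone above, where only `;' starts a comment and the rest of the line becomes extra rdata. The zone text, names and addresses are constructed for the example; the parser is deliberately minimal and is an assumption of its own, not the grammar BIND implements in full.

```python
# Added example: a small lint pass over master-file records. Not part of the
# original messages and not BIND's loader (named-checkzone is the real tool).
# It flags differing TTLs inside one RRSet (RFC 2181 section 5.2), a CNAME at
# the apex or beside other data, and '#' mistaken for a comment character
# (only ';' starts a comment). The sample zone text below is constructed.
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}
# rdata field counts for the types the sample uses; other types are not counted
EXPECTED_FIELDS = {"A": 1, "AAAA": 1, "CNAME": 1, "NS": 1, "PTR": 1,
                   "MX": 2, "SOA": 7}


def _absolute(name, origin):
    """Apply $ORIGIN rules: '@' is the origin, no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Yield (lineno, owner, ttl, rtype, rdata_fields) for each record.

    Handles $ORIGIN, $TTL, '@', relative owners, a leading-whitespace line
    meaning 'same owner as before', a numeric TTL before or after the class,
    and ';' comments. No multi-line parentheses and no 1h/1d style TTLs.
    """
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, prev_owner = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()   # ';' starts a comment; '#' does not
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = _absolute(fields[1], origin)
            continue
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if raw[0].isspace():
            owner = prev_owner
            if owner is None:
                raise ValueError(f"line {lineno}: blank owner with no previous record")
        else:
            owner = _absolute(fields.pop(0), origin).lower()
        ttl = default_ttl
        if fields and fields[0].isdigit():
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() in CLASSES:
            fields.pop(0)
        if fields and fields[0].isdigit():      # 'IN 300 A ...' is legal too
            ttl = int(fields.pop(0))
        if not fields:
            raise ValueError(f"line {lineno}: missing record type")
        rtype = fields.pop(0).upper()
        prev_owner = owner
        yield lineno, owner, ttl, rtype, fields


def lint_zone(text, origin):
    """Return a list of human-readable problems found in TEXT."""
    apex = (origin if origin.endswith(".") else origin + ".").lower()
    problems, rrsets, types_at = [], defaultdict(list), defaultdict(set)
    for lineno, owner, ttl, rtype, rdata in parse_zone(text, origin):
        want = EXPECTED_FIELDS.get(rtype)
        if want is not None and len(rdata) != want:
            msg = f"line {lineno}: {rtype} takes {want} rdata field(s), got {len(rdata)}"
            if any(f.startswith("#") for f in rdata):
                msg += " ('#' is data, not a comment; comments start with ';')"
            problems.append(msg)
        rrsets[(owner, rtype)].append(ttl)
        types_at[owner].add(rtype)
    for (owner, rtype), ttls in rrsets.items():
        if len(set(ttls)) > 1:
            problems.append(f"{owner} {rtype}: RRSet members have differing TTLs "
                            f"{sorted(set(ttls))} (RFC 2181 section 5.2)")
    for owner, types in types_at.items():
        if "CNAME" in types:
            if owner == apex:
                problems.append(f"{owner}: CNAME at the zone apex")
            # In a signed zone RRSIG/NSEC legitimately sit beside a CNAME;
            # the sample is unsigned, so any other type here is an error.
            others = sorted(types - {"CNAME"})
            if others:
                problems.append(f"{owner}: CNAME coexists with {others}")
    return problems


# Constructed sample, not a real zone: the TTL mix and the '#' line mirror the
# cases quoted in the messages above, 'alias' adds a CNAME beside other data.
SAMPLE = """\
$ORIGIN example.test.
$TTL 3600
@        IN SOA   ns1 hostmaster 2012041100 7200 1800 1209600 300
         IN NS    ns1
         IN A     192.0.2.20 #nosslsearch.google.com.
ns1      IN A     192.0.2.1
rd1      98400 IN A 192.0.2.11
rd1      96400 IN A 192.0.2.12
rd1      99    IN A 192.0.2.13
alias    IN CNAME ns1
alias    IN MX    10 mail
"""
```

Running `lint_zone(SAMPLE, "example.test.")' reports the `#' line, the rd1 RRSet with three TTLs, and the CNAME/MX clash at alias; a clean zone returns an empty list. Treat it as a pre-commit check for generated zone files, not as a replacement for named-checkzone.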


Re: Question about KSK

2012-04-27 Thread Jan-Piet Mens
 When the shared KSK needed to be rolled over, you would have to
 process DS records in the parents of your few dozen zones all at the
 same time.

*If* you want to roll the KSK, a.k.a. when did you last roll your SSH
keys? :-)

-JP


Re: Question about KSK

2012-04-27 Thread Jan-Piet Mens
 I was mistakenly thinking the KSK also had an expiration as the 
 the ZSK does.

Keys don't expire; signatures (RRSIGs) do.

-JP