Re: DNSSEC DSSET KEYSET

2010-01-30 Thread Michael Milligan

prock...@yahoo.com wrote:

Is there a tool/process to verify if the parent domain has DSSET, KEYSET, or 
keys in place for the child domain?  Thanks.



You can use 'dig' or 'drill' for this, which are available as part of 
the BIND9 distribution (contrib) or from NLNet Labs, respectively.


First, make sure you have the DNSKEY for the parent zone (since the root 
zone is just now starting to roll out with DNSSEC info, there is no 
trusted root yet).  If it's a TLD, you can find the trust anchors at 
https://itar.iana.org/ with instructions to validate and store DNSKEYs 
for the signed TLDs.  Dig/drill need to be fed trusted DNSKEYs to function.


If you save the above trusted DNSKEY into a file called 'trusted-keys', 
then you can use either:


  dig +sigchase +trusted-key=trusted-keys your.domain.tld

or

  drill -TD -k trusted-keys your.domain.tld

and the output will show you if all the right things are in place and 
that there is (or is not) a chain of trust from your trusted anchor 
(DNSKEY) to your domain, and if not, where the chain is broken.


Regards,
Mike

--
Michael Milligan   - mi...@acmeps.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
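The dig/drill runs above check the whole chain, signatures included. The specific question asked, whether the parent holds a DS that actually covers the child's DNSKEY, can also be checked offline once you have both records in hand. The following is an added example, not code from the post or from BIND/ldns: it computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) from a DNSKEY and compares them field by field with a DS record in presentation form. The DNSKEY bytes are a constructed placeholder, not a real key.

```python
import hashlib

# Constructed example: a child zone's DNSKEY as wire-format RDATA. Real public
# keys are hundreds of bytes; the key bytes here are a placeholder, not a real key.
CHILD_NAME = "example.com."
DNSKEY_RDATA = bytes([0x01, 0x01,              # flags 257 = zone key + SEP (a KSK)
                      0x03,                    # protocol, always 3
                      0x08,                    # algorithm 8 = RSA/SHA-256
                      0x03, 0x01, 0x00, 0x01]) # placeholder public key bytes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-case, RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_keytag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms but 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).digest()


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record the parent should publish for this DNSKEY."""
    return {"keytag": dnskey_keytag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type,
            "digest": ds_digest(owner, rdata, digest_type)}


def parse_ds(line: str) -> dict:
    """Parse presentation form 'owner [TTL] [IN] DS keytag alg digtype hex...'."""
    fields = line.split()
    i = fields.index("DS")
    return {"keytag": int(fields[i + 1]), "algorithm": int(fields[i + 2]),
            "digest_type": int(fields[i + 3]),
            "digest": bytes.fromhex("".join(fields[i + 4:]))}


def dnskey_is_anchored(owner: str, rdata: bytes, parent_ds: list) -> bool:
    """True if some DS at the parent covers this DNSKEY: key tag, algorithm,
    digest type and digest must all match. A DS with a digest type we cannot
    compute is skipped rather than trusted."""
    for ds in parent_ds:
        if ds["digest_type"] not in (1, 2):
            continue
        if ds == ds_from_dnskey(owner, rdata, ds["digest_type"]):
            return True
    return False


if __name__ == "__main__":
    want = ds_from_dnskey(CHILD_NAME, DNSKEY_RDATA)
    ds_line = (f"{CHILD_NAME} IN DS {want['keytag']} {want['algorithm']} "
               f"{want['digest_type']} {want['digest'].hex()}")
    print("DS the parent should hold:", ds_line)
    print("anchored:", dnskey_is_anchored(CHILD_NAME, DNSKEY_RDATA, [parse_ds(ds_line)]))
```

In practice you feed `parse_ds` the DS lines from `dig +dnssec DS child.tld` against the parent and `DNSKEY_RDATA` from the child's DNSKEY (the base64 field, decoded, appended to flags/protocol/algorithm); a DNSKEY with no matching DS is exactly the broken link dig's +sigchase reports.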


Re: Moving an AD Zone from Windows to BIND

2009-07-28 Thread Michael Milligan
bsfin...@anl.gov wrote:
 I am not worried about the DHCP piece.  There are two zones I have to
 convert.  One is mostly static and contains Windows Servers.  The
 other is dynamic, with client machines under the control of a Windows
 DHCP server.  For this zone, we will change DHCP to static leases
 before the conversion, and all new machines will be registered via
 our host database, which will automatically update DHCP.

Alright, that's one way to do it.

 I do not want any dynamic DNS to my BIND servers, as I am not sure
 how that DDNS would interface with DNSSEC.

BIND 9.6 has support for automatically re-signing the zone (incremental
signing) as dynamic updates are processed.

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com


Re: SPF/TXT records

2009-06-18 Thread Michael Milligan
This is a bit OT, but...

You specify in an SPF (TXT) record your outbound MTAs, the ones that
everybody outside of your organization will see your mail sourced from.
If it goes through a third-party outsourced provider, you put the
provider's MTAs in your record (best via an include:).  If your
marketing people use a third-party spammer^H^H^H^H^H^H^H provider for
sending e-mail blasts, you also put those MTAs in your record (again,
best via an include:).  Leave your internal relays out of the record,
nobody outside sees them or cares about them.  (This is a specific
shortcoming of SPF; it doesn't really work with forwarding and
relaying.)  If you can't work around your forwarding / relaying issues,
think about using DKIM to sign your messages.  DKIM doesn't care how
mail gets delivered as it's not tied to MTA IP addresses like SPF is and
is thus forwarding and relaying insensitive.

See openspf.org and dkim.org for more details.

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com


Re: Questions about DNAME records

2009-06-16 Thread Michael Milligan
Chris Buxton wrote:
 On Jun 15, 2009, at 2:37 AM, Braebaum, Neil wrote:
 Now, ignoring that invalid www record, the zone above has an apex
 (example.com itself) and then essentially infinite ghostly children. Any
 valid query that lands in that domain (i.e. the qname ends in
 example.com) but is not for example.com itself will be answered by a
 synthetic CNAME record, like this:
 
 qname.example.com.   CNAME   qname.example2.com.
 
 If that alias points to a valid name in example2.com, then the query is
 answered positively. If it points to a CNAME record in the example2.com
 domain, then you have a CNAME chain (an alias of an alias of a third,
 referenced name), which then causes resolution to continue with the
 referenced name. (Is this what you meant by forwarding?)

Don't forget that the DNAME record is also included in the answer as
well as the synthesized CNAME record(s).  I say records since DNAME
chains are possible here too (though not recommended of course).

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com
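The synthesis Chris describes and the point Mike adds (the DNAME record travels in the answer alongside the synthesized CNAME, and DNAMEs can chain) can be written down as a small piece of code. This is an added example, not code from the thread or from BIND; it implements the substitution rule of RFC 6672 section 2 and follows chains with a hop limit so a DNAME loop fails instead of running forever. The names are constructed.

```python
def _labels(name: str) -> list:
    """Lower-cased label list of a domain name, without the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def dname_answer(qname: str, dname_owner: str, dname_target: str) -> list:
    """Answer section for a query that lands below a DNAME (RFC 6672 section 2).
    The DNAME owner itself is not redirected; its own records answer for it.
    Returns [] when the qname is not strictly below the owner."""
    q, owner, target = _labels(qname), _labels(dname_owner), _labels(dname_target)
    if len(q) <= len(owner) or q[len(q) - len(owner):] != owner:
        return []
    prefix = q[:len(q) - len(owner)]                 # labels left of the DNAME owner
    synthesized = ".".join(prefix + target) + "."    # same prefix, new suffix
    return [
        (dname_owner, "DNAME", dname_target),        # the DNAME itself is in the answer
        (qname, "CNAME", synthesized),               # plus the synthesized CNAME
    ]


def resolve_with_dnames(qname: str, dnames: list, max_chain: int = 8) -> tuple:
    """Apply DNAME substitution repeatedly (DNAME chains are legal but discouraged).
    Returns (answer records, final name). Raises after max_chain hops so a
    DNAME loop (a -> b -> a) cannot spin forever."""
    answer, current = [], qname
    for _ in range(max_chain):
        step = None
        for owner, target in dnames:
            rrs = dname_answer(current, owner, target)
            if rrs:
                step = rrs
                break
        if step is None:
            return answer, current
        answer.extend(step)
        current = step[-1][2]   # follow the synthesized CNAME target
    raise RuntimeError(f"DNAME chain longer than {max_chain} hops from {qname}")


if __name__ == "__main__":
    # Constructed: example.com is DNAMEd to example2.com, which is DNAMEd on to example3.com
    chain = [("example.com.", "example2.com."), ("example2.com.", "example3.com.")]
    for rr in resolve_with_dnames("www.example.com.", chain)[0]:
        print(*rr)
```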


Re: weight for RR

2009-06-04 Thread Michael Milligan
Scott Haneda wrote:
 Maybe cheat with round robin? Add 3 copies of one record and 1 of the
 other. That should give you 75/25 roughly.

BIND won't let you do that, it'll throw away the duplicates when it
loads the zone.

You need some other piece of software or hardware that can do that
(insert vendor name here).  Or a BIND patch, e.g, to enhance rrset-order
{} functionality (I don't know of a public one).  Or use SRV records
instead if this is for an application you are developing.

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com
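Since BIND drops duplicate records, the SRV suggestion is the only one of the three that needs no extra software, and it only helps if the client does the weighting. The selection rule from RFC 2782 is short enough to show; the following is an added example, not code from the post, with a constructed SRV RRset that gives the 75/25 split the original poster wanted. Lowest priority wins outright; weights only apply among records of equal priority.

```python
import random

# Constructed SRV RRset: (priority, weight, port, target). Only the two
# priority-10 records share traffic; the priority-20 one is a fallback.
SRV_RRSET = [
    (10, 75, 443, "app1.example.com."),
    (10, 25, 443, "app2.example.com."),
    (20,  0, 443, "backup.example.com."),
]


def select_srv(rrset: list, rng=random) -> tuple:
    """Pick one SRV record per RFC 2782: the lowest priority group only, then a
    weighted random choice inside it. Weight-0 records are ordered first; this
    simplification always picks the first of them when every weight is 0."""
    lowest = min(rr[0] for rr in rrset)
    candidates = sorted((rr for rr in rrset if rr[0] == lowest),
                        key=lambda rr: rr[1] != 0)
    total = sum(rr[1] for rr in candidates)
    pick = rng.randint(0, total)          # inclusive, as the RFC describes
    running = 0
    for rr in candidates:
        running += rr[1]
        if running >= pick:
            return rr
    return candidates[-1]


def observed_share(rrset: list, trials: int, seed: int = 1) -> dict:
    """Fraction of picks per target over many trials, with a seeded RNG so the
    experiment is repeatable."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        target = select_srv(rrset, rng)[3]
        counts[target] = counts.get(target, 0) + 1
    return {t: c / trials for t, c in counts.items()}


if __name__ == "__main__":
    for target, share in sorted(observed_share(SRV_RRSET, 10000).items()):
        print(f"{target:24s} {share:.3f}")
```

The fallback target never appears while a priority-10 record exists; clients move to priority 20 only when they fail to reach both of the first group, which is the part plain round robin cannot express at all.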


Re: zone transfers

2009-06-03 Thread Michael Milligan
Michael Di Martino wrote:
 
 I have a Master BIND9 server with 2 active (up) interfaces eth0 and eth1.
 
 I need my zone update notifications and zone transfer to use eth1
 instead of eth0, which it is currently using.
 
 How can I change this behavior while still having the server listen on
 eth0?

Given your problem statement (incompletely supplied), the only answer
for you is to change the system routing table(s) to suit your needs.
BIND9 has no control over that, only what interfaces to listen on and
what source addresses to use for various activities (listen-on,
query-source, transfer-source, notify-source, and friends.)

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com


Re: DR bind

2009-04-22 Thread Michael Milligan
Sandy Mackenzie wrote:
 Hi,
 
 I was wondering if anyone sees any issues with the following scenario?  
 
 DNS1 primary
 DNS2 secondary
 
 In the event we lose the site where DNS1 exists permanently.
 
 Can we simply convert the DNS2 configuration file to become a primary for 
 the zones it was set to be a secondary for, to ensure the zones do not become 
 stale?  

You can, but there are likely bigger issues at play.

 
 I am trying to think of some implications.
 

Do you have a DR site?  Is DNS2 at the DR site?  I'm keying off your
subject line... If so, you should re-think where the primary is.  When
there is a DR site in the picture, I often deploy the DNS primary server
at the DR site, after all, it is supposed to go live (hot) should you
lose one of the sites it is DR for.  This, of course, only works if the
DR site is warm (or even hot), i.e., online all the time.  If the DR
site is cold and offline most of the time, or as is sometimes the
case, has servers and LAN segments duplicated from the live sites,
addressing and all, then you can't put a live primary there.  You have
to work out some out-of-band backup and transport of the live primary
zone files to the DR site DNS server.

The other benefit of having the primary at the DR site is you haven't
lost your seat of administration during a DR event, and don't have to
worry about converting a secondary to a primary and reconfiguring other
secondaries to get it back...  you are in all likelihood going to need
to make a bunch of emergency DNS changes to get everything online and
working with the DR site.  Makes it easy if the primary is already at
the DR facility.

This also doesn't interfere much when you do DR failover tests as the
secondaries will be resilient to connectivity loss to the primary.
About the only thing you have to worry about is dynamic updates during
those times, but those are usually re-tried later (typically from DHCP
servers or Microsoft DCs).

Some food for thought.

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com


Re: Windows/BIND integration [was: Combined master + forward zone]

2009-04-22 Thread Michael Milligan
b19...@anl.gov wrote:
 
 There have been lots of posts on Windows AD/BIND integration over the
 years.  Check the list archives.  What I suggest is placing the six AD
 zones
 
  DomainDNSZones.example.com
  ForestDNSZones.example.com
  _msdcs.example.com
  _sites.example.com
  _tcp.example.com
  _udp.example.com
 
 on a MS Windows DNS Server on one Domain Controller and slaving those
 zones on your BIND servers.  That way Windows handles the GSS-TSIG
 secure updates, and the BIND slaves will transfer the zones if and when
 they are updated.

And don't forget to set a group policy on all DCs to not update the A
records in the apex zone.  Otherwise the DCs will complain in the Event
logs forever... this assumes the BIND servers are authoritative for
example.com, in this example.

See http://support.microsoft.com/kb/246804 for Windows 2000

See http://support.microsoft.com/kb/267855 for Windows 2003 and later,
specifically under Netlogon fix and tell it not to register the
LdapIPAddress.

(There is also more information there on preventing all the DCs from
creating NS records in the zone, which becomes problematic when there
are more than about 10 DCs.  I had one customer with 100s of DCs, and
each one put in an NS record in the zone for itself...  ugh.  With a
little magic, dropped that back to a handful of DCs at big data centers.)

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com


Re: Max. Number of char in a TXT Record

2009-03-30 Thread Michael Milligan
Darvin Denmian wrote:
 Hello,
 
 I have some questions:
 
 1) Anybody know the maximum number of characters allowed in a TXT field?

255 for each string.  E.g.,

  @  TXT  "v=spf1 mx ip4:216.208.1.1 a:mail01.mydomain.com"
          " a:mail02.mydomain.com a:mail03.mydomain.com include:something.else.com -all"

Notice there are two sets of quoted text here to simulate the entire TXT
string being longer than 255 chars.  You'd just split it up into
multiple quoted strings that each are not longer than 255 chars.

Note that there is a leading space in the second string.  For SPF
processing, these TXT strings are concatenated together as-is and
without the leading space in the second string, it would generate a
syntax error.

 
 2) What is the maximum number of includes inside a SPF field?
 

Don't chain them more than 2 or 3 times, you'll run into SPF processing
limits.  If you have to use more than that, then you need to rethink
your matching approach.

The RFCs on the subject limit DNS lookups to 10, that includes the TXT
record itself, any A, MX and PTR records that have to be looked up by
name, and any further include: lookups and associated records.  A
Permanent Error will be returned if you exceed the 10 lookup limit.

See http://www.openspf.org/, there are tools, tips and tricks to help you.

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com
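The two mechanical points in this post and in the earlier SPF/TXT post (a TXT value is carried as 255-octet strings that receivers concatenate as-is, and an SPF record may trigger at most 10 DNS lookups) are easy to get wrong by hand. The following is an added example, not code from either post or from openspf.org: it splits a long record into zone-file strings and counts the lookup-costing terms of one record. The include: count is for the top-level record only; each included record adds its own lookups, which an offline check cannot see.

```python
import re

MAX_STRING = 255    # one <character-string> in TXT RDATA holds at most 255 octets
MAX_LOOKUPS = 10    # RFC 4408 / RFC 7208 limit on lookup-costing terms per evaluation

# Record from the post above, used as sample input.
PAGE_RECORD = ("v=spf1 mx ip4:216.208.1.1 a:mail01.mydomain.com a:mail02.mydomain.com "
               "a:mail03.mydomain.com include:something.else.com -all")


def split_txt(value: str) -> list:
    """Split a TXT value into <=255-octet strings. Receivers join them with no
    separator, so a boundary may fall mid-token and no space is inserted."""
    data = value.encode("ascii")
    return [data[i:i + MAX_STRING].decode("ascii")
            for i in range(0, len(data), MAX_STRING)]


def zone_file_txt(owner: str, value: str) -> str:
    """Presentation form: each string double-quoted, with embedded quotes and
    backslashes escaped, on one line."""
    quoted = " ".join('"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
                      for s in split_txt(value))
    return f"{owner}  TXT  {quoted}"


# Terms that cost a DNS lookup: include, a, mx, ptr, exists and the redirect
# modifier. 'all', 'ip4', 'ip6' and 'exp' do not. The lookahead stops 'a'
# from matching the start of 'all'.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=$|[:/=])", re.I)


def count_spf_lookups(record: str) -> int:
    """Lookup-costing terms in ONE SPF record (included records not followed)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))


def check_spf(record: str) -> dict:
    """Lookup count plus whether it stays under the PermError threshold."""
    n = count_spf_lookups(record)
    return {"lookups": n, "within_limit": n <= MAX_LOOKUPS}


if __name__ == "__main__":
    print(zone_file_txt("@", PAGE_RECORD))
    print(check_spf(PAGE_RECORD))
```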


Re: Hostname Naming Compliance

2009-03-01 Thread Michael Milligan
Kevin Darcy wrote:
 Mark Andrews wrote:
 W_h_e_r_e_ _i_s_ _t__h_e_
 _h_o_s_t_._n_a_m_e__ _i_n_
 _t_h_i___s_ ___l_i_n__e.
   
 The ironic thing is, I don't think that *aesthetically* I favor
 underscores any more than Mark does.
 
 But, to me, it's like a Free Speech thing -- I may disagree with what
 someone says (analogous to not liking their use of underscores in
 names), but at the same time vigorously defend their right to say it.
 
 Since there seems to be no practical problem with using underscores,
 only aesthetic differences, I think they should be allowed, even though
 I personally find them to be ugly.

I would like to see normalized UTF-8 work in DNS across the globe (as it
is/was working fine in several country TLDs) and avoid punycode for IDN,
but that ain't gonna happen.  That horse was beat dead in the IDN
meetings for fear of crashing buggy hardware/software/firmware and
having to update resolvers and rebuild applications built directly with
resolver libraries.  If that's FUD enough to kill UTF-8 in DNS, that's
enough to keep away underscores, right?  ;-)

(Don't answer that, unless you want to take the bait.)

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com



Re: Forward Unknown Lookups

2009-02-27 Thread Michael Milligan
Josh Durham wrote:
 Forgive me if this has been asked before -
 
 I'm trying to set up bind to have A records for a zone, but forward
 requests for that zone to another known server if lookups fail.
 
 For example, on my server, I would create a record for the zone
 example.com:
    server   IN   A   10.0.1.1

You can do this by creating multiple zones with these names, so for your
example, you would _not_ create an example.com zone, you would create a
zone for server.example.com and put in an A record at the apex.  This
way you can override/add names under example.com but have your resolving
server follow the normal resolution path and talk to the example.com
auth servers for other names under example.com, e.g., lookups for
www.example.com.

This can cause problems though, if the example.com authoritative server
uses/references any of the names you want to override (like as the
target of an MX record), then the view from your perspective will look
different and may have unintended consequences.  Just think it through
and test if you're not sure.

And don't forget about what you've done when it comes time to
troubleshoot a problem in 6 months!

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com


Re: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-23 Thread Michael Milligan
hongyi.z...@gmail.com wrote:
 
 You *must* reference the location using the same URI if you expect to
 see the same expected results.
 
 Thanks  for  your  detailed  explanations.  Another issue: what do you
 mean by saying URI?  What's the differences between URI and URL?

Just being more general.  A URL is an HTTP URI... Google has plenty of
explanations.

 
 Regards,
 Mike
 
 PS:  There are other maintenance problems with your approach too, but
 
 What for example?

The biggest problem is when the IP of the original server changes, you
have to track that and periodically update your name.  Unless you take a
proxy approach.

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com



Re: Hostname Naming Compliance

2009-02-23 Thread Michael Milligan
Ah yes, the perennial rathole...

Eric C. Davis wrote:
 I know the option to use this compliance checker is present, but I'm
 curious to know if there are plans to make it mandatory to comply.  We

RFC 1123 has always been mandatory for Internet connected hosts.  Valid
characters for a hostname are very clearly defined in that ancient
document.  Enforcement (or lack thereof) is another issue.  DNS is not
the right place to enforce it IMHO, it's a host-level thing, an
operating system thing.  Blame Apple and Microsoft (and others) for not
getting it right, most especially in regards to underscores.  Until they
change, we all are stuck with the mess.

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com
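Mike's position is that the hostname rules belong at the host and application level, which is also where a check is cheapest to add: validate the name before it is written into a zone or accepted from a registration request. The following is an added example, not code from the post or from BIND's own check-names option: a validator for the RFC 952/1123 hostname syntax (letters, digits and hyphens; no leading or trailing hyphen; labels up to 63 octets; a first character that may be a digit). Note that it is a hostname check, not a domain-name check; owner names like _tcp or _dkim are legitimate DNS names that are not hostnames and should not be run through it.

```python
import re

# One hostname label: alphanumeric start and end, hyphens allowed inside, 1..63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_NAME = 253   # longest presentation-form name without the trailing dot


def check_hostname(name: str) -> list:
    """Return the list of RFC 952/1123 violations; an empty list means compliant."""
    problems = []
    host = name[:-1] if name.endswith(".") else name   # tolerate a fully qualified form
    if not host:
        return ["empty name"]
    if len(host) > MAX_NAME:
        problems.append(f"name longer than {MAX_NAME} characters")
    for label in host.split("."):
        if not label:
            problems.append("empty label (leading or consecutive dots)")
        elif len(label) > 63:
            problems.append(f"label '{label}' longer than 63 characters")
        elif "_" in label:
            # Called out separately because it is the common real-world offender.
            problems.append(f"label '{label}' contains an underscore")
        elif not LABEL_RE.match(label):
            problems.append(f"label '{label}' has an invalid character "
                            "or a leading/trailing hyphen")
    return problems


def is_rfc1123_hostname(name: str) -> bool:
    return not check_hostname(name)


if __name__ == "__main__":
    # Constructed sample names, one per rule.
    for candidate in ["www.example.com", "3com.example.com.", "my_host.example.com",
                      "-bad.example.com", "a" * 64 + ".example.com", "x..example.com"]:
        print(f"{candidate[:40]:40s} {check_hostname(candidate) or 'ok'}")
```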


Re: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread Michael Milligan
This is actually off topic for BIND-users...

hongyi.z...@gmail.com wrote:
 On Friday, February 20, 2009 at 19:51, serge.fonvi...@gmail.com wrote:
 Hi,
 
 Is it possible to set a ddns hostname, say through
 http://www.changeip.net/ , without using *some_domain* itself, to 
 access this file? 
 
 Not entirely sure what you are actually trying to achieve.
 Could you provide a concrete example of the situations you are trying to 
 achieve?
 
 Let me give an example to illustrate my problem:
 
 In the following url, the prola.aps.org is a name-based  virtual host:
 
 http://prola.aps.org/pdf/PRB/v1/i1/p1_1
 
 On  the other hand, my institute has subscribed to prola and many other
 journals, so I want to use some self-made and easy-to-memory hostnames for
 each  of them.  For example, I want to use the following url to access
 the above one:
 
 http://myprola.myddns.org/pdf/PRB/v1/i1/p1_1

I fail to see how the latter is more easy-to-memory than the former, but...

 
 Is this possible?
 

Generally, no.  Virtual hosting involves setting, in almost all cases, a
unique document root for each virtual host.  If you reference a file or
location via a URI that uses a different hostname, then it either
matches a different virtual host, or matches the default virtual host,
but in either case the document root is almost certainly different, and
thus the relative path (/pdf/PRB/v1/i1/P1_1 in your case) almost certainly
does not translate to the correct absolute path to get the right file or
get you to the right generator, whatever the location references and/or
triggers to send back content.

You *must* reference the location using the same URI if you expect to
see the same expected results.

Regards,
Mike

PS:  There are other maintenance problems with your approach too, but
you avoid those by just not even trying to do what you asked.

-- 
Michael Milligan   - mi...@acmeps.com


Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-02-02 Thread Michael Milligan
David Sparks wrote:
 
 There are plenty of ways to get a mail loop that don't involve DNS
 mis-configuration.  As such pretty much every major MTA detects and stops mail
 loops.

Not if you (accidentally) fat-finger the MTA configuration.  It is
completely possible to still mis-configure a MTA to deliver to itself as
fast as possible.  A DNS configuration with CNAMEs in the mix
short-circuits delivery loop detection at the MX level and just sets up
more potential for a loop.

 
 So mail loops are a non-issue ... next?
 

That is the _entire_ issue here.

Regards,
Mike



Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-30 Thread Michael Milligan
You just don't get it.  You are off wandering around in the weeds.

Read the tail end of Chapter 5 in the book DNS and BIND describing the
MX selection algorithm in layman's terms to (perhaps) understand why
having MX records referencing CNAMEs is bad.

It may work right now for you, but referencing CNAMEs in MX records
eventually _will_ cause delivery loops the next time you accidentally
fat-finger a config.  If you continue to be hard-headed about this and
not listen to the 100s of years of collective wisdom dispensed, then go
ahead and leave yourself set up for a potential DoS against yourself,
we're not going to stop you...  and we're not going to feel sorry for
you either.

FIN

Regards,
Mike

Al Stu wrote:
 Analyze this.
 
 Query MX dns.com
 
 Response MX nullmx.domainmanager.com
 
 Query A nullmx.domainmanager.com
 
 Response CNAME mta.dewile.net, A 64.40.103.249
 

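The argument in this post and the one of 2009-02-02 comes down to one mechanism: an MTA decides which MX hosts to try by finding its own name in the MX list and discarding itself and everything with an equal or worse preference. If the MTA is reachable only through a CNAME target it never finds itself by name, and the loop protection at the MX level is gone. The following is an added example, not code from the thread or from any MTA: a record table audit that flags MX targets that are aliases, plus that selection step, written so the hidden-behind-an-alias case is reported instead of silently producing a self-delivery. The zone data is constructed.

```python
# Constructed zone data (not real hosts): one proper MX target and one that
# is a CNAME, which RFC 2181 section 10.3 says an MX must not point at.
RECORDS = {
    ("example.com.", "MX"):          [(10, "mail.example.com."), (20, "relay.example.com.")],
    ("mail.example.com.", "A"):      ["192.0.2.10"],
    ("relay.example.com.", "CNAME"): ["mx-host.example.com."],
    ("mx-host.example.com.", "A"):   ["192.0.2.20"],
}


def resolve_a(name: str, records: dict, max_hops: int = 8) -> tuple:
    """Follow CNAMEs to A records. Returns (addresses, canonical name)."""
    for _ in range(max_hops):
        if (name, "A") in records:
            return records[(name, "A")], name
        cname = records.get((name, "CNAME"))
        if not cname:
            return [], name
        name = cname[0]
    raise RuntimeError("CNAME chain too long")


def audit_mx(domain: str, records: dict) -> list:
    """Findings for MX targets that are aliases or have no address at all."""
    findings = []
    for pref, target in records.get((domain, "MX"), []):
        if (target, "CNAME") in records:
            findings.append(f"MX {pref} {target}: target is a CNAME "
                            "(must point at a name with A/AAAA records)")
        addrs, _ = resolve_a(target, records)
        if not addrs:
            findings.append(f"MX {pref} {target}: no address records")
    return findings


def mx_delivery_targets(domain: str, local_name: str, records: dict) -> list:
    """MX selection as an MTA performs it: sort by preference, find itself BY
    NAME, and drop itself and every MX with an equal or worse preference.
    If the local host is only reachable through a CNAME target it will not
    find itself; report that instead of returning a list that includes it."""
    mxs = sorted(records.get((domain, "MX"), []))
    names = [t for _, t in mxs]
    if local_name in names:
        my_pref = min(p for p, t in mxs if t == local_name)
        return [(p, t) for p, t in mxs if p < my_pref]
    for p, t in mxs:
        _, canonical = resolve_a(t, records)
        if canonical == local_name:
            raise RuntimeError(f"{local_name} is MX target {t} only via a CNAME; "
                               "it cannot recognise itself in the MX list "
                               "(self-delivery loop risk)")
    return mxs   # a host that is not an MX for the domain tries all of them


if __name__ == "__main__":
    for f in audit_mx("example.com.", RECORDS):
        print("finding:", f)
    print("mail.example.com. would try:", mx_delivery_targets("example.com.", "mail.example.com.", RECORDS))
    try:
        mx_delivery_targets("example.com.", "mx-host.example.com.", RECORDS)
    except RuntimeError as e:
        print("error:", e)
```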


Re: forwarding but no recursion?

2009-01-21 Thread Michael Milligan
etirado@orange-ftgroup.com wrote:
 Hello,
 
 Is this possible to disable recursion for all incoming queries except
 for those listed in zone statement with a forwarder.
 
 I know that no forwarding is allowed if we disable recursion.
 
 Something like this ( but this doesn't work I know ):
 
 I can't match people so I can't create a view.

 options {
     allow-query { any; };
     allow-query-cache { none; };
     allow-recursion { none; };
 };

 zone "example.fr" {
     type forward;
     forwarders { x.x.x.x; };
     forward only;
 };

Then what you really have is an architectural issue you need to sort out.

Recursion is needed on name servers so dumb resolvers (end systems...
e.g., PCs and laptops) can use them, which also means it will ask
questions of other authoritative name servers and cache intermediate
data.  Forward-type zones are essentially an extension of this, just for
jump-starting recursive resolution at a different starting point that is
not visible following the usual delegation path.  You should only ever
need to use a forward-type zone to get around a firewall.

If you have recursion turned off, then you have caching turned off and
thus can only be serving authoritative data (and no other data is
retrieved elsewhere via queries, via forwarding or recursion).

These two situations serve two very different functions.  If you are
trying to mix these two functions (resolving server, authoritative
server), then you have to be able to either segment each into either a
view (where queries come in on the same interface), or segment by using
multiple interfaces for receiving/sending queries and run two instances
of named for each function, or (most commonly) just run these functions
on two completely different machines.

If I were to guess, it looks like you are constructing an authoritative
server, because of allow-recursion { none; };.  Why can't you do this
to get the data for the example.fr zone?

zone "example.fr" {
    type slave;
    masters { x.x.x.x; };
};

If you really are trying to get around a firewall, then this server is a
resolving server anyway (serving end systems) and thus you would need
recursion turned on...

Regards,
Mike

-- 
Michael Milligan   - mi...@acmeps.com