Advice on Bind9/ISC DHCP cluster

2021-03-25 Thread Olivier
Hello,

I would like to implement a 3 hosts cluster with the following features:

1- host1 is a bind9 master
2- host2 is a bind9 slave/ISC DHCP primary
3- host3 is a bind9 slave/ISC DHCP secondary
4- primary ISC DHCP instance sends dynamic updates to bind9 master
5- secondary ISC DHCP instance sends dynamic updates to bind9 master
6- DNS clients query Bind9 slaves (hosts 2 and 3)
7- DNS updates are made on Bind9 master

I can accept losing (either static or dynamic) updates if host1 is down.

1. Is it possible to implement both 4 and 5?
2. Any alternative architecture (I can use up to 5 hosts)?

Best regards
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Authoritative for one domain, caching for the rest

2021-03-24 Thread Olivier
Hello

After reading [1] and many trials, I couldn't figure out how to set up a Bind9
(9.11.5 on Debian Buster) server to operate this way:

- server has two Ethernet interfaces, one connected to foo.lan/
192.168.51.0/24 domain/network, the other connected to bar.lan/
192.168.43.0/24 domain/network
- I want it to resolve for bar.lan and, for anything else, to query a DNS server
available on foo.lan.

My anonymized /etc/bind/named.conf.local content is:

acl "good-guys" {
   localnets;
};

zone "bar.lan" {
   type master;
   file "/etc/bind/db.bar.lan";
   forwarders {};
   allow-query { "good-guys"; };
};

zone "43.168.192.in-addr.arpa" {
   type master;
   file "/etc/bind/rev.43.168.192.in-addr.arpa";
   forwarders {};
};

zone "foo.lan" {
   type master;
   file "/etc/bind/db.foo.lan";
   forwarders { 192.168.51.1; };
};

zone "51.168.192.in-addr.arpa" {
   type master;
   file "/etc/bind/rev.51.168.192.in-addr.arpa";
   forwarders { 192.168.51.1; };
};


Resolution works for:
- bar.lan
- google.com
- host1.foo.lan, if the entry is present in /etc/bind/db.foo.lan
but it does not work for:
- host2.foo.lan, if the entry is not present in /etc/bind/db.foo.lan

[1]
https://bind9.readthedocs.io/en/latest/configuration.html#sample-configurations

Best regards

PS: Bind9 9.16.11 is present in Buster Backports. Is it worth installing it?


How to compute db.192.168.x names from network addresses ?

2020-10-01 Thread Olivier
Hello,

Here and there, you can see configuration files named like db.192.168.42
when they hold data for a 192.168.42.0/24 network.
For networks with a /24 mask, simply stripping the trailing ".0/24" substring from
192.168.42.0/24 is enough.
But what about networks with a different prefix?

1. How can you compute this "db.192.168.whatever" name from a 192.168.x.y/z
network address?
An example in Python would be appreciated.

2. Instead of using short "db.192.168.42" names, I used a long
"db.192.168.42.0". I didn't notice any issue. Did I overlook something?

Best regards
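An added example (not from the post, nor BIND's own tooling) that derives the in-addr.arpa zone names and the matching db.* file names from a CIDR network using only the Python standard library. It follows the post's convention for octet-aligned prefixes (192.168.42.0/24 gives db.192.168.42) and goes beyond the post for /16, /22 and longer-than-/24 networks; how those non-/24 cases are handled is this example's own assumption.

```python
import ipaddress
from typing import List


def reverse_zones(network: str) -> List[str]:
    """Return the octet-aligned in-addr.arpa zones holding PTRs for `network`.

    192.168.42.0/24 -> ['42.168.192.in-addr.arpa']
    192.168.0.0/16  -> ['168.192.in-addr.arpa']
    192.168.40.0/22 -> the four /24 zones 40..43 (no single zone fits a /22)
    A prefix longer than /24 has no zone of its own unless an RFC 2317
    classless delegation exists, so the enclosing /24 zone is returned
    (this example's assumption).
    """
    # strict=True rejects "192.168.42.1/24": host bits set would otherwise
    # silently yield a zone file for a network the operator did not mean.
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 networks only")
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 has no reverse zone")
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    # Round the prefix up to the next octet boundary; every subnet of that
    # size maps to exactly one in-addr.arpa zone.
    aligned = -(-net.prefixlen // 8) * 8
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def db_file_names(network: str) -> List[str]:
    """db.<forward octets> for each reverse zone, e.g. ['db.192.168.42']."""
    names = []
    for zone in reverse_zones(network):
        labels = zone.split(".")[:-2]  # drop the "in-addr" and "arpa" labels
        names.append("db." + ".".join(reversed(labels)))
    return names
```

Calling db_file_names("192.168.40.0/22") returns one name per /24 zone, which is also the number of zone statements such a network needs in named.conf.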


Re: AppArmor, DHCP, Bind9 issue [SOLVED]

2020-10-01 Thread Olivier
Hello,

Thank you all for replying!

Thanks to your suggestions, creating an /etc/bind/subdir directory, and
tweaking /etc/apparmor.d/usr.sbin.named allowed me to let ISC DHCP update
Bind9 entries.

1. I'm hesitant to file a bug on Debian about this. As this involves both
Bind9 and AppArmor, would you say it deserves to be implemented and
documented in the default Bind9 installation, or that it is too specific for
this?

2. If it deserves to be implemented, how would you name this
/etc/bind/subdir directory?
I personally used "/etc/bind/ddns-zones" but surely there exist
alternatives that better describe the purpose of this directory (hosting
config that bind9 needs to rewrite), such as:
writable_conf
rw_conf
rwconf

Detailed steps I followed on Debian Buster to work around the issue were:

mkdir /etc/bind/ddns-zones
chown root:bind /etc/bind/ddns-zones
# I don't know if a plain 775 fits better. Comments welcome
chmod 2775 /etc/bind/ddns-zones

Adding into /etc/apparmor.d/usr.sbin.named the line:
/etc/bind/ddns-zones/** rw,

before the line:
/etc/bind/** r,

Best regards


AppArmor, DHCP, Bind9 issue

2020-09-22 Thread Olivier
Hello,

I've got one ISC-DHCP server instance (4.4.1) and one Bind9 (9.11.5)
instance installed on a Debian Buster box.
Both come from Debian stable repo.

I would like my DHCP server to update the Bind9 database when leases are
allocated to DHCP clients.

I followed instructions from [1].
I then met the following error:
Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400
audit(1600697874.163:25): apparmor="DENIED" operation="mknod"
profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482
comm="isc-worker" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create:
permission denied

I edited /etc/apparmor.d/usr.sbin.named and it now includes the following
content:
 ...
  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  # Next line added to work around apparmor issue
  /etc/bind/*.jnl rw,
  # End of addition
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,
...

Now, /var/log/syslog includes:
Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key
ddns_update: signer "ddns_update" approved
Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key
ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' A
192.168.42.104
Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key
ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com'
TXT "0097d51fa2194acbea0809316da0885aa0"
Sep 22 08:43:25 foo named[449]: /etc/bind/db.bar.com.jnl: create:
permission denied

ls -l /etc
drwxr-sr-x 2 root bind  4096 sept. 21 16:01 bind

ls -l /var/cache
drwxrwxr-x  2 root bind 4096 sept. 22 16:25 bind

ls -l /var/cache/bind
lrwxrwxrwx 1 root root  23 sept. 21 14:29 db.192.168.42 ->
/etc/bind/db.192.168.42
lrwxrwxrwx 1 root root  29 sept. 21 14:28 db.bar.com -> /etc/bind/db.bar.com
-rw-r--r-- 1 root root   0 sept. 21 16:36 db.bar.com.jnl
...

How can I solve this?

[1] https://wiki.debian.org/DDNS

Best regards


Re: Forwarding a subzone of a master zone

2011-04-20 Thread Olivier Cherrier
On Tue, Apr 19, 2011 at 01:37:23AM -0700, chris.p.bux...@gmail.com wrote:
> You're getting a bit confused, because your configuration is complex. Some of
> your observations are in contradiction with your disabling of recursion, so I
> believe you are partially mistaken.
>
> - You're mixing authoritative and recursive service in one config. This often
> leads to confusion.
> - Your recursion algorithm must be able to track down a particular domain
> while not being able to resolve from the Internet root.
>
> Rather than turning off recursion, why not just set up your own root zone
> (type master)? That way, your server can recurse to sub.example.com based on
> the delegation, while returning immediate negative answers for anything
> unknown. Just make sure you delegate example.com (and all other zones) from
> your private root zone.
>
> A forwarders list in example.com or a zone of type forward named
> sub.example.com will not have any effect so long as recursion is disabled.
> Forwarding is a configuration aspect of the recursion algorithm.
>

Hi Chris,

Thank you very much for the clarification.

With your help and this message
http://fixunix.com/dns/549124-re-disable-root-hints.html
(from you too ;-), I get it working now!

Thanks,
Have a nice day.

-- 
Olivier Cherrier - Symacx.com
mailto:o...@symacx.com


Forwarding a subzone of a master zone

2011-04-19 Thread Olivier Cherrier
Hi,

I am experiencing problems getting a working forwarding configuration.


I am using BIND 9.3.6-P1 and the server has the global recursion parameter
on. The server is not on a public network (not on Internet -- no access
to root servers).


I have a zone called example.com for which the server is master.
A delegation called sub.example.com is in place and is working well.

I want to change the recursion parameter from 'yes' to 'no' in order to
get rid of the timeouts we get when we query something that is not
defined in our DNS server (like www.google.com).
Doing this breaks the delegation sub.example.com, meaning the server
doesn't do the research anymore for the subzone.
So I deleted the delegation and configured a forward zone to the right
IP addresses. The problem is that named doesn't even try to query those
forwarders and directly replies: No answer.

While it works for some other forwarded zones (reverse and non-reverse),
I fail to understand why it doesn't work for that particular zone.
The only difference I see is that this forwarded zone is a subzone of
example.com for which the server is master.

So my question: is there any limitation on forwarding a subzone while we
are master for the parent zone?


Thanks a lot!
Best regards.

-- 
Olivier Cherrier - Symacx.com
mailto:o...@symacx.com


Reverse dns issue

2011-03-23 Thread Olivier Destras

Hi,

I'm using software which uses bind and I'm experiencing a problem with
the reverse DNS function of bind.
I only have private addresses on my network but the nodes also have DNS
names. There is a server on this network, which is also a name server,
that has Internet access through a gateway.
When my nodes are doing a DNS query to the server, everything is OK and
they get their corresponding (private) IP address.
The problem occurs when a node is sending a reverse DNS query to the
server. The server should return the name that matches the IP address,
but instead I have this error in the bind log:


21-Mar-2011 14:53:44.389 security: warning: client 10.100.2.129#61940:
view internal: RFC 1918 response from Internet for 5.2.100.10.in-
addr.arpa

In this case 10.100.2.5 (or 5.2.100.10) is the server itself, so it
should be able to get its own name.


This "response from Internet" seems weird to me because it should not
ask an Internet name server since it is a private address. I checked with
tcpdump and I didn't see any DNS query going out of the server, so it's
not doing recursive lookups.



Can anyone help with this? Does bind have a special option for private
addresses?
I've seen that there is a reverse folder in /etc/namedb with file names
like 10.0.252.db; are these files used for reverse DNS
resolution? I tried to add a file for the subnetwork I use (10.100.2)
but this didn't change anything.


Here is a tcpdump of the communication between the node and the server
showing the failing query:


10:42:35.494523 IP 10.100.2.129.60331 > boss.vlan100.domain: 42377+ PTR? 5.2.100.10.in-addr.arpa. (41)
10:42:35.494691 IP boss.vlan100.domain > 10.100.2.129.60331: 42377 NXDomain 0/1/0 (118)
10:42:35.495019 IP 10.100.2.129.54934 > boss.vlan100.domain: 42378+ A? UNKNOWN.vlan100. (33)
10:42:35.495090 IP boss.vlan100.domain > 10.100.2.129.54934: 42378 NXDomain* 0/1/0 (86)
10:42:35.495416 IP 10.100.2.129.64666 > boss.vlan100.domain: 42379+ A? UNKNOWN. (25)
10:42:35.495469 IP boss.vlan100.domain > 10.100.2.129.64666: 42379 NXDomain 0/1/0 (100)



Thanks in advance