Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Tony Finch
Mark Andrews wrote: > > On 8 Apr 2021, at 00:37, Tony Finch wrote: > > > > Forward zones require the upstream server to be recursive too. > > More correctly, the upstream server has to serve the entire namespace being > forwarded if it does not off recursion t

Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Tony Finch
Chuck Aurora wrote: > > A stub or static-stub zone would not require recursion. In that case > named is asking for authoritative data from upstream. But type > forward zones indeed cannot work if recursion is disabled. Be careful in this kind of situation to be very clear about which client or

RE: replication time for dynamic records from primary to secondary servers

2021-04-03 Thread Tony Finch
Cuttler, Brian R (HEALTH) via bind-users wrote: > > I don't think the issue I'm having is related to notify message not > being reacted to nor zone transfer requests not being sent to answered. It's worth checking the logs to make sure that they agree with what you expect. > What I think I'm

Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Tony Finch
Matus UHLAR - fantomas wrote: > > note that for this kind of setup, using dnsmasq with two forwarders and > www.google.com > overridden through /etc/hosts would be easier solution. Or a response policy zone, if you don't want to switch software

Re: resolv.conf question / timeout behaviour

2021-03-31 Thread Tony Finch
Tom Preissler wrote: > > at my work place we have a three resolver setup in /etc/resolv.conf. > > We had sometimes, though rarely, response times for DNS like 14000ms, > due to the fact that the *first* listed resolver is down for maintenance > reasons. Sadly the traditional unix stub resolver

Re: replication time for dynamic records from primary to secondary servers

2021-03-31 Thread Tony Finch
Cuttler, Brian R (HEALTH) via bind-users wrote: > > We are seeing a delay in the primary DNS server updating the secondary > and would like to shorten that interval. This is probably due to NOTIFY messages not working. NOTIFY is the mechanism that allows primary servers to tell secondaries to

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

2021-03-29 Thread Tony Finch
alcol alcol wrote: > seriously? is like linux/unix FAQ Please, if you can't be helpful, don't reply at all. We all have to learn somehow, and the best way to show your knowledge is to share it generously. Tony. -- f.anthony.n.finch https://dotat.at/ Trafalgar: Easterly 6 to gale 8 in

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

2021-03-26 Thread Tony Finch
Paul Cizmas wrote: > ~$ named -v > BIND 9.9.7-P3 (Extended Support Version) What's probably happening here is that the BIND on your $PATH isn't necessarily the BIND that homebrew installed and (hopefully) is running. You can run `dig @localhost version.bind ch txt` to see what the running

Re: how to stop and remove BIND 9.9.7-P3 on Mac OS X High Sierra 10.13.6?

2021-03-25 Thread Tony Finch
Paul Cizmas wrote: > > but it appears that “service” must be replaced by something else Yes: init on macOS is called launchd, and the service control program is called launchctl, which has a reasonably useful man page. Tony. -- f.anthony.n.finch https://dotat.at/ Mull of Galloway to Mull of

Re: Temporarily no name resolution using second/virtual ip address

2021-03-25 Thread Tony Finch
Jonathan via bind-users wrote: > It makes no difference from which subnet the queries come from. For > testing I used a server in the same subnet like my DNS is, so there is > no firewall or NAT in between. I also captured the network traffic of > the DNS-Server and -Client. All I can see is,

Re: Zone transfer is happening intermittently between slave and master bind

2021-03-17 Thread Tony Finch
Prasanna Mathivanan (pmathiva) via bind-users wrote: > > I couldn’t find anything from logs (checked both xfer and messages) The best way to find out if a secondary server thinks a zone is out-of-date is to look at the notify log messages. On the primary you'll see something like 17-Mar-2021

Re: sub-zone on the same server but in different backend - how?

2021-03-15 Thread Tony Finch
lejeczek via bind-users wrote: > > Have a zone on a server, say: > > - the.zone > > with "flat" files being the backend for it. Now wanting to have: > > - sub.the.zone > > served by the same BIND server, but stored in.. "SQL" backend. > > How... well how to make that work if at all possible? >

Re: Authority and forwarding, but not recursion/iteration

2021-03-12 Thread Tony Finch
Marki wrote: > > But if you need granular filtering, that could become a lot of views... Yes, I think RPZ is really designed to be a ban hammer for dealing with abuse, rather than a general-purpose access control mechanism. If you need to get really fancy then you should look at dnsdist which

Re: Authority and forwarding, but not recursion/iteration

2021-03-09 Thread Tony Finch
Marki wrote: > > Concerning static-stub: Using a (bogus) forwarder together with "forward > first" (default) seems to work (Note: using "forward only" gives SERVFAIL). > All outside requests get a SERVFAIL even with "forward first" but that's an > esthetic problem. Yes, SERVFAIL is ugly - I

Re: Authority and forwarding, but not recursion/iteration

2021-03-09 Thread Tony Finch
Marki wrote: > > I am seeking a combination of either a combined configuration on one, or a > config of several different DNS servers together to achieve the following: > > * Some clients should be able to resolve authoritative local zones as well as > some forwarded zones. > > * Other clients

Re: BIND server; dig vs dig +trace on failing lookup.

2021-03-04 Thread Tony Finch
Gregory Sloop wrote: > Would you mind showing me how you got there? I like https://dnsviz.net/ and https://zonemaster.net/ - dnsviz is better at showing DNSSEC issues, and zonemaster has a bigger collection of general DNS checks, so it's worth using them both. Tony. -- f.anthony.n.finch

Re: How bind select NS record during recursive queries

2020-11-19 Thread Tony Finch
Duleep Thilakarathne wrote: > > How does bind select NS entry during recursive queries , when the answer > section has multiple NS entries. It's roughly based on measuring the smoothed round trip time (SRTT) to each nameserver and picking the closest, with a lot of randomness in the mix. Try

Re: Logging on a Bind server

2020-10-22 Thread Tony Finch
senthan.sivasunda...@szkb.ch wrote: > One Day it came an alert from Cybereason (Antivirus-Software), that our > Bind server tried to Connect to a suspicious domain "ns2.honeybot.us". > But I couldn't find the log, which domain the BIND server was searching > for, so that the BIND server has to

Re: Why are no notifies send?

2020-10-22 Thread Tony Finch
Axel Rau wrote: > > Has anybody a working IPv6 notify address in use? Notifies from my primary to my on-site servers go over IPv6 with a TSIG key. They are all dual-stack. Tony. -- f.anthony.n.finch http://dotat.at/ Sole: Variable 4 at first in east, otherwise westerly or southwesterly 4 to

Re: Why are no notifies send?

2020-10-18 Thread Tony Finch
Axel Rau wrote: > > I can’t see any notifies to 2001:470:100::2 in the logs. > > What am I doing wrong? Normally BIND only logs "sending notifies" without saying anything about where it is sending them. You need to increase the log level using `rndc trace 3` (or more than 3) to get the

Re: negative caching ttl question

2020-10-13 Thread Tony Finch
Veaceslav Revutchi wrote: > Given this soa: > > fe80.info. 3600 IN SOA ns-538.awsdns-03.net. > awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60 > > I see bind caching negative answers for 3600 instead of 60. The rfc > and my google searches suggest that it should pick the MIN(soa ttl, > soa

Re: RRSIG and TTL

2020-09-17 Thread Tony Finch
Scott Nicholas wrote: > > Primary nameserver is behind a cache/proxy on enterprise network such that > all external traffic hits this. Zone went bogus. I blame policy but on > further inspection 2/3 proxys had differing TTL between the DNSKEY and its > RRSIG. Hmm, that's suspicious. In the DNS,

Re: "minimal-any" configuration query

2020-09-17 Thread Tony Finch
ShubhamGoyal wrote: > We have enabled " minimal-any yes;" in our Bind DNS Server, Yet an ANY > query provides complete details instead of providing reduced details. Testing minimal-any with dig is tricky and very obscure! For an example of how to test it, try: dig cam.ac.uk any

Re: /etc/bind.keys in a chrooted environment

2020-07-22 Thread Tony Finch
Anand Buddhdev wrote: > On 22/07/2020 15:06, Josef Moellers wrote: > > > named complains about the missing file /etc/bind.keys if run chrooted: > > unable to open '/etc/bind.keys' using built-in keys > > > > What is the preferred way around this? Add "/etc/bind-keys" to > >

Re: DNS_RRL_MAX_RATE defines 1000

2020-07-09 Thread Tony Finch
Zhiyong Cheng wrote: > > We are using named cluster in our internal network as the authoritative > DNS. So there are no cache servers between clients and named cluster. > Maybe we should add one but it is just another story. Sorry, I wasn't completely clear: I was not saying that your

Re: DNS_RRL_MAX_RATE defines 1000

2020-07-08 Thread Tony Finch
程智勇 wrote: > > So could anybody tell me why DNS_RRL_MAX_RATE defined 1000? RRL is designed for authoritative DNS servers. Legitimate queries come from recursive resolvers with caches. There should not be more than one query for each RRset from each resolver per TTL. So a normal response rate

Re: How to prepublish additional DNSKEY

2020-07-08 Thread Tony Finch
Klaus Darilion wrote: > > A signed zone shall be moved to another DNS provider. Hence I want to > add the public KSK of the gaining DNS provider as additional DNSKEY to > the zone. I guess you might already have seen this draft - it discusses long-term multi-provider setups rather than

Re: DNS security, amplification attacks and recursion

2020-07-07 Thread Tony Finch
Brett Delmage wrote: > On Tue, 7 Jul 2020, Tony Finch wrote: > > > > minimal-any yes; > > Why only reduce and not eliminate? The reason is a bit subtle. If an ANY query comes via a recursive resolver, it is much better to give the resolver an answer so that it will put

Re: DNS security, amplification attacks and recursion

2020-07-07 Thread Tony Finch
@lbutlr wrote: > > > rate-limit { responses-per-second 10; }; > > Does that apply to local queries as well (for example, a mail server may > easily make a whole lot of queries to 127.0.0.1, and rate limiting it > would at the very least affect logging and could delay mail if the MTA > cannot

Re: Fun with nsupdate and ac1.nstld.com

2020-07-07 Thread Tony Finch
@lbutlr wrote: > > The latest surprise was that dnssec-enable yes; is obsolete in Bind 9.16. `dnssec-enable yes` has been the default since 2007, so that directive has been useless for quite a long time :-) What changed in 9.16 is that you now can't turn DNSSEC off. (Specifically, support for

Re: DNS security, amplification attacks and recursion

2020-07-07 Thread Tony Finch
Michael De Roover wrote: > > Said friend said to me that he tested my authoritative name servers and > found them to be not vulnerable. [snip] They do not respond to recursive > queries. It appears that the test of whether a server is "vulnerable" or > not has to do with this. The command used to

Re: Hints for forwarding a subdomain on a authoritative server

2020-07-06 Thread Tony Finch
Tom wrote: > > But: The zone-forwarding is only working, when I enable "recursion" on the > authoritative server. Does this mean, that zone-forwarding really requires > recursion? Yes, forwarding is completely specific to recursive servers. That is, the server doing the forwarding must be

Re: $INCLUDE Kexamle.com.+007...

2020-07-05 Thread Tony Finch
@lbutlr wrote: > When a domain configuration file contains an include line for the key, > where is that include looking for the key file? ... good question, I have avoided having to find that out ... > I'm in a situation where the keys seems to work fine for updating > DNSSEC, but nsdiff

Re: Steps to reload zone files automatically?

2020-07-02 Thread Tony Finch
Chuck Aurora wrote: nice domain name :-) > On 2020-07-01 00:55, Harshith Mulky wrote: > > > Any methods or links which can be shared to help us reload the zone > > files automatically once we make changes to the zone files ( cron > > methods or shell scripts) > > A different paradigm which

Re: unexpected behaviour of rndc dnstap -roll

2020-06-21 Thread Tony Finch
Jakob Dhondt wrote: > > I am generating dnstap files using bind and regularly roll them using > 'rndc dnstap -roll [number]'. The way I understand the documentation is > that there should be max [number] old dnstap files after executing this > command but what actually happens is that all files

Re: BIND 9.16 incoming TCP connection errors

2020-06-16 Thread Tony Finch
Anand Buddhdev wrote: > > 16-Jun-2020 15:21:58.815 general: Accepting TCP connection failed: socket is > not connected > > What does this log message mean? I think this error comes from getpeername() and it can occur if the connection is closed between accept() and getpeername(), which I

Re: [Non-DoD Source] Re: BIND Masters and slaves

2020-06-15 Thread Tony Finch
Kevin Darcy wrote: > > The "master" nomenclature is appropriate from a *data dependency* > standpoint. The "master" holds the "master copy" of the zone contents ( > https://www.collinsdictionary.com/us/dictionary/english/master-copy). All > other copies are duplicates of that. There isn't in

Re: BIND Masters and slaves

2020-06-15 Thread Tony Finch
Vinícius Ferrão via bind-users wrote: > > But the prevalence of terms are still master and slave. And I really > hope this thing of changing nomenclatures doesn’t go any further due to > political correctness. "Political correctness" just means being considerate for other people, especially

Re: bind 9.11 resolving PTR record only after a few tries, +trace always, no CNAME involved?

2020-06-15 Thread Tony Finch
Steffen Breitbach via bind-users wrote: > > I am having issues with my bind server setup. When I try to resolve the PTR > for 130.248.154.166 or 172.82.233.25, I will get the proper result only after > a few tries so. After that, resolving will work. Looks like there are some discrepancies with

Re: VS: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Tony Finch
Jukka Pakkanen wrote: > Thx for the info, had missed this one and actually we have that minor > misconfiguration too. Have had since 1995 when started our nameservers > and never noticed... Yes, it used to be recommended - https://tools.ietf.org/html/rfc1537#section-10 But not any more,

Re: can bind support DOH and DoT (and broken mailing list archive)

2020-06-02 Thread Tony Finch
ShubhamGoyal wrote: > > 1. Can bind support DoH and DoT It isn't built in, you need to run a proxy in front. See this thread from a month ago - https://lists.isc.org/mailman/htdig/bind-users/2020-April/103075.html There was more discussion in May but unfortunately the mailing list archive seems

Re: CAA iodef clarification

2020-05-14 Thread Tony Finch
rams wrote: > > On the CAA record iodef field, do we force this to be unique or can it > match a CNAME? The specification says the iodef field contains a URL so normal URL resolution applies. https://tools.ietf.org/html/rfc8659#section-4.4 Questions about CNAMEs are at the wrong layer. HTTP

Re: DoH plugin for BIND

2020-05-04 Thread Tony Finch
Erich Eckner wrote: > > Will there be client-side DoT/DoH support in bind, too? E.g. will my recursive > (or forwarding) resolver be able to resolve upstream dns via those? At the moment the specifications are not yet done for encrypted DNS between recursive and authoritative servers. It's very

Re: DoH plugin for BIND

2020-04-29 Thread Tony Finch
Michael De Roover wrote: > On that subject, how about DoT? DoT is easier since you only need a raw TLS reverse proxy, and there are lots of those, for example, nginx: http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48 Note that if you enable DoT on port 853 on

Re: DoH plugin for BIND

2020-04-29 Thread Tony Finch
Walter Peng wrote: > > Does BIND have a DoH plugin official? > Or is there any guide to customize that one? You'll need to run a DoH proxy in front of BIND, for example https://dnsdist.org/ - my DoH service uses https://dotat.at/cgi/git/doh101.git Tony. -- f.anthony.n.finch http://dotat.at/

Re: Cannot build on macOS 10.15 (Catalina)

2020-04-28 Thread Tony Finch
Ondřej Surý wrote: > > On Linux, just put the path to /etc/ld.so.conf.d/local.conf and that should > do the trick. I'm usually using per-build install paths for experimentation or for easy rollback, so I prefer not to fiddle with the global path. I make things difficult for myself :-) Tony. --

Re: Cannot build on macOS 10.15 (Catalina)

2020-04-28 Thread Tony Finch
In my experience getting rpaths to work properly is a massive pain because most autoconf/libtool build systems don't automatically set the rpath as required for the --with-libwhatever=PATH options to work properly, and they often prevent attempts to set rpath linker flags. In BIND there has been a

Re: validating ... bad cache hit

2020-04-24 Thread Tony Finch
Havard Eidnes via bind-users wrote: > > If it was due to validation failure, I would have thought that it > would be more persistent than only last for 10 minutes. Looking for vaguely plausible causes I guess what might have happened is there was a DNSKEY lookup failure (transient network

Re: validating ... bad cache hit

2020-04-24 Thread Tony Finch
Havard Eidnes via bind-users wrote: > > Looking at the code in BIND 9.14.10 (BIND 9.16.2 doesn't appear to be > significantly different in this regard), there appears to be a "cache > of bad records" implemented by lib/dns/badcache.c. There are two > invocations of dns_resolver_addbadcache() in

Re: Question about expected recursive resolver behavior

2020-04-23 Thread Tony Finch
Sarah Newman wrote: > What should happen when for a given domain: > > - The domain resolves via TCP but not UDP - UDP for this domain had no > response at all. I would expect the domain to be completely unresolvable: the resolver will only try TCP if it gets a truncated response over UDP. > -

Re: Strange log messages

2020-04-23 Thread Tony Finch
Lars Kollstedt wrote: > One of the arpa-Nameservers 192.5.5.241, 2001:500:2::c which is the C-Root- > Server is shown to be not responsive for queries over UDP by DNSviz for a long > time. This is due to a stupid peering disagreement between a couple of very stubborn tier 1 transit providers.

Re: Vim Syntax, New Release for ISC Bind named.conf 5.16

2020-04-23 Thread Tony Finch
Steve Egbert wrote: > I haven't worked on the zone syntax file yet. It hasn't changed since v9.5 > days. That should be my next subproject. That will be great! When I use nsvi, vim gets bright red and angry about lots of fun records like DS, SSHFP, URI, EUI48, and RFC 3597 custom records.

Re: Nsupdate and TTL

2020-04-23 Thread Tony Finch
Mark Andrews wrote: > > On 23 Apr 2020, at 07:20, Evan Hunt wrote: > > > > As far as I can recall, the only way to change a TTL in nsupdate is to > > delete the whole RRset and then add it back in the same transaction: There's actually a standard shortcut for TTL changes which is a consequence

Re: Strange log messages

2020-04-22 Thread Tony Finch
Lars Kollstedt wrote: > > what do the following messages in loose combination mean?: > > Apr 22 09:23:01 resolver1 named[1201]: validating ip6.arpa/SOA: got insecure > response; parent indicates it should be secure This means there is a DS record for ip6.arpa in the .arpa zone, but there were

Re: Chaining NOTIFY and slave servers - is it supported?

2020-04-21 Thread Tony Finch
Petr Bena wrote: > > So when someone changes zone on A via nsupdate, NOTIFY and subsequent IXFR > goes like this: A -> B -> C instead of: > > A -> B >   -> C Chaining NOTIFY like A -> B -> C is very common - I would guess most TLDs do it. In many cases, A is a secure hidden primary, B are zone

Re: Batch updating all DNS records on my Bind server

2020-04-18 Thread Tony Finch
@lbutlr wrote: > > Is it possible to batch update all the domains? Looking at nsupdate it > looks like I have to step through and do every domain individually. An UPDATE request can change many records, so long as they are all in the same zone, and so long as they fit in the 64KB limit of DNS

Re: NAT and Question Section Mismatch

2020-04-17 Thread Tony Finch
John Wiles wrote: > > I am running into a problem that I think is caused by either a > misconfiguration in Bind9, our Cisco NAT, or perhaps both. > > When I am on our internal network, I am able to query both servers and > get the appropriate external ip address. However, when I try to do the >

Re: BIND9 DoT/DoH - request for comments

2020-04-16 Thread Tony Finch
Witold Kręcicki wrote: > I'm currently working on DoH/DoT design - most specifically, the configuration > syntax that will be used to set up DoH/DoT. Since removing or modifying > options in named.conf is very hard I want it to be done properly - hence this > request for comments. The current

Re: checkzone from stdin?

2020-04-08 Thread Tony Finch
Matthew Pounsett wrote: > > I like your suggestion of using /dev/stdin as the file though.. I bet I can > make that work until 9.18 is out. Anand's trick has worked for me for many years :-) nsdiff has used `named-compilezone /dev/stdin` since I originally wrote it in 2011... Tony. --

Re: dnssec-signzone

2020-04-06 Thread Tony Finch
David Alexandre M. de Carvalho wrote: > So I'm still fighting with dnssec in BIND 9.8.2 (oracle linux 6). > Unfortunately no automatic signing before Bind 9.9, from what I read. BIND 9.8 has automatic signing, but not inline signing. However nsdiff is almost as good as inline signing, and I

Re: Can we provide recursion for forward zones in response to iterative queries?

2020-04-06 Thread Tony Finch
> Because the AD domain controllers already own 10.in-addr.arpa, they > refuse to allow us to configure conditional forwarding for its > subdomains. So we delegated the subdomains to the inbound endpoints. > Because they are delegations, the domain controllers set the recursion > desired flag to 0

Re: DNSSEC - many doubts

2020-04-02 Thread Tony Finch
David Alexandre M. de Carvalho wrote: > A few hints and tips... > my named.conf already has the following: > > dnssec-enable yes; You don't need this because it's on by default :-) > dnssec-lookaside auto; You want to remove this because the DNSSEC lookaside validation

Re: update-policy wildcard grant

2020-04-01 Thread Tony Finch
Jim Popovitch via bind-users wrote: > >update-policy {grant webserver-tsig-key wildcard _acme-challenge.* TXT;}; Sadly in the DNS a wildcard * can only occur as the leftmost label in a name. RFC 4592 has more than you ever wanted to know about DNS wildcards. It's not pretty. Tony. --

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Tony Finch
Shumon Huque wrote: > > The implication is that "ignore" also means set the response code to > NOERROR. Although, I suppose CNAME related UPDATE processing could have > been special cased to return an error code like YXRRSET (even without a > specified prerequisite clause). Ah, yes, now you

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Tony Finch
Petr Bena wrote: > > The problem with this approach is that it's not atomic. That's the point of the prerequisite section! You can package up the atomicity checks and updates into one request. You will have to deal with concurrent update clashes in some way, but that's true for any system that

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Tony Finch
Petr Bena wrote: > I think your approach of using standard protocols (DNS queries and updates) to edit zones is very good! > Is there any alternative to nsupdate, something that can work with XML > or JSON payloads or provide output in such machine parseable format? I've done a lot with

Re: DNSSEC Private OIDs RR

2020-03-30 Thread Tony Finch
Gabriel Gbs wrote: > In case that this is not possible out of the box, where should I start in > source code doing some modifications or workarounds? Have a look in lib/dns/dst_* and lib/dns/openssl_* Tony. -- f.anthony.n.finch http://dotat.at/ a world in which all people share the same

Re: Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

2020-03-05 Thread Tony Finch
Alan Batie wrote: > > I'm letting named do the automatic signing/generation of RRSIG records, > but unless I'm missing something, you still have to generate the DNSKEY > records manually. dnssec-verify is the tool in question complaining > about not including RSASHA1 keys and signatures. Oh

Re: Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

2020-03-03 Thread Tony Finch
Alan Batie wrote: > > That was my thought, but the tools complain about not having both... [snip] > Still working out which ones it thinks are missing, as both appear to be > there - it would be nice if the tool was more specific... If you are doing an algorithm rollover, you should have 2

Re: How to throttle misconfigured clients?

2020-03-03 Thread Tony Finch
von Dein, Thomas wrote: > > we're seeing a lot of malformed dns queries to our recursive nameservers > like these: [snip queries for notification. / antivirusix. / kubeinspect. / organization. / history. / go-kms. ] > Obviously these clients (there are many) are misconfigured in some weird >

Re: Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

2020-03-03 Thread Tony Finch
Alan Batie wrote: > > This is timely as I was about to ask if there's any reason to generate > SHA1 DNSKEY records? I should think that anything I care about can > handle SHA256 these days... There are extremely strong reasons for NOT generating SHA1 DNSKEY records!

Re: delv 9.16.0, failed to add trusted key '.': ran out of space

2020-02-28 Thread Tony Finch
Shaun via bind-users wrote: > > The 9.16.0 version of delv seems to have trouble reading the root trust > anchor from the bind.keys file. I see this too. The bug is that dns_client_addtrustedkey() has a buffer for parsing DNSKEY or DS records, but it's only big enough for DS. diff --git

Re: bind as "reverse-proxy"

2020-02-26 Thread Tony Finch
Erich Eckner wrote: > > is it possible to set up a zone in bind similar to a http(s) reverse > proxy: You're looking for dnsdist https://dnsdist.org/ Tony. -- f.anthony.n.finch http://dotat.at/ Fitzroy: West 5, increasing 6 to gale 8. Rough or very rough. Rain or showers. Good, occasionally

Re: NS failover as opposed to A record failover

2020-02-26 Thread Tony Finch
Scott A. Wozny wrote: > > Failures aside, I’m worried about creating a bad user experience EVERY > time I need to take a DNS server down for patching. I generally let resolvers handle retry/failover when I'm patching my authoritative servers. Each resolver that encounters an authoritative server

Re: managed-keys update when outgoing UDP is blocked

2020-02-25 Thread Tony Finch
Branko Mijuskovic wrote: > > But I'm curious, do you know does BIND failover to TCP if UDP timeouts > during DNSKEY fetching? Dunno. I have blocked both UDP and TCP on my hidden primary, and it is refreshing its trust anchors via my recursive servers OK, so it is not something I have had to

Re: managed-keys update when outgoing UDP is blocked

2020-02-24 Thread Tony Finch
Branko Mijuskovic wrote: > > We have an authoritative DNS hidden master (bind-9.11.4-9) running behind > the network where outgoing UDP traffic to unlisted IPs is blocked. > > We are using DNSSEC and I've noticed that we are getting following errors > in the bind9 logfile:

Re: Bind 9.11.13 - inline re-signing stops

2020-02-19 Thread Tony Finch
Matthew Richardson wrote: > Having upgraded to 9.11.15 I am still seeing similar problems, where some > zones stop updating their signatures. I recently had a signing problem on my toy server which I think was caused by a cockup with `rndc freeze`. It was not easy to get named to re-start

Re: Using $INCLUDE in zones

2020-02-17 Thread Tony Finch
mail-list-us...@materna.de wrote: > > I am trying to use $INCLUDE in zones, but getting the error > "dns_master_load: file not found". My main zone: The problem might be that the $INCLUDE file name is relative to the server's working directory, not relative to the main zone file. Tony. --

Re: Unable to completely transfer root zone

2020-02-14 Thread Tony Finch
Matus UHLAR - fantomas wrote: > > unfortunately this happens when you decide to mirror root zone and it fails. > > you should use more primary servers when possible and change root zone > type from secondary to hint if it fails. In this particular case, adding more primaries would not have

Re: Weird behaviour in wildcard CNAME - is this feature or bug? Can it be changed?

2020-02-11 Thread Tony Finch
Petr Bena wrote: > > Why is this? Is that normal or a bug? It's because wildcards in the DNS are crazy and totally abnormal, but sadly ossified tradition means it cannot be considered a bug. (It's also intimately tied up with the subtle semantics of NXDOMAIN, and rigidly enforced by DNSSEC.)

Re: Unable to completely transfer root zone

2020-02-11 Thread Tony Finch
Warren Kumari wrote: > von Dein, Thomas wrote: > > > > Does anyone have an idea, what's wrong here and how I could possibly fix > > this? > > This sounds very much like a path MTU issue -- it starts the transfer, > gets part of the way and then a big packet doesn't make it through... I

Re: BIND - in loop rewrite zone serial no.

2020-01-30 Thread Tony Finch
Milan Jeskynka Kazatel wrote: > > could someone, please, help me with diagnostics, how can I check how many > records are signed per cycle? I looked at my zone transfer logs, which give the size of each IXFR following a zone update. If you don't have any ixfr logs, then you can use

Re: BIND - in loop rewrite zone serial no.

2020-01-28 Thread Tony Finch
Milan Jeskynka Kazatel wrote: > > Then how to achieve to resign the whole zone in one step? Which config > option should be affected? I don't believe that is possible with automatic signing. You can do it yourself with `dnssec-signzone` but that's fiddly and error-prone. Tony. --

Re: BIND - in loop rewrite zone serial no.

2020-01-28 Thread Tony Finch
Milan Jeskynka Kazatel wrote: > > Why does Bind keep resign zone in a loop over and over in a few minutes? It only signs a few records at a time to avoid eating all your CPU (my server seems to average 53 records at a time, coincidentally). It spreads out re-signing according to the

Re: securing bind in todays hostile environment

2020-01-22 Thread Tony Finch
Grant Taylor via bind-users wrote: > On 1/20/20 9:06 AM, N. Max Pierson wrote: > > > I was not aware there was anything built in that would let you > > add/remove/change the zone itself from the master. > > Yes, Catalog Zones. I think it's only a few years old. Catalog zones are for automatic

Re: "overlay" views

2020-01-20 Thread Tony Finch
Brian J. Murrell wrote: > > But the hosts on Network 1 and Network 2 need to resolve the same name > (let's call it "gateway") to the address of their interface on Router. > So that is, hosts on Network 1 want a query of "gateway." to resolve to > 192.168.1.254 and hosts on Network 2 want a query

Re: Edit cache eviction policy

2020-01-03 Thread Tony Finch
Itay Alayoff wrote: > > There is something I can't figure out, What the Red Black Tree DB is used > for and what the ADB is used for? Is there a relationship between the two? The rbtdb holds authoritative zone files and the resolver cache. The adb is used for dynamic information about other

Re: Edit cache eviction policy

2019-12-30 Thread Tony Finch
Itay Alayoff wrote: > I'd like to know where is the policy eviction currently implemented? The way I answer questions like this is to start from the configuration options, and working my way from bin/named/server.c (where the parsed config file is processed) I trace through to find the code

Re: Options for build configure documented anywhere?

2019-12-30 Thread Tony Finch
Dns Admin wrote: > > ./configure -h > > Will give you list of the available options. Yes, and there's a bit more information in the README https://gitlab.isc.org/isc-projects/bind9/blob/master/README.md#opts Tony. -- f.anthony.n.finch http://dotat.at/ Forth, Tyne, Dogger: Northwest 4 to 6,

Re: Peculiar DNS queries

2019-12-30 Thread Tony Finch
Fred Morris wrote: > Regarding case, in any case (pardon the pun) case is not guaranteed. > Especially regarding dynamic updates, your case will not be preserved > (and maybe I fat-fingered and left caps lock on once upon a time without > realizing it) in the authoritative zone. Well, it's a

Re: Peculiar DNS queries

2019-12-30 Thread Tony Finch
Lars Kollstedt wrote: > > for more information about this see > > https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 > > and > > https://indico.dns-oarc.net/event/20/contributions/265/attachments/254/471/ISC-case-sensitivity.pdf Yes. And one prominent resolver that implements this is

Re: catalog zone function

2019-12-10 Thread Tony Finch
Champion Xie wrote: > > When I use the catalogzone function to automatically add zones, I found > from the slave server that the zone files are not stored according to the > custom path, but are stored in the directory defined in options. The > service is started by chroot. I have options {

Re: nsupdate with response-policy zone

2019-11-20 Thread Tony Finch
mail-list-us...@materna.de wrote: > > server 127.0.0.1 > debug no > zone testoverride > update add zzz.google.de 604800 A 127.0.0.1 > send The problem is that nsupdate needs fully-qualified domain names - you can't omit the zone name like you can in zone files. So your script needs to be zone

Re: Resolve DNS Queries Based on Source IPs in BIND (NEED ADVICE)

2019-11-19 Thread Tony Finch
Md. abdullah Al naser via bind-users wrote: > But I want to do like this, the dns queries from 192.168.10.0/24 blocks > will be matched with RPZ zone and other requests from rest of IPs will > bypass the RPZ configuration and will match my general "allow-query > {any;}" statement mentioned in

Re: The signed domain file rewritten

2019-11-12 Thread Tony Finch
Alessandro Vesely wrote: > > It doesn't seem to happen every day, but can happen again on the next day. > Can the period be controlled? It depends on the size of the zone (bigger zone -> more frequent updates), how widely scattered the RRSIG expiry times are (which depends on how the zone is

Re: .onion and dnssec

2019-11-12 Thread Tony Finch
Erich Eckner wrote: > > To my understanding, the difference between "forward first;" and "forward > only;" is, that the former caches and the latter forwards all queries. > However, I see the same behaviour in the log for both. Where is my mistake? My understanding is that first vs. only is

Re: .onion and dnssec

2019-11-12 Thread Tony Finch
Erich Eckner wrote: > I have also a hard time, generating some useful debug output > - setting `-d 9` does not give additional information in the system log. You might find it is being written to the file named.run in named's working directory (this is the default_debug logging channel

Re: .onion and dnssec

2019-11-11 Thread Tony Finch
Erich Eckner wrote: > > However, I encounter the issue here: > https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html If you are running 9.14 (or newer) you can use the validate-except configuration option. In older versions you can use `rndc nta` but that is very inconvenient

Re: Debug logging for auto-dnssec inline signing

2019-11-11 Thread Tony Finch
Matthew Richardson wrote: > What "category" should one be logging in order to get details of DNSSEC > inline signing when running Bind 9.8.11? I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has been unsupported for ages. Yes, there is not very much logging automatic zone

Re: Query failed (timed out)

2019-11-07 Thread Tony Finch
Chris Thompson wrote: > > Don't hold your breath. Indeed, I put those Barclays nameservers in our noedns list on 2017-07-14 (tho I have also not really tried to get them fixed, despite Barclays being our bank) Tony. -- f.anthony.n.finch http://dotat.at/ Bailey: Northeast veering southeast