Re: Correct response to NS request in case of dual delegation when one delegation returns REFUSED

2022-05-19 Thread Tony Finch
ur parent zone. If these devices allow you to configure DNS servers for readiness checks separately from general-purpose DNS, then you might be able to work around the problem by pointing the readiness checks at an authoritative-only server, if the devices are willing to find their answer in the

Re: Fwd: Request to use "Canonical/Mirror"

2022-05-17 Thread Tony Finch
eading, because the DNS protocol does not allow a master to tell a slave to do anything. (The closest is NOTIFY which is a hint not a command.) > You just have to give yourself time to get used to them. Indeed :-) -- Tony Finch (he/they) Cambridge, England Fitzroy, Sole: South or southwes

Re: "Length"-output in DNSSEC-Policy state-files vs. "Key Length"-output on dnsviz.net

2022-05-10 Thread Tony Finch
rd. (The public exponent is usually 65537, which is why RSA keys typically start AwEAA rather than being completely random.) -- Tony Finch (he/they) Cambridge, England Trafalgar: Northerly or northeasterly 3 to 5, but easterly 5 to 7 in far southeast. Slight or moderate, occasionally rough lat

Re: Determining Which Authoritative Sever to Use

2022-05-08 Thread Tony Finch
each zone. On the other hand, anycast is a good way to improve the availability and maintainability of your resolvers, because your users' devices talk directly to them, and if they don't work there might as well not be an Internet connection. -- Tony Finch (he/they) Cambridge, England Se

Re: Transitioning to new algorithm for DNSSEC

2022-05-05 Thread Tony Finch
st, that's the way I did it before dnssec-policy made things even more automatic.) -- Tony Finch (he/they) Cambridge, England Trafalgar: Northerly or northeasterly 4 or 5, occasionally 3 in far southeast. Moderate, but slight in far southeast. Fair. Good. -- Visit https://lists.isc.org/mailman/li

Re: Supporting LOC RR's

2022-05-03 Thread Tony Finch
test record by the keepalived health check scripts. Cambridge has a residency rule for students that requires them to live within 3 miles of the city centre, so the 10km diameter in the LOC record is in some sense correct and reasonably accurate. cam.ac.uk LOC 52 12 19.000 N 0 7 5.000 E 18

Re: DNSSEC and forwarding

2022-03-30 Thread Tony Finch
ht happen). If they both validate then I would expect the problems to go away. -- Tony Finch (he/they) Cambridge, England Rockall, Malin, Hebrides: North or northeast 4 to 6, occasionally 7 at first. Moderate or rough. Wintry showers. Good, occasionally poor. -- Visit https://lists.isc.org/mai

Re: Using nsupdate in scripts

2022-03-16 Thread Tony Finch
I should not be sarcastic about. It isn't clear to me exactly how configurable or hardcoded your script needs to be. If you know it will always run in a v4-only environment, or in either v4-only or dual-stack environments, you might as well hardcode -4 -l and you'll only need to change it if you have

Re: Using nsupdate in scripts

2022-03-14 Thread Tony Finch
ff IPv6, they can add -4 to the variable, or they can get more creative with the -k option. (Sadly you have to set the server address in the update script, not on the command line.) -- Tony Finch (he/they) Cambridge, England Rockall: West or southwest 7 to severe gale 9, decreasing 4 to 6 later.

Re: NOTAUTH on dynamic update followed by approved update

2022-03-14 Thread Tony Finch
a zone apex then the negative response will contain the SOA record for the correct zone in its AUTHORITY section. (PS. you get the prize for my first message to this list with my new email address!) -- Tony Finch (he/they) Cambridge, England Viking, North Utsire, South Utsire: Southerly or

Re: Capabilities and limitations of catalog zones

2022-02-09 Thread Tony Finch
John Thurston wrote: > Are we not able to use catalog zones to propagate zone-configuration for > anything other than 'master' zones? It is only for configuring authoritative secondary zones. You are right that this isn't completely clear in the documentation, unless you read the whole section

Re: DNSSEC validation via AD bit?

2022-01-31 Thread Tony Finch
Gregory Shapiro via bind-users wrote: > > Two questions: Slightly expanding on Mark's answers... > 1. Is there a reason when BIND is running as both a recursive server and > an authoritative server for a domain, it doesn't set the AD bit when > answering resolver queries for one of its

Re: BIND 9.16.25 "file descriptor exceeds limit" messages

2022-01-28 Thread Tony Finch
Anand Buddhdev wrote: > > The server has many IP addresses. In named.conf, there are 129 IPv6 addresses > in the "listen-on-v6" option and 128 IPv4 addresses in the "listen-on" option. > The server begins running, but then repeatedly emits this log: > > general: error: socket: file descriptor

Re: Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17

2022-01-27 Thread Tony Finch
Gehrkens.IT GmbH | Heiko Wundram wrote: > > From what I gather, this behaviour sounds almost like what RFC 8020 proposes > (NXDOMAIN cut), but at least according to the corresponding ticket, that > isn't implemented in BIND. The other things that can cause the behaviour you observed are

Re: AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread Tony Finch
egoitz--- via bind-users wrote: > > These are the contents of a cat of the private file I have renamed to > samename.private-OLD : > > Created: 20211031230338 > Publish: 2020220241 > Activate: 2020220341 > Inactive: 20211215230338 > Delete: 20211217230338 Yes, it can be confusing when

Re: Best practice for forwarding Dnstap (unix socket) traffic to another address

2022-01-12 Thread Tony Finch
Fred Morris wrote: > > What I'm looking at is trying to build a BIND kernel, like a nanokernel. Socat > won't work in this case, because there's no "IPC" layer, because there > is only one process in the kernel. Sounds fun. I think your solution must be to modify BIND's dnstap sender so

Re: your mail

2022-01-12 Thread Tony Finch
Diego Garcia wrote: > > Each 20/30 minutes and lasting about 5 minutes I got 'timeout' in bind > queries. After that time everything works fine again. > > My bind server got response (from 0.1 to 2 seconds) but reply with a ICMP > 'port unreachable'. > > Any idea the problem or what I can check? >

Re: How to show run the active configuration on bind

2022-01-05 Thread Tony Finch
Mik J via bind-users wrote: > How can I check which variables are loaded in memory and considered as active. As Ray said, usually it isn't ambiguous. But there are a couple of semi-relevant tools that are worth knowing about: You can use `named-checkconf -p` to canonicalize your configuration

Re: transfer-source / notify-source warnings if a port is specified

2021-12-29 Thread Tony Finch
Duncan wrote: > > Is there any option to suppress warnings if using transfer-source / > notify-source specifying ports ? There are good reasons for these warnings. NOTIFY uses UDP, and source port randomization in UDP is important to protect against spoofing. Spoofing NOTIFY is relatively

Re: Spurious failures in a dynamically updated to a sub /24 reverse DNS domain P.S.

2021-12-29 Thread Tony Finch
Mirsad Goran Todorovac wrote: > Please excuse me, as I am a bit confused ... > > I have tried to verify your findings, but I've found something awkward: Something has changed, because earlier I got: ; <<>> DiG 9.10.6 <<>> soa 192/27.186.198.193.in-addr.arpa @193.0.9.6 ;; global options: +cmd

Re: Spurious failures in a dynamically updated to a sub /24 reverse DNS domain

2021-12-29 Thread Tony Finch
Mirsad Goran Todorovac wrote: > > I have recently implemented dynamic updates to a sub /24 reverse DNS > domain, 193.198.186.192/27. > I had upstream domain 192/27.186.198.193.in-addr.arpa. delegated from > authoritative servers. > > However, something still isn't right. In some reverse PTR

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2021-12-29 Thread Tony Finch
Danilo Godec via bind-users wrote: > > I have an authoritative DNS server for a domain, but I was also going to > use the same server as a recursive DNS for my internal network, limiting > recursion by the IP. Apparently, this is a bad idea that can lead to > cache poisoning... Sort of. It's

Re: Millions of './ANY/IN' queries denied

2021-12-17 Thread Tony Finch
Ondřej Surý wrote: > FTR RRL will not help on this case. There’s no difference between > response with TC and response with REFUSED. Yes and no :-) RRL uses a mixture of "slip" (i.e. truncation) and dropping responses, so it will attenuate REFUSED spam. (The documentation is not very clear about

Re: Recommendations for replacing a master server without breaking DNSSEC

2021-11-24 Thread Tony Finch
Ralph Seichter via bind-users wrote: > > How would you go about moving all functionality from Alpha to Beta, > ideally with minimal downtime, and with the hard requirement of not > breaking DNSSEC? How would one need to handle key material, zone > signatures, journals, etc.? There was this time

Re: named failed to resolve forwarding queries(with global forwarders specified with "forward only") when "server section statement" has forwarder IP

2021-11-24 Thread Tony Finch
Nagesh Thati wrote: > > Can anyone tell me why I am getting tsig errors and SERVFAIL errors for > non managed zones? Why named using the "server statement" TSIG key in > forwarding queries instead of using this TSIG only for ixfr/axfr? TSIG is a bit confusing to set up because there are a bunch

Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-22 Thread Tony Finch
Divya wrote: > How to create DS for 2409::/28 The fun / maddening part of managing reverse DNS is getting to know how your RIR handles it, and the weird differences from common-or-garden forward domain registrations. In your case, 2409::/28 is allocated by APNIC. They have a bit of

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Tony Finch
Fred Morris wrote: > > Didn't see any reason that it had to be separate instances of BIND, > thought maybe I could do it with views, but I've run into a couple of > roadblocks: > > 1. listen-on isn't supported in views. Right, listen-on is for the server as a whole. To control which view is

Re: RPZ rule to apply to NS record requests?

2021-11-16 Thread Tony Finch
John Thurston wrote: > If I have a Reverse Policy Zone (RPZ) defined, I can define a specific answer > to be sent for a specific record-type for a specific name: > > foo.bar.com IN A 10.11.12.13 > foo.bar.com IN TXT "Hello World" > > But I can't seem to define one for the record-type

Re: host your subdomain on your own ?

2021-11-13 Thread Tony Finch
Grant Taylor via bind-users wrote: > On 11/13/21 7:29 AM, Tony Finch wrote: > > You should make sure that your public nameservers return a definite nodata > > or NXDOMAIN reply for your private names, not REFUSED, nor a referral to an > > RFC 1918 address. The latter two

Re: host your subdomain on your own ?

2021-11-13 Thread Tony Finch
A couple of general points about private names and addresses: If you have a private subdomain, e.g. private.cam.ac.uk, and a non-negligible number of users, the names *will* leak into the outside world and your public nameservers will get queries for them. You should make sure that your public

Re: A record for @?

2021-11-05 Thread Tony Finch
@lbutlr via bind-users wrote: > I have a domain that I host DNS and email for, but not web. I set the A > record for www.example.com to the IP of the web server with nsupdate, > removing the old CNAME that pointed to the local webserver, but the web > monkey for the new website is saying that www

Re: consolidating Reverse Zones

2021-10-21 Thread Tony Finch
Edwardo Garcia wrote: > > I guess bind can not consolidate like this and we have to put up with a > million /24 zone files ? I was thinking because we can do classless dele > with smaller than /24, it would work on bigger :) It is possible! The basic idea (very briefly) is: With classless

Re: CNAME query

2021-09-23 Thread Tony Finch
Sonal Pahuja wrote: > > We are sending a CNAME query but currently we don't have any CNAME > record, just have NS info. What should be the Bind9 response for this > CNAME query? Will it return NS Record in Authority/Answer section? In general, applications should not make CNAME queries because

Re: How to measure use of forwarders?

2021-09-23 Thread Tony Finch
Parkin, Richard (R.) wrote: > > I’d like to understand how much traffic is flowing to each forwarder > (QPS, etc) and monitor that for any issues. Is there a way to do that > effectively in Bind without putting some kind of network device on the > outbound path to measure it? If not, does

Re: KSK signing zone records

2021-09-01 Thread Tony Finch
raf via bind-users wrote: > On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton > wrote: > > > What algorithm(s) are you using for ZSK and KSK? If they’re not the > > same algorithm, then both will be used to sign the entire zone. > > Just out of curiosity, why is that? > Isn't having the

Re: debian11 + bind-9.16.15 + dnssec-policy = lost zonefiles + crashes

2021-08-15 Thread Tony Finch
raf via bind-users wrote: > > But that means that it applies to all of the zones in > /etc/bind/named.conf.default-zones which is not helpful. It also applies > to the zones in /etc/bind/zones.rfc1918 if that is included in > /etc/bind/named.conf.local (which a comment there suggested). That's

Re: Switching key types for authorizing updates

2021-08-12 Thread Tony Finch
John Thurston wrote: > > But as far as I can tell, the name of the key needs to match the hostname in > the update-policy statement. I can define a new aes-256 key, but it can't have > the name "foo.bar.baz.com" while the current md5 key is defined. Nor can I > find a way to craft an

Re: AW: AW: Deprecating auto-dnssec and inline-signing in 9.18+

2021-08-10 Thread Tony Finch
Klaus Darilion via bind-users wrote: > > By reading this KB I do not know how the user will be informed which DS > (or DNSKEY) must be submitted to the parent zone. I know how to convert > a DNSKEY to DS, but IMO the KB is very good but misses that point. I would expect the zone's apex CDS and

Re: Bind doesn't stop contacting global ROOT DNS servers after commenting(#) the the root hint zone in named.conf

2021-08-02 Thread Tony Finch
Ramesh wrote: > > I commented the root hint zone section(default) in the named.conf file to > stop bind from communicating to the global root DNS servers and it should > only use the internal forwarders available in the options{} section. I think the config option you want is `forward only`. The

Re: response policy zones (rpz) and views - memory consumption

2021-07-31 Thread Tony Finch
Jiri Hromadka wrote: > > Is there any way to reuse already loaded rpz zone in memory for other > views ? I know in-view is not an option for rpz, using one master / > slave zones has the same memory effect. Yeah, in-view would be perfect, if only :-) You might try setting up a view that only does

Re: named UDP retransmit timeouts ?

2021-07-23 Thread Tony Finch
Jason Vas Dias wrote: > > Please can anyone advise the best way to optimize named's > UDP timeout settings for caching-only local resolver usage > over a slow network link - I can't seem to find any in the > Bv9ARM document specifically describing how named > implements UDP re-transmits -

Re: named-checkzone as library?

2021-06-30 Thread Tony Finch
Felipe Gasper wrote: > > Is there any public code interface that exposes named-checkzone’s > functionality? > I’d specifically like to have numeric error codes rather than strings. It isn't easy to do that, I'm afraid. There are two places that don't do what you want. The source for

Re: Managing localhost

2021-06-25 Thread Tony Finch
Grant Taylor via bind-users wrote: > On 6/21/21 11:00 AM, Tony Finch wrote: > > That advice is out of date: nowadays you should not put any localhost > > entries in the DNS, because it can cause problems for web browser security. > > Modern software should suppress que

Re: Managing localhost

2021-06-21 Thread Tony Finch
techli...@phpcoderusa.com wrote: > > This book : > https://www.oreilly.com/library/view/dns-and-bind/0596100574/ch04.html says I > should manage the localhost within my zone (SOA) and reverse lookup / PTR. That advice is out of date: nowadays you should not put any localhost entries in the

Re: BIND RPz with IPv6

2021-06-20 Thread Tony Finch
Manish Rane wrote: > > Would be keen to know if BIND RPZ supports IPv6? Yes, see https://bind9.readthedocs.io/en/v9_16_6/reference.html#rpz Tony. -- f.anthony.n.finch https://dotat.at/ sovereignty rests with the people and authority in a democracy derives from the people

Re: Using RRL to for TC=1 on all queries

2021-06-20 Thread Tony Finch
John Kristoff wrote: > Has anyone configured BIND to force TC=1 responses on all queries using > RRL? I'd like to do this for some experimentation and measurement > work, but maybe this just isn't the right tool for that job? > > I've tried a number of configurations (e.g. slip=1, rate=0) and

Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

2021-06-16 Thread Tony Finch
PGNet Dev wrote: > > With a NOTIFY, something like _your_ old listener > > nsnotifyd: handle DNS NOTIFY messages by running a command > https://dotat.at/prog/nsnotifyd/ > > Don't know yet how dusty that is, or relevant to current bind 9.16+, etc. -- > -- but the general 'respond immediately to

Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

2021-06-15 Thread Tony Finch
Matthijs Mekking wrote: > > A brief summary. Folks that are interested in the reasons why can read > up and discuss here: > >https://gitlab.isc.org/isc-projects/bind9/-/issues/1890#note_220217 So the fundamental design issue here is related to edge-triggered vs. level-triggered activities,

Re: DOH or DOT Forwarder in BIND and is DOH GA?

2021-06-13 Thread Tony Finch
Walter H. via bind-users wrote: > > DOH/DOT is dead; > > use DNSSEC instead and no troubles; No. DNSSEC is about data integrity. It allows me to host my zones with a collection of semi-trusted third parties without having to worry about them changing my DNS records. It allows clients to be sure

Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

2021-06-10 Thread Tony Finch
PGNet Dev wrote: > > fyi, perhaps keep an eye on this: > > https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11 hmm, maybe, but it's my Spock eye with a single arched eyebrow Tony. -- f.anthony.n.finch https://dotat.at/ Thames, Dover: Southwest 4 to 6. Smooth or slight becoming

Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

2021-06-10 Thread Tony Finch
PGNet Dev wrote: > > Has anyone here on-list figured out how to hook bind's internal signing > process to *trigger* and external script to exec those API pushes? I have not, and I also want to be able to do this, and I also want scripting hooks for whenever any keys change so that I can stash

Re: reverse lookup for RFC1918 in view failed

2021-06-06 Thread Tony Finch
MAYER Hans wrote: > I can see why the behaviour of your server is confusing! I'll explain what is happening in detail below, but here's the basic idea: Each view in a configuration is separate from the others: `named` first chooses which view to use (based on match-clients etc.) then handles

Re: BIND9 Feature Request: inheritance-policy

2021-05-27 Thread Tony Finch
JW λ John Woodworth wrote: > Greetings, I would like to request a new feature which I hope will make > management of the 'allow' match-lists a tad easier. In short, an option > such as 'allow-transfer' in view or zone contexts could extend the > match-list as defined in the options section. You

RE: ISC Bind as secondary to Windows Server: bad bitmap error on named xfer.

2021-05-11 Thread Tony Finch
Stoffel, John (TAI) wrote: > > And it does dump some errors too, which hopefully will give me an idea > of where my crappy bad record is located, and no use hiding crap: yuck, this looks like no fun... > www.cisco.toshiba.com. 3600 IN CNAME redirect.toshiba.com. >

Re: ISC Bind as secondary to Windows Server: bad bitmap error on named xfer.

2021-05-11 Thread Tony Finch
Stoffel, John (TAI) wrote: > failed while receiving responses: bad bitmap > > None of my googling has given me any hints on what this error could be. I had to look at the source, which told me it's to do with NXT records which are super obsolete, so I wonder what weird stuff is in the zone that

Re: Inline signing fails dnsviz test.

2021-05-10 Thread Tony Finch
Dan Egli wrote: > > Still not working for me. The dig doesn't report anything, and I don't HAVE a > keyfile since I'm using inline signing. Or does inline signing still require a > key to be generated? Yes, you need to do your own key management with inline-signing using dnssec-keygen. The new

Re: Inline signing fails dnsviz test.

2021-05-10 Thread Tony Finch
Dan Egli wrote: > > Where do I get the DS record, since I'm using bind's inline signing? Use the dnssec-dsfromkey tool, e.g. from a key file (make sure it's the KSK file) $ grep This Kcam.ac.uk.+013+32840.key ; This is a key-signing key, keyid 32840, for cam.ac.uk. $

Re: Update DNSSEC Zone

2021-05-10 Thread Tony Finch
Peter Fraser wrote: > > I am using bind-9.14.x and here are the DNSSEC related entries in the zone. > > auto-dnssec maintain; > update-policy local; > key-directory “zones/domain-keys”; How you go about this depends on whether your configuration enables `inline-signing` or not. If it has

Re: Log queried forwarder IP address

2021-05-06 Thread Tony Finch
Levente Birta wrote: > > I have a caching resolver. Is it possible to log the IP address of the queried > forwarder without too much overhead? dnstap might be what you want, but it's a bit intricate. Tony. -- f.anthony.n.finch https://dotat.at/ Irish Sea: Northwesterly 4 to 6, occasionally

Re: where are the testing docs ?

2021-05-06 Thread Tony Finch
Dennis Clarke via bind-users wrote: > > Hey there. I looked in the README and I don't see an INSTALL file at all > so I have to assume that the testing docs exist somewhere. Have a look at https://gitlab.isc.org/isc-projects/bind9/-/tree/main/bin/tests/system There are some more notes in:

Re: How to return REFUSED

2021-05-06 Thread Tony Finch
Axel Rau wrote: > I have, > > allow-query { any; }; > allow-query-cache { recursive-users; }; > allow-recursion { recursive-users; }; > > How can I make sure that non-recursive-users get a REFUSED if query is > recursive? Weird! I think your config should do what you want so

Re: REST API for recursive queries

2021-05-05 Thread Tony Finch
Roee Mayerowicz wrote: > I have ~700k (and growing) domain names that should be resolved daily. > I'm trying to make it efficient as possible using the recursive BIND > server (do you know a better option?), the goal is to get 2000 queries > per second with minimum server\s cost. I do bulk

Re: REST API for recursive queries

2021-05-04 Thread Tony Finch
Petr Menšík wrote: > Because BIND uses DNS protocol only and not any dbus or former lwres > protocol, you can count only querying -t ANY for single name as > something similar. ANY queries don't necessarily give you all the records :-) In situations where a DNS client wants to do multiple

Re: DNSSEC upgrade

2021-05-01 Thread Tony Finch
Edwardo Garcia wrote: > > So you mean to say when it print out > > IN DS 45701 13 1 5422E9... > IN DS 45701 13 2 qwertyE9... > > we never needed 45701 13 1 5422E9 only 45701 13 2 qwertyE9 ? Exactly, yes! > and we only need run > > dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -2 -f -

Re: DNSSEC upgrade

2021-05-01 Thread Tony Finch
Edwardo Garcia wrote: > One thing I note, all check say everything is good, but when using dnsviz, > it says secure, shows the ecd... but also puts up warnings that I am using > alg 13 but digest 1 (sha1), which is not allowed, I guess the "digest 1" is referring to your DS records. In my

Re: DNSSEC upgrade

2021-04-30 Thread Tony Finch
@lbutlr wrote: > > I update the last of my zones over a month ago and they are still > showing alg-7. > > I'm sure I missed a step on these specific domains, but there are only a > handful that are still using alg-7 and many more that are now on alg-13 > only. Hmm, curious! If you have swapped

Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-04-30 Thread Tony Finch
Robert M. Stockmann wrote: > > Does bind 9 need C11 atomics ? Yes. BIND used to have its own atomic implementation but that kind of code is tricky and arcane, so it's better to use the standard implementations in the C library. It is not just a matter of the hardware BIND runs on: atomics rely

Re: DNSSEC upgrade

2021-04-30 Thread Tony Finch
Edwardo Garcia wrote: > > One question however it talk about longest TTL, does this mean also root > TLD zones (.com, .net) which from memory are 48 hours, so before we delete > old keys we need wait 48 hours, even though our zone TTL was 24 ? When you are waiting after adding and signing with

Re: DNSSEC upgrade

2021-04-27 Thread Tony Finch
Edwardo Garcia wrote: > > Many years ago we set up DNSSEC, our keys were generated with sha1 as was > recommended way back all them years. We too are not DNSSEC gurus, so some > answers may be simple Well, you are going to do an algorithm rollover, which is one of the more tricky things you can do

Re: Per server instance vs central / shared / redundant instances of BIND

2021-04-27 Thread Tony Finch
Grant Taylor via bind-users wrote: > > Do you think that per (mail) server instances of BIND are worth the additional > administrative overhead as compared to more central shared instances? Yes, that's what I did when I was doing mail things. There are a few reasons: reduce load on the shared

Re[2]: Configuring the location of named .jnl files

2021-04-27 Thread Tony Finch
Anders Löwinger wrote: > Ivan Avery Frey wrote: > > > >We are only using update to provision the acme challenge as described > >by RFC 8555 8.4. Nothing else. > > Acme follows CNAMEs. I've redirected all challenges to my domains to a > separate subdomain, which allows dynamic updates. Works

Re: Configuring the location of named .jnl files

2021-04-26 Thread Tony Finch
Ivan Avery Frey wrote: > I'm trying to obtain certificates from Let's Encrypt using the DNS-01 > challenge method. > > I just want to confirm that there is no option to configure the > directory for the .jnl files independently of the zone files. You have had a bunch of helpful replies already,

Re: Using RNDC to control remote access to my BIND server

2021-04-26 Thread Tony Finch
Anand Buddhdev wrote: > Anand's advice is good, as usual :-) But a small pedantic point: > The DNS protocol itself has recently been updated to allow for > encryption, using DTLS (DNS-over-TLS). DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a spec for DNS-over-DTLS

Re: nsupdate and zone files, was Re: Using RNDC to control remote access to my BIND server

2021-04-25 Thread Tony Finch
Paul Kosinski via bind-users wrote: > A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP) > IP address for my very simple domain. It worked, except that it totally > messed up the organization of the zone file. Since the file only has 44 > active lines (which are organized

Re: Using RNDC to control remote access to my BIND server

2021-04-22 Thread Tony Finch
Greg Donohoe wrote: > I have created a CI/CD pipeline in order to amend zone files using nsupdate > based on a front end user request. This portion of the pipeline is working > as expected so now I want to be able to connect from my pipeline runner to > my remote BIND staging server and update

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Tony Finch
Matthijs Mekking wrote: > On 15-04-2021 16:35, Bob Harold wrote: > > > > If BIND holds both the child and parent zone, will it add the DS record > > at the correct time? Or do I still need to write scripts to update the > > DS records in all my sub-zones? And is there some signal from BIND at >

Re: Preventing a particular type of nameserver abuse

2021-04-14 Thread Tony Finch
Peter Coghlan wrote: > > I wouldn't describe it as background radiation or probes. It doesn't seem > to be caused by misconfigured or faulty resolvers or anything of that nature. Hmm, maybe air pollution would be a better metaphor? What I mean is the kind of continuous low levels of abuse

Re: Preventing a particular type of nameserver abuse

2021-04-14 Thread Tony Finch
sth...@nethelp.no wrote: > > Agree that you should be able to ignore them. But as a practical matter, > ignoring them *may* result in the question being asked again and again, > while REFUSED *may* stop the client from asking more. REFUSED leads to retries too: if the client is a legit resolver

Re: Preventing a particular type of nameserver abuse

2021-04-13 Thread Tony Finch
Anand Buddhdev wrote: > > A legitimate client, following a normal chain of referrals, has *no* > reason to query a server for zones it is not authoritative for. That's true for cases like .sl and other domains whose delegations are set up correctly, but if a server is accidentally lame then it's

Re: Preventing a particular type of nameserver abuse

2021-04-13 Thread Tony Finch
Peter Coghlan wrote: > > I have a nameserver which is authoritative for three or four domain names. > It receives around 1000 queries per day that could be regarded as plausibly > legitimate. It receives around ten times that number of abusive queries per > day from presumably spoofed IP

Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Tony Finch
Mark Andrews wrote: > > On 8 Apr 2021, at 00:37, Tony Finch wrote: > > > > Forward zones require the upstream server to be recursive too. > > More correctly, the upstream server has to serve the entire namespace being > forwarded if it does not off recursion t

Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Tony Finch
Chuck Aurora wrote: > > A stub or static-stub zone would not require recursion. In that case > named is asking for authoritative data from upstream. But type > forward zones indeed cannot work if recursion is disabled. Be careful in this kind of situation to be very clear about which client or

RE: replication time for dynamic records from primary to secondary servers

2021-04-03 Thread Tony Finch
Cuttler, Brian R (HEALTH) via bind-users wrote: > > I don't think the issue I'm having is related to notify message not > being reacted to nor zone transfer requests not being sent to answered. It's worth checking the logs to make sure that they agree with what you expect. > What I think I'm

Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Tony Finch
Matus UHLAR - fantomas wrote: > > note that for this kind of setup, using dnsmasq with two forwarders and > www.google.com > overridden through /etc/hosts would be an easier solution. Or a response policy zone, if you don't want to switch software

Re: resolv.conf question / timeout behaviour

2021-03-31 Thread Tony Finch
Tom Preissler wrote: > > at my work place we have a three resolver setup in /etc/resolv.conf. > > We had sometimes, though rarely, response times for DNS like 14000ms, > due to the fact that the *first* listed resolver is down for maintenance > reasons. Sadly the traditional unix stub resolver

Re: replication time for dynamic records from primary to secondary servers

2021-03-31 Thread Tony Finch
Cuttler, Brian R (HEALTH) via bind-users wrote: > > We are seeing a delay in the primary DNS server updating the secondary > and would like to shorten that interval. This is probably due to NOTIFY messages not working. NOTIFY is the mechanism that allows primary servers to tell secondaries to

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

2021-03-29 Thread Tony Finch
alcol alcol wrote: > seriously? is like linux/unix FAQ Please, if you can't be helpful, don't reply at all. We all have to learn somehow, and the best way to show your knowledge is to share it generously. Tony. -- f.anthony.n.finch  https://dotat.at/ Trafalgar: Easterly 6 to gale 8 in

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

2021-03-26 Thread Tony Finch
Paul Cizmas wrote: > ~$ named -v > BIND 9.9.7-P3 (Extended Support Version) What's probably happening here is that the BIND on your $PATH isn't necessarily the BIND that homebrew installed and (hopefully) is running. You can run `dig @localhost version.bind ch txt` to see what the running

Re: how to stop and remove BIND 9.9.7-P3 on Mac OS X High Sierra 10.13.6?

2021-03-25 Thread Tony Finch
Paul Cizmas wrote: > > but it appears that “service” must be replaced by something else Yes: init on macOS is called launchd, and the service control program is called launchctl, which has a reasonably useful man page. Tony. -- f.anthony.n.finch  https://dotat.at/ Mull of Galloway to Mull of

Re: Temporarily no name resolution using second/virtual ip address

2021-03-25 Thread Tony Finch
Jonathan via bind-users wrote: > It makes no difference which subnet the queries come from. For > testing I used a server in the same subnet as my DNS is, so there is > no firewall or NAT in between. I also captured the network traffic of > the DNS server and client. All I can see is,

Re: Zone transfer is happening intermittently between slave and master bind

2021-03-17 Thread Tony Finch
Prasanna Mathivanan (pmathiva) via bind-users wrote: > > I couldn’t find anything from logs (checked both xfer and messages) The best way to find out if a secondary server thinks a zone is out-of-date is to look at the notify log messages. On the primary you'll see something like 17-Mar-2021
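The two replies above (the intermittent zone transfer here and the replication delay in the "replication time for dynamic records" thread) both come down to the same check: did the primary send a NOTIFY, did the secondary accept it, and did a transfer follow? The script below is an added example, not code from the thread or from BIND, that correlates notify and xfer-in log lines from both servers and reports each (zone, serial) the primary announced that never produced a completed transfer. The log lines are constructed samples in the wording BIND uses for these messages; the zone names and the primary's address 192.0.2.1 are assumptions.

```python
"""Correlate BIND NOTIFY and zone-transfer log lines from a primary and a secondary.

Added example (not from the thread). Regexes match the fixed parts of BIND's
notify / xfer-in messages; timestamps and category/severity prefixes are ignored.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample logs. The primary announces four serials; the secondary
# only completes one transfer, refuses one notify, and never sees one at all.
PRIMARY_LOG = """\
17-Mar-2021 10:00:01.123 notify: info: zone example.com/IN: sending notifies (serial 2021031701)
17-Mar-2021 10:00:01.124 notify: info: zone example.net/IN: sending notifies (serial 2021031705)
17-Mar-2021 10:00:01.125 notify: info: zone example.org/IN: sending notifies (serial 2021031710)
17-Mar-2021 10:05:02.000 notify: info: zone example.com/IN: sending notifies (serial 2021031702)
"""

SECONDARY_LOG = """\
17-Mar-2021 10:00:01.200 notify: info: zone example.com/IN: notify from 192.0.2.1#53: serial 2021031701
17-Mar-2021 10:00:01.201 xfer-in: info: zone example.com/IN: Transfer started.
17-Mar-2021 10:00:01.300 xfer-in: info: transfer of 'example.com/IN' from 192.0.2.1#53: Transfer completed: 1 messages, 12 records, 400 bytes, 0.001 secs (400000 bytes/sec) (serial 2021031701)
17-Mar-2021 10:00:01.210 notify: info: zone example.net/IN: refused notify from non-primary: 192.0.2.1#53
17-Mar-2021 10:05:02.050 notify: info: zone example.com/IN: notify from 192.0.2.1#53: serial 2021031702
"""

SENT_RE = re.compile(r"zone (\S+)/IN: sending notifies \(serial (\d+)\)")
RECV_RE = re.compile(r"zone (\S+)/IN: notify from (\S+): serial (\d+)")
# Older BIND says "non-master", newer says "non-primary"; accept both.
REFUSED_RE = re.compile(r"zone (\S+)/IN: refused notify from non-(?:master|primary): (\S+)")
DONE_RE = re.compile(r"transfer of '(\S+)/IN' from \S+: Transfer completed: .*\(serial (\d+)\)")

NOT_RECEIVED = "not_received"        # no notify line on the secondary: network/firewall, also-notify list
REFUSED = "refused"                  # notify arrived but the sender is not a configured primary / allow-notify
NOT_TRANSFERRED = "not_transferred"  # notify accepted but no completed transfer for that serial


def parse_primary(log: str) -> List[Tuple[str, str]]:
    """Return (zone, serial) for every 'sending notifies' line, in log order."""
    sent = []
    for line in log.splitlines():
        m = SENT_RE.search(line)
        if m:
            sent.append((m.group(1), m.group(2)))
    return sent


def parse_secondary(log: str) -> Tuple[Set[Tuple[str, str]], Set[str], Set[Tuple[str, str]]]:
    """Return (received (zone, serial), refused zones, completed (zone, serial))."""
    received: Set[Tuple[str, str]] = set()
    refused: Set[str] = set()
    completed: Set[Tuple[str, str]] = set()
    for line in log.splitlines():
        if m := RECV_RE.search(line):
            received.add((m.group(1), m.group(3)))
        elif m := REFUSED_RE.search(line):
            refused.add(m.group(1))
        elif m := DONE_RE.search(line):
            completed.add((m.group(1), m.group(2)))
    return received, refused, completed


def audit(primary_log: str, secondary_log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map zone -> [(serial, status)] for every announced serial that did not end in a transfer.

    A secondary that was already at the announced serial logs 'zone is up to date'
    instead of transferring; compare SOA serials before treating NOT_TRANSFERRED as a fault.
    """
    received, refused, completed = parse_secondary(secondary_log)
    problems: Dict[str, List[Tuple[str, str]]] = {}
    for zone, serial in parse_primary(primary_log):
        if (zone, serial) not in received:
            status = REFUSED if zone in refused else NOT_RECEIVED
        elif (zone, serial) not in completed:
            status = NOT_TRANSFERRED
        else:
            continue
        problems.setdefault(zone, []).append((serial, status))
    return problems


if __name__ == "__main__":
    for zone, issues in audit(PRIMARY_LOG, SECONDARY_LOG).items():
        for serial, status in issues:
            print(f"{zone}: serial {serial}: {status}")
```

Run it against the real files (`journalctl -u named` or the notify and xfer-in channels) after raising the notify log level as described in the "Why are no notifies sent?" thread; with default logging the primary only records that notifies were sent, not where they went, so a `refused` or `not_received` result is the cue to compare the secondary's `primaries`/`allow-notify` and the path between the two servers.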

Re: sub-zone on the same server but in different backend - how?

2021-03-15 Thread Tony Finch
lejeczek via bind-users wrote: > > Have a zone on a server, say: > > - the.zone > > with "flat" files being the backend for it. Now wanting to have: > > - sub.the.zone > > served by the same BIND server, but stored in.. "SQL" backend. > > How... well how to make that work if at all possible? >

Re: Authority and forwarding, but not recursion/iteration

2021-03-12 Thread Tony Finch
Marki wrote: > > But if you need granular filtering, that could become a lot of views... Yes, I think RPZ is really designed to be a ban hammer for dealing with abuse, rather than a general-purpose access control mechanism. If you need to get really fancy then you should look at dnsdist which

Re: Authority and forwarding, but not recursion/iteration

2021-03-09 Thread Tony Finch
Marki wrote: > > Concerning static-stub: Using a (bogus) forwarder together with "forward > first" (default) seems to work (Note: using "forward only" gives SERVFAIL). > All outside requests get a SERVFAIL even with "forward first" but that's an > esthetic problem. Yes, SERVFAIL is ugly - I

Re: Authority and forwarding, but not recursion/iteration

2021-03-09 Thread Tony Finch
Marki wrote: > > I am seeking a combination of either a combined configuration on one, or a > config of several different DNS servers together to achieve the following: > > * Some clients should be able to resolve authoritative local zones as well as > some forwarded zones. > > * Other clients

Re: BIND server; dig vs dig +trace on failing lookup.

2021-03-04 Thread Tony Finch
Gregory Sloop wrote: > Would you mind showing me how you got there? I like https://dnsviz.net/ and https://zonemaster.net/ - dnsviz is better at showing DNSSEC issues, and zonemaster has a bigger collection of general DNS checks, so it's worth using them both. Tony. -- f.anthony.n.finch

Re: How bind select NS record during recursive queries

2020-11-19 Thread Tony Finch
Duleep Thilakarathne wrote: > > How does bind select NS entry during recursive queries , when the answer > section has multiple NS entries. It's roughly based on measuring the smoothed round trip time (SRTT) to each nameserver and picking the closest, with a lot of randomness in the mix. Try
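To make the selection idea above concrete, here is an added example (not BIND's code, and a deliberately simplified model of it) of picking a nameserver by smoothed round-trip time: untried servers are probed first, each answer updates an exponentially weighted SRTT, a timeout multiplies the SRTT so a dead server drops to the bottom, and a small random jitter is applied at selection time so near-equal servers share load. The weights, the jitter range and the timeout scoring are assumptions chosen for illustration, not BIND's tuned values.

```python
"""Simplified SRTT-based nameserver selection (added example, not BIND's algorithm)."""
import random
from typing import Dict, List, Optional

ALPHA = 0.3            # weight of the newest sample in the smoothed RTT (assumed value)
TIMEOUT_MS = 10_000.0  # score for a timed-out query from a server with no history (assumed)
TIMEOUT_PENALTY = 2.0  # a timeout doubles the server's SRTT so a dead server sinks fast (assumed)


class NameserverSelector:
    def __init__(self, servers: List[str], jitter: float = 0.1, seed: Optional[int] = None):
        # None means "never tried"; such servers are queried before any ranking happens
        self.srtt: Dict[str, Optional[float]] = {s: None for s in servers}
        self.jitter = jitter  # +/- fraction applied to each SRTT when comparing
        self.rng = random.Random(seed)

    def select(self) -> str:
        """Pick a server: any untried one first, else the lowest jittered SRTT."""
        untried = [s for s, v in self.srtt.items() if v is None]
        if untried:
            return self.rng.choice(untried)

        def noisy(server: str) -> float:
            return self.srtt[server] * (1.0 + self.rng.uniform(-self.jitter, self.jitter))

        return min(self.srtt, key=noisy)

    def record(self, server: str, rtt_ms: Optional[float]) -> None:
        """Feed back a measured RTT in ms, or None for a timeout."""
        old = self.srtt[server]
        if rtt_ms is None:
            self.srtt[server] = (old if old is not None else TIMEOUT_MS) * TIMEOUT_PENALTY
        elif old is None:
            self.srtt[server] = rtt_ms
        else:
            self.srtt[server] = (1.0 - ALPHA) * old + ALPHA * rtt_ms


def simulate(true_rtt: Dict[str, Optional[float]], rounds: int, seed: int = 0) -> Dict[str, int]:
    """Run `rounds` queries against servers with fixed true RTTs (None = never answers).

    Returns how many times each server was chosen.
    """
    sel = NameserverSelector(list(true_rtt), seed=seed)
    counts = {s: 0 for s in true_rtt}
    for _ in range(rounds):
        server = sel.select()
        counts[server] += 1
        sel.record(server, true_rtt[server])
    return counts


if __name__ == "__main__":
    # Constructed scenario: one fast server, one slow one, one that never answers.
    print(simulate({"ns1": 5.0, "ns2": 40.0, "ns3": None}, rounds=200, seed=1))
```

Two things the model makes visible: every listed NS gets queried at least once (the untried phase), so a broken server in the NS set still costs a timeout for some client, and recovery after timeouts is gradual because the EWMA has to be pulled back down by several good samples. Real resolvers add periodic re-probing of penalised servers, which this example omits.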

Re: Logging on a Bind server

2020-10-22 Thread Tony Finch
senthan.sivasunda...@szkb.ch wrote: > One day an alert came from Cybereason (antivirus software) that our > BIND server tried to connect to a suspicious domain "ns2.honeybot.us". > But I couldn't find the log of which domain the BIND server was searching > for, so that the BIND server has to

Re: Why are no notifies sent?

2020-10-22 Thread Tony Finch
Axel Rau wrote: > > Has anybody a working IPv6 notify address in use? Notifies from my primary to my on-site servers go over IPv6 with a TSIG key. They are all dual-stack. Tony. -- f.anthony.n.finch  http://dotat.at/ Sole: Variable 4 at first in east, otherwise westerly or southwesterly 4 to

Re: Why are no notifies sent?

2020-10-18 Thread Tony Finch
Axel Rau wrote: > > I can’t see any notifies to 2001:470:100::2 in the logs. > > What am I doing wrong? Normally BIND only logs "sending notifies" without saying anything about where it is sending them. You need to increase the log level using `rndc trace 3` (or more than 3) to get the
