RE: BIND 9.14.2 configure problem

2019-06-07 Thread greg.rabil
Hi Ondrej,
My intent is to build BIND 9.14 as a statically linked binary.
 
The details of the config.log reveal that the OpenSSL tests are using dlopen, 
and since I have only a static library, those tests fail.  I worked around the 
problem by specifying LDFLAGS=-ldl.

Thanks,
Greg

-Original Message-
From: Ondřej Surý [mailto:ond...@isc.org] 
Sent: Friday, June 7, 2019 11:16 AM
To: Rabil,AG,A Gregory,JTK2 R 
Cc: d...@dotat.at; bind-us...@isc.org
Subject: Re: BIND 9.14.2 configure problem

The script reports everything is missing.

You’ll need to check config.log for more details on what’s happening.

Anyway it should work with stock OpenSSL, so why don’t you just use that?

Cheers,
Ondrej
--
Ondřej Surý — ISC

> On 7 Jun 2019, at 17:12,   wrote:
> 
> That makes sense, but unfortunately it does not resolve the problem.  I've 
> tried specifying LD_RUN_PATH and LD_LIBRARY_PATH, and exporting them both as 
> well, but BIND 9.14 configure script still complains about lack of ECDSA 
> support in OpenSSL.
> 
> Greg
> 
> -Original Message-
> From: Tony Finch [mailto:d...@dotat.at]
> Sent: Friday, June 7, 2019 11:03 AM
> To: Rabil,AG,A Gregory,JTK2 R 
> Cc: bind-us...@isc.org
> Subject: Re: BIND 9.14.2 configure problem
> 
> greg.ra...@bt.com  wrote:
> 
>> However when I specify this freshly built OpenSSL 1.1.1c install 
>> location when configuring BIND 9.14.2, it still complains:
> 
> Try
> 
> LD_RUN_PATH=/opt/tmp/openssl/lib ./configure --with-openssl=/opt/tmp/openssl
> 
> What's probably happening is that the configure script's OpenSSL test 
> programs are not being correctly linked to the OpenSSL that you specified on 
> the command line.
> 
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/  Viking, North Utsire:
> Variable 4 or less, becoming northeasterly 3 to 5 later.
> Slight, occasionally moderate in north. Fog patches, rain later. Moderate, 
> occasionally very poor.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> unsubscribe from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



RE: BIND 9.14.2 configure problem

2019-06-07 Thread greg.rabil
That makes sense, but unfortunately it does not resolve the problem.  I've 
tried specifying LD_RUN_PATH and LD_LIBRARY_PATH, and exporting them both as 
well, but BIND 9.14 configure script still complains about lack of ECDSA 
support in OpenSSL.

Greg

-Original Message-
From: Tony Finch [mailto:d...@dotat.at] 
Sent: Friday, June 7, 2019 11:03 AM
To: Rabil,AG,A Gregory,JTK2 R 
Cc: bind-us...@isc.org
Subject: Re: BIND 9.14.2 configure problem

greg.ra...@bt.com  wrote:

> However when I specify this freshly built OpenSSL 1.1.1c install 
> location when configuring BIND 9.14.2, it still complains:

Try

LD_RUN_PATH=/opt/tmp/openssl/lib ./configure --with-openssl=/opt/tmp/openssl

What's probably happening is that the configure script's OpenSSL test programs 
are not being correctly linked to the OpenSSL that you specified on the command 
line.

Tony.
--
f.anthony.n.finch  http://dotat.at/  Viking, North Utsire:
Variable 4 or less, becoming northeasterly 3 to 5 later.
Slight, occasionally moderate in north. Fog patches, rain later. Moderate, 
occasionally very poor.


BIND 9.14.2 configure problem

2019-06-07 Thread greg.rabil
Hi Folks,
I am attempting to build BIND 9.14.2 on a CentOS 7 machine, and having problems 
with "configure: error: ECDSA support in OpenSSL is mandatory."

When I build OpenSSL 1.1.1c, I have tried to explicitly enable ECDSA when 
running config (first attempt was to just leave the defaults):

./config no-shared enable-ecdsa -prefix=/opt/tmp/openssl
make
make install

However when I specify this freshly built OpenSSL 1.1.1c install location when 
configuring BIND 9.14.2, it still complains:

checking for openssl/ssl.h in /opt/tmp/openssl/... yes
checking whether compiling and linking against OpenSSL works... yes
checking for OpenSSL >= 1.0.0 or LibreSSL... yes
checking for CRYPTO_zalloc... yes
checking for EVP_CIPHER_CTX_new... no
checking for EVP_CIPHER_CTX_free... no
checking for EVP_MD_CTX_new... no
checking for EVP_MD_CTX_free... no
checking for EVP_MD_CTX_reset... no
checking for HMAC_CTX_new... no
checking for HMAC_CTX_free... no
checking for HMAC_CTX_reset... no
checking for HMAC_CTX_get_md... no
checking for ECDSA_sign... no
configure: error: in `/tmp/bind-9.14.2':
configure: error: ECDSA support in OpenSSL is mandatory.

Hoping that someone can point me in the right direction to resolve this issue.

Thanks,
Greg Rabil



BIND 9.14 configure error

2019-05-29 Thread greg.rabil
Having trouble running 'configure' script for BIND 9.14.2 on CentOS 7 system.  
I have python 2.7.5 installed, but not the PLY package.  The configure script 
complains:

configure: error: Python >= 2.7 or >= 3.2 and the PLY package are required for 
dnssec-keymgr and other Python-based tools. PLY may be available from your OS 
package manager as python-ply or python3-ply; it can also be installed via pip. 
To build without Python/PLY, use --disable-python.

However, running './configure -disable-python' results in the same error.

Is this a known issue?

Regards,
Greg Rabil


BIND 9.11.6-P1 build fails on Solaris

2019-04-25 Thread greg.rabil
BIND 9.11.5-P4 built fine on this Solaris 10 environment with same configure 
settings:

--enable-ipv6 \
--enable-filter- \
--enable-largefile \
--enable-fixed-rrset \
--enable-threads \
--disable-shared \
--with-dlopen=no \
--with-openssl=/opt/bind911/openssl \
--with-geoip=/opt/bind911/geoip \
--without-gssapi --without-python \
--prefix=/opt/bind911

However, now the build fails for BIND 9.11.6-P1 with the following:

Undefined                       first referenced
 symbol                             in file
isc_atomic_xadd                     client.o
ld: fatal: symbol referencing errors. No output written to namedtmp0
*** Error code 1
make: Fatal error: Command failed for target `named'


Thanks,
Greg


Re: BIND 9.11.4 dnstap not capturing updates

2018-08-03 Thread greg.rabil


> I could see it being useful to extend the enum to 
> AUTH_QUERY_UPDATE/AUTH_QUERY_RESPONSE

That should read:
I could see it being useful to extend the enum to 
AUTH_QUERY_UPDATE/AUTH_RESPONSE_UPDATE



RE: BIND 9.11.4 dnstap not capturing updates

2018-08-03 Thread greg.rabil
I had started down the path of adding a new enum.  However, Robert's comment 
made sense that the granularity of the enums is really for the QR bit and the 
various points along the query resolution path, so I just used AUTH_QUERY for 
prototyping purposes.

I could see it being useful to extend the enum to 
AUTH_QUERY_UPDATE/AUTH_QUERY_RESPONSE, for example, and then extend the filters 
accordingly.  E.g. dnstap { auth query update; };

Regards,
Greg

-Original Message-
From: Evan Hunt [mailto:e...@isc.org] 
Sent: Friday, August 3, 2018 4:34 PM
To: Robert Edmonds 
Cc: Rabil,AG,A Gregory,JTK2 R ; d...@dotat.at; 
bind-us...@isc.org
Subject: Re: BIND 9.11.4 dnstap not capturing updates

On Fri, Aug 03, 2018 at 04:18:45PM -0400, Robert Edmonds wrote:
> greg.ra...@bt.com wrote:
> > Thanks Robert.  I've added a few lines of code to BIND's client.c 
> > source module to call dns_dt_send for updates with a type of 
> > AUTH_QUERY, and it works as expected.
>
> > Is there any reason that you can think that it should not be part of 
> > the standard BIND dnstap support?  If not, I will gladly contribute 
> > my change to the ISC.
> 
> I can't think of any reason not to have support for dnstap logging of 
> UPDATEs on the server side in BIND. It just wasn't a focus for the 
> original dnstap design work, which was very STD13 focused.

The terminology's a little misleading since the QUERY and UPDATE opcodes are 
two different things. But I guess the implication here is that for dnstap 
purposes, we don't care about opcodes, and "query" is the same as "request".

I can't think of any reason not to tap update requests, but I do wonder whether 
an extension to the type enum would reduce confusion.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


RE: BIND 9.11.4 dnstap not capturing updates

2018-08-03 Thread greg.rabil
Thanks Robert.  I've added a few lines of code to BIND's client.c source module 
to call dns_dt_send for updates with a type of AUTH_QUERY, and it works as 
expected.

Is there any reason that you can think that it should not be part of the 
standard BIND dnstap support?  If not, I will gladly contribute my change to 
the ISC.

Regards,
Greg

-Original Message-
From: Robert Edmonds [mailto:edmo...@mycre.ws] 
Sent: Friday, August 3, 2018 3:08 PM
To: Tony Finch 
Cc: Rabil,AG,A Gregory,JTK2 R ; bind-us...@isc.org
Subject: Re: BIND 9.11.4 dnstap not capturing updates

Tony Finch wrote:
> greg.ra...@bt.com  wrote:
> 
> > I use nsupdate to send a DDNS update to my zone, which is added 
> > successfully.  However, the dnstap.output does not record the DNS 
> > update.
> 
> I think (arguably) this is a limitation of the dnstap specification. 
> It's defined in a Protocol Buffers declaration file (see the link 
> below) and it only specifies message types for normal queries and 
> responses. The types correspond roughly to tap points in the code - it 
> isn't as low-level as you might expect, if you are imagining something 
> that hooks into the network IO layer.
> 
> If you want to record other kinds of messages (UPDATE, NOTIFY, etc.) 
> it would probably be best to extend the dnstap `Type` enum, and add 
> corresponding dns_dt_send() calls to BIND's code. But you should check 
> with Robert Edmonds first :-)
> 
> https://gitlab.isc.org/isc-projects/bind9/blob/master/lib/dns/dnstap.proto#L69

The dnstap `Type` enum values specify where the message is being observed and 
whether it's an inbound or outbound message. The _QUERY and _RESPONSE variants 
are there as an optimization to avoid having to read the QR bit from the 
header, which I now think may have been a premature optimization [0]. (IIRC, in 
theory the definition of the flag bits is opcode-dependent, but I believe in 
practice every known opcode defines a QR flag bit.) That is, the *_QUERY `Type` 
values mean QR=1, not OPCODE=QUERY.

For UPDATE, I don't think you need to add any new `Type` values. The responder 
(an authoritative nameserver?) can record the inbound queries as AUTH_QUERY and 
the outbound responses as AUTH_RESPONSE. The initiator (usually a dedicated 
tool like nsupdate?) can record the outbound queries as TOOL_QUERY and the 
inbound responses as TOOL_RESPONSE.

dnstap doesn't have any `Type` values for an authoritative nameserver that is 
an initiator. For NOTIFY, we might need to add AUTH_CLIENT_QUERY and 
AUTH_CLIENT_RESPONSE in order to distinguish the initiator and responder in a 
NOTIFY transaction between two authoritative nameservers.


[0] Probably 'query_message' and 'response_message' didn't need to be separate 
fields either, since no more than one should be set in any given payload.

--
Robert Edmonds
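
Added example, not part of the thread or of BIND's code: a Python decoder for the 12-byte DNS header that derives the dnstap `Type` name from the QR bit rather than the opcode, as discussed above, and reports responses that have no tapped request, which is the gap in the original capture. The header bytes are constructed from the header lines quoted in the thread; the UPDATE request's counts and all function names are assumptions.

```python
import struct

# Opcode and rcode names from the IANA DNS parameters registry (opcode 3 is unassigned).
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
# RFC 2136 reuses the four header counters under different names for UPDATE.
SECTIONS = {"UPDATE": ("ZONE", "PREREQ", "UPDATE", "ADDITIONAL")}
DEFAULT_SECTIONS = ("QUESTION", "ANSWER", "AUTHORITY", "ADDITIONAL")


def parse_header(wire):
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(wire) < 12:
        raise ValueError("truncated DNS message: the header is 12 bytes")
    msg_id, flags, *counts = struct.unpack("!6H", wire[:12])
    opcode_num = (flags >> 11) & 0xF
    rcode_num = flags & 0xF
    opcode = OPCODES.get(opcode_num, "OPCODE%d" % opcode_num)
    return {
        "id": msg_id,
        "qr": flags >> 15,  # 0 = request, 1 = response, for every opcode
        "opcode": opcode,
        "rcode": RCODES.get(rcode_num, "RCODE%d" % rcode_num),
        "counts": dict(zip(SECTIONS.get(opcode, DEFAULT_SECTIONS), counts)),
    }


def dnstap_type(wire, observer="AUTH"):
    """Name the dnstap Type from the observer role and the QR bit only.

    The opcode plays no part: an UPDATE request seen by an authoritative
    server is AUTH_QUERY, and its reply is AUTH_RESPONSE.
    """
    return observer + ("_RESPONSE" if parse_header(wire)["qr"] else "_QUERY")


def describe(wire, observer="AUTH"):
    """One-line summary suitable for an audit log."""
    h = parse_header(wire)
    counts = ", ".join("%s: %d" % kv for kv in h["counts"].items())
    return "%s opcode=%s status=%s id=%d %s" % (
        dnstap_type(wire, observer), h["opcode"], h["rcode"], h["id"], counts)


def unpaired_responses(capture):
    """Return (id, opcode) of responses whose request was never tapped."""
    seen, missing = set(), []
    for wire in capture:
        h = parse_header(wire)
        key = (h["id"], h["opcode"])
        if h["qr"] == 0:
            seen.add(key)
        elif key not in seen:
            missing.append(key)
    return missing


def header(msg_id, flags, counts):
    """Build a bare DNS header (sample-data helper)."""
    return struct.pack("!6H", msg_id, flags, *counts)


# Constructed sample: headers matching the three messages in the capture
# posted in this thread (ids, flags and counts taken from its header lines).
CAPTURE = [
    header(18817, 0x0000, (1, 0, 0, 0)),  # AQ: opcode QUERY, no flags
    header(18817, 0x8483, (1, 0, 1, 0)),  # AR: qr aa ra, NXDOMAIN
    header(22809, 0xA800, (1, 0, 0, 0)),  # AR: qr, opcode UPDATE, NOERROR
]
# Constructed: header of the UPDATE request that was not tapped, assuming
# it carried one update record.
UPDATE_REQUEST = header(22809, 0x2800, (1, 0, 1, 0))

if __name__ == "__main__":
    for wire in CAPTURE:
        print(describe(wire))
    print("responses without a tapped request:", unpaired_responses(CAPTURE))
```

Running the same pairing check over decoded dnstap frames gives a quick test of whether a build taps dynamic update requests, which matter for auditing because they are the messages that change zone data.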


RE: BIND 9.11.4 dnstap not capturing updates

2018-08-03 Thread greg.rabil
That would be the update response, but not the update request.

Regards,
Greg

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Darcy, 
Kevin
Sent: Friday, August 3, 2018 12:56 PM
To: bind-us...@isc.org
Subject: Re: BIND 9.11.4 dnstap not capturing updates

I'm no expert in DNSTAP, but I see this in the output:

opcode: UPDATE

along with proper reinterpretations of the sections:

ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

How is that "not record[ing] the DNS update"? Are you looking for something 
prettier? More detailed?


   - Kevin

On Fri, Aug 3, 2018 at 7:36 AM, Tony Finch <d...@dotat.at> wrote:
greg.ra...@bt.com wrote:

> I use nsupdate to send a DDNS update to my zone, which is added
> successfully.  However, the dnstap.output does not record the DNS
> update.

I think (arguably) this is a limitation of the dnstap specification. It's
defined in a Protocol Buffers declaration file (see the link below) and it
only specifies message types for normal queries and responses. The types
correspond roughly to tap points in the code - it isn't as low-level as
you might expect, if you are imagining something that hooks into the
network IO layer.

If you want to record other kinds of messages (UPDATE, NOTIFY, etc.) it
would probably be best to extend the dnstap `Type` enum, and add
corresponding dns_dt_send() calls to BIND's code. But you should check
with Robert Edmonds first :-)

https://gitlab.isc.org/isc-projects/bind9/blob/master/lib/dns/dnstap.proto#L69

Tony.
--
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Sole, Lundy, Fastnet, Irish Sea: Variable 3 or 4. Smooth or slight. Fog
patches. Moderate, occasionally very poor, becoming good for a time.


RE: BIND 9.11.4 dnstap not capturing updates

2018-08-03 Thread greg.rabil
Thanks Tony, I see in the code now where it is not calling dns_dt_send() for 
the update request.

Regards,
Greg

> I use nsupdate to send a DDNS update to my zone, which is added 
> successfully.  However, the dnstap.output does not record the DNS 
> update.

I think (arguably) this is a limitation of the dnstap specification. It's 
defined in a Protocol Buffers declaration file (see the link below) and it only 
specifies message types for normal queries and responses. The types correspond 
roughly to tap points in the code - it isn't as low-level as you might expect, 
if you are imagining something that hooks into the network IO layer.

If you want to record other kinds of messages (UPDATE, NOTIFY, etc.) it would 
probably be best to extend the dnstap `Type` enum, and add corresponding 
dns_dt_send() calls to BIND's code. But you should check with Robert Edmonds 
first :-)

https://gitlab.isc.org/isc-projects/bind9/blob/master/lib/dns/dnstap.proto#L69

Tony.
--
f.anthony.n.finch  http://dotat.at/  Sole, Lundy, Fastnet, 
Irish Sea: Variable 3 or 4. Smooth or slight. Fog patches. Moderate, 
occasionally very poor, becoming good for a time.


BIND 9.11.4 dnstap not capturing updates

2018-08-02 Thread greg.rabil
Hello BIND users,
(my apologies if this gets posted twice, I first sent to 
bind-us...@isc.org instead of 
bind-users@lists.isc.org)

I am running BIND 9.11.4 on CentOS 7, built with support for dnstap.  I am 
testing capturing of all DNS packets, including DNS update packets, but they 
don't seem to be captured.  Here are my named.conf options:

   dnstap-output   file "/tmp/dnstap.output"   ;
   dnstap {   all  ; };

I use nsupdate to send a DDNS update to my zone, which is added successfully.  
However, the dnstap.output does not record the DNS update.  I see only the 
following three packets captured:

02-Aug-2018 16:24:37.365 AQ ::1:8145 -> ::1:0 UDP 38b test1.dnstaptest.com/IN/SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18817
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;test1.dnstaptest.com.  IN  SOA

02-Aug-2018 16:24:37.365 AR ::1:8145 <- ::1:0 UDP 104b test1.dnstaptest.com/IN/SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  18817
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test1.dnstaptest.com.  IN  SOA

;; AUTHORITY SECTION:
dnstaptest.com. 0   IN  SOA centos7-dns-test1. dnsadmin.dnstaptest.com. 6 10800 3600 604800 86400

02-Aug-2018 16:24:37.367 AR ::1:8145 <- ::1:0 UDP 32b dnstaptest.com/IN/SOA
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  22809
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;dnstaptest.com.  IN  SOA


Why is the DNS Update packet not captured/logged?

Thanks,
Greg Rabil


A. Gregory Rabil | Principal Software Architect| BT Diamond IP |
Tel: +1 (610) 321-9016 | Fax: +1 (610) 321-9004 |
greg.ra...@bt.com | http://www.btdiamondip.com
This email contains BT information which may be privileged or confidential. It 
is meant only for the individual(s) or entity named above. If you are not the 
intended recipient, note that disclosing, copying, distributing or using this 
information is prohibited. If you have received this email in error, please let 
me know immediately on the email above. Thank you. We monitor our email system 
and may record your emails.
BT Americas Inc. 415 Eagleview Blvd., Suite 112, Exton, PA 19341
BT Americas Inc. is a wholly owned subsidiary of British Telecommunications plc.



BIND 9.11.4 dnstap not capturing updates

2018-08-02 Thread greg.rabil
Hello BIND users,
I am running BIND 9.11.4 on CentOS 7, built with support for dnstap.  I am 
testing capturing of all DNS packets, including DNS update packets, but they 
don't seem to be captured.  Here are my named.conf options:

   dnstap-output   file "/tmp/dnstap.output"   ;
   dnstap {   all  ; };

I use nsupdate to send a DDNS update to my zone, which is added successfully.  
However, the dnstap.output does not record the DNS update.  I see only the 
following three packets captured:

02-Aug-2018 16:24:37.365 AQ ::1:8145 -> ::1:0 UDP 38b test1.dnstaptest.com/IN/SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18817
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;test1.dnstaptest.com.  IN  SOA

02-Aug-2018 16:24:37.365 AR ::1:8145 <- ::1:0 UDP 104b test1.dnstaptest.com/IN/SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  18817
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test1.dnstaptest.com.  IN  SOA

;; AUTHORITY SECTION:
dnstaptest.com. 0   IN  SOA centos7-dns-test1. dnsadmin.dnstaptest.com. 6 10800 3600 604800 86400

02-Aug-2018 16:24:37.367 AR ::1:8145 <- ::1:0 UDP 32b dnstaptest.com/IN/SOA
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  22809
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;dnstaptest.com.  IN  SOA


What is going on here?  Why is the DNS Update packet not captured/logged?

Thanks,
Greg Rabil



RE: Unable to build BIND 9.11.1 with dnstap support

2017-05-05 Thread greg.rabil
Thanks Mark!  I thought it would somehow know to search the 'bin' folder of the 
packages, but now it makes sense to simply add them to the path.

Thanks again,
Greg

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark 
Andrews
Sent: Thursday, May 4, 2017 8:34 PM
To: Carl Byington 
Cc: bind-us...@isc.org
Subject: Re: Unable to build BIND 9.11.1 with dnstap support


When testing DNSTAP I use the following

PATH=$PATH:$HOME/opt/protobuf-c/bin:$HOME/opt/fstrm/bin ./configure \
    --enable-dnstap --enable-developer --with-protobuf-c=$HOME/opt/protobuf-c/ \
    --with-libfstrm=$HOME/opt/fstrm CFLAGS=-g


In message <1493932859.31410.8.ca...@ns.five-ten-sg.com>, Carl Byington writes:
> On Thu, 2017-05-04 at 18:01 +, greg.ra...@bt.com wrote:
> > I am trying to build BIND 9.11.1 on a CentOS 7 64-bit system, 
> > including dnstap support.
> 
> You might try my .spec file, extracted from the source rpm:
> 
> http://www.five-ten-sg.com/util/bind-9.11.1-0.1.el6.src.rpm
> 
> 
> BuildRequires: GeoIP-devel, python-argparse, python-ply,
> perl-Net-DNS-Nameserver, fstrm-devel
> 
> Requires:  portreserve, GeoIP, GeoIP-update, python-argparse,
> python-ply, fstrm
> 
> 
>   --with-tuning=large \
>   --with-geoip \
>   --with-python \
>   --with-dnstap \
> 
> 
> Or just rebuild that source rpm on el7 with:
> 
> rpmbuild --rebuild --define 'dist .el7' bind-9.11.1-0.1.el6.src.rpm
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Unable to build BIND 9.11.1 with dnstap support

2017-05-04 Thread greg.rabil
Hello Bind Users,
I am trying to build BIND 9.11.1 on a CentOS 7 64-bit system, including dnstap 
support.  I have followed the instructions here - 
https://kb.isc.org/article/AA-01342/0/Using-DNSTAP-with-BIND-9.11.html to build 
protobuf, protobuf-c, and fstrm.  I am also building with support for OpenSSL 
and GeoIP.  Each of the dependent packages has been configured with a 
non-standard location using -prefix in the respective configure scripts.  All 
packages built and installed correctly in the following directories on my build 
machine:

/opt/work/test/protobuf  (v3.3.0)
/opt/work/test/protobuf-c  (v1.2.1)
/opt/work/test/fstrm  (v0.3.2)
/opt/work/test/ssl (v1.0.2k)
/opt/work/test/geoip (v1.6.10)


Here are the configure options I am providing for BIND 9.11.1:

./configure --enable-ipv6 --enable-filter- --enable-largefile 
--enable-fixed-rrset --enable-threads --enable-dnstap --enable-shared=no 
--enable-full-report --with-dlopen=no --with-openssl=/opt/work/test/ssl 
--with-geoip=/opt/work/test/geoip --with-protobuf-c=/opt/work/test/protobuf-c 
--with-libfstrm=/opt/work/test/fstrm --without-gssapi 
--prefix=/opt/work/test/dns

This configure fails with the following:
<...snip...>
checking architecture type for atomic operations... x86_64
checking compiler support for inline assembly code... gcc
checking compiler support for __builtin_expect... yes
checking compiler support for __builtin_clz... yes
checking if asm("rep; nop"); works... yes
checking for fstrm_capture... no
checking for protoc-c... no
configure: error: The protoc-c program was not found.

Even though I have specified the proper locations for protobuf-c and fstrm, it 
does not seem to find the binaries that exist:

# ls /opt/work/test/fstrm/
bin  include  lib

# ls /opt/work/test/fstrm/bin
fstrm_capture  fstrm_dump

# ls /opt/work/test/protobuf-c
bin  include  lib

# ls /opt/work/test/protobuf-c/bin
protoc-c


Has anyone else been successful building BIND 9.11.1 with dnstap support with 
dependencies installed in non-standard location?  I have tried this on both a 
CentOS 7 and RHEL 7 machine with the same results.  Any suggestions to resolve 
this build problem would be welcome.

Thanks,
Greg

Unable to build BIND 9.11.0-P3 on RHEL 6.0 64-bit

2017-03-28 Thread greg.rabil
Hi folks,
I am having trouble getting BIND 9.11.0-P3 to build on RHEL 6.0 64-bit.  I am 
linking it with static OpenSSL (1.0.2j) and GeoIP (1.6.6) libraries.  Here are 
my configure options:

--enable-ipv6
--enable-filter-
--enable-largefile
--enable-fixed-rrset
--enable-threads
--enable-shared=no   (I have also tried --disable-shared)
--enable-full-report
--with-openssl=/opt/ssl    (this is where OpenSSL was configured with --prefix, and installed)
--with-geoip=/opt/geoip    (this is where GeoIP was configured with --prefix, and installed)
--without-gssapi


Here is the configuration summary:
===
Configuration summary:
---
Optional features enabled:
Multiprocessing support (--enable-threads)
Mutex lock type: adaptive
GeoIP access control (--with-geoip)
Algorithm: aes
IPv6 support (--enable-ipv6)
OpenSSL cryptography/DNSSEC (--with-openssl)
XML statistics (--with-libxml2)
HTTP zlib compression (--with-zlib)
GOST algorithm support (encoding: raw) (--with-gost)
ECDSA algorithm support (--with-ecdsa)
Allow 'fixed' rrset-order (--enable-fixed-rrset)
 filtering (--enable-filter-)
Print backtrace on crash (--enable-backtrace)
Use symbol table for backtrace, named only (--enable-symtable)
Dynamically loadable zone (DLZ) drivers:
None

Features disabled or unavailable on this platform:
Large-system tuning (--with-tuning)
Allow 'dnstap' packet logging (--enable-dnstap)
GSS-API (--with-gssapi)
PKCS#11/Cryptoki support (--with-pkcs11)
Native PKCS#11/Cryptoki support (--enable-native-pkcs11)
Use libseccomp system call filtering (--enable-seccomp)
Very verbose query trace logging (--enable-querytrace)
Use GNU libtool (--with-libtool)
Automated Testing Framework (--with-atf)
Python tools (--with-python)
JSON statistics (--with-libjson)
LMDB database to store configuration for 'addzone' zones (--with-lmdb)
===


Make fails with this error, which seems to indicate that it is still trying to 
build a shared-library, even though I have explicitly disabled that feature.  
Again, I've tried both --disable-shared and --enable-shared=no.


gcc -shared -o sample.so db.o driver.o instance.o lock.o log.o syncptr.o zone.o \
   ../../../../../lib/dns/libdns.a ../../../../../lib/isc/libisc.a -L/opt/ssl/lib -lcrypto -ldl ../../../../../lib/dns/libdns.a ../../../../../lib/isc/libisc.a -ldl -lrt -lpthread -lm -lGeoIP -L/opt/geoip/lib -lxml2 -lz -lm
/usr/bin/ld: /opt/ssl/lib/libcrypto.a(cryptlib.o): relocation R_X86_64_32 against `OPENSSL_ia32cap_P' can not be used when making a shared object; recompile with -fPIC
/opt/ssl/lib/libcrypto.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[5]: *** [sample.so] Error 1


Any help is appreciated.


Thanks,
Greg

BIND 9.10 also-notify syntax

2015-09-23 Thread greg.rabil
Hello BIND users,
According to the BIND 9.10.3 ARM, the syntax for 'also-notify' in the options 
section of the named.conf file is:

[ also-notify { ip_addr
[port ip_port] [dscp ip_dscp] [key keyname] ;
[ ip_addr [port ip_port] [dscp ip_dscp] [key keyname] ; ... ] };

However, specifying the optional 'dscp' keyword and integer value causes named 
to abort at startup.  My understanding is that the DSCP value is for *source* 
ports, whereas the syntax above indicates that the DSCP value goes with the 
*target* port of the notify.  Interestingly, the grammar for this option from 
the BIND 9.10.3 source is as follows:

also-notify [ port  ] [ dscp  ] { (  | 
 [ port  ] |  [ port  ] ) [ key 
 ]; ... };

Which corresponds to my understanding where the optional 'dscp' keyword and 
value would be associated with the source.

Can someone please confirm if the BIND 9.10 ARM documentation is wrong?

Thanks,
Greg Rabil

BIND 9.10.2-P3 with GeoIP on Solaris

2015-09-02 Thread greg.rabil
Hi folks,
I am attempting to build BIND 9.10.2-P3 with support for GeoIP on Solaris, but 
I want a statically linked version of the 'named' binary.  On Linux, when I 
build the GeoIP library, I specify the '-disable-shared' configure flag, and 
then when I use the GeoIP install directory as the value for the '-with-geoip' 
when building BIND, all works fine and, as expected, I end up with a 'named' 
binary that is statically linked with the GeoIP library.  However, if I follow 
this process on Solaris, the BIND configure step fails with:

checking GeoIP.h usability... yes
checking GeoIP.h presence... yes
checking for GeoIP.h... yes
checking for library containing GeoIP_open... no
configure: error: GeoIP library not found

If I rebuild GeoIP library without '-disable-shared', then BIND configure and 
make complete successfully, but then I have a runtime dependency on the GeoIP 
library, which I'm trying to avoid.

I am hoping someone on the list has a workaround or other suggestion to 
accomplish this?

Thanks,
Greg

RE: Enterprise IPAM/DNS Solutions

2014-04-28 Thread greg.rabil
Josh,
In addition to the appliance-only vendor solutions you mention below, you may 
wish to look into the BT Diamond IP product line.  This is an enterprise and 
service provider IPAM solution with full support for DNS and DHCP.  It is 
available as software-only, with a centralized management component and Agents 
that are installed on your DNS and/or DHCP servers.  It is also available in a 
turnkey offering on hardened, proprietary Linux-based appliances.  Lastly, it 
is also available as either a hosted or managed service.  Please see 
http://btdiamondip.com for more information.  Full disclosure -- I am the 
Principal Software Architect for BT Diamond IP.

Regards,
Greg


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Baird, Josh
Sent: Monday, April 28, 2014 12:40 PM
To: Ray Van Dolson
Cc: bind-users@lists.isc.org
Subject: RE: Enterprise IPAM/DNS Solutions

Ray,

Overall, MM has worked quite nicely for us.  The CLI leaves a lot to be 
desired though and we have found several bugs in the application throughout the 
past several years (who doesn't have bugs, though?).  I have also had a hard 
time getting someone on their Sales team to answer my questions lately.  I do 
really like the fact that it doesn't require some third party appliance and it 
can run alongside BIND.  

At this point - I'm just looking to see what else is available in this same 
space (Infoblox, Bluecat, etc).  Any feedback from users of these various 
platforms is appreciated!

(apologies for the top-post)

Thanks,

Josh

-Original Message-
From: Ray Van Dolson [mailto:rvandol...@esri.com]
Sent: Monday, April 28, 2014 12:35 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Enterprise IPAM/DNS Solutions

On Mon, Apr 28, 2014 at 04:31:28PM +, Baird, Josh wrote:
> Hi,
> 
> We currently use the Men & Mice DNS/IPAM/DHCP suite which is 
> essentially a front-end wrapper for BIND.  We deploy our own BIND 
> boxes and simply install the Men & Mice agent on them which allows us 
> to centrally manage the zones from a GUI (or CLI) based interface.
> 
> I'm curious about the other enterprise solutions that are on the 
> market.  Bluecat is the first one that comes to mind, but I'm 
> completely unfamiliar with their product.  Does their product run 
> alongside native BIND (like MM) or do I need to purchase their own 
> appliances and place them all over my network?
> 
> Are there any other suggestions for products similar to Men & Mice and 
> Bluecat that I should be looking at?  I'm looking for DNS and IPAM and 
> central management.
> 
> Thanks,
> 
> Josh

Josh, I'm curious what shortcomings you're finding with the MM suite?

We've looked at BlueCat recently and my recollection is that it required their 
DNS appliances.  Quite costly and in our case, overkill.

MM has worked pretty well for us, but we're a corporate type use case, not a 
provider or ISP.

Ray


RE: dnssec-keyfromlabel out of memory

2009-07-22 Thread Greg.Rabil
  
>   dnssec-keyfromlabel -a RSASHA1 -l pkcs11:foobar foobar
> 
> This assumes you have already created an RSA key called foobar in the HSM.


Thanks Mark,

So, can I assume that the out of memory error really means it just can't find 
the key?

Regards,
Greg