Re: paypal.com DNSKEY no valid signature found
On 18/03/2022 14:36, Daniel Stirnimann wrote:
> You might use an operating system / crypto library which does not support SHA1 anymore. paypal.com is signed with RSASHA1. See warnings on https://dnsviz.net/d/paypal.com/YjSWxg/dnssec/
>
> Just curious, what answer do you get from your resolver? SERVFAIL or a missing AD bit?
>
> Daniel
>
> On 18.03.22 15:25, lejeczek via bind-users wrote:
>> Hi guys,
>> how to troubleshoot that?
>> ...
>> 18-Mar-2022 14:17:41.725 warning: EVP_VerifyFinal failed (verify failure)
>> 18-Mar-2022 14:17:41.725 info: error:0398:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
>> 18-Mar-2022 14:17:41.725 info: validating paypal.com/DNSKEY: no valid signature found
>> ...
>> I'd imagine it must be some up-the-chain servers doing something there - my local 'bind' does not point to/use any specific forwarders.
>>
>> many thanks, L.

It is SERVFAIL.
9.16.23-RH on CentOS 9

many thanks, L

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
paypal.com DNSKEY no valid signature found
Hi guys,
how to troubleshoot that?
...
18-Mar-2022 14:17:41.725 warning: EVP_VerifyFinal failed (verify failure)
18-Mar-2022 14:17:41.725 info: error:0398:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
18-Mar-2022 14:17:41.725 info: validating paypal.com/DNSKEY: no valid signature found
...
I'd imagine it must be some up-the-chain servers doing something there - my local 'bind' does not point to/use any specific forwarders.

many thanks, L.
Re: host your subdomain on your own ?
On 13/11/2021 07:16, Erich Eckner wrote:
> On Sat, 13 Nov 2021, Reindl Harald wrote:
>> Am 12.11.21 um 18:55 schrieb lejeczek via bind-users:
>>> On 12/11/2021 17:14, Reindl Harald wrote:
>>>> wouldn't it be easier to setup two different subdomains in which case you don't need delegation at all - your local named would host the internal subdomain and do recursion for everything else
>>>>
>>>> i mean when it's private and not www why does the world need to know about the subdomain?
>>>>
>>> Because I might not be able to control nor have input into local-private bind(s) and thus...
>>> clients/nodes on private networks would query www/public bind and only then would learn of 'priv.zone.top' and then, via that delegation to my own binds, 'priv.zone.top' would be served to local-private networks.
>>> - here is where 'views' come to mind, on my binds...
>>
>> don't get me wrong but when you a) control a local bind where b) a public resolver delegates a subzone you should also be able to control that clients in this network use your named via dhcp
>
> The problem arises as soon as you have some clients *outside* of this local net (inside some other local net) which should also resolve the internal IPs - this is what I have, and why I use a public zone for my private addresses: most hosts are within my LAN behind my own DNS server, but some are "outside", but reachable via VPN - but I do not want to route all DNS traffic for those through VPN, neither do I want to deploy DNS servers for each of those machines.

@Erich
So that's allowed (& will work?) by bind protocols? On my own bind facing www & serving my subdomain (delegated from public registrar) I resolve to & serve private IPs?
That's the easiest way out I was hoping for, in my tricky situation (being a part of a large org it's often bureaucracy which defeats everybody).
I too employ vpn and for similar reasons I'd prefer my www-facing bind to resolve my private IPs for... who should give a toss but me only?
To me it's very basic logic - if a user cannot get to a site - URLs of which only informed regular users should know in the first place - that is my business, right? (and precisely what I want)

many thanks, L
Re: host your subdomain on your own ?
On 12/11/2021 17:14, Reindl Harald wrote:
> Am 12.11.21 um 17:48 schrieb lejeczek via bind-users:
>> Hi guys.
>> I'm looking to setup my subdomain in-house and I'm hoping for some wise advice from experts, it's my first foray into this thus go easy on me please.
>>
>> zone.top - is hosted by a public registrar
>> priv.zone.top - I want to delegate to my own bind
>>
>> I'd hope for some generic recipe and pointer to docs, thanks.
>
> needs to be done in the parent zone by whoever hosts it
>
>> Now what I think might be the tricky part though I get that an expert might say - trivial.
>> I am thinking of 'views' or split-horizon or whatever other nomenclature applies, though I hear that that/those are discouraged by experts?
>> Or! might that above be unnecessary(?) if it's possible and allowed that such public, mine bind will resolve to IPs which are 'private' - all that so my 'priv.zone.top' will resolve to whole www but resources of the zone/domain will be available, as they are, only in/via private networks.
>> Does that make sense?
>
> wouldn't it be easier to setup two different subdomains in which case you don't need delegation at all - your local named would host the internal subdomain and do recursion for everything else
>
> i mean when it's private and not www why does the world need to know about the subdomain?

Because I might not be able to control nor have input into local-private bind(s) and thus...
clients/nodes on private networks would query www/public bind and only then would learn of 'priv.zone.top' and then, via that delegation to my own binds, 'priv.zone.top' would be served to local-private networks.
- here is where 'views' come to mind, on my binds...
but to make it even more tricky - but some expert may still say, trivial - currently deployed binds of mine do not support "split-horizon"
So.. the easiest way out of which I can think would be to have my binds simply point to those private/local IPs - here I wonder, as a newbie has to, if that would make DNS protocols unhappy or perhaps I get kicked in the teeth right at the start.

thanks, L.
host your subdomain on your own ?
Hi guys.
I'm looking to setup my subdomain in-house and I'm hoping for some wise advice from experts, it's my first foray into this thus go easy on me please.

zone.top - is hosted by a public registrar
priv.zone.top - I want to delegate to my own bind

I'd hope for some generic recipe and pointer to docs, thanks.

Now what I think might be the tricky part though I get that an expert might say - trivial.
I am thinking of 'views' or split-horizon or whatever other nomenclature applies, though I hear that that/those are discouraged by experts?
Or! might that above be unnecessary(?) if it's possible and allowed that such public, mine bind will resolve to IPs which are 'private' - all that so my 'priv.zone.top' will resolve to whole www but resources of the zone/domain will be available, as they are, only in/via private networks.
Does that make sense?

many thanks for all the help.
L
sub-zone on the same server but in different backend - how?
Hi guys.
To experts that most likely will be silly easy but my brain got tangled up and cannot get around it now (also being a novice).
Have a zone on a server, say:
- the.zone
with "flat" files being the backend for it.
Now wanting to have:
- sub.the.zone
served by the same BIND server, but stored in.. "SQL" backend.
How... well how to make that work if at all possible? I'd hope it can be done with some "trickery" in config/zone files if it is not 'easy-peasy'.

many thanks, L.
zone forward to pseudo domain(*.local) does not work
hi guys,
I'm quite sure I must be missing something trivial, yet my logic here might be failing too...
I have a boxA which for local clients resolves mydom.local just fine.
And I've a boxB with:

zone "mydom.local." IN {
    forward first;
    type forward;
    forwarders port 53 { 10.3.1.100; };
};

and here is where I cannot resolve that mydom.local domain. On boxB the logs show these:

named[20124]: broken trust chain resolving 'mydom.local/A/IN': 10.3.1.100#53
named[20124]: no valid RRSIG resolving 'mydom.local/DNSKEY/IN': 10.3.1.100#53

I checked responses from boxA with +dnssec and as expected these are secure(d).
boxA does allow-transfer boxB.
What is the problem, what have I got wrong there?

many thanks, L.
Re: how to dynamically change/update (own private) domain record
On 22/09/18 21:58, Mark Andrews wrote:
> The update policy rules you have don't allow the apex to be updated. Change the rule types to "subdomain" and the name fields to "dom.local".

Fantastic! Many thanks!
may I also ask why cname does not work in my setup?

client @0x7f4d84094190 10.3.1.100#12046/key nsupdate_key: updating zone 'dom.local/IN': attempt to add CNAME alongside non-CNAME ignored
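As an added example (not from the thread and not BIND's own code), the following Python models the two rules behind the errors in this thread: update-policy name matching for the `wildcard` versus `subdomain` rule types, and the CNAME coexistence check that produces "attempt to add CNAME alongside non-CNAME ignored". The policy tuples are the rules from the posted named.conf and Mark Andrews's suggested change; the zone contents are constructed.

```python
"""Model of BIND update-policy name matching and of the CNAME singleton rule.

Added example, not from the thread or from BIND's source. It reproduces the
behaviour Mark Andrews describes: "wildcard *.dom.local." never covers the
zone apex, "subdomain dom.local." does, and a CNAME cannot be added at a
name that already owns other records (the apex always owns SOA and NS).
"""


def _labels(name):
    return name.rstrip(".").lower().split(".")


def rule_matches(rule_type, rule_name, target):
    """True when an update-policy rule's name field covers target.

    name:      target is exactly rule_name
    subdomain: target is rule_name or any name below it
    wildcard:  rule_name is a DNS wildcard; target must be a valid expansion,
               i.e. one or more labels in place of '*', never zero
    """
    r, t = _labels(rule_name), _labels(target)
    if rule_type == "name":
        return r == t
    if rule_type == "subdomain":
        return len(t) >= len(r) and t[-len(r):] == r
    if rule_type == "wildcard":
        if r[0] != "*":
            return r == t
        suffix = r[1:]
        return len(t) > len(suffix) and t[-len(suffix):] == suffix
    raise ValueError(f"unsupported rule type: {rule_type}")


def update_allowed(policy, signer, target, rtype):
    """First matching rule decides, as in named. Rules are tuples of
    (action, identity, rule_type, name, types); an empty types set means any."""
    for action, identity, rule_type, name, types in policy:
        if identity != signer or not rule_matches(rule_type, name, target):
            continue
        if types and rtype not in types:
            continue
        return action == "grant"
    return False  # no rule matched: the update is REFUSED


def cname_addable(records, target, rtype):
    """Singleton rule named enforces on dynamic updates: a CNAME cannot be
    added beside other data, and other data cannot be added beside a CNAME.
    DNSSEC metadata (RRSIG, NSEC) may coexist with a CNAME and is ignored."""
    existing = {rt for name, rt in records
                if _labels(name) == _labels(target)} - {"RRSIG", "NSEC"}
    if rtype == "CNAME":
        return not (existing - {"CNAME"})
    return "CNAME" not in existing


# The policy from the posted named.conf (the one that produced REFUSED) ...
OLD_POLICY = [
    ("grant", "dhcpd", "wildcard", "*.dom.local.", {"A", "CNAME", "TXT"}),
    ("grant", "nsupdate_key", "wildcard", "*.dom.local.", {"A", "CNAME", "TXT"}),
]
# ... and the same rules after the change Mark Andrews suggested.
NEW_POLICY = [
    ("grant", "dhcpd", "subdomain", "dom.local.", {"A", "CNAME", "TXT"}),
    ("grant", "nsupdate_key", "subdomain", "dom.local.", {"A", "CNAME", "TXT"}),
]
# Constructed minimal zone content: the apex always owns SOA and NS.
ZONE = [("dom.local.", "SOA"), ("dom.local.", "NS"), ("dom.local.", "A"),
        ("ddd.dom.local.", "A")]

if __name__ == "__main__":
    print(update_allowed(OLD_POLICY, "nsupdate_key", "ddd.dom.local.", "A"))  # True
    print(update_allowed(OLD_POLICY, "nsupdate_key", "dom.local.", "A"))      # False: REFUSED
    print(update_allowed(NEW_POLICY, "nsupdate_key", "dom.local.", "A"))      # True
    print(cname_addable(ZONE, "dom.local.", "CNAME"))      # False: CNAME alongside non-CNAME
    print(cname_addable(ZONE, "www.dom.local.", "CNAME"))  # True
```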
Re: how to dynamically change/update (own private) domain record
On 22/09/18 17:04, Reindl Harald wrote:
> Am 22.09.18 um 17:53 schrieb lejeczek via bind-users:
>> is it possible to update domain (not hosts of/in the domain) records?
>
> there is nothing like "not hosts of/in the domain"
>
>> Something like
>> domain.local A 10.1.1.100
>
> which is simply an A record and not "not hosts of/in the domain"
>
>> simple, right? I'm trying nsupdate but it refuses to do the above
>
> what about providing information like the state of the zone file and unaltered input/output of "nsupdate", given that crystal balls are out of order?

from my previous post (different subject):
..
I do:

    > update delete ddd.dom.local. 86400 in a 10.3.1.100
    > send

and that works, but when I try:

    > update add dom.local. 86400 in a 10.3.1.100
    > send
    update failed: REFUSED

..and in logs:

client @0x7fd7a40f2e40 127.0.0.1#9489/key nsupdate_key: updating zone 'dom.local/IN': update failed: rejected by secure update (REFUSED)

..and zone:

zone "dom.local" IN {
    auto-dnssec maintain;
    key-directory "myZones";
    allow-query { localhost; dom.local; };
    #allow-update { key dhcpd; key nsupdate_key; };
    update-policy {
        grant dhcpd wildcard *.dom.local. A CNAME TXT;
        grant nsupdate_key wildcard *.dom.local. A CNAME TXT;
    };
    # below line would be for a slave/stub secondary server
    #allow-transfer { localbox; 172.25.12.203; };
    type master;
    file "myZones/dom.local.signed";
};

thanks, L
how to dynamically change/update (own private) domain record
hi guys,
is it possible to update domain (not hosts of/in the domain) records?
Something like
domain.local A 10.1.1.100
simple, right? I'm trying nsupdate but it refuses to do the above.

many thanks, L.
domain's own a record(s)
hi everyone,
I have a quick question on a possibly trivial issue.
I do:

    > update delete ddd.dom.local. 86400 in a 10.3.1.100
    > send

and that works, but when I try:

    > update add dom.local. 86400 in a 10.3.1.100
    > send
    update failed: REFUSED

..and in logs:

client @0x7fd7a40f2e40 127.0.0.1#9489/key nsupdate_key: updating zone 'dom.local/IN': update failed: rejected by secure update (REFUSED)

I'm hoping that I can add another A record to dom.local.
What is the problem here? It must be something obvious, right?

many thanks, L.
no valid signature found - but where do the queries come from?
hi users,
I'm getting lots of the below in the log:

validating @0x7f53140149a0: ccnr-winsrv1.xxx.private.other.dom.my.dom A: bad cache hit (uk.my.dom/DS)
validating @0x7f5314015630: ccnr-winsrv1.xxx.private.other.dom.my.dom : bad cache hit (uk.my.dom/DS)
error (broken trust chain) resolving 'ccnr-winsrv1.xxx.private.other.dom.my.dom/A/IN': 192.168.2.100#53
error (broken trust chain) resolving 'ccnr-winsrv1.xxx.private.other.dom.my.dom//IN': 192.168.2.100#53
validating @0x7f52e4002650: my.dom SOA: no valid signature found
validating @0x7f52e40032e0: my.dom SOA: no valid signature found
validating @0x7f52e4002650: my.dom NSEC: no valid signature found
validating @0x7f52e40032e0: my.dom NSEC: no valid signature found
validating @0x7f52e4002650: swir.my.dom NSEC: no valid signature found
validating @0x7f52e4002650: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS)
validating @0x7f52e40032e0: swir.my.dom NSEC: no valid signature found
validating @0x7f52e40032e0: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS)
validating @0x7f52e40016c0: ccnr-winsrv1.xxx.private.other.dom.my.dom : bad cache hit (uk.my.dom/DS)
validating @0x7f52e40008c0: ccnr-winsrv1.xxx.private.other.dom.my.dom A: bad cache hit (uk.my.dom/DS)
error (broken trust chain) resolving 'ccnr-winsrv1.xxx.private.other.dom.my.dom//IN': 192.168.2.100#53
error (broken trust chain) resolving 'ccnr-winsrv1.xxx.private.other.dom.my.dom/A/IN': 192.168.2.100#53

it's on a server - serverB.xxx.private.other.com (9.9.4) - which forwards zone my.dom to serverA.my.dom (9.8.2rc1).
serverB is insecure whereas serverA.my.dom uses dnssec.
Firstly I'm hoping some experts could shed a bit of light on what's happening, with the frequency these get logged, every few seconds. Is it the DNS itself or are clients actually nagging the server so constantly - how to trace it? - trace 6 and I cannot see anything.
Secondly, it must be configuration I think, though I think it was ok some time ago, now - on serverB I do:

$ host swir.my.dom. 127.0.0.1 -vv
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host swir.my.dom not found: 2(SERVFAIL)

further I do:

$ dig +qr my.dom.

and nothing, then:

$ dig +qr my.dom. @192.168.2.100

(which is serverA) and I see NS, A.
also that from the log, a line:

validating @0x7f52e40016c0: ccnr-winsrv1.xxx.private.other.dom.my.dom : bad cache hit (uk.my.dom/DS)

here is my.dom (serverA) appended to private.other.dom (serverB) - what does it mean?
how, where to start troubleshooting?

many! thanks
server forward to server does not work
hi fellow users,
I'm having a puzzle to solve and because I'm an amateur I'm hoping an expert could help, otherwise it'll take me ages.
I have a 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 which runs a signed zone and another server that forwards to it.
The server (swir.private.aaa.bbb.private.czz.yy.zz) that forwards to the zone reports:

May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]: validating @0x7f5fe4007f80: . SOA: no valid signature found
May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]: validating @0x7f5fe4008c10: whale.. A: no valid signature found
May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]: validating @0x7f5fe4007f80: whale.. NSEC: no valid signature found
May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]: validating @0x7f5fd800f5c0: . SOA: no valid signature found
May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]: validating @0x7f5fd800f5c0: whale.. NSEC: no valid signature found
May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]: error (no valid RRSIG) resolving 'whale../DS/IN': 192.168.2.100#53

whale.. is the server with the signed zone, above is a result of

$ dig +qr any that.zone

and the query does not return a single record.
but if I only do:

$ dig +qr any that.zone @192.168.2.100

(server with signed zone) then everything works fine, seemingly.
Forwarding server's conf snippet is pretty plain vanilla:

zone "." IN {
    forward only;
    type forward;
    forwarders port 53 { 192.168.2.100; };
};

forwarding server is 9.9.4-RedHat-9.9.4-29.el7_2.3
What am I doing wrong, what am I missing?

many thanks, L.
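The validation messages quoted in this thread, in the "zone forward to pseudo domain" and "no valid signature found" threads above, and in the paypal.com RSASHA1 thread at the top of the page come in a few fixed shapes. The following Python is an added example, not code from any of the posts or from ISC: it parses those shapes and separates a crypto-library refusal of the digest algorithm (Daniel Stirnimann's diagnosis for the paypal.com case) from a broken chain of trust. The sample log is constructed from lines quoted on this page; the diagnosis texts are the editor's.

```python
"""Triage of DNSSEC validation failures from BIND 9 named log lines.

Added example, not code from any post on this page. It recognises the message
shapes quoted in these threads ("validating name/TYPE: ...", the older
"validating @0x...: name TYPE: ..." and "... resolving 'name/TYPE/IN': server")
and maps each failing name to one diagnosis.
"""
import re

# "validating [@0x...: ]name[/TYPE| TYPE]: no valid signature found | bad cache hit (X/DS)"
VALIDATING = re.compile(
    r"validating (?:@0x[0-9a-f]+: )?(?P<name>[^\s/:]+)(?:[/ ][A-Z]+)?\s*: "
    r"(?:no valid signature found|bad cache hit \((?P<ds>[^)]+)\))"
)
# "[error (]broken trust chain | no valid RRSIG[)] resolving 'name/TYPE/IN': server"
RESOLVING = re.compile(
    r"(?P<what>broken trust chain|no valid RRSIG)\)? resolving "
    r"'(?P<name>[^/']+)/[A-Z]*/IN': (?P<server>\S+)"
)
DIAGNOSIS = {
    "algorithm_disabled": "crypto library refused the digest algorithm (SHA-1 for "
        "RSASHA1); the zone may be fine, but this resolver cannot verify it and "
        "answers SERVFAIL; check the OS crypto policy, not the zone",
    "signature_invalid": "RRSIGs were found but none verified; check the RRSIG "
        "validity period and that the signing DNSKEY is published",
    "chain_of_trust_broken": "no chain of trust from a trust anchor to this name; "
        "the validator expected a DS at the parent or a configured trust anchor",
}

def parse_line(line):
    """Return an event dict for a recognised message, or None."""
    m = VALIDATING.search(line)
    if m:
        kind = "bad_cache_hit" if m.group("ds") else "no_valid_signature"
        return {"kind": kind, "name": m.group("name"), "ds": m.group("ds")}
    m = RESOLVING.search(line)
    if m:
        return {"kind": m.group("what").replace(" ", "_"),
                "name": m.group("name"), "server": m.group("server")}
    if "invalid digest" in line:  # OpenSSL EVP error named logs before the failure
        return {"kind": "crypto_invalid_digest"}
    return None

def triage(log_text):
    """Map each failing name to a DIAGNOSIS key. named logs the OpenSSL "invalid
    digest" error right before the "no valid signature found" line it caused, so a
    signature failure directly after such an error is blamed on the crypto library."""
    findings, digest_rejected = {}, False
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "crypto_invalid_digest":
            digest_rejected = True
            continue
        if ev["kind"] == "no_valid_signature":
            verdict = "algorithm_disabled" if digest_rejected else "signature_invalid"
        else:  # broken_trust_chain, no_valid_RRSIG, bad_cache_hit
            verdict = "chain_of_trust_broken"
        digest_rejected = False
        if findings.get(ev["name"]) != "algorithm_disabled":  # strongest verdict wins
            findings[ev["name"]] = verdict
    return findings

# Constructed sample assembled from log lines quoted in the threads on this page.
SAMPLE_LOG = """\
18-Mar-2022 14:17:41.725 warning: EVP_VerifyFinal failed (verify failure)
18-Mar-2022 14:17:41.725 info: error:0398:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
18-Mar-2022 14:17:41.725 info: validating paypal.com/DNSKEY: no valid signature found
named[20124]: broken trust chain resolving 'mydom.local/A/IN': 10.3.1.100#53
named[20124]: no valid RRSIG resolving 'mydom.local/DNSKEY/IN': 10.3.1.100#53
validating @0x7f53140149a0: ccnr-winsrv1.xxx.private.other.dom.my.dom A: bad cache hit (uk.my.dom/DS)
"""
```

Running `for n, k in triage(SAMPLE_LOG).items(): print(n, DIAGNOSIS[k])` prints one verdict per failing name.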
multi zone forward ?
hi everybody,
Is it possible with ISC to forward multiple zones to one (or a few) forwarders without declaring each zone separately? Something like with "view" or "policy"?

many thanks. L.
how to put a host to a (just in parent) subdomain
hi everybody,
I'm trying something simple, or I thought it'd be simple. I realize my question should rather go to the DHCPD community, but I feel like I might be missing something on the DNS part.
for organizational, or for test if you like, purposes I would like to have subdomain.inparent.zone (so no delegations, just in the parent zone) - this works with nsupdate simply:

    > zone inparent.zone.
    > update add host.subdomain.inparent.zone 86400 in a 10.10.1.10
    > send

$ host host.subdomain

and it resolves fine, and if I fix my resolv.conf respectively it even resolves "host".
is the above correct and nothing else in terms of records & configs is required in order to add a subdomain to an already existing parent?
and if so, would you know if it's hosts (dhcpd clients) that need specific configs or just DHCPd does the lot?
I should mention it's all dnssec.

many thanks.
Re: subdomain/zone with DHCPD
On 15/10/15 16:01, Niall O'Reilly wrote:
> On 15 October 2015 15:56:42 BST, lejeczek <pelj...@yahoo.co.uk> wrote:
>> hi everybody
>> I'm trying a bind setup which could be talked to by dhcpd.
>> I've bind setup with virtual zones and now trying to set up dhcpd so it would be updating DNS, but... but.
>> In dhcpd.conf I'm trying:
>
> and what's in your named.conf?

it's:

zone "domain.my" IN {
    key-directory "domain.my";
    auto-dnssec maintain;
    allow-update { key dhcpd; key nsupdate_key; };
    allow-transfer { localbox; 172.25.12.203; };
    type master;
    file "domain.my/domain.my.db.signed";
};

and now! I made one change:

subnet 192.168.4.64 netmask 255.255.255.224 {
    ddns-domainname "host.domain.my";
    ddns-rev-domainname "in-addr.arpa";
    option domain-name-servers 192.168.4.65;
    option domain-name "host.domain.my";
    option host-name = config-option server.ddns-hostname;
    option broadcast-address 192.168.4.95;
    option routers 192.168.4.65;
    one-lease-per-client on;
    zone domain.my. {            <= Here!, was - host.domain.my
        primary 127.0.0.1;
        key dhcpd;
    }
    pool {
        range dynamic-bootp 192.168.4.66 192.168.4.93;
        allow unknown-clients;
        default-lease-time 86400;
        #default-lease-time 3600;
        max-lease-time 1;
    }
}

now, I get DNS (it all works locally on the same one box, it's not a problem of policy, access, etc..) updated, good! :)
But that virtual guest still gets (or at least reports) - domain.my - as its FQDN ???

puzzled
subdomain/zone with DHCPD
hi everybody
I'm trying a bind setup which could be talked to by dhcpd.
I've bind setup with virtual zones and now trying to set up dhcpd so it would be updating DNS, but... but.
In dhcpd.conf I'm trying:

subnet 192.168.4.64 netmask 255.255.255.224 {
    ddns-domainname "host.domain.my";
    ddns-rev-domainname "in-addr.arpa";
    option domain-name-servers 192.168.4.65;
    option domain-name "host.domain.my";
    option host-name = config-option server.ddns-hostname;
    option broadcast-address 192.168.4.95;
    option routers 192.168.4.65;
    one-lease-per-client on;
    zone host.domain.my. {
        primary 127.0.0.1;
        key dhcpd;
    }
    pool {
        range dynamic-bootp 192.168.4.66 192.168.4.93;
        allow unknown-clients;
        default-lease-time 86400;
        #default-lease-time 3600;
        max-lease-time 1;
    }
}

hoping that the virtual zone in the DNS server whose parent zone/domain is "domain.my" would get updated as dhcpd clients request IPs.

parent/main BIND zone config:

$TTL 86400      ; 1 day
$ORIGIN domain.my.
@       IN SOA  host.domain.my. root.host.domain.my. (
                102        ; serial
                10800      ; refresh (3 hours)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                3600       ; minimum (1 hour)
                )
        NS      host.domain.my.
        A       192.168.2.110
host    A       192.168.2.110
; virtual subdomain a.k.a subzone, for virt guest on this host
$ORIGIN host.domain.my.
virt    A       192.168.4.65

If it is looking a bit confusing it's because I'm trying: for domain - "domain.my" - whose bind server is - "host.domain.my" - to have this same box be a host for virt guests. So essentially virt guests would be: guest-1.host.domain.my, guest-2.hos... etc, so for guests host.domain.my would be their DNS domain.
DNS as such is working but I cannot get DHCP to do its part.
I thought it was simple, seemingly.. Can you help? (I'm in the process of signing up to the dhcp list)

many thanks.
protect a record (against dynamic update)
hi everybody,
I'd like to ask about possible ways to protect a record - is it feasible at all? Or maybe some sort of priority mechanism?
What I'd like to do is basically to not let DHCP dynamically update a record that I set earlier manually.
My case is where a system has multiple interfaces and one has a statically configured IP, other interfaces are used by qemu guests and this tends to mess things up a bit.

many thanks
P.
Re: nsupdate fails on CNAME but A and PTR goes through
sort of a false alarm
nsupdate with FQDN (dot) did work! (???)

On 17/05/12 12:03, lejeczek wrote:
> hi everybody
> when I do:
>
>     server 127.0.0.1
>     zone ccnr.biotechnology.
>     update add second 86400 in cname first
>     send
>     update failed: NOTZONE
>
> in log I get:
>
> May 17 11:59:10 whale named[2910]: debug level is now 5
> May 17 12:00:28 whale named[2910]: client 127.0.0.1#33465: view biotech: signer nsupdate_key approved
> May 17 12:00:28 whale named[2910]: client 127.0.0.1#33465: view biotech: updating zone 'ccnr.biotechnology/IN': update failed: update RR is outside zone (NOTZONE)
>
> any help greatly appreciated
> thanks!