Fwd: Reverse zone reformatting after nsupdate execution

2021-01-27 Thread Greg Donohoe
Adding mailing list for archiving. -- Forwarded message - From: Greg Donohoe Date: Wed, Jan 27, 2021 at 6:11 PM Subject: Re: Reverse zone reformatting after nsupdate execution To: Chris Isaksen Thank you very much for your reply Chris. Changing the masterfile-style has

Re: Reverse zone reformatting after nsupdate execution

2021-01-27 Thread Chris Isaksen
From: bind-users on behalf of Ondřej Surý Sent: Wednesday, January 27, 2021 8:29 AM To: Greg Donohoe Cc: bind-users@lists.isc.org Subject: Re: Reverse zone reformatting after nsupdate execution You might want to change `masterfile-style` configuration

Re: Reverse zone reformatting after nsupdate execution

2021-01-27 Thread Ondřej Surý
to figure out the cause of an >> issue I am seeing when running nsupdate on my BIND9 server. >> Below you will find all the details as to how my server is configured >> and also the nsupdate commands that I am running. >> >> The issue I am seeing is that I hav

Re: Reverse zone reformatting after nsupdate execution

2021-01-27 Thread Ondřej Surý
ut the cause of an > issue I am seeing when running nsupdate on my BIND9 server. > Below you will find all the details as to how my server is configured and > also the nsupdate commands that I am running. > > The issue I am seeing is that I have configured a /16 10.10.in-addr.arpa >

Reverse zone reformatting after nsupdate execution

2021-01-27 Thread Greg Donohoe
Hello. I am hoping that someone can help me to figure out the cause of an issue I am seeing when running nsupdate on my BIND9 server. Below you will find all the details as to how my server is configured and also the nsupdate commands that I am running. The issue I am seeing is that I have

Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)

2020-08-05 Thread Mark Andrews
Unfortunately comments section on that page doesn’t work. You press preview and you get a error response back. > On 6 Aug 2020, at 02:21, Brett Delmage wrote: > > On Wed, 5 Aug 2020, Mark Andrews wrote: > >> If I use the example zone on that page *no* errors are reported. >> If I modify

Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)

2020-08-05 Thread Brett Delmage
On Wed, 5 Aug 2020, Mark Andrews wrote: If I use the example zone on that page *no* errors are reported. If I modify restarchitect.com to have a A record at _acme-challenge.restarchitect.com then errors will be reported. I certainly did get an error originally. I would not have found this

Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)

2020-08-04 Thread Mark Andrews
ct, so then I don't need to send a help plea and > look like an idiot. Just not in this report, although an earlier version led > me to seeing another problem, which was good. > > Brett > >> >> >> >> Mark >> >>> On 5 Aug 2020, at 08:44, Bre

Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)

2020-08-04 Thread Brett Delmage
help plea and look like an idiot. Just not in this report, although an earlier version led me to seeing another problem, which was good. Brett Mark On 5 Aug 2020, at 08:44, Brett Delmage wrote: I'm having a problem getting nsupdate to work, as shown below. (Despite reading the man

Re: Cannot get nsupdate to work (for letsencrypt acme.sh client)

2020-08-04 Thread Mark Andrews
Thanks for full details. Your key name usage is not consistent. acmesh-ottawatch != ottawatch-acmesh Why are you adding `check-names warn;`? check-names does NOT apply to TXT records. Mark > On 5 Aug 2020, at 08:44, Brett Delmage wrote: > > I'm having a problem getting nsupdat

Cannot get nsupdate to work (for letsencrypt acme.sh client)

2020-08-04 Thread Brett Delmage
I'm having a problem getting nsupdate to work, as shown below. (Despite reading the man pages I'm not 100% clear about the exact scope of the grant options and it may not be right. Examples would be helpful.) I generated the key: ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca

Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?

2020-07-28 Thread Brett Delmage
can delete and add in the same UPDATE operation. Remove the first “send” in nsupdate.script. Yes, thanks for the tip. I did man nsupdate :-) I had nsupdate debug enabled earlier, so split this it up while testing. Also ottawatch.ca has DS records but the zone is not signed. You need to fix

Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?

2020-07-28 Thread Mark Andrews
3CEF76EC Mark > On 29 Jul 2020, at 12:30, Brett Delmage wrote: > > nsupdate works according to updated contents of a dynamic zonefile but dig > does not report the added A record. > > What am I doing stupidly here? > > BIND version 1:9.16.5-1+ubuntu18.04.1 > - b

nsupdate apparently not working for me. What am I overlooking / doing wrong?

2020-07-28 Thread Brett Delmage
nsupdate works according to updated contents of a dynamic zonefile but dig does not report the added A record. What am I doing stupidly here? BIND version 1:9.16.5-1+ubuntu18.04.1 - both authoritative and local recursive zone config: zone "ottawatch.ca" { t

Re: BIND, nsupdate and acme.sh DNS authentication

2020-07-23 Thread Michael De Roover
, specifically) working with nsupdate (which acme.sh uses) and BIND have been a PITA. I haven't been overly impressed with the debug capabilities to help get nsupdate working properly. Interesting, I wasn't aware of this. Looking at Manjaro's site again, I found that their main website indeed uses

BIND, nsupdate and acme.sh DNS authentication

2020-07-23 Thread Brett Delmage
-official/acme.sh If you are running your own nameserver you also need to enable dynamic updates so that the acme.sh client can create TXT records during certificate acquisition and renewal. However I have found that getting zone dynamic updates (authentication, specifically) working with nsupdate

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread vom513
Done: https://gitlab.isc.org/isc-projects/bind9/-/issues/1907 <https://gitlab.isc.org/isc-projects/bind9/-/issues/1907> Thanks. > On Jun 1, 2020, at 7:08 AM, Ondřej Surý wrote: > > I think it’s reasonable for nsupdate to do the chunking on itself. Patches > are always w

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread vom513
> On Jun 1, 2020, at 6:50 AM, Andreas S. Kerber wrote: > > Yeah, I had troubles with those 2048 bit DKIM records too. nsupdate will need > it like this: > > server X.X.X.X > zone ag-trek.de > update add test.ag-trek.de. 86400 IN TXT

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread Ondřej Surý
I think it’s reasonable for nsupdate to do the chunking on itself. Patches are always welcome, but if you can start by creating issue for us, it would be very much welcome. I can’t offer you any timeframe, but at least it won’t get lost. Ondrej -- Ondřej Surý ond...@isc.org > On 1 Jun 2

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread Andreas S. Kerber
On Mon, Jun 01, 2020 at 04:11:43AM -0400, vom513 wrote: > Can anyone point me to an example of how to do this ? I have a script that > rotates my DKIM keys, and uses nsupdate to publish. With 1024 bit - I must > be getting by by the skin of my teeth… > > When I try 2048

Re: nsupdate: using "wildcard" TTL when removing specific record

2020-06-01 Thread Mark Andrews
be ignored by the primary master. CLASS must be specified as NONE to distinguish this from an RR addition. If no such RRs exist, then this Update RR will be silently ignored by the primary master. > On 1 Jun 2020, at 18:45, Petr Bena wrote: > > Hello, > > Is there any way t

nsupdate: using "wildcard" TTL when removing specific record

2020-06-01 Thread Petr Bena
Hello, Is there any way to tell nsupdate to delete specific record with ANY TTL value? For example I have following record: record.domain.org 3500 A 1.2.3.4 I want to delete exactly that record (A with IP 1.2.3.4), except I don't know what the TTL is, normally, if I knew the TTL, I would do

nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread vom513
Hello, Can anyone point me to an example of how to do this ? I have a script that rotates my DKIM keys, and uses nsupdate to publish. With 1024 bit - I must be getting by by the skin of my teeth… When I try 2048 bit, the record is obviously longer. All of my attempts of running it through

Re: Nsupdate and TTL

2020-04-23 Thread Tony Finch
Mark Andrews wrote: > > On 23 Apr 2020, at 07:20, Evan Hunt wrote: > > > > As far as I can recall, the only way to change a TTL in nsupdate is to > > delete the whole RRset and then add it back in the same transaction: There's actually a standard shortcut for TTL change

Re: Nsupdate and TTL

2020-04-23 Thread Mark Andrews
sted below. The UPDATE message is a bit larger but it is robust. Mark > On 23/04/2020 01:06, Mark Andrews wrote: >> >>> On 23 Apr 2020, at 07:20, Evan Hunt wrote: >>> >>> On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote: >>>&g

Re: Nsupdate and TTL

2020-04-23 Thread Petr Bena
will have TTL overridden with the last one you add. On 23/04/2020 01:06, Mark Andrews wrote: On 23 Apr 2020, at 07:20, Evan Hunt wrote: On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote: # nsupdate -k /path/to/key zone example.com ttl 3600 send ^d No errors, but no change

Re: Nsupdate and TTL

2020-04-22 Thread Mark Andrews
> On 23 Apr 2020, at 07:20, Evan Hunt wrote: > > On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote: >> # nsupdate -k /path/to/key >>> zone example.com >>> ttl 3600 >>> send >>> ^d >> >> No errors, but no chan

Re: Nsupdate and TTL

2020-04-22 Thread Evan Hunt
On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote: > # nsupdate -k /path/to/key > > zone example.com > > ttl 3600 > > send > > ^d > > No errors, but no change in the TTL. "ttl 3600" just means "from now on assume I mean

Nsupdate and TTL

2020-04-22 Thread @lbutlr via bind-users
What is the proper syntax for changing the TTL on a zone with nsupdate? Does the existence of $TTL 86400 in the domain.conf file override nsupdate's attempts to change the TTL? # nsupdate -k /path/to/key > zone example.com > ttl 3600 > send > ^d No errors, but no change in the TT

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Tony Finch
Shumon Huque wrote: > > The implication is that "ignore" also means set the response code to > NOERROR. Although, I suppose CNAME related UPDATE processing could have > been special cased to return an error code like YXRRSET (even without a > specified prerequisite clause). Ah, yes, now you

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Bob Harold
I recently tried using dnspython to replay captured queries and found that it refuses to do any "meta" queries, including "ANY". But since the real world occasionally uses meta queries, I need to be able to make them. I ended up using https://github.com/paulc/dnslib, but I don't see where that

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Shumon Huque
On Wed, Apr 1, 2020 at 8:36 AM Tony Finch wrote: > > This error behaviour is mostly specified by the UPDATE protocol (RFC > 2136). It's worth reading the RFC because (as you have found) some of the > behaviour is a bit surprising. For instance, adding a record that already > exists is not an

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Tony Finch
howing the user before the user prepared the update. > I am looking for a some alternative to nsupdate, that can achieve the > same, but more machine friendly, like a "proper DNS library" you talk > about, is there any such a thing? The system I work with is mostly perl

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread G.W. Haywood via bind-users
Hi there, On Wed, 1 Apr 2020, Petr Bena wrote: ... Is there any alternative to nsupdate, something that can work with XML or JSON payloads or provide output in such machine parseable format? ... If it's any help DNS::ZoneParse claims to be able to output XML - but I don't have any experience

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Timothe Litt
is basically a wrapper around dig and nsupdate that allows > people with "less CLI knowledge" to easily manipulate DNS records. The > main reason for this was that in our corporation we have about 400 > internal DNS zones hosted on over 100 different BIND master servers, >

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Ondřej Surý
I would recommend dnspython as a start. The API is very non-Python, but once you get hang of it, it’s not that bad. Ondrej -- Ondřej Surý ond...@isc.org > On 1 Apr 2020, at 15:21, Petr Bena wrote: > > like a "proper DNS library" you talk about, is there any such a thing?

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Petr Bena
this can be achieved with the nsupdate, I guess the prereq statement is what I need to work with, but as I said - parsing the current output of nsupdate, especially that header from debug or answer section, is just not very easy, and I wouldn't be surprised if the format of output changed

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Mark Andrews
> On 1 Apr 2020, at 20:07, Petr Bena wrote: > > Hello, > > Some preamble: Some time ago I created an open source DNS admin web GUI *1 > that is basically a wrapper around dig and nsupdate that allows people with > "less CLI knowledge" to easily manipula

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Tony Finch
Petr Bena wrote: > I think your approach of using standard protocols (DNS queries and updates) to edit zones is very good! > Is there any alternative to nsupdate, something that can work with XML > or JSON payloads or provide output in such machine parseable format? I've d

Machine friendly alternative to nsupdate

2020-04-01 Thread Petr Bena
Hello, Some preamble: Some time ago I created an open source DNS admin web GUI *1 that is basically a wrapper around dig and nsupdate that allows people with "less CLI knowledge" to easily manipulate DNS records. The main reason for this was that in our corporation we have about 400

Re: nsupdate with response-policy zone

2019-11-20 Thread mail-list-users
Thank you very much, this did the trick. Have a nice day!

Re: nsupdate with response-policy zone

2019-11-20 Thread Tony Finch
mail-list-us...@materna.de wrote: > > server 127.0.0.1 > debug no > zone testoverride > update add zzz.google.de 604800 A 127.0.0.1 > send The problem is that nsupdate needs fully-qualified domain names - you can't omit the zone name like you can in zone files. So your script

nsupdate with response-policy zone

2019-11-20 Thread mail-list-users
Hello, I try to update my RPZ Zone 'testoverride' with nsupdate. Sadly I get only 127.0.0.1#56851: view public: updating zone 'testoverride/IN': update failed: update RR is outside zone (NOTZONE) as error message. How do I update a RPZ zone with nsupdate? Do I miss something? Do I understand

Re: Useful tip on nsupdate -- readline support.

2019-06-12 Thread Mukund Sivaraman
Hi Ondrej On Wed, Jun 12, 2019 at 04:08:20PM +0200, Ondřej Surý wrote: > Hey list, > > I believe this needs addressing from the BIND team. > > > * readline is GPL > > BIND 9 supports compilation with libedit which is 99% drop-in replacement > since 2015 (017cbd44). I had mentioned libedit in

Re: Useful tip on nsupdate -- readline support.

2019-06-12 Thread Ondřej Surý
Hey list, I believe this needs addressing from the BIND team. > * readline is GPL BIND 9 supports compilation with libedit which is 99% drop-in replacement since 2015 (017cbd44). The well-established open-source distributions are well aware of the readline firm stand on the GPL vs LGPL for the

Re: Useful tip on nsupdate -- readline support.

2019-06-12 Thread Tony Finch
Mukund Sivaraman wrote: > On Tue, Jun 11, 2019 at 10:03:30AM -0400, Warren Kumari wrote: > > > > I manually use nsupdate to make some changes to some of my zones - > > most recently I had to add a bunch of reverse DNS records. These are > > all very simila

Re: Useful tip on nsupdate -- readline support.

2019-06-11 Thread Warren Kumari
On Tue, Jun 11, 2019 at 10:59 AM Mukund Sivaraman wrote: > > On Tue, Jun 11, 2019 at 10:03:30AM -0400, Warren Kumari wrote: > > Hi there all, > > > > I manually use nsupdate to make some changes to some of my zones - > > most recently I had to add a bunch of reverse

Re: Useful tip on nsupdate -- readline support.

2019-06-11 Thread Mukund Sivaraman
On Tue, Jun 11, 2019 at 10:03:30AM -0400, Warren Kumari wrote: > Hi there all, > > I manually use nsupdate to make some changes to some of my zones - > most recently I had to add a bunch of reverse DNS records. These are > all very similar - the first octet changes, and then

Re: nsupdate reject

2019-05-22 Thread Tony Finch
@lbutlr wrote: > > If I remove "update-policy local; " the nsupdate works, but it seems > like it should have worked with the update-policy since I was in fact > local to the bind server. The "local" keyword enables server-side support for `nsupdate -l`, which m

Re: nsupdate reject

2019-05-20 Thread @lbutlr
}; }; gives "'allow-update' is ignored when 'update-policy' is present" when I load the conf file. If I remove "update-policy local; " the nsupdate works, but it seems like it should have worked with the update-policy since I was in fact local to the bind server. -- My little b

Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 20 May 2019, at 16:21, Noel Butler wrote: >allow-update { key "keyname"; }; Ah, no I did not. The instructions I found, as I mentioned in a later post, were to add grant ddns-key. Is this a change in 9.14, because I did not have to do this in 9.12? > and nsLOOKUP ? Just a thinko.

Re: nsupdate reject

2019-05-20 Thread Noel Butler
you should be using or at least meant to say, nsUPDATE On 20/05/2019 10:27, @lbutlr wrote: > Trying to update some DNS under a relatively newly installed bin 9.14 with > nsupdate. > > I have a file admin.key that looks basically like this: > key "rndc-key" { > algori

Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 19 May 2019, at 18:27, @lbutlr wrote: > This is the same key block that is in named.conf. I am launching NSLOOKUP > with -k admin.key, but when I try to make a change and then "send", I get > "update failed: REFUSED." I found a page that recommended adding a ddns-key and then adding "grant

RE: nsupdate reject

2019-05-20 Thread Bob McDonald
The most obvious thing is to look at the zone and see if that key is included in an allow-update statement for the zone. Bob

nsupdate reject

2019-05-19 Thread @lbutlr
Trying to update some DNS under a relatively newly installed bin 9.14 with nsupdate. I have a file admin.key that looks basically like this: key "rndc-key" { algorithm hmac-sha256; secret "SECRETSTUFF="; }; This is the same key block that is in named.conf. I a

Re: rndc and nsupdate failing to work for me

2019-03-14 Thread Marc Chamberlin via bind-users
On 03/14/2019 04:40 AM, Niall O'Reilly wrote: > On 14 Mar 2019, at 5:17, Marc Chamberlin via bind-users wrote: > >> On 03/13/2019 08:33 PM, John W. Blue wrote: >>> As an option, instead of including /etc/rndc.key nothing prevents you >>> from including rndc.conf.  That way you are consistent with

Re: rndc and nsupdate failing to work for me

2019-03-14 Thread Marc Chamberlin via bind-users
nning on a Linux >> system, OpenSuSE Leap 15) so that I can accept DNS challenges/verification >> from/for LetsEncrypt certificates, and I am running into a wall trying to >> get nsupdate (and rndc which I wanted to use to test the server with) to >> work with the server. So I

Re: rndc and nsupdate failing to work for me

2019-03-14 Thread Niall O'Reilly
On 14 Mar 2019, at 5:17, Marc Chamberlin via bind-users wrote: > On 03/13/2019 08:33 PM, John W. Blue wrote: >> >> As an option, instead of including /etc/rndc.key nothing prevents you >> from including rndc.conf. That way you are consistent with your usage. Another option is to include

Re: rndc and nsupdate failing to work for me

2019-03-14 Thread Mark Andrews
t; Hello Bind Users, > > I have been working on upgrading my Bind 9.11.2 server (running on a Linux > system, OpenSuSE Leap 15) so that I can accept DNS challenges/verification > from/for LetsEncrypt certificates, and I am running into a wall trying to get > nsupdate (and rnd

Re: rndc and nsupdate failing to work for me

2019-03-13 Thread Marc Chamberlin via bind-users
rndc.conf in named.conf lead named to bellyache about multiple "options" clauses... I will poke at it some more, as it would be nice to minimize the possibility of getting the two key definitions out of sync, which is why I tried it from the other direction using the include statement in rndc.c

RE: rndc and nsupdate failing to work for me

2019-03-13 Thread John W. Blue
there is an /etc/rndc.key file but it choosing to use rndc.conf is the secret the same in both places? As an option, instead of including /etc/rndc.key nothing prevents you from including rndc.conf. That way you are consistent with your usage. I personally do not use nsupdate, but I thought that key

rndc and nsupdate failing to work for me

2019-03-13 Thread Marc Chamberlin via bind-users
Hello Bind Users, I have been working on upgrading my Bind 9.11.2 server (running on a Linux system, OpenSuSE Leap 15) so that I can accept DNS challenges/verification from/for LetsEncrypt certificates, and I am running into a wall trying to get nsupdate (and rndc which I wanted to use to test

Re: Is it possible to use nsupdate with EDNS0?

2019-01-17 Thread Dave Warren
On 2019-01-17 08:03, Fumiya Obatake wrote: Thank you for your reply. Since it seems very difficult to realize, I will consider other solutions. The obvious solution would be to use TCP.

Re: Is it possible to use nsupdate with EDNS0?

2019-01-17 Thread Fumiya Obatake
Thank you for your reply. Since it seems very difficult to realize, I will consider other solutions. Sincerely,

Re: Is it possible to use nsupdate with EDNS0?

2019-01-16 Thread Mark Andrews
d fragmentation. > Dealing with all of this is done at the application level. Add to that TCP > still needs to be supported on the server anyway there really is no point in > trying. > > Named does not attempt to send larger than 512 byte updates via UDP. There > are no

Re: Is it possible to use nsupdate with EDNS0?

2019-01-16 Thread Mark Andrews
to that TCP still needs to be supported on the server anyway there really is no point in trying. Named does not attempt to send larger than 512 byte updates via UDP. There are no plans to do so. -- Mark Andrews > On 17 Jan 2019, at 00:14, Fumiya Obatake wrote: > > Is it possible to use

Is it possible to use nsupdate with EDNS0?

2019-01-16 Thread Fumiya Obatake
Is it possible to use nsupdate with edns0? Hello, all. I have some questions about nsupdate. I try to update a set of TXT records over 512 bytes in all by using nsupdate without -v option, and it makes TCP connection automatically. In RFC2136, `An update transaction may be carried in a UDP

Re: nsupdate with RPZ

2018-05-23 Thread Blason R
Well, thanks for the update. Later I managed to resolve it but the issue is: since this is an RPZ zone and the RRs are different, I don't think nsupdate would solve my purpose here? Like zone test.update while RR is block.this.domain CNAME wg.test.update. Please correct me if I am wrong. On Wed

Re: nsupdate with RPZ

2018-05-23 Thread Chris Buxton
On May 22, 2018, at 7:35 PM, Blason R <blaso...@gmail.com> wrote: > Wondering if anyone has a working How-To guide for implementing nsupdate > with RPZ? I mean do we need to configure any specific settings in zone of > Options? A response policy zone is a zone like any o

nsupdate with RPZ

2018-05-22 Thread Blason R
Hi Team, Wondering if anyone has a working How-To guide for implementing nsupdate with RPZ? I mean do we need to configure any specific settings in zone of Options? Please advise TIA

Re: DNSSEC and nsupdate

2018-03-06 Thread Mark Andrews
he private key. The >> issue disappears when setting the private key to 0644 also and that must >> be done before starting bind - before using nsupdate is not enough. >> >> Do you know if these permissions are standard or a consequence of >> starting DNSSEC via webmin?

Re: AW: DNSSEC and nsupdate

2018-03-06 Thread Tony Finch
t > be done before starting bind - before using nsupdate is not enough. > > Do you know if these permissions are standard or a consequence of > starting DNSSEC via webmin? By default, `dnssec-keygen` creates private keys with perms 0600, so if you run it under a different user than `

AW: DNSSEC and nsupdate

2018-03-03 Thread Prof. Dr. Michael Schefczyk
: DNSSEC and nsupdate Setting the permissions of a *private* key to 0644 sounds like a bad idea. Maybe you mean 0640? On Fri, 2 Mar 2018 23:28:28 + "Prof. Dr. Michael Schefczyk" <mich...@schefczyk.net> wrote: > Dear Mark, > > I did get the issue resolved while sett

Re: DNSSEC and nsupdate

2018-03-02 Thread Paul Kosinski
vironment. > > The issue is that normal permissions in the key-directory are > root:bind 0644 for the public key and root:bind 0600 for the private > key. The issue disappears when setting the private key to 0644 also > and that must be done before starting bind - before using ns

AW: DNSSEC and nsupdate

2018-03-02 Thread Prof. Dr. Michael Schefczyk
be done before starting bind - before using nsupdate is not enough. Do you know if these permissions are standard or a consequence of starting DNSSEC via webmin? Test setup - BIND 9.10.3-P4-Debian stretch: /etc/bind/named.conf include "/etc/bind/named.conf.options"; include

Re: DNSSEC and nsupdate

2018-02-25 Thread Mark Andrews
he webmin setup leads to all keys being stored in /var/lib/bind. The >> naming scheme is K[fqdn]+number+keyid.key or .private. There is one >> key-signing key and one zone-signing key for each fqdn. Resigning works via >> a perl script / cronjob shipped by webmin. >> >

AW: DNSSEC and nsupdate

2018-02-25 Thread Prof. Dr. Michael Schefczyk
.private. There is one key-signing key > and one zone-signing key for each fqdn. Resigning works via a perl script / > cronjob shipped by webmin. > > To be able to generate future letsencrypt wildcard certificates, I would like > to implant acme challenges as TXT records via DNS. Usi

Re: DNSSEC and nsupdate

2018-02-24 Thread Mark Andrews
ch fqdn. Resigning works via a perl script / > cronjob shipped by webmin. > > To be able to generate future letsencrypt wildcard certificates, I would like > to implant acme challenges as TXT records via DNS. Using nsupdate, the dnssec > signing becomes troublesome. The error messa

DNSSEC and nsupdate

2018-02-24 Thread Prof. Dr. Michael Schefczyk
or .private. There is one key-signing key and one zone-signing key for each fqdn. Resigning works via a perl script / cronjob shipped by webmin. To be able to generate future letsencrypt wildcard certificates, I would like to implant acme challenges as TXT records via DNS. Using nsupdate, the dnssec

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-11-01 Thread Kevin via bind-users
I think it's sorted, thanks all. -Kevin From: "Tony Finch" <d...@dotat.at> To: bind-us...@isc.org Sent: Wednesday, November 1, 2017 2:50:32 AM Subject: Re: head scratcher: nsupdate, Bind views, and TLSA record updates Mark Andrews <ma...@isc.org> wrote

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-11-01 Thread Tony Finch
Mark Andrews wrote: > > More correctly _tcp.mail.thesandiegos.com is delegated to > ns1._tcp.mail.thesandiegos.com (75.149.33.153) but the machine is > not configured to serve that zone. This also explains the puzzling check-names problem earlier - ns1._tcp.mail.thesandiegos.com

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Mark Andrews
achine is not configured to serve that zone. Kevin, Unless you have good reason to have a delegation for _tcp.mail.thesandiegos.com I would remove it. If you do have a reason to have it then you need to add the zone and add a secure delegation to it. Remember nsupdate can add re

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Carl Byington
On Tue, 2017-10-31 at 17:16 -0700, Kevin via bind-users wrote: > $ dig TLSA _25._tcp.mail.thesandiegos.com @75.149.33.153 +dnssec > +short > > I'm really at a loss as to what's going on inside of Bind. dig TLSA _25._tcp.mail.thesandiegos.com

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Kevin via bind-users
- Original Message - > From: "Warren Kumari" <war...@kumari.net> > To: "Kevin" <bind-users...@thesandiegos.com> > Cc: "bind-users" <bind-users@lists.isc.org> > Sent: Tuesday, October 31, 2017 12:47:06 PM > Subject: Re: head

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Warren Kumari
e - >> From: "Kevin" <bind-users...@thesandiegos.com> >> To: "Kevin" <bind-users...@thesandiegos.com> >> Cc: "Warren Kumari" <war...@kumari.net>, "bind-users" >> <bind-users@lists.isc.org> >> Sent

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Kevin via bind-users
- Original Message - > From: "Kevin" <bind-users...@thesandiegos.com> > To: "Kevin" <bind-users...@thesandiegos.com> > Cc: "Warren Kumari" <war...@kumari.net>, "bind-users" > <bind-users@lists.isc.org> > Sent

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Kevin via bind-users
- Original Message - > From: "Kevin" <bind-users...@thesandiegos.com> > To: "Warren Kumari" <war...@kumari.net> > Cc: "Kevin" <bind-users...@thesandiegos.com>, "bind-users" > <bind-users@lists.isc.org> > Sent

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Kevin via bind-users
From: "Warren Kumari" <war...@kumari.net> To: "Kevin" <bind-users...@thesandiegos.com> Cc: "bind-users" <bind-users@lists.isc.org> Sent: Tuesday, October 31, 2017 11:28:58 AM Subject: Re: head scratcher: nsupdate, Bind views, and TLSA record upda

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Warren Kumari
On Tue, Oct 31, 2017 at 1:50 PM, Kevin via bind-users <bind-users@lists.isc.org> wrote: > I'm running into an odd issue with Bind 9.9.4 whereby I'm trying to run a > scripted nsupdate to rotate TLSA records. I'm running nsupdate via a Bash > script that executes the following

head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Kevin via bind-users
I'm running into an odd issue with Bind 9.9.4 whereby I'm trying to run a scripted nsupdate to rotate TLSA records. I'm running nsupdate via a Bash script that executes the following nsupdate batch commands which are directed to a Bind "view" that is accessible from the wider internet

Re: question about reverse zones and nsupdate

2017-06-07 Thread Mark Andrews
In message

Re: question about reverse zones and nsupdate

2017-06-07 Thread Grant Taylor via bind-users
On 06/07/2017 02:18 PM, kevin martin wrote: I have tried to setup a reverse zone as 10.10.in-addr.arpa and perform 'update add' commands sending addresses like 22.22.10.10.in-addr.arpa and 2.5.10.10.in-addr.arpa and, in all cases, the update fails with NOTZONE. bind complains "update failed:

question about reverse zones and nsupdate

2017-06-07 Thread kevin martin
I have tried to setup a reverse zone as 10.10.in-addr.arpa and perform 'update add' commands sending addresses like 22.22.10.10.in-addr.arpa and 2.5.10.10.in-addr.arpa and, in all cases, the update fails with NOTZONE. bind complains "update failed: update RR is outside zone (NOTZONE)". Just how

Re: DS record update via nsupdate

2016-06-13 Thread Mark Andrews
In message <7966c1a9-a930-b748-7e09-531304b4d...@rotld.ro>, Catalin Leanca writes: > > Hello, > > When using nsupdate command to update DS records for subdomains > without NS delegation, no error code is returned by command and also > no errors appear in BIND log

DS record update via nsupdate

2016-06-13 Thread Catalin Leanca
Hello, When using nsupdate command to update DS records for subdomains without NS delegation, no error code is returned by command and also no errors appear in BIND logs (and DS is not updated in the zone). Is this a normal behavior? How to make BIND to issue errors when this happen ? Best

Re: Nsupdate usage scenario

2016-05-04 Thread Alan Clegg
On 5/4/16, 4:27 PM, "/dev/rob0" wrote: >My personal recommendation: get over the idea of looking at zone >files; use "dig axfr example.com. | less". Let named manage and >serve the DNS data as it will. Comments can be included as

Re: Nsupdate usage scenario

2016-05-04 Thread /dev/rob0
nd > a bigger zone file for all the other stuff for "example.com", could > I be *sure* that nsupdate would *only* modify the tiny file, and > not mess with the bigger, main file? > > Or would I also have to put a ZONE statement as the first line of > the nsupd

Re: Nsupdate usage scenario

2016-05-04 Thread Paul Kosinski
Interesting idea -- it never occurred to me that I could have separate zone files for sub-domains. So, if I had a tiny zone file for "dynamic.example.com" alone, and a bigger zone file for all the other stuff for "example.com", could I be *sure* that nsupdate would *only*

Re: Nsupdate usage scenario

2016-05-03 Thread Tony Finch
Paul Kosinski <p...@iment.com> wrote: > Except for this single dynamic IP address, the zone file is maintained > by hand with a text editor, so rearranging it into an arbitrary order > would make hand maintenance much more difficult. > > If there is a way to have nsupdate

Re: also-notify and nsupdate doesnt work

2016-05-02 Thread jonny
hi, Am 02.05.2016 um 23:19 schrieb Darcy Kevin (FCA): Right. also-notify (on a master) versus allow-notify (on a slave). Different use cases. the problem would not in the notify config. the notify and transfer works fine with the zone config. until i add the dynamic update option on the
