Deleting a key

2024-08-06 Thread Casey Deccio
Hi all, I'm probably missing something obvious here, but I'm trying to figure out how to "delete" a DNSKEY from a zone that uses inline signing. The zone statement looks like this: zone "dns-lab.info" { type master; file "/var/cache/bind/db.dns-lab.info";

Re: Deleting a key

2024-08-07 Thread Casey Deccio
> On Aug 7, 2024, at 12:02 AM, Casey Deccio wrote: > > Hi all, > > I'm probably missing something obvious here, but I'm trying to figure out how > to "delete" a DNSKEY from a zone that uses inline signing. The zone statement > looks

Re: Deleting a key

2024-08-16 Thread Casey Deccio
> On Aug 7, 2024, at 12:02 AM, Casey Deccio wrote: > > I'm probably missing something obvious here, but I'm trying to figure out how > to "delete" a DNSKEY from a zone that uses inline signing. So I finally just did the following: $ sudo rm /var/cache/bind/K

Re: cannot resolve oppedahl.com from uspto.gov domain

2012-02-03 Thread Casey Deccio
On Fri, Feb 3, 2012 at 9:53 AM, Cricket Liu wrote: > This is consistent with something I noticed earlier: DNSViz validates > oppedahl.com's chain of trust without a problem, but Verisign Labs' > DNSSEC Debugger reports no response from oppedahl.com's name servers. > DNSViz is hosted by Sandia,

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-09 Thread Casey Deccio
On Thu, Feb 9, 2012 at 1:26 AM, Stephane Bortzmeyer wrote: > Unless you make DNSSEC mandatory, how will > you solve the ghost domain problem with DNSSEC? If the resolver is > sticky (will not go to the parent to ask the NS RRset), it won't check > the NSEC at the parent either... > > Actually, it

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-10 Thread Casey Deccio
On Fri, Feb 10, 2012 at 7:37 AM, Stephane Bortzmeyer wrote: > On Thu, Feb 09, 2012 at 12:38:42PM -0800, > Casey Deccio wrote > a message of 67 lines which said: > > > Actually, it should, in the spirit of DNSSEC. > > OK, so there is nothing that can be done at

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-10 Thread Casey Deccio
On Fri, Feb 10, 2012 at 2:27 PM, Casey Deccio wrote: > Unless future specification or implementation designated that delegation > follow the same model as trust--that is, that a delegation only last as > long as the parent said it did. I hadn't previously read Paul's resim

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-13 Thread Casey Deccio
On Mon, Feb 13, 2012 at 2:31 PM, Tony Finch wrote: > Florian Weimer wrote: > > > > Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does > > not extend too far into the future? > > It depends on the TTL of the DS record or its proof of nonexistence. > > Of course, the TTL is als

Re: NS record for subzone definition

2012-03-14 Thread Casey Deccio
On Tue, Mar 13, 2012 at 9:33 AM, hugo hugoo wrote: > Thanks for this interesting feedback. > Now I have the problem to detect this kind of bad configuration. > > If I have: > > Zone toto.be: > > toto.be. > > NS ns1.xxx.be > > + some records > > > Zone titi.toto.be: > > > titi.to

Re: www.glb.hud.gov

2012-04-19 Thread Casey Deccio
On Thu, Apr 19, 2012 at 5:59 AM, Chris Thompson wrote: > On Apr 19 2012, Richard Laager wrote: > > Are others timing out trying to resolve www.glb.hud.gov? This seems >> (though I haven't done extensive testing) to only happen to me with >> BIND. >> >> http://dnsviz.net/d/www.glb.hud.gov/dnsse

Re: Problem with DNSSEC signing zone

2012-07-20 Thread Casey Deccio
On Fri, Jul 20, 2012 at 2:52 AM, William Thierry SAMEN < thierry.sa...@gmail.com> wrote: > I just have a problem with my zone signing output; I made all the steps to > obtain a good result. ... > my zone name is willzik.co.uk > I'm getting an NXDOMAIN response from the co.uk servers, rathe

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Casey Deccio
On Fri, Jul 20, 2012 at 6:03 AM, Brian J. Murrell wrote: > On 12-07-20 08:34 AM, Brian J. Murrell wrote: > > > > The problem here seems to be fragmented UDP. > > I seem to have misdiagnosed this due to tcpdump peculiarities. I only > initially saw/suspected the problem since my capture for port 5

Re: DNSSEC troubles (no valid NSEC) ?

2012-07-25 Thread Casey Deccio
On Wed, Jul 25, 2012 at 10:07 AM, Frantisek Hanzlik wrote: > I am solving a problem with delivering mail to the address "x...@br.ds.mfcr.cz". > The MTA obviously isn't able to resolve MX records for this domain. > "dig @localhost -t MX br.ds.mfcr.cz" ends with a SERVFAIL error: > > ... > > and in BIND (v9.7.4 i686)

Re: DS record TTL question.

2012-08-08 Thread Casey Deccio
On Wed, Aug 8, 2012 at 9:36 AM, GS Bryan wrote: > My question is how can I control the TTL of the DS record inserted into a > signed zone via inline signing? I'm using BIND 9.9.1 P2. > > My zone file has a default TTL of 3600 a.k.a. 1 hour, but it seems the 2 > DS records put into the signed vers

Re: [DNSSEC] Dealing with an inconsistent NSEC

2012-10-23 Thread Casey Deccio
On Tue, Oct 23, 2012 at 1:08 AM, Stephane Bortzmeyer wrote: > It may be a bug in BIND and it is certainly a bug in the zone > pcextreme.nl. > > BIND validating resolvers are unable to get the IP address of > v1.pcextreme.nl. > > I believe this is because of the strange NSEC: > > tools-newerst.pcex

Re: [DNSSEC] Dealing with an inconsistent NSEC

2012-10-23 Thread Casey Deccio
On Tue, Oct 23, 2012 at 6:36 AM, Stephane Bortzmeyer wrote: > On Tue, Oct 23, 2012 at 06:27:12AM -0700, > Casey Deccio wrote > a message of 88 lines which said: > > > The issue here is that no delegation NS records exist for > > v1.pcextreme.nl in its parent zone, pcex

Re: question about dns query distribution

2013-02-06 Thread Casey Deccio
On Wed, Feb 6, 2013 at 11:32 AM, M. Meadows wrote: > > Recently noticed that for 2 nameservers ns1.tbd.com and ns2.tbd.com (names are > changed to protect the innocent) the first nameserver > consistently receives twice as many queries as the 2nd nameserver. > Who can tell me why queries are dist

Re: Stop of logging of No Valid Signature Found

2013-02-25 Thread Casey Deccio
On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz wrote: > Yes, I know lots of places don't have DNSSEC signed zones. **I** have not > done mine yet, but I turned on DNSSEC checking on my server and I am > getting all too many messages like: > > validating @0xb4247b50: 117.in-addr.arpa NSEC

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-18 Thread Casey Deccio
On Wed, Jul 17, 2013 at 10:58 AM, Bill Owens wrote: > This is one of the weirder ones I've seen. . . there are TXT and MX records > for ic.fbi.gov, both correctly signed: > > ... > However, that NSEC3 record is not signed. FWIW, DNSViz checks the chain of trust for authenticated denial-of-existe

Re: Validation succeeds when keys with multiple algorithms present, but not RRSIGs for both

2013-08-02 Thread Casey Deccio
On Fri, Aug 2, 2013 at 5:25 AM, Mark Andrews wrote: > > In message <51fb9c18.23133.401e...@tmorizot.sd.is.irs.gov>, "Scott Morizot" > writes: >> The BIND 9 resolver returns an answer with the AD bit set. Unbound >> returns SERVFAIL. Secure64 Caches also return SERVFAIL. Those are the >> only t

Re: ZSK rollover weirdness

2013-09-06 Thread Casey Deccio
On Fri, Sep 6, 2013 at 10:22 AM, Evan Hunt wrote: > The revoke bit has no defined meaning for a ZSK. While it's true the revoke bit really has no use for a true ZSK (i.e., a key where there's another key, a KSK, that is used to authenticate it), RFC 5011 doesn't distinguish based on either sign

Re: ZSK rollover weirdness

2013-09-09 Thread Casey Deccio
On Fri, Sep 6, 2013 at 1:32 PM, Lawrence K. Chen, P.Eng. wrote: > > > -- > > > > So, can I just remove the Revoke line (is there an option in > dnssec-settime to do this?) and have things fixed... > > > guess dnssec-settime -A none -R none will remove it but guessing

Synthesized CNAME from NXDOMAIN

2013-10-03 Thread Casey Deccio
Hi all, I'm looking to get RPZ-like behavior in a non-RPZ context. From the BIND9 ARM (9.9.4), this is a snippet from an RPZ zone: ; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com *.bzone.domain.com CNAME *.garden.example.com. I would like to apply something similar

Re: Synthesized CNAME from NXDOMAIN

2013-10-03 Thread Casey Deccio
On Thu, Oct 3, 2013 at 2:54 PM, Paul Wouters wrote: > You are why we can't have nice things :P > > We had enough Sitewinders. With DNSSEC on the endnode, your lies won't > be believed anyway. What you are trying is wrong, bad and broken. > > This might be a fair statement in the right context. Bu

Re: Synthesized CNAME from NXDOMAIN

2013-10-03 Thread Casey Deccio
On Thu, Oct 3, 2013 at 5:42 PM, Mark Andrews wrote: > > Use a DNAME record. That works with DNSSEC. > > Thanks for the suggestion. I would use DNAME, except the old namespace will still have names under it, and names are not allowed to exist below a DNAME. In other words, we're not replacing t

Re: Synthesized CNAME from NXDOMAIN

2013-10-03 Thread Casey Deccio
On Thu, Oct 3, 2013 at 5:52 PM, Mark Andrews wrote: > Then I suggest that you just add CNAMEs whenever you remove other records. > Once a part of the namespace only has CNAME/DNAME below it, replace it > with a DNAME. You will converge on the earlier example. > Thanks - I'll start there. Casey

Re: Insecurity proof failed resolving newsletter.postbank.de - but why?

2014-01-20 Thread Casey Deccio
On Mon, Jan 20, 2014 at 12:46 PM, Graham Clinch wrote: > Thanks for the replies - and noticing the missing 'NS'! > > From my rather brain-busting afternoon reading, I believe this situation > is covered by section 4.4 of RFC 6840, which requires a validator to ensure > the NS type bit is set for a

Re: localhoast A record?

2014-03-21 Thread Casey Deccio
On Fri, Mar 21, 2014 at 8:50 AM, Mitchell Kuch wrote: > Hello - > > I've adopted a number of zones and most of them contain "localhost in > a 127.0.0.1" records. I'm curious what current RFC standards state and > what the community considers best practice. RFC1537 states that zones > should conta

Re: problem resolving ardownload.adobe.com

2014-07-07 Thread Casey Deccio
On Wed, Jul 2, 2014 at 2:51 PM, Carl Byington wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > version: 9.10.0-P2 > > dig ardownload.adobe.com. @localhost > > ;; ANSWER SECTION: > ardownload.adobe.com. 8743IN CNAME ardownload.wip4.adobe.com. > > What is the rest of the dig ou

Re: Wrong NSEC3 for wildcard cname

2014-11-19 Thread Casey Deccio
Hi Graham, On Wed, Nov 19, 2014 at 11:59 AM, Graham Clinch wrote: > Using bind 9.9.5 with inline-signing, I have a test wildcard cname > record in two zones: > > *.cnametest.lancs.ac.uk CNAME www.lancs.ac.uk > *.cnametest.palatine.ac.uk CNAME www.palatine.ac.uk > > dnsviz is showing the error >

Re: Wrong NSEC3 for wildcard cname

2014-11-21 Thread Casey Deccio
On Wed, Nov 19, 2014 at 7:03 PM, Graham Clinch wrote: > Thanks - that's certainly looking less red. DNSViz is an exceptionally > useful tool! > > Thanks! > ... > > delv +vtrace continues to report "NSEC3 at super-domain" only for > foo.cnametest2.palatine.ac.uk records, and not for > foo.cname

Re: DNS: how to verify glue NS records?

2014-12-05 Thread Casey Deccio
Hi Alexei, On Fri, Dec 5, 2014 at 10:16 AM, Alexei Malinin wrote: > I would like to resolve this problem: > - I have a child DNS zone served by my ISP slave name server; > - the parent zone is served by my ISP master name server; > - the question is - how and with what tools (dig, host, nslookup

Re: Glue records for secondary NS

2014-12-05 Thread Casey Deccio
On Fri, Dec 5, 2014 at 11:47 AM, Robert Moskowitz wrote: > I have 3 secondaries run by other domains. This was to give me some > geo-diversity. How do I create glue records for them? My registrar only > lets me create glue records within my domain (the web form pre-provides the > domain part o

Re: Glue records for secondary NS

2014-12-05 Thread Casey Deccio
On Fri, Dec 5, 2014 at 1:00 PM, Robert Moskowitz wrote: > > On 12/05/2014 12:30 PM, Casey Deccio wrote: > > Short answer: you don't need, nor should you configure glue, for the > servers run by the other domains. > > > It would be nice, then, if all these DNS tool si

Re: DNS: how to verify glue NS records?

2014-12-05 Thread Casey Deccio
Hi Alexei, On Fri, Dec 5, 2014 at 2:31 PM, Alexei Malinin wrote: > Thank you for the explanation. > > I'm sorry for the misleading Subject of this thread, of course I meant > "delegation NS records". > > No problem. I knew what you meant :) > I understand from your reply that there are no tec

Re: Glue records for secondary NS

2014-12-05 Thread Casey Deccio
On Fri, Dec 5, 2014 at 3:23 PM, Mark Andrews wrote: > > There are other cases where glue is necessary. RFC 1034 unfortunately > does not list them. It only lists the most obvious case. > > Good point. Of course, the general principle is to avoid cyclic dependencies and simplify/minimize your r

Re: How to alias a domain

2015-01-16 Thread Casey Deccio
Hi John, On Fri, Jan 16, 2015 at 10:36 AM, John wrote: > DNAME will not work with DNSSEC. > Not true. DNAMEs enable CNAME synthesis to other domains, after which synthesis the response works just like a regular CNAME response would. The authentication works by authenticating the DNAME (using t

Re: How to alias a domain

2015-01-16 Thread Casey Deccio
On Fri, Jan 16, 2015 at 10:49 AM, Casey Deccio wrote: > ... The CNAME requires to RRSIG... > Typo: That should read: "... The CNAME requires no RRSIG..." Cheers, Casey

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Casey Deccio
On Mon, Feb 16, 2015 at 11:34 AM, Stephane Bortzmeyer wrote: > With Unbound, I get a SERVFAIL: > > ... > But BIND accepts it (and so does Google Public DNS): > > ... DNSviz, like Unbound, says the domain is broken: > > "Broken" is a loaded te

Re: named[1095]: error (unexpected RCODE REFUSED)

2015-05-04 Thread Casey Deccio
On Mon, May 4, 2015 at 9:38 AM, Chris wrote: > I've just finished setting up Bind as a local caching name server to > work in conjunction with my Spamassassin setup. I did this because > queries to uribl.com were getting blocked, probably due to my ISP's > reputation for spam. It seems to be workin

Re: expired KSK, other domains failed to resolve?

2015-08-06 Thread Casey Deccio
On Thu, Aug 6, 2015 at 4:16 AM, Lawrence K. Chen, P.Eng. wrote: > So, in running some tests I found that "dig +trace kstatesports.com" > would get to ns-1.ksu.edu, show a couple of NSEC3 records and stop. > $ dig +short kstatesports.com ns ns-2.ksu.edu. ns-3.ksu.edu. ns-1.ksu.edu. Because the ksta

Re: do not stupidly delete ZSK files

2015-08-06 Thread Casey Deccio
On Thu, Aug 6, 2015 at 7:55 PM, Lawrence K. Chen, P.Eng. wrote: > Ok, so way back then they were running servers that didn't support > NSEC3 RRs and it had nothing to do with what algorithm we were using, 5 > for RSASHA1 or 7 for RSASHA1-NSEC3-SHA1. > DNSSEC introduces: new records (and typ

Re: configuration error in lists.isc.org

2015-08-07 Thread Casey Deccio
On Fri, Aug 7, 2015 at 2:57 AM, Reindl Harald wrote: > > On 07.08.2015 at 01:25, Heiko Richter wrote: > >> So ISC: please fix your list servers, let them rewrite the From headers! >> > > please try to understand the topic before blaming! > http://wiki.list.org/DEV/DMARC > > * SPF is about envelo

Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Casey Deccio
On Fri, Aug 7, 2015 at 11:23 AM, Heiko Richter wrote: > Correction: > - > All implementations of SPF always check 2 addresses: > - Envelope-From address > - From address > > SPF will fail whenever the client is not authorized to send for either > the Envelope-From address or the

Re: dnskey algorithm update

2016-01-08 Thread Casey Deccio
On Thu, Jan 7, 2016 at 3:00 PM, Carl Byington wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On Thu, 2016-01-07 at 08:34 -0600, Jeremy C. Reed wrote: > > On Wed, 6 Jan 2016, Carl Byington wrote: > > > > Is there a more authoritative document that describes the algorithm > > > roll

Re: any tool or command to find/verify the closest encloser NSEC3 record

2016-06-29 Thread Casey Deccio
On Tue, Jun 28, 2016 at 6:29 AM, rams wrote: > Hi, > Greetings > Can anyone help me verify whether the NSEC3 record in a response is correct or > not? > Do we have any tool or command to check the closest encloser NSEC3 record or > the correct NSEC3 record returned in a response? > DNSViz: https://github.

Re: getting not authoritative with some notifies

2016-07-28 Thread Casey Deccio
On Thu, Jul 28, 2016 at 10:34 AM, Paul A wrote: > Yes on both servers, and the slave and primary are listed in the NS RR. I'm > really at a loss here, the zone updates on the slave but I keep getting > that > message. > There's a difference between a server being listed in the NS RRset and a serve

nslookup issues

2022-09-13 Thread Casey Deccio
I am trying to track down a bug. I think it is in nslookup (which is why I'm asking here), but there are so many pieces required to reproduce it that I cannot tell for sure. Let me explain my setup: All hosts are running Debian bullseye. None of the problems happened *until* I upgraded from

Re: nslookup issues

2022-09-13 Thread Casey Deccio
> On Sep 13, 2022, at 3:35 PM, Graham Clinch wrote: > > I suspect nrpe-ng is closing stdin before launching nslookup. > > > With mac homebrew's build of bind 9.18.6 and a bit of shell redirection to > close stdin, I get: > > --- > $ /opt/homebrew/bin/nslookup -version > nslookup 9.18.6 > >

Re: How do I do a zone transfer of two different views

2010-08-27 Thread Casey Deccio
On Fri, Aug 27, 2010 at 11:22 PM, Scott Simpson wrote: > I have a master DNS server with two different views: "internal" and > "external". How do I do a zone transfer of the two different views? The > following on the slave only grabs the internal view: > Use two TSIG keys, one for each view, to

Re: Trouble with host and DNSSEC

2010-09-15 Thread Casey Deccio
On Wed, Sep 15, 2010 at 7:34 AM, Timothy Holtzen wrote: > I am having trouble resolving the host name cod.ed.gov which I believe > may be dnssec related ... > in my logs I am getting the messages: > > validating @0x2ab727eb5810: cod.ed.gov A: got insecure response; parent > indicates it should

Re: Key ID from DNSKEY - how?

2010-10-27 Thread Casey Deccio
On Wed, Oct 27, 2010 at 10:46 AM, Mark Elkins wrote: > I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to > do this in PHP as this is inside some existing PHP (Web) scripts but I > guess calling a C program would not be too inconvenient. > See RFC 4034, Appendix B (http://to

Re: error (broken trust chain) resolving

2010-11-02 Thread Casey Deccio
On Tue, Nov 2, 2010 at 10:21 AM, Brian J. Murrell wrote: > Alan Clegg isc.org> writes: >> >> On 11/2/2010 8:11 AM, Brian J. Murrell wrote: >> > >> > named error (broken trust chain) resolving '133.168.163.66.sa- >> > trusted.bondedsender.org/TXT/IN': 173.45.100.146#53 > >> There isn't a chain of

Re: error (broken trust chain) resolving

2010-11-03 Thread Casey Deccio
On Wed, Nov 3, 2010 at 4:44 AM, Brian J. Murrell wrote: > Casey Deccio deccio.net> writes: >> >> However, a broken chain means that the validating resolver expects a >> chain to exist, but the chain does not extend properly. > > How does a resolver come to this e

Re: error (broken trust chain) resolving

2010-11-09 Thread Casey Deccio
On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell wrote: > The only thing written to that file when one of those broken chain lookups happens > is: > > dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: > starting > dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bonded

Re: error (broken trust chain) resolving

2010-11-15 Thread Casey Deccio
On Mon, Nov 15, 2010 at 3:36 AM, Brian J. Murrell wrote: > > Was any of that information I posted in the previous message useful? If not, > I'd be happy to gather some more. > Well, I'm curious as to why you're not getting the AD bit set for the negative proof of existence for bondedsender.org/D

Re: error (broken trust chain) resolving

2010-11-15 Thread Casey Deccio
On Mon, Nov 15, 2010 at 6:31 AM, Casey Deccio wrote: > On Mon, Nov 15, 2010 at 3:36 AM, Brian J. Murrell > wrote: >> >> Was any of that information I posted in the previous message useful? If not, >> I'd be happy to gather some more. >> > > Well, I'

Re: error (broken trust chain) resolving

2010-11-15 Thread Casey Deccio
On Mon, Nov 15, 2010 at 6:31 AM, Casey Deccio wrote: > > Well, I'm curious as to why you're not getting the AD bit set for the > negative proof of existence for bondedsender.org/DS. After a review of NSEC3 showed that this particular behavior is expected because org has been

Re: error (broken trust chain) resolving

2010-11-22 Thread Casey Deccio
On Mon, Nov 22, 2010 at 5:28 AM, Brian J. Murrell wrote: > Casey Deccio deccio.net> writes: >> >> After a review of NSEC3 showed that this particular behavior is >> expected because org has been signed using NSEC3 with the opt-out bit >> set. > > I'm afr

Re: US DNSSEC Key

2010-12-01 Thread Casey Deccio
On Wed, Dec 1, 2010 at 7:36 AM, John Williams wrote: > I'm being told there is an RSA verification failure on the .US domain. I'm > getting details from the following; http://dnsviz.net/d/us/dnssec/ I have a > signed zone under us. How does this affect my domain and other signed zones > under

Re: Does anyone know where to find the ISC signing keys for source packages?

2010-12-23 Thread Casey Deccio
On Thu, Dec 23, 2010 at 12:49 PM, Oisin McGuinness wrote: > I'm getting a new version of Bind to build etc. > > The download pages come with references to signatures (asc, and others). > > But I can't find any reference to current PGP or other signing keys; does > anyone know where to find > them

Re: Does anyone know where to find the ISC signing keys for source packages?

2010-12-28 Thread Casey Deccio
On Tue, Dec 28, 2010 at 1:37 PM, Thomas Schulz wrote: >> >> At Tue, 28 Dec 2010 15:50:23 -0500 (EST), Thomas Schulz wrote: >> > >> > It looks like I am a little dim today. Given gpg and the key, what steps >> > do I do to verify a source package? >> >> General case: >> >> $ gpg --verify sigfile ta

Re: dns best practices

2011-01-25 Thread Casey Deccio
On Sun, Jan 23, 2011 at 10:30 PM, wrote: > Is there a document for dns & bind best practices? > I googled but found nothing valuable. > NIST SP 800-81 Rev. 1: http://csrc.nist.gov/publications/nistpubs/800-81r1/sp-800-81r1.pdf Casey

Re: DNSSEC, whitehouse, isc, and troubleshooting...

2011-04-18 Thread Casey Deccio
On Mon, Apr 18, 2011 at 11:07 AM, Evan Hunt wrote: > On Mon, Apr 18, 2011 at 10:51:04AM -0700, John Williams wrote: > > From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad > > flag as expected. I don't see that flag when I query whitehouse.gov (w/ > > +dnssec) and I know tha

Re: ? bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-27 Thread Casey Deccio
On Fri, May 27, 2011 at 12:09 PM, Jim Glassford wrote: > Starting today got reports of unable to reach some student ad sites such as > studentloans.gov > > There are problems with this and related sites. Specifically RRSIGs are not being returned with some RRsets, resulting in a broken chain of

Re: nameserver registration

2011-06-18 Thread Casey Deccio
On Sat, Jun 18, 2011 at 4:22 PM, Michael Sinatra wrote: > Consider: > > baz.org. NS ns1.dns.podunk.edu. > baz.org. NS ns2.dns.podunk.edu. > > and > > dns.podunk.edu. NS ns1.dns.podunk.edu. > dns.podunk.edu. NS ns2.dns.podunk.edu. > > In theory, you "should" only need glue in podunk.edu, but pod

Re: nameserver registration

2011-06-20 Thread Casey Deccio
On Sun, Jun 19, 2011 at 10:37 AM, Michael Sinatra wrote: > On 06/18/11 19:22, Casey Deccio wrote: > >> In particular, if the >> name of the name server is itself in the subzone, we could be faced with >> the situation where the NS RRs tell us that in order to learn a name

Re: another question about the glue

2011-07-01 Thread Casey Deccio
On Fri, Jul 1, 2011 at 12:31 PM, PANG J. wrote: > Why the "net" zone has the glue for the servers > which are in the "com" zone? > > Glue refers to address records for name servers of delegated child zones, when the names of those servers are subdomains of the delegated

Re: DNSSEC not populating parent zone files with DS records

2011-10-01 Thread Casey Deccio
On Fri, Sep 30, 2011 at 6:16 PM, Hauke Lampe wrote: > Aside from the missing DS, I don't see why BIND complains about the > NXDOMAIN response at first and then returns that cached record set in > response to later queries for the same name. dig +sigchase validates it, > if provided with the nau.e

Re: Master and slave on same host

2011-10-11 Thread Casey Deccio
On Tue, Oct 11, 2011 at 2:20 PM, Mark Andrews wrote: > To answer the original poster's question. Use TSIG as has already > been pointed out. The following change makes doing this much easier > as it allows you to send to multiple views by having multiple > address/key pairs specified in also-no

Re: Mixing Algorithms for DNSSEC

2011-10-15 Thread Casey Deccio
On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins wrote: > Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check > the results. > Add a new KSK using RSASHA256 - prep the zone and sign again. > 1 - Signer is confused - can not sign (or generate a new Signed > Zone)... >V

Re: Mixing Algorithms for DNSSEC

2011-10-15 Thread Casey Deccio
On Sat, Oct 15, 2011 at 1:31 PM, Mark Elkins wrote: > True - no problem with a handful of zones. > > Now assume a few thousand being automated from some script. > > Wonder if OpenDNSSEC handles this at all? > > OK - so I've rewritten my script to not worry (Don't Panic) - just keep > using the mo

Re: DNSSEC external validation issues

2011-11-15 Thread Casey Deccio
On Sun, Nov 13, 2011 at 1:50 PM, Eduardo Bonsi wrote: > Mark and everybody, Thanks for the checking. I had a suspicion that was > the issue but I need a second opinion since when I checked my DNS from the > inside the "refused" status is not happening. Here is what I am getting: > > What does you

Server names for query

2009-03-23 Thread Casey Deccio
RFC 1035 [1] (page 44) describes the use of a list of server names (SLIST) to query for a particular name. It is unclear to me from the RFC as to whether the server is selected by address or by name. In other words, all history (e.g., batting average and response time) being equal, if a name reso

Re: Server names for query

2009-03-23 Thread Casey Deccio
On Mon, Mar 23, 2009 at 3:20 PM, Kevin Darcy wrote: > For the *initial* NS query, I believe BIND will resolve those names down to > a flat set of addresses, all of which have equal chance of being tried, so, > yes, if a given NS name resolves to more addresses than other names, it is > more likely

salting NSEC3

2009-09-09 Thread Casey Deccio
Hello, I'm trying to better understand NSEC3. I have a signed zone for which I periodically resign expiring RRs with expiring RRSIGs using dnssec-signzone. When I do so, I use a different salt each time, which results in multiple salts being used in the zone. According to RFC 5155: This is h

Re: Resolving .gov w/dnssec

2010-04-22 Thread Casey Deccio
On Thu, Apr 22, 2010 at 11:17 AM, Nate Itkin wrote: > > Not specifically, but I log a lot of errors resolving in usps.gov. USPS > clearly has configuration issues. A representative sample from my logs: > > 19-Apr-2010 11:04:23.072 lame-servers: no valid RRSIG resolving ' > EGQ1REIRR8NVE4U6I97RO3P

Re: Resolving .gov w/dnssec

2010-04-22 Thread Casey Deccio
On Thu, Apr 22, 2010 at 11:36 AM, Michael Sinatra < mich...@rancid.berkeley.edu> wrote: > But it doesn't contain the RRSIGs for the DNSKEY. 'dig +norec +cdflag > dnskey uspto.gov @dns1.uspto.gov' does not contain RRSIGs so it is only > 1131 bytes. A non-EDNS0 query will receive the TC bit and wi

Re: Resolving .gov w/dnssec

2010-04-22 Thread Casey Deccio
On Thu, Apr 22, 2010 at 4:25 PM, Michael Sinatra < mich...@rancid.berkeley.edu> wrote: > On 04/22/10 15:22, Casey Deccio wrote: > > Actually, what seems interesting to me is that the cutoff seems to be at a >> payload size of 1736, which happens to be the exact size of the

Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Casey Deccio
On Fri, May 28, 2010 at 10:41 AM, Michelle Konzack < linux4miche...@tamay-dogan.net> wrote: > Hello Paul, > > On 2010-05-28 12:34:16, you hacked out the following: > > My bet is that this is a VM and you have no entropy. Either generate some > > entropy (eg run in parallel something like: find /

Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Casey Deccio
On Fri, May 28, 2010 at 11:25 AM, Michelle Konzack < linux4miche...@tamay-dogan.net> wrote: > > Currently I need to secure my bind9 since I had a massive attack on my > which is the master. Also I have had more than 30 million queries > in less than one week and bind9 has eaten around 2.4 GByt

Re: Automated DNSSEC (command line)

2010-05-28 Thread Casey Deccio
On Fri, May 28, 2010 at 2:18 PM, Michelle Konzack < linux4miche...@tamay-dogan.net> wrote: > Hello DNSSEC Experts, > > I am going to install 4 new Name Servers and increase my registrar and > hosting service... > > OK, I have tried to make my own 4 domains with 16 zones signed and it > took m

Re: DNSSEC Status...

2010-06-01 Thread Casey Deccio
On Tue, Jun 1, 2010 at 6:55 AM, Heavy Man wrote: > A few questions about DNSSEC... > > I understand the root zones are currently getting signed. The root zone is currently signed with a DURZ (deliberately unvalidatable root zone) as part of its deployment. See the following site for more infor

Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481

2010-06-02 Thread Casey Deccio
On Wed, Jun 2, 2010 at 8:40 AM, Paul Vixie wrote: > Chris Thompson writes: > > > Nothing that I can see. Maybe dnsviz can't cope with multiple PTR > > records in an RRset, as your first case has? (On the other hand it > > handles multiple A records in forward zones OK.) > > to be fair, multiple

Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481

2010-06-02 Thread Casey Deccio
On Wed, Jun 2, 2010 at 7:44 AM, Chris Thompson wrote: > On Jun 2 2010, Matthew Seaman wrote: > > I'm DNSSEC enabling the .ip6.arpa zone for my IPv6 allocation and >> registering it with dlv.isc.org. Using bind-9.7.0-p2 dnssec tools. >> >> Everything seems to be working well, but when I test usi

Re: bind 9.7, dnssec and multiple key directories and resalt NSEC3

2010-06-04 Thread Casey Deccio
On Fri, Jun 4, 2010 at 3:11 AM, Tim Verhoeven wrote: > > The second question. I've tried doing a resalt using dynamic updates > but I can't get it to work. Just adding a new NSEC3PARAM RR crashes > Bind and doing a delete and then an add (to replace the present RR) > gives me a servfail but I see t

Re: bind 9.7, dnssec and multiple key directories and resalt NSEC3

2010-06-04 Thread Casey Deccio
On Fri, Jun 4, 2010 at 9:10 AM, Evan Hunt wrote: > The way it's supposed to work is: you add the new NSEC3PARAM record, > then wait for the new NSEC3 chain to be built. The newly inserted record > will, at first, have its "flags" field set to a nonzero value; this > indicates that the chain isn'

Re: nsupdate, dnssec, minimum ttl

2010-06-17 Thread Casey Deccio
On Thu, Jun 17, 2010 at 12:10 PM, Eric Ham wrote: > > It would appear that the NSEC and RRSIG NSEC TTLs are set to my example.com > zone's minimum TTL which is 86400 instead of inheriting the TTL I set of 7200. > From RFC 4034 (section 4): The NSEC RR SHOULD have the same TTL value as the

Re: +, -, -E

2010-06-21 Thread Casey Deccio
On Mon, Jun 21, 2010 at 11:46 AM, Peter Laws wrote: > What do they mean? I can't find them and yes, I've googled and also grepped > the docs on isc.org ... > > I'm assuming it's some way of telling if the query was serviced or not ... > Hi Peter, The following is from the section titled "loggin

Re: ad flag for RRSIG queries

2010-07-14 Thread Casey Deccio
I think the issue here is that the authenticity of an RRSIG RR doesn't really make sense without the RRset it covers, and RRSIG themselves are not signed (RFC 4035 section 2.2). The RRSIGs returned by the cache are there initially because they exist (as well as the RRsets they cover), but not beca

Re: Script for verifying zone files

2010-07-22 Thread Casey Deccio
On Thu, Jul 22, 2010 at 10:01 AM, Atkins, Brian (GD/VA-NSOC) wrote: > > Several people suggested looking at named-checkzone, but my goal is to > compare an edited version of the zone file against the active zone file. > If you're just looking at changes, try something like: named-checkzone -D -

Re: www.ncbi.nlm.nih.gov / pubmed

2010-08-18 Thread Casey Deccio
On Wed, Aug 18, 2010 at 5:30 AM, Phil Mayers wrote: > > After a bit of investigation, it seems that the problem is a missing > NSEC/NSEC3 record in the empty reply for: > > $ dig +dnssec @165.112.4.230 ncbi.nlm.nih.gov ds > > ...since the "ncbi" zone is an unsigned child zone, there needs to be an

Re: www.ncbi.nlm.nih.gov / pubmed

2010-08-18 Thread Casey Deccio
On Wed, Aug 18, 2010 at 9:48 AM, Dave Sparro wrote: > On 8/18/2010 8:30 AM, Phil Mayers wrote: >> >> ...since the "ncbi" zone is an unsigned child zone, there needs to be an >> NSEC/NSEC3 record to prove the absence of the DS record, and have a >> secure delegation to an unsigned child zone. > > >

Re: www.ncbi.nlm.nih.gov / pubmed

2010-08-18 Thread Casey Deccio
On Wed, Aug 18, 2010 at 10:55 AM, Dave Sparro wrote: > It seems to me that the OP wanted a work-around to the fact that his end > users couldn't use the website due to a validation failure. > It still seems to me that working around that situation misses the point of > using DNSSEC. > I read your

RRSIGs without DNSKEYs in insecure zone

2010-08-18 Thread Casey Deccio
Using BIND 9.6.2-P2 and 9.7.1-P2 configured for DNSSEC validation with DLV I experience the following issue. When I attempt to resolve www.jobcorps.gov I get a SERVFAIL message. The authoritative servers return an RRSIG covering the A RR, but the resolver is unable to validate it because it cannot

Re: RRSIGs without DNSKEYs in insecure zone

2010-08-18 Thread Casey Deccio
On Wed, Aug 18, 2010 at 4:33 PM, Paul Wouters wrote: > On Wed, 18 Aug 2010, Casey Deccio wrote: > > Using BIND 9.6.2-P2 and 9.7.1.P2 configured for DNSSEC validation with DLV >> I experience the following issue. When I >> attempt to resolve www.jobcorps.gov I get a S