Re: converting from opendnssec/openhsm?

2023-01-27 Thread Jan-Piet Mens
is there a known hack to extract keys from opendnssec/openhsm to use for bind with inline-signing? Assuming you mean SoftHSM (i/o openhsm), no, I don't think so, at least not when using its default settings. (That is one of the main features of an HSM -- to keep the keys safe -- although there a

Re: converting from opendnssec/openhsm?

2023-01-27 Thread Jan-Piet Mens
What is possible is to have BIND use PKCS#11 to use the keys stored in SoftHSM. I should have added that a key rollover is possible from one to another. The basic idea is to create new keypairs in BIND (dnssec-keygen) and then import them into SoftHSM for a rollover in OpenDNSSEC. Once that

Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-03 Thread Jan-Piet Mens
You would probably need to attach your entire named.conf file (with sensitive bits (keys and the like) redacted) named-checkconf -px is your friend: prints out the named.conf and included files in canonical form if no errors were detected and obscures shared secrets by replacing them with str

Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-13 Thread Jan-Piet Mens
is it possible to restrict dynamic dns updates to one domain? I think 'name' is what you're after: grant key-name name host1.example.de. A; You will be aware that the type list can take multiple space-separated values. -JP -- Visit https://lists.isc.org/mailman/listinfo/bind-u

Re: Correlation between NOTIFY-Source and AXFR-Source

2023-03-09 Thread Jan-Piet Mens
I always was quite sure that Bind will request XFR from the Primary that sent the NOTIFY. my understanding has always been that the primaries are tried in configured order. Looking forward to hearing which is actually correct. :) -JP

Re: dnssec-keygen not available in Bind9.16-utils package?

2023-03-20 Thread Jan-Piet Mens
Have you checked whether there is a bind.*dnssec-utils package? I stumbled across this with a RHEL-type Linux recently... -JP

Re: Fully automated DNSSEC with BIND 9.16

2023-04-13 Thread Jan-Piet Mens
1. Every time I restart the service, it seems all these files are recreated. How did you observe this? Just by file timestamps or actual content? And just to be sure to ask the obvious: you are not manually removing these files are you? :) -JP

Re: Catalog zones and disabling notifies

2023-04-19 Thread Jan-Piet Mens
I'd like to stop them from sending notifies when they transfer in a zone. Neither "notify no;" nor "notify primary-only;" seems to do it. Maybe set `notify no' (or `notify explicit') globally in options{} and then enable notify on a case-by-case basis on statically configured zones on the secondary?

Is it possible to move a zone between catalogs on the same secondary?

2023-04-19 Thread Jan-Piet Mens
I'm in the process of migrating a modest number of zones from one signer (OpenDNSSEC) to another (Knot-DNS). (The KSKs are identical so that should not be an issue for this question.) Each of the signers has a catalog (manually maintained for ODS, automatically for Knot) which is transferred

Re: Is it possible to move a zone between catalogs on the same secondary?

2023-04-19 Thread Jan-Piet Mens
Any ideas? is this the point at which I confess I've only now read about Change of Ownership (coo) [1]? -JP [1] https://bind9.readthedocs.io/en/latest/chapter6.html#change-of-ownership-coo

Re: Is it possible to move a zone between catalogs on the same secondary? It is.

2023-04-21 Thread Jan-Piet Mens
And yes, you can automate this with nsupdate to old and new catalog, Brilliant, Petr, thank you. I saw some of the loveliest log messages this week during coo from k-catz to t-catz: zone t-catz/IN: transferred serial 10: TSIG 't' catz: t-catz: reload start catz: updating

Re: Catalog zone failure

2023-04-30 Thread Jan-Piet Mens
Apr 30 05:33:48 keef named[7473]: catz: zone 'gshapiro.net' uses an invalid primary (no IP address assigned) Apr 30 05:33:48 keef named[7473]: catz: error "failure" while trying to generate config for zone 'gshapiro.net' The way I read this is it's complaining about `gshapiro.net', i.e. one of

Re: question about DNSSEC with PKCS11

2023-08-15 Thread Jan-Piet Mens
1. since I use HSM(now is softhsm) to store the DNSSEC key, is it more insecure to convert the key(s) from HSM to .private file with dnssec-keyfromlabel ? keys are not actually 'converted' with this utility; instead the .private file links to the corresponding private (and typically unexportab

Re: help me with the ipv6 PTR generation

2023-08-23 Thread Jan-Piet Mens
IPv6 PTR records are simply reversed. easier said than done, for some of us. I use BIND's arpaname(1) utility which does the work for me: $ arpaname 2001:db8::1 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA -JP

Re: Change in zone file formatting after enabling allow-update (lot´s of $ORIGIN)

2023-09-22 Thread Jan-Piet Mens
After the first automated name change, my zone file was unformatted. I lost the comments and more than 500 occurrences of the ORIGIN parameter were inserted. Configuring dynamic DNS updates on a zone means that named takes control over how the zone file is (periodically) rewritten to disk. There

Re: Can i use my custom root hint file

2012-02-15 Thread Jan-Piet Mens
> For My internal DNS setup i want to create an internal root hint file . > Should i follow the pattern of standard root hint file ? Yes, create your own hints zone containing one or more NS RRsets with their respective glue. Something along these lines: .360 IN NS

Re: zone transfer with DIG: SOA duplicate

2012-03-19 Thread Jan-Piet Mens
> What is the starting and ending SOA record? > > In the original zone, there is only one SOA record... The "starting" SOA is the SOA in your zone. The final SOA is used to indicate end-of-transfer and is a copy of the first; you can safely ignore it or, as Michael pointed out, suppress it.

Re: how to generate the name of a .nzf file?

2012-03-20 Thread Jan-Piet Mens
> The question is: how to generate the name of a nzf file? > Is there a tool or an easy way? The code is in lib/dns/view.c if (allow) { char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(NZF)]; isc_sha256_data((void *)view->name, strlen(view->name), buffer)

Re: Test DNSSEC validation

2012-04-18 Thread Jan-Piet Mens
> What is the best way to log DNSSEC failures in Bind without enforcing > DNSSEC validation? > > That is I want to see what Bind would have rejected because of failed > DNSSEC validation, but I do not want to return SERVFAIL to my client. I don't think that is possible without modifying the clien

Re: Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".

2012-04-26 Thread Jan-Piet Mens
Augie, > Is there a way to exclude a domain from DNSSEC validation, like > Unbound's "domain-insecure"? That is regrettably not possible at the moment, at least not in BIND 9.9.0. The only (quite impracticable) workaround would be to define the zone authoritatively yourself and populate it someh

Re: Question about KSK

2012-04-27 Thread Jan-Piet Mens
> When the shared KSK needed to be rolled over, you would have to > process DS records in the parents of your few dozen zones all at the > same time. *If* you want to roll the KSK, a.k.a. "when did you last roll your SSH keys?" :-) -JP ___ Pleas

Re: Question about KSK

2012-04-27 Thread Jan-Piet Mens
> I was mistakenly thinking the KSK also had an expiration as the > the ZSK does. Keys don't expire; signatures (RRSIGs) do. -JP

Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Jan-Piet Mens
> -%<- > @ IN SOA localhost root@localhost. ( > 2012041100 > 7200 > 1800 > 1209600 >

Re: DNSSEC

2012-05-10 Thread Jan-Piet Mens
> Comcast has taken a pragmatic view. I'm glad to see they've turned on > validation, but I can see why they need to configure exceptions. Without > being able to manage exceptions, large ISPs are not going to turn on > validation. Indeed, which brings on the question why BIND (still) doesn't have

Re: DNSSEC

2012-05-11 Thread Jan-Piet Mens
> So how do we implement one? Create a separate caching server with DNSSEC > validation turned off and forward all queries for the broken domain to it? Unbound can be configured (on the fly) to ignore DNSSEC for individual zones. From the unbound.conf(5) page: domain-insecure: Sets

Re: Clarification on TTL Value

2012-05-15 Thread Jan-Piet Mens
> rd1.ramesh40finalround.com. 98400 IN A 11.11.11.11 > rd1.ramesh40finalround.com. 96400 IN A 12.12.12.12 > rd1.ramesh40finalround.com. 99 IN A 13.13.13.13 > rd1.ramesh40finalround.com. 1 IN A 14.14.14.14 RFC 2181, section 5.2 specifies: "the use

Re: nsupdate fails on CNAME but A and PTR goes through

2012-05-17 Thread Jan-Piet Mens
> > server 127.0.0.1 > > zone ccnr.biotechnology. > > update add second 86400 in cname first > > send > update failed: NOTZONE Have you tried specifying qualified names? update add second.ccnr.biotechnology. 86400 in cname first.ccnr.biotechnology. -JP

Re: Checking for zone expiration?

2012-05-22 Thread Jan-Piet Mens
Warren, > I wrote a tool to do this a while back -- > http://code.google.com/p/dns-slave-expire-checker/ Cool stuff and very useful. I took it for a tiny spin, and here are my EUR 0.02 :) 1. Doesn't seem to grok all RRtypes in slave zones, due probably to missing functionality of dnspython;

Re: different between views and having multiple instances

2012-05-24 Thread Jan-Piet Mens
> I need to understand the difference between configuring bind views and > having multiple instances of bind. I have 5 network interfaces on my server > and I want to have 2 instances of DNS server (just for testing) and I don't > know which one to do ? BIND views are powerful, but configuring the

Re: VMware & Bind

2012-06-06 Thread Jan-Piet Mens
> > 2) When I tried a test master BIND in a VM, there was not enough entropy >to generate DNSSEC keys. Entropy has been discussed frequently on this list. As a quick workaround, I recommend running http://www.issihosts.com/haveged/ -JP

Re: Corrupted zone files on 9.9.1 slave, temp files with text contents...

2012-06-08 Thread Jan-Piet Mens
> Probably nothing. I believe the default format for slave zones is now > compiled rather than text. Remove all the zone files on the slave and > reload it. ... after defining `masterfile-format text;' :-) -JP

Re: BIND ignores changes in zonefiles

2012-06-14 Thread Jan-Piet Mens
> We have a script that generates the zonefiles for bind. This script is > working correct, i.e. the files are correctly generated and have no > syntax errors. When adding e.g a CNAME to our database, the script > generates a correct file, including this CNAME. BIND reloads this file > with its cor

Re: BIND ignores changes in zonefiles

2012-06-14 Thread Jan-Piet Mens
> The serial number in the SOA record is lower than the serial number BIND > pretends to load in the logs. But why would BIND log to load the right > zone, but use an old one? Because it's loading the wrong file? Have you (or somebody else) changed `directory' option or path to master zone file?

RPM [was: Re: bind dies with assertion failure]

2012-07-03 Thread Jan-Piet Mens
> While it's always better to compile and install from the latest > stable version, it's also nice to use their package management > system especially when you have to deal with multiple systems. Building BIND is easy; turning it into an installable RPM not so. I highly recommend fpm [1] which mak

Re: RPM [was: Re: bind dies with assertion failure]

2012-07-03 Thread Jan-Piet Mens
> > Building BIND is easy; turning it into an installable RPM not so. > > I highly recommend fpm [1] which makes building an RPM trivial. :) > > Any advice or tricks for making a DEB for Ubuntu? Yes: use fpm. :) > So far my plan was to copy the source directory to each server and just > run "ma

Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Jan-Piet Mens
> Is it possible to configure my slave to receive zones using an > specific interface from master? Your slave's zone stanza looks like this: zone "example.net" { type slave; file "..."; masters { 10.1.1.1; }; }; The `masters' statem

Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Jan-Piet Mens
> Yes. That´s the problem. I have this statement defined, but it still > try to connect using the wrong IP. Any ideas? I misunderstood then. Try `transfer-source'. -JP

Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Jan-Piet Mens
> That's really odd... I note that on the master zone you have allow-query { local; }; Does "local" contain the slave's address? It must be allowed to query the SOA record of the zone to transfer. -JP

Re: Weird stuff with one host... :-S

2012-07-16 Thread Jan-Piet Mens
> no A record, but if I log into my server, where I have: Is your name server configured to use views? Looks to me as though a view is "hiding" your answer. -JP

Re: Error: already exists previous definition

2012-07-21 Thread Jan-Piet Mens
> 20-Jul-2012 15:26:40.181 config: error: > /var/named/etc/namedb/conf/zone_0.conf:1529: zone 'x.net': > already exists previous definition: > /var/named/etc/namedb/conf/zone_0.conf:1529 > 20-Jul-2012 15:26:46.270 general: error: reloading configuration > failed: failure That looks very suspic

Re: Slave DNS

2012-07-21 Thread Jan-Piet Mens
> I find it really annoying, if I have to ask every time the owner of the Slave, > to add a new zone. Assuming your version of BIND is new enough, look at `rndc addzone' with which you can add and remove zones at run-time w/out having to edit `named.conf'. -JP

Re: Slave DNS

2012-07-21 Thread Jan-Piet Mens
> Which mean, my DNS partner need his own rndc key which let him add/remove > zones as slave? You are the master. He is the slave. You have an rndc key for his slave server, so that you can add a slave zone on his server. [Substitute he/his by she/hers if required.] And vice versa. :) Grab a rec

Re: Slave DNS

2012-07-21 Thread Jan-Piet Mens
> IIRC that will add the zone to the master, the question, as I heard it, > was to add it to the slave server, to avoid disturbing the owner of > the slave to manually edit the slave config. With `rndc addzone' you specify whether you are adding a master or slave zone, just as you would in na

Re: dig: Transfer failed

2012-07-26 Thread Jan-Piet Mens
> > Check the 'allow-transfer' option in your named.conf. > > I don't have this option. Should I include it? If you want to provide zone transfers, you include it. If you don't, leave it out. (You might also want to glance at BIND's Administrator's Reference [ARM] while you're at it ...)

Re: How to check data file's content in DNS secondary server?

2012-07-26 Thread Jan-Piet Mens
> After upgrade to Bind V9.9.1-P2: > [root@localhost ~]# file /var/named/zzy4.com.dom > /var/named/zzy4.com.dom: data Use named-compilezone to convert from one to the other. You can force the previous text-transfers by setting this option per-zone or globally: masterfile-format text

Re: Question about connections to BIND and tcp 443

2012-08-22 Thread Jan-Piet Mens
> They are currently being blocked from connecting to 443 since these > servers are only DNS. Is there any reason for clients to connect to > tcp 443 for any type of DNS resolution? Sounds a bit as though your clients think the BIND box is an HTTP origin server... I'd look into what programs they're

Re: Using BIND-DLZ for a hidden master [was: Re: dns master-slave transfer]

2012-10-31 Thread Jan-Piet Mens
Chris, > Can one use BIND 9.9 "inline signing" > with the unsigned version provided by a DLZ interface? there's no reason why you shouldn't be able to. Your BIND 9.9 inline signer would AXFR from BIND DLZ without trouble, but your signer won't be notified by DLZ; you'd have to "manually" issue N

Re: Delegations

2012-11-01 Thread Jan-Piet Mens
> YPYMAYTYP Zero results from my favorite search engine -- congratulations. ;-) -JP

Re: BIND and DNSSEC

2012-11-01 Thread Jan-Piet Mens
> I do as well, and this will be documented in the next version of this > document. I believe you've mentioned that here before. Several times. Today. ;-) -JP

Re: Change in statistics format

2012-11-15 Thread Jan-Piet Mens
> Thanks, Phil. Those were my thoughts as well. For the present, > I'll write my own monitoring plugin to parse the XML data. If you need some inspiration, I wrote a bit of C code [1] which does that rather effectively. It doesn't do what you want, but it may get you started. ;-) -JP

Re: gitnamed, a project to manage name server by git

2013-01-08 Thread Jan-Piet Mens
> GitNamed is a project that manages name servers by git. you can clone > the git repo to any workstation, edit zone file, commit and push it. > the data will push to the master and slave name server on the fly. Very interesting; thanks for sharing. I hear the Fedora Project does something along si

Re: MNAME not a listed NS record

2013-01-16 Thread Jan-Piet Mens
> Is there anything technically wrong with having a SOA MNAME field > that isn't listed as a NS record? Not at all; that works fine. > The server listed as MNAME will host the zone and is authoritative > for the zone, but out of latency concerns it isn't ideal to have > other resolvers querying t

Re: what do you use for logging?

2013-01-17 Thread Jan-Piet Mens
> Is using syslog a sane default for new installations or when using > official vendor packages with their startup scripts? I for one would not want to miss BIND9's logging to auto-rotated files: file "/var/named/log/named.log" versions 10 size 5m; Other than that, I'd say logging via

Re: what do you use for logging?

2013-01-17 Thread Jan-Piet Mens
> Could "CLI utility" be man(1) and info(1)? :-) It could, yes, but `b10-msg NNN` isn't going to break BIND 10's development budget (I hope), and I feel it to be more practical than scrolling through a man page with 900+ error-messages in it. ;) But even a simple text file installed on the serve

What causes 'zone transfer setup failed' ?

2013-01-25 Thread Jan-Piet Mens
Hello, I'm seeing quite a number of messages like xfer-out: debug 3: client 192.168.1.2#54688 (example.com): zone transfer setup failed BIND 9.9.2P1 here, configured with: request-ixfr no; transfer-format many-answers; transfers-in 100; transfers-per-ns

Re: What causes 'zone transfer setup failed' ?

2013-01-25 Thread Jan-Piet Mens
On Fri Jan 25 2013 at 13:45:58 CET, Ben Croswell wrote: > A common issue is the secondary not being allowed to query the master for > the SOA of the zone. Ensure the master has an allow-query that includes the > secondary. The BIND slave can query the PowerDNS master (for the SOA over UDP and for

Re: What causes 'zone transfer setup failed' ?

2013-01-25 Thread Jan-Piet Mens
> Note that the log message related to outgoing zone transfers from named, The shame! That's what I get for being at it 17 hours non-stop. I overlooked the -out. Sorry and thank you, Tony. -JP

rndc addzone|delzone: some questions

2013-01-26 Thread Jan-Piet Mens
Hello, we have a few BIND (9.9) slave servers, each slaving a couple of hundred thousand small zones (a dozen records in each). A file included into named.conf is periodically generated from a database, and named is reconfigured (rndc reconfig) to load new slave zones. I'm considering replacing t

Re: rndc addzone|delzone: some questions

2013-01-27 Thread Jan-Piet Mens
Evan, On Sun Jan 27 2013 at 00:10:28 CET, Evan Hunt wrote: > Delzone just means delete the zone from named, not delete the zone file > from the filesystem. (And I reckon we can do a good deal more harm by > deleting files you wanted to keep than by leaving files for you to delete > yourself...)

Re: newstats XSL broken?

2013-02-03 Thread Jan-Piet Mens
Evan, On Sat Jan 26 2013 at 03:51:17 CET, Evan Hunt wrote: > I'd love it if you'd try it, actually, find out how hard it is to modify > your tools to use the new schema, and send feedback. I think the XSL is broken (see attached patch), at least Chrome & Safari say the document is empty and Fire

BIND9 statistics-server: JSON?

2013-02-14 Thread Jan-Piet Mens
As a fan of BIND's statistics-server I was tempted to see if I could reduce the size of the data (XML) named produces by adding an option to produce JSON. The patch [1] (which is terribly quick and dirty) does that. [1] https://gist.github.com/jpmens/4958763 Accessing the URI /json on named would

Re: odd compile error in a lib

2013-02-14 Thread Jan-Piet Mens
> I installed FreeBSD 9.1 on 3 virtually identical HP rack servers. ^^^ It seems this box is missing a Kerberos (krb5) library, but I don't know what it's called on FreeBSD. Maybe compare a list of installed packages on the servers and install what's

Re: newstats XSL broken?

2013-02-19 Thread Jan-Piet Mens
Shane, > Yes, we had discovered and fixed this in the master branch (patch > attached). Apologies for the brokenness! I've applied that, and it does indeed look better, but not good enough :) See screen shot [1]. No worries, though: I'll wait until you release (and I'm more looking forward to yo

Re: newstats XSL broken?

2013-02-19 Thread Jan-Piet Mens
> That just means there's no data to graph yet. Send your server a few > queries and try it again. Duh. Didn't occur to me, because I was looking for the list of authoritative zones served by named. Other than that, the output looks very sexy. (Are people really interested in the 'Tasks' list?

Re: bad zone transfer request of reverse addr zone

2013-03-01 Thread Jan-Piet Mens
> I get this for all my secondaries for my reverse domain: > > client 63.68.132.50 view external: bad zone transfer request: > '192-26.67.83.208.in-addr.arpa/IN': non-authoritative zone > (NOTAUTH): 23 Time(s) The zone is either not defined in the view the client is accessing, and/or it wasn't lo

Re: spf ent txt records.

2013-03-13 Thread Jan-Piet Mens
> Does our DNS-server support SPF-type records? Or do we put SPF-info in a > TXT-record? BIND has supported SPF records since 9.4 I think, so yes. Their functionality is identical (i.e. define both if you want/need both) name ttl class TXT text name ttl class SPF

Re: BIND9 statistics-server: JSON?

2013-03-15 Thread Jan-Piet Mens
> { "text": "snipped" } ;-) > Evan has merged this into master I know -- he's kept me busy looking and testing, and it looks very good. > and it will go out in 9.10, sometime > later this year. (We're also putting it into our new subscription > branch, which should be available for subscriptio

Re: Reinstall after modifying

2013-08-21 Thread Jan-Piet Mens
> how can I install bind as a named server after I have made my > modification to its source code without using "yum" First you ./configure, specifying the options you want to use; pay particular attention to installation paths. (The best way to determine how your existing BIND was configured is

Re: FW: subscribe in bind-developer

2013-08-28 Thread Jan-Piet Mens
> how can I subscribe in bind-developer channel ? (bind9 version ),,, > because I want to modify bind code bind-workers ? [1] -JP [1] https://lists.isc.org/mailman/listinfo/bind-workers

Re: rndc addzone gets permission denied

2014-01-12 Thread Jan-Piet Mens
> but getting rndc: 'addzone' failed: permission denied, nothing on the logs, > only received control channel command 'addzone zone.local { type slave; > file "slaves/zone.local"; masters { 172.31.199.154; }; };' even after rndc > trace 99. > > allow-new-zones yes; > > tried with chmod 777 for /var

Re: Need help debugging my zone file

2014-01-31 Thread Jan-Piet Mens
> carter bind # named-checkzone espersunited.com db.espersunited.com > dns_master_load: db.espersunited.com:37: www.espersunited.com: CNAME and > other data > zone espersunited.com/IN: loading from master file db.espersunited.com > failed: CNAME and other data > zone espersunited.com/IN: not loaded

Re: Need help debugging my zone file

2014-01-31 Thread Jan-Piet Mens
(*shamefaced*) Your message popped up as 'new' which is why I answered before noticing it had been answered already. :( -JP

Re: com.google how did they do that

2015-04-01 Thread Jan-Piet Mens
> I'm sure it was not cheap. Peanuts compared to their buying .app for $25m. [1] Here's a list of the other TLDs they've got so far: [2] > Brace yourself! There are many here now, and more coming. The list of delegated strings [3] increases almost daily, yes. (And I can't stop laughing.)

Re: Why log a failed transfer successfully?

2015-04-02 Thread Jan-Piet Mens
> 2001:67c:2e8:5::c100:c6#53: Transfer completed: 0 messages, 0 records, 0 > > Is there any logic to this that I'm missing? s/completed/failed/ on error cannot be particularly difficult to implement. -JP

Re: Testing RFC 5011 key roll

2015-04-18 Thread Jan-Piet Mens
Edward, the subject of this message piqued my interest ;-) > 17-Apr-2015 10:17:02.083 starting BIND 9.10.0 -g -c rfc5011.conf Very ouch. Much pain. Lots frustration. Many hairpulls. Mucho crash. ;) Upgrade to 9.10.2 [1] in which Evan fixes the CVE we discovered on RFC5011 rolls and, thankfully,

Re: Testing RFC 5011 key roll

2015-04-21 Thread Jan-Piet Mens
> My lesson is - besides just working out the configuration - testing > RFC5011 takes more patience than just about any other feature of > DNS/DNSSEC. RFC5011 is the most wall-clock driven mechanism we have. Yup. I learned that as well. As a side note: can you imagine my surprise when, after wai

Re: Adding DNS ALG support to Bind?

2015-11-06 Thread Jan-Piet Mens
Mark, > may want to add a "_dns-update._udp.example.net SRV" record pointing > to the nameservers as someone convinced the router vendor(s) that > this is how you do it Is this a standard? Other than [1], which insinuates it's an Apple-only thing, the Goog turns up only 55 hits for "_dns-update

Re: Writeable file already in use

2016-01-05 Thread Jan-Piet Mens
> Change the filenames on the slave, or just don't have a "file" option > in the slave zone configuration. I was going to yell "TIL from Evan, that 'file' is optional for a slave", but /etc/named.conf:545: zone 'example.com': missing 'file' entry This is on 9.10.3. Did I misunderstand y

Re: Writeable file already in use

2016-01-05 Thread Jan-Piet Mens
> but I believe it's optional otherwise. You are correct (of course). I had inline signing enabled. For a non-signed zone I note the transfer indeed works without a 'file' specification, and I note it's not stored on file anywhere (just in core). Thanks for clarifying. -JP

Re: Writeable file already in use

2016-01-05 Thread Jan-Piet Mens
> This might make you sad if you have lots of zones or large zones. .. or even just want to look at what was transferred (without having to recurse to a `dig axfr'). I see no reason to omit 'file' (except on a diskless slave ;-) -JP

Re: Sending extra info in bind dns query packet

2016-07-14 Thread Jan-Piet Mens
Is there an echo in here? More like an endless loop. -JP

Re: Sending extra info in bind dns query packet

2016-07-14 Thread Jan-Piet Mens
I did not get this... am I posting this to wrong mailing list? This has been discussed several times on this list within the past few weeks. You should check the archives. -JP

Re: Loading all zone files in a directory

2016-07-23 Thread Jan-Piet Mens
include /etc/nginx/conf.d/*.conf; Bind seems to lack an equivalent syntax. That means that even if I copy a self-contained zone file to the zones directory, I still have to manually register the zone in the named.conf.local file. That should be pretty trivial to template together with Ansible

Correct way to change DNSKEY TTL in inline-signed, auto-dnssec zone?

2022-12-18 Thread Jan-Piet Mens
I'm stumped. I have a zone which had a default $TTL of 86400 and I want to reduce it to 3600. This is normally not a problem, but the TTL of the DNSKEY RRset won't budge from 86400. What is the correct method to change a zone's DNSKEY TTL when it's already been signed with inline-signing yes; aut

Re: Stub zone vs forward zone

2011-03-14 Thread Jan-Piet Mens
Marc, A stub zone tells BIND to load SOA and NS records from its masters {}. (forwarders {} is, I believe, both useless and incorrect here.) From that point onwards, your BIND will use the data in the stub to recursively find answers to queries for that zone. The forwarder on the other hand, instr

Re: Description of log file contents

2011-04-14 Thread Jan-Piet Mens
> Where can I find a description of what the variables at the end of the > line in the query log mean? For example: The full set is +SETDC + recursion requested (- no recursion) S request is signed E EDNS0 enabled T TCP (else UDP) D

Re: Forwarding a subzone of a master zone

2011-04-20 Thread Jan-Piet Mens
> I'd like to reinforce what Chris said, and recommend the use of an > internal root zone for networks/enterprises which have no public > Internet connectivity +1 > A lot of people seem to be scared by the prospect of setting up > their own root zone. It really isn't difficult, and I discuss th

Re: Autodetection of IP address for nsupdate of A record

2011-04-24 Thread Jan-Piet Mens
> Now I want to do it right, but I don't see a way for nsupdate to do > what httpd does: autodetection of client IP address for nsupdate of > its A record. > > I can script something on the client end to get the IP address, but > if possible I'd prefer autodetection, which would be OS- and > s

Re: Autodetection of IP address for nsupdate of A record

2011-04-24 Thread Jan-Piet Mens
> Over the years I wondered why public dynamic DNS services reinvented > these wheels, with custom clients rather than using nsupdate. Now it > makes sense. How I wish they'd used a term other than "dynamic DNS" for their services, though... > While indeed, RFC 2136 had *me* cover

Re: shared KSK for static zone and dynamic subzone?

2011-04-26 Thread Jan-Piet Mens
> While writing this, a compromise came to me. :) I can run forward > zones as children of a single TLD, and use 168.192.in-addr.arpa. as > parent for all my reverse zones. :) If you're setting up your own DNS root server, you could sign that root zone, have your clients enter that island of tru

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Jan-Piet Mens
Juergen, > I use GSS-TSIG and the handbook says that in gss-tsig the content of the > identity field is the common secret which is the kerberos principal. I believe you'll have to set `tkey-gssapi-credential' and `tkey-domain` for this to work the way you want, though I do confess to not have a

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Jan-Piet Mens
> So I look for a way that I can say that all clients from EXAMPLE.TEST are > allowed to update their own record (or whatever). Sounds like a task for update-policy external [1], but note that that requires updates to be sent via TCP and not UDP. [2] -JP [1]: https://lists.isc.org/piperm

Re: An Invitation to Neuroscientists and Physicists: Singapore Citizen Mr. Teo En Ming (Zhang Enming) Reports First Hand Account of Mind Intrusion and Mind Reading

2011-05-17 Thread Jan-Piet Mens
> Mark my words. You will know the truth in future. Ah: DNSSEC -- the guy is on topic. -JP ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: Bug in bind 9.7.3 [ and 9.8.0]

2011-05-26 Thread Jan-Piet Mens
> # host -t TXT _adsp._domainkey.federalreserve.gov > > bind dies with > > May 26 19:59:02 resolv04 named[8237]: buffer.c:285: REQUIRE(b->used + 1 > <= b->length) failed > May 26 19:59:02 resolv04 named[8237]: exiting (due to assertion failure) > > This is reproducible and should only affected i

Re: Bug in bind 9.7.3?

2011-05-27 Thread Jan-Piet Mens
> This is reproducible and should only affected in 9.7.3. For the record, the problem has been fixed: http://www.isc.org/software/bind/advisories/cve-2011-1910 -JP

Re: Compromised BIND?

2011-05-31 Thread Jan-Piet Mens
> I have a BIND 9.8.0-P2 server instance running on a production server. My > firewall is showing repeated attempts by named.exe to connect to IP > addresses in foreign countries on ports , 6667 and 6669 - common IRC > ports used by worms/trojans/zombies. Sounds like you're running an IRC bot.

Slow list [was: Re: Compromised BIND?]

2011-06-01 Thread Jan-Piet Mens
> Does anyone else find the bind-users list to be very slow? Yes, very. [Pressing 's'end at 09:54 CET] -JP

Re: big improvement in BIND9 auth-server startup time

2011-07-13 Thread Jan-Piet Mens
Evan, > may find this information useful: very useful and quite impressive. -JP

Re: bind version problem

2011-07-19 Thread Jan-Piet Mens
> If Bind version of primary dns is "bind-libs-9.3.6-16.P1.el5" and for > secondary dns "bind-9.5.0-29.b2.fc9.i386". Something wrong there: "libs" vs. "server", but I assume you mean server for both. > Is it mandatory the same version for > primary and secondary DNS. Not unless you rely on a pa

Re: Is there a way to disable dnssec validation for a single zone?

2011-08-04 Thread Jan-Piet Mens
> The last time there was a dns issue with usdoj.gov, it took about 3 > weeks for them to fix it. Reeks of incompetence. -JP
