Re: Strange behaviour with DNSSec

2010-03-08 Thread Kalman Feher
Can you provide the domain name and an example of the problem? That will help in identifying the issue. On 8/03/10 11:21 AM, bsd b...@todoo.biz wrote: Hello, I am running an important subzone of .museum zone (which implements both DNSSec and IDN) and I have a strange behavior going onŠ

Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-03 Thread Kalman Feher
On 1/05/10 7:10 PM, Server Administrator server53a...@gmail.com wrote: I tried OARC's DNS Reply Size Test on two of my name servers, both on the same network, behind the same firewall router. Both came back and reported DNS reply size limit is at least 3843 (results below). Is 3843

Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-03 Thread Kalman Feher
On 3/05/10 7:34 PM, Lightner, Jeff jlight...@water.com wrote: There is no EDNS entry in my named.conf. Do I need one, given that above worked? You probably should. Your resolver is saying its capable of handling 4096, but apparently your network path may not support that. The changes on the

Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-03 Thread Kalman Feher
On 3/05/10 9:54 PM, Lightner, Jeff jlight...@water.com wrote: On doing that however, I now see the advertised value is 3839 but the at least value is 3828 on one and 3827 on the other as shown below. Based on that it appears one should NOT set the edns-udp-size as it doesn't fix the

Nsupdate -l not using session.key

2010-06-30 Thread Kalman Feher
While testing bind 9.7.1 features including automated signing and update-policy local. I encountered some strange behaviour using nsupdate -l. When using nsupdate -l I was not able to update the zone in question and the following error was generated: update-security: error: client 127.0.0.1#9292:

Re: Nsupdate -l not using session.key

2010-06-30 Thread Kalman Feher
On 30/06/10 5:25 PM, Alan Clegg acl...@isc.org wrote: On 6/30/2010 11:13 AM, Kalman Feher wrote: While testing bind 9.7.1 features including automated signing and update-policy local. I encountered some strange behaviour using nsupdate -l. When using nsupdate -l I was not able to update

Re: Nsupdate -l not using session.key

2010-07-01 Thread Kalman Feher
AM, Kalman Feher wrote: While testing bind 9.7.1 features including automated signing and update-policy local. I encountered some strange behaviour using nsupdate -l. When using nsupdate -l I was not able to update the zone in question and the following error was generated: update-security

Re: bind says 'clocks are unsynchronized' but they are not

2010-07-07 Thread Kalman Feher
If you really do have such a small pipe (with your email address I assume Sweden. I didn't think Swedes even knew there were link types other than fibre ;) )then perhaps you're throttling it to the point where your NTP sync drops off. Options: Perhaps try some traffic shaping on the link. IXFR

Re: R: Does bind send email?

2010-07-09 Thread Kalman Feher
Since you now know that BIND doesn't send email and its possible to name a virus whatever the virus writer wishes, it might be prudent to compare the file with a known good version from here (check signatures): ftp://ftp.isc.org/isc/bind9/ While off topic for this forum, you should also try

Re: reason for expected covering NSEC3, got an exact match ?

2010-07-13 Thread Kalman Feher
It looks like normal NSEC to me, unless you are referring to an isolated copy of the domain not accessible to the public: ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 22416 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version:

Re: reason for expected covering NSEC3, got an exact match ?

2010-07-13 Thread Kalman Feher
On 13/07/10 3:10 PM, Gilles Massen gilles.mas...@restena.lu wrote: Kalman Feher wrote: It looks like normal NSEC to me, unless you are referring to an isolated copy of the domain not accessible to the public: Yes, indeed, sorry about that. I should keep my playgrounds tidier. The actual zone

Re: ad flag for RRSIG queries

2010-07-14 Thread Kalman Feher
Using bind 9.7.1. w/ IANA test bed and not DLV: dig +dnssec rrsig www.iis.se ; DiG 9.7.1 +dnssec rrsig www.iis.se ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 49621 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT

Re: ad flag for RRSIG queries

2010-07-14 Thread Kalman Feher
Using the ORG trust anchor from the ITAR yields the following result on 9.7.1 (no P1 patch). No initial time out. # dig +dnssec -t RRSIG www.forfunsec.org ; DiG 9.7.1 +dnssec -t RRSIG www.forfunsec.org ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ; EDNS: version: 0,

Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Kalman Feher
As a once off I did the following last night. (yes I know the DNSKEY would have been fine too). anchors2keys worked fine so long as the format was correct so... I just cut and pasted the content of : https://data.iana.org/root-anchors/root-anchors.xml Zone to delegation, algorithm, digest type

Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-17 Thread Kalman Feher
My earlier post described altering the format and included the file that anchors2keys would work with. Kal Feher On 17/07/2010, at 23:46, Stephane Bortzmeyer bortzme...@nic.fr wrote: On Fri, Jul 16, 2010 at 01:57:05PM +, ALAIN AINA aal...@trstech.net wrote a message of 20 lines

Re: BIND integration with windows DNS

2010-07-27 Thread Kalman Feher
On 27/07/10 8:10 AM, Arnoud Tijssen atijs...@ram.nl wrote: I`m facing kind of a challenge. At the moment we have BIND and windows DNS within our corporate network. I would like to get rid of windows DNS and switch completely over to BIND, but since DNS is so intertwined with AD this is

Re: AW: Limitation on concurrently handled queries

2010-08-11 Thread Kalman Feher
Perhaps you could explain the reasoning behind the request? If you are trying to preserve resources there are better ways. If you are trying to restrict access to master/slave zones then you should use access lists, either at zone or view level. On 11/08/10 3:42 PM, Dangl, Thomas

Re: Timeouts and retries on high speed Lans

2010-09-14 Thread Kalman Feher
So the cache servers are HA behind something (F5 LTM, Cisco local director, something else). Are the authoritative servers? It would seem sensible to do the same with them. That way a timeout only occurs if the whole HA cluster is unavailable. You can alleviate even that situation by seeding the

Re: BIND 9.7.1 + DLZ + DNSSEC: Possible?

2010-09-14 Thread Kalman Feher
Sign them offline or out of band using a database trigger to initiate the signing. Your schema might need to change a little though. For a ccTLD, your private key should probably be secure and offline anyway. Zone updates should be reasonably automatable using either the BIND dnssec tools or any

Re: Second dig lookup not the same as the first

2010-09-16 Thread Kalman Feher
For the TCP issues check your network. I'm not familiar with DLZ, but it may be worth understanding how it is effected by the addition-from-[auth|cache] options. Since you get the full response once, I presume you do not have minimal responses enabled. My ignorance of DLZ is showing, but

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-20 Thread Kalman Feher
On 20/09/10 6:09 PM, Kevin Oberman ober...@es.net wrote: Date: Mon, 20 Sep 2010 11:03:31 +0200 From: Kalman Feher kalman.fe...@melbourneit.com.au Sender: bind-users-bounces+oberman=es@lists.isc.org Apologies in advance for the longer than intended reply. I've spent a lot of time

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-21 Thread Kalman Feher
On 21/09/10 8:43 AM, Niobos nio...@dest-unreach.be wrote: Thank you for the excellent advice! On 2010-09-20 18:09, Kevin Oberman wrote: I recommend anyone attempting to secure their DNS read the NIST Computer Security Resource Center document SP800-81 Rev.1, Secure Domain Naming System

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-22 Thread Kalman Feher
On 22/09/10 4:14 AM, Doug Barton do...@dougbarton.us wrote: On 9/21/2010 7:46 AM, Kalman Feher wrote: It may well be analogous to that (though I disagree), but the quote does not substantiate why knowing public information is bad. In the example above, you've simply saved your switchboard

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-22 Thread Kalman Feher
On 22/09/10 11:29 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote: I'll reply with a quote from the BIND DNS book: It¹s the difference between letting random folks call your company¹s switchboard and ask for John Q. Cubicle¹s phone number [versus] sending them a copy of your

Re: When does BIND send queries with DO flag enabled?

2010-09-29 Thread Kalman Feher
On 29/09/10 10:30 PM, Kevin Oberman ober...@es.net wrote: Date: Wed, 29 Sep 2010 15:51:55 -0400 From: Taylor, Gord gord.tay...@rbc.com Sender: bind-users-bounces+oberman=es@lists.isc.org We recently ran into an intermittent problem sending queries to a business partner. Turns out

Re: per-zone-recursion?

2010-10-01 Thread Kalman Feher
On 1/10/10 9:15 AM, Joerg Dorchain jo...@dorchain.net wrote: On Thu, Sep 30, 2010 at 07:13:11PM -0400, Kevin Darcy wrote: Per-zone recursion control doesn't exist in BIND, because frankly it doesn't make sense. I used to think that, too, until I came to my specific problem. Either a

Re: Bind and blacklist IP file

2010-10-11 Thread Kalman Feher
On 11/10/10 1:02 PM, Alans alans...@gmail.com wrote: Hello, Is it possible for bind dns to check the queries, if the returned answer is existed in a file that contains blacklisted IPs then block it? DNS RPZ may do what you want. There is a patch on the isc.org website for 9.4,9.6

Re: Bind and blacklist IP file

2010-10-13 Thread Kalman Feher
On 13/10/10 12:13 PM, Andrey G. Sergeev and...@aernet.ru wrote: Hello Alans, Tue, 12 Oct 2010 16:52:15 +0300 Alans wrote: On 10/12/2010 03:44 PM, Andrey G. Sergeev (AKA Andris) wrote: Hello Ian, Tue, 12 Oct 2010 10:54:19 +0100 Ian Tait wrote: Ok, but you can always browse by

Re: Troubleshooting slow DNS lookup

2010-11-26 Thread Kalman Feher
On 26/11/10 5:58 AM, Mark Andrews ma...@isc.org wrote: In message aanlktimzmc4pgne7n72hnb7gnjuat9r2oktigaazv...@mail.gmail.com, Rian to Wahyudi writes: Hi Mark, Thanks for the pointers , your are spot on! Doing dig +trace +dnssec www.paypal.com always fail. After some

Re: DNSSEC - mismatch between algorithm and type of NSEC

2010-12-29 Thread Kalman Feher
What was the observed behaviour in your test system? From a sanity point of view and if you are checking the zone prior to accepting the DNSKEY, then I see nothing wrong in rejecting it. There are already other restrictions on domains in .EU that establish a precedent for being more demanding on

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-19 Thread Kalman Feher
dniu 2011-01-17 15:39, Kalman Feher pisze: Have you tried more sane times? Those don't look like sensible times even for a test, which is probably why BIND isn't signing. I think you are below the sensitivity level for BIND to sign automatically. If you want to test, try using hours or days

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-21 Thread Kalman Feher
The only way I can replicate the behaviour is with dnssec-enable no or with an unsigned version of the zone in another view. Assuming you've not overlapped your views in such a way (it was a very contrived test), I think you'll need to provide a bit more information on your configuration.

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-21 Thread Kalman Feher
On 21/01/11 2:05 PM, Zbigniew Jasiński szo...@nask.pl wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 W dniu 2011-01-21 11:23, Kalman Feher pisze: The only way I can replicate the behaviour is with dnssec-enable no or with an unsigned version of the zone in another view. Assuming

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-24 Thread Kalman Feher
On 24/01/11 10:53 AM, Zbigniew Jasiński szo...@nask.pl wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 W dniu 2011-01-21 15:17, Kalman Feher pisze: Perhaps we are getting close to the problem then. Can you show the content of the key files? Specifically the metadata which

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-24 Thread Kalman Feher
On 24/01/11 4:08 PM, Zbigniew Jasiński szo...@nask.pl wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 W dniu 2011-01-24 14:34, Kalman Feher pisze: I assume you did add the nsec3param record via nsupdate after adding the zone? I note that there is an NSEC entry there, which

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-25 Thread Kalman Feher
On 25/01/11 2:34 PM, Zbigniew Jasiński szo...@nask.pl wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 W dniu 2011-01-24 17:47, Kalman Feher pisze: This appears to be the problem. I copied your NSEC3PARAM (opt out clear, 12 iterations) details but could not replicate it. Try

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-25 Thread Kalman Feher
On 25/01/11 4:10 PM, Alan Clegg acl...@isc.org wrote: On 1/25/2011 9:51 AM, Kalman Feher wrote: If the nsec3param has been removed, the automated signing will be weird if you are using nsec3 keys. I havent tested this scenario, since it isnt really a working scenario

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-26 Thread Kalman Feher
On 25/01/11 11:20 PM, Mark Andrews ma...@isc.org wrote: In message c964b3cd.13a61%kalman.fe...@melbourneit.com.au, Kalman Feher write s: On 25/01/11 4:10 PM, Alan Clegg acl...@isc.org wrote: On 1/25/2011 9:51 AM, Kalman Feher wrote: If the nsec3param has been removed

Re: Akadns and Bind

2011-02-04 Thread Kalman Feher
On 4/02/11 3:07 AM, Tory M Blue tmb...@gmail.com wrote: On Thu, Feb 3, 2011 at 5:23 PM, Barry Margolin bar...@alum.mit.edu wrote: In article mailman.1636.1296781581.555.bind- SNIPPED www.yahoo.com.    300   IN CNAME fp.wg1.b.yahoo.com. And even when they did, it didn't get involved