Re: Question about URL being logged by resolver

2023-11-03 Thread Nick Tait via bind-users
Hi J. I'm not sure what the cause of the URLs is, but I can confirm I'm seeing the same URLs in my own logs. The queries originate from multiple devices on my internal network - all Apple devices I think. My advice: I wouldn't waste too much effort trying to solve this one, as it is almost

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Tait via bind-users
Hi Nick. Your current set-up sounds like a fairly common configuration. And depending on your requirements there are a number of options that you might consider. But let's start with requirements: I've made some assumptions - please advise if I've got any of this wrong?: * You have two

Re: Should I set parental-agents to localhost?

2023-09-22 Thread Nick Tait via bind-users
Hi Björn. Not sure if my (late) reply is any use to you, but yes my understanding is that you could use localhost as the parental agent in the cases where (a) the local machine also hosts the parent zone, or (b) it is a recursive resolver. In the latter case the DNSSEC responses would be

Re: KSAP - How to manually rollover keys documentation?

2023-09-29 Thread Nick Tait via bind-users
On 28/09/23 10:02, Eddie Rowe wrote: I am using the nifty feature of the KASP in 9.16.23, but I cannot seem to locate documentation on how to manually rollover keys in case this is needed in the future. The documentation is excellent as far as discussing the steps involved for the manual or

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-09-29 Thread Nick Tait via bind-users
On 29/09/23 12:05, Eddie Rowe wrote: When I perform a ZSK key rollover the existing ZSK disappears *immediately* so not sure what I am missing when using the KASP to manage key rollover. The state for the keys looks good and for this test I have TTL set to 1 hour. But why does dig not show

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-09-29 Thread Nick Tait via bind-users
stick around. I can only assume that the reason you have rumoured state is because you are trying to roll your ZSK too soon after the previous ZSK rollover? Have you checked the various timing settings in the KASP definition? Nick. On 30/09/23 11:32, Nick Tait via bind-users wrote: On 29/09/

why did it take 26 hours for DSState to change to omnipresent?

2022-05-15 Thread Nick Tait via bind-users
Hi there. Ever since I updated my BIND configuration to use the new dnssec-policy feature (a year or so ago) my KSK/CSK rollovers have been a complete shambles. My problems stem from the inference (based on documentation and examples) that running "rndc dnssec -checkds published" tells BIND that

Re: per record responses based on originating IP

2022-05-16 Thread Nick Tait via bind-users
On 16/05/22 20:05, Angus Clarke wrote: As mentioned in a separate reply to Grant, the goal is to have (amongst other things) local recursors "find" the locally deployed authoritative servers through NS records. What hasn't been mentioned is that I am also looking to simplify configuration

Re: why did it take 26 hours for DSState to change to omnipresent?

2022-05-16 Thread Nick Tait via bind-users
On 16/05/22 21:34, Matthijs Mekking wrote: Hi Nik, On 16-05-2022 07:49, Nick Tait via bind-users wrote: Hi there. Ever since I updated my BIND configuration to use the new dnssec-policy feature (a year or so ago) my KSK/CSK rollovers have been a complete shambles. My problems stem from

Re: per record responses based on originating IP

2022-05-13 Thread Nick Tait via bind-users
On 13/05/22 09:02, Grant Taylor via bind-users wrote: On 5/12/22 2:41 PM, Nick Tait via bind-users wrote: This sounds like exactly the sort of use case for Response Policy Zones: How are you going to have RPZ return different addresses for different clients?  Are you suggesting use different

Re: Primary zone not fully maintained by BIND

2022-05-27 Thread Nick Tait via bind-users
On 26/05/22 20:34, Matthijs Mekking wrote: What version are you using? We had a bug with dnssec-policy and views (#2463), but that has been fixed. Since 9.16.18 you should not be able to set the same key-directory for the same zone in different views. Hi Matthijs. You got me worried just

Re: per record responses based on originating IP

2022-05-12 Thread Nick Tait via bind-users
On 13/05/2022 12:30 am, Angus Clarke wrote: Does bind have some simple way to respond differently based on source address but on a per record basis? Or perhaps include a baseline zone in a view and separately include differences for that view - something like this perhaps? Hi Angus. This

Re: Bind and systemd-resolved

2022-04-30 Thread Nick Tait via bind-users
Hi list. I'm not 100% sure, but I wonder if disabling systemd-resolved may create issues if, for example, you are using netplan with systemd-networkd as the renderer? E.g. Will it still be possible to pick up DNS servers from IPv6 router advertisements? A lower impact (and IMHO more

Confused by parental-source documentation

2022-04-30 Thread Nick Tait via bind-users
Hi list. I've been reading the latest BIND9 documentation on the new DNSSEC features, and section 4.2.28.1 got me horribly confused: "The following options apply to DS queries sent to parental-agents: parental-source: parental-source determines which local

Re: Bind and systemd-resolved

2022-05-01 Thread Nick Tait via bind-users
On 1/05/2022 9:13 pm, Reindl Harald wrote: Am 01.05.22 um 06:38 schrieb Nick Tait via bind-users: I'm not 100% sure, but I wonder if disabling systemd-resolved may create issues if, for example, you are using netplan with systemd-networkd as the renderer? E.g. Will it still be possible

Re: Bind9 Server conflicts with docker0 interface

2022-05-06 Thread Nick Tait via bind-users
On 7/05/2022 1:38 am, Maurício Penteado via bind-users wrote: I added the A-record "ns1  IN  A  172.17.0.1" to my zone-file as suggested and it seems that the order fixed the issue. Now my Bind9 clients are getting ip 192.168.0.10 favorably. Hi Mauricio. I don't think anyone suggested that

Re: Bind and systemd-resolved

2022-05-02 Thread Nick Tait via bind-users
On 2/05/2022 8:13 pm, Reindl Harald wrote: you want 127.0.0.1 act as your resolver no matter what Well, not always... If your local BIND service isn't a recursive resolver irrelevant in context of this topic and worth exactly the same as saying "if you don't use bind at all" and honestly i

Re: Bind9 Server conflicts with docker0 interface

2022-05-05 Thread Nick Tait via bind-users
On 6/05/2022 7:51 am, Grant Taylor via bind-users wrote: On my Bind9 server, I have the following zone-files: forward.example.lan.db: ns1     IN      A           192.168.0.10 ns1     IN          fe80::f21f:afff:fe5d:be90 I don't see the 2nd, Docker (?), address; 172.17.0.1, in the zone. 

Re: Issue with dns resolution for www.ssa.gov

2022-09-03 Thread Nick Tait via bind-users
On 2/09/22 08:09, Bhangui, Sandeep - BLS CTR via bind-users wrote: # nslookup www.ssa.gov ;; Got SERVFAIL reply from 127.0.0.1, trying next server Server: 198.6.1.1 Address:    198.6.1.1#53 Non-authoritative answer: Hi Sandeep. This looks like when you use

Re: Sparklight and DNSSEC

2022-09-26 Thread Nick Tait via bind-users
On 27/09/2022 3:58 am, Benny Pedersen wrote: imho dnssec-validation auto; has a bug as it validates domains without DS set, hope bind developers can confirm or deny it. Hi Benny. Until DS records are published in the parent zone, the (signed) zone is considered 'insecure', and validation

Re: dig +norecurse behaviour changed with 9.16.33

2022-10-28 Thread Nick Tait via bind-users
Hi Veronique. I'm not an expert, but to me the 9.16 behaviour is what I would expect to happen, based on: * When you issue the non-recursive query for "spectrum.cern.ch", it is answered from the "cern.ch" zone, which only knows the CNAME (returned in the ANSWER section) and the NS

Secondary zone is only using the first listed primary

2022-10-19 Thread Nick Tait via bind-users
Hi list. I have a BIND server that is acting as a secondary to replicate a zone from SpamHaus/Deteque, which is then used internally as a Response Policy Zone. This had been working fine for several years, but recently I noticed that BIND was reporting that the zone had expired. When I

RE: Dnssec issues

2022-09-22 Thread Nick Tait via bind-users
Hi Salma. While I haven't experienced your problem before, I do recall having 'issues' with DNSSEC when my router was acting as a caching DNS resolver. My suggestion is to check if you have an appliance 'helping' with DNS (e.g. between these servers and the Internet?) and if so try turning that

Re: Providing AD flag for authoritative domains

2022-12-24 Thread Nick Tait via bind-users
On 23/12/2022 2:30 am, Jesus Cea wrote: Is there any way to configure bind to verify DNSSEC integrity and signal the AD flag for authoritative domains?. Views (it would lose the AA flag, then)? What would be the best practice for dnssec verification? To use a fully validating local resolver?

Re: parental-agents clause - IP address only ?

2022-12-04 Thread Nick Tait via bind-users
On 5/12/22 15:34, vom513 wrote: Hello all, So I set up parental-agents lists for my zones, and actually got to see it work (awesome !). bind detected the parent DS records and acted accordingly. However, I currently have these lists configured using the IP (v4 only at the moment) addresses

Re: KASP: sharing policy and keys between views

2023-03-17 Thread Nick Tait via bind-users
Hi Carsten. I've been running split views with a DNSSEC zone using dnssec-policy for at least a couple of years. I'm using a CSK (i.e. combined KSK+ZSK) and haven't yet worked out the best way to automate key rollover wrt DS in parent zone, so my key rollovers are manual currently. Consequently

Re: Best practice MultiView

2023-04-17 Thread Nick Tait via bind-users
Hi Jiaming. You'll also need "match-clients" in the first view (at least), so that the correct view handles the zone transfer request. As well as specifying 'the right key' in match-clients, you'll probably also want to specify 'not the wrong key', otherwise you won't be able to query the

Re: Piggybacking on a zone’s dnssec-policy using auto-dnssec: How can one do this after Bind 9.19?

2023-04-17 Thread Nick Tait via bind-users
On 17/04/23 09:08, Andrej Podzimek via bind-users wrote: The easiest (?) way to make DNSSEC work in all views has been to keep a dnssec-policy for zones in *one* of the views (to generate and maintain keys) and then passively refer to the keys from the zones’ counterparts in other views using

Re: Best practice MultiView

2023-04-17 Thread Nick Tait via bind-users
On 18/04/2023 1:40 am, Jiaming Zhang wrote: However, I got a question on the syntax of also-notify, what I can see from bind9's user manual, the target of also-notify can be | | [ port ] | [ port ]|, does this mean that I can use domain names of the server instead of IP? Both name

Re: Best practice MultiView

2023-04-17 Thread Nick Tait via bind-users
On 18/04/2023 2:43 am, Greg Choules via bind-users wrote: Why do you need it? Do you have some secondaries that are not listed as NS in zones? The goal was to have the primary use a particular TSIG key when it sends out the NOTIFY messages to the secondaries, which is achieved by turning off

Re: help with notify

2023-04-17 Thread Nick Tait via bind-users
On 18/04/2023 2:16 am, Matt Zagrabelny via bind-users wrote: On Mon, Apr 17, 2023 at 9:04 AM Marco wrote: Am 17.04.2023 um 08:59:29 Uhr schrieb Matt Zagrabelny via bind-users: > I'm running a little older Debian bind: > > bind9               1:9.9.5.dfsg-9 The upgrade

Re: Delegation NS-records when zones share an authority server

2023-04-12 Thread Nick Tait via bind-users
On 13/04/2023 5:58 am, Havard Eidnes via bind-users wrote: I suspect you don't need the NS records in challenge.state.ak.us and if you remove them then the records in challenge.state.ak.us are simply part of the state.ak.us zone since they're served off of the same server. Unfortunately "not

Re: BIND operating in Parental Agent role (according to RFC 7344)?

2023-04-12 Thread Nick Tait via bind-users
On 12/04/2023 7:51 pm, Petr Špaček wrote: There is a philosophical question whether this is something a DNS server should do. You make a very good point. There are external tools which can automate zone scan, e.g. https://github.com/CZ-NIC/fred-cdnskey-scanner It hadn't occurred to me to

Re: RPZ zone response delay time ?

2023-04-12 Thread Nick Tait via bind-users
On 8/04/2023 4:27 am, Jason Vas Dias wrote: I have converted the excellent hosts file at https://someonewhocares.org/hosts/ to a Response Policy Zone (RPZ) file served by my local named that ends: *.google-analytics.com A 0.0.0.0 *.clarity.ms A 0.0.0.0 *.adtelligent.com A 0.0.0.0

BIND operating in Parental Agent role (according to RFC 7344)?

2023-04-11 Thread Nick Tait via bind-users
Hi list. I'm currently running a few DNSSEC zones in BIND using dnssec-policy option, albeit with an unlimited lifetime on the KSK, so that I can control KSK roll-overs (which is necessary because my Registrar doesn't support RFC 7344)... Anyway I know that BIND supports RFC 7344 via

Re: Resolve some hosts thats are dnssec signed differently

2023-02-06 Thread Nick Tait via bind-users
Hi Matthias. It isn't clear whether the issue you're trying to solve is (a) avoiding DNS resolution going out then in to get to your authoritative servers, or (b) with resolved addresses of your servers being the public address which means that data packets sent to/from those servers are

Re: Resolve some hosts thats are dnssec signed differently

2023-02-06 Thread Nick Tait via bind-users
was to hook into the DNS and make sure to not return the IPv4 address 195.30.95.36, but 192.168.0.1 (as all my devices at home are using my local bind here for lookup). I hope that explain it better what I would like to solve. Matthias Am 07.02.2023 um 07:48 schrieb Nick Tait via bind-users: Hi

Re: [KASP] Key rollover

2023-02-09 Thread Nick Tait via bind-users
On 9/02/23 05:17, adrien sipasseuth wrote: so it works BUT I need to know more than 48h in advance that the rollover is starting to submit the new KSK to my registrar. How can I set this up if it's not with "public-safety"? If it was me, I'd set the KSK to not roll-over automatically, and

Re: [KASP] Key rollover

2023-02-15 Thread Nick Tait via bind-users
On 14/02/23 05:39, adrien sipasseuth wrote: "You configure parental agents and named will check which DS’s are published.  Named won’t complete the roll until it knows the new DS is published." => what is parental agent ? i don't find this term in Bind documentation. From what I understand,

RE: How to update zone with dnssec-policy

2023-07-03 Thread Nick Tait via bind-users
Hi Matthias. It looks like nobody solved your /original/ problem? If you are still looking for an answer it might help if you posted some logs? The people on this list are good at interpreting any errors you're seeing. :-) Nick. Original message From: Matthias Fechner Date:

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-02 Thread Nick Tait via bind-users
On 2/06/23 15:02, Jesus Cea wrote: What I get from your reply is that BIND is not expected to do anything about this. It is a bit disappointed but I agree that BIND is doing the right thing. Too bad big players don't care. But I need to "solve" this, so dropping BIND (nooo!) or patching

Re: Zone Transfers Being Refused

2023-07-31 Thread Nick Tait via bind-users
Hi Dulux-Oz. It looks like the router between the primary and secondary DNS servers is performing NAT on the packets it is forwarding between those subnets? It would make your life much simpler if you can turn that off? I.e. only NAT packets going out to the Internet/your ISP? Nick.

Re: Problem with subdomain delegation - NS RR ignored?

2023-05-10 Thread Nick Tait via bind-users
Hi TG. I just wanted to check: 1. Your "hub" zone contains the NS delegation for "fish.hub." to "ns1.fish.hub." with glue record "4.4.4.4". Is 4.4.4.4 the correct IP address of the server you are delegating to? 2. You haven't included the sub zone configuration (i.e. from 4.4.4.4)

Re: migration from auto-dnssec to dnssec-policy deletes keys immediately

2023-12-27 Thread Nick Tait via bind-users
> On 28 Dec 2023, at 1:05 PM, Adrian Zaugg > wrote: > > 2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys > 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076 > (KSK) > 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654 >

NOTIFY and TSIG

2024-01-08 Thread Nick Tait via bind-users
Hi list. I've been trying to understand whether it is necessary for the NOTIFY request (i.e. sent from primary to secondary server) to use TSIG, in the case where the secondary server specifies a key in its zone's "primaries" option? For example, assume the following set-up: The primary

Re: Zone file got updated via named process unexpected

2023-12-17 Thread Nick Tait via bind-users
On 17/12/2023 5:30 pm, liudong...@ynu.edu.cn wrote: I found this zone file got updated in about 15 minutes when I made changes or restarted named, and this behavior seems match the docs bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can confirm I DO NOT configure

mirror zone and hint zone?

2023-11-24 Thread Nick Tait via bind-users
Hi list. I've just implemented a mirror zone for ".", and I noticed that it works even though I haven't removed the hint zone (also for "."). What is the recommendation here? Is it OK to have both mirror and hint zones? Or should I remove the hint zone from my configuration, to avoid

Re: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Nick Tait via bind-users
On 7/12/2023 9:05 am, Nick Tait via bind-users wrote: I could be wrong, but based on the output above it looks like the current TTL is 0, which means that doing this should provide immediate relief. Sorry it looks like the DNS server on the Wi-Fi network I'm connected to has done something

Re: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Nick Tait via bind-users
On 7/12/2023 1:53 am, Bhangui, Sandeep - BLS CTR via bind-users wrote: Hi It seems the DNSSEC delegation is broken from “.gov” to bls.gov domain and due to which the records for bls.gov are considered as bogus and we are having issues at our site. It looks like we were in the process of

Re: Stub zones, but secndary?

2023-11-19 Thread Nick Tait via bind-users
On 20/11/2023 1:00 pm, Peter wrote: It's tricky. One problem is these are slave zones, they are authoritative and do not work well with DNSSEC. I'm curious... What issues did you have with these zones and DNSSEC? I would have expected that the signed zones should just work? Nick.

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-11-13 Thread Nick Tait via bind-users
On 03/10/2023 09:59, Eddie Rowe wrote: I appreciate the feedback. I did make sure the ZSK is omnipresent and the issue still happens so it might be that my attempt to take the default policy and bring it down to 1 day to hurry along testing. I will see if I can find any test policies in the

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-26 Thread Nick Tait via bind-users
On 27/02/2024 13:22, Michael Sinatra wrote: On 2/26/24 13:41, Al Whaley wrote: Originally (under the above command) RR records for DNSSEC were maintained by bind, but the ZSK and KSK keys were maintained by me.  This command is being discarded.  I understand that bind "sort of" supports this

Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Nick Tait via bind-users
On 02/03/2024 03:42, Mike Mitchell via bind-users wrote: Our networking team is in the habit of entering the IP address of every network interface on a router under one name. The very first address entry is their out-of-band management interface. "rrset-order fixed" is used on their domain

Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Nick Tait via bind-users
On 02/03/2024 11:36, Greg Choules wrote: Please don't encourage using "search" in resolv.conf or the Windows equivalent. Search domains make queries take longer, impose unnecessary load on resolvers and make diagnosis of issues harder because, when users say "it doesn't work" you have no idea

Re: opendnssec -> inline-signing

2024-03-07 Thread Nick Tait via bind-users
On 08/03/2024 12:54, Randy Bush wrote: but WHY NOT? same key sets with opendnssec and inline-signing, we think. The most obvious possibility is that this is referring to a different directory to where you put the keys that you wanted to use: key-directory "/usr/home/dns/dkeys" I

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

2024-04-17 Thread Nick Tait via bind-users
On 17/04/2024 11:41, John Thurston wrote: I'm seeing strange behavior with a BIND 9.18.24 resolver and dnssec-failed.org. With no dnssec-validation line (or with "dnssec-validation auto") in the .conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected . . until it doesn't.