RE: minimal-responses yes; to prevent downstream MS DNS server following DNS delegations

2011-05-03 Thread Spain, Dr. Jeffry A.
In the Windows DNS Manager, open the Properties page of the applicable DNS server. On the Forwarders tab, click Edit and enter the IP address(es) of the BIND server(s) to which you want the Windows DNS server to forward queries. Click OK, and now back on the Forwarders tab, uncheck Use root

DNSSEC key rollover failure

2011-06-17 Thread Spain, Dr. Jeffry A.
For our zone countryday.net, which is configured with auto-dnssec maintain and is running on bind 9.8.0, a ZSK rollover is in progress but seems to be failing. The metadata for the original key is: ; This is a zone-signing key, keyid 2750, for countryday.net. ; Created: 20110402153620 (Sat Apr

RE: DNSSEC key rollover failure

2011-06-17 Thread Spain, Dr. Jeffry A.
Thanks, Phil. How big is the zone, and how did you sign it originally? If you used rndc sign, then there will be little jitter in the RRSIG so they'll all tend to roll over together. For most of our zones, I signed them manually using dnssec-signzone and tuning the jitter for a constant

RE: DNSSEC key rollover failure

2011-06-17 Thread Spain, Dr. Jeffry A.
What does `rndc sign zone` do? Thanks, Tony. I have never run rndc sign, as the zone is configured with auto-dnssec maintain. Before intervening in this manner, I would like to gain a greater understanding of what is going on. Thanks. Jeff.

RE: DNSSEC key rollover failure

2011-06-17 Thread Spain, Dr. Jeffry A.
Thanks, Phil. The document I used to set up the rotation schedules is Good Practices Guide for Deploying DNSSEC at http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec. It recommends a two-week interval between ZSK inactivation and deletion. I will carefully study the IETF draft

DNSSEC Key Rollover Questions

2011-06-18 Thread Spain, Dr. Jeffry A.
Assume that bind 9.8.0 is in operation. A zone is configured with auto-dnssec maintain, and the zone signing keys K and its successor K' are published. Further assume that the activation time for K has passed and the zone is properly signed with K. Now suppose that the activation time for K'

RE: DNSSEC key rollover failure

2011-07-04 Thread Spain, Dr. Jeffry A.
And now, as July 1 has passed and July 9 approaches, can you share a summary of what you found? Thanks. -- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header On June 10, our zone countryday.net running on a bind 9.8.0 server began an

RE: Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread Spain, Dr. Jeffry A.
Lyle: If I understand your issue correctly, it is one that I also experienced when using a Windows 2008 R2 DNS server to forward to a BIND 9.8.0 recursive resolver configured to perform DNSSEC validation. By default Windows 2008 R2 DNS forwards queries with the CD flag set in the query, and it

RE: BIND/named on VM

2011-10-14 Thread Spain, Dr. Jeffry A.
Walter: I have compiled bind 9.8.0 on Ubuntu Natty on a number of VMs on ESXi 4.1 and 5.0. There have been no problems with either authoritative or recursive name services. The potential issues with NTP on virtual machines are, I think, not related. They have to do with the fact that the VM

9.9.0b1 inline-signing questions

2011-11-18 Thread Spain, Dr. Jeffry A.
I am testing bind 9.9.0b1 compiled on Ubuntu Oneiric x64 (nstest.jaspain.net). I configured a zone as follows: zone jaspain.net { type master; file /var/lib/bind/jaspain.net/jaspain.net.db; key-directory /var/lib/bind/jaspain.net; update-policy local;

RE: 9.9.0b1 inline-signing questions

2011-11-18 Thread Spain, Dr. Jeffry A.
Thanks, Evan. Can you also comment about the meaning of BITWS=201502 at the beginning of the output of named-journalprint? Jeff.

RE: OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-18 Thread Spain, Dr. Jeffry A.
I'd like to ask for clarification on the operational issue stated below. Suppose there are no current changes to an inline-signed master zone, i.e. myzone.db.signed timestamp is later than myzone.db timestamp. In this circumstance, is it safe to stop and restart the bind service or reboot the

RE: RPZ configuration examples

2011-11-19 Thread Spain, Dr. Jeffry A.
1. Do you have basic example/steps to configure RPZ in Bind? (I need a couple of examples, like the /etc/named.conf file and zone files for rpz.) 2. If I use RPZ, will the recursive DNS contact the remote RBL database for every DNS query? 3. Is it possible to download DNS RBLs locally on the DNS server

RE: Puzzeling about IPv6

2011-11-19 Thread Spain, Dr. Jeffry A.
If you are concerned about a repeat of the IPv4 address exhaustion problem, this is a different issue. The 64-bit IPv6 interface identifier has to be unique for each device on an IPv6 subnet. Even if you choose the IIDs randomly for, say, 1000 devices, the probability of a duplicate is very

socket.c error in bind 9.9.0b2

2011-11-22 Thread Spain, Dr. Jeffry A.
When bind 9.9.0b2 starts up, the syslog shows the following messages: Nov 22 10:18:19 nstest2 named[17190]: using default UDP/IPv6 port range: [1024, 65535] Nov 22 10:18:19 nstest2 named[17190]: listening on IPv6 interfaces, port 53 Nov 22 10:18:19 nstest2 named[17190]: socket.c:5728: unexpected

RE: Bind 9.9.0b2 inline signing...

2011-11-22 Thread Spain, Dr. Jeffry A.
Kevin: I did something similar, using nsupdate to modify the unsigned zone instead of a manual edit. The myzone.db, myzone.db.jnl, myzone.db.signed, and myzone.db.signed.jnl files all get updated appropriately. rndc reload is not necessary. It is interesting to note that the serial number in

RE: Bind 9.9.0b2 inline signing...

2011-11-23 Thread Spain, Dr. Jeffry A.
Evan: I'd like to ask for clarification. My understanding is that inline-signing yes: is necessary to cause bind to keep separate signed and unsigned zone files, and that the source of the unsigned zone file can be a disk file in the case of a master, or a zone transfer in the case of a slave.

RE: Bind 9.9.0b2 inline signing...

2011-11-23 Thread Spain, Dr. Jeffry A.
Now, you can *also* turn on DDNS and use nsupdate on an inline-signing zone... but, if you're going to be using DDNS anyway, then I'm unclear what operational need is being served by separating the data. With or without inline-signing, your master file will be overwritten, and you'll have

RE: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Spain, Dr. Jeffry A.
dig axfr dotat.at | grep -v RRSIG. Tony. dig axfr dotat.at | grep -v RRSIG | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM. JP. dig axfr zone | awk '$4 !~ /^NSEC$|^NSEC3$|^RRSIG$/ {print}'. Shumon. Thank you, gentlemen. These are very helpful. As we are primarily Windows users, I

RE: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Spain, Dr. Jeffry A.
I don't understand why Windows doesn't include dig by default, even now. Free software hate? I wonder if it is some kind of intellectual property issue. Microsoft has to be able to sell Windows and therefore must consider any added costs related to including a component that they do not own

RE: Exercising RFC 5011 rollovers

2011-11-25 Thread Spain, Dr. Jeffry A.
Does anyone provide a zone with a trust anchor that is frequently rolled over in that way, just so that one can see whether it really works? Then one's feelings might be warmer and less fuzzy... I looked at the DNSSEC section of the bind test suite (bind-9.9.0b2/bin/tests/system/dnssec) to see

RE: Exercising RFC 5011 rollovers

2011-11-26 Thread Spain, Dr. Jeffry A.
There are tools for this. E.g. libfaketime Looks like libfaketime (http://www.code-wizards.com/projects/libfaketime/) lets you accelerate the system time. Adapting one of their examples: LD_PRELOAD=./libfaketime.so.1 FAKETIME=x5000 /bin/bash -c 'while true; do echo $SECONDS ; sleep 43200 ;

RE: Configuration RPZ using BIND RPM package

2011-11-26 Thread Spain, Dr. Jeffry A.
Is it possible to configure RPZ by downloading the Bind.tar.gz file from the isc website? If yes, do I need to completely remove all running configuration, including the /etc/named.rfc1912.zones and /etc/named.caching-nameserver.conf files? Kindly suggest. Regards Babu Babu: While I am an Ubuntu user, I

RE: Bind 9.9.0b2 inline signing...

2011-11-28 Thread Spain, Dr. Jeffry A.
I don't understand why Windows doesn't include dig by default, even now. Free software hate? And grep and logrotate! At least the GnuWin32 project has a good version of grep. I think that if I had to use a Windows workstation my first installs would be the ISC binary kit and

RE: dnssec-keygen not responding

2011-11-30 Thread Spain, Dr. Jeffry A.
I'd be rather wary of keys made from /dev/urandom but I am often times a paranoid security freak. Inexpensive USB-attachable RNG: http://www.entropykey.co.uk/ Jeffry A. Spain Network Administrator Cincinnati Country Day School

DNSSEC key rollover problems

2011-12-28 Thread Spain, Dr. Jeffry A.
This issue relates to the server nstest.jaspain.net (74.203.156.157), which is running bind 9.9.0b2. Please refer to http://dnsviz.net/d/jaspain.net/dnssec/. The RRSIGs on the jaspain.net , A, and TXT RRSets signed by ZSK 35297 expired on 12/17/2011, and those RRSets have not been resigned

RE: Take your DNSSEC with a grain of salt ...

2011-12-31 Thread Spain, Dr. Jeffry A.
I've taken some time to write down my knowledge on NSEC3 use of the salt and iteration parameters: http://strotmann.de/roller/dnsworkshop/entry/take_your_dnssec_with_a Thanks, Carsten. This is a very clear, concise, and informative article. Given the recommendation to change NSEC3 salt

bind9.9.0rc1 DNSSEC key rollover failure

2012-01-08 Thread Spain, Dr. Jeffry A.
A couple of weeks ago I found a DNSSEC key rollover problem with bind 9.9.0b2. See https://lists.isc.org/pipermail/bind-users/2011-December/086063.html. This appears to have persisted after upgrading to bind 9.9.0rc1 this afternoon. See http://dnsviz.net/d/jaspain.net/dnssec/. The RRSIGs on the

RE: 9.9.0rc1: example from arm 4.8.3 does not validate

2012-01-18 Thread Spain, Dr. Jeffry A.
I tried the example from page 23 with a local zone, a trusted key and inline-signing, ... But I'm getting no ad-flag. I think that is expected behavior when you query an authoritative server directly. For example, our authoritative server: dig @ns1.countryday.net countryday.net dnskey +dnssec

RE: Extracting key tag from DNSKEY

2012-01-25 Thread Spain, Dr. Jeffry A.
Can I extract the key tag from a DNSKEY, obtained via dig? Try the following: dig @bind.odvr.dns-oarc.net. isc.org dnskey +multiline Jeffry A. Spain Network Administrator Cincinnati Country Day School

RE: bind 9.9 inline-signing issue..

2012-01-29 Thread Spain, Dr. Jeffry A.
After setting up a zone with DNSSEC using inline-signing, I have run into the issue where if I do anything that updates the unsigned file that is input into BIND, that it never seems to update the signed data it generated. As an example, I had serial number of 2012012701 in the test zone

RE: bind 9.9 inline-signing issue..

2012-01-30 Thread Spain, Dr. Jeffry A.
I suspect that something was wrong with the unsigned zone, 'rndc reload' failed to catch the problem, and so the zone got itself into a weird state. The exact circumstance in which I've seen this happen involved a failure to update the SOA serial, but there may be other triggers for it as

bind9.9.0rc2 inline signing tests

2012-01-31 Thread Spain, Dr. Jeffry A.
I compiled and installed bind 9.9.0 rc2 on Ubuntu Oneiric x64. The zone jaspain.net used for testing was configured as a master zone with update-policy local, auto-dnssec maintain, and inline-signing yes. I tested by making changes to the unsigned zone, and used named-checkzone to output the

RE: bind9.9.0rc2 inline signing tests

2012-01-31 Thread Spain, Dr. Jeffry A.
It's supposed to be rndc sync -clean, not -clear. I thought we'd fixed that, darn it... Thanks. rndc sync -clean jaspain.net works and does remove the journal files. Jeff

RE: bind9.9.0rc2 inline signing tests

2012-01-31 Thread Spain, Dr. Jeffry A.
2. Prior to the second test, in an attempt to get rid of the journal files, I issued the command rndc sync -clear jaspain.net. This generated an error rndc: 'sync' failed: unknown class/type. I found that rndc sync and rndc sync jaspain.net both worked, so I think rndc just doesn't

RE: bind9.9.0rc2 inline signing tests

2012-01-31 Thread Spain, Dr. Jeffry A.
Hostnames can't begin with a hyphen (RFC 952). Domain names can start with anything. I guess that makes the syntax rndc sync [-clean] [zone [class [view]]] unavoidably ambiguous. Maybe a way around this would be a new command rndc clean [zone [class [view]]]. Jeffry A. Spain Network

Permissions change after running dnssec-settime bind 9.9.0rc2

2012-01-31 Thread Spain, Dr. Jeffry A.
I ran dnssec-settime from bind 9.9.0rc2 today to change the metadata on two of my ZSKs. Before running dnssec-settime, using one of these keys as an example, the file permissions were: -rw-r--r-- 1 root bind 535 2012-01-31 11:47 Kjaspain.us.+005+30795.key -rw-r- 1 root bind 1058

RE: Permissions change after running dnssec-settime bind 9.9.0rc2

2012-02-01 Thread Spain, Dr. Jeffry A.
Now the private key is inaccessible to the named process, which is running as user bind. User bind is a member of group bind. Any time a private key file is rewritten, the mode is changed to 600. There's no rule that it has to be owned by root, though; could you just chown it to user bind?

RE: trying DNSSEC with 9.9-rc1

2012-02-01 Thread Spain, Dr. Jeffry A.
Any suggestions, folks? What am I not understanding? Michael: To determine why there is no DNSSEC information being returned by your dig query, consider the following: What are the timestamps in your key metadata? Are they currently published and active? nstest/etc/namedb/keys;dnssec-settime

RE: Recovering from over enthusiastic key cleanup...

2012-02-02 Thread Spain, Dr. Jeffry A.
So, is there: A: an easy way to figure out what keyfiles are no longer being used / referenced? B: a simpler way to recover from this when one *does* make a boo boo? What a fun evening. For the sake of interest, which version of bind is in use? With regard to item A, how about executing the

RE: How to validate DNSSEC signed record with dig?

2012-02-05 Thread Spain, Dr. Jeffry A.
I am trying to validate the DNSSEC signature on an ns record using dig. Domain nox.su is properly signed using DNSSEC. I am trying to validate it as described here: http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/ $ dig +nocomments +nostats +nocmd +noquestion -t dnskey .

RE: zone serial (0) unchanged. zone may fail to transfer to slaves.

2012-02-05 Thread Spain, Dr. Jeffry A.
named (BIND 9.7.4-P1) err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone 127.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail to transfer to slaves. Ignore it. The message is suppressed in the next maintenance release. I see similar messages in 9.9.0rc2, where

RE: zone serial (0) unchanged. zone may fail to transfer to slaves.

2012-02-06 Thread Spain, Dr. Jeffry A.
Feb 4 15:53:46 nsb0s named[9090]: zone jspain.us/IN (signed): zone serial (2012013003) unchanged. zone may fail to transfer to slaves. I suspect that it is benign. Had you just thawed the server/zone? After a review of the logs over the past several days, I see that this message occurred

RE: How to validate DNSSEC signed record with dig?

2012-02-07 Thread Spain, Dr. Jeffry A.
dnssec-signzone: fatal: key myKSK.key not at origin What are the contents of myKSK.key? The format is mydomain.com. IN DNSKEY ... where mydomain.com is the domain origin. Jeffry A. Spain Network Administrator Cincinnati Country Day School

RE: How to validate DNSSEC signed record with dig?

2012-02-08 Thread Spain, Dr. Jeffry A.
William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;' rather than explicitly signing the zone with dnssec-signzone. I believe I recall that you are using bind 9.8, so this should work for you as well. Here's something you can try: In your bind configuration use the following

RE: State diagram for DNSsec key lifecycle

2012-02-09 Thread Spain, Dr. Jeffry A.
Please comment on this state diagram: https://www.chaos1.de/svn-public/repos/network-tools/DNSsec/trunk/dnssec_key_states.pdf For greater clarity, I suggest that for the state transitions (captions on the arrows), you refer specifically to the four metadata timestamps that are present in the

RE: Getting a formerr 'invalid response' for winqual.microsoft.com. but dig +trace works.

2012-02-09 Thread Spain, Dr. Jeffry A.
It's because a few load balancer vendors don't read freely available specifications but instead appear to reverse engineer the protocol and get it wrong. BIND 9.7.0 fixed a long standing of accepting glue promoted to answer by parent nameservers. Once we did that there was no need to

RE: State diagram for DNSsec key lifecycle

2012-02-10 Thread Spain, Dr. Jeffry A.
I recommend activate + publish at the same time. I'd appreciate knowing your reasoning for preferring this. You are going from unsigned to signed. There is no benefit in publishing, waiting then activating. The IETF draft DNSSEC Key Timing Considerations

RE: dig -- only RRSIG present.

2012-02-12 Thread Spain, Dr. Jeffry A.
As Tony Finch pointed out to me a few days ago, the Google public servers don't understand that fact about DS records, and don't know to ask for them in the parent. But here's something interesting - as of my testing just now, they *do* respond with DS records This thread has been kind of

RE: dig -- only RRSIG present.

2012-02-13 Thread Spain, Dr. Jeffry A.
Try this one: dig @bind.odvr.dns-oarc.net. isc.org +dnssec You should get an AD flag returned and a variety of RRSIG records. Jeff. I hope I'm not missing any concepts here, but there should be a public key to verify the RRSIG, where's that? Shouldn't the server return additional DNSKEY

RE: dig -- only RRSIG present.

2012-02-13 Thread Spain, Dr. Jeffry A.
Ok, thanks a lot. I thought it was a client process. Now I can query for the DS, DNSKEY records from isc.org. Final question -- bind.odvr.dns-oarc.net is a cache right? Does bind have such a caching program? Do we have a DNSSEC capable resolver in BIND? Bind *is* a caching program. Yes,

bind 9.9.0rc3 inline signing server not updating unsigned zone

2012-02-21 Thread Spain, Dr. Jeffry A.
The configuration below is for a bind 9.9.0rc3 server named nsb0s providing inline signing service for a hidden master nsb0 and slaves nsb1 and nsb2. The latter three are running bind10-devel-20120119. Nsb1 and nsb2 are also known as ns1.jaspain.net and ns2.jaspain.net. In an effort to test

RE: bind public/private domain question

2012-02-21 Thread Spain, Dr. Jeffry A.
I'm looking for advice on an issue. I have a publicly registered domain which we also use internally. I have bind configured as a caching DNS server. Bind is configured to use four other Windows DNS servers as forwarders for the domain. Bind should be using the root servers for

RE: bind 9.9.0rc3 inline signing server not updating unsigned zone

2012-02-21 Thread Spain, Dr. Jeffry A.
Ok. The retransfer code needs to look at the unsigned zone rather than the signed one which should fix the not found issue. The following should fix the issue. It compiles but otherwise has not been tested. Thanks, I will try it and get back to you with the result. As to soa refresh

RE: bind 9.9.0rc3 inline signing server not updating unsigned zone

2012-02-22 Thread Spain, Dr. Jeffry A.
Mark: Your patch version 3 is included below to confirm that this is the correct one. Initially the patch didn't work properly due to a missing line break before @@ -5993,6 +5994,12 @@. I fixed that and ran the bind9.9.0rc3 installation again. A manual inspection of server.c afterwards

bind9.9.0rc4 rndc retransfer appears to be fixed

2012-02-23 Thread Spain, Dr. Jeffry A.
With the properly patched bind 9.9.0rc3 running, 'rndc retransfer jaspain.biz' generated no output, presumably indicating success. The log showed some related error messages, however... Seems like it is confusing the serial numbers of the signed and unsigned zones. I installed the

RFC 6303 and bind 9.9.0

2012-02-29 Thread Spain, Dr. Jeffry A.
I reviewed RFC 6303, which recommends configuring a number of zones using an empty zone file as follows: @ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800 @ 10800 IN NS @ In bind 9.9.0 this results in errors for each zone referring to the empty zone file as follows: Feb 29 19:24:30

RE: RFC 6303 and bind 9.9.0

2012-02-29 Thread Spain, Dr. Jeffry A.
Changing the second line ('@ 10800 IN NS @') to '@ 10800 IN NS localhost.' eliminates the errors. The built in empty zone processing is aware of the special case of NS records without address records. The generic zone processing rules treat this as an error condition. Just for

RE: RFC 6303 and bind 9.9.0

2012-03-01 Thread Spain, Dr. Jeffry A.
Just for clarification, do I understand correctly that if none of the empty zones described in RFC 6303 are set up explicitly in the bind 9.9.0 configuration file, then bind 9.9.0 will process them as such anyway using built-in generic zone processing rules? Yes. To expand a bit on

RE: RFC 6303 and bind 9.9.0

2012-03-01 Thread Spain, Dr. Jeffry A.
In my named.conf I have set up empty zones for the whole of 240/4. I view RFC 6303 as the minimum necessary for a hygienic name server, but there are a number of other permanent bogon address ranges which it makes sense to stub out locally. Would you please elaborate on how you are

RE: RFC 6303 and bind 9.9.0

2012-03-02 Thread Spain, Dr. Jeffry A.
If the root hints are updated on ftp://rs.internic.net/domain/, would it require a new build of bind to incorporate them, or is bind able to update its built-in root hints by some other means? No, it requires a rebuild after changing lib/dns/rootns.c. But using a mildly out-of-date hints

RE: RFC 6303 and bind 9.9.0

2012-03-02 Thread Spain, Dr. Jeffry A.
No, it requires a rebuild after changing lib/dns/rootns.c. But using a mildly out-of-date hints file is usually harmless - it is only a *hint*. Right. One of the first things BIND does after starting up is query one of the root servers to get the current set of root servers. Thanks. This

RE: RFC 6303 and bind 9.9.0

2012-03-02 Thread Spain, Dr. Jeffry A.
Didn't the answer to the NS query include the addresses in the Additional Section? It does when I perform the query manually. It gets cut off with the default packet size, but if EDNS0 is used it will include them all. The addresses are included in the additional section. Missed that

RE: BIND 9.9.0 Inline-Signing Out of Control

2012-03-05 Thread Spain, Dr. Jeffry A.
We thought of two other differences between this zone and the others: 1. this zone has NS records with servers that are in the zone itself, and 2. our global also-notify option contains IP addresses that resolve to host names in this zone. I don't have a handle on the underlying problem,

RE: reverse dns for IPV6 ranges

2012-03-05 Thread Spain, Dr. Jeffry A.
Can anyone help me with their experience on reverse dns for IPV6? Presently, when we reverse an IPV4 subnet for clients, we configure all the reverse for the whole subnet. It is a lot of PTR's but perfectly manageable. With IPV6, the number of IP's that we will receive is amazing

bind9.9.0 named-checkzone usage message

2012-03-05 Thread Spain, Dr. Jeffry A.
root@ns0s:~ # named-checkzone usage: named-checkzone [-djqvD] [-c class] [-f inputformat] [-F outputformat] [-t directory] [-w directory] [-k (ignore|warn|fail)] [-n (ignore|warn|fail)] [-m (ignore|warn|fail)] [-r (ignore|warn|fail)] [-i (full|full-sibling|local|local-sibling|none)] [-M

RE: A question for the reference

2012-03-05 Thread Spain, Dr. Jeffry A.
I tested this by capturing network traffic on a bind 9.9.0 recursive resolver. The commands 'rndc flush' followed by 'dig @localhost funnygamesite.com' resulted in the following: 1. A query to m.gtld-servers.net. 2. The same referral response that you got below. 3. A follow-up query 500

RE: reverse dns for IPV6 ranges

2012-03-05 Thread Spain, Dr. Jeffry A.
But if only some IPs have a reverse, what about the other servers that have received an IP in the range? An IP that can be changed every x hours. If there is no reverse, it can be blacklisted for some reason or have problems with services asking for a reverse dns resolution. In my ip6.arpa zone, all

RE: DKIM in TXT record

2012-03-06 Thread Spain, Dr. Jeffry A.
What is the proper format to write a DKIM TXT? There seems to be quite a bit of information about this available via Google search. Here's one reference I found that gives some step-by-step instructions: Creating DKIM TXT Records in Linux/UNIX Bind

RE: fermat primes and dnssec-keygen bug?

2012-03-06 Thread Spain, Dr. Jeffry A.
I would recommend that dnssec-keygen starts ignoring the -e parameter that everyone has put in their scripts to prevent exponent 3 keys, who are not getting keys with exponent 4294967296 + 1 (F5) Alternatively, if this is done on purpose, I guess we should all migrate the 64 bit machines

RE: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Spain, Dr. Jeffry A.
It's not about integer overflow, it's about the fact that F5 does not add to the security, but does use up a lot of CPU cycles. I'd like to study this issue more. Would you please provide a reference that discusses your assertion that using an F5 public exponent does not add to the security

RE: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Spain, Dr. Jeffry A.
Well, go argue with Adam Langley in the bug report I submitted (and Paul quoted in this thread). You're making an argumentum ad verecundiam, which I can't reasonably pursue. In the bug report

RE: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Spain, Dr. Jeffry A.
There's quite a bit about choosing e in this presentation: http://www.esiea-recherche.eu/Slides09/slides_iAWACS09_Erra-Grenier_How-to-compute-RSA-keys.pdf However, I don't understand the math, so I can't say whether any of the advice is reasonable :( Interesting document, although I'm not a

RE: testing validation

2012-04-18 Thread Spain, Dr. Jeffry A.
I'm testing out dnssec with bind 9.9.0's auto signing and a test domain; this appears to be working (see below, RRSIG records returned from the actual nameserver), however an attempt to validate fails with: # dig +dnssec +sigchase soa raindrop.us When I simply try to validate the root: #

RE: testing validation

2012-04-18 Thread Spain, Dr. Jeffry A.
Alan: Comments on your configuration file: I believe that managed-keys... and zone . { type hint... are built into bind 9.9.0 recursive resolvers and therefore not needed. You can enable the built in root trust anchor by changing dnssec-validation from yes to auto. I think that listen-on {

RE: testing validation

2012-04-18 Thread Spain, Dr. Jeffry A.
Isn't the DS for the zone: . what the managed-keys clause provides? Though putting it back in didn't make the warning go away, so I must be missing something else here... Any difference with dnssec-validation auto and removing the managed-keys and root hint zone? Jeff.

RE: testing validation

2012-04-18 Thread Spain, Dr. Jeffry A.
Why would 149.20.64.20 return ad then? It's not authoritative either... As I understand it, you need a dnssec-enabled recursive resolver to get an AD flag returned. An authoritative-only server will never return an AD flag. Jeff.

RE: testing validation

2012-04-18 Thread Spain, Dr. Jeffry A.
Though I am still curious about this from the end of sigchase output: Launch a query to find a RRset of type DS for zone: . ;; NO ANSWERS: no more ;; WARNING There is no DS for the zone: . Isn't the DS for the zone: . what the managed-keys clause provides? Now I think I see what you mean. It

RE: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Spain, Dr. Jeffry A.
I was setting up BIND DNSSEC and when I issue the following command the process never finishes. dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com Take a look at the Entropy Key (http://www.entropykey.co.uk/). See also a discussion

RE: Question about KSK

2012-04-27 Thread Spain, Dr. Jeffry A.
We are authoritative for a few dozen small zones. Is it possible to use the same KSK for all of them? I can see where if it gets compromised we would need to resign all zones using the KSK at once. How much effort would I be saving sharing the KSK? My sense is that you would be creating

RE: Inline Signing does not update SOA?

2012-05-07 Thread Spain, Dr. Jeffry A.
When I update the SOA record of the master zone file, if I reload the zone with rndc reload, the SOA record is updated. If I perform a stop/start of the named executable, the SOA change is not updated. Ralph: There was a lot of discussion about this issue on the bind forum around the first

RE: Help for

2012-05-08 Thread Spain, Dr. Jeffry A.
1. In down level Windows, everything is OK. 2. In upper level dns(bind), the ns record and A record of the nameserver are fine. 3. But the A record in Windows Server cannot be resolved by the upper level BIND. I think maybe I have to do something in my windows server to connect windows with linux bind? If

RE: How does a child find its parent?

2012-05-08 Thread Spain, Dr. Jeffry A.
Reading the section on delegation in the O'Reilly book, I'm confused about something: The parent is configured to delegate the subdomain to the child with glue records, etc. But how does the child know who to ask if a host in the subdomain requests a record in the parent zone? They don't

RE: Multiple zones with single key pair

2012-05-10 Thread Spain, Dr. Jeffry A.
Multiple zones with a single key - is possible with BIND ? There was a recent discussion on this topic. See thread beginning at https://lists.isc.org/pipermail/bind-users/2012-April/087481.html. Jeff. Jeffry A. Spain Network Administrator Cincinnati Country Day School

RE: Bind 9 configuration

2012-05-20 Thread Spain, Dr. Jeffry A.
(I hope that it's fine to ask about issues connected with the previous version of bind.) Bind9 has its own listserv at bind-users@lists.isc.org. There are many DNS experts available there. Could you confirm that my settings are correct? I'm using this guide (my configuration scenario is

RE: Bind9.9.1 Dependences

2012-05-22 Thread Spain, Dr. Jeffry A.
How can I find out which Unix files/libraries bind requires before I do the compile? I have successfully built Bind 9.9.1 on Ubuntu 12.04 LTS (Precise Pangolin). Since Ubuntu comes with a previous version of the Bind 9 utilities installed, I uninstall the following packages: apt-get purge

RE: different between views and having multiple instances

2012-05-25 Thread Spain, Dr. Jeffry A.
I need to understand the difference between configuring bind views and having multiple instances of bind. I have 5 network interfaces on my server and I want to have 2 instances of DNS server (just for testing) and I don't know which one to do? BIND views are powerful, but configuring

RE: Bind 9.9.x inline signing

2012-06-03 Thread Spain, Dr. Jeffry A.
I didn't like the fact that the unsigned serial (which I manage) was lower than that of the signed zone. Making it bigger than the signed zone's version appears to have gotten the zones back in sync - however the slave is still not getting any Notifies (and has not yet caught up). With

RE: Verify raw data within slaves on 9.9.x

2012-06-11 Thread Spain, Dr. Jeffry A.
What tools/commands can I run to get plain ascii/text data out of the modern raw/binary format on BIND 9.9.x slaves? I just want to verify that changes are correct down to the slaves. So - I can check-in these changes into svn etc. See the ARM under named-checkzone.

RE: Verify raw data within slaves on 9.9.x

2012-06-11 Thread Spain, Dr. Jeffry A.
Would an option be to do a dig axfr on the zone? That works if allow-transfer is set appropriately. It gives you the zone data in canonical rather than relative format. Jeff.

RE: Understanding cause of DNS format error (FORMERR)

2012-06-22 Thread Spain, Dr. Jeffry A.
I'm a BIND novice and I'm trying to understand what causes my BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried for the A record of vlasext.partners.extranet.microsoft.com: FWIW I'm not able to reproduce this using a BIND 9.9.1-P1 recursive resolver. On this system dig

Seeking Advice on DNSSEC Algorithm Rollover

2012-06-23 Thread Spain, Dr. Jeffry A.
I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8. The Bv9ARM doesn't discuss this procedure explicitly as far as I can tell, but section 4.9 presents some clues. I'd like to ask the experts on this list if the following procedure might accomplish an algorithm rollover

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
I don't think that bind trying to sign with a non-existent key will do any harm - probably just a warning. But it's simpler - change the metadata of the key - set the deletion time to the time you want the key to be deleted (like DS deletion time+TTL). Bind with auto-dnssec allow re-reads the metadata

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
I discovered that if there was not at least one KSK and ZSK of the same algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life of one year and ZSK of one month, effectively to roll a key algorithm and without forcing the roll-over by removing all the old key/algorithm at

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
I propose the following addition to the Bv9ARM, and request review and comment by the experts on this list. -- 4.9.14 DNSKEY Algorithm Rollover From time to time new digital signature algorithms with improved security are introduced, and it may be desirable for administrators to roll

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-25 Thread Spain, Dr. Jeffry A.
My experience with changing the timing metadata or removing the key files is that named issues a warning like the following: zone zone/IN: Key zone/algorithm/key tag missing or inactive and has no replacement: retaining signatures. In this circumstance none of the RRSIGs or NSECs are

RE: Listen-On and Ipv6

2012-07-09 Thread Spain, Dr. Jeffry A.
If no listen-on statement is included, will requests be processed and logged? From Bv9ARM, p. 68: If no listen-on is specified, the server will listen on port 53 on all IPv4 interfaces. A client could query a quad-A or any other record using IPv4 network transport, and that would be

RE: Problem with DNSSEC signing zone

2012-07-20 Thread Spain, Dr. Jeffry A.
1. Generated KSK and ZSK 2. Added both keys at the end of my zone file 3. Signed my zone with the dnssec-signzone command 4. Enabled dnssec in named options 5. Changed the name of my zone in named to namezone.signed 6. I got the root DNSKEY RR set before with the dig command

RE: Problem with DNSSEC signing zone

2012-07-20 Thread Spain, Dr. Jeffry A.
All these steps have been done well, but the last step, "Generate DS records and provide them to your registrar", has not been smooth for me. I found how I can provide the key to the registrar; I used this command: dnssec-dsfromkey -2 Kwillzik.co.uk KSK.key. Is it the right way to do it? That command

RE: How to Download and Install Nsupdate from BIND 9 Package

2012-09-24 Thread Spain, Dr. Jeffry A.
Please tell me how to download and install Nsupdate from BIND 9 to run on a Windows XP client? 1. Download http://ftp.isc.org/isc/bind9/9.9.1-P3/BIND9.9.1-P3.zip. 2. Expand the archive and run BINDInstall.exe. 3. Verify and change the target directory according to your preference. 4. Check
