Re: Disable Refused answer

2009-12-08 Thread Tony Finch
On Fri, 4 Dec 2009, Chris Thompson wrote: [It's never been entirely clear to me why these functions have to be combined, especially given that server [ipaddr/len] {bogus yes;}; can be used to block outgoing queries.] The CIDR syntax for server clauses is relatively new. Before it was added

Re: Blacklisting private address range

2010-02-24 Thread Tony Finch
On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote: On Tue, Feb 23, 2010 at 09:56:55PM -0500, Diosney Sarmiento Herrera diosne...@gmail.com wrote: Have any sense to blacklist the private address ranges on a server that is facing Internet? I am not sure I parse your sentence correctly but may

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Tony Finch
On Tue, 23 Feb 2010, Joe Baptista wrote: Let's not forget the IETF has had 15 years to secure the DNS. The result is the DNSSEC abortion. It has failed. It looks pretty lively to me. DNSSEC has multiple interoperable implementations, and it will be deployed in the most important zones this

Re: T_ANY

2010-03-20 Thread Tony Finch
On Sat, 20 Mar 2010, Glenn English wrote: Just why qmail reports a T_ANY failure as a CNAME failure, I also don't know. This is a bug in qmail. It tries to canonicalize domains in the SMTP envelope of outgoing messages. It originally did this by performing CNAME queries on each domain, but

Re: Same source port queries dropped by ServerIron load balancer

2010-03-30 Thread Tony Finch
On Tue, 30 Mar 2010, Abdulla Bushlaibi wrote: We are facing query drops by using dnsperf tool from ISC testing the DNS service via load balancer. Multiple queries from the same source port are being dropped partially by the load balancer and as per the load balancer vendor feedback, this is

Re: Problem with an unsigned private subzone of a signed public zone

2010-04-19 Thread Tony Finch
On 19 Apr 2010, at 20:40, Chris Thompson c...@cam.ac.uk wrote: On Apr 19 2010, I wrote: [...] Of course, it could also prove there is no DS record for private.cam.ac.uk, but the absence of NS records as well apparently makes it think that private.cam.ac.uk is bogus. More experiments

Re: ad flag for RRSIG queries

2010-07-14 Thread Tony Finch
On Wed, 14 Jul 2010, Chris Thompson wrote: With 9.7.1-P1 (and a trust anchor for dlv.isc.org) on a local workstation dig +dnssec -t RRSIG www.forfunsec.org @127.0.0.1 initially times out. But after doing dig +dnssec -t ANY www.forfunsec.org @127.0.0.1 the same command reports the three

Re: root-anchor.xml anchors.xml in Bind

2010-07-18 Thread Tony Finch
On Sat, 17 Jul 2010, Stephane Bortzmeyer wrote: OK, let's rephrase it: as far as I know, the root managers did not announce that they will follow RFC 5011. But may be they did and I just missed the announcement or may be they will do it in the future. But check yourself before using

Re: odbc.ucas.com lookup problem

2010-07-20 Thread Tony Finch
On Tue, 20 Jul 2010, Chris Thompson wrote: However, I haven't yet been able to work out exactly *what* is wrong with the response, as demonstrated by dig (say). Any ideas? Could it be complaining about the lack of compression? Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ NORTH

Re: odbc.ucas.com lookup problem

2010-07-20 Thread Tony Finch
On Tue, 20 Jul 2010, Chris Thompson wrote: However, I haven't yet been able to work out exactly *what* is wrong with the response, as demonstrated by dig (say). Any ideas? Got it. The nameservers for ucas.com give a referral for odbc.ucas.com. That means the zone for odbc.ucas.com is

Re: odbc.ucas.com lookup problem

2010-07-20 Thread Tony Finch
On Tue, 20 Jul 2010, Kevin Darcy wrote: It seems that UCAS is just proxying non-A queries from its load-balancers back to its regular nameservers. No, the load balancers are simply braindamaged. Try SOA or NS or TXT queries and you get a timeout. Tony. -- f.anthony.n.finch d...@dotat.at

Re: Script for verifying zone files

2010-07-22 Thread Tony Finch
On Thu, 22 Jul 2010, Atkins, Brian (GD/VA-NSOC) wrote: Does anyone know of an existing script or program that can parse a zone file and verify records against an active server? Have you looked at named-checkzone? Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ FORTIES: NORTH 5 OR

Re: USADOTGOV.NET Root Problems?

2010-07-24 Thread Tony Finch
On Sat, 24 Jul 2010, Warren Kumari wrote: On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote: Why would any inspection policy not allow fragmented UDP packets? There's nothing wrong with that. Because it's hard The issue is that then you need to buffer fragments until you get a full

Re: Forwarding to two servers

2010-08-06 Thread Tony Finch
On Thu, 5 Aug 2010, Lyle Giese wrote: zone mydomain.com{ type forward; forward only; forwarders { ip address of priv server;}; }; The priv server needs to be authoritative (and probably master) for mydomain.com. As I understand it, BIND makes recursive queries to forwarding servers. If the

Re: dns-sec and Maintaining Human Sanity

2010-08-06 Thread Tony Finch
On Fri, 6 Aug 2010, Martin McCormick wrote: I have started looking at various ways for our organization to begin using dns-sec as this appears to be a high management priority and it will eventually become necessary to operate. We have a fairly simple structure with an official master

Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Tony Finch
On Mon, 9 Aug 2010, Shiva Raman wrote: I tried implementing dnssec using the following document http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/ That is rather out of date: it does not cover some important BIND-9.7 DNSSEC validation features, specifically RFC 5011

Re: Forwarding to two servers

2010-08-10 Thread Tony Finch
On Mon, 9 Aug 2010, CLOSE Dave (DAE) wrote: Based on suggestions here, I now have a named.conf file like this: options { ... }; logging { ... }; zone . IN { type forward; forwarders { PUB; }; forward only; }; zone HOST1 { type forward; forwarders { PRIV; }; }; zone HOST2 {

Re: Forwarding to two servers

2010-08-10 Thread Tony Finch
On Tue, 10 Aug 2010, Joseph S D Yao wrote: On Fri, Aug 06, 2010 at 10:43:01PM +0100, Tony Finch wrote: ... As I understand it, BIND makes recursive queries to forwarding servers. If the target is authoritative, you configure the zone as a stub. This is not documented. I believe

Re: cant update 'cz'

2010-09-05 Thread Tony Finch
On 30 Aug 2010, at 00:02, clem...@dwf.com wrote: Can you either point me at the documentation I need to read, or explain how to 'Add one for the root zone' Have a look at: http://fanf.livejournal.com/107310.html Note that since you are using bind-9.6 you have to use a trusted-keys

Re: DNSSEC, views trusted keys...

2010-09-12 Thread Tony Finch
I could not get private stub nor forward zones to work if their public parent is signed and does not have a delegation to the private zone. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ On 12 Sep 2010, at 03:41, Chris Buxton chris.p.bux...@gmail.com wrote: On Sep 11, 2010, at

Re: isc trust anchor

2010-09-15 Thread Tony Finch
On Wed, 15 Sep 2010, sami's strat wrote: a.us is (dnssec) signed and the parent domain has a copy of the DS keys. Is there a way to have host.b.com run dnssec aware queries against a.us? You don't need or want the ISC DLV trust anchor for that, since there is a chain of trust to the root and

Re: auto-dnssec resign timers

2010-09-17 Thread Tony Finch
On 17 Sep 2010, at 14:10, Niobos nio...@dest-unreach.be wrote: Is the current version of the ARM available online somewhere? http://dotat.at/tmp/arm97/ IIRC the specific version that comes from is 9.7.1p2. Tony. -- f.anthony.n.finch d...@dotat.at

Re: 2038 problem and BIND.

2010-09-20 Thread Tony Finch
On Mon, 20 Sep 2010, Alan Clegg wrote: All signature expire times are in MMDDHHMMSS format in the zone data and are handled correctly as far as BIND deals with it. If your OS deals with the 2038 issue correctly, then BIND will as well. RFC 4034 says that the signature validity times are

Re: Here I am again, hat in hand with humble demeanor.......

2010-09-24 Thread Tony Finch
On Fri, 24 Sep 2010, Stewart Dean wrote: 1) I assume the canonical location of named.conf is always in /etc? A default build of bind expects to find it in /etc/named.conf. If you are running chrooted it needs to be copied into the chroot. 2) My home-built binary is nearly 7MB, while the CentOS

RE: When does BIND send queries with DO flag enabled?

2010-09-30 Thread Tony Finch
On Thu, 30 Sep 2010, Taylor, Gord wrote: The business partner has already fixed their firewall (allow_dnssec_bit=1 on CheckPoint) Just in case anyone else is worried about interop problems, I note that allow_dnssec_bit=1 is the default setting. A CheckPoint firewall administrator has to

Re: GSS-TSIG and Active Directory

2010-09-30 Thread Tony Finch
On Thu, 30 Sep 2010, Nicholas F Miller wrote: Does anyone actually have GSS-TSIG working with an Active Directory? There are some GSS-TSIG interop fixes in 9.7.2. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5

Re: Auto signing ARM

2010-10-01 Thread Tony Finch
I haven't seen any answers to Timothe's questions below, though I have been keeping an eye out for them. The documentation in this area is a bit thin... Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ On 20 Sep 2010, at 20:28, Timothe Litt l...@acm.org wrote: I'm trying to get

Re: can't validate existing negative responses (not a zone cut) messages

2010-10-22 Thread Tony Finch
On Sun, 3 Oct 2010, Chris Thompson wrote: Oct 3 16:53:10 dnssec: warning: validating @14c9cd70: 98.206.101.95.IN-ADDR.ARPA PTR: can't validate existing negative responses (not a zone cut) What do they mean, exactly? And should I be worrying about them? They all seem to refer to PTR

Re: basic MX question

2010-10-28 Thread Tony Finch
On Thu, 28 Oct 2010, fddi wrote: I am going to start in production environment a bunch of 3 mail servers for my domain, let's say mydomain.com I need to install a X509 certificate on each server in a way that upon x509 authentication thunderbird or whatever MUA won't complain about hostname

Re: out of place mx records.

2010-10-29 Thread Tony Finch
On Fri, 29 Oct 2010, Mark Andrews wrote: It would be nice if we could standardise a MX target of . as saying that this domain doesn't accept email e.g. MX 0 . the same way as SRV 0 0 0 . means that there is no service for the named protocol. That way the sending MTA or the MSA can reject the

Re: DNSSEC and Bind 9.3.6

2010-11-03 Thread Tony Finch
On Wed, 3 Nov 2010, Stephane Bortzmeyer wrote: On Wed, Nov 03, 2010 at 11:24:03AM -0200, alexan...@nautae.eti.br alexan...@nautae.eti.br wrote a message of 31 lines which said: So, is that possible in any way to use DNSSEC with Bind 9.3.6? Yes. DNSSEC appeared in BIND 9.0. DNSSEC has

Re: odd dig results for fqdn

2011-01-25 Thread Tony Finch
On Tue, 25 Jan 2011, M. Meadows wrote: Any thoughts on why this might happen? Invalid CNAME at zone apex. ; DiG 9.6.2-P2 any getaroomgetadeal.com @ns1.slicehost.com. ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 15830 ;; flags: qr aa rd; QUERY: 1,

Re: Stub zone vs forward zone

2011-03-14 Thread Tony Finch
On Mon, 14 Mar 2011, Jan-Piet Mens wrote: A stub zone tells BIND to load SOA and NS records from its masters {}. (forwarders {} is, I believe, both useless and incorrect here.) From that point onwards, your BIND will use the data in the stub to recursively find answers to queries for that

Re: dns RR method is not equal balanced?

2011-03-29 Thread Tony Finch
Kay ch...@daumcorp.com wrote: some domain has 12 IPs but traffic of the server is not equal. The traffic of 11 IPs is same and just 1 IP is higher than others. If you use round-robin DNS you are relying on the clients not to muck around with the responses they get from your DNS server. If they

Re: A beginners question regarding a caching-only name server

2011-04-08 Thread Tony Finch
Patrick Rynhart p.rynh...@massey.ac.nz wrote: I am new to using BIND and thought that I would start by setting up a caching-only name server on a VM running CentOS 5.5. While in this mode, my understanding is that named should be passively listening for any DNS requests that are resolved and

Re: SOA RNAME Value

2011-04-14 Thread Tony Finch
Justin Krejci jkre...@usinternet.com wrote: So I am wondering if this is normal/expected behavior for BIND and if so should debug logging or named-checkzone with debugging be able to identify this as the problem. Or am I missing something else altogether? With bind-9.7.3, I get the following

Re: question on minimal file permissions

2011-04-18 Thread Tony Finch
hostmas...@g-net.be hostmas...@g-net.be wrote: The reason I ask is because I'm setting up a DNS sec server and for easy key rollover and manageability I have created several new directories on a usb stick for example. Key files and zone files now all have 774 permissions , owned by bind:bind

Re: question on minimal file permissions

2011-04-18 Thread Tony Finch
hostmas...@g-net.be hostmas...@g-net.be wrote: 4 dr--r--r-- 2 bind bind 4096 2011-04-18 14:50 . You should set execute permission on the directory so that bind can traverse it. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Rockall, Malin, Hebrides: South 5 to 7, occasionally

Re: BIND 9.8.0 + openssl 1.0.0d + chroot == issues

2011-04-19 Thread Tony Finch
On 20 Apr 2011, at 01:11, Mark Andrews ma...@isc.org wrote: In message 4dadfb29.6080...@dougbarton.us, Doug Barton writes: I have had 2 reports now of people using BIND 9.8.0 on FreeBSD compiled against openssl 1.0.0d not being able to chroot unless they copy $PREFIX/lib/engines/libgost.so

Re: Strange behaviour resolving CNAME's via a forwarder.

2011-04-20 Thread Tony Finch
Adam Goodall adam.good...@gmail.com wrote: This certainly seems to have solved the problem. I'm not convinced i understand why it didn't work they way i was trying but this is a perfectly acceptable alternative - thanks for your help! A server that you forward queries to is expected to be a

Re: key directory in named.conf

2011-04-27 Thread Tony Finch
rams brames...@gmail.com wrote: How to declare multiple signed key paths in key-directory. When i declare as follows, named not starting. key-directory {/var/named/zones;/root/ramesh/Largezone;} You can specify a key-directory inside a zone statement if you want the keys for that zone to be

Re: Stumped - SERVFAIL vs NOERROR?

2011-04-27 Thread Tony Finch
Karl Auer ka...@biplane.com.au wrote: Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on a particular domain, namely mailergoat.rsi.co.jp. But from other places, we get NOERROR (which is the correct answer, because there is a A record with that name). However, from some

Re: Anyone have problems with BIND 9.8.0

2011-04-29 Thread Tony Finch
A couple of problems: Firstly, if you are running chrooted and have a recent version of OpenSSL installed, you must either copy the OpenSSL gost cipher engine loadable module into your chroot, or hack the build scripts to disable gost support. The easiest way to do this is to make the obvious

Re: Anyone have problems with BIND 9.8.0

2011-05-02 Thread Tony Finch
A couple of problems: Firstly, if you are running chrooted and have a recent version of OpenSSL installed, you must either copy the OpenSSL gost cipher engine loadable module into your chroot, or hack the build scripts to disable gost support. The easiest way to do this is to make the

RE: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread Tony Finch
Marc Lampo marc.la...@eurid.eu wrote: Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ... 4 DS's in total, for each KSK 1 DS with SHA-1, one with SHA-2 for one KSK, the algorithm used was changed from 5 to 8. As I understand it the problem that Stephane reported

Re: Bind 9.8 chroot and gsstsig - what additional libraries do I need?

2011-05-23 Thread Tony Finch
Juergen Dietl isclist...@googlemail.com wrote: I run bind 9.8 with GSS-TSIG in several domains with update-policy list for secure updates and all is working fine. Before my bind was in a CHROOT environment. But with using GSS-TSIG it seems to need a lot more libraries. Did it stop working

Re: ns.il cname?

2011-06-03 Thread Tony Finch
Carl Byington c...@byington.org wrote: ns.il. 86400 IN CNAME relay.huji.ac.il. il. 86400 IN NS nse.ns.il. With that cname, how are NS records like nse.ns.il supposed to work? The presence of a CNAME at a name has no effect on

Re: BIND 9.7 Serial Number Decrease Problem

2011-06-06 Thread Tony Finch
Barry Finkel bsfin...@anl.gov wrote: I am not sure how to decode the .jnl file; I have not looked at the code in detail. Try the named-journalprint program. You can also try named-compilezone -j which applies the journal to the master file. Tony. -- f.anthony.n.finch d...@dotat.at

Re: Problem resolving CNAME in BIND 9.8.0 and 9.8.0-P2

2011-06-10 Thread Tony Finch
Phil Mayers p.may...@imperial.ac.uk wrote: This might be the problem resolving CNAMEs that was discussed on the list recently: https://lists.isc.org/pipermail/bind-users/2011-May/thread.html#83714 Bind 9.8.0 intermittent problem with non-recursive responses It was fixed in 9.8.1 But note

Re: ksk in a volume

2011-06-16 Thread Tony Finch
Niobos nio...@dest-unreach.be wrote: However, I don't see any security-benefits in this scenario: If the attacker gets hold of the credentials to update the zone dynamically, he can do so in both cases (KSK online or offline). If your server is compromised, he can add/remove records in both

Re: DNSSEC key rollover failure

2011-06-17 Thread Tony Finch
Spain, Dr. Jeffry A. spa...@countryday.net wrote: I'm sure I could solve this by removing all of the DNSSEC data and resigning the zone, but would prefer not to do this except as a last resort. If anyone has troubleshooting suggestions or other insights, I would be grateful for those. Thanks.

Re: Dig +topdown

2011-07-01 Thread Tony Finch
Daniel McDonald dan.mcdon...@austinenergy.com wrote: I set up a zone with dnssec, and wanted to verify that it was working properly. But I appear to have trouble with the root KSK. $ dig +dnssec danmcdonald.us +topdown ;; No trusted key, +sigchase option is disabled Any advice as to what

Re: whether to return RRSIG RRs

2011-07-05 Thread Tony Finch
Cathy Zhang zhangclca...@gmail.com wrote: # Check direct query for RRSIG: If it's not cached with other records, # it should result in an empty response. Why shouldn't recursive server return RRSIG RRs to the client? An RRSIG is part of the RRset that it signs, and the whole thing

Re: Disabling DNSSEC validation per zone?

2011-07-08 Thread Tony Finch
Daniel McDonald dan.mcdon...@austinenergy.com wrote: 08-Jul-2011 08:55:58.700 dnssec: info: validating @0xb4260ad8: ips.backscatterer.local SOA: got insecure response; parent indicates it should be secure I'm not really certain which parent is reporting this The root zone says that .local

Re: secondary nameserver for subdomains and notify messages to itself

2011-07-08 Thread Tony Finch
fddi f...@gmx.it wrote: how to avoid these useless notification ? notify master-only Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Viking: Easterly, becoming variable, 3 or 4. Slight or moderate. Rain or thundery showers. Good, occasionally poor.

Re: Disabling DNSSEC validation per zone?

2011-07-11 Thread Tony Finch
Daniel McDonald dan.mcdon...@austinenergy.com wrote: ; DiG 9.8.0-P4 @localhost ips.backscatterer.local ds ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 26308 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL:

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Tony Finch
Jonathan Kamens j...@kamens.us wrote: I said above that the problem is exacerbated by the fact that many DNS servers don't yet support IPV6 queries. This is because the queries don't get NXDOMAIN responses, which would be cached, but rather FORMERR responses, which are not cached. As a

Re: MX choosing

2011-07-22 Thread Tony Finch
Phil Mayers p.may...@imperial.ac.uk wrote: On 07/22/2011 09:50 AM, Feng He wrote: Given the MX hosts for sympatico.ca domain: $ dig sympatico.ca mx +short 5 mxmta.sympatico.ca. $ dig mxmta.sympatico.ca +short 67.69.240.17 [ and several others ] when the peer MTA fail to talk

New version of nsdiff

2011-08-09 Thread Tony Finch
The nsdiff program examines old and new versions of a DNS zone and outputs the differences as a script for use by BIND's nsupdate program. It allows you to continue to manually maintain flat text master files as before, and feed the changes you make into named's easy dynamic DNSSEC support. This

RE: rndc: 'addzone' failed: permission denied

2011-08-17 Thread Tony Finch
To use `rndc addzone`, named needs to be able to write to the zone configuration file in its working directory, called 3bf305731dd26307.nzf for the _default view. Both named and the user invoking rndc need to be able to read the rndc.key file which is usually in /etc. You need to create the zone's

Re: DNSSEC : once correct, always correct ?

2011-08-17 Thread Tony Finch
Marc Lampo marc.la...@eurid.eu wrote: Experimenting with key roll-over timing conditions, with a Bind 9.7.3 setup, I noticed, today, that this version does not re-validate DNSSEC data, once something makes it into its cache. I wonder though, if that is correct ? Yes. When you publish a

RE: DNSSEC : once correct, always correct ?

2011-08-17 Thread Tony Finch
Marc Lampo marc.la...@eurid.eu wrote: Meaning that that it actually does not re-verify, once data was found to be OK and allowed in the cache. The point of a cache is to avoid network round trips to re-fetch or re-validate data while it is in the cache. The DNS protocol tells the cache how

RE: rndc: 'addzone' failed: permission denied

2011-08-18 Thread Tony Finch
Frank Bulk frnk...@iname.com wrote: Would be nice if the error output or log would indicate such failures. Yes, indeed! Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Forties, Cromarty, Forth, Tyne, Dogger: Variable 3 or 4, becoming northwest 4 or 5 later in Dogger. Slight,

Re: bind 9.7.0 auto-dnssec doesn't remove final RRSIG on key inactivation?

2011-08-25 Thread Tony Finch
Phil Mayers p.may...@imperial.ac.uk wrote: I first create and publish a new ZSK with no activation date. After waiting the requisite amount of time, I use dnssec-settime: dnssec-settime -A Knewid dnssec-settime -I Koldid rndc sign zone ...and bind immediately starts using the new key for

Re: Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread Tony Finch
Lyle Giese l...@lcrcomputer.net wrote: zone chaseprod.local{ type forward; forwarders {10.0.100.205;};}; This seemed to work until I added some stuff for DNSSEC to my named.conf. In order to forward a zone in the presence of DNSSEC validation, the zone has to have a valid

Re: Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread Tony Finch
Jaap Akkerhuis j...@nlnetlabs.nl wrote: Additionally .local is reserved for mDNS .. Can you give some references? http://tools.ietf.org/html/draft-chapin-rfc2606bis Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Lundy, Fastnet: West or southwest, 6 to gale 8, decreasing 5

Re: Compelling Reason for Deploying DNSSEC

2011-09-16 Thread Tony Finch
michoski micho...@cisco.com wrote: It's basically a risk analysis game. You should be able to think through common use cases for your service, and identify places where DNSSEC would add value. Your business values validity of its DNS data, or not. Apart from protecting the DNS itself, there

Re: Upgrading From 9.7.2 to 9.8.1 startup failed (due to fatal error)

2011-09-16 Thread Tony Finch
Ken Schweigert shaw...@gmail.com wrote: logging { ... channel dev_null_log { file /dev/null; }; … category lame-servers { dev_null_log; }; … Use the built-in null channel instead. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Irish Sea: South or

inline-signing

2011-09-30 Thread Tony Finch
I have been playing with the new inline signing feature. Documentation bug: the inline-signing option is not mentioned in the syntax for slave zones. I have not been able to get master inline signing working. Firstly, it fails to create the signed copy of the zone automatically. If I create it

Re: DNSSEC not populating parent zone files with DS records

2011-10-03 Thread Tony Finch
Bill Owens ow...@nysernet.org wrote: However, in this case I believe your problem is the lack of NS records in nau.edu for extended.nau.edu. It's difficult to know for sure, but it appears that the only signature for the NS RRSET is using the ZSK for extended.nau.edu, not the ZSK for nau.edu.

Re: DNSSEC not populating parent zone files with DS records

2011-10-03 Thread Tony Finch
Michael Sinatra mich...@rancid.berkeley.edu wrote: There are ways of getting the DS records into the zone(s). Here are some steps that I took on some test zones: Alternatively, set update-policy local; on your parent zone and use this little pipeline on the master server. Substitute $parent

Re: DNSSEC not populating parent zone files with DS records

2011-10-04 Thread Tony Finch
Raymond Drew Walker ray.wal...@nau.edu wrote: In testing, this pipe sets up the following for nsupdate which fails: Sorry, I forgot the TTL command. Adjust its value as you require... dig +noall +answer dnskey $child | dnssec-dsfromkey -f /dev/stdin $child | (echo zone $parent; echo ttl

Re: DNSSEC Signing Key Questions

2011-10-04 Thread Tony Finch
McConville, Kevin kmcconvi...@albany.edu wrote: 1) Is there any way to have the zsk be auto-generated based upon the inactive date listed in the zsk meta-data? Not yet, though I believe this feature is on the wish list. 2) With a static zone, are the update-policy local and auto-dnssec

Re: DNSSEC SERVFAIL when parent zone has no DS record

2011-10-05 Thread Tony Finch
Sergio Charpinel Jr. sergiocharpi...@gmail.com wrote: After supplying DS and the respective NS record for subdomain in the parent zone (domain.com), it works. That sounds like you had no delegation RRs in the parent zone. In that case the parent zone will contain a secure denial of existence of

Re: DNSSEC not populating parent zone files with DS records

2011-10-06 Thread Tony Finch
Raymond Drew Walker ray.wal...@nau.edu wrote: After reading this, RFC1034, and conferring with the original implementor of DNS at our institution, I have a better wrangle on the NS issue. Child zone NS records were never populated in the parent because all zones were under the same name

Re: Modify BIND ACLs on-the-fly?

2011-11-22 Thread Tony Finch
Jan-Piet Mens jpmens@gmail.com wrote: Any ideas or suggestions? Not a practical one, but there are moves towards a standard nameserver control protocol: http://tools.ietf.org/html/rfc6168 http://tools.ietf.org/html/draft-dickinson-dnsop-nameserver-control

RE: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Tony Finch
Spain, Dr. Jeffry A. spa...@countryday.net wrote: From time to time I want to review the current state of the zone files. I have been accustomed with v9.8 to taking a copy of a signed zone file and stripping out the DNSSEC-related records in a text editor for easy review. I use `dig axfr

Re: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Tony Finch
Jan-Piet Mens jpmens@gmail.com wrote: On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote: I use `dig axfr dotat.at | grep -v RRSIG` ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM I think it is more useful to see those records than to spend effort stripping them

Re: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Tony Finch
Chris Thompson c...@cam.ac.uk wrote: If we are trying to turn Tony's ad hoc command into something publishable, See the loadzone, axfrzone, and cleanzone functions in http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff Writing code to process arbitrary zones is a rather different

Re: DNSSEC and IXFR

2011-11-25 Thread Tony Finch
Matus UHLAR - fantomas uh...@fantomas.sk wrote: Is it possible to update DNSSEC-signed domain, re-sign and generate small differences to be transferred by IXFR? Yes, it just works with no special effort if you use dynamic updates and auto-dnssec maintain. Tony. -- f.anthony.n.finch

Re: bad cache hit

2011-11-25 Thread Tony Finch
Bryton bry...@tznic.or.tz wrote: I wonder if anyone has ever got the error In my logs I have some of this: 25-Nov-2011 11:23:00.332 dnssec: info: validating @0xabe00470: uofk.edu MX: bad cache hit (uofk.edu/DNSKEY) Which is fairly nicely explained by this:

Re: split horizon and zone transfers to secondary DNS servers

2011-11-28 Thread Tony Finch
Marek Kozlowski kozlo...@mini.pw.edu.pl wrote: OK. Let's assume I have only one primary and only one secondary DNS. I have two views on my primary. May I set up the secondary one for two views as well I make it fully synchronized to the primary one? (AFAIK for `allow-transfer' I specify IP

Re: sub-domain setup

2011-11-28 Thread Tony Finch
Dan McDaniel d...@dm3.us wrote: I'm setting up a new DNS server. We have two offices linked by a VPN. I'm trying to decide whether to have everything under a single domain (example.com) or to split them into sub-domains (office1.example.com, office2.example.com). If your DNS is mostly static

Re: How to identify a raw zone file

2011-12-02 Thread Tony Finch
Evan Hunt e...@isc.org wrote: I'd recommend checking the next four octets as well; they'll be 00 00 00 00 or 00 00 00 01. The first of those is the format that's always been used up to now; the second is the format that will be used in 9.9.0, starting with the next beta. Would it be

[ANN] nsdiff version 1.33

2011-12-02 Thread Tony Finch
nsdiff is an add-on tool for BIND that compares old and new versions of a zone and generates an nsupdate script that turns the old version into the new version. It is designed to bridge the gap between static master files and dynamic DNS updates, making it easier to use auto-dnssec maintain.

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-10 Thread Tony Finch
Irwin Tillman ir...@princeton.edu wrote: What's the recommended approach? My empty zone is: @ SOA localhost. root.localhost. 1 1h 1000 1w 1h NSlocalhost. I also have a localhost. zone (RFC 2606) which is: @ SOA localhost. root.localhost. 1 1h 1000 1w 1h NSlocalhost. A

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-11 Thread Tony Finch
Matus UHLAR - fantomas uh...@fantomas.sk wrote: I prefer defining 127.in-addr.arpa and inside: 1.0.0 PTR localhost. I used to do that, but I need fewer zone files if I use the same reverse zone for v6 and v4 :-) I have fairly extensive setup for bogons, and I have set up empty zones to cover

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Tony Finch
Howard Leadmon how...@leadmon.net wrote: So I guess my million dollar question is, I want to use DNSSEC (it's actually working now), but I want to be able to edit my zone files the way I always have for many years, and just have BIND sign the zones with the keys and update as needed to keep

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Tony Finch
Phil Mayers p.may...@imperial.ac.uk wrote: Something like Tony's nsdiff script (see his post) makes it relatively easy, but it's still another step. It's more like a replacement step: run nsdiff | nsupdate instead of rndc reload. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-12 Thread Tony Finch
Sten Carlsen st...@s-carlsen.dk wrote: Good news is that you should simplify your bogon list, lots of those addresses are now actually in use; e.g. I have regular visits on my pages by 2.x.x.x as they are now mostly handed out (local ISP here) and in legitimate use. My bogon list only

Re: bind 9.9 inline-signing issue..

2012-01-30 Thread Tony Finch
Mark Elkins m...@posix.co.za wrote: I also see... $TTL 0 ; 0 seconds TYPE65534 \# 5 ( 08467D0001 ) TYPE65534 \# 5 ( 0896730001 ) appearing on a secondary for this zone. What is it? (Yes - an unknown data type - the secondary is running bind

Re: bind 9.9 inline-signing issue..

2012-01-30 Thread Tony Finch
Alan Clegg a...@clegg.com wrote: Just be sure to watch for the extra SOA record. :) Or use dig axfr +onesoa ... Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ South-east Iceland: Southerly 5 to 7, occasionally gale 8, but variable 4 at first and later in west. Very rough,

RE: How to validate DNSSEC signed record with dig?

2012-02-06 Thread Tony Finch
Spain, Dr. Jeffry A. spa...@countryday.net wrote: Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com) doesn't appear to offer DNSSEC validation, and 78.46.213.227 (rms.coozila.com) doesn't respond to my query at all. It's worse than that. Google Public DNS doesn't support

Re: Same Transaction ID queries

2012-02-06 Thread Tony Finch
Samer Khattab skhat...@gmail.com wrote: What is BIND internal logic when such a series of queries are received, and why it would not answer to all requests. Each query in progress from a given client must have a different ID, so queries with the same ID are logically the same query which only

Re: How to validate DNSSEC signed record with dig?

2012-02-07 Thread Tony Finch
William Thierry SAMEN thierry.sa...@gmail.com wrote: I'm trying to sign a zone on Bind 9.8-P1 but i have this message: *dnssec-signzone: fatal: key myKSK.key not at origin* It means the zone name in the key is not the same as the zone you are signing. Tony. -- f.anthony.n.finch

Re: How to validate DNSSEC signed record with dig?

2012-02-08 Thread Tony Finch
William Thierry SAMEN thierry.sa...@gmail.com wrote: My file zone: Er this looks like a key file, not a zone file. The key has been generated incorrectly: it has a file name where the zone name should be. ; This is a zone-signing key, keyid 12762, for *../etc/toto.com.* ; Created:

Re: How to validate DNSSEC signed record with dig?

2012-02-08 Thread Tony Finch
William Thierry SAMEN thierry.sa...@gmail.com wrote: dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not at top of zone dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at top of zone This is because your zone uses an include directive to

Re: PLEASE READ: An Important Security Announcement from ISC

2012-02-08 Thread Tony Finch
Chris Thompson c...@cam.ac.uk wrote: More directly, http://www.cs.indiana.edu/classes/b649-gupt/kangLiNDSS12.pdf This is definitely worth reading, being an interesting new twist on a fairly old theme. Paul Vixie was trying to do something about risks in this area a couple of years ago:

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-13 Thread Tony Finch
Florian Weimer f...@deneb.enyo.de wrote: Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does not extend too far into the future? It depends on the TTL of the DS record or its proof of nonexistence. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ North FitzRoy,

Re: A few conceptual question about dnssec.

2012-02-17 Thread Tony Finch
dE . de.tec...@gmail.com wrote: Firstly, where do we get the public key for the DS records? A zone's DNSKEY RRset contains its public keys, and these are hashed to make its DS records. For example, $ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g' isc.org. IN DS 12892 5 1
