Re: dnssec updated zone data is not live ??

2009-12-18 Thread Alan Clegg

Niobos wrote:

On 17 Dec 2009, at 20:50, Kevin Darcy wrote:

Cat'ing the zone file is no longer reliable once you've enabled a
zone for Dynamic Update. There might be updates in the log file
which haven't been committed to the actual zone file yet. That's
why I recommended that you use an AXFR of the zone to check for
changes recently made.


Or do an rndc freeze example.net. This will stop dynamic updates to
the zone and commit the logfile to the zonefile. Be sure to do an
rndc unfreeze example.net when you're done to reenable dynamic
updates. 


rndc thaw [zone] is the documented way to resume dynamic updates.

I'd also recommend getting acquainted with named-journalprint 
(formerly just journalprint) which will allow you to see the deltas 
that have been made to a given zone without taking that zone into 
frozen state.


AlanC
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: dnssec updated zone data is not live ??

2009-12-18 Thread Chris Thompson

On Dec 18 2009, Alan Clegg wrote:


Niobos wrote:

On 17 Dec 2009, at 20:50, Kevin Darcy wrote:

Cat'ing the zone file is no longer reliable once you've enabled a
zone for Dynamic Update. There might be updates in the log file
which haven't been committed to the actual zone file yet. That's
why I recommended that you use an AXFR of the zone to check for
changes recently made.


Or do an rndc freeze example.net. This will stop dynamic updates to
the zone and commit the logfile to the zonefile. Be sure to do an
rndc unfreeze example.net when you're done to reenable dynamic
updates. 


rndc thaw [zone] is the documented way to resume dynamic updates.

I'd also recommend getting acquainted with named-journalprint 
(formerly just journalprint) which will allow you to see the deltas 
that have been made to a given zone without taking that zone into 
frozen state.


There is also the -j option of named-checkzone (combined with writing
out a clean version with -D  -o), but unfortunately that only works
if the journal is named using the default "add .jnl to the zone file
name" convention.

Altogether, using AXFR is the thing to get used to using in this
context. (If you disable zone transfers generally, at least allow
them on the loopback interface.) Then start using masterfile-format
raw, and forget about thinking of zone files as something human
readable ...

--
Chris Thompson
Email: c...@cam.ac.uk
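Kevin's "use an AXFR" advice and Alan's and Chris's pointers to the journal come together in this added Python example (not from the thread and not BIND's own code): it replays named-journalprint style add/del deltas onto a zone file to show why the file alone is stale and what the live zone actually holds. The zone file, the journal lines, the TEST-NET addresses and the serial bump are all constructed samples; only the add/del owner TTL class type rdata line shape follows named-journalprint's real output.

```python
# Added example, not BIND's own code: replay named-journalprint deltas onto
# the on-disk zone file to see what an AXFR of the live zone would return.
# Constructed zone file (names fully qualified, $ORIGIN/$TTL expanded; 192.0.2.x is TEST-NET).
ZONE_FILE = """\
device.example.net.      3600 IN SOA ns1.example.net. ns2.example.net. 2009120805 900 600 86400 3600
device.example.net.      3600 IN NS  ns1.example.net.
device.example.net.      3600 IN A   205.234.215.112
greg.device.example.net. 60   IN A   192.0.2.126
"""

# Constructed `named-journalprint device.example.net.db.jnl` output: one
# nsupdate transaction that bumped the serial and replaced greg's A record.
JOURNAL = """\
del device.example.net.      3600 IN SOA ns1.example.net. ns2.example.net. 2009120805 900 600 86400 3600
add device.example.net.      3600 IN SOA ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
del greg.device.example.net. 60   IN A   192.0.2.126
add greg.device.example.net. 60   IN A   192.0.2.127
"""

def parse_rr(line):  # presentation-format RR -> (owner, ttl, class, type, rdata)
    f = line.split()
    if len(f) < 5:
        raise ValueError(f"not a complete RR: {line!r}")
    return (f[0].lower(), int(f[1]), f[2].upper(), f[3].upper(), " ".join(f[4:]))

def load_zone(text):  # zone file -> set of RRs, skipping blank and ; comment lines
    return {parse_rr(ln) for ln in text.splitlines() if ln.strip() and not ln.startswith(";")}

def apply_journal(rrs, journal_text):
    # Replay del/add lines in order. A del that finds nothing means this
    # journal does not belong to this copy of the file: refuse, don't guess.
    live = set(rrs)
    for ln in filter(str.strip, journal_text.splitlines()):
        op, rest = ln.split(None, 1)
        rr = parse_rr(rest)
        if op == "del" and rr in live:
            live.remove(rr)
        elif op == "add":
            live.add(rr)
        else:
            raise ValueError(f"journal does not apply to this zone file: {ln!r}")
    return live

def rdata_of(rrs, owner, rtype):  # one RRset's rdata, as an AXFR would list it
    return sorted(rr[4] for rr in rrs if rr[0] == owner.lower() and rr[3] == rtype.upper())

def soa_serial(rrs):  # serial field of the zone's single SOA
    (soa,) = [rr for rr in rrs if rr[3] == "SOA"]
    return int(soa[4].split()[2])
```

Comparing `rdata_of(load_zone(ZONE_FILE), ...)` with the same lookup after `apply_journal` is exactly the gap between cat'ing the file and transferring the zone.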



Re: dnssec updated zone data is not live ??

2009-12-17 Thread Kevin Darcy

Gregory Machin wrote:

On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy k...@chrysler.com wrote:
  

Gregory Machin wrote:


Hi
Please can you advise. It's been ages since I have configured dnssec.
I used nsupdate (with dnssec) to update a zone file with all the hosts'
current IPs so that they are reachable via a host name even when the
IP has changed (a dyndns.org type of thing). Everything seems to work
fine: named accepts the update and writes it to the .jnl file, but when
I try to ping the updated host name I get "ping: unknown host
greg.za.protetor.net", and this is on the server running named. Yet
the logs show

Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
external: updating zone 'device.example.net/IN': deleting rrset at
'greg.device.example.net' A
Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
external: updating zone 'device.example.net/IN': adding an RR at
'greg.device.example.net' A

Which is correct from what I remember the last time I did this.

my zone configuration:
/etc/named.conf
zone "device.example.net" {
    type master;
    file "/var/named/device.example.net.db";
    allow-transfer { any; };
    allow-update { key "device.example.net"; };
};


zone file:

$ORIGIN .
$TTL 3600       ; 1 hour
device.example.net      IN SOA  ns1.example.net. ns2.example.net. (
                                2009120805 ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.example.net.
                        NS      ns2.example.net.
                        A       205.234.215.112
                        MX      0 server.example.net.
$ORIGIN device.example.net.
$TTL 60 ; 1 minute
greg                    A       97.xxx.xxx.127



Running:
BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5



  

First of all, are you talking about DNSSEC, or just plain Dynamic Update
(presumably crypto-authenticated if this is going to be a
publicly-updateable zone)? I don't see any DNSSEC records in the zone file
you posted.

Secondly, if you do an AXFR of the zone after the Dynamic Update, does it
reflect the change?

Thirdly, on the machine which is originating the ping, how is it set up to
resolve names? Does it only use DNS? Does it only use *itself* for resolving
DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)?
If so, have you waited long enough for the entries to expire from that
intermediate cache?

- Kevin





Hi Kevin
Just plain Dynamic Update with crypto-authenticated keys.

If I do a dig on
r...@server [~]# dig @ns1.example.net device.example.net A +tcp

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @ns1.example.net device.example.net A +tcp
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44660
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;device.example.net.            IN      A

;; ANSWER SECTION:
device.example.net.     3600    IN      A       205.xxx.xxx.112

;; AUTHORITY SECTION:
device.example.net.     3600    IN      NS      ns1.example.net.
device.example.net.     3600    IN      NS      ns2.example.net.

;; Query time: 1 msec
;; SERVER: 205.234.215.113#53(205.234.215.113)
;; WHEN: Fri Dec 11 03:30:08 2009
;; MSG SIZE  rcvd: 85

There should be an A record for a host greg.device.example.net. IN A
97.xxx.xxx.127
Yet if I cat the zone file there is a record

greg                    A       97.xxx.xxx.127

I'm doing the ping on the dns server that is hosting the
device.example.net zone ..

  
Cat'ing the zone file is no longer reliable once you've enabled a zone 
for Dynamic Update. There might be updates in the log file which haven't 
been committed to the actual zone file yet. That's why I recommended 
that you use an AXFR of the zone to check for changes recently made.



 - Kevin




[Fwd: Re: dnssec updated zone data is not live ??]

2009-12-17 Thread Kevin Darcy

Sorry, I meant journal file, not log file.

Also, your original message states that the change was written to the 
journal. How are you checking that? Using something like journalprint?


I'd still recommend doing an AXFR if you want to know what's _really_ in 
the zone on the master.



   - Kevin



Re: dnssec updated zone data is not live ??

2009-12-11 Thread Gregory Machin

On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy k...@chrysler.com wrote:
 Gregory Machin wrote:

 Hi
 Please can you advise. It's been ages since I have configured dnssec.
 I used nsupdate (with dnssec) to update a zone file with all the hosts'
 current IPs so that they are reachable via a host name even when the
 IP has changed (a dyndns.org type of thing). Everything seems to work
 fine: named accepts the update and writes it to the .jnl file, but when
 I try to ping the updated host name I get "ping: unknown host
 greg.za.protetor.net", and this is on the server running named. Yet
 the logs show

 Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
 external: updating zone 'device.example.net/IN': deleting rrset at
 'greg.device.example.net' A
 Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
 external: updating zone 'device.example.net/IN': adding an RR at
 'greg.device.example.net' A

 Which is correct from what I remember the last time I did this.

 my zone configuration:
 /etc/named.conf
 zone device.example.net {
        type master;
        file /var/named/device.example.net.db;
        allow-transfer { any; };
        allow-update { key device.example.net; };
 };


 zone file:

 $ORIGIN .
 $TTL 3600       ; 1 hour
 device.example.net         IN SOA  ns1.example.net. ns2.example.net. (
                                2009120805 ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.example.net.
                        NS      ns2.example.net.
                        A       205.234.215.112
                        MX      0 server.example.net.
 $ORIGIN device.example.net.
 $TTL 60 ; 1 minute
 greg                    A       97.xxx.xxx.127



 Running:
 BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5




 First of all, are you talking about DNSSEC, or just plain Dynamic Update
 (presumably crypto-authenticated if this is going to be a
 publicly-updateable zone)? I don't see any DNSSEC records in the zone file
 you posted.

 Secondly, if you do an AXFR of the zone after the Dynamic Update, does it
 reflect the change?

 Thirdly, on the machine which is originating the ping, how is it set up to
 resolve names? Does it only use DNS? Does it only use *itself* for resolving
 DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)?
 If so, have you waited long enough for the entries to expire from that
 intermediate cache?

 - Kevin



Hi Kevin
Just plain Dynamic Update with crypto-authenticated keys.

If I do a dig on
r...@server [~]# dig @ns1.example.net device.example.net A +tcp

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @ns1.example.net device.example.net A +tcp
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44660
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;device.example.net.            IN      A

;; ANSWER SECTION:
device.example.net.     3600    IN      A       205.xxx.xxx.112

;; AUTHORITY SECTION:
device.example.net.     3600    IN      NS      ns1.example.net.
device.example.net.     3600    IN      NS      ns2.example.net.

;; Query time: 1 msec
;; SERVER: 205.234.215.113#53(205.234.215.113)
;; WHEN: Fri Dec 11 03:30:08 2009
;; MSG SIZE  rcvd: 85

There should be an A record for a host greg.device.example.net. IN A
97.xxx.xxx.127
Yet if I cat the zone file there is a record

greg                    A       97.xxx.xxx.127

I'm doing the ping on the dns server that is hosting the
device.example.net zone ..

Thanks for your assistance ..