Re: dnssec updated zone data is not live ??
Niobos wrote: On 17 Dec 2009, at 20:50, Kevin Darcy wrote: Cat'ing the zone file is no longer reliable once you've enabled a zone for Dynamic Update. There might be updates in the log file which haven't been committed to the actual zone file yet. That's why I recommended that you use an AXFR of the zone to check for changes recently made. Or do an rndc freeze example.net. This will stop dynamic updates to the zone and commit the logfile to the zonefile. Be sure to do an rndc unfreeze example.net when you're done to reenable dynamic updates. rndc thaw [zone] is the documented way to resume dynamic updates. I'd also recommend getting acquainted with named-journalprint (formerly just journalprint) which will allow you to see the deltas that have been made to a given zone without taking that zone into frozen state. AlanC ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec updated zone data is not live ??
On Dec 18 2009, Alan Clegg wrote: Niobos wrote: On 17 Dec 2009, at 20:50, Kevin Darcy wrote: Cat'ing the zone file is no longer reliable once you've enabled a zone for Dynamic Update. There might be updates in the log file which haven't been committed to the actual zone file yet. That's why I recommended that you use an AXFR of the zone to check for changes recently made. Or do an rndc freeze example.net. This will stop dynamic updates to the zone and commit the logfile to the zonefile. Be sure to do an rndc unfreeze example.net when you're done to reenable dynamic updates. rndc thaw [zone] is the documented way to resume dynamic updates. I'd also recommend getting acquainted with named-journalprint (formerly just journalprint) which will allow you to see the deltas that have been made to a given zone without taking that zone into frozen state. There is also the -j option of named-checkzone (combined with writing out a clean version with -D -o), but unfortunately that only works if the journal is named using the default add .jnl to the zone file name convention. Altogether, using AXFR is the thing to get used to using in this context. (If you disable zone transfers generally, at least allow them on the loopback interface.) Then start using masterfile-format raw, and forget about thinking of zone files are something human readable ... -- Chris Thompson Email: c...@cam.ac.uk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec updated zone data is not live ??
Gregory Machin wrote: On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy k...@chrysler.com wrote: Gregory Machin wrote: Hi Please can you advise. I's been ages since I have configured dnssec . I used nsupdate (with dnssec) to update a zone file with all the host current ip's so that they are reachable via a host name even when the ip has changed (a dyndns.org type of thing). Everything seems to work fine named accepts the update and writes it to the .jnl file but when it try and ping the updated host name I get ping: unknown host greg.za.protetor.net, and this is one the server running named. yet I the logs show Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': deleting rrset at 'greg.device.example.net' A Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': adding an RR at 'greg.device.example.net' A Which is correct from what I remember the last time I did this. my zone configuration: /etc/named.conf zone device.example.net { type master; file /var/named/device.example.net.db; allow-transfer { any; }; allow-update { key device.example.net; }; }; zone file: $ORIGIN . $TTL 3600 ; 1 hour device.example.net IN SOA ns1.example.net. ns2.example.net. ( 2009120805 ; serial 900; refresh (15 minutes) 600; retry (10 minutes) 86400 ; expire (1 day) 3600 ; minimum (1 hour) ) NS ns1.example.net. NS ns2.example.net. A 205.234.215.112 MX 0 server.example.net. $ORIGIN device.example.net. $TTL 60 ; 1 minute gregA 97.xxx.xxx.127 Running: BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5 First of all, are you talking about DNSSEC, or just plain Dynamic Update (presumably crypto-authenticated if this is going to be a publically-updateable zone)? I don't see any DNSSEC records in the zone file you posted. Secondly, if you do an AXFR of the zone after the Dynamic Update, does it reflect the change? Thirdly, on the machine which is originating the ping, how is it set up to resolve names? Does it only use DNS? Does it only use *itself* for resolving DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)? If so, have you waited long enough for the entries to expire from that intermediate cache? - Kevin ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Hi kevin Just plain Dynamic Update with crypto-authenticated keys if I do a dig on r...@server [~]# dig @ns1.example.net device.example.net A +tcp ; DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 @ns1.example.net device.example.net A +tcp ; (1 server found) ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 44660 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;device.example.net.IN A ;; ANSWER SECTION: device.example.net. 3600IN A 205.xxx.xxx.112 ;; AUTHORITY SECTION: device.example.net. 3600IN NS ns1.example.net. device.example.net. 3600IN NS ns2.example.net. ;; Query time: 1 msec ;; SERVER: 205.234.215.113#53(205.234.215.113) ;; WHEN: Fri Dec 11 03:30:08 2009 ;; MSG SIZE rcvd: 85 There should be an A record for a host greg.device.example.net. IN A 97.xxx.xxx.127 Yet if I cat the zone file there is a record gregA 97.xxx.xxx.127 I'm doing the ping on the dns server that is hosting the device.example.net zone .. Cat'ing the zone file is no longer reliable once you've enabled a zone for Dynamic Update. There might be updates in the log file which haven't been committed to the actual zone file yet. That's why I recommended that you use an AXFR of the zone to check for changes recently made. - Kevin ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
[Fwd: Re: dnssec updated zone data is not live ??]
Sorry, I meant journal file, not log file. Also, your original message states that the change was written to the journal. How are you checking that? Using something like journalprint? I'd still recommend doing an AXFR if you want to know what's _really_ in the zone on the master. - Kevin ---BeginMessage--- Gregory Machin wrote: On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy k...@chrysler.com wrote: Gregory Machin wrote: Hi Please can you advise. I's been ages since I have configured dnssec . I used nsupdate (with dnssec) to update a zone file with all the host current ip's so that they are reachable via a host name even when the ip has changed (a dyndns.org type of thing). Everything seems to work fine named accepts the update and writes it to the .jnl file but when it try and ping the updated host name I get ping: unknown host greg.za.protetor.net, and this is one the server running named. yet I the logs show Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': deleting rrset at 'greg.device.example.net' A Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': adding an RR at 'greg.device.example.net' A Which is correct from what I remember the last time I did this. my zone configuration: /etc/named.conf zone device.example.net { type master; file /var/named/device.example.net.db; allow-transfer { any; }; allow-update { key device.example.net; }; }; zone file: $ORIGIN . $TTL 3600 ; 1 hour device.example.net IN SOA ns1.example.net. ns2.example.net. ( 2009120805 ; serial 900; refresh (15 minutes) 600; retry (10 minutes) 86400 ; expire (1 day) 3600 ; minimum (1 hour) ) NS ns1.example.net. NS ns2.example.net. A 205.234.215.112 MX 0 server.example.net. $ORIGIN device.example.net. $TTL 60 ; 1 minute gregA 97.xxx.xxx.127 Running: BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5 First of all, are you talking about DNSSEC, or just plain Dynamic Update (presumably crypto-authenticated if this is going to be a publically-updateable zone)? I don't see any DNSSEC records in the zone file you posted. Secondly, if you do an AXFR of the zone after the Dynamic Update, does it reflect the change? Thirdly, on the machine which is originating the ping, how is it set up to resolve names? Does it only use DNS? Does it only use *itself* for resolving DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)? If so, have you waited long enough for the entries to expire from that intermediate cache? - Kevin ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Hi kevin Just plain Dynamic Update with crypto-authenticated keys if I do a dig on r...@server [~]# dig @ns1.example.net device.example.net A +tcp ; DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 @ns1.example.net device.example.net A +tcp ; (1 server found) ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 44660 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;device.example.net.IN A ;; ANSWER SECTION: device.example.net. 3600IN A 205.xxx.xxx.112 ;; AUTHORITY SECTION: device.example.net. 3600IN NS ns1.example.net. device.example.net. 3600IN NS ns2.example.net. ;; Query time: 1 msec ;; SERVER: 205.234.215.113#53(205.234.215.113) ;; WHEN: Fri Dec 11 03:30:08 2009 ;; MSG SIZE rcvd: 85 There should be an A record for a host greg.device.example.net. IN A 97.xxx.xxx.127 Yet if I cat the zone file there is a record gregA 97.xxx.xxx.127 I'm doing the ping on the dns server that is hosting the device.example.net zone .. Cat'ing the zone file is no longer reliable once you've enabled a zone for Dynamic Update. There might be updates in the log file which haven't been committed to the actual zone file yet. That's why I recommended that you use an AXFR of the zone to check for changes recently made. - Kevin ---End Message--- ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec updated zone data is not live ??
On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy k...@chrysler.com wrote: Gregory Machin wrote: Hi Please can you advise. I's been ages since I have configured dnssec . I used nsupdate (with dnssec) to update a zone file with all the host current ip's so that they are reachable via a host name even when the ip has changed (a dyndns.org type of thing). Everything seems to work fine named accepts the update and writes it to the .jnl file but when it try and ping the updated host name I get ping: unknown host greg.za.protetor.net, and this is one the server running named. yet I the logs show Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': deleting rrset at 'greg.device.example.net' A Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': adding an RR at 'greg.device.example.net' A Which is correct from what I remember the last time I did this. my zone configuration: /etc/named.conf zone device.example.net { type master; file /var/named/device.example.net.db; allow-transfer { any; }; allow-update { key device.example.net; }; }; zone file: $ORIGIN . $TTL 3600 ; 1 hour device.example.net IN SOA ns1.example.net. ns2.example.net. ( 2009120805 ; serial 900 ; refresh (15 minutes) 600 ; retry (10 minutes) 86400 ; expire (1 day) 3600 ; minimum (1 hour) ) NS ns1.example.net. NS ns2.example.net. A 205.234.215.112 MX 0 server.example.net. $ORIGIN device.example.net. $TTL 60 ; 1 minute greg A 97.xxx.xxx.127 Running: BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5 First of all, are you talking about DNSSEC, or just plain Dynamic Update (presumably crypto-authenticated if this is going to be a publically-updateable zone)? I don't see any DNSSEC records in the zone file you posted. Secondly, if you do an AXFR of the zone after the Dynamic Update, does it reflect the change? Thirdly, on the machine which is originating the ping, how is it set up to resolve names? Does it only use DNS? Does it only use *itself* for resolving DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)? If so, have you waited long enough for the entries to expire from that intermediate cache? - Kevin ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Hi kevin Just plain Dynamic Update with crypto-authenticated keys if I do a dig on r...@server [~]# dig @ns1.example.net device.example.net A +tcp ; DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 @ns1.example.net device.example.net A +tcp ; (1 server found) ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 44660 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;device.example.net.IN A ;; ANSWER SECTION: device.example.net. 3600IN A 205.xxx.xxx.112 ;; AUTHORITY SECTION: device.example.net. 3600IN NS ns1.example.net. device.example.net. 3600IN NS ns2.example.net. ;; Query time: 1 msec ;; SERVER: 205.234.215.113#53(205.234.215.113) ;; WHEN: Fri Dec 11 03:30:08 2009 ;; MSG SIZE rcvd: 85 There should be an A record for a host greg.device.example.net. IN A 97.xxx.xxx.127 Yet if I cat the zone file there is a record gregA 97.xxx.xxx.127 I'm doing the ping on the dns server that is hosting the device.example.net zone .. Thanks for your assistance .. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users