Re: nsupdate TSIG error?

2022-02-24 Thread @lbutlr
On 2022 Feb 24, at 14:19, @lbutlr  wrote:
> I am invoking nsupdate with 

Oh, never mind. Major Brain Fart.


-- 
"Everyone has a photographic Memory, some just don't have film."
~Steven Wright

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: nsupdate -g always uses master from SOA to form SPN

2021-08-26 Thread Chris Buxton
Use of a hidden primary makes some sense for external (public) DNS, but IMO not 
for situations where you would want to use GSS-TSIG. So while I would consider 
this a bug, I don’t think it will be tripped often.

BIND does support multiple SPNs on a single server, but you have to change how 
you configure it.

Regards,
Chris Buxton

> On Aug 26, 2021, at 7:32 AM, Magnus Holmgren wrote:
> 
> When using GSS-TSIG, nsupdate (with the -g flag) always forms the SPN from the
> master server specified in the SOA record, rather than the server specified
> with the server command. Is that really correct behaviour, or should I report
> this as a bug? I've been scouring the Internet, but couldn't find any prior
> discussion about this particular situation.
> 
> The issue arises when employing a hidden primary, and the server in the SOA
> record is actually a secondary, which I thought was a rather common setup. In
> this situation, the real primary has to be specified with the server command,
> and I thought the SPN should represent the service and server being
> communicated with.
> 
> I can work around the problem by adding an SPN matching the SOA primary to
> Kerberos, but AFAIU, BIND can only be configured (tkey-gssapi-credential) to
> use a single SPN to look up keys in the keytab, so all the SPNs involved have
> to be aliases of each other, it seems.
> 
> --
> Magnus Holmgren
> MILLNET AB
> 
> --
> When contacting Millnet by e-mail, it is normal that at least some personal
> data about you is stored. You can read more about which data is stored and
> how we handle it at https://www.millnet.se/integritetspolicy/.





Re: nsupdate and zone files, was Re: Using RNDC to control remote access to my BIND server

2021-04-25 Thread Tony Finch
Paul Kosinski via bind-users  wrote:

> A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP)
> IP address for my very simple domain. It worked, except that it totally
> messed up the organization of the zone file. Since the file only has 44
> active lines (which are organized logically), I maintain it by hand.
> After nsupdate made the one line change, the zone file became
> unmaintainable.
>
> Was this a bug in nsupdate, or does nobody try to understand their zone
> files.

When you have a zone that accepts dynamic updates, then its zone file is
owned by `named`, and `named` will rewrite the file to incorporate
updates, which (as you saw) also strips out comments and canonicalizes the
formatting. This is often surprising and upsetting to people who are new
to dynamic updates - you are not alone!

Basically, if you are doing dynamic updates, then the source of truth for
your zone needs to be somewhere else, not the zone file used by `named`.
(For example, at my work our zones are stored in a database and edited
with a web front end.)

I have some scripts which allow you to maintain your zone file however you
want, and push any differences into `named` using `nsupdate`, so you never
need to touch the zone files that it owns. https://dotat.at/prog/nsdiff/

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Lyme Regis to Lands End including the Isles of Scilly: Easterly or
northeasterly 5 to 7, occasionally 4 in east. Moderate or rough. Fair.
Good.



Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?

2020-07-28 Thread Brett Delmage

On Wed, 29 Jul 2020, Mark Andrews wrote:

> Make sure you are using the CORRECT name in the dig query.  You used
> ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca.

Thanks Mark... so tired I didn't see that when staring at it.
(Blame grass allergies and terrible heat lately.)

> Also you can delete and add in the same UPDATE operation.  Remove the
> first “send” in nsupdate.script.

Yes, thanks for the tip. I did man nsupdate :-) I had
nsupdate debug enabled earlier, so split it up while testing.

> Also ottawatch.ca has DS records but the zone is not signed.  You need
> to fix this as lookups are failing for anyone that is validating responses.

Again, testing artifact. Domain is actually signed but I disabled that and
took it out of the config to simplify while testing.

Domain is not live for anything now but my kicking around so no harm done
except to eagle eyes like yours who look up DNSSEC chain of trust :-)

Thanks for your second look and premiere response.

Brett

p.s. this Mailman list is slightly misconfigured. I have DKIM signing and
a DMARC policy, so get lots of failure reports when I post to this list.
Any chance you guys could toggle that flag so the list doesn't break DKIM
signing? It's a straight-forward toggle; I use it on Mailman lists I run.


Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?

2020-07-28 Thread Mark Andrews
Make sure you are using the CORRECT name in the dig query.  You used
ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca.

Also you can delete and add in the same UPDATE operation.  Remove the
first “send” in nsupdate.script.

Also ottawatch.ca has DS records but the zone is not signed.  You need
to fix this as lookups are failing for anyone that is validating responses.

ottawatch.ca.   86400   IN  DS  63970 8 1 FE95768ADB2B2F9E87B3C6B4210D4C21766A2EC6
ottawatch.ca.   86400   IN  DS  63970 8 2 1139FAEF396A03435BD093ACA623306B3307D11163188D4D5143909D 3CEF76EC

Mark

> On 29 Jul 2020, at 12:30, Brett Delmage  wrote:
> 
> nsupdate works according to updated contents of a dynamic zonefile but dig 
> does not report the added A record.
> 
> What am I doing stupidly here?
> 
> BIND version 1:9.16.5-1+ubuntu18.04.1
> - both authoritative and local recursive
> 
> zone config:
> zone "ottawatch.ca"
>{
>type master;
>file "/var/lib/bind/master/ottawatch.ca";
>allow-transfer { key "pannier-xfer"; };
>notify yes;
>update-policy { grant ddns-key.ottawatch.ca subdomain ottawatch.ca.; };
>};
> 
> [do I have the correct update-policy syntax?]
> (I also tried "update-policy local" with nsupdate -l, with same results.)
> 
> 
> # nsupdate -D -k ddns-key.ottawatch.ca nsupdate.script
> 
> nsupdate.script:
> 
> server 127.0.0.1
> zone ottawatch.ca.
> update del ddns-update.ottawatch.ca. a
> send
> update add ddns-update.ottawatch.ca. 999 a 3.4.5.8
> send
> 
> zone DB after update and "rndc sync" executed to incorporate .jnl:
> 
> $ORIGIN .
> $TTL 900; 15 minutes
> ottawatch.caIN SOA  cacloud.ottawatch.ca. 
> hostmaster.ottawatch.ca. (
>2020072808 ; serial
>900; refresh (15 minutes)
>180; retry (3 minutes)
>2419200; expire (4 weeks)
>900; minimum (15 minutes)
>)
>NS  cacloud.ottawatch.ca.
>NS  pannier.ottawatch.ca.
>A   206.248.172.47
>MX  10 mail1.ottawajazzscene.ca.
>TXT "v=spf1 a ip4:206.248.172.47 -all"
> $ORIGIN ottawatch.ca.
> cacloud A   23.111.69.176
>2607:7b00:7200:1::281a:5de2
> $TTL 999; 16 minutes 39 seconds
> ddns-update A   3.4.5.8 <--- nsupdate worked (it seems)
> $TTL 900; 15 minutes
> pannier A   206.248.172.47
>2607:f2c0:a000:1d1::73:1
> 
> 
> 
> # dig -4 @cacloud.ottawatch.ca cacloud.ottawatch.ca. a
> 
> ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca cacloud.ottawatch.ca. a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1862
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 195a1192604da78e01005f20daf7193b36ec5545d879 (good)
> ;; QUESTION SECTION:
> ;cacloud.ottawatch.ca.  IN  A
> 
> ;; ANSWER SECTION:
> cacloud.ottawatch.ca.   900 IN  A   23.111.69.176
> 
> ;; Query time: 0 msec
> ;; SERVER: 23.111.69.176#53(23.111.69.176)
> ;; WHEN: Tue Jul 28 22:12:07 EDT 2020
> ;; MSG SIZE  rcvd: 93
> 
> BUT dig does not report the nsupdate-added a record (NXDOMAIN):
> 
> # dig -4 @cacloud.ottawatch.ca ddns-key.ottawatch.ca. a
> 
> ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca ddns-key.ottawatch.ca. 
> a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49598
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 6db0ccbd0085ecca01005f20db0f7cdb769b038236f9 (good)
> ;; QUESTION SECTION:
> ;ddns-key.ottawatch.ca. IN  A
> 
> ;; AUTHORITY SECTION:
> ottawatch.ca.   900 IN  SOA cacloud.ottawatch.ca. 
> hostmaster.ottawatch.ca. 2020072808 900 180 2419200 900
> 
> ;; Query time: 0 msec
> ;; SERVER: 23.111.69.176#53(23.111.69.176)
> ;; WHEN: Tue Jul 28 22:12:31 EDT 2020
> ;; MSG SIZE  rcvd: 133
> 
> 
> A record added to the dynamic zone file manually works:
> 
> dig -4 @cacloud.ottawatch.ca bb.ottawatch.ca. a
> 
> ; <<>> DiG 9.16.5-Ubuntu <<>> -4 @cacloud.ottawatch.ca bb.ottawatch.ca. a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8033
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 8feed7fd82821e9a01005f20dc3de1670c37be1dadbc (good)
> 

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread vom513
Done:

https://gitlab.isc.org/isc-projects/bind9/-/issues/1907 


Thanks.

> On Jun 1, 2020, at 7:08 AM, Ondřej Surý  wrote:
> 
> I think it’s reasonable for nsupdate to do the chunking by itself. Patches
> are always welcome, but if you can start by creating an issue for us, it would
> be very much welcome. I can’t offer you any timeframe, but at least it won’t
> get lost.
> 
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
> 



Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread vom513
> On Jun 1, 2020, at 6:50 AM, Andreas S. Kerber  wrote:
> 
> Yeah, I had troubles with those 2048 bit DKIM records too. nsupdate will need 
> it like this:
> 
> server X.X.X.X
> zone ag-trek.de
> update add test.ag-trek.de. 86400 IN TXT "v=DKIM1; k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3LmxUW2tnM07YbofiOGR3T6KS/BfHmyPYe0GOEEch/abeTjaL3OtuhmVmr4QMe2HV/6n5SBiVh4PE2wZxUcS2LMNbo5Hn7KO3UsTbIxCKuM6jvUpWtJPgC0uBGNkEARQVBSjW9pqYUQYkXzXLEULbu1AThgaUvCbVzWmvTQeEFXbBWP24O/" "LkiprI+iKRskRv0qgIOV0CRm32tk4MP/IcZBdjZ3sHrg3myjVJPfSUBOUyISXKRtiwfIgPeCj4V97Q+psmHvnDz9EID0eZaKih8neroRBETYDLFYjd6Pv9JTqrY7jXOHhM4kmOZOUyNXEIz22JVuaNSJbtXzNWTKpyQIDAQAB"
> 
> 
> Break up the record in chunks of less than 255 bytes, enclose each of these
> parts with "" and feed nsupdate all of these chunks separated with a space on
> one line.

Thanks - that’s what I needed.  I have an ‘h=‘ tag as well, so I split mine 
into 3 “chunks”.


Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread Ondřej Surý
I think it’s reasonable for nsupdate to do the chunking by itself. Patches are
always welcome, but if you can start by creating an issue for us, it would be very
much welcome. I can’t offer you any timeframe, but at least it won’t get lost.

Ondrej
--
Ondřej Surý
ond...@isc.org

> On 1 Jun 2020, at 12:50, Andreas S. Kerber  wrote:
> 
> On Mon, Jun 01, 2020 at 04:11:43AM -0400, vom513 wrote:
>> Can anyone point me to an example of how to do this ?  I have a script that 
>> rotates my DKIM keys, and uses nsupdate to publish.  With 1024 bit - I must 
>> be getting by by the skin of my teeth…
>> 
>> When I try 2048 bit, the record is obviously longer.  All of my attempts of 
>> running it through the Rube Goldberg sed machine have failed - nsupdate 
>> chokes on format.
> 
> Yeah, I had troubles with those 2048 bit DKIM records too. nsupdate will need 
> it like this:
> 
> server X.X.X.X
> zone ag-trek.de
> update add test.ag-trek.de. 86400 IN TXT "v=DKIM1; k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3LmxUW2tnM07YbofiOGR3T6KS/BfHmyPYe0GOEEch/abeTjaL3OtuhmVmr4QMe2HV/6n5SBiVh4PE2wZxUcS2LMNbo5Hn7KO3UsTbIxCKuM6jvUpWtJPgC0uBGNkEARQVBSjW9pqYUQYkXzXLEULbu1AThgaUvCbVzWmvTQeEFXbBWP24O/" "LkiprI+iKRskRv0qgIOV0CRm32tk4MP/IcZBdjZ3sHrg3myjVJPfSUBOUyISXKRtiwfIgPeCj4V97Q+psmHvnDz9EID0eZaKih8neroRBETYDLFYjd6Pv9JTqrY7jXOHhM4kmOZOUyNXEIz22JVuaNSJbtXzNWTKpyQIDAQAB"
> 
> 
> Break up the record in chunks of less than 255 bytes, enclose each of these
> parts with "" and feed nsupdate all of these chunks separated with a space on
> one line.





Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread Andreas S. Kerber
On Mon, Jun 01, 2020 at 04:11:43AM -0400, vom513 wrote:
> Can anyone point me to an example of how to do this ?  I have a script that 
> rotates my DKIM keys, and uses nsupdate to publish.  With 1024 bit - I must 
> be getting by by the skin of my teeth…
> 
> When I try 2048 bit, the record is obviously longer.  All of my attempts of 
> running it through the Rube Goldberg sed machine have failed - nsupdate 
> chokes on format.

Yeah, I had troubles with those 2048 bit DKIM records too. nsupdate will need 
it like this:

server X.X.X.X
zone ag-trek.de
update add test.ag-trek.de. 86400 IN TXT "v=DKIM1; k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3LmxUW2tnM07YbofiOGR3T6KS/BfHmyPYe0GOEEch/abeTjaL3OtuhmVmr4QMe2HV/6n5SBiVh4PE2wZxUcS2LMNbo5Hn7KO3UsTbIxCKuM6jvUpWtJPgC0uBGNkEARQVBSjW9pqYUQYkXzXLEULbu1AThgaUvCbVzWmvTQeEFXbBWP24O/" "LkiprI+iKRskRv0qgIOV0CRm32tk4MP/IcZBdjZ3sHrg3myjVJPfSUBOUyISXKRtiwfIgPeCj4V97Q+psmHvnDz9EID0eZaKih8neroRBETYDLFYjd6Pv9JTqrY7jXOHhM4kmOZOUyNXEIz22JVuaNSJbtXzNWTKpyQIDAQAB"


Break up the record in chunks of less than 255 bytes, enclose each of these
parts with "" and feed nsupdate all of these chunks separated with a space on
one line.
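The chunking Andreas describes (and that Ondřej later says nsupdate ought to do itself), as an added Python example that is not code from this thread, from nsupdate or from BIND. It splits the TXT rdata on raw bytes, since the 255-byte limit of a DNS <character-string> is a wire-format limit, escapes quotes, backslashes and non-printable bytes the way zone-file syntax expects, and emits the whole nsupdate batch as a delete-plus-add in one transaction so the selector is never published empty during a key rotation. The function names, the server address and SAMPLE_DKIM are constructed for the example.

```python
# Added example (not code from the thread, from nsupdate or from BIND):
# split an over-long TXT rdata into <character-string> chunks and build
# the nsupdate batch. Names below and SAMPLE_DKIM are constructed.

MAX_CHARACTER_STRING = 255  # RFC 1035 <character-string> length limit, in bytes

# Constructed stand-in for a 2048-bit RSA DKIM key: "p=" followed by 392
# base64 characters, the length a real 2048-bit SPKI encodes to.
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 392


def escape_txt(chunk: bytes) -> str:
    """Quote one chunk in zone-file / nsupdate syntax.

    Double quote and backslash are escaped with a backslash; any byte
    outside printable ASCII is written as a \\DDD decimal escape. Escaping
    grows the text but not the wire length, which is what the 255 limit
    counts, so it is applied after splitting.
    """
    out = []
    for b in chunk:
        if b in (0x22, 0x5C):              # '"' and '\'
            out.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03d" % b)
    return '"' + "".join(out) + '"'


def txt_chunks(rdata: str, size: int = MAX_CHARACTER_STRING) -> list:
    """Return the rdata as a list of quoted chunks of at most `size` bytes.

    The split is done on UTF-8 bytes, not characters, because that is what
    the wire format counts; `size` may be lowered to match a stricter
    provider limit but can never exceed 255.
    """
    if not 0 < size <= MAX_CHARACTER_STRING:
        raise ValueError("chunk size must be between 1 and 255 bytes")
    raw = rdata.encode("utf-8")
    return [escape_txt(raw[i:i + size]) for i in range(0, len(raw), size)]


def nsupdate_txt_script(server: str, zone: str, name: str, ttl: int, rdata: str) -> str:
    """Build an nsupdate batch that replaces the TXT RRset at `name`.

    Delete and add sit in one UPDATE transaction, so a DKIM selector is
    never published empty between key rotations.
    """
    chunks = " ".join(txt_chunks(rdata))
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {name} TXT",
        f"update add {name} {ttl} IN TXT {chunks}",
        "send",
        "",
    ])


if __name__ == "__main__":
    # Constructed selector name and server address; pipe the output into nsupdate -k.
    print(nsupdate_txt_script("192.0.2.53", "example.com",
                              "2020._domainkey.example.com.", 3600, SAMPLE_DKIM))
```

Pipe the printed batch into `nsupdate -k <keyfile>` from the rotation script; because the split is done on bytes after any sed processing, the script no longer has to get the quoting right by hand.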


Re: nsupdate: using "wildcard" TTL when removing specific record

2020-06-01 Thread Mark Andrews
TTL is ignored on delete if it is present.  It is set to 0 when sending.

2.5.4 - Delete An RR From An RRset

   RRs to be deleted are added to the Update Section.  The NAME, TYPE,
   RDLENGTH and RDATA must match the RR being deleted.  TTL must be
   specified as zero (0) and will otherwise be ignored by the primary
   master.  CLASS must be specified as NONE to distinguish this from an
   RR addition.  If no such RRs exist, then this Update RR will be
   silently ignored by the primary master.



> On 1 Jun 2020, at 18:45, Petr Bena  wrote:
> 
> Hello,
> 
> Is there any way to tell nsupdate to delete specific record with ANY TTL 
> value? For example I have following record:
> 
> record.domain.org 3500 A 1.2.3.4
> 
> I want to delete exactly that record (A with IP 1.2.3.4), except I don't know 
> what the TTL is, normally, if I knew the TTL, I would do
> 
> update delete record.domain.org 3500 A 1.2.3.4
> 
> But I would like to do something like
> 
> update delete record.domain.org * A 1.2.3.4
> 
> Is there any way to accomplish this, or do I always have to retrieve the 
> record somehow, figure out the TTL and then continue?
> 
> Thanks
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
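What that section of RFC 2136 means on the wire, as an added Python example that is not nsupdate's or BIND's code: the Update-section RR for `update delete record.domain.org A 1.2.3.4` is encoded with CLASS NONE and TTL 0 whatever TTL the zone holds, which is why nsupdate can ignore one; for contrast the whole-RRset delete (RFC 2136 section 2.5.2, CLASS ANY, empty RDATA) is encoded as well, and a small decoder shows the fields as the primary sees them. The helper names and the sample record are constructed for the example.

```python
# Added example (not nsupdate or BIND code): the Update-section RR that
# `update delete record.domain.org A 1.2.3.4` becomes on the wire, per
# RFC 2136 section 2.5.4, plus a decoder showing what the server sees.
# Helper names and the sample record are constructed.
import struct

CLASS_NONE = 254   # RFC 2136: "delete this exact RR"
CLASS_ANY = 255    # RFC 2136: "delete the whole RRset"
TYPE_A = 1


def encode_name(name: str) -> bytes:
    """Wire-encode an owner name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def a_rdata(ip: str) -> bytes:
    """RDATA of an A record: the four address octets."""
    octets = [int(p) for p in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return bytes(octets)


def delete_rr(name: str, rtype: int, rdata: bytes) -> bytes:
    """RFC 2136 2.5.4: CLASS NONE, TTL 0, RDATA of the record to remove.
    The caller's TTL never appears, so nsupdate has nothing to carry over."""
    header = struct.pack("!HHIH", rtype, CLASS_NONE, 0, len(rdata))
    return encode_name(name) + header + rdata


def delete_rrset(name: str, rtype: int) -> bytes:
    """RFC 2136 2.5.2: CLASS ANY, TTL 0, empty RDATA removes the whole RRset."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_ANY, 0, 0)


def decode_rr(buf: bytes, off: int = 0) -> dict:
    """Parse one uncompressed RR; returns its fields plus the next offset."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n >= 64:
            raise ValueError("compression pointers are not expected here")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    rdata = buf[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    return {"name": ".".join(labels) + ".", "type": rtype, "class": rclass,
            "ttl": ttl, "rdata": rdata, "next": off + rdlen}


if __name__ == "__main__":
    rr = delete_rr("record.domain.org", TYPE_A, a_rdata("1.2.3.4"))
    print(rr.hex())
    print(decode_rr(rr))
```

The decoder is what a server-side check looks like: the primary compares NAME, TYPE, RDLENGTH and RDATA against the zone, and an Update RR that matches nothing is silently ignored rather than failing the transaction, so a prerequisite (`prereq yxrrset`) is the only way to be told that the record you meant to remove was not there.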



Re: Nsupdate and TTL

2020-04-23 Thread Tony Finch
Mark Andrews  wrote:
> > On 23 Apr 2020, at 07:20, Evan Hunt  wrote:
> >
> > As far as I can recall, the only way to change a TTL in nsupdate is to
> > delete the whole RRset and then add it back in the same transaction:

There's actually a standard shortcut for TTL changes which is a
consequence of the slightly unexpected UPDATE semantics that we
discussed at the start of the month
(https://lists.isc.org/mailman/htdig/bind-users/2020-April/102851.html)

If an update message contains a new record with the same RDATA as an
existing record, then the new record replaces the existing record. This is
usually a no-op, because all the other fields in the record necessarily
match - except if you are changing the TTL!

So you can simply re-write an existing RRSet with a new TTL, without
deleting anything. This has the great advantage of avoiding the
contradictory ordering requirements that you get from apex NS records
and CNAME records: to change a CNAME you must delete then add, but to
(completely) change an apex NS RRset you must add then delete.

nsdiff always does a delete then add so that it doesn't need special case
code for one weird RRset. The apex NS RRset case is very rare - the only
time I encounter it is when bootstrapping a zone from scratch, in which
case I need a second run of nsdiff to get rid of my "empty" zone `NS
localhost` record :-)

> Also don’t forget to add a prerequisite section to ensure you are removing
> the records you think you are.

nsdiff takes another shortcut here: it only uses the SOA serial number as
a prerequisite check, because if the serial number matches, then the zone
hasn't changed from the source zone file that nsdiff was working from.
nspatch includes an automatic retry loop in case the zone changes
unexpectedly, which is safe so long as conflicting changes only happen
from DNSSEC signing activity.

http://dotat.at/prog/nsdiff/

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forth, Tyne, Dogger: Northeast backing north later, 3 or 4. Slight. Fog
patches later. Good, becoming poor or very poor later.


Re: Nsupdate and TTL

2020-04-23 Thread Mark Andrews


> On 23 Apr 2020, at 17:31, Petr Bena  wrote:
> 
> Hello,
> 
> From my experience you don't need to delete the whole set, I was actually doing
> this quite recently and discovered an interesting behavior of BIND server -
> last record you add will override the TTL value for a set.
> 
> So if you add another NS record to a zone, all existing NS records will have
> TTL overridden with the last one you add.

Which is a side effect of BIND having a single TTL per RRset as I
said below.

To use UPDATE to change records on any DNS server please use the
methods listed below. The UPDATE message is a bit larger but it is
robust.

Mark

> On 23/04/2020 01:06, Mark Andrews wrote:
>> 
>>> On 23 Apr 2020, at 07:20, Evan Hunt  wrote:
>>> 
>>> On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote:
>>>> # nsupdate -k /path/to/key
>>>>> zone example.com
>>>>> ttl 3600
>>>>> send
>>>>> ^d
>>>> No errors, but no change in the TTL.
>>> "ttl 3600" just means "from now on assume I mean ttl 3600 in all the
>>> records I send". You didn't actually send an update, so nothing changed.
>>> 
>>> As far as I can recall, the only way to change a TTL in nsupdate is to
>>> delete the whole RRset and then add it back in the same transaction:
>>> 
>>>> zone example.com
>>>> ttl 3600
>>>> update del example.com in a
>>>> update add example.com in a 192.0.2.1
>>>> update add example.com in a 192.0.2.2
>>>> update add example.com in a 192.0.2.3
>>>> send
>> Also don’t forget to add a prerequisite section to ensure you are removing
>> the records you think you are.
>> 
>> zone example.com
>> ttl 3600
>> prereq yxrrset example.com in a 192.0.2.1
>> prereq yxrrset example.com in a 192.0.2.2
>> prereq yxrrset example.com in a 192.0.2.3
>> update del example.com in a
>> update add example.com in a 192.0.2.1
>> update add example.com in a 192.0.2.2
>> update add example.com in a 192.0.2.3
>> send
>> 
>> Also note you can’t do it this way for the NS RRset at top of zone.  You need to
>> delete the NS RRs individually and then add them back without deleting all the
>> NS at any point in the process as the NS RRset is required to always exist.
>> 
>> Note: named only keeps a single TTL for a RRset so it will update the TTL on all
>> the records when you add a new one with a different TTL but this is not part of
>> the UPDATE RFC.
>> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: Nsupdate and TTL

2020-04-23 Thread Petr Bena

Hello,

From my experience you don't need to delete the whole set, I was actually
doing this quite recently and discovered an interesting behavior of
BIND server - last record you add will override the TTL value for a set.

So if you add another NS record to a zone, all existing NS records will
have TTL overridden with the last one you add.

On 23/04/2020 01:06, Mark Andrews wrote:
> 
>> On 23 Apr 2020, at 07:20, Evan Hunt wrote:
>> 
>> On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote:
>>> # nsupdate -k /path/to/key
>>>> zone example.com
>>>> ttl 3600
>>>> send
>>>> ^d
>>> 
>>> No errors, but no change in the TTL.
>> 
>> "ttl 3600" just means "from now on assume I mean ttl 3600 in all the
>> records I send". You didn't actually send an update, so nothing changed.
>> 
>> As far as I can recall, the only way to change a TTL in nsupdate is to
>> delete the whole RRset and then add it back in the same transaction:
>> 
>>> zone example.com
>>> ttl 3600
>>> update del example.com in a
>>> update add example.com in a 192.0.2.1
>>> update add example.com in a 192.0.2.2
>>> update add example.com in a 192.0.2.3
>>> send
> 
> Also don’t forget to add a prerequisite section to ensure you are removing
> the records you think you are.
> 
> zone example.com
> ttl 3600
> prereq yxrrset example.com in a 192.0.2.1
> prereq yxrrset example.com in a 192.0.2.2
> prereq yxrrset example.com in a 192.0.2.3
> update del example.com in a
> update add example.com in a 192.0.2.1
> update add example.com in a 192.0.2.2
> update add example.com in a 192.0.2.3
> send
> 
> Also note you can’t do it this way for the NS RRset at top of zone.  You need to
> delete the NS RRs individually and then add them back without deleting all the
> NS at any point in the process as the NS RRset is required to always exist.
> 
> Note: named only keeps a single TTL for a RRset so it will update the TTL on all
> the records when you add a new one with a different TTL but this is not part of
> the UPDATE RFC.




Re: Nsupdate and TTL

2020-04-22 Thread Mark Andrews


> On 23 Apr 2020, at 07:20, Evan Hunt  wrote:
> 
> On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote:
>> # nsupdate -k /path/to/key
>>> zone example.com
>>> ttl 3600
>>> send
>>> ^d
>> 
>> No errors, but no change in the TTL.
> 
> "ttl 3600" just means "from now on assume I mean ttl 3600 in all the
> records I send". You didn't actually send an update, so nothing changed.
> 
> As far as I can recall, the only way to change a TTL in nsupdate is to
> delete the whole RRset and then add it back in the same transaction:
> 
>> zone example.com
>> ttl 3600
>> update del example.com in a
>> update add example.com in a 192.0.2.1
>> update add example.com in a 192.0.2.2
>> update add example.com in a 192.0.2.3
>> send

Also don’t forget to add a prerequisite section to ensure you are removing
the records you think you are.

zone example.com
ttl 3600
prereq yxrrset example.com in a 192.0.2.1
prereq yxrrset example.com in a 192.0.2.2
prereq yxrrset example.com in a 192.0.2.3
update del example.com in a
update add example.com in a 192.0.2.1
update add example.com in a 192.0.2.2
update add example.com in a 192.0.2.3
send

Also note you can’t do it this way for the NS RRset at top of zone.  You need to
delete the NS RRs individually and then add them back without deleting all the
NS at any point in the process as the NS RRset is required to always exist.

Note: named only keeps a single TTL for a RRset so it will update the TTL on all
the records when you add a new one with a different TTL but this is not part of
the UPDATE RFC.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
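The two ways of changing a TTL that this thread settles on, as an added Python example that is not code from the thread, from nsdiff or from BIND. `ttl_change_script` is Mark's robust form: `prereq yxrrset` for every record you expect, then delete and add in one transaction, with the apex NS RRset special-cased so that each NS is deleted and re-added one at a time and the set is never empty. `ttl_rewrite_script` is the shortcut Tony describes: re-adding the same RDATA with a new TTL replaces the existing record under RFC 2136 semantics, so no delete is needed. Both emit text for `nsupdate` to read; the function names and the sample RRsets are constructed.

```python
# Added example (not code from the thread, from nsdiff or from BIND):
# build the nsupdate batch for a TTL change in the two ways the thread
# describes. Function names and the sample RRsets are constructed.


def _fqdn(name: str) -> str:
    """nsupdate needs absolute names; add the trailing dot if it is missing."""
    return name if name.endswith(".") else name + "."


def ttl_change_script(zone, name, rtype, rdatas, new_ttl):
    """Portable TTL change: prereq + delete + add in one UPDATE transaction.

    Every record we expect is asserted with `prereq yxrrset`, so if the
    RRset changed under us (another operator, DNSSEC tooling) the server
    refuses the whole update instead of silently dropping records. The
    apex NS RRset is special-cased: the server ignores a delete of the
    whole apex NS RRset, so each NS is deleted and re-added individually
    and the set is never empty.
    """
    zone, name, rtype = _fqdn(zone), _fqdn(name), rtype.upper()
    if not rdatas:
        raise ValueError("an RRset needs at least one record")
    lines = [f"zone {zone}", f"ttl {new_ttl}"]
    for rd in rdatas:
        lines.append(f"prereq yxrrset {name} IN {rtype} {rd}")
    if rtype == "NS" and name == zone:
        for rd in rdatas:                       # one at a time at the apex
            lines.append(f"update delete {name} IN NS {rd}")
            lines.append(f"update add {name} {new_ttl} IN NS {rd}")
    else:
        lines.append(f"update delete {name} IN {rtype}")
        for rd in rdatas:
            lines.append(f"update add {name} {new_ttl} IN {rtype} {rd}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def ttl_rewrite_script(zone, name, rtype, rdatas, new_ttl):
    """Shortcut: re-add the same RDATA with the new TTL, no delete.

    RFC 2136 section 3.4.2.2 makes an Update RR with duplicate RDATA
    replace the existing zone RR, so the apex-NS and CNAME ordering
    problems of delete-then-add do not arise. The prerequisites still
    guard against the RRset having changed since we read it.
    """
    zone, name, rtype = _fqdn(zone), _fqdn(name), rtype.upper()
    if not rdatas:
        raise ValueError("an RRset needs at least one record")
    lines = [f"zone {zone}", f"ttl {new_ttl}"]
    lines += [f"prereq yxrrset {name} IN {rtype} {rd}" for rd in rdatas]
    lines += [f"update add {name} {new_ttl} IN {rtype} {rd}" for rd in rdatas]
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample RRsets; feed the output to `nsupdate -k <keyfile>`.
    print(ttl_change_script("example.com", "example.com", "A",
                            ["192.0.2.1", "192.0.2.2", "192.0.2.3"], 3600))
    print(ttl_change_script("example.com", "example.com", "NS",
                            ["ns1.example.com.", "ns2.example.com."], 7200))
    print(ttl_rewrite_script("example.com", "www.example.com", "A",
                             ["192.0.2.1"], 300))
```

If the prerequisite fails, nsupdate reports `NXRRSET` and nothing is changed, which is the signal to re-read the RRset and retry rather than to drop the `prereq` lines.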



Re: Nsupdate and TTL

2020-04-22 Thread Evan Hunt
On Wed, Apr 22, 2020 at 03:04:38PM -0600, @lbutlr via bind-users wrote:
> # nsupdate -k /path/to/key
> > zone example.com
> > ttl 3600
> > send
> > ^d
> 
> No errors, but no change in the TTL.

"ttl 3600" just means "from now on assume I mean ttl 3600 in all the
records I send". You didn't actually send an update, so nothing changed.

As far as I can recall, the only way to change a TTL in nsupdate is to
delete the whole RRset and then add it back in the same transaction:

> zone example.com
> ttl 3600
> update del example.com in a
> update add example.com in a 192.0.2.1
> update add example.com in a 192.0.2.2
> update add example.com in a 192.0.2.3
> send

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: nsupdate with respone-policy zone

2019-11-20 Thread mail-list-users
Thank you very much, this did the trick.

Have a nice day!


Re: nsupdate with respone-policy zone

2019-11-20 Thread Tony Finch
mail-list-us...@materna.de  wrote:
>
> server 127.0.0.1
> debug no
> zone testoverride
> update add zzz.google.de 604800 A 127.0.0.1
> send

The problem is that nsupdate needs fully-qualified domain names - you
can't omit the zone name like you can in zone files. So your script needs
to be

zone testoverride
update add zzz.google.de.testoverride 604800 A 127.0.0.1
send

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Viking: South backing east, 4 to 6. Moderate, occasionally slight in east.
Showers later. Good.


Re: nsupdate reject

2019-05-22 Thread Tony Finch
@lbutlr  wrote:
>
> If I remove "update-policy local; " the nsupdate works, but it seems
> like it should have worked with the update-policy since I was in fact
> local to the bind server.

The "local" keyword enables server-side support for `nsupdate -l`, which
makes dynamic updates really easy to use because you don't have to worry
about TSIG keys. (My production primary server pushes zone changes using
roughly `nsdiff | nsupdate -l`.)

But `update-policy local` actually means something kind of complicated and
subtle and what it means changed a bit last year to address some odd edge
cases (https://kb.isc.org/docs/aa-01599). I still need to delete some
config complication that was a result of this: my primary server zone
clauses have:

allow-update { !{ !localhost; any; }; key local-ddns; };

which is an alternative spelling of `update-policy local` that's slightly
safer than the pre-2018 meaning.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Lyme Regis to Lands End including the Isles of Scilly: West or southwest 3 or
4, becoming variable 2 or 3 for a time. Smooth or slight becoming moderate in
far west. Fog patches overnight. Moderate or good, occasionally very poor
overnight.


Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 20 May 2019, at 20:45, @lbutlr  wrote:
> 
> On 20 May 2019, at 16:21, Noel Butler  wrote:
>>   allow-update { key "keyname"; };
> 
> Ah, no I did not. The instructions I found, as I mentioned in a later post, 
> were to add grant ddns-key. Is this a change in 9.14, because I did not have 
> to do this in 9.12?

zone "kreme.com" {
    type master;
    file "master/kreme.com.signed";
    update-policy local;
    auto-dnssec maintain;
    allow-update {
        key "rndc-key";
    };
};

gives "'allow-update' is ignored when 'update-policy' is present" when I load 
the conf file.

If I remove "update-policy local; " the nsupdate works, but it seems like it 
should have worked with the update-policy since I was in fact local to the bind 
server.

-- 
My little brother got his arm stuck in the microwave. So my mom had to
take him to the hospital. My grandma dropped acid this morning, and she
freaked out. She hijacked a busload of penguins. So it's sort of a
family crisis. Bye!




Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 20 May 2019, at 16:21, Noel Butler  wrote:
>allow-update { key "keyname"; };

Ah, no I did not. The instructions I found, as I mentioned in a later post, 
were to add grant ddns-key. Is this a change in 9.14, because I did not have 
to do this in 9.12?

> and nsLOOKUP ?

Just a thinko.

-- 
The hippo of recollection stirred in the muddy waters of the mind.





Re: nsupdate reject

2019-05-20 Thread Noel Butler
did you allow for it under the zone ? Adding a key as such will not give
you global operations 

zone foo {
    ...
    allow-update { key "keyname"; };
    ...
}

and nsLOOKUP ?  It's either too early in the morning here and I'm
misreading what you're doing, or you should be using, or at least meant
to say, nsUPDATE 

On 20/05/2019 10:27, @lbutlr wrote:

> Trying to update some DNS under a relatively newly installed BIND 9.14 with 
> nsupdate.
> 
> I have a file admin.key that looks basically like this:
> key "rndc-key" {
> algorithm hmac-sha256;
> secret "SECRETSTUFF=";
> };
> 
> This is the same key block that is in named.conf. I am launching NSLOOKUP 
> with -k admin.key, but when I try to make a change and then "send", I get 
> "update failed: REFUSED."
> 
> Is this not the key that is wanted? It appears to be the only key I have. Do 
> I need to change to some different key type for bind 9.14, or am I forgetting 
> something else.
> 
> I did make some changes to the DNS back in 9.12 several months ago, and I 
> don't recall having to even provide the key then.

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally 
privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents 

 

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument


Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 19 May 2019, at 18:27, @lbutlr  wrote:
> This is the same key block that is in named.conf. I am launching NSLOOKUP 
> with -k admin.key, but when I try to make a change and then "send", I get 
> "update failed: REFUSED."

I found a page that recommended adding a ddns-key and then adding "grant 
ddns-key zonesub ANY;" to the zone info, but that produces and error "unknown 
option 'grant'".

-- 
'You know what the greatest tragedy is in the whole world?' said Ginger,
not paying him the least attention. 'It's all the people who never find
out what it is they really want to do or what it is they're really good
at. It's all the sons who become blacksmiths because their fathers were
blacksmiths. It's all the people who could be really fantastic flute
players who grow old and die without ever seeing a musical instrument,
so they become bad ploughmen instead. It's all the people with talents
who never even find out. Maybe they are never born in a time when it is
possible to find out.'





RE: nsupdate reject

2019-05-20 Thread Bob McDonald
The most obvious thing is to look at the zone and see if that key is
included in an allow-update statement for the zone.

Bob


Re: nsupdate with RPZ

2018-05-23 Thread Blason R
Well, thanks for the update. Later I managed to resolve it, but the issue is:
since this is an RPZ zone and the RRs are different, I don't think nsupdate
would solve my purpose here?

Like zone test.update while RR is

block.this.domain  CNAME  wg.test.update.

Please correct me if I am wrong.

On Wed, May 23, 2018 at 8:43 PM, Chris Buxton 
wrote:

> On May 22, 2018, at 7:35 PM, Blason R  wrote:
>
> > Wondering if anyone have a working How-To guide for implementing
> nsupdate with RPZ? I mean do we need to configure any specific settings in
> zone of Options?
>
> A response policy zone is a zone like any other. You would normally
> restrict access to query it, but if you want to allow some system to manage
> the content of that zone dynamically, go ahead and set up an allow-update
> (or update-policy, if that's what you need) on that zone. Just make sure
> the updater is also allowed to query the zone.
>
> If that's not your use case, tell us what your use case is in more detail
> and perhaps the list can help.
>
> Chris Buxton


Re: nsupdate with RPZ

2018-05-23 Thread Chris Buxton
On May 22, 2018, at 7:35 PM, Blason R  wrote:

> Wondering if anyone have a working How-To guide for implementing nsupdate 
> with RPZ? I mean do we need to configure any specific settings in zone of 
> Options?

A response policy zone is a zone like any other. You would normally restrict 
access to query it, but if you want to allow some system to manage the content 
of that zone dynamically, go ahead and set up an allow-update (or 
update-policy, if that's what you need) on that zone. Just make sure the 
updater is also allowed to query the zone.

If that's not your use case, tell us what your use case is in more detail and 
perhaps the list can help.

Chris Buxton


Re: Nsupdate usage scenario

2016-05-04 Thread Alan Clegg
On 5/4/16, 4:27 PM, "/dev/rob0"  wrote:

>My personal recommendation: get over the idea of looking at zone
>files; use "dig axfr example.com. | less".  Let named manage and
>serve the DNS data as it will.  Comments can be included as TXT
>records if you like.

So much this.

AlanC




Re: Nsupdate usage scenario

2016-05-04 Thread /dev/rob0
On Wed, May 04, 2016 at 03:17:38PM -0400, Paul Kosinski wrote:
> Interesting idea -- it never occurred to me that I could have 
> separate zone files for sub-domains.

Every zone is a subzone of its parent zone.

> So, if I had a tiny zone file for "dynamic.example.com" alone, and 
> a bigger zone file for all the other stuff for "example.com", could 
> I be *sure* that nsupdate would *only* modify the tiny file, and 
> not mess with the bigger, main file?
> 
> Or would I also have to put a ZONE statement as the first line of 
> the nsupdate data stream specifying "dynamic.example.com" as the 
> zone to be updated? (And would that *guarantee* the main file was 
> not changed?)

This is a bigger can of worms than you think.  I did it with my own 
dynamic zone some years back, now wishing to flatten it back into 
the parent zone (because they are both dynamic now.)

* You have to delegate the [sub]zone to a set of nameservers
* You have to configure those nameservers to serve that [sub]zone

The NS for your subzone can be, but need not be, the same as the ones 
serving your parent zone.  Choose one to be master.  Put that name in 
the SOA MNAME field for the subzone.  (The MNAME is used by nsupdate 
in choosing where to send an update.  It's not essential because you 
can also use a "server" line in your nsupdate input.)

Note that on the master you need an allow-update or update-policy in 
your zone statement.

My personal recommendation: get over the idea of looking at zone 
files; use "dig axfr example.com. | less".  Let named manage and 
serve the DNS data as it will.  Comments can be included as TXT 
records if you like.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Nsupdate usage scenario

2016-05-04 Thread Paul Kosinski
Interesting idea -- it never occurred to me that I could have separate
zone files for sub-domains.

So, if I had a tiny zone file for "dynamic.example.com" alone, and a
bigger zone file for all the other stuff for "example.com", could I be
*sure* that nsupdate would *only* modify the tiny file, and not mess
with the bigger, main file?

Or would I also have to put a ZONE statement as the first line of the
nsupdate data stream specifying "dynamic.example.com" as the zone to be
updated? (And would that *guarantee* the main file was not changed?)


On Mon, 2 May 2016 14:15:21 -0500 (CDT)
"Jeremy C. Reed"  wrote:

> What about using a specific zone file just for the purpose of the
> single A record you want to maintain using dynamic updates?
> 


Re: Nsupdate usage scenario

2016-05-03 Thread Tony Finch
Paul Kosinski  wrote:

> Except for this single dynamic IP address, the zone file is maintained
> by hand with a text editor, so rearranging it into an arbitrary order
> would make hand maintenance much more difficult.
>
> If there is a way to have nsupdate preserve the original order of the
> zone file -- simply modifying the one A record "in place" and updating
> the serial number -- that would be nice. If not I guess I will have to
> continue using the little Perl script I wrote to do just that.

You can do this with nsdiff - http://dotat.at/prog/nsdiff/ - but it's
probably overkill for one dynamic entry in an otherwise static zone.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Fisher, German Bight: West 3 or 4, occasionally 5 at first. Slight or
moderate. Rain at first in east. Good.


Re: Nsupdate usage scenario

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 16:38,  wrote:

>
>
> On Mon, May 2, 2016, at 12:15 PM, Jeremy C. Reed wrote:
> > What about using a specific zone file just for the purpose of the single
> > A record you want to maintain using dynamic updates?
>
> Well, this is a timely idea for another issue I've been working on ...
>
> Could you expand on this a bit? Maybe an example?
>
> I'm not clear how you go about maintaining a 'different' zone for a record
> that belong in the 'original', parent zone.
>
He's suggesting something like having example.com and dynamic.example.com
as separate zones, where the A record at the apex of the dynamic.example.com
zone is the host you want to maintain.   That'll let you have different
configurations for both zones (one dynamic, one manual).

example.com. IN SOA (...)
 IN NS ns1.example.com.
 IN NS ns2.example.com.

www  IN A  192.0.2.1
dynamic  IN NS ns1.example.com.
 IN NS ns2.example.com.
---

dynamic.example.com. IN SOA (...).
 IN NS ns1.example.com.
 IN NS ns2.example.com.
 IN A  192.0.2.1  ; use nsupdate to change me
---

Re: Nsupdate usage scenario

2016-05-02 Thread jasonsu


On Mon, May 2, 2016, at 12:15 PM, Jeremy C. Reed wrote:
> What about using a specific zone file just for the purpose of the single 
> A record you want to maintain using dynamic updates?

Well, this is a timely idea for another issue I've been working on ...

Could you expand on this a bit? Maybe an example?

I'm not clear how you go about maintaining a 'different' zone for a record that 
belong in the 'original', parent zone.

Jason


Re: Nsupdate usage scenario

2016-05-02 Thread Jeremy C. Reed
Also for the generated master file, have a look at "masterfile-style 
full;" option.  Have a look at the named-compilezone -j with -s full or 
-s relative so you can compare outputs.


Re: Nsupdate usage scenario

2016-05-02 Thread Jeremy C. Reed
What about using a specific zone file just for the purpose of the single 
A record you want to maintain using dynamic updates?


RE: nsupdate and views

2015-03-18 Thread Darcy Kevin (FCA)
If you can't arrange for the source address of the nsupdate to fall within the 
match-clients of the view, you can always put a TSIG key in the match-clients 
for the view, and then sign the update with that key.


- Kevin

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of David Covey
Sent: Tuesday, March 17, 2015 10:06 PM
To: bind-us...@isc.org
Subject: nsupdate and views

Hello all,
I don't quite see how to dynamically manage multiple views of a zone. 
Specifically I have a zone name with both 'internal' and 'external'
views that I'd like to manage with the nsupdate command. Is there a way to 
specify the zone+view using nsupdate?

 - David Covey
   Geophysical Institute, University of Alaska Fairbanks



Re: nsupdate and views

2015-03-17 Thread David Covey
Mark,
Thanks. I found where this was discussed here previously (Jan. 2003);
apologies for not being thorough. 
 - David Covey
   Geophysical Institute, University of Alaska Fairbanks

  To: David Covey david.co...@gi.alaska.edu
  Cc: bind-us...@isc.org
  From: Mark Andrews ma...@isc.org
  Subject: Re: nsupdate and views
  Date: Wed, 18 Mar 2015 14:01:28 +1100


  Use different TSIG keys to direct the UPDATE request to the correct view.

  In message 5508dd86.kc1mmon8e03wtkto%david.co...@gi.alaska.edu, David Covey writes:
   Hello all,
   I don't quite see how to dynamically manage multiple views of a
   zone. Specifically I have a zone name with both 'internal' and 'external'
   views that I'd like to manage with the nsupdate command. Is there a
   way to specify the zone+view using nsupdate?
   
- David Covey
  Geophysical Institute, University of Alaska Fairbanks
   
  -- 
  Mark Andrews, ISC
  1 Seymour St., Dundas Valley, NSW 2117, Australia
  PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: nsupdate and views

2015-03-17 Thread Mark Andrews

Use different TSIG keys to direct the UPDATE request to the correct view.

In message 5508dd86.kc1mmon8e03wtkto%david.co...@gi.alaska.edu, David Covey writes:
 Hello all,
 I don't quite see how to dynamically manage multiple views of a
 zone. Specifically I have a zone name with both 'internal' and 'external'
 views that I'd like to manage with the nsupdate command. Is there a
 way to specify the zone+view using nsupdate?
 
  - David Covey
Geophysical Institute, University of Alaska Fairbanks
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
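Two passages in this thread turn on how named evaluates an ACL: Tony's `allow-update { !{ !localhost; any; }; key local-ddns; };` above, and Mark's and Kevin's advice here to steer an UPDATE into the right view with a TSIG key in match-clients. The Python below is an added example, not code from the thread or from BIND; it models named's documented first-match ACL rules (a `!` element that matches is a negative match, and a negative match inside a nested `{ }` list counts as no match for the list around it) and uses that model to show what Tony's clause admits and why a view's match-clients should reject the other view's key before it matches on address. The addresses, key names and view layout are constructed for the example, and `localhost` is modelled as the loopback addresses only (named's `localhost` covers every interface address of the server).

```python
import ipaddress

# Result of evaluating one ACL, as named does it: the first element that
# matches decides; a matching "!" element is a negative match (deny); if no
# element matches, the ACL as a whole is not matched.
NO_MATCH, ALLOW, DENY = 0, 1, -1

ANY = object()                      # the "any" keyword


class Key:
    """A "key name;" element: matches when the request is TSIG-signed with it."""
    def __init__(self, name):
        self.name = name


class Net:
    """An address-prefix element such as 10.0.0.0/8."""
    def __init__(self, cidr):
        self.net = ipaddress.ip_network(cidr)


class Not:
    """The "!" prefix on any element, including a nested { ... } list."""
    def __init__(self, elem):
        self.elem = elem


def _matches(elem, src, signer):
    """True if a non-negated element matches the request (src address, TSIG signer)."""
    if elem is ANY:
        return True
    if isinstance(elem, Key):
        return signer == elem.name
    if isinstance(elem, Net):
        return src in elem.net      # False when address families differ
    if isinstance(elem, list):      # nested ACL
        # Documented BIND rule: a negative match inside a nested ACL is treated
        # as "no match" by the enclosing list, so only ALLOW counts as a match.
        return evaluate(elem, src, signer) == ALLOW
    raise TypeError(elem)


def evaluate(acl, src, signer=None):
    """First-match evaluation of a BIND-style ACL given as a Python list."""
    src = ipaddress.ip_address(src)
    for elem in acl:
        negated = isinstance(elem, Not)
        if _matches(elem.elem if negated else elem, src, signer):
            return DENY if negated else ALLOW
    return NO_MATCH


# Assumption of this model: "localhost" is just the loopback addresses.
LOCALHOST = [Net("127.0.0.0/8"), Net("::1/128")]

# Tony's clause:  allow-update { !{ !localhost; any; }; key local-ddns; };
LOCAL_AND_KEY = [Not([Not(LOCALHOST), ANY]), Key("local-ddns")]
# The usual spelling, which admits any address that holds the key:
KEY_ONLY = [Key("local-ddns")]


def update_allowed(acl, src, signer=None):
    """named grants an UPDATE only on a positive match; NO_MATCH and DENY both refuse."""
    return evaluate(acl, src, signer) == ALLOW


def select_view(views, src, signer=None):
    """The first view whose match-clients gives a positive match serves the request."""
    for name, acl in views:
        if evaluate(acl, src, signer) == ALLOW:
            return name
    return None


# Naive pair of views (constructed): an UPDATE signed with external-key but sent
# from an internal address lands in the internal view, because the address
# element matches before the external view is ever considered.
NAIVE_VIEWS = [
    ("internal", [Key("internal-key"), Net("10.0.0.0/8")]),
    ("external", [Key("external-key"), ANY]),
]
# Guarded pair: each view first rejects the other view's key, so the key alone
# decides which view's copy of the zone receives the update.
GUARDED_VIEWS = [
    ("internal", [Not(Key("external-key")), Key("internal-key"), Net("10.0.0.0/8")]),
    ("external", [Not(Key("internal-key")), Key("external-key"), ANY]),
]

if __name__ == "__main__":
    for src, key in [("127.0.0.1", "local-ddns"), ("127.0.0.1", None), ("10.0.0.5", "local-ddns")]:
        print(src, key, "local+key:", update_allowed(LOCAL_AND_KEY, src, key),
              "key-only:", update_allowed(KEY_ONLY, src, key))
    print("naive:", select_view(NAIVE_VIEWS, "10.1.2.3", "external-key"),
          "guarded:", select_view(GUARDED_VIEWS, "10.1.2.3", "external-key"))
```

Under this model Tony's clause admits an update only when it is both from localhost and signed with local-ddns: an unsigned local request falls through to NO_MATCH, and a signed remote request hits the negated nested list and is denied. The same mechanism is what makes the `!key other-key;` guard in match-clients necessary.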


Re: nsupdate, semicolon, backslash

2014-09-13 Thread Mark Andrews

In message 5413d5d9.3000...@yahoo.fr, Giuseppe writes:
 Hello Mark,
 
 If I understood, it's normal behaviour to find a backslash in TXT data.

More that it is escaped.  double quote and back slash must be escaped.
semicolon needs to be escaped if the string isn't quoted.
 
 In my case, i implement DKIM DNS and in master files I have:
 
 ;; ANSWER SECTION:
 google._domainkey.test.com. 1800 IN TXT v=DKIM1\; k=rsa\; p=MIGfMA
 
 At this time, it is not working. And I was thinking that the backslash is 
 the problem.
 
 So, I have to do more troubleshooting about this case.
 
 Thanks for your help
 Zeppi
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: nsupdate, semicolon, backslash

2014-09-12 Thread Mark Andrews

In message 54130f2a.9040...@yahoo.fr, Giuseppe writes:
 Hello,
 
 I work with nsupdate for update our domains zones. And I have problem with 
 semicolonin TXT record type.
 
 A small example:
 
   nsupdate -v
 
update add test1.com 400 TXT hello*;*
update add test2.com 400 TXT hello*\;*
show
 
   Outgoing update query:
   ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
   ;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
   ;; UPDATE SECTION:
   test1.com.   400   IN   TXT   "hello*\;*"
   test2.com.   400   IN   TXT   "hello*\;*"
 
 In my Zone file it is the same problem.
 
 I would like:
 
 test1.com.   400   IN   TXT   "hello*;*"
 
 without backslash before semicolon. Is important because service using 
 secure._domainKey, _adsp._domainKey, etc.. no
 t work if
 backslashis in zone and semicolon is needed.
 
 Other are the same problem?
 
 Thanks,
 Zeppi

Backslash and semicolons are special characters in master files.
DiG prints records in master file format.  This allows the record
to be cut and pasted into master files, nsupdate etc.  It also means
that the presentation encoding doesn't change between AXFR, IXFR
and other types.  It also escapes some characters that may not
always strictly need escaping in every circumstance.

'@' '$' '.' '\' '"' are all special characters in master files.

To enter a backslash one has to enter two backslashes.  A backslash
before a semicolon turns off its special meaning of comment introducer.
A backslash says the next character is a literal except when that
character is a digit in which case it the start of \DDD which is
the decimal value or the character.

The RHS below is without the master file escaping

"\h\e\l\l\o\;\*" -> hello;*

"hello\;*" -> hello;*

"hello;*" -> hello;*

Now to add a backslash you need to enter two escapes, the RHS is
again without master file escaping.

"hello\\;*" -> hello\;*

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
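The rules Mark lists are exactly what a master-file parser applies to TXT data, and the confusion in the thread (and in the DKIM case that follows) comes from reading the presentation form as if it were the stored string. The following Python is an added example, not code from the thread or from BIND: a small decoder and encoder for the presentation form of TXT RDATA that implements those rules (backslash quotes the next character, `\DDD` is a decimal byte, an unquoted `;` starts a comment, `"` and `\` are escaped on output and `;` is escaped the way dig prints it). The DKIM record is a constructed sample in the shape dig shows; the other inputs are the strings from the thread.

```python
# Decoder/encoder for the master-file presentation form of TXT data, following
# the escaping rules in the message above (RFC 1035 section 5.1 character-strings).

def decode_txt_rdata(text):
    """Parse TXT RDATA in presentation form into its list of byte strings."""
    strings, buf = [], bytearray()
    in_token = in_quotes = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            digits = text[i + 1:i + 4]
            if len(digits) == 3 and all(d in "0123456789" for d in digits):
                value = int(digits)                        # \DDD escape
                if value > 255:
                    raise ValueError("\\DDD escape out of range: " + digits)
                buf.append(value)
                i += 4
            elif i + 1 < len(text):                        # \X: literal X
                buf += text[i + 1].encode("latin-1")
                i += 2
            else:
                raise ValueError("dangling backslash")
            in_token = True
            continue
        if in_quotes:
            if c == '"':                                   # end of quoted string
                strings.append(bytes(buf))
                buf, in_token, in_quotes = bytearray(), False, False
            else:
                buf += c.encode("latin-1")
        elif c == '"':
            if in_token:
                raise ValueError("quote in the middle of an unquoted string")
            in_token = in_quotes = True
        elif c == ";":                                     # unquoted ';' = comment
            break
        elif c in " \t":                                   # whitespace ends a token
            if in_token:
                strings.append(bytes(buf))
                buf, in_token = bytearray(), False
        else:
            buf += c.encode("latin-1")
            in_token = True
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted string")
    if in_token:
        strings.append(bytes(buf))
    return strings


def encode_txt_string(data):
    """Presentation form of one character-string, escaped the way dig prints it."""
    out = []
    for b in data:
        ch = chr(b)
        if ch in '"\\;':
            out.append("\\" + ch)          # '"' and '\' must be escaped; ';' may be
        elif 0x20 <= b < 0x7F:
            out.append(ch)
        else:
            out.append("\\%03d" % b)       # non-printable byte as \DDD
    return '"' + "".join(out) + '"'


def wire_equivalent(a, b):
    """True if two presentation forms denote the same stored RDATA."""
    return decode_txt_rdata(a) == decode_txt_rdata(b)


if __name__ == "__main__":
    # Constructed DKIM sample as dig shows it: the backslashes are presentation
    # escaping only; the string named stores and serves contains none.
    dkim = '"v=DKIM1\\; k=rsa\\; p=MIGfMA"'
    print(decode_txt_rdata(dkim))
    print(encode_txt_string(b"hello;*"))
```

Running the decoder over the dig output in the DKIM post below shows that `v=DKIM1\; k=rsa\; p=MIGfMA` is stored as `v=DKIM1; k=rsa; p=MIGfMA`, so a verifier fetching the record sees no backslashes and the problem must lie elsewhere.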


Re: nsupdate, semicolon, backslash

2014-09-12 Thread Giuseppe

Hello Mark,

If I understood, it's normal behaviour to find a backslash in TXT data.

In my case, i implement DKIM DNS and in master files I have:

;; ANSWER SECTION:
google._domainkey.test.com. 1800 IN TXT v=DKIM1\; k=rsa\; p=MIGfMA

At this time, it is not working. And I was thinking that the backslash is 
the problem.


So, I have to do more troubleshooting about this case.

Thanks for your help
Zeppi


Re: nsupdate for default TTL

2012-12-26 Thread Carsten Strotmann

Hello Feng He,

Feng He fen...@nsbeta.info writes:

 Is there a way to dynamic update the zone's default TTL by nsupdate?

A default TTL (example $TTL 3600) is a property of a zone file on disk,
it is a control statement read by the BIND name server when loading the
zone file.

The default TTL is applied to all resource records that do not have a
dedicated TTL defined. After loading the zone, every resource record
will have a dedicated TTL and there is no default TTL in a loaded zone
(in memory).

Because there is no concept of a default TTL in a loaded zone, you
can only change the dedicated TTLs on each individual resource record
using the nsupdate tool.

Best regards and a good new year!

Carsten Strotmann



Re: nsupdate for default TTL

2012-12-26 Thread Feng He
On 2012-12-26 22:12, Carsten Strotmann wrote:
 Because there is no concept of a default TTL in a loaded zone, you
 can only change the dedicated TTLs on each individual resource record
 using the nsupdate tool.

Thanks Carsten.
Happy new year!

Re: nsupdate fails on CNAME but A and PTR goes through

2012-05-17 Thread Jan-Piet Mens
  server 127.0.0.1
  zone ccnr.biotechnology.
  update add second 86400 in cname first
  send
 update failed: NOTZONE

Have you tried specifying qualified names?

update add second.ccnr.biotechnology. 86400 in cname 
first.ccnr.biotechnology.

-JP
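Both this NOTZONE case and Tony's RPZ answer earlier on the page come from the same fact: nsupdate takes names as absolute, with no zone-relative origin, so `second` is sent as `second.` and `zzz.google.de` as `zzz.google.de.`, neither of which lies in the zone named on the `zone` line. The Python below is an added example, not code from the thread or from BIND: it qualifies every owner name against the zone the way a zone file's `$ORIGIN` would, refuses names that would still fall outside it, and emits an nsupdate batch with a terminating newline after `send`. The server address, the key-file path in `run_nsupdate` and the extra RPZ CNAME are constructed for the example; the zone and record names are the ones from the threads.

```python
import subprocess

NAME_RDATA_TYPES = {"CNAME", "NS", "PTR", "DNAME"}   # rdata that is itself a name


def absolute(name, zone):
    """Absolute form of `name`: unchanged if it ends in '.', otherwise taken
    relative to `zone`, as a zone file with $ORIGIN zone would read it."""
    zone = zone.rstrip(".").lower() + "."
    if name == "@":
        return zone
    if name.endswith("."):
        return name.lower()
    return name.lower() + "." + zone


def qualify(name, zone):
    """Absolute owner name inside `zone`; raise if it is not, because named
    answers NOTZONE for such an update instead of guessing."""
    zone = zone.rstrip(".").lower() + "."
    fqdn = absolute(name, zone)
    if fqdn != zone and not fqdn.endswith("." + zone):
        raise ValueError("%s is outside zone %s (named would return NOTZONE)" % (name, zone))
    return fqdn


def inside(name, zone):
    """True if `name` qualifies into `zone`."""
    try:
        qualify(name, zone)
        return True
    except ValueError:
        return False


def nsupdate_script(server, zone, updates):
    """Build nsupdate input for one zone.  `updates` holds tuples
    (op, owner, ttl, rtype, rdata) with op 'add' or 'delete'.  Owner names
    are qualified with `zone`; name-valued rdata without a trailing dot is
    also taken relative to the zone, while absolute targets (an RPZ CNAME to
    another zone, say) are left alone."""
    zone = zone.rstrip(".") + "."
    lines = ["server " + server, "zone " + zone]
    for op, owner, ttl, rtype, rdata in updates:
        owner = qualify(owner, zone)
        rtype = rtype.upper()
        if rtype in NAME_RDATA_TYPES and rdata:
            rdata = absolute(rdata, zone)
        if op == "add":
            lines.append("update add %s %d IN %s %s" % (owner, ttl, rtype, rdata))
        elif op == "delete":
            lines.append(("update delete %s %s %s" % (owner, rtype, rdata or "")).rstrip())
        else:
            raise ValueError("unknown op " + op)
    lines.append("send")
    # Terminate the final 'send': nsupdate does not act on a last line with no newline.
    return "\n".join(lines) + "\n"


def run_nsupdate(script, keyfile):
    """Feed the script to nsupdate on stdin, signing with a TSIG key file
    (hypothetical path, not executed here); returns nsupdate's exit status."""
    return subprocess.run(["nsupdate", "-k", keyfile], input=script, text=True).returncode


if __name__ == "__main__":
    # Tony's RPZ case: the trigger name zzz.google.de lives inside the zone
    # "testoverride", so it has to be sent as zzz.google.de.testoverride.
    print(nsupdate_script("127.0.0.1", "testoverride",
                          [("add", "zzz.google.de", 604800, "A", "127.0.0.1")]))
    # The CNAME case above: "second" alone would be sent as "second." and refused.
    print(nsupdate_script("127.0.0.1", "ccnr.biotechnology",
                          [("add", "second", 86400, "CNAME", "first")]))
```

The `inside` check is the one to run before sending: the owner `zzz.google.de.` (with its dot) is rejected as outside `testoverride`, which is precisely the mistake an RPZ maintainer used to zone-file syntax makes.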


Re: nsupdate fails on CNAME but A and PTR goes through

2012-05-17 Thread lejeczek

sort of a false alarm
nsupdate with FQDN(dot) did work!(???)

On 17/05/12 12:03, lejeczek wrote:

hi everybody

when I do:

 server 127.0.0.1
 zone ccnr.biotechnology.
 update add second 86400 in cname first
 send
update failed: NOTZONE


in log I get:

May 17 11:59:10 whale named[2910]: debug level is now 5
May 17 12:00:28 whale named[2910]: client 127.0.0.1#33465: 
view biotech: signer nsupdate_key approved
May 17 12:00:28 whale named[2910]: client 127.0.0.1#33465: 
view biotech: updating zone 'ccnr.biotechnology/IN': 
update failed: update RR is outside zone (NOTZONE)


any help greatly appreciated
thanks!

Re: nsupdate on a Windows ec2 instance to update dynamic DNS isn't working

2011-10-10 Thread kallen
On Sat, 08 Oct 2011, Mark Andrews wrote:

 Make sure that the send line has a end of line.  Many windows editors
 don't add a end of line unlike unix editors that do.
 

that was it. thank you!



 In message 20111007221843.gq28...@dradis.groknaut.net, kal...@groknaut.net writes:
  
  
  hello,
  
  
  i'm trying to update dynamic DNS for my windows ec2 instance by running
  BIND's nsupdate from the instance. it's not working. i'll show details
  below.
  
  anyone have any idea what's going on? what else i should look at or try?
  
  * nsupdate command reports no error
  * my BIND nameserver never sees the packets
  * running wireshark on the windows instance itself shows me it's not
sending any packets to the nameserver
  * the Windows Firewall Service is not running
  * the windows instance runs Windows Server 2003, Datacenter Edition, R2
  
  i do know the nameserver is set up correctly in that my linux instances
  are able to update dynamic dns using nsupdate against this nameserver.
  
  
  contents of update.txt:
  server 10.x.x.x
  zone dev.sushimysavior.com
  update delete SOUS-CHEF-WIN.dev.sushimysavior.com. A 
  update add SOUS-CHEF-WIN.dev.sushimysavior.com. 86400 IN A 10.y.y.y
  show
  debug
  send
  
  in case it is necessary, i have a resolv.conf in place at
  C:\WINDOWS\system32\drivers\etc\resolv.conf that contains:
  
  nameserver 10.x.x.x
  
  
  and here's the nsupdate command run:
  
  C:\work\bin>C:\WINDOWS\system32\dns\bin\nsupdate.exe -k C:\WINDOWS\system32\dns\etc\Kuser-ddns-ec2.sushimysavior.com.+157+14445.key -v -d -D -L 2 C:\WINDOWS\system32\dns\etc\update.txt
  setup_system()
  Creating key...
  reset_system()
  user_interaction()
  get_next_command()
  get_next_command()
  get_next_command()
  evaluate_update()
  update_addordelete()
  get_next_command()
  evaluate_update()
  update_addordelete()
  get_next_command()
  show_message()
  Outgoing update query:
  ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
  ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
  ;; ZONE SECTION:
  ;dev.sushimysavior.com.  IN  SOA
  
  ;; UPDATE SECTION:
  SOUS-CHEF-WIN.dev.sushimysavior.com. 0 ANY   A
  SOUS-CHEF-WIN.dev.sushimysavior.com. 86400 IN A  10.y.y.y
  
  get_next_command()
  get_next_command()
  cleanup()
  Shutting down task manager
  shutdown_program()
  Shutting down request manager
  Freeing TSIG key
  Destroy DST lib
  Destroying request manager
  Freeing the dispatchers
  Shutting down dispatch manager
  Destroying event
  Shutting down socket manager
  Shutting down timer manager
  Destroying hash context
  Destroying name state
  Removing log context
  Destroying memory context
  
  C:\work\bin>


Re: nsupdate on a Windows ec2 instance to update dynamic DNS isn't working

2011-10-08 Thread Mark Andrews

Make sure that the send line has a end of line.  Many windows editors
don't add a end of line unlike unix editors that do.

In message 20111007221843.gq28...@dradis.groknaut.net, kal...@groknaut.net writes:
 
 
 hello,
 
 
 i'm trying to update dynamic DNS for my windows ec2 instance by running
 BIND's nsupdate from the instance. it's not working. i'll show details
 below.
 
 anyone have any idea what's going on? what else i should look at or try?
 
 * nsupdate command reports no error
 * my BIND nameserver never sees the packets
 * running wireshark on the windows instance itself shows me it's not
   sending any packets to the nameserver
 * the Windows Firewall Service is not running
 * the windows instance runs Windows Server 2003, Datacenter Edition, R2
 
 i do know the nameserver is set up correctly in that my linux instances
 are able to update dynamic dns using nsupdate against this nameserver.
 
 
 contents of update.txt:
 server 10.x.x.x
 zone dev.sushimysavior.com
 update delete SOUS-CHEF-WIN.dev.sushimysavior.com. A 
 update add SOUS-CHEF-WIN.dev.sushimysavior.com. 86400 IN A 10.y.y.y
 show
 debug
 send
 
 in case it is necessary, i have a resolv.conf in place at
 C:\WINDOWS\system32\drivers\etc\resolv.conf that contains:
 
 nameserver 10.x.x.x
 
 
 and here's the nsupdate command run:
 
 C:\work\bin>C:\WINDOWS\system32\dns\bin\nsupdate.exe -k C:\WINDOWS\system32\dns\etc\Kuser-ddns-ec2.sushimysavior.com.+157+14445.key -v -d -D -L 2 C:\WINDOWS\system32\dns\etc\update.txt
 setup_system()
 Creating key...
 reset_system()
 user_interaction()
 get_next_command()
 get_next_command()
 get_next_command()
 evaluate_update()
 update_addordelete()
 get_next_command()
 evaluate_update()
 update_addordelete()
 get_next_command()
 show_message()
 Outgoing update query:
 ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 ;; ZONE SECTION:
 ;dev.sushimysavior.com.  IN  SOA
 
 ;; UPDATE SECTION:
 SOUS-CHEF-WIN.dev.sushimysavior.com. 0 ANY   A
 SOUS-CHEF-WIN.dev.sushimysavior.com. 86400 IN A  10.y.y.y
 
 get_next_command()
 get_next_command()
 cleanup()
 Shutting down task manager
 shutdown_program()
 Shutting down request manager
 Freeing TSIG key
 Destroy DST lib
 Destroying request manager
 Freeing the dispatchers
 Shutting down dispatch manager
 Destroying event
 Shutting down socket manager
 Shutting down timer manager
 Destroying hash context
 Destroying name state
 Removing log context
 Destroying memory context
 
 C:\work\bin>
 
 
 
 thanks!
 kallen
 
 
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
  from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: nsupdate problem after DNSSEC upgrade

2011-01-05 Thread Michelle Konzack
Note:   My nsupdate script uses an autogenerated file like:

 if ($_GET['nsupdate'] == 'on') {
   // $_GET['vhost'] is written verbatim into the nsupdate input; it should be
   // validated as a hostname before it is used here
   $tmp_file = tempnam('/tmp', 'tdphp-vserver.');
   chmod($tmp_file, 0700);
   $fh = fopen($tmp_file, 'a');
   fwrite($fh, "server dns1.tamay-dogan.net\n");
   fwrite($fh, "update delete " . $_GET['vhost'] . " A\n");
   // note: nsupdate/RFC 2136 evaluate all prerequisites before any update,
   // whatever their order in this file
   fwrite($fh, "prereq nxdomain " . $_GET['vhost'] . "\n");
   fwrite($fh, "update add " . $_GET['vhost'] . " 86400 CNAME " .
     $_SERVER['SERVER_NAME'] . "\n");
   fwrite($fh, "send\n");
   fclose($fh);   // flush and close before nsupdate reads the file
   exec("nsupdate " . escapeshellarg($tmp_file), $array, $ret);
 }

but this gives me, as I said already, an ExitStatus 2

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL   itsyst...@tdnet UG (limited liability)
Owner Michelle KonzackOwner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France   77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/ http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: nsupdate problem after DNSSEC

2011-01-05 Thread Phil Mayers

On 01/05/2011 08:09 AM, Michelle Konzack wrote:

 I have updated my dns1 to DNSSEC and now I have two problems...


Do you mean you have signed your zone?

If so, you are aware that bind requires the zone-signing key to be 
available in order to perform updates - like this:


zone $name {
  type master;
  allow-update { ... };
  key-directory "/var/named/data/keys/$name";
};

...and in /var/named/data/keys/$name you need the:

K$name.+005+id.key
K$name.+005+id.private

...files?


Re: nsupdate problem after DNSSEC

2011-01-05 Thread Michelle Konzack
Hello Phil Mayers,

On 2011-01-05 09:19:11, you wrote the following:
 Do you mean you have signed your zone?

Yes

 If so, you are aware that bind requires the zone-signing key to be
 available in order to perform updates - like this:
 
 zone $name {
   type master;
   allow-update { ... };

allow-update or allow-transfer?

I have the latter one and it seems my zones were transferred after a
forced reboot of dns2, but only the zones which have an IP in
allow-transfer. tamay-dogan.net uses a key and it does not work.

   key-directory "/var/named/data/keys/$name";
 };

Ahh, I have to add this?

 ...and in /var/named/data/keys/$name you need the:
 
 K$name.+005+id.key
 K$name.+005+id.private

many of them

Thanks, Greetings and nice Day/Evening
Michelle Konzack


Re: nsupdate

2010-10-01 Thread Stephane Bortzmeyer
On Fri, Oct 01, 2010 at 02:58:28PM +0530,
 rams brames...@gmail.com wrote 
 a message of 240 lines which said:

 Suppose we have two A records as ,

These two records have the same {name, class, type} and therefore
belong to the same RRset (Resource Record Set).

 When we update TTL value as below for one of the records , the TTL
 value changes for both the records.

Which is expected, since all the members of an RRset share the same TTL
value.



Re: Nsupdate -l not using session.key

2010-07-01 Thread Kalman Feher

I was obviously especially tired yesterday when I tested this.

Anyway BIND was chroot'd and user wasn't.

(slaps forehead)

Problem solved.



-- 
Kal Feher 



Re: Nsupdate -l not using session.key

2010-06-30 Thread Alan Clegg
On 6/30/2010 11:13 AM, Kalman Feher wrote:
 While testing bind 9.7.1 features including automated signing and
 update-policy local. I encountered some strange behaviour using nsupdate -l.
 
 When using nsupdate -l I was not able to update the zone in question and the
 following error was generated:
 update-security: error: client 127.0.0.1#9292: view internal: update
 'star/IN' denied

 Any suggestions?

Send your named.conf

AlanC




Re: Nsupdate -l not using session.key

2010-06-30 Thread Kalman Feher



On 30/06/10 5:25 PM, Alan Clegg acl...@isc.org wrote:

 On 6/30/2010 11:13 AM, Kalman Feher wrote:
 While testing bind 9.7.1 features including automated signing and
 update-policy local. I encountered some strange behaviour using nsupdate -l.
 
 When using nsupdate -l I was not able to update the zone in question and the
 following error was generated:
 update-security: error: client 127.0.0.1#9292: view internal: update
 'star/IN' denied
 
 Any suggestions?
 
 Send your named.conf
Named.conf:

acl xfer {
    none;
};
acl trusted {
    127.0.0.0/8;
    ::1/128;
    10.115.160.0/22;
};
options {
    directory "/var/bind";
    pid-file "/var/run/named/named.pid";
    bindkeys-file "/etc/bind/bind.keys";
    listen-on-v6 { none; };
    listen-on port 53 { any; };
    allow-query { trusted; };
    allow-query-cache { trusted; };
    allow-transfer { xfer; };
    dnssec-enable yes;
};
logging {
    channel default_log {
        file "/var/log/named/named.log" versions 5 size 50M;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel query_log {
        file "/var/log/named/query.log" versions 5 size 100M;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel dnssec_log {
        file "/var/log/named/dnssec.log" versions 5 size 100M;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel resolver_log {
        file "/var/log/named/resolver.log" versions 5 size 50M;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default { default_log; };
    category general { default_log; default_syslog; };
    category queries { query_log; };
    category dnssec { dnssec_log; };
    category resolver { resolver_log; };
};
include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { rndc-key; };
};
view internal in {
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "." in {
        type hint;
        file "/var/bind/root.cache";
    };
    zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        allow-update { none; };
        notify no;
        allow-query { any; };
        allow-transfer { none; };
    };

    zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        allow-update { none; };
        notify no;
        allow-query { any; };
        allow-transfer { none; };
    };

    zone "star" IN {
        type master;
        auto-dnssec maintain;
        update-policy local;
        dnssec-secure-to-insecure no;
        file "pri/star/star.zone.signed";
        key-directory "pri/star";
        notify no;
        allow-query { any; };
        allow-transfer { none; };
    };
    zone "COM" { type delegation-only; };
    zone "NET" { type delegation-only; };
};

view public in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    zone "." in {
        type hint;
        file "/var/bind/root.cache";
    };
};
view chaos chaos {
    match-clients { any; };
    allow-query { none; };
    zone "." {
        type hint;
        file "/dev/null";
    };
};
 
 AlanC
 

-- 
Kal Feher 



RE: nsupdate and an external database

2009-08-10 Thread Simpson, John R
From the lack of response, I take it that there is no good way to have BIND 
trigger an external database update (or other action) when it receives a DDNS 
update.  At least not without significantly customizing BIND, similar to what 
Quadritec / Lucent / Alcatel-Lucent did with QIP.

Enhancing ProBIND to support BIND-SDB master servers while keeping traditional 
configuration files for the slaves looks feasible.  Would there be interest in 
the BIND community for a version of ProBIND with SDB support, or am I 
re-inventing the wheel?

There are a lot of dead and outdated links for BIND-SDB.  Is it viable for 
long-term use?

Thanks,

John

 From: Simpson, John R
 Sent: Tuesday, July 28, 2009 4:11 PM
 To: 'bind-users@lists.isc.org'
 Subject: nsupdate and an external database

 Greetings all,

 We have a number of BIND 9.3.4 servers that are managed by ProBIND.  We would 
 like to be able to
 use nsupdate to generate dynamic DNS updates, but, of course, any DDNS 
 updates would be lost
 the next time the zone was pushed since they aren't reflected in ProBIND's 
 MySQL database.

 Is there any standard way to have BIND notify an external function or program 
 that an update has occurred?

 For example, registering a callback function that would then make the 
 appropriate update to the
 ProBIND database?  That's not a perfect solution, since there's still a 
 chance for the zone and the
 external database to be out of sync if the external database update doesn't 
 exactly match the DNS
 update, or if the serial numbers are mishandled.  But it seems like that 
 would be a better solution
 than trying to monitor zone/journal files for changes, or parsing log files.

 I've looked at SDB, which would be attractive if ProBIND or an alternative 
 management system
 used SDB instead of their own schema, and I'm investigating bind-dlz and 
 NetReg.

 Is there a preferred way to handle this?

 Thank you for your time,

 John

John Simpson
Senior Software Engineer, I. T. Engineering and Operations


Re: nsupdate delete question

2009-04-30 Thread Chris Thompson

On Apr 30 2009, James M wrote:


While invoking nsupdate within a program I notice that trying to
delete a nonexistent host does not return an error.


That's a result of the way that RFC 2136 defined update operations.
Read section 3, and note in particular that errors are never generated
in 3.4.2. Sometimes this is a damn nuisance (one would really prefer
BIND to give an error when trying to create an RR co-existing with
a CNAME, for example, rather than ignoring the update), but not really
in your case. Being able to delete RR(s) if they exist, but do nothing
if they don't, is a perfectly reasonable requirement.

What you need to do is to add a prereq requiring the RRset to exist
(prereq yxrrset mandy11.example.com A) or for it to have particular
contents (prereq yxrrset mandy11.example.com A 192.168.255.42)
before it is deleted.

--
Chris Thompson
Email: c...@cam.ac.uk


Re: nsupdate delete question

2009-04-30 Thread Niall O'Reilly
On Thu, 2009-04-30 at 10:18 -0400, James M wrote:
 trying to
 delete a nonexistent host does not return an error.

That seems reasonable to me, since the state of the
zone file after the transaction is indeed the state
which would be expected, had the host been present and
deleted.

If you need to ensure that there actually was a change
to the state of the zone, you could specify a prerequisite
in your transaction file, insisting that the RRset or
label of interest is present before deletion.

Something like this might do the trick.

key mandy4.example. blahblahblah
server mandy4.example.com
zone example.com

prereq yxrrset mandy11.example.com a

update delete mandy11.example.com a
send

IHTH
/Niall




Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Niall O'Reilly
On Fri, 2008-11-14 at 17:35 -0800, Chris Buxton wrote:
 Use a firewall (with deep packet inspection) to restrict by subnet.  
 Then use the TSIG key in the allow-update statement.
 
 Unfortunately, to my knowledge, that's the only way to do this.

Wouldn't using a BIND view to restrict by subnet work instead
of a firewall?

/Niall




Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Actually, to take this a step further, is there any remote possibility to
combine this with update-policy as well?

I know both questions have been mentioned on the list before with varied
answers, but I wanted to raise it again since this was finally figured out.

/Jonathan

On Mon, Nov 17, 2008 at 11:28 AM, Evan Hunt [EMAIL PROTECTED] wrote:

allow-update { !{!10/8;any;}; key update-key; };
 
  Wouldn't this still permit any client on the 10/8 subnet to update the
  zones?

 It's very confusing syntax, but no.

 You're probably thinking in boolean algebra (I did too, when I first
 encountered this).  If it were boolean algebra, you could redistribute
 the negatives: !{!10/8; any;} becomes {!!10/8; !any;} and then
 simplifies to {10/8; none;}.

 But ACLs aren't boolean, so you can't do that.  Each element has three
 possible results not two: match and accept, match and reject, or no
 match, which means continue processing.

 When an ordinary ACL element matches and is negated (for example, the
 element is !10/8; and the address is 10.0.0.1) that means match and
 reject.  But if the match is inside of a *nested* ACL, then it's treated
 differently:  A negative result means the nested ACL didn't match--and
 so you continue processing.

 So if you're checking address A against an ACL of one of the following
 forms, these will be the results:

{ A;B; }   == A is allowed, accept immediately
{  {  A; }; B; }   == A is allowed, accept immediately
{!A;B; }   == A is forbidden, reject immediately
{ !{  A; }; B; }   == A is forbidden, reject immediately
{  { !A; }; B; }   == A matched but was negated, try element B
{ !{ !A; }; B; }   == A matched but was negated, try element B

 Those last two lines there are confusingly similar (and, as written,
 useless).  The difference is what happens if you're checking an address
 *other* than A, and something else in the nested ACL matches it.

{  { !A; any; }; B; }  == any address other than A is accepted at once,
  but A is only accepted if B matches too.
  boolean translation: ((not A) or (A and B))

 { !{ !A; any; }; B; }  == any address other than A is *rejected* at once,
   but A is accepted as long as B matches too.
   boolean translation: (A and B)

 Hope that's helpful.  (*I* find it hard to keep this syntax straight, and I
 wrote a big chunk of the code that implements it in BIND 9.5...)

 --
 Evan Hunt -- [EMAIL PROTECTED]
 Internet Systems Consortium, Inc.

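The three-valued matching Evan describes above, as an added example that is not BIND's code: a small Python simulator of ACL evaluation in which every element yields accept, reject or no-match, and a negative match inside a nested ACL is passed upward as no-match. It implements the general rule behind all six rows of the table, and checks the thread's `allow-update { !{!10/8;any;}; key update-key; };` against constructed requests. The names `Elem`, `acl_match`, `allowed` and the helper constructors are hypothetical, and 10/8 is spelled out as 10.0.0.0/8 for Python's ipaddress module.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Elem:
    kind: str             # "prefix", "key", "any" or "nested"
    value: object = None  # ip_network, TSIG key name, or list of Elem
    negate: bool = False  # the leading "!" in named.conf


def prefix(cidr, negate=False):
    # BIND accepts shorthand like 10/8; it is spelled out as 10.0.0.0/8 here
    return Elem("prefix", ipaddress.ip_network(cidr, strict=False), negate)

def key(name, negate=False):
    return Elem("key", name, negate)

def any_(negate=False):          # "none" in named.conf is just "!any"
    return Elem("any", None, negate)

def nested(elems, negate=False):
    return Elem("nested", list(elems), negate)


def acl_match(acl, addr, signer=None):
    """Evaluate an ACL for a request from addr, signed with TSIG key signer.

    Returns +1 (match, accept), -1 (match, reject) or 0 (no element
    matched). Evaluation stops at the first element that matches either way.
    """
    ip = ipaddress.ip_address(addr)
    for e in acl:
        if e.kind == "prefix":
            hit = ip in e.value
        elif e.kind == "key":
            hit = signer is not None and signer == e.value
        elif e.kind == "any":
            hit = True
        elif e.kind == "nested":
            # The point of the thread: a negative match *inside* a nested ACL
            # is reported upward as "no match", so !{ !A; } never turns into
            # a surprise positive match through double negation.
            hit = acl_match(e.value, addr, signer) > 0
        else:
            raise ValueError(f"unknown ACL element kind {e.kind!r}")
        if hit:
            return -1 if e.negate else 1
    return 0


def allowed(acl, addr, signer=None):
    """Only a positive match permits the request; 0 and -1 both deny it."""
    return acl_match(acl, addr, signer) > 0


# The ACL from the thread: allow-update { !{ !10/8; any; }; key update-key; };
UPDATE_ACL = [
    nested([prefix("10.0.0.0/8", negate=True), any_()], negate=True),
    key("update-key"),
]

# The two confusable forms from the table, with A = 10.0.0.1 and B = key "B"
A = "10.0.0.1"
FORM_POS = [nested([prefix(A + "/32", negate=True), any_()]), key("B")]
FORM_NEG = [nested([prefix(A + "/32", negate=True), any_()], negate=True), key("B")]

if __name__ == "__main__":
    # Constructed requests: inside 10/8 with and without the key, and outside it
    for addr, signer in [("10.0.0.1", "update-key"), ("10.0.0.1", None),
                         ("192.0.2.1", "update-key")]:
        print(f"{addr:>10} signer={signer!s:<10} -> {acl_match(UPDATE_ACL, addr, signer):+d}")
```

A request from 10/8 without the key ends with result 0, which is a denial just as firmly as the -1 that an address outside 10/8 receives; only the key-signed request from 10/8 reaches +1.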

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Yeah it would most likely be a feature request/change.

IIRC update-policy cannot be used in conjunction with the allow-update
statement. Personally I prefer the usage of update-policy as I can assign
different business units within my organization to take responsibility for
certain records/record types.

As I'm using a multi-view server (public and private IP) I'm concerned that
the update keys used might get compromised (computer stolen or whatever)
thus it would be useful to be able to limit the capability for updates for
specified IP-ranges.

This is achieved with the allow-update policy given throughout this
conversation, but as you cannot use them in conjunction with update-policy I'm
not able to limit certain records/record types to keys.

To put this in a conf example I'm thinking something like:

allow-update {
! { !10/8; any; };
update-policy { grant key subdomain dummy.com ALL; };
};

I hope this makes sense.

/Jonathan

On Mon, Nov 17, 2008 at 4:43 PM, Evan Hunt [EMAIL PROTECTED] wrote:


  Actually, to take this a step further, is there any remote possibility to
  combine this with update-policy as well?

 I'm not sure what you mean.

 I believe you can use allow-updates to filter according to IP address
 and then update-policy to filter according to key; that might be an
 easier way to accomplish the same thing.  I've never done so, but I'd
 expect it to work.  But it sounds like you're asking for a feature
 change... clarify please?

 --
 Evan Hunt -- [EMAIL PROTECTED]
 Internet Systems Consortium, Inc.


Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Evan Hunt
 IIRC update-policy cannot be used in conjunction with the allow-update
 statement.

My bad--you're right.  There's code I'd never noticed before that says
allow-update will be ignored if update-policy is set.  Whoops.

(Oddly, the check only applies when both of them are defined in the
zone itself.  You can put allow-updates in the view options and
update-policy in the zone, and named won't complain about it...
but it also won't work the way you want it to.)

I don't know why it was implemented this way--there's no protocol reason
I can see.  (There may be other reasons I don't know about.)  It's probably
not a high enough priority for ISC to devote engineering resources to it at
this time, but if someone submitted a patch that added an ACL check to the
update-policy syntax, I'm sure we'd consider it.

--
Evan Hunt -- [EMAIL PROTECTED]
Internet Systems Consortium, Inc.


Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Guess I should start digging in the code then :)

On Mon, Nov 17, 2008 at 5:59 PM, Evan Hunt [EMAIL PROTECTED] wrote:

  IIRC update-policy cannot be used in conjunction with the allow-update
  statement.

 My bad--you're right.  There's code I'd never noticed before that says
 allow-update will be ignored if update-policy is set.  Whoops.

 (Oddly, the check only applies when both of them are defined in the
 zone itself.  You can put allow-updates in the view options and
 update-policy in the zone, and named won't complain about it...
 but it also won't work the way you want it to.)

 I don't know why it was implemented this way--there's no protocol reason
 I can see.  (There may be other reasons I don't know about.)  It's probably
 not a high enough priority for ISC to devote engineering resources to it at
 this time, but if someone submitted a patch that added an ACL check to the
 update-policy syntax, I'm sure we'd consider it.

 --
 Evan Hunt -- [EMAIL PROTECTED]
 Internet Systems Consortium, Inc.
