Re: [Dnsmasq-discuss] multiple soa

2018-10-15 Thread Алексей Кузнецов
Thanks for the answer.

Tue, 16 Oct 2018, 2:34 Simon Kelley:

> I have to confess I never considered this as a valid possibility, but it
> does make sense, maybe.
>
> The sane, backward-compatible way to do it might be to extend the syntax
> of auth-soa, to allow a zone name to be included, so your second
> auth-soa line would become
>
> auth-soa=sub.mobile-test.ru,2018101101,sub.mobile-test.example.ru,120,120,604800
>
> So, no, you can't do this with the existing code, sorry. It's a possible
> future enhancement.
>
> Cheers,
>
> Simon.
>
>
>
> On 15/10/18 20:43, Алексей Кузнецов wrote:
> > no chance?
> >
> > On Thu, Oct 11, 2018 at 7:08 PM Алексей Кузнецов
> > <kuznetsovalexe...@gmail.com> wrote:
> >
> > # My zones and their subnets
> > auth-zone=mobile-test.example.ru
> > auth-zone=ns1.mobile-test.example.ru
> >
> >
> > # SOA config
> > auth-soa=2018101101,mobile-test.example.ru,120,120,604800
> >
> > # Slave NS: nameserver2.provider.com (50.60.70.80)
> > # Secondary NS (slave NS at IT)
> > auth-sec-servers=msk-dc1.example.ru
> > auth-sec-servers=msk-dc2.example.ru
> > auth-sec-servers=msk-dc3.example.ru
> > auth-sec-servers=msk-DC1.example.ru
> > auth-sec-servers=msk-DC2.example.ru
> > auth-sec-servers=msk-DC3.example.ru
> > # Allow zone transfers to secondary NS
> > auth-peer=172.17.8.75
> > auth-peer=172.17.8.74
> > auth-peer=172.17.8.7
> >
> > # Authoritative DNS on interface eth0
> > auth-server=ns1.mobile-test.example.ru,ens160
> >
> > If I add these lines
> > auth-zone=sub.mobile-test.example.ru
> > auth-soa=2018101101,sub.mobile-test.example.ru,120,120,604800
> > I have an error
> > dnsmasq[10843]: dnsmasq: syntax check OK.
> > dnsmasq[10847]: dnsmasq: illegal repeated keyword at line 29 of /etc/dnsmasq.d/dnsmasq.conf
> >
> > line 29 is auth-soa=2018101101,sub.mobile-test.example.ru,120,120,604800
> >
> > On Wed, Oct 10, 2018 at 1:40 PM Petr Mensik wrote:
> >
> > Second soa in one zone cannot be added. One zone has one soa.
> > Can you please share relevant configuration parts?
> >
> > On 10/09/2018 11:46 AM, Алексей Кузнецов wrote:
> > > Hello, I set zone with soa record and it works fine. I want
> > > to add second soa zone but dnsmasq says duplicate options in
> > > config. How to add second soa?
> > >
> >
> > --
> > Petr Menšík
> > Software Engineer
> > Red Hat, http://www.redhat.com/
> > email: pemen...@redhat.com   PGP: 65C6C973
> >
>
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Duplicate IP detection with fixed IP

2018-10-15 Thread Simon Kelley
On 08/10/18 11:39, Bernard CLABOTS wrote:

> => So My iPhone is legit.
>
> "Servers with knowledge of the client's configuration parameters
>   respond with a DHCPACK message to the client.  Servers SHOULD NOT
>   check that the client's network address is already in use; the
>   client may respond to ICMP Echo Request messages at this point."
>
> => Invalidates the fix you did in 2017:
> "
> commit 5ce3e76fbf89e942e8c54ef3e3389facf0d9067a
> Author: Simon Kelley
> Date:   Fri Apr 28 22:14:20 2017 +0100
>
>     DHCPv4: do ICMP-ping check in all cases other that current lease.
> "


This was partially reverted in 1d224949cced9e82440d00b3dbaf32c262bac2ff





[Dnsmasq-discuss] Announce: dnsmasq-2.80rc1

2018-10-15 Thread Simon Kelley
As far as I'm aware, the development tree is in a good state at the
moment, and I'd like to begin the process to release 2.80. Accordingly
I've tagged the first release candidate.

A tarball is available here:

http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.80rc1.tar.gz

Please, if you can, download, build and test.


Cheers,

Simon.






Re: [Dnsmasq-discuss] multiple soa

2018-10-15 Thread Simon Kelley
I have to confess I never considered this as a valid possibility, but it
does make sense, maybe.

The sane, backward-compatible way to do it might be to extend the syntax
of auth-soa, to allow a zone name to be included, so your second
auth-soa line would become

auth-soa=sub.mobile-test.ru,2018101101,sub.mobile-test.example.ru,120,120,604800

So, no, you can't do this with the existing code, sorry. It's a possible
future enhancement.

Cheers,

Simon.



On 15/10/18 20:43, Алексей Кузнецов wrote:
> no chance?
> 
> On Thu, Oct 11, 2018 at 7:08 PM Алексей Кузнецов
> <kuznetsovalexe...@gmail.com> wrote:
>
> # My zones and their subnets
> auth-zone=mobile-test.example.ru
> auth-zone=ns1.mobile-test.example.ru
>
>
> # SOA config
> auth-soa=2018101101,mobile-test.example.ru,120,120,604800
>
> # Slave NS: nameserver2.provider.com (50.60.70.80)
> # Secondary NS (slave NS at IT)
> auth-sec-servers=msk-dc1.example.ru
> auth-sec-servers=msk-dc2.example.ru
> auth-sec-servers=msk-dc3.example.ru
> auth-sec-servers=msk-DC1.example.ru
> auth-sec-servers=msk-DC2.example.ru
> auth-sec-servers=msk-DC3.example.ru
> # Allow zone transfers to secondary NS
> auth-peer=172.17.8.75
> auth-peer=172.17.8.74
> auth-peer=172.17.8.7
>
> # Authoritative DNS on interface eth0
> auth-server=ns1.mobile-test.example.ru,ens160
>
> If I add these lines
> auth-zone=sub.mobile-test.example.ru
> auth-soa=2018101101,sub.mobile-test.example.ru,120,120,604800
> I have an error
> dnsmasq[10843]: dnsmasq: syntax check OK.
> dnsmasq[10847]: dnsmasq: illegal repeated keyword at line 29 of /etc/dnsmasq.d/dnsmasq.conf
>
> line 29 is auth-soa=2018101101,sub.mobile-test.example.ru,120,120,604800
> 
> On Wed, Oct 10, 2018 at 1:40 PM Petr Mensik wrote:
>
> Second soa in one zone cannot be added. One zone has one soa.
> Can you please share relevant configuration parts?
>
> On 10/09/2018 11:46 AM, Алексей Кузнецов wrote:
> > Hello, I set zone with soa record and it works fine. I want
> > to add second soa zone but dnsmasq says duplicate options in
> > config. How to add second soa?
> >
>
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemen...@redhat.com   PGP: 65C6C973
>






Re: [Dnsmasq-discuss] IETF RFC 5011 "Automated Updates of DNS Security (DNSSEC) Trust Anchors" supported?

2018-10-15 Thread Simon Kelley
On 11/10/18 00:28, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> Hi,
> 
> the old root-KSK will be deleted today at 16:00 UTC and the TTLs will
> run out not later than 48 hours.
> 
> Does Dnsmasq support IETF RFC 5011 or are there any plans to implement
> IETF RFC 5011?
> 

No, and probably not.

My take on this is that anything running dnsmasq has net access, by
definition, and really should have a method of doing automatic updates
for security fixes, etc. As such it has a method of authentication put
in place by the software providers, and that is the best way to update
the root key.


The RFC5011 method is surprisingly limited. Any software image which only
has the original key "baked in" will not update to the new key using
RFC5011 now, since 5011 relies on a period when the new key is published
and the old still trusted during which the host is active.


Cheers,

Simon.

> Regards,
> 
> Renne
> 
> 
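
The RFC 5011 limitation described in the reply above, worked through as a reduced simulation. This is an added example, not code from dnsmasq or from the thread: the key names, day offsets and 5-day polling interval are constructed, the 30-day add hold-down is the RFC 5011 value, and revocation is not modelled.

```python
ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down time


def zone_rrset(day):
    """Constructed rollover schedule: (published keys, keys signing the RRset)."""
    if day < 100:
        return {"OLD", "NEW"}, {"OLD"}   # new key pre-published, old key signs
    if day < 200:
        return {"OLD", "NEW"}, {"NEW"}   # rollover done, new key signs
    return {"NEW"}, {"NEW"}              # old key withdrawn


def track_anchors(baked_in, poll_days):
    """Replay DNSKEY polls through a reduced RFC 5011 tracker.

    Returns (trusted keys, whether the last polled RRset validated).
    Revocation and the remove hold-down are not modelled.
    """
    trusted = set(baked_in)
    first_seen = {}          # candidate key -> day it was first seen validated
    validated = False
    for day in poll_days:
        published, signers = zone_rrset(day)
        validated = bool(trusted & signers)
        if not validated:
            continue         # RRset not signed by an anchor we hold: learn nothing
        for key in list(first_seen):
            if key not in published:
                del first_seen[key]      # candidate vanished: its timer resets
        for key in published - trusted:
            seen = first_seen.setdefault(key, day)
            if day - seen >= ADD_HOLD_DOWN_DAYS:
                trusted.add(key)         # hold-down served: promote to anchor
                del first_seen[key]
    return trusted, validated


def host(first_boot_day, last_day=250, poll_every=5):
    """A host whose image trusts only OLD and that polls from first boot on."""
    return track_anchors({"OLD"}, range(first_boot_day, last_day + 1, poll_every))


if __name__ == "__main__":
    for boot in (0, 65, 70, 220):
        trusted, ok = host(boot)
        print(f"first boot day {boot:3}: trusted={sorted(trusted)} validates={ok}")
```

A host first booted on day 70 sees the new key for only 25 days before the old key stops signing, so it never promotes it; a host first booted after the rollover has no trusted signature to start from.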




Re: [Dnsmasq-discuss] multiple soa

2018-10-15 Thread Алексей Кузнецов
no chance?

On Thu, Oct 11, 2018 at 7:08 PM Алексей Кузнецов <
kuznetsovalexe...@gmail.com> wrote:

> # My zones and their subnets
> auth-zone=mobile-test.example.ru
> auth-zone=ns1.mobile-test.example.ru
>
>
> # SOA config
> auth-soa=2018101101,mobile-test.example.ru,120,120,604800
>
> # Slave NS: nameserver2.provider.com (50.60.70.80)
> # Secondary NS (slave NS at IT)
> auth-sec-servers=msk-dc1.example.ru
> auth-sec-servers=msk-dc2.example.ru
> auth-sec-servers=msk-dc3.example.ru
> auth-sec-servers=msk-DC1.example.ru
> auth-sec-servers=msk-DC2.example.ru
> auth-sec-servers=msk-DC3.example.ru
> # Allow zone transfers to secondary NS
> auth-peer=172.17.8.75
> auth-peer=172.17.8.74
> auth-peer=172.17.8.7
>
> # Authoritative DNS on interface eth0
> auth-server=ns1.mobile-test.example.ru,ens160
>
> If I add these lines
> auth-zone=sub.mobile-test.example.ru
> auth-soa=2018101101,sub.mobile-test.example.ru,120,120,604800
> I have an error
> dnsmasq[10843]: dnsmasq: syntax check OK.
> dnsmasq[10847]: dnsmasq: illegal repeated keyword at line 29 of /etc/dnsmasq.d/dnsmasq.conf
>
> line 29 is auth-soa=2018101101,sub.mobile-test.example.ru,120,120,604800
>
> On Wed, Oct 10, 2018 at 1:40 PM Petr Mensik wrote:
>
>> Second soa in one zone cannot be added. One zone has one soa. Can you
>> please share relevant configuration parts?
>>
>> On 10/09/2018 11:46 AM, Алексей Кузнецов wrote:
>> > Hello, I set zone with soa record and it works fine. I want to add second
>> > soa zone but dnsmasq says duplicate options in config. How to add second soa?
>> >
>>
>> --
>> Petr Menšík
>> Software Engineer
>> Red Hat, http://www.redhat.com/
>> email: pemen...@redhat.com  PGP: 65C6C973
>>
>


[Dnsmasq-discuss] Bug in systemd/dhcp scripts that affects dnsmasq

2018-10-15 Thread Bob Vincent
I've submitted an Ubuntu bug-report here:

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1797602

*Problem*:


   - systemd breaks resolvconf-dependent DNS

*Test case:*


   - Install dnsmasq with systemd.

*Result*:

   - The script in /etc/dhcp/dhclient-enter-hooks.d/resolvconf defines the
   make_resolv_conf() function to pass DHCP information to the
   /sbin/resolvconf program.
   - The script in /etc/dhcp/dhclient-enter-hooks.d/resolved redefines the
   make_resolv_conf() function to write DHCP information to
   /run/systemd/resolved.conf.d/isc-dhcp-v4-$interface.conf
   - As a result, resolvconf never runs, and dnsmasq never receives the
   DHCP-supplied nameservers.
   - Therefore, DNS resolution is broken.

*Expected result*:

   - DHCP-supplied nameservers should be passed to both resolvconf and to
   systemd.

*Workaround*:

   - Use the 127.0.0.53 address for the systemd resolver as the dnsmasq
   upstream server.

-- 
The web is like usenet, but
the elephants are untrained.
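
The function collision described in the report above can be checked for mechanically. This is an added example, not code from the bug report or from either package: it scans a hooks directory for shell functions defined by more than one file. The sample file bodies and the `zz-example` hook are constructed stand-ins, and sourcing in file-name order is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Shell function definitions of the form "name() {" or "function name() {".
FUNC_DEF = re.compile(r"^[ \t]*(?:function[ \t]+)?([A-Za-z_]\w*)[ \t]*\([ \t]*\)", re.M)

# Constructed stand-ins for the hook scripts; the real file contents differ.
SAMPLE_HOOKS = {
    "resolvconf": "make_resolv_conf() {\n  : # hand DHCP nameservers to /sbin/resolvconf\n}\n",
    "resolved": "make_resolv_conf() {\n  : # write a systemd-resolved drop-in instead\n}\n",
    "zz-example": "log_lease() {\n  :\n}\n",  # hypothetical hook with no collision
}


def shadowed_functions(hook_dir):
    """Map each function defined by more than one hook to the defining files.

    Files are listed in name order, assumed here to be the order in which
    dhclient-script sources them; the last file in each list is the
    definition in effect when the function is finally called.
    """
    definers = {}
    for path in sorted(Path(hook_dir).iterdir(), key=lambda p: p.name):
        if not path.is_file():
            continue
        for name in FUNC_DEF.findall(path.read_text(errors="replace")):
            files = definers.setdefault(name, [])
            if path.name not in files:
                files.append(path.name)
    return {name: files for name, files in definers.items() if len(files) > 1}


def check_sample():
    """Write the constructed hooks to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_HOOKS.items():
            (Path(tmp) / name).write_text(body)
        return shadowed_functions(tmp)


if __name__ == "__main__":
    for func, files in check_sample().items():
        print(f"{func}: defined in {files}; {files[-1]} overrides the rest")
```

On a live system, pass `/etc/dhcp/dhclient-enter-hooks.d` to `shadowed_functions()` to see whether `make_resolv_conf` is being redefined.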