Re: [WISPA] Authoritative BIND issues

2010-06-25 Thread Bradley D. Thornton

And now upgrade ;)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097

It will never end with BIND - MUUUuuhahahahaha!

pls see below for additional comments.


On 6/4/2010 2:22 PM, Mike Hammett wrote:
 I got the errors to stop (period after the Origin, put there by a config 
 generator), but it still doesn't answer for itself and looks to the 
 roots and so on.

Don't do that Mike.

 
 If I'm issuing the command as I stated below, it shouldn't matter that 
 the public authoritative server is elsewhere, would it? 


Yes it absolutely does.

What you might do, depending on what you're trying to do, is create a
new NS RR for it in the master db file, and then slave the master.

You can also make your machine a manual master by doing an AXFR of the
zonefile from the AUTH server, then changing the SOA and NS Records in
that zonefile to indicate that your new server is actually the (or at
least one of) AUTH name server for that zone.

But really, most of the reasons you would do the second item (which it
sounds like you're trying to do), probably aren't part of why you're
doing this.

If you want the server to answer AUTH, then merely slave the master, coz
what you're doing is bordering on what is known as creating a 'hidden
master'. Which is what we do with servers for rootzones or TLD zones
where the real master isn't even accessible from the outside, and only
allows for zone AXFRs from the machines that are 'slaving' the hidden
master, and even though they're slaving it, it is their IPs that are in
the NS records as AUTH for the zone(s), making them AUTH, and masters,
even though they're slaving the zone from a hidden master.

We do this too in registries.

 I'm trying to
 build this new system without messing with the production system.

Just edit the db file for the zone in question on the master, adding
your new box as AUTH for the zone w/an NS RR, then on the new box,
merely slave the master.

Don't forget to up your serial before HUP'ing the master when you load
the new zonefile.

If you are trying to set up a new forward facing master, and slave the
zone from a hidden master, then the SOA should be the machine that is
slaving the hidden master, and all other AUTH servers should simply
slave that machine's zonefile, with their glue included in that file.

 
 -
 Mike Hammett
 Intelligent Computing Solutions
 http://www.ics-il.com
 
 
 
 On 6/4/2010 1:12 PM, Mike Hammett wrote:

 
 
 
 WISPA Wants You! Join today!
 http://signup.wispa.org/
 
  
 WISPA Wireless List: wireless@wispa.org
 
 Subscribe/Unsubscribe:
 http://lists.wispa.org/mailman/listinfo/wireless
 
 Archives: http://lists.wispa.org/pipermail/wireless/
 

-- 
Bradley D. Thornton
Manager Network Services
NorthTech Computer
TEL: +1.760.666.2703  (US)
TEL: +44.702.405.1909 (UK)
http://NorthTech.US






Re: [WISPA] Authoritative BIND issues

2010-06-25 Thread Mike Hammett
I dumped the VM, started from scratch using webmin to build everything 
and we came out well.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



On 6/25/2010 4:27 PM, Bradley D. Thornton wrote:
[WISPA] Authoritative BIND issues

2010-06-04 Thread Mike Hammett
I'm trying to set up a new authoritative BIND server, but all test
queries I issue to the server (dig @serversIP test.domain) get forwarded
to the root servers and so on. My zones have recursive searching
disabled. How is this happening?

There are errors in loading the zone, but if all queries are being sent
out to the public Internet, how am I going to be able to test the new
system?

-- 


-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com







Re: [WISPA] Authoritative BIND issues

2010-06-04 Thread Justin Wilson
Try this:

// options section fragment of named.conf
// recursion no: answer only from the zones this server is authoritative for,
// so it never looks names up (or caches answers) on a client's behalf
options {
 directory "/var/named";
 version "1.2.3.4";
 recursion no;
};
// zone file sections follow




-- 
Justin Wilson j...@mtin.net
http://www.mtin.net/blog
Wisp Consulting - Tower Climbing - Network Support



From: Mike Hammett wispawirel...@ics-il.net
Reply-To: WISPA General List wireless@wispa.org
Date: Fri, 04 Jun 2010 13:12:26 -0500
To: WISPA General List wireless@wispa.org
Subject: [WISPA] Authoritative BIND issues



Re: [WISPA] Authoritative BIND issues

2010-06-04 Thread David E. Smith
On Fri, Jun 4, 2010 at 13:12, Mike Hammett wispawirel...@ics-il.net wrote:
 There are errors in loading the zone,  but if all queries are being sent
 out to the public Internet, how am I going to be able to test the new
 system?

If there were errors in loading the zone, then it's not going to
answer queries for the zone. First, you'll need to read the error logs
and tea leaves, to see why your zone file isn't loading; once that's
taken care of, you can then worry about testing.

David Smith
MVN.net





Re: [WISPA] Authoritative BIND issues

2010-06-04 Thread Bradley D. Thornton

Yup. I pointed that out on the other list too.

Could be as simple as not upping your serial too ;)

I like this format - works well with scripts

mmdd## - that should give you more than enough updates to your
zonefiles each day for an AUTH server.

And look for those missing periods, braces, semicolons, etc., like David
pointed out below. hosts for A RRs end w/periods too, and for the rp
don't forget that it's all dots - no @ sign.

Try loading a dummy zone with just a couple of hosts w/simple A RRs and
build from there ;) Use that SOA for the top of your template.

Always up your serial whenever you HUP.

Just parse through it - I'm sure you'll find it. Also, if that's not it,
make sure you're running RFC compliant FQDNs. IOW, no _, which,
depending upon how you compiled BIND, you may need to specifically allow
- otherwise BIND will reject those. Microsoft likes to promote the use
of underscores in machine names - forcing the admin to give those boxes
different hostnames or provide support for those non-RFC-compliant
hostnames - many DNS servers out there on the Internet won't anyway -
none of mine will.

On 6/4/2010 11:24 AM, David E. Smith wrote:

-- 
Bradley D. Thornton
Manager Network Services
NorthTech Computer
TEL: +1.760.666.2703  (US)
TEL: +44.702.405.1909 (UK)
http://NorthTech.US
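A small zone-file lint for the slips listed above (missing trailing periods, an '@' instead of a dot in the SOA mailbox, underscores in hostnames) plus the serial check that both of Bradley's replies stress. This is an added example, not code from the thread; the sample zone and its example.test names are constructed, and the YYYYMMDDnn serial form is an assumption:

```python
import re

# Constructed sample zone (not from the thread) with the slips the thread warns
# about: $ORIGIN and an NS target missing their trailing periods, an '@' in the
# SOA responsible-person mailbox, an underscore hostname, and a stale serial.
BAD_ZONE = """\
$ORIGIN example.test
@   IN SOA ns1.example.test. hostmaster@example.test. (
        2010060401 ; serial
        3600 900 604800 86400 )
    IN NS  ns1.example.test
    IN NS  ns2.example.test.
ns1 IN A   192.0.2.1
file_srv IN A 192.0.2.3
"""
# The same zone with every slip corrected and the serial bumped.
GOOD_ZONE = (BAD_ZONE.replace("example.test\n", "example.test.\n")
             .replace("hostmaster@", "hostmaster.")
             .replace("file_srv", "file-srv").replace("2010060401", "2010060402"))

SERIAL_FORM = re.compile(r"\d{8}\d{2}")  # assumed YYYYMMDDnn: date plus counter

def lint_zone(text, previous_serial=None):
    """Return the problems found; an empty list means the zone passed every check."""
    problems = []
    lines = [ln.split(";", 1)[0].rstrip() for ln in text.splitlines()]  # drop comments
    for line in lines:
        if line.startswith("$ORIGIN") and not line.split()[1].endswith("."):
            problems.append("$ORIGIN %s lacks a trailing period" % line.split()[1])
        owner = line.split()[0] if line.strip() and not line.startswith("$") else ""
        if "_" in owner:
            problems.append("owner name %s contains an underscore" % owner)
        ns = re.match(r"^\S*\s+(?:IN\s+)?NS\s+(\S+)", line)
        if ns and not ns.group(1).endswith("."):
            problems.append("NS target %s lacks a trailing period" % ns.group(1))
    # Parentheses let the SOA span lines, so match it against the flattened text.
    soa = re.search(r"SOA\s+(\S+)\s+(\S+)\s*\(?\s*(\d+)", " ".join(lines))
    if not soa:
        return problems + ["no SOA record found"]
    mname, rname, serial = soa.groups()
    for name in (mname, rname):
        if not name.endswith("."):
            problems.append("SOA name %s lacks a trailing period" % name)
    if "@" in rname:
        problems.append("SOA mailbox %s must use a dot, not '@'" % rname)
    if not SERIAL_FORM.fullmatch(serial):
        problems.append("serial %s is not in YYYYMMDDnn form" % serial)
    if previous_serial is not None and int(serial) <= previous_serial:
        problems.append("serial %s not raised above the master's %d" % (serial, previous_serial))
    return problems
```

Run it with the serial the master currently serves as previous_serial; the checks only cover the mistakes discussed in this thread, not full zone syntax.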






Re: [WISPA] Authoritative BIND issues

2010-06-04 Thread Mike Hammett
I got the errors to stop (period after the Origin, put there by a config 
generator), but it still doesn't answer for itself and looks to the 
roots and so on.

If I'm issuing the command as I stated below, it shouldn't matter that 
the public authoritative server is elsewhere, would it?  I'm trying to 
build this new system without messing with the production system.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



On 6/4/2010 1:12 PM, Mike Hammett wrote:




