Re: openssl alert when 9.8i installed?
"aklist" wrote:
>Thanks Jeremy: When you say "look at the output" is that captured
>anywhere by default? Do I need to capture the output to a text file
>when running
>./configure? I watched it racing past in my terminal window but couldn't
>follow it.

I never build an executable without running script -a . to keep a
record of what I did and what messages were produced.

--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory        Phone:     +1 (630) 252-7277
9700 South Cass Avenue             Facsimile: +1 (630) 252-4601
Building 222, Room D209            Internet:  bsfin...@anl.gov
Argonne, IL 60439-4828             IBMMAIL:   I1004994
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Magic for NSEC3
Thanks for your input

/Jonathan

On Jan 3, 2009, at 16:13, Mark Andrews wrote:

> In message , "Jonathan Petersson" writes:
>> Hi all,
>>
>> Hopefully this post won't cause as much SPAM as my last one. About a
>> year ago I started looking into DNSSEC and how to work with it for
>> dynamic updates etc. Since only NSEC was supported, allowing whomever
>> to do an unauthorized zone-transfer I canceled my projects later
>> finding out that NSEC3 would stop the behavior.
>
> One really needs to look at the cost benefit analysis to decide
> whether to use NSEC or NSEC3. NSEC3 is much more expensive for
> both authoritative servers and validators than NSEC. There are
> almost no zones that need that level of protection.
>
> Stopping AXFR/IXFR has almost zero cost so for many people it has
> become reflex without any need to justify it. Stopping zone
> enumeration has a relatively high cost.
>
> Note for many servers stopping AXFR/IXFR was not about the zone
> content and more about preserving file descriptors for use by the
> slaves and legitimate TCP clients rather than the curious.
>
>> With the release of BIND 9.6 my understanding is that NSEC3 is now
>> supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
>> clueless as whether there's any magic sauce to get NSEC3 records vs.
>> NSEC.
>>
>> If anyone has a pointer that would be of help, I've tried using
>> NSEC3RSASHA1 keys without success of getting NSEC3 records.
>
> NSEC3RSASHA1 allows the use of either NSEC or NSEC3 when signing
> the zone. You need to tell dnssec-signzone which one to use.
>
>     dnssec-signzone -3 salt [-H iterations] [-A]
>
>> Thx
>>
>> /Jonathan
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: Magic for NSEC3
In message , "Jonathan Petersson" writes:
> Hi all,
>
> Hopefully this post won't cause as much SPAM as my last one. About a
> year ago I started looking into DNSSEC and how to work with it for
> dynamic updates etc. Since only NSEC was supported, allowing whomever
> to do an unauthorized zone-transfer I canceled my projects later
> finding out that NSEC3 would stop the behavior.

One really needs to look at the cost benefit analysis to decide
whether to use NSEC or NSEC3. NSEC3 is much more expensive for
both authoritative servers and validators than NSEC. There are
almost no zones that need that level of protection.

Stopping AXFR/IXFR has almost zero cost so for many people it has
become reflex without any need to justify it. Stopping zone
enumeration has a relatively high cost.

Note for many servers stopping AXFR/IXFR was not about the zone
content and more about preserving file descriptors for use by the
slaves and legitimate TCP clients rather than the curious.

> With the release of BIND 9.6 my understanding is that NSEC3 is now
> supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
> clueless as whether there's any magic sauce to get NSEC3 records vs.
> NSEC.
>
> If anyone has a pointer that would be of help, I've tried using
> NSEC3RSASHA1 keys without success of getting NSEC3 records.

NSEC3RSASHA1 allows the use of either NSEC or NSEC3 when signing
the zone. You need to tell dnssec-signzone which one to use.

    dnssec-signzone -3 salt [-H iterations] [-A]

> Thx
>
> /Jonathan

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: openssl alert when 9.8i installed?
Hi,

> ns1# find / -name 'openssl' -print
> /usr/bin/openssl
> /usr/include/openssl
> /usr/local/bin/openssl
> /usr/local/include/openssl
> /usr/local/include/openssl.old/openssl
> /usr/local/share/doc/openssl
> /usr/local/openssl
> /usr/local/ssl/bin/openssl
> /usr/local/ssl/include/openssl
> /usr/share/openssl
> /usr/src/crypto/openssl
> /usr/src/secure/usr.bin/openssl
> /usr/ports/security/openssl
> /usr/home/andrew/openssl-0.9.8i/apps/openssl
> /usr/home/andrew/openssl-0.9.8i/include/openssl

You have MANY installations of OpenSSL; as a helpful observation, you
might want to clear those up as you'll have applications that could be
running against outdated versions of OpenSSL, and causing problems like
the one you're seeing with Bind.

> ns1# /usr/local/bin/openssl version
> OpenSSL 0.9.8i 15 Sep 2008
> ns1# /usr/bin/openssl version
> OpenSSL 0.9.8i 15 Sep 2008
>
> and my configure statement is:
>
> ./configure --prefix=/usr --sysconfdir=/etc/namedb --mandir=/usr/share/man
> --localstatedir=/var --disable-threads --with-openssl=/usr/local/openssl

This is not an accurate/fair test. You're pointing Bind to the OpenSSL
installed under /usr/local/openssl, but you're running the version check
on the OpenSSL installed in /usr/local and /usr.

What do you get when you run "/usr/local/openssl/bin/openssl version"
(which is the OpenSSL executable you're pointing Bind to.)

You could also try to change --with-openssl=/usr/local/openssl to
--with-openssl=/usr or --with-openssl=/usr/local (remember to
"make distclean" between configure command-line changes.)

Regards,
Andy

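The check described in the message above, as an added example that is not part of the original post: for each candidate --with-openssl prefix it reports the version in the headers under that prefix next to the version of the binary under the same prefix. It assumes the conventional layout PREFIX/include/openssl/opensslv.h and PREFIX/bin/openssl; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit OpenSSL prefixes before passing one to --with-openssl.
# Assumption: a usable prefix holds include/openssl/opensslv.h and bin/openssl.

# Version string from the headers under PREFIX (what a build compiles
# against), or "none" when the header is absent.
header_version() {
    hdr="$1/include/openssl/opensslv.h"
    [ -f "$hdr" ] || { echo none; return 0; }
    # The header may define the text twice (FIPS and non-FIPS); take the non-FIPS one.
    v=$(sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"\(.*\)".*/\1/p' "$hdr" \
        | grep -v -i fips | head -n 1)
    echo "${v:-none}"
}

# Version reported by PREFIX/bin/openssl, or "none" when there is no binary.
binary_version() {
    bin="$1/bin/openssl"
    [ -x "$bin" ] || { echo none; return 0; }
    "$bin" version 2>/dev/null || echo none
}

# One line per prefix. NO-HEADERS: nothing to compile against there.
# MISMATCH: the binary you tested is not the library you would build with.
audit_prefix() {
    h=$(header_version "$1"); b=$(binary_version "$1")
    if [ "$h" = none ]; then s=NO-HEADERS
    elif [ "$h" = "$b" ]; then s=OK
    else s=MISMATCH; fi
    printf '%s\t%s\theaders=[%s]\tbinary=[%s]\n' "$s" "$1" "$h" "$b"
}

# Constructed sample tree (not the poster's machine): a consistent prefix,
# one with stale headers beside a new binary, and an empty directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/openssl"
    for p in usr usr/local; do
        mkdir -p "$root/$p/include/openssl" "$root/$p/bin"
        printf '#!/bin/sh\necho "OpenSSL 0.9.8i 15 Sep 2008"\n' > "$root/$p/bin/openssl"
        chmod +x "$root/$p/bin/openssl"
    done
    printf '#define OPENSSL_VERSION_TEXT "%s"\n' "OpenSSL 0.9.8i 15 Sep 2008" \
        > "$root/usr/include/openssl/opensslv.h"
    printf '#define OPENSSL_VERSION_TEXT "%s"\n' "OpenSSL 0.9.7e 25 Oct 2004" \
        > "$root/usr/local/include/openssl/opensslv.h"
    echo "$root"
}

root=$(make_sample_tree)
for p in usr usr/local usr/local/openssl; do audit_prefix "$root/$p"; done
rm -rf "$root"
```

On a real host, call audit_prefix on each directory you are considering for --with-openssl before running configure.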
Re: openssl alert when 9.8i installed?
> Exactly what operating system are you running under?

sorry...freebsd 7

> I have seen these types of problems with MacOS X and have described on
> the BIND-USERS list as to how to get around this issue. If you are
> running MacOS X, then I have an answer, but without knowing what you
> are running ...
>
> Bill Larson
>
> On Jan 3, 2009, at 11:14 AM, aklist wrote:
>
>>>> Hi All:
>>>>
>>>> I downloaded 9.6.0 and ran ./configure --with-openssl and received
>>>> the warning that I should have 9.8d or better installed. I went
>>>> ahead and updated to 9.8i and confirmed that it was running, but
>>>> when I run configure I still get the error?
>>>
>>> Maybe you have multiple versions of OpenSSL installed. Look at the
>>> configure output to see which one it was using.
>>>
>>> You can use --with-openssl=/path/to/openssl if needed.
>>
>> I'm really confused...I tried to install openssl 9.8i a couple of
>> times, but when I specify the path in the configure statement to what
>> I think is the 9.8i version, I still get the version warning. If I
>> search for openssl I see:
>>
>> ns1# find / -name 'openssl' -print
>> /usr/bin/openssl
>> /usr/include/openssl
>> /usr/local/bin/openssl
>> /usr/local/include/openssl
>> /usr/local/include/openssl.old/openssl
>> /usr/local/share/doc/openssl
>> /usr/local/openssl
>> /usr/local/ssl/bin/openssl
>> /usr/local/ssl/include/openssl
>> /usr/share/openssl
>> /usr/src/crypto/openssl
>> /usr/src/secure/usr.bin/openssl
>> /usr/ports/security/openssl
>> /usr/home/andrew/openssl-0.9.8i/apps/openssl
>> /usr/home/andrew/openssl-0.9.8i/include/openssl
>>
>> ns1# /usr/local/bin/openssl version
>> OpenSSL 0.9.8i 15 Sep 2008
>> ns1# /usr/bin/openssl version
>> OpenSSL 0.9.8i 15 Sep 2008
>>
>> and my configure statement is:
>>
>> ./configure --prefix=/usr --sysconfdir=/etc/namedb --mandir=/usr/share/man
>> --localstatedir=/var --disable-threads --with-openssl=/usr/local/openssl

Magic for NSEC3
Hi all,

Hopefully this post won't cause as much SPAM as my last one. About a
year ago I started looking into DNSSEC and how to work with it for
dynamic updates etc. Since only NSEC was supported, allowing whomever
to do an unauthorized zone-transfer I canceled my projects later
finding out that NSEC3 would stop the behavior.

With the release of BIND 9.6 my understanding is that NSEC3 is now
supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
clueless as whether there's any magic sauce to get NSEC3 records vs.
NSEC.

If anyone has a pointer that would be of help, I've tried using
NSEC3RSASHA1 keys without success of getting NSEC3 records.

Thx

/Jonathan

Re: openssl alert when 9.8i installed?
Exactly what operating system are you running under?

I have seen these types of problems with MacOS X and have described on
the BIND-USERS list as to how to get around this issue. If you are
running MacOS X, then I have an answer, but without knowing what you
are running ...

Bill Larson

On Jan 3, 2009, at 11:14 AM, aklist wrote:

>>> Hi All:
>>>
>>> I downloaded 9.6.0 and ran ./configure --with-openssl and received
>>> the warning that I should have 9.8d or better installed. I went
>>> ahead and updated to 9.8i and confirmed that it was running, but
>>> when I run configure I still get the error?
>>
>> Maybe you have multiple versions of OpenSSL installed. Look at the
>> configure output to see which one it was using.
>>
>> You can use --with-openssl=/path/to/openssl if needed.
>
> I'm really confused...I tried to install openssl 9.8i a couple of
> times, but when I specify the path in the configure statement to what
> I think is the 9.8i version, I still get the version warning. If I
> search for openssl I see:
>
> ns1# find / -name 'openssl' -print
> /usr/bin/openssl
> /usr/include/openssl
> /usr/local/bin/openssl
> /usr/local/include/openssl
> /usr/local/include/openssl.old/openssl
> /usr/local/share/doc/openssl
> /usr/local/openssl
> /usr/local/ssl/bin/openssl
> /usr/local/ssl/include/openssl
> /usr/share/openssl
> /usr/src/crypto/openssl
> /usr/src/secure/usr.bin/openssl
> /usr/ports/security/openssl
> /usr/home/andrew/openssl-0.9.8i/apps/openssl
> /usr/home/andrew/openssl-0.9.8i/include/openssl
>
> ns1# /usr/local/bin/openssl version
> OpenSSL 0.9.8i 15 Sep 2008
> ns1# /usr/bin/openssl version
> OpenSSL 0.9.8i 15 Sep 2008
>
> and my configure statement is:
>
> ./configure --prefix=/usr --sysconfdir=/etc/namedb --mandir=/usr/share/man
> --localstatedir=/var --disable-threads --with-openssl=/usr/local/openssl

Re: statistics-channels No such URL
On Sat, 3 Jan 2009, Jonathan Petersson wrote:

> So I did find the reason:
> Jan 3 09:45:04 localhost named[5038]: statistics-channels specified
> but not effective due to missing XML library
>
> anything besides:
> [r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
> libxml2-2.7.2-2.fc10.i386
> libxml2-devel-2.7.2-2.fc10.i386
>
> That's needed? Bind is compiled from source with --with-libxml2
> --enable-threads

Make sure you are running the same named that you built.

Your HAVE_LIBXML2 is not defined. See your config.h for HAVE_LIBXML2.
Look at the xml related logs in your config.log to show what happened.

Re: openssl alert when 9.8i installed?
>> Hi All:
>>
>> I downloaded 9.6.0 and ran ./configure --with-openssl and received
>> the warning that I should have 9.8d or better installed. I went
>> ahead and updated to 9.8i and confirmed that it was running, but
>> when I run configure I still get the error?
>
> Maybe you have multiple versions of OpenSSL installed. Look at the
> configure output to see which one it was using.
>
> You can use --with-openssl=/path/to/openssl if needed.

I'm really confused...I tried to install openssl 9.8i a couple of
times, but when I specify the path in the configure statement to what
I think is the 9.8i version, I still get the version warning. If I
search for openssl I see:

ns1# find / -name 'openssl' -print
/usr/bin/openssl
/usr/include/openssl
/usr/local/bin/openssl
/usr/local/include/openssl
/usr/local/include/openssl.old/openssl
/usr/local/share/doc/openssl
/usr/local/openssl
/usr/local/ssl/bin/openssl
/usr/local/ssl/include/openssl
/usr/share/openssl
/usr/src/crypto/openssl
/usr/src/secure/usr.bin/openssl
/usr/ports/security/openssl
/usr/home/andrew/openssl-0.9.8i/apps/openssl
/usr/home/andrew/openssl-0.9.8i/include/openssl

ns1# /usr/local/bin/openssl version
OpenSSL 0.9.8i 15 Sep 2008
ns1# /usr/bin/openssl version
OpenSSL 0.9.8i 15 Sep 2008

and my configure statement is:

./configure --prefix=/usr --sysconfdir=/etc/namedb --mandir=/usr/share/man
--localstatedir=/var --disable-threads --with-openssl=/usr/local/openssl

Re: statistics-channels No such URL
Sorry for all the spamming, I forgot doing a distclean between the
builds, it's working now.

/Jonathan

On Sat, Jan 3, 2009 at 9:51 AM, Jonathan Petersson wrote:
> Also:
> [r...@localhost bind-9.6.0]# ./configure --with-libxml2 --enable-pthread
> .
> checking for libxml2 library... yes
> .
> config.status: executing chmod commands
> [r...@localhost bind-9.6.0]#
>
>
> On Sat, Jan 3, 2009 at 9:46 AM, Jonathan Petersson wrote:
>> So I did find the reason:
>> Jan 3 09:45:04 localhost named[5038]: statistics-channels specified
>> but not effective due to missing XML library
>>
>> anything besides:
>> [r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
>> libxml2-2.7.2-2.fc10.i386
>> libxml2-devel-2.7.2-2.fc10.i386
>>
>> That's needed? Bind is compiled from source with --with-libxml2
>> --enable-threads
>>
>> Thanks
>>
>> /Jonathan
>>
>> On Sat, Jan 3, 2009 at 9:41 AM, Jonathan Petersson wrote:
>>> Hi everyone,
>>>
>>> Could someone give me a quick pointer what to look for if I get "No
>>> such URL" when trying to access the statistics web-site.
>>>
>>> Thx
>>>
>>> /Jonathan

Re: statistics-channels No such URL
Also:

[r...@localhost bind-9.6.0]# ./configure --with-libxml2 --enable-pthread
.
checking for libxml2 library... yes
.
config.status: executing chmod commands
[r...@localhost bind-9.6.0]#

On Sat, Jan 3, 2009 at 9:46 AM, Jonathan Petersson wrote:
> So I did find the reason:
> Jan 3 09:45:04 localhost named[5038]: statistics-channels specified
> but not effective due to missing XML library
>
> anything besides:
> [r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
> libxml2-2.7.2-2.fc10.i386
> libxml2-devel-2.7.2-2.fc10.i386
>
> That's needed? Bind is compiled from source with --with-libxml2
> --enable-threads
>
> Thanks
>
> /Jonathan
>
> On Sat, Jan 3, 2009 at 9:41 AM, Jonathan Petersson wrote:
>> Hi everyone,
>>
>> Could someone give me a quick pointer what to look for if I get "No
>> such URL" when trying to access the statistics web-site.
>>
>> Thx
>>
>> /Jonathan

Re: statistics-channels No such URL
So I did find the reason:

Jan 3 09:45:04 localhost named[5038]: statistics-channels specified
but not effective due to missing XML library

anything besides:

[r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
libxml2-2.7.2-2.fc10.i386
libxml2-devel-2.7.2-2.fc10.i386

That's needed? Bind is compiled from source with --with-libxml2
--enable-threads

Thanks

/Jonathan

On Sat, Jan 3, 2009 at 9:41 AM, Jonathan Petersson wrote:
> Hi everyone,
>
> Could someone give me a quick pointer what to look for if I get "No
> such URL" when trying to access the statistics web-site.
>
> Thx
>
> /Jonathan

statistics-channels No such URL
Hi everyone,

Could someone give me a quick pointer what to look for if I get "No
such URL" when trying to access the statistics web-site.

Thx

/Jonathan

Re: installing 9.6 on freebsd7 configure problems
Did you install FreeBSD with named ? probably it's the reason why > you can't start. try do something like : find / -name 'named' -print probably you'll see /sbin/named <- bind from FreeBSD /usr/sbin/named <- bind 9.6 ugh...it looks like something's badly hosed...my symlinks are a mess: /namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/namedb/var/run/named what is the best way to remove everything and just start over? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: openssl alert when 9.8i installed?
>> Hi All:
>>
>> I downloaded 9.6.0 and ran ./configure --with-openssl and received
>> the warning that I should have 9.8d or better installed. I went
>> ahead and updated to 9.8i and confirmed that it was running, but
>> when I run configure I still get the error?
>
> Maybe you have multiple versions of OpenSSL installed. Look at the
> configure output to see which one it was using.
>
> You can use --with-openssl=/path/to/openssl if needed.

Thanks Jeremy: When you say "look at the output" is that captured
anywhere by default? Do I need to capture the output to a text file
when running ./configure? I watched it racing past in my terminal
window but couldn't follow it.

Re: installing 9.6 on freebsd7 configure problems
>> Hi:
>>
>> I'm trying to install BIND 9.6.0 from source but am having problems
>> with the configure statement. I tried:
>>
>> ./configure --prefix=/usr --sysconfdir=/etc/namedb --mandir=/usr/share/man \
>> --localstatedir=/var --disable-threads --with-openssl=/usr
>>
>> followed by "make && make install" and 9.6 was installed, but when I
>> try to start it I receive an error
>>
>> Jan 2 15:57:48 ns1 named[1096]: starting BIND 9.6.0 -t /var/named -u bind
>> Jan 2 15:57:48 ns1 named[1096]: built with '--with-openssl'
>
> Make sure you are running the correct named binary. (Notice your
> "built with" is incomplete.)

Thanks Jeremy: I noticed that but was not sure what it meant...does
that mean the path to openssl was incorrect in my configure?

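Both this thread and the statistics-channels thread turn on the same question: is the named that started the one that was just configured and built? An added example (not from the original posts) that compares the "built with" line named logs at startup against the configure arguments you intended, and checks a build tree's config.h for a feature macro such as HAVE_LIBXML2. The function names are hypothetical, the log lines are the two quoted above, and the config.h content is constructed.

```shell
#!/bin/sh
# Added example: confirm the named that started is the one you configured.

# Read syslog lines on stdin; print the text after the last "built with".
built_with() {
    sed -n 's/.*named\[[0-9]*\]: built with //p' | tail -n 1
}

# $1 = built-with text, remaining args = flags you passed to ./configure.
# Prints each intended flag that the running binary was NOT built with.
# Assumption: flags appear in the log either bare or in single quotes.
missing_flags() {
    have=$1; shift
    for f in "$@"; do
        case " $have " in
            *" '$f' "*|*" $f "*) ;;
            *) echo "$f" ;;
        esac
    done
}

# $1 = path to config.h, $2 = macro. Succeeds only for an active #define;
# autoconf leaves "/* #undef MACRO */" when the feature was not found.
feature_defined() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# Sample input: the two log lines quoted in the thread.
SAMPLE_LOG="Jan 2 15:57:48 ns1 named[1096]: starting BIND 9.6.0 -t /var/named -u bind
Jan 2 15:57:48 ns1 named[1096]: built with '--with-openssl'"
# The arguments of the configure run quoted in the thread.
WANTED="--prefix=/usr --sysconfdir=/etc/namedb --mandir=/usr/share/man
--localstatedir=/var --disable-threads --with-openssl=/usr"

bw=$(printf '%s\n' "$SAMPLE_LOG" | built_with)
echo "running binary was built with: $bw"
# Word splitting of $WANTED is intended: one argument per flag.
missing_flags "$bw" $WANTED | sed 's/^/not in running binary: /'

# Constructed config.h fragment showing the "not found" state.
cfg=$(mktemp)
printf '/* #undef HAVE_LIBXML2 */\n' > "$cfg"
if feature_defined "$cfg" HAVE_LIBXML2; then
    echo "HAVE_LIBXML2 defined: XML statistics compiled in"
else
    echo "HAVE_LIBXML2 not defined: statistics-channels will not be effective"
fi
rm -f "$cfg"
```

Any flag reported as missing means the process in the log came from a different build than the one you just ran, which is the situation both replies point at.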
Re: installing 9.6 on freebsd7 configure problems
Hi,

Did you install FreeBSD with named ? probably it's the reason why you
can't start.

try do something like :

find / -name 'named' -print

probably you'll see

/sbin/named <- bind from FreeBSD
/usr/sbin/named <- bind 9.6

Best regards,
Shamrock