Re: Complete DNS fake root setup example
On 2016.01.20 12.12, MURTARI, JOHN wrote:
> Folks,
>
> Had to do some testing where we wanted our own insulated fake root environment. We wanted to start from simulated root name servers. I was surprised I couldn’t find a complete example even after some extensive searches.
>
> The concepts are easy, but the devil is in the details. We had done this before, but no one ever kept notes so I figured by posting it on the list it will eventually find its way into Google. Here are the setup instructions below, name & ip address have been changed to protect the innocent! Your comments/suggestions are welcome!

my suggestion would be to not use other people's domain names and ip addresses when protecting the innocent. after all, they're innocent too, and i'd imagine you wouldn't want them using your domain name in their examples ;) . various rfcs [6761, 3330, others] provide for these needs.

-ben

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Complete DNS fake root setup example
--- Original msg
On Wed, Jan 20, 2016 at 05:12:44PM +, MURTARI, JOHN wrote:
> Folks,
> Had to do some testing where we wanted our own insulated fake root environment. We wanted to start from simulated root name servers. I was surprised I couldn't find a complete example even after some extensive searches.
>
> The concepts are easy, but the devil is in the details. We had done this before, but no one ever kept notes so I figured by posting it on the list it will eventually find its way into Google. Here are the setup instructions below, name & ip address have been changed to protect the innocent! Your comments/suggestions are welcome!

The key parts are the root hints and the trust anchors. You can see several such fake root configurations in the BIND 9 system tests (look in bin/tests/system), e.g., the resolver system test.

Mukund
--- Original msg

Thanks for that. I took a look in the distribution at the directories you mentioned. There is very little explanatory text. Not so sure someone would find it useful in setting up their own fake root and a delegation path.

John
Re: Complete DNS fake root setup example
On Wed, Jan 20, 2016 at 12:12 PM, MURTARI, JOHN wrote:
> Folks,
>
> Had to do some testing where we wanted our own insulated fake root environment. We wanted to start from simulated root name servers. I was surprised I couldn’t find a complete example even after some extensive searches.
>
> The concepts are easy, but the devil is in the details. We had done this before, but no one ever kept notes so I figured by posting it on the list it will eventually find its way into Google. Here are the setup instructions below, name & ip address have been changed to protect the innocent! Your comments/suggestions are welcome!

Not a bad idea. Some comments:

/etc/resolv.conf should point to a recursive resolver, not a non-recursive authoritative server.

Hosts 6, 7, 12, and 13 should all be non-recursive authoritative servers. There should be a separate resolver.

Looks like the contents of "db.bongo.com" were not fully anonymized.

--
Bob Harold
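Two replies above raise the same point: use the names and addresses that RFCs reserve for examples, and check that zone files such as db.bongo.com are fully anonymized before posting. The script below is an added example, not part of any poster's message or of BIND; it scans zone-file text for names and addresses outside the reserved sets. The function names and the sample zone are constructed for illustration, and the address list includes RFC 5737 and RFC 3849 blocks, which the thread does not name explicitly.

```python
import ipaddress
import re

# Names reserved for documentation and testing (RFC 2606, RFC 6761).
RESERVED_NAMES = ("example", "example.com", "example.net", "example.org",
                  "test", "invalid", "localhost")
# Documentation address blocks (RFC 3330 TEST-NET, RFC 5737, RFC 3849).
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]
# A dotted host name: one or more labels, then a label starting with a letter.
NAME_RE = re.compile(r"(?:[a-z0-9_-]+\.)+[a-z][a-z0-9-]*\.?")

# Constructed sample zone; bongo.com is the placeholder name the thread mentions.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@    3600 IN SOA  ns1.example.com. hostmaster.example.com. ( 2016012001 3600 600 86400 300 )
@    3600 IN NS   ns1.example.com.
ns1  3600 IN A    192.0.2.6
www  3600 IN A    10.20.30.40     ; constructed leftover lab address
@    3600 IN MX   10 mx.bongo.com.
v6   3600 IN AAAA 2001:db8::53
"""

def is_reserved_name(name):
    return any(name == r or name.endswith("." + r) for r in RESERVED_NAMES)

def is_doc_address(addr):
    return any(addr.version == net.version and addr in net for net in DOC_NETS)

def audit(text):
    """Return sorted (kind, value) pairs that are not reserved for documentation."""
    findings = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0]            # drop zone-file comments
        for tok in line.split():
            tok = tok.strip('"(){},').lower()
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:
                addr = None                     # not an address literal
            if addr is not None:
                if not is_doc_address(addr):
                    findings.add(("address", tok))
            elif NAME_RE.fullmatch(tok) and not is_reserved_name(tok.rstrip(".")):
                findings.add(("name", tok.rstrip(".")))
    return sorted(findings)

if __name__ == "__main__":
    for kind, value in audit(SAMPLE_ZONE):
        print(f"not reserved for documentation: {kind} {value}")
```

Relative owner names (such as `www`) are not checked on their own; only fully written names and address literals are, so a `$ORIGIN` outside the reserved set is what exposes a leftover zone name.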
Re: Complete DNS fake root setup example
Hi John

On Wed, Jan 20, 2016 at 05:12:44PM +, MURTARI, JOHN wrote:
> Folks,
> Had to do some testing where we wanted our own insulated fake root environment. We wanted to start from simulated root name servers. I was surprised I couldn't find a complete example even after some extensive searches.
>
> The concepts are easy, but the devil is in the details. We had done this before, but no one ever kept notes so I figured by posting it on the list it will eventually find its way into Google. Here are the setup instructions below, name & ip address have been changed to protect the innocent! Your comments/suggestions are welcome!

The key parts are the root hints and the trust anchors. You can see several such fake root configurations in the BIND 9 system tests (look in bin/tests/system), e.g., the resolver system test.

Mukund