BIND 9.16.30 - $INCLUDE file in the rpz zone file not reloading content and dig not working

2023-03-16 Thread Nagesh Thati
Hi Team,
I have configured named with rpz.
options section has:

response-policy {zone "rpz.local";} qname-wait-recurse no;

Zone section in named.conf:

zone "rpz.local" {type master; file "/var/named/zones/masters/db.rpz.local";};

Zone file content:

> cat db.rpz.local
;; rpz.local
$TTL 2h ; default TTL
$ORIGIN rpz.local.
@ SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h
; name server is never accessed but out-of-zone
  NS nonexistant.nodomain.none.
$INCLUDE /var/named/zones/masters/rpz.local.data

Include file content:

> cat rpz.local.data
nagesh1.com  A 1.2.3.4
nagesh2.com  A 2.3.4.5

When named is restarted using systemctl, the above rpz rules work fine, but when I add a new rule nagesh3.com  A 3.4.5.6 manually in the include file and run "rndc reconfig" and "rndc reload", named does not pick up the updated include file and the nagesh3.com rpz rule does not work.

Can someone please help me with named reloading from the updated include
file without restarting the named service.

Thanks
Nagesh.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
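The reload question above, as an added example that is not part of the thread or of BIND: a shell check that flattens the RPZ zone by following $INCLUDE, confirms the new trigger is present in the flattened zone, and flags include files that are newer than the zone file. named decides whether rndc reload re-reads a zone from the zone file's own modification time (logging "skipping load: master file older than last load" when it is not newer) and does not look at the includes, so an edit confined to the include file also needs the zone file itself rewritten before the reload. Relative $INCLUDE paths are assumed to resolve against named's directory option (the thread's paths are absolute); the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from BIND. Flattens an RPZ zone file by
# following $INCLUDE, checks that a trigger is present, and lists include files
# that are newer than the zone file. named decides whether "rndc reload" re-reads
# a zone from the zone file's own mtime ("skipping load: master file older than
# last load"); the mtimes of $INCLUDEd files are not consulted.

# Print the zone with each $INCLUDE line replaced by the included file.
# $1 = zone file; $2 = directory for relative include paths (assumed to be
# named's "directory" option; defaults to the zone file's own directory).
flatten_zone() {
    base=${2:-$(dirname "$1")}
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '$INCLUDE'*)
                inc=$(printf '%s\n' "$line" | awk '{ gsub(/"/, "", $2); print $2 }')
                case $inc in /*) ;; *) inc="$base/$inc" ;; esac
                flatten_zone "$inc" "$base"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Return 0 if owner $2 (e.g. nagesh3.com) has a record in the zone or its
# includes, 1 otherwise. The owner is matched with or without a trailing dot;
# $ORIGIN is not applied, which suits RPZ triggers written as bare names.
has_rule() {
    flatten_zone "$1" | awk -v owner="$2" '
        $1 == owner || $1 == (owner ".") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print each $INCLUDE target whose mtime is newer than the zone file's. Any
# output means the last edit touched only an include: rewrite the zone file
# (bump the SOA serial) before "rndc reload" so named sees a changed file.
stale_includes() {
    base=${2:-$(dirname "$1")}
    awk '$1 == "$INCLUDE" { gsub(/"/, "", $2); print $2 }' "$1" |
    while IFS= read -r inc; do
        case $inc in /*) ;; *) inc="$base/$inc" ;; esac
        if [ "$inc" -nt "$1" ]; then printf '%s\n' "$inc"; fi
    done
}

# Constructed sample mirroring the thread (not the poster's real files): the
# include gets nagesh3.com appended after the zone file was last written.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/db.rpz.local" <<'EOF'
$TTL 2h
$ORIGIN rpz.local.
@ SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h
  NS nonexistant.nodomain.none.
$INCLUDE rpz.local.data
EOF
    printf 'nagesh1.com  A 1.2.3.4\nnagesh2.com  A 2.3.4.5\n' > "$dir/rpz.local.data"
    touch -t 202301010000 "$dir/db.rpz.local"   # zone file as named last loaded it
    printf 'nagesh3.com  A 3.4.5.6\n' >> "$dir/rpz.local.data"   # new rule added by hand
    printf '%s\n' "$dir"
}

d=$(make_sample)
has_rule "$d/db.rpz.local" nagesh3.com && echo "nagesh3.com is present in the flattened zone"
stale_includes "$d/db.rpz.local" | sed 's/^/newer than the zone file: /'
```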


Re: BIND 9.16.30 - $INCLUDE file in the rpz zone file not reloading content and dig not working

2023-03-16 Thread Nagesh Thati
Thanks for the reply Fred Morris,
Yes, even after incrementing the serial number and running reconfig and reload, it is still not picking up the include file data.


On Fri, Mar 17, 2023 at 2:45 AM Fred Morris  wrote:

> Hello
>
> On Thu, 16 Mar 2023, Nagesh Thati wrote:
> > [...]
> > When named is restarted using systemctl above rpz rules are working fine,
> > but when I add a new rule *nagesh3.com <http://nagesh3.com> A 3.4.5.6
> > * manually in
> > the include file and run "rndc reconfig and rndc reload", named is not
> > picking up the updated include file and *nagesh3.com <http://nagesh3.com>*
> rpz
> > rule is not working.
>
> Are you incrementing the SOA serial number?
>
> --
>
> Fred Morris, internet plumber


Re: BIND 9.16.30 - $INCLUDE file in the rpz zone file not reloading content and dig not working

2023-03-17 Thread Nagesh Thati
Hi,
I tried the syntax, but it didn't work.
Thanks.

On Fri, Mar 17, 2023 at 11:41 AM Sachchidanand Upadhyay 
wrote:

> Hi,
>
>   Have you checked the syntax?
>
>   try this:
>
> $INCLUDE "/var/named/zones/masters/rpz.local.data";
>
> Regards,
> Sachchidanand
>


Re: BIND 9.16.30 - $INCLUDE file in the rpz zone file not reloading content and dig not working

2023-03-19 Thread Nagesh Thati
Hi,
I am still not able to get named to reload the updated $INCLUDE file content. Any help would be appreciated.
Thanks.



Secure Active Directory Updates Failing on AlmaLinux 9 with ISC BIND 9.18.28

2024-08-06 Thread Nagesh Thati
Hello BIND Users,

Issue Description:
I'm experiencing an issue with secure Active Directory (AD) updates on an
AlmaLinux 9 system using ISC BIND. Despite following the necessary
configurations, I'm receiving error messages indicating that the requests
from the AD server are not signed and encountering GSSAPI-related errors.
Notably, the exact build and configurations are working without any issues
on CentOS 7.

Environment:
- OS: AlmaLinux 9 (using DEFAULT policy for system-wide crypto policies)
- BIND version: 9.18.28
- Active Directory: Windows Server [2016]

Problem:
AD updates are being denied. The BIND logs indicate that the requests are
not signed and show GSSAPI errors related to unavailable credentials and
missing files.

Troubleshooting Steps Taken:
We tried legacy crypto policy, but it did not work.

Questions:
1. What could be causing BIND to reject the AD updates as unsigned, given
that the same configuration works on CentOS 7?
2. How can I resolve the GSSAPI errors regarding unavailable credentials
and missing files?
3. Are there any AlmaLinux 9-specific configurations or steps required to
ensure secure AD updates with BIND?
4. Are there any known issues or incompatibilities between ISC BIND and
AlmaLinux 9 that could be causing this problem?

Additional Information:
- The same configuration is working correctly on CentOS 7 without any
issues.
- AlmaLinux 9 is using the DEFAULT policy for system-wide crypto policies.

Current Setup:
# named -V
BIND 9.18.28 (Extended Support Version) 
running on Linux x86_64 5.14.0-427.18.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC
Tue May 28 06:27:02 EDT 2024
built by make with  '--prefix=/opt/mydir/' '--enable-dependency-tracking'
'--enable-dnstap' '--enable-singletrace' '--enable-querytrace'
'--disable-auto-validation' '--enable-dnsrps-dl' '--enable-dnsrps'
'--enable-full-report' '--with-tuning=large' '--enable-fixed-rrset'
'--with-libidn2' '--with-lmdb' '--with-json-c' '--with-jemalloc=detect'
'--with-maxminddb=yes' '--enable-largefile'
compiled by GCC 11.4.1 20231218 (Red Hat 11.4.1-3)
compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
compiled with libuv version: 1.42.0
linked to libuv version: 1.42.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256
ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384
HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes

default paths:
  named configuration:  /opt/mydir/etc/named.conf
  rndc configuration:   /opt/mydir/etc/rndc.conf
  DNSSEC root key:  /opt/mydir/etc/bind.keys
  nsupdate session key: /opt/mydir/var/run/named/session.key
  named PID file:   /opt/mydir/var/run/named/named.pid
  named lock file:  /opt/mydir/var/run/named/named.lock
  geoip-directory:  /usr/share/GeoIP


named.conf Snippet:
options {
directory "/";
allow-query {any;};
allow-transfer {none;};
blackhole {none;};
dnssec-validation yes;
listen-on-v6 {none;};
rrset-order {
order cyclic;
};
dump-file "/var/named/log/named_dump.db";
lame-ttl 0;
max-ncache-ttl 10800;
minimal-responses yes;
pid-file "/var/run/named/named.pid";
recursion no;
session-keyfile "/var/run/named/session.key";
statistics-file "/var/named/log/named.stats";
tcp-clients 150;
tkey-gssapi-keytab "/etc/krb5.keytab";
};

Zone Section in named.conf:
zone "_msdcs.example.com" IN {
type master;
file "/var/named/zones/masters/db._msdcs.example.com";
update-policy { grant * subdomain _msdcs.example.com. ANY; };
};
zone "_sites.example.com" IN {
type master;
file "/var/named/zones/masters/db._sites.example.com";
update-policy { grant * subdomain _sites.example.com. ANY; };
};
zone "_tcp.example.com" IN {
type master;
file "/var/named/zones/masters/db._tcp.example.com";
update-policy { grant * subdomain _tcp.example.com. ANY; };
};

krb5.conf:
# cat krb5.conf

[libdefaults]

default_realm = EXAMPLE.COM
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 30d
default_keytab_name = FILE:/etc/krb5.keytab

[realms]
EXAMPLE.COM = {
kdc = example.com:88
default_domain = example.com
}


[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Specific Error Messages:
*nam

Re: Secure Active Directory Updates Failing on AlmaLinux 9 with ISC BIND 9.18.28

2024-08-08 Thread Nagesh Thati
Hello Guys,
Any help is much appreciated.
Thanks
Nagesh


Re: Secure Active Directory Updates Failing on AlmaLinux 9 with ISC BIND 9.18.28

2024-08-20 Thread Nagesh Thati
ter.example.com", params ""
[597869] 1724136610.500929: Produced preauth for next request: (empty)
[597869] 1724136610.500930: AS key determined by preauth: aes256-cts/7523
[597869] 1724136610.500931: Decrypted AS reply; session key is: aes256-cts/9EA3
[597869] 1724136610.500932: FAST negotiation: unavailable
[597869] 1724136610.500933: Resolving unique ccache of type MEMORY
[597869] 1724136610.500934: Initializing MEMORY:ii4Cyzt with default princ DNS/example-master.example@example.com
[597869] 1724136610.500935: Storing config in MEMORY:ii4Cyzt for krbtgt/example@example.com: pa_type: 2
[597869] 1724136610.500936: Storing DNS/example-master.example@example.com -> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in MEMORY:ii4Cyzt
[597869] 1724136610.500937: Storing DNS/example-master.example@example.com -> krbtgt/example@example.com in MEMORY:ii4Cy


Thanks,
Nagesh

On Thu, Aug 8, 2024 at 6:20 PM Petr Špaček  wrote:

> Hello,
>
> my first bet is missing tkey-gssapi-credential configuration statement
> [1], followed by:
> - or incorrect content of keytab,
> - some file permission problem related to /etc/krb5.keytab, or /var/tmp,
> or /tmp,
> - It's Red Hat so a SELinux denial might be a problem as well.
>
> KRB5_TRACE environment variable might help with debugging, see "man
> kerberos" and also check other environment variables and config files
> listed there.
>
> Given that you have a working system I suggest you compare all of the
> above to find out what's the difference.
>
> [1]
>
> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tkey-gssapi-keytab
>
> Petr Špaček
> Internet Systems Consortium
>

Re: Secure Active Directory Updates Failing on AlmaLinux 9 with ISC BIND 9.18.28

2024-09-05 Thread Nagesh Thati
Thank you all for your assistance.
The issue has finally been resolved. It turns out I was running BIND in a
chroot jail, and the /var/tmp folder was missing within the chroot
environment. This was the cause of the AD update denials.

On Tue, Aug 20, 2024 at 3:27 PM Petr Špaček  wrote:

> Hi Nagesh,
>
> it's unclear what exactly is the log about. Is that first start of the
> server? (I guess so.) Or the client's attempt?
>
> You have mentioned that you have two systems, one working and other one
> failing. I suggest you gather logs from both and compare them line by
> line to find the difference.
>
> Petr Špaček
> Internet Systems Consortium
>
>
> On 20. 08. 24 11:18, Nagesh Thati wrote:
> > Hi,
> > We have checked all the files related to krb and the keytab; all files and
> > their permissions are good. But updates are still getting denied. I am
> > attaching the KRB5_TRACE output as well, please check and let me know.
> > The tkey-gssapi-credential option is also specified in named.conf, but
> > updates are still denied.
> >
> > KRB5_TRACE Output:
> > [597869] 1724136604.999060: Getting initial credentials for DNS/example-master.example@example.com
> > [597869] 1724136605.002377: Sending unauthenticated request
> > [597869] 1724136605.002378: Sending request (194 bytes) to EXAMPLE.COM
> > [597869] 1724136605.002379: Resolving hostname example.com
> > [597869] 1724136605.002380: Sending initial UDP request to dgram 10.1.8.171:88
> > [597869] 1724136605.002381: Received answer (205 bytes) from dgram 10.1.8.171:88
> > [597869] 1724136605.002382: Sending DNS URI query for _kerberos.EXAMPLE.COM.
> > [597869] 1724136605.002383: No URI records found
> > [597869] 1724136605.002384: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.
> > [597869] 1724136605.002385: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.
> > [597869] 1724136605.002386: No SRV records found
> > [597869] 1724136605.002387: Response was not from primary KDC
> > [597869] 1724136605.002388: Received error from KDC: -1765328359/Additional pre-authentication required
> > [597869] 1724136605.002391: Preauthenticating using KDC method data
> > [597869] 1724136605.002392: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
> > [597869] 1724136605.002393: Selected etype info: etype aes256-cts, salt "EXAMPLE.COMDNSexample-master.example.com", params ""
> > [597869] 1724136605.002394: PKINIT client has no configured identity; giving up
> > [597869] 1724136605.002395: Preauth module pkinit (16) (real) returned: -1765328174/No pkinit_anchors supplied
> > [597869] 1724136610.500899: AS key obtained for encrypted timestamp: aes256-cts/7523
> > [597869] 1724136610.500901: Encrypted timestamp (for 1724136611.194769): plain 301AA011180F32303234303832303036353031315AA105020302F8D1, encrypted 8D719F980037E7626CE2B7B1C8B82E56AD5866596D5041C925C85D032BDA06F6102F5E50952B725E4DA945243897C9F92C13213B136CBBAA
> > [597869] 1724136610.500902: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> > [597869] 1724136610.500903: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
> > [597869] 1724136610.500904: Sending request (274 bytes) to EXAMPLE.COM
> > [597869] 1724136610.500905: Resolving hostname example.com
> > [597869] 1724136610.500906: Sending initial UDP request to dgram 10.1.8.171:88
> > [597869] 1724136610.500907: Received answer (94 bytes) from dgram 10.1.8.171:88
> > [597869] 1724136610.500908: Sending DNS URI query for _kerberos.EXAMPLE.COM.
> > [597869] 1724136610.500909: No URI records found
> > [597869] 1724136610.500910: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.
> > [597869] 1724136610.500911: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.
> > [597869] 1724136610.500912: No SRV records found
> > [597869] 1
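The resolution above (a /var/tmp missing inside the chroot), as an added preflight check that is not part of the thread or of BIND: it reads the keytab path from the tkey-gssapi-keytab statement, then verifies that the keytab and the /var/tmp and /tmp directories from Petr's list exist and are writable inside the jail. MIT krb5 keeps its replay cache under /var/tmp by default (KRB5RCACHEDIR or TMPDIR can move it), so a jail without that directory leaves the GSSAPI acceptor nowhere to write. The jail layout and the etc/named.conf location are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from BIND. Preflight for a chrooted
# named that accepts GSS-TSIG updates: the thread's fix was a missing /var/tmp
# inside the chroot, and Petr's list also names /tmp and the keytab. MIT krb5
# writes its replay cache under /var/tmp by default, so the GSSAPI acceptor
# fails in a jail without it. Paths are relative to the chroot root;
# "etc/named.conf" is an assumed location.

# Print the keytab path from the tkey-gssapi-keytab statement in named.conf $1.
keytab_from_conf() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Check chroot $1 using the named.conf at $1/$2. Prints one MISSING line per
# problem; the return value is the number of problems (0 = ready).
check_chroot() {
    root=$1; problems=0
    keytab=$(keytab_from_conf "$root/$2")
    if [ -z "$keytab" ]; then
        echo "MISSING: tkey-gssapi-keytab statement in $2"; problems=$((problems + 1))
    elif [ ! -r "$root$keytab" ]; then
        echo "MISSING: keytab $keytab inside $root"; problems=$((problems + 1))
    fi
    for dir in /var/tmp /tmp; do
        if [ ! -d "$root$dir" ]; then
            echo "MISSING: directory $dir inside $root"; problems=$((problems + 1))
        elif [ ! -w "$root$dir" ]; then
            echo "MISSING: write access to $dir inside $root"; problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed sample jail with the thread's layout: keytab statement present,
# placeholder keytab file, /tmp present, /var/tmp absent.
make_chroot() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/tmp"
    printf 'options {\n    tkey-gssapi-keytab "/etc/krb5.keytab";\n};\n' > "$root/etc/named.conf"
    : > "$root/etc/krb5.keytab"   # placeholder; a real keytab holds the DNS/ service keys
    printf '%s\n' "$root"
}

r=$(make_chroot)
check_chroot "$r" etc/named.conf || echo "jail not ready: $? problem(s)"
```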

Secure Active Directory updates and allow-update-forwarding issues

2021-01-19 Thread Nagesh Thati
Hi,
I am getting "update failed" on the master DNS appliance when I am using allow-update-forwarding:
updating zone '_msdcs.example.com/IN': update failed: rejected by secure update (REFUSED)

example.com is an Active Directory enabled zone which has one master and one slave. The master appliance is hidden, so Active Directory sends updates to the slave appliance using the MNAME specified in the zone SOA section.

master (10.1.10.203) named.conf:

tkey-gssapi-keytab "/etc/krb5.keytab"; -> in the options section; the keytab file is in the /etc folder

zone "_msdcs.example.com" IN {
type master;
file "/var/named/zones/masters/db._msdcs.example.com";
allow-transfer {10.1.10.144;};
also-notify {10.1.10.144;};
notify explicit;
update-policy { grant * subdomain _msdcs.example.com. ANY; };
check-names ignore;
zone-statistics yes;
};

slave (10.1.10.144) named.conf:
zone "_msdcs.example.com" IN {
type slave;
file "/var/named/zones/slaves/db._msdcs.example.com";
allow-notify {10.1.10.203;};
masters {
10.1.10.203;
};
check-names ignore;
zone-statistics yes;
allow-update-forwarding {10.1.10.158;};
};

10.1.10.158 - AD server


Re: Secure Active Directory updates and allow-update-forwarding issues

2021-01-19 Thread Nagesh Thati
Thanks Mark.

On Tue, Jan 19, 2021 at 6:15 PM Mark Andrews  wrote:

> Forwarding is designed for TSIG and works for SIG(0).  It doesn’t work for
> GSS-TSIG.
>
> --
> Mark Andrews
>


named failed to resolve forwarding queries(with global forwarders specified with "forward only") when "server section statement" has forwarder IP

2021-11-23 Thread Nagesh Thati
Hi,

I have a BIND master server (10.1.10.110) and a slave server (recursive, 10.1.10.120), and also global forwarding to another server for non-managed domains.
The forwarding server (10.1.10.25) is also a slave for example1.com and example2.com, which it gets by zone transfer from the BIND slave server.

Below is my named.conf configuration. In the config, for secure zone transfers I am using a "server statement" with a TSIG communication key. With this configuration, when named is loaded on the BIND slave server, I can only resolve example1.com and example2.com on the BIND slave server (10.1.10.120); for other non-managed domains I see SERVFAIL errors.

Can anyone tell me why I am getting tsig errors and SERVFAIL errors for non-managed zones? Why is named using the "server statement" TSIG key in forwarding queries instead of using this TSIG only for ixfr/axfr?




BIND AUTH Master IP: 10.1.10.110
BIND AUTH Slave IP: 10.1.10.120
Forwarder IP: 10.1.10.25

*named.conf:*

#-
# ACLs
#-


acl "transfer-core-dns" { 10.1.10.25; };

#-
# Key Definition
#-
key "RNDC-KEY" {
algorithm HMAC-SHA512;
secret "ykLMNmAECOp4fcBMqIddG17Ubo4sTvm1zb5YSh7HvEjP8F2f+XU9uavOx4hoVBKANDY0tJIRlNOI8U8LaJunDg==";
};
#-
# Controls Definition
#-
acl "RNDC-USERS" {
127.0.0.1;
localhost;
};
controls {
inet 127.0.0.1 port 953 allow { RNDC-USERS; } keys { "RNDC-KEY";};
};

#-
# Logging Definition
#-
logging {
channel named {
file "/var/named/log/named.log" versions 10 size 100M;
severity  dynamic;
print-category yes;
print-severity yes;
print-time yes;
};
category default {
named;
};
};

#-
# Global Options
#-
options {
directory "/";
allow-query {any;};
allow-transfer {none;};
blackhole {none;};
dnssec-enable yes;
dnssec-validation no;
listen-on-v6 {none;};
check-srv-cname ignore;
check-mx-cname ignore;
check-mx ignore;
check-names master ignore;
check-names response ignore;
dump-file "/var/named/log/named_dump.db";
lame-ttl 600;
max-ncache-ttl 10800;
minimal-responses yes;
pid-file "/var/run/named/named.pid";
recursion yes;
session-keyfile "/var/run/named/session.key";
statistics-file "/var/named/log/named.stats";
tcp-clients 1000;
zone-statistics yes;
empty-zones-enable no;
rrset-order {
order cyclic;
};
transfers-in 50;
transfers-out 30;
transfers-per-ns 30;
no-case-compress {any; };
allow-recursion {any;};
recursive-clients 1;

forward only;
forwarders { 10.1.10.25; };
flush-zones-on-shutdown yes;
};

#-
# Statistics Section
#-
statistics-channels {
inet 127.0.0.1 port 8080 allow { 127.0.0.1; };
};



#-
# Server Definition
#-
key "COMMUNICATION-KEY" {
algorithm HMAC-SHA512;
secret
"1HVF90bx+6ywx5Ovr1SOCcL2inTDc0gYRoG6BK/TU+g8tAr3j0ptJsZ6OjfNxEYcMGDRt5m5z/it1gPe7+jJqA==";
};




server 10.1.10.25 {
keys "COMMUNICATION-KEY";
provide-ixfr yes;
request-ixfr yes;
};

#-
# Zone Section
#-
zone "." IN { type hint; file "/var/named/zones/masters/db.cache"; };
zone "example1.com" IN {
type slave;
file "/var/named/zones/slaves/db.example1.com";
allow-transfer {transfer-core-dns;};
allow-notify {10.1.10.110;};
notify yes;
masters {
10.1.10.110;
};
check-names ignore;
zone-statistics yes;
forwarders {};
};
zone "example2.com" IN {
type slave;
file "/var/named/zones/slaves/db.example2.com";
allow-transfer {transfer-core-dns;};
allow-notify {10.1.10.110;};
notify yes;
masters {
10.1.10.110;
};
check-names ignore;
zone-statistics yes;
forwarders {};
};

*named.log:*
client: error: query (google.com/NS): query_find: unexpected error after resuming: tsig indicates error
query-errors: info: (google.com): query failed (SERVFAIL) for google.com/IN/NS at query.c:8678
client: error: query (google.com/MX): query_find: unexpected error after resuming: tsig indicates error
query-errors: info: (google.com): query failed (SERVFAIL) for google.com/IN/MX at query.c:8678
query-errors: info: (google.com): query failed (SERVFAIL) for google.com/IN/A at query.c:7118
query-errors: info: (google.com): query failed (SERVFAIL) for google.com/IN/A at query.c:7118
query-errors: info: (google.com): query failed (SERVFAIL) for google.com/IN/NS at query.c:7118
query-errors: info: (google.com): query failed (SERVFAIL) for google.com/IN/MX at query.c:7118


Re: named failed to resolve forwarding queries(with global forwarders specified with "forward only") when "server section statement" has forwarder IP

2021-11-24 Thread Nagesh Thati
Thanks a lot for your quick response. Your answer is helpful.


On Wed, Nov 24, 2021 at 4:22 PM Tony Finch  wrote:

> Nagesh Thati  wrote:
> >
> > Can anyone tell me why I am getting tsig errors and SERVFAIL errors for
> > non managed zones? Why named using the "server statement" TSIG key in
> > forwarding queries instead of using this TSIG only for ixfr/axfr?
>
> TSIG is a bit confusing to set up because there are a bunch of options
> and the use-cases and pros and cons can be unclear.
>
> The `server` clause has a grab-bag of options that you can specify about
> other nameservers that your server might communicate with for whatever
> reason. If you configure a TSIG key in a `server` clause, it is used for
> all traffic with that server. (There will normally be a corresponding
> config on the other server for traffic in the opposite direction.) It's
> convenient to use for traffic between authoritative servers, because it
> gives you one place to secure refresh queries, notifies, and zone
> transfers. But in a more complicated configuration like yours it can have
> an unwanted effect on other traffic.
>
> Another approach is to configure TSIG for each kind of traffic separately.
> More explicit, but more verbose. The way I like to do this is to have
> `acl` clauses with helpful names, which can then be used in allow-notify
> and allow-transfer options to require TSIG for incoming requests; and
> corresponding top-level `primaries` clauses for use in per-zone
> `primaries` and/or `also-notify` clauses for outgoing requests. I can put
> all this access control stuff into a shared config file used on all my
> servers, and the authoritative TSIG stuff will not affect recursive
> queries.
>
> (For example, at Cambridge we have a mutual secondarying arrangement with
> Imperial College with TSIG and IPv6 and DNSSEC and all that good stuff;
> our recursive servers don't know anything special about the Imperial
> zones, and we don't need or want recursive queries between us to use TSIG.
> Our recursive servers still have the same shared access control config,
> but the Imperial parts are not used there, because none of the zone
> clauses refer to the Imperial acl/primaries names.)
>
> This kind of explicit TSIG configuration doesn't work in all cases: for
> instance, you can't specify TSIG keys in the `forwarders` clause, so you
> have to use a `server` clause to configure TSIG for forwarding.
>
> I haven't answered your specific questions because I'm not sure I
> understand the details of your setup properly, but I hope this more
> general answer is helpful.
>
> Tony.
> --
> f.anthony.n.finch    https://dotat.at/
> harness technological change to human advantage
>
>


Classless reverse zones CNAME and PTR resolution issue

2022-10-31 Thread Nagesh Thati
Hello,
I am facing CNAME and PTR record resolution issues when classless reverse
zones are defined in BIND 9.16.* (without recursion), but it used to work in
9.11.* (without recursion). The example below shows which reverse zones are
created and what output dig gives,

*named.conf:*
recursion no;

zone "22.10.13.in-addr.arpa" IN {
type master;
file "/var/named/zones/masters/db.22.10.13.in-addr.arpa";
check-names ignore;
zone-statistics yes;
};

zone "0-25.22.10.13.in-addr.arpa" IN {
type master;
file "/var/named/zones/masters/db.0-25.22.10.13.in-addr.arpa";
check-names ignore;
zone-statistics yes;
};

*db.22.10.13.in-addr.arpa:*

$TTL 1200
$ORIGIN 22.10.13.in-addr.arpa.
22.10.13.in-addr.arpa.  IN  SOA  remote1.india.com. admin.india.com. (
                        2022102807 ; serial
                        21600      ; refresh
                        3600       ; retry
                        604800     ; expire
                        86400      ; minimum
                        )
                        IN  NS     remote1.india.com.
0-25.22.10.13.in-addr.arpa.  IN  NS  remote1.india.com.
2.22.10.13.in-addr.arpa.  1200  IN  CNAME  2.0-25.22.10.13.in-addr.arpa.

*db.0-25.22.10.13.in-addr.arpa:*

$TTL 1200
$ORIGIN 0-25.22.10.13.in-addr.arpa.
0-25.22.10.13.in-addr.arpa.  IN  SOA  remote1.india.com. admin.india.com. (
                        2022102808 ; serial
                        21600      ; refresh
                        3600       ; retry
                        604800     ; expire
                        86400      ; minimum
                        )
                        IN  NS     remote1.india.com.
2.0-25.22.10.13.in-addr.arpa.  1200  IN  PTR  3G00051Phone.india.com.

*DIG Output:*

[root@remote1]# dig @localhost -x 13.10.22.2

; <<>> DiG 9.16.30 <<>> @localhost -x 13.10.22.2
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32110
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f29427e34cd79c010100635fe20b8accc09065ab6b33 (good)
;; QUESTION SECTION:
;2.22.10.13.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
2.22.10.13.in-addr.arpa. 1200   IN  CNAME   2.0-25.22.10.13.in-addr.arpa.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 31 14:56:11 GMT 2022
;; MSG SIZE  rcvd: 122

I am getting only the CNAME as the answer, not the exact A record for
that IP address. This used to work in BIND 9.11.*; recently I upgraded to
the latest 9.16.* version and since then I am facing this issue.


But when I enable recursion on BIND 9.16.* I get the expected answer, as
below,

[root@remote1]# dig @localhost -x 13.10.22.2

; <<>> DiG 9.16.30 <<>> @localhost -x 13.10.22.2
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40386
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 8cee7aad934beda40100635fe32bf7ce38d08006dbd1 (good)
;; QUESTION SECTION:
;2.22.10.13.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
2.22.10.13.in-addr.arpa. 1200   IN  CNAME   2.0-25.22.10.13.in-addr.arpa.
2.0-25.22.10.13.in-addr.arpa. 1200 IN   PTR 3G00051Phone.india.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 31 15:00:59 GMT 2022
;; MSG SIZE  rcvd: 165

Can someone help me understand why this behaviour is seen on the BIND 9.16.* version?
Thanks,
Nagesh


Master/Slave communication not working if I use HMAC-SHA* algorithms when views are implemented

2016-10-13 Thread Nagesh Thati

Hi,

Has anybody implemented master/slave communication with views and the 
HMAC-SHA* algorithms? I tried all the HMAC-SHA* algorithms and they didn't 
work for me; only the HMAC-MD5 algorithm worked for communication. If anybody 
has any idea, please help me.

Thanks.


--
Thanks,
Nagesh Thati



Re: Round-robin

2018-01-24 Thread Nagesh Thati
You can use BIND's RRSET Order for this,
http://www.zytrax.com/books/dns/ch7/queries.html#rrset-order

On Wed, Jan 24, 2018 at 4:37 PM, gsi  wrote:

> Hello,
>
> I have 2 A records like this :
> wwwA10.1.1.1
> wwwA10.1.1.2
>
> When I request www, I got random answers (10.1.1.1 or 10.1.1.2)
> If I use the sortlist option, I always got the same answer.
>
> My question : how can I have cyclic answers :
> request www --> reply 10.1.1.1
> request www --> reply 10.1.1.2
> request www --> reply 10.1.1.1
> request www --> reply 10.1.1.2
> ...
>
> Thanks,
>
> Guillaume.
>
>
>
> --
> Sent from: http://bind-users-forum.2342410.n4.nabble.com/

servfail-ttl 0; option in the named.conf global section is crashing the named (BIND 9.10.6)

2018-03-04 Thread Nagesh Thati
Hello,

I have added a "servfail-ttl 0;" parameter to the global section of the
named.conf file and restarted named, but named is not coming up and I don't
see any errors printed in named.log. When I run named-checkconf on
named.conf it gives the error UNKNOWN OPTION servfail-ttl. The version I am
using is the BIND 9.10.6 stable build. Can someone help me on this?
Thanks.

To fix this bug I have added the above parameter: CVE-2018-5734: A malformed
request can trigger an assertion failure in badcache.c



Re: servfail-ttl 0; option in the named.conf global section is crashing the named (BIND 9.10.6)

2018-03-04 Thread Nagesh Thati
Thanks Mark.


From: bind-users  on behalf of Mark Andrews 

Sent: Monday, March 5, 2018 11:51:06 AM
To: Nagesh Thati
Cc: bind-users@lists.isc.org
Subject: Re: servfail-ttl 0; option in the named.conf global section is 
crashing the named (BIND 9.10.6)


> On 5 Mar 2018, at 4:50 pm, Nagesh Thati  wrote:
>
> Hello,
>
> I have added a servfail-ttl 0; parameter in the named.conf file in the global 
> section and restarted the named, but named is not coming up and I don't see 
> any errors printing in the named.log. When I do a named-checkconf on 
> named.conf it is giving error as UNKNOWN OPTION servfail-ttl. The version I 
> am using is BIND 9.10.6 stable build. Can some one help me on this.
> Thanks.
>
> To fix this bug I have added the above parameter: CVE-2018-5734: A malformed 
> request can trigger an assertion failure in badcache.c

CVE-2018-5734 does not apply to BIND 9.10.6 (which doesn't have a servfail-ttl 
option).

CVE-2018-5734 applies to BIND 9.10.5-S1 to 9.10.5-S4, BIND 9.10.6-S1 and 9.10.6-S2 
(these versions have servfail-ttl as an option).

"named -v" will report which version of named you are running.

e.g.
% named -v
BIND 9.10.6 
%

Parsing error messages will be logged in the system log, as named has not yet 
got far enough into the startup process to know to log the messages elsewhere.

Mark


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: servfail-ttl 0; option in the named.conf global section is crashing the named (BIND 9.10.6)

2018-03-04 Thread Nagesh Thati
Thanks Cathy.


From: bind-users  on behalf of Cathy Almond 

Sent: Monday, March 5, 2018 11:53:44 AM
To: bind-users@lists.isc.org
Subject: Re: servfail-ttl 0; option in the named.conf global section is 
crashing the named (BIND 9.10.6)

On 05/03/2018 05:50, Nagesh Thati wrote:
> Hello,
>
> I have added a servfail-ttl 0; parameter in the named.conf file in the
> global section and restarted the named, but named is not coming up and I
> don't see any errors printing in the named.log. When I do a
> named-checkconf on named.conf it is giving error as UNKNOWN OPTION
> servfail-ttl. The version I am using is BIND 9.10.6 stable build. Can
> some one help me on this.
> Thanks.
>
> To fix this bug I have added above parameter   CVE-2018-5734: A
> malformed request can trigger an assertion failure in badcache.c
> <https://kb.isc.org/article/AA-01562/0/CVE-2018-5734%3A-A-malformed-request-can-trigger-an-assertion-failure-in-badcache.c.html>

CVE-2018-5734 affects only the editions listed in the security advisory:

9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, and 9.10.6-S2

These are Supported Preview Editions of BIND provided to eligible ISC
Support customers, not the same as the ones available for download from
our website.

Servfail cache was added to BIND Open Source from BIND 9.11 (although it
was backported to some of the -S editions as a Supported Preview
feature) - see:
https://kb.isc.org/article/AA-01310/109/BIND9-Significant-Features-Matrix.html

This is why the servfail-ttl option is unknown in 9.10.6.

So you're not vulnerable to CVE-2018-5734 - although I see why you might
have thought that you are because the -S editions of BIND have a similar
version numbering scheme to the regular editions, but with -S appended
(it's not often that we have a security issue that affects only those,
but it is still necessary to issue an advisory).

Hope this clarifies (and also sets your mind at rest)?

Cathy


Reverse lookup for classless networks

2018-12-27 Thread Nagesh Thati
Hello,
I have been trying to make reverse zones for classless networks. I
was able to create such zones by following an online guide. The guide says
to create a reverse zone for a classless network as follows,
Network: 28.0.0.0/27
Reverse Zone: 0-27.128.0.0.28.in-addr.arpa.
Example PTR record: 130.0-27.128.0.0.28.in-addr.arpa. PTR test.example.com.

Now the zone is up, but I have a problem looking up the IP address using
the method below,
dig @localhost -x 28.0.0.130

While the above lookup is not working, the method below is working,
> dig @localhost 130.0-27.128.0.0.28.in-addr.arpa. PTR +short
> 3G2Phone.adparent.com.

Now can someone tell me why the first method is not working, and will my
reverse zone work properly in the real world?
Thanks for your help.


Re: Reverse lookup for classless networks

2018-12-27 Thread Nagesh Thati
Thanks Mark,
But is there any other way without using any CNAMEs?

On Thu, Dec 27, 2018 at 4:45 PM Mark Andrews  wrote:

> Because it requires the parent zone with the CNAME records to also be set
> up which maps the well known query names to the alternate names.
>
>
> --
> Mark Andrews
>
> On 27 Dec 2018, at 21:01, Nagesh Thati  wrote:
>
> Hello,
> I have been trying to make the reverse zones for the classless networks. I
> was able to create such zones by following an online guide. The guide says
> to create a reverse zone for a classless network as following,
> Network: 28.0.0.0/27
> Reverse Zone: 0-27.128.0.0.28.in-addr.arpa.
> Example PTR record: 130.0-27.128.0.0.28.in-addr.arpa. PTR test.example.com.
>
> Now the zone is up, but I have problem in looking up the IP address using
> the below method,
> dig @localhost -x 28.0.0.130
>
> While the above lookup is not working, the below method is working,
> > dig @localhost 130.0-27.128.0.0.28.in-addr.arpa. PTR +short
> > 3G2Phone.adparent.com.
>
> Now can someone tell me why the first method is not working, will my
> reverse zone work properly in the real world?
> Thanks for your help.
>


Classless Reverse Zones PTR Dig Format Issue

2019-02-06 Thread Nagesh Thati
Hello,
I have created a network with 199.192.0.0/11 and created 4 subnets with a
/13 mask in that network,
Network: 199.192.0.0/11 : 192.199.in-addr.arpa,
Subnet1: 199.192.0.0/13 : 0-13.192.199.in-addr.arpa,
Subnet2: 199.200.0.0/13 : 0-13.200.199.in-addr.arpa,
Subnet3: 199.208.0.0/13 : 0-13.208.199.in-addr.arpa,
Subnet4: 199.216.0.0/13 : 0-13.216.199.in-addr.arpa.
I followed RFC 2317 to create CNAME and NS records in the parent zone,
which is 192.199.in-addr.arpa.
When I dig for a PTR for object 199.192.0.2 in the dig format below,
# dig @localhost -x 199.192.0.2 - GOT RESULT
I am getting the answer. But when I dig for object 199.200.255.202 in the
format below, I am not getting the answer,
# dig @localhost -x 199.200.255.202 - NO RESULT
But if I dig in the specific format,
# dig @localhost 202.255.0-13.200.199.in-addr.arpa PTR - GOT RESULT

My question is,
Is it possible to dig the 199.200.255.202 object with -x using a dig
command? If yes, what changes need to be made in the parent and child
reverse zones?

Thanks in advance,
Nagesh.
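The three classless reverse-zone threads on this page (2022-10-31, 2018-12-27 and this one) all turn on the same RFC 2317 mechanism: a child zone such as 0-25.22.10.13.in-addr.arpa. only answers for names inside it, so the parent /24 zone must carry one CNAME per address that maps the name `dig -x` asks for onto the child's name. The Python below is an added example, not code from the posts or from ISC; it generates those parent records for a constructed 13.10.22.0/25 delegation using the zone and server names from the 2022 thread, and follows the chain the way a recursive resolver does, so the difference between the recursion-off and recursion-on dig outputs above can be reproduced offline.

```python
# Added example (not from the posts): RFC 2317 classless in-addr.arpa
# delegation for a constructed 13.10.22.0/25, names as in the 2022 thread.
import ipaddress
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner, rrtype, rdata); names are absolute


def reverse_name(ip: str) -> str:
    """Query name that `dig -x` sends for an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parent_zone_name(cidr: str) -> str:
    """The classful /24 in-addr.arpa zone containing a sub-/24 block."""
    a, b, c, _ = str(ipaddress.ip_network(cidr).network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def rfc2317_child_zone(cidr: str) -> str:
    """Child zone name, e.g. 0-25.22.10.13.in-addr.arpa. for 13.10.22.0/25.
    RFC 2317 covers delegations longer than /24 only; /24 and shorter
    blocks are delegated on octet boundaries in the ordinary way."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies to delegations longer than /24")
    first = str(net.network_address).split(".")[3]
    return f"{first}-{net.prefixlen}.{parent_zone_name(cidr)}"


def parent_delegation_records(cidr: str, nameserver: str) -> List[Record]:
    """Records the PARENT /24 zone must carry: an NS for the child zone and
    one CNAME per address pointing the dig -x name into the child. Without
    these the child zone loads fine but dig -x has nothing to follow."""
    child = rfc2317_child_zone(cidr)
    records: List[Record] = [(child, "NS", nameserver)]
    for addr in ipaddress.ip_network(cidr):
        last = str(addr).split(".")[3]
        records.append((reverse_name(str(addr)), "CNAME", f"{last}.{child}"))
    return records


def lookup(name: str, rrtype: str, zones: Dict[str, List[Record]]) -> List[Record]:
    """Authoritative lookup in the most specific zone holding `name`. A CNAME
    at the owner is returned whatever type was asked for, as a server does."""
    holders = [z for z in zones if name == z or name.endswith("." + z)]
    if not holders:
        return []
    zone = max(holders, key=len)
    return [r for r in zones[zone] if r[0] == name and r[1] in (rrtype, "CNAME")]


def resolve_ptr(ip: str, zones: Dict[str, List[Record]], max_hops: int = 8) -> List[Record]:
    """Follow the CNAME chain as a recursive resolver would and return the
    whole answer section (CNAME then PTR); an empty list means no answer."""
    answer: List[Record] = []
    name = reverse_name(ip)
    for _ in range(max_hops):  # bounded so a CNAME loop cannot spin forever
        rrs = lookup(name, "PTR", zones)
        answer.extend(rrs)
        cnames = [r for r in rrs if r[1] == "CNAME"]
        if not cnames:
            break
        name = cnames[0][2]
    return answer


# Constructed zone data mirroring the 2022-10-31 thread above.
NETWORK = "13.10.22.0/25"
NS = "remote1.india.com."
CHILD = rfc2317_child_zone(NETWORK)
ZONES: Dict[str, List[Record]] = {
    parent_zone_name(NETWORK): parent_delegation_records(NETWORK, NS),
    CHILD: [(CHILD, "NS", NS), (f"2.{CHILD}", "PTR", "3G00051Phone.india.com.")],
}

if __name__ == "__main__":
    for rr in resolve_ptr("13.10.22.2", ZONES):
        print(*rr)  # CNAME then PTR, as in the recursion-enabled dig output
    # Child zone alone, no parent CNAMEs: the dig -x name is simply absent.
    print(resolve_ptr("13.10.22.2", {CHILD: ZONES[CHILD]}))
```

The /13-of-a-/11 layout in this thread is outside what RFC 2317 defines, which is why `rfc2317_child_zone` refuses prefixes of /24 or shorter: blocks that large are delegated per octet, not with a "first-prefix" label.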


Assistance Needed: "Too Many Records" Error When Reloading Zone `example.com`, BIND: 9.18.29

2024-09-22 Thread Nagesh Thati
Hi BIND Community,

I hope this message finds you well.

We are encountering an issue with our DNS zone `example.com`, which
contains approximately 10,000 resource records of various types, including
A, CNAME, TXT, and MX records. When attempting to perform an `rndc reload`
for this zone, we receive a “too many records” error. Below are the details
of the error and relevant log excerpts for your reference:

*BIND Version:*
ISC BIND 9.18.29

*Command Executed:*
# rndc reload example.com
rndc: 'reload' failed: too many records

*`named.log` Output:*
23-Sep-2024 10:21:04.886 query-errors: info: client @0x7f2f17d25168
127.0.0.1#39206 (example.com): query failed (zone not loaded) for
example.com/IN/SOA at query.c:5676
23-Sep-2024 10:21:20.782 zoneload: error: zone example.com/IN: loading from
master file /var/named/zones/db.example.com failed: too many records
23-Sep-2024 10:21:20.782 zoneload: error: zone example.com/IN: not loaded
due to errors.

*`general.log` Output:*
23-Sep-2024 10:33:48.625 general: info: received control channel command
'reload example.com'
23-Sep-2024 10:33:48.625 general: debug 1: zone_startload: zone
example.com/IN: enter
23-Sep-2024 10:33:48.629 general: error: dns_master_load: /var/named/zones/
db.example.com:995: text.example.com: too many records

*Zone File Excerpt (Line 995):*
990 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"
991 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 211 for us-vra.example.com. created on 2024-05-28"
992 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 212 for us-vdm.example.com. created on 2024-05-28"
993 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 217 for us-twlcm-01.example.com. created on 2024-05-28"
994 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 220 for us-lcm-02.example.com. created on 2024-05-29"
995 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 225 for us-dev-remote-50.example.com. created on 2024-05-29"
996 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 228 for us-vdm-02.example.com. created on 2024-05-29"
997 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 230 for us-lcm-03.example.com. created on 2024-05-29"
998 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 235 for us-dev-remote-51.example.com. created on 2024-05-29"
999 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 240 for us-twlcm-02.example.com. created on 2024-05-29"

*Issue Summary:*
*Zone Definition*: `example.com`
*Number of Records*: ~10,000 (A, CNAME, TXT, MX)
*Error Encountered*: `rndc: 'reload' failed: too many records`
*Logs Indicate*: The zone failed to load due to the excessive number of
records, specifically pointing to TXT records at line 995.

*Additional Information:*
- Zone File Structure: The zone file contains a high number of TXT records,
particularly for infrastructure asset IDs.

*Request for Assistance:*
1. *Understanding the Limit:* Is there a configurable limit in BIND that
restricts the number of records per zone? If so, how can we adjust this
limit to accommodate our current zone size?
2. *Optimization Tips:* Are there best practices for managing large zones
with thousands of records to prevent such issues?
3. *Error Interpretation:* Can the “too many records” error be mitigated by
restructuring the zone file or employing specific configurations?

Any guidance or suggestions to resolve this issue would be greatly
appreciated. Thank you in advance for your support.

Best Regards,
Nagesh
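This thread has no reply on the page. As an added check (not code from the thread or from ISC), the Python below counts the records in every RRset of a zone file and reports the line at which a per-RRset limit is first exceeded, the same position the `dns_master_load` error above points at, so an oversized RRset can be found before `rndc reload` is attempted. The sample zone is constructed, and the 100-record threshold is an assumption: it matches the per-RRset ceiling that recent BIND 9.18 releases enforce through the `max-records-per-type` option, so confirm the value against the release notes of the version in use.

```python
# Added check (not from the thread or from ISC): count records per RRset in
# a zone file and report where a per-RRset limit is first exceeded.
import shlex
from collections import defaultdict
from typing import Dict, List, Tuple

CLASSES = {"IN", "CH", "HS"}
LIMIT = 100  # assumed per-RRset ceiling; confirm against your BIND release notes


def tokens(line: str) -> List[str]:
    """Split a zone-file line on whitespace, keeping double-quoted TXT
    strings together and dropping ';' comments."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.commenters = ";"
    lex.quotes = '"'  # zone files quote with double quotes only
    return list(lex)


def rrsets(zone_text: str, origin: str) -> Dict[Tuple[str, str], List[int]]:
    """Map (owner, rrtype) -> line numbers of every record in that RRset.
    Handles $ORIGIN, '@', relative owners, omitted owners (leading blank),
    optional TTL and class. Parenthesised multi-line records are not
    supported: this is a check, not a full master-file parser."""
    out: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    last_owner = origin
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        toks = tokens(raw)
        if not toks:
            continue  # blank or comment-only line
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0].startswith("$"):
            continue  # $TTL, $INCLUDE: nothing to count on this line
        if raw[0].isspace():
            owner = last_owner  # owner omitted: same as the previous record
        else:
            owner = toks.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            last_owner = owner
        while toks and (toks[0].isdigit() or toks[0].upper() in CLASSES):
            toks.pop(0)  # optional TTL and/or class precede the type
        if toks:
            out[(owner, toks[0].upper())].append(lineno)
    return dict(out)


def oversized(sets: Dict[Tuple[str, str], List[int]], limit: int = LIMIT) -> List[Tuple[str, str, int, int]]:
    """(owner, rrtype, count, line of the first record past the limit) for
    every RRset with more than `limit` records, in zone-file order."""
    hits = [(o, t, len(ls), ls[limit]) for (o, t), ls in sets.items() if len(ls) > limit]
    return sorted(hits, key=lambda h: h[3])


# Constructed sample zone: a few ordinary records, then 101 TXT records at
# one owner name, shaped like the excerpt in the post above.
SAMPLE_ZONE = "\n".join(
    ["$TTL 3600",
     "$ORIGIN example.com.",
     "@ IN SOA ns1 hostmaster 2024092201 7200 3600 1209600 3600 ; constructed",
     "@ IN NS ns1",
     "ns1 IN A 192.0.2.1",
     "www 5000 IN A 192.0.2.2"]
    + [f'text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: {n} '
       f'for host-{n}.example.com. created on 2024-05-28"' for n in range(1, 102)]
)

if __name__ == "__main__":
    for owner, rrtype, count, line in oversized(rrsets(SAMPLE_ZONE, "example.com.")):
        # Same shape as the dns_master_load error line quoted in the post.
        print(f"sample-zone:{line}: {owner} {rrtype}: {count} records (limit {LIMIT})")
```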