Re: Conflicting glue records?

2009-01-07 Thread Doug Barton
Milo Hyson wrote:
> If different registrars contain different host records for the same name
> server, what glue records are established in the root servers? Suppose
> two domains at different registrars both list ns1.mydomain.com as a
> nameserver but each gives a different IP. Are the results undefined?

I'm not sure what the theoretically "correct" way for the reg*'s to
resolve this is, but in practice you're right, the results are
undefined. If these are all hosts and records that you control, the
short answer is, "be careful not to do that."

If you've run into a situation where a hostname for a domain you now
control has stale glue your best point of contact is your registrar
for com/net/org/info/biz/us.


hth,

Doug
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: problem with nsupdate

2009-01-07 Thread Doug Barton
Oliver Block wrote:
> I CAN SEE NO ERROR MESSAGE.

The server log is usually informative in these situations.


hth,

Doug
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Conflicting glue records?

2009-01-07 Thread Barry Margolin
In article ,
 "Dawn Connelly"  wrote:

> Each registrar pushes the information that they have. So if you have
> apples.com with an NS record of ns1.dns.com==137.161.0.1 and
> oranges.com with a NS record of ns1.dns.com=137.161.0.2, when people
> query for apples, they will get the .1 address and when they query for
> oranges.com they will get the .2 address. Inversely if apples.com has
> an ns record of ns1.apples.com and oranges.com has an NS record of
> ns1.oranges.com but they both resolve to the same IP address, the
> requester will see the corresponding name.

The above makes no sense.  There's only one set of COM servers, and they 
can only have one set of glue records.

Also, even though there are many registrars, there's only one registry 
that they all update.

> On Wed, Jan 7, 2009 at 6:29 PM, Milo Hyson  wrote:
> > If different registrars contain different host records for the same name
> > server, what glue records are established in the root servers? Suppose two
> > domains at different registrars both list ns1.mydomain.com as a nameserver
> > but each gives a different IP. Are the results undefined? Is there some rule
> > that is followed to resolve the conflict?
> >
> > --
> >
> > Milo Hyson
> >
> > Chief Scientist
> >
> > CyberLife Labs
> >
> >

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
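Barry's point is that there is one registry and therefore one set of glue for ns1.mydomain.com, whichever registrar last pushed it. The practical check that follows from the thread is whether the glue the parent hands out still matches what the child zone publishes; a glue address you no longer control is the "stale glue" Doug's reply says to raise with the registrar. The program below is an added example, not code from the thread or from BIND: it takes two text blocks in the presentation format dig prints (the parent's ADDITIONAL section and the child's ANSWER section, here constructed samples using RFC 5737 documentation addresses) and counts glue addresses the child does not publish. The helper names and the sample records are assumptions made for this example.

```c
/* Added example, not from the thread: compare the glue addresses the parent
 * (e.g. the COM servers) hands out for a name server with the addresses the
 * child zone itself publishes. A glue address the child no longer lists is
 * "stale glue". Input is the presentation format dig prints; the sample
 * records below are constructed for this example (RFC 5737 addresses). */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_RR 32

struct a_rr {
    char name[256];
    char addr[64];
};

/* Constructed sample: what the parent returns in its ADDITIONAL section. */
const char *const SAMPLE_PARENT_GLUE =
    ";; ADDITIONAL SECTION:\n"
    "ns1.mydomain.com.   172800  IN  A   192.0.2.1\n"
    "ns2.mydomain.com.   172800  IN  A   192.0.2.2\n";

/* Constructed sample: what the child zone answers for the same names
 * (ns2 has moved to .3, so the parent's .2 glue is stale). */
const char *const SAMPLE_CHILD_ANSWER =
    ";; ANSWER SECTION:\n"
    "ns1.mydomain.com.   3600    IN  A   192.0.2.1\n"
    "ns2.mydomain.com.   3600    IN  A   192.0.2.3\n";

/* Pull "owner TTL IN A address" records out of a text block; comment lines
 * (starting with ';') and any other record types are skipped. */
static int parse_a_records(const char *text, struct a_rr *out, int max)
{
    int n = 0;
    const char *p = text;

    while (*p != '\0' && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        char owner[256], cls[8], type[8], addr[64];
        unsigned ttl;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (line[0] != ';' &&
            sscanf(line, "%255s %u %7s %7s %63s", owner, &ttl, cls, type, addr) == 5 &&
            strcmp(cls, "IN") == 0 && strcmp(type, "A") == 0) {
            snprintf(out[n].name, sizeof out[n].name, "%s", owner);
            snprintf(out[n].addr, sizeof out[n].addr, "%s", addr);
            n++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Return how many parent glue records carry an address the child zone does
 * not publish for that owner name (owner names compare case-insensitively). */
int count_stale_glue(const char *parent_text, const char *child_text)
{
    struct a_rr glue[MAX_RR], child[MAX_RR];
    int nglue = parse_a_records(parent_text, glue, MAX_RR);
    int nchild = parse_a_records(child_text, child, MAX_RR);
    int stale = 0;

    for (int i = 0; i < nglue; i++) {
        int found = 0;
        for (int j = 0; j < nchild && !found; j++)
            if (strcasecmp(glue[i].name, child[j].name) == 0 &&
                strcmp(glue[i].addr, child[j].addr) == 0)
                found = 1;
        if (!found) {
            printf("stale glue: %s %s (not published by the child zone)\n",
                   glue[i].name, glue[i].addr);
            stale++;
        }
    }
    return stale;
}

int main(void)
{
    int stale = count_stale_glue(SAMPLE_PARENT_GLUE, SAMPLE_CHILD_ANSWER);
    printf("%d stale glue record(s)\n", stale);
    return stale != 0;
}
```

In practice the two inputs come from a non-recursive query to a parent server and an authoritative query to the child's own servers; the comparison is on addresses only, because glue carries no signature and nothing else distinguishes a stale entry from a current one.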


Re: Conflicting glue records?

2009-01-07 Thread Dawn Connelly
Each registrar pushes the information that they have. So if you have
apples.com with an NS record of ns1.dns.com==137.161.0.1 and
oranges.com with a NS record of ns1.dns.com=137.161.0.2, when people
query for apples, they will get the .1 address and when they query for
oranges.com they will get the .2 address. Inversely if apples.com has
an ns record of ns1.apples.com and oranges.com has an NS record of
ns1.oranges.com but they both resolve to the same IP address, the
requester will see the corresponding name.

On Wed, Jan 7, 2009 at 6:29 PM, Milo Hyson  wrote:
> If different registrars contain different host records for the same name
> server, what glue records are established in the root servers? Suppose two
> domains at different registrars both list ns1.mydomain.com as a nameserver
> but each gives a different IP. Are the results undefined? Is there some rule
> that is followed to resolve the conflict?
>
> --
>
> Milo Hyson
>
> Chief Scientist
>
> CyberLife Labs
>
>


Conflicting glue records?

2009-01-07 Thread Milo Hyson
If different registrars contain different host records for the same  
name server, what glue records are established in the root servers?  
Suppose two domains at different registrars both list ns1.mydomain.com  
as a nameserver but each gives a different IP. Are the results  
undefined? Is there some rule that is followed to resolve the conflict?


--
Milo Hyson
Chief Scientist
CyberLife Labs



problem with nsupdate

2009-01-07 Thread Oliver Block
Hello everybody,

I was trying to get nsupdate to create an A record for a subdomain. I was 
following one of the tutorials out there on the web.

After I finished everything I received the following (manually obscured) 
output from nsupdate -d:

Creating key...
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
west.oliver-block.eu.   86400   IN      A       192.73.171.242

Sending update to 85.214.68.33#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  60017
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;oliver-block.eu.               IN      SOA

;; UPDATE SECTION:
west.oliver-block.eu.   86400   IN      A       192.73.171.242

;; TSIG PSEUDOSECTION:
dyndns.                 0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 
1231377216 300 16 Ud1iyORRRZT4KXn67kFAzg== 60017 NOERROR 0

; Communication with server failed: operation canceled


I CAN SEE NO ERROR MESSAGE. But it did not work, neither with dns nor 
nsupdate. Can anyone give me a hint as to what the problem may be?

BTW: Please cc me, as I am not subscribed.

Best Regards,

Oliver Block


Re: Ever growing jnl files

2009-01-07 Thread Mark Andrews

see max-journal-size ;

In message , Nicholas F Mill
er writes:
> We have a few dynamic zones that are provisioned using Addhost. When  
> addhost adds records to the zone every night it will run "nsupdate <  
> update.file". The update.file will contain records like these:
> 
> prereq yxrrset machine.colorado.edu. in a
> update delete  machine.colorado.edu. in a
> 
> prereq yxrrset machine.colorado.edu. in hinfo
> update delete machine.colorado.edu. in HINFO
> 
> This all works fine but the jnl doesn't ever go away after nsupdate  
> runs like this. The jnl will continue to be appended to every night  
> when nsupdate is run again. If we use nsupdate without feeding it a  
> file the jnl will disappear like it's supposed to. Is this a glitch in  
> bind bind-9.5.0-P2?
> 
> 
> Nicholas Miller, ITS, University of Colorado at Boulder
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: BIND 9.6.0-P1 is now available (rob_aust...@isc.org)

2009-01-07 Thread Andy Shellam
Also https://lists.isc.org/pipermail/bind-announce/ carries the 
announcements archive.


Regards,
Andy

Jason Mitchell wrote:

Hi Barry,

https://lists.isc.org/pipermail/bind-users/

Cheers,

Jason

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of bsfin...@anl.gov
Sent: Thursday, 8 January 2009 9:15 AM
To: bind-users@lists.isc.org
Subject: Re: BIND 9.6.0-P1 is now available (rob_aust...@isc.org)

Echoing a complaint made recently -- I saw the announcements of the
-P1 patch for the various supported versions of BIND via the
bind-users digest.  I used to get them also via some -announce
list at ISC, I do not remember the name, maybe bind-annou...@isc.org .

And I noticed that the list archives at

 http://marc.info/?l=bind-users

end at the end of last November.  The December and January postings are
not there.  Is there another archive site?
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



RE: BIND 9.6.0-P1 is now available (rob_aust...@isc.org)

2009-01-07 Thread Jason Mitchell
Hi Barry,

https://lists.isc.org/pipermail/bind-users/

Cheers,

Jason

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of bsfin...@anl.gov
Sent: Thursday, 8 January 2009 9:15 AM
To: bind-users@lists.isc.org
Subject: Re: BIND 9.6.0-P1 is now available (rob_aust...@isc.org)

Echoing a complaint made recently -- I saw the announcements of the
-P1 patch for the various supported versions of BIND via the
bind-users digest.  I used to get them also via some -announce
list at ISC, I do not remember the name, maybe bind-annou...@isc.org .

And I noticed that the list archives at

 http://marc.info/?l=bind-users

end at the end of last November.  The December and January postings are
not there.  Is there another archive site?
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994


Re: BIND 9.6.0-P1 is now available (rob_aust...@isc.org)

2009-01-07 Thread bsfinkel
Echoing a complaint made recently -- I saw the announcements of the
-P1 patch for the various supported versions of BIND via the
bind-users digest.  I used to get them also via some -announce
list at ISC, I do not remember the name, maybe bind-annou...@isc.org .

And I noticed that the list archives at

 http://marc.info/?l=bind-users

end at the end of last November.  The December and January postings are
not there.  Is there another archive site?
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994


Re: Problem resolving "www.lmsintl.com"

2009-01-07 Thread Josh Kuo
Make sure your Windows client is not appending any additional suffix
to your domain name by adding a . to the end of your domain name. So
for example, your nslookup command should look something like
this:

nslookup www.lmsintl.com.

What happens when you do "dig www.lmsintl.com. a"? Does it return the
proper answer?


On Wed, Jan 7, 2009 at 11:37 AM, Apisa, Kathy (US - MABS)
 wrote:
> I am running bind 9.4.2-P2 on windows and can resolve all external Domains
> names with the exception of www.lmsintl.com
>
>
>
> Doing a "dig www.lmsintl.com +trace" returns the proper address
>
> If I do a ping or nslookup on www.lmsintl.com I get an error "can't find
> www.lmsintl.com: server failed", therefore I am unable to access their
> website.
>
>
>
> Any suggestions?
>
>
>
> Thanks much,
>
> Kathy Apisa
>
> 
>
> Information Technology
>
> 330-796-5963 (voice)
>
> 330-796-9805 (fax)
>
> kathy.ap...@meggitt.com
>
>
>


Re: Ever growing jnl files

2009-01-07 Thread Jeremy C. Reed
On Wed, 7 Jan 2009, Mike Eggleston wrote:

> On Wed, 07 Jan 2009, Nicholas F Miller might have said:
> 
> > We have a few dynamic zones that are provisioned using Addhost. When  
> > addhost adds records to the zone every night it will run "nsupdate <  
> > update.file". The update.file will contain records like these:
> > 
> > prereq yxrrset machine.colorado.edu. in a
> > update delete  machine.colorado.edu. in a
> > 
> > prereq yxrrset machine.colorado.edu. in hinfo
> > update delete machine.colorado.edu. in HINFO
> > 
> > This all works fine but the jnl doesn't ever go away after nsupdate  
> > runs like this. The jnl will continue to be appended to every night  
> > when nsupdate is run again. If we use nsupdate without feeding it a  
> > file the jnl will disappear like it's supposed to. Is this a glitch in  
> > bind bind-9.5.0-P2?

I am not sure how the remote server would behave differently with "nsupdate" 
versus "nsupdate < file" (assuming the same input).

> What about a crontab entry for once a week or once a month that does a
> freeze/unfreeze to force the jnl file to get played into the zone files?

This is unrelated. The synchronization of the dynamic update data (in the 
journal database) to the real zone file is done occasionally -- and may be 
delayed by up to 15 minutes. (This time is not configurable other than by 
redefining the DNS_DUMP_DELAY macro to a number of seconds in the build 
environment and rebuilding BIND.)

The journal file may continue to grow when it is also used for IXFR 
tracking for incremental zone transfers.


Problem resolving "www.lmsintl.com"

2009-01-07 Thread Apisa, Kathy (US - MABS)
I am running bind 9.4.2-P2 on windows and can resolve all external
Domains names with the exception of www.lmsintl.com

Doing a "dig www.lmsintl.com +trace" returns the proper address

If I do a ping or nslookup on www.lmsintl.com I get an error "can't find
www.lmsintl.com: server failed", therefore I am unable to access their
website.

Any suggestions?

 

Thanks much,

Kathy Apisa

Information Technology

330-796-5963 (voice)

330-796-9805 (fax)

kathy.ap...@meggitt.com

This email may contain proprietary information and/or copyright
material. This email is intended for the use of the addressee only.
Any unauthorized use may be unlawful. If you receive this email by
mistake, please advise the sender immediately by using the reply
facility in your email software.

Information contained in and/or attached to this document may be
subject to export control regulations of the European Community, USA,
or other countries. Each recipient of this document is responsible to
ensure that usage and/or transfer of any information contained in
this document complies with all relevant export control regulations.
If you are in any doubt about the export control restrictions that
apply to this information, please contact the sender immediately.

Be aware that Meggitt may monitor incoming and outgoing emails to
ensure compliance with the Meggitt IT User policy.

This transmittal and any attached documents may contain technical
data, the use of which may be restricted by the U.S. Arms Export
Control Act and/or the Export Administration Act.  By accepting such
data, the recipient agrees to comply with the International Traffic
in Arms Regulations (ITAR) and/or the Export Administration
Regulations, as applicable.

BIND Security Advisory (CVE-2009-0025; Severity: Low)

2009-01-07 Thread Rob_Austein
Internet Systems Consortium Security Advisory.
  BIND: EVP_VerifyFinal() and DSA_do_verify() return checks.
  7 January 2009

Versions affected:

BIND 9.0 (all versions)
BIND 9.1 (all versions)
BIND 9.2 (all versions)
BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6
BIND 9.4.0, 9.4.1, 9.4.2, 9.4.3
BIND 9.5.0, 9.5.1
BIND 9.6.0

Severity: Low.

Description:

Return values from OpenSSL library functions EVP_VerifyFinal()
and DSA_do_verify() were not checked properly.

Impact:

It is theoretically possible to spoof answers returned from
zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).

Workaround:

BIND 9.3, 9.4, 9.5 and 9.6:
Disable the affected algorithms in named.conf.  This
will cause answers from zones signed only with DSA (3)
and/or NSEC3DSA (6) to be treated as insecure.

BIND 9.3, 9.4, 9.5:
disable-algorithms . { DSA; };
BIND 9.6:
disable-algorithms . { DSA; NSEC3DSA; };

Fix:

Upgrade to 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1.

There are no fixes planned for BIND 9.1 or BIND 9.2, as those
releases do not implement the current DNSSEC protocol.

Questions should be addressed to bind9-b...@isc.org.

CVE: CVE-2009-0025

Also see CVE-2008-5077 for the corresponding OpenSSL issue.

Acknowledgement:

Credit: Google Security Team (for the original OpenSSL issue),
Florian Weimer for spotting that BIND9 was vulnerable.

Revision History:

  2009-01-05    Initial pre-release text

  2009-01-07    Public release with corrected CVE
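The defect the advisory describes is a return-value check, so it is worth seeing the two call patterns side by side. OpenSSL documents DSA_do_verify() and EVP_VerifyFinal() as returning 1 for a valid signature, 0 for an invalid one and -1 when an error occurs; a caller that only rejects on 0 lets the -1 error path through as if verification had succeeded. The program below is an added example, not BIND's or OpenSSL's code: fake_dsa_do_verify() is a stand-in with the same three-valued return convention (its toy logic, the sample byte strings and the function names are constructed for this example), and the two check functions show the pattern the advisory describes next to the corrected one.

```c
/* Added example, not BIND's or OpenSSL's code. OpenSSL documents
 * DSA_do_verify() and EVP_VerifyFinal() as returning 1 for a valid
 * signature, 0 for an invalid one and -1 on error. The advisory's bug is a
 * caller that treats only 0 as failure, so the -1 error path is accepted as
 * if the signature had verified. The verifier below is a stand-in with that
 * return convention so the example runs without OpenSSL; its logic is toy. */
#include <stdio.h>
#include <string.h>

enum verdict { SIG_REJECT = 0, SIG_ACCEPT = 1 };

/* Constructed inputs: the "signature" the stand-in accepts, a same-length
 * forgery, and a malformed blob that makes the stand-in report an error. */
const unsigned char SAMPLE_VALID[4]     = { 0xde, 0xad, 0xbe, 0xef };
const unsigned char SAMPLE_FORGED[4]    = { 0x00, 0x00, 0x00, 0x00 };
const unsigned char SAMPLE_MALFORMED[5] = { 0xde, 0xad, 0xbe, 0xef, 0x00 };

/* Stand-in for DSA_do_verify(): 1 valid, 0 invalid, -1 error. The error
 * case here is an unexpected length, standing in for the decoding or
 * internal failures that make the real function return -1. */
static int fake_dsa_do_verify(const unsigned char *sig, size_t siglen)
{
    if (siglen != sizeof SAMPLE_VALID)
        return -1;
    return memcmp(sig, SAMPLE_VALID, siglen) == 0 ? 1 : 0;
}

/* The pattern the advisory describes: only an explicit 0 is rejected,
 * so a -1 error result falls through to ACCEPT. */
enum verdict check_signature_buggy(const unsigned char *sig, size_t siglen)
{
    if (fake_dsa_do_verify(sig, siglen) == 0)
        return SIG_REJECT;
    return SIG_ACCEPT;
}

/* Fixed pattern: accept only on an explicit 1; 0 and -1 both reject. */
enum verdict check_signature_fixed(const unsigned char *sig, size_t siglen)
{
    int ret = fake_dsa_do_verify(sig, siglen);
    if (ret != 1)
        return SIG_REJECT;
    return SIG_ACCEPT;
}

int main(void)
{
    struct { const char *label; const unsigned char *sig; size_t len; } cases[] = {
        { "valid",     SAMPLE_VALID,     sizeof SAMPLE_VALID },
        { "forged",    SAMPLE_FORGED,    sizeof SAMPLE_FORGED },
        { "malformed", SAMPLE_MALFORMED, sizeof SAMPLE_MALFORMED },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-9s raw=%2d buggy=%s fixed=%s\n", cases[i].label,
               fake_dsa_do_verify(cases[i].sig, cases[i].len),
               check_signature_buggy(cases[i].sig, cases[i].len) == SIG_ACCEPT
                   ? "ACCEPT" : "REJECT",
               check_signature_fixed(cases[i].sig, cases[i].len) == SIG_ACCEPT
                   ? "ACCEPT" : "REJECT");
    return 0;
}
```

The general rule this illustrates for any verification API with a tri-state result: compare against the single success value, never against the single failure value, so that every unanticipated return (error, new status code) lands on the rejecting side.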


BIND 9.3.6-P1 is now available

2009-01-07 Thread Rob_Austein
BIND 9.3.6-P1 is now available.

BIND 9.3.6-P1 is a SECURITY patch for BIND 9.3.6.  It addresses a bug
in which return values from some OpenSSL functions were left unchecked,
making it theoretically possible to spoof answers from some signed
zones.

Bugs should be reported to bind9-b...@isc.org.

BIND 9.3.6-P1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.3.6-P1/bind-9.3.6-P1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.3.6-P1/bind-9.3.6-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.3.6-P1/bind-9.3.6-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.3.6-P1/bind-9.3.6-P1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.3.6-P1/BIND9.3.6-P1.zip
ftp://ftp.isc.org/isc/bind9/9.3.6-P1/BIND9.3.6-P1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.3.6-P1/BIND9.3.6-P1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.3.6-P1/BIND9.3.6-P1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.3.6-P1/BIND9.3.6-P1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.3.6-P1/BIND9.3.6-P1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.3.6-P1/BIND9.3.6-P1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.3.6-P1/BIND9.3.6-P1.debug.zip.sha512.asc

Changes since 9.3.6:

2522.   [security]  Handle -1 from DSA_do_verify().

2498.   [bug]       Removed a bogus function argument used with
                    ISC_SOCKET_USE_POLLWATCH: it could cause compiler
                    warning or crash named with the debug 1 level
                    of logging. [RT #18917]


BIND 9.4.3-P1 is now available

2009-01-07 Thread Rob_Austein
BIND 9.4.3-P1 is now available.

BIND 9.4.3-P1 is a SECURITY patch for BIND 9.4.3.  It addresses a bug
in which return values from some OpenSSL functions were left unchecked,
making it theoretically possible to spoof answers from some signed
zones.

Bugs should be reported to bind9-b...@isc.org.

BIND 9.4.3-P1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.sha512.asc

Changes since 9.4.3:

2522.   [security]  Handle -1 from DSA_do_verify().

2498.   [bug]       Removed a bogus function argument used with
                    ISC_SOCKET_USE_POLLWATCH: it could cause compiler
                    warning or crash named with the debug 1 level
                    of logging. [RT #18917]


BIND 9.5.1-P1 is now available

2009-01-07 Thread Rob_Austein
BIND 9.5.1-P1 is now available.

BIND 9.5.1-P1 is a SECURITY patch for BIND 9.5.1.  It addresses a bug
in which return values from some OpenSSL functions were left unchecked,
making it theoretically possible to spoof answers from some signed
zones.

Bugs should be reported to bind9-b...@isc.org.

BIND 9.5.1-P1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.5.1-P1/bind-9.5.1-P1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.5.1-P1/bind-9.5.1-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P1/bind-9.5.1-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P1/bind-9.5.1-P1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.1-P1/BIND9.5.1-P1.zip
ftp://ftp.isc.org/isc/bind9/9.5.1-P1/BIND9.5.1-P1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.1-P1/BIND9.5.1-P1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P1/BIND9.5.1-P1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P1/BIND9.5.1-P1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P1/BIND9.5.1-P1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P1/BIND9.5.1-P1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P1/BIND9.5.1-P1.debug.zip.sha512.asc

Changes since 9.5.1:

2522.   [security]  Handle -1 from DSA_do_verify().



BIND 9.6.0-P1 is now available

2009-01-07 Thread Rob_Austein

BIND 9.6.0-P1 is now available.

BIND 9.6.0-P1 is a SECURITY patch for BIND 9.6.0.  It addresses a bug
in which return values from some OpenSSL functions were left unchecked,
making it theoretically possible to spoof answers from some signed
zones.

Bugs should be reported to bind9-b...@isc.org.

BIND 9.6.0-P1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.6.0-P1/BIND9.6.0-P1.zip
ftp://ftp.isc.org/isc/bind9/9.6.0-P1/BIND9.6.0-P1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.6.0-P1/BIND9.6.0-P1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.0-P1/BIND9.6.0-P1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.0-P1/BIND9.6.0-P1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.6.0-P1/BIND9.6.0-P1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.0-P1/BIND9.6.0-P1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.0-P1/BIND9.6.0-P1.debug.zip.sha512.asc

Changes since 9.6.0:

2522.   [security]  Handle -1 from DSA_do_verify() and EVP_verify().



Re: Ever growing jnl files

2009-01-07 Thread Nicholas F Miller
All good suggestions. We have given them both some thought. I was just  
wondering if there was a problem with the way we were doing things.


Nicholas Miller, ITS, University of Colorado at Boulder

On Jan 7, 2009, at 11:34 AM, Mike Eggleston wrote:


What about a crontab entry for once a week or once a month that does a
freeze/unfreeze to force the jnl file to get played into the zone  
files?


Mike


On Jan 7, 2009, at 11:35 AM, Scott Baker wrote:


How about:

#Do not let the journals get too big
max-journal-size 512k;


On Jan 7, 2009, at 11:36 AM, Jonathan Petersson wrote:


I've seen similar behaviors in earlier versions of BIND as well. Since
it doesn't seem to impact performance etc I haven't really bothered
with it. What you can do is to run an rndc freeze/thaw, this will
check out the journal file.



Re: Ever growing jnl files

2009-01-07 Thread Jonathan Petersson
I've seen similar behaviors in earlier versions of BIND as well. Since
it doesn't seem to impact performance etc I haven't really bothered
with it. What you can do is to run an rndc freeze/thaw, this will
check out the journal file.

/Jonathan

On Wed, Jan 7, 2009 at 10:30 AM, Nicholas F Miller
 wrote:
> We have a few dynamic zones that are provisioned using Addhost. When addhost
> adds records to the zone every night it will run "nsupdate < update.file".
> The update.file will contain records like these:
>
> prereq yxrrset machine.colorado.edu. in a
> update delete  machine.colorado.edu. in a
>
> prereq yxrrset machine.colorado.edu. in hinfo
> update delete machine.colorado.edu. in HINFO
>
> This all works fine but the jnl doesn't ever go away after nsupdate runs
> like this. The jnl will continue to be appended to every night when nsupdate
> is run again. If we use nsupdate without feeding it a file the jnl will
> disappear like it's supposed to. Is this a glitch in bind bind-9.5.0-P2?
>
> 
> Nicholas Miller, ITS, University of Colorado at Boulder
>


Named goes deaf

2009-01-07 Thread Scott Haneda
Hello, running BIND 9.4.2-P2 on OS X 10.5, this is just what comes  
with OS X out of the box.  Today, my secondary NS provider could not  
zone transfer.  I looked into it and could not telnet to port 53,  
connection refused.


This happens quite often on my friend's machine, but he runs OS X 10.3  
and is using QuickDNS to manage his zones.  I figured it was just an  
old OS issue.  I just restart named on his machine, and all is better.


In both cases, named was answering queries, I assume since those  
happen on a UDP port?  How can one go deaf and not the other?  Any  
idea why named goes deaf on me every now and then?


All I have to do is issue `rndc stop` and then launchd picks it up and  
starts it again.  All is then well.


What is the correct way to restart named on OS X?  I can run `rndc  
stop` but `rndc start` is not a known command.  The plist that is part  
of launchd is just calling `/usr/sbin/named -f`


I could easily write a small script that tried to talk to port 53 tcp,  
and then restart, but this seems to have plagued me in some way or  
another since OS X 10.3 and I would like to get to the bottom of it.   
Can someone explain to me if there are any other repercussions other  
than my secondary will not be able to pull zones in this case?


Thanks
--
Scott



Re: Ever growing jnl files

2009-01-07 Thread Mike Eggleston
On Wed, 07 Jan 2009, Nicholas F Miller might have said:

> We have a few dynamic zones that are provisioned using Addhost. When  
> addhost adds records to the zone every night it will run "nsupdate <  
> update.file". The update.file will contain records like these:
> 
> prereq yxrrset machine.colorado.edu. in a
> update delete  machine.colorado.edu. in a
> 
> prereq yxrrset machine.colorado.edu. in hinfo
> update delete machine.colorado.edu. in HINFO
> 
> This all works fine but the jnl doesn't ever go away after nsupdate  
> runs like this. The jnl will continue to be appended to every night  
> when nsupdate is run again. If we use nsupdate without feeding it a  
> file the jnl will disappear like it's supposed to. Is this a glitch in  
> bind bind-9.5.0-P2?

What about a crontab entry for once a week or once a month that does a
freeze/unfreeze to force the jnl file to get played into the zone files?

Mike


Re: Ever growing jnl files

2009-01-07 Thread Scott Baker
Nicholas F Miller wrote:
> We have a few dynamic zones that are provisioned using Addhost. When
> addhost adds records to the zone every night it will run "nsupdate <
> update.file". The update.file will contain records like these:
> 
> prereq yxrrset machine.colorado.edu. in a
> update delete  machine.colorado.edu. in a
> 
> prereq yxrrset machine.colorado.edu. in hinfo
> update delete machine.colorado.edu. in HINFO
> 
> This all works fine but the jnl doesn't ever go away after nsupdate runs
> like this. The jnl will continue to be appended to every night when
> nsupdate is run again. If we use nsupdate without feeding it a file the
> jnl will disappear like it's supposed to. Is this a glitch in bind
> bind-9.5.0-P2?

How about:

#Do not let the journals get too big
max-journal-size 512k;


Ever growing jnl files

2009-01-07 Thread Nicholas F Miller
We have a few dynamic zones that are provisioned using Addhost. When  
addhost adds records to the zone every night it will run "nsupdate <  
update.file". The update.file will contain records like these:


prereq yxrrset machine.colorado.edu. in a
update delete  machine.colorado.edu. in a

prereq yxrrset machine.colorado.edu. in hinfo
update delete machine.colorado.edu. in HINFO

This all works fine but the jnl doesn't ever go away after nsupdate  
runs like this. The jnl will continue to be appended to every night  
when nsupdate is run again. If we use nsupdate without feeding it a  
file the jnl will disappear like it's supposed to. Is this a glitch in  
bind bind-9.5.0-P2?



Nicholas Miller, ITS, University of Colorado at Boulder

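As an added example (not a script from this thread), a shell driver for the nightly run described above: it builds the nsupdate batch in the same prereq/delete form as update.file, one transaction per host, and then applies the freeze/thaw compaction suggested in the first reply. The host-list format, the `update add` lines after the deletes, and the `NSUPDATE`/`RNDC` overrides are assumptions.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Nightly driver that builds
# the nsupdate batch (same prereq/delete form as update.file) and then forces
# the journal into the zone file with rndc freeze/thaw, as the reply suggests.
# Assumptions: the host-list format below, the "update add" lines that follow
# the deletes, and that rndc/nsupdate are on PATH (override for testing).
NSUPDATE="${NSUPDATE:-nsupdate}"
RNDC="${RNDC:-rndc}"

# build_update_batch ZONE < hostlist
# Host-list lines (constructed format): "<name> <address> <cpu> <os>".
# Each host becomes its own transaction: the blank line is nsupdate's "send",
# so a failing "prereq yxrrset" (record absent) rejects only that transaction
# instead of aborting the whole nightly run.
build_update_batch() {
    zone=$1
    while read -r name addr cpu os; do
        case $name in ''|'#'*) continue ;; esac
        fqdn="$name.$zone."
        printf 'prereq yxrrset %s in a\n' "$fqdn"
        printf 'update delete %s in a\n\n' "$fqdn"
        printf 'prereq yxrrset %s in hinfo\n' "$fqdn"
        printf 'update delete %s in hinfo\n\n' "$fqdn"
        printf 'update add %s 3600 in a %s\n' "$fqdn" "$addr"
        printf 'update add %s 3600 in hinfo "%s" "%s"\n\n' "$fqdn" "$cpu" "$os"
    done
}

# compact_journal ZONE
# "rndc freeze" suspends dynamic updates and writes the zone out; "rndc thaw"
# ("unfreeze" in the reply is the older alias) re-enables them. Run weekly or
# monthly from cron, as the reply suggests, to get the journal played into the zone file.
compact_journal() {
    "$RNDC" freeze "$1" && "$RNDC" thaw "$1"
}

# nightly_run ZONE HOSTFILE : what the cron job would call.
nightly_run() {
    build_update_batch "$1" < "$2" | "$NSUPDATE" || return 1
    compact_journal "$1"
}
```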


Re: Bind9 Kerberos authentication

2009-01-07 Thread Rob Austein
At Wed, 07 Jan 2009 09:51:07 +1000, Da Rock wrote:
> 
> I'm trying to find some more clarification on how to use kerberos for
> dnssec. I thought it may have been possible a while ago, was told there
> was only tsig, then found a reference to it in the Administrators guide.
> 
> I've been trying to find a tutorial or howto (or at least something) on
> google but with no luck at all.
> 
> Anyone here that could help?

You're confusing DNS object security with DNS channel security.

There's a (hideously complex) specification for using Kerberos to
provide DNS channel security ("GSS-TSIG").  There is no mechanism for
using Kerberos to provide DNS object security ("DNSSEC"), nor is there
likely to be.


RE: named’s “/dev/random" error on AIX

2009-01-07 Thread Hajducko, Steven
If your AIX system doesn't have a /dev/random or /dev/urandom, try the 
following -

Get the correct major number from the system (56 in this case)

r...@dimqswlv2:/ ==> # odmget CuDvDr | grep -p random
CuDvDr:
resource = "ddins"
value1 = "random"
value2 = "56"
value3 = ""

r...@dimqswlv2:/ ==> # mknod /dev/random c 56 0
r...@dimqswlv2:/ ==> # mknod /dev/urandom c 56 1

--
sh

> -Original Message-
> From: bind-users-boun...@lists.isc.org 
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Chris Buxton
> Sent: Wednesday, January 07, 2009 9:48 AM
> To: 蚂蚁蚂蚁
> Cc: comp-protocols-dns-b...@isc.org
> Subject: Re: named’s “/dev/random" error on AIX
> 
> On Jan 6, 2009, at 11:11 PM, 蚂蚁蚂蚁 wrote:
> > system info:AIX 5.3
> > bind info : 9.6.0
> >
> > When I start up named, I get several errors about "/dev/random":
> >
> > #./named -g -d 99
> > 07-Jan-2009 14:10:14.716 starting BIND 9.6.0 -g -d 99
> > 07-Jan-2009 14:10:14.716 built with '--prefix=/data/aibind' '--enable-threads' '--with-randomdev=/dev/urandom' '--with-openssl=no' 'CC=xlc' 'CFLAGS=-q64'
> >
> > 07-Jan-2009 14:10:14.751 set maximum stack size to 2147483646: You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
> 
> Not being an AIX user, I can't say for sure, but I notice 
> that named reports that it was built with the random device 
> set to /dev/urandom.  
> Does your system have such a device node?
> 
> Chris Buxton
> Professional Services
> Men & Mice
> 
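As an added example (not the poster's own commands), the same procedure as a reusable shell function: it takes the major number of the `random` driver from the `odmget CuDvDr` output instead of hard-coding 56, and creates only the nodes that are missing. The `ODMGET` override and the stanza-parsing details are assumptions made so the parser can be checked offline.

```shell
#!/bin/sh
# Added example, not from the post. Recreates /dev/random and /dev/urandom on
# AIX from the ODM entry shown in the thread instead of hard-coding major 56.
# Assumption: ODMGET can be pointed at a stub so the parser runs offline.
ODMGET="${ODMGET:-odmget}"

# random_major < odmget-output
# Prints the major number ("value2") of the CuDvDr stanza whose value1 is
# "random", or nothing when no such stanza exists. The stanza header resets
# the state so a value1 from an unrelated driver cannot leak into the match.
random_major() {
    awk -F'"' '
        /^CuDvDr:/                            { v1 = "" }
        /^[ \t]*value1[ \t]*=/                { v1 = $2 }
        /^[ \t]*value2[ \t]*=/ && v1 == "random" { print $2; exit }
    '
}

# ensure_random_devs [DEVDIR]
# Creates DEVDIR/random (minor 0) and DEVDIR/urandom (minor 1) as character
# devices when absent, matching the mknod lines in the post. Must run as root.
ensure_random_devs() {
    dir=${1:-/dev}
    major=$("$ODMGET" CuDvDr | random_major)
    if [ -z "$major" ]; then
        echo "no 'random' driver entry in CuDvDr; cannot create device nodes" >&2
        return 1
    fi
    for pair in random:0 urandom:1; do
        name=${pair%:*}
        minor=${pair#*:}
        if [ ! -c "$dir/$name" ]; then
            mknod "$dir/$name" c "$major" "$minor" || return 1
        fi
    done
}
```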

Re: named’s “/dev/random" error on AIX

2009-01-07 Thread Chris Buxton

On Jan 6, 2009, at 11:11 PM, 蚂蚁蚂蚁 wrote:

> system info:AIX 5.3
> bind info : 9.6.0
>
> When I start up named, I get several errors about "/dev/random":
>
> #./named -g -d 99
> 07-Jan-2009 14:10:14.716 starting BIND 9.6.0 -g -d 99
> 07-Jan-2009 14:10:14.716 built with '--prefix=/data/aibind' '--enable-threads' '--with-randomdev=/dev/urandom' '--with-openssl=no' 'CC=xlc' 'CFLAGS=-q64'
>
> 07-Jan-2009 14:10:14.751 set maximum stack size to 2147483646: You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)


Not being an AIX user, I can't say for sure, but I notice that named  
reports that it was built with the random device set to /dev/urandom.  
Does your system have such a device node?


Chris Buxton
Professional Services
Men & Mice


Special property of default_debug logging channel

2009-01-07 Thread Chris Thompson

To quote from the ARM:

| The default_debug channel has the special property that it only
| produces output when the server's debug level is nonzero. 


Is it possible to define one's own logging channels that behave similarly?
Just specifying "severity dynamic" is not enough: one gets info level
logging after "rndc notrace" rather than no logging at all.

The problem is that one may want something with slightly different
properties than default_debug, e.g. print-category or print-severity
settings, versions, size etc., but still want to keep this "special
property".

--
Chris Thompson
Email: c...@cam.ac.uk


named’s “/dev/random" error on AIX

2009-01-07 Thread 蚂蚁蚂蚁
system info:AIX 5.3
bind info : 9.6.0

When I start up named, I get several errors about "/dev/random":

#./named -g -d 99
07-Jan-2009 14:10:14.716 starting BIND 9.6.0 -g -d 99
07-Jan-2009 14:10:14.716 built with '--prefix=/data/aibind' '--enable-threads' '--with-randomdev=/dev/urandom' '--with-openssl=no' 'CC=xlc' 'CFLAGS=-q64'
07-Jan-2009 14:10:14.716 found 16 CPUs, using 16 worker threads
07-Jan-2009 14:10:14.719 using up to 65534 sockets
07-Jan-2009 14:10:14.750 loading configuration from '/data/aibind/etc/named.conf'
07-Jan-2009 14:10:14.751 set maximum stack size to 2147483646: You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
07-Jan-2009 14:10:14.751 set maximum data size to 2147483647: You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
07-Jan-2009 14:10:14.751 set maximum core size to 2147483647: You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
07-Jan-2009 14:10:14.751 set maximum open files to 2147483647: You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
07-Jan-2009 14:10:14.757 using default UDP/IPv4 port range: [1024, 65535]
07-Jan-2009 14:10:14.764 using default UDP/IPv6 port range: [1024, 65535]





Bind9 Kerberos authentication

2009-01-07 Thread Da Rock
I'm trying to find some more clarification on how to use kerberos for
dnssec. I thought it may have been possible a while ago, was told there
was only tsig, then found a reference to it in the Administrators guide.

I've been trying to find a tutorial or howto (or at least something) on
google but with no luck at all.

Anyone here that could help?



Re: Magic for NSEC3

2009-01-07 Thread B C
On Mon, Jan 5, 2009 at 5:57 PM, Jim  wrote:

> While testing our DNSSEC signing product, I found that the expense of
> signing with NSEC3 versus NSEC was very data dependent. In TLD type
> zones with a sparse number of records that needed to be signed,
> signing time could be reduced from hours to minutes by specifying
> NSEC3. The resultant data files were much smaller than  those signed
> with NSEC.

This is presumably a result of OPT-IN and as more child zones are
signed the effect will be less marked.

Brett