/dev/random in chroot jail causing errors with nsupdate of dnssec signed zone
So I posted a couple of messages about how my nsupdates were failing intermittently when attempting to update a signed zone.

The only error I get in the log is:

14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': prerequisites are OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: signer update.test.net approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: update 'test.net/IN' approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': update section prescan OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': adding an RR at 'newest4.test.net' A
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': rolling back

The keys are generated with RSASHA1 and use -r /dev/urandom

I run named in a chroot jail, at /var/named

I created /var/named/dev/random with

    mknod -m644 /var/named/dev/random c 1 8

which mimics the major and minor number from the system:

    ls -lL /dev/random
    crw-r--r-- 1 root root 1, 8 May 13 03:27 /dev/random

The nsupdates fail, seemingly randomly. When I delete this /dev/random from the chroot, they work.

So my question is: am I setting up the /dev/random incorrectly? Should I not be creating /dev/random? (The how-tos I have seen all talk about re-creating /dev/null and /dev/random etc.)

Note: I also tried generating the keys not using /dev/urandom, and have the same inconsistent behavior with the chroot /dev/random present.

--
Jack Tavares
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
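An added check for the setup described in the post, not code from the thread or from BIND: it compares the (major, minor) numbers of the node inside the chroot with the host device of the same name, reports a node that is missing, is not a character device, or points at a different device, and can recreate the node the way "mknod -m644 /var/named/dev/random c 1 8" does. The chroot root /var/named and the device name dev/random are defaults taken from the post; the layout of /dev as Linux-style character devices addressed by major/minor numbers is an assumption, and the create step needs root (CAP_MKNOD).

```python
#!/usr/bin/env python3
"""Check that a device node inside a chroot mirrors the host device.

Added example, not from the bind-users thread. Assumes a Linux-style /dev
where character devices are identified by (major, minor). The chroot root
and device name are parameters; /var/named and dev/random are defaults
taken from the post.
"""
import os
import stat


def device_ids(path):
    """Return (major, minor) of the character device at path, or None if it is not one."""
    st = os.stat(path)
    if not stat.S_ISCHR(st.st_mode):
        return None
    return os.major(st.st_rdev), os.minor(st.st_rdev)


def node_status(chroot_root, rel_path="dev/random", host_path=None):
    """Compare <chroot_root>/<rel_path> with the host device of the same name.

    Returns one of: "missing", "not a char device", "mismatch", "ok".
    """
    if host_path is None:
        host_path = "/" + rel_path
    chroot_path = os.path.join(chroot_root, rel_path)
    if not os.path.exists(chroot_path):
        return "missing"
    got = device_ids(chroot_path)
    if got is None:
        return "not a char device"
    want = device_ids(host_path)
    if got != want:
        return "mismatch"
    return "ok"


def create_chroot_node(chroot_root, rel_path="dev/random", host_path=None, mode=0o644):
    """Recreate the host character device inside the chroot (needs root / CAP_MKNOD).

    Equivalent to: mknod -m 644 <chroot_root>/<rel_path> c <major> <minor>
    with <major>/<minor> read from the host device instead of typed by hand.
    """
    if host_path is None:
        host_path = "/" + rel_path
    ids = device_ids(host_path)
    if ids is None:
        raise ValueError(f"{host_path} is not a character device")
    chroot_path = os.path.join(chroot_root, rel_path)
    os.makedirs(os.path.dirname(chroot_path), exist_ok=True)
    os.mknod(chroot_path, stat.S_IFCHR | mode, os.makedev(*ids))
    return chroot_path


if __name__ == "__main__":
    # Report the host device numbers and the state of each node in the jail.
    for name in ("dev/random", "dev/urandom", "dev/null"):
        print(name, device_ids("/" + name), node_status("/var/named", name))
```

The status check is the useful part: a node that ends up as a regular file (a mknod run as a non-root user that fell back to a copy, or a stray touch) reads as "not a char device", and a node copied from a different machine where the numbers differ reads as "mismatch"; both would be invisible to a plain ls -l of the jail.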
RE: /dev/random in chroot jail causing errors with nsupdate of dnssec signed zone
One other thing: when I remove /dev/random from the chroot, bind just uses the pre-chroot /dev/random

14-May-2009 14:09:51.065 could not open entropy source /dev/random: file not found
14-May-2009 14:09:51.065 using pre-chroot entropy source /dev/random

which is groovy. So I guess I don't need the chroot random, but I would still like to know why using the chrooted /dev/random causes this problem.

--
Jack Tavares
AIM: jacktavares
SKYPE: jackandkaddee
Reminder: I am at GMT+2, 10 hours AHEAD of Seattle. My workweek is Sunday-Thursday. Email sent to me Thursday afternoon (PST) may not be viewed until Sunday morning (GMT+2).

From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On Behalf Of Jack Tavares [j.tava...@f5.com]
Sent: Thursday, May 14, 2009 09:50
To: bind-users@lists.isc.org
Subject: /dev/random in chroot jail causing errors with nsupdate of dnssec signed zone

> So I posted a couple of messages about how my nsupdates were failing intermittently when attempting to update a signed zone.
Re: file descriptors and max-clients-per-query
On Thu, 14 May 2009, Philippe Maechler wrote:

> Hello Everybody
>
> I'm running a bind 9.4.2-p2 and a 9.5.1-P1 both on a FreeBSD 6.x box as
> caching servers. let's call them ns1 and ns2 :P
>
> short after we shutdown server one we get error messages on the other
> server - socket: too many open file descriptors

What is the other server? I assume you are getting this error message with the old 9.4.2-P2 (and not on the 9.5.1-P1).

Before answering your other questions, can you please consider running the latest 9.4.x version? Versions newer than yours offer an improved and more efficient socket API on supported systems (like use of kqueue on FreeBSD).

If you continue to have the same problems on BIND 9.4.3 (or BIND 9.5.1-P1) or newer, please let us know.
GSS-TSIG and bind 9.6
HI All

I have been working to get dynamic updates working with bind-9.6 and FreeBSD 7. So far I have done the following:

1. Compiled bind with GSSAPI enabled.

2. Added these to named.conf

options {
    ...
    tkey-gssapi-credential DNS/mydomain.com;
    ...
};

and

zone mydomain.com {
    type master;
    file master/mydomain.com;
    update-policy { grant MYDOMAIN.COM ms-subdomain * A; };
};

zone 1.168.192.in-addr.arpa {
    type master;
    file master/1.168.192.in-addr.arpa;
    update-policy { grant MYDOMAIN.COM ms-subdomain * PTR; };
};

3. Created a user in AD called binddns and set the password to never expire.

4. Used ktpass to create the keytab like this:

C:\ ktpass -out krb5.keytab -princ DNS/binddns.mydomain@mydomain.com -pass * -mapuser bind...@mydomain.com

5. Copied krb5.keytab to /etc

6. At this point I figured I should be done. Reloaded bind but no updates.

I now ran kinit and nsupdate -g from the box:

server server.mydomain.com
zone atlas.local
debug
send

and saw the following:

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2310
;; flags: qr aa ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;atlas.local.                   IN      SOA

;; ANSWER SECTION:
mydomain.com.           3600    IN      SOA     server.mydomain.com. admin.mydomain.com. 715 900 600 86400 3600

;; ADDITIONAL SECTION:
server.mydomain.com.    3600    IN      A       192.168.1.100

Found zone name: mydomain.com
The master is: server.mydomain.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62457
;; flags: ; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;575112106.sig-server.mydomain.com.     ANY     TKEY

;; ADDITIONAL SECTION:
575112106.sig-server.mydomain.com. 0    ANY     TKEY    gss-tsig. 1242311154 1242311154 3 NOERROR 1243 LOTS OF GIBBERISH

dns_request_getresponse: FORMERR

I still am not however seeing the zone files updated or any jnl files. Anything else I could do to troubleshoot this?
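One check worth making for the setup in the post, as an added example (not code from the thread, from BIND, or from the poster): named acquires its GSS acceptor credential for the principal named by tkey-gssapi-credential from the keytab it reads, so that principal has to appear in the keytab. The named.conf fragment and the keytab listing below are constructed from the values in the post; the listing assumes the column layout that klist -k prints (a KVNO column followed by the principal). Run as-is it reports that DNS/mydomain.com matches no entry in a keytab holding DNS/binddns.mydomain@mydomain.com. Whether that is what produces the FORMERR is not something the thread establishes.

```python
#!/usr/bin/env python3
"""Compare named.conf's tkey-gssapi-credential with the principals in a keytab.

Added example, not code from the bind-users thread or from BIND. The
named.conf fragment and the klist -k listing are constructed from the
values in the post; the listing format (KVNO column, then principal) is
an assumption about klist's output.
"""
import re

# Constructed from the post's named.conf (quoted here as BIND expects a string).
NAMED_CONF = """
options {
    tkey-gssapi-credential "DNS/mydomain.com";
};
"""

# Constructed `klist -k /etc/krb5.keytab` output for the keytab built with
# ktpass -princ DNS/binddns.mydomain@mydomain.com in the post.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 DNS/binddns.mydomain@mydomain.com
"""

_CRED_RE = re.compile(r'tkey-gssapi-credential\s+"?([^";\s]+)"?\s*;')


def configured_credential(named_conf):
    """Return the principal named by tkey-gssapi-credential, or None if unset."""
    m = _CRED_RE.search(named_conf)
    return m.group(1) if m else None


def keytab_principals(klist_output):
    """Parse `klist -k` output into a list of principal strings."""
    principals = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(1))
    return principals


def split_principal(principal):
    """'svc/host@REALM' -> ('svc', 'host', 'REALM'); realm may be empty."""
    name, _, realm = principal.partition("@")
    svc, _, host = name.partition("/")
    return svc, host, realm


def credential_matches(cred, principals):
    """Return the keytab principal selected by the configured credential, or None.

    Service and host parts must match exactly; a credential given without a
    realm matches any realm, otherwise realms are compared case-insensitively
    (Windows realms are conventionally upper-case).
    """
    c_svc, c_host, c_realm = split_principal(cred)
    for p in principals:
        p_svc, p_host, p_realm = split_principal(p)
        same_name = (c_svc, c_host) == (p_svc, p_host)
        same_realm = not c_realm or c_realm.lower() == p_realm.lower()
        if same_name and same_realm:
            return p
    return None


def check(named_conf=NAMED_CONF, klist_output=KLIST_OUTPUT):
    """Return (configured credential, matching keytab principal or None, all principals)."""
    cred = configured_credential(named_conf)
    principals = keytab_principals(klist_output)
    match = credential_matches(cred, principals) if cred else None
    return cred, match, principals


if __name__ == "__main__":
    cred, match, principals = check()
    print("configured:", cred)
    print("keytab    :", principals)
    print("match     :", match or "NONE (configured credential is not in the keytab)")
```

On a real host replace KLIST_OUTPUT with the output of klist -k on the keytab named will actually open (the file named has permission to read inside its chroot, if it runs in one), and NAMED_CONF with the live configuration.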
AW: file descriptors and max-clients-per-query
Hello Jeremy

> > I'm running a bind 9.4.2-p2 and a 9.5.1-P1 both on a FreeBSD 6.x box as
> > caching servers. let's call them ns1 and ns2 :P
> >
> > short after we shutdown server one we get error messages on the other
> > server - socket: too many open file descriptors
>
> What is the other server? I assume you are getting this error message
> with the old 9.4.2-P2 (and not on the 9.5.1-P1).

No, I have the messages on both servers. If ns1 goes down, we get the messages on ns2 and vice versa.

> Before answering your other questions, can you please consider running
> the latest 9.4.x version? Versions newer than yours offer an improved
> and more efficient socket API on supported systems (like use of kqueue
> on FreeBSD).

I'll try to upgrade to the latest 9.4 version and let you know if I still get the messages on ns1.

> If you continue to have the same problems on BIND 9.4.3 (or BIND
> 9.5.1-P1) or newer, please let us know.

Philippe
Re: GSS-TSIG and bind 9.6
Any reason you have chosen GSS vs. TSIG? Is this for a windows environment?

On May 14, 2009, at 7:37 AM, Peter Fraser <petros.fra...@gmail.com> wrote:

> HI All
>
> I have been working to get dynamic updates working with bind-9.6 and
> FreeBSD 7. So far I have done the following:
> [...]
> I still am not however seeing the zone files updated or any jnl files.
> Anything else I could do to troubleshoot this?
Re: GSS-TSIG and bind 9.6
Yes it is.

On Thu, May 14, 2009 at 11:36 AM, Doug Barton <do...@dougbarton.us> wrote:

> Any reason you have chosen GSS vs. TSIG? Is this for a windows environment?
>
> On May 14, 2009, at 7:37 AM, Peter Fraser <petros.fra...@gmail.com> wrote:
>
> > HI All
> >
> > I have been working to get dynamic updates working with bind-9.6 and
> > FreeBSD 7. So far I have done the following:
> > [...]
> > I still am not however seeing the zone files updated or any jnl files.
> > Anything else I could do to troubleshoot this?
Re: /dev/random in chroot jail causing errors with nsupdate of dnssec signed zone
In message <4b18a8f75a6384449755bc7784073e93603b776...@exch11.olympus.f5net.com>, Jack Tavares writes:

> One other thing: when I remove /dev/random from the chroot, bind just
> uses the pre-chroot /dev/random
>
> 14-May-2009 14:09:51.065 could not open entropy source /dev/random: file not found
> 14-May-2009 14:09:51.065 using pre-chroot entropy source /dev/random
>
> which is groovy. So I guess I don't need the chroot random, but I would
> still like to know why using the chrooted /dev/random causes this problem.

Some versions of OpenSSL do unconditional RSA blinding and this uses /dev/random. RSA blinding is needed when you are establishing an encrypted connection such as with SSL. It is not needed when generating RRSIGs and we disable it when we can.

I suspect that /dev/random is not returning enough random data and that the RSA blinding operation is failing as a result.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
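To see the failure mode Mark describes as a short read rather than a hang, an added example (not code from the thread or from BIND): it opens the device with O_NONBLOCK and reports whether a request for n bytes came back complete, short, or empty, which is how a starved /dev/random pool presents to a non-blocking reader. That named's entropy code reads the device the same way is an assumption of this example, not something the thread states; on kernels where /dev/random no longer blocks once the pool is initialised the probe will simply report ok.

```python
#!/usr/bin/env python3
"""Probe an entropy device for short or empty non-blocking reads.

Added example, not from the bind-users thread or from BIND. Reads the
device with O_NONBLOCK so that an empty pool shows up as a short read
(or EAGAIN, reported as zero bytes) rather than a hang. Whether named
reads the device the same way is an assumption, not a fact from the
thread.
"""
import os


def read_entropy(path, n, blocking=False):
    """Read up to n bytes from path.

    With blocking=False this returns whatever is available right now
    (possibly b'') and never waits for the pool to refill; with
    blocking=True it loops until n bytes have arrived.
    """
    flags = os.O_RDONLY | (0 if blocking else os.O_NONBLOCK)
    fd = os.open(path, flags)
    try:
        buf = bytearray()
        while len(buf) < n:
            try:
                chunk = os.read(fd, n - len(buf))
            except BlockingIOError:
                # EAGAIN: the pool has nothing for us at the moment.
                break
            if not chunk:
                break
            buf += chunk
        return bytes(buf)
    finally:
        os.close(fd)


def probe(path, n=32):
    """Return ("ok" | "short" | "empty", bytes_read) for a non-blocking request of n bytes."""
    got = read_entropy(path, n)
    if len(got) == n:
        return "ok", len(got)
    return ("empty" if not got else "short"), len(got)


if __name__ == "__main__":
    # /dev/urandom never starves; /dev/random may, depending on the kernel.
    for dev in ("/dev/urandom", "/dev/random"):
        print(dev, probe(dev))
```

Run it inside the jail (chroot /var/named /path/to/python ...) as well as outside: a node that reports "empty" or "short" in the jail while the host device reports "ok" points at the jail's node or its permissions rather than at the kernel pool.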