Re: Format of 'dig -k' TSIG key file?

2009-07-31 Thread Mark Andrews

In message 20090730174054.h23...@gwyn.tux.org, Joseph S D Yao writes:
> I assume someone can answer this; but Google has not been able to be my
> friend on this one.
> 
> In dig(1), the '-k' option is said to require a TSIG key file as an
> option.  I have a TSIG file with a comment header and the following:
> 
> key mynet. { algorithm hmac-md5; secret Ain/tGonnaTellNoWay==; };
> 
> [OK, so I changed the secret! and flattened it to one line.]
> 
> Running
>   dig -k mynet.key axfr example.zone @other.example.zone
> gives me,
>   Couldn't read key from mynet.key: label too long
> ///
> // Hmmm.  The first line of the comment is 71 characters (like this),
> // and it must not like the comment.
> ///
> 
> Removing the comment header gives me,
>   Couldn't read key from mynet.key: unexpected token
> 
> OK.  Maybe 'dig' wants a KEY resource record file that looks like it
> came out of 'dnssec-keygen'.  I changed it to:
>   mynet. IN KEY 512 3 157 Ain/tGonnaTellNoWay==
> and the same command line, on a perfectly readable file, says:
>   Couldn't read key from mynet.key: file not found
> 
> What does work is:
>   dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone @other.example.zone
> but I really, really find this not altogether pleasant.
> 
> Plus, I'm curious to know what 'dig -k' really wants to see.

A keyfile as generated by dnssec-keygen -a HMAC-*.

HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512.

e.g.
% /usr/local/sbin/dnssec-keygen -a HMAC-SHA512 -n host -b 512 foo
Kfoo.+165+63966
% /usr/local/bin/nsupdate -k Kfoo.+165+63966
 quit
% more Kfoo.+165+63966.private
Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: 7f+EK0fXRFuOb71yYWuTSxo8CFyTuDiv09MAxaJ1kz4RPgJpb1sOmoj1DVgld3YO9N6zTGirqMKjnw45M8JZUQ==
Bits: AAA=
Created: 20090731052825
% more Kfoo.+165+63966.key
foo. IN KEY 512 3 165 7f+EK0fXRFuOb71yYWuTSxo8CFyTuDiv09MAxaJ1kz4RPgJpb1sOmoj1DVgld3YO9N6zTGirqMKjnw45M8JZUQ==
%

> Possibly irrelevant, but the real key is 88 characters long (including
> '=' pads).  It was sent me by the owners of the other.example.zone name
> server.

HMAC-SHA512

> Thanks in advance!
> 
> 
> -- 
> /*\
> **
> ** Joe Yao  j...@tux.org - Joseph S. D. Yao
> **
> \*/
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: The Year of the Sevenfold Increase

2009-07-31 Thread Jason Mitchell
Completely off topic, but another solution to our (my?) woes would be people
refraining from using URL shortening/obfuscating services when posting URLs
to public mailing lists.

 

What's really ironic is the shortened/obfuscated URL is the same length as
the original, http://dnscurve.org

 

From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Joe Baptista
Sent: Friday, 31 July 2009 3:41 AM
To: c...@cam.ac.uk
Cc: Bind Users Mailing List
Subject: Re: The Year of the Sevenfold Increase

 

You guys get excited over small potatoes. There are hundreds of millions of
potential DLV RRsets. This is not even a drop in the bucket.

cheers
joe baptista

p.s. this message does not imply i support dnssec deployment. dnscurve is
the solution to our woes http://bit.ly/pJVq4

On Thu, Jul 30, 2009 at 11:37 AM, Chris Thompson c...@cam.ac.uk wrote:

[You'll find a mighty strange web page if you google for that subject,
but I couldn't resist...]

On 30 July 2008, dlv.isc.org had 113 DLV RRsets
On 30 July 2009, dlv.isc.org had 791 DLV RRsets

(and I didn't cheat! it came out exactly 7x)

So, will we see another 7x increase by 30 July 2010, or will the
numbers start dropping as higher-level domains get their signed
delegation procedures going?

Anyway, congratulations and thanks to ISC for providing this service.

-- 
Chris Thompson
Email: c...@cam.ac.uk




-- 
Joe Baptista

www.publicroot.org
PublicRoot Consortium

The future of the Internet is Open, Transparent, Inclusive, Representative 
Accountable to the Internet community @large.

 Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084

Personal: www.joebaptista.wordpress.com


Re: socket.c:4524: unexpected error in BIND 9.4.3 P3

2009-07-31 Thread JINMEI Tatuya / 神明達哉
At Thu, 30 Jul 2009 22:16:47 +0700,
Le Vu lev@gmail.com wrote:

> I have updated BIND from 9.4.2-P2 to 9.4.3-P3 to mitigate the Dynamic Update
> DOS attack. I have noted a lot of errors from socket.c (which I have never
> seen before with v9.4.2)
> 
> Jul 30 06:25:18 DNS1 named[2]: socket.c:4524: unexpected error:
> Jul 30 06:25:18 DNS1 named[2]: 22/Invalid argument
> 
> There are also some of these errors:
> Jul 30 07:26:17 DNS1 named[2]: sockmgr 0xb7f05008: maximum number of FD
> events (64) received
> 
> BIND is compiled with following option on Centos 5.3 (another machine with
> RHEL 4.4 has these error too):
> ./configure --disable-openssl-version-check --with-openssl=no
> 
> What should I do:
> - go back to 9.4.2-P2 and use iptables to filter DNS update packet
> - use another version of BIND
> - ignore the error

If you didn't have a performance problem with 9.4.2-P2, please try
rebuilding 9.4.3-P3 with --disable-epoll as a workaround.

We've heard the problem you saw several times:
https://lists.isc.org/pipermail/bind-users/2009-April/076026.html
https://lists.isc.org/pipermail/bind-users/2009-May/076265.html
but haven't figured out the cause of that.  While it doesn't seem to
be super rare, it doesn't seem to be so common...I myself have never
seen this on my Linux test box, and many other Linux users apparently
don't have this problem either (otherwise we'd have got this report
much more frequently).  If you're willing to help debug this problem
(even if the workaround works), that would be great.

Thanks,

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Correction to signatures on yesterday's BIND 9 releases

2009-07-31 Thread Niall O'Reilly

Evan Hunt wrote:

> reading carefully to the end of the line and notice that the 2006
> Perhaps some people who did
> validate the files were similarly incautious.


Or decided, taking account of the circumstances, not to treat
expired as a synonym for not trustworthy.

/Niall


Re: Format of 'dig -k' TSIG key file?

2009-07-31 Thread Mark Elkins
On Thu, 2009-07-30 at 17:40 -0400, Joseph S D Yao wrote:

> What does work is:
>   dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone @other.example.zone
> but I really, really find this not altogether pleasant.

This gets a bit more funky when you are not using the default
key-algorithm of hmac-md5 - which you probably should not be using any
more...

> Plus, I'm curious to know what 'dig -k' really wants to see.

Uses the original key files.. fine on the machine that they were created
on - but there are always at least two machines involved with any one
key!

I've been thinking about this.
I'd like to see intelligence that allows 'dig' to look inside the
'named.conf' file (following any include statements) for the same key
info that 'named' uses.

Why: The '-y' option is used with zone transfers. That usually means
someone is setting up a secondary and trying to get TSIG to work. They
probably have already set up key stanzas in the config file - so trying
to use those keys would help debugging? They can always fall back to
providing the full tuple of info for the '-y' option.

If only the key-name is specified with the '-y' option, dig should then
know to look for a matching key stanza in the named-config-file.
This would at least avoid the need to have the key-secret on the
command line (along with the correct key-algorithm).

dig -C named-config-file ('c' is already used) - tells dig to look
elsewhere for the config file.

-- 
Mark J Elkins, SCO ACE, Cisco CCIE  -  Posix Systems - Sth Africa
m...@posix.co.za  Tel: +27 12 807 0590  Cell: +27 82 601 0496

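The thread shows the same TSIG secret living in three different containers: the poster's named.conf key stanza, the .key file (a KEY resource record) and the .private file written by dnssec-keygen, and Mark Elkins asks for dig to resolve a bare key name through named.conf. The script below is an added example (not code from the thread, from dig or from BIND) that reads all three forms, validates the base64, reports the key length (88 base64 characters come out as 512 bits, the HMAC-SHA512 size Mark Andrews pointed at) and produces the `[hmac:]name:secret` string that dig's -y option takes; it assumes the dig in use accepts the hmac prefix. Algorithm numbers 157 and 165 are the ones visible above; the other HMAC-SHA numbers are BIND's own assignments. The sample .key/.private contents reuse the throwaway key from Mark Andrews's demo; the named.conf fragment and its 128-bit secret are constructed, and the function names are this example's own.

```python
import base64
import os
import re
from dataclasses import dataclass

# BIND's algorithm numbers for HMAC TSIG keys. 157 and 165 appear in the
# thread; the others are BIND's values for the remaining HMAC-SHA variants.
HMAC_ALG_BY_NUMBER = {
    157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
    163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512",
}


@dataclass(frozen=True)
class TsigKey:
    name: str       # key name as an FQDN, e.g. "foo."
    algorithm: str  # lower-case BIND spelling, e.g. "hmac-sha512"
    secret: str     # base64 text exactly as named.conf and dig -y want it

    @property
    def bits(self) -> int:
        # Strict decoding: a secret with stray characters fails here rather
        # than as a BADSIG on the wire. 88 base64 chars -> 64 bytes -> 512 bits.
        return 8 * len(base64.b64decode(self.secret, validate=True))

    def dig_y_arg(self) -> str:
        # [hmac:]name:secret form of dig -y (assumed accepted by the dig in use).
        return f"{self.algorithm}:{self.name}:{self.secret}"


def _fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def _alg_name(token: str) -> str:
    """Accept '165', '165 (HMAC_SHA512)', 'HMAC_SHA512' or 'hmac-sha512'."""
    m = re.match(r"\s*(\d+)", token)
    if m:
        return HMAC_ALG_BY_NUMBER[int(m.group(1))]
    alg = token.strip().lower().replace("_", "-")
    if alg not in HMAC_ALG_BY_NUMBER.values():
        raise ValueError(f"unsupported TSIG algorithm {token!r}")
    return alg


def parse_keygen_key_file(text: str) -> TsigKey:
    """Kname.+alg+id.key holds 'name IN KEY flags proto alg <base64>'.
    Mail clients wrap the base64, so every token after the sixth is rejoined."""
    tokens = text.split()
    if len(tokens) < 7 or tokens[1].upper() != "IN" or tokens[2].upper() != "KEY":
        raise ValueError("not a KEY resource record")
    return TsigKey(_fqdn(tokens[0]), _alg_name(tokens[5]), "".join(tokens[6:]))


def parse_keygen_private_file(filename: str, text: str) -> TsigKey:
    """Kname.+alg+id.private: the key *name* exists only in the file name."""
    m = re.match(r"K(.+)\+(\d+)\+\d+\.private$", os.path.basename(filename))
    if not m:
        raise ValueError("expected a Kname.+alg+id.private file name")
    fields, last = {}, None
    for line in text.splitlines():
        if ":" in line:
            last, value = line.split(":", 1)
            last = last.strip()
            fields[last] = value.strip()
        elif last and line.strip():
            fields[last] += line.strip()  # continuation of a wrapped value
    if not fields.get("Private-key-format", "").startswith("v1."):
        raise ValueError("unrecognised Private-key-format")
    alg = _alg_name(fields["Algorithm"])
    if alg != HMAC_ALG_BY_NUMBER[int(m.group(2))]:
        raise ValueError("algorithm in file name disagrees with file body")
    return TsigKey(_fqdn(m.group(1)), alg, fields["Key"])


_KEY_STANZA = re.compile(
    r'\bkey\s+"?(?P<name>[^\s"{]+)"?\s*\{'
    r'\s*algorithm\s+"?(?P<alg>[\w-]+)"?\s*;'
    r'\s*secret\s+"?(?P<secret>[^\s";]+)"?\s*;'
    r'\s*\}\s*;', re.S)


def parse_named_conf_keys(text: str) -> dict:
    """Every key { } stanza in a named.conf fragment, keyed by FQDN."""
    # Strip named.conf comments. '//' and '#' only count at line start or
    # after whitespace: a base64 secret may legitimately contain "//".
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(?m)(^|\s)(//|#).*$", r"\1", text)
    keys = {}
    for m in _KEY_STANZA.finditer(text):
        key = TsigKey(_fqdn(m.group("name")), _alg_name(m.group("alg")),
                      m.group("secret"))
        keys[key.name] = key
    return keys


def dig_y_for_name(named_conf: str, key_name: str) -> str:
    """Resolve a bare key name through named.conf, as Mark Elkins proposes."""
    return parse_named_conf_keys(named_conf)[_fqdn(key_name)].dig_y_arg()


# Sample inputs: the throwaway key from Mark Andrews's demo (wrapped at 56
# characters in KEY_FILE, as the mail did) and a constructed named.conf
# fragment with a made-up 128-bit placeholder secret.
DEMO_SECRET = ("7f+EK0fXRFuOb71yYWuTSxo8CFyTuDiv09MAxaJ1kz4RPgJpb1sOmoj1"
               "DVgld3YO9N6zTGirqMKjnw45M8JZUQ==")
KEY_FILE = f"foo. IN KEY 512 3 165 {DEMO_SECRET[:56]}\n{DEMO_SECRET[56:]}\n"
PRIVATE_FILE = f"""Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: {DEMO_SECRET}
Bits: AAA=
Created: 20090731052825
"""
NAMED_CONF = """\
// constructed fragment modelled on the poster's key file
key "mynet." {
    algorithm hmac-md5;
    secret "AAECAwQFBgcICQoLDA0ODw==";  # constructed placeholder, not a real key
};
"""

if __name__ == "__main__":
    k = parse_keygen_private_file("Kfoo.+165+63966.private", PRIVATE_FILE)
    print(k.name, k.algorithm, k.bits, "bits ->", k.dig_y_arg())
    print("dig -y", dig_y_for_name(NAMED_CONF, "mynet"), "axfr example.zone @other.example.zone")
```

Two design points worth noting. The .private file never states the key name, which is why the pair has to keep the Kname.+alg+id names dnssec-keygen chose (Mark's nsupdate -k run above passes exactly that base name). And comment stripping has to be careful: a base64 secret can contain "//", so treating every "//" as a comment start would silently truncate a key, which then fails as a signature mismatch rather than a parse error.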


RHEL backports for dynamic update fix are available

2009-07-31 Thread Jeff Lightner
For those of you using the canned RHEL BIND packages they sent out
errata information for RHEL3, RHEL4 and RHEL5 overnight.   They've
backported the fix into the BIND 9 versions used.

 

As noted in QA here the dynamic update issue affects all BIND 9 but
only 9.4 on were patched by ISC so if you're using for example the RHEL
supplied BIND 9.3 on RHEL5 you need to apply the update from RHN.
 

stats brainteaser

2009-07-31 Thread Todd
I've got a monitoring script in place that does an rndc stats and
parses the output, then graphs it for me nicely.

Yesterday I needed to flush the cache on a number of my servers, and I
saw a big spike in queries recorded by the server in the success
category. The spike was about 40% more than the usual traffic.

So, my mental exercise is this ... does BIND not record a cache hit as
a success?

Assuming my clients are doing say, 1000 queries/second, and all 1000
are cache hits, do they show up as a success?

If that's the case, and the same clients were doing their usual
1000q/s after I cleared the cache, why would I see a spike in the
successes immediately afterwards?

It's unlikely there were actually 40% more queries that came in there,
so I am trying to understand how the stats work.

Hopefully someone can set me straight, I'm a little confused right now.

Thanks!


Re: RHEL backports for dynamic update fix are available

2009-07-31 Thread Ray Van Dolson
On Fri, Jul 31, 2009 at 06:25:50AM -0700, Jeff Lightner wrote:
> For those of you using the canned RHEL BIND packages they sent out
> errata information for RHEL3, RHEL4 and RHEL5 overnight.   They've
> backported the fix into the BIND 9 versions used.
> 
> As noted in QA here the dynamic update issue affects all BIND 9 but
> only 9.4 on were patched by ISC so if you're using for example the RHEL
> supplied BIND 9.3 on RHEL5 you need to apply the update from RHN.
> 

Also, this was kind of buried on Sun's site (ok it was on their
Security blog, but I missed it):

  http://sunsolve.sun.com/search/document.do?assetkey=1-66-264828-1

No official patch yet, but there is an ISR available for Solaris 10
now.

Ray

Re: stats brainteaser

2009-07-31 Thread Rick Dicaire
On Fri, Jul 31, 2009 at 10:58 AM, Todd canada...@gmail.com wrote:
> I've got a monitoring script in place that does an rndc stats and
> parses the output, then graphs it for me nicely.

How is this being monitored?

Are you sure it's not an artifact of your monitoring software?

I see this behaviour in mrtg/rrdtool when monitoring various dns stats.

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


Re: Can't transfer RFC2317 reverse zone

2009-07-31 Thread Steve Brown
> Nope, no such file exists.  I've got bak.* for all my other zones, but
> not that one.

> The filename you use to *save* the zone file as is arbitrary, try
> blah-blah

How do I specify that?


RE: Can't transfer RFC2317 reverse zone

2009-07-31 Thread Ben Bridges
With the file statement in the zone declaration for that zone.

zone "0/27.146.68.12.in-addr.arpa" {
        ...
        file "blah-blah";
        # or file "0.27.146.68.12.in-addr.arpa";  as I believe Mark Andrews suggested
        ...
};

(See also Jeff Lightner's example earlier in this thread.)

> -----Original Message-----
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Steve Brown
> Sent: Friday, July 31, 2009 1:22 PM
> To: bind-users@lists.isc.org
> Subject: Re: Can't transfer RFC2317 reverse zone
> 
> > Nope, no such file exists.  I've got bak.* for all my other zones,
> > but not that one.
> 
> > The filename you use to *save* the zone file as is
> > arbitrary, try blah-blah
> 
> How do I specify that?


Re: Can't transfer RFC2317 reverse zone

2009-07-31 Thread Steve Brown
> With the file statement in the zone declaration for that zone.
> 
> Zone 0/27.146.68.12.in-addr.arpa {
>         ...
>         file blah-blah;
> # or    file 0.27.146.68.12.in-addr.arpa;  as I believe Mark Andrews
> suggested
>         ...
> };
> 
> (See also Jeff Lightner's example earlier in this thread.)

Whoops, sorry missed those.  Thanks!


Re: socket.c:4524: unexpected error in BIND 9.4.3 P3

2009-07-31 Thread Paul E

Le Vu,

lev> BTW, what can I do to help debugging this problem? If it doesn't
lev> involve with programming I will try.

Submit this to ISC by emailing bind9-b...@isc.org.

Thanks!


Re: Format of 'dig -k' TSIG key file?

2009-07-31 Thread Joseph S D Yao
On Fri, Jul 31, 2009 at 03:32:48PM +1000, Mark Andrews wrote:
> In message 20090730174054.h23...@gwyn.tux.org, Joseph S D Yao writes:
...
> > Plus, I'm curious to know what 'dig -k' really wants to see.
> 
> A keyfile as generated by dnssec-keygen -a HMAC-*.
...

Of which there are two - a .key file and a .private file.  But I never
thought of using the .private file format!  Next week ...

> HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512.

Now, I must not have been paying attention - all my written down [or
electronically inscribed] information says that the HMAC-MD5 algorithm
must be used for TSIG.  When did this get opened up?

Thanks!


-- 
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: Format of 'dig -k' TSIG key file?

2009-07-31 Thread Mark Andrews

In message 20090731171804.b23...@gwyn.tux.org, Joseph S D Yao writes:
> On Fri, Jul 31, 2009 at 03:32:48PM +1000, Mark Andrews wrote:
> > In message 20090730174054.h23...@gwyn.tux.org, Joseph S D Yao writes:
> ...
> > > Plus, I'm curious to know what 'dig -k' really wants to see.
> > 
> > A keyfile as generated by dnssec-keygen -a HMAC-*.
> ...
> 
> Of which there are two - a .key file and a .private file.  But I never
> thought of using the .private file format!  Next week ...
> 
> > HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512.
> 
> Now, I must not have been paying attention - all my written down [or
> electronically inscribed] information says that the HMAC-MD5 algorithm
> must be used for TSIG.  When did this get opened up?

Network Working Group                                         D. Eastlake 3rd
Request for Comments: 4635                              Motorola Laboratories
Category: Standards Track                                         August 2006


                     HMAC SHA TSIG Algorithm Identifiers

> Thanks!
> 
> 
> -- 
> /*\
> **
> ** Joe Yao  j...@tux.org - Joseph S. D. Yao
> **
> \*/
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


BIND 9.6.1-P1

2009-07-31 Thread ic.nssip
Does anyone know if there is any Solaris .pkg distribution for BIND 9.6.1-P1?

I'm looking to replace old versions as per:
https://www.isc.org/node/474 

Thank you,
Julian


Re: stats brainteaser

2009-07-31 Thread Hauke Lampe
Todd wrote:

> Yesterday I needed to flush the cache on a number of my servers, and I
> saw a big spike in queries recorded by the server in the success
> category. The spike was about 40% more than the usual traffic.

After a cache flush, the server has to re-fetch glue and nameserver
records from the root up to the target names. This can cause a
noticeable spike on a busy resolver. The statistics count these
internal queries, too.

> So, my mental exercise is this ... does BIND not record a cache hit as
> a success?

It does, AFAIK. If it was a success and not a cached negative response
or other.

> Assuming my clients are doing say, 1000queries/second, and all 1000
> are cache hits, do they show up as a success?

They do, but so do successfully resolved cache misses.

The number of cache hits is approximately
(responses sent) - (queries caused recursion)

Approximately, because the value includes answers from local
authoritative zones, FORMERRs and other responses that did not come from
the cache.



Hauke.




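Todd's monitoring script, Rick's "artifact of your monitoring software" question and Hauke's approximation of cache hits as (responses sent) - (queries caused recursion) all come down to how the rndc stats counters are read. The script below is an added example (not code from the thread or from BIND) that parses the "Name Server Statistics" section of a dump in the BIND 9.5+ layout, turns the cumulative totals into per-interval counts (so a restart of named, which resets the counters, does not show up as a negative or a bogus spike), applies Hauke's formula, and flags an interval whose share of recursive work jumped the way it would right after a cache flush. The four dumps are constructed sample data in that layout, not real output; the counter descriptions are the ones BIND prints, and the function names and thresholds are this example's own.

```python
import re
from dataclasses import dataclass

# Counter descriptions as printed in the "Name Server Statistics" section
# of a BIND 9.5+ dump; Hauke's approximation uses the first and the last.
RESPONSES = "responses sent"
SUCCESS = "queries resulted in successful answer"
RECURSION = "queries caused recursion"

_DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
_COUNTER = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


@dataclass(frozen=True)
class Dump:
    timestamp: int
    counters: dict  # running totals since named started


def parse_stats_dump(text: str) -> Dump:
    """Parse one rndc stats dump (9.5+ layout) into cumulative counters."""
    timestamp, counters, in_ns = None, {}, False
    for line in text.splitlines():
        m = _DUMP_START.match(line)
        if m:
            timestamp = int(m.group(1))
            continue
        if line.startswith("++ "):  # section header
            in_ns = line.strip() == "++ Name Server Statistics ++"
            continue
        m = _COUNTER.match(line)
        if in_ns and m:
            counters[m.group(2)] = int(m.group(1))
    if timestamp is None:
        raise ValueError("no statistics dump header found")
    return Dump(timestamp, counters)


def interval(prev: Dump, cur: Dump) -> dict:
    """Per-interval counts. The dump holds running totals, so graphing raw
    values only ever rises; a total smaller than last time means named
    restarted, and the interval is then credited with the new total."""
    out = {}
    for name, value in cur.counters.items():
        before = prev.counters.get(name, 0)
        out[name] = value if value < before else value - before
    return out


def cache_hit_estimate(delta: dict):
    """Hauke's approximation: hits ~= responses sent - queries that caused
    recursion. Returns (hits, hit ratio)."""
    responses = delta.get(RESPONSES, 0)
    hits = responses - delta.get(RECURSION, 0)
    return hits, (hits / responses if responses else 0.0)


def recursion_spike(prev_delta: dict, cur_delta: dict, factor: float = 3.0) -> bool:
    """True when the share of responses needing recursion jumped by `factor`,
    the mark a cache flush leaves in the counters."""
    def share(d):
        responses = d.get(RESPONSES, 0)
        return d.get(RECURSION, 0) / responses if responses else 0.0
    return share(cur_delta) >= factor * share(prev_delta) > 0


def analyse(dump_texts) -> list:
    """One report row per interval between consecutive dumps."""
    dumps = [parse_stats_dump(t) for t in dump_texts]
    rows, prev_delta = [], None
    for prev, cur in zip(dumps, dumps[1:]):
        d = interval(prev, cur)
        hits, ratio = cache_hit_estimate(d)
        rows.append({
            "seconds": cur.timestamp - prev.timestamp,
            "responses": d.get(RESPONSES, 0),
            "success": d.get(SUCCESS, 0),
            "recursion": d.get(RECURSION, 0),
            "cache_hits": hits,
            "hit_ratio": round(ratio, 3),
            "restarted": any(cur.counters.get(k, 0) < prev.counters.get(k, 0)
                             for k in cur.counters),
            "spike": prev_delta is not None and recursion_spike(prev_delta, d),
        })
        prev_delta = d
    return rows


def _dump(ts, responses, success, recursion):
    """Constructed dump text in the 9.5+ layout (sample data, not real output)."""
    return f"""+++ Statistics Dump +++ ({ts})
++ Incoming Requests ++
{responses:>17} QUERY
++ Name Server Statistics ++
{responses:>17} IPv4 requests received
{responses:>17} responses sent
{success:>17} queries resulted in successful answer
{recursion:>17} queries caused recursion
--- Statistics Dump --- ({ts})
"""


# Four constructed dumps a minute apart: steady state, steady state, the
# minute after a cache flush, and the first minute after a named restart.
SAMPLE_DUMPS = [
    _dump(1249000000, 10000, 8000, 1000),
    _dump(1249000060, 11000, 8800, 1100),
    _dump(1249000120, 12000, 9600, 1700),
    _dump(1249000180, 300, 240, 40),
]

if __name__ == "__main__":
    for row in analyse(SAMPLE_DUMPS):
        print(row)
```

In the sample the "successful answer" counter moves by the same 800 in the steady interval and in the post-flush interval, while "queries caused recursion" jumps from 100 to 600: the client load did not change, the cache simply stopped answering. That is Hauke's point that cache hits and resolved misses both count as successes, and the difference is only visible once the recursion counter is plotted alongside, per interval rather than cumulatively.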

Re: Format of 'dig -k' TSIG key file?

2009-07-31 Thread Joseph S D Yao
On Sat, Aug 01, 2009 at 08:07:16AM +1000, Mark Andrews wrote:
...
> Network Working Group                                         D. Eastlake 3rd
> Request for Comments: 4635                              Motorola Laboratories
> Category: Standards Track                                         August 2006
...


Yah, I guess I need to catch up a wee bit.  Thanks again!


-- 
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


looking for libbind 6.0 prebuild for windows

2009-07-31 Thread dong
Hi All,
I am working on a project that needs libresolv support on Windows, and I tried to
build libbind 6.0 using mingw but failed.
So does anyone know where to find a libbind 6.0 prebuild for Windows? Or give me
some hints on how to build libbind on Windows.


-- 
Best Regards.

-Vincent