Re: dnssec updated zone data is not live ??
On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy k...@chrysler.com wrote:
> Gregory Machin wrote:
>> Hi
>>
>> Please can you advise. It's been ages since I have configured dnssec. I used
>> nsupdate (with dnssec) to update a zone file with all the hosts' current IPs
>> so that they are reachable via a host name even when the IP has changed (a
>> dyndns.org type of thing). Everything seems to work fine: named accepts the
>> update and writes it to the .jnl file, but when I try to ping the updated
>> host name I get "ping: unknown host greg.za.protetor.net", and this is on
>> the server running named. Yet the logs show
>>
>> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': deleting rrset at 'greg.device.example.net' A
>> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': adding an RR at 'greg.device.example.net' A
>>
>> which is correct from what I remember the last time I did this.
>>
>> My zone configuration, /etc/named.conf:
>>
>> zone device.example.net {
>>     type master;
>>     file /var/named/device.example.net.db;
>>     allow-transfer { any; };
>>     allow-update { key device.example.net; };
>> };
>>
>> Zone file:
>>
>> $ORIGIN .
>> $TTL 3600 ; 1 hour
>> device.example.net IN SOA ns1.example.net. ns2.example.net. (
>>     2009120805 ; serial
>>     900        ; refresh (15 minutes)
>>     600        ; retry (10 minutes)
>>     86400      ; expire (1 day)
>>     3600       ; minimum (1 hour)
>>     )
>>     NS  ns1.example.net.
>>     NS  ns2.example.net.
>>     A   205.234.215.112
>>     MX  0 server.example.net.
>> $ORIGIN device.example.net.
>> $TTL 60 ; 1 minute
>> greg    A   97.xxx.xxx.127
>>
>> Running: BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5
>
> First of all, are you talking about DNSSEC, or just plain Dynamic Update
> (presumably crypto-authenticated if this is going to be a publicly-updateable
> zone)? I don't see any DNSSEC records in the zone file you posted.
>
> Secondly, if you do an AXFR of the zone after the Dynamic Update, does it
> reflect the change?
>
> Thirdly, on the machine which is originating the ping, how is it set up to
> resolve names? Does it only use DNS? Does it only use *itself* for resolving
> DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)?
> If so, have you waited long enough for the entries to expire from that
> intermediate cache?
>
> - Kevin
>
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Hi Kevin

Just plain Dynamic Update with crypto-authenticated keys. If I do a dig on

r...@server [~]# dig @ns1.example.net device.example.net A +tcp

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @ns1.example.net device.example.net A +tcp
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44660
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;device.example.net.            IN      A

;; ANSWER SECTION:
device.example.net.     3600    IN      A       205.xxx.xxx.112

;; AUTHORITY SECTION:
device.example.net.     3600    IN      NS      ns1.example.net.
device.example.net.     3600    IN      NS      ns2.example.net.

;; Query time: 1 msec
;; SERVER: 205.234.215.113#53(205.234.215.113)
;; WHEN: Fri Dec 11 03:30:08 2009
;; MSG SIZE  rcvd: 85

There should be an A record for a host

greg.device.example.net. IN A 97.xxx.xxx.127

Yet if I cat the zone file there is a record

greg    A   97.xxx.xxx.127

I'm doing the ping on the DNS server that is hosting the device.example.net zone.

Thanks for your assistance.
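The dig output in the post asks for device.example.net A (the zone apex), while the dynamically added record, as the zone file and the update log both show, has the owner name greg.device.example.net. The following added example (written for this page; it is not code from the thread or from BIND) parses a zone file the way named reads one, applying $ORIGIN, blank-owner inheritance and the parenthesised SOA, and reports which fully qualified name each record lands on. The sample input is the zone file from the post, copied as posted including its masked octets; rdata is kept as an opaque string so those placeholders still parse.

```python
"""Resolve zone-file owner names the way named does ($ORIGIN, inherited
owners, parenthesised SOA) to see which FQDN each record ends up at.

Added example for this thread; not code from the thread or from BIND.
Standard library only.
"""

# Zone file as posted in the thread, used as sample input. The masked
# octets (xxx) are left exactly as posted; rdata is kept as a plain string.
ZONE_TEXT = """\
$ORIGIN .
$TTL 3600 ; 1 hour
device.example.net IN SOA ns1.example.net. ns2.example.net. (
    2009120805 ; serial
    900        ; refresh (15 minutes)
    600        ; retry (10 minutes)
    86400      ; expire (1 day)
    3600       ; minimum (1 hour)
    )
    NS  ns1.example.net.
    NS  ns2.example.net.
    A   205.234.215.112
    MX  0 server.example.net.
$ORIGIN device.example.net.
$TTL 60 ; 1 minute
greg    A   97.xxx.xxx.127
"""

CLASSES = {"IN", "CH", "HS"}


def absolute(name, origin):
    """Qualify a zone-file owner name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if origin == ".":
        return name + "."
    return name + "." + origin


def logical_lines(text):
    """Strip ';' comments and join physical lines that sit inside '( ... )'."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)        # first element keeps its leading blanks
            buf, depth = [], 0
    if buf:
        raise ValueError("unbalanced parentheses at end of zone file")


def parse_zone(text):
    """Return [(owner_fqdn, ttl, rtype, rdata_string), ...] in file order."""
    origin, default_ttl, last_owner = ".", None, None
    records = []
    for line in logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = absolute(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0].startswith("$"):
            raise ValueError("unsupported directive: " + tokens[0])
        if line[0].isspace():              # blank owner field: inherit last owner
            if last_owner is None:
                raise ValueError("record without owner before any owner name")
            owner = last_owner
        else:
            owner = absolute(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens and tokens[0].isdigit():         # optional per-record TTL
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() in CLASSES:  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((owner, ttl, rtype, " ".join(tokens)))
        last_owner = owner
    return records


def lookup(records, qname, rtype):
    """Rdata strings an authoritative answer for (qname, rtype) would carry."""
    if not qname.endswith("."):
        qname += "."
    return [rd for owner, _, t, rd in records
            if owner.lower() == qname.lower() and t == rtype.upper()]


def owner_names(records):
    """Distinct owner names present in the zone, sorted."""
    return sorted({owner for owner, _, _, _ in records})


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    for name in owner_names(recs):
        print(name, "A ->", lookup(recs, name, "A"))
```

Run stand-alone it lists two owner names, device.example.net. with its apex A record and greg.device.example.net. with the 60-second A record from the second $ORIGIN block, which is why a query for the apex name alone never carries the greg record in its answer section. On a live server the checks Kevin lists remain the way to confirm what named is actually serving: dig @ns1.example.net greg.device.example.net A and dig @ns1.example.net device.example.net AXFR both go straight to the authoritative server and bypass whatever resolver or nscd cache the pinging host uses.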
Windows : compilation options
Hi,

I succeeded in compiling ISC BIND for Windows. I'm now trying to enable fixed
rrset (--enable-fixed-rrset for the configure file). But I didn't find how to
change options for a Windows compilation.

Can anyone help me?

Best regards,
Romain De Rasse
Re: Windows : compilation options
Romain De Rasse wrote:
> Hi,
>
> I succeeded in compiling ISC BIND for Windows. I'm now trying to enable fixed
> rrset (--enable-fixed-rrset for the configure file). But I didn't find how to
> change options for a Windows compilation.
>
> Can anyone help me?

#define DNS_RDATASET_FIXED 1

in config.h

Danny
Best practices or known issues with split-dns
I'm trying to put together a list of best practices for use in my org around
the use of split-dns (implementation, operational, technical, etc.). Obviously,
I'd rather not start from scratch, and since I'd only be basing the doc on my
experience, there may be things I miss as well.

Does anyone have, or know of, a similar doc? Even if I get a bunch of pointers
to several sites with individual items, I don't mind pulling disparate sources
together into a single doc. If I find enough content I could make it generic
enough to post publicly as well for community consumption - maybe through
bind9.net (I'd be open to suggestions on where to post).

Thanks,
Gord T (GCIH, CISSP, GEEK)

___
This e-mail may be privileged and/or confidential, and the sender does not
waive any related rights and obligations. Any distribution, use or copying of
this e-mail or the information it contains by other than an intended recipient
is unauthorized. If you received this e-mail in error, please advise me (by
return e-mail or otherwise) immediately.
RE: Best practices or known issues with split-dns
I should also clarify, before someone states it, that I don't WANT to use
split-dns, and my goal is to always migrate away from it. But there are
instances (acquisitions, routing constraints, etc.) where we are stuck with
split-dns, at least for a short period of time.

Thanks,
Gord T (GCIH, CISSP, GEEK)

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Taylor, Gord
Sent: 2009, December, 11 10:56 AM
To: bind-users@lists.isc.org
Subject: Best practices or known issues with split-dns

I'm trying to put together a list of best practices for use in my org around
the use of split-dns (implementation, operational, technical, etc.). Obviously,
I'd rather not start from scratch, and since I'd only be basing the doc on my
experience, there may be things I miss as well.

Does anyone have, or know of, a similar doc? Even if I get a bunch of pointers
to several sites with individual items, I don't mind pulling disparate sources
together into a single doc. If I find enough content I could make it generic
enough to post publicly as well for community consumption - maybe through
bind9.net (I'd be open to suggestions on where to post).

Thanks,
Gord T (GCIH, CISSP, GEEK)