Re: check-names vs. acl

2010-02-25 Thread Mark Andrews

In message <20100225123134.gb2...@fantomas.sk>, Matus UHLAR - fantomas writes:
> On 25.02.10 12:01, Matus UHLAR - fantomas wrote:
> > I see that hosts that are not allowed to recurse are often generating
> > check-named errors.
> 
> check-names it is.
> 
> I apparently too often use "named" so I make this kind of mistype.
> 
> > I wonder if it wouldn't be better to check ACL's first and check-names just
> > after it?

It really depends on what's more important for you to see: whether
you got a recursive query that didn't match an acl, or a query that
failed check-names.  Both get REFUSED so the client can't tell the
difference.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Evan Hunt
> > Or, if you think you might accidentally sign your zones or configure
> > trust anchors, you can:
> >
> > dnssec-enable no;
> > dnssec-validation no;
> >
> 
> OK - so if I do the above - will that prevent my recursive server from doing
> DNSSEC if it gets information from a DNSSEC signed zone?

Yes, but "don't configure any trust anchors" gets the job done too.  If
your configuration doesn't say "trusted-keys", "managed-keys", or
"dnssec-lookaside auto;" anywhere, then DNSSEC is not in use.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Paul Wouters

On Thu, 25 Feb 2010, Eugene Crosser wrote:


Right now, as far as I am concerned, the main obstacle to more widespread
adoption on DNSSEC is the lack of procedure to establish trust between your zone
and the TLD. Even if my zone is signed, and it's in .org which is signed too, I
have no (googlable) way to get my DS included into the TLD zone.


Registrars are working on this. It requires them to update EPP etc. I am not sure
if .org already accepts DS records via EPP, but I know others (eg opensrs) have
started taking steps to implement this in their interface to the users.

There are some corner cases that need to be solved, such as what to do when a
domain moves from one DNS zone operator to another. Usually private keys cannot
be handed over, so this might require multiple DS record support, etc.

See further http://dnsseccoalition.org/website/


Of course dlv.isc.org exists, but I think it's publicly perceived as a testbed
rather than a production anchor.


It is production, not a testbed. And useful for anyone who wants to put their DS
into it. The only thing missing there is easy access to a bulk submission 
interface.

Paul


Re: Question about dig command

2010-02-25 Thread Stephane Bortzmeyer
On Thu, Feb 25, 2010 at 10:58:49AM -0500,
 Khuu, Linh   MicroTech  wrote 
 a message of 54 lines which said:

> client ::1#33086: query (cache) 'dnssec12.datamtn.com//IN' denied
> 
> Then I switched to use the “dig” command from 9.4.1-P1 to query the same 
>  record, I got the result nicely.

Possible reason: the recent dig can use IPv6 *transport* (talking to
the server with IPv6, not just asking IPv6 *data*). But may be ::1
(localhost in IPv6) is not authorized by your name server. Check the
ACL, try dig with -4 (or @127.0.0.1), etc.

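Stephane's diagnosis above (the newer dig talks to the server over IPv6, so the query arrives from ::1 rather than 127.0.0.1 and hits an ACL that only lists the IPv4 loopback) and Mark's remark in the check-names thread (ACL denials and check-names failures both come back as REFUSED, so the log is the only place to tell them apart) both come down to reading "query (cache) ... denied" lines against the ACL named is actually evaluating. The script below is an added example, not code from the thread or from ISC: it parses those lines, groups them by client, and evaluates each client against a BIND-style allow-recursion list with first-match and "!" negation semantics. The log lines are constructed (the first one is the line quoted in the thread), the ACL is hypothetical, and the builtin "localhost" is approximated as the two loopback addresses only.

```python
"""Triage BIND 'query (cache) ... denied' log lines against an allow-recursion ACL.

Added example (not from the thread).  Log lines are constructed except the
first, which is the ::1 line quoted in the thread; the ACL is a hypothetical
named.conf allow-recursion list written as Python strings.
"""
import ipaddress
import re

# BIND 9 format: client <addr>#<port>: query (cache) '<name>/<type>/<class>' denied
DENIED_RE = re.compile(
    r"client (?P<addr>[^#\s]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']*)/(?P<qtype>[^/']*)/(?P<qclass>[^']*)' denied"
)

# Constructed sample log (first line as quoted in the thread).
LOG = [
    "client ::1#33086: query (cache) 'dnssec12.datamtn.com//IN' denied",
    "25-Feb-2010 16:02:11.001 security: info: client ::1#33090: query (cache) 'dnssec12.datamtn.com/AAAA/IN' denied",
    "25-Feb-2010 16:02:12.113 security: info: client 192.0.2.77#5300: query (cache) 'www.example.com/A/IN' denied",
    "25-Feb-2010 16:02:12.500 security: info: client 192.0.2.77#5301: query (cache) 'mail.example.com/MX/IN' denied",
    "25-Feb-2010 16:02:13.020 security: info: client 198.51.100.9#40000: query (cache) 'example.org/A/IN' denied",
    "25-Feb-2010 16:02:14.300 security: info: client 192.0.2.20#5302: query (cache) 'example.net/A/IN' denied",
    "25-Feb-2010 16:02:15.000 queries: info: client 192.0.2.10#5303: query: example.com IN A + (192.0.2.1)",
]

# Hypothetical: allow-recursion { !192.0.2.77; 127.0.0.1; 192.0.2.0/24; };
# The negated entry comes first on purpose: BIND ACLs are first-match, so
# "!192.0.2.77" placed after "192.0.2.0/24" would never take effect.
ACL = ["!192.0.2.77", "127.0.0.1", "192.0.2.0/24"]

LOCALHOST = (ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1"))


def parse_denied(line):
    """Return the fields of a 'query (cache) ... denied' line, or None."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    return {
        "addr": m["addr"].split("%")[0],  # drop an IPv6 scope id such as %eth0
        "port": int(m["port"]),
        "qname": m["qname"],
        "qtype": m["qtype"],
        "qclass": m["qclass"],
    }


def acl_allows(acl, addr):
    """Evaluate a BIND-style address ACL: first matching element wins,
    a leading '!' negates that element, and no match at all means deny."""
    ip = ipaddress.ip_address(addr)
    for element in acl:
        negate = element.startswith("!")
        elem = element[1:].strip() if negate else element.strip()
        if elem == "any":
            matched = True
        elif elem == "none":
            matched = False
        elif elem == "localhost":
            # Assumption: loopback only.  BIND's builtin 'localhost' also
            # covers every address configured on the host's interfaces.
            matched = ip in LOCALHOST
        else:
            net = ipaddress.ip_network(elem, strict=False)
            matched = ip.version == net.version and ip in net
        if matched:
            return not negate
    return False


def triage(log_lines, acl):
    """Group denied queries by client and record whether the ACL explains them.

    in_acl=False: the client is outside the ACL (the ::1 vs 127.0.0.1 case).
    in_acl=True: the ACL you believe is in effect is not the one named used,
    e.g. the client landed in another view or allow-query-cache differs."""
    report = {}
    for line in log_lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        entry = report.setdefault(
            rec["addr"], {"count": 0, "names": set(), "in_acl": acl_allows(acl, rec["addr"])}
        )
        entry["count"] += 1
        entry["names"].add(rec["qname"])
    return report


if __name__ == "__main__":
    for client, info in sorted(triage(LOG, ACL).items()):
        verdict = "ACL mismatch elsewhere" if info["in_acl"] else "outside allow-recursion"
        print(f"{client:16} {info['count']:3} denied  {verdict}  {sorted(info['names'])}")
```

Run it as-is to see ::1 reported as outside the ACL while 127.0.0.1 would be allowed; adding "::1" to the list (or, on the client side, dig -4 / @127.0.0.1) clears that class of denials. Feed it your own named log in place of LOG to get per-client counts of the noise Matus describes.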


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Joe Baptista
On Wed, Feb 24, 2010 at 10:23 PM, Alan Clegg  wrote:

> Joe Baptista wrote:
>
> >   dnssec-enable yes;
> > and
> >   dnssec-validation yes;
> >
> > are the defaults since BIND 9.5
> >
> >
> > How do I turn it off.
>
> Since you edited out the most important part of my post, I'll repeat it
> here before I answer your question:
>

Sorry - not my intention. It's just that part of the post did not apply to
me. My question was not related to an authoritative server but a recursive
only server.


>
>Serving signed zones requires signed zone data to serve.
>Validation requires configuration of trust anchors.
>
> To "turn it off",
>
> Don't sign your zones and don't configure trust anchors.
>

Like I said the server is recursive only - no zones served.


>
> Or, if you think you might accidentally sign your zones or configure
> trust anchors, you can:
>
> dnssec-enable no;
> dnssec-validation no;
>

OK - so if I do the above - will that prevent my recursive server from doing
DNSSEC if it gets information from a DNSSEC signed zone?


Thanks for your help here
joe

Question about dig command

2010-02-25 Thread Khuu, Linh MicroTech
Hi,

I have question about “dig” command in IPV6.

I have bind-9.6.1-P3 compiled with ipv6 enable. So far it’s running great. But 
when I use the “dig” command from 9.6.1-P3, I get the following error when 
query  record:

client ::1#33086: query (cache) 'dnssec12.datamtn.com//IN' denied

Then I switched to use the “dig” command from 9.4.1-P1 to query the same  
record, I got the result nicely.

Why did the dig command from 9.6.1-P3 get denied when querying records?

Linh Khuu



check-names vs. acl

2010-02-25 Thread Matus UHLAR - fantomas
On 25.02.10 12:01, Matus UHLAR - fantomas wrote:
> I see that hosts that are not allowed to recurse are often generating
> check-named errors.

check-names it is.

I apparently too often use "named" so I make this kind of mistype.

> I wonder if it wouldn't be better to check ACL's first and check-names just
> after it?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you. 


Re: Cannot use dnssec-settime with old keys

2010-02-25 Thread Stephane Bortzmeyer
On Thu, Feb 25, 2010 at 10:47:58AM +0100,
 Hauke Lampe  wrote 
 a message of 55 lines which said:

> For example, try:
> > dnssec-settime -P+0 -A+0 -f -v 3 Ktoto.fr.+008+42555

OK, it works, thanks.


Re: BIND 9.6.2rc1 make test question

2010-02-25 Thread Stacey Jonathan Marshall

On 02/24/10 20:56, John Center wrote:

Hi Stace,

Sorry, I didn't think this was necessarily a Solaris problem.  I'm running this 
on Solaris 10 (SPARC 64bit), built with Sun Studio 12.1.  Why did it occur on 
OpenSolaris?
  

Hi John,

Interesting, I didn't see the issue on Solaris 10 but then I'm not 
certain if I tested on 64bit - we only compile it 32bit. We have not 
discovered the cause on OpenSolaris as yet; it's logged here as CR 6909705.


Regards,  Stace

Thanks.

-John


From: stacey.marsh...@sun.com [stacey.marsh...@sun.com]
Sent: Wednesday, February 24, 2010 9:01 AM
To: John Center
Cc: bind-users@lists.isc.org
Subject: Re: BIND 9.6.2rc1 make test question

On 02/15/10 20:25, John Center wrote:
  

Hi,

I just built BIND 9.6.2rc1 & make test passes except for the following:

A:the dst module provides the capability to verify data signed with
the RSA and DSA algorithms
I:testing t2_data_1, t2_dsasig, test., 23616, DST_ALG_DSA, ISC_R_SUCCESS
I:testing t2_data_1, t2_rsasig, test., 54622, DST_ALG_RSAMD5,
ISC_R_SUCCESS
I:testing t2_data_1, t2_dsasig, test., 54622, DST_ALG_RSAMD5,
!ISC_R_SUCCESS
I:testing t2_data_2, t2_dsasig, test., 23616, DST_ALG_DSA, !ISC_R_SUCCESS
mem.c:322: INSIST(dl != 0L) failed.
I:the test case caused exception 6
R:UNRESOLVED

What does this mean & where do I look to resolve this issue?

Thanks.

-John



John,

You don't state what you're building on. I too have come across the same
error on OpenSolaris circa snv_117.

Stace
  




Re: Random slow queries

2010-02-25 Thread Stacey Jonathan Marshall

On 02/24/10 18:50, Mike Chesney wrote:

Running Bind 9.6.1-P3

We run authoritative DNS for 60k+ zones.  On one network we have two 
dns servers both running the same hardware on Centos 5.4


We see slow dns responses : example

for i in {1..250}; do dig example.com  @localhost 
| grep "Query time:"; done;
Centos is a time-sharing system, right?  I wonder if your time-share is 
up and you're simply being scheduled off CPU - the network communication 
is an opportunity for the scheduler to do that.
Try adding a sleep and see if your results smooth out - more 0 msec and 
less msec total.


for i in {1..250}; do sleep 0.5; dig example.com  @localhost | grep 
"Query time:"; done;


Sometimes they'll all come back w/ a 0msec response.  But every few 
runs we see:

; Query time: 501 msec
;; Query time: 111 msec
;; Query time: 0 msec
;; Query time: 0 msec
; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 1461 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 441 msec
;; Query time: 0 msec
;; Query time: 0 msec
;; Query time: 0 msec

This is just a snapshot, most other entries are all 0.  This doesn't 
happen on any of our other dns servers.  Load is pretty low on this 
machine, around .3, with 4gb ram.  Named consumes about 15% of memory and 
4% of cpu.  Not sure where to look next. 





  




check-named vs. acl

2010-02-25 Thread Matus UHLAR - fantomas
Hello,

I see that hosts that are not allowed to recurse are often generating
check-named errors.

I wonder if it wouldn't be better to check ACL's first and check-names just
after it?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name. 


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Sam Wilson
In article ,
 Florian Weimer  wrote:

> * Sam Wilson:
> 
> > Has anyone found any uz5* servers out there yet?
> 
> node.pk, dempsky.org has such name servers.  I thought there were
> more.  Has the magic prefix changed?

OK.  I found none in 130 MB of cache from 3 servers.  Clearly the wave 
hasn't broken yet.

Sam


Re: Cannot use dnssec-settime with old keys

2010-02-25 Thread Hauke Lampe
Stephane Bortzmeyer wrote:

> And strace (Debian/Linux box) shows that key files were opened only in
> read-only and no file was opened for writing:
> 
> % strace dnssec-settime -f -v 3 Ktoto.fr.+008+42555 |& grep open
> 
> Did anyone manage to use dnssec-settime -f ? 

Yes. The key file format is upgraded on write operations only.

For example, try:
> dnssec-settime -P+0 -A+0 -f -v 3 Ktoto.fr.+008+42555


Hauke.




Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Florian Weimer
* Sam Wilson:

> Has anyone found any uz5* servers out there yet?

node.pk, dempsky.org has such name servers.  I thought there were
more.  Has the magic prefix changed?

-- 
Florian Weimer
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Florian Weimer
* Eugene Crosser:

> Right now, as far as I am concerned, the main obstacle to more
> widespread adoption on DNSSEC is the lack of procedure to establish
> trust between your zone and the TLD.

There's no standard procedure for NS and glue management, either, and
it still seems to work quite well. 8-)

-- 
Florian Weimer
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Hauke Lampe
Stephane Bortzmeyer wrote:
>  Sam Wilson  wrote 
> 
>> Has anyone found any uz5* servers out there yet?
> 
> Zero for opendns.com, dnscurve.org, etc.

One:

> dempsky.org.  259200  IN  NS  
> uz5p4utwsxu5p3r9xrw0ygddw2hxh7bkhd0vdwtbt92lf058ny1p79.dempsky.org.
> dempsky.org.  259200  IN  NS  ns1.everydns.net.
> dempsky.org.  259200  IN  NS  ns2.everydns.net.
> dempsky.org.  259200  IN  NS  ns3.everydns.net.
> dempsky.org.  259200  IN  NS  ns4.everydns.net.

From what I know about DNSCurve, an average of one in five lookups for
this zone would use encrypted transport.

Anyway, bind-users is probably not the right mailing list for this
topic, unless a more formal protocol description for DNSCurve appears.

There's a similar thread on dnsops, so I suggest everyone interested in
DNSCurve subscribe and participate there:
https://lists.dns-oarc.net/mailman/listinfo/dns-operations



Hauke.



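Several posts in this thread (Sam's question, Florian's and Stephane's counts, and Hauke's dempsky.org NS set with its "one in five" estimate) are doing the same thing by hand: looking for name servers whose first label is a DNSCurve public key, i.e. "uz5" followed by 51 base-32 characters. The following is an added example, not code from the thread or from any DNSCurve implementation: it recognises such labels, decodes the key back to its 32 bytes, re-encodes it, and surveys a set of NS RRsets for the share of name servers that advertise a key. The dempsky.org RRset is the one Hauke quoted; the other RRsets, the decoy label and the bytes-0..31 key are constructed. The alphabet, the 51-character length and the little-endian 5-bits-per-character packing follow the description at dnscurve.org; treat the bit order as an assumption to verify against a real key if you port this.

```python
"""Spot DNSCurve-capable name servers by their 'uz5' key label.

Added example, not from the thread.  The dempsky.org NS set is the one
quoted above; every other record below is constructed.  Assumption: the key
is 255 bits packed little-endian, 5 bits per base-32 character, as described
at dnscurve.org.
"""

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"   # DNSCurve base-32: no a, e, i, o
PREFIX = "uz5"
KEY_CHARS = 51                                    # 51 * 5 = 255 bits
KEY_BYTES = 32


def is_dnscurve_label(label):
    """True for 'uz5' + 51 characters from the DNSCurve alphabet (case-insensitive)."""
    label = label.lower()
    return (len(label) == len(PREFIX) + KEY_CHARS
            and label.startswith(PREFIX)
            and all(c in ALPHABET for c in label[len(PREFIX):]))


def decode_key(label):
    """uz5 label -> 32-byte Curve25519 public key (bit 255 is always clear)."""
    if not is_dnscurve_label(label):
        raise ValueError("not a DNSCurve key label: %r" % label)
    value = 0
    for i, c in enumerate(label.lower()[len(PREFIX):]):
        value |= ALPHABET.index(c) << (5 * i)   # character i carries bits 5i..5i+4
    return value.to_bytes(KEY_BYTES, "little")


def encode_key(key):
    """32-byte public key -> uz5 label.  Rejects keys with bit 255 set."""
    if len(key) != KEY_BYTES:
        raise ValueError("key must be 32 bytes")
    value = int.from_bytes(key, "little")
    if value >> (5 * KEY_CHARS):
        raise ValueError("bit 255 of the key must be zero")
    return PREFIX + "".join(ALPHABET[(value >> (5 * i)) & 31] for i in range(KEY_CHARS))


def survey(ns_rrsets):
    """Per zone: the NS names carrying a key, their decoded keys, the NS count,
    and the share of lookups a resolver choosing an NS uniformly at random
    would send to a DNSCurve server (Hauke's 'one in five' for dempsky.org)."""
    result = {}
    for zone, names in ns_rrsets.items():
        curve = [n for n in names if is_dnscurve_label(n.split(".")[0])]
        result[zone] = {
            "curve_ns": curve,
            "keys": {n: decode_key(n.split(".")[0]).hex() for n in curve},
            "total": len(names),
            "fraction": len(curve) / len(names) if names else 0.0,
        }
    return result


NS_RRSETS = {
    # As quoted in the thread.
    "dempsky.org.": [
        "uz5p4utwsxu5p3r9xrw0ygddw2hxh7bkhd0vdwtbt92lf058ny1p79.dempsky.org.",
        "ns1.everydns.net.", "ns2.everydns.net.", "ns3.everydns.net.", "ns4.everydns.net.",
    ],
    # Constructed: no DNSCurve server.
    "example.net.": ["ns1.example.net.", "ns2.everydns.net."],
    # Constructed decoy: starts with uz5 but is the wrong length and contains vowels.
    "example.org.": ["uz5invalid.example.org.", "ns1.example.org."],
    # Constructed: a label built from the (not real) key bytes 0x00..0x1f.
    "example.com.": [encode_key(bytes(range(32))) + ".example.com.", "ns2.example.com."],
}


if __name__ == "__main__":
    for zone, info in survey(NS_RRSETS).items():
        print(f"{zone:14} {len(info['curve_ns'])}/{info['total']} DNSCurve NS ({info['fraction']:.0%})")
        for name, key in info["keys"].items():
            print("   ", name, "->", key)
```

To reproduce the cache or zone-file scans mentioned in the thread, replace NS_RRSETS with NS names read from your own data; the decoy entry shows why a plain "starts with uz5" grep over-counts.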

Re: Cannot use dnssec-settime with old keys

2010-02-25 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 05:54:01PM +0100,
 Stephane Bortzmeyer  wrote 
 a message of 18 lines which said:

> OK, I upgrade:
> 
> % dnssec-settime  -v 3 -f Ktoto.fr.+008+42555 
> dnssec-settime: toto.fr/RSASHA256/42555
> 
> But it changed nothing, ls -l shows that the file did not change and I
> still get the message "incompatible format version 1.2".

And strace (Debian/Linux box) shows that key files were opened only in
read-only and no file was opened for writing:

% strace dnssec-settime -f -v 3 Ktoto.fr.+008+42555 |& grep open
...
open("./Ktoto.fr.+008+42555.key", O_RDONLY) = 4
open("./Ktoto.fr.+008+42555.private", O_RDONLY) = 4

Did anyone manage to use dnssec-settime -f ? 


Re: Modifying a response

2010-02-25 Thread Niobos
On 2010-02-24 14:09, Peter Andreev wrote:
> 2010/2/24 Alan Clegg <acl...@isc.org>
>
> Peter Andreev wrote:
>
> > > For example: if user asks for non-existent domain, caching
> server
> > > replies with some address and no-error rcode.
> >
> > _Extremely_ bad idea.
> >
> >
> > Yes, I know, but boss is boss and task is task :).
> >
> > Thank you very much for your answer.
>
> You might want to talk to your boss about DNSSEC and how it
> insures that
> "answer modification" is not allowed -- and how it keeps your
> customers
> safe and secure and is a good selling point (see the Comcast
> announcement that was made yesterday).
>
> AlanC
>
> Oh, DNSSEC is another headache. These two tasks don't influence
> each other.
As far as I can tell, they DO: your modified answers will be marked as
BOGUS by DNSSEC and will be thrown away.

Niobos

Re: Update returns FORMERR: ran out of space

2010-02-25 Thread Stephane Bortzmeyer
On Thu, Feb 25, 2010 at 10:02:45AM +1100,
 Mark Andrews  wrote 
 a message of 68 lines which said:

> Try this patch.  It resets the scratch space 'data' used by
> dns_dnssec_sign().

It works fine. Many thanks.

Sending update to ::1#8053
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  20340
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; ZONE SECTION:
;toto.fr.   IN  SOA

;; UPDATE SECTION:
toto.fr.3600IN  DNSKEY  256 3 8 
AwEAAbQuvEyzE/+5giH+QBjynhogDchi4AaB0YPZR79BRLlXLB34pjzw 
ArvI1dwuqaXW1jwvT5nQ1TDMZHH/qZgBU0X5532zxPi+MOj+Ec3EUp0k 
clsEz5kHwATTG5paqueAd/0N/1iW8SVqNARsIRlcrTU+DENv1z8hhTQq FVoiefGf


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  20340
;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0


25-Feb-2010 09:54:17.287 update: debug 8: client ::1#50327: updating zone 
'toto.fr/IN': prerequisites are OK
25-Feb-2010 09:54:17.287 update: debug 8: client ::1#50327: updating zone 
'toto.fr/IN': update section prescan OK
25-Feb-2010 09:54:17.287 update: info: client ::1#50327: updating zone 
'toto.fr/IN': adding an RR at 'toto.fr' DNSKEY
25-Feb-2010 09:54:17.287 update: debug 8: client ::1#50327: updating zone 
'toto.fr/IN': redundant request


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 05:42:06PM +,
 Sam Wilson  wrote 
 a message of 28 lines which said:

> Has anyone found any uz5* servers out there yet?

Zero (0) among the 40301 name servers listed in .FR, for instance (1.6
million domains).

Zero for opendns.com, dnscurve.org, etc.


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Eugene Crosser
Joe Baptista wrote:

> ORG and GOV and quite a lot of the ccTLD's are "DNSSEC compatible", so I
> don't actually think it'd be much of a horserace if compatibility is all
> you're looking for. 
> 
> 
> I agree they are both DNSSEC compatible but .GOV has only deployed
> DNSSEC in 20% of its zones. I'm not sure what the percentage is in .ORG
> - 5% ? less ? is it even 1% of the zones? The make-work project continues.

Right now, as far as I am concerned, the main obstacle to more widespread
adoption on DNSSEC is the lack of procedure to establish trust between your zone
and the TLD. Even if my zone is signed, and it's in .org which is signed too, I
have no (googlable) way to get my DS included into the TLD zone.

Of course dlv.isc.org exists, but I think it's publicly perceived as a testbed
rather than a production anchor.

I'd be happy to be wrong. (And, don't tell me to switch back to Verisign 
registrar.)

Eugene


