DNSSEC Validating Resolver and Views

2010-03-16 Thread John Marshall 
Context: BIND 9.7.0

I have made use of views on a single server for providing
suitable/selective responses to internal, external and guest clients.
This setup has been working for years but is now broken for clients
querying from a guest network (via the guest view) unless the queries
have checking disabled.

- The guest network is not local to the server.
- Internal view and guest view clients are allowed recursion.
- The breakage only relates to queries for internal zones from guest
  clients.
- Queries for internal zones from (local) internal clients are fine.
- In the guest view, queries for most zones are forwarded to the
  server's internal address (internal view) but queries for some
  zones are forwarded to the server's external address (external view)
- The name servers for all of the internal zones live in an internal
  signed zone.  That zone is visible to the guest and internal views
  and its key is listed in trusted-keys{}.
- The zones being queried (below) are unsigned.

Client: 192.168.25.71 is querying the PTR record for its own address.
Server: 172.25.24.16 is querying itself for the DS record for the
parent of the zone which the client is querying (Why?).
There is no DS record in that zone.  Neither the child or
parent zones are signed.

16-Mar-2010 18:15:34.761 query-errors: debug 1: client 172.25.24.16#62578: view 
internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at query.c:4631
16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at 
resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success 
[domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
16-Mar-2010 18:15:34.761 query-errors: debug 1: client 192.168.25.71#43718: 
view guest: query failed (SERVFAIL) for 71.25.168.192.in-addr.arpa/IN/PTR at 
query.c:4631
16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at 
resolver.c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no 
valid DS 
[domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]

Is the problem due to the fact that the name servers live in a signed
zone?  This view configuration has worked for years.  I configured
DNSSEC on the server about 18 months ago.  I guess I've just been lucky?

Again, these queries still work fine with +cd passed to dig, so I'm
obviously missing something with respect to DNSSEC configuration.  I
only just noticed this today (we don't use the guest network much) so I
don't know whether this problem surfaced with 9.7.0 or DNSSEC things
happening higher up.

-- 
John Marshall
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Dealing with "unexpected RCODE (SERVFAIL)"

2010-03-16 Thread Ruben Laban 
Hello list,

In my logs I see numerous line like these:

Mar 16 04:59:13 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
resolving 'hotmeil.com/MX/IN': 10.2.1.3#53
Mar 16 04:59:14 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
resolving 'hotmeil.com/MX/IN': 10.0.1.3#53
Mar 16 04:59:15 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
resolving 'hotmeil.com/MX/IN': 10.1.1.3#53

The hostname that's being tried to resolve obviously has a typo in it, users 
tend to make such mistakes a lot.

In our case mx02 runs it own caching nameserver, which uses our internal 
caching nameservers (10,[012].1.3) as forwarders.

Is there something I can change in the configuration of either (or both) mx02 
or 10.[012].1.3 to prevent "the unexpected"?

Is it safe to ignore these error completely (either in our filters or in 
bind's configuration)? I'm a bit hesitant to do so, since I got the feeling 
that I might miss out on actual problems occuring (other than users not being 
able to spell).

I google'd around several times, but could never find any useful information 
on this subject.
-- 
Regards,

Ruben Laban
Senior Systems and Network Administrator
ISM eCompany
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dealing with "unexpected RCODE (SERVFAIL)"

2010-03-16 Thread Matus UHLAR - fantomas 
On 16.03.10 09:45, Ruben Laban wrote:
> In my logs I see numerous line like these:
> 
> Mar 16 04:59:13 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> resolving 'hotmeil.com/MX/IN': 10.2.1.3#53
> Mar 16 04:59:14 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> resolving 'hotmeil.com/MX/IN': 10.0.1.3#53
> Mar 16 04:59:15 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> resolving 'hotmeil.com/MX/IN': 10.1.1.3#53
> 
> The hostname that's being tried to resolve obviously has a typo in it, users 
> tend to make such mistakes a lot.
> 
> In our case mx02 runs it own caching nameserver, which uses our internal 
> caching nameservers (10,[012].1.3) as forwarders.
> 
> Is there something I can change in the configuration of either (or both) mx02 
> or 10.[012].1.3 to prevent "the unexpected"?

the microsoft's nameservers are providing only A and TXT records for
hotmeil.com. They return ". IN SOA (NOERROR)" for other questions.
This is apparently invalid and causes the SERVFAIL.

seems it's time to blame microsoft.

> Is it safe to ignore these error completely (either in our filters or in 
> bind's configuration)? I'm a bit hesitant to do so, since I got the feeling 
> that I might miss out on actual problems occuring (other than users not being 
> able to spell).

you can ignore it or set up own empty version of hotemil.com. Or, fill bug
in their reporting system.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good. 
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC Validating Resolver and Views

2010-03-16 Thread John Marshall 
On Tue, 16 Mar 2010 08:14:40 + (UTC), John Marshall wrote:
>
> Client: 192.168.25.71 is querying the PTR record for its own address.
> Server: 172.25.24.16 is querying itself for the DS record for the
>   parent of the zone which the client is querying (Why?).
> There is no DS record in that zone.  Neither the child or
> parent zones are signed.
>
> 16-Mar-2010 18:15:34.761 query-errors: debug 1: client 172.25.24.16#62578: 
> view internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at 
> query.c:4631
> 16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at 
> resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success 
> [domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
> 16-Mar-2010 18:15:34.761 query-errors: debug 1: client 192.168.25.71#43718: 
> view guest: query failed (SERVFAIL) for 71.25.168.192.in-addr.arpa/IN/PTR at 
> query.c:4631
> 16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at 
> resolver.c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no 
> valid DS 
> [domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]

I should have checked syslog before posting.  It shows this going on at
the same time...

Mar 16 18:15:33 rwsrv03 named[679]: error (chase DS servers) resolving 
'168.192.in-addr.arpa/DS/IN': 172.25.24.17#53
Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving 
'192.in-addr.arpa/NS/IN': 204.61.216.50#53
Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving 
'192.in-addr.arpa/NS/IN': 192.35.51.32#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving 
'192.in-addr.arpa/NS/IN': 199.212.0.63#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving 
'192.in-addr.arpa/NS/IN': 199.71.0.63#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving 
'192.in-addr.arpa/NS/IN': 192.42.93.32#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving 
'192.in-addr.arpa/NS/IN': 63.243.194.2#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving 
'192.in-addr.arpa/NS/IN': 72.52.71.2#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid DS) resolving 
'71.25.168.192.in-addr.arpa/PTR/IN': 172.25.24.16#53

I don't understand this.  If the client needs an answer from
25.168.192.in-addr.arpa. and we are hosting that zone and its parent
zone (both unsigned, both in our internal view), why are we looking
higher for DS records?

If I grant the guest clients access to the internal view, all is well.
Things seem to go wobbly, unless checking is disabled, when we forward
the guest view queries to the internal view.

-- 
John Marshall
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dealing with "unexpected RCODE (SERVFAIL)"

2010-03-16 Thread Mark Andrews 

In message <20100316090709.gc7...@fantomas.sk>, Matus UHLAR - fantomas writes:
> On 16.03.10 09:45, Ruben Laban wrote:
> > In my logs I see numerous line like these:
> > 
> > Mar 16 04:59:13 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> > resolving 'hotmeil.com/MX/IN': 10.2.1.3#53
> > Mar 16 04:59:14 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> > resolving 'hotmeil.com/MX/IN': 10.0.1.3#53
> > Mar 16 04:59:15 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> > resolving 'hotmeil.com/MX/IN': 10.1.1.3#53
> > 
> > The hostname that's being tried to resolve obviously has a typo in it, user
> s 
> > tend to make such mistakes a lot.
> > 
> > In our case mx02 runs it own caching nameserver, which uses our internal 
> > caching nameservers (10,[012].1.3) as forwarders.
> > 
> > Is there something I can change in the configuration of either (or both) mx
> 02 
> > or 10.[012].1.3 to prevent "the unexpected"?
> 
> the microsoft's nameservers are providing only A and TXT records for
> hotmeil.com. They return ". IN SOA (NOERROR)" for other questions.
> This is apparently invalid and causes the SERVFAIL.
> 
> seems it's time to blame microsoft.

And the lack of a way to register a name in COM without creating a
delegation.  And the lack of a way to say this domain name is not
a valid email domain.

The best thing would be for hotmeil.com to always return NXDOMAIN
and people would correct their spelling errors.  Unfortunately there
is not way to register hotmeil.com without creating a delegation
and you could you have these ISP's that hijack NXDOMAIN and rewrite
it so you get a A record instead of NXDOMAIN.

So Microsoft have to supply a A record but they don't want it to
be used for email so they need to break the MX lookup so MTA's soft
fail and eventually (days later) return the email to the sender.

Mark

> > Is it safe to ignore these error completely (either in our filters or in 
> > bind's configuration)? I'm a bit hesitant to do so, since I got the feeling
>  
> > that I might miss out on actual problems occuring (other than users not bei
> ng 
> > able to spell).
> 
> you can ignore it or set up own empty version of hotemil.com. Or, fill bug
> in their reporting system.
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I intend to live forever - so far so good. 
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dealing with "unexpected RCODE (SERVFAIL)"

2010-03-16 Thread Matus UHLAR - fantomas 
> > On 16.03.10 09:45, Ruben Laban wrote:
> > > In my logs I see numerous line like these:
> > > 
> > > Mar 16 04:59:13 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> > > resolving 'hotmeil.com/MX/IN': 10.2.1.3#53
> > > Mar 16 04:59:14 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> > > resolving 'hotmeil.com/MX/IN': 10.0.1.3#53
> > > Mar 16 04:59:15 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> > > resolving 'hotmeil.com/MX/IN': 10.1.1.3#53

> In message <20100316090709.gc7...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > the microsoft's nameservers are providing only A and TXT records for
> > hotmeil.com. They return ". IN SOA (NOERROR)" for other questions.
> > This is apparently invalid and causes the SERVFAIL.
> > 
> > seems it's time to blame microsoft.

On 16.03.10 23:43, Mark Andrews wrote:
> And the lack of a way to register a name in COM without creating a
> delegation.  And the lack of a way to say this domain name is not
> a valid email domain.

It's apparently because DNS was designed to provide records that exist, not
those that do not.

> The best thing would be for hotmeil.com to always return NXDOMAIN
> and people would correct their spelling errors.  Unfortunately there
> is not way to register hotmeil.com without creating a delegation
> and you could you have these ISP's that hijack NXDOMAIN and rewrite
> it so you get a A record instead of NXDOMAIN.

> So Microsoft have to supply a A record but they don't want it to
> be used for email so they need to break the MX lookup so MTA's soft
> fail and eventually (days later) return the email to the sender.

You can also register a domain and not provide any records for it (except
SOA and NS), which would be best in current situation imho.

However Microsoft decided to provide A records for hotmeil.com (and
www.hotmeil.com too), so they don't want people to fix their typos, but are
doing it themselves instead.

Yes, there could be way to define a domain that has A record but does not
provide mail service. Unluckily, in case of MX nonexistance the A is used
(as implicit zero-priority MX).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

DNSSEC HW Support

2010-03-16 Thread prock...@yahoo.com 
I'd like to get your feedback on the following thoughts regarding DNSSEC HW 
support.

Any layer 2 or 3 devices forwarding frames or packets should not be affected by 
the implementation of DNSSEC regardless of the type of protocol (TCP/UDP) or 
the query size (large or small).

Layer 4 devices (smart switches) should not be affected by the implementation 
of DNSSEC using the same logic.

My thoughts are these products simply forward data based on an frame, IP 
address, or protocol and should not be affected by the implementation of 
DNSSEC.  Would you agree?

Thanks in advance.


  
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC HW Support

2010-03-16 Thread Gary Wallis 

I'd like to get your feedback on the following thoughts regarding DNSSEC HW 
support.

Any layer 2 or 3 devices forwarding frames or packets should not be affected by 
the implementation of DNSSEC regardless of the type of protocol (TCP/UDP) or 
the query size (large or small).

Layer 4 devices (smart switches) should not be affected by the implementation 
of DNSSEC using the same logic.

My thoughts are these products simply forward data based on an frame, IP 
address, or protocol and should not be affected by the implementation of 
DNSSEC.  Would you agree?

Thanks in advance.



I think you are basically correct except for one very important caveat:

DNS BGP anycasting (in wide spread use by many large operations,) where 
you might need to sign zones on the fly with special crypto hardware.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC HW Support

2010-03-16 Thread prock...@yahoo.com 
> > I'd like to get your feedback on
> the following thoughts regarding DNSSEC HW support.
> > 
> > Any layer 2 or 3 devices forwarding frames or packets
> should not be affected by the implementation of DNSSEC
> regardless of the type of protocol (TCP/UDP) or the query
> size (large or small).
> > 
> > Layer 4 devices (smart switches) should not be
> affected by the implementation of DNSSEC using the same
> logic.
> > 
> > My thoughts are these products simply forward data
> based on an frame, IP address, or protocol and should not be
> affected by the implementation of DNSSEC.  Would you
> agree?
> > 
> > Thanks in advance.
> > 
> 
> I think you are basically correct except for one very
> important caveat:
> 
> DNS BGP anycasting (in wide spread use by many large
> operations,) where you might need to sign zones on the fly
> with special crypto hardware.

So if I'm testing a router for DNSSEC compliance, you'd recommend I run a test 
using RIP or OSPF, then a separate test for BGP.  Is that correct?

I'm trying to figure out how many tests I need to run for an individual product 
(layer 2, 3, 4, and 7) before I can say it is completely DNSSEC compliant.


  
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC HW Support

2010-03-16 Thread Niobos 
On 2010-03-16 15:57, prock...@yahoo.com wrote:
> I'm trying to figure out how many tests I need to run for an
> individual product (layer 2, 3, 4, and 7) before I can say it is
> completely DNSSEC compliant.
By definition, any layer 2, 3 and 4 product is DNSSEC-agnostic: DNS with
or without SEC-extension is considered payload. If a L2,3 or 4 devices
does work with DNS and doesn't work with DNSSEC, it's broken and needs
replacement. For completeness: switches and routers are layer 2 and 3
respectively.

Layer 7 devices might be affected, since they may preform extensive
checking on the DNS-content itself.

To answer your question: 0 tests for layer 2, 3 and 4. To be "completely
compliant", you'd need to run an infinite number of tests for layer 7
devices. I'd test the different algorithms, including some very recent
(RSASHA512) and different security statuses (bogus, insecure, secure).

Niobos
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-16 Thread Sam Wilson 
In article ,
 Gary Wallis  wrote:

> Let's say I have this setup :
> 
> BIND 9.4 named.conf includes a master.zones file with the following:
> 
> ...
>  zone "ns1.yourdomain.com" {
>  type master;
>  file "master/external/n/ns1.yourdomain.com.signed";
>  };
> 
>  zone "ns2.yourdomain.com" {
>  type master;
>  file "master/external/n/ns2.yourdomain.com.signed";
>  };
> 
>  zone "yourdomain.com" {
>  type master;
>  file "master/external/y/yourdomain.com.signed";
>  };
> ...
> 
> More background for question below:
> 
> The yourdomain.com is I gather the zone APEX for all featured zones 
> above. (Is this the correct use of the term APEX?)

"Parent", as Mark has already pointed out.

> I am learning via trial and error about transitioning from DNS to DNSSEC 
> and we have these child zones (is ns1.yourdomain.com really a child 
> zone, as regards the setup above?) that currently have precedence over 
> the parent zone yourdomain.com for conflicting A records. For example:
> 
> If
> 
> ns1 A 123.123.123.123
> 
> is placed in yourdomain.com zone.

Some nitpicking - I'm not a DNSSEC expert and I'm not commenting on that 
part of your question.  Including this record would normally be an 
error.  ns1.yourdomain.com is delegated into its own zone and the A 
record should be in that zone, not in the parent zone.[1]

> And a similar RR is placed in ns1.yourdomain.com zone, like:
> 
> ns1 IN A 10.0.0.1

If you place ns1 in the zone ns1.yourdomain.com then the name will be 
ns1.ns1.yourdomain.com.  If you force the name to be ns1.yourdomain.com 
[2] then that A record should override the one in the parent zone (see 
[1] again).

> And named reloaded.
> 
> dig @localhost ns1.yourdomain.com A +short
> 
> will return 10.0.0.1, the parent A RR is ignored.

Correct - see above

Can't answer your DNSSEC queries, but I'm not sure if they're relevant 
if you correct the above.

Sam


[1] UNLESS ns1.yourdomain.com is also the name of one of the nameservers 
for a child zone in which case that record would be a glue record which 
would be valid in the parent zone.  It would normally be superseded by 
the corresponding A record in the child zone which is regarded as a more 
trustworthy source of data. There are various ways by which a server for 
the parent zone can learn the correct data from the child zone.

[2] You can do that by using the @ sign in the LHS of the A RR, or by 
using a fully qualified name (inflexible), or by using the $ORIGIN 
directive,  or by leaving the name blank at the head of the zone 
(slightly risky).  Of these @ is the one mostly recommended.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Problem resolving domains with valid GLUE records but misconfigured NS records

2010-03-16 Thread Gilbert Cassar 

Hi,

We have a recurring problem with recursive domain resolution using a 
bind 9.6 caching server.  An example of such a zone is ecb.eu. The 
problem seems due to a misconfiguration on their side where all the 
(supposedly authorative) NS records listed in their zone file do not 
answer requests to resolve ecb.eu hosts. This prevents us from resolving 
anything under the domain after that the NS records are cached (the 
first query goes through as the GLUE record seems to work). The 
interesting thing is that it works fine if we try to resolve the domain 
using either Windows DNS or using Google open DNS service.


Since a number of sites seem to have this type of problems we would like 
to be able to resolve them as well. Any idea of how can we configure to 
be able to circumvent this problem?


Please find below some digs I did to diagnose the problem.

Regards and Thanks
Gilbert
University of Malta


Asking the EU servers
r...@wenzu:~/bind-9.7.0# dig ns ecb.eu @a.nic.eu
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58355
;; AUTHORITY SECTION:
ecb.eu.86400INNSns1.ecb.int.

Checking for the NS records ...
r...@wenzu:~/bind-9.7.0# dig ns ecb.eu @ns1.ecb.int.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3891
;; ANSWER SECTION:
ecb.eu.86400INNSns1.de.colt.net.
ecb.eu.86400INNSns0.de.colt.net.
ecb.eu.86400INNSauth02.ns.de.uu.net.
ecb.eu.86400INNSauth52.ns.de.uu.net.

Asking their NS Servers:
r...@wenzu:~/bind-9.7.0# dig ns ecb.eu @auth02.ns.de.uu.net
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27397




___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-16 Thread Gary Wallis 

Sam Wilson wrote:

In article ,
 Gary Wallis  wrote:


Let's say I have this setup :

BIND 9.4 named.conf includes a master.zones file with the following:

...
 zone "ns1.yourdomain.com" {
 type master;
 file "master/external/n/ns1.yourdomain.com.signed";
 };

 zone "ns2.yourdomain.com" {
 type master;
 file "master/external/n/ns2.yourdomain.com.signed";
 };

 zone "yourdomain.com" {
 type master;
 file "master/external/y/yourdomain.com.signed";
 };
...

More background for question below:

The yourdomain.com is I gather the zone APEX for all featured zones 
above. (Is this the correct use of the term APEX?)


"Parent", as Mark has already pointed out.


Got that :)

I would be nice to know what a zone apex is since what I have found on 
the web so far is pretty self-referential.




I am learning via trial and error about transitioning from DNS to DNSSEC 
and we have these child zones (is ns1.yourdomain.com really a child 
zone, as regards the setup above?) that currently have precedence over 
the parent zone yourdomain.com for conflicting A records. For example:


If

ns1 A 123.123.123.123

is placed in yourdomain.com zone.


Some nitpicking - I'm not a DNSSEC expert and I'm not commenting on that 
part of your question.  Including this record would normally be an 
error.  ns1.yourdomain.com is delegated into its own zone and the A 
record should be in that zone, not in the parent zone.[1]





And a similar RR is placed in ns1.yourdomain.com zone, like:

ns1 IN A 10.0.0.1


If you place ns1 in the zone ns1.yourdomain.com then the name will be 
ns1.ns1.yourdomain.com.  If you force the name to be ns1.yourdomain.com 
[2] then that A record should override the one in the parent zone (see 
[1] again).



Good job! You spotted my error/typo the test setup actually is:

...
@ IN A 10.0.0.1
...

for ns1.yourdomain.com zone file




And named reloaded.

dig @localhost ns1.yourdomain.com A +short

will return 10.0.0.1, the parent A RR is ignored.


Correct - see above

Can't answer your DNSSEC queries, but I'm not sure if they're relevant 
if you correct the above.


Regarding my main question:

How to delegate signing authority from parent yourdomain.com to child 
ns1.yourdomain.com.



In this case in the same BIND configuration (same named daemon) as shown 
above in the named.conf frag.


I also need to know if the initial zone signing has to be changed, i.e. 
sign the parent and child zones differently etc.


It seems that I need to provide the child DS record from 
dsset-ns1.yourdomain.com that was generated by dnssec-signzone when I 
signed the child.


dsset-ns1.yourdomain.com contents:

ns1.yourdomain.com. IN DS 181 5 1 
FD110AAAFAC8101DD8EC946FD5B62FDC9B012EA1


That would go in the yourdomain.com parent db file. But I imagine some 
other steps are needed and I'm not sure what they are.


I am reading about DS records now. But if anyone has a short how-to (or 
listing of bash commands) for this simple case that would be great.


I still have to setup a DNSSEC resolver to be able to test my "test" 
auth DNS server. And will provide results and a how-to if I manage to 
get this "internal" DNSSEC parent-child delegation working on my own.




Sam


[1] UNLESS ns1.yourdomain.com is also the name of one of the nameservers 
for a child zone in which case that record would be a glue record which 
would be valid in the parent zone.  It would normally be superseded by 
the corresponding A record in the child zone which is regarded as a more 
trustworthy source of data. There are various ways by which a server for 
the parent zone can learn the correct data from the child zone.


This is what I know from experience but have never seen written 
anywhere. Thx!




[2] You can do that by using the @ sign in the LHS of the A RR, or by 
using a fully qualified name (inflexible), or by using the $ORIGIN 
directive,  or by leaving the name blank at the head of the zone 
(slightly risky).  Of these @ is the one mostly recommended.


Good. We started using @ several year ago but did not know about all 
these details and differences you mention.



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Thanks all!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-16 Thread Barry Margolin 
In article ,
 Gary Wallis  wrote:

> I would be nice to know what a zone apex is since what I have found on 
> the web so far is pretty self-referential.

The resource record set for the zone name itself (e.g. SOA and NS) is 
the apex.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-16 Thread Sam Wilson 
In article ,
 Gary Wallis  wrote:

> Sam Wilson wrote:
> > In article ,
> >  Gary Wallis  wrote:
> > 
> >> Let's say I have this setup :
> >>
> >> BIND 9.4 named.conf includes a master.zones file with the following:
> >>
> >> ...
> >>  zone "ns1.yourdomain.com" {
> >>  type master;
> >>  file "master/external/n/ns1.yourdomain.com.signed";
> >>  };
> >>
> >>  zone "ns2.yourdomain.com" {
> >>  type master;
> >>  file "master/external/n/ns2.yourdomain.com.signed";
> >>  };
> >>
> >>  zone "yourdomain.com" {
> >>  type master;
> >>  file "master/external/y/yourdomain.com.signed";
> >>  };
> >> ...
> >>
> >> More background for question below:
> >>
> >> The yourdomain.com is I gather the zone APEX for all featured zones 
> >> above. (Is this the correct use of the term APEX?)
> > 
> > "Parent", as Mark has already pointed out.
> 
> Got that :)
> 
> I would be nice to know what a zone apex is since what I have found on 
> the web so far is pretty self-referential.

The zone apex is the name of the zone.  It will always have SOA and NS 
records at that point and in DNS Classic[tm] may, but need not, have 
other records as well (MX and A are common).  DNSSEC brings other RRs to 
the party at the apex.

Sam
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-16 Thread Alan Clegg 
Gary Wallis wrote:

[other stuff snipped out]

> Regarding my main question:
> 
> How to delegate signing authority from parent yourdomain.com to child
> ns1.yourdomain.com.

Insert the DS records from the child into the parent and re-sign the parent.

> I still have to setup a DNSSEC resolver to be able to test my "test"
> auth DNS server. And will provide results and a how-to if I manage to
> get this "internal" DNSSEC parent-child delegation working on my own.

http://www.isc.org/files/DNSSEC_in_6_minutes.pdf

AlanC



signature.asc
Description: OpenPGP digital signature
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

CIDR in-addr.arpa problem

2010-03-16 Thread Lister 

Hello all,

I have a problem with a CIDR IN-ADDR.ARPA delegation of a /28 netblock.
Domain names and IP numbers have been edited for privacy purposes.

I've had my local ISP make me a CIDR in-addr.arpa delegation for the block
192.168.33.112/28 to my name servers:
   ns1.mydomain.dom
   ns2.mydomain.dom

on my BIND-9.6.0-P1 I did the following:

in named.conf:
--
zone "112/28.33.168.192.in-addr.arpa" {
  type master;
  file "master/112-28.33.168.192.rev";
  allow-query { any; };
  allow-transfer { affilates; };//irrelevant to the topic in question
  notify yes;
};

in master/112-28.33.168.192.rev:

$ORIGIN 112/28.33.168.192.in-addr.arpa.
$TTL 3600   ; 1 hour
@ IN SOA  ns1.mydomain.dom. hostmaster.mydomain.dom. (
   2010031600 ; serial
   15m; refresh
   10m; retry
   1d ; expire
   60 ; -ve cache ttl
   )
$TTL 1d
@  NS ns1.mydomain.dom.
@  NS ns2.mydomain.dom.
$TTL 30
113  PTR host1.mydomain.dom.
114  PTR host2.mydomain.dom.
;.
;.
126  PTRhostN.mydomain.dom.

To the best on my knowledge, the above config is correct. However BIND responds 
to PTR queries authoritatively with NXDOMAIN, and, AFTER FORWARDING. It gives 
the same query respone for anything in the /24 (class C) network, not only my 
/28.
Naturally, it should NOT forward; and if it does, it should NOT respond 
authoritatively.

Using a '-' instead of '/' in the config files made no difference.
I tried this on BIND-9.6.0-P1 on FreeBSD-7.1 and BIND-9.4.3-P3 on CentOS 5.3 
with the same results.

BIND 9.6 was built in a standard way as FreeBSD port. This is how it was as 
obtained from syslog:
built with '--localstatedir=/var' '--disable-linux-caps' 
'--with-randomdev=/dev/random' '--with-openssl=/usr' 
'--with-libxml2=/usr/local' '--without-idn' '--enable-threads' 
'--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd7.1' 
'build_alias=x86_64-portbld-freebsd7.1' 'CC=cc' 'CFLAGS=-O2 
-fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/lib:/usr/local/lib' 'CXX=c++' 
'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'


Please tell me if I did something wrong or it's a BIND problem and if so, if 
there's a workaround.

Kind regards,
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-16 Thread Gary Wallis 

Alan Clegg wrote:

Gary Wallis wrote:

[other stuff snipped out]


Regarding my main question:

How to delegate signing authority from parent yourdomain.com to child
ns1.yourdomain.com.


Insert the DS records from the child into the parent and re-sign the parent.


I still have to setup a DNSSEC resolver to be able to test my "test"
auth DNS server. And will provide results and a how-to if I manage to
get this "internal" DNSSEC parent-child delegation working on my own.


http://www.isc.org/files/DNSSEC_in_6_minutes.pdf

AlanC


Test system working. Many thanks to everybody.

Cheers!
Gary
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC HW Support

2010-03-16 Thread Warren Kumari 


On Mar 16, 2010, at 11:39 AM, Niobos wrote:


On 2010-03-16 15:57, prock...@yahoo.com wrote:

I'm trying to figure out how many tests I need to run for an
individual product (layer 2, 3, 4, and 7) before I can say it is
completely DNSSEC compliant.

By definition, any layer 2, 3 and 4 product is DNSSEC-agnostic:


Well, yes, kinda.

Unfortunately there are a large number of things like firewalls and  
consumer CPE that folks think of as layer 3/4 devices, but that do  
silly things like assume DNS is only UDP, or max out at 512 bytes or  
force DNS proxy mode.


While we could argue for hours abut whether they are really only l3/l4  
devices, it wouldn't change the fact that folks think of them as  
"routers".


ICANN SSAC / CORE released a report a while back: http://www.icann.org/en/committees/security/sac035.pdf 
 and I know that I have seen a bunch of other more recent tests.


W


DNS with
or without SEC-extension is considered payload. If a L2,3 or 4 devices
does work with DNS and doesn't work with DNSSEC, it's broken and needs
replacement. For completeness: switches and routers are layer 2 and 3
respectively.

Layer 7 devices might be affected, since they may preform extensive
checking on the DNS-content itself.

To answer your question: 0 tests for layer 2, 3 and 4. To be  
"completely

compliant", you'd need to run an infinite number of tests for layer 7
devices. I'd test the different algorithms, including some very recent
(RSASHA512) and different security statuses (bogus, insecure, secure).

Niobos
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


--
"Beware that the most effective way for someone to decrypt your data  
may be with rubber hose." --- SSH 1.2.12 README



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: CIDR in-addr.arpa problem

2010-03-16 Thread Kevin Darcy 
What do the CNAMEs look like in 33.168.192.in-addr.arpa, or, if that's 
not a delegated zone, the closest-enclosing zone of that?



- Kevin


On 3/16/2010 3:19 PM, Lister wrote:

Hello all,

I have a problem with a CIDR IN-ADDR.ARPA delegation of a /28 netblock.
Domain names and IP numbers have been edited for privacy purposes.

I've had my local ISP make me a CIDR in-addr.arpa delegation for the 
block

192.168.33.112/28 to my name servers:
   ns1.mydomain.dom
   ns2.mydomain.dom

on my BIND-9.6.0-P1 I did the following:

in named.conf:
--
zone "112/28.33.168.192.in-addr.arpa" {
  type master;
  file "master/112-28.33.168.192.rev";
  allow-query { any; };
  allow-transfer { affilates; };//irrelevant to the topic in 
question

  notify yes;
};

in master/112-28.33.168.192.rev:

$ORIGIN 112/28.33.168.192.in-addr.arpa.
$TTL 3600   ; 1 hour
@ IN SOA  ns1.mydomain.dom. hostmaster.mydomain.dom. (
   2010031600 ; serial
   15m; refresh
   10m; retry
   1d ; expire
   60 ; -ve cache ttl
   )
$TTL 1d
@  NS ns1.mydomain.dom.
@  NS ns2.mydomain.dom.
$TTL 30
113  PTR host1.mydomain.dom.
114  PTR host2.mydomain.dom.
;.
;.
126  PTRhostN.mydomain.dom.

To the best on my knowledge, the above config is correct. However BIND 
responds to PTR queries authoritatively with NXDOMAIN, and, AFTER 
FORWARDING. It gives the same query respone for anything in the /24 
(class C) network, not only my /28.
Naturally, it should NOT forward; and if it does, it should NOT 
respond authoritatively.


Using a '-' instead of '/' in the config files made no difference.
I tried this on BIND-9.6.0-P1 on FreeBSD-7.1 and BIND-9.4.3-P3 on 
CentOS 5.3 with the same results.


BIND 9.6 was built in a standard way as FreeBSD port. This is how it 
was as obtained from syslog:
built with '--localstatedir=/var' '--disable-linux-caps' 
'--with-randomdev=/dev/random' '--with-openssl=/usr' 
'--with-libxml2=/usr/local' '--without-idn' '--enable-threads' 
'--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd7.1' 
'build_alias=x86_64-portbld-freebsd7.1' 'CC=cc' 'CFLAGS=-O2 
-fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/lib:/usr/local/lib' 
'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'



Please tell me if I did something wrong or it's a BIND problem and if 
so, if there's a workaround.


Kind regards,
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC Validating Resolver and Views

2010-03-16 Thread Mark Andrews 

In message , John Marshall 
writes:
> On Tue, 16 Mar 2010 08:14:40 + (UTC), John Marshall wrote:
> >
> > Client: 192.168.25.71 is querying the PTR record for its own address.
> > Server: 172.25.24.16 is querying itself for the DS record for the
> > parent of the zone which the client is querying (Why?).
> > There is no DS record in that zone.  Neither the child or
> > parent zones are signed.
> >
> > 16-Mar-2010 18:15:34.761 query-errors: debug 1: client 172.25.24.16#62578: 
> view internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at quer
> y.c:4631
> > 16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at resolver
> .c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success [domain:168
> .192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,ba
> dresp:1,adberr:0,findfail:0,valfail:0]
> > 16-Mar-2010 18:15:34.761 query-errors: debug 1: client 192.168.25.71#43718:
>  view guest: query failed (SERVFAIL) for 71.25.168.192.in-addr.arpa/IN/PTR at
>  query.c:4631
> > 16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at resolver
> .c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no valid DS [
> domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:
> 0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]
> 
> I should have checked syslog before posting.  It shows this going on at
> the same time...
> 
> Mar 16 18:15:33 rwsrv03 named[679]: error (chase DS servers) resolving '168.1
> 92.in-addr.arpa/DS/IN': 172.25.24.17#53
> Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-
> addr.arpa/NS/IN': 204.61.216.50#53
> Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-
> addr.arpa/NS/IN': 192.35.51.32#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-
> addr.arpa/NS/IN': 199.212.0.63#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-
> addr.arpa/NS/IN': 199.71.0.63#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-
> addr.arpa/NS/IN': 192.42.93.32#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-
> addr.arpa/NS/IN': 63.243.194.2#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-
> addr.arpa/NS/IN': 72.52.71.2#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid DS) resolving '71.25.168.
> 192.in-addr.arpa/PTR/IN': 172.25.24.16#53
> 
> I don't understand this.  If the client needs an answer from
> 25.168.192.in-addr.arpa. and we are hosting that zone and its parent
> zone (both unsigned, both in our internal view), why are we looking
> higher for DS records?

Because you have a trust anchor configured at or above the query name and
the validator need to see a DS or non existance proof (NSEC/NSEC3) for the
DS which indicates a secure to insecure transition.

Are your trust anchors up to date?

Mark
 
> If I grant the guest clients access to the internal view, all is well.
> Things seem to go wobbly, unless checking is disabled, when we forward
> the guest view queries to the internal view.
> 
> -- 
> John Marshall
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

threading and linux (2.6.

2010-03-16 Thread Jack Tavares 
Hello -

What is the default build on linux (2.6) with regard to threads.
If I don't explicitly enable or disable threads, does named
run threaded or unthreaded?

Thanks
--
jack
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dealing with "unexpected RCODE (SERVFAIL)"

2010-03-16 Thread Mark Andrews 

In message <20100316131539.ga10...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > > On 16.03.10 09:45, Ruben Laban wrote:
> > > > In my logs I see numerous line like these:
> > > > 
> > > > Mar 16 04:59:13 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> > > > resolving 'hotmeil.com/MX/IN': 10.2.1.3#53
> > > > Mar 16 04:59:14 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> > > > resolving 'hotmeil.com/MX/IN': 10.0.1.3#53
> > > > Mar 16 04:59:15 mx02 named[4606]: unexpected RCODE (SERVFAIL) 
> > > > resolving 'hotmeil.com/MX/IN': 10.1.1.3#53
> 
> > In message <20100316090709.gc7...@fantomas.sk>, Matus UHLAR - fantomas writ
> es:
> > > the microsoft's nameservers are providing only A and TXT records for
> > > hotmeil.com. They return ". IN SOA (NOERROR)" for other questions.
> > > This is apparently invalid and causes the SERVFAIL.
> > > 
> > > seems it's time to blame microsoft.
> 
> On 16.03.10 23:43, Mark Andrews wrote:
> > And the lack of a way to register a name in COM without creating a
> > delegation.  And the lack of a way to say this domain name is not
> > a valid email domain.
> 
> It's apparently because DNS was designed to provide records that exist, not
> those that do not.

Actually it's designed to provide records that exist *and* to tell you
when they don't exist.  Reserving namespace is outside of the DNS itself.
 
> > The best thing would be for hotmeil.com to always return NXDOMAIN
> > and people would correct their spelling errors.  Unfortunately there
> > is not way to register hotmeil.com without creating a delegation
> > and you could you have these ISP's that hijack NXDOMAIN and rewrite
> > it so you get a A record instead of NXDOMAIN.
> 
> > So Microsoft have to supply a A record but they don't want it to
> > be used for email so they need to break the MX lookup so MTA's soft
> > fail and eventually (days later) return the email to the sender.
> 
> You can also register a domain and not provide any records for it (except
> SOA and NS), which would be best in current situation imho.
>
> However Microsoft decided to provide A records for hotmeil.com (and
> www.hotmeil.com too), so they don't want people to fix their typos, but are
> doing it themselves instead.

They are kind of forced to these days due to the abuse of the DNS by ISP's.
 
> Yes, there could be way to define a domain that has A record but does not
> provide mail service. Unluckily, in case of MX nonexistance the A is used
> (as implicit zero-priority MX).

Which is why "MX 0 ." is needed.  We have it for SRV "SRV 0 0 ."
means there is no service.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem resolving domains with valid GLUE records but misconfigured NS records

2010-03-16 Thread Mark Andrews 

In message <4b9fad0c.1090...@um.edu.mt>, Gilbert Cassar writes:
> Hi,
> 
> We have a recurring problem with recursive domain resolution using a 
> bind 9.6 caching server.  An example of such a zone is ecb.eu. The 
> problem seems due to a misconfiguration on their side where all the 
> (supposedly authorative) NS records listed in their zone file do not 
> answer requests to resolve ecb.eu hosts. This prevents us from resolving 
> anything under the domain after that the NS records are cached (the 
> first query goes through as the GLUE record seems to work). The 
> interesting thing is that it works fine if we try to resolve the domain 
> using either Windows DNS or using Google open DNS service.
> 
> Since a number of sites seem to have this type of problems we would like 
> to be able to resolve them as well. Any idea of how can we configure to 
> be able to circumvent this problem?

The best thing is to complain to the administrator of the zone,
hostmas...@ecb.int, i...@key-systems.net, jan.pflugr...@ecb.int.

Then complain to the "EU" administrators as they are *also* responsible
for keeping delegations up to date (RFC 1034) and this one clearly
isn't up to date.

Mark

> Please find below some digs I did to diagnose the problem.
> 
> Regards and Thanks
> Gilbert
> University of Malta
> 
> 
> Asking the EU servers
> r...@wenzu:~/bind-9.7.0# dig ns ecb.eu @a.nic.eu
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58355
> ;; AUTHORITY SECTION:
> ecb.eu.86400INNSns1.ecb.int.
> 
> Checking for the NS records ...
> r...@wenzu:~/bind-9.7.0# dig ns ecb.eu @ns1.ecb.int.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3891
> ;; ANSWER SECTION:
> ecb.eu.86400INNSns1.de.colt.net.
> ecb.eu.86400INNSns0.de.colt.net.
> ecb.eu.86400INNSauth02.ns.de.uu.net.
> ecb.eu.86400INNSauth52.ns.de.uu.net.
> 
> Asking their NS Servers:
> r...@wenzu:~/bind-9.7.0# dig ns ecb.eu @auth02.ns.de.uu.net
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27397
> 
> 
> 
> 
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: threading and linux (2.6.

2010-03-16 Thread Gary Wallis 

Jack Tavares wrote:

Hello -

 


What is the default build on linux (2.6) with regard to threads.

If I don't explicitly enable or disable threads, does named

run threaded or unthreaded?


Threaded.



 


Thanks

--

jack




___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC Validating Resolver and Views

2010-03-16 Thread John Marshall 
On Wed, 17 Mar 2010, 09:03 +1100, Mark Andrews wrote:
> In message , John 
> Marshall 
> writes:
> > I don't understand this.  If the client needs an answer from
> > 25.168.192.in-addr.arpa. and we are hosting that zone and its parent
> > zone (both unsigned, both in our internal view), why are we looking
> > higher for DS records?
> 
> Because you have a trust anchor configured at or above the query name and
> the validator need to see a DS or non existance proof (NSEC/NSEC3) for the
> DS which indicates a secure to insecure transition.
> 
> Are your trust anchors up to date?

I haven't changed my dlv.isc.org anchor since I configured DNSSEC on the
server about 18 months ago: it matches the one published on the ISC web
site (2008/09/21) and everything works fine for my internal view.

> > If I grant the guest clients access to the internal view, all is well.
> > Things seem to go wobbly, unless checking is disabled, when we forward
> > the guest view queries to the internal view.

So, this seems to be where it's breaking.  Perhaps my design is just
wrong and it "just happened to work" until either 9.7.0 or...?  It still
works if the guest view client queries with checking disabled.  It works
properly for internal view clients.  Does a second level of indirection
mean that the resolver loses sight of the trust anchor?

options {
...
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv.isc.org.;
};

trusted-keys {
dlv.isc.org. 257 3 5
...
};

view "internal" IN {
match-clients {
IntNET;
! ExtStealth;
! ExtDNS;
ExtNET;
localhost;
};
allow-query {
localhost;
IntNET;
ExtNET;
};
recursion yes;
...
zone "168.192.in-addr.arpa" {
type master;
file "db/master/192.168";
};

zone "25.168.192.in-addr.arpa" {
type master;
file "db/master/192.168.25";
allow-update {
key dhcp-rw.;
};
};
};

view "guest" IN {
match-clients {
GstNET;
};
allow-query {
GstNET;
};
recursion yes;
...
forward only;
forwarders {
172.25.24.16;   # self (internal)
};

zone  {
type forward;
forward only;
forwarders {
203.58.93.34;   # self (external)
};
};
};

view "external" IN {
match-clients {
any;
};
recursion no;
additional-from-cache no;
...
zone  {
type master;
...
};
};

-- 
John Marshall
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC Validating Resolver and Views

2010-03-16 Thread Mark Andrews 

In message <20100316234500.ga99...@rwpc12.mby.riverwillow.net.au>, John Marshal
l writes:
> On Wed, 17 Mar 2010, 09:03 +1100, Mark Andrews wrote:
> > In message , John Marsh
> all 
> > writes:
> > > I don't understand this.  If the client needs an answer from
> > > 25.168.192.in-addr.arpa. and we are hosting that zone and its parent
> > > zone (both unsigned, both in our internal view), why are we looking
> > > higher for DS records?
> > 
> > Because you have a trust anchor configured at or above the query name and
> > the validator need to see a DS or non existance proof (NSEC/NSEC3) for the
> > DS which indicates a secure to insecure transition.
> > 
> > Are your trust anchors up to date?
> 
> I haven't changed my dlv.isc.org anchor since I configured DNSSEC on the
> server about 18 months ago: it matches the one published on the ISC web
> site (2008/09/21) and everything works fine for my internal view.
> 
> > > If I grant the guest clients access to the internal view, all is well.
> > > Things seem to go wobbly, unless checking is disabled, when we forward
> > > the guest view queries to the internal view.
> 
> So, this seems to be where it's breaking.  Perhaps my design is just
> wrong and it "just happened to work" until either 9.7.0 or...?  It still
> works if the guest view client queries with checking disabled.  It works
> properly for internal view clients.  Does a second level of indirection
> mean that the resolver loses sight of the trust anchor?
> 
> options {
> ...
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside . trust-anchor dlv.isc.org.;
> };
> 
> trusted-keys {
> dlv.isc.org. 257 3 5
> ...
> };
> 
> view "internal" IN {
> match-clients {
> IntNET;
> ! ExtStealth;
> ! ExtDNS;
> ExtNET;
> localhost;
> };
> allow-query {
> localhost;
IntNET;
> ExtNET;
> };
> recursion yes;
> ...
> zone "168.192.in-addr.arpa" {
> type master;
> file "db/master/192.168";
> };
> 
> zone "25.168.192.in-addr.arpa" {
> type master;
> file "db/master/192.168.25";
> allow-update {
> key dhcp-rw.;
> };
> };
> };
> 
> view "guest" IN {
> match-clients {
> GstNET;
> };
> allow-query {
> GstNET;
> };
> recursion yes;
> ...
> forward only;
> forwarders {
> 172.25.24.16;   # self (internal)
> };
> 
> zone  {
> type forward;
> forward only;
> forwarders {
> 203.58.93.34;   # self (external)
> };
> };
> };
> 
> view "external" IN {
> match-clients {
> any;
> };
> recursion no;
> additional-from-cache no;
> ...
> zone  {
> type master;
> ...
> };
> };
> 
> -- 
> John Marshall

It should work.  You don't have any other trusted-keys configured?

My next step would be to ask from a internal, not a guest address,
for DS 168.192.in-addr.arpa.  This eliminates one step in the chain.

You should get something like this.  Note "ad" is set in flags so this
has passed validation using dlv.isc.org as the trust anchor.

; <<>> DiG 9.7.0 <<>> +dnssec ds 168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12909
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;168.192.in-addr.arpa.  IN  DS

;; AUTHORITY SECTION:
168.192.in-addr.arpa.   7434IN  RRSIG   NSEC 5 4 10800 20100326192205 
20100316192205 44093 192.in-addr.arpa. 
MhwZmez+ZUdVRFKyhzlKjiyj08rbs2gjxpCV/yacJDjXthZoDtYtq6Ml 
MUsr/Ac4qbnjIOjGcfr3QHndDblco/GFGDXgscypspyoJ2yRl+i8n+p4 
Vp4nnpVkwaQObtQRZQWSOB2sqAzmGdiYqEnAK3rUj6nufzsBJOrzYjvX bzQ=
168.192.in-addr.arpa.   7434IN  NSEC0.169.192.in-addr.arpa. NS 
RRSIG NSEC
192.in-addr.arpa.   7434IN  SOA chia.arin.net. 
dns-ops.arin.net. 2010031617 1800 900 691200 10800
192.in-addr.arpa.   7434IN  RRSIG   SOA 5 3 86400 20100326192205 
20100316192205 44093 192.in-addr.arpa. 
PsLYw1RyLT2xUm41c78zq89219xxrm1WI0QSIrtnakHsWkqBsXn9DXG4 
v2KbrjdCJglIVHEcJhrZ/GBNsq0ZIXT/GeskMRy/EfHFi8yVwGx/FCs5 
H1FUtYs+1DOjeGQnv2UOiQfYMxp1yyxEHah9zzV6QqYpoCUVL7J3E025 eZc=

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 17 10:56:12 2010
;; MSG SIZE  rcvd: 502

If it doesn't work I would ask for NS 192.in-addr.arpa, then DNSKEY
192.in-addr.arpa, then DLV 192.in-addr.arpa.dlv.isc.org, t

Re: DNSSEC Validating Resolver and Views

2010-03-16 Thread Mark Andrews 

Mark Andrews writes:
> 
> In message <20100316234500.ga99...@rwpc12.mby.riverwillow.net.au>, John Marsh
> al
> l writes:
> > On Wed, 17 Mar 2010, 09:03 +1100, Mark Andrews wrote:
> > > In message , John Mar
> sh
> > all 
> > > writes:
> > > > I don't understand this.  If the client needs an answer from
> > > > 25.168.192.in-addr.arpa. and we are hosting that zone and its parent
> > > > zone (both unsigned, both in our internal view), why are we looking
> > > > higher for DS records?
> > > 
> > > Because you have a trust anchor configured at or above the query name and
> > > the validator need to see a DS or non existance proof (NSEC/NSEC3) for th
> e
> > > DS which indicates a secure to insecure transition.
> > > 
> > > Are your trust anchors up to date?
> > 
> > I haven't changed my dlv.isc.org anchor since I configured DNSSEC on the
> > server about 18 months ago: it matches the one published on the ISC web
> > site (2008/09/21) and everything works fine for my internal view.
> > 
> > > > If I grant the guest clients access to the internal view, all is well.
> > > > Things seem to go wobbly, unless checking is disabled, when we forward
> > > > the guest view queries to the internal view.
> > 
> > So, this seems to be where it's breaking.  Perhaps my design is just
> > wrong and it "just happened to work" until either 9.7.0 or...?  It still
> > works if the guest view client queries with checking disabled.  It works
> > properly for internal view clients.  Does a second level of indirection
> > mean that the resolver loses sight of the trust anchor?
> > 
> > options {
> > ...
> > dnssec-enable yes;
> > dnssec-validation yes;
> > dnssec-lookaside . trust-anchor dlv.isc.org.;
> > };
> > 
> > trusted-keys {
> > dlv.isc.org. 257 3 5
> > ...
> > };
> > 
> > view "internal" IN {
> > match-clients {
> > IntNET;
> > ! ExtStealth;
> > ! ExtDNS;
> > ExtNET;
> > localhost;
> > };
> > allow-query {
> > localhost;
> IntNET;
> > ExtNET;
> > };
> > recursion yes;
> > ...
> > zone "168.192.in-addr.arpa" {
> > type master;
> > file "db/master/192.168";
> > };
> > 
> > zone "25.168.192.in-addr.arpa" {
> > type master;
> > file "db/master/192.168.25";
> > allow-update {
> > key dhcp-rw.;
> > };
> > };
> > };
> > 
> > view "guest" IN {
> > match-clients {
> > GstNET;
> > };
> > allow-query {
> > GstNET;
> > };
> > recursion yes;
> > ...
> > forward only;
> > forwarders {
> > 172.25.24.16;   # self (internal)
> > };
> > 
> > zone  {
> > type forward;
> > forward only;
> > forwarders {
> > 203.58.93.34;   # self (external)
> > };
> > };
> > };
> > 
> > view "external" IN {
> > match-clients {
> > any;
> > };
> > recursion no;
> > additional-from-cache no;
> > ...
> > zone  {
> > type master;
> > ...
> > };
> > };
> > 
> > -- 
> > John Marshall
> 
> It should work.  You don't have any other trusted-keys configured?
> 
> My next step would be to ask from a internal, not a guest address,
> for DS 168.192.in-addr.arpa.  This eliminates one step in the chain.
> 
> You should get something like this.  Note "ad" is set in flags so this
> has passed validation using dlv.isc.org as the trust anchor.
> 
> ; <<>> DiG 9.7.0 <<>> +dnssec ds 168.192.in-addr.arpa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12909
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;168.192.in-addr.arpa.IN  DS
> 
> ;; AUTHORITY SECTION:
> 168.192.in-addr.arpa. 7434IN  RRSIG   NSEC 5 4 10800 20100326192205 2
> 0100316192205 44093 192.in-addr.arpa. MhwZmez+ZUdVRFKyhzlKjiyj08rbs2gjxpCV/ya
> cJDjXthZoDtYtq6Ml MUsr/Ac4qbnjIOjGcfr3QHndDblco/GFGDXgscypspyoJ2yRl+i8n+p4 Vp
> 4nnpVkwaQObtQRZQWSOB2sqAzmGdiYqEnAK3rUj6nufzsBJOrzYjvX bzQ=
> 168.192.in-addr.arpa. 7434IN  NSEC0.169.192.in-addr.arpa. NS RRSI
> G NSEC
> 192.in-addr.arpa. 7434IN  SOA chia.arin.net. dns-ops.arin.net
> . 2010031617 1800 900 691200 10800
> 192.in-addr.arpa. 7434IN  RRSIG   SOA 5 3 86400 20100326192205 20
> 100316192205 44093 192.in-addr.arpa. PsLYw1RyLT2xUm41c78zq89219xxrm1WI0QSIrtn
> akHsWkqBsXn9DXG4 v2KbrjdCJglIVHEcJhrZ/GBNsq0ZIXT/GeskMRy/EfHFi8yVw

Re: CIDR in-addr.arpa problem

2010-03-16 Thread Mark Andrews 

In message <9d84df667a714fab888d578ae8967...@neo>, "Lister" writes:
> Hello all,
> 
> I have a problem with a CIDR IN-ADDR.ARPA delegation of a /28 netblock.
> Domain names and IP numbers have been edited for privacy purposes.
> 
> I've had my local ISP make me a CIDR in-addr.arpa delegation for the block
> 192.168.33.112/28 to my name servers:
> ns1.mydomain.dom
> ns2.mydomain.dom

Stop this stupid crap of hiding the zone.  All it does is make
helping you harder.  Do you want real help or conjecture?
 
> on my BIND-9.6.0-P1 I did the following:
> 
> in named.conf:
> --
> zone "112/28.33.168.192.in-addr.arpa" {
>type master;
>file "master/112-28.33.168.192.rev";
>allow-query { any; };
>allow-transfer { affilates; };//irrelevant to the topic in questio
> n
>notify yes;
> };

Become a (stealth) slave for 33.168.192.in-addr.arpa.  This will ensure
that the CNAME records are always available.

zone 33.168.192.in-addr.arpa {
type slave;
file "slave/33.168.192.rev";
masters { . };
notify no;
};
 
> in master/112-28.33.168.192.rev:
> 
> $ORIGIN 112/28.33.168.192.in-addr.arpa.
> $TTL 3600   ; 1 hour
> @ IN SOA  ns1.mydomain.dom. hostmaster.mydomain.dom. (
> 2010031600 ; serial
> 15m; refresh
> 10m; retry
> 1d ; expire
> 60 ; -ve cache ttl
> )
> $TTL 1d
> @  NS ns1.mydomain.dom.
> @  NS ns2.mydomain.dom.
> $TTL 30
> 113  PTR host1.mydomain.dom.
> 114  PTR host2.mydomain.dom.
> ;.
> ;.
> 126  PTRhostN.mydomain.dom.
> 
> To the best on my knowledge, the above config is correct. However BIND respon
> ds to PTR queries authoritatively with NXDOMAIN, and, AFTER FORWARDING. It gi
> ves the same query respone for anything in the /24 (class C) network, not onl
> y my /28.
> Naturally, it should NOT forward; and if it does, it should NOT respond autho
> ritatively.
> 
> Using a '-' instead of '/' in the config files made no difference.
> I tried this on BIND-9.6.0-P1 on FreeBSD-7.1 and BIND-9.4.3-P3 on CentOS 5.3 
> with the same results.
> 
> BIND 9.6 was built in a standard way as FreeBSD port. This is how it was as o
> btained from syslog:
> built with '--localstatedir=/var' '--disable-linux-caps' '--with-randomdev=/d
> ev/random' '--with-openssl=/usr' '--with-libxml2=/usr/local' '--without-idn' 
> '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/
> share/man' '--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd7.1' '
> build_alias=x86_64-portbld-freebsd7.1' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasi
> ng -pipe' 'LDFLAGS= -rpath=/usr/lib:/usr/local/lib' 'CXX=c++' 'CXXFLAGS=-O2 -
> fno-strict-aliasing -pipe'
> 
> 
> Please tell me if I did something wrong or it's a BIND problem and if so, if 
> there's a workaround.
> 
> Kind regards,
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

BIND 9.5.2-P3 is now available.

2010-03-16 Thread Mark Andrews 

 BIND 9.5.2-P3 is now available.

BIND 9.5.2-P3 is a recommended patch for BIND 9.5.2.  It addresses
excessive query traffic generated when there is a break in the
DNSSEC trust chain as a result of a configuration error.  It is
recommended for anyone using DNSSEC validation and BIND 9.5.x. 

Bugs should be reported to bind9-b...@isc.org.

BIND 9.5.2-P3 can be downloaded from:

ftp://ftp.isc.org/isc/bind9/9.5.2-P3/bind-9.5.2-P3.tar.gz

PGP signatures of the distribution are at:

ftp://ftp.isc.org/isc/bind9/9.5.2-P3/bind-9.5.2-P3.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.2-P3/bind-9.5.2-P3.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.2-P3/bind-9.5.2-P3.tar.gz.sha512.asc

The signatures were generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

ftp://ftp.isc.org/isc/bind9/9.5.2-P3/BIND9.5.2-P3.zip
ftp://ftp.isc.org/isc/bind9/9.5.2-P3/BIND9.5.2-P3.debug.zip

PGP signatures of the binary kit are at:

ftp://ftp.isc.org/isc/bind9/9.5.2-P3/BIND9.5.2-P3.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.2-P3/BIND9.5.2-P3.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.2-P3/BIND9.5.2-P3.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.2-P3/BIND9.5.2-P3.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.2-P3/BIND9.5.2-P3.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.2-P3/BIND9.5.2-P3.debug.zip.sha512.asc

Changes since 9.5.2:

--- 9.5.2-P3 released ---

2852.   [bug]   Handle broken DNSSEC trust chains better. [RT #15619]

--- 9.5.2-P2 released ---

2831.   [security]  Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]

2828.   [security]  Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]

2827.   [security]  Bogus NXDOMAIN could be cached as if valid. [RT #20712]

--- 9.5.2-P1 released ---

2772.   [security]  When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]

--- 9.5.2 released ---
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:  +61 2 9871 4742  INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

BIND 9.4-ESV-R1 is now available.

2010-03-16 Thread Mark Andrews 

BIND 9.4-ESV-R1 is now available.

BIND 9.4-ESV-R1 is revision 1 of the extended release version
for BIND 9.4.  It is recommended that all BIND 9.4.x users
upgrade to BIND 9.4-ESV-R1.

BIND 9.4-ESV-R1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/bind-9.4-ESV-R1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/bind-9.4-ESV-R1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/bind-9.4-ESV-R1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/bind-9.4-ESV-R1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/BIND9.4-ESV-R1.zip
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/BIND9.4-ESV-R1.debug.zip

The PGP signature of the binary kit for Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/BIND9.4-ESV-R1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/BIND9.4-ESV-R1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/BIND9.4-ESV-R1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/BIND9.4-ESV-R1.debug.zip.asc

ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/BIND9.4-ESV-R1.debug.zip.sha256.asc

ftp://ftp.isc.org/isc/bind9/9.4-ESV-R1/BIND9.4-ESV-R1.debug.zip.sha512.asc

Changes since 9.4.0.

--- 9.4-ESV-R1 released ---

2852.   [bug]   Handle broken DNSSEC trust chains better. [RT #15619]

--- 9.4-ESV released ---

2831.   [security]  Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]

2828.   [security]  Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]

2827.   [security]  Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2797.   [bug]   Don't decrement the dispatch manager's maxbuffers.
[RT #20613]

2790.   [bug]   Handle DS queries to stub zones. [RT #20440]

2772.   [security]  When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]

--- 9.4-ESVb1 released ---

2698.   [cleanup]   configure --enable-libbind is deprecated. [RT #20090]

2697.   [port]  win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
S_IFREG are defined after including .
[RT #20309]

2690.   [bug]   win32: fix isc_thread_key_getspecific() prototype.
[RT #20315]

2689.   [bug]   Correctly handle snprintf result. [RT #20306]

2688.   [bug]   Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
to decide to fetch the destination address. [RT #20305]

2681.   [bug]   IPSECKEY RR of gateway type 3 was not correctly
decoded. [RT #20269]

2672.   [bug]   Don't enable searching in 'host' when doing reverse
lookups. [RT #20218]

2525.   [experimental]  New logging category "query-errors" to provide detailed
internal information about query failures, especially
about server failures.  (backported as a special
exception to the general policy) [RT #19027]

2670.   [bug]   Unexpected connect failures failed to log enough
information to be useful. [RT #20205]

2649.   [bug]   Set the domain for forward only zones. [RT #19944]

2648.   [port]  win32: isc_time_seconds() was broken. [RT #19900]

2646.   [bug]   Incorrect cleanup on error in socket.c. [RT #19987]

2642.   [bug]   nsupdate could dump core on solaris when reading
improperly formatted key files.  [RT #20015]

2640.   [security]  A specially crafted update packet will cause named
to exit. [RT #2]

2637.   [func]  Rationalize dnssec-signzone's signwithkey() calling.
[RT #19959]

2635.   [bug]   isc_inet_ntop() incorrectly handled 0.0/16 addresses.
[RT #19716]

2633.   [bug]   Handle 15 bit rand() functions. [RT #19783]

2632.   [func]  util/kit.sh: warn if documentation appears to be out of
date.  [RT #19922]

2623.   [bug]   Named started seaches for DS non-optimally. [RT #19915]

2621.   [doc]   Made copyright boilterplate consistent.  [RT #19833]

2920.   [bug]   Delay thawing the zone until the reload of it has

BIND 9.6-ESV is now available.

2010-03-16 Thread Mark Andrews 

BIND 9.6-ESV is now available.

BIND 9.6-ESV is a extended release version for BIND 9.6.

BIND 9.6-ESV can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.6-ESV/bind-9.6-ESV.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.6-ESV/bind-9.6-ESV.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.6-ESV/bind-9.6-ESV.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6-ESV/bind-9.6-ESV.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.6-ESV/BIND9.6-ESV.zip
ftp://ftp.isc.org/isc/bind9/9.6-ESV/BIND9.6-ESV.debug.zip

The PGP signature of the binary kit for Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.6-ESV/BIND9.6-ESV.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6-ESV/BIND9.6-ESV.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.6-ESV.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.6-ESV/BIND9.6-ESV.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6-ESV/BIND9.6-ESV.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6-ESV/BIND9.6-ESV.debug.zip.sha512.asc

Changes since 9.6.0.

--- 9.6-ESV released ---

2852.   [bug]   Handle broken DNSSEC trust chains better. [RT #15619]

--- 9.6.2 released ---

2850.   [bug]   If isc_heap_insert() failed due to memory shortage
the heap would have corrupted entries. [RT #20951]

2849.   [bug]   Don't treat errors from the xml2 library as fatal.
[RT #20945]

2846.   [bug]   EOF on unix domain sockets was not being handled
correctly. [RT #20731]

2844.   [doc]   notify-delay default in ARM was wrong.  It should have
been five (5) seconds.

--- 9.6.2rc1 released ---

2838.   [func]  Backport support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512, from BIND 9.7.  (This
incorporates changes 2726 and 2738 from that
release branch.) [RT #20871]

2837.   [port]  Prevent Linux spurious warnings about fwrite().
[RT #20812]

2831.   [security]  Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]

2828.   [security]  Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]

2827.   [security]  Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2825.   [bug]   Changing the setting of OPTOUT in a NSEC3 chain that
was in the process of being created was not properly
recorded in the zone. [RT #20786]

2823.   [bug]   rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2819.   [cleanup]   Removed unnecessary DNS_POINTER_MAXHOPS define
[RT #20771]

2818.   [cleanup]   rndc could return an incorrect error code 
when a zone was not found. [RT #20767]

2815.   [bug]   Exclusively lock the task when freezing a zone.
[RT #19838]

2814.   [func]  Provide a definitive error message when a master
zone is not loaded. [RT #20757]

--- 9.6.2b1 released ---

2797.   [bug]   Don't decrement the dispatch manager's maxbuffers.
[RT #20613]

2790.   [bug]   Handle DS queries to stub zones. [RT #20440]

2789.   [bug]   Fixed an INSIST in dispatch.c [RT #20576]

2786.   [bug]   Additional could be promoted to answer. [RT #20663]

2784.   [bug]   TC was not always being set when required glue was
dropped. [RT #20655]

2783.   [func]  Return minimal responses to EDNS/UDP queries with a UDP
buffer size of 512 or less.  [RT #20654]

2782.   [port]  win32: use getaddrinfo() for hostname lookups.
[RT #20650]

2777.   [contrib]   DLZ MYSQL auto reconnect support discovery was wrong.

2772.   [security]  When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]

2765.   [bug]   Skip masters for which the TSIG key cannot be found.
[RT #20595]

2760.   [cleanup]   Corrected named-compilezone usage summary. [RT #20533]

2759.   [doc]   Add information about .jbk/.jnw files to
the ARM. [RT #20303]

2758.   [bug]   win

BIND 9.7.0-P1 is now available.

2010-03-16 Thread Mark Andrews 

 BIND 9.7.0-P1 is now available.

BIND 9.7.0-P1 is a recommended patch for BIND 9.7.0.  It addresses
excessive query traffic generated when there is a break in the
DNSSEC trust chain as a result of a configuration error.  It is
recommended for anyone using DNSSEC validation and BIND 9.6.x. 

Bugs should be reported to bind9-b...@isc.org.

BIND 9.7.0-P1 can be downloaded from:

ftp://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz

PGP signatures of the distribution are at:

ftp://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz.sha512.asc

The signatures were generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

ftp://ftp.isc.org/isc/bind9/9.7.0-P1/BIND9.7.0-P1.zip
ftp://ftp.isc.org/isc/bind9/9.7.0-P1/BIND9.7.0-P1.debug.zip

PGP signatures of the binary kit are at:

ftp://ftp.isc.org/isc/bind9/9.7.0-P1/BIND9.7.0-P1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.0-P1/BIND9.7.0-P1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0-P1/BIND9.7.0-P1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.7.0-P1/BIND9.7.0-P1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.0-P1/BIND9.7.0-P1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0-P1/BIND9.7.0-P1.debug.zip.sha512.asc

Changes since 9.7.0:

--- 9.7.0-P1 released ---

2852.   [bug]   Handle broken DNSSEC trust chains better. [RT #15619]

--- 9.7.0 released ---
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:  +61 2 9871 4742  INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

BIND 9.6.2-P1 is now available.

2010-03-16 Thread Mark Andrews 

 BIND 9.6.2-P1 is now available.

BIND 9.6.2-P1 is a recommended patch for BIND 9.6.2.  It addresses
excessive query traffic generated when there is a break in the
DNSSEC trust chain as a result of a configuration error.  It is
recommended for anyone using DNSSEC validation and BIND 9.6.x. 

Bugs should be reported to bind9-b...@isc.org.

BIND 9.6.2-P1 can be downloaded from:

ftp://ftp.isc.org/isc/bind9/9.6.2-P1/bind-9.6.2-P1.tar.gz

PGP signatures of the distribution are at:

ftp://ftp.isc.org/isc/bind9/9.6.2-P1/bind-9.6.2-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.6.2-P1/bind-9.6.2-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.2-P1/bind-9.6.2-P1.tar.gz.sha512.asc

The signatures were generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

ftp://ftp.isc.org/isc/bind9/9.6.2-P1/BIND9.6.2-P1.zip
ftp://ftp.isc.org/isc/bind9/9.6.2-P1/BIND9.6.2-P1.debug.zip

PGP signatures of the binary kit are at:

ftp://ftp.isc.org/isc/bind9/9.6.2-P1/BIND9.6.2-P1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.2-P1/BIND9.6.2-P1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.2-P1/BIND9.6.2-P1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.6.2-P1/BIND9.6.2-P1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.2-P1/BIND9.6.2-P1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.2-P1/BIND9.6.2-P1.debug.zip.sha512.asc

Changes since 9.6.2:

--- 9.6.2-P1 released ---

2852.   [bug]   Handle broken DNSSEC trust chains better. [RT #15619]

--- 9.6.2 released ---
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:  +61 2 9871 4742  INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Confused about 9.6.2-P1 and 9.6-ESV

2010-03-16 Thread Doug Barton 
I noticed that the patchfix releases of BIND came out today, so
congratulations on that. :)  However I was confused by the existence of
both a 9.6.2-P1 and a 9.6-ESV (with the same code inside). Is 9.6.2-P1
the last release on the 9.6 branch? For the purpose of "following" a
branch in the FreeBSD ports and base am I better off with one or the
other? The issue is trivial now since the code is the same, but are they
expected to diverge?

I understand the purpose of the -ESV branch, and I think it's great that
ISC is doing this. I would just like to make some plans and need some
guidance.


Thanks,

Doug

-- 

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover!http://SupersetSolutions.com/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Confused about 9.6.2-P1 and 9.6-ESV

2010-03-16 Thread Mark Andrews 

In message <4ba04e63.8090...@dougbarton.us>, Doug Barton writes:
> I noticed that the patchfix releases of BIND came out today, so
> congratulations on that. :)  However I was confused by the existence of
> both a 9.6.2-P1 and a 9.6-ESV (with the same code inside). Is 9.6.2-P1
> the last release on the 9.6 branch? For the purpose of "following" a
> branch in the FreeBSD ports and base am I better off with one or the
> other? The issue is trivial now since the code is the same, but are they
> expected to diverge?
> 
> I understand the purpose of the -ESV branch, and I think it's great that
> ISC is doing this. I would just like to make some plans and need some
> guidance.

BIND 9.6-ESV is the extended support version of BIND 9.6.  It will
get security patches and other critical fixes added to it.  BIND
9.6-ESV is supported until March 31, 2013.  It's for the vendors
that need longer support with less changes.

BIND 9.6.3 will be the next maintenance release and will have less
significant fixes in it in addition to security patches and other
critical fixes.  BIND 9.6.x (other than 9.6-ESV) will be EoL'd 6
months after the release of BIND 9.8.0 or March 31, 2013 which ever
comes first.  I would expect BIND 9.8.0 to be released late 2010,
early 2011 based on previous release patterns.  We try to ensure
that there is a final release just before EoL.

Mark

> Thanks,
> 
> Doug
> 
> -- 
> 
>   ... and that's just a little bit of history repeating.
>   -- Propellerheads
> 
>   Improve the effectiveness of your Internet presence with
>   a domain name makeover!http://SupersetSolutions.com/
> 
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC Validating Resolver and Views

2010-03-16 Thread John Marshall 
On Wed, 17 Mar 2010, 11:11 +1100, Mark Andrews wrote:
> In message <20100316234500.ga99...@rwpc12.mby.riverwillow.net.au>, John 
> Marshal
> l writes:
> > > In message , John 
> > > Marsh
> > all 
> > > writes:
> > > > If I grant the guest clients access to the internal view, all is well.
> > > > Things seem to go wobbly, unless checking is disabled, when we forward
> > > > the guest view queries to the internal view.
> > 
> > So, this seems to be where it's breaking.  Perhaps my design is just
> > wrong and it "just happened to work" until either 9.7.0 or...?  It still
> > works if the guest view client queries with checking disabled.  It works
> > properly for internal view clients.  Does a second level of indirection
> > mean that the resolver loses sight of the trust anchor?
> 
> It should work.  You don't have any other trusted-keys configured?

The only other key is for the (internal) zone in which the name servers
live: that's the only zone we're signing at present.

> My next step would be to ask from a internal, not a guest address,
> for DS 168.192.in-addr.arpa.  This eliminates one step in the chain.

I got either named or myself confused when I started modifying the
logging configuration, so I re-started named and now everything works.
Hmmm.  I pointed at another server and noted the same broken behaviour
there as well.  I set up logging (carefully) on that server and pointed
an "internal" client at it.

; <<>> DiG 9.7.0 <<>> @172.25.24.17 168.192.in-addr.arpa. ds
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3079
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;168.192.in-addr.arpa.  IN  DS

;; Query time: 1388 msec
;; SERVER: 172.25.24.17#53(172.25.24.17)
;; WHEN: Wed Mar 17 14:02:00 2010
;; MSG SIZE  rcvd: 38

This is what was logged for the above query...

[queries log]
17-Mar-2010 14:04:11.140 queries: client 172.25.24.18#42640: view internal: 
query: 168.192.in-addr.arpa IN DS + (172.25.24.17)

[dnssec log] (7 iterations of the following)
17-Mar-2010 14:04:11.324 dnssec: debug 3: validating @0x2878c000: 
192.in-addr.arpa NS: starting
17-Mar-2010 14:04:11.324 dnssec: debug 3: validating @0x2878c000: 
192.in-addr.arpa NS: looking for DLV
17-Mar-2010 14:04:11.324 dnssec: debug 3: validating @0x2878c000: 
192.in-addr.arpa NS: plain DNSSEC returns unsecure (.): looking for DLV
17-Mar-2010 14:04:11.324 dnssec: debug 3: validating @0x2878c000: 
192.in-addr.arpa NS: looking for DLV 192.in-addr.arpa.dlv.isc.org
17-Mar-2010 14:04:11.324 dnssec: debug 3: validating @0x2878c000: 
192.in-addr.arpa NS: DLV not validated
17-Mar-2010 14:04:11.324 dnssec: debug 3: validating @0x2878c000: 
192.in-addr.arpa NS: DLV lookup: no valid RRSIG
17-Mar-2010 14:04:11.324 dnssec: debug 3: validator @0x2878c000: 
dns_validator_destroy

[query_errors log]
17-Mar-2010 14:04:12.527 query-errors: debug 1: client 172.25.24.18#42640: view 
internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at query.c:4631
17-Mar-2010 14:04:12.527 query-errors: debug 2: fetch completed at 
resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.386784: SERVFAIL/success 
[domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]

I wondered if flushing the cache would clear this.  It did.  At the very
moment when I had applied sufficient pressure on the Enter key to commit
the "rndc flush" it occurred to me that I ought to dump the cache first.
Sorry.

I'll upgrade these servers to 9.7.0-P1 this afternoon and keep an eye
out for this behaviour recurring.

Thank you for your help.

-- 
John Marshall
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Confused about 9.6.2-P1 and 9.6-ESV

2010-03-16 Thread Doug Barton 
On 03/16/10 20:57, Mark Andrews wrote:
> In message <4ba04e63.8090...@dougbarton.us>, Doug Barton writes:
>> I noticed that the patchfix releases of BIND came out today, so
>> congratulations on that. :)  However I was confused by the existence of
>> both a 9.6.2-P1 and a 9.6-ESV (with the same code inside). Is 9.6.2-P1
>> the last release on the 9.6 branch? For the purpose of "following" a
>> branch in the FreeBSD ports and base am I better off with one or the
>> other? The issue is trivial now since the code is the same, but are they
>> expected to diverge?
>>
>> I understand the purpose of the -ESV branch, and I think it's great that
>> ISC is doing this. I would just like to make some plans and need some
>> guidance.
> 
> BIND 9.6-ESV is the extended support version of BIND 9.6.  It will
> get security patches and other critical fixes added to it.  BIND
> 9.6-ESV is supported until March 31, 2013.  It's for the vendors
> that need longer support with less changes.
> 
> BIND 9.6.3 will be the next maintenance release and will have less
> significant fixes in it in addition to security patches and other
> critical fixes.  BIND 9.6.x (other than 9.6-ESV) will be EoL'd 6
> months after the release of BIND 9.8.0 or March 31, 2013 which ever
> comes first.

Ok, thanks for the response. I'm trying to parse what you wrote in terms
of what to do with BIND in the FreeBSD base. The fact that at the point
9.6.x will be EOL'ed 9.6-ESV won't have the most up to date 9.6 code is
a bit disturbing. When the plans for -ESV were first announced I thought
the plans were to do what was done for 9.4, after the last release on
that branch the -ESV version would come out. If I understand what you're
proposing correctly, it's going to make my decisions down the road more
difficult.


Doug

-- 

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover!http://SupersetSolutions.com/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Confused about 9.6.2-P1 and 9.6-ESV

2010-03-16 Thread Mark Andrews 

In message <4ba0595b.8090...@dougbarton.us>, Doug Barton writes:
> On 03/16/10 20:57, Mark Andrews wrote:
> > In message <4ba04e63.8090...@dougbarton.us>, Doug Barton writes:
> >> I noticed that the patchfix releases of BIND came out today, so
> >> congratulations on that. :)  However I was confused by the existence of
> >> both a 9.6.2-P1 and a 9.6-ESV (with the same code inside). Is 9.6.2-P1
> >> the last release on the 9.6 branch? For the purpose of "following" a
> >> branch in the FreeBSD ports and base am I better off with one or the
> >> other? The issue is trivial now since the code is the same, but are they
> >> expected to diverge?
> >>
> >> I understand the purpose of the -ESV branch, and I think it's great that
> >> ISC is doing this. I would just like to make some plans and need some
> >> guidance.
> > 
> > BIND 9.6-ESV is the extended support version of BIND 9.6.  It will
> > get security patches and other critical fixes added to it.  BIND
> > 9.6-ESV is supported until March 31, 2013.  It's for the vendors
> > that need longer support with less changes.
> > 
> > BIND 9.6.3 will be the next maintenance release and will have less
> > significant fixes in it in addition to security patches and other
> > critical fixes.  BIND 9.6.x (other than 9.6-ESV) will be EoL'd 6
> > months after the release of BIND 9.8.0 or March 31, 2013 which ever
> > comes first.
> 
> Ok, thanks for the response. I'm trying to parse what you wrote in terms
> of what to do with BIND in the FreeBSD base. The fact that at the point
> 9.6.x will be EOL'ed 9.6-ESV won't have the most up to date 9.6 code is
> a bit disturbing. When the plans for -ESV were first announced I thought
> the plans were to do what was done for 9.4, after the last release on
> that branch the -ESV version would come out. If I understand what you're
> proposing correctly, it's going to make my decisions down the road more
> difficult.
> 
> Doug

ESV's are supposed to be releases which are stable, no dot-o-itis.
We didn't feel 9.6.1 was stable enough so we waited for 9.6.2.  You
could always follow 9.6.x and then apply whatever changes to 9.6-ESV
appear after the final 9.6.x version.
 
Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC Validating Resolver and Views

2010-03-16 Thread Mark Andrews 

In message <20100317041842.gb99...@rwpc12.mby.riverwillow.net.au>, John 
Marshall writes:
> [queries log]
> 17-Mar-2010 14:04:11.140 queries: client 172.25.24.18#42640:
> view internal: query: 168.192.in-addr.arpa IN DS + (172.25.24.17)

Named has fallen back to plain DNS talking to itself.

I'll need to think about this.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Confused about 9.6.2-P1 and 9.6-ESV

2010-03-16 Thread Doug Barton 
On 03/16/10 22:17, Mark Andrews wrote:
> ESV's are supposed to be releases which are stable, no dot-o-itis.

I'm not suggesting that they should be the latter, thus my comment that
what I _thought_ would happen is that once the dot-releases were done in
a given branch the -ESV would start. Frankly I find the plan as you've
laid it out at best odd and confusing. I would be willing to wager I
won't be alone in that, but time will tell.

> We didn't feel 9.6.1 was stable enough so we waited for 9.6.2.  You
> could always follow 9.6.x and then apply whatever changes to 9.6-ESV
> appear after the final 9.6.x version.

Yes, that's sort of how I'm leaning now, but I will have to wait and see
how things play out. I'm just kind of disappointed that what seemed like
it would be a clear path is now going to be considerably more murky.  :-/


Doug

-- 

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover!http://SupersetSolutions.com/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users