Slave DNS zone problem
Hi All,

I have a problem with one of my DNS servers. This DNS is configured as a slave and has two masters (hosting different domains). Recently, I changed the IP of one of the master DNS servers; since then all domains under that master DNS cannot be resolved on the slave DNS, although the zone files keep on updating. For the other slave DNS, it still works fine.

Also, I just noticed that all new domains created on the two master DNS servers cannot be resolved on the slave DNS, but the zone file is updated. I am getting a SERVFAIL error. I also tried named-checkconf and named-checkzone, but no error was found.

What are the other things/parameters that I should check?

Thanks and Regards,
Rock

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Slave DNS zone problem
Hi,

Just a small check: try connectivity and zone xfer by hand, just to see if an ACL is not blocking it. On the slave:

    dig @master.com zone.com axfr

Philippe

From: bind-users-bounces+philippe.simonet=swisscom@lists.isc.org [mailto:bind-users-bounces+philippe.simonet=swisscom@lists.isc.org] On Behalf Of Rock July
Sent: Thursday, September 09, 2010 10:43
To: bind-users@lists.isc.org
Subject: Slave DNS zone problem
DNSSEC, views trusted keys...
I have 9.7.1-P2 running and since it's supposed to be 'for humans', I guess I'm trying to determine if I am one. It's not going as well as hoped... :-)

I have a domain, example.net, with two views, the usual 'internal' and 'external'; a third is planned. The master maintains all the sub-domains with auto-dnssec maintain. Master and slaves have dnssec-validation on and lookaside auto. My internal systems use these servers as their resolvers. The external view doesn't allow recursion.

example.net's internal view is signed by ksk-internal. (Yes, the ZSK sigs are there too.) example.net's external view is signed by ksk-external, which is distinct from ksk-internal. The external keys are registered in the ISC DLV, and dnsviz seems quite happy to validate a host that is in a delegated sub-domain signed by yet another key.

I'm unclear about how to configure this for the validation side of example.net. The ARM has a sentence where it says that BIND 'won't do crypto validation on zones for which it is authoritative'. And sure enough, dig +adflag to either view never has AD set on the response. (It will on ., isc.org, .gov, so validation is working.)

This doesn't seem right. How is an ordinary internal client supposed to know that it has authoritative (signed) data? Yes, someday there may be client resolver libraries that provide end-to-end validation. But until then, if trusting AD from my configured server is good enough for .gov, why isn't it good enough for example.net?

I've heard the argument that 'it doesn't make sense to verify the zone on your own disk', but I don't buy it. I'd like, for example, for my internal servers to show green with http://www.dnssec-validator.cz/'s firefox plugin... If a server is authoritative for a zone that it maintains, it knows that the signatures are all valid (or not). It also should be able to check with its parent (dlv, trusted-key list...) that its delegation is still valid. So it's surprising that it won't set AD.
The idea that the client should trust AA without AD in this case also seems a step backwards.

There is other advice in the ARM that says to put 'your organization's public keys in the trusted-keys list'. That doesn't help, and in fact confuses me even more, since example.net has TWO different public keys, one for each view. And trusted-keys is a global server option... I must be missing something.

Bottom line question: Short of configuring some other systems as caching-only validating nameservers and having clients point to them, how does one configure BIND to get AD for authoritative zones, preferably iff it can validate that the chain of delegations to it is valid? And no, it's not practical to run nested copies of BIND; most of my systems are small embedded systems with very limited memory. Nor is it practical to double the number of name servers in my network.

Semi-related question: Does anyone know of a public validating resolver that uses the ISC DLV? That doesn't solve the internal problem, of course, but it would be handy for testing from 'outside'.

- This communication may not represent my employer's views, if any, on the matters discussed.
Re: Slave DNS zone problem
On 9/9/2010 4:43 AM, Rock July wrote:
> Hi All, I have a problem with one of my DNS servers. This DNS is configured as a slave and has two masters (hosting different domains). Recently, I changed the IP of one of the master DNS servers; since then all domains under that master DNS cannot be resolved on the slave DNS, although the zone files keep on updating.

Are you checking the slave to make sure that the updated zone is actually being transferred?

> Also, I just noticed that all new domains created on the two master DNS servers cannot be resolved on the slave DNS, but the zone file is updated. I am getting a SERVFAIL error.

Are you configuring the slave server to be authoritative for these new zones?

-- 
Dave
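As an added example (not from Rock's, Philippe's or Dave's posts), the script below turns the two suggestions in this thread into one diagnostic: it reads the output of a non-recursive SOA query against the master and against the slave, and reports whether the slave answers SERVFAIL (zone not loaded at all), answers without the aa flag (not configured as authoritative for the zone, Dave's question), or answers with a serial behind the master's (transfer not completed, the case Philippe's manual axfr would show). The server and zone names are placeholders and the embedded dig output is constructed.

```shell
#!/bin/sh
# Added diagnostic for the slave-zone thread above; not from the original posts.
# Live usage:  ./check_slave.sh MASTER_IP SLAVE_IP ZONE   (needs dig on the path)

# Status word (NOERROR, SERVFAIL, ...) from the ";; ->>HEADER<<-" line of dig output.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Succeeds when the flags line carries "aa", i.e. the server answered authoritatively.
dig_is_authoritative() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* aa[ ;]'
}

# SOA serial: 7th whitespace-separated field of the SOA record in the answer section.
dig_soa_serial() {
    printf '%s\n' "$1" | awk '$1 !~ /^;/ && $4 == "SOA" { print $7; exit }'
}

# Compare the master's ($1) and the slave's ($2) answers; prints a verdict and
# returns 0 only when the slave is authoritative and carries the master's serial.
check_slave_zone() {
    slave_status=$(dig_status "$2")
    if [ "$slave_status" != "NOERROR" ]; then
        echo "slave returns $slave_status: zone not loaded (no zone statement, refused transfer or bad file)"
        return 1
    fi
    if ! dig_is_authoritative "$2"; then
        echo "slave answers without aa: it is not configured as authoritative for this zone"
        return 1
    fi
    master_serial=$(dig_soa_serial "$1")
    slave_serial=$(dig_soa_serial "$2")
    if [ "$master_serial" != "$slave_serial" ]; then
        echo "serial mismatch: master=$master_serial slave=$slave_serial (transfer not completed)"
        return 1
    fi
    echo "ok: slave is authoritative and serial $slave_serial matches the master"
}

# Constructed sample answers (not captured from any real server) for a dry run.
SAMPLE_MASTER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
zone.example.  3600  IN  SOA  ns1.zone.example. hostmaster.zone.example. 2010090901 7200 900 1209600 3600'
SAMPLE_SLAVE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_SLAVE_STALE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
zone.example.  3600  IN  SOA  ns1.zone.example. hostmaster.zone.example. 2010090801 7200 900 1209600 3600'

if [ "$#" -eq 3 ]; then
    # Live mode: +norecurse so each server must answer from its own zone data.
    check_slave_zone "$(dig "@$1" "$3" SOA +norecurse)" "$(dig "@$2" "$3" SOA +norecurse)"
else
    check_slave_zone "$SAMPLE_MASTER" "$SAMPLE_SLAVE_SERVFAIL" || true
    check_slave_zone "$SAMPLE_MASTER" "$SAMPLE_SLAVE_STALE" || true
    check_slave_zone "$SAMPLE_MASTER" "$SAMPLE_MASTER"
fi
```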
Re: installing on SLES 10sp3
I am not running named as named, but as root (no -u on the command line). But in testing I did change the permissions on this directory to 777 with no change in behaviour and changed it back to 755.

Lyle Giese
LCR Computer Services, Inc.

dhottin...@harrisonburg.k12.va.us wrote:
> Does named own the directory?
>
> Quoting Lyle Giese l...@lcrcomputer.net:
>> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3 server. When I run named from the command line, it runs, but fails to open and write any of the zone files it downloaded.
>>
>>     named -c /etc/named.conf
>>
>> (yes I am running this as root)
>>
>> The error is:
>>
>>     Sep 9 10:40:05 linuxps named[30549]: transfer of '103.0.10.in-addr.arpa/IN/chase' from 209.172.152.3#53: Transfer completed: 1 messages, 261 records, 5636 bytes, 0.116 secs (48586 bytes/sec)
>>     Sep 9 10:40:05 linuxps named[30549]: zone 103.0.10.in-addr.arpa/IN/chase: sending notifies (serial 2010081601)
>>     Sep 9 10:40:05 linuxps named[30549]: dumping master file: tmp-QJcEgeBZ3h: open: permission denied
>>
>> There is never a path mentioned in the permission denied message and the zone files are not written out to disk.
>>
>> I have set a directory in the options section:
>>
>>     options { directory "/etc/named"; };
>>
>> When I run named-checkconf against named.conf, it is always erroring out against this line (the directory line), no matter what I put there or what different syntax I insert. And yes, the directory really does exist.
>>
>>     named.conf: line 17: change directory to: '/etc/named' failed: file not found
>>     named.conf:line 17: parse failed
>>
>> What 'file' is named-checkconf looking for? Or is this a bogus error message? Am I missing something else? I am starting named as root, but appear to be getting permission issues. It just does not make any sense right now.
>>
>> Lyle Giese
>> LCR Computer Services, Inc.
Re: installing on SLES 10sp3
On Thu, 9 Sep 2010, Lyle Giese wrote:
> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3 server. When I run named from the command line, it runs, but fails to open and write any of the zone files it downloaded.
>
>     named -c /etc/named.conf
>
> (yes I am running this as root)

I had similar problems with 9.7.1-P2 and it seemed that the named init script generated for F11 reset permissions on the /var/named directory. Go figure. But, to make it work, I inserted a chmod command just before it launched the daemon to set /var/named as owned by named. I also like the executable in /usr/local/sbin rather than /usr/sbin as the script said. So mine now is as below:

    ...
    chown -hR named:named /var/named                        ## DRF
    #daemon /usr/sbin/$named -u named ${OPTIONS};           ## DRF
    daemon /usr/local/sbin/$named -u named ${OPTIONS};      ## DRF
    ...

I don't start it directly from the command line though, so running from the command line as root should not have that ownership problem. You might check the actual install directory as you might be running the old executable.

Dave

-- 
David Forrest                 e-mail d...@maplepark.com
Maple Park Development Corporation   http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
Re: DNSSEC, views trusted keys...
On 09/09/2010 03:45 PM, Timothe Litt wrote:
> There is other advice in the ARM that says to put 'your organization's public keys in the trusted-keys list'. That doesn't help, and in fact confuses me even more, since example.net has TWO different public keys, one for each view. And trusted-keys is a global server option... I must be missing something.

I don't think so. Currently AFAICT bind will not set AD on authoritative zones, with any combination of options.
Re: installing on SLES 10sp3
David Forrest wrote:
> I had similar problems with 9.7.1-P2 and it seemed that the named init script generated for F11 reset permissions on the /var/named directory. Go figure. But, to make it work, I inserted a chmod command just before it launched the daemon to set /var/named as owned by named. I also like the executable in /usr/local/sbin rather than /usr/sbin as the script said. So mine now is as below:
>
>     ...
>     chown -hR named:named /var/named                        ## DRF
>     #daemon /usr/sbin/$named -u named ${OPTIONS};           ## DRF
>     daemon /usr/local/sbin/$named -u named ${OPTIONS};      ## DRF
>     ...
>
> I don't start it directly from the command line though, so running from the command line as root should not have that ownership problem. You might check the actual install directory as you might be running the old executable.
>
> Dave

I checked the version of named and named-checkconf using -v and -V and tried running it via the full path. They have the right version number 9.7.1-P2.

Lyle Giese
LCR Computer Services, Inc.
Re: installing on SLES 10sp3
On Thu, 9 Sep 2010, Lyle Giese wrote:
> [snipped]
>
> I checked the version of named and named-checkconf using -v and -V and tried running it via the full path. They have the right version number 9.7.1-P2.
>
> Lyle Giese

Lyle, since it runs from the command line, it would seem that you're left with the zone files and those special files named needs. From the named-checkconf man:

    Note: files that named reads in separate parser contexts, such as rndc.key and bind.keys, are not automatically read by named-checkconf. Configuration errors in these files may cause named to fail to run, even if named-checkconf was successful. named-checkconf can be run on these files explicitly, however.

I have also found some pesky errors in my zone files by running named-checkzone on them. That may be indicated as you can run but the zones don't open.

Dave

-- 
David Forrest                 e-mail d...@maplepark.com
Maple Park Development Corporation   http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
Re: installing on SLES 10sp3
David Forrest wrote:
> Lyle, since it runs from the command line, it would seem that you're left with the zone files and those special files named needs. From the named-checkconf man:
>
>     Note: files that named reads in separate parser contexts, such as rndc.key and bind.keys, are not automatically read by named-checkconf. Configuration errors in these files may cause named to fail to run, even if named-checkconf was successful. named-checkconf can be run on these files explicitly, however.
>
> I have also found some pesky errors in my zone files by running named-checkzone on them. That may be indicated as you can run but the zones don't open.
>
> Dave

The more I play, the more it looks like named just plain won't write out to disk anything except via syslog. The issue I saw with named-checkconf was user error (bad command line).

I am starting named as root and it shows up in ps as owned by root. In the global options section I have set:

    directory "/etc/named";

This directory is owned by root and is set to 777 and named still won't write to it. The only thing I can come up with is that it's a problem with SLES 10 SP3. That's the only thing that makes sense, but I should be able to work through that.

When starting named, I see this for all zones. The function to dump the master file fails with an open: permission denied.

    Sep 9 15:30:32 linuxps named[16342]: transfer of '100.0.10.in-addr.arpa/IN' from 209.172.152.3#53: Transfer completed: 1 messages, 260 records, 6103 bytes, 0.224 secs (27245 bytes/sec)
    Sep 9 15:30:32 linuxps named[16342]: zone 100.0.10.in-addr.arpa/IN: sending notifies (serial 2010081601)
    Sep 9 15:30:32 linuxps named[16342]: dumping master file: /etc/named/tmp-EKfXmnQngI: open: permission denied

(I set the above zone for file /etc/named/100.0.10.in-addr.arpa; and it appears that named wants to drop a temp file and rename it.)

    Sep 9 15:30:33 linuxps named[16342]: transfer of '102.0.10.in-addr.arpa/IN' from 209.172.152.3#53: Transfer completed: 1 messages, 261 records, 5636 bytes, 0.283 secs (19915 bytes/sec)
    Sep 9 15:30:33 linuxps named[16342]: zone 102.0.10.in-addr.arpa/IN: sending notifies (serial 2010081601)
    Sep 9 15:30:33 linuxps named[16342]: dumping master file: tmp-wS5yINBtho: open: permission denied

And rndc dumpdb -all yields this error:

    Sep 9 15:46:03 linuxps named[16342]: received control channel command 'dumpdb -all'
    Sep 9 15:46:03 linuxps named[16342]: could not open dump file 'named_dump.db': permission denied

Lyle Giese
LCR Computer Services, Inc.
Re: installing on SLES 10sp3
wllarso wrote:
> I'm not any sort of Linux expert but this started my mind thinking. Take a look at the BIND FAQ, it comes with the sources. There are some Linux specific comments about file and directory permissions. Bind running under Linux drops special 'root' permissions when it starts up.

I am not using the -u option nor am I running in a CHROOT environment. ps shows root owning the named process.

> Also, there are specific issues when running the Security Enhanced Linux. This may be your situation, or not. We can't tell.

I have never on purpose enabled SELinux <GRIN>!

Lyle Giese
Sent from Garminfone by T-Mobile.
Re: DNSSEC, views trusted keys...
In message 4c891404.3000...@imperial.ac.uk, Phil Mayers writes:
> I don't think so. Currently AFAICT bind will not set AD on authoritative zones, with any combination of options.

Add a match-recursion-only view:

    view secure {
        match-clients { internal; };
        match-recursion-only yes;
        recursion yes;
    };
    view internal {
        match-clients { internal; };
        recursion no;
    };
    view external {
        match-clients { !internal; any; };
        recursion no;
    };

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
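As an added example (not from Mark's post or the BIND ARM), here is the three-view layout above expanded into a complete named.conf for Timothe's setup, showing why it yields AD for example.net: internal clients send queries with RD set and land in the "secure" view, which is authoritative for nothing, so it resolves example.net like any other name; its iterative lookups leave with RD clear, are answered by the "internal" view on the same server, and are then validated in the "secure" view against a per-view trust anchor for ksk-internal. Assumed: 10.0.0.0/8 is the internal network, the server listens on 10.0.0.53, the stub zone is my addition to steer the "secure" view at the internal copy rather than the public delegation, and the key placeholder is replaced with the public part of ksk-internal.

```conf
// Added example, not from Mark's post or the BIND ARM. Assumptions: 10.0.0.0/8 is
// the internal network, this host is 10.0.0.53, and the PLACEHOLDER below is the
// public part of ksk-internal.
acl internal { 10.0.0.0/8; 127.0.0.0/8; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; 127.0.0.1; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;       // ISC DLV, as in the original setup
};

// 1. Recursive (RD=1) queries from internal clients land here. The view holds no
//    authoritative data, so example.net answers come from the "internal" view
//    below (fetched with RD=0), are validated here, and get AD set.
view "secure" {
    match-clients { internal; };
    match-recursion-only yes;
    recursion yes;
    // Per-view trust anchor for the internally signed example.net; the external
    // copy (ksk-external) is never seen from this view.
    trusted-keys {
        "example.net." 257 3 8 "<ksk-internal public key, base64, PLACEHOLDER>";
    };
    // Stub zone (my addition): take example.net's NS set from the internal view
    // instead of following the public .net delegation.
    zone "example.net" {
        type stub;
        masters { 10.0.0.53; };
        file "stub/example.net.db";
    };
};

// 2. Non-recursive (RD=0) queries from internal addresses, including the "secure"
//    view's own lookups, get the copy signed with ksk-internal.
view "internal" {
    match-clients { internal; };
    recursion no;
    zone "example.net" {
        type master;
        file "internal/example.net.db";
        update-policy local;     // auto-dnssec needs a dynamic zone in 9.7
        auto-dnssec maintain;
        key-directory "keys/internal";
    };
};

// 3. Everyone else sees the copy signed with ksk-external (registered in the DLV).
view "external" {
    match-clients { !internal; any; };
    recursion no;
    zone "example.net" {
        type master;
        file "external/example.net.db";
        update-policy local;
        auto-dnssec maintain;
        key-directory "keys/external";
    };
};
```

A quick check from an internal host is dig +adflag example.net SOA against 10.0.0.53 (answered by "secure", should carry AD) beside dig +norecurse example.net SOA (answered by "internal", carries AA but not AD).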
Re: installing on SLES 10sp3
Many Linux boxes have additional security subsystems added like SELinux and you need to comply with both the filesystem and SELinux's configuration. Also named drops root permissions. Both of these issues are documented in the FAQ.

http://www.isc.org/software/bind/faq

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org