Re: Securing zone transfer and DDNS

2011-11-07 Thread Aleksander Kurczyk
On 7 November 2011 3:47 Doug Barton do...@dougbarton.us wrote:
> First question, why use 2 keys? The combination of a key and an address
> match list should be enough. Second question, what version of BIND are
> you using? It probably doesn't matter, but it's good form to include
> that information.

Because I want to try to set up multiple keys. Currently I have only one server
(localhost - 127.0.0.1), but in future, on a real working network, I would have to
set up more than one server and I don't know how. Will I simply have to add a new
key to the allow-update or allow-transfer option?

Bind version is: 9.7.4

>> Unfortunately when I add more than one key to the keys option in the
>> server section, named doesn't start anymore. The format of the key
>> option in the book is different from the one in the manual. When I remove
>> the whole server section everything works OK. Is the keys section
>> important? What is this section for? How can I use one key to
>> secure zone transfer to one host and another to secure zone transfer to
>> another host? Is it possible?
>
> Doesn't look that way. The ARM is your best source for config info.

Maybe this is a stupid question but what is ARM?

> The include directive is related to adding an external file to your
> named.conf. Unless that's what you're intending to do, you probably
> don't want it here.

The key is in an external file.

>> server 127.0.0.1 { keys { key; }; };
>
> The term keys here would seem to indicate that you can add multiple
> keys per server, but ...
>
>> zone my.zone in { type master; file my.zone; allow-transfer { key
>> key; }; allow-update { key key; }; };
>
> I don't see anything in the ARM about including key directives in the
> allow-update or allow-transfer grammar.

Without that (keys only in the server section) I can transfer the whole domain (dig
my.zone axfr) without passing any key.

> You can probably also get some useful information by using named-checkconf.

named-checkconf returns an error: "} expected after ;" and "; expected
after }".

-- 
Regards,
Aleksander Kurczyk
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Securing zone transfer and DDNS

2011-11-07 Thread Phil Mayers

On 07/11/11 14:31, Aleksander Kurczyk wrote:

> Maybe this is a stupid question but what is ARM?

Google for "bind ARM". 1st hit.


RE: Securing zone transfer and DDNS

2011-11-07 Thread Davis, Robert
Administrator's Reference Manual.

Bob Davis
National Agricultural Library
robert.dav...@ars.usda.gov
301.504.5859

-Original Message-
From: bind-users-bounces+robert.davis1=ars.usda@lists.isc.org
[mailto:bind-users-bounces+robert.davis1=ars.usda@lists.isc.org] On
Behalf Of Phil Mayers
Sent: Monday, November 07, 2011 9:47 AM
To: bind-users@lists.isc.org
Subject: Re: Securing zone transfer and DDNS

On 07/11/11 14:31, Aleksander Kurczyk wrote:

> Maybe this is a stupid question but what is ARM?

Google for bind ARM. 1st hit.

Re: Securing zone transfer and DDNS

2011-11-07 Thread Evan Hunt
> Create your keys with the dnssec-keygen utility (check its manual page).

Or 'ddns-confgen' is somewhat simpler.  Its output is already in the
format named.conf wants, and the keys it generates can be repurposed
for other uses than DDNS.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Securing zone transfer and DDNS

2011-11-07 Thread Aleksander Kurczyk
On 7 November 2011 15:59 Jan-Piet Mens jpmens@gmail.com wrote:
>> Bind version is: 9.7.4
>
> Upgrade; 9.8.1 is current. (In addition, you're reading a book called
> BIND 10 -- even though the book doesn't once mention that software!)

I'm using Mac OS X 10.4.11 Tiger on a G4 400 MHz PPC Mac and BIND 9.7.4 is the
last version that I'm able to use.

> I assume what you probably want to do is something like this:
>
> key my.key {
>     algorithm HMAC-MD5;
>     secret ;
> };
> key my.key2 {
>     ...
> };
>
> acl xferkey {
>     key my.key2;
> };
>
> zone example.net IN {
>     type master;
>     file example.net;
>     allow-update {
>         key my.key;
>     };
>     allow-transfer {
>         xferkey;
>     };
> };

That's what I'm trying to do :) but what's with the server section? In the book
it's in both the master and slave (zone transfer) named.conf files.

> Instead of allow-update, I'd like to suggest you read up on the `grant'
> statement which allows a much finer granularity on DDNS.

I have tried:
update-policy { grant key subdomain my.zone any; }; (described in this book)
but it doesn't work.

-- 
Regards,
Aleksander Kurczyk

Re: Securing zone transfer and DDNS

2011-11-07 Thread Michael Graff
Are you saying you cannot compile from source, or that you must use the vendor 
supplied version of bind?

On Nov 7, 2011, at 10:04, Aleksander Kurczyk aleksanderkurc...@o2.pl wrote:

> I'm using Mac OS X 10.4.11 Tiger on G4 400 MHz PPC Mac and BIND 9.7.4 is the 
> last version that I'm able to use.


Re: Re: Securing zone transfer and DDNS

2011-11-07 Thread Mark Andrews

In message 85ecc83.4a6e4d68.4eb81652.18...@o2.pl, Aleksander Kurczyk writes:
> On 7 November 2011 17:29 Michael Graff mgr...@isc.org wrote:
>> Are you saying you cannot compile from source, or that you must use the
>> vendor supplied version of bind?
> I have tried to compile version 9.8.1 but make exited with some errors. I
> have compiled version 9.7.4. The version of BIND supplied with this
> version of OS X (10.4.11) is 9.4.x. I'm using Xcode tools 2.5 (gcc 3.3
> and 4.0) supplied with Tiger.

Please send a full transcript of the compile of 9.8.1 to bind9-b...@isc.org.
Tiger is getting long in the tooth now, but named should still compile on it;
however, we don't have a version of MacOS that old to do test builds on anymore.

As for your zone transfer problem: specify the key to use in the masters
clause.

masters { 1.2.3.4 key xferkey; };

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
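Putting the pieces of this thread together (Aleksander's two-key question, Jan-Piet's acl/zone layout, Evan's ddns-confgen tip and Mark's masters clause), here is an added example that is not from any of the posters, the book or ISC: one master and one slave with two separate TSIG keys, one used only by DDNS clients and one used only by the slave for zone transfers. The key names, the secrets, the zone name, the file paths and the 192.0.2.x addresses are assumed values; the secrets are placeholders to be replaced with ddns-confgen or dnssec-keygen output. Two points from the ARM bear directly on the questions above: the address_match_list grammar used by allow-transfer and allow-update accepts `key key_id` elements, so an acl that contains nothing but a key is valid; and the keys clause of the server statement, despite its plural grammar, supports only a single key per server, which is why named refuses to start when two keys are listed there. In update-policy, the identity named right after `grant` is the name of a key statement, and a zone takes either allow-update or update-policy, not both.

```conf
# Added example, not from the thread. Names, secrets, paths and addresses are assumed.
# Generate real secrets with: ddns-confgen -k ddns.key  (or dnssec-keygen) and
# replace the PLACEHOLDER strings below; never commit real secrets to a zone file.

# ---- /etc/named/ddns.key : installed on the master ONLY (least privilege) ----
key "ddns.key" {
    algorithm hmac-md5;                       # hmac-sha256 is preferable where both ends support it
    secret "PLACEHOLDER_BASE64_SECRET_1==";
};

# ---- /etc/named/xfer.key : installed on the master AND the slave ----
key "xfer.key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER_BASE64_SECRET_2==";
};

# ---- master named.conf (192.0.2.1) ----
include "/etc/named/ddns.key";                # key files: mode 0640, owned by named's user
include "/etc/named/xfer.key";

acl "xferkey" { key "xfer.key"; };            # address_match_list element: key key_id

zone "my.zone" IN {
    type master;
    file "my.zone";
    allow-transfer { xferkey; };              # unsigned AXFR/IXFR from anywhere is REFUSED
    update-policy {                           # finer-grained than allow-update; use one or the other
        # identity   ruletype  name      types
        grant "ddns.key" subdomain my.zone. A AAAA TXT;   # no SOA/NS changes via DDNS
    };
};

# ---- slave named.conf (192.0.2.2) ----
include "/etc/named/xfer.key";                # the slave never sees the DDNS key

# Sign every request to the master with xfer.key. The ARM allows only ONE key
# per server here, so the per-host choice of key is made by the address, not by
# listing several keys.
server 192.0.2.1 { keys { "xfer.key"; }; };

zone "my.zone" IN {
    type slave;
    file "slaves/my.zone";
    # Equivalent per-zone form (Mark Andrews' suggestion); either this or the
    # server statement above is enough to get the transfer signed.
    masters { 192.0.2.1 key "xfer.key"; };
    allow-transfer { none; };                 # the slave does not hand the zone on to anyone
};
```

Run `named-checkconf` against each file before starting named; the "} expected after ;" message seen earlier is the parser's complaint about a missing `;` or `}` and names the exact line. Then verify from the slave that an unsigned `dig @192.0.2.1 my.zone axfr` is answered with REFUSED and that `dig -y hmac-md5:xfer.key:PLACEHOLDER_BASE64_SECRET_2== @192.0.2.1 my.zone axfr` succeeds. If the unsigned transfer still works, the key has not actually reached the zone's allow-transfer list (for instance because only the server statement was configured, which controls what this side signs, not what the master accepts).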

Re: several master ip's for a slave zone

2011-11-07 Thread Barry Margolin
In article mailman.5.1320639019.68562.bind-us...@lists.isc.org,
 Mark Andrews ma...@isc.org wrote:

> Transfer graph loops prevent expire working as a safeguard against
> loss of connectivity to the master source.

Some people may consider that a feature.

Of course, they could also just set the expire time really high.

-- 
Barry Margolin
Arlington, MA