Re: Resign a zone

2011-11-10 Thread fakessh @
On Tuesday 8 November 2011 10:34, rams wrote:
 Hi,
 I have signed a zone and have already resigned it two times. Now I am
 resigning the zone again, but after resigning, the RRSIG values are not changed;
 the same old values are displayed. Is anything wrong on my side? Could you please
 guide me on how to change the RRSIG values.


The webmin module provides correct support for resigning a zone,

thanks also to automatic resigning.

-- 
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7

 http://urlshort.eu fakessh @


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: about the A and PTR for sending mail

2011-11-10 Thread Hauke Lampe
On 10.11.2011 02:57, 风河 wrote:

 I have two server IPs, the A records for them are:
 
 mail.dnsbed.com.    300  IN  A    74.117.233.4
 mail.dnsbed.com.    300  IN  A    74.117.232.204
 
 The corresponding PTR records are:
 
 4.233.117.74.in-addr.arpa.    36466  IN  PTR  dnsbed.com.
 204.232.117.74.in-addr.arpa.  36453  IN  PTR  dnsbed.com.

The forward lookup for dnsbed.com returns:
173.245.61.41
173.245.61.115

The reverse entries for your nameserver don't have to match your
mailserver name but they must be consistent, i.e. the reverse must
resolve forward to the IP address.

mail.dnsbed.com -> 74.117.233.4 -> dnsbed.com -> 74.117.233.4 would be a
consistent reverse/forward loop.

mail.dnsbed.com -> 74.117.233.4 -> dnsbed.com -> 173.245.61.41 is not.

Maybe the easiest way would be to change the PTRs of
4.233.117.74.in-addr.arpa. and 204.232.117.74.in-addr.arpa. to
mail.dnsbed.com, so you don't have to move the A records of dnsbed.com.


HTH,
Hauke.



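Hauke's rule (the PTR target does not have to be the mail host's name, but it must resolve back to the same address) as a small check. This is an added example, not from the thread; the A and PTR data are constructed in documentation address ranges rather than the records posted.

```python
import ipaddress

# Constructed sample data (documentation ranges), laid out like the records
# in the thread: two addresses for the mail host whose PTRs point at
# different names.  Not live DNS data.
A_RECORDS = {
    "mail.example.net.": {"192.0.2.4", "192.0.2.204"},
    "example.net.": {"198.51.100.41", "198.51.100.115"},
}
PTR_RECORDS = {
    "192.0.2.4": "example.net.",         # apex, whose A records differ
    "192.0.2.204": "mail.example.net.",  # points back at the mail host
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address, e.g. 4.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_fcrdns(host, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Follow host -> A -> PTR -> A for every address of `host`.

    Returns a list of (ip, ptr_target, status); status is 'consistent' when
    the PTR target's A records include the original address, otherwise
    'no-ptr', 'ptr-target-has-no-a' or 'inconsistent'.
    """
    results = []
    for ip in sorted(a_records.get(host, ()), key=ipaddress.ip_address):
        ptr = ptr_records.get(ip)
        if ptr is None:
            results.append((ip, None, "no-ptr"))
            continue
        forward = a_records.get(ptr)
        if forward is None:
            results.append((ip, ptr, "ptr-target-has-no-a"))
        elif ip in forward:
            # The loop closes: the name does not need to equal `host`.
            results.append((ip, ptr, "consistent"))
        else:
            results.append((ip, ptr, "inconsistent"))
    return results


if __name__ == "__main__":
    for host in ("mail.example.net.", "example.net."):
        for ip, ptr, status in check_fcrdns(host):
            print(f"{host:20} {ip:16} {reverse_name(ip):30} PTR -> {ptr} : {status}")
```

Swapping the two dictionaries for real lookups (dig or dnspython) gives the same report for a live mail host.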

Re: Subdomain Issue

2011-11-10 Thread Lyle Giese

On 11/09/11 15:59, trm asn wrote:



On Wed, Nov 9, 2011 at 3:15 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

Now I have only one question:


On 08.11.11 20:27, trm asn wrote:

The moment I have done the rndc reload example.com, the domain and all
subdomains became not resolvable.


what does the named's log say?

--


Is there any thing wrong if I declare my zone like this as below...

$TTL 300
@       IN  SOA ns4.example.com. postmaster.example.com. (
            200806  ; Serial Number
            10800   ; Refresh after 3 hours
            3600    ; Retry after 1 hour
            604800  ; Expire after 1 week
            300 )   ; Minimum TTL of 1 day
; Name servers
        IN  NS  ns4.example.com
        IN  NS  ns2.example.com
        IN  NS  ns1.example.com
test    IN  NS  ns1973.hostgator.com
test    IN  NS  ns1974.hostgator.com
        IN  A   203.39.45.19
        IN  MX  mail.goole.com
www     IN  CNAME example.com
a       IN  A   203.39.45.20
b       IN  A   203.39.45.21


/\
*Tarak*
*


Where are your A records for your name servers, ns1.example.com, 
ns2.example.com and ns4.example.com?


And please answer the question above, what does the named's log say when 
starting up?


Lyle Giese
LCR Computer Services, Inc.


Re: Securing zone transfer and DDNS

2011-11-10 Thread Aleksander Kurczyk
Thanks everybody for the answers.
I have one more question - how can I block every update for every zone in 
options section using update-policy?

logging { ... };

options {
    directory "/var/named";
    dnssec-enable yes;
    recursion yes;
    allow-recursion { 127.0.0.1; };
    allow-transfer { none; };
    allow-update { none; };
};

key rndc-key { ... };

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { rndc-key; };
};

key transfer-key { ... };

key ddns-key { ... };

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
};

zone "my.zone" IN {
    type master;
    file "my.zone";
    allow-transfer { key transfer-key; };
    update-policy {
        grant ddns-key zonesub ANY;
    };
};

-- 
Pozdrawiam,
Aleksander Kurczyk


Re: Securing zone transfer and DDNS

2011-11-10 Thread Jan-Piet Mens
 I have one more question - how can I block every update for every zone
 in options section using update-policy?

Are you actually *reading* the documentation: the ARM actually defines
`allow-update':

Specifies which hosts are allowed to submit Dynamic DNS updates
for master zones. The default is to deny updates from all
hosts.

-JP


Re: Subdomain Issue

2011-11-10 Thread trm asn
On Thu, Nov 10, 2011 at 8:28 PM, Lyle Giese l...@lcrcomputer.net wrote:

 On 11/09/11 15:59, trm asn wrote:



 On Wed, Nov 9, 2011 at 3:15 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

Now I have only one question:


On 08.11.11 20:27, trm asn wrote:

The moment I have done the rndc reload example.com, the domain and all
subdomains became not resolvable.


what does the named's log say?

--


 Is there any thing wrong if I declare my zone like this as below...

 $TTL 300
 @       IN  SOA ns4.example.com. postmaster.example.com. (
             200806  ; Serial Number
             10800   ; Refresh after 3 hours
             3600    ; Retry after 1 hour
             604800  ; Expire after 1 week
             300 )   ; Minimum TTL of 1 day
 ; Name servers
         IN  NS  ns4.example.com
         IN  NS  ns2.example.com
         IN  NS  ns1.example.com
 test    IN  NS  ns1973.hostgator.com
 test    IN  NS  ns1974.hostgator.com
         IN  A   203.39.45.19
         IN  MX  mail.goole.com
 www     IN  CNAME example.com
 a       IN  A   203.39.45.20
 b       IN  A   203.39.45.21


 /\
 *Tarak*
 *


 Where are your A records for your name servers, ns1.example.com,
 ns2.example.com and ns4.example.com?

 And please answer the question above, what does the named's log say when
 starting up?

 Lyle Giese
 LCR Computer Services, Inc.

ns4 named[3073]: client 116.48.39.92#61358: update 'example.com/IN' denied
ns4 named[3073]: client 1.22.246.108#55201: update 'example.com/IN' denied
ns4 named[3073]: client 1.22.246.108#62801: update 'example.com/IN' denied
ns4 named[3073]: client 1.22.246.108#51446: update 'example.com/IN' denied
ns4 named[3073]: client 1.22.246.108#51446: update 'example.com/IN' denied
ns4 named[3073]: client 1.22.246.108#51446: update 'example.com/IN' denied
ns4 named[3073]: client 220.226.190.130#24055: update 'example.com/IN' denied
ns4 named[3073]: client 116.48.39.92#64924: updating zone 'example.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
ns4 named[3073]: client 116.48.39.92#60524: update 'example.com/IN' denied
ns4 named[3073]: client 116.48.39.92#51572: updating zone 'example.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
ns4 named[3073]: client 116.48.39.92#53227: update 'example.com/IN' denied
ns4 named[3073]: client 202.134.152.150#1050: update 'example.com/IN' denied
ns4 named[3073]: client 202.134.152.150#1082: updating zone 'example.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
ns4 named[3073]: client 202.134.152.150#1085: update 'example.com/IN' denied
ns4 named[3073]: client 116.48.39.92#54887: updating zone 'example.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
ns4 named[3073]: client 116.48.39.92#64927: update 'example.com/IN' denied

Above are the logs; it's flooded with those error messages.

/\
Tarak

Re: Subdomain Issue

2011-11-10 Thread Lyle Giese

On 11/10/11 12:24, trm asn wrote:



On Thu, Nov 10, 2011 at 8:28 PM, Lyle Giese l...@lcrcomputer.net wrote:

On 11/09/11 15:59, trm asn wrote:



On Wed, Nov 9, 2011 at 3:15 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

Now I have only one question:


On 08.11.11 20:27, trm asn wrote:

The moment I have done the rndc reload example.com, the domain and all
subdomains became not resolvable.


what does the named's log say?

--


Is there any thing wrong if I declare my zone like this as below...

$TTL 300
@       IN  SOA ns4.example.com. postmaster.example.com. (
            200806  ; Serial Number
            10800   ; Refresh after 3 hours
            3600    ; Retry after 1 hour
            604800  ; Expire after 1 week
            300 )   ; Minimum TTL of 1 day
; Name servers
        IN  NS  ns4.example.com
        IN  NS  ns2.example.com
        IN  NS  ns1.example.com
test    IN  NS  ns1973.hostgator.com
test    IN  NS  ns1974.hostgator.com
        IN  A   203.39.45.19
        IN  MX  mail.goole.com
www     IN  CNAME example.com
a       IN  A   203.39.45.20
b       IN  A   203.39.45.21


/\
*Tarak*
*


Where are your A records for your name servers, ns1.example.com,
ns2.example.com and ns4.example.com?

And please answer the question above, what does the named's log say
when starting up?

Lyle Giese
LCR Computer Services, Inc.




ns4 named[3073]: client 116.48.39.92#61358: update 'example.com/IN' denied

ns4 named[3073]: client 116.48.39.92#64924: updating zone 'example.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

Above are the logs; it's flooded with those error messages.




/\
Tarak



The first error basically states the zone is not set up for Dynamic DNS 
updates, or at least not from the IP address 116.48.39.92.  And that is 
set up in named.conf, not the zone file (the zone file is what is posted 
here).


The second error is a result of the first error.

Lyle Giese
LCR Computer Services, Inc.
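The denied/NXRRSET lines in this thread, and Lyle's reading of them (the zone rejects updates from those clients, so the prerequisite failures follow), lend themselves to a small triage script that says who is flooding the log. This is an added example, not from the thread; the log lines are constructed in the same format as the ones posted, using documentation-range addresses rather than the real client IPs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, same layout as the named messages in the thread.
SAMPLE_LOG = """\
ns4 named[3073]: client 192.0.2.10#61358: update 'example.com/IN' denied
ns4 named[3073]: client 198.51.100.7#55201: update 'example.com/IN' denied
ns4 named[3073]: client 198.51.100.7#62801: update 'example.com/IN' denied
ns4 named[3073]: client 192.0.2.10#64924: updating zone 'example.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
ns4 named[3073]: client 203.0.113.5#1050: update 'example.com/IN' denied
ns4 named[3073]: client 192.0.2.10#64927: update 'example.com/IN' denied
ns4 named[3073]: client 127.0.0.1#49152: update 'example.com/IN' approved
"""

# "update '<zone>' denied": the client is not allowed to update at all
# (allow-update / update-policy in named.conf, as Lyle explains).
DENIED = re.compile(r"client (?P<ip>[\d.:a-fA-F]+)#\d+: update '(?P<zone>[^']+)' denied")
# Prerequisite failure: an update that got as far as being evaluated.
PREREQ = re.compile(
    r"client (?P<ip>[\d.:a-fA-F]+)#\d+: updating zone '(?P<zone>[^']+)': "
    r"update failed: '(?P<prereq>[^']+)' prerequisite not satisfied \((?P<rcode>\w+)\)"
)


def summarise_updates(log_text: str):
    """Count denied updates per (zone, client) and prerequisite failures per rcode.

    Returns (denied, prereq_failed): denied maps zone -> Counter of client IPs,
    prereq_failed maps zone -> Counter of rcodes such as NXRRSET.
    """
    denied = defaultdict(Counter)
    prereq_failed = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            denied[m["zone"]][m["ip"]] += 1
            continue
        m = PREREQ.search(line)
        if m:
            prereq_failed[m["zone"]][m["rcode"]] += 1
    return denied, prereq_failed


def top_denied_clients(log_text: str, zone: str, n: int = 3):
    """The n client addresses with the most denied updates for `zone`."""
    denied, _ = summarise_updates(log_text)
    return denied[zone].most_common(n)


if __name__ == "__main__":
    denied, prereq = summarise_updates(SAMPLE_LOG)
    for zone, clients in denied.items():
        print(f"{zone}: {sum(clients.values())} denied updates from {len(clients)} clients")
        for ip, count in clients.most_common():
            print(f"  {ip:16} {count}")
    for zone, rcodes in prereq.items():
        print(f"{zone}: prerequisite failures {dict(rcodes)}")
```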


OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-10 Thread McConville, Kevin
I know that this isn't the forum for betas, which is why I put off-topic on the 
subject line.  We are trying to implement DNSSEC for our static zones. While 
the dynamic signing has been automated, static inline-signing isn't available 
until Bind 9.9

We have been testing with the alphas and now with the beta. What we are seeing 
is that whenever named starts, it initially creates the signed static zone 
file, but never really finishes. The logging shows:

10-Nov-2011 14:38:14.766 general: error: zone xx.org/IN (signed): not 
loaded due to errors.
10-Nov-2011 14:38:14.766 general: info: zone localhost/IN: loaded serial 42
10-Nov-2011 14:38:14.767 general: notice: all zones loaded
10-Nov-2011 14:38:14.768 general: notice: running
10-Nov-2011 14:38:14.768 general: info: zone xx.org/IN (signed): loaded 
serial 200905
10-Nov-2011 14:38:14.768 notify: info: zone xx.org/IN /IN (signed): sending 
notifies (serial 200905)

So, it doesn't load the zone due to errors, but then later claims to load the 
same zone file.

Has anyone been able to get the inline-signing function to work? I've 
triple-checked my named.conf, ran named-checkzone, went to a vanilla zone file, 
and even tested the zone file as dynamic (which worked).

Any ideas or suggestions of where to check next are greatly appreciated.

Thanks,

-Kevin


Kevin McConville

University at Albany


Re: OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-10 Thread Michael Graff
Do you see that each time named starts or just on the first load of the zone?  
What happens if you send a query to the server with dig +dnssec?



On Nov 10, 2011, at 14:23, McConville, Kevin kmcconvi...@albany.edu wrote:

 I know that this isn’t the forum for betas, which is why I put off-topic on 
 the subject line.  We are trying to implement DNSSEC for our static zones. 
 While the dynamic signing has been automated, static inline-signing isn’t 
 available until Bind 9.9
  
 We have been testing with the alphas and now with the beta. What we are 
 seeing is that whenever named starts, it initially creates the signed static 
 zone file, but never really finishes. The logging shows:
  
 10-Nov-2011 14:38:14.766 general: error: zone xx.org/IN (signed): not 
 loaded due to errors.
 10-Nov-2011 14:38:14.766 general: info: zone localhost/IN: loaded serial 42
 10-Nov-2011 14:38:14.767 general: notice: all zones loaded
 10-Nov-2011 14:38:14.768 general: notice: running
 10-Nov-2011 14:38:14.768 general: info: zone xx.org/IN (signed): loaded 
 serial 200905
 10-Nov-2011 14:38:14.768 notify: info: zone xx.org/IN /IN (signed): 
 sending notifies (serial 200905)
  
 So, it doesn’t load the zone due to errors, but then later claims to load the 
 same zone file.
  
 Has anyone been able to get the inline-signing  function to work? I’ve 
 triple-checked my named.conf, ran named-checkzone, went to a vanilla zone 
 file, and even tested the zone file as dynamic (which worked).
  
 Any ideas or suggestions of where to check next are greatly appreciated.
  
 Thanks,
  
 -Kevin
  
 Kevin McConville
 University at Albany
  

Re: OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-10 Thread Evan Hunt
 I know that this isn't the forum for betas

Sure it is. :)

 We have been testing with the alphas and now with the beta. What we are
 seeing is that whenever named starts, it initially creates the signed
 static zone file, but never really finishes.

What do you mean by never really finishes?

What are the options that are set for the static zone?  You should have
these:

auto-dnssec maintain;
inline-signing yes;
key-directory "dir";

...with dir set to the location of the DNSSEC signing keys for your
zone, including at least one KSK and one ZSK, both of which are set to
be published and active.

 10-Nov-2011 14:38:14.766 general: error: zone xx.org/IN (signed): not 
 loaded due to errors.
[...]
 10-Nov-2011 14:38:14.768 general: info: zone xx.org/IN (signed): loaded 
 serial 200905

There are two versions of the xx.org zone.  One is the unsigned
(or raw) version, which holds the data loaded from your master file.  The
other is the signed version, which contains a copy of the raw version
*plus* all the DNSSEC data; this is the one that answers queries.

If you configure zone xx.org to use the masterfile xx.db, then the
unsigned version of the zone is loaded from that file.  The signed version
of the zone will be loaded from xx.org.signed.

The error referred to in the first log message above is probably that
xx.org.signed doesn't exist.  Since there's no masterfile to load
the signed version of the zone from, named will go about creating one for
you.  So the error being logged isn't really an error, it just looks like
one; we should probably see about silencing it.

At this point, named walks through the unsigned version of the zone, adds
RRSIG and NSEC records, and generates a delta which is then applied to the
signed version of the zone.  After that, the signed version of the zone is
fully populated and ready to answer queries.  You should then be able to
run dig +dnssec @localhost xx.org dnskey and see your signing keys
and their signatures.  (If you don't, I'd check to make sure your keys
are in the right place, accessible to named, and published and active.)

The next time you start your server up, the not loaded due to errors
message should have gone away.  (If it hasn't, then something may have
prevented the signed zone's masterfile from being created properly,
and I would check directory permissions.)

When you modify your static zone file and run 'rndc reload', named
will detect the changes that you've made via the same mechanism as
ixfr-from-differences, generate signatures for the new records, and
add those to the signed version of the zone automatically.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Re: Securing zone transfer and DDNS

2011-11-10 Thread Mark Andrews

In message <4b476ffb.2625d518.4ebbf979.d1...@o2.pl>, Aleksander Kurczyk writes:
 Thanks everybody for the answers.
 I have one more question - how can I block every update for every zone in
 options section using update-policy?

Updates are blocked by default and will always be blocked by default.
There is no global way to set update-policy.  It is only a zone option.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Using IPv6/IPv4 tunnels to send queries to a DNS server

2011-11-10 Thread Hansen Candrawinata
Thanks for the responses.

Can a DNS server (the machine, not BIND) be a tunnel endpoint
for 6to4?

Thanks,
Hansen


On Thu, Nov 10, 2011 at 3:05 PM, Hansen Candrawinata
hansen.candrawin...@gmail.com wrote:
 This is not strictly a BIND related question, but thought someone here
 probably knew the answer.

 Is it valid to use IPv6/IPv4 tunnels to send DNS queries to a DNS server.

 Does anyone know what the standards (RFCs) say about this?

 Thanks.


Re: Using IPv6/IPv4 tunnels to send queries to a DNS server

2011-11-10 Thread Mark Andrews

In message <ca+ofh68z4wuagabxsjnvfyhyhjlkksyljmutrqycgbphmdv...@mail.gmail.com>,
 Hansen Candrawinata writes:
 Thanks for the responses.
 
 Can a DNS server (the machine, not BIND) be a tunnel endpoint
 for 6to4?

Yes, provided it meets all the criteria for being a 6to4 tunnel end
point.  You need a non-ambiguous IPv4 address for the tunnel end
point.  If your ISP gives you a NAT'd (shared) address you can't
run 6to4.  You can't use an RFC 1918 address for your tunnel end
point.  Your firewall needs to expect reply traffic from anywhere.
Just because you send your encapsulated packet to
192.88.99.1, don't expect the encapsulated reply traffic to come
from 192.88.99.1.  6to4 traffic is asymmetric.  Some ISPs run firewalls
which block non-symmetric traffic.

A major part of the problem Google and other big providers have
with deploying IPv6 is badly configured 6to4 gateways (often done
automatically) and code that doesn't fall back to IPv4, or fall
back to IPv4 in a timely manner.  Put the two together and you have
problems.

Test your 6to4 configuration.

Personally I would set up a tunnel with a tunnel broker, like HE.NET,
rather than running 6to4.  You then know who to talk to when you
have IPv6 problems.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
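Mark's endpoint criteria (a globally unique, non-NAT'd, non-RFC 1918 IPv4 address) and the 2002::/16 mapping that 6to4 builds on, as an added example that is not from the thread. It also goes the other way, extracting the IPv4 endpoint embedded in a 6to4 source address, which is what you need when such traffic shows up in logs. The address ranges and sample addresses are constructed; the shared-address range is RFC 6598 space, which is what a NAT'd (shared) ISP address typically falls in.

```python
import ipaddress

# Ranges that cannot serve as a 6to4 endpoint.  RFC 1918 private space and
# RFC 6598 shared (carrier NAT) space are the two cases Mark names; loopback,
# link-local and multicast are added here because they are unroutable too.
# Documentation ranges (192.0.2.0/24 etc.) are deliberately not excluded so
# the constructed samples below pass.
UNUSABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # shared address space (NAT'd)
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
]
SIXTO4 = ipaddress.ip_network("2002::/16")
# Relay anycast address the thread mentions; replies come from any relay,
# not from this address, so the firewall must accept protocol 41 from anywhere.
ANYCAST_RELAY = ipaddress.ip_address("192.88.99.1")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Map an IPv4 endpoint to its 6to4 /48: 2002:AABB:CCDD::/48 (RFC 3056)."""
    p = ipaddress.IPv4Address(ipv4).packed
    return ipaddress.ip_network(f"2002:{p[0]:02x}{p[1]:02x}:{p[2]:02x}{p[3]:02x}::/48")


def check_6to4_endpoint(ipv4: str):
    """Return (ok, reason, prefix); prefix is None when the address is unusable."""
    addr = ipaddress.ip_address(ipv4)
    if addr.version != 4:
        return False, "not an IPv4 address", None
    for net in UNUSABLE:
        if addr in net:
            return False, f"{addr} is in {net}, not a globally unique address", None
    return True, "ok", sixto4_prefix(ipv4)


def embedded_ipv4(ipv6: str):
    """For a 2002::/16 address, return the IPv4 endpoint encoded in bits 16-47, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        return None
    return str(ipaddress.IPv4Address(addr.packed[2:6]))


if __name__ == "__main__":
    for sample in ("192.0.2.4", "10.1.2.3", "100.64.1.1", "192.168.0.1"):
        ok, reason, prefix = check_6to4_endpoint(sample)
        print(f"{sample:14} ok={ok} prefix={prefix} ({reason})")
    print("2002:c000:204::1 comes from", embedded_ipv4("2002:c000:204::1"))
```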


Reason for Limited number of Root DNS Servers

2011-11-10 Thread Gaurav Kansal
Dear All,

Somewhere I read that the number of ROOT DNS servers is limited to 13 because of
a protocol limitation of DNS and UDP.

The exact wording was: "A combination of limits in the DNS and certain
protocols, namely the practical size of unfragmented User Datagram Protocol
(UDP) packets, resulted in a limited number of root server addresses that
can be accommodated in DNS name query responses. This limit has determined
the number of name server installations at (currently) 13 clusters, serving
the needs of the entire public Internet worldwide."

As the root DNS servers are running in anycast, the number is not an issue at all. But I
don't understand where exactly this limitation exists.

Please, someone elaborate on this.

Thanks and Regards,

Gaurav Kansal

9910118448
