RE: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Tony Finch
Spain, Dr. Jeffry A. spa...@countryday.net wrote:

> From time to time I want to review the current state of the zone files.
> I have been accustomed with v9.8 to taking a copy of a signed zone file
> and stripping out the DNSSEC-related records in a text editor for easy
> review.

I use `dig axfr dotat.at | grep -v RRSIG`.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Faeroes: Southwest 6 to gale 8, becoming cyclonic severe gale 9 to violent
storm 11, perhaps hurricane force 12 later. High or very high, occasionally
phenomenal. Rain or squally showers. Good, occasionally poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Jan-Piet Mens
On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:

> I use `dig axfr dotat.at | grep -v RRSIG`

... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM

hoping, of course, that no owner name is called 'RRSIG' et al.  ;-)

-JP


Re: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Tony Finch
Jan-Piet Mens jpmens@gmail.com wrote:
> On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
>
> > I use `dig axfr dotat.at | grep -v RRSIG`
>
> ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM

I think it is more useful to see those records than to spend effort
stripping them out.

> hoping, of course, that no owner name is called 'RRSIG' et al.  ;-)

Knowing rather than hoping, but yes, it is good enough for the command
line but not safe to embed in a script.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Biscay: Southerly 4 or 5 occasional 6 in north, veering westerly 3 or 4.
Rough. Mainly fair. Moderate or good.


Re: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Shumon Huque
On Thu, Nov 24, 2011 at 02:29:05PM +0100, Jan-Piet Mens wrote:
> On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
>
> > I use `dig axfr dotat.at | grep -v RRSIG`
>
> ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
>
> hoping, of course, that no owner name is called 'RRSIG' et al.  ;-)
>
> -JP

How about something like:

  dig axfr zone | awk '$4 !~ /^NSEC$|^NSEC3$|^RRSIG$/ {print}'

awk requires a tiny bit more typing, but the result is much more precise ..

-- 
Shumon Huque
University of Pennsylvania.


Re: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Chris Thompson

On Nov 24 2011, Shumon Huque wrote:

> On Thu, Nov 24, 2011 at 02:29:05PM +0100, Jan-Piet Mens wrote:
> > On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
> >
> > > I use `dig axfr dotat.at | grep -v RRSIG`
> >
> > ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
> >
> > hoping, of course, that no owner name is called 'RRSIG' et al.  ;-)
> >
> > -JP
>
> How about something like:
>
>  dig axfr zone | awk '$4 !~ /^NSEC$|^NSEC3$|^RRSIG$/ {print}'
>
> awk requires a tiny bit more typing, but the result is much more precise ..


If we are trying to turn Tony's ad hoc command into something publishable,
it would be better to use

 dig +nocmd +nostats +onesoa AXFR zone | awk ...

(although for +onesoa you need the dig from BIND 9.8 or later).

--
Chris Thompson
Email: c...@cam.ac.uk
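
The difference between the substring `grep` chain and a match on the type column, run over zone data where it matters. This is an added example, not part of the thread and not taken from nsdiff; the function names `strip_dnssec` and `strip_by_grep` are hypothetical and the sample zone is constructed.

```sh
#!/bin/sh
# Added example: filter AXFR output on the TYPE column instead of substrings.

# strip_dnssec (hypothetical name): read dig output on stdin and drop records
# whose type (field 4: owner TTL class TYPE rdata) is DNSSEC-related.
strip_dnssec() {
    awk '
        /^;/ || NF == 0 { next }   # dig comment lines and blank lines
        $4 !~ /^(RRSIG|NSEC|NSEC3|NSEC3PARAM|DNSKEY|TYPE65534)$/ { print }
    '
}

# strip_by_grep (hypothetical name): the substring chain from the thread.
strip_by_grep() {
    grep -v RRSIG | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
}

# Constructed sample in the shape of `dig +nocmd +nostats +onesoa AXFR` output.
# Names, addresses and key material are made up.
sample_axfr() {
    cat <<'EOF'
example.test.        3600 IN SOA ns.example.test. hostmaster.example.test. 1 3600 900 604800 300
example.test.        3600 IN RRSIG SOA 8 2 3600 20111224000000 20111124000000 12345 example.test. c2FtcGxl
example.test.        3600 IN NS ns.example.test.
example.test.        3600 IN DNSKEY 256 3 8 c2FtcGxl
example.test.        0 IN NSEC3PARAM 1 0 10 ABCD
example.test.        0 IN TYPE65534 \# 5 0830390000
RRSIG.example.test.  3600 IN A 192.0.2.10
info.example.test.   3600 IN TXT "DNSKEY rollover contact: hostmaster"
www.example.test.    3600 IN A 192.0.2.20
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 300 IN NSEC3 1 0 10 ABCD 2t7b4g4vsa5smi47k61mv5bv1a22bojr A RRSIG
EOF
}

echo "type-column filter:"
sample_axfr | strip_dnssec
echo "substring grep chain:"
sample_axfr | strip_by_grep
```

The type-column filter keeps the `A` record owned by `RRSIG.example.test.` and the `TXT` record that mentions DNSKEY in its data; the grep chain silently drops both.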


RE: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Spain, Dr. Jeffry A.
 dig axfr dotat.at | grep -v RRSIG. Tony.
 dig axfr dotat.at | grep -v RRSIG | grep -v TYPE65534 | grep -v DNSKEY | grep 
 -v NSEC3PARAM. JP.
 dig axfr zone | awk '$4 !~ /^NSEC$|^NSEC3$|^RRSIG$/ {print}'. Shumon.

Thank you, gentlemen. These are very helpful. As we are primarily Windows 
users, I have had a tendency to dig axfr from my Windows workstation and remove 
the DNSSEC-related records with a regular expression search in my text editor. 
I really should take the time to learn more about grep and awk. Happy 
Thanksgiving to all. Jeff.



Re: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Jan-Piet Mens
Jeffry,

> I have had a tendency to dig axfr from my Windows workstation

+1 to you for using `dig' on Windows; most don't even know it exists
and suffer the `nslookup' pain. ;-)

-JP


Re: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Tony Finch
Chris Thompson c...@cam.ac.uk wrote:

> If we are trying to turn Tony's ad hoc command into something publishable,

See the loadzone, axfrzone, and cleanzone functions in
http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff

Writing code to process arbitrary zones is a rather different job from a
quick command line to make it easier to eyeball a simple zone you know
well.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Northwest Hebrides, Bailey: Southerly veering southwesterly storm 10 to
hurricane force 12, veering westerly 7 to severe gale 9 later. Very high. Rain
then squally showers. Moderate or good occasional poor.


RE: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Todd Snyder
 
> > I have had a tendency to dig axfr from my Windows workstation
>
> +1 to you for using `dig' on Windows; most don't even know it exists
> and suffer the `nslookup' pain. ;-)

First thing I do on a new Windows box is download the BIND package and throw 
dig on the box ... well, right after I get FF/Chrome.

I don't understand why Windows doesn't include dig by default, even now.  Free 
software hate?

t.



RE: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Spain, Dr. Jeffry A.
> I don't understand why Windows doesn't include dig by default, even now.
> Free software hate?

I wonder if it is some kind of intellectual property issue. Microsoft has to be 
able to sell Windows and therefore must consider any added costs related to 
including a component that they do not own and would have to license. I suppose 
they could develop a similar application themselves, but I think they tend to 
focus more on end-user rather than administrative functionality in their 
development efforts.

This is certainly not Microsoft's only issue with DNS. They have pretty much 
developed their own DNS ecosystem over the years, starting with Active 
Directory for Windows 2000, and they have not kept up with the functionality in 
bind. For example, the current iteration of Microsoft DNS in Windows Server 
2008 R2 has a faulty implementation of DNSSEC -- you can't enter the root zone 
trust anchor. I have set up my Windows domain controllers (DNS servers) to 
forward to a DNSSEC-enabled bind recursive resolver. Even that turned out to be 
a challenge because of the way Windows uses the CD and DO flags in DNS queries. 
Supposedly DNS in Windows 8 server is going to fix these issues. We shall see. 
Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School



Re: pns nxdomain equivalent

2011-11-24 Thread matei marius



I am giving you more details with the hope that maybe someone will give me a 
hint.


In named.conf  (bind 9.9b2) I have:

# for NXDOMAIN Redirection
zone "." {
   type redirect;
   file "/etc/bind/zones/redirect.db";
};


redirect.db file contains:

$TTL 300
@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
@ IN NS ns.example.net


; suffix matches

; the following line is working
*.youtube.com.     cname     .


; prefix matches are not working

mail*.      cname   .
ads*.       cname   .


; full match is not working too

*fulldomain*.    cname   .

; default behaviour in the case that it is not previously matched

*. IN     A     74.125.39.104

[no subject]

2011-11-24 Thread Loganathan Thirukkumaran
Hello All,
 
We have our slave servers running compiled Bind 9.6.1-P3 on CentOS 5.4.

Can I upgrade to 9.8.1-P1 directly from the current version 9.6.1-P3?  Or does it 
have to be on the same 9.6.ESV-R5-P1 latest version?

Master is internal, running on Bind 9.2.1, only pushing the 
config/zones to slaves. With the current setup we don't face any problem 
pushing the config/zones from master to slaves. Plan to upgrade slaves first to 
patch for CVE-2011-4313 as they are public and doing both authoritative and 
recursive. Will it create any problem if I patch the slaves to the latest version?
 
FYI, We are not using dnssec currently.
 
Thanks in advance 
 
Thiru