Re: split horizon and zone transfers to secondary DNS servers
> May I transfer *views* rather than zone description files?

No. That's why it is called "zone" transfer. :)

> May I transfer two zone description files for a single zone to a
> single server?

Again no. (See previous thread on your request to serve two zone files for the same zone in the one view; same rules apply here.)

> Or should I use separate secondary DNS servers for internal and
> external zones?

That depends a bit on your setup. Judicious use of views with ACLs could help you solve your problem regarding the zone transfers, but you may feel more comfortable with separate servers.

-JP

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
split horizon and zone transfers to secondary DNS servers
:-)

I have defined two views (let's call them an `internal' and an `external') for my zones on the primary DNS server. Let's assume I'd like the secondary DNS server to use the same two views synchronized to the primary DNS.

May I transfer *views* rather than zone description files?

May I transfer two zone description files for a single zone to a single server?

Or should I use separate secondary DNS servers for internal and external zones?

Best regards,
/M
Re: multiple `zone' clauses for a single domain?
> The documentation for `match-clients' isn't comprehensive enough... Can
> I add all hosts from, for example 172.16/16 except a single host? Does:
>
> match-clients { 172.16.0.0/16; !172.16.1.1; }

BIND checks the ACL in the order you specify. In your example, 172.16.1.1 will be allowed by the first rule. Change the order:

    match-clients { !172.16.1.1; 172.16.0.0/16; };

This disallows 172.16.1.1 first, which will work as you expect it to.

-JP
Re: Bind 9.9.0b2 inline signing...
On 11/24/2011 11:21 AM, Jan-Piet Mens wrote:
> Jeffry,
>
>> I have had a tendency to dig axfr from my Windows workstation
>
> +1 to you for using `dig' on Windows; most don't even know it exists
> and suffer the `nslookup' pain. ;-)

It comes with the Windows version of BIND9.

Danny
Re: multiple `zone' clauses for a single domain?
On 25/11/2011 23:36, Marek Kozlowski wrote:
> One more question:
> The documentation for `match-clients' isn't comprehensive enough... Can
> I add all hosts from, for example 172.16/16 except a single host? Does:
>
> match-clients { 172.16.0.0/16; !172.16.1.1; }

List the exception first, otherwise it will never match:

    match-clients { !172.16.1.1; 172.16.0.0/16; };

Regards,
Anand Buddhdev
RIPE NCC
Re: multiple `zone' clauses for a single domain?
:-)

One more question:

The documentation for `match-clients' isn't comprehensive enough... Can I add all hosts from, for example 172.16/16 except a single host? Does:

    match-clients { 172.16.0.0/16; !172.16.1.1; }

form an AND or an OR?

Best regards,
/m
Re: multiple `zone' clauses for a single domain?
On 25/11/2011 16:59, Marek Kozlowski wrote:
> Is it allowed to use a few `zone' clauses for a single domain? Is
> something like this correct:
>
> zone "mickey.mouse.com" in {
>     type master;
>     file "pri/mickey-public.zone";
>     allow-query { any; };
>     allow-transfer { xfer; };
> };
>
> zone "mickey.mouse.com" in {
>     type master;
>     file "pri/mickey-private.zone";
>     allow-query { trusted; };
>     allow-transfer { xfer; };
> };
>
> where `mickey-public.zone' stores information on public hosts from my
> domain while `mickey-private.zone' stores hosts that should be
> visible/known only for trusted hosts?

This doesn't work -- you can't mix the data from two different zone files in this way. One zone file per zone is the rule. Although that file can include others, this doesn't really provide scope for the sort of thing you want to do.

> Should I duplicate all records from `mickey-public.zone' in
> `mickey-private.zone'?

Duplicating records like that is annoying and error prone. It's a better strategy to create separate zones for your private internal and your public data. So you can have example.com published to the world, and example.local just for your private stuff. Or you could create a sub-domain of your globally published data, e.g. local.example.com. (Although in this case, if you delegate the private zone from the public one, the delegation records and any glue will be publicly available, which may not be desirable.)

> Do I *have* to use views to deal with such distinction or can I specify
> it just as above without views?

If you need to give different answers from the same server depending on who is asking the question, then, yes, you definitely need views.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3    PGP: http://www.infracaninophile.co.uk/pgpkey
Ramsgate                      JID: matt...@infracaninophile.co.uk
Kent, CT11 9PW
Re: Exercising RFC 5011 rollovers
> I looked at the DNSSEC section of the bind test suite
> (bind-9.9.0b2/bin/tests/system/dnssec) to see if a key rollover test is
> part of it. I didn't see that, but it may be elsewhere, as the test suite
> is pretty elaborate. The test suite does contain a simulated root server
> (ns1), so I bet that with a little ingenuity you could devise a key
> rollover test.

Timing considerations make it difficult to have an automatic test for this in the standard BIND test suite; the RFC requires certain things to take a very long time. Unless you modify named to speed up the process, rolling to a new trust anchor and deleting the old one takes over a month, which is kind of a drag when you're running 'make check'. :)

I quite like the idea of setting up a public zone that revokes and replaces trust anchors periodically. I don't know of one at present. The right place to ask is probably the dnssec-deployment mailing list.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
RE: Exercising RFC 5011 rollovers
> Does anyone provide a zone with a trust anchor that is frequently rolled
> over in that way, just so that one can see whether it really works? Then
> one's feelings might be warmer and less fuzzy...

I looked at the DNSSEC section of the bind test suite (bind-9.9.0b2/bin/tests/system/dnssec) to see if a key rollover test is part of it. I didn't see that, but it may be elsewhere, as the test suite is pretty elaborate. The test suite does contain a simulated root server (ns1), so I bet that with a little ingenuity you could devise a key rollover test.
Re: Exercising RFC 5011 rollovers
> given that their respective administrators have
> declared an intention to follow RFC 5011 if they ever roll over their
> KSKs.

As you say "if they ever roll"; I'm not placing any money on that. ;-)

> I could of course set up such a test zone and try to perform an RFC 5011
> rollover on it, using dnssec-revoke and/or the -R option of dnssec-settime,
> meanwhile tracking it on another system via a managed-keys entry, but then
> if it all went pear-shaped it might not be clear whether I had performed
> the rollover correctly or not.

I would gladly participate in such a test, if you need me.

-JP
Exercising RFC 5011 rollovers
Using "managed-keys" for the root zone and for dlv.isc.org can give one a warm fuzzy feeling, given that their respective administrators have declared an intention to follow RFC 5011 if they ever roll over their KSKs. Except, they never have changed their KSKs so far, so the relevant code in BIND doesn't actually get exercised.

Does anyone provide a zone with a trust anchor that is frequently rolled over in that way, just so that one can see whether it really works? Then one's feelings might be warmer and less fuzzy...

I could of course set up such a test zone and try to perform an RFC 5011 rollover on it, using dnssec-revoke and/or the -R option of dnssec-settime, meanwhile tracking it on another system via a managed-keys entry, but then if it all went pear-shaped it might not be clear whether I had performed the rollover correctly or not.

--
Chris Thompson
Email: c...@cam.ac.uk
Re: multiple `zone' clauses for a single domain?
> Do I *have* to use views to deal with such distinction or can I specify
> it just as above without views?

You have to use views so that the server can decide which clients get which responses. This you specify in a match-clients {} stanza within the view.

-JP
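As an added example (not code from this thread or from BIND itself): a small Python model of the first-match evaluation named applies to address match lists, run over the two match-clients orderings discussed in this thread and over an assumed internal/external view pair. The view names and the external view's `any' ACL are assumptions; named ACLs, TSIG keys and the none/localhost keywords are not modelled.

```python
import ipaddress

def parse_acl(text):
    """Parse a BIND-style address match list such as
    '{ !172.16.1.1; 172.16.0.0/16; }' into (negated, network) pairs.
    network is None for the 'any' keyword. Named ACLs, TSIG keys and the
    'none'/'localhost' keywords are not modelled here (assumption)."""
    elements = []
    for item in text.strip().strip("{}").split(";"):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        value = item.lstrip("!").strip()
        net = None if value == "any" else ipaddress.ip_network(value, strict=False)
        elements.append((negated, net))
    return elements

def acl_matches(acl, client):
    """First-match semantics: the first element whose range contains the
    client decides; a negated element denies. No match at all means deny."""
    addr = ipaddress.ip_address(client)
    for negated, net in acl:
        if net is None or addr in net:
            return not negated
    return False

def select_view(views, client):
    """Return the name of the first view whose match-clients admits the
    client, or None if no view matches (named would refuse the query)."""
    for name, acl in views:
        if acl_matches(acl, client):
            return name
    return None

# The two orderings from the thread.
ORIGINAL_ACL = parse_acl("{ 172.16.0.0/16; !172.16.1.1; }")  # exception never reached
FIXED_ACL = parse_acl("{ !172.16.1.1; 172.16.0.0/16; }")     # exception listed first

# Assumed split-horizon layout: the internal view must precede the
# catch-all external view, because views are also tried in order.
VIEWS = [
    ("internal", FIXED_ACL),
    ("external", parse_acl("{ any; }")),
]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, "admits 172.16.1.1:", acl_matches(acl, "172.16.1.1"))
    for client in ("172.16.200.7", "172.16.1.1", "192.0.2.10"):
        print(client, "->", select_view(VIEWS, client))
    print("views reversed, 172.16.200.7 ->",
          select_view(list(reversed(VIEWS)), "172.16.200.7"))
```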
Re: DNSSEC and IXFR
> Is it possible to update a DNSSEC-signed domain, re-sign and generate
> small differences to be transferred by IXFR?
>
> Does it apply with dynamic updates, and with manually configured
> zones (via ixfr-from-differences turned on)?

It works fine with dynamic updates, and as of 9.9.0 it will also work with manually configured zones that have inline-signing turned on.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: multiple `zone' clauses for a single domain?
On Fri, Nov 25, 2011 at 11:59 AM, Marek Kozlowski wrote:
> Do I *have* to use views to deal with such distinction or can I specify
> it just as above without views?

Pretty sure you have to use views; at the least, doing so would likely be the best good practice to follow.

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
multiple `zone' clauses for a single domain?
:-)

Forgive me a stupid question but I can't find the answer... Is it allowed to use a few `zone' clauses for a single domain? Is something like this correct:

    zone "mickey.mouse.com" in {
        type master;
        file "pri/mickey-public.zone";
        allow-query { any; };
        allow-transfer { xfer; };
    };

    zone "mickey.mouse.com" in {
        type master;
        file "pri/mickey-private.zone";
        allow-query { trusted; };
        allow-transfer { xfer; };
    };

where `mickey-public.zone' stores information on public hosts from my domain while `mickey-private.zone' stores hosts that should be visible/known only for trusted hosts?

Should I duplicate all records from `mickey-public.zone' in `mickey-private.zone'?

Do I *have* to use views to deal with such distinction or can I specify it just as above without views?

Best regards,
Marek
Re: bad cache hit
On 11/25/2011 03:19 PM, Tony Finch wrote:
> Bryton wrote:
>> I wonder if anyone has ever got the error
>
> In my logs I have some of this:
>
> 25-Nov-2011 11:23:00.332 dnssec: info: validating @0xabe00470: uofk.edu MX:
> bad cache hit (uofk.edu/DNSKEY)
>
> Which is fairly nicely explained by this:
>
> http://dnsviz.net/d/uofk.edu/dnssec/
>
> Tony.

I understand your scenario: you have a DS in edu but no matching DNSKEY in uofk.edu, so I think there is a broken trust anchor. Now in my case sometimes I get SERVFAIL and sometimes I get the answers I want, showing that it actually works.

--
[ Bryton | Systems Engineer | .tzNIC | www.tznic.or.tz ]
Re: bad cache hit
Bryton wrote:
>
> I wonder if anyone has ever got the error

In my logs I have some of this:

    25-Nov-2011 11:23:00.332 dnssec: info: validating @0xabe00470: uofk.edu MX: bad cache hit (uofk.edu/DNSKEY)

Which is fairly nicely explained by this:

http://dnsviz.net/d/uofk.edu/dnssec/

Tony.
--
f.anthony.n.finch  http://dotat.at/
Viking, North Utsire, South Utsire, Forties, Cromarty, Forth, Tyne, Dogger, Fisher, German Bight, Humber: Westerly or southwesterly 7 to severe gale 9, decreasing 6 at times later. Rough or very rough, but high in Viking, North Utsire and South Utsire. Squally showers. Good, occasionally poor.
Re: DNSSEC and IXFR
Matus UHLAR - fantomas wrote:
>
> Is it possible to update a DNSSEC-signed domain, re-sign and generate small
> differences to be transferred by IXFR?

Yes, it just works with no special effort if you use dynamic updates and auto-dnssec maintain.

Tony.
--
f.anthony.n.finch  http://dotat.at/
South-east Iceland: Northwest severe gale 9 to violent storm 11 backing west 5 to 7, becoming variable 4 later. High or very high. Rain then squally showers. Moderate or good, occasionally poor.
bad cache hit
Hi,

I am having a problem. I am signing a zone with opendnssec. After signing it seems fine, and if I issue

    dig @[dnssec-aware-recursive-server] [zone] +dnssec SOA

from this [dnssec-aware-recursive-server], the answer is returned with RRSIGs and the ad bit. But after some time, if I issue it again I get SERVFAIL, and checking the logs I get this:

    25-Nov-2011 09:16:09.111 debug 3: validating @0xb93ccf28: zone SOA: starting
    25-Nov-2011 09:16:09.111 debug 3: validating @0xb93ccf28: zone SOA: attempting positive response validation
    25-Nov-2011 09:16:09.111 info: validating @0xb93ccf28: zone SOA: bad cache hit (zone/DNSKEY)
    25-Nov-2011 09:16:09.111 debug 3: validator @0xb93ccf28: dns_validator_destroy

But after some time again I get good results with no error. I wonder if anyone has ever got the error.

I have checked with dig +cd and I get answers perfectly, so I suppose it's a DNSSEC issue, and I have checked whether the RRSIGs are expired and that is not the case, as they are not even close to expiry.

I will appreciate any help.

--
[ Bryton | Systems Engineer | .tzNIC | www.tznic.or.tz ]
Re:
On 11/25/2011 00:38, Matus UHLAR - fantomas wrote:
> not mentioning new features (mostly DNSSEC related) that new servers have.

The OP explicitly excluded DNSSEC, but, yeah. :)

--
"We could put the whole Internet into a book."
"Too practical."

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
DNSSEC and IXFR
Hello,

Just for my curiosity: is it possible to update a DNSSEC-signed domain, re-sign and generate small differences to be transferred by IXFR?

Does it apply with dynamic updates, and with manually configured zones (via ixfr-from-differences turned on)?

OT: if anyone uses opendnssec, does it have this feature too?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Atheism is a non-prophet organization.
Re:
On 11/24/2011 20:10, Loganathan Thirukkumaran wrote:
>> Master is in internal running on Bind 9.2.1,

On 25.11.11 00:14, Doug Barton wrote:
> You want to update this one as well. I know that the theory is that
> it's "hidden," but the first time an attacker finds it, it's going to
> get 0wn3d.

Not to mention new features (mostly DNSSEC related) that new servers have.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
Re:
On 11/24/2011 20:10, Loganathan Thirukkumaran wrote:
> Hello All,
>
> We have our slave servers running compiled Bind 9.6.1-P3 on CentOS 5.4.
>
> Can I upgrade to 9.8.1-P1 directly from the current version 9.6.1-P3?
> Or It has to be on the same 9.6.ESV-R5-P1 latest version?

Should be Ok unless you're doing something wacky in your zones. The way to be sure of course is to set up 9.8 on a scratch system and attempt to load your existing config and all the zones.

> Master is in internal running on Bind 9.2.1,

You want to update this one as well. I know that the theory is that it's "hidden," but the first time an attacker finds it, it's going to get 0wn3d.

hth,

Doug

--
"We could put the whole Internet into a book."
"Too practical."

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/