segfaults with bind RPZ?
All,

I had a use-case for bind RPZ today, so enabled it on our internal testing DNS servers (running 9.8.1-P1). I had already created and deployed the rpz zone, as a sub-zone of our (DNSSEC-signed) main zone.

As soon as the cfengine job ran, which basically added:

    response-policy { zone rpz.main.zone.com; };

...and issued an rndc config, I got a segfault. Hmm. Ok, restart the process. 20 minutes later, another segfault. Hmm.

Open GDB, and I get errors trying to attach:

    ../../gdb/linux-nat.c:1361: internal-error: linux_nat_post_attach_wait: Assertion `pid == new_pid && WIFSTOPPED (status)' failed.

Bah. So I can't supply a traceback unfortunately.

Has anyone else seen problems deploying RPZ in a DNSSEC-validating recursive resolver, running 9.8.1-P1? Platform is x86_64, RHEL5.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
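For readers who want to see what a working RPZ deployment on a recursive BIND server looks like, here is an added example named.conf fragment. It is not the poster's configuration and not taken from the thread: only the zone name rpz.main.zone.com comes from the post, while the ACL name, directory, file names, SOA values and the policy rules are assumptions made for illustration.

```conf
// Added example, not the poster's config. Minimal RPZ on a recursive named.
// Assumed: internal clients are 10.0.0.0/8; directory and file names are made up.

acl internal { 10.0.0.0/8; 127.0.0.1; ::1; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };     // only our own clients may recurse
    allow-query-cache { internal; };   // and only they may read the cache
    // Consult the policy zone before handing answers to recursive clients.
    response-policy { zone "rpz.main.zone.com"; };
};

// The policy zone is loaded locally, like any other master zone, but it is
// private data: it never needs to be in the public delegation tree or signed.
zone "rpz.main.zone.com" {
    type master;
    file "rpz.main.zone.com.db";
    allow-query { localhost; };    // nobody outside the box can read the rules
    allow-transfer { none; };
};

// Assumed contents of rpz.main.zone.com.db, shown as comments because the
// zone data lives in a separate file from named.conf:
//
//   $TTL 300
//   @   IN SOA localhost. hostmaster.main.zone.com. (
//               2011121601 3600 900 604800 300 )
//   @   IN NS  localhost.
//
//   ; QNAME triggers: "CNAME ." rewrites the answer to NXDOMAIN.
//   ; The wildcard covers every name below bad.example as well.
//   bad.example            CNAME .
//   *.bad.example          CNAME .
//
//   ; QNAME trigger: "CNAME *." rewrites the answer to NODATA (empty, NOERROR).
//   tracker.example        CNAME *.
//
//   ; IP trigger: any answer containing an address in 203.0.113.0/24 becomes
//   ; NXDOMAIN. Encoding is prefixlen.B4.B3.B2.B1.rpz-ip (octets reversed).
//   24.0.113.0.203.rpz-ip  CNAME .
```

After adding the response-policy statement the running server picks it up with `rndc reconfig` (or `rndc reload`), and a rule can be checked from an internal client with `dig @resolver bad.example A`, which should now return NXDOMAIN. One caveat that matters on a validating resolver: by default BIND does not apply RPZ rewrites to a response that a client asking for DNSSEC data (DO bit set) could validate, so a query made with `dig +dnssec` against a signed target name may come back unmodified; the `break-dnssec` option in the ARM for your BIND version controls that trade-off.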
Re: Cache only and reverse mapping
On Dec 15, 2011, at 3:07 AM, sasa sasa wrote:
> For an ISP, is there any risk in configuring BIND DNS as cache only and adding customers' reverse mapping zones?

If this copy of the reverse zone is for the world's use (i.e. in the delegation tree), then your DNS server would be answering queries from the world, and a caching server answering queries from the world is vulnerable to known cache vulnerabilities in the DNS protocol.

On the other hand, if this copy of the reverse zone is only to answer your customers' queries, and the DNS server is configured not to answer queries from the world, then you've avoided the DNS protocol vulnerabilities and there's no special risk attached to serving this zone.

Aside from the issue of preventing known cache vulnerabilities in the DNS protocol, folks often separate caching from authoritative (specifically, in the delegation tree) as an insurance policy against bugs and vulnerabilities that haven't been found yet. It's hard to quantify risks associated with bugs and vulnerabilities that no one has found yet and may not even exist.

> Any other possible implementations?

We'd have to know what you're trying to accomplish.

John Wobus
Cornell U
Re: CNAME only zone?
If CloudFlare is similar to Akamai's solution, recursive servers never see the CNAME record. Instead, when the auth server receives the query for the A record of the apex, it performs its own query for the CNAME, and returns the result of this.

In other words, if your theory is correct, this CNAME is window dressing for the customer ("yes, they gave me a CNAME, I'm happy!") while actually they serve A records that they've specified to give the same answer as whatever address the A record of such-and-such name has. What they present in their customer interface or store in their zone-file-equivalent is arbitrary.

Makes DNSSEC interesting.

It's always helpful to be able to tell your customer "yes, we gave you a CNAME, just like you asked for. We do it even if our competitors say no!"

John Wobus

P.S. Hm, I wonder if a TLD will give me a three part CNAME: if they've given me "example.com. CNAME foo", will they also give me "www.example.com. CNAME foo"?
Re: Cache only and reverse mapping
I'm trying to set up a DNS for an ISP. This ISP's DNS is in the delegation tree (answering the world), and I know about cache vulnerabilities, so I was wondering what is the best solution for ISPs?

By separating cache from authorities, you mean implementing 2 DNSs (2 different IPs)? This doesn't sound practical.

Thanks,
Sa
Re: Cache only and reverse mapping
On Dec 16, 2011, at 11:22 AM, sasa sasa wrote:
> I'm trying to set up a DNS for an ISP. This ISP's DNS is in the delegation tree (answering the world), and I know about cache vulnerabilities, so I was wondering what is the best solution for ISPs?
>
> By separating cache from authorities, you mean implementing 2 DNSs (2 different IPs)? This doesn't sound practical.

Then I suspect you know all this, but...

The practicality certainly depends upon your site's situation. Many sites have enough IPs to allocate a few more to DNS, and enough server capacity to run more bind instances, but I imagine some don't. Two such bind instances could be on different hardware or the same, but two IPs would be necessary. Bind typically runs on OSes that, without tricks such as natting, generally support just one program listening to a specific port/ip.

Bind's view feature allows a single bind instance on a single IP to act a bit like two instances, offering some of the advantages of isolating their respective functions.

Aside from this, a bind instance can be configured not to answer queries for non-authoritative data from outside your address space. This also gives you some of the risk advantages you'd get from running separate instances.

John Wobus
Cornell University
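The two options John describes (a view-based split on one address, or simply refusing non-authoritative answers to outsiders) in concrete named.conf form. This is an added example, not configuration from the thread or from ISC: it assumes the customer address space is 192.0.2.0/24 and 2001:db8::/32 (the documentation prefixes), that the reverse zone being served is 2.0.192.in-addr.arpa, and the directory and file names are made up.

```conf
// Added example, not from the thread. One named, one IP, two views.
// Assumed: customers live in 192.0.2.0/24 and 2001:db8::/32; reverse zone
// is 2.0.192.in-addr.arpa; paths are made up.

acl customers { 192.0.2.0/24; 2001:db8::/32; 127.0.0.1; ::1; };

options {
    directory "/var/named";
    recursion no;          // nothing recurses unless a view opens it
    allow-query { any; };  // authoritative data is for the world
};

// Views are tried in order; first match-clients hit wins, so the
// narrower customer view must come before the catch-all.
view "customers" {
    match-clients { customers; };
    recursion yes;
    allow-recursion { customers; };
    allow-query-cache { customers; };
    dnssec-validation auto;

    // Customers get the reverse zone from the same instance that recurses
    // for them; this is the "only to answer your customers' queries" case.
    zone "2.0.192.in-addr.arpa" {
        type master;
        file "2.0.192.in-addr.arpa.db";
    };
};

view "world" {
    match-clients { any; };
    recursion no;                // authoritative-only face
    allow-recursion { none; };
    allow-query-cache { none; }; // outsiders never read cached data
    // Zones are per-view, so the public copy is declared again here. A
    // master zone may share one file between views; slave zones may not.
    zone "2.0.192.in-addr.arpa" {
        type master;
        file "2.0.192.in-addr.arpa.db";
    };
};
```

Without views, the second of John's suggestions on its own is just `allow-recursion { customers; }; allow-query-cache { customers; };` in the global options: the reverse zone stays answerable to the world as authoritative data, while recursion and cache reads are refused to anyone outside the ACL. Both forms close the known cache-poisoning exposure of an open resolver, but they run the recursive and authoritative roles in one process, so a crash or memory-corruption bug in named still takes both down; separate instances on separate addresses remain the stronger isolation.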
Re: Cache only and reverse mapping
sasa sasa wrote:
> I'm trying to set up a DNS for an ISP. This ISP's DNS is in the delegation tree (answering the world), and I know about cache vulnerabilities, so I was wondering what is the best solution for ISPs?
>
> By separating cache from authorities, you mean implementing 2 DNSs (2 different IPs)? This doesn't sound practical.
>
> Thanks,
> Sa

Why not? Your customers don't need to know about the authoritatives directly; the only addresses they'll require are the caching servers'. I'd bet on small efficiencies to be gained only by mixing the two, but not worth the potential troubles, IMHO.