RE: DNS64 - multiple mapping
Hi Rock, So have u got success in mapping specific v6 network to defined v4 network? From: Rock July [mailto:headgea...@yahoo.com] Sent: Monday, June 04, 2012 10:55 AM To: Gaurav Kansal; 'Phil Mayers'; bind-users@lists.isc.org Subject: Re: DNS64 - multiple mapping Hi Gaurav, My goal is to mapped IPv6 to a specific IPv4 network that is why I use a mapped { } in options. Regards, Rock From: Gaurav Kansal gaurav.kan...@nic.in To: 'Rock July' headgea...@yahoo.com; 'Phil Mayers' p.may...@imperial.ac.uk; bind-users@lists.isc.org Sent: Wednesday, May 30, 2012 6:34 PM Subject: RE: DNS64 - multiple mapping Why u are using mapped{} options in dns64 conf ??? What we are doing is: dns64 2001:db8:5200::/96 { Clients { 2001:db8:1000:10::/64; 2001:db8:20:10::/64; ……. }; }; From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Rock July Sent: Monday, May 28, 2012 8:05 AM To: Phil Mayers; bind-users@lists.isc.org Subject: Re: DNS64 - multiple mapping Hi Phil, Thanks. We have multiple IPv4 networks and we want to have different IPv6 address network mapping for each IPv4 manily for security reasons. Based from your reply, I can add multiple dns64 in options. Should I configure it like this? options { directory /var/cache/bind; auth-nxdomain no; listen-on-v6 { any; }; allow-query { any; }; dns64 2001:db8:1:::/96 { clients { any; }; mapped { 10.10.10.0/24; }; }; dns64 2001:db9:1:::/96 { clients { any; }; mapped { 10.10.20.0/24; }; }; }; Thanks From: Phil Mayers p.may...@imperial.ac.uk To: bind-users@lists.isc.org Sent: Thursday, May 24, 2012 4:15 PM Subject: Re: DNS64 - multiple mapping On 05/24/2012 07:36 AM, Rock July wrote: Hi All, Is it possible for me to add multiple dns64 in options? I want to have Yes. different IPv6 prefix for each IPv4 network address. I don't know what the means, but the dns64 option takes a quite comprehensive set of ACLs to match client and original packet A address(es) as well as other options. Perhaps you should read the ARM? ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
ISC Security Advisory: Handling of zero length rdata can cause named to terminate,unexpectedly
ISC Security Advisory: Note: This email advisory is provided for your information. The most up to date advisory information will always be at: http://www.isc.org/software/bind/advisories/cve-2012-1667 please use this URL for the most up to date advisory information. Title: Handling of zero length rdata can cause named to terminate unexpectedly Processing of DNS resource records where the rdata field is zero length may cause various issues for the servers handling them. CVE: CVE-2012-1667 Document Version: 1.0 Posting date: 4 June 2012 Program Impacted: BIND Versions affected: 9.0.x - 9.6.x, 9.4-ESV-9.4-ESV-R5-P1, 9.6-ESV-9.6-ESV-R7, 9.7.0-9.7.6, 9.8.0-9.8.3, 9.9.0-9.9.1 Severity: Critical Exploitable: Remotely Description: This problem was uncovered while testing with experimental DNS record types. It is possible to add records to BIND with null (zero length) rdata fields. Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option auto-dnssec is set to maintain. Other unexpected problems that are not listed here may also be encountered. Impact: This issue primarily affects recursive nameservers. Authoritative nameservers will only be impacted if an administrator configures experimental record types with no data. If the server is configured this way, then secondaries can crash on restart after transferring that zone. Zone data on the master can become corrupted if the zone with those records has named configured to manage the DNSSEC key rotation. CVSS Score: 8.5 CVSS Equation: (AV:N/AC:L/Au:N/C:P/I:N/A:C) For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculatoradvversion=2vector=(AV:N/AC:L/Au:N/C:P/I:N/A:C) Workarounds: Workarounds are under investigation, but none are known at this time. Solution: Upgrade to one of the following versions: https://www.isc.org/software/bind/96-esv-r7-p1 https://www.isc.org/software/bind/976-p1 https://www.isc.org/software/bind/983-p1 https://www.isc.org/software/bind/991-p1 Exploit Status: No known active exploits but a public discussion of the issue has taken place on a public mailing list. Acknowledgment: Dan Luther, Level3 Communications, for finding the issue, Jeffrey A. Spain, Cincinnati Day School, for replication and testing. *Document Revision History: * 1.0 Released to Public 4 June, 2012 1.1 Updated Severity to Critical References: - Do you have questions? Questions regarding this advisory should go to security-offi...@isc.org. - ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy See our BIND Security Matrix for a complete listing of Security Vulnerabilites and versions affected. Note: ISC patches only Currently supported versions. When possible we indicate EOL versions affected. Legal Disclaimer: Internet Systems Consortium (ISC) is providing this notice on an AS IS basis. No warranty or guarantee of any kind is expressed in this notice and none should be inferred. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any inferred warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use of, or reliance on, this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors. -- === Larissa Shapiro BIND and DHCP Product Manager, Internet Systems Consortium laris...@isc.org +1 650 423 1335 http://www.isc.org Need BIND or DHCP support? Look to the experts! ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND 9.7.6-P1 is now available
Introduction BIND 9.7.6-P1 is the latest production release of BIND 9.7. This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P1. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. Support Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo. Security Fixes * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644] * Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.1c New Features * None Feature Changes * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] Bug Fixes * The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995) [RT #29239] * Addresses a race condition that can cause named to to crash when the masters list for a zone is updated via rndc reload/reconfig [RT #26732] * Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone [RT #29028] * Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995] * Uses hmctx, not mctx when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571] * Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings [RT #28600] * A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin) [RT #28565] * Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary [RT #28338] * SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534] Thank You Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc. (c) 2001-2012 Internet Systems Consortium ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND 9.9.1-P1 is now available
Introduction BIND 9.9.1-P1 is the latest production release of BIND 9.9. This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P1. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. Support Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo. Security Fixes * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644] * Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.1c New Features * None Feature Changes * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] * A note will be added to the README in future releases to explain that the improved scalability provided by using multiple threads to listen for and process queries (change 3137, RT #22992) does not provide any performance benefit when running BIND on versions of the linux kernel that do not include the 'lockless UDP transmit path' changes that were incorporated in 2.6.39. (Some linux distributors may have provided this functionality under their own version numbering systems). Bug Fixes * The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995) [RT #29239] * Addresses a race condition that can cause named to to crash when the masters list for a zone is updated via rndc reload/reconfig [RT #26732] * named-checkconf now correctly validates dns64 clients acl definitions. [RT #27631] * Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone [RT #29028] * Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995] * Improves DNS64 reverse zone performance. [RT #28563] * Adds wire format lookup method to sdb. [RT #28563] * Uses hmctx, not mctx when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571] * Prevents intermittent named crashes following an rndc reload [RT #28606] * Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings [RT #28600] * A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin) [RT #28565] * Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary [RT #28338] * SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534] * Prevents named crashes as a result of dereferencing a NULL pointer in zmgr_start_xfrin_ifquota if the zone was being removed while there were zone transfers still pending [RT #28419] * Corrects a parser bug that could cause named to crash while reading a malformed zone file. [RT #28467] * Ensures that when a client recurses its status fields are consistently set so that named doesn't fail on an INSIST in client.c:exit_check. [RT #28346] * Fixed a problem preventing proper use of 64 bit time values in libbind. [RT # 26542] * isccc/cc.c:table_fromwire could fail to free an allocated object on error, leading to a possible memory leak condition. [RT #28265] * Fixed a build error on systems without ENOTSUP. [RT #28200] * The header file isc/hmacsha.h is now installed when building BIND. [RT #28169] * responses will no longer be returned in the additional section when filter--on-v4 is in use. (Prior to this change, they would be returned for some query types). [RT #27292] Thank You Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc. (c) 2001-2012 Internet Systems Consortium ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing
BIND 9.8.3-P1 is now available
Introduction BIND 9.8.3-P1 is the latest production release of BIND 9.8. This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P1. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. Support Product support information is available at http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo. Security Fixes * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644] * Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.1c New Features * None Feature Changes * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] Bug Fixes * The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995) [RT #29239] * Addresses a race condition that can cause named to to crash when the masters list for a zone is updated via rndc reload/reconfig [RT #26732] * named-checkconf now correctly validates dns64 clients acl definitions. [RT #27631] * Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone [RT #29028] * Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995] * Improves DNS64 reverse zone performance. [RT #28563] * Adds wire format lookup method to sdb. [RT #28563] * Uses hmctx, not mctx when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571] * Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings [RT #28600] * A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin) [RT #28565] * Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary [RT #28338] * SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534] Thank You Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc. (c) 2001-2012 Internet Systems Consortium ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND 9.6-ESV-R7-P1 is now available
Introduction BIND 9.6-ESV-R7-P1 is the most recent release of BIND 9.6-ESV. BIND 9.6-ESV is an Extended Support Version of BIND 9. This document summarizes changes from BIND 9.6-ESV-R6 to BIND 9.6-ESV-R7-P1. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. Support Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo. Security Fixes * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644] * Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.1c New Features * None Feature Changes * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] Bug Fixes * The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995) [RT #29239] * Addresses a race condition that can cause named to to crash when the masters list for a zone is updated via rndc reload/reconfig [RT #26732] * Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone [RT #29028] * Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995] * Uses hmctx, not mctx when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571] * A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin) [RT #28565] * Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary [RT #28338] * SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534] Thank You Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc. (c) 2001-2012 Internet Systems Consortium ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Recommended value for max-cache-size for cache-only shared hosts..
At Fri, 1 Jun 2012 21:14:06 +, Dan Mason danma...@qwest.net wrote: cleaning interval has been effectively no-op since BIND 9.5. Tweaking it won't improve performance, although it shouldn't cause a bad effect either. If your cache is too small the CPU will peg when the cleaning-interval goes. Maybe that's changed but the behavior still exists in the 9.7 branch. Setting your cache size really depends on your query load. On a resolver doing 15,000/qps having a cache of 256M will cause a problem during the cleaning-interval whereas if it's 2G you won't notice the interval at all. Also on a busy resolver expect BIND to use about twice as much as where you set your limits. Hmm, looking into the code again, I realized my memory was slightly incorrect: cleaning interval has been effectively no-op since BIND 9.5 should have been cleaning interval has been effectively meaningless and therefore disabled by default since BIND 9.5, and if you explicitly enable it by setting cleaning-interval to a non 0 value, it will still do meaningless but expensive operations. So, in conclusion, my main point should still stand: Tweaking it (cleaning-interval) won't improve performance. And, it could actually do harm. --- JINMEI, Tatuya Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Recommended value for max-cache-size for cache-only shared hosts..
On 06/04/2012 11:36, JINMEI Tatuya / 神明達哉 wrote: At Fri, 1 Jun 2012 21:14:06 +, Dan Mason danma...@qwest.net wrote: cleaning interval has been effectively no-op since BIND 9.5. Tweaking it won't improve performance, although it shouldn't cause a bad effect either. If your cache is too small the CPU will peg when the cleaning-interval goes. Maybe that's changed but the behavior still exists in the 9.7 branch. Setting your cache size really depends on your query load. On a resolver doing 15,000/qps having a cache of 256M will cause a problem during the cleaning-interval whereas if it's 2G you won't notice the interval at all. Also on a busy resolver expect BIND to use about twice as much as where you set your limits. Hmm, looking into the code again, I realized my memory was slightly incorrect: cleaning interval has been effectively no-op since BIND 9.5 should have been cleaning interval has been effectively meaningless and therefore disabled by default since BIND 9.5, and if you explicitly enable it by setting cleaning-interval to a non 0 value, it will still do meaningless but expensive operations. So, in conclusion, my main point should still stand: Tweaking it (cleaning-interval) won't improve performance. And, it could actually do harm. Thanks, I learned something today! But that sort of prompts the question in my mind, why does the option still exist? Doug -- If you're never wrong, you're not trying hard enough ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Split-view zone transfer in a dmz environment
Hello everyone i am trying to set a slave server in my dmz but so far i keep stuck with the transfer zone since the master server is setup in split-view and when the transfer take place my zone example.com in the National View has the same info of example.com in my International View . I read about using Tsig to make this but so far no luck, in my previous environment both server where using 2 ip and everything was ok but now i quite lost can anyone drop some light over here.Thanks and regards. this is what i found related to this https://www.isc.org/faq/item/182 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Announcing DSKM DNSsec key management tool ready for beta testing
This is a DNSsec key management add-on to ISC bind 9.9.x for zones with auto-dnssec maintain; inline-signing yes; It creates and deletes keys, submits DS or DNSKEY RRs to parent, validates chain of trust and does alarming per email if something goes wrong. Zones may be local, public or reverse (IP4 or IP6). Initial implemented registrar is joker.com and ip registry ripe.net. Local means internal zones with local trust anchor. Intention is to have DNSsec automated completely. Design is state-table driven with transitions triggered by DNS query results or point in time reached, written in Python3. License is GPLv3, may be downloaded from here https://sourceforge.net/projects/dskm/files/ Source at GitHub: https://github.com/rabaxabel/DSKM Who implements the next registrar? I will implement manual registrar handover notification per email soon. I'm still improving my knowledge about DNSsec (Thanks list!) but DSKM is running with 3 test domains and shortend key life times for 2 months now with only minor problems. Axel --- PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users