RE: BIND, DNSSEC & AD

2012-06-29 Thread Marc Lampo
Hello,

(not a Bind related question!)

Last time I looked at Microsoft documentation I remember having seen that
DNSSEC is for static files only,
*not* for "Active Directory integrated" domains!
If that is still true, I think the question about importing keys is
irrelevant.

You would be needing Bind - from 9.7 onwards - for the DNS servers of the
AD domains.
Bind can do the trick (DNSSEC + dynamic updating).

It would be sufficient to share the KSK; ZSKs can be separate (as they
are signed by the then shared KSK).

But is an internal AD domain really a plausible attack vector for
hackers?

Kind regards,

Marc Lampo
Security Officer
EURid (for .eu)

From: John Williams [mailto:john.1...@yahoo.com]
Sent: 28 June 2012 10:35 PM
To: bind-users@lists.isc.org
Subject: BIND, DNSSEC & AD

I have an environment that hosts a BIND based internet facing domain, call
it abc.com.  I also have an internal Active Directory instance that hosts
a MS based DNS instance called abc.com as well.  Everything works fine
until we decided to implement DNSSEC on Active Directory.

Here is my question: is it possible to integrate the two domains?  Can I
import the BIND DNSSEC keys into MS AD and build DNSSEC into AD using that
method?  Is there a better method?  I don't want to have AD DNS be my
forward (Internet) facing application.

Thanks.

JT

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
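Marc's point about sharing the KSK can be checked concretely: the parent only publishes one DS record, so the KSK served by BIND and the copy loaded into the AD-hosted zone must derive the same DS. The script below is an added example (not from this thread) that computes the RFC 4034 Appendix B key tag and the SHA-256 DS digest (digest type 2, RFC 4509) from DNSKEY presentation strings; the 4-byte key material is constructed for illustration, not a real key.

```python
"""Compare the DS derived from two copies of a KSK (added example, not from the thread)."""
import base64
import hashlib

SHA256_DIGEST_TYPE = 2  # DS digest type for SHA-256 (RFC 4509)

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical lowercase wire form, the input the DS digest covers."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def parse_dnskey(presentation: str) -> bytes:
    """'257 3 8 <base64>' (flags, protocol, algorithm, key) -> DNSKEY RDATA bytes."""
    flags, proto, alg, *b64 = presentation.split()
    key = base64.b64decode("".join(b64))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, fold the carry."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type, hex digest) of the DS for this DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], SHA256_DIGEST_TYPE, digest

def same_trust_anchor(owner: str, key_a: str, key_b: str) -> bool:
    """True when both DNSKEY records yield one DS, so a single parent DS
    validates both the BIND-served zone and the AD copy signed with it."""
    return ds_record(owner, parse_dnskey(key_a)) == ds_record(owner, parse_dnskey(key_b))

if __name__ == "__main__":
    # Constructed 4-byte "key"; a real KSK is hundreds of bytes of base64.
    ksk = "257 3 8 AQIDBA=="
    print(ds_record("example.com.", parse_dnskey(ksk)))
    print(same_trust_anchor("example.com.", ksk, "257 3 8 AQIDBQ=="))  # False
```

Feed it the DNSKEY lines from `dig DNSKEY` against each server and compare the result with the DS the registrar publishes.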

Re: A records in response with CNAME records

2012-06-29 Thread Mark Andrews

Stop spamming the list with essentially the same question.

comp.protocols.dns.bind and bind-us...@isc.org are bi-directionally
gatewayed.

And to answer your question: no, there isn't a switch.

In message <92e42992-d0be-4d53-b0dc-866102a4e...@googlegroups.com>, Srinivas Krishnan writes:
> A lot of times we get responses that look like:
>
> a.b.c.d CNAME x.y.z
> x.y.z IP  1.1.1.1
>
> BIND always sends out an additional query as soon as it encounters the CNAME
> it stops processing and either x.y.z. is in cache or needs another query to
> respond.
>
> Is there a setting in BIND to actually use the additional information sent in
> the response i.e. the IP of x.y.z and not send the additional query. And if
> yes what is the "option to set" and will it only work if both the label and
> the alias of the CNAME record were in the same i.e in-bailiwick ?
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: CNAME+A record in response

2012-06-29 Thread Phil Mayers

On 06/29/2012 07:50 AM, Srinivas Krishnan wrote:

> A lot of times we get responses that look like:
>
> FOO.BAR CNAME EXAMPLE.BAR
> EXAMPLE.BAR A 1.1.1.1
>
> BIND currently (at least with the default settings) when it encounters
> a CNAME stops processing and checks if EXAMPLE.BAR is in cache or else
> sends out another query to resolve it even though the A record in the
> packet completes the chain.
>
> Now, is there a setting in BIND to accept the A record or do providers

I'm curious why you want to change this behaviour.
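The in-bailiwick question raised in both CNAME threads above is the reason a resolver does not simply trust the A record that arrives with the CNAME: data for a name outside the zone the responding server is authoritative for could be planted by that server, so it is discarded and the target is queried afresh. The following is an added example (not from the thread or from BIND) that walks the CNAME chain from the query name and accepts only records whose owner lies within the server's zone; the two sample responses are constructed from the records quoted in the thread.

```python
"""Bailiwick check for a CNAME chain in a DNS response (added example, not BIND code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "CNAME" or "A"
    rdata: str   # presentation form: CNAME target or address

def labels(name: str) -> list:
    # DNS names are case-insensitive; compare canonical lowercase labels.
    return [lb for lb in name.lower().rstrip(".").split(".") if lb]

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (the zone the responder is authoritative for)."""
    n, z = labels(name), labels(zone)
    return bool(z) and n[-len(z):] == z

def resolve_chain(qname: str, answer: list, server_zone: str):
    """Follow CNAMEs from qname; return (accepted records, name still to be queried).

    A name outside server_zone is never taken from this response, even when the
    server volunteered an A record for it, so it is handed back as pending."""
    accepted, current, seen = [], qname, set()
    while True:
        key = ".".join(labels(current))
        if key in seen:
            raise ValueError("CNAME loop at " + current)
        seen.add(key)
        if not in_bailiwick(current, server_zone):
            return accepted, current
        owned = [r for r in answer if labels(r.name) == labels(current)]
        cname = next((r for r in owned if r.rtype == "CNAME"), None)
        if cname is not None:
            accepted.append(cname)
            current = cname.rdata
            continue
        addrs = [r for r in owned if r.rtype == "A"]
        accepted.extend(addrs)
        return accepted, (None if addrs else current)

# Constructed samples built from the records quoted in the two messages.
OUT_OF_BAILIWICK = [RR("a.b.c.d", "CNAME", "x.y.z"), RR("x.y.z", "A", "1.1.1.1")]
IN_BAILIWICK = [RR("FOO.BAR", "CNAME", "EXAMPLE.BAR"), RR("EXAMPLE.BAR", "A", "1.1.1.1")]

if __name__ == "__main__":
    print(resolve_chain("a.b.c.d", OUT_OF_BAILIWICK, "c.d"))  # A for x.y.z not trusted
    print(resolve_chain("foo.bar", IN_BAILIWICK, "bar"))      # whole chain accepted
```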


BIND, DNSSEC & AD

2012-06-29 Thread Carsten Strotmann

Hello JT,

I'm currently working on integrating MS DNSSEC (on Windows 2012) and
BIND here @ Men & Mice for another customer.

I might have a solution for you, but I need more detailed information about
your setup. I will contact you by E-Mail on Monday (I hope that is not too
late).


-- Carsten Strotmann



Re: BIND, DNSSEC & AD

2012-06-29 Thread John Williams
The purpose behind this is not to protect the internal AD DNS from hijacking,
but rather to allow internal clients to run DNSSEC related queries without
having to reference external resolvers.

dig +dnssec somedomain

By the way, integrating BIND into AD will not be permitted.  The AD staff will
not allow that.  That would be ideal though.

Thanks,

JT


Corrupt zone transfer

2012-06-29 Thread Danny Horne
Hi all,

I currently run two Bind 9.9.* nameservers (details below), I've just added
a slave zone to the Windows one, the Linux one being the master.  The zone
transferred, however, seems to be corrupt in that when opened in Notepad it
contains what I can only describe as gobbledegook.  The master zone file
was created with Vim if that's any help.

*Master server*
Linux (CentOS)
Bind 9.9.0

*Slave server*
Windows Server 2003 64 Bit
Bind 9.9.1-P1

Thanks for looking
-- 
One blog to rule them all,
One blog to reach them,
One blog to bring them all,
And through the writings teach them

Re: Corrupt zone transfer

2012-06-29 Thread Lyle Giese

On 06/29/12 10:10, Danny Horne wrote:

> Hi all,
>
> I currently run two Bind 9.9.* nameservers (details below), I've just
> added a slave zone to the Windows one, the Linux one being the
> master.  The zone transferred, however, seems to be corrupt in that
> when opened in Notepad it contains what I can only describe as
> gobbledegook.  The master zone file was created with Vim if that's any
> help.
>
> *Master server*
> Linux (CentOS)
> Bind 9.9.0
>
> *Slave server*
> Windows Server 2003 64 Bit
> Bind 9.9.1-P1

Try
dig @slave axfr example.com

I bet this will look right.  The slave zone is probably in raw format.

Lyle Giese
LCR Computer Services, Inc.


Re: Corrupt zone transfer

2012-06-29 Thread Danny Horne
Thanks Todd,

Seeing it cleanly when doing that, so I guess the zone file itself is OK.

On 29 June 2012 16:24, Todd Snyder wrote:

> From your slave, if you do
>
> dig @[master server] zonename AXFR
>
> Do you get nice text, or garbage?



-- 
One blog to rule them all,
One blog to reach them,
One blog to bring them all,
And through the writings teach them

Re: Corrupt zone transfer

2012-06-29 Thread Tony Finch
Danny Horne wrote:
>
> I currently run two Bind 9.9.* nameservers (details below), I've just
> added a slave zone to the Windows one, the Linux one being the master. 
> The zone transferred, however, seems to be corrupt in that when opened
> in Notepad it contains what I can only describe as gobbledegook. 

BIND 9.9 stores slave zones in raw format by default. You can get a
standard textual version using
named-compilezone -j -f raw -o outfile zonename infile

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty, Forth, Tyne, Dogger, Fisher: South or southwest 5 to 7,
decreasing 4 at times later. Moderate or rough. Showers. Good, occasionally
moderate.