Re: Strange issue with signed zone

2012-11-08 Thread Peter Andreev
Hi everybody!

We signed another zone and met the same problem again. The only
difference is the algorithm - now it is RSASHA256.

> We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
> signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
> Recently we realised that our servers don't generate NSEC3 for the signed zone.
> The problem went away after we restarted the BIND instances.

We are using views, could it be related?


-- 
AP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: dns master-slave transfer

2012-11-08 Thread Matus UHLAR - fantomas

On 2012-10-29 9:58, kavin wrote:

Now I want to transfer the zone data from the master DNS server to the slave
DNS server; the master DNS uses bind-dlz+mysql and the slave DNS server
uses bind+file.


On 29.10.12 10:45, Feng He wrote:
AFAIK, BIND DLZ doesn't send a notify message to slave, so both your 
master and slave should be able to use the DLZ backend and run a 
mysql replication for data sync.


NOTIFY is not required to implement DNS, it just makes propagation faster.
AXFR should work without it, however the refresh/retry in SOA should be
small enough (depends on how often you change the data).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Despite the cost of living, have you noticed how popular it remains? 

Re: Shared dynamic zone on external view?

2012-11-08 Thread Nicolas C.

On 08/11/2012 13:20, /dev/rob0 wrote:

On Thu, Nov 08, 2012 at 09:23:05AM +1100, Mark Andrews wrote:

In message <509a8796.7060...@nryc.fr>, "Nicolas C." writes:

I have a dynamic zone on an external view, this zone is updated
with a TSIG key from outside of our network. There is a secondary
DNS server, also outside our network on which zones transfers are
working fine with no key.

We would like to make one of our internal DNS secondary for this
zone and we have the "dynamic zone shared between views" problem.
I tried to follow the FAQ but no luck so far.

I'm not sure that what I'm trying to do is possible, can someone
confirm this?

Should I follow the FAQ and make my dynamic zone "master" on the
"internal" view? That makes less sense to us because these are
public zones, updated from the outside.

This is my configuration:

view "internal" {
match-clients {

  !key external;
  key shared;

  
};

zone "" {
  type slave;
  file "db.shared-int";
  masters { IPv4-of-my-DNS; };


You need to force the internal zone to talk to the external zone.

masters { IPv4-of-my-DNS key external; };


Should not the master also have an "also-notify" to notify the
internal zone as well? Or the zone might contain a bogus internal-
only NS host, but that would seem less appropriate. If the notify
received is only for the external view, the internal view will only
update on elapsed SOA expire time.


Yes, it is specified on the FAQ and you can see it in my configuration 
below (also-notify { IPv4-of-my-DNS; };).


It's working now, I had some issues because the DNS server was 100% 
secondary so notifications were disabled globally in "options". When it 
became master for this dynamic zone, it wasn't notifying the internal 
view on the secondary.


Enabling notifications or explicitly notifying the secondary solved the 
problem.


Regards,

Nicolas


  transfer-source IPv4-of-my-DNS;
};
};

view "external" {

match-clients { !key shared; any };
allow-transfer { IPv4-of-my-DNS; };
server IPv4-of-my-DNS; { keys { shared; }; };

zone "" {
  type master;
  file "db.shared-ext";
  notify yes;
  also-notify { IPv4-of-my-DNS; };





Re: Shared dynamic zone on external view?

2012-11-08 Thread /dev/rob0
On Thu, Nov 08, 2012 at 09:23:05AM +1100, Mark Andrews wrote:
> In message <509a8796.7060...@nryc.fr>, "Nicolas C." writes:
> > I have a dynamic zone on an external view, this zone is updated 
> > with a TSIG key from outside of our network. There is a secondary 
> > DNS server, also outside our network on which zones transfers are 
> > working fine with no key.
> > 
> > We would like to make one of our internal DNS secondary for this 
> > zone and we have the "dynamic zone shared between views" problem. 
> > I tried to follow the FAQ but no luck so far.
> > 
> > I'm not sure that what I'm trying to do is possible, can someone 
> > confirm this?
> > 
> > Should I follow the FAQ and make my dynamic zone "master" on the 
> > "internal" view? That makes less sense to us because these are 
> > public zones, updated from the outside.
> > 
> > This is my configuration:
> > 
> > view "internal" {
> >match-clients {
> > 
> >  !key external;
> >  key shared;
> > 
> >  
> >};
> > 
> >zone "" {
> >  type slave;
> >  file "db.shared-int";
> >  masters { IPv4-of-my-DNS; };
> 
> You need to force the internal zone to talk to the external zone.
> 
>   masters { IPv4-of-my-DNS key external; };

Should not the master also have an "also-notify" to notify the 
internal zone as well? Or the zone might contain a bogus internal- 
only NS host, but that would seem less appropriate. If the notify 
received is only for the external view, the internal view will only 
update on elapsed SOA expire time.

> >  transfer-source IPv4-of-my-DNS;
> >};
> > };
> > 
> > view "external" {
> > 
> >match-clients { !key shared; any };
> >allow-transfer { IPv4-of-my-DNS; };
> >server IPv4-of-my-DNS; { keys { shared; }; };
> > 
> >zone "" {
> >  type master;
> >  file "db.shared-ext";
> >  notify yes;
> >  also-notify { IPv4-of-my-DNS; };
> > 
> >  update-policy {
> >grant another-key subdomain  ANY;
> >grant princi...@rea.lm subdomain  ANY;
> >  };
> > };
> > 
> > When I reload the configuration or try to initiate a zone 
> > transfer with dig and the "shared" key, I have this message
> > in the logs.
> > 
> > zone /IN/internal: refresh: unexpected rcode (SERVFAIL)
> > from master IPv4-of-my-DNS#53 (source IPv4-of-my-DNS#0)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
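
The setup discussed in this thread and in Nicolas C.'s follow-up, assembled into one named.conf sketch as an added example (it is not the poster's configuration and not from the thread): both views, the two TSIG keys, Mark's `key external` on the masters line, and the also-notify/server-keys pairing that routes the loopback NOTIFY into the internal view. The zone name example.com, the address 192.0.2.1, the key secrets and the internal ACL are constructed placeholders; that "external" is the key used by the outside updater is an assumption.

```conf
// Added example, not the poster's config. Placeholders: zone example.com,
// server address 192.0.2.1, dummy secrets, internal ACL 10.0.0.0/8.
// BIND 9.8-era syntax ("masters"; newer releases also accept "primaries").

key "external" {            // key assumed to be used by the outside updater
    algorithm hmac-sha256;
    secret "PLACEHOLDER-EXTERNAL-SECRET=";
};
key "shared" {              // used only between the two views on this host
    algorithm hmac-sha256;
    secret "PLACEHOLDER-SHARED-SECRET=";
};

view "internal" {
    // Refresh requests signed with "external" must NOT match this view;
    // NOTIFYs signed with "shared" (sent by the external view) must.
    match-clients { !key external; key shared; 10.0.0.0/8; };

    zone "example.com" {
        type slave;
        file "db.shared-int";
        // Mark's fix: sign the SOA/AXFR requests with "external" so that,
        // on loopback, they are routed to the external view, not back here.
        masters { 192.0.2.1 key external; };
        transfer-source 192.0.2.1;    // must match allow-transfer below
    };
};

view "external" {
    match-clients { !key shared; any; };
    allow-transfer { 192.0.2.1; };
    // Outgoing NOTIFY to our own address is signed with "shared", so the
    // internal view (not this one) receives it: rob0's also-notify point.
    server 192.0.2.1 { keys { shared; }; };

    zone "example.com" {
        type master;
        file "db.shared-ext";
        // Zone-level notify overrides a global "notify no;" in options{},
        // which is what bit Nicolas on an otherwise secondary-only server.
        notify yes;
        also-notify { 192.0.2.1; };
        update-policy {
            grant external subdomain example.com ANY;
        };
    };
};
```

After a reload, a "zone example.com/IN/internal: refresh" line that no longer reports SERVFAIL from 192.0.2.1 is the sign that the signed refresh is reaching the external view.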