[auto-dnssec] Switching to NSEC3 leaves behind stale NSEC signatures?
I have a zone maintained by: inline-signing yes; auto-dnssec maintain; update-policy local; I switched it from the default NSEC to NSEC3 with: rndc signing -nsec3param 1 0 10 68f499ee auto.rd.nic.fr It seems to work but the zone still contains NSEC signatures (but no NSEC records): auto.rd.nic.fr. 86400 IN RRSIG NSEC 8 4 86400 20130829140232 20130730135801 53989 auto.rd.nic.fr. FNHDlnIq1fN0bVJtLvP56BNw3Pydmogp8KWn2n200zMWSuHrq1sgU3Q3 cv8o+Cbr6w871IHBKwd+edz67URntzWferPzy2aklAEIdsRlvHSDHJyD WzUs915+GeUR0NOU2m/zfWQBAYBj8UP2i1puxh4NBzfnGF9ChCRKuhrT pBz+hxgdNKpQ2rt+NkBXFGKtZUz1eIDCpiT5F8CweetnajSyKRUVFCod emrOfdR1axr4Bp5Jaokrp5XbC2tefSs+NqXJycHBhmMGisAXOho4fOKY 5OWMb7IrcXA0xh8LUF5+uuQ6mpM7j+i0ZLiubt2TR6VxkcGbb4yfXWef x7vYAQ== Some checking tools complain. For instance, validns: auto.rd.nic.fr:8: auto.rd.nic.fr. RRSIG exists for non-existing type NSEC Is it a bug? Or did I use the wrong procedure to switch to NSEC3? BIND 9.9.2-P1 (the last version in the current Ubuntu) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Internernal view is answering to external ping
Hi brothers I have running bind9 on debian, with master zone for mydomain.com i created internal view for resolve names on my lan, and external zone for resolve my host on Internet, this is the working scenario Internal view LAN IP 192.168.0.67 Hostname sales.mydomain.com External view WAN IP 200.57.66.77 Hostname sales.mydomain.com When I make a ping from a other Internet access I get the answer from internal View Pinging sales.mydomain.com [192.168.0.67] with 32 bytes o Ping statistics for 192.168.0.67 Packets: Sent = 3, Received = 3, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 2ms, Average = 1ms Is it possible to change this issue? Thanks in advance. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Internernal view is answering to external ping
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote: I have running bind9 on debian, with master zone for mydomain.com i created internal view for resolve names on my lan, and external zone for resolve my host on Internet, standard answer - post your bind config. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iEYEARECAAYFAlH5k9MACgkQL6j7milTFsEtzgCeKCNBwf7sAtPQDXC+qU+vq6Go 8esAn2aWS7UaRcqWx8CDgG95+jZA1jXC =knAS -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Internernal view is answering to external ping
Dear Carl
Thanks for your answer here the output:
acl allowed-users {
localhost;
200.57.66.77/28;
192.168.0.0/23;
189.0.0.0/8;
172.16.102.1;
172.28.76.0/24;
};
acl internal {
localhost;
200.57.66.77/28;
192.168.0.0/23
};
acl slaves {
200.57.66.78;
};
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local
include /etc/bind/named.conf.options;
// prime the server with knowledge of the root servers
//zone . {
// type hint;
// file /etc/bind/db.root;
//};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
//zone localhost {
// type master;
// file /etc/bind/db.local;
//};
//zone 127.in-addr.arpa {
// type master;
// file /etc/bind/db.127;
//};
//zone 0.in-addr.arpa {
// type master;
// file /etc/bind/db.0;
//};
//zone 255.in-addr.arpa {
// type master;
// file /etc/bind/db.255;
//};
//zone 168.192.IN-ADDR.ARPA {
//type master;
//file /etc/bind/db.192;
//};
//zone 10.IN-ADDR.ARPA {
// type master;
// file /etc/empty;
//};
//zone 16.172.IN-ADDR.ARPA {
// type master;
// file /etc/empty;
//};
// zone com { type delegation-only; };
// zone net { type delegation-only; };
// From the release notes:
// Because many of our users are uncomfortable receiving undelegated
answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the root-delegations-only feature which applies
delegation-only
// logic to all top level domains, and to the root domain. An
exception list
// should be specified, including MUSEUM and DE, and any other top
level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { DE; MUSEUM; };
include /etc/bind/named.conf.local;
logging {
category lame-servers { null; };
category edns-disabled { null; };
};
key dhcpupdate {
algorithm hmac-md5;
secret ddjsdfruifhrfr88r8rr5544==;
};
Thanks in advance.
On 31/07/2013 5:46 PM, Carl Byington wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote:
I have running bind9 on debian, with master zone for mydomain.com i
created internal view for resolve names on my lan, and external zone
for resolve my host on Internet,
standard answer - post your bind config.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAlH5k9MACgkQL6j7milTFsEtzgCeKCNBwf7sAtPQDXC+qU+vq6Go
8esAn2aWS7UaRcqWx8CDgG95+jZA1jXC
=knAS
-END PGP SIGNATURE-
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Internernal view is answering to external ping
On 1 August 2013 00:59, IT Support it.compilat...@gmail.com wrote: Thanks in advance. Where is your view/zone configuration? (possibly in one of the included files) you will need to post that configuration as well. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Internernal view is answering to external ping
Post your *full* config not half of it. How the hell do you expect
people to identify problems unless you give them the neccessary
details.
Do you give you car mechanic only access to the boot when you have
a engine problem?
You said you created views yet you didn't send anything that described
how the views were configured.
Mark
In message 51f9a4dc.6040...@gmail.com, IT Support writes:
Dear Carl
Thanks for your answer here the output:
acl allowed-users {
localhost;
200.57.66.77/28;
192.168.0.0/23;
189.0.0.0/8;
172.16.102.1;
172.28.76.0/24;
};
acl internal {
localhost;
200.57.66.77/28;
192.168.0.0/23
};
acl slaves {
200.57.66.78;
};
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local
include /etc/bind/named.conf.options;
// prime the server with knowledge of the root servers
//zone . {
// type hint;
// file /etc/bind/db.root;
//};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
//zone localhost {
// type master;
// file /etc/bind/db.local;
//};
//zone 127.in-addr.arpa {
// type master;
// file /etc/bind/db.127;
//};
//zone 0.in-addr.arpa {
// type master;
// file /etc/bind/db.0;
//};
//zone 255.in-addr.arpa {
// type master;
// file /etc/bind/db.255;
//};
//zone 168.192.IN-ADDR.ARPA {
//type master;
//file /etc/bind/db.192;
//};
//zone 10.IN-ADDR.ARPA {
// type master;
// file /etc/empty;
//};
//zone 16.172.IN-ADDR.ARPA {
// type master;
// file /etc/empty;
//};
// zone com { type delegation-only; };
// zone net { type delegation-only; };
// From the release notes:
// Because many of our users are uncomfortable receiving undelegated
answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the root-delegations-only feature which applies
delegation-only
// logic to all top level domains, and to the root domain. An
exception list
// should be specified, including MUSEUM and DE, and any other top
level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { DE; MUSEUM; };
include /etc/bind/named.conf.local;
logging {
category lame-servers { null; };
category edns-disabled { null; };
};
key dhcpupdate {
algorithm hmac-md5;
secret ddjsdfruifhrfr88r8rr5544==;
};
Thanks in advance.
On 31/07/2013 5:46 PM, Carl Byington wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote:
I have running bind9 on debian, with master zone for mydomain.com i
created internal view for resolve names on my lan, and external zone
for resolve my host on Internet,
standard answer - post your bind config.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAlH5k9MACgkQL6j7milTFsEtzgCeKCNBwf7sAtPQDXC+qU+vq6Go
8esAn2aWS7UaRcqWx8CDgG95+jZA1jXC
=knAS
-END PGP SIGNATURE-
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscri
be from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--050203070403020006060804
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
html
head
meta content=text/html; charset=ISO-8859-1
http-equiv=Content-Type
/head
body bgcolor=#FF text=#00
div class=moz-cite-prefixDear Carlbr
br
Thanks for your answer here the output:br
br
acl allowed-users {br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; localhost;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; font face=Bodoni MTfont
face=Bodoni MT200.57.66.77/font/font/28;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; 192.168.0.0/23;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; 189.0.0.0/8;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; 172.16.102.1;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; 172.28.76.0/24;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; };br
br
acl internal {br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; localhost;br
font face=Bodoni MTfont face=Bodoni MTnbsp;nbsp;nbsp;nbsp;
nbsp;nbsp;nbsp;nbsp;
200.57.66.77/font/font/28;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; 192.168.0.0/23br
Re: Internernal view is answering to external ping
Thanks Mark for the advice, that output is my whole named.conf, please
let me know if I need to post another output file
This is what do i have on my bind folder:
named.conf
named.conf.dpkg-dist
named.conf.local
named.conf.local.bfRFC1918
named.conf.local.orig
named.conf.options
named.conf.options.dpkg-di
mydomain.com.hosts
mydomain.com.hosts.lan
db.0
db.127
db.192
192.168.0
db.192.168.0.internal
db.192.168.0.internal.jnl
db.192.168.external
db.192.168.internal
db.192.168.internal.jnl
db.192.internal
db.192.jnl
db.255
db.empty
db.local
db.root
root b
On 31/07/2013 7:09 PM, Mark Andrews wrote:
Post your *full* config not half of it. How the hell do you expect
people to identify problems unless you give them the neccessary
details.
Do you give you car mechanic only access to the boot when you have
a engine problem?
You said you created views yet you didn't send anything that described
how the views were configured.
Mark
In message 51f9a4dc.6040...@gmail.com, IT Support writes:
Dear Carl
Thanks for your answer here the output:
acl allowed-users {
localhost;
200.57.66.77/28;
192.168.0.0/23;
189.0.0.0/8;
172.16.102.1;
172.28.76.0/24;
};
acl internal {
localhost;
200.57.66.77/28;
192.168.0.0/23
};
acl slaves {
200.57.66.78;
};
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local
include /etc/bind/named.conf.options;
// prime the server with knowledge of the root servers
//zone . {
// type hint;
// file /etc/bind/db.root;
//};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
//zone localhost {
// type master;
// file /etc/bind/db.local;
//};
//zone 127.in-addr.arpa {
// type master;
// file /etc/bind/db.127;
//};
//zone 0.in-addr.arpa {
// type master;
// file /etc/bind/db.0;
//};
//zone 255.in-addr.arpa {
// type master;
// file /etc/bind/db.255;
//};
//zone 168.192.IN-ADDR.ARPA {
//type master;
//file /etc/bind/db.192;
//};
//zone 10.IN-ADDR.ARPA {
// type master;
// file /etc/empty;
//};
//zone 16.172.IN-ADDR.ARPA {
// type master;
// file /etc/empty;
//};
// zone com { type delegation-only; };
// zone net { type delegation-only; };
// From the release notes:
// Because many of our users are uncomfortable receiving undelegated
answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the root-delegations-only feature which applies
delegation-only
// logic to all top level domains, and to the root domain. An
exception list
// should be specified, including MUSEUM and DE, and any other top
level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { DE; MUSEUM; };
include /etc/bind/named.conf.local;
logging {
category lame-servers { null; };
category edns-disabled { null; };
};
key dhcpupdate {
algorithm hmac-md5;
secret ddjsdfruifhrfr88r8rr5544==;
};
Thanks in advance.
On 31/07/2013 5:46 PM, Carl Byington wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote:
I have running bind9 on debian, with master zone for mydomain.com i
created internal view for resolve names on my lan, and external zone
for resolve my host on Internet,
standard answer - post your bind config.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAlH5k9MACgkQL6j7milTFsEtzgCeKCNBwf7sAtPQDXC+qU+vq6Go
8esAn2aWS7UaRcqWx8CDgG95+jZA1jXC
=knAS
-END PGP SIGNATURE-
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscri
be from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--050203070403020006060804
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
html
head
meta content=text/html; charset=ISO-8859-1
http-equiv=Content-Type
/head
body bgcolor=#FF text=#00
div class=moz-cite-prefixDear Carlbr
br
Thanks for your answer here the output:br
br
acl allowed-users {br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; localhost;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; font face=Bodoni MTfont
face=Bodoni MT200.57.66.77/font/font/28;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; 192.168.0.0/23;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; 189.0.0.0/8;br
Re: Internernal view is answering to external ping
Hi Steven Can you tell me what files do I have to post here? On 31/07/2013 7:04 PM, Steven Carr wrote: On 1 August 2013 00:59, IT Support it.compilat...@gmail.com wrote: Thanks in advance. Where is your view/zone configuration? (possibly in one of the included files) you will need to post that configuration as well. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Internernal view is answering to external ping
Send the output of named-checkconf -p. This will combine all the configuration files into one file. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Internernal view is answering to external ping
In article mailman.982.1375317436.20661.bind-us...@lists.isc.org,
IT Support it.compilat...@gmail.com wrote:
Thanks Mark for the advice, that output is my whole named.conf, please
let me know if I need to post another output file
It contains:
include /etc/bind/named.conf.options;
include /etc/bind/named.conf.local;
One of these files should contain the view configuration.
This is what do i have on my bind folder:
named.conf
named.conf.dpkg-dist
named.conf.local
named.conf.local.bfRFC1918
named.conf.local.orig
named.conf.options
named.conf.options.dpkg-di
mydomain.com.hosts
mydomain.com.hosts.lan
db.0
db.127
db.192
192.168.0
db.192.168.0.internal
db.192.168.0.internal.jnl
db.192.168.external
db.192.168.internal
db.192.168.internal.jnl
db.192.internal
db.192.jnl
db.255
db.empty
db.local
db.root
root b
On 31/07/2013 7:09 PM, Mark Andrews wrote:
Post your *full* config not half of it. How the hell do you expect
people to identify problems unless you give them the neccessary
details.
Do you give you car mechanic only access to the boot when you have
a engine problem?
You said you created views yet you didn't send anything that described
how the views were configured.
Mark
In message 51f9a4dc.6040...@gmail.com, IT Support writes:
Dear Carl
Thanks for your answer here the output:
acl allowed-users {
localhost;
200.57.66.77/28;
192.168.0.0/23;
189.0.0.0/8;
172.16.102.1;
172.28.76.0/24;
};
acl internal {
localhost;
200.57.66.77/28;
192.168.0.0/23
};
acl slaves {
200.57.66.78;
};
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on
the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local
include /etc/bind/named.conf.options;
// prime the server with knowledge of the root servers
//zone . {
// type hint;
// file /etc/bind/db.root;
//};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
//zone localhost {
// type master;
// file /etc/bind/db.local;
//};
//zone 127.in-addr.arpa {
// type master;
// file /etc/bind/db.127;
//};
//zone 0.in-addr.arpa {
// type master;
// file /etc/bind/db.0;
//};
//zone 255.in-addr.arpa {
// type master;
// file /etc/bind/db.255;
//};
//zone 168.192.IN-ADDR.ARPA {
//type master;
//file /etc/bind/db.192;
//};
//zone 10.IN-ADDR.ARPA {
// type master;
// file /etc/empty;
//};
//zone 16.172.IN-ADDR.ARPA {
// type master;
// file /etc/empty;
//};
// zone com { type delegation-only; };
// zone net { type delegation-only; };
// From the release notes:
// Because many of our users are uncomfortable receiving undelegated
answers
// from root or top level domains, other than a few for whom that
behaviour
// has been trusted and expected for quite some length of time, we have
now
// introduced the root-delegations-only feature which applies
delegation-only
// logic to all top level domains, and to the root domain. An
exception list
// should be specified, including MUSEUM and DE, and any other top
level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { DE; MUSEUM; };
include /etc/bind/named.conf.local;
logging {
category lame-servers { null; };
category edns-disabled { null; };
};
key dhcpupdate {
algorithm hmac-md5;
secret ddjsdfruifhrfr88r8rr5544==;
};
Thanks in advance.
--
Barry Margolin
Arlington, MA
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
