Re: Upgrade Bind documentation

2013-10-25 Thread Carsten Strotmann
Hello Donald,

"Davis, Donald W"  writes:

> Does anyone have any advice or perhaps documentation for upgrading
> Bind? I currently have two AIX servers running as Master/Slave. I need
> to upgrade from v9.8.1-P1 to v9.8.6.   I will need to document an
> implementation plan for change control and was hoping someone else may
> have something they can share.
>
> I’ve browsed the ISC web site looking for release notes,
> install/compile instructions, migration plans, etc without much
> success.
>

The BIND release notes give a good overview of changes between
releases. Jeremy has posted the links to the notes. Inside a major
version number, there should be no drastic changes to BIND (so 9.8.1 ->
9.8.6 should be safe).

If you want to compile BIND yourself, I recommend compiling on a
separate development machine and then transferring the compiled BIND
binaries over to the DNS servers.

"named -V" gives you the compile switches used to compile your current
BIND. If you use the very same switches during compiling 9.8.6, you
should get a new BIND that matches your existing setup and is a
"drop-in" replacement.

Best regards

Carsten Strotmann
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
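
The "named -V" check described above, as an added example that is not part of the original post: a shell sketch that pulls the configure switches out of saved "named -V" output, rebuilds the ./configure line, and reports switches that differ between the old and the new build. The sample outputs are constructed, the function names are hypothetical, and the "defaults" wording for a build without switches is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: reuse and compare the configure
# switches that `named -V` reports for two BIND builds.

# Print the switches from `named -V` output on stdin, one per line, sorted.
# Accepts both the "built with" and the "built by make with" wording.
configure_args() {
    sed -n 's|^BIND .*built \(by make \)\{0,1\}with ||p' | head -n 1 |
        awk -F"'" '{ for (i = 2; i <= NF; i += 2) print $i }' | sort -u
}

# Print a ./configure command line carrying the same switches, in their
# original order. Assumption: a build without switches prints "defaults".
configure_command() {
    sed -n 's|^BIND .*built \(by make \)\{0,1\}with |./configure |p' |
        head -n 1 | sed 's| defaults$||'
}

# Compare two saved `named -V` outputs (file arguments). Switches only in
# the first file are printed with "- ", switches only in the second with
# "+ ". Returns 0 when both builds used the same set of switches.
compare_builds() {
    cb_tmp=$(mktemp -d) || return 2
    configure_args < "$1" > "$cb_tmp/old"
    configure_args < "$2" > "$cb_tmp/new"
    comm -23 "$cb_tmp/old" "$cb_tmp/new" | sed 's|^|- |'
    comm -13 "$cb_tmp/old" "$cb_tmp/new" | sed 's|^|+ |'
    if cmp -s "$cb_tmp/old" "$cb_tmp/new"; then cb_rc=0; else cb_rc=1; fi
    rm -rf "$cb_tmp"
    return "$cb_rc"
}

# Constructed sample outputs (not captured from a real server).
sample_old() {
    cat <<'EOF'
BIND 9.8.1-P1 built with '--prefix=/usr/local' '--sysconfdir=/etc' '--with-openssl=/usr' '--enable-threads'
EOF
}
sample_new() {
    cat <<'EOF'
BIND 9.8.6 built with '--prefix=/usr/local' '--sysconfdir=/etc' '--with-openssl=/usr'
EOF
}

# Demo: on real hosts, save `named -V > old.txt` on the DNS server and
# the new binary's `named -V > new.txt` on the build machine, then compare.
demo() {
    d=$(mktemp -d) || return 2
    sample_old > "$d/old.txt"
    sample_new > "$d/new.txt"
    configure_command < "$d/old.txt"
    compare_builds "$d/old.txt" "$d/new.txt" || echo "builds differ"
    rm -rf "$d"
}
demo
```

A non-empty diff before the change window is the cue to rebuild rather than to find out from a failing named after the swap.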

Re: Upgrade Bind documentation

2013-10-25 Thread Carsten Strotmann
Eduardo Bonsi  writes:

> Menandmice have some pre-compiled packages updates for these systems.
>
> http://support.menandmice.com/download/bind/
>
> GNU-kfreebsd/
> illumian/
> kGNUfreebsd/
> linux/
> macosx/
> solaris/
>
(as the one compiling the BIND packages @ Men & Mice):

Unfortunately we do not have an AIX machine available to provide AIX
installation packages today. 

If someone could donate an AIX development machine running an up-to-date
AIX version, we would use that machine to provide BIND AIX packages the
same way as we do for the other systems listed above.

Also, if anyone is looking for BIND packages for an operating system not in
the above list, please contact me. We are building the packages based on
the requests and demand.

-- Carsten


MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Carsten Strotmann
Hi BIND users on MacOS,

it looks like the upgrade to MacOS X 10.9 "Mavericks" removes
BIND. Early reports also indicate that the upgrade process also removes
the BIND configuration file "/etc/named.conf" and all zonefiles in
"/var/named". It happened on my machine, and there are reports coming in
from other users, but I need to confirm this on a lab environment.

The Men & Mice BIND MacOS X installers at currently fail on MacOS X
10.9, because /var/named is not there. I'm working on updating the Men &
Mice packages to work on MacOS X 10.9.

Best regards

Carsten Strotmann


zone delegation/forwarding in a non-recursive view

2013-10-25 Thread Yiorgos Stamoulis
Hi,

I have an authoritative DNS system (1 master bind-9.8.2 & 2 slaves
bind-9.8.2 & bind-9.3.6) with several zones and two views.

The internal view allows recursion and the external not.

I now have the requirement to delegate/forward a zone to an external
nameserver.

This works OK for the internal view, but fails for the external as
recursion is not allowed.

Is it possible to do this? How?

Regards

Yiorgos


Re: zone delegation/forwarding in a non-recursive view

2013-10-25 Thread Mark Andrews

In message <526a4c15.4090...@stamoulis.eu>, Yiorgos Stamoulis writes:
> Hi,
> 
> I have authoritative dns system (1 master bind-9.8.2 & 2 slaves
> bind-9.8.2 & bind-9.3.6) with several zones and two views.
> 
> The internal view allows recursion and the external not.
> 
> I now have the requirement to delegate/forward a zone to an external
> nameserver.
> 
> This works OK for the internal view, but fails for the external as
> recursion is not allowed.

How do you know that it fails for the external zone?  If you get back
a referral it is working correctly.
 
> Is it possible to do this? how?
> 
> Regards
> 
> Yiorgos
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: zone delegation/forwarding in a non-recursive view

2013-10-25 Thread Kevin Darcy
Although you lump them together, forwarding and delegation are very 
different things.


Forwarding is a way to bypass the normal resolution mechanism, forcing 
your resolver to essentially "daisy-chain" recursion on behalf of a 
requesting recursive client. Another way to put it, is that you're 
dumbing down your nameserver to the level of a PC or embedded device 
that only knows to send recursive queries to a predefined list of 
upstream resolvers. In fact, forwarding in BIND is in a sense even 
_dumber_ than recursive resolution in a PC or embedded device, because 
those device types can usually get a list of recursive resolvers 
*dynamically* (via DHCP options), whereas in BIND one configures 
forwarders *statically*.


Delegation, on the other hand, is the way the whole namespace hierarchy 
is joined together. If you delegate a subzone, you allow iterative (= 
non-recursive) resolvers to follow the namespace hierarchy down into 
another branch of the tree. One branch links to another branch, and so 
on. That's how the whole tree is formed, all of the way from the root 
down to the "leaf" nodes.


So, what is the real requirement here? To create or link in a new branch 
of the tree? Or merely to enlarge the set of clients which are allowed 
to use your nameserver instance in a recursive manner? The answers to 
those questions will determine whether forwarding or delegation is the 
appropriate solution.


- Kevin



Re: zone delegation/forwarding in a non-recursive view

2013-10-25 Thread Barry Margolin
In article ,
 Yiorgos Stamoulis  wrote:

> Hi,
> 
> I have authoritative dns system (1 master bind-9.8.2 & 2 slaves
> bind-9.8.2 & bind-9.3.6) with several zones and two views.
> 
> The internal view allows recursion and the external not.
> 
> I now have the requirement to delegate/forward a zone to an external
> nameserver.
> 
> This works OK for the internal view, but fails for the external as
> recursion is not allowed.
> 
> Is it possible to do this? how?

Forwarding is a modification of recursion -- it tells the server 
"Instead of querying the servers in the NS records, query these specific 
servers." But if you're not recursing (either because recursion is 
disabled, or because the client didn't request it), you won't forward.

Authoritative servers usually don't get requests with the Recursion 
Desired flag -- external caching servers usually do iterative queries. I 
don't understand why this is a problem for you, though. You said you're 
delegating to an external nameserver, so when you return the referral 
they should be able to go there by themselves.

-- 
Barry Margolin
Arlington, MA
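
The check that the replies from Mark Andrews and Barry Margolin point to, as an added example that is not part of any post in the thread: a shell function that reads dig output and reports whether the non-recursive view returned a referral, a refusal or an answer. The sample responses, names and addresses are constructed, and the classification labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: tell a referral apart from a
# refusal or an answer in `dig` output.
# Live use (server address and name are placeholders):
#   dig +norecurse @192.0.2.53 host.sub.example.org A | classify_response

# Reads dig output on stdin and prints one of: referral, refused,
# nxdomain, authoritative-answer, non-authoritative-answer, nodata,
# error:<rcode>, no-response.
classify_response() {
    awk '
    /^;; ->>HEADER<<-/ {
        for (i = 1; i < NF; i++)
            if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {
        # Flags sit between "flags:" and the first ";" that follows them.
        line = $0
        sub(/^;; flags: */, "", line)
        flags = " " substr(line, 1, index(line, ";") - 1) " "
        for (i = 1; i < NF; i++)
            if ($i == "ANSWER:") answer = $(i + 1) + 0
    }
    /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
    /^;;/ || /^$/            { in_auth = 0 }
    in_auth && $4 == "NS"    { ns++ }
    END {
        aa = (index(flags, " aa ") > 0)
        if (status == "")              print "no-response"
        else if (status == "REFUSED")  print "refused"
        else if (status == "NXDOMAIN") print "nxdomain"
        else if (status != "NOERROR")  print "error:" status
        else if (answer > 0 && aa)     print "authoritative-answer"
        else if (answer > 0)           print "non-authoritative-answer"
        else if (!aa && ns > 0)        print "referral"
        else                           print "nodata"
    }'
}

# Constructed dig outputs (names, ids and addresses are made up).
sample_referral() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;host.sub.example.org.      IN  A

;; AUTHORITY SECTION:
sub.example.org.    3600    IN  NS  ns1.example.net.
sub.example.org.    3600    IN  NS  ns2.example.net.
EOF
}
sample_refused() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}
sample_recursive() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
host.sub.example.org. 300   IN  A   192.0.2.10
EOF
}

for s in sample_referral sample_refused sample_recursive; do
    printf '%s: %s\n' "$s" "$("$s" | classify_response)"
done
```

Querying with +norecurse mirrors what an external iterative resolver sends, so "referral" from the external view means the delegation is being served as intended.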


Re: MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Eduardo Bonsi

I want to confirm what Carsten said here;

I just performed an upgrade from Snow Leopard, 10.6.8, the day before 
yesterday. The upgrade itself went fine except for BIND and Apache.


After upgrading to OS X Mavericks, 10.9, the upgrade removed all the 
files mentioned below plus all the websites in the Apache configuration as 
well. OS X Mavericks no longer has web sharing. So it is highly 
advisable to back up your BIND and Apache configuration files before 
upgrading. Fortunately I had a copy of all these files on a backup mirror 
server. So, for me it was just a matter of connecting and copying all these 
files back to OS X Mavericks and setting the rndc key again.


Here are the files to back up:

Full path to the named.conf file        /etc/named.conf
Full path to the named executable       /usr/sbin/named
Full path to whois command              whois
Full path to ndc command                ndc
Full path to rndc command               rndc
Full path to rndc-confgen command       rndc-confgen
Full path to the rndc.conf file         /etc/rndc.conf
Full path to named-checkzone command    named-checkzone
Full path to named-checkconf command    named-checkconf
Full path to dnssec-keygen command      dnssec-keygen
Full path to dnssec-signzone command    dnssec-signzone

In addition, do not forget to back up the PID file location in your 
system, wherever the PID file is located:


Default PID file location               ———? Your location

--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net


Re: MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Carsten Strotmann
Hello Eduardo,

thanks for confirming that MacOS X removed BIND.

Our new BIND installers for MacOS X 10.9 are now available at 


I've built BIND 9.9.4 (with and without RRL) and BIND 9.8.6. If anyone
needs 9.6-ESV let me know.

Please report any issues with these installers to me.

Best regards

Carsten Strotmann


Re: MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Mark Andrews

In message <87bo2dxf8g@csgate4.strotmann.de>, Carsten Strotmann writes:
> Hello Eduardo,
> 
> thanks for confirming that MacOS X removed BIND.

It has been moved to the Server Edition according to krypted.com[1].

However it would be nice for Apple to LET PEOPLE KNOW in advance.
Nowhere in the AppStore does it warn about functionality being
removed.  Lots of new stuff being promoted but no warnings about
things going away.

If you go to the Apple Web site and technical specs page[2] of
Mavericks and look at the "OS X Server Product Overview"[3] you
find it is out of date as it is still pointing to Mountain Lion.

If you have already "purchased" Mavericks please add a negative
review which warns about the functionality being removed from the
basic edition.  At least then people may be warned about this.

Apple should be encouraging people to run validating resolvers on
their machines, not making it harder for them to do this.

Mark

[1] http://krypted.com/mac-security/setup-the-dns-service-in-os-x-mavericks-server/
[2] http://www.apple.com/au/osx/specs/
[3] http://movies.apple.com/media/us/osx/2012/server/docs/OSXServer_Product_Overview.pdf
 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Michael Sinatra
On 10/25/13 1:33 PM, Carsten Strotmann wrote:
> Hello Eduardo,
> 
> thanks for confirming that MacOS X removed BIND.
> 
> Our new BIND installers for MacOS X 10.9 are now available at 
> 
> 
> I've build BIND 9.9.4 (with and without RRL) and BIND 9.8.6. If anyone
> need 9.6-ESV let me know.
> 
> Please report any issues with this installers to me.

Thanks to Carsten and Men and Mice for doing this.

I usually maintain the latest BIND on my Mac using MacPorts.  It looks
like you can still do that on Mavericks, but there is some work
(http://www.ghostwheel.com/merlin/Personal/notes/2013/10/05/macports-on-mavericks/)
you have to do--MacPorts doesn't currently support Mavericks out of the
box.  The good news is that it looks like you can still download a
supported version of xcode for Mavericks.

michael




Re: MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Sean Channel
As for XCode, you might want to both update from the app store and check the 
XCode Preferences [menu] on the “Downloads” tab to make sure there are no 
additional updates being distributed that way, regardless of OS version, IMHO.

Thanks for the M&M package, this is fantastic!  On the critical side, the 
package BOM only lists an extinct tarball instead of the actual files and 
directories in the package. Just a nit pick, apologies:

$ lsbom /private/var/db/receipts/com.menandmice.iscbind994ForMacosX10.9.Package_Root.pkg.bom
.       40755   0/80
./tmp   41775   0/0
./tmp/ISCBIND-9.9.4-binary-x86_64-10.9-.tar.gz  100664  0/0     17867831        3291002827

_S




Re: DNSSEC and split DNS

2013-10-25 Thread David Newman


On 10/23/13 5:20 PM, Mark Andrews wrote:
> In message <5268626c.8040...@networktest.com>, David Newman writes:
>> On 10/23/13 4:28 PM, Mark Andrews wrote:
>>> You sign all versions of the zone.
>>>
>>> As for key management you can:
>>>
>>> * use the same keys in all views which makes mobile device
>>>   management simpler as there is no need to distribute keys.
>>>   Validating from the root will work in all cases though
>>>   there is still something to be said for distributing keys
>>>   for local zones locally as this prevents resolution
>>>   failures when the site is disconnected from the rest of
>>>   the world.
>>>
>>> * different keys per view.  You will need to distribute the
>>>   keys and for mobile devices they will need all sets of
>>>   keys as they see both the internal and external views
>>>   depending apon where they attach to the network and whether
>>>   there is a VPN active.  For fixed devices different keys
>>>   will cause data leakage to be rejected as the leaked data
>>>   won't validate.
>>>
>>> You can change strategy if you pick the wrong one.
>>
>> Thanks, makes sense.
>>
>> What about delegation? Right now, there is none between external zones
>> and internal forward zones using RFC 1918 addresses.
>>
>> I *think* option 1 would require, for example, example.org's zone to
>> include delegation and glue records for internal.example.org to keep the
>> chain of trust intact.
>>
>> And I *think* option 2 in theory could be set up as an island of trust,
>> with no delegation from parent domains.
> 
> You can
> * add the delegation for internal.example.org to example.org
>   and make it visible to the world with a appropriate acl on
>   internal.example.org.
> * have two version of example.org, one with and one without the
>   delegation for internal.example.org.

I went this route, and encountered three issues:

1. After a reload, there are out-of-zone warnings for hosts in example.org:

25-Oct-2013 16:02:49.330 general: warning:
dynamic/example.org/example.org.db:133: ignoring out-of-zone data
(hostname.example.org)

Both internal and external zones are called 'example.org' but each is in
a separate view. These warnings come from the example.org zone file, the
one in the external view.

2. With two zones using the same name, I'm unsure how to use rndc to
reload just the internal or just the external version since both use the
same name.

3. Another internal nameserver gets intermittent dig +dnssec errors on
queries for internal resources. Sometimes after a restart, the result is
NOERROR and other times it's NXDOMAIN or SERVFAIL.

This is seen on an internal recursive nameserver (let's call it NS2). I
think this might be due to the presence of external servers in the
forwarding statement. If I comment out the external forwarders and
include only one other internal server (let's call it NS1), dig lookups
always work, including DNSSEC.

Problem is, NS1 is currently an authoritative and recursive server, and
I'm trying to separate these functions. Is there some other way to build
up a cache and get DNSSEC data on NS2?

Config details below. Thanks very much for additional troubleshooting clues.

dn

This is from named.conf:

acl internal-xfer {
    ..
};

acl external-xfer {
    ..
};

acl trusted {
    ..
};

view "internal" in {

    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    ..

    zone "example.org" in {
        type master;
        file "dynamic/split.example.org/split.example.org.db";
        allow-query { trusted; };
        allow-transfer { internal-xfer; };
        // internal and external zones use same key
        key-directory "managed-keys/example.org";
        inline-signing yes;
        auto-dnssec maintain;
    };

    ..

};

view "external" in {

    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    ..

    zone "example.org" in {
        type master;
        file "dynamic/example.org/example.org.db";
        allow-query { any; };
        allow-transfer { external-xfer; };
        // internal and external zones use same key
        key-directory "managed-keys/example.org";
        inline-signing yes;
        auto-dnssec maintain;
    };

    ..
};


Here is the internal split.example.org.db zone file:

$TTL 1h
internal.example.org. IN SOA ns.example.org. hostmaster.example.org. (
        2013102500 ; serial
        1h         ; refresh
        15m        ; retry
        28d        ; expire
        1h )       ; minimum
example.org.    IN  NS  ns.example.org.
example.org.

Re: MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Eduardo Bonsi
I totally agree with you Mark and I opened a discussion at the Apple 
Support Communities.


One has the title:
OS X Mavericks Software Compatibility
https://discussions.apple.com/message/23527657#23527657

The other has the title:
Where is Bind on OS X Mavericks?
https://discussions.apple.com/message/23527415#23527415

However I doubt anyone from the top reads that. I probably have to file 
this as a bug report as well to let the Apple engineers know about that.


By the way, thanks so much Carsten for compiling BIND for OS X Mavericks!

Eduardo

--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net