Too many open files

2014-03-14 Thread Hinst, Robert
Running bind-9.3.6-4.P1.el5_5.3 on CentOS 5.5 and I'm constantly seeing the 
following in my BIND logs:

general: error: isc_socket_create: fcntl/reserved: Too many open files

But I don't see why. Named only has 583 files open and I upped the max to 9 
in /etc/security/limits.conf. Has anyone encountered this before or have any 
insight?

# lsof -n -u named|wc -l
583

# su -s /bin/sh -c 'ulimit -a' named
core file size  (blocks, -c) 0
data seg size   (kbytes, -d) unlimited
scheduling priority (-e) 0
file size   (blocks, -f) unlimited
pending signals (-i) 52223
max locked memory   (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files  (-n) 9
pipe size(512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority  (-r) 0
stack size  (kbytes, -s) 10240
cpu time   (seconds, -t) unlimited
max user processes  (-u) unlimited
virtual memory  (kbytes, -v) unlimited
file locks  (-x) unlimited



Rob Hinst
Network Architect
Lightower Fiber Networks

+ 631 300 3795 [office]
+ 631 338 1061 [mobile]
+ rhi...@lightower.com
+ www.lightower.com

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Audit the consistency of zone files on DNS servers

2014-03-14 Thread Maren S. Leizaola
Hello,
 What do you guys recommend to audit every resource
record in a zone file against all the records in all the DNS servers
that host the zone file?

I want something that I feed the master zone file and that then goes to each
NS server and ensures that each of the records is identical in all of
them.

What I want to be able to detect are serial number errors, where a zone
has been updated but the serial number has not changed. In these
circumstances comparing the SOA of all the servers would not report any
errors, but the zone files on the different servers are incorrect.

Regards,
Maren.





Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Phil Mayers

On 14/03/14 12:28, Maren S. Leizaola wrote:

> Hello,
> What do you guys recommend to audit every resource
> record in a zone file against all the records in all the DNS servers
> that host the zone file?
>
> I want something that I feed the master zone file and that then goes to each
> NS server and ensures that each of the records is identical in all of
> them.


dig @server zone axfr >file
diff file file.real

?


Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Stephane Bortzmeyer
On Fri, Mar 14, 2014 at 12:33:47PM +,
 Phil Mayers  wrote 
 a message of 25 lines which said:

> dig @server zone axfr >file
> diff file file.real

diff is not clever enough, you'll find many spurious differences. Try
feeding the two files (the local one and the AXFRed one) through
named-compilezone to canonicalize them.

(I actually use a non-BIND tool, ldns-read-zone)

http://www.bortzmeyer.org/canonicalize-zones.html
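As an added illustration (not code from the thread), a small Python canonicalizer that does for the comparison what named-compilezone or ldns-read-zone do: expand $ORIGIN and relative names, apply $TTL, lowercase owner names, join parenthesised records, drop the SOA that AXFR output repeats at the end, and then diff the resulting RR sets rather than text lines. The two zone texts are constructed samples and the zone name example.test is an assumption.

```python
import re

NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}
# Constructed sample: hand-edited master file with $ORIGIN, relative names,
# a parenthesised SOA, a comment and an upper-case owner name.
LOCAL_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA ns1 hostmaster.example.test. (
            2014031401 7200 900 1209600 3600 ) ; serial refresh retry expire min
        IN NS  ns1
        IN NS  ns2
ns1     IN A   192.0.2.1
ns2     IN A   192.0.2.2
WWW     300 IN A 192.0.2.10
"""
# Constructed sample: the same zone as `dig axfr` prints it (fully qualified,
# SOA repeated at the end) but carrying a stale A record for ns2.
AXFR_ZONE = """\
example.test.     3600 IN SOA ns1.example.test. hostmaster.example.test. 2014031401 7200 900 1209600 3600
example.test.     3600 IN NS  ns1.example.test.
example.test.     3600 IN NS  ns2.example.test.
ns1.example.test. 3600 IN A   192.0.2.1
ns2.example.test. 3600 IN A   192.0.2.3
www.example.test. 300  IN A   192.0.2.10
example.test.     3600 IN SOA ns1.example.test. hostmaster.example.test. 2014031401 7200 900 1209600 3600
"""

def _absolute(name, origin):
    """Lowercase a name and qualify it against origin ('@' is the origin)."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin.lstrip('.')}"

def _logical_lines(text):
    """Yield (owner_omitted, tokens); strips ';' comments, joins ( ) lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).replace("(", " ( ").replace(")", " ) ")
        if not line.strip() and not buf:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            tokens = [t for t in " ".join(buf).split() if t not in ("(", ")")]
            owner_omitted, buf = buf[0][0].isspace(), []   # blank owner = previous
            if tokens:
                yield owner_omitted, tokens

def parse_zone(text, origin):
    """Return the set of canonical RRs (owner, ttl, type, rdata) in a zone text."""
    origin = _absolute(origin, ".")
    default_ttl, owner, rrs = None, origin, set()
    for owner_omitted, tok in _logical_lines(text):
        if tok[0] == "$ORIGIN":
            origin = _absolute(tok[1], origin)
            continue
        if tok[0] == "$TTL":
            default_ttl = int(tok[1])
            continue
        if not owner_omitted:
            owner = _absolute(tok.pop(0), origin)
        ttl = default_ttl
        while tok and (tok[0].isdigit() or tok[0].upper() == "IN"):
            field = tok.pop(0)                    # TTL and class, either order
            if field.isdigit():
                ttl = int(field)
        if ttl is None:                           # refuse to guess a TTL
            raise ValueError(f"no TTL for {owner}: add $TTL or an explicit TTL")
        rtype, rdata = tok[0].upper(), tok[1:]
        for i in NAME_FIELDS.get(rtype, []):      # qualify names inside rdata
            rdata[i] = _absolute(rdata[i], origin)
        rrs.add((owner, ttl, rtype, tuple(rdata)))   # set drops the repeated SOA
    return rrs

def compare_zones(local_text, transferred_text, origin):
    """RRs only in the local file, and RRs only in the transferred copy."""
    local, remote = (parse_zone(t, origin) for t in (local_text, transferred_text))
    return sorted(local - remote), sorted(remote - local)
```

A plain `diff` of the two texts flags every line (relative versus absolute names, whitespace, the repeated SOA); `compare_zones` reports only the one RR that really differs.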


Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Stephane Bortzmeyer
On Fri, Mar 14, 2014 at 12:33:47PM +,
 Phil Mayers  wrote 
 a message of 25 lines which said:

> dig @server zone axfr >file
> diff file file.real

If you're really paranoid, it may not be sufficient since a server may
reply differently to "normal" DNS queries and to zone file transfer
requests (for instance if the server is also authoritative for a
child zone, see RFC 5936, section 3.2).



Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Phil Mayers
Quite right, I should have noted the need to canonicalise.
-- 
Sent from my phone with, please excuse brevity and typos

Update Security

2014-03-14 Thread Bob McDonald
I want to confirm my understanding of security of DDNS updates.

I have a stealth master "A" feeding slave "B" and "C".

I have allow-update-forwarding { any; } specified on "B" and "C".

If a client "D" presents an update to "B" or "C" it will automatically be
forwarded to "A".

If "B" or "C" are in the allow-updates ACL on "A" all updates will be
applied.

If "D" is in the allow-updates ACL on "A" (and not "B" or "C") the updates
from "D" will be applied.  However an update from "E" presented to "B" or
"C" will be forwarded but not processed.

Is this correct?

Bob

Re: Update Security

2014-03-14 Thread Mark Andrews

If you are going to forward updates use TSIG or SIG(0) to sign the
update and stop worrying about addresses.  TSIG and SIG(0) are
billions and billions of times stronger authenticators than an IP
address.

"allow-update-forwarding { any; };" says forward all updates
regardless of the address they were sent from.

As for your question: addresses are not preserved so A doesn't know
it came from E unless the messages are signed.

Mark

In message 
, Bob McDonald writes:
> 
> I want to confirm my understanding of security of DDNS updates.
> 
> I have a stealth master "A" feeding slave "B" and "C".
> 
> I have allow-update-forwarding { any; } specified on "B" and "C".
> 
> If a client "D" presents an update to "B" or "C" it will automatically be
> forwarded to "A".
> 
> If "B" or "C" are in the allow-updates ACL on "A" all updates will be
> applied.
> 
> If "D" is in the allow-updates ACL on "A" (and not "B" or "C") the updates
> from "D" will be applied.  However an update from "E" presented to "B" or
> "C" will be forwarded but not processed.
> 
> Is this correct?

No.

> Bob
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
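As an added named.conf sketch (not from the thread), the two configurations side by side: the address-only setup Bob describes, where the master sees only B's or C's address on a forwarded update, and the TSIG version Mark recommends, where the master applies only updates signed with a key it knows. Server roles, the 192.0.2.0/24 addresses, the zone name and the key name are assumptions; the secret is a placeholder.

```conf
// --- Weak: address-based trust (the setup Bob describes) ---------------
// On slaves B and C: forward every update to the hidden master A.
zone "example.test" {
    type slave;
    masters { 192.0.2.1; };              // A, assumed address
    allow-update-forwarding { any; };    // forwards regardless of sender
};
// On master A: a forwarded update arrives from B's or C's address, so
// listing B and C applies everything they forward, while listing D
// instead applies nothing, because A never sees D's address.  E and D
// are indistinguishable here.
zone "example.test" {
    type master;
    file "dynamic/example.test.db";
    allow-update { 192.0.2.53; 192.0.2.54; };   // B and C, assumed addresses
};

// --- Corrected: TSIG-signed updates -------------------------------------
// The same key statement goes on A and on the updating client D.
key "d-key" {
    algorithm hmac-sha256;
    secret "<BASE64-SECRET-PLACEHOLDER>";   // generate one; never reuse an example value
};
// On B and C: forwarding any update is fine now, because the signature
// travels with the forwarded message and the decision is made on A.
zone "example.test" {
    type slave;
    masters { 192.0.2.1; };
    allow-update-forwarding { any; };
};
// On A: only updates carrying a valid "d-key" signature are applied.
// An unsigned update from E is still forwarded by B or C, then rejected
// here whatever address it came from.
zone "example.test" {
    type master;
    file "dynamic/example.test.db";
    allow-update { key "d-key"; };
};
```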


Re: Update Security

2014-03-14 Thread Bob McDonald
I agree that TSIG or SIG(0) signed updates are certainly a more desirable
approach than allowing updates via address.  My DHCP server is set up to
sign all of its updates this way.  However, I have AD domain controllers
in the environment that don't currently use signed updates.  Is there a
fairly painless way to convert all the AD machines to signed updates?

TIA,

Bob



On Fri, Mar 14, 2014 at 12:41 PM, Mark Andrews  wrote:

>
> If you are going to forward updates use TSIG or SIG(0) to sign the
> update and stop worrying about addresses.  TSIG and SIG(0) are
> billions and billions of times stronger authenticators than an IP
> address.
>
> "allow-update-forwarding { any; };" says forward all updates
> regardless of the address they were sent from.
>
> As for your question: addresses are not preserved so A doesn't know
> it came from E unless the messages are signed.
>
> Mark
>
> In message  h...@mail.gmail.com>
> , Bob McDonald writes:
> >
> > I want to confirm my understanding of security of DDNS updates.
> >
> > I have a stealth master "A" feeding slave "B" and "C".
> >
> > I have allow-update-forwarding { any; } specified on "B" and "C".
> >
> > If a client "D" presents an update to "B" or "C" it will automatically be
> > forwarded to "A".
> >
> > If "B" or "C" are in the allow-updates ACL on "A" all updates will be
> > applied.
> >
> > If "D" is in the allow-updates ACL on "A" (and not "B" or "C") the updates
> > from "D" will be applied.  However an update from "E" presented to "B" or
> > "C" will be forwarded but not processed.
> >
> > Is this correct?
>
> No.
>
> > Bob
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Kevin Darcy

On 3/14/2014 8:28 AM, Maren S. Leizaola wrote:

> Hello,
> What do you guys recommend to audit every resource
> record in a zone file against all the records in all the DNS servers
> that host the zone file?
>
> I want something that I feed the master zone file and that then goes to each
> NS server and ensures that each of the records is identical in all of
> them.
>
> What I want to be able to detect are serial number errors, where a zone
> has been updated but the serial number has not changed. In these
> circumstances comparing the SOA of all the servers would not report any
> errors, but the zone files on the different servers are incorrect.

Or use Dynamic Update exclusively for DNS record maintenance, so that 
"forgetting to update the serial number after a change" is a thing of 
the past[1].


- Kevin

[1] For the nit-pickers out there, the statement is true _even_for_ SOA 
record changes, since they don't "take" unless you "increment" the 
serial number (as per serial-number arithmetic) as part of the change.




Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Maren S. Leizaola

On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote:

> On Fri, Mar 14, 2014 at 12:33:47PM +,
>  Phil Mayers  wrote
>  a message of 25 lines which said:
>
>> dig @server zone axfr >file
>> diff file file.real
>
> If you're really paranoid, it may not be sufficient since a server may
> reply differently to "normal" DNS queries and to zone file transfer
> requests (for instance if the server is also authoritative for a
> child zone, see RFC 5936, section 3.2).




Thank you both for your replies.

I am paranoid and I don't think zone transfers are a good method.
I want something that looks at the file, intelligently looks at each 
record and sends the right types of queries to all the DNS servers.

We are never sure how bug-free BIND is. As I am using other DNS servers, 
I am not sure how reliably they interact with BIND...
So I trust nothing until it has been proven to work time and time 
again.

I am surprised that there isn't a standard tool out there to do this; it 
seems pretty obvious to me.


Regards,
Maren.


Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Kevin Darcy

On 3/14/2014 2:39 PM, Maren S. Leizaola wrote:

> On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote:
>
>> On Fri, Mar 14, 2014 at 12:33:47PM +,
>>  Phil Mayers  wrote
>>  a message of 25 lines which said:
>>
>>> dig @server zone axfr >file
>>> diff file file.real
>>
>> If you're really paranoid, it may not be sufficient since a server may
>> reply differently to "normal" DNS queries and to zone file transfer
>> requests (for instance if the server is also authoritative for a
>> child zone, see RFC 5936, section 3.2).
>
> Thank you both for your replies.
>
> I am paranoid and I don't think zone transfers are a good method.
> I want something that looks at the file, intelligently looks at each
> record and sends the right types of queries to all the DNS servers.
>
> We are never sure how bug-free BIND is. As I am using other DNS
> servers, I am not sure how reliably they interact with BIND...
> So I trust nothing until it has been proven to work time and time
> again.
>
> I am surprised that there isn't a standard tool out there to do this;
> it seems pretty obvious to me.


Well, you're only *medium* paranoid, at most. If you were *really* 
paranoid, you'd crypto-sign your transfers.


- Kevin


Signing an RRSET

2014-03-14 Thread Sergio Ramirez
Hi,

We need to sign an RRSET individually, out of the zone file.
The utilities dnssec-signzone and similar ones from other packages 
check the zone before signing (SOA RR, DNSKEY RR, etc.).

Before writing a program to do this, we wanted to know if 
there is any tool to sign just an RRSET?

Thanks in advance
--
Sergio R.




Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Mark Elkins
On Fri, 2014-03-14 at 14:54 -0400, Kevin Darcy wrote:
> On 3/14/2014 2:39 PM, Maren S. Leizaola wrote:
> > On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote:
> >> On Fri, Mar 14, 2014 at 12:33:47PM +,
> >>   Phil Mayers  wrote
> >>   a message of 25 lines which said:
> >>
> >>> dig @server zone axfr >file
> >>> diff file file.real
> >> If you're really paranoid, it may not be sufficient since a server may
> >> reply differently to "normal" DNS queries and to zone file transfer
> >> requests (for instance if the server is also authoritative for a
> >> child zone, see RFC 5936, section 3.2).
> >>
> >>
> >
> > Thank you both for your replies.
> >
> > I am paranoid and I don't think zone transfers are a good method.
> >  I want something that looks at the file, intelligently looks at each 
> > record and sends the right types of queries to all the DNS servers.
> >
> > We are never sure how bug-free BIND is. As I am using other DNS 
> > servers, I am not sure how reliably they interact with BIND...
> > So I trust nothing until it has been proven to work time and time 
> > again.
> >
> > I am surprised that there isn't a standard tool out there to do this, 
> > it seems pretty obvious to me.


> Well, you're only *medium* paranoid, at most. If you were *really* 
> paranoid, you'd crypto-sign your transfers.

Makes me wonder a little...

I use TSIG to sign zone transfers. If I check the log file on the
receiving (slave) machine, I get something like...

14-Mar-2014 14:05:02.648 general: info: zone olpcsa.co.za/IN:
transferred serial 2014031402: TSIG ..

i.e. the serial number transferred in.  At this point, I'm pretty darn
sure that the zone transfer with that serial number has transferred
correctly for that zone at that time.

On the 'master' side, I have a cron-driven script that keeps checksums
of my zone files. If the (md5sum) checksum for a zone file is wrong,
increment the SOA serial, update that checksum and fire off an 'rndc
reload zone.name'. This allows updating the zone data without
remembering to update the SOA serial. The script also keeps another file
per zone with just the last SOA serial in it, so it can detect if the
serial was incremented. I run each zone in its own sub-directory to
manage each zone's set of files (for managing DNSSEC keys, etc.).

Most zone transfers should be pretty much immediate.

If I were really paranoid:...
One could add code to the 'master' script to then run through the
appropriate 'slave' servers and 'dig' for the new SOA serial. If a slave
does not report back the new SOA serial after a minute or so, then
you'd have reason to become paranoid or, more sensibly, go hunt down the
reason for the failure. 

Use BIND on the master. It can, unlike NSD, generate outbound IXFRs.
You could use NSD on the slaves, which gives you genetic diversity...

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
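The checksum-and-bump pass described above, written out as an added Python example (not Mark's script, which the message does not include); it also implements the serial-number arithmetic that Kevin's footnote refers to, so a serial that was already bumped by hand is recognised and a serial that wraps past 2^32 still compares correctly, and it includes the "does each slave report the new serial" check. The zone text, the per-zone state dict and the YYYYMMDDnn serial layout are constructed assumptions; md5 is used because the message does, as a change detector only.

```python
import hashlib
import re

SERIAL_MOD = 2 ** 32

def serial_newer(a, b):
    """RFC 1982 serial-number arithmetic: True when a is 'after' b (wraps at 2^32)."""
    return 0 < (a - b) % SERIAL_MOD < 2 ** 31

def read_serial(zone_text):
    """The serial is the third rdata field after the SOA type token."""
    flat = re.sub(r";.*", " ", zone_text).replace("(", " ").replace(")", " ")
    tokens = flat.upper().split()
    return int(tokens[tokens.index("SOA") + 3])

def replace_serial(zone_text, new_serial):
    """Rewrite the serial in place, whether or not the SOA is parenthesised."""
    pattern = r"(\bSOA\s+\S+\s+\S+[\s(]*)\d+"
    out, n = re.subn(pattern, lambda m: m.group(1) + str(new_serial), zone_text,
                     count=1, flags=re.IGNORECASE)
    if n != 1:
        raise ValueError("could not locate the SOA serial to rewrite")
    return out

def bump_serial(old, today):
    """YYYYMMDDnn style: jump to today's counter if the old serial is behind it, else +1."""
    base = today * 100
    return base if serial_newer(base, old) else (old + 1) % SERIAL_MOD

def reconcile(zone_text, state, today):
    """One cron pass for one zone.  state holds the last checksum and serial seen
    for this zone (the two per-zone files); returns (zone_text, new_state, action)."""
    digest = hashlib.md5(zone_text.encode()).hexdigest()  # change detector, not tamper evidence
    serial = read_serial(zone_text)
    if not state:                                          # first run: just record
        return zone_text, {"md5": digest, "serial": serial}, "recorded"
    if digest == state["md5"]:
        return zone_text, state, "unchanged"
    if serial_newer(serial, state["serial"]):              # editor remembered to bump it
        action = "reload"
    else:                                                  # edited, serial forgotten
        serial = bump_serial(serial, today)
        zone_text = replace_serial(zone_text, serial)
        digest = hashlib.md5(zone_text.encode()).hexdigest()
        action = "bumped+reload"
    return zone_text, {"md5": digest, "serial": serial}, action

def slave_caught_up(master_serial, slave_serial):
    """The follow-up check: does a slave's SOA serial match or exceed the master's?"""
    return slave_serial == master_serial or serial_newer(slave_serial, master_serial)

# Constructed sample zone, and the same file after someone edits www
# without touching the serial.
ZONE_V1 = """\
$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2014031401 7200 900 1209600 3600 )
    IN NS ns1.example.test.
www IN A  192.0.2.10
"""
ZONE_V2 = ZONE_V1.replace("192.0.2.10", "192.0.2.11")
```

The "reload" and "bumped+reload" results are where the real script would write the file back and run `rndc reload zone.name`.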




Re: bind v9.9.5 becomes unresponsive when using samba4 dlopen driver

2014-03-14 Thread Nikos Mitas
Hello again,

today I reinstalled bind 9.9.5 without threads, but I still have the same
behavior.

My environment was rhel v6.4, bind 9.9.3-P3 and samba v4.1.
I upgraded to rhel v6.5, bind 9.9.5 and samba v4.1.5 but the problem
remains:

after a while bind 9 becomes unresponsive.

I was not able to use gdb, probably I can do it on Monday; in the meanwhile
this is my named.conf, named -V and pstack output captured the moment bind
was unresponsive.

named-checkconf -px

options {
directory "/var/named";
dump-file "/var/named/data/cache.dump.db";
listen-on port 53 {
"any";
};
listen-on-v6 {
"none";
};
statistics-file "/var/named/data/named.stats.txt";
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
version "Bind";
allow-recursion {
10.0.0.0/8;
10.1.4.0/24;
"localhost";
"localnets";
};
auth-nxdomain yes;
empty-zones-enable no;
max-cache-size 4294967296;
allow-query {
"any";
};
allow-transfer {
"none";
};
allow-update {
127.0.0.1/32;
"localhost";
10.0.0.0/8;
};
forwarders {
8.8.8.8;
8.8.4.4;
};
notify no;
};
controls {
inet 127.0.0.1 port 953 allow {
127.0.0.1/32;
} keys {
"domain1";
};
};
acl "trusted" {
10.1.4.0/24;
127.0.0.1/32;
};
logging {
channel "basic" {
file "/var/log/named/named.log" versions 3 size 20971520;
severity debug 1;
print-time yes;
print-severity yes;
print-category yes;
};
category "default" {
"basic";
};
};
statistics-channels {
inet 0.0.0.0 port 8060 allow {
"trusted";
};
};
key "domain1" {
algorithm "hmac-md5";
secret "";
};
zone "." {
type hint;
file "named.root";
};
zone "localhost" {
type master;
file "master/localhost.zone";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "master/0.0.127.zone";
};
zone "ait.nkm" IN {
type master;
file "dynamic/fz.db.ait.nkm";
};
zone "aka.nkm" IN {
type master;
file "dynamic/fz.db.aka.nkm";
};
zone "axa.nkm" IN {
type master;
file "dynamic/fz.db.axa.nkm";
};
zone "2.1.10.in-addr.arpa" IN {
type master;
file "dynamic/rz.db.2.1.10";
};
zone "7.1.10.in-addr.arpa" IN {
type master;
file "dynamic/rz.db.7.1.10";
};
zone "6.1.10.in-addr.arpa" IN {
type master;
file "dynamic/rz.db.6.1.10";
};
dlz "AD DNS Zone" {
database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so -d 3";
};
server ::/0 {
bogus yes;
};

named -V
===
BIND 9.9.5 (Extended Support Version)  built by make with
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
'--enable-ipv6' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--with-dlz-ldap=yes'
'--with-dlz-filesystem=yes' '--with-gssapi=/usr/include/gssapi'
'--with-dlopen=yes'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-fixed-rrset' '--enable-rrl' '--enable-newstats'
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu'
compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-4)
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.7.6

pstack when named was unresponsive

#0  0x0039bb80e975 in fcntl () from /lib64/libpthread.so.0
#1  0x7fc753c1b347 in fcntl_lock () from
/usr/local/samba/lib/private/libtdb.so.1
#2  0x7fc753c1b44f in tdb_brlock () from
/usr/local/samba/lib/private/libtdb.so.1
#3  0x7fc753c1b919 in tdb_nest_lock () from
/usr/local/samba/lib/private/libtdb.so.1
#4  0x7fc753c1bf2c in tdb_transaction_lock () from
/usr/local/samba/lib/private/libtdb.so.1
#5  0x7fc753c213be in _tdb_transaction_start () from
/usr/local/samba/lib/private/libtdb.so.1
#6  0x7fc753c216d3 in tdb_transaction_start () from
/usr/local/samba/lib/private/libtdb.so.1
#7  0x7fc74dafa321 in partition_metadata_start_trans () from
/usr/local/samba/lib/ldb/partition.so
#8  0x7fc74daf5f1f in partition_start_trans () from
/usr/local/samba/lib/ldb/partition.so
#9  0x7fc7594586e1 in ldb_next_start_trans () from
/usr/local/samba/lib/private/libldb.so.1
#10 0x7fc74ed23925 in linked_attributes_start_transaction () from
/usr/local/samba/lib/ldb/linked_attributes.so
#11 0x7fc7594586e1 in ldb_next_start_trans () from
/usr/local/samba/lib/private/libldb.so.1
#12 0x7fc74d2d40c3 in replmd_start_transaction () from
/usr/local/samba/lib/ldb/repl_meta_data.so
#13 0x7fc7594586e1 in ldb_next_start_trans () from
/usr/local/samba/lib/private/libldb.so.1
#14 0x7fc750b83b12 in descriptor_start_transaction () from
/usr/local/samba/lib/ldb/descriptor.so
#15 0x7fc7594586e1 in ldb_next_start_trans () from
/usr/local/samba/lib/private/libldb.so.1
#16 0x7fc74ba7f70f in schema_load_start_transaction () from
/usr/local/samba/

Re: Signing an RRSET

2014-03-14 Thread Alan Clegg
On 3/14/14, 12:15 PM, Sergio Ramirez wrote:

> We need to sign an RRSET individually, out of the zone file.
> The utilities dnssec-signzone and similar ones from other packages 
> check the zone before signing (SOA RR, DNSKEY RR, etc.).
> 
> Before writing a program to do this, we wanted to know if 
> there is any tool to sign just an RRSET?

Create it in a valid zone file, sign it, then "dig" it out?

You can't sign without keys, SOA can be standard, this is _probably_
much easier to script than creating code.

AlanC




Re: Update Security

2014-03-14 Thread Chris Buxton
On Mar 14, 2014, at 10:50 AM, Bob McDonald  wrote:

> I agree that TSIG or SIG(0) signed updates are certainly a more desirable 
> approach than allowing updates via address.  My DHCP server is set up to sign 
> all of its updates this way.  However, I have AD domain controllers in the 
> environment that don't currently use signed updates.  Is there a fairly 
> painless way to convert all the AD machines to signed updates?

You would need to set up GSS-TSIG, which is not painless. (It's certainly 
doable, but there are plenty of pitfalls to overcome.) Windows doesn't support 
TSIG, just GSS-TSIG.

AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the 
master.

Regards,
Chris Buxton.