Re: tsig indicates error

2015-07-27 Thread Managed Pvt nets



On 24/07/2015 6:07:09 PM, John Miller johnm...@brandeis.edu wrote:



On Fri, Jul 24, 2015 at 11:52 AM, Mark Elkins m...@posix.co.za wrote:

On Fri, 2015-07-24 at 15:44 +, Managed Pvt nets wrote:


 On 24/07/2015 5:05:24 PM, Alan Clegg a...@clegg.com wrote:

  Possible problems:
 Mismatched keys.
 Mismatched key names.
 Mismatched clocks.

 Most likely mismatched key.  I have to figure out how to make sure my
 master does not require TSIGs and my slave does not try to use them.


TSIG is a step towards better security. Rather learn how to use it than
go backwards. I see TSIG as a step towards DNSSEC...


I'm with Mark on this.  TSIG isn't that tough to figure out--a couple 
hours and you should have it down.  Cricket/Paul's book, and Pro DNS 
and BIND 10 are good intros to the subject.  I'm installing a copy of 
Debian 8.1 for myself right now--I'm curious to see what the stock BIND 
config looks like (we use RHEL here at the office).


Thanks all. I finally got this working.

===
Jul 27 14:40:24 hostname named[6016]: zone myzone.co.zw/IN: transferred serial 2015072400: TSIG 'rndc-key'

===

many thanks




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Crypto failure Issues

2015-07-27 Thread Stewart, Larry C Sr CTR DISA JITC (US)
I am using a prebuilt binary will give compiling it myself a try and see what 
that yields.

Larry Stewart, CISSP
Contractor - ManTech
Network Engineer
Office: 520-538-4227
DSN: 879-4227
Cell phone: 520-227-8251
larry.c.stewart@mail.mil

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ted Mittelstaedt
Sent: Friday, July 24, 2015 12:28 PM
To: bind-users@lists.isc.org
Subject: Re: Crypto failure Issues

Did you compile both openssl and bind or are you using a prebuilt binary?

There are (apparently) problems with OpenSSL 1.0.2 on the 32 bit Solaris
10 platform.  This was discussed on the openssl-users mailing list
a few months ago.  The fix was building with an openssl 1.0.1
version on that platform.  I would try that myself.

Ted

On 7/24/2015 10:31 AM, Stewart, Larry C Sr CTR DISA JITC (US) wrote:
 All

 It occurred to me that you may need more info to assist me; the logs show the 
 following:

 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.notice] starting BIND 9.10.2-P2 -t /nithr -u nithr -d 2 -f
 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.notice] built with '--prefix=/' '--with-openssl=/usr/local/ssl' '--enable-threads' 'CC=/usr/sfw/bin/gcc'
 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.notice] 
 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.notice] BIND 9 is maintained by Internet Systems Consortium,
 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.notice] Inc. (ISC), a non-profit 501(c)(3) public-benefit
 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.notice] corporation.  Support and training for BIND 9 are
 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.notice] available at https://www.isc.org/support
 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.notice] 
 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.warning] ENGINE_by_id failed (crypto failure)
 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.crit] initializing DST: crypto failure
 Jul 23 15:55:11 nit-dns2 named[20169]: [ID 873579 daemon.crit] exiting (due to fatal error)


 As you can see I am running named in a chroot jail. I compile it the same as 
 when I am using the older version of openssl. Looking online, this issue 
 seems to have raised its head with the release of openssl 1.0.0, but I have 
 yet to discover a solution online.



 -Original Message-
 From: bind-users-boun...@lists.isc.org 
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Stewart, Larry C Sr 
 CTR DISA JITC (US)
 Sent: Friday, July 24, 2015 9:22 AM
 To: bind-users@lists.isc.org
 Subject: Crypto failure Issues

 I am having issues with bind failing to start due to a crypto failure when I 
 compile with the --with-openssl option when I have openssl version 1.0.2d or 
 1.0.2c.

 Is anyone aware of any compatibility issues between bind and openssl version 
 1.0.2? I have no issues when I use openssl version 0.9.8zf.

 My system is a Solaris 10 x86 OS.


Re: Crypto failure Issues

2015-07-27 Thread Tony Finch
Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:

 I am having issues with bind failing to start due to a crypto failure
 when I compile with the --with-openssl option when I have openssl
 version 1.0.2d or 1.0.2c

 Is anyone aware of any compatibility issues between bind and openssl
 version 1.0.2? I have no issues when I use openssl version 0.9.8zf.

This sounds like the GOST problem. Try building BIND with
./configure --without-gost or copy the OpenSSL GOST engine shared object
into your chroot.

e.g. https://lists.isc.org/pipermail/bind-users/2014-June/093450.html
http://gnats.netbsd.org/48658

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Tyne, Dogger, Fisher: Northeast 5 or 6 backing north 4 or 5, but cyclonic at
first in Dogger. Moderate. Rain or showers. Moderate or good.


Re: tsig indicates error

2015-07-27 Thread Tony Finch
Managed Pvt nets m...@icabs.co.zw wrote:

 Jul 27 14:40:24 hostname named[6016]: zone myzone.co.zw/IN: transferred serial 2015072400: TSIG 'rndc-key'

It isn't a very good idea to use the same key for zone transfers and
for rndc. It is common to allow zone transfers to third parties, and
you don't want them to be able to fiddle with your name server!

Best to have separate keys for rndc and different keys for each secondary
(or for each set of secondaries under the same management).

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Biscay: Northwest 5 or 6, occasionally 4 later. Moderate or rough. Fair. Good.


Re: dig md - Feature? Bug? What's going on?

2015-07-27 Thread Matthew Horsfall (alh)
On Mon, Jul 27, 2015 at 12:19 PM, Matthew Horsfall (alh)
wolfs...@gmail.com wrote:
 Attempting to 'dig' for 'md' does something really weird. What am I missing?

Ah, md is an obsolete RRTYPE. Nevermind! (Just like typing dig a.)

-- Matthew Horsfall (alh)


Re: dig md - Feature? Bug? What's going on?

2015-07-27 Thread Tony Finch
Matthew Horsfall (alh) wolfs...@gmail.com wrote:
 On Mon, Jul 27, 2015 at 12:19 PM, Matthew Horsfall (alh) wolfs...@gmail.com 
 wrote:
  Attempting to 'dig' for 'md' does something really weird. What am I missing?

 Ah, md is an obsolete RRTYPE. Nevermind! (Just like typing dig a.)

Indeed. But why does it query for NS?

;; QUESTION SECTION:
;.                              IN      NS

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Irish Sea: Cyclonic 5 to 7, occasionally 4 in north, becoming northwesterly 4
or 5. Slight or moderate, but rough at first in south. Rain or showers. Good,
occasionally poor.


dig md - Feature? Bug? What's going on?

2015-07-27 Thread Matthew Horsfall (alh)
Attempting to 'dig' for 'md' does something really weird. What am I missing?

mhorsfall@dumai:~$ dig m

  ; <<>> DiG 9.9.5-4.3ubuntu0.2-Ubuntu <<>> m
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44519
  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;m.                             IN      A

  ;; Query time: 2 msec
  ;; SERVER: 127.0.1.1#53(127.0.1.1)
  ;; WHEN: Mon Jul 27 12:17:38 EDT 2015
  ;; MSG SIZE  rcvd: 19

mhorsfall@dumai:~$ dig d

  ; <<>> DiG 9.9.5-4.3ubuntu0.2-Ubuntu <<>> d
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22301
  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;d.                             IN      A

  ;; Query time: 3 msec
  ;; SERVER: 127.0.1.1#53(127.0.1.1)
  ;; WHEN: Mon Jul 27 12:17:39 EDT 2015
  ;; MSG SIZE  rcvd: 19

mhorsfall@dumai:~$ dig md

  ; <<>> DiG 9.9.5-4.3ubuntu0.2-Ubuntu <<>> md
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14960
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1280
  ;; QUESTION SECTION:
  ;.                              IN      NS

  ;; ANSWER SECTION:
  .                       392353  IN      NS      l.root-servers.net.
  .                       392353  IN      NS      b.root-servers.net.
  .                       392353  IN      NS      g.root-servers.net.
  .                       392353  IN      NS      k.root-servers.net.
  .                       392353  IN      NS      i.root-servers.net.
  .                       392353  IN      NS      c.root-servers.net.
  .                       392353  IN      NS      h.root-servers.net.
  .                       392353  IN      NS      m.root-servers.net.
  .                       392353  IN      NS      a.root-servers.net.
  .                       392353  IN      NS      d.root-servers.net.
  .                       392353  IN      NS      j.root-servers.net.
  .                       392353  IN      NS      f.root-servers.net.
  .                       392353  IN      NS      e.root-servers.net.

  ;; Query time: 29 msec
  ;; SERVER: 127.0.1.1#53(127.0.1.1)
  ;; WHEN: Mon Jul 27 12:17:40 EDT 2015
  ;; MSG SIZE  rcvd: 239

-- Matthew Horsfall (alh)


Re: tsig indicates error

2015-07-27 Thread Evan Hunt
On Mon, Jul 27, 2015 at 04:33:06PM +0100, Tony Finch wrote:
 It isn't a very good idea to use the same key for zone transfers and
 for rndc. It is common to allow zone transfers to third parties, and
 you don't want them to be able to fiddle with your name server!

Sometimes, in my experience, people do this because rndc-confgen is
relatively easy to use, but generating other keys using dnssec-keygen
is cumbersome.

So I'll just take this opportunity to mention that in the more recent
versions of BIND you can use 'tsig-keygen name', it's much easier.  Or
if you're on an older release, 'ddns-confgen -q -k name' does the same
thing.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
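Separate keys for rndc and for each secondary, as recommended in Tony's message above and made easy by tsig-keygen, as an added example in Python (not code from the thread or from BIND): it renders named.conf fragments in the key-statement form that tsig-keygen prints, and audits a config for a key that is shared between the controls statement and zone transfers. The key names, zone file path, 192.0.2.x addresses and BAD_CONFIG are constructed.

```python
import base64
import re
import secrets

# Added example, not code from the thread or from BIND. Renders named.conf
# fragments in the key-statement shape tsig-keygen prints, giving rndc its own
# key and each secondary its own transfer key, then audits a config for a key
# used both for rndc and for zone transfers (the pattern in the transfer log
# quoted above). Key names, file paths and addresses are constructed.


def make_tsig_key(name, algorithm="hmac-sha256", nbytes=32):
    """Return a named.conf key statement with a fresh random secret."""
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode()
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def primary_config(zone, rndc_key, secondary_keys):
    """Primary-side config: rndc is bound to rndc_key only, and transfers of
    the zone are allowed only when signed with one of the per-secondary keys."""
    parts = [make_tsig_key(rndc_key)] + [make_tsig_key(k) for k in secondary_keys]
    parts.append(
        "controls {\n\tinet 127.0.0.1 port 953 allow { 127.0.0.1; }"
        f' keys {{ "{rndc_key}"; }};\n}};\n'
    )
    acl = " ".join(f"key {k};" for k in secondary_keys)
    parts.append(
        f'zone "{zone}" {{\n\ttype master;\n\tfile "{zone}.db";\n'
        f"\tallow-transfer {{ {acl} }};\n}};\n"
    )
    return "".join(parts)


def block_bodies(text, keyword):
    """Yield the brace-delimited body of every `keyword { ... }` statement,
    counting nested braces so inner blocks do not end the scan early."""
    for m in re.finditer(r"\b" + re.escape(keyword) + r"\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]


def shared_keys(config):
    """Key names found both in controls { keys { ... } } (rndc) and in an
    allow-transfer or masters/primaries list (zone transfers). Empty is good."""
    rndc = set()
    for controls in block_bodies(config, "controls"):
        for keys in block_bodies(controls, "keys"):
            rndc |= set(re.findall(r'"?([\w.-]+)"?\s*;', keys))
    xfer = set()
    for kw in ("allow-transfer", "masters", "primaries"):
        for body in block_bodies(config, kw):
            xfer |= set(re.findall(r'\bkey\s+"?([\w.-]+)"?', body))
    return rndc & xfer


# Constructed secondary-side config that reuses the rndc key for transfers.
BAD_CONFIG = (
    make_tsig_key("rndc-key")
    + 'controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; }; };\n'
    + 'zone "myzone.co.zw" { type slave; masters { 192.0.2.1 key rndc-key; }; };\n'
)

if __name__ == "__main__":
    good = primary_config("myzone.co.zw", "rndc-key", ["xfer-ns1", "xfer-ns2"])
    print(good)
    print("shared keys in good config:", shared_keys(good) or "none")
    print("shared keys in BAD_CONFIG:", shared_keys(BAD_CONFIG))
```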


Re: dig md - Feature? Bug? What's going on?

2015-07-27 Thread Jaap Akkerhuis
 Matthew Horsfall (alh) writes:

  Attempting to 'dig' for 'md' does something really weird. What am I
  missing?

The dot. Use 'dig md.' so dig doesn't take the md as the obsoleted
RR type md (mail destination).

There are more of those name clashes, such as MX, CH, etc.

jaap


RE: Crypto failure Issues

2015-07-27 Thread Stewart, Larry C Sr CTR DISA JITC (US)
Thank you, that was the trick. What impact does that have on crypto operations 
used by BIND?


Re: dig md - Feature? Bug? What's going on?

2015-07-27 Thread Evan Hunt
 Indeed. But why does it query for NS?

When you don't specify a name, dig looks up ./NS by default. 

When the code for this was originally written, I guess it didn't
occur to anyone that you might have specified a type but not a name.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


How to properly update chroot-bind

2015-07-27 Thread Leandro Roggerone
Hello, guys, I would like to know how to properly update my chroot bind
version.
I still can't find any nice doc / info about it.

I'm using:
[root@centos-dns1 ~]# named -v
BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3
running on a
[root@centos-dns1 ~]# uname -a
Linux centos-dns1.virtual.com.ar 2.6.32-504.23.4.el6.x86_64 #1 SMP Tue Jun
9 20:57:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Doing 'yum update bind-chroot' is not the way.
This is not a production server yet but it will be soon.


Thanks in advance !!!

RE: Crypto failure Issues

2015-07-27 Thread Tony Finch
Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:

 Thank you, that was the trick. What impact does that have on crypto
 operations used by BIND?

GOST is the Russian equivalent of NIST. They publish cryptography
standards, amongst other things. There are RFCs describing how to
use GOST crypto with TLS, DNSSEC, etc.

You might need working GOST crypto if you are working closely with
Russian government agencies. In other circumstances you can probably
ignore it.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Dogger, Fisher, German Bight, Humber: Cyclonic 5 or 6, occasionally 7 in
German Bight, becoming north or northwest 4 or 5. Slight or moderate. Rain or
showers. Good, occasionally poor.


RE: Crypto failure Issues

2015-07-27 Thread Stewart, Larry C Sr CTR DISA JITC (US)
Thanks 


Re: Crypto failure Issues

2015-07-27 Thread Mark Andrews

And the issue almost certainly is not providing a complete enough
change root environment.  Gost dynamically loads the crypto engine
after named starts.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Crypto failure Issues

2015-07-27 Thread Tony Finch
Mark Andrews ma...@isc.org wrote:

 And the issue almost certainly is not providing a complete enough
 change root environment.  Gost dynamically loads the crypto engine
 after named starts.

I have a lot of sympathy for anyone who encounters this problem because it
took me a long time to work out what the solution is. Practically no-one
has experience of OpenSSL engines because at best the average sysadmin
might know that engines are weird stuff you need for HSMs.

A large part of this is OpenSSL's fault, because its error reporting is
not good enough. OpenSSL has a lot of internal abstraction layers, but its
error codes are just per-module errno-style numbers, which means it is
fundamentally incapable of explaining what went wrong. Like in this
instance when its errno said "ENGINE_by_id failed", but because it can't
encapsulate the crucial argument in the error code, it can't say "oh by
the way, the engine name is GOST". And because the abstraction layer is
fundamentally designed to allow you to be unaware of which engine you are
using (which engine failed) this ends up making problems hard to debug.

BIND is generally a lot better at explaining what it is doing than
OpenSSL, but it also has layers, and also has errno-style error codes, so
the lack of information propagates. Sadface. Happily BIND has debug
logging which lets you report this kind of problem from the depths of its
libraries. But it doesn't log in this situation. Sadface.

Debian has an interesting patch to BIND which makes it initialize OpenSSL
before calling chroot(), which completely solves this problem in a very
nice way. This worked well for me until, er, some point in the last few
months on the BIND 9.11 HEAD branch.

http://anonscm.debian.org/cgit/users/lamont/bind9.git/commit/?h=master&id=60cf6b37caf48bd3270aa2b7b8af5ebc47396dce

I am afraid I have not identified why this patch doesn't work any more,
because why would anyone in their right mind give a monkeys about elegant
solutions to problems caused by obscure crypto algorithms that no-one in
their right mind uses.

Tony.

PS. It seems I am a bit cross about GOST.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Portland, Plymouth: West or northwest 6 to gale 8 decreasing 4 or 5.
Moderate or rough. Mainly fair. Good.