Re: Reload only ACL

2016-04-25 Thread Carl Byington

On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote:
> based on a user tool the users "hundreds in corporate environment" get
> either public or private zone,

Rather than the tool writing an ACL for bind, can the tool instead
reconfigure the user's local workstation dns settings to point to one of
two different (sets of) bind servers? One serves the public zone, one
serves the private zone.



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Reload only ACL

2016-04-25 Thread Anand Buddhdev
On 25/04/16 22:23, Ali Jawad wrote:

Hi Ali Jawad,

> I do have a very specific requirement for private/public zones, and based on
> a user tool the users "hundreds in corporate environment" get either the public
> or the private zone; the tool simply writes to an ACL file. My problem is that
> the only way I found that does not flush the cache of the server and
> reloads the ACL is rndc reconfig, but that appears to stall the server for
> new queries "tested with dig" for a few moments, and given I have a change
> of ACL from a user a few times per minute it is not very viable. Is
> there an alternative to doing this, and/or a way to have BIND load the ACL
> dynamically?

I'm not aware of any way to look up ACLs dynamically. However, a
configuration that involves reconfiguring BIND several times a minute
seems like a bad design. Can't you have pre-defined address ranges of
public or private zones, and just pre-configure these in BIND once?

Sometimes it helps to rethink your design.

Regards,

Anand
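Anand's suggestion, written out as an added example that is not part of the thread: classify clients once by address range and let BIND's view matching decide per query which copy of the zone a client sees, instead of rewriting an ACL every time a user's assignment changes. The address ranges, zone name and file paths below are assumptions.

```conf
// Added example, not from the thread. Ranges, zone and paths are assumptions.
// Membership is decided per query by match-clients, so no reload is needed
// when an individual workstation sends a query; only a change to a range
// itself requires touching named.conf.
acl "private-clients" {
    10.10.0.0/16;          // assumed internal workstation range
    192.168.50.0/24;       // assumed VPN pool
    localhost;
};

view "private" {
    match-clients { "private-clients"; };
    recursion yes;
    zone "example.com" IN {
        type master;
        file "/var/named/private/example.com.zone";
    };
};

// Catch-all view: views are tried top to bottom, so this must come last.
view "public" {
    match-clients { any; };
    recursion no;
    zone "example.com" IN {
        type master;
        file "/var/named/public/example.com.zone";
    };
};
```

When a range does have to change, validate first with `named-checkconf` and only then run `rndc reconfig`; that keeps a typo in the ACL from taking the server down, and turns the per-user reconfig described in the question into a rare event.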


Reload only ACL

2016-04-25 Thread Ali Jawad
Hi
I do have a very specific requirement for private/public zones, and based on
a user tool the users "hundreds in corporate environment" get either the public
or the private zone; the tool simply writes to an ACL file. My problem is that
the only way I found that does not flush the cache of the server and
reloads the ACL is rndc reconfig, but that appears to stall the server for
new queries "tested with dig" for a few moments, and given I have a change
of ACL from a user a few times per minute it is not very viable. Is
there an alternative to doing this, and/or a way to have BIND load the ACL
dynamically?
Regards

Re: Compiling BIND9 on CentOS 7

2016-04-25 Thread Carl Byington

On Mon, 2016-04-25 at 13:54 -0400, Sean Son wrote:
> Reindl

> Thank you for your response.  Let me see if what you provided will
> work
> with what I am trying to do.

If you are compiling any source code for rpm based distributions like
RedHat, you really want to look at the rpm packaging. RedHat has an rpm
spec file for their older bind on RHEL7/Centos7. I modified that for the
latest bind.

http://www.five-ten-sg.com/mapper/bind

That builds the latest version of Bind from ISC, in a manner compatible
with stock bind installs from the Centos7 distribution. The files are
installed into the same locations.




Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread jasonsu


On Mon, Apr 25, 2016, at 11:33 AM, Matthew Pounsett wrote:
> Unless you have a clear reason to do it (perhaps there's some security
> consideration I haven't thought of) it seems to me it's unnecessary
> complexity that would lead to problems just like this.

Noted.

Still, I'd honestly like to know that my chroot'd environment makes sense, and 
works, and why -- rather than just being lucky that it doesn't break.

I'm gonna stick with trying to figure this out -- and likely afterwards stop 
tearing down the existing chroot on exit.

> > I'm not clear on it.
> 
> Although BIND 9 has never had a remote code execution exploit that I'm
> aware of, it's still advisable to run it in a chroot environment.

Oh well.

I completely gave up on chroot'd ntpd because of the endless weirdness.  
Finally just moved to openntpd as (1) it had safe privsep, (2) no chroot req'd, 
and (3) did the job I need.

It'd be great to be able to dump it here too, but since, for the moment, bind9 
does (3) for me nicely, and nothing else does quite yet, I guess I stick with 
chroot.

But IMO it'd be really nice if it went away.  And from what I'm reading in 
various threads online, I'm not the only one who wouldn't mind.

Now back to figuring this^ out :-/

Thanks.

Jason


Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On Monday, 25 April 2016,  wrote:

> On Mon, Apr 25, 2016, at 10:58 AM, Matthew Pounsett wrote:
> > It's not clear to me why one would want to destroy/rebuild the chroot
> > every time you restart the process.
>
> Well, here
>
> (1) Because I inherited it this way, and
> (2) The notes' quoted examples did that too, and
> (3) I'd not yet gotten any/good advice NOT to (security?)


Unless you have a clear reason to do it (perhaps there's some security
consideration I haven't thought of) it seems to me it's unnecessary
complexity that would lead to problems just like this.

>
> TBH, I'm not even sure whether "these days", chroot is still recommended.
> Apparmor or Docker instead? Is privsep taken care of in current bind so we
> don't have to worry about it anymore (e.g., the openntpd vs ntpd case)?
> I'm not clear on it.


Although BIND 9 has never had a remote code execution exploit that I'm
aware of, it's still advisable to run it in a chroot environment.

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread jasonsu


On Mon, Apr 25, 2016, at 10:58 AM, Matthew Pounsett wrote:
> It's not clear to me why one would want to destroy/rebuild the chroot every
> time you restart the process. 

Well, here

(1) Because I inherited it this way, and
(2) The notes' quoted examples did that too, and
(3) I'd not yet gotten any/good advice NOT to (security?)

TBH, I'm not even sure whether "these days", chroot is still recommended.  
Apparmor or Docker instead? Is privsep taken care of in current bind so we 
don't have to worry about it anymore (e.g., the openntpd vs ntpd case)?  I'm 
not clear on it.

> However, as long as you're doing that you
> should make sure that all the important files are preserved.  As you noted
> earlier, it looks like your journal file is probably not preserved.  I'd
> start there, and if that doesn't fix it, then have a careful look at what's
> in your chroot tree before you shut down the server, and compare that to
> what's in the chroot after you start it up again.

Good suggestion.  Will give it a try.

Jason


Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On 25 April 2016 at 13:53,  wrote:

>
>
> I suspect that there's something wrong with what is/isn't copied , and
> maybe when, in that chroot build/destroy script.
>

It's not clear to me why one would want to destroy/rebuild the chroot every
time you restart the process.  However, as long as you're doing that you
should make sure that all the important files are preserved.  As you noted
earlier, it looks like your journal file is probably not preserved.  I'd
start there, and if that doesn't fix it, then have a careful look at what's
in your chroot tree before you shut down the server, and compare that to
what's in the chroot after you start it up again.
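Matthew's advice above (and the same passage quoted in Jason's reply) turned into a script: snapshot every file in the chroot before `named` is stopped, snapshot again after it is started, and list what vanished or changed, with a direct check for the zone's journal. This is an added example, not code from the thread. It assumes the chroot lives at /var/chroot/named and the zone file sits under /namedb/master (the paths Jason used), and that the dynamic-update journal is the zone file name with a `.jnl` suffix; the demonstration tree at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Chroot path and the .jnl journal name
# are assumptions taken from the paths quoted earlier in the thread.

# snapshot_tree DIR OUT: write "path crc size" for every regular file under
# DIR, sorted, so two snapshots can be compared line by line.
snapshot_tree() {
    snap_dir=$1
    snap_out=$2
    ( cd "$snap_dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        # cksum is POSIX and prints "crc size name"; paths without spaces assumed
        set -- $(cksum "$f")
        printf '%s %s %s\n' "$f" "$1" "$2"
    done ) > "$snap_out"
}

# missing_files BEFORE AFTER: paths present before the restart but gone after.
# FILENAME==ARGV[1] rather than NR==FNR keeps this correct when AFTER is empty.
missing_files() {
    awk 'FILENAME==ARGV[1] { seen[$1]=1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# changed_files BEFORE AFTER: paths in both snapshots whose checksum differs.
changed_files() {
    awk 'FILENAME==ARGV[1] { crc[$1]=$2; next } ($1 in crc) && crc[$1]!=$2 { print $1 }' "$2" "$1"
}

# journal_preserved BEFORE AFTER ZONEPATH: succeeds if ZONEPATH.jnl survived.
journal_preserved() {
    ! missing_files "$1" "$2" | grep -qxF "$3.jnl"
}

# Typical use on the server (not run here):
#   snapshot_tree /var/chroot/named /tmp/named-before.txt ; rndc stop
#   ... run the chroot rebuild and start named again ...
#   snapshot_tree /var/chroot/named /tmp/named-after.txt
#   missing_files /tmp/named-before.txt /tmp/named-after.txt
#   journal_preserved /tmp/named-before.txt /tmp/named-after.txt ./namedb/master/example.com.zone

# Constructed demonstration: a fake chroot whose rebuild drops the journal.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/before/namedb/master" "$tmp/after/namedb/master"
    printf 'zone data\n' > "$tmp/before/namedb/master/example.com.zone"
    printf 'zone data\n' > "$tmp/after/namedb/master/example.com.zone"
    printf 'journal\n'   > "$tmp/before/namedb/master/example.com.zone.jnl"
    snapshot_tree "$tmp/before" "$tmp/before.txt"
    snapshot_tree "$tmp/after"  "$tmp/after.txt"
    echo "missing after restart:"
    missing_files "$tmp/before.txt" "$tmp/after.txt"
    rm -rf "$tmp"
}
demo
```

A missing `.jnl` after the rebuild is exactly the symptom in this thread: the update was accepted and logged, but the journal holding it was not carried across, so the zone reloads from the on-disk file without the added record.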

Re: Compiling BIND9 on CentOS 7

2016-04-25 Thread Sean Son
Reindl

Thank you for your response.  Let me see if what you provided will work
with what I am trying to do.


Thanks again!



On Mon, Apr 25, 2016 at 1:36 PM, Reindl Harald wrote:

>
>
> Am 25.04.2016 um 19:23 schrieb Sean Son:
>
>> Thank you for your reply.
>>
>> The issue is, I do not know what other services/targets will need to be
>> started prior to BIND starting. In other words, I have no idea how to
>> set up the unit file for BIND.
>>
>
> none - just none
>
> and even if - how would a blind script at startup solve that question - if
> it doesn't (and it really doesn't), what exactly is your problem?
> ___
>
> [Unit]
> Description=DNS Server
>
> [Service]
> Type=simple
> ExecStart=/usr/sbin/named -f -u named
> ExecReload=/usr/bin/kill -HUP $MAINPID
> ExecStop=/usr/bin/kill -TERM $MAINPID
> Restart=always
> RestartSec=1
>
> [Install]
> WantedBy=multi-user.target
> ___
>
> On Mon, Apr 25, 2016 at 12:09 PM, Anand Buddhdev wrote:
>>
>> On 25/04/16 17:59, Sean Son wrote:
>>
>> Hi Sean Son,
>>
>> > I know I emailed the list about compiling BIND on a SystemD distro earlier
>> > last month. This time I have a different question. After I compile BIND9 on
>> > CentOS 7, how do I get it to start up at boot time and how do I restart
>> > it? I don't want to have to write a systemd unit configuration file for it.
>> > I want it to run using a boot script or some other way that will allow BIND
>> > to start up at boot and also allow the system administrator to restart BIND
>> > if it ever stops running.
>>
>> A systemd unit file is the *easiest* and *simplest* way to get BIND to
>> start at boot. Is there any reason you don't want to use systemd? It's
>> not difficult at all. You just need a few lines in a file to create a
>> system unit.
>>
>> If you don't want systemd to restart BIND if it crashes, then you can
>> just set:
>>
>> Restart=no
>>
>> Then, you can start BIND by hand with "systemctl start "
>>
>
>

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread jasonsu


On Mon, Apr 25, 2016, at 10:46 AM, Matthew Pounsett wrote:
> > Unfortunately, that^ returns no TXT record either.  Which to me suggests
> > the problem's 'earlier'.
> >
> 
> Yeah.  I think you need to solve the problem with the vanishing journal
> file first.   But, the above dig is what you *should* do to get back the
> TXT record that you're adding.  If it's not getting you the record, then
> there's a problem with your server somewhere.

Got it.

I suspect that there's something wrong with what is/isn't copied, and maybe 
when, in that chroot build/destroy script.

Although it does seem to be mostly consistent with some of the tutes I'm 
finding online, I can't see the problem yet ...

I did try to look at opensuse project's rpm-build's spec file to maybe cherry 
pick the chroot stuff.  It's a complete mess, and beyond me what's what in 
there.  Let's just say I can now understand WHY my predecessor on this machine 
went the DIY route (some of the comments in his notes were -- colorful ;-) )

I've 'started over' a couple of times already on this box, but just get to the 
same point.

I really DON'T want to run bind without the chroot, so haven't taken that path.

Jason


Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On 25 April 2016 at 13:44,  wrote:

>
>
> On Mon, Apr 25, 2016, at 10:19 AM, Matthew Pounsett wrote:
> > > TBH I don't understand WHAT to 'expect' from dig to test/verify this^.
> > > What do I dig to get an answer with "TEST STRING" in it?
> >
> > dig in txt test.example.com @ns01.example.com
>
> Thanks.
>
> Unfortunately, that^ returns no TXT record either.  Which to me suggests
> the problem's 'earlier'.
>

Yeah.  I think you need to solve the problem with the vanishing journal
file first.   But, the above dig is what you *should* do to get back the
TXT record that you're adding.  If it's not getting you the record, then
there's a problem with your server somewhere.


>
> Jason
>

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread jasonsu


On Mon, Apr 25, 2016, at 10:19 AM, Matthew Pounsett wrote:
> > TBH I don't understand WHAT to 'expect' from dig to test/verify this^.
> > What do I dig to get an answer with "TEST STRING" in it?
> 
> dig in txt test.example.com @ns01.example.com

Thanks.

Unfortunately, that^ returns no TXT record either.  Which to me suggests the 
problem's 'earlier'.

Jason


Re: Compiling BIND9 on CentOS 7

2016-04-25 Thread Sean Son
Thank you for your reply.

The issue is, I do not know what other services/targets will need to be
started prior to BIND starting. In other words, I have no idea how to set
up the unit file for BIND.

Thanks



On Mon, Apr 25, 2016 at 12:09 PM, Anand Buddhdev  wrote:

> On 25/04/16 17:59, Sean Son wrote:
>
> Hi Sean Son,
>
> > I know I emailed the list about compiling BIND on a SystemD distro earlier
> > last month. This time I have a different question. After I compile BIND9 on
> > CentOS 7, how do I get it to start up at boot time and how do I restart
> > it? I don't want to have to write a systemd unit configuration file for it.
> > I want it to run using a boot script or some other way that will allow BIND
> > to start up at boot and also allow the system administrator to restart BIND
> > if it ever stops running.
>
> A systemd unit file is the *easiest* and *simplest* way to get BIND to
> start at boot. Is there any reason you don't want to use systemd? It's
> not difficult at all. You just need a few lines in a file to create a
> system unit.
>
> If you don't want systemd to restart BIND if it crashes, then you can
> just set:
>
> Restart=no
>
> Then, you can start BIND by hand with "systemctl start ".
>
> Regards,
> Anand
>

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On Sunday, 24 April 2016,  wrote:

> > This zone would not pass named-checkzone, which interestingly, is the
> same code which named itself uses when initially loading a zone.
>
> It appears to
>
> named-checkzone -t /var/chroot/named example.com /namedb/master/example.com.zone
> zone example.com/IN: loaded serial 1461540029
> OK
>
>
> cat /tmp/nsupdate.txt
> server ns01.example.com
> debug yes
> zone example.com.
> update add test.example.com. 300 in TXT "TEST STRING"
> show
> send
>
> $NSUPDATE /tmp/nsupdate.txt
>
> @ server
>
> Apr 24 16:24:02 ns01 named[14954]: 24-Apr-2016 16:24:02.350
> update-security: info: client 10.0.0.17#26427/key jason-key: view external:
> signer "jason-key" approved
> Apr 24 16:24:02 ns01 named[14954]: 24-Apr-2016 16:24:02.350
> update: info: client 10.0.0.17#26427/key jason-key: view external: updating
> zone 'example.com/IN': adding an RR at 'test.example.com' TXT "TEST
> STRING"
>
> TBH I don't understand WHAT to 'expect' from dig to test/verify this^.
> What do I dig to get an answer with "TEST STRING" in it?


dig in txt test.example.com @ns01.example.com

>
> Jason

Re: Compiling BIND9 on CentOS 7

2016-04-25 Thread Anand Buddhdev
On 25/04/16 17:59, Sean Son wrote:

Hi Sean Son,

> I know I emailed the list about compiling BIND on a SystemD distro earlier
> last month. This time I have a different question. After I compile BIND9 on
> CentOS 7, how do I get it to start up at boot time and how do I restart
> it? I don't want to have to write a systemd unit configuration file for it.
> I want it to run using a boot script or some other way that will allow BIND
> to start up at boot and also allow the system administrator to restart BIND
> if it ever stops running.

A systemd unit file is the *easiest* and *simplest* way to get BIND to
start at boot. Is there any reason you don't want to use systemd? It's
not difficult at all. You just need a few lines in a file to create a
system unit.

If you don't want systemd to restart BIND if it crashes, then you can
just set:

Restart=no

Then, you can start BIND by hand with "systemctl start ".

Regards,
Anand


Compiling BIND9 on CentOS 7

2016-04-25 Thread Sean Son
Hello all

I know I emailed the list about compiling BIND on a SystemD distro earlier
last month. This time I have a different question. After I compile BIND9 on
CentOS 7, how do I get it to start up at boot time and how do I restart
it? I don't want to have to write a systemd unit configuration file for it.
I want it to run using a boot script or some other way that will allow BIND
to start up at boot and also allow the system administrator to restart BIND
if it ever stops running.

Any help is greatly appreciated and I apologize if this topic is too
similar to my previous thread.


Thank you!


Sean