Re: Minimum TTL?

2018-02-13 Thread Reindl Harald



On 10.02.2018 at 05:11, John Levine wrote:

But to answer your question, off-hand, I'd say that any TTL under 60s is
suspicious and any TTL under 10s is almost certainly intentionally
abusive.


I hope you're not planning to do much spam filtering


I have for years, with a min-ttl of 90 seconds, and you will have a hard time
beating our results - using a mix of many DNSBL/DNSWL on postscreen as
well as SpamAssassin does the trick, not ordinary low TTLs

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Minimum TTL?

2018-02-13 Thread Reindl Harald



On 12.02.2018 at 20:36, wbr...@e1b.org wrote:

From: "Reindl Harald" 

To: bind-users@lists.isc.org



the ISP has no business touching any packet between the source and me
because he can't know the implications - he must not even know about
them because it's not his business


And yet they do (Supercookies?), and sell that data to any and all buyers


but *that* was not the point, which you stripped (by intention?) from the
quote

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


BIND 9.11.2 acting as a forwarder: authority section populated differently than BIND 9.9.11 ?

2018-02-13 Thread Irwin Tillman
I'm preparing to upgrade from BIND 9.9.11 to 9.11.2.

I notice a difference in how named populates the authority section in some
responses, and am trying to understand if it's OK.

My server is a caching-only server, and provides recursive service.

For some zones, my server is configured to forward to another set of servers.
The servers specified as my forwarding target are BIND 9.9.11 servers providing
recursive service, and happen to also be authoritative for the zones I'm
forwarding to them.

My server (and those servers it selectively forwards to) does not specify
"minimal-responses" in its configuration.

--

My server forwards queries for zone "princeton.edu" to another set of servers,
as described earlier.

I perform a recursive lookup for an existing RR inside that zone.

When my server is running BIND 9.9.11, it returns an answer with the
authority section populated.  
That section's contents are what I expect -- the NS records
specified for the zone in which the label resides:

% dig @127.0.0.1 plaid.princeton.edu. A

; <<>> DiG 9.9.11 <<>> @127.0.0.1 plaid.princeton.edu. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4126
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;plaid.princeton.edu.   IN  A

;; ANSWER SECTION:
plaid.Princeton.EDU.43179   IN  A   140.180.226.197

;; AUTHORITY SECTION:
Princeton.EDU.  70344   IN  NS  dikahble.Princeton.EDU.
Princeton.EDU.  70344   IN  NS  auth1.dns.cogentco.com.
Princeton.EDU.  70344   IN  NS  adns1.ucsc.edu.
Princeton.EDU.  70344   IN  NS  adns2.ucsc.edu.
Princeton.EDU.  70344   IN  NS  dns.Princeton.EDU.
Princeton.EDU.  70344   IN  NS  auth2.dns.cogentco.com.

;; ADDITIONAL SECTION:
dns.Princeton.EDU.  30743   IN  A   128.112.129.15
dikahble.Princeton.EDU. 32546   IN  A   128.112.134.4

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 13 10:26:59 EST 2018
;; MSG SIZE  rcvd: 257

--

But when I upgrade my server to BIND 9.11.2, the same lookup
performed immediately after I start my server returns no authority records,
which is a surprise to me:

% dig @127.0.0.1 plaid.princeton.edu. A

; <<>> DiG 9.11.2 <<>> @127.0.0.1 plaid.princeton.edu. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1135
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 63342752c773c411b8b830385a830429d4d1686dd32d2d60 (good)
;; QUESTION SECTION:
;plaid.princeton.edu.   IN  A

;; ANSWER SECTION:
plaid.Princeton.EDU.43200   IN  A   140.180.226.197

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 13 10:28:41 EST 2018
;; MSG SIZE  rcvd: 111



If I next issue another lookup like this to my server to cause
it to perform some different work:

% dig @127.0.0.1 foo.example.com. A

; <<>> DiG 9.11.2 <<>> @127.0.0.1 foo.example.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57462
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f61e7ac231c1a37e3b5cdf575a83045994703633bafd0296 (good)
;; QUESTION SECTION:
;foo.example.com.   IN  A

;; AUTHORITY SECTION:
example.com.3600IN  SOA sns.dns.icann.org. noc.dns.icann.org. 2018013013 7200 3600 1209600 3600

;; Query time: 672 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 13 10:29:29 EST 2018
;; MSG SIZE  rcvd: 129


... and THEN re-issue my original query, the response's authority section is
populated with records for the root domain, which is a surprise to me:

% dig @127.0.0.1 plaid.princeton.edu. A

; <<>> DiG 9.11.2 <<>> @127.0.0.1 plaid.princeton.edu. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4208
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fb305a768a4968defdf64dd65a830468abe3a7b146678e56 (good)
;; QUESTION SECTION:
;plaid.princeton.edu.   IN  A

;; ANSWER SECTION:
plaid.Princeton.EDU.43137   IN  A   140.180.226.197

;; AUTHORITY SECTION:
.   518385  IN  NS  l.root-servers.net.
.   518385  IN  NS  f.root-servers.net.
.   518385  IN  NS  k.root-servers.net.
.   518385  IN  NS  b.root-servers.net.
.   518385  IN  NS  g.root-servers.net.
.   518385  IN  NS  j.

Re: BIND 9.11.2 acting as a forwarder: authority section populated differently than BIND 9.9.11 ?

2018-02-13 Thread Tony Finch
Irwin Tillman  wrote:
>
> When my server is running BIND 9.9.11, it returns an answer with the
> authority section populated.
>
> But when I upgrade my server to BIND 9.11.2, the same lookup
> performed immediately after I start my server returns no authority records,
> which is a surprise to me:

This is a consequence of a change to BIND's EDNS buffer size probing
behaviour. Before 9.10, it would start with a 4096 byte buffer size and
reduce it in response to problems; in 9.10 and later it starts with a 512
byte buffer size and works up to bigger sizes as long as things continue
to work.

Because the initial queries only offer a small buffer size, there is
less room for additional data, so it can be (harmlessly) dropped.

In this specific case, when your server queries e.g. dns.princeton.edu
with a 512 byte buffer, the upstream server returns a minimal response.
(This seems very meek to me, because when I try with a 513 byte buffer, I
get a 345 byte response with a decent amount of additional data, which
could just as well have been returned to a 512 byte buffer query.)

So your server doesn't have anything to put in the additional section, so
it leaves it empty. The more information your server collects as time
goes on, the more additional data it can add to its responses.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Sole, Lundy, Fastnet, Irish Sea: West or northwest, backing south or
southwest, 5 to 7, increasing gale 8 for a time, occasionally severe gale 9
later except in Sole. Rough or very rough, moderate except in Sole. Squally
wintry showers then rain. Good, occasionally poor.
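Tony's explanation above, as an added Python example that is not code from the thread or from BIND: a minimal DNS response builder (uncompressed names, so sizes are an upper bound) that sheds the additional section and then the authority section to fit the client's advertised EDNS buffer, fed with the records from Irwin's dig output. The budgets other than 512 and 4096 are assumed values chosen to show the shedding order; the full uncompressed response is 427 bytes, consistent with Tony's point that a 512-byte buffer had room for the additional data.

```python
import struct

# Wire-format helpers (RFC 1035). Names are written uncompressed; real servers
# also compress, which only makes the message smaller.
def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def rr(name, rtype, ttl, rdata):
    # NAME | TYPE | CLASS IN | TTL | RDLENGTH | RDATA
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def a_rr(name, ttl, ip):
    return rr(name, 1, ttl, bytes(int(o) for o in ip.split(".")))

def ns_rr(name, ttl, target):
    return rr(name, 2, ttl, encode_name(target))

def opt_rr(udp_size):
    # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS carries the sender's
    # UDP payload size, TTL carries ext-rcode/version/flags (all zero here).
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)

def build_response(qname, answer, authority, additional, budget, udp_size=4096):
    """Assemble a NOERROR A response that fits in `budget` bytes (the peer's
    advertised EDNS buffer). Optional data is shed in order: additional
    section first, then authority. If even the answer does not fit, the TC
    bit is set so the client retries over TCP."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    opt = opt_rr(udp_size)

    def assemble(flags, an, ns, ar):
        # ARCOUNT includes the OPT record, as dig's ADDITIONAL count does.
        header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(an), len(ns), len(ar) + 1)
        return header + question + b"".join(an + ns + ar) + opt

    for ns, ar in ((authority, additional), (authority, []), ([], [])):
        msg = assemble(0x8180, answer, ns, ar)      # QR, RD, RA
        if len(msg) <= budget:
            return msg
    return assemble(0x8380, [], [], [])             # QR, TC, RD, RA

def section_counts(msg):
    """(QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) from the 12-byte header."""
    return struct.unpack("!HHHH", msg[4:12])

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

# Records constructed from the dig output earlier in the thread (lower-cased).
ANSWER = [a_rr("plaid.princeton.edu", 43179, "140.180.226.197")]
AUTHORITY = [ns_rr("princeton.edu", 70344, t) for t in (
    "dikahble.princeton.edu", "auth1.dns.cogentco.com", "adns1.ucsc.edu",
    "adns2.ucsc.edu", "dns.princeton.edu", "auth2.dns.cogentco.com")]
ADDITIONAL = [a_rr("dns.princeton.edu", 30743, "128.112.129.15"),
              a_rr("dikahble.princeton.edu", 32546, "128.112.134.4")]

def demo(budget):
    """Size, section counts and TC flag of the response built for `budget`."""
    msg = build_response("plaid.princeton.edu", ANSWER, AUTHORITY, ADDITIONAL, budget)
    return len(msg), section_counts(msg), is_truncated(msg)

if __name__ == "__main__":
    for budget in (4096, 512, 400, 300, 80):   # 400, 300 and 80 are assumed budgets
        print(budget, demo(budget))
```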
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


DNSSEC validation

2018-02-13 Thread SIMON BABY
Hello,


I am trying to implement a full recursive resolver with the libbind library
in my client code. I am not using resolv.conf in my implementation. Can
anyone please point me to any sample code for this?

Thank you for your help and time.

Rgds
simon
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
On Tue, Feb 13, 2018 at 12:08:18PM -0800, SIMON BABY wrote:
> I am trying to implement the full recursive resolver with libbind library
> in my client code. I am not using resolv.conf in my implementation. Can
> anyone please help to point any sample code for this.

Not even BIND uses libbind anymore.

What's the purpose of this? Why not just use BIND 9, or some other
existing resolver?

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC validation

2018-02-13 Thread SIMON BABY
Hello Evan,

Thank you so much for the quick response.

My requirement is to implement only the recursive resolve and validation
part of DNSSEC in my client application. Our CPU and memory are very
limited, so I am not sure I can go and use BIND 9.

With BIND 9, can I integrate the library in my application to send queries
and validate the answer in my client code itself? Can you please point me to
any sample code?


Rgds
Simon



On Tue, Feb 13, 2018 at 12:26 PM, Evan Hunt  wrote:

> On Tue, Feb 13, 2018 at 12:08:18PM -0800, SIMON BABY wrote:
> > I am trying to implement the full recursive resolver with libbind library
> > in my client code. I am not using resolv.conf in my implementation. Can
> > anyone please help to point any sample code for this.
>
> Not even BIND uses libbind anymore.
>
> What's the purpose of this? Why not just use BIND 9, or some other
> existing resolver?
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
On Tue, Feb 13, 2018 at 12:42:26PM -0800, SIMON BABY wrote:
> My requirement is to implement only the recursive resolve and validation
> part of the DNSSEC in my client application. Our CPU and memory are very
> limited. So I am not sure I can go and use BIND 9.

But why do you need your application to contain a recursive resolver?

I can understand why you'd want a built-in validator, but you don't need
to do full recursive resolution for that; you can send queries to an
external resolver and then validate the responses.

> With BIND 9, can I integrate the library in my application to send queries
> and validate the answer in my client code itself. Can you please point if
> any sample code.

If you're content to do as I suggested above - send queries to an external
resolver, validate the responses - then see the command 'delv' in the
BIND 9 source tree; it does that.

Implementing a full resolver with a library is possible in BIND 9.12,
in which we spun off a lot of the name server code into a new libns
library.  I can't point you to any sample code other than named itself,
though.

Given what you said about limited CPU and memory, I can't really recommend
either solution. I'd probably just use dnsmasq and turn on its DNSSEC
validation option.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC validation

2018-02-13 Thread SIMON BABY
Hello Evan,

Thank you so much for answering my questions. My comments are inline.

> But why do you need your application to contain a recursive resolver?

1. Assume I use an external recursive resolver and that resolver does
not support DNSSEC; how can I validate the signature?

2. If I use an external resolver and a hacker sits in between my system
and the external resolver, will it be detected?

3. When the external resolver resolves a query and responds back to
the client, will it strip off the signatures? I assume the validation is
already done at the recursive resolver.

4. Can I integrate the dnsmasq option with my client application? Any reference?

Thanks once again for your help and time.

Rgds
Simon

On Tue, Feb 13, 2018 at 1:11 PM, Evan Hunt  wrote:

> On Tue, Feb 13, 2018 at 12:42:26PM -0800, SIMON BABY wrote:
> > My requirement is to implement only the recursive resolve and validation
> > part of the DNSSEC in my client application. Our CPU and memory are very
> > limited. So I am not sure I can go and use BIND 9.
>
> But why do you need your application to contain a recursive resolver?
>
> I can understand why you'd want a built-in validator, but you don't need
> to do full recursive resolution for that; you can send queries to an
> external resolver and then validate the responses.
>
> > With BIND 9, can I integrate the library in my application to send
> queries
> > and validate the answer in my client code itself. Can you please point if
> > any sample code.
>
> If you're content to do as I suggested above - send queries to an external
> resolver, validate the responses - then see the command 'delv' in the
> BIND 9 source tree; it does that.
>
> Implementing a full resolver with a library is possible in BIND 9.12,
> in which we spun off a lot of the name server code into a new libns
> library.  I can't point you to any sample code other than named itself,
> though.
>
> Given what you said about limited CPU and memory, I can't really recommand
> either solution. I'd probably just use dnsmasq and turn on its DNSSEC
> validation option.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC validation

2018-02-13 Thread Warren Kumari
On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY  wrote:
> Hello Evan,
>
> Thank you so much for the quick response.
>
> My requirement is to implement only the recursive resolve and validation
> part of the DNSSEC in my client application. Our CPU and memory are very
> limited. So I am not sure I can go and use BIND 9.
>

I get that this is bind-users, but have you looked at https://getdnsapi.net/ ?

W

> With BIND 9, can I integrate the library in my application to send queries
> and validate the answer in my client code itself. Can you please point if
> any sample code.
>
>
> Rgds
> Simon
>
>
>
> On Tue, Feb 13, 2018 at 12:26 PM, Evan Hunt  wrote:
>>
>> On Tue, Feb 13, 2018 at 12:08:18PM -0800, SIMON BABY wrote:
>> > I am trying to implement the full recursive resolver with libbind
>> > library
>> > in my client code. I am not using resolv.conf in my implementation. Can
>> > anyone please help to point any sample code for this.
>>
>> Not even BIND uses libbind anymore.
>>
>> What's the purpose of this? Why not just use BIND 9, or some other
>> existing resolver?
>>
>> --
>> Evan Hunt -- e...@isc.org
>> Internet Systems Consortium, Inc.
>
>
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC validation

2018-02-13 Thread SIMON BABY
Thanks Warren. I will look into https://getdnsapi.net/ .

Rgds
simon

On Tue, Feb 13, 2018 at 2:07 PM, Warren Kumari  wrote:

> On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY  wrote:
> > Hello Evan,
> >
> > Thank you so much for the quick response.
> >
> > My requirement is to implement only the recursive resolve and validation
> > part of the DNSSEC in my client application. Our CPU and memory are very
> > limited. So I am not sure I can go and use BIND 9.
> >
>
> I get that this is bind-users, but have you looked at
> https://getdnsapi.net/ ?
>
> W
>
> > With BIND 9, can I integrate the library in my application to send
> queries
> > and validate the answer in my client code itself. Can you please point if
> > any sample code.
> >
> >
> > Rgds
> > Simon
> >
> >
> >
> > On Tue, Feb 13, 2018 at 12:26 PM, Evan Hunt  wrote:
> >>
> >> On Tue, Feb 13, 2018 at 12:08:18PM -0800, SIMON BABY wrote:
> >> > I am trying to implement the full recursive resolver with libbind
> >> > library
> >> > in my client code. I am not using resolv.conf in my implementation.
> Can
> >> > anyone please help to point any sample code for this.
> >>
> >> Not even BIND uses libbind anymore.
> >>
> >> What's the purpose of this? Why not just use BIND 9, or some other
> >> existing resolver?
> >>
> >> --
> >> Evan Hunt -- e...@isc.org
> >> Internet Systems Consortium, Inc.
> >
> >
> >
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>---maf
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote:
> 1. Assume if I use an external recursive resolver and if that resolver does
> not support DNSSEC, how can I validate the signature?

Depends what you mean by supporting DNSSEC; see below.

> 2. If I use an external resolver and if a hacker sits in between my
> system and the external resolver, will it detect ?

That's exactly what DNSSEC is for. If someone alters the answer,
the signatures won't validate.

> 3. When the external resolver resolve a query and when it response back to
> the client, will it strip off the signatures? I assume the validation is
> already done at the recursive resolver.

The resolver doesn't have to do DNSSEC validation itself (though of course
it's a good idea). It just needs to pass along signatures on request. If
you're using a resolver that doesn't do that... well, use a different one.

You can run a resolver as a separate local process, listening on the
localhost address. This ensures you have the resolver features you need
and also makes it quite a lot harder to mount a man-in-the-middle attack.

> 4. Can I integrate dnsmasq option with my client application? Any reference.

If you need it to be built in to your application, I'm not sure.  Warren's
suggestion of using getdns-api was a better idea anyway.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC validation

2018-02-13 Thread SIMON BABY
Thanks Evan for answering my questions. I will look more into getdns-api or
the libunbound library for the client-side resolve.

Rgds
Simon

On Tue, Feb 13, 2018 at 3:00 PM, Evan Hunt  wrote:

> On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote:
> > 1. Assume if I use an external recursive resolver and if that resolver
> does
> > not support DNSSEC, how can I validate the signature?
>
> Depends what you mean by supporting DNSSEC; see below.
>
> > 2. If I use an external resolver and if a hacker sits in between my
> > system and the external resolver, will it detect ?
>
> That's exactly what DNSSEC is for. If someone alters the answer,
> the signatures won't validate.
>
> > 3. When the external resolver resolve a query and when it response back
> to
> > the client, will it strip off the signatures? I assume the validation is
> > already done at the recursive resolver.
>
> The resolver doesn't have to do DNSSEC validation itself (though of course
> it's a good idea). It just needs to pass along signatures on request. If
> you're using a resolver that doesn't do that... well, use a different one.
>
> You can run a resolver as a separate local process, listening on the
> localhost address. This ensures you have the resolver features you need
> and also makes it quite a lot harder to mount a man-in-the-middle attack.
>
> > 4. Can I integrate dnsmasq option with my client application? Any
> reference.
>
> If you need it to be built in to your application, I'm not sure.  Warren's
> suggestion of using getdns-api was a better idea anyway.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Testing

2018-02-13 Thread Dan Mahoney
Please ignore -- just testing post mailman upgrade.

Best,

-Dan Mahoney
ISC Operations Group
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users