Re: DNSSEC will eventually generate Identical Key ID's

2018-09-12 Thread Warren Kumari
On Mon, Sep 10, 2018 at 4:45 AM Ray Bellis wrote:

> On 09/09/2018 18:51, Mark Elkins wrote:
> > Just for the record, although I do look from a curiosity point of view
> > for Identical Key ID's once every few month - I've never seen them -
> > until now.
> >
> > Now I have them - generated by BIND within a few days of each other...
> >
> > I've been running DNSSEC for 7 years and have around 400 DNSSEC keys for
> > 133 signed Domains.
> > I'm a smallish Registrar for ZA domains.
> >
> > Never assume a KeyID is unique.  :-)
>
> It's inevitable that they won't be.
>
> With only a 16 bit key tag space (and in 2016 Roy Arends discovered that
> the effective space is only 15 bits) then due to the birthday collision
> paradox you only need of the order of sqrt(32k) different keys to get a
> 50% chance of a collision.
>
>
This reminds me of some interesting (well, interesting to me :-)) related
research Ben Laurie and I did around that time -- while looking at the
distribution of generated keys I noticed that OpenSSL / GnuTLS generate a
different distribution than e.g. mbedTLS.
OpenSSL / GnuTLS optimize the generation of primes by setting the least
significant bits (fair, they have to be odd to be primes :-)) but also
clear the most significant bits of both P and Q (to ensure that the product
of P & Q does not overflow) -- this results in a key with less bits of
"security" than most would expect...

W

> Ray


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
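Ray's birthday estimate and Mark's habit of looking for identical key IDs, worked through as an added example that is not code from the thread: the key tag routine is the RFC 4034 Appendix B algorithm, the DNSKEY RDATA values are constructed with truncated public-key bytes, and the 15-bit space is the effective size Ray attributes to Roy Arends' 2016 finding.

```python
# Added example, not code from the thread. DNSKEY RDATA values below are
# constructed (public-key bytes truncated) purely to exercise the tag arithmetic.
SPACE_16_BIT = 1 << 16   # nominal key tag space
SPACE_15_BIT = 1 << 15   # effective space per the 2016 finding Ray cites


def dnskey_key_tag(rdata):
    """Key tag of a DNSKEY RR, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high bytes
    ac += (ac >> 16) & 0xFFFF          # fold the carry in once
    return ac & 0xFFFF


def dnskey_rdata(flags, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(=3) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key


def find_duplicate_tags(rdatas):
    """Key tags used by more than one key, mapped to how many keys share them.
    This is the check Mark runs by hand: never assume a key ID is unique."""
    counts = {}
    for rd in rdatas:
        tag = dnskey_key_tag(rd)
        counts[tag] = counts.get(tag, 0) + 1
    return {tag: n for tag, n in counts.items() if n > 1}


def collision_probability(keys, space):
    """Exact birthday-problem probability that at least two of `keys` tags,
    each uniform over `space` values, coincide."""
    no_collision = 1.0
    for k in range(keys):
        no_collision *= 1.0 - k / space
    return 1.0 - no_collision


def keys_for_half_chance(space):
    """Smallest number of keys that gives a >= 50% chance of a tag collision
    (Ray's "of the order of sqrt(32k)" estimate, made exact)."""
    n = 1
    while collision_probability(n, space) < 0.5:
        n += 1
    return n


SAMPLE_KEYS = [
    dnskey_rdata(257, 8, b"\x03\x01\x00\x01"),   # KSK, RSASHA256 -> tag 1803
    dnskey_rdata(256, 8, b"\x03\x02\x00\x01"),   # ZSK, RSASHA256 -> also tag 1803
    dnskey_rdata(256, 13, b"\x04\x05"),          # ZSK, ECDSAP256SHA256 -> tag 2066
]

if __name__ == "__main__":
    print("duplicate key tags:", find_duplicate_tags(SAMPLE_KEYS))
    for bits, space in ((16, SPACE_16_BIT), (15, SPACE_15_BIT)):
        print(f"{bits}-bit space: {keys_for_half_chance(space)} keys for a 50% collision chance")
```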


Re: Error parsing file

2018-09-12 Thread BARAJAS BERMEJO, Sergio
Hi,

It's solved!! thanks

😊


From: Anand Buddhdev
Sent: Wednesday, 12 September 2018 21:42
To: BARAJAS BERMEJO, Sergio; bind-users@lists.isc.org
Subject: Re: Error parsing file

On 12/09/2018 20:22, BARAJAS BERMEJO, Sergio wrote:

Hi Sergio,

> $TTL 2d
> @   IN  SOA sergiobarajas (
>  17 ; Serial
>  604800 ; Refresh
>   86400 ; Retry
> 2419200 ; Expire
>   86400 )   ; Negative Cache TTL

Your SOA record is incomplete. The SOA record's RDATA section needs 7
elements, the first two of which are the MNAME (master name server) and
RNAME (responsible person). Your SOA record only has one of those
elements, "sergiobarajas".


Re: Error parsing file

2018-09-12 Thread BARAJAS BERMEJO, Sergio
I'm sorry,

The data that I have posted is not real.

It is an example; I can't suppose that hosting.com is a real domain.

I promise you that I will be more careful.



From: Rob Foehl
Sent: Wednesday, 12 September 2018 22:07
To: BARAJAS BERMEJO, Sergio
Subject: Re: Error parsing file

On Wed, 12 Sep 2018, BARAJAS BERMEJO, Sergio wrote:

> IN  NS  ns1.hosting.com.
> IN  NS  ns2.hosting.com.

I'm the operator of the infrastructure that happens to have these names,
and I'd appreciate it if you would stop posting a bunch of invalid noise
about them on a public list.

The example.com namespace exists for a reason.

-Rob


Re: Error parsing file

2018-09-12 Thread Anand Buddhdev
On 12/09/2018 20:22, BARAJAS BERMEJO, Sergio wrote:

Hi Sergio,

> $TTL 2d
> @   IN  SOA sergiobarajas (
>  17 ; Serial
>  604800 ; Refresh
>   86400 ; Retry
> 2419200 ; Expire
>   86400 )   ; Negative Cache TTL

Your SOA record is incomplete. The SOA record's RDATA section needs 7
elements, the first two of which are the MNAME (master name server) and
RNAME (responsible person). Your SOA record only has one of those
elements, "sergiobarajas".


Re: Issues configuring delegated subdomain zone

2018-09-12 Thread BARAJAS BERMEJO, Sergio
Thanks, this is solved; now I have another problem.

I will send a new message.





From: Bob Harold
Sent: Wednesday, 12 September 2018 16:47
To: BARAJAS BERMEJO, Sergio
Cc: bind-users@lists.isc.org
Subject: Re: Issues configuring delegated subdomain zone


On Wed, Sep 12, 2018 at 5:49 AM BARAJAS BERMEJO, Sergio <sergio.bara...@econocom.com> wrote:
Hello,
I have an issue configuring delegated subdomain zone from one NS to another one.
For security reasons I will obviously not put real domain data (I imagine you 
will understand).

Let's suppose that the delegated subdomain is: midominio.principal.hosting.com
If we make a "dig" query, putting the hosting server's NS as the domain name
server:

dig @ns1.hosting.com midominio.principal.hosting.com

; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.hosting.com midominio.principal.hosting.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40831
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;midominio.principal.hosting.com. IN A

;; AUTHORITY SECTION:
midominio.principal.hosting.com. 125 IN NS sb2.principal.hosting.com.
midominio.principal.hosting.com. 125 IN NS sb1.principal.hosting.com.

;; ADDITIONAL SECTION:
sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53

;; Query time: 12 msec
;; SERVER: 31.193.224.20#53(31.193.224.20)
;; WHEN: Wed Sep 12 08:09:36 CEST 2018
;; MSG SIZE rcvd: 133

From which we deduce several things:

  1.  That in the zone principal.hosting.com of the main server of the hosting
      there are created two registers of type A:
      sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
      sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53
  2.  That the authorized DNS servers on the subdomain
      midominio.principal.hosting.com are:
      sb1.principal.hosting.com and sb2.principal.hosting.com

Having said that, in my vps I have defined the following:

; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;

$TTL 86400
@ IN SOA sb1. sb2. mail. (

The first field after "SOA" is the *ONE* master server for the domain.  You
cannot list two.  Should be:
@ IN SOA sb1. mail. (

--
Bob Harold

10 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
; RECORDS
NS sb1.principal.hosting.com.
NS sb2.principal.hosting.com.
IN MX 10 mail.midominio.principal.hosting.com.
sb1 IN A xxx.xxx.xxx.52
sb2 IN A xxx.xxx.xxx.53
www IN A xxx.xxx.xxx.53
mail IN A xxx.xxx.xxx.53
webmail IN CNAME mail
* IN A xxx.xxx.xxx.53


However, I cannot get it to resolve, for example,
www.midominio.principal.hosting.com. What am I doing wrong?
Thank you very much in advance



Error parsing file

2018-09-12 Thread BARAJAS BERMEJO, Sergio
Hi,

I have this zone file:


$TTL 2d
@   IN  SOA sergiobarajas (
 17 ; Serial
 604800 ; Refresh
  86400 ; Retry
2419200 ; Expire
  86400 )   ; Negative Cache TTL
;
IN  NS  ns1.hosting.com.
IN  NS  ns2.hosting.com.
; MX record
IN  MX  10  sergiobarajas.select.hosting.com.
sergiobarajas   IN  A   31.193.228.53
sb1 IN  A   31.193.228.52
sb2 IN  A   31.193.228.53

$ORIGIN sergiobarajas.select.hosting.com.
;--- Domain name servers
sergiobarajas.select.hosting.com.   IN  NS  sb1.select.hosting.com.
sergiobarajas.select.hosting.com.   IN  NS  sb2.select.hosting.com.
; MX record --
; Name  class   MX  preference  Host
IN  MX  10  mail.sergiobarajas.select.hosting.com.


When I do "named-checkzone select.hosting.com db.thisfile"


It outputs this error:


dns_rdata_fromtext: db.thisfile:7: near eol: unexpected end of input
zone select.hosting.com/IN: loading from master file db.thisfile failed: 
unexpected end of input
zone select.hosting.com/IN: not loaded due to errors.

What is wrong?

Thanks


-

Sergio Barajas Bermejo

Systems technician

Plaza Biribila, 4, 48001 Bilbo, Bizkaia

email : sergio.bara...@econocom.com

web : www.econocom.com




Re: Upgrade help with Bind 9.12

2018-09-12 Thread Matus UHLAR - fantomas

On 12.09.18 13:01, Spears, Luke wrote:

I'm not sure how to go about requesting this but I am looking for information 
on upgrading from BIND 9.8 to 9.11 or 12 depending if it's ESV or not.  We are 
running Ubuntu 14.04


If you use Ubuntu *-LTS, you should be safe with the version in Ubuntu.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Honk if you love peace and quiet. 


Re: Issues configuring delegated subdomain zone

2018-09-12 Thread Bob Harold
On Wed, Sep 12, 2018 at 5:49 AM BARAJAS BERMEJO, Sergio <
sergio.bara...@econocom.com> wrote:

> Hello,
> I have an issue configuring delegated subdomain zone from one NS to
> another one.
> For security reasons I will obviously not put real domain data (I imagine
> you will understand).
>
> Let's suppose that the delegated subdomain is:
> midominio.principal.hosting.com
> If we make a "dig" query, putting the hosting server's NS as the domain
> name server:
> dig @ns1.hosting.com midominio.principal.hosting.com
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.hosting.com midominio.principal.hosting.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40831
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;midominio.principal.hosting.com. IN A
>
> ;; AUTHORITY SECTION:
> midominio.principal.hosting.com. 125 IN NS sb2.principal.hosting.com.
> midominio.principal.hosting.com. 125 IN NS sb1.principal.hosting.com.
>
> ;; ADDITIONAL SECTION:
> sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
> sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53
>
> ;; Query time: 12 msec
> ;; SERVER: 31.193.224.20#53(31.193.224.20)
> ;; WHEN: Wed Sep 12 08:09:36 CEST 2018
> ;; MSG SIZE rcvd: 133
>
> From which we deduce several things:
>
>
>   1. That in the zone principal.hosting.com of the main server of the
>      hosting there are created two registers of type A:
>      sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
>      sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53
>   2. That the authorized DNS servers on the subdomain
>      midominio.principal.hosting.com are:
>      sb1.principal.hosting.com and sb2.principal.hosting.com
>
> Having said that, in my vps I have defined the following:
>
> ; BIND reverse data file for empty rfc1918 zone
> ;
> ; DO NOT EDIT THIS FILE - it is used for multiple zones.
> ; Instead, copy it, edit named.conf, and use that copy.
> ;
>
> $TTL 86400
> @ IN SOA sb1. sb2. mail. (
>
>

The first field after "SOA" is the *ONE* master server for the domain.
You cannot list two.  Should be:
@ IN SOA sb1. mail. (

-- 
Bob Harold


>
> 10 ; Serial
> 604800 ; Refresh
> 86400 ; Retry
> 2419200 ; Expire
> 86400 ) ; Negative Cache TTL
> ; RECORDS
> NS sb1.principal.hosting.com.
> NS sb2.principal.hosting.com.
> IN MX 10 mail.midominio.principal.hosting.com.
> sb1 IN A xxx.xxx.xxx.52
> sb2 IN A xxx.xxx.xxx.53
> www IN A xxx.xxx.xxx.53
> mail IN A xxx.xxx.xxx.53
> webmail IN CNAME mail
> * IN A xxx.xxx.xxx.53
>
>
> However, I cannot get it to resolve, for example,
> www.midominio.principal.hosting.com. What am I doing wrong?
> Thank you very much in advance
>
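A check for the two SOA mistakes discussed in this thread (Anand's point that MNAME and RNAME must both precede the serial, and Bob's that only one master goes in MNAME), as an added example that is not code from either poster; it reads the record the way named-checkzone's master-file parser does, and the sample zone texts are reconstructed from the posts.

```python
import re

# Added example, not code from the thread; the sample zone texts below are
# constructed from the SOA records quoted in the posts.
SOA_FIELDS = ("MNAME", "RNAME", "SERIAL", "REFRESH", "RETRY", "EXPIRE", "MINIMUM")
TOKEN = re.compile(r"\(|\)|[^\s()]+")        # parentheses are tokens even when glued
TTL_VALUE = re.compile(r"\d+[smhdw]?", re.I)  # 604800, 2d, 1w ... as BIND accepts


def soa_rdata_tokens(zone_text):
    """RDATA tokens of the first SOA record, reading '(' ... ')' continuation
    lines and dropping ';' comments the way the master-file parser does."""
    tokens, in_soa, depth = [], False, 0
    for raw_line in zone_text.splitlines():
        for tok in TOKEN.findall(raw_line.split(";", 1)[0]):
            if not in_soa:
                in_soa = tok.upper() == "SOA"
            elif tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                tokens.append(tok)
        if in_soa and depth == 0:   # outside parentheses the record ends with the line
            break
    return tokens


def check_soa(zone_text):
    """Return 'ok' or a message naming what is wrong with the SOA RDATA."""
    toks = soa_rdata_tokens(zone_text)
    if not toks:
        return "no SOA record found"
    names = [t for t in toks if not TTL_VALUE.fullmatch(t)]
    numbers = [t for t in toks if TTL_VALUE.fullmatch(t)]
    if len(names) < 2:   # Anand's case: only "sergiobarajas" before the serial
        return (f"incomplete: {len(toks)} of 7 RDATA fields; MNAME and RNAME must "
                f"both precede the serial, found only {names}")
    if len(names) > 2:   # Bob's case: "sb1. sb2. mail." lists two masters
        return f"too many names {names}: SOA takes exactly one MNAME and one RNAME"
    if len(numbers) != 5:
        return f"expected 5 numeric fields {SOA_FIELDS[2:]}, got {numbers}"
    return "ok"


ZONE_MISSING_RNAME = """\
@   IN  SOA sergiobarajas (
         17 ; Serial
     604800 ; Refresh
      86400 ; Retry
    2419200 ; Expire
      86400 )   ; Negative Cache TTL
"""
ZONE_TWO_MASTERS = """\
@ IN SOA sb1. sb2. mail. (
    10 604800 86400 2419200 86400 ) ; serial refresh retry expire minimum
"""
ZONE_FIXED = "@ IN SOA sb1. mail. ( 10 604800 86400 2419200 86400 )\n"
```

Running `check_soa` over the three constructed zones reports "incomplete: 6 of 7 RDATA fields", "too many names", and "ok" respectively, matching the two replies.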


Upgrade help with Bind 9.12

2018-09-12 Thread Spears, Luke
I'm not sure how to go about requesting this but I am looking for information 
on upgrading from BIND 9.8 to 9.11 or 12 depending if it's ESV or not.  We are 
running Ubuntu 14.04



Issues configuring delegated subdomain zone

2018-09-12 Thread BARAJAS BERMEJO, Sergio
Hello,
I have an issue configuring delegated subdomain zone from one NS to another one.
For security reasons I will obviously not put real domain data (I imagine you 
will understand).

Let's suppose that the delegated subdomain is: midominio.principal.hosting.com
If we make a "dig" query, putting the hosting server's NS as the domain name 
server:

dig @ns1.hosting.com midominio.principal.hosting.com

; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.hosting.com 
midominio.principal.hosting.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40831
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;midominio.principal.hosting.com. IN A

;; AUTHORITY SECTION:
midominio.principal.hosting.com. 125 IN NS sb2.principal.hosting.com.
midominio.principal.hosting.com. 125 IN NS sb1.principal.hosting.com.

;; ADDITIONAL SECTION:
sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53

;; Query time: 12 msec
;; SERVER: 31.193.224.20#53(31.193.224.20)
;; WHEN: Wed Sep 12 08:09:36 CEST 2018
;; MSG SIZE rcvd: 133

From which we deduce several things:

  1.  That in the zone principal.hosting.com of the main server of the hosting
      there are created two registers of type A:
      sb1.principal.hosting.com. 125 IN A xxx.xxx.xxx.52
      sb2.principal.hosting.com. 125 IN A xxx.xxx.xxx.53
  2.  That the authorized DNS servers on the subdomain
      midominio.principal.hosting.com are:
      sb1.principal.hosting.com and sb2.principal.hosting.com

Having said that, in my vps I have defined the following:

; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;

$TTL 86400
@ IN SOA sb1. sb2. mail. (
10 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
; RECORDS
NS sb1.principal.hosting.com.
NS sb2.principal.hosting.com.
IN MX 10 mail.midominio.principal.hosting.com.
sb1 IN A xxx.xxx.xxx.52
sb2 IN A xxx.xxx.xxx.53
www IN A xxx.xxx.xxx.53
mail IN A xxx.xxx.xxx.53
webmail IN CNAME mail
* IN A xxx.xxx.xxx.53


However, I cannot get it to resolve, for example,
www.midominio.principal.hosting.com. What am I doing wrong?
Thank you very much in advance


Re: DNSSEC and secondary DNS servers

2018-09-12 Thread @lbutlr
On 9 Sep 2018, at 14:58, Mark Elkins wrote:
> Umm... this initially looks great but something is seriously strange. The 
> first numerical value after DS should be the Key ID (or Key Tag). I really 
> doubt that you would (randomly) create two different DNSKEY records with 
> sequential Key-ID's (Tags) starting from "1"... it's usually a relatively 
> random value between 1 and 2^16

Yes, that was a mistake in the configuration.

> Also as an aside - many people are no longer putting the SHA-1 Digest type DS 
> record in their parent, just the longer (more secure?) SHA-256 (Digest Type 
> 2) record.

Thanks, I keep that in mind.

> As the root uses Algorithm 8 - many people also use algorithm 8 - you are 
> using algorithm 7. Algorithm roll-overs are a pain so if you can - move 
> straight to 8.


And that.

> I also can not detect a DNSKEY in your zone?
> dig covisp.net dnskey +cd
> ...gives your SOA.
> Without the "+cd" (ignore any DNSSEC validation) - I get a SERVFAIL.

Yes, I was in the midst of futzing with things at the time.

> Adding DS records into your parent should be the last part of the process in 
> securing your Zone with DNSSEC.

I've pulled the DNSSEC entirely for right now as there is still some research I 
need to do (things like renewal, automating the process for other domains, etc).

-- 
"I've had a perfectly wonderful evening. But this wasn't it." - Groucho
Marx
