Re: Updating to 9.14

2019-05-15 Thread Mark Andrews


> On 16 May 2019, at 5:11 am, @lbutlr  wrote:
> 
> Currently running latest release of Bind 9.12, which is now EOLed and want to 
> move to 9.14. I was looking on google for 
> 
> update "bind9.12" "bind 9.14"
> 
> But did not find anything of use. I did find the 9.14 announcement, but there 
> isn't a link there to release notes. I know there has been at least one 
> significant change in the named.conf file.
> 
> 
> 
> Other than the “allow-update” and “allow-update-forwarding” issue which does 
> not affect me, what other configuration issues am I going to hit?

Below are all the changes between 9.12 and 9.14.  Most of these are cosmetic,
new/extended features.  doc/misc/options is automatically generated from the
parser so it reflects reality.  It’s also a good way to find the option
name when you forget it.

filter- is now a plugin module.

diff --git a/doc/misc/options b/doc/misc/options
index 0544b388f1..c692ed2ec9 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -93,13 +93,14 @@ options {
 [ dscp  ] { (  |  [ port
  ] |  [ port  ] ) [ key
  ]; ... } ] [ zone-directory  ] [
-in-memory  ] [ min-update-interval  ]; ... };
+in-memory  ] [ min-update-interval  ]; ... };
 check-dup-records ( fail | warn | ignore );
 check-integrity ;
 check-mx ( fail | warn | ignore );
 check-mx-cname ( fail | warn | ignore );
-check-names ( master | slave | response
-) ( fail | warn | ignore ); // may occur multiple times
+check-names ( primary | master |
+secondary | slave | response ) (
+fail | warn | ignore ); // may occur multiple times
 check-sibling ;
 check-spf ( warn | ignore );
 check-srv-cname ( fail | warn | ignore );
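Review bot: the ARM entry for check-names needs the new primary/secondary spellings too, since this file is generated from the parser and is the only place they appear in this patch; the old master/slave keywords stay in the grammar, so a 9.12 named.conf keeps parsing.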
@@ -110,11 +111,11 @@ options {
 cookie-secret ; // may occur multiple times
 coresize ( default | unlimited |  );
 datasize ( default | unlimited |  );
-deallocate-on-exit ; // obsolete
+deallocate-on-exit ; // ancient
 deny-answer-addresses { ; ... } [
-except-from { ; ... } ];
-deny-answer-aliases { ; ... } [ except-from {
-; ... } ];
+except-from { ; ... } ];
+deny-answer-aliases { ; ... } [ except-from { ; ...
+} ];
 dialup ( notify | notify-passive | passive | refresh |  );
 directory ;
 disable-algorithms  { ;
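Review bot: nothing in this file explains how "// ancient" (the new tag on deallocate-on-exit) differs from "// obsolete" for a config that still carries the statement; a line in the file header or the release notes stating what named does with each would answer exactly the question this thread is asking. The deny-answer-addresses / deny-answer-aliases lines are a wrap-only change.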
@@ -132,6 +133,7 @@ options {
 }; // may occur multiple times
 dns64-contact ;
 dns64-server ;
+dnskey-sig-validity ;
 dnsrps-enable ; // not configured
 dnsrps-options {  }; // not configured
 dnssec-accept-expired ;
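Review bot: the new dnskey-sig-validity entry shows no default, so an upgrader diffing this file against 9.12 cannot tell whether leaving it unset changes how DNSKEY RRSIGs are generated; the ARM entry and the release notes should state the default and the unit the value takes.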
@@ -145,7 +147,8 @@ options {
 dnssec-update-mode ( maintain | no-resign );
 dnssec-validation ( yes | no | auto );
 dnstap { ( all | auth | client | forwarder |
-resolver ) [ ( query | response ) ]; ... }; // not configured
+resolver | update ) [ ( query | response ) ];
+... }; // not configured
 dnstap-identity (  | none |
 hostname ); // not configured
 dnstap-output ( file | unix )  [
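Review bot: the "// not configured" tag on dnstap (which gains an "update" category here) is easy to misread next to "obsolete" and "ancient", since it reflects the build that generated the file rather than the option's status; either say so in the file header or generate the file from a build with all optional features enabled.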
@@ -163,15 +166,15 @@ options {
 empty-contact ;
 empty-server ;
 empty-zones-enable ;
-fake-iquery ; // obsolete
-fetch-glue ; // obsolete
+fake-iquery ; // ancient
+fetch-glue ; // ancient
 fetch-quota-params;
 fetches-per-server  [ ( drop | fail ) ];
 fetches-per-zone  [ ( drop | fail ) ];
 files ( default | unlimited |  );
-filter- { ; ... };
-filter--on-v4 ( break-dnssec |  );
-filter--on-v6 ( break-dnssec |  );
+filter- { ; ... }; // obsolete
+filter--on-v4 ; // obsolete
+filter--on-v6 ; // obsolete
 flush-zones-on-shutdown ;
 forward ( first | only );
 forwarders [ port  ] [ dscp  ] { ( 
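Review bot: the three filter- statements become "// obsolete" with no pointer to the replacement; the covering message says the feature moved to a plugin module, so the ARM entries for these options should say that and show the plugin statement, because a config still carrying them has to be migrated rather than just updated.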
@@ -182,18 +185,19 @@ options {
 fstrm-set-output-notify-threshold ; // not configured
 fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
 fstrm-set-output-queue-size ; // not configured
-fstrm-set-reopen-interval ; // not configured
+fstrm-set-reopen-interval ; // not configured
 geoip-directory (  | none ); // not configured
-geoip-use-ecs ; // not configured
+geoip-use-ecs ; // obsolete
 glue-cache ;
-has-old-clients ; // obsolete
+has-old-clients ; // ancient
 heartbeat-interval ;
-host-statistics ; // not implemented
-host-statistics-max ; // not implemented
+host-statistics ; // ancient
+host-statistics-max ; // ancient
 hostname (  | none );
 inline-signing ;
-interface-interval ;
-ixfr-from-differences ( master | slave |  );
+  
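Review bot: the replacement lines for interface-interval and ixfr-from-differences are not in this hunk, so whether ixfr-from-differences gained the primary/secondary keywords the way check-names did cannot be checked here; geoip-use-ecs moving to "// obsolete" and host-statistics / host-statistics-max moving from "not implemented" to "ancient" are consistent with the rest of the patch.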

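Following Mark's tip that doc/misc/options is generated from the parser, here is an added pre-upgrade check (not code from the post or from BIND) that reads that file's "// obsolete" and "// ancient" annotations and reports which statements in a named.conf carry them. Both inputs below are constructed excerpts; the grammar tokens are illustrative.

```python
import re

# Constructed excerpt in doc/misc/options style (grammar tokens are illustrative):
# entries may wrap, and the annotation follows the terminating ';'.
OPTIONS_DOC = """\
check-names ( primary | master | secondary | slave | response ) (
    fail | warn | ignore ); // may occur multiple times
deallocate-on-exit <boolean>; // ancient
deny-answer-addresses { <address_match_element>; ... } [
    except-from { <string>; ... } ];
dnstap { ( all | auth | client | forwarder | resolver | update ) [ (
    query | response ) ]; ... }; // not configured
fake-iquery <boolean>; // ancient
geoip-use-ecs <boolean>; // obsolete
recursion <boolean>;
"""

# Constructed 9.12-era named.conf that is about to be moved to 9.14.
NAMED_CONF = """\
options {
    directory "/var/named";
    fake-iquery no;
    geoip-use-ecs yes;   // left over from an older install
    recursion yes;       # a '#' comment is valid in named.conf too
};
"""

ENTRY_END = re.compile(r"^(?P<body>.*?);\s*(?://\s*(?P<note>.*))?$")  # closes an entry
STATEMENT = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\b")              # statement name

def parse_options_doc(text):
    """Map each option name to its trailing note ('' when it has none)."""
    notes, entry = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        entry.append(line)
        m = ENTRY_END.match(line)
        if m:  # entry complete; its name is the first token of its first line
            notes[entry[0].split()[0]] = (m.group("note") or "").strip()
            entry = []
    return notes

def flagged_statements(conf_text, notes, flags=("obsolete", "ancient")):
    """(line_no, option, note) for statements whose doc note is in flags.
    Only '//' and '#' comments are stripped; /* */ blocks are not handled."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        code = re.split(r"//|#", raw, maxsplit=1)[0]
        m = STATEMENT.match(code)
        if m and notes.get(m.group(1), "") in flags:
            hits.append((no, m.group(1), notes[m.group(1)]))
    return hits
```

Run it against the real doc/misc/options from the 9.14 tree and your own named.conf; "not configured" entries are deliberately not flagged, since that tag describes the build that generated the file.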
Updating to 9.14

2019-05-15 Thread @lbutlr
Currently running latest release of Bind 9.12, which is now EOLed and want to 
move to 9.14. I was looking on google for 

update "bind9.12" "bind 9.14"

But did not find anything of use. I did find the 9.14 announcement, but there 
isn't a link there to release notes. I know there has been at least one 
significant change in the named.conf file.



Other than the “allow-update” and “allow-update-forwarding” issue which does 
not affect me, what other configuration issues am I going to hit?

I am still OpenSSL 1.0.2r, do I need to move to OpenSSL 1.1.1? I mean, I am 
probably going to do that anyway, RSN, but this would be an excuse to do it now.

-- 
Forgive your enemies, but remember their names.




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: bind resolver zone delegation

2019-05-15 Thread Mark Andrews
The servers for vpn.smiths.com are misconfigured. The zone vpn.smiths.com
is delegated to them but they are configured to serve smiths.com.  Just
because Google ignores the delegation error, it doesn’t make the configuration
correct.

Mark

smiths.com. 172800  IN  NS  ns-east.cerf.net.
smiths.com. 172800  IN  NS  ns-west.cerf.net.
;; Received 580 bytes from 192.5.6.30#53(a.gtld-servers.net) in 13 ms

vpn.smiths.com. 86400   IN  NS  resolve02.sslra.com.
vpn.smiths.com. 86400   IN  NS  resolve01.sslra.com.
;; Received 97 bytes from 2001:1890:1ff:9f1:99:99:99:136#53(ns-east.cerf.net) 
in 320 ms

smiths.com. 60  IN  SOA resolve01.sslvpndemo.com. 
hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60
;; Received 111 bytes from 216.132.83.124#53(resolve01.sslra.com) in 174 ms


> On 15 May 2019, at 11:27 pm, Frank Patzig  wrote:
> 
> Hi,
> 
> my bind is 9.14-1.
> 
> I check the zone
> 
> dig @NS-EAST.CERF.NET any  vpn.smiths.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @NS-EAST.CERF.NET any
> vpn.smiths.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47937
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;vpn.smiths.com.IN  ANY
> 
> ;; AUTHORITY SECTION:
> vpn.smiths.com. 86400   IN  NS  resolve01.sslra.com.
> vpn.smiths.com. 86400   IN  NS  resolve02.sslra.com.
> 
> ;; Query time: 119 msec
> ;; SERVER: 2001:1890:1ff:9f1:99:99:99:136#53(2001:1890:1ff:9f1:99:99:99:136)
> ;; WHEN: Mi Mai 15 13:42:26 CEST 2019
> ;; MSG SIZE  rcvd: 97
> 
> this is fine
> 
> 
> dig @resolve01.sslra.com any  vpn.smiths.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @resolve01.sslra.com any
> vpn.smiths.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22398
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;vpn.smiths.com.IN  ANY
> 
> ;; ANSWER SECTION:
> vpn.smiths.com. 30  IN  A   194.105.113.242
> 
> ;; AUTHORITY SECTION:
> smiths.com. 500 IN  NS  resolve01.sslvpndemo.com.
> 
> ;; Query time: 171 msec
> ;; SERVER: 216.132.83.124#53(216.132.83.124)
> ;; WHEN: Mi Mai 15 13:43:04 CEST 2019
> ;; MSG SIZE  rcvd: 94
> 
> OK
> 
> dig @resolve01.sslra.com MX  vpn.smiths.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @resolve01.sslra.com MX
> vpn.smiths.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21258
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;vpn.smiths.com.IN  MX
> 
> ;; AUTHORITY SECTION:
> smiths.com. 60  IN  SOA resolve01.sslvpndemo.com.
> hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60
> 
> ;; Query time: 169 msec
> ;; SERVER: 216.132.83.124#53(216.132.83.124)
> ;; WHEN: Mi Mai 15 13:44:04 CEST 2019
> ;; MSG SIZE  rcvd: 111
> 
> ---
> 
> 
> I check my bind:
> 
> dig @localhost  any  vpn.smiths.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @localhost any vpn.smiths.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27551
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;vpn.smiths.com.IN  ANY
> 
> ;; ANSWER SECTION:
> vpn.smiths.com

Re: bind resolver zone delegation

2019-05-15 Thread Mukund Sivaraman
On Wed, May 15, 2019 at 03:27:14PM +0200, Frank Patzig wrote:
> In my log
> 
> DNS format error from 64.7.11.138#53 resolving vpn.smiths.com/MX for client
> 127.0.0.1#47512: Name smiths.com (SOA) not subdomain of zone vpn.smiths.com
> -- invalid response
> 
> What is the problem?

> ;; AUTHORITY SECTION:
> smiths.com. 59  IN  SOA resolve01.sslvpndemo.com.
> hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60

SOA belongs to smiths.com, whereas the resolver is expecting an answer
from zone vpn.smiths.com following the delegation for it. Instead, from
your own paste, vpn.smiths.com/A looks to be an address record in zone
smiths.com (in any case, vpn.smiths.com/MX is missing and the resolver
will reject the negative answer because it has an unexpected SOA owner
name from the smiths.com zone).

Have you set up the "vpn.smiths.com" zone on resolve01.sslra.com and
resolve02.sslra.com?

Mukund
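Both replies come down to the same check, which this added Python (not BIND's code, nor the posters') re-implements offline: the owner name of the SOA or NS a server returns must sit at or below the zone the delegation handed it, compared label by label. The record data is constructed from the dig output quoted in the thread.

```python
def labels(name):
    """Presentation-format name -> list of lowercase labels (root -> [])."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]

def is_subdomain(name, zone):
    """True when name equals zone or lies below it, compared label by label
    (a plain string suffix test would wrongly accept notvpn.smiths.com)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def check_negative_response(delegated_zone, authority):
    """authority: (owner, rtype) pairs from the AUTHORITY section of a
    NOERROR/NXDOMAIN response with an empty answer, obtained from a server
    the delegation for delegated_zone pointed at.  The SOA (or NS) backing
    the negative answer must belong to that zone or one below it; a
    parent-zone SOA means the server answered from the wrong zone and the
    resolver must not cache it as a negative answer for delegated_zone."""
    for owner, rtype in authority:
        if rtype in ("SOA", "NS") and not is_subdomain(owner, delegated_zone):
            return False, (f"Name {owner.rstrip('.')} ({rtype}) not subdomain of "
                           f"zone {delegated_zone.rstrip('.')} -- invalid response")
    return True, "negative answer is within the delegated zone"

def served_zones(authority):
    """Zones the answering server claims authority for, per its SOA/NS owners."""
    return sorted({o.lower() for o, r in authority if r in ("SOA", "NS")})

# Constructed from the thread: resolve01.sslra.com's reply to vpn.smiths.com/MX
MX_REPLY_AUTHORITY = [("smiths.com.", "SOA")]
# ... and its reply to vpn.smiths.com/ANY, which carried a smiths.com NS
ANY_REPLY_AUTHORITY = [("smiths.com.", "NS")]
# What a server actually configured for vpn.smiths.com would have returned
CORRECT_AUTHORITY = [("vpn.smiths.com.", "SOA")]

if __name__ == "__main__":
    for auth in (MX_REPLY_AUTHORITY, CORRECT_AUTHORITY):
        print(check_negative_response("vpn.smiths.com.", auth))
    print("server is serving:", served_zones(ANY_REPLY_AUTHORITY))
```

The first verdict reproduces the log line from the original post; served_zones on the ANY reply shows what Mark saw, a server answering for smiths.com although the delegation is for vpn.smiths.com.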


bind resolver zone delegation

2019-05-15 Thread Frank Patzig

Hi,

my bind is 9.14-1.

I check the zone

dig @NS-EAST.CERF.NET any  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @NS-EAST.CERF.NET any
vpn.smiths.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47937
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vpn.smiths.com.IN  ANY

;; AUTHORITY SECTION:
vpn.smiths.com. 86400   IN  NS  resolve01.sslra.com.
vpn.smiths.com. 86400   IN  NS  resolve02.sslra.com.

;; Query time: 119 msec
;; SERVER: 2001:1890:1ff:9f1:99:99:99:136#53(2001:1890:1ff:9f1:99:99:99:136)
;; WHEN: Mi Mai 15 13:42:26 CEST 2019
;; MSG SIZE  rcvd: 97

this is fine


dig @resolve01.sslra.com any  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @resolve01.sslra.com any
vpn.smiths.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22398
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vpn.smiths.com.IN  ANY

;; ANSWER SECTION:
vpn.smiths.com. 30  IN  A   194.105.113.242

;; AUTHORITY SECTION:
smiths.com. 500 IN  NS  resolve01.sslvpndemo.com.

;; Query time: 171 msec
;; SERVER: 216.132.83.124#53(216.132.83.124)
;; WHEN: Mi Mai 15 13:43:04 CEST 2019
;; MSG SIZE  rcvd: 94

OK

dig @resolve01.sslra.com MX  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @resolve01.sslra.com MX
vpn.smiths.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21258
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vpn.smiths.com.IN  MX

;; AUTHORITY SECTION:
smiths.com. 60  IN  SOA resolve01.sslvpndemo.com.
hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60

;; Query time: 169 msec
;; SERVER: 216.132.83.124#53(216.132.83.124)
;; WHEN: Mi Mai 15 13:44:04 CEST 2019
;; MSG SIZE  rcvd: 111

---


I check my bind:

dig @localhost  any  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @localhost any vpn.smiths.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27551
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vpn.smiths.com.IN  ANY

;; ANSWER SECTION:
vpn.smiths.com. 30  IN  A   194.105.113.242
vpn.smiths.com. 1583    IN  NS  resolve01.sslra.com.
vpn.smiths.com. 1583    IN  NS  resolve02.sslra.com.

;; AUTHORITY SECTION:
vpn.smiths.com. 1583    IN  NS  resolve01.sslra.com.
vpn.smiths.com. 1583    IN  NS  resolve02.sslra.com.

;; ADDITIONAL SECTION:
resolve01.sslra.com.    506 IN  A   216.132.83.124
resolve02.sslra.com.    258 IN  A   64.7.11.138

;; Query time: 172 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mi Mai 15 13:44:38 CEST 2019
;; MSG SIZE  rcvd: 173


dig @localhost  MX  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @localhost MX vpn.smiths.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8396
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vpn.smiths.com.IN  MX

;; Query time: 272 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mi Mai 15 13:45:34 CEST 2019
;; MSG SIZE  rcvd: 43


The status is SERVFAIL

In my log

DNS format error from 64.7.11.138#53 resolving vpn.smiths.com/MX for 
client 127.0.0.1#47512: Name smiths.com (SOA) not subdomain of zone 
vpn.smiths.com -- invalid response


What is the problem?


Test with Google is OK:

dig @8.8.8.8  MX  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @8.8.8.8 MX vpn.smiths.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21066
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vpn.smiths.com.IN  MX

;; AUTHORITY SECTION:
smiths.com. 59  IN  SOA 
resolve01.sslvpndemo.com. hostmaster.resolve01.sslvpndemo.com. 5 10800 
360