Re: DNSSEC validation via DLV

2019-07-18 Thread Mark Elkins
That I understand. Use me (Posix) then, full DNSSEC support. 
https://vweb.co.za. If you like, run your DNS wherever you want, just 
use me at the Registrar.
Unfortunately, very few Registrars in ZA-Land have implemented DNSSEC 
support - despite ZA having a very high percentage of DNSSEC resolver 
support (about 50% of all queries hit a DNSSEC aware recursive resolver!)


On 2019/07/19 01:57, p...@vspace.co.za wrote:

By all means, not a difficult process at all. I have DNSSEC enabled and fully 
operational on .com domains.

Problem being, no options exist to export the DS record of co.za, com.au or 
net.au domains to the respective registrars, being namecheap.com and 
axxess.co.za.

Noted that namecheap.com does accept the DS records for .com domains, yet not 
for .au domains.

--
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC validation via DLV

2019-07-18 Thread Mal via bind-users



On 19/07/2019 9:27 am, p...@vspace.co.za wrote:
> 
> Problem being, no options exist to export the DS record of co.za, com.au 
> or net.au domains to the respective registrars, being namecheap.com and 
> axxess.co.za.
> 

Change registry, right?

Crazy domains supports them for the ".com.au" zone.




RE: DNSSEC validation via DLV

2019-07-18 Thread peek
By all means, not a difficult process at all. I have DNSSEC enabled and fully 
operational on .com domains.

Problem being, no options exist to export the DS record of co.za, com.au or 
net.au domains to the respective registrars, being namecheap.com and 
axxess.co.za.

Noted that namecheap.com does accept the DS records for .com domains, yet not 
for .au domains.

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mal via 
bind-users
Sent: Thursday, 18 July 2019 10:22 PM
To: m...@posix.co.za; bind-users@lists.isc.org
Subject: Re: DNSSEC validation via DLV


Not a difficult process really..

-Configure a DNSSEC enabled name server
-Create some zone keys (dnssec-keygen)
-Sign your zone (dnssec-signzone)
-Update your nameserver configuration to point to the signed zone file
-Export your DS records (dsset) to the domain registration company (EPP).

Confirm the chain..   http://dnsviz.net/d/apnic.com.au/dnssec/

Mal





Re: factor addresses out of 'forwarders' statement

2019-07-18 Thread Grant Taylor via bind-users

On 7/18/19 3:24 PM, John Thurston wrote:
I have a number of 'forward' zones defined. Many of them look exactly 
the same except for their name. It would be helpful to abstract the 
addresses of my forwarders out and name them only once. But I can't find 
any way to do this.


An ACL doesn't make sense. A 'masters' list doesn't work.

Is there some way to do this?

alias { 10.10.1.2; 10.10.3.4; 10.10.5.6; };
zone "foo" { type forward; forwarders { alias; }; };


Maybe.

Take a look at include statements.

You'll probably need to have the contents of the alias in its own file:

--8<--
10.10.1.2; 10.10.3.4; 10.10.5.6;
-->8--

Then construct your zone statement a little bit differently.

--8<--
zone "foo" { type forward; forwarders {
include "/path/to/alias/file";
}; };
-->8--

You are functionally doing what you want.

What you're really doing is manipulating text files that happen to be 
the aggregate BIND config file.


You could probably move more of the duplicate part of the config into 
the included file and have less to type for each zone.


Note:  I've not tested this in a while, things may have changed since I 
last tried this.


The other non-BIND option is to use some sort of pre-processor to 
generate your BIND config file for you.  I personally reach for M4 for 
things like this.  I can define a macro that accepts the zone name as a 
parameter.  Then I use the macro for each zone and let M4 stamp out the 
necessary config lines for me.  }:-)


Then there are the other zone loading methods, DLZ, catalog zones, etc.



--
Grant. . . .
unix || die





factor addresses out of 'forwarders' statement

2019-07-18 Thread John Thurston
I have a number of 'forward' zones defined. Many of them look exactly 
the same except for their name. It would be helpful to abstract the 
addresses of my forwarders out and name them only once. But I can't find 
any way to do this.


An ACL doesn't make sense. A 'masters' list doesn't work.

Is there some way to do this?

alias { 10.10.1.2; 10.10.3.4; 10.10.5.6; };
zone "foo" { type forward; forwarders { alias; }; };



--
   Do things because you should, not just because you can.

John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska


Re: DNSSEC validation via DLV

2019-07-18 Thread Mal via bind-users

Not a difficult process really..

-Configure a DNSSEC enabled name server
-Create some zone keys (dnssec-keygen)
-Sign your zone (dnssec-signzone)
-Update your nameserver configuration to point to the signed zone file
-Export your DS records (dsset) to the domain registration company (EPP).

Confirm the chain..   http://dnsviz.net/d/apnic.com.au/dnssec/

Mal



On 18/07/2019 4:46 pm, Mark Elkins wrote:
> I can't comment on com.au (but looking up the Nameservers, I see the AD
> bit set - so DNSSEC appears to be in use).
> 
> However, co.za (and net.za, org.za & web.za) which are managed by the
> ZACR (and DNS) - they are all signed and I personally have domains under
> these second levels - all running DNSSEC. The DS records are added to
> the parents using EPP - and it works perfectly. I used to present free
> (to the community) DNS classes to the community (the ZACR paid me) and
> this (DNSSEC) was taught to attendees. Unfortunately, no more classes
> for now.
> 
> DNSSEC in CO.ZA became live at about the time DLV stopped running. The
> other SLDs had already been running for about a year.
> 
> For the record, EDU.ZA is also signed and can accept DS records - albeit
> via a Web interface.
> 
> @peek - you are most welcome to chat to me.
> 
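The last step in Mal's list, exporting the DS record, is the one that goes through a registrar's EPP interface or a web form, and the one where a transcription error turns the whole zone bogus for every validating resolver. This added example (not from the thread, not BIND's dnssec-dsfromkey) computes the DS record from a DNSKEY RR exactly as RFC 4034 specifies it (owner name in canonical wire form plus the DNSKEY RDATA, hashed with the chosen digest type) and then checks a DS record as published by the parent against the KSK the zone is actually signed with. The DNSKEY line is constructed test data with a four-byte placeholder key, not a real RSA key; the owner name example.com and the dsset-style output layout are assumptions.

```python
"""Derive a DS record from a DNSKEY and check what the registrar published.
Added example for the bind-users thread; standard library only."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605). Type 1 (SHA-1) is kept only
# so old DS records can be checked; do not publish new ones with it.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed test data: flags 257 (ZONE + SEP) marks a KSK; the key bytes are
# a placeholder, not a real algorithm-8 (RSASHA256) key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, each label length-prefixed,
    terminated by the empty root label (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR as printed by dig or found in a
    K*.key file: 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...'."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return tokens[0], flags, proto, alg, pubkey


def is_ksk(flags: int) -> bool:
    """DS records are made from the KSK: ZONE bit (0x0100) and SEP bit (0x0001)."""
    return flags & 0x0101 == 0x0101


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(dnskey_line: str, digest_type: int = 2) -> str:
    """DS RR in presentation form (same layout as a dsset- file line) that the
    parent zone must publish for this DNSKEY."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    if not is_ksk(flags):
        raise ValueError(f"flags {flags}: derive the DS from the KSK (257), not a ZSK")
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def parse_ds(line: str):
    """Parse 'owner [ttl] [IN] DS keytag alg digesttype hex...' into a tuple."""
    tokens = line.split()
    i = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[i + 1:i + 4])
    return tokens[0].rstrip(".").lower(), tag, alg, dtype, "".join(tokens[i + 4:]).upper()


def ds_matches(published_ds: str, dnskey_line: str) -> bool:
    """True if the DS the parent/registrar published corresponds to this KSK.
    A mismatch (stale DS after a rollover, a typo in a registrar web form) makes
    the zone validate as bogus, which is worse than leaving it unsigned."""
    owner, tag, alg, dtype, digest = parse_ds(published_ds)
    if dtype not in DIGEST_ALGS:
        return False
    return parse_ds(make_ds(dnskey_line, dtype)) == (owner, tag, alg, dtype, digest)


if __name__ == "__main__":
    ds = make_ds(SAMPLE_DNSKEY)
    print(ds)
    print("published DS matches KSK:", ds_matches(ds, SAMPLE_DNSKEY))
```

In practice feed make_ds the KSK line from the K*.key file dnssec-keygen wrote, compare its output with the dsset- file dnssec-signzone produced, and after the registrar has pushed the DS to the parent, feed ds_matches the DS record you get back from `dig +dnssec DS <zone>` at the parent's nameservers. Only then point a validating resolver (or dnsviz) at the zone.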


Re: DNSSEC validation via DLV

2019-07-18 Thread Mark Elkins
I can't comment on com.au (but looking up the Nameservers, I see the AD 
bit set - so DNSSEC appears to be in use).


However, co.za (and net.za, org.za & web.za) which are managed by the 
ZACR (and DNS) - they are all signed and I personally have domains under 
these second levels - all running DNSSEC. The DS records are added to 
the parents using EPP - and it works perfectly. I used to present free 
(to the community) DNS classes to the community (the ZACR paid me) and 
this (DNSSEC) was taught to attendees. Unfortunately, no more classes 
for now.


DNSSEC in CO.ZA became live at about the time DLV stopped running. The 
other SLDs had already been running for about a year.


For the record, EDU.ZA is also signed and can accept DS records - albeit 
via a Web interface.


@peek - you are most welcome to chat to me.


On 2019/07/18 04:34, p...@vspace.co.za wrote:

With DLV (DNSSEC Lookaside Validation) having been decommissioned, 
though zones still exist that do not provide a fully signed path 
from root to zone, i.e. .com.au, co.za etc., how would an 
administrator enable / implement DNSSEC validation for these zones?





--
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
