Re: Server Keys
> On 12 Nov 2019, at 17:27, Mundile wrote:
>
> How do I include a list of keys in a BIND9 server clause:

You don't. Only a single key is supported, optionally surrounded by braces. For key rollover you update the server side to support multiple keys rather than have the client side try multiple keys.

Mark

> server ip-addr {
>     [ keys "key-name"; ["key-name"; ... ; ] ;}
>
> For example, I have tried the following but it is giving errors
>
> server 162.0.4.49 {
>     keys { tsig.example.org1 ; tsig.example.org2; tsig.example.org3 };
> };

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
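A worked version of the rollover Mark describes, added here as an editor's example rather than anything posted in the thread. The secondary names exactly one key per server clause; the primary is the side that accepts both the old and the new key while the rollover is in progress. The key names and the 162.0.4.49 address are the ones from the post; the zone name, file paths and the base64 secrets are placeholders.

```conf
// ---------------------------------------------------------------
// Primary (server side): define both keys and accept either one.
// Secrets are base64 placeholders, not real keys; generate real
// ones with `tsig-keygen tsig.example.org2` (BIND 9.11+).
// ---------------------------------------------------------------
key "tsig.example.org1" {                 // old key, being retired
    algorithm hmac-sha256;
    secret "b2xkLWtleS1wbGFjZWhvbGRlcg==";   // placeholder
};

key "tsig.example.org2" {                 // new key
    algorithm hmac-sha256;
    secret "bmV3LWtleS1wbGFjZWhvbGRlcg==";   // placeholder
};

zone "example.org" {                      // assumed zone
    type master;
    file "/var/named/example.org.db";     // assumed path
    // Both keys are valid for AXFR until every secondary has moved;
    // then drop tsig.example.org1 from this list and from the key statements.
    allow-transfer { key "tsig.example.org1"; key "tsig.example.org2"; };
};

// ---------------------------------------------------------------
// Secondary (client side): one key per server, never a list.
// ---------------------------------------------------------------
// This is the form from the original post and is rejected by
// named-checkconf: the parser allows a single key name, with or
// without braces, and nothing more.
//
// server 162.0.4.49 {
//     keys { tsig.example.org1 ; tsig.example.org2; tsig.example.org3 };
// };

key "tsig.example.org2" {                 // the key the secondary now uses
    algorithm hmac-sha256;
    secret "bmV3LWtleS1wbGFjZWhvbGRlcg==";   // same placeholder as on the primary
};

server 162.0.4.49 {
    keys { "tsig.example.org2"; };        // braces optional: keys "tsig.example.org2"; also works
};

zone "example.org" {
    type slave;
    masters { 162.0.4.49; };
    file "/var/named/slaves/example.org.db";   // assumed path
};
```

Run `named-checkconf` on both files before reloading: the three-key form fails there, so the error never reaches a running server. To confirm the new key is accepted before retiring the old one, pull the zone by hand with `dig @162.0.4.49 example.org AXFR -y hmac-sha256:tsig.example.org2:<secret>`; a BADKEY or REFUSED answer means the primary has not picked up the new key statement yet.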
Server Keys
How do I include a list of keys in a BIND9 server clause:

server ip-addr {
    [ keys "key-name"; ["key-name"; ... ; ] ;}

For example, I have tried the following but it is giving errors

server 162.0.4.49 {
    keys { tsig.example.org1 ; tsig.example.org2; tsig.example.org3 };
};
Re: .onion and dnssec
Hi Tony,

On Mon, 11 Nov 2019, Tony Finch wrote:

> Erich Eckner wrote:
>> However, I encounter the issue here:
>> https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html
>
> If you are running 9.14 (or newer) you can use the validate-except
> configuration option. In older versions you can use `rndc nta` but that is
> very inconvenient if you need a long-term exception.

I'm running 9.14.7 and tried both, but while it does not give any errors, the lookup still fails (`rndc nta onion` is logged successfully, so it seems to do the right thing).

I also have a hard time generating some useful debug output: setting `-d 9` does not give additional information in the system log, and running named manually with `-d 9` prints nothing to stdout (though, it seems, it generates a log file then).

Digging a little through my configuration, I noticed that "." is actually a slave zone:

zone "." in {
    type slave;
    file "/etc/opennic/slave/tld-root";
    notify no;
    masters {
        45.56.115.189;                     # ns0.opennic.glue
        45.56.116.224;                     # ns0.opennic.glue
        2001:470:1f0e:8a0::2;              # ns0.opennic.glue
        2600:3c02::f03c:91ff:fe33:e1ba;    # ns0.opennic.glue
    };
};

Might this be an issue? (I notice that the lookup succeeds when I comment out the root zone.)

Cheers,
Erich
Re: Debug logging for auto-dnssec inline signing
Tony Finch wrote:

>> What "category" should one be logging in order to get details of DNSSEC
>> inline signing when running Bind 9.8.11?
>
> I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has
> been unsupported for ages.

Correct - I need to practice my proofreading skills :-(

> Yes, there is not very much logging of automatic zone signing. I think that
> has been improved a bit in 9.15 but I haven't looked at it in detail.

Hopefully some helpful ISC person will be along shortly with better particulars of the logging available for automatic signing in both 9.11 & later releases. I do seem to recall reading that RIPE chose Knot over Bind for DNS signing related to the logging.

>> I have an authoritative master server with a number of domains set with:-
>>
>>     inline-signing yes;
>>     auto-dnssec maintain;
>>
>> and have a suspicion that Bind has simply stopped re-signing most of them.

It turns out that I became nervous one day before I should have. The zones in question were re-signed overnight.

> There have been some bugs in this area which were fixed in 9.13.3 and that
> don't appear in the 9.11 branch - but I don't know if the fixes are
> relevant to 9.11.
>
> See changes 5015, 5014, 5004
> https://gitlab.isc.org/isc-projects/bind9/blob/v9_13_3/CHANGES

Those are indeed interesting, thanks. Perhaps this suggests that sticking with the ESV version might be less prudent on DNSSEC signers. Do you (or others) have a view on this?

Best wishes,
Matthew
Re: .onion and dnssec
Erich Eckner wrote:
>
> However, I encounter the issue here:
> https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html

If you are running 9.14 (or newer) you can use the validate-except configuration option. In older versions you can use `rndc nta` but that is very inconvenient if you need a long-term exception.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Forth, Tyne, Dogger: Cyclonic 5 to 7. Moderate or rough. Showers. Good, occasionally moderate.
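The validate-except variant Tony mentions, written out as an added editor's example (not configuration from the thread). The forward zone is the one from Erich's original post, unchanged; the options block around it, including the directory, is assumed.

```conf
// Resolver-side carve-out for .onion on BIND 9.14 or newer.
options {
    directory "/var/named";            // assumed
    recursion yes;

    // Keep validating everything else against the built-in root trust anchor.
    dnssec-validation auto;

    // Treat "onion" and everything below it as insecure without consulting
    // the (signed) root, which provably has no delegation for it. This is
    // the permanent form of what `rndc nta onion` does temporarily.
    validate-except { "onion"; };
};

// Hand .onion lookups to the Tor DNSPort(s). "forward only" keeps named
// from falling back to the public root, where the name does not exist.
zone "onion" IN {
    type forward;
    forward only;
    forwarders {
        192.168.0.3 port 9053;
        192.168.1.3 port 9053;
    };
};
```

Two checks after `rndc reconfig`: `rndc nta -dump` should list nothing for onion, since validate-except is not an NTA and needs no renewal, and `dig +dnssec <name>.onion @127.0.0.1` should come back with an answer rather than SERVFAIL and without the AD flag, which is the expected state for an unvalidated name. The `rndc nta` route has the drawback Tony points at: an NTA lives for nta-lifetime (one hour by default, one week at most) and then expires, so it is a debugging aid rather than a configuration. Note also that validate-except only relaxes validation; whether a .onion query reaches the forward zone at all depends on how "." is served, which is the separate question Erich raises in his follow-up.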
.onion and dnssec
Hi,

I'm running a recursive bind (root hint, several master zones for opennic tlds) and would like to extend it by resolving .onion addresses through my tor node. Naively, I tried to add this to my config file:

zone "onion" IN {
    type forward;
    forward only;
    forwarders {
        192.168.0.3 port 9053;
        192.168.1.3 port 9053;
    };
};

However, I encounter the issue here:
https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html

I confirmed that by putting the domain (like suggested in the answers) below a self-controlled domain without DNSSEC (e.g. "onion.eckner.net"), which made things work. However, this feels really clumsy for .onion addresses: you have to edit the url in the address bar and - even worse - you leak the used domain to the hidden service (in case of http(s), at least) ...

Configuring .onion as master/slave is also not an option, because tor does not offer zone transfers (for privacy reasons, probably) and because the ip addresses are auto-generated on request.

Is there any possibility to get this running without stripping DNSSEC from the clients (e.g. without setting up another nameserver in front which does not do DNSSEC)? Can I somehow (locally) re-sign the root zone with my own keys but still check the signature on all but .onion tlds? Any other ideas?

regards,
Erich
Re: Debug logging for auto-dnssec inline signing
Matthew Richardson wrote:

> What "category" should one be logging in order to get details of DNSSEC
> inline signing when running Bind 9.8.11?

I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has been unsupported for ages.

Yes, there is not very much logging of automatic zone signing. I think that has been improved a bit in 9.15 but I haven't looked at it in detail.

> I have an authoritative master server with a number of domains set with:-
>
>     inline-signing yes;
>     auto-dnssec maintain;
>
> and have a suspicion that Bind has simply stopped re-signing most of them.

There have been some bugs in this area which were fixed in 9.13.3 and that don't appear in the 9.11 branch - but I don't know if the fixes are relevant to 9.11.

See changes 5015, 5014, 5004
https://gitlab.isc.org/isc-projects/bind9/blob/v9_13_3/CHANGES

Tony.
--
f.anthony.n.finch  http://dotat.at/
Shetland Isles: East 5 to 7, backing northeast 6 to gale 8. Moderate or rough, becoming rough or very rough later, occasionally high in west. Rain or showers. Moderate or good, occasionally poor.
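Since neither message names a category, here is an added editor's example (not from the thread, and not ISC's documentation) of a logging setup for a 9.11 inline signer, plus the checks that answer "has it stopped re-signing?" without relying on the log at all. In my reading of the sources, zone maintenance messages in 9.11, including the "(signed)" inline-signing ones, are written by the zone module under the general category; later releases move more of the signing chatter to the dnssec category, so the channel below takes both. The log path and the zone are assumed.

```conf
logging {
    channel zone_maint {
        file "/var/log/named/zone-maint.log" versions 5 size 20m;   // assumed path
        // Debug messages only appear when named's own debug level is at
        // least this high: start with -d 3 or run `rndc trace 3`, and
        // `rndc notrace` to drop back to zero afterwards.
        severity debug 3;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // 9.11: zone-level signing messages arrive here.
    category general { zone_maint; default_syslog; };
    // Newer releases route (some) signing messages here instead; harmless on 9.11.
    category dnssec  { zone_maint; };
};

zone "example.net" {                        // assumed zone
    type master;
    file "/var/named/example.net.db";       // assumed path
    key-directory "/var/named/keys";        // assumed path
    inline-signing yes;
    auto-dnssec maintain;
};
```

The log is the weak side of this, as Tony says, so verify from the signer's state instead: `rndc zonestatus example.net` prints the next resign node and next resign time for an auto-dnssec zone, `rndc signing -list example.net` shows any signing operation still in progress, and `dig +dnssec +multi example.net SOA @<primary>` shows the RRSIG inception and expiration dates, which is the ground truth for whether re-signing actually happened. That last check is the one to alarm on: an RRSIG expiration closer than the resign interval means the zone has already fallen behind, whatever the log says.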