Re: Server Keys

2019-11-11 Thread Mark Andrews


> On 12 Nov 2019, at 17:27, Mundile  wrote:
> 
> How do I include a list of keys in a BIND9 server clause:

You don’t.  Only a single key is supported, optionally surrounded by
braces.  For key rollover you update the server side to support multiple
keys rather than have the client side try multiple keys.

Mark

> server ip-addr {
>   [ keys "key-name"; ["key-name"; ... ; ]
>   ;}
> For example, I have tried the following but it is giving errors
> 
> server 162.0.4.49 {
> 
> keys { tsig.example.org1 ; tsig.example.org2; tsig.example.org3 };
> };
> Sent from Mail for Windows 10
>  
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
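Added example (not code from the thread): the arrangement Mark describes, written out as two named.conf fragments. The secondary names exactly one key in its server clause; the primary is the side that accepts several keys while a rollover is in progress. The primary's address is the one from the question; key names, secrets, the zone name and the secondary's address are placeholders.

```conf
# Added example, not from the thread.  Two fragments: one for the primary
# (162.0.4.49, the address from the question) and one for a secondary.
# Key names, secrets, the zone name and the secondary's address are
# placeholders; generate real secrets with tsig-keygen.

# ---- defined on BOTH servers while the rollover is in progress ----
key "tsig-old.example.org" {
    algorithm hmac-sha256;
    secret "bm90LWEtcmVhbC1zZWNyZXQtcmVwbGFjZS1tZQ==";   # placeholder
};
key "tsig-new.example.org" {
    algorithm hmac-sha256;
    secret "YW5vdGhlci1wbGFjZWhvbGRlci1zZWNyZXQ=";       # placeholder
};

# ---- primary, 162.0.4.49: named.conf ----
# This is where "multiple keys" lives.  Transfers signed with either key
# are accepted until every secondary has switched; then drop the old key
# from the list (and its key statement) to finish the rollover.
zone "example.org" {
    type master;
    file "example.org.db";
    allow-transfer {
        key "tsig-old.example.org";
        key "tsig-new.example.org";
    };
};

# ---- secondary (placeholder address 192.0.2.53): named.conf ----
# "keys" takes a single key name; listing several here is a syntax error.
# Rolling over on this side means changing this one name and reloading.
server 162.0.4.49 {
    keys { "tsig-new.example.org"; };
};
zone "example.org" {
    type slave;
    file "example.org.db";
    masters { 162.0.4.49; };
};
```

Run `named-checkconf` on each fragment before reloading: a `keys` list with more than one name is rejected at parse time, which is the error the question reports. Keeping both key statements on both servers during the window is what lets the primary verify a transfer request from a secondary that has not switched yet.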


Server Keys

2019-11-11 Thread Mundile
How do I include a list of keys in a BIND9 server clause:

server ip-addr {
  [ keys "key-name"; ["key-name"; ... ; ]
  ;}
For example, I have tried the following but it is giving errors
server 162.0.4.49 {
keys { tsig.example.org1 ; tsig.example.org2; tsig.example.org3 };
};
Sent from Mail for Windows 10



Re: .onion and dnssec

2019-11-11 Thread Erich Eckner

Hi Tony,

On Mon, 11 Nov 2019, Tony Finch wrote:

> Erich Eckner  wrote:
>
>> However, I encounter the issue here:
>> https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html
>
> If you are running 9.14 (or newer) you can use the validate-except
> configuration option. In older versions you can use `rndc nta` but
> that is very inconvenient if you need a long-term exception.


I'm running 9.14.7 and tried both, but while it does not give any errors, 
the lookup still fails (`rndc nta onion` is logged successfully, so it 
seems to do the right thing). I also have a hard time generating some 
useful debug output: setting `-d 9` does not give additional information 
in the system log, and running named manually with -d 9 prints nothing to 
stdout (though it seems it generates a log file then).


Digging a little through my configuration, I noticed that "." is actually 
a slave zone:


zone "." in {
    type slave;
    file "/etc/opennic/slave/tld-root";
    notify no;
    masters {
        45.56.115.189;                  # ns0.opennic.glue
        45.56.116.224;                  # ns0.opennic.glue
        2001:470:1f0e:8a0::2;           # ns0.opennic.glue
        2600:3c02::f03c:91ff:fe33:e1ba; # ns0.opennic.glue
    };
};

Might this be an issue? (I notice that the lookup succeeds when I comment 
out the root zone.)


Cheers,
Erich



Re: Debug logging for auto-dnssec inline signing

2019-11-11 Thread Matthew Richardson
Tony Finch  wrote:-

>> What "category" should one be logging in order to get details of DNSSEC
>> inline signing when running Bind 9.8.11?
>
>I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has
>been unsupported for ages.

Correct - I need to practice my proofreading skills :-(

>Yes, there is not very much logging of automatic zone signing. I think that
>has been improved a bit in 9.15 but I haven't looked at it in detail.

Hopefully some helpful ISC person will be along shortly with better
particulars of the logging available for automatic signing in both 9.11 &
later releases.

I do seem to recall reading that RIPE chose Knot over Bind for DNS signing
related to the logging.

>> I have an authoratitive master server with a number of domains set with:-
>>
>> inline-signing yes;
>> auto-dnssec maintain;
>>
>> and have a suspicion that Bind has simply stopped re-signing most of them.

It turns out that I became nervous one day before I should have.  The zones
in question were re-signed overnight.

>There have been some bugs in this area which were fixed in 9.13.3 and that
>don't appear in the 9.11 branch - but I don't know if the fixes are
>relevant to 9.11.
>
>See changes 5015, 5014, 5004
>https://gitlab.isc.org/isc-projects/bind9/blob/v9_13_3/CHANGES

Those are indeed interesting, thanks.  Perhaps this suggests that sticking
with the ESV version might be less prudent on DNSSEC signers.  Do you (or
others) have a view on this?

Best wishes,
Matthew


Re: .onion and dnssec

2019-11-11 Thread Tony Finch
Erich Eckner  wrote:
>
> However, I encounter the issue here:
> https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html

If you are running 9.14 (or newer) you can use the validate-except
configuration option. In older versions you can use `rndc nta` but
that is very inconvenient if you need a long-term exception.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Forth, Tyne, Dogger: Cyclonic 5 to 7. Moderate or rough. Showers. Good,
occasionally moderate.
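Added example (not code from the thread): Erich's forward zone combined with the validate-except option Tony points to, which exists in BIND 9.14 and later. The forwarder addresses are the ones from the original post; the options block around them is a placeholder, and the slave copy of "." mentioned later in the thread is not touched here.

```conf
# Added example, not from the thread: forward "onion" to the Tor DNSPort
# listeners from the original post while keeping DNSSEC validation on for
# every other name.  The options block is a placeholder apart from the
# two lines marked; validate-except needs BIND 9.14 or newer.
options {
    directory "/var/named";            # placeholder
    recursion yes;
    dnssec-validation auto;            # keep validating everything else
    validate-except { "onion"; };      # never demand a chain of trust under onion
};

zone "onion" IN {
    type forward;
    forward only;
    forwarders {
        192.168.0.3 port 9053;
        192.168.1.3 port 9053;
    };
};
```

The failure this works around: a validating resolver holds a signed root and can prove that no "onion" delegation exists, so answers that come back from the forwarders have no chain of trust and are discarded as bogus. validate-except tells named not to require one at or below the listed names, and only there. On releases before 9.14 the equivalent is a negative trust anchor, `rndc nta onion`, but NTAs expire (default lifetime one hour, capped at a week) and have to be refreshed, which is why Tony calls them inconvenient for a long-term exception. `named-checkconf` rejects the configuration on a release that does not know validate-except, so it is a quick way to tell which case you are in.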


.onion and dnssec

2019-11-11 Thread Erich Eckner

Hi,

I'm running a recursive bind (root hint, several master zones for opennic 
tlds) and would like to extend it by resolving .onion addresses through my 
tor node.


Naively, I tried to add this to my config file:

zone "onion" IN {
    type forward;
    forward only;
    forwarders {
        192.168.0.3 port 9053;
        192.168.1.3 port 9053;
    };
};

However, I encounter the issue here: 
https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html


I confirmed that by putting the domain (as suggested in the answers) 
below a self-controlled domain without DNSSEC (e.g. "onion.eckner.net"), 
which made things work.


However, this feels really clumsy for .onion addresses: you have to edit 
the url in the address bar and - even worse - you leak the used domain to 
the hidden service (in case of http(s), at least) ...


Configuring .onion as master/slave is also not an option, because tor does 
not offer zone transfers (for privacy reasons, probably) and because the 
ip addresses are auto-generated on request.


Is there any possibility to get this running without stripping DNSSEC from 
the clients (e.g. without setting up another nameserver in front which does 
not do DNSSEC)? Can I somehow (locally) re-sign the root zone with my own 
keys but still check the signature on all but .onion tlds?


Any other ideas?

regards,
Erich



Re: Debug logging for auto-dnssec inline signing

2019-11-11 Thread Tony Finch
Matthew Richardson  wrote:

> What "category" should one be logging in order to get details of DNSSEC
> inline signing when running Bind 9.8.11?

I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has
been unsupported for ages.

Yes, there is not very much logging of automatic zone signing. I think that
has been improved a bit in 9.15 but I haven't looked at it in detail.

> I have an authoratitive master server with a number of domains set with:-
>
> inline-signing yes;
> auto-dnssec maintain;
>
> and have a suspicion that Bind has simply stopped re-signing most of them.

There have been some bugs in this area which were fixed in 9.13.3 and that
don't appear in the 9.11 branch - but I don't know if the fixes are
relevant to 9.11.

See changes 5015, 5014, 5004
https://gitlab.isc.org/isc-projects/bind9/blob/v9_13_3/CHANGES

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Shetland Isles: East 5 to 7, backing northeast 6 to gale 8. Moderate or rough,
becoming rough or very rough later, occasionally high in west. Rain or
showers. Moderate or good, occasionally poor.