Re: managed-keys update when outgoing UDP is blocked

2020-02-24 Thread Tony Finch
Branko Mijuskovic  wrote:
>
> We have an authoritative DNS hidden master (bind-9.11.4-9) running behind
> the network where outgoing UDP traffic to unlisted IPs is blocked.
>
> We are using DNSSEC and I've noticed that we are getting following errors
> in the bind9 logfile: 'managed-keys-zone/default: Unable to fetch DNSKEY
> set '.': timed out'

I have configured my hidden primary with a `forwarders` clause pointing at
my recursive servers, which should stop it from trying to talk to the
outside world.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Irish Sea: Westerly 5 to 7, occasionally gale 8 later in south. Moderate,
becoming rough or very rough in south. Wintry showers. Good, occasionally
poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
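As an added illustration of the `forwarders` approach in the reply above (this is not configuration from either poster), here is an `options` block for an authoritative-only hidden primary whose only permitted UDP egress is to the site's own recursive resolvers. The resolver addresses 192.0.2.53 and 192.0.2.54 are placeholders; substitute the real ones. The commented-out alternative at the end applies only to a server that serves nothing but its own zones and never needs to validate anything.

```conf
options {
    directory "/var/named";
    recursion no;            // hidden primary: serves its own zones only
    allow-query { any; };    // restrict further to the public secondaries if desired

    // Assumed addresses of the site's recursive resolvers (placeholders).
    // Every query named has to make on its own behalf, including the
    // RFC 5011 managed-keys refresh of the root DNSKEY RRset, is sent here
    // instead of to the root servers, so the UDP egress filter is never hit.
    forwarders { 192.0.2.53; 192.0.2.54; };

    // "forward only": if the forwarders do not answer, fail rather than fall
    // back to iterative queries that the firewall will silently drop until
    // they time out (which is exactly the log message seen above).
    forward only;

    // Keeps the built-in root trust anchor and the managed-keys zone that
    // refreshes it; the refresh now travels through the forwarders.
    dnssec-validation auto;

    // Alternative for a purely authoritative server: with validation off,
    // named creates no managed-keys zone for the view and never fetches the
    // "." DNSKEY set at all. Use this instead of forwarders when the server
    // has no reason to validate answers.
    // dnssec-validation no;
};
```

After `rndc reload`, `rndc managed-keys refresh` forces an immediate fetch and `rndc managed-keys status` should show the "next refresh" date moving forward without the "Unable to fetch DNSKEY set '.'" timeout in the log. Note that the recursive servers must be able to return the DNSKEY RRset with its RRSIGs (they will, for a DO-bit query from named) for the anchor check to succeed.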


managed-keys update when outgoing UDP is blocked

2020-02-24 Thread Branko Mijuskovic
Hi All,

We have an authoritative DNS hidden master (bind-9.11.4-9) running behind
the network where outgoing UDP traffic to unlisted IPs is blocked.

We are using DNSSEC and I've noticed that we are getting following errors
in the bind9 logfile: 'managed-keys-zone/default: Unable to fetch DNSKEY
set '.': timed out'

My question is: does bind use 'try-tcp-refresh' when it fails to get the
keys via UDP from the root servers?

This is because our keys are regularly updated, but I'm not sure how.

# rndc managed-keys status
view: default
next scheduled event: Tue, 25 Feb 2020 19:16:47 GMT

name: .
keyid: 20326
algorithm: RSASHA256
flags: SEP
next refresh: Tue, 25 Feb 2020 19:16:47 GMT
trusted since: Mon, 03 Feb 2020 18:10:26 GMT

# dig @e.root-servers.net . dnskey +multiline

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @e.root-servers.net .
dnskey +multiline
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


# dig @e.root-servers.net . dnskey +multiline +tcp

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @e.root-servers.net .
dnskey +multiline +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22070
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65535
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 172800 IN DNSKEY 256 3 8 (
AwEAAeN+h0loXPKt7lFdW2zKIDkVHyJ1aYGUVE1dMNBl
RH3kTn40JKcHiPOs+fy0OFVCBwoKa1s9qZtdyP1UC0hg
Koldj3oELK1yLI5MUbTMcNkWbBMRuxRz/CgZJu3Ixcmu
ZWZMbn4LQDMj5YeiUiuWns5vipFGWWpyPyozQXmenSWO
K2GJOwcm7I/DyHVtVdztTvqiHqzy2aRoxwPhmEuAoYzz
uNJJw6JNEnXaN/7l2TIciskFyPVPBFZYHnk+1ma906df
ehIR190z3lh1ZESL2Yy3VIE2QGpRU6Px4ydH5sXxZ2wS
MgqNNga4kjnfM1msBqk3EI48RvTTkuV0yb1eFuU=
) ; ZSK; alg = RSASHA256 ; key id = 33853
. 172800 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; KSK; alg = RSASHA256 ; key id = 20326

;; Query time: 20 msec
;; SERVER: 192.203.230.10#53(192.203.230.10)
;; WHEN: Mon Feb 24 20:31:08 UTC 2020
;; MSG SIZE  rcvd: 578

Thanks in advance


Re: Security issues with Ubuntu bind9 11.9.3 ?

2020-02-24 Thread Leroy Tennison
If you have a specific CVE you are concerned with, enter it at 
https://people.canonical.com/~ubuntu-security/cve/.  Ubuntu does not update 
software versions in response to security patches, but this site gives the 
current status.




From: bind-users  on behalf of Noel Butler 

Sent: Sunday, February 23, 2020 7:58 PM
To: bind-users@lists.isc.org 
Subject: [EXTERNAL] Re: Security issues with Ubuntu bind9 11.9.3 ?


ISC cannot control what Ubuntu provides; you are best taking this up with 
Ubuntu on their mailing lists.


Harriscomputer

Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com




2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com


This message has been sent on behalf of a company that is part of the Harris 
Operating Group of Constellation Software Inc.

If you prefer not to be contacted by Harris Operating Group please notify 
us.



This message is intended exclusively for the individual or entity to which it 
is addressed. This communication may contain information that is proprietary, 
privileged or confidential or otherwise legally exempt from disclosure. If you 
are not the named addressee, you are not authorized to read, print, retain, 
copy or disseminate this message or any part of it. If you have received this 
message in error, please notify the sender immediately by e-mail and delete all 
copies of the message.





On 24/02/2020 02:28, Brett Delmage wrote:

But 1:9.11.3+dfsg-1ubuntu1.1 is the version that Ubuntu 18.04 LTS supports, and 
will continue to for 2 more years.

Clearly, it is earlier than 9.11.4

Has Ubuntu properly patched it for relevant security updates? Is it safe to 
run? Of course it will be missing the latest features and software defects 
(which I am exploring on a test server using a version I compiled myself).



--

Kind Regards,

Noel Butler

This Email, including attachments, may contain legally privileged information, 
therefore remains confidential and subject to copyright protected under 
international law. You may not disseminate any part of this message without the 
authors express written authority to do so. If you are not the intended 
recipient, please notify the sender then delete all copies of this message 
including attachments immediately. Confidentiality, copyright, and legal 
privilege are not waived or lost by reason of the mistaken delivery of this 
message.


Re: Advice on balancing web traffic using geoip ACLs

2020-02-24 Thread Ondřej Surý
As far as we know the bug is present in all current BIND releases. We are still 
investigating the issue, but things are looking positive thanks to Viktor 
Dukhovni's help with debugging his coredump.

Ondřej
--
Ondřej Surý — ISC

> On 24 Feb 2020, at 11:08, Jukka Pakkanen  wrote:
> 
> 
> Hi, at the download page the status of 9.16 is "Current-Stable" but it also 
> states "only for testing & evaluation, *not* recommended for production"?  
> 
> Can you confirm if the DNSSEC inline-signing problem (signing just stops 
> sometimes, affects both 9.11 and 9.14 branch) is present in this or not?  I 
> read from the docs that 9.16 had some work to inline signing done, maybe 
> works better in that regards too?
> 
> Jukka
>  
> From: bind-users  On behalf of Victoria 
> Risk
> Sent: 23 February 2020 20:35
> To: @lbutlr 
> Cc: bind-users 
> Subject: Re: Advice on balancing web traffic using geoip ACLs
>  
> …
> 9.14 has just been replaced by 9.16, released just this past week. We will 
> continue offering security releases for 9.14 for a 3-month period to support 
> migration to 9.16. Someone doing a migration today should look at 9.16 rather 
> than 9.14.
> …
>  
>  
> Victoria Risk
> Product Manager
> Internet Systems Consortium
> vi...@isc.org
>  
>  
>  
> 
>  


Re: Advice on balancing web traffic using geoip ACLs

2020-02-24 Thread Jukka Pakkanen
Hi, at the download page the status of 9.16 is "Current-Stable" but it also 
states "only for testing & evaluation, *not* recommended for production"?

Can you confirm if the DNSSEC inline-signing problem (signing just stops 
sometimes, affects both 9.11 and 9.14 branch) is present in this or not?  I 
read from the docs that 9.16 had some work to inline signing done, maybe works 
better in that regards too?

Jukka

From: bind-users  On behalf of Victoria Risk
Sent: 23 February 2020 20:35
To: @lbutlr 
Cc: bind-users 
Subject: Re: Advice on balancing web traffic using geoip ACLs

…
9.14 has just been replaced by 9.16, released just this past week. We will 
continue offering security releases for 9.14 for a 3-month period to support 
migration to 9.16. Someone doing a migration today should look at 9.16 rather 
than 9.14.
…


Victoria Risk
Product Manager
Internet Systems Consortium
vi...@isc.org



