Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-21 Thread Mark Andrews



> On 22 Jul 2020, at 08:23, @lbutlr  wrote:
> 
> On 21 Jul 2020, at 06:37, Mark Andrews  wrote:
>> On 21 Jul 2020, at 18:23, @lbutlr  wrote:
>>> 
>>> Bind is a poor choice for desktop use. Packages like unbound are much 
>>> better for that sort of use, and it is far less critical if those packages 
>>> have security issues.
>> 
>> Anything that talks to the net is critical path from a security perspective.
> 
> There are different levels of critical, and unbound is a lot further down 
> that list than bind.

I would beg to differ. From an exposure perspective they are identical. They 
both ask questions onto the network and both have to parse and process those 
answers.  They both produce similar CVSS scores, which are a much more 
objective way of analysing the need to pay attention to security issues.  BIND 
and UNBOUND both have had CVSS scores of 7.5 for packets of death.

A packet of death that does nothing else has a CVSS 3.0 score of 7.5 
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

In CVSS v3.0, a score of 0.0 receives a "None" rating; a 0.1-3.9 score gets a 
"Low" severity rating; a score of 4.0-6.9 is a "Medium" rating; a score of 
7.0-8.9 is a "High" rating; and a score of 9.0-10.0 is a "Critical" rating.

If the fault leads to a potential remote compromise you get into the 
Critical range.

> -- 
> We are born naked, wet and hungry; then it's all downhill.
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-21 Thread @lbutlr
On 21 Jul 2020, at 06:37, Mark Andrews  wrote:
> On 21 Jul 2020, at 18:23, @lbutlr  wrote:
>> 
>> Bind is a poor choice for desktop use. Packages like unbound are much better 
>> for that sort of use, and it is far less critical if those packages have 
>> security issues.
> 
> Anything that talks to the net is critical path from a security perspective.

There are different levels of critical, and unbound is a lot further down that 
list than bind.



-- 
We are born naked, wet and hungry; then it's all downhill.



Re: DNS error, from a newbee to the real experts..

2020-07-21 Thread Josh Kuo
From what you posted, it appears that when you query the recursive server NS1
(192.168.14.10), it returns no error; it gives back NXDOMAIN with the AD
flag. That would indicate DNSSEC worked. That does not match the log
messages you posted, which would indicate there's a DNSSEC validation error,
and you should have received SERVFAIL.

On Mon, Jul 20, 2020 at 11:47 PM Weeltin  wrote:

> Hi Josh,
>
> Thanks for your answer, it made me go through all the config again, just to
> make sure that it wasn't pointing to the authoritative server anywhere but
> in the configuration of the recursive server.
>
> I saw that "recursion requested but not available" when I send the query
> against the authoritative. Kind of expected that, since it ain't allowed to
> do recursion.
>
> As requested I made the dig on the authoritative server and I get the
> correct answer, so I expect it has loaded the zonefiles correctly.
>
> ns2:/home/weeltin# dig @127.0.0.01 example.home
>
> ; <<>> DiG 9.14.12 <<>> @127.0.0.01 example.home
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45487
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: b9129ece5d9fbc3e6f01a2215f15a461388d4af048be37fa (good)
> ;; QUESTION SECTION:
> ;example.home. IN A
>
> ;; AUTHORITY SECTION:
> example.home. 604800 IN SOA ns2.example.home. hostmaster.example.home. 2
> 604800 86400 2419200 604800
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jul 20 14:04:17 UTC 2020
> ;; MSG SIZE  rcvd: 120
>
>
> Just to be sure, I ran the dig command again on my client
>
> [weeltin@c1 ~]$ dig c1.example.home
>
> ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> c1.example.home
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1787
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 862cc48a975a32a324cd14e65f15ba5e3f2c972d1f753586 (good)
> ;; QUESTION SECTION:
> ;c1.example.home. IN A
>
> ;; AUTHORITY SECTION:
> . 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072000
> 1800 900 604800 86400
>
> ;; Query time: 1043 msec
> ;; SERVER: 192.168.14.10#53(192.168.14.10)
> ;; WHEN: Mon Jul 20 11:38:06 EDT 2020
> ;; MSG SIZE  rcvd: 147
>
>
> Log output from NS1 (recursive)
> 
> Jul 20 15:38:05 ns1 daemon.info named[4022]:   validating
> example.home/SOA: got insecure response; parent indicates it should be
> secure
> Jul 20 15:38:05 ns1 daemon.info named[4022]: no valid RRSIG resolving
> 'c1.example.home/DS/IN': 192.168.14.20#53
> Jul 20 15:38:06 ns1 daemon.info named[4022]: insecurity proof failed
> resolving 'c1.example.home/A/IN': 192.168.14.20#53
> 
>
> and there is no log entries on the authoritative server
>
> /Weeltin
>
> On Sun, Jul 19, 2020 at 6:05 AM Josh Kuo  wrote:
>
>> When querying your internal domain, I see the query actually ends with
>> “recursion requested but not available”, it looks like you are querying
>> directly against your auth server, so I would check the setting to ensure
>> the zone file is actually loaded correctly.
>>
>> What Mark answered is assuming you are querying the recursive which then
>> returned SERVFAIL due to DNSSEC validation, but I do not see that in the
>> information you provided.
>>
>> Can you run dig on the auth server itself, dig @ 127.0.0.1 for
>> example.home, and see what it returns?
>>
>>
>>
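A small checker that reads a dig response the way the reply above does, as an added example that is not part of the original thread. It parses the header and flags lines, classifies the response (authoritative-only server, SERVFAIL consistent with a validation failure, validated answer with AD, or unvalidated answer), and extracts the query name and upstream server from named validation-failure log lines. The two dig headers and the log lines are copied from the quoted outputs above; the SERVFAIL sample is constructed for comparison.

```python
# Added example: classify dig output and named validation log lines
# (not code from the thread).
import re

# Header/flags lines from the recursive server (NS1) output quoted above.
RECURSIVE_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1787
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 192.168.14.10#53(192.168.14.10)
"""

# Header/flags lines from the authoritative server (ns2) output quoted above.
AUTH_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45487
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# Constructed sample: what a validating resolver returns on a DNSSEC failure.
SERVFAIL_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.168.14.10#53(192.168.14.10)
"""

# named log lines from NS1 quoted above.
NAMED_LOG = """\
Jul 20 15:38:05 ns1 daemon.info named[4022]: no valid RRSIG resolving 'c1.example.home/DS/IN': 192.168.14.20#53
Jul 20 15:38:06 ns1 daemon.info named[4022]: insecurity proof failed resolving 'c1.example.home/A/IN': 192.168.14.20#53
"""


def parse_dig_header(text):
    """Pull rcode, flag set and responding server out of dig's ';;' lines."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    server = re.search(r"^;; SERVER: (\S+)", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "server": server.group(1) if server else None,
    }


def classify(text):
    """Interpret a response along the lines of the reply above."""
    h = parse_dig_header(text)
    flags = h["flags"]
    if "ra" not in flags:
        # No recursion available: this is the authoritative server, which
        # answers from its zone data and does not validate DNSSEC itself.
        return "authoritative-only server: no recursion, no validation performed here"
    if h["status"] == "SERVFAIL":
        return "SERVFAIL from resolver: consistent with a DNSSEC validation failure"
    if "ad" in flags:
        return f"{h['status']} with AD flag: resolver validated this answer"
    return f"{h['status']} without AD flag: answer not validated"


def validation_failures(log_text):
    """Return (qname, qtype, upstream) for each named validation-failure line."""
    pattern = re.compile(
        r"(?:no valid RRSIG|insecurity proof failed) resolving "
        r"'([^/']+)/([A-Z0-9]+)/IN': (\S+)"
    )
    return [m.groups() for m in pattern.finditer(log_text)]


if __name__ == "__main__":
    for name, out in (("recursive", RECURSIVE_OUTPUT),
                      ("authoritative", AUTH_OUTPUT),
                      ("servfail", SERVFAIL_OUTPUT)):
        print(f"{name}: {classify(out)}")
    for qname, qtype, upstream in validation_failures(NAMED_LOG):
        print(f"validation failure for {qname}/{qtype} via {upstream}")
```

Run against the quoted outputs, the recursive response is reported as a validated NXDOMAIN and the authoritative one as a non-recursive server, while the log parser returns the two failures for c1.example.home via 192.168.14.20#53. That is exactly the mismatch the reply points out: a validated NXDOMAIN from the resolver does not fit log lines that describe a failed insecurity proof, which would normally surface as SERVFAIL.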


Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-21 Thread Mark Andrews



> On 21 Jul 2020, at 18:23, @lbutlr  wrote:
> 
> On 20 Jul 2020, at 10:09, tale  wrote:
>> And for what it's worth, not all systems moved away from "named" to
>> "bind9".  I've been running FreeBSD for decades, and I can't remember
>> ever calling the service "bind9".
> 
> The service is always named, the package is bind. I stopped adding the 9 many 
> years ago unless I need to specify a specific version like "bind nine dot 
> eleven".
> 
> On 20 Jul 2020, at 11:45, Ted Mittelstaedt  wrote:
>> When FreeBSD was used mostly for servers it wasn't a problem. But more
>> and more people are using it for desktop use where they want to basically 
>> install it and forget about it, never run patches, never give
>> a fig about security.
> 
> Bind is a poor choice for desktop use. Packages like unbound are much better 
> for that sort of use, and it is far less critical if those packages have 
> security issues.

Anything that talks to the net is critical path from a security perspective.

> I agree that anyone using a FreeBSD install as a server should be using bind, 
> but I also agree it should not be the default install. You install bind when 
> you figure out you need it, and not before.
> 
> 
> 
> -- 
> Mickey and Mallory know the difference between right and wrong; they
>   just don't give a damn.
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-21 Thread Reindl Harald


On 20.07.20 at 19:45, Ted Mittelstaedt wrote:
> On 7/17/2020 11:35 AM, John W. Blue wrote:
>> Speaking about things to be annoyed over ..
>>
>> I am still ticked that FreeBSD dropped BIND from the distribution for
>> something called unwinding or whatever it is.
>>
> 
> I'm not happy that happened either but the simple fact is that if BIND
> would quit dropping support so fast for its older versions that never
> would have happened.  The fundamental problem was that BIND dropped
> support for its older versions before the distros dropped support for
> their distros.  This is happening with a lot of other software packages.

How does this have anything to do with the fact that there is one named in
whatever version in your distribution?

It also has nothing to do with bind9 versus bind.

It's a Debian hobby to make such things like apache2 or bind9 where the
service is just httpd and named, no number and a completely different
name than Debian is using.

> When FreeBSD was used mostly for servers it wasn't a problem.  But more
> and more people are using it for desktop use where they want to
> basically install it and forget about it, never run patches, never give
> a fig about security.  Simpler programs like Unbound have less code
> and so less things to go wrong, need less patches, and are easier to
> support for a longer period of time so they get supported for a longer
> period of time.  Also, Unbound's main purpose in life is as a caching
> dns program.  Nobody who runs a server on FreeBSD uses Unbound.

When I use a pure cache I run unbound and don't know why I wouldn't do
so on whatever OS which can run it.


Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-21 Thread @lbutlr
On 20 Jul 2020, at 10:09, tale  wrote:
> And for what it's worth, not all systems moved away from "named" to
> "bind9".  I've been running FreeBSD for decades, and I can't remember
> ever calling the service "bind9".

The service is always named, the package is bind. I stopped adding the 9 many 
years ago unless I need to specify a specific version like "bind nine dot 
eleven".

On 20 Jul 2020, at 11:45, Ted Mittelstaedt  wrote:
> When FreeBSD was used mostly for servers it wasn't a problem. But more
> and more people are using it for desktop use where they want to basically 
> install it and forget about it, never run patches, never give
> a fig about security.

Bind is a poor choice for desktop use. Packages like unbound are much better 
for that sort of use, and it is far less critical if those packages have 
security issues.

I agree that anyone using a FreeBSD install as a server should be using bind, 
but I also agree it should not be the default install. You install bind when 
you figure out you need it, and not before.



-- 
Mickey and Mallory know the difference between right and wrong; they
just don't give a damn.
