Re: DNSSEC and forwarding

2022-04-13 Thread Mark Andrews


> On 14 Apr 2022, at 01:02, Duchscher, Dave J via bind-users 
>  wrote:
> 
> 
>> On Apr 13, 2022, at 12:00 AM, Grant Taylor via bind-users 
>>  wrote:
>> 
>> On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
>>> We are dropping this configuration and looking at doing something else.
>> 
>> I'm sorry to hear that.
>> 
>>> We have had intermittent issues with Slack, Microsoft, and a growing 
>>> list of domains. Even have one that consistently fails.
>> 
>> Are you able to share any specific details / examples so that others can 
>> see an example of what to look out for?
> 
> Sure.
> 
> Just to be clear, the setup looks like this:
> 
>  Internal DNS --> DMZ DNS Cache -> World
> 
> Internal DNS is forward only.  Only internal DNS allowed on the DNS
> cache systems.  DNSSEC validation can be enabled or disabled on the
> cache systems since named always sets the check disabled flag when
> forwarding. This also means that you can't forward to an upstream
> DNS system and have it do the DNSSEC validation. Wish there was a
> way to turn this off or if it would only set the check disabled
> flag when DNSSEC validation is enabled.
> 
> Failure mode is that everything looks to work and then a domain
> will stop resolving.  Sometimes we get timeouts, sometimes SERVFAIL,
> and other times NXDOMAIN.
> 
> On a test setup with fresh restart, these domains always fail.
> 
>cybr.club

This at least, in part, is because cybr.club returns a CNAME for
cybr.club/DS.  A DS and a CNAME should not both exist at the top of a zone.

% dig cybr.club ds @dns2.registrar-servers.com

; <<>> DiG 9.17.22 <<>> cybr.club ds @dns2.registrar-servers.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10964
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cybr.club. IN  DS

;; ANSWER SECTION:
cybr.club.  1799IN  CNAME   d2vd625ao8btyl.cloudfront.net.

;; Query time: 27 msec
;; SERVER: 156.154.133.200#53(dns2.registrar-servers.com) (UDP)
;; WHEN: Thu Apr 14 12:59:10 AEST 2022
;; MSG SIZE  rcvd: 81

%

Part also because named doesn’t retry on validation failure with CD=0 and
we haven’t done enough real life testing involving forwarders.

Returning CNAME to a DS query is fine except when the QNAME is the apex of
a zone which makes detecting this sort of breakage hard.

The simplest fix is to not send CD=1 queries unless the client requests it.

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index c8724f68ba..6b7a95178b 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -2433,29 +2433,12 @@ resquery_send(resquery_t *query) {
}
 
/*
-* Set CD if the client says not to validate, or if the
-* question is under a secure entry point and this is a
-* recursive/forward query -- unless the client said not to.
+* Set CD if the client says not to validate.
 */
if ((query->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
/* Do nothing */
} else if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-   } else if (res->view->enablevalidation &&
-  ((fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0))
-   {
-   bool checknta = ((query->options & DNS_FETCHOPT_NONTA) == 0);
-   bool ntacovered = false;
-   result = issecuredomain(res->view, fctx->name, fctx->type,
-   isc_time_seconds(>start),
-   checknta, , _domain);
-   if (result != ISC_R_SUCCESS) {
-   secure_domain = false;
-   }
-   if (secure_domain ||
-   (ISFORWARDER(query->addrinfo) && ntacovered)) {
-   fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-   }
}
 
/*
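Review bot: deleting the `ISFORWARDER(query->addrinfo) && ntacovered` branch also drops the one case where a local negative trust anchor was honoured behind a validating forwarder: before this hunk a name covered by an NTA was fetched from the forwarder with CD=1 so the forwarder's own validation failure could not block it; after it the forwarder sees CD=0, answers SERVFAIL, and the local NTA never gets a chance to apply. If that trade-off is intended, say so in the commit message and in the ARM text on forwarders, or keep `fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;` for the NTA-covered forwarder case only. Separately, `result` and `secure_domain` are assigned only in the deleted lines and are declared outside this hunk; check they are still used elsewhere in resquery_send(), otherwise this will trip unused-variable warnings.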

Note just saying something is broken without giving details actually makes it
next to impossible to diagnose what is going wrong.  This email was the first
message where you specified failing names.

>am-explorer.com
>simutext.com
>simutext2.com
> 
> These domains fail randomly and we have not been able to produce
> the failure.
> 
>a.slack-edge.com
>portal.azure.com
>rex-sftp.bncollege.com
> 
> There is also our teams and sharepoint domains but rather not put
> them here.
> 
> I hope this helps. Needless to say, it has been a frustrating
> situation.
> --
> Dave
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ 

Re: Question about missing bind.keys

2022-04-13 Thread Evan Hunt
On Tue, Apr 12, 2022 at 09:37:22PM -0400, J Doe wrote:
> Apologies for my late reply.  Thank you so much for the detailed 
> explanation of: dnssec-validation auto and what happens when: bind.keys 
> doesn't exist.
> 
> With this setting in place in my: named.conf I then restarted BIND, gave 
> it a second to pull the trust information and then used: delv to test 
> verification.
> 
> The first test for unverified/unsigned was:
> 
>   $ delv google.com
>   ; unsigned answer
>   . . .
> 
> ... and the second test for verified/signed was:
> 
>   $ delv ietf.org
>   ; fully validated
>   . . .
> 
> ... which wouldn't have worked if: dnssec-validation auto failed in 
> getting the same information as: bind.keys

"delv" isn't actually the right tool for this job - it does its own
internal validation, regardless of whether the name server it's querying
is doing validation correctly or not.

Instead, use "dig" to query your name server and look for the "ad" bit
(Authenticated Data) in the response:

$ dig @localhost unsigned.com | grep flags
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

$ dig @localhost ietf.org | grep flags
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
   ^^

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
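The two checks discussed in this thread, Mark Andrews' "CNAME returned for a DS query at the apex" diagnosis for cybr.club and Evan Hunt's "look for the ad bit with dig" test, both come down to reading DNS header flags and the answer section off the wire. The block below is an added example, not code from the thread, from BIND or from ISC: a minimal DNS wire-format builder and parser that sets or clears the CD bit on a query, reports AD/CD/AA/RCODE on a response, and flags the apex-CNAME-for-DS case. Every response in it is constructed bytes (the cybr.club one is rebuilt from the dig output quoted above; the 192.0.2.1 A record for ietf.org is made up), not captured traffic.

```python
"""Minimal DNS wire-format helpers (added example; not code from the thread,
BIND or ISC).  Builds a query with or without the CD (Checking Disabled) bit,
parses header flags and the answer section of a response, and flags the
"CNAME returned for DS at the apex" breakage diagnosed above.
All responses here are constructed bytes, not captured traffic."""
import struct

# Header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2)
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010
TYPE_A, TYPE_CNAME, TYPE_DS = 1, 5, 43

def encode_name(name):
    """Dotted name -> wire labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def decode_name(msg, offset):
    """Wire name at offset (compression pointers allowed) -> (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            offset, jumped = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF, True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def build_query(qname, qtype, txid=0x1234, cd=False):
    """A stub-style query: RD set, CD set only when the caller asks for it.
    CD=1 is the knob the thread is about: it tells the upstream not to
    validate, so its AD bit can never be relied on for this answer."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))

def build_response(query, flags, answers):
    """Constructed response: echo the question, append (name, type, ttl, rdata)."""
    txid = struct.unpack("!H", query[:2])[0]
    head = struct.pack("!HHHHHH", txid, FLAG_QR | flags, 1, len(answers), 0, 0)
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                    for n, t, ttl, rd in answers)
    return head + query[12:] + body

def parse_response(msg):
    """Header flags plus question and answer sections as Python values."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, question, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype = struct.unpack("!H", msg[offset:offset + 2])[0]
        offset += 4                                    # qtype + qclass
        question.append((name, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = decode_name(msg, offset)[0] if rtype == TYPE_CNAME else msg[offset:offset + rdlen]
        offset += rdlen
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & FLAG_AA),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "question": question, "answers": answers}

def validated(resp):
    """What the dig check above looks for: NOERROR with the AD bit set."""
    return resp["rcode"] == 0 and resp["ad"]

def check_ds_response(resp):
    """Diagnose a DS answer.  A CNAME owned by the DS qname itself means the
    child zone has a CNAME at its apex, the cybr.club case: a DS and a CNAME
    cannot both exist at the top of a zone."""
    qname, qtype = resp["question"][0]
    if qtype != TYPE_DS:
        return "not a DS query"
    for name, rtype, _ttl, target in resp["answers"]:
        if rtype == TYPE_CNAME and name == qname:
            return "broken: CNAME at apex %s returned for DS (-> %s)" % (qname, target)
    return "ok"

def demo_cybr_club():
    """Rebuild the dig output above as bytes: flags aa rd, NOERROR, one CNAME."""
    q = build_query("cybr.club", TYPE_DS)
    resp = build_response(q, FLAG_AA | FLAG_RD,
                          [("cybr.club", TYPE_CNAME, 1799,
                            encode_name("d2vd625ao8btyl.cloudfront.net"))])
    parsed = parse_response(resp)
    return parsed, check_ds_response(parsed)

if __name__ == "__main__":
    parsed, verdict = demo_cybr_club()
    print("aa=%s ad=%s cd=%s rcode=%d" % (parsed["aa"], parsed["ad"], parsed["cd"], parsed["rcode"]))
    print(verdict)
```

Run it and the cybr.club reconstruction reports aa set, ad clear, NOERROR and the apex CNAME verdict; point `build_query(..., cd=True)` at a real resolver with a UDP socket and you can watch for yourself whether the upstream ever sets AD on a CD=1 query.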


Re: DNSSEC and forwarding

2022-04-13 Thread Benny Pedersen

On 2022-04-13 17:08, Nicholas Miller wrote:

I believe this is the option you are looking for:

validate-except { domain.example; };


rndc nta domain.example

remember to define nta ttl in named.conf


Re: DNSSEC and forwarding

2022-04-13 Thread Duchscher, Dave J via bind-users
On Apr 13, 2022, at 10:08 AM, Nicholas Miller  
wrote:
> 
> I believe this is the option you are looking for:
> 
>   validate-except { domain.example; };

Thanks but that doesn't fix our problem. We use it to fix the
problematic domains for now but that is a temporary solution. There
is always another domain that crops up and will need to be exempted.

The option I was looking for, which doesn't seem to exist is turning
off named setting the check disable flag when forwarding to another
system. With that ability, we could have moved DNSSEC validation
to the cache systems.

--
Dave

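The configuration the thread is circling around, written out as an added example (not configuration from the thread, from Dave's site or from ISC): the two-tier "Internal DNS --> DMZ DNS Cache -> World" layout, with the internal resolver validating for itself and the two escape hatches mentioned in the thread, `validate-except` and `rndc nta`. The two named.conf files are shown together; the addresses (192.0.2.0/24 for the internal resolvers, 198.51.100.53 for the DMZ cache) are assumptions, and cybr.club appears only because the thread names it as the consistently failing zone.

```conf
// named.conf on the DMZ cache: the only resolver allowed to reach the world
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // the internal resolvers only
    dnssec-validation auto;              // validates, but see the caveat below
};

// named.conf on an internal resolver: forward only, never recurses itself
options {
    recursion yes;
    forward only;
    forwarders { 198.51.100.53; };       // the DMZ cache
    // With validation enabled here, the resolver code quoted by Mark Andrews
    // sends the forwarded query with CD=1 for names under a trust anchor, so
    // the cache's validation is not what protects this server's clients:
    // this server validates the answers itself.
    dnssec-validation auto;
    // Permanent per-zone exemption for a zone known to be broken; stays in
    // force until removed from the config and the server reconfigured.
    validate-except { cybr.club; };
    // Lifetime and re-check interval of negative trust anchors added at
    // runtime with "rndc nta <name>" (what Benny calls the nta ttl).
    nta-lifetime 1h;
    nta-recheck 5m;
};
```

`rndc nta cybr.club` on the validating server adds the exemption immediately and drops it after `nta-lifetime`, which is the right tool when a zone breaks during the day; `validate-except` needs a reconfig and never expires, which is why it turns into the ever-growing list Dave describes. Neither fixes the broken zone, and an NTA is a deliberate decision to accept unvalidated data for that name, so log and review every one you add.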


Re: DNSSEC and forwarding

2022-04-13 Thread Nicholas Miller
I believe this is the option you are looking for:

validate-except { domain.example; };

_
Nicholas Miller, OIT, University of Colorado at Boulder

> On Apr 13, 2022, at 9:02 AM, Duchscher, Dave J via bind-users 
>  wrote:
> 
> 
>> On Apr 13, 2022, at 12:00 AM, Grant Taylor via bind-users 
>>  wrote:
>> 
>> On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
>>> We are dropping this configuration and looking at doing something else.
>> 
>> I'm sorry to hear that.
>> 
>>> We have had intermittent issues with Slack, Microsoft, and a growing 
>>> list of domains. Even have one that consistently fails.
>> 
>> Are you able to share any specific details / examples so that others can 
>> see an example of what to look out for?
> 
> Sure.
> 
> Just to be clear, the setup looks like this:
> 
>  Internal DNS --> DMZ DNS Cache -> World
> 
> Internal DNS is forward only.  Only internal DNS allowed on the DNS
> cache systems.  DNSSEC validation can be enabled or disabled on the
> cache systems since named always sets the check disabled flag when
> forwarding. This also means that you can't forward to an upstream
> DNS system and have it do the DNSSEC validation. Wish there was a
> way to turn this off or if it would only set the check disabled
> flag when DNSSEC validation is enabled.
> 
> Failure mode is that everything looks to work and then a domain
> will stop resolving.  Sometimes we get timeouts, sometimes SERVFAIL,
> and other times NXDOMAIN.
> 
> On a test setup with fresh restart, these domains always fail.
> 
>cybr.club
>am-explorer.com
>simutext.com
>simutext2.com
> 
> These domains fail randomly and we have not been able to produce
> the failure.
> 
>a.slack-edge.com
>portal.azure.com
>rex-sftp.bncollege.com
> 
> There is also our teams and sharepoint domains but rather not put
> them here.
> 
> I hope this helps. Needless to say, it has been a frustrating
> situation.
> --
> Dave
> 



Re: DNSSEC and forwarding

2022-04-13 Thread Duchscher, Dave J via bind-users


> On Apr 13, 2022, at 12:00 AM, Grant Taylor via bind-users 
>  wrote:
> 
> On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
> > We are dropping this configuration and looking at doing something else.
> 
> I'm sorry to hear that.
> 
> > We have had intermittent issues with Slack, Microsoft, and a growing 
> > list of domains. Even have one that consistently fails.
> 
> Are you able to share any specific details / examples so that others can 
> see an example of what to look out for?

Sure.

Just to be clear, the setup looks like this:

  Internal DNS --> DMZ DNS Cache -> World

Internal DNS is forward only.  Only internal DNS allowed on the DNS
cache systems.  DNSSEC validation can be enabled or disabled on the
cache systems since named always sets the check disabled flag when
forwarding. This also means that you can't forward to an upstream
DNS system and have it do the DNSSEC validation. Wish there was a
way to turn this off or if it would only set the check disabled
flag when DNSSEC validation is enabled.

Failure mode is that everything looks to work and then a domain
will stop resolving.  Sometimes we get timeouts, sometimes SERVFAIL,
and other times NXDOMAIN.

On a test setup with fresh restart, these domains always fail.

cybr.club
am-explorer.com
simutext.com
simutext2.com

These domains fail randomly and we have not been able to produce
the failure.

a.slack-edge.com
portal.azure.com
rex-sftp.bncollege.com

There is also our teams and sharepoint domains but rather not put
them here.

I hope this helps. Needless to say, it has been a frustrating
situation.
--
Dave



Re: Supporting LOC RR's

2022-04-13 Thread Bjørn Mork
Timothe Litt  writes:

> Anyhow, it's not clear exactly what problem you're asking LOC (or
> anything) to solve.

Which problems do LOC solve?

I remember adding LOC records for fun?() in the previous millennium when
RFC 1876 was fresh out of the press.  But even back then paranoia
finally took over, and I deleted all of them.

Don't think I ever found anything to actually use them for.


Bjørn


Re: all resource record types and examples

2022-04-13 Thread Klaus Darilion via bind-users
As I have such a zone I will paste it here. But for sure it is not complete as 
it was created some time ago.
regards
Klaus


$ cat types.test
$TTL 60 ; 1 minute
@   IN SOA  sec1.rcode0.net. rcodezero.ipcom.at. (
36   ; serial
1200   ; refresh (20 minutes)
3600   ; retry (1 hour)
604800 ; expire (1 week)
60 ; minimum (1 minute)
)

@   NS  ns3.example.com.

A       IN  A       127.0.0.1
AAAA    IN  AAAA    2000::1
AFSDB   IN  AFSDB   1 afs.example.com.
ALIAS   IN  TYPE65401 \# 12 0377036E696302617400
CAA     IN  CAA     128 issue "letsencrypt.org"
CDNSKEY IN  CDNSKEY 256 3 8 AwEAAff+pyxoKgbxjywWKXe+sUkoygZpVvZubhpNCHVf727CwezWaXOMGg62Lz+ijAi2u7MNRN+LJtaleewNMAGJ+fx6GTn3pSgZjyI+J+YdWD+8dORyuag1rQ+04i/LjJpEtO/PNOoD7Pz1FQlLxzx36Vd/nSQSZbEZiLXCf3LDsjKTwWhRLnt85VOKcFylplFAhUoLRkQpOD/A3eZR7lL6Z5RijN+ii+DtPorzFbFmd0de/VPTwEK6l1f8FsfONBzzTQ==
CDS     IN  CDS     49189 5 1 97d6d9dd5afa5ebe258e2c3631fed338ca613f9d
CERT    IN  CERT    6 0 0 FGOzZ3SxhaY/J5YoupAK6P7+u74waHR0cDovL3BrYS5rbGVlbi5jaC9nbnVwZy5hc2M=
CNAME   IN  CNAME   cname.example.com.
DNAME   IN  DNAME   dname.example.com.
DNSKEY  IN  DNSKEY  256 3 8 AwEAAff+pyxoKgbxjywWKXe+sUkoygZpVvZubhpNCHVf727CwezWaXOMGg62Lz+ijAi2u7MNRN+LJtaleewNMAGJ+fx6GTn3pSgZjyI+J+YdWD+8dORyuag1rQ+04i/LjJpEtO/PNOoD7Pz1FQlLxzx36Vd/nSQSZbEZiLXCf3LDsjKTwWhRLnt85VOKcFylplFAhUoLRkQpOD/A3eZR7lL6Z5RijN+ii+DtPorzFbFmd0de/VPTwEK6l1f8FsfONBzzTQ==
DS      IN  DS      49189 5 1 97d6d9dd5afa5ebe258e2c3631fed338ca613f9d
HINFO   IN  HINFO   PC-Intel-700mhz "Redhat Linux 7.1"
LOC     IN  LOC     48 11 6.400 N 16 20 0.200 E 190.00m 1.00m 100.00m 10.00m
MB      IN  MB      mb.example.com.
MX      IN  MX      10 mail.example.com.
NAPTR   IN  NAPTR   0 0 "S" "SIP+D2U" "" _sip._udp.videogw.example.net.
NAPTR   IN  NAPTR   1 0 "S" "SIP+D2U" "" _sip._tcp.videogw.example.net.
NS      IN  NS      ns1.example.com.
NS      IN  NS      ns2.example.com.
OPENPGPKEY IN OPENPGPKEY mQGiBEyXadoRBADTUoaVczNG3ras9/nqhHVduWDjxi0wbhMfRpciB2NK9T5YVVPqLPDtRCpso07a
PTR     IN  PTR     ptr.example.com.
RP      IN  RP      serveradmin.example.at. serveradmin.example.at.
SMIMEA  IN  SMIMEA  0 0 1 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971
; SPF once had its own record type, but per the RFC only TXT should be used
SPF     IN  SPF     "v=spf1 mx -all"
SPF     IN  TXT     "v=spf1 mx -all"
SRV     IN  SRV     0 0 5060 vgw1.a1.net.
SSHFP   IN  SSHFP   4 1 8915504c4136d16f6c9c81d15e295b66089fa4e2
TLSA    IN  TLSA    3 1 1 0eb9e66d24d72f85db53a982af5befa1e6043565b5792ba8cde2ae17c9b8d92e
TXT     IN  TXT     ganzkurz
TXT     IN  TXT     "das ist ein kurzer Text"
TXT     IN  TXT     "dieser TXT record ist genau 255 zeichen lang 567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 12345"
;TXT    IN  TXT     "das ist ein langer, sehr sehr sehr langer Text 50" "das ist ein langer, sehr sehr sehr langer Text 50" "das ist ein langer, sehr sehr sehr langer Text 50" "das ist ein langer, sehr sehr sehr langer Text 50" "das ist ein langer, sehr sehr sehr langer Text 50" "das ist ein langer, sehr sehr sehr langer Text300"
URI     IN  URI     10 1 "ftp://ftp1.example.com/public"
WKS     IN  WKS     1.1.1.1 TCP ( smtp discard rpc )



From: bind-users  On behalf of rams
Sent: Tuesday, 12 April 2022 14:43
To: bind-users 
Subject: all resource record types and examples

Hi,
Greetings ...
Could someone please share all supported DNS RRs and examples of each RR.

Regards,
Ramesh
