Re: parental-agents clause - IP address only ?

2022-12-04 Thread Nick Tait via bind-users

On 5/12/22 15:34, vom513 wrote:

Hello all,

So I set up parental-agents lists for my zones, and actually got to see it work 
(awesome !).  bind detected the parent DS records and acted accordingly.

However, I currently have these lists configured using the IP (v4 only at the 
moment) addresses of the parent NS’es.  I tried inputting hostnames, and I got 
errors (i.e. syntax) every time.

I would prefer to put these in as hostnames.  While at a certain level in the 
tree these don’t change very often, they can and do.  I’d rather not have to 
keep track of these in this manner.

So my question - am I just mangling the syntax - or does this clause really 
only support IPs ?  I was thinking if so - perhaps the reason is some chicken 
vs. egg / security reason ?  I.e. not trusting the name (which would have to be 
itself resolved) ?

Thanks in advance for clue++
Although I haven't personally set up parental-agents (yet), I noticed an 
interesting remark in section 8.2.26.1 of the documentation 
(https://bind9.readthedocs.io/en/v9_18_8/reference.html#automated-ksk-rollovers) 
- NB: italics added for emphasis:

Note

The DS response is not validated so it is recommended to set up a
trust relationship with the parental agent. For example, use TSIG
to authenticate the parental agent, /or point to a validating
resolver/.

So you might consider pointing your parental-agents at (an IP address 
of) your local resolver(s), instead of the parent NSs?

However the obvious drawback of this approach would seem to be that the 
resolver will only check one of the parent NSs for the DS record, 
whereas if you explicitly specify all the NSs in parental-agents, then 
they all get checked?

Nick.
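A named.conf fragment, added here as an illustration and not taken from the thread or from ISC, of the TSIG-authenticated parental agent the documentation note describes: the parent's name servers are listed by address with a key attached, and the zone refers to that list. The key name, secret, addresses and zone name are placeholders; the secret must be generated (for example with tsig-keygen) and provisioned on the parent's servers as well, which is the trust relationship the note asks for.

```conf
// Shared secret, also configured on the parent's name servers.
// Placeholder only: replace with a generated base64 secret.
key "parent-ds-check" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-GENERATED-SECRET==";
};

// Parent NS addresses (placeholders). The key restricts the DS query
// to a server that knows the secret, since the DS response itself is
// not DNSSEC-validated by named.
parental-agents "example-net-parents" {
    192.0.2.53   key "parent-ds-check";
    2001:db8::53 key "parent-ds-check";
};

// Alternative from the note: a local validating resolver instead of the
// parent NSs. Only one server is consulted for the DS record in this case.
// parental-agents "example-net-parents" {
//     127.0.0.1;
// };

zone "example.net" {
    type primary;
    file "example.net.db";
    dnssec-policy "default";
    parental-agents { "example-net-parents"; };
};
```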
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


TIL: Restricting DiG to UDP only with +ignore

2022-12-04 Thread Fred Morris
If the UDP query returns TC=1 DiG retries with TCP. I want to see the
UDP results and am unable to. Specifying +notcp makes no difference. The
correct option is +ignore:

# dig @127.0.0.1 'web_client\;*\;athena\;*.keys.redis.sophia.m3047' txt 
+notcp | tail
web_client\;*\;athena\;*.keys.redis.sophia.m3047. 30 IN TXT 
"web_client;194.55.186.216,404;athena;1670154435"
web_client\;*\;athena\;*.keys.redis.sophia.m3047. 30 IN TXT 
"web_client;43.134.92.151,400;athena;1670132664"
web_client\;*\;athena\;*.keys.redis.sophia.m3047. 30 IN TXT 
"web_client;35.162.155.28,200;athena;1670132664"
web_client\;*\;athena\;*.keys.redis.sophia.m3047. 30 IN TXT 
"web_client;159.89.118.246,200;athena;1670132664"

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Sun Dec 04 18:42:19 PST 2022
;; MSG SIZE  rcvd: 7500

# dig @127.0.0.1 'web_client\;*\;athena\;*.keys.redis.sophia.m3047' txt 
+ignore | tail
web_client\;*\;athena\;*.keys.redis.sophia.m3047. 30 IN TXT 
"web_client;80.94.92.40,200;athena;1670111034"
web_client\;*\;athena\;*.keys.redis.sophia.m3047. 30 IN TXT 
"web_client;161.35.213.88,200;athena;1670154435"
web_client\;*\;athena\;*.keys.redis.sophia.m3047. 30 IN TXT 
"web_client;103.10.62.92,404;athena;1670176114"
web_client\;*\;athena\;*.keys.redis.sophia.m3047. 30 IN TXT 
"web_client;54.185.160.223,200;athena;1670154435"

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Dec 04 18:42:26 PST 2022
;; MSG SIZE  rcvd: 1193

The "tell" is that on the footer SERVER line it reports the protocol.
Note that in the first case it's TCP, even though +notcp was specified.
(The MSG SIZE is also a clue.)

Searching the intertubes wasn't much help. When I tried to search the
list archives I got a Gateway Timeout. :-( Anyway, it's been a minor
personal annoyance for a while; hopefully this helps somebody else with
a problem they didn't know they had.

--

Fred Morris, internet plumber
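An added example, not code from the post above, of the mechanism behind +ignore: a UDP-only DNS query whose caller inspects the TC bit in the response header itself and decides whether to keep the truncated UDP answer (what +ignore does) or retry over TCP (dig's default). The name builder assumes plain dot-separated labels, so names with escaped characters like the one in the post would need a real label parser; the two response headers at the bottom are constructed for offline use.

```python
import socket
import struct

TC = 0x0200  # truncated-response flag, bit 9 of the DNS header flags word


def build_query(name, qtype=16, qid=0x1234):
    """Encode a one-question DNS query (qtype 16 = TXT) with RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")  # assumption: no escaped dots
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; only the fields needed here are returned."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "ancount": an}


def classify(msg, ignore_tc):
    """dig's choice: +ignore keeps a TC=1 UDP answer, default retries over TCP."""
    h = parse_header(msg)
    if not h["tc"]:
        return "complete-udp"
    return "truncated-udp" if ignore_tc else "retry-tcp"


def udp_query(server, name, qtype=16, timeout=2.0):
    """Send one UDP query and return the raw reply; never falls back to TCP."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(65535)
    if parse_header(resp)["id"] != parse_header(q)["id"]:
        raise ValueError("response ID does not match query")
    return resp


# Constructed headers: QR+RD+RA with TC set (0x8380) and without (0x8180).
TRUNCATED_RESP = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 4, 0, 0)
COMPLETE_RESP = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0)

if __name__ == "__main__":
    print(classify(TRUNCATED_RESP, ignore_tc=False))  # retry-tcp
    print(classify(TRUNCATED_RESP, ignore_tc=True))   # truncated-udp
```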




parental-agents clause - IP address only ?

2022-12-04 Thread vom513
Hello all,

So I set up parental-agents lists for my zones, and actually got to see it work 
(awesome !).  bind detected the parent DS records and acted accordingly.

However, I currently have these lists configured using the IP (v4 only at the 
moment) addresses of the parent NS’es.  I tried inputting hostnames, and I got 
errors (i.e. syntax) every time.

I would prefer to put these in as hostnames.  While at a certain level in the 
tree these don’t change very often, they can and do.  I’d rather not have to 
keep track of these in this manner.

So my question - am I just mangling the syntax - or does this clause really 
only support IPs ?  I was thinking if so - perhaps the reason is some chicken 
vs. egg / security reason ?  I.e. not trusting the name (which would have to be 
itself resolved) ?

Thanks in advance for clue++