from:"Brian J. Murrell"

Re: HTTP API for bind

2023-05-26 Thread Brian J. Murrell

On Fri, 2023-05-26 at 16:51 +0530, Shailendra Gautam wrote:
> Does bind provide any way to manage(add,update,delete) resource
> records
> with HTTP API, like powerdns?

Not TTBOMK.  It does have an API for managing RRs but that is using RFC
2136 and not HTTP.

> I currently use zonefiles to store DNS data
> and have been planning to switch to an API to add/remove records. Is
> there
> any way to do that with bind?

Sounds like you want a tool which has an HTTP API and can translate
those calls into the RFC 2136 update protocol.

Or you could just use the RFC 2136 update protocol directly.

Or you could use CLI tools supplied with BIND even, such as "nsupdate"
that can do updates.

If you really want an HTTP API, I guess you could start doing searches
for "RFC2136 HTTP" and see if anyone has implemented such a thing.

Maybe https://github.com/frillip/noip-rfc2136 does what you want.

Perhaps there are others.  I will leave that search as an exercise for
the reader.

Or you could even write your own.  I have a faint recollection of
writing such a thing as a CGI script in the past.  It should not be
terribly difficult.  Yeah.  I found it:

#!/bin/bash

key_name="put your key name here"

args_string=${REQUEST_URI##*\?}
eval "${args_string//\&/ }"

# undo url encoding
pass=${pass//\%2F/\/}
pass=${pass//\%3D/=}

cat &2

rm -f /tmp/kfile.*

echo "Content-type: text/html

good $REMOTE_ADDR"

But most likely you will want to use that GitHub project I pointed out
above rather than my Q hack above.  Above is just to illustrate how
basic and simple it could be.

Cheers,
b.

signature.asc
Description: This is a digitally signed message part
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

filter queries for A records from some clients

2022-03-10 Thread Brian J. Murrell

I am trying to do some testing of an IPv6-only network here using some
nat64 to reach the "legacy" :-) IPv4 Internet.  My network is currently
dual-stack.

I have dns64 query mapping working, but I am still seeing some clients
that I am trying to test with (that still have IPv4 addresses until the
test proves successful) using IPv4 to the Internet.  I can only surmise
that this is a case where the client did a happy-eyeballs query for
both A and  records and got an A record back first.

To that effort, I want to try filtering out A record queries (or
responses) from those clients so that they only get the  results
back whether those are real IPv6 addresses or dns64 mapped addresses.

Is there any way to filter A queries or replies to achieve this goal?

I am noticing the .rpz-ip trigger, but being pretty green at RPZ policy
writing, it's not clear to me if that can be used to filter just A
records.

Cheers,
b.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: copy EDNS options to resolver response

2022-02-19 Thread Brian J. Murrell

On Sun, 2022-02-20 at 08:16 +1100, Mark Andrews wrote:
> 
> EDNS is hop by hop. There is no copying by any compliant server. 

Fair enough.  I thought it was a long shot.

Cheers,
b.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: copy EDNS options to resolver response

2022-02-19 Thread Brian J. Murrell

On Sat, 2022-02-19 at 19:02 +0100, Matus UHLAR - fantomas wrote:
> 
> what's the point of this setup?
> BIND can resolve by itself perfectly and you wouldn't rely on 3rd
> party 
> service

Except that it cannot do EDE, as I already said in my original message.

Cheers,
b.

signature.asc
Description: This is a digitally signed message part
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

copy EDNS options to resolver response

2022-02-19 Thread Brian J. Murrell

I have a BIND9 server configured as a resolver for the local network to
forward all requests to 1.1.1.1.  Given that that 1.1.1.1 includes
(RFC8914) EDE EDNS options in it's responses, can I configure the BIND
resolver to forward those EDNS options in it's response to the client?

While I know BIND9 doesn't yet do EDE itself, I am hoping for an option
in BIND to just blindly copy whatever EDNS options it receives to it's
client.

Cheers,
b.



signature.asc
Description: This is a digitally signed message part
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

"overlay" views

2020-01-20 Thread Brian J. Murrell

I'm really not sure about what the name of this feature I am going to
describe would be.  I would probably call it an "overlay view".  But I
am sure there are better names.

Imagine I have a BIND 9 server for the following network topology:


Network 1
192.168.1.0/24   
-|.254  |
 |   Router |
Network 2|  |
192.168.2.0/24   |  |
-|.254  |
 |  |
Network 3|  |
192.168.3.0/24   |  |
-|.254  |
 

There are a few dozen hosts/services on Network 3 which hosts from
Network 1 and Network 2 need to resolve names of.  All pretty
straightforward.

But the hosts on Network 1 and Network 2 need to resolve the same name
(let's call it "gateway") to the address of their interface on Router. 
So that is, hosts on Network 1 want a query of "gateway." to resolve to
192.168.1.254 and hosts on Network 2 want a query of "gateway." to
resolve to  192.168.2.254.

So this is currently all achievable through "views" in BIND 9, but
requires that the zone data for each view be 98% duplicate (Network 3
resources) and continually copy-n-paste updated whenever names on
Network 3 are added.

What I am looking for is a way to save the duplicate copying of Network
3 resources to the views for Network 1 and Network 2.  This is where
the term "overlay" comes in.  What I'd like to do is reference a single
copy of data from Network 3 in Network 1 and 2's views but "overlay"
some view-specific resources on top of that, namely the "gateway."
name, with it's per-view specific value.

Thoughts?

b.



signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-25 Thread Brian J. Murrell

On Wed, 2018-01-17 at 10:45 -0500, Brian J. Murrell wrote:
> I have a BIND (9.9.4)[1] server that runs well most of the time, but
> periodically it will start returning SERVFAIL for very high-level
> domains such as *.google.com, *.gstatic.com, *.github.com, etc.  It
> seems to happen most frequently with Google domains, but I wonder if
> that is just a reflection on the percentage of queries I have for
> those
> here.

The culprit here is the DDNS processing.  Once I moved the DDNS
processing (that is coming from the DHCP server) off onto a separate
server the problem server stopped having SERVFAIL for names that it
should just not happen for, like www.google.com.

So, now I just have to chase down why DDNS is causing this.

This BIND server is from the FreeIPA project so it's an LDAP-backed
BIND so perhaps (probably?) that has something to do with it.  I will
take it up with the FreeIPA folks since it's their build of BIND that
is causing the problems.

Much much thanks for the help and patience here while I got to the root
cause.

Cheers,
b.

signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Brian J. Murrell

On Tue, 2018-01-23 at 09:53 -0700, Grant Taylor via bind-users wrote:
> 
> Could you try disabling DDNS updates for a little while?

That's effectively what I have done.

I set up a second server configuration running new zone on a different
IP address and pointed the DHCP server at it so that the DHCP server is
no longer sending DDNS updates to the server that is having these
intermittent outages.

I've set up CNAME pointers from the main server to the new server for
the names (of DHCP clients) that need to be resolvable as well as for a
reverse zone on the new server.

> Maybe you'll 
> get lucky (for a given value of luck) and find that the problem 
> continues happening even with DDNS updates disabled.  Thus you will
> have 
> a reasonable idea that the issue is not related to DDNS updates.

Exactly my goal.  I'm fairly sure that the problem is going to stop
happening now that the server is no longer processing DDNS updates.

Unfortunately it's impractical to run like this for the long term as
any DHCP client that comes into the network ought to be able to be
resolvable by it's name in the main zone, but that would require CNAMEs
for any and every possible name that could show up in a DHCP client.

Cheers,
b.

signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Brian J. Murrell

On Tue, 2018-01-23 at 13:38 +0100, Reindl Harald wrote:
> 
> pretty sure it's possible and likely not much different than the 
> unbound-sample below which asks a rbldnsd on port 1043 on the same
> machine
> 
> stub-zone:
>   name: "zone-name."
>   stub-addr: 127.0.0.1@1053

This all falls apart because you cannot instruct the ISC DHCP server to
send DDNS updates to a non-standard (!53) port.  :-(

I seem to have no choice but to run the isolated server on a different
IP address and then have to start managing the listen-on directive in
the main server to list all addresses other than the isolated server's
address.  :-(

Cheers,
b.

signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Brian J. Murrell

On Tue, 2018-01-23 at 13:38 +0100, Reindl Harald wrote:
> 
> pretty sure it's possible and likely not much different than the 
> unbound-sample below which asks a rbldnsd on port 1043 on the same
> machine
> 
> stub-zone:
>   name: "zone-name."
>   stub-addr: 127.0.0.1@1053

That's the sort of path I was going to take with a forward zone in the
main server to my DHCP-DDNS-isolation server, but in the new zone I
create on the isolation server I have to list NS(es) for the new zone
and while those will be on the (IP address of the) main server they
will be on a different port.

Of course anything doing an NS query for that new zone on that server
will just get an IP address for the NS and not the port also.  Maybe in
such an isolated environment that doesn't matter since the only thing
doing an queries to that isolated server on the alternate port will be
the main server on behalf of the clients in the local network.

I'll give it a shot.

Cheers,
b.

signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Brian J. Murrell

Here's a new most interesting data point.

All of these outages happen right after a DHCP client connect and sends
a DDNS update to BIND.

It would be an interesting experiment to isolate the zone that receives
DDNS updates for the DHCP clients onto a separate server to see if that
makes this problem go away for the main server, but I don't have
another machine to run another BIND on and I don't think it's possible
to run two BINDs on the same machine on different ports and have one
(on port 53) delegate a zone to another running on some other port.

Cheers,
b.


signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Brian J. Murrell

On Mon, 2018-01-22 at 12:45 +, Tony Finch wrote:
> 
> lame-servers is also a log category, and tends to be quite noisy
> about
> various problems :-)

Turns out I do already have lame server logging enabled.  I.e.:

20-Jan-2018 12:01:37.053 lame server resolving 'backup-ns.yn.cninfo.net' (in 
'yn.cninfo.net'?): 202.98.160.68#53
20-Jan-2018 12:01:37.054 lame server resolving 'backup-ns.yn.cninfo.net' (in 
'yn.cninfo.net'?): 202.98.160.68#53

But there isn't a single lame server message with "google" anywhere in
it.

This problem is really not looking like a lame delegation issue,
wouldn't you agree?

Any further ideas?

Cheers,
b.


signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell

On Mon, 2018-01-22 at 16:10 +, Tony Finch wrote:
> 
> You should make sure it is enabled, because there are vital clues in
> those
> log lines :-)

But they will only occur if there is some lameness with the ns[1-
4].google.com records and that will already be reported with lame:n in
the "fetch completed at resolver.c" lines won't they, or am I
completely misunderstanding something here?

> Yes, and you should track down when they occur and look for other
> error
> indications areound that time.

So, over the last week of tracing I have only these lines which match
"fetch completed at resolver.c:[0-9]* for ns[1-4].google.com":

19-Jan-2018 09:41:53.347 fetch completed at resolver.c:7492 for 
ns4.google.com/ in 0.042154: success/success 
[domain:google.com,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
19-Jan-2018 09:41:53.350 fetch completed at resolver.c:7492 for 
ns2.google.com/ in 0.042019: success/success 
[domain:google.com,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
19-Jan-2018 09:41:53.356 fetch completed at resolver.c:7492 for 
ns3.google.com/ in 0.043881: success/success 
[domain:google.com,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
19-Jan-2018 09:41:53.362 fetch completed at resolver.c:7492 for 
ns1.google.com/ in 0.047039: success/success 
[domain:google.com,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

None of them show any lame servers.

Wouldn't I see occurrences of those with lame:n if I there were any
lameness?

Cheers,
b.


signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell

On Mon, 2018-01-22 at 12:04 +, Tony Finch wrote:
> 
> The thing to look out for is the minutes before the outage starts -
> see
> what kind of failures you get.

So, taking this approach, looking for the first occurrence of just any
one of the names ns[1-4].google.com prior to the A/ queries that
are in http://brian.interlinx.bc.ca/named.run.log starting at:

19-Jan-2018 18:04:50.785 createfetch: ns1.google.com A

(which end up resulting in the SERVFAIL for www.google.com/IN/A) the
first previous occurrence of just any one of those names is:

19-Jan-2018 17:48:59.122 resquery 0x7f10102ecd50 (fctx 
0x7f10102e5dc0(lh4.ggpht.com/)): response
19-Jan-2018 17:48:59.122 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   3024
;; flags: qr cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lh4.ggpht.com. IN  

;; AUTHORITY SECTION:
ggpht.com.  172800  IN  NS  ns2.google.com.
ggpht.com.  172800  IN  NS  ns1.google.com.
ggpht.com.  172800  IN  NS  ns3.google.com.
ggpht.com.  172800  IN  NS  ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - 
CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 
20180124054922 20180117043922 46967 com. 
pjslTFtda4UfkpJtO9rbVmzSRQ+JslWRuBl/r0tkeyX4nBA8wjOIQjCH DJl+C6CA8TMW
lO9dfx5ZHM2s59N/XfQG3fp2N68bf3rhSp5OwUEVy205 
6LMbiiW7wjp0MEQOGorvf29kS6ApuZHGOseP5HQrAIBO4XxZvomAPME+ Q1c=
FGFB71PIIJ5JUGA7GFUQ06ANFUVDRKBA.com. 86400 IN NSEC3 1 1 0 - 
FGFGQ2SH7LNK03PV0R76S8B47TPVJK59 NS DS RRSIG
FGFB71PIIJ5JUGA7GFUQ06ANFUVDRKBA.com. 86400 IN RRSIG NSEC3 8 2 86400 
20180125052147 20180118041147 46967 com. 
DkAophVbTjntmUtcj2HIiigTv5yxlNuTIAGWgXY+W9QhAJp4UUYpqxOe jmyxVEUtfYqS
3ANVWz7EI+ucYS1CE8UKuWUx4eGAz8F/YbN/KA5cvxWO 
SEqri5Lg3W2MjiB/DXXFI/WrnmuLPNIQdDZD2H1lQ56CTUAL0pPpDby9 788=

;; ADDITIONAL SECTION:
ns2.google.com. 172800  IN  A   216.239.34.10
ns1.google.com. 172800  IN  A   216.239.32.10
ns3.google.com. 172800  IN  A   216.239.36.10
ns4.google.com. 172800  IN  A   216.239.38.10

I realize this query result has nothing to do with www,google.com, but
it is the first occurrence of just any of the names ns[1-4].google.com
prior to the start of the subsequent SERFAIL processing that starts at
18:04:50.785 and it's more than 10 minutes prior to the SERVFAIL.

That seems to indicate that nothing at all to do with any of the names
ns[1-4].google.com happens for more than 10 minutes before a SERVFAIL
is returned for www.google.com right?  Nothing at all happens that
could result in a any of those names being lame, right?

Cheers,
b.


signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell

On Mon, 2018-01-22 at 12:45 +, Tony Finch wrote:
> 
> They'll have a log category of edns-disabled.

But if the problem were EDNS, would it be so intermittent and always
fixable by rndc reload?

> But, looking through the
> code, if this is leading to lameness you will also get lame-servers
> log
> messages.

So just looking for lame servers will cover EDNS issues also then,
right?

> lame-servers is also a log category, and tends to be quite noisy
> about
> various problems :-)

Yeah.  Must be disabled by default on EL7 I would guess, just because
it's so noisy.

> The tagged values there are various kinds of things that happened
> when
> resolving; the lame: tag is a count of the lame servers that were
> encountered, including both newly discovered lame servers and cached
> lame
> servers.

So, if lame servers were a problem with resolving ns[1-4].google.com,
then I would see messages like in my previous message with a lame:n tag
where n > 0, yes?

Cheers,
b.

signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell

On Mon, 2018-01-22 at 12:04 +, Tony Finch wrote:
> 
> That indicates that it has already marked the servers as lame, so the
> packet trace isn't going to tell you what caused the lameness.

OK.

> The thing to look out for is the minutes before the outage starts -
> see
> what kind of failures you get.
> 
> Also, check the logs for EDNS

What do EDNS problem messages look like?  Just something to grep for I
mean.

> or lame-servers complaints

Does the "lame:1" in this message indicate lameness:

18-Jan-2018 11:12:47.103 fetch completed at resolver.c:3074 for 
149.243.194.103.in-addr.arpa/PTR in 0.000744: failure/success 
[domain:243.194.103.in-addr.arpa,referral:0,restart:1,qrysent:0,timeout:0,lame:1,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Of course, that one is irrelevant to my situation, I'm just using it as
an example of how to find lame delegations.

Cheers,
b.


signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-20 Thread Brian J. Murrell

OK.  I now have named trace logging

http://brian.interlinx.bc.ca/named.run.log

and a packet dump:

http://brian.interlinx.bc.ca/dns-packets.txt

that demonstrates how BIND is getting .com referrals from the root
servers when doing a query for www.google.com and then doing nothing
with those referrals before returning a SERVFAIL.

The packet trace also shows that BIND queried ns2.google.com for an RR:

18:04:42.444669 IP server.interlinx.bc.ca.8727 > ns2.google.com.domain: 4359% 
[1au] ? playatoms-pa.googleapis.com. (56)
18:04:42.491612 IP ns2.google.com.domain > server.interlinx.bc.ca.8727: 4359*- 
2/0/0 CNAME googleapis.l.google.com.,  2607:f8b0:400b:80e::200a (107)
18:04:42.494681 IP server.interlinx.bc.ca.21592 > ns2.google.com.domain: 50060% 
[1au] ? googleapis.l.google.com. (52)
18:04:42.541496 IP ns2.google.com.domain > server.interlinx.bc.ca.21592: 
50060*- 1/0/0  2607:f8b0:400b:808::200a (69)

only 9 seconds before returning a SERVFAIL on another name that same
server is authoritative for so it had data for at least one of the
servers that are authoritative for the domain.  Yet only 8 seconds
later it starts looking for it's IP address again.

At 18:04:50.805 it started the A and  queries for ns2.google.com:

19-Jan-2018 18:04:50.805 fctx 0x7f10230b1950(ns2.google.com/A): start
19-Jan-2018 18:04:50.805 fctx 0x7f10230b1950(ns2.google.com/A): try
19-Jan-2018 18:04:50.805 fctx 0x7f10230b1950(ns2.google.com/A): cancelqueries
19-Jan-2018 18:04:50.805 fctx 0x7f10230b1950(ns2.google.com/A): getaddresses
19-Jan-2018 18:04:50.805 fctx 0x7f10230b1950(ns2.google.com/A): query
19-Jan-2018 18:04:50.805 resquery 0x7f10230b60d0 (fctx 
0x7f10230b1950(ns2.google.com/A)): send
19-Jan-2018 18:04:50.806 resquery 0x7f10230b60d0 (fctx 
0x7f10230b1950(ns2.google.com/A)): sent
19-Jan-2018 18:04:50.807 fctx 0x7f102309d0d0(ns2.google.com/): start
19-Jan-2018 18:04:50.807 fctx 0x7f102309d0d0(ns2.google.com/): try
19-Jan-2018 18:04:50.807 fctx 0x7f102309d0d0(ns2.google.com/): cancelqueries
19-Jan-2018 18:04:50.807 fctx 0x7f102309d0d0(ns2.google.com/): getaddresses
19-Jan-2018 18:04:50.807 fctx 0x7f102309d0d0(ns2.google.com/): query
19-Jan-2018 18:04:50.807 resquery 0x7f10230b68e0 (fctx 
0x7f102309d0d0(ns2.google.com/)): send
19-Jan-2018 18:04:50.807 resquery 0x7f10230b68e0 (fctx 
0x7f102309d0d0(ns2.google.com/)): sent
19-Jan-2018 18:04:50.808 resquery 0x7f10230b60d0 (fctx 
0x7f10230b1950(ns2.google.com/A)): udpconnected
19-Jan-2018 18:04:50.808 resquery 0x7f10230b60d0 (fctx 
0x7f10230b1950(ns2.google.com/A)): senddone
19-Jan-2018 18:04:50.808 resquery 0x7f10230b68e0 (fctx 
0x7f102309d0d0(ns2.google.com/)): udpconnected

At 18:04:51.236 it got the referral to the .com servers:

19-Jan-2018 18:04:51.236 fctx 0x7f102309d0d0(ns2.google.com/): sendevents
19-Jan-2018 18:04:51.236 resquery 0x7f10230b60d0 (fctx
0x7f10230b1950(ns2.google.com/A)): response
19-Jan-2018 18:04:51.236 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   9693
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns2.google.com.IN  A

;; AUTHORITY SECTION:
com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.172800  IN  NS  l.gtld-servers.net.
com.172800  IN  NS  m.gtld-servers.net.
com.86400   IN  DS  30909 8 2 
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.86400   IN  RRSIG   DS 8 1 86400 2018020120 
2018011919 41824 . kw9YN9f0zLsasR4xqRWC5zNwOlfhY7/1WwhfHnJpqpUpZok9MPefvv8q 
JpAG4ZVed57r4oZzv0dB1l3fu+dEZi7UFS1xX6H0GFxGDYrpLuXR4Emn 
+1ih6zIM/iWE0O6H7ElgTvgs4tZNJ7n2BX4keEAtCCSa0j9OtEYAlxHx 
SZumcmDxb/btwTmuT9BfxXj0UeJ/96rud5jfuz+fi6cF8fuiy728262G 
FjjzjjO8T1qqPcRlDDm41JXe5D0XmKV13T+I2bSaRHp5HSp0TV2p3mGH 
2UobkPZ9pUpGvCwgsNaxjyCBVosnOUbQJ2uKQUQlkrMqQakDjvvPcT1h OgqYMA==

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800  IN  A   192.5.6.30
a.gtld-servers.net. 172800  IN  2001:503:a83e::2:30
b.gtld-servers.net. 172800  IN  A   192.33.14.30
b.gtld-servers.net. 172800  IN

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-19 Thread Brian J. Murrell

On Fri, 2018-01-19 at 15:22 +, Tony Finch wrote:
> 
> You don't have any weird middleboxes between your resolver and the
> Internet, do you?

I don't believe so.  Not entirely sure what "weird middleboxes" refers
to in this context though.  And by resolver are you referring to my
BIND9 server or the resolvers on the clients of that server?

I've added packet capturing to the debug collection so that I can see
what my BIND9 server is sending and receiving in the way of queries and
responses when this happens again.

Cheers,
b.

signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-19 Thread Brian J. Murrell

On Fri, 2018-01-19 at 14:54 +, Tony Finch wrote:
> 
> Those responses look like referrals from the root servers to the .com
> servers;

Ahhh.  Right.  That makes sense.

> I would expect you to see `named` repeating the queries as it
> follows the iterative resolution algorithm.

Indeed.  I will looking further down the log then...

So, between that initial:

19-Jan-2018 09:06:18.893 resquery 0x7f1010f3bd90 (fctx 
0x7f1010f23d90(www.google.com/A)): response

is just the referrals to .com for that query and the referrals to .com
for the subsequent ns[1-4].google.com queries before we get to:

19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): query 
failed (SERVFAIL) for www.google.com/IN/A at query.c:7007
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): error
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): send
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): sendto
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): senddone
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): next
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): 
ns_client_detach: ref = 0
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): endrequest
19-Jan-2018 09:06:18.967 fetch completed at resolver.c:7415 for 
www.google.com/A in 0.547099: SERVFAIL/success 
[domain:com,referral:1,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
19-Jan-2018 09:06:18.967 fetch 0x7f1012541cd0 (fctx 
0x7f1010f23d90(www.google.com/A)): destroyfetch
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): query failed 
(SERVFAIL) for www.google.com/IN/A at query.c:7007
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): error
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): send
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): sendto
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): senddone
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): next
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): 
ns_client_detach: ref = 0
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): endrequest
19-Jan-2018 09:06:18.968 fetch 0x7f102c5def88 (fctx 
0x7f1010f23d90(www.google.com/A)): destroyfetch
19-Jan-2018 09:06:18.968 fctx 0x7f1010f23d90(www.google.com/A): shutdown
19-Jan-2018 09:06:18.968 fetch 0x7f10125423f0 (fctx 
0x7f1010d86e80(ns1.google.com/A)): destroyfetch
19-Jan-2018 09:06:18.968 fctx 0x7f1010d86e80(ns1.google.com/A): shutdown
19-Jan-2018 09:06:18.968 adb: fetch of 'ns1.google.com' A failed: SERVFAIL
19-Jan-2018 09:06:18.968 DNS_EVENT_ADBNOMOREADDRESSES
19-Jan-2018 09:06:18.968 cfan: skipping find 0x7f10228d7630
19-Jan-2018 09:06:18.968 fetch 0x7f10191e91e8 (fctx 
0x7f1010d88a40(ns1.google.com/)): destroyfetch
19-Jan-2018 09:06:18.968 fctx 0x7f1010d88a40(ns1.google.com/): shutdown
19-Jan-2018 09:06:18.968 adb: fetch of 'ns1.google.com'  failed: SERVFAIL
19-Jan-2018 09:06:18.968 DNS_EVENT_ADBNOMOREADDRESSES
19-Jan-2018 09:06:18.968 cfan: processing find 0x7f10228d7630
19-Jan-2018 09:06:18.968 sending event 0x7f10228d76b8 to task 0x7f10247a2f10 
for find 0x7f10228d7630
19-Jan-2018 09:06:18.968 fetch 0x7f102069a2d0 (fctx 
0x7f1010a83a60(ns2.google.com/A)): destroyfetch
19-Jan-2018 09:06:18.968 fctx 0x7f1010a83a60(ns2.google.com/A): shutdown
19-Jan-2018 09:06:18.968 adb: fetch of 'ns2.google.com' A failed: SERVFAIL
19-Jan-2018 09:06:18.968 DNS_EVENT_ADBNOMOREADDRESSES
19-Jan-2018 09:06:18.968 cfan: skipping find 0x7f10208679e0
19-Jan-2018 09:06:18.968 fetch 0x7f10206998b0 (fctx 
0x7f1010a83ea0(ns2.google.com/)): destroyfetch
19-Jan-2018 09:06:18.968 fctx 0x7f1010a83ea0(ns2.google.com/): shutdown
19-Jan-2018 09:06:18.968 adb: fetch of 'ns2.google.com'  failed: SERVFAIL
19-Jan-2018 09:06:18.968 DNS_EVENT_ADBNOMOREADDRESSES
19-Jan-2018 09:06:18.968 cfan: processing find 0x7f10208679e0
19-Jan-2018 09:06:18.968 sending event 0x7f1020867a68 to task 0x7f10247a2f10 
for find 0x7f10208679e0
19-Jan-2018 09:06:18.968 fetch 0x7f102112d400 (fctx 
0x7f1010b6bee0(ns3.google.com/)): destroyfetch
19-Jan-2018 09:06:18.970 fctx 0x7f1010b6bee0(ns3.google.com/): shutdown
19-Jan-2018 09:06:18.970 adb: fetch of 'ns3.google.com'  failed: SERVFAIL
19-Jan-2018 09:06:18.970 DNS_EVENT_ADBNOMOREADDRESSES
19-Jan-2018 09:06:18.970 cfan: skipping find 0x7f102309fc10
19-Jan-2018 09:06:18.971 client fd31:aeb1:48df:0:e5f4:253a:6c1f:b73d#16975 
(wifi-test.mobidia.com): query failed (SERVFAIL) for wifi-test.mobidia.com/IN/A 
at query.c:7007
19-Jan-2018 09:06:18.971 client fd31:aeb1:48df:0:e5f4:253a:6c1f:b73d#16975 
(wifi-test.mobidia.com): error
19-Jan-2018 09:06:18.971 client fd31:aeb1:48df:0:e5f4:253a:6c1f:b73d#16975 
(wifi-test.mobidia.com): send
19-Jan-2018 09:06:18.971 client fd31:aeb1:48df:0:e5f4:253a:6c1f:b73d#16975 
(wifi-test.mobidia.com): sendto

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-19 Thread Brian J. Murrell

On Thu, 2018-01-18 at 17:46 +, Tony Finch wrote:
> Brian J. Murrell <br...@interlinx.bc.ca> wrote:
> > On Thu, 2018-01-18 at 15:41 +, Tony Finch wrote:
> > >
> > > The default is 10 minutes - try reducing it and see if the outage
> > > becomes shorter.
> >
> > If it does, what is that telling me?
> 
> My hypothesis here is that `named` has marked all the nameservers for
> the
> domain that is failing as lame, so it no longer has anywhere to send
> queries for the domain, so it returns a SERVFAIL.

Seems this might be the case.  Using a trace level of 11, when a
failure starts this seems to be the trail...

19-Jan-2018 09:06:18.893 resquery 0x7f1010f3bd90 (fctx 
0x7f1010f23d90(www.google.com/A)): response
19-Jan-2018 09:06:18.893 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  25156
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;www.google.com.IN  A

;; AUTHORITY SECTION:
com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.172800  IN  NS  l.gtld-servers.net.
com.172800  IN  NS  m.gtld-servers.net.
com.86400   IN  DS  30909 8 2 
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.86400   IN  RRSIG   DS 8 1 86400 2018020105 
2018011904 41824 . IwT0e9jOKKgASgCQXGsryxFFeN5R0e/HPGCzQuD7rhtCYg4UywLcJ9A1 
Ftn0drh2mggBE5wWX90dc5u26P8Gt1jkJ8XbxyjNHA5uTmakjVnGGOZ+ 
9N/6JMtDApT4F6q/3EN8dkctxWvEe9uph8dFR1Uj0aqCNS3aQ0ge4LkS 
JPfRQ2FIQCQxsh+Ts2hdiC6mThpWoFmwmfBxGPu/NsS92/iA5EaP4ZOK 
oIRqrvgyV4PrTDJM8StJJk9qw7z78RC+3/RfEsnwICXKptIGE4AekqIa 
RiVhkTrXhCZAibab5gtqkCkWZ6kF1/6Xbcjexj4VHL+FxqlQCec6CUcz Wpt/DA==

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800  IN  A   192.5.6.30
a.gtld-servers.net. 172800  IN  2001:503:a83e::2:30
b.gtld-servers.net. 172800  IN  A   192.33.14.30
b.gtld-servers.net. 172800  IN  2001:503:231d::2:30
c.gtld-servers.net. 172800  IN  A   192.26.92.30
c.gtld-servers.net. 172800  IN  2001:503:83eb::30
d.gtld-servers.net. 172800  IN  A   192.31.80.30
d.gtld-servers.net. 172800  IN  2001:500:856e::30
e.gtld-servers.net. 172800  IN  A   192.12.94.30
e.gtld-servers.net. 172800  IN  2001:502:1ca1::30
f.gtld-servers.net. 172800  IN  A   192.35.51.30
f.gtld-servers.net. 172800  IN  2001:503:d414::30
g.gtld-servers.net. 172800  IN  A   192.42.93.30
g.gtld-servers.net. 172800  IN  2001:503:eea3::30
h.gtld-servers.net. 172800  IN  A   192.54.112.30
h.gtld-servers.net. 172800  IN  2001:502:8cc::30
i.gtld-servers.net. 172800  IN  A   192.43.172.30
i.gtld-servers.net. 172800  IN  2001:503:39c1::30
j.gtld-servers.net. 172800  IN  A   192.48.79.30
j.gtld-servers.net. 172800  IN  2001:502:7094::30
k.gtld-servers.net. 172800  IN  A   192.52.178.30
k.gtld-servers.net. 172800  IN  2001:503:d2d::30
l.gtld-servers.net. 172800  IN  A   192.41.162.30
l.gtld-servers.net. 172800  IN  2001:500:d937::30
m.gtld-servers.net. 172800  IN  A   192.55.83.30
m.gtld-servers.net. 172800  IN  2001:501:b1f9::30


19-Jan-2018 09:06:18.894 fctx 0x7f1010f23d90(www.google.com/A): 
noanswer_response
19-Jan-2018 09:06:18.894 log_ns_ttl: fctx 0x7f1010f23d90: noanswer_response: 
www.google.com (in '.'?): 1 518400
19-Jan-2018 09:06:18.894 log_ns_ttl: fctx 0x7f1010f23d90: DELEGATION: 
www.google.com (in 'com'?): 0 518400
19-Jan-2018 09:06:18.895 fctx 0x7f1010f23d90(www.google.com/A): cache_message
19-Jan-2018 09:06:18.895 fctx 0x7f1010f23d90(www.google.com/A): cancelquery
19-Jan-2018 09:06:18.895 fctx 0x7f1010f23d90(www.google.com/A): nameservers now 
above QDOMAIN
19-Jan-2018 09:06:18.895 fctx 0x7f1010f23d90(www.google.com/A): done
19-Jan-2018 09:06:18.896 fctx 0x7f1010f23d90(www.google.com/A): stopeverything
19-Jan-2018 09:

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-18 Thread Brian J. Murrell

On Thu, 2018-01-18 at 15:41 +, Tony Finch wrote:
> 
> Does the time to recovery correspond to the lame-ttl setting?

I am not sure.  I'm not always aware of when it starts.  I guess if I
am running a trace level permanently the log would tell me though.

> The default
> is 10 minutes - try reducing it and see if the outage becomes
> shorter.

If it does, what is that telling me?  The problem domains are listing
NSes that don't actually host the zone?  I thought named normally
logged lame delegations but I don't see a single one in the last few
days.

That said, if such a high-visibility domain as googles were
misconfigured, it would be wreaking havoc all over the Internet, and
drawing lots of attention wouldn't it?

> When you have a failure, try `rndc flushtree` to more selectively
> drop
> problematic state - you might have to find out the nameservers of the
> broken domain and flush them. (The google.com nameservers are under
> google.com; GitHub's are under dynect.net and a bunch of awsdns
> domains.)

rndc flushtree takes a domain name though doesn't it?  In what case
would I need to find nameservers?

So, when I do rndc reload am I flushing the cache?  :-(

> Look at the end of the dump - the address database,

; Address database dump
...
; ns3.google.com [v4 TTL 7] [v6 TTL 7] [v4
failure] [v6 failure]
; ns2.google.com [v4 TTL 7] [v6 TTL 7] [v4
failure] [v6 failure]
; ns1.google.com [v4 TTL 7] [v6 TTL 7] [v4
failure] [v6 failure]
; ns4.google.com [v4 TTL 7] [v6 TTL 7] [v4
failure] [v6 failure]

> bad cache,

Empty.

> and
> servfail cache.

Non-existent section in my database dump.

> > Do I need tracing enabled before the situation happens?
> 
> That will make it a lot easier, yes :-)
> 
> > What level (how many "rndc trace"s should I run)?
> 
> You can specify a number directly, like `rndc trace 11` - level 11 is
> handy because it includes query and response packet dumps (er, but
> that
> is a 9.11 feature - in 9.9 you'll only get the response packets).

I'll set that trace now and hope to hit the problem again soon --
before I fill up my filesystem.  :-)

Cheers,
b.

signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-17 Thread Brian J. Murrell

I have a BIND (9.9.4)[1] server that runs well most of the time, but
periodically it will start returning SERVFAIL for very high-level
domains such as *.google.com, *.gstatic.com, *.github.com, etc.  It
seems to happen most frequently with Google domains, but I wonder if
that is just a reflection on the percentage of queries I have for those
here.

In any case when this happens, it will last a few minutes until it
resolves itself and/or I issue an "rndc reload".  That always seems to
correct it if I don't care to wait it out.

I'm wondering what the steps are to try to get to the bottom of this.

I have a db dump (rndc dumpdb) as well as some trace (rndc trace x10)
while this is happening.  Is this enough?  If so, what should I look
for as a cause of the SERVFAILs?

If not, what more do I need to collect?  Do I need tracing enabled
before the situation happens?  What level (how many "rndc trace"s
should I run)?

Very greatful for any help.

Cheers,
b.


signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

error (insecurity proof failed) resolving './DS/IN'

2015-03-23 Thread Brian J. Murrell

Trying to follow an example I found of manually verifying a name's
DNSSEC records I did the following:

# dig . DNSKEY | grep -Ev '^($|;)'  root.keys
# dig +sigchase +trusted-key=./root.keys www.eurid.eu. A

That resulted in some errors but more importantly the following in my
syslog:

Mar 23 08:11:15 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.33.4.12#53
Mar 23 08:11:15 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.203.230.10#53
Mar 23 08:11:15 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.58.128.30#53
Mar 23 08:11:15 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.112.36.4#53
Mar 23 08:11:15 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.228.79.201#53
Mar 23 08:11:16 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 193.0.14.129#53
Mar 23 08:11:16 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.5.5.241#53
Mar 23 08:11:16 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:503:ba3e::2:30#53
Mar 23 08:11:16 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 128.63.2.53#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.36.148.17#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:500:3::42#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:dc3::35#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:503:c27::2:30#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:7fd::1#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:500:2f::f#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 198.41.0.4#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:500:1::803f:235#53
Mar 23 08:11:18 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:500:84::b#53

I'm really not sure why though.

I'm using

BIND 9.8.1-P1

built with '--prefix=/usr' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' 
'--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' 
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE 
-O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2'

Any ideas on what this is or what more information I can provide to help
chase it down?

Cheers,
b.



signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Nintendo('s NSes) are asking my IP for it's rdns

2012-07-24 Thread Brian J. Murrell

I've come across something interesting in my named logs:

00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) 
'5.37.58.216.in-addr.arpa/PTR/IN' denied
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) 
'5.37.58.216.in-addr.arpa/PTR/IN' denied
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) 
'5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:37 named client 205.166.76.12#55728: view greatunwashed: query (cache) 
'5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:37 named client 205.166.76.12#55728: view greatunwashed: query (cache) 
'5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:38 named client 205.166.76.12#55728: view greatunwashed: query (cache) 
'5.37.58.216.in-addr.arpa/PTR/IN' denied

where 216.58.37.216 is my IP address, assigned by my ISP and reverse
resolved by my ISP's name servers.

What is interesting is the fact that 205.166.76.12 are asking me
(216.58.37.216) for the PTR for my address.

Is this just broken NS software or are they (Nintendo, FWIW) doing
something interesting, like giving everyone an opportunity to provide
an rdns for their own IP address without everyone having to make
classless in-addr.arpa delegation arrangements with their ISP (which
mine refused to do)?

It's kind of a neat concept if it's not just an accident of broken NS
software.

Has anyone else seen anything like this before?  Is there some
(proposed even) standard for doing this that I'm not aware of?

In any case, now to the BIND part.  It seems reasonable for me to
answer that query, either with my own data or simply by allowing
that query to recurse.

I suppose I could create a zone for it and put some data in it for
that one record if I wanted to provide my own data.  But what if I
just wanted to allow recursive queries on that name so that I simply
returned whatever the proper NSes for it reports?  I guess I could add
a zone record for it with a forwarder(s) configured to the name's proper
NSes, yes?  But that means me having to maintain those forward records
in tandem with my ISP playing musical NSes (which I don't expect but
why create a possible maintenance headache).

So how could I configure BIND to allow a query for 5.37.58.216.in-
addr.arpa to be recursive for everyone, but of course, continue to
disallow general open recursive querying for names not served here?

Cheers,
b.




signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Nintendo('s NSes) are asking my IP for it's rdns

2012-07-24 Thread Brian J. Murrell

On 12-07-24 07:05 AM, Brian J. Murrell wrote:
 I've come across something interesting in my named logs:
 
 00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) 
 '5.37.58.216.in-addr.arpa/PTR/IN' denied
 00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) 
 '5.37.58.216.in-addr.arpa/PTR/IN' denied
 00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) 
 '5.37.58.216.in-addr.arpa/PTR/IN' denied
 00:16:37 named client 205.166.76.12#55728: view greatunwashed: query (cache) 
 '5.37.58.216.in-addr.arpa/PTR/IN' denied
 00:16:37 named client 205.166.76.12#55728: view greatunwashed: query (cache) 
 '5.37.58.216.in-addr.arpa/PTR/IN' denied
 00:16:38 named client 205.166.76.12#55728: view greatunwashed: query (cache) 
 '5.37.58.216.in-addr.arpa/PTR/IN' denied
 
 where 216.58.37.216

That should be 216.58.37.5.

 is my IP address, assigned by my ISP and reverse
 resolved by my ISP's name servers.
 
 What is interesting is the fact that 205.166.76.12 are asking me
 (216.58.37.216) for the PTR for my address.

And again, that should be 216.58.37.5.

Sorry for the typos.

Cheers,
b.



signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Nintendo('s NSes) are asking my IP for it's rdns

2012-07-24 Thread Brian J. Murrell

On 12-07-24 07:53 AM, Phil Mayers wrote:
 On 24/07/12 12:05, Brian J. Murrell wrote:
 
 Change ISP?

A.  You must be one of those people who live in that part of the
world where internet service providing is not a monopoly, duopoly or at
best a price-fixing oligopoly.  :-)  Unfortunately that's not all of us.

Besides, although my ISP won't delegate the in-addr.arpa. for my one
single IP address to me, they will allow me to tell them what to put in
for it's PTR.  So it doesn't totally suck.

 I don't think that's what is going on. But even if it were, I think that
 would be a bad idea, personally.

Why?  I mean other than a knee-jerk reaction to that behavior not (yet)
being documented in an RFC somewhere?  I mean for practical purposes why
is what they are (or rather, could be, assuming my suggestion about what
they could be doing is correct) doing necessarily bad?

 DNS is well-specified in the RFCs.

Sure.  So there is no room for expansion?

 Violating those to work around lazy ISPs is not a good solution.

What exactly is it violating?  Is there somewhere in an RFC that says an
NS MUST NOT try to query a nameserver at a given IP for the PTR RR for
itself?

If we assume they are first going to an IP address to see if it's
willing to provide a PTR for itself and then falling back to using the
procedure defined in the RFCs and asking the NSes defined for that IP,
what are they breaking?  It seems to be they are extending, not violating.

The fact that it's Nintendo which does create networkable hardware is
what makes me wonder if it's more by design than brokenness.  What if,
for example, they put a lightweight NS into all of their hardware (i.e.
handheld and other game units) that returns a PTR for it's own IP as a
means of identifying the unit?  Certainly, they could have just invented
their own who are you protocol, but instead they decided to do
something interesting with an existing protocol that already answers
who is.

My son has a gameboy or 2.  It might be interesting to see if it
responds to a PTR query.  I will have to wait for him to come back from
camp to see.

 We see all kinds of weird nonsense come into our DNS servers. We see
 LOTS AND LOTS of these two zones, continually:
 
 75.97.111.76#27300: view main: query (cache)
 'mx241.emailfiltering.com/A/IN' denied
 
 41.218.219.221#26895: view main: query (cache)
 'service17.mimecast.com/A/IN' denied

Yeah, but these are not interesting.  These look like either
misconfigured resolvers, or opendns probing, or something.  The thing
that makes the behavior I posted about interesting (IMHO) is the
possible usefulness of it.

 But we also see a trickle of other crap that is nothing to do with us,
 for example:
 
 190.26.0.2#16074: view main: query (cache) 'ns1.webservices.net/A/IN'
 denied
 
 59.90.143.134#48824: view main: query (cache) 'a20.g.akamai.net/A/IN'
 denied

Sure, I think we all get that.  Same as above.  But none of it is
interesting.

 I've never established why this happens, whether it's some kind of
 attempt at cache poisoning from botnets or just broken software. But
 frankly I don't care - I just ignore it.

Of course.  So do I.  And I have been ignoring the queries I posted
about until I realized they had some interesting aspect to them.

Cheers,
b.



signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-21 Thread Brian J. Murrell

On 12-07-20 07:16 PM, Mark Andrews wrote:
 
   dnssec-validation auto;

Well, this seems to have done the trick.  Changing it from yes to auto
has eliminated most (almost all in fact) of the validation
warnings/errors I was getting in my logs.

   tells named to use the compiled
   in root key in addition to enabling validation.

A.  So yes just enables validation but doesn't use any compiled in
root key?  If so, this is an annoying (all due respect) and small but
important distinction.

I'm not sure about anyone else, but a yes/no/auto selector to me means
either an explicit yes or explicit no with auto meaning some kind of do
what you think is right in terms of making it yes or no.  I don't
typically think of it as no or yes plus some additional functionality.

Anyway, you have my since appreciation for persevering with me in my
efforts to figure this out.

b.



signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Brian J. Murrell

On 12-05-15 09:01 AM, Phil Mayers wrote:
 

Sorry about the way delayed response.  There seems to be some confusion
about which list/group gmane is following.
 
 Isn't it more likely it's a local problem?

Indeed.  But what, is the question (and I do have the answer, now --
see below).

 Which version of bind are you running?

I was running 9.8.3 and now 9.9.1-P1

 Does *any* zone validate

Yes.

 e.g. try:
 
 dig +dnssec @localhost www.ic.ac.uk

# dig +dnssec @localhost www.ic.ac.uk

;  DiG 9.9.1-P1  +dnssec @localhost www.ic.ac.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 725
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.ic.ac.uk.  IN  A

;; ANSWER SECTION:
www.ic.ac.uk.   3600IN  A   155.198.140.14
www.ic.ac.uk.   3600IN  RRSIG   A 5 4 3600 20120812165527 
20120713164639 4743 ic.ac.uk. 
UZDw0aM0xPFXAmb5/PReP8hSWR/eNmMA479JFoZyHmxRrepTaJWLya+R 
1F2Y2LI/T12QlFkw09KBsgZo+hGr2MWfPyMAjNttzDLCqGM7dDNBUnuz 
H4G7DUnTvpnIV3VcLHqIh2z+j5ZmBb4+O4MIbNbBh8reVIacM8jgGNPH Evs=

;; AUTHORITY SECTION:
ic.ac.uk.   86400   IN  NS  ns1.ic.ac.uk.
ic.ac.uk.   86400   IN  NS  authdns1.csx.cam.ac.uk.
ic.ac.uk.   86400   IN  NS  ns2.ic.ac.uk.
ic.ac.uk.   86400   IN  NS  ns0.ic.ac.uk.
ic.ac.uk.   86400   IN  RRSIG   NS 5 3 86400 20120806213024 
20120707210235 4743 ic.ac.uk. 
AYa7xE/1ZDMvt0c1wGY/+eu4vgbJm4EV+i+1YYZhtLu44bdnHndfptNZ 
ECxeOI8JVeaKUq1zPspK9UnTCLFDkfCq9cIVFjZhpHQSPHtd3Vss40Vl 
gKrOG6qm4RfmPbLaUDKxu/LsR/W+iRbbiwI2fsso34BTUJeKPZGwqHPG j9k=

;; ADDITIONAL SECTION:
ns0.ic.ac.uk.   86400   IN  A   155.198.142.80
ns0.ic.ac.uk.   86400   IN  2001:630:12:600:1::80
ns1.ic.ac.uk.   86400   IN  A   155.198.142.81
ns1.ic.ac.uk.   86400   IN  2001:630:12:600:1::81
ns2.ic.ac.uk.   86400   IN  A   155.198.142.82
authdns1.csx.cam.ac.uk. 86400   IN  A   131.111.12.37
authdns1.csx.cam.ac.uk. 86400   IN  2001:630:212:12::d:a1
ns0.ic.ac.uk.   86400   IN  RRSIG   A 5 4 86400 20120807164706 
20120708162343 4743 ic.ac.uk. 
SDz7qZbq+O/SMopAP4L1W9QeeuJu6+vBW25h4WIoDmFgXb+OPx3/M/6H 
6pBFUpO2XoBfurRHly0r2yy7C4x3X7vth8nT9Xo16ZL9nauYwbUIM3f3 
zDECyEzrkPf8EDcwRYycOJfcKcAlxG0FiPBav+WJW8PNMR43YAsr6w5D ZLU=
ns0.ic.ac.uk.   300 IN  RRSIG    5 4 300 20120809142748 
20120710132748 4743 ic.ac.uk. 
U+LTVkUNoTWXNTabEd/rt15qze4iLWhDFyw+inaYgToGxYA5y3JS+fnx 
qfe2+GUFSLOz/Xo6czEe7728vCLgXzLQckAyS3g56NUfHKyXO1WWa6lQ 
k1r9UoNOSj5vTu0YLQN1FgP4aSFjowZzeQtbX//aDXZEVHKjNz4UFwBA zPs=
ns1.ic.ac.uk.   86400   IN  RRSIG   A 5 4 86400 20120816015657 
20120717011404 4743 ic.ac.uk. 
dFRwdOkf670aLyyLtnLAYwo18XQGIFgT8YWQukrsj514pINSR5WUkcpd 
ReUOGLy9+RDEfpWwDsvdp1DLrxbUzElTF5Qkg/1d76qqB6WxmnQq6lqz 
r5zKgfh9GNZHKrAOzvLcxlUFhd2xm1NXjktjIhb6CLH+qrJRR9h9+Zxy MlQ=
ns1.ic.ac.uk.   300 IN  RRSIG    5 4 300 20120809142748 
20120710132748 4743 ic.ac.uk. 
OBSX8EyrqDcE6QzArCOaecx3Rf5fuBqfMctc/6M+3SnCHqQ9Dzp0YZly 
2f6OJXu2JCrR4lGEUfgnA8rXDCKLgkzVIWFZi4y0GVuY2VHXhBptT9ri 
P0xRDqytbK9FAmIQMjn0gVuRBA6FhHhalh59FrcimXT/DyEj3TjsW2iD IsQ=
ns2.ic.ac.uk.   86400   IN  RRSIG   A 5 4 86400 20120804065011 
20120705063843 4743 ic.ac.uk. 
IQ9KZAqCZLRpDwSpFpwor5ru7ltRfgBkFITKVs5ICz0fGrMQ9uWeWVY2 
CLNVmPeXtMseId7Y67+CM4q2Zu+zfBtSiLlDbbqD13FnSdmjqLCHF4PG 
7UVW1Z9uqjSHndKuuXeihNUSogyDZyoqf1b4SRcmRwOjgsM7HX0gWy87 jBs=

;; Query time: 451 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 20 07:24:59 2012
;; MSG SIZE  rcvd: 1466
 
 ...and you should see:
 
 ; -HEADER- opcode: QUERY, status: NOERROR, id: 18199
 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 11
 
 Note the ad flag - authenticated data.

Yup, I did see that.

The problem here seems to be fragmented UDP.  I only ever receive the
first fragment.  Since I am tcpdumping on the external interface of my
router, I know it's not my router dropping it (which does have an
iptables policy installed, but tcpdump happens before iptables AFAIU;
that is you see *everything* with tcpdump, even on an interface where
iptables is set to drop traffic).  I can only assume it's my ISP or
something upstream.

I am able to receive fragmented ICMP however.  For example:

$ ping -M want -s 3000 74.125.226.17
PING 74.125.226.17 (74.125.226.17) 3000(3028) bytes of data.
3008 bytes from 74.125.226.17: icmp_req=1 ttl=58 time=29.1 ms
3008 bytes from 74.125.226.17: icmp_req=2 ttl=58 time=28.2 ms
3008 bytes from 74.125.226.17: icmp_req=3 ttl=58 time=28.6 ms
3008 bytes from 74.125.226.17: icmp_req=4 ttl=58 time=29.0 ms
3008 bytes from 74.125.226.17: icmp_req=5 ttl=58 time=29.9 ms
3008 bytes from 74.125.226.17: icmp_req=6 ttl=58 time=28.8

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Brian J. Murrell

On 12-07-20 08:34 AM, Brian J. Murrell wrote:
 
 The problem here seems to be fragmented UDP.

I seem to have misdiagnosed this due to tcpdump peculiarities.  I only
initially saw/suspected the problem since my capture for port 53
packets was including (only the first) ipv4 fragments.  When adding a
capture specifically to get all ipv4 fragments in addition to my port
53 packets, I do see all of the fragments.

So back to the drawing board.

In my previous posting, I was able to demonstrate that I do get some
queries authenticated, but others (corresponding to the errors in my
logs) are not.  For example:

Jul 20 08:59:37 linux named[17472]:   validating @0xf48d01b0: 119.in-addr.arpa 
SOA: no valid signature found

and sure enough:

# dig +dnssec @localhost 119.in-addr.arpa SOA

;  DiG 9.9.1-P1  +dnssec @localhost 119.in-addr.arpa SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 49713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;119.in-addr.arpa.  IN  SOA

;; ANSWER SECTION:
119.in-addr.arpa.   172800  IN  SOA ns1.apnic.net. 
read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 
172800
119.in-addr.arpa.   172800  IN  RRSIG   SOA 5 3 172800 20120819055026 
20120720045026 31291 119.in-addr.arpa. 
DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM 
GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 
KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=

;; AUTHORITY SECTION:
119.in-addr.arpa.   78212   IN  NS  ns1.apnic.net.
119.in-addr.arpa.   78212   IN  NS  sec1.authdns.ripe.net.
119.in-addr.arpa.   78212   IN  NS  ns2.lacnic.net.
119.in-addr.arpa.   78212   IN  NS  ns4.apnic.net.
119.in-addr.arpa.   78212   IN  NS  ns3.apnic.net.
119.in-addr.arpa.   78212   IN  NS  apnic1.dnsnode.net.
119.in-addr.arpa.   78212   IN  NS  tinnie.arin.net.

;; ADDITIONAL SECTION:
ns1.apnic.net.  167 IN  A   202.12.29.25
ns1.apnic.net.  164129  IN  2001:dc0:2001:0:4608::25
ns2.lacnic.net. 82967   IN  A   200.3.13.11
ns2.lacnic.net. 164257  IN  2001:13c7:7002:3000::11
ns3.apnic.net.  167 IN  A   202.12.28.131
ns3.apnic.net.  164129  IN  2001:dc0:1:0:4777::131
ns4.apnic.net.  167 IN  A   202.12.31.140
ns4.apnic.net.  164129  IN  2001:dc0:4001:1:0:1836:0:140
sec1.authdns.ripe.net.  167 IN  A   193.0.9.3
apnic1.dnsnode.net. 3767IN  A   194.146.106.106
tinnie.arin.net.35918   IN  A   199.212.0.53
tinnie.arin.net.35918   IN  2001:500:13::c7d4:35
sec1.authdns.ripe.net.  167 IN  RRSIG   A 5 4 3600 20120819100246 
20120720090246 16848 ripe.net. 
PnInozslOygv30AuohnYIzlCkeShxybKYeZ4114kpClfsMB/t3liXNmw 
in7Ha8Mh1mOZFtv2lvYDNlnrZgO65xXkUwsH2iz1jCMFU6ZjwGhqVhaX 
PpN6T6BXDHSohpFkVlx0yu9J7BcPMuCD6FJB5yLF4V0UUkJoPOXFAKBa mto=

;; Query time: 239 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 20 09:02:18 2012
;; MSG SIZE  rcvd: 892

no ad bit set.

But why?

Cheers,
b.



signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Brian J. Murrell

On 12-07-20 09:11 AM, Phil Mayers wrote:
 
 Or, what happens if you start bind up in debug mode and run the query?
 There will be a lot of output, but I've found most problems to be fairly
 obvious if you read through it.

Yeah, there is a lot of output.  Too big of a haystack for me to find
the needle I'm afraid.  I probably had way too much debug enabled.  I'd
be happy to trim it back if desired.  Just tell me which categories
you'd want to see and what severity to set.

In any case, the log is at
http://brian.interlinx.bc.ca/119.in-addr.arpa.debug and the query I did was:

dig +dnssec @localhost 119.in-addr.arpa SOA

The log should be as brief as it can be as I started named, did the
query and waited for the response and then stopped bind.

Just for good measure, since I think I have posted this before, but here
are the options I have set in my bind configuration with regard to dnssec:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Cheers,
b.



signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Brian J. Murrell

On 12-07-20 10:42 AM, Mark Andrews wrote:
  
 The NS RRset is the delegation records and as such has no RRSIGs.
 If you turn on minimal-responses the NS rrset won't be added and
 AD won't be cleared.  AD is only set to 1 if all the records in the
 answer and authority sections are marked as secure.

OK.  So I added:

minimal-responses yes;

and the dig response does indeed look much more minimal, but the
ad bit is still not being set:

# dig +dnssec @localhost 119.in-addr.arpa SOA

;  DiG 9.9.1-P1  +dnssec @localhost 119.in-addr.arpa SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 45253
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;119.in-addr.arpa.  IN  SOA

;; ANSWER SECTION:
119.in-addr.arpa.   172800  IN  SOA ns1.apnic.net. 
read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 
172800
119.in-addr.arpa.   172800  IN  RRSIG   SOA 5 3 172800 20120819055026 
20120720045026 31291 119.in-addr.arpa. 
DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM 
GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 
KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=

;; Query time: 720 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 20 10:50:21 2012
;; MSG SIZE  rcvd: 310

Strangely I didn't get an error logged about there being no valid
signature for 119.in-addr.arpa SOA though.

Cheers,
b.



signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named validating @0x...: ... SOA: no valid signature found

2012-05-15 Thread Brian J. Murrell

On 12-05-02 09:29 AM, Mark Andrews wrote:
  
 * a firewall blocking EDNS queries.
 * using a non DNSSEC enabled forwarder so you don't get signatures.
 * a firewall blocking fragmented UDP and named falling back to
   plain DNS.
 * other packet loss causing named to fallback to plain DNS.

Given that I have confirmed EDNS works with:

dig edns-v4-ok.isc.org TXT
dig edns-v6-ok.isc.org TXT

and that I don't have a firewall that would/should be dropping
(properly) fragmented UDP[1] and I have no other indications of packet
loss, are we looking at a bug in BIND9 to explain this (mis-)behavior?

Cheers,
b.

[1] I'd be happy to test and provide evidence if anyone has a test that
will do so.  Perhaps a dig command targeted at one of the many failures
that my logs are constantly showing?



signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named validating @0x...: ... SOA: no valid signature found

2012-05-06 Thread Brian J. Murrell

On 12-05-02 09:29 AM, Mark Andrews wrote:
 
 
 The zones are signed.  Possible reason are:
 
 * a firewall blocking EDNS queries.

This shouldn't be the case.  Outgoing traffic from the bind9 server
being used here should be completely unfettered.

 * using a non DNSSEC enabled forwarder so you don't get signatures.

I believe my forwarder (bind9 server) is DNSSEC enabled:

options {
...
// enable DNSSEC
dnssec-enable yes;
dnssec-validation yes;
// as of 9.7, use auto instead
// dnssec-lookaside . trust-anchor dlv.isc.org.;
dnssec-lookaside auto;

};

 * a firewall blocking fragmented UDP and named falling back to
   plain DNS.

Again, the firewall should be allowing bind9 to do whatever it wants.

 * other packet loss causing named to fallback to plain DNS.

I'm not seeing any evidence of that here otherwise.

Can you prescribe any tests that I can do to [dis-]prove any of the
above theories?

Cheers and much thanks,
b.





signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

bind restart needed to reflect changes to dynamic zone in multiple views

2011-06-24 Thread Brian J. Murrell

I am using BIND 9.7.2-P2.

I have two views, one internal and one for external queries.  In
both of those views I have some zones which are common so I put them
into their own file zones.common and include that file in both of the
views.

The problem I am having is that when I make a dynamic update to a common
zone, only the internal view sees that change.  External queries still
return the data prior to the update.  If I restart the server, then
external queries get the updated data.

To provide an (excerpted, for brevity) example...

 zones.common 
zone rbl.interlinx.bc.ca {
type master;
file /etc/bind/master/rbl.interlinx.bc.ca.zone;
allow-update { ... };
allow-transfer { ... };
allow-query { any; };
};
 zones.common 

 named.conf 
view trusted {
match-clients { trusted_networks; }; // our internal networks
...
include /etc/bind/zones.common;
...
zone interlinx.bc.ca {
type master;
file /etc/bind/master/interlinx.bc.ca.zone;
allow-update { ... };
allow-query { ... };
allow-transfer { ... };
};
...
};

view greatunwashed {
match-clients { any; }; // all others hosts
...
include /etc/bind/zones.common;
allow-query { great_unwashed_allowed_query; };
zone interlinx.bc.ca {
type slave;
file /etc/bind/slave/interlinx.bc.ca.zone;
masters { ... };
allow-query { any; };
};
};
 named.conf 

To demonstrate, given the above configuration:

greatunwashed_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
Host 1.2.3.4.rbl.interlinx.bc.ca not found: 3(NXDOMAIN)

trusted_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
Host 1.2.3.4.rbl.interlinx.bc.ca. not found: 3(NXDOMAIN)

dns_server $ nsupdate
 server localhost
 zone rbl.interlinx.bc.ca.
 update add 1.2.3.4.rbl.interlinx.bc.ca 60 A 127.0.0.2
 send


trusted_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
1.2.3.4.rbl.interlinx.bc.ca has address 127.0.0.2

greatunwashed_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
Host 1.2.3.4.rbl.interlinx.bc.ca not found: 3(NXDOMAIN)

dns_server # /usr/sbin/rndc reload
server reload successful

trusted_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
1.2.3.4.rbl.interlinx.bc.ca has address 127.0.0.2

greatunwashed_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
Host 1.2.3.4.rbl.interlinx.bc.ca not found: 3(NXDOMAIN)

dns_server # service bind9 restart
 * Stopping domain name service... bind9
   ...done.
 * Starting domain name service... bind9
   ...done.

trusted_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
1.2.3.4.rbl.interlinx.bc.ca has address 127.0.0.2

greatunwashed_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
1.2.3.4.rbl.interlinx.bc.ca has address 127.0.0.2

As you can see, it took a complete server restart for the greatunwashed
view to get the zone update.

Is this expected behavior or a (known?) bug?

Cheers,
b.



signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind restart needed to reflect changes to dynamic zone in multiple views

2011-06-24 Thread Brian J. Murrell

On 11-06-24 09:57 AM, Lyle Giese wrote:
 
 It's expected behavior in a way.

Given your explanation, indeed.  :-)

 You are probably making this change in
 the internal view and the internal named process knows about the change
 and reloads the zone.
 
 The external view's process is unaware of the change and does not reload.

A.  I guess I had not considered how BIND handles views and that
it's done with a separate process per view.  But I only have one named
process, so I suppose it's threading for each view.

 1) You could send a periodic rndc reload to the external view process.

Except that I only have the one process.  Any thoughts on how to do this
in such a case?

 2) Since this appears to be an rbl zone, use rbldnsd instead of named to
 serve this zone.

Yeah, I suppose I could.  It would solve this specific use case, but I
don't know that this RBL zone is the extent of this problem.  I'd have
to examine further where there are zones shared by multiple views.  I'm
guessing though that rbldnsd doesn't support remote update, yes?  That
would be limiting for my purposes here.

Cheers,
b.






signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind restart needed to reflect changes to dynamic zone in multiple views

2011-06-24 Thread Brian J. Murrell

On 11-06-24 12:39 PM, Evan Hunt wrote:
 
 You can specify the view in the reload command:
 
 $ rndc reload example.com in external

But reload doesn't work for dynamic zones:

# rndc reload rbl.interlinx.bc.ca in greatunwashed
rndc: 'reload' failed: dynamic zone

and since I want the same zone definition file to be included in both
views, I can't (without separating and mostly duplicating) easily do
that.  I don't think I can even point a non-dynamic zone definition at a
dynamic zone file because of the journal and all that, right?

 You can also configure the zone in one view as a master and the one in the
 other view as a slave; then reloading the master will automatically send a
 notify to the slave.

Yeah, so I've been hearing about.  I suppose in this case I am creating
separate definitions for the zones also.  :-(

This all seems like a pretty serious deficiency in BIND9.  That it
exists I suppose attests to the difficulty in fixing it though.  :-(

Cheers,
b.




signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind restart needed to reflect changes to dynamic zone in multiple views

2011-06-24 Thread Brian J. Murrell

On 11-06-24 01:47 PM, Evan Hunt wrote:
 
 Do the internal and external versions *both* need to be dynamic? 

No, only the internal in fact.

 I'd expect it to work okay if you had only one of them dynamic, and
 sent periodic reload commands to the other one.

Yeah.  I got the master/slave approach working with your suggestion
below as a model.  I reversed the master/slave relationship however to
reflect that changes come from internal only.

I guess it's hoping for too much though to have the master sent notifies
to the slave given that master and slave are both on the same host, yes?
 Hence your suggestion of periodic reload commands?

The data really does need to be quite in sync though.  I'm not sure a
period of less than a second or two is going to be acceptable.  :-(

 The master/slave approach really works better, though.  Something like
 this:
 
 view internal {
 match-clients { !key example-key; localnets; };
 zone example.com {
 type slave;
 masters { localhost key example-key; }
 };
 };
 
 view external {
 match-clients { any; };
 zone example.com {
 type master;
 file filename;
 update-policy { grant example-key zonesub ANY; };
 also-notify { 127.0.0.1; };
 };
 };
 

Cheers, and thanx much for all of that.

b.



signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind restart needed to reflect changes to dynamic zone in multiple views

2011-06-24 Thread Brian J. Murrell

On 11-06-24 03:19 PM, David Sparro wrote:
 
 Do you have control of the update process.

Sure.

 You could potentially send
 and update to both views (in other words, send two updates).

How do I, with nsupdate, specify which view's zone I want to update?

 I think
 you'd need separate zone files on the server, too.

Sure, that's not hard.  The hard (or rather, unknown) part is how to
tell nsupdate which view to interact with?

b.






signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-24 Thread Brian J . Murrell

Jeremy C. Reed jreed at isc.org writes: 
 
 I was reading it all along, but could never reproduce.

Given the new information I have, I'll hazard to guess that you were trying to 
reproduce with something newer than 9.7.0-P2.

 I thought it was 
 a temporary issue.
 
 I see your new bug report. Someone will follow up soon.

That can probably be closed out (I will follow-up on it as soon as I'm done
here) but I have taken a variance from my distro's prescribed BIND version of
9.7.0-P2 and built a 9.7.2-P2 and after about 12h of data collecting the
problem seems to be gone.

I am going to bug report with said distro also as I hate varying from the 
working set because it just causes possible future problems trying to bug 
report with them.  you are not using the version we support, bla, bla, bla.

So in the end it seems that perhaps it was a bug/situation that was cleared up 
between 9.7.0-P2 and 9.7.2-P2.

Thanx to all that persevered through all of this.  I really should have just 
bitten the bullet and upgraded in the first place.

Cheers,
b.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-23 Thread Brian J . Murrell

Casey Deccio casey at deccio.net writes: 
 
 I still don't have the answer to this.

Fair enough.  I was just looking for clarification on your previous statements.

 Perhaps a BIND developer may
 have better insight into the log messages and what may be going on.

Yeah, I was hoping to have caught the attention of a BIND developer here with
all of this by now.  Perhaps they just don't hang out here.  Maybe I will try to
find out where to ask questions that they might see.

Thanx!

b.
 




___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-22 Thread Brian J . Murrell

Casey Deccio casey at deccio.net writes: 
 
 After a review of NSEC3 showed that this particular behavior is
 expected because org has been signed using NSEC3 with the opt-out bit
 set.

I'm afraid I'm getting a bit lost due to my real lack of understanding of the 
details of DNSSEC.  I wish I had the time to really sit down and understand the 
concepts in complete detail.  :-(

So does the RFC reference just explain why the AD bit (i.e. and not the bigger 
problem of the spew of log entries from named) is not set or does that explain 
the entire problem I am seeing (namely the continuous log spew from named)?

Cheers,
b.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-15 Thread Brian J . Murrell

Brian J. Murrell brian at interlinx.bc.ca writes:
 
 Casey Deccio casey at deccio.net writes:
   
  Do you get a NOERROR response with the AD bit set?
 
 Yup:
 ...

Was any of that information I posted in the previous message useful?  If not,
I'd be happy to gather some more.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-10 Thread Brian J . Murrell

Casey Deccio casey at deccio.net writes:
 
 On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell brian at interlinx.bc.ca 
wrote:
  $ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt

Doh!  I forgot the +dnssec.

 What happens when you run the following queries:
 
 dig +dnssec @linux -p 1053 org SOA
  
 Do you get a NOERROR response with the AD bit set?

Yup:

$ dig +dnssec @linux -p 1053 org SOA

;  DiG 9.7.1-P2  +dnssec @linux -p 1053 org SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 44657
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org.   IN  SOA

;; ANSWER SECTION:
org.670 IN  SOA a0.org.afilias-nst.info. 
noc.afilias-nst.info. 2009390492 1800 900 604800 86400
org.670 IN  RRSIG   SOA 7 1 900 20101124135902 
20101110125902 61598 org. 
cqufQ6aorG5AeM7mFR/lwm9TnLwdK9PjTH36lEo4fYBk5jH+sgLM17rG 
wZD6c4/ZZHuT4ZvcQMa6pR1CgEtBLq1YAIT5zl0ncWs2pbyS2BFr35k5 
B9thalfcHAGXFATzCFcVzQTVBSFy5QDPMuHpz2LTvaFc0xiE6sGqF+Fr Q14=

;; AUTHORITY SECTION:
org.86175   IN  NS  a2.org.afilias-nst.info.
org.86175   IN  NS  b0.org.afilias-nst.org.
org.86175   IN  NS  a0.org.afilias-nst.info.
org.86175   IN  NS  d0.org.afilias-nst.org.
org.86175   IN  NS  c0.org.afilias-nst.info.
org.86175   IN  NS  b2.org.afilias-nst.org.
org.86175   IN  RRSIG   NS 7 1 86400 20101123154737 
20101109144737 61598 org. 
KncVCF0Fbp56Cf7xW376cEuGnNL/G19WM0GfXhWwWHuWKn2HDjx7OJMi 
a0OYeoo/KlUn0pO0ORgT96vurhOkweEfdZXnpdPRRHBStfmpFZYD9wxG 
FiyGounAQuso/EWSZhmwHXsFieElBQ8+J8sKY+EDo4K92uCZ5QtQAI6S 7m8=

;; Query time: 2 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Wed Nov 10 09:02:03 2010
;; MSG SIZE  rcvd: 536
 
 dig +dnssec @linux -p 1053 bondedsender.org DS
 
 Do you get a NOERROR response with AD bit

No AD bit set, however...

 set and NSEC3 RRs and their
 covering RRSIGs?

I do get NSEC3 and RRSIG RRs:

;  DiG 9.7.1-P2  +dnssec @linux -p 1053 bondedsender.org DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 18923
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bondedsender.org.  IN  DS

;; AUTHORITY SECTION:
org.590 IN  SOA a0.org.afilias-nst.info. 
noc.afilias-nst.info. 2009390497 1800 900 604800 86400
org.590 IN  RRSIG   SOA 7 1 900 20101124140403 
20101110130403 61598 org. 
C92vKu2HbiWyt+hgBJD5Arj4egcuL197n0AQWgnKPMQ+XdG90tGG0/5h 
81dQZI/xKQQsoTA5I4oKa9qspxXqC1T1Ej7bBzFqnSrgVDpv1fI/GvIt 
UWbxYL888sn9XE/IP/tHWsbY6aIoSsheYTdJP0oOuunVMkF+i4c25c0v 9Yo=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 590 IN RRSIG NSEC3 7 2 86400 
20101124140403 20101110130403 61598 org. 
qUeV9GSkAD4cY9ftHxclrhrX9tzzZmUJSDXgDab78x8DoBFZ9LNKg+jG 
Yvqqbk0CqOxAJKE7CGDV6WzcsBQJCdM1+3r3+L660i6jIgubxMwGpWc0 
C/GXRhtYZXOuAHpVI0gHPCSoQzLqYU+QxxBepgOUUxSnLS4Zx7tftpqI zAg=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 590 IN NSEC3 1 1 1 D399EAAB 
H9PLJ7JCGLSRA48965QFJNJ3D0HC4FP5 NS SOA RRSIG DNSKEY NSEC3PARAM
t2ei86koq1j2hk8c8m677mgc115vgvu8.org. 590 IN RRSIG NSEC3 7 2 86400 
20101124010350 2010111350 61598 org. 
MLy2iRpF6yKCUfcb0zxow1Dn6ky7BaZQrMZCHsfbFOsV7p5fI13JQJ2r 
ihceyFt5G3VcJrnzm5E51YVlKKFEJmHIwaTUdHDTcBznqzOk+s3xm1iC 
o3cBgrMMEOOQwsX7sVMHLg9NuQ395lq2GZtOrvYZWAEpCU9dOmqcSbFO 2+M=
t2ei86koq1j2hk8c8m677mgc115vgvu8.org. 590 IN NSEC3 1 1 1 D399EAAB 
T2GH7ROARI9U6G24CR9QK4J52L88HKPV

;; Query time: 3993 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Wed Nov 10 09:03:23 2010
;; MSG SIZE  rcvd: 756

The above produced the following in the bind debug log [ sorry for all the line 
wrapping.  Stupid gmane enforces that ]:

dnssec: validating @0x20fc49b0: bondedsender.org DS: starting
dnssec: validating @0x20fc49b0: bondedsender.org DS: attempting negative 
response validation
dnssec: validating @0x20fc49b0: bondedsender.org DS: nsecvalidate: creating 
validator for org SOA
dnssec:   validating @0x20fc7b98: org SOA: starting
dnssec:   validating @0x20fc7b98: org SOA: attempting positive response 
validation
dnssec:   validating @0x20fc7b98: org SOA: keyset with trust 8
dnssec:   validating @0x20fc7b98: org SOA: verify rdataset (keyid=61598): 
success
dnssec:   validating @0x20fc7b98: org SOA: marking as secure, noqname proof not 
needed
dnssec:   validator @0x20fc7b98: dns_validator_destroy
dnssec: validating @0x20fc49b0: bondedsender.org DS: in authvalidated
dnssec: validating @0x20fc49b0: bondedsender.org DS: resuming nsecvalidate
dnssec: validating @0x20fc49b0: bondedsender.org DS

Re: error (broken trust chain) resolving

2010-11-09 Thread Brian J . Murrell

Casey Deccio casey at deccio.net writes:
 
 Reproducing these errors and analyzing the debug-level log messages
 would be helpful since everything looks consistent from a DNSSEC
 perspective, as far as I can see.

Well, I have attempted this.  I reproduced my existing bind configuration and 
added the following to logging:


category dnssec { debug_log; };
channel debug_log {
file /var/tmp/named.debug;
severity debug 100;
print-category yes;
};

The only written to that file when one of those broken chain lookups happen is:

dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: 
starting
dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: 
attempting negative response validation
dnssec: validator @0x2295e9b0: dns_validator_destroy

The dig query that produced that:

$ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt

;  DiG 9.7.1-P2  @linux -p 1053 
41.70.55.206.sa-trusted.bondedsender.org 
txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 40957
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;41.70.55.206.sa-trusted.bondedsender.org. IN TXT

;; Query time: 43 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Tue Nov  9 23:08:39 2010
;; MSG SIZE  rcvd: 58

And the syslog entry:

Nov  9 23:08:39 linux named[11040]: error (broken trust chain) resolving 
'41.70.55.206.sa-trusted.bondedsender.org/TXT/IN': 209.51.221.2#53

So nothing terribly interesting in the debug as far as I can see.  Perhaps I 
don't have enough/the correct debugging enabled?

Cheers,
b.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-03 Thread Brian J . Murrell

Casey Deccio casey at deccio.net writes:
  
 There is a difference between a broken trust chain and a trust chain
 that securely ends before reaching the name being queried.

Ahhh.  That makes sense.

 However, a broken chain means that the validating resolver expects a
 chain to exist, but the chain does not extend properly.

How does a resolver come to this expectation?  What is happening that makes
this situation any different than an insecure delegation?  If we take one of
the examples from my original post:

named error (broken trust chain) resolving '133.168.163.66.sa-
trusted.bondedsender.org/TXT/IN': 173.45.100.146#53

Where/why does it break?  Who's is breaking it?  I can see that org. is rife 
with DNSSEC data but that bondedsender.org. is completely void of it.  But 
surely that would be the case of a plain insecure delegation, yes?

 I'm assuming the error above refers to a broken chain, but it's hard
 to tell why without looking at the context, including cache contents
 at the time of the failure, etc.  The DNSSEC configuration (resulting
 in insecure answer) looks okay from my perspective.  Is the error
 persistent or was it a one-time deal?

Well given the particular one above is a dnsbl lookup it's difficult to say if 
I've even looked it up more than once.

Looking at the various occurrences I have it seems to be pervasive for reverse 
addr lookups in bb.barracudacentral.org, sa-accredit.habeas.com, sa-
trusted.bondedsender.org, rbl-plus.mail-abuse.org, relays.mail-abuse.org, 
dialups.mail-abuse.org, blackholes.mail-abuse.org looking for A and TXT records.

It also seems to occur quite frequently for  lookups to domains like 
{seal,ocsp}.verisign.net, login.facebook.com, *.slashdot.org, 
newswww.bbc.net.uk, and others.

Apart from that there are a few domains in which A, MX and PTR lookups return a 
broken chain, but nowhere near as much as the reverse addr lookups and the  
lookups above.

Cheers,
b.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-03 Thread Brian J . Murrell

Stephane Bortzmeyer bortzmeyer at nic.fr writes:
  
 Indeed. Your analysis seems right. May be you have somewhere another
 trust anchor (for DLV at ISC or directly for bondedsender.org?)

Hrm.  I'm not sure TBH.  I know I didn't install any trust anchor specifically 
for bondedsender.org, but I do have dnssec-lookaside auto; configured in my 
bind options.

I don't know how to do the same verification of bondedsender.org given that 
however.

 Another possibility: sa-trusted.bondedsender.org is badly lame (none
 of the name servers reply), so it may trigger a bad error message from
 BIND.

Both s0.rpdns.net. and s1.rpdns.net. seem to be responsive.  The number of high-
profile domains involved seems to reduce the probability of this option.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-03 Thread Brian J . Murrell

Stephane Bortzmeyer bortzmeyer at nic.fr writes:
  
 They are not name servers of sa-trusted.bondedsender.org:

Damn.  Yes, you are correct.  I forgot it was sa-trusted.bondedsender.org. in
our example and stopped at bondedsender.org.  However going that one more sub-
domain deeper and testing it's NSes, they are all responsive.

And per my previous message, the number of domains affected makes the idea that 
it's lame servers lower probability.

Thanx for keeping me honest.  :-)

b.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-03 Thread Brian J . Murrell

Casey Deccio casey at deccio.net writes:
  
 This can happen in a number of different ways:  If any RRSIGs in the
 chain of trust are bogus, expired, or missing.  If NSEC/NSEC3 records
 are not provided or are insufficient to prove that no DS records exist
 for an insecure delegation.  If DS RRs do exist, but none correspond
 to any self-signing DNSKEYs in the child zone.  If DNSKEYs are not
 returned by the resolver.

None of which appear to be the case for this example-case domain sa-
trusted.bondedsender.org as far as I have been able to determine with my 
green DNSSEC skills.

 Yes, bondedsender.org is an insecure delegation.

So from what I have been able to learn so far, there shouldn't be any 
legitimate 
reason why one should be getting broken trust chain errors about a domain that 
has been insecurely delegated, yes?  I mean there is no security in the 
delegation to be broken, right?

 Reproducing these errors and analyzing the debug-level log messages
 would be helpful since everything looks consistent from a DNSSEC
 perspective, as far as I can see.

I might be able to set up a shadow bind installation that mirrors the 
configuration of primary resolver here to do some debugging.  Do you have any 
suggestions as to which debug flags/levels to set to get some meaningful 
information?  Once set up, simply doing some digs with +dnssec against the 
configured server should suffice, yes?

b.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

error (broken trust chain) resolving

2010-11-02 Thread Brian J . Murrell

Since enabling DNSSEC on my resolving server I have been seeing various 
instances of the following sort of messages:

named error (broken trust chain) resolving '133.168.163.66.sa-
trusted.bondedsender.org/TXT/IN': 173.45.100.146#53
named error (broken trust chain) resolving 
'173.65.147.69.bb.barracudacentral.org/A/IN': 75.101.148.228#53
named error (broken trust chain) resolving '133.168.163.66.sa-
accredit.habeas.com/TXT/IN': 72.232.184.122#53
named error (broken trust chain) resolving 
'151.168.163.66.bb.barracudacentral.org/A/IN': 75.101.148.228#53
named error (broken trust chain) resolving 
'149.65.147.69.bb.barracudacentral.org/A/IN': 75.101.143.130#53
named error (broken trust chain) resolving 
'133.168.163.66.bb.barracudacentral.org/A/IN': 75.101.130.80#53
named error (broken trust chain) resolving 
'52.241.193.67.bb.barracudacentral.org/A/IN': 75.101.143.130#53
named error (broken trust chain) resolving 
'61.94.196.66.bb.barracudacentral.org/A/IN': 75.101.148.228#53
named error (broken trust chain) resolving 
'154.168.163.66.bb.barracudacentral.org/A/IN': 75.101.130.80#53
named error (broken trust chain) resolving 
'106.94.196.66.bb.barracudacentral.org/A/IN': 75.101.130.80#53
named error (broken trust chain) resolving 
'184.34.137.98.bb.barracudacentral.org/A/IN': 75.101.143.130#53
named error (broken trust chain) resolving 
'92.45.136.98.bb.barracudacentral.org/A/IN': 75.101.148.228#53
named error (broken trust chain) resolving 
'36.34.137.98.bb.barracudacentral.org/A/IN': 75.101.130.80#53
named error (broken trust chain) resolving 
'154.168.163.66.bb.barracudacentral.org/A/IN': 75.101.143.130#53
named error (broken trust chain) resolving 
'64.218.193.67.bb.barracudacentral.org/A/IN': 75.101.148.228#53
named error (broken trust chain) resolving '92.45.136.98.sa-
accredit.habeas.com/TXT/IN': 173.45.100.162#53
named error (broken trust chain) resolving 
'148.65.147.69.bb.barracudacentral.org/A/IN': 75.101.130.80#53
named error (broken trust chain) resolving 
'158.169.163.66.bb.barracudacentral.org/A/IN': 75.101.143.130#53
named error (broken trust chain) resolving 
'172.65.147.69.bb.barracudacentral.org/A/IN': 75.101.148.228#53
named error (broken trust chain) resolving 
'45.34.137.98.bb.barracudacentral.org/A/IN': 75.101.148.228#53
named error (broken trust chain) resolving '92.45.136.98.sa-
trusted.bondedsender.org/TXT/IN': 64.251.27.187#53
named error (broken trust chain) resolving 
'40.34.137.98.bb.barracudacentral.org/A/IN': 75.101.148.228#53
named error (broken trust chain) resolving '101.43.195.217.sa-
accredit.habeas.com/TXT/IN': 64.251.27.185#53
named error (broken trust chain) resolving 
'103.179.83.130.bb.barracudacentral.org/A/IN': 75.101.143.130#53
named error (broken trust chain) resolving 
'101.43.195.217.bb.barracudacentral.org/A/IN': 75.101.143.130#53
named error (broken trust chain) resolving '101.43.195.217.sa-
trusted.bondedsender.org/TXT/IN': 72.232.192.162#53

I haven't been able to find an explanation of what that broken trust chain 
message means, exactly.

Anyone care to explain?

Thanx,
b.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-02 Thread Brian J . Murrell

Alan Clegg aclegg at isc.org writes:
 

Hi Alan,

 There isn't a chain of signed DS records that lead from a trust anchor
 to the thing that you are trying to resolve.

I guess I'm going to have to learn a bit more about DNSSEC in order to parse 
that.  :-)

Are there any good tutorials on the mechanics (as opposed to howtos about  
setting up and configuring trusted zones, etc.) of DNSSEC?  i.e. Alice and Bob 
examples.

Thanx much!

b.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error (broken trust chain) resolving

2010-11-02 Thread Brian J . Murrell

Alan Clegg aclegg at isc.org writes:
 
 On 11/2/2010 8:11 AM, Brian J. Murrell wrote:
  
  named error (broken trust chain) resolving '133.168.163.66.sa-
  trusted.bondedsender.org/TXT/IN': 173.45.100.146#53
 
 There isn't a chain of signed DS records that lead from a trust anchor
 to the thing that you are trying to resolve.

So basically it just means that one or more zones from . down to the thing I'm 
trying to resolve has not been DNSSECized?  i.e. no zone keys, signing, etc.?

Wouldn't that be the case for the majority of things I (or anyone else) would 
be trying to resolve, in these early days of DNSSEC?

It just seems like I'd see way more records (i.e. pretty much everything we try 
to resolve here) of the sort that I posted if that were the case.  Maybe the 
variation in things we try to resolve here is not as much as I'd have thought.

Am I misunderstanding?

b.


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

51 matches

Mail list logo