Re: Reverse lookups not working when Internet connection failed.

2022-11-05 Thread David Alexandre M. de Carvalho via bind-users
Thank you all for the replies.
From what I understand after reading your replies (I might be wrong :) ), reverse lookups fail when I have no outgoing connection because some caching or transfer is needed from 66.136.193.in-addr.arpa., which I don't control. This is divided into several networks, 2 of them under my control.
I'll have to read your suggestions more carefully to see if I can find an alternative way to achieve this only by modifying my zone files, without messing up my current setup. I'll let you know how it goes.
Thanks once again.

David

> On 11/4/22 2:07 PM, Mark Andrews wrote:
>> Any ISP that offers these delegations should be allowing their
>> customers to transfer the zone that contains the CNAMEs for the
>> customer address space by default.
>
> I've had enough trouble getting ISPs to support 2317 delegation period.
> I think that asking them to allow me to do a zone transfer would have
> been a hard no.
>
> I certainly don't think this would be allowed /by/ /default/.
>
> I just checked and § 5.1 of RFC 2317 mentioned having the parent do a
> secondary zone transfer of the child zone.  But I don't see any mention
> of the child doing a secondary zone transfer of the parent zone.
>
> I think that would be a good idea.
>
>
>
> --
> Grant. . . .
> unix || die
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
>
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/
> for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
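The failure described in this message, walked through as an added example (mine, not from the thread or from ISC): under RFC 2317 the ISP's /24 reverse zone holds a CNAME for every address of the customer block pointing into a sub-zone such as 0/25.66.136.193.in-addr.arpa., so a PTR lookup always passes through the ISP's zone first. A resolver that can reach only the customer's own zone never gets past that hop, which is why a local copy of the /24 zone (the AXFR Mark mentions) is what makes reverse lookups work without an uplink. The /25 split, the dns.di.ubi.pt. name server and the www.di.ubi.pt. host are assumptions made for the example, not the poster's real allocation.

```python
"""RFC 2317 classless reverse delegation, walked with in-memory zones (added example)."""
import ipaddress

IN_ADDR = "in-addr.arpa."


def rfc2317_names(cidr):
    """Return (enclosing /24 reverse zone, RFC 2317 sub-zone name) for a block longer than /24.
    193.136.66.0/25 -> ('66.136.193.in-addr.arpa.', '0/25.66.136.193.in-addr.arpa.')"""
    net = ipaddress.ip_network(cidr)
    if not 24 < net.prefixlen <= 32:
        raise ValueError("RFC 2317 is for blocks smaller than a /24")
    o1, o2, o3, o4 = net.network_address.packed
    parent = f"{o3}.{o2}.{o1}.{IN_ADDR}"
    return parent, f"{o4}/{net.prefixlen}.{parent}"


def parent_records(cidr, child_ns):
    """Records the /24 holder (the ISP) must publish: an NS delegating the sub-zone
    plus one CNAME per address pointing into it (RFC 2317 section 4)."""
    parent, sub = rfc2317_names(cidr)
    rrs = [(sub, "NS", child_ns)]
    for addr in ipaddress.ip_network(cidr):
        last = addr.packed[3]
        rrs.append((f"{last}.{parent}", "CNAME", f"{last}.{sub}"))
    return parent, rrs


def child_records(cidr, hosts):
    """PTR records the customer publishes in its own sub-zone; hosts maps address -> FQDN."""
    net = ipaddress.ip_network(cidr)
    _, sub = rfc2317_names(cidr)
    rrs = []
    for addr, fqdn in hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is outside {cidr}")
        rrs.append((f"{ip.packed[3]}.{sub}", "PTR", fqdn))
    return sub, rrs


def resolve_ptr(name, reachable_zones, max_chain=8):
    """Follow CNAMEs until a PTR is found. reachable_zones maps apex -> [(owner, type, rdata)]
    and stands for the zones a resolver can currently get answers from.
    Returns (fqdn, cname_chain); raises LookupError when the needed zone is unreachable."""
    chain = []
    for _ in range(max_chain):
        apex = max((a for a in reachable_zones if name == a or name.endswith("." + a)),
                   key=len, default=None)
        if apex is None:
            raise LookupError(f"no reachable zone is authoritative for {name}")
        rrset = [(t, r) for o, t, r in reachable_zones[apex] if o == name]
        ptrs = [r for t, r in rrset if t == "PTR"]
        if ptrs:
            return ptrs[0], chain
        cnames = [r for t, r in rrset if t == "CNAME"]
        if not cnames:
            raise LookupError(f"{name}: no PTR or CNAME in {apex}")
        chain.append(name)
        name = cnames[0]
    raise LookupError("CNAME chain too long")


def demo():
    """Constructed setup: the customer holds 193.136.66.0/25 (an assumption) and serves PTRs
    for it; the ISP holds the /24 reverse zone. Returns (answer online, error offline)."""
    cidr = "193.136.66.0/25"
    parent, parent_rrs = parent_records(cidr, "dns.di.ubi.pt.")
    sub, child_rrs = child_records(cidr, {"193.136.66.10": "www.di.ubi.pt."})
    query = "10.66.136.193.in-addr.arpa."

    # Uplink up, or a local copy of the ISP's /24 zone loaded: the CNAME hop is answered.
    online = resolve_ptr(query, {parent: parent_rrs, sub: child_rrs})
    # Uplink down and no local copy: only the customer's own sub-zone answers, and the
    # query name lives in the ISP's zone, so the lookup fails before reaching the PTR.
    try:
        resolve_ptr(query, {sub: child_rrs})
        offline = None
    except LookupError as exc:
        offline = str(exc)
    return online, offline


if __name__ == "__main__":
    print(demo())
```

The local copy of the parent zone can be the ISP's whole /24 (type secondary, if AXFR is allowed) or just the CNAMEs for the customer's own addresses re-typed into a locally authoritative copy; the resolver only needs the hop to be answerable locally.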




[Fwd: dnssec-signzone]

2020-04-06 Thread David Alexandre M. de Carvalho
Hi again.
So finally I was able to sign my zone thanks to a different (older) tutorial.
I specified dnssec-signzone with flags -o and -S and it worked!

If anyone could please answer these questions, I would appreciate it:
1) Do I need to generate those 2 .key and .private files if I intend to sign my several reverse zones? - I think so.
2) What happens if I need to change a record in my zone.signed file? Do I need to sign it again? Please remember my BIND version is 9.8.2, so I have no automatic mechanisms.

Thank you very much!







___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


dnssec-signzone

2020-04-06 Thread David Alexandre M. de Carvalho
Hi all.
So I'm still fighting with DNSSEC in BIND 9.8.2 (Oracle Linux 6).
Unfortunately there is no automatic signing before BIND 9.9, from what I read.

I can't sign my zone, I keep getting "dnssec-signzone: fatal: No signing keys specified or found."
By now I've tried to move the files generated with dnssec-keygen, but with no success.

I'm using bind-chroot and created a temp folder /var/named/my_keys. Here, I've created the 2 .key and .private files.
Since dnssec-signzone couldn't find the keys (even when specifying -k or -K), I copied them to /etc/pki/dnssec-keys and ran the command with the same result.
Now I've copied all the key and private files to /var/named/chroot/var/named where my zone file exists (di.hosts); running from there, I also get "dnssec-signzone: fatal: No signing keys specified or found."
I changed the owner and group to "named", and they are both readable.

Could anyone please tell me what I am doing wrong?

Also, do I need to generate those 2 .key and .private files if I intend to sign my several reverse zones?
Thank you very much!
Regards



Best regards
David Alexandre M. de Carvalho
---
IT Specialist
Department of Informatics
Universidade da Beira Interior
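Why dnssec-signzone reported "No signing keys specified or found" here and why -o and -S fixed it (in the later message above), as an added example that is mine and not from the thread or from BIND: without -o, dnssec-signzone takes the zone origin from the zone file name, so a file called di.hosts is treated as the zone "di.hosts." and no key file named for di.ubi.pt. can match; with -o di.ubi.pt and -S (smart signing) the keys in the -K directory whose owner equals the origin are picked up. The same matching rule answers the reverse-zone question: a DNSKEY is owned by the zone apex, so 66.136.193.in-addr.arpa. needs its own key pair. The script reproduces that discovery on constructed key files; the key ids 11111/22222 and the key material are made up.

```python
"""Reproduce dnssec-signzone -S key discovery to see why it finds no keys (added example)."""
import os
import re
import tempfile

# dnssec-keygen names its files K<owner>+<alg>+<keyid>.key / .private, e.g. Kdi.ubi.pt.+008+11111.key
KEYFILE_RE = re.compile(r"^K(?P<owner>[^+]+)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})\.key$")


def canonical(name):
    return name.lower().rstrip(".") + "."


def find_signing_keys(origin, keydir):
    """Mimic smart signing (-S): take every K<origin>+alg+id.key in keydir (the -K directory,
    the current directory by default) whose DNSKEY owner equals the zone origin.
    Returns [(keyid, 'KSK' | 'ZSK')]; a key is a KSK when the SEP flag bit (flags & 1) is set."""
    origin = canonical(origin)
    keys = []
    for fn in sorted(os.listdir(keydir)):
        m = KEYFILE_RE.match(fn)
        if not m or canonical(m["owner"]) != origin:
            continue
        with open(os.path.join(keydir, fn)) as fh:
            for line in fh:
                fields = line.split()
                if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
                    continue
                if canonical(fields[0]) != origin:      # owner inside the file must match too
                    continue
                flags = int(fields[fields.index("DNSKEY") + 1])
                keys.append((int(m["keyid"]), "KSK" if flags & 1 else "ZSK"))
    return keys


def write_demo_keys(keydir):
    """Constructed key files for di.ubi.pt. (key ids and key material are made up, not real keys)."""
    for keyid, flags in ((11111, 257), (22222, 256)):
        path = os.path.join(keydir, f"Kdi.ubi.pt.+008+{keyid:05d}.key")
        role = "key" if flags & 1 else "zone"
        with open(path, "w") as fh:
            fh.write(f"; This is a {role}-signing key, keyid {keyid}, for di.ubi.pt.\n")
            fh.write(f"di.ubi.pt. IN DNSKEY {flags} 3 8 AwEAAQ==\n")  # constructed key material
        # The matching .private file is needed to actually sign; discovery keys off the .key name.


def demo():
    with tempfile.TemporaryDirectory() as keydir:
        write_demo_keys(keydir)
        return {
            # no -o: the origin is guessed from the zone file name "di.hosts", nothing matches
            "di.hosts": find_signing_keys("di.hosts", keydir),
            # -o di.ubi.pt: both keys match (KSK 257, ZSK 256)
            "di.ubi.pt": find_signing_keys("di.ubi.pt", keydir),
            # a reverse zone has its own apex, so these keys never match it
            "66.136.193.in-addr.arpa": find_signing_keys("66.136.193.in-addr.arpa", keydir),
        }


if __name__ == "__main__":
    for origin, found in demo().items():
        print(f"{origin:28} -> {found or 'No signing keys specified or found'}")
```

On static signing with BIND 9.8 the file named serves is the .signed output, so after any edit to the unsigned zone the SOA serial has to be raised and dnssec-signzone run again; the RRSIGs it writes expire 30 days after signing by default (-e), so re-signing must be scheduled even when no record changes.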





[Fwd: Re: bind 9.11.2 - domain and subdomain with one zone does not work]

2020-04-03 Thread David Alexandre M. de Carvalho
Thanks for the reply.
Actually, my setup is just like 1) zone delegation.



On 03.04.20 at 15:20, David Alexandre M. de Carvalho wrote:
> Where can I find about alternatives to point 2?

in the part you quoted from me

> I have a windows subdomain configured in that way, never realized there was a 
> better way.
> Thanks and regards.

which way?

a) zone delegation: 192.168.196.1 is the nameserver responsible for
whatever is below subzone.example.com

subzone  IN A   192.168.196.1
subzone  IN NS  subzone

b) records in the same main zone file

subzone   IN A 192.168.1.1
www.subzone   IN A 192.168.196.10
mail.subzone  IN A 192.168.196.11

>>>> why so much complexity to begin with?
>>>>
>>>> t1   A  127.0.0.3
>>>> sub.t30  A  127.0.0.2
>>
>> On 03.04.20 11:53, mail-list-us...@materna.de wrote:
>>> ---
>>> Well, in first place to make it human readable, if needed to look into the 
>>> zone.
>>
>> well
>> 1. the above is more readable than what you proposed.
>>
>> 2. delegating subdomain (sub) to other servers via NS records and setting
>>any other records in the zone is a bad idea.
>>
>> 3. putting localhost into any domain is useless and I discourage you from
>>doing that
>>
>>> For some subdomains we would have entries for the subdomain itself, like 
>>> couple NS,TXT,A,CNAME,SRV etc.
>>> So with these thoughts, the documentation gives this as a valid option and 
>>> it
>>> worked in small scale on the test system, so we decided to go this way.
>>> If this needs to be changed, I need a reason besides of 'that is this way 
>>> more easy',
>>> because these zones get generated from an automated system and I need an
>>> argument to get a permission for a change request.


Re: bind 9.11.2 - domain and subdomain with one zone does not work

2020-04-03 Thread David Alexandre M. de Carvalho
Hi!
Where can I find out about alternatives to point 2?
I have a Windows subdomain configured in that way; I never realized there was a better way.
Thanks and regards.


Best regards
David Alexandre M. de Carvalho
---
IT Specialist
Department of Informatics
Universidade da Beira Interior


>>> why so much complexity to begin with?
>>>
>>>t1   A  127.0.0.3
>>>sub.t30  A  127.0.0.2
>
> On 03.04.20 11:53, mail-list-us...@materna.de wrote:
>>---
>>Well, in first place to make it human readable, if needed to look into the 
>>zone.
>
> well
> 1. the above is more readable than what you proposed.
>
> 2. delegating subdomain (sub) to other servers via NS records and setting
>any other records in the zone is a bad idea.
>
> 3. putting localhost into any domain is useless and I discourage you from
>doing that
>
>>For some subdomains we would have entries for the subdomain itself, like 
>>couple NS,TXT,A,CNAME,SRV etc.
>>So with these thoughts, the documentation gives this as a valid option and it
>>worked in small scale on the test system, so we decided to go this way.
>>If this needs to be changed, I need a reason besides of 'that is this way 
>>more easy',
>>because these zones get generated from an automated system and I need an
>>argument to get a permission for a change request.
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Support bacteria - they're the only culture some people have.
>
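Matus's point 2, turned into a check as an added example (mine, not part of the thread): a name inside a zone that carries NS records is a zone cut, and per RFC 1034 section 4.2.1 the parent is authoritative at the cut only for the NS (and DS) records and below it only for glue A/AAAA of the delegated name servers. named ignores every other record at or under the cut, so "delegate sub with NS and also put TXT/A records under it in the same file" silently loses data, while keeping the records in the main zone without the NS (pattern b in the other reply) serves them fine. The checker parses the one-line record format quoted in this thread, finds the cuts and reports what is occluded; example.com and every address in ZONE are constructed.

```python
"""Find records a parent zone cannot serve because they sit at or below a zone cut (added example)."""


def _absolute(name, origin):
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Minimal parser for 'name [ttl] [class] type rdata' lines as quoted in this thread.
    $-directives are skipped, relative names are qualified with origin, and ';' starts a
    comment (so quoted TXT strings containing ';' are not handled)."""
    origin = origin.lower().rstrip(".") + "."
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner = _absolute(fields.pop(0), origin)
        if fields and fields[0].isdigit():                      # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):  # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype in ("NS", "CNAME", "PTR"):                     # qualify name-valued rdata
            rdata = _absolute(rdata, origin)
        rrs.append((owner, rtype, rdata))
    return rrs


def occluded_records(rrs, origin):
    """RFC 1034 section 4.2.1: at a zone cut the parent is authoritative only for the NS (and DS)
    records, and below it only glue A/AAAA for the delegated name servers is served.
    Return every other record at or under a cut, together with the cut it falls under."""
    origin = origin.lower().rstrip(".") + "."
    cuts = {o for o, t, _ in rrs if t == "NS" and o != origin}          # apex NS is not a cut
    ns_targets = {r for o, t, r in rrs if t == "NS" and o in cuts}
    occluded = []
    for owner, rtype, rdata in rrs:
        for cut in cuts:
            if owner == cut or owner.endswith("." + cut):
                at_cut = owner == cut
                is_glue = rtype in ("A", "AAAA") and owner in ns_targets
                if not ((at_cut and rtype in ("NS", "DS")) or is_glue):
                    occluded.append((owner, rtype, rdata, cut))
                break
    return occluded


# Constructed example.com zone: pattern a) from the reply above plus the pattern point 2 warns about.
ZONE = """
$ORIGIN example.com.
@          IN SOA  ns1 hostmaster 2020040301 3600 900 1209600 300
@          IN NS   ns1
ns1        IN A    192.168.1.1
; a) delegation: only the NS and the glue A are served from this zone
subzone    IN NS   subzone
subzone    IN A    192.168.196.1
; point 2: delegating sub AND putting other data at or under it in the same zone
sub        IN NS   ns.sub
ns.sub     IN A    192.168.196.2
sub        IN TXT  "v=spf1 -all"
www.sub    IN A    192.168.196.10
"""


def demo():
    return occluded_records(parse_zone(ZONE, "example.com."), "example.com.")


if __name__ == "__main__":
    for owner, rtype, rdata, cut in demo():
        print(f"{owner} {rtype} {rdata}: occluded by delegation at {cut}")
```

Running it reports the TXT at sub.example.com. and the A at www.sub.example.com. as occluded; ns.sub's A survives as glue and subzone's A survives because subzone is itself the delegated name server. Records that must be served by the parent belong in the parent zone; anything else about sub belongs in sub's own zone on the servers the NS records point to.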



DNSSEC - many doubts

2020-04-02 Thread David Alexandre M. de Carvalho
Hello, good afternoon.
My first post in this list :)

I'm running BIND chroot for many years (currently version 9.8.2) on some old hardware running Oracle Linux 6.
I believe it was last year when I was reading about implementing DNSSEC, and I think I even tried to generate a keypair on the slowest server, which after more than a day wasn't ready yet. Maybe I was doing something wrong, I honestly don't know. So now I have had some time and am reading about this again.

If I query either of my servers about my domain:
dig @dns di.ubi.pt DNSKEY
I do get the DNSKEY, but I get no records when querying with +dnssec. My top domain (ubi.pt) doesn't have DNSSEC yet either.

my named.conf already has the following:

dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";

Outside the configuration file I also have a /etc/named.root.key

My questions:
1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it worth it?
2) I have one global "hosts" file and 3 reverse zone files, each for the respective IP network. Can I use the same keypair in all of them?
3) Are the files /etc/named.root.key and /etc/named.iscdlv.key already being used? I compared them to the result of the DNSKEY dig query but they are different.

Thank you so much for your time!
Best regards

Best regards
David Alexandre M. de Carvalho
---
IT Specialist
Department of Informatics
Universidade da Beira Interior
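On question 3, as an added example (mine, not from the thread or from BIND): the DNSKEY returned by dig @dns di.ubi.pt DNSKEY is the zone's own key, while /etc/named.root.key and the bindkeys-file hold trust anchors for the root zone (and, with dnssec-lookaside auto, for ISC's DLV registry, which has since been retired), so the two can never match. What identifies a key when comparing such files is its key tag (RFC 4034 Appendix B), and what a parent publishes to vouch for a child's key is a DS record (RFC 4034 section 5); both are computed below from a constructed DNSKEY whose four-byte key material is made up, not a real RSA key. The parser accepts the dig output form and the initial-key form used in the root key file.

```python
"""Key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4) for a DNSKEY (added example)."""
import base64
import hashlib
import struct


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B.1, valid for every algorithm except the obsolete RSA/MD5."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical (lower-case) wire form of a domain name; the root is a single zero byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS a parent would publish: digest over owner-name || DNSKEY RDATA.
    digest_type 1 is SHA-1, 2 is SHA-256 (the one to hand to ubi.pt once it is signed)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_dnskey(line):
    """Accept 'owner [ttl] [IN] DNSKEY flags proto alg key...' as dig prints it, or the
    'owner initial-key flags proto alg "key";' form of managed-keys / named.root.key.
    Returns (owner, flags, protocol, algorithm, base64 key)."""
    fields = line.replace(";", " ").replace('"', " ").split()
    marker = "DNSKEY" if "DNSKEY" in fields else "initial-key"
    i = fields.index(marker)
    return (fields[0], int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]),
            "".join(fields[i + 4:]))


def demo():
    """Constructed DNSKEY for di.ubi.pt.: flags 257 (KSK), algorithm 8 (RSASHA256), key bytes made up."""
    line = "di.ubi.pt. 3600 IN DNSKEY 257 3 8 AwEAAQ=="
    owner, flags, proto, alg, key = parse_dnskey(line)
    tag = key_tag(dnskey_rdata(flags, proto, alg, key))
    return tag, ds_record(owner, flags, proto, alg, key)


if __name__ == "__main__":
    tag, ds = demo()
    print("key tag:", tag)
    print(ds)
```

Feeding the DNSKEY lines from dig and the initial-key line from the trust-anchor file through parse_dnskey and key_tag makes the comparison meaningful: the tags identify which key is which, and a zone's key tag only ever appears in a trust-anchor file if someone configured that zone's key as an anchor.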


