Using a DynDNS hostname in master-statement for a bind slave?

2014-06-27 Thread Johannes Kastl

Hello everyone,

Sorry if this is a stupid question; I would love to get an RTFM
pointing me to the right documentation (I found none...).

My setup is like this (at least that is my plan):

In my home network I have:
Host A with bind as master for my zone example.org
Host B with bind as slave for my zone example.org, Host A set as its
master

The slave server (HOST B) is reachable from the internet via a dynDNS
hostname.

Now I want to set up another bind as slave on a server hosted at my
provider. It should use HOST B as its master, to transfer the zone and
act as a slave.

BUT I found nothing in the documentation on how to deal with a master
server that has no fixed IP and is reachable via a dynamic hostname.

Is this possible? Or do I have to set up a VPN to connect the external
server to the home network?

Thanks in advance for any tips or tricks or hints...

Regards,
Johannes
-- 
I don't want to achieve immortality through my work. I want to achieve
immortality through not dying.
(Woody Allen)

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Using a DynDNS hostname in master-statement for a bind slave?

2014-06-27 Thread Johannes Kastl

On 27.06.14 19:56 Doug Barton wrote:

> That's because it cannot be done. You need a master with a fixed
> address.

I was hoping it could be done. My bad. I'll try it with a VPN.

Thanks for the answer.

Regards,
Johannes
-- 
Love is like Pi: Natural, irrational and very important.
(unknown)



Re: Using a DynDNS hostname in master-statement for a bind slave?

2014-06-28 Thread Johannes Kastl

On 28.06.14 02:06 Reindl Harald wrote:

> setup openvpn with your dyndns as VPN client

Another idea I had was using stunnel to tunnel just one port from the
home LAN to the vserver. But I would need to tell bind to only use
TCP, as stunnel is only able to handle TCP.

Can I tell bind to only use TCP for zone transfers? Hmm, I'll go dig
in the documentation...

Regards,
Johannes
-- 
No need to use Windows -- it's easier to go through the door. (unknown)



Re: Using a DynDNS hostname in master-statement for a bind slave?

2014-06-28 Thread Johannes Kastl

On 28.06.14 10:51 Anand Buddhdev wrote:

> BIND uses TCP for zone transfers by default. It doesn't fall back
> to UDP, so you don't have to configure anything.

Oh, my bad, I must have mixed that up with something else then.

I'll try using stunnel and report back, if it works.

Thanks for your answer!

Regards,
Johannes
-- 
`Don't, Ginny, we'll send you loads of owls.´ `We'll send you a
Hogwarts toilet seat.´ `George!´ `Only joking, Mum.´
(Harry Potter and the Philosopher's Stone)



Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-24 Thread Johannes Kastl

Hi everyone,

I read quite a bit on DNSSEC in the last couple of weeks, and found
that BIND can automatically roll over the ZSK without manual intervention.

I also found the recommendation to change the NSEC3 salt each time
the key is rolled over.

What I did not find is whether BIND can also automatically change the salt
each time it does a ZSK rollover, because that would be quite handy...

Thanks in advance.

Regards,
Johannes
-- 
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
(Benjamin Franklin, 1759)



Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-28 Thread Johannes Kastl

Hi Carsten and all,

sorry for the late reply.

On 24.07.14 19:53 Carsten Strotmann wrote:

> I'm not aware that BIND 9 can do a ZSK rollover all on its own; it
> is however possible to set the timing values on the ZSK key files
> in a way that BIND 9 will execute the rollover at the set times.
> It is also possible to create a direct successor ZSK from an
> existing ZSK.

That is exactly what I meant. I prepare the keys and bind does the
rollover automatically.

> But the creation of the new ZSK, as well as setting the timing
> values, needs to be done outside BIND 9. It is relatively
> straightforward to script this in a cron job, and there are
> ready-made tools that can help.

I'll dig into scripting that. But I found Michael W Lucas' DNSSEC
Mastery a pretty good read on the process.

> In the same cron job, it is then possible to create a new NSEC3
> salt and inject that into the zone.

So basically BIND cannot do that for me, each time it does a key
rollover. That's what I wanted to know.

> Doing so at the exact moment of the ZSK key rollover (to prevent
> unnecessary re-generation of all RRSIGs) is tricky.
> 
> If the zone is not too big (e.g. re-generating all RRSIGs is not a
> problem), I would recommend rolling the salt in the same intervals,
> but independently of the ZSK rollover.

I'll stick with this, then.


Regards,
Johannes
-- 
Debian est omnis divisa in partes tres, quarum unam nominari Stable,
aliam Testing, tertiam qui ipsorum lingua Sid, nostra Unstable
appellantur.



Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-28 Thread Johannes Kastl

On 28.07.14 19:09 Evan Hunt wrote:
> On Mon, Jul 28, 2014 at 06:16:13PM +0200, Johannes Kastl wrote:

>> So basically BIND cannot do that for me, each time it does a key 
>> rollover. That's what I wanted to know.
> 
> "rndc signing -nsec3param" can change your salt.  Specifying "auto"
> as the salt causes named to generate a salt at random.

Good to know.

> There's currently no way to schedule it the way you can schedule 
> key rollovers, but you can put it in a crontab.

As I said, knowing that BIND does not do that automatically and I have
to put it in a crontab is exactly what I wanted to know...

Thanks for the answer.

Regards,
Johannes
-- 
Sex is like hacking. You get in, you get out, and you hope you didn't
leave something behind that can be traced back to you.



Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-30 Thread Johannes Kastl

On 28.07.14 23:05 Evan Hunt wrote:
>> "rndc signing -nsec3param" can change your salt.  Specifying
>> "auto" as the salt causes named to generate a salt at random.
> 
> I forgot to mention that the "auto" feature is new in 9.10, not in 
> older versions.

Thanks for the answer, good to know.
Regards,
Johannes
-- 
You know the world is going crazy when the best rapper is a white guy,
the best golfer is a black guy, the Swiss hold the America's Cup,
France is accusing the US of arrogance, and Germany doesn't want to go
to war. (from alt.jokes)


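The two mechanisms discussed in this thread, the cron job Carsten describes (set the timing metadata on the old ZSK, create a successor with dnssec-keygen -S) and the `rndc signing -nsec3param` call Evan mentions (with the 9.10-only "auto" salt), fit together in one script. The following is an added example written for this page, not code from the thread, from ISC or from any of the tools it names. It assumes a zone that named signs itself (auto-dnssec maintain or inline-signing) so that named acts on the Publish/Activate/Inactive/Delete metadata in the key files, and the zone name, key id, key directory and TTL/propagation delays are hypothetical. It executes nothing: every function returns the argv it would run, so the plan can be reviewed before being handed to subprocess.run() from cron.

```python
"""Plan a pre-publish ZSK rollover and an NSEC3 salt change for BIND 9.

Added example for this page; not code from the bind-users thread, from ISC
or from the tools named in it. It assumes a zone that named signs itself
(auto-dnssec maintain, or inline-signing) so that named acts on the
Publish/Activate/Inactive/Delete metadata in the key files, which is the
mechanism Carsten describes. Nothing is executed: the functions return the
command lines a cron job would run, so they can be reviewed first.
"""
from datetime import datetime, timedelta, timezone
import secrets
import shlex


def bind_time(t: datetime) -> str:
    """Absolute time in the YYYYMMDDHHMMSS (UTC) form dnssec-settime accepts."""
    return t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")


def zsk_rollover_schedule(activate: datetime, dnskey_ttl: timedelta,
                          max_zone_ttl: timedelta, propagation: timedelta) -> dict:
    """Timing for a pre-publish ZSK rollover.

    The successor is published DNSKEY-TTL plus propagation delay before it
    starts signing, so every validator that cached the old DNSKEY RRset has
    fetched the new one. The predecessor stays published but inactive until
    the last RRSIG it produced can have expired from caches: max zone TTL
    plus propagation after the switch. The delays are inputs to adapt to the
    zone, not measured values.
    """
    prepublish = dnskey_ttl + propagation
    retire = max_zone_ttl + propagation
    return {
        "new_publish": activate - prepublish,
        "new_activate": activate,
        "old_inactive": activate,
        "old_delete": activate + retire,
        "prepublish": prepublish,
    }


def rollover_commands(old_key: str, zone: str, keydir: str, sched: dict) -> list:
    """dnssec-settime / dnssec-keygen / rndc invocations that stage the rollover.

    dnssec-keygen -S creates a successor with the predecessor's algorithm and
    size; its Activate time is the predecessor's Inactive time and its Publish
    time is that minus the prepublication interval given with -i (seconds
    when no unit suffix is given). rndc loadkeys makes named pick the new key
    file up now instead of at the next dnssec-loadkeys-interval.
    """
    prepub_seconds = int(sched["prepublish"].total_seconds())
    return [
        ["dnssec-settime", "-K", keydir,
         "-I", bind_time(sched["old_inactive"]),
         "-D", bind_time(sched["old_delete"]), old_key],
        ["dnssec-keygen", "-K", keydir, "-S", old_key, "-i", str(prepub_seconds)],
        ["rndc", "loadkeys", zone],
    ]


def nsec3_salt_command(zone: str, bind_version: tuple, iterations: int = 10) -> list:
    """rndc command that re-salts the NSEC3 chain.

    Hash 1 is SHA-1, the only NSEC3 hash defined; flags 0 means no opt-out.
    'auto' lets named draw a random salt, but only from BIND 9.10 on (Evan's
    caveat), so for older versions an 8-byte salt is generated here.
    """
    salt = "auto" if bind_version >= (9, 10) else secrets.token_hex(8)
    return ["rndc", "signing", "-nsec3param", "1", "0", str(iterations), salt, zone]


def plan(zone, old_key, keydir, activate, bind_version,
         dnskey_ttl=timedelta(hours=1), max_zone_ttl=timedelta(days=1),
         propagation=timedelta(hours=2)) -> list:
    """Everything the cron job would run, as one list of argv lists."""
    sched = zsk_rollover_schedule(activate, dnskey_ttl, max_zone_ttl, propagation)
    return rollover_commands(old_key, zone, keydir, sched) + \
        [nsec3_salt_command(zone, bind_version)]


if __name__ == "__main__":
    # Hypothetical zone, key id and key directory; the rollover is set to start
    # in two days, and BIND is the 9.9.5 mentioned in the thread, so the salt
    # is generated locally rather than with 'auto'.
    when = datetime.now(timezone.utc).replace(microsecond=0) + timedelta(days=2)
    for argv in plan("example.org", "Kexample.org.+008+12345",
                     "/etc/bind/keys", when, (9, 9, 5)):
        print(shlex.join(argv))
```

Run it once per rollover period from cron and pipe the output into a shell after reading it. Re-salting rebuilds the whole NSEC3 chain and its signatures, which is why Carsten suggests doing it on the same cadence as, but independently of, the ZSK switch rather than trying to hit the exact moment of the rollover.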

Reload BIND to listen on additional interface?

2014-07-31 Thread Johannes Kastl

Hi everyone,

In the quest to use a master behind a router with changing IPs, I set
up a VPN and told bind on both sides to listen on the additional VPN IPs.

But sometimes they are not available at bind startup, or the VPN loses
its connection. So, when the VPN connection is ready again, I can let
OpenVPN run a script. My idea was to use this script to tell bind
that it can now bind to the interface again.

The question now is: which (rndc) command does that? Does an 'rndc
reconfig' tell BIND to bind to the interfaces anew?

Thanks in advance.

Regards,
Johannes
-- 
Working with Unix is like wrestling a worthy opponent. Working with
Windows is like attacking a small whining child who is carrying a .38.


Re: Reload BIND to listen on additional interface?

2014-07-31 Thread Johannes Kastl

On 31.07.14 13:29 Tony Finch wrote:

> Have you tried it to see if it just works automatically without an 
> explicit poke from rndc?

I guess I made a problem where there is none. At least if the option
below works...

I'll give it a try...

> The ARM describes this option:
> 
> automatic-interface-scan
Regards,
Johannes
-- 
Microsoft isn't the answer. Microsoft is the question, and the answer
is NO. (unknown)



Re: rndc (and now nsupdate too)

2014-08-01 Thread Johannes Kastl

Hi everyone,

On 01.08.14 15:58 Reindl Harald wrote:

> the whole discussion about rndc or not rndc, follow-up threads and
> side-threads, started after that reply below from me yesterday, and
> whoever brought "bounce" into the game also did not understand the
> context of the discussion

Calm down, everyone. Please. I did not intend to start a thread that
long and, uhm, intense...

My (simplified) conclusion:
In most setups, using rndc is the right way, because most people do
not know its advantages or the disadvantages of killing the daemon.
But there is a German saying, "Ausnahmen bestätigen die Regel", which
could be translated as 'exceptions prove the rule'. So, those
(exceptions) who really do know what they are doing can work around rndc.

Regards,
Johannes
-- 
Multiple exclamation marks are a sure sign of a diseased mind.
(Terry Pratchett)



Re: Reload BIND to listen on additional interface?

2014-08-01 Thread Johannes Kastl

On 31.07.14 13:55 Mark Andrews wrote:
> 
> 9.10 also has "rndc scan" for platforms without a routing socket or
> if you want to do it manually.

As I have not found a working RPM of bind 9.10 for openSUSE so far,
I have to ask:

How to handle this using 9.9.5? Just try and see what happens?

Regards,
Johannes
-- 
`Three Dementor attacks in a week, and all Romilda Vane does is ask me
if it's true you've got a Hippogriff tattooed across your chest´ [...]
`I told her it's a Hungarian Horntail,´ said Ginny, turning a page of
her newspaper idly. `Much more macho.´ (Ginny Weasley in Harry Potter 6)



Re: NAMED issue

2017-02-09 Thread Johannes Kastl
On 09.02.17 09:24 Sudharanjan Patnaik wrote:

> Issue: The named process is getting hung or stopped at least once a
> day on each of these Replicas. This is happening since more than 1
> year. Meanwhile, many vulnerability patch versions upgraded and
> currently running with the latest BIND 9.9.9.P5. Temporary Fix: A
> script is running to check and restart the named process if stopped
> or hung.

Without logs it might be very hard to help you...

Johannes


"chase DS servers" while setting up a Split-DNS-Server with static-stub

2017-02-14 Thread Johannes Kastl
Hi all,

I am trying to get more familiar with named/bind, and thus I am
experimenting a little. I am seeking guidance in setting up a
split-DNS server (i.e. resolving internal hosts that the outside does
not see and know about).

Host_1
I have bind running as a caching resolver in my home DMZ, only
accessible on the internal net. All DNS queries go through this one;
it works like a charm, even with DNSSEC validation enabled.

Host_2
Then I set up another bind as master for my zone ojkastl.de, which has
all the internal hosts that the external one does not and should not
have. The host is set as NS in the SOA of the zone and has an A
record for itself in the zone. Querying this host directly with dig
+norecurse lets me resolve my internal hosts.

I added the following to my named.conf on Host_1, and it works.

-- snip --
zone "ojkastl.de" {
type static-stub;
server-addresses { 192.168.99.3; };
};
-- snip --

The only thing I notice are these lines in the logs:

Host_1
-- snip --
error (chase DS servers) resolving 'ojkastl.de/DS/IN': 192.168.99.3#53
-- snip --

Host_2
-- snip --
client 192.168.99.2#22059 (ojkastl.de): query (cache)
'ojkastl.de/DS/IN' denied
-- snip --

Is this actually something to worry about?

I guess that DS might be DNSSEC-related, but apparently one cannot
disable DNSSEC validation for only one zone (or rather I could not get
it to work). And as this zone is not signed (yet) it might not matter.

When using a forward-type zone I got lots of additional NS records for
de (nic.de etc.) in my dig tests, so I tried the static-stub.

Thanks in advance for your help!

Johannes


Re: "chase DS servers" while setting up a Split-DNS-Server with static-stub

2017-02-14 Thread Johannes Kastl
Hi Tony,

On 14.02.17 13:16 Tony Finch wrote:

> It's annoying but benign. 

[nice explanation snipped]

Thanks for the confirmation, so it's nothing to worry about.

> For a "forward" zone, BIND acts as a recursive client, and expects
> the target server to be a recursive server. This mostly becomes
> important if there are delegations from the zone.

Nope.

> For a static-stub zone, BIND is an iterative client as usual, so
> it expects the target server to be an authoritative server. The
> static-stub configuration in effect overrides the zone's NS
> records.

It seems my choice of static-stub was not wrong in my case.

Thanks for the fast answer, Tony!

Johannes



Re: "chase DS servers" while setting up a Split-DNS-Server with static-stub

2017-02-14 Thread Johannes Kastl
On 14.02.17 13:24 MURTARI, JOHN wrote:
> Johannes,
> Noted your message below. I might suggest you check out the 'views'
> feature of BIND. You may find it a lot easier to set up/manage. Some
> starting info:
> https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html
> Best regards!
> John

Hi John,

I actually know about it and have set this up in my internal net for
another project.

But I think in this case it is not applicable. I do not have *one* server
that serves both internal and external queries. I have an external one
somewhere outside my net that I have no direct access to (a provider
server at the moment). And I have my internal one, which cannot be reached
from outside my LAN.

Or am I missing something with the views? Did you mean the first
resolving server should have another view acting as an authoritative
server for my zone?

Johannes


Re: trouble delegating a subdomain via NS record

2017-02-16 Thread Johannes Kastl
Hi,

On 16.02.17 17:31 John Ratliff wrote:

> IN NS ipa-test-client.example.com.
> idm IN NS ipa1.example.com.
> 
> IN MX 50 spamfw.example.com.
> 
> IN A 10.9.6.54

I could be totally wrong, but doesn't an empty first column use the
first column of the last entry? So you would have set MX and A for
idm, not for ipa1.example.com.?

Johannes
