Re: How to update zone with dnssec-policy

2023-07-04 Thread Matthew Seaman

On 03/07/2023 19:36, Matthias Fechner wrote:

> What I understood from the documentation:
> *-s* /server/[#/port/]
>
> I can maintain e.g. my zones from my local computer at home inside a git
> repository and use nsdiff and nspatch to push the changes to the server
> in the internet?


Correct.

> Does the server then have the source file (fechner.net) or does the
> server only work with raw and the .jnl file?


By default, the primary server will end up with a `fechner.net` zone 
data file in text format which contains pretty much the same RRs as 
your master copy in git, but reformatted into a standard style, sorted 
into order and with comments stripped[*].  Plus added DNSKEY, CDS, 
CDNSKEY, RRSIG records from dnssec signing.


There will be a .jnl file for each zone with the latest updates to the 
zone -- in principle you can use rndc(8) to flush changes from the 
journal into the main zone file, but this isn't necessary if you're 
using nsupdate based methods exclusively to maintain the zone data.


[*] Unless you have configured `masterfile-format raw` in which case 
your zone files will be in binary format.


> If I add a new zone, do I only need to configure it as master, define
> access to it and then upload the zone data via nspatch?


That should work, I think.  Can't say for sure as I don't tend to add 
new zones much.  You might need to start with a minimal zone file 
containing just SOA and NS records.


> If that would all be possible, that technique can maybe also be used to
> change letsencrypt verification to dns using the nsupdate command to get
> required information into the zone file.


Yes, I can confirm this works brilliantly with the dns-rfc2136 plugin.

> That would definitely open a lot of new possibilities to put more
> automation into the full setup. ;)


I've found it works very well to exempt TLSA and SSHFP records from 
nsdiff management (ie. nsdiff -i 'TLSA|SSHFP' ...) and then use Ansible 
to generate the appropriate resource records from corresponding keys on 
each host and add them into the zone data using the 
community.general.nsupdate module.


Cheers,

Matthew

--
Dr Matthew J Seaman
1 Newland St, Eynsham, Witney, OXON, 0X29 4LB



-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How to update zone with dnssec-policy

2023-07-02 Thread Matthew Seaman

On 02/07/2023 12:27, Matthias Fechner wrote:
> I have the following problem that changes in a zone file do not get
> active, no matter if I reload the zone using rndc or restart bind
> 9.16.42 on FreeBSD.
> If I update a zone I edit the zone file, adapt the serial in the SOA and
> normally do a rndc reload fechner.net.
>
> The nameserver is more or less set up like it is described here:
> https://wiki.idefix.fechner.net/freebsd/bind/
>
> The zonefile for domain fechner.net is in directory:
> /usr/local/etc/namedb/master/fechner.net
>
> It is not a dynamic zone file, or better, I cannot freeze it:
>   rndc freeze fechner.net
>   rndc: 'freeze' failed: not dynamic
>
> But if I delete the files:
> fechner.net.jbk
> fechner.net.signed.jnl
>
> and restart bind, zone changes are correctly loaded and I can see an
> increased serial in:
>
> dig -t soa fechner.net.
>
> Would be nice if someone can explain to me how I need to edit a zone file
> that has a dnssec-policy attached so that modifications get active, without
> the need to delete the `*.[jbk|jnl]` files.




Personally, I maintain zone files with DNSSEC signing on FreeBSD using 
the dns/p5-DNS-nsdiff port, which is a perl module written by Tony Finch 
-- someone well known on this list.


You can keep your zone files in git or whatever code repository suits 
you. nsdiff will compare what's live in your DNS zone against what's in 
your updated zone file and generate a script for nsupdate(1) to make the 
former match the latter.


You'll need to configure appropriate levels of access for nsupdate(1). 
That can be from pretty much any machine given you set up zone policies 
and distribute keys appropriately. Although if you run nsdiff directly 
on your primary DNS machine, you should be able to use the built-in 
/var/run/named/session.key with a per-zone policy like:


```
update-policy {
    grant local-ddns zonesub any;
};
```

See the '-l' flag to nsupdate(1).

Cheers,

Matthew




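As an added illustration of the nsdiff workflow described in this reply and in the 2023-07-04 one above (including the `-i 'TLSA|SSHFP'` exemption), here is a stripped-down re-implementation of what nsdiff does, not Tony Finch's code: compare the live zone with the edited file and emit an nsupdate(1) script. The zone data is constructed, and the serial policy (live serial + 1) and the `prereq` line are my assumptions.

```python
"""Minimal nsdiff-style comparison: work out which RRs must change for the live
zone to match the edited zone file, and emit an nsupdate(1) script for it.
Added illustration, NOT Tony Finch's nsdiff; the zone data below is constructed."""
import re

# An RR is (owner, ttl, type, rdata): owner fully qualified and lower-cased.
# The signer owns these types, so a diff must never try to add or delete them.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}


def parse_zone(text, origin):
    """Parse a one-RR-per-line 'owner ttl IN type rdata' listing.
    Handles ';' comments, '@' and relative owner names; no $ directives."""
    rrs = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        rrs.add((owner.lower(), int(ttl), rtype.upper(), " ".join(rdata.split())))
    return rrs


def nsdiff(live, wanted, origin, ignore=None):
    """Return nsupdate script lines that make `live` match `wanted`, or [] if
    nothing differs. `ignore` is a regex of record types to leave alone, like
    nsdiff -i 'TLSA|SSHFP' for records that some other tool maintains.
    The SOA is never diffed: its serial is bumped explicitly at the end
    (assumed policy: live serial + 1)."""
    skip = re.compile(ignore) if ignore else None

    def managed(rr):
        rtype = rr[2]
        if rtype == "SOA" or rtype in DNSSEC_TYPES:
            return False
        return not (skip and skip.fullmatch(rtype))

    live_m = {rr for rr in live if managed(rr)}
    want_m = {rr for rr in wanted if managed(rr)}
    if live_m == want_m:
        return []
    # Refuse to run against an unknown zone: the prereq fails if it has no SOA.
    lines = [f"prereq yxrrset {origin} SOA"]
    for rr in sorted(live_m - want_m):
        lines.append("update delete %s %d %s %s" % rr)
    for rr in sorted(want_m - live_m):
        lines.append("update add %s %d %s %s" % rr)
    owner, ttl, _t, rdata = next(rr for rr in live if rr[2] == "SOA")
    fields = rdata.split()            # mname rname SERIAL refresh retry expire minimum
    fields[2] = str(int(fields[2]) + 1)
    lines.append("update add %s %d SOA %s" % (owner, ttl, " ".join(fields)))
    lines.append("send")
    return lines


ORIGIN = "example.com."  # constructed; stands in for the zone discussed in the thread

# What the primary serves now (think: trimmed dig axfr output). Note the
# signer-generated DNSKEY/RRSIG and a TLSA record that Ansible maintains.
LIVE = """
@     3600 IN SOA    ns1.example.com. hostmaster.example.com. 2023070401 7200 900 1209600 3600
@     3600 IN NS     ns1.example.com.
@     3600 IN DNSKEY 257 3 13 AwEAAconstructedKSKdata=
www   300  IN A      192.0.2.10
www   300  IN RRSIG  A 13 3 300 20230801000000 20230701000000 12345 example.com. sigdata=
_443._tcp.www 300 IN TLSA 3 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# The master copy from git: www moved and an MX was added. No TLSA here,
# because that record is generated from the host's key, not kept in git.
WANTED = """
@     3600 IN SOA    ns1.example.com. hostmaster.example.com. 2023070401 7200 900 1209600 3600
@     3600 IN NS     ns1.example.com.
@     3600 IN MX     10 mail.example.com.
www   300  IN A      192.0.2.20   ; new web server
"""


def make_script(live_text, wanted_text, origin=ORIGIN, ignore=None):
    return nsdiff(parse_zone(live_text, origin), parse_zone(wanted_text, origin),
                  origin, ignore)


def example():
    """The thread's recipe: leave TLSA/SSHFP alone, diff everything else."""
    return make_script(LIVE, WANTED, ignore="TLSA|SSHFP")


if __name__ == "__main__":
    # On the primary, the output can be piped straight into `nsupdate -l`.
    print("\n".join(example()))
```

Real nsdiff additionally handles $INCLUDE, multi-line records and the journal-backed serial, which this sketch skips; without the `ignore` argument the same diff would delete the Ansible-managed TLSA record.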


Re: DNS traffic accounting

2017-07-18 Thread Matthew Seaman
On 07/18/17 16:09, Abi Askushi wrote:
> I am trying to figure out how could I account the DNS traffic generated
> from clients in terms of bytes. My setup is a simple caching DNS with
> several clients querying the DNS server.  I can measure the DNS traffic
> that is generated from the DNS server on the WAN side by using some
> monitoring tool (pmacct) but I am not sure how could I account this traffic
> to the clients that are generating this traffic. By simply monitoring the
> internal DNS traffic from clients I expect to not be accurate since it will
> include also cached responses which do not generate WAN traffic.
> 
> Any suggestion how to approach this problem?

The implication of what you're suggesting is that if client A looks up
some address that isn't in the cache, then they will be charged for
that. However, if client B then comes along and looks up the exact same
address shortly afterwards, they'll get a response from cache and so not
be charged.  That seems a bit arbitrary.

Why not charge your clients based simply on the number of queries they
make against your resolver?  You know or can easily find out how many
queries your resolver is handling in total and how much the WAN traffic
that generates is costing you so it should be fairly easy to come up
with a charging scheme based on the average cost per DNS query.

Cheers,

Matthew




Re: "spare hosts" as personal DNS nameservers for 'mynew.org'

2017-07-11 Thread Matthew Seaman
On 2017/07/11 14:57, b...@zq3q.org wrote:
> I have several linux VMs, that are under used, so I want to use them
> for the nameservers for 'mynew.org'.  **Neither are in 'mynew.org';
> is that going to work?**

Yes, that will work.  There is no requirement for any of the NSes for a
zone to be part of that zone or, conversely, not part of that zone.
Although if any of the NSes are in the zone, there should be glue
records added at the level above.

> namecheap support seems to suggest that the personal DNS authoritative
> nameservers for 'mynew.org', must be in 'mynew.org', as in
> 
> ns1.mynew.org
> ns2.mynew.org
> 

This is not a requirement from the DNS side.  It's normal for providers
to offer this -- vanity name servers are usually a selling point.

Even so, if you can make ns1.mynew.org and ns2.mynew.org resolve to the
A or AAAA addresses of your VMs, you should be good to go.  named is
going to work the same irrespective of whatever it thinks the hostname
of your VM is, and that can be different to the name users look up in
the DNS.

Failing that, there are any number of other providers that will let you
register a domain, and the vast majority of those certainly will let you
specify your own nameservers.

Cheers,

Matthew







Re: designing the DNS from the scratch

2017-07-10 Thread Matthew Seaman
On 2017/07/10 14:16, Matus UHLAR - fantomas wrote:
>>> But you do know the approximate speed of light in a vacuum?
> 
> there's always dark in my vacuum, so the speed of light doesn't apply
> there.
> 
> On 10.07.17 09:02, wbr...@e1b.org wrote:
>> More importantly, what is the speed of light in a fiberoptic connection?
>> Speed of electrons in copper wire?
> 
> speed of electrical field, which is the same as speed of light.
> electrons are much slower.
> 
> however, the longest distances on earth are about 2km, which requires
> at least 67ms for signal to get there and 133ms to get back.
> in reality there's some small delay on each network device in the path, so
> the 3ms can only be achieved on short distances.
> 

Indeed.  Assuming the OP was talking about providing an authoritative
service -- that is, to allow the rest of the world to look up their
customer's domains -- then if they went back to their customer with a
more realistic target of say a 95th-percentile limit of a sub-50ms RTT
for users in urban North America, Europe, Russia, Japan and other
locations with a well developed Internet infrastructure, that could be
achieved by putting DNS servers in strategically located POPs on each
continent and using anycast routing to direct traffic to the nearest
location.

Which would be eye-wateringly expensive to do for just one client,
unless they needed about as much capacity as a middle-sized ccTLD.

Or you could buy a service from one of a number of DNS service providers
who provide pretty much exactly what I described.  That will still be
quite expensive, but not to the extent that it would cause inadvertent
emission of bodily fluids.

On the other hand, if they were talking about providing a recursive DNS
caching service to allow their customer's servers to look stuff up from
the internet, then a 3ms RTT is not impossible so long as

   * the DNS machines are sufficiently close to the client's machines
     that you can readily achieve sub-3ms ping RTTs between them

   * the 3ms limit *only* applies to responses from cached data.

There's clearly no way you can guarantee <3ms if your recursive server
needs to talk to a machine on the other side of the planet where it
takes at least 200ms just to get packets there and back again.

Cheers,

Matthew





Re: The DDOS attack on DYN & RRL ?

2016-11-01 Thread Matthew Seaman
On 2016/11/01 14:45, Ben Croswell wrote:
> The other option being having a master owned by your company and then
> setting both external providers to secondary from your master. You to
> maintain control over data and hqve diversity.

Agreed.  This works well -- it's what we do.

Cheers,

Matthew





Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Matthew Seaman
On 2016/10/31 16:09, Barry Margolin wrote:
> I heard that the impact of the attack was even narrower than just the 
> US, it was mostly eastern US. That suggests some things about the 
> granularity of Dyn's anycast network and the distribution of the Mirai 
> botnet.

There were actually three attacks on the same day.  The first (about
12:00 UTC) affected pretty much just the Eastern USA, and we saw little
beyond some raised RTTs in Europe.  The second (about 16:00 UTC) took out
all the Dyn POPs in the USA and affected their European POP.  The third
(around 18:00 UTC) ... was pretty much a non-event.  Dyn had mitigated
the attacks pretty effectively by that point.

Cheers,

Matthew





Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Matthew Seaman
On 2016/10/31 14:53, Jim Popovitch wrote:
> On Mon, Oct 31, 2016 at 10:25 AM, Matthew Seaman
>  wrote:
>> This despite the fact that Dyn has a global anycast network with
>> plenty of bandwidth, points of presence all round the world and
>> each POP contains a bunch of top-of-the-line servers.
> 
> It seems to me that anycast is probably much worse in the Mirai botnet
> scenario unless each node is pretty much as robust as a traditional
> unicast node.

I couldn't really say whether unicast is more or less resistant to this
sort of attack -- I'd guess either way it would be down to the capacity
at each individual node.

It was Dyn's USA POPs that bore the brunt of the attack, presumably
because most of the Mirai bots were located in the USA.  Even so, it
still caused us plenty of grief in Europe.  Apparently the effects were
fairly minimal in the Far East.

Cheers,

Matthew







Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Matthew Seaman
On 10/31/16 12:41, MURTARI, JOHN wrote:
> God only knows, the DDOS hackers are probably on this list, but I
> have to ask what protections DYN had in place before the attack
> occurred.  RRL has been promoted as some protection against these
> types of attacks.  If they had it in place, did it help or was the
> pure volume of traffic the real issue?

Having been burned by the DDoS I can tell you that 'RRL' functionality
was pretty much irrelevant in this case.  This was not using DNS servers
as traffic amplifiers (which is what RRL mitigates against).

This was using millions of insecure IoT devices -- frequently web cams
-- to generate a massive overkill-level traffic surge -- lots of DNS
lookups -- that simply overwhelmed Dyn's servers.  This despite the fact
that Dyn has a global anycast network with plenty of bandwidth, points
of presence all round the world and each POP contains a bunch of
top-of-the-line servers.

Surviving DDoS is all about having more capacity available than your
attackers can fill up[*].  These Mirai botnets have upped the ante by a
wide margin.  I suspect that the DDoS protection companies, the big DNS
service providers, the TLD and the root operators are quietly but
frantically working on plans to beef up their defenses...

Cheers,

Matthew

[*] Even by proxy: anti-DDoS companies essentially have network capacity
available for hire as well as some pretty fancy traffic filtering
techniques.




Re: compile and install from source

2015-03-31 Thread Matthew Seaman
On 31/03/2015 02:32, @lbutlr wrote:
>> Can you start the named process "by hand" -- the command line should be
>> something like:
>>
>>    # /usr/local/sbin/named -u bind -c /etc/namedb/named.conf \
>>        -t /var/named

> Yes, that works without reporting any errors, so the issue appears to
> be with /usr/local/etc/rc.d/named startup script.

Since you're running FreeBSD 8.4, you will still have the startup
scripts from the base system -- /etc/rc.d/named These are quite capable
of starting up the ports version of named. Just set

   named_command="/usr/local/sbin/named"

in /etc/rc.conf

Actually, given you *aren't* using the ports, where did
/usr/local/etc/rc.d/named come from?  That's supplied exclusively by the
port.

> However, if I try to check rndc…
> 
> # /usr/local/sbin/rndc status
> rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
> 
> Now, it is true that there is no rndc.conf, but that is true on all three 
> name servers. There is a rndc.key in /var/named/etc/namedb/rndc.conf
> 
> I’m not sure why it is looking in (I assume /var/named/etc instead of)  
> /var/named/etc/namedb.
> 
> is named_chrootdir="/var/named" not correct?

There should be a symbolic link /etc/namedb -> /var/named/etc/namedb if
you're using the standard chroot setup in FreeBSD 8.4.  The default
location for rndc.conf is /etc/namedb/rndc.conf  but again, there would
usually be a symlink /etc/rndc.conf -> /etc/namedb/rndc.conf (which
means the actual location after chasing all the symlinks is
/var/named/etc/namedb/rndc.conf)  Similarly for rndc.key if you are
using that instead.

I usually added another symlink /usr/local/etc/rndc.conf ->
/etc/namedb/rndc.conf when using the ports version of named with the
system versions of the named configuration scripts.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.

PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk




Re: compile and install from source

2015-03-30 Thread Matthew Seaman
On 03/30/15 00:35, @lbutlr wrote:
> Downloaded and compiled bind-9.9.7 (FreeBSD 8.4-RELEASE) and it built fine 
> (./configure && make && make install).

On FreeBSD, building software out of the ports is definitely
recommended.  It does the usual configure and make dance, but you also
get the benefit of using the package management system, and any OS
specific patches that might need to be applied.  (Not that there are
many with BIND).

> If I try to start named (service named start), it starts this version instead 
> of the version in /usr/local/sbin
> 
> I found this in /etc/defaults/rc.conf:
> 
> named_enable="NO"   # Run named, the DNS server (or NO).
> named_program="/usr/sbin/named" # Path to named, if you want a different one.
> named_conf="/etc/namedb/named.conf" # Path to the configuration file
> #named_flags="" # Use this for flags OTHER than -u and -c
> named_uid="bind"# User to run named as
> named_chrootdir="/var/named"# Chroot directory (or "" not to auto-chroot 
> it)
> named_chroot_autoupdate="YES"   # Automatically install/update chrooted
>   # components of named. See /etc/rc.d/named.
> named_symlink_enable="YES"  # Symlink the chrooted pid file
> named_wait="NO" # Wait for working name service before exiting
> named_wait_host="localhost" # Hostname to check if named_wait is enabled
> named_auto_forward="NO" # Set up forwarders from /etc/resolv.conf
> named_auto_forward_only="NO"# Do "forward only" instead of "forward first"
> 
> So I changed the path (in /etc/rc.conf) to /usr/local/sbin/named
> 
> But now I get:
> 
> $ /etc/rc.d/named start
> Starting named.
> /etc/rc.d/named: WARNING: failed to start named
> 
> But nothing is logged in /var/log/messages
> 
> For now, I am pointing back to the old 9.8.4 version.

It's been a while since I ran FreeBSD 8.4 on any nameservers, but I
recall it working fine using the ports version of named and the
configuration files from the base system.

Can you start the named process "by hand" -- the command line should be
something like:

   # /usr/local/sbin/named -u bind -c /etc/namedb/named.conf \
       -t /var/named

(assuming you want it to run chrooted)

If you've setup named to log to syslog, rather than just writing its own
files, then adding

   syslogd_flags="-l /var/named/var/run/log"

to /etc/rc.conf and restarting syslogd may get you some better logging
information.

Cheers,

Matthew







Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-09 Thread Matthew Seaman
On 09/07/2012 01:40, Doug Barton wrote:
> On 07/08/2012 17:33, Matthew Pounsett wrote:
>>
>> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>>
>>>
>>> On 2012/07/08, at 20:26, Mark Andrews wrote:
>>>

>>>> One can also build named w/o GOST support if one wants.  We statically
>>>> link all the engines when building named on Windows.
>>>
>>> Unfortunately the port doesn't provide the config hooks to disable GOST 
>>> support.
>>
>> Actually.. how do you go about doing that anyway?  I was just taking a look 
>> at writing a patch for the port to allow GOST to be turned off, but BIND's 
>> configure script doesn't have any information in it about disabling 
>> individual ciphers.
> 
> I wouldn't accept it anyway. For better or worse, GOST is part of the
> protocol.

GOST is not available in the version of OpenSSL in the FreeBSD base.

Here's a patch to turn off GOST from the dns/bind99 port when used with
openssl 1.0.x also from ports:

cvs diff: Diffing .
Index: Makefile
===
RCS file: /home/ncvs/ports/dns/bind99/Makefile,v
retrieving revision 1.9
diff -u -u -r1.9 Makefile
--- Makefile4 Jun 2012 21:51:34 -   1.9
+++ Makefile9 Jun 2012 08:59:45 -
@@ -209,6 +209,11 @@
${WRKSRC}/bin/named/Makefile.in.Dist > \
${WRKSRC}/bin/named/Makefile.in

+.if defined(WITH_OPENSSL_PORT)
+post-configure:
+   ${SED} -i~ -e 's:^#define HAVE_OPENSSL_GOST.*:/* #undef
HAVE_OPENSSL_GOST */:' ${WRKSRC}/config.h
+.endif
+
 PORTDOCS=  *
 PKGMESSAGE=${.CURDIR}/../bind97/pkg-message
 PKGINSTALL=${.CURDIR}/../bind97/pkg-install
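Review bot: this hunk will not apply as pasted. The mail client has wrapped the sed command, so `HAVE_OPENSSL_GOST */:' ${WRKSRC}/config.h` now sits on a line of its own with no leading `+`, and the two context lines after the `@@` header have lost their leading space; re-join the sed line (it has to be a single line, or the first half needs a backslash continuation) and send the patch as an attachment. Minor: `${SED} -i~` leaves a `config.h~` backup behind in ${WRKSRC}; `-i ''` avoids the stray file.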

The equivalent for dns/bind98 is almost identical.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW






Re: bind caching dns

2012-05-08 Thread Matthew Seaman
On 08/05/2012 10:09, Ben wrote:
> I am new with bind.I am trying to configure bind as caching server for
> our network.I configure it and it works successfully.
> 
> Can we get report or statistics something which shows which queries
> resolved from cache and which resolved from internet?

Yes. Add a section something like this (adapt for your own IP range and
whatever port number you prefer):

statistics-channels {
inet 192.0.2.1   port 8080 allow { trusted; };
inet 2001:db8::1 port 8080 allow { trusted; };
};

where 'trusted' is an ACL defining what IPs should be allowed to access
the statistical data.  You can now make HTTP queries like so:

   http://192.0.2.1:8080/

which will get you an XML document containing many statistics about the
performance of your named instance.  If you ever decide to set up an
authoritative server, you might consider adding 'zone-statistics yes;'
in the options { } section, but this doesn't make any difference to
recursive-only resolvers.

> bind has snmp mib for monitoring ?

Not to my knowledge.  It should be possible to write an agentx plugin
that translates from the XML data provided natively, but you'll have to
write your own MIBs since the standard one from RFC1612 seems to have
received little development since.  Indeed RFC3197
(https://www.ietf.org/rfc/rfc3197.txt) tells a cautionary tale.

Cheers,

Matthew


Re: rndc status number of zones

2012-03-01 Thread Matthew Seaman
On 01/03/2012 12:10, Emil Natan wrote:
> On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman <
> m.sea...@infracaninophile.co.uk> wrote:
>
>> On 01/03/2012 11:20, Emil Natan wrote:
>>> Do any of you experience the same issue? Any ideas what I'm missing or
>>> what's wrong?
>>
>> Automatic empty zones?
>>
>>
> Thanks for the input. It seems you are right, adding "recursion no;" to
> named.conf which disables the automatic empty zones, reduces the number of
> zones to what I expect +1, which means named.conf with no "zone"
> statements, "rndc status" returns "number of zones: 1", when I have 7 zone
> statements, the number returned is 8. So I'm still missing something. Any
> ideas?

Try:

   zone-statistics yes;

and then dumping statistics, or looking at the XML statistics output.
In fact, there are 4 extra zones in the _bind view I'd expect you to see
as well as your configured zones:

[version.bind (view: _bind)]
[hostname.bind (view: _bind)]
[authors.bind (view: _bind)]
[id.server (view: _bind)]

Cheers,

Matthew


Re: rndc status number of zones

2012-03-01 Thread Matthew Seaman
On 01/03/2012 11:20, Emil Natan wrote:
> Do any of you experience the same issue? Any ideas what I'm missing or
> what's wrong?

Automatic empty zones?

Cheers,

Matthew


Re: forwarding "@" to a different domain?

2012-01-08 Thread Matthew Seaman
On 08/01/2012 17:09, enigmedia (onl) wrote:
> How do I point requests for "http://mydomain.com" and
> "http://www.mydomain.com" to "http://mydomain.myshopify.com"?

Look up an A record (or AAAA) for mydomain.myshopify.com, then
create a similar A (or AAAA) record pointing to the same address in your
zone file.

If mydomain.myshopify.com is likely to change address (some HA/LB setups
can result in this) then you're out of luck, and you'll have to
use your webserver to redirect the traffic.

> Or is there no way to do this in DNS, and I need to instead point the
> domain to my webserver and set up a permanent redirect there?

Yes.  That would work, but it means that the people using your site will
see the URL change to http://mydomain.myshopify.com/

You might find it better to put the CNAME in for www.mydomain.com
pointing at mydomain.myshopify.com and then use a 301 redirect from
mydomain.com to www.mydomain.com -- so your users see the site as
www.mydomain.com.

Wouldn't it be nice if HTTP clients and servers understood
_http._tcp.mydomain.com SRV records?  That's becoming the standard
solution to this sort of problem nowadays, but unfortunately, the HTTP
specifications predate that idea and there is no client side support for
it generally available.

Cheers,

Matthew


Re: multiple `zone' clauses for a single domain?

2011-11-25 Thread Matthew Seaman
On 25/11/2011 16:59, Marek Kozlowski wrote:
> Is it allowed to use a few `zone' clauses for a single domain? Is
> something like this correct:
> 
> zone "mickey.mouse.com" in {
> type master;
> file "pri/mickey-public.zone";
> allow-query { any; };
> allow-transfer { xfer; };
> };
> 
> zone "mickey.mouse.com" in {
> type master;
> file "pri/mickey-private.zone";
> allow-query { trusted; };
> allow-transfer { xfer; };
> };
> 
> where `mickey-public.zone' stores information on public hosts from my
> domain while `mickey-private.zone' stores hosts that should be
> visible/known only for trusted host?

This doesn't work -- you can't mix the data from two different zone
files in this way.  One zone file per zone is the rule. Although that
file can include others, this doesn't really provide scope for the sort
of thing you want to do.

> Should I duplicate all records from `mickey-public.zone' in
> `mickey-private.zone'?

Duplicating records like that is annoying and error prone.  It's a
better strategy to create separate zones for your private internal and
your public data.  So you can have example.com published to the world,
and example.local just for your private stuff.  Or you could create a
sub-domain of your globally published data eg. local.example.com
(Although in this case, if you delegate the private zone from the public
one, the delegation records and any glue will be publicly available,
which may not be desirable.)

> Do I *have* to use views to deal with such distinction or can I specify
> it just as above without views?

If you need to give different answers from the same server depending on
who is asking the question, then, yes, you definitely need views.

Cheers,

Matthew

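The split-view layout this reply recommends, as an added example that is not from the thread: the `trusted` and `xfer` ACL names and the two zone file names are taken from the question, while the address ranges are hypothetical.

```conf
// Hypothetical ranges: your internal networks and your secondary's address.
acl trusted { 192.0.2.0/24; 2001:db8:1::/48; };
acl xfer    { 198.51.100.53; };

// Views are tried in order and the first match-clients hit wins, so the
// restricted view has to come before the catch-all one.
view "internal" {
    match-clients { trusted; };
    zone "mickey.mouse.com" in {
        type master;
        // Holds the internal-only hosts; it can $INCLUDE mickey-public.zone
        // so the public records are not maintained twice.
        file "pri/mickey-private.zone";
        allow-transfer { xfer; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "mickey.mouse.com" in {
        type master;
        file "pri/mickey-public.zone";
        allow-transfer { xfer; };
    };
};
```

Once any view is defined, every zone statement (localhost, reverse zones and so on) has to live inside a view. A secondary whose source address matches `trusted` transfers the private data, so keep a public-facing secondary's address out of the trusted ranges.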

Re: Puzzeling about IPv6

2011-11-19 Thread Matthew Seaman
On 19/11/2011 18:47, 夜神 岩男 wrote:
>> Oh, and given you've got 64bits to play with, so long as your random
>> numbers are up to scratch no need to worry about collisions.  You'd
>> need to be assigning millions of addresses before you ran into that
>> problem.
> 
> Not to be an ass and this is likely a decade too early, but... this is
> direct echoes of what I heard 20 years ago.
> 
> Does systematic thinking belong in /32+ IPv6 addressing or is it in fact
> safe to just random it all away willy-nilly?

Look at http://en.wikipedia.org/wiki/Birthday_paradox

With 64bits of host address space in a typical IPv6 network, you would
need to be allocating 6.1 million addresses to have a 1 in a million
chance of a collision.  You'd need 5.1 billion addresses for a 1 in 2
chance of a collision.  If you get a collision in a typical network of
maybe several hundred machines, then suspect your random number
generator before anything else.

Cheers,

Matthew


Re: Puzzeling about IPv6

2011-11-17 Thread Matthew Seaman
On 17/11/2011 15:13, Michelle Konzack wrote:
> my ISP is now offering an IPv6 /64 subnet for free for each Server.
> Not only Root-Servers but for really ALL!
> 
> OK, however, I like to setup my VHosts to use  it,  but  I  am  puzzling
> around how to do this with bind9  (I run Debian)
> 
> I have gotten this:
> 
> IPs: 2a01:4f8:d12:1300:: /64
> Gateway: 2a01:4f8:d12:1300::1 /64
> Usable IP addresses:
> 2a01:4f8:d12:1300::2 to 2a01:4f8:d12:1300::::
> 
> sounds very much!
> 
> Question: How should I choose the IPs?

i) Use SLAAC -- your host will generate itself an IP from its MAC
address plus the network prefix obtained from the router.  You'll have
to confirm with Hetzner that they support this: I can't imagine that
they wouldn't.

ii) There's also DHCP6, but I think you'd probably have to set up your
own dhcp6 server.  Try asking on the dhcp list if you need more info
about this.

iii) Just make one up, randomly.

# perl -le "for (1..4) { printf ':%x', rand(65536); } print;"
:dbc3:b0f9:28fa:2235

(adding your network prefix to that is left as an exercise)

Oh, and given you've got 64bits to play with, so long as your random
numbers are up to scratch no need to worry about collisions.  You'd
need to be assigning millions of addresses before you ran into that problem.

iv) Any other way you can think of

None of these methods are anything much to do with bind -- that only
comes in once you've decided which IP to use, since then you'll need to
enter it into a zone file somehow and publish it in the DNS so the world
can find your servers.  This is exactly the same problem as for IPv4,
except with a larger address space.  DDNS is a good solution, but
maintaining zonefiles with a text editor also works.  See arpaname(1)
for how to convert the IP number into a PTR record for reverse lookups.

Cheers,

Matthew

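An added example (Python, not from either of the two IPv6 replies above) tying them together: the "just make one up, randomly" option with the /64 from the original question, drawn from a CSPRNG instead of perl's rand(), plus the birthday-bound arithmetic behind the 6.1 million and 5.1 billion figures. The prefix and the gateway ::1 are from the thread; the function names are my own.

```python
import ipaddress
import math
import secrets

# The /64 quoted in the question; ::1 is the gateway the ISP assigned.
PREFIX = ipaddress.IPv6Network("2a01:4f8:d12:1300::/64")


def random_host_address(prefix, rng=secrets.randbits):
    """Option iii) from the reply: a random 64-bit interface identifier joined
    to the network prefix (the part the post leaves as an exercise).

    `rng(bits)` must return an int of that many random bits; the default is
    the CSPRNG in `secrets`, since weak randomness is the one thing the reply
    says to suspect if a collision ever shows up."""
    if prefix.prefixlen != 64:
        raise ValueError("expected a /64, got /%d" % prefix.prefixlen)
    iid = rng(64)
    # Skip the subnet-router anycast identifier (all zero) and the gateway (::1).
    while iid in (0, 1):
        iid = rng(64)
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def collision_probability(n, bits=64):
    """Birthday approximation: P(collision among n picks) ~ 1 - exp(-n^2 / (2 * 2^bits))."""
    return 1.0 - math.exp(-(n * n) / (2.0 * 2 ** bits))


def addresses_for_probability(p, bits=64):
    """Invert the approximation: the number of random identifiers at which the
    collision probability reaches p.  Reproduces the reply's figures for
    p = 1e-6 (about 6.1 million) and p = 0.5 (about 5.1 billion)."""
    return math.ceil(math.sqrt(2.0 * 2 ** bits * math.log(1.0 / (1.0 - p))))


if __name__ == "__main__":
    print("random address:", random_host_address(PREFIX))
    for p in (1e-6, 0.5):
        print("P(collision) = %g after roughly %d addresses" % (p, addresses_for_probability(p)))
```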

Re: Port number in A record in zone file

2011-11-17 Thread Matthew Seaman
On 17/11/2011 14:41, Aleksander Kurczyk wrote:
> If not, it is possible to map traffic from 127.0.0.11:53,
> 127.0.0.12:53 and 127.0.0.13:53 to 127.0.0.1:2001, 127.0.0.1:2002 and
> 127.0.0.1:2003 or to setup new loopback interfaces for 127.0.0.11,
> 127.0.0.12 and 127.0.0.13 on Mac OS X or somehow do that?

If you're going to create all those alias IPs on the loopback, why not
just run a named on each of them directly?  No need to worry about port
translation then.

Setting up aliases is easy enough:

seedling:~:% sudo ifconfig lo0 inet 127.0.0.2 alias
Password:
seedling:~:% ifconfig lo0
lo0: flags=8049 mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff00
inet 127.0.0.2 netmask 0xff00

(deleting one is just: sudo ifconfig lo0 inet 127.0.0.2 -alias)

Cheers,

Matthew


Re: [Best practice] Internal zone

2011-11-15 Thread Matthew Seaman
On 15/11/2011 12:50, Jeremy MAURO wrote:
> I'm asking you all for your best practice regarding your internal DNS and
> zones.
> 
> I have a 2 DNS servers used as Internal DNS and Resolvers, here is the
> dilemma, should I declare in each internal zone my NS with a glue record:
> 
> $ORIGIN example.internal.
> ; NS records
>       IN  NS  ns1
>       IN  NS  ns2
> ns1   IN  A   10.10.10.10
> ns2   IN  A   10.10.10.11
> 
> 
> Or should I point toward the NS server from my principal zone:
> 
> $ORIGIN example.internal.
> ; NS records
>       IN  NS  ns1.principal.internal.
>       IN  NS  ns2.principal.internal.
> 
> 
> Which one of those 2 samples is the best one and the closer from the
> RFCs? As far as I know, the second sample should be the best one since
> the RFC 1912 says "Some people get in the bad habit of putting in a glue
> record whenever they add an NS record 'just to make sure'."
> 
> Any opinion is approached.

If you've already got A (and PTR) records set up for your nameservers,
then there's no advantage to adding more A records in each zonefile.
Especially given that all those zones are served from the same set of
authoritative servers.

Having one A record for each nameserver makes it much easier if you ever
need to renumber the server.

In a more complex setup with different zones distributed over various
different sets of internal servers, having a unique A record for each
server makes it much clearer which server is actually serving which zone.

Cheers,

Matthew


Re: Syncing DNS zones with different names

2011-11-15 Thread Matthew Seaman
On 15/11/2011 07:19, Chris Balmain wrote:
> Let's say I have two domain names, d1.com and d2.com, and I want to
> synchronise all records underneath them (one-way sync, that is). So if I
> create an A record www.d1.com pointing at 1.2.3.4, www.d2.com is also
> automatically created, with the same value. So it's almost like a
> master/slave relationship, but the slave zone has a different name to
> the master.
> 
> Let's assume the two zones will be hosted on the same set of
> nameservers, so even the SOA and NS records will be identical between them.
> 
> I've been googling, but haven't found anything. Does anyone know if this
> is natively possible with Bind 9, or will I have to hack a script
> together to do a transfer from the d1.com zone and parse the data to
> build an equivalent zone file for d2.com?

DNAME

http://www.rfc-editor.org/rfc/rfc2672.txt

It's like CNAME, but for whole domains.

Cheers,

Matthew


Re: How to show the Recursion behaviour of DNS Servers

2011-11-05 Thread Matthew Seaman
On 05/11/2011 19:37, Gaurav Kansal wrote:
> Is there any way in dig or nslookup utility to see the whole path which a
> DNS Server follows for giving me the answer.

dig +trace www.nkn.in

is pretty close to what you ask.

Cheers,

Matthew


Re: Blocking malware URL lookup using BIND

2011-10-25 Thread Matthew Seaman
On 25/10/2011 10:03, babu dheen wrote:
>  We are seeing a huge number of malware requests going to malware domains 
> performed by some malware infected clients. 
>  
>  All malware infected clients are trying to reach the URLs below.  We would like 
> to know how we can block any dns query that comes to the 
> *.-0-0-0-0-0-0-0-0-0-0.info domain; it should be redirected to 127.0.01.
>  
>  Sample malware domains
>  
>  
> 2-4-z-g-0-9-4-3-4-8-p-5-r-i-f-3-0-b-3-y-5-a-8-e-0-y-z-s-0-7-q-.0-0-0-0-0-0-0-0-0-0-0-0-0-21-0-0-0-0-0-0-0-0-0-0-0-0-0.info
>  
> u-r-k-w-5-b-s-7-m-2-p-s-n-j-2-7-3-3-1-q-2-0-i-5-g-9-1-i-0-p-7-.0-0-0-0-0-0-0-0-0-0-0-0-0-41-0-0-0-0-0-0-0-0-0-0-0-0-0.info
>  
> 9-9-e-d-p-b-2-e-r-c-7-1-3-p-v-5-0-b-3-1-1-n-3-h-4-9-i-6-1-r-7-.0-0-0-0-0-0-0-0-0-0-0-0-0-6-0-0-0-0-0-0-0-0-0-0-0-0-0.info

This is exactly what RPZ was designed for:

http://www.isc.org/files/TakingBackTheDNSrpz2.pdf

Cheers,

Matthew


Re: Mixing Algorithms for DNSSEC

2011-10-15 Thread Matthew Seaman
On 15/10/2011 20:32, Mark Elkins wrote:
> So what you are saying in practical terms is in order to migrate from
> RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> cycle once a year) and then at exactly the same time start using
> RSASHA256 on the KSK's (which cycle every month) - making any existing
> ZSK using RSASHA1 (or their DS's in the parent) redundant after about a
> further month.

You don't have to wait.  There's nothing to stop you doing an early key
rollover for your ZSK, and switching algorithms.  Where you can either
revoke the old ZSK or change its expiry date -- once you've got the DS
records in the parent updated, of course.

Cheers,

Matthew


Re: changing ttl of mx record

2011-10-10 Thread Matthew Seaman
On 10/10/2011 15:42, enigmedia wrote:
> Hi All: If I need to set a short TTL prior to an MX IP change, do I need to
> modify the TTL of the MX record, or just the A record the MX points to?
> (There's just a single A record for the MX).

You want to drop the TTL on the RR where the data -- the RHS of the
zonefile -- changes.  So if you have:

example.com.        IN MX   10 smtp.example.com.
smtp.example.com.   IN A    192.0.2.1

and you want to change that to

example.com.        IN MX   10 smtp.example.com.
smtp.example.com.   IN A    192.0.2.25

then you only need to shorten the TTL on the A record, not the MX record.

Cheers,

Matthew


Re: ZSK pre-publish

2011-10-03 Thread Matthew Seaman
On 03/10/2011 13:45, Torinthiel wrote:
> On 2011-10-01 11:40, Matthew Seaman wrote:

>> dnssec-signzone will grok all the built-in dates and do the right thing
>> when you sign the zone.

> BTW, how does dnssec-signzone behave when you pass -s option? Does it
> take into account that date when determining whether to use/publish key?
> Can one for example generate signatures for the future using
> dnssec-signzone, or is it possible only with careful manual inclusion?

If the date or offset you specify via the -s option is outside the
period of activation of a key, then dnssec-signzone won't use that key
to sign that RR.  So if you're trying to manage keys manually you will
need to resign the zone once the activation date plus 1 hour has passed
-- assuming you take the defaults for '-s' -- to pick up the RRSIGs made
with the new key.

Cheers,

Matthew


Re: ZSK pre-publish

2011-10-01 Thread Matthew Seaman
On 01/10/2011 09:25, CT wrote:
> 
>> I have a few static zones that I sign via script
>> keydir = directory for both KSK and ZSK
>> $zone = zone file
>> /usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone
>>
>>
>> Fetching KSK 4054/RSASHA256 from key repository.
>> Fetching ZSK 36948/RSASHA256 from key repository.
>> Fetching ZSK 65304/RSASHA256 from key repository.
>> Verifying the zone using the following algorithms: RSASHA256.
>> Zone signing complete:
>> Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
>>                       ZSKs: 2 active, 0 stand-by, 0 revoked
>>
>>
>> My question is that both zsk's are published, how do I make 1 standby

> To be more specific, can I do this with the dnssec-signzone tool versus a
> $include/stand-by-key in the zone file?

The trick is to use dnssec-settime to modify the dates built into your key
by dnssec-keygen.  Or equivalently to use dnssec-keygen with appropriate
flags to set the 'Activate' date (not to mention Inactive and Delete)
some time in the future.

So --- this key is active now:

% dnssec-settime -p all Kinfracaninophile.co.uk.+005+04664.private
Created: Sat Aug 13 07:40:28 2011
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct  8 07:40:28 2011
Delete: Sat Oct  8 07:40:28 2011

but this key is only published and will activate in a week:

% dnssec-settime -p all Kinfracaninophile.co.uk.+005+44132.private
Created: Sat Sep 10 09:01:24 2011
Publish: Thu Jan  1 01:00:00 1970
Activate: Sat Oct  8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov  5 08:01:24 2011
Delete: Sat Nov  5 08:01:24 2011

dnssec-signzone will grok all the built-in dates and do the right thing
when you sign the zone.

Cheers,

Matthew

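An added example (Python, not from either of the two ZSK pre-publish replies above) that applies the timing rules they describe to the two keys quoted: it parses `dnssec-settime -p all` output and reports, for a given signing start time such as the one passed with -s, which keys are merely published and which actually sign. The state names, the parser and the one-hour default for -s (the clock-skew allowance dnssec-signzone uses) are assumptions of the example, not output of the ISC tools.

```python
from datetime import datetime, timedelta

# Constructed from the two `dnssec-settime -p all` listings quoted in the post.
KEY_04664 = """\
Created: Sat Aug 13 07:40:28 2011
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct  8 07:40:28 2011
Delete: Sat Oct  8 07:40:28 2011
"""
KEY_44132 = """\
Created: Sat Sep 10 09:01:24 2011
Publish: Thu Jan  1 01:00:00 1970
Activate: Sat Oct  8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov  5 08:01:24 2011
Delete: Sat Nov  5 08:01:24 2011
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # the timestamp style dnssec-settime -p prints


def parse_settime(text):
    """Map each timing field (Created, Publish, ...) to a datetime, or None for UNSET."""
    timing = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        timing[field.strip()] = None if value == "UNSET" else datetime.strptime(value, DATE_FMT)
    return timing


def _in_window(start, end, when):
    """start <= when < end, where an unset end means open-ended."""
    return start is not None and start <= when and (end is None or when < end)


def key_state(timing, when):
    """How a signing run at `when` treats the key:
    active    - in the DNSKEY RRset and used to make RRSIGs
    published - in the DNSKEY RRset only (pre-publish or retire window)
    revoked   - published with the REVOKE bit set, signs nothing new
    absent    - left out of the zone altogether"""
    if _in_window(timing.get("Revoke"), timing.get("Delete"), when):
        return "revoked"
    if _in_window(timing.get("Activate"), timing.get("Inactive"), when):
        return "active"
    if _in_window(timing.get("Publish"), timing.get("Delete"), when):
        return "published"
    return "absent"


def signing_keys(keys, when):
    """Names of the keys whose RRSIGs a signing run started at `when` produces."""
    return sorted(name for name, timing in keys.items() if key_state(timing, when) == "active")


def default_start_time(now):
    """dnssec-signzone's default -s: one hour before now, to allow for clock skew."""
    return now - timedelta(hours=1)


def earliest_resign(timing):
    """First wall-clock time at which a run with the default -s picks up this key,
    i.e. the 'activation date plus 1 hour' from the reply above."""
    return timing["Activate"] + timedelta(hours=1)


if __name__ == "__main__":
    keys = {"04664": parse_settime(KEY_04664), "44132": parse_settime(KEY_44132)}
    now = datetime(2011, 10, 1, 12, 0, 0)  # roughly when the post was written
    for name, timing in keys.items():
        print(name, key_state(timing, now))
    resign_at = earliest_resign(keys["44132"])
    for now in (resign_at - timedelta(minutes=1), resign_at):
        print(now, "signs with", signing_keys(keys, default_start_time(now)))
```

Run over the two keys quoted above, signing_keys() comes back empty for any -s time between 07:40:28 and 09:01:24 on 8 Oct 2011 (the old key's Inactive and the new key's Activate), which is the kind of window a pre-publish rollover script should check for before it signs.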

Re: "if exists host-name" for IPv6 DDNS?

2011-09-23 Thread Matthew Seaman
On 23/09/2011 00:39, Joachim Tingvold wrote:
> Or replace :: with _, 

'_' is an illegal character in hostnames in the DNS...

Cheers,

Matthew


Re: Delegation check failed

2011-09-20 Thread Matthew Seaman
On 20/09/2011 14:25, Lightner, Jeff wrote:
> On going there and testing water.com domain I see:
> Delegation
> 
> · Nameserver dswadns1.water.com is listed for zone water.com without 
> address information.
> 
> · Nameserver dswadns2.water.com is listed for zone water.com without 
> address information.
> However, it clearly found the IPs of these name servers.  The IPs were 
> entered at the registrar some years ago and lookups of our domains work fine.
> Additionally whois shows the correct IPs for the above name servers being 
> returned by the Registrar.  My zone file has A records with the correct IPs 
> as shown below:
> 
>           IN NS   dswadns1.water.com.
>           IN NS   dswadns2.water.com.
> dswadns1  IN A    12.44.84.213
> dswadns2  IN A    12.44.84.214
> 
> So I’m curious what exactly the above delegation messages are trying to tell 
> me.   The description in the FAQ doesn’t really seem illuminating to me.
> 

This is the www.zonecheck.fr checking tool?  Like it says quite clearly
in the instructions, where the nameservers are part of the domain being
checked then you need to give IP numbers too.  If you do that, then the
water.com domain passes the test albeit with a few warnings about
everything being on the same network segment / same AS number.

Yes, if you're checking a live domain correctly registered and with the
right glue records in place, then zonecheck can find your nameservers
without external prompting.  If you're trying to check an unregistered
domain, then zonecheck will definitely need those IP numbers.  That's
really all those messages are trying to tell you.

Cheers,

Matthew


Re: Problems with nic.it

2011-09-20 Thread Matthew Seaman
On 20/09/2011 08:20, Lucio Crusca wrote:
> Hence I wonder if there existed any public DNS checker that could
> check a DNS which is not the NS pointed server yet,

http://dnscheck.iis.se/ has an 'undelegated domain test'

Cheers,

Matthew


Re: Weird IPv6 issue?

2011-09-11 Thread Matthew Seaman
On 11/09/2011 21:00, m...@smtp.fakessh.eu wrote:
> I also think the creation of the reverse zone ipv6
> 
> I don't know how to

IPv6 reverse zones work in very much the same way as IPv4 reverse zones.

So, for an address 2001:8b0:151:1:e2cb:4eff:fe26:6481 you would generate
the LHS of a PTR record like so:

1.8.4.6.6.2.e.f.f.f.e.4.b.c.2.e.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa

Expand each colon separated field to 4 digits by inserting leading
zeros, drop the colons, reverse the order of the whole thing, add dots
between each hex digit and tack on .ip6.arpa on the end.  Or use
arpaname(1) which comes with bind.

You'll need to have the reverse zone delegated to you -- usually by your
ISP and usually on the same /48 or /64 boundary used in routing.  Unlike
with IPv4, each label only counts for 16 addresses which is very much
less than the total of a typical allocation, so RFC 2317 style
delegation should become extinct.  Assuming you have $ORIGIN as
1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa, then a typical PTR record in
your zone file might look like:

1.8.4.6.6.2.e.f.f.f.e.4.b.c.2.e PTR ns0.infracaninophile.co.uk.

Cheers,

Matthew

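The recipe in the reply above, as an added example (Python, not the poster's code): build the ip6.arpa owner name, the $ORIGIN of a nibble-aligned reverse zone and the relative PTR line, and cross-check the name against the stdlib's `reverse_pointer`, which stands in for arpaname(1) here. Addresses and the zone are the ones from the reply; the function names are my own.

```python
import ipaddress


def expand_ipv6(addr):
    """The 32 hex nibbles of an IPv6 address: every field padded to 4 digits, colons dropped."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "")


def ip6_arpa_name(addr):
    """Full PTR owner name: nibbles reversed, dot-separated, with ip6.arpa appended."""
    return ".".join(reversed(expand_ipv6(addr))) + ".ip6.arpa"


def reverse_zone_origin(prefix):
    """$ORIGIN of the reverse zone delegated for a prefix such as a /48 or /64.

    Each label covers one nibble, so a delegation only works on a multiple of 4 bits."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("reverse delegation needs a nibble boundary, got /%d" % net.prefixlen)
    prefix_nibbles = expand_ipv6(str(net.network_address))[: net.prefixlen // 4]
    return ".".join(reversed(prefix_nibbles)) + ".ip6.arpa"


def ptr_record(addr, zone_prefix, target):
    """Zone-file line for `addr`, with the owner written relative to the zone's $ORIGIN."""
    full = ip6_arpa_name(addr)
    origin = reverse_zone_origin(zone_prefix)
    if not full.endswith("." + origin):
        raise ValueError("%s is not inside %s" % (addr, zone_prefix))
    relative = full[: -(len(origin) + 1)]
    return "%s PTR %s" % (relative, target)


if __name__ == "__main__":
    addr = "2001:8b0:151:1:e2cb:4eff:fe26:6481"
    zone = "2001:8b0:151:1::/64"
    print(ip6_arpa_name(addr))
    print("$ORIGIN", reverse_zone_origin(zone))
    print(ptr_record(addr, zone, "ns0.infracaninophile.co.uk."))
    # the hand-rolled name must agree with the stdlib's arpaname(1) equivalent
    assert ip6_arpa_name(addr) == ipaddress.IPv6Address(addr).reverse_pointer
```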

Re: Bind time up.

2011-07-23 Thread Matthew Seaman
On 23/07/2011 09:22, Vbvbrj wrote:

> How to tell BIND to not stop listening on cable disconnected adapters?

Add to the options {} section of named.conf:

interface-interval 0;

Cheers,

Matthew


Re: I can't resolve one domain: nhs.uk

2011-06-17 Thread Matthew Seaman
On 17/06/2011 14:33, Andrew Benton wrote:
> On Fri, 17 Jun 2011 13:01:00 +0100
> Phil Mayers  wrote:
> 
>> On 17/06/11 12:10, Andrew Benton wrote:
>>>
>>> And it works well for every domain on the internet. Except for
>>> www.nhs.uk - I can't resolve nhs.uk
>>
>> www.nhs.uk is, currently, a CNAME to
>> www.prod.nhs.uk.akadns.net
>>
>> You might be suffering from the bind 9.8 CNAME issue. See the recent, 
>> repeated discussions in the archives, including a link to a quick 
>> one-line patch you can apply to see if it fixes it.
> 
> Do you mean this patch?
> 
> http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/dns/bind98/files/patch-bin__named__query.c?rev=1.1
> 
> I've just tried it and it made no difference. I'm not convinced of this
> CNAME hypothesis. Could you point me towards the threads where it is
> discussed? I'm new here.

Works for me using the FreeBSD bind98 port:

lucid-nonsense:~:% /usr/local/bin/dig www.nhs.uk

; <<>> DiG 9.8.0-P2 <<>> www.nhs.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41398
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 9, ADDITIONAL: 9

;; QUESTION SECTION:
;www.nhs.uk.            IN  A

;; ANSWER SECTION:
www.nhs.uk. 900 IN  CNAME   www.prod.nhs.uk.akadns.net.
www.prod.nhs.uk.akadns.net. 300 IN  A   217.64.234.65

;; AUTHORITY SECTION:
akadns.net. 75490   IN  NS  zc.akadns.org.
akadns.net. 75490   IN  NS  za.akadns.org.
akadns.net. 75490   IN  NS  zd.akadns.org.
akadns.net. 75490   IN  NS  usw2.akadns.net.
akadns.net. 75490   IN  NS  zb.akadns.org.
akadns.net. 75490   IN  NS  asia9.akadns.net.
akadns.net. 75490   IN  NS  use3.akadns.net.
akadns.net. 75490   IN  NS  eur1.akadns.net.
akadns.net. 75490   IN  NS  use4.akadns.net.

;; ADDITIONAL SECTION:
za.akadns.org.  7090IN  A   96.6.112.198
zb.akadns.org.  7090IN  A   64.211.42.194
zc.akadns.org.  7090IN  A   124.40.52.133
zd.akadns.org.  7090IN  A   72.246.46.4

Re: IPv4 & IPv6 named processes on a dual stack host

2011-05-24 Thread Matthew Seaman
On 24/05/2011 19:22, Timothy Stoddard wrote:
> Has anyone run into an issue with two named processes running on the same
> host.  We want to begin serving up DNS on our IPv6 address space and do not
> want to duplicate each of our DNS servers.  We have started two named
> processes one with "-6" option.  All seems to be working.  I am concerned
> how journal files will be handled.  Question will the "-4" named process
> coexist with "-6" on the same box???

Curious. Why do you think you need two named processes?  One named
process is perfectly capable of listening and serving data on both IPv4
and IPv6 interfaces simultaneously.  So for instance this is from
named.conf on my own nameserver:

listen-on {
    127.0.0.1;
    81.187.76.162;
};
listen-on-v6 {
    ::1;
    2001:8b0:151:1:e2cb:4eff:fe26:6481;
};

There's nothing particularly special about the option flags I'm using --
pretty much the default FreeBSD settings other than the changes required
to run the ports version of bind rather than the base system one:

% grep named_ /etc/rc.conf
named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-c /etc/namedb/named.conf"

Not that it makes much difference to this question, but I'm running
FreeBSD stable/8 running bind-9.8.0 from ports similarly to you.

Cheers,

Matthew


Re: strange queries in my DNS

2011-04-25 Thread Matthew Seaman
On 25/04/2011 13:30, Victor Hugo dos Santos wrote:
> Yes.. I already read about the DNS amplifier attack.. but in an
> amplification attack, the query is about ".", but in my case, the
> queries aren't for the "root", but for an "unused type" 

No -- confusion of terms: '.' is the *root* of the DNS hierarchy.
Nothing to do with the unix superuser.

The RESERVED0 type of the query is certainly odd.  My guess is that's a
programming mistake by whoever is trying to run a DoS, as it probably
means he's not going to get any data in the responses and hence no
amplification effect.

> about the configuration, I can't apply the "allow-query" to restrict
> my DNS, because this is an authoritative server of many domains and I
> have the recursion disabled to external views.

OK -- an authoritative server should refuse to reply for a query for the
'.' zone from an arbitrary source, like so:

# dig @ns0.infracaninophile.co.uk . ANY

; <<>> DiG 9.6.2-P2 <<>> @ns0.infracaninophile.co.uk . ANY
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 43458
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.  IN  ANY

;; Query time: 21 msec
;; SERVER: 81.187.76.162#53(81.187.76.162)
;; WHEN: Mon Apr 25 17:16:28 2011
;; MSG SIZE  rcvd: 17

So long as your server responds like that to external queries for the
'.' zone, whether type IN or type RESERVED0 or type whatever, then I
don't think you've got anything much to worry about.  20--30qps like
that should be trivial for any reasonable modern machine.

Cheers,

Matthew


Re: strange queries in my DNS

2011-04-21 Thread Matthew Seaman
On 21/04/2011 19:54, Victor Hugo dos Santos wrote:
> Hello masters.
> 
> last week I had some strange queries logged in my DNS. At that
> moment I only blocked the source IP (77.204.11.139) and forgot about this
> theme.
> 
> but, today.. I have the same query registered in my logs and from
> other source (208.100.46.116).
> 
> ==
> 21-Apr-2011 15:20:16.081 queries: info: client 208.100.46.116#1552:
> view externo: query: . ANY RESERVED0 +
> 21-Apr-2011 15:20:16.143 queries: info: client 208.100.46.116#6674:
> view externo: query: . ANY RESERVED0 +
> 21-Apr-2011 15:20:16.205 queries: info: client 208.100.46.116#21602:
> view externo: query: . ANY RESERVED0 +
> 21-Apr-2011 15:20:16.269 queries: info: client 208.100.46.116#55331:
> view externo: query: . ANY RESERVED0 +
> ==
> 
> 
> now, I have the new IP blocked, but if I unblock it.. the server show
> a 20/30 queries by second from this IP !!!
> 

This is an attempt to use your DNS servers as a traffic amplifier in a
DoS attack.  By sending a spoofed query for the root '.' the attackers
cause your DNSes to send kilobytes of the root zone to the target IP
(208.100.46.116 and 77.204.11.139 are the victims here, not the
perpetrators).  Do that against enough other DNS servers simultaneously
and it will flood the target host.

There are several variations on this -- see

http://meetings.ripe.net/ripe-52/presentations/ripe52-plenary-dnsamp.pdf

The best answer to this sort of thing is for network providers to filter
obviously spoofed traffic at their interchange points, but that is
(presumably) outside your control.  You can mitigate the problem by
careful use of the 'allow-query', 'allow-query-cache' and
'additional-from-cache' directives in your BIND configuration so you
only answer recursive queries for your trusted networks.

Cheers,

Matthew

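As an added example (Python, not from the thread): detection logic over query-log lines in the format quoted above, picking out sources that send bursts of root ('.') queries for ANY or a reserved type and reporting their peak per-second rate, so they can be rate-limited or refused as the replies suggest. The sample lines are constructed, keeping the post's flooded address and adding a documentation-range client for contrast; the threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND query-log line: timestamp, client ip#port, optional view, then
# "query: <name> <class> <type> <flags>".  In the quoted lines the class is
# ANY and the type is RESERVED0 (type code 0).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?:view (?P<view>\S+): )?"
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)(?: (?P<flags>\S+))?$"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

# Constructed sample: the four lines quoted in the post (same flooded address,
# 0.19 s apart) followed by two ordinary queries from a documentation-range client.
SAMPLE_LOG = """\
21-Apr-2011 15:20:16.081 queries: info: client 208.100.46.116#1552: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.143 queries: info: client 208.100.46.116#6674: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.205 queries: info: client 208.100.46.116#21602: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.269 queries: info: client 208.100.46.116#55331: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.300 queries: info: client 192.0.2.10#53211: view externo: query: www.example.com IN A -
21-Apr-2011 15:20:17.001 queries: info: client 192.0.2.10#53212: view externo: query: example.com IN MX -E
"""


def parse_line(line):
    """Fields of one query-log line as a dict (ts as datetime), or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["flags"] = rec["flags"] or ""
    return rec


def is_root_probe(rec):
    """A query for the root ('.') asking for ANY (as class or type) or for a
    reserved type code: the shape of the reflection traffic in the thread, and
    nothing a real client has reason to send to an authoritative-only view."""
    if rec["name"] != ".":
        return False
    cls, qtype = rec["cls"].upper(), rec["type"].upper()
    return "ANY" in (cls, qtype) or qtype.startswith("RESERVED")


def find_floods(log_text, threshold_qps=10):
    """Group root probes by source address and report those whose peak count in
    any one-second window reaches threshold_qps.

    The source addresses are where the spoofed responses land, so the result is
    a list of hosts to rate-limit or refuse, not of attackers to blame."""
    stamps_by_ip = defaultdict(list)
    qtypes_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_root_probe(rec):
            stamps_by_ip[rec["ip"]].append(rec["ts"])
            qtypes_by_ip[rec["ip"]].add("%s %s" % (rec["cls"], rec["type"]))
    findings = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak, j = 0, 0
        for i, t in enumerate(stamps):
            while (t - stamps[j]).total_seconds() >= 1.0:  # slide the window start forward
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold_qps:
            findings[ip] = {"count": len(stamps), "peak_qps": peak, "qtypes": sorted(qtypes_by_ip[ip])}
    return findings


if __name__ == "__main__":
    for ip, info in find_floods(SAMPLE_LOG, threshold_qps=4).items():
        print("%s: %d root probes, peak %d/s, %s" % (ip, info["count"], info["peak_qps"], info["qtypes"]))
```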

Re: incorrect dns returned by public servers for our domain

2011-02-23 Thread Matthew Seaman
On 24/02/2011 04:14, Noel Butler wrote:
> You can pretty much remove the entire statement now, as all /8's are
> issued as of about two weeks ago.

This works for me:

lucid-nonsense:~/src/namedb:% cat acl-ipv4-bogons.conf
// @(#) $Id: acl-ipv4-bogons.conf 800 2011-02-03 20:22:12Z matthew $
//
// Networks listed by IANA as test, RFC 1918, Multicast, Experimental,
// etc. (RFC 5735)
//
// See: http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt

acl ipv4-bogons {
0.0.0.0/8;
10.0.0.0/8;
127.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
192.0.0.0/24;
192.0.2.0/24;
192.168.0.0/16;
198.18.0.0/15;
198.51.100.0/24;
203.0.113.0/24;
224.0.0.0/3;
};
//
// That's All Folks!
//

All of which are special purpose networks listed in RFC 5735 which you
shouldn't be seeing any DNS query traffic from on the open internet.
This bogon list is going to be static for the foreseeable future.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW



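To see what such an acl does to a given client address, here is an added example (not BIND's code) that models how BIND walks an address-match list: elements in order, first match wins, a '!' element means "not in the list", and a name refers to another acl. It assumes BIND's rule that a negative match inside a nested acl counts as no match for the list referencing it; the ipv6-bogons list is a constructed stand-in, not the Team Cymru one.

```python
import ipaddress

class Acls:
    """Minimal model of BIND address-match lists."""

    def __init__(self):
        self.lists = {}

    def define(self, name, elements):
        """elements: 'any', 'none', an address or prefix, or another acl name,
        each optionally prefixed with '!' to negate it."""
        self.lists[name] = [(el.lstrip("!").strip(), el.startswith("!")) for el in elements]

    def match(self, name, client):
        """+1 if client is in the list, -1 if it hit a negated element,
        0 if no element matched. Evaluation stops at the first hit."""
        ip = ipaddress.ip_address(client)
        for element, negated in self.lists[name]:
            if self._hits(element, ip):
                return -1 if negated else 1
        return 0

    def _hits(self, element, ip):
        if element == "any":
            return True
        if element == "none":
            return False
        if element in self.lists:
            # Assumption (BIND's rule): only a positive match inside a nested acl
            # counts; a negative one is "no match", so "!nested" cannot become a
            # surprise positive match through double negation.
            return self.match(element, ip) > 0
        # An IPv4 address tested against an IPv6 prefix (or vice versa) is simply False.
        return ip in ipaddress.ip_network(element, strict=False)

    def allows(self, name, client):
        return self.match(name, client) > 0

ACLS = Acls()
ACLS.define("ipv4-bogons", [   # the list from the post (RFC 5735 special-purpose blocks)
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
])
ACLS.define("ipv6-bogons", ["::/8", "fc00::/7", "fe80::/10"])   # constructed stand-in
# Same shape as the `acl bogon` in the named.conf later on this page:
# loopback is exempted first, then the bogon lists are consulted.
ACLS.define("bogon", ["!127.0.0.1", "!::1", "ipv4-bogons", "ipv6-bogons"])
# How such a list is typically consumed:  allow-query { !bogon; any; };
ACLS.define("allow-query", ["!bogon", "any"])
```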

Re: can @ be CNAME?

2010-11-23 Thread Matthew Seaman
On 23/11/2010 08:07, Tech W. wrote:
> --- On Tue, 23/11/10, Matus UHLAR - fantomas  wrote:
>> From: Matus UHLAR - fantomas 

>>> can I set @ to a cname type? like:
>>>
>>> @  IN  CNAME  www.example.com.
>>
>> Certainly not. for a domain you have you need SOA and NS
>> records, and CNAME
>> is incompatible with both of them.
>>
> 
> But why @ can have an A RR?
> 
> @ IN A 12.34.56.78
> 
> This seems OK for us.

CNAME records are special.  You can't have any other records for a label
where you have a CNAME record (well, with the exception of RRSIG records
if you're using DNSSEC).  This is covered in great detail in any
introductory text on DNS.

The principal reason to want to have a CNAME record at the apex of a
zone is to make http://example.com/ be a synonym for
http://www.example.com/.  The way to deal with that is to turn it round
and make www.example.com be the CNAME record, and have the A record at
example.com.  Or just have A or AAAA records at both example.com and
www.example.com.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW



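The rule in the reply, as an added check (not from the post): any owner name with a CNAME may carry no other record types, apart from the DNSSEC ones. Zone text and names are constructed, and the parser is a minimal one for "owner type rdata" lines.

```python
from collections import defaultdict

# DNSSEC types allowed next to a CNAME: RRSIG, as the reply says, and NSEC,
# which RFC 4035 also requires at a signed CNAME name.
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}

def parse_records(zone_text, origin):
    """(owner, type, rdata) triples; '@' and relative owners are qualified with origin."""
    origin = origin.lower().rstrip(".") + "."
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner.lower(), rtype.upper(), rdata))
    return records

def cname_conflicts(records):
    """Owners that have a CNAME plus other types, mapped to the offending types."""
    types = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner].add(rtype)
    conflicts = {}
    for owner, owner_types in types.items():
        others = owner_types - {"CNAME"} - ALLOWED_WITH_CNAME
        if "CNAME" in owner_types and others:
            conflicts[owner] = sorted(others)
    return conflicts

# Constructed zones: the apex-CNAME attempt from the question, and the
# turned-round layout the reply recommends.
APEX_CNAME_ZONE = """
@    SOA   ns0.example.com. hostmaster.example.com. 2010112301 10800 3600 604800 43200
@    NS    ns0.example.com.
@    CNAME www.example.com.     ; clashes with the SOA and NS at the apex
www  A     12.34.56.78
"""
TURNED_ROUND_ZONE = """
@    SOA   ns0.example.com. hostmaster.example.com. 2010112301 10800 3600 604800 43200
@    NS    ns0.example.com.
@    A     12.34.56.78
www  CNAME example.com.
"""
```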

Re: Reverse Configuration

2010-10-17 Thread Matthew Seaman
On 16/10/2010 21:48, Kevin Oberman wrote:
> To be completely clear, unless there is special software on the client
> to deal with PTRs, you really only want ONE PTR for each address. Most
> standard network tools tend to assume only one PTR per address and some
> get very confused when multiple PTRs are returned.

I'm intrigued as to what software it is that gets confused by having
multiple PTRs for IPs?  Given I've been running with exactly that
configuration for many years, and never noticed any problems nor had any
complaints.

Still, I hope this whole argument will be rendered moot with the advent
of IPv6, where addresses are available in such enormous bounty that the
sensible admin would not only assign an IP per network interface, but
pretty much an IP per service too.  No more fiddling about with TTLs or
waiting for changes to propagate should you need to shuffle things
about, and a natural consequence is that only one PTR would be needed
per .

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW




Re: Protecting bind from DNS cache poisoning!!!

2010-08-08 Thread Matthew Seaman
On 08/08/2010 11:29:52, Shiva Raman wrote:

> I am running Bind caching and bind authoritative servers with current
> 9.7 version. I would like to know the steps to be followed to protect
> bind from DNS Cache poisoning. The bind DNS server is running behind
> the firewall which allows only DNS queries.

Run an up-to-date version of bind.  Be fanatical about applying security
patches promptly.

Don't allow recursion /at all/ for queries from the general public to
your authoritative servers, nor permit authoritative servers to send
additional data from cache.

Permit only your trusted clients to make recursive queries through your
recursive servers.

If you have sufficient DNS traffic to warrant it, it is very good to run
completely separate instances of bind as authoritative and recursive
servers -- use of virtualization techniques like FreeBSD jails can help
reduce hardware costs.

Otherwise, make use of the views feature to control who may or may not
perform recursive queries via your servers.

Allow bind to use as wide a range of port numbers as possible for UDP
traffic.

Make sure your firewalls don't do daft things like forcing any DNS
traffic to come from a limited range of source ports, or blocking large
UDP packets or EDNS.  Allow DNS queries over TCP as well as UDP.

Implement DNSSEC.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW




Re: zone syntax question

2010-07-24 Thread Matthew Seaman
On 24/07/2010 16:17:13, Joseph S D Yao wrote:
> Quick, knee-jerk, which of these is
> one day?
>   86300
>   68300
>   863000

It's a trick question, right?

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW




Re: dnssec-lookaside auto and managed-keys-zone problem with certain views

2010-07-18 Thread Matthew Seaman
On 18/07/2010 17:58:15, Evan Hunt wrote:
>> Is there a way of using dnssec-lookaside and forcing bind not to
>> maintain a managed-keys-zone for certain views?
> 
> Sure, just do it the old way, without "dnssec-lookaside auto".
> Put these in the view statement:
> 
> dnssec-lookaside . trust-anchor dlv.isc.org;
> 
> trusted-keys {
> dlv.isc.org. 257 3 5 
> "BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 
> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 
> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 
> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk 
> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM 
> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
> };
> 
> (Except, you know, get the key text from a secure channel or from the
> signed bind9 distribution, not from email...)

Well, it's a better work around than what I have been doing, but not
having the RFC 5011 behaviour is quite a disappointment.  Now I have
presentiments of disaster should the DLV key have to be rolled for
whatever reason.

Think I'll just drop the external-chaos view.  Some script kiddie
working out I'm running the latest version of bind is likely to be lower
risk and a lot less harmful than dealing with broken dnssec chains of trust.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW




dnssec-lookaside auto and managed-keys-zone problem with certain views

2010-07-18 Thread Matthew Seaman

Dear list,

Is there a way of using dnssec-lookaside and forcing bind not to
maintain a managed-keys-zone for certain views?  Or allowing it to start
up if the files are missing for some views?  I have within my named.conf
this view, designed to hide bind.version and so forth from the world at
large:

view "external-chaos" chaos {
match-clients   { !trusted; };
allow-query { none; };
zone "."{ type hint; file "/dev/null"; };
};

The 'trusted' acl is just a list of my local networks.

However, this seems to cause bind to fail to restart cleanly, as bind
never generates any managed-keys-zone file for this view.  Now, I can
work around this by deleting all of the managed-keys-zone files from the
working directory every time I need to restart named, but that's not ideal.

Cheers,

Matthew

Full named.conf:

// $Id: named.conf 763 2010-07-18 09:25:15Z matthew $

// Refer to the named.conf(5) and named(8) man pages for details.  If
// you are ever going to setup a primary server, make sure you've
// understood the hairy details of how DNS is working.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amount of useless Internet traffic.

// Access control lists.  Not just anybody is allowed to make use of
// this service.
acl trusted {
127.0.0.1;
::1;
81.187.76.160/29;
81.187.220.164;
2001:8b0:151:1::/64;
};

acl secondaries {
127.0.0.1;  // localhost
::1;// localhost (IPv6)
81.187.76.162;  // ns0.infracaninophile.co.uk
2001:8b0:151:1:e2cb:4eff:fe26:6481; // ns0.infracaninophile.co.uk (IPv6)
81.187.81.32;   // secondary-dns.co.uk  (A&A)
2001:8b0:0:81::51bb:5120;   // secondary-dns.co.uk  (A&A, IPv6)
81.187.81.30;   // secondary-ns.co.uk   (A&A)
2001:8b0:0:81::51bb:5116;   // secondary-ns.co.uk   (A&A, IPv6)
2001:8b0::2021; // dns2.aaisp.net.uk
};

include "/etc/namedb/acl-ipv4-bogons.conf";
include "/etc/namedb/acl-ipv6-bogons.conf";

acl bogon {
// Filter out the bogon networks.  These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc.

// Allow 127.0.0.1, ::1 specifically
!127.0.0.1;
!::1;

 // See: http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
ipv4-bogons;
// See: http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
ipv6-bogons;
};

logging {
channel dnssec_log {
file "/var/log/dnssec" versions 5 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity debug;
};
channel named_log {
file "/var/log/named.log" versions 5 size 20m;
print-time yes;
severity debug;
};
category default  { default_syslog; default_debug; };
category queries  { named_log; default_debug; };
category dnssec   { dnssec_log; };
category security { named_log; default_syslog; };
category config   { default_syslog; };
category resolver { named_log; };
category xfer-in  { named_log; };
category xfer-out { named_log; };
category notify   { named_log; };
category client   { named_log; };
category network  { named_log; };
category update   { named_log; };
category lame-servers { named_log; };
};

statistics-channels {
inet *  port 8080 allow { trusted; };
inet :: port 8080 allow { trusted; };
};

options {
directory   "/etc/namedb/working";
pid-file"/var/run/named/pid";
dump-file   "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
memstatistics-file  "/var/stats/named.memstats";
zone-statistics yes;

// Listen only on the loopback and on the 1ary IPv4 and IPv6
// network address, not the jail or tunnel IPs.
listen-on {
127.0.0.1;
81.187.76.162;
};
listen-on-v6 {
::1;
2001:8b0:151:1:e2cb:4eff:fe26:6481;
};
query-source   address 81.187.76.162 port *;
query-source-v6address 2001:8b0:151:1:e2cb:4eff:fe26:6481 port *;
transfer-source81.187.76.162 port *;
transfer-source-v6 2001:8b0:151:1:e2cb:4eff:fe26:6481 port *;
notify-source  81.187.76.162 port *;
notify-source-v6   2001:8b0:151:1:e2cb:4eff:fe26:6481 port *;
use-v4-udp-ports   { range 1024 65535; };
use-v6-udp-ports   { range 1024 65535; };
// We have no dynamic interfaces, so don't check for changes
interface-interval 0;

// B**s to Verisign -- with bind-9.2.2.rc3 we can have
// delegation only from the TLDs
root-delegation-only exclude { "ad"; "af"; "ar"; "biz"; "cr"; "cu";
   "de"; "dm"; "fr"; "id"; "lu"; "lv";

Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481

2010-06-02 Thread Matthew Seaman

On 02/06/2010 18:49:44, Casey Deccio wrote:
> This has been fixed.  The problem had to do with establishing a canonical
> ordering of RRs within an RRset for the purposes of verifying an RRSIG.
> dnspython's default comparison operators don't follow canonical ordering
> from RFC 4034, so I had to make some provisions to order properly.  This
> didn't affect A RRsets with multiple RRs because the order of A-type rdata
> was the same using both orderings.
> 
> Thanks for bringing this to my attention.

Excellent. Thank you very much indeed -- I'm glad to have been of service.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW
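The canonical ordering that the reply above says had to be fixed, as an added example (not dnspython's or dnsviz's code): RFC 4034 orders the RRs of an RRset by their canonical wire-format RDATA before the RRSIG input is built, and that order can differ from plain string order. The PTR RRset below is constructed; the target names are made up.

```python
import hashlib
import struct

PTR_TYPE, IN_CLASS = 12, 1

def name_to_wire(name):
    """Canonical wire form of a name (RFC 4034 section 6.2): lowercase, absolute,
    each label prefixed by its length, terminated by a zero byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = bytearray()
    for label in labels:
        if len(label) > 63:
            raise ValueError(f"label too long: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def text_order(targets):
    """Sorting PTR targets as presentation-format strings: the naive ordering."""
    return sorted(targets)

def canonical_order(targets):
    """RFC 4034 section 6.3: RDATA compared as left-justified unsigned octet
    sequences, a shorter prefix sorting first; bytes ordering does exactly that."""
    return sorted(targets, key=name_to_wire)

def rrset_digest(owner, ttl, targets, order):
    """SHA-256 over the RR(1)..RR(n) part of the RRSIG signing input (RFC 4034
    section 3.1.8.1): owner | type | class | TTL | RDLENGTH | RDATA per RR, in
    the given order. Two orders giving different digests means a signature made
    over one would not verify over the other."""
    wire_owner = name_to_wire(owner)
    buf = bytearray()
    for target in order(targets):
        rdata = name_to_wire(target)
        buf += wire_owner + struct.pack("!HHIH", PTR_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return hashlib.sha256(bytes(buf)).hexdigest()

# Constructed RRset whose string order and wire order differ: in wire form the
# first label's LENGTH byte (1 for "b", 2 for "aa") is compared before its letters.
OWNER = "1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa."
TARGETS = ["aa.example.", "b.example."]
```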


DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481

2010-06-02 Thread Matthew Seaman


I'm DNSSEC enabling the .ip6.arpa zone for my IPv6 allocation and
registering it with dlv.isc.org.  Using bind-9.7.0-p2 dnssec tools.

Everything seems to be working well, but when I test using the Sandia
Labs dnsviz.net tool I get inconsistent results.

My mail, etc. server on 2001:8b0:151:1:e2cb:4eff:fe26:6481 appears as
'bogus'

http://dnsviz.net/d/1.8.4.6.6.2.e.f.f.f.e.4.b.c.2.e.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/

Yet my personal laptop on 2001:8b0:151:1:fa1e:dfff:feda:c0bb is all good:

http://dnsviz.net/d/b.b.0.c.a.d.e.f.f.f.f.d.e.1.a.f.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/

What am I doing wrong?

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Re: IPv6 reverse zones advise

2010-05-10 Thread Matthew Seaman

On 10/05/2010 12:44:32, a.sm...@ukgrid.net wrote:

>   we will shortly start using IPv6 reverse DNS, and having never used it
> before I thought I'd ask those with some experience if they have any
> words of wisdom before I make any horrible mistakes ;) I've already had a
> good read of a good many sites on the subject but still would like to
> check a couple of things.
> When creating IPv6 reverse zones can the subnet be as large or small as
> you like? I've seen examples using /48 and /64, can this be effectively
> whatever you want?
> And following on from that if it is user definable, what would be the
> recommended way (size) forward? We are using flat file zone files. To me
> the simplest would seem to create the zones using large subnets and
> where necessary (as occasionally we are asked to do) delegate via the
> zone file some ranges to other DNS servers.
> I'm not an expert in all of this really, but we get by on IPv4 so if
> anyone has any tips they would be gratefully received,
> 
> thanks Andy.

For an example IPv6 address -- say: 2001:8b0:151:1:240:5ff:fea5:8db7
the PTR record would be:

7.b.d.8.5.a.e.f.f.f.5.0.0.4.2.0.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa. IN PTR

So zero fill each of the colon separated fields to 4 digits, reverse and
split into individual hex digits.  Now *each* hex digit in the address
is a label in the DNS, and you can delegate chunks of the address space
at any label (exactly as you can for forward zones).

This means that the smallest chunk of IP space you can delegate is 16
addresses, which is minuscule on the IPv6 scale of things.  The largest
chunk you could manage from a single zone file would be your whole
allocation.  That will likely be a /32, /48 or /64 depending on your ISP
and whether you're dealing directly with RIPE or not.  Assuming a /64
and that you want to keep everything in just one zone file, it would
look something like this:

% less 1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa
;
; @(#) $Id: 1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa 672 2010-04-13 08:32:21Z matthew $
;
; MJS 20031213: Reverse mappings for 2001:8b0:151:1/64 addresses
;

$TTL3600

@   IN  SOA ns0.infracaninophile.co.uk.
hostmaster.infracaninophile.co.uk. (
2008071000  ; Serial
10800   ; Refresh (3H)
3600; Retry   (1H)
604800  ; Expire  (1W)
43200 ) ; Minimum (12H)
NS  secondary-ns.co.uk.
NS  secondary-dns.co.uk.
;
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR net6.infracaninophile.co.uk.
;
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR gate6.infracaninophile.co.uk.
7.b.d.8.5.a.e.f.f.f.5.0.0.4.2.0 PTR happy-idiot-talk.infracaninophile.co.uk.
[...etc...]

If you're using rtadv/rtsol, especially if you're combining that with
dynamic DNS, then having a zone for each /64 prefix you advertise would
make sense.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW


Re: Bind crashs sometimes.

2009-12-30 Thread Matthew Seaman

Cathy Almond wrote:

> If you're running a BIND 9,6,1~ variant (I don't recognise
> "bind96-9.6.1.2" as an ISC version string), the assert line number does
> not tally with the source code for bind9/lib/isc/unix/socket.c.

That's the FreeBSD package name & version for bind-9.6.1-P2 but...

> That assert location looks more like it would have come from a BIND
> 9.4.3~ socket.c module.
>
> Are you maybe running half old - half new?  Did your libs get updated?

... the paths in the output indicate Nadir is running the version of
named bundled with the base FreeBSD system, which is bind-9.4.3-P2 on
FreeBSD-7.2.

Nadir, if you've installed dns/bind96 from ports, then add the following
to /etc/rc.conf:

named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-c /etc/namedb/named.conf"

Make sure that there are no instances of named running[*]:

  # ps -ax -o pid,comm | awk '$2 == "named" { print $1 }' | xargs kill

and restart named by:

  # /etc/rc.d/named start

This will run the ports version of named using named.conf and any zone data
etc. from /etc/namedb/ (Well, it runs chrooted by default, so it's really
/var/named/etc/namedb but there's a handy sym-link)

Cheers,

Matthew

[*] You should really stop the base system named /before/ installing the port
and editing rc.conf, but this will work if you forgot to do that.


Nadir Aliyev wrote:

> Hello All,
>
> I have a serious problem, after upgrade to new version.
>
> Sometimes named crashes.
>
> Here is log.
>
> Dec 30 00:26:02 ns1 named[44042]: /usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:2361: INSIST(!sock->pending_accept) failed
> Dec 30 00:26:02 ns1 kernel: Dec 30 00:26:02 ns1 named[44042]: /usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:2361: INSIST(!sock->pending_accept) failed
> Dec 30 00:26:02 ns1 named[44042]: exiting (due to assertion failure)
> Dec 30 00:26:02 ns1 kernel: Dec 30 00:26:02 ns1 named[44042]: exiting (due to assertion failure)
> Dec 30 00:26:18 ns1 kernel: pid 44042 (named), uid 0: exited on signal 6 (core dumped)
>
> I did not find any solution for this problem.
>
> Bind version: bind96-9.6.1.2
>
> OS: FreeBSD 7.2
>
> --
> Nadir Aliyev
> ULTEL ISP


--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW




$GENERATE and IPv6

2009-08-19 Thread Matthew Seaman

Is anyone out there using $GENERATE to create blocks of AAAA and PTR records
for IPv6?  Particularly PTR records?

It seems easy enough to create AAAA records automatically:

$ORIGIN infracaninophile.co.uk.
$GENERATE 0-255 2001-8b0-151-1-240-0-1234-${0,0,x} AAAA 2001:8b0:151:1:240:0:1234:${0,0,x}

but how to create the corresponding PTR records?  Since the labels for
.ip6.arpa records are single hex digits, then I'd have to have 16 $GENERATE
lines to create 256 PTR records like so:

$ORIGIN 1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa.
$GENERATE 0-15  ${0,0,x}.0.0.0.4.3.2.1.0.0.0.0.0.4.2.0 PTR 2001-8b0-151-1-240-0-1234-${0,0,x}.infracaninophile.co.uk.
$GENERATE 16-31 ${0,0,x}.1.0.0.4.3.2.1.0.0.0.0.0.4.2.0 PTR 2001-8b0-151-1-240-0-1234-${0,0,x}.infracaninophile.co.uk.
$GENERATE 32-47 ${0,0,x}.2.0.0.4.3.2.1.0.0.0.0.0.4.2.0 PTR 2001-8b0-151-1-240-0-1234-${0,0,x}.infracaninophile.co.uk.
etc...

which seems to pretty much obviate the point of using $GENERATE in the
first place.  Other than writing a few scripts to generate the list
records directly are there any alternatives?

It would be handy if there was a format code eg 'P' that produced
reverse order hex digits separated by '.' -- so eg ${0,4,P} would 
expand to something like

0.0.0.0
1.0.0.0
2.0.0.0
...
d.f.0.0
e.f.0.0
f.f.0.0

for the example above.   

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   Flat 3
  7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW, UK



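The "few scripts" alternative, as an added example that is not from either post: it implements the nibble-reversal rule given in the IPv6 reverse-zone reply (zero-fill each field, reverse, one label per hex digit) and uses it to produce the 256 PTR records that the $GENERATE post above needed 16 lines for, which is what the wished-for 'P' format code would have expanded to. Prefix, addresses and host-name template are the ones in the posts; nothing here is BIND's own code.

```python
import ipaddress

def nibbles(addr):
    """The 32 hex digits of an address: every colon-separated field zero-filled to 4."""
    return addr.exploded.replace(":", "")

def ip6_arpa_name(addr):
    """Full reverse name: the 32 nibbles reversed, one label each, under ip6.arpa."""
    return ".".join(reversed(nibbles(ipaddress.IPv6Address(addr)))) + ".ip6.arpa."

def ip6_arpa_zone(prefix):
    """Zone apex for a prefix. Each label is one nibble, so a zone cut (and so a
    delegation) has to sit on a 4-bit boundary."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: length must be a multiple of 4 (one label per nibble)")
    fixed = nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(fixed)) + ".ip6.arpa."

def relative_owner(addr, prefix):
    """PTR owner name relative to the zone for `prefix`: the host nibbles, reversed
    (the reverse-order, dot-separated expansion the $GENERATE post asked for)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    ip = ipaddress.IPv6Address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    host = nibbles(ip)[net.prefixlen // 4 :]
    return ".".join(reversed(host))

def generate_ptrs(prefix, base, first, last, target_fmt):
    """Equivalent of the 16 $GENERATE lines: for offsets first..last from `base`,
    return (relative owner, target) pairs. target_fmt receives the offset as
    unpadded lowercase hex, like ${0,0,x} does."""
    base_ip = ipaddress.IPv6Address(base)
    return [(relative_owner(str(base_ip + off), prefix), target_fmt.format(off))
            for off in range(first, last + 1)]

def zone_fragment(prefix, records):
    """Render the records as zone-file text under the matching $ORIGIN."""
    lines = [f"$ORIGIN {ip6_arpa_zone(prefix)}"]
    lines += [f"{owner} PTR {target}" for owner, target in records]
    return "\n".join(lines) + "\n"

PREFIX = "2001:8b0:151:1::/64"
TARGET = "2001-8b0-151-1-240-0-1234-{:x}.infracaninophile.co.uk."

if __name__ == "__main__":
    records = generate_ptrs(PREFIX, "2001:8b0:151:1:240:0:1234:0", 0, 255, TARGET)
    print(zone_fragment(PREFIX, records))
```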