Re: can I provide invalid HTTPS values for testing?

2024-06-19 Thread Michael Richardson

Mark Andrews  wrote:
> Named and nsupdate validate input for types they know about (both text
> and wire). You would have to use versions that are not HTTPS aware and
> use unknown type format.

So, he could code it in Perl or Python or something which had a dynamic DNS
library.  Bind itself wouldn't validate the "ascii-hex" part when it receives
it.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
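The "code it in something with a dynamic DNS library" route, as an added example that is not part of the thread: the script below builds an RFC 2136 UPDATE by hand with the standard library only, so no type-aware client (nsupdate, or a DNS library that knows TYPE65) ever gets a chance to validate the HTTPS RDATA. The zone, owner name and the two RDATA byte strings are constructed test data; no TSIG is attached, which assumes you are testing against a server whose update-policy admits the source, or that you bolt signing on yourself.

```python
"""Build an RFC 2136 UPDATE carrying an HTTPS (TYPE65) record with
deliberately malformed RDATA, bypassing every type-aware client.

Standard library only: nothing here knows what an HTTPS record is, so
nothing validates it.  Zone, owner name and RDATA bytes are constructed test
data.  No TSIG is attached (assumption: the target's update-policy lets this
source through, or you add signing yourself).
"""
import secrets
import struct
from typing import Optional

TYPE_SOA = 6
TYPE_HTTPS = 65
CLASS_IN = 1
OPCODE_UPDATE = 5


def encode_name(name: str) -> bytes:
    """Uncompressed RFC 1035 wire form of a dotted name ("." -> b"\\x00")."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label == "":
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_name(wire: bytes, offset: int):
    """Decode an uncompressed name; returns (name, offset past the name)."""
    labels = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected here")
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def generic_rdata_text(rdtype: int, rdata: bytes) -> str:
    """RFC 3597 presentation form, e.g. 'TYPE65 \\# 3 010203'."""
    return f"TYPE{rdtype} \\# {len(rdata)} {rdata.hex()}"


def build_update(zone: str, owner: str, ttl: int, rdtype: int, rdata: bytes,
                 msg_id: Optional[int] = None) -> bytes:
    """One-RR UPDATE (RFC 2136 s2): header, zone section, one RR to add."""
    if msg_id is None:
        msg_id = secrets.randbits(16)
    flags = OPCODE_UPDATE << 11                       # QR=0, opcode 5, RD=0
    # ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rr = (encode_name(owner)
          + struct.pack("!HHIH", rdtype, CLASS_IN, ttl, len(rdata))
          + rdata)                                    # RDATA copied verbatim
    return header + zone_section + rr


def describe_update(wire: bytes) -> dict:
    """Walk a message produced by build_update and report what it carries."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", wire[:12])
    zone, off = decode_name(wire, 12)
    off += 4                                          # ZTYPE, ZCLASS
    owner, off = decode_name(wire, off)
    rdtype, rdclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
    off += 10
    rdata = wire[off:off + rdlen]
    return {
        "id": msg_id,
        "opcode": (flags >> 11) & 0xF,
        "counts": (zocount, prcount, upcount, adcount),
        "zone": zone,
        "owner": owner,
        "ttl": ttl,
        "rr": generic_rdata_text(rdtype, rdata),
        "trailing_bytes": len(wire) - (off + rdlen),
    }


# Constructed HTTPS RDATA (RFC 9460 s2.2): SvcPriority, TargetName, SvcParams.
# 1) keys out of ascending order (port=3 before alpn=1): a malformed RR.
BAD_ORDER = (b"\x00\x01"                      # SvcPriority 1
             + b"\x00"                        # TargetName "."
             + b"\x00\x03\x00\x02\x01\xbb"    # key 3 (port), length 2, 443
             + b"\x00\x01\x00\x03\x02h2")     # key 1 (alpn), length 3, "h2"
# 2) a SvcParam whose length runs past the end of the RDATA: truncated.
TRUNCATED = b"\x00\x01" + b"\x00" + b"\x00\x01\x00\x10\x02h2"

if __name__ == "__main__":
    for label, rdata in (("out-of-order keys", BAD_ORDER), ("truncated", TRUNCATED)):
        wire = build_update("example.com.", "svc.example.com.", 300, TYPE_HTTPS, rdata)
        print(label, describe_update(wire))
        # over TCP the message is length-prefixed: len(wire).to_bytes(2, "big") + wire
```

The interesting part is what the receiving named does with it: a type-aware server will reject the RR on receipt (the same validation nsupdate would have done on the client), so the test tells you whether the server side holds up when the client side is not playing by the rules.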


Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Michael Richardson

Matthijs Mekking  wrote:
> As the main developer of dnssec-policy, I would like to confirm that
> what has been said by Michael and Nick is correct.

Cool.

> - When migrating to dnssec-policy, make sure the configuration matches
> your existing keys.

Is there a way to validate the policy against what's in a specific 
zone/directory?
Effectively, "do your key management stuff --just-kidding --verbose"?

> - Most issues that were shared on this list have to do with migrating
> to dnssec-policy.

Agreed: and it bit me, and I am still a bit shell shocked.

> - If you feel like the DS is stuck in 'rumoured' state you might need
> to run 'rndc dnssec -checkds seen' on the key.

okay, good to know this.
. o O ( Umbrella Academy )

> - It is not recommended to switch to dnssec-policy if you are currently
> in a rollover.

> I acknowledge that migration takes some care and I wish the process was
> easier. We have some ideas to make it less error prone, but I haven't
> found the time to work on that.

Are there open issues?

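A rough answer to the "--just-kidding --verbose" wish, as an added example that is neither from the thread nor a named feature: before flipping a zone to dnssec-policy, parse the K*.key files already in the key directory and compare each key's role and algorithm with the policy's keys list. POLICY below is a hand-written summary of the intended dnssec-policy, not a named.conf parser; the two key files are constructed and hold no real key material; RSA key sizes, lifetimes and the timing metadata in .private/.state are out of scope.

```python
"""Dry-run check: do the keys already in the key directory match the
dnssec-policy you are about to switch the zone to?

Added example, not part of the thread and not a named feature.  It parses the
public K<zone>.+<alg>+<id>.key files that dnssec-keygen/named write (one
DNSKEY RR plus ';' comment lines) and compares each key's role (flags 257 =
KSK/CSK, 256 = ZSK) and algorithm number with a hand-written summary of the
policy's keys list.  It knows nothing about RSA key sizes, lifetimes or the
timing metadata in the .private/.state files; the key files below are
constructed and contain no real key material.
"""
from pathlib import Path
from typing import Iterable

ALG_NAMES = {8: "rsasha256", 13: "ecdsap256sha256", 14: "ecdsap384sha384",
             15: "ed25519", 16: "ed448"}

# Stand-in for "keys { ksk ... algorithm ecdsa256; zsk ... algorithm ecdsa256; }".
POLICY = [
    {"role": "ksk", "algorithm": 13},
    {"role": "zsk", "algorithm": 13},
]


def parse_key_file(text: str) -> dict:
    """Pull owner, flags and algorithm out of the DNSKEY RR in a .key file."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";") or "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")
        flags = int(tokens[i + 1])
        return {"owner": tokens[0], "flags": flags,
                "algorithm": int(tokens[i + 3]),
                "sep": bool(flags & 0x0001)}          # SEP bit => KSK or CSK
    raise ValueError("no DNSKEY RR found in key file")


def satisfies(key: dict, entry: dict) -> bool:
    """A policy 'ksk'/'csk' needs a SEP key, a 'zsk' a non-SEP key, same algorithm."""
    if key["algorithm"] != entry["algorithm"]:
        return False
    return key["sep"] if entry["role"] in ("ksk", "csk") else not key["sep"]


def compare(keys: Iterable[dict], policy: list) -> list:
    """Return human-readable mismatches; an empty list means a quiet switch."""
    keys = list(keys)
    findings = []
    for k in keys:
        if not any(satisfies(k, e) for e in policy):
            findings.append(
                f"{k['owner']} flags={k['flags']} alg={k['algorithm']} "
                f"({ALG_NAMES.get(k['algorithm'], '?')}) matches no policy key: "
                "expect named to roll it to a policy-conforming key")
    for e in policy:
        if not any(satisfies(k, e) for k in keys):
            findings.append(
                f"policy wants a {e['role']} with algorithm {e['algorithm']} "
                f"({ALG_NAMES.get(e['algorithm'], '?')}) and none exists: "
                "expect named to generate one and start a rollover")
    return findings


def check_key_directory(keydir: Path, zone: str, policy=POLICY) -> list:
    """Run compare() over every K<zone>.+*.key file in a key-directory."""
    zone = zone.rstrip(".")
    keys = [parse_key_file(p.read_text())
            for p in sorted(keydir.glob(f"K{zone}.+*.key"))]
    return compare(keys, policy)


# Constructed key files: an ECDSA P-256 KSK and a legacy RSA ZSK.
SAMPLE_KSK = """\
; This is a key-signing key, keyid 12345, for example.com.
example.com. IN DNSKEY 257 3 13 ExampleKeyMaterialNotARealKey000000000000000000000000000000000000000000000000000000==
"""
SAMPLE_ZSK = """\
; This is a zone-signing key, keyid 23456, for example.com.
example.com. IN DNSKEY 256 3 8 AwEAAExampleKeyMaterialNotARealKey0000000000000000000000000000000000000000000000000000==
"""

if __name__ == "__main__":
    for finding in compare([parse_key_file(SAMPLE_KSK), parse_key_file(SAMPLE_ZSK)], POLICY):
        print("MISMATCH:", finding)
```

Point check_key_directory() at the zone's key-directory; an empty result means every key on disk has a matching policy entry and vice versa. Once the policy is live, `rndc dnssec -status <zone>` is the authoritative view of what named actually decided.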


Re: How should I configure internal and external DNS servers

2023-11-05 Thread Michael Richardson

Greg Choules via bind-users  wrote:
> What would be better (IMHO) is for you to keep "example.com" as your
> external zone in an external (hopefully in a DMZ) primary server,
> serving the world with public addresses they need to reach, and
> internally create a new zone - "internal.example.com" (maybe also other
> "somethingX.example.com" too) as your internal zone in an internal
> primary server for serving internal clients with the addresses they
> need.

Would anyone be interested in formulating this into an IETF BCP RFC?
Or maybe a RIPE BCOP.
Your write up is excellent.  Worth keeping it somewhere.

> The reason for the delegation is DNSSEC. If you enable DNSSEC

Yes.

> That was a bit of an essay, but I hope at least some of it made sense.

:-)



Re: How should I configure internal and external DNS servers

2023-11-04 Thread Michael Richardson

Given VPNs, RemoteAccess and the like, I strongly recommend against split-DNS
configurations.  They were great ideas in 1993, when all sites were concave,
but that's just not the case anymore.

Instead, I recommend having a sub-zone, "internal.example.com", or some other
convenient name.  Put a zone split ("NS" and "DS" records) there, and then
limit who can do queries to this zone by IP address.  You'd acceptlist all of
your VPN sites, the v4 (RFC1918) and v6 (subnet) prefixes for your remote
access clusters.

Split-DNS finally has some actual IETF definition at:
  https://datatracker.ietf.org/doc/draft-ietf-add-split-horizon-authority/

I'm specifically arguing to do:
  https://www.ietf.org/archive/id/draft-ietf-add-split-horizon-authority-06.html#name-internal-only-subdomains

It's just so much easier, particularly if you are starting from scratch.

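The internal-only subdomain layout described above, as an added example of BIND 9.16+ configuration that is not from the thread: one public zone carrying the delegation, one internal zone whose queries are limited by source address. Every name and prefix is a placeholder (RFC 1918 and documentation space); the ACL is where your VPN sites and remote-access prefixes go.

```conf
// Added example (not from the thread): internal-only subdomain with an
// address-based acceptlist.  Names and prefixes are placeholders.

acl "internal-clients" {
    localhost;
    10.0.0.0/8;                 // office + VPN pools (RFC 1918)
    192.0.2.0/24;               // remote-access cluster, public side (placeholder)
    2001:db8:1::/48;            // internal IPv6 (placeholder)
};

// Public zone: answers anyone, and carries the NS + DS records that delegate
// internal.example.com, so validation of the internal zone chains from here.
zone "example.com" {
    type primary;
    file "/var/lib/bind/example.com.db";
    dnssec-policy default;
    inline-signing yes;
    allow-query { any; };
};

// Internal zone: only acceptlisted sources get answers; everyone else gets
// REFUSED rather than a different view of the same names.
zone "internal.example.com" {
    type primary;
    file "/var/lib/bind/internal.example.com.db";
    dnssec-policy default;
    inline-signing yes;
    allow-query { internal-clients; };
    allow-transfer { none; };   // add your own secondaries here, by key
};
```

The zone split itself is two records in example.com.db, `internal IN NS ns1.internal.example.com.` with glue for ns1.internal, and `internal IN DS ...` copied from `dnssec-dsfromkey` run against the subzone's KSK. The subzone's name server may sit on a private address: outsiders can see that the delegation exists but cannot reach it, which is the intended behaviour, and a validating internal resolver still gets a complete chain of trust.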


Re: Bind forgets my changes with nsupdate

2023-10-08 Thread Michael Richardson

201907-b...@planhack.com wrote:
>> My solution is not to mix dynamic update with other access.  Instead,
>> I put in CNAMEs in the signed zone to a sub-zone (or other zone) where
>> I do exclusive dynamic update.  This isn't perfect, but it works well
>> enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
>> certificates.

> Not perfect? What issues did you see? Thanks!

a) there are still a number of situations where systems do not follow CNAMEs
   when they should.  Particularly relating to RFC2317 reverse delegations.

b) using a second zone introduces additional possibilities for DNSSEC to be
   broken.

c) cruft accumulates in the second zone, and some of it does not get deleted.

d) updates to secondaries sometimes take longer than certbot is able to cope
   with.
   ("up-arrow-return" solves the problem if interactive.  Cron running a week
   later usually works)

--
]   Never tell me the odds!     | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



Re: Bind forgets my changes with nsupdate

2023-10-06 Thread Michael Richardson

In general, you don't want to mix dynamic update zones with ones that you
want to edit by hand.  I see that you are doing manual DNSSEC signing in your
cron job.

Your choices are:
a) do everything with dynamic update, and turn on automatic DNSSEC management
   in bind9.

b) do your DNSSEC signing inline.
   I blogged poorly about my setup:
   https://www.sandelman.ca/mcr/blog/sysadmin/bind9-dnssec-formula/

c) a mix of the above.
   My solution is not to mix dynamic update with other access.
   Instead, I put in CNAMEs in the signed zone to a sub-zone (or other zone)
   where I do exclusive dynamic update.  This isn't perfect, but it works
   well enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
   certificates.

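Option (c) above, the CNAME into a dynamic-only subzone, as an added configuration example that is not from the thread: the hand-edited zone stays closed to updates, and the dynamic zone's update-policy lets the ACME client's TSIG key write nothing but TXT records at or below _acme-challenge. Names are placeholders and the secret is a dummy value; generate a real one with `tsig-keygen acme-dyn`.

```conf
// Added example (not from the thread): static signed zone + dynamic-only
// subzone for dns-01, with least-privilege update rights.
// The key name must be identical on both sides (this statement and the
// client's key file); a mismatch shows up as a refused update.
key "acme-dyn" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // placeholder, not a real key
};

// Hand-edited, signed zone.  Never updated dynamically; per host it holds
//   _acme-challenge.www  IN CNAME  www._acme-challenge.dyn.example.com.
// plus the NS and DS records that delegate dyn.example.com.
zone "example.com" {
    type primary;
    file "/var/lib/bind/example.com.db";
    dnssec-policy default;
    inline-signing yes;
    allow-update { none; };
};

// Dynamic-only subzone.  named signs it itself, and the only thing the key
// may do is add or delete TXT at or below _acme-challenge.dyn.example.com.
zone "dyn.example.com" {
    type primary;
    file "/var/lib/bind/dyn.example.com.db";
    dnssec-policy default;
    update-policy {
        grant acme-dyn subdomain _acme-challenge.dyn.example.com. TXT;
    };
};

// Client side, for an ACME client that follows the CNAME
// (nsupdate -k /etc/bind/acme-dyn.key):
//   update add www._acme-challenge.dyn.example.com. 60 IN TXT "token"
//   send
```

The grant is deliberately narrow: a leaked key can plant challenge tokens, but cannot touch A/AAAA/MX records or anything outside the _acme-challenge subtree, and it cannot reach example.com at all.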


Re: Hyperlocal RFC8806 Root Mirror

2023-09-27 Thread Michael Richardson

Silva Carlos  wrote:
> On server A I configured HyperLocal. On Server B I did NOT configure
> HyperLocal.

> I ran the command "dig @localhost EXAMPLES" on both servers.
> EXAMPLES: blabla.sdf.dd or teste.com.eroterrter or world.nanana

> Problem: Both Servers report that "Query Time = 0 ms". I understand that
> Server A should result in 0ms and Server B should have a non-zero time as
> Server B does not have a copy of the Root Zone DB.

> Question: Where am I going wrong? Am I missing some basic principle?

1. Server B could have cached the result already.
   Make sure you start it cold.
2. The query is probably taking between 0ms and 1ms, but rounds down to 0ms.

To be sure, you could tcpdump the network on server B.



Re: Master file permission denied

2023-06-29 Thread Michael Richardson

Mark Andrews  wrote:
> where wrong and wouldn’t normally be that way.  Something or someone
> changed them.  It may have happened again.  We can’t see what you see

And, AppArmor can turn things into permission denied, which are rather
mysterious.  So, I'd ask for dmesg output too.



Re: Bind listener to an IPv6 from AnyIP subnet

2023-03-13 Thread Michael Richardson

m...@at.encryp.ch wrote:
> Regarding the usage of [::] - due to usage of firewall I am able to
> block connections to the 53/udp and 53/tcp which are not coming to
> specific IP addresses or ranges, I do not need such filtering
> functionality within bind itself.

Bind doesn't listen to specific sockets because of security.
It does so because of connectivity and plumbing.

I think you are making your life hard for no benefit.



Re: Bind listener to an IPv6 from AnyIP subnet

2023-03-13 Thread Michael Richardson

Serg via bind-users  wrote:
> As an alternative approach I have tried to run with a configuration
> "listen-on-v6 { any; }", but it does behave in a way I need - it binds a
> separate socket for each discovered IP address rather than the wildcard
> address of [::].

Bind needs to bind a new socket for each address so that it can easily know
which address is being communicated with.  While there are newer ways to do
this, they aren't that portable.

What is the problem with binding to all the addresses, if you then filter
which addresses will actually respond?

Many large authoritative resolvers put the anycast address on the lo, and then
use BGP to announce connectivity, and AFAIK, they all just listen on all
addresses, because sometimes you want to ask a specific server a question.



Re: Something other than port 53 is blocking the LAN based BIND9 Servers

2023-03-13 Thread Michael Richardson

Mike Lieberman  wrote:
> The newer router blocks my local BIND servers (ONLY not clients using
> downstream servers) from receiving anything from the Internet. OUR BIND
> servers still have the local networks, but nothing else.

Your explanation is rather obtuse, but I think you mean that your BIND
servers can not do recursive lookups.  Rather than receive/answer
authoritative queries.

Do your queries originate from port-53?  That is not the default anymore, AFAIK.

> The question I need resolved by the proper group/forum is: What port or
> technology is doing the blocking? The ISP has no idea.

No, the ISP probably has no idea.  Might even be their FTTH ONT system.

> I have tried three of the new routers but all blocked my servers. I
> tried a replacement EoL router and that works. Without changing
> anything on the network, other than the physical router, it was like
> flipping a switch.

I assume it's a GPON, and therefore you can't easily tcpdump on the outside
like you can with a plain PPPoE with VDSL.



Re: converting from opendnssec/openhsm?

2023-01-27 Thread Michael Richardson

Can you share a bit about why you want to get out of using
opendnssec/openhsm?

I would regard this as an opportunity to test key rollover with your parent
zone :-)

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



Re: Finding dnssec validation failures in the logs

2023-01-24 Thread Michael Richardson

John Thurston  wrote:
> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am
> writing "category dnssec" to a log file at "severity info;"  When I look in
> the resulting log file, I'm guessing that lines like this:

> validating com/SOA: got insecure response; parent indicates it should be
> secure

> Are an indication I have a problem I should investigate.

Maybe.
It could be that DNSSEC is simply defending you against attackers who are
trying to race insecure answers to your queries in the belief that "nobody
validates".

If it were systematic (every query, every query to some servers...) then you
should suspect that there is an on-path attacker modifying the responses.
That's unlikely in general,  but it's why we have DNSSEC.
It could also be the result of corrupted packets that survive the UDP
checksum, or which go through a middle box that "fixes" that.  Some satellite
systems do that.  I imagine that Alaska might have at least one satellite link.

It doesn't sound like it's systematic, so I think they are off-path
attackers, and it looks like it's queries on .com?

Most likely, there is little you can do.

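The sporadic-versus-systematic distinction drawn above, turned into something you can run over the dnssec log, as an added example that is not from the thread: it picks out the "got insecure response; parent indicates it should be secure" lines, counts them per name/type, and reports whether the failures are scattered (off-path attempts or damaged packets) or concentrated on the same query (worth looking at the path). The log lines are constructed samples in BIND's default file log format (print-time, print-category, print-severity); the repeat threshold is an arbitrary starting point, not a BIND setting.

```python
"""Triage 'got insecure response; parent indicates it should be secure' lines
from BIND's dnssec logging category.

Added example, not from the thread.  Scattered names: most likely off-path
spoofing attempts or corrupted packets, little to do.  The same name/type
failing over and over: look at the path to those servers.  The log lines are
constructed samples in BIND's default file log format; the threshold is an
arbitrary starting point.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:dnssec: \w+: )?"
    r"validating (?P<name>\S+)/(?P<type>\S+): got insecure response; "
    r"parent indicates it should be secure$"
)

SPORADIC_LOG = """\
24-Jan-2023 10:15:32.123 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
24-Jan-2023 10:21:05.410 general: info: zone example.com/IN: loaded serial 2023012401
24-Jan-2023 11:02:17.008 dnssec: info: validating example.net/A: got insecure response; parent indicates it should be secure
24-Jan-2023 13:44:51.777 dnssec: info: validating example.org/DS: got insecure response; parent indicates it should be secure
"""

SYSTEMATIC_LOG = """\
24-Jan-2023 10:15:32.123 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
24-Jan-2023 10:15:33.001 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
24-Jan-2023 10:15:34.512 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
24-Jan-2023 10:16:02.230 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
24-Jan-2023 10:20:00.000 dnssec: info: validating example.net/A: got insecure response; parent indicates it should be secure
"""


def parse_events(text: str) -> list:
    """Return [(timestamp, 'name/TYPE'), ...] for matching lines only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            events.append((ts, f"{m['name']}/{m['type']}"))
    return events


def triage(events: list, repeat_threshold: int = 3) -> dict:
    """Classify the failures as clean / sporadic / systematic."""
    counts = Counter(query for _, query in events)
    repeats = {q: n for q, n in counts.items() if n >= repeat_threshold}
    spans = {}
    for q in repeats:
        stamps = sorted(ts for ts, query in events if query == q)
        spans[q] = (stamps[-1] - stamps[0]).total_seconds()
    if not events:
        verdict = "clean"
    elif sum(repeats.values()) * 2 >= len(events):   # repeats are the majority
        verdict = "systematic"
    else:
        verdict = "sporadic"
    advice = {
        "clean": "no insecure-response failures in this window",
        "sporadic": "scattered names: off-path spoofing attempts or damaged packets; "
                    "DNSSEC did its job, nothing to fix locally",
        "systematic": "the same query keeps failing: check the path to the "
                      "authoritative servers for these names (on-path rewriting, "
                      "checksum-'fixing' middleboxes)",
    }[verdict]
    return {"total": len(events), "distinct": len(counts), "repeats": repeats,
            "repeat_span_seconds": spans, "verdict": verdict, "advice": advice}


if __name__ == "__main__":
    for label, text in (("sporadic", SPORADIC_LOG), ("systematic", SYSTEMATIC_LOG)):
        print(label, triage(parse_events(text)))
```

Feed it the dnssec category log for a day at a time; a "systematic" verdict with a repeat span of seconds suggests a burst (retries of one lookup), while one spread over hours is the persistent on-path condition the reply above says to worry about.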


Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Michael Richardson

E R  wrote:
> I am planning on implementing the current version of BIND to replace the
> aging, undocumented authoritative servers I inherited.  I want to hide the
> primary server on our internal network and have two secondary servers be
> publicly available.  While reading the DNSSEC Guide recipes
> it seems to imply that I cannot have a hidden primary that handles all the
> DNSSEC stuff.

Many people do exactly that.
Check out the: “Bump in the Wire” Signing section.

In my opinion, this is the best way to do things, and the in-place signing is
just a total pain.

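A hidden primary with "bump in the wire" signing, as an added configuration example that is neither from the thread nor copied from the DNSSEC Guide: three named instances, where only the signer holds keys and the public secondaries never talk to the hidden primary. Addresses are RFC 5737 placeholders and the TSIG secret is a dummy (use `tsig-keygen`).

```conf
// Added example (not from the thread or the DNSSEC Guide): bump-in-the-wire
// signing behind a hidden primary.  Addresses and the secret are placeholders.

// 1. Hidden primary: unsigned, hand-edited, not in the NS set, internal only.
key "xfer" { algorithm hmac-sha256; secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; };
zone "example.com" {
    type primary;
    file "/var/lib/bind/example.com.db";
    allow-query { localhost; 192.0.2.10; };
    allow-transfer { key xfer; };
    notify explicit;
    also-notify { 192.0.2.10; };              // the signer only
};

// 2. Signer: pulls the unsigned zone, holds the keys, emits the signed zone.
//    (same key "xfer" statement as above)
zone "example.com" {
    type secondary;
    primaries { 192.0.2.1 key xfer; };         // hidden primary
    file "/var/lib/bind/example.com.signer";
    inline-signing yes;
    dnssec-policy default;
    key-directory "/var/lib/bind/keys";        // keys exist on this host only
    allow-query { localhost; 198.51.100.0/24; };
    allow-transfer { key xfer; };
    notify explicit;
    also-notify { 198.51.100.1; 198.51.100.2; };
};

// 3. Public secondaries (the NS records): transfer from the signer, never from
//    the hidden primary, and serve the world.
//    (same key "xfer" statement as above)
zone "example.com" {
    type secondary;
    primaries { 192.0.2.10 key xfer; };        // the signer
    file "/var/lib/bind/example.com.signed";
    allow-query { any; };
    allow-transfer { none; };
};
```

Check from outside with `dig +dnssec example.com SOA @198.51.100.1` (AD/RRSIG present) and on the signer with `rndc dnssec -status example.com`; the DS goes to the parent from the signer's KSK, and nothing on the hidden primary ever needs to know the zone is signed.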


Re: automatic reverse and forwarding zones

2022-10-27 Thread Michael Richardson

Havard Eidnes via bind-users  wrote:
> To "fill" an ip6.arpa zone for a /64 requires 18446744073709551616
> records (yes, that's about 18 x 10^18 if my math isn't off).  I predict
> you do not possess a machine capable of running BIND with that many
> records loaded -- I know we don't.

It sure would be nice to be able to set some kind of default (static) answer for
reverse zones.  While it has limited usability for IPv4, it would actually
be nice, and it seems a win for IPv6 reverse.

It probably does not play well with DNSSEC, although I was thinking about
whether some amount of wildcards in the signed reverse could help, but I
don't think so.



Re: Using nsupdate remotely

2022-07-12 Thread Michael Richardson

Philip Prindeville  wrote:
> What do I need to do on both ends (remote DHCP server and central DNS
> server) to push updates over?

Your list is pretty accurate.

One thing that bites me regularly is that names of the TSIG keys matters, and
that if you have a trailing . in the key name, it matters too.



Re: understanding keymgr handling of KSK

2022-05-08 Thread Michael Richardson via bind-users
I found this message:

May  8 16:41:18 tilapia named[1268]: zone ox.org/IN: 
zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk

It would be great if it could tell me the file name that failed to write, and
ideally what the error was (EPERM is my guess, but there could also be
AppArmor stupids for some people which are really hard to diagnose).

Is there a way to put all the keymgr logging into a different debug stream?
Ideally, I think I need it emailed to me daily :-)



understanding keymgr handling of KSK

2022-05-08 Thread Michael Richardson via bind-users
 and I checked and I don't have a CDS published.

So what happened?  I shall troll my logs and see what else I can find out,
but there sure is a lot of stuff going on.  Maybe lots of flotsam from my
previous situation that needs to be expunged.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works|IoT architect   [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



Re: How to allow recursion on my own (cross) domains only after upgrade to 9.16.27 (lack of additional-from-auth option) ?

2022-04-18 Thread Michael Richardson


Mark Andrews  wrote:
> Unless you are pointing recursive clients directly at your
> authoritative servers there is no need. The recursive servers will
> lookup the CNAME target themselves. Additionally recursive servers just
> process the CNAME and ignore the rest of the response to prevent cache
> poisoning if there is more there.

I think that implicit in Mark's answer is that the additional data that was
being returned was just wasted bytes, since it could never be trusted by
clients so why waste bytes.   Thus the change?



invalid prefix

2022-03-11 Thread Michael Richardson

I upgraded to 9.18 from 9.11 or something that was in Debian bullseye.

Mar 11 18:14:27 tilapia named[9206]: /etc/bind/named.conf.options:40: invalid prefix, bits [64..71] must be zero

Alas, line 40 has multiple IPv6 prefixes on it:

40   dns64 2607:f0b0:f:0:::/96 {
41  clients { 2607:f0b0:f::/56; 2a00:1098::/64; };
42  exclude { !2607:f0b0:f:3::184/128; !2607:f0b0:f:3:216:3eff:fe7c:d1f3/128; !2607:f0b0:f:2::30/128; };
42   mapped { !172.30.0.0/16; !10/8; !209.217.85.0/24; any; };
43};

I feel a bit annoyed by this error, because it's kinda nice to be able to
just paste in stuff from ifconfig output, etc. and then say, yeah, let's do
the entire subnet but I understand that often it's a clue that someone is
clueless.

But, it would be great if the message told me which prefix was actually a
problem.

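The "tell me which prefix" wish, as an added example that is not from the thread or from BIND: the script applies the RFC 6052 constraints behind named's check (length 32/40/48/56/64/96, host bits zero, bits 64..71 zero) to every prefix that follows the dns64 keyword in a named.conf fragment and names the offender. Only the translation prefix is subject to that rule; clients/exclude/mapped are ordinary address lists and are left alone. The snippet is constructed, using documentation-space addresses, and named's own check may differ in detail from this one.

```python
"""Report which dns64 prefix in a named.conf fragment breaks RFC 6052, and why.

Added example, not from the thread or from BIND.  Applies the RFC 6052
constraints (length 32/40/48/56/64/96, host bits zero, bits 64..71 zero) to
each prefix following the dns64 keyword; clients/exclude/mapped are ACLs and
are not checked.  The snippet is constructed; 2001:db8::/32 is documentation
space.  named's own check may differ in detail.
"""
import ipaddress
import re

ALLOWED_LENGTHS = (32, 40, 48, 56, 64, 96)
DNS64_RE = re.compile(r"\bdns64\s+([0-9A-Fa-f:.]+/\d+)\s*\{")

SNIPPET = """\
options {
    dns64 2001:db8:1:2:ff00::/96 {
        clients { 2001:db8:1::/48; 2001:db8:2::/64; };
        exclude { !2001:db8:1:3::184/128; any; };
        mapped { !10/8; any; };
    };
    dns64 64:ff9b::/96 {
        clients { any; };
    };
};
"""


def check_dns64_prefix(text: str) -> list:
    """Return the RFC 6052 violations for one prefix (empty list = fine)."""
    try:
        iface = ipaddress.IPv6Interface(text)       # keeps the address as written
    except ValueError as exc:
        return [f"{text}: not a valid IPv6 prefix ({exc})"]
    problems = []
    if iface.network.prefixlen not in ALLOWED_LENGTHS:
        problems.append(f"{text}: /{iface.network.prefixlen} is not one of {ALLOWED_LENGTHS}")
    if iface.ip != iface.network.network_address:
        problems.append(f"{text}: host bits are not zero (pasted an interface address?)")
    u_octet = iface.ip.packed[8]                     # bits 64..71, RFC 6052's 'u'
    if u_octet != 0:
        problems.append(f"{text}: bits [64..71] must be zero (found 0x{u_octet:02x})")
    return problems


def report(conf: str) -> dict:
    """Map every dns64 prefix in the fragment to its list of problems."""
    return {p: check_dns64_prefix(p) for p in DNS64_RE.findall(conf)}


if __name__ == "__main__":
    for prefix, problems in report(SNIPPET).items():
        print(prefix, "OK" if not problems else "; ".join(problems))
```

Run report() over the contents of named.conf.options before `named-checkconf`; when several dns64 blocks share a file, the per-prefix output is the pointer the single line number in the log does not give you.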