Re: bind configuration/setup question
Alan,

None of the files you listed (bind.keys, managed-keys.bind and managed-keys.bind.jnl) are in the bind installation directory, or the chroot that named is run in. I did add the following line in the named.conf file:

    managed-keys-directory /var/log;

where /var/log is a writable directory for the userid named is run as. Re-hit the process with a kill -1 name.pid and the same errors are in the log file. Also touched blank managed-keys.bind and managed-keys.bind.jnl files in /var/log, then re-hit the process with the same results.

When I change the database directory to an OS writable directory in named.conf with this line in the options block:

    directory /var/log/namedb; // Directory where data files are stored

the errors do not show up in the logs, but the database files are now writable to the OS. Note user permissions are set so the database files in /var/log/namedb and the /var/log/namedb directory are read only for the userid named is run as.

Did I use the correct syntax for the managed-keys-directory options line, or is the problem that there is no bind.keys file with the managed-keys statements?

*The content of this message is my personal opinion only, and should not be construed as anything that has been through rigorous scrutiny of the professional groups who devote their life and work to the topics being discussed

From: Alan Clegg a...@clegg.com
To: mm half mm_ha...@yahoo.com
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Sent: Wednesday, August 28, 2013 1:34 PM
Subject: Re: bind configuration/setup question

> On Aug 28, 2013, at 1:29 PM, Alan Clegg a...@clegg.com wrote:
>
>> I believe that what you are seeing is the result of BIND 9.9 doing more things automatically, including bringing in a set of DNSSEC trust anchors (root and DLV) and not being able to create the file. You should be able to use the option bindkeys-file to set a location that is writable for this file.
>
> And as soon as I sent this I realized that I'd goofed.
>
> bind.keys is created on install (it is part of the problem, however). This file contains managed-keys statements that I refer to below (and it was supposed to be keystore not keystone -- spellcheck will be the death of the computer industry).
>
>> It's also going to happen if you use managed-keys, as there is a keystone created that needs to be updated. See the managed-keys-directory option.
>
> This is where the problem lies. The fact that you have managed-keys requires BIND to create a journal of updates made to the trust-anchor material. Set managed-keys-directory to a writable directory and copy the managed-keys.bind and managed-keys.bind.jnl files there.
>
> AlanC
> --
> Alan Clegg | +1-919-355-8851 | a...@clegg.com

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
bind configuration/setup question
Hello,

Setup bind-9.9.2-P2 on a solaris 10 system using zones (an oracle implementation of OS virtualization), with a dns data/configuration zone and a dns zone. The dns data zone is on a private network and has the dns data tables for bind (directory where data files stored in named.conf options area), the bind installation, and bind configuration file, named.conf. The dns zone is on the internet routable public network, and has the dns data, bind installation, and bind configuration file available to it in a read only file system.

Figured that since we have successfully run earlier versions of bind on dns servers with the data directory and data files as read only to the userid bind runs as, this would also work, and provide the added benefit of preventing the OS of the zone running bind on the public network from being able to modify the data area at all.

The dns server using this configuration seems to be running fine, but each time bind re-reads the named.conf file these messages appear in named.log:

    28-Aug-2013 12:12:37.565 general: info: reloading zones succeeded
    28-Aug-2013 12:12:37.572 general: notice: all zones loaded
    28-Aug-2013 12:12:37.573 general: notice: running
    28-Aug-2013 12:12:37.573 general: error: file.c:300: unexpected error:
    28-Aug-2013 12:12:37.573 general: error: unable to convert errno to isc_result: 30: Read-only file system
    28-Aug-2013 12:12:39.279 general: error: file.c:300: unexpected error:
    28-Aug-2013 12:12:39.279 general: error: unable to convert errno to isc_result: 30: Read-only file system

Is this error something to be worried about, or is it more of an info message? Also, is much even gained security wise by disallowing the OS to write to the dns data area? This particular error can be fixed by separating the dns data directory from the bind configuration and bind installation, and putting it on a writable file system for the public dns zone, but if the above error is only a warning thinking of keeping the data as read only also.

Any suggestions are appreciated. Thanks

*The content of this message is my personal opinion only, and should not be construed as anything that has been through rigorous scrutiny of the professional groups who devote their life and work to the topics being discussed
Re: bind configuration/setup question
On Aug 28, 2013, at 12:53 PM, mm half mm_ha...@yahoo.com wrote:

>     28-Aug-2013 12:12:37.565 general: info: reloading zones succeeded
>     28-Aug-2013 12:12:37.572 general: notice: all zones loaded
>     28-Aug-2013 12:12:37.573 general: notice: running
>     28-Aug-2013 12:12:37.573 general: error: file.c:300: unexpected error:
>     28-Aug-2013 12:12:37.573 general: error: unable to convert errno to isc_result: 30: Read-only file system
>     28-Aug-2013 12:12:39.279 general: error: file.c:300: unexpected error:
>     28-Aug-2013 12:12:39.279 general: error: unable to convert errno to isc_result: 30: Read-only file system
>
> Is this error something to be worried about, or is it more of an info message? Also, is much even gained security wise by disallowing the OS to write to the dns data area? This particular error can be fixed by separating the dns data directory from the bind configuration and bind installation, and putting it on a writable file system for the public dns zone, but if the above error is only a warning thinking of keeping the data as read only also.
>
> Any suggestions are appreciated.

When I see the words "unexpected error" coming out of software, I'm always concerned.

I believe that what you are seeing is the result of BIND 9.9 doing more things automatically, including bringing in a set of DNSSEC trust anchors (root and DLV) and not being able to create the file. You should be able to use the option bindkeys-file to set a location that is writable for this file.

It's also going to happen if you use managed-keys, as there is a keystone created that needs to be updated. See the managed-keys-directory option.

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
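The thread boils down to one question a pre-flight check can answer before named is reloaded: which directory will named write the managed-keys files into, and does that differ from the read-only zone-data directory. The script below is an added example, not code from ISC or from anyone on the list. It resolves the effective managed-keys directory from a named.conf fragment (managed-keys-directory falls back to the `directory` working directory when unset, and the grammar takes a quoted path) and triages named.log lines for the errno 30 "Read-only file system" errors quoted in the original post. The two configs are constructed; the log lines copy the format of the ones in the thread.

```python
"""Pre-flight check for the write locations discussed in this thread, plus a
triage of the named.log lines the original post quotes.

Added example, not code from ISC or from anyone on the list. It parses only
the three named.conf options that matter here (a real config is validated
with named-checkconf); the sample configs are constructed, and the sample
log lines copy the format quoted in the thread.
"""
import re

# Behaviour the thread describes for BIND 9.9: managed-keys.bind and its
# .jnl journal are written to managed-keys-directory, which defaults to the
# working directory set by `directory`; the built-in trust anchors are read
# from bindkeys-file (sysconfdir/bind.keys, i.e. /etc/bind.keys in a
# default build). Only the key directory has to be writable by named.
DEFAULT_BINDKEYS_FILE = "/etc/bind.keys"

# named.conf takes a quoted string for these options, so an unquoted
# `managed-keys-directory /var/log;` is a syntax error rather than a
# silently ignored setting; the pattern therefore only accepts quoted paths.
_OPTION_RE = re.compile(
    r'^\s*(directory|managed-keys-directory|bindkeys-file)\s+"([^"]*)"\s*;',
    re.MULTILINE,
)


def strip_comments(conf_text):
    """Remove /* */, // and # comments (named.conf allows all three).
    Naive on purpose: a '//' inside a quoted string would be cut too."""
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.DOTALL)
    return re.sub(r"(//|#).*$", "", text, flags=re.MULTILINE)


def parse_options(conf_text):
    """Return {option: path} for the options this check cares about."""
    return dict(_OPTION_RE.findall(strip_comments(conf_text)))


def key_dir(conf_text):
    """Directory named will write managed-keys.bind and its .jnl into."""
    opts = parse_options(conf_text)
    return opts.get("managed-keys-directory", opts.get("directory"))


def bindkeys_file(conf_text):
    """File the built-in managed-keys statements are read from (not written)."""
    return parse_options(conf_text).get("bindkeys-file", DEFAULT_BINDKEYS_FILE)


def readonly_fs_errors(log_lines):
    """Timestamps of errno 30 (Read-only file system) errors in named.log."""
    log_re = re.compile(r"^(?P<ts>\S+ \S+) \w+: (?P<level>\w+): (?P<msg>.*)$")
    hits = []
    for line in log_lines:
        m = log_re.match(line.strip())
        if m and m.group("level") == "error" and "Read-only file system" in m.group("msg"):
            hits.append(m.group("ts"))
    return hits


# Constructed: the situation in the thread (data directory read-only and no
# key directory set, so the key files land in the read-only directory).
CONF_READONLY = """
options {
    directory "/var/named/data";   // read-only to the named user
    recursion no;
};
"""

# Constructed: the fix Alan describes. Zone data stays read-only; only the
# small key directory is writable by the named user.
CONF_FIXED = """
options {
    directory "/var/named/data";
    managed-keys-directory "/var/named/keys";   /* writable by named */
    recursion no;
};
"""

# Sample lines in the format quoted in the original post.
SAMPLE_LOG = [
    "28-Aug-2013 12:12:37.565 general: info: reloading zones succeeded",
    "28-Aug-2013 12:12:37.573 general: notice: running",
    "28-Aug-2013 12:12:37.573 general: error: file.c:300: unexpected error:",
    "28-Aug-2013 12:12:37.573 general: error: unable to convert errno to isc_result: 30: Read-only file system",
    "28-Aug-2013 12:12:39.279 general: error: file.c:300: unexpected error:",
    "28-Aug-2013 12:12:39.279 general: error: unable to convert errno to isc_result: 30: Read-only file system",
]

if __name__ == "__main__":
    print("key dir (before):", key_dir(CONF_READONLY))
    print("key dir (after): ", key_dir(CONF_FIXED))
    print("read-only errors at:", readonly_fs_errors(SAMPLE_LOG))
```

Splitting the directories this way keeps the property the original poster wanted (zone data immutable to the named user) while giving named the one small writable location it needs for the trust-anchor journal; the errors stop because the writes no longer hit the read-only file system.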
Re: ipv4, ipV6 DNS BIND configuration and deployment
Dear Noel and Mark,

Thanks for your input! After thinking about the ipv6 network configuration pros and cons, I decided to go for the ULA for my internal network and use the /64 creating static ips for my WAN. To get a set of ULA addresses I logged to: http://www.simpledns.com/private-ipv6.aspx

All BIND configurations and Apache for the virtual hosts are working good so far. Ipv6 does connect direct using the OS X System Preferences Network Interface. I am going step by step and waiting to see if everything will be fine as the time runs. The good thing about ipv6 is that it frees us to assign ips for every possible thing you can put your hands on out there.

Mark, sorry, I did laugh when you said that my ISP should give me a /56 or /48. If with /64 I have plenty of addresses, I have no idea what I would do with /56 or /48. Probably I would open one ISP for myself and start to sell ips. Looks like we are thinking in gazillions now. That is very good! I am one happy cow now!

On 8/4/13 7:17 PM, Noel Butler wrote:
> On Sun, 2013-08-04 at 13:28 -0700, Eduardo Bonsi wrote:
>> Hello Everyone,
>>
>> I have some questions about ipV6 transition and DNS configuration! I am preparing to make my transition to a dual stack ipv4, ipv6 and I have some concerns in regards to the security of the network since ipv6 does not have NAT. My ISP gave me a Global 2602:000:000:000:000:000:000:000/64 Range and I can just turn on ipV6 on the router and set the network to automatic on the computer and I am connected through what they call a SLAAC ipV6 automatic conf network, that runs using the machine MAC address, which I am not very happy to adopt. I well know there is a way to mask the MAC address to random addresses as a security measure but I am still not happy about it. Besides, there are all the BIND DNS configurations that need to be routed or I am stuck with a slow broken SLAAC connection that works, but not to the level of the DNS Server that I want to achieve.
>>
>> Therefore, as a network design after analyzing my options, I have decided to use the static ipv4, ipV6 deployment approach that uses my ipV6 with the last 3 bits of the ipv4 NAT addresses already in place. This static option does not expose the machine MAC addresses. However the addresses are directly connected through ipV6 bypassing the NAT environment. On BIND, the only change I have in the named.conf file is the,
>>
>>     listen-on-v6 { any; };
>
> listen-on-v6 ::1 and your dns server ipv6 address
>
>> Therefore, here are my questions:
>>
>> 1. I am open to ideas or anything you think is best choosing the best internal network design for ipV6.
>
> Static IP assignments on your LAN, as far as your ISP is concerned they will just route your /64 via your routers IP. sure you can do auto assignments, but I think if they are servers its best to do static.
>
>> 2. Since this static ipV6 deployment lacks the non-rotatable NAT environment, what are the security measures to take on BIND in regards to the recursive issues on ipV6?
>
> with ipv6, no more do you have security by accident (NAT) if you have a /64 your router will route for all, forget all the bad habits of the lazy ipv4 days, now you need to configure access lists on your router, but also play it safe and configure firewalls on each machine, especially if they are winblows boxes
>
>> 3. Are there any other security issues that I should consider?
>
> Don't be over aggressive with filtering, you do not mention the OS, but if its linux -
>
>     ip6tables -P INPUT DROP
>     ip6tables -P OUTPUT ACCEPT
>     ip6tables -P FORWARD DROP
>     ip6tables -A INPUT -i lo -j ACCEPT
>     ip6tables -A INPUT -s fe80::/10 -j ACCEPT
>     ip6tables -A INPUT -d ff00::/8 -j ACCEPT
>     ip6tables -A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG
>     ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>     ... insert ACCEPT's for your lan and whatever other ipv6 addresses you need with full access here...
>     ip6tables -A INPUT -p udp -d you:ipv6:dns:server:address --dport 53 -j ACCEPT   # DNS over UDP
>     ip6tables -A INPUT -p tcp -d you:ipv6:dns:server:address --dport 53 -j ACCEPT   # DNS over TCP
>
> and.. importantly..
>
>     ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT   # Destination unreachable
>     ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT   # Packet too big
>     ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT   # Time exceeded
>     ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT   # Parameter problem
>     ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 135 -j ACCEPT   # Neighbour solicitation
>     ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 136 -j ACCEPT   # Neighbour advertisement
>
> You *will* need the above accepts regardless since your default policy is DROP, if not, you may find ipv6 reachable problems, in fact, you may not even be able to connect outbound without types 135/136 (neighbour discovery)
Re: ipv4, ipV6 DNS BIND configuration and deployment
In message 5201cce6.2040...@pacbell.net, Eduardo Bonsi writes:
> Dear Noel and Mark,
>
> Thanks for your input! After thinking about the ipv6 network configuration pros and cons, I decided to go for the ULA for my internal network and use the /64 creating static ips for my WAN. To get a set of ULA addresses I logged to: http://www.simpledns.com/private-ipv6.aspx
>
> All BIND configurations and Apache for the virtual hosts are working good so far. Ipv6 does connect direct using the OS X System Preferences Network Interface. I am going step by step and waiting to see if everything will be fine as the time runs. The good thing about ipv6 is that it frees us to assign ips for every possible thing you can put your hands on out there.
>
> Mark, sorry, I did laugh when you said that my ISP should give me a /56 or /48. If with /64 I have plenty of addresses, I have no idea what I would do with /56 or /48. Probably I would open one ISP for myself and start to sell ips. Looks like we are thinking in gazillions now. That is very good! I am one happy cow now!

It's not about addresses other than having more than you will ever need per subnet. It's about not having to think about the size of a subnet. It's about using the same size subnet everywhere and everyone in the world using the same sized subnets. IPv6 addresses were made as big as they were so this was possible.

Alternatives to the current 128 bit addresses used 64 bits of addressing and variable sized subnets. Going to 128 bits and having /64 bits per subnet was seen as a good use of address space as it simplifies operational complexity. IPv6 nodes still need to support variable sized subnets in case this decision ended up being wrong in practice but it is hoped that we will never need to use that capability except when testing.

You use a /64 per subnet. /60, /56, /52 and /48 give you 16, 256, 4096 and 65536 subnets to use respectively and are easily delegatable in ip6.arpa as they fall on nibble boundaries.

Those are per site allocations. The smallest ISPs get /32s.

Mark

> On 8/4/13 7:17 PM, Noel Butler wrote:
>> On Sun, 2013-08-04 at 13:28 -0700, Eduardo Bonsi wrote:
>>> Hello Everyone,
>>>
>>> I have some questions about ipV6 transition and DNS configuration! I am preparing to make my transition to a dual stack ipv4, ipv6 and I have some concerns in regards to the security of the network since ipv6 does not have NAT. My ISP gave me a Global 2602:000:000:000:000:000:000:000/64 Range and I can just turn on ipV6 on the router and set the network to automatic on the computer and I am connected through what they call a SLAAC ipV6 automatic conf network, that runs using the machine MAC address, which I am not very happy to adopt. I well know there is a way to mask the MAC address to random addresses as a security measure but I am still not happy about it. Besides, there are all the BIND DNS configurations that need to be routed or I am stuck with a slow broken SLAAC connection that works, but not to the level of the DNS Server that I want to achieve.
>>>
>>> Therefore, as a network design after analyzing my options, I have decided to use the static ipv4, ipV6 deployment approach that uses my ipV6 with the last 3 bits of the ipv4 NAT addresses already in place. This static option does not expose the machine MAC addresses. However the addresses are directly connected through ipV6 bypassing the NAT environment. On BIND, the only change I have in the named.conf file is the,
>>>
>>>     listen-on-v6 { any; };
>>
>> listen-on-v6 ::1 and your dns server ipv6 address
>>
>>> Therefore, here are my questions:
>>>
>>> 1. I am open to ideas or anything you think is best choosing the best internal network design for ipV6.
>>
>> Static IP assignments on your LAN, as far as your ISP is concerned they will just route your /64 via your routers IP. sure you can do auto assignments, but I think if they are servers its best to do static.
>>
>>> 2. Since this static ipV6 deployment lacks the non-rotatable NAT environment, what are the security measures to take on BIND in regards to the recursive issues on ipV6?
>>
>> with ipv6, no more do you have security by accident (NAT) if you have a /64 your router will route for all, forget all the bad habits of the lazy ipv4 days, now you need to configure access lists on your router, but also play it safe and configure firewalls on each machine, especially if they are winblows boxes
>>
>>> 3. Are there any other security issues that I should consider?
>>
>> Don't be over aggressive with filtering, you do not mention the OS, but if its linux -
>>
>>     ip6tables -P INPUT DROP
>>     ip6tables -P OUTPUT ACCEPT
>>     ip6tables -P FORWARD DROP
>>     ip6tables -A INPUT -i lo -j ACCEPT
>>     ip6tables -A INPUT -s fe80::/10 -j ACCEPT
>>     ip6tables -A INPUT -d ff00::/8 -j ACCEPT
>>     ip6tables -A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG
>>     ip6tables -A INPUT -m conntrack
ipv4, ipV6 DNS BIND configuration and deployment
Hello Everyone,

I have some questions about ipV6 transition and DNS configuration! I am preparing to make my transition to a dual stack ipv4, ipv6 and I have some concerns in regards to the security of the network since ipv6 does not have NAT. My ISP gave me a Global 2602:000:000:000:000:000:000:000/64 Range and I can just turn on ipV6 on the router and set the network to automatic on the computer and I am connected through what they call a SLAAC ipV6 automatic conf network, that runs using the machine MAC address, which I am not very happy to adopt. I well know there is a way to mask the MAC address to random addresses as a security measure but I am still not happy about it. Besides, there are all the BIND DNS configurations that need to be routed or I am stuck with a slow broken SLAAC connection that works, but not to the level of the DNS Server that I want to achieve.

Therefore, as a network design after analyzing my options, I have decided to use the static ipv4, ipV6 deployment approach that uses my ipV6 with the last 3 bits of the ipv4 NAT addresses already in place. This static option does not expose the machine MAC addresses. However the addresses are directly connected through ipV6 bypassing the NAT environment. On BIND, the only change I have in the named.conf file is the,

    listen-on-v6 { any; };

Therefore, here are my questions:

1. I am open to ideas or anything you think is best choosing the best internal network design for ipV6.

2. Since this static ipV6 deployment lacks the non-rotatable NAT environment, what are the security measures to take on BIND in regards to the recursive issues on ipV6?

3. Are there any other security issues that I should consider?

Many Thanks!

Eduardo
--
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
Re: ipv4, ipV6 DNS BIND configuration and deployment
In message 51feb96d.3070...@pacbell.net, Eduardo Bonsi writes:
> Hello Everyone,
>
> I have some questions about ipV6 transition and DNS configuration! I am preparing to make my transition to a dual stack ipv4, ipv6 and I have some concerns in regards to the security of the network since ipv6 does not have NAT. My ISP gave me a Global 2602:000:000:000:000:000:000:000/64

Truly, your ISP should be giving you a /48 or as a minimum a /56. A /64 is a single subnet. Your ISP will be getting addresses based on giving customers a /56 or /48.

> Range and I can just turn on ipV6 on the router and set the network to automatic on the computer and I am connected through what they call a SLAAC ipV6 automatic conf network, that runs using the machine MAC address, which I am not very happy to adopt. I well know there is a way to mask the MAC address to random addresses as a security measure but I am still not happy about it.

And why are you not happy? Because someone said there was an issue with it. Do you understand the reasoning behind the issue and does it apply to your use of the network, because in many cases it doesn't. Too often I see people complaining that MAC addresses are buried in IPv6 addresses when in reality it is *not* a security issue for the use case. Modern IPv6 stacks use both types of address for different purposes. Saying one is unhappy is quite often a knee jerk reaction that doesn't stand up to rigorous analysis. This is not to say you haven't done that analysis but given modern stacks I find complaints like this just don't stack up.

> Besides, there are all the BIND DNS configurations that need to be routed or I am stuck with a slow broken SLAAC connection that works, but not to the level of the DNS Server that I want to achieve.
>
> Therefore, as a network design after analyzing my options, I have decided to use the static ipv4, ipV6 deployment approach that uses my ipV6 with the last 3 bits of the ipv4 NAT addresses already in place. This static option does not expose the machine MAC addresses. However the addresses are directly connected through ipV6 bypassing the NAT environment. On BIND, the only change I have in the named.conf file is the,
>
>     listen-on-v6 { any; };
>
> Therefore, here are my questions:
>
> 1. I am open to ideas or anything you think is best choosing the best internal network design for ipV6.

Get more address space from your ISP. Use temporary addresses.

> 2. Since this static ipV6 deployment lacks the non-rotatable NAT environment, what are the security measures to take on BIND in regards to the recursive issues on ipV6?

Same as with IPv4. Locally connected networks are allowed to recurse.

> 3. Are there any other security issues that I should consider?
>
> Many Thanks!
>
> Eduardo
> --
> Eduardo Bonsi
> System - Network Admin
> beart...@pacbell.net

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
Re: ipv4, ipV6 DNS BIND configuration and deployment
On Sun, 2013-08-04 at 13:28 -0700, Eduardo Bonsi wrote:
> Hello Everyone,
>
> I have some questions about ipV6 transition and DNS configuration! I am preparing to make my transition to a dual stack ipv4, ipv6 and I have some concerns in regards to the security of the network since ipv6 does not have NAT. My ISP gave me a Global 2602:000:000:000:000:000:000:000/64 Range and I can just turn on ipV6 on the router and set the network to automatic on the computer and I am connected through what they call a SLAAC ipV6 automatic conf network, that runs using the machine MAC address, which I am not very happy to adopt. I well know there is a way to mask the MAC address to random addresses as a security measure but I am still not happy about it. Besides, there are all the BIND DNS configurations that need to be routed or I am stuck with a slow broken SLAAC connection that works, but not to the level of the DNS Server that I want to achieve.
>
> Therefore, as a network design after analyzing my options, I have decided to use the static ipv4, ipV6 deployment approach that uses my ipV6 with the last 3 bits of the ipv4 NAT addresses already in place. This static option does not expose the machine MAC addresses. However the addresses are directly connected through ipV6 bypassing the NAT environment. On BIND, the only change I have in the named.conf file is the,
>
>     listen-on-v6 { any; };

listen-on-v6 ::1 and your dns server ipv6 address

> Therefore, here are my questions:
>
> 1. I am open to ideas or anything you think is best choosing the best internal network design for ipV6.

Static IP assignments on your LAN, as far as your ISP is concerned they will just route your /64 via your routers IP. sure you can do auto assignments, but I think if they are servers its best to do static.

> 2. Since this static ipV6 deployment lacks the non-rotatable NAT environment, what are the security measures to take on BIND in regards to the recursive issues on ipV6?

with ipv6, no more do you have security by accident (NAT) if you have a /64 your router will route for all, forget all the bad habits of the lazy ipv4 days, now you need to configure access lists on your router, but also play it safe and configure firewalls on each machine, especially if they are winblows boxes

> 3. Are there any other security issues that I should consider?

Don't be over aggressive with filtering, you do not mention the OS, but if its linux -

    ip6tables -P INPUT DROP
    ip6tables -P OUTPUT ACCEPT
    ip6tables -P FORWARD DROP
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A INPUT -s fe80::/10 -j ACCEPT
    ip6tables -A INPUT -d ff00::/8 -j ACCEPT
    ip6tables -A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG
    ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ... insert ACCEPT's for your lan and whatever other ipv6 addresses you need with full access here...
    ip6tables -A INPUT -p udp -d you:ipv6:dns:server:address --dport 53 -j ACCEPT   # DNS over UDP
    ip6tables -A INPUT -p tcp -d you:ipv6:dns:server:address --dport 53 -j ACCEPT   # DNS over TCP

and.. importantly..

    ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT   # Destination unreachable
    ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT   # Packet too big
    ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT   # Time exceeded
    ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT   # Parameter problem
    ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 135 -j ACCEPT   # Neighbour solicitation
    ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 136 -j ACCEPT   # Neighbour advertisement

You *will* need the above accepts regardless since your default policy is DROP, if not, you may find ipv6 reachable problems, in fact, you may not even be able to connect outbound without types 135/136 (neighbour discovery)
Re: ipv4, ipV6 DNS BIND configuration and deployment
Mark,

I really did not mean things that way when I used the word happy. Let's say that I am concerned with it and that means if anyone can express their views towards being more secure with ipv6, I am sure to consider it. We probably diverge on opinions about exposing MAC addresses as a public address and that is ok and maybe it is not a big deal anyway.

Thanks for your views on the issue!

Eduardo

On 8/4/13 6:12 PM, Mark Andrews wrote:
> In message 51feb96d.3070...@pacbell.net, Eduardo Bonsi writes:
>> Hello Everyone,
>>
>> I have some questions about ipV6 transition and DNS configuration! I am preparing to make my transition to a dual stack ipv4, ipv6 and I have some concerns in regards to the security of the network since ipv6 does not have NAT. My ISP gave me a Global 2602:000:000:000:000:000:000:000/64
>
> Truly, your ISP should be giving you a /48 or as a minimum a /56. A /64 is a single subnet. Your ISP will be getting addresses based on giving customers a /56 or /48.
>
>> Range and I can just turn on ipV6 on the router and set the network to automatic on the computer and I am connected through what they call a SLAAC ipV6 automatic conf network, that runs using the machine MAC address, which I am not very happy to adopt. I well know there is a way to mask the MAC address to random addresses as a security measure but I am still not happy about it.
>
> And why are you not happy? Because someone said there was an issue with it. Do you understand the reasoning behind the issue and does it apply to your use of the network, because in many cases it doesn't. Too often I see people complaining that MAC addresses are buried in IPv6 addresses when in reality it is *not* a security issue for the use case. Modern IPv6 stacks use both types of address for different purposes. Saying one is unhappy is quite often a knee jerk reaction that doesn't stand up to rigorous analysis. This is not to say you haven't done that analysis but given modern stacks I find complaints like this just don't stack up.
>
>> Besides, there are all the BIND DNS configurations that need to be routed or I am stuck with a slow broken SLAAC connection that works, but not to the level of the DNS Server that I want to achieve.
>>
>> Therefore, as a network design after analyzing my options, I have decided to use the static ipv4, ipV6 deployment approach that uses my ipV6 with the last 3 bits of the ipv4 NAT addresses already in place. This static option does not expose the machine MAC addresses. However the addresses are directly connected through ipV6 bypassing the NAT environment. On BIND, the only change I have in the named.conf file is the,
>>
>>     listen-on-v6 { any; };
>>
>> Therefore, here are my questions:
>>
>> 1. I am open to ideas or anything you think is best choosing the best internal network design for ipV6.
>
> Get more address space from your ISP. Use temporary addresses.
>
>> 2. Since this static ipV6 deployment lacks the non-rotatable NAT environment, what are the security measures to take on BIND in regards to the recursive issues on ipV6?
>
> Same as with IPv4. Locally connected networks are allowed to recurse.
>
>> 3. Are there any other security issues that I should consider?
>>
>> Many Thanks!
>>
>> Eduardo
>> --
>> Eduardo Bonsi
>> System - Network Admin
>> beart...@pacbell.net

--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com
Re: BIND Configuration
DNS is not the place to solve that problem, it's the routing layer.

Use Bgp Luke :-)

Sent from my iPad

On 08/05/2013, at 15:24, Sten Carlsen st...@s-carlsen.dk wrote:
> I believe your major point is the routing tables because they determine how the response is trying to get out.
>
> On 08/05/13 22:22, Steven Carr wrote:
>> You will need to have some form of automation in place to update the DNS zone to change the IP address which should now be accessed when one of the links goes down. You will also need to ensure you have a low TTL value on the records you want to update on link change so that the records are refreshed quickly.
>>
>> On 8 May 2013 20:40, Ward, Mike S mw...@ssfcu.org wrote:
>>> Hello all,
>>>
>>> I was wondering if someone could help me out. I am using Bind 9.2 on a Redhat Linux server. We have two ISPs on separate networks. Let's call them A and B. My Linux Server can listen on A's Network as well as B's network. I'm using fictitious IPs and names:
>>>
>>>     A            111.111.111.1
>>>     B            555.555.555.1
>>>     Secondary A  111.111.222.1
>>>     Redhat Bind
>>>
>>> Bind is listening on both IP addresses and we have a secondary server at 111.111.222.1. If A the ISP has a backbone router problem how can I get people trying to get to our web servers to use B's network? I have been thinking of different ways to do this, but have come up empty. Our network is really simple. I just want to be able to use diverse ISPs in case we lose one we still have the other. Can anyone help me out. Any help appreciated.
>>>
>>> Thanks.
>>>
>>> ==
>>> This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to which it is addressed. If you have received this email in error, please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this message by mistake and delete this e-mail from your system. If you are not the intended recipient, you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
>
> --
> Best regards
> Sten Carlsen
> No improvements come from shouting: MALE BOVINE MANURE!!!
Re: BIND Configuration
On May 9, 2013, at 8:44 AM, Carlos Martinez carlosm3...@gmail.com wrote:

DNS is not the place to solve that problem, it's the routing layer.

Yes, but *sometimes* DNS is the right layer for this… For example, if you have 2 sites (so you can remain up when a meteor / flood / avalanche hits one), if you need better latency, etc. I guess the short answer is "Redundancy is hard, let's go shopping…"

Use BGP, Luke :-)

[...]

-- After you'd known Christine for any length of time, you found yourself fighting a desire to look into her ear to see if you could spot daylight coming the other way. -- (Terry Pratchett, Maskerade)
Re: BIND Configuration
I don't know how it's done, I'm not a networking guru, but here we have 2 upstream providers and somehow we route out through both, and both can route in to our /16 network. No messing with DNS changes depending on which ISP is having problems. As Clarke's third law states, "Any sufficiently advanced technology is indistinguishable from magic."

Bill

Confidentiality Notice: This electronic message and any attachments may contain confidential or privileged information, and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agent responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachments. Please notify the sender immediately by return e-mail or telephone and delete this message from your system.
RE: BIND Configuration
Sounds like they are using BGP for routing. That's probably the way we are going to go. That way we don't have to make any crazy changes in our bind configurations. Thanks all for the replies.

-----Original Message----- From: bind-users-bounces+mward=ssfcu@lists.isc.org [mailto:bind-users-bounces+mward=ssfcu@lists.isc.org] On Behalf Of wbr...@e1b.org Sent: Thursday, May 09, 2013 7:17 AM To: bind-users@lists.isc.org Subject: Re: BIND Configuration

[...]
BIND Configuration
Hello all,

I was wondering if someone could help me out. I am using BIND 9.2 on a Red Hat Linux server. We have two ISPs on separate networks; let's call them A and B. My Linux server can listen on A's network as well as B's network. I'm using fictitious IPs and names:

A 111.111.111.1
B 555.555.555.1
Secondary A 111.111.222.1
Redhat Bind

BIND is listening on both IP addresses and we have a secondary server at 111.111.222.1. If A the ISP has a backbone router problem, how can I get people trying to get to our web servers to use B's network? I have been thinking of different ways to do this, but have come up empty. Our network is really simple; I just want to be able to use diverse ISPs so that in case we lose one we still have the other. Can anyone help me out? Any help appreciated. Thanks.

== This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to which it is addressed. If you have received this email in error, please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this message by mistake and delete this e-mail from your system. If you are not the intended recipient, you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
Re: BIND Configuration
You will need to have some form of automation in place to update the DNS zone to change the IP address which should now be accessed when one of the links goes down. You will also need to ensure you have a low TTL value on the records you want to update on link change so that the records are refreshed quickly.

On 8 May 2013 20:40, Ward, Mike S mw...@ssfcu.org wrote:

[...]
Re: BIND Configuration
I believe your major point is the routing tables because they determine how the response is trying to get out.

On 08/05/13 22:22, Steven Carr wrote:

[...]

-- Best regards Sten Carlsen No improvements come from shouting: MALE BOVINE MANURE!!!
Re: BIND Configuration
That's kind of how we do our DR... I have things scripted so that every update to our zone results in two versions of the zone file: the master server signs the first one and does its usual notifies, then the master signs the second and it's scp'd to secondaries in another network. In the event we lose our connectivity, we can direct the remote slave to take over with the alternate signed zone file, so that our main web presence will resolve to servers at our DR site, which we don't yet have :)

- Original Message -

You will need to have some form of automation in place to update the DNS zone to change the IP address which should now be accessed when one of the links goes down. You will also need to ensure you have a low TTL value on the records you want to update on link change so that the records are refreshed quickly.

On 8 May 2013 20:40, Ward, Mike S mw...@ssfcu.org wrote:

[...]
Bind configuration and log error
Hi all,

I have in my messages log file many lines as follows, but with different domains unreachable. What does this mean?

named[15490]: network unreachable resolving 'platinum.cs.umanitoba.ca/A/IN'

Also I can't dig or nslookup or ping my DNS server remotely. What should I do to enable that?

Regards
Re: Bind configuration and log error
On 23.05.12 12:56, Amira Othman wrote:

I have in my messages log file many lines as follows, but with different domains unreachable. What does this mean?

named[15490]: network unreachable resolving 'platinum.cs.umanitoba.ca/A/IN'

Also I can't dig or nslookup or ping my DNS server remotely. What should I do to enable that?

Your server apparently has problems with internet connectivity. Is it behind a firewall?

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Spam is for losers who can't get business any other way.
Re: Bind configuration and log error
-----Original Message----- From: Matus UHLAR - fantomas uh...@fantomas.sk Date: Wednesday, May 23, 2012 4:04 AM To: bind-users@lists.isc.org Subject: Re: Bind configuration and log error

[...]

Your server apparently has problems with internet connectivity. Is it behind a firewall?

I suppose it could be peering or some other internet anomaly as well, anything affecting connectivity? I'm in the middle of migrating several large sites from tiny to bind and had to work through errors in logs with firewall admins... allowing general 'any 53 udp/tcp' access and adjusting the permissible UDP payload size for EDNS are the two main examples which are well understood. That said, even after the firewall admins opened up access to any on 53 udp/tcp from the name servers I still see these in my logs... but only occasionally and typically for hosts that are far away geographically. After having the firewall configuration shown to me in plain text, I mostly wrote it off... how often do others see this? Thanks!
Bind configuration
Hi all,

I have configured bind9 on CentOS 5.8 but I still can't nslookup my domain. Below is my configuration:

named.conf:

key rndckey {
    algorithm hmac-md5;
    secret "jQdcyY1HIkooWVB24Dr4uX5jrVcuZFNEJaGa9Q5e3otOjSrcMVGOwhACivlX";
};
options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
};
zone "cairosource" {
    type master;
    notify no;
    file "cairosource.zone";
};

Zone file:

; BIND db file for cairosource.com
$TTL 86400
@            IN SOA nameserverof domain. mail account. (
                    2012051810 28800 7200 864000 86400 )
             NS  ns1
localhost    A   127.0.0.1
ns1          A   server local ip
mydomainname A   server external ip

Any help please?
Re: Bind configuration
Use the full zone name in the zone definition.

zone cairosource

Regards
Eivind Olsen

On 21 May 2012 at 16:33, Amira Othman a.oth...@cairosource.com wrote:

[...]
Catchall BIND configuration for DNS parking service
Hello there,

I'm trying to configure BIND (BIND 9.7.3) as a catchall DNS server for a parking domain service. This is a way to let users/clients park their domains automatically by pointing primary and secondary DNS servers there. It should work with ANY TLD (both generic and country codes).

In named.conf, I have created a test zone (for debugging purposes, will be removed once working):

zone "working.test" IN {
    type master;
    file "parked.domains";
};

and I have defined the "." zone as master:

zone "." IN {
    type master;
    file "parked.domains";
};

So, as you see, both working.test and "." use the same zone. The parked.domains zone looks like this:

$TTL 86400
; parked.domains zone
@   IN SOA ns1.parkingdomini.com. postmaster.ns1.parkingdomini.com. (
        2011052800 86400 3600 604800 86400 )
    NS   ns1.parkingdomini.com.
    NS   ns2.parkingdomini.com.
    MX   100 mail.parkingdomini.com.
    IN A 1.2.3.4
*   IN A 1.2.3.4

Here is the problem: if I explicitly declare a zone in named.conf with parked.domains as zone file, it behaves correctly. But as a catchall it is not answering correctly. If I run:

dig working.test @localhost ANY

the ANSWER SECTION is:

;; ANSWER SECTION:
working.test. 86400 IN SOA ns1.parkingdomini.com. postmaster.ns1.parkingdomini.com. 2011052800 86400 3600 604800 86400
working.test. 86400 IN NS ns1.parkingdomini.com.
working.test. 86400 IN NS ns2.parkingdomini.com.
working.test. 86400 IN MX 100 mail.parkingdomini.com.
working.test. 86400 IN A 1.2.3.4

while, if I dig anything else, the ANSWER SECTION is:

;; ANSWER SECTION:
somethingelse.test. 86400 IN A 1.2.3.4

Why? The zone defined is exactly the same. Any help is welcome.

Thank you
gian
Re: Catchall BIND configuration for DNS parking service
Named really isn't designed to be a catch-all server. It's designed to serve the configured zones and only the configured zones. That being said, the later versions of named allow zones to be added via rndc, so the configuration effort required to add a new zone is much lower, e.g.

rndc addzone 'example.com { type master; file "parked.domains"; };'

However, if even this is too much effort, I would just use a specialised server that has been configured to know which label patterns identify end user zones and can generate canned responses based on that identification, e.g. label.com, label.com.au.

Mark

In message 4df143b2.2090...@ipfrom.com, Gianfranco Pra Floriani writes:

[...]

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: bind configuration help
On 12/11/2009 00:32, Błażej Ślusarek wrote:

Hi, first of all thanks to everyone for the interest and for pointing out my mistakes :) I've already changed recursion and transfer to trusted ACLs. But unfortunately, I've been administering this server for a short time and as I'm reading more and more through the configuration, I'm starting to think that this DNS server is completely misconfigured. Before I ask my next question, I'll try to explain my situation a little: the server I am administering is one of nine, let's say, units, which are parts of a bigger organization (let's say organization.com, it doesn't really matter). The units are given domain names from first.organization.com to ninth.organization.com. Each unit's server is responsible for their subdomains, i.e. a.first.organization.com, b.first.organization.com, and so on... At the same time, they should be synchronized with the main DNS server of the organization, let's say dns.organization.com, and also act as a DNS server of its own, providing information about, e.g. for first, *.first.organization.com. I think my "name cannot be resolved after some time" problem (NXDOMAIN, I've checked it) lies somewhere in the synchronization part. I'll post a part of my zone file, which is responsible for the domain and which is, I think, the source of this problem:

Hi,

Are zone transfers completed over a VPN? If yes, are you sure the slaves are reachable? No evil packet filtering?

Laurent
RE: bind configuration help
Sorry, but could you specify more accurately what is bad? This is my first bind configuration, so probably I've made some mistakes, but I'd like to do it the right way in the end. :)

On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:

allow-recursion { any; }; bad
allow-transfer { any; }; bad

It's usually a bad idea to allow any to use your server recursively, or allow any to transfer zone data. Like an open DNS server.
RE: bind configuration help
From: Holger Honert [mailto:holger.hon...@signal-iduna.org]

Please be careful when quoting, this was not me:

Jukka Pakkanen wrote:

Sorry, but could you specify more accurately what is bad? This is my first bind configuration, so probably I've made some mistakes, but I'd like to do it the right way in the end. :)

On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:

allow-recursion { any; }; bad
allow-transfer { any; }; bad

This was mine:

It's usually a bad idea to allow any to use your server recursively, or allow any to transfer zone data. Like an open DNS server.
Re: bind configuration help
Security issues! Usually you only want *trusted* clients to use your server recursively. And you don't really want to allow *any* fetching of your hosted zones for doing something bad, i.e. getting (unwanted!) info about your network and infrastructure.

Regards
Holger

Jukka Pakkanen wrote:

[...]

allow-recursion { any; }; bad
allow-transfer { any; }; bad

It's usually a bad idea to allow any to use your server recursively, or allow any to transfer zone data. Like an open DNS server.

SIGNAL Krankenversicherung a. G., registered office: Dortmund, HR B 2405, AG Dortmund; IDUNA Vereinigte Lebensversicherung aG für Handwerk, Handel und Gewerbe, registered office: Hamburg, HR B 2740, AG Hamburg; Deutscher Ring Krankenversicherungsverein a.G., registered office: Hamburg, HR B 4673, AG Hamburg; SIGNAL IDUNA Allgemeine Versicherung AG, registered office: Dortmund, HR B 19108, AG Dortmund. Board members: Reinhold Schulte (Chairman), Wolfgang Fauter (Deputy Chairman), Dr. Karl-Josef Bierth, Jens O. Geldmacher, Marlies Hirschberg-Tafel, Michael Johnigk, Ulrich Leitermann, Michael Petmecky, Dr. Klaus Sticker, Prof. Dr. Markus Warg. Chairman of the Supervisory Boards: Günter Kutz. SIGNAL IDUNA Gruppe head offices, Internet: www.signal-iduna.de; 44121 Dortmund, street address: Joseph-Scherer-Str. 3, 44139 Dortmund; 20351 Hamburg, street address: Neue Rabenstraße 15-19, 20354 Hamburg
Re: bind configuration help
Holger Honert wrote:

Security issues! Usually you only want *trusted* clients to use your server recursively. And you don't really want to allow *any* fetching of your hosted zones for doing something bad, i.e. getting (unwanted!) info about your network and infrastructure.

If the infos are public, they're public; the only difference is that zone transfers are a more efficient way of fetching more than about 2 or 3 records in a single transaction, compared to querying each one individually. If you want your network and infrastructure infos to be private, then put them in a private zone that can't be queried from the Internet at all.

- Kevin

[...]
RE: bind configuration help
I can't quite agree with that. While public information is indeed public, it is intended to be so for specific lookups, not for zone transfers. Someone external to you asking to get a zone transfer may be looking for what he can exploit. Maybe he can find that information anyway with enough digging, but why make it easy for him?

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
Sent: Wednesday, November 11, 2009 12:53 PM
To: bind-users@lists.isc.org
Subject: Re: bind configuration help

If the infos are public, they're public, the only difference is that zone transfers are a more efficient way of fetching more than about 2 or 3 records in a single transaction, compared to querying each one individually.

If you want your network and infrastructure infos to be private, then put them in a private zone that can't be queried from the Internet at all.

- Kevin
Re: bind configuration help
Jeff Lightner wrote:
> I can't quite agree with that. While public information is indeed public, it is intended to be so for specific lookups, not for zone transfers.

Circular argument: allowing zone transfers is bad if one didn't intend to allow zone transfers.

> Someone external to you asking to get a zone transfer may be looking for what he can exploit.

Speculative argument: someone may do something bad with information that was intentionally made public.

> Maybe he can find that information anyway with enough digging, but why make it easy for him?

On the other hand, why make it harder for good and bad folks alike? Superfluous concealment often raises curiosity and attracts probing. (Don't even get me started on whether BIND version numbers should be suppressed/spoofed; I think you might be able to guess where I stand on that too).

Why not allow knowledgeable experts to diagnose problems with your external-facing zones, or business partners to set up "stealth slaves", if they wish, for architectural, performance and/or availability reasons, without having to reconfigure one's nameserver, and/or generate/distribute a TSIG key, every time they want to? Consider long and deep how much configuration complexity and churn raises opportunities for infrastructure breakins and/or denials of service, perhaps far more than simple information disclosures ever could...

- Kevin

P.S. I've already lost this argument in our own organization, so don't even bother with the "practice what you preach" observation. I can but offer advice to others to avoid such a ridiculous state of affairs.
Re: bind configuration help
Hi, first of all thanks to everyone for the interest and for pointing out my mistakes :)

I've already changed recursion and transfer to trusted acls. But unfortunately, I've been administering this server for a short time and as I'm reading more and more through the configuration, I'm starting to think that this DNS server is completely misconfigured.

Before I ask my next question, I'll try to explain my situation a little: The server I'm administering is one of nine, let's say, units, which are parts of a bigger organization (let's say organization.com, it doesn't really matter). The units are given domain names from first.organization.com to ninth.organization.com. Each unit's server is responsible for its subdomains, i.e. a.first.organization.com, b.first.organization.com, and so on... At the same time, they should be synchronized with the main dns server of the organization, let's say dns.organization.com, and also act as a dns server of its own, providing information about, i.e. for first, *.first.organization.com.

I think my "name cannot be resolved after some time" problem (NXDOMAIN, I've checked it) lies somewhere in the synchronization part. I'll post a part of my zone file, which is responsible for the domain and which is, I think, the source of this problem:

***
$TTL    604800
@       IN      SOA     dns.organization.com. first.organization.com. (
                        2006120508      ; Serial
                              3600      ; Refresh
                             86400      ; Retry
                           2419200      ; Expire
                            604800 )    ; Negative Cache TTL
;
        NS      first.organization.com.
        NS      dns.organization.com.
***

The problem is, I don't even know if *I* should synchronize with *them* (the main dns server) or vice versa, maybe it's not my problem at all. Also, who should I allow-update {} the zone to, should the zone be of type master, and what is the authoritative server for the zone: the one I'm administering, the main dns server, or maybe both are ok?

Thanks in advance :)

On Wed, Nov 11, 2009 at 7:09 PM, Jeff Lightner jlight...@water.com wrote:
> I can't quite agree with that. While public information is indeed public, it is intended to be so for specific lookups, not for zone transfers. Someone external to you asking to get a zone transfer may be looking for what he can exploit. Maybe he can find that information anyway with enough digging, but why make it easy for him?
Re: bind configuration help
On 10/11/2009 23:07, Błażej Ślusarek wrote:
> Hello,

Hi

> I'd like to ask for help in setting up my DNS server. When I start the server, everything is fine, but only for some time. After some time passes, my external domain name cannot be resolved from anywhere on the Internet. When I restart named, everything is back to normal after a few seconds, again for some time.
>
> Here are some fragments of my DNS configuration:
>
> ***
> options {
>     directory "/var/bind";
>     forward first;
>     forwarders { some.ip; };
>     allow-query { any; };
>     allow-recursion { any; };

bad

>     listen-on-v6 { none; };
>     listen-on { 127.0.0.1; internal.ip; external.ip; };
> };
>
> zone "my.domain.name" IN {
>     type master;
>     file "pri/costam.zone";
>     allow-update { none; };
>     //allow-transfer { slaves; };
>     allow-transfer { any; };

bad

>     notify yes;
> };
> ***
>
> I've got no clue what could be the cause of this behavior. The server should provide service to internal and external networks and allow zone transfers.
>
> I'd also like to ask for the correct iptables configuration for the above dns settings. I'm not quite sure whether, if I have the forwarders option, I have to enable port 53 in the FORWARD chain, or maybe just INPUT and OUTPUT is enough. Also, what rules are necessary for the zone transfer to work?
Re: bind configuration help
Sorry, but could you specify more accurately what is bad? This is my first bind configuration, so probably I've made some mistakes, but I'd like to do it the right way in the end. :)

On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:
>> allow-recursion { any; };
> bad
>> allow-transfer { any; };
> bad
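The two settings flagged as "bad" in this thread, rewritten with ACLs and a TSIG-authenticated transfer, as an added example that is not part of the thread or of any poster's configuration. It assumes the unit server is the primary for first.organization.com and dns.organization.com is its secondary (the thread leaves that open); all addresses are RFC 5737 documentation ranges and the key secret is a placeholder.

```conf
// Added example (not from the thread). Addresses, names and the key secret
// are assumptions; replace them with your own before use.

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;          // assumed internal network
};

// Shared secret for zone transfers; generate with tsig-keygen and install the
// same key statement on the secondary. Placeholder below: named-checkconf
// requires a real base64 value here.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

options {
    directory "/var/bind";
    forward first;
    forwarders { 192.0.2.53; };                        // assumed upstream resolver
    listen-on-v6 { none; };
    listen-on { 127.0.0.1; 192.0.2.1; 203.0.113.1; };  // assumed internal/external
    allow-query { any; };            // authoritative answers stay public
    allow-recursion { trusted; };    // was: { any; }; no open recursion
    allow-transfer { none; };        // default for every zone; opened per zone
};

// Primary for the unit's delegation; only TSIG-signed AXFR/IXFR is served.
zone "first.organization.com" IN {
    type master;
    file "pri/first.organization.com.zone";
    allow-update { none; };
    allow-transfer { key "xfer-key"; };   // was: { any; }
    also-notify { 198.51.100.53; };       // assumed address of dns.organization.com
    notify yes;
};

// Matching stanza on the secondary (dns.organization.com), assumed:
// zone "first.organization.com" IN {
//     type slave;
//     file "sec/first.organization.com.zone";
//     masters { 203.0.113.1 key "xfer-key"; };
// };
```

Run named-checkconf against the result before reloading; the zone-level allow-transfer overrides the global none, so every other zone stays closed to transfers.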