Re: Bug in Bind 9.8 or am I doing something wrong?
On Sep 6 2011, Mark Andrews wrote:

> [...]
> Named doesn't yet have the ability to disable DNSSEC validation for
> specified namespaces.

Yet? Is there a hint of a future change there?

-- 
Chris Thompson
Email: c...@cam.ac.uk

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Bug in Bind 9.8 or am I doing something wrong?
I was following Mark Andrews' discussion with a user about DNSSEC and played with it here and found an issue. Not sure if I am doing something wrong or if there is a bug somewhere.

We have a Windows AD domain and use Bind 9.8 on our Linux servers for most DNS resolution. In order to politely set things up, I forwarded the queries for AD zones to the Windows server:

    zone "chaseprod.local" {
        type forward;
        forwarders { 10.0.100.205; };
    };

This seemed to work until I added some stuff for DNSSEC to my named.conf. In the global options section, I have:

    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;

And as a general option, I added:

    include "/etc/bind.keys";

Under Bind 9.8.0-P4 and Bind 9.8.1 (compiled from source with no special options under SLES 10), resolution of a valid record in the forwarded zone fails when I add the above dnssec options:

    ; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58140
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;chasew8s1.corp.chaseprod.local.    IN  A

    ;; AUTHORITY SECTION:
    .   10794   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2011090600 1800 900 604800 86400

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Sep 6 08:43:25 2011
    ;; MSG SIZE  rcvd: 123

If I comment out dnssec-validation auto and the include for bind.keys, the resolution for the forwarded zone works:

    ; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7529
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 3

    ;; QUESTION SECTION:
    ;chasew8s1.corp.chaseprod.local.    IN  A

    ;; ANSWER SECTION:
    chasew8s1.corp.chaseprod.local. 2599 IN A 10.0.102.10
    chasew8s1.corp.chaseprod.local. 2599 IN A 10.0.100.205

    ;; AUTHORITY SECTION:
    .   517399  IN  NS  l.root-servers.net.
    .   517399  IN  NS  d.root-servers.net.
    .   517399  IN  NS  k.root-servers.net.
    .   517399  IN  NS  i.root-servers.net.
    .   517399  IN  NS  a.root-servers.net.
    .   517399  IN  NS  g.root-servers.net.
    .   517399  IN  NS  m.root-servers.net.
    .   517399  IN  NS  b.root-servers.net.
    .   517399  IN  NS  j.root-servers.net.
    .   517399  IN  NS  f.root-servers.net.
    .   517399  IN  NS  h.root-servers.net.
    .   517399  IN  NS  e.root-servers.net.
    .   517399  IN  NS  c.root-servers.net.

    ;; ADDITIONAL SECTION:
    j.root-servers.net. 604029  IN  AAAA    2001:503:c27::2:30
    l.root-servers.net. 604031  IN  A   199.7.83.42
    m.root-servers.net. 604061  IN  A   202.12.27.33

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Sep 6 08:42:47 2011
    ;; MSG SIZE  rcvd: 351

Is this a bug or am I doing something wrong?

Thanks,
Lyle Giese
LCR Computer Services, Inc.
Re: Bug in Bind 9.8 or am I doing something wrong?
Lyle Giese <l...@lcrcomputer.net> wrote:

>     zone chaseprod.local{ type forward; forwarders {10.0.100.205;};};
>
> This seemed to work until I added some stuff for DNSSEC to my named.conf.

In order to forward a zone in the presence of DNSSEC validation, the zone has to have a valid delegation in the public DNS. You can't use forwarding to splice some private namespace onto the public DNS.

There is a new static-stub zone type which should avoid this problem, though it has a number of other differences from a forwarding configuration.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties, Cromarty, Forth, Tyne: Southwest veering northwest 5 to 7, increasing gale 8 for a time. Moderate or rough, occasionally very rough in Forties. Rain or squally showers. Moderate or good.
Re: Bug in Bind 9.8 or am I doing something wrong?
On 9/6/2011 9:13 AM, Tony Finch wrote:
> Lyle Giese <l...@lcrcomputer.net> wrote:
>>     zone chaseprod.local{ type forward; forwarders {10.0.100.205;};};
>>
>> This seemed to work until I added some stuff for DNSSEC to my named.conf.
>
> In order to forward a zone in the presence of DNSSEC validation, the zone has to have a valid delegation in the public DNS. You can't use forwarding to splice some private namespace onto the public DNS.
>
> There is a new static-stub zone type which should avoid this problem, though it has a number of other differences from a forwarding configuration.
>
> Tony.

Changing zone to:

    zone "chaseprod.local" {
        type static-stub;
        server-addresses { 10.0.100.205; };
    };

And adding back in the DNSSEC stuff, it's still broken, but the output from dig changes:

    ; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

Very informative. But if I disable DNSSEC, resolution using a static-stub zone does work.

Lyle Giese
LCR Computer Services, Inc.
Re: Bug in Bind 9.8 or am I doing something wrong?
On Sep 6, 2011, at 7:32 AM, Lyle Giese wrote:
> On 9/6/2011 9:13 AM, Tony Finch wrote:
>> Lyle Giese <l...@lcrcomputer.net> wrote:
>>>     zone chaseprod.local{ type forward; forwarders {10.0.100.205;};};
>>>
>>> This seemed to work until I added some stuff for DNSSEC to my named.conf.
>>
>> In order to forward a zone in the presence of DNSSEC validation, the zone has to have a valid delegation in the public DNS. You can't use forwarding to splice some private namespace onto the public DNS.
>>
>> There is a new static-stub zone type which should avoid this problem, though it has a number of other differences from a forwarding configuration.
>>
>> Tony.
>
> Changing zone to:
>
>     zone chaseprod.local{ type static-stub; server-addresses {10.0.100.205;};};
>
> And adding back in the DNSSEC stuff, it's still broke, but the output from dig changes.
>
>     ; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
>     ; (1 server found)
>     ;; global options: +cmd
>     ;; connection timed out; no servers could be reached
>
> Very informative. But if I disable DNSSEC, resolution using a static-stub zone does work.

If named is logging, is there anything interesting in the log from this test?

A response from ISC would be useful here. It's pretty normal to mix DNSSEC validation for public namespace with add-on private namespace. Is it true that enterprise networks using BIND 9.8 need to have a two-step resolution process, as shown below? When did this start? (I haven't tested because nearly every customer already uses this kind of strategy.)

    client -> internal resolver -> internal auth (unsigned)
                                -> forwarders in the DMZ with DNSSEC validation enabled

Is the situation different when the resolving/caching/validating name server is also authoritative for (some of) the internal namespace?

Regards,
Chris Buxton
BlueCat Networks
RE: Bug in Bind 9.8 or am I doing something wrong?
Lyle:

If I understand your issue correctly, it is one that I also experienced when using a Windows 2008 R2 DNS server to forward to a BIND 9.8.0 recursive resolver configured to perform DNSSEC validation.

By default Windows 2008 R2 DNS forwards queries with the CD flag set in the query, and it includes the OPT pseudo-resource record with the DO bit set. The meaning of this to the BIND resolver is supposed to be "don't bother checking DNSSEC validity" (CD bit set) and "return DNSSEC information" (DO bit set). Unfortunately Windows can't do its own DNSSEC validity checking since there is no way to successfully configure trust anchors, i.e. Windows DNS isn't really ready for DNSSEC prime time. Thus BIND returns answers to Windows even if DNSSEC validation would have failed.

You can alter these unfortunately configured flags in Windows DNS queries using the command:

    dnscmd /config /EnableEDnsProbes 0

The effect of this is to cause the Windows DNS server to send its queries without the OPT pseudo-resource record in the Additional Records section of the query. Thus there is no DO bit set, and as a fortunate side effect, the CD flag in the standard DNS query flags field is cleared as well. Under these circumstances, BIND will do DNSSEC validation properly as long as you have "dnssec-validation auto;" in the configuration. It will return proper SERVFAIL responses to Windows if DNSSEC validation fails.

See Dnscmd at http://technet.microsoft.com/en-us/library/cc772069(WS.10).aspx for further details.

Hope this is relevant and helpful.

Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

-----Original Message-----
From: bind-users-bounces+spainj=countryday@lists.isc.org [mailto:bind-users-bounces+spainj=countryday@lists.isc.org] On Behalf Of Lyle Giese
Sent: Tuesday, September 06, 2011 9:56 AM
To: bind-us...@isc.org
Subject: Bug in Bind 9.8 or am I doing something wrong?
> I was following Mark Andrews' discussion with a user about DNSSEC and played with it here and found an issue. Not sure if I am doing something wrong or if there is a bug somewhere.
>
> We have a Windows AD domain and use Bind 9.8 on our Linux servers for most DNS resolution. In order to politely set things up, I forwarded the queries for AD zones to the Windows server:
>
>     zone "chaseprod.local" {
>         type forward;
>         forwarders { 10.0.100.205; };
>     };
>
> This seemed to work until I added some stuff for DNSSEC to my named.conf. In the global options section, I have:
>
>     dnssec-enable yes;
>     dnssec-validation auto;
>     dnssec-lookaside auto;
>
> And as a general option, I added:
>
>     include "/etc/bind.keys";
>
> Under Bind 9.8.0-P4 and Bind 9.8.1 (compiled from source with no special options under SLES 10), resolution of a valid record in the forwarded zone fails when I add the above dnssec options:
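The CD/DO handling Jeff describes, as an added example that is not part of this thread and is not code from BIND or from Windows DNS: a small Python script that builds a DNS query in wire format with the flags a forwarder might set, parses the header and the EDNS OPT record back out, and states what a validating resolver does with each combination (the CD bit is RFC 4035 section 3.2.2, the DO bit RFC 3225 / RFC 4035 section 3.2.1). The query name is the one from the thread; the transaction ID, payload size and the two sample queries are constructed for the illustration.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1; CD is defined in RFC 2535/4035)
FLAG_RD = 0x0100  # recursion desired
FLAG_CD = 0x0010  # checking disabled: the client accepts unvalidated data
# DO ("DNSSEC OK") is the top bit of the 16-bit extended flags that live in
# the TTL field of the OPT pseudo-RR (RFC 3225)
EDNS_DO = 0x8000
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Dotted name -> wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Wire-format name at offset -> (dotted name, offset after it); queries carry no compression pointers."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(name, txid=0x1234, cd=False, edns=False, do=False):
    """Build a one-question A query; optionally append an OPT RR carrying the DO bit."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns:
        # OPT RR: root name, type 41, UDP payload size in the CLASS slot,
        # extended flags (including DO) in the TTL slot, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return msg


def inspect_query(msg):
    """Parse header, question and additional section; report RD, CD, OPT presence and DO."""
    _txid, flags, qdcount, _an, _ns, arcount = struct.unpack_from("!HHHHHH", msg, 0)
    offset = 12
    qname = None
    for _ in range(qdcount):
        qname, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    has_opt, do = False, False
    for _ in range(arcount):
        _name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10 + rdlen
        if rtype == TYPE_OPT:
            has_opt = True
            do = bool(ttl & EDNS_DO)
    return {"qname": qname, "rd": bool(flags & FLAG_RD), "cd": bool(flags & FLAG_CD),
            "edns": has_opt, "do": do}


def validator_behaviour(info):
    """What a validating resolver does with the query (RFC 4035 sections 3.2.1 and 3.2.2)."""
    rrs = "DNSSEC RRs included" if info["do"] else "DNSSEC RRs stripped"
    if info["cd"]:
        return "answer without validating (CD set); " + rrs
    return "validate, SERVFAIL on failure (CD clear); " + rrs


if __name__ == "__main__":
    # Constructed samples: the first mimics the Windows 2008 R2 default Jeff describes
    # (CD set, OPT with DO); the second is the shape of a query with EDNS probes disabled.
    samples = (
        ("windows default", build_query("chasew8s1.corp.chaseprod.local", cd=True, edns=True, do=True)),
        ("after EnableEDnsProbes 0", build_query("chasew8s1.corp.chaseprod.local")),
    )
    for label, q in samples:
        info = inspect_query(q)
        print(f"{label}: {info} -> {validator_behaviour(info)}")
```

Running inspect_query over a query captured from an upstream forwarder tells you whether it is asking for unvalidated data: a forwarder in the state Jeff describes shows cd=True, edns=True, do=True, which is why a validating BIND hands it answers that would otherwise SERVFAIL; a query with no OPT record and CD clear gets full validation.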
Re: Bug in Bind 9.8 or am I doing something wrong?
Mark, you remark somewhere that:

> Additionally .local is reserved for mDNS ..

Makes me wonder who reserved .local and specifically earmarked it to be used for mDNS. IANA (http://www.iana.org/domains/root/db/) doesn't seem to know about this. Can you give some references?

jaap
Re: Bug in Bind 9.8 or am I doing something wrong?
Jaap Akkerhuis <j...@nlnetlabs.nl> wrote:

>> Additionally .local is reserved for mDNS ..
>
> Can you give some references?

http://tools.ietf.org/html/draft-chapin-rfc2606bis

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Lundy, Fastnet: West or southwest, 6 to gale 8, decreasing 5 at times later. Rough or very rough. Showers, squally at first. Moderate or good.
Re: Bug in Bind 9.8 or am I doing something wrong?
Hi Jaap,

At 15:42 06-09-2011, Jaap Akkerhuis wrote:
> Makes me wonder who reserved .local and specifically earmarked it to be used for mDNS. IANA (http://www.iana.org/domains/root/db/) doesn't seem to know about this. Can you give some references?

See draft-cheshire-dnsext-multicastdns-14 which you may have read. :-)

There is also a proposal for a Special-Use Domain Name (draft-cheshire-dnsext-special-names-01).

Regards,
-sm