Re: Bug in Bind 9.8 or am I doing something wrong?

2011-09-07 Thread Chris Thompson

On Sep 6 2011, Mark Andrews wrote:
[...]

Named doesn't yet have the ability to disable DNSSEC validation
for specified namespaces.


Yet? Is there a hint of a future change there?

--
Chris Thompson
Email: c...@cam.ac.uk
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread Lyle Giese
I was following Mark Andrews' discussion with a user about DNSSEC and 
played with it here and found an issue.  Not sure if I am doing 
something wrong or if there is a bug somewhere.


We have a Windows AD domain and use Bind 9.8 on our Linux servers for 
most DNS resolution.  In order to politely set things up, I forwarded the 
queries for AD zones to the Windows server:


zone "chaseprod.local" {
    type forward;
    forwarders { 10.0.100.205; };
};

This seemed to work until I added some stuff for DNSSEC to my named.conf.

In the global option section, I have:

dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;

And as a general option, I added:

include "/etc/bind.keys";

Under Bind 9.8.0-P4 and Bind 9.8.1 (compiled from source with no special 
options under SLES 10), resolution of a valid record in the forwarded 
zone fails when I added the above dnssec options:



; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58140
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local.	IN	A

;; AUTHORITY SECTION:
.			10794	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2011090600 1800 900 604800 86400


;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep  6 08:43:25 2011
;; MSG SIZE  rcvd: 123

If I comment out dnssec-validation auto and the include for bind.keys, 
the resolution for the forwarded zone works:



; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7529
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 3

;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local.	IN	A

;; ANSWER SECTION:
chasew8s1.corp.chaseprod.local. 2599 IN A   10.0.102.10
chasew8s1.corp.chaseprod.local. 2599 IN A   10.0.100.205

;; AUTHORITY SECTION:
.   517399  IN  NS  l.root-servers.net.
.   517399  IN  NS  d.root-servers.net.
.   517399  IN  NS  k.root-servers.net.
.   517399  IN  NS  i.root-servers.net.
.   517399  IN  NS  a.root-servers.net.
.   517399  IN  NS  g.root-servers.net.
.   517399  IN  NS  m.root-servers.net.
.   517399  IN  NS  b.root-servers.net.
.   517399  IN  NS  j.root-servers.net.
.   517399  IN  NS  f.root-servers.net.
.   517399  IN  NS  h.root-servers.net.
.   517399  IN  NS  e.root-servers.net.
.   517399  IN  NS  c.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net. 604029  IN  AAAA    2001:503:c27::2:30
l.root-servers.net. 604031  IN  A   199.7.83.42
m.root-servers.net. 604061  IN  A   202.12.27.33

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep  6 08:42:47 2011
;; MSG SIZE  rcvd: 351

Is this a bug or am I doing something wrong?

Thanks,
Lyle Giese
LCR Computer Services, Inc.


Re: Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread Tony Finch
Lyle Giese l...@lcrcomputer.net wrote:

 zone "chaseprod.local" {
     type forward;
     forwarders { 10.0.100.205; };
 };

 This seemed to work until I added some stuff for DNSSEC to my named.conf.

In order to forward a zone in the presence of DNSSEC validation, the zone
has to have a valid delegation in the public DNS. You can't use forwarding
to splice some private namespace onto the public DNS.

There is a new static-stub zone type which should avoid this problem,
though it has a number of other differences from a forwarding
configuration.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Forties, Cromarty, Forth, Tyne: Southwest veering northwest 5 to 7, increasing
gale 8 for a time. Moderate or rough, occasionally very rough in Forties. Rain
or squally showers. Moderate or good.

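To make Tony's point concrete, here is an added example (not from the thread, and not BIND's code) of the denial-of-existence check a validating resolver performs. With a trust anchor for the root, the root zone's NSEC chain carries a signed proof that no TLD "local" exists, so nothing a forwarder says about chaseprod.local can be chained to the trust anchor; the NXDOMAIN with the root SOA in Lyle's first dig output is the root's own proof of non-existence. The NSEC records below are constructed and heavily abridged (the real root chain has hundreds of records and signature verification is omitted); the ordering and covering logic is the real algorithm from RFC 4034 section 6.1 and RFC 4035 section 5.4.

```python
"""Added example: how a validating resolver proves that a name does not exist.

The NSEC chain below is constructed and abridged; it is NOT real root zone data.
Signature (RRSIG) checking is omitted, only the NSEC ordering/covering logic is shown.
"""

# (owner, next owner, types present at owner) - constructed, abridged root-style chain
ROOT_NSECS = [
    (".",    "aaa.", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
    ("aaa.", "lk.",  {"NS", "DS", "RRSIG", "NSEC"}),   # everything between collapsed
    ("lk.",  "lr.",  {"NS", "DS", "RRSIG", "NSEC"}),   # no TLD sorts between lk and lr
    ("lr.",  "zw.",  {"NS", "DS", "RRSIG", "NSEC"}),
    ("zw.",  ".",    {"NS", "DS", "RRSIG", "NSEC"}),   # last record wraps to the apex
]


def canonical_key(name: str) -> list:
    """RFC 4034 s6.1 canonical ordering key: labels compared right to left,
    case-insensitively, octet by octet; an ancestor (shorter name) sorts first."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return labels[::-1]


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname falls strictly between owner and next in canonical order."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n   # last NSEC of the zone: its next name is the apex


def ancestors(qname: str) -> list:
    """All ancestors of qname from the apex down to qname itself."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." for i in range(len(labels), -1, -1)]


def prove_nxdomain(nsecs: list, qname: str) -> dict:
    """RFC 4035 s5.4 style NXDOMAIN proof: find the closest encloser, then require
    NSECs covering the next-closer name and the wildcard at the closest encloser."""
    owners = {o for o, _, _ in nsecs}
    chain = ancestors(qname)
    closest = [a for a in chain if a in owners][-1]
    if closest == qname:
        return {"verdict": "exists", "closest_encloser": closest}
    types = next(t for o, _, t in nsecs if o == closest)
    if "NS" in types and "SOA" not in types:
        # closest encloser is a delegation: only the child zone can prove anything below it
        return {"verdict": "delegation", "closest_encloser": closest}
    next_closer = chain[chain.index(closest) + 1]
    wildcard = "*." + ("" if closest == "." else closest)
    nc_proof = next(((o, n) for o, n, _ in nsecs if nsec_covers(o, n, next_closer)), None)
    wc_proof = next(((o, n) for o, n, _ in nsecs if nsec_covers(o, n, wildcard)), None)
    if nc_proof and wc_proof:
        return {"verdict": "NXDOMAIN", "closest_encloser": closest,
                "next_closer": next_closer, "covered_by": nc_proof,
                "wildcard_covered_by": wc_proof}
    return {"verdict": "bogus", "closest_encloser": closest}


if __name__ == "__main__":
    for name in ("chasew8s1.corp.chaseprod.local.", "www.lk.", "lk."):
        print(name, prove_nxdomain(ROOT_NSECS, name))
```

For the AD name the closest encloser is the root itself and the next-closer name "local." is covered by the "lk." to "lr." NSEC, so the resolver has a secure proof that the whole subtree does not exist. For "www.lk." the closest encloser is a delegation, which is why the resolver must follow the DS record into the child zone instead of accepting a denial from the root; a forward zone for a private name has no such DS to follow.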

Re: Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread Lyle Giese

On 9/6/2011 9:13 AM, Tony Finch wrote:

Lyle Giese l...@lcrcomputer.net wrote:


zone "chaseprod.local" {
    type forward;
    forwarders { 10.0.100.205; };
};

This seemed to work until I added some stuff for DNSSEC to my named.conf.


In order to forward a zone in the presence of DNSSEC validation, the zone
has to have a valid delegation in the public DNS. You can't use forwarding
to splice some private namespace onto the public DNS.

There is a new static-stub zone type which should avoid this problem,
though it has a number of other differences from a forwarding
configuration.

Tony.


Changing zone to:

zone "chaseprod.local" {
    type static-stub;
    server-addresses { 10.0.100.205; };
};

And adding back in the DNSSEC stuff, it's still broken, but the output 
from dig changes.



; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


Very informative.  But if I disable DNSSEC, resolution using a 
static-stub zone does work.


Lyle Giese
LCR Computer Services, Inc.


Re: Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread Chris Buxton
On Sep 6, 2011, at 7:32 AM, Lyle Giese wrote:
 On 9/6/2011 9:13 AM, Tony Finch wrote:
 Lyle Giese l...@lcrcomputer.net wrote:
 
 zone "chaseprod.local" {
     type forward;
     forwarders { 10.0.100.205; };
 };
 
 This seemed to work until I added some stuff for DNSSEC to my named.conf.
 
 In order to forward a zone in the presence of DNSSEC validation, the zone
 has to have a valid delegation in the public DNS. You can't use forwarding
 to splice some private namespace onto the public DNS.
 
 There is a new static-stub zone type which should avoid this problem,
 though it has a number of other differences from a forwarding
 configuration.
 
 Tony.
 
 Changing zone to:
 
 zone "chaseprod.local" {
     type static-stub;
     server-addresses { 10.0.100.205; };
 };
 
 And adding back in the DNSSEC stuff, it's still broken, but the output from 
 dig changes.
 
 
 ; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
 ; (1 server found)
 ;; global options: +cmd
 ;; connection timed out; no servers could be reached
 
 
 Very informative.  But if I disable DNSSEC, resolution using a static-stub 
 zone does work.

If named is logging, is there anything interesting in the log from this test?

A response from ISC would be useful here. It's pretty normal to mix DNSSEC 
validation for public namespace with add-on private namespace. Is it true that 
enterprise networks using BIND 9.8 need to have a two-step resolution process, 
as shown below? When did this start? (I haven't tested because nearly every 
customer already uses this kind of strategy.)

client -> internal resolver -> internal auth (unsigned)
                            -> forwarders in the DMZ with DNSSEC validation enabled

Is the situation different when the resolving/caching/validating name server is 
also authoritative for (some of) the internal namespace?

Regards,
Chris Buxton
BlueCat Networks


RE: Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread Spain, Dr. Jeffry A.
Lyle: If I understand your issue correctly, it is one that I also experienced 
when using a Windows 2008 R2 DNS server to forward to a BIND 9.8.0 recursive 
resolver configured to perform DNSSEC validation. By default Windows 2008 R2 
DNS forwards queries with the CD flag set in the query, and it includes the OPT 
pseudo-resource record with the DO bit set. The meaning of this to the BIND 
resolver is supposed to be "don't bother checking DNSSEC validity" (CD bit set) 
and "return DNSSEC information" (DO bit set). Unfortunately Windows can't do its 
own DNSSEC validity checking since there is no way to successfully configure 
trust anchors, i.e. Windows DNS isn't really ready for DNSSEC prime time. Thus 
BIND returns answers to Windows even if DNSSEC validation would have failed.

You can alter these unfortunately configured flags in Windows DNS queries using 
the command:
dnscmd /config /EnableEDnsProbes 0

The effect of this is to cause the Windows DNS server to send its queries 
without the OPT pseudo-resource record in the Additional Records section of the 
query. Thus there is no DO bit set, and as a fortunate side effect, the CD flag 
in the standard DNS query flags field is cleared as well.

Under these circumstances, BIND will do DNSSEC validation properly as long as 
you have dnssec-validation auto; in the configuration. It will return proper 
SERVFAIL responses to Windows if DNSSEC validation fails.

See Dnscmd at http://technet.microsoft.com/en-us/library/cc772069(WS.10).aspx 
for further details.

Hope this is relevant and helpful. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School


-Original Message-
From: bind-users-bounces+spainj=countryday@lists.isc.org 
[mailto:bind-users-bounces+spainj=countryday@lists.isc.org] On Behalf Of 
Lyle Giese
Sent: Tuesday, September 06, 2011 9:56 AM
To: bind-us...@isc.org
Subject: Bug in Bind 9.8 or am I doing something wrong?

I was following Mark Andrews' discussion with a user about DNSSEC and 
played with it here and found an issue.  Not sure if I am doing 
something wrong or if there is a bug somewhere.

We have a Windows AD domain and use Bind 9.8 on our Linux servers for 
most DNS resolution.  In order to politely set things up, I forwarded the 
queries for AD zones to the Windows server:

zone "chaseprod.local" {
    type forward;
    forwarders { 10.0.100.205; };
};

This seemed to work until I added some stuff for DNSSEC to my named.conf.

In the global option section, I have:

dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;

And as a general option, I added:

include "/etc/bind.keys";

Under Bind 9.8.0-P4 and Bind 9.8.1 (compiled from source with no special 
options under SLES 10), resolution of a valid record in the forwarded 
zone fails when I added the above dnssec options:


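As an added illustration of the two query shapes Jeff describes (constructed example code, not a capture from Windows DNS and not anything from BIND): it builds a DNS query in wire format with or without the CD flag and an EDNS OPT record carrying the DO bit, parses such a query back out, and states what a validating resolver is required to do with it under RFC 4035 section 3.2.2 (CD set: hand back the data without validating it, so a bogus answer is not turned into SERVFAIL). The query name and the "before" and "after dnscmd /config /EnableEDnsProbes 0" shapes are assumptions taken from his description; nothing here asserts what Windows actually sends beyond what he reports.

```python
"""Added example: build and inspect DNS queries with the CD flag and the EDNS DO bit.

Everything here is constructed for illustration; no packets were captured from Windows.
"""
import struct

DNS_TYPE_A, DNS_TYPE_OPT = 1, 41
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010
# DO is the top bit of the 16-bit EDNS flags field, which sits in the low half of the OPT TTL
EDNS_DO = 0x8000


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels ending in a zero octet."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qname: str, qtype: int = DNS_TYPE_A, txid: int = 0x1234,
                cd: bool = False, edns: bool = True, do: bool = False) -> bytes:
    """Standard recursive query; optionally CD in the header and an OPT RR with DO."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)          # class IN
    if edns:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return msg


def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:            # compression pointer: not produced for queries here
            return ".".join(labels) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def inspect_query(msg: bytes) -> dict:
    """Parse header flags, the question, and any OPT RR in the additional section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns, do = False, False
    for _ in range(an + ns + ar):          # a query carries at most the OPT RR here
        _, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            edns, do = True, bool(ttl & EDNS_DO)
    return {"id": txid, "qname": qname, "qtype": qtype,
            "rd": bool(flags & FLAG_RD), "cd": bool(flags & FLAG_CD),
            "edns": edns, "do": do}


def resolver_policy(q: dict) -> dict:
    """What RFC 4035 s3.2.2/3.2.3 requires of a validating resolver for this query."""
    return {"validates": not q["cd"],
            "servfail_on_bogus": not q["cd"],
            "returns_rrsigs": q["do"]}


# Constructed queries modelled on the post's description (assumption: shapes, not captures)
WINDOWS_DEFAULT_QUERY = build_query("chasew8s1.corp.chaseprod.local.", cd=True, edns=True, do=True)
PROBES_DISABLED_QUERY = build_query("chasew8s1.corp.chaseprod.local.", cd=False, edns=False)

if __name__ == "__main__":
    for label, q in (("default", WINDOWS_DEFAULT_QUERY), ("probes off", PROBES_DISABLED_QUERY)):
        info = inspect_query(q)
        print(label, info, resolver_policy(info))
```

The point of the inspection is the check a practitioner wants before blaming the resolver: capture one query from the forwarding server, run it through inspect_query, and if "cd" is true the validator was never asked to validate, so SERVFAIL was never on the table regardless of the trust anchor configuration.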

Re: Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread Jaap Akkerhuis
Mark,

you remark somewhere that:

Additionally .local is reserved for mDNS ..

Makes me wonder who reserved .local and specifically earmarked it to be
used for mDNS. IANA http://www.iana.org/domains/root/db/ doesn't seem
to know about this.

Can you give some references?

jaap


Re: Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread Tony Finch
Jaap Akkerhuis j...@nlnetlabs.nl wrote:

 Additionally .local is reserved for mDNS ..

 Can you give some references?

http://tools.ietf.org/html/draft-chapin-rfc2606bis

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Lundy, Fastnet: West or southwest, 6 to gale 8, decreasing 5 at times later.
Rough or very rough. Showers, squally at first. Moderate or good.


Re: Bug in Bind 9.8 or am I doing something wrong?

2011-09-06 Thread SM

Hi Jaap,
At 15:42 06-09-2011, Jaap Akkerhuis wrote:

Make me wonder who reserved .local and specifically earmaked it to be
used for mDNS. Iana http://www.iana.org/domains/root/db/ doesn't seem
to know about this.

Can you give some references?


See draft-cheshire-dnsext-multicastdns-14 which you may have read. 
:-)  There is also a proposal for a Special-Use Domain Name 
(draft-cheshire-dnsext-special-names-01).


Regards,
-sm 

