Re[2]: Configuring the location of named .jnl files
Anders Löwinger wrote:
> Ivan Avery Frey wrote:
> >
> > We are only using update to provision the acme challenge as described
> > by RFC 8555 8.4. Nothing else.
>
> Acme follows CNAMEs. I've redirected all challenges to my domains to a
> separate subdomain, which allows dynamic updates. Works great!

Yes, there's an item about this on the EFF blog:

https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation

I wrote a followup which might be of interest on this list even though it
isn't relevant to this specific problem:

https://fanf.dreamwidth.org/123294.html

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re[2]: Configuring the location of named .jnl files
-- Original message --
From: "Ivan Avery Frey"
To: "ML BIND Users"
Sent: 2021-04-27 02:13:02
Subject: Re: Configuring the location of named .jnl files

> Hi Mark,
>
> We are only using update to provision the acme challenge as described
> by RFC 8555 8.4. Nothing else.

Acme follows CNAMEs. I've redirected all challenges to my domains to a
separate subdomain, which allows dynamic updates. Works great!

Regards
Anders Löwinger
Re: Configuring the location of named .jnl files
Hi Mark,

We are only using update to provision the acme challenge as described by
RFC 8555 8.4. Nothing else.

If certbot (the acme client) behaves as it should, provisioning and
deprovisioning the resource record, then our zone file doesn't really
change.

I will ask my colleague why he feels our security policy is the right one.

Ivan.

On Mon, 26 Apr 2021 at 19:53, Mark Andrews wrote:
>
> Well if you are not allowed to update the zone file for “security reasons”
> then allowing a journal to be written shouldn’t be allowed for the same
> “security reasons”. There is no difference between updating a zone file
> and updating a journal from a security perspective.
>
> Additionally you will just be adding more and more processing to the
> startup of named if you have an un-writeable zone file as every change to
> the zone through the life of the zone will have to be applied serially.
> You will also have problems if you have to roll the zone's serial number
> as journals really aren’t designed to be used with a zone file that is
> not being consolidated regularly. Journals are not designed to have
> serial numbers loop over. Which instance of serial 5 are you referring to
> if there are multiple 5s in the journal?
>
> I suggest that you go back and re-examine your security policy. Even
> SELinux moves dynamically updatable zones to a writable directory so that
> the zone files can be updated.
>
> Mark
>
> > On 27 Apr 2021, at 03:26, Ivan Avery Frey wrote:
> >
> > Yes, I was using nsupdate to test my implementation. For security
> > reasons the directory that holds the zone file is readonly for named.
> > So named couldn't create its journal file there. I misinterpreted the
> > reference manual for the description of the "journal" command. Where
> > it mentioned that the "filename" could be overridden I wasn't thinking
> > it could be a pathname.
> >
> > Just to clarify, I will be using the certbot client with the
> > dns-rfc2136 plugin to receive my certificates.
> >
> > I wonder why they don't have a dns-local plugin. It would be a whole
> > lot simpler.
> >
> > On Mon., Apr. 26, 2021, 09:57 Kevin Darcy via bind-users wrote:
> > [ Classification Level: GENERAL BUSINESS ]
> >
> > Ivan,
> > I've never done the Let's Encrypt thing myself, but from my skim of
> > the documentation, it appears they want you to place a TXT record in
> > a specific part of your domain's namespace hierarchy.
> >
> > I sincerely hope you're not trying to write the TXT record directly to
> > the journal file. That could lead to corruption, or, at the very least,
> > your changes could be overwritten, since journal files are written
> > dynamically.
> >
> > The safe way to update DNS programmatically is through the Dynamic
> > Update extension to DNS, typically via the "nsupdate" command-line
> > utility, or via various libraries/modules of scripting languages like
> > Perl or Python.
> >
> > One of the bash-based ACME client implementations linked from Let's
> > Encrypt's webpage, for instance, is github.com/bruncsak/ght-acme.sh,
> > and for the DNS-01 challenge method, it feeds some commands to
> > nsupdate. The code is rather crude, assuming no crypto-based
> > authentication on the server side, among other things, but it's at
> > least a start on a recommended way to update DNS data. Better than
> > mucking around with journal files.
> >
> > There is a learning curve associated with Dynamic Update. On the
> > server side, for instance, you'll need to establish permissions via
> > allow-update. Limiting updates to localhost at least would protect
> > your DNS data from unauthorized changes from remote hosts, but
> > ideally, you'd generate a key and use that.
> >
> > - Kevin
> >
> > On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey wrote:
> > I'm trying to obtain certificates from Let's Encrypt using the DNS-01
> > challenge method.
> >
> > I just want to confirm that there is no option to configure the
> > directory for the .jnl files independently of the zone files.
Re: Configuring the location of named .jnl files
Well if you are not allowed to update the zone file for “security reasons”
then allowing a journal to be written shouldn’t be allowed for the same
“security reasons”. There is no difference between updating a zone file
and updating a journal from a security perspective.

Additionally you will just be adding more and more processing to the
startup of named if you have an un-writeable zone file as every change to
the zone through the life of the zone will have to be applied serially. You
will also have problems if you have to roll the zone's serial number as
journals really aren’t designed to be used with a zone file that is not
being consolidated regularly. Journals are not designed to have serial
numbers loop over. Which instance of serial 5 are you referring to if there
are multiple 5s in the journal?

I suggest that you go back and re-examine your security policy. Even
SELinux moves dynamically updatable zones to a writable directory so that
the zone files can be updated.

Mark

> On 27 Apr 2021, at 03:26, Ivan Avery Frey wrote:
>
> Yes, I was using nsupdate to test my implementation. For security reasons
> the directory that holds the zone file is readonly for named. So named
> couldn't create its journal file there. I misinterpreted the reference
> manual for the description of the "journal" command. Where it mentioned
> that the "filename" could be overridden I wasn't thinking it could be a
> pathname.
>
> Just to clarify, I will be using the certbot client with the dns-rfc2136
> plugin to receive my certificates.
>
> I wonder why they don't have a dns-local plugin. It would be a whole lot
> simpler.
>
> On Mon., Apr. 26, 2021, 09:57 Kevin Darcy via bind-users wrote:
> [ Classification Level: GENERAL BUSINESS ]
>
> Ivan,
> I've never done the Let's Encrypt thing myself, but from my skim of the
> documentation, it appears they want you to place a TXT record in a
> specific part of your domain's namespace hierarchy.
>
> I sincerely hope you're not trying to write the TXT record directly to
> the journal file. That could lead to corruption, or, at the very least,
> your changes could be overwritten, since journal files are written
> dynamically.
>
> The safe way to update DNS programmatically is through the Dynamic Update
> extension to DNS, typically via the "nsupdate" command-line utility, or
> via various libraries/modules of scripting languages like Perl or Python.
>
> One of the bash-based ACME client implementations linked from Let's
> Encrypt's webpage, for instance, is github.com/bruncsak/ght-acme.sh, and
> for the DNS-01 challenge method, it feeds some commands to nsupdate. The
> code is rather crude, assuming no crypto-based authentication on the
> server side, among other things, but it's at least a start on a
> recommended way to update DNS data. Better than mucking around with
> journal files.
>
> There is a learning curve associated with Dynamic Update. On the server
> side, for instance, you'll need to establish permissions via
> allow-update. Limiting updates to localhost at least would protect your
> DNS data from unauthorized changes from remote hosts, but ideally, you'd
> generate a key and use that.
>
> - Kevin
>
> On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey wrote:
> I'm trying to obtain certificates from Let's Encrypt using the DNS-01
> challenge method.
>
> I just want to confirm that there is no option to configure the
> directory for the .jnl files independently of the zone files.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: Configuring the location of named .jnl files
Yes, I was using nsupdate to test my implementation. For security reasons
the directory that holds the zone file is readonly for named. So named
couldn't create its journal file there. I misinterpreted the reference
manual for the description of the "journal" command. Where it mentioned
that the "filename" could be overridden I wasn't thinking it could be a
pathname.

Just to clarify, I will be using the certbot client with the dns-rfc2136
plugin to receive my certificates.

I wonder why they don't have a dns-local plugin. It would be a whole lot
simpler.

On Mon., Apr. 26, 2021, 09:57 Kevin Darcy via bind-users
<bind-users@lists.isc.org> wrote:
> [ Classification Level: GENERAL BUSINESS ]
>
> Ivan,
> I've never done the Let's Encrypt thing myself, but from my skim of the
> documentation, it appears they want you to place a TXT record in a
> specific part of your domain's namespace hierarchy.
>
> I sincerely hope you're not trying to write the TXT record directly to
> the journal file. That could lead to corruption, or, at the very least,
> your changes could be overwritten, since journal files are written
> dynamically.
>
> The safe way to update DNS programmatically is through the Dynamic Update
> extension to DNS, typically via the "nsupdate" command-line utility, or
> via various libraries/modules of scripting languages like Perl or Python.
>
> One of the bash-based ACME client implementations linked from Let's
> Encrypt's webpage, for instance, is github.com/bruncsak/ght-acme.sh, and
> for the DNS-01 challenge method, it feeds some commands to nsupdate. The
> code is rather crude, assuming no crypto-based authentication on the
> server side, among other things, but it's at least a start on a
> recommended way to update DNS data. Better than mucking around with
> journal files.
>
> There is a learning curve associated with Dynamic Update. On the server
> side, for instance, you'll need to establish permissions via
> allow-update. Limiting updates to localhost at least would protect your
> DNS data from unauthorized changes from remote hosts, but ideally, you'd
> generate a key and use that.
>
> - Kevin
>
> On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey wrote:
>
>> I'm trying to obtain certificates from Let's Encrypt using the DNS-01
>> challenge method.
>>
>> I just want to confirm that there is no option to configure the
>> directory for the .jnl files independently of the zone files.
Re: Configuring the location of named .jnl files
Ivan Avery Frey wrote:
> I'm trying to obtain certificates from Let's Encrypt using the DNS-01
> challenge method.
>
> I just want to confirm that there is no option to configure the
> directory for the .jnl files independently of the zone files.

You have had a bunch of helpful replies already, but your question
suggests to me that you might be making things more difficult than they
need to be.

I have tried out configurations with non-default journal names and I've
decided it's more trouble than it is worth. For example, I added the -J
option to named-compilezone to improve support for custom journal names,
but the -j option for default journals is significantly more convenient.
And it's much nicer when I don't have journal options in every zone{}
clause in my config.

I know what they say about assuming, but I'm going to guess that you want
to put the journal in a different directory because `named` complained
that it did not have write access to the directory containing your zone
file. If I'm right, you will soon find that `named` also wants to
overwrite your zone file, and the message I sent yesterday will probably
be helpful:

https://lists.isc.org/pipermail/bind-users/2021-April/104472.html

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Dover, Wight, Portland, Plymouth, North Biscay: Easterly or northeasterly
5 to 7, decreasing 3 or 4 later, then becoming variable later. Slight or
moderate, becoming smooth or slight, occasionally rough at first in
Plymouth and north Biscay. Fair. Good.
Re: Configuring the location of named .jnl files
To echo what Kevin has said. A TXT record is what is needed in the ZONE
file. Furthermore with Letsencrypt or any other CA you need to add a CAA
record otherwise you run the risk of returning a SERVFAIL with whatever
client goes to validate that record.

https://letsencrypt.org/docs/caa/

This record should go in the same zone file as your TXT record.

Hope that helps.

Cameron

On Mon, Apr 26, 2021 at 7:47 AM wrote:
> Message: 1
> Date: Mon, 26 Apr 2021 09:56:29 -0400
> From: Kevin Darcy
> To: ML BIND Users
> Subject: Re: Configuring the location of named .jnl files
>
> [ Classification Level: GENERAL BUSINESS ]
>
> Ivan,
> I've never done the Let's Encrypt thing myself, but from my skim of the
> documentation, it appears they want you to place a TXT record in a
> specific part of your domain's namespace hierarchy.
>
> I sincerely hope you're not trying to write the TXT record directly to
> the journal file. That could lead to corruption, or, at the very least,
> your changes could be overwritten, since journal files are written
> dynamically.
>
> The safe way to update DNS programmatically is through the Dynamic Update
> extension to DNS, typically via the "nsupdate" command-line utility, or
> via various libraries/modules of scripting languages like Perl or Python.
>
> One of the bash-based ACME client implementations linked from Let's
> Encrypt's webpage, for instance, is github.com/bruncsak/ght-acme.sh, and
> for the DNS-01 challenge method, it feeds some commands to nsupdate. The
> code is rather crude, assuming no crypto-based authentication on the
> server side, among other things, but it's at least a start on a
> recommended way to update DNS data. Better than mucking around with
> journal files.
>
> There is a learning curve associated with Dynamic Update. On the server
> side, for instance, you'll need to establish permissions via
> allow-update. Limiting updates to localhost at least would protect your
> DNS data from unauthorized changes from remote hosts, but ideally, you'd
> generate a key and use that.
>
> - Kevin
>
> On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey wrote:
> > I'm trying to obtain certificates from Let's Encrypt using the DNS-01
> > challenge method.
> >
> > I just want to confirm that there is no option to configure the
> > directory for the .jnl files independently of the zone files.
Re: Configuring the location of named .jnl files
[ Classification Level: GENERAL BUSINESS ]

Ivan,
I've never done the Let's Encrypt thing myself, but from my skim of the
documentation, it appears they want you to place a TXT record in a
specific part of your domain's namespace hierarchy.

I sincerely hope you're not trying to write the TXT record directly to the
journal file. That could lead to corruption, or, at the very least, your
changes could be overwritten, since journal files are written dynamically.

The safe way to update DNS programmatically is through the Dynamic Update
extension to DNS, typically via the "nsupdate" command-line utility, or via
various libraries/modules of scripting languages like Perl or Python.

One of the bash-based ACME client implementations linked from Let's
Encrypt's webpage, for instance, is github.com/bruncsak/ght-acme.sh, and
for the DNS-01 challenge method, it feeds some commands to nsupdate. The
code is rather crude, assuming no crypto-based authentication on the server
side, among other things, but it's at least a start on a recommended way to
update DNS data. Better than mucking around with journal files.

There is a learning curve associated with Dynamic Update. On the server
side, for instance, you'll need to establish permissions via allow-update.
Limiting updates to localhost at least would protect your DNS data from
unauthorized changes from remote hosts, but ideally, you'd generate a key
and use that.

- Kevin

On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey wrote:
> I'm trying to obtain certificates from Let's Encrypt using the DNS-01
> challenge method.
>
> I just want to confirm that there is no option to configure the
> directory for the .jnl files independently of the zone files.
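Kevin's recommended path, Dynamic Update through nsupdate with a TSIG key rather than touching the journal, looks like this in practice. The script below is an added example written for this thread; it is not part of any message above, not certbot's dns-rfc2136 plugin and not ght-acme.sh. It assumes a dynamic zone called acme.example.com served on 127.0.0.1 and a key file at /etc/bind/keys/certbot-key.key (all hypothetical); only the record name and the ACME token vary. It builds the nsupdate batch as text so the exact commands can be inspected, checks that the token is a base64url SHA-256 digest of the shape RFC 8555 8.4 specifies and that the name sits inside the zone the key is allowed to change, and only then pipes the batch to nsupdate.

```shell
#!/bin/sh
# Added example (not from the thread): provision and remove an ACME DNS-01
# challenge TXT record over RFC 2136 Dynamic Update, authenticated with a
# TSIG key.  Hypothetical names: zone acme.example.com, key file
# /etc/bind/keys/certbot-key.key, server 127.0.0.1.
set -eu

DNS_SERVER=127.0.0.1
ZONE=acme.example.com
TSIG_KEYFILE=/etc/bind/keys/certbot-key.key

# An ACME DNS-01 value is base64url(SHA-256(key authorization)): 43 characters
# from [A-Za-z0-9_-] with no padding.  Anything else never reaches nsupdate.
valid_token() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -eq 43 ]
}

# Print the nsupdate batch for "add" or "del" of one challenge record.
# The delete names the exact TXT value, so several tokens on the same
# _acme-challenge name (base name plus wildcard) can coexist.
acme_update_batch() {
    action="$1" name="$2" token="$3"
    valid_token "$token" || { echo "refusing malformed token" >&2; return 1; }
    case "$name" in
        "$ZONE"|*".$ZONE") ;;
        *) echo "refusing name outside $ZONE" >&2; return 1 ;;
    esac
    printf 'server %s\n' "$DNS_SERVER"
    printf 'zone %s\n' "$ZONE"
    case "$action" in
        add) printf 'update add %s 60 IN TXT "%s"\n' "$name" "$token" ;;
        del) printf 'update delete %s TXT "%s"\n' "$name" "$token" ;;
        *)   echo "usage: acme_update_batch add|del NAME TOKEN" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Send a batch to the server.  -k is nsupdate's own option for a TSIG key file.
acme_update_send() {
    acme_update_batch "$@" | nsupdate -k "$TSIG_KEYFILE"
}

# Usage (token below is a constructed sample value, not a real challenge):
#   acme_update_send add _acme-challenge.www.acme.example.com gfj9Xq-PnW7uMd2PrxVKcLaBGH4EQ8Xa2y0KTGAVc9o
#   acme_update_send del _acme-challenge.www.acme.example.com gfj9Xq-PnW7uMd2PrxVKcLaBGH4EQ8Xa2y0KTGAVc9o
```

The two checks are the point of the wrapper: the TSIG key proves who sent the update, but the client still decides what it asks for, so a script that validates its own inputs before they reach nsupdate narrows what a compromised or misbehaving ACME client can change. On the server side the matching `update-policy` should grant that key TXT records only, and only under the challenge zone. If the client runs on the name server itself, BIND's `update-policy local;` together with `nsupdate -l` uses the session key named generates at startup, which is the closest thing to the "dns-local" arrangement Ivan asks about later in the thread.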
Re: Configuring the location of named .jnl files
Hi Ivan,

Visit [1] and search for the "journal" zone option. Similar to "file". At
least BIND 9.16 has support, it is also in the man named.conf manual page
in BIND 9.11. I think that is what you were looking for.

Regards,
Petr

1. https://bind9.readthedocs.io/en/v9_16_13/reference.html#zone-statement-grammar

On 4/26/21 1:38 AM, Ivan Avery Frey wrote:
> I'm trying to obtain certificates from Let's Encrypt using the DNS-01
> challenge method.
>
> I just want to confirm that there is no option to configure the
> directory for the .jnl files independently of the zone files.

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
Re: Configuring the location of named .jnl files
zone example {
	…;
	journal ;
};

> On 26 Apr 2021, at 09:38, Ivan Avery Frey wrote:
>
> I'm trying to obtain certificates from Let's Encrypt using the DNS-01
> challenge method.
>
> I just want to confirm that there is no option to configure the
> directory for the .jnl files independently of the zone files.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
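The pieces the thread mentions separately fit together into one configuration: the `journal` zone option Petr and Mark point to, the key-based update permission Kevin recommends, and Anders's trick of redirecting every _acme-challenge name by CNAME into a separate subdomain that is the only zone accepting updates. The fragment below is an added example written for this thread, not taken from any message above nor from ISC's documentation. Every name and path in it is an assumption (example.com as the static zone, acme.example.com as the challenge zone, a key named certbot-key, directories under /etc/bind and /var/lib/bind), and the secret is a placeholder to be replaced with tsig-keygen output.

```conf
# Added example; not from the thread or from BIND's documentation.
# Assumed: zones example.com (static) and acme.example.com (dynamic),
# TSIG key "certbot-key", paths under /etc/bind and /var/lib/bind.

key "certbot-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-replace-with-output-of-tsig-keygen-certbot-key";
};

# Production zone: named only reads it, so its directory can stay read-only.
# No allow-update or update-policy here: nothing changes this zone dynamically,
# so no journal is ever written for it (Mark's point about journals).
zone "example.com" {
    type primary;
    file "/etc/bind/zones/example.com.zone";
};

# Challenge zone: the only zone that accepts updates.  Both the zone file and
# the journal live where named can write, because named rewrites the zone file
# when it consolidates the journal (Mark's and Tony's warning above).
zone "acme.example.com" {
    type primary;
    file "/var/lib/bind/dynamic/acme.example.com.zone";
    journal "/var/lib/bind/dynamic/acme.example.com.jnl";
    update-policy {
        # grant <identity> <nametype> <name> <types>:
        # only this key, only names at or below the zone, only TXT records.
        grant certbot-key subdomain acme.example.com. TXT;
    };
};

# --- excerpt of /etc/bind/zones/example.com.zone (static, hand-edited) ---
; delegate the challenge zone so resolvers can find it
acme                     IN NS    ns1.example.com.
; each name that needs a certificate points its challenge into the dynamic zone
_acme-challenge          IN CNAME _acme-challenge.acme.example.com.
_acme-challenge.www      IN CNAME _acme-challenge.www.acme.example.com.
; CAA, as Cameron notes, belongs in the same static zone
@                        IN CAA   0 issue "letsencrypt.org"
```

With this layout the ACME client (certbot with dns-rfc2136, or a script feeding nsupdate) is given the key and told to write under acme.example.com; the validator queries `_acme-challenge.www.example.com TXT`, follows the CNAME, and reads the token from the dynamic zone. The key cannot create or modify anything in example.com, and inside acme.example.com it cannot touch the SOA, NS or any non-TXT record, which is the practical meaning of Mark's remark that a writable journal and a writable zone file are the same thing from a security standpoint: the protection comes from what the update policy grants, not from which file happens to be read-only.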
Configuring the location of named .jnl files
I'm trying to obtain certificates from Let's Encrypt using the DNS-01
challenge method.

I just want to confirm that there is no option to configure the
directory for the .jnl files independently of the zone files.