Re: Freeze/thaw and signed zone files
On 23/02/2019 05:28, @lbutlr wrote:

> I did try manually updating via nsupdate -l
>
>> zone example.com
>> update add example.com. 86400 IN SOA ns1.example.net. admin.example.com. 2019022200 3600 300 1209600 3600
>> update add konamicode.example.com. 86400 IN CNAME www.example.com.
>> send
> ; Communication with ::1#53 failed: timed out
> update failed: FORMERR
>
> Why is it defaulting to IPv6? This system is not set up for IPv6. Do I have to
> set up named.conf to listen on ::1?

Obviously your machine *is* set up for IPv6, it's just not configured; named sees the capability, so it tries it.

I bet ifconfig shows it. Below is an example from this PC, which does not use IPv6...

    lo: inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10

Probably eth0 does as well:

    eth0: inet6 fe80::e2cb:4eff:feda:9842 prefixlen 64 scopeid 0x20

You might also want to read up on gai.conf and set some precedences. I don't use it, but on Slackware I don't have the problems you have, so it might help - I recall having to use it well over 10 years ago on a few CentOS servers we inherited at the time.

-- 
Kind Regards,
Noel Butler

This Email, including any attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate, discuss, or reveal, any part, to anyone, without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments, immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.

Only PDF and ODF documents accepted, please do not send proprietary formatted documents

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Freeze/thaw and signed zone files
On 23 Feb 2019, at 14:45, Mark Andrews wrote:
> On IPv6 why wouldn’t you support it?

Our ISP does not support it. We get 5 static IPv4 addresses and no IPv6 at all.

-- 
Critics look at actresses one of two ways: you're either bankable or boinkable.
Re: Freeze/thaw and signed zone files
On IPv6 why wouldn’t you support it? The world ran out of IPv4 addresses years ago and IPv4 is only limping along now due to ISPs spending big money to put in CGN boxes which you are paying for. Turning on IPv6 reduces the required size of these CGN boxes with on average 70% of residential traffic switching to it. This in turn reduces costs.

Named will already be using IPv6 for queries it is making as that is enabled by default.

-- 
Mark Andrews

> On 23 Feb 2019, at 06:28, @lbutlr wrote:
>
> I did try manually updating via nsupdate -l
>
>> zone example.com
>> update add example.com. 86400 IN SOA ns1.example.net. admin.example.com. 2019022200 3600 300 1209600 3600
>> update add konamicode.example.com. 86400 IN CNAME www.example.com.
>> send
> ; Communication with ::1#53 failed: timed out
> update failed: FORMERR
>
> Why is it defaulting to IPv6? This system is not set up for IPv6. Do I have to
> set up named.conf to listen on ::1?
>
> Also, confusingly, despite the error the zone WAS updated.
Re: Freeze/thaw and signed zone files
On 22 Feb 2019, at 12:28, @lbutlr wrote:
> ; Communication with ::1#53 failed: timed out

I am still getting this error whenever I try to make a change in the zone with nsupdate -l, should I not worry about it? I mean, the records appear to be updating…

-- 
First we must assume a spherical cow.
Re: Freeze/thaw and signed zone files
On 22 Feb 2019, at 12:12, Tony Finch wrote:
> Get it from the link above, if you want :-)

Doh! OK, got it, installed it, changed the path to perl, and that’s pretty slick.

-- 
"I don't think the kind of friends I'd have would care."
Re: Freeze/thaw and signed zone files
I did try manually updating via nsupdate -l

    > zone example.com
    > update add example.com. 86400 IN SOA ns1.example.net. admin.example.com. 2019022200 3600 300 1209600 3600
    > update add konamicode.example.com. 86400 IN CNAME www.example.com.
    > send
    ; Communication with ::1#53 failed: timed out
    update failed: FORMERR

Why is it defaulting to IPv6? This system is not set up for IPv6. Do I have to set up named.conf to listen on ::1?

Also, confusingly, despite the error the zone WAS updated.

-- 
There used to be such simple directions, back in the days before they invented parallel universes - Up and Down, Right and Left, Backward and Forward, Past and Future... But normal directions don't work in the multiverse, which has far too many dimensions for anyone to find their way. So new ones have to be invented so that the way can be found. Like: East of the Sun, West of the Moon Or: Behind the North Wind. Or: At the Back of Beyond. Or: There and Back Again. Or: Beyond the Fields We Know. --Lords and Ladies
Re: Freeze/thaw and signed zone files
@lbutlr via bind-users wrote:

> On 22 Feb 2019, at 09:54, Tony Finch wrote:
>> You might want a config like
>>
>>     zone "example.com" {
>>         type master;
>>         file "master/example.com";
>
> Not example.com.signed?

No, in inline-signing mode the zone you interact with is the unsigned version; the signed version belongs entirely to `named` and you don't touch it.

>> Alternatively, with your current config you can update the zone using
>> https://dotat.at/prog/nsdiff/ like this:
>>
>>     nsdiff example.com master/example.com | nsupdate -l
>
> Where the second one of those is my example.com.signed file?

No, the unsigned file, as I said. `nsdiff` works out the differences between the current live version of example.com (which it fetches by AXFR) and the new version (on disk in `master/example.com`) and produces a script for `nsupdate` that will make the live (signed) version match. Your config says the live version is in `master/example.com.signed`. It works in a similar way to inline-signing mode, except you have more control over how changes propagate from the unsigned version to the signed one.

> Is nsdiff a separate package? It’s not on my FreeBSD 11.2 system with Bind
> 9.12

Get it from the link above, if you want :-)

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Portland, Plymouth, Biscay, East Fitzroy: Southeasterly 4 or 5, occasionally 6 in Plymouth and Fitzroy, becoming variable 3 or 4 later. Moderate or rough, occasionally very rough except in Portland. Fair, but rain in Fitzroy. Good, occasionally poor.
Re: Freeze/thaw and signed zone files
On 22 Feb 2019, at 09:54, Tony Finch wrote:
> You might want a config like
>
>     zone "example.com" {
>         type master;
>         file "master/example.com";

Not example.com.signed?

>         update-policy local;
>         auto-dnssec maintain;
>         inline-signing yes;
>     };
>
> Alternatively, with your current config you can update the zone using
> https://dotat.at/prog/nsdiff/ like this:
>
>     nsdiff example.com master/example.com | nsupdate -l

Where the second one of those is my example.com.signed file?

Is nsdiff a separate package? It’s not on my FreeBSD 11.2 system with Bind 9.12

-- 
Well boys, we got three engines out, we got more holes in us than a horse trader's mule, the radio is gone and we're leaking fuel and if we was flying any lower why we'd need sleigh bells on this thing... but we got one little budge on those Roosskies. At this height why they might harpoon us but they dang sure ain't gonna spot us on no radar screen!
Re: Freeze/thaw and signed zone files
@lbutlr wrote:
>
> Nope, now the .signed file isn’t touched at all after the zone file is edited.
>
>     zone "example.com" {
>         type master;
>         file "master/example.com.signed";
>         update-policy local;
>         auto-dnssec maintain;
>     };

It sounds to me like you are expecting it to work in inline-signing mode, but you have not configured it that way. With the configuration above, `named` will never read or write to the unsigned zone.

You might want a config like

    zone "example.com" {
        type master;
        file "master/example.com";
        update-policy local;
        auto-dnssec maintain;
        inline-signing yes;
    };

Alternatively, with your current config you can update the zone using https://dotat.at/prog/nsdiff/ like this:

    nsdiff example.com master/example.com | nsupdate -l

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Portland, Plymouth, Biscay, East Fitzroy: Southeasterly 4 or 5, occasionally 6 in Plymouth and Fitzroy, becoming variable 3 or 4 later. Moderate or rough, occasionally very rough except in Portland. Fair, but rain in Fitzroy. Good, occasionally poor.
Re: Freeze/thaw and signed zone files
Grant Taylor via bind-users wrote:
>
> I'm sorry. I gave you the wrong command. You want "sync", not "flush".

You don't need to sync as well as freeze: `rndc freeze` also syncs the zone.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Faeroes, Southeast Iceland: Southerly, veering southwesterly, 7 to severe gale 9, perhaps storm 10 later in Southeast Iceland. Very rough or high. Rain. Moderate, occasionally poor.
Re: Freeze/thaw and signed zone files
On 21 Feb 2019, at 20:43, Grant Taylor via bind-users wrote:
>
> On 2/21/19 6:28 PM, @lbutlr wrote:
>> rndc reload did not recreate (or at least update the time stamp) on the
>> .signed file.
>
> Hum. Maybe it's something different about how you're doing DNSSEC than I am.
>
> I have BIND managing DNSSEC for me via "auto-dnssec maintain;". So I don't
> get .signed files.

The .signed files were created when I first signed the zones with dnssec-signzone, which is what gave me the dsset file containing the information I needed to add DNSSEC to my domain's registrar.

    dnssec-signzone -3 $(head -c 1000 /dev/random | shasum | cut -b 1-16) -A -N INCREMENT -o ZONE -t ZONEFILE

I was assuming, perhaps wrongly, that these .signed files continue to be required, as they were placed alongside the regular zone files.

> I was just able to do the following:
>
>     rndc freeze $ZONE
>     rndc sync -clean $ZONE
>     $EDITOR $ZONEFILE
>     rndc thaw $ZONE
>     rndc sign $ZONE
>
> I did have to manually do the "rndc sign" for DNSViz to be happy with the new
> test entry. I don't know if that's expected or not.

Overnight, many of my zones have new zone.signed.jnl files.

> Does your actual zone file have the DNSSEC records in it? That's where mine
> are. I don't have a separate unsigned zone file.

I have three files for each zone:

example.com (less than 2K, unsigned, no DNSSEC info, contains $INCLUDE lines at the end for the two public keys)
example.com.signed (12K, all the DNSSEC info)
example.com.signed.jnl (created by bind, about double the size of .signed, and a binary file). This file is updated when I issue the rndc sign ZONE command.

> I believe so. Do you have a "managed-keys-directory" entry in your
> named.conf file? (I do. My .key and .private files are in the specified
> directory.)

My private files are in that directory; I have the public ones in both the directory and the master/ directory, which is what seems to be needed (probably because of the include statement).

In named.conf I have

    zone "example.com" {
        type master;
        file "master/example.com.signed";
        update-policy local;
        auto-dnssec maintain;
    };

-- 
"Alas, earwax."
Re: Freeze/thaw and signed zone files
On 2/21/19 6:28 PM, @lbutlr wrote:
> rndc reload did not recreate (or at least update the time stamp) on the
> .signed file.

Hum. Maybe it's something different about how you're doing DNSSEC than I am.

I have BIND managing DNSSEC for me via "auto-dnssec maintain;". So I don't get .signed files.

I was just able to do the following:

    rndc freeze $ZONE
    rndc sync -clean $ZONE
    $EDITOR $ZONEFILE
    rndc thaw $ZONE
    rndc sign $ZONE

I did have to manually do the "rndc sign" for DNSViz to be happy with the new test entry. I don't know if that's expected or not.

> But at no point do I get the new subdomains I added to the zone added to
> the zone.signed

The new record showed up exactly as expected. Granted, I only added an A record and didn't create a new sub-domain.

> I’ll try sync clean and see if I get further.
>
> Nope, now the .signed file isn’t touched at all after the zone file is
> edited.
>
>     zone "example.com" {
>         type master;
>         file "master/example.com.signed";
>         update-policy local;
>         auto-dnssec maintain;
>     };

I don't have .signed files.

> So I am still with a zone file that contains two subdomains that are not
> represented in the .signed zone file, so do not load and nothing that I do
> seems to be able to recreate the .signed file with the correct information.

Does your actual zone file have the DNSSEC records in it? That's where mine are. I don't have a separate unsigned zone file.

> Is the original random key that was generated at the time of signing kept
> somewhere? NSEC3 seems to contain a 16 character hex string that recurs
> throughout the file.

I believe so. Do you have a "managed-keys-directory" entry in your named.conf file? (I do. My .key and .private files are in the specified directory.)

-- 
Grant. . . .
unix || die
Re: Freeze/thaw and signed zone files
On 21 Feb 2019, at 18:28, @lbutlr wrote:
> Is the original random key that was generated at the time of signing kept
> somewhere? NSEC3 seems to contain a 16 character hex string that recurs
> throughout the file.

OK, I moved aside the signed file, resigned the domain using the 16 character string I found repeated in the original .signed file, and the dsset file contained the same strings, and the signed file was created anew and it contains the new subdomains. So, that immediate problem is solved.

First instance is on the NSEC3PARAM param line, so

    awk '/NSEC3PARAM 1/{ print $NF}' zone.signed

-- 
people didn't seem to be able to remember what it was like with the elves around. Life was certainly more interesting then, but usually because it was shorter. And it was more colourful, if you liked the colour of blood. --Lords and Ladies
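The post above recovers the NSEC3 salt from the published .signed file by hand so that the re-sign keeps the same NSEC3 parameters. The shell below is an added example and not the poster's command: it finds the NSEC3PARAM record by field name rather than by position (so it works whether or not the TTL and class are written), skips the RRSIG that covers the record, accepts the presentation-format "-" that means "no salt", and rejects anything that is not hex. The function names, the constructed zone fragment (including its key tag and signature placeholder), and the resign_keep_nsec3 wrapper are assumptions of this example; the wrapper reuses the -A and -N INCREMENT flags of the original dnssec-signzone command and adds -H for the iteration count.

```shell
#!/bin/sh
# Added example, not the poster's command. Re-signing with dnssec-signzone
# reuses the NSEC3 salt and iteration count the zone was originally signed
# with, which the post above does by hand. The one-liner there takes the
# last field of the NSEC3PARAM line; this version finds the record by field
# name (so TTL and class may be present or not), skips the RRSIG that covers
# it, accepts the "-" that means "no salt", and rejects non-hex values.

# Print "hashalg flags iterations salt" from the NSEC3PARAM record in $1.
# Exit status 1 when there is none (unsigned or NSEC-signed zone).
nsec3_params() {
    awk '
        { sub(/;.*/, "") }
        {
            for (i = 1; i <= NF - 4; i++)
                if ($i == "NSEC3PARAM" && $(i - 1) != "RRSIG") {
                    print $(i + 1), $(i + 2), $(i + 3), $(i + 4)
                    found = 1
                    exit
                }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Print just the salt, in the form dnssec-signzone -3 expects.
nsec3_salt() {
    salt=$(nsec3_params "$1" | awk '{ print $4 }')
    [ -n "$salt" ] || return 1
    case "$salt" in
        -) printf '%s\n' "$salt" ;;                  # explicitly unsalted
        *[!0-9A-Fa-f]*) echo "unexpected salt: $salt" >&2; return 1 ;;
        *) printf '%s\n' "$salt" ;;
    esac
}

# Re-sign $2 (the unsigned file) for zone $1 with the NSEC3 parameters of
# $3 (the currently published .signed file). Same -A (opt-out) and
# -N INCREMENT as the original command; -H sets the iteration count.
# Not run by the test.
resign_keep_nsec3() {
    zone=$1
    unsigned=$2
    params=$(nsec3_params "$3") || return 1
    set -- $params
    dnssec-signzone -3 "$4" -H "$3" -A -N INCREMENT -o "$zone" -t "$unsigned"
}

# Constructed fragment in dnssec-signzone output style, for the test.
# Key tag, hashed owner names and signature data are placeholders.
make_sample_signed_zone() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
; constructed example, not a real signed zone
example.com.	0	IN	NSEC3PARAM 1 0 10 0123456789ABCDEF
example.com.	0	IN	RRSIG	NSEC3PARAM 8 2 0 20190323000000 20190221000000 12345 example.com. SIGNATUREDATA
HASHEDOWNER.example.com.	3600	IN	NSEC3 1 0 10 0123456789ABCDEF NEXTHASHEDOWNER A RRSIG
EOF
    printf '%s\n' "$f"
}
```

Usage: `resign_keep_nsec3 example.com master/example.com master/example.com.signed` runs the same kind of signing command as the original post, but with the salt and iteration count read from the live .signed file instead of a fresh random value.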
Re: Freeze/thaw and signed zone files
>> OK, but rndc flush example.com results in:
>> rndc: 'flush' failed: not found
>
> *FACEpalm*
>
> I'm sorry. I gave you the wrong command. You want "sync", not "flush". My
> brain always thinks "flush the journal to disk" when it's really supposed to
> be "sync the journal to disk". You can pass the optional "-clean" command to
> cause BIND to remove the synced journal file.
>
> "flush" is flushing caches, and you can optionally specify a view. I'm
> guessing that you don't have a view named "example.com".
>
>> Then service named stop, service named start.
>
> When you use the proper commands, you don't need to restart the named
> service. You can also use rndc reload without needing to restart the named
> service.

rndc reload did not recreate (or at least update the time stamp) on the .signed file.

But at no point do I get the new subdomains I added to the zone added to the zone.signed

I’ll try sync clean and see if I get further.

Nope, now the .signed file isn’t touched at all after the zone file is edited.

    zone "example.com" {
        type master;
        file "master/example.com.signed";
        update-policy local;
        auto-dnssec maintain;
    };

So I am still with a zone file that contains two subdomains that are not represented in the .signed zone file, so do not load, and nothing that I do seems to be able to recreate the .signed file with the correct information.

Is the original random key that was generated at the time of signing kept somewhere? NSEC3 seems to contain a 16 character hex string that recurs throughout the file.

-- 
all your snowflakes are urine and you can't even find the cat
Re: Freeze/thaw and signed zone files
On 02/21/2019 02:03 PM, @lbutlr via bind-users wrote:
> OK, but rndc flush example.com results in:
> rndc: 'flush' failed: not found

*FACEpalm*

I'm sorry. I gave you the wrong command. You want "sync", not "flush". My brain always thinks "flush the journal to disk" when it's really supposed to be "sync the journal to disk". You can pass the optional "-clean" command to cause BIND to remove the synced journal file.

"flush" is flushing caches, and you can optionally specify a view. I'm guessing that you don't have a view named "example.com".

> Then service named stop, service named start.

When you use the proper commands, you don't need to restart the named service. You can also use rndc reload without needing to restart the named service.

-- 
Grant. . . .
unix || die
Re: Freeze/thaw and signed zone files
On 22/02/2019 07:03, @lbutlr via bind-users wrote:
>> I don't recall if reloading or thawing will automatically re-sign the zone
>> or if you need to also explicitly "rndc sign $ZONE".
>
> Sign recreates the .jnl file, but doesn't touch the .signed file.
>
> Doing the following recreated the .signed file, but still didn't add the new
> subdomains.
>
> Freeze, flush, edit, thaw,
>
> Then service named stop, service named start.

freeze, edit, thaw, rndc reload is all that's needed

-- 
Kind Regards,
Noel Butler
Re: Freeze/thaw and signed zone files
On 21 Feb 2019, at 13:41, Grant Taylor via bind-users wrote:
> On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
>> I edited a zone file after issuing a rndc freeze command, added two new sub
>> zones, changed the serial number, saved the file, and then did an rndc thaw.
>
> I don't see an "rndc flush" in there.

OK, but rndc flush example.com results in:

    rndc: 'flush' failed: not found

>     rndc freeze $ZONE
>     rndc flush $ZONE
>     $EDITOR $ZONE
>     rndc thaw $ZONE

Other than the flush, that is what I did.

> I don't recall if reloading or thawing will automatically re-sign the zone or
> if you need to also explicitly "rndc sign $ZONE".

Sign recreates the .jnl file, but doesn’t touch the .signed file.

Doing the following recreated the .signed file, but still didn’t add the new subdomains.

Freeze, flush, edit, thaw,

Then service named stop, service named start.

Had a previous subdomain gallery and it is listed in both the zone file and the signed file

    Zone:        gallery CNAME www
    zone.signed: gallery CNAME www

Added a new sub zone, cam

    Zone:        cam CNAME www
    zone.signed:

This matches up with the results from dig.

So, now I do have a .signed file that has the serial number updated to match the zone file, but still doesn’t contain the new sub zones.

So, I did the whole dance again. Freeze, flush, edit (change serial, add another subdomain), thaw, stop/start. Nothing. But the time stamp on the .signed file changes.

And I misspoke earlier, the serial number in the signed file’s SOA didn’t change, but the serial numbers/dates in the RRSIG did update.

-- 
This wasn't a proper land. The sky was blue, not flaming with all the colours of the aurora. And time was passing. To a creature not born subject to time, it was a sensation not unakin to falling. --Lords and Ladies
Re: Freeze/thaw and signed zone files
On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
> I edited a zone file after issuing a rndc freeze command, added two new sub
> zones, changed the serial number, saved the file, and then did an rndc thaw.

I don't see an "rndc flush" in there. Which means that BIND likely still has the journal of the zone. And BIND prefers the journal over the actual textual representation of the zone.

>     zone serial (2019020105) unchanged. zone may fail to transfer to slaves.
>
> which is the previous serial number.

I would expect this if you edited the zone file and the journal file wasn't flushed.

> So, I tried to move the .signed file aside, thinking maybe thaw might
> recreate it, But no, it complains the file doesn’t exist, so I put it back.

I don't think this is related to DNSSEC.

> Is it possible for me to edit the zone file (as in with vim) and have bind
> update, or do I have to do everything through nsupdate and never access the
> zone files directly?

Yes, it is certainly possible to edit zone files outside of BIND's control.

    rndc freeze $ZONE
    rndc flush $ZONE
    $EDITOR $ZONE
    rndc thaw $ZONE

I don't recall if reloading or thawing will automatically re-sign the zone or if you need to also explicitly "rndc sign $ZONE".

> At this point, how do I get the zone updated?

Use the method above, or some sort of dynamic update.

> If I try to dig for the new subdomains that are in the zone, they do not
> resolve, and all the information in DNS is the information that was there on
> 21090201.

That sounds like the old contents of the zone which are still in the journal file.

> I am currently updating to bind912-9.12.3P1_3 to see if anything changes.

I don't think changing the BIND version will change anything.

-- 
Grant. . . .
unix || die
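The freeze, edit, thaw sequence above, as an added shell example that is not the thread's own commands, wrapped in functions that also guard against the failure the original post reports: named logs "zone serial (...) unchanged" when the edited file's serial is not greater than the one it already serves, so the wrapper reads the serial before and after the edit, bumps it when the editor did not, and refuses to thaw a file that named-checkzone rejects. It follows the note elsewhere in this thread that rndc freeze already syncs the journal, so no separate rndc sync is issued. The function names, the YYYYMMDDnn serial convention and the constructed sample zone are assumptions of this example; only edit_frozen_zone calls rndc and named-checkzone, so the helpers run on any plain zone file.

```shell
#!/bin/sh
# Added example, not commands from the thread: the freeze / edit / thaw
# sequence with a guard for the failure the original post reports.
# named logs "zone serial (...) unchanged" when the edited file's serial is
# not greater than the one it already serves, and secondaries then never
# transfer the change. edit_frozen_zone() reads the serial before and after
# the edit, bumps it if the editor did not, checks the file loads, and only
# then thaws. rndc and named-checkzone are called only from that function,
# so the helpers can be exercised on any plain zone file.

# Print the SOA serial of a zone file in master-file format. Strips ";"
# comments and handles the usual multi-line SOA written with parentheses:
# the serial is the third token after "SOA" (after MNAME and RNAME).
zone_serial() {
    awk '
        { sub(/;.*/, ""); gsub(/[()]/, " ") }
        {
            for (i = 1; i <= NF; i++) {
                if (!insoa && $i == "SOA") { insoa = 1; n = 0; continue }
                if (insoa && ++n == 3) { print $i; exit }
            }
        }' "$1"
}

# Next serial in the YYYYMMDDnn convention: a fresh counter for today, or
# current+1 when today's block is already in use (or the current value is
# larger than any date, e.g. a unix-time serial). Any strictly larger value
# satisfies named; the date form only helps humans reading the file.
next_serial() {
    cur=$1
    today=${2:-$(date -u +%Y%m%d)}
    base=$((today * 100))
    if [ "$((cur < base))" = 1 ]; then
        echo "$base"
    else
        echo "$((cur + 1))"
    fi
}

# Replace the first whitespace-delimited token equal to $2 with $3 in file $1,
# keeping the line's indentation (awk rebuilds a line when a field is set).
set_serial() {
    tmp=$(mktemp) || return 1
    awk -v old="$2" -v new="$3" '
        !done {
            for (i = 1; i <= NF; i++) {
                if ($i == old) {
                    match($0, /^[ \t]*/); lead = substr($0, 1, RLENGTH)
                    $i = new
                    $0 = lead $0
                    done = 1
                    break
                }
            }
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Freeze, edit, validate, bump the serial if needed, thaw. rndc freeze
# already syncs the journal into the file, as noted elsewhere in this
# thread, so no separate "rndc sync" is needed. Not run by the test.
edit_frozen_zone() {
    zone=$1
    file=$2
    rndc freeze "$zone" || return 1
    before=$(zone_serial "$file")
    "${EDITOR:-vi}" "$file"
    after=$(zone_serial "$file")
    if [ -z "$after" ]; then
        echo "no SOA serial found in $file; zone left frozen" >&2
        return 1
    fi
    if [ "$((after <= before))" = 1 ]; then
        set_serial "$file" "$after" "$(next_serial "$before")"
    fi
    if ! named-checkzone "$zone" "$file" >/dev/null; then
        echo "$file does not load; zone left frozen, fix it and run: rndc thaw $zone" >&2
        return 1
    fi
    rndc thaw "$zone"
}

# Constructed sample zone for the test below (not real data).
make_sample_zone() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
$TTL 86400
@   IN  SOA ns1.example.net. admin.example.com. (
            2019020105 ; serial
            3600 300 1209600 3600 )
    IN  NS  ns1.example.net.
www IN  A   192.0.2.10
EOF
    printf '%s\n' "$f"
}
```

Usage: `edit_frozen_zone example.com master/example.com` on the primary. With the inline-signing configuration suggested later in this thread, the file edited is the unsigned one and named re-signs on thaw; with signing done by hand, the same serial guard applies before the re-sign step.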
Freeze/thaw and signed zone files
I edited a zone file after issuing a rndc freeze command, added two new sub zones, changed the serial number, saved the file, and then did an rndc thaw.

In /var/log/messages I get

    zone serial (2019020105) unchanged. zone may fail to transfer to slaves.

which is the previous serial number.

So, I tried to move the .signed file aside, thinking maybe thaw might recreate it, But no, it complains the file doesn’t exist, so I put it back.

Is it possible for me to edit the zone file (as in with vim) and have bind update, or do I have to do everything through nsupdate and never access the zone files directly?

At this point, how do I get the zone updated?

If I try to dig for the new subdomains that are in the zone, they do not resolve, and all the information in DNS is the information that was there on 21090201.

I am currently updating to bind912-9.12.3P1_3 to see if anything changes.

-- 
If you think that Mick Jagger will still be doing the whole rock star thing at age fifty, well, then, you are sorely, sorely mistaken.