Re: Is it possible to move a zone between catalogs on the same secondary? It is.

2023-05-02 Thread Aram Sargsyan

> Wondering out loud:
> Maybe it should skip loading that particular member zone if the "coo" 
> property already points to a different catalog? Would that be more 
> resilient against race conditions when named is restarted?

That's an interesting suggestion, and I agree that it can solve the race 
between the two catalog zones in that particular case, but I think it should be 
acceptable for the operator that a member zone, which is in transition from 
catz1 to catz2, can be served by either of the catalog zones until the 
transition is over and the entry with its "coo" property is removed from 
catz1. Skipping the loading of a member zone based only on the existence of a 
"coo" property can potentially leave the zone unloaded if it has not yet been 
added to the successor catalog zone. I.e., the "coo" property can be added to 
the old catalog zone in preparation, for example, hours before the member zone 
is added to the new catalog zone. 
  
Aram 
 
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Is it possible to move a zone between catalogs on the same secondary? It is.

2023-05-02 Thread Petr Špaček

On 30. 04. 23 13:04, Aram Sargsyan wrote:
> Hello, Jan-Piet,
> 
>> however, when I stop and restart the consumer server, I have 
>> sometimes (not always) seen
>>
>> catz: catz_addmodzone_cb: zone 'z10.aa' will not be added because 
>> another catalog zone already contains an entry with that zone
>>
>> which is true, but it doesn't _seem_ to cause issues.
> 
> That's just working as designed. If a member zone exists in both catz1 
> and catz2 catalog zones, and catz1 has a defined "coo" change of 
> ownership property allowing a given member zone to be transferred to 
> catz2, then there are two scenarios when a catalog zone consumer starts up:
> 
> 1. It loads the member zone from catz1 first, then it sees the member 
> zone exists also in catz2, and the "coo" property allows that, then the 
> zone will be transferred from catz1 to catz2.
> 
> 2. It loads the member zone from catz2 first, then it sees the member 
> zone exists also in catz1, and there is no "coo" property allowing it to 
> transfer from catz2 to catz1, so it emits the log message that you have 
> seen, and continues serving the member zone from catz2.
> 
> That's why it's recommended to remove the transferred member zone from 
> catz1, once it is established that all the consumers have successfully 
> processed the change of ownership operation.


Wondering out loud:
Maybe it should skip loading that particular member zone if the "coo" 
property already points to a different catalog? Would that be more 
resilient against race conditions when named is restarted?


--
Petr Špaček
Internet Systems Consortium


Re: Is it possible to move a zone between catalogs on the same secondary? It is.

2023-04-30 Thread Aram Sargsyan

Hello, Jan-Piet, 
  
> however, when I stop and restart the consumer server, I have sometimes (not 
> always) seen 
> 
> catz: catz_addmodzone_cb: zone 'z10.aa' will not be added because another 
> catalog zone already contains an entry with that zone 
>
>which is true, but it doesn't _seem_ to cause issues. 

That's just working as designed. If a member zone exists in both catz1 and 
catz2 catalog zones, and catz1 has a defined "coo" change of ownership property 
allowing a given member zone to be transferred to catz2, then there are two 
scenarios when a catalog zone consumer starts up: 
  
1. It loads the member zone from catz1 first, then it sees the member zone 
exists also in catz2, and the "coo" property allows that, then the zone will be 
transferred from catz1 to catz2. 
  
2. It loads the member zone from catz2 first, then it sees the member zone 
exists also in catz1, and there is no "coo" property allowing it to transfer 
from catz2 to catz1, so it emits the log message that you have seen, and 
continues serving the member zone from catz2. 
  
That's why it's recommended to remove the transferred member zone from catz1, 
once it is established that all the consumers have successfully processed the 
change of ownership operation. 
  
Aram 
 


Re: Is it possible to move a zone between catalogs on the same secondary? It is.

2023-04-21 Thread Jan-Piet Mens
> And yes, you can automate this with nsupdate to old and new catalog, 


Brilliant, Petr, thank you.

I saw some of the loveliest log messages this week during coo from k-catz to
t-catz:

zone t-catz/IN: transferred serial 10: TSIG 't'
catz: t-catz: reload start
catz: updating catalog zone 't-catz' with serial 10
catz: deleting zone 'z10.aa' from catalog 'k-catz' - success
catz: adding zone 'z10.aa' from catalog 't-catz' - success
catz: t-catz: reload done: success
catz: catz_delzone_cb: zone 'z10.aa' deleted
zone z10.aa/IN: Transfer started.
zone z10.aa/IN: transferred serial 1: TSIG 't'

The spec says:

"The old owner may remove the member zone containing the coo property
 from $OLDCATZ once it has been established that all its consumers have
 processed the Change of Ownership."

however, when I stop and restart the consumer server, I have sometimes (not 
always) seen

catz: catz_addmodzone_cb: zone 'z10.aa' will not be added because 
another catalog zone already contains an entry with that zone

which is true, but it doesn't _seem_ to cause issues.

Once I remove the offending zone from the 'giving' catalog, the diagnostic
doesn't reappear.

All this is with today's git version.

Best regards,

-JP


Re: Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-21 Thread Havard Eidnes via bind-users
Hi,

a partial response:

> If it's possible, can anyone confirm zone transfers from master
> to slave would still work even if the servers ran different
> major versions?

Yes, "of course", because the details of that transfer are
specified by the DNS protocol standards.

Regards,

- Håvard


Re: Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-21 Thread Saleck
Hi,

thank you Ondřej and Stacy, we'll start testing next week.

Kind regards,
David Bruha

On Friday 21 April 2023 10:03:26 CEST, Ondřej Surý wrote:
> Hi,
> 
> I can confirm that it’s ok to skip 9.16 and go straight to 9.18. There’s no
> need for the intermediate step. As usual, it’s recommended to do a test
> migration first if you want to be extra careful.
> 
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
> 
> My working hours and your working hours may be different. Please do not feel
> obligated to reply outside your normal working hours.
> > On 21. 4. 2023, at 9:41, Stacey Marshall wrote:
> > 
> > 
> > If it helps, my assessment was that one could skip 9.16 too.
> > 
> > I recognise that this is thanks to the hard effort that ISC work to
> > provide backward compatibility, and not by some accident.
> > 
> > On Solaris 11.4 current shipping versions of BIND are
> > 
> > $ pkg list -fa service/network/dns/bind
> > NAME (PUBLISHER) VERSION IFO
> > service/network/dns/bind 9.18.11.0.0-11.4.55.0.1.138.1 ---
> > service/network/dns/bind 9.16.33.0.0-11.4.54.0.1.138.0 ---
> > service/network/dns/bind 9.16.33.0.0-11.4.51.0.1.132.0 ---
> > service/network/dns/bind 9.16.33.0.0-11.4.50.0.1.126.2 ---
> > service/network/dns/bind 9.16.29.0.0-11.4.48.0.1.126.0 ---
> > service/network/dns/bind 9.11.37.0.0-11.4.45.0.1.119.0 ---
> > service/network/dns/bind 9.11.36.0.0-11.4.42.0.1.113.0 ---
> > ...
> > 
> > 
> > It is possible to update from Solaris 11.4.45.0.1.119.0 to
> > 11.4.55.0.1.138.1 and thereby skip 9.16 altogether.
> > 
> > Regards,
> > 
> > Stacey
> > 
> > * 9.18.11 uses OpenSSL v3
> > 
> > On 20 Apr 2023, at 17:26, Saleck wrote:
> > 
> > Hi,
> > 
> > we are currently running several bind 9.11 servers on Debian buster
> > machines. We would like to upgrade and wonder if we could skip version
> > 9.16 altogether or if it's a necessary middle step.
> > 
> > We have read both
> > 
> > https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-911-to-916
> > 
> > and
> > 
> > https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-t
> > o-918
> > 
> > and it looks like there should be nothing that would break (we use only
> > text and raw zone file types) if we did the direct 9.11 to 9.18 upgrade.
> > But better be safe than sorry. Therefore we are seeking advice. ;)
> > 
> > If it's possible, can anyone confirm zone transfers from master to slave
> > would still work even if the servers ran different major versions? I know
> > we won't be able to use TLS until both servers would run 9.18 but would
> > the regular transfers still work?
> > 
> > It would help us a great deal if anyone could confirm this or (and) warn
> > us if there is something that we are missing in our assessment.
> > 
> > Kind regards,
> > David Bruha






Re: Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-21 Thread Ondřej Surý
Hi,

I can confirm that it’s ok to skip 9.16 and go straight to 9.18. There’s no 
need for the intermediate step. As usual, it’s recommended to do a test 
migration first if you want to be extra careful.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 21. 4. 2023, at 9:41, Stacey Marshall  wrote:
> 
> 
> If it helps, my assessment was that one could skip 9.16 too.
> 
> I recognise that this is thanks to the hard effort that ISC work to provide 
> backward compatibility, and not by some accident.
> 
> On Solaris 11.4 current shipping versions of BIND are
> 
> $ pkg list -fa service/network/dns/bind 
> NAME (PUBLISHER) VERSION IFO 
> service/network/dns/bind 9.18.11.0.0-11.4.55.0.1.138.1 --- 
> service/network/dns/bind 9.16.33.0.0-11.4.54.0.1.138.0 --- 
> service/network/dns/bind 9.16.33.0.0-11.4.51.0.1.132.0 --- 
> service/network/dns/bind 9.16.33.0.0-11.4.50.0.1.126.2 --- 
> service/network/dns/bind 9.16.29.0.0-11.4.48.0.1.126.0 --- 
> service/network/dns/bind 9.11.37.0.0-11.4.45.0.1.119.0 --- 
> service/network/dns/bind 9.11.36.0.0-11.4.42.0.1.113.0 --- 
> ...
> 
> 
> It is possible to update from Solaris 11.4.45.0.1.119.0 to 11.4.55.0.1.138.1 
> and thereby skip 9.16 altogether.
> 
> Regards,
> 
> Stacey
> 
> * 9.18.11 uses OpenSSL v3
> 
> On 20 Apr 2023, at 17:26, Saleck wrote:
> 
> Hi,
> 
> we are currently running several bind 9.11 servers on Debian buster machines. 
> We would like to upgrade and wonder if we could skip version 9.16 altogether 
> or if it's a necessary middle step.
> 
> We have read both
> 
> https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-911-to-916
> 
> and
> 
> https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918
> 
> and it looks like there should be nothing that would break (we use only text 
> and raw zone file types) if we did the direct 9.11 to 9.18 upgrade. But 
> better be safe than sorry. Therefore we are seeking advice. ;)
> 
> If it's possible, can anyone confirm zone transfers from master to slave 
> would still work even if the servers ran different major versions? I know we 
> won't be able to use TLS until both servers would run 9.18 but would the 
> regular transfers still work?
> 
> It would help us a great deal if anyone could confirm this or (and) warn us 
> if there is something that we are missing in our assessment.
> 
> Kind regards,
> David Bruha


Re: Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-21 Thread Stacey Marshall

If it helps, my assessment was that one could skip 9.16 too.

I recognise that this is thanks to the hard effort that ISC work to 
provide backward compatibility, and not by some accident.


On Solaris 11.4 current shipping versions of BIND are

$ pkg list -fa service/network/dns/bind
NAME (PUBLISHER)            VERSION                        IFO
service/network/dns/bind    9.18.11.0.0-11.4.55.0.1.138.1  ---
service/network/dns/bind    9.16.33.0.0-11.4.54.0.1.138.0  ---
service/network/dns/bind    9.16.33.0.0-11.4.51.0.1.132.0  ---
service/network/dns/bind    9.16.33.0.0-11.4.50.0.1.126.2  ---
service/network/dns/bind    9.16.29.0.0-11.4.48.0.1.126.0  ---
service/network/dns/bind    9.11.37.0.0-11.4.45.0.1.119.0  ---
service/network/dns/bind    9.11.36.0.0-11.4.42.0.1.113.0  ---
...


It is possible to update from Solaris 11.4.45.0.1.119.0 to 
11.4.55.0.1.138.1 and thereby skip 9.16 altogether.


Regards,

Stacey

* 9.18.11 uses OpenSSL v3

On 20 Apr 2023, at 17:26, Saleck wrote:

> Hi,
> 
> we are currently running several bind 9.11 servers on Debian buster 
> machines. We would like to upgrade and wonder if we could skip version 
> 9.16 altogether or if it's a necessary middle step.
> 
> We have read both
> 
> https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-911-to-916
> 
> and
> 
> https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918
> 
> and it looks like there should be nothing that would break (we use 
> only text and raw zone file types) if we did the direct 9.11 to 9.18 
> upgrade. But better be safe than sorry. Therefore we are seeking advice. ;)
> 
> If it's possible, can anyone confirm zone transfers from master to 
> slave would still work even if the servers ran different major 
> versions? I know we won't be able to use TLS until both servers would 
> run 9.18 but would the regular transfers still work?
> 
> It would help us a great deal if anyone could confirm this or (and) 
> warn us if there is something that we are missing in our assessment.
> 
> Kind regards,
> David Bruha





Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-20 Thread Saleck
Hi,

we are currently running several bind 9.11 servers on Debian buster machines. 
We would like to upgrade and wonder if we could skip version 9.16 altogether 
or if it's a necessary middle step.

We have read both

https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-911-to-916

and

https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918

and it looks like there should be nothing that would break (we use only text 
and raw zone file types) if we did the direct 9.11 to 9.18 upgrade. But better 
be safe than sorry. Therefore we are seeking advice. ;)

If it's possible, can anyone confirm zone transfers from master to slave would 
still work even if the servers ran different major versions? I know we won't be 
able to use TLS until both servers would run 9.18 but would the regular 
transfers still work?

It would help us a great deal if anyone could confirm this or (and) warn us if 
there is something that we are missing in our assessment.

Kind regards,
David Bruha




Re: Is it possible to move a zone between catalogs on the same secondary?

2023-04-20 Thread Petr Špaček

On 19. 04. 23 19:23, Jan-Piet Mens wrote:
>> Any ideas?
> 
> is this the point at which I confess I've only now read about Change of
> Ownership (coo) [1]?

Indeed. Chapter
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-catalog-zones#name-change-of-ownership-coo-pro
has an example of how the process is supposed to work.

And yes, you can automate this with nsupdate to old and new catalog, 
just beware that you need to wait until the change is propagated to all 
secondaries before moving on. (AFAIK order of operations is important, 
do it exactly as specified.)

HTH.

Petr Špaček
Internet Systems Consortium

> -JP
> 
> [1] 
> https://bind9.readthedocs.io/en/latest/chapter6.html#change-of-ownership-coo

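
The three nsupdate steps that Petr's reply and the draft describe, written out
as an added example (not code from BIND, from the draft, or from any poster in
this thread). The catalog names k-catz and t-catz, the member zone z10.aa, the
producer address 192.0.2.53 and the TSIG key file path are placeholders, and
the unique-label scheme is an assumption. The functions return the nsupdate
batches as text so the sequence can be reviewed before anything is sent;
send_batch() hands one batch to nsupdate -k, and catalog_serial() together
with all_consumers_at() is the "wait until it has propagated" check between
the steps.

```python
"""Change of ownership (coo) of a catalog-zone member, as nsupdate batches.

Added example for this thread, not code from BIND or from any poster.
Assumptions (placeholders, not from the thread): the old catalog is k-catz,
the new one t-catz, the member zone z10.aa, the producer is 192.0.2.53 and
updates are signed with the TSIG key in /etc/bind/catz.key.
"""
import hashlib
import subprocess

TTL = 3600


def unique_label(member: str) -> str:
    """Per-member label under "zones.<catz>".

    A hash of the member name is a common choice (assumption). It is derived
    from the member name only, so it is the same in both catalogs; see RFC 9432
    section 5.4 for how consumers treat a label that differs between the two.
    """
    return hashlib.sha1(member.rstrip(".").lower().encode()).hexdigest()


def member_node(label: str, catz: str) -> str:
    return f"{label}.zones.{catz.rstrip('.')}."


def step1_announce_coo(old_catz: str, new_catz: str, member: str) -> str:
    """Step 1: in $OLDCATZ add coo.<label>.zones.$OLDCATZ PTR $NEWCATZ.

    Consumers now know the member may move to new_catz; nothing moves yet.
    """
    node = member_node(unique_label(member), old_catz)
    return "\n".join([
        f"zone {old_catz.rstrip('.')}.",
        f"update add coo.{node} {TTL} IN PTR {new_catz.rstrip('.')}.",
        "send",
    ])


def step2_add_to_new_catalog(new_catz: str, member: str) -> str:
    """Step 2 (only after step 1 reached every consumer): add member to $NEWCATZ.

    A consumer already serving the member from old_catz, and seeing the coo
    pointing at new_catz, deletes it from old_catz and re-adds it from
    new_catz (the "deleting zone ... adding zone ..." lines in the thread).
    """
    node = member_node(unique_label(member), new_catz)
    return "\n".join([
        f"zone {new_catz.rstrip('.')}.",
        f"update add {node} {TTL} IN PTR {member.rstrip('.')}.",
        "send",
    ])


def step3_remove_from_old_catalog(old_catz: str, member: str) -> str:
    """Step 3 (only after every consumer processed step 2): drop the old entry.

    Until this runs a restarted consumer may load the member from either
    catalog, which is the catz_addmodzone_cb message discussed above. Other
    property nodes under the label (e.g. primaries.<label>...) need their own
    delete lines.
    """
    node = member_node(unique_label(member), old_catz)
    return "\n".join([
        f"zone {old_catz.rstrip('.')}.",
        f"update delete coo.{node} PTR",
        f"update delete {node} PTR",
        "send",
    ])


def catalog_serial(server: str, catz: str) -> int:
    """SOA serial of the catalog zone as served by one consumer (via dig)."""
    out = subprocess.run(
        ["dig", "+short", f"@{server}", catz, "SOA"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    return int(out[2])


def all_consumers_at(serial: int, consumers, catz: str) -> bool:
    """True once every consumer serves the catalog at (at least) `serial`."""
    return all(catalog_serial(c, catz) >= serial for c in consumers)


def send_batch(batch: str, server: str, keyfile: str) -> None:
    """Hand one batch to nsupdate(1), signed with the TSIG key file."""
    subprocess.run(["nsupdate", "-k", keyfile],
                   input=f"server {server}\n{batch}\n", text=True, check=True)


if __name__ == "__main__":
    # Dry run: print the three batches in the order they must be applied.
    for batch in (step1_announce_coo("k-catz", "t-catz", "z10.aa"),
                  step2_add_to_new_catalog("t-catz", "z10.aa"),
                  step3_remove_from_old_catalog("k-catz", "z10.aa")):
        print(batch, end="\n\n")
```

Run it as a script to print the three batches in order. In real use, do not
send step 2 until all_consumers_at() is true for the catalog serial that step
1 produced, and not step 3 until the same holds for step 2's serial. Step 3 is
what makes the catz_addmodzone_cb message discussed above stop appearing after
a consumer restart.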


Re: Is it possible to move a zone between catalogs on the same secondary?

2023-04-19 Thread Jan-Piet Mens

> Any ideas?


is this the point at which I confess I've only now read about Change of
Ownership (coo) [1]?

-JP

[1] https://bind9.readthedocs.io/en/latest/chapter6.html#change-of-ownership-coo


Is it possible to move a zone between catalogs on the same secondary?

2023-04-19 Thread Jan-Piet Mens

I'm in the process of migrating a modest number of zones from one signer 
(OpenDNSSEC) to another (Knot-DNS). (The KSKs are identical so that should not 
be an issue for this question.)

Each of the signers has a catalog (manually maintained for ODS, automatically 
for Knot) which is transferred and consumed by BIND 9.18 secondaries; each of 
these has two catalog{} stanzas on each server.

The trouble I'm going to be running into is when a zone should move from catz-A 
to catz-B: in this case the zone must be removed from catz-A (whereupon it'll 
be deleted when the catalog is notified/transferred) and added to catz-B 
(whereupon it will be populated when the catalog is notified/transferred). 
During this (possibly quite short) time, the zone will not be available on the 
secondaries (REFUSED).

Is there a clever/elegant solution to this problem?

My first idea was to use the same zones-directory for each of the catalogs, but 
a) I don't know whether that's actually a supported configuration and b) it 
would likely not solve the issue because the catalog name is embedded in the 
__catz__...*.db zone filename.

Adding the zone to both catalogs won't work either (obviously) because the zone would 
"exist twice"; BIND catches that error and correctly logs it.

Any ideas? Bonus points if the solution can be automated. :)

Thank you,

-JP


Is it possible to do In-line Signing for local root zone

2020-04-12 Thread Mundile
I have a local (private) root domain domainX.example and the subdomains 
subdomainY.domainX.example and subdomainZ.domainX.example. Can I do a chain of 
trust if all zones are inline-signed like this:

zone "domainX.example" {
    type master;
    file "named.domainX.example";
    key-directory "/var/named/keys/zones";
    auto-dnssec maintain;
    inline-signing yes;
};

zone "subdomainY.domainX.example" {
    type master;
    file "named.subdomainY.domainX.example";
    key-directory "/var/named/keys/zones";
    auto-dnssec maintain;
    inline-signing yes;
};

zone "subdomainZ.domainX.example" {
    type master;
    file "named.subdomainZ.domainX.example";
    key-directory "/var/named/keys/zones";
    auto-dnssec maintain;
    inline-signing yes;
};

Or MUST domainX.example be manually signed?


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Is it possible to use nsupdate with EDNS0?

2019-01-17 Thread Dave Warren

On 2019-01-17 08:03, Fumiya Obatake wrote:

> Thank you for your reply.
> Since it seems very difficult to realize, I will consider other solutions.

The obvious solution would be to use TCP.


Re: Is it possible to use nsupdate with EDNS0?

2019-01-17 Thread Fumiya Obatake
Thank you for your reply.
Since it seems very difficult to realize, I will consider other solutions.

Sincerely,


Re: Is it possible to use nsupdate with EDNS0?

2019-01-16 Thread Mark Andrews



> On 17 Jan 2019, at 6:56 am, Mark Andrews  wrote:
> 
> While legal it is most definitely not a good idea. You first have to probe to 
> find out the EDNS buffer size. Then you may also need to deal with PMTUD 
> issues.  Then you need to deal with broken middle boxes and fragmentation. 
> Dealing with all of this is done at the application level. Add to that that TCP 
> still needs to be supported on the server anyway; there really is no point in 
> trying. 
> 
> Named does not attempt to send larger than 512 byte updates via UDP.  There 
> are no plans to do so.

s/named/nsupdate/

> -- 
> Mark Andrews
> 
>> On 17 Jan 2019, at 00:14, Fumiya Obatake  wrote:
>> 
>> Is it possible to use nsupdate with edns0?
>> 
>> Hello, all.
>> I have some questions about nsupdate.
>> 
>> I try to update a set of TXT records over 512 bytes in all by using
>> nsupdate without -v option, and it makes TCP connection automatically.
>> In RFC2136, `An update transaction may be carried in a UDP datagram,
>> if the request fits, or in a TCP connection (at the discretion of the
>> requestor).`, so I guess this behavior is due to the not fitting
>> request packet (since over 512 bytes).
>> But RFC6891, EDNS0, should be able to use over 512 bytes DNS message.
>> I think this is applicable to DNS update, but no one refers to it as
>> far as I can see.
>> 
>> My question is:
>> 1. Does it violate RFC2136 to use EDNS0 with DNS Update?
>> 2. If not, does BIND have any plan to implement nsupdate with EDNS0?
>> 3. Or, is any other solution to update over 512 bytes message by UDP?
>> 
>> Best regards,

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: Is it possible to use nsupdate with EDNS0?

2019-01-16 Thread Mark Andrews
While legal it is most definitely not a good idea. You first have to probe to 
find out the EDNS buffer size. Then you may also need to deal with PMTUD 
issues.  Then you need to deal with broken middle boxes and fragmentation. 
Dealing with all of this is done at the application level. Add to that that TCP 
still needs to be supported on the server anyway; there really is no point in 
trying. 

Named does not attempt to send larger than 512 byte updates via UDP.  There are 
no plans to do so. 
-- 
Mark Andrews

> On 17 Jan 2019, at 00:14, Fumiya Obatake  wrote:
> 
> Is it possible to use nsupdate with edns0?
> 
> Hello, all.
> I have some questions about nsupdate.
> 
> I try to update a set of TXT records over 512 bytes in all by using
> nsupdate without -v option, and it makes TCP connection automatically.
> In RFC2136, `An update transaction may be carried in a UDP datagram,
> if the request fits, or in a TCP connection (at the discretion of the
> requestor).`, so I guess this behavior is due to the not fitting
> request packet (since over 512 bytes).
> But RFC6891, EDNS0, should be able to use over 512 bytes DNS message.
> I think this is applicable to DNS update, but no one refers to it as
> far as I can see.
> 
> My question is:
> 1. Does it violate RFC2136 to use EDNS0 with DNS Update?
> 2. If not, does BIND have any plan to implement nsupdate with EDNS0?
> 3. Or, is any other solution to update over 512 bytes message by UDP?
> 
> Best regards,
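
Mark's point that an update larger than 512 bytes cannot go in a plain UDP
datagram, so nsupdate switches to TCP on its own, as an added example (my
code, not nsupdate's or BIND's). It encodes a minimal RFC 2136 UPDATE carrying
TXT records and reports which transport a 512-byte datagram limit allows. The
zone and owner names are placeholders; the encoder does no name compression
and adds no TSIG, so the length it reports is an upper bound on the unsigned
message nsupdate would build.

```python
"""Size an RFC 2136 UPDATE on the wire and decide UDP vs. TCP.

Added example for this thread, not nsupdate's code. The UPDATE is encoded
without name compression (an upper bound) and without a TSIG record. TXT
strings longer than 255 bytes are split into 255-byte <len><bytes> chunks,
as the TXT wire format requires.
"""
import struct

UDP_MAX = 512                 # RFC 1035 message limit without EDNS0
OPCODE_UPDATE = 5
TYPE_SOA, TYPE_TXT, CLASS_IN = 6, 16, 1


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a domain name: <len><label>... <0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def txt_rdata(text: str) -> bytes:
    """TXT RDATA: one or more <len><bytes> character-strings, each <= 255."""
    raw = text.encode("utf-8")
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks) or b"\x00"


def build_update(zone: str, adds, msg_id: int = 0) -> bytes:
    """UPDATE message adding TXT RRs: header, zone section, update section.

    `adds` is a list of (owner, ttl, text). The prerequisite and additional
    sections are empty, so a TSIG-signed message would be somewhat larger.
    """
    flags = OPCODE_UPDATE << 11                       # QR=0, opcode UPDATE
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, len(adds), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    update = b""
    for owner, ttl, text in adds:
        rdata = txt_rdata(text)
        update += (encode_name(owner)
                   + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata))
                   + rdata)
    return header + zone_section + update


def transport_for(message: bytes, udp_max: int = UDP_MAX) -> str:
    """'udp' if the message fits the datagram limit, otherwise 'tcp'.

    A larger udp_max models an EDNS0-advertised buffer size; nsupdate does not
    negotiate one (see the reply above), so keep the default for its behaviour.
    """
    return "udp" if len(message) <= udp_max else "tcp"


if __name__ == "__main__":
    small = build_update("example.com.", [("_acme.example.com.", 300, "hello")])
    big = build_update("example.com.",
                       [(f"r{i}.example.com.", 300, "x" * 300) for i in range(3)])
    print(len(small), transport_for(small))   # fits: udp
    print(len(big), transport_for(big))       # three 300-byte TXTs: tcp
```

The second case is the situation in the question: a handful of long TXT
records pushes the unsigned message well past 512 bytes, and only raising
the assumed datagram limit (the EDNS0 path nsupdate deliberately does not
take) would let it stay on UDP.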


Is it possible to use nsupdate with EDNS0?

2019-01-16 Thread Fumiya Obatake
Is it possible to use nsupdate with edns0?

Hello, all.
I have some questions about nsupdate.

I try to update a set of TXT records over 512 bytes in all by using
nsupdate without -v option, and it makes TCP connection automatically.
In RFC2136, `An update transaction may be carried in a UDP datagram,
if the request fits, or in a TCP connection (at the discretion of the
requestor).`, so I guess this behavior is due to the not fitting
request packet (since over 512 bytes).
But RFC6891, EDNS0, should be able to use over 512 bytes DNS message.
I think this is applicable to DNS update, but no one refers to it as
far as I can see.

My question is:
1. Does it violate RFC2136 to use EDNS0 with DNS Update?
2. If not, does BIND have any plan to implement nsupdate with EDNS0?
3. Or, is any other solution to update over 512 bytes message by UDP?

Best regards,


Re: [BIND] Re: Is it possible to...

2018-08-09 Thread Jim Popovitch via bind-users

On Fri, 2018-08-10 at 09:47 +1000, Mark Andrews wrote:
> > On 10 Aug 2018, at 5:46 am, Jim Popovitch via bind-users wrote:
> > 
> > 
> > Is it possible to...
> > 
> > 1) use text only zone files, and
> > 
> > 2) keep serials identical between those zone files and what is
> > published in DNS, and
> 
> That’s not even possible with manually edited files. There will
> always with every system be times when what is on disk does not
> match what is being published.  The world doesn’t allow for perfect
> synchronisation.  There will always be “edit, read” or “update,
> write”.
> 
> > 3) automatically handle signatures when adding new RRs, and
> > 
> > 4) not have any journal files.
> 
> Named is not designed to update zones without running the updates
> through a journal.  Flat files are really bad performance wise so
> we use a structured file (the journal) to record changes then write
> out the master file later when things are less time critical.
> 
> Even setting the delay between processing a update and starting to
> write the new master file to zero seconds will not achieve what you
> want.
> 
> UPDATE requires name servers to behave like a database.  Databases
> can’t behave like you are requesting.  You don’t go reading SQL
> database
> stores directly.
> 
> > Is all of that possible with a(ny)? recent version of Bind9?
> 
> No.
> 

Ok, and thank you for details.

-Jim P.




Re: Is it possible to...

2018-08-09 Thread Mark Andrews


> On 10 Aug 2018, at 5:46 am, Jim Popovitch via bind-users 
>  wrote:
> 
> Is it possible to...
> 
> 1) use text only zone files, and
> 
> 2) keep serials identical between those zone files and what is
> published in DNS, and

That’s not even possible with manually edited files. There will
always with every system be times when what is on disk does not
match what is being published.  The world doesn’t allow for perfect
synchronisation.  There will always be “edit, read” or “update, write”.

> 3) automatically handle signatures when adding new RRs, and
> 
> 4) not have any journal files.

Named is not designed to update zones without running the updates
through a journal.  Flat files are really bad performance wise so
we use a structured file (the journal) to record changes then write
out the master file later when things are less time critical.

Even setting the delay between processing a update and starting to
write the new master file to zero seconds will not achieve what you
want.

UPDATE requires name servers to behave like a database.  Databases
can’t behave like you are requesting.  You don’t go reading SQL database
stores directly.

> Is all of that possible with a(ny)? recent version of Bind9?

No.

> tia,
> 
> -Jim P.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Is it possible to...

2018-08-09 Thread Jim Popovitch via bind-users

Is it possible to...

1) use text only zone files, and

2) keep serials identical between those zone files and what is
published in DNS, and

3) automatically handle signatures when adding new RRs, and

4) not have any journal files.


Is all of that possible with a(ny)? recent version of Bind9?

tia,

-Jim P.


Re: Is it possible to filter (*.)wpad.* with RPZ?

2017-11-30 Thread Grant Taylor via bind-users

On 11/30/2017 12:04 AM, Daniel Stirnimann wrote:

I doubt you can use RPZ for that.


The testing that I did made me think that RPZ wouldn't be able to do it.

I wonder if Response Policy Service (DNSRPS) can do it.


We use https://dnsdist.org/ for that, our rule:

-- WPAD Name Collision Vulnerability
-- US-CERT TA16-144A. Redirect to landing page
addAction(RegexRule("^wpad\\."),SpoofAction("192.168.1.2", "2001:DB8::2"))


Thank you for the information.  I'll check that out.



--
Grant. . . .
unix || die




Re: Is it possible to filter (*.)wpad.* with RPZ?

2017-11-29 Thread Daniel Stirnimann
I doubt you can use RPZ for that.

We use https://dnsdist.org/ for that, our rule:

-- WPAD Name Collision Vulnerability
-- US-CERT TA16-144A. Redirect to landing page
addAction(RegexRule("^wpad\\."),SpoofAction("192.168.1.2", "2001:DB8::2"))

Daniel

On 29.11.17 19:12, Grant Taylor via bind-users wrote:
> Is it possible to filter (*.)wpad.* with RPZ?  Or do I need to look into 
> Response Policy Service and try to filter that way?
> 
> I've used RPZ for various different things over the years, but I don't 
> quite know how to match a wild card on the right hand side.
> 
> Context:  I'd like to prevent misconfigurations like the following and 
> I was hoping that RPZ could be utilized:
> 
> Link - Anybody else having issues with wpad.domain.name?
>   - 
> https://www.reddit.com/r/networking/comments/732r5n/anybody_else_having_issues_with_wpaddomainname/
> 
> Link - Alert (TA16-144A) WPAD Name Collision Vulnerability
>   - https://www.us-cert.gov/ncas/alerts/TA16-144A
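The dnsdist rule above matches the query name as a string, so "^wpad\." catches any name whose first label is wpad, whatever suffix follows. An RPZ QNAME trigger is a DNS owner name, and its only wildcard form is a leading "*." label, which is why the right-hand wildcard Grant asks about cannot be expressed in RPZ: each internal suffix needs its own trigger pair. The Python below is an editor's example added to this thread, not code from the thread, from dnsdist or from BIND; it models both kinds of match over constructed query names. The INTERNAL_SUFFIXES list and the sample names are assumptions.

```python
import re

# Constructed data for this example (not from the thread): the internal
# DNS suffixes whose "wpad" names should be caught.
INTERNAL_SUFFIXES = ["corp.example", "lab.example.net"]


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def rpz_triggers_for(suffixes):
    """RPZ QNAME triggers covering wpad.<suffix> and everything below it.

    RPZ owner names can carry a wildcard only as the leftmost label, so each
    suffix needs its own pair of triggers; there is no single trigger that
    means 'any name whose first label is wpad'."""
    triggers = []
    for s in suffixes:
        triggers.append(f"wpad.{s}")
        triggers.append(f"*.wpad.{s}")
    return triggers


def rpz_qname_match(qname, triggers):
    """Return the trigger an RPZ QNAME policy would apply to qname, or None.

    Models the two RPZ trigger forms: an exact owner name, and a '*.' owner
    that matches any name strictly below it."""
    q = _labels(qname)
    for t in triggers:
        tl = _labels(t)
        if tl[0] == "*":
            suffix = tl[1:]
            if len(q) > len(suffix) and q[-len(suffix):] == suffix:
                return t
        elif tl == q:
            return t
    return None


# The dnsdist rule from the thread, RegexRule("^wpad\\."), as a Python regex.
# DNS names are case-insensitive, so the match is made case-insensitive here.
WPAD_RE = re.compile(r"^wpad\.", re.IGNORECASE)


def regex_match(qname):
    """True when the first label of qname is 'wpad', whatever follows."""
    return WPAD_RE.search(qname) is not None


def classify(qnames, suffixes):
    """Map each query name to (caught_by_rpz, caught_by_regex)."""
    triggers = rpz_triggers_for(suffixes)
    return {q: (rpz_qname_match(q, triggers) is not None, regex_match(q))
            for q in qnames}


if __name__ == "__main__":
    sample = ["wpad.corp.example.", "proxy.wpad.corp.example",
              "wpad.example.org", "www.corp.example"]
    for name, (by_rpz, by_regex) in classify(sample, INTERNAL_SUFFIXES).items():
        print(f"{name:28} rpz={by_rpz!s:5} regex={by_regex}")
```

Note the two mismatches the sample exposes: the regex misses proxy.wpad.corp.example because its first label is not wpad (the RPZ wildcard catches it), while wpad.example.org is caught by the regex but by no RPZ trigger, because that suffix is not in the list. In practice the regex covers leaks to suffixes you did not anticipate, and RPZ needs the suffix list kept current.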


Is it possible to filter (*.)wpad.* with RPZ?

2017-11-29 Thread Grant Taylor via bind-users
Is it possible to filter (*.)wpad.* with RPZ?  Or do I need to look into 
Response Policy Service and try to filter that way?


I've used RPZ for various different things over the years, but I don't 
quite know how to match a wild card on the right hand side.


Context:  I'd like to prevent misconfigurations like the following and 
I was hoping that RPZ could be utilized:


Link - Anybody else having issues with wpad.domain.name?
 - 
https://www.reddit.com/r/networking/comments/732r5n/anybody_else_having_issues_with_wpaddomainname/


Link - Alert (TA16-144A) WPAD Name Collision Vulnerability
 - https://www.us-cert.gov/ncas/alerts/TA16-144A



--
Grant. . . .
unix || die




Re: Is it possible to have separate query logs for different views?

2015-03-12 Thread Peter Olsson
On Tue, Mar 10, 2015 at 02:05:50PM -0400, Bob Harold wrote:
> Note that named includes the name of the view in the query log lines, so
> you could copy them from the query log to separate files, even in real
> time, if desired.
> 
> tail -f named-queries | awk '/ view inside: / {print $0 > "named-queries-inside"; next}
>   / view outside: / {print $0 > "named-queries-outside"; next}
>   {print $0 > "named-queries-other"}' &
> 
> (not tested, but have used similar before)
 
Ok, I'm officially blind... Should have seen this myself.
This will solve my problem.

Thanks!

Peter Olsson
 
> 
> -- 
> Bob Harold
> hostmaster, UMnet, ITcom
> Information and Technology Services (ITS)
> rharo...@umich.edu
> 734-647-6524 desk
> 
> On Mon, Mar 9, 2015 at 9:55 PM, Alan Clegg  wrote:
> 
> > On 3/9/15 3:04 AM, Peter Olsson wrote:
> > > Hello!
> > >
> > > Is it possible to have separate query logs for different views?
> > >
> > > I tried putting this in the view block, but it failed with "unknown
> > > option 'logging'":
> > >
> > > logging { channel logging_query { file
> > > "/var/log/named/query-inside.log" versions 30 size 5M; print-time
> > > yes; severity debug; }; };
> >
> > Nope.  Logging is global only, not per view.
> >
> > AlanC


Re: Is it possible to have separate query logs for different views?

2015-03-10 Thread Bob Harold
Note that named includes the name of the view in the query log lines, so
you could copy them from the query log to separate files, even in real
time, if desired.

tail -f named-queries | awk '/ view inside: / {print $0 > "named-queries-inside"; next}
  / view outside: / {print $0 > "named-queries-outside"; next}
  {print $0 > "named-queries-other"}' &

(not tested, but have used similar before)



-- 
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk

On Mon, Mar 9, 2015 at 9:55 PM, Alan Clegg  wrote:

> On 3/9/15 3:04 AM, Peter Olsson wrote:
> > Hello!
> >
> > Is it possible to have separate query logs for different views?
> >
> > I tried putting this in the view block, but it failed with "unknown
> > option 'logging'":
> >
> > logging { channel logging_query { file
> > "/var/log/named/query-inside.log" versions 30 size 5M; print-time
> > yes; severity debug; }; };
>
> Nope.  Logging is global only, not per view.
>
> AlanC
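Bob's awk one-liner works because named writes the view name into every line of the queries category as "view <name>:" just before "query:". The Python below is an editor's example added to this thread, not code from the thread or from BIND; it does the same split with a parser that anchors on both sides of the view name, so a query name that happens to contain the word "view" cannot be misfiled, and it routes lines with no view field (what a server without views logs) to an "other" bucket. The sample log lines are constructed, with documentation addresses; the bucket names "inside" and "outside" are taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the shape named writes to
# the queries log category when views are configured. The fourth line has no
# view field, as a server without views would log it.
SAMPLE_LOG = """\
10-Mar-2015 13:01:02.123 client 192.0.2.10#53211 (www.example.com): view inside: query: www.example.com IN A + (192.0.2.1)
10-Mar-2015 13:01:02.456 client 198.51.100.7#40001 (example.com): view outside: query: example.com IN MX -E (203.0.113.5)
10-Mar-2015 13:01:03.000 client 192.0.2.11#53212 (mail.example.com): view inside: query: mail.example.com IN AAAA + (192.0.2.1)
10-Mar-2015 13:01:03.500 client 203.0.113.9#1234 (example.com): query: example.com IN A + (203.0.113.5)
"""

# The view name sits between "view " and ": query:"; anchoring on both sides
# keeps a query name that happens to contain the word "view" from matching.
VIEW_RE = re.compile(r" view (?P<view>[^\s:]+): query: ")


def view_of(line):
    """Return the view name recorded in a query-log line, or None."""
    m = VIEW_RE.search(line)
    return m.group("view") if m else None


def split_by_view(lines, known_views):
    """Group lines by view; unknown or missing views go to 'other'."""
    buckets = defaultdict(list)
    for line in lines:
        v = view_of(line)
        buckets[v if v in known_views else "other"].append(line)
    return dict(buckets)


def write_split(lines, known_views, prefix="named-queries"):
    """Append each bucket to its own file, e.g. named-queries-inside.

    Returns the list of paths written. The prefix is an assumed name."""
    paths = []
    for view, bucket in split_by_view(lines, known_views).items():
        path = f"{prefix}-{view}"
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(bucket) + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    for view, bucket in split_by_view(SAMPLE_LOG.splitlines(),
                                      {"inside", "outside"}).items():
        print(f"{view}: {len(bucket)} line(s)")
```

The split is a filter on the text named already wrote, so it inherits the querylog channel's severity and rotation; if the split files matter for audit, point named's queries category at a dedicated channel rather than the general log so unrelated messages never reach the splitter.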

Re: Is it possible to have separate query logs for different views?

2015-03-09 Thread Alan Clegg

On 3/9/15 3:04 AM, Peter Olsson wrote:
> Hello!
> 
> Is it possible to have separate query logs for different views?
> 
> I tried putting this in the view block, but it failed with "unknown
> option 'logging'":
> 
> logging { channel logging_query { file
> "/var/log/named/query-inside.log" versions 30 size 5M; print-time
> yes; severity debug; }; };

Nope.  Logging is global only, not per view.

AlanC


Is it possible to have separate query logs for different views?

2015-03-09 Thread Peter Olsson
Hello!

Is it possible to have separate query logs for different views?

I tried putting this in the view block, but it failed with
"unknown option 'logging'":

logging {
channel logging_query {
file "/var/log/named/query-inside.log" versions 30 size 
5M;
print-time yes;
severity debug;
};
};
 
Thanks!

-- 
Peter Olsson


Re: [RI-DISCUSS] Is it possible to block or modify DNS' resolution of a malware address?

2011-04-01 Thread Stewart Dean

Came up with this as a simple straight-forward quick answer
http://www.malwaredomains.com/bhdns.html

My thanks to everyone who responded so quickly!

Our phishing email looked like this

You have exceeded the storage capacity of your designated mail box and
is thus required to revalidate immediately.
you may not receive/send mails until your mailbox is revalidated,
revalidation increases your mailbox storage capacity and is fast and easy.
Please click here
 to
revalidate your mailbox.
- Admin


Note that even tho my internal DNS server is now authoritative for 10001mb.com, 
anyone who's swallowed the bait (before I set up the dummy domain) gets a cookie 
set in the browser that keeps them going to that malign webpage even after the 
address resolution call times out :(


On 4/1/2011 10:36 AM, Jose Nazario wrote:

On Apr 1, 2011, at 10:22 AM, Stewart Dean wrote:


That is, if we know that a symbolic address is malign, is there some way to 
refuse to resolve it or change its resolution when an internal user asks for 
its resolution from the internal DNS server?

All my Google searching turns up DNSBLs and blocking incoming mail from BLed 
addresses, but this is another matter...



hrm .. i may have mis-read this. i was thinking you didn't want to do the 
standard DNSBL approach (have your local DNS servers become authoritative for 
the zone and control its resolution). i was thinking you wanted to do this off 
the DNS servers, hence the network-centric approach (read the DNS traffic and 
rewrite it as needed).

_
jose nazario, ph.d. j...@arbor.net
sr. manager of security research, arbor networks
http://asert.arbor.net/



--

"One must think like a hero to behave like a merely decent human being." - May 
Sarton
"Having overcome your worst fear, the thing you are most vulnerable to, that is 
the definition of heroic.

Also, it's such a worthwhile human activity. The most." -Fran Liebowitz

Funny how it's women who see the real heroism (that of going on, of being true) 
so clearly.

Stewart Dean, Unix System Admin, Bard College, New York 12504 sd...@bard.edu
voice: 845-758-7475, fax: 845-758-7035



RE: Is it possible to block resolution of a malware address?

2011-04-01 Thread Baird, Josh
We typically override malware-ish domains by creating a zone on our
caching servers for them and create a wildcard similar to:

*   IN  A   127.0.0.1

That way, when clients try to resolve xyz.com, our caching/resolvers
return 127.0.0.1, not the real IP address.

Josh

-Original Message-
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Stewart Dean
Sent: Friday, April 01, 2011 10:22 AM
To: bind-users@lists.isc.org
Subject: Is it possible to block resolution of a malware address?

That is, if we know that a symbolic address is malign, is there some way
to 
refuse to resolve it or change its resolution when an internal user
asks for 
its resolution?

All my Google searching turns up DNSBLs and blocking incoming mail from
BLed 
addresses, but this is another matter...

Thanks in advance...
-- 

Stewart Dean, Unix System Admin, Henderson Computer Resources
Center of Bard College, Annandale-on-Hudson, New York  12504
sd...@bard.edu  voice: 845-758-7475, fax: 845-758-7035


Re: Is it possible to block resolution of a malware address?

2011-04-01 Thread Eivind Olsen
> That is, if we know that a symbolic address is malign, is there some way
> to
> refuse to resolve it or change its resolution when an internal user asks
> for
> its resolution?

Two different ways of doing this:

- configure your BIND to believe it's authoritative for the address(es) in
question by configuring it as a zone

or, if you run a recent enough version of BIND:
- set up RPZ, it really is easy to implement (and has the advantage of
scaling nicely with multiple servers as well - configure the RPZ zone
somewhere and let normal zone transfers copy it to the other servers you
have as well)

Regards
Eivind Olsen
eiv...@aminor.no


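Both answers in this thread build a zone that named serves locally; the difference is that Josh's version needs one authoritative zone per bad domain, while Eivind's RPZ version keeps every policy in a single zone that replicates to other servers by ordinary zone transfer. The Python below is an editor's example added to this thread, not code from the thread or from BIND: it generates an RPZ zone file from a blocklist, with the action encoded the way RPZ specifies (CNAME . for NXDOMAIN, CNAME *. for NODATA, an A record for a walled-garden redirect), and, for comparison, the per-domain wildcard stub zone. The blocklist, the rpz.local origin, the nameserver and hostmaster names and the walled-garden address are all assumptions.

```python
import re

# Constructed blocklist for the example (documentation-style names, not the
# phishing domain from the thread); mixed case and a trailing dot on purpose.
BLOCKLIST = ["10001mb.example", "Bad-Host.example.net."]

# Hostname syntax: 1-63 character labels of letters, digits and hyphens, no
# leading or trailing hyphen, whole name at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def normalize(name):
    """Lower-case, drop the trailing dot, reject anything that is not a hostname."""
    n = name.strip().rstrip(".").lower()
    if not n or len(n) > 253 or not HOSTNAME_RE.match(n):
        raise ValueError(f"invalid domain name: {name!r}")
    return n


def rpz_records(domains, action="nxdomain", walled_garden=None):
    """RPZ QNAME-trigger records for each domain and every name below it.

    RPZ encodes the action in the rdata: CNAME . means NXDOMAIN, CNAME *.
    means NODATA, and an ordinary A record is 'local data' that sends the
    client somewhere else, e.g. a walled-garden page."""
    if action == "nxdomain":
        rdata = "CNAME ."
    elif action == "nodata":
        rdata = "CNAME *."
    elif action == "redirect":
        if not walled_garden:
            raise ValueError("redirect needs a walled_garden address")
        rdata = f"A {walled_garden}"
    else:
        raise ValueError(f"unknown action {action!r}")
    records = []
    for d in sorted({normalize(x) for x in domains}):
        records.append(f"{d} {rdata}")
        records.append(f"*.{d} {rdata}")
    return records


def rpz_zone(domains, origin="rpz.local", serial=2011040101, **kw):
    """A complete RPZ zone file: SOA, NS, then the policy records.

    Owner names are relative to $ORIGIN, so 'bad.example' becomes
    bad.example.rpz.local. as RPZ requires. Bump the serial on every change
    so secondaries pick the policy up by zone transfer."""
    head = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 600 604800 300",
        f"@ IN NS ns.{origin}.",
    ]
    return "\n".join(head + rpz_records(domains, **kw)) + "\n"


def stub_zone(domain, address="127.0.0.1"):
    """The per-domain override from the thread: named is made authoritative
    for the bad name and a wildcard answers everything under it. One zone
    per domain, and an address of 127.0.0.1 points victims at their own host."""
    d = normalize(domain)
    return "\n".join([
        f"$ORIGIN {d}.",
        "$TTL 300",
        f"@ IN SOA ns.{d}. hostmaster.{d}. 1 3600 600 604800 300",
        f"@ IN NS ns.{d}.",
        f"@ IN A {address}",
        f"* IN A {address}",
    ]) + "\n"


if __name__ == "__main__":
    print(rpz_zone(BLOCKLIST))
```

To load the generated file, named needs a zone statement for rpz.local (type master, or slave on the other servers) and a response-policy block in options naming that zone. Names are validated before they reach the zone file so that a malformed blocklist entry fails the build rather than the zone load, and the trailing-dot and case handling means the same domain cannot appear twice under different spellings.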


Is it possible to block resolution of a malware address?

2011-04-01 Thread Stewart Dean
That is, if we know that a symbolic address is malign, is there some way to 
refuse to resolve it or change its resolution when an internal user asks for 
its resolution?


All my Google searching turns up DNSBLs and blocking incoming mail from BLed 
addresses, but this is another matter...


Thanks in advance...
--

Stewart Dean, Unix System Admin, Henderson Computer Resources
Center of Bard College, Annandale-on-Hudson, New York  12504
sd...@bard.edu  voice: 845-758-7475, fax: 845-758-7035


Re: Is it Possible to Log nxdomain Responses?

2010-11-18 Thread Anand Buddhdev
On 17/11/2010 15:23, Stephane Bortzmeyer wrote:

> On Wed, Nov 17, 2010 at 07:48:55AM -0600,
>  Martin McCormick  wrote 
>  a message of 22 lines which said:
> 
>> It would be nice to log each nxdomain for a while so we can verify
>> that the new delegated zone we are about to install fixed the
>> problem.
> 
> Maybe with dnscap:
> 
> dnscap -e x -g -w nxdomain-%s-%u.pcap
> 
> This will keep NXDOMAIN responses

I like dnscap. It also has an option to specify a regex to match on the
QNAME, and capture packets for certain domain names / zones. This is a
useful feature to use on servers which host more than one zone.

Regards,

Anand


Re: Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Stephane Bortzmeyer
On Wed, Nov 17, 2010 at 07:48:55AM -0600,
 Martin McCormick  wrote 
 a message of 22 lines which said:

> It would be nice to log each nxdomain for a while so we can verify
> that the new delegated zone we are about to install fixed the
> problem.

Maybe with dnscap:

dnscap -e x -g -w nxdomain-%s-%u.pcap

This will keep NXDOMAIN responses



Re: Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Phil Mayers

On 17/11/10 13:48, Martin McCormick wrote:

We are chasing down some problems in which clients are trying to
resolve lookups to a domain related to Microsoft Active
Directory zones. We were able to determine that clients were
querying this AD zone when it was thought they weren't needing
to do so.

We enabled querylogging for a short time and saw a
specific test system querying the domain and we were able to
dump the cache of the master DNS running bind9.7.1 and saw
numerous nxdomains for that zone. It would be nice to log each
nxdomain for a while so we can verify that the new delegated
zone we are about to install fixed the problem.


You could maybe do this with wireshark:

tshark -R dns.flags.rcode==3 -s 1600 -i any -T fields \
 -e ip.src -e ip.dst -e dns.qry.name
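Both the tshark filter (dns.flags.rcode==3) and the dnscap selection key on the same two header fields: the QR bit, which marks a response, and the 4-bit RCODE, where 3 is NXDOMAIN. The Python below is an editor's example added to this thread, not code from the thread, from tshark or from dnscap; it decodes the DNS header and question name from raw messages and reports the NXDOMAIN responses the way those tools select them, including compression pointers in the name so it also works on names copied from an answer section. The traffic is constructed in the block itself and the names are assumptions.

```python
import struct


def build_message(ident, qname, response, rcode=0):
    """Build a minimal DNS message with one question (constructed sample data).

    Header: ID, flags (QR, RD, RCODE), QDCOUNT=1 and the other counts 0,
    followed by the question in uncompressed wire form, QTYPE A, QCLASS IN."""
    flags = (0x8000 if response else 0) | 0x0100 | (rcode & 0xF)
    wire = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00" + struct.pack("!HH", 1, 1)


def parse_header(msg):
    """Decode the 12-byte header; QR and RCODE are what the filters key on."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def read_name(msg, off):
    """Decode a name at off, following RFC 1035 compression pointers.

    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                 # bounds the hop count; stops pointer loops
        length = msg[off]
        if length == 0:
            off += 1
            break
        if (length & 0xC0) == 0xC0:      # pointer: 2 bytes, 14-bit offset
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels) + ".", (end if jumped else off)


def nxdomain_qnames(msgs):
    """For each raw message, report (id, qname) of NXDOMAIN responses only.

    This is the same selection tshark makes with dns.flags.rcode==3."""
    hits = []
    for m in msgs:
        h = parse_header(m)
        if h["qr"] == 1 and h["rcode"] == 3 and h["qdcount"] >= 1:
            qname, _ = read_name(m, 12)
            hits.append((h["id"], qname))
    return hits


# Constructed traffic: a query, its NXDOMAIN answer, and an unrelated NOERROR.
SAMPLES = [
    build_message(0x1234, "dc01.ad.example.com", response=False),
    build_message(0x1234, "dc01.ad.example.com", response=True, rcode=3),
    build_message(0x5678, "www.example.com", response=True, rcode=0),
]

if __name__ == "__main__":
    for ident, qname in nxdomain_qnames(SAMPLES):
        print(f"NXDOMAIN id={ident:#06x} qname={qname}")
```

Reading the payload bytes yourself is what makes this usable on a capture taken anywhere on the path, not only on the server; to feed it real traffic, hand it the UDP payloads from a pcap (after the 2-byte length prefix for TCP). The hop bound in read_name matters on untrusted captures, since a crafted message with a pointer that refers to itself would otherwise spin a naive decoder forever.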


Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Martin McCormick
We are chasing down some problems in which clients are trying to
resolve lookups to a domain related to Microsoft Active
Directory zones. We were able to determine that clients were
querying this AD zone when it was thought they weren't needing
to do so.

We enabled querylogging for a short time and saw a
specific test system querying the domain and we were able to
dump the cache of the master DNS running bind9.7.1 and saw
numerous nxdomains for that zone. It would be nice to log each
nxdomain for a while so we can verify that the new delegated
zone we are about to install fixed the problem.

Thank you.

Martin McCormick WB5AGZ  Stillwater, OK 
Systems Engineer
OSU Information Technology Department Telecommunications Services Group


RE: is it possible to dynamically update an RRSIG record?

2010-01-26 Thread Jack Tavares


>Jack Tavares wrote:
>> Looking at the code for libbind, specifically
>> res_nmkupdate,
>> there is no case statement for RRSIG records.
>>
>> In this case, I was trying to update the  TTL.
>> Is that not allowed intentionally?
>
>I think so. The TTL of a RRSIG RR *MUST* match the TTL value of the
>RRset it covers.
>
>Hugo

Hmm. Well then I guess one cannot update the TTL of the RRSIG itself, since if
it must match the RRset it covers, then the TTL on the RRset must be changed,
at which time bind would re-sign the records.


Re: is it possible to dynamically update an RRSIG record?

2010-01-25 Thread Hugo Salgado Hernandez
Jack Tavares wrote:
> Looking at the code for libbind, specifically
> res_nmkupdate,
> there is no case statement for RRSIG records.
>  
> In this case, I was trying to update the  TTL.
> Is that not allowed intentionally?

I think so. The TTL of a RRSIG RR *MUST* match the TTL value of the
RRset it covers.

Hugo



is it possible to dynamically update an RRSIG record?

2010-01-25 Thread Jack Tavares
Looking at the code for libbind, specifically
res_nmkupdate,
there is no case statement for RRSIG records.

In this case, I was trying to update the  TTL.
Is that not allowed intentionally?

Thank you


--
Jack Tavares
"How many more can we sell with this button?"



Re: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-03-03 Thread Barry Margolin
In article ,
 Michael Milligan  wrote:

> Danny Mayer wrote:
> > Michael Milligan wrote:
> >> Just being more general.  A URL is a HTTP URI... Google has plenty of
> >> explanations.
> > 
> > That's nonsense. A URL was never just an HTTP URI. It's one example of
> > one but there have always been more than one type.
> 
> I wasn't clear.  A URL covers a subset of the URI space, as you say.
> Again, plenty of good (i.e., better than one-liner) explanations can be
> found on Google.

For the purposes of this discussion, though, the distinction between URL 
and URI is probably irrelevant.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


Re: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-03-01 Thread Michael Milligan
Danny Mayer wrote:
> Michael Milligan wrote:
>> Just being more general.  A URL is a HTTP URI... Google has plenty of
>> explanations.
> 
> That's nonsense. A URL was never just an HTTP URI. It's one example of
> one but there have always been more than one type.

I wasn't clear.  A URL covers a subset of the URI space, as you say.
Again, plenty of good (i.e., better than one-liner) explanations can be
found on Google.

Regards,
Mike

-- 
Michael Milligan   -> mi...@acmeps.com


Re: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-27 Thread Danny Mayer
Michael Milligan wrote:
> hongyi.z...@gmail.com wrote:
>>> You *must* reference the location using the same URI if you expect to
>>> see the same expected results.
>> Thanks  for  your  detailed  explanations.  Another issue: what do you
>> mean by saying URI?  What's the differences between URI and URL?
> 
> Just being more general.  A URL is a HTTP URI... Google has plenty of
> explanations.
> 

That's nonsense. A URL was never just an HTTP URI. It's one example of
one but there have always been more than one type.

Danny



Re: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-23 Thread Michael Milligan
hongyi.z...@gmail.com wrote:
> 
>> You *must* reference the location using the same URI if you expect to
>> see the same expected results.
> 
> Thanks  for  your  detailed  explanations.  Another issue: what do you
> mean by saying URI?  What's the differences between URI and URL?

Just being more general.  A URL is a HTTP URI... Google has plenty of
explanations.

> 
>> Regards,
>> Mike
> 
>> PS:  There are other maintenance problems with your approach too, but
> 
> What for example?

This biggest problem is when the IP of the original server changes, you
have to track that and periodically update your name.  Unless you take a
proxy approach.

Regards,
Mike

-- 
Michael Milligan   -> mi...@acmeps.com



Re: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-23 Thread Barry Margolin
In article , hongyi.z...@gmail.com wrote:

> On Friday, February 20, 2009 at 22:15, serge.fonvi...@gmail.com wrote:
> > Let me give an example to illustrate my problem:
> 
> > In the following url, the prola.aps.org is a name-based  virtual host:
> 
> > http://prola.aps.org/pdf/PRB/v1/i1/p1_1
> 
> > On  the other hand, my institute has subscribed to prola and many other
> > journals, so I want to use some self-made and easy-to-memory hostnames for
> > each  of them.  For example, I want to use the following url to access
> > the above one:
> 
> > http://myprola.myddns.org/pdf/PRB/v1/i1/p1_1
> 
> > Is this possible?
> 
> > You can specify a domainalias for every virtualhost in the apache
> > configuration (other http servers should support similar functionality)
> 
> I can't figure it out.  I only have a web
> client  such  as  ie  or firefox to access the above url?  Do you mean
> that I must setup a local webserver, say by using apache to do that thing?

The operators of the dynamic DNS service may offer an HTTP redirect 
service that does this for you.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


Re: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-23 Thread Serge Fonville
When using apache (you haven't told what web server you are using) you can
define a virtual host which has a server name hongyi_zhao.changeip.net and a
serveralias of some_domain. then apache will respond to urls which have
either in the host header with the defined virtual host. This assumes that
either can be resolved to an IP from the requesting host.
Perhaps it is advisable to start googling for "virtual hosts" to further
determine how you should do it.

Hope this helps.

Regards,

Serge Fonville

On Fri, Feb 20, 2009 at 10:02 AM, Hongyi Zhao  wrote:

> Hi all,
>
> Suppose a file named file.pdf stored in the following web location:
>
> http://some_domain/path/to/file.pdf
>
> Where, the *some_domain* is a name-based virtual host.  In this case,
> is it possible to set a ddns hostname, say through
> http://www.changeip.net/, without using *some_domain* itself,  to
> access this file?
>
> --
> .: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.

Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-23 Thread Hongyi Zhao
Hi all,

Suppose a file named file.pdf stored in the following web location:   

http://some_domain/path/to/file.pdf

Where, the *some_domain* is a name-based virtual host.  In this case,
is it possible to set a ddns hostname, say through
http://www.changeip.net/, without using *some_domain* itself,  to
access this file?

-- 
.: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.


Re[2]: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread hongyi . zhao
On Saturday, February 21, 2009 at 5:45, k...@chrysler.com wrote:
> Hongyi Zhao wrote:
>> Hi all,
>>
>> Suppose a file named file.pdf stored in the following web location:   
>>
>> http://some_domain/path/to/file.pdf
>>
>> Where, the *some_domain* is a name-based virtual host.  In this case,
>> is it possible to set a ddns hostname, say through
>> http://www.changeip.net/, without using *some_domain* itself,  to
>> access this file?
>>
>>   
> DNS can only control what IP address the client connects to. It doesn't
> have any effect on the "Host:" header that is sent in the HTTP request,
> and that's what a webserver uses to identify the target site, in a 
> named-based virtual hosting context.

> I think you want to use a proxy with URL-rewriting capability. SQUID 
> seems to be capable of this.

> Possibly some browser add-on might have a URL-rewriting capability too,
> haven't looked into that.

Thank you for your pertinent recommendations.

Warm regards,
-- 
Hongyi Zhao  
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences 
GnuPG DSA: 0xD108493
2009-2-21



Re[2]: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread hongyi . zhao
On Saturday, February 21, 2009 at 0:31, mi...@acmeps.com wrote:
> This is actually off topic for BIND-users...

> hongyi.z...@gmail.com wrote:
>> On Friday, February 20, 2009 at 19:51, serge.fonvi...@gmail.com wrote:
>>> Hi,
>> 
>>> Is it possible to set a ddns hostname, say through
>>> http://www.changeip.net/ , without using *some_domain* itself, to 
>>> access this file? 
>> 
>>> Not entirely sure what you are actually trying to achieve.
>>> Could you provide a concrete example of the situations you are trying to 
>>> achieve?
>> 
>> Let me give an example to illustrate my problem:
>> 
>> In the following url, the prola.aps.org is a name-based  virtual host:
>> 
>> http://prola.aps.org/pdf/PRB/v1/i1/p1_1
>> 
>> On  the other hand, my institute has subscribed to prola and many other
>> journals, so I want to use some self-made and easy-to-memory hostnames for
>> each  of them.  For example, I want to use the following url to access
>> the above one:
>> 
>> http://myprola.myddns.org/pdf/PRB/v1/i1/p1_1

> I fail to see how the latter is more "easy-to-memory" than the former, but...

I just took one as an example; in my case, I have dozens of such hostnames
and, if I can, I'll make all of them share the same latter part, i.e.
.myddns.org, thus "easy-to-memory".

>> 
>> Is this possible?
>> 

> Generally, no.  Virtual hosting involves setting, in almost all cases, a
> unique document root for each virtual host.  If you reference a file or
> location via a URI that uses a different hostname, then it either
> matches a different virtual host, or matches the default virtual host,
> but in either case the document root is almost certainly different, and
> thus the relative path (/pdf/PRB/v1/i1/P1_1 in your case) almost certainly
> does not translate to the correct absolute path to get the right file or
> get you to the right generator, whatever the location references and/or
> triggers to send back content.

> You *must* reference the location using the same URI if you expect to
> see the same expected results.

Thanks for your detailed explanations.  Another issue: what do you
mean by URI?  What's the difference between URI and URL?

> Regards,
> Mike

> PS:  There are other maintenance problems with your approach too, but

What for example?

> you avoid those by just not even trying to do what you asked.


Regards,
-- 
Hongyi Zhao  
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences 
GnuPG DSA: 0xD108493
2009-2-21



Re: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread Kevin Darcy

Hongyi Zhao wrote:
> Hi all,
>
> Suppose a file named file.pdf stored in the following web location:
>
> http://some_domain/path/to/file.pdf
>
> Where, the *some_domain* is a name-based virtual host.  In this case,
> is it possible to set a ddns hostname, say through
> http://www.changeip.net/, without using *some_domain* itself,  to
> access this file?

DNS can only control what IP address the client connects to. It doesn't
have any effect on the "Host:" header that is sent in the HTTP request,
and that's what a webserver uses to identify the target site, in a
name-based virtual hosting context.

I think you want to use a proxy with URL-rewriting capability. SQUID
seems to be capable of this.

Possibly some browser add-on might have a URL-rewriting capability too,
haven't looked into that.


- Kevin



Re: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread Michael Milligan
This is actually off topic for BIND-users...

hongyi.z...@gmail.com wrote:
> On Friday, February 20, 2009 at 19:51, serge.fonvi...@gmail.com wrote:
>> Hi,
> 
>> Is it possible to set a ddns hostname, say through
>> http://www.changeip.net/ , without using *some_domain* itself, to 
>> access this file? 
> 
>> Not entirely sure what you are actually trying to achieve.
>> Could you provide a concrete example of the situations you are trying to 
>> achieve?
> 
> Let me give an example to illustrate my problem:
> 
> In the following url, the prola.aps.org is a name-based  virtual host:
> 
> http://prola.aps.org/pdf/PRB/v1/i1/p1_1
> 
> On  the other hand, my institute has subscribed to prola and many other
> journals, so I want to use some self-made and easy-to-memory hostnames for
> each  of them.  For example, I want to use the following url to access
> the above one:
> 
> http://myprola.myddns.org/pdf/PRB/v1/i1/p1_1

I fail to see how the latter is more "easy-to-memory" than the former, but...

> 
> Is this possible?
> 

Generally, no.  Virtual hosting involves setting, in almost all cases, a
unique document root for each virtual host.  If you reference a file or
location via a URI that uses a different hostname, then it either
matches a different virtual host, or matches the default virtual host,
but in either case the document root is almost certainly different, and
thus the relative path (/pdf/PRB/v1/i1/P1_1 in your case) almost certainly
does not translate to the correct absolute path to get the right file or
get you to the right generator, whatever the location references and/or
triggers to send back content.

You *must* reference the location using the same URI if you expect to
see the same expected results.

Regards,
Mike

PS:  There are other maintenance problems with your approach too, but
you avoid those by just not even trying to do what you asked.

-- 
Michael Milligan   -> mi...@acmeps.com


Re[4]: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread hongyi . zhao
On Friday, February 20, 2009 at 22:15, serge.fonvi...@gmail.com wrote:
> Let me give an example to illustrate my problem:

> In the following url, the prola.aps.org is a name-based  virtual host:

> http://prola.aps.org/pdf/PRB/v1/i1/p1_1

> On  the other hand, my institute has subscribed to prola and many other
> journals, so I want to use some self-made and easy-to-memory hostnames for
> each  of them.  For example, I want to use the following url to access
> the above one:

> http://myprola.myddns.org/pdf/PRB/v1/i1/p1_1

> Is this possible?

> You can specify a domain alias for every virtual host in the Apache
> configuration (other HTTP servers should support similar functionality)

I can't figure it out.  I only have a web client such as IE or Firefox
to access the above URL.  Do you mean that I must set up a local
webserver, say by using Apache, to do that thing?

Regards,
-- 
Hongyi Zhao  
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences 
GnuPG DSA: 0xD108493
2009-2-20



Re: Re[2]: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread Serge Fonville
>
> Let me give an example to illustrate my problem:
>
> In the following url, the prola.aps.org is a name-based  virtual host:
>
> http://prola.aps.org/pdf/PRB/v1/i1/p1_1
>
> On  the other hand, my institute has subscribed to prola and many other
> journals, so I want to use some self-made and easy-to-memory hostnames for
> each  of them.  For example, I want to use the following url to access
> the above one:
>
> http://myprola.myddns.org/pdf/PRB/v1/i1/p1_1
>
> Is this possible?
>

You can specify a domain alias for every virtual host in the Apache
configuration (other HTTP servers should support similar functionality).
This has nothing to do with DNS, since all DNS does is translate the hostname
you type in to an IP address the computer uses to connect to.
Every HTTP request contains a 'Host' header that is used by the webserver to
determine the document root to serve.

Hope this helps.

Regards,

Serge Fonville
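The point made by Kevin, Mike and Serge above (DNS only chooses the address, the Host header chooses the virtual host, and only a server-side alias makes the DDNS name work) as an added, runnable model; this is example code written for this thread, not anyone's posted code, and the addresses, document roots and default vhost are constructed:

```python
"""Minimal model of name-based virtual hosting (added example, not from the thread).
A DDNS name that resolves to the same IP address as prola.aps.org does not reach the
same document root: DNS supplies only the address, the server picks the vhost from the
HTTP Host header, so the alias has to be added on the server (ServerAlias in Apache
terms). Addresses, document roots and the default vhost below are constructed."""
import copy
import posixpath
from urllib.parse import urlsplit

# Constructed DNS view: the DDNS name simply points at the publisher's address.
DNS_A = {"prola.aps.org": "192.0.2.10", "myprola.myddns.org": "192.0.2.10"}

# Constructed server-side vhost table; the first entry is the default vhost, as in Apache.
VHOSTS = [
    {"server_name": "www.publisher.example", "aliases": [], "document_root": "/srv/www/default"},
    {"server_name": "prola.aps.org", "aliases": [], "document_root": "/srv/www/prola"},
]


def parse_host_header(raw_request: bytes):
    """Return the Host header value, lowercased with any :port removed, or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:            # skip the request line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):               # IPv6 literal: keep the bracketed part
                return host.split("]", 1)[0] + "]"
            return host.split(":", 1)[0]
    return None


def select_vhost(host, vhosts):
    """Name-based selection: exact ServerName or ServerAlias match, else the default (first) vhost."""
    if host is not None:
        for vh in vhosts:
            if host == vh["server_name"] or host in vh["aliases"]:
                return vh
    return vhosts[0]


def with_alias(vhosts, server_name, alias):
    """Return a copy of the table with `alias` added to the vhost named `server_name`."""
    table = copy.deepcopy(vhosts)
    for vh in table:
        if vh["server_name"] == server_name:
            vh["aliases"].append(alias.lower())
    return table


def fetch_path(url, vhosts):
    """Model one client request for `url`: (address connected to, vhost chosen, filesystem path)."""
    parts = urlsplit(url)
    address = DNS_A[parts.hostname.lower()]        # step 1: DNS yields only an address
    request = f"GET {parts.path} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n".encode("ascii")
    vh = select_vhost(parse_host_header(request), vhosts)   # step 2: Host header picks the vhost
    root = vh["document_root"]
    fs_path = posixpath.normpath(posixpath.join(root, parts.path.lstrip("/")))
    if fs_path != root and not fs_path.startswith(root + "/"):
        raise ValueError("path escapes the document root")   # refuse ../ traversal
    return address, vh["server_name"], fs_path


if __name__ == "__main__":
    for table, label in ((VHOSTS, "as published"),
                         (with_alias(VHOSTS, "prola.aps.org", "myprola.myddns.org"), "with ServerAlias")):
        for url in ("http://prola.aps.org/pdf/PRB/v1/i1/p1_1",
                    "http://myprola.myddns.org/pdf/PRB/v1/i1/p1_1"):
            print(label, url, "->", fetch_path(url, table))
```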

Re: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread Sam Wilson
In article , hongyi.z...@gmail.com wrote:

> On Friday, February 20, 2009 at 19:51, serge.fonvi...@gmail.com wrote:
> > Hi,
> 
> > Is it possible to set a ddns hostname, say through
> > http://www.changeip.net/ , without using *some_domain* itself, to 
> > access this file? 
> 
> > Not entirely sure what you are actually trying to achieve.
> > Could you provide a concrete example of the situations you are trying to 
> > achieve?
> 
> Let me give an example to illustrate my problem:
> 
> In the following url, the prola.aps.org is a name-based  virtual host:
> 
> http://prola.aps.org/pdf/PRB/v1/i1/p1_1
> 
> On  the other hand, my institute has subscribed to prola and many other
> journals, so I want to use some self-made and easy-to-memory hostnames for
> each  of them.  For example, I want to use the following url to access
> the above one:
> 
> http://myprola.myddns.org/pdf/PRB/v1/i1/p1_1
> 
> Is this possible?

This is what browser bookmarks are for, isn't it?

Sam


Re[2]: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread hongyi . zhao
On Friday, February 20, 2009 at 19:51, serge.fonvi...@gmail.com wrote:
> Hi,

> Is it possible to set a ddns hostname, say through
> http://www.changeip.net/ , without using *some_domain* itself, to 
> access this file? 

> Not entirely sure what you are actually trying to achieve.
> Could you provide a concrete example of the situations you are trying to 
> achieve?

Let me give an example to illustrate my problem:

In the following URL, prola.aps.org is a name-based virtual host:

http://prola.aps.org/pdf/PRB/v1/i1/p1_1

On the other hand, my institute has subscribed to prola and many other
journals, so I want to use some self-made and easy-to-memory hostnames for
each of them.  For example, I want to use the following URL to access
the above one:

http://myprola.myddns.org/pdf/PRB/v1/i1/p1_1

Is this possible?

Regards,
-- 
Hongyi Zhao  
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences 
GnuPG DSA: 0xD108493
2009-2-20



Re: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread Serge Fonville
Hi,

> Is it possible to set a ddns hostname, say through
> http://www.changeip.net/, without using *some_domain* itself, to
> access this file?


Not entirely sure what you are actually trying to achieve.
Could you provide a concrete example of the situations you are trying to
achieve?

If you want the file to be accessible through multiple hosts
(differentiated through the Host header), you need to configure the webserver
to handle these names.
If you want a hostname to be updated automatically when the server IP
address changes, you need to configure the appropriate service to connect to
the ddns service.
If you want specifics about the ddns service provider, you should ask them.

From changeip.net:

> Dynamic DNS gives you the ability to redirect your domain name to anywhere
> at any time.  Why wait 3 days for your ISP to update their DNS records
> when you can do it yourself, in seconds.  Get your free name now and it will
> be working within 5 minutes!

Hope this helps.

Regards,

Serge Fonville

Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-20 Thread Hongyi Zhao
Hi all,

Suppose a file named file.pdf is stored at the following web location:

http://some_domain/path/to/file.pdf

where *some_domain* is a name-based virtual host.  In this case,
is it possible to set a ddns hostname, say through
http://www.changeip.net/, without using *some_domain* itself, to
access this file?

-- 
.: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.


Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Mark Andrews

In message <[EMAIL PROTECTED]>, Chris Thompson writes:
> On Nov 20 2008, Stephane Bortzmeyer wrote:
> 
> >On Thu, Nov 20, 2008 at 11:55:17AM +,
> > Chris Thompson <[EMAIL PROTECTED]> wrote 
> > a message of 33 lines which said:
> >
> >>> The text you quote is for DNS publication. But you typically do not
> >>> put KSK in the DNS, no?
> >>
> >> Sure you do. How could a validator use it if you didn't? 
> >
> >Because it is published as a trust anchor?
> 
> In theory, I suppose that's true: the named.conf trusted-keys entries are
> just the textual representation of a KSK. (I've not seen a secure zone
> actually configured to leave out the KSK, though, so I'm not sure this
> would work.)
> 
> But who wants to publish trust anchors? Much better to get the KSK 
> validated from the parent zone (DS record) or a trusted source (DLV record).
> And neither of those have enough data to actually *reconstruct* the KSK.
 
s/reconstruct/identify/

> -- 
> Chris Thompson
> Email: [EMAIL PROTECTED]
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Chris Thompson

On Nov 20 2008, Stephane Bortzmeyer wrote:

> On Thu, Nov 20, 2008 at 11:55:17AM +,
>  Chris Thompson <[EMAIL PROTECTED]> wrote 
>  a message of 33 lines which said:
>
>>> The text you quote is for DNS publication. But you typically do not
>>> put KSK in the DNS, no?
>>
>> Sure you do. How could a validator use it if you didn't? 
>
> Because it is published as a trust anchor?

In theory, I suppose that's true: the named.conf trusted-keys entries are
just the textual representation of a KSK. (I've not seen a secure zone
actually configured to leave out the KSK, though, so I'm not sure this
would work.)

But who wants to publish trust anchors? Much better to get the KSK
validated from the parent zone (DS record) or a trusted source (DLV record).
And neither of those have enough data to actually *reconstruct* the KSK.

--
Chris Thompson
Email: [EMAIL PROTECTED]



Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Niall O'Reilly
On Thu, 2008-11-20 at 14:15 +0100, Adam Tkac wrote:
> It isn't possible to validate myzone1.tld. with key from other zone,
> for example myzone2.tld., is it?

No, but Chris explained better than I did what I had in mind.

On Thu, 2008-11-20 at 11:43 +, Chris Thompson wrote:
> the DNSKEY records for the KSK(s) (or ZSK(s), for that matter) could
> have identical rdata in different zones: i.e. they could specify the
> same encryption key. Whether this would be a *good* thing to do is
> doubtful:

/Niall




Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Stephane Bortzmeyer
On Thu, Nov 20, 2008 at 11:55:17AM +,
 Chris Thompson <[EMAIL PROTECTED]> wrote 
 a message of 33 lines which said:

>> The text you quote is for DNS publication. But you typically do not
>> put KSK in the DNS, no?
>
> Sure you do. How could a validator use it if you didn't? 

Because it is published as a trust anchor?


Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Adam Tkac
On Thu, Nov 20, 2008 at 09:18:01AM +, Niall O'Reilly wrote:
> On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:
> > does anyone know if it is possible to sign multiple domains with one
> > KSK?
> 
>   Adam,
> 
>   I suspect your question may need to be more specific.

Right you are.

> 
>   Are you asking about the signing process itself, or rather 
>   about how certain aspects of this process need to be exposed
>   in the DNS?
> 
>   The RFC-fragment you cite seems to me to require that each 
>   signed zone needs its set of [KZ]SK exposed in the DNS, but 
>   to be silent on whether a single key can be reused by appearing
>   as RDATA in the DNSKEY RRsets of multiple zones.
> 
>   I haven't read 4033/4034 thoroughly, so it's possible I may 
>   have misunderstood completely.
> 
>   Best regards,
> 
>   Niall O'Reilly
> 

I know people who maintain many domains, so they would like to use
a scenario like this:
- each zone has its own ZSK
- all ZSKs are signed with one KSK and the corresponding DS is in the parent
  zone

So, in theory, validation will look like:
- get myzone.tld. DS from tld.
- validate myzone.tld. DNSKEY (= validate KSK)
- validate all ZSKs with myzone.tld. KSK

If I understand section 2.1.1 of RFC 4034 correctly, then when I
want to validate, for example, the "myzone1.tld." ZSK there are only two ways:
- get the myzone1.tld. DS from the tld. zone
- get another myzone1.tld. key which will validate it

It isn't possible to validate myzone1.tld. with a key from another zone,
for example myzone2.tld., is it?

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.


Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Chris Thompson

On Nov 20 2008, Stephane Bortzmeyer wrote:

> [...snipped...]
>
> [Warning: still struggling with the subtleties of KSK/ZSK.]
>
> The text you quote is for DNS publication. But you typically do not
> put KSK in the DNS, no?

Sure you do. How could a validator use it if you didn't? Perhaps
you meant: you would keep the private half of the KSK more securely
locked up than the private half of the ZSK?

The usual setup in a signed zone is

 DNSKEY RRset at zone apex: one RR for each KSK and for each ZSK
 RRSIG RRs for the DNSKEY RRset: one signed with each KSK
 and one signed with each ZSK
 RRSIG RRs for all other RRsets: one signed with each ZSK

(allowing for multiple KSKs and ZSKs because of rollover).

That is, KSKs are used only to sign the DNSKEY RRset, and those
RRSIGs would typically be generated offline, even if the private
halves of the ZSKs are online.

--
Chris Thompson
Email: [EMAIL PROTECTED]



Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Chris Thompson

On Nov 19 2008, Adam Tkac wrote:

> does anyone know if it is possible to sign multiple domains with one KSK?
>
> If I understand correctly what RFC 4034, section 2.1.1 says ("... If bit 7
> has value 1, then the DNSKEY record holds a DNS zone key, and the DNSKEY
> RR's owner name MUST be the name of a zone..."), it is impossible. Each zone
> has to have its own KSK and ZSK pair, doesn't it?

It depends what you mean. The owner name has to be different, obviously,
but the DNSKEY records for the KSK(s) (or ZSK(s), for that matter) could
have identical rdata in different zones: i.e. they could specify the same
encryption key. Whether this would be a *good* thing to do is doubtful:
it wouldn't seem to save you anything in the signing process. Even if both
KSKs and ZSKs in different zones had identical rdata, the RRSIG records
for the DNSKEY RRset would not (because the owner name gets fed into the
hashed data).

--
Chris Thompson
Email: [EMAIL PROTECTED]
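Chris's two points above (the apex DNSKEY RRset is what a KSK signs, and identical DNSKEY rdata in two zones still yields different RRSIG input because the owner name is fed into the signed data), together with Mark's note that a DS only identifies the KSK, worked through in code. This is an added example, not code from the thread; the public-key bytes, zone names, TTL and timestamps are constructed, and the DS digest is computed with SHA-256 as a digest type 2 DS would (RFC 4034 section 5.1.4):

```python
"""Added example (not from the thread): two zones whose apex DNSKEY RRsets carry
byte-identical RDATA still produce different RRSIG signing input and different DS
records, because the owner name is part of both (RFC 4034 sections 3.1.8.1, 5.1.4).
The key tag, computed from RDATA alone, is the same in both zones.
Key bytes, zone names, TTL and timestamps are constructed for the example."""
import hashlib
import struct

TYPE_DNSKEY = 48
CLASS_IN = 1
KSK_FLAGS = 257                          # zone key (bit 7) plus SEP bit: a KSK
ALG_RSASHA256 = 8
DUMMY_PUBLIC_KEY = bytes(range(1, 33))   # constructed stand-in, not usable key material


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a name (RFC 4034 s6.2): lowercase, length-prefixed labels, root last."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: Flags(2) | Protocol(1, always 3) | Algorithm(1) | Public Key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B, algorithms other than 1): a function of RDATA only."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4034 s5.1.4): SHA-256(owner name wire form | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def rrsig_signing_input(zone: str, ttl: int, rdatas: list, algorithm: int,
                        expiration: int, inception: int, tag: int) -> bytes:
    """The octets an RRSIG over the apex DNSKEY RRset actually signs (RFC 4034 s3.1.8.1):
    RRSIG RDATA with the Signature field omitted, then every RR of the set in canonical
    form (owner | type | class | TTL | RDLENGTH | RDATA) and canonical order."""
    label_count = len([lbl for lbl in zone.rstrip(".").split(".") if lbl])
    rrsig_rdata = struct.pack("!HBBIIIH", TYPE_DNSKEY, algorithm, label_count, ttl,
                              expiration, inception, tag) + name_to_wire(zone)
    owner = name_to_wire(zone)
    rrs = b"".join(owner + struct.pack("!HHIH", TYPE_DNSKEY, CLASS_IN, ttl, len(rd)) + rd
                   for rd in sorted(rdatas))     # canonical RR ordering sorts by RDATA
    return rrsig_rdata + rrs


def compare_zones(zone_a: str, zone_b: str) -> dict:
    """Share one KSK between two zones and report what differs and what does not."""
    rdata = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, DUMMY_PUBLIC_KEY)
    tag = key_tag(rdata)
    inputs = {z: rrsig_signing_input(z, 3600, [rdata], ALG_RSASHA256,
                                     1229990400, 1227398400, tag) for z in (zone_a, zone_b)}
    return {
        "key_tag": tag,                                    # identical in both zones
        "ds": {z: ds_digest(z, rdata) for z in (zone_a, zone_b)},
        "signing_input_equal": inputs[zone_a] == inputs[zone_b],
        "signing_input_sha256": {z: hashlib.sha256(v).hexdigest() for z, v in inputs.items()},
    }


if __name__ == "__main__":
    report = compare_zones("myzone1.tld.", "myzone2.tld.")
    print("key tag (same in both zones):", report["key_tag"])
    for zone, digest in report["ds"].items():
        print(f"DS digest for {zone}: {digest}")
    print("RRSIG signing input identical across zones:", report["signing_input_equal"])
```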



Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Niall O'Reilly
On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:
> does anyone know if it is possible to sign multiple domains with one
> KSK?

Adam,

I suspect your question may need to be more specific.

Are you asking about the signing process itself, or rather 
about how certain aspects of this process need to be exposed
in the DNS?

The RFC-fragment you cite seems to me to require that each 
signed zone needs its set of [KZ]SK exposed in the DNS, but 
to be silent on whether a single key can be reused by appearing
as RDATA in the DNSKEY RRsets of multiple zones.

I haven't read 4033/4034 thoroughly, so it's possible I may 
have misunderstood completely.

Best regards,

Niall O'Reilly




Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Stephane Bortzmeyer
On Wed, Nov 19, 2008 at 09:55:52PM +0100,
 Adam Tkac <[EMAIL PROTECTED]> wrote 
 a message of 17 lines which said:

> If I understand correctly what RFC 4034, section 2.1.1 says ("... If
> bit 7 has value 1, then the DNSKEY record holds a DNS zone key, and
> the DNSKEY RR's owner name MUST be the name of a zone..."), it is
> impossible. Each zone has to have its own KSK and ZSK pair, doesn't
> it?

[Warning: still struggling with the subtleties of KSK/ZSK.]

The text you quote is for DNS publication. But you typically do not
put KSK in the DNS, no?

I would say, quoting Tolkien: one ZSK per zone, but only one KSK to
sign them all.

[AFNIC manages six TLDs so the answer interests us, too.]



Is it possible to use one KSK for multiple domains?

2008-11-19 Thread Adam Tkac
Hi all,

does anyone know if it is possible to sign multiple domains with one KSK?

If I understand correctly what RFC 4034, section 2.1.1 says ("... If bit 7
has value 1, then the DNSKEY record holds a DNS zone key, and the DNSKEY
RR's owner name MUST be the name of a zone..."), it is impossible. Each zone
has to have its own KSK and ZSK pair, doesn't it?

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.