Re: Problem with zone delegation with private gTLD
On Tue, 9 Apr 2019 at 06:32, Tony Finch wrote:
>
> Matthew Pounsett wrote:
> >
> > RFC2606 reserves test, example, invalid, and localhost, for "testing
> > and documentation,"
>
> However you must either disable validation or set up your own root zone to
> use them. [ RFC 6761 has more details than RFC 2606 about how to use these
> names. ]

Yes, that's right. The reason I referenced 2606 is that the subject under
discussion was the reason for the reservation, and 6761 defers to 2606 for
that.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with zone delegation with private gTLD
Matthew Pounsett wrote:
>
> RFC2606 reserves test, example, invalid, and localhost, for "testing
> and documentation,"

However you must either disable validation or set up your own root zone to
use them. [ RFC 6761 has more details than RFC 2606 about how to use these
names. ]

Tony.
--
f.anthony.n.finch  http://dotat.at/
Shannon, Rockall: East or southeast 3 or 4, occasionally 5 in Rockall and
later also in Shannon. Moderate, occasionally rough at first and later in far
west Shannon. Showers. Good, occasionally moderate.
Re: Problem with zone delegation with private gTLD
On Mon, 8 Apr 2019 at 14:33, Matus UHLAR - fantomas wrote:
>
> I don't find any of the existing domains suitable for more permanent usage.

Yes, and I believe that's the desirable situation. More permanent uses (such
as the (mis)use of .local you mentioned) should make use of registered
domains to ensure uniqueness.
Re: Problem with zone delegation with private gTLD
> On 08/04/2019 13:05, Matus UHLAR - fantomas wrote:
> > I believe there should be a reserved gTLD for such usage.

> On Mon, 8 Apr 2019 at 10:35, Xavier Humbert wrote:
> > Is this not what the TLD /.invalid/ is supposed to be ?

On 08.04.19 13:18, Matthew Pounsett wrote:
> RFC2606 reserves test, example, invalid, and localhost, for "testing and
> documentation," which seems to fit this use-case. 'invalid' doesn't seem to
> me to be intended for use as a generic private TLD though, as was suggested
> up-thread.
>
> However, if the OP is setting up a private network, with no Internet
> connection, for a demonstration, then any TLD at all could be used; a
> private root will be required regardless.

For temporary testing, .test may be suitable.

.local is reserved for mDNS (I've had to disable mDNS because someone uses
.local in the company network), home.arpa for HNCP (won't the above happen
here too?).

I don't find any of the existing domains suitable for more permanent usage.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.
Re: Problem with zone delegation with private gTLD
On Mon, 8 Apr 2019 at 10:35, Xavier Humbert wrote:
>
> On 08/04/2019 13:05, Matus UHLAR - fantomas wrote:
> > I believe there should be a reserved gTLD for such usage.
>
> Is this not what the TLD /.invalid/ is supposed to be ?

RFC2606 reserves test, example, invalid, and localhost, for "testing and
documentation," which seems to fit this use-case. 'invalid' doesn't seem to
me to be intended for use as a generic private TLD though, as was suggested
up-thread.

However, if the OP is setting up a private network, with no Internet
connection, for a demonstration, then any TLD at all could be used; a private
root will be required regardless.
Re: Problem with zone delegation with private gTLD
If you're doing stuff at really small scale, you can just define your own root
zone and put all of the records into it, including records in the "phishing"
subdomain, and any reverse records you care about (in the "in-addr.arpa"
and/or "ip6.arpa" subdomains). For that matter, if you only have 1 BIND
instance, you don't need to worry about recursion or master/slave replication.
BIND might complain if you only have 1 NS record associated with a given zone
name (since the standard says a minimum of 2), but you could just make up a
fictitious nameserver with a fictitious address, and BIND will quickly figure
out that it doesn't exist and stop trying to use it.

- Kevin

On Mon, Apr 8, 2019 at 5:51 AM Karl Lovink via bind-users
<bind-users@lists.isc.org> wrote:
> Hello,
> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
> a subdomain. The subdomain runs on another BIND9 server.
>
> The problem I'm facing is that the BIND9 server of the gTLD gives a
> NXDOMAIN for the NS record of the subdomain. I have no clue what is wrong.
>
> Can somebody point out what is wrong in my configuration?
>
> named.conf snippet:
>
>     view "phishing" {
>         match-clients { phishing_net; };
>         recursion yes;
>
>         zone "lab" {
>             type master;
>             file "/etc/bind/gTLD/lab";
>         };
>     };
>
> gTLD lab zone:
>
>     $TTL 60 ; TTL 60 seconds
>     $ORIGIN lab.
>     @       IN SOA vdns01.lab. hostmaster.vdns01.mgmt.lab. (
>                 2019040801
>                 10800
>                 3600
>                 604800
>                 38400 )
>
>             IN NS vdns01.lab.
>             IN MX mail.lab.
>
>     vdns01  IN A 192.168.111.200
>     mail    IN A 192.168.10.103
>
>     $ORIGIN acme.lab.
>     @       IN NS ns1.acme.lab.
>             IN NS vdns01.lab.
>     ns1.acme.lab. IN A 192.168.10.42
>
> Greetz,
> Karl
Re: Problem with zone delegation with private gTLD
On 4/8/19 3:42 PM, Karl Lovink via bind-users wrote:
> I cannot use a registered domain name because I'm building a phishing demo
> environment and I do not want to use an internet connection.

How exactly is this different from using a private TLD domain? In any way,
you have to provide an authoritative server for that zone. You can copy the
original root zone or create your own root. In any case you have to host your
domain.

In private DNS space, the chance of getting a collision is almost
non-existent; you can choose anything you want. Example domains might be
useful enough.

You need NS and A records in the root zone, and an authoritative host on your
zone. Some example can be found in BIND bin/tests/system/resolver [1].

>
> Kind regards,
> Karl
>
> On 8 Apr 2019, at 13:06, Matus UHLAR - fantomas wrote:
>
>>> Karl Lovink via bind-users wrote:
>>>> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
>>>> a subdomain.
>>

1. https://gitlab.isc.org/isc-projects/bind9/tree/master/bin/tests/system/resolver

Regards,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973
Re: Problem with zone delegation with private gTLD
On 08/04/2019 13:05, Matus UHLAR - fantomas wrote:
> I believe there should be a reserved gTLD for such usage.

Is this not what the TLD /.invalid/ is supposed to be ?

Xavier
--
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Rectorat de Nancy-Metz
03 83 86 27 39
Re: Problem with zone delegation with private gTLD
Karl Lovink via bind-users wrote:
> I cannot use a registered domain name because I'm building a phishing
> demo environment and I do not want to use an internet connection.

It's not particularly easy to get a resolver to work without an Internet
connection. You'll need to set up your own root zone, and configure your
resolver with root hints pointing at your root server(s). I don't know if
there's a handy how-to out there for this kind of testbed...

Tony.
--
f.anthony.n.finch  http://dotat.at/
Sole: Cyclonic 5 or 6, becoming east 4 or 5. Rough, occasionally moderate at
first in east. Thundery showers. Good, occasionally poor.
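The three pieces Tony describes here (own root zone, root hints pointing at it, validation disabled), which Petr ("NS and A records in root zone") and Kevin ("define your own root zone") also call for, as one runnable script. This is an added example and not code from the thread, from ISC or from any poster. Constructed assumptions: the gTLD server vdns01.lab at 192.168.111.200 (the address in Karl's zone) also serves the private root, acme.lab is delegated to 192.168.10.42 as in his zone, the ACL `phishing_net` is defined elsewhere in named.conf as his snippet implies, and the output file names under /etc/bind/private are invented.

```shell
#!/bin/sh
# Added example (not from the thread or from ISC): generate a BIND 9
# private-root testbed so a resolver can work with no Internet connection.
# Constructed assumptions: vdns01.lab (192.168.111.200 in Karl's zone) also
# serves the root; the ACL "phishing_net" is defined elsewhere in named.conf.
set -eu

ROOT_NS="vdns01.lab."
ROOT_IP="192.168.111.200"
SERIAL="2019040801"

# Private root zone: apex SOA/NS, a delegation of "lab." to the gTLD server,
# and the glue A record without which that delegation cannot be followed.
root_zone() {
  cat <<EOF
\$TTL 60
.            IN SOA $ROOT_NS hostmaster.$ROOT_NS ( $SERIAL 10800 3600 604800 38400 )
.            IN NS  $ROOT_NS
lab.         IN NS  $ROOT_NS
$ROOT_NS  IN A   $ROOT_IP
EOF
}

# Root hints for any other recursive server on the lab network: it must be
# told that "." lives on the private root, not on the IANA root servers.
root_hints() {
  cat <<EOF
.            3600000 IN NS $ROOT_NS
$ROOT_NS  3600000 IN A  $ROOT_IP
EOF
}

# The gTLD server's view: authoritative for "." and "lab", recursive for lab
# clients. The private root has no chain from the IANA trust anchor, so
# validation is off in this view (the alternative is to sign the private root
# and configure its key with trust-anchors).
named_conf() {
  cat <<EOF
view "phishing" {
    match-clients { phishing_net; };
    recursion yes;
    dnssec-validation no;

    zone "." {
        type master;
        file "/etc/bind/private/root.zone";
    };

    zone "lab" {
        type master;
        file "/etc/bind/gTLD/lab";
    };
};
EOF
}

# Resolver-only view for a second BIND instance on the same network.
resolver_conf() {
  cat <<EOF
view "phishing" {
    match-clients { phishing_net; };
    recursion yes;
    dnssec-validation no;

    zone "." {
        type hint;
        file "/etc/bind/private/root.hint";
    };
};
EOF
}

# Delegation check: every NS named at delegation point "$2" in zone file "$1"
# must have an A record in the same file (in-bailiwick glue). Prints the
# names that lack glue; prints nothing when the delegation is sound.
missing_glue() {
  awk -v child="$2" '
    $1 == child && $3 == "NS" { need[$4] = 1 }
    $3 == "A"                 { have[$1] = 1 }
    END { for (n in need) if (!(n in have)) print n }
  ' "$1"
}

# Write all four files into the directory given as $1 and check the root zone.
write_testbed() {
  dir="$1"
  mkdir -p "$dir"
  root_zone     > "$dir/root.zone"
  root_hints    > "$dir/root.hint"
  named_conf    > "$dir/named.conf.gtld"
  resolver_conf > "$dir/named.conf.resolver"
  # Use BIND's own checker when installed; the awk check runs regardless.
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone . "$dir/root.zone"
  fi
  if [ -n "$(missing_glue "$dir/root.zone" lab.)" ]; then
    echo "root.zone: delegation of lab. lacks glue" >&2
    return 1
  fi
}

if [ -n "${1:-}" ]; then
  write_testbed "$1"
fi
```

Run it as `sh private_root.sh /etc/bind/private`, include the generated view in named.conf, and test from a lab client with `dig @192.168.111.200 ns1.acme.lab A`; the same query with `+norecurse` should come back as a referral (acme.lab NS records in AUTHORITY, ns1.acme.lab's A record in ADDITIONAL). Two checks worth running on the posted lab zone itself: `named-checkzone lab /etc/bind/gTLD/lab`, since an MX record needs a preference number before the exchange name and a zone that fails to load is not served at all, and confirming that every server listed as NS for acme.lab (vdns01.lab included) really answers authoritatively for acme.lab, because a listed server that does not is lame for that delegation.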
Re: Problem with zone delegation with private gTLD
I cannot use a registered domain name because I'm building a phishing demo
environment and I do not want to use an internet connection.

Kind regards,
Karl

On 8 Apr 2019, at 13:06, Matus UHLAR - fantomas wrote:
>> Karl Lovink via bind-users wrote:
>>> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
>>> a subdomain.
>
> On 08.04.19 12:00, Tony Finch wrote:
>> Why a TLD?
>>
>> You will have fewer problems if you get a properly registered domain and
>> set up a subdomain of that for private use.
>
> Many users/organizations use private TLDs, just like they often use private
> IP ranges instead of public.
>
> I believe there should be a reserved gTLD for such usage.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I wonder how much deeper the ocean would be without sponges.
Re: Problem with zone delegation with private gTLD
On 4/8/19 1:05 PM, Matus UHLAR - fantomas wrote:
>> Karl Lovink via bind-users wrote:
>>> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
>>> a subdomain.
>
> On 08.04.19 12:00, Tony Finch wrote:
>> Why a TLD?
>>
>> You will have fewer problems if you get a properly registered domain and
>> set up a subdomain of that for private use.
>
> Many users/organizations use private TLDs, just like they often use
> private IP ranges instead of public.
>
> I believe there should be a reserved gTLD for such usage.
>

I believe there is a test domain reserved for similar usage. Or the home.arpa
domain.

Organizations should use their own (sub)domain, especially if they use
DNSSEC. Individuals usually lack a domain they can control. Organizations
often lack good practices to limit some subdomain for private usage. The
complicated setup of secure delegation on some DNS providers might be
responsible.

I think a DNS search suffix might help with longer domain usage. But it is
also considered insecure.

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973
Problem with zone delegation with private gTLD
Matus UHLAR - fantomas wrote:
>
> Many users/organizations use private TLDs, just like they often use
> private IP ranges instead of public.

Smoking is popular too but that doesn't mean it's a good idea :-)

> I believe there should be a reserved gTLD for such usage.

That's a very bad idea, because it would cause huge problems for the browser
same origin security model. You'd leak intranet cookies and passwords
anywhere that uses the reserved TLD.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Forth, Tyne: Northeast 4, veering east 4 or 5. Moderate. Showers. Good.
Re: Problem with zone delegation with private gTLD
> Karl Lovink via bind-users wrote:
>> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
>> a subdomain.

On 08.04.19 12:00, Tony Finch wrote:
> Why a TLD?
>
> You will have fewer problems if you get a properly registered domain and
> set up a subdomain of that for private use.

Many users/organizations use private TLDs, just like they often use private
IP ranges instead of public.

I believe there should be a reserved gTLD for such usage.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
Re: Problem with zone delegation with private gTLD
Karl Lovink via bind-users wrote:
> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
> a subdomain.

Why a TLD?

You will have fewer problems if you get a properly registered domain and set
up a subdomain of that for private use.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Selsey Bill to Lyme Regis: Variable 3 or less, becoming northeast 4 later.
Smooth, becoming slight, occasionally moderate later offshore. Occasional
rain. Good, occasionally moderate.
Problem with zone delegation with private gTLD
Hello,

I am trying to set up a private gTLD with BIND9 and underneath that gTLD a
subdomain. The subdomain runs on another BIND9 server.

The problem I'm facing is that the BIND9 server of the gTLD gives a NXDOMAIN
for the NS record of the subdomain. I have no clue what is wrong.

Can somebody point out what is wrong in my configuration?

named.conf snippet:

    view "phishing" {
        match-clients { phishing_net; };
        recursion yes;

        zone "lab" {
            type master;
            file "/etc/bind/gTLD/lab";
        };
    };

gTLD lab zone:

    $TTL 60 ; TTL 60 seconds
    $ORIGIN lab.
    @       IN SOA vdns01.lab. hostmaster.vdns01.mgmt.lab. (
                2019040801
                10800
                3600
                604800
                38400 )

            IN NS vdns01.lab.
            IN MX mail.lab.

    vdns01  IN A 192.168.111.200
    mail    IN A 192.168.10.103

    $ORIGIN acme.lab.
    @       IN NS ns1.acme.lab.
            IN NS vdns01.lab.
    ns1.acme.lab. IN A 192.168.10.42

Greetz,
Karl