Re: Complete DNS fake root setup example

2016-01-20 Thread Bob Harold
On Wed, Jan 20, 2016 at 12:12 PM, MURTARI, JOHN wrote:
> Folks,
>
> Had to do some testing where we wanted our own insulated
> fake root environment. We wanted to start from simulated root name servers.
> I was surprised I couldn’t find a complete example even after some extensive
> searches.
>
>
>
> The concepts are easy, but the devil is in the details.   We
> had done this before, but no one ever kept notes so I figured by posting it
> on the list it will eventually find its way into Google.   Here are the
> setup instructions below, name & ip address have been changed to protect the
> innocent!   Your comments/suggestions are welcome!
>

Not a bad idea.  Some comments:

/etc/resolv.conf should point to a recursive resolver, not a
non-recursive authoritative server.  Hosts 6, 7, 12, and 13 should all
be non-recursive authoritative servers.  There should be a separate
resolver.

Looks like the contents of "db.bongo.com" were not fully anonymized.

-- 
Bob Harold
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Complete DNS fake root setup example

2016-01-20 Thread MURTARI, JOHN
--- Original msg
On Wed, Jan 20, 2016 at 05:12:44PM +, MURTARI, JOHN wrote:
> Folks,
> Had to do some testing where we wanted our own
> insulated fake root environment. We wanted to start
> from simulated root name servers.  I was surprised I
> couldn't find a complete example even after some
> extensive searches.
> 
> The concepts are easy, but the devil is in the
> details.  We had done this before, but no one ever
> kept notes so I figured by posting it on the list it
> will eventually find its way into Google.  Here are
> the setup instructions below, name & ip address have
> been changed to protect the innocent!  Your
> comments/suggestions are welcome!

The key parts are the root hints and the trust anchors. You can see
several such fake root configurations in the BIND 9 system tests (look
in bin/tests/system), e.g., the resolver system test.
Mukund
--- Original msg

Thanks for that.  I took a look in the distribution at the directories you 
mentioned. There is very little explanatory text.  Not so sure someone
would find it useful in setting up their own fake root and a delegation
path.

John




Re: Complete DNS fake root setup example

2016-01-20 Thread btb

On 2016.01.20 12.12, MURTARI, JOHN wrote:

> Folks,
>
> Had to do some testing where we wanted our own
> insulated fake root environment. We wanted to start from simulated root
> name servers.  I was surprised I couldn’t find a complete example even
> after some extensive searches.
>
> The concepts are easy, but the devil is in the
> details.   We had done this before, but no one ever kept notes so I
> figured by posting it on the list it will eventually find its way into
> Google.   Here are the setup instructions below, name & ip address have
> been changed to protect the innocent!   Your comments/suggestions are
> welcome!


my suggestion would be to not use other people's domain names and ip 
addresses when protecting the innocent.  after all, they're innocent 
too, and i'd imagine you wouldn't want them using your domain name in 
their examples ;) .  various rfcs [6761, 3330, others] provide for these 
needs.


-ben
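
A check for the anonymization problem raised in this thread (the note that "db.bongo.com" was not fully anonymized, and the pointer to RFC 6761 and RFC 3330), as an added example that is not part of any poster's message. The function names and the sample zone are constructed for illustration, the RFC 5737 and RFC 1918 ranges go beyond the RFCs named above, and only IPv4 and absolute (dot-terminated) names are checked.

```python
import ipaddress
import re

# IPv4 blocks safe to publish: documentation ranges (192.0.2.0/24 is TEST-NET
# in RFC 3330; RFC 5737 adds two more) and RFC 1918 private space.
SAFE_NETS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Special-use domain names reserved by RFC 6761.
SAFE_SUFFIXES = ("test", "example", "invalid", "localhost",
                 "example.com", "example.net", "example.org")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Absolute names only (trailing dot), as they appear in zone files.
FQDN_RE = re.compile(r"\b((?:[a-z0-9_-]+\.)+)(?=\s|$)", re.I)

def is_safe_ip(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return True  # not a real address (e.g. 999.1.1.1); nothing to leak
    return any(addr in net for net in SAFE_NETS)

def is_safe_name(name):
    n = name.rstrip(".").lower()
    return any(n == s or n.endswith("." + s) for s in SAFE_SUFFIXES)

def find_unreserved(zone_text):
    """Return (line_no, value) for each name or IPv4 outside the safe sets."""
    hits = []
    for no, line in enumerate(zone_text.splitlines(), 1):
        data = line.split(";", 1)[0]  # assumption: comments are not scanned
        hits += [(no, ip) for ip in IPV4_RE.findall(data) if not is_safe_ip(ip)]
        hits += [(no, nm) for nm in FQDN_RE.findall(data) if not is_safe_name(nm)]
    return hits

# Constructed sample zone: "bongo.com" is the file name mentioned in the thread,
# 8.8.8.8 stands in for a production address that was left behind.
SAMPLE_ZONE = """\
$ORIGIN bongo.com.
@    IN SOA ns1.bongo.com. hostmaster.example.com. 1 3600 600 86400 60
     IN NS  ns1.lab.test.
ns1  IN A   192.0.2.6
www  IN A   8.8.8.8   ; left over from production
"""

if __name__ == "__main__":
    for line_no, value in find_unreserved(SAMPLE_ZONE):
        print(f"line {line_no}: {value} is not a reserved example value")
```

Anything it reports needs a manual look before the file is posted; reverse-zone names under in-addr.arpa are reported too, since they encode addresses.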


Re: Complete DNS fake root setup example

2016-01-20 Thread Mukund Sivaraman
Hi John

On Wed, Jan 20, 2016 at 05:12:44PM +, MURTARI, JOHN wrote:
> Folks,
> Had to do some testing where we wanted our own
> insulated fake root environment. We wanted to start
> from simulated root name servers.  I was surprised I
> couldn't find a complete example even after some
> extensive searches.
> 
> The concepts are easy, but the devil is in the
> details.  We had done this before, but no one ever
> kept notes so I figured by posting it on the list it
> will eventually find its way into Google.  Here are
> the setup instructions below, name & ip address have
> been changed to protect the innocent!  Your
> comments/suggestions are welcome!

The key parts are the root hints and the trust anchors. You can see
several such fake root configurations in the BIND 9 system tests (look
in bin/tests/system), e.g., the resolver system test.

Mukund

