Re: incorrect section name: $ORIGIN
@lbutlr wrote:
>
> No. I was under the impression that when bind reloaded (rndc reload
> and/or service named stop/start and/or service named reload) and saw a
> new serial number, it would generate a new .signed file for that zone as
> part of the process of refreshing its information and notifying the
> slaves.

It's all incremental these days, because regenerating the signed zone from
scratch can be very expensive.

In general, if you are using modern features like update-policy and
auto-dnssec, then `named` considers that it has complete responsibility for
the zone files (because it needs to be able to update them whenever
necessary), which is why you have to explicitly freeze and thaw them. As far
as I know, inline-signing doesn't allow you to escape this requirement, but
I don't use it so I may be wrong.

> So, right now, given that I did not freeze/thaw nor did I make the edits
> via nsupdate, how do I get the .signed files to be regenerated from the
> existing example.com zone file?

Stop the server, delete the .signed and .signed.jnl files, and restart the
server.

Tony.
--
f.anthony.n.finch  http://dotat.at/
sovereignty rests with the people and authority in a democracy derives from
the people

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: incorrect section name: $ORIGIN
> On 5 Feb 2019, at 04:57, Tony Finch wrote:
>
> @lbutlr wrote:
>>
>> OK, then how do I get Bind9.122 to update the .signed files?
>
> Did you see my previous message?

I did not, sorry.

> https://lists.isc.org/pipermail/bind-users/2019-February/101335.html
>
>> Are you doing `rndc freeze` and `rndc thaw` before and after editing the
>> unsigned zone file?

No. I was under the impression that when bind reloaded (rndc reload and/or
service named stop/start and/or service named reload) and saw a new serial
number, it would generate a new .signed file for that zone as part of the
process of refreshing its information and notifying the slaves.

It appears that I need an entirely different workflow than the one I've
been using for the last couple of decades of editing the zone files and
reloading the DNS server.

So, to update a zone now I should either use nsupdate to make the changes,
or I should rndc freeze, edit the file, rndc thaw.

>> How are you checking the signed zone?

dig +dnssec example.com @127.0.0.1

So, right now, given that I did not freeze/thaw nor did I make the edits
via nsupdate, how do I get the .signed files to be regenerated from the
existing example.com zone file?

--
Two, Four, Six, Eight! Time to Transubstantiate!
Re: incorrect section name: $ORIGIN
@lbutlr wrote:
>
> OK, then how do I get Bind9.122 to update the .signed files?

Did you see my previous message?

https://lists.isc.org/pipermail/bind-users/2019-February/101335.html

Tony.
--
f.anthony.n.finch  http://dotat.at/
Southeast Iceland: Easterly 7 to severe gale 9, occasionally storm 10 in
west, veering southerly 4 later in south. Rough or very rough, becoming very
rough or high. Rain then snow. Moderate or poor.
Re: incorrect section name: $ORIGIN
On 4 Feb 2019, at 05:34, Tony Finch wrote:
> nsupdate doesn't take zone files as input;

OK, then how do I get Bind9.122 to update the .signed files?

--
Can't seem to face up to the facts
Tense and nervous and I can't relax
Can't sleep, bed's on fire
Don't touch me I'm a real live wire
Re: incorrect section name: $ORIGIN
On 2/4/19 9:47 AM, Alan Clegg wrote:
> On 2/4/19 7:03 AM, @lbutlr wrote:
>
>> # nsupdate -d -v -l example.com
>> Creating key...
>> namefromtext
>> keycreate
>> incorrect section name: $ORIGIN
>
> I'd recommend that you use nsupdate in interactive mode first.

The point of this, which I had forgotten by the time I got done with the
examples, was: the file that you pass in to `nsupdate` is the "update add"
and "update delete" commands that I gave samples of in the previous mail.

Also, you probably don't want/need the "-v" command line option on
nsupdate.

AlanC
Re: incorrect section name: $ORIGIN
On 2/4/19 7:03 AM, @lbutlr wrote:
> # nsupdate -d -v -l example.com
> Creating key...
> namefromtext
> keycreate
> incorrect section name: $ORIGIN

I'd recommend that you use nsupdate in interactive mode first.

--SNIP--
root@svlg-gateway:/etc/namedb# nsupdate -l
> update add funnyrecord.boat 3600 in a 1.1.1.1
> send
> quit
--SNIP--

Here, I've added an A record "funnyrecord.boat" to the local nameserver.
It was accepted (no error message) and the record was signed:

--SNIP--
root@svlg-gateway:/etc/namedb# dig funnyrecord.boat +dnssec

; <<>> DiG 9.13.5 <<>> funnyrecord.boat +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35274
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 840786d22b259dd36f9300b85c584de5adea6d3ab34b6fde (good)
;; QUESTION SECTION:
;funnyrecord.boat.              IN      A

;; ANSWER SECTION:
funnyrecord.boat.       3600    IN      A       1.1.1.1
funnyrecord.boat.       3600    IN      RRSIG   A 8 2 3600 20190306143508 20190204133508 27363 boat. ULJiOVWd3jordtZZnp/1wUZul8Y6xLcEu0kh8mtCDFXGG2QlsKdyeZxb dO54X241NOJRN6dI2RKH05DtErlhFHjLpnrus4BahuZKbWeuOXApCZ4r +XPqManyq+3hyEFCJ8QM1fHSBbuDIyz7nKjr+T+xh/8pUowqNgMoBx+Y 08c=

;; Query time: 1 msec
;; SERVER: 44.127.8.1#53(44.127.8.1)
;; WHEN: Mon Feb 04 14:36:21 UTC 2019
;; MSG SIZE  rcvd: 253
--SNIP--

I can also remove records:

--SNIP--
root@svlg-gateway:/etc/namedb# nsupdate -l
> update delete funnyrecord.boat
> send
> quit

root@svlg-gateway:/etc/namedb# dig funnyrecord.boat +dnssec

; <<>> DiG 9.13.5 <<>> funnyrecord.boat +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16202
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 044b781a89250d108be3c3345c584e25b636b5386f74056a (good)
;; QUESTION SECTION:
;funnyrecord.boat.              IN      A

;; AUTHORITY SECTION:
boat.                   300     IN      SOA     admin. ns1.boat. 169 3600 600 86400 300
boat.                   300     IN      RRSIG   SOA 8 1 8600 20190306143720 20190204133720 27363 boat. rx9ZfD6u9O5Hz1+1KkUnr0kqq8k45ljYmTQj1kFb6xQ7HFG13XkMkzbl DDzjAoO1BIymYm8S1Kxq5lMXPNvAnPEChlhRW6xWVnWg4UyWnkzkzRCc hME2NdE4WxSDZ3MMAnEELk29whmYcPIKVQJPgYjtHFJ7KS23PgoWb0qp ciA=
boat.                   300     IN      NSEC    alans-time-capsule.boat. NS SOA RRSIG NSEC DNSKEY TYPE65534
boat.                   300     IN      RRSIG   NSEC 8 1 300 20190222045229 20190123035229 27363 boat. AevHxXgaJkotnUTv1jUJnBigUjkUO4gcI/V5AieuCR4cBdxMiRYa1WYS pI+qPQcAzgTf7p/0RCXq45CVrjiXCoh/eEaQgxlqASSCTabCgVE9i0Dw eVgE6NDXe4gtu3GEjhecCj3x3Xd2q6DEWYYQNJkg6fjjZr8xYCsjdYhw V88=
canboat.boat.           300     IN      NSEC    Google-Home-Mini.boat. A TXT RRSIG NSEC
canboat.boat.           300     IN      RRSIG   NSEC 8 2 300 20190306143720 20190204133720 27363 boat. RGLL6h/nX4/MMt+b2w9BA8LAg3R+5oXn73KG6DAKP57Q1Ak+NyFBYeil 4Pkz5w7qgA4k4nRrriTJ0kmckTlaODfx1KWZEOR33nqctK37lOIaenmx Rd7d98qP7/+A0v68T5DSXI9ZNlx5688isxXo2ZTLP2bKFEWYbDZXBEtr DdM=

;; Query time: 1 msec
;; SERVER: 44.127.8.1#53(44.127.8.1)
;; WHEN: Mon Feb 04 14:37:25 UTC 2019
;; MSG SIZE  rcvd: 741
--SNIP--

Those are the basic things you can do with nsupdate... add and delete.
Changes are done by deleting the old and then adding the new. The SOA
record is updated automatically and all is well with the world.

AlanC
Re: incorrect section name: $ORIGIN
@lbutlr wrote:
>
> # nsupdate -d -v -l example.com

nsupdate doesn't take zone files as input; instead it takes a list of
(incremental) changes. The "invalid section" error refers to keywords in
nsupdate syntax which refer to parts of DNS UPDATE messages: the prereq
section, the update section, etc. See the INPUT FORMAT part of the nsupdate
man page for details.

You are trying to do what nsdiff does:

http://dotat.at/prog/nsdiff/

which turns the difference between two zone files into an nsupdate script.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Channel Islands: South to southwest 6 to gale 8 decreasing 3 to 4 by dusk
across west of area veering northwest then north this evening, locally
variable 2 by midnight across east of area, after dusk backing southeast
after dawn all areas, southeast to south 4 to 5. Rather rough to rough,
decreasing moderate during afternoon, further decreasing slight to moderate
during the evening slight overnight then slight to moderate by noon.
Periods of rain and drizzle, especially south of area occasional mist with
fog patches from mid-afternoon. Moderate to poor, locally very poor from
mid-afternoon.
incorrect section name: $ORIGIN
Here is a domain zone file for example.com which is hosted by covisp.net:

$ORIGIN .
$TTL 86400      ; 1 day
example.com.            IN SOA  ns1.covisp.net. admin.example.com. (
                                2019020100 ; serial
                                300        ; refresh (5 minutes)
                                300        ; retry (5 minutes)
                                18000      ; expire (5 hours)
                                604800     ; minimum (1 week)
                                )
                        NS      ns1.covisp.net.
                        NS      ns2.covisp.net.
                        NS      ns3.covisp.net.
                        A       65.121.55.45
                        MX      10 mail.covisp.net.
$ORIGIN example.com.
webdav                  CNAME   www.covisp.net.
www                     CNAME   www.covisp.net.
$INCLUDE Kexample.com.+007+16695.key
$INCLUDE Kexample.com.+007+34313.key

named.conf:

zone "example.com" {
        type master;
        file "master/example.com.signed";
        update-policy local;
        auto-dnssec maintain;
};

# nsupdate -d -v -l example.com
Creating key...
namefromtext
keycreate
incorrect section name: $ORIGIN
syntax error

So, what is wrong with $ORIGIN? Bind itself doesn't complain.

--
THE PLEDGE OF ALLEGIANCE DOES NOT END WITH HAIL SATAN
        Bart chalkboard Ep. 1F16