Re: Unbound Configuration
--- I said:
> Thinking that an absolutely empty unbound.conf file would be the
> simplest, I tried it. It doesn't work.

Nope. That is not true. I don't know how it happened, but my box wound up without a default route.

An absolutely empty unbound.conf works just fine.

Thanks,
Ken

CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient and may contain material that is proprietary, confidential, privileged or otherwise legally protected or restricted under applicable government laws. Any review, disclosure, distributing or other use without expressed permission of the sender is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies without reading, printing, or saving.
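An added example for the "simplest possible unbound.conf" question (editor's script, not code from the thread, from OpenBSD or from NLnet Labs). The empty file that works above is not magic: unbound's compiled-in defaults listen on 127.0.0.1 and ::1, refuse every client that is not localhost, and recurse to the roots with no forwarders. The first function writes exactly those defaults down so they can be reviewed; the second is the LAN-serving variant, placed next to the howto snippet quoted further down the thread (interface 0.0.0.0 plus access-control 192.168.0.0/16), which exposes port 53 on every interface and still refuses clients on the 172.24.x networks this thread uses; the third is the check sequence that proves the resolver works independently of what /etc/resolv.conf points at. Assumptions: OpenBSD paths (/var/unbound/etc/unbound.conf, rcctl(8)) and the 172.24.x prefixes as illustrative LAN ranges.

```shell
#!/bin/sh
# Added example, not from the thread. The "simplest possible" unbound.conf
# written out explicitly, the LAN-serving variant next to it, and the checks
# that prove the resolver works. Assumptions: OpenBSD paths (config in
# /var/unbound/etc/unbound.conf, service managed with rcctl(8)); the 172.24.x
# networks are the ones that appear elsewhere in the thread.

CONF=/var/unbound/etc/unbound.conf

# 1. Loopback-only resolver. An empty unbound.conf behaves the same way:
#    unbound's compiled-in defaults listen on 127.0.0.1 and ::1, refuse every
#    client that is not localhost, and recurse to the root servers with no
#    forwarders. Writing the defaults down just makes them reviewable.
minimal_unbound_conf() {
	cat <<'EOF'
server:
	interface: 127.0.0.1
	interface: ::1
	access-control: 127.0.0.0/8 allow
	access-control: ::1 allow
	hide-identity: yes
	hide-version: yes
	use-syslog: yes
	verbosity: 1
EOF
}

# 2. Serving LAN clients. The howto snippet quoted in the thread binds
#    0.0.0.0 and ::0 and allows 192.168.0.0/16: that exposes port 53 on every
#    interface, and hosts on 172.24.x would still be refused. Bind the LAN
#    address and allow exactly the LAN prefixes instead.
#    usage: lan_unbound_conf 172.24.10.1 172.24.10.0/24 172.24.20.0/24
lan_unbound_conf() {
	lan_ip=$1; shift
	printf 'server:\n'
	printf '\tinterface: 127.0.0.1\n'
	printf '\tinterface: %s\n' "$lan_ip"
	printf '\taccess-control: 127.0.0.0/8 allow\n'
	for net in "$@"; do
		printf '\taccess-control: %s allow\n' "$net"
	done
	printf '\taccess-control: 0.0.0.0/0 refuse\n'   # the default, stated explicitly
	printf '\thide-identity: yes\n\thide-version: yes\n'
	printf '\tuse-syslog: yes\n\tverbosity: 1\n'
}

# 3. Prove it. Query 127.0.0.1 directly: "ping: no address associated with
#    name" only says what /etc/resolv.conf points at, not whether unbound works.
verify_unbound() {
	unbound-checkconf "$CONF" || return 1
	rcctl enable unbound
	rcctl -d restart unbound || return 1     # -d prints the command and any error
	rcctl check unbound || return 1
	# An A record back from the roots, not SERVFAIL, proves recursion works.
	dig +short openbsd.org @127.0.0.1 | grep -q . || return 1
	# Only then point the host at it: "nameserver 127.0.0.1" in /etc/resolv.conf
	grep -q '^nameserver 127.0.0.1' /etc/resolv.conf || echo "resolv.conf does not use 127.0.0.1" >&2
}

case "${1:-}" in
	minimal) minimal_unbound_conf ;;
	lan)     shift; lan_unbound_conf "$@" ;;
	verify)  verify_unbound ;;
esac
```

Run it as "sh unbound-min.sh minimal > /var/unbound/etc/unbound.conf" (or "lan 172.24.10.1 172.24.10.0/24 ..."), then "sh unbound-min.sh verify". The ACL is longest-prefix match, so the explicit 0.0.0.0/0 refuse line does not have to come last; it is there so the policy is visible in the file.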
Re: Unbound Configuration
I said:
> Thinking that an absolutely empty unbound.conf file
> would be the simplest, I tried it. It doesn't work.

However, unbound-checkconf likes it just fine.

$ unbound-checkconf /var/unbound/etc/unbound.conf
unbound-checkconf: no errors in /var/unbound/etc/unbound.conf
Re: Unbound Configuration
--- I asked:
> What I would like to do now is make the *simplest
> possible* unbound.conf file and get it working.

Thinking that an absolutely empty unbound.conf file would be the simplest, I tried it. It doesn't work.

Can anybody help me with the simplest possible unbound.conf file???

Thanks,
Ken
Unbound Configuration
Thanks for all of the help so far, but I am completely failing. Nothing I have tried will make unbound work.

What I would like to do now is make the *simplest possible* unbound.conf file and get it working. Then I want to add more and more stuff, to get to the point I want.

I have searched for such a tutorial on the internet, but can't find one.

Can anybody help me out with the *simplest possible* unbound.conf file, just to get it working???

Thanks,
Ken
Re: Hardware Random Number Generators (RNG)
--- Theo de Raadt wrote:
> And I went out of my way to politely explain it to you

I would like a more detailed explanation, because I don't yet understand. That's why I asked for literature I could read.

Thanks,
Ken
Re: Hardware Random Number Generators (RNG)
--- Theo de Raadt wrote:
> And I don't give a rats ass about a cheap-ass garbage usb device
> that can't even afford to allocate a proper usb device ID.
> I don't care.

I get that you think I'm wrong (and maybe I am!) but I don't yet understand why.

Can you point me to some literature on the topic?

Thanks,
Ken

PS I think the USB devices are probably a pretty good source of true entropy.
Re: Hardware Random Number Generators (RNG)
I wrote:
>> How do I use a hardware random number generator to
>> continuously seed /dev/random with new truly random numbers?

--- Theo de Raadt wrote:
> We consider these devices boring, because the kernel does a good enough job
> creating random.
> randomness only has a bootstrap problem. And these devices don't solve the
> bootstrap problem.

I'm thinking of headless servers, where randomness can ONLY come from the network. There is no keyboard, no mouse, etc.

I'm also thinking of first boot after install, when keys are generated. I think that is what you mean by the bootstrap problem.

Thanks,
Ken

PS I'm also thinking of very old hardware, without RDRAND in the CPU. Not to mention that you can't necessarily trust RDRAND!
Hardware Random Number Generators (RNG)
I have a few TrueRNG hardware random number generators. They are USB devices, and generally appear as modems.

How do I use them to continuously seed /dev/random with new truly random numbers?

It's got to be something very simple like

tail -f /dev/TrueRNG > /dev/random

or something like that. Right?

Thanks,
Ken
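An added example (editor's script, not code from the thread, and not an argument with the replies above about whether it is needed). If you do push a TrueRNG's output into the pool, the part worth getting right is not the copy but the gate in front of it: a cheap USB device that dies, sticks, or is unplugged and replaced by something else will happily emit zeros or a constant forever, and nothing in "dd of=/dev/random" would notice. The script reads the device with dd in raw mode rather than tail -f, so the tty layer does not translate or drop bytes, refuses to feed anything that fails a crude distribution check, and then trickles a modest stream in. Assumptions: the device attaches as a USB modem and appears as /dev/cuaU0 (umodem(4) on OpenBSD; the unit number is a guess), and that bytes written to /dev/random are mixed into the kernel pool, which is my reading of random(4) and should be checked on your release. OpenBSD keeps no entropy estimate and its /dev/random never blocks, so this adds to the kernel's own sources rather than "seeding" anything.

```shell
#!/bin/sh
# Added example, not from the thread: how one would actually pipe a USB TrueRNG
# into the OpenBSD pool, with a gate in front of it. Assumptions: the device
# attaches as a USB modem and shows up as /dev/cuaU0 (umodem(4); the unit number
# is a guess), and, per random(4) as I read it, bytes written to /dev/random are
# mixed into the kernel pool (there is no entropy counter to "credit", and the
# pool never blocks, so this only adds to what the kernel already gathers).

# rng_sanity SRC [NBYTES]: read NBYTES (default 4096) from SRC and fail unless
# the sample has at least 200 distinct byte values and no value makes up more
# than 2% of it. Crude, but it catches a dead, stuck or all-zero device, which
# is the failure mode a cheap USB stick is most likely to have. It does not
# prove randomness; nothing this short can.
rng_sanity() {
	src=$1; n=${2:-4096}
	tmp=$(mktemp) || return 2
	# bs=1 so a short read from a serial device cannot shorten the sample
	dd if="$src" of="$tmp" bs=1 count="$n" 2>/dev/null
	# histogram of byte values: "<count> <value>" per line
	counts=$(od -An -v -tu1 "$tmp" | tr -s ' ' '\n' | grep . | sort -n | uniq -c)
	rm -f "$tmp"
	distinct=$(printf '%s\n' "$counts" | grep -c .)
	maxcount=$(printf '%s\n' "$counts" | sort -rn | head -n 1 | awk '{print $1+0}')
	[ "$distinct" -ge 200 ] && [ "$maxcount" -le $((n / 50)) ]
}

# feed_random DEV: after the gate passes, copy a modest stream into the pool.
# There is no point in hammering it; 1 KiB a minute is plenty for a headless
# box whose only concern is entropy early after boot.
feed_random() {
	dev=${1:-/dev/cuaU0}
	# raw mode so the tty layer does not translate or strip bytes (Linux: stty -F)
	stty -f "$dev" raw -echo || return 1
	rng_sanity "$dev" 4096 || { echo "$dev failed the sanity gate; not feeding" >&2; return 1; }
	while dd if="$dev" of=/dev/random bs=64 count=16 2>/dev/null; do
		sleep 60
	done
}

case "${1:-}" in
	check) rng_sanity "${2:-/dev/cuaU0}" && echo "sample looks random" ;;
	feed)  feed_random "${2:-/dev/cuaU0}" ;;
esac
```

"sh truerng.sh check /dev/cuaU0" runs only the gate; "sh truerng.sh feed /dev/cuaU0" runs it and then loops. The gate is deliberately cheap: it is there to detect a broken device, and a device that passes it still deserves no more trust than the rest of the pool's inputs, which is exactly why mixing it in (rather than replacing anything) is the only sensible use.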
Re: Unbound Problems (Reverse Direction)
I appreciate your help!

Either you solved the previous problem telling me to put $ORIGIN in my BIND zone files, or I had made a mistake with the 'set port=number' command in nslookup.

In either case NSD is now working properly in both directions.

But Unbound is only working correctly in the forward direction. I'm still doing something wrong, and I don't know what yet.

Thanks,
Ken
Unbound Problems (Reverse Direction)
Nope. I still don't have it working. NSD is working in both directions. Unbound is only working in the forward direction.

Here is proof that both Unbound and NSD are working in the forward direction:

7 Soekris2# nslookup nas2
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   nas2.Foo.Bar
Address: 172.24.10.2

Here is proof that NSD is working in the reverse direction:

8 Soekris2# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> set port=53053
> 172.24.10.2
Server:         127.0.0.1
Address:        127.0.0.1#53053

2.10.24.172.in-addr.arpa        name = nas2.foo.bar.

But somehow, Unbound is not working in the reverse direction:

6 Soekris2# nslookup 172.24.10.2
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find 2.10.24.172.in-addr.arpa: NXDOMAIN

Here is the relevant part of my unbound.conf:

# Use nsd to resolve local names.
# Do not send these queries to the root servers.
stub-zone:
        name: Foo.Bar.
        stub-addr: 127.0.0.1@53053
stub-zone:
        name: 10.24.172.in-addr.arpa.
        stub-addr: 127.0.0.1@53053
stub-zone:
        name: 20.24.172.in-addr.arpa.
        stub-addr: 127.0.0.1@53053
stub-zone:
        name: 30.24.172.in-addr.arpa.
        stub-addr: 127.0.0.1@53053
stub-zone:
        name: 2.168.192.in-arpa.arpa.
        stub-addr: 127.0.0.1@53053
stub-zone:
        name: 224.in-addr.arpa.
        stub-addr: 127.0.0.1@53053
stub-zone:
        name: 255.in-addr.arpa.
        stub-addr: 127.0.0.1@53053

Any ideas? What am I still doing wrong?? NSD is listening on port 53053, and works (as proved above) for resolving in the reverse direction. Why doesn't unbound work?
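An added example (editor's script, not code from the thread or from unbound). The symptom above, nsd answering on 53053 while unbound on 53 returns NXDOMAIN for the same name even though forward lookups through the same stub-addr work, matches a documented unbound behaviour: unbound ships static local-zones for the RFC 1918 and other AS112 reverse space (10.in-addr.arpa, 16.172.in-addr.arpa through 31.172.in-addr.arpa, 168.192.in-addr.arpa, and more) that answer NXDOMAIN before any stub-zone is consulted. unbound.conf(5) says to declare the built-in zone "nodefault" when your stub is exactly that zone, and "transparent" when your stub is a subzone of it, which is the case for a /24 under 172.24. The script derives the right local-zone line for each stub name, emits the stub-zones, keeps do-not-query-localhost: no (unbound refuses to query 127.0.0.1 without it, so something equivalent must already be in effect for the working forward lookups), and lists the checks. Two assumptions: nsd is on 127.0.0.1@53053 as in the post, and the zone names are the posted ones, except that the 192.168.2 entry is spelled in-addr.arpa here; the posted line reads "in-arpa.arpa", which no query will ever match.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the unbound.conf pieces needed
# to hand reverse lookups for private ranges to a local authoritative server,
# and shows how to verify them. Assumptions: nsd listens on 127.0.0.1@53053 as
# in the thread, unbound's config is /var/unbound/etc/unbound.conf, and the
# zone list in the usage line is constructed from the stub-zones posted above.

NSD=127.0.0.1@53053
CONF=/var/unbound/etc/unbound.conf

# unbound ships static local-zones for the RFC 1918 / AS112 reverse space
# (10.in-addr.arpa, 16.172 ... 31.172.in-addr.arpa, 168.192.in-addr.arpa, ...)
# that answer NXDOMAIN before any stub-zone is consulted. Return the built-in
# zone that covers a given reverse zone name, or nothing if there is none.
default_zone_for() {
	z=${1%.}
	case "$z" in
	10.in-addr.arpa|*.10.in-addr.arpa)
		echo "10.in-addr.arpa." ;;
	168.192.in-addr.arpa|*.168.192.in-addr.arpa)
		echo "168.192.in-addr.arpa." ;;
	*.172.in-addr.arpa)
		s=${z%.172.in-addr.arpa}; s=${s##*.}    # the 172.x second octet
		case "$s" in
		1[6-9]|2[0-9]|3[01]) echo "$s.172.in-addr.arpa." ;;
		esac ;;
	esac
}

# The line that lets queries fall through to the stub: "nodefault" when the
# stub is exactly the built-in zone, "transparent" when it is a subzone
# (unbound.conf(5), local-zone).
local_zone_line() {
	dz=$(default_zone_for "$1")
	if [ -z "$dz" ]; then return 0; fi
	if [ "${1%.}." = "$dz" ]; then t=nodefault; else t=transparent; fi
	printf 'local-zone: "%s" %s\n' "$dz" "$t"
}

# Emit the config: server options plus one stub-zone per zone name given.
render_conf() {
	echo "server:"
	printf '\t# stub-addr is on this host; unbound refuses 127.0.0.1 by default\n'
	printf '\tdo-not-query-localhost: no\n'
	printf '\t# built-in private reverse zones would answer NXDOMAIN first\n'
	for z in "$@"; do
		line=$(local_zone_line "$z")
		if [ -n "$line" ]; then printf '\t%s\n' "$line"; fi
	done | sort -u
	for z in "$@"; do
		printf 'stub-zone:\n\tname: "%s"\n\tstub-addr: %s\n' "$z" "$NSD"
	done
}

# After installing the output: the built-in zone must no longer be "static",
# and the same PTR question must be answered both by nsd and through unbound.
verify() {
	unbound-checkconf "$CONF" || return 1
	rcctl restart unbound || return 1
	# needs remote-control enabled in unbound.conf; shows the zone's type
	unbound-control list_local_zones | grep '24.172.in-addr.arpa'
	dig +short -p 53053 -x 172.24.10.2 @127.0.0.1
	dig +short -p 53    -x 172.24.10.2 @127.0.0.1
}

case "${1:-}" in
	render) shift; render_conf "$@" ;;
	verify) verify ;;
esac
```

Usage: "sh stubs.sh render Foo.Bar. 10.24.172.in-addr.arpa. 20.24.172.in-addr.arpa. 30.24.172.in-addr.arpa. 2.168.192.in-addr.arpa. 224.in-addr.arpa. 255.in-addr.arpa." prints the server: block with the two local-zone lines (24.172 and 168.192) and seven stub-zones; 224 and 255 get no local-zone line because unbound has no built-in zone for them. Making only the parent transparent, rather than disabling every AS112 default, keeps the NXDOMAIN answers for the private ranges you do not serve, which is the behaviour those defaults exist for.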
Re: NSD Problems (Reverse Direction)
I asked:
>> nsd works only in the forward direction: from a name to an IP address.
>> I'm using my named zone files from way back.

--- Amelia A Lewis wrote:
> $ORIGIN
>
> You haven't got one. You have a comment saying what the origin is,
> but no $ORIGIN directive in the example supplied.

Adding the $ORIGIN directive solved the problem.

Thank you,
Ken
NSD Problems (Reverse Direction)
What am I doing wrong???

I'm using nsd on OpenBSD. nsd works only in the forward direction: from a name to an IP address.

I'm using my named zone files from way back. nsd-checkzone says that the zone files are good.

Here are the startup logs for nsd:

--
Jul 8 20:30:20 Soekris2 nsd[85856]: nsd starting (NSD 4.2.4)
Jul 8 20:30:21 Soekris2 nsd[78426]: zone 10.24.172.in-addr.arpa read with success
Jul 8 20:30:21 Soekris2 nsd[78426]: zone 20.24.172.in-addr.arpa read with success
Jul 8 20:30:21 Soekris2 nsd[78426]: zone 30.24.172.in-addr.arpa read with success
Jul 8 20:30:21 Soekris2 nsd[78426]: zone 2.168.192.in-addr.arpa read with success
Jul 8 20:30:21 Soekris2 nsd[78426]: zone Foo.Bar read with success
Jul 8 20:30:21 Soekris2 nsd[78426]: nsd started (NSD 4.2.4), pid 71631
--

nsd works in the forward direction (not shown).

nsd fails in the reverse direction:

--
117 Soekris2# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> set port 53053
> 172.24.20.1
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find 1.20.24.172.in-addr.arpa: NXDOMAIN
--

Here is an example reverse-direction file: db.20.24.172.in-addr.arpa

--
;
; BIND reverse data file for 20.24.172.in-arpa.arpa.
;
; Origin added to names not ending in a dot: 20.24.172.in-addr.arpa.
$TTL    3h
@       IN      SOA     Soekris1.Foo.Bar. root.Soekris1.Foo.Bar. (
                        2020070501      ; Serial
                        10800           ; Refresh 3 hours
                        3600            ; Retry 1 hour
                        604800          ; Expire 1 week
                        3600 )          ; Negative Caching 1 hour

; Name Servers
;       IN      NS      Cherub.Foo.Bar.
;       IN      NS      Tux.Foo.Bar.
        IN      NS      Soekris1.Foo.Bar.
        IN      NS      Soekris2.Foo.Bar.
        IN      NS      PcEngines1.Foo.Bar.
        IN      NS      PcEngines2.Foo.Bar.

; Network Name
0       IN      PTR     Wired.20.
1       IN      PTR     WirelessAccess.Foo.Bar.
2       IN      PTR     WirelessRouter.Foo.Bar.
--

Any ideas? Why would nsd work in the forward direction, but not in the reverse direction, if all of the zone files are good? What is different between nsd and named?
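An added example (editor's script, not code from the post or from NSD). Two things are visible in the transcript above: the interactive nslookup line reads "set port 53053" without the "=", and the reply is stamped 127.0.0.1#53, so that query went to whatever listens on port 53 on the box, not to nsd on 53053 (the follow-up transcript in this thread, with "set port=53053", is stamped 127.0.0.1#53053 and gets an answer). Ken himself raises the "set port=number" possibility in a later message. The helpers below put the question to the authoritative server on its own port with dig -p, where the port cannot be mistyped silently, and lint a reverse zone for PTR targets without a trailing dot, the case the zone file's own comment describes: such a target gets the origin appended, so "WirelessAccess.Foo.Bar" becomes "WirelessAccess.Foo.Bar.20.24.172.in-addr.arpa." and the lookup looks broken even though nsd-checkzone is happy. Assumptions: nsd on 127.0.0.1 port 53053 as in the post; the zone file path under /var/nsd/zones is illustrative; the zone snippet in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for checking a reverse zone the
# way the thread needed: query the authoritative server on its own port, and
# catch PTR targets that are relative names (the origin gets appended to them).
# Assumptions: nsd on 127.0.0.1 port 53053 as in the thread; zone file paths
# under /var/nsd/zones are illustrative.

# 172.24.20.1 -> 1.20.24.172.in-addr.arpa.
ptr_name() {
	echo "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# 172.24.20.0 (a /24 network) -> 20.24.172.in-addr.arpa.
reverse_zone_24() {
	echo "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# Print PTR records whose target has no trailing dot. In a reverse zone such
# a target gets the zone origin appended, producing names like
# WirelessAccess.Foo.Bar.20.24.172.in-addr.arpa. instead of WirelessAccess.Foo.Bar.
unqualified_ptr_targets() {
	awk '
		{ sub(/;.*/, "") }                                        # strip comments
		NF >= 3 && toupper($(NF-1)) == "PTR" && $NF !~ /\.$/ { print }
	' "$1"
}

# Ask nsd directly, on its port, and compare with the resolver on port 53.
# The nslookup transcript in the thread shows "set port 53053" (no "=") and a
# reply stamped 127.0.0.1#53: that query never reached nsd. dig -p cannot
# silently fall back to 53.
check_reverse() {
	ip=$1; port=${2:-53053}
	printf 'query: %s\n' "$(ptr_name "$ip")"
	printf 'nsd    (%s): ' "$port"; dig +short -p "$port" -x "$ip" @127.0.0.1
	printf 'unbound (53): ';        dig +short -p 53      -x "$ip" @127.0.0.1
}

# Validate the zone file under the name nsd will load it as, then run the lint
# nsd-checkzone does not do.
check_zone_file() {
	zone=$1; file=$2
	nsd-checkzone "$zone" "$file" || return 1
	if [ -n "$(unqualified_ptr_targets "$file")" ]; then
		echo "relative PTR targets in $file (origin will be appended):" >&2
		unqualified_ptr_targets "$file" >&2
		return 1
	fi
}

case "${1:-}" in
	check) check_reverse "$2" "${3:-53053}" ;;
	zone)  check_zone_file "$2" "$3" ;;
esac
```

Usage: "sh revcheck.sh check 172.24.20.1" prints the in-addr.arpa name it is asking for and the answers from both servers; "sh revcheck.sh zone 20.24.172.in-addr.arpa /var/nsd/zones/db.20.24.172.in-addr.arpa" fails if any PTR target is relative. In interactive nslookup the equivalent of dig -p is "set port=53053", with the equals sign.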
Re: nsd Will Not Start At Boot
--- Ian Darwin wrote:
> Try doing it by the book, i.e., rcctl start nsd
> If it fails silently, try rcctl -d start nsd

Thanks for that. I haven't upgraded my OpenBSD boxes in some years, so I didn't know about it.

I have nsd working now, serving up my local DNS names.

Unbound is still not working. I have a hunch, but cannot find it in the man pages, that somehow they have to talk to each other. Is this true?

I tried a very simple unbound.conf file, and it didn't work. The very simple config file was from https://nlnetlabs.nl/documentation/unbound/howto-setup/

--
server:
        interface: 0.0.0.0
        interface: ::0
        access-control: 192.168.0.0/16 allow
        access-control: ::1 allow
        verbosity: 1
--

On startup of nsd with "rcctl -d start nsd", it complains:

error: connect (127.0.0.1@8952): Connection refused

My /var/nsd/etc/nsd.conf file does not have @8952 in it anyplace.

I haven't been able to figure out how to get DNS for other sites on the Internet.

ping OpenBSD.org
ping: no address associated with name

Any ideas? Any help? What should I be reading??

Thanks,
Ken Hendrickson
nsd Will Not Start At Boot
Probably not a bug. But I need help!

I've read the fine manual(s). Many times. I still can't figure it out.

The nsd daemon will not start at boot time. It will start and run by hand later.

There is NOTHING in the logs indicating what the failure was. In fact, the logs indicate that everything is OK, and nsd did start!

Jul 5 22:32:32 Soekris2 nsd[51297]: nsd starting (NSD 4.2.4)
Jul 5 22:32:32 Soekris2 nsd[16350]: zone 10.24.172.in-addr.arpa read with success
Jul 5 22:32:33 Soekris2 nsd[16350]: zone 20.24.172.in-addr.arpa read with success
Jul 5 22:32:33 Soekris2 nsd[16350]: zone 2.168.192.in-addr.arpa read with success
Jul 5 22:32:33 Soekris2 nsd[16350]: zone FakeZone.com read with success
Jul 5 22:32:33 Soekris2 nsd[16350]: nsd started (NSD 4.2.4), pid 52261

But when I check with ps, or dig, or nslookup, nsd is obviously not running and not working.

nsd-checkconf says my nsd.conf file is OK.
nsd-checkzone says all my zone files are OK.

I have tried putting "rcctl enable nsd" in the /etc/rc.conf.local file. That did not help.

I have used nsd-control-setup to generate keys and self-signed certificates, and I have turned remote-control on and off. Nothing works.

If I try to start nsd the same way the scripts do, I get nsd(failed).

$ /etc/rc.d/nsd start
nsd(failed)

It will start and run by hand later.

$ nsd -u _nsd -t /var/nsd
[2020-07-05 23:56:47.489] nsd[54059]: notice: nsd starting (NSD 4.2.4)

Now nsd is resolving names properly. But it wasn't running until starting by hand. It failed when the start-up scripts tried to start it.

unbound starts up OK at boot time. But nsd won't.

Google does not reveal any solution. The manual pages do not give me the clue I need to get this working.

Any help? Please?

Thanks,
Ken Hendrickson

PS I cannot control anything below this line. I didn't type it, and I can't remove it.
CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient and may contain material that is proprietary, confidential, privileged or otherwise legally protected or restricted under applicable government laws. Any review, disclosure, distributing or other use without expressed permission of the sender is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies without reading, printing, or saving.
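An added example for the two nsd start-up messages above (editor's script, not code from the thread, from OpenBSD or from NSD). The thread records the symptom (nsd logs "nsd started" at boot and is then not running; /etc/rc.d/nsd start reports nsd(failed); "nsd -u _nsd -t /var/nsd" works by hand) and, after Ian Darwin's suggestion, the error "connect (127.0.0.1@8952): Connection refused" from "rcctl -d start nsd", but not what finally fixed it. The error itself is informative even though 8952 appears nowhere in nsd.conf: it is nsd-control's default TCP control port, used when the config names no control-interface, and the message means nsd-control could not reach a running nsd. Since the rc script produced it, the script evidently relies on nsd-control, so remote-control has to be enabled and pointed somewhere that works; a unix socket avoids both the TCP port and the key files from nsd-control-setup. The script below parses nsd.conf to report where nsd-control will try to connect, prints the stanza to add, and lists the checks in the order that isolates the failure. Assumptions: OpenBSD paths (/var/nsd/etc/nsd.conf, rcctl); the socket path /var/run/nsd.sock is the one I believe OpenBSD's example config uses, so check yours; the configs in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. For the "starts by hand, not from rc"
# case: the checks to run, and a small parser that tells you where nsd-control
# (which the rc script evidently calls, since "rcctl -d start nsd" produced an
# nsd-control error in the thread) is going to connect. Assumptions: OpenBSD
# paths; the socket path in the stanza below is the one OpenBSD's example
# nsd.conf uses, so check yours.

CONF=/var/nsd/etc/nsd.conf

# "connect (127.0.0.1@8952): Connection refused" is nsd-control, not nsd:
# 8952 is nsd-control's default TCP port, used when nsd.conf has no
# control-interface. Print where the current config sends it, or fail if
# remote-control is off, in which case nsd-control can never succeed.
nsd_control_target() {
	awk '
		{ sub(/#.*/, "") }                        # strip comments
		/^[^ \t].*:[ \t]*$/ { sect = $1; next }   # "server:", "remote-control:", ...
		sect == "remote-control:" && NF >= 2 {
			if ($1 == "control-enable:")    enable = $2
			if ($1 == "control-interface:") iface  = $2
			if ($1 == "control-port:")      port   = $2
		}
		END {
			if (enable != "yes") {
				print "remote-control is not enabled; nsd-control cannot work"
				exit 1
			}
			if (iface ~ /^\//) { print iface; exit 0 }   # unix socket
			if (iface == "") iface = "127.0.0.1"
			if (port  == "") port  = 8952
			print iface "@" port
		}' "$1"
}

# The stanza to add: a unix socket needs no TCP port and no key files.
remote_control_stanza() {
	cat <<'EOF'
remote-control:
	control-enable: yes
	control-interface: /var/run/nsd.sock
EOF
}

# Run the checks in the order that isolates the failure.
nsd_boot_check() {
	nsd-checkconf "$CONF" || return 1               # syntax, and paths as seen from the chroot
	target=$(nsd_control_target "$CONF") || { echo "$target" >&2; return 1; }
	echo "nsd-control will connect to: $target"
	rcctl get nsd                                    # enabled at boot? which flags?
	rcctl -d start nsd                               # -d prints the exact command the script runs and its error
	rcctl check nsd || { rcctl ls failed; return 1; }
	nsd-control status || return 1                   # goes through the control channel, like the rc script
	dig +short -p 53053 SOA Foo.Bar @127.0.0.1       # an answer proves the process is actually serving
}

case "${1:-}" in
	target) nsd_control_target "${2:-$CONF}" ;;
	stanza) remote_control_stanza ;;
	check)  nsd_boot_check ;;
esac
```

"sh nsdboot.sh target" answers the question raised in the thread ("my nsd.conf does not have @8952 in it anyplace") from the file itself; "sh nsdboot.sh check" runs the sequence. Keep the by-hand invocation and the rc script's command line (as shown by rcctl -d) side by side: a daemon that "starts" by hand with different flags, user or chroot than the script uses is the usual reason the two disagree.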