Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Stephane Bortzmeyer
On Wed, Nov 19, 2008 at 09:55:52PM +0100,
 Adam Tkac <[EMAIL PROTECTED]> wrote 
 a message of 17 lines which said:

> If I understand correctly what RFC 4034, section 2.1.1 says "... If
> bit 7 has value 1, then the DNSKEY record holds a DNS zone key, and
> the DNSKEY RR's owner name MUST be the name of a zone..." it is
> impossible. Each zone has to have its own KSK and ZSK pair, doesn't
> it?

[Warning: still struggling with the subtleties of KSK/ZSK.]

The text you quote is for DNS publication. But you typically do not
put KSK in the DNS, no?

I would say, quoting Tolkien: one ZSK per zone, but only one KSK to
sign them all.

[AFNIC manages six TLDs so the answer interests us, too.]

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Help understanding lame server error

2008-11-20 Thread Scott Haneda

On Nov 19, 2008, at 6:19 PM, Kevin Darcy wrote:

> Scott Haneda wrote:
>> I have a good deal of lame server errors in my logs, which I am not
>> entirely understanding.
>>
>> 19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving
>> '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?):
>> 209.234.64.192#53
> 73.234.209.in-addr.arpa has been delegated to ns1.networkiowa.com
> (address 209.234.64.192), but that nameserver is not responding
> authoritatively for the zone. This is referred to technically as
> being "lame".
>
> Fortunately one of the other delegated nameservers
> (storm.weather.net) *is* responding authoritatively. So the zone is
> not completely broken. But named is logging this as a warning. You
> can configure logging to ignore these lame-server conditions.

Generally I want to know, as there are cases where I mess up, and
something bad happens.  I watch the logs, and know to fix it.  So I am
not so much minding the data in my logs, but more just wanting to
understand what is causing these lookups.

>> 19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving
>> '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):
>> 209.183.48.20#53
>> 19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving
>> '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?):
>> 209.43.20.115#53
>> 19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving
>> '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):
>> 209.183.52.20#53
>> 19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving
>> '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):
>> 209.183.48.21#53
> I assume, without looking, that the causes for these are similar to
> the example above.

Yes, I have thousands of these entries.  I usually use another NS to
point my email server to, that one has become a little flaky, so I
moved to using my own local NS on the same machine as the email server.

>> My server is not allowing recursions, other than to localnets.
>> about the only thing hitting it is an email server. So I am not
>> clear on why these lookups are happening, or why they are coming
>> from all these other IP's
> Most email software these days, as a default, performs reverse-
> lookups of connecting client addresses as a form of spam detection
> (because it's common knowledge that spammers are genetically
> incapable of populating reverse records). It is thus perfectly
> normal to see a lot of reverse-lookup traffic from email servers.

Correct, but that is what is strange.  I am very familiar with my
email server, and I am not doing reverse PTR record checking.  I am of
course using some DNSBL's and DNSWL's as well, but no reverse checking.

Further, I have allowed only localnets to check recursively on this
NS.  I know my IP range, and what machines would be hitting it.

> BTW, if you want to determine where all of these reverse lookups
> were coming from, you could just turn on query logging. Why guess
> when you can tell for sure?

This is the core of my question, maybe someone can point me to docs,
or help me understand a log line.  In the example above, I see field 1
is the date, field 2 is the time, field 3 looks like the error
description, field 4 is the level, and then there are the rest of the
bits.  However, I thought the last part, was an IP and a port, telling
me, that IP, asked on port 53, for a lookup of my server.  So in this
case, why do I need to look at the query log, when I believe, this log
tells me who is doing the lookup.

If this really was the email server doing this lookup, all the lines
should share the same IP in common.  So let's assume that for a
second, this is a reverse record lookup, that means my email server is
asking of my NS for a record/response.  Should I not see my IP in
those log lines?

Here is another example, I think not a reverse lookup for sure:
20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving
'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53

Doesn't that mean that 195.178.32.2 requested a lookup from my NS for
szi.szi.sv.gov.yu?  I have an email server, and a bunch of web
servers, the web servers do not have DNS lookups on, so those are not
asking anything of my DNS server.  The only thing that should be, is
the email server, but that is not adding up, since I do not have
reverse lookup checking enabled.

I can think of one thing, which is my web stats server, which I would
think, does resolve IP's to host names, in order to show a report of
what domains are going to websites.  That being said, I would think,
that I should see the source of the query IP in the lame server log
line.


Is there a way to log the client IP on that line?

Thanks
--
Scott



Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Niall O'Reilly
On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:
> does anyone know if it is possible to sign multiple domains with one
> KSK?

Adam,

I suspect your question may need to be more specific.

Are you asking about the signing process itself, or rather 
about how certain aspects of this process need to be exposed
in the DNS?

The RFC-fragment you cite seems to me to require that each 
signed zone needs its set of [KZ]SK exposed in the DNS, but 
to be silent on whether a single key can be reused by appearing
as RDATA in the DNSKEY RRsets of multiple zones.

I haven't read 4033/4034 thoroughly, so it's possible I may 
have misunderstood completely.

Best regards,

Niall O'Reilly




Re: Workaround Solaris's kernel bug

2008-11-20 Thread Stacey Jonathan Marshall

Thomas Schulz wrote:
> Change 2489 says to define ISC_SOCKET_USE_POLLWATCH to workaround a
> Solaris kernel bug about /dev/poll.  How do I know if I should define
> this?  Should I just assume that if I am running Solaris 8 then I need
> to define ISC_SOCKET_USE_POLLWATCH?  Is there any down side to defining
> this if it is not needed?
>
> Tom Schulz
> Applied Dynamics Intl.
> [EMAIL PROTECTED]

Tom,

This is CR 6724237, which was first introduced in Solaris 8.  At this
time there is no patch for Solaris 8, 9 or 10 and therefore
"ISC_SOCKET_USE_POLLWATCH" should be defined when building BIND 9 for
those systems.


Stacey Marshall
Sun Microsystems Ltd.


Zone not propagating to slaves

2008-11-20 Thread Steve Koon
I am getting on one of my slaves (69.25.129.117) yet on the other I get
the zone to come across from the master. Just a quirk here is that the
.117 slave has to be recycled before the zone comes across yet the .118
comes across when the master is recycled and a change has occurred in one
of the zones. By the way until this zone I have not had problems with
zones coming across to either slave although I have had to do a recycle
to the .117 to get them there.

 

Anyone know why I am getting this "not authoritative" message and no
zone file on .118 all of a sudden?

 

Thanks,

Steve

 

 

This is the log message in the 69.25.129.119 Master

 client 69.25.129.117#1305: transfer of 'manzanitavacation.com/IN': AXFR
started

client 69.25.129.117#1305: transfer of 'manzanitavacation.com/IN': AXFR
ended

 

This is the log message in the 69.25.129.118 slave

client 69.25.129.117#1304: received notify for zone
'manzanitavacation.com': not authoritative

 

This is the log message in the 69.25.129.117 slave

zone manzanitavacation.com/IN: Transfer started.

transfer of 'manzanitavacation.com/IN' from 69.25.129.119#53: connected
using 69.25.129.117#1305

zone manzanitavacation.com/IN: transferred serial 2008111901

transfer of 'manzanitavacation.com/IN' from 69.25.129.119#53: Transfer
completed: 1 messages, 8 records, 251 bytes, 0.109 secs (2302 bytes/sec)

zone manzanitavacation.com/IN: sending notifies (serial 2008111901)

 

 

 

=[1]== named.conf for 69.25.129.117 Slave =

options {
    directory "C:\WINDOWS\system32\dns\etc\named";
    pid-file "C:\WINDOWS\system32\dns\etc\named\run\named.pid";
    dump-file "C:\WINDOWS\system32\dns\etc\named\dump\named_dump.db";
    statistics-file "C:\WINDOWS\system32\dns\etc\named\stats\named.stats";
    zone-statistics yes;
    forwarders { 63.251.161.33; 216.231.41.2; };
    allow-query { any; };
    recursion yes;
    //allow-recursion { 69.25.129.119; };
    allow-transfer { 69.25.129.119; };
    listen-on-v6 { any; };
};

// log to named\log\named.log events from info UP in severity (no debug)
// defaults to use 3 files in rotation
// failure messages up to this point are in the event log
logging {
    channel my_log {
        file "C:\WINDOWS\system32\dns\etc\named\log\named.log" versions 3 size 250k;
        severity info;
    };
    category default { my_log; };
};

#
zone manzanitavacation.com. in {
    type slave;
    file "c:\windows\system32\dns\etc\named\zones\db.manzanitavacation.com.zone";
    masters { 69.25.129.119; };
    allow-notify { 69.25.129.117; 69.25.129.118; };
};

=[1]=

 

=[2]== named.conf for 69.25.129.119 Master =

options {
    directory "C:\WINDOWS\system32\dns\etc";
    dump-file "C:\WINDOWS\system32\dns\etc\named\dump\nameddump.db";
    statistics-file "C:\WINDOWS\system32\dns\etc\named\stats\named.stats";
    pid-file "C:\WINDOWS\system32\dns\etc\named\run\named.pid";
    recursion yes;
    zone-statistics yes;
    forwarders { 63.251.161.33; 63.251.161.1; };
    #forward first;
    listen-on-v6 { any; };
    dnssec-enable yes;
};

// secret value redacted in the original post
key "rndc-key" { algorithm hmac-md5; secret "??"; };

controls {
    inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
};

logging {
    channel my_log {
        file "C:\WINDOWS\system32\dns\etc\named\log\named.log" versions 3 size 250k;
        severity info;
    };
    category default { my_log; };
};

#
zone manzanitavacation.com. in {
    type master;
    file "c:\windows\system32\dns\etc\named\zones\manzanitavacation.com.zone";
};


=[3]== named.conf for 69.25.129.118 Slave ==

options {
    directory "C:\WINDOWS\system32\dns\etc\named";
    pid-file "C:\WINDOWS\system32\dns\etc\named\run\named.pid";
    dump-file "C:\WINDOWS\system32\dns\etc\named\dump\named_dump.db";
    statistics-file "C:\WINDOWS\system32\dns\etc\named\stats\named.stats";
    zone-statistics yes;
    forwarders { 63.251.161.33; 216.231.41.2; };
    allow-query { any; };
    recursion yes;
    //allow-recursion { 69.25.129.119; };
    allow-transfer { 69.25.129.119; };
    listen-on-v6 { any; };
};

// log to named\log\named.log events from info UP in severity (no debug)
// defaults to use 3 files in rotation
// failure messages up to this point are in the event log
logging {
    channel my_log {
        file "C:\WINDOWS\system32\dns\etc\named\log\named.log" versions
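Separate from the transfer problem, both slave configs above carry `recursion yes;` together with `allow-query { any; };` and the `allow-recursion` line commented out. The BIND 9.4+ ARM says that when `allow-recursion` is absent the server falls back to `allow-query-cache`, then to `allow-query`, and only then to `{ localnets; localhost; }`, so as posted these two slaves will recurse for anyone on the Internet. The checker below is an added example, not code from the thread or from BIND; the two sample configs are condensed from the ones posted, and the hardened variant is an assumption of what an authoritative-only slave should carry.

```python
"""Open-resolver check for a named.conf options block.

Added example (not from the thread, not BIND code). Encodes the BIND 9.4+
ARM rule for allow-recursion when it is absent: fall back to
allow-query-cache, then allow-query, then { localnets; localhost; }.
"""
import re


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments, the three forms named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def options_block(text: str) -> str:
    """Body of the top-level options { ... } block, found by brace counting."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    raise ValueError("unbalanced braces in options block")


def statements(body: str) -> dict:
    """'keyword value;' pairs; an ACL/list value becomes a list of its elements."""
    out, depth, cur = {}, 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            stmt = "".join(cur).strip()
            cur = []
            if stmt:
                parts = re.split(r"\s+", stmt, maxsplit=1)
                key = parts[0]
                value = parts[1].strip() if len(parts) > 1 else ""
                if value.startswith("{"):
                    value = [e.strip() for e in value.strip("{}").split(";") if e.strip()]
                out[key] = value
        else:
            cur.append(ch)
    return out


def effective_recursion_acl(opts: dict):
    """Who may recurse. None: recursion is off. Else (source option, ACL elements)."""
    if opts.get("recursion", "yes") != "yes":   # BIND's default is recursion yes
        return None
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return key, opts[key]
    return "default", ["localnets", "localhost"]


def is_open_resolver(conf: str) -> bool:
    """True when the effective recursion ACL admits everyone."""
    acl = effective_recursion_acl(statements(options_block(strip_comments(conf))))
    return acl is not None and "any" in acl[1]


# Condensed from the configs posted in the thread (Windows paths kept).
SLAVE_117 = r"""
options {
    directory "C:\WINDOWS\system32\dns\etc\named";
    forwarders { 63.251.161.33; 216.231.41.2; };
    allow-query {any;};
    recursion yes;
    //allow-recursion {69.25.129.119;};
    allow-transfer {69.25.129.119;};
    listen-on-v6 { any; };
};
zone manzanitavacation.com. in { type slave; masters { 69.25.129.119; }; };
"""

MASTER_119 = r"""
options {
    directory "C:\WINDOWS\system32\dns\etc";
    recursion yes;
    forwarders { 63.251.161.33 ; 63.251.161.1; };
    #forward first;
    dnssec-enable yes;
};
"""

# Assumed hardening for an authoritative-only slave: recursion off and the
# ACLs explicit, so nothing depends on the fallback chain.
HARDENED_SLAVE = r"""
options {
    recursion no;
    allow-query { any; };
    allow-recursion { none; };
    allow-transfer { 69.25.129.119; };
};
"""

if __name__ == "__main__":
    for name, conf in (("slave .117", SLAVE_117), ("master .119", MASTER_119),
                       ("hardened", HARDENED_SLAVE)):
        opts = statements(options_block(strip_comments(conf)))
        print(name, effective_recursion_acl(opts), "OPEN" if is_open_resolver(conf) else "ok")
```

The master passes only because it never sets `allow-query`, so the default of localnets/localhost applies; it still recurses for the local network while serving as the zone's master, which is the same split-role trap in milder form.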
Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Chris Thompson

On Nov 19 2008, Adam Tkac wrote:

> does anyone know if it is possible to sign multiple domains with one KSK?
>
> If I understand correctly what RFC 4034, section 2.1.1 says "... If bit 7
> has value 1, then the DNSKEY record holds a DNS zone key, and the DNSKEY
> RR's owner name MUST be the name of a zone..." it is impossible. Each zone
> has to have its own KSK and ZSK pair, doesn't it?


It depends what you mean. The owner name has to be different, obviously,
but the DNSKEY records for the KSK(s) (or ZSK(s), for that matter) could
have identical rdata in different zones: i.e. they could specify the same
encryption key. Whether this would be a *good* thing to do is doubtful:
it wouldn't seem to save you anything in the signing process. Even if both
KSKs and ZSKs in different zones had identical rdata, the RRSIG records
for the DNSKEY RRset would not (because the owner name gets fed into the
hashed data).

--
Chris Thompson
Email: [EMAIL PROTECTED]



Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Chris Thompson

On Nov 20 2008, Stephane Bortzmeyer wrote:

[...snipped...]

> [Warning: still struggling with the subtleties of KSK/ZSK.]
>
> The text you quote is for DNS publication. But you typically do not
> put KSK in the DNS, no?


Sure you do. How could a validator use it if you didn't? Perhaps
you meant: you would keep the private half of the KSK more securely
locked up than the private half of the ZSK?

The usual setup in a signed zone is

 DNSKEY RRset at zone apex: one RR for each KSK and for each ZSK
 RRSIG RRs for the DNSKEY RRset: one signed with each KSK
 and one signed with each ZSK
 RRSIG RRs for all other RRsets: one signed with each ZSK

(allowing for multiple KSKs and ZSKs because of rollover).

That is, KSKs are used only to sign the DNSKEY RRset, and those
RRSIGs would typically be generated offline, even if the private
halves of the ZSKs are online.

--
Chris Thompson
Email: [EMAIL PROTECTED]



Re: Workaround Solaris's kernel bug

2008-11-20 Thread J.D. Bronson

At 10:18 AM 11/20/2008 +, you wrote:
> This is CR 6724237, which was first introduced in Solaris 8.  At this
> time there is no patch for Solaris 8, 9 or 10 and therefore
> "ISC_SOCKET_USE_POLLWATCH" should be defined when building BIND 9 for
> those systems.
>
> Stacey Marshall
> Sun Microsystems Ltd.


So is there a *public release* version of BIND 9 that we can compile
right out of the box that will work correctly on Solaris 10 (10/08) and,
if so, which version is it?

-JD




Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Adam Tkac
On Thu, Nov 20, 2008 at 09:18:01AM +, Niall O'Reilly wrote:
> On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:
> > does anyone know if it is possible to sign multiple domains with one
> > KSK?
> 
>   Adam,
> 
>   I suspect your question may need to be more specific.

Right you are.

> 
>   Are you asking about the signing process itself, or rather 
>   about how certain aspects of this process need to be exposed
>   in the DNS?
> 
>   The RFC-fragment you cite seems to me to require that each 
>   signed zone needs its set of [KZ]SK exposed in the DNS, but 
>   to be silent on whether a single key can be reused by appearing
>   as RDATA in the DNSKEY RRsets of multiple zones.
> 
>   I haven't read 4033/4034 thoroughly, so it's possible I may 
>   have misunderstood completely.
> 
>   Best regards,
> 
>   Niall O'Reilly
> 

I know people who maintain many domains, so they would like to use a
scenario like this:
- each zone has its own ZSK
- all ZSKs are signed with one KSK and the corresponding DS is in the
  parent zone

So, in theory, validation will look like:
- get myzone.tld. DS from tld.
- validate myzone.tld. DNSKEY (= validate KSK)
- validate all ZSKs with myzone.tld. KSK

If I understand section 2.1.1 of RFC 4034 correctly, then when I
want to validate for example the "myzone1.tld." ZSK there are only two ways:
- get myzone1.tld. DS from tld. zone
- get another myzone1.tld. key which will validate it

It isn't possible to validate myzone1.tld. with key from other zone,
for example myzone2.tld., is it?

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.


Re: Help understanding lame server error

2008-11-20 Thread Mark Andrews

In message <[EMAIL PROTECTED]>, Scott Haneda writ
es:
> On Nov 19, 2008, at 6:19 PM, Kevin Darcy wrote:
> 
> Here is another example, I think not a reverse lookup for sure:
> 20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving  
> 'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53
> 
> Doesn't that mean that 195.178.32.2 requested a lookup from my NS for  
> szi.szi.sv.gov.yu?  I have an email server, and a bunch of web  
> servers, the web servers do not have DNS lookups on, so those are not  
> asking anything of my DNS server.  The only thing that should be, is  
> the email server, but that is not adding up, since I do not have  
> reverse lookup checking enabled.

No.  195.178.32.2 is ns3.nic.yu which is lame (not serving)
the zone it is listed as serving.

szi.sv.gov.yu.  86400   IN  NS  ns3.nic.yu.
szi.sv.gov.yu.  86400   IN  NS  odisej.telekom.yu.
szi.sv.gov.yu.  86400   IN  NS  ns.szi.sv.gov.yu.
szi.sv.gov.yu.  86400   IN  NS  ns1.nic.yu.
;; Received 185 bytes from 147.91.8.6#53(NS1.NIC.yu) in 147 ms

szi.sv.gov.yu.  74897   IN  NS  ns1.nic.yu.
szi.sv.gov.yu.  74897   IN  NS  ns3.nic.yu.
szi.sv.gov.yu.  74897   IN  NS  odisej.telekom.yu.
szi.sv.gov.yu.  74897   IN  NS  ns.szi.sv.gov.yu.
;; Received 185 bytes from 195.178.32.2#53(ns3.nic.yu) in 163 ms

> I can think of one thing, which is my web stats server, which I would  
> think, does resolve IP's to host names, in order to show a report of  
> what domains are going to websites.  That being said, I would think,  
> that I should see the source of the query IP in the lame server log  
> line.

Why?  The log is there so you know which lookup (by name)
is failing and which server is broken.
 
> Is there a way to log the client IP on that line?

No.  At this depth named doesn't care which client asked.
It's resolving the query for all clients that ask for that
name and type.  When it has an answer it will send the
response back.  All the resolver has is a function to send
the callback data to.

Mark
 
> Thanks
> --
> Scott
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Stephane Bortzmeyer
On Thu, Nov 20, 2008 at 11:55:17AM +,
 Chris Thompson <[EMAIL PROTECTED]> wrote 
 a message of 33 lines which said:

>> The text you quote is for DNS publication. But you typically do not
>> put KSK in the DNS, no?
>
> Sure you do. How could a validator use it if you didn't? 

Because it is published as a trust anchor?


Re: Help understanding lame server error

2008-11-20 Thread Dan
Have you tried looking up the client IP from another line in the logs from the 
same time?


Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Niall O'Reilly
On Thu, 2008-11-20 at 14:15 +0100, Adam Tkac wrote:
> It isn't possible to validate myzone1.tld. with key from other zone,
> for example myzone2.tld., is it?

No, but Chris explained better than I did what I had in mind.

On Thu, 2008-11-20 at 11:43 +, Chris Thompson wrote:
> the DNSKEY records for the KSK(s) (or ZSK(s), for that matter) could
> have identical rdata in different zones: i.e. they could specify the
> same
> encryption key. Whether this would be a *good* thing to do is
> doubtful:

/Niall




RE: Workaround Solaris's kernel bug

2008-11-20 Thread Davenport, Steve M
Is the correct procedure to make this define:

STD_CDEFINES='-DISC_SOCKET_USE_POLLWATCH' 
export STD_CDEFINES 
./configure
make


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas Schulz
Sent: Wednesday, November 19, 2008 4:25 PM
To: bind-users@lists.isc.org
Subject: Workaround Solaris's kernel bug

Change 2489 says to define ISC_SOCKET_USE_POLLWATCH to workaround a
Solaris kernel bug about /dev/poll.  How do I know if I should define
this?  Should I just assume that if I am running Solaris 8 then I need
to define ISC_SOCKET_USE_POLLWATCH?  Is there any down side to defining
this if it is not needed?

Tom Schulz
Applied Dynamics Intl.
[EMAIL PROTECTED]


Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Chris Thompson

On Nov 20 2008, Stephane Bortzmeyer wrote:

> On Thu, Nov 20, 2008 at 11:55:17AM +,
>  Chris Thompson <[EMAIL PROTECTED]> wrote
>  a message of 33 lines which said:
>
>>> The text you quote is for DNS publication. But you typically do not
>>> put KSK in the DNS, no?
>>
>> Sure you do. How could a validator use it if you didn't?
>
> Because it is published as a trust anchor?


In theory, I suppose that's true: the named.conf trusted-keys entries are
just the textual representation of a KSK. (I've not seen a secure zone
actually configured to leave out the KSK, though, so I'm not sure this
would work.)

But who wants to publish trust anchors? Much better to get the KSK 
validated from the parent zone (DS record) or a trusted source (DLV record).

And neither of those have enough data to actually *reconstruct* the KSK.

--
Chris Thompson
Email: [EMAIL PROTECTED]



Re: Help understanding lame server error

2008-11-20 Thread Leonard Mills
Scott wrote at about Thursday, November 20, 2008 12:45:26 AM:
...

>> 19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving 
>> '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 
>> 209.183.48.20#53

> However, I thought the last part, was an IP and a port, telling me, that IP, 
> asked on port 53, for a lookup of my server.  

The part after the last colon on those log lines identifies
the server to which the lookup was performed; i.e. the lame server.

Hope this helps,

Len





Re: Help understanding lame server error

2008-11-20 Thread bsfinkel
>20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving  
>'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53

This message means that your DNS server sent a query for

 szi.szi.sv.gov.yu

and through recursion was directed to the nameserver at IP address

 195.178.32.2

But that nameserver has a problem - it is not authoritative for the
zone in question.  This is a problem with the remote name server.
The parent says that it is authoritative, but the server in question
is not authoritative.

I do not know if BIND caches lame server information.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994
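Mark, Len and Barry make the same point: the address at the end of a lame-servers line is the remote nameserver that answered non-authoritatively, not the client that asked, and the line carries no client address at all. The parser below is an added example, not code from the thread or from BIND; it reads such lines and aggregates them per lame server and per zone, which is the only attribution the line supports. The six sample lines are the ones Scott quoted, rejoined onto single lines.

```python
"""Parser and summary for BIND 'lame-servers' log lines.

Added example, not from the thread or BIND. The address after the last
colon is the lame server (the delegated nameserver that did not answer
authoritatively); no client address is present on these lines.
"""
import re
from collections import Counter

LAME_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"lame-servers: (?P<level>\w+): lame server resolving "
    r"'(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)

# The six lines quoted in the thread, rejoined onto single lines.
SAMPLE_LINES = [
    "19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving "
    "'170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?): 209.234.64.192#53",
    "19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving "
    "'127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.20#53",
    "19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving "
    "'221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?): 209.43.20.115#53",
    "19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving "
    "'127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.52.20#53",
    "19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving "
    "'127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.21#53",
    "20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving "
    "'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53",
]


def parse_lame_line(line: str):
    """One log line -> dict of fields, or None if it is not a lame-servers line."""
    m = LAME_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # Reverse lookups are what a mail server or a stats job typically drives.
    rec["reverse"] = rec["qname"].endswith((".in-addr.arpa", ".ip6.arpa"))
    return rec


def summarize(lines):
    """Count lame answers per (server, zone) and per zone; other lines are skipped."""
    by_server, by_zone = Counter(), Counter()
    parsed = 0
    for line in lines:
        rec = parse_lame_line(line)
        if rec is None:
            continue
        parsed += 1
        by_server[(rec["server"], rec["zone"])] += 1
        by_zone[rec["zone"]] += 1
    return {"parsed": parsed, "by_server": by_server, "by_zone": by_zone}


def report(lines):
    """Human-readable lines, noisiest zone first, naming the servers behind it."""
    s = summarize(lines)
    out = []
    for zone, n in s["by_zone"].most_common():
        servers = sorted(srv for (srv, z) in s["by_server"] if z == zone)
        out.append(f"{zone}: {n} lame answer(s) from {', '.join(servers)}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

Client attribution needs query logging, as Kevin said (rndc querylog, or a channel for the queries category); if the lame noise itself is unwanted, routing it away with `category lame-servers { null; };` in the logging block is the usual BIND idiom.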


RE: bind-users Digest, Vol 3, Issue 3

2008-11-20 Thread Rob Rathwell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, November 20, 2008 7:51 AM
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 3, Issue 3

Send bind-users mailing list submissions to
bind-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]

You can reach the person managing the list at
[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."


Today's Topics:

   1. Re: Workaround Solaris's kernel bug (J.D. Bronson)
   2. Re: Is it possible to use one KSK for multiple domains?
  (Adam Tkac)
   3. Re: Is it possible to use one KSK for multiple domains?
  (Adam Tkac)
   4. Re: Help understanding lame server error  (Mark Andrews)
   5. Re: Is it possible to use one KSK for multiple domains?
  (Stephane Bortzmeyer)
   6. Re: Is it possible to use one KSK for multiple domains?
  (Stephane Bortzmeyer)
   7. Re: Help understanding lame server error ([EMAIL PROTECTED])


--

Message: 1
Date: Thu, 20 Nov 2008 06:04:39 -0600
From: "J.D. Bronson" <[EMAIL PROTECTED]>
Subject: Re: Workaround Solaris's kernel bug
To: BIND Users Mailing List 
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 10:18 AM 11/20/2008 +, you wrote:
>This is CR 6724237 
> Which was 
>first introduced in Solaris 8.  At this time there is no patch for 
>Solaris 8, 9 or 10 and therefore "ISC_SOCKET_USE_POLLWATCH" should 
>be defined when building BIND 9 for those systems.
>
>Stacey Marshall
>Sun Microsystems Ltd.

So is there a version *public release* of Bind9 that we can compile 
right out of the box that will work correctly on Solaris 10 (10/08) and
if so
which version is it?

-JD 



--

Message: 2
Date: Thu, 20 Nov 2008 14:15:47 +0100
From: Adam Tkac <[EMAIL PROTECTED]>
Subject: Re: Is it possible to use one KSK for multiple domains?
To: [EMAIL PROTECTED], BIND Users Mailing List

Cc: [EMAIL PROTECTED]
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

On Thu, Nov 20, 2008 at 09:18:01AM +, Niall O'Reilly wrote:
> On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:
> > does anyone know if is it possible to sign multiple domains with one
> > KSK?
> 
>   Adam,
> 
>   I suspect your question may need to be more specific.

Right you are.

> 
>   Are you asking about the signing process itself, or rather 
>   about how certain aspects of this process need to be exposed
>   in the DNS?
> 
>   The RFC-fragment you cite seems to me to require that each 
>   signed zone needs its set of [KZ]SK exposed in the DNS, but 
>   to be silent on whether a single key can be reused by appearing
>   as RDATA in the DNSKEY RRsets of multiple zones.
> 
>   I haven't read 4033/4034 thoroughly, so it's possible I may 
>   have misunderstood completely.
> 
>   Best regards,
> 
>   Niall O'Reilly
> 

I know people who maintain many domains, so they would like to use a
scenario like this:
- each zone has its own ZSK
- all ZSKs are signed with one KSK and the corresponding DS is in the parent
  zone

So, in theory, validation will look like:
- get the myzone.tld. DS from tld.
- validate the myzone.tld. DNSKEY (= validate the KSK)
- validate all ZSKs with the myzone.tld. KSK

If I understand section 2.1.1 of RFC 4034 correctly, then when I
want to validate, for example, the "myzone1.tld." ZSK there are only two ways:
- get the myzone1.tld. DS from the tld. zone
- get another myzone1.tld. key which will validate it

It isn't possible to validate myzone1.tld. with a key from another zone,
for example myzone2.tld., is it?

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.


--

Re: socket: too many open file descriptors

2008-11-20 Thread pollex
On 19 nov, 13:32, JINMEI Tatuya / 神明達哉 <[EMAIL PROTECTED]> wrote:
> At Wed, 19 Nov 2008 04:03:23 -0800 (PST),
>
> pollex <[EMAIL PROTECTED]> wrote:
> > > Running bind9 9.3.4-2etch3 on Debian etch 4.0(last stable version with
> > > apt-get install bind9) and I continue to get "socket: too many open
> > > file descriptors" messages.
> > The version of bind is "BIND 9.3.4-P1.1"
> > And the error appears when named open around of 1000 sockets:
> > lsof | grep named | wc -l
> > 968
>
> "9.3.4-P1.1" still seems to be a Debian specific version, but if this
> is featurewise equivalent to 9.3.5-P1, you should at least upgrade to
> 9.3.5-P2 (and build it with a large value of ISC_SOCKET_MAXSOCKETS).
> In fact, I'd rather more strongly recommend 9.3.6.
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.

Hi
What is the exact command line to compile with 4096 FDs?
./configure --ISC_SOCKET_MAXSOCKETS='4096'?

thanks again


Re: socket: too many open file descriptors

2008-11-20 Thread JINMEI Tatuya / 神明達哉
At Thu, 20 Nov 2008 04:30:00 -0800 (PST),
pollex <[EMAIL PROTECTED]> wrote:

> > "9.3.4-P1.1" still seems to be a Debian specific version, but if this
> > is featurewise equivalent to 9.3.5-P1, you should at least upgrade to
> > 9.3.5-P2 (and build it with a large value of ISC_SOCKET_MAXSOCKETS).
> > In fact, I'd rather more strongly recommend 9.3.6.

First off, there was a typo in my previous response:
ISC_SOCKET_MAXSOCKETS should have been ISC_SOCKET_FDSETSIZE.

> how is the exact command line to compile with 4096 FDs?
> ./configure --ISC_SOCKET_MAXSOCKETS='4096'?

Replacing the macro name with the correct one, and assuming you're
using a bsh variant such as zsh and bash:

% STD_CDEFINES='-DISC_SOCKET_FDSETSIZE=4096' ./configure

But again, I'd rather strongly recommend 9.3.6.  Then you won't have
to care about ISC_SOCKET_MAXSOCKETS or any other annoying details
about FD consumption in the first place.  There should be no reason
for someone considering an upgrade to 9.3.5-P2 not to rather use
9.3.6.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Mark Andrews

In message <[EMAIL PROTECTED]>, Chris Thompson writes:
> On Nov 20 2008, Stephane Bortzmeyer wrote:
> 
> >On Thu, Nov 20, 2008 at 11:55:17AM +,
> > Chris Thompson <[EMAIL PROTECTED]> wrote 
> > a message of 33 lines which said:
> >
> >>> The text you quote is for DNS publication. But you typically do not
> >>> put KSK in the DNS, no?
> >>
> >> Sure you do. How could a validator use it if you didn't? 
> >
> >Because it is published as a trust anchor?
> 
> In theory, I suppose that's true: the named.conf trusted-keys entries are
> just the textual representation of a KSK. (I've not seen a secure zone
> actually configured to leave out the KSK, though, so I'm not sure this
> would work.)
> 
> But who wants to publish trust anchors? Much better to get the KSK 
> validated from the parent zone (DS record) or a trusted source (DLV record).
> And neither of those have enough data to actually *reconstruct* the KSK.
 
s/reconstruct/identify/

> -- 
> Chris Thompson
> Email: [EMAIL PROTECTED]
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
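The validation chain Adam sketches (DS from the parent, then the KSK, then the ZSKs) and Mark's correction that a DS record identifies the KSK rather than reconstructing it both come down to how the DS digest is computed (RFC 4034 section 5.1.4): it hashes the DNSKEY owner name together with the DNSKEY RDATA. The example below is added here and is not code from the thread or from BIND; it builds DS records for one constructed key published under two zones, showing that the key tag (RDATA only) matches while the digests differ, so the same key material can be reused but each zone still needs its own DS in the parent.

```python
import hashlib
import struct

# Constructed example: a synthetic 64-byte "public key" blob standing in for
# real RSA key material (not a usable key; the digest math does not care).
PUBLIC_KEY = bytes(range(64))

KSK_FLAGS = 257          # Zone Key (bit 7) + Secure Entry Point (bit 15)
ALG_RSASHA256 = 8        # DNSKEY algorithm number, RFC 5702
DIGEST_SHA256 = 2        # DS digest type, RFC 4509


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; depends on the RDATA only, not the owner."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """RFC 4034 s5.1.4: digest = SHA-256(owner name in wire form | DNSKEY RDATA)."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).digest()


def ds_record(owner: str, rdata: bytes) -> str:
    """Presentation form of the DS RR the parent zone would publish for this key."""
    algorithm = rdata[3]
    digest = ds_digest(owner, rdata).hex().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {algorithm} {DIGEST_SHA256} {digest}"


if __name__ == "__main__":
    ksk = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, PUBLIC_KEY)
    # Same key tag in both lines, different digest: the DS binds key + zone name.
    for zone in ("myzone1.tld.", "myzone2.tld."):
        print(ds_record(zone, ksk))
```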


Got error mssg when I started ISC Bind service

2008-11-20 Thread Amir
I received an error message when I tried to start the ISC BIND I just installed on
my server (Windows 2003 server):
"Could not start the ISC Bind service on local computer. Error 1069: The
service did not start due to a logon failure." How do I start the service
and how do I get rid of that error?



Re: Zone not propogating to slaves

2008-11-20 Thread Niall O'Reilly
On Wed, 2008-11-19 at 19:36 -0800, Steve Koon wrote:
[ ... ] 
> Anyone know why I am getting this “not authoritative” message and no
> zone file on .118 all of a sudden?
[ ... ]
> This is the log message in the 69.25.129.118 slave
> 
> client 69.25.129.117#1304: received notify for zone
> 'manzanitavacation.com': not authoritative

118 is telling you that it won't act on a notify from 117
because ...

[ ... ]
> =[3]== named.conf for 69.25.129.118 Slave ==
[ ... ]
> zone manzanitavacation.com. in {
> 
> type slave;
> 
> file "c:\windows\system32\dns\etc\named\zones
> \db.manzanitavacation.com.zone";
> 
> masters { 69.25.129.119; };
> 
> allow-notify {69.25.129.117;69.25.129.118; };
> 
> };

... you've told it to accept only 119 as a master. 

[Log message might better say this more plainly.]

You have a few options.

 1. Read the ARM and work out how to avoid sending useless
NOTIFY messages, while keeping the useful ones.

 2. Leave things the way they are, and live with noisy logs.

 3. Allow one or other (but not both -- you need to avoid
loops in your update-propagation graph!) slave to act
as intermediate master for the other.

Beir bua!
/Niall
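Option 3 above, written out as named.conf zone statements for the two slaves (an added example, not Niall's configuration or the poster's; the zone name, file path and addresses are taken from the quoted config, everything else is assumed):

```conf
// On the 69.25.129.117 slave: let 118 transfer the zone from it.
// 117 still takes the zone only from the real master, 119.
zone "manzanitavacation.com" in {
    type slave;
    file "c:\windows\system32\dns\etc\named\zones\db.manzanitavacation.com.zone";
    masters { 69.25.129.119; };
    allow-transfer { 69.25.129.118; };
};

// On the 69.25.129.118 slave: accept 117 as an intermediate master in
// addition to 119, so a NOTIFY from 117 now triggers a useful transfer.
// Do NOT also list 118 as a master on 117; that would put a loop in the
// update-propagation graph.
zone "manzanitavacation.com" in {
    type slave;
    file "c:\windows\system32\dns\etc\named\zones\db.manzanitavacation.com.zone";
    masters { 69.25.129.119; 69.25.129.117; };
    allow-notify { 69.25.129.119; 69.25.129.117; };
    // 118 is the end of the chain: its own NOTIFYs to 117 would only be
    // logged there as "not authoritative" (option 1), so suppress them.
    notify no;
};
```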




RE: Zone not propogating to slaves

2008-11-20 Thread Steve Koon
Ah, Thanks for pointing out my errors.

:)

Steve



RE: Got error mssg when I started ISC Bind service

2008-11-20 Thread Jukka Pakkanen
Check the event log; is there any more specific info? Maybe not enough rights in the
/etc/namedb folder; the process needs to be able to write to that directory.

