Re: glue record
On Wed, May 13, 2009 at 11:46:29AM +0800, Tech W. wrote a message of 14 lines which said:

> When an upper DNS returns a domain's authorised DNS server, will it
> also return the authorised DNS server's IP address? So glue record
> works this way?

Why don't you test? Computer science is an experimental science.

% dig @a.nic.fr A www.google.fr

; <<>> DiG 9.5.1-P1 <<>> @a.nic.fr A www.google.fr
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47237
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.fr.                 IN      A

;; AUTHORITY SECTION:
google.fr.              172800  IN      NS      ns1.google.com.
google.fr.              172800  IN      NS      ns2.google.com.
google.fr.              172800  IN      NS      ns3.google.com.
google.fr.              172800  IN      NS      ns4.google.com.

;; Query time: 2 msec
;; SERVER: 192.93.0.129#53(192.93.0.129)
;; WHEN: Wed May 13 09:00:19 2009
;; MSG SIZE  rcvd: 124

No glue was sent back, since all google.fr name servers are outside of google.fr.

% dig @a.nic.fr A www.wanadoo.fr

; <<>> DiG 9.5.1-P1 <<>> @a.nic.fr A www.wanadoo.fr
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29937
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.wanadoo.fr.                IN      A

;; AUTHORITY SECTION:
wanadoo.fr.             172800  IN      NS      ns11.wanadoo.fr.
wanadoo.fr.             172800  IN      NS      ns.wanadoo.fr.
wanadoo.fr.             172800  IN      NS      ns2.wanadoo.fr.
wanadoo.fr.             172800  IN      NS      ns10.wanadoo.fr.

;; ADDITIONAL SECTION:
ns.wanadoo.fr.          172800  IN      A       80.12.255.24
ns2.wanadoo.fr.         172800  IN      A       80.12.255.159
ns10.wanadoo.fr.        172800  IN      A       80.12.255.23
ns11.wanadoo.fr.        172800  IN      A       80.12.255.152

;; Query time: 2 msec
;; SERVER: 192.93.0.129#53(192.93.0.129)
;; WHEN: Wed May 13 09:01:49 2009
;; MSG SIZE  rcvd: 180

Glue was sent back since wanadoo.fr's name servers are under wanadoo.fr (so you could not find their IP addresses without the glue records).

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Regexp issue in NAPTR rewrite
Mark Andrews wrote:

> In message <4a093b9c.5060...@afnic.fr>, sandoche BALAKRICHENAN writes:
>
>> I want to rewrite a query of the form
>> "sgtin.5.4.0.0.0.1.3.2.4.5.6.7.6.id.onsam.test" to
>> "sgtin.5.4.0.0.0.1.3.2.4.5.6.7.6.id.onseu.test" using NAPTR rewrite.
>> The NAPTR RR in the zone config is as follows:
>>
>> sgtin.5.4.0.0.0.1.3.2.4.5.6.7.6.id.onsam.test IN NAPTR 0 0 "r" "" "!^sgtin\.([0-9])$!\1.id.onseu.test!" .
>>
>> BIND does not accept backref "\1". It shows a syntax error.
>> Is the above regexp correct?
>
> You failed to properly escape the string.
>
> From RFC 2168:
>
>    Recall that the regular expression used \2 to extract a domain name
>    from the CID, and \. for matching the literal '.' characters
>    separating the domain name components. Since '\' is the escape
>    character, literal occurrences of a backslash must be escaped by
>    another backslash. For the case of the cid.urn.net record above, the
>    regular expression entered into the zone file should be
>    "/urn:cid:.+@([^\\.]+\\.)(.*)$/\\2/i". When the client code actually
>    receives the record, the pattern will have been converted to
>    "/urn:cid:.+@([^.]+\.)(.*)$/\2/i".

Thanks. With double "\\" it works.

Sandoche BALAKRICHENAN
AFNIC, Ingenieur R&D
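The point Mark makes is that a NAPTR regexp lives behind two escaping layers: the zone file stores it as a quoted string, in which every backslash the regexp needs must itself be written as "\\", and named then hands the single-escaped form to whoever applies it. The Python below is an added example, not code from the thread or from BIND: it converts between the two forms, splits the "delim ERE delim replacement delim flags" field, and applies it. The record it uses is constructed and its pattern is broader than the one in the post (it captures the whole serial and only swaps the onsam.test suffix); Python's re stands in for the POSIX ERE the NAPTR specification calls for, and the RFC 1035 "\DDD" octet escape is not handled.

```python
import re

# Added example, not BIND code: the two escaping layers of a NAPTR regexp.
# Layer 1 is the zone-file (presentation) form, a quoted string in which a
# backslash must itself be written as "\\".  Layer 2 is what named loads and
# puts on the wire, with single backslashes, and is what a client applies.
# Python's re stands in for POSIX ERE; the RFC 1035 "\DDD" octet escape is
# deliberately not handled here.


def zone_escape(regexp):
    """Presentation form for a zone file: double every backslash, escape quotes."""
    return '"' + regexp.replace("\\", "\\\\").replace('"', '\\"') + '"'


def zone_unescape(field):
    """Inverse of zone_escape: strip the quotes and collapse each \\x to x."""
    if len(field) < 2 or field[0] != '"' or field[-1] != '"':
        raise ValueError("a NAPTR regexp must be a quoted string in a zone file")
    body, out, i = field[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def split_naptr_regexp(regexp):
    """Split 'delim ERE delim replacement delim flags'.

    The delimiter is whatever the first character is; an escaped delimiter
    inside the ERE or replacement does not count as a separator."""
    if not regexp:
        raise ValueError("empty regexp field")
    delim, parts, cur, i = regexp[0], [], [], 1
    while i < len(regexp):
        c = regexp[i]
        if c == "\\" and i + 1 < len(regexp):
            cur.extend((c, regexp[i + 1]))   # keep the escape pair intact
            i += 2
            continue
        if c == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))               # trailing flags, possibly empty
    if len(parts) != 3:
        raise ValueError("regexp field needs exactly three delimiters")
    return tuple(parts)                      # (ere, replacement, flags)


def apply_naptr_regexp(regexp, name):
    """Apply a wire-form regexp to a name; None when the ERE does not match."""
    ere, repl, flags = split_naptr_regexp(regexp)
    m = re.search(ere, name, re.IGNORECASE if "i" in flags else 0)
    return m.expand(repl) if m else None     # expand() resolves \1, \2, ...


# Constructed record in zone-file form (raw string, so what you see is what
# would sit in the file).  Broader than the pattern in the post: it captures
# the whole serial and only swaps the onsam.test suffix for onseu.test.
ZONE_REGEXP = r'"!^sgtin\\.(.*)\\.id\\.onsam\\.test$!sgtin.\\1.id.onseu.test!i"'

if __name__ == "__main__":
    wire = zone_unescape(ZONE_REGEXP)
    print("wire form:", wire)
    print(apply_naptr_regexp(wire, "sgtin.5.4.0.0.0.1.3.2.4.5.6.7.6.id.onsam.test"))
```

The conversion is mechanical; the practical caveat is that the regexp arrives as zone data, so an application that applies NAPTR rewrites from DNS responses should treat the pattern as untrusted input and bound what it is willing to execute.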
error while attempting to use nsupdate on a DNSSEC signed zone
Hello -

(bind9.6.0-P1)

I have set up a zone that is signed. It is an island of security zone for testing purposes.

I have set up a TSIG key and set the allow-update to accept the key.

I have followed every step, afaict, in the various how-tos on how to sign a zone.

But when I try to do an update, I get an error.

All the error says is

signer "update.test.net" approved
13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': adding an RR at 'blah.test.net' A
13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure

"failure" is all it says for a reason.

I looked at the bind source, and there are some more useful error messages about keys etc. But all I am getting is "failure".

If I do the same nsupdate without DNSSEC, it works. It appears there is something wrong with my setup and the regeneration of the RRSIG/NSEC keys is failing. (I have tried it with both NSEC and NSEC3 keys)

I will put together a (simpler) named.conf and zone file that causes this and post that info, but I was hoping that maybe somebody has seen this and has an idea.

Thanks

--
Jack Tavares
RE: error while attempting to use nsupdate on a DNSSEC signed zone
I am running bind in a chroot jail, btw.

I had this working a while ago, and left it for a while and then tried to set it up again, with no luck.

I am sure it is something simple...

--
Jack Tavares
Re: error while attempting to use nsupdate on a DNSSEC signed zone
In message <4b18a8f75a6384449755bc7784073e93603b776...@exch11.olympus.f5net.com>, Jack Tavares writes:

> 13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
> "failure" is all it says for a reason.
> [...]
> If I do the same nsupdate without DNSSEC, it works.

Have you told named where the private keys are (key-directory)?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: mark_andr...@isc.org
Re: glue record
--- On Wed, 13/5/09, Stephane Bortzmeyer wrote:

> Glue was sent back since wanadoo.fr's name servers are under
> wanadoo.fr.

Ok, please see dig info below. If I understand it correctly, gdpu.cn is not under b.dns.cn, so why does b.dns.cn return glue?

Thanks.

# dig gdpu.cn ns @B.DNS.cn

; <<>> DiG 9.5.0-P2 <<>> gdpu.cn ns @B.DNS.cn
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53380
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gdpu.cn.                       IN      NS

;; AUTHORITY SECTION:
gdpu.cn.                21600   IN      NS      dns1.gdpu.cn.
gdpu.cn.                21600   IN      NS      dns2.gdpu.cn.

;; ADDITIONAL SECTION:
dns1.gdpu.cn.           21600   IN      A       219.136.229.41
dns2.gdpu.cn.           21600   IN      A       219.136.229.42
Re: glue record
On Wed, May 13, 2009 at 03:37:19PM +0800, Tech W. wrote a message of 39 lines which said:

> if I understand it correctly, gdpu.cn is not under b.dns.cn,

True, but irrelevant.

> why does b.dns.cn return glue?

Because the name servers of gdpu.cn are under gdpu.cn.
Re: glue record
In article , "Tech W." wrote:

> Ok, please see dig info below. If I understand it correctly, gdpu.cn is
> not under b.dns.cn, so why does b.dns.cn return glue?

How would you look up anything in this domain if it didn't return glue? To look up anything.gdpu.cn, you have to ask dns1.gdpu.cn or dns2.gdpu.cn. This requires you to find the IP of dns{1,2}.gdpu.cn, which you can only do by asking dns{1,2}.gdpu.cn. The glue keeps you from getting stuck in this loop.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
RE: error while attempting to use nsupdate on a DNSSEC signed zone
Yes.

And when I previously failed to specify the correct key-directory, I got an error "found no private keys, unable to generate any signatures".

I corrected that error and now get the "failure" message.

Everything is owned by named.

options {
    dnssec-enable yes;
    dnssec-validation yes;
    key-directory "/config/namedb";

--
Jack Tavares

Mark Andrews wrote:

> Have you told named where the private keys are (key-directory)?
Cannot Delete Glue record
I have a glue (nameserver host) record which hasn't been used in years and I want to delete it (and ultimately re-use the name). Attempting a delete through UKreg (Fasthosts) gives me this:

Error: NameServerHosts Delete (Nameserver deletion failed at registry: 420 Object association prohibits operation.)

I cannot find any way to check what domains are attached to it, and UKreg support are unable to help (check manually was their answer). We don't have that many domains, so I've checked them all manually, both the zone files and what the registrar has listed as authoritative, but this glue record isn't used by us.

Is there a way/tool which can check what domains are attached to a glue record?

For reference, the name is ns0.broadbean.net

Any advice appreciated.

Thanks
Luke
Re: glue record
Oh yes, I have got it. Thanks.

--- On Wed, 13/5/09, Stephane Bortzmeyer wrote:

> > why does b.dns.cn return glue?
>
> Because the name servers of gdpu.cn are under gdpu.cn.
Re: glue record
Your domain is still broken. You need to remove the NS record for your internal host.

$ dig @dns2.gdpu.cn gdpu.cn ns

;; ANSWER SECTION:
gdpu.cn.                3600    IN      NS      dns1.gdpu.cn.
gdpu.cn.                3600    IN      NS      dns2.gdpu.cn.
gdpu.cn.                3600    IN      NS      dns4.dmz.local.   **

;; ADDITIONAL SECTION:
dns1.gdpu.cn.           3600    IN      A       219.136.229.41
dns2.gdpu.cn.           3600    IN      A       219.136.229.42
dns4.dmz.local.         3600    IN      A       10.55.11.11       **

On 13/5/09 11:18 AM, "Tech W." wrote:

> Oh yes, I have got it. Thanks.

--
Kal Feher
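The rule Stephane and Barry state (glue is needed exactly for name servers whose names lie inside the delegated zone) and the problem Kal spots by eye (an internal name with a private address in a public NS set) are both mechanical checks. The Python below is an added example, not code from the thread or from BIND: it parses dig's section output, works out which NS names are in-bailiwick and therefore need glue, and flags the two hygiene problems. The embedded dig text is constructed from Kal's reply with whitespace restored; the google.fr delegation is constructed from the a.nic.fr referral earlier in the thread. Nothing is sent over the network.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not from the thread or from BIND.  Applies the bailiwick
# rule from the replies above to dig output and adds the two checks Kal's
# reply makes by eye: a public NS set should carry neither an internal name
# nor a private address.  Input is text pasted from dig; nothing is queried.


@dataclass
class Delegation:
    zone: str                                   # e.g. "gdpu.cn."
    ns: list                                    # NS target names, in order
    addrs: dict = field(default_factory=dict)   # name -> [A/AAAA rdata]


def norm(name):
    """Lower-case, absolute form so comparisons are exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name, zone):
    """True when `name` is at or below `zone`, i.e. the parent must send glue."""
    n, z = norm(name), norm(zone)
    return n == z or n.endswith("." + z)


def parse_dig(text, zone):
    """Pull the NS set and any A/AAAA records out of dig's section output.

    NS records come from ANSWER (child reply) or AUTHORITY (referral),
    addresses from ADDITIONAL.  Any other ';;' header ends the section."""
    ns, addrs, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            section = {";; ANSWER SECTION:": "ns", ";; AUTHORITY SECTION:": "ns",
                       ";; ADDITIONAL SECTION:": "add"}.get(line)
            continue
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, rtype, rdata = parts[0], parts[3], parts[4]
        if section == "ns" and rtype == "NS" and norm(owner) == norm(zone):
            ns.append(norm(rdata))
        elif section == "add" and rtype in ("A", "AAAA"):
            addrs.setdefault(norm(owner), []).append(rdata)
    return Delegation(norm(zone), ns, addrs)


def glue_required(d):
    """Names in the NS set that cannot be resolved without glue."""
    return [n for n in d.ns if in_bailiwick(n, d.zone)]


def check(d):
    """(severity, message) findings; an empty list means the NS set looks sane."""
    out = []
    for n in d.ns:
        addrs = d.addrs.get(n, [])
        if in_bailiwick(n, d.zone) and not addrs:
            out.append(("error", f"{n} is in-bailiwick but no glue came back; "
                                 f"nothing under {d.zone} can be reached"))
        elif addrs and not in_bailiwick(n, d.zone):
            # Addresses for out-of-zone names are not authoritative here; a
            # resolver must look them up itself rather than trust this copy.
            out.append(("warn", f"address for out-of-bailiwick {n} is not authoritative here"))
        if n.endswith(".local."):
            out.append(("error", f"{n} is an internal name published in a public NS set"))
        for a in addrs:
            if ipaddress.ip_address(a).is_private:
                out.append(("error", f"{n} has private glue address {a}"))
    return out


# Constructed from the dig output in Kal Feher's reply (whitespace restored).
GDPU_CN = """\
;; ANSWER SECTION:
gdpu.cn.        3600    IN  NS  dns1.gdpu.cn.
gdpu.cn.        3600    IN  NS  dns2.gdpu.cn.
gdpu.cn.        3600    IN  NS  dns4.dmz.local.

;; ADDITIONAL SECTION:
dns1.gdpu.cn.   3600    IN  A   219.136.229.41
dns2.gdpu.cn.   3600    IN  A   219.136.229.42
dns4.dmz.local. 3600    IN  A   10.55.11.11
"""

# Constructed from the a.nic.fr referral for google.fr: every NS is out of
# zone, so no glue is expected and none is needed.
GOOGLE_FR = Delegation("google.fr.", ["ns1.google.com.", "ns2.google.com.",
                                      "ns3.google.com.", "ns4.google.com."])

if __name__ == "__main__":
    for sev, msg in check(parse_dig(GDPU_CN, "gdpu.cn")):
        print(f"{sev}: {msg}")
```

Run against Kal's output it reports the dns4.dmz.local entry three ways (out-of-bailiwick address, internal name, private address) and says nothing about dns1 and dns2, which are in-bailiwick and carry glue; run against the google.fr referral it reports nothing, since no glue is required there.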
Re: glue record
--- On Wed, 13/5/09, Kal Feher wrote:

> Your domain is still broken. You need to remove the NS record for your
> internal host.

I have asked the hostmaster, who said the DNS server has been joined to a Windows domain and has the hostname "dns4.dmz.local.". She can't remove this hostname from the Windows DNS server. Once it is removed, after some time it will be added back into the name server automatically by Windows. How can she handle this case?

Thanks.

Regards.
Re: glue record
On Wed, May 13, 2009 at 06:08:23PM +0800, Tech W. wrote a message of 27 lines which said:

> She can't remove this hostname from the Windows DNS server. Once it
> is removed, after some time it will be added back into the name server
> automatically by Windows. How can she handle this case?

Remove the allow-update directive.
two NS servers on a single host
Hello,

I have a bind host installed. It has two public IP addresses. I want to give two NS records for my domain, each NS taking one of the IPs set on the host.

More details: the host has two IPs:

61.145.121.59
211.66.80.59

Surely policy routing for the two NICs was enabled.

I add this info into named.conf:

mydomain.com.      IN NS ns1.mydomain.com.
mydomain.com.      IN NS ns2.mydomain.com.

ns1.mydomain.com.  IN A  61.145.121.59
ns2.mydomain.com.  IN A  211.66.80.59

There is only one named running on that host. Under this config, does it seem that there are two name servers for mydomain.com? Is it the right way?

Thanks.
Re: glue record
--- On Wed, 13/5/09, Stephane Bortzmeyer wrote:

> Remove the allow-update directive.

But she is running the Windows DNS server, not Bind..
Re: glue record
On Wed, May 13, 2009 at 09:04:07PM +0800, Tech W. wrote a message of 13 lines which said:

> > Remove the allow-update directive.
>
> But she is running the Windows DNS server, not Bind..

Then it is probably off-topic for this list.
Re: two NS servers on a single host
On Wed, May 13, 2009 at 09:02:55PM +0800, Tech W. wrote a message of 34 lines which said:

> I want to give two NS records for my domain, each NS taking one of
> the IPs set on the host.

Why? This would be completely useless. RFC 1034 and other documents call for at least two name servers, for redundancy reasons. If the two name servers are on the same host, what's the point? There would be no gain in reliability.
Re: two NS servers on a single host
In message <809645.28773...@web15601.mail.cnb.yahoo.com>, "Tech W." writes:

> I have a bind host installed. It has two public IP addresses.
> I want to give two NS records for my domain, each NS taking one of
> the IPs set on the host.
> [...]
> There is only one named running on that host.
> Under this config, does it seem that there are two name servers for
> mydomain.com? Is it the right way?

The two nameserver rule is to provide redundancy. Two names that refer to the same machine do not provide redundancy.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: mark_andr...@isc.org
Re: two NS servers on a single host
On May 13, 2009, at 6:51 AM, Stephane Bortzmeyer wrote:

> Why? This would be completely useless. RFC 1034 and other documents
> call for at least two name servers, for redundancy reasons. If the two
> name servers are on the same host, what's the point? There would be no
> gain in reliability.

If you have ever had the IP for your name server be the target of a DoS attack, you could have blocked traffic to that IP and still had DNS.

Two networks to the same host is network redundancy and has value.

//Brad
Re: two NS servers on a single host
In article , Bradley Giesbrecht wrote:

> If you have ever had the IP for your name server be the target of a DoS
> attack, you could have blocked traffic to that IP and still had DNS.
>
> Two networks to the same host is network redundancy and has value.

But in that case you would include one NS record for a host with two A records. Check the NS records for my own domain for an example.

Sam
RE: two NS servers on a single host
It is network redundancy only in so far as the DoS attack doesn't cause your CPU and memory to get slammed.

If you're doing redundancy you really ought to do the whole thing by getting another server and putting IT on the other network. Then you don't have a single point of failure (unless they're both in the same data center).

If you really want to do two different IPs on one host you could probably use views to accomplish this, but that would be all within a single BIND setup, so your theoretical DoS attack would probably cause both views to have issues.

-----Original Message-----
From: Bradley Giesbrecht
Sent: Wednesday, May 13, 2009 10:22 AM
Subject: Re: two NS servers on a single host

> If you have ever had the IP for your name server be the target of a DoS
> attack, you could have blocked traffic to that IP and still had DNS.
>
> Two networks to the same host is network redundancy and has value.
RE: two NS servers on a single host
> Date: Wed, 13 May 2009 10:29:19 -0400
> From: "Jeff Lightner"
>
> If you're doing redundancy you really ought to do the whole thing by
> getting another server and putting IT on the other network. Then you
> don't have a single point of failure (unless they're both in the same
> data center).

There is no reason NOT to have redundancy (two hosts, two networks), no matter how small your network is.

Google for "free dns hosting". You'll get back a very large number of hits. Use your google-foo to limit the search parameters some. You'll get back a slightly smaller, but still very large, number of hits. Investigate to see who has better services. Select one. Configure, and configure at your domain registrar. You're back in service.

Regards,
Gregory Hicks

-
Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928
RE: error while attempting to use nsupdate on a DNSSEC signed zone
I've encountered a similar issue when using DSA keys with BIND 9.5.1-P1. The dynamic records weren't added to a master zone signed with DSA keys - the journal file doesn't get created at all, just similar messages logged in syslog:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': adding an RR at 'h2.fred.com' A
Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign failure

The solution was to sign every dynamic zone with RSASHA1 keys only.

Alex

-----Original Message-----
From: Jack Tavares
Sent: Wednesday, May 13, 2009 4:03 AM
Subject: RE: error while attempting to use nsupdate on a DNSSEC signed zone

> And when I previously failed to specify the correct key-directory, I got
> an error "found no private keys, unable to generate any signatures".
>
> I corrected that error and now get the "failure" message.
Re: two NS servers on a single host
On May 13, 2009, at 7:29 AM, Jeff Lightner wrote:

> It is network redundancy only in so far the DOS attack doesn't cause
> your CPU and memory to get slammed.

I would block the ip under attack upstream so no cpu or memory issues.

I didn't claim anything other than there can be in fact value in having one computer on more than one network.

This was in response to your comment "This would be completely useless" which I disagree with.

//Brad

> If you're doing redundancy you really ought to do the whole thing by
> getting another server and putting IT on the other network. Then you
> don't have a single point of failure (unless they're both in the same
> data center).
>
> If you really want to do two different IPs on one host you could
> probably use views to accomplish this but that would be all within a
> single BIND setup so your theoretical DOS attack would probably cause
> both views to have issues.
>
> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bradley Giesbrecht
> Sent: Wednesday, May 13, 2009 10:22 AM
> To: Stephane Bortzmeyer
> Cc: bind-users@lists.isc.org
> Subject: Re: two NS servers on a single host
>
> On May 13, 2009, at 6:51 AM, Stephane Bortzmeyer wrote:
>
>> On Wed, May 13, 2009 at 09:02:55PM +0800,
>> Tech W. wrote
>> a message of 34 lines which said:
>>
>>> I want to give two NS records for my domain, each NS take each of the IP set in the host.
>>
>> Why? This would be completely useless. RFC 1034 and other documents
>> call for at least two name servers, for redundancy reasons. If the two
>> name servers are on the same host, what's the point? There would be no
>> gain in reliability.
>
> If you have ever had the ip for your name server the target of a dos
> attack you could have blocked traffic to that ip and still had dns.
>
> Two networks to same host is network redundancy and has value.
>
> //Brad
RE: error while attempting to use nsupdate on a DNSSEC signed zone
Thanks, but that is not my problem.

The error message you are getting at least gives a hint:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign failure

My error says:

13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': prerequisites are OK
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: signer "update.test.net" approved
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: update 'test.net/IN' approved
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': update section prescan OK
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': adding an RR at 'blarney.test.net' A
13-May-2009 22:04:59.665 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure

"failure" that's it.

I am still having this problem. It is intermittent. One update will work, then another update for the very same zone, using the very same key, will fail.

It works fine if I remove the signed zone.

I have tried removing from the chroot jail, in case I had an error in the setup there, and it makes no difference.

The failure seems to be coming from dns_dnssec_sign, but it is just returning ISC_R_FAILURE. When I step through the code with the debugger, it seems to work every time (naturally).

I am really scratching my head.

--
Jack Tavares

From: Alexa Petrean [apetr...@bluecatnetworks.com]
Sent: Wednesday, May 13, 2009 17:50
To: Jack Tavares
Cc: bind-users@lists.isc.org
Subject: RE: error while attempting to use nsupdate on a DNSSEC signed zone

I've encountered a similar issue when using DSA keys with BIND 9.5.1-P1. The dynamic records weren't added to a master zone signed with DSA keys - the journal file doesn't get created at all, just similar messages logged in syslog:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': adding an RR at 'h2.fred.com' A
Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign failure

The solution was to sign every dynamic zone with RSASHA1 keys only.

Alex

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jack Tavares
Sent: Wednesday, May 13, 2009 4:03 AM
To: unlisted-recipients
Cc: bind-users@lists.isc.org
Subject: RE: error while attempting to use nsupdate on a DNSSEC signed zone

yes.
And when I previously failed to specify the correct key-directory, I got an error
"found no private keys, unable to generate any signatures"

I corrected that error and now get the "failure" message

everything is owned by named.

options {
        dnssec-enable yes;
        dnssec-validation yes;
        key-directory "/config/namedb";

--
Jack Tavares

From: mark_andr...@isc.org [mark_andr...@isc.org]
Sent: Wednesday, May 13, 2009 10:38
To: Jack Tavares
Cc: bind-users@lists.isc.org
Subject: Re: error while attempting to use nsupdate on a DNSSEC signed zone

In message <4b18a8f75a6384449755bc7784073e93603b776...@exch11.olympus.f5net.com>
> Hello -
>
> (bind9.6.0-P1)
>
> I have set up a zone that is signed.
> It is an island of security zone for testing purposes.
>
> I have set up a TSIG key and set the allow-update
> to accept the key.
>
> I have followed every step, afaict, in the various
> how-tos on how to sign a zone.
>
> But when I try to do an update, I get an error.
>
> All the error says is
> signer "update.test.net" approved
> 13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': adding an RR at 'blah.test.net' A
> 13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
> "failure" is all it says for a reason.
>
> I looked at the bind source, and there are some more useful error messages about keys etc.
> But all I am getting is "failure".
>
> If I do the same nsupdate without DNSSEC, it works.
> It appears there is something wrong with my setup and the regeneration of the RRSIG/NSEC
> keys is failing. (I have tried it with both NSEC and NSEC3 keys)
>
> I will put together a (simpler) named.conf and zone file that causes this and post that info,
> but I was hoping that maybe somebody has seen this and has an idea.
>
> Thanks
>
> --
> Jack Tavares

Have you told named where the private keys are (key-directory)?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: Cannot Delete Glue record
Luke Hopkins wrote:
> I have a glue (nameserver host) record which hasn't been used in years and I want to delete it (and ultimately re-use the name).
>
> Attempting a delete through UKreg (Fasthosts) gives me this:
>
> Error: NameServerHosts Delete (Nameserver deletion failed at registry: 420 Object association prohibits operation.)
>
> I cannot find any way to check what domains are attached to it, and UKreg support are unable to help (check manually was their answer).
>
> We don't have that many domains, so I've checked them all manually, both the zone files and what the registrar has listed as authoritative, but this glue record isn't used by us.
>
> Is there a way/tool which can check what domains are attached to a glue record.
>
> For reference, the name is ns0.broadbean.net

They should be able to look into the registry database to find this. It might be very difficult for you, as a customer, to ascertain, outside of the DNS protocol itself, what domain(s) might be delegated to that name.

If your registry is lax about checking such things, it's conceivable that someone has delegated their domain(s) to your nameserver without your consent, in order to meet a 2-nameserver delegation requirement, while only actually having a single authoritative nameserver hosting the zone. In that scenario, if you have everything in a single "view", and open access to the cache, and with open recursion (or one of your "trusted" recursive clients went rogue), they might even be able to "poke" your nameserver periodically, in order to populate your cache with desired records, and thus leech off your resolution services. That's another reason why it's recommended to either a) strictly limit access to your cache (later versions of BIND do this more conveniently and by default), or b) have separate views for recursive and non-recursive (hosting) service. But I digress...

One investigative approach would be to point that name at a valid address in your Internet-facing range, and record -- by using a sniffer, or bringing up a minimal nameserver and turning on query logging -- what queries you're getting, and for what zones.

- Kevin
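Kevin's suggestion (stand up a minimal nameserver on that address and turn on query logging) leaves you with a log that still has to be tallied. The following Python script is an added example, not part of the thread: it parses BIND-style query-log lines and counts queries per name suffix and per source address, so the domains whose delegations still point at a name like ns0.broadbean.net stand out. The sample log lines are constructed for the example. Grouping by a fixed number of trailing labels is a heuristic (two labels is wrong for names under co.uk, which is why the label count is a parameter), and own_zones is an assumed parameter for dropping the domains you have already checked by hand.

```python
import re
from collections import Counter

# Constructed sample of BIND 9 query-log lines; not taken from the thread.
# Source addresses and names are documentation ranges/domains.
SAMPLE_LOG = """\
13-May-2009 09:00:19.101 client 192.0.2.10#53211: query: www.example.com IN A + (203.0.113.5)
13-May-2009 09:00:19.244 client 192.0.2.10#53211: query: example.com IN MX + (203.0.113.5)
13-May-2009 09:00:20.002 client 198.51.100.7#40001: view external: query: mail.example.org IN A - (203.0.113.5)
13-May-2009 09:00:20.310 client 198.51.100.7#40002: query: www.example.com IN AAAA - (203.0.113.5)
13-May-2009 09:00:21.555 client 203.0.113.9#1025: query: ns0.broadbean.net IN A - (203.0.113.5)
not a query log line at all
"""

# Matches the "client <ip>#<port>: ... query: <name> IN <type>" core of a
# BIND query-log line, with or without a "view <name>:" field in between.
QUERY_RE = re.compile(
    r"client (?P<src>[0-9A-Fa-f.:]+)#\d+:.*?query: (?P<name>\S+) IN (?P<type>\S+)"
)


def parse_query_log(text):
    """Yield (source_ip, qname, qtype) per query line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("name").rstrip(".").lower(), m.group("type")


def suffix(name, labels=2):
    """Last `labels` labels of a name: a rough stand-in for 'which zone is this in'."""
    parts = name.split(".")
    return ".".join(parts[-labels:])


def in_own_zones(name, own_zones):
    """True if the name is at or below one of the zones you already control."""
    return any(name == z or name.endswith("." + z) for z in own_zones)


def summarize(text, labels=2, own_zones=()):
    """Count queries by name suffix and by source address, ignoring your own zones."""
    by_zone = Counter()
    by_source = Counter()
    for src, name, _qtype in parse_query_log(text):
        if in_own_zones(name, own_zones):
            continue
        by_zone[suffix(name, labels)] += 1
        by_source[src] += 1
    return by_zone, by_source


if __name__ == "__main__":
    zones, sources = summarize(SAMPLE_LOG, own_zones={"broadbean.net"})
    for zone, n in zones.most_common():
        print("%6d  %s" % (n, zone))
    print("sources:", dict(sources))
```

Run it against the real query log once the name has been answering for a while; the suffixes that are not yours are the delegations the registry is complaining about, and the source addresses tell you which resolvers (or which single authoritative server, in Kevin's leeching scenario) are still sending you traffic.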
Re: two NS servers on a single host
Jeff, my apologies. I read the quoting levels wrong.

On May 13, 2009, at 8:01 AM, Bradley Giesbrecht wrote:

> On May 13, 2009, at 7:29 AM, Jeff Lightner wrote:
>
>> It is network redundancy only in so far the DOS attack doesn't cause
>> your CPU and memory to get slammed.
>
> I would block the ip under attack upstream so no cpu or memory issues.
>
> I didn't claim anything other than there can be in fact value in
> having one computer on more than one network.
>
> This was in response to your comment "This would be completely
> useless" which I disagree with.
>
> //Brad
>
>> If you're doing redundancy you really ought to do the whole thing by
>> getting another server and putting IT on the other network. Then you
>> don't have a single point of failure (unless they're both in the same
>> data center).
>>
>> If you really want to do two different IPs on one host you could
>> probably use views to accomplish this but that would be all within a
>> single BIND setup so your theoretical DOS attack would probably cause
>> both views to have issues.
>>
>> -----Original Message-----
>> From: bind-users-boun...@lists.isc.org
>> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bradley
>> Giesbrecht
>> Sent: Wednesday, May 13, 2009 10:22 AM
>> To: Stephane Bortzmeyer
>> Cc: bind-users@lists.isc.org
>> Subject: Re: two NS servers on a single host
>>
>> On May 13, 2009, at 6:51 AM, Stephane Bortzmeyer wrote:
>>
>>> On Wed, May 13, 2009 at 09:02:55PM +0800,
>>> Tech W. wrote
>>> a message of 34 lines which said:
>>>
>>>> I want to give two NS records for my domain, each NS take each of the IP set in the host.
>>>
>>> Why? This would be completely useless. RFC 1034 and other documents
>>> call for at least two name servers, for redundancy reasons. If the two
>>> name servers are on the same host, what's the point? There would be no
>>> gain in reliability.
>>
>> If you have ever had the ip for your name server the target of a dos
>> attack you could have blocked traffic to that ip and still had dns.
>>
>> Two networks to same host is network redundancy and has value.
>>
>> //Brad
RE: two NS servers on a single host
No worries. Compared to some posts directed my way in various forums (even this list) this was mild and I just wanted to set the record straight.

In one list I'm on this kind of response would immediately result in a 3 day thread about why top posting (or bottom posting or in line posting or maybe all 3) is evil and causes cancer. :)

-----Original Message-----
From: Bradley Giesbrecht [mailto:b...@pixilla.com]
Sent: Wednesday, May 13, 2009 1:17 PM
To: Bradley Giesbrecht
Cc: Jeff Lightner; bind-users@lists.isc.org
Subject: Re: two NS servers on a single host

Jeff, my apologies. I read the quoting levels wrong.

On May 13, 2009, at 8:01 AM, Bradley Giesbrecht wrote:

>
> On May 13, 2009, at 7:29 AM, Jeff Lightner wrote:
>
>> It is network redundancy only in so far the DOS attack doesn't cause
>> your CPU and memory to get slammed.
>
> I would block the ip under attack upstream so no cpu or
> memory issues.
>
> I didn't claim anything other than there can be in fact value in
> having one computer on more than one network.
>
> This was in response to your comment "This would be completely
> useless" which I disagree with.
>
> //Brad
>
>> If you're doing redundancy you really ought to do the whole thing by
>> getting another server and putting IT on the other network. Then
>> you
>> don't have a single point of failure (unless they're both in the same
>> data center).
>>
>> If you really want to do two different IPs on one host you could
>> probably use views to accomplish this but that would be all within a
>> single BIND setup so your theoretical DOS attack would probably cause
>> both views to have issues.
>>
>> -----Original Message-----
>> From: bind-users-boun...@lists.isc.org
>> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bradley
>> Giesbrecht
>> Sent: Wednesday, May 13, 2009 10:22 AM
>> To: Stephane Bortzmeyer
>> Cc: bind-users@lists.isc.org
>> Subject: Re: two NS servers on a single host
>>
>>
>> On May 13, 2009, at 6:51 AM, Stephane Bortzmeyer wrote:
>>
>>> On Wed, May 13, 2009 at 09:02:55PM +0800,
>>> Tech W. wrote
>>> a message of 34 lines which said:
>>>
>>>> I want to give two NS records for my domain, each NS take each of the IP set in the host.
>>>
>>> Why? This would be completely useless. RFC 1034 and other documents
>>> call for at least two name servers, for redundancy reasons. If the
>>> two
>>> name servers are on the same host, what's the point? There would
>>> be no
>>> gain in reliability.
>>
>> If you have ever had the ip for your name server the target of a dos
>> attack you could have blocked traffic to that ip and still had dns.
>>
>> Two networks to same host is network redundancy and has value.
>>
>>
>> //Brad
Re: error while attempting to use nsupdate on a DNSSEC signed zone
In message , "Alexa Petrean" writes:
>
> I've encountered a similar issue when using DSA keys with BIND 9.5.1-P1.
> The dynamic records weren't added to a master zone signed with DSA keys
> - the journal file doesn't get created at all, just similar messages
> logged in syslog:
>
> Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
> default4: updating zone 'fred.com/IN': adding an RR at 'h2.fred.com' A
> Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
> default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign
> failure
>
> The solution was to sign every dynamic zone with RSASHA1 keys only.
>
> Alex

DSA requires a good random number generator to be available to named.
RSA only required a good random number generator at key creation time.

> -----Original Message-----
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jack Tavares
> Sent: Wednesday, May 13, 2009 4:03 AM
> To: unlisted-recipients
> Cc: bind-users@lists.isc.org
> Subject: RE: error while attempting to use nsupdate on a DNSSEC signed
> zone
>
> yes.
> And I when I previously failed to specify the correct key-directory, I
> got an error
> "found no private keys, unable to generate any signatures"
>
> I corrected that error and now get the "failure" message
>
> everything is owned by named .
>
>
> options {
> dnssec-enable yes;
> dnssec-validation yes;
> key-directory "/config/namedb";
>
> --
> Jack Tavares
>
> From: mark_andr...@isc.org [mark_andr...@isc.org]
> Sent: Wednesday, May 13, 2009 10:38
> To: Jack Tavares
> Cc: bind-users@lists.isc.org
> Subject: Re: error while attempting to use nsupdate on a DNSSEC signed
> zone
>
> In message
> <4b18a8f75a6384449755bc7784073e93603b776...@exch11.olympus.f5net.com
> > Hello -
> >
> > (bind9.6.0-P1)
> >
> > I have set up a zone that is signed.
> > It is an island of security zone for testing purposes.
> >
> > I have set up a TSIG key and set the allow-update
> > to accept the key.
> >
> > I have followed every step, afaict, in the various
> > how-tos on how to sign a zone.
> >
> > But when I try to do an update, I get an error.
> >
> > All the error says is
> > signer "update.test.net" approved
> > 13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external:
> updating zone 'test.net/IN': adding an RR at 'blah.test.net' A
> > 13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external:
> updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
> > "failure" is all it says for a reason.
> >
> > I looked at the bind source, and there are some more useful error
> messages about keys etc.
> > But all I am getting is "failure".
> >
> > If i do the same nsupdate without DNSSEC, it works.
> > It appears there is something wrong with my setup and the regeneration
> of the RRSIG/NSEC
> > keys is failing. (I have tried it with both NSEC and NSEC3 keys)
> >
> > I will put together a (simpler) named.conf and zone file that causes
> this and post that info,
> > but I was hoping that maybe somebody has seen this and has an idea.
> >
> > Thanks
> >
> >
> > --
> > Jack Tavares
>
> Have you told named where the private keys are (key-directory)?
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
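Mark's one-line answer is the crux of both Alexa's and Jack's reports: a DSA signature consumes fresh random bits every time a signature is made, while an RSA signature is a deterministic function of key and message, so a random source that is unavailable at run time only breaks the DSA-signed zone. The Python below is an added example (not from the thread, from BIND, or from ISC) that makes that difference observable with textbook-sized toy parameters: p=23, q=11, g=4 for DSA and n=3233, e=17, d=2753 for RSA, which are constructed for readability and give no security at all. The `no_entropy` nonce source and `fixed_k_source` are assumed stand-ins for "no usable random device" and for reproducing a chosen k in a test; the outcome dictionary deliberately reports only "ok" or "failure", the same amount of detail named logged.

```python
import hashlib
import secrets

# Toy parameters, chosen only so the arithmetic is small enough to follow by hand.
# Real DNSSEC keys are 1024+ bits; these sizes give no security whatsoever.
DSA_P, DSA_Q, DSA_G = 23, 11, 4      # g = 4 has order q = 11 modulo p = 23
DSA_X = 7                            # private key (toy)
DSA_Y = pow(DSA_G, DSA_X, DSA_P)     # public key, = 8

RSA_N, RSA_E, RSA_D = 3233, 17, 2753 # 3233 = 61 * 53, e*d = 1 mod 3120 (textbook toy)


class SignFailure(Exception):
    """Raised when a signature cannot be produced (as uninformative as named's 'failure')."""


def _digest(msg, modulus):
    """Hash the message and reduce it into the signing group (toy-sized truncation)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % modulus


def secret_k_source():
    """Per-signature nonce from the OS CSPRNG: the random input DSA needs at run time."""
    return secrets.randbelow(DSA_Q - 1) + 1


def fixed_k_source(values):
    """Demonstration-only nonce source that replays the given k values in turn.
    A predictable k is itself a weakness in DSA; only use this to reproduce a test."""
    state = {"i": 0}

    def source():
        k = values[state["i"] % len(values)]
        state["i"] += 1
        return k

    return source


def toy_dsa_sign(msg, x=DSA_X, k_source=secret_k_source, max_tries=100):
    """DSA signing: every signature draws a fresh k from the random source."""
    h = _digest(msg, DSA_Q)
    for _ in range(max_tries):
        k = k_source()                        # the RNG is consulted here, per signature
        if not 1 <= k < DSA_Q:
            raise SignFailure("nonce out of range")
        r = pow(DSA_G, k, DSA_P) % DSA_Q
        if r == 0:
            continue                          # standard retry cases
        s = pow(k, DSA_Q - 2, DSA_Q) * (h + x * r) % DSA_Q   # k^-1 via Fermat (q prime)
        if s == 0:
            continue
        return r, s
    raise SignFailure("no usable nonce")


def toy_dsa_verify(msg, sig, y=DSA_Y):
    """Standard DSA verification: recompute r from the public key."""
    r, s = sig
    if not (0 < r < DSA_Q and 0 < s < DSA_Q):
        return False
    h = _digest(msg, DSA_Q)
    w = pow(s, DSA_Q - 2, DSA_Q)
    u1, u2 = h * w % DSA_Q, r * w % DSA_Q
    v = (pow(DSA_G, u1, DSA_P) * pow(y, u2, DSA_P) % DSA_P) % DSA_Q
    return v == r


def toy_rsa_sign(msg, d=RSA_D):
    """Textbook RSA signing: a deterministic function of key and message, no RNG."""
    return pow(_digest(msg, RSA_N), d, RSA_N)


def toy_rsa_verify(msg, sig, e=RSA_E):
    return pow(sig, e, RSA_N) == _digest(msg, RSA_N)


def no_entropy():
    """Stand-in for a random source that cannot deliver (e.g. no usable device)."""
    raise OSError("random source unavailable")


def signing_outcomes(msg, k_source):
    """Sign with both algorithms using the given nonce source; report 'ok' or 'failure'."""
    outcomes = {}
    try:
        outcomes["dsa"] = "ok" if toy_dsa_verify(msg, toy_dsa_sign(msg, k_source=k_source)) else "failure"
    except (SignFailure, OSError):
        outcomes["dsa"] = "failure"           # only the DSA side depends on the RNG
    outcomes["rsa"] = "ok" if toy_rsa_verify(msg, toy_rsa_sign(msg)) else "failure"
    return outcomes


if __name__ == "__main__":
    rr = b"blah.test.net. 3600 IN A 192.0.2.1"   # constructed record data
    print("working RNG:", signing_outcomes(rr, secret_k_source))
    print("no RNG:     ", signing_outcomes(rr, no_entropy))
```

The two print lines show the asymmetry Mark describes: with a working random source both algorithms sign, with none only the RSA signature survives. The same asymmetry is why Alexa's workaround (RSASHA1 keys only) makes the symptom disappear without touching the underlying random source, and why Jack's RSASHA1 zones could still be affected by a random device problem at key-generation time but not at update time.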
file descriptors and max-clients-per-query
Hello Everybody

I'm running a bind 9.4.2-p2 and a 9.5.1-P1 both on a FreeBSD 6.x box as caching servers. let's call them ns1 and ns2 :P

Shortly after we shut down server one we get error messages on the other server:

-> socket: too many open file descriptors

I tried to recompile named with FD_SETSIZE=4096 as I saw in an earlier message on this list. Today I realized that this compile knob didn't help.

a) how can I check the file descriptor limit for bind on freebsd?
b) how can I increase the file descriptor limits for bind on freebsd?
c) is there an easy way to "trigger" this error? (for testing)

Something else that bothers me is the message:

resolver: clients-per-query increased to 105

How can I find out which clients and/or queries and/or remote servers are responsible for this message? Should I do something about that?

tia
Philippe
/dev/random in chroot jail causing errors with nsupdate of dnssec signed zone
So I posted a couple of messages about how my nsupdates were failing intermittently when attempting to update a signed zone.

The only error I get in the log is:

14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': prerequisites are OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: signer "update.test.net" approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: update 'test.net/IN' approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': update section prescan OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': adding an RR at 'newest4.test.net' A
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': rolling back

The keys are generated with RSASHA1 and use -r /dev/urandom

I run named in a chroot jail, at /var/named

I created /var/named/dev/random with

mknod -m644 /var/named/dev/random c 1 8

which mimics the major and minor number from the system:

ls -lL /dev/random
crw-r--r-- 1 root root 1, 8 May 13 03:27 /dev/random

The nsupdates fail, seemingly randomly. When I delete this /dev/random from the chroot, they work.

So my question is: am I setting up the /dev/random incorrectly? Should I not be creating /dev/random? (the how-tos I have seen all talk about re-creating /dev/null and /dev/random etc)

Note: I also tried generating the keys not using /dev/urandom, and have the same inconsistent behavior with the chroot /dev/random present.

--
Jack Tavares
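Jack's mknod step recreates the host's /dev/random inside the chroot by copying its major and minor numbers by hand, and then compares the result with ls -lL by eye. The Python check below is an added example, not from the thread or from BIND: it reads both nodes with os.stat and reports any difference in node type, major:minor, or other-readability (named runs unprivileged, so a root-owned node needs the other-read bit that -m644 grants). It catches a mistyped mknod argument; it does not answer the post's open question of whether the node should be there at all. /var/named in the usage line is Jack's jail path; the function takes any jail root, and the dictionaries in the self-test are constructed.

```python
import os
import stat


def describe_device(path):
    """Node type, major/minor and permission bits of a device node, or None if absent.
    Follows symlinks, like `ls -lL`."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    if stat.S_ISCHR(st.st_mode):
        kind = "char"
    elif stat.S_ISBLK(st.st_mode):
        kind = "block"
    else:
        kind = "not-a-device"          # a regular file named 'random' is a classic mistake
    return {
        "kind": kind,
        "major": os.major(st.st_rdev),
        "minor": os.minor(st.st_rdev),
        "mode": stat.S_IMODE(st.st_mode),
    }


def compare_devices(host, jail):
    """List the ways the jail's node differs from the host's; an empty list means consistent."""
    if host is None:
        return ["host device does not exist"]
    if jail is None:
        return ["jail device does not exist"]
    problems = []
    if jail["kind"] != host["kind"]:
        problems.append("node type differs: host %s, jail %s" % (host["kind"], jail["kind"]))
    if (jail["major"], jail["minor"]) != (host["major"], host["minor"]):
        problems.append("major/minor differ: host %d:%d, jail %d:%d"
                        % (host["major"], host["minor"], jail["major"], jail["minor"]))
    # An unprivileged named reads a root-owned node through the 'other' bits.
    if not jail["mode"] & stat.S_IROTH:
        problems.append("jail node is not readable by others (mode %04o)" % jail["mode"])
    return problems


def check_jail_device(jail_root, name="random"):
    """Compare /dev/<name> on the host with <jail_root>/dev/<name>."""
    host = describe_device(os.path.join("/dev", name))
    jail = describe_device(os.path.join(jail_root, "dev", name))
    return compare_devices(host, jail)


if __name__ == "__main__":
    # Jack's jail path from the post; adjust to your own chroot.
    for dev in ("random", "null"):
        problems = check_jail_device("/var/named", dev)
        print(dev + ":", "ok" if not problems else "; ".join(problems))
```

Because the comparison is against the live host node rather than against remembered numbers, it stays correct on a system where the random device has a different major/minor than Jack's 1:8, and a "not-a-device" result immediately explains a jail in which mknod never ran and a stray file took the name instead.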