Re: "broken trust chain" for non-existing AAAA records

2010-12-01 Thread lst_hoe02

Quoting Mark Andrews:



Is this still with BIND 9.7.0-P1 or something more recent?  If it
is still BIND 9.7.0-P1 then please upgrade.  There really is no
point debugging validation failures in BIND 9.7.0-P1 anymore as the
validator has had really extensive changes since then.


Okay, compiled and installed BIND 9.7.2-P2 from source. We still have
many "broken trust chain" errors in the logs; at first glance I would say
even more. Is it possible by any means that this error is thrown
because of a timeout at some stage of processing?
Many of the "broken trust chain" errors resolve fine some seconds
later, and this would explain why most of the errors are for   queries,
as these are much slower on average. Can someone with code insight
confirm?


Regards

Andreas




___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

clarification on SOA

2010-12-01 Thread rams
Hi,

I have one SOA record as follows in zone.

qa.com.   86400   IN SOA ramesh.com. qa.com. (
2009111903 ; serial
10800  ; refresh (3 hours)
3600   ; retry (1 hour)
2592000; expire (4 weeks 2 days)
300  ; minimum (1 day)
)

I queried for a non-existent domain against BIND. BIND is returning the SOA record
with 300 as the TTL value. Is it correct? Because in my zone, the SOA has an 86400
TTL.

Please clarify this for me.

Thanks & Regards,
ramesh

Re: clarification on SOA

2010-12-01 Thread Karl Auer
On Wed, 2010-12-01 at 19:05 +0530, rams wrote:
> I have one SOA record as follows in zone.
> 
> qa.com.   86400   IN SOA ramesh.com. qa.com. (
> 2009111903 ; serial
> 10800  ; refresh (3 hours)
> 3600   ; retry (1 hour)
> 2592000; expire (4 weeks 2 days)
> 300  ; minimum (1 day)
> )
> 
> I queried for a non-existent domain against BIND. BIND is returning the SOA
> record with 300 as the TTL value. Is it correct? Because in my zone, the SOA
> has an 86400 TTL.
> 
For NXDOMAIN, the TTL returned will be the lower value of the SOA TTL
and NCACHE/MINIMUM. So in this case, 300 seconds.

See RFC mumblemumble. I know this through being comprehensively
ejumacated on this very list because I thought the SOA TTL had to be
zero...

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF


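As an added illustration of the rule Karl states (not code from the thread), the following Python parses the SOA record from the question and derives the TTL that will sit on the SOA in the NXDOMAIN authority section, per RFC 2308. The zone text is a constructed copy of the record above; the function names are my own.

```python
"""Negative-caching TTL of an NXDOMAIN reply, per RFC 2308 sections 3 and 5.

Added example, not code from the thread. It parses the SOA record quoted in
the question and derives the TTL carried by the SOA in the authority section
of the NXDOMAIN answer: the lesser of the SOA RR's TTL and its MINIMUM field.
"""

# Constructed copy of the record from the question, in master-file syntax.
# (300 seconds is five minutes; the "(1 day)" remark in the question is stale.)
ZONE_SOA = """\
qa.com.   86400   IN SOA ramesh.com. qa.com. (
2009111903 ; serial
10800  ; refresh (3 hours)
3600   ; retry (1 hour)
2592000; expire (4 weeks 2 days)
300  ; minimum (1 day)
)
"""

def strip_comments(text):
    """Drop ';' comments, which in master files run to end of line."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())

def parse_soa(text):
    """Parse one SOA RR (optionally in the parenthesised multi-line form)."""
    tokens = strip_comments(text).replace("(", " ").replace(")", " ").split()
    # owner ttl class type mname rname serial refresh retry expire minimum
    if len(tokens) != 11 or tokens[2].upper() != "IN" or tokens[3].upper() != "SOA":
        raise ValueError("unsupported SOA syntax: %r" % (tokens,))
    return {
        "owner": tokens[0], "ttl": int(tokens[1]),
        "mname": tokens[4], "rname": tokens[5],
        "serial": int(tokens[6]), "refresh": int(tokens[7]), "retry": int(tokens[8]),
        "expire": int(tokens[9]), "minimum": int(tokens[10]),
    }

def negative_ttl(soa):
    """RFC 2308 section 3: a negative answer is cached for the lesser of the
    SOA MINIMUM field and the SOA RR's own TTL, and the SOA returned in the
    authority section carries exactly that value."""
    return min(soa["ttl"], soa["minimum"])

def authority_soa_line(soa):
    """The SOA as dig would print it from the NXDOMAIN authority section."""
    return "%s %d IN SOA %s %s %d %d %d %d %d" % (
        soa["owner"], negative_ttl(soa), soa["mname"], soa["rname"],
        soa["serial"], soa["refresh"], soa["retry"], soa["expire"], soa["minimum"])
```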

Re: clarification on SOA

2010-12-01 Thread Matus UHLAR - fantomas
On 01.12.10 19:05, rams wrote:
> I have one SOA record as follows in zone.
> 
> qa.com.   86400   IN SOA ramesh.com. qa.com. (
> 2009111903 ; serial
> 10800  ; refresh (3 hours)
> 3600   ; retry (1 hour)
> 2592000; expire (4 weeks 2 days)
> 300  ; minimum (1 day)
> )
> 
> I queried for a non-existent domain against BIND. BIND is returning the SOA record
> with 300 as the TTL value. Is it correct? Because in my zone, the SOA has an 86400
> TTL.

It's correct: in the case of NXDOMAIN responses, the TTL is set to the value of the SOA
minimum, which is 300 in this case.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)


Re: clarification on SOA

2010-12-01 Thread Emanuele (aka Skull)
On 12/1/10 2:35 PM, rams wrote:
> Hi,
> 
> I have one SOA record as follows in zone.
> 
> qa.com.   86400   IN SOA ramesh.com. qa.com. (
> 2009111903 ; serial
> 10800  ; refresh (3 hours)
> 3600   ; retry (1 hour)
> 2592000; expire (4 weeks 2 days)
> 300  ; minimum (1 day)
> )
> 
> I queried for a non-existent domain against BIND. BIND is returning the SOA
> record with 300 as the TTL value. Is it correct? Because in my zone, the SOA
> has an 86400 TTL.
> 
> Please clarify this for me.

See RFC 2308.

-- 
Paranoia is a disease unto itself. And may I add: the person standing
next to you may not be who they appear to be, so take precaution.
-
http://bofhskull.wordpress.com/


US DNSSEC Key

2010-12-01 Thread John Williams
I'm being told there is an RSA verification failure on the .US domain.  I'm 
getting details from the following:  http://dnsviz.net/d/us/dnssec/  I have a 
signed zone under us.  How does this affect my domain and other signed zones 
under .US?



  


Re: US DNSSEC Key

2010-12-01 Thread lst_hoe02

Quoting John Williams:


I'm being told there is an RSA verification failure on the .US domain.  I'm
getting details from the following:  http://dnsviz.net/d/us/dnssec/  I have a
signed zone under us.  How does this affect my domain and other signed zones
under .US?



As far as I know you are only affected if the DS pointing to your zone  
is validated by the invalid DNSKEY...

But I'm just at the beginning of learning DNSSEC.

Regards

Andreas




BIND 9.7.2-P3, 9.6.2-P3, 9.6-ESV-R3 and 9.4-ESV-R4 are now available

2010-12-01 Thread Sue Graves
We've published four releases that contain various security and bug fixes.
The detailed Security Advisories are located at:
http://www.isc.org/advisories

Guidance as to recommended upgrades is available at:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

BIND 9.7.2-P3 Release Note
http://ftp.isc.org/isc/bind9/9.7.2-P3/RELEASE-NOTES-BIND-9.7.2-P3.txt

BIND 9.6.2-P3 Release Note
http://ftp.isc.org/isc/bind9/9.6.2-P3/RELEASE-NOTES-BIND-9.6.2-P3.txt

BIND 9.6-ESV-R3 Release Note
http://ftp.isc.org/isc/bind9/9.6-ESV-R3/RELEASE-NOTES-BIND-9.6-ESV-R3.txt

BIND 9.4-ESV-R4 Release Note
http://ftp.isc.org/isc/bind9/9.4-ESV-R4/RELEASE-NOTES-BIND-9.4-ESV-R4.txt

DOWNLOADS are available from our website or ftp site:

9.4-ESV-R4
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4/bind-9.4-ESV-R4.tar.gz
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4/BIND9.4-ESV-R4.debug.zip
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4/BIND9.4-ESV-R4.zip

9.6-ESV-R3
ftp://ftp.isc.org/isc/bind9/9.6-ESV-R3/bind-9.6-ESV-R3.tar.gz
ftp://ftp.isc.org/isc/bind9/9.6-ESV-R3/BIND9.6-ESV-R3.debug.zip
ftp://ftp.isc.org/isc/bind9/9.6-ESV-R3/BIND9.6-ESV-R3.zip

9.6.2-P3
ftp://ftp.isc.org/isc/bind9/9.6.2-P3/bind-9.6.2-P3.tar.gz
ftp://ftp.isc.org/isc/bind9/9.6.2-P3/BIND9.6.2-P3.debug.zip
ftp://ftp.isc.org/isc/bind9/9.6.2-P3/BIND9.6.2-P3.zip

9.7.2-P3
ftp://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz
ftp://ftp.isc.org/isc/bind9/9.7.2-P3/BIND9.7.2-P3.debug.zip
ftp://ftp.isc.org/isc/bind9/9.7.2-P3/BIND9.7.2-P3.zip


Re: US DNSSEC Key

2010-12-01 Thread Casey Deccio
On Wed, Dec 1, 2010 at 7:36 AM, John Williams  wrote:
> I'm being told there is an RSA verification failure on the .US domain.  I'm
> getting details from the following:  http://dnsviz.net/d/us/dnssec/  I have a
> signed zone under us.  How does this affect my domain and other signed zones
> under .US?
>

It shouldn't affect things, as it is currently configured, since the
invalid signature is not a necessary link in the chain of trust.  The
SEP key (id=2058) matching the DS RRs properly authenticates the
DNSKEY RRset, so the signature covering the DNSKEY RRset made by key
23777 is irrelevant.

However, the fact that the signature is invalid might raise some
eyebrows, as it might be a symptom of something else that may cause
errors in the future.  The .us support is probably the right group to
ask about it.

Casey
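Casey's point, that only the RRSIG made by a DS-matched key is load-bearing, can be checked mechanically. The Python below is an added example, not code from dnsviz or the thread: key tags (RFC 4034 Appendix B) and DS digests (RFC 4034 section 5.1.4) are computed for real over constructed keys, the RSA check itself is replaced by a verdict callback, and the key material, owner name and function names are my own rather than the real .US data.

```python
"""Which RRSIG over a DNSKEY RRset is load-bearing, per RFC 4034/4035.

Added example, not code from dnsviz or the thread. Key tags (RFC 4034
Appendix B) and DS digests (RFC 4034 section 5.1.4, digest type 2) are
computed for real; the RSA verification itself is replaced by a verdict
callback, since the point is the chain logic. Keys and names are constructed.
"""
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the 'id=' number dnsviz and dig print)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def dnskey_rrset_authenticated(owner, dnskeys, parent_ds, rrsig_tags, verify):
    """One chain-of-trust step (RFC 4035 sections 5.2 and 5.3, simplified).

    dnskeys:     DNSKEY RDATA values in the child's apex RRset
    parent_ds:   set of DS digests (hex) the parent publishes for the child
    rrsig_tags:  key tags of the RRSIGs covering the DNSKEY RRset
    verify:      callable(key_tag) -> bool, the signature verdict per RRSIG

    The RRset is authenticated as soon as one RRSIG was made by a key that
    matches a parental DS and that signature verifies; every other RRSIG,
    valid or broken, is irrelevant to the chain.
    """
    ds_matched = {key_tag(k) for k in dnskeys if ds_digest(owner, k) in parent_ds}
    return any(tag in ds_matched and verify(tag) for tag in rrsig_tags)

# Constructed keys: filler bytes, not real RSA material. Flags 257 = SEP bit set.
OWNER = "us."
KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))      # DS-matched key
ZSK = dnskey_rdata(256, 3, 8, bytes(range(64, 0, -1)))  # not referenced by any DS
PARENT_DS = {ds_digest(OWNER, KSK)}

def example_verdict():
    """The situation in the thread, in miniature: a broken RRSIG by a key no
    DS points at, and a good RRSIG by the DS-matched key."""
    verdicts = {key_tag(KSK): True, key_tag(ZSK): False}
    return dnskey_rrset_authenticated(OWNER, [KSK, ZSK], PARENT_DS,
                                      [key_tag(ZSK), key_tag(KSK)], verdicts.__getitem__)
```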


Re: DNSSEC with 9.7.2-P2

2010-12-01 Thread David Forrest

On Tue, 16 Nov 2010, Mark Andrews wrote:



Isn't it sufficient to configure the root trust anchor inside the "managed-keys {};"
statement? If I understand correctly the key should be automatically
updated, shouldn't it?


For 9.7 yes.



I just updated to 9.7.2-P3 and got this message on start:
Dec  1 10:52:01 maplepark named[20356]: starting BIND 9.7.2-P3 -u named
Dec  1 10:52:01 maplepark named[20356]: built with defaults
Dec  1 10:52:01 maplepark named[20356]: using up to 4096 sockets
Dec  1 10:52:01 maplepark named[20356]: loading configuration from '/etc/named.conf'
Dec  1 10:52:01 maplepark named[20356]: reading built-in trusted keys from file '/etc/bind.keys'

I had removed that file for -P2 but the sudo make install of -P3 re-wrote it:
[...@maplepark:~/src/bind-9.7.2-P3]$grep bind.keys typescript 
/usr/bin/install -c -m 644 ./bind.keys /etc

so it is back.


I do have a managed-keys statement in my named.conf:
managed-keys {
  "." initial-key 257 3 8 
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";

};

and it seems to run OK so far.

My question is whether the built-in trusted keys (/etc/bind.keys) is 
necessary or not in 9.7.2-P3.  I am assuming it is as the make step set it 
up.


Dave
--
David Forrest e-mail drf @ maplepark.com
Maple Park Development Corporation  http://xen.maplepark.com
St. Louis, Missouri(Sent by ALPINE 2.01 FEDORA 11 LINUX)


Re: DNSSEC with 9.7.2-P2

2010-12-01 Thread lst_hoe02


It is a DLV needed as a trust anchor until DNSSEC is chained from the  
DNS root downwards. See http://www.isc.org/solutions/dlv for details.


Regards

Andreas




Dynamic DNS with secondary nameserver?

2010-12-01 Thread Sean Thomas Caron

Hi folks,

We have an ISC DHCP server here feeding dynamic DNS updates to a BIND  
9 machine and it has generally been working fine.


Now I am trying to add a slave nameserver to the zone and it works  
fine for the static hosts but none of the dynamic DNS updates seem to  
propagate to the slave.


On the master, I have the dynamic sub-domain configured as follows:

zone "ddns.sph.umich.edu" in {
type master;
file "/etc/bind/ddns.sph.umich.edu.hosts";
notify yes;
allow-update { key dhcpupdate; };
};

This works great; the DHCP server feeds updates to the primary DNS  
server, no problem.


On the slave, I set it up as so:

zone "ddns.sph.umich.edu" in {
type slave;
masters { 141.211.51.166; };
notify no;
file "/etc/bind/ddns.sph.umich.edu.hosts";
};

When a host comes up on DHCP, the primary server picks it up fine:


> server 141.211.51.166
Default server: 141.211.51.166
Address: 141.211.51.166#53
> sph-2006-0090-test.ddns.sph.umich.edu
Server:         141.211.51.166
Address:        141.211.51.166#53

Name:   sph-2006-0090-test.ddns.sph.umich.edu
Address: 141.211.11.190
sph-2006-0090-test.ddns.sph.umich.edu   text = "31ce446f626045a4f8fe4933f448b613c6"

But it never seems to propagate over to the slave:


> server 141.211.51.66
Default server: 141.211.51.66
Address: 141.211.51.66#53
> sph-2006-0090-test.ddns.sph.umich.edu
Server:         141.211.51.66
Address:        141.211.51.66#53

** server can't find sph-2006-0090-test.ddns.sph.umich.edu.sph.umich.edu: SERVFAIL

I used 'rndc freeze' on the DDNS sub-domain then edited the zone file  
to have a really short refresh interval:


ddns.sph.umich.edu  IN SOA  dns.sph.umich.edu. hostmaster.sph.umich.edu. (
2007024409 ; serial
3600   ; refresh (1 hour)
1800   ; retry (30 minutes)
2419200; expire (4 weeks)
86400  ; minimum (1 day)
)


Then re-enabled it with 'rndc unfreeze' but it still doesn't seem to  
have made a difference. Even after waiting an hour, the additions to  
the dynamic DNS zone never propagate to the slave. I'm not even sure  
if those values are honored when dynamic DNS is enabled.


Most sites that I have seen discussing dynamic DNS only use one DNS  
server, so I am not exactly sure how this should be set up, or if this  
was ever intended to work this way. Is it possible? Or should I just  
make only the master a NS for the dynamic subdomain and leave the  
slave for static stuff only?


I feel like if it was going to work, I have it set up correctly.

Thanks,

-Sean




Re: Dynamic DNS with secondary nameserver?

2010-12-01 Thread Sten Carlsen
How did you tell the primary server who to notify?

It should be listed in an NS RR. You can also look at the also-notify
option.

Is the slave allowed to transfer the zone? If not, even a notify will not
work.



-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Dynamic DNS with secondary nameserver?

2010-12-01 Thread Niall O'Reilly
On 01/12/10 20:09, Sean Thomas Caron wrote:
> ** server can't find
> sph-2006-0090-test.ddns.sph.umich.edu.sph.umich.edu: SERVFAIL

With NOTIFY enabled on master and slave, what you are
trying to do should "just work".

Do you mean to have ".sph.umich.edu" repeated?
If not, something is confused, and tracking it
down will be useful.  Perhaps a trailing dot is
inadvertently omitted.  Experience is not always
enough to protect one from this error, as I know.
8-)

Apart from that, what serial number is active on
each server, and what's showing in your logs?

With default logging (I've never done any tuning),
the master should have log entries like this:

sending notifies (serial xx)

On the slave, you should see corresponding ones:

received notify for zone

IHTH

Niall O'Reilly


Re: Dynamic DNS with secondary nameserver?

2010-12-01 Thread Sean Thomas Caron

Hi Sten,

Thanks for the response; you made me re-think the issue in such a way  
that I ended up solving the problem (I think).


I was going to copy and paste the NS definitions in the main zone file  
to show how I had defined the two nameservers for the subdomain and  
found that I had missed a period in there.


ddns.sph.umich.edu. IN  NS  ns2.sph.umich.edu.
  ^ forgot this!

I also had to rndc freeze the dynamic subdomain, go back into the zone  
file for the subdomain, and add the slave nameserver in there as well:


ddns.sph.umich.edu  IN SOA  dns.sph.umich.edu. hostmaster.sph.umich.edu. (
2007024415 ; serial
3600   ; refresh (1 hour)
1800   ; retry (30 minutes)
2419200; expire (4 weeks)
86400  ; minimum (1 day)
)
NS  dns.sph.umich.edu.
NS  ns2.sph.umich.edu.
^ added this line.

I was a little confused because the dynamic subdomain has been split  
off into a different file from the main zone file, and I erroneously  
assumed that the DDNS subdomain would "inherit" the NS records defined  
for the parent zone. I have limited experience with DDNS, so I wasn't sure how  
much of that ddns.sph.umich.edu.hosts file was actually being used and  
how much of the magic was in the journal file.


So I will continue to monitor this but I think I am all set now; sorry  
to trouble everyone with this query. Indeed it works with slaves, as  
one would expect, as long as you watch the typos and keep your files  
straight!


Best,

-Sean


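Sean's fix came down to a missing trailing dot and a missing NS record. The following added example (not code from the thread or from BIND) applies the master-file relative-name rule and computes the NOTIFY target set the way Sten's reply describes it: apex NS records minus the SOA MNAME, plus also-notify. The zone text is constructed on the thread's names, the parser and function names are my own, and it also handles `$ORIGIN`, which the thread does not use.

```python
"""Why a forgotten trailing dot keeps a slave out of the NOTIFY set.

Added example modelled on the thread above, not code from it or from BIND.
It applies the master-file rule that a name without a trailing dot is
relative to the current origin, then derives the servers a master NOTIFYs:
apex NS targets other than the SOA MNAME, plus also-notify entries.
"""

RR_TYPES = {"SOA", "NS", "A", "AAAA", "TXT", "CNAME", "PTR", "MX"}

def absolutize(name, origin):
    """'@' is the origin; a trailing dot makes a name absolute; anything else
    gets the origin appended (RFC 1035 section 5.1)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." + origin).lower()

def logical_records(zone_text):
    """Yield one token list per record, folding '( ... )' continuation lines
    and dropping ';' comments."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        toks = raw.split(";", 1)[0].replace("(", " ( ").replace(")", " ) ").split()
        for tok in toks:
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth == 0 and buf:
            yield buf
            buf = []

def parse_zone(zone_text, origin):
    """Minimal master-file parser returning (owner, type, rdata_tokens) tuples.
    The owner is inherited when a line starts with a TTL, class or type; the
    name fields of SOA/NS/CNAME/PTR RDATA are absolutized like owners. (An
    owner literally spelled like an RR type is not supported.)"""
    origin = origin.lower() if origin.endswith(".") else origin.lower() + "."
    recs, owner = [], origin
    for toks in logical_records(zone_text):
        if toks[0] == "$ORIGIN":
            origin = absolutize(toks[1], origin)
            continue
        head = toks[0].upper()
        if not (head in RR_TYPES or head == "IN" or head.isdigit()):
            owner = absolutize(toks.pop(0), origin)
        while toks[0].upper() == "IN" or toks[0].isdigit():
            toks.pop(0)                                  # skip class and TTL
        rtype = toks.pop(0).upper()
        n_names = {"SOA": 2, "NS": 1, "CNAME": 1, "PTR": 1}.get(rtype, 0)
        rdata = [absolutize(t, origin) if i < n_names else t for i, t in enumerate(toks)]
        recs.append((owner, rtype, rdata))
    return recs

def notify_targets(recs, zone, also_notify=()):
    """Who a BIND master NOTIFYs by default: every apex NS target except the
    SOA MNAME (taken to be the master itself), plus also-notify entries.
    NS targets are names, also-notify entries are addresses; both are returned."""
    zone = zone.lower() if zone.endswith(".") else zone.lower() + "."
    mname = next(r[2][0] for r in recs if r[0] == zone and r[1] == "SOA")
    ns_targets = {r[2][0] for r in recs if r[0] == zone and r[1] == "NS"}
    return (ns_targets - {mname}) | set(also_notify)

# Constructed apex records modelled on the thread: the second NS target lacks
# its trailing dot, so it is silently read as relative to the origin.
BROKEN_APEX = """\
$ORIGIN ddns.sph.umich.edu.
@   IN SOA  dns.sph.umich.edu. hostmaster.sph.umich.edu. (
        2007024409 ; serial
        3600       ; refresh
        1800       ; retry
        2419200    ; expire
        86400      ; minimum
        )
    NS  dns.sph.umich.edu.
    NS  ns2.sph.umich.edu      ; trailing dot forgotten
"""
FIXED_APEX = BROKEN_APEX.replace("ns2.sph.umich.edu ", "ns2.sph.umich.edu. ")

def example():
    """Returns the (broken, fixed) NOTIFY sets for the constructed zone."""
    zone = "ddns.sph.umich.edu"
    return (notify_targets(parse_zone(BROKEN_APEX, zone), zone),
            notify_targets(parse_zone(FIXED_APEX, zone), zone))
```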

Last transfer time?

2010-12-01 Thread Chip Marshall
Just curious if there's an official and accurate way to
determine the last successful transfer time of a slave zone from
a BIND server.

-- 
Chip Marshall 
http://weblog.2bithacker.net/  KB1QYWPGP key ID 43C4819E
v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM


Re: Last transfer time?

2010-12-01 Thread Nuno Paquete
Just check the logs.

On 1 Dec 2010, at 20:45, "Chip Marshall"  
wrote:

> Just curious if there's an official and accurate way to
> determine the last successful transfer time of a slave zone from
> a BIND server.
> 
> -- 
> Chip Marshall 
> http://weblog.2bithacker.net/  KB1QYWPGP key ID 43C4819E
> v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM
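Nuno's suggestion in concrete form: an added example (not ISC code) that extracts the last successful inbound transfer per zone from xfer-in log lines. The log lines are constructed but follow the shape of BIND 9's "transfer of ... Transfer completed" and "... failed ..." messages with the file-channel timestamp; the stale-zone check and all function names are my own.

```python
"""Last successful inbound zone transfer per zone, from BIND's xfer-in log.

Added example, not ISC code. The sample lines are constructed but use the
shape of BIND 9's xfer-in messages and the file-channel timestamp format
(print-time, print-category and print-severity on).
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
01-Dec-2010 03:10:02.117 xfer-in: info: transfer of 'example.test/IN' from 192.0.2.1#53: Transfer completed: 1 messages, 12 records, 310 bytes, 0.004 secs (77500 bytes/sec)
01-Dec-2010 09:45:40.552 xfer-in: error: transfer of 'example.test/IN' from 192.0.2.1#53: failed while receiving responses: REFUSED
01-Dec-2010 11:20:07.003 xfer-in: info: transfer of 'ddns.example.test/IN' from 192.0.2.1#53: Transfer completed: 1 messages, 4 records, 150 bytes, 0.002 secs (75000 bytes/sec)
01-Dec-2010 20:45:12.345 xfer-in: info: transfer of 'example.test/IN' from 192.0.2.1#53: Transfer completed: 1 messages, 13 records, 344 bytes, 0.003 secs (114666 bytes/sec)
"""

TS_FORMAT = "%d-%b-%Y %H:%M:%S"
LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"(?:xfer-in: \w+: )?"                               # present only when printed
    r"transfer of '(?P<zone>[^/']+)/(?P<class>[A-Z]+)' from (?P<master>\S+): "
    r"(?P<outcome>Transfer completed|failed)"
)

def parse_ts(text):
    """Parse a timestamp in the log's own 'DD-Mon-YYYY HH:MM:SS' layout."""
    return datetime.strptime(text, TS_FORMAT)

def parse_transfers(log_text):
    """Yield (timestamp, zone, master, succeeded) for each transfer line;
    unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield (parse_ts(m.group("ts")), m.group("zone"), m.group("master"),
                   m.group("outcome") == "Transfer completed")

def last_successful_transfer(log_text):
    """zone -> timestamp of its most recent completed transfer. Failures are
    ignored, so a zone that never completed a transfer is absent."""
    latest = {}
    for ts, zone, _master, ok in parse_transfers(log_text):
        if ok and (zone not in latest or ts > latest[zone]):
            latest[zone] = ts
    return latest

def stale_zones(log_text, now, max_age_seconds):
    """Zones seen in the log whose last good transfer is older than
    max_age_seconds (or that never completed one); a simple monitoring check."""
    seen = {zone for _ts, zone, _master, _ok in parse_transfers(log_text)}
    latest = last_successful_transfer(log_text)
    return sorted(z for z in seen
                  if z not in latest
                  or (now - latest[z]).total_seconds() > max_age_seconds)
```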

Re: DNSSEC with 9.7.2-P2

2010-12-01 Thread David Forrest


The startup of named with the built-in trusted keys and my managed-keys 
statement creates two identical separate mkeys files and their mkeys.jnl 
counterparts for the root ".":
-rw-r--r--  1 named users  698 2010-12-01 04:47 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys
-rw-r--r--  1 named users  512 2010-12-01 04:47 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys.jnl
-rw-r--r--  1 named users  698 2010-12-01 04:51 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
-rw-r--r--  1 named users  512 2010-12-01 04:51 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys.jnl


both of which show a key id == 19036

which seems odd.  I do have two views, though, for internal (recursive) 
and external (non-recursive) purposes.


Oh well,  it works as both views seem to authenticate DNSSEC:

[maplepark.com (view: external)]
1044 queries resulted in successful answer
1140 queries resulted in authoritative answer
  17 queries resulted in nxrrset
  79 queries resulted in NXDOMAIN
   5 requested transfers completed
[maplepark.com (view: internal)]
 333 queries resulted in successful answer
1129 queries resulted in authoritative answer
   4 queries resulted in nxrrset
 792 queries resulted in NXDOMAIN

Thanks,
Dave


Query status refused after upgrading from 9.7.2-P2 to 9.7.2-P3

2010-12-01 Thread David S.
Dear All,

My BIND is running on CentOS 5.5 64-bit. I'm getting a problem after
upgrading from 9.7.2-P2 to 9.7.2-P3; see below for the details of my upgrade
process:
1. download bind
2. tar -zxvf bind.xxx
3. sudo ./configure --perfix=/usr/loca/named
4. sudo make
5. sudo make install

After restarting the BIND service, I found that queries from the internet to my
public domain were denied. My BIND is configured using split DNS, and before the
upgrade the BIND service worked very well.

Anyone help me?

-- 
-
--
Best regards,
David
http://blog.pnyet.web.id



Re: Query status refused after upgrading from 9.7.2-P2 to 9.7.2-P3

2010-12-01 Thread Mark Andrews

In message <4cf723ef.4050...@pnyet.web.id>, "David S." writes:
> Dear All,
> 
> My BIND is running on CentOS 5.5 64-bit. I'm getting a problem after
> upgrading from 9.7.2-P2 to 9.7.2-P3; see below for the details of my upgrade
> process:
> 1. download bind
> 2. tar -zxvf bind.xxx
> 3. sudo ./configure --perfix=/usr/loca/named
> 4. sudo make
> 5. sudo make install
> 
> After restarting the BIND service, I found that queries from the internet to my
> public domain were denied. My BIND is configured using split DNS, and before the
> upgrade the BIND service worked very well.
> 
> Anyone help me?

Perhaps an allow-query statement is now working which wasn't before?

Mark

2969.   [security]  Fix acl type processing so that allow-query works
in options and view statements.  Also add a new
set of tests to verify proper functioning.

CVSS: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
CVE-2010-3615, VU#510208. [RT #22418]

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Upgraded to bind 9.5.1-P3

2010-12-01 Thread Stelios Georgi
I've just upgraded my version of BIND on my Solaris 10 servers to 9.5.1-P3, and 
it worked for a week until the TTLs expired after 7 days.
I've restarted the named daemon but it fails to update any of the slave servers. 
It's deemed useless, as currently none of my internal DNS zones are accessible 
via my primary DNS server.

I can conduct an external non-authoritative lookup but all internal 
authoritative responses are failing.

Does anyone have any insight or has experienced this type of problem?

Regards Stel.




Re: Query status refused after upgrading from 9.7.2-P2 to 9.7.2-P3

2010-12-01 Thread David S.
Hi Mark,

Yes, BIND works fine without an allow-query statement in the view.
Here is my named.conf and view:

options {
allow-query { "trusted"; };
};

view "mynetwork" in {
match-clients {"trusted"; };
recursion yes;
allow-transfer { "xfer"; };
additional-from-auth yes;
additional-from-cache yes;

view "internet" in {
match-clients { any; };
recursion no;
allow-transfer { "xfer"; };
additional-from-auth no;
additional-from-cache no;

Do you mean an "allow-query" statement is needed in the view?

--
Best regards,
David
http://blog.pnyet.web.id




Re: Upgraded to bind 9.5.1-P3

2010-12-01 Thread Noel Butler
On Thu, 2010-12-02 at 17:09 +1100, Stelios Georgi wrote:
> I've just upgraded my version of BIND on my Solaris 10 servers to
> 9.5.1-P3, and it worked for a week until the TTLs expired after 7
> days.
> I've restarted the named daemon but it fails to update any of the slave
> servers. It's deemed useless, as currently none of my internal DNS
> zones are accessible via my primary DNS server.
>  
> I can conduct an external non-authoritative lookup but all internal
> authoritative responses are failing.
>  
> Does anyone have any insight or has experienced this type of problem?
>  
> Regards Stel.
>  
>  

Logs are always a good place to start, the daemon log preferably.
Do you run views? 
"rndc trace 9" and tail the output file, then reload the zones; you're best
off looking on a slave of course, since they are the ones that can't update.
Are you prepared to put a domain in a reply? It might help.

Cheers
Noel




Re: Query status refused after upgrading from 9.7.2-P2 to 9.7.2-P3

2010-12-01 Thread Noel Butler
On Thu, 2010-12-02 at 13:15 +0700, David S. wrote:

> Hi Mark,
> 
> Yes, BIND works fine without an allow-query statement in the view.
> Here is my named.conf and view:
> 
> options {
> allow-query { "trusted"; };
> };
> 


Correct


> view "mynetwork" in {
> match-clients {"trusted"; };
> recursion yes;
> allow-transfer { "xfer"; };
> additional-from-auth yes;
> additional-from-cache yes;
> 


zone "foo" {
    allow-query { any; };
};

zone "bar" {
    allow-query { any; };
};

> view "internet" in {
> match-clients { any; };
> recursion no;
> allow-transfer { "xfer"; };
> additional-from-auth no;
> additional-from-cache no;
> 

zone "foo" {
    allow-query { any; };
};

zone "bar" {
    allow-query { any; };
};


Cheers
Noel



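As an added example (not BIND code) of the inheritance Mark's CHANGES entry refers to and of the zone-level override Noel shows, the Python below models how allow-query is resolved for one query: zone, then view, then options, with "any" as the fallback, and the first view in file order whose match-clients covers the client. The ACL contents and client addresses are constructed; the body of the "trusted" ACL is not given in the thread.

```python
"""How BIND resolves allow-query for one query, modelled on the thread above.

Added example, not BIND code. Inheritance is the documented one: a zone's
allow-query overrides the view's, which overrides the one in options, and
the fallback is 'any'. The ACL bodies and client addresses are constructed;
the contents of the 'trusted' ACL are not given in the thread.
"""
import copy
import ipaddress

ACLS = {                                   # acl "trusted" { ... }; is assumed
    "trusted": ["192.0.2.0/24", "127.0.0.1"],
    "any": ["any"],
    "none": [],
}

def acl_matches(acl_name, client_ip):
    """True if client_ip is covered by the named ACL (prefixes, hosts, 'any')."""
    client = ipaddress.ip_address(client_ip)
    for entry in ACLS[acl_name]:
        if entry == "any":
            return True
        if client in ipaddress.ip_network(entry, strict=False):
            return True
    return False

# David's configuration as quoted: allow-query only in options, two views,
# and Noel's zone names "foo" and "bar" in each view.
CONFIG = {
    "options": {"allow-query": "trusted"},
    "views": {                                # file order matters for matching
        "mynetwork": {"match-clients": "trusted",
                      "zones": {"foo": {}, "bar": {}}},
        "internet":  {"match-clients": "any",
                      "zones": {"foo": {}, "bar": {}}},
    },
}

def select_view(config, client_ip):
    """The first view whose match-clients covers the client wins."""
    for name, view in config["views"].items():
        if acl_matches(view["match-clients"], client_ip):
            return name
    return None

def effective_allow_query(config, view_name, zone_name):
    """Most specific allow-query wins: zone, then view, then options, else any."""
    view = config["views"][view_name]
    for scope in (view["zones"][zone_name], view, config["options"]):
        if "allow-query" in scope:
            return scope["allow-query"]
    return "any"

def query_permitted(config, client_ip, zone_name):
    """'OK' or 'REFUSED' for a query from client_ip against zone_name."""
    view_name = select_view(config, client_ip)
    if view_name is None:
        return "REFUSED"
    acl = effective_allow_query(config, view_name, zone_name)
    return "OK" if acl_matches(acl, client_ip) else "REFUSED"

def with_zone_override(config, view_name, zone_name, acl):
    """Noel's change: add allow-query { <acl>; } to one zone in one view."""
    fixed = copy.deepcopy(config)
    fixed["views"][view_name]["zones"][zone_name]["allow-query"] = acl
    return fixed
```

With the options-level ACL now enforced, the "internet" view inherits `trusted` and refuses outside clients until the public zones carry their own `allow-query { any; }`.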