multi-master with mysql backend

2011-02-07 Thread fddi

Hello,
I would like to configure a multi-master configuration with 2 hosts and
I have been thinking of mysql as a backend.
Is there any official or semi-official support in bind for using mysql
as backend?

Any kind of documentation on this ?


thank you

Riccardo

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Public Advisory on DNSSEC Failures with New DS Records

2011-02-07 Thread Stephane Bortzmeyer
On Fri, Feb 04, 2011 at 04:11:03PM -0800,
 Larissa Shapiro  wrote 
 a message of 37 lines which said:

> The full advisory is located at:
> 
> https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record

It is no longer a _public_ advisory.

The above URL redirects to
...

Bug or deliberate decision?


Re: Public Advisory on DNSSEC Failures with New DS Records

2011-02-07 Thread Cathy Almond
Stephane,

It looks like something went awry on the website.  We've fixed it.
Thanks for the heads-up.

Cathy

On 07/02/11 08:49, Stephane Bortzmeyer wrote:
> On Fri, Feb 04, 2011 at 04:11:03PM -0800,
>  Larissa Shapiro  wrote 
>  a message of 37 lines which said:
> 
>> The full advisory is located at:
>>
>> https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
> 
> It is no longer a _public_ advisory.
> 
> The above URL redirects to
> ...
> 
> Bug or deliberate decision?


Re: bind makes RRSIG disappear?

2011-02-07 Thread Cathy Almond
Hi Gilles,

You've identified a corner-case bug - the logic is incorrect in the case
where the ACL holds "none" instead of being empty.

There's no compile-time option - but we are treating what you've
reported to us as a bug (RT #23120).  It is currently under
investigation/discussion.

Many thanks for bringing this to our attention.

Cathy


On 07/02/11 07:29, Gilles Massen wrote:
> Mark,
> 
> On 02/06/2011 10:41 PM, Mark Andrews wrote:
>> Mark Andrews writes:
>>>
>>>>> Does your configuration also have an "allow-update" setting
>>>>> (other than "none") for it, maybe only for the instance that
>>>>> is giving you trouble? In that case BIND will take it that you
>>>>> want it to do resigning as the RRSIGs approach expiry.
>>>>
>>>> The only allow-update is in the options section, and none.
>>>
>>> Get rid of the allow-update and allow the default of no acl to work.
>>
>> The test that decides that the zone may need to be re-signed doesn't
>> take the "none;" acl into account.  Currently it is
>> "if (acl != NULL || ssu != NULL)" and should become
>> "if ((acl != NULL && !isnone(acl)) || ssu != NULL)".
> 
> Thanks, this works indeed.
> 
> This raises a few questions, as I'd really like to understand bind's
> behavior:
> 
> - is there any description of exactly how/when Bind assumes signing
> authority over a zone? Or simply where some kind of zone-manipulating
> intelligence kicks in?
> 
> - is it possible to disable this kind of intelligence (possibly at
> compile time)?
> 
> - if not: a config switch (or compile-time option) would really be
> appreciated. The zone option "auto-dnssec off;" did not prevent bind
> from trying to sign the zone.
> 
> Best,
> Gilles
> 
> 


openssl pkcs#11 engine patch

2011-02-07 Thread Emil Natan
Hi,

I am trying to build BIND 9.7.2-P3 with HSM support, needed for DNSSEC, on a CentOS-5
box. Following the documentation (arm97, starting from page 27) I download
the openssl source (0.9.8l) and apply the patch provided with BIND
(bin/pkcs11/openssl-0.9.8l-patch); there are no errors during the "configure" and
"make" phases, but I finish with an openssl that does not support pkcs#11. I
tried to use both the SCA6000 and SoftHSM pkcs#11 providers with no success.
Here is my configure line:

./Configure linux-generic32 -m32 -pthread
--pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so
--pk11-flavor=crypto-accelerator --prefix=/opt/pkcs11/usr

/opt/pkcs11/usr/lib/libpkcs11.so is the pkcs#11 provider shipped with
SCA6000 (actually a copy of the original
/opt/sun/sca6000/lib/libpkcs11_sca.so).
Here is the error I get checking for pkcs#11 support:

/opt/pkcs11/usr/bin/openssl engine pkcs11
27876:error:25066067:DSO support routines:DLFCN_LOAD:could not load the
shared
library:dso_dlfcn.c:162:filename(/opt/pkcs11/usr/lib/engines/libpkcs11.so):
/opt/pkcs11/usr/lib/engines/libpkcs11.so: cannot open shared object file: No
such file or directory
27876:error:25070067:DSO support routines:DSO_load:could not load the shared
library:dso_lib.c:244:
27876:error:260B6084:engine routines:DYNAMIC_LOAD:dso not
found:eng_dyn.c:450:
27876:error:2606A074:engine routines:ENGINE_by_id:no such
engine:eng_list.c:419:id=pkcs11

/opt/pkcs11/usr/lib/engines/libpkcs11.so should be the pkcs#11 engine if I
understand this correctly, but it is not created. I checked all components
are 32-bit and there is no mixing of 32 and 64-bit objects as proposed in
README.pkcs11.

If I go further and build BIND as described in the ARM, when I try to create keys
using the pkcs11-keygen tool I get:

/chroot/named/sbin/pkcs11-keygen -b 1024 -l ksk
C_Initialize: Error = 0x00FF

Has someone got this working?

The output of the configure command is attached.

Thanks.

ena


configure_output.txt.gz
Description: GNU Zip compressed data

Re: bind makes RRSIG disappear?

2011-02-07 Thread Evan Hunt
> Thanks, this works indeed.
> 
> This raises a few questions, as I'd really like to understand bind's
> behavior:
> 
> - is there any description of exactly how/when Bind assumes signing
> authority over a zone? Or simply where some kind of zone-manipulating
> intelligence kicks in?
> 
> - is it possible to disable this kind of intelligence (possibly at
> compile time)?
> 
> - if not: a config switch (or compile-time option) would really be
> appreciated. The zone option "auto-dnssec off;" did not prevent bind
> from trying to sign the zone.

BIND will try to maintain the signatures in a zone if the zone is
configured to be dynamic, i.e., if it has an update-policy or allow-update
option.  It won't create signatures where there were none, but it will try
to keep existing RRSIGs up to date for you.

In this case, there's a bug where it thinks "update-policy { none; };"
counts as an update-policy statement.  So, the zone isn't dynamic and
shouldn't be re-signed, but named was confused and thought it was and
should.  This will be fixed in future releases.

The "auto-dnssec" option relates to automated changes based on timing
metadata stored with the key.  For example, you can schedule a key to be
published on a certain date, and named will insert the DNSKEY record into
the zone at the right time; or, you can schedule a key to become active,
and named will start signing with it.  But routine RRSIG maintenance
happens in *any* dynamic zone, with or without "auto-dnssec".

Having RRSIGs disappear from a zone when there's no private key available
for re-signing is probably a problem (at least, it would seem to violate
the principle of least astonishment).  I'll look into that.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: bind makes RRSIG disappear?

2011-02-07 Thread Gilles Massen

Evan,

Thanks for outlining this - it's much clearer now.

> BIND will try to maintain the signatures in a zone if the zone is
> configured to be dynamic--i.e, if it has an update-policy or allow-update
> option.  It won't create signatures where there were none, but it will try
> to keep existing RRSIGs up to date for you.

Not that I would need it, but doesn't this prevent someone from
dynamically updating (including signatures) a signed zone?

> The "auto-dnssec" option relates to automated changes based on timing
> metadata stored with the key.  For example, you can schedule a key to be
> published on a certain date, and named will insert the DNSKEY record into
> the zone at the right time; or, you can schedule a key to become active,
> and named will start signing with it.  But routine RRSIG maintenance
> happens in *any* dynamic zone, with or without "auto-dnssec".
>
> Having RRSIGs disappear from a zone when there's no private key available
> for re-signing is probably a problem (at least, it would seem to violate
> the principle of least astonishment).  I'll look into that.

I'd see this as a symptom: I would really prefer if this kind of magic
only kicked in if explicitly enabled. Or, if that's not possible for
usability reasons, have a config switch like "don't touch my data - ever".


Best,
Gilles

--
Fondation RESTENA




Re: bind makes RRSIG disappear?

2011-02-07 Thread Evan Hunt
> >BIND will try to maintain the signatures in a zone if the zone is
> >configured to be dynamic--i.e, if it has an update-policy or allow-update
> >option.  It won't create signatures where there were none, but it will try
> >to keep existing RRSIGs up to date for you.
> 
> Not that I would need it, but doesn't this prevent someone from 
> dynamically updating (including signatures) a signed zone?

The reasoning is that if the zone is dynamic and named can see your private
key, then that's a hint that you would like named to keep your signatures
from expiring.  (Because after all, why wouldn't you?)

But, even if the zone is dynamic, if named can't see the private key, then
it should leave your RRSIGs alone.  If that's not how it's behaving, that's
a bug, and we'll address it very soon.

> I'd see this as a symptom: I would really prefer if this kind of magic 
> only kicked in if explicitly enabled. Or, if that's not possibly for 
> usability reason, have a config switch like "don't touch my data - ever".

I agree that option would be a good thing to have.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
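The practical lesson of this thread is that named may treat a zone as dynamic and start (or stop) maintaining its RRSIGs without the operator asking for it, so a defender wants an external check that signatures are still present and not about to expire. The following is an added example, not code from the thread or from ISC: it parses a constructed zone snippet in presentation format (the SAMPLE string, what a zone dump or `dig +dnssec` would show) and reports every RRset whose covering RRSIG is missing, expired, not yet valid, or within a warning window of expiry. The RRSIG for the A RRset has been left out of the sample on purpose to mimic the "RRSIG disappears" symptom; NOW is pinned so the run is reproducible, and all function and record names are my own.

```python
"""Audit a DNSSEC-signed zone snapshot for RRsets whose RRSIGs are missing,
expired, not yet valid, or close to expiry.

Added example, not code from the thread or from ISC.  SAMPLE is a constructed
zone snippet in presentation format; the RRSIG covering the A RRset has been
omitted on purpose.  NOW is a fixed "current time" so the run is reproducible.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE = """\
; constructed sample, not real zone data
example.org.     3600 IN SOA   ns1.example.org. hostmaster.example.org. 2011020701 7200 3600 1209600 3600
example.org.     3600 IN RRSIG SOA 8 2 3600 20110301000000 20110201000000 12345 example.org. c2lnMQ==
example.org.     3600 IN NS    ns1.example.org.
example.org.     3600 IN RRSIG NS 8 2 3600 20110210120000 20110201000000 12345 example.org. c2lnMg==
www.example.org. 3600 IN A     192.0.2.10
"""

# Fixed "current time" for the sample run (constructed).
NOW = datetime(2011, 2, 7, tzinfo=timezone.utc)


def parse_records(text):
    """Yield (owner, rtype, rdata_fields) from one-record-per-line input.

    Expects the common form: owner TTL class type rdata.  Comment lines
    (starting with ';') and blank lines are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        yield fields[0].lower(), fields[3].upper(), fields[4:]


def rrsig_time(stamp):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp (RFC 4034 presentation) as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit_signatures(text, now=NOW, warn_within=timedelta(days=7)):
    """Return findings as (status, owner, rtype, expiry) tuples, sorted by name.

    status is MISSING (no RRSIG covers the RRset), EXPIRED (the longest-lived
    covering RRSIG has already expired), NOT_YET_VALID (its inception lies in
    the future) or EXPIRING (it expires within warn_within).  RRSIG RRsets
    are never signed themselves, so they are not audited.
    """
    rrsets = set()
    sigs = defaultdict(list)
    for owner, rtype, rdata in parse_records(text):
        if rtype == "RRSIG":
            # RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig
            covered = rdata[0].upper()
            sigs[(owner, covered)].append((rrsig_time(rdata[5]), rrsig_time(rdata[4])))
        else:
            rrsets.add((owner, rtype))

    findings = []
    for owner, rtype in sorted(rrsets):
        covering = sigs.get((owner, rtype))
        if not covering:
            findings.append(("MISSING", owner, rtype, None))
            continue
        # Judge by the signature that lives longest: during a rollover several
        # valid RRSIGs may cover the same RRset.
        inception, expiry = max(covering, key=lambda pair: pair[1])
        if expiry <= now:
            findings.append(("EXPIRED", owner, rtype, expiry))
        elif inception > now:
            findings.append(("NOT_YET_VALID", owner, rtype, expiry))
        elif expiry - now < warn_within:
            findings.append(("EXPIRING", owner, rtype, expiry))
    return findings


if __name__ == "__main__":
    for status, owner, rtype, expiry in audit_signatures(SAMPLE):
        print(f"{status:14} {owner} {rtype} {expiry.isoformat() if expiry else ''}")
```

Run against the sample it reports the NS RRset as EXPIRING (its RRSIG ends 3.5 days after NOW) and the www A RRset as MISSING; the SOA signature is fine. Feeding it a periodic dump of a production zone, with `now` left at the real clock, is enough to notice the kind of silent signature loss described above before resolvers start failing validation.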


Re: multi-master with mysql backend

2011-02-07 Thread pyh
fddi writes:

> Hello,
> I would like to configure a multi-master configuration with 2 hosts and I
> have been thinking of mysql as a backend.
> Is there any official or semi-official support in bind for using mysql as
> backend?
> Any kind of documentation on this?

Try google with "bind dlz".
Enabling mysql with bind gets bad performance, in my experience.


Regards.