Re: problem for validate the script dnssec to isc dlv
> dns appear as my syncro. > yet I'm still at the same point > missing keys Your delegation for the domain fakessh.eu doesn't seem to be 100% correct yet though. If I ask the nameservers for .eu (like p.nic.eu) it tells me your domain belongs to 4 nameservers: ns0.xname.org ns1.xname.org ns1.novacrea.fr r13151.ovh.net If I ask the first one on that list, ns0.xname.org, it tells me you only have 3 nameservers: ns1.xname.org ns1.novacrea.fra r13151.ovh.net If I try to get a reply from ns1.xname.org it just goes into timeout here: [eivind@vimes ~]$ dig +dnssec ns fakessh.eu @ns1.xname.org ; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @ns1.xname.org ;; global options: +cmd ;; connection timed out; no servers could be reached [eivind@vimes ~]$ If I try to get a reply from r13151.ovh.net I just get a servfail: [eivind@vimes ~]$ dig +dnssec ns fakessh.eu @r13151.ovh.net ; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @r13151.ovh.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53023 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;fakessh.eu.IN NS ;; Query time: 55 msec ;; SERVER: 87.98.186.232#53(87.98.186.232) ;; WHEN: Mon Mar 28 10:02:33 2011 ;; MSG SIZE rcvd: 39 Regards Eivind Olsen eiv...@aminor.no ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
can I set the second nameserver to a public dns cache?
Hello, I have only one nameserver for a domain. Can I set the second nameserver for this domain to a public dns cache? for example: abc.com. IN NS ns1.abc.com. abc.com. IN NS ns2.abc.com. ns2.abc.com. IN A 8.8.8.8 # 8.8.8.8 is google's public dns server Since DNS cache does a rec-resolver, so it will also answer with the correct result? Thanks. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
is notify message going with UDP or TCP?
BIND master sends the notify message with TCP or UDP protocal? Thanks. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: can I set the second nameserver to a public dns cache?
In message , terr y writes: > Hello, > > I have only one nameserver for a domain. > Can I set the second nameserver for this domain to a public dns cache? > for example: No. A cache is NOT authoritative for the zone. > abc.com. IN NS ns1.abc.com. > abc.com. IN NS ns2.abc.com. > > ns2.abc.com. IN A 8.8.8.8 # 8.8.8.8 is google's public dns server > > > Since DNS cache does a rec-resolver, so it will also answer with the > correct result? > > Thanks. > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: is notify message going with UDP or TCP?
In message , terr y writes: > BIND master sends the notify message with TCP or UDP protocal? UDP. > Thanks. > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: can I set the second nameserver to a public dns cache?
On Mon, Mar 28, 2011 at 08:25:46PM +0800, terry wrote: > Hello, > > I have only one nameserver for a domain. > Can I set the second nameserver for this domain to a public dns cache? > for example: > > > abc.com. IN NS ns1.abc.com. > abc.com. IN NS ns2.abc.com. > > ns2.abc.com. IN A 8.8.8.8 # 8.8.8.8 is google's public dns server > > > Since DNS cache does a rec-resolver, so it will also answer with the > correct result? You can set another peer nameserver to be a public, private, commercial, or other name server as follows: ; Zone file for abc.com. $TTLxxx @ IN SOA ... IN NS ns1.abc.com. IN NS google-public-dns-a.google.com. IN NS res060.ns.uu.net. [Note the blank space in front of the [unneeded] "IN" in each "NS" above: they each inherit the LHS from the record above.] Assuming that an IP address that is not yours will "never" change is a frightening assumption, especially when proved untrue. Don't plant someon else's IP address in your name space, unless there is a firm agreement between yourself and them about why it's there and how changes will be communicated. -- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: can I set the second nameserver to a public dns cache?
> Hello, > I have only one nameserver for a domain. > Can I set the second nameserver for this domain to a public dns cache? > for example: > abc.com. IN NS ns1.abc.com. > abc.com. IN NS ns2.abc.com. > ns2.abc.com. IN A 8.8.8.8 # 8.8.8.8 is google's public dns server No. Don't do that. A cache/resolver is not the same as an authoritative server. For example, it will not flag the cache contents as being authoritative (the AA flag). Get a proper secondary/slave nameserver somewhere, it doesn't need to be costly. Regards Eivind Olsen eiv...@aminor.no ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: is notify message going with UDP or TCP?
On Mon, Mar 28, 2011 at 08:30:00PM +0800, terry wrote: > BIND master sends the notify message with TCP or UDP protocal? RFC 1996: 3.4. The transport protocol used for a NOTIFY transaction will be UDP unless the master has reason to believe that TCP is necessary; for example, if a firewall has been installed between master and slave, and only TCP has been allowed; or, if the changed RR is too large to fit in a UDP/DNS datagram. So, JUST AS WITH RESPONSES TO QUERIES, both UDP and TCP must be allowed for reliable service. -- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: can I set the second nameserver to a public dns cache?
On Mon, Mar 28, 2011 at 11:35:06PM +1100, Mark Andrews wrote: ... > No. A cache is NOT authoritative for the zone. ... Of course right. I concentrated on the form and missed the substance. I was thinking of a service that will serve your DNS for you - which a caching server is not. -- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: problem for validate the script dnssec to isc dlv
it is, I'm coming I do not understand the need to recreate and validate the file keyset-en ... I then recreate a good record with the key in this file and my past signatures are good. I did not understand correctly the operation of dlv keyset files and I recreated downgrade bind to the stable version 9.3 of CentOS 5.5 and using webmin. can you give me the command to use to create files Keyset I did not find any documentation regarding the creation of this type of file I will update my blog more precisely with the new guidelines thanks for your good support thanks mark andrews thanks Torinthiel thanks eivind olsen thanks evan hunt thanks dan mahoney thanks michel graff Le lundi 28 mars 2011 à 10:04 +0200, Eivind Olsen a écrit : > > dns appear as my syncro. > > yet I'm still at the same point > > missing keys > > Your delegation for the domain fakessh.eu doesn't seem to be 100% correct > yet though. > > If I ask the nameservers for .eu (like p.nic.eu) it tells me your domain > belongs to 4 nameservers: > > ns0.xname.org > ns1.xname.org > ns1.novacrea.fr > r13151.ovh.net > > If I ask the first one on that list, ns0.xname.org, it tells me you only > have 3 nameservers: > > ns1.xname.org > ns1.novacrea.fra > r13151.ovh.net > > If I try to get a reply from ns1.xname.org it just goes into timeout here: > > [eivind@vimes ~]$ dig +dnssec ns fakessh.eu @ns1.xname.org > > ; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @ns1.xname.org > ;; global options: +cmd > ;; connection timed out; no servers could be reached > [eivind@vimes ~]$ > > If I try to get a reply from r13151.ovh.net I just get a servfail: > > [eivind@vimes ~]$ dig +dnssec ns fakessh.eu @r13151.ovh.net > > ; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @r13151.ovh.net > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53023 > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > ;; WARNING: recursion requested but not available > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ;; QUESTION SECTION: > ;fakessh.eu.IN NS > > ;; Query time: 55 msec > ;; SERVER: 87.98.186.232#53(87.98.186.232) > ;; WHEN: Mon Mar 28 10:02:33 2011 > ;; MSG SIZE rcvd: 39 > > Regards > Eivind Olsen > eiv...@aminor.no > > -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7 signature.asc Description: Ceci est une partie de message numériquement signée ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: can I set the second nameserver to a public dns cache?
No. But you can use a public (commercial or non-commerical) secondary DNS service. Google "secondary dns" or "free secondary dns". You will find a number of services and reviews. Be careful in selecting - many charge or limit you based on the number of queries and/or zones. QOS and reliablity vary, as do levels of support. Note that not all secondary services use BIND. Many of the free services don't yet support DNSSEC, don't accept NOTIFY (polling instead) or are un-reliable. Most don't support IPV6 and don't have any QOS guarantee. Also, for any serious use, you want geographic separation for disaster-tolerance. Nonetheless, you can find reasonable free services. Commercial services also vary the same parameters as well as price and support. I settled on puck.nether.net/dns for my personal domain, which seems to stay current with BIND, has been reliable, supports IPV6 and NOTIFY and is located in Chicago. But your milage (and criteria) may vary. - This communication may not represent my employer's views, if any, on the matters discussed. -Original Message- From: terry [mailto:te...@list.dnsbed.com] Sent: Monday, March 28, 2011 08:26 To: bind-users Subject: can I set the second nameserver to a public dns cache? Hello, I have only one nameserver for a domain. Can I set the second nameserver for this domain to a public dns cache? for example: abc.com. IN NS ns1.abc.com. abc.com. IN NS ns2.abc.com. ns2.abc.com. IN A 8.8.8.8 # 8.8.8.8 is google's public dns server Since DNS cache does a rec-resolver, so it will also answer with the correct result? Thanks. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
SV: ip6.arpa help
Great slides, thanks! Still looks like there is a long way to go until there is a standard implementation for reverse DNS ipv6 for large subnets. My problem is that before you put too much effort into it you want to see how other solved this problem or maybe get a standard of some kind. So my approach will probably be to delegate ip6.arpa for enterprise customers and to ignore or use wildcard for the private customers. Don't know if this will cause any problem thou!? Do they use reverse lookups as a lame security function in IPv6 as well? Cheers, Mattias -Ursprungligt meddelande- Från: bind-users-bounces+mattias.o.andersson=gavle...@lists.isc.org [mailto:bind-users-bounces+mattias.o.andersson=gavle...@lists.isc.org] För Persiko, Mark Skickat: den 18 mars 2011 18:43 Till: bind-users Ämne: RE: ip6.arpa help Hello, This was shared at RIPE61 and is pertinent to this discussion. It presents different approaches toward managing IPv6 PTR records for large subnets: http://ripe61.ripe.net/presentations/139-Ripe-61-rDNS-kzorba-freedman.pdf Thanks, Mark -Original Message- From: bind-users-bounces+mark.persiko=level3@lists.isc.org [mailto:bind-users-bounces+mark.persiko=level3@lists.isc.org] On Behalf Of Eivind Olsen Sent: Friday, March 18, 2011 7:07 AM To: bind-users Subject: Re: ip6.arpa help Den 18. mars 2011 kl. 10.07 skrev : > Are there any good information, maybe RFC, how reverse DNS should be done in > IPv6. Then I don't mean how to register a ip6.arpa and edit your zone-file in > bind. I mean how you solve the problem with generate 2^64 unique PTR records > for a single customer without filling your hard drive. =) I'm in a similar situation, and no, I don't know of a nice and easy way of doing this with current software. Pre-generating reverse records for any possible IPv6 address in your prefix(es) isn't going to work. Adding it to your own services/servers such as email servers etc, that's easy. But how can you know which of the 2^64 addresses your customer is going to be using? I've been toying with some ideas, not sure which one would actually work the best way: - don't add any IPv6 reverse records for customers - you could take the overhead of letting your customers either ask for specific reverse records to be implemented (through customer service? self service web interface?) - if your customers get assigned addresses from DHCPv6, you might consider letting it update the zones for you - in theory you could delegate the responsability for reverse records in the customers prefix to them, but I doubt many customers would actually bother running their own nameservers for this. - perhaps some alternative nameserver software is capable of generating the reverse records on the fly, based on some template, if there's not a specific record already defined? -- Regards Eivind Olsen eiv...@aminor.no ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Logging the answers to queries
What is the logging option to log the answers? Example, in my bind logs, I can see these type of entries: 28-Mar-2011 09:54:20.034 queries: info: client 127.0.0.1#56237: query: www.isc.org IN A + But I can't find anything in the logs what the answer to the query was. I've searched the bind documentation as well. Thanks in advance for your help. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
ISC BIND 9.6-ESV-R4 is now available
BIND 9.6-ESV-R4 is now available. Introduction BIND 9.6-ESV-R4 is a maintenance release for BIND 9.6-ESV. It is critical for those using DNSSEC validation, and strongly recommended otherwise. There was a defect in 9.6-ESV-R3 which affects DNSSEC validating resolvers; it may cause queries for .com names to fail with validation errors when DNSSEC records for the .com zone are initially inserted into the root zone on Thursday, 31 March 2011. BIND 9.6.3, 9.7.3, and 9.8.0 are not affected by this defect. 9.6.2 and earlier versions are affected. BIND 9.6.3 has been repackaged with the name 9.6-ESV-R4. Other than the version number, there are no functional differences between these versions. Upgrading to this release is urgent for operators of validating resolvers using BIND 9.6-ESV-R3 or earlier. Non-validating resolvers and authoritative-only name servers are not affected. If you cannot upgrade your server software before 31 March 2011, you may wish to disable validation before the .com DNSSEC records are inserted into the root zone, and re-enable it again a few days after. If your server is not updated and becomes affected, "rndc flushname com" should correct the problem, as would restarting the server. For a detailed list of changes in this release, see the file CHANGES in the source, or ftp://ftp.isc.org/isc/bind9/9.6-ESV-R4/CHANGES Download The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads. There you will find additional information about each release, source code, and some pre-compiled versions for certain operating systems. Support Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
notify-source-v6 and transfer-source-v6 for BIND 9.8
Hi bind-users,
its been a while since my last config of BIND and I was just wondering if
notify-source-v6 transfer-source-v6 are still there for BIND 9.8.0?
the ARM says so.
when i do notify-source-v6 on a zone statement and reload it...
notify-source-v6 { 2001:470:1f05:1ae0::1;; };
transfer-source-v6 { 2001:470:1f05:1ae0::1; };
29-Mar-2011 16:21:04.147 general: info: received control channel command
'reload'
29-Mar-2011 16:21:04.147 general: info: loading configuration from
'/etc/namedb/named.conf'
29-Mar-2011 16:21:04.149 config: error: /etc/namedb/named.conf:141: expected
IPv6 address or '*' near '{'
29-Mar-2011 16:21:04.149 general: error: reloading configuration failed:
unexpected token
I've tried both zone and on the global options.
server1# named -v
BIND 9.8.0
server1# ldd /usr/sbin/named
/usr/sbin/named:
libcrypto.so.6 => /lib/libcrypto.so.6 (0x800826000)
libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x800ac6000)
libz.so.5 => /lib/libz.so.5 (0x800d16000)
libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x800e2b000)
libm.so.5 => /lib/libm.so.5 (0x801026000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801146000)
libthr.so.3 => /lib/libthr.so.3 (0x801254000)
libc.so.7 => /lib/libc.so.7 (0x80136d000)
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: notify-source-v6 and transfer-source-v6 for BIND 9.8
On 03/28/11 17:37, Ivan R. Sy wrote:
Hi bind-users,
its been a while since my last config of BIND and I was just wondering if
notify-source-v6 transfer-source-v6 are still there for BIND 9.8.0?
the ARM says so.
when i do notify-source-v6 on a zone statement and reload it...
notify-source-v6 { 2001:470:1f05:1ae0::1;; };
transfer-source-v6 { 2001:470:1f05:1ae0::1; };
29-Mar-2011 16:21:04.147 general: info: received control channel command
'reload'
29-Mar-2011 16:21:04.147 general: info: loading configuration from
'/etc/namedb/named.conf'
29-Mar-2011 16:21:04.149 config: error: /etc/namedb/named.conf:141: expected
IPv6 address or '*' near '{'
29-Mar-2011 16:21:04.149 general: error: reloading configuration failed:
unexpected token
I've tried both zone and on the global options.
server1# named -v
BIND 9.8.0
Drop the curly brackets.
notify-source-v6 2001:470:1f05:1ae0::1;
transfer-source-v6 2001:470:1f05:1ae0::1;
Lyle Giese
LCR Computer Services, Inc.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
GUI for bind
Hello, I'm looking for a GUI for bind that meets the following requirements: (1) Must still be under development (and supported, either commercially or via community support) (2) Supports "accounts/groups" that will allow me to create user accounts that are able to modify only zone records assigned to the account/group. (3) Administrator access with the permissions to modify any zone record. (4) Should support most common features of bind. (5) Should support 100's of zone records. (6) Should be somewhat easy to use, so that "non-experts" can figure it out. The product does not have to be free... a commercial product is perfectly fine. I've spend some time searching around, but most of the GUI products either don't support bind or are no longer maintained... Any recommendations would be appreciated... Thanks JB ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: notify-source-v6 and transfer-source-v6 for BIND 9.8
On 29/03/2011 00:37, Ivan R. Sy wrote:
Hi Ivan,
> its been a while since my last config of BIND and I was just
> wondering if notify-source-v6 transfer-source-v6 are still there for BIND
> 9.8.0?
>
> the ARM says so.
>
> when i do notify-source-v6 on a zone statement and reload it...
>
> notify-source-v6 { 2001:470:1f05:1ae0::1;; };
> transfer-source-v6 { 2001:470:1f05:1ae0::1; };
>
> 29-Mar-2011 16:21:04.147 general: info: received control channel command
> 'reload'
> 29-Mar-2011 16:21:04.147 general: info: loading configuration from
> '/etc/namedb/named.conf'
> 29-Mar-2011 16:21:04.149 config: error: /etc/namedb/named.conf:141: expected
> IPv6 address or '*' near '{'
This error message is the hint: the notify-source-v6 option is expecting
to find an IP address, but instead found a '{'. Don't use curly braces
with these options: they only take one address (or an asterisk) as a
parameter.
Regards,
Anand Buddhdev
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: GUI for bind
We have used the commercial Men & Mice suite for 3 years now and have had great success with it. It meets all of your requirements listed below. It has an intuitive Windows based console as well as a web application that can be used to manage DNS, IPAM and DHCP. It works directly on top of BIND without any modifications. Josh -Original Message- From: bind-users-bounces+jbaird=follett@lists.isc.org [mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf Of Jorg B. Sent: Monday, March 28, 2011 6:55 PM To: bind-users Subject: GUI for bind Hello, I'm looking for a GUI for bind that meets the following requirements: (1) Must still be under development (and supported, either commercially or via community support) (2) Supports "accounts/groups" that will allow me to create user accounts that are able to modify only zone records assigned to the account/group. (3) Administrator access with the permissions to modify any zone record. (4) Should support most common features of bind. (5) Should support 100's of zone records. (6) Should be somewhat easy to use, so that "non-experts" can figure it out. The product does not have to be free... a commercial product is perfectly fine. I've spend some time searching around, but most of the GUI products either don't support bind or are no longer maintained... Any recommendations would be appreciated... Thanks JB ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
