Re: Securing zone transfer and DDNS
On 7 November 2011 3:47 Doug Barton wrote:
> First question, why use 2 keys? The combination of a key and an address
> match list should be enough. Second question, what version of BIND are
> you using? It probably doesn't matter, but it's good form to include
> that information.

Because I want to try to set multiple keys. Currently I have only one server (localhost - 127.0.0.1) but in future on a real working network I would have to set up more than one server and I don't know how. Will I simply have to add a new key to the allow-update or allow-transfer option?

BIND version is: 9.7.4

> > Unfortunately when I add to the keys option in server section more
> > than one key the named doesn't start anymore. Format of the key
> > option in the book is different than in the manual. When I remove
> > whole server section everything works ok. Is the keys section
> > important? For what this section is for? How can I use one key to
> > secure zone transfer to one host and other to secure zone transfer to
> > other host? It is possible?
>
> Doesn't look that way. The ARM is your best source for config info.

Maybe this is a stupid question but what is ARM?

> The include directive is related to adding an external file to your
> named.conf. Unless that's what you're intending to do, you probably
> don't want it here.

The key is in an external file.

> > server 127.0.0.1 { keys { "key"; }; };
>
> The term "keys" here would seem to indicate that you can add multiple
> keys per server, but ...
>
> > zone "my.zone" in { type master; file "my.zone"; allow-transfer { key
> > "key"; }; allow-update { key "key"; }; };
>
> I don't see anything in the ARM about including key directives in the
> allow-update or allow-transfer grammar.

Without that (keys only in server section) I can transfer the whole domain (dig my.zone axfr) without passing any key.

> You can probably also get some useful information by using named-checkconf.

named-checkconf is returning an error with "}" expected after ";" and ";" expected after "}".

--
Regards,
Aleksander Kurczyk

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Securing zone transfer and DDNS
On 07/11/11 14:31, Aleksander Kurczyk wrote:
> Maybe this is a stupid question but what is ARM?

Google for "bind ARM". 1st hit.
RE: Securing zone transfer and DDNS
Administrator's Reference Manual.

Bob Davis
National Agricultural Library
robert.dav...@ars.usda.gov
301.504.5859

-----Original Message-----
From: bind-users-bounces+robert.davis1=ars.usda@lists.isc.org [mailto:bind-users-bounces+robert.davis1=ars.usda@lists.isc.org] On Behalf Of Phil Mayers
Sent: Monday, November 07, 2011 9:47 AM
To: bind-users@lists.isc.org
Subject: Re: Securing zone transfer and DDNS

On 07/11/11 14:31, Aleksander Kurczyk wrote:
> Maybe this is a stupid question but what is ARM?

Google for "bind ARM". 1st hit.
Re: Securing zone transfer and DDNS
> Bind version is: 9.7.4

Upgrade; 9.8.1 is current. (In addition, you're reading a book called
BIND 10 -- even though the book doesn't once mention that software!)

> Maybe this is a stupid question but what is ARM?

BIND 9 Administrator Reference Manual. It is provided in multiple formats
within the BIND source distribution. (doc/arm/*)

[...]

I assume what you probably want to do is something like this:

    key "my.key" {
        algorithm HMAC-MD5;
        secret "";
    };
    key "my.key2" {
        ...
    };

    acl xferkey {
        key my.key2;
    };

    zone "example.net" IN {
        type master;
        file "example.net";
        allow-update {
            key "my.key";
        };
        allow-transfer {
            xferkey;
        };
    };

Create your keys with the dnssec-keygen utility (check its manual page).

Instead of allow-update, I'd like to suggest you read up on the `grant'
statement which allows a much finer granularity on DDNS.

        -JP
Re: Securing zone transfer and DDNS
> Create your keys with the dnssec-keygen utility (check its manual page).

Or 'ddns-confgen' is somewhat simpler. Its output is already in the format
named.conf wants, and the keys it generates can be repurposed for other
uses than DDNS.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Securing zone transfer and DDNS
On 7 November 2011 15:59 Jan-Piet Mens wrote:
> > Bind version is: 9.7.4
>
> Upgrade; 9.8.1 is current. (In addition, you're reading a book called
> BIND 10 -- even though the book doesn't once mention that software!)

I'm using Mac OS X 10.4.11 Tiger on a G4 400 MHz PPC Mac and BIND 9.7.4 is the last version that I'm able to use.

> I assume what you probably want to do is something like this:
>
> key "my.key" {
>     algorithm HMAC-MD5;
>     secret "";
> };
> key "my.key2" {
>     ...
> };
>
> acl xferkey {
>     key my.key2;
> };
>
> zone "example.net" IN {
>     type master;
>     file "example.net";
>     allow-update {
>         key "my.key";
>     };
>     allow-transfer {
>         xferkey;
>     };
> };

That's what I'm trying to do :) but what's with the server section? In the book it's in both the master and slave (zone transfer) named.conf files.

> Instead of allow-update, I'd like to suggest you read up on the `grant'
> statement which allows a much finer granularity on DDNS.

I have tried: update-policy { grant key subdomain my.zone any; }; (described in this book) but it doesn't work.

--
Regards,
Aleksander Kurczyk
Re: Securing zone transfer and DDNS
Are you saying you cannot compile from source, or that you must use the vendor supplied version of bind?

On Nov 7, 2011, at 10:04, Aleksander Kurczyk wrote:
> I'm using Mac OS X 10.4.11 Tiger on G4 400 MHz PPC Mac and BIND 9.7.4 is the
> last version that I'm able to use.
Re: Securing zone transfer and DDNS
On 7 November 2011 17:29 Michael Graff wrote:
> Are you saying you cannot compile from source, or that you must use the
> vendor supplied version of bind?

I have tried to compile version 9.8.1 but make exited with some errors. I have compiled version 9.7.4. The version of BIND supplied with this version of OS X (10.4.11) is 9.4.x. I'm using Xcode tools 2.5 (gcc 3.3 and 4.0) supplied with Tiger.

--
Regards,
Aleksander Kurczyk
Re: Re: Securing zone transfer and DDNS
In message <85ecc83.4a6e4d68.4eb81652.18...@o2.pl>, Aleksander Kurczyk writes:
> On 7 November 2011 17:29 Michael Graff wrote:
> > Are you saying you cannot compile from source, or that you must use the
> > vendor supplied version of bind?
> I have tried to compile version 9.8.1 but make exited with some errors. I
> have compiled version 9.7.4. The version of BIND supplied with this
> version of OS X (10.4.11) is 9.4.x. I'm using Xcode tools 2.5 (gcc 3.3
> and 4.0) supplied with Tiger.

Please send a full transcript of the compile of 9.8.1 to bind9-b...@isc.org. Tiger is getting long in the tooth now, but named should still compile on it; however, we don't have a version of MacOS that old to do test builds on anymore.

As for your zone transfer problem: specify the key to use in the masters clause.

    masters { 1.2.3.4 key xferkey; };

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
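The pieces discussed across this thread (the key statements, the server clause on the slave, the masters clause with a key, and separate keys for transfer and DDNS) fit together as a master/slave pair like the one below. This is an added example, not configuration posted by anyone on the list; the addresses (192.0.2.x documentation range), key names, file paths and secrets are placeholders.

```conf
# --- master (192.0.2.1) named.conf fragment ---
# Two TSIG keys: one the slave presents for AXFR/IXFR, one DDNS clients use.
# Secrets are placeholders; generate real ones with ddns-confgen or dnssec-keygen.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-1";
};
key "ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-2";
};

zone "example.net" IN {
    type master;
    file "example.net";
    # Only requests signed with xfer-key may transfer the zone; an unsigned
    # "dig @192.0.2.1 example.net axfr" is refused.
    allow-transfer { key "xfer-key"; };
    # update-policy replaces allow-update (a zone may carry only one of the two):
    # ddns-key may change any record type at names below example.net.
    update-policy { grant ddns-key subdomain example.net ANY; };
};

# --- slave (192.0.2.2) named.conf fragment ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-1";   # same secret as on the master
};

# Sign all requests sent to the master with xfer-key. The grammar allows a
# list, but named accepts only a single key per server clause.
server 192.0.2.1 { keys { "xfer-key"; }; };

zone "example.net" IN {
    type slave;
    file "slaves/example.net";
    # Key to present when asking this master for the transfer.
    masters { 192.0.2.1 key "xfer-key"; };
    # Do not let the slave become an unauthenticated copy of the zone.
    allow-transfer { none; };
};
```

Run named-checkconf on each file before reloading; once both sides are in place, an unsigned AXFR against either server should be refused while the slave still transfers the zone.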
Re: several master ip's for a slave zone
In article , Mark Andrews wrote:
> Transfer graph loops prevent expire working as a safeguard against
> loss of connectivity to the master source.

Some people may consider that a feature. Of course, they could also just set the expire time really high.

--
Barry Margolin
Arlington, MA