Re: measuring dns query

2012-05-10 Thread Daniel Migault
Hi,

Maybe you are looking for dnsperf and resperf [1]. We have done some
tests similar to these in [2] and [3], so maybe it helps. Replaying
captures of traffic may also be recommended, especially to consider, for example,
queries with no answers. At least for DNSSEC this matters.

[1] http://www.nominum.com/resources/measurement-tools
[2] http://www.iepg.org/2010-11-ietf79/iepg79-mglt.pdf
[3] http://www-public.it-sudparis.eu/~lauren_m/articles/Migault-CNSM2010.pdf

BR
Daniel


On Thu, May 10, 2012 at 7:21 AM, PFUnix Mail  wrote:
> all,
>
> I'm looking for a way to measure DNS queries and am looking for an open-source
> solution if possible. Any suggestions?
>
> I want to measure the time it takes for 1 DNS query in BIND vs. DNS
> Active-Directory integrated.
>
> thanks,
> B
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



-- 
Daniel Migault
Orange Labs / Security Lab
+33 (0) 1 45 29 60 52
+33 (0) 6 70 72 69 58


errors in logs

2012-05-10 Thread Ben

Hi,

I just enabled bind as a caching name server and, when watching the logs, I got
the errors below.



error (network unreachable) resolving 
'www.indiaresultsalert.com//IN': 2001:503:a83e::2:30#53
error (network unreachable) resolving 'ns-797.awsdns-35.net/A/IN': 
2001:503:231d::2:30#53
error (network unreachable) resolving 'ns-797.awsdns-35.net//IN': 
2001:503:231d::2:30#53
error (network unreachable) resolving 'sant-ivan.narod.ru//IN': 
2001:678:13:0:194:85:105:17#53
error (network unreachable) resolving 'sant-ivan.narod.ru//IN': 
2001:678:16:0:194:85:252:62#53
error (network unreachable) resolving 'sant-ivan.narod.ru//IN': 
2001:678:18:0:194:190:124:17#53
error (network unreachable) resolving 'sant-ivan.narod.ru//IN': 
2001:678:14:0:193:232:156:17#53
error (network unreachable) resolving 'hdvideo.songspk.info//IN': 
2400:cb00:2049:1::adf5:3a7f#53
error (network unreachable) resolving 'hdvideo.songspk.info/A/IN': 
2400:cb00:2049:1::adf5:3b77#53
error (connection refused) resolving 'a.ns.mochimedia.net//IN': 
94.102.157.2#53
error (network unreachable) resolving 'www.youporn.com//IN': 
2600:1800:5::1#53
error (network unreachable) resolving 'ns-275.awsdns-34.com//IN': 
2001:503:a83e::2:30#53
error (network unreachable) resolving 'ns-275.awsdns-34.com//IN': 
2001:503:231d::2:30#53
error (network unreachable) resolving 'ns-1108.awsdns-10.org//IN': 
2001:500:e::1#53
error (network unreachable) resolving 'static.come2play.net//IN': 
2600:1802:4::1#53
error (network unreachable) resolving 'pubsub.pubnub.com//IN': 
2001:500:90:1::19#53
error (network unreachable) resolving 'starscream.dynalias.com//IN': 
2600:2001::75#53
error (network unreachable) resolving 'pubsub.pubnub.com/A/IN': 
2001:500:94:1::19#53
error (network unreachable) resolving 'd.adroll.com//IN': 
2001:500:90:1::21#53
error (network unreachable) resolving 'trgc.opt.fimserve.com//IN': 
2001:500:94:1::14#53
error (network unreachable) resolving 'a.adroll.com//IN': 
2001:500:94:1::21#53
DNS format error from 115.113.188.4#53 resolving www.esic.in/ for 
client 127.0.0.1#41692: invalid response

error (FORMERR) resolving 'www.esic.in//IN': 115.113.188.4#53
DNS format error from 117.240.232.196#53 resolving www.esic.in/ for 
client 127.0.0.1#41692: invalid response

error (FORMERR) resolving 'www.esic.in//IN': 117.240.232.196#53
error (network unreachable) resolving 'ws.amazon.com//IN': 
2001:500:90:1::31#53
error (network unreachable) resolving 'ns-921.amazon.com/A/IN': 
2001:500:94:1::31#53


Does "network unreachable" mean DNS cannot resolve the query, or is it a
network / firewall problem?

Some say format error and so on.

Thanks,
Ben



Re: errors in logs

2012-05-10 Thread Niall O'Reilly

On 10 May 2012, at 09:47, Ben wrote:

> I just enabled bind as a caching name server and, when watching the logs, I got
> the errors below.

You seem to be noticing 3 kinds of error.

"Network unreachable" messages refer only to IPv6 destinations.
Perhaps you have IPv6 enabled on the system where you're running
named, but don't have any external IPv6 connectivity?

"Connection refused" or "format error" (duplicated confusingly as
"FORMERR") indicate that a remote name server has refused to handle
your request or has sent a badly-formed response.  You can expect
to see these all the time when you run a resolver.  There are
broken and misconfigured servers out there!

I hope this helps.

Niall O'Reilly

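As an added example (not code from this thread or from ISC), a small Python triage of named resolver errors that applies Niall's diagnosis mechanically: it classifies the error reasons and checks whether every "network unreachable" destination is an IPv6 address, which points at the resolver host rather than at remote servers. The sample log lines are constructed in the shape of the ones Ben posted.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of the named resolver errors quoted
# in this thread. The "DNS format error from ..." line is the verbose
# companion of "error (FORMERR) ..." for the same query, so only the
# "error (...) resolving" lines are counted as events.
SAMPLE_LOG = """\
error (network unreachable) resolving 'ns-797.awsdns-35.net/A/IN': 2001:503:231d::2:30#53
error (network unreachable) resolving 'pubsub.pubnub.com//IN': 2001:500:90:1::19#53
error (connection refused) resolving 'a.ns.mochimedia.net//IN': 94.102.157.2#53
DNS format error from 115.113.188.4#53 resolving www.esic.in/ for client 127.0.0.1#41692: invalid response
error (FORMERR) resolving 'www.esic.in//IN': 115.113.188.4#53
"""

# error (<reason>) resolving '<qname>/<qtype>/<qclass>': <server>#<port>
RESOLVE_RE = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/']*)/(?P<qtype>[^/']*)/(?P<qclass>[^']*)': "
    r"(?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)


def parse_line(line):
    """Return {reason, qname, server} for one resolver error line, else None."""
    m = RESOLVE_RE.search(line)
    if not m:
        return None
    return {
        "reason": m.group("reason"),
        "qname": m.group("qname"),
        "server": ipaddress.ip_address(m.group("server")),
    }


def triage(log_text):
    """Classify resolver errors and test the broken-IPv6 hypothesis."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_reason = Counter(e["reason"] for e in events)
    unreachable = [e for e in events if e["reason"] == "network unreachable"]
    v6 = sum(1 for e in unreachable if e["server"].version == 6)
    return {
        "total": len(events),
        "by_reason": dict(by_reason),
        "unreachable_v6": v6,
        "unreachable_v4": len(unreachable) - v6,
        # Refusals and malformed replies are the remote server's problem;
        # any resolver sees these routinely.
        "remote_server_faults": by_reason["connection refused"] + by_reason["FORMERR"],
        # Local-side symptom: every unreachable destination is IPv6, so the
        # host advertises IPv6 but cannot actually forward it. Fix the
        # network configuration, or start named with -4 until it is fixed.
        "likely_broken_ipv6": bool(unreachable) and v6 == len(unreachable),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```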


Re: errors in logs

2012-05-10 Thread Phil Mayers

On 10/05/12 09:47, Ben wrote:

> Hi,
>
> I just enabled bind as a caching name server and, when watching the logs, I got
> the errors below.


It looks like you have broken IPv6 connectivity - your machine believes 
it has an IPv6 address and possibly a default route, but it doesn't work.


Check your networking config.


Hi;

2012-05-10 Thread William Thierry SAMEN
Hi, Bind'ers,

I'm trying to get the TTL of a zone just by typing a command, but I can't
see which command line I can use to get the solution.

Does someone have an idea? Is it possible to find that?

PS: The zone file is not created by me. For example, I did a dig +dnssec
www.google.fr and I want to know what the TTL of www.google.com is,
not the period of the query.

Thx

-- 
Cordialement.
Thierry *SAMEN.*

Re: Hi;

2012-05-10 Thread WBrown
William Thierry wrote on 05/10/2012 08:02:57 AM:

> I'm trying to get the TTL of a zone just by typing a command, but I
> can't see which command line I can use to get the solution.
>
> Does someone have an idea? Is it possible to find that?
>
> PS: The zone file is not created by me. For example, I did a dig
> +dnssec
> www.google.fr and I want to know what the TTL of www.google.com is,
> not the period of the query.

Ask an authoritative server:

cowman@ns-homer:~$ dig @ns1.google.com www.google.com

; <<>> DiG 9.9.0 <<>> @ns1.google.com www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32683
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com. 604800  IN  CNAME   www.l.google.com.
www.l.google.com.   300 IN  A   173.194.73.103
www.l.google.com.   300 IN  A   173.194.73.147
www.l.google.com.   300 IN  A   173.194.73.105
www.l.google.com.   300 IN  A   173.194.73.106
www.l.google.com.   300 IN  A   173.194.73.99
www.l.google.com.   300 IN  A   173.194.73.104

;; Query time: 35 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Thu May 10 08:12:13 2012
;; MSG SIZE  rcvd: 148





RE: Hi;

2012-05-10 Thread Todd Snyder
When you do a dig, the TTL is the 2nd column:

;; ANSWER SECTION:
www.google.com. 604800  IN  CNAME   www.l.google.com.
www.l.google.com.   300 IN  A   74.125.225.20
www.l.google.com.   300 IN  A   74.125.225.19
www.l.google.com.   300 IN  A   74.125.225.18
www.l.google.com.   300 IN  A   74.125.225.16
www.l.google.com.   300 IN  A   74.125.225.17


Although, it will provide the TTL of the cached record if the record is cached, 
so it may not be the original TTL.

If you want to know the TTL, you can query the authoritative nameservers 
directly for the record:

# get their nameservers
# dig google.com NS

;; ANSWER SECTION:
google.com. 345600  IN  NS  ns4.google.com.
google.com. 345600  IN  NS  ns1.google.com.
google.com. 345600  IN  NS  ns3.google.com.
google.com. 345600  IN  NS  ns2.google.com.

# pick one, and ask for the record you want
# dig @ns4.google.com www.google.com A +norec

;; ANSWER SECTION:
www.google.com. 604800  IN  CNAME   www.l.google.com.
www.l.google.com.   300 IN  A   74.125.225.148
www.l.google.com.   300 IN  A   74.125.225.147
www.l.google.com.   300 IN  A   74.125.225.144
www.l.google.com.   300 IN  A   74.125.225.146
www.l.google.com.   300 IN  A   74.125.225.145

Cheers



Re: DNSSEC

2012-05-10 Thread Tony Finch
Barry Margolin  wrote:
>
> [Validation is] only untroublesome until someone screws things up on
> their auth server.  When one of your users can't access something.gov,
> they'll complain to YOU, even though it's mostly out of your hands.
>
> This is true for other problems on auth servers as well, of course.  But
> DNSSEC is new enough that there tend to be more failures of this kind,
> even by organizations that until now have seemed to know what they're
> doing.

Some of the early DNSSEC deployments (especially in .gov) did not use good
tooling. That's much less of a problem now. See for instance the big
DNSSEC deployments in Sweden, Czech, Brazil.

Even third party DNSSEC screwups have not caused us much trouble.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Faeroes: Northeasterly backing northerly, 4 or 5, increasing 6 or 7 for a time
in east. Moderate, becoming rough later in far east. Showers. Good.


Re: DNSSEC

2012-05-10 Thread Barry Margolin
In article ,
 Tony Finch  wrote:

> Barry Margolin  wrote:
> >
> > [Validation is] only untroublesome until someone screws things up on
> > their auth server.  When one of your users can't access something.gov,
> > they'll complain to YOU, even though it's mostly out of your hands.
> >
> > This is true for other problems on auth servers as well, of course.  But
> > DNSSEC is new enough that there tend to be more failures of this kind,
> > even by organizations that until now have seemed to know what they're
> > doing.
> 
> Some of the early DNSSEC deployments (especially in .gov) did not use good
> tooling. That's much less of a problem now. See for instance the big
> DNSSEC deployments in Sweden, Czech, Brazil.
> 
> Even third party DNSSEC screwups have not caused us much trouble.

Every week or two someone complains in the Comcast Help Forum about 
being unable to resolve some .gov address, and the usual cause is that 
the domain operator messed up their DNSSEC.

But I agree that it's not as frequent as it was 6 months ago.  It also 
helps that Comcast can now work around it by configuring exceptions to 
DNSSEC checking.

-- 
Barry Margolin
Arlington, MA


Re: DNSSEC

2012-05-10 Thread Daniel Ryšlink


On 05/10/2012 04:33 PM, Barry Margolin wrote:

> In article,
>   Tony Finch  wrote:
>
>> Barry Margolin  wrote:
>>
>>> [Validation is] only untroublesome until someone screws things up on
>>> their auth server.  When one of your users can't access something.gov,
>>> they'll complain to YOU, even though it's mostly out of your hands.
>>>
>>> This is true for other problems on auth servers as well, of course.  But
>>> DNSSEC is new enough that there tend to be more failures of this kind,
>>> even by organizations that until now have seemed to know what they're
>>> doing.
>>
>> Some of the early DNSSEC deployments (especially in .gov) did not use good
>> tooling. That's much less of a problem now. See for instance the big
>> DNSSEC deployments in Sweden, Czech, Brazil.
>>
>> Even third party DNSSEC screwups have not caused us much trouble.
>
> Every week or two someone complains in the Comcast Help Forum about
> being unable to resolve some .gov address, and the usual cause is that
> the domain operator messed up their DNSSEC.
>
> But I agree that it's not as frequent as it was 6 months ago.  It also
> helps that Comcast can now work around it by configuring exceptions to
> DNSSEC checking.



What's the point of DNSSec when resolver administrators configure
exceptions on a regular basis? If you can't be sure when your resolver
does or does not validate, why have signed zones in the first place?
It just seems to be another "shared illusion of security" similar to PKI.



Re: DNSSEC

2012-05-10 Thread Warren Kumari

On May 10, 2012, at 11:20 AM, Daniel Ryšlink wrote:

> 
> On 05/10/2012 04:33 PM, Barry Margolin wrote:
>> In article,
>>  Tony Finch  wrote:
>> 
>>> Barry Margolin  wrote:
>>>> [Validation is] only untroublesome until someone screws things up on
>>>> their auth server.  When one of your users can't access something.gov,
>>>> they'll complain to YOU, even though it's mostly out of your hands.
>>>>
>>>> This is true for other problems on auth servers as well, of course.  But
>>>> DNSSEC is new enough that there tend to be more failures of this kind,
>>>> even by organizations that until now have seemed to know what they're
>>>> doing.
>>> Some of the early DNSSEC deployments (especially in .gov) did not use good
>>> tooling. That's much less of a problem now. See for instance the big
>>> DNSSEC deployments in Sweden, Czech, Brazil.
>>> 
>>> Even third party DNSSEC screwups have not caused us much trouble.
>> Every week or two someone complains in the Comcast Help Forum about
>> being unable to resolve some .gov address, and the usual cause is that
>> the domain operator messed up their DNSSEC.
>> 
>> But I agree that it's not as frequent as it was 6 months ago.  It also
>> helps that Comcast can now work around it by configuring exceptions to
>> DNSSEC checking.
>> 
> 
> What's the point of DNSSec when resolver administrators configure exceptions
> on a regular basis? If you can't be sure when your resolver does or does not
> validate, why have signed zones in the first place? It just seems to be
> another "shared illusion of security" similar to PKI.

Nope -- Comcast does a large amount of checking before turning off validation 
for a failing domain. 
This is (IMO) more secure than the alternative, which is to simply leave it 
failing, and have users move to a non-validating resolver instead…

W




Re: DNSSEC

2012-05-10 Thread Anand Buddhdev
On 10/05/2012 17:20, Daniel Ryšlink wrote:

> What's the point of DNSSec when resolver administrators configure
> exceptions on a regular basis? If you can't be sure when your resolver
> does or does not validate, why have signed zones in the first place?
> It just seems to be another "shared illusion of security" similar to PKI.

Daniel,

For many companies the bottom line is revenue. If a large ISP's
customers can't resolve some popular domains, and start calling to
complain, it would flood their helpdesks, and they would lose revenue.
They cannot afford to be idealists.

Comcast has taken a pragmatic view. I'm glad to see they've turned on
validation, but I can see why they need to configure exceptions. Without
being able to manage exceptions, large ISPs are not going to turn on
validation.

Regards,

Anand


Re: DNSSEC

2012-05-10 Thread WBrown
Warren wrote on 05/10/2012 11:50:30 AM:

> Nope -- Comcast does a large amount of checking before turning off 
> validation for a failing domain. 
> This is (IMO) more secure than the alternative, which is to simply 
> leave it failing, and have users move to a non-validating resolver
> instead…

Does Comcast have a process to re-enable validation once the issue is 
resolved?





KSK stays published 3 days after delete time

2012-05-10 Thread Axel Rau
All,

key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set.
It has been deleted from the repository at 2012-05-07T14:55:02.569706,
but is still included by named 9.9.0 in the zone framail.de
(as of 2012-05-10T19:51:32).

Is this a bug, triggered by my timing?
Should I wait one more maintenance cycle until deleting?

Axel 
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC

2012-05-10 Thread Warren Kumari

On May 10, 2012, at 12:52 PM, wbr...@e1b.org wrote:

> Warren wrote on 05/10/2012 11:50:30 AM:
> 
>> Nope -- Comcast does a large amount of checking before turning off 
>> validation for a failing domain. 
>> This is (IMO) more secure than the alternative, which is to simply 
>> leave it failing, and have users move to a non-validating resolver
>> instead…
> 
> Does Comcast have a process to re-enable validation once the issue is 
> resolved?
> 

Yup.

They have an overview of the technique here: 
http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
and there have been discussions on it on DNSOP, starting here: 
http://www.ietf.org/mail-archive/web/dnsop/current/msg09489.html
and then continuing on, basically forever…

This doesn't really talk to their policies in depth, but they do have reasonable
(and sane) policies…


W



random-device purpose in DNSSEC

2012-05-10 Thread Alexander Gurvitz
Hello all.

What is the random device used for?
The ARM says "Entropy is primarily needed for DNSSEC operations,
such as ... dynamic update of signed zones". I don't get why signing a zone
requires any randomness.

This bothers me as I'm implementing DNSSEC now, and I know that my systems
are low on entropy, and BIND's default random-device is /dev/random,
and it (the device) blocks when there's no entropy available.

Does BIND really need that entropy, and how much?

Regards,
Alexander Gurvitz,
net-me.net


Re: KSK stays published 3 days after delete time

2012-05-10 Thread Axel Rau

Am 10.05.2012 um 21:32 schrieb Alexander Gurvitz:

> Did you delete it manually (at 2012-05-07T14:55:02.569706) ?
Yes; i.e. my script.
> If so, maybe it's still in the zone because BIND doesn't know the timing
> metadata anymore ?
I thought that would be in the journal or internal repository of named.

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius


Re: random-device purpose in DNSSEC

2012-05-10 Thread Warren Kumari

On May 10, 2012, at 3:41 PM, Alexander Gurvitz wrote:

> Hello all.
> 
> What is the random device used for?
> The ARM says "Entropy is primarily needed for DNSSEC operations,
> such as ... dynamic update of signed zones". I don't get why signing a zone
> requires any randomness.
>
> This bothers me as I'm implementing DNSSEC now, and I know that my systems
> are low on entropy, and BIND's default random-device is /dev/random,
> and it (the device) blocks when there's no entropy available.

Multiple options:
1: install haveged (http://www.irisa.fr/caps/projects/hipsor/) -- this will 
provide you with much randomness [0].
2: buy a USB entropy widget (for example: http://www.entropykey.co.uk/)
3: See if there is a driver for your TPM -- many boxes have them, and many 
provide good randomness.
4: NOT RECOMMENDED: use /dev/urandom (only for testing)

> 
> Does BIND really need that entropy, and how much?

Yup. Well, BIND doesn't , but key generation does…

W
[0]: well, entropy, but I wanted to write much randomness… and I did...

> 
> Regards,
> Alexander Gurvitz,
> net-me.net


Re: KSK stays published 3 days after delete time

2012-05-10 Thread Axel Rau

Am 10.05.2012 um 19:55 schrieb Axel Rau:

> key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set.
> It has been deleted from the repository at 2012-05-07T14:55:02.569706,
> but is still included by named 9.9.0 in the zone framail.de
> (as of 2012-05-10T19:51:32).

To clarify: I'm using inline-signing.
The repository is the key-directory configured in named.conf.
"Deleted" means: My script deleted it.

> 
> Is this a bug, triggered by my timing?
> Should I wait one more maintenance cycle until deleting?

"maintenance cycle" means dnssec-loadkeys-interval.

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius


Re: random-device purpose in DNSSEC

2012-05-10 Thread G.W. Haywood

Hi there,

On Thu, 10 May 2012, Alexander Gurvitz wrote:


> What is the random device used for?

Cryptographic operations, loading libraries in random locations to
avoid insidious attacks, that kind of thing.

> This bothers me as I'm implementing DNSSEC now, and I know that my systems
> are low on entropy ...


You are not alone.  Take a look at 'haveged'.  Works for me.

--

73,
Ged.


Re: random-device purpose in DNSSEC

2012-05-10 Thread Michael Graff
Some signature methods require this, some do not.  RSA should not (in general) 
but RSA encryption in practice may.  Signing is different, in that you know 
both halves (encrypted and cleartext) so it should not require padding.

I think DSA does require randomness in signing.

--Michael

On May 10, 2012, at 2:41 PM, Alexander Gurvitz wrote:

> Hello all.
> 
> What is the random device used for?
> The ARM says "Entropy is primarily needed for DNSSEC operations,
> such as ... dynamic update of signed zones". I don't get why signing a zone
> requires any randomness.
>
> This bothers me as I'm implementing DNSSEC now, and I know that my systems
> are low on entropy, and BIND's default random-device is /dev/random,
> and it (the device) blocks when there's no entropy available.
>
> Does BIND really need that entropy, and how much?
> 
> Regards,
> Alexander Gurvitz,
> net-me.net


Re: KSK stays published 3 days after delete time

2012-05-10 Thread Alexander Gurvitz
On Thu, May 10, 2012 at 11:04 PM, Axel Rau  wrote:
>
>> Did you delete it manually (at 2012-05-07T14:55:02.569706) ?
> Yes; i.e. my script.
>> If so, maybe it's still in the zone because BIND doesn't know the timing
>> metadata anymore ?
> I thought that would be in the journal or internal repository of named.

I guess there's no such "internal repository". I guess bind is meant to
look at the metadata from the key file, and now that it doesn't have the
file, it knows no timing data. It's not going to delete keys just
because the file is missing, because the key file can be purposely
missing if someone chooses to store keys offline. Though it's all my
guesses.

Alex


Re: KSK stays published 3 days after delete time

2012-05-10 Thread Evan Hunt
> > key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set.
> > It has been deleted from the repository at 2012-05-07T14:55:02.569706,
> > but is still included by named 9.9.0 in the zone framail.de
> > (as of 2012-05-10T19:51:32).
> 
> To clarify: I'm using inline-signing.
> The repository is the key-directory configured in named.conf.
> "Deleted" means: My script deleted it.

Named won't delete the key from the zone unless you explicitly tell
it to do so.  For all it knows, your key file may have been removed
by mistake.

The correct way to remove a key from your zone is to schedule it
for deletion.  If it already has a successor published, then you can
schedule the event immediately:

   $ dnssec-settime -K  -D now Kframail.de.+007+13245
   $ rndc loadkeys framail.de

The -D option says "the key should be deleted after the specified
time", which in this case is "now".  "rndc loadkeys" tells named to
examine the keys in the repository and note any changes to the scheduled
events.  named will see that the specified KSK is scheduled for deletion,
it will remove it from the DNSKEY RRset, and it will resign the DNSKEY
RRset with the remaining key(s).

After that's happened, you can remove the key file from the repository
if you wish.

If you still have a copy of the key file, put it back and follow the
above steps.  Otherwise, I suggest resigning the zone from scratch
with the remaining keys.  (Update the SOA serial number in the unsigned
zonefile to something higher than the current serial number in the
signed zone; move .signed and .signed.jnl to some other
location; restart named.  A new signed zone should be generated with
the correct keyset.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
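As an added example (not code from this thread or from ISC), a Python check that reads the timing metadata named takes from K*.key files and compares the key directory against the DNSKEY set actually served, reproducing the point Evan makes here and Alexander and Mark make in the same thread: with the key file gone named has no delete time and keeps the key, and with it restored the passed delete time is detectable and an `rndc loadkeys` is due. The key file contents, timestamps and the served key set are constructed; the key material is a placeholder.

```python
import re
from datetime import datetime, timezone

# Constructed K*.key file contents in the comment-header format written by
# dnssec-keygen / dnssec-settime. Key ids and zone follow the thread; the
# key material is a placeholder, not a real key.
KEY_22924 = """\
; This is a key-signing key, keyid 22924, for framail.de.
; Created: 20110501120000 (Sun May  1 12:00:00 2011)
; Publish: 20110501120000 (Sun May  1 12:00:00 2011)
; Activate: 20110601120000 (Wed Jun  1 12:00:00 2011)
; Inactive: 20120407145502 (Sat Apr  7 14:55:02 2012)
; Delete: 20120507145502 (Mon May  7 14:55:02 2012)
framail.de. IN DNSKEY 257 3 7 PLACEHOLDER-KEY-MATERIAL
"""
KEY_13245 = """\
; This is a key-signing key, keyid 13245, for framail.de.
; Created: 20120401120000 (Sun Apr  1 12:00:00 2012)
; Publish: 20120401120000 (Sun Apr  1 12:00:00 2012)
; Activate: 20120501120000 (Tue May  1 12:00:00 2012)
framail.de. IN DNSKEY 257 3 7 PLACEHOLDER-KEY-MATERIAL
"""

# Key directory as the poster's script left it (22924 removed), and as it
# must look for named to act on the scheduled deletion (file restored).
REPOSITORY_AFTER_SCRIPT = {"Kframail.de.+007+13245.key": KEY_13245}
REPOSITORY_RESTORED = {"Kframail.de.+007+22924.key": KEY_22924, **REPOSITORY_AFTER_SCRIPT}
OBSERVED_AT = datetime(2012, 5, 10, 19, 51, 32, tzinfo=timezone.utc)
PUBLISHED_KEYIDS = {22924, 13245}   # constructed: DNSKEY RRset as served at OBSERVED_AT

META_RE = re.compile(r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", re.M)
KEYID_RE = re.compile(r"keyid (\d+)")


def parse_key_file(text):
    """Extract (keyid, timing metadata in UTC) from a K*.key file."""
    times = {
        event: datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        for event, ts in META_RE.findall(text)
    }
    return int(KEYID_RE.search(text).group(1)), times


def key_state(times, now):
    """Lifecycle state implied by the metadata at time `now` (latest event wins)."""
    for event, state in (("Delete", "delete"), ("Inactive", "inactive"),
                         ("Activate", "active"), ("Publish", "published")):
        if event in times and now >= times[event]:
            return state
    return "unpublished"


def audit(published_keyids, key_files, now):
    """Compare the served DNSKEY set against the key directory, keyed by keyid."""
    repo = dict(parse_key_file(text) for text in key_files.values())
    findings = {}
    for kid in published_keyids:
        if kid not in repo:
            # named only keeps the next event time in memory; without the file
            # it has no delete time and will not remove the key on its own.
            findings[kid] = "in zone, key file missing: no timing data, named keeps it"
        elif key_state(repo[kid], now) == "delete":
            findings[kid] = "in zone, delete time passed: run rndc loadkeys"
        else:
            findings[kid] = "in zone, state " + key_state(repo[kid], now)
    for kid, times in repo.items():
        # Published, active or inactive keys must be in the DNSKEY RRset.
        if kid not in published_keyids and key_state(times, now) in ("published", "active", "inactive"):
            findings[kid] = "not in zone, state " + key_state(times, now)
    return findings


if __name__ == "__main__":
    for label, repo in (("after script", REPOSITORY_AFTER_SCRIPT), ("restored", REPOSITORY_RESTORED)):
        print(label, audit(PUBLISHED_KEYIDS, repo, OBSERVED_AT))
```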


Re: random-device purpose in DNSSEC

2012-05-10 Thread Mark Andrews

In message 
, Alexander Gurvitz writes:
> Hello all.
> 
> What is the random device used for?
> The ARM says "Entropy is primarily needed for DNSSEC operations,
> such as ... dynamic update of signed zones". I don't get why signing a zone
> requires any randomness.

It doesn't for RSA.  However DSA does require randomness.
 
> This bothers me as I'm implementing DNSSEC now, and I know that my systems
> are low at entropy, and BIND default random-device is /dev/random,
> and it (the device) blocks when there's no entropy available.
> 
> Does BIND really need that entropy, and how much?

Yes, if you are using DSA.
 
> Regards,
> Alexander Gurvitz,
> net-me.net
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: KSK stays published 3 days after delete time

2012-05-10 Thread Mark Andrews

In message 
, Alexander Gurvitz writes:
> On Thu, May 10, 2012 at 11:04 PM, Axel Rau  wrote:
> >
> >> Did you delete it manually (at 2012-05-07T14:55:02.569706) ?
> > Yes; i.e. my script.
> >> If so, maybe it's still in the zone because BIND doesn't know the timing
> >> metadata anymore ?
> > I thought that would be in the journal or internal repository of named.
> 
> I guess there's no such "internal repository". I guess bind meant to
> look at the metadata from the key file, and now as it doesn't have the
> file, it knows no timing data. It's not going to delete keys just
> because the file is missing, because the key file can be purposely
> missing if someone chooses to store keys offline. Though it's all my
> guesses.

That's about it.  Named only keeps the next event time internally.
To fix this restore the K* files.  Named should then detect and
process them when it does its next scan for new keys.
 
> Alex
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
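The situation described in this message and in Evan's reply above (a key whose scheduled events named can no longer see because its K* file is gone, or a key past its Delete time that is still in the DNSKEY RRset) can be checked from outside named. What follows is an added example, not BIND's code and not anything posted in the thread: a Python audit that computes the key tag of each published DNSKEY (RFC 4034 Appendix B), matches it to the timing metadata in the repository's .key files, and mimics named's "only the next event" view of a key. The zone name framail.de is borrowed from Evan's example; the file names, tags, timestamps and key material are constructed, and the base64 fields are toy bytes rather than real RSA keys.

```python
"""Audit a zone's published DNSKEY RRset against the K*.key files in the
key repository.  Added example, not BIND code; all key data is constructed."""
import base64
import re
from datetime import datetime, timezone

# Timing fields BIND writes as '; Name: YYYYMMDDHHMMSS (...)' comments
TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSAMD5 form)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr):
    """Parse 'owner [ttl] IN DNSKEY flags proto alg key...' into (tag, alg, flags)."""
    tok = rr.split()
    i = tok.index("DNSKEY")
    flags, proto, alg = int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
    return key_tag(flags, proto, alg, "".join(tok[i + 4:])), alg, flags


def parse_keyfile(text):
    """Return the timing metadata found in the ';' comment lines of a .key file."""
    timing = {}
    for line in text.splitlines():
        m = re.match(r";\s*(\w+):\s*(\d{14})", line)
        if m and m.group(1) in TIMING_FIELDS:
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            timing[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return timing


def next_event(timing, now):
    """What named keeps in memory for a key: only the earliest still-future event."""
    future = [(t, name) for name, t in timing.items() if t > now]
    return min(future)[1] if future else None


def audit(dnskey_rrset, keyfiles, now):
    """Return (tag, finding) pairs for published keys that need attention."""
    meta = {}
    for fname, text in keyfiles.items():
        m = KEYFILE_RE.match(fname)
        if m:
            meta[(int(m.group("alg")), int(m.group("tag")))] = parse_keyfile(text)
    findings = []
    for rr in dnskey_rrset:
        tag, alg, _flags = parse_dnskey(rr)
        timing = meta.get((alg, tag))
        if timing is None:
            findings.append((tag, "published but no key file: named has no timing metadata for it"))
        elif "Delete" in timing and timing["Delete"] <= now:
            findings.append((tag, "Delete time has passed but key is still in the DNSKEY RRset"))
    return findings


# Constructed sample data (hypothetical, not from the thread): the RRset as
# served by named and the key files present on disk.  The old KSK (tag 5136)
# has been deleted from disk, which is the situation the thread describes.
NOW = datetime(2012, 5, 10, 12, 0, tzinfo=timezone.utc)

DNSKEY_RRSET = [
    "framail.de. IN DNSKEY 256 3 7 BAUG",   # ZSK, tag 3596, no Delete time
    "framail.de. IN DNSKEY 257 3 7 AQID",   # KSK, tag 2058, Delete time passed
    "framail.de. IN DNSKEY 257 3 7 BwgJ",   # old KSK, tag 5136, key file removed
]

KEYFILES = {
    "Kframail.de.+007+03596.key": """; This is a zone-signing key, keyid 3596, for framail.de.
; Created: 20120101000000 (Sun Jan  1 00:00:00 2012)
; Publish: 20120101000000 (Sun Jan  1 00:00:00 2012)
; Activate: 20120101000000 (Sun Jan  1 00:00:00 2012)
framail.de. IN DNSKEY 256 3 7 BAUG
""",
    "Kframail.de.+007+02058.key": """; This is a key-signing key, keyid 2058, for framail.de.
; Created: 20120101000000 (Sun Jan  1 00:00:00 2012)
; Publish: 20120101000000 (Sun Jan  1 00:00:00 2012)
; Activate: 20120101000000 (Sun Jan  1 00:00:00 2012)
; Delete: 20120509000000 (Wed May  9 00:00:00 2012)
framail.de. IN DNSKEY 257 3 7 AQID
""",
}

if __name__ == "__main__":
    for tag, finding in audit(DNSKEY_RRSET, KEYFILES, NOW):
        print(f"key tag {tag}: {finding}")
```

In real use the RRset would come from `dig +norecurse @127.0.0.1 framail.de DNSKEY` and the key files from the directory given to named's key-directory option; a key reported as "published but no key file" is exactly the one named can no longer time out, and restoring its K* files, as this message advises, gives named the metadata back.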


Re: DNSSEC

2012-05-10 Thread Mark Andrews

In message <532c3631-d503-4dc0-88c9-600a90564...@kumari.net>, Warren Kumari writes:
> 
> On May 10, 2012, at 12:52 PM, wbr...@e1b.org wrote:
> 
> > Warren wrote on 05/10/2012 11:50:30 AM:
> >> Nope -- Comcast does a large amount of checking before turning off
> >> validation for a failing domain.
> >> This is (IMO) more secure than the alternative, which is to simply
> >> leave it failing, and have users move to a non-validating resolver
> > instead?
> >
> > Does Comcast have a process to re-enable validation once the issue is
> > resolved?
> 
> 
> Yup.
> 
> They have an overview of the technique here:
> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
> and there have been discussions on it on DNSOP, starting here:
> http://www.ietf.org/mail-archive/web/dnsop/current/msg09489.html
> and then continuing on, basically forever...
> 
> This doesn't really talk to their policies in depth, but they do have
> reasonable (and sane) policies...
> 
> 
> W

It's also not a procedure that will scale.  It also impacted any
downstream validators.

Note doing this will mark any data as insecure so as long as the
application is paying attention to the security status of the data
returned, and it should be if it is depending upon it, there should
be no issues other than what would occur if a trust anchor was
removed.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Multiple zones with single key pair

2012-05-10 Thread Alexander Gurvitz
Hello,

Multiple zones with a single key - is this possible with BIND?

Regards,
Alexander Gurvitz,
net-me.net


RE: Multiple zones with single key pair

2012-05-10 Thread Spain, Dr. Jeffry A.
> Multiple zones with a single key - is this possible with BIND?

There was a recent discussion on this topic. See thread beginning at 
https://lists.isc.org/pipermail/bind-users/2012-April/087481.html. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School



Re: DNSSEC

2012-05-10 Thread Jan-Piet Mens
> Comcast has taken a pragmatic view. I'm glad to see they've turned on
> validation, but I can see why they need to configure exceptions. Without
> being able to manage exceptions, large ISPs are not going to turn on
> validation.

Indeed, which brings on the question why BIND (still) doesn't have a
"negative trust anchor" feature.

-JP