Bind 9.9.3 configuration message: missing 'file' entry
For a bind 9.9.3 build on Ubuntu 12.04LTS x64, I see log messages, for example, "/etc/bind/named.conf.local:4: zone 'jaspain.biz': missing 'file' entry" for each slave zone configured for inline signing. The file clause is, in fact, present in the configuration file, for example:

    zone "jaspain.biz" {
        type slave;
        file "/var/cache/bind/jaspain.biz.db";
        key-directory "/var/lib/bind/jaspain.biz";
        auto-dnssec maintain;
        inline-signing yes;
        masters { stealthMasters; };
        notify explicit;
        also-notify { publicSlaves; };
        allow-transfer { localhost; transferees; };
    };

The message does not occur for a similar slave zone that does not have key-directory, auto-dnssec, or inline-signing configured. The bind9 service appears to be functioning normally despite this log message.

The message originates from the code in /lib/bind9/check.c starting in line 1798.

    isc_result_t res1;
    obj = NULL;
    tresult = cfg_map_get(zoptions, "file", &obj);
    obj = NULL;
    res1 = cfg_map_get(zoptions, "inline-signing", &obj);
    if ((tresult != ISC_R_SUCCESS &&
         (ztype == MASTERZONE || ztype == HINTZONE)) ||
        (ztype == SLAVEZONE && res1 == ISC_R_SUCCESS)) {
            cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
                        "zone '%s': missing 'file' entry",
                        znamestr);
            result = tresult;
    }

Based on the code comments starting at line 1785, is the conditional expression of the "if" statement incorrectly parenthesized? Should it be as follows?

    if (tresult != ISC_R_SUCCESS &&
        (ztype == MASTERZONE || ztype == HINTZONE ||
         (ztype == SLAVEZONE && res1 == ISC_R_SUCCESS))) {

Thanks. Jeff.

Jeffry A. Spain, Network Administrator
Cincinnati Country Day School

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
does zone trump forward?
I've only ever come across bind configs where forwarding is in place to locate certain zones, then all other queries are handled by either recursion or authoritatively. But what about the other way around, where I'm master for a few zones but forward the rest? Consider this:

    view "the-internet" {
        recursion no;
        type forward;
        forwarders { 8.8.8.8; };
        zone "example.com" {
            type master;
            file "example.com";
            ..
        };
    };

What's confusing me is the implied configuration setting of forward first when the forward statement is used. If it truly forwards first, then I see an odd logical scenario happening. All queries are sent to the forwarder before being handled by localhost. Then, once the forwarder recognizes that I'm the master of example.com, why would a loop not occur if the forwarder matches this view? To ask the question another way, does the zone statement take precedence on matching queries over any forwarding?

Thanks
Re: does zone trump forward?
As I understand it, AUTHORITATIVE trumps anything. For example, from an inside intranet name server forward the root (".") to somewhere on your edge, sprinkle in a few internal-only authoritative zones, and enjoy. This is certainly not the only choice, but it functions pretty well.

Len

> From: Jonathan Reed
> To: bind-users
> Sent: Sunday, June 2, 2013 12:10 PM
> Subject: does zone trump forward?
>
> I've only ever come across bind configs where forwarding is in place to locate
> certain zones, then all other queries are handled by either recursion or
> authoritatively. But what about the other way around, where I'm master for a
> few zones but forward the rest? Consider this:
>
>     view "the-internet" {
>         recursion no;
>         type forward;
>         forwarders { 8.8.8.8; };
>         zone "example.com" {
>             type master;
>             file "example.com";
>             ..
>         };
>     };
>
> What's confusing me is the implied configuration setting of forward first when
> the forward statement is used. If it truly forwards first, then I see an odd
> logical scenario happening. All queries are sent to the forwarder before being
> handled by localhost. Then, once the forwarder recognizes that I'm the master
> of example.com, why would a loop not occur if the forwarder matches this view?
> To ask the question another way, does the zone statement take precedence on
> matching queries over any forwarding?
>
> Thanks
any requests
All,

Can anyone explain to me the purpose of ANY requests sent to cache DNS servers? I plan to block this kind of request on the DNS cache servers in order to avoid any amplification attack. But I was wondering if complaints can come if I do such a limitation.

Thanks in advance for your help.

Hugo,
Re: any requests
On 02.06.13 20:28, hugo hugoo wrote:
> Can anyone explain to me the purpose of ANY requests sent to cache DNS servers?

Their point is to give all available information for the given domain.

> I plan to block this kind of request on the DNS cache servers in order to avoid any amplification attack.

Don't do that. The main usage is for debugging your servers. Also, only your clients should be allowed to query your cache servers - does anyone attack your clients?

> But I was wondering if complaints can come if I do such a limitation.

Hard to say, but as I stated before: don't do that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Nothing is fool-proof to a talented fool.
Re: does zone trump forward?
On 02.06.13 15:10, Jonathan Reed wrote:
> I've only ever come across bind configs where forwarding is in place to locate certain zones, then all other queries are handled by either recursion or authoritatively. But what about the other way around, where I'm master for a few zones but forward the rest? Consider this:
>
>     view "the-internet" {
>         recursion no;

This disables queries for any domain not specified locally. The server will answer SERVFAIL.

>         type forward;

The "type" does not belong in the view definition.

>         forwarders { 8.8.8.8; };

And forwarders are in fact useless when you have "recursion no". They would only be used for BIND-initiated queries (e.g. used for sending NOTIFY requests).

>         zone "example.com" {
>             type master;
>             file "example.com";
>             ..
>         };
>     };
>
> What's confusing me is the implied configuration setting of forward first when the forward statement is used. If it truly forwards first, then I see an odd logical scenario happening. All queries are sent to the forwarder before being handled by localhost. Then, once the forwarder recognizes that I'm the master of example.com, why would a loop not occur if the forwarder matches this view?

Local domains are served locally. Only recursive queries are being forwarded.

> To ask the question another way, does the zone statement take precedence on matching queries over any forwarding?

Yes.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Atheism is a non-prophet organization.
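The configuration the thread converges on, written out as an added example (it is not from any of the posts above): "type forward" is dropped, recursion is enabled and restricted to a client ACL, "forward only" sends everything the server is not authoritative for to the forwarder, and the zone statement still answers example.com locally. The "clients" prefixes, the forwarder address and the zone file name are placeholders.

```conf
// Added example; the ACL, forwarder address and file name are placeholders.
acl "clients" { 192.0.2.0/24; 127.0.0.1; };

view "the-internet" {
    match-clients { clients; };

    // Forwarders are only consulted for recursive lookups, so recursion
    // must be on; restrict it to the clients you actually serve.
    recursion yes;
    allow-recursion { clients; };

    // "forward" is a view/options statement; "type forward" is a zone type
    // and does not belong here.  "only" never falls back to iterative
    // resolution when the forwarder fails; use "first" if you want that.
    forward only;
    forwarders { 8.8.8.8; };

    // Names in this zone are answered from the local file.  The forwarder is
    // never asked for them, so no loop can form even if it points back here.
    zone "example.com" {
        type master;
        file "example.com";
    };
};
```

Check it with "named-checkconf -z" on the file. From an address in "clients", "dig @127.0.0.1 www.example.com" comes back with the aa flag set (answered from the zone); a name outside the zone is resolved through 8.8.8.8 and comes back without aa. From any other address the view does not match and the query is refused.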
Re: Bind 9.9.3 configuration message: missing 'file' entry
On 02.06.13 14:27, Spain, Dr. Jeffry A. wrote:
> For a bind 9.9.3 build on Ubuntu 12.04LTS x64, I see log messages, for example, "/etc/bind/named.conf.local:4: zone 'jaspain.biz': missing 'file' entry" for each slave zone configured for inline signing. The file clause is, in fact, present in the configuration file, for example:
>
>     zone "jaspain.biz" {
>         type slave;
>         file "/var/cache/bind/jaspain.biz.db";
>         key-directory "/var/lib/bind/jaspain.biz";
>         auto-dnssec maintain;
>         inline-signing yes;
>         masters { stealthMasters; };
>         notify explicit;
>         also-notify { publicSlaves; };
>         allow-transfer { localhost; transferees; };
>     };

Have you looked carefully enough, and at the correct file, for a missing character that makes the configuration invalid? Have you run named-checkconf with and without the given file as parameter?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Depression is merely anger without enthusiasm.
RE: Bind 9.9.3 configuration message: missing 'file' entry
> Have you looked carefully enough, and at the correct file, for a missing
> character that makes the configuration invalid?
> Have you run named-checkconf with and without the given file as parameter?

The log message is new since bind-9.9.2-P2 with no changes to the configuration files. The section of code in check.c referred to in my original post has been changed from 9.9.2-P2 to 9.9.3. I still believe that the "if" statement in check.c as now coded in 9.9.3 accounts for the log messages. named-checkconf gives the same messages with or without the "file" clause and whether or not the path to the file is correct, and this is also consistent with the way the "if" statement is coded.

Thanks. Jeff.
Re: any requests
> From: Matus UHLAR - fantomas
> On 02.06.13 20:28, hugo hugoo wrote:
> > I plan to block this kind of request on the DNS cache servers in order to
> > avoid any amplification attack.
> Hard to say, but as I stated before: don't do that.

Instead, use RRL to mitigate many kinds of amplification attacks instead of only those using ANY. See http://www.redbarn.org/dns/ratelimits

Blocking DNS ANY requests is to DNS amplification DoS mitigation as blocking SMTP envelope Mail_From values of <> is to spam filtering. In early spam days, people who either knew far less than they pretended or had special agendas prescribed blocking the <> sender as almost the FUSSP, and never mind the RFCs that require accepting mail from <>, the value of mail from <>, and the vast floods of spam that don't and never did involve the <> sender.

Blocking DNS ANY or SMTP <> fits the old saying by H. L. Mencken: For every complex problem there is an answer that is clear, simple, and wrong.

Vernon Schryver v...@rhyolite.com
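What the two replies above amount to in named.conf, as an added example (not from the posts): ANY stays answerable, the cache is reachable only from your own clients, and RRL backstops the ACLs. The "clients" prefixes are placeholders; the rate-limit block uses the syntax of the RRL patch linked above (shipped in BIND 9.9.4 and later), and its numbers are starting points to tune against your logs, not a recommendation.

```conf
// Added example; addresses are placeholders and the rate-limit values are
// illustrative.  ANY is deliberately left unblocked.
acl "clients" { 192.0.2.0/24; 2001:db8::/32; 127.0.0.1; ::1; };

options {
    directory "/var/cache/bind";
    recursion yes;

    // The primary control: outsiders get REFUSED, so they cannot use the
    // cache as a reflector for any query type, ANY included.
    allow-query       { clients; };
    allow-recursion   { clients; };
    allow-query-cache { clients; };

    // Backstop for spoofed or compromised client addresses: identical
    // responses to one IPv4 /24 (IPv6 /56) beyond the threshold are dropped,
    // and every "slip"-th one is sent truncated so honest clients retry over TCP.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
        log-only yes;   // measure first; set to "no" once the log looks sane
    };
};
```

RRL is documented primarily for authoritative servers, so on a cache the ACLs carry most of the weight and rate-limit only catches what gets past them. Verify with "dig ANY example.com @cache" from a client address (answer returned) and from an outside address (status REFUSED); with log-only on, watch the named log for "rate limit" entries before enforcing.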
Re: Bind 9.9.3 configuration message: missing 'file' entry
In message <7610864823c0d04d89342623a3adc9de54c4a...@hopple.countryday.net>, "Spain, Dr. Jeffry A." writes:

> For a bind 9.9.3 build on Ubuntu 12.04LTS x64, I see log messages, for example,
> "/etc/bind/named.conf.local:4: zone 'jaspain.biz': missing 'file' entry" for
> each slave zone configured for inline signing. The file clause is, in fact,
> present in the configuration file, for example:
>
>     zone "jaspain.biz" {
>         type slave;
>         file "/var/cache/bind/jaspain.biz.db";
>         key-directory "/var/lib/bind/jaspain.biz";
>         auto-dnssec maintain;
>         inline-signing yes;
>         masters { stealthMasters; };
>         notify explicit;
>         also-notify { publicSlaves; };
>         allow-transfer { localhost; transferees; };
>     };
>
> The message does not occur for a similar slave zone that does not have
> key-directory, auto-dnssec, or inline-signing configured. The bind9 service
> appears to be functioning normally despite this log message.
>
> The message originates from the code in /lib/bind9/check.c starting in line 1798.
>
>     isc_result_t res1;
>     obj = NULL;
>     tresult = cfg_map_get(zoptions, "file", &obj);
>     obj = NULL;
>     res1 = cfg_map_get(zoptions, "inline-signing", &obj);
>     if ((tresult != ISC_R_SUCCESS &&
>          (ztype == MASTERZONE || ztype == HINTZONE)) ||
>         (ztype == SLAVEZONE && res1 == ISC_R_SUCCESS)) {
>             cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
>                         "zone '%s': missing 'file' entry",
>                         znamestr);
>             result = tresult;
>     }
>
> Based on the code comments starting at line 1785, is the conditional expression
> of the "if" statement incorrectly parenthesized? Should it be as follows?
>
>     if (tresult != ISC_R_SUCCESS &&
>         (ztype == MASTERZONE || ztype == HINTZONE ||
>          (ztype == SLAVEZONE && res1 == ISC_R_SUCCESS))) {
>
> Thanks. Jeff.
>
> Jeffry A. Spain, Network Administrator
> Cincinnati Country Day School

The brackets were wrong and we should have checked that obj was true.

Mark

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index b5658a1..33dd163 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1930,8 +1930,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 obj = NULL;
 res1 = cfg_map_get(zoptions, "inline-signing", &obj);
 if ((tresult != ISC_R_SUCCESS &&
- (ztype == MASTERZONE || ztype == HINTZONE)) ||
- (ztype == SLAVEZONE && res1 == ISC_R_SUCCESS)) {
+ (ztype == MASTERZONE || ztype == HINTZONE ||
+(ztype == SLAVEZONE && res1 == ISC_R_SUCCESS &&
+ cfg_obj_asboolean(obj) {
 cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
 "zone '%s': missing 'file' entry",
 znamestr);
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
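Review bot: the last "+" line of the hunk, "+ cfg_obj_asboolean(obj) {", does not balance the parentheses opened above it. With "if ((tresult", "(ztype == MASTERZONE", "(ztype == SLAVEZONE" and "cfg_obj_asboolean(" all still open, the line needs four closing parentheses before the brace, i.e. "cfg_obj_asboolean(obj)))) {"; as shown the file will not compile, so it is worth checking whether this is mail damage or the committed text. The regrouping itself matches the one proposed in the original post, and evaluating cfg_obj_asboolean(obj) here is safe because "&&" short-circuits: it is reached only when res1 == ISC_R_SUCCESS has left obj pointing at the inline-signing clause.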
RE: Bind 9.9.3 configuration message: missing 'file' entry
> The brackets were wrong and we should have checked that obj was true.

The patch you provided makes the log message go away. The bind9 service appears to be working normally, and named-checkconf produces no output.

Thanks. Jeff.
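To make the two groupings concrete, here is an added stand-alone model (written for this page, not code from ISC) of the predicate that emits "missing 'file' entry", in its 9.9.3 form and in the form the thread arrives at (the original post's regrouping plus the cfg_obj_asboolean() check from Mark's patch). The enum and the bool arguments stand in for ztype, the two cfg_map_get() results and the clause value; they are this example's own assumptions, not libbind9 identifiers. It enumerates every (zone type, file present, inline-signing clause, clause value) combination and counts where the two versions disagree; each disagreement is a zone 9.9.3 flagged although the regrouped check accepts it.

```c
/*
 * Added example, not ISC code: a stand-alone model of the predicate in
 * check_zoneconf() (lib/bind9/check.c) that emits "missing 'file' entry",
 * before and after the regrouping discussed in this thread.  The enum and
 * the bool arguments are stand-ins for ztype, the cfg_map_get() results and
 * cfg_obj_asboolean(); they are assumptions of this example, not libbind9
 * identifiers.
 */
#include <stdbool.h>
#include <stdio.h>

enum ztype { MASTERZONE, SLAVEZONE, HINTZONE, FORWARDZONE };

static const char *const ztype_name[] = { "master", "slave", "hint", "forward" };

/*
 * 9.9.3 grouping.  has_file models tresult == ISC_R_SUCCESS for "file",
 * has_inline_clause models res1 == ISC_R_SUCCESS for "inline-signing".
 * The slave test sits outside the "file is missing" test, so it is true
 * for every slave zone that carries an inline-signing clause, whether or
 * not a file is configured and whatever the clause says.
 */
bool missing_file_9_9_3(enum ztype ztype, bool has_file,
                        bool has_inline_clause, bool inline_value)
{
    (void)inline_value;     /* 9.9.3 never looked at the clause's value */
    return (!has_file && (ztype == MASTERZONE || ztype == HINTZONE)) ||
           (ztype == SLAVEZONE && has_inline_clause);
}

/*
 * Regrouped predicate: the original post's parenthesisation plus the
 * cfg_obj_asboolean() check from the patch.  Only an inline-signing slave
 * needs a file, and the error is reported only when the file is absent.
 */
bool missing_file_fixed(enum ztype ztype, bool has_file,
                        bool has_inline_clause, bool inline_value)
{
    bool inline_slave = ztype == SLAVEZONE && has_inline_clause && inline_value;
    return !has_file &&
           (ztype == MASTERZONE || ztype == HINTZONE || inline_slave);
}

/*
 * Walk every (zone type, file, inline-signing clause, value) combination and
 * count those where the two predicates differ.  Every difference is a zone
 * that 9.9.3 flagged although the regrouped check accepts it.
 */
int count_spurious_errors(void)
{
    int n = 0;
    for (int t = MASTERZONE; t <= FORWARDZONE; t++)
        for (int f = 0; f < 2; f++)
            for (int c = 0; c < 2; c++)
                for (int v = 0; v < 2; v++) {
                    if (!c && v)
                        continue;   /* a clause value needs a clause */
                    if (missing_file_9_9_3(t, f, c, v) !=
                        missing_file_fixed(t, f, c, v))
                        n++;
                }
    return n;
}

int main(void)
{
    printf("%-8s %-5s %-14s %-6s %-6s\n",
           "type", "file", "inline-signing", "9.9.3", "fixed");
    for (int t = MASTERZONE; t <= FORWARDZONE; t++)
        for (int f = 0; f < 2; f++)
            for (int c = 0; c < 2; c++)
                for (int v = 0; v < 2; v++) {
                    if (!c && v)
                        continue;
                    printf("%-8s %-5s %-14s %-6s %-6s\n", ztype_name[t],
                           f ? "yes" : "no",
                           !c ? "(absent)" : v ? "yes" : "no",
                           missing_file_9_9_3(t, f, c, v) ? "ERROR" : "ok",
                           missing_file_fixed(t, f, c, v) ? "ERROR" : "ok");
                }
    printf("%d combinations flagged only by 9.9.3\n", count_spurious_errors());
    return 0;
}
```

The three rows where the columns differ are all slave zones with an inline-signing clause: file present with "yes" (the poster's case), file present with "no", and file absent with "no". Only the fourth slave case, file absent with "inline-signing yes", is a real error, and both versions report it.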