Re: DNSSEC: support for single keys?
On 09/12/2013 12:46 AM, Mark Andrews wrote:
> In message <523080dd.6010...@restena.lu>, Gilles Massen writes:
>> I'm seeing weird things (multiple RRSIGs when enabling NSEC3) so I'd
>> like to know if these are likely to be bugs or if I'm in uncharted
>> territory...
>
> Fixed in the next maintenance release.
>
> 3635. [bug] Signatures were not being removed from a zone with
> only KSK keys for a algorithm. [RT #24439]
>

Great, thanks!

As long as the maintenance release is not available, are there
workarounds? Like not using NSEC3, calling rndc signing -clear all, ...
or will the multiple signatures turn up whenever a single KSK is present?

Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Bind9 - multiple identical CNAME records in single resultset (cid-*.calendar.live.com)
Hello,

we are facing issues using bind9 as resolving nameservers for our users.
The problem is in resolving domains such as cid-*.calendar.live.com, e.g.
cid-20e76408fdfb6414.calendar.live.com

Bind discards the result with the following message in syslog:
named[1403]: error (FORMERR) resolving 'cid-20e76408fdfb6414.calendar.live.com/A/IN': 213.199.180.53#53

resolving the domain via dig +trace works:
dig +trace cid-20e76408fdfb6414.calendar.live.com

; <<>> DiG 9.8.1-P1 <<>> +trace cid-20e76408fdfb6414.calendar.live.com

cid-20e76408fdfb6414.calendar.live.com. 3600 IN CNAME na.calendar.live.com.
na.calendar.live.com. 3600 IN CNAME calendar.live.com.
na.calendar.live.com. 3600 IN CNAME calendar.live.com.
calendar.live.com. 3600 IN A 65.54.251.146
;; Received 151 bytes from 65.55.226.140#53(65.55.226.140) in 119 ms

We guess the problem is in the 2 (identical) CNAME records for the same
domain received in a single result set from ns*.msft.net, bind9 discards
these packets as invalid/FORMERR.
Resolving the CNAME will create a valid cache entry, resolving the A
record afterwards will work.
Using unbound, we are able to resolve domains properly directly.

We are looking for assistance with this, something as easy as a
configuration option to allow the (invalid?) packet to be processed
properly as unbound does would be great.
Of course adjusting the Microsoft nameservers to comply with the RFC
would be better, but we already tried to contact Microsoft (domains@,
msnhst@, opsimt@) about the issue, but so far there was no response.

The cid-*.calendar.live.com domains are used to identify the calendars
of users, they all point to the same records.
Using bind9, this does not work, so live.com calendar is broken (for all
of our users).

Sincerely,
Torsten Glaeser
Re: Bind9 - multiple identical CNAME records in single resultset (cid-*.calendar.live.com)
Upgrade. This is fixed in the current maintenance releases.

3452. [bug] Accept duplicate singleton records. [RT #32329]

Mark

In message <523175fe.1070...@rrzn.uni-hannover.de>, Hostmaster LUH writes:
> Hello,
>
> we are facing issues using bind9 as resolving nameservers for our users.
> The problem is in resolving domains such as cid-*.calendar.live.com, e.g.
> cid-20e76408fdfb6414.calendar.live.com
>
> Bind discards the result with the following message in syslog:
> named[1403]: error (FORMERR) resolving 'cid-20e76408fdfb6414.calendar.live.com/A/IN': 213.199.180.53#53
>
> resolving the domain via dig +trace works:
> dig +trace cid-20e76408fdfb6414.calendar.live.com
>
> ; <<>> DiG 9.8.1-P1 <<>> +trace cid-20e76408fdfb6414.calendar.live.com
>
> cid-20e76408fdfb6414.calendar.live.com. 3600 IN CNAME na.calendar.live.com.
> na.calendar.live.com. 3600 IN CNAME calendar.live.com.
> na.calendar.live.com. 3600 IN CNAME calendar.live.com.
> calendar.live.com. 3600 IN A 65.54.251.146
> ;; Received 151 bytes from 65.55.226.140#53(65.55.226.140) in 119 ms
>
> We guess the problem is in the 2 (identical) CNAME records for the same
> domain received in a single result set from ns*.msft.net, bind9 discards
> these packets as invalid/FORMERR.
> Resolving the CNAME will create a valid cache entry, resolving the A
> record afterwards will work.
> Using unbound, we are able to resolve domains properly directly.
>
> We are looking for assistance with this, something as easy as a
> configuration option to allow the (invalid?) packet to be processed
> properly as unbound does would be great.
> Of course adjusting the Microsoft nameservers to comply with the RFC
> would be better, but we already tried to contact Microsoft (domains@,
> msnhst@, opsimt@) about the issue, but so far there was no response.
>
> The cid-*.calendar.live.com domains are used to identify the calendars
> of users, they all point to the same records.
> Using bind9, this does not work, so live.com calendar is broken (for all
> of our users).
>
> Sincerely,
> Torsten Glaeser

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
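Added example, not part of the thread and not BIND's code: a check over the answer section quoted above that reports singleton record types repeated for one owner name, separating identical repeats (the case in this report) from repeats with different targets. The function names, the SINGLETON_TYPES set and the parsing of dig's presentation format are assumptions of this sketch.

```python
from collections import defaultdict

# Assumption of this example: types that may occur at most once per owner name.
SINGLETON_TYPES = {"CNAME", "SOA", "DNAME"}

# Constructed sample: the answer lines quoted in the post, whitespace normalised.
SAMPLE_ANSWER = """\
cid-20e76408fdfb6414.calendar.live.com. 3600 IN CNAME na.calendar.live.com.
na.calendar.live.com. 3600 IN CNAME calendar.live.com.
na.calendar.live.com. 3600 IN CNAME calendar.live.com.
calendar.live.com. 3600 IN A 65.54.251.146
;; Received 151 bytes from 65.55.226.140#53(65.55.226.140) in 119 ms
"""


def parse_records(text):
    """Yield (owner, rtype, rdata) from 'owner ttl IN type rdata' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment
        fields = line.split(None, 4)
        if len(fields) != 5 or fields[2].upper() != "IN":
            continue  # not a record line in the expected layout
        owner, _ttl, _cls, rtype, rdata = fields
        # DNS names compare case-insensitively, so normalise before comparing.
        yield owner.lower(), rtype.upper(), rdata.strip().lower()


def classify_singletons(text):
    """Map (owner, rtype) -> 'duplicate' or 'conflict' for repeated singletons."""
    seen = defaultdict(list)
    for owner, rtype, rdata in parse_records(text):
        if rtype in SINGLETON_TYPES:
            seen[(owner, rtype)].append(rdata)
    findings = {}
    for key, rdatas in seen.items():
        if len(rdatas) > 1:
            # Same rdata every time is a harmless repeat; differing rdata is not.
            findings[key] = "duplicate" if len(set(rdatas)) == 1 else "conflict"
    return findings
```

Running `classify_singletons` over resolver-side captures of answers that triggered FORMERR shows whether an upstream server is only repeating a record or is returning two different targets for one name.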
Re: DNSSEC: support for single keys?
In message <52316c02.90...@restena.lu>, Gilles Massen writes:
>
> On 09/12/2013 12:46 AM, Mark Andrews wrote:
> > In message <523080dd.6010...@restena.lu>, Gilles Massen writes:
> >> I'm seeing weird things (multiple RRSIGs when enabling NSEC3) so I'd
> >> like to know if these are likely to be bugs or if I'm in uncharted
> >> territory...
> >
> > Fixed in the next maintenance release.
> >
> > 3635. [bug] Signatures were not being removed from a zone with
> > only KSK keys for a algorithm. [RT #24439]
> >
>
> Great, thanks!
>
> As long as the maintenance release is not available, are there
> workarounds? Like not using NSEC3, calling rndc signing -clear all, ...
> or will the multiple signatures turn up whenever a single KSK is present?

You can use the next maintenance release candidates on the download page.

> Gilles
>
> --
> Fondation RESTENA - DNS-LU
> 6, rue Coudenhove-Kalergi
> L-1359 Luxembourg
> tel: (+352) 424409
> fax: (+352) 422473

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
RE: compile error building 9.9.3-P2
Please disregard.

--
Jack Tavares

"How many more can we sell with this button?"

From: bind-users-bounces+j.tavares=f5@lists.isc.org [bind-users-bounces+j.tavares=f5@lists.isc.org] on behalf of Jack Tavares [j.tava...@f5.com]
Sent: Thursday, September 12, 2013 11:24
To: bind-us...@isc.org
Subject: compile error building 9.9.3-P2

I am attempting to build 9.9.3-P2 in a chroot-ed 32 bit build environment
and I get a redefinition error.

Has anyone seen this and have a suggestion for how to fix this?
my configure options are
./configure --with-openssl= --enable-fixed-rrset --enable-shared --enable-threads --enable-ipv6 --with-libtool --with-libxml2=no --with-pic --with-gssapi= STD_CDEFINES=-DDIG_SIGCHASE=1

Error message:
In file included from code.h:70,
                 from rdata.c:334:
rdata/in_1/naptr_35.c:37: error: redefinition of 'txt_valid_regex'
rdata/generic/naptr_35.c:36: error: previous definition of 'txt_valid_regex' was here
rdata.c: In function 'dns_rdata_compare':
rdata.c:416: error: duplicate case value
rdata.c:416: error: previously used here
rdata.c: In function 'dns_rdata_casecompare':
rdata.c:447: error: duplicate case value
rdata.c:447: error: previously used here
rdata.c: In function 'dns_rdata_fromwire':
rdata.c:524: error: duplicate case value
rdata.c:524: error: previously used here
rdata.c: In function 'dns_rdata_towire':
rdata.c:586: error: duplicate case value
rdata.c:586: error: previously used here
rdata.c: In function 'dns_rdata_fromtext':
rdata.c:741: error: duplicate case value
rdata.c:741: error: previously used here
rdata.c: In function 'rdata_totext':
rdata.c:855: error: duplicate case value
rdata.c:855: error: previously used here
rdata.c: In function 'dns_rdata_fromstruct':
rdata.c:929: error: duplicate case value
rdata.c:929: error: previously used here
rdata.c: In function 'dns_rdata_tostruct':
rdata.c:956: error: duplicate case value
rdata.c:956: error: previously used here
rdata.c: In function 'dns_rdata_freestruct':
rdata.c:969: error: duplicate case value
rdata.c:969: error: previously used here
rdata.c: In function 'dns_rdata_additionaldata':
rdata.c:988: error: duplicate case value
rdata.c:988: error: previously used here
rdata.c: In function 'dns_rdata_digest':
rdata.c:1011: error: duplicate case value
rdata.c:1011: error: previously used here
rdata.c: In function 'dns_rdata_checkowner':
rdata.c:1027: error: duplicate case value
rdata.c:1027: error: previously used here
rdata.c: In function 'dns_rdata_checknames':
rdata.c:1036: error: duplicate case value
rdata.c:1036: error: previously used here
make[2]: *** [rdata.lo] Error 1
make[2]: Leaving directory `/local/tavares/perforce/tmos-dns-bugs-bind/ports/bind/build/lib/dns'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/local/tavares/perforce/tmos-dns-bugs-bind/ports/bind/build/lib'
make: *** [subdirs] Error 1

--
Jack Tavares
compile error building 9.9.3-P2
I am attempting to build 9.9.3-P2 in a chroot-ed 32 bit build environment
and I get a redefinition error.

Has anyone seen this and have a suggestion for how to fix this?
my configure options are
./configure --with-openssl= --enable-fixed-rrset --enable-shared --enable-threads --enable-ipv6 --with-libtool --with-libxml2=no --with-pic --with-gssapi= STD_CDEFINES=-DDIG_SIGCHASE=1

Error message:
In file included from code.h:70,
                 from rdata.c:334:
rdata/in_1/naptr_35.c:37: error: redefinition of 'txt_valid_regex'
rdata/generic/naptr_35.c:36: error: previous definition of 'txt_valid_regex' was here
rdata.c: In function 'dns_rdata_compare':
rdata.c:416: error: duplicate case value
rdata.c:416: error: previously used here
rdata.c: In function 'dns_rdata_casecompare':
rdata.c:447: error: duplicate case value
rdata.c:447: error: previously used here
rdata.c: In function 'dns_rdata_fromwire':
rdata.c:524: error: duplicate case value
rdata.c:524: error: previously used here
rdata.c: In function 'dns_rdata_towire':
rdata.c:586: error: duplicate case value
rdata.c:586: error: previously used here
rdata.c: In function 'dns_rdata_fromtext':
rdata.c:741: error: duplicate case value
rdata.c:741: error: previously used here
rdata.c: In function 'rdata_totext':
rdata.c:855: error: duplicate case value
rdata.c:855: error: previously used here
rdata.c: In function 'dns_rdata_fromstruct':
rdata.c:929: error: duplicate case value
rdata.c:929: error: previously used here
rdata.c: In function 'dns_rdata_tostruct':
rdata.c:956: error: duplicate case value
rdata.c:956: error: previously used here
rdata.c: In function 'dns_rdata_freestruct':
rdata.c:969: error: duplicate case value
rdata.c:969: error: previously used here
rdata.c: In function 'dns_rdata_additionaldata':
rdata.c:988: error: duplicate case value
rdata.c:988: error: previously used here
rdata.c: In function 'dns_rdata_digest':
rdata.c:1011: error: duplicate case value
rdata.c:1011: error: previously used here
rdata.c: In function 'dns_rdata_checkowner':
rdata.c:1027: error: duplicate case value
rdata.c:1027: error: previously used here
rdata.c: In function 'dns_rdata_checknames':
rdata.c:1036: error: duplicate case value
rdata.c:1036: error: previously used here
make[2]: *** [rdata.lo] Error 1
make[2]: Leaving directory `/local/tavares/perforce/tmos-dns-bugs-bind/ports/bind/build/lib/dns'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/local/tavares/perforce/tmos-dns-bugs-bind/ports/bind/build/lib'
make: *** [subdirs] Error 1

--
Jack Tavares
Re: compile error building 9.9.3-P2
In message <6134bb3286a31d4db61e57114e8ba7c0c6112...@seaembx01.olympus.f5net.com>, Jack Tavares writes:
> I am attempting to build 9.9.3-P2 in a chroot-ed 32 bit build environment
> and I get a redefinition error.
>
> Has anyone seen this and have a suggestion for how to fix this?
> my configure options are
> ./configure --with-openssl= --enable-fixed-rrset --enable-shared
> --enable-threads --enable-ipv6 --with-libtool --with-libxml2=no --with-pic
> --with-gssapi= STD_CDEFINES=-DDIG_SIGCHASE=1

Remove lib/dns/rdata/in_1/naptr_35.c. I suspect you have untarred over
an existing source tree and in_1/naptr_35.c moved to generic/naptr_35.c
between the two releases.

Mark

> Error message:
> In file included from code.h:70,
>                  from rdata.c:334:
> rdata/in_1/naptr_35.c:37: error: redefinition of 'txt_valid_regex'
> rdata/generic/naptr_35.c:36: error: previous definition of 'txt_valid_regex' was here
> rdata.c: In function 'dns_rdata_compare':
> rdata.c:416: error: duplicate case value
> rdata.c:416: error: previously used here
> rdata.c: In function 'dns_rdata_casecompare':
> rdata.c:447: error: duplicate case value
> rdata.c:447: error: previously used here
> rdata.c: In function 'dns_rdata_fromwire':
> rdata.c:524: error: duplicate case value
> rdata.c:524: error: previously used here
> rdata.c: In function 'dns_rdata_towire':
> rdata.c:586: error: duplicate case value
> rdata.c:586: error: previously used here
> rdata.c: In function 'dns_rdata_fromtext':
> rdata.c:741: error: duplicate case value
> rdata.c:741: error: previously used here
> rdata.c: In function 'rdata_totext':
> rdata.c:855: error: duplicate case value
> rdata.c:855: error: previously used here
> rdata.c: In function 'dns_rdata_fromstruct':
> rdata.c:929: error: duplicate case value
> rdata.c:929: error: previously used here
> rdata.c: In function 'dns_rdata_tostruct':
> rdata.c:956: error: duplicate case value
> rdata.c:956: error: previously used here
> rdata.c: In function 'dns_rdata_freestruct':
> rdata.c:969: error: duplicate case value
> rdata.c:969: error: previously used here
> rdata.c: In function 'dns_rdata_additionaldata':
> rdata.c:988: error: duplicate case value
> rdata.c:988: error: previously used here
> rdata.c: In function 'dns_rdata_digest':
> rdata.c:1011: error: duplicate case value
> rdata.c:1011: error: previously used here
> rdata.c: In function 'dns_rdata_checkowner':
> rdata.c:1027: error: duplicate case value
> rdata.c:1027: error: previously used here
> rdata.c: In function 'dns_rdata_checknames':
> rdata.c:1036: error: duplicate case value
> rdata.c:1036: error: previously used here
> make[2]: *** [rdata.lo] Error 1
> make[2]: Leaving directory `/local/tavares/perforce/tmos-dns-bugs-bind/ports/bind/build/lib/dns'
> make[1]: *** [subdirs] Error 1
> make[1]: Leaving directory `/local/tavares/perforce/tmos-dns-bugs-bind/ports/bind/build/lib'
> make: *** [subdirs] Error 1
>
> --
> Jack Tavares

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
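Added example, not part of the thread and not ISC tooling: one way to find leftovers of the kind suspected above, by listing files in an unpacked source tree that the release tarball does not ship. The function name is hypothetical, and the sketch assumes the tarball has a single top-level directory that corresponds to the tree being checked.

```python
import os
import tarfile


def stale_files(tarball, tree_root):
    """Return sorted relative paths under tree_root that are not in tarball.

    Assumption: every member lives under one top-level directory
    (for example <release>/lib/dns/...), which maps onto tree_root.
    """
    shipped = set()
    with tarfile.open(tarball) as tf:
        for member in tf.getmembers():
            if member.isdir():
                continue
            # normpath removes a leading "./"; then drop the top-level directory.
            parts = os.path.normpath(member.name).split(os.sep, 1)
            if len(parts) == 2:
                shipped.add(parts[1])

    stale = []
    for dirpath, _dirs, files in os.walk(tree_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), tree_root)
            if rel not in shipped:
                # Present on disk but absent from the release: a leftover
                # from an earlier unpack, or a locally added file.
                stale.append(rel)
    return sorted(stale)


if __name__ == "__main__":
    import sys
    # Usage: python stale_files.py <release tarball> <unpacked tree>
    for path in stale_files(sys.argv[1], sys.argv[2]):
        print(path)
```

Run it on a tree before configure and make; in a built tree every generated file is reported as well.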