Bind seems to lose track of DNSSEC keys

2013-10-07 Thread Maurice Janssen

Hi,

I've set up a few domains with DNSSEC and ran into a problem. There's not 
much to be found (apart from a similar problem on this list: 
https://lists.isc.org/pipermail/bind-users/2013-January/089416.html), 
therefore I hope somebody here can help me out.


I have a hidden master with a couple of zones and two public authoritative 
slave servers.
The master runs Bind 9.9.2, the slaves run NSD.  All systems are running 
OpenBSD 5.3-stable.  I use "auto-dnssec maintain;" and "inline-signing 
yes;".


I largely followed the instructions on 
https://kb.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html
At first, everything seemed OK.  The zones are signed and pass the test 
at dnsviz.net.  Reloading a zone after changing the unsigned zone file 
works OK.


The problem is that after some time Bind seems to lose track of the 
keys for most of the zones.

At this moment, only one of the zones is OK:

# rndc signing -list z74.nl
Done signing with key 16845/RSASHA256
Done signing with key 37936/RSASHA256

All other zones report:

# rndc signing -list z74.net
No signing records found

I haven't figured out at which moment this happens (after restarting the 
system or Bind, after a zone reload or some other event or at random).  
There's no clue in the log file.


The command "rndc loadkeys " doesn't help unfortunately.  The only 
workaround I found so far is to stop Bind, remove the signed zone files 
and journal files and start Bind (which is rather annoying, because you 
can easily end up with out-of-sync SOA records).



BTW: The reason for not running 9.9.4 is that there is only a 9.9.2 
package available for OpenBSD 5.3.  However, on a test system with 
OpenBSD -current and Bind 9.9.4 the problem persists.


I hope somebody can give me a hint how to solve this.

Thanks,
Maurice Janssen
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Distinguishing between parent and DLV sigs

2013-10-07 Thread Phil Mayers
I know DLV probably won't live forever, but lookaside zones might for 
some time.


It doesn't look as if bind distinguishes between a signature in the 
parent, or a signature in DLV (with "dnssec-lookaside auto"). Am I 
missing something?


If I'm not, could the log message:

validating X: ZONE RR got insecure response; parent indicates it should 
be secure


...be disambiguated? Maybe:

[parent|] indicates it should be secure

Version is 9.9.3-rpz2+rl.13204.02-P2


Re: Bind seems to lose track of DNSSEC keys

2013-10-07 Thread Mark Andrews

In message <52528314.4010...@z74.net>, Maurice Janssen writes:
> Hi,
> 
> I've set up a few domains with DNSSEC and ran into a problem. There's not 
> much to be found (apart from a similar problem on this list: 
> https://lists.isc.org/pipermail/bind-users/2013-January/089416.html) 
> therefore I hope somebody here can help me out.
> 
> I have a hidden master with a couple of zones, two public authoritative 
> slave servers.
> The master runs Bind 9.9.2, the slaves run NSD.  All systems are running 
> OpenBSD 5.3-stable.  I use "auto-dnssec maintain;" and "inline-signing 
> yes;".
> 
> I largely followed the instructions on 
> https://kb.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html
> At first, everything seemed OK.  The zones are signed and pass the test 
> at dnsviz.net.  Reloading a zone after changing the unsigned zone file 
> works OK.
> 
> The problem is that after some time Bind seems to lose track of the 
> keys for most of the zones.
> At this moment, only one of the zones is OK:
> 
> # rndc signing -list z74.nl
> Done signing with key 16845/RSASHA256
> Done signing with key 37936/RSASHA256
> 
> All other zones report:
> 
> # rndc signing -list z74.net
> No signing records found

The "signing" records show the progress of the initial signing of
the zone.  The only reason they are not removed automatically is
so that the operator can know when the zone is fully signed to start
the timer for adding DS records to the parent zone.  Named uses
incremental signing which can take some time with really large
zones.  With small zones it takes seconds.

These records are not required for named to continue to sign the
zone.  Named uses the RRSIG records combined with sig-validity-interval
to work out what needs to be re-signed and when.  It uses the DNSKEY
records in the zone to look for the private keys.

As for why they are disappearing, I suspect that we are just failing
to preserve them at some point which is a minor bug that needs to
be addressed.  As long as the zone has completed signing their
removal shouldn't cause problems.

> I haven't figured out at which moment this happens (after restarting the 
> system or Bind, after a zone reload or some other event or at random).  
> There's no clue in the log file.
> 
> The command "rndc loadkeys " doesn't help unfortunately.  The only 
> workaround I found so far is to stop Bind, remove the signed zone files 
> and journal files and start Bind (which is rather annoying, because you 
> can easily end up with out-of-sync SOA records).
> 
> 
> BTW: The reason for not running 9.9.4 is that there is only a 9.9.2 
> package available for OpenBSD 5.3.  However, on a test system with 
> OpenBSD -current and Bind 9.9.4 the problem persists.
> 
> I hope somebody can give me a hint how to solve this.
> 
> Thanks,
> Maurice Janssen
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
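To check the two things Mark says named actually relies on, here is an added example (not from the thread and not BIND's own code) that parses RRSIGs in dig presentation format and reports, per RRset, whether a signature is expired, due for renewal under sig-validity-interval N [M] (M defaulting to N/4), or fine, plus which signing key tags have no DNSKEY behind them. The sample records, the dates and the use of the z74.nl owner names are constructed; only the key tags 16845 and 37936 come from the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed RRSIGs in dig presentation format: owner TTL class RRSIG type alg
# labels origTTL expiration inception keytag signer signature. Key tags 16845 and
# 37936 come from the post's "rndc signing -list" output; dates are made up.
SAMPLE_RRSIGS = """\
z74.nl. 3600 IN RRSIG DNSKEY 8 2 3600 20131106120000 20131007120000 37936 z74.nl. AAAA
z74.nl. 3600 IN RRSIG SOA 8 2 3600 20131106120000 20131007120000 16845 z74.nl. BBBB
z74.nl. 3600 IN RRSIG NS 8 2 3600 20131012120000 20130912120000 16845 z74.nl. CCCC
www.z74.nl. 3600 IN RRSIG A 8 3 3600 20131006000000 20130906000000 16845 z74.nl. DDDD
"""
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)")
NOW = datetime(2013, 10, 7, 12, 0, tzinfo=timezone.utc)  # the thread's date

def parse_rrsigs(text):
    """One dict per RRSIG line; expiration/inception become aware UTC datetimes."""
    out = []
    for m in filter(None, map(RRSIG_RE.match, text.splitlines())):
        d = m.groupdict()
        for k in ("exp", "inc"):
            d[k] = datetime.strptime(d[k], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        d["keytag"] = int(d["keytag"])
        out.append(d)
    return out

def classify(rrsigs, now, validity_days=30, resign_days=None):
    """Map (owner, type) to 'expired', 'due' or 'ok' using sig-validity-interval
    semantics: signatures are valid N days and renewed M days before expiry,
    M defaulting to N/4 (BIND's default N is 30 days, so M is 7.5 days)."""
    window = timedelta(days=validity_days / 4 if resign_days is None else resign_days)
    result = {}
    for r in rrsigs:
        if r["exp"] <= now:
            state = "expired"
        elif r["exp"] - now <= window:
            state = "due"
        else:
            state = "ok"
        result[(r["owner"], r["type"])] = state
    return result

def unknown_keytags(rrsigs, dnskey_tags):
    """Key tags used by RRSIGs without a matching DNSKEY: named finds private
    keys via the zone's DNSKEY set, so these signatures cannot be renewed."""
    return sorted({r["keytag"] for r in rrsigs} - set(dnskey_tags))
```

Run it against the output of `dig @master zone AXFR | grep RRSIG` to see whether re-signing is still happening regardless of what `rndc signing -list` reports.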


ARIN IP assignments

2013-10-07 Thread Jim Pazarena

I have a client who has been assigned a /20 from ARIN.

They asked me to help them with their DNS.

The DNS for me is the easy part. except...

ARIN has told them that you use the DNS to set up the routing so that
the traffic for this /20 gets routed to the correct up-stream provider.

Is this correct? If so, where in DNS do you set up routing?
If it's not correct, what am I missing? I always thought DNS had 100%
nothing to do with routing on the 'net. Boy am I confused.

TIA


Re: ARIN IP assignments

2013-10-07 Thread Mark Andrews

In message <525349b3.6090...@paz.bz>, Jim Pazarena writes:
> I have a client who has been assigned a /20 from ARIN.
> 
> They asked me to help them with their DNS.
> 
> The DNS for me is the easy part. except...
> 
> ARIN has told them that you use the DNS to set up the routing so that
> the traffic for this /20 gets routed to the correct up-stream provider.
 
I think this is a case of "$ethnicity whispers".

If they have a /20 then they need to set up 16 reverse zones, one for
each /24 in the /20.

If they are delegating smaller blocks to others then they may need
to SWIP the smaller block.  If those blocks are between /21 and /24
inclusive this will allow for reverse delegations direct from ARIN
to the client.  If those blocks are for a /25 or longer they may
want to look at RFC 2317 style delegations or allow the client to
dynamically update their part of the reverse zone.

Mark

> Is this correct? If so, where in DNS do you set up routing.
> if it's not correct, what am I missing? I always thought DNS had 100%
> nothing to do with routing on the 'net. Boy am I confused.
> 
> TIA
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
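As an added worked example (not from the thread), the reverse zones a /20 needs and the RFC 2317 style records that hand a /25 to a downstream customer, generalized to any IPv4 block between /16 and /24 and to any block longer than /24. The prefixes 10.1.16.0/20 and 192.0.2.128/25 and the nameserver name are constructed stand-ins.

```python
import ipaddress

def reverse_zones(cidr):
    """in-addr.arpa zone names the holder of an IPv4 block between /16 and /24
    has to serve: one zone per /24, so a /20 yields 16 of them."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 16 <= net.prefixlen <= 24:
        raise ValueError("expected an IPv4 block between /16 and /24")
    # reverse_pointer gives "0.16.1.10.in-addr.arpa"; drop the host octet.
    return [sub.network_address.reverse_pointer.split(".", 1)[1]
            for sub in net.subnets(new_prefix=24)]

def rfc2317_delegation(sub_cidr, nameservers):
    """Records for the parent /24 reverse zone that delegate a block longer
    than /24 RFC 2317 style: an NS set for a sub-zone named after the block
    and one CNAME per address pointing into that sub-zone. Owner names are
    relative to the parent zone's origin (e.g. 2.0.192.in-addr.arpa)."""
    net = ipaddress.ip_network(sub_cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 delegation is for blocks longer than /24")
    label = f"{int(net.network_address) & 0xFF}/{net.prefixlen}"
    parent = net.network_address.reverse_pointer.split(".", 1)[1]
    records = [f"{label}\tIN\tNS\t{ns}" for ns in nameservers]
    for addr in net:
        last = int(addr) & 0xFF
        records.append(f"{last}\tIN\tCNAME\t{last}.{label}.{parent}.")
    return records

if __name__ == "__main__":
    # Constructed inputs: a private /20 standing in for the client's ARIN block
    # and a documentation-range /25 handed to a downstream customer.
    for zone in reverse_zones("10.1.16.0/20"):
        print(zone)
    for rr in rfc2317_delegation("192.0.2.128/25", ["ns1.customer.example."])[:3]:
        print(rr)
```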