Re: How to setup a backup NameServer?

2014-04-29 Thread Steven Carr
On 29 April 2014 07:06, houguanghua  wrote:
> hi kevin,
>
> Stealth slaves can't be used as backup  NS server. This backup server can't
> be accessed by all internet users.
> It can only be accessed by users from one ISP.  It's used when all authority
> NSs are down, especially in case of DDoS attack.
>
> Guanghua Hou

That's not how DNS works; DNS is a distributed system for that precise reason.

Why would you only want users of a single ISP to be able to resolve a
domain if the primary nameservers are down? What happens if the
primary nameservers are down for more than the SOA Expire time? Your
secondaries will stop serving the zone anyway as they haven't been
able to refresh it from the primary master.

You asked this same question a few months ago without explaining why
you are wanting to do this and got roughly the same answers.

If you own the zone and know the IP address range used by the ISP then
you can create a separate view that contains your additional
nameserver that no one else will know about, though they still might
not be able to access it if the primary nameserver is down and the
additional nameserver isn't in the parent's glue records (clients
wouldn't be able to find it). But if you don't own the zone then there
is nothing you can do, it's not your zone to mess with.

If you're trying to mitigate DDoS look at bigger boxes, faster
bandwidth, packet filtering and DNS Anycast.

Steve
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
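The secondary-server timer behaviour Steve is pointing at (a secondary keeps answering only until SOA EXPIRE has elapsed since its last successful refresh, RFC 1034 section 4.3.5), as an added Python model. This is not code from the thread or from BIND; the SOA values and the outage timeline are constructed, and NOTIFY-triggered refreshes are left out.

```python
"""SOA refresh/retry/expire as a secondary (slave) experiences it.
Added example, not BIND code; SOA values and outage times are constructed."""
from dataclasses import dataclass


@dataclass
class Soa:
    serial: int
    refresh: int   # seconds between successful SOA serial checks
    retry: int     # seconds between attempts after a failed check
    expire: int    # seconds since the last *successful* refresh before the zone is dropped


class Secondary:
    def __init__(self, soa, loaded_at):
        self.soa = soa
        self.serial = soa.serial
        self.last_success = loaded_at                 # the transfer that loaded the zone counts
        self.next_attempt = loaded_at + soa.refresh

    def authoritative(self, now):
        """True while the zone may still be served: EXPIRE counts from the last success,
        not from the first failure."""
        return now < self.last_success + self.soa.expire

    def poll(self, now, primary):
        """Ask the primary for its serial. `primary(now)` returns an int, or None if unreachable."""
        if now < self.next_attempt:
            return "idle"
        serial = primary(now)
        if serial is None:
            self.next_attempt = now + self.soa.retry
            return "retry"
        self.last_success = now
        self.next_attempt = now + self.soa.refresh
        if serial != self.serial:                     # named uses RFC 1982 serial arithmetic; simplified
            self.serial = serial
            return "transfer"
        return "no-change"


def expiry_time(soa, loaded_at, outage_start):
    """Instant at which a secondary loaded at `loaded_at` stops answering for the zone
    when the primary becomes unreachable at `outage_start` and never returns."""
    sec = Secondary(soa, loaded_at)
    primary = lambda t: soa.serial if t < outage_start else None
    while True:
        t = sec.next_attempt                          # jump to the next scheduled refresh/retry
        expires_at = sec.last_success + soa.expire
        if t >= expires_at:
            return expires_at
        sec.poll(t, primary)


if __name__ == "__main__":
    soa = Soa(serial=2014042901, refresh=3600, retry=900, expire=604800)   # 1h / 15m / 7d
    gone = expiry_time(soa, loaded_at=0, outage_start=10_000)
    print(f"zone dropped {gone - 10_000} s (~{(gone - 10_000) / 86400:.1f} days) into the outage")
```

The point the model makes concrete: a "backup" that only ever acts as a secondary has the same EXPIRE clock as every other secondary, so it buys nothing beyond what a normally delegated secondary already provides.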


RE: How to setup a backup NameServer?

2014-04-29 Thread houguanghua
steven,

Yes, I had asked the same question months ago.
I'm designing how to protect DNS for an ISP. The zones are not owned by the
ISP. The ISP wants to protect the DNS query during attacking.
So it's not a standard DNS solution. During the attacking, the backup server
will provide the DNS query and it works even if it can't refresh zones from
the primary NS. The backup server is configured with the private IP of this
ISP. All local DNS servers of this ISP know where the backup server is.

thanks,
Guanghua


Re: How to setup a backup NameServer?

2014-04-29 Thread Niall O'Reilly
At Tue, 29 Apr 2014 10:24:58 +,
houguanghua wrote:
> 
> Yes, I had asked the same question months ago. 
> I'm designing how to protect DNS for an ISP. The zones are not owned
> by the ISP. The ISP wants to protect the DNS query during attacking.
> So it's not standard DNS solution. During the attacking, the backup
> server will provide the DNS query and it works even if it can't
> refresh zones from primary NS.

  Which (or how many) zones do you expect your backup server to work
  for?

  /Niall


Re: How to setup a backup NameServer?

2014-04-29 Thread /dev/rob0
On Tue, Apr 29, 2014 at 11:49:49AM +0100, Niall O'Reilly wrote:
> At Tue, 29 Apr 2014 10:24:58 +,
> houguanghua wrote:
> > Yes, I had asked the same question months ago. 
> > I'm designing how to protect DNS for an ISP. The zones are not 
> > owned by the ISP. The ISP wants to protect the DNS query during 
> > attacking. So it's not standard DNS solution. During the 
> > attacking, the backup server will provide the DNS query and it 
> > works even if it can't refresh zones from primary NS.
> 
1.
>   Which (or how many) zones do you expect your backup server
>   to work for?
(and why these zones in particular?)

2. Do you have zone transfer access for these zones?
3. How will you detect the attack and switch over to this "backup 
   server"?

You're asking for features which do not exist, and are unlikely to be 
in high demand. You're probably going to have to do/hire some custom 
programming, or else rethink the solution. I suspect the latter is 
your best bet.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Promoting a slave to master gives syntax error

2014-04-29 Thread Theodotos Andreou

Thanks for the tip Mark. Now all the zone files are cached as text.

Now I have a different problem. After converting all the zones to 
master many zones failed to load because of this:


# grep example.com /var/log/syslog
29-Apr-2014 11:21:32.613 dns_rdata_fromtext: db.0.210.10.in-addr.arpa:26: near 'android_b2b2b8cdeedf92d3.example.com.': bad name (check-names)
29-Apr-2014 11:21:32.629 dns_rdata_fromtext: db.0.255.10.in-addr.arpa:16: near 'lim_iptgw1.example.com.': bad name (check-names)
29-Apr-2014 11:21:32.636 dns_rdata_fromtext: db.8.211.10.in-addr.arpa:45: near 'tl-wr641g/642g.example.com.': bad name (check-names)
29-Apr-2014 11:21:32.646 dns_rdata_fromtext: db.2.255.10.in-addr.arpa:22: near 'dc3-l2.example.com\032.': bad name (check-names)
29-Apr-2014 11:21:32.648 dns_rdata_fromtext: db.16.212.10.in-addr.arpa:28: near 'android__sx.example.com.': bad name (check-names)
29-Apr-2014 11:21:32.664 dns_rdata_fromtext: db.254.255.10.in-addr.arpa:44: near 'cs1-6509-ktim2.example.com\032.': bad name (check-names)
29-Apr-2014 11:21:32.673 dns_rdata_fromtext: db.204.25.10.in-addr.arpa:21: near 'ictlab_ls.example.com.': bad name (check-names)
29-Apr-2014 11:21:32.692 db.example.com:25: ---pc.example.com: bad owner name (check-names)
29-Apr-2014 11:21:32.692 zone example.com/IN: loading from master file db.example.com failed: bad owner name (check-names)
29-Apr-2014 11:21:32.692 zone example.com/IN: not loaded due to errors.

Any idea why? Is there a configuration setting to ignore these errors?

On 04/29/2014 09:53 AM, Mark Andrews wrote:

Set the masterfile-format.  Slaves default to raw,
masters default to text.

masterfile-format ( text | raw );

Mark

In message <535f4bb2.6000...@theo-andreou.org>, Theodotos Andreou writes:

Hello to all,

I have a task to clone a black box IPAM to a bind DNS server. Actually
the black box is using bind in the backend but the manufacturer does not
provide any shell access. Only a crappy GUI. So I do not have access to
the text zone files. Just the GUI.

In order to clone all the zones from the original DNS to the clone, I
setup a bind in slave config and allowed zone transfers for it. This is
a sample config:

/etc/bind/named.conf.local:

... Output omitted ...

zone "16.2.10.in-addr.arpa" {
  type slave;
  file "db.16.2.10.in-addr.arpa";
  masters { 10.1.12.61; };
};

zone "24.3.10.in-addr.arpa" {
  type slave;
  file "db.24.3.10.in-addr.arpa";
   masters { 10.1.12.61; };
};

... Output omitted ...

After bind restart, the zone transfers of all zones are completed
successfully. The resultant files are some sort of binary:

# file /var/cache/bind/db.24.3.10.in-addr.arpa
/var/cache/bind/db.24.3.10.in-addr.arpa: data

Now to promote the server to master I changed the configuration to:

/etc/bind/named.conf.local:

... Output omitted ...

zone "16.2.10.in-addr.arpa" {
  type master;
  file "db.16.2.10.in-addr.arpa";
};

zone "24.3.10.in-addr.arpa" {
  type master;
  file "db.24.3.10.in-addr.arpa";
};

... Output omitted ...

But when I restart bind I get a lot of errors like this:

   named[19773]: dns_master_load: db.24.3.10.in-addr.arpa:1: syntax error
   named[19773]: zone 24.3.10.in-addr.arpa/IN: loading from master file db.24.3.10.in-addr.arpa failed: syntax error
   named[19773]: zone 24.3.10.in-addr.arpa/IN: not loaded due to errors.

Apparently the system expects to see a zone file in text format but
because it's in binary it fails. I also tested it with:

# named-checkzone 24.3.10.in-addr.arpa /var/cache/bind/db.24.3.10.in-addr.arp
... Output omitted ...
dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax error
dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax error
dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax error
dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax error
dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax error
dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax error
dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:17: syntax error
/var/cache/bind/db.24.3.10.in-addr.arpa: file does not end with newline
zone 24.3.10.in-addr.arpa/IN: loading from master file /var/cache/bind/db.24.3.10.in-addr.arpa failed: syntax error
zone 24.3.10.in-addr.arpa/IN: not loaded due to errors.

I know I must be doing something fundamentally wrong here but I couldn't
find a guide how to do this properly. Any ideas?

I am using bind version 9.9.5-3-Ubuntu ( the stock binary that comes
with Ubuntu 14.04 64 bit) and the compiled parameters are:
named[7817]: built with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var' '--enable-threads' '--enable-largefile'
'--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'

Re: Promoting a slave to master gives syntax error

2014-04-29 Thread Tony Finch
Theodotos Andreou  wrote:
>
> Now I have a different problem. After converting all the zones to master many
> zones failed to load because of this:
>
> 29-Apr-2014 11:21:32.613 dns_rdata_fromtext: db.0.210.10.in-addr.arpa:26: 
> near 'android_b2b2b8cdeedf92d3.example.com.': bad name (check-names)
>
> Any idea why? Is there a configuration setting to ignore these errors?

Use "check-names warn;". The BIND 9 ARM says:

  check-names

  This option is used to restrict the character set and syntax of certain
  domain names in master files and/or DNS responses received from the
  network. The default varies according to zone type. For master zones the
  default is fail. For slave zones the default is warn. It is not
  implemented for hint zones.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Plymouth, North Biscay: Variable 4, becoming southerly or southwesterly 4 or 5
later. Moderate becoming rough in west. Thundery showers. Moderate,
occasionally poor.
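What check-names actually tests, as an added Python example (not BIND's code): the RFC 952/1123 host-name rule, applied to the fields the BIND 9 ARM lists for this option, the owner names of A/AAAA/MX records and the name carried in NS/MX/SRV/PTR RDATA (SOA is left out here). The zone text is constructed to mirror the names in the syslog lines above; `\032` is the master-file escape for octet 32, i.e. a trailing space. Note that the `_sip._tcp` SRV owner passes, because SRV owner names are not among the checked fields.

```python
"""RFC 952/1123 host-name check as BIND's check-names applies it to a master file.
Added example, not BIND's code; the zone text is constructed to mirror the log above."""
import re

# A host-name label: letters, digits and hyphen, no leading/trailing hyphen, 1..63 octets.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Per the BIND 9 ARM, check-names inspects owner names of A/AAAA/MX and the names in the
# RDATA of NS, SOA, MX, SRV and PTR. SOA is left out here; for the other four the checked
# name is the last RDATA token.
OWNER_CHECKED = {"A", "AAAA", "MX"}
RDATA_CHECKED = {"NS", "MX", "SRV", "PTR"}


def split_labels(name):
    """Split on unescaped dots, keeping backslash escapes inside each label."""
    labels, cur, esc = [], "", False
    for ch in name:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == ".":
            labels.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        labels.append(cur)
    return labels


def unescape(label):
    """Decode master-file escapes: \\DDD is the octet DDD (so \\032 is a space), \\X is X."""
    out, i = "", 0
    while i < len(label):
        if label[i] == "\\" and label[i + 1:i + 4].isdigit():
            out, i = out + chr(int(label[i + 1:i + 4])), i + 4
        elif label[i] == "\\" and i + 1 < len(label):
            out, i = out + label[i + 1], i + 2
        else:
            out, i = out + label[i], i + 1
    return out


def is_hostname(name):
    labels = split_labels(name)
    return bool(labels) and all(LABEL_RE.match(unescape(l)) for l in labels)


def fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def check_zone(text, origin="."):
    """Return [(line_no, name, reason)] for every name check-names would reject."""
    problems, last_owner = [], "@"
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";")[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                   # $TTL etc.: nothing to check
            continue
        toks = line.split()
        if raw[0].isspace():                       # blank owner field inherits the previous owner
            owner = last_owner
        else:
            owner = last_owner = toks.pop(0)
        if toks and toks[0].isdigit():             # optional TTL
            toks.pop(0)
        if toks and toks[0].upper() == "IN":       # optional class
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        owner_fq = fqdn(owner, origin)
        if rtype in OWNER_CHECKED and not is_hostname(owner_fq):
            problems.append((n, owner_fq, "bad owner name"))
        if rtype in RDATA_CHECKED and rdata:
            target = fqdn(rdata[-1], origin)
            if not is_hostname(target):
                problems.append((n, target, "bad name"))
    return problems


# Constructed zone text: the failing names are modelled on the syslog lines above.
SAMPLE_ZONE = r"""$ORIGIN 0.210.10.in-addr.arpa.
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. 2014042901 3600 900 604800 300
         IN NS  ns1.example.com.
10       IN PTR printer1.example.com.
26       IN PTR android_b2b2b8cdeedf92d3.example.com.
45       IN PTR tl-wr641g/642g.example.com.
22       IN PTR dc3-l2.example.com\032.
$ORIGIN example.com.
---pc    IN A   10.210.0.26
www      IN A   10.210.0.1
_sip._tcp IN SRV 0 5 5060 www.example.com.
"""

if __name__ == "__main__":
    for line_no, name, reason in check_zone(SAMPLE_ZONE):
        print(f"line {line_no}: {name!r}: {reason} (check-names)")
```

Running a scan like this before switching `check-names` to `warn` tells you which names you are about to start serving unchecked; a trailing `\032` in particular is almost always an IPAM export bug rather than a hostname anyone intended.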


Re: Zone transfer doesn't work when I set allow-update statement

2014-04-29 Thread Jeronimo L. Cabral
Dear, thanks for your help.

Please, the last question: can I dynamically update a zone and, when
necessary, freeze it, manually add/delete records, and after that thaw
it to continue with the dynamic updates? In other words, a mix
between dynamic and manual updates.

Thanks again,

JeLo


On Fri, Apr 25, 2014 at 6:04 PM, Evan Hunt  wrote:

> On Fri, Apr 25, 2014 at 05:29:30PM -0300, Jeronimo L. Cabral wrote:
> > But the master zone is not refreshed until I execute "service bind9
> > restart" ("service bind9 reload" doesn't refresh the master zone).
>
> The zone has been updated, but the changes are stored in a journal file
> ("zonefile.jnl").  You can look at the contents of the journal file
> with "named-journalprint <journal-file>".
>
> If you want to dump the current version of the zone to disk so you
> can look at the whole thing, use "rndc sync <zone>".
>
> (That's assuming this is a fairly recent BIND.  If it doesn't support
> sync, use "rndc freeze <zone>; rndc thaw <zone>".)
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
>

RE: Cross compile bind failing, vis3 ???

2014-04-29 Thread Olsen, Richard William (Rick) CTR DISA PEO-MA (US)
Well, I tried with the BUILD_CC and BUILD_CFLAGS set. I hadn't noticed the 
cross compile test during configuration before since it has been working for 
the T1000 and T5140 builds. Now though it has "no" for the cross compile test.

Here is my configure command: (this is in a script that sets path to the 
solaris studio bin)

BUILD_CC=cc BUILD_CFLAGS="-Xa -fast -xstrconst -xchip=ultraT3 -xarch=sparcvis3 
-mt -m64" ./configure --with-openssl=/usr/local/ssl --enable-full-report 
--without-gost --exec-prefix=/usr --libexecdir=/usr/lib/libexec 
--includedir=/usr/include

Even after I edit the configure script to have cross_compile=yes, it still 
responds with no during the configuration.

-Original Message-
From: Mark Andrews [mailto:ma...@isc.org] 
Sent: Monday, April 28, 2014 12:05 PM
To: Olsen, Richard William (Rick) CTR DISA PEO-MA (US)
Cc: bind-users@lists.isc.org
Subject: Re: Cross compile bind failing, vis3 ???


You are cross compiling.  You need to set BUILD_* so that the host tools
are properly built.

% grep BUILD README 
BUILD_CC
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)
% 

Mark

In message , "Olsen, Richard William (Rick) CTR DISA PEO-MA (US)" writes:
> 
> We have a remote site that we are providing a bind package for. They want a
> targeted build and sent us the compile options as 
> 
> -xtarget=T3 -xarch=sparcvis3 -xchip=ultraT3 -xcache=8/16/4:6144/64/24
> 
> The build system is using Sun Studio 12.3 cc on T5140  (UltraSPARC-T2+
> hardware running Solaris 10 05/08.) 
> 
> isainfo -x 
>sparcv9: asi_blk_init vis2 vis popc
>sparc: asi_blk_init vis2 vis poppc v8plus div32 mul32
> 
> Now the problem. I can compile the openssl using his requested parameters but 
> the bind fails.
> 
> "./gen -s . -c > include/dns/enumclass.h
> ld.so.1: gen: fatal: hardware capability (CA_SUNW_HW_1) unsupported: 0x500 [ VIS3 FMAF ]
> bash: line 1  killed ./gen -s . -c > include/dns/enumclass.h
> *** Error code 1
> The following command caused the error:
> for i in isc isccc dns isccfg bind9 lwres tests nulldir; do \
>   if [ "$i" != "nulldir" -a -d $i ]; then \
>   echo "making all in `pwd`/$i"; \
>   (cd $i; make DESTDIR="/blah/blah/bind-9.9.5-S1/lib" all ) || exit 1; \
>   fi; \
> done
> make: Fatal error: Command failed for target 'subdirs'
> "
> 
> Does bind not support Vis 3 architecture?
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Zone transfer doesn't work when I set allow-update statement

2014-04-29 Thread Sten Carlsen

On 29/04/14 14.50, Jeronimo L. Cabral wrote:
> Dear, thanks for your help.
>
> Please, the last question: can I dynamically update a zone and, when
> necessary, freeze it, manually add/delete records, and after that
> thaw it to continue with the dynamic updates? In other words, a
> mix between dynamic and manual updates.
>
I do this, not often, works as expected. Do be careful not to interfere
with the DHCP administered entries.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Zone transfer doesn't work when I set allow-update statement

2014-04-29 Thread /dev/rob0
On Tue, Apr 29, 2014 at 09:50:11AM -0300, Jeronimo L. Cabral wrote:
> Please, the last question: can I dynamically update a zone and,
> when necessary, freeze it, manually add/delete records, and
> after that thaw it to continue with the dynamic updates?
> In other words, a mix between dynamic and manual updates.

That's precisely what freeze/thaw is for.

Do note, however, that you lose the zone's history (which is 
necessary for IXFR, and perhaps a matter of interest otherwise)
when you do this. My suggestion is that you learn to be more
comfortable with nsupdate procedures, and stop using freeze/thaw.

-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
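The wire form of what an nsupdate transaction sends, as an added Python example (not from the thread or from BIND): an RFC 2136 UPDATE message carrying prerequisites and updates together, which the primary applies atomically and only if every prerequisite holds. This is the part of "getting comfortable with nsupdate" that freeze/thaw cannot give you: a conditional change that fails cleanly instead of overwriting a record DHCP owns, with the journal kept intact. Names and addresses are constructed, TSIG signing (what `nsupdate -k` adds) is omitted, and the message is built and parsed back but never sent.

```python
"""RFC 2136 DNS UPDATE message, the wire form of an nsupdate transaction.
Added example, not from the thread or from BIND; names/addresses are constructed, no TSIG."""
import struct

TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_ANY, CLASS_NONE = 1, 255, 254
OPCODE_UPDATE = 5


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(name, rtype, rclass, ttl=0, rdata=b""):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))


# Prerequisites (RFC 2136 s.2.4): CLASS ANY/NONE with empty RDATA encode the condition.
def prereq_name_not_in_use(name):          # nsupdate: prereq nxdomain NAME
    return rr(name, TYPE_ANY, CLASS_NONE)


def prereq_rrset_exists(name, rtype):      # nsupdate: prereq yxrrset NAME TYPE
    return rr(name, rtype, CLASS_ANY)


# Updates (RFC 2136 s.2.5): CLASS IN adds, CLASS ANY deletes an RRset, CLASS NONE deletes one RR.
def update_add(name, rtype, ttl, rdata):   # nsupdate: update add NAME TTL TYPE RDATA
    return rr(name, rtype, CLASS_IN, ttl, rdata)


def update_delete_rrset(name, rtype):      # nsupdate: update delete NAME TYPE
    return rr(name, rtype, CLASS_ANY)


def update_delete_rr(name, rtype, rdata):  # nsupdate: update delete NAME TYPE RDATA
    return rr(name, rtype, CLASS_NONE, 0, rdata)


def build_update(zone, prereqs, updates, msg_id=0x2136):
    """Header (opcode 5) + zone section + prerequisites + updates. The primary applies the
    update section atomically and only if every prerequisite holds (RFC 2136 s.3)."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, len(prereqs), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs) + b"".join(updates)


def decode_name(msg, off):
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def parse_update(msg):
    """Decode what build_update produced (no compression pointers are ever emitted here)."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": msg_id, "opcode": (flags >> 11) & 0xF,
              "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}
    zone, off = decode_name(msg, 12)
    off += 4                                              # ZTYPE + ZCLASS
    sections = {"prereq": [], "update": []}
    for key, count in (("prereq", pr), ("update", up)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[key].append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
    return header, zone, sections


def example_transaction():
    """Re-address printer1 only if it currently has an A RRset. nsupdate equivalent:
         zone example.com.
         prereq yxrrset printer1.example.com. A
         update delete printer1.example.com. A
         update add printer1.example.com. 300 A 10.210.0.26
         send
    Deleting the RRset first leaves exactly one address whatever the prior state was."""
    host = "printer1.example.com."
    return build_update("example.com.",
                        prereqs=[prereq_rrset_exists(host, TYPE_A)],
                        updates=[update_delete_rrset(host, TYPE_A),
                                 update_add(host, TYPE_A, 300, a_rdata("10.210.0.26"))])


if __name__ == "__main__":
    header, zone, sections = parse_update(example_transaction())
    print(header, zone)
    for section, entries in sections.items():
        for entry in entries:
            print(section, entry)
```

The prerequisite is the safety feature: if a DHCP client has meanwhile removed the record, the whole transaction is refused with NXRRSET and nothing is changed, which a freeze/edit/thaw cycle cannot promise.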


Re: Promoting a slave to master gives syntax error

2014-04-29 Thread Sten Carlsen
You might want to look at the output of:
dig axfr example.com

This also gives the contents of the zone, nicely sorted but with an
added SOA at the end.

I would suggest using it for comparison with the files to look for some
of those interesting endings (~~.com\032.). Those really look odd to me.


On 29/04/14 14.22, Theodotos Andreou wrote:

Re: Promoting a slave to master gives syntax error

2014-04-29 Thread Theodotos Andreou

On 04/29/2014 03:31 PM, Tony Finch wrote:


Thanks Tony. That's exactly what I was looking for.


Re: Promoting a slave to master gives syntax error

2014-04-29 Thread Theodotos Andreou
The original server serves as primary DNS for our AD infrastructure. 
This could be one explanation for these peculiarities. But since the 
source DNS is tuned not to complain about strange names I prefer to have 
a similar configuration on the clone.


On 04/29/2014 04:17 PM, Sten Carlsen wrote:


How to disable DNSSEC/EDNS for lwresd

2014-04-29 Thread Tomas Hozza
Hi.

I'm trying to disable DNSSEC/EDNS for the lwresd using the
following lwresd.conf:

options {
        directory "/var/named/";

        dnssec-enable no;
        dnssec-validation no;

        pid-file "/run/named/lwresd.pid";
        session-keyfile "/run/named/session.key";
};

lwres {
        search {example1.;};
        ndots 1;
};

But it seems that the 'dnssec-enable no;' statement has no
influence on the EDNS usage in queries sent by lwresd.

I was able to disable EDNS when lwres is run as named
using:

server 0.0.0.0/0 {
        edns no;
};

server ::/0 {
        edns no;
};

in the configuration. However I was not able to disable EDNS
when running lwresd.

We have a user that would like to disable EDNS to reduce the
overhead it adds and improve the performance. DNSSEC is
not a priority for them.

Is there a way to disable DNSSEC/EDNS for lwresd?

Thank you in advance.


Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.   http://cz.redhat.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Cross compile bind failing, vis3 ???

2014-04-29 Thread Mark Andrews

You do it something like this.  Note the argument to --host MUST NOT
match what sh config.guess returns.

./configure CC=cc CFLAGS="-Xa -fast -xstrconst -xchip=ultraT3 -xarch=sparcvis3 -mt -m64" --host=sparcvis3-sun-solaris2.10 --with-randomdev=/dev/random --with-ecdsa=no --with-gost=no BUILD_CC=cc BUILD_CFLAGS=

Note there is a call to ../../tools/genrandom that fails at the
moment when cross compiling so run "make -k" or run 'make' until
it fails on genrandom, cd to bin/tools and run 'rm genrandom
genrandom.o' then 'make genrandom CC=cc CFLAGS=""' then restart
the original make.  This should result in a generic sparc build of
genrandom which should run on all sparc processors.

Mark

In message , "Olsen, Richard William (Rick) CTR DISA PEO-MA (US)" writes:
> 
> Well, I tried with the BUILD_CC and BUILD_CFLAGS set. I hadn't noticed the 
> cross compile test during configuration before since it has been working
> for the T1000 and T5140 builds. Now though it has "no" for the cross
> compile test.
> 
> Here is my configure command: (this is in a script that sets path to the 
> solaris studio bin)
> 
> BUILD_CC=cc BUILD_CFLAGS="-Xa -fast -xstrconst -xchip=ultraT3 -xarch=sparcvis3 -mt -m64" ./configure --with-openssl=/usr/local/ssl --enable-full-report --without-gost --exec-prefix=/usr --libexecdir=/usr/lib/libexec --includedir=/usr/include
> 
> Even after I edit the configure script to have cross_compile=yes, it still 
> responds with no during the configuration.
> 
> -Original Message-
> From: Mark Andrews [mailto:ma...@isc.org] 
> Sent: Monday, April 28, 2014 12:05 PM
> To: Olsen, Richard William (Rick) CTR DISA PEO-MA (US)
> Cc: bind-users@lists.isc.org
> Subject: Re: Cross compile bind failing, vis3 ???
> 
> 
> You are cross compiling.  You need to set BUILD_* so that the host tools
> are properly built.
> 
> % grep BUILD README 
>   BUILD_CC
>   BUILD_CFLAGS (optional)
>   BUILD_CPPFLAGS (optional)
>   BUILD_LDFLAGS (optional)
>   BUILD_LIBS (optional)
> % 
> 
> Mark
> 
> In message , "Olsen, Richard William (Rick) CTR DISA PEO-MA (US)" writes:
> > 
> > We have a remote site that we are providing a bind package for. They want a 
> > targeted build and sent us the compile options as 
> > 
> > -xtarget=T3 -xarch=sparcvis3 -xchip=ultraT3 -xcache=8/16/4:6144/64/24
> > 
> > The build system is using Sun Studio 12.3 cc on T5140 (UltraSPARC-T2+ 
> > hardware running Solaris 10 05/08.) 
> > 
> > isainfo -x 
> >sparcv9: asi_blk_init vis2 vis popc
> >sparc: asi_blk_init vis2 vis poppc v8plus div32 mul32
> > 
> > Now the problem. I can compile the openssl using his requested parameters 
> > but 
> > the bind fails.
> > 
> > "./gen -s . -c > include/dns/enumclass.h
> > ld.so.1: gen: fatal: hardware capability (CA_SUNW_HW_1) unsupported: 0x500 [ VIS3 FMAF ]
> > bash: line 1  killed ./gen -s . -c > include/dns/enumclass.h
> > *** Error code 1
> > The following command caused the error:
> > for i in isc isccc dns isccfg bind9 lwres tests nulldir; do \
> > if [ "$i" != "nulldir" -a -d $i ]; then \
> > echo "making all in `pwd`/$i"; \
> > (cd $i; make DESTDIR="/blah/blah/bind-9.9.5-S1/lib" all ) || exit 1; \
> > fi; \
> > done
> > make: Fatal error: Command failed for target 'subdirs'
> > "
> > 
> > Does bind not support Vis 3 architecture?
> > 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> 

BIND transfers records to Windows DNS server

2014-04-29 Thread Roberto Carna
Dear, I have this scenario:

1) Windows DNS with dynamic update zone (Windows clients)

2) BIND with manually update zone (Linux and Cisco clients)

Is there any way to transfer all BIND zone records to the Windows DNS
in order to have just one and complete zone in the Windows DNS server
???

Thanks a lot,

Roberto


Re: BIND transfers records to Windows DNS server

2014-04-29 Thread Kevin Darcy

On 4/29/2014 3:12 PM, Roberto Carna wrote:

Dear, I have this scenario:

1) Windows DNS with dynamic update zone (Windows clients)

2) BIND with manually update zone (Linux and Cisco clients)

Is there any way to transfer all BIND zone records to the Windows DNS
in order to have just one and complete zone in the Windows DNS server
???

Not really, but, supposedly, modern versions of BIND understand 
GSS-TSIG, so you could, in theory, have the clients (or their DHCP 
servers) perform their dynamic updates to BIND, and that's what would 
host the "one and complete zone", which you could slave/stub as you wish 
to other DNS instances in your environment (e.g. Windows boxes), or have 
them resolve them iteratively if you have enough of a delegation chain 
to support that (e.g. an internal root zone). You'll have to kick the 
manual-editing habit, however, since it's too risky and/or disruptive to 
manually edit a dynamic-update-enabled zone. Use nsupdate instead.


You didn't mention Active Directory, but if that's what you're faced 
with, you could delegate the "underscore" zones to deal with that (see 
http://www.kuro5hin.org/story/2009/2/1/235152/2142)


- Kevin
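Kevin's advice above amounts to: stop hand-editing, get the records into a zone that is maintained by dynamic update, and let the other servers slave or stub it. The script below is an added example (not the poster's code, and not part of BIND or Windows DNS) of the one-off migration step that implies: it parses the hand-maintained BIND text zone and emits the `update add` batch that nsupdate needs to load those records into the dynamic zone. The zone content, names and server below are constructed; the parser covers one-record-per-line A, AAAA, CNAME, PTR, MX, SRV and TXT records with `$ORIGIN` and `$TTL`, skips the apex SOA and NS (the dynamic zone has its own), and refuses multi-line records rather than guessing.

```python
"""Generate an nsupdate batch from a hand-maintained BIND text zone.

Added example for the thread above; not the poster's code and not part of
BIND or Windows DNS. Names, addresses and the server below are constructed.
"""
from typing import List, Optional, Tuple

Record = Tuple[str, int, str, str]                # (owner FQDN, ttl, type, rdata)

SKIP_TYPES = {"SOA", "NS"}                        # apex records the dynamic zone already owns
CLASSES = {"IN", "CH", "HS"}
NAME_RDATA_TYPES = {"CNAME", "PTR", "MX", "SRV"}  # last rdata token is a domain name


def qualify(name: str, origin: str) -> str:
    """Make a master-file name fully qualified relative to $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str, origin: Optional[str] = None) -> List[Record]:
    """Parse the simple subset of master-file syntax described in the lead-in."""
    records: List[Record] = []
    default_ttl: Optional[int] = None
    owner: Optional[str] = None
    in_parens = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments (not quote-aware)
        if in_parens:                             # still inside a ( ... ) record
            in_parens = ")" not in line
            continue
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$"):
            raise ValueError(f"unsupported directive: {line}")
        if origin is None:
            raise ValueError("no $ORIGIN before first record")
        multiline = "(" in line and ")" not in line
        in_parens = multiline
        tokens = line.split()
        if not raw[0].isspace():                  # new owner; otherwise inherit the previous one
            owner = tokens.pop(0)
        if owner is None:
            raise ValueError(f"record without owner: {line}")
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() in CLASSES:
            tokens.pop(0)
        if not tokens:
            raise ValueError(f"record without type: {line}")
        rtype = tokens.pop(0).upper()
        if rtype in SKIP_TYPES:
            continue
        if multiline:
            raise ValueError(f"multi-line {rtype} record not supported: {line}")
        if ttl is None:
            raise ValueError(f"no TTL for record: {line}")
        if rtype in NAME_RDATA_TYPES and tokens:
            tokens[-1] = qualify(tokens[-1], origin)
        records.append((qualify(owner, origin), ttl, rtype, " ".join(tokens)))
    return records


def nsupdate_script(records: List[Record], server: str, zone: str) -> str:
    """Render the records as one nsupdate transaction, sent at the end."""
    lines = [f"server {server}", f"zone {zone}"]
    lines += [f"update add {name} {ttl} IN {rtype} {rdata}"
              for name, ttl, rtype, rdata in records]
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed sample zone using documentation names and address ranges.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN SOA ns1.example.test. hostmaster.example.test. (
                 2014042901 7200 900 1209600 300 )
         IN NS    ns1.example.test.
ns1      IN A     192.0.2.53
router1  600 IN A 192.0.2.1            ; Cisco device, maintained by hand
         IN AAAA  2001:db8::1
www      IN CNAME router1
"""

if __name__ == "__main__":
    print(nsupdate_script(parse_zone(SAMPLE_ZONE), "windns.example.test", "example.test."), end="")
```

Feed the output to `nsupdate -g` when the target zone only accepts secure (GSS-TSIG) updates, or to `nsupdate -k keyfile` where a TSIG key is configured; the target must allow dynamic updates from that identity, and the obvious check afterwards is a zone transfer (`dig AXFR`) from the target, if it permits one, to confirm the records arrived with the expected TTLs. Because everything goes out as a single transaction, a rejected record rolls back the whole batch rather than leaving the zone half-migrated.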


Re: How to setup a backup NameServer?

2014-04-29 Thread houguanghua
system for that precise 
> > reason.
> > 
> > Why would you only want users of a single ISP to be able to resolve a
> > domain if the primary nameservers are down? What happens if the
> > primary nameservers are down for more than SOA Expire time? your
> > secondaries will stop serving the zone anyway as they haven't been
> > able to refresh it from the primary master.
> > 
> > You asked this same question a few months ago without explaining why
> > you are wanting to do this and got roughly the same answers.
> > 
> > If you own the zone and know the IP address range used by the ISP then
> > you can create a separate view that contains your additional
> > nameserver that no one else will know about, though they still might
> > not be able to access it if the primary nameserver is down and the
> > additional nameserver isn't in the parent's glue records (clients
> > wouldn't be able to find it). But if you don't own the zone then there
> > is nothing you can do, it's not your zone to mess with.
> > 
> > If you're trying to mitigate DDoS look at bigger boxes, faster
> > bandwidth, packet filtering and DNS Anycast.
> > 
> > Steve
> 
> --
> 
> Message: 3
> Date: Tue, 29 Apr 2014 11:49:49 +0100
> From: "Niall O'Reilly" 
> To: houguanghua 
> Cc: "bind-users@lists.isc.org" 
> Subject: Re: How to setup a backup NameServer?
> Message-ID: 
> Content-Type: text/plain; charset=US-ASCII
> 
> At Tue, 29 Apr 2014 10:24:58 +,
> houguanghua wrote:
> > 
> > Yes, I had asked the same question months ago. 
> > I'm designing how to protect DNS for an ISP. The zones are not owned
> > by the ISP. The ISP wants to protect the DNS query during attacking.
> > So it's not a standard DNS solution. During the attacking, the backup
> > server will provide the DNS query and it works even if it can't
> > refresh zones from primary NS.
> 
>   Which (or how many) zones do you expect your backup server to work
>   for?
> 
>   /Niall
> 
> 
> --
> 
> Message: 4
> Date: Tue, 29 Apr 2014 06:48:52 -0500
> From: /dev/rob0 
> To: bind-users@lists.isc.org
> Subject: Re: How to setup a backup NameServer?
> Message-ID: <20140429114852.gf32...@harrier.slackbuilds.org>
> Content-Type: text/plain; charset=us-ascii
> 
> On Tue, Apr 29, 2014 at 11:49:49AM +0100, Niall O'Reilly wrote:
> > At Tue, 29 Apr 2014 10:24:58 +,
> > houguanghua wrote:
> > > Yes, I had asked the same question months ago. 
> > > I'm designing how to protect DNS for an ISP. The zones are not 
> > > owned by the ISP. The ISP wants to protect the DNS query during 
> > > attacking. So it's not a standard DNS solution. During the 
> > > attacking, the backup server will provide the DNS query and it 
> > > works even if it can't refresh zones from primary NS.
> > 
> 1.
> >   Which (or how many) zones do you expect your backup server
> >   to work for?
> (and why these zones in particular?)
> 
> 2. Do you have zone transfer access for these zones?
> 3. How will you detect the attack and switch over to this "backup 
>server"?
> 
> You're asking for features which do not exist, and are unlikely to be 
> in high demand. You're probably going to have to do/hire some custom 
> programming, or else rethink the solution. I suspect the latter is 
> your best bet.
> -- 
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>

Re: How to setup a backup NameServer?

2014-04-29 Thread Dave Warren

On 2014-04-29 18:50, houguanghua wrote:

A lot of zones will be supported. All popular zones in the ISP.
Maybe the best solution is to hire some custom programming to develop 
private system.


How will you obtain copies of "all popular zones"? Are you just talking 
about zones you host, or things like Google?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Re: How to disable DNSSEC/EDNS for lwresd

2014-04-29 Thread Mark Andrews

In message <483759859.6291670.1398781076480.javamail.zim...@redhat.com>, Tomas Hozza writes:
> Hi.
> 
> I'm trying to disable DNSSEC/EDNS for the lwresd using the
> following lwresd.conf:
> 
> options {
>   directory "/var/named/";
> 
>   dnssec-enable no;
>   dnssec-validation no;
> 
>   pid-file "/run/named/lwresd.pid";
>   session-keyfile "/run/named/session.key";
> };
> 
> lwres {
>   search {example1.;};
>   ndots 1;
> };
> 
> But it seems that the 'dnssec-enable no;' statement has no
> influence on the EDNS usage in queries sent by lwresd.

"dnssec-enable no;" controls how named responds to DO=1 queries.
It is a no-op to lwresd as it is not processing DNS requests.
 
> I was able to disable EDNS when lwres is run as named
> using:
> 
> server 0.0.0.0/0 {
> edns no;
> };
> 
> server ::/0 {
> edns no;
> };

Just add the server clauses to lwresd.conf.

"lwresd -c lwresd.conf" is running as lwresd
"lwresd -C resolv.conf" is running as lwresd
"lwresd" is the same as "lwresd -C /etc/resolv.conf"

"named -c named.conf" (with a lwres clause) is running as both named and lwresd
"named -c named.conf" (without a lwres clause) is running as just named

> in the configuration. However I was not able to disable EDNS
> when running lwresd.
> 
> We have a user that would like to disable EDNS to reduce the
> overhead it adds and improve the performance. DNSSEC is
> not a priority for them.
> 
> Is there a way to disable DNSSEC/EDNS for lwresd?
> 
> Thank you in advance.
> 
> 
> Regards,
> -- 
> Tomas Hozza
> Software Engineer - EMEA ENG Developer Experience
> 
> PGP: 1D9F3C2D
> Red Hat Inc.   http://cz.redhat.com
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: How to setup a backup NameServer?

2014-04-29 Thread Ryan Novosielski

On 04/29/2014 07:48 AM, /dev/rob0 wrote:
> On Tue, Apr 29, 2014 at 11:49:49AM +0100, Niall O'Reilly wrote:
>> At Tue, 29 Apr 2014 10:24:58 +, houguanghua wrote:
>>> Yes, I had asked the same question months ago. I'm designing
>>> how to protect DNS for an ISP. The zones are not owned by the
>>> ISP. The ISP wants to protect the DNS query during attacking. So
>>> it's not a standard DNS solution. During the attacking, the
>>> backup server will provide the DNS query and it works even if
>>> it can't refresh zones from primary NS.
>> 
> 1.
>> Which (or how many) zones do you expect your backup server to
>> work for?
> (and why these zones in particular?)
> 
> 2. Do you have zone transfer access for these zones? 3. How will
> you detect the attack and switch over to this "backup server"?
> 
> You're asking for features which do not exist, and are unlikely to
> be in high demand. You're probably going to have to do/hire some
> custom programming, or else rethink the solution. I suspect the
> latter is your best bet.

To add a little to that: if it's a feature that doesn't exist and no
one wants, that often (though not always) means it's not a good idea.
DNS has been around a long time; everyone else has solved this problem
some other way (a couple of which have already been mentioned here).
There are a lot of ugly things ISPs do to DNS; I loathe all of them.
I suspect many customers do too.

-- 
 *Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
 || \\UTGERS  |-*O*-
 ||_// Biomedical | Ryan Novosielski - Sr. Systems Programmer
 || \\ and Health | novos...@rutgers.edu - 973/972.0922 (2x0922)
 ||  \\  Sciences | OIT/Enterprise Infras. - ADMC 450, Newark
  `'