Reverse Zone CIDR
Hello,

We are trying to create a zone for a /23 subnet (192.168.222.0/23), but we can't get the reverse zone working.

Here is our config:

/etc/named/domain.int.zonefile:

    zone "0/23.222.168.192.in-addr.arpa" IN {
        type master;
        file "dynamic/0-23.222.168.192.in-addr.arpa";
    };

/var/named/dynamic/0-23.222.168.192.in-addr.arpa:

    $ORIGIN .
    $TTL 3600       ; 1 hour
    0/23.222.168.192.in-addr.arpa IN SOA dns1.domain.int. sysadmin.domain.eu. (
                        2013021143 ; serial
                        1200       ; refresh (20 minutes)
                        3600       ; retry (1 hour)
                        1209600    ; expire (2 weeks)
                        3600       ; minimum (1 hour)
                        )
                    NS  DNS1.domain.int.
    $ORIGIN 0/23.222.168.192.in-addr.arpa.
    $TTL 86400      ; 1 day
    102             PTR vegeta.domain.int.
    ...

I don't know if the naming convention is correct (0-23 vs 0/23)?

Can you please help?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Reverse Zone CIDR
Jonathan Del Campo wrote:
>
> We are trying to create a zone for a /23 subnet (192.168.222.0/23), but we
> can't get the reverse zone working.

What error messages do you get in your logs? Any other symptoms of "not working"?

> I don't know if the naming convention is correct ( 0-23 vs 0/23 ) ?

There are a number of conventions in common use. I recommend 0-127 in this case.

https://tools.ietf.org/html/draft-ietf-dnsop-rfc2317bis

Tony.
--
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
German Bight: Cyclonic 4 or 5, occasionally 6 in north. Moderate, occasionally rough in north. Fog patches and occasional rain. Moderate, occasionally very poor.
Re: Reverse Zone CIDR
Hi Jonathan,

If it's a /23, may I suggest creating two reverse zones, one for each of the /24s in that prefix? It's much simpler.

RFC 2317-style delegation, while possible for a /23, was designed for IPv4 prefixes smaller than a /24.

Regards,

Anand Buddhdev
RIPE NCC

On 25/05/16 11:37, Jonathan Del Campo wrote:
> Hello,
>
> We are trying to create a zone for a /23 subnet (192.168.222.0/23), but we
> can't get the reverse zone working.
>
> [...]
>
> I don't know if the naming convention is correct ( 0-23 vs 0/23 ) ?
>
> Can you please help ?
Re: Reverse Zone CIDR
Thanks Anand,

I don't have any error logs to answer Tony, but just "dig +short -x 192.168.223.42" doesn't return anything.

So if I have to create two /24 reverse zones for my case, I will, but I was hoping for a smarter solution.

Should I have to create two reverse zone definitions in my dhcpd.conf file, like this?

    subnet 192.168.222.0 netmask 255.255.254.0 {
        # pool of dynamic IP addresses
        pool {
            range 192.168.222.20 192.168.222.253;
            range 192.168.223.20 192.168.223.250;
        }
        ddns-domainname "domain.int";
        option routers 192.168.223.254;            # default gateway
        option subnet-mask 255.255.254.0;
        option broadcast-address 192.168.223.255;
        next-server 192.168.200.19;
        filename "undionly.kpxe";
        allow bootp;
        allow booting;

        # Reverse zones
        zone 222.168.192.in-addr.arpa. {
            primary 192.168.200.1;
            key mikros.int;
        }
        zone 223.168.192.in-addr.arpa. {
            primary 192.168.200.1;
            key mikros.int;
        }
    }

Thanks,

On Wed, May 25, 2016 at 11:52 AM, Anand Buddhdev wrote:
> Hi Jonathan,
>
> If it's a /23, may I suggest creating two reverse zones, for each of the
> /24s in that prefix? It's much simpler.
>
> RFC 2317-style delegation, while possible for a /23, was designed for
> IPv4 prefixes smaller than a /24.
>
> Regards,
>
> Anand Buddhdev
> RIPE NCC
>
> On 25/05/16 11:37, Jonathan Del Campo wrote:
> > [...]
Re: Reverse Zone CIDR
Jonathan Del Campo wrote:
>
> So if I have to create two /24 reverse zones for my case, I will, but I was
> hoping for a smarter solution.

Oh, I had a brainfart, I read /23 as /25 :-)

Yes, two /24s is the best solution.

For smarter solutions, see the rfc2317bis I-D, though they are usually not an option, depending on how the parent /16 zone is run.

Tony.
--
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Thames: Variable 3 or 4. Slight, occasionally moderate. Occasional drizzle. Moderate, occasionally poor.
Re: native-pkcs11 and smartcard-hsm
On 24/05/2016 16:36, FUSTE Emmanuel wrote:
> On 23/05/2016 16:40, FUSTE Emmanuel wrote:
>> Hello,
>>
>> I'm trying to use a SmartCard-HSM USB stick (v1.2) with BIND 9.10.3-P4.
>> This stick is working with PowerDNS and supports all crypto operations
>> required for basic DNSSEC support.
>>
>> But I get this warning/error:
>> "PKCS#11 provider has no digest service".
>> "This HSM will not work with BIND 9 using native PKCS#11."
>>
>> BIND version:
>> BIND 9.10.3-P4-Debian
>> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
>> '--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
>> '--enable-threads' '--enable-largefile' '--with-libtool'
>> '--enable-shared' '--enable-static' '--with-openssl=/usr'
>> '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
>> '--enable-ipv6' '--enable-rrl' '--enable-filter-'
>> '--enable-native-pkcs11'
>> '--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so'
>> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>> -Werror=format-security -fno-strict-aliasing
>> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie
>> -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
>> -DDIG_SIGCHASE'
>> compiled by GCC 5.3.1 20160429
>> compiled with OpenSSL version: OpenSSL 1.0.2h 3 May 2016
>> linked to OpenSSL version: OpenSSL 1.0.2h 3 May 2016
>> compiled with libxml2 version: 2.9.3
>> linked to libxml2 version: 20903
>>
>> pkcs11-tokens information:
>> pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so
>> Warning: PKCS#11 provider has no digest service
>> This HSM will not work with BIND 9 using native PKCS#11.
>>
>> DEFAULTS
>>     rand_token=0x80300368
>>     best_rsa_token=0x80300368
>>     best_dsa_token=(nil)
>>     best_dh_token=(nil)
>>     digest_token=(nil)
>>     best_ec_token=(nil)
>>     best_gost_token=(nil)
>>     aes_token=(nil)
>>
>> TOKEN
>>     address=0x80300368
>>     slotID=0
>>     label=SmartCard-HSM (UserPIN)
>>     manufacturerID=www.CardContact.de
>>     model=PKCS#15 emulated
>>     serialNumber=DECC0100872
>>     supported operations=0x6 (RAND,RSA)
>>
>> PKCS#11 mechanisms returned by pkcs11-tool:
>> pkcs11-tool -M
>> Using slot 0 with a present token (0x0)
>> Supported mechanisms:
>>   SHA-1, digest
>>   SHA256, digest
>>   SHA384, digest
>>   SHA512, digest
>>   MD5, digest
>>   RIPEMD160, digest
>>   GOSTR3411, digest
>>   ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
>>   ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d0
>>   ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
>>   ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
>>   ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other flags=0x1d0
>>   RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
>>   RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
>>   SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
>>   SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
>>   SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
>>   SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
>>   MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
>>   RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
>>   RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
>>
>> Perhaps BIND requires more, but all the needed digest services are here.
>> Is this something that will be fixed? How could I help to get it fixed?
>> Does anyone have any insights or suggestions?
>>
>> Thanks,
>>
>> Emmanuel.
>
> Ok, digging into the docs and code gave me some answers:
>
> In native PKCS#11 mode, all crypto operations are offloaded to the HSM.
> This is totally crazy nowadays. HSMs are HSMs, not PKCS#11 crypto
> accelerators, a concept from the past on current hardware for 99.99% of
> real use.
> If something like "sign-only" and "crypto-accelerator" OpenSSL-based
> PKCS#11 is not implemented too in the future, native-pkcs11 is a dead
> end. The option should be selectable at runtime and should eventually
> permit choosing what to offload to the device in the crypto-accelerator
> mode (and perhaps on different devices etc ...).
>
> I will try to compile a modified OpenSSL in sign-only mode for my token.
> I already successfully created keys with the pkcs11-keygen command, and
> the Debian/Ubuntu package I use already includes native PKCS#11 and OpenSSL
> versions of named and the dnssec tools (-pkcs11 variants).
> I was misled by the "named -V" command, which returns the
> --enable-native-pkcs11 flag for both binaries, but they are linked with
> different libisc libraries (cosmetic packaging problem).
>
> Will report results.
>
> Emmanuel.
>

Latest progress:

OpenSSL PKCS#11 patch does not permit to build a shared ver
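The message above contrasts two views of the same token: pkcs11-tool -M lists SHA-1/SHA256/... "digest" mechanisms, while BIND's pkcs11-tokens reports digest_token=(nil) and refuses the HSM for native PKCS#11. One detail worth reading off the listing is that every digest mechanism lacks the "hw" marker that the RSA and EC mechanisms carry; pkcs11-tool prints "hw" when the mechanism's CKF_HW flag is set, i.e. when the token itself performs the operation rather than the middleware. Whether that flag is what pkcs11-tokens keys on is not established in the thread, so treat it as a lead to check against BIND's pk11 code, not as a conclusion. The following added Python example (not code from the thread, BIND or OpenSC) parses the pkcs11-tool -M output format and summarises, per service category that pkcs11-tokens reports, which mechanisms are present and whether any is hardware-backed. SAMPLE is a constructed excerpt of the listing posted above; the function and category names are assumptions for this example.

```python
"""Classify the mechanisms a PKCS#11 token advertises, as listed by
`pkcs11-tool -M`, into the service categories that BIND's pkcs11-tokens
reports (DIGEST, RSA, DSA, DH, EC, GOST, AES).

Added example, not code from the thread, BIND or OpenSC. pkcs11-tool
prints "hw" for mechanisms whose CKF_HW bit is set (performed by the
token itself rather than by the middleware); that flag is carried into
the per-category summary. SAMPLE is a constructed excerpt of the listing
posted in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  GOSTR3411, digest
  ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
  ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
  RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
  SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
"""


@dataclass
class Mechanism:
    name: str
    ops: set          # e.g. {"sign", "verify"}
    hw: bool          # CKF_HW set: done on the token itself
    key_sizes: tuple  # (min, max) or None
    other_flags: int  # raw "other flags=0x..." value, 0 if absent


_KEYSIZE = re.compile(r"keySize=\{(\d+),(\d+)\}")
_FLAGS = re.compile(r"other flags=(0x[0-9a-fA-F]+)")


def parse_mechanisms(text: str) -> list:
    """Parse `pkcs11-tool -M` output into Mechanism records."""
    mechs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Using slot", "Supported mechanisms")):
            continue
        key_sizes, flags = None, 0
        m = _KEYSIZE.search(line)  # contains a comma, so pull it out before splitting
        if m:
            key_sizes = (int(m.group(1)), int(m.group(2)))
            line = line[: m.start()] + line[m.end():]
        m = _FLAGS.search(line)
        if m:
            flags = int(m.group(1), 16)
            line = line[: m.start()] + line[m.end():]
        parts = [p.strip() for p in line.split(",") if p.strip()]
        attrs = set(parts[1:])
        hw = "hw" in attrs
        attrs.discard("hw")
        mechs.append(Mechanism(parts[0], attrs, hw, key_sizes, flags))
    return mechs


def category(m: Mechanism) -> str:
    """Service category the mechanism counts under (pure-digest mechanisms first)."""
    if m.ops == {"digest"}:
        return "DIGEST"
    n = m.name
    if n.startswith(("ECDSA", "ECDH", "EC-")):
        return "EC"
    if n.startswith("DH"):
        return "DH"
    if n.startswith("AES"):
        return "AES"
    if n.startswith("GOST"):
        return "GOST"
    if "DSA" in n:
        return "DSA"
    if "RSA" in n:
        return "RSA"
    return "OTHER"


def summarize(mechs: list) -> dict:
    """Per category: mechanism names present and whether any is hardware-backed."""
    out = {}
    for m in mechs:
        entry = out.setdefault(category(m), {"mechanisms": [], "hw": False})
        entry["mechanisms"].append(m.name)
        entry["hw"] = entry["hw"] or m.hw
    return out


def hardware_digests(mechs: list) -> list:
    """Digest mechanisms the token performs itself (hw flag set)."""
    return [m.name for m in mechs if category(m) == "DIGEST" and m.hw]


if __name__ == "__main__":
    mechs = parse_mechanisms(SAMPLE)
    for cat, entry in sorted(summarize(mechs).items()):
        print(f"{cat:7s} hw={entry['hw']!s:5s} {', '.join(entry['mechanisms'])}")
    print("hardware digests:", hardware_digests(mechs) or "none")
```

Run against the full listing from the thread it reports RSA and EC as hardware-backed and DIGEST as present but software-only, which matches the "supported operations=0x6 (RAND,RSA)" line from pkcs11-tokens more closely than the raw mechanism list does.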
Re: native-pkcs11 and smartcard-hsm
On 25/05/2016 14:29, FUSTE Emmanuel wrote:
> On 24/05/2016 16:36, FUSTE Emmanuel wrote:
>> On 23/05/2016 16:40, FUSTE Emmanuel wrote:
>>> Hello,
>>>
>>> I'm trying to use a SmartCard-HSM USB stick (v1.2) with BIND 9.10.3-P4.
>>> This stick is working with PowerDNS and supports all crypto operations
>>> required for basic DNSSEC support.
>>>
>>> But I get this warning/error:
>>> "PKCS#11 provider has no digest service".
>>> "This HSM will not work with BIND 9 using native PKCS#11."
>>>
>>> [...]
Re: Reverse Zone CIDR
On Wed, May 25, 2016 at 12:06:40PM +0100, Tony Finch wrote:
> Jonathan Del Campo wrote:
> >
> > So if I have to create two /24 reverse zones for my case, I will,
> > but I was hoping for a smarter solution.
>
> Oh, I had a brainfart, I read /23 as /25 :-)

I figured that was what you were thinking. :)

> Yes, two /24s is the best solution.
>
> For smarter solutions, see the rfc2317bis I-D, though they are
> usually not an option, depending on how the parent /16 zone is run.

In this case, being a netblock from RFC 1918, another choice is to actually run that /16 zone ... 168.192.in-addr.arpa.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
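Why the original setup answered nothing for dig -x 192.168.223.42: a resolver asks for the PTR at 42.223.168.192.in-addr.arpa, so a zone named 0/23.222.168.192.in-addr.arpa is never consulted unless the enclosing 222.168.192.in-addr.arpa zone carries CNAMEs pointing into it (the RFC 2317 trick, meant for prefixes longer than a /24). The layout the thread settles on avoids that: one ordinary zone per /24 for the /23, or, as rob0 notes for an RFC 1918 block, the whole 168.192.in-addr.arpa /16. The following added Python example (not code from the thread or from BIND) encodes those three cases, computes where each PTR belongs, and renders a minimal master file per zone so the split can be checked before it is loaded. It also generates the parent CNAMEs an RFC 2317 "first-last" zone would need, using the 0-127 naming Tony recommends. Host names, SOA values and all function names are assumptions for this example.

```python
"""Plan in-addr.arpa zones for an IPv4 prefix.

Added example, not code from the thread or from BIND. A prefix on an
octet boundary gets a single zone (168.192.in-addr.arpa for a /16);
one between boundaries (a /23) gets one classful zone per /24; only a
prefix longer than /24 gets an RFC 2317-style zone, labelled first-last
(0-127.222.168.192.in-addr.arpa). Host names and SOA values below are
constructed.
"""
import ipaddress


def reverse_zones(prefix: str) -> list:
    """in-addr.arpa zone name(s) that hold the PTR records for `prefix`."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen < 8:
        raise ValueError("expected an IPv4 prefix of /8 or longer")
    octets = str(net.network_address).split(".")
    if net.prefixlen > 24:
        # RFC 2317: one zone under the enclosing /24, label = first-last.
        first = int(net.network_address) & 0xFF
        last = int(net.broadcast_address) & 0xFF
        return [f"{first}-{last}." + ".".join(reversed(octets[:3])) + ".in-addr.arpa"]
    if net.prefixlen % 8 == 0:
        # On an octet boundary: a single zone, e.g. 168.192.in-addr.arpa for a /16.
        return [".".join(reversed(octets[: net.prefixlen // 8])) + ".in-addr.arpa"]
    # Between octet boundaries (e.g. /23): one classful zone per /24.
    return [
        ".".join(reversed(str(sub.network_address).split(".")[:3])) + ".in-addr.arpa"
        for sub in net.subnets(new_prefix=24)
    ]


def ptr_owner(ip: str, zone: str) -> str:
    """Owner name of `ip`'s PTR, relative to `zone`; ValueError if `ip` is outside it."""
    labels = ipaddress.ip_address(ip).reverse_pointer.split(".")  # 42.223.168.192.in-addr.arpa
    zlabels = zone.rstrip(".").split(".")
    if "-" in zlabels[0]:
        # RFC 2317 zone: the PTR for a.b.c.d lives at d.<first-last>.c.b.a.in-addr.arpa.
        lo, hi = (int(x) for x in zlabels[0].split("-"))
        if labels[1:] != zlabels[1:] or not lo <= int(labels[0]) <= hi:
            raise ValueError(f"{ip} is not covered by {zone}")
        return labels[0]
    n = len(zlabels)
    if labels[-n:] != zlabels:
        raise ValueError(f"{ip} is not covered by {zone}")
    return ".".join(labels[:-n])


def zone_file(zone: str, ptrs: dict, mname: str, rname: str, serial: int) -> str:
    """Render a minimal master file for `zone` from ip -> fqdn. entries inside it."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 3600",
        f"@ IN SOA {mname} {rname} ( {serial} 1200 3600 1209600 3600 )",
        f"@ IN NS {mname}",
    ]
    for ip, host in sorted(ptrs.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        lines.append(f"{ptr_owner(ip, zone)} IN PTR {host}")
    return "\n".join(lines) + "\n"


def plan(prefix: str, ptrs: dict, mname: str, rname: str, serial: int) -> dict:
    """Split `ptrs` across the zones covering `prefix`; returns zone name -> file text."""
    files = {}
    for zone in reverse_zones(prefix):
        mine = {}
        for ip, host in ptrs.items():
            try:
                ptr_owner(ip, zone)
            except ValueError:
                continue  # belongs to a sibling zone
            mine[ip] = host
        files[zone] = zone_file(zone, mine, mname, rname, serial)
    return files


def rfc2317_parent_records(zone: str) -> list:
    """CNAMEs the enclosing /24 zone needs so that lookups reach an RFC 2317 child zone."""
    lo, hi = (int(x) for x in zone.split(".")[0].split("-"))
    return [f"{i} IN CNAME {i}.{zone}." for i in range(lo, hi + 1)]


if __name__ == "__main__":
    hosts = {"192.168.222.102": "vegeta.domain.int.", "192.168.223.42": "host42.domain.int."}
    files = plan("192.168.222.0/23", hosts, "dns1.domain.int.", "sysadmin.domain.eu.", 2016052501)
    for name, text in files.items():
        print(f"--- {name}\n{text}")
```

Each rendered file can be checked with named-checkzone before it is referenced from named.conf, for example named-checkzone 222.168.192.in-addr.arpa /var/named/dynamic/222.168.192.in-addr.arpa, and after a reload dig +short -x 192.168.223.42 should answer from the second zone.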
New BIND Releases 9.9.9-P1 and 9.10.4-P1 (was: "Re: BIND 9.10.4 may have a fatal crash defect.")
On 5/17/16 11:08 PM, Michael McNally wrote:
> Though this flaw can occur with any compiler, it's substantially more
> likely to lead to a crash when BIND is compiled on the x86_64 platform
> using the 'clang' compiler, and a difference in the node structure between
> BIND 9.9 and 9.10 makes the failure more likely to occur in BIND 9.10.
> However, operators who are running one of the affected versions (BIND 9.9.9,
> BIND 9.10.4, or BIND 9.9.9-S1) should replace those versions as soon as
> updated releases are available.
>
> Having identified what we believe to be the root cause, we are currently,
> with the help of some volunteers who were previously experiencing crashes
> in their operational environments, testing a candidate fix with (so far)
> good results. If no further failures occur, we expect to issue patch
> releases for all of the April 28 releases (BIND 9.9.9, BIND 9.10.4, and
> BIND 9.9.9-S1)

New versions of BIND which contain a fix to prevent the red/black tree (RBT) race condition which was causing INSIST assertions in BIND 9.10.4 (and could potentially also have occurred in 9.9.9 and 9.9.9-S1) have been released.

The public releases are available through the ISC website, https://www.isc.org/downloads

In addition to the fix to prevent the RBT assertions, the new releases also contain changes to the Windows builds, correcting a problem which made installation difficult on some Windows versions due to an interaction with User Account Control (UAC), and fixing a bug that could cause an assertion after an "rndc stats" command (on Windows only).