Reverse Zone CIDR

2016-05-25 Thread Jonathan Del Campo
Hello,

We are trying to create a zone for a /23 subnet (192.168.222.0/23), but we
can't get the reverse zone working.

Here is our config:

*/etc/named/domain.int.zonefile :*

zone "0/23.222.168.192.in-addr.arpa" IN {
type master;
file "dynamic/0-23.222.168.192.in-addr.arpa";
};



*/var/named/dynamic/0-23.222.168.192.in-addr.arpa :*
$ORIGIN .
$TTL 3600   ; 1 hour
0/23.222.168.192.in-addr.arpa IN SOA dns1.domain.int. sysadmin.domain.eu. (
2013021143 ; serial
1200   ; refresh (20 minutes)
3600   ; retry (1 hour)
1209600; expire (2 weeks)
3600   ; minimum (1 hour)
)
NS  DNS1.domain.int.
$ORIGIN 0/23.222.168.192.in-addr.arpa.
$TTL 86400  ; 1 day
102   PTR vegeta.domain.int.
...


I don't know if the naming convention is correct (0-23 vs 0/23)?

Can you please help?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Reverse Zone CIDR

2016-05-25 Thread Tony Finch
Jonathan Del Campo  wrote:
>
> We are trying to create a zone for a /23 subnet (192.168.222.0/23), but we
> can't get the reverse zone working.

What error messages do you get in your logs? Any other symptoms of
"not working"?

> I don't know if the naming convention is correct ( 0-23 vs 0/23 ) ?

There are a number of conventions in common use. I recommend 0-127 in this
case. https://tools.ietf.org/html/draft-ietf-dnsop-rfc2317bis

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
German Bight: Cyclonic 4 or 5, occasionally 6 in north. Moderate, occasionally
rough in north. Fog patches and occasional rain. Moderate, occasionally very
poor.


Re: Reverse Zone CIDR

2016-05-25 Thread Anand Buddhdev
Hi Jonathan,

If it's a /23, may I suggest creating two reverse zones, one for each of the
/24s in that prefix? It's much simpler.

RFC 2317-style delegation, while possible for a /23, was designed for
IPv4 prefixes smaller than a /24.

Regards,

Anand Buddhdev
RIPE NCC

On 25/05/16 11:37, Jonathan Del Campo wrote:
> Hello,
> 
> We are trying to create a zone for a /23 subnet (192.168.222.0/23), but we
> can't get the reverse zone working.
> 
> Here is our config:
> 
> */etc/named/domain.int.zonefile :*
> 
> zone "0/23.222.168.192.in-addr.arpa" IN {
> type master;
> file "dynamic/0-23.222.168.192.in-addr.arpa";
> };
> 
> 
> 
> */var/named/dynamic/0-23.222.168.192.in-addr.arpa :*
> $ORIGIN .
> $TTL 3600   ; 1 hour
> 0/23.222.168.192.in-addr.arpa IN SOA dns1.domain.int. sysadmin.domain.eu. (
> 2013021143 ; serial
> 1200   ; refresh (20 minutes)
> 3600   ; retry (1 hour)
> 1209600; expire (2 weeks)
> 3600   ; minimum (1 hour)
> )
> NS  DNS1.domain.int.
> $ORIGIN 0/23.222.168.192.in-addr.arpa.
> $TTL 86400  ; 1 day
> 102   PTR vegeta.domain.int.
> ...
> 
> 
> I don't know if the naming convention is correct (0-23 vs 0/23)?
> 
> Can you please help?
> 
> 
> 


Re: Reverse Zone CIDR

2016-05-25 Thread Jonathan Del Campo
Thanks Anand,

I don't have any error logs to answer Tony with, but "dig +short -x
192.168.223.42" just doesn't return anything.

So if I have to create two /24 reverse zones for my case, I will, but I was
hoping for a smarter solution.

Do I have to create two reverse zone definitions in my dhcpd.conf
file, like this?

subnet 192.168.222.0 netmask 255.255.254.0 {
    # pool of dynamic IP addresses
    pool {
        range 192.168.222.20 192.168.222.253;
        range 192.168.223.20 192.168.223.250;
    }

    ddns-domainname "domain.int";
    option routers 192.168.223.254; # default gateway
    option subnet-mask 255.255.254.0;
    option broadcast-address 192.168.223.255;
    next-server 192.168.200.19;
    filename "undionly.kpxe";
    allow bootp;
    allow booting;

    # Reverse zones (one per /24) updated via DDNS with the TSIG key
    zone 222.168.192.in-addr.arpa. {
        primary 192.168.200.1;
        key mikros.int;
    }

    zone 223.168.192.in-addr.arpa. {
        primary 192.168.200.1;
        key mikros.int;
    }
}


Thanks,

On Wed, May 25, 2016 at 11:52 AM, Anand Buddhdev  wrote:

> Hi Jonathan,
>
> If it's a /23, may I suggest creating two reverse zones, one for each of the
> /24s in that prefix? It's much simpler.
>
> RFC 2317-style delegation, while possible for a /23, was designed for
> IPv4 prefixes smaller than a /24.
>
> Regards,
>
> Anand Buddhdev
> RIPE NCC
>
> On 25/05/16 11:37, Jonathan Del Campo wrote:
> > Hello,
> >
> > We are trying to create a zone for a /23 subnet (192.168.222.0/23), but
> we
> > can't get the reverse zone working.
> >
> > Here is our config:
> >
> > */etc/named/domain.int.zonefile :*
> >
> > zone "0/23.222.168.192.in-addr.arpa" IN {
> > type master;
> > file "dynamic/0-23.222.168.192.in-addr.arpa";
> > };
> >
> >
> >
> > */var/named/dynamic/0-23.222.168.192.in-addr.arpa :*
> > $ORIGIN .
> > $TTL 3600   ; 1 hour
> > 0/23.222.168.192.in-addr.arpa IN SOA dns1.domain.int. sysadmin.domain.eu. (
> > 2013021143 ; serial
> > 1200   ; refresh (20 minutes)
> > 3600   ; retry (1 hour)
> > 1209600; expire (2 weeks)
> > 3600   ; minimum (1 hour)
> > )
> > NS  DNS1.domain.int.
> > $ORIGIN 0/23.222.168.192.in-addr.arpa.
> > $TTL 86400  ; 1 day
> > 102   PTR vegeta.domain.int.
> > ...
> >
> >
> > I don't know if the naming convention is correct (0-23 vs 0/23)?
> >
> > Can you please help?
> >
> >
> >
>

Re: Reverse Zone CIDR

2016-05-25 Thread Tony Finch
Jonathan Del Campo  wrote:
>
> So if I have to create two /24 reverse zones for my case, I will, but I was
> hopping a smarter solution.

Oh, I had a brainfart, I read /23 as /25 :-) Yes, two /24s is the best
solution.

For smarter solutions, see the rfc2317bis I-D, though they are usually not
an option, depending on how the parent /16 zone is run.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Thames: Variable 3 or 4. Slight, occasionally moderate. Occasional drizzle.
Moderate, occasionally poor.


Re: native-pkcs11 and smartcard-hsm

2016-05-25 Thread FUSTE Emmanuel
Le 24/05/2016 16:36, FUSTE Emmanuel a écrit :
> Le 23/05/2016 16:40, FUSTE Emmanuel a écrit :
>> Hello,
>>
>> I'm trying to use a smartcard-hsm usb stick (v1.2) with BIND 9.10.3-P4.
>> This stick is working with powerdns and supports all crypto operations
>> required for basic DNSSEC support.
>>
>> But I get this warning/error:
>> "PKCS#11 provider has no digest service".
>> "This HSM will not work with BIND 9 using native PKCS#11."
>>
>> Bind version:
>> BIND 9.10.3-P4-Debian 
>> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
>> '--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
>> '--enable-threads' '--enable-largefile' '--with-libtool'
>> '--enable-shared' '--enable-static' '--with-openssl=/usr'
>> '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
>> '--enable-ipv6' '--enable-rrl' '--enable-filter-'
>> '--enable-native-pkcs11'
>> '--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so'
>> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>> -Werror=format-security -fno-strict-aliasing
>> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie
>> -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
>> -DDIG_SIGCHASE'
>> compiled by GCC 5.3.1 20160429
>> compiled with OpenSSL version: OpenSSL 1.0.2h  3 May 2016
>> linked to OpenSSL version: OpenSSL 1.0.2h  3 May 2016
>> compiled with libxml2 version: 2.9.3
>> linked to libxml2 version: 20903
>>
>> pkcs11-tokens information:
>> pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so
>> Warning: PKCS#11 provider has no digest service
>> This HSM will not work with BIND 9 using native PKCS#11.
>>
>> DEFAULTS
>>   rand_token=0x80300368
>>   best_rsa_token=0x80300368
>>   best_dsa_token=(nil)
>>   best_dh_token=(nil)
>>   digest_token=(nil)
>>   best_ec_token=(nil)
>>   best_gost_token=(nil)
>>   aes_token=(nil)
>>
>> TOKEN
>>   address=0x80300368
>>   slotID=0
>>   label=SmartCard-HSM (UserPIN)
>>   manufacturerID=www.CardContact.de
>>   model=PKCS#15 emulated
>>   serialNumber=DECC0100872
>>   supported operations=0x6 (RAND,RSA)
>>
>> PKCS11 mechanism returned by pkcs11-tool:
>> pkcs11-tool -M
>> Using slot 0 with a present token (0x0)
>> Supported mechanisms:
>>  SHA-1, digest
>>  SHA256, digest
>>  SHA384, digest
>>  SHA512, digest
>>  MD5, digest
>>  RIPEMD160, digest
>>  GOSTR3411, digest
>>  ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
>>  ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d0
>>  ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other
>> flags=0x1d0
>>  ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
>>  ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other
>> flags=0x1d0
>>  RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
>>  RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
>>  SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
>>  SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
>>  SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
>>  SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
>>  MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
>>  RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
>>  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
>>
>> Perhaps BIND requires more, but all needed digest services are here.
>> Is this something that will be fixed? How could I help to get it fixed?
>> Does anyone have any insights or suggestions?
>>
>> Thanks,
>>
>> Emmanuel.
>
> Ok, digging into docs and code gave me some answers:
>
> In native PKCS11 mode, all crypto operations are offloaded to the HSM.
> This is totally crazy nowadays. HSMs are HSMs, not PKCS11 crypto
> accelerators, a concept from the past on current hardware for 99.99% of
> real use.
> If something like "sign-only" and "crypto-accelerator" OpenSSL-based
> PKCS#11 is not implemented too in the future, native-pkcs11 is a dead
> end. The option should be selectable at runtime and should eventually
> permit choosing what to offload to the device in the crypto-accelerator
> mode (and perhaps to different devices, etc.).
>
> I will try to compile a modified openssl in sign-only mode for my token.
> I already successfully created keys with the pkcs11-keygen command, and
> the Debian/Ubuntu package used already includes native pkcs11 and openssl
> versions of named and the dnssec tools (-pkcs11 variants).
> I was misguided by the "named -V" command, which returns the
> --enable-native-pkcs11 flag on both binaries, but they are linked with
> different libisc libraries (cosmetic packaging problem).
>
> Will report results.
>
> Emmanuel.
>

Latest progress:

OpenSSL PKCS#11 patch does not permit to build a shared ver

Re: native-pkcs11 and smartcard-hsm

2016-05-25 Thread FUSTE Emmanuel

Re: Reverse Zone CIDR

2016-05-25 Thread /dev/rob0
On Wed, May 25, 2016 at 12:06:40PM +0100, Tony Finch wrote:
> Jonathan Del Campo  wrote:
> >
> > So if I have to create two /24 reverse zones for my case, I will, 
> > but I was hoping for a smarter solution.
> 
> Oh, I had a brainfart, I read /23 as /25 :-)

I figured that was what you were thinking. :)

> Yes, two /24s is the best solution.
> 
> For smarter solutions, see the rfc2317bis I-D, though they are 
> usually not an option, depending on how the parent /16 zone is run.

In this case, being a netblock from RFC 1918, another choice is to 
actually run that /16 zone ... 168.192.in-addr.arpa.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
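The thread's outcome worked through as an added example (not code from BIND or from any poster): the /23 split into two /24 zones, rob0's /16 option, Tony's 0-127 naming for a real sub-/24 prefix, and why a zone named 0/23.222.168.192.in-addr.arpa never answers a `dig -x` for 192.168.223.42. All inputs are the thread's own RFC 1918 addresses.

```python
"""Reverse-zone planning for the 192.168.222.0/23 discussed in this thread."""
# Added example, not code from BIND or any poster; inputs are constructed.
import ipaddress


def ptr_owner(ip):
    """Owner name that `dig -x ip` queries, e.g. 42.223.168.192.in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(list(reversed(octets)) + ["in-addr.arpa."])


def octet_zone(network, nbits):
    """Classic reverse zone for an octet-aligned prefix (nbits is 8, 16 or 24)."""
    octets = str(network.network_address).split(".")[: nbits // 8]
    return ".".join(list(reversed(octets)) + ["in-addr.arpa."])


def reverse_zones(cidr, sep="-"):
    """Zone names that should carry the PTR records for `cidr`.

    /1../24: one classic zone per covered /8, /16 or /24, so a /23 becomes
    two /24 zones (the thread's conclusion) and a /16 one zone (rob0's
    option).  Longer than /24: one RFC 2317-style zone <first><sep><last>
    under the parent /24, e.g. 0-127.222.168.192.in-addr.arpa. for a /25.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen <= 24:
        nbits = 8 * ((net.prefixlen + 7) // 8)  # round up to an octet boundary
        return [octet_zone(s, nbits) for s in net.subnets(new_prefix=nbits)]
    first = net.network_address.packed[3]
    last = net.broadcast_address.packed[3]
    return [f"{first}{sep}{last}." + octet_zone(net, 24)]


def serving_zone(ip, zones):
    """Longest configured zone whose apex is a label suffix of ptr_owner(ip).

    None when nothing matches: the original zone 0/23.222.168.192.in-addr.arpa.
    is not a suffix of 42.223.168.192.in-addr.arpa., so dig -x stays empty.
    """
    owner = ptr_owner(ip)
    hits = [z for z in zones if owner.endswith("." + z)]
    return max(hits, key=len) if hits else None


def rfc2317_glue(ip, zone):
    """CNAME the parent /24 zone needs so a PTR lookup reaches an RFC 2317 zone."""
    host = str(ipaddress.IPv4Address(ip)).split(".")[3]
    return f"{host} IN CNAME {host}.{zone}"


if __name__ == "__main__":
    split = reverse_zones("192.168.222.0/23")
    print("two /24 zones:", split)
    print("original 0/23 zone serves 192.168.223.42?",
          serving_zone("192.168.223.42", ["0/23.222.168.192.in-addr.arpa."]))
    print("after the split:", serving_zone("192.168.223.42", split))
    small = reverse_zones("192.168.222.0/25")
    print("a real /25:", small, "|", rfc2317_glue("192.168.222.42", small[0]))
```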


New BIND Releases 9.9.9-P1 and 9.10.4-P1 (was: "Re: BIND 9.10.4 may have a fatal crash defect.")

2016-05-25 Thread Michael McNally
On 5/17/16 11:08 PM, Michael McNally wrote:

> Though this flaw can occur with any compiler, it's substantially more
> likely to lead to a crash when BIND is compiled on the x86_64 platform
> using the 'clang' compiler and a difference in the node structure between
> BIND 9.9 and 9.10 makes the failure more likely to occur in BIND 9.10.
> However, operators who are running one of the affected versions (BIND 9.9.9,
> BIND 9.10.4, or BIND 9.9.9-S1) should replace those versions as soon as
> updated releases are available.
> 
> Having identified what we believe to be the root cause, we are currently,
> with the help of some volunteers who were previously experiencing crashes
> in their operational environments, testing a candidate fix with (so far)
> good results.  If no further failures occur, we expect to issue patch
> releases for all of the April 28 releases (BIND 9.9.9, BIND 9.10.4, and
> BIND 9.9.9-S1)

New versions of BIND which contain a fix to prevent the red/black tree (RBT)
race condition which was causing INSIST assertions in BIND 9.10.4 (and could
potentially also have occurred in 9.9.9 and 9.9.9-S1) have been released.

The public releases are available through the ISC website,
https://www.isc.org/downloads

In addition to the fix to prevent the RBT assertions, the new releases
also contain changes to the Windows builds, correcting a problem which
made installation difficult on some Windows versions due to an
interaction with User Account Control (UAC), and fixing a bug that
could cause an assertion after an "rndc stats" command (on Windows only).