RE: rndc on local host: need named running?

2016-08-30 Thread Woodworth, John R
> My plan is to have two remote, authoritative name servers
> (master and slave) for my owned domains.  I would like to use rndc
> to control them from my local host.
>
> A couple of questions:

Tom,

I have a slightly unorthodox view on this which may even offer a bit more
security.  The answers are listed below inline.

>
> 1. Does named need to be running on the local host?

No, in fact you don't even need rndc installed locally or a
machine necessarily capable of running rndc.

You can invoke rndc via ssh using ssh keys and best of all the rndc
control port does not need to be exposed to the world.

An example use would be:
  #> ssh user@secrethost rndc reconfig

Which would invoke the 'rndc reconfig' command remotely.

A point of note would be the rndc *version* would also always be
in perfect synchronization with the local version of the server
further lowering the overall LOE (maintenance) for the remote client.


>
> 2. Can I use rndc from my local host which doesn't have a fixed
> ip address?


With this configuration it would not matter the source IP (apart from
ssh configuration).  I would also highly recommend some type of
"role account" to further increase security and minimize risk of
unintentionally allowing elevated privileges.

Most of all, as with any security tool if you are not at least familiar
with ssh and any risks associated, please step cautiously and minimally
familiarize yourself with it or avoid it.  Better safe than sorry.


Regards,
John


>
> Thanks.
>
> Best regards,
>
> -Tom
>

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
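The role-account side of the ssh-instead-of-rndc-port setup John describes, as an added example that is not from his message or from BIND itself: a forced-command wrapper that lets the role account's ssh key run only allow-listed rndc subcommands while the control channel stays on loopback. The wrapper path, key, account name, named.conf snippet and allow-list are all assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a restricted "rndc" role account (hypothetical).
# The control channel itself never leaves the server, e.g. in named.conf:
#   controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
# Bind this script to the role account's key in ~/.ssh/authorized_keys
# (path and key are placeholders):
#   command="/usr/local/sbin/rndc-wrapper",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... rndc-role
# sshd then ignores what the client asked to run and hands it to us in
# $SSH_ORIGINAL_COMMAND, so "ssh rndc-role@secrethost rndc reload example.com"
# reaches rndc_check below.

ALLOWED="reconfig reload status sync freeze thaw"   # hypothetical allow-list

# rndc_check "<requested command line>": prints the vetted rndc arguments and
# returns 0, or returns 1 when the request is not an allowed rndc invocation.
rndc_check() {
    case "$1" in
        "") return 1 ;;
        *[![:alnum:]._[:space:]-]*) return 1 ;;   # refuse ; | $ ` & > etc.; zone names need only these
    esac
    set -- $1                       # split into words (no metacharacters left, so no globbing)
    [ "$1" = "rndc" ] || return 1   # the role account runs rndc and nothing else
    shift
    [ $# -ge 1 ] || return 1        # a subcommand is required
    for sub in $ALLOWED; do
        if [ "$1" = "$sub" ]; then
            printf '%s\n' "$*"
            return 0
        fi
    done
    return 1                        # e.g. "rndc stop" or "rndc flush" are not on the list
}

# When invoked by sshd as a forced command: vet, log, run, or refuse.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if args=$(rndc_check "$SSH_ORIGINAL_COMMAND"); then
        logger -t rndc-wrapper "allowed: $args"
        exec rndc $args             # word-split on purpose; rndc reads /etc/rndc.key or rndc.conf locally
    fi
    logger -t rndc-wrapper "denied: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Both the allowed and the denied requests land in syslog, which gives the server side an audit trail of who asked for what.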

Re: SPF and domain keys

2016-08-30 Thread Reindl Harald



On 29.08.2016 at 15:49, project722 wrote:

What about DKIM only? Can it be used instead of, or, as a "replacement"
for SPF? For example mails are signed with DKIM from the SMTP servers,
and the receiving servers are checking both SPF and DKIM. If the
receiving server detected a missing SPF would it allow mail through if
DKIM is present and valid? I suppose a lot of this depends on the SPF
policies enforced on the receiving side


anything - not only a lot - depends on the policies of the receiver and 
is different for every single destination server


in case of a spf-policyd there is no point to look at DKIM because SPF 
is running long before smtp data and so a "-all" SPF_FAIL would reject 
the message long before any headers containing DKIM are received at all





Re: rndc on local host: need named running?

2016-08-30 Thread Tom Browder
On Tuesday, August 30, 2016, Cathy Almond  wrote:

> On 28/08/2016 02:48, Lyle wrote:
> > Use any in the allow stanza.
>
> You'll be using a shared key for this to work anyway, but I'd suggest
> being slightly more paranoid than 'any' in the allow stanza - perhaps
> the address range in which your local machine is to be allocated its
> address?
>

Thanks, Cathy.

Best regards

-Tom

Re: rndc on local host: need named running?

2016-08-30 Thread Tom Browder
On Tuesday, August 30, 2016, Woodworth, John R wrote:
>
> I have a slightly unorthodox view on this which may even offer a bit more
> security.  The answers are listed below inline.
>
>  ...

Thanks, John.

Best regards,

-Tom

Re: DNS views and zone transfers

2016-08-30 Thread Bob Harold
On Thu, Aug 25, 2016 at 12:56 PM, project722  wrote:

> I have successfully setup TSIG keys for "views" using a DNS master/server
> pair. Zone transfers are working as expected between the 2 servers for each
> view. Before we go live into production with this I need some clarification
> on a couple things. Our prod servers are also allowing zone transfers to a
> few other servers besides the slave server. We have an acl setup that looks
> similar to this:
>
> other_xfer_allowed_ns {
> x.x.x.x; // This is our Secondary DNS server
> 127.0.0.1; // localhost can make zone transfers
> x.x.x.x/24; // Server Farm Range is allowed to make zone-transfers
> x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers
> x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers
> x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers
> }; // end of "other_xfer_allowed" ACL
>
> And in the "allow transfer" statement we have included that ACL. My
> question is:
>
> Now that we are using TSIG, will I need to get with the admins of all
> these other servers and provide them my TSIG key so they can request zone
> transfers? I would think something like that needs to be done since it was
> required to be configured on slave server, but I am not sure.
>

No, if you allowed the IP range in your ACL, they don't need the TSIG key.
It might be more secure to hand out TSIG keys and remove the IP ranges from
the ACL, so only the TSIG key will allow transfers, since IP addresses are
easier to spoof, but since a zone transfer requires TCP, spoofing is not
likely.

The TSIG key was required on the slave in order to get the right view, if I
remember correctly.


>
> Next,
>
> I setup views so that clients on the "internal" network when requesting a
> record would be presented with different records than clients on the
> outside. And at the moment there is only one zone that is required to have
> different records. However, It is my understanding that since views are
> based off source IP's, if I was to ONLY include that one zone in my
> "internal" view, if a record was requested for another zone from that same
> IP, they would probably get an nxdomain answer since that IP is limited to
> that one view.
>
> So, my question is, will I need to include all zones in both views so that
> all clients can get results, even though I would only have (at the moment)
> one zone that points to two different zone files? All others in both views
> would point to the same zone file, unless of course there is another zone
> we need to present a different view to for internal clients.
>

You have a few choices:
- Copies of zones in both views.  More memory used, more zone transfers,
but probably safest and best performance.  This is what I do.  The zones in
the two views will need to be in separate files, if they are "slave" zones,
otherwise Bind will get confused and complain, because it does not realize
that two different views are trying to write the same file.
- One view could 'forward' to the other view for zones it does not have.
(Doubles the query logging, if you have that turned on.)
- Views could do normal recursion for some zones if they can reach the
servers listed in the NS records and get the info from there.


>
> Now, last question.
>
> I have a concern about the allow-query statement. On our production server
> we have an ACL list we'll call it "trusted".
> We have an allow query statement in the global options to only allow
> queries from IP's in the trusted ACL. However every one of our zone entries
> in the conf file also has an "allow-query { any; }; statement. Doesn't that
> defeat the purpose of have a "trusted" ACL for queries? Is this bad design?
>

Seems like the 'any' would override the 'trusted'.  Probably not what you
wanted.

-- 
Bob Harold
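A small named.conf lint for two of the points in this exchange, added here as an example that is not from the thread or from BIND: a zone-level "allow-query { any; }" overrides the global "trusted" ACL for that zone, and an allow-transfer that names only IP ranges relies on address checks where a TSIG key would be stronger. The configuration it scans is constructed for the example; all names, addresses and the key secret are placeholders.

```shell
#!/bin/sh
# Constructed sample config (hypothetical zones, RFC 5737 addresses, placeholder secret).
SAMPLE_CONF='acl trusted { 192.0.2.0/24; 127.0.0.1; };
acl other_xfer_allowed_ns { 198.51.100.5; 127.0.0.1; 203.0.113.0/24; };
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64=="; };
options {
    allow-query { trusted; };
    allow-transfer { other_xfer_allowed_ns; };   # IP ranges only: flagged
};
view "internal" {
    zone "example.com" {
        type master; file "internal/example.com.zone";
        allow-query { any; };                    # overrides trusted: flagged
    };
    zone "example.net" { type master; file "example.net.zone"; };
};
zone "example.org" {
    type slave; masters { 198.51.100.5; }; file "slaves/example.org.zone";
    allow-transfer { key xfer-key; };            # TSIG-based: not flagged
    allow-query { any; };                        # overrides trusted: flagged
};'

# lint_conf "<named.conf text>": prints one finding per line, either
# "QUERY_ANY <zone>" or "XFER_NOKEY <options|zone>". Brace depth is tracked
# so zones nested inside views are attributed to the right zone; each
# allow-* clause is assumed to sit on a single line.
lint_conf() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*options[ \t]*[{]/ { scope = "options"; scope_depth = depth }
        /^[ \t]*zone[ \t]+"/      { scope = $2; gsub(/"/, "", scope); scope_depth = depth }
        scope != "" && /allow-query[ \t]*[{][ \t]*any[ \t]*;/ { print "QUERY_ANY " scope }
        scope != "" && /allow-transfer[ \t]*[{]/ && !/[ \t{]key[ \t]/ { print "XFER_NOKEY " scope }
        { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}"); if (depth <= scope_depth) scope = "" }
    '
}

lint_conf "$SAMPLE_CONF"
```

For a QUERY_ANY finding the fix is to drop the zone-level allow-query so the global "trusted" ACL applies, or to set it to a deliberate ACL; for XFER_NOKEY it is to replace the IP members with key entries once each peer has been given its TSIG key.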

Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1

2016-08-30 Thread James Brown via bind-users
System is a Mac mini (late-2009) running a new install of Mac OS X 10.11.6.

Installed OpenSSL 1.1.0 using:
./Configure --prefix=/usr/local shared darwin64-x86_64-cc 
enable-ec_nistp_64_gcc_128 no-ssl2 no-ssl3
make depend
make test
sudo make install

No problems encountered. Then I tried to install BIND 9.11.0rc1 with:

./configure --with-atf

It failed with:

checking for sched_yield... yes
checking for pthread_yield... no
checking for pthread_yield_np... yes
checking for sysconf... yes
checking for libtool... no
checking for OpenSSL library... using OpenSSL from /usr/local/lib and 
/usr/local/include
checking whether linking with OpenSSL works... yes
checking whether linking with OpenSSL requires -ldl... unknown


Can anyone help me with this?

Thanks,

James.

Re: Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1

2016-08-30 Thread John W. Blue
I personally avoid all Apple products like the plague.  Sadly, an iPhone 6s was 
foisted upon me by my place of employment.  Piece of junk.  Hate it.

ahem.

Surely you can find some normal hardware to install unix on and then BIND, 
right?  Or.  How about throwing up a VM on the Mac and using that to do testing 
inside of as opposed to the base OS?

Failing all of that, have you tried installing something that is not an RC?

John


Re: Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1

2016-08-30 Thread Mukund Sivaraman
On Wed, Aug 31, 2016 at 02:02:45PM +1000, James Brown via bind-users wrote:

Due to changes in OpenSSL 1.1.0, BIND doesn't support it
currently. We're in the process of adding support for it. For now, you
may use a version from the OpenSSL 1.0.2 Long Term Support series with
BIND.

Mukund



Re: Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1

2016-08-30 Thread Vinícius Ferrão
Unnecessary hate.

OS X is a pretty standard Unix and it’s POSIX certified instead of Linux for 
example.

BIND9 simply does not compile with OpenSSL 1.1 yet.

On Aug 31, 2016, at 01:20, John W. Blue wrote:

Re: Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1

2016-08-30 Thread John W. Blue
Heh.  I did say "personally" and for me being locked out of doing what I want 
to do when I want to do it really helps me decide between something that is 
useful or junk.  And besides, I am cheap.



As an aside .. I remember I went into a coworker's office for the first time.  It 
was like a small shrine to Steve Jobs and all things Apple.  There were even 
these small bonsai trees all over the place.  lol.  I had such a mental 
over-the-top roll of the eyes that I just kind of stood there looking around.

That poor soul.

At least he seemed happy.


Re: Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1

2016-08-30 Thread Mark Andrews

OpenSSL changed the API between OpenSSL 1.0.2 and OpenSSL 1.1.0 and
it is not backwards compatible.  Almost everything written for
OpenSSL 1.0.2 and earlier needs to be re-written for OpenSSL 1.1.0.

We have not yet completed that process.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org