Stealth NS records

2018-03-30 Thread PANG J.

I saw a zone check on intodns.com shows,

Stealth NS records were sent:
ns2.xxx.com
ns1.xxx.com

So what's a stealth NS record?

thanks.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Stealth NS records

2018-03-30 Thread Matus UHLAR - fantomas

On 30.03.18 15:44, PANG J. wrote:

I saw a zone check on intodns.com shows,

Stealth NS records were sent:
ns2.xxx.com
ns1.xxx.com

So what's a stealth NS record?


http://massivedns.com/blog/dns-report-tutorials/what-are-stealth-ns-records/

maybe I could explain more deeply if you have sent the domain.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
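A stealth NS record is a nameserver that the zone's own apex NS RRset lists but the parent zone's delegation does not: resolvers are never referred to it, yet it answers authoritatively. The script below, an added example that is not part of the thread or of any ISC tool, reproduces the check the report made: it normalises the two NS lists and prints whatever the child advertises that the parent omits. The comparison runs on constructed sample data; the live_check function, which assumes a dig binary, network access and a zone directly under a TLD, shows how the two lists would be gathered for a real domain.

```shell
#!/bin/sh
# Added example (not from the thread): report "stealth" NS records, i.e.
# nameservers that the zone's own apex NS RRset lists but the parent zone's
# delegation does not. The comparison runs on constructed data; live_check
# (network access and dig assumed) shows how the two lists are gathered.

LC_ALL=C; export LC_ALL

# norm_ns: stdin is a whitespace-separated list of hostnames; stdout is the
# same list lowercased, trailing dots removed, sorted and de-duplicated
norm_ns() {
    tr 'A-Z \t' 'a-z\n\n' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# stealth_ns PARENT_LIST CHILD_LIST: print names in CHILD_LIST that are not
# in PARENT_LIST, one per line (empty output means no stealth servers)
stealth_ns() {
    p=$(mktemp) && c=$(mktemp) || return 1
    printf '%s\n' "$1" | norm_ns > "$p"
    printf '%s\n' "$2" | norm_ns > "$c"
    comm -13 "$p" "$c"
    rm -f "$p" "$c"
}

# live_check ZONE: gather both lists with dig (assumes dig is installed and
# ZONE is a second-level name such as example.com whose parent is a TLD)
live_check() {
    zone=$1
    parent=${zone#*.}
    # any authoritative server for the parent can answer for the delegation;
    # the referral carries the delegation NS set in the AUTHORITY section
    pns=$(dig +short "$parent" NS | head -n 1)
    delegation=$(dig +norecurse +noall +authority +answer @"$pns" "$zone" NS |
                 awk '$4 == "NS" { print $5 }')
    # ask one of the delegated servers for the apex NS RRset it actually serves
    cns=$(printf '%s\n' "$delegation" | head -n 1)
    apex=$(dig +norecurse +short @"$cns" "$zone" NS)
    stealth_ns "$delegation" "$apex"
}

# constructed sample: the delegation names two servers at a registrar, while
# the apex NS RRset also carries ns1.xxx.com and ns2.xxx.com (the two names
# in the report quoted in the thread); case and trailing dots are irrelevant
SAMPLE_PARENT='ns1.registrar-dns.example.
ns2.registrar-dns.example.'
SAMPLE_CHILD='ns1.registrar-dns.example.
ns2.registrar-dns.example.
NS2.xxx.com.
ns1.xxx.com.'

echo "stealth NS records:"
stealth_ns "$SAMPLE_PARENT" "$SAMPLE_CHILD"
```

Empty output from stealth_ns means the delegation and the apex agree. Anything printed is a server the parent does not know about: either the delegation at the registrar is stale or the apex NS RRset still names hosts that were meant to be retired, and both are worth fixing before a forgotten hostname drops out of your control.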


Re: Followup: BIND 9.10.6-P1 dnssec update zone A record

2018-03-30 Thread Kim Culhan
Removed the signing files: domain.com.* and re-ran the signing process with
named not running.
With a new 'domain.com.signed' file created by the signing process and in
the named.conf zone section:
file "domain.com.signed";
Started named and everything appears to be working fine.

https://dnssec-debugger.verisignlabs.com
Showing all green indicators!

Not all green at first, reloaded the browser and now all Ok again.

Thanks muchly,
-kim

On Thu, Mar 29, 2018 at 6:24 PM, Kim Culhan  wrote:

>
> On Thu, Mar 29, 2018 at 5:17 PM, Douglas C. Stephens  wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Kim,
>>
>> I run BIND 9.11 so this might or might not translate down to BIND 9.10.
>>
>> When this happens to me, I run "rndc zonestatus " on it.
>> Then I look for the "serial:" and "signed serial:" values.
>>
>
> Running rndc zonestatus  
>
> FWIW returns serial: and signed serial: which are not the same and are from
> 1 day ago.
>
>> Normally, you would be correct in only needing to increment the
>> unsigned SOA serial to at least +1 larger than the "serial:" value
>> shown by the above output.  Sometimes, however, to make BIND load the
>> update, I need to increase the SOA serial in the unsigned zone file to
>> be higher than the SOA serial signed zone file.  Then run "rndc reload
>> ".
>>
>> Another thing to check is whether you're actually checking the zone
>> serial of a slave instead of at the master BIND doing the signing.  If
>> so, are they higher than the signed zone serial at your master?
>>
>
> ATM there are 2 masters, I'm working on 1 now.
>
>
>>
>> Also, something that looks odd to me compared with my live running
>> config is your "file" line.  Does that "domain.com.signed" filespec
>> actually point to the BIND-maintained .signed file, or does it means
>> something else?  If the latter, then I would guess you have a
>> "domain.com.signed.signed" file alongside it which is the one
>
>> maintained by BIND.
>>
>
> Yes, this is true:   domain.com.signed.signed
>
>>
>> I'm also using "auto-dnssec maintain" and "inline-signing yes", but my
>> zone "file" points to my unsigned zone file, while the .signed version
>> (and its .signed.jnl) is wholly created and maintained by BIND.
>
>
> I have those files but I don't know how to get BIND to maintain them.
>
> That appears to be the problem.
>
> This helps, I'm not sure where to go from here though.
>
> I've googled this for hours and keep thinking the solution is just another
> google away but just now I'm not so sure.
>
>>
>>
>> Hope this helps.
>
>
> This helps and thanks for replying to my post.
>
> -kim
>
>
>> On 3/29/2018 3:15 PM, Kim Culhan wrote:
>> > Some additional info here, from named.conf, dnssec config:
>> >
>> > options { directory "/var/named"; [lines omitted] dnssec-validation
>> > auto; managed-keys-directory "/var/named/keys";
>> >
>> > From the zone section;
>> >
>> > file "domain.com.signed"; key-directory "/var/named/keys/domain.com
>> > "; auto-dnssec maintain; inline-signing yes;
>> >
>> > Zone file is in /var/named
>> >
>> > Sorry did not include this in the original post.
>> >
>> > thanks -kim
>> >
>>
>> - --
>> Douglas C. Stephens | Network Systems Analyst
>> Enterprise Information Services | Phone: (515) 294-6102
>> Ames Laboratory, US DOE | Email: steph...@ameslab.gov
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v2.0.17 (MingW32)
>>
>> iEYEARECAAYFAlq9V+MACgkQ46phdn656QQGdgCfdyHd1QaeNvrF1v2p+yXqdqtE
>> pisAoIQPCgKPMKUJpP/mCLITTgP43+1P
>> =D7S2
>> -END PGP SIGNATURE-
>
>
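Two things went wrong in the exchange above: the zone's "file" directive pointed at the .signed file (so BIND maintained a domain.com.signed.signed next to it), and edits to the unsigned zone were not picked up until its SOA serial was raised past the values "rndc zonestatus" reports. The script below is an added example, not from the thread and not ISC code, that checks both conditions. The zone stanzas and the zonestatus output it works on are constructed samples built from the fragments quoted in the thread; only the "serial:" and "signed serial:" labels are taken from the post, the rest of the sample zonestatus output is assumed.

```shell
#!/bin/sh
# Added example (not from the thread, not ISC code): two checks for the
# inline-signing mistakes discussed above.
#  1. With "inline-signing yes", the zone "file" directive must name the
#     unsigned zone file. BIND creates and maintains <file>.signed and
#     <file>.signed.jnl beside it; pointing "file" at the .signed file makes
#     BIND maintain a <file>.signed.signed instead, as happened in the thread.
#  2. After editing the unsigned file, raise its SOA serial past the "serial:"
#     that "rndc zonestatus" reports (and, following the thread's advice,
#     past "signed serial:" as well) or the edit is never picked up.
# The zone stanzas and the zonestatus output below are constructed samples.

LC_ALL=C; export LC_ALL

# stanza_file_ok STANZA: succeed when the stanza's "file" names a zone file
# that is not itself a .signed file; fail when it does or when there is none
stanza_file_ok() {
    f=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*file[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    case "$f" in
        "")        return 1 ;;   # no file directive at all
        *.signed)  return 1 ;;   # BIND would maintain <file>.signed.signed
        *)         return 0 ;;
    esac
}

# zonestatus_serials: stdin is "rndc zonestatus <zone>" output; stdout is
# "<serial> <signed serial>", the two values the thread says to compare
zonestatus_serials() {
    awk -F': *' '$1 == "serial"        { s = $2 }
                 $1 == "signed serial" { ss = $2 }
                 END { print s, ss }'
}

# next_serial SERIAL SIGNED_SERIAL: the smallest serial that is above both
next_serial() {
    if [ "$1" -gt "$2" ]; then echo $(( $1 + 1 )); else echo $(( $2 + 1 )); fi
}

# serial_will_load NEW SERIAL SIGNED_SERIAL: succeed when NEW is high enough
serial_will_load() {
    [ "$1" -ge "$(next_serial "$2" "$3")" ]
}

# constructed stanzas: the first is the misconfiguration from the thread,
# the second points "file" at the unsigned zone as it should
WRONG_STANZA='zone "domain.com" {
    type master;
    file "domain.com.signed";
    key-directory "/var/named/keys/domain.com";
    auto-dnssec maintain;
    inline-signing yes;
};'

RIGHT_STANZA='zone "domain.com" {
    type master;
    file "domain.com.zone";
    key-directory "/var/named/keys/domain.com";
    auto-dnssec maintain;
    inline-signing yes;
};'

# constructed "rndc zonestatus" output; only the serial lines matter here
SAMPLE_ZONESTATUS='name: domain.com
type: master
files: domain.com.zone
serial: 2018032901
signed serial: 2018032903
secure: yes
inline signing: yes'

for s in "$WRONG_STANZA" "$RIGHT_STANZA"; do
    if stanza_file_ok "$s"; then
        echo "file directive ok"
    else
        echo "file directive points at a .signed file (or is missing)"
    fi
done
set -- $(printf '%s\n' "$SAMPLE_ZONESTATUS" | zonestatus_serials)
echo "serial=$1 signed serial=$2 -> put at least $(next_serial "$1" "$2") in the unsigned SOA"
```

To use it against a live server, feed the real output of "rndc zonestatus domain.com" to zonestatus_serials and compare the result with the SOA serial in the file you just edited; then "rndc reload domain.com". Once "file" points at the unsigned zone, the .signed and .signed.jnl files are BIND's to manage and should not be edited or regenerated by hand.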


Re: Cause BIND 9.10.6-P1 running dnssec to update zone A record

2018-03-30 Thread @lbutlr
On 2018-03-29 (11:58 MDT), Kim Culhan  wrote:
> 
> Made a change to an ip address in an A record and bind is still showing the 
> old
> address.
> Updated the serial and it doesn't show the new serial either.
> 
> How can I get bind to update from the data in the zone file?
> 
> I 've restarted named and used rndc to reload and have not
> found how to get it to update.

Sounds like you are editing the wrong file.

rndc reload reloads the files; if the change is not being rejected, you need to 
figure out where the right file is.

-- 
The voice of the majority is no proof of justice.



error reading private key file, ddns_update update failed not found

2018-03-30 Thread Ryan McGuire
Good Afternoon,

I have a newly configured bind9 server with two dynamic zones that I
cannot seem to get working. I've ensured I have a key-directory
configured and I've confirmed that the keys exist and are readable by
bind but I'm unable to resolve the issue. The zones themselves work
fine, but dynamic updates are failing. If it's relevant, bind is
running inside an LXD container.

Logs:

Mar 29 15:50:39 bind named[99]: client 192.168.0.3#2093/key
ddns_update: signer "ddns_update" approved
Mar 29 15:50:39 bind named[99]: client 192.168.0.3#2093/key
ddns_update: updating zone 'mcguire.local/IN': adding an RR at 'am335x-
opt.mcguire.local' A 192.168.0.165
Mar 29 15:50:39 bind named[99]: client 192.168.0.3#2093/key
ddns_update: updating zone 'mcguire.local/IN': adding an RR at 'am335x-
opt.mcguire.local' TXT "3154a902d1b045a4064274c0d6b5
Mar 29 15:50:39 bind named[99]: dns_dnssec_findzonekeys2: error reading
private key file mcguire.local/RSASHA256/43356: file not found
Mar 29 15:50:39 bind named[99]: dns_dnssec_findzonekeys2: error reading
private key file mcguire.local/RSASHA256/43345: file not found
Mar 29 15:50:39 bind named[99]: client 192.168.0.3#2093/key
ddns_update: updating zone 'mcguire.local/IN': found no active private
keys, unable to generate any signatures
Mar 29 15:50:39 bind named[99]: client 192.168.0.3#2093/key
ddns_update: updating zone 'mcguire.local/IN': RRSIG/NSEC/NSEC3 update
failed: not found

Zone config:

zone "0.168.192.in-addr.arpa" IN {
  type master;
  file "/etc/bind/zones/db.0.168.192.in-addr.arpa.signed";
  auto-dnssec maintain;
  key-directory "/etc/bind/keys";
  inline-signing yes;
  allow-update { key DDNS_UPDATE; };
};
zone "mcguire.local" IN {
  type master;
  file "/etc/bind/zones/db.mcguire.local.signed";
  auto-dnssec maintain;
  key-directory "/etc/bind/keys";
  inline-signing yes;
  allow-update { key DDNS_UPDATE; };
};

Key directory and relevant keys:

File: /etc/bind/keys/
[...]
Access: (0755/drwxr-xr-x)  Uid: (0/root)   Gid: (112/bind)

-rw-r--r-- 1 bind bind  627 Mar 28 12:11 K0.168.192.in-addr.arpa.+008+04239.key
-rw-r----- 1 bind bind 1776 Mar 28 12:11 K0.168.192.in-addr.arpa.+008+04239.private
-rw-r--r-- 1 bind bind  972 Mar 28 12:12 K0.168.192.in-addr.arpa.+008+05959.key
-rw-r----- 1 bind bind 3316 Mar 28 12:12 K0.168.192.in-addr.arpa.+008+05959.private
-rw-r--r-- 1 bind bind  955 Mar 28 12:11 Kmcguire.local.+008+43345.key
-rw-r----- 1 bind bind 3316 Mar 28 12:11 Kmcguire.local.+008+43345.private
-rw-r--r-- 1 bind bind  610 Mar 28 12:11 Kmcguire.local.+008+43356.key
-rw-r----- 1 bind bind 1776 Mar 28 12:11 Kmcguire.local.+008+43356.private

Any ideas?

Regards,

-Ryan
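The log names each key it could not load as ZONE/ALGORITHM/TAG, while BIND looks in key-directory for a file called K<zone>.+<alg>+<tag>.private (the listing above shows the pattern: K0.168.192.in-addr.arpa.+008+04239.private is algorithm 8, tag 4239). The script below is an added example, not part of the post and not ISC code, that maps the logged triples to the expected file names and checks whether each exists and is readable. It reads the log lines quoted in the post, unwrapped onto single lines, and demonstrates against a temporary key directory constructed here in which only one of the two files exists. Run it as the user named runs as (for example via "sudo -u bind") so that the readability test reflects what named sees; as root every file reads as readable.

```shell
#!/bin/sh
# Added example (not from the thread, not ISC code): turn the
# "error reading private key file ZONE/ALG/TAG: file not found" lines that
# named logs into the file names BIND looks for in key-directory
# (K<zone>.+<alg>+<tag>.private) and check whether each exists and is readable
# by the current user. The log lines are those quoted in the post, unwrapped;
# the key directory used for the demonstration is a temporary one built here.

LC_ALL=C; export LC_ALL

# alg_number NAME: DNSSEC algorithm mnemonic -> number used in key file names
alg_number() {
    case "$1" in
        RSASHA1)          echo 5 ;;
        NSEC3RSASHA1)     echo 7 ;;
        RSASHA256)        echo 8 ;;
        RSASHA512)        echo 10 ;;
        ECDSAP256SHA256)  echo 13 ;;
        ECDSAP384SHA384)  echo 14 ;;
        ED25519)          echo 15 ;;
        *)                return 1 ;;
    esac
}

# key_file_name ZONE ALG TAG: the .private file name BIND derives from a key
key_file_name() {
    n=$(alg_number "$2") || return 1
    printf 'K%s.+%03d+%05d.private\n' "$1" "$n" "$3"
}

# log_missing_keys: stdin is named's log; stdout is "ZONE ALG TAG" per
# "file not found" complaint, in log order
log_missing_keys() {
    sed -n 's/.*error reading private key file \([^/]*\)\/\([^/]*\)\/\([0-9]*\): file not found.*/\1 \2 \3/p'
}

# check_keys KEYDIR: stdin is named's log; stdout is one line per complained
# key: "<file> absent", "<file> present unreadable" or "<file> present readable"
check_keys() {
    dir=$1
    log_missing_keys | while read -r zone alg tag; do
        f=$(key_file_name "$zone" "$alg" "$tag") ||
            { echo "$zone/$alg/$tag: unknown algorithm"; continue; }
        if [ ! -e "$dir/$f" ]; then
            echo "$f absent"
        elif [ ! -r "$dir/$f" ]; then
            echo "$f present unreadable"
        else
            echo "$f present readable"
        fi
    done
}

# the log lines from the post, unwrapped onto single lines
SAMPLE_LOG=$(cat <<'EOF'
Mar 29 15:50:39 bind named[99]: client 192.168.0.3#2093/key ddns_update: signer "ddns_update" approved
Mar 29 15:50:39 bind named[99]: dns_dnssec_findzonekeys2: error reading private key file mcguire.local/RSASHA256/43356: file not found
Mar 29 15:50:39 bind named[99]: dns_dnssec_findzonekeys2: error reading private key file mcguire.local/RSASHA256/43345: file not found
Mar 29 15:50:39 bind named[99]: client 192.168.0.3#2093/key ddns_update: updating zone 'mcguire.local/IN': found no active private keys, unable to generate any signatures
EOF
)

# demo_check: constructed key directory holding only one of the two files
# named in the log, so both outcomes appear
demo_check() {
    d=$(mktemp -d) || return 1
    : > "$d/Kmcguire.local.+008+43345.private"
    printf '%s\n' "$SAMPLE_LOG" | check_keys "$d"
    rm -rf "$d"
}

demo_check
```

Against the real server the call is "check_keys /etc/bind/keys < /var/log/syslog" (or wherever named logs), run as the bind user. A file reported present and readable while named still logs "file not found" means the name and permissions are not the problem, and the next thing to compare is whether the key tags in the zone's DNSKEY RRset still match the key files on disk.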


Re: error reading private key file, ddns_update update failed not found

2018-03-30 Thread Kim Culhan
On Fri, March 30, 2018 4:57 pm, Ryan McGuire wrote:

> Mar 29 15:50:39 bind named[99]: dns_dnssec_findzonekeys2: error reading
> private key file mcguire.local/RSASHA256/43356: file not found
> Mar 29 15:50:39 bind named[99]: dns_dnssec_findzonekeys2: error reading
> private key file mcguire.local/RSASHA256/43345: file not found

Recent experience has been that the 'key file not found' problem can result
from replacing the key files in the key directory.

When the zone is signed, bind retains the key files which existed at that
time by including them in the signed zone files.

There may be a better way to fix this, but I found it necessary to re-sign
the zone after removing the existing signed zone files:

As in:  rm domain.zone.* then resign the zone.

In the process of Googling for a solution to this problem for days I found
only one more 'sophisticated' approach to this problem.

This is probably not the best way to do this, but it gets the server up and
running again in a few minutes.

Maybe someone will follow up to this 'solution' with the correct way, and it
may be you didn't make the mistake I did and re-generate the keys.

thanks
-kim