The signed domain file rewritten

2019-11-12 Thread Alessandro Vesely
Hi,

I have a signed domain, with inline-signing yes and auto-dnssec maintain.

Although the domain is static, the .signed and .signed.jnl files are being
rewritten without apparent reason.  They are about a month newer than the
corresponding .jbk and base files.

I notice that because of tripwire complaints.  I guess I have to tweak that
config, unless there's a way to prevent or foresee those rewritings.

Why does bind rewrite that file?


Best
Ale
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: The signed domain file rewritten

2019-11-12 Thread Mark Andrews
The RRSIGs need to be regenerated periodically.  These are the changes you are
seeing.

-- 
Mark Andrews

> On 12 Nov 2019, at 20:42, Alessandro Vesely  wrote:
> 
> Hi,
> 
> I have a signed domain, with inline-signing yes and auto-dnssec maintain.
> 
> Although the domain is static, the .signed and .signed.jnl files are being
> rewritten without apparent reason.  They are about a month newer than the
> corresponding .jbk and base files.
> 
> I notice that because of tripwire complaints.  I guess I have to tweak that
> config, unless there's a way to prevent or foresee those rewritings.
> 
> Why does bind rewrite that file?
> 
> 
> Best
> Ale



Using different OS for Master and Slaves

2019-11-12 Thread Mundile
Is it a good idea, and possible, to create master and slave nameservers using
different OSes?
For example, master OS = CentOS 7 and slave OS = Ubuntu 18 or Windows 2016.

Sent from Mail for Windows 10



Re: Using different OS for Master and Slaves

2019-11-12 Thread Reindl Harald


Am 12.11.19 um 12:24 schrieb Mundile:
> Is it good idea and possible to create Master and Slaves nameservers
> using different OSes.
> 
> For example , Master OS =Centos 7 and Slaves Os=Ubuntu 18 or  Windows 2016

surely, zone transfers work over a network protocol no matter what
software or operating system is running on the master

as long as both sides implement the protocol correctly it has to work


Re: Using different OS for Master and Slaves

2019-11-12 Thread sthaug
> Is it good idea and possible to create Master and Slaves nameservers using 
> different OSes.
> For example , Master OS =Centos 7 and Slaves Os=Ubuntu 18 or  Windows 2016

I guess that depends on what you want to achieve.

If you want maximum diversity you might want to use different OSes
*and* also different name server software for master and slave.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Bind9 for Windows

2019-11-12 Thread Abel, Andre via bind-users
Hello,

we are wondering whether BIND9 runs under Windows Server 2019. Can somebody
confirm that it does? I am having trouble getting it to run, with errors
such as a missing DLL.


BR
Adnré Abel


Re: .onion and dnssec

2019-11-12 Thread Tony Finch
Erich Eckner  wrote:

> I have also a hard time, generating some useful debug output
> - setting `-d 9` does not give additional information in the system log.

You might find it is being written to the file named.run in named's
working directory (this is the default_debug logging channel
configuration). I generally use `rndc trace 11` to tell named to log
details of resolution and validation, including sent and received DNS
messages. It's very verbose but it can tell you what is happening to your
.onion queries.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Mull of Kintyre to Ardnamurchan Point: North 5 to 7, becoming variable 2 or 3,
then east 3 to 5 later. Rough or very rough, occasionally moderate later in
shelter from easterly swell. Showers. Good occasionally poor.
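
Tony's answer points at the default_debug channel, which writes named.run into named's working directory. The fragment below is an added example, not configuration from Tony's message, showing how to send the same debug output to a file of your choice and to syslog instead; the log path and the categories chosen are assumptions.

```conf
logging {
    // Assumed path; it must be writable by the user named runs as.
    channel debug_log {
        file "/var/log/named/debug.log" versions 3 size 20m;
        severity dynamic;      // follows the level set by -d N or `rndc trace N`
        print-time yes;
        print-category yes;
    };
    // Resolution and validation detail is what the .onion investigation needs;
    // "queries" adds the incoming questions themselves.
    category resolver { debug_log; };
    category dnssec   { debug_log; };
    category queries  { debug_log; };
};
```

Raise the level with `rndc trace 11` while reproducing the query, and drop back to level 0 with `rndc notrace` afterwards: at level 11 the file grows quickly, and `versions 3 size 20m` only bounds how much of it survives.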


Re: The signed domain file rewritten

2019-11-12 Thread Jim Popovitch via bind-users

On 11/12/19 4:42 AM, Alessandro Vesely wrote:
> Hi,
>
> I have a signed domain, with inline-signing yes and auto-dnssec maintain.
>
> Although the domain is static, the .signed and .signed.jnl files are being
> rewritten without apparent reason.  They are about a month newer than the
> corresponding .jbk and base files.
>
> I notice that because of tripwire complaints.  I guess I have to tweak that
> config, unless there's a way to prevent or foresee those rewritings.

I use this in twpol.txt:

{
    /etc            -> $(SEC_BIN) (recurse=true) ;
    !/etc/bind/zone ;
}

> Why does bind rewrite that file?

Because someone forgot to put dynamic files in /var ?  :P

https://en.wikipedia.org/wiki/Unix_filesystem


-Jim P.



Re: Using different OS for Master and Slaves

2019-11-12 Thread G.W. Haywood via bind-users

Hi there,

On Tue, 12 Nov 2019, Mundile wrote:

> Is it good idea and possible to create Master and Slaves nameservers using
> different OSes.
> For example , Master OS =Centos 7 and Slaves Os=Ubuntu 18 or  Windows 2016

It depends on whether or not you enjoy pain.

> Sent from Mail for Windows 10

Perhaps you do.

--

73,
Ged.


Re: .onion and dnssec

2019-11-12 Thread Erich Eckner


On Tue, 12 Nov 2019, Tony Finch wrote:

> Erich Eckner  wrote:
>
>> I have also a hard time, generating some useful debug output
>> - setting `-d 9` does not give additional information in the system log.
>
> You might find it is being written to the file named.run in named's
> working directory (this is the default_debug logging channel
> configuration). I generally use `rndc trace 11` to tell named to log
> details of resolution and validation, including sent and received DNS
> messages. It's very verbose but it can tell you what is happening to your
> .onion queries.


Thanks! I now get the desired log. I noticed that there were *no* queries
sent by the dns server at all (even when asking for subdomains of
onion.eckner.net - which were successfully resolved by tor). I
suspected that the slave "." zone supersedes every other zone I have,
and confirmed that by commenting out the other (slaved opennic) tlds, which
did *not* break the resolving.

I replaced "." by a hint zone and now it works as intended:

- opennic tlds are resolved via their slave zones (before, they were not:
  I could comment them out and still resolve)

- normal tlds are resolved via hint root zone (I think)

- onion. is forwarded to tor

thanks a lot!

I have another (minor) question, though:

To my understanding, the difference between "forward first;" and "forward 
only;" is, that the former caches and the latter forwards all queries. 
However, I see the same behaviour in the log for both. Where is my 
mistake?


cheers,
Erich


Re: .onion and dnssec

2019-11-12 Thread Tony Finch
Erich Eckner  wrote:
>
> To my understanding, the difference between "forward first;" and "forward
> only;" is, that the former caches and the latter forwards all queries.
> However, I see the same behaviour in the log for both. Where is my mistake?

My understanding is that first vs. only is related to fallback behaviour,
though I don't know what kind of forwarding failures cause named to revert
to iterating. [I don't use forwarding myself, but I view `forward first`
with deep suspicion since it looks like the kind of thing that turns
misconfigurations into performance problems and mysterious weirdness.]

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Wight, Portland, Plymouth: West or northwest 6 to gale 8, decreasing 4 or 5.
Moderate or rough, occasionally very rough at first in Plymouth, then
occasionally slight later. Thundery showers. Good, occasionally poor.
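
The arrangement Erich ended up with (hint root, slaved TLDs, onion. forwarded to Tor) and the first-vs-only distinction Tony describes, written out as an added named.conf example. It is not Erich's actual configuration: the root hints file name, the Tor DNSPort address and port, and the zone names are assumptions.

```conf
// Everything not matched by a more specific zone is resolved iteratively
// from the root hints (assumed file name).
zone "." {
    type hint;
    file "named.root";
};

// onion. goes to Tor's DNSPort (assumed 127.0.0.1:9053, set in torrc).
// "forward only": if the forwarder does not answer, the failure is final.
// "forward first" would instead ask the forwarder and then fall back to
// iterating from the hints, which for .onion can only produce NXDOMAIN.
// As long as the forwarder answers, the two look identical in the log.
zone "onion" {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 9053; };
};

options {
    dnssec-validation auto;
    // The root zone proves that .onion does not exist, so Tor's answers can
    // never validate; BIND 9.16 and later can exempt the subtree:
    validate-except { "onion"; };
};
```

Check the result with `named-checkconf` before reloading, then confirm with `rndc trace` output that a query for a name under onion. is sent only to the forwarder and that one for an ordinary TLD starts at a root server.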


Re: Using different OS for Master and Slaves

2019-11-12 Thread Reindl Harald


Am 12.11.19 um 14:00 schrieb G.W. Haywood via bind-users:
> Hi there,
> 
> On Tue, 12 Nov 2019, Mundile wrote:
> 
>> Is it good idea and possible to create Master and Slaves nameservers
>> using different OSes.
>> For example , Master OS =Centos 7 and Slaves Os=Ubuntu 18 or  Windows
>> 2016
> 
> It depends on whether or not you enjoy pain

there shouldn't be any pain from a technical point of view, and there is
one security case which could be solved by mixing:

a zero-day exploit: when both nameservers for a domain are running
different software it's not that easy to shut down the whole domain with
two packets


Re: The signed domain file rewritten

2019-11-12 Thread Alessandro Vesely
On Tue 12/Nov/2019 12:09:06 +0100 Mark Andrews wrote:
> The RRSIGs need to be regenerated periodically.  These are the changes you are
> seeing.
> 

It doesn't seem to happen every day, but can happen again on the next day.  Can
the period be controlled?


Best
Ale


Re: The signed domain file rewritten

2019-11-12 Thread Tony Finch
Alessandro Vesely  wrote:
>
> It doesn't seem to happen every day, but can happen again on the next day.
> Can the period be controlled?

It depends on the size of the zone (bigger zone -> more frequent updates),
how widely scattered the RRSIG expiry times are (which depends on how the
zone is updated and how it was originally signed), how long ago it was
signed (the expiry times have a bit of jitter so they should gradually
spread out over time) and on the sig-validity-interval setting.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Viking, North Utsire, South Utsire: Easterly or northeasterly 4 to 6, becoming
cyclonic 2 for a time. Rough becoming moderate. Rain. Good, occasionally poor.


Re: The signed domain file rewritten

2019-11-12 Thread Alessandro Vesely
On Tue 12/Nov/2019 13:39:30 +0100 Jim Popovitch via bind-users wrote:
> On 11/12/19 4:42 AM, Alessandro Vesely wrote:
>> Hi,
>>
>> I have a signed domain, with inline-signing yes and auto-dnssec maintain.
>>
>> Although the domain is static, the .signed and .signed.jnl files are being
>> rewritten without apparent reason.  They are about a month newer than the
>> corresponding .jbk and base files.
>>
>> I notice that because of tripwire complaints.  I guess I have to tweak that
>> config, unless there's a way to prevent or foresee those rewritings.
>>
> 
> I use this in twpol.txt:
> 
> {
>     /etc            -> $(SEC_BIN) (recurse=true) ;
>     !/etc/bind/zone ;
> }


Yeah, that's a possibility.

Not that I rely on tripwire more than I should, but leaving the zone outside
the controlled area means to blindly sign whatever happens to be in the zone.


Best
Ale


Re: The signed domain file rewritten

2019-11-12 Thread Alessandro Vesely
On Tue 12/Nov/2019 18:18:52 +0100 Tony Finch wrote:
> Alessandro Vesely  wrote:
>>
>> It doesn't seem to happen every day, but can happen again on the next day.
>> Can the period be controlled?
> 
> It depends on the size of the zone (bigger zone -> more frequent updates),
> how widely scattered the RRSIG expiry times are (which depends on how the
> zone is updated and how it was originally signed), how long ago it was
> signed (the expiry times have a bit of jitter so they should gradually
> spread out over time) and on the sig-validity-interval setting.


That makes sense.  I left sig-validity-interval at its default (30 days) and
from October 19 to November 11 (the dates of the files) there are 23 days,
while 30 * (1 - 1/4) = 22.5.

Looking closer, I realized that the next day signature was not rewritten in the
same view.

Perhaps the jitter can be cured by setting a multiple of 4 as the validity
interval...

Thank you for the detailed explanation
Ale