Re: 'managed-keys' is deprecated ??
Hi -T,

I cannot reproduce this confusing warning message. Please use the absolute path /var/named/chroot/etc/named.root.key in https://bugzilla.redhat.com/show_bug.cgi?id=1972022

Best regards,

Matthijs

On 15-06-2021 07:46, ToddAndMargo via bind-users wrote:
> On 6/14/21 9:30 PM, Jim Popovitch via bind-users wrote:
>> On Tue, 2021-06-15 at 14:27 +1000, Mark Andrews wrote:
>>> https://downloads.isc.org/isc/bind9/9.16.16/doc/arm/Bv9ARM.pdf
>>
>> The modern-day RTFM :-)
>>
>> -Jim P.
>
> "Just Google it." The new RTFM. Chuckle!
>
> And "'managed-keys' is deprecated" is a bug. I just reported:
>
> named-checkconf gives confusing depreciated 'managed-keys' message
> https://bugzilla.redhat.com/show_bug.cgi?id=1972022
>
> :'(
>
> -T

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Need Help with BIND9
> On 11.06.21 18:19, Sten Carlsen wrote:
>> From my place I resolve both to: 98.191.108.149
>>
>> keiththewebguy.com. does not actually have the two nameservers required though that is not the problem. (ns1 and ns2 have same IP)
>>
>> BIND seems to work ok but your local settings probably don't point your hosts to the right NS.

On 14.06.21 14:26, techli...@phpcoderusa.com wrote:
> I do have the same IP in both "glue" records. GoDaddy calls them host records.

those might be different records, haven't checked godaddy's dictionary.

> Server was probably off.
>
> Thank you for your help!!

it's apparently down again.

some registrars provide you with their own nameservers that don't go down, why don't you use those?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
Re: Need Help with BIND9
On 14.06.21 at 22:37, techli...@phpcoderusa.com wrote:
>> keiththewebguy.com [1]. does not actually have the two nameservers required though that is not the problem. (ns1 and ns2 have same IP)
>
> I have a VPS that runs Plesk and there is only one name server so for every domain I have hosted on that VPS the domains have the same name server for both host names (at the register) I think some call these glue records.

we know that already and it's wrong

you can't have proper DNS with only one nameserver

you can't have proper DNS with two nameservers in the same network or on the same line

if you can't provide the minimum of *two* completely independent nameservers you can't host DNS - it's that easy

[harry@srv-rhsoft:~]$ nslookup ns1.thelounge.net 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   ns1.thelounge.net
Address: 85.124.176.242

[harry@srv-rhsoft:~]$ nslookup ns2.thelounge.net 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   ns2.thelounge.net
Address: 91.118.73.16
Re: Need Help with BIND9
On 15.06.21 at 10:31, Reindl Harald wrote:
> On 14.06.21 at 22:37, techli...@phpcoderusa.com wrote:
>>> keiththewebguy.com [1]. does not actually have the two nameservers required though that is not the problem. (ns1 and ns2 have same IP)
>>
>> I have a VPS that runs Plesk and there is only one name server so for every domain I have hosted on that VPS the domains have the same name server for both host names (at the register) I think some call these glue records.
>
> we know that already and it's wrong
>
> you can't have proper DNS with only one nameserver
>
> you can't have proper DNS with two nameservers in the same network or on the same line
>
> if you can't provide the minimum of *two* completely independent nameservers you can't host DNS - it's that easy

https://www.iana.org/help/nameserver-requirements

Minimum number of name servers

There must be at least two NS records listed in a delegation, and the hosts must not resolve to the same IP address.
Re: Need help for Calculate DNS througputs
On 15/06/2021 08:12, PRAKASH CHAND wrote:

Hi Prakash,

Look at DNSPerf. It's an open source tool for benchmarking DNS servers. It has a component called resperf, specifically for resolvers. You could try to use that to find out how far you can push your resolvers. Make sure to measure the packet rate and the bandwidth from your resolvers towards the Internet.

However, I would also caution you on the use of firewalls in front of busy resolvers. If the firewalls try to keep state for every UDP packet traversing them, they will quickly fall over.

Regards,
Anand

> Dear All,
>
> Good Morning to all Bind-users.
> I need help for calculating DNS server throughput.
> Actually, we are planning to purchase firewall so it is required for purchasing according to load.
>
> I am using RHEL, I will be thankful if someone could guide us that how we can calculate the throughput of my DNS servers. I am running BIND 9.x.x. on RHEL server.
>
> Thanks & regards
> Prakash Chand
Re: Need Help with BIND9
Thank you for your help!!

On 2021-06-15 00:39, Matus UHLAR - fantomas wrote:
>> On 11.06.21 18:19, Sten Carlsen wrote:
>>> From my place I resolve both to: 98.191.108.149
>>>
>>> keiththewebguy.com. does not actually have the two nameservers required though that is not the problem. (ns1 and ns2 have same IP)
>>>
>>> BIND seems to work ok but your local settings probably don't point your hosts to the right NS.
>
> On 14.06.21 14:26, techli...@phpcoderusa.com wrote:
>> I do have the same IP in both "glue" records. GoDaddy calls them host records.
>
> those might be different records, haven't checked godaddy's dictionary.
>
>> Server was probably off.
>>
>> Thank you for your help!!
>
> it's apparently down again.

Since this is a test server I turn it and my internet connection off over night. I'll leave it on for now.

> some registrars provide you with their own nameservers that don't go down, why don't you use those?

I understand. That would be easier. I am trying to learn BIND and after that I am going to learn Postfix and Dovecot mail. I am doing this for learning.

Thanks!!

> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Linux IS user friendly, it's just selective who its friends are...
Re: Need Help with BIND9
On 2021-06-15 01:31, Reindl Harald wrote:
> On 14.06.21 at 22:37, techli...@phpcoderusa.com wrote:
>>> keiththewebguy.com [1]. does not actually have the two nameservers required though that is not the problem. (ns1 and ns2 have same IP)
>>
>> I have a VPS that runs Plesk and there is only one name server so for every domain I have hosted on that VPS the domains have the same name server for both host names (at the register) I think some call these glue records.
>
> we know that already and it's wrong

I would not argue that with you.

> you can't have proper DNS with only one nameserver
>
> you can't have proper DNS with two nameservers in the same network or on the same line
>
> if you can't provide the minimum of *two* completely independent nameservers you can't host DNS - it's that easy

I would submit to you that a lot of people are running one name server for their websites. One name server seems to be the norm for Plesk. I think ISOPConfig and Webmin probably configure themselves in the same way.

> [harry@srv-rhsoft:~]$ nslookup ns1.thelounge.net 8.8.8.8
> Server:         8.8.8.8
> Address:        8.8.8.8#53
>
> Non-authoritative answer:
> Name:   ns1.thelounge.net
> Address: 85.124.176.242
>
> [harry@srv-rhsoft:~]$ nslookup ns2.thelounge.net 8.8.8.8
> Server:         8.8.8.8
> Address:        8.8.8.8#53
>
> Non-authoritative answer:
> Name:   ns2.thelounge.net
> Address: 91.118.73.16

Thank You So Much For Your Feedback!!
Re: Need Help with BIND9
On 2021-06-15 01:38, Reindl Harald wrote:
> On 15.06.21 at 10:31, Reindl Harald wrote:
>> On 14.06.21 at 22:37, techli...@phpcoderusa.com wrote:
>>>> keiththewebguy.com [1]. does not actually have the two nameservers required though that is not the problem. (ns1 and ns2 have same IP)
>>>
>>> I have a VPS that runs Plesk and there is only one name server so for every domain I have hosted on that VPS the domains have the same name server for both host names (at the register) I think some call these glue records.
>>
>> we know that already and it's wrong
>>
>> you can't have proper DNS with only one nameserver
>>
>> you can't have proper DNS with two nameservers in the same network or on the same line
>>
>> if you can't provide the minimum of *two* completely independent nameservers you can't host DNS - it's that easy
>
> https://www.iana.org/help/nameserver-requirements
>
> Minimum number of name servers
>
> There must be at least two NS records listed in a delegation, and the hosts must not resolve to the same IP address.

Thanks!!
Re: Need Help with BIND9
I think I stumbled upon a problem with the zone records for keiththewebguy.com. It could be the root issue you are having.

If I run

dig ns +trace keiththewebguy.com

I got the following for the last record from your name servers:

ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
keiththewebguy.com. 86400 IN NS ns1.
keiththewebguy.com. 86400 IN NS ns2.
;; Received 129 bytes from 98.191.108.149#53(ns2.keiththewebguy.com) in 84 ms

If I run the same query for any other domain I get a fully qualified host name for the name servers (ie ns1.keiththewebguy.com not ns1. ).

Lyle Giese
LCR Computer Services, Inc.

On 6/15/21 9:04 AM, techli...@phpcoderusa.com wrote:
> On 2021-06-15 01:38, Reindl Harald wrote:
>> On 15.06.21 at 10:31, Reindl Harald wrote:
>>> On 14.06.21 at 22:37, techli...@phpcoderusa.com wrote:
>>>>> keiththewebguy.com [1]. does not actually have the two nameservers required though that is not the problem. (ns1 and ns2 have same IP)
>>>>
>>>> I have a VPS that runs Plesk and there is only one name server so for every domain I have hosted on that VPS the domains have the same name server for both host names (at the register) I think some call these glue records.
>>>
>>> we know that already and it's wrong
>>>
>>> you can't have proper DNS with only one nameserver
>>>
>>> you can't have proper DNS with two nameservers in the same network or on the same line
>>>
>>> if you can't provide the minimum of *two* completely independent nameservers you can't host DNS - it's that easy
>>
>> https://www.iana.org/help/nameserver-requirements
>>
>> Minimum number of name servers
>>
>> There must be at least two NS records listed in a delegation, and the hosts must not resolve to the same IP address.
>
> Thanks!!
Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
On 6/10/21 8:38 AM, Tony Finch wrote:
> PGNet Dev wrote:
>> Has anyone here on-list figured out how to hook bind's internal signing process to *trigger* an external script to exec those API pushes?
>
> I have not, and I also want to be able to do this, and I also want scripting hooks for whenever any keys change so that I can stash them somewhere safer.
>
> Tony.

fyi, @

automation of DS Record submit to registrar/parent, integrated with 'new' kasp/dnssec-policy support in bind
https://gitlab.isc.org/isc-projects/bind9/-/issues/1890

the current feedback is

" ... we think the best way is that the user scripts this by them self ... "

and follows with

" ... it is more likely that the CDS/CDNSKEY polling will be more common than pushing DS updates. A couple of TLDs have implemented this already and it looks like there is some movement on this topic in the Registrar world."

Of course inaction by TLDs & Registrars has been years-long ...
Re: Need Help with BIND9
On 15.06.21 09:14, Lyle Giese wrote:
> I think I stumbled upon a problem with the zone records for keiththewebguy.com. It could be the root issue you are having.
>
> If I run
>
> dig ns +trace keiththewebguy.com
>
> I got the following for the last record from your name servers:
>
> ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
> keiththewebguy.com. 86400 IN NS ns1.
> keiththewebguy.com. 86400 IN NS ns2.

this is the problem. OP's NS records point to nonexistent hosts, and these are authoritative, so after each nameserver fetches them, it uses them and fails.

Most probably it's the "ns1" and "ns2" in zone end with "." which means that current $ORIGIN (apparently keiththewebguy.com) is not appended to them.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Depression is merely anger without enthusiasm.
Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
On 15-06-2021 16:32, PGNet Dev wrote:
> On 6/10/21 8:38 AM, Tony Finch wrote:
>> PGNet Dev wrote:
>>> Has anyone here on-list figured out how to hook bind's internal signing process to *trigger* an external script to exec those API pushes?
>>
>> I have not, and I also want to be able to do this, and I also want scripting hooks for whenever any keys change so that I can stash them somewhere safer.
>>
>> Tony.
>
> fyi, @
>
> automation of DS Record submit to registrar/parent, integrated with 'new' kasp/dnssec-policy support in bind
> https://gitlab.isc.org/isc-projects/bind9/-/issues/1890
>
> the current feedback is
>
> " ... we think the best way is that the user scripts this by them self ... "

A brief summary. Folks that are interested in the reasons why can read up and discuss here: https://gitlab.isc.org/isc-projects/bind9/-/issues/1890#note_220217

> and follows with
>
> " ... it is more likely that the CDS/CDNSKEY polling will be more common than pushing DS updates. A couple of TLDs have implemented this already and it looks like there is some movement on this topic in the Registrar world."
>
> Of course inaction by TLDs & Registrars has been years-long ...

You may be interested in the multi-signer project, that is now actively pushing for this: https://github.com/DNSSEC-Provisioning/Multi-signer/

Cheers,

Matthijs
Re: Need Help with BIND9
Thank you for your help!!

The zone file is the one I took from Plesk when I had keiththewebguy.com parked there. All I did was change the IP addresses.

I assume what you want me to do is add keiththewebguy.com to the two records making:

ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
keiththewebguy.com. 86400 IN NS ns1.keiththewebguy.com.
keiththewebguy.com. 86400 IN NS ns2.keiththewebguy.com.

From what I have read the SOA - "@ IN SOA ns1.keiththewebguy.com. ..." the ns1.keiththewebguy.com. should be the FQDN? That is the box host name plus the domain correct?

Thanks!!

On 2021-06-15 07:35, Matus UHLAR - fantomas wrote:
> On 15.06.21 09:14, Lyle Giese wrote:
>> I think I stumbled upon a problem with the zone records for keiththewebguy.com. It could be the root issue you are having.
>>
>> If I run
>>
>> dig ns +trace keiththewebguy.com
>>
>> I got the following for the last record from your name servers:
>>
>> ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
>> keiththewebguy.com. 86400 IN NS ns1.
>> keiththewebguy.com. 86400 IN NS ns2.
>
> this is the problem. OP's NS records point to nonexistent hosts, and these are authoritative, so after each nameserver fetches them, it uses them and fails.
>
> Most probably it's the "ns1" and "ns2" in zone end with "." which means that current $ORIGIN (apparently keiththewebguy.com) is not appended to them.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Depression is merely anger without enthusiasm.
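The two checks this thread turns on, the $ORIGIN trailing-dot rule Matus describes and the IANA minimum of two nameservers that do not share an address, as an added Python example that is not code from the thread or from BIND. The zone texts inside are constructed after the records quoted above, and the finding codes ("relative-ns", "missing-glue", "too-few-ns", "same-address") are names chosen for this example.

```python
"""Delegation linter for a BIND zone file (added example, not code from
this thread or from BIND).  Zone texts below are constructed after the
keiththewebguy.com and thelounge.net records quoted in the thread."""

from collections import defaultdict


def absolutize(name, origin):
    """Zone-file rule: a name ending in '.' is already absolute, '@' means
    the current origin, anything else gets $ORIGIN appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, zone):
    """Return (owner, type, rdata) for NS, A and AAAA records.  Optional TTL
    and class fields are skipped, as are other record types and the
    continuation lines of a multi-line SOA."""
    origin = owner = zone
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$TTL"):
            continue
        tokens = line.split()
        if not raw[0].isspace():                  # owner field present
            owner = absolutize(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        if len(tokens) < 2:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1]
        if rtype == "NS":
            rdata = absolutize(rdata, origin)
        if rtype in ("NS", "A", "AAAA"):
            records.append((owner, rtype, rdata))
    return records


def lint_delegation(text, zone_name):
    """Return (code, detail) findings for the apex NS set of the zone."""
    zone = zone_name.lower().rstrip(".") + "."
    records = parse_zone(text, zone)
    addrs = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs[owner].add(rdata)
    targets = sorted({r for o, t, r in records if t == "NS" and o == zone})
    findings = []
    for t in targets:
        if t.count(".") == 1:
            # "ns1." is a top-level name: almost certainly a relative label
            # written with a trailing dot, so $ORIGIN was never appended.
            findings.append(("relative-ns", t))
        elif t.endswith("." + zone) and t not in addrs:
            # In-bailiwick nameserver with no address record: no glue.
            findings.append(("missing-glue", t))
        # Out-of-bailiwick targets would need a lookup; not checked here.
    if len(targets) < 2:
        findings.append(("too-few-ns", str(len(targets))))
    first_owner = {}  # IANA rule: the NS hosts must not share an address
    for t in targets:
        for ip in sorted(addrs.get(t, ())):
            if ip in first_owner and first_owner[ip] != t:
                findings.append(("same-address", f"{first_owner[ip]} {t} {ip}"))
            first_owner.setdefault(ip, t)
    return findings


# Constructed after the broken records seen with dig +trace in the thread.
BROKEN_ZONE = """\
$TTL 86400
$ORIGIN keiththewebguy.com.
@    IN SOA ns1 hostmaster 2021061501 7200 3600 1209600 86400
@    IN NS  ns1.
@    IN NS  ns2.
ns1  IN A   98.191.108.149
ns2  IN A   98.191.108.149
"""

# The corrected zone: NS targets written relative so $ORIGIN is appended.
FIXED_ZONE = BROKEN_ZONE.replace("NS  ns1.", "NS  ns1").replace("NS  ns2.", "NS  ns2")

# Constructed after the thelounge.net lookups: two hosts, two addresses.
GOOD_ZONE = """\
$ORIGIN thelounge.net.
@    86400 IN NS  ns1
@    86400 IN NS  ns2
ns1  86400 IN A   85.124.176.242
ns2  86400 IN A   91.118.73.16
"""
```

Note that FIXED_ZONE still yields a "same-address" finding: adding the origin fixes the broken delegation, but the single-IP setup Reindl objects to remains a separate problem.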
Re: 'managed-keys' is deprecated ??
On 15-06-2021 07:46, ToddAndMargo via bind-users wrote:
> On 6/14/21 9:30 PM, Jim Popovitch via bind-users wrote:
>> On Tue, 2021-06-15 at 14:27 +1000, Mark Andrews wrote:
>>> https://downloads.isc.org/isc/bind9/9.16.16/doc/arm/Bv9ARM.pdf
>>
>> The modern-day RTFM :-)
>>
>> -Jim P.
>
> "Just Google it." The new RTFM. Chuckle!
>
> And "'managed-keys' is deprecated" is a bug. I just reported:
>
> named-checkconf gives confusing depreciated 'managed-keys' message
> https://bugzilla.redhat.com/show_bug.cgi?id=1972022
>
> :'(
>
> -T

On 6/15/21 12:26 AM, Matthijs Mekking wrote:
> Hi -T,
>
> I cannot reproduce this confusing warning message. Please use the
> absolute path /var/named/chroot/etc/named.root.key in
> https://bugzilla.redhat.com/show_bug.cgi?id=1972022
>
> Best regards,
>
> Matthijs

Hi Matthijs,

OH POOP!!! I have TWO named.root.key's. The one in /etc/named.root.key is the good one from Fedora 34 and the one in /var/named/chroot/etc/named.root.key is the deprecated one from Fedora 33.

I manually fixed the issue.

Question: was the named-chroot RPM post installation script supposed to update named.root.key in chroot, or was I supposed to do that?

Many thanks,

-T
Re: My FC33->FC34 bind-chroot upgrade notes
On 6/14/21 10:02 PM, ToddAndMargo via bind-users wrote:
> Hi All,
>
> Thank you all for the enormous help in me getting bind-chroot working after upgrading to Fedora 34. Here are my notes. Hope this helps someone else.
>
> -T

Well, if at first you don't succeed, revise! See changes to named.root.key

Broken bind-chroot repair after upgrading to Fedora 34:

# means root
$ means user

1) temporary workaround so you can surf the Internet for help:

Change /etc/resolv.conf to

# search your_domain
# nameserver your_IP
nameserver 208.67.222.123

2) in their "ultimate wisdom", the rpm maintainers disabled the service after upgrading it. See the following bug I posted on 2021-06-14:

Bind-chroot upgrade from FC3 to FC34 disables the service breaking a server
https://bugzilla.redhat.com/show_bug.cgi?id=1972000

To repair:

# systemctl enable named-chroot.service
# systemctl start named-chroot.service

Other useful command(s):

# systemctl stop named-chroot.service
# systemctl status named-chroot.service
# systemctl restart named-chroot.service

3) the new version of bind-chroot enables "dns security validation" by default.

Make sure you do not have two `named.root.key` kicking around. One in /etc/named.root.key and one in /var/named/chroot/etc/named.root.key

The bad one is the one that starts with `managed-keys {`, which is deprecated. The good one starts with `trust-anchors {`

If the one in chroot is bad:

# mv /var/named/chroot/etc/named.root.key /var/named/chroot/etc/named.root.key.deprediated
# mv /etc/named.root.key /var/named/chroot/etc/named.root.key
# ln -s /var/named/chroot/etc/named.root.key /etc/named.root.key

To repair, place the following in your named.conf:

by itself at the bottom:

include "/etc/named.root.key";

Note: the actual location is: /var/named/chroot/etc/named.root.key

add the following to your "options" block:

dnssec-validation yes;

Other useful command(s):

Validation check:

$ delv @$IP com ds

$ delv @208.67.222.123 com ds
; fully validated
...

4) check (and repair) your configurations:

named.conf:

# named-checkconf -l -t /var/named/chroot /etc/named.conf

Note: if you get the following error message,
`/etc/named.root.key:1: option 'managed-keys' is deprecated`
you may have two separate named.root.key files. This will read the one in chroot.

Zones:

# named-checkzone -t directory domain filename

Note: the "domain name" in the following comes from named.conf zone, not `domainname`.

For example:

zone "abc.local" {
    type master;
    file "slaves/rent-a-nerd.hosts";
    allow-update { key DHCP_UPDATER; };
};

The "domain" is the name of the "zone". "abc.local" in the above

# named-checkzone -t /var/named/chroot/var/named/slaves abc.local abc.hosts
zone abc.local/IN: loaded serial 265
OK

# named-checkzone -t /var/named/chroot/var/named/slaves 255.168.192.in-addr.arpa abc.hosts.rev
zone 255.168.192.in-addr.arpa/IN: loaded serial 213
OK

5) restart the bind-chroot service:

Change /etc/resolv.conf back to

search your_domain
nameserver your_IP
# nameserver 208.67.222.123

# systemctl restart named-chroot.service

check for and repair errors with:

$ systemctl status named-chroot.service
# tail -f /var/log/messages
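A check for step 3 of the notes above, written as an added Python example (not code from the thread, from Fedora or from BIND): it classifies each named.root.key copy by its first statement, ignoring named.conf-style comments, and reports whether the copy under the chroot, the one named-checkconf -t and the chroot'ed named read, is the deprecated one. The two paths are the ones the notes mention; the sample file contents are constructed placeholders.

```python
"""Classify named.root.key copies as deprecated (managed-keys) or current
(trust-anchors).  Added example for the repair notes above; not code from
the thread, from Fedora or from BIND.  The two paths are the ones the
notes mention; the sample file contents are constructed placeholders."""

import os
import re

CANDIDATES = ("/etc/named.root.key", "/var/named/chroot/etc/named.root.key")

# named.conf comment syntax: /* ... */, // ... and # ...
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_STATEMENT = re.compile(r"\b(managed-keys|trust-anchors)\s*\{")


def classify(text):
    """Return 'deprecated', 'current' or 'unknown' from the first
    trust-anchor statement in the file, with comments stripped first."""
    match = _STATEMENT.search(_COMMENT.sub("", text))
    if match is None:
        return "unknown"
    return "deprecated" if match.group(1) == "managed-keys" else "current"


def check_root_keys(paths=CANDIDATES):
    """Classify each candidate path.  A symlink is reported with its target
    so a reader can see that two names refer to one file (as after the
    ln -s step in the notes)."""
    report = {}
    for path in paths:
        if os.path.islink(path):
            report[path] = "symlink -> " + os.path.realpath(path)
        elif not os.path.isfile(path):
            report[path] = "missing"
        else:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = classify(fh.read())
    return report


def chroot_copy_is_deprecated(report, chroot="/var/named/chroot"):
    """named-checkconf -t <chroot> and a chroot'ed named read the copy under
    the chroot, so that is the copy whose statement matters."""
    return any(p.startswith(chroot) and v == "deprecated"
               for p, v in report.items())


# Constructed samples of the two file shapes described in the notes.
OLD_STYLE = """\
/* Deprecated form: managed-keys */
managed-keys {
    . initial-key 257 3 8 "EXAMPLE-KEY-MATERIAL-PLACEHOLDER";
};
"""

NEW_STYLE = """\
# Current form: trust-anchors
trust-anchors {
    . initial-key 257 3 8 "EXAMPLE-KEY-MATERIAL-PLACEHOLDER";
};
"""
```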
Re: Need Help with BIND9
Yep, that fixed it.

Lyle

On 6/15/21 2:23 PM, techli...@phpcoderusa.com wrote:
> Thank you for your help!!
>
> The zone file is the one I took from Plesk when I had keiththewebguy.com parked there. All I did was change the IP addresses.
>
> I assume what you want me to do is add keiththewebguy.com to the two records making:
>
> ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
> keiththewebguy.com. 86400 IN NS ns1.keiththewebguy.com.
> keiththewebguy.com. 86400 IN NS ns2.keiththewebguy.com.
>
> From what I have read the SOA - "@ IN SOA ns1.keiththewebguy.com. ..." the ns1.keiththewebguy.com. should be the FQDN? That is the box host name plus the domain correct?
>
> Thanks!!
>
> On 2021-06-15 07:35, Matus UHLAR - fantomas wrote:
>> On 15.06.21 09:14, Lyle Giese wrote:
>>> I think I stumbled upon a problem with the zone records for keiththewebguy.com. It could be the root issue you are having.
>>>
>>> If I run
>>>
>>> dig ns +trace keiththewebguy.com
>>>
>>> I got the following for the last record from your name servers:
>>>
>>> ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
>>> keiththewebguy.com. 86400 IN NS ns1.
>>> keiththewebguy.com. 86400 IN NS ns2.
>>
>> this is the problem. OP's NS records point to nonexistent hosts, and these are authoritative, so after each nameserver fetches them, it uses them and fails.
>>
>> Most probably it's the "ns1" and "ns2" in zone end with "." which means that current $ORIGIN (apparently keiththewebguy.com) is not appended to them.
>>
>> --
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Warning: I do NOT want to receive any advertising mail at this address.
>> Depression is merely anger without enthusiasm.
Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
Matthijs Mekking wrote:
>
> A brief summary. Folks that are interested in the reasons why can read
> up and discuss here:
>
> https://gitlab.isc.org/isc-projects/bind9/-/issues/1890#note_220217

So the fundamental design issue here is related to edge-triggered vs. level-triggered activities, and which is easier to implement both for named and for the hostmaster's scripts.

With an edge-triggered design you have to avoid falling into the trap of assuming that exactly-once is possible (it isn't!) so you need a closed feedback loop with retries. Specifically, for key management, named needs to be able to say, I have changed the state of this key, and keep saying that at every key refresh interval until some script confirms that it has done what it needs to do, before named moves on to the next state. (This applies to changes like newly created keys that need to be saved, as well as CDS state changes.)

How should named say that a key has changed? It's a multithreaded program so it can't fork (not without a single-threaded helper process) so maybe it should fire off a message to a socket that the script machinery can listen to. (Maybe abuse NOTIFY for the purpose?) The feedback loop can be closed using an rndc command.

The questions for a level-triggered design are more to do with introspection and performance. Introspection: how can I find out the state of the keys and the state of the world, detect if there is a mismatch, and know what needs to be done to get the world to match the keys? Performance: do I have to do this check every hour (or whatever the key maintenance interval is) for every zone, or is there some way to avoid futile repeated work?

In a level-triggered design it must still be possible to configure named not to move on to the next state without confirmation from the script that it is safe to do so, e.g. using rndc, same as is needed in an edge-triggered design.

In my case I'm storing keys in a git repository, encrypting the private parts with gpg, so I need to know about all key state changes, not just CDS changes. I can implement a level-triggered design using something like `git status` and/or `git diff` to detect mismatches (assuming my script only commits to the git repository when it is sure it has updated the world as required). That will perform OK at my small scale, but I'm not sure if I have the necessary introspection tools - I guess I'll have to grovel around in the guts of the key files to find out what needs doing?

An edge-triggered design would be a bit easier since my script would just receive an instruction and act on it in an idempotent manner. No need for it to work out what has changed or what needs doing, and it would clearly scale per change rather than per zone.

Tony.
--
f.anthony.n.finch  https://dotat.at/
St Davids Head to Great Orme Head, including St Georges Channel: South or southwest 4 or 5, occasionally 6 near Anglesey, becoming variable 2 to 4 later. Slight, occasionally moderate. Fair at first, then occasional rain or drizzle. Moderate or good, occasionally poor.
Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
On 6/15/21 4:40 PM, Tony Finch wrote:
> How should named say that a key has changed? It's a multithreaded program so it can't fork (not without a single-threaded helper process) so maybe it should fire off a message to a socket that the script machinery can listen to. (Maybe abuse NOTIFY for the purpose?) The feedback loop can be closed using an rndc command.

With a NOTIFY, something like _your_ old listener

   nsnotifyd: handle DNS NOTIFY messages by running a command
   https://dotat.at/prog/nsnotifyd/
   https://github.com/fanf2/nsnotifyd

gets interesting. Don't know yet how dusty that is, or relevant to current bind 9.16+, etc. -- but the general 'respond immediately to a NOTIFY' sounds quite useful.
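Added example, not code from nsnotifyd or from either post: the edge-triggered hook both posts sketch, in its smallest form. It parses a DNS NOTIFY request (RFC 1996), runs an idempotent handler once per message, and returns the reply that stops the sender's retries; the zone name and message id are constructed sample values, and nothing here authenticates the sender.

```python
import struct

OPCODE_NOTIFY = 4            # RFC 1996 opcode
QTYPE_SOA, QCLASS_IN = 6, 1

def encode_name(name):
    """Wire-encode a dotted name: "example.net." -> b"\\x07example\\x03net\\x00"."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Decode an uncompressed name at msg[off]; return (dotted name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        if ln & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def build_notify(zone, msg_id=0x1234):
    """Constructed NOTIFY request as a primary would send it: AA set, one SOA IN question."""
    header = struct.pack("!HHHHHH", msg_id, (OPCODE_NOTIFY << 11) | 0x0400, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)

def parse_notify(msg):
    """Return (id, zone) for a well-formed NOTIFY request; raise ValueError on anything else."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_NOTIFY or qdcount != 1:
        raise ValueError("not a NOTIFY request with one question")
    zone, off = decode_name(msg, 12)
    if len(msg) < off + 4:
        raise ValueError("truncated question")
    if struct.unpack("!HH", msg[off:off + 4]) != (QTYPE_SOA, QCLASS_IN):
        raise ValueError("question is not SOA IN")
    return msg_id, zone

def handle_notify(msg, on_notify):
    """Run the hook, then reply with the same id and question, QR bit set, RCODE NOERROR."""
    msg_id, zone = parse_notify(msg)
    on_notify(zone)  # hook must be idempotent: the sender retries until it sees this reply
    header = struct.pack("!HHHHHH", msg_id, 0x8000 | (OPCODE_NOTIFY << 11) | 0x0400, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
```

To serve this for real, read datagrams off a UDP socket, pass each to handle_notify and send the return value back to the peer, and restrict the accepted source address (or require TSIG) so a forged NOTIFY cannot trigger the hook.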
Re: Need Help with BIND9
Dude!!  Thanks!!

On 2021-06-15 12:58, Lyle Giese wrote:
> Yep, that fixed it.
>
> Lyle
>
> On 6/15/21 2:23 PM, techli...@phpcoderusa.com wrote:
>> Thank you for your help!!
>>
>> The zone file is the one I took from Plesk when I had keiththewebguy.com parked there. All I did was change the IP addresses.
>>
>> I assume what you want me to do is add keiththewebguy.com to the two records making:
>>
>>    ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
>>    keiththewebguy.com. 86400 IN NS ns1.keiththewebguy.com.
>>    keiththewebguy.com. 86400 IN NS ns2.keiththewebguy.com.
>>
>> From what I have read the SOA - "@ IN SOA ns1.keiththewebguy.com. ..." the ns1.keiththewebguy.com. should be the FQDN? That is the box host name plus the domain correct?
>>
>> Thanks!!
>>
>> On 2021-06-15 07:35, Matus UHLAR - fantomas wrote:
>>> On 15.06.21 09:14, Lyle Giese wrote:
>>>> I think I stumbled upon a problem with the zone records for keiththewebguy.com. It could be the root issue you are having.
>>>>
>>>> If I run dig ns +trace keiththewebguy.com I got the following for the last record from your name servers:
>>>>
>>>>    ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
>>>>    keiththewebguy.com. 86400 IN NS ns1.
>>>>    keiththewebguy.com. 86400 IN NS ns2.
>>>
>>> this is the problem. OP's NS records point to nonexistent hosts, and these are authoritative, so after each nameserver fetches them, it uses them and fails.
>>>
>>> Most probably it's the "ns1" and "ns2" in zone end with "." which means that current $ORIGIN (apparently keiththewebguy.com) is not appended to them.
>>>
>>> --
>>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>>> Warning: I wish NOT to receive e-mail advertising to this address.
>>> Warning: I do NOT want to receive any advertising mail at this address.
>>> Depression is merely anger without enthusiasm.
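Added example, not from anyone in the thread: a small checker for the mistake diagnosed above, where an NS target written as `ns1.` is an absolute single-label name and so never gets $ORIGIN appended. The zone text is constructed to reproduce that shape (the origin and address are the ones quoted in the thread; the SOA line and serial are invented), and the parser assumes one record per line and no owner name spelled like an RR type.

```python
NAME_TARGET_TYPES = {"NS", "CNAME", "PTR", "MX", "SRV"}   # RR types whose last field is a name

# Constructed zone text with the same shape as the broken one in the thread.
ZONE_TEXT = """\
$ORIGIN keiththewebguy.com.
$TTL 86400
@   IN SOA ns1.keiththewebguy.com. hostmaster.keiththewebguy.com. 2021061500 7200 3600 1209600 86400
    IN NS ns1.
    IN NS ns2.
ns1 IN A 98.191.108.149
ns2 IN A 98.191.108.149
"""

def absolutize(name, origin):
    """Apply the $ORIGIN rule: a name ending in '.' is already absolute, anything else gets origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin.lstrip(".")

def check_zone(zone_text):
    """Return (line, type, target, suggested target) for every name-valued RR whose target is a
    single-label absolute name such as "ns1.", which never means ns1.<origin>."""
    origin = "."          # named-checkzone would use the zone name; "." here if $ORIGIN is absent
    findings = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        toks = raw.split(";", 1)[0].split()        # drop ; comments, split on whitespace
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0].startswith("$"):
            continue                               # $TTL and friends carry no target
        rtype = next((t.upper() for t in toks if t.upper() in NAME_TARGET_TYPES), None)
        if rtype is None:
            continue
        target = toks[-1]
        if target.endswith(".") and target.count(".") == 1:
            findings.append((lineno, rtype, target, absolutize(target[:-1], origin)))
    return findings
```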
Re: My FC33->FC34 bind-chroot upgrade notes
On 6/15/21 12:51 PM, ToddAndMargo via bind-users wrote:
> On 6/14/21 10:02 PM, ToddAndMargo via bind-users wrote:
>> Hi All,
>>
>> Thank you all for the enormous help in me getting bind-chroot working after upgrading to Fedora 34.
>>
>> Here are my notes. Hope this helps someone else.
>>
>> -T

Here are my revised, revised note. Ed had to straighten me out on some boo-boos:

Broken bind-chroot repair after upgrading to Fedora 34:

# means root
$ means user

1) temporary workaround so you can surf the Internet for help:

   Change /etc/resolv.conf to
      # search your_domain
      # nameserver your_IP
      nameserver 208.67.222.123

2) in their "ultimate wisdom", the rpm maintainers disabled the service after upgrading it.

   See the following bug I posted on 2021-06-14:
      Bind-chroot upgrade from FC3 to FC34 disables the service breaking a server
      https://bugzilla.redhat.com/show_bug.cgi?id=1972000

   To repair:
      # systemctl enable named-chroot.service
      # systemctl start named-chroot.service

   Other useful command(s):
      # systemctl stop named-chroot.service
      # systemctl status named-chroot.service
      # systemctl restart named-chroot.service

3) position named.conf and named.root.key:

   When the bind-chroot service starts, it copies the following into the chroot directory. Don't you do it!
      cp /etc/named.conf /var/named/chroot/etc/.
      cp /etc/named.root.key /var/named/chroot/etc/.

   So the ones in your /etc/ directory are your masters.

   To trigger this:
      a) make sure /etc/named.conf and /etc/named.root.key are your masters
      b) stop name-bind
         # systemctl stop named-chroot
      c) make sure the following do not exist:
         /var/named/chroot/etc/named.conf
         /var/named/chroot/etc/named.root.key
      d) restart the service
         # systemctl start named-chroot

4) the new version of bind-chroot enables "dns security validation" by default.

   Make sure you do not have two `named.root.key` kicking around. One in /etc/named.root.key and one in /var/named/chroot/etc/named.root.key

   The bad one is the one that starts with `managed-keys {`, which is deprecated.
   The good one starts with `trust-anchors {`

   If the one in chroot is bad:
      # mv /var/named/chroot/etc/named.root.key /var/named/chroot/etc/named.root.key.deprecated
      # mv /etc/named.root.key /var/named/chroot/etc/named.root.key
      # ln -s /var/named/chroot/etc/named.root.key /etc/named.root.key

   To repair, place the following in your named.conf:

      by itself at the bottom:
         include "/etc/named.root.key";
         Note: the actual location is: /var/named/chroot/etc/named.root.key

      add the following to your "options" block:
         dnssec-validation yes;

   Other useful command(s):
      Validation check:
         $ delv @$IP com ds
         $ delv @208.67.222.123 com ds
         ; fully validated
         ...

5) check (and repair) your configurations:

   named.conf:
      # named-checkconf -l -t /var/named/chroot /etc/named.conf

      Note: if you get the following error message,
         `/etc/named.root.key:1: option 'managed-keys' is deprecated`
      you may have two separate named.root.conf files. This will read the one in chroot.

   Zones:
      # named-checkzone -t directory domain filename

      Note: the "domain name" in the following comes from named.conf zone, not `domainname`. For example:

         zone "abc.local" {
            type master;
            file "slaves/rent-a-nerd.hosts";
            allow-update { key DHCP_UPDATER; };
         };

      The "domain" is the name of the "zone". "abc.local" in the above

         # named-checkzone -t /var/named/chroot/var/named/slaves abc.local abc.hosts
         zone abc.local/IN: loaded serial 265
         OK

         # named-checkzone -t /var/named/chroot/var/named/slaves 255.168.192.in-addr.arpa abc.hosts.rev
         zone 255.168.192.in-addr.arpa/IN: loaded serial 213
         OK

6) restart the bind-chroot service:

   Change /etc/resolv.conf back to
      search your_domain
      nameserver your_IP
      # nameserver 208.67.222.123

      # systemctl restart named-chroot.service

   check for and repair errors with:
      $ systemctl status named-chroot.service
      # tail -f /var/log/messages
Re: My FC33->FC34 bind-chroot upgrade notes
On 6/15/21 6:59 PM, ToddAndMargo via bind-users wrote:
> On 6/15/21 12:51 PM, ToddAndMargo via bind-users wrote:
>> On 6/14/21 10:02 PM, ToddAndMargo via bind-users wrote:
>>> Hi All,
>>>
>>> Thank you all for the enormous help in me getting bind-chroot working after upgrading to Fedora 34.
>>>
>>> Here are my notes. Hope this helps someone else.
>>>
>>> -T
>
> Here are my revised, revised note. Ed had to straighten me out on some boo-boos:

I hope this is the last time I have to revise this!

Broken bind-chroot repair after upgrading to Fedora 34:

# means root
$ means user

1) temporary workaround so you can surf the Internet for help:

   Change /etc/resolv.conf to
      # search your_domain
      # nameserver your_IP
      nameserver 208.67.222.123

2) in their "ultimate wisdom", the rpm maintainers disabled the service after upgrading it.

   To repair:
      # systemctl enable named-chroot.service
      # systemctl start named-chroot.service

   Other useful command(s):
      # systemctl stop named-chroot.service
      # systemctl status named-chroot.service
      # systemctl restart named-chroot.service

3) position named.conf and named.root.key:

   When the bind-chroot service starts, it copies the following into the chroot directory. Don't you do it! This will fail if it finds them there already. Then things get really confusing.

      /etc/named.conf copies to /var/named/chroot/etc/.
      /etc/named.root.key copies to /var/named/chroot/etc/.

   The ones in your /etc directory are your masters.

   When the named-chroot service is stopped, make sure you do not have two copies of either or both `named.conf` and `named.root.key` kicking around:

      /etc/named.conf
      /var/named/chroot/etc/named.conf       <-- should not be there when stopped
      /etc/named.root.key
      /var/named/chroot/etc/named.root.key   <-- should not be there when stopped

   The ones in the chroot directory should have disappeared. Make sure you only have one /etc/named.conf and /etc/named.root.key.

   If you have two named.root.key's kicking around, the one that starts with trust-anchors { is the good one.

   To trigger the copy:
      a) make sure /etc/named.conf and /etc/named.root.key are your masters
      b) stop name-bind
         # systemctl stop named-chroot
      c) make sure the following do not exist:
         /var/named/chroot/etc/named.conf
         /var/named/chroot/etc/named.root.key
      d) update /etc/named.conf and /etc/named.root.key as desired
      e) restart the service
         # systemctl start named-chroot

4) the new version of bind-chroot enables "dns security validation" by default.

   Note: make sure /etc/named.root.key starts with `trust-anchors {`. `managed-keys {` is deprecated.

   Note: you should only have one named.root.key. /etc/named.root.key is your master. If the named-chroot service is stopped, the one in /var/named/chroot/etc should disappear.

   To properly configure (repair), place the following in your named.conf:

      add the following to your "options" block:
         dnssec-validation yes;

      by itself at the bottom:
         include "/etc/named.root.key";

   Then restart the service:
      # systemctl restart bind-named.service

   Other useful command(s):
      Validation check:
         $ delv @$IP com ds
         $ delv @208.67.222.123 com ds
         ; fully validated
         ...

5) check (and repair) your configurations:

   named.conf:
      # named-checkconf -l -t /var/named/chroot /etc/named.conf

   Zones:
      # named-checkzone -t directory domain filename

      Note: the "domain name" is the "zone" name from named.conf zone, not `domainname`. For example:

         zone "abc.local" {
            type master;
            file "slaves/abc.hosts";
            allow-update { key DHCP_UPDATER; };
         };

      The "domain" is the name of the "zone". "abc.local" in the above.

      You should check both your forward and reverse zones.

      Examples:
         # named-checkzone -t /var/named/chroot/var/named/slaves abc.local abc.hosts
         zone abc.local/IN: loaded serial 265
         OK

         # named-checkzone -t /var/named/chroot/var/named/slaves 255.168.192.in-addr.arpa abc.hosts.rev
         zone 255.168.192.in-addr.arpa/IN: loaded serial 213
         OK

6) restart the bind-chroot service:

   Change /etc/resolv.conf back to
      search your_domain
      nameserver your_IP
      # nameserver 208.67.222.123

   Restart the service:
      # systemctl restart named-chroot.service

   Check for and repair startup errors with:
      $ systemctl status named-chroot.service
      # tail -f /var/log/messages
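Added example, not the poster's: a preflight check for the layout the notes above describe, run against a filesystem root so it can be tried on a scratch tree first. It uses the paths from the notes (/etc/named.conf, /etc/named.root.key and their chroot copies), assumes that inner blocks of named.conf are indented so that `};` at the start of a line closes the options block, and complements rather than replaces named-checkconf.

```python
import os
import re

# Paths from the notes, relative to the filesystem root passed to preflight().
MASTER_CONF = "etc/named.conf"
MASTER_KEY = "etc/named.root.key"
CHROOT_COPIES = ("var/named/chroot/etc/named.conf", "var/named/chroot/etc/named.root.key")

def _read(root, rel):
    """Return the file's text with //, # and /* */ comments removed, or None if it is absent."""
    path = os.path.join(root, rel)
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return re.sub(r"(//|#)[^\n]*|/\*.*?\*/", "", fh.read(), flags=re.S)

def preflight(root="/", service_stopped=True):
    """List the problems the notes warn about (empty list means the layout looks right)."""
    problems = []
    key = _read(root, MASTER_KEY)
    if key is None:
        problems.append(f"{MASTER_KEY} missing")
    elif key.lstrip().startswith("managed-keys"):
        problems.append(f"{MASTER_KEY} uses deprecated 'managed-keys'; expected 'trust-anchors {{'")
    elif not key.lstrip().startswith("trust-anchors"):
        problems.append(f"{MASTER_KEY} does not start with 'trust-anchors {{'")
    if service_stopped:   # copies under the chroot should only exist while named-chroot runs
        for rel in CHROOT_COPIES:
            if os.path.lexists(os.path.join(root, rel)):
                problems.append(f"stale copy {rel} present while named-chroot is stopped")
    conf = _read(root, MASTER_CONF)
    if conf is None:
        problems.append(f"{MASTER_CONF} missing")
    else:
        if not re.search(r'include\s+"/etc/named\.root\.key"\s*;', conf):
            problems.append('named.conf lacks include "/etc/named.root.key";')
        opts = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)   # first unindented }; ends it
        if not opts or not re.search(r"dnssec-validation\s+yes\s*;", opts.group(1)):
            problems.append("options block lacks dnssec-validation yes;")
    return problems
```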
Re: My FC33->FC34 bind-chroot upgrade notes
Hi there,

On Wed, 16 Jun 2021, ToddAndMargo wrote:
> Re: My FC33->FC34 bind-chroot upgrade notes
>
> I hope this is the last time I have to revise this!
...

Unfortunately perhaps not.

...
> # means root
> $ means user
...

Sometimes, in your configuration file extracts, you use '#' meaning 'this line is a comment'. I guess this is a write-up for a novice. The non-novices here have overlooked it, but I'm much closer to the novice end of the BIND user spectrum than they are and if I were a *complete* novice, I'd find these uses of '#' very confusing.

--
73,
Ged.