Re: My FC33->FC34 bind-chroot upgrade notes
On 6/15/21 11:54 PM, G.W. Haywood via bind-users wrote:
> Hi there,
>
> On Wed, 16 Jun 2021, ToddAndMargo wrote:
>
>> Re: My FC33->FC34 bind-chroot upgrade notes
>>
>> I hope this is the last time I have to revise this!
>
> ... Unfortunately perhaps not. :'(
>
>> ...
>> # means root
>> $ means user
>> ...
>
> Sometimes, in your configuration file extracts, you use '#' meaning
> 'this line is a comment'. I guess this is a write-up for a novice.
> The non-novices here have overlooked it, but I'm much closer to the
> novice end of the BIND user spectrum than they are, and if I were a
> *complete* novice, I'd find these uses of '#' very confusing.

Which lines?

BIND is a hair puller at times.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: My FC33->FC34 bind-chroot upgrade notes
On 16.06.21 at 09:31, ToddAndMargo via bind-users wrote:
>>> ...
>>> # means root
>>> $ means user
>>> ...
>>
>> Sometimes, in your configuration file extracts, you use '#' meaning
>> 'this line is a comment'. I guess this is a write-up for a novice.
>> The non-novices here have overlooked it, but I'm much closer to the
>> novice end of the BIND user spectrum than they are, and if I were a
>> *complete* novice, I'd find these uses of '#' very confusing.
>
> Which lines?

lines starting with # -- here it is a comment sign

  Change /etc/resolv.conf back to
      search your_domain
      nameserver your_IP
      # nameserver 208.67.222.123

-- here it is meant as a command running as root

  Then restart the service:
      # systemctl restart bind-named.service
Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
PGNet Dev wrote:
>
> With a NOTIFY, something like _your_ old listener
>
>   nsnotifyd: handle DNS NOTIFY messages by running a command
>   https://dotat.at/prog/nsnotifyd/
>
> Don't know yet how dusty that is, or relevant to current bind 9.16+, etc. --
> -- but the general 'respond immediately to a NOTIFY' sounds quite useful.

Maaybe. Bare NOTIFY can say which zone's keys have changed, but not what
the state transition is, so it isn't what I would consider to be a
complete solution.

However, NOTIFY as specified is a slightly odd protocol - I say "as
specified" because no-one implements the odd parts, for good reasons. It
allows the initiator to include records in the answer section as a
"hint" about what has changed. There's no security, and no provision for
transmitting more than one rrtype at a time, or for transmitting the new
serial number, so it's fairly useless :-)

It also says that future revisions might specify what it means to have a
non-zero number of records in the authority and/or additional section.

So I think it might be worth using these odd parts for a more complete
NOTIFY-for-keys, something like

    opcode = NOTIFY
    ; question section
    qtype = DNSKEY
    qname =
    ; additional section
    name =
    type = TXT
    rdata =

And nsnotifyd would need a little hacking to grab the state transition
code out of the packet.

(nsnotifyd is adequate as it is - it works, its users have not reported
bugs - but it is based on very old C resolver APIs for parsing DNS
packets, so it should only be allowed to talk to friends.)

https://datatracker.ietf.org/doc/html/rfc1996

(I remember NOTIFY's RFC number because it is the RFC whose number
matches its year of publication.)

Tony.
--
f.anthony.n.finch  https://dotat.at/
an equitable and peaceful international order
Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
On 6/16/21 7:04 AM, Tony Finch wrote:
> Maaybe. Bare NOTIFY can say which zone's keys have changed, but not what
> the state transition is, so it isn't what I would consider to be a
> complete solution.

Pulling the thread a bit more, Jan-Piet Mens @

  "Alert, backup, whatever on DNS NOTIFY with nsnotifyd"
  https://jpmens.net/2015/06/16/alert-on-dns-notify/

appears to refer to that same challenge,

  "This is a very welcome alternative to doing it in Perl, as I did when
  I wanted to be notified of new and changed KSK in a zone."

-->

  "Being notified of new and changed KSK in a zone"
  https://jpmens.net/2015/03/05/being-notified-of-new-an-changed-ksk-in-the-zone/

& implements a "key-listen.pl" script that listens for & reacts to KSK
changes.

From just reading (don't see the source code?), it's triggered by the
NOTIFY from NSD and subsequently polls for the DNSKEY RRSet ...

I don't yet know what specific state transition info is carried in that
_NOTIFY_, or if it's sufficient.
Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
@jpmens was kind enough to share the original basis for the simple perl
script referenced above, which to recollection was 'mainly an example
taken from the Net::DNS documentation.'

  #!/usr/bin/perl -w
  use strict;
  use Net::DNS::Nameserver;

  # Called by Net::DNS::Nameserver for every packet whose opcode is NOTIFY.
  sub notification {
      my ($qname, $qclass, $qtype, $peer, $packet) = @_;

      # We are being notified (NOTIFY) for domain $qname.
      print "WOW. Got NOTIFY for $qname!\n";

      # Submit this notification to your monitoring system. In
      # the case of Nagios, you could update a database table
      # from which it later reads the result, or you can
      # implement a passive notification, etc.

      return ('NOERROR', [], [], [], { aa => 1, opcode => 'NS_NOTIFY_OP'});
  }

  # Ordinary queries are not served by this listener: answer SERVFAIL.
  sub handler {
      my ($qname, $qclass, $qtype, $peer) = @_;
      my (@ans, @auth, @add);

      return ('SERVFAIL', \@ans, \@auth, \@add);
  }

  my $ns = Net::DNS::Nameserver->new(
      LocalAddr     => '127.0.0.2',
      LocalPort     => 53,
      ReplyHandler  => \&handler,        # Unused, but needs defining
      NotifyHandler => \&notification,
      Verbose       => 0,
      Debug         => 0,
  ) || die("Can't create nameserver object: $!");

  $ns->main_loop;

He also mentioned

  Logging of CDS/CDNSKEY generation for workflow
  https://gitlab.isc.org/isc-projects/bind9/-/issues/1748

which requests:

  Would it be possible to log CDS/CDNSKEY generation in such a way as
  that a "simple" workflow can be implemented in order to create tooling
  which reacts on the log and performs a dynamic update on a parent zone.
  Whenever a CDS/CDNSKEY is published in a child zone, BIND could create
  a log record indicating for which zone this has occurred.

and appears to have been implemented (?), but not committed/released.
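The following is an added example, not code from this thread, from nsnotifyd or from BIND. It puts the two technical points of the thread into runnable form: the "NOTIFY-for-keys" layout Tony Finch sketched (question qtype DNSKEY, a TXT record in the additional section carrying the state transition), and what a listener like the Perl script above has to do with such a packet (parse it, answer it per RFC 1996, and decide whether to trust it). The TXT payload format "state=<code>", the state code values and the trusted-peer list are assumptions made for the example; RFC 1996 defines no hint format. Only the standard library is used.

```python
"""DNS NOTIFY with a key-state hint: build, parse and answer (RFC 1996 wire format).

Added example; not code from the thread, nsnotifyd or BIND.  The TXT payload
"state=<code>" and the code values are assumptions made here.
"""
import struct

OPCODE_NOTIFY = 4
TYPE_TXT, TYPE_DNSKEY, CLASS_IN = 16, 48, 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Wire-encode a dotted owner name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # compression pointer
            hops += 1
            if hops > 64:                        # refuse pointer loops in hostile packets
                raise ValueError("pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def parse_header(msg):
    mid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": mid, "qr": bool(flags & FLAG_QR), "opcode": (flags >> 11) & 0xF,
            "aa": bool(flags & FLAG_AA), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_notify(zone, state=None, msg_id=0x1996):
    """NOTIFY for <zone>'s DNSKEY RRset; state=None gives a bare NOTIFY, otherwise
    a TXT "state=<code>" hint goes in the additional section."""
    flags = (OPCODE_NOTIFY << 11) | FLAG_AA
    question = encode_name(zone) + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
    additional = b""
    if state is not None:
        txt = ("state=" + state).encode("ascii")
        rdata = bytes([len(txt)]) + txt          # TXT rdata: one <character-string>
        additional = encode_name(zone) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1 if additional else 0)
    return header + question + additional


def parse_notify(msg):
    """Return zone, qtype and the hint (None if absent) from a NOTIFY request."""
    h = parse_header(msg)
    if h["qr"] or h["opcode"] != OPCODE_NOTIFY or h["qdcount"] != 1:
        raise ValueError("not a NOTIFY request")
    zone, off = decode_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    state = None
    for section, count in (("an", h["ancount"]), ("ns", h["nscount"]), ("ar", h["arcount"])):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if section == "ar" and rtype == TYPE_TXT and name == zone:
                i = 0
                while i < len(rdata):            # walk the <character-string>s
                    n = rdata[i]
                    s = rdata[i + 1:i + 1 + n].decode("ascii", "replace")
                    i += 1 + n
                    if s.startswith("state="):
                        state = s[6:]
    return {"id": h["id"], "zone": zone, "qtype": qtype, "state": state}


def build_reply(request):
    """RFC 1996 response: same ID, QR=1, opcode NOTIFY, question echoed, NOERROR."""
    mid = struct.unpack("!H", request[:2])[0]
    _, off = decode_name(request, 12)
    question = request[12:off + 4]
    flags = FLAG_QR | (OPCODE_NOTIFY << 11) | FLAG_AA
    return struct.pack("!HHHHHH", mid, flags, 1, 0, 0, 0) + question


def handle(msg, peer_ip, trusted_primaries):
    """Listener policy: NOTIFY carries no authentication, so answer only known
    primaries, and use the hint to pick what to re-query, never as the truth."""
    if peer_ip not in trusted_primaries:
        return None, None                        # drop silently
    info = parse_notify(msg)
    action = "query-dnskey-and-cds"              # hypothetical follow-up step name
    if info["state"]:
        action += ":" + info["state"]
    return build_reply(msg), action
```

The hint is only a cue: after `handle` returns an action, the real work is to fetch the zone's DNSKEY and CDS/CDNSKEY RRsets from the primary (over TSIG, or with DNSSEC validation) and act on what is actually published, exactly because an unauthenticated UDP packet could have come from anyone.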
Re: My FC33->FC34 bind-chroot upgrade notes
On 6/16/21 2:16 AM, Reindl Harald wrote:
> On 16.06.21 at 09:31, ToddAndMargo via bind-users wrote:
>>>> ...
>>>> # means root
>>>> $ means user
>>>> ...
>>>
>>> Sometimes, in your configuration file extracts, you use '#' meaning
>>> 'this line is a comment'. I guess this is a write-up for a novice.
>>> The non-novices here have overlooked it, but I'm much closer to the
>>> novice end of the BIND user spectrum than they are, and if I were a
>>> *complete* novice, I'd find these uses of '#' very confusing.
>>
>> Which lines?
>
> lines starting with # -- here it is a comment sign
>
>   Change /etc/resolv.conf back to
>       search your_domain
>       nameserver your_IP
>       # nameserver 208.67.222.123
>
> -- here it is meant as a command running as root
>
>   Then restart the service:
>       # systemctl restart bind-named.service

Does this alteration at the top make it any clearer?

  Note: at the command prompt, I use the following terminology:
      # means run as root
      $ means run as user
  Inside a file, "#" means it is a comment
A question on logging
Hi All,

In my named.conf

  logging {
      channel update_debug {
          # file "/var/named/chroot/var/named/slaves/named-update-debug.log";
          file "slaves/named-update-debug.log";
          severity debug 3;
          print-category yes;
          print-severity yes;
          print-time yes;
      };
      channel security_info {
          file "slaves/named-auth.info";
          severity info;
          print-category yes;
          print-severity yes;
          print-time yes;
      };
      category update { update_debug; };
      category security { security_info; };
  };

Questions:

1) is there some pruning of old stuff mechanism to keep my drive from
   being over run with logging data?

2) If I want to comment out the section, is there a block comment that
   can be used at the top and bottom of my logging statement that will
   keep me from having to put a # in front of every line?

Many thanks,
-T
RE: My FC33->FC34 bind-chroot upgrade notes
On 16 June 2021 7:31 pm, ToddAndMargo wrote:
>
> Does this alteration at the top make it any clearer?
>
>   Note: at the command prompt, I use the following terminology:
>       # means run as root
>       $ means run as user
>   Inside a file, "#" means it is a comment

Others might have better suggestions but the way I tend to do this is to
simply prefix any commands that must be run as root with 'sudo', eg;

  $ sudo rndc reconfig
  $ tail /var/log/syslog

Thus it's hopefully clear which lines need to be run with root
privileges and demonstrates using sudo to achieve this.

Best,
Richard.
Re: My FC33->FC34 bind-chroot upgrade notes
On 6/16/21 12:45 PM, Richard T.A. Neal wrote:
> On 16 June 2021 7:31 pm, ToddAndMargo wrote:
>> Does this alteration at the top make it any clearer?
>>
>>   Note: at the command prompt, I use the following terminology:
>>       # means run as root
>>       $ means run as user
>>   Inside a file, "#" means it is a comment
>
> Others might have better suggestions but the way I tend to do this is to
> simply prefix any commands that must be run as root with 'sudo', eg;
>
>   $ sudo rndc reconfig
>   $ tail /var/log/syslog
>
> Thus it's hopefully clear which lines need to be run with root
> privileges and demonstrates using sudo to achieve this.
>
> Best,
> Richard.

I have used su for such in the past:

  $ su root -c "command and parameters"

to make it obvious it is a root command. I personally can't stand the
sudo command, so I usually avoid it.

Lately, I just use # and $, but I can see now where that would cause
some confusion.
Re: My FC33->FC34 bind-chroot upgrade notes
On 16.06.21 at 20:31, ToddAndMargo via bind-users wrote:
> On 6/16/21 2:16 AM, Reindl Harald wrote:
>> On 16.06.21 at 09:31, ToddAndMargo via bind-users wrote:
>>>>> ...
>>>>> # means root
>>>>> $ means user
>>>>> ...
>>>>
>>>> Sometimes, in your configuration file extracts, you use '#' meaning
>>>> 'this line is a comment'. I guess this is a write-up for a novice.
>>>> The non-novices here have overlooked it, but I'm much closer to the
>>>> novice end of the BIND user spectrum than they are, and if I were a
>>>> *complete* novice, I'd find these uses of '#' very confusing.
>>>
>>> Which lines?
>>
>> lines starting with # -- here it is a comment sign
>>
>>   Change /etc/resolv.conf back to
>>       search your_domain
>>       nameserver your_IP
>>       # nameserver 208.67.222.123
>>
>> -- here it is meant as a command running as root
>>
>>   Then restart the service:
>>       # systemctl restart bind-named.service
>
> Does this alteration at the top make it any clearer?
>
>   Note: at the command prompt, I use the following terminology:
>       # means run as root
>       $ means run as user
>   Inside a file, "#" means it is a comment

not really - either use the ubuntu "sudo everything" or just type
"root: command" and "user: command"
Re: A question on logging
On 16/06/2021 20:36, ToddAndMargo via bind-users wrote:

Hi Todd,

> Questions:
>
> 1) is there some pruning of old stuff mechanism to
> keep my drive from being over run with logging
> data?

Yes, see section 4.2.9 of the BIND manual: https://bind9.readthedocs.io/

> 2) If I want to comment out the section, is there
> a block comment that can be used at the top
> and bottom of my logging statement that will
> keep me from having to put a # in front of
> every line?

Yes, see section 4.1.2 of the manual.

Regards,
Anand
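For readers who do not want to chase the manual sections, here is Todd's logging stanza rewritten with both answers applied. This is an added example, not a configuration posted in the thread; the version counts and size limits are illustrative values chosen for it.

```conf
logging {
    /* This is a block comment: named.conf accepts C-style comments,
       so a whole stanza can be disabled by wrapping it in one,
       without a "#" on every line.  "//" and "#" line comments
       are also accepted. */
    channel update_debug {
        // "versions" and "size" make named rotate the file itself:
        // keep five old copies and roll over once the file reaches 20 MB.
        // "size" on its own does not rotate: named stops writing to the
        // file when the limit is hit, which is worse than a full disk
        // for an audit trail.
        file "slaves/named-update-debug.log" versions 5 size 20m;
        severity debug 3;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel security_info {
        file "slaves/named-auth.info" versions 10 size 50m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category update { update_debug; };
    category security { security_info; };
};
```

Two things to check after changing this: `severity debug 3` on the update category is verbose on a server that takes many dynamic updates, so size the rotation for it, and the paths are relative to the `directory` option of the (chrooted) named, so the rotated files land next to the live one and must be writable by the named user.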
Re: A question on logging
Also... Logging is the topic most often searched on in our knowledge
base. We have one article on logging that is read more often than any
other, that we are planning to migrate to the ARM.

  https://kb.isc.org/docs/aa-01526

That article also references a webinar Carsten Strotmann presented
earlier this year on how to use and manage logs that I would also
recommend. He had a lot of practical tips.

Vicky
RHEL, Centos, Fedora rpm 9.16.17
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

https://www.five-ten-sg.com/mapper/bind contains links to the source
rpm, and build instructions. This .src.rpm contains a .tar.gz file with
the ARM documentation, so the rpm rebuild process does not need
sphinx-build and associated dependencies.

-----BEGIN PGP SIGNATURE-----

iHMEAREKADMWIQSuFMepaSkjWnTxQ5QvqPuaKVMWwQUCYMqYhBUcY2FybEBmaXZl
LXRlbi1zZy5jb20ACgkQL6j7milTFsEYgACeJssST9z3XssglZ/g9sgb0f0ixYwA
njPtvTLlYWMCjd0NQA3Ruk9Bnse6
=He28
-----END PGP SIGNATURE-----
How do I identify if bind9 is using 4 cores?
Hi Team,

I have BIND 9.16.17-Ubuntu on ubuntu and have 4 cores. I have configured

  more /etc/default/bind9
  OPTIONS="-n 4"

And then restarted the services. How do I verify if bind9 has spawned 4
processes and distributed among those?

TIA
Manish R
Re: How do I identify if bind9 is using 4 cores?
Does this mean and I can assume that bind has started with 4 cores?

     CGroup: /system.slice/named.service
             `-3150 /usr/sbin/named -f -u bind -n 4

--
Thanks and Regards,
Manish R

On Thu, Jun 17, 2021 at 9:02 AM Manish Rane wrote:

> Hi Team,
>
> I have BIND 9.16.17-Ubuntu on ubuntu and have 4 cores. I have configured
>
>   more /etc/default/bind9
>   OPTIONS="-n 4"
>
> And then restarted the services. How do I verify if bind9 has spawned 4
> processes and distributed among those?
>
> TIA
> Manish R
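The CGroup line above only proves that the `-n 4` flag was passed to the one named process; in BIND 9.16 `-n` sets the number of worker threads inside that process, so there is never a second PID to look for. The direct check is `rndc status`, which prints `CPUs found:` and `worker threads:` lines. The following added example (not code from the thread or from BIND) does the same thing from the OS side by listing named's threads and the CPU each last ran on, which also answers the "distributed among those" half of the question. The sample `ps` output is constructed for the example; the total thread count is normally higher than `-n` because named runs housekeeping threads as well as workers.

```python
"""Check the threads of a running named (added example, not from the thread).

Parses `ps -L -p PID -o tid=,psr=` output: one line per thread, fields
TID and PSR (the CPU that thread last ran on).  SAMPLE_PS_OUTPUT is a
constructed sample; live_check() runs the real command on Linux/procps.
"""
import subprocess


def summarize_threads(ps_lines):
    """Return (thread_count, set_of_cpus_used) from ps -L lines."""
    tids, cpus = set(), set()
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 2:
            continue                      # blank or malformed line
        tids.add(int(parts[0]))
        cpus.add(int(parts[1]))
    return len(tids), cpus


def check_worker_threads(ps_lines, wanted):
    """named starts housekeeping threads besides the workers, so the total
    must be at least `wanted`, and is usually a bit higher."""
    count, cpus = summarize_threads(ps_lines)
    return {"threads": count,
            "cpus_used": sorted(cpus),
            "enough_threads": count >= wanted}


def live_check(wanted=4):
    """Run against the real named.  Needs Linux procps; not run by the test."""
    pids = subprocess.run(["pgrep", "-x", "named"],
                          capture_output=True, text=True).stdout.split()
    if not pids:
        raise RuntimeError("named is not running")
    out = subprocess.run(["ps", "-L", "-p", pids[0], "-o", "tid=,psr="],
                         capture_output=True, text=True, check=True).stdout
    return check_worker_threads(out.splitlines(), wanted)


# Constructed sample of `ps -L -p 3150 -o tid=,psr=` for a named started
# with -n 4 on a 4-core host: six threads, spread over CPUs 0-3.
SAMPLE_PS_OUTPUT = """\
 3150   0
 3151   1
 3152   2
 3153   3
 3154   0
 3155   1
"""

if __name__ == "__main__":
    print(check_worker_threads(SAMPLE_PS_OUTPUT.splitlines(), 4))
```

`ls /proc/<pid>/task | wc -l` gives the same thread count without `ps`, and `taskset -cp <pid>` shows the CPU affinity mask if you suspect the threads are being pinned to fewer cores than you have.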
Re: My FC33->FC34 bind-chroot upgrade notes
On 6/16/21 2:52 PM, Reindl Harald wrote:
>> Does this alteration at the top make it any clearer?
>>
>>   Note: at the command prompt, I use the following terminology:
>>       # means run as root
>>       $ means run as user
>>   Inside a file, "#" means it is a comment
>
> not really - either use the ubuntu "sudo everything" or just type
> "root: command" and "user: command"

: that would confuse the dickens out of me. I program in Raku (Perl 6)
and ":" has a bunch of special meanings that I always forget. So ":"
gives me a start.