DNSSEC questions
Hi,

I've got a bunch of DNSSEC questions. Any advice would be appreciated.

The context is a little VM with six little zones, soon to be upgraded to debian-11 and bind-9.16.15. I haven't signed my zones before but now is the time. I'm going to rotate KSKs annually because it's finally so easy to do on debian stable. Thanks for that. I know it won't be totally automatic, and that's OK, but I'd like to check that I have the right idea of what to monitor for and what to do each time.

Q: Is it OK to use exact multiples for ksk/zsk lifetimes (e.g. 366d/61d)? I assume it's OK if there aren't too many keys to generate at once.

Q: Regarding "parent-propagation-delay" and CDS/CDNSKEY RRs: Assuming the registrar doesn't process them, does this equate to how long it takes me to notice there's a new DS to upload, plus how long it takes me to upload it via the registrar's website, plus how long it takes the registrar to publish the uploaded DS? Or is it, having instructed the registrar to add/remove a DS, how long after I've seen it published/withdrawn in the DNS and have run "rndc dnssec -checkds -key ID published/withdrawn ZONE" that the parent can be expected to propagate the DS addition/removal to all their servers? Or does "rndc dnssec -checkds" make "parent-propagation-delay" irrelevant except when the parent processes CDS/CDNSKEY RRs? I assume the last.

Q: Are CDS/CDNSKEY RRs always in the zone, or just temporarily there for a short time before and after KSK rollovers? I don't see them in the wild, so I assume the latter. I ask for monitoring purposes. What to monitor for withdrawal? I'm thinking I might want to monitor for DNSKEY additions and removals instead. More on that below.

Q: When would you want a DS RR for a ZSK (i.e. dnssec-dsfromkey -A)?

Q: Any idea why example.com has two KSK DNSKEY RRs? Might they be mid-rollover at the moment? There's only a DS for one of them. Perhaps it's just an example.

Q: What software could a registrar use to process CDS/CDNSKEY automatically? Just curious.

Q: Do any/many registrars support CDS/CDNSKEY/RFC7344 yet? It seems not.

Q: Is a "key-directory" option value that doesn't start with "/" relative to the "directory" option (i.e. a subdirectory)? I assume it is.

Q: Does the signed zone always have a serial that is the serial in the unsigned zone file plus one? If so, can I continue to use the following scheme for serials: a 10-digit number consisting of the date followed by a 2-digit sequence number, where I increment the serial in the zone file by one whenever I change the zone multiple times on the same day? e.g.

  serial in 1st zone file = 2021091000 signed and published as 202109101
  serial in 2nd zone file = 2021091001 signed and published as 202109102

i.e. Is it OK that the never-published serial in a new unsigned zone file is the same as the previously/currently published serial in the signed zone? Or is it better to increment the serial in the file by 2 instead of 1?

Q: Does the following sound right as a process for managing KSK rollovers?

- Monitor for the appearance of new KSK DNSKEY RRs that bind creates (or monitor for the appearance of new CDS RRs)
- Manually upload the DS RRs for the new KSKs via the registrar's website
- Wait for the new DS RRs to appear in the DNS
- Run "rndc dnssec -checkds -key ID published ZONE" to inform bind
- Wait for bind to sign the ZSKs with the new KSKs
- Wait a few TTLs
- Manually delete the DS RRs for the old KSKs via the registrar's website
- Wait for the old DS RRs to disappear from the DNS
- Run "rndc dnssec -checkds -key ID withdrawn ZONE" to inform bind

cheers,
raf

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC questions
Hi raf,

On 09-08-2021 10:08, raf via bind-users wrote:
> Hi,
>
> I've got a bunch of DNSSEC questions. Any advice would be appreciated.
>
> The context is a little VM with six little zones, soon to be upgraded to debian-11 and bind-9.16.15. I haven't signed my zones before but now is the time. I'm going to rotate KSKs annually because it's finally so easy to do on debian stable. Thanks for that. I know it won't be totally automatic, and that's OK, but I'd like to check that I have the right idea of what to monitor for and what to do each time.
>
> Q: Is it OK to use exact multiples for ksk/zsk lifetimes (e.g. 366d/61d)? I assume it's OK if there aren't too many keys to generate at once.

Yes.

> Q: Regarding "parent-propagation-delay" and CDS/CDNSKEY RRs: Assuming the registrar doesn't process them, does this equate to how long it takes me to notice there's a new DS to upload, plus how long it takes me to upload it via the registrar's website, plus how long it takes the registrar to publish the uploaded DS? Or is it, having instructed the registrar to add/remove a DS, how long after I've seen it published/withdrawn in the DNS and have run "rndc dnssec -checkds -key ID published/withdrawn ZONE" that the parent can be expected to propagate the DS addition/removal to all their servers? Or does "rndc dnssec -checkds" make "parent-propagation-delay" irrelevant except when the parent processes CDS/CDNSKEY RRs? I assume the last.

No, with the latest version of BIND 9.16 you will have to either tell named that the DS is published with the "rndc dnssec -checkds published" command, or you will have to configure parental-agents:

    parental-agents lists allow for a common set of parental agents to be easily used by multiple primary and secondary zones in their parental-agents lists. A parental agent is the entity that the zone has a relationship with to change its delegation information (defined in RFC 7344).

BIND will query the parental agents to see if the new DS is actually published before withdrawing the old DNSSEC key.

> Q: Are CDS/CDNSKEY RRs always in the zone, or just temporarily there for a short time before and after KSK rollovers? I don't see them in the wild, so I assume the latter. I ask for monitoring purposes. What to monitor for withdrawal? I'm thinking I might want to monitor for DNSKEY additions and removals instead. More on that below.

While not necessary, CDS and CDNSKEY RRs are always in the zone as long as the corresponding DS record is expected to be published.

> Q: When would you want a DS RR for a ZSK (i.e. dnssec-dsfromkey -A)?

Never, DS is meant to refer to the key that signs the DNSKEY RRset, thus only applicable for KSK.

> Q: Any idea why example.com has two KSK DNSKEY RRs? Might they be mid-rollover at the moment? There's only a DS for one of them. Perhaps it's just an example.

Most likely a mid-rollover, I will need more details on example.com to know for sure.

> Q: What software could a registrar use to process CDS/CDNSKEY automatically? Just curious.

...

> Q: Do any/many registrars support CDS/CDNSKEY/RFC7344 yet? It seems not.

No, but I have heard about some registrars looking into it.

> Q: Is a "key-directory" option value that doesn't start with "/" relative to the "directory" option (i.e. a subdirectory)? I assume it is.

The "key-directory" is an optional option that signals that the configured "key-directory" should be used. Currently it is the only key storage supported, but in the future it may be possible to have per-key storage.

> Q: Does the signed zone always have a serial that is the serial in the unsigned zone file plus one? If so, can I continue to use the following scheme for serials: a 10-digit number consisting of the date followed by a 2-digit sequence number, where I increment the serial in the zone file by one whenever I change the zone multiple times on the same day? e.g.
>
>   serial in 1st zone file = 2021091000 signed and published as 202109101
>   serial in 2nd zone file = 2021091001 signed and published as 202109102
>
> i.e. Is it OK that the never-published serial in a new unsigned zone file is the same as the previously/currently published serial in the signed zone? Or is it better to increment the serial in the file by 2 instead of 1?

The serial used depends on the setting of "serial-update-method".

> Q: Does the following sound right as a process for managing KSK rollovers?
>
> - Monitor for the appearance of new KSK DNSKEY RRs that bind creates (or monitor for the appearance of new CDS RRs)
> - Manually upload the DS RRs for the new KSKs via the registrar's website
> - Wait for the new DS RRs to appear in the DNS
> - Run "rndc dnssec -checkds -key ID published ZONE" to inform bind
> - Wait for bind to sign the ZSKs with the new KSKs
> - Wait a few TTLs
> - Manually d
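raf's manual rollover procedure and Matthijs' point that a CDS record stays in the zone exactly while the corresponding DS is expected at the parent can be combined into a small decision aid for the operator. This is an added example, not code from either poster or from BIND: it uses only the Python standard library, builds placeholder DNSKEY material inline (the key bytes are constructed, not real keys), and assumes the zone's CDS RRset is the set of DS records named currently expects at the parent.

```python
"""Decide which step of the manual KSK-rollover procedure applies right now.

Added example for this thread; not code from the bind-users posters or BIND.
Inputs are the zone's DNSKEY and CDS RRsets and the DS RRset observed at the
parent. They are constructed inline here; in practice fill them from dig.
"""
import hashlib
import struct
from dataclasses import dataclass

SEP_FLAG = 0x0001  # RFC 4034 Secure Entry Point bit: set on KSKs (flags 257)
DS_SHA256 = 2      # DS digest type 2 (RFC 4509)


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int      # always 3
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes  # the base64 field of the RR, decoded

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: the ID that 'rndc dnssec -checkds -key' takes."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in owner.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_record(owner: str, key: DNSKEY) -> tuple:
    """DS RDATA as (key tag, algorithm, digest type, hex digest), RFC 4034 s5.1.4.

    The digest covers the canonical owner name followed by the DNSKEY RDATA.
    """
    rdata = key.rdata()
    digest = hashlib.sha256(canonical_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key.algorithm, DS_SHA256, digest)


def rollover_state(zone, dnskeys, cds, parent_ds):
    """Map each KSK to the next step of the manual procedure.

    Assumption (from Matthijs' answer): a CDS record is present exactly while the
    matching DS is expected to be at the parent. So, per KSK:
      CDS present, DS at parent -> tell named:  rndc dnssec -checkds ... published
      CDS present, DS missing   -> upload the DS via the registrar
      CDS absent,  DS at parent -> remove the DS via the registrar
      CDS absent,  DS missing   -> tell named:  rndc dnssec -checkds ... withdrawn
    A DS at the parent matching no DNSKEY at all is stale and must be removed.
    """
    cds, parent_ds = set(cds), set(parent_ds)
    state = {"published": [], "withdrawn": [], "upload": [], "delete": []}
    zone_tags = set()
    for key in dnskeys:
        if not key.is_ksk():
            continue  # a DS only ever refers to the key signing the DNSKEY RRset
        ds = ds_record(zone, key)
        zone_tags.add(ds[0])
        expected, present = ds in cds, ds in parent_ds
        if expected and present:
            state["published"].append(ds[0])
        elif expected:
            state["upload"].append(ds)
        elif present:
            state["delete"].append(ds)
        else:
            state["withdrawn"].append(ds[0])
    state["delete"] += sorted(ds for ds in parent_ds if ds[0] not in zone_tags)
    return state


def rndc_commands(zone, state):
    """The rndc invocations (in the form used in the thread) the current state calls for."""
    cmds = [f"rndc dnssec -checkds -key {t} published {zone}" for t in state["published"]]
    cmds += [f"rndc dnssec -checkds -key {t} withdrawn {zone}" for t in state["withdrawn"]]
    return cmds


# Constructed sample: a zone mid-rollover. Key bytes are placeholders, not real keys.
ZONE = "example.net."
OLD_KSK = DNSKEY(257, 3, 13, bytes.fromhex("00010203"))  # key tag 1554
NEW_KSK = DNSKEY(257, 3, 13, bytes.fromhex("10203040"))  # key tag 17518
ZSK = DNSKEY(256, 3, 13, bytes.fromhex("aabb"))          # ignored: no DS for a ZSK
DNSKEYS = [OLD_KSK, NEW_KSK, ZSK]
CDS = [ds_record(ZONE, OLD_KSK), ds_record(ZONE, NEW_KSK)]  # both DS expected by named
PARENT_DS = [ds_record(ZONE, OLD_KSK),                       # only the old DS is live yet
             (9999, 13, DS_SHA256, "00" * 32)]               # constructed stale DS

if __name__ == "__main__":
    st = rollover_state(ZONE, DNSKEYS, CDS, PARENT_DS)
    for cmd in rndc_commands(ZONE, st):
        print(cmd)
    for ds in st["upload"]:
        print("upload at registrar:", *ds)
    for ds in st["delete"]:
        print("delete at registrar:", *ds)
```

Running it periodically against the live RRsets turns "monitor for new KSK DNSKEY/CDS RRs" into a concrete report of which registrar action or rndc command is due.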
Re: DNSSEC questions
Hi Matthijs,

On Mon, Aug 09, 2021 at 11:11:48AM +0200, Matthijs Mekking wrote:
> Hi raf,
>
> On 09-08-2021 10:08, raf via bind-users wrote:
> > Hi,
> >
> > I've got a bunch of DNSSEC questions.
> > Any advice would be appreciated.
> >
> > The context is a little VM with six little zones,
> > soon to be upgraded to debian-11 and bind-9.16.15.
> > I haven't signed my zones before but now is the time.
> > I'm going to rotate KSKs annually because it's
> > finally so easy to do on debian stable. Thanks for that.
> > I know it won't be totally automatic, and that's OK,
> > but I'd like to check that I have the right idea of
> > what to monitor for and what to do each time.
> >
> > Q: Is it OK to use exact multiples for ksk/zsk lifetimes (e.g. 366d/61d)?
> > I assume it's OK if there aren't too many keys to generate at once.
>
> Yes.
>
> > Q: Regarding "parent-propagation-delay" and CDS/CDNSKEY RRs:
> > Assuming the registrar doesn't process them, does this equate to
> > how long it takes me to notice there's a new DS to upload,
> > plus how long it takes me to upload it via the registrar's website,
> > plus how long it takes the registrar to publish the uploaded DS?
> > Or is it, having instructed the registrar to add/remove a DS,
> > how long after I've seen it published/withdrawn in the DNS and have
> > run "rndc dnssec -checkds -key ID published/withdrawn ZONE" that
> > the parent can be expected to propagate the DS addition/removal
> > to all their servers? Or does "rndc dnssec -checkds" make
> > "parent-propagation-delay" irrelevant except when the parent
> > processes CDS/CDNSKEY RRs? I assume the last.
>
> No, with the latest version of BIND 9.16 you will have to either tell named
> that the DS is published with the "rndc dnssec -checkds published" command,
> or you will have to configure parental-agents:
>
>     parental-agents lists allow for a common set of parental agents to
>     be easily used by multiple primary and secondary zones in their
>     parental-agents lists. A parental agent is the entity that the zone
>     has a relationship with to change its delegation information
>     (defined in RFC 7344).
>
> BIND will query the parental agents to see if the new DS is actually
> published before withdrawing the old DNSSEC key.

I won't be able to use parental-agents yet. Debian-11 only has bind-9.16.15 (to start with), and parental-agents was added in 9.16.19. Also, my new registrar doesn't implement RFC 7344 yet, but I suggested it, and they're considering it. In the meantime, I'll just use rndc.

> > Q: Are CDS/CDNSKEY RRs always in the zone, or just temporarily
> > there for a short time before and after KSK rollovers?
> > I don't see them in the wild, so I assume the latter.
> > I ask for monitoring purposes. What to monitor for withdrawal?
> > I'm thinking I might want to monitor for DNSKEY additions and
> > removals instead. More on that below.
>
> While not necessary, CDS and CDNSKEY RRs are always in the zone as long as
> the corresponding DS record is expected to be published.

That makes sense.

> > Q: When would you want a DS RR for a ZSK (i.e. dnssec-dsfromkey -A)?
>
> Never, DS is meant to refer to the key that signs the DNSKEY RRset, thus
> only applicable for KSK.
>
> > Q: Any idea why example.com has two KSK DNSKEY RRs?
> > Might they be mid-rollover at the moment? There's only a DS for one of them.
> > Perhaps it's just an example.
>
> Most likely a mid-rollover, I will need more details on example.com to know
> for sure.

It's not important. I'm sure they have their reasons.

> > Q: What software could a registrar use to process CDS/CDNSKEY automatically?
> > Just curious.
>
> ...
>
> > Q: Do any/many registrars support CDS/CDNSKEY/RFC7344 yet? It seems not.
>
> No, but I have heard about some registrars looking into it.
>
> > Q: Is a "key-directory" option value that doesn't start with "/" relative
> > to the "directory" option (i.e. a subdirectory)? I assume it is.
>
> The "key-directory" is an optional option that signals that the configured
> "key-directory" should be used. Currently it is the only key storage
> supported, but in the future it may be possible to have per-key storage.

I'll use an absolute path, just to be on the safe side.

> > Q: Does the signed zone always have a serial that is the serial in the
> > unsigned zone file plus one? If so, can I continue to use the following
> > scheme for serials: a 10-digit number consisting of the date followed
> > by a 2-digit sequence number, where I increment the serial in the zone
> > file by one whenever I change the zone multiple times on the same day?
> > e.g.
> > serial in 1st zone file = 2021091000 signed and published as 202109101
> > serial in 2nd zone file = 2021091001 signed and published as 202109102
> > i.e. Is it OK that the never-published serial in
Re: Does BIND support ANAME RR
> -----Original Message-----
> From: bind-users On Behalf Of Evan Hunt
> Sent: Saturday, 7 August 2021 20:21
> To: Gaurav Kansal
> Cc: bind-users@lists.isc.org
> Subject: Re: Does BIND support ANAME RR
>
> On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
> > I need help figuring out whether BIND supports ANAME? If yes,
> > then from which version onwards?
>
> No, it doesn't. The effort to standardize ANAME stalled, and I doubt
> it'll be coming back.
>
> The new HTTPS and SVCB records look like a better approach anyway.
> BIND will have support for those pretty soon.

But honestly SVCB will not solve the ANAME problem. It will take years until all resolvers/clients support SVCB, whereas ANAME would be implemented in the authoritative name server and hence would work for every client/resolver, as the client/resolver never sees the ANAME but only the A/ record.

regards
Klaus
Re: Does BIND support ANAME RR
> On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
> > I need help figuring out whether BIND supports ANAME? If yes,
> > then from which version onwards?
>
> No, it doesn't. The effort to standardize ANAME stalled, and I doubt
> it'll be coming back.
>
> The new HTTPS and SVCB records look like a better approach anyway.
> BIND will have support for those pretty soon.

On 09.08.21 13:55, Klaus Darilion via bind-users wrote:
> But honestly SVCB will not solve the ANAME problem. It will take years
> until all resolvers/clients support SVCB, whereas ANAME would be
> implemented in the authoritative name server

recursive - an authoritative server is not there to resolve remote hostnames if it doesn't provide recursion. (well, it COULD try to resolve just as it resolves NS IPs for sending notifies, but that's different).

resolving on the authoritative server could in fact help, and wouldn't need a protocol change at all, but the problem above is crucial (what would you do in case of failure? refuse the whole zone?)

> and hence would work for every client/resolver as the client/resolver never
> sees the ANAME but only the A/ record.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I drive way too fast to worry about cholesterol.
Re: Does BIND support ANAME RR
> On 09.08.21 13:55, Klaus Darilion via bind-users wrote:
> > But honestly SVCB will not solve the ANAME problem. It will take years
> > until all resolvers/clients support SVCB, whereas ANAME would be
> > implemented in the authoritative name server
>
> resolving on the authoritative server could in fact help, and wouldn't need
> a protocol change at all, but the problem above is crucial (what would you
> do in case of failure? refuse the whole zone?)

Resolving is done when there is an incoming query, not on zone loading. So if the auth's resolver (either a full-blown resolver or a stub resolver which forwards to another resolver) fails to resolve, I would just forward this error to the client's resolver.

regards
Klaus
Re: Add DNS records automatically for static IP's
Thanks to all of you, is it possible to use nslookup in order to update DNS records from Linux hosts to a Windows DNS server (not BIND)?

Thanks a lot again!

On Thu, 5 Aug 2021 at 14:14, Cuttler, Brian R (HEALTH) () wrote:
>
> Roberto,
>
> I've been using nsupdate for that.
>
> I restricted my dynamic address pool, at the bottom end for infrastructure
> and at the top end for static IP's and then I use nsupdate to add the entries.
> There are other methods, which I learned mostly from this list and can attach
> a copy of my site wiki article if you'd like to see it.
>
> Brian
>
>
> -----Original Message-----
> From: bind-users On Behalf Of Roberto Carna
> Sent: Thursday, August 5, 2021 12:19 PM
> To: ML BIND Users
> Subject: Add DNS records automatically for static IP's
>
> Dear all, I know DDNS works with a DHCP server and dynamic IP's. When
> the IP changes, the hostname in DNS is updated.
>
> But I have this scenario:
>
> I have several hosts with static IP's / hostnames and I want to
> register them to our private BIND DNS, and they should be updated if
> the IP or hostname changes.
>
> Is there any way to do what I need? Any Linux/Windows client to
> install in the servers in order to register IP and hostname to our
> private BIND???
>
> Special thanks!
Re: Does BIND support ANAME RR
> On 09.08.21 13:55, Klaus Darilion via bind-users wrote:
> > But honestly SVCB will not solve the ANAME problem. It will take years
> > until all resolvers/clients support SVCB, whereas ANAME would be
> > implemented in the authoritative name server
>
> resolving on the authoritative server could in fact help, and wouldn't need
> a protocol change at all, but the problem above is crucial (what would you
> do in case of failure? refuse the whole zone?)

On 09.08.21 14:37, Klaus Darilion via bind-users wrote:
> Resolving is done when there is an incoming query, not on zone loading. So
> if the auth's resolver (either a full-blown resolver or a stub resolver which
> forwards to another resolver) fails to resolve, I would just forward this
> error to the client's resolver.

This would not change the fact that you are asking an authoritative server to resolve a record, which is by definition not the job of an authoritative server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I intend to live forever - so far so good.
Re: Does BIND support ANAME RR
Every resolver on the planet already supports HTTPS and SVCB. Every authoritative server on the planet already supports HTTPS and SVCB via unknown record format. iOS is already making HTTPS queries for every webpage. I believe other browsers also make HTTPS queries today. Go look at your DNS traffic.

The MR mentioned earlier allows named and the other tools to load and display the records in presentation format and to do the additional section processing. None of that is required to be able to return these records. It just makes it easier.

Just about all the other DNS vendors also have code that can read and display presentation format.

ANAME is dead.

--
Mark Andrews

> On 9 Aug 2021, at 21:53, Klaus Darilion via bind-users wrote:
>
> > -----Original Message-----
> > From: bind-users On Behalf Of Evan Hunt
> > Sent: Saturday, 7 August 2021 20:21
> > To: Gaurav Kansal
> > Cc: bind-users@lists.isc.org
> > Subject: Re: Does BIND support ANAME RR
> >
> > On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
> > > I need help figuring out whether BIND supports ANAME? If yes,
> > > then from which version onwards?
> >
> > No, it doesn't. The effort to standardize ANAME stalled, and I doubt
> > it'll be coming back.
> >
> > The new HTTPS and SVCB records look like a better approach anyway.
> > BIND will have support for those pretty soon.
>
> But honestly SVCB will not solve the ANAME problem. It will take years until
> all resolvers/clients support SVCB, whereas ANAME would be implemented in
> the authoritative name server and hence would work for every client/resolver
> as the client/resolver never sees the ANAME but only the A/ record.
>
> regards
> Klaus
Re: Does BIND support ANAME RR
Does every application that uses gethostbyname have a benefit of HTTPS/SVCB? That is what I meant.

regards
Klaus

> -----Original Message-----
> From: Mark Andrews
> Sent: Monday, 9 August 2021 15:55
> To: Klaus Darilion
> Cc: Evan Hunt; Gaurav Kansal; bind-us...@lists.isc.org
> Subject: Re: Does BIND support ANAME RR
>
> Every resolver on the planet already supports HTTPS and SVCB. Every
> authoritative server on the planet already supports HTTPS and SVCB via
> unknown record format. iOS is already making HTTPS queries for every
> webpage. I believe other browsers also make HTTPS queries today. Go look
> at your DNS traffic.
>
> The MR mentioned earlier allows named and the other tools to load and
> display the records in presentation format and to do the additional section
> processing. None of that is required to be able to return these records. It
> just makes it easier.
>
> Just about all the other DNS vendors also have code that can read and
> display presentation format.
>
> ANAME is dead.
> --
> Mark Andrews
>
> > On 9 Aug 2021, at 21:53, Klaus Darilion via bind-users wrote:
> >
> > > -----Original Message-----
> > > From: bind-users On Behalf Of Evan Hunt
> > > Sent: Saturday, 7 August 2021 20:21
> > > To: Gaurav Kansal
> > > Cc: bind-users@lists.isc.org
> > > Subject: Re: Does BIND support ANAME RR
> > >
> > > On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
> > > > I need help figuring out whether BIND supports ANAME? If yes,
> > > > then from which version onwards?
> > >
> > > No, it doesn't. The effort to standardize ANAME stalled, and I doubt
> > > it'll be coming back.
> > >
> > > The new HTTPS and SVCB records look like a better approach anyway.
> > > BIND will have support for those pretty soon.
> >
> > But honestly SVCB will not solve the ANAME problem. It will take years until
> > all resolvers/clients support SVCB, whereas ANAME would be implemented in
> > the authoritative name server and hence would work for every client/resolver
> > as the client/resolver never sees the ANAME but only the A/ record.
> >
> > regards
> > Klaus
Re: Add DNS records automatically for static IP's
On Mon, Aug 9, 2021 at 8:46 AM Roberto Carna wrote:
> Thanks to all of you, is it possible to use nslookup in order to
> update DNS records from Linux hosts to a Windows DNS server (not BIND)

Not nslookup, but nsupdate as Brian Cuttler said. nslookup is purely a query tool; nsupdate implements the DNS Update protocol, which is one of the mechanisms that Windows DNS server supports. So, yes, you can go Linux -> Windows using nsupdate.

> On Thu, 5 Aug 2021 at 14:14, Cuttler, Brian R (HEALTH) () wrote:
> > I've been using nsupdate for that.

--
tale
Re: Does BIND support ANAME RR
No, and there's no strong use case for that. The ANAME was wrong on every level from the protocol perspective and I am glad it is gone.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 9. 8. 2021, at 17:23, Klaus Darilion via bind-users wrote:
>
> Does every application that uses gethostbyname have a benefit of HTTPS/SVCB?
> That is what I meant.
> regards
> Klaus
>
> > -----Original Message-----
> > From: Mark Andrews
> > Sent: Monday, 9 August 2021 15:55
> > To: Klaus Darilion
> > Cc: Evan Hunt; Gaurav Kansal; bind-us...@lists.isc.org
> > Subject: Re: Does BIND support ANAME RR
> >
> > Every resolver on the planet already supports HTTPS and SVCB. Every
> > authoritative server on the planet already supports HTTPS and SVCB via
> > unknown record format. iOS is already making HTTPS queries for every
> > webpage. I believe other browsers also make HTTPS queries today. Go look
> > at your DNS traffic.
> >
> > The MR mentioned earlier allows named and the other tools to load and
> > display the records in presentation format and to do the additional section
> > processing. None of that is required to be able to return these records. It
> > just makes it easier.
> >
> > Just about all the other DNS vendors also have code that can read and
> > display presentation format.
> >
> > ANAME is dead.
> > --
> > Mark Andrews
> >
> > > On 9 Aug 2021, at 21:53, Klaus Darilion via bind-users wrote:
> > >
> > > > -----Original Message-----
> > > > From: bind-users On Behalf Of Evan Hunt
> > > > Sent: Saturday, 7 August 2021 20:21
> > > > To: Gaurav Kansal
> > > > Cc: bind-users@lists.isc.org
> > > > Subject: Re: Does BIND support ANAME RR
> > > >
> > > > On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
> > > > > I need help figuring out whether BIND supports ANAME? If yes,
> > > > > then from which version onwards?
> > > >
> > > > No, it doesn't. The effort to standardize ANAME stalled, and I doubt
> > > > it'll be coming back.
> > > >
> > > > The new HTTPS and SVCB records look like a better approach anyway.
> > > > BIND will have support for those pretty soon.
> > >
> > > But honestly SVCB will not solve the ANAME problem. It will take years until
> > > all resolvers/clients support SVCB, whereas ANAME would be implemented in
> > > the authoritative name server and hence would work for every client/resolver
> > > as the client/resolver never sees the ANAME but only the A/ record.
> > >
> > > regards
> > > Klaus
Re: Does BIND support ANAME RR
On Mon, Aug 09, 2021 at 01:55:50PM +0200, Klaus Darilion wrote:
> But honestly SVCB will not solve the ANAME problem. It will take years
> until all resolvers/clients support SVCB, whereas ANAME would be
> implemented in the authoritative name server and hence would work for
> every client/resolver as the client/resolver never sees the ANAME but only
> the A/ record.

Most browsers update themselves these days, so getting HTTPS/SVCB support rolled out in the client seems to be a lesser problem. Doing ANAME properly would require resolver upgrades.

99% of the reason for ANAME was that browser vendors were unwilling to use SRV. If they *are* willing to use HTTPS/SVCB - which looks promising at the moment - then the remaining use cases for ANAME aren't worth the complexity.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
AW: Does BIND supports ANAME RR
Do you think that we can get rid of CNAME too?

regards
Klaus

> -----Original Message-----
> From: Ondřej Surý
> Sent: Monday, 9 August 2021 19:19
> To: Klaus Darilion
> Cc: Mark Andrews; bind-users@lists.isc.org
> Subject: Re: Does BIND supports ANAME RR
>
> No, and there's no strong use case for that. The ANAME was wrong on every
> level from the protocol perspective and I am glad it is gone.
>
> Ondřej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> > On 9. 8. 2021, at 17:23, Klaus Darilion via bind-users wrote:
> >
> > Does every application that uses gethostbyname have a benefit of
> > HTTPS/SVCB? That is what I meant.
> >
> > regards
> > Klaus
> >
> > > -----Original Message-----
> > > From: Mark Andrews
> > > Sent: Monday, 9 August 2021 15:55
> > > To: Klaus Darilion
> > > Cc: Evan Hunt; Gaurav Kansal; bind-users@lists.isc.org
> > > Subject: Re: Does BIND supports ANAME RR
> > >
> > > Every resolver on the planet already supports HTTPS and SVCB. Every
> > > authoritative server on the planet already supports HTTPS and SVCB via
> > > unknown record format. iOS is already making HTTPS queries for every
> > > webpage. I believe other browsers also make HTTPS queries today. Go look
> > > at your DNS traffic.
> > >
> > > The MR mentioned earlier allows named and the other tools to load and
> > > display the records in presentation format and to do the additional
> > > section processing. None of that is required to be able to return these
> > > records. It just makes it easier.
> > >
> > > Just about all the other DNS vendors also have code that can read and
> > > display presentation format.
> > >
> > > ANAME is dead.
> > > --
> > > Mark Andrews
> > >
> > > > On 9 Aug 2021, at 21:53, Klaus Darilion via bind-users wrote:
> > > >
> > > > > -----Original Message-----
> > > > > From: bind-users on behalf of Evan Hunt
> > > > > Sent: Saturday, 7 August 2021 20:21
> > > > > To: Gaurav Kansal
> > > > > Cc: bind-users@lists.isc.org
> > > > > Subject: Re: Does BIND supports ANAME RR
> > > > >
> > > > > On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
> > > > > > I need the help in figuring out whether BIND supports ANAME? If yes,
> > > > > > then from which version onwards?
> > > > >
> > > > > No, it doesn't. The effort to standardize ANAME stalled, and I doubt
> > > > > it'll be coming back.
> > > > >
> > > > > The new HTTPS and SVCB records look like a better approach anyway.
> > > > > BIND will have support for those pretty soon.
> > > >
> > > > But honestly SVCB will not solve the ANAME problem. It will take years
> > > > until all resolvers/clients would support SVCB, whereas ANAME would be
> > > > implemented in the authoritative name server and hence would work for
> > > > every client/resolver, as the client/resolver never sees the ANAME but
> > > > only the A/AAAA record.
> > > >
> > > > regards
> > > > Klaus
Re: Does BIND supports ANAME RR
If you mean stop publishing CNAME as meaning “the server for this service is …” then yes. HTTPS can be published alongside MX, A, and AAAA. Just start doing it.

Mark
--
Mark Andrews

> On 10 Aug 2021, at 07:13, Klaus Darilion wrote:
>
> Do you think that we can get rid of CNAME too?
>
> regards
> Klaus
>
> > -----Original Message-----
> > From: Ondřej Surý
> > Sent: Monday, 9 August 2021 19:19
> > To: Klaus Darilion
> > Cc: Mark Andrews; bind-users@lists.isc.org
> > Subject: Re: Does BIND supports ANAME RR
> >
> > No, and there's no strong use case for that. The ANAME was wrong on every
> > level from the protocol perspective and I am glad it is gone.
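Mark's point in this exchange is that an authoritative server needs no new code to publish HTTPS (type 65) or SVCB (type 64) records: RFC 3597 lets a zone file carry any type as `TYPE65 \# <length> <hex>`, and only the presentation format and additional-section processing need support. What follows is an added example, not code from BIND or from anyone on this thread. It assumes the RFC 9460 wire layout for SVCB/HTTPS RDATA (a 2-octet SvcPriority, an uncompressed TargetName, then SvcParams as key/length/value triples in strictly increasing key order) and constructs its own sample record for www.example.com; the names, port and hint address in it are illustrative. It encodes a ServiceMode record, produces the RFC 3597 line you could paste into a zone file, and decodes RDATA back, rejecting the two malformations RFC 9460 says make an RR unusable: out-of-order or duplicate SvcParamKeys, and a value that runs past the end of the RDATA.

```python
# Added example (not BIND's code): RFC 9460 HTTPS/SVCB RDATA encoder/decoder
# plus the RFC 3597 generic zone-file syntax that an unaware server can still load.
import ipaddress
import struct

TYPE_SVCB, TYPE_HTTPS = 64, 65
# SvcParamKey numbers from RFC 9460 (subset); other keys round-trip as opaque hex.
KEY_NUMBERS = {"alpn": 1, "no-default-alpn": 2, "port": 3, "ipv4hint": 4}
KEY_NAMES = {v: k for k, v in KEY_NUMBERS.items()}


def encode_name(name):
    """Uncompressed wire-format TargetName ('.' encodes as a single zero octet)."""
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".") if lab]
    if any(len(lab) > 63 for lab in labels):
        raise ValueError("label longer than 63 octets")
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"


def decode_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        if n >= 64:  # 0xC0.. would be a compression pointer, which SVCB RDATA forbids
            raise ValueError("compression pointer or bad label in TargetName")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def encode_param(key, value):
    if key == "alpn":  # each ALPN id is a 1-octet length-prefixed string
        return b"".join(bytes([len(a)]) + a.encode("ascii") for a in value)
    if key == "no-default-alpn":
        return b""
    if key == "port":
        return struct.pack("!H", value)
    if key == "ipv4hint":
        return b"".join(ipaddress.IPv4Address(a).packed for a in value)
    raise ValueError(f"unsupported SvcParamKey {key!r}")


def decode_param(num, data):
    if num == 1:
        ids, off = [], 0
        while off < len(data):
            n = data[off]
            ids.append(data[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        return ids
    if num == 2 and data:
        raise ValueError("no-default-alpn must have an empty value")
    if num == 3:
        return struct.unpack("!H", data)[0]
    if num == 4:
        return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]
    return True if num == 2 else data.hex()  # unhandled keys stay opaque


def encode_rdata(priority, target, params):
    """SvcPriority + TargetName + SvcParams in increasing key order (RFC 9460 2.2)."""
    if priority == 0 and params:  # AliasMode records should carry no SvcParams
        raise ValueError("AliasMode (SvcPriority 0) must not carry SvcParams")
    out = struct.pack("!H", priority) + encode_name(target)
    for key in sorted(params, key=lambda k: KEY_NUMBERS[k]):
        val = encode_param(key, params[key])
        out += struct.pack("!HH", KEY_NUMBERS[key], len(val)) + val
    return out


def decode_rdata(rdata):
    """Parse RDATA; out-of-order or duplicate keys and truncated values make the
    RR malformed under RFC 9460 section 2.2, so both are rejected."""
    (priority,) = struct.unpack("!H", rdata[:2])
    target, off = decode_name(rdata, 2)
    params, last = {}, -1
    while off < len(rdata):
        num, n = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if num <= last:
            raise ValueError("SvcParamKeys not in strictly increasing order")
        if off + n > len(rdata):
            raise ValueError("truncated SvcParam value")
        params[KEY_NAMES.get(num, f"key{num}")] = decode_param(num, rdata[off:off + n])
        off, last = off + n, num
    return priority, target, ({} if priority == 0 else params)  # AliasMode: params ignored


def is_valid_rdata(rdata):
    try:
        decode_rdata(rdata)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def generic_rr(owner, ttl, rdata, rtype=TYPE_HTTPS):
    """RFC 3597 zone-file line: loads on a server with no parser for type 65."""
    return f"{owner} {ttl} IN TYPE{rtype} \\# {len(rdata)} {rdata.hex()}"


# Constructed sample ServiceMode record (alpn, port, ipv4hint) for the examples.
SAMPLE_RDATA = encode_rdata(1, "svc.example.com.",
                            {"alpn": ["h2", "h3"], "port": 8443, "ipv4hint": ["192.0.2.1"]})
# Constructed malformed RDATA: port (key 3) placed before alpn (key 1).
BAD_ORDER_SAMPLE = (b"\x00\x01\x00" + struct.pack("!HH", 3, 2) + b"\x20\xfb"
                    + struct.pack("!HH", 1, 3) + b"\x02h2")
```

`generic_rr("www.example.com.", 300, SAMPLE_RDATA)` gives the 43-octet `TYPE65 \# 43 ...` line; a server that understands the type will load it and can later dump it as `1 svc.example.com. alpn="h2,h3" port=8443 ipv4hint=192.0.2.1`, and one that does not will still serve the octets unchanged. The decoder's ordering and length checks are the part worth keeping in any resolver-side or validation code, since slicing past the end of a buffer in most languages silently yields a short value rather than an error.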
Re: Does BIND supports ANAME RR
Dear Admin,

Has anybody used the advanced features of BIND, DoT and DoH? Kindly help me to configure DoT and DoH in DNS with BIND 9.17.16 + CentOS 7.9.

With Regards
Divya

----- Original Message -----
From: "Ondřej Surý"
To: "klaus darilion"
Cc: bind-users@lists.isc.org
Sent: Monday, August 9, 2021 10:48:54 PM
Subject: Re: Does BIND supports ANAME RR

No, and there's no strong use case for that. The ANAME was wrong on every level from the protocol perspective and I am glad it is gone.

Ondřej
--
Ondřej Surý — ISC (He/Him)
Re: Does BIND supports ANAME RR
Please, don't reply to threads with unrelated subject matter. This is just good mailing list etiquette. Please create a new message, not a reply, and ask the question again.

Mark

> On 10 Aug 2021, at 13:48, Divya wrote:
>
> Dear Admin,
>
> Has anybody used the advanced features of BIND, DoT and DoH? Kindly help me to
> configure DoT and DoH in DNS with BIND 9.17.16 + CentOS 7.9.
>
> With Regards
> Divya
>
> ----- Original Message -----
> From: "Ondřej Surý"
> To: "klaus darilion"
> Cc: bind-users@lists.isc.org
> Sent: Monday, August 9, 2021 10:48:54 PM
> Subject: Re: Does BIND supports ANAME RR