Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-04 Thread duluxoz

Thanks Mark (& Darren & Jan-Piet),

So I made the changes you suggested (Mark), but I'm still having 
issues (i.e. DHCP leases are not being added to the DNS zones), so I've 
included my Bind9 config:


~~~

// Source addresses treated as bogus; referenced by "blackhole" in the
// options statement below, so named ignores all traffic from them.
// Order matters: address match lists are evaluated first-match, so the
// negated "internal_hosts" entry must precede 192.168.0.0/16 or the two
// internal /24s would be blackholed along with the rest of 192.168/16.
// NOTE(review): "internal_hosts" is defined further down this file; the
// BIND ARM says an acl name must be defined before it is referenced, so
// if named-checkconf objects, move that acl above this one.
acl "bogusnets" {
    !"internal_hosts";
    0.0.0.0/8;
    10.0.0.0/8;
    172.16.0.0/12;
    192.0.2.0/24;   // TEST-NET-1 (RFC 5737), never a real client
    192.168.0.0/16;
    224.0.0.0/3;    // 224.0.0.0 - 255.255.255.255 (multicast and above)
};
// The two internal LAN ranges; exempted from "bogusnets" above by negation.
// Must be defined before any statement that references it (see "bogusnets").
acl "internal_hosts" {
    192.168.1.0/24;
    192.168.2.0/24;
};
// Secondaries on the 192.168.1.0/24 side; granted zone transfers via
// "allow-transfer" in options. IP-only ACLs authenticate by source address;
// a TSIG key per secondary would be the stronger control for AXFR/IXFR.
acl "secondary_external_servers" {
    192.168.1.1/32;
    192.168.1.2/32;
};
// Secondaries on the 192.168.2.0/24 side; granted zone transfers via
// "allow-transfer" in options (same source-address caveat as above).
acl "secondary_internal_servers" {
    192.168.2.1/32;
    192.168.2.2/32;
};
// Hosts permitted to send dynamic updates: localhost and 192.168.2.3.
// Not referenced in the statements shown here; presumably used by
// allow-update / update-policy in the zone statements (not shown) - verify.
// NOTE(review): for updates, a TSIG key (update-policy with a key name)
// is preferable to an address-only ACL, since source addresses can be spoofed.
acl "servers_ddns" {
    "localhost";
    192.168.2.3/32;
};
// Hosts allowed to reach the rndc control channel (see "controls" below).
// Same membership as "servers_ddns": localhost plus 192.168.2.3.
acl "servers_rndc" {
    "localhost";
    192.168.2.3/32;
};
// Hosts allowed to read statistics. Not referenced in the statements shown
// here; presumably used by a statistics-channels statement elsewhere - verify.
acl "stats_hosts" {
    192.168.2.0/24;
};
// rndc control channel. "inet 0.0.0.0" listens on every IPv4 interface;
// access is limited to "servers_rndc" by source address AND requires the
// "rndc.key" TSIG key, so an unauthenticated host cannot issue commands.
// NOTE(review): unless rndc from 192.168.2.3 is actually needed, listening
// on 127.0.0.1 (plus the one LAN address that host reaches) exposes less.
controls {
    inet 0.0.0.0 port 953 allow {
    "servers_rndc";
    } keys {
    "rndc.key";
    };
};
// Logging: one file channel per concern under /var/log/named; every channel
// rotates at 512000 bytes and keeps 3 timestamp-suffixed versions.
// Built-in channels referenced by the categories below: "default_syslog"
// (syslog) and "default_debug" (named.run in the working directory, which
// only produces output while the server's debug level is non-zero).
// NOTE(review): "default_debug_log", "queries_log" and "query_errors_log"
// are defined but no category names them, so nothing is ever written to
// those files. The categories use the built-in "default_debug" where
// "default_debug_log" may have been intended, and there is no
// category "queries" / "query-errors" pointing at the query channels.
logging {
    // Target of delegation-only, edns-disabled, lame-servers and resolver.
    channel "auth_servers_log" {
    file "/var/log/named/auth_servers.log" versions 3 size 512000 
suffix timestamp;

    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    // Target of the client and security categories.
    channel "client_security_log" {
    file "/var/log/named/client_security.log" versions 3 size 
512000 suffix timestamp;

    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    // Target of the default category (everything not routed elsewhere).
    channel "default_log" {
    file "/var/log/named/default.log" versions 3 size 512000 suffix 
timestamp;

    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    // "dynamic": logs at the server's current debug level.
    // NOTE(review): not referenced by any category below (see header).
    channel "default_debug_log" {
    file "/var/log/named/default_debug.log" versions 3 size 512000 
suffix timestamp;

    severity dynamic;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    // Dynamic-update activity (update, update-security); the channel to
    // watch when DHCP leases fail to appear in the zones. "debug 1" admits
    // level-1 debug messages; confirm in the ARM how this interacts with
    // the server's global debug level before relying on it.
    channel "ddns_log" {
    file "/var/log/named/ddns.log" versions 3 size 512000 suffix 
timestamp;

    severity debug 1;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    // Target of the dnssec category.
    channel "dnssec_log" {
    file "/var/log/named/dnssec.log" versions 3 size 512000 suffix 
timestamp;

    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    // NOTE(review): not referenced by any category below (see header).
    channel "queries_log" {
    file "/var/log/named/queries.log" versions 3 size 512000 suffix 
timestamp;

    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    // NOTE(review): not referenced by any category below (see header).
    channel "query_errors_log" {
    file "/var/log/named/query_errors.log" versions 3 size 512000 
suffix timestamp;

    severity dynamic;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    // Target of notify, xfer-in and xfer-out.
    channel "zone_transfers_log" {
    file "/var/log/named/zone_transfers.log" versions 3 size 512000 
suffix timestamp;

    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    // Category -> channel routing. Each category also goes to the built-in
    // "default_debug" channel.
    category "client" {
    "client_security_log";
    "default_debug";
    };
    category "dnssec" {
    "dnssec_log";
    "default_debug";
    };
    // Catch-all for categories without an explicit entry here.
    category "default" {
    "default_syslog";
    "default_debug";
    "default_log";
    };
    category "delegation-only" {
    "auth_servers_log";
    "default_debug";
    };
    category "edns-disabled" {
    "auth_servers_log";
    "default_debug";
    };
    category "lame-servers" {
    "auth_servers_log";
    "default_debug";
    };
    category "notify" {
    "zone_transfers_log";
    "default_debug";
    };
    category "resolver" {
    "auth_servers_log";
    "default_debug";
    };
    // Approved/denied requests and similar security events.
    category "security" {
    "client_security_log";
    "default_debug";
    };
    // Dynamic updates (update) and update authorisation decisions
    // (update-security): rejected DHCP updates show up here.
    category "update" {
    "ddns_log";
    "default_debug";
    };
    category "update-security" {
    "ddns_log";
    "default_debug";
    };
    category "xfer-in" {
    "zone_transfers_log";
    "default_debug";
    };
    category "xfer-out" {
    "zone_transfers_log";
    "default_debug";
    };
};
// Global options. Authoritative-only server (recursion off) that accepts
// queries only from localhost by default and transfers only to the listed
// secondaries.
options {
    // Drop every packet (queries, updates, notifies) from these sources.
    // The DHCP server (192.168.2.3) and both secondaries are inside
    // "internal_hosts", which "bogusnets" exempts, so they are not affected.
    blackhole {
    "bogusnets";
    };
    // Working directory; relative paths in zone statements resolve here.
    directory "/var/named";
    // Destination of "rndc dumpdb".
    dump-file "/var/named/data/cache_dump.db";
    // Write pending dynamic-zone changes to disk on SIGTERM; relevant here
    // because the DHCP-updated zones are dynamic.
    flush-zones-on-shutdown yes;
    managed-keys-directory "/var/named/dynamic";
    // Dump memory statistics to the file below at exit.
    memstatistics yes;
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/run/named/named.pid";
    // TSIG session key used by "update-policy local" / "nsupdate -l".
    session-keyfile "/run/named/session.key";
    // Destination of "rndc stats".
    statistics-file "/var/named/data/named_stats.txt";
    // Returned for version.bind CHAOS queries instead of the real version.
    version "Not Currently Available";
    // Treat these DNSSEC signing algorithms as unsupported for every name
    // under "." when validating (the MD5, SHA-1 and DSA based ones).
    disable-algorithms "." {
    "RSAMD5";
    "RSASHA1";
    "NSEC3RSASHA1";
    "DSA";
    };
    // Likewise for DS digest types.
    disable-ds-digests "." {
    "SHA-1";
    "GOST";
    };
    // Authoritative only: no recursive lookups for anyone.
    recursion no;
    // NOTE(review): this is the server-wide default. Unless each zone
    // statement (not shown) sets its own allow-query, LAN clients cannot
    // query the zones at all, which would look like "DNS not working" even
    // after updates succeed.
    allow-query {
    "localhost";
    };
    // AXFR/IXFR only to the named secondaries (address-based; see the acl
    // comments about TSIG).
    allow-transfer {
    "secondary_external_servers";
    "secondary_internal_servers";
    };
    // Log when a primary's serial is lower than ours (there is a single
    // primary per zone here).
    multi-master no;
    // Keep per-zone statistics (visible via the statistics file/channel).
    zone-statistics yes;
};
primaries "servers_primaries" {
    192.168.2.

Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-04 Thread Mark Andrews
Add DHCID to the list of record types permitted to be updated by the DHCP 
server. 

-- 
Mark Andrews

> On 4 Feb 2023, at 21:15, duluxoz  wrote:
> 
> Thanks Mark (& Darren & Jan-Piet),
> 
> So I made those changes you suggested (Mark), but I'm still having issues (ie 
> DHCP leases are not being added to the DNS zones), so I've included my Bind9 
> config:
> 
> ~~~
> 
> acl "bogusnets" {
> !"internal_hosts";
> 0.0.0.0/8;
> 10.0.0.0/8;
> 172.16.0.0/12;
> 192.0.2.0/24;
> 192.168.0.0/16;
> 224.0.0.0/3;
> };
> acl "internal_hosts" {
> 192.168.1.0/24;
> 192.168.2.0/24;
> };
> acl "secondary_external_servers" {
> 192.168.1.1/32;
> 192.168.1.2/32;
> };
> acl "secondary_internal_servers" {
> 192.168.2.1/32;
> 192.168.2.2/32;
> };
> acl "servers_ddns" {
> "localhost";
> 192.168.2.3/32;
> };
> acl "servers_rndc" {
> "localhost";
> 192.168.2.3/32;
> };
> acl "stats_hosts" {
> 192.168.2.0/24;
> };
> controls {
> inet 0.0.0.0 port 953 allow {
> "servers_rndc";
> } keys {
> "rndc.key";
> };
> };
> logging {
> channel "auth_servers_log" {
> file "/var/log/named/auth_servers.log" versions 3 size 512000 suffix 
> timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "client_security_log" {
> file "/var/log/named/client_security.log" versions 3 size 512000 
> suffix timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "default_log" {
> file "/var/log/named/default.log" versions 3 size 512000 suffix 
> timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "default_debug_log" {
> file "/var/log/named/default_debug.log" versions 3 size 512000 suffix 
> timestamp;
> severity dynamic;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "ddns_log" {
> file "/var/log/named/ddns.log" versions 3 size 512000 suffix 
> timestamp;
> severity debug 1;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "dnssec_log" {
> file "/var/log/named/dnssec.log" versions 3 size 512000 suffix 
> timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "queries_log" {
> file "/var/log/named/queries.log" versions 3 size 512000 suffix 
> timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "query_errors_log" {
> file "/var/log/named/query_errors.log" versions 3 size 512000 suffix 
> timestamp;
> severity dynamic;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "zone_transfers_log" {
> file "/var/log/named/zone_transfers.log" versions 3 size 512000 
> suffix timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> category "client" {
> "client_security_log";
> "default_debug";
> };
> category "dnssec" {
> "dnssec_log";
> "default_debug";
> };
> category "default" {
> "default_syslog";
> "default_debug";
> "default_log";
> };
> category "delegation-only" {
> "auth_servers_log";
> "default_debug";
> };
> category "edns-disabled" {
> "auth_servers_log";
> "default_debug";
> };
> category "lame-servers" {
> "auth_servers_log";
> "default_debug";
> };
> category "notify" {
> "zone_transfers_log";
> "default_debug";
> };
> category "resolver" {
> "auth_servers_log";
> "default_debug";
> };
> category "security" {
> "client_security_log";
> "default_debug";
> };
> category "update" {
> "ddns_log";
> "default_debug";
> };
> category "update-security" {
> "ddns_log";
> "default_debug";
> };
> category "xfer-in" {
> "zone_transfers_log";
> "default_debug";
> };
> category "xfer-out" {
> "zone_transfers_log";
> "default_debug";
> };
> };
> options {
> blackhole {
> "bogusnets";
> };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> flush-zones-on-shutdown yes;
> managed-keys-directory "/var/named/dynamic";
> memstatistics yes;
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> statistics-file "/var

Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-04 Thread duluxoz

Thanks Mark - that was the issue :-)

I really, really appreciate the help

Cheers

Dulux-Oz

On 04/02/2023 23:21, Mark Andrews wrote:

Add DHCID to the list of record types permitted to be updated by the DHCP 
server.




Resolve some hosts that are DNSSEC-signed differently

2023-02-04 Thread Matthias Fechner

Dear all,

I have a question regarding a setup I use at home.
It is for domain idefix.fechner.net.

I have a small server at home running some services. As I do not have 
a public IP, I tunnel traffic using pf on FreeBSD and OpenVPN to route 
a public IP to my server at home.
This works nicely, but when I access idefix.fechner.net from home, the 
traffic always goes out to the internet and then back through the tunnel 
to my local server, which is a real performance problem, as the internet 
connection here is really slow.


The complete domain is dnssec signed using the following configuration:
// Primary (authoritative) copy of fechner.net. "type master" is the older
// spelling of "type primary".
zone "fechner.net" {
    type master;
    // Unsigned zone data, relative to the options "directory".
    file "../master/fechner.net/fechner.net";
    // Key and signing policy; defined elsewhere in the config (not shown).
    dnssec-policy "one-year-zsk";
    // named signs a separate internal copy; the file above stays unsigned.
    inline-signing yes;
};

Now I want to make sure that when I access idefix.fechner.net from home, 
it does not go through the tunnel but reaches the server directly via its 
local address.


So the idea was to configure my named running at home to resolve some 
host names differently.


What is here recommended best practice doing it?

Just add a local copy of the fechner.net zone and override some A 
records? I think that would break DNSSEC, wouldn't it?


Thanks for any pointer into the right direction.

Gruß
Matthias

--

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
