Restrict dynamic updates to one domain - disallow subdomains

2023-02-13 Thread André Steden via bind-users

Hello,

is it possible to restrict dynamic dns updates to one domain?

Allow this:

update add host1.example.de 86400 a 1.1.1.1
update add host2.example.de 86400 a 2.2.2.2

Deny this:

update add host1.subdomain1.example.de 86400 a 1.1.1.1
update add host2.anysubdomain.example.de 86400 a 2.2.2.2

What must I specify in the update-policy option for the example.de domain?

Regards, André
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Changing DNS servers (name only) for a DNSSEC enabled domain

2023-02-13 Thread Danilo Godec via bind-users

Hello,


in the near future I will have to change NS records for one of my 
domains, as DNS servers currently use an old domain (not mine), that 
will be phased out. DNS servers will actually remain the same, only the 
domain name will change.


So, basically:

 * mydomain currently uses dns1.olddomain, dns2.olddomain,
   dns3.olddomain, ...
 * dns*.olddomain are the same servers as dns*.newdomain
 * mydomain has to change DNS server to dns1.newdomain, dns2.newdomain,
   dns3.newdomain, ...



Since DNSSEC is enabled on mydomain, I've been reading some instructions 
about doing this with DNSSEC and they say:


1. Disable DNSSEC at Registrar
2. Wait 24 hours
3. Disable DNSSEC at Name Server (remove DS-records)
4. Switch name servers
5. Wait 24 hours
6. Re-enable DNSSEC


Is this really necessary in this case, changing only DNS server names? I 
would like to avoid changing DS records at the registrar level as they 
don't provide a 'self-service' interface for managing them, so I have to 
go through their support and that's usually tedious.


If that is necessary, why?


   Thanks, Danilo

PS: If it matters, this is (still) a manually DNSSEC'd domain.


Re: [KASP] Key rollover

2023-02-13 Thread adrien sipasseuth
Hi,

"You configure parental agents and named will check which DS’s are
published.  Named won’t complete the
roll until it knows the new DS is published."
=> What is a parental agent? I don't find this term in the Bind documentation.
From what I understand, you have to specify to Bind that the new DS is
published with the command: rndc dnssec -checkds -key  published

"If it was me, I'd set the KSK to not roll-over automatically, and
instead create a recurring reminder for yourself to initiate the KSK
roll-over manually? That way you'd never get caught out with a KSK
roll-over happening when you weren't prepared for it? "
=> I don't know if I can get a policy for ZSK and a manual method for KSK.
From what I understand if I want to use a policy I have to remove
"auto-dnssec maintain;" which is necessary for the manual method right?

In the meantime, I wonder if I can't stay on the manual method even with a
bind 9.18? I read that the auto-dnssec directive might disappear in favor
of dnssec-policy. Does that mean that it might not be possible to do it
manually anymore? source here =>
https://kb.isc.org/v1/docs/dnssec-key-and-signing-policy

Regards,
Adrien

On Thu, 9 Feb 2023 at 10:35, Mark Andrews wrote:

> You configure parental agents and named will check which DS’s are
> published.  Named won’t complete the
> roll until it knows the new DS is published.
>
> > On 9 Feb 2023, at 19:49, Nick Tait via bind-users <
> bind-users@lists.isc.org> wrote:
> >
> > On 9/02/23 05:17, adrien sipasseuth wrote:
> >> so it works BUT I need to know more than 48h in advance that the
> rollover is starting to submit the new KSK to my registar.
> >>
> >> How can I set this up if it's not with "public-safety"?
> > If it was me, I'd set the KSK to not roll-over automatically, and
> instead create a recurring reminder for yourself to initiate the KSK
> roll-over manually? That way you'd never get caught out with a KSK
> roll-over happening when you weren't prepared for it?
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>


Re: Changing DNS servers (name only) for a DNSSEC enabled domain

2023-02-13 Thread Mark Elkins via bind-users
If the IP addresses of the DNS servers (dns[123].olddomain and 
dns[123].newdomain) are staying the same - then you only need to send an 
update to change your domain from being hosted at olddomain to 
newdomain. Ideally, the newdomain would be created first (pointing to 
the same IP addresses as in olddomain) in the Registry, then after a day 
or two, have the olddomain in the Registry deleted - but it shouldn't 
really matter.


People who are looking for DNSSEC records will still go to the correct 
places - because the IP addresses at those places are not changing.


On 2023/02/13 17:58, Danilo Godec via bind-users wrote:

Hello,


in the near future I will have to change NS records for one of my 
domains, as DNS servers currently use an old domain (not mine), that 
will be phased out. DNS servers will actually remain the same, only 
the domain name will change.


So, basically:

  * mydomain currently uses dns1.olddomain, dns2.olddomain,
dns3.olddomain, ...
  * dns*.olddomain are the same servers as dns*.newdomain
  * mydomain has to change DNS server to dns1.newdomain,
dns2.newdomain, dns3.newdomain, ...



Since DNSSEC is enabled on mydomain, I've been reading some 
instructions about doing this with DNSSEC and they say:


1. Disable DNSSEC at Registrar
2. Wait 24 hours
3. Disable DNSSEC at Name Server (remove DS-records)
4. Switch name servers
5. Wait 24 hours
6. Re-enable DNSSEC


I personally prefer,

Create the Domain on the new nameservers, sign it, send the new DS 
record to the Registry. This probably means loading the DS record via 
the old (existing) Registrar. Wait 24 hours (propagation time) then 
update (swap) the Nameservers at the Registry to the new Nameservers.

Wait a day or two then remove the domain from the old servers.
As long as one of the DS records matches the DNSKEY on either the old or 
new Nameservers - DNSSEC should validate.


The problem is - not many Registrars allow a foreign DS record to be 
loaded in their system for uploading to the Registry. I do allow the 
client to do this. Don't think it has ever happened though.






Is this really necessary in this case, changing only DNS server names? 
I would like to avoid changing DS records at the registrar level as 
they don't provide a 'self-service' interface for managing them, so I 
have to go through their support and that's usually tedious.


If that is necessary, why?


   Thanks, Danilo

PS: If it matters, this is (still) a manually DNSSEC'd domain.


--

Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.826010496 
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za 





Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-13 Thread Jan-Piet Mens

is it possible to restrict dynamic dns updates to one domain?


I think 'name' is what you're after:

grant key-name name host1.example.de. A;

You will be aware that the type list can take multiple space-separated values.

-JP


Re: Ubuntu service file is missing Restart parameter

2023-02-13 Thread Petr Menšík

Hi Blažej,

Just my 2 cents:

I think Restart=on-failure is not a good default value. named.service 
may fail for different reasons. If the reason is a configuration failure, 
I do not think it should retry many times only to end up sleeping before 
further retries. Until the configuration is changed manually, this won't work. I 
would not recommend using that in a distribution package.


On the other hand, Restart=on-abnormal might help in a few specific cases. 
Sending a SIGSEGV signal or an occasional assertion failure would 
still be caught by it and the service would be restarted. But it won't 
restart when the port is already taken, the address is not available or a typo 
in the configuration was made. I think that is a good default value and I 
plan to include it in Fedora and later RHEL updates.


Anyway, the bind9 repository does not contain any systemd unit file, so such 
requests have to be directed to whatever source was used. I admit 
contributing a fine-tuned default service file might be a good idea; I guess 
the differences should not be significant between distributions.


Regards,
Petr

On 2/5/23 15:46, Blažej Krajňák wrote:

Hi Ondrej,

sorry, I really thought it was clear enough, but as I just found, the
problem is present in releases for Ubuntu 20.04, 18.04 and maybe older
also.

It's all about the content of /lib/systemd/system/named.service

Release for Ubuntu Jammy 22.04 LTS (1:9.18.1-1ubuntu1.3) contains
"Restart=on-failure" parameter.

Releases for
 Ubuntu Focal 20.04 LTS (1:9.16.1-0ubuntu2.12)
 Ubuntu Bionic 18.04 LTS (1:9.11.3+dfsg-1ubuntu1.18)
and maybe older also are missing "Restart" parameter.

I found this problem with a friend, when Bind9 on Ubuntu 20.04 exited
with a SIGV signal and stayed down (systemd did not restart the service).


Thanks


On Sun, 5 Feb 2023 at 14:18, Ondřej Surý wrote:

Hi,

it might seem like we do practice black magic, but we really don’t. Thus we 
can’t really help if you don’t provide more details like the content of the 
file, the source of the package(s), and the version of the package(s).

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


On 5. 2. 2023, at 13:29, Blažej Krajňák  wrote:

Hi there,

I just discovered that default Bind9 systemd service file for Ubuntu
is missing "Restart" parameter. Is there any reason?
Service file for Debian contains "Restart=on-failure"


Thanks
Blažej


--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

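As an added illustration for this thread (not code from systemd, ISC or any distribution package), the following encodes the Restart= table from systemd.service(5) so the three cases under discussion can be compared directly: named exiting with status 1 on a configuration error, dying with SIGSEGV, and being stopped with SIGTERM. It assumes the default clean-signal set and does not model SuccessExitStatus=.

```python
"""Which Restart= values make systemd restart named after a given exit?

Added example for this thread, not code from systemd, ISC or a distro: it
encodes the Restart= table from systemd.service(5) to compare the outcomes
Petr discusses, a configuration error (named exits with status 1) versus a
crash (SIGSEGV) versus an operator stop (SIGTERM). Exit statuses other than
0 are treated as unclean; SuccessExitStatus= is not modelled.
"""
import signal

# systemd's default "clean" termination signals (stored as plain ints)
CLEAN_SIGNALS = {int(s) for s in (signal.SIGHUP, signal.SIGINT,
                                  signal.SIGTERM, signal.SIGPIPE)}

# result classes in systemd's terms, and which Restart= settings cover them
COVERS = {
    "clean-exit":     {"always", "on-success"},
    "unclean-exit":   {"always", "on-failure"},
    "clean-signal":   {"always", "on-success"},
    "unclean-signal": {"always", "on-failure", "on-abnormal", "on-abort"},
    "timeout":        {"always", "on-failure", "on-abnormal"},
    "watchdog":       {"always", "on-failure", "on-abnormal", "on-watchdog"},
}


def classify(exit_code=None, sig=None, timed_out=False, watchdog=False) -> str:
    """Map how the main process ended to one of systemd's result classes."""
    if watchdog:
        return "watchdog"
    if timed_out:
        return "timeout"
    if sig is not None:
        return "clean-signal" if int(sig) in CLEAN_SIGNALS else "unclean-signal"
    return "clean-exit" if exit_code == 0 else "unclean-exit"


def will_restart(restart: str, **how) -> bool:
    """True if Restart=<restart> makes systemd start the unit again."""
    if restart != "no" and restart not in set().union(*COVERS.values()):
        raise ValueError(f"unknown Restart= value: {restart}")
    return restart in COVERS[classify(**how)]


# The three cases from the thread: config typo, crash, and a clean stop.
CASES = {
    "config error": dict(exit_code=1),
    "SIGSEGV":      dict(sig=signal.SIGSEGV),
    "SIGTERM":      dict(sig=signal.SIGTERM),
}


def outcome_table(settings=("on-failure", "on-abnormal")) -> dict:
    """For each case, which of the candidate Restart= values would restart."""
    return {case: {s: will_restart(s, **how) for s in settings}
            for case, how in CASES.items()}
```

`outcome_table()` shows the asymmetry Petr describes: only on-failure keeps restarting after a configuration error, while both settings restart after a crash.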


Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-13 Thread André Steden via bind-users
But I don't want to specify all possible hostnames in the update-policy 
settings.


There are more than 350 hosts in the example.de domain.


On 13.02.2023 at 20:06, Jan-Piet Mens wrote:

is it possible to restrict dynamic dns updates to one domain?


I think 'name' is what you're after:

grant key-name name host1.example.de. A;

You will be aware that the type list can take multiple space-separated 
values.


-JP



Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-13 Thread Mark Andrews
Step back and tell us what you are attempting to achieve.

e.g. I want my hosts to be able to update their address records.

grant admin-key zonesub ANY;
grant * self . A AAAA;

and use SIG(0) to sign the updates. The admin adds the public KEY record for 
the machine using 'admin-key'.

You generate a KEY record on the machine

% dnssec-keygen -T KEY -a RSASHA256 -n host -L 3600 ns1.example.com
Generating key 
pair+*.+*..+.+...+...+...++.+.+..+
 
...+...+.+.+...+..++...+.+.+*.+.+..+.+.+..+..+.+...+.+..+...+++...++...+.+..+..+*.+.+.+.+.+.+...+..+.+..+.+.+..+..+.+...+..++..+...++.+.++.+.+...+..+.+.+.+..+..++..++.+...+
 
Kns1.example.com.+008+18976
%

which produces the public key

% cat Kns1.example.com.+008+18976.key
ns1.example.com. 3600 IN KEY 512 3 8 
AwEAAaxeX1NDwHGxgBKNb/D9+JrwbRnoM+OIe/Y/f5X7gmXdiZ9xOjWM 
alGauUtKzx1VvX2QyDUMs8zimoK4L+MM+ghEsvPjUBAnBN+p3Urq+Ae/ 
mxCmNMzwm3At18MS4TwmzJFFOOZCyQ2eIp0DiW8G+JZTr/3tYmZmPvTO 
l4OSAZ3DRPQlwro2QH2gp2r3nIEdPbY4x5//H++5NSns6N2mAGo3fkA2 
b6EpINrQJ40NPIOq8fvWGs+oiGFl83xsCWpbbezjMebdvMFDTaEZBqPS 
vtqQCBfT7RRqIUebT6fKU3ZQh55Bah/5LJDIK3VDy05iAVVby/lCZ2YU IgGQm6NU1bM=
%

and you add to the zone like this

% awk '{print "update add", $0 } END { print "send" }' Kns1.example.com.+008+18976.key | nsupdate -k admin-key.key
%

Add 'BEGIN { print "zone " }' to the awk command if you are 
updating glue address records this way.

Then the host updates its address records using the private part of the key 
pair

% nsupdate -k Kns1.example.com.+008+18976.private
update add ns1.example.com 3600 IN A 10.0.0.1
update add ns1.example.com 3600 IN AAAA 2001::1
send
%

You can do similar with TSIG by giving the key the same name as the machine but 
you also need to add key clauses for all the TSIG keys to named.conf.

> On 14 Feb 2023, at 07:55, André Steden via bind-users 
>  wrote:
> 
> But I don't want to specify all possible hostnames in the update-policy 
> settings.
> 
> There are more than 350 hosts in the example.de domain.
> 
> 
> On 13.02.2023 at 20:06, Jan-Piet Mens wrote:
>>> is it possible to restrict dynamic dns updates to one domain?
>> 
>> I think 'name' is what you're after:
>> 
>> grant key-name name host1.example.de. A;
>> 
>> You will be aware that the type list can take multiple space-separated 
>> values.
>> 
>> -JP

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

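As an added illustration for this thread (not BIND's code, and not anyone's posted configuration), the following models how named evaluates the update-policy rule types discussed here, name, subdomain, zonesub and self, against an update. It uses the thread's example.de hosts and the constructed key names key-name and admin-key to show why a name rule needs one entry per host, why subdomain also admits host1.subdomain1.example.de, and how the self rule confines each host to its own name.

```python
"""Model of how BIND 9 update-policy rules decide a dynamic update.

Added illustration for this thread, not BIND's code: it reproduces the
documented matching of four rule types (name, subdomain, zonesub, self).
Key names and hostnames are the thread's constructed examples.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


def labels(name: str) -> List[str]:
    """Lower-cased labels of a DNS name, trailing dot ignored."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def same_name(a: str, b: str) -> bool:
    return labels(a) == labels(b)


def is_subdomain(name: str, parent: str) -> bool:
    """True if name equals parent or lies anywhere below it."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


@dataclass(frozen=True)
class Rule:
    action: str                              # "grant" or "deny"
    identity: str                            # signing key name, "*" = any key
    ruletype: str                            # name | subdomain | zonesub | self
    target: str = "."                        # rule name; ignored by zonesub/self
    types: Optional[FrozenSet[str]] = None   # None models ANY / unspecified


def rule_matches(rule: Rule, key: str, name: str, rtype: str, zone: str) -> bool:
    """Does this rule apply to an update of <name rtype> signed with <key>?"""
    if rule.identity != "*" and not same_name(rule.identity, key):
        return False
    if rule.ruletype == "name":
        name_ok = same_name(name, rule.target)
    elif rule.ruletype == "subdomain":
        name_ok = is_subdomain(name, rule.target)
    elif rule.ruletype == "zonesub":
        name_ok = is_subdomain(name, zone)
    elif rule.ruletype == "self":
        name_ok = same_name(name, key)       # updated name must equal key name
    else:
        raise ValueError(f"rule type not modelled: {rule.ruletype}")
    return name_ok and (rule.types is None or rtype.upper() in rule.types)


def update_allowed(policy: List[Rule], key: str, name: str, rtype: str,
                   zone: str = "example.de.") -> bool:
    """First matching rule wins; with no match named refuses the update."""
    for rule in policy:
        if rule_matches(rule, key, name, rtype, zone):
            return rule.action == "grant"
    return False


# Jan-Piet's suggestion: one 'name' rule per host (350 of them for André).
PER_HOST = [Rule("grant", "key-name", "name", "host1.example.de.", frozenset({"A"}))]
# A 'subdomain' rule covers the apex and everything below it, so it also
# admits the host1.subdomain1.example.de updates André wants refused.
SUBDOMAIN = [Rule("grant", "key-name", "subdomain", "example.de.", frozenset({"A"}))]
# Mark Andrews' layout: an admin key for the whole zone, and each host's
# own SIG(0)/TSIG key, named after the host, limited to its address records.
SELF = [Rule("grant", "admin-key", "zonesub"),
        Rule("grant", "*", "self", ".", frozenset({"A", "AAAA"}))]
```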


Re: Changing DNS servers (name only) for a DNSSEC enabled domain

2023-02-13 Thread Crist Clark
What new DS record? The KSKs aren’t changing, are they? Why would they?

All that is changing is the NS RRset (and maybe SOA if you’re changing the
MNAME).

If the NS glue in the parent doesn’t agree with the canonical NS RRset in
the child, this is not a DNSSEC fail. This is as easy as changing any other
records in the zone.

I think all of these complications arise if you are not only changing NS
servers, but also changing registrars. I think that may be the implicit
assumption. That was not mentioned as part of this change.


On Mon, Feb 13, 2023 at 9:03 AM Mark Elkins via bind-users <
bind-users@lists.isc.org> wrote:

> If the IP addresses of the DNS servers (dns[123].olddomain and
> dns[123].newdomain) are staying the same - then you only need to send an
> update to change your domain from being hosted at olddomain to newdomain.
> Ideally, the newdomain would be created first (pointing to the same IP
> addresses as in olddomain) in the Registry, then after a day or two, have
> the olddomain in the Registry deleted - but it shouldn't really matter.
>
> People who are looking for DNSSEC records will still go to the correct
> places - because the IP addresses at those places are not changing.
> On 2023/02/13 17:58, Danilo Godec via bind-users wrote:
>
> Hello,
>
>
> in the near future I will have to change NS records for one of my domains,
> as DNS servers currently use an old domain (not mine), that will be phased
> out. DNS servers will actually remain the same, only the domain name will
> change.
>
> So, basically:
>
>
>- mydomain currently uses dns1.olddomain, dns2.olddomain,
>dns3.olddomain, ...
>- dns*.olddomain are the same servers as dns*.newdomain
>- mydomain has to change DNS server to dns1.newdomain, dns2.newdomain,
>dns3.newdomain, ...
>
>
>
> Since DNSSEC is enabled on mydomain, I've been reading some instructions
> about doing this with DNSSEC and they say:
>
> 1. Disable DNSSEC at Registrar
> 2. Wait 24 hours
> 3. Disable DNSSEC at Name Server (remove DS-records)
> 4. Switch name servers
> 5. Wait 24 hours
> 6. Re-enable DNSSEC
>
> I personally prefer,
>
> Create the Domain on the new nameservers, sign it, send the new DS record
> to the Registry. This probably means loading the DS record via the old
> (existing) Registrar. Wait 24 hours (propagation time) then update (swap)
> the Nameservers at the Registry to the new Nameservers.
> Wait a day or two then remove the domain from the old servers.
> As long as one of the DS records matches the DNSKEY on either the old or
> new Nameservers - DNSSEC should validate.
>
> The problem is - not many Registrars allow a foreign DS record to be
> loaded in their system for uploading to the Registry. I do allow the client
> to do this. Don't think it has ever happened though.
>
>
>
>
> Is this really necessary in this case, changing only DNS server names? I
> would like to avoid changing DS records at the registrar level as they
> don't provide a 'self-service' interface for managing them, so I have to go
> through their support and that's usually tedious.
>
> If that is necessary, why?
>
>
>Thanks, Danilo
>
> PS: If it matters, this is (still) a manually DNSSEC'd domain.
>
> --
>
> Mark James ELKINS  -  Posix Systems - (South) Africa
> m...@posix.co.za   Tel: +27.826010496 <+27826010496>
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
>
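As an added example for this thread (not code from the list or from ISC), the following computes a DS record from a DNSKEY as RFC 4034 specifies, key tag per Appendix B and digest per section 5.1.4, and checks a published DS against a DNSKEY offline. Its inputs are only the child's owner name and DNSKEY RDATA, which is why renaming the NS hosts cannot invalidate the DS at the registry; the key bytes below are a constructed stand-in, not a real key.

```python
"""Compute a DS record from a DNSKEY, per RFC 4034 (key tag: Appendix B,
digest: section 5.1.4). Added example for this thread, not from the list
or ISC: the DS depends only on the child's owner name and DNSKEY RDATA,
so renaming the NS hosts cannot invalidate it. The key below is a
constructed stand-in, not a real key.
"""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> str:
    """Return the DS RDATA text 'keytag alg dtype hexdigest' for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(ds_rdata: str, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey_b64: str) -> bool:
    """Does a DS record published at the parent correspond to this DNSKEY?"""
    tag, alg, dtype, digest = ds_rdata.split()
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return expected.split() == [tag, alg, dtype, digest.upper()]


# Constructed KSK for the thread's placeholder zone: flags 257, protocol 3,
# algorithm 8 (RSASHA256); the public key is a fake 3-byte blob.
FAKE_KEY_B64 = base64.b64encode(b"\x01\x02\x03").decode()
```

Running `ds_matches` with the DS your registrar shows and the DNSKEY your servers serve is the check that matters before and after the NS change; the NS names never enter the computation.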