Re: Restrict dynamic updates to one domain - disallow subdomains
I want an external server to be able to update all the host (A) records inside the example.de domain. But I don't want the external server to be able to create subdomain entries inside the example.de domain.

Is this possible? What grant/deny rule must I use?

-André

On 13.02.2023 at 23:33, Mark Andrews wrote:
> Step back and tell us what you are attempting to achieve.
>
> e.g. I want my hosts to be able to update their address records.
>
> grant admin-key subzone ANY;
> grant * self . A ;
>
> and use SIG(0) to sign the updates. The admin adds the public KEY record for the machine using 'admin-key'.
>
> You generate a KEY record on the machine
>
> % dnssec-keygen -T KEY -a RSASHA256 -n host -L 3600 ns1.example.com
> Generating key pair+*.+*..+.+...+...+...++.+.+..+
> ...+...+.+.+...+..++...+.+.+*.+.+..+.+.+..+..+.+...+.+..+...+++...++...+.+..+..+*.+.+.+.+.+.+...+..+.+..+.+.+..+..+.+...+..++..+...++.+.++.+.+...+..+.+.+.+..+..++..++.+...+
> Kns1.example.com.+008+18976
> %
>
> which produces the public key
>
> % cat Kns1.example.com.+008+18976.key
> ns1.example.com. 3600 IN KEY 512 3 8 AwEAAaxeX1NDwHGxgBKNb/D9+JrwbRnoM+OIe/Y/f5X7gmXdiZ9xOjWM
>     alGauUtKzx1VvX2QyDUMs8zimoK4L+MM+ghEsvPjUBAnBN+p3Urq+Ae/
>     mxCmNMzwm3At18MS4TwmzJFFOOZCyQ2eIp0DiW8G+JZTr/3tYmZmPvTO
>     l4OSAZ3DRPQlwro2QH2gp2r3nIEdPbY4x5//H++5NSns6N2mAGo3fkA2
>     b6EpINrQJ40NPIOq8fvWGs+oiGFl83xsCWpbbezjMebdvMFDTaEZBqPS
>     vtqQCBfT7RRqIUebT6fKU3ZQh55Bah/5LJDIK3VDy05iAVVby/lCZ2YU
>     IgGQm6NU1bM=
> %
>
> and you add to the zone like this
>
> % awk '{print "update add", $0 } END { print "send" }' Kns1.example.com.+008+18976.key | nsupdate -k admin-key.key
> %
>
> Add 'BEGIN { print "zone " }' to the awk command if you are updating glue address records this way.
>
> Then the host updates its address records using the private part of the key pair
>
> % nsupdate -k Kns1.example.com.+008+18976.private
> update add ns1.example.com 3600 IN A 10.0.0.1
> update add ns1.example.com 3600 IN AAAA 2001::1
> send
> %
>
> You can do similar with TSIG by giving the key the same name as the machine, but you also need to add key clauses for all the TSIG keys to named.conf.
>
> On 14 Feb 2023, at 07:55, André Steden via bind-users wrote:
>>
>> But I don't want to specify all possible hostnames in the update-policy settings. There are more than 350 hosts in the example.de domain.
>>
>> On 13.02.2023 at 20:06, Jan-Piet Mens wrote:
>>>> is it possible to restrict dynamic dns updates to one domain?
>>>
>>> I think 'name' is what you're after:
>>>
>>> grant key-name name host1.example.de. A;
>>>
>>> You will be aware that the type list can take multiple space-separated values.
>>>
>>> -JP
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
Re: Restrict dynamic updates to one domain - disallow subdomains
Use external. You can create any rule you can think of with that.

> On 14 Feb 2023, at 20:29, André Steden wrote:
>
> I want an external server to be able to update all the host (A) records inside the example.de domain. But I don't want the external server to be able to create subdomain entries inside the example.de domain.
>
> Is this possible? What grant/deny rule must I use?
>
> -André

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
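The rule André asks for ("A records of hosts in example.de, but no subdomain entries") does not map onto a single `name` or `subdomain` grant, which is why Mark points at the `external` rule type. The following is an added example, not code from the thread or from BIND: it implements only the allow/deny decision such an external daemon would make, leaving out the Unix-socket request/reply wire format that BIND uses to talk to the daemon (documented in the BIND ARM). The zone name, the key name `updater-key`, the `HostRecordPolicy` class and the sample requests are all constructed for the example.

```python
"""Decision logic for a BIND ``external`` update-policy daemon (added example).

Constructed for this thread; not code from the thread or from BIND. The
daemon BIND talks to over a Unix socket must also speak the request/reply
wire format described in the BIND ARM, which is not reproduced here: only
the allow/deny decision is implemented.
"""

from dataclasses import dataclass


def labels(name: str) -> list:
    """Split a DNS name into lowercase labels; a trailing dot is ignored."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


@dataclass(frozen=True)
class HostRecordPolicy:
    """Allow one signer to touch leaf host records directly under a zone apex."""

    zone: str              # apex the rule covers, e.g. "example.de"
    signer: str            # key name that must have signed the update
    types: frozenset       # RR types the signer may create or delete

    def allows(self, signer: str, name: str, rrtype: str) -> bool:
        if labels(signer) != labels(self.signer):
            return False                    # signed by some other key
        if rrtype.upper() not in self.types:
            return False                    # NS, AAAA, ANY, ... are refused
        apex, target = labels(self.zone), labels(name)
        if len(target) != len(apex) + 1:
            return False                    # the apex itself, or a deeper name
        return target[1:] == apex           # and it must sit in this apex


# Constructed policy mirroring the thread's requirement: the "external server"
# may only manage A records of hosts directly inside example.de.
POLICY = HostRecordPolicy(zone="example.de", signer="updater-key",
                          types=frozenset({"A"}))

# (signer, name, type) triples as a daemon would see them; all constructed.
SAMPLE_REQUESTS = [
    ("updater-key", "host1.example.de.", "A"),
    ("updater-key", "HOST2.EXAMPLE.DE", "a"),
    ("updater-key", "www.sub.example.de", "A"),            # subdomain entry
    ("updater-key", "sub.example.de", "NS"),               # delegation attempt
    ("updater-key", "example.de", "A"),                    # the apex
    ("updater-key", "host1.example.de.other.test", "A"),   # suffix lookalike
    ("other-key", "host1.example.de", "A"),                # unknown key
]


def decide(policy: HostRecordPolicy, requests) -> list:
    """Return (name, type, allowed) for every request, in order."""
    return [(name, rrtype, policy.allows(signer, name, rrtype))
            for signer, name, rrtype in requests]


if __name__ == "__main__":
    for name, rrtype, ok in decide(POLICY, SAMPLE_REQUESTS):
        print(f"{'allow' if ok else 'deny ':5} {rrtype:4} {name}")
```

Restricting the type list to `A` is what keeps the signer from creating a delegation: an NS record one label below the apex is exactly the "subdomain entry" the question wants to rule out, and the label-count check refuses anything two or more labels deep. If the host records are also expected to carry AAAA records, add `"AAAA"` to `types`; everything else stays denied.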
Re: named out of swap on NetBSD/amd64
Jan Schaumann via bind-users wrote:
> Greg Choules wrote:
>> - Are you stuck on 9.16.30 for some reason? If not, grab the latest 9.18 package. It will be less memory hungry generally and contain fixes for recent issues.
>
> Yeah, will give that a try.

Upgrading to 9.18.11 by itself did not help, but setting an explicit 'max-cache-size' does seem to.

The queries I'm doing right now are all unique second-level domain queries, so no caching takes place, while at the same time the cache grows proportionally with the queries. I'm guessing that without a set 'max-cache-size', this continues to grow until there is no more memory space left, we start swapping, and eventually get OOM killed.

https://bind9.readthedocs.io/en/v9_18_11/reference.html claims that the default 'max-cache-size' is 90% of physical memory, but it seems that didn't work out here. Might it be that on NetBSD, bind doesn't correctly determine the physical memory amount?

-Jan
Re: named out of swap on NetBSD/amd64
On 14/02/2023 16:09, Jan Schaumann via bind-users wrote:
> I'm guessing that without a set 'max-cache-size', this continues to grow until there is no more memory space left, we start swapping, and eventually get OOM killed.
>
> https://bind9.readthedocs.io/en/v9_18_11/reference.html claims that the default 'max-cache-size' is 90% of physical memory, but it seems that didn't work out here. Might it be that on NetBSD, bind doesn't correctly determine the physical memory amount?

In your named log you may see a "max-cache-size" calculation like the one below (I don't have "max-cache-size" set in the config explicitly; the implicit value of "90%" is used):

'max-cache-size 90%' - setting to 1729MB (out of 1922MB)

It's from a 2 GB Linux cloud (KVM) instance and, looking at the "free -m" command output, it makes sense.

Do you see a calculation for your system? Does it make sense?

Michal
Re: named out of swap on NetBSD/amd64
Michal Nowak wrote:
> In your named log you may see a "max-cache-size" calculation like the one below (I don't have "max-cache-size" set in the config explicitly, implicit value of "90%" is used):
>
> 'max-cache-size 90%' - setting to 1729MB (out of 1922MB)

Good call - I do see that:

'max-cache-size 90%' - setting to 5529MB (out of 6144MB)

However, it only shows up once in the named logs I have dating back to February 8th, possibly from the earlier 9.16.30 version. Removing the 'max-cache-size' directive and restarting named (even with 'severity debug'), I don't see this line in the logs now. Not sure why that would be.

That number seems right. I guess for the overall system load, that default value was too high, and my setting it (to 2GB, in this case) seems to have resolved the problem for me.

-Jan
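Michal's suggestion (read the cache budget named logs at start-up) and Jan's conclusion (90% of physical memory was right as a number but too much for the rest of the system) make a small log check worth having. The following is an added example, not code from the thread or from BIND: it scans a named log for the `'max-cache-size N%' - setting to XMB (out of YMB)` line quoted above, checks that the budget really is N% of the detected memory, and flags budgets that leave less headroom than an operator-chosen reserve. The log excerpt, its timestamps and the 2048 MB reserve are constructed; the two calculations in it are the ones quoted in the thread.

```python
"""Check the cache budget named computed at start-up (added example).

Constructed for this thread, not code from the thread or from BIND. It
recovers the cache budget and the physical memory named believed it had
from the log line quoted in the thread, and flags budgets that leave too
little headroom for everything else on the host.
"""

import re
from dataclasses import dataclass

# The message named logs when max-cache-size is a percentage (90% by default),
# e.g. "'max-cache-size 90%' - setting to 1729MB (out of 1922MB)".
CACHE_LINE = re.compile(
    r"'max-cache-size (?P<pct>\d+)%' - setting to (?P<cache>\d+)MB "
    r"\(out of (?P<total>\d+)MB\)"
)


@dataclass(frozen=True)
class CacheBudget:
    pct: int        # configured percentage
    cache_mb: int   # budget named set
    total_mb: int   # physical memory named detected

    @property
    def headroom_mb(self) -> int:
        """Memory left for the rest of the system once the cache is full."""
        return self.total_mb - self.cache_mb

    @property
    def consistent(self) -> bool:
        """True if cache_mb is pct% of total_mb (named rounds down)."""
        return self.cache_mb == self.total_mb * self.pct // 100


def parse_cache_budgets(log_text: str) -> list:
    """Extract every max-cache-size calculation found in the log, in order."""
    found = []
    for line in log_text.splitlines():
        m = CACHE_LINE.search(line)
        if m:
            found.append(CacheBudget(int(m["pct"]), int(m["cache"]), int(m["total"])))
    return found


def too_greedy(budget: CacheBudget, reserve_mb: int) -> bool:
    """True when a full cache would leave less than reserve_mb for the rest."""
    return budget.headroom_mb < reserve_mb


# Constructed log excerpt: the two calculations quoted in the thread plus noise.
SAMPLE_LOG = """\
08-Feb-2023 10:12:01.123 general: info: 'max-cache-size 90%' - setting to 5529MB (out of 6144MB)
08-Feb-2023 10:12:01.130 general: info: all zones loaded
14-Feb-2023 16:20:44.501 general: info: 'max-cache-size 90%' - setting to 1729MB (out of 1922MB)
14-Feb-2023 16:20:44.502 general: info: running
"""

if __name__ == "__main__":
    for b in parse_cache_budgets(SAMPLE_LOG):
        verdict = "too greedy" if too_greedy(b, 2048) else "ok"
        print(f"{b.cache_mb}MB of {b.total_mb}MB ({b.pct}%), "
              f"headroom {b.headroom_mb}MB, consistent={b.consistent}: {verdict}")
```

On Jan's 6144 MB box the default budget leaves 615 MB for the kernel, the rest of named and anything else running there, which is why an explicit, smaller `max-cache-size` fixed the swapping; the check makes that margin visible before the OOM killer does. An empty result from `parse_cache_budgets` is itself a finding, matching Jan's observation that the line did not reappear after a restart.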