Re: BIND | Cname chain resolution using forward ( CNAME&A returned but no use A) (#3995)
That is because the forwarder is supposed to handle only zone "bd.baidubce.com.", but the address response is from the bd.bcebos.com zone. Therefore it queries the contents of that according to global forwarders or iteratively. BIND9 attempts to deliver the most authoritative answer it can, so it ignores hints from a server not authoritative for it. I do not know a way to disable such behavior.

DNS caches such as dnsmasq would forward the reply as it is, but bind uses zones with authoritative servers preferred. It does so to prevent unrelated servers pushing invalid answers into your cache.

A workaround might be to forward also the bd.bcebos.com. zone to the same server.

Can you share why it should return different addresses than the authoritative servers offer? I think if you need to override some addresses, RPZ might help you. At least you would have a list of rules where the answer is modified. I think most proper servers do it this way without the ability to change the behavior.

Just my 2 cents.

Regards,
Petr

On 04. 04. 23 8:08, Yang via bind-users wrote:
> hi bind admin,
> when i use bind-9.11 for my interdns, deviceip is 10.1.1.1, i config
> zone "bd.baidubce.com." in { type forward ; forward only; forwarders { 10.10.10.10; }; };
> 1. when i dig @10.1.1.1 x.bd.bcebos.com.
> 2. 10.10.10.10 return record "CNAME bd.bcebos.com., A 100.67.96.26, A 100.67.96.27" to device 10.1.1.1
> 3. but device 10.1.1.1 not return A 100.67.96.26, A 100.67.96.27 to me
> 4. device 10.1.1.1 go to query bd.bcebos.com. recursive itself, and get another record 110.242.70.8
> i have questions
> 1. why config is forward only, but bind get CNAME & A, bind do not return A to me, and query cname again itself?
> thanks

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC error resolving gpo.gov ?
No, unfortunately there is no way to disable it. It just creates both digests and there is no way to disable creation of SHA-1 in bind 9.11. dnssec-dsfromkey -2 can be used to output only the SHA256 digest.

I think the automated process using dsset files does not offer switches to not generate them. With a manual signing process it should be possible to delete the SHA1 digest from the dsset file before signing it with dnssec-signzone. I doubt it would work smoothly with inline signing directly from named. At least not in our RHEL8 version.

Petr

On 24. 03. 23 14:35, John W. Blue via bind-users wrote:
> Petr,
> Thanks for sharing that tidbit of info. Off the top of your head do you know if that can be disabled?
> John
>
> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Petr Menšík
> Sent: Friday, March 24, 2023 8:32 AM
> To: bind-users@lists.isc.org
> Subject: Re: DNSSEC error resolving gpo.gov ?
>
> That is done also by bind 9.11, not only infoblox. It creates both digests on common operations.
>
> On 3/14/23 16:23, John W. Blue via bind-users wrote:
>> Keep in mind that SHA1 may not have been included by choice.
>> If gpo.gov is using Infoblox there is a, what I like to call, Infoblox-ism in play regarding DNSSEC where even if you choose RSA256 or RSA512 or whatever it will create a SHA1.
>> John
>>
>> -----Original Message-----
>> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Stephane Bortzmeyer
>> Sent: Tuesday, March 14, 2023 10:17 AM
>> To: Alexandra Yang
>> Cc: bind-users@lists.isc.org
>> Subject: Re: DNSSEC error resolving gpo.gov ?
>>
>> On Tue, Mar 14, 2023 at 11:08:28AM -0400, Alexandra Yang wrote a message of 154 lines which said:
>>> I wonder if anyone can shed some light on this, our nameserver (BIND 9.16.37) keeps giving error on resolving gpo.gov and ns3.gpo.gov, here are the errors:
>>> "DS record for zone gpo.gov with keytag 18496 was created by digest algorithm 1 (SHA-1) which is deprecated."
>>
>> https://zonemaster.fr/en/result/9161c8485223705c

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
BIND | Cname chain resolution using forward ( CNAME&A returned but no use A) (#3995)
i am very very sorry, the zone info of first mail -> zone "bd.baidubce.com." i write wrong; the right info is zone "x.bd.bcebos.com." please just see this mail.

when i use bind-9.11 for my interdns, deviceip is 10.1.1.1, i config
zone "x.bd.bcebos.com." in { type forward ; forward only; forwarders { 10.10.10.10; }; };
1. when i dig @10.1.1.1 x.bd.bcebos.com.
2. 10.10.10.10 return record "CNAME bd.bcebos.com., bd.bcebos.com. A 100.67.96.26, A 100.67.96.27" to device 10.1.1.1
3. but device 10.1.1.1 not return A 100.67.96.26, A 100.67.96.27 to me
4. device 10.1.1.1 go to query bd.bcebos.com. recursive itself, and get another record 110.242.70.8
i have questions
1. why config is forward only, bind get CNAME & A records from forwarders, but bind do not return A record to me? and query cname domain recursive again itself?
thanks
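As an added illustration (not BIND's code and not from this thread), the Python below models the trust rule Petr describes: records from a forwarder are accepted only for owner names under a forward zone that points at that forwarder, and any CNAME target left without accepted addresses is resolved elsewhere (global forwarders or iteration). It replays the corrected configuration from the follow-up beside Petr's suggested workaround of forwarding bd.bcebos.com. to the same server; the response triples are constructed from the thread, and the forward-zone dictionary and function names are assumptions of this example.

```python
# Simplified model (constructed, not BIND source) of the rule Petr describes: a forwarder's
# records are trusted only for owner names inside a forward zone that points at that forwarder.

def in_zone(name: str, zone: str) -> bool:
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def forward_zone_for(name, forward_zones):
    """Longest forward zone (dict zone -> forwarder address) that covers name, else None."""
    matches = [z for z in forward_zones if in_zone(name, z)]
    return max(matches, key=len) if matches else None


def resolve_forwarded(qname, forward_zones, responder, response):
    """response: (owner, rtype, rdata) triples received from `responder` for qname.
    Returns the accepted/rejected records, the final addresses, and the name (if any)
    that must still be resolved via global forwarders or iteration."""
    accepted, rejected = [], []
    for rec in response:
        zone = forward_zone_for(rec[0], forward_zones)
        (accepted if zone and forward_zones[zone] == responder else rejected).append(rec)
    name, seen = qname, set()
    while name not in seen:                      # follow the CNAME chain within accepted data
        seen.add(name)
        addrs = [rd for o, t, rd in accepted if o == name and t == "A"]
        if addrs:
            return {"answer": addrs, "pending": None, "accepted": accepted, "rejected": rejected}
        cname = [rd for o, t, rd in accepted if o == name and t == "CNAME"]
        if not cname:
            return {"answer": [], "pending": name, "accepted": accepted, "rejected": rejected}
        name = cname[0]
    raise ValueError("CNAME loop")


# Constructed replay of the thread: the forwarder answers with CNAME plus A for the target.
RESPONSE = [("x.bd.bcebos.com.", "CNAME", "bd.bcebos.com."),
            ("bd.bcebos.com.", "A", "100.67.96.26"),
            ("bd.bcebos.com.", "A", "100.67.96.27")]
AS_POSTED = {"x.bd.bcebos.com.": "10.10.10.10"}
WORKAROUND = {"x.bd.bcebos.com.": "10.10.10.10", "bd.bcebos.com.": "10.10.10.10"}

if __name__ == "__main__":
    for label, zones in (("as posted", AS_POSTED), ("workaround", WORKAROUND)):
        r = resolve_forwarded("x.bd.bcebos.com.", zones, "10.10.10.10", RESPONSE)
        print(label, "answer:", r["answer"], "still to resolve:", r["pending"])
```

In the "as posted" case the two A records are rejected and bd.bcebos.com. is left pending, which is where the unrelated 110.242.70.8 answer in the thread comes from; with the second forward zone the same reply is accepted whole.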
Re: DNSSEC error resolving gpo.gov ?
Also it does no harm. SHA1 DS are still secure. If there are both SHA1 and SHA256 DS records present the SHA1 records are ignored by SHA256 capable validators and no you can’t just remove the SHA256 DS record and have the DS RRset validate.

> On 4 Apr 2023, at 20:27, Petr Menšík wrote:
>
> No, unfortunately there is no way to disable it. It just creates both digests and there is no way to disable creation of SHA-1 in bind 9.11. dnssec-dsfromkey -2 can be used to output only SHA256 digest.
>
> I think automated process using dsset files does not offer switches to not generate them. With manual signing process it should be possible to delete SHA1 digest from dsset file before signing it with dnssec-signzone. I doubt it would work smoothly with inline signing directly from named. At least not in our RHEL8 version.
>
> Petr

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
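As an added example (not from this thread and not BIND's tooling), the Python below builds DS records from a DNSKEY the way RFC 4034 defines them, SHA-1 (digest type 1) beside SHA-256 (digest type 2), and then filters SHA-1 lines out of a dsset-style list as Petr suggests doing before dnssec-signzone, while respecting Mark's point that a key must keep a usable DS: a SHA-1 line is dropped only where the same key tag still has another digest. The zone name and key bytes are constructed placeholders, not any real zone's key.

```python
import hashlib

# Constructed sample key for the demo: short placeholder key material, NOT a real DNSKEY.
ZONE = "example.test."
SAMPLE_PUBKEY = bytes(range(1, 9))
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash (RFC 4034 / RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in name.rstrip(".").lower().split("."))
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(zone, flags, protocol, algorithm, pubkey, digest_type) -> str:
    """DS presentation line: digest = H(owner name in wire form | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()
    return f"{zone} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def drop_sha1_ds(dsset_lines):
    """Remove SHA-1 (digest type 1) DS lines, but only for key tags that also have a
    non-SHA-1 DS, so no key is left without any DS at all. Returns (kept, dropped)."""
    def parse(line):
        f = line.split()
        i = f.index("DS")
        return f[i + 1], f[i + 3]          # (key tag, digest type)
    covered = {parse(l)[0] for l in dsset_lines if parse(l)[1] != "1"}
    kept, dropped = [], []
    for line in dsset_lines:
        tag, dtype = parse(line)
        (dropped if dtype == "1" and tag in covered else kept).append(line)
    return kept, dropped


if __name__ == "__main__":
    both = [ds_record(ZONE, 257, 3, 8, SAMPLE_PUBKEY, t) for t in (1, 2)]
    kept, dropped = drop_sha1_ds(both)
    print("kept:", kept, "\ndropped:", dropped)
```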
DNSSEC regulatory requirements?
Hi all,

I know this is a strange request. I am trying to encourage more people to deploy DNSSEC (either authoritative or recursive/validating). Are there any compliance or regulatory requirements that suggest/recommend the use of DNSSEC? The only one I know of is the very dated US OMB memo from 2008.

I see several European domains have better DNSSEC deployment rates (such as .de). Are there any regulations or friendly recommendations from some kind of governing body at work here?

Thank you.
-Josh
Re: Re: BIND | Cname chain resolution using forward ( CNAME&A returned but no use A) (#3995)
> ...s.com. recursive itself, and get another record 110.242.70.8
> i have questions
> 1. why config is forward only, but bind get CNAME & A, bind do not return A to me, and query cname again itself?
> thanks

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB