Re: Value of a DNSSEC validating resolver

Hi there,

On Sat, 2 Dec 2023, Mark Andrews wrote:

> On Fri, 1 Dec 2023, John Thurston wrote:
>
>> Can someone make a good case to me for continuing to perform DNSSEC
>> validation on my central resolvers?
>
> Think of a recursive server as a town water treatment plant. You could
> filter and treat at every house and sometimes you still do like boiling
> water for baby formula but on the most part what you get out of it is good
> enough for consumption as is.

Thank you for that outstandingly useful analogy, I hope to use it!

--
73,
Ged.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
sub-subdomain not being resolved NXDOMAIN.

Hello Bind Community,

I'm trying to resolve a sub-subdomain without making each level a separate zone file.

I have domain.my (name of domain changed) in the main zone (the host I serve it from is ns.domain.my) - this works fine. I delegated the subdomain my.domain.my by adding:

my.domain.my IN NS ns.domain.my;

I added this zone to the config file and created a zone file for it. - this also works fine.

I can without any issues add a subdomain to my.domain.my in the my.domain.my zone file.

I would like to resolve a sub-subdomain like this.is.also.my.domain.my from the same my.domain.my zone file. From my understanding I could add a wildcard "*.is.also.my.domain.my. IN A ip.addr" record (and handle it later on the server), or add a "this.is.also.my.domain.my. IN A ip.add" record. Both don't work sadly.

I also tested "is.also.my.domain.my. A ip.address" which also doesn't work - so it looks like I'm missing something.

Was this feature disabled/removed from bind9 or did I forget to set something in my config file?

I'm using bind9 9.11.5
Re: sub-subdomain not being resolved NXDOMAIN.

Ancient BIND version, but won’t mention it beyond that. Others are going to.

This should work fine. Having multiple levels of labels in the zone shouldn’t be a problem. But you’re not providing enough detail to troubleshoot. You’re going to have to show the config and zone files to really get any help. And just providing snippets of the files might not show where the problem is. You also should provide the “dig” output and the precise errors you get back (e.g. the SOA record returned in the NXDOMAIN response might provide clues).

On Sat, Dec 2, 2023 at 4:47 PM Michał Półrolniczak <michal.polrolnic...@gmail.com> wrote:

> Hello Bind Community,
>
> I'm trying to resolve a sub-subdomain without making each level a separate
> zone file.
>
> I have domain.my (name of domain changed) in the main zone (the host I serve
> it from is ns.domain.my) - this works fine. I delegated the subdomain
> my.domain.my by adding:
>
> my.domain.my IN NS ns.domain.my;
>
> I added this zone to the config file and created a zone file for it. - this
> also works fine.
>
> I can without any issues add a subdomain to my.domain.my in the my.domain.my
> zone file.
>
> I would like to resolve a sub-subdomain like this.is.also.my.domain.my
> from the same my.domain.my zone file.
> From my understanding I could add a wildcard "*.is.also.my.domain.my. IN A
> ip.addr" record (and handle it later on the server), or add a
> "this.is.also.my.domain.my. IN A ip.add" record.
> Both don't work sadly.
>
> I also tested "is.also.my.domain.my. A ip.address" which also doesn't work -
> so it looks like I'm missing something.
>
> Was this feature disabled/removed from bind9 or did I forget to set something
> in my config file?
>
> I'm using bind9 9.11.5
Re: Value of a DNSSEC validating resolver

Preface: Please don’t read any judgement of DNSSEC’s value into this question. Just looking for the opportunity to understand DNSSEC better from some world-class experts if any care to respond.

When a client (or any DNS-speaker) is doing validation, doesn’t it set CD on queries through a forwarder? In that sense, the intermediate servers do not filter “bad answers.” Or is my understanding incorrect? Or do you mean the data that the forwarder is using internally has been filtered of bad answers?

On Fri, Dec 1, 2023 at 1:40 PM Mark Andrews wrote:

> A validating resolver is a prerequisite for validating clients to work.
> Clients don’t have direct access to the authoritative servers so they can’t
> retrieve good answers if the recursive servers don’t filter out the bad
> answers.
>
> Think of a recursive server as a town water treatment plant. You could
> filter and treat at every house and sometimes you still do like boiling
> water for baby formula but on the most part what you get out of it is good
> enough for consumption as is.
>
> --
> Mark Andrews
>
>> On 2 Dec 2023, at 08:14, John Thurston wrote:
>>
>> At first glance, the concept of a validating resolver seemed like a good
>> idea. But in practice, it is turning out to be a hassle.
>>
>> I'm starting to think, "If my clients want their answers validated, they
>> should do it." If they *really* care about the quality of the answers they
>> get, why should my clients be trusting *me* to validate them?
>>
>> Can someone make a good case to me for continuing to perform DNSSEC
>> validation on my central resolvers?
>>
>> --
>> Do things because you should, not just because you can.
>>
>> John Thurston
>> 907-465-8591
>> john.thurs...@alaska.gov
>> Department of Administration
>> State of Alaska
Fwd: sub-subdomain not being resolved NXDOMAIN.

Thanks for the fast reply. Yes, ancient, because the server is also ancient - yet it should work.

I was able to pinpoint the issue. It looks like I was editing the zone file, saving it, cat-ing it and it was fine, until it was "recovered" from the journal file and overwritten by it each time; later bind was not loading the file because of an out-of-sync issue. After I cleaned up the journal file and redid the zone file, both *.is.also.my.domain.my and the others started to work.

Thank you for the information on what I should include next time I have an issue with bind9.

Sun, 3 Dec 2023 at 02:21 Crist Clark wrote:

> Ancient BIND version, but won’t mention it beyond that. Others are going
> to.
>
> This should work fine. Having multiple levels of labels in the zone
> shouldn’t be a problem. But you’re not providing enough detail to
> troubleshoot. You’re going to have to show the config and zone files to
> really get any help. And just providing snippets of the files might
> not show where the problem is. You also should provide the “dig” output and
> the precise errors you get back (e.g. the SOA record returned in the
> NXDOMAIN response might provide clues).
>
> On Sat, Dec 2, 2023 at 4:47 PM Michał Półrolniczak <michal.polrolnic...@gmail.com> wrote:
>
>> Hello Bind Community,
>>
>> I'm trying to resolve a sub-subdomain without making each level a separate
>> zone file.
>>
>> I have domain.my (name of domain changed) in the main zone (the host I serve
>> it from is ns.domain.my) - this works fine. I delegated the subdomain
>> my.domain.my by adding:
>>
>> my.domain.my IN NS ns.domain.my;
>>
>> I added this zone to the config file and created a zone file for it. - this
>> also works fine.
>>
>> I can without any issues add a subdomain to my.domain.my in the my.domain.my
>> zone file.
>>
>> I would like to resolve a sub-subdomain like this.is.also.my.domain.my
>> from the same my.domain.my zone file.
>> From my understanding I could add a wildcard "*.is.also.my.domain.my. IN
>> A ip.addr" record (and handle it later on the server), or add a
>> "this.is.also.my.domain.my. IN A ip.add" record.
>> Both don't work sadly.
>>
>> I also tested "is.also.my.domain.my. A ip.address" which also doesn't work
>> - so it looks like I'm missing something.
>>
>> Was this feature disabled/removed from bind9 or did I forget to set something
>> in my config file?
>>
>> I'm using bind9 9.11.5

--
Regards,
Michał Półrolniczak
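The lookup Michał was trying to get working, as an added example that is not part of this thread and not BIND's code: a toy authoritative lookup over a constructed my.domain.my zone, showing that an exact name several labels below the apex (this.is.also.my.domain.my) and a wildcard (*.is.also.my.domain.my) both answer from one zone file without further delegation, and showing the RFC 4592 rule for when a wildcard does not apply. The zone contents, the owner names and the 192.0.2.x addresses are made up for the example.

```python
# Toy authoritative lookup for a single zone, written to show how names
# several labels below the apex (this.is.also.my.domain.my) and wildcard
# owners (*.is.also.my.domain.my) are answered from one zone file.
# Added example, not BIND code. Zone data below is constructed; 192.0.2.0/24
# is documentation address space. Wildcard handling follows RFC 4592: a
# wildcard synthesises an answer only when the closest existing ancestor of
# the queried name is the wildcard's parent.

ZONE_ORIGIN = "my.domain.my."

# Constructed zone: owner name -> [(rrtype, rdata), ...]
ZONE = {
    "my.domain.my.": [
        ("SOA", "ns.domain.my. hostmaster.domain.my. 1 3600 900 1209600 300"),
        ("NS", "ns.domain.my."),
    ],
    "www.my.domain.my.": [("A", "192.0.2.1")],
    # exact multi-label name: no intermediate zone cut is needed
    "this.is.also.my.domain.my.": [("A", "192.0.2.10")],
    # wildcard: matches names whose closest encloser is is.also.my.domain.my
    "*.is.also.my.domain.my.": [("A", "192.0.2.20")],
}


def labels(name):
    """Split an absolute name into its labels, lower-cased."""
    return name.rstrip(".").lower().split(".")


def name_exists(name):
    """True if the name owns records or is an empty non-terminal, i.e. an
    ancestor of some owner name. is.also.my.domain.my exists because of the
    wildcard and of this.is.also.my.domain.my, even with no records of its own."""
    want = labels(name)
    for owner in ZONE:
        have = labels(owner)
        if len(have) >= len(want) and have[len(have) - len(want):] == want:
            return True
    return False


def lookup(qname, qtype):
    """Return (rcode, answer_rrs) the way an authoritative server would."""
    qname = qname.lower()
    if qname != ZONE_ORIGIN and not qname.endswith("." + ZONE_ORIGIN):
        return ("REFUSED", [])  # not our zone
    if name_exists(qname):
        # NOERROR; an empty list here is a NODATA answer (name exists, no such type)
        return ("NOERROR", [(qname, t, r) for t, r in ZONE.get(qname, []) if t == qtype])
    # Name does not exist: walk up to the closest encloser and check for a
    # wildcard directly beneath it.
    parts = labels(qname)
    for i in range(1, len(parts)):
        ancestor = ".".join(parts[i:]) + "."
        if name_exists(ancestor):
            wildcard = "*." + ancestor
            if wildcard in ZONE:
                # synthesised answer: owner is the query name, data from the wildcard
                return ("NOERROR", [(qname, t, r) for t, r in ZONE[wildcard] if t == qtype])
            return ("NXDOMAIN", [])
    return ("NXDOMAIN", [])


if __name__ == "__main__":
    for q in ("this.is.also.my.domain.my.", "x.is.also.my.domain.my.",
              "a.b.is.also.my.domain.my.", "a.this.is.also.my.domain.my.",
              "nope.my.domain.my."):
        print(q, lookup(q, "A"))
```

Run against the poster's names, this.is.also.my.domain.my is answered from its own record, x.is.also and a.b.is.also are synthesised from the wildcard (b.is.also does not exist, so the closest encloser is still is.also), and a.this.is.also gets NXDOMAIN because its closest encloser this.is.also exists and has no wildcard of its own. If a real zone holding records like these still returns NXDOMAIN, the file being edited is not what named is serving, which is exactly the stale-journal situation Michał found.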
Re: Value of a DNSSEC validating resolver

Clients need to send both cd=0 and cd=1 queries. The two types of queries address different failure scenarios. I tried hard to prevent the stupid "just send cd=1" advice before it was published. Years before there was a wish to reduce the amount of work a validating resolver does. There was bad advice from that and the WG chair refused to reopen the issue.

CD=1 addresses bad clocks and trust anchors in resolvers. CD=0 addresses bad authoritative servers and spoofed responses. You can start with either and try the other when validation fails.

--
Mark Andrews

> On 3 Dec 2023, at 12:31, Crist Clark wrote:
>
> Preface: Please don’t read any judgement of DNSSEC’s value into this
> question. Just looking for the opportunity to understand DNSSEC better from
> some world-class experts if any care to respond.
>
> When a client (or any DNS-speaker) is doing validation, doesn’t it set CD on
> queries through a forwarder? In that sense, the intermediate servers do not
> filter “bad answers.” Or is my understanding incorrect? Or do you mean the
> data that the forwarder is using internally has been filtered of bad answers?
>
>> On Fri, Dec 1, 2023 at 1:40 PM Mark Andrews wrote:
>>
>> A validating resolver is a prerequisite for validating clients to work.
>> Clients don’t have direct access to the authoritative servers so they can’t
>> retrieve good answers if the recursive servers don’t filter out the bad
>> answers.
>>
>> Think of a recursive server as a town water treatment plant. You could
>> filter and treat at every house and sometimes you still do like boiling
>> water for baby formula but on the most part what you get out of it is good
>> enough for consumption as is.
>>
>> --
>> Mark Andrews
>>
>>> On 2 Dec 2023, at 08:14, John Thurston wrote:
>>>
>>> At first glance, the concept of a validating resolver seemed like a good
>>> idea. But in practice, it is turning out to be a hassle.
>>>
>>> I'm starting to think, "If my clients want their answers validated, they
>>> should do it." If they *really* care about the quality of the answers they
>>> get, why should my clients be trusting *me* to validate them?
>>>
>>> Can someone make a good case to me for continuing to perform DNSSEC
>>> validation on my central resolvers?
>>>
>>> --
>>> Do things because you should, not just because you can.
>>>
>>> John Thurston
>>> 907-465-8591
>>> john.thurs...@alaska.gov
>>> Department of Administration
>>> State of Alaska
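Mark's advice to send both cd=0 and cd=1 queries, worked through as an added example that is not code from this thread or from BIND: a Python sketch that builds the two query forms on the wire (RD and CD header flags per RFC 1035 and RFC 4035, the EDNS OPT record with the DO bit per RFC 6891) and a stub validating client that starts with one CD setting and falls back to the other when validation fails. The two resolvers it talks to are simulated in-process to stand for the two failure scenarios Mark names (a resolver with a bad clock or trust anchor, and a resolver that received a spoofed response), and the client's own DNSSEC validation is stood in for by a constructed sig_ok flag on the answer; the query encoding itself is real wire format.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035) and the EDNS DO bit (RFC 6891).
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # in a query: the client understands the AD bit
FLAG_CD = 0x0010  # checking disabled: hand back data even if validation fails
EDNS_DO = 0x8000  # DNSSEC OK, the high bit of the OPT record's TTL field


def encode_name(name):
    """Wire-encode an absolute domain name as length-prefixed labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, qid=0x1234, cd=False):
    """Query with RD set, an OPT record carrying DO, and CD set as requested."""
    flags = FLAG_RD | FLAG_AD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, type 41, UDP payload size 1232, TTL field = flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO, 0)
    return header + question + opt


def query_flags(packet):
    """Decode the header flags a resolver looks at before deciding what to do."""
    qid, flags = struct.unpack("!HH", packet[:4])
    return {"id": qid, "rd": bool(flags & FLAG_RD),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD)}


def do_bit_set(packet):
    """The OPT RR built above is the trailing 11 bytes; DO lives in its TTL field."""
    _, _, ttl, _ = struct.unpack("!HHIH", packet[-10:])
    return bool(ttl & EDNS_DO)


# --- Constructed answers used by the simulated resolvers below ---
GOOD = {"name": "www.example.", "a": "192.0.2.1", "sig_ok": True}      # properly signed
SPOOF = {"name": "www.example.", "a": "203.0.113.9", "sig_ok": False}  # forged, bad RRSIG


def resolver_with_bad_clock(packet):
    """Resolver whose own validation fails (clock or trust anchor problem):
    SERVFAIL on cd=0, but with cd=1 it returns the data and signatures it holds."""
    return ("NOERROR", GOOD) if query_flags(packet)["cd"] else ("SERVFAIL", None)


def resolver_on_spoofed_path(packet):
    """Resolver that received a forged response: with cd=0 it discards it and
    answers with data that validated; with cd=1 it passes the forgery through."""
    return ("NOERROR", SPOOF) if query_flags(packet)["cd"] else ("NOERROR", GOOD)


def local_validate(answer):
    """Stand-in for the client's own DNSSEC validation (constructed flag)."""
    return answer is not None and answer["sig_ok"]


def validating_client(name, send, cd_first=False):
    """Try one CD setting, then the other, and accept only what validates locally.
    Returns (status, answer, cd_used)."""
    for cd in ((True, False) if cd_first else (False, True)):
        rcode, answer = send(build_query(name, cd=cd))
        if rcode != "SERVFAIL" and local_validate(answer):
            return ("SECURE", answer, cd)
        # Either the resolver could not validate (SERVFAIL on cd=0) or the data
        # it handed over fails our own check (cd=1 on a spoofed path): retry
        # with the other CD setting.
    return ("BOGUS", None, None)


if __name__ == "__main__":
    print(validating_client("www.example.", resolver_with_bad_clock))
    print(validating_client("www.example.", resolver_on_spoofed_path, cd_first=True))
```

With the bad-clock resolver the cd=0 query fails and the cd=1 retry succeeds because the client validates the returned signatures itself; with the spoofed-path resolver a cd=1 start hands the client data that fails its own validation, and the cd=0 retry gets the answer the resolver filtered and validated. Either starting order ends in the same secure answer, which is the point of sending both forms rather than only cd=1.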