RE: Questions about "dnssec validation" statement

2025-03-15 Thread Chris Isaksen
Thanks I'll try that.

-Original Message-
From: Evan Hunt 
Sent: Thursday, March 6, 2025 1:46 PM
To: Chris Isaksen 
Cc: bind-users@lists.isc.org
Subject: Re: Questions about "dnssec validation" statement

On Thu, Mar 06, 2025 at 12:56:08PM +, Chris Isaksen wrote:
> I was wondering if dnssec validation could be set to auto in the
> options section and then set it to 'no' in a particular zone?
>
> We would like to use "dnssec validation auto"  but a few forwarding
> zones we have, we know do not use dnssec and queries fail if it's not
> set to no.

"validate-except { domain1; domain2; ... };"

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.



-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Authoritative and caching

2025-03-15 Thread Danjel Jungersen via bind-users

I'm so sorry, but I have to trouble you guys again.

The help below helped, I have no errors from checkconf or checkzone, but 
from journalctl I get:

/etc/bind/zones/db.jungersen.dk.jbk: create: permission denied
and
/etc/bind/zones/db.jungersen.dk.signed.jnl: create: permission denied

and some more, but I think these 2 are the causes.

But if I try:
root@ns1:/etc/bind/zones# ps auxw|grep named
bind   57446  0.1  1.2 147948 48140 ?    Ssl  17:12   0:01 /usr/sbin/named -f -4 -u bind
root   57472  0.0  0.0   6332  2036 pts/1    S+   17:21   0:00 grep named


It looks to me like the user is "bind".

I also have:
drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones

I have added write permission for the bind group.

I have also tried to change owner to bind, same result.

I have .key, .private and .state files in /var/cache/bind

What do these errors mean?
I assume that the files that it tries to write are supposed to be written(?)

And why is it rejected?

BR
Danjel

On 12-03-2025 23:49, Mark Andrews wrote:

I shouldn’t have tried to write that on the phone from memory.

dnssec-policy "unlimited" {
    keys { csk lifetime unlimited algorithm ECDSAP256SHA256; };
};

zone "jungersen.dk" {
    type master;
    file "/etc/bind/zones/db.jungersen.dk";
    allow-transfer { 192.168.20.11; };
    dnssec-policy "unlimited";
};

Mark


On 13 Mar 2025, at 09:13, Danjel Jungersen wrote:

On 20-02-2025 08:40, Mark Andrews wrote:

The zone is available publicly, but from public servers not hosted by me 
(one.com).
And points to my external IP.
My internal bind redirects local traffic directly to local servers on local 
IPs.

DNSSEC is designed to stop spoofed answers being accepted.  When you create a 
local zone that overrides what is in the public zones you are effectively 
spoofing answers.  As you have a DNSSEC signed public zone if you want to have 
these spoofed answers accepted you need to do one of the following:

1) create a working chain of trust that links to your private zone content
Long 1 is the best long term solution

So this is the way I will try to go.

You currently have the following DS which means you are using ECDSAP256SHA256 
(13) as the DNSSEC key algorithm.

jungersen.dk. 7200 IN DS 26658 13 2 
23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52

I would add “dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; 
};” to your internal primary if you choose to do 1 or 3.  This will add a 
DNSKEY record to the zone and cause it to be signed.  You can then take the 
generated DNSKEY and install it as a trust anchor on the postfix boxes.

You will need to do some reading first. Others here can give you more advice.


I have now read a lot, and I think that I actually understood some of it.

I have:
zone "jungersen.dk" {
 type master;
 file "/etc/bind/zones/db.jungersen.dk";
 allow-transfer { 192.168.20.11; };
 dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
};

in named.conf.local

It throws an error: /etc/bind/named.conf.local:15: expected string near '{'

Line 15 is the dnssec-policy line.

If I uncomment this line all is well.

Can anyone tell me what is wrong with this line?
I have copy pasted it from the suggestion, and have read some online, to me it 
looks good.



BR
Danjel


--
Med venlig hilsen/Kind regards
Danjel Jungersen
Mail: dan...@jungersen.dk
Mobile: +45 20 42 20 11

Jungersen Grafisk ApS,
Holsbjergvej 39, DK-2620 Albertslund,
Denmark.
Tel: +45 43 64 10 00

WEBSHOP: PRINTLIGHT.DK  | WWW.JUNGERSEN.DK 





Re: Authoritative and caching

2025-03-15 Thread Greg Choules via bind-users
Hi Danjel.
Please send "ls -al" of both "/etc/bind" and "/etc/bind/zones"

Thanks, Greg



Re: Authoritative and caching

2025-03-15 Thread Danjel Jungersen via bind-users

Off-list I was asked.

root@ns1:/etc/bind# ls -la
total 60
drwxr-sr-x  3 root bind 4096 Mar 15 16:31 .
drwxr-xr-x 71 root root 4096 Jan  6 08:40 ..
-rw-r--r--  1 root root 2403 Jul 27  2024 bind.keys
-rw-r--r--  1 root root  255 Jul 27  2024 db.0
-rw-r--r--  1 root root  271 Jul 27  2024 db.127
-rw-r--r--  1 root root  237 Jul 27  2024 db.255
-rw-r--r--  1 root root  353 Jul 27  2024 db.empty
-rw-r--r--  1 root root  270 Jul 27  2024 db.local
-rw-r--r--  1 root bind  458 Jul 27  2024 named.conf
-rw-r--r--  1 root bind  498 Jul 27  2024 named.conf.default-zones
-rw-r--r--  1 root bind  737 Mar 13 08:41 named.conf.local
-rw-r--r--  1 root bind  950 Jan 30 08:58 named.conf.options
-rw-r-----  1 bind bind  100 Jan  3 15:27 rndc.key
drwxrwsr-x  2 root bind 4096 Mar 15 16:54 zones
-rw-r--r--  1 root root 1317 Jul 27  2024 zones.rfc1918

root@ns1:/etc/bind/zones# ls -la
total 20
drwxrwsr-x 2 root bind 4096 Mar 15 16:54 .
drwxr-sr-x 3 root bind 4096 Mar 15 16:31 ..
-rw-rw-r-- 1 root bind  445 Jan  5 17:58 db.192.168
-rw-rw-r-- 1 root bind  509 Jan  5 17:12 db.jg1.jungersen.dk
-rw-rw-r-- 1 root bind  681 Mar 15 16:54 db.jungersen.dk

I was also asked about the setgid bit; I have no reason/explanation for it.
Nor do I have any special wishes, so if it is best practice to do it 
differently, I can change it.


Apparmor was also mentioned, I have no experience with that, and have 
not changed it in any way (to my knowledge)...


If I have opened up too much in my effort to make it work, please let me 
know; I wish to keep it as tight as possible.


:-)
Danjel



Re: Authoritative and caching

2025-03-15 Thread Lee
On Sat, Mar 15, 2025 at 5:25 PM Danjel Jungersen via bind-users
 wrote:
>
> Apparmor was also mentioned, I have no experience with that, and have not 
> changed it in any way (to my knowledge)...

On my machine,

$ journalctl -l | grep apparmor | grep bind |more

shows many lines like

Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED"
operation="mknod" profile="named" name="/etc/bind/db.10.10.2.jbk"
pid=922 comm="isc-net-0002" requested_mask="c" denied_mask="c"
fsuid=116 ouid=116
Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED"
operation="mknod" profile="named" name="/etc/bind/db.home.net.jbk"
pid=922 comm="isc-net-0003" requested_mask="c" denied_mask="c"
fsuid=116 ouid=116

/etc/apparmor.d/usr.sbin.named on my machine has

  # /etc/bind should be read-only for bind

and I'm clearly violating that assumption :(
Rather than fix my bind config I fixed the apparmor config.  If you go
that way remember to do

  /etc/init.d/apparmor restart

to have the new apparmor rules take effect.

Regards,
Lee
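As an added example (my code, not Lee's and not part of BIND or the Debian AppArmor profile), a POSIX shell filter that pulls the "named" profile's AppArmor denials out of journal output in the line format Lee quoted, so the refused paths and operations are visible at a glance; the sample lines are constructed, with hostname, pids, comm names and paths as placeholders.

```shell
#!/bin/sh
# Added example, not code from Lee's message or from BIND/ISC: filter the
# AppArmor "DENIED" audit lines for the "named" profile out of journal output
# and list what named was refused, so the admin can see whether the zone
# directory is one the profile treats as read-only (the comment Lee quotes
# from /etc/apparmor.d/usr.sbin.named says /etc/bind should be read-only).
#
# SAMPLE_JOURNAL is constructed from the line format Lee quoted; hostname,
# pids, comm names and paths are placeholders, not real data.
SAMPLE_JOURNAL='Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/db.10.10.2.jbk" pid=922 comm="isc-net-0002" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/db.home.net.jbk" pid=922 comm="isc-net-0003" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="open" profile="named" name="/etc/bind/db.home.net.jnl" pid=922 comm="isc-net-0003" requested_mask="wc" denied_mask="wc" fsuid=116 ouid=116
Dec 14 08:00:14 spot audit[931]: AVC apparmor="DENIED" operation="open" profile="cupsd" name="/etc/cups/printers.conf" pid=931 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# named_denials: read audit lines on stdin and print one line per distinct
# denial of the "named" profile as "<operation> <denied_mask> <path>".
# Lines for other profiles (cupsd above) and non-DENIED lines are dropped.
named_denials() {
    grep 'apparmor="DENIED"' | grep 'profile="named"' |
    sed -n 's/.*operation="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \3 \2/p' |
    sort -u
}

# denied_dirs: the directories in which named was refused, one per line.
# If they are all under /etc/bind, either the writable files (.jbk, .jnl,
# .signed) move to a directory the profile permits, or the profile is
# loosened as Lee did; the list shows which directories are affected.
denied_dirs() {
    named_denials | awk '{ p = $3; sub("/[^/]*$", "", p); print p }' | sort -u
}

# Run the filter over the constructed sample (real use: journalctl -l | named_denials).
printf '%s\n' "$SAMPLE_JOURNAL" | named_denials
printf '%s\n' "$SAMPLE_JOURNAL" | denied_dirs
```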


Re: Authoritative and caching

2025-03-15 Thread Lee
On Sat, Mar 15, 2025 at 12:32 PM Danjel Jungersen via bind-users <
bind-users@lists.isc.org> wrote:

> I'm so sorry, but I have to trouble you guys again.
>
> The help below helped, I have no errors from checkconf or checkzone, but
> from journalctl I get:
> /etc/bind/zones/db.jungersen.dk.jbk: create: permission denied
> and
> /etc/bind/zones/db.jungersen.dk.signed.jnl: create: permission denied
>
> and some more, but I think these 2 are the causes.
>

Maybe an apparmor problem?
I had to add write permissions to /etc/bind before bind would work for me
... which was probably my mis-configuration, but still.

file to be modified:  /etc/apparmor.d/usr.sbin.named

Regards
Lee
