migrate to a different IP

2010-08-25 Thread CT

Overview
- internal DNS server with RFC1918 IP (old ip)
- wish to move to a global unique IP but still remain internal (new ip)
- keep the same name

Clients would still use the old IP until the migration had been completed.

What would be the preferred method to "forward" all requests from
the old IP to the new IP..?

The final config will be with the new box on the new IP address

or am I barking up the wrong tree ??

Thx
Charles

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Trouble with 9.7.1-P2 on RHEL 5

2010-08-26 Thread CT

I have successfully built on CentOS 5.5 (32bit)
(I do a very simple install with no desktop.. )

BIND 9.7.1-P2 built with '--prefix=/usr/local' 
'--sysconfdir=/etc/namedb' '--disable-openssl-version-check' 
'--with-openssl=yes'


Some notes I had made
---
Compiling from source is very simple once you have the necessary 
dependencies.


Needed to compile bind from source:
-- openssl
-- make
are installed during the default installation

We need to install a few extra packages via yum.
These packages will also pull in a few of their own dependencies.

-- yum install openssl-devel
-- yum install gcc
-- yum install autoconf

---
hth
Charles


Timothy Holtzen wrote:

Has anyone been able to get 9.7.1-P2 to build with pkcs11 and run on
RHEL/CentOS 5?  I appear to be able to configure and make without any
problems but when I go to run it I get the following error in the log.

named[14899]: starting BIND 9.7.1-P2 -c /etc/named.conf -t /var/named/chroot
named[14899]: built with '--with-libtool' '--localstatedir=/var'
'--disable-threads' '--enable-ipv6' '--disable-static' '--with-pic'
'--disable-openssl-version-check'
'--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-gssapi=yes'
'--disable-isc-spnego'
named[14899]: using up to 4096 sockets
named[14899]: initializing DST: no engine
named[14899]: exiting (due to fatal error)

From what I have been able to deduce this means that bind can't find or
use the pkcs11 encryption engine.  Compiling without the "--with-pkcs11"
option produces a functional executable.  Strangely the exact same
configuration options worked just fine with 9.7.0 so something seems to
have changed between those releases.  My ultimate goal is to do a full
DNSSEC deployment so I'm guessing the pkcs11 option is going to be
required if I want to generate and manage keys etc.  Anyone have any
ideas?  I suspect that I'm missing some encryption library or something.






dnssec questions

2010-08-27 Thread CT

I just migrated my dns server to bind 9.7.1-P2

KSK
dnssec-keygen -r /dev/urandom -a RSASHA256 -b 2048 -f KSK $zone

ZSK
dnssec-keygen -r /dev/urandom -a RSASHA256 -b 1024 $zone

SIGN
dnssec-signzone -S -C -g -a -H 10 -3  -K  $zone

Per my isc class and the book I received by Jeremy C. Reid ..
you still need to "include" your keys in the zone file either

via
$include /KSK
$include /ZSK1
$include /ZSK2
or
(cat *.key > allkeys) which is what I have done..
$include /allkeys

I thought the use of -S (smart signing) that this was no longer 
necessary ..?


Thx
Charles





Re: dnssec questions

2010-08-27 Thread CT

On 08/27/2010 11:32 AM, Alan Clegg wrote:

On 8/27/2010 11:42 AM, CT wrote:


Per my isc class and the book I received by Jeremy C. Reid ..
you still need to "include" your keys in the zone file either

via
$include /KSK
$include /ZSK1
$include /ZSK2
or
(cat *.key > allkeys) which is what I have done..
$include /allkeys

I thought the use of -S (smart signing) that this was no longer
necessary ..?





If you use "-S", dnssec-signzone pulls the keys into the zone file based
on the timing metadata.  You don't need to $INCLUDE the keys any longer.

AlanC



Alan..

Much thanks for the info.. I had to include the keys for my keyset 
upload to our registrar.. and it did require the keys either in the file
or with an include statement.. so a one time deal then..

Also discovered (was using 9.6.1-16.P3 before) the keyset does not 
change after re-signing the zone...


One less file to keep up with ..

V/R
Charles


Performance hit on Query logging

2010-10-07 Thread CT

Hardware:   Dell PowerEdge 2850
OS: RHEL 5.5 32 bit (no X)
Bind:   BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
RAM:2 Gig
Processes:  Bind, ntp, ssh

My question(s):

1) How do I determine the number of threads Bind is currently using ?
per the man page
-
  -n #cpus
   Create #cpus worker threads to take advantage of multiple 
CPUs. If not specified, named will try to determine the number of CPUs 
present and create one thread per CPU. If it is unable to determine the 
number of CPUs, a single worker thread will be created.


>ps aux |grep named
named     2443  9.1  8.7 250780 182296 ?  Ssl  Oct06 151:07 /usr/sbin/named -u named



2) What is the preferred way to determine "named" utilization ?
Are there measurable impacts to Query response not reflected in CPU 
load, Memory or IO?


> top -u named
Cpu(s):  1.2%us,  0.6%sy,  0.0%ni, 98.0%id,  0.0%wa,  0.1%hi,  0.1%si,  0.0%st

Mem:   2075176k total,  1864544k used,   210632k free,   201376k buffers
Swap:  2096472k total,        0k used,  2096472k free,  1392584k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2443 named     25   0  244m 178m 2160 S  9.7  8.8 151:42.60 named


3) Could having query logging enabled cause DNS timeouts that would
be non-existent if query logging was disabled..?
The impact to CPU load of DNS Query Logging is 30% but when CPU load 
averages are less 10%, increase to 13% doesn't seem to be much to 
encourage disabling.



Charles



Re: Performance hit on Query logging

2010-10-08 Thread CT

On 10/07/2010 05:40 PM, Eivind Olsen wrote:

--On 7. oktober 2010 16.55.54 -0500 groups  wrote:

One party thinks that disabling query logging will give enormous
performance gains, while 30% is a lot.. IMHO it is very negligible in CPU
cycles when the named process only is taking up > 10% CPU..
and less than 10% in RAM...
Just looking for any suggested tests..


I'm not an expert on this, so take whatever I say here with a grain of
salt :D

You could run some dnsperf / resperf
() ?
Do some runs without query logging, then some with it enabled. Do the
tests in the same way. A rather static way of doing it would be to run
resperf against something you _know_ you have in your cache (like,
looking up "localhost" or the reverse of 127.0.0.1 or whatever). Do it
from the same server, or from another server in the same subnet, so you
avoid network performance.
resperf has a report tool which can easily make some nice graphs for
you, showing when BIND starts to struggle with sending the replies, and
another graph to tell you the latency / delay in replies.
This should give you some numbers, to see how much query logging would
impact you.

Regards
Eivind Olsen



Eivind

My servers run on ESX, so I can clone the prod box and configure the 
tools..


Thank you for the link.. and response.

Charles


Equivalent query verbosity Bind vs Microsoft DNS (2008 Server)

2010-10-08 Thread CT

All..
We have 2008 M$ dns servers (running M$ DNS ) and bind servers on Linux
We are looking to tweak the M$ servers down to the same "level" as
the bind servers.. if possible..

the bind logging statement
-
    category lame-servers   { null; };
    category resolver       { null; };
    category queries        { log_requests; };

channel log_requests
{
    file "/var/log/named/queries.log" versions 10 size 100m;
    print-time yes;
    print-category yes;
    print-severity yes;
};
-

So far, we have found the Microsoft KB198408 that says:

"The DNS server can generate a more detailed log than is practical to 
include in the Windows NT event log. This includes everything from 
simply including events excluded from the event log, to a summary of 
every packet in and out of the server."


It looks like there is a registry tweak needed..

Value:  LogLevel
   Added:SP4 (April 98)
   Type: DWORD (Bitfield)
   Default:  NoKey (Zero -- No logging)

   Function: Determines level of logging to file (Dns.log).
   #define DNS_LOG_LEVEL_ALL_PACKETS  0x
   #define DNS_LOG_LEVEL_NON_QUERY0x00fe
   #define DNS_LOG_LEVEL_QUERY0x0001
   #define DNS_LOG_LEVEL_NOTIFY   0x0010
   #define DNS_LOG_LEVEL_UPDATE   0x0020
   #define DNS_LOG_LEVEL_QUESTIONS0x0100
   #define DNS_LOG_LEVEL_ANSWERS  0x0200
   #define DNS_LOG_LEVEL_SEND 0x1000
   #define DNS_LOG_LEVEL_RECV 0x2000
   #define DNS_LOG_LEVEL_UDP  0x4000
   #define DNS_LOG_LEVEL_TCP  0x8000
   #define DNS_LOG_LEVEL_DS_WRITE 0x0001
   #define DNS_LOG_LEVEL_DS_UPDATE0x0002
   #define DNS_LOG_LEVEL_FULL_PACKETS 0x0100
   #define DNS_LOG_LEVEL_WRITE_THROUGH0x8000

We will continue to search but hoped there might be some help on the list..

VR
Charles


Script to create PTR zone from zone file

2010-10-29 Thread CT

Looking to write a script to create the PTR records..
Not much on the Web..

Thx
CT


Re: Script to create PTR zone from zone file

2010-10-30 Thread CT

Sukman wrote, On 10/30/2010 12:42 AM:

Looking to write a script to create the PTR records..
Not much on the Web..


I had some script that may help you... :)

Example of input file to be generated:

InstitutTeknologiBandung 192.168.0.154 router2.id 192.168.0.153 router1.id
local 192.168.0.157 ITB-local.id 192.168.0.158 local-ITB.id

Script that I did for this file:

#!/bin/sh

LOCALLIST="localfile"

printf 'Start Node Script\n\n'
rm -f revlocal
# Cut The Line
if [ -e "$LOCALLIST" ]; then

    while read line
    do
        row1="$(echo $line | cut -d " " -f2 | cut -d "." -f4)"
        row2="$(echo $line | cut -d " " -f3 | cut -d "." -f1)"
        row3="$(echo $line | cut -d " " -f4 | cut -d "." -f4)"
        row4="$(echo $line | cut -d " " -f5 | cut -d "." -f1)"

        # printf rather than echo: "\n" inside echo is not portable between shells
        printf '%s\tIN\tPTR\tnode.%s.net\n%s\tIN\tPTR\tnode.%s.net\n' \
            "$row1" "$row2" "$row3" "$row4"
        printf '%s\tIN\tPTR\tnode.%s.net\n%s\tIN\tPTR\tnode.%s.net\n' \
            "$row1" "$row2" "$row3" "$row4" >> revlocal

    done < "$LOCALLIST"

fi
printf '\nEnd Node Script\n'


Then, the output will be:

154  IN  PTR  router2.net
153  IN  PTR  router1.net
157  IN  PTR  ITB-local.net
158  IN  PTR  local-ITB.net


Best Regards :)

Suksmandhira H
Engineering Physics - ITB




Sukman

Thank you..

Charles
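The thread above asks for a script that derives PTR records from a forward zone file. The following is an added example, not code from the thread or from ISC: it parses a small subset of master-file syntax ($ORIGIN, $TTL, comments, optional TTL/class tokens, owner inheritance) and groups the resulting PTRs per /24 in-addr.arpa zone. The sample zone is constructed.

```python
"""Generate in-addr.arpa PTR records from the A records of a forward zone.

Added example, not from the bind-users thread. It reads a small subset of
master-file syntax: $ORIGIN, $TTL, comments, and records of the form
    [owner] [ttl] [class] A <ipv4>
Other record types are skipped. Results are grouped by /24 reverse zone
so each block can go into the matching <c>.<b>.<a>.in-addr.arpa file.
"""
import ipaddress
from collections import defaultdict

# Constructed sample zone (not the poster's data).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns.example.com. root.example.com. ( 2010103001 3h 1h 1w 1h )
         IN NS    ns.example.com.
ns       IN A     192.168.0.1
router1  IN A     192.168.0.153
router2  IN A     192.168.0.154
www      IN CNAME example.com.      ; no PTR for aliases
mail 600 IN A     192.168.1.25      ; different /24, explicit TTL
"""


def _absolute(name, origin):
    """Make an owner name absolute: '@' is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_a_records(zone_text, default_origin="."):
    """Return [(fqdn, ipv4), ...] for every A record in zone_text."""
    origin = default_origin
    last_owner = origin            # a line starting with whitespace reuses the previous owner
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if line.startswith("$"):               # $TTL, $INCLUDE, $GENERATE: not needed here
            continue
        fields = line.split()
        if not line[0].isspace():              # explicit owner name on this line
            last_owner = _absolute(fields.pop(0), origin)
        # Optional TTL and class tokens precede the type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if len(fields) >= 2 and fields[0].upper() == "A":
            try:
                ip = str(ipaddress.IPv4Address(fields[1]))
            except ipaddress.AddressValueError:
                continue                       # malformed address: skip rather than emit a bad PTR
            records.append((last_owner, ip))
    return records


def ptr_records(records):
    """Group PTRs by /24 reverse zone: {reverse_zone: [(last_octet, fqdn), ...]}, sorted by octet."""
    zones = defaultdict(list)
    for fqdn, ip in records:
        a, b, c, d = ip.split(".")
        zones[f"{c}.{b}.{a}.in-addr.arpa."].append((int(d), fqdn))
    for entries in zones.values():
        entries.sort()
    return dict(zones)


def render(zones):
    """Render one $ORIGIN block per reverse zone with owner names relative to it."""
    out = []
    for rzone in sorted(zones):
        out.append(f"$ORIGIN {rzone}")
        for octet, fqdn in zones[rzone]:
            out.append(f"{octet:<4} IN PTR {fqdn}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(ptr_records(parse_a_records(SAMPLE_ZONE))))
```

Two names sharing one address produce two PTRs for that octet; decide per zone whether that is wanted before loading the output.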


Best Practices Query Logging, On or Off ?

2010-11-18 Thread CT

I am looking for a best practices for dns query logging

Versions in use on Linux...
- BIND 9.7.1-P2
- BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2


The minimum logging statement in my test named.conf (bind 9.7.1-P2)

logging
{
category lame-servers   { null; };
category resolver   { null; };
};

which I have tested still allows the dns (default)
to log to /var/log/messages

--
default The default category defines the logging options for
those categories where no specific configuration has
been defined.
--

I have also been made aware that query logging can give a machine up to 
a 30% performance hit but also with today's machines it is mostly 
negligible..


My question is :
Do folks normally use query logging as a forensic tool or are most Bind 
installations done without logging any queries ?


The powers that be seem to think the performance hit outweighs any 
forensic benefit...


Thx
Charles


Re: Best Practices Query Logging, On or Off ?

2010-11-18 Thread CT

Kevin Darcy wrote, On 11/18/2010 02:19 PM:

On 11/18/2010 1:36 PM, CT wrote:

I am looking for a best practices for dns query logging

Versions in use on Linux...
- BIND 9.7.1-P2
- BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2


The minimum logging statement in my test named.conf (bind 9.7.1-P2)

logging
{
category lame-servers { null; };
category resolver { null; };
};

which I have tested still allows the dns (default)
to log to /var/log/messages

--
default The default category defines the logging options for
those categories where no specific configuration has
been defined.


--

I have also been made aware that query logging can give a machine up
to a 30% performance hit but also with today's machines it is mostly
negligible..

My question is :
Do folks normally use query logging as a forensic tool or are most
Bind installations done without logging any queries ?

The powers that be seem to think the performance hit outweighs any
forensic benefit...


That's pretty short-sighted, IMO. Query logging allows one to find
misbehaving or misconfigured apps/servers/clients, active worms, etc. By
identifying those bad actors and correcting them, you reduce your query
volumes, usually much more than 30%. So, at the end of the day, what
benefit is there, really, in flying blind about one's query traffic?

Needless to say, we log all queries here. We even have a subsystem that
collects summaries of those query statistics from all of our remote
nameserver into a central repository for further mining/analysis.

- Kevin


Kevin..
I am one of the ones that "keep" all my query logs for forensics..
One of my co-workers was actually looking for "best practices" document, 
I will take a look in the ARM but don't remember seeing
anything in there when I read through it..

I am curious of the product you use to collect the data / logs..
if you can reply on list..

Thx
Charles
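Kevin's argument for keeping query logs is that they let you find the misbehaving clients behind the query volume. As an added example (not from the thread), the script below summarises BIND query-log lines into per-client counts, clients looping on one name, and clients fanning out over many names; it assumes the 9.7 line shape produced by a channel with print-time, print-category and print-severity, and the log lines are constructed.

```python
"""Summarise a BIND query log to find noisy or misbehaving clients.

Added example, not from the bind-users thread. It assumes the BIND 9.7
query log line shape produced by a channel with print-time,
print-category and print-severity (as in the logging statement quoted
earlier on this page):
  07-Oct-2010 12:00:00.070 queries: info: client 192.168.1.10#50000: query: www.example.com IN A + (192.168.1.1)
Lines that do not match are counted as unparsed so a format change or a
different BIND version is noticed instead of silently skewing the numbers.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^\S+ \S+ queries: \w+: client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def _line(ms, client, port, qname, qtype="A"):
    """Build one constructed query-log line (sample data, not a real capture)."""
    return (f"07-Oct-2010 12:00:{ms // 1000:02d}.{ms % 1000:03d} queries: info: "
            f"client {client}#{port}: query: {qname} IN {qtype} + (192.168.1.1)")


# Constructed sample: one client looping on a single name, one client
# walking many distinct names, one ordinary client, and one non-query line.
SAMPLE_LOG = (
    [_line(i * 10, "192.168.1.10", 50000 + i, "www.example.com") for i in range(8)]
    + [_line(1000 + i * 50, "192.168.1.30", 40000 + i, f"h{i:02d}.bad.example") for i in range(6)]
    + [_line(2000, "192.168.1.20", 41000, "mail.example.com", "MX"),
       "07-Oct-2010 12:00:03.000 general: info: zone example.com/IN: loaded serial 2010100701"]
)


def summarise(lines, repeat_threshold=5, fanout_threshold=5):
    """Aggregate query-log lines.

    Returns a dict with:
      stats      - parsed/unparsed line counts
      per_client - Counter of queries per client address
      qtypes     - Counter of query types
      repeaters  - {(client, qname): n} where one client asked the same name
                   at least repeat_threshold times (TTL-ignoring app, retry loop)
      fanout     - {client: distinct_names} for clients that asked for at least
                   fanout_threshold distinct names (scanner, malware lookups, tunnelling)
    """
    stats = {"parsed": 0, "unparsed": 0}
    per_client = Counter()
    per_client_name = Counter()
    names_by_client = defaultdict(set)
    qtypes = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        client, qname = m["client"], m["qname"].lower().rstrip(".")
        per_client[client] += 1
        per_client_name[(client, qname)] += 1
        names_by_client[client].add(qname)
        qtypes[m["qtype"].upper()] += 1
    repeaters = {k: n for k, n in per_client_name.items() if n >= repeat_threshold}
    fanout = {c: len(s) for c, s in names_by_client.items() if len(s) >= fanout_threshold}
    return {"stats": stats, "per_client": per_client, "qtypes": qtypes,
            "repeaters": repeaters, "fanout": fanout}


def report(lines):
    """Human-readable summary of the findings."""
    r = summarise(lines)
    out = [f"parsed={r['stats']['parsed']} unparsed={r['stats']['unparsed']}",
           "top clients: " + ", ".join(f"{c} ({n})" for c, n in r["per_client"].most_common(5))]
    for (c, q), n in sorted(r["repeaters"].items(), key=lambda kv: -kv[1]):
        out.append(f"repeater: {c} asked {q} {n} times")
    for c, n in sorted(r["fanout"].items(), key=lambda kv: -kv[1]):
        out.append(f"fan-out: {c} asked for {n} distinct names")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it `summarise(open("/var/log/named/queries.log"))` on a rotated file rather than the live one, and tune the two thresholds to the site's normal query rate.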


Re: Best Practices Query Logging, On or Off ?

2010-11-22 Thread CT

On 11/22/2010 01:01 AM, Ben McGinnes wrote:

On 22/11/10 5:05 PM, Doug Barton wrote:

On 11/21/2010 21:58, Ben McGinnes wrote:

On 22/11/10 7:12 AM, Doug Barton wrote:

On Thu, 18 Nov 2010, CT wrote:


- BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2


Really old, definitely needs upgrading.


That just means they're running RHEL 5 or CentOS 5.  If they have a
support contract with Red Hat, they may not be able to upgrade
without forfeiting their support and/or certification.  That
version will include back-ported security fixes.


I get that actually. However it doesn't change my recommendation.
Even with security patches BIND 9.3 is past EOL, and incapable of
doing modern DNSSEC.


Fair enough.  Red Hat probably need to find a middle ground for proper
updates of certain essential packages, like BIND, while working within
their upgrade path.  That, however, is a topic for another list.


Regards,
Ben



Yeah.. the "other guys" have to run RHEL..
Redhat only supports "their" version of bind..

I used to recompile SRC rpms.. until I went to the ISC class..
now I compile from source.. so so much simpler.. (once you have all the 
permissions set)..


>> - BIND 9.7.1-P2
> Not the latest version, you should probably consider upgrading.
I haven't really read the change log yet... but most likely will

Charles


Primary Server Name Change

2011-05-12 Thread CT

Primary Name server
bind- 9.7.3
OS- CentOS 5.6
Authoritative for 2 zones using DNSSEC

This may be an obvious question but I will ask anyway.. :)

I want to change the name of the server
from
old.zone1.com
to
new.zone2.com

IP Address - no change

- change soa in master zone files
- work with slaves to make sure named.conf are correct

Other than that are there any gotchas.. ??

I am wondering if I will have to "unsign" my zones
and the upload new keysets to the registrar.

Thx
CT


Once again.. :) Primary Server Name Change

2011-05-12 Thread CT

I accidentally borked the previous post..

Primary Name server
bind- 9.7.3
OS- CentOS 5.6

This may be an obvious question but I will ask anyway.. :)
I want to do a name change on the Primary for 2 zones using DNSSEC
- zone1
- zone2

- Old name - old.zone1.com
- New Name - new.zone2.com
- IP Address - no change

Changes that I am aware of :
- change at registrar - new name
- change soa in master zone files
- work with slaves to make sure named.conf are correct

Other than that are there any gotchas.. ??

I am wondering if I will have to "unsign" my zones
and the upload new keysets to the registrar.

Thx
CT


Re: Primary Server Name Change

2011-05-13 Thread CT

On 05/12/2011 08:15 PM, Mark Andrews wrote:

In message<4dcc225f.8000...@obsd.us>, CT writes:

Primary Name server
bind- 9.7.3
OS- CentOS 5.6
Authoritative for 2 zones using DNSSEC

This may be an obvious question but I will ask anyway.. :)

I want to change the name of the server
from
old.zone1.com
to
new.zone2.com

IP Address - no change

- change soa in master zone files
- work with slaves to make sure named.conf are correct

Other than that are there any gotchas.. ??

I am wondering if I will have to "unsign" my zones
and the upload new keysets to the registrar.

To do a graceful transition to a new nameserver you should:

* Commission the new nameserver.
* Add the new address records and wait for them to propagate to
   all authoritative servers and any cached negative responses for
   them to expire.
* Add the NS record for the new nameserver.
* Update the parent zone to ADD the new nameserver and glue.
* Wait for the old NS RRset and referrals to expire from caches.
* Remove the NS record for the old nameserver.
* Update the parent zone to REMOVE the old nameserver and glue.
* Wait for the intermediate NS RRset and referrals to expire from caches.
* Remove the old address records if they are no longer required.
* Decommission the old nameserver.

As the addresses of the new and old nameservers are the same you
can shorten this process a little.

* Add the new address records and wait for them to propagate to
   all authoritative servers and any cached negative responses for
   them to expire.
* Update the NS RRset
  + Add the NS record for the new nameserver.
  + Remove the NS record for the old nameserver.
* Update the parent zone
  + Update the parent zone to ADD the new nameserver and glue.
  + Update the parent zone to REMOVE the old nameserver and glue.
* Wait for the old NS RRset and referrals to expire from caches.
* Remove the old address records if they are no longer required.

In all cases you re-sign the zone whenever you make changes to it.


Thx
CT

Mark,
Thank you for your very succinct response..

Exactly what I needed..

CT


Split PTR zone (internal and external)

2011-07-28 Thread CT

I am wondering what might be a good "workaround" for this
legacy setup...

Will do my best to explain..

IP Space
- 1 Class B Global Unique (used Externally and Internally)
- 1 Class B RFC1918

DNS Setup

External DNS (Linux - Bind 9.8.x)
- example-ext.com DNS domain
- authoritative for PTR Global Unique

Mid Tier DNS  (Linux - Bind 9.8.x)
- Mixture of Class B Global and RFC 1918
- not accessible "from the Internet"
- forwards all RFC 1918 PTR to the Internal DNS
- can resolve any Internal / External A records

Internal DNS(MS DNS - w/DDNS)
- only internal DNS zones (i.e. inside.example.com)
- MS DNS use Mid Tier DNS for "external" name resolution (i.e. isc.org)
- Has the *same* Global Unique Class B PTR as the External DNS
**

Scenario

- internal hosts using the Internal DNS can not resolve  External PTR
for example-ext.com. since a valid PTR zone already exists..

The only solution that I have come up with is to manually
put the "external" PTR records in the AD PTR Zone file.

Not sure if there is a resolution to do in MS DNS but will ask the same
question in that group.  Wanted to start here..

Thx
CT



Re: Split PTR zone (internal and external)

2011-07-28 Thread CT

On 7/28/2011 4:58 PM, Kevin Darcy wrote:

On 7/28/2011 12:26 PM, CT wrote:

I am wondering what might be a good "workaround" for this
legacy setup...

Will do my best to explain..

IP Space
- 1 Class B Global Unique (used Externally and Internally)
- 1 Class B RFC1918

DNS Setup

External DNS (Linux - Bind 9.8.x)
- example-ext.com DNS domain
- authoritative for PTR Global Unique

Mid Tier DNS  (Linux - Bind 9.8.x)
- Mixture of Class B Global and RFC 1918
- not accessible "from the Internet"
- forwards all RFC 1918 PTR to the Internal DNS
- can resolve any Internal / External A records

Internal DNS(MS DNS - w/DDNS)
- only internal DNS zones (i.e. inside.example.com)
- MS DNS use Mid Tier DNS for "external" name resolution (i.e. isc.org)
- Has the *same* Global Unique Class B PTR as the External DNS
**

Scenario

- internal hosts using the Internal DNS can not resolve  External PTR
for example-ext.com. since a valid PTR zone already exists..

The only solution that I have come up with is to manually
put the "external" PTR records in the AD PTR Zone file.

Not sure if there is a resolution to do in MS DNS but will ask the same
question in that group.  Wanted to start here..
Delegate out the relevant /24 ranges as subzones of your main /16 
in-addr.arpa zone. Define only the internal reverse subzones in your 
"Internal DNS" and then use slave/stub/forward to resolve all of the 
external ones.



- Kevin



Much Thanks..
I will see if the /16 can be delegated out..

CT


forward question

2011-08-31 Thread CT

We have a public DNS in our DMZ

- Some of the servers in the DMZ provide certain services to services on 
the inside.
- Currently, certain servers use the Internal AD DNS Servers for resolution
on a internal DNS domain to provide the services via firewall rules.

I would like all DMZ clients to use the Public DNS and "forward" the 
internal DNS queries to the Internal AD DNS servers.

zone transfer to the Public DNS from Internal DNS is not an option..

*
zone "internal.zone" in {
type forward;
forwarders {
xxx.xxx.xxx.1;  // ad server 1
xxx.xxx.xxx.2; // ad server 2
};
};
*****
Thx
CT




Re: forward question

2011-09-01 Thread CT



Hello,

Do add "forward only;" to this zone statement.

Is this name server available/visible to the Internet ?
-->  add "allow-query" statement to limit who can query for your internal
zone.

Kind regards,

Marc Lampo
Security Officer
EURid



-Original Message-
From: CT [mailto:gro...@obsd.us]
Sent: 31 August 2011 11:17 PM
To: bind-users@lists.isc.org
Subject: forward question

We have a public DNS in our DMZ

- Some of the servers in the DMZ provide certain services to services on
the inside.
- Currently, certain servers use the Internal AD DNS Servers for
resolution on a internal DNS domain to provide the services via firewall rules.

I would like all DMZ clients to use the Public DNS and "forward" the
internal DNS queries to the Internal AD DNS servers.

zone transfer to the Public DNS from Internal DNS is not an option..

*
zone "internal.zone" in {
  type forward;
  forwarders {
  xxx.xxx.xxx.1;  // ad server 1
  xxx.xxx.xxx.2; // ad server 2
      };
};
*
Thx
CT




Marc,
Thanks for the reply..

The Internal AD DNS is not visible to the Internet
and does not do queries directly to the Internet.

The Public DNS does allow recursion for the subnets in the DMZ via acl.

the allow-query statement does not work in a forward zone
-
checking named.conf
/etc/namedb/named.conf:72: option 'allow-query' is not allowed in 
'forward' zone 'internal.zone'

 now running rndc reload
rndc: 'reload' failed: failure


From all the searching, it seems the forward statement should work..

ns.example.com = Public DNS
ns.internal.example.com = Internal DNS

successful dig.. - PTR also successful.

-
-
r...@ns.example.com dig @192.168.100.1 internal-host.internal.example.com

; <<>> DiG 9.8.0-P4 <<>> @192.168.100.1 internal-host.internal.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21754
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;internal-host.internal.example.com.    IN      A

;; ANSWER SECTION:
internal-host.internal.example.com. 3600 IN     A       172.25.231.242

;; Query time: 0 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Thu Sep  1 06:56:27 2011
;; MSG SIZE  rcvd: 55
-
-

CT


Re: forward question

2011-09-01 Thread CT

On 09/01/2011 07:59 AM, Vbvbrj wrote:

I had the same question a while ago. Using bind with forward only to an
AD DNS will lead to errors for the infrastructure, because BIND's caching
cannot be disabled for this forwarded zone. Also BIND does not redirect
all update queries to AD DNS, while in an AD environment updates are
made very often. So it is better to use this BIND as a secondary zone, not as
a forward zone.

so did you end up setting up a slave zone (for the internal AD DNS) on 
your public DNS server ?



Re: forward question

2011-09-02 Thread CT

On 09/01/2011 11:53 PM, Vbvbrj wrote:

On 01.09.2011 19:01, CT wrote:
so did you end up setting up a slave zone (for the internal AD DNS) 
on your public DNS server ?


No, for now I just left the AD DNS (Microsoft DNS) instead of BIND. I 
didn't have time to move all DNS servers to BIND and make them 
primary/slave for the local zone.



I am still experimenting , if I find something out , I will post back..

best
CT


ZSK pre-publish

2011-10-01 Thread CT

I have a few static zones that I sign via script
keydir = directory for both KSK and ZSK
$zone = zone file
/usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone


Fetching KSK 4054/RSASHA256 from key repository.
Fetching ZSK 36948/RSASHA256 from key repository.
Fetching ZSK 65304/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 2 active, 0 stand-by, 0 revoked



My question is that both zsk's are published, how do I make 1 standby

Thx
CT




Re: ZSK pre-publish

2011-10-01 Thread CT



I have a few static zones that I sign via script
keydir = directory for both KSK and ZSK
$zone = zone file
/usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone


Fetching KSK 4054/RSASHA256 from key repository.
Fetching ZSK 36948/RSASHA256 from key repository.
Fetching ZSK 65304/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 2 active, 0 stand-by, 0 revoked



My question is that both zsk's are published, how do I make 1 standby

Thx
CT



To be more specific , can I do this with the dnssec-signzone tool versus a
$include/stand-by-key
in the zone file
Thx
CT


Re: ZSK pre-publish

2011-10-01 Thread CT

On 10/01/2011 04:40 AM, Matthew Seaman wrote:

On 01/10/2011 09:25, CT wrote:

I have a few static zones that I sign via script
keydir = directory for both KSK and ZSK
$zone = zone file
/usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone


Fetching KSK 4054/RSASHA256 from key repository.
Fetching ZSK 36948/RSASHA256 from key repository.
Fetching ZSK 65304/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
   ZSKs: 2 active, 0 stand-by, 0 revoked


My question is that both zsk's are published, how do I make 1 standby

To be more specific , can I do this with the dnssec-signzone tool versus a
$include/stand-by-key
in the zone file

The trick is to use dnssec-settime modify the dates built into your key
by dnssec-keygen.  Or equivalently to use dnssec-keygen with appropriate
flags to set the 'Activate' date (not to mention Inactive and Delete)
some time in the future.

So --- this key is active now:

% dnssec-settime -p all Kinfracaninophile.co.uk.+005+04664.private
Created: Sat Aug 13 07:40:28 2011
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct  8 07:40:28 2011
Delete: Sat Oct  8 07:40:28 2011

but this key is only published and will activate in a week:

% dnssec-settime -p all Kinfracaninophile.co.uk.+005+44132.private
Created: Sat Sep 10 09:01:24 2011
Publish: Thu Jan  1 01:00:00 1970
Activate: Sat Oct  8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov  5 08:01:24 2011
Delete: Sat Nov  5 08:01:24 2011

dnssec-signzone will grok all the built-in dates and do the right thing
when you sign the zone.

Cheers,

Matthew




Matthew..
I have never used dnssec-settime before..
Thank you ..
CT
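To see what those timing fields do in practice, here is an added example (not code from the post, from Matthew's setup or from ISC) that parses the two "dnssec-settime -p all" listings quoted above and classifies each key at a chosen instant the way dnssec-signzone -S treats it: in the DNSKEY RRset while Publish <= now < Delete, used for signing while Activate <= now < Inactive. The state labels and the three instants examined are the example's own assumptions; the listings are embedded as constructed sample input.

```python
"""Classify BIND DNSSEC keys by the timing metadata dnssec-settime prints.

Added example for the thread above, not code from the post, from Matthew's
setup or from ISC.  It parses the two 'dnssec-settime -p all' listings
quoted above (embedded as constructed sample input) and reports, for a
chosen instant, which keys dnssec-signzone -S puts in the DNSKEY RRset and
which it signs with.  The state labels and the instants are the example's own.
"""
from datetime import datetime

# Constructed sample input: the two listings from the thread, copied verbatim.
LISTINGS = {
    "04664": """\
Created: Sat Aug 13 07:40:28 2011
Publish: Sat Aug 13 07:40:28 2011
Activate: Sat Sep 10 07:40:28 2011
Revoke: UNSET
Inactive: Sat Oct  8 07:40:28 2011
Delete: Sat Oct  8 07:40:28 2011
""",
    "44132": """\
Created: Sat Sep 10 09:01:24 2011
Publish: Thu Jan  1 01:00:00 1970
Activate: Sat Oct  8 09:01:24 2011
Revoke: UNSET
Inactive: Sat Nov  5 08:01:24 2011
Delete: Sat Nov  5 08:01:24 2011
""",
}
TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")

# Instants examined below (assumed): the day of the thread, the window between
# the old key's Delete and the new key's Activate, and a week after the rollover.
THREAD_DATE = datetime(2011, 10, 1, 12, 0, 0)
ROLLOVER_WINDOW = datetime(2011, 10, 8, 8, 0, 0)
AFTER_ROLLOVER = datetime(2011, 10, 15, 12, 0, 0)

def parse_settime(text):
    """{field: datetime or None} from 'dnssec-settime -p all' output, which
    prints local time in ctime(3) layout and UNSET for an absent date."""
    times = {}
    for line in text.splitlines():
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field in TIMING_FIELDS:
            times[field] = (None if value == "UNSET" else
                            datetime.strptime(value, "%a %b %d %H:%M:%S %Y"))
    return times

def key_state(times, now):
    """One key's state at `now` under smart signing: in the DNSKEY RRset while
    Publish <= now < Delete, used to sign while Activate <= now < Inactive."""
    def passed(field):
        t = times.get(field)
        return t is not None and t <= now
    if passed("Delete"):
        return "deleted"          # removed from the DNSKEY RRset
    if not passed("Publish"):
        return "unpublished"      # not in the zone yet
    if not passed("Activate"):
        return "published-only"   # in DNSKEY but not signing: the pre-published stand-by
    if passed("Inactive"):
        return "retired"          # still in DNSKEY, no longer signing
    return "active"

def signing_plan(keys, now):
    """(tags in the DNSKEY RRset, tags used to sign) at `now`."""
    published, signing = [], []
    for tag, times in sorted(keys.items()):
        state = key_state(times, now)
        if state in ("published-only", "active", "retired"):
            published.append(tag)
        if state == "active":
            signing.append(tag)
    return published, signing

def zsk_summary(keys, now):
    """The counts dnssec-signzone prints on its 'ZSKs:' line; a key that is
    in the zone but not signing is what it calls stand-by."""
    states = [key_state(t, now) for t in keys.values()]
    return "ZSKs: %d active, %d stand-by" % (
        states.count("active"), states.count("published-only") + states.count("retired"))

def retirement_gap(times):
    """Time a key stays in DNSKEY after it stops signing.  Zero means RRSIGs
    it made can still be cached with no key left to validate them."""
    return times["Delete"] - times["Inactive"]

KEYS = {tag: parse_settime(text) for tag, text in LISTINGS.items()}

if __name__ == "__main__":
    for when in (THREAD_DATE, ROLLOVER_WINDOW, AFTER_ROLLOVER):
        print(when, signing_plan(KEYS, when), zsk_summary(KEYS, when))
    for tag in KEYS:
        print(tag, "stays published after Inactive for", retirement_gap(KEYS[tag]))
```

On the thread's date the plan is the one Matthew describes: 04664 signs, 44132 is published only, and the summary line reads "ZSKs: 1 active, 1 stand-by". Two things the listed dates imply are worth checking in any such setup. Both keys have Inactive equal to Delete, so each leaves the DNSKEY RRset at the moment it stops signing, while RRSIGs it made can sit in caches for up to their TTL with no key to validate them; keep the old key published for at least the largest TTL it signed plus propagation time. And the old key's Delete (Oct 8 07:40:28) comes before the new key's Activate (09:01:24), so for those 81 minutes signing_plan() reports no active ZSK at all and a signing run in that window would have nothing to sign with; giving the successor the same Activate as the predecessor's Inactive closes that gap.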

zone syntax question

2010-07-14 Thread CT

old zone file
---
$ORIGIN .
$TTL 3600
example.com   IN SOA  ns.example.com. root.example.com (
              2010071402 ; serial
              10800      ; refresh (3 hours)
              3600       ; retry (1 hour)
              345600     ; expire (4 days)
              86400      ; minimum (1 day)
              )
              NS    example.com.

$ORIGIN example.com.
              A     192.168.1.1
              MX    10 ns.example.com.
www           CNAME example.com.
-

proposed new file
-
$TTL 3600
example.com.  IN SOA  ns.example.com. root.example.com (
              2010071403  ; serial
              3h          ; refresh
              1h          ; retry
              1w          ; expire
              1h          ; ncache
              )
              IN  NS    ns.example.com.
              IN  MX    10 ns.example.com.

;localhost    IN  A     127.0.0.1
              IN  A     192.168.1.1
www           CNAME     example.com.


My question: will my proposed setup work on the "old bind" version, and
is it syntactically correct?

Thx
Charles
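Whether the proposed file loads is something named-checkzone answers directly, but the one place where the two files differ in meaning is how relative names are completed, and that is worth seeing worked through. The following is an added example (not code from the post or from ISC) that applies the master-file name rules to both files, embedded here as constructed sample input with the whitespace normalised. The origin handed to parse_zone() stands for the zone name from the named.conf zone statement, which is the only origin a file without a $ORIGIN directive has; quoted strings, $INCLUDE, $GENERATE and the name fields of other record types are not handled, since these two files do not use them.

```python
"""Qualify relative names in a BIND master file the way named does.

Added example for the zone-file question above, not code from the post or
from ISC.  Both files quoted above are embedded as constructed sample input
(whitespace normalised).  The origin given to parse_zone() stands for the
zone name in named.conf, the only origin a file without $ORIGIN has.
"""
import re

OLD_ZONE = """\
$ORIGIN .
$TTL 3600
example.com IN SOA ns.example.com. root.example.com (
        2010071402 ; serial
        10800      ; refresh (3 hours)
        3600       ; retry (1 hour)
        345600     ; expire (4 days)
        86400 )    ; minimum (1 day)
        NS  example.com.
$ORIGIN example.com.
        A   192.168.1.1
        MX  10 ns.example.com.
www     CNAME example.com.
"""

NEW_ZONE = """\
$TTL 3600
example.com. IN SOA ns.example.com. root.example.com (
        2010071403 ; serial
        3h         ; refresh
        1h         ; retry
        1w         ; expire
        1h )       ; ncache
        IN NS  ns.example.com.
        IN MX  10 ns.example.com.
;localhost IN A 127.0.0.1
        IN A   192.168.1.1
www     CNAME  example.com.
"""

# rdata positions that hold domain names, for the types these files use
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,)}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)

def qualify(name, origin):
    """'@' is the origin, a trailing dot is absolute, anything else gets the
    current origin appended (RFC 1035 section 5.1)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin

def logical_lines(text):
    """Yield (owner_omitted, tokens) per record, comments stripped and
    parenthesised continuation lines joined."""
    buf, depth, owner_omitted = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            owner_omitted = line[0].isspace()   # blank owner field
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield owner_omitted, " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf, depth = [], 0

def parse_zone(text, zone_origin):
    """Return [(owner, type, rdata)] with every name field fully qualified."""
    origin, last_owner, records = qualify(zone_origin, "."), None, []
    for owner_omitted, tokens in logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
        if tokens[0].startswith("$"):           # $ORIGIN handled, $TTL irrelevant here
            continue
        # a blank owner field reuses the previous owner; otherwise qualify it
        owner = last_owner if owner_omitted else qualify(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (TTL_RE.match(tokens[0]) or tokens[0].upper() in CLASSES):
            tokens.pop(0)                        # optional TTL and class precede the type
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, rtype, rdata))
    return records

def doubled_origin(records, zone_origin):
    """Names that got the origin appended twice: a relative name written
    without its trailing dot, the classic master-file mistake."""
    o = qualify(zone_origin, ".")
    names = [n for owner, rtype, rdata in records
             for n in [owner] + [rdata[i] for i in NAME_FIELDS.get(rtype, ())]]
    return [n for n in names if n.endswith(o[:-1] + "." + o)]

if __name__ == "__main__":
    for label, text in (("old", OLD_ZONE), ("proposed", NEW_ZONE)):
        recs = parse_zone(text, "example.com")
        print(label, recs[0], doubled_origin(recs, "example.com"))
```

Run on the two files it shows why the old one could get away with a bare "root.example.com" in the SOA: the "$ORIGIN ." line made that name absolute. The proposed file drops the directive, so the same RNAME becomes root.example.com.example.com. (doubled_origin() lists it), while the records with a blank owner field still inherit example.com. correctly. A trailing dot on root.example.com. fixes it, and named-checkzone will not catch it, because the doubled name is a perfectly legal one; named-checkzone will, however, warn that NS ns.example.com. has no address records (A or AAAA) in the proposed file, since neither file defines an A record for ns.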


dnssec-keymgr

2018-10-18 Thread CT

All, there is not much on the subject other than a few posts; I didn't
find anything in my last ARM search either.

Thx
CT


Re: dnssec-keymgr

2018-10-18 Thread CT

I have a working test box based on:
http://bind-users-forum.2342410.n4.nabble.com/Automatic-Key-Management-td4317.html
https://kb.isc.org/docs/aa-00711

It appears that dnssec-keymgr will keep track of the ZSK keys, but I
will need to re-sign the zone on changes or weekly.
My current ZSK creation script doesn't always get the timing correct.

The current box uses dnssec-signzone,
/usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K private example.net
via a script that changes the serial number and re-signs the zone.

Is it better to use rndc?

rndc loadkeys example.net
rndc signing -nsec3param 1 0 10 03F92714 example.net.

Thx
CT

On 10/18/18 12:05 PM, CT wrote:

All, there is not much on the subject other than a few posts; I didn't
find anything in my last ARM search either.

Thx
CT


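Getting the timing right, which this thread mentions as the weak spot of a home-grown ZSK creation script and which the ZSK pre-publish thread above asked about, comes down to one piece of arithmetic. The following is an added example (not code from either post, from ISC or from dnssec-keymgr) that derives a successor ZSK's Publish/Activate/Inactive/Delete dates from the zone's TTLs, the propagation delay and the script's re-signing interval, checks an existing pair of keys against the same rules, and prints the dnssec-keygen and dnssec-settime invocations. The TTLs, intervals, zone name, key directory, key size and the key file name Kexample.net.+008+04664 are assumptions; the -K/-a/-b/-P/-A/-I/-D options and the YYYYMMDDHHMMSS time syntax are the tools' real ones, and the two example keys from the pre-publish thread are reused as constructed input for the check.

```python
"""Pre-publish ZSK rollover dates for dnssec-keygen and dnssec-settime.

Added example for the ZSK pre-publish and dnssec-keymgr threads above, not
code from the posts, from ISC or from dnssec-keymgr.  The TTLs, intervals,
zone name, key directory, key size and key file name are assumptions; the
-K/-a/-b/-P/-A/-I/-D options and the YYYYMMDDHHMMSS (UTC) time syntax are
the tools' real ones.  The arithmetic follows RFC 6781 section 4.1.1.1: the
new DNSKEY must have been visible for a DNSKEY TTL before it signs anything,
and the old key must stay published until every RRSIG it made can have left
caches.
"""
from datetime import datetime, timedelta

# Assumed operational parameters.
DNSKEY_TTL = timedelta(hours=1)      # TTL of the DNSKEY RRset
MAX_RRSIG_TTL = timedelta(days=1)    # longest TTL of any record the ZSK signs
PROPAGATION = timedelta(hours=2)     # worst case until every secondary serves a new zone
RESIGN_INTERVAL = timedelta(days=7)  # how often the script runs dnssec-signzone
LIFETIME = timedelta(days=28)        # how long each ZSK signs
# Inactive date of the key being replaced (the 04664 key listed in the ZSK thread).
OLD_INACTIVE = datetime(2011, 10, 8, 7, 40, 28)
# The two keys from that thread, for check_schedule(): Inactive equals Delete,
# and the successor activates after the predecessor stops signing.
THREAD_OLD = {"Inactive": OLD_INACTIVE, "Delete": OLD_INACTIVE}
THREAD_NEW = {"Publish": datetime(1970, 1, 1, 1, 0, 0),
              "Activate": datetime(2011, 10, 8, 9, 1, 24)}

def bind_time(t):
    """Absolute time in the form dnssec-keygen/dnssec-settime accept."""
    return t.strftime("%Y%m%d%H%M%S")

def pre_publish_interval():
    """Publish to Activate: the next signing run (up to RESIGN_INTERVAL away)
    puts the new DNSKEY in the zone, PROPAGATION gets it to every server, and
    one DNSKEY_TTL later no cache still holds a DNSKEY RRset without it."""
    return RESIGN_INTERVAL + PROPAGATION + DNSKEY_TTL

def post_retire_interval():
    """Inactive to Delete: the old key's RRSIGs may be served until the next
    signing run plus PROPAGATION, then cached for up to MAX_RRSIG_TTL."""
    return RESIGN_INTERVAL + PROPAGATION + MAX_RRSIG_TTL

def rollover_schedule(old_inactive):
    """Timing fields for the successor ZSK plus the Delete date the old key needs."""
    activate = old_inactive                      # no instant without an active ZSK
    return {
        "Publish": activate - pre_publish_interval(),
        "Activate": activate,
        "Inactive": activate + LIFETIME,
        "Delete": activate + LIFETIME + post_retire_interval(),
        "OldDelete": old_inactive + post_retire_interval(),
    }

def check_schedule(old, new):
    """Problems with an existing pair of keys as (code, amount) tuples;
    `old` needs Inactive/Delete and `new` needs Publish/Activate."""
    problems = []
    short = pre_publish_interval() - (new["Activate"] - new["Publish"])
    if short > timedelta(0):
        problems.append(("short-pre-publish", short))
    if new["Activate"] > old["Inactive"]:
        problems.append(("signing-gap", new["Activate"] - old["Inactive"]))
    short = post_retire_interval() - (old["Delete"] - old["Inactive"])
    if short > timedelta(0):
        problems.append(("early-delete", short))
    return problems

def keygen_command(zone, sched, keydir="keys"):
    """dnssec-keygen line that creates the successor with its dates built in."""
    return ("dnssec-keygen -K %s -a RSASHA256 -b 2048 -P %s -A %s -I %s -D %s %s"
            % (keydir, bind_time(sched["Publish"]), bind_time(sched["Activate"]),
               bind_time(sched["Inactive"]), bind_time(sched["Delete"]), zone))

def settime_command(old_keyfile, sched, keydir="keys"):
    """dnssec-settime line that moves the old key's Delete past its retirement."""
    return "dnssec-settime -K %s -D %s %s" % (keydir, bind_time(sched["OldDelete"]), old_keyfile)

if __name__ == "__main__":
    sched = rollover_schedule(OLD_INACTIVE)
    print(keygen_command("example.net", sched))
    print(settime_command("Kexample.net.+008+04664", sched))   # made-up key file name
    for code, amount in check_schedule(THREAD_OLD, THREAD_NEW):
        print(code, amount)
```

Because dnssec-signzone -S reads the dates from the key files, nothing in the signing script changes once the successor exists: it only has to keep running at least once per RESIGN_INTERVAL, and -S then publishes, signs with and drops each key on schedule. Applied to the two keys from the pre-publish thread, check_schedule() reports a signing gap of 1:20:56 and an early delete of the full retirement interval, which is exactly the kind of slip a hand-written creation script makes and what dnssec-keymgr, per the thread above, takes over; the re-signing step itself still has to be run.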


SELinux / bind conflict

2009-09-11 Thread Andrews, Harold G CTR USAF HQ AF GCIC/CT
Hello,

I'm having a bit of difficulty setting up bind on FC11 (x64) which I'm
using in a standalone network environment (i.e. no external network
connectivity; essentially a closed dev network).  I loaded the package
from Red Hat and started it running as a service after building my zone
files and /etc/named.conf.  I'm not using chroot, just vanilla bind.
I've read a number of posts about conflicts with bind and SELinux which
seems to be the issue here.  When I set the named_write_master_zones
flag in SELinux, any actions related to starting or stopping the named
service seem to set the flag back to false.

> restorecon -R -v /var/named
> setsebool -P named_write_master_zones=1

Message log entry:

Sep 11 17:13:11 netmgr setsebool: The named_write_master_zones policy boolean was changed to 1 by root

> service named restart

Message log entries:

Sep 11 17:13:19 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Sep 11 17:13:19 netmgr named[3198]: received control channel command 'stop'
Sep 11 17:13:19 netmgr named[3198]: shutting down: flushing changes
Sep 11 17:13:19 netmgr named[3198]: stopping command channel on 127.0.0.1#953
Sep 11 17:13:19 netmgr named[3198]: stopping command channel on ::1#953
Sep 11 17:13:19 netmgr named[3198]: no longer listening on 127.0.0.1#53
Sep 11 17:13:19 netmgr named[3198]: no longer listening on 192.168.2.0#53
Sep 11 17:13:19 netmgr named[3198]: no longer listening on ::1#53
Sep 11 17:13:19 netmgr named[3198]: exiting
Sep 11 17:13:20 netmgr named[3270]: starting BIND 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 -u named
Sep 11 17:13:20 netmgr named[3270]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Sep 11 17:13:20 netmgr named[3270]: adjusted limit on open files from 1024 to 1048576
Sep 11 17:13:20 netmgr named[3270]: found 4 CPUs, using 4 worker threads
Sep 11 17:13:20 netmgr named[3270]: using up to 4096 sockets
Sep 11 17:13:20 netmgr named[3270]: loading configuration from '/etc/named.conf'
Sep 11 17:13:20 netmgr named[3270]: using default UDP/IPv4 port range: [1024, 65535]
Sep 11 17:13:20 netmgr named[3270]: using default UDP/IPv6 port range: [1024, 65535]
Sep 11 17:13:20 netmgr named[3270]: listening on IPv4 interface lo, 127.0.0.1#53
Sep 11 17:13:20 netmgr named[3270]: listening on IPv4 interface eth0, 192.168.2.0#53
Sep 11 17:13:20 netmgr named[3270]: listening on IPv6 interface lo, ::1#53
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 127.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 254.169.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: D.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 8.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 9.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: A.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: B.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: command channel listening on 127.0.0.1#953
Sep 11 17:13:20 netmgr named[3270]: command channel listening on ::1#953
Sep 11 17:13:20 netmgr named[3270]: the working directory is not writable
Sep 11 17:13:20 netmgr named[3270]: zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 0.in-addr.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone 2.168.192.in-addr.arpa/IN: NS 'netmgr.2.168.192.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 2