Bind-9.7.2-P2 install fails

2010-09-28 Thread michael
Hello,

Trying to upgrade to Bind-9.7.2-P2 on an older Linux system.

Can't locate warnings.pm in @INC (@INC contains:
/usr/lib/perl5/5.00503/i386-linux /usr/lib/perl5/5.00503
/usr/lib/perl5/site_perl/5.005/i386-linux
/usr/lib/perl5/site_perl/5.005 .) at ./bindkeys.pl line 20.
BEGIN failed--compilation aborted at ./bindkeys.pl line 20.
make[2]: *** [bind.keys.h] Error 2
make[2]: Leaving directory `/home/src/bind-9.7.2/bin/named'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/home/src/bind-9.7.2/bin'
make: *** [subdirs] Error 1

Ideas are most appreciated.

Thanks,

Michael...
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Bind-9.7.2-P2 install fails

2010-09-28 Thread michael
On Tue, Sep 28, 2010 at 6:10 PM, michael  wrote:
> Hello,
>
> On Tue, Sep 28, 2010 at 6:01 PM, fakessh  wrote:
>> On Wednesday 29 September 2010 at 02:34, michael wrote:
>>
>> perl 5.00503 is a very old version of perl;
>> it's probably buggy.
>> Try to upgrade to perl 5.6, or else try to compile a new perl 5.6.
>>
>> 
>
>
> Thanks for your reply.  The current version 9.6.2 which was also an
> upgrade from numerous older versions through the years went fine.  I
> am hoping not to have to upgrade to a newer perl.
>
> Thanks,
>
> Michael...
>
>>
>> --
>> gpg --keyserver pgp.mit.edu --recv-key 092164A7


Re: Bind-9.7.2-P2 install fails

2010-09-28 Thread michael
Hello Mark,

Thanks for the reply!

I will try in a few hours --with-make-clean=no

Thanks,

Michael...

On Tue, Sep 28, 2010 at 6:47 PM, Mark Andrews  wrote:
>
> In message, michael writes:
>> > Thanks for your reply.  The current version 9.6.2 which was also an
>> > upgrade from numerous older versions through the years went fine.  I
>> > am hoping not to have to upgrade to a newer perl.
>
> You can tell configure not to do the "make clean" (--with-make-clean=no)
> or apply this patch to bind-9.7.2-P2/bin/named/Makefile.in.
>
> Mark
>
> Index: Makefile.in
> ===
> RCS file: /proj/cvs/prod/bind9/bin/named/Makefile.in,v
> retrieving revision 1.111
> diff -u -r1.111 Makefile.in
> --- Makefile.in 20 Jun 2010 23:46:44 -      1.111
> +++ Makefile.in 29 Sep 2010 01:29:12 -
> @@ -143,7 +143,10 @@
>        rm -f ${MANOBJS}
>
>  clean distclean maintainer-clean::
> -       rm -f ${TARGETS} ${OBJS} bind.keys.h
> +       rm -f ${TARGETS} ${OBJS}
> +
> +maintainer-clean::
> +       rm -f bind.keys.h
>
>  bind9.xsl.h: bind9.xsl ${srcdir}/convertxsl.pl
>        ${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
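Review bot: this only sidesteps the failure when a pre-generated bind.keys.h is already in the tree; on a fresh or maintainer-cleaned tree, or whenever bind.keys is newer than the header, the bind.keys.h rule still runs bindkeys.pl and still dies on perl 5.005 with the `Can't locate warnings.pm` error quoted above, so the root cause (the `use warnings` at line 20 of bindkeys.pl) is untouched. If the generator is meant to support perls older than 5.6, replacing that line with `$^W = 1;` fixes the build without changing the Makefile at all. Because this header carries the compiled-in default trust anchors, the change should also come with a check that the bind.keys.h rule depends on bind.keys, so that a `distclean` followed by a rebuild cannot quietly keep an outdated set of keys, and the commit message should say that `make distclean` now leaves a generated file behind.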
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
>


Re: Bind-9.7.2-P2 install fails

2010-09-28 Thread michael
Hello Mark,

On Tue, Sep 28, 2010 at 6:53 PM, michael  wrote:
> Hello Mark,
>
> Thanks for the reply!
>
> I will try in a few hours --with-make-clean=no
>
> Thanks,
>
> Michael...

Success!

Thanks for the answer as well as many years of a great product!!

Michael...



Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Michael Richardson

E R  wrote:
> I am planning on implementing the current version of BIND to replace the
> aging, undocumented authoritative servers I inherited.  I want to hide the
> primary server on our internal network and have two secondary servers be
> publicly available.  While reading the DNSSEC Guide
> recipes
> it seems to imply that I cannot have a hidden primary that handles all the
> DNSSEC stuff.

Many people do exactly that.
Check out the: “Bump in the Wire” Signing section.

In my opinion, this is the best way to do things, and the in-place signing is
just a total pain.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
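The "bump in the wire" layout Michael points at, written out as an added example of my own rather than the recipe from the DNSSEC Guide. The three fragments are from three different hosts; the zone name, the `default` policy, and the addresses (documentation ranges: 10.0.0.10 hidden primary, 10.0.0.11 signer, 192.0.2.53 and 198.51.100.53 public secondaries) are all assumed.

```conf
// --- hidden primary (10.0.0.10): holds the unsigned zone, is NOT in the NS RRset ---
options {
    listen-on { 10.0.0.10; };
    allow-query { 10.0.0.11; };          // only the signer ever needs an answer from it
    allow-transfer { 10.0.0.11; };
    notify explicit;
    also-notify { 10.0.0.11; };
};
zone "example.com" {
    type primary;
    file "example.com.zone";             // edited by hand or via nsupdate, never signed here
};

// --- signer (10.0.0.11): secondary of the hidden primary, signs on the fly,
//     and is the transfer source for the public servers (also NOT in the NS RRset) ---
options {
    listen-on { 10.0.0.11; };
    allow-transfer { 192.0.2.53; 198.51.100.53; };
    notify explicit;
    also-notify { 192.0.2.53; 198.51.100.53; };
};
zone "example.com" {
    type secondary;
    primaries { 10.0.0.10; };
    file "example.com.unsigned";
    dnssec-policy "default";             // the private keys exist only on this host
    inline-signing yes;                  // signed copy is kept apart from the transferred data
};

// --- public secondaries (192.0.2.53, 198.51.100.53): the only names in the NS RRset ---
zone "example.com" {
    type secondary;
    primaries { 10.0.0.11; };
    file "example.com.signed";
};
```

The hiding is done by the ACLs on 10.0.0.10 and by leaving both 10.0.0.10 and 10.0.0.11 out of the NS RRset; the signer is where the private keys live, so it deserves the same isolation as the hidden primary. Check the result from outside with `dig @192.0.2.53 example.com SOA +dnssec`, and confirm that the DS published at the parent matches what `rndc dnssec -status example.com` reports on the signer.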


Re: Finding dnssec validation failures in the logs

2023-01-24 Thread Michael Richardson

John Thurston  wrote:
> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am
> writing "category dnssec" to a log file at "severity info;"  When I look in
> the resulting log file, I'm guessing that lines like this:

> validating com/SOA: got insecure response; parent indicates it should be
> secure

> Are an indication I have a problem I should investigate.

Maybe.
It could be that DNSSEC is simply defending you against attackers who are
trying to race insecure answers to your queries in the belief that "nobody validates".

If it were systematic (every query, every query to some servers...) then you
should suspect that there is an on-path attacker modifying the responses.
That's unlikely in general, but it's why we have DNSSEC.
It could also be the result of corrupted packets that survive the UDP
checksum, or which go through a middle box that "fixes" that.  Some satellite
systems do that.  I imagine that Alaska might have at least one satellite link.

It doesn't sound like it's systematic, so I think they are off-path
attackers, and it looks like it's queries on .com?

Most likely, there is little you can do.

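The distinction Michael draws, isolated failures (a lost spoofing race or a corrupted packet) versus systematic ones (an on-path modifier or a broken zone), is something you can read straight off the log. The script below is an added example of mine, not anything from the thread or from BIND: it parses lines in the default `print-time`/`print-category`/`print-severity` layout of a `category dnssec` channel and groups the failures per name. The log excerpt is constructed, and the thresholds (`persistent_min`) and the two-label grouping in `zone_of` are assumptions, not BIND behaviour.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of a "category dnssec" channel at severity info.  Not real traffic.
SAMPLE_LOG = """\
24-Jan-2023 10:01:02.118 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
24-Jan-2023 10:01:02.903 dnssec: info: validating example.com/A: no valid signature found
24-Jan-2023 14:37:40.511 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
24-Jan-2023 11:15:09.002 dnssec: info: validating mail.example.org/MX: got insecure response; parent indicates it should be secure
24-Jan-2023 11:20:12.007 dnssec: info: validating mail.example.org/MX: got insecure response; parent indicates it should be secure
24-Jan-2023 11:25:30.011 dnssec: info: validating mail.example.org/MX: got insecure response; parent indicates it should be secure
24-Jan-2023 11:30:44.015 dnssec: info: validating mail.example.org/MX: got insecure response; parent indicates it should be secure
24-Jan-2023 11:35:51.020 dnssec: info: validating mail.example.org/MX: got insecure response; parent indicates it should be secure
24-Jan-2023 11:36:00.000 dnssec: info: validating www.example.org/A: got insecure response; parent indicates it should be secure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"dnssec: \w+: validating (?P<name>\S+)/(?P<rtype>\S+): (?P<msg>.*)$"
)


def parse_dnssec_log(text):
    """Return (timestamp, qname, rtype, message) for each validation-failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
                           m["name"].lower(), m["rtype"], m["msg"]))
    return events


def zone_of(name):
    """Grouping key: the last two labels of the failing name (assumption; not public-suffix aware)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def triage(events, persistent_min=5):
    """Per failing name: 'isolated' (one hit), 'recurring', or 'persistent' (>= persistent_min hits).

    One hit fits the lost-race / corrupted-packet story; a name that fails over and
    over is the case to chase (broken child zone, or something on the path).
    """
    by_name = defaultdict(list)
    for ts, name, rtype, msg in events:
        by_name[name].append((ts, rtype, msg))
    report = {}
    for name, rows in by_name.items():
        times = sorted(r[0] for r in rows)
        n = len(rows)
        verdict = "isolated" if n == 1 else ("persistent" if n >= persistent_min else "recurring")
        report[name] = {"count": n, "first": times[0], "last": times[-1],
                        "messages": Counter(r[2] for r in rows), "verdict": verdict}
    return report


def affected_zones(report):
    """How many distinct failing names each parent zone has: one zone standing out points at that zone."""
    zones = Counter()
    for name in report:
        zones[zone_of(name)] += 1
    return zones


if __name__ == "__main__":
    report = triage(parse_dnssec_log(SAMPLE_LOG))
    for name, info in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{info['verdict']:10} {info['count']:3} {name}  {info['first']:%H:%M}-{info['last']:%H:%M}")
    print(affected_zones(report))
```

At `severity info` you only see the failures, so there is no denominator; if a name comes out as `persistent`, raise the debug level on the `dnssec` category for that resolver (or query the name directly with `dig +dnssec +cd` against the authoritative servers) before concluding anything about the path.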


Re: converting from opendnssec/openhsm?

2023-01-27 Thread Michael Richardson

Can you share a bit about why you want to get out of using
opendnssec/openhsm?

I would regard this as an opportunity to test key rollover with your parent
zone :-)

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



Re: Something other than port 53 is blocking the LAN based BIND9 Servers

2023-03-13 Thread Michael Richardson

Mike Lieberman  wrote:
> The newer router blocks my local BIND servers (ONLY not clients using
> downstream servers) from receiving anything from the Internet. OUR BIND
> servers still have the local networks, but nothing else.

Your explanation is rather obtuse, but I think you mean that your BIND
servers can not do recursive lookups.  Rather than receive/answer
authoritative queries.

Do your queries originate from port-53?  That is not the default anymore, AFAIK.

> The question I need resolved by the proper group/forum is: What port or
> technology is doing the blocking? The ISP has no idea.

No, the ISP probably has no idea.  Might even be their FTTH ONT system.

> I have tried three of the new routers but all blocked my servers. I
> tried a replacement EoL router and that works. Without changing
> anything on the network, other than the physical router, it was like
> flipping a switch.

I assume it's a GPON, and therefore you can't easily tcpdump on the outside
like you can with plain PPPoE with VDSL.



Re: Bind listener to an IPv6 from AnyIP subnet

2023-03-13 Thread Michael Richardson

Serg via bind-users  wrote:
> As an alternative approach I have tried to run with a configuration
> "listen-on-v6 { any; }", but it does behave in a way I need - it binds a
> separate socket for each discovered IP address rather than the wildcard
> address of [::].

Bind needs to bind a new socket for each address so that it can easily know
which address is being communicated with.  While there are newer ways to do
this, they aren't that portable.

What is the problem with binding to all the addresses, if you then filter
which addresses will actually respond?

Many large authoritative resolvers put the anycast address on the lo, and then use
BGP to announce connectivity, and AFAIK, they all just listen on all
addresses, because sometimes you want to ask a specific server a question.



Re: Bind listener to an IPv6 from AnyIP subnet

2023-03-13 Thread Michael Richardson

m...@at.encryp.ch wrote:
> Regarding the usage of [::] - due to usage of firewall I am able to
> block connections to the 53/udp and 53/tcp which are not coming to
> specific IP addresses or ranges, I do not need such filtering
> functionality within bind itself.

Bind doesn't listen to specific sockets because of security.
It does so because of connectivity and plumbing.

I think you are making your life hard for no benefit.



Re: Master file permission denied

2023-06-29 Thread Michael Richardson

Mark Andrews  wrote:
> were wrong and wouldn’t normally be that way.  Something or someone
> changed them.  It may have happened again.  We can’t see what you see

And, AppArmor can turn things into permission denied, which are rather
mysterious.  So, I'd ask for dmesg output too.



Re: BIND 9.18 unable to successfully transfer zone from axfrdns primary

2023-08-31 Thread Michael Sinatra

Right, BIND 9.18 now enforces Section 2.2 of RFC 5936, specifically, this:
   "The AXFR server MUST copy the
   Question section from the corresponding AXFR query message into the
   first response message's Question section.  For subsequent messages,
   it MAY do the same or leave the Question section empty."

There are some older implementations out there that don't do this 
correctly.  I have a vendor supported IPAM implementation, where I have 
gone back to the vendor and quoted the above, and they have fixed the 
implementation.


michael

On 8/31/23 17:34, Ian Bobbitt wrote:
That gets me more information, and I think puts the problem onto 
axfrdns. Thanks.


xfer-in: info: zone example.net/IN: Transfer started.
xfer-in: debug 1: zone example.net/IN: forced reload, requesting AXFR of 
initial version from 198.51.100.1#53
xfer-in: info: transfer of 'example.net/IN' from 198.51.100.1#53: 
connected using 198.51.100.1#53
xfer-in: debug 3: transfer of 'example.net/IN' from 198.51.100.1#53: 
sent request data
xfer-in: debug 3: transfer of 'example.net/IN' from 198.51.100.1#53: 
missing question section
xfer-in: error: transfer of 'example.net/IN' from 198.51.100.1#53: 
failed while receiving responses: FORMERR

xfer-in: debug 1: zone example.net/IN: zone transfer finished: FORMERR
xfer-in: info: transfer of 'example.net/IN' from 198.51.100.1#53: 
Transfer status: FORMERR


Looks like this isn't going to be solvable on my side. 
https://gitlab.isc.org/isc-projects/bind9/-/blob/v9.18.17/lib/dns/xfrin.c?ref_type=tags#L1657-1663


Packet capture confirms that we are indeed not getting a response with 
the question section.


I'm running the same version of dig, on the same system. Interesting 
that dig isn't as strict about this.


-- Ian

On 8/31/23 7:58 PM, Mark Andrews wrote:
Set debug level 3 on the xfrin channel.  There are some debug level 
messages that really should be set to error level in lib/dns/xfrin.c 
on FORMERR.


Also make sure you are running dig from the same version as later 
versions are more strict in parsing responses from the wire.



On 1 Sep 2023, at 09:23, Ian Bobbitt  wrote:

I have a system running BIND 9.18.17 that needs to transfer a zone 
from djbdns/axfrdns. I receive FORMERRs, and haven't been able to get 
any log messages indicating the problem.


xfer-in: info: zone example.net/IN: Transfer started.
xfer-in: info: transfer of 'example.net/IN' from 198.51.100.1#53: 
connected using 192.0.2.1#53
xfer-in: error: transfer of 'example.net/IN' from 198.51.100.1#53: 
failed while receiving responses: FORMERR
xfer-in: info: transfer of 'example.net/IN' from 198.51.100.1#53: 
Transfer status: FORMERR
xfer-in: info: transfer of 'example.net/IN' from 198.51.100.1#53: 
Transfer completed: 0 messages, 0 records, 0 bytes, 0.008 secs (0 
bytes/sec) (serial 0)


This replaced a long obsolete system running 9.8.2 that was able to 
successfully transfer the zone. I can also successfully transfer the 
zone with `dig -t axfr ...` from the new system, which gives no 
errors. named-checkzone on the resulting data also gives no errors, 
and BIND is able to successfully load it as a primary.


How do I go about finding the cause of the FORMERR and resolve it?

-- Ian
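The RFC 5936 rule Michael quotes is easy to check by hand once you can see the question section, which is exactly what the `missing question section` debug line reports. The code below is an added example of mine, not BIND's xfrin logic: it builds minimal DNS messages (header plus question only; the constructed responses carry no answer RRs, since the check never reads past the question) and applies the first-response rule, case-insensitively on the owner name. The `DROP`/`FORMERR` strings are my own labels.

```python
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
FLAG_QR = 0x8000    # response bit
FLAG_AA = 0x0400    # authoritative answer


def encode_name(name):
    """Uncompressed wire-format owner name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed name at offset `off`; returns (name, next_offset)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def build_message(msg_id, flags, question):
    """Header plus an optional question section; no resource records."""
    qdcount = 1 if question else 0
    msg = struct.pack("!HHHHHH", msg_id, flags, qdcount, 0, 0, 0)
    if question:
        name, qtype, qclass = question
        msg += encode_name(name) + struct.pack("!HH", qtype, qclass)
    return msg


def parse_header_and_question(msg):
    """Returns (id, flags, qdcount, question) where question is (lower-cased name, qtype, qclass) or None."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    question = None
    if qd >= 1:
        name, off = decode_name(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        question = (name.lower(), qtype, qclass)
    return msg_id, flags, qd, question


def check_first_axfr_response(query, response):
    """RFC 5936 section 2.2: the first AXFR response MUST carry the query's question section."""
    qid, _, _, q_question = parse_header_and_question(query)
    rid, rflags, rqd, r_question = parse_header_and_question(response)
    if rid != qid:
        return "DROP: message id mismatch"          # not even a reply to our query
    if not rflags & FLAG_QR:
        return "FORMERR: QR bit not set"
    if rqd != 1:
        return "FORMERR: missing question section"  # the axfrdns case in the thread
    if r_question != q_question:
        return "FORMERR: question section does not match the query"
    return "OK"


if __name__ == "__main__":
    query = build_message(0x1234, 0, ("example.net.", QTYPE_AXFR, QCLASS_IN))
    print(check_first_axfr_response(query, build_message(0x1234, FLAG_QR | FLAG_AA, ("Example.NET.", QTYPE_AXFR, QCLASS_IN))))
    print(check_first_axfr_response(query, build_message(0x1234, FLAG_QR | FLAG_AA, None)))
```

The point of the question-section copy is that the client can match the stream to what it asked for; a transfer that answers a different name or class than it was asked for is as wrong as one with no question at all, so the comparison is on the whole (name, type, class) tuple, not just on `qdcount`. Subsequent messages in the same AXFR may legitimately have `qdcount` 0, which is why the check is applied to the first response only.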


Re: Hyperlocal RFC8806 Root Mirror

2023-09-27 Thread Michael Richardson

Silva Carlos  wrote:
> On server A I configured HyperLocal. On Server B I did NOT configure
> HyperLocal.

> I ran the command "dig @localhost EXAMPLES" on both servers.
> EXAMPLES: blabla.sdf.dd or teste.com.eroterrter or world.nanana

> Problem: Both Servers report that "Query Time = 0 ms". I understand that
> Server A should result in 0ms and Server B should have a non-zero time as
> Server B does not have a copy of the Root Zone DB.

> Question: Where am I going wrong? Am I missing some basic principle?

1. Server B could have cached the result already.
   Make sure you start it cold.
2. The query is probably taking between 0ms and 1ms, but rounds down to 0ms.

To be sure, you could tcpdump the network on server B.



Re: Bind forgets my changes with nsupdate

2023-10-06 Thread Michael Richardson

In general, you don't want to mix dynamic update zones with ones that you
want to edit by hand.  I see that you are doing manual DNSSEC signing in your
cron job.

Your choices are:
a) do everything with dynamic update, and turn on automatic DNSSEC management
   in bind9.

b) do your DNSSEC signing inline.
   I blogged poorly about my setup:
   https://www.sandelman.ca/mcr/blog/sysadmin/bind9-dnssec-formula/

c) a mix of the above.
   My solution is not to mix dynamic update with other access.
   Instead, I put in CNAMEs in the signed zone to a sub-zone (or other zone)
   where I do exclusive dynamic update.  This isn't perfect, but it works
   well enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
   certificates.



Re: Bind forgets my changes with nsupdate

2023-10-08 Thread Michael Richardson

201907-b...@planhack.com wrote:
>> My solution is not to mix dynamic update with other access.  Instead,
>> I put in CNAMEs in the signed zone to a sub-zone (or other zone) where
>> I do exclusive dynamic update.  This isn't perfect, but it works well
>> enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
>> certificates.

> Not perfect? What issues did you see? Thanks!

a) there are still a number of situations where systems do not follow CNAMEs when
   they should.  Particularly relating to RFC2317 reverse delegations.

b) using a second zone introduces additional possibilities for DNSSEC to be
   broken.

c) cruft accumulates in the second zone, and some of it does not get deleted.

d) updates to secondaries sometimes take longer than certbot is able to cope with.
   ("up-arrow-return" solves the problem if interactive.  Cron running a week
   later usually works)



Re: How should I configure internal and external DNS servers

2023-11-04 Thread Michael Richardson

Given VPNs, RemoteAccess and the like, I strongly recommend against split-DNS
configurations.  They were great ideas in 1993, when all sites were concave,
but that's just not the case anymore.

Instead, I recommend having a sub-zone, "internal.example.com", or some other
convenient name.  Put a zone split ("NS" and "DS" records) there, and then
limit who can do queries to this zone by IP address.  You'd acceptlist all of
your VPN sites, the v4 (RFC1918) and v6 (subnet) prefixes for your remote
access clusters.

Split-DNS finally has some actual IETF definition at:
  https://datatracker.ietf.org/doc/draft-ietf-add-split-horizon-authority/

I'm specifically arguing to do:
  https://www.ietf.org/archive/id/draft-ietf-add-split-horizon-authority-06.html#name-internal-only-subdomains

It's just so much easier, particularly if you are starting from scratch.

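Both of Michael's recommendations on this page, the internal-only sub-zone with an address ACL above and the update-only sub-zone for dns-01 that he describes in the "Bind forgets my changes with nsupdate" thread, are the same pattern: a public, hand-maintained, signed `example.com` that carries only NS and DS delegation points, with each special-purpose part split into a zone of its own. The configuration below is an added example of mine, not a fragment from either thread or from the draft; the zone names, the `default` policy, the ACL prefixes, and the `<...>` placeholders for the DS records and the TSIG secret are all assumed.

```conf
acl "internal-clients" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 2001:db8:100::/40; };  // office + VPN pools (assumed)
key "acme-dns01" { algorithm hmac-sha256; secret "<base64 secret from tsig-keygen>"; };

// Public, hand-maintained, signed zone.  Nothing here is ever touched by dynamic
// update; it only delegates the two sub-zones (NS + DS) and points at them.
zone "example.com" {
    type primary;
    file "example.com.zone";
    dnssec-policy "default";
    inline-signing yes;                      // the hand-edited file stays unsigned on disk
    allow-update { none; };
};
// example.com.zone (excerpt):
//   internal             IN NS    ns1.example.com.
//   internal             IN DS    <dnssec-dsfromkey output for the internal sub-zone KSK>
//   acme                 IN NS    ns1.example.com.
//   acme                 IN DS    <dnssec-dsfromkey output for the acme sub-zone KSK>
//   _acme-challenge.www  IN CNAME www.acme.example.com.

// Internal-only sub-zone: delegated publicly (so the DNSSEC chain from the root
// still reaches it) but answered only for the ACL; everyone else gets REFUSED.
zone "internal.example.com" {
    type primary;
    file "internal.example.com.zone";
    dnssec-policy "default";
    inline-signing yes;
    allow-query { internal-clients; };
    allow-transfer { internal-clients; };    // tighten to the real secondaries
};

// Update-only sub-zone for dns-01: the TSIG key may write TXT records here and nowhere else.
zone "acme.example.com" {
    type primary;
    file "acme.example.com.zone";
    dnssec-policy "default";
    inline-signing yes;
    update-policy { grant acme-dns01 zonesub TXT; };
};
```

A `REFUSED` for `internal.example.com` from outside the ACL is the intended result; the existence of the delegation stays visible to everyone, and only its contents are gated. The ACME client has to be pointed at `acme.example.com` (the CA follows the CNAME from `_acme-challenge.www.example.com`), and `zonesub TXT` limits what a leaked `acme-dns01` key can do to TXT records in that one zone, which is the whole reason for not granting it anything in `example.com`.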


Re: How should I configure internal and external DNS servers

2023-11-05 Thread Michael Richardson

Greg Choules via bind-users  wrote:
> What would be better (IMHO) is for you to keep "example.com" as your
> external zone in an external (hopefully in a DMZ) primary server,
> serving the world with public addresses they need to reach, and
> internally create a new zone - "internal.example.com" (maybe also other
> "somethingX.example.com" too) as your internal zone in an internal
> primary server for serving internal clients with the addresses they
> need.

Would anyone be interested in formulating this into an IETF BCP RFC?
Or maybe a RIPE BCOP.
Your write up is excellent.  Worth keeping it somewhere.

> The reason for the delegation is DNSSEC. If you enable DNSSEC

Yes.

> That was a bit of an essay, but I hope at least some of it made sense.

:-)




tsig key not found

2024-01-17 Thread Michael Lipp

I'm running v9.16.42.

I have defined a key in named.conf:

key "acme-dns01" { algorithm hmac-sha256; secret "+m8fujTWD3qb0LkJFP7HPCZAbLlWBMtwtbNPEkvAt7E="; };


This has worked:

$ rndc tsig-list
view "Default"; type "static"; key "acme-dns01";
view "Default"; type "static"; key "local-ddns";
view "Default"; type "static"; key "rndc-key";
view "_bind"; type "static"; key "acme-dns01";
view "_bind"; type "static"; key "local-ddns";
view "_bind"; type "static"; key "rndc-key";


I'm using the key in a grant (but this doesn't really matter):

update-policy { grant acme-dns01 zonesub txt; };

When I try to make use of the "key:secret" using nsupdate, it is sent 
as expected:


;; TSIG PSEUDOSECTION: acme-dns01. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0


But I get a BADKEY in the response, which means that the key is 
unknown <https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors>.


This information can also be found in the log:

Jan 17 17:46:10 | named | 23910 | dnssec: debug 2: tsig key 'acme-dns01': unknown key


I couldn't find any additional required action to make the key known in 
the manual 
<https://bind9.readthedocs.io/en/v9.16.42/reference.html#key-statement-definition-and-usage>. 
It is defined globally and should be available in all views (and the 
output from tsig-list confirms this).


As this has been rejected as an error within minutes 
(https://gitlab.isc.org/isc-projects/bind9/-/issues/4539) it must be a 
user error. However, I have gone through the manual and a dozen of 
posting about how to set this up and couldn't find a single information 
about what's wrong. Could somebody please provide a hint? Thank you!


 - Michael



Re: tsig key not found

2024-01-17 Thread Michael Lipp
Thanks a lot! I spent almost a day on testing different configurations 
and key names (examples often use fqdns for the key names and I thought 
this might be the cause of the problem).


I suppose I would eventually have found out about this if the response 
had been BADSIG (as described here 
https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors). As it 
is, I was too focused on finding a problem with defining a key at all. 
Maybe pointing out this would be an acceptable issue...


Thanks again!

 - Michael

Am 17.01.24 um 18:26 schrieb Anand Buddhdev:

On 17/01/2024 18:18, Michael Lipp wrote:

Hi Michael,


I have defined a key in named.conf:

key "acme-dns01" { algorithm hmac-sha256; secret "+m8fujTWD3qb0LkJFP7HPCZAbLlWBMtwtbNPEkvAt7E="; };


Your key algorithm is hmac-sha256, but see below...

[snip]


I'm using the key in a grant (but this doesn't really matter):

update-policy { grant acme-dns01 zonesub txt; };

When I try to make use of the "key:secret" using nsupdate, it is 
sent as expected:


;; TSIG PSEUDOSECTION: acme-dns01. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0


But I get a BADKEY in the response, which means that the key is 
unknown <https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors>.


Note the hmac-md5 there. You need to precede the key with hmac-sha256, 
without which, nsupdate defaults to hmac-md5 (documented in the 
nsupdate man page).


Regards,
Anand Buddhdev
RIPE NCC



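Why the server said BADKEY rather than BADSIG is the useful lesson in this thread: a TSIG key is identified by its name and its algorithm together, so a request signed with `hmac-md5.sig-alg.reg.int.` simply never finds the `hmac-sha256` key of the same name, and the MAC is never even checked. The code below is an added example of mine, not BIND's TSIG implementation: it models the server's key table and the RFC 8945 section 5.2 decision order. The MAC input is deliberately simplified (it is not the exact RFC 8945 digest layout) and the secret is a constructed value, not the one posted above.

```python
import base64
import hashlib
import hmac

# Server-side key table, mirroring a named.conf key statement.  Constructed secret.
SERVER_KEYS = {
    "acme-dns01.": ("hmac-sha256", base64.b64decode("Y29uc3RydWN0ZWQtZXhhbXBsZS1zZWNyZXQtMDE=")),
}

# Algorithm names as they appear on the wire, mapped to the digest they use.
ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int.": hashlib.md5,   # what nsupdate -y uses when no algorithm is given
    "hmac-sha256.": hashlib.sha256,
}


def canonical(name):
    """DNS names compare case-insensitively; keep them lower-case and absolute."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def tsig_sign(message, key_name, alg_name, secret, time_signed):
    """Client side (the nsupdate role): MAC over the message plus the TSIG variables.

    Simplified digest input; the real layout is in RFC 8945 section 4.3.3.
    """
    data = (message + canonical(key_name).encode() + canonical(alg_name).encode()
            + time_signed.to_bytes(6, "big"))
    mac = hmac.new(secret, data, ALGORITHMS[canonical(alg_name)]).digest()
    return {"key": key_name, "alg": alg_name, "time": time_signed, "mac": mac}


def tsig_verify(message, tsig, keys=SERVER_KEYS):
    """Server side: the key is looked up by name AND algorithm before any MAC is computed."""
    entry = keys.get(canonical(tsig["key"]))
    if entry is None:
        return "BADKEY"                       # no key of that name at all
    alg_name, secret = entry
    if canonical(alg_name) != canonical(tsig["alg"]):
        return "BADKEY"                       # same name, other algorithm: still "unknown key"
    expected = tsig_sign(message, tsig["key"], tsig["alg"], secret, tsig["time"])["mac"]
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"                       # key found, but the MAC does not verify
    return "NOERROR"


if __name__ == "__main__":
    msg = b"constructed UPDATE message bytes"
    secret = SERVER_KEYS["acme-dns01."][1]
    # the thread's situation: right name and secret, default (md5) algorithm on the client
    print(tsig_verify(msg, tsig_sign(msg, "acme-dns01", "hmac-md5.sig-alg.reg.int.", secret, 1705509748)))
    # after adding hmac-sha256: to the -y argument
    print(tsig_verify(msg, tsig_sign(msg, "acme-dns01", "hmac-sha256", secret, 1705509748)))
```

In practice this means `nsupdate -y hmac-sha256:acme-dns01:<secret>` or, better, `nsupdate -k` with the file `tsig-keygen` wrote, since that carries the algorithm with the key. The same lookup order is why a BADKEY in the response is worth treating as "name or algorithm", not just "name".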


Re: Problem upgrading to 9.18 - important feature being removed

2024-02-26 Thread Michael Sinatra



On 2/26/24 13:41, Al Whaley wrote:
As far as I have been able to determine through some fairly extensive 
reading, a feature I depend on has fallen out of favor with the BIND 
developers, and is being removed.
DNSSEC in 9.18 has two automatic actions where the original code had 
just one, and the second cannot be disabled.

I am referring to the deprecated feature:

auto-dnssec maintain;

Originally (under the above command) RR records for DNSSEC were 
maintained by bind, but the ZSK and KSK keys were maintained by me.  
This command is being discarded.  I understand that bind "sort of" 
supports this feature in 9.18 by allowing the DNSSEC policy statement to 
declare unlimited lifetime, but after careful reading of the 
documentation and reading a number of complaints, it turns out that bind 
may under various circumstances decide that it is appropriate not to use 
existing keys and decide that it knows best, and then it makes new 
ones.  This potential instability of course would be disastrous, and 
completely unnecessary.


I have never experienced this, in either BIND 9.16 or BIND 9.18 
(including the latter with KASP set to not rotate any keys).  Can you 
elaborate as to where in the documentation and/or what complaints you 
have seen where correctly configured KASPs in 9.18.24+ decide to roll 
keys?  I'd certainly like to know if that's the case, for reasons 
described below.


I am sure there are the usual people that will assure me I don't or 
shouldn't want to do what I am doing, but I am experienced and have good 
reasons.  Yes I know that I can have bind update the DS records, but for 
good reason I definitely do not want to do that.  I need some syntax 
that assures my use of existing KSK and ZSK keys and prevents bind from 
changing them.


Actually, I do exactly what you're doing in several circumstances.  I 
use the deprecated `dnssec-keymgr` on a few different systems, including 
a signing service that I run, in order to maintain keys.  (As is 
probably the case with you, there's already some tooling built around 
generating, rotating, backing up, etc. of keys that I have not yet 
integrated with the newer KASP regime.) I *do* plan to refactor these 
different services to use KASP, but I still need to do some more 
testing/QA/etc.  On my personal domains (including the ironically-named 
one I am sending this from), I have mostly switched to 100% KASP.  KSKs 
properly don't rotate, and ZSKs do only if I request.


I wonder if the bind developers are open to allowing a command in the 
new policy statement structure that blocks this 'feature' of 
automatically updating ZSK and KSK?  If there is such a thing already, I 
will be delighted to hear that I had missed seeing it.


I believe the following KASP will do what you want it to do:

dnssec-policy pkcs11 {
    keys {
        zsk lifetime unlimited algorithm 13;
        ksk lifetime unlimited algorithm 13;
    };
    signatures-refresh P26D;
    signatures-validity P30D;
    signatures-validity-dnskey P30D;
};

This policy has been running for about 6 months and BIND has never seen 
fit to roll any keys, ZSK or KSK.  (You can safely ignore the sig 
validity/refresh stuff; I add that for other reasons.)



A lot of pain and suffering in this world comes from people being sure 
they have a 'better idea' and everybody needs to do whatever.  This 
feels a bit like that.  A command that gives choice and real certainty 
would be great.


That's certainly true in a lot of cases.  We hear stories all of the 
time (and sometimes experience them) about how well-intentioned software 
developers try to reduce code complexity and end up inadvertently 
generating work for users and admins.  Some of that's inevitable as we 
keep up with evolving software and best-practices.  (It also provides 
some level of job security :-D.)


But in this case, I think the BIND developers did a good job ensuring 
there was a way to create policies that integrate well with 
key-management regimes external to BIND.


michael


Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Michael Richardson

Matthijs Mekking  wrote:
> As the main developer of dnssec-policy, I would like to confirm that
> what has been said by Michael and Nick are correct.

Cool.

> - When migrating to dnssec-policy, make sure the configuration matches
> your existing keys.

Is there a way to validate the policy against what's in a specific 
zone/directory?
Effectively, "do your key management stuff --just-kidding --verbose"?

> - Most issues that were shared on this list have to do with migrating
> to dnssec-policy.

Agreed: and it bit me, and I am still a bit shell shocked.

> - If you feel like the DS is stuck in 'rumoured' state you might need
> to run 'rndc dnssec -checkds seen' on the key.

okay, good to know this.
. o O ( Umbrella Academy )

> - It is not recommended to switch to dnssec-policy if you are currently
> in a rollover.

> I acknowledge that migration takes some care and I wish the process was
> easier. We have some ideas to make it less error prone, but I haven't
> found the time to work on that.

Are there open issues?



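As an added example (not code from Michael Sinatra, Matthijs or Michael Richardson), here is a small Python pre-migration check in the spirit of the "--just-kidding --verbose" request above: it parses a dnssec-policy block such as the one posted earlier in this thread, reads the DNSKEY line out of each K*.key file, and reports any role whose lifetime is not unlimited or whose algorithm and flags have no matching key on disk, plus any key on disk the policy does not cover. The policy text and key-file contents are constructed, and the mnemonic-to-number table is an assumption covering the common algorithms.

```python
import re

# dnssec-policy algorithm mnemonics -> IANA numbers (assumed list; a numeric
# value in the policy, as in the posted example, is accepted as-is).
ALG_MNEMONICS = {
    "rsasha1": 5, "nsec3rsasha1": 7, "rsasha256": 8, "rsasha512": 10,
    "ecdsa256": 13, "ecdsa384": 14, "ed25519": 15, "ed448": 16,
}
# DNSKEY flags field expected for each key role (SEP bit set for KSK/CSK).
ROLE_FLAGS = {"ksk": 257, "zsk": 256, "csk": 257}

# Constructed policy, mirroring the one posted in this thread.
POLICY = """
dnssec-policy pkcs11 {
    keys {
        zsk lifetime unlimited algorithm 13;
        ksk lifetime unlimited algorithm 13;
    };
    signatures-refresh P26D;
    signatures-validity P30D;
    signatures-validity-dnskey P30D;
};
"""

# Constructed contents of two K*.key files (the base64 is a placeholder, not a key).
KEY_FILES_OK = [
    "; This is a key-signing key, keyid 12345, for example.test.\n"
    "example.test. IN DNSKEY 257 3 13 constructedKSKplaceholder==\n",
    "; This is a zone-signing key, keyid 23456, for example.test.\n"
    "example.test. IN DNSKEY 256 3 13 constructedZSKplaceholder==\n",
]
# Same, but the KSK on disk is RSASHA256 (8) while the policy says 13.
KEY_FILES_MISMATCH = [
    "example.test. IN DNSKEY 257 3 8 constructedKSKplaceholder==\n",
    "example.test. IN DNSKEY 256 3 13 constructedZSKplaceholder==\n",
]


def parse_policy(text):
    """Extract the key lines of a dnssec-policy block -> [{'role','lifetime','algorithm'}]."""
    keys = []
    for m in re.finditer(r"\b(ksk|zsk|csk)\b([^;]*);", text):
        role, rest = m.group(1), m.group(2)
        lt = re.search(r"\blifetime\s+(\S+)", rest)
        alg = re.search(r"\balgorithm\s+(\S+)", rest)
        if not alg:
            raise ValueError(f"{role}: algorithm is required")
        a = alg.group(1).lower()
        keys.append({"role": role,
                     "lifetime": lt.group(1) if lt else None,
                     "algorithm": int(a) if a.isdigit() else ALG_MNEMONICS[a]})
    return keys


def parse_key_file(text):
    """Read the DNSKEY record out of a K<zone>+<alg>+<id>.key file -> (flags, algorithm)."""
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue
        fields = line.split()
        i = fields.index("DNSKEY")        # fields after it: flags, protocol, algorithm, key
        return int(fields[i + 1]), int(fields[i + 3])
    raise ValueError("no DNSKEY record in key file")


def check(policy_text, key_files):
    """Compare a policy against the keys on disk; returns a list of findings (empty = OK)."""
    findings = []
    policy = parse_policy(policy_text)
    on_disk = [parse_key_file(t) for t in key_files]
    for k in policy:
        if (k["lifetime"] or "").lower() != "unlimited":
            findings.append(f"{k['role']}: lifetime {k['lifetime']} lets named roll this key")
        want = (ROLE_FLAGS[k["role"]], k["algorithm"])
        if want not in on_disk:
            findings.append(f"{k['role']}: no key file with flags {want[0]} and algorithm {want[1]}")
    for flags, alg in on_disk:
        if not any((ROLE_FLAGS[k["role"]], k["algorithm"]) == (flags, alg) for k in policy):
            findings.append(f"key file (flags {flags}, algorithm {alg}) is not covered by the policy")
    return findings


if __name__ == "__main__":
    for label, files in (("matching", KEY_FILES_OK), ("mismatch", KEY_FILES_MISMATCH)):
        print(label, "->", check(POLICY, files) or "OK")
```

Run it against the real key directory by reading each K*.key file into the list; a non-empty result is the case Matthijs warns about, where the configuration does not match the existing keys.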


Problem with a certain domain

2024-05-31 Thread Michael Batchelder
> My go-to DNS debugging site at 
> 
> https://dnsviz.net/d/s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es/dnssec/
>  
> 
> appears to indicate there is more than one problem, but the most 
> serious one is probably this one: 
> 
> It might look like one or more of the publishing name servers responds 
> incorrectly when queried for an "empty non-terminal" name 
> (e.g. _domainkey...), which probably itself doesn't have any data on 
> that node, but has data on "names below". The correct response code 
> is then NOERROR with answer count=0 (aka. "NODATA"), not NXDOMAIN. 
> 
> When a recursor gets NXDOMAIN back, it is free to assume that the 
> queried-for name does not exist (which is obvious), and nothing exists 
> below that node either. See RFC 8020. 
> 
> Regards, 
> 
> - Håvard 

Håvard, what you say is correct about the NXDOMAIN RCODE. However, Thomas's 
logs and dig output suggest that the failure is a timeout, possibly because 
BIND/named is not responding. So I don't think that DNSViz error matches the 
problem description. Having said that, one or more problems with the relevant 
zones could be triggering something in BIND... 

Thomas, can you clarify whether all queries to 127.0.0.1/53 result in: 
;; communications error to 127.0.0.1#53: timed out 
when this problem occurs, or do just queries for 
s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es fail (or some level of 
failure in between all queries and the ones for that one domain)? And at that 
time, can you successfully query from the same system using a public resolver 
(e.g. "dig @9.9.9.9 s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es TXT")? 
And do you have BIND's logging for the queries that fail? 

Thanks, 
b. 

Michael Batchelder 
ISC Support 


Problem with a certain domain

2024-06-04 Thread Michael Batchelder

> The newsletter is only sent out once a day, so I would have to wait 
> until tomorrow. I'll record it then. I have already experimented with 
> tshark and recorded port 53. 

When you run your packet capture, do not restrict your capture to only port 53. 
As a general rule, always keep your filtering as open as possible. That will 
allow for capturing potentially critical evidence such as ICMP error messages, 
ARP broadcasts, etc... or the absence of such things when they should be there. 
So at minimum add "icmp and arp" to your filter expression. 

> What I noticed as a network layman is that a certain 
> response takes much longer on server 1 with the problems than 
> on server 2. 

Your tshark snippets do not show "a certain response" taking much longer. That 
might be the explanation, but what you show is not proof of that. Your snippets 
only show response packets with varying amounts of separation between them. 
Without the request packet which generated the response, we can't calculate an 
actual time to respond, and have no way of knowing with certainty what the 
situation really is. Another general rule: don't limit the amount of 
information you provide to those who are trying to help you or make them infer 
information. It's fine to mention only certain packets in an email, but put the 
full packet capture on a public resource somewhere accessible. 

Michael Batchelder 
ISC Support 


Problem with a certain domain

2024-06-04 Thread Michael Batchelder
Thomas, 

I just incorrectly wrote: 

> So at minimum add "icmp and arp" to your filter expression. 

I did not mean to use the logical "and". Your minimum filter should be 
something like: 

"src port 53 or icmp or arp" 

Sorry for the confusion, 
Michael 

Michael Batchelder 
ISC Support 


SERVFAIL error during the evening

2024-06-13 Thread Michael Batchelder
Sami, 

After you regenerate your rndc key as Mark advised, you will need to provide us 
with more information, as what you've sent is not sufficient to troubleshoot 
your symptom. As a first step, take a packet capture on the resolver that shows 
incoming queries from the client and the corresponding outgoing queries from 
the resolver to upstream servers. When you capture packets, do not filter out 
TCP or ICMP or ARP. A tcpdump filter such as 'icmp or arp or port 53' should be 
sufficient. I would capture on all interfaces of the server (-i any). 

Send that capture file along with the BIND log segment which contains the 
failed queries. 

Michael Batchelder 
ISC Support 
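
To make the filter correction concrete, an added Python example (not ISC's or Michael Batchelder's code) that parses a small subset of pcap-filter syntax and runs it over a constructed set of packets. It shows that "icmp and arp" can never match, since no packet is both, that "src port 53 or icmp or arp" keeps the responses plus the ICMP and ARP evidence, and that "icmp or arp or port 53" also keeps the client's queries, which the earlier note about measuring request-to-response time needs.

```python
import re

# Constructed packets of the kinds seen on a resolver's interface.
PACKETS = [
    {"id": "dns-query",    "proto": "udp",  "sport": 40001, "dport": 53},
    {"id": "dns-response", "proto": "udp",  "sport": 53,    "dport": 40001},
    {"id": "tcp-dns",      "proto": "tcp",  "sport": 40002, "dport": 53},
    {"id": "icmp-unreach", "proto": "icmp"},
    {"id": "arp-request",  "proto": "arp"},
    {"id": "https",        "proto": "tcp",  "sport": 40003, "dport": 443},
]

TOKEN = re.compile(r"\(|\)|\w+")


class FilterParser:
    """Recursive-descent parser for a pcap-filter subset: icmp, arp, tcp, udp,
    [src|dst] port N, not, and, or, parentheses. Precedence as in pcap-filter(7):
    'not' binds tightest, then 'and', then 'or'. parse() returns packet -> bool."""

    def __init__(self, text):
        self.toks = TOKEN.findall(text.lower())
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        fn = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return fn

    def expr(self):                       # expr := term ('or' term)*
        left = self.term()
        while self.peek() == "or":
            self.take()
            l, r = left, self.term()
            left = lambda p, l=l, r=r: l(p) or r(p)
        return left

    def term(self):                       # term := factor ('and' factor)*
        left = self.factor()
        while self.peek() == "and":
            self.take()
            l, r = left, self.factor()
            left = lambda p, l=l, r=r: l(p) and r(p)
        return left

    def factor(self):                     # factor := 'not' factor | '(' expr ')' | primitive
        tok = self.peek()
        if tok == "not":
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            self.take()
            inner = self.expr()
            self.take(")")
            return inner
        return self.primitive()

    def primitive(self):                  # icmp | arp | tcp | udp | [src|dst] port N
        tok = self.take()
        if tok in ("icmp", "arp", "tcp", "udp"):
            return lambda p, proto=tok: p["proto"] == proto
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok != "port":
            raise ValueError(f"unknown primitive {tok!r}")
        n = int(self.take())
        keys = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
        return lambda p, keys=keys, n=n: any(p.get(k) == n for k in keys)


def select(filter_text, packets=PACKETS):
    """Return the ids of the packets a capture with this filter would keep."""
    match = FilterParser(filter_text).parse()
    return [p["id"] for p in packets if match(p)]


if __name__ == "__main__":
    for f in ("icmp and arp", "src port 53 or icmp or arp", "icmp or arp or port 53"):
        print(f"{f!r:32s} -> {select(f)}")
```

The practical rule from the thread survives the exercise: the filter you type is the data you will have later, so keep it as open as the disk allows and capture on all interfaces.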


Re: can I provide invalid HTTPS values for testing?

2024-06-19 Thread Michael Richardson

Mark Andrews  wrote:
> Named and nsupdate validate input for types they know about (both text
> and wire). You would have to use versions that are not HTTPS aware and
> use unknown type format.

So, he could code it in Perl or Python or something which had a dynamic DNS
library.  Bind itself wouldn't validate the "ascii-hex" part when it receives
it.



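As an added illustration (not Mark's or Michael's code), a Python encoder/decoder for the RFC 3597 generic ("unknown type") presentation format that a non-HTTPS-aware client would have to use, together with a structural parser for HTTPS RDATA that a zone operator can run over what a dynamic-update client submits, so that malformed records are caught before they reach a zone. The record contents are constructed.

```python
import re
import struct

HTTPS_TYPE = 65   # IANA type code for HTTPS (RFC 9460)


def to_generic(rtype, rdata):
    """RFC 3597 presentation form: TYPEnnn \\# <length> <hex>."""
    return f"TYPE{rtype} \\# {len(rdata)} {rdata.hex()}"


def from_generic(text):
    """Parse the generic form back; the declared length must match the hex data."""
    m = re.fullmatch(r"TYPE(\d+)\s+\\#\s+(\d+)((?:\s+[0-9a-fA-F]+)*)\s*", text)
    if not m:
        raise ValueError("not RFC 3597 generic format")
    rtype, length = int(m.group(1)), int(m.group(2))
    hexdigits = "".join(m.group(3).split())
    if len(hexdigits) % 2:
        raise ValueError("odd number of hex digits")
    rdata = bytes.fromhex(hexdigits)
    if len(rdata) != length:
        raise ValueError(f"declared length {length} but {len(rdata)} bytes of data")
    return rtype, rdata


def name_wire(name):
    """Uncompressed wire form of a domain name ('.' becomes a single zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def https_rdata(priority, target, params=b""):
    """Well-formed SVCB/HTTPS wire RDATA: SvcPriority, TargetName, SvcParams."""
    return struct.pack("!H", priority) + name_wire(target) + params


def parse_https(rdata):
    """Minimal structural parse of HTTPS RDATA; raises ValueError on malformed input.
    Only the wire layout is checked, not the meaning of individual SvcParams."""
    if len(rdata) < 3:
        raise ValueError("too short")
    priority = struct.unpack("!H", rdata[:2])[0]
    pos, labels = 2, []
    while True:
        if pos >= len(rdata):
            raise ValueError("target name runs past end of RDATA")
        n = rdata[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(rdata):
            raise ValueError("bad label length")
        labels.append(rdata[pos:pos + n].decode("ascii"))
        pos += n
    params = []
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("SvcParam value runs past end of RDATA")
        params.append((key, rdata[pos:pos + length]))
        pos += length
    return priority, ".".join(labels) + ".", params


def is_malformed(rdata):
    """True when the structural parser rejects the RDATA."""
    try:
        parse_https(rdata)
        return False
    except ValueError:
        return True


def generic_is_valid(text):
    """True when the generic-format text is internally consistent."""
    try:
        from_generic(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    alpn = struct.pack("!HH", 1, 3) + b"\x02h2"          # SvcParamKey 1 (alpn) = "h2"
    good = https_rdata(1, "svc.example.test.", alpn)
    print(to_generic(HTTPS_TYPE, good), parse_https(good))
    bad = b"\x00\x01\x10xyz"                             # label length 16, 3 bytes follow
    print(to_generic(HTTPS_TYPE, bad), "malformed:", is_malformed(bad))
```

The point the generic form makes clear is that nothing in the RFC 3597 syntax checks the content, so a record that passes `from_generic` can still fail `parse_https`; the two checks answer different questions.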


Re: qname minimization: me too :(

2024-06-21 Thread Michael Batchelder
> Yes, sure. I grabbed three typical cases to analyze further, and
> currently trying to understand the proceedings - unsuccessfully, up
> to now. :(
>
> Case 1:
> ---
> Jun 19 17:42:12  conr named[24481]: lame-servers:
>info: success resolving '26.191.165.185.in-addr.arpa/PTR'
>after disabling qname minimization due to 'ncache nxdomain'
> 
> This one does not point back to me, but nevertheless I do not
> see the lame server.
> 
> Case 2:
> ---
> Jun 19 18:02:44  conr named[24481]: lame-servers:
>info: success resolving 'reactivite.fr.intra.daemon.contact/'
>after disabling qname minimization due to 'ncache nxdomain'
> 
> Here, for whatever reason, the client was not happy with the official
> answer on "reactivite.fr", and tried to append the search domain for
> internal hosts on my LAN.
> So this does absolutely point to me, only. The recursing LAN server
> asks the authoritative LAN server (same image, different view), and
> that one basically says, this is bogus.
> 
> Case 3:
> ---
> Jun 19 18:28:48  conr named[24481]: lame-servers:
>info: success resolving
>
> '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.1.0.0.3.2.f.1.0.7.4.0.1.0.0.2.ip6.arpa/PTR'
>after disabling qname minimization due to 'ncache nxdomain'

Peter,

Case 1:

The 191.165.185.in-addr.arpa zone (@200.3.13.14) responds with NXDOMAIN to 
queries for any QTYPE for QNAME 191.165.185.in-addr.arpa.

Case 2:

The intra.daemon.contact zone (@195.154.230.217) responds with NXDOMAIN to 
queries for any QTYPE of QNAME intra.daemon.contact.

Case 3:

The f.1.0.7.4.0.1.0.0.2.ip6.arpa zone (@216.66.80.18) responds with NXDOMAIN to 
queries for any QTYPE for QNAME f.1.0.7.4.0.1.0.0.2.ip6.arpa

You'll need to fix these zones so that the response is NOERROR rather than 
NXDOMAIN.

b.


Re: SERVFAIL error during the evening

2024-06-24 Thread Michael Batchelder
> Hello Michael
> Thank you for your response. Here is a pcap file and some logs.

Hello Sami,

Your pcap shows your resolver making thousands of queries that get no responses 
(or at least the pcap does not contain them). There's not much I can say, 
beyond that this does not appear to be a problem related to BIND. You will need 
to look at your infrastructure and beyond to determine why you are not getting 
responses to your queries.

One possibility may be in your infrastructure/network, where a firewall or 
other stateful inspection device is running out of resources to make additional 
state table entries. You will need to speak with the technical support of that 
device's vendor if you need help in assessing this.

Michael


Re: SERVFAIL error during the evening

2024-06-24 Thread Michael Batchelder
>> Hello Michael
>> Thank you for your response. Here is a pcap file and some logs.
> 
> Hello Sami,
>
> Your pcap shows your resolver making thousands of queries that get
> no responses (or at least the pcap does not contain them). There's
> not much I can say, beyond that this does not appear to be a > problem
> related to BIND.

Sami,

My co-worker helpfully pointed out something I missed when reviewing your 
packet capture. A large number of your resolution failures are because your 
BIND is configured to use QNAME minimization (a.k.a. "qmin") and the queries 
are to zones whose configuration is done incorrectly and breaks qmin.

The pcap indicates you have the 'qname-minimization strict' setting in your 
BIND configuration file. See the "qname-minimization" statement in the Options 
section of the BIND ARM 
(https://bind9.readthedocs.io/en/v9.16.25/reference.html#options-statement-definition-and-usage). 
For the general background on qmin, read RFCs 7816 and 9156.

I don't know of a reason why you would experience more qmin failures in the 
evening, other than the requests that fail are only made at that time. 
Regardless, if you want to stop the failures completely, you can change the 
'qname-minimization strict' setting to 'qname-minimization disabled'. The 
drawback is that your queries will no longer be minimized, so all authoritative 
servers will see the full query name during recursion.

As a compromise between doing nothing and fully disabling qmin, you can use the 
'qname-minimization relaxed' setting which will try qmin and if BIND encounters 
a zone which breaks qmin, then BIND will switch to not doing qmin and do normal 
recursion (equivalent to 'qname-minimization disabled') for that query.

Also, you should upgrade your version of BIND, as we can see that the qmin 
queries are those used in older versions of BIND. 

Michael
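
An added Python model (not BIND's code) of the failure mode described in this thread, in the qname-minimization cases earlier on this page, and in the DNSViz explanation of empty non-terminals: a constructed authoritative zone holds a TXT record at s1._domainkey.example.test, the broken variant of the server answers NXDOMAIN for the empty non-terminal _domainkey.example.test instead of NODATA, and the resolver walks the name label by label in strict, relaxed and disabled modes. find_broken_ents() is the operator-side check for such names. The qmin walk is simplified to one NS query per intermediate label rather than BIND's actual algorithm.

```python
# Constructed zone: authoritative for example.test., with a DKIM-style TXT
# record under an empty non-terminal (_domainkey.example.test. has no data).
ZONE = "example.test."
RECORDS = {
    "example.test.": {
        "SOA": ["ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 300"],
        "NS": ["ns1.example.test."],
    },
    "ns1.example.test.": {"A": ["192.0.2.53"]},
    "s1._domainkey.example.test.": {"TXT": ['"v=DKIM1; k=rsa; p=constructed"']},
}


def labels_below(name, zone):
    """Labels of `name` below the zone apex, closest to the apex first."""
    assert name.endswith(zone)
    rel = name[: -len(zone)].rstrip(".")
    return [] if not rel else rel.split(".")[::-1]


class AuthServer:
    """Authoritative server. broken_ent=True reproduces the misbehaviour in the thread."""

    def __init__(self, records, zone, broken_ent=False):
        self.records, self.zone, self.broken_ent = records, zone, broken_ent

    def query(self, qname, qtype):
        """Return (rcode, answers). NOERROR with no answers is NODATA."""
        if qname in self.records:
            return "NOERROR", list(self.records[qname].get(qtype, []))
        is_ent = any(n.endswith("." + qname) for n in self.records)
        if is_ent and not self.broken_ent:
            return "NOERROR", []       # RFC 8020: the name exists, it just has no data
        return "NXDOMAIN", []          # a broken server says this for ENTs as well


def resolve(server, qname, qtype, mode):
    """Simplified qname-minimisation walk; returns (rcode, answers, queries sent).
    'strict' trusts an intermediate NXDOMAIN (RFC 8020); 'relaxed' falls back to
    the full name, which is the 'success resolving ... after disabling qname
    minimization' log line; 'disabled' sends the full name straight away."""
    queries = []
    if mode != "disabled":
        current = server.zone
        for label in labels_below(qname, server.zone)[:-1]:
            current = label + "." + current
            rcode, _ = server.query(current, "NS")
            queries.append((current, "NS", rcode))
            if rcode == "NXDOMAIN":
                if mode == "strict":
                    return "NXDOMAIN", [], queries
                break                  # relaxed: stop minimising for this query
    rcode, answers = server.query(qname, qtype)
    queries.append((qname, qtype, rcode))
    return rcode, answers, queries


def find_broken_ents(server, records):
    """Operator check: no ancestor of a name that has data may answer NXDOMAIN."""
    bad = []
    for name in records:
        current = server.zone
        for label in labels_below(name, server.zone)[:-1]:
            current = label + "." + current
            if server.query(current, "NS")[0] == "NXDOMAIN" and current not in bad:
                bad.append(current)
    return bad


if __name__ == "__main__":
    q = "s1._domainkey.example.test."
    for broken in (False, True):
        srv = AuthServer(RECORDS, ZONE, broken_ent=broken)
        print("broken ENT handling:", broken, "->", find_broken_ents(srv, RECORDS))
        for mode in ("strict", "relaxed", "disabled"):
            rcode, answers, trace = resolve(srv, q, "TXT", mode)
            print(f"  {mode:9s} {rcode:9s} {answers} via {trace}")
```

The trace makes the trade-off in the thread visible: relaxed mode recovers the answer at the cost of one wasted query and of exposing the full name to that server, while the fix that removes the cost for everyone is on the authoritative side.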


Re: SERVFAIL error during the evening

2024-06-26 Thread Michael Batchelder
 EOL'd versions are less likely to be 
addressed by listmembers (beyond indicating that you should upgrade).

> How can we ensure that this is a network-level issue?

Through standard network troubleshooting techniques, such as packet captures 
and firewall log inspection. Beyond that, you'll need to inquire elsewhere, as 
I indicated at the top of this message, as this is a list about BIND-related 
issues.

Michael


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Michael Dahlberg

On Tuesday, August 27th, 2024 at 4:21 AM, Ondřej Surý  wrote:
 
> the Docker images have been updated to use Alpine Linux as the base image
> and the bind9 binaries are now compiled from the source while building the
> Docker images. This is more in-line with the expected Docker (Podman) 
> workflow.

This sounds very cool!  Would it be possible to share how these container 
images were created, like what sort of dockerfile was used to generate them?

Thanks for the valuable work.

Mike


PLEASE READ: An Important Security Announcement from ISC

2012-02-07 Thread Michael McNally

PLEASE READ:  An important security announcement from ISC

  ISC has been notified by Haixin Duan (a professor at Tsinghua
  University in Beijing China, who is currently visiting the
  International Computer Science Institute (ICSI) at the University
  of California, Berkeley) about a DNS resolver vulnerability that
  potentially allows a party to keep a domain name in the cache
  even after that domain name has been expired

  ISC is evaluating the risk of this vulnerability, but his published
  paper shows how this was demonstrated, live across the Internet.
  It lists several DNS implementations and open resolver deployments
  as vulnerable. All BIND 9 versions are currently considered
  vulnerable.

  A more detailed description of this vulnerability and ISC's
  planned response can be found at:

 https://www.isc.org/software/bind/advisories/cve-2012-1033
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: dig -- only RRSIG present.

2012-02-12 Thread Michael Sinatra

On 02/12/12 09:40, dE . wrote:

I'm trying to see DNSSEC response of various sites; my DNS server is
8.8.8.8 (google's public DNS service)

Response is as such -

dig +dnssec -t SOA org

; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20306
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;org. IN SOA

;; ANSWER SECTION:
org. 899 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info.
2009954959 1800 900 604800 86400
org. 899 IN RRSIG SOA 7 1 900 20120304071611 20120212061611 55440 org.
M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=

;; Query time: 1371 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:49:02 2012
;; MSG SIZE rcvd: 258

As we can see, the DNSKEY and DS RR is missing which's mandatory for
this to be of any use. So where is it?


Well, the DS RR resides in the parent, not in the zone you're querying. 
 You need to ask for it explicitly.  Although DNSKEY records are in the 
actual zone you're querying, you still need to ask for them explicitly. 
 They're there; you just need to ask for them.




If I explicitly specify the name server to be one of the root nameservers -

dig +dnssec -t SOA org 198.41.0.4


[snip]

Your dig foo is a bit off today.  Remember, to explicitly specify a name 
server, you need to prepend the IP address with @.  You meant to say:


dig +dnssec -t SOA org @198.41.0.4

What you ended up getting is the RRSIG for the root SOA and for the NSEC 
record for '198.41.0.4', since that doesn't exist in DNS.


michael

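As an added example (not code from this thread), the piece of the chain that dig does not show on its own: how the DS in the parent is derived from the child's DNSKEY. The Python below computes the RFC 4034 key tag and the SHA-256 digest from a DNSKEY line and checks a DS line against it, which is the comparison a validator makes between the parent's DS RRset and the child's DNSKEY RRset. The DNSKEY is a constructed four-byte placeholder, not a usable key.

```python
import base64
import hashlib
import struct


def name_wire(name):
    """Canonical wire form of an owner name (lowercase, uncompressed), RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: ones-complement-style sum of the RDATA as 16-bit words."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner, rdata, digest_type=2):
    """RFC 4034 section 5.1.4: digest = hash(canonical owner name || DNSKEY RDATA)."""
    return DIGESTS[digest_type](name_wire(owner) + rdata).hexdigest().upper()


def ds_from_dnskey(dnskey_line, digest_type=2):
    """'owner [ttl] IN DNSKEY flags proto alg key...' -> 'owner IN DS tag alg dtype digest'."""
    f = dnskey_line.split()
    i = f.index("DNSKEY")
    owner, flags, proto, alg = f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))      # key may be split across words
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return (f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def ds_matches(ds_line, dnskey_line):
    """Does a DS as published in the parent match this DNSKEY from the child?
    Compares (key tag, algorithm, digest type, digest); owner and TTL are ignored."""
    def rdata_fields(line):
        f = line.split()
        i = f.index("DS")
        return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()
    dtype = rdata_fields(ds_line)[2]
    return rdata_fields(ds_line) == rdata_fields(ds_from_dnskey(dnskey_line, dtype))


if __name__ == "__main__":
    # Constructed DNSKEY: flags 257 (KSK), algorithm 13, key bytes 01 02 03 04 ("AQIDBA==").
    dnskey = "example.test. IN DNSKEY 257 3 13 AQIDBA=="
    ds = ds_from_dnskey(dnskey)
    print(ds)
    print("matches:", ds_matches(ds, dnskey))
```

Querying the parent for the DS and the child for the DNSKEY, then running ds_matches over every pair, is the manual version of what a validating resolver does at each delegation.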


Re: dig -- only RRSIG present.

2012-02-12 Thread Michael Sinatra

On 02/12/12 18:48, Mark Andrews wrote:


8.8.8.8 returns servfail for me.

Note a RFC 1035 caching server should be be able to resolve "dig ds org"
though it may not return the response from the parent zone.  It depends
on the cache state when the query is made.


Google seems to be okay at looking up DS records (when asked for them) 
for 2nd and 3rd level domains but not for TLDs.  Based on some 
experimentation with some obscure domains I own, it does seem to be 
properly querying the parent.  It just does the wrong thing for TLDs (at 
this point).


michael


Re: bind dies with assertion failure

2012-02-14 Thread Michael Graff
It is a known issue, and is indeed a bug.  We're working on it already, so stay 
tuned.

--Michael

On Feb 14, 2012, at 12:44 PM, Alex wrote:

> Hi,
> 
> I have a fedora16 x86_64 box and named keeps dying with an assertion failure:
> 
> 14-Feb-2012 13:24:41.137 general: critical: rbtdb.c:1619:
> INSIST(!((void *)((node)->deadlink.prev) != (void *)(-1))) failed
> 14-Feb-2012 13:24:41.137 general: critical: exiting (due to assertion failure)
> 
> This is bind-9.8.2-0.2.rc1.fc16.x86_64. Is this a known issue? Is this
> indeed a bug or perhaps something otherwise wrong with the server?
> 
> How can I troubleshoot this further?
> 
> Thanks,
> Alex
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



BIND 9.9.0rc3 is now available

2012-02-17 Thread Michael McNally
Introduction

   BIND 9.9.0rc3 is the third release candidate for BIND 9.9.0

   This document summarizes changes from BIND 9.8 to BIND 9.9.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found
   on our web site at http://www.isc.org/downloads/all. There
   you will find additional information about each release,
   source code, and pre-compiled versions for Microsoft Windows
   operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

 new in 9.9.0rc3
   no new security fixes have been added

New Features

 new in 9.9.0rc3
   no new features have been added

 previously included in 9.9.0rc2

   NXDOMAIN redirection is now possible. This enables a resolver
   to respond to a client with locally-configured information
   when a query would otherwise have gotten an answer of "no
   such domain". This allows a recursive nameserver to provide
   alternate suggestions for misspelled domain names.  Note that
   names that are in DNSSEC-signed domains are exempted from
   this when validation is in use. [RT #23146]

   Improved scalability by using multiple threads to listen for
   and process queries. Previously named only listened for queries
   on one thread regardless of the number of overall threads
   used. [RT #22992]

   Improves startup and reconfiguration time by allowing zones
   to load in multiple threads.  [RT #25333]

   Improves initial start-up and server reload time by increasing
   the default size of the hash table the configuration parser
   uses to keep track of loaded zones and allowing it to grow
   dynamically to better handle systems with large numbers of
   zones.  [RT #26523]

   Improves the startup time for an authoritative server with a
   large number of zones by making the zone task table of variable
   size rather than fixed size.  This means that authoritative
   servers with many zones will be serving that zone data much
   sooner. [RT #24406]

   The new "inline-signing" option, in combination with the
   "auto-dnssec" option that was introduced in BIND 9.7, allows
   named to sign zones completely transparently.  Previously
   automatic zone signing only worked on master zones that were
   configured to be dynamic; now, it works on any master or slave
   zone. In a master zone with inline signing, the zone is loaded
   from disk as usual, and a second copy of the zone is created
   to hold the signed version.  The original zone file is not
   touched; all comments remain intact.  When you edit the zone
   file and reload, named detects the incremental changes that
   have been made to the raw version of the zone, and applies
   those changes to the signed version, adding signatures as
   needed. A slave zone with inline signing works similarly,
   except that instead of loading the zone from disk and then
   signing it, the slave transfers the zone from a master server
   and then signs it.  This enables "bump in the wire" signing:
   a dedicated signing server acting as an intermediary between
   a hidden master server (which provides the raw zone data) and
   a set of publicly accessible slave servers (which only serve
   the signed data). [RT #26224/23657]

   "rndc flushtree " command removes the specified name
   and all names under it from the cache. [RT #19970]

   "rndc sync" command dumps pending changes in a dynamic zone
   to disk without a freeze/thaw cycle. "rndc sync -clean" removes
   the journal file after syncing. "rndc freeze" no longer removes
   journal files. [RT #22473]

   The new "rndc signing" command provides greater visibility
   and control of the automatic DNSSEC signing process.  Options
   to this new command include "-list " which will show
   the current state of signing operations overall or per specified
   zone. [RT #23729]

   The "also-notify" option now takes the same syntax as "masters",
   thus it can use named master lists and TSIG keys. [RT #23508]

   "auto-dnssec" zones can now have NSEC3 parameters set prior
   to signing. [RT #23684]

   The "dnssec-signzone -D" option causes dnssec-signzone to
   write DNSSEC data to a separate output file. This allows you
   to put "$INCLUDE example.com.signed" into the zonefile for
   example.com, run "dnssec-signzone -SD example.com", and the
   result is a fully signed zone which did *not* overwrite your
   original zone file. Running the same command again will
   incrementally re-sign the zone, replacing only those signatures
   that need updating, rather than signing the entire zone from
   scratch. [RT #22896]

   "dnssec-signzone -R" forces removal of signatures that are
   not expired but were created by 

bind public/private domain question

2012-02-21 Thread Marseglia, Michael
Hello,

  I'm looking for advice on an issue.  I have a publicly registered domain 
which we also use internally.  I have bind configured as a caching DNS server.  
Bind is configured to use four other Windows DNS servers as forwarders for the 
domain.  Bind should be using the root servers for anything not configured to 
forward.

  Bind replies with the correct name record when I perform a query using the 
fqdn for a machine.  However, the authority and additional portion of the query 
returns the root servers.

  The Windows DNS servers are returned if I perform a query for the NS records 
of the internal domain.

  Subsequent DNS queries using the fqdn show the appropriate, internal Windows 
DNS servers.

  I don't understand why BIND is attempting to resolve the private, internal 
domain using the root servers when I have a forwarders statement in my 
configuration file specifying our internal DNS servers.

  Is there an article that addresses this issue or can someone please point me 
to the correct resource so I can understand what is going on?


Thank you,

  Mike

RE: bind public/private domain question

2012-02-21 Thread Marseglia, Michael
                        3600    IN      NS      host-dc2.myDomain.org.
myDomain.org.           3600    IN      NS      host-dc2.subA.myDomain.org.
myDomain.org.           3600    IN      NS      host-dc1.subB.myDomain.org.
myDomain.org.           3600    IN      NS      host-dc1.myDomain.org.
myDomain.org.           3600    IN      NS      host-dc1.subA.myDomain.org.
myDomain.org.           3600    IN      NS      host-dc2.subB.myDomain.org.
myDomain.org.           3600    IN      NS      host-dc3.subB.myDomain.org.

;; ADDITIONAL SECTION:
host-dc1.myDomain.org.      2554    IN      A       1.1.1.1
host-dc2.myDomain.org.      3594    IN      A       2.2.2.2
host-dc4.myDomain.org.      3596    IN      A       3.3.3.3
host-dc1.subA.myDomain.org. 3502    IN      A       4.4.4.4
host-dc2.subA.myDomain.org. 3595    IN      A       5.5.5.5
host-dc1.subB.myDomain.org. 3591    IN      A       6.6.6.6
host-dc2.subB.myDomain.org. 2706    IN      A       7.7.7.7
host-dc3.subB.myDomain.org. 327     IN      A       8.8.8.8

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 15:21:07 2012
;; MSG SIZE  rcvd: 349


5. query localhost using the target's fqdn a second time
root@lookup1b:/etc/bind# dig host-dc1.myDomain.org

; <<>> DiG 9.7.0-P1 <<>> host-dc1.myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61403
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 7

;; QUESTION SECTION:
;host-dc1.myDomain.org.           IN  A

;; ANSWER SECTION:
host-dc1.myDomain.org.      2549  IN  A   1.1.1.1

;; AUTHORITY SECTION:
myDomain.org.               3595  IN  NS  host-dc2.subA.myDomain.org.
myDomain.org.               3595  IN  NS  host-dc1.myDomain.org.
myDomain.org.               3595  IN  NS  host-dc3.subB.myDomain.org.
myDomain.org.               3595  IN  NS  host-dc1.subA.myDomain.org.
myDomain.org.               3595  IN  NS  host-dc2.myDomain.org.
myDomain.org.               3595  IN  NS  host-dc1.subB.myDomain.org.
myDomain.org.               3595  IN  NS  host-dc4.myDomain.org.
myDomain.org.               3595  IN  NS  host-dc2.subB.myDomain.org.

;; ADDITIONAL SECTION:
host-dc2.myDomain.org.      3589  IN  A   2.2.2.2
host-dc4.myDomain.org.      3591  IN  A   3.3.3.3
host-dc1.subA.myDomain.org. 3497  IN  A   4.4.4.4
host-dc2.subA.myDomain.org. 3590  IN  A   5.5.5.5
host-dc1.subB.myDomain.org. 3586  IN  A   6.6.6.6
host-dc2.subB.myDomain.org. 2701  IN  A   7.7.7.7
host-dc3.subB.myDomain.org. 322   IN  A   8.8.8.8

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 15:21:12 2012
;; MSG SIZE  rcvd: 349

To answer your questions:
The Windows DNS servers should be authoritative for the Active Directory 
domain.  host-dc1.myDomain.org and host-dc2.myDomain.org are two of the NS 
servers.
The zone "myDomain.org" is Active Directory integrated.
The Windows DNS servers' forwarding configuration is to use opendns and if that 
fails resort to the root hints.
The Forward Lookup Zones for "myDomain.org" contains 99% private addresses.  
There are one or two external addresses, for www.myDomain.org, which are hosted 
outside the private network.

Also, when I query host-dc1 directly I get the following answer.  I notice 
there is no additional or authority section but I don't know why.
dig host-dc1.myDomain.org @host-dc1.myDomain.org
; <<>> DiG 9.7.0-P1 <<>> host-dc1.myDomain.org @host-dc1.myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10793
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;host-dc1.myDomain.org.           IN  A

;; ANSWER SECTION:
host-dc1.myDomain.org.      3600  IN  A   1.1.1.1

;; Query time: 0 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Feb 21 16:03:35 2012
;; MSG SIZE  rcvd: 56


I don't understand why I get the root servers at step 3.  Sometimes when I 
perform these steps I will get the external DNS servers returned as the name 
servers or in the authoritative section.

Thank you,

  Mike

-Original Message-
From: Spain, Dr. Jeffry A. [mailto:spa...@countryday.net] 
Sent: Tuesday, February 21, 2012 3:15 PM
To: Marseglia, Michael
Cc: bind-users@lists.isc.org
Subject: RE: bind public/private domain question

> I'm looking for advice on an issue.  I have a publicly registered domain 
> which we also use internally.  I have bind configured as a caching DNS 
> server.  Bind is configured to use four other Windows DNS servers as 
> forwarders for the domain.  Bind should be using the root servers for 
> anything not configured to forward.

I'm having difficulty understanding your configuration. Would you please 
provide relevant portions of your bind configuration files and some 
configuration details for your Windows DNS servers. In particular with regard 
t
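
As an added illustration for this thread (not code from either poster), the Python helper below parses dig output of the kind shown above and reports what the AUTHORITY section points at: the root servers (owner "."), name servers inside the internal zone, or a mix. That distinction is the quickest way to tell whether a given cached answer came through the forwarders or through normal recursion from the root hints, which is what named falls back to under the default `forward first` when the forwarders do not answer; `forward only` disables that fallback. The two sample responses are constructed for the example (the internal zone and host names are the ones used in the thread); everything else is assumed.

```python
import re

# Constructed dig output, modelled on the transcripts in this thread: a cached
# answer for which named followed the delegation from the root hints.
SAMPLE_ROOT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;host-dc1.myDomain.org.\t\tIN\tA

;; ANSWER SECTION:
host-dc1.myDomain.org.\t2549\tIN\tA\t1.1.1.1

;; AUTHORITY SECTION:
.\t3600\tIN\tNS\ta.root-servers.net.
.\t3600\tIN\tNS\tb.root-servers.net.
.\t3600\tIN\tNS\tc.root-servers.net.

;; Query time: 7 msec
"""

# Constructed dig output for the same name answered through the internal
# forwarders (the shape of "step 5" above, shortened).
SAMPLE_INTERNAL = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;host-dc1.myDomain.org.\t\tIN\tA

;; ANSWER SECTION:
host-dc1.myDomain.org.\t2549\tIN\tA\t1.1.1.1

;; AUTHORITY SECTION:
myDomain.org.\t3595\tIN\tNS\thost-dc1.myDomain.org.
myDomain.org.\t3595\tIN\tNS\thost-dc2.myDomain.org.

;; ADDITIONAL SECTION:
host-dc1.myDomain.org.\t2549\tIN\tA\t1.1.1.1
host-dc2.myDomain.org.\t3589\tIN\tA\t2.2.2.2
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
ROOT_NS_RE = re.compile(r"^[a-m]\.root-servers\.net\.$")


def parse_sections(text):
    """Split dig output into {section: [(owner, ttl, type, rdata), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if not stripped:            # a blank line ends the current section
            current = None
            continue
        if current is None or stripped.startswith(";"):
            continue                # header/footer chatter and the ';' question line
        fields = stripped.split()
        if len(fields) < 5:
            continue
        owner, ttl, _cls, rtype = fields[:4]
        rdata = " ".join(fields[4:]).lower()
        sections[current].append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return sections


def authority_ns(text):
    """NS targets listed in the AUTHORITY section, lower-cased, in order."""
    return [rd for _o, _t, rtype, rd in parse_sections(text).get("AUTHORITY", [])
            if rtype == "NS"]


def authority_zones(text):
    """Owner names of the AUTHORITY NS records: '.' means the root hints were used."""
    return {o for o, _t, rtype, _r in parse_sections(text).get("AUTHORITY", [])
            if rtype == "NS"}


def classify_authority(text, internal_zone):
    """'root-servers', 'internal', 'mixed' or 'none', judged by the AUTHORITY NS targets."""
    ns = authority_ns(text)
    if not ns:
        return "none"
    zone = internal_zone.lower().rstrip(".") + "."
    if all(ROOT_NS_RE.match(n) for n in ns):
        return "root-servers"
    if all(n == zone or n.endswith("." + zone) for n in ns):
        return "internal"
    return "mixed"


if __name__ == "__main__":
    for label, sample in (("root", SAMPLE_ROOT), ("internal", SAMPLE_INTERNAL)):
        print(label, classify_authority(sample, "myDomain.org"), authority_zones(sample))
```

Feed it the output of `dig <name>` against the caching server; a result of "root-servers" for a name under the internal zone means that particular answer was not obtained via the forwarders.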

BIND 9.9.0rc4 is now available

2012-02-23 Thread Michael McNally
Introduction

   BIND 9.9.0rc4 is the fourth release candidate for BIND 9.9.0

   This document summarizes changes from BIND 9.8 to BIND 9.9.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found
   on our web site at http://www.isc.org/downloads/all. There
   you will find additional information about each release,
   source code, and pre-compiled versions for Microsoft Windows
   operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

 new in 9.9.0rc4
   no new security fixes have been added

New Features

 new in 9.9.0rc4
   no new features have been added

 previously included in 9.9.0rc3

   NXDOMAIN redirection is now possible. This enables a resolver
   to respond to a client with locally-configured information
   when a query would otherwise have gotten an answer of "no
   such domain". This allows a recursive nameserver to provide
   alternate suggestions for misspelled domain names.  Note that
   names that are in DNSSEC-signed domains are exempted from
   this when validation is in use. [RT #23146]

   Improved scalability by using multiple threads to listen for
   and process queries. Previously named only listened for queries
   on one thread regardless of the number of overall threads
   used. [RT #22992]

   Improves startup and reconfiguration time by allowing zones
   to load in multiple threads.  [RT #25333]

   Improves initial start-up and server reload time by increasing
   the default size of the hash table the configuration parser
   uses to keep track of loaded zones and allowing it to grow
   dynamically to better handle systems with large numbers of
   zones.  [RT #26523]

   Improves the startup time for an authoritative server with a
   large number of zones by making the zone task table of variable
   size rather than fixed size.  This means that authoritative
   servers with many zones will be serving that zone data much
   sooner. [RT #24406]

   The new "inline-signing" option, in combination with the
   "auto-dnssec" option that was introduced in BIND 9.7, allows
   named to sign zones completely transparently.  Previously
   automatic zone signing only worked on master zones that were
   configured to be dynamic; now, it works on any master or slave
   zone. In a master zone with inline signing, the zone is loaded
   from disk as usual, and a second copy of the zone is created
   to hold the signed version.  The original zone file is not
   touched; all comments remain intact.  When you edit the zone
   file and reload, named detects the incremental changes that
   have been made to the raw version of the zone, and applies
   those changes to the signed version, adding signatures as
   needed. A slave zone with inline signing works similarly,
   except that instead of loading the zone from disk and then
   signing it, the slave transfers the zone from a master server
   and then signs it.  This enables "bump in the wire" signing:
   a dedicated signing server acting as an intermediary between
   a hidden master server (which provides the raw zone data) and
   a set of publicly accessible slave servers (which only serve
   the signed data). [RT #26224/23657]

   "rndc flushtree <name>" command removes the specified name
   and all names under it from the cache. [RT #19970]

   "rndc sync" command dumps pending changes in a dynamic zone
   to disk without a freeze/thaw cycle. "rndc sync -clean" removes
   the journal file after syncing. "rndc freeze" no longer removes
   journal files. [RT #22473]

   The new "rndc signing" command provides greater visibility
   and control of the automatic DNSSEC signing process.  Options
   to this new command include "-list <zone>" which will show
   the current state of signing operations overall or per specified
   zone. [RT #23729]

   The "also-notify" option now takes the same syntax as "masters",
   thus it can use named master lists and TSIG keys. [RT #23508]

   "auto-dnssec" zones can now have NSEC3 parameters set prior
   to signing. [RT #23684]

   The "dnssec-signzone -D" option causes dnssec-signzone to
   write DNSSEC data to a separate output file. This allows you
   to put "$INCLUDE example.com.signed" into the zonefile for
   example.com, run "dnssec-signzone -SD example.com", and the
   result is a fully signed zone which did *not* overwrite your
   original zone file. Running the same command again will
   incrementally re-sign the zone, replacing only those signatures
   that need updating, rather than signing the entire zone from
   scratch. [RT #22896]

   "dnssec-signzone -R" forces removal of signatures that are
   not expired but were created by

BIND 9.9.0 is now available

2012-02-29 Thread Michael McNally
Introduction

   BIND 9.9.0 is the first production release of BIND 9.9.

   This document summarizes changes from BIND 9.8 to BIND 9.9.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found
   on our web site at http://www.isc.org/downloads/all. There
   you will find additional information about each release,
   source code, and pre-compiled versions for Microsoft Windows
   operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

New Features

   The new "inline-signing" option, in combination with the
   "auto-dnssec" option that was introduced in BIND 9.7, allows
   named to sign zones completely transparently.  Previously
   automatic zone signing only worked on master zones that were
   configured to be dynamic; now, it works on any master or slave
   zone. In a master zone with inline signing, the zone is loaded
   from disk as usual, and a second copy of the zone is created
   to hold the signed version.  The original zone file is not
   touched; all comments remain intact.  When you edit the zone
   file and reload, named detects the incremental changes that
   have been made to the raw version of the zone, and applies
   those changes to the signed version, adding signatures as
   needed. A slave zone with inline signing works similarly,
   except that instead of loading the zone from disk and then
   signing it, the slave transfers the zone from a master server
   and then signs it.  This enables "bump in the wire" signing:
   a dedicated signing server acting as an intermediary between
   a hidden master server (which provides the raw zone data) and
   a set of publicly accessible slave servers (which only serve
   the signed data). [RT #26224/23657]

   NXDOMAIN redirection is now possible. This enables a resolver
   to respond to a client with locally-configured information
   when a query would otherwise have gotten an answer of "no
   such domain". This allows a recursive nameserver to provide
   alternate suggestions for misspelled domain names.  Note that
   names that are in DNSSEC-signed domains are exempted from
   this when validation is in use. [RT #23146]

   "rndc flushtree <name>" command removes the specified name
   and all names under it from the cache. [RT #19970]

   "rndc sync" command dumps pending changes in a dynamic zone
   to disk without a freeze/thaw cycle. "rndc sync -clean" removes
   the journal file after syncing. "rndc freeze" no longer removes
   journal files. [RT #22473]

   The new "rndc signing" command provides greater visibility
   and control of the automatic DNSSEC signing process.  Options
   to this new command include "-list <zone>" which will show
   the current state of signing operations overall or per specified
   zone. [RT #23729]

   "auto-dnssec" zones can now have NSEC3 parameters set prior
   to signing. [RT #23684]

   Improves the startup time for an authoritative server with a
   large number of zones by making the zone task table of variable
   size rather than fixed size.  This means that authoritative
   servers with many zones will be serving that zone data much
   sooner. [RT #24406]

   Improves scalability by using multiple threads to listen for
   and process queries. Previously named only listened for queries
   on one thread regardless of the number of overall threads
   used. [RT #22992]

   Improves startup and reconfiguration time by allowing zones
   to load in multiple threads.  [RT #25333]

   Improves initial start-up and server reload time by increasing
   the default size of the hash table the configuration parser
   uses to keep track of loaded zones and allowing it to grow
   dynamically to better handle systems with large numbers of
   zones.  [RT #26523]

   The "also-notify" option now takes the same syntax as "masters",
   thus it can use named master lists and TSIG keys. [RT #23508]

   The "dnssec-signzone -D" option causes dnssec-signzone to
   write DNSSEC data to a separate output file. This allows you
   to put "$INCLUDE example.com.signed" into the zonefile for
   example.com, run "dnssec-signzone -SD example.com", and the
   result is a fully signed zone which did *not* overwrite your
   original zone file. Running the same command again will
   incrementally re-sign the zone, replacing only those signatures
   that need updating, rather than signing the entire zone from
   scratch. [RT #22896]

   "dnssec-signzone -R" forces removal of signatures that are
   not expired but were created by a key which no longer exists.
   [RT #22471]

   "dnssec-signzone -X" option allows signatures on DNSKEY records
   to have a different expiration date from other sig

Re: More than 4k TXT entries

2012-02-29 Thread Michael Graff
more than 4k will exceed the default settings for EDNS0 UDP responses.

If you dig @ your server, with +tcp, do you get a reply?  If not, perhaps you 
are not allowing TCP connections to port 53?

What error you are getting may be of help.

--Michael

On Feb 29, 2012, at 1:20 PM, Darvin Denmian wrote:

> Hi
> 
> I would like to know if there is some limitation in Bind regarding:
> 
>   - Max number of TXT entries for a specific domain
> or
>   - Max size of a zone file
> 
> I'm asking this because one of the domains configured in my Bind
> server has more than 4k TXT entries and its zone file has more than
> 400KB.
> 
> So my problem is
> 
> When I perform a DNS query, requesting the last TXT entries that I've
> added, I receive no answer from my Bind server.
> 
> Do you have some idea of what is happening?
> 
> I hope you can help me and understand my Brazilian English :p .



Re: More than 4k TXT entries

2012-02-29 Thread Michael Graff
Actually, no, there isn't enough information in your reply to help you debug.

Please issue, from a machine not your DNS server:

$ dig @your-server-address +tcp domain.name TXT

A TXT record has a maximum length of around 64k per TXT record, and each part 
of the text record can be 255 bytes, if memory serves.  However, this is well 
beyond practical limits.

The size of the zone is not really important compared to the size of the 
individual TXT record at a specific name.  There is no maximum that spreads 
across names, but there are practical limits.

If you just have a long string of TXT records, each at its own name like in 
your example, you should not be running into problems.

--Michael


On Feb 29, 2012, at 1:48 PM, Darvin Denmian wrote:

> Hi,
> 
> Graff, thanks for your reply...
> 
> As you can see below my server is accepting DNS connections:
> 
> ACCEPT udp  --  anywhere  anywhere  udp dpt:domain
> ACCEPT tcp  --  anywhere  anywhere  tcp dpt:domain
> 
> and the service is up and running:
> 
> # netstat -ntplu | grep -i named
> tcp  0  0 XXX.XXX.XX.XXX:53  0.0.0.0:*  LISTEN  7547/named
> tcp  0  0 XXX.XXX.XX.XXX:53  0.0.0.0:*  LISTEN  7547/named
> tcp  0  0 127.0.0.1:953      0.0.0.0:*  LISTEN  7547/named
> udp  0  0 XXX.XXX.XX.XXX:53  0.0.0.0:*          7547/named
> udp  0  0 XXX.XXX.XX.XXX:53  0.0.0.0:*          7547/named
> 
> The zone file is composed of a lot of TXT records...below a small
> piece of the file:
> 
> spf_1 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> spf_10001 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> spf_10003 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> spf_10004 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> spf_10008 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> ...
> spf_16416 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> spf_16417 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> spf_16418 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> spf_16419 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> spf_16420 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> 
> I hope this information can help you to help me :)
> 
> Regards!
> 
> 
> On Wed, Feb 29, 2012 at 4:25 PM, Michael Graff  wrote:
>> more than 4k will exceed the default settings for EDNS0 UDP responses.
>> 
>> If you dig @ your server, with +tcp, do you get a reply?  If not, perhaps 
>> you are not allowing TCP connections to port 53?
>> 
>> What error you are getting may be of help.
>> 
>> --Michael
>> 
>> On Feb 29, 2012, at 1:20 PM, Darvin Denmian wrote:
>> 
>>> Hi
>>> 
>>> I would like to know if there is some limitation in Bind regarding:
>>> 
>>>   - Max number of TXT entries for a specific domain
>>> or
>>>   - Max size of a zone file
>>> 
>>> I'm asking this because one of the domains configured in my Bind
>>> server has more than 4k TXT entries and its zone file has more than
>>> 400KB.
>>> 
>>> So my problem is
>>> 
>>> When I perform a DNS query, requesting the last TXT entries that I've
>>> added, I receive no answer from my Bind server.
>>> 
>>> Do you have some idea of what is happening?
>>> 
>>> I hope you can help me and understand my Brazilian English :p .
>> 

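
The two limits Michael Graff describes above (255 bytes per TXT string, and the size of the RRset at a single name deciding whether the answer still fits in a UDP reply) can be checked from the zone file before anything is served. The Python below is an added example, not code from this thread or from ISC: it parses TXT records in the shape of the SPF excerpt, flags any string over 255 bytes (which named refuses to load), estimates the wire size of the TXT answer at each name, and says whether that answer fits plain DNS/UDP (512 bytes), a default 4096-byte EDNS0 UDP reply, or needs TCP. The zone excerpt, the `example.net.` origin and the 192.0.2.0/24 documentation addresses are constructed for the example.

```python
import re

# Constructed zone excerpt in the shape of the SPF records quoted in this
# thread; 192.0.2.0/24 is a documentation range and the names are made up.
ZONE_LINES = [
    'spf_1     900 IN TXT "v=spf1 ip4:192.0.2.0/28 ip4:192.0.2.40 ?all"',
    'spf_10001 900 IN TXT "v=spf1 ip4:192.0.2.0/28 ip4:192.0.2.41 ?all"',
    # one <character-string> over 255 bytes: named refuses to load this
    'big       900 IN TXT "' + "a" * 300 + '"',
] + [
    # ten 200-byte TXT records at a single name
    'mid  900 IN TXT "%s"' % ("m%02d-" % i + "m" * 196) for i in range(10)
] + [
    # thirty 200-byte TXT records at a single name
    'many 900 IN TXT "%s"' % ("n%02d-" % i + "n" * 196) for i in range(30)
]

TXT_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+(.+)$', re.IGNORECASE)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one quoted <character-string>


def parse_txt_records(lines):
    """{owner: [[string, ...], ...]} for the TXT records in a zone-file excerpt."""
    records = {}
    for line in lines:
        m = TXT_RE.match(line.strip())
        if not m:
            continue
        owner, _ttl, rdata = m.groups()
        records.setdefault(owner.lower(), []).append(STRING_RE.findall(rdata))
    return records


def oversize_strings(records):
    """(owner, length) for every TXT string longer than the 255-byte limit."""
    return [(owner, len(s.encode()))
            for owner, rrs in records.items()
            for strings in rrs
            for s in strings
            if len(s.encode()) > 255]


def wire_name_len(name):
    """Uncompressed wire length of a domain name (label bytes plus the root label)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def rrset_response_size(qname, rrs):
    """Bytes needed to answer <qname> TXT with the whole RRset, without an OPT record."""
    size = 12 + wire_name_len(qname) + 4            # header + question (name, QTYPE, QCLASS)
    for strings in rrs:
        rdata = sum(1 + len(s.encode()) for s in strings)   # length byte per string
        size += 2 + 2 + 2 + 4 + 2 + rdata            # name pointer, TYPE, CLASS, TTL, RDLENGTH
    return size


def transport_needed(size, edns_udp_size=4096):
    """Which transport can carry a response of this size without truncation."""
    if size <= 512:
        return "udp"            # fits classic DNS over UDP
    if size <= edns_udp_size:
        return "edns0-udp"      # fits only if the client advertises a large enough EDNS0 buffer
    return "tcp"                # truncated over UDP; the client must retry over TCP


def classify_zone(records, origin):
    """{owner: transport} for every TXT RRset, with owners taken relative to origin."""
    return {owner: transport_needed(rrset_response_size(owner + "." + origin, rrs))
            for owner, rrs in records.items()}


RECORDS = parse_txt_records(ZONE_LINES)

if __name__ == "__main__":
    print("oversize:", oversize_strings(RECORDS))
    print("transport:", classify_zone(RECORDS, "example.net."))
```

Names that come out as "tcp" are the ones that will only answer with `dig +tcp` (or after the client's own TC retry), which is the check suggested earlier in the thread; names that come out as "edns0-udp" depend on the querying resolver sending EDNS0 and on UDP fragments not being dropped in between.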


BIND 9.6-ESV-R6rc2 is now available

2012-03-13 Thread Michael McNally
Introduction

  BIND 9.6-ESV-R6rc2 is the second release candidate for BIND 9.6-ESV-R6.

  This document summarizes changes from BIND 9.6-ESV-R5 to BIND
  9.6-ESV-R6rc2.  Please see the CHANGES file in the source code
  release for a complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

 Previously included in 9.6-ESV-R6rc1

  + BIND 9 nameservers performing recursive queries could cache an
invalid record and subsequent queries for that record could
crash the resolvers with an assertion failure. [RT #26590]
[CVE-2011-4313]

Feature Changes

 Previously included in 9.6-ESV-R6rc1

  + Improves initial start-up and server reload time by increasing
the default size of the hash table the configuration parser
uses to keep track of loaded zones and allowing it to grow
dynamically to better handle systems with large numbers of
zones.  [RT #26523]

  + --enable-developer, a new composite argument to the configure
script, enables a set of build options normally disabled but
frequently selected in test or development builds, specifically:
enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

 Newly added in 9.6-ESV-R6rc2

  + Corrects a potential overflow problem in the computation of
RRSIG expiration times. [RT #23311]

  + The maximum number of NSEC3 iterations for a DNSKEY RRset was
not being properly computed.  [RT #26543]

  + Error reporting has been improved for failures encountered
when sending or receiving network packets.  In particular
some memory allocation failures were being logged as "unexpected
error" - these will now be reported accurately.  A new
ISC_R_UNSET result code has also been added to cover those
situations where there is no error code returned by the OS
sockets implementation.  [RT #27336]

  + Corrects an INSIST failure by addressing race conditions in
the handling of rbtnode.deadlink. [RT #27738]

  + SOA refresh queries could be treated as cancelled despite
succeeding over the loopback interface. [RT #27782]

  + When replacing an NS RRset, BIND now restricts the TTL of the
new NS RRset to no more than that of the NS RRset it replaces
to fix a timing problem that can arise when removing a delegation. 
[RT #27792/27884]

  + Raw zones with more than 512 records in a RRset previously
failed to load. [RT #27863]

 Previously included in 9.6-ESV-R6rc1

  + Some query patterns could cause responses not to be returned
in cyclic order though "rrset-order cyclic" was set.  [RT
#27170/27185]

  + named-compilezone no longer emits "dump zone to " message
when writing to stdout.  [RT #27109]

  + Sets isc_socket_ipv6only() on the IPv6 control channels.  This
addresses IPv6 socket binding problems that can occur in some
configurations when bindv6only=1 is set globally.   [RT #22249]

  + named now reports a syntax error when a TXT record longer than
255 characters is configured.  [RT #26956]

  + Addresses race conditions in the resolver code that can cause
named to abort.   [RT #26889]

  + Fixed a bug that could cause named to crash while loading a
zone with invalid DNSKEY records.  [RT #26913]

  + Prevents dig -6 +trace from terminating with an error when
encountering a root nameserver without an AAAA record. [RT #26906]

  + An unusual corner-case buffer handling issue in zone transfers
is corrected.  The symptom was that zones that contain record
types that do not compress when converted to wire format could
fail to transfer.  [RT #26796]

  + Addresses a selection of minor resource leaks (that were
identified via code checking tools but which have not been
reported from any production environments).  [RT #26624]

  + Fixed a corner case race condition in the validator that may
cause an assert in a multi-threaded build of BIND.  [RT #26478]

  + named now correctly validates DNSSEC positive wildcard responses
from NSEC3 signed zones. [RT #26200]

  + The order in which we process the reactivation of a dead node
in cache and the incrementing of its reference count created a
small timing window during which an inconsistency could be
detected and an a

BIND 9.7.5rc2 is now available

2012-03-13 Thread Michael McNally
Introduction

  BIND 9.7.5rc2 is the second release candidate for BIND 9.7.5.

  This document summarizes changes from BIND 9.7.4 to BIND 9.7.5rc2.
  Please see the CHANGES file in the source code release for a
  complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

 Previously included in 9.7.5rc1

  + BIND 9 nameservers performing recursive queries could cache an
invalid record and subsequent queries for that record could
crash the resolvers with an assertion failure. [RT #26590]
[CVE-2011-4313]

Feature Changes

 Previously included in 9.7.5rc1

  + It is now possible to explicitly disable DLV in named.conf by
specifying "dnssec-lookaside no;". This is the default, but the
ability to configure it makes it clearly visible to administrators.
[RT #24858]

  + --enable-developer, a new composite argument to the configure
script, enables a set of build options normally disabled but
frequently selected in test or development builds, specifically:
enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

 Newly added in 9.7.5rc2

  + Corrects a potential overflow problem in the computation of
RRSIG expiration times. [RT #23311]

  + The maximum number of NSEC3 iterations for a DNSKEY RRset was
not being properly computed.  [RT #26543]

  + Error reporting has been improved for failures encountered
when sending or receiving network packets.  In particular
some memory allocation failures were being logged as "unexpected
error" - these will now be reported accurately.  A new
ISC_R_UNSET result code has also been added to cover those
situations where there is no error code returned by the OS
sockets implementation.  [RT #27336]

  + Corrects an INSIST failure by addressing race conditions in
the handling of rbtnode.deadlink. [RT #27738]

  + SOA refresh queries could be treated as cancelled despite
succeeding over the loopback interface. [RT #27782]

  + When replacing an NS RRset, BIND now restricts the TTL of the
new NS RRset to no more than that of the NS RRset it replaces
to fix a timing problem that can arise when removing a delegation.
[RT #27792/27884]

  + Raw zones with more than 512 records in a RRset previously
failed to load. [RT #27863]

  + Make sure automatic key maintenance is started when "rndc reconfig" 
is issued if "auto-dnssec maintain" is turned on. [RT #26805]

  + Windows builds are now restricted to a single listener thread
until incompatibility with the multiple listeners code can be
addressed [RT #27696]

  + AAAA responses could be returned in the additional section even
when filter-aaaa-on-v4 was in use. [RT #27292]

 Previously included in 9.7.5rc1

  + Some query patterns could cause responses not to be returned
in cyclic order though "rrset-order cyclic" was set.  [RT
#27170/27185]

  + named-compilezone no longer emits "dump zone to " message
when writing to stdout.  [RT #27109]

  + Sets isc_socket_ipv6only() on the IPv6 control channels.  This
addresses IPv6 socket binding problems that can occur in some
configurations when bindv6only=1 is set globally.   [RT #22249]

  + named now reports a syntax error when a TXT record longer than
255 characters is configured.  [RT #26956]

  + Addresses race conditions in the resolver code that can cause
named to abort.   [RT #26889]

  + Fixed a bug that could cause named to crash while loading a
zone with invalid DNSKEY records.  [RT #26913]

  + Prevents dig -6 +trace from terminating with an error when
encountering a root nameserver without an AAAA record. [RT #26906]

  + Prevents DNSKEY state change events from being missed by ensuring
that the timestamps used to determine which keys are in use are
set appropriately.  [RT #26874]

  + When processing a list of keys, named now consistently compares
them with the same timestamp. [RT #26883]

  + Fixed a corner case race condition in the validator that may
cause an assert in a multi-threaded build of BIND.  [RT #26478]

  + Poor error handling could cause named to hang during shutdown.
[RT #26372]

  + named now correctly validates DNSSEC positive wildcard responses
from NSEC3 signed zones. [RT #26200]

  + The order in which we process the rea

BIND 9.8.2rc2 is now available

2012-03-13 Thread Michael McNally
Introduction
 
  BIND 9.8.2rc2 is the second release candidate for BIND 9.8.2.

  This document summarizes changes from BIND 9.8.1 to BIND 9.8.2rc2.
  Please see the CHANGES file in the source code release for a complete
  list of all changes.

Download
   
  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options. Free
  support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

 Previously included in 9.8.2rc1

  + BIND 9 nameservers performing recursive queries could cache an
invalid record and subsequent queries for that record could
crash the resolvers with an assertion failure. [RT #26590]
[CVE-2011-4313]

Feature Changes

 Newly added in 9.8.2rc2

  + RPZ implementation now conforms to version 3 of the specification.
[RT #27316] 

 Previously included in 9.8.2rc1

  + It is now possible to explicitly disable DLV in named.conf by
specifying "dnssec-lookaside no;". This is the default, but the
ability to configure it makes it clearly visible to administrators.
[RT #24858]

  + --enable-developer, a new composite argument to the configure
script, enables a set of build options normally disabled but
frequently selected in test or development builds, specifically:
enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

 Newly added in 9.8.2rc2

  + Corrects a potential overflow problem in the computation of
RRSIG expiration times. [RT #23311]

  + The maximum number of NSEC3 iterations for a DNSKEY RRset was
not being properly computed.  [RT #26543]

  + Error reporting has been improved for failures encountered
when sending or receiving network packets.  In particular
some memory allocation failures were being logged as "unexpected
error" - these will now be reported accurately.  A new
ISC_R_UNSET result code has also been added to cover those
situations where there is no error code returned by the OS
sockets implementation.  [RT #27336]

  + Corrects an INSIST failure by addressing race conditions in
the handling of rbtnode.deadlink. [RT #27738]

  + SOA refresh queries could be treated as cancelled despite
succeeding over the loopback interface. [RT #27782]

  + When replacing an NS RRset, BIND now restricts the TTL of the
new NS RRset to no more than that of the NS RRset it replaces
to fix a timing problem that can arise when removing a delegation.
[RT #27792/27884]

  + Raw zones with more than 512 records in a RRset previously
failed to load. [RT #27863]

  + Make sure automatic key maintenance is started when "rndc reconfig"
is issued if "auto-dnssec maintain" is turned on. [RT #26805]

  + Windows builds are now restricted to a single listener thread
until incompatibility with the multiple listeners code can be
addressed [RT #27696]

  + AAAA responses could be returned in the additional section even
when filter-aaaa-on-v4 was in use. [RT #27292]

  + An error handling an out of memory condition could cause a stored
rdataset to be freed twice using DNS64. [RT #27762]

 Previously included in 9.8.2rc1

  + Some query patterns could cause responses not to be returned
in cyclic order though "rrset-order cyclic" was set.  [RT
#27170/27185]

  + named-compilezone no longer emits the "dump zone to " message
when writing to stdout.  [RT #27109]

  + Sets isc_socket_ipv6only() on the IPv6 control channels.  This
addresses IPv6 socket binding problems that can occur in some
configurations when bindv6only=1 is set globally.   [RT #22249]

  + named now reports a syntax error when a TXT record longer than
255 characters is configured.  [RT #26956]

  + Addresses race conditions in the resolver code that can cause
named to abort.   [RT #26889]

  + Fixed a bug that could cause named to crash while loading a
zone with invalid DNSKEY records.  [RT #26913]

  + Prevents dig -6 +trace from terminating with an error when
encountering a root nameserver without an AAAA record. [RT #26906]

  + Prevents DNSKEY state change events from being missed by ensuring
that the timestamps used to determine which keys are in use are
set appropriately.  [RT #26874]

  + When processing a list of keys, named now consistently compares
them with the same timestamp. [RT #26883]

  + Fixed a corner case race condition in the validator that may
cause an assert in a multi-threaded build of

Re: zone transfer with DIG: SOA duplicate

2012-03-19 Thread Michael Sinatra

On 03/19/12 10:33, hugo hugoo wrote:

Dear all,

I have this strange behaviour when I do a zone transfer with the
following command:

dig @name_server zone_name AXFR


==> I received 2 SOA records (duplicates).

One SOA record is at the end of the received information.


Is this normal?


Yes.

In recent versions of dig, you can use the following option, as 
documented in the man page:


   +[no]onesoa
       Print only one (starting) SOA record when performing an AXFR. The
       default is to print both the starting and ending SOA records.


michael
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
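The second SOA is the transfer's end marker rather than a duplicate, so a checker can use it to confirm that the transfer completed. As an added example that is not part of the original post (and not dig's own code), the Python below parses dig-style AXFR output and checks the RFC 5936 framing; the sample transfer for the example.test zone is constructed.

```python
"""Framing check for a zone transfer as printed by dig.

RFC 5936 frames an AXFR with the zone's SOA at the start and the same SOA
again at the end, which is why `dig @server zone AXFR` shows two SOA lines
unless +onesoa is given.  Rather than treating the second SOA as a
duplicate, this checker uses it to confirm the transfer is complete.
Added example, not from the original post; the sample transfer below is
constructed for the example.test zone.
"""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_AXFR = """\
example.test.       3600 IN SOA ns1.example.test. hostmaster.example.test. 2012031901 7200 900 1209600 3600
example.test.       3600 IN NS  ns1.example.test.
example.test.       3600 IN NS  ns2.example.test.
ns1.example.test.   3600 IN A   192.0.2.1
ns2.example.test.   3600 IN A   192.0.2.2
www.example.test.    300 IN A   192.0.2.10
example.test.       3600 IN SOA ns1.example.test. hostmaster.example.test. 2012031901 7200 900 1209600 3600
"""


@dataclass
class Record:
    owner: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def parse_dig_lines(text: str) -> List[Record]:
    """Parse dig-style presentation lines; comment and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append(Record(owner.lower(), int(ttl), rclass.upper(),
                              rtype.upper(), rdata))
    return records


def soa_serial(rdata: str) -> int:
    """SOA rdata is: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    return int(rdata.split()[2])


def check_axfr_framing(records: List[Record], zone: str) -> dict:
    """Verify the opening/closing SOA framing of an AXFR and flag anomalies."""
    apex = zone.lower().rstrip(".") + "."
    problems: List[str] = []
    if not records:
        return {"ok": False, "soa_count": 0, "serial": None,
                "problems": ["empty transfer"]}
    first, last = records[0], records[-1]
    soas = [r for r in records if r.rtype == "SOA"]
    serial: Optional[int] = None

    if first.rtype != "SOA":
        problems.append("transfer does not start with an SOA record")
    else:
        serial = soa_serial(first.rdata)
        if first.owner != apex:
            problems.append(f"opening SOA owner {first.owner} is not the apex {apex}")

    if len(soas) == 1:
        # Either dig was run with +onesoa, or the transfer was cut short.
        problems.append("only one SOA seen: transfer may be truncated (or +onesoa used)")
    elif last.rtype != "SOA":
        problems.append("transfer does not end with an SOA record")
    elif serial is not None and soa_serial(last.rdata) != serial:
        problems.append("opening and closing SOA serials differ")

    if len(soas) > 2:
        problems.append(f"{len(soas)} SOA records seen; exactly 2 expected")

    for r in records:
        if r.owner != apex and not r.owner.endswith("." + apex):
            problems.append(f"out-of-zone record {r.owner} {r.rtype}")

    return {"ok": not problems, "soa_count": len(soas),
            "serial": serial, "problems": problems}
```

Feed it the record lines from `dig @server zone AXFR` (without +onesoa); a transfer that ends without the closing SOA, whose two serials differ, or that carries out-of-zone records is reported instead of being silently accepted.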


Re: Name Resolution issue with one domain

2012-03-19 Thread Michael Sinatra

On 03/19/12 13:28, babu dheen wrote:

Dear Support,
I am trying to resolve www.dubaiairport.com from my GW BIND server as below. But not
getting any output
$ dig A www.dubaiairport.com
; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
;; global options: printcmd
;; connection timed out; no servers could be reached
Whereas, when I try through dubaiairport.com NS, I am getting the
response as below. What could be the problem? Any idea?
$ dig @213.42.52.79 A www.dubaiairport.com
; <<>> DiG 9.3.4-P1 <<>> @213.42.52.79 A www.dubaiairport.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48514
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dubaiairport.com. IN A
;; ANSWER SECTION:
www.dubaiairport.com. 7200 IN A 213.42.55.169
;; Query time: 127 msec
;; SERVER: 213.42.52.79#53(213.42.52.79)
;; WHEN: Mon Mar 19 23:25:35 2012
;; MSG SIZE rcvd: 54


When you see this sort of situation, a good guess is that there is an 
authority mismatch and some/all of the authoritative NS records listed 
in the child zone are not responding.  In this case, there is an 
authority mismatch:


dig +trace ns dubaiairport.com

[skip root response]

dubaiairport.com.   172800  IN  NS  dcaowa01.dubaiairport.com.
dubaiairport.com.   172800  IN  NS  svr-b003.dubaiairport.com.
[RRSIG deleted]
;; Received 608 bytes from 192.12.94.30#53(192.12.94.30) in 724 ms

dubaiairport.com.   7200IN  NS  secdns.dubaiairport.com.
dubaiairport.com.   7200IN  NS  auhans2.ecompany.ae.
dubaiairport.com.   7200IN  NS  dxbans2.ecompany.ae.
dubaiairport.com.   7200IN  NS  dxbans1.ecompany.ae.
dubaiairport.com.   7200IN  NS  dcaowa01.dubaiairport.com.
dubaiairport.com.   7200IN  NS  auhans1.ecompany.ae.
dubaiairport.com.   7200IN  NS  svr-b003.dubaiairport.com.
;; Received 323 bytes from 213.42.52.79#53(213.42.52.79) in 279 ms

One of the above DNS servers, secdns.dubaiairport.com, isn't responding 
for me.  Sometimes that's enough to cause intermittent timeouts for dig.


dig +nssearch dubaiairport.com
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 213.42.52.79 in 278 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 195.229.237.52 in 278 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 194.170.1.99 in 282 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 213.42.52.75 in 288 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 194.170.1.6 in 289 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 194.170.1.7 in 293 ms.
;; connection timed out; no servers could be reached [referring to 
secdns.dubaiairport.com]


michael



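The diagnosis above compares three things: the NS set the parent hands out in the referral (what +trace shows), the NS set the child zone's own servers answer, and whether every listed server answers the SOA query with the same serial (what +nssearch shows). As an added example that is not from the original reply, the Python below encodes that comparison over constructed data; the zone names, addresses and +nssearch output are made up for the example, and the name-to-address map stands in for the glue you would look up yourself.

```python
"""Delegation consistency check for the 'authority mismatch' pattern.

The parent zone's NS set (what +trace shows in the referral) and the child
zone's apex NS set (what the child's servers answer) should agree, and every
listed server should answer with the same SOA serial (what +nssearch shows).
Added example, not from the original reply; all names, addresses and the
nssearch output below are constructed.
"""
from typing import Dict, Iterable, List

PARENT_NS = ["ns1.example.test.", "ns2.example.test."]
CHILD_NS = ["ns1.example.test.", "ns2.example.test.",
            "ns3.example.test.", "secondary.provider.test."]
NS_ADDRESSES = {                       # constructed glue / address data
    "ns1.example.test.": "192.0.2.1",
    "ns2.example.test.": "192.0.2.2",
    "ns3.example.test.": "198.51.100.7",
    "secondary.provider.test.": "203.0.113.9",
}
# Constructed output in the format `dig +nssearch` prints; the last line is
# what dig prints when one of the servers never answers.
SAMPLE_NSSEARCH = """\
SOA ns1.example.test. hostmaster.example.test. 2012031901 900 600 86400 7200 from server 192.0.2.1 in 28 ms.
SOA ns1.example.test. hostmaster.example.test. 2012031901 900 600 86400 7200 from server 192.0.2.2 in 31 ms.
SOA ns1.example.test. hostmaster.example.test. 2012031880 900 600 86400 7200 from server 198.51.100.7 in 40 ms.
;; connection timed out; no servers could be reached
"""


def normalize(name: str) -> str:
    """Lower-case and make absolute so that set comparison is reliable."""
    return name.lower().rstrip(".") + "."


def compare_delegation(parent_ns: Iterable[str], child_ns: Iterable[str]) -> dict:
    """Parent (referral) NS set versus the child's apex NS set."""
    parent = {normalize(n) for n in parent_ns}
    child = {normalize(n) for n in child_ns}
    return {"consistent": parent == child,
            "parent_only": sorted(parent - child),
            "child_only": sorted(child - parent)}


def parse_nssearch(text: str) -> Dict[str, int]:
    """Map each answering server address to the SOA serial it returned."""
    serials: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 11 or parts[0] != "SOA" or "server" not in parts:
            continue
        serials[parts[parts.index("server") + 1]] = int(parts[3])
    return serials


def diagnose_delegation(parent_ns: Iterable[str], child_ns: Iterable[str],
                        addresses: Dict[str, str], nssearch_text: str) -> dict:
    """Combine the NS-set comparison with per-server SOA results into findings."""
    delegation = compare_delegation(parent_ns, child_ns)
    answered = parse_nssearch(nssearch_text)
    all_ns = sorted({normalize(n) for n in parent_ns} | {normalize(n) for n in child_ns})
    # A server whose address never appears in the nssearch output did not answer.
    unreachable = [n for n in all_ns if addresses.get(n) not in answered]
    serials = sorted(set(answered.values()))
    findings: List[str] = []
    for n in delegation["parent_only"]:
        findings.append(f"{n}: delegated by the parent but absent from the child's NS set")
    for n in delegation["child_only"]:
        findings.append(f"{n}: listed only by the child; resolvers that adopt the child NS set will query it")
    for n in unreachable:
        findings.append(f"{n}: did not answer the SOA query (expect intermittent timeouts)")
    if len(serials) > 1:
        findings.append(f"servers disagree on the SOA serial: {serials}")
    return {"consistent": delegation["consistent"],
            "parent_only": delegation["parent_only"],
            "child_only": delegation["child_only"],
            "unreachable": unreachable, "serials": serials,
            "findings": findings}
```

In the constructed case the child advertises two servers the parent does not, one of those never answers, and a third server is a serial behind; the findings list gives each of those as a separate line, which is the same reasoning the reply above walks through by hand.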


troubleshooting bind

2012-04-09 Thread Marseglia, Michael
Hello,

  I'm troubleshooting a DNS issue we recently experienced where records were 
unresolvable (response NXDOMAIN) from the caching DNS server.  I flushed the 
cache using rndc flush and I received the host's IP.

  There were no errors in the system log so I'm enabling debug logging should 
it occur again.  I'm still not sure what caused the NXDOMAIN response, so I'm 
reviewing my BIND config and taking a look at the default values.

  When configuring BIND for an internal corporate network with a thousand 
clients should any of the default values be tweaked?  I've searched for tuning 
guidance but I haven't found any yet.

  I've taken interest in the tcp-clients, max-ncache-ttl, max-cache-ttl, 
cleaning-interval and max-cache-size values.  These are all currently set to 
default.

  I'm guessing in a more volatile network with DHCP and frequent 
provisioning/deprovisioning of hosts I would want to lower the max-ncache-ttl 
and max-cache-ttl values.  Is this correct?

  Regarding the tcp-clients option, where can I find the current connection 
count and how do I know if I'm coming close to this number?  In what type of 
environment would it be expected to hit the default threshold of 100?

  Lastly, if max-cache-size is set to unlimited what happens if BIND consumes 
all the available memory?  Will the Linux kernel terminate the process?  How 
can I find the value of the current cache size?



Mike Marseglia
Network Engineer, CharterCARE
p: 401-456-2331
c: 401-248-4867
e: michael.marseg...@chartercare.org
t: @mmars



Operational Notification -- Segmentation Fault in resolver.c Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2, & 9.9.0

2012-04-30 Thread Michael McNally
Operational Notification -- Segmentation Fault in resolver.c
Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2, & 9.9.0

Summary:

   ISC has discovered a race condition in the resolver code that
   can cause a recursive nameserver running BIND 9.6-ESV-R6, 9.7.5,
   9.8.2, or 9.9.0 to crash with a segmentation fault. Authoritative-only
   servers are not affected, but recursive-only or recursive-authoritative
   hybrid servers are at risk of crashing because of this bug.

Posting date: 30 April 2012

Program Impacted: BIND

Versions affected: 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0.

Description:

   ISC is issuing an operational notification for users running ISC
   BIND 9.6-ESV-R6, 9.7.5, 9.8.2 or 9.9.0.

   A race condition has been discovered in resolver.c that can
   result in a recursive nameserver running one of these versions
   to crash with a segmentation fault.

   This defect is not considered a security issue, as no known
   method for deliberately triggering it exists. It depends on a
   matter of random timing between multiple threads executing the
   resolver code. However, the nature of the bug is such that the
   probability of encountering the crash condition eventually
   increases in proportion to the number of queries being resolved
   as well as the number of queries being resolved simultaneously.
   Consequently, busy recursing nameservers and nameservers with
   more threads processing simultaneously are at higher risk of
   encountering this bug.

   This defect was introduced accidentally in change #3241 which
   appeared for the first time in the specified release versions.
   Prior release versions (9.6-ESV-R5-P1, 9.7.4-P1, and 9.8.1-P1
   and any earlier versions) are not affected by this bug.

   ISC is preparing replacement release versions with a delivery
   target of mid-May 2012 and a source code patch is currently
   available in the ISC Knowledge Base article:
   https://kb.isc.org/article/AA-00664

Solution:

   Authoritative-only servers do not need to address this issue.

   If you have not upgraded yet to the affected versions, postpone
   updating until they are replaced by 9.6-ESV-R7, 9.7.6, 9.8.3,
   or 9.9.1, which are to be released in mid-May 2012 and which
   will include a fix for this issue along with several minor bug
   fixes.

   If you have already upgraded a recursive server to one of the
   affected versions, you have the option of reverting to a prior
   release version, waiting for the May release of superseding
   packages including the fix, or applying the source code patch
   from ISC and rebuilding BIND.

   The source code patch can be found as an attachment to the ISC
   Knowledge Base article https://kb.isc.org/article/AA-00664

- Do you have Questions? Questions regarding this advisory should
  go to supp...@isc.org.

- Additional information on our Operational Notifications is here:
  https://www.isc.org/software/notifications, and Phased Disclosure
  Process is here: https://www.isc.org/security-vulnerability-disclosure-policy

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be inferred. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use of, or reliance on, this notice or materials referred to in
   this notice is at your own risk. ISC may change this notice at
   any time.



Re: random-device purpose in DNSSEC

2012-05-10 Thread Michael Graff
Some signature methods require this, some do not.  RSA should not (in general) 
but RSA encryption in practice may.  Signing is different, in that you know 
both halves (encrypted and cleartext) so it should not require padding.

I think DSA does require randomness in signing.

--Michael

On May 10, 2012, at 2:41 PM, Alexander Gurvitz wrote:

> Hello all.
> 
> What is the random device used for?
> The ARM says "Entropy is primarily needed for DNSSEC operations,
> such as ... dynamic update of signed zones". I don't get why signing a zone
> requires any randomness.
> 
> This bothers me as I'm implementing DNSSEC now, and I know that my systems
> are low at entropy, and BIND default random-device is /dev/random,
> and it (the device) blocks when there's no entropy available.
> 
> Does BIND really need that entropy, and how much?
> 
> Regards,
> Alexander Gurvitz,
> net-me.net

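To see where the randomness enters, an added example (not part of the original reply, and not BIND's DNSSEC code): textbook RSA and DSA signers in Python with tiny constructed parameters. The RSA signature is a deterministic function of the hash and the key, while each DSA signature needs a fresh secret nonce k drawn from the system's entropy source, which is what a blocking /dev/random holds up.

```python
"""Toy RSA and DSA signers showing where randomness enters.

Textbook RSA: s = h^d mod n, no random input, so two signatures over the
same hash are identical.  DSA: each signature needs a fresh secret nonce k,
so the same hash gives a different (r, s) pair on every call.  Parameters
are tiny, constructed values for illustration only, never for real keys.
"""
import hashlib
import secrets
from typing import Callable, Tuple

# --- textbook RSA with a toy modulus (constructed: p=61, q=53) ---
RSA_N, RSA_E, RSA_D = 3233, 17, 2753


def _hash_mod(message: bytes, modulus: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def rsa_sign(message: bytes) -> int:
    """s = h^d mod n: no random input anywhere."""
    return pow(_hash_mod(message, RSA_N), RSA_D, RSA_N)


def rsa_verify(message: bytes, sig: int) -> bool:
    return pow(sig, RSA_E, RSA_N) == _hash_mod(message, RSA_N)


# --- textbook DSA with toy parameters (constructed): q=11 divides p-1=22,
#     g=4 has order 11 mod 23 ---
DSA_P, DSA_Q, DSA_G = 23, 11, 4
DSA_X = 7                          # private key, 1 <= x < q (constructed)
DSA_Y = pow(DSA_G, DSA_X, DSA_P)   # public key


def dsa_sign(message: bytes,
             nonce_source: Callable[[int], int] = secrets.randbelow) -> Tuple[int, int]:
    """(r, s) with a fresh secret nonce k from the entropy source each call."""
    h = _hash_mod(message, DSA_Q)
    while True:
        k = 1 + nonce_source(DSA_Q - 1)          # k in [1, q-1]
        r = pow(DSA_G, k, DSA_P) % DSA_Q
        if r == 0:
            continue
        s = (pow(k, -1, DSA_Q) * (h + DSA_X * r)) % DSA_Q
        if s == 0:
            continue
        return r, s


def dsa_verify(message: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < DSA_Q and 0 < s < DSA_Q):
        return False
    w = pow(s, -1, DSA_Q)
    h = _hash_mod(message, DSA_Q)
    u1, u2 = (h * w) % DSA_Q, (r * w) % DSA_Q
    v = ((pow(DSA_G, u1, DSA_P) * pow(DSA_Y, u2, DSA_P)) % DSA_P) % DSA_Q
    return v == r


def signatures_are_deterministic(signer: Callable[[bytes], object],
                                 message: bytes, trials: int = 12) -> bool:
    """True if repeated signing of the same message yields one signature value."""
    return len({signer(message) for _ in range(trials)}) == 1
```

Run signatures_are_deterministic on each signer: RSA returns the same value every time, DSA a different (r, s) on each call. That nonce is what the entropy is for, and it is also why it matters: a DSA signer that reuses k because it could not obtain fresh entropy leaks its private key, so the failure mode of an entropy-starved signer is worse than a stall. The parameters here are toys; the point is only where the random input sits in each algorithm.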


BIND 9.9.1 is now available

2012-05-21 Thread Michael McNally
Introduction

   BIND 9.9.1 is the latest production release of BIND 9.9.

   This document summarizes changes from BIND 9.9.0 to BIND 9.9.1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.0i

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

*  A note will be added to the README in future releases to explain
   that the improved scalability provided by using multiple threads
   to listen for and process queries (change 3137, RT #22992) does
   not provide any performance benefit when running BIND on versions
   of the linux kernel that do not include the 'lockless UDP transmit
   path' changes that were incorporated in 2.6.39.  (Some linux
   distributors may have provided this functionality under their
   own version numbering systems).

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  named-checkconf now correctly validates dns64 clients acl
   definitions. [RT #27631]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Improves DNS64 reverse zone performance. [RT #28563]

*  Adds wire format lookup method to sdb. [RT #28563]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  Prevents intermittent named crashes following an rndc reload [RT
   #28606]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

*  Prevents named crashes as a result of dereferencing a NULL pointer
   in zmgr_start_xfrin_ifquota if the zone was being removed while
   there were zone transfers still pending [RT #28419]

*  Corrects a parser bug that could cause named to crash while
   reading a malformed zone file. [RT #28467]

*  Ensures that when a client recurses its status fields are
   consistently set so that named doesn't fail on an INSIST in
   client.c:exit_check. [RT #28346]

*  Fixed a problem preventing proper use of 64 bit time values in
   libbind. [RT #26542]

*  isccc/cc.c:table_fromwire could fail to free an allocated object
   on error, leading to a possible memory leak condition. [RT #28265]

*  Fixed a build error on systems without ENOTSUP.  [RT #28200]

*  The header file isc/hmacsha.h is now installed when building
   BIND. [RT #28169]

*  AAAA responses will no longer be returned in the additional
   section when filter-aaaa-on-v4 is in use.  (Prior to this change,
   they would be returned for some query types). [RT #27292]


Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
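The TLSA type that the Feature Changes above mention is defined in RFC 6698: a usage byte, a selector byte and a matching-type byte followed by the certificate association data (the full DER object for matching type 0, or its SHA-256/SHA-512 digest for types 1 and 2). As an added example that is not part of the announcement or of BIND, here is a Python parser, validator and matcher for TLSA rdata; the "DER" objects used when exercising it are constructed placeholders, not real certificates.

```python
"""TLSA (RFC 6698) record parsing, validation and matching.

RDATA is: usage (0-3) selector (0-1) matching-type (0-2) association-data,
where the data is the full DER object (type 0) or its SHA-256/SHA-512
digest (types 1/2).  Added example, not BIND code; the 'DER' blobs used
with it are constructed placeholders, not real certificates.
"""
import hashlib
from dataclasses import dataclass

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    def to_wire(self) -> bytes:
        return bytes([self.usage, self.selector, self.matching_type]) + self.data

    def to_presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def validate(rec: TLSA) -> TLSA:
    """Reject values outside the RFC 6698 registries and digests of the wrong size."""
    if rec.usage not in USAGES:
        raise ValueError(f"unknown certificate usage {rec.usage}")
    if rec.selector not in SELECTORS:
        raise ValueError(f"unknown selector {rec.selector}")
    if rec.matching_type not in MATCHING:
        raise ValueError(f"unknown matching type {rec.matching_type}")
    want = DIGEST_LEN.get(rec.matching_type)
    if want is not None and len(rec.data) != want:
        raise ValueError(f"{MATCHING[rec.matching_type]} data must be {want} bytes, got {len(rec.data)}")
    if rec.matching_type == 0 and not rec.data:
        raise ValueError("full-object matching with empty data")
    return rec


def parse_tlsa_rdata(text: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 8755...'; hex may be split across tokens."""
    parts = text.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    return validate(TLSA(usage, selector, mtype, bytes.fromhex("".join(parts[3:]))))


def parse_tlsa_wire(wire: bytes) -> TLSA:
    """Decode the RDATA wire form (three fixed bytes, then the association data)."""
    if len(wire) < 3:
        raise ValueError("TLSA wire data shorter than 3 bytes")
    return validate(TLSA(wire[0], wire[1], wire[2], bytes(wire[3:])))


def is_valid_tlsa_rdata(text: str) -> bool:
    """Convenience predicate: bad numbers, bad hex and wrong digest sizes all fail."""
    try:
        parse_tlsa_rdata(text)
        return True
    except ValueError:
        return False


def tlsa_for(der: bytes, usage: int = 3, selector: int = 1, matching_type: int = 1) -> TLSA:
    """Build the record for a DER object; pass the certificate (selector 0) or SPKI (selector 1)."""
    if matching_type == 0:
        data = der
    elif matching_type == 1:
        data = hashlib.sha256(der).digest()
    elif matching_type == 2:
        data = hashlib.sha512(der).digest()
    else:
        raise ValueError(f"unknown matching type {matching_type}")
    return validate(TLSA(usage, selector, matching_type, data))


def tlsa_matches(rec: TLSA, presented_der: bytes) -> bool:
    """True if the presented object (cert or SPKI, per rec.selector) matches the record."""
    return tlsa_for(presented_der, rec.usage, rec.selector, rec.matching_type).data == rec.data
```

The validator is deliberately strict about digest lengths: a SHA-256 record with 31 bytes of data can never match anything, and catching that at zone-check time is cheaper than debugging a DANE failure at the client.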


BIND 9.8.3 is now available

2012-05-21 Thread Michael McNally
Introduction

   BIND 9.8.3 is the latest production release of BIND 9.8.

   This document summarizes changes from BIND 9.8.2 to BIND 9.8.3.

   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available at http://www.isc.org/support
   for paid support options. Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.0i

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  named-checkconf now correctly validates dns64 clients acl
   definitions. [RT #27631]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Improves DNS64 reverse zone performance. [RT #28563]

*  Adds wire format lookup method to sdb. [RT #28563]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible.  If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


BIND 9.7.6 is now available

2012-05-21 Thread Michael McNally
Introduction

   BIND 9.7.6 is the latest production release of BIND 9.7.

   This document summarizes changes from BIND 9.7.5 to BIND 9.7.6.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on http://www.isc.org/support
   for paid support options.  Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.0i

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


BIND 9.6-ESV-R7 is now available

2012-05-21 Thread Michael McNally
Introduction

   BIND 9.6-ESV-R7 is the most recent release of BIND 9.6-ESV.

   BIND 9.6-ESV is an Extended Support Version of BIND 9.

   This document summarizes changes from BIND 9.6-ESV-R6 to BIND
   9.6-ESV-R7.  Please see the CHANGES file in the source code
   release for a complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on http://www.isc.org/support
   for paid support options.  Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.0i

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  A new flag -R has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-05-31 Thread Michael Graff
Hmm, I don't quite think this is a good idea.  BIND 9 (since 9.5) manages 
memory quite well, but it will happily consume all you have and go into swap.

I'd set it high enough (on a dedicated machine) to use plenty of RAM, but low 
enough to not cause other OS components to swap out or BIND itself to swap.  
75% or 85% range seems like a good starting point.

--Michael

On May 31, 2012, at 8:18 PM, Doug Barton wrote:

> On 5/31/2012 1:51 PM, blrmaani wrote:
> 
>> Question:
>> what is the recommended configuration for 'max-cache-size' for optimum
>> usage ? 
> 
> You should not restrict the size of the cache at all if you want the
> best performance. BIND will use as much memory as it needs in order to
> satisfy the requests of your users.
> 
> 
> -- 
>If you're never wrong, you're not trying hard enough



Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-05-31 Thread Michael Graff
It's really something you'll have to set, and monitor.  I'd start with 1 GB, 
and see how close it gets to that in (say) a week.  If it takes a few hours, 
you might need to go up to 2 or 4, and see how that works.  It may never hit 
the memory limit.  Also note that there is 10% to 20% overhead, so if you set a 
1 GB limit, it's really more like a 1.1GB to 1.2GB limit.  This is because the 
cache is not the only thing that uses memory, of course, and the limit is only 
for the cache.

Remember that the cache is only used as a cache, and is not required for 
operation.  Technically, BIND 9 could run with a very, very small cache.  The 
default of 32 MB is actually a fairly new thing.  It used to be unlimited, but 
that means BIND will hit some operating system imposed limit, and that is more 
painful than self-management.

--Michael

On Jun 1, 2012, at 12:26 AM, blr maani wrote:

> Doug,
>   hmmm.. 75%-85% seems too large because the host runs email application in 
> addition to cache-and-forward-only BIND (for better local caching). So, I was 
> wondering if there are any best/proven practice/recommendations for such 
> shared application hosts ? 
> 
> The default value is 32MB. We have 8GB RAM. I don't know if it's better to 
> start with 1GB (1/8th of RAM)?
> 
> thanks
> blr
> 
> 
> On Thu, May 31, 2012 at 8:17 PM, Michael Graff  wrote:
> Hmm, I don't quite think this is a good idea.  BIND 9 (since 9.5) manages 
> memory quite well, but it will happily consume all you have and go into swap.
> 
> I'd set it high enough (on a dedicated machine) to use plenty of RAM, but low 
> enough to not cause other OS components to swap out or BIND itself to swap.  
> 75% or 85% range seems like a good starting point.
> 
> --Michael
> 
> On May 31, 2012, at 8:18 PM, Doug Barton wrote:
> 
> > On 5/31/2012 1:51 PM, blrmaani wrote:
> >
> >> Question:
> >> what is the recommended configuration for 'max-cache-size' for optimum
> >> usage ?
> >
> > You should not restrict the size of the cache at all if you want the
> > best performance. BIND will use as much memory as it needs in order to
> > satisfy the requests of your users.
> >
> >
> > --
> >If you're never wrong, you're not trying hard enough
> 
> 


BIND 9.7.6-P1 is now available

2012-06-04 Thread Michael McNally
Introduction

   BIND 9.7.6-P1 is the latest production release of BIND 9.7.

   This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on http://www.isc.org/support
   for paid support options.  Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.1c

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


BIND 9.9.1-P1 is now available

2012-06-04 Thread Michael McNally
Introduction

   BIND 9.9.1-P1 is the latest production release of BIND 9.9.

   This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.1c

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

*  A note will be added to the README in future releases to explain
   that the improved scalability provided by using multiple threads
   to listen for and process queries (change 3137, RT #22992) does
   not provide any performance benefit when running BIND on versions
   of the linux kernel that do not include the 'lockless UDP transmit
   path' changes that were incorporated in 2.6.39.  (Some linux
   distributors may have provided this functionality under their
   own version numbering systems).

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  named-checkconf now correctly validates dns64 clients acl
   definitions. [RT #27631]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Improves DNS64 reverse zone performance. [RT #28563]

*  Adds wire format lookup method to sdb. [RT #28563]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  Prevents intermittent named crashes following an rndc reload [RT
   #28606]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

*  Prevents named crashes as a result of dereferencing a NULL pointer
   in zmgr_start_xfrin_ifquota if the zone was being removed while
   there were zone transfers still pending [RT #28419]

*  Corrects a parser bug that could cause named to crash while
   reading a malformed zone file. [RT #28467]

*  Ensures that when a client recurses its status fields are
   consistently set so that named doesn't fail on an INSIST in
   client.c:exit_check. [RT #28346]

*  Fixed a problem preventing proper use of 64 bit time values in
   libbind. [RT #26542]

*  isccc/cc.c:table_fromwire could fail to free an allocated object
   on error, leading to a possible memory leak condition. [RT #28265]

*  Fixed a build error on systems without ENOTSUP.  [RT #28200]

*  The header file isc/hmacsha.h is now installed when building
   BIND. [RT #28169]

*  AAAA responses will no longer be returned in the additional
   section when filter-aaaa-on-v4 is in use.  (Prior to this change,
   they would be returned for some query types). [RT #27292]


Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium

BIND 9.8.3-P1 is now available

2012-06-04 Thread Michael McNally
Introduction

   BIND 9.8.3-P1 is the latest production release of BIND 9.8.

   This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available at http://www.isc.org/support
   for paid support options. Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A condition has been corrected where improper handling of 
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.1c

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  named-checkconf now correctly validates dns64 clients acl
   definitions. [RT #27631]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Improves DNS64 reverse zone performance. [RT #28563]

*  Adds wire format lookup method to sdb. [RT #28563]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible.  If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


BIND 9.6-ESV-R7-P1 is now available

2012-06-04 Thread Michael McNally
Introduction

   BIND 9.6-ESV-R7-P1 is the most recent release of BIND 9.6-ESV.

   BIND 9.6-ESV is an Extended Support Version of BIND 9.

   This document summarizes changes from BIND 9.6-ESV-R6 to BIND
   9.6-ESV-R7-P1.  Please see the CHANGES file in the source code
   release for a complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on http://www.isc.org/support
   for paid support options.  Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.1c

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
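The TLSA resource record type named in the Feature Changes of this announcement and of the 9.7.6-P1, 9.9.1-P1 and 9.8.3-P1 announcements above, shown as an added example that is not code from BIND or ISC: it builds the presentation and wire forms of TLSA RDATA as laid out in RFC 6698 (usage, selector, matching type, certificate association data) and checks a candidate certificate against a parsed record. The bytes `b"abc"` are a constructed stand-in for DER-encoded certificate data; extracting the SubjectPublicKeyInfo for selector 1 is left to the caller.

```python
import hashlib
import struct

# Matching types from RFC 6698: 0 = exact data, 1 = SHA-256, 2 = SHA-512.
MATCHING_TYPES = {0: None, 1: "sha256", 2: "sha512"}


def tlsa_association_data(matching_type, selected_bytes):
    """Return the Certificate Association Data for `selected_bytes`, the DER of
    the object the selector names (whole certificate for selector 0,
    SubjectPublicKeyInfo for selector 1; extracting it is the caller's job)."""
    if matching_type not in MATCHING_TYPES:
        raise ValueError("unknown matching type %r" % (matching_type,))
    algo = MATCHING_TYPES[matching_type]
    if algo is None:
        return bytes(selected_bytes)
    return hashlib.new(algo, selected_bytes).digest()


def _check_octet(name, value):
    if not isinstance(value, int) or not 0 <= value <= 255:
        raise ValueError("%s must be an integer 0..255, got %r" % (name, value))


def tlsa_wire(usage, selector, matching_type, selected_bytes):
    """RDATA in wire format: three one-octet fields followed by the data."""
    for name, value in (("usage", usage), ("selector", selector),
                        ("matching type", matching_type)):
        _check_octet(name, value)
    return (struct.pack("!BBB", usage, selector, matching_type)
            + tlsa_association_data(matching_type, selected_bytes))


def tlsa_presentation(usage, selector, matching_type, selected_bytes):
    """RDATA in zone-file (presentation) format."""
    wire = tlsa_wire(usage, selector, matching_type, selected_bytes)
    return "%d %d %d %s" % (usage, selector, matching_type, wire[3:].hex())


def parse_tlsa_presentation(text):
    """Parse presentation format into (usage, selector, matching type, data).
    RFC 6698 allows whitespace inside the hex string, so trailing fields are joined."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs at least four fields: %r" % text)
    usage, selector, matching_type = (int(f) for f in fields[:3])
    for name, value in (("usage", usage), ("selector", selector),
                        ("matching type", matching_type)):
        _check_octet(name, value)
    data = bytes.fromhex("".join(fields[3:]))
    if matching_type in (1, 2):
        expected = hashlib.new(MATCHING_TYPES[matching_type]).digest_size
        if len(data) != expected:
            raise ValueError("association data length %d does not match matching type %d"
                             % (len(data), matching_type))
    return usage, selector, matching_type, data


def tlsa_matches(record, selected_bytes):
    """True if `selected_bytes` (the object the record's selector names)
    matches a parsed TLSA record."""
    usage, selector, matching_type, data = record
    return tlsa_association_data(matching_type, selected_bytes) == data


if __name__ == "__main__":
    # Constructed stand-in for DER certificate bytes; a real record hashes the
    # actual certificate (selector 0) or its SubjectPublicKeyInfo (selector 1).
    cert_der = b"abc"
    text = tlsa_presentation(3, 0, 1, cert_der)
    print("_443._tcp.example.com. IN TLSA", text)
    print("matches:", tlsa_matches(parse_tlsa_presentation(text), cert_der))
```

The owner name `_443._tcp.example.com.` in the demo follows the RFC 6698 naming convention for a TLS service on TCP port 443; only the RDATA handling is implemented here, the lookup and the TLS-side verification are out of scope.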


Re: VMware & Bind

2012-06-05 Thread Michael Sinatra



On Tue, 5 Jun 2012, Manson, John wrote:

> Will bind run on VMware?

Yes.  I have a few machines running BIND 9.9.x on FreeBSD as a guest os on
vmware.

michael

Re: OT: cached memory

2012-06-14 Thread Michael Graff

On Jun 13, 2012, at 5:02 PM, Dan Letkeman wrote:

> I understand the concept, as I have read many documents like that.  I
> am more interested in a real world example of how much free memory for
> caching is recommended for an average server.
> 
> Dan.

It depends on many things, but what I'd do to find the optimum cache size is:

(1)  Start with some limit, say 128 MB.
(2)  Observe the server's performance over time, and memory usage.
(3)  Pick some reasonable time, like "I want it to hit the max memory size in 3 
days" or "one week"
(4)  If it reaches the maximum too quickly, add more cache size.

I suspect this is one metric that would help greatly to add to the XML stats...
Cache hit rate is sort of a standard metric.

--Michael
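The four steps above, turned into an added example (not Michael's code and not anything shipped with BIND): given periodic observations of how much memory the cache is using, estimate the growth rate, the time until a given max-cache-size would be reached, and the limit that would make the cache fill in the chosen period. The samples are constructed; how you collect them (for instance from `rndc stats` output or the statistics channel) and which counters you feed to the hit-rate helper are not assumed here.

```python
import math
from datetime import datetime

MiB = 1024 * 1024

# Constructed observations of cache memory in use: (timestamp, bytes), oldest
# first.  In practice these come from the server's statistics polled over
# time; the values here are made up to illustrate the arithmetic.
SAMPLES = [
    (datetime(2012, 6, 14, 0, 0), 20 * MiB),
    (datetime(2012, 6, 14, 12, 0), 35 * MiB),
    (datetime(2012, 6, 15, 0, 0), 50 * MiB),
    (datetime(2012, 6, 15, 12, 0), 64 * MiB),
]


def growth_rate(samples):
    """Least-squares growth of cache size in bytes per day, or None if the
    samples cannot support an estimate (fewer than two distinct times)."""
    if len(samples) < 2:
        return None
    t0 = samples[0][0]
    ts = [(t - t0).total_seconds() / 86400.0 for t, _ in samples]
    ys = [float(y) for _, y in samples]
    tm = sum(ts) / len(ts)
    ym = sum(ys) / len(ys)
    sxx = sum((t - tm) ** 2 for t in ts)
    if sxx == 0:
        return None
    sxy = sum((t - tm) * (y - ym) for t, y in zip(ts, ys))
    return sxy / sxx


def days_until_full(samples, limit):
    """Days from the last sample until the cache reaches `limit` at the
    observed growth; 0.0 if it is already there, None if it is not growing."""
    rate = growth_rate(samples)
    if rate is None or rate <= 0:
        return None
    last = samples[-1][1]
    if last >= limit:
        return 0.0
    return (limit - last) / rate


def recommend_max_cache_size(samples, current_limit, target_days):
    """The rule of thumb from the thread: keep the current limit if the cache
    takes at least `target_days` to fill; otherwise raise it so that, at the
    observed growth, it fills in `target_days`, rounded up to a whole MiB."""
    days = days_until_full(samples, current_limit)
    if days is None or days >= target_days:
        return current_limit
    needed = samples[-1][1] + growth_rate(samples) * target_days
    return int(math.ceil(needed / MiB)) * MiB


def cache_hit_rate(hits, misses):
    """Fraction of lookups answered from cache; None when there were none."""
    total = hits + misses
    return hits / total if total else None


if __name__ == "__main__":
    rate = growth_rate(SAMPLES)
    print("growth: %.1f MiB/day" % (rate / MiB))
    print("days until a 128 MiB limit is reached: %.2f"
          % days_until_full(SAMPLES, 128 * MiB))
    print("max-cache-size for a 3-day fill: %d MiB"
          % (recommend_max_cache_size(SAMPLES, 128 * MiB, 3) // MiB))
```

With the constructed samples the cache grows about 29.4 MiB per day, so a 128 MiB limit would be hit in a little over two days; for a three-day target the helper proposes 153 MiB. The fit is linear, which is only a first approximation: cache growth usually flattens as the working set of names is covered, so re-run it on fresh samples rather than extrapolating once.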



Re: Moving DNS out of non-cooperative provider

2012-06-18 Thread Michael Graff
Eventually, if you have done the parent delegations (through where you register 
your zone) and have updated the new NS records to point only to the new spot, 
the old zone will only be used by that provider, and nowhere else.  So, if com 
points to the new set of name servers, and example.com has the new set, 
99.% of the world will be good.

The case exists where oldprovider.net's users (say, mail servers, etc) may 
continue using their copy of the zone.  However, I doubt you care overly much 
about that unless oldprovider.net is huge. 

--Michael

On Jun 18, 2012, at 8:49 AM, Alexander Gurvitz wrote:

> Can someone enlighten me on the following scenario
> (I guess it's explained somewhere, but can't find the info.):
> 
> example.com was served by ns.OLDprovider.net
> example.com owner wants to move his domain to ns.NEWprovider.net
> oldprovider.net is not cooperating, and continues to serve
> example.com 172800 NS ns.OLDprovider.net
> (*.gtld-servers.net and ns.newprovider.com now serve
> example.com 172800 NS ns.NEWprovider.net)
> 
> Recursive resolver ns.isp.com queried for www.example.com every few minutes,
> and currently have 
> example.com 45892 NS ns.OLDprovider.net
> in it's cache. www.example.com have TTL of 3600.
> Thus each hour ns.isp.com queries ns.OLDprovider.net,
> with each query gets new NS record, and... refreshes the NS TTL ?
> 
> Will ns.isp.com EVER query ns.NEWprovider.net ?
> 
> I'd be happy to know how BIND behaves, but also
> how other servers may behave in this case.
> 
> Regards,
> Alexander Gurvitz,
> net-me.net
> 

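A small model of the scenario Alexander describes, as an added example that is not from the thread or from any resolver's source code. It runs the hourly www.example.com lookups under two cache policies: one where the NS set the old provider puts in its authority section overwrites and re-times the cached NS RRset, and one where cached NS data cannot outlive the expiry originally derived from the parent delegation. The names, TTLs and the 45892 seconds remaining on the cached NS are the thread's; neither policy is claimed to be what BIND or any other resolver implements, the model only makes concrete why the two behaviours give different answers to "will ns.isp.com ever query ns.NEWprovider.net".

```python
# Scenario from the thread (names and TTLs as Alexander gave them); the
# resolver model and its two policies are constructed for illustration.
OLD_NS = "ns.OLDprovider.net"
NEW_NS = "ns.NEWprovider.net"
NS_TTL = 172800               # NS TTL served by the parent and by both providers
A_TTL = 3600                  # TTL of www.example.com, so the resolver asks hourly
INITIAL_NS_REMAINING = 45892  # seconds left on the cached NS pointing at the old provider

# Who each server says the nameserver of example.com is.  The .com servers and
# the new provider point at the new server; the old provider keeps serving its
# stale copy of the zone, NS included.
NS_ANSWER = {
    "parent": NEW_NS,
    OLD_NS: OLD_NS,
    NEW_NS: NEW_NS,
}

REFRESH_FROM_CHILD = "refresh-from-child"  # child's authority NS overwrites and re-times the cache
PARENT_BOUND = "parent-bound"              # child's NS cannot outlive the parent-derived expiry


def first_query_to_new_provider(policy, initial_remaining=INITIAL_NS_REMAINING,
                                horizon=30 * 86400):
    """Simulate ns.isp.com querying www.example.com every A_TTL seconds.

    Returns the simulated time (seconds from now) of the first query sent to
    the new provider, or None if none is sent within `horizon`."""
    now = 0
    cached_ns = OLD_NS
    ns_expires = initial_remaining
    parent_expires = ns_expires  # expiry as derived from the parent delegation
    while now < horizon:
        if now >= ns_expires:
            # Cached delegation expired: ask the parent again.
            cached_ns = NS_ANSWER["parent"]
            ns_expires = now + NS_TTL
            parent_expires = ns_expires
        if cached_ns == NEW_NS:
            return now
        # The old provider answers and repeats its own NS set in the authority section.
        child_ns = NS_ANSWER[cached_ns]
        if policy == REFRESH_FROM_CHILD:
            cached_ns = child_ns
            ns_expires = now + NS_TTL
        elif policy == PARENT_BOUND:
            cached_ns = child_ns
            ns_expires = min(now + NS_TTL, parent_expires)
        else:
            raise ValueError("unknown policy: %r" % (policy,))
        now += A_TTL
    return None


if __name__ == "__main__":
    for policy in (REFRESH_FROM_CHILD, PARENT_BOUND):
        t = first_query_to_new_provider(policy)
        print("%-20s first query to new provider: %s"
              % (policy, "never within 30 days" if t is None else "after %d s" % t))
```

Under the parent-bound policy the resolver goes back to the .com servers as soon as the 45892 seconds run out and reaches the new provider on the next hourly lookup (46800 s into the simulation); under the refresh-from-child policy it never does, which is exactly the outcome the question worries about. Which of the two a given resolver is closer to is an implementation question, not something this model answers.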

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Michael Sinatra

On 07/08/12 09:54, Matthew Pounsett wrote:

> 08-Jul-2012 16:45:00.352 initializing DST: openssl failure
> 08-Jul-2012 16:45:00.352 exiting (due to fatal error)

In particular the logs above suggest that named is unable to find the 
necessary openssl libraries.  In the case where openssl 1.x.x is 
compiled with shared libraries enabled, named can't see the openssl 
engines (necessary for GOST crypto support) in its chrooted environment.


What makes me doubt what I just said is that this has been an issue for 
more than a year now, so I am not sure why you have escaped it for so 
long.  I assume you had openssl 1.0.x installed before you upgraded 
it--or was it an earlier version?


At any rate, if you run make config in /usr/ports/security/openssl, it 
gives you the option of compiling the libraries statically.  I have 
successfully done this in the past and it has worked.  However, anything 
else that is currently depending on the openssl shared library from 
ports (as opposed to the bundled system) will need to be recompiled 
before it will work, as will bind 9.8.


Doug Barton may have some better ideas as to how best to make it all work.

michael
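One way to check the chroot case Michael describes, as an added example that is not part of his post or of the FreeBSD port: parse ldd-style output for the named binary and report every shared object that does not exist at the same path under the chroot directory. The ldd output, the library names and paths, and the /var/named chroot are constructed placeholders; the OpenSSL engines directory, which also has to be visible inside the chroot, depends on how OpenSSL was built and is not assumed here.

```python
import os
import re

# Constructed ldd-style output for a named binary.  Real output lists the
# libraries your build links; these names and paths are placeholders.
SAMPLE_LDD_OUTPUT = """\
named:
\tlibcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800a00000)
\tlibpthread.so.2 => /lib/libpthread.so.2 (0x800d00000)
\tlibc.so.7 => /lib/libc.so.7 (0x801000000)
\t/libexec/ld-elf.so.1 (0x800600000)
"""

# Matches "name => /path (0xaddr)" and the bare "/path (0xaddr)" form used for
# the dynamic loader; entries without a path (virtual objects) are skipped.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")


def libraries_from_ldd(text):
    """Return the resolved shared-object paths from ldd-style output, in order."""
    matches = (_LDD_LINE.match(line) for line in text.splitlines())
    return [m.group(1) for m in matches if m]


def missing_in_chroot(chroot, host_paths, exists=os.path.exists):
    """Return the host paths that are absent at the same path under `chroot`.
    `exists` can be replaced for offline testing."""
    missing = []
    for path in host_paths:
        inside = os.path.join(chroot, path.lstrip("/"))
        if not exists(inside):
            missing.append(path)
    return missing


if __name__ == "__main__":
    import subprocess
    import sys
    # Usage: python check_chroot_libs.py /path/to/named /var/named
    # The chroot is whatever directory named -t points at; without
    # arguments the constructed sample output is checked against /var/named.
    if len(sys.argv) == 3:
        ldd_text = subprocess.check_output(["ldd", sys.argv[1]]).decode()
        chroot = sys.argv[2]
    else:
        ldd_text, chroot = SAMPLE_LDD_OUTPUT, "/var/named"
    for path in missing_in_chroot(chroot, libraries_from_ldd(ldd_text)):
        print("missing inside %s: %s" % (chroot, path))
```

A library listed by ldd but missing from the chroot tree is the simplest explanation for a startup failure that only appears under `-t`; the engine modules OpenSSL loads at run time are not in ldd's output at all, so their directory has to be copied into the chroot (or the libraries built statically, as Michael suggests) and checked by hand.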



BIND 9.7.7b1 is now available

2012-08-10 Thread Michael McNally
Introduction

  BIND 9.7.7b1 is the first beta release of BIND 9.7.7

  This document summarizes changes from BIND 9.7.6 to BIND 9.7.7b1.
  Please see the CHANGES file in the source code release for a
  complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

  - Prevents a named assert (crash) when validating caused by
using "Bad cache" data before it has been initialized.
[CVE-2012-3817]  [RT #30025]

  - A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process. [CVE-2012-1667]  [RT #29644]

New Features

  - None

Feature Changes

  - Improves OpenSSL error logging [RT #29932]

  - nslookup now returns a nonzero exit code when it is unable
to get an answer.  [RT #29492]

Bug Fixes

  - Ensures that servers are expired from the ADB cache when the
timeout limit is reached so that their learned attributes can
be refreshed.  Prior to this change, servers that were
frequently queried might never have their entries removed and
reinitialized.  This is of particular importance to
DNSSEC-validating recursive servers that might erroneously
set "no-edns" for an authoritative server following a period
of intermittent connectivity. [RT #29856]

  - Adds additional resilience to a previous security change
(3218) by preventing RRSIG data from being added to cache
when a pseudo-record matching the covering type and proving
non-existence exists at a higher trust level. The earlier
change prevented this inconsistent data from being retrieved
from cache in response to client queries  - with this additional
change, the RRSIG records are no longer inserted into cache
at all. [RT #26809]

  - dnssec-settime will now issue a warning when the writing of
a new private key file would cause a change in the permissions
of the existing file. [RT #27724]

  - Fixes the defect introduced by change #3314 that was causing
failures when saving stub zones to disk (resulting in excessive
CPU usage in some cases).  [RT #29952]

  - It is now possible to use multiple control keys again -
this functionality was inadvertently broken by change #3924
(RT #28265) which addressed a memory leak. [RT #29694]

  - Reduces the potential build-up of stale RRsets in cache on a
busy recursive nameserver by re-using cached DS and RRSIG
rrsets when possible [RT #29446]

  - Upper-case/lower-case handling of RRSIG signer-names is now
handled consistently: RRSIG records are generated with the
signer-name in lower case. They are accepted with any case,
but if they fail to validate, we try again in lower case. [RT
#27451]

Thank You

  Thank you to everyone who assisted us in making this release
  possible. If you would like to contribute to ISC to assist us in
  continuing to make quality open source software, please visit our
  donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


BIND 9.8.4b1 is now available

2012-08-10 Thread Michael McNally
Introduction

  BIND 9.8.4b1 is the first beta release of BIND 9.8.4

  This document summarizes changes from BIND 9.8.3 to BIND 9.8.4b1.
  Please see the CHANGES file in the source code release for a
  complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

  - Prevents a named assert (crash) when validating caused by
using "Bad cache" data before it has been initialized.
[CVE-2012-3817]  [RT #30025]

  - A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process. [CVE-2012-1667]  [RT #29644]

New Features

  - Elliptic Curve Digital Signature Algorithm keys and signatures
in DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

  - Improves OpenSSL error logging [RT #29932]

  - nslookup now returns a nonzero exit code when it is unable
to get an answer.  [RT #29492]

Bug Fixes

  - All named tasks that perform task-exclusive operations now
share the same single task.  Prior to this change, there was
the possibility of a race condition between rndc operations
and other functions such as re-sizing the adb hash table.  If
the race condition was encountered, named would in most cases
terminate unexpectedly with an assert.  [RT #29872]

  - Ensures that servers are expired from the ADB cache when the
timeout limit is reached so that their learned attributes can
be refreshed.  Prior to this change, servers that were
frequently queried might never have their entries removed and
reinitialized.  This is of particular importance to
DNSSEC-validating recursive servers that might erroneously
set "no-edns" for an authoritative server following a period
of intermittent connectivity. [RT #29856]

  - Adds additional resilience to a previous security change
(3218) by preventing RRSIG data from being added to cache
when a pseudo-record matching the covering type and proving
non-existence exists at a higher trust level. The earlier
change prevented this inconsistent data from being retrieved
from cache in response to client queries  - with this additional
change, the RRSIG records are no longer inserted into cache
at all. [RT #26809]

  - dnssec-settime will now issue a warning when the writing of
a new private key file would cause a change in the permissions
of the existing file. [RT #27724]

  - Fixes the defect introduced by change #3314 that was causing
failures when saving stub zones to disk (resulting in excessive
CPU usage in some cases).  [RT #29952]

  - It is now possible to use multiple control keys again -
this functionality was inadvertently broken by change #3924
(RT #28265) which addressed a memory leak. [RT #29694]

  - Setting resolver-query-timeout too low could cause named
problems recovering after a loss of connectivity.  [RT #29623]

  - Reduces the potential build-up of stale RRsets in cache on a
busy recursive nameserver by re-using cached DS and RRSIG
rrsets when possible [RT #29446]

  - Corrects a failure to authenticate non-existence of resource
records in some circumstances when RPZ has been configured.
Also:
  + adds an optional "recursive-only yes|no" to the response-policy
statement
  + adds an optional "max-policy-ttl" to the response-policy
statement to limit the false data that "recursive-only
no" can introduce into resolvers' caches
  + introduces a predefined encoding of PASSTHRU policy by
adding "rpz-passthru" to be used as the target of CNAME
policy records (the old encoding is still accepted.)
  + adds a RPZ performance test to bin/tests/system/rpz when
queryperf is available.
[RT #26172]

  - Upper-case/lower-case handling of RRSIG signer-names is now
handled consistently: RRSIG records are generated with the
signer-name in lower case. They are accepted with any case,
but if they fail to validate, we try again in lower case. [RT
#27451]

Thank You

  Thank you to everyone who assisted us in making this release
  possible. If you would like to contribute to ISC to assist us in
  continuing to make quality open source software, please visit our
  donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


BIND 9.6-ESV-R8b1 is now available

2012-08-10 Thread Michael McNally
Introduction

  BIND 9.6-ESV-R8b1 is the first beta release of BIND 9.6-ESV-R8.

  BIND 9.6-ESV is an Extended Support Version of BIND.

  This document summarizes changes from BIND 9.6-ESV-R7 to BIND
  9.6-ESV-R8b1.  Please see the CHANGES file in the source code
  release for a complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

  - Prevents a named assert (crash) when validating caused by
using "Bad cache" data before it has been initialized.
[CVE-2012-3817]  [RT #30025]

  - A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

  - None

Feature Changes

  - Improves OpenSSL error logging [RT #29932]

  - nslookup now returns a nonzero exit code when it is unable
to get an answer.  [RT #29492]

Bug Fixes

  - Ensures that servers are expired from the ADB cache when the
timeout limit is reached so that their learned attributes can
be refreshed.  Prior to this change, servers that were
frequently queried might never have their entries removed and
reinitialized.  This is of particular importance to
DNSSEC-validating recursive servers that might erroneously
set "no-edns" for an authoritative server following a period
of intermittent connectivity. [RT #29856]

  - Adds additional resilience to a previous security change
(3218) by preventing RRSIG data from being added to cache
when a pseudo-record matching the covering type and proving
non-existence exists at a higher trust level. The earlier
change prevented this inconsistent data from being retrieved
from cache in response to client queries  - with this additional
change, the RRSIG records are no longer inserted into cache
at all. [RT #26809]

  - The tests on random jitter values that are used when handling
zone refreshes have been relaxed. Prior to this change named
could terminate unexpectedly when processing stub zones.
[RT #29821]

  - Fixes the defect introduced by change #3314 that was causing
failures when saving stub zones to disk (resulting in excessive
CPU usage in some cases).  [RT #29952]

  - It is now possible to use multiple control keys again -
this functionality was inadvertently broken by change #3924
(RT #28265) which addressed a memory leak. [RT #29694]

  - Setting resolver-query-timeout too low could cause named
problems recovering after a loss of connectivity.  [RT #29623]

  - Reduces the potential build-up of stale RRsets in cache on a
busy recursive nameserver by re-using cached DS and RRSIG
rrsets when possible [RT #29446]

  - Upper-case/lower-case handling of RRSIG signer-names is now
handled consistently: RRSIG records are generated with the
signer-name in lower case. They are accepted with any case,
but if they fail to validate, we try again in lower case. [RT
#27451]

Thank You

  Thank you to everyone who assisted us in making this release
  possible. If you would like to contribute to ISC to assist us
  in continuing to make quality open source software, please visit
  our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


BIND 9.9.2b1 is now available

2012-08-10 Thread Michael McNally
Introduction

  BIND 9.9.2b1 is the first beta release of BIND 9.9.2.

  This document summarizes changes from BIND 9.9.1 to BIND 9.9.2b1.
  Please see the CHANGES file in the source code release for a
  complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

  - Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [CVE-2012-3817]
[RT #30025]

  - A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process. [CVE-2012-1667]  [RT #29644]

  - ISC_QUEUE handling for recursive clients was updated to address
a race condition that could cause a memory leak. This rarely
occurred with UDP clients, but could be a significant problem
for a server handling a steady rate of TCP queries. [CVE-2012-3868]
[RT #29539 & #30233]

New Features

  - Elliptic Curve Digital Signature Algorithm keys and signatures
in DNSSEC are now supported per RFC 6605. [RT #21918]

  - Introduces a new tool "dnssec-checkds" command that checks a
zone to determine which DS records should be published in the
parent zone, or which DLV records should be published in a DLV
zone, and queries the DNS to ensure that it exists. (Note: This
tool depends on python; it will not be built or installed on
systems that do not have a python interpreter.)  [RT #28099]

  - Introduces a new tool "dnssec-verify" that validates a signed
zone, checking for the correctness of signatures and NSEC/NSEC3
chains.  [RT #23673]

  - Adds configuration option "max-rsa-exponent-size ;" that
can be used to specify the maximum rsa exponent size that will
be accepted when validating [RT #29228]

Feature Changes

  - Improves OpenSSL error logging [RT #29932]

  - nslookup now returns a nonzero exit code when it is unable to
get an answer.  [RT #29492]

Bug Fixes

  - All named tasks that perform task-exclusive operations now share
the same single task.  Prior to this change, there was the
possibility of a race condition between rndc operations and
other functions such as re-sizing the adb hash table.  If the
race condition was encountered, named would in most cases
terminate unexpectedly with an assert.  [RT #29872]

  - Ensures that servers are expired from the ADB cache when the
timeout limit is reached so that their learned attributes can
be refreshed.  Prior to this change, servers that were frequently
queried might never have their entries removed and reinitialized.
This is of particular importance to DNSSEC-validating recursive
servers that might erroneously set "no-edns" for an authoritative
server following a period of intermittent connectivity. [RT
#29856]

  - Adds additional resilience to a previous security change (3218)
by preventing RRSIG data from being added to cache when a
pseudo-record matching the covering type and proving non-existence
exists at a higher trust level. The earlier change prevented
this inconsistent data from being retrieved from cache in
response to client queries  - with this additional change, the
RRSIG records are no longer inserted into cache at all. [RT
#26809]

  - dnssec-settime will now issue a warning when the writing of a
new private key file would cause a change in the permissions
of the existing file. [RT #27724]

  - Fixes the defect introduced by change #3314 that was causing
failures when saving stub zones to disk (resulting in excessive
CPU usage in some cases).  [RT #29952]

  - Address race condition in unit tests: asyncload_zone and
asyncload_zt. [RT #26100]

  - It is now possible to use multiple control keys again - this
functionality was inadvertently broken by change #3924 (RT
#28265) which addressed a memory leak. [RT #29694]

  - Named now holds a zone table reference while performing an
asynchronous load of a zone.  This removes a race condition
that could cause named to crash when zones are added using rndc
addzone or by manually editing named's configuration file
followed by rndc reconfig/reload. [RT #28326]

  - Setting resolver-query-timeout too low could cause named problems
recovering after a loss of connectivity.  [RT #29623]

  - Reduces the potential build-up of stale RRsets in cache on a
busy recursive nameserve

BIND 9.9.2rc1 is now available

2012-09-05 Thread Michael McNally
Introduction

   BIND 9.9.2rc1 is the first release candidate of BIND 9.9.2.

   This document summarizes changes from BIND 9.9.1 to BIND 9.9.2rc1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

 - Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025]
 - A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667]  [RT #29644]
 - ISC_QUEUE handling for recursive clients was updated to address
   a race condition that could cause a memory leak. This rarely
   occurred with UDP clients, but could be a significant problem
   for a server handling a steady rate of TCP queries. [CVE-2012-3868]
   [RT #29539 & #30233]

New Features

 - Elliptic Curve Digital Signature Algorithm keys and signatures
   in DNSSEC are now supported per RFC 6605. [RT #21918]
 - Introduces a new tool "dnssec-checkds" command that checks a
   zone to determine which DS records should be published in the
   parent zone, or which DLV records should be published in a DLV
   zone, and queries the DNS to ensure that it exists. (Note: This
   tool depends on python; it will not be built or installed on
   systems that do not have a python interpreter.)  [RT #28099]
 - Introduces a new tool "dnssec-verify" that validates a signed
   zone, checking for the correctness of signatures and NSEC/NSEC3
   chains.  [RT #23673]
 - Adds configuration option "max-rsa-exponent-size ;" that
   can be used to specify the maximum rsa exponent size that will
   be accepted when validating [RT #29228]

Feature Changes

 - Improves OpenSSL error logging [RT #29932]
 - nslookup now returns a nonzero exit code when it is unable to
   get an answer.  [RT #29492]

Bug Fixes

 - When using DNSSEC inline signing with "rndc signing -nsec3param",
   a salt value of "-" can now be used to indicate 'no salt'.  [RT #30099]
 - Prevents race conditions (address use after free) that could be
   encountered when named is shutting down and releasing structures
   used to manage recursive clients.  [RT #30241]
 - Static-stub zones now accept "forward" and "forwarders" options
   (often needed for subdomains of the zone referenced to override
   global forwarding options).  These options are already available
   with traditional stub zones and their omission from zones of
   type "static-stub" was an inadvertent oversight. [RT #30482]
 - Limits the TTL of signed RRsets in cache when their RRSIGs are
   approaching expiry. This prevents the persistence in cache of
   invalid RRSIGs in order to assist recovery from a situation where
   zone re-signing doesn't occur in a timely manner.   With this
   change, named will attempt to obtain new RRSIGs from the
   authoritative server once the original ones have expired, and
   even if the TTL of the old records would in other circumstances
   cause them to be kept in cache for longer.  [RT #26429]
 - Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures
   could accidentally occur with unpredictable results.  [RT #25181]
 - Improves OpenSSL error logging [RT #29932] 
 - The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]
 - The host command should no longer assert on some architectures
   and builds while handling the time values used with the -w (wait
   forever) option.  [RT #18723]
 - Invalid zero settings for max-retry-time, min-retry-time,
   max-refresh-time, min-refresh-time will now be detected during
   parsing of named.conf and an error emitted instead of triggering
   an assertion failure on startup.  [RT #27730]
 - Removes spurious newlines from log messages in zone.c [RT #30675] 
 - When built with readline support (i.e. on a system with readline
   installed) nsupdate no longer terminates unexpectedly in interactive
   mode. [RT #29550]
 - All named tasks that perform task-exclusive operations now share
   the same single task.  Prior to this change, there was the
   possibility of a race condition between rndc operations and other
   functions such 
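The dnssec-checkds tool described in the New Features section works out which DS record a parent zone should carry for a child's DNSKEY and then looks that record up. The following Python is an added example, not ISC's tool: it implements the DS derivation from RFC 4034 (section 5 for the digest over the canonical owner name plus DNSKEY RDATA, Appendix B for the key tag) and checks the result against a parent DS set that is constructed inline rather than queried from the DNS. The DNSKEY, owner name and parent set are all constructed sample values; the tiny fake public key is chosen so the key tag can be verified by hand.

```python
"""Derive the DS record a parent should publish for a child's DNSKEY and
check it against a (constructed) parent DS set.

Added example, not ISC code.  Follows RFC 4034 section 5 (DS RDATA) and
Appendix B.1 (key tag for every algorithm except RSAMD5).
"""
import hashlib
import struct

# DS digest types from the IANA registry (RFC 4034 / RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a DNS name (RFC 4034 section 6.2):
    lower-case, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1: 16-bit one's-complement-style sum
    of the RDATA, folded once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey: bytes, digest_type: int = DIGEST_SHA256) -> dict:
    """DS fields {key_tag, algorithm, digest_type, digest} the parent should
    publish for this DNSKEY.  digest = hash(canonical owner || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_published(expected: dict, parent_ds_set: list) -> bool:
    """True if the parent's DS set contains a DS matching the expected one.
    Digest comparison is case-insensitive because DS digests are hex."""
    return any(
        ds["key_tag"] == expected["key_tag"]
        and ds["algorithm"] == expected["algorithm"]
        and ds["digest_type"] == expected["digest_type"]
        and ds["digest"].lower() == expected["digest"].lower()
        for ds in parent_ds_set
    )


# Constructed sample: a KSK (flags 257, protocol 3, algorithm 13) with a
# deliberately tiny fake public key, so the key tag can be checked by hand:
# 0x0101 + 0x030D + 0x0001 + 0x0002 = 0x0411 = 1041.
SAMPLE_OWNER = "Example.COM."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 13
SAMPLE_PUBKEY = b"\x00\x01\x00\x02"

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_PUBKEY)
    print("expected DS:", ds)
    # Constructed parent DS set: one stale entry plus the matching one.
    parent = [{"key_tag": 1, "algorithm": 13, "digest_type": 2, "digest": "00" * 32}, ds]
    print("published in parent:", ds_published(ds, parent))
```

A real check would replace the constructed parent set with the DS RRset fetched from the parent's authoritative servers; the comparison logic stays the same, and the owner name must be the child apex in canonical (lower-case) form or the digest will not match.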

BIND 9.8.4rc1 is now available

2012-09-05 Thread Michael McNally
Introduction

   BIND 9.8.4rc1 is the first release candidate of BIND 9.8.4

   This document summarizes changes from BIND 9.8.3 to BIND 9.8.4rc1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

 - Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025]
 - A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667]  [RT #29644]

New Features

 - Elliptic Curve Digital Signature Algorithm keys and signatures
   in DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

 - Improves OpenSSL error logging [RT #29932]
 - nslookup now returns a nonzero exit code when it is unable to
   get an answer.  [RT #29492]

Bug Fixes

 - Static-stub zones now accept "forward" and "forwarders" options
   (often needed for subdomains of the zone referenced to override
   global forwarding options).  These options are already available
   with traditional stub zones and their omission from zones of
   type "static-stub" was an inadvertent oversight. [RT #30482]
 - Limits the TTL of signed RRsets in cache when their RRSIGs are
   approaching expiry. This prevents the persistence in cache of
   invalid RRSIGs in order to assist recovery from a situation where
   zone re-signing doesn't occur in a timely manner.   With this
   change, named will attempt to obtain new RRSIGs from the
   authoritative server once the original ones have expired, and
   even if the TTL of the old records would in other circumstances
   cause them to be kept in cache for longer.  [RT #26429]
 - Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures
   could accidentally occur with unpredictable results.  [RT #25181]
 - The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]
 - The host command should no longer assert on some architectures
   and builds while handling the time values used with the -w (wait
   forever) option.  [RT #18723]
 - Invalid zero settings for max-retry-time, min-retry-time,
   max-refresh-time, min-refresh-time will now be detected during
   parsing of named.conf and an error emitted instead of triggering
   an assertion failure on startup.  [RT #27730]
 - Removes spurious newlines from log messages in zone.c [RT #30675] 
 - When built with readline support (i.e. on a system with readline
   installed) nsupdate no longer terminates unexpectedly in interactive
   mode. [RT #29550]
 - All named tasks that perform task-exclusive operations now share
   the same single task.  Prior to this change, there was the
   possibility of a race condition between rndc operations and other
   functions such as re-sizing the adb hash table.  If the race
   condition was encountered, named would in most cases terminate
   unexpectedly with an assert.  [RT #29872]
 - Ensures that servers are expired from the ADB cache when the
   timeout limit is reached so that their learned attributes can
   be refreshed.  Prior to this change, servers that were frequently
   queried might never have their entries removed and reinitialized.
   This is of particular importance to DNSSEC-validating recursive
   servers that might erroneously set "no-edns" for an authoritative
   server following a period of intermittent connectivity. [RT #29856]
 - Adds additional resilience to a previous security change (3218)
   by preventing RRSIG data from being added to cache when a
   pseudo-record matching the covering type and proving non-existence
   exists at a higher trust level. The earlier change prevented
   this inconsistent data from being retrieved from cache in response
   to client queries  - with this additional change, the RRSIG
   records are no longer inserted into cache at all. [RT #26809]
 - dnssec-settime will now issue a warning when the writing of a
   new private key file would cause a change in the permissions of
   the existing file. [RT #27724]
 - Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in exces

BIND 9.6-ESV-R8rc1 is now available

2012-09-05 Thread Michael McNally
Introduction

   BIND 9.6-ESV-R8rc1 is the first release candidate of BIND
   9.6-ESV-R8.

   BIND 9.6-ESV is an Extended Support Version of BIND.

   This document summarizes changes from BIND 9.6-ESV-R7 to BIND
   9.6-ESV-R8rc1.  Please see the CHANGES file in the source code
   release for a complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

 - Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025]
 - A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

 - None

Feature Changes

 - Improves OpenSSL error logging [RT #29932]
 - nslookup now returns a nonzero exit code when it is unable to
   get an answer.  [RT #29492]

Bug Fixes

 - The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]
 - The host command should no longer assert on some architectures
   and builds while handling the time values used with the -w (wait
   forever) option.  [RT #18723]
 - Invalid zero settings for max-retry-time, min-retry-time,
   max-refresh-time, min-refresh-time will now be detected during
   parsing of named.conf and an error emitted instead of triggering
   an assertion failure on startup.  [RT #27730]
 - Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures
   could accidentally occur with unpredictable results.  [RT #25181]
 - Removes spurious newlines from log messages in zone.c [RT #30675]
 - When built with readline support (i.e. on a system with readline
   installed) nsupdate no longer terminates unexpectedly in interactive
   mode. [RT #29550]
 - Ensures that servers are expired from the ADB cache when the
   timeout limit is reached so that their learned attributes can
   be refreshed.  Prior to this change, servers that were frequently
   queried might never have their entries removed and reinitialized.
   This is of particular importance to DNSSEC-validating recursive
   servers that might erroneously set "no-edns" for an authoritative
   server following a period of intermittent connectivity. [RT
   #29856]
 - Adds additional resilience to a previous security change (3218)
   by preventing RRSIG data from being added to cache when a
   pseudo-record matching the covering type and proving non-existence
   exists at a higher trust level. The earlier change prevented
   this inconsistent data from being retrieved from cache in response
   to client queries  - with this additional change, the RRSIG
   records are no longer inserted into cache at all. [RT #26809]
 - The tests on random jitter values that are used when handling
   zone refreshes have been relaxed. Prior to this change named
   could terminate unexpectedly when processing stub zones. [RT #29821]
 - Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive
   CPU usage in some cases).  [RT #29952]
 - It is now possible to use multiple control keys again - this
   functionality was inadvertently broken by change #3924 (RT #28265)
   which addressed a memory leak. [RT #29694]
 - Setting resolver-query-timeout too low could cause named problems
   recovering after a loss of connectivity.  [RT #29623]
 - Reduces the potential build-up of stale RRsets in cache on a
   busy recursive nameserver by re-using cached DS and RRSIG rrsets
   when possible [RT #29446]
 - Upper-case/lower-case handling of RRSIG signer-names is now
   handled consistently: RRSIG records are generated with the
   signer-name in lower case. They are accepted with any case, but
   if they fail to validate, we try again in lower case. [RT #27451]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium

BIND 9.7.7rc1 is now available

2012-09-05 Thread Michael McNally
Introduction 

   BIND 9.7.7rc1 is the first release candidate of BIND 9.7.7

   This document summarizes changes from BIND 9.7.6 to BIND 9.7.7rc1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

 - Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025]
 - A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667]  [RT #29644]

New Features

 - None

Feature Changes

 - Improves OpenSSL error logging [RT #29932]
 - nslookup now returns a nonzero exit code when it is unable to
   get an answer.  [RT #29492]

Bug Fixes

 - Limits the TTL of signed RRsets in cache when their RRSIGs are
   approaching expiry. This prevents the persistence in cache of
   invalid RRSIGs in order to assist recovery from a situation where
   zone re-signing doesn't occur in a timely manner.   With this
   change, named will attempt to obtain new RRSIGs from the
   authoritative server once the original ones have expired, and
   even if the TTL of the old records would in other circumstances
   cause them to be kept in cache for longer.  [RT #26429]
 - The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]
 - The host command should no longer assert on some architectures
   and builds while handling the time values used with the -w (wait
   forever) option.  [RT #18723]
 - Invalid zero settings for max-retry-time, min-retry-time,
   max-refresh-time, min-refresh-time will now be detected during
   parsing of named.conf and an error emitted instead of triggering
   an assertion failure on startup.  [RT #27730]
 - Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures
   could accidentally occur with unpredictable results.  [RT #25181]
 - Removes spurious newlines from log messages in zone.c [RT #30675] 
 - When built with readline support (i.e. on a system with readline
   installed) nsupdate no longer terminates unexpectedly in interactive
   mode. [RT #29550]
 - Ensures that servers are expired from the ADB cache when the
   timeout limit is reached so that their learned attributes can
   be refreshed.  Prior to this change, servers that were frequently
   queried might never have their entries removed and reinitialized.
   This is of particular importance to DNSSEC-validating recursive
   servers that might erroneously set "no-edns" for an authoritative
   server following a period of intermittent connectivity. [RT
   #29856]
 - Adds additional resilience to a previous security change (3218)
   by preventing RRSIG data from being added to cache when a
   pseudo-record matching the covering type and proving non-existence
   exists at a higher trust level. The earlier change prevented
   this inconsistent data from being retrieved from cache in response
   to client queries  - with this additional change, the RRSIG
   records are no longer inserted into cache at all. [RT #26809]
 - dnssec-settime will now issue a warning when the writing of a
   new private key file would cause a change in the permissions of
   the existing file. [RT #27724]
 - Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive
   CPU usage in some cases).  [RT #29952]
 - It is now possible to use multiple control keys again - this
   functionality was inadvertently broken by change #3924 (RT #28265)
   which addressed a memory leak. [RT #29694]
 - Reduces the potential build-up of stale RRsets in cache on a
   busy recursive nameserver by re-using cached DS and RRSIG rrsets
   when possible [RT #29446]
 - Upper-case/lower-case handling of RRSIG signer-names is now
   handled consistently: RRSIG records are generated with the
   signer-name in lower case. They are accepted with any case, but
   if they fail to validate, we try again in lower case. [RT #27451]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to ma
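The RT #26429 fix listed in the 9.9.2rc1, 9.8.4rc1 and 9.7.7rc1 bug-fix sections caps the cache TTL of a signed RRset by the remaining validity of its RRSIG, so that an expired signature is not served from cache and the resolver goes back to the authoritative server. The Python below is an added example, not BIND's own code: it applies the rule from RFC 4035 section 5.3.3 (a cached signed RRset's TTL may not exceed the time left until its RRSIG expires, nor the RRSIG's original TTL) and treats a signature outside its inception/expiration window as unusable. The RRSIG timestamps and TTLs are constructed sample values.

```python
"""Cap a signed RRset's cache TTL by its RRSIG validity window.

Added example, not BIND code.  Implements the RFC 4035 section 5.3.3 rule
on constructed sample values.
"""
from datetime import datetime, timezone


def parse_rrsig_time(value: str) -> int:
    """RRSIG presentation-format timestamps are YYYYMMDDHHmmSS in UTC
    (RFC 4034 section 3.2); return seconds since the Unix epoch."""
    return int(datetime.strptime(value, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def cache_ttl(rrset_ttl: int, rrsig_original_ttl: int,
              rrsig_inception: str, rrsig_expiration: str, now: int) -> int:
    """Seconds the signed RRset may remain in cache from `now`.

    Returns 0 when the signature is not yet valid or has expired, so the
    caller re-queries the authoritative server instead of keeping records
    whose signature can no longer be validated (the situation the release
    note describes after late zone re-signing)."""
    if now < parse_rrsig_time(rrsig_inception):
        return 0
    remaining = parse_rrsig_time(rrsig_expiration) - now
    if remaining <= 0:
        return 0
    return min(rrset_ttl, rrsig_original_ttl, remaining)


# Constructed sample: an RRset with a one-hour TTL whose RRSIG expires five
# minutes after "now"; the cache must keep it for 300 s, not 3600 s.
SAMPLE_NOW = parse_rrsig_time("20120905120000")
SAMPLE_INCEPTION = "20120829120000"
SAMPLE_EXPIRATION = "20120905120500"

if __name__ == "__main__":
    print("capped TTL:", cache_ttl(3600, 3600, SAMPLE_INCEPTION, SAMPLE_EXPIRATION, SAMPLE_NOW))
    print("after expiry:", cache_ttl(3600, 3600, SAMPLE_INCEPTION, SAMPLE_EXPIRATION, SAMPLE_NOW + 600))
```

Without the cap, the 3600-second RRset TTL would keep records in cache for 55 minutes after their only signature had expired; with it, the resolver asks for fresh RRSIGs as soon as the old ones lapse, which is the recovery behaviour the release note describes.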

BIND 9.9.1-P3 is now available

2012-09-12 Thread Michael McNally
Introduction

   BIND 9.9.1-P3 is the latest production release of BIND 9.9.

   This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P3.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes.  [RT #30416]

   Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized.  [RT #30025]

   ISC_QUEUE handling for recursive clients was updated to address
   a race condition that could cause a memory leak.  This rarely
   occurred with UDP clients, but could be a significant problem
   for a server handling a steady rate of TCP queries.  [RT #29539
   & #30233]

   A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

New Features

   None

Feature Changes

   BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

   A note will be added to the README in future releases to explain
   that the improved scalability provided by using multiple threads
   to listen for and process queries (change 3137, RT #22992) does
   not provide any performance benefit when running BIND on versions
   of the linux kernel that do not include the 'lockless UDP transmit
   path' changes that were incorporated in 2.6.39.  (Some linux
   distributors may have provided this functionality under their
   own version numbering systems).

Bug Fixes

   Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive
   CPU usage in some cases).  [RT #29952]

   The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

   Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

   named-checkconf now correctly validates dns64 clients acl
   definitions. [RT #27631]

   Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

   Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

   Improves DNS64 reverse zone performance. [RT #28563]

   Adds wire format lookup method to sdb. [RT #28563]

   Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

   Prevents intermittent named crashes following an rndc reload [RT #28606]

   Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

   A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

   Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

   SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

   Prevents named crashes as a result of dereferencing a NULL pointer
   in zmgr_start_xfrin_ifquota if the zone was being removed while
   there were zone transfers still pending [RT #28419]

   Corrects a parser bug that could cause named to crash while
   reading a malformed zone file. [RT #28467]

   Ensures that when a client recurses its status fields are
   consistently set so that named doesn't fail on an INSIST in
   client.c:exit_check. [RT #28346]

   Fixed a problem preventing proper use of 64 bit time values in
   libbind. [RT #26542]

   isccc/cc.c:table_fromwire could fail to free an allocated object
   on error, leading to a possible memory leak condition. [RT #28265]

   Fixed a build error on systems without ENOTSUP.  [RT #28200] 

   The header file isc/hmacsha.h is now installed when building
   BIND. [RT #28169]

    responses will no longer be returned in the additional
   sect

BIND 9.6-ESV-R7-P3 is now available

2012-09-12 Thread Michael McNally
Introduction

   BIND 9.6-ESV-R7-P3 is the latest production release of BIND
   9.6-ESV.

   BIND 9.6-ESV is an Extended Support Version of BIND 9.

   This document summarizes changes from BIND 9.6-ESV-R6 to BIND
   9.6-ESV-R7-P3.  Please see the CHANGES file in the source code
   release for a complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on http://www.isc.org/support
   for paid support options.  Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes.  [RT #30416]

   Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized.  [RT #30025]

   A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

New Features

   None

Feature Changes

   BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

   Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive
   CPU usage in some cases).  [RT #29952]

   The tests on random jitter values that are used when handling
   zone refreshes have been relaxed.  Prior to this change named
   could terminate unexpectedly when processing stub zones.  [RT #19821]

   The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

   Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

   Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

   Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

   Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

   A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

   Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

   SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


BIND 9.7.6-P3 is now available

2012-09-12 Thread Michael McNally
Introduction

   BIND 9.7.6-P3 is the latest production release of BIND 9.7.

   This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P3.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on http://www.isc.org/support
   for paid support options.  Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes.  [RT #30416]

   Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized.  [RT #30025]

   A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

New Features

   None

Feature Changes

   BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

   Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive
   CPU usage in some cases).  [RT #29952]

   The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

   Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

   Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

   Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

   Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

   Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

   A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

   Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

   SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


BIND 9.8.3-P3 is now available

2012-09-12 Thread Michael McNally
Introduction

   BIND 9.8.3-P3 is the latest production release of BIND 9.8.

   This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P3.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.


Support

   Product support information is available on http://www.isc.org/support
   for paid support options. Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes.  [RT #30416]

   Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized.  [RT #30025]

   A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

New Features

   None

Feature Changes

   BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

   Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive
   CPU usage in some cases).  [RT #29952]

   The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

   Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

   named-checkconf now correctly validates dns64 clients acl
   definitions. [RT #27631]

   Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

   Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

   Improves DNS64 reverse zone performance. [RT #28563]

   Adds wire format lookup method to sdb. [RT #28563]

   Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

   Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

   A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

   Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

   SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible.  If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


ISC Security Advisory: A Specially Crafted Resource Record Could Cause named to Terminate

2012-09-12 Thread Michael McNally
Note:

  This email advisory is provided for your information. The most
  up to date advisory information will always be at:
  https://kb.isc.org/article/AA-00778; please use this URL for the
  most up to date advisory information.

---

CVE-2012-4244: A specially crafted Resource Record could cause named
   to terminate

A nameserver can be caused to exit with a REQUIRE exception if it
can be induced to load a specially crafted resource record.

CVE: CVE-2012-4244
Document Version:  2.0
Posting date: 12 September 2012
Program Impacted: BIND
Versions affected:
   9.0.x -> 9.6.x, 9.4-ESV->9.4-ESV-R5-P1, 9.6-ESV->9.6-ESV-R7-P2,
   9.7.0->9.7.6-P2, 9.8.0->9.8.3-P2, 9.9.0->9.9.1-P2
Severity: Critical
Exploitable: Remotely

Description:

   If a record with RDATA in excess of 65535 bytes is loaded into
   a nameserver, a subsequent query for that record will cause named
   to exit with an assertion failure.

   Please Note: Versions of BIND 9.4 and 9.5 are also affected, but
   these branches are beyond their "end of life" (EOL) and no longer
   receive testing or security fixes from ISC. For current information
   on which versions are actively supported, please see
   http://www.isc.org/software/bind/versions.

Impact:

   This vulnerability can be exploited remotely against recursive
   servers by inducing them to query for records provided by an
   authoritative server. It affects authoritative servers if a zone
   containing this type of resource record is loaded from file or
   provided via zone transfer.

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds:  None are known at this time.

Active exploits:  No known active exploits.

Solution: 

   Upgrade to the patched version or new release most closely related
   to your current version of BIND.

   The patched versions (-P3) of BIND can be downloaded from
   http://www.isc.org/downloads/all.  The new release versions will
   be available within the next week.

   BIND 9 version 9.7.7, 9.7.6-P3
   BIND 9 version 9.6-ESV-R8, 9.6-ESV-R7-P3
   BIND 9 version 9.8.4, 9.8.3-P3
   BIND 9 version 9.9.2, 9.9.1-P3


Document Revision History:

   1.0 - 4 Sept., 2012  Advance Notification to Phase 1
   1.1 - 6 Sept. 2012 Corrected error in Description (65535 bytes)
   1.2 - 11 Sept. 2012 Phase 2 & 3 notified
   2.0 - 12 Sept. 2012 Phase 4 - Public Released

Related Documents:

   See our BIND Security Matrix for a complete listing of Security
   Vulnerabilities and versions affected.

   If you'd like more information on our Forum or product support
   please visit www.isc.org/software/guild or www.isc.org/support.

Do you still have questions?  Questions regarding this advisory
should go to security-offi...@isc.org

Note: ISC patches only currently supported versions. When possible
we indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy:  Details of our current
security advisory policy and practice can be found here:
https://www.isc.org/security-vulnerability-disclosure-policy

The Knowledge Base article https://kb.isc.org/article/AA-00778 is
the complete and official security advisory document.  There is
also a summary article located on our website and linking to here:
https://www.isc.org/software/bind/advisories/cve-2012-4244

Legal Disclaimer: 

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be implied. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use or reliance on this notice or materials referred to in this
   notice is at your own risk. ISC may change this notice at any
   time.  A stand-alone copy or paraphrase of the text of this
   document that omits the document URL is an uncontrolled copy.
   Uncontrolled copies may lack important information, be out of
   date, or contain factual errors.

(c) 2001-2012 Internet Systems Consortium

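The version ranges in the advisory above, turned into a fleet triage check (an added example, not ISC's code or tooling): it assumes version strings in the form `named -v` prints, such as `BIND 9.7.6-P2`, and the hostnames in the sample inventory are constructed.

```python
"""Triage helper for CVE-2012-4244: classify BIND version strings against the
affected and fixed ranges stated in the ISC advisory. Added example, not ISC code."""
import re
from typing import Dict, Iterable, Tuple

# First patched release per branch, from the advisory's Solution section, as a
# (level, -P) pair: 9.6-ESV-R7-P3, 9.7.6-P3, 9.8.3-P3, 9.9.1-P3. Later releases
# in the same branch (9.6-ESV-R8, 9.7.7, 9.8.4, 9.9.2) compare higher and are
# therefore also reported as fixed.
FIXED_IN: Dict[str, Tuple[int, int]] = {
    "9.6-ESV": (7, 3),
    "9.7": (6, 3),
    "9.8": (3, 3),
    "9.9": (1, 3),
}

# Branches the advisory lists as affected with no patched release (9.0.x through
# 9.6.x and 9.4-ESV are end-of-life), so every version in them is affected.
EOL_AFFECTED = {"9.0", "9.1", "9.2", "9.3", "9.4", "9.5", "9.6", "9.4-ESV"}

# Accepts "BIND 9.7.6-P2", "9.6-ESV-R7-P3", "9.9.1-P3-RedHat-..." and similar.
# Pre-release strings such as "9.8.2rc1" are deliberately rejected.
_VERSION_RE = re.compile(
    r"^(?:BIND\s+)?"
    r"(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+))?"
    r"(?P<esv>-ESV)?(?:-R(?P<r>\d+))?"
    r"(?:-P(?P<p>\d+))?"
    r"(?:[-\s]|$)"
)


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (level, p)) for a BIND version string.

    For mainline branches 'level' is the third number (9.7.6 -> 6); for ESV
    branches it is the -R number (9.6-ESV-R7 -> 7). Within one branch, plain
    tuple comparison of (level, P) gives release order.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    branch = f"{m['major']}.{m['minor']}" + ("-ESV" if m["esv"] else "")
    level = m["r"] if m["esv"] else m["patch"]
    return branch, (int(level or 0), int(m["p"] or 0))


def check_cve_2012_4244(text: str) -> str:
    """Classify a version as 'affected', 'fixed' or 'unknown' (not covered by the advisory)."""
    branch, key = parse_version(text)
    if branch in FIXED_IN:
        return "fixed" if key >= FIXED_IN[branch] else "affected"
    if branch in EOL_AFFECTED:
        return "affected"
    return "unknown"


def triage_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Map 'hostname <version string>' lines to a status per host.

    A version match alone is not proof of exposure: distribution packages may
    carry backported fixes under an old version number, so 'affected' means
    'verify against the vendor's changelog', not 'confirmed vulnerable'.
    """
    result: Dict[str, str] = {}
    for line in lines:
        host, _, version = line.strip().partition(" ")
        if not host:
            continue
        try:
            result[host] = check_cve_2012_4244(version)
        except ValueError:
            result[host] = "unparsed"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        "ns1.example.test BIND 9.7.6-P2",
        "ns2.example.test BIND 9.7.6-P3",
        "ns3.example.test BIND 9.6-ESV-R7-P2",
        "ns4.example.test BIND 9.9.2",
        "ns5.example.test BIND 9.6.2",
        "ns6.example.test BIND 9.8.2rc1",
    ]
    for host, status in sorted(triage_inventory(sample).items()):
        print(f"{host:20s} {status}")
```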

Re: BIND 9.6-ESV-R7-P3 is now available

2012-09-13 Thread Michael McNally

On 9/13/12 2:01 AM, pangj wrote:

> Should we use the latest 9.9 version of BIND instead of others 9.x?

At the current moment, ISC develops and provides patches for four
different version sequences of BIND 9:

  BIND 9.6-ESV
  BIND 9.7
  BIND 9.8
& BIND 9.9

They are intended to serve slightly different functions for different
users.

BIND 9.6-ESV is an "Extended Support Version" of BIND (as indicated
by the "-ESV" suffix).  Though 9.6 is no longer being actively developed,
ISC made a commitment to continue supporting the existing code with
security patches and bug fixes through March 2013.

BIND 9.7 is about to reach its "End of Life" (aka EOL.)  It was
originally predicted to reach its final version in August 2012,
after which it would receive no more updates (except possibly in
very unusual circumstances.)  Its EOL has been pushed back to
this month, but when BIND 9.7.7 comes out (before the end of this
month) that is expected to be the final release version of BIND 9.7.
Consequently you should not now be changing to the 9.7 line but if
you are on 9.7 you can upgrade to 9.7.6-P3 or 9.7.7 while you
make plans to migrate to 9.8 or 9.9.

BIND 9.8 will be the next version to become an Extended Support Version
and will be supported for several years hence.  BIND 9.8 is stable,
reasonably mature, and will be supported with some feature improvements
and all bug fixes.

And BIND 9.9 is the version which is currently receiving the most
development effort for new features and functionality.




Re: BIND 9.6-ESV-R7-P3 is now available

2012-09-14 Thread Michael McNally

On 9/13/12 3:03 PM, Michael McNally wrote:


> BIND 9.8 will be the next version to become an Extended Support Version
> and will be supported for several years hence.  BIND 9.8 is stable,
> reasonably mature, and will be supported with some feature improvements
> and all bug fixes.


I erred when composing this response to list user "pangj."

Actually BIND 9.9 will be the basis for the next sequence of
Extended Support Versions.

BIND 9.8 is scheduled to continue to receive support and
improvements and no End of Life date has been announced for
it (for full details, see: https://www.isc.org/software/bind/versions )
but going forward, BIND 9.9 is going to be the basis for the next
ESV.



Re: Moving from "type forward" to "type static-stub"

2012-09-21 Thread Michael Sinatra
On 9/20/12 5:49 PM, Oscar Ricardo Silva wrote:

> If I'm correct, it will send non-recursive queries to the listed servers
> and will honor delegations. I've tested this configuration in our lab
> and it all appears to be working.

Yup, static stub will do exactly that.

> With our configuration, are there any downsides to changing from forward
> zones to static-stub?  Any gotchas I should know about?

I am pretty sure that the recursive server will still cache the entries
it receives from the static-stub server.  If your goal is for
"instantaneous" updates on your recursives when your authoritatives get
update, I don't think it will work as well as just slaving the zones.

If the goal is for the recursives to see an internal view of the zones,
then static-stub will work great.

> At this time we
> don't have dnssec validation turned on.  We tried it and had too many
> problems with misconfigured domains not resolving properly so backed out.

It's time to back in again (front in?).  Now that Comcast is validating,
any mistakes that people make will get fixed right quick.  1.7 million
people doing validation is good incentive to get things right and fix
them quickly.  At UC Berkeley, validation has been turned on for four
years now and only a handful of domains have required "special handling."

All of the emphasis on signing for DNSSEC is great, but DNSSEC can't
really work without validation.

michael


Re: 10.in-addr.arpa Forwarder Zone

2012-09-28 Thread Michael McNally

On 9/27/12 4:06 PM, Eric R wrote:


> When I query for, as an example, 1.2.3.10.inaddr.arpa (PTR),
> I expect BIND to query the 1.2.3.4 forwarder and return the
> response provided by 1.2.3.4.  With BIND version 9.6.1-P1,
> this works as expected. However with version 9.9.1-P3, BIND

> does not attempt to query the forwarder and instead immediately
> returns an NXDOMAIN response.

Empty zone behavior has changed in 9.9, and the 10.0.0.0/8 zone
is part of the changes.

You can find a good explanation of the differences in this ISC
Knowledge Base article:

  https://deepthought.isc.org/article/AA-00804

Michael McNally
ISC Support



Re: 10.in-addr.arpa Forwarder Zone

2012-09-28 Thread Michael McNally

On 9/28/12 9:38 AM, Michael McNally wrote:


> Empty zone behavior has changed in 9.9, and the 10.0.0.0/8 zone
> is part of the changes.
>
> You can find a good explanation of the differences in this ISC
> Knowledge Base article:
>
>    https://deepthought.isc.org/article/AA-00804


Oh drat -- that's the wrong empty zone article.

The information you want is in *this* article:

  https://deepthought.isc.org/article/AA-00803

Please forgive my error.

Michael McNally
ISC Support



BIND 9.7.7 is now available

2012-10-09 Thread Michael McNally
Introduction

   BIND 9.7.7 is the latest production release of BIND 9.7.

   This document summarizes changes from BIND 9.7.6 to BIND 9.7.7.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on our
   web site at http://www.isc.org/downloads/all. There you will find
   additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A deliberately constructed combination of records could cause
   named to hang while populating the additional section of a
   response. [CVE-2012-5166] [RT #31090]

*  Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes  [CVE-2012-4244]  [RT #30416]

*  Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025]

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667]  [RT #29644]

New Features

*  None

Feature Changes

*  Improves OpenSSL error logging [RT #29932]

*  nslookup now returns a nonzero exit code when it is unable to get
   an answer.  [RT #29492]

Bug Fixes

*  Uses binary mode to open raw files on Windows.  [RT #30944]

*  Limits the TTL of signed RRsets in cache when their RRSIGs are
   approaching expiry. This prevents the persistence in cache of
   invalid RRSIGs in order to assist recovery from a situation where
   zone re-signing doesn't occur in a timely manner.   With this
   change, named will attempt to obtain new RRSIGs from the
   authoritative server once the original ones have expired, and even
   if the TTL of the old records would in other circumstances cause
   them to be kept in cache for longer.  [RT #26429]

*  The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]

*  The host command should no longer assert on some architectures and
   builds while handling the time values used with the -w (wait
   forever) option.  [RT #18723]

*  Invalid zero settings for max-retry-time, min-retry-time,
   max-refresh-time, min-refresh-time will now be detected during
   parsing of named.conf and an error emitted instead of triggering an
   assertion failure on startup.  [RT #27730] 

*  Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures could
   accidentally occur with unpredictable results.  [RT #25181]

*  Removes spurious newlines from log messages in zone.c [RT #30675]

*  When built with readline support (i.e. on a system with readline
   installed) nsupdate no longer terminates unexpectedly in
   interactive mode. [RT #29550] 

*  Ensures that servers are expired from the ADB cache when the
   timeout limit is reached so that their learned attributes can be
   refreshed.  Prior to this change, servers that were frequently
   queried might never have their entries removed and reinitialized.
   This is of particular importance to DNSSEC-validating recursive
   servers that might erroneously set "no-edns" for an authoritative
   server following a period of intermittent connectivity. [RT #29856]

*  Adds additional resilience to a previous security change (3218) by
   preventing RRSIG data from being added to cache when a
   pseudo-record matching the covering type and proving non-existence
   exists at a higher trust level. The earlier change prevented this
   inconsistent data from being retrieved from cache in response to
   client queries  - with this additional change, the RRSIG records
   are no longer inserted into cache at all. [RT #26809]

*  dnssec-settime will now issue a warning when the writing of a new
   private key file would cause a change in the permissions of the
   existing file. [RT #27724]

*  Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive CPU
   usage in some cases).  [RT #29952]

*  It is now possible to use multiple control keys again - this
   functionality was inadvertently broken by change #3924 (RT #28265)
   which addressed a memory leak. [RT #29694]

*  Reduces the potential build-up of stale RRsets in cache on a busy
   recursive nameserver by re-using cached DS and RRSIG rrsets when
   possible [RT #29446]

*  Upper-case/lower-case handling of RRSIG signer-names i

BIND 9.9.2 is now available

2012-10-09 Thread Michael McNally
Introduction

   BIND 9.9.2 is the latest production release of BIND 9.9.

   This document summarizes changes from BIND 9.9.1 to BIND 9.9.2.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on our
   web site at http://www.isc.org/downloads/all. There you will find
   additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A deliberately constructed combination of records could cause named
   to hang while populating the additional section of a response.
   [CVE-2012-5166] [RT #31090]

*  Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]

*  Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025] 

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667]  [RT #29644]

*  ISC_QUEUE handling for recursive clients was updated to address a
   race condition that could cause a memory leak. This rarely occurred
   with UDP clients, but could be a significant problem for a server
   handling a steady rate of TCP queries. [CVE-2012-3868]  [RT #29539
   & #30233]

New Features

*  Elliptic Curve Digital Signature Algorithm keys and signatures in
   DNSSEC are now supported per RFC 6605. [RT #21918]

*  Introduces a new tool "dnssec-checkds" command that checks a zone
   to determine which DS records should be published in the parent
   zone, or which DLV records should be published in a DLV zone, and
   queries the DNS to ensure that it exists. (Note: This tool depends
   on python; it will not be built or installed on systems that do not
   have a python interpreter.)  [RT #28099]

*  Introduces a new tool "dnssec-verify" that validates a signed zone,
   checking for the correctness of signatures and NSEC/NSEC3 chains.
   [RT #23673]

*  Adds configuration option "max-rsa-exponent-size ;" that can
   be used to specify the maximum rsa exponent size that will be
   accepted when validating [RT #29228]

Feature Changes

*  Improves OpenSSL error logging [RT #29932]

*  nslookup now returns a nonzero exit code when it is unable to get
   an answer.  [RT #29492]

Bug Fixes

*  Uses binary mode to open raw files on Windows.  [RT #30944]

*  When using DNSSEC inline signing with "rndc signing -nsec3param", a
   salt value of "-" can now be used to indicate 'no salt'.
   [RT #30099]

*  Prevents race conditions (address use after free) that could be
   encountered when named is shutting down and releasing structures
   used to manage recursive clients.  [RT #30241] 

*  Static-stub zones now accept "forward" and "forwarders" options
   (often needed for subdomains of the zone referenced to override
   global forwarding options).  These options are already available
   with traditional stub zones and their omission from zones of type
   "static-stub" was an inadvertent oversight. [RT #30482] 

*  Limits the TTL of signed RRsets in cache when their RRSIGs are
   approaching expiry. This prevents the persistence in cache of
   invalid RRSIGs in order to assist recovery from a situation where
   zone re-signing doesn't occur in a timely manner.   With this
   change, named will attempt to obtain new RRSIGs from the
   authoritative server once the original ones have expired, and even
   if the TTL of the old records would in other circumstances cause
   them to be kept in cache for longer.  [RT #26429]

*  Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures could
   accidentally occur with unpredictable results.  [RT #25181]

*  Improves OpenSSL error logging [RT #29932]

*  The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]

*  The host command should no longer assert on some architectures and
   builds while handling the time values used with the -w (wait
   forever) option.  [RT #18723]

*  Invalid zero settings for max-retry-time, min-retry-time,
   max-refresh-time, min-refresh-time will now be detected during
   parsing of named.conf and an error emitted instead of triggering an
   assertion failure on startup.  [RT #27730] 

*  Removes spurious newlines from log messages in zone.c [RT #30675]

*  

BIND 9.9.1-P4 is now available

2012-10-09 Thread Michael McNally
Introduction

   BIND 9.9.1-P4 is the latest production release of BIND 9.9.1 (BIND
   9.9.2 is also available for download and is the latest production
   release of BIND 9.9).

   This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P4.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on our
   web site at http://www.isc.org/downloads/all. There you will find
   additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A deliberately constructed combination of records could cause named
   to hang while populating the additional section of a response.
   [RT #31090]

*  Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes.  [RT #30416]

*  Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized.  [RT #30025] 

*  ISC_QUEUE handling for recursive clients was updated to address a
   race condition that could cause a memory leak.  This rarely
   occurred with UDP clients, but could be a significant problem for a
   server handling a steady rate of TCP queries.  [RT #29539 & #30233]

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

New Features

* None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

*  A note will be added to the README in future releases to explain
   that the improved scalability provided by using multiple threads to
   listen for and process queries (change 3137, RT #22992) does not
   provide any performance benefit when running BIND on versions of
   the linux kernel that do not include the 'lockless UDP transmit
   path' changes that were incorporated in 2.6.39.  (Some linux
   distributors may have provided this functionality under their own
   version numbering systems).

Bug Fixes

*  Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive CPU
   usage in some cases).  [RT #29952]

*  The locking strategy around the handling of iterative queries has
   been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239] 

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732] 

*  named-checkconf now correctly validates dns64 clients acl
   definitions. [RT #27631] 

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Improves DNS64 reverse zone performance. [RT #28563]

*  Adds wire format lookup method to sdb. [RT #28563]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571] 

*  Prevents intermittent named crashes following an rndc reload
   [RT #28606]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R  has been added to queryperf for running tests using
   non-recursive queries.  It also now builds correctly on MacOS
   version 10.7 (darwin)  [RT #28565] 

*  Named no longer crashes if gssapi is enabled in named.conf but was
   not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

*  Prevents named crashes as a result of dereferencing a NULL pointer
   in zmgr_start_xfrin_ifquota if the zone was being removed while
   there were zone transfers still pending [RT #28419] 

*  Corrects a parser bug that could cause named to crash while reading
   a malformed zone file. [RT #28467]

*  Ensures that when a client recurses its status fields are
   consistently set so that named doesn't fail on an INSIST in
   client.c:exit_check. [RT #28346] 

*  Fixed a problem preventing proper use of 64 bit time values in
   libbind. [RT #26542] 

*  isccc/cc.c:table_fromwire could fail to free an allocated object on
   error, leading to a possi

BIND 9.8.3-P4 is now available

2012-10-09 Thread Michael McNally
Introduction

   BIND 9.8.3-P4 is the latest production release of BIND 9.8.3 (BIND
   9.8.4 is also available for download and is the latest production
   release of BIND 9.8).

   This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P4.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on our
   web site at http://www.isc.org/downloads/all. There you will find
   additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/support for paid support options. Free support
   is provided by our user community via a mailing list.  Information
   on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A deliberately constructed combination of records could cause named
   to hang while populating the additional section of a response.
   [RT #31090]

*  Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes.  [RT #30416]

*  Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized.  [RT #30025] 

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities) [RT
   #28989]

Bug Fixes

*  Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive CPU
   usage in some cases).  [RT #29952]

*  The locking strategy around the handling of iterative queries has
   been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239] 

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  named-checkconf now correctly validates dns64 clients acl
   definitions. [RT #27631] 

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995] 

*  Improves DNS64 reverse zone performance. [RT #28563]

*  Adds wire format lookup method to sdb. [RT #28563] 

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571] 

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R  has been added to queryperf for running tests using
   non-recursive queries.  It also now builds correctly on MacOS
   version 10.7 (darwin)  [RT #28565] 

*  Named no longer crashes if gssapi is enabled in named.conf but was
   not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534] 

Thank You

   Thank you to everyone who assisted us in making this release
   possible.  If you would like to contribute to ISC to assist us in
   continuing to make quality open source software, please visit our
   donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


BIND 9.7.6-P4 is now available

2012-10-09 Thread Michael McNally
Introduction

   BIND 9.7.6-P4 is the latest production release of BIND 9.7.6 (BIND
   9.7.7 is also available for download, and is the latest production
   release of BIND 9.7).

   This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P4.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on our
   web site at http://www.isc.org/downloads/all. There you will find
   additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/support for paid support options.  Free support
   is provided by our user community via a mailing list.  Information
   on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A deliberately constructed combination of records could cause named
   to hang while populating the additional section of a response.
   [RT #31090]

*  Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes.  [RT #30416]

*  Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized.  [RT #30025] 

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive CPU
   usage in some cases).  [RT #29952]

*  The locking strategy around the handling of iterative queries has
   been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig.
   [RT #26732]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R  has been added to queryperf for running tests using
   non-recursive queries.  It also now builds correctly on MacOS
   version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but was
   not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534] 

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us in
   continuing to make quality open source software, please visit our
   donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


ISC New Releases: Why So Many Versions?

2012-10-09 Thread Michael McNally
Today, in response to CVE-2012-5166 (see this article for more
details:  https://kb.isc.org/article/AA-00801 ) ISC has released
eight new versions of BIND.

We realize this may be a little confusing for our users and so we
hope that this will explain the proliferation of releases and be
helpful to BIND users who are unsure which version to select.

Currently BIND has four supported development branches, BIND
9.6-ESV, 9.7, 9.8, and 9.9.  The software defect reported in
CVE-2012-5166 was reported to us after we had made public release
candidates for the next maintenance releases of each branch.
However, in the event of a security vulnerability, our policy is
to attempt to provide replacement versions which fix only the
security vulnerability, to minimize the exposure to operators that
other behavior changes may have an impact on their use of BIND.

Therefore, because of the unusual timing in the discovery of this
vulnerability we are releasing two versions for each development
branch.

Versions labeled with the suffix "-P4" are security-only versions
which include no other changes besides those necessary to address
CVE-2012-5166.

We are also releasing point releases which are release versions
superseding the previously published release candidates.  The point
release versions contain the security fix for CVE-2012-5166 *and*
contain the other bug fixes and functionality changes previously
included in the release candidates.

When selecting a replacement version you should choose a -P4 if
you are currently running a -P3 version and wish to receive ONLY
the security fix.

   9.6-ESV-R7-P4
   9.7.6-P4
   9.8.3-P4, or
   9.9.1-P4

Otherwise we recommend that you upgrade to the latest release version
of your branch, selecting from one of the releases below:

   9.6-ESV-R8
   9.7.7
   9.8.4
   9.9.2

Michael McNally
ISC Support


ISC Security Advisory: Specially Crafted DNS Data Can Cause a Lockup in named

2012-10-09 Thread Michael McNally
CVE-2012-5166: Specially crafted DNS data can cause a lockup in named

A nameserver can be locked up if it can be induced to load a specially
crafted combination of resource records.

CVE: CVE-2012-5166
Document Version:  2.0
Posting date: 9 October 2012
Program Impacted: BIND
Versions affected:
   9.2.x -> 9.6.x, 9.4-ESV->9.4-ESV-R5-P1, 9.6-ESV->9.6-ESV-R7-P3,
   9.7.0->9.7.6-P3, 9.8.0->9.8.3-P3, 9.9.0->9.9.1-P3
Severity: Critical
Exploitable: Remotely

Description:

   If specific combinations of RDATA are loaded into a nameserver,
   either via cache or an authoritative zone, a subsequent query
   for a related record will cause named to lock up.

   Please Note: All versions of BIND 9.2, 9.3, 9.4 and 9.5 are also
   affected, but these branches are beyond their "end of life" (EOL)
   and no longer receive testing or security fixes from ISC. For
   current information on which versions are actively supported,
   please see http://www.isc.org/software/bind/versions.

Impact:

   A nameserver that has become locked-up due to the problem reported
   in this advisory will not respond to queries or control commands.
   Normal functionality cannot be restored except by terminating
   and restarting named.

   This vulnerability can be exploited remotely against recursive
   servers by inducing them to query for records provided by an
   authoritative server. It affects authoritative servers if one
   of the combinations of resource records is loaded from file,
   provided via zone transfer, or submitted to a zone via dynamic
   update.

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

   For more information on the Common Vulnerability Scoring System
   and to obtain your specific environmental score please visit:
   http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds:

   Setting the option 'minimal-responses' to 'yes' will prevent the lockup.

Active exploits: 

   No known active exploits.

Solution:

   Upgrade to the patched version or new release most closely related
   to your current version of BIND. The patched versions of BIND
   and new releases can be downloaded from
   http://www.isc.org/downloads/all.

   BIND 9 version 9.7.7, 9.7.6-P4
   BIND 9 version 9.6-ESV-R8, 9.6-ESV-R7-P4
   BIND 9 version 9.8.4, 9.8.3-P4
   BIND 9 version 9.9.2, 9.9.1-P4

Acknowledgement:

   ISC would like to thank Jake Montgomery of Dyn, Inc.

Document Revision History:

   1.0 - 1 Oct., 2012  Advance Notification to Phase 1
   1.1 - 8 Oct., 2012  Notification to Phase 3
   2.0 - 9 Oct., 2012  Notification to Phase 4 (Public)

Related Documents:

   See our BIND Security Matrix for a complete listing of Security
   Vulnerabilities and versions affected.  If you'd like more
   information on our Forum or product support please visit
   www.isc.org/software/guild or www.isc.org/support.

   Do you still have questions?  Questions regarding this advisory
   should go to security-offi...@isc.org

   Note: ISC patches only currently supported versions. When possible
   we indicate EOL versions affected.

   ISC Security Vulnerability Disclosure Policy:  Details of our
   current security advisory policy and practice can be found here:
   https://www.isc.org/security-vulnerability-disclosure-policy

   The Knowledge Base article https://kb.isc.org/article/AA-00801
   is the complete and official security advisory document.  There
   is also a summary article located on our website and linking to
   here: https://www.isc.org/software/bind/advisories/cve-2012-5166

Legal Disclaimer: 

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be implied. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use or reliance on this notice or materials referred to in this
   notice is at your own risk. ISC may change this notice at any
   time.  A stand-alone copy or paraphrase of the text of this
   document that omits the document URL is an uncontrolled copy.
   Uncontrolled copies may lack important information, be out of
   date, or contain factual errors.

(c) 2001-2012 Internet Systems Consortium
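As an added example (not ISC's code and not part of the advisory), the following Python checker parses a `named -v` style version string, classifies it against the affected ranges listed in this advisory, and names the -P4 security-only release or the point release following the selection rule in the "Why So Many Versions?" post above. The ranges and release numbers are copied from those two posts; the sample version strings are constructed, and vendor-patched builds with extra suffixes are deliberately reported as "unknown".

```python
"""Classify a BIND version string against the CVE-2012-5166 advisory.

Added example, not ISC code. Affected ranges, -P4 security-only releases
and point releases are copied from the advisory and the "Why So Many
Versions?" post; sample version strings are constructed. Vendor-patched
builds carrying extra suffixes are reported as "unknown" on purpose:
those need the vendor's own advisory.
"""
import re
from typing import Dict, Optional, Tuple

# A parsed version: (branch, release-or-R-number, P-level). "9.7.6-P3"
# becomes ("9.7", 6, 3); "9.6-ESV-R7-P4" becomes ("9.6-ESV", 7, 4);
# a bare "9.6-ESV" becomes ("9.6-ESV", 0, 0).
Version = Tuple[str, int, int]

_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+)|(?P<esv>-ESV)(?:-R(?P<rel>\d+))?)"
    r"(?:-P(?P<plevel>\d+))?"
)

# Per supported branch: last affected version, security-only fix, point release.
BRANCHES: Dict[str, Tuple[str, str, str]] = {
    "9.6-ESV": ("9.6-ESV-R7-P3", "9.6-ESV-R7-P4", "9.6-ESV-R8"),
    "9.7": ("9.7.6-P3", "9.7.6-P4", "9.7.7"),
    "9.8": ("9.8.3-P3", "9.8.3-P4", "9.8.4"),
    "9.9": ("9.9.1-P3", "9.9.1-P4", "9.9.2"),
}
# Affected branches that were already end-of-life: no fix from ISC.
EOL_BRANCHES = {"9.2", "9.3", "9.4", "9.4-ESV", "9.5", "9.6"}


def parse_version(text: str) -> Optional[Version]:
    """Find a BIND version token in text such as 'BIND 9.8.3-P4'."""
    for token in text.split():
        m = _VERSION_RE.fullmatch(token)
        if m is None:
            continue
        branch = f"{m['major']}.{m['minor']}"
        if m["esv"]:
            branch += "-ESV"
            release = int(m["rel"] or 0)
        else:
            release = int(m["patch"])
        return branch, release, int(m["plevel"] or 0)
    return None


def assess(text: str) -> Dict[str, Optional[str]]:
    """Return the status plus the upgrade targets the ISC post recommends."""
    result: Dict[str, Optional[str]] = {
        "status": "unknown", "security_only": None, "point_release": None}
    parsed = parse_version(text)
    if parsed is None:
        return result
    branch, release, plevel = parsed
    if branch in EOL_BRANCHES:
        result["status"] = "affected-eol"
        return result
    if branch not in BRANCHES:
        result["status"] = "not-listed"
        return result
    last_affected, security_only, point = BRANCHES[branch]
    _, last_rel, last_p = parse_version(last_affected)  # always parses
    if (release, plevel) > (last_rel, last_p):
        result["status"] = "fixed"
        return result
    result["status"] = "affected"
    result["point_release"] = point
    # The -P4 is the minimal step only for operators already on that
    # release's -P3 (the post's "currently running a -P3 version" case).
    if (release, plevel) == (last_rel, last_p):
        result["security_only"] = security_only
    return result


if __name__ == "__main__":
    # Constructed samples resembling `named -v` output.
    for sample in ("BIND 9.8.3-P3", "BIND 9.8.3-P4", "BIND 9.6-ESV-R7-P2",
                   "BIND 9.5.1-P3", "BIND 9.9.2", "BIND 9.8.4-vendor1-P1"):
        print(f"{sample:24} -> {assess(sample)}")
```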


BIND 9.8.4 is now available

2012-10-09 Thread Michael McNally
Introduction

   BIND 9.8.4 is the latest production release of BIND 9.8.

   This document summarizes changes from BIND 9.8.3 to BIND 9.8.4.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on our
   web site at http://www.isc.org/downloads/all. There you will find
   additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A deliberately constructed combination of records could cause named
   to hang while populating the additional section of a response.
   [CVE-2012-5166] [RT #31090]

*  Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes  [CVE-2012-4244]  [RT #30416]

*  Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025] 

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667]  [RT #29644]

New Features

*  Elliptic Curve Digital Signature Algorithm keys and signatures in
   DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

*  Improves OpenSSL error logging [RT #29932]

*  nslookup now returns a nonzero exit code when it is unable to get
   an answer.  [RT #29492]

Bug Fixes

*  Uses binary mode to open raw files on Windows.  [RT #30944]

*  Static-stub zones now accept "forward" and "forwarders" options
   (often needed for subdomains of the zone referenced to override
   global forwarding options).  These options are already available
   with traditional stub zones and their omission from zones of type
   "static-stub" was an inadvertent oversight. [RT #30482] 

*  Limits the TTL of signed RRsets in cache when their RRSIGs are
   approaching expiry. This prevents the persistence in cache of
   invalid RRSIGs in order to assist recovery from a situation where
   zone re-signing doesn't occur in a timely manner.   With this
   change, named will attempt to obtain new RRSIGs from the
   authoritative server once the original ones have expired, and even
   if the TTL of the old records would in other circumstances cause
   them to be kept in cache for longer.  [RT #26429]

*  Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures could
   accidentally occur with unpredictable results.  [RT #25181]

*  The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]

*  The host command should no longer assert on some architectures and
   builds while handling the time values used with the -w (wait
   forever) option.  [RT #18723]

*  Invalid zero settings for max-retry-time, min-retry-time,
   max-refresh-time, min-refresh-time will now be detected during
   parsing of named.conf and an error emitted instead of triggering an
   assertion failure on startup.  [RT #27730] 

*  Removes spurious newlines from log messages in zone.c [RT #30675]

*  When built with readline support (i.e. on a system with readline
   installed) nsupdate no longer terminates unexpectedly in
   interactive mode. [RT #29550] 

*  All named tasks that perform task-exclusive operations now share
   the same single task.  Prior to this change, there was the
   possibility of a race condition between rndc operations and other
   functions such as re-sizing the adb hash table.  If the race
   condition was encountered, named would in most cases terminate
   unexpectedly with an assert.  [RT #29872]

*  Ensures that servers are expired from the ADB cache when the
   timeout limit is reached so that their learned attributes can be
   refreshed.  Prior to this change, servers that were frequently
   queried might never have their entries removed and reinitialized.
   This is of particular importance to DNSSEC-validating recursive
   servers that might erroneously set "no-edns" for an authoritative
   server following a period of intermittent connectivity. [RT #29856]

*  Adds additional resilience to a previous security change (3218) by
   preventing RRSIG data from being added to cache when a
   pseudo-record matching the covering type and proving non-existence
   exists at a higher trust level. The earlier change prevented this
   inconsistent data from being retrieved from cache in response to
   client queries  - with this additional chang

BIND 9.6-ESV-R7-P4 is now available

2012-10-09 Thread Michael McNally
Introduction

   BIND 9.6-ESV-R7-P4 is the latest production release of BIND
   9.6-ESV-R7 (BIND 9.6-ESV-R8 is also available for download, and is
   the latest production release of BIND 9.6-ESV).

   BIND 9.6-ESV is an Extended Support Version of BIND 9.

   This document summarizes changes from BIND 9.6-ESV-R6 to BIND
   9.6-ESV-R7-P4.  Please see the CHANGES file in the source code
   release for a complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on our
   web site at http://www.isc.org/downloads/all. There you will find
   additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/support for paid support options.  Free support
   is provided by our user community via a mailing list.  Information
   on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A deliberately constructed combination of records could cause named
   to hang while populating the additional section of a response.
   [RT #31090]

*  Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes.  [RT #30416]

*  Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized.  [RT #30025] 

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process.  [RT #29644]

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive CPU
   usage in some cases).  [RT #29952]

*  The tests on random jitter values that are used when handling zone
   refreshes have been relaxed.  Prior to this change named could
   terminate unexpectedly when processing stub zones.  [RT #19821]

*  The locking strategy around the handling of iterative queries has
   been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  A new flag -R  has been added to queryperf for running tests using
   non-recursive queries.  It also now builds correctly on MacOS
   version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but was
   not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534] 

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us in
   continuing to make quality open source software, please visit our
   donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium


BIND 9.6-ESV-R8 is now available

2012-10-09 Thread Michael McNally
Introduction

   BIND 9.6-ESV-R8 is the latest production release of BIND 9.6-ESV.

   BIND 9.6-ESV is an Extended Support Version of BIND.

   This document summarizes changes from BIND 9.6-ESV-R7 to BIND
   9.6-ESV-R8.  Please see the CHANGES file in the source code release
   for a complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on our
   web site at http://www.isc.org/downloads/all. There you will find
   additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  A deliberately constructed combination of records could cause named
   to hang while populating the additional section of a response.
   [CVE-2012-5166] [RT #31090]

*  Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes  [CVE-2012-4244]  [RT #30416]

*  Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025] 

*  A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

*  None

Feature Changes

*  Improves OpenSSL error logging [RT #29932]

*  nslookup now returns a nonzero exit code when it is unable to get
   an answer.  [RT #29492]

Bug Fixes

*  Uses binary mode to open raw files on Windows.  [RT #30944]

*  The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]

*  The host command should no longer assert on some architectures and
   builds while handling the time values used with the -w (wait
   forever) option.  [RT #18723]

*  Invalid zero settings for max-retry-time, min-retry-time,
   max-refresh-time, min-refresh-time will now be detected during
   parsing of named.conf and an error emitted instead of triggering an
   assertion failure on startup.  [RT #27730] 

*  Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures could
   accidentally occur with unpredictable results.  [RT #25181]

*  Removes spurious newlines from log messages in zone.c [RT #30675]

*  When built with readline support (i.e. on a system with readline
   installed) nsupdate no longer terminates unexpectedly in
   interactive mode. [RT #29550] 

*  Ensures that servers are expired from the ADB cache when the
   timeout limit is reached so that their learned attributes can be
   refreshed.  Prior to this change, servers that were frequently
   queried might never have their entries removed and reinitialized.
   This is of particular importance to DNSSEC-validating recursive
   servers that might erroneously set "no-edns" for an authoritative
   server following a period of intermittent connectivity. [RT #29856]

*  Adds additional resilience to a previous security change (3218) by
   preventing RRSIG data from being added to cache when a
   pseudo-record matching the covering type and proving non-existence
   exists at a higher trust level. The earlier change prevented this
   inconsistent data from being retrieved from cache in response to
   client queries  - with this additional change, the RRSIG records
   are no longer inserted into cache at all. [RT #26809]

*  The tests on random jitter values that are used when handling zone
   refreshes have been relaxed. Prior to this change named could
   terminate unexpectedly when processing stub zones. [RT #29821]

*  Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive CPU
   usage in some cases).  [RT #29952]

*  It is now possible to use multiple control keys again - this
   functionality was inadvertently broken by change #3924 (RT #28265)
   which addressed a memory leak. [RT #29694]

*  Setting resolver-query-timeout too low could cause named problems
   recovering after a loss of connectivity.  [RT #29623]

*  Reduces the potential build-up of stale RRsets in cache on a busy
   recursive nameserver by re-using cached DS and RRSIG rrsets when
   possible [RT #29446]

*  Upper-case/lower-case handling of RRSIG signer-names is now handled
   consistently: RRSIG records are generated with the signer-name in
   lower case. They are accepted with any case, but if they fail to
   validate, we try again in lower case. [RT #27451]

Thank You

   Thank you to everyone who assisted us in making this relea

Re: ISC Bind in Active Directory

2012-10-18 Thread Michael Sinatra
On 10/18/12 11:03 AM, Aaron Thompson wrote:
> Hi All,
> 
> I'm hoping to get some feedback from people who use ISC Bind and DHCPD
> in Active Directory environments.
> 
> Currently we use Bind/DHCPD for dynamic DNS and DHCP.  It's been a
> pretty stable service, redundant and we are polling statistics with
> Cacti.  There is concern by Management of using a somewhat non standard
> approach for Active Directory SRV records being handled by ISC services
> and not AD.

Microsoft may tell management that it's non-standard, but it's not.
What you're describing is very common, especially among EDUs.

Management's attitude appears to be based on two myths:

1. You must use AD integrated DNS for your AD installation.
2. You must use DDNS for your AD installation (at least for the relevant
SRV records).

Neither of these are true, and plenty of places have gotten by for at
least a decade with *static* SRV records in a BIND server.

A few years ago, Gartner did a paper where they discussed "new features"
that Microsoft claims "require" AD-integrated DNS.  Gartner's conclusion
was that this is basically not true and that if the current BIND-AD
integration is working for you, then you should stick with it.

[snip]

> Overall it's been a very stable design for the last 5+ years.

It sounds like something that's not broken and shouldn't be fixed.
Again, this is the experience at other EDUs.

> If you have any relevant feedback I would appreciate it.  I'm looking
> for information on experience with Active Directory integration with ISC
> or if anyone has had problems/stability issues with AD doing DNS/DHCP or
> AD working with ISC.
> 
> Thanks in advance.
> 
> Here's a brief survey <http://www.surveymonkey.com/s/2VYNKWR> for
> Schools that have ISC running in an AD environment.
> 
> http://www.surveymonkey.com/s/2VYNKWR

Done, on behalf of the "other" Berkeley. :)

michael



ISC Security Advisory: BIND 9 servers using DNS64 can be crashed by a crafted query

2012-12-04 Thread Michael McNally
A specific query can cause BIND nameservers using DNS64 to exit with a REQUIRE 
assertion failure.

CVE:                 CVE-2012-5688
Document Version:    2.0
Posting date:        04 Dec 2012
Program Impacted:    BIND
Versions affected:   9.8.0->9.8.4, 9.9.0->9.9.2
Severity:            Critical
Exploitable:         Remotely

Description:

   BIND 9 nameservers using the DNS64 IPv6 transition mechanism are
   vulnerable to a software defect that allows a crafted query to
   crash the server with a REQUIRE assertion failure.  Remote
   exploitation of this defect can be achieved without extensive
   effort, resulting in a denial-of-service (DoS) vector against
   affected servers.

   Please Note: Support for DNS64 was added to BIND 9 in version
   9.8.0.  Therefore BIND 9 versions prior to 9.8.0 cannot be
   affected by this bug.  Also, nameservers running versions 9.8.0
   and greater can only be affected if DNS64 is turned on using the
   "dns64" configuration statement. If you are not using DNS64 you
   are not at risk.

   For current information on which versions are actively supported,
   please see http://www.isc.org/software/bind/versions.

Impact:

   Any BIND 9 nameserver configured to use DNS64 is vulnerable to
   this defect and can be crashed by any client machine from which
   it accepts queries.

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

   For more information on the Common Vulnerability Scoring System
   and to obtain your specific environmental score please visit:
   http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds:

   Only BIND 9 servers which are configured to use DNS64 are
   vulnerable.  For those servers, disallowing queries from untrusted
   clients (a recommended practice in any case) will slightly
   mitigate a server's exposure, but no workarounds are available
   which will completely protect an affected server against
   exploitation of this bug.  If you are using DNS64 either disable
   it or upgrade to a fixed version.

Active exploits: 

   No known active exploits.

Solution: 

   Upgrade to the patched release most closely related to your
   current version of BIND. These can all be downloaded from
   http://www.isc.org/downloads/all.

   BIND 9 version 9.8.4-P1
   BIND 9 version 9.9.2-P1

Acknowledgements: 

   ISC would like to thank BlueCat Networks for bringing this defect to our 
attention.

Document Revision History:

   1.0 - 27 November 2012 Advance Notification to Phase One.
   1.1 - 03 December 2012 Notification to Phase Two and Phase Three
   2.0 - 04 December 2012 Notification to Phase Four (Public)

Related Documents:

   Japanese Translation:  https://kb.isc.org/article/AA-00832
   Spanish Translation:  https://kb.isc.org/article/AA-00834
   German Translation:  https://kb.isc.org/article/AA-00833

   See our BIND Security Matrix for a complete listing of Security
   Vulnerabilities and versions affected.

 http://www.isc.org/software/bind/security/matrix

   If you'd like more information on our Forum or product support
   please visit www.isc.org/software/guild or www.isc.org/support.
   Do you still have questions?  Questions regarding this advisory
   should go to security-offi...@isc.org

ISC Security Vulnerability Disclosure Policy: 
   Details of our current security advisory policy and practice can
   be found here:

   https://www.isc.org/security-vulnerability-disclosure-policy

   This Knowledge Base article https://kb.isc.org/article/AA-00828
   is the complete and official security advisory document.  There
   is also a summary article located on our website and linking to
   here: https://www.isc.org/software/bind/advisories/cve-2012-5688

Legal Disclaimer: 

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be implied. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use or reliance on this notice or materials referred to in this
   notice is at your own risk. ISC may change this notice at any
   time.  A stand-alone copy or paraphrase of the text of this
   document that omits the document URL is an uncontrolled copy.
   Uncontrolled copies may lack important information, be out of
   date, or contain factual errors.

(c) 2001-2012 Internet Systems Consortium


BIND 9.9.2-P1 is now available

2012-12-04 Thread Michael McNally
Introduction

   BIND 9.9.2-P1 is a security-fix release, superseding BIND 9.9.2
   as the latest production release of BIND 9.9.

   This document summarizes changes from BIND 9.9.1 to BIND 9.9.2-P1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of specific queries that are received.  (Note that this
   fix is a subset of a series of updates that will be included in
   full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996).
   [CVE-2012-5688] [RT #30792]

   A deliberately constructed combination of records could cause
   named to hang while populating the additional section of a
   response. [CVE-2012-5166] [RT #31090]

   Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]

   Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025]

   A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667]  [RT #29644]

   ISC_QUEUE handling for recursive clients was updated to address
   a race condition that could cause a memory leak. This rarely
   occurred with UDP clients, but could be a significant problem
   for a server handling a steady rate of TCP queries. [CVE-2012-3868]
   [RT #29539 & #30233]

New Features

   Elliptic Curve Digital Signature Algorithm keys and signatures
   in DNSSEC are now supported per RFC 6605. [RT #21918]

   Introduces a new tool "dnssec-checkds" command that checks a
   zone to determine which DS records should be published in the
   parent zone, or which DLV records should be published in a DLV
   zone, and queries the DNS to ensure that it exists. (Note: This
   tool depends on python; it will not be built or installed on
   systems that do not have a python interpreter.)  [RT #28099]

   Introduces a new tool "dnssec-verify" that validates a signed
   zone, checking for the correctness of signatures and NSEC/NSEC3
   chains.  [RT #23673]

   Adds configuration option "max-rsa-exponent-size ;" that
   can be used to specify the maximum rsa exponent size that will
   be accepted when validating [RT #29228]

Feature Changes

   Improves OpenSSL error logging [RT #29932]

   nslookup now returns a nonzero exit code when it is unable to
   get an answer.  [RT #29492]

Bug Fixes

   Uses binary mode to open raw files on Windows.  [RT #30944]

   When using DNSSEC inline signing with "rndc signing -nsec3param",
   a salt value of "-" can now be used to indicate 'no salt'.  [RT
   #30099]

   Prevents race conditions (address use after free) that could be
   encountered when named is shutting down and releasing structures
   used to manage recursive clients.  [RT #30241]

   Static-stub zones now accept "forward" and "forwarders" options
   (often needed for subdomains of the zone referenced to override
   global forwarding options).  These options are already available
   with traditional stub zones and their omission from zones of
   type "static-stub" was an inadvertent oversight. [RT #30482]

   Limits the TTL of signed RRsets in cache when their RRSIGs are
   approaching expiry. This prevents the persistence in cache of
   invalid RRSIGs in order to assist recovery from a situation where
   zone re-signing doesn't occur in a timely manner.   With this
   change, named will attempt to obtain new RRSIGs from the
   authoritative server once the original ones have expired, and
   even if the TTL of the old records would in other circumstances
   cause them to be kept in cache for longer.  [RT #26429]

   Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures
   could accidentally occur with unpredictable results.  [RT #25181]

   Improves OpenSSL error logging [RT #29932] 

   The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]

   The host command should no longer assert on some architectures
   an

BIND 9.8.4-P1 is now available

2012-12-04 Thread Michael McNally
Introduction

   BIND 9.8.4-P1 is a security-fix release, superseding BIND 9.8.4
   as the latest production release of BIND 9.8.

   This document summarizes changes from BIND 9.8.3 to BIND 9.8.4-P1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of specific queries that are received.  (Note that this
   fix is a subset of a series of updates that will be included in
   full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996).
   [CVE-2012-5688] [RT #30792]

   A deliberately constructed combination of records could cause
   named to hang while populating the additional section of a
   response. [CVE-2012-5166] [RT #31090]

   Prevents a named assert (crash) when queried for a record whose
   RDATA exceeds 65535 bytes  [CVE-2012-4244]  [RT #30416]

   Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025]

   A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667]  [RT #29644]

New Features

   Elliptic Curve Digital Signature Algorithm keys and signatures
   in DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

   Improves OpenSSL error logging [RT #29932]

   nslookup now returns a nonzero exit code when it is unable to
   get an answer.  [RT #29492]

Bug Fixes

   Uses binary mode to open raw files on Windows.  [RT #30944]

   Static-stub zones now accept "forward" and "forwarders" options
   (often needed for subdomains of the zone referenced to override
   global forwarding options).  These options are already available
   with traditional stub zones and their omission from zones of
   type "static-stub" was an inadvertent oversight. [RT #30482]

   Limits the TTL of signed RRsets in cache when their RRSIGs are
   approaching expiry. This prevents the persistence in cache of
   invalid RRSIGs in order to assist recovery from a situation where
   zone re-signing doesn't occur in a timely manner.   With this
   change, named will attempt to obtain new RRSIGs from the
   authoritative server once the original ones have expired, and
   even if the TTL of the old records would in other circumstances
   cause them to be kept in cache for longer.  [RT #26429]

   Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures
   could accidentally occur with unpredictable results.  [RT #25181]

   The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]

   The host command should no longer assert on some architectures
   and builds while handling the time values used with the -w (wait
   forever) option.  [RT #18723]

   Invalid zero settings for max-retry-time, min-retry-time,
   max-refresh-time, min-refresh-time will now be detected during
   parsing of named.conf and an error emitted instead of triggering
   an assertion failure on startup.  [RT #27730]

   Removes spurious newlines from log messages in zone.c [RT #30675]

   When built with readline support (i.e. on a system with readline
   installed) nsupdate no longer terminates unexpectedly in interactive
   mode. [RT #29550]

   All named tasks that perform task-exclusive operations now share
   the same single task.  Prior to this change, there was the
   possibility of a race condition between rndc operations and other
   functions such as re-sizing the adb hash table.  If the race
   condition was encountered, named would in most cases terminate
   unexpectedly with an assert.  [RT #29872]

   Ensures that servers are expired from the ADB cache when the
   timeout limit is reached so that their learned attributes can
   be refreshed.  Prior to this change, servers that were frequently
   queried might never have their entries removed and reinitialized.
   This is of particular importance to DNSSEC-validating recursive
   servers that might erroneously set "no-edns" for an authoritative
   server following a period of intermitt

CVE-2012-5689: BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ

2013-01-24 Thread Michael McNally
ISC has learned of the potential for an error condition in BIND 9
that can cause a nameserver to terminate with an assertion failure
when processing queries if it has been configured to use both DNS64
and Response Policy Zones (RPZ).

CVE:   CVE-2012-5689
Document Version:  2.0
Posting date:  24 January 2013
Program Impacted:  BIND 9
Versions affected: 9.8.0->9.8.4-P1, 9.9.0->9.9.2-P1
Severity:  Low 
Exploitable:   Remotely 

Description:

   An error condition may occur when a nameserver which is configured
   to use DNS64 performs a AAAA lookup for a record with an A record
   rewrite rule in a Response Policy Zone (RPZ.)  If the RPZ is
   unable to provide a AAAA record for the name, but does provide
   a rewritten A record, then the DNS64 processing code will attempt
   to remap that A record into a AAAA record.  Due to a coding
   error, this interaction between the RPZ database and the DNS64
   remapping code can cause the named process to terminate with an
   assertion failure.

   ISC believes the number of deployed systems that are using RPZ
   rewrite rules and also using DNS64 is extremely small; furthermore,
   the problem has an easy workaround (see below).  However, ISC
   policy calls for disclosure of any potential vulnerability in
   BIND 9, regardless of how rarely the conditions for such a
   vulnerability may occur in production environments. Thus, despite
   the CVSS score, we assess the severity as Low, and will integrate
   the bug fix into the next beta release of the affected versions.
   No security patch release versions are planned, as the workaround
   is simple and affords complete protection.

   To prevent accidental exposure of those using these features in
   combination, future versions of BIND 9 will include code to
   prevent any exploitation of this bug, beginning with beta versions
   scheduled to be released on January 24, 2013.  However, the
   suggested workaround is a complete remedy for those who are using
   DNS64 in conjunction with RPZ, and is recommended in preference
   to running beta code in a production environment.

Impact:

   Only nameservers that are configured to use both DNS64 and
   Response Policy Zones, and which are maintaining A rewrite rules
   but not AAAA rewrite rules, will be affected by this problem -
   in other words, only systems that are using RPZ to rewrite DNS
   records into A records, then attempting to remap those same A
   records into AAAA via DNS64.  Systems that only use RPZ to
   generate NXDOMAIN or CNAME or NOERROR/NODATA responses, or to
   rewrite other resource record types besides A, will not trigger
   the bug.

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

   For more information on the Common Vulnerability Scoring System
   and to obtain your specific environmental score please visit:
   http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workaround:

   If using DNS64 and Response Policy Zones together, make sure the
   RPZ contains a AAAA rewrite rule for every A rewrite rule. If
   the RPZ provides a AAAA answer without the assistance of DNS64,
   the bug is not triggered.

Active exploits: 

   None

Solution: 

   If you are currently running one of the affected versions, you
   have the following options:

   1.  Employ the workaround (see above).
   2.  Wait for BIND releases that include a fix preventing
   possible exploitation of the bug.

Acknowledgements:

   ISC would like to thank Pories Ediansyah of Institut Teknologi
   Bandung for bringing this defect to our attention.

Document Revision History:

   1.0 - 17 January 2013 Advance Notification to Phase One.
   1.1 - 23 January 2013 Notification to Phase Two and Phase Three
   2.0 - 24 January 2013 Notification to Phase Four (Public)

Related Documents:

   See our BIND Security Matrix for a complete listing of Security
   Vulnerabilities and versions affected.
   https://www.isc.org/software/bind/security/matrix

   If you'd like more information on our Forum or product support
   please visit www.isc.org/software/guild or www.isc.org/support.

   Do you still have questions?  Questions regarding this advisory
   should go to security-offi...@isc.org

   Note: ISC patches only currently supported versions:
   http://www.isc.org/software/bind/versions.  When possible we
   indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy: 

   Details of our current security advisory policy and practice can
   be found at: https://www.isc.org/security-vulnerability-disclosure-policy


This Knowledge Base article https://kb.isc.org/article/AA-00855 is
the complete and official security advisory document.  There is
also a summary article located on our website and linking to here:
https://www.isc.org/software/bind/advisories/cve-2012-5689.

Legal Disclaimer: 

   Internet Systems Consortium (ISC) is providing this notice on
 

BIND 9.8.5b1 is now available

2013-01-25 Thread Michael McNally
Introduction

   BIND 9.8.5b1 is the first beta release of BIND 9.8.5

   This document summarizes changes from BIND 9.8.4 to BIND 9.8.5b1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of specific queries that are received.  (CVE-2012-5688)
   [RT #30792 / #30996]

   Prevents a named assert (crash) when using RPZ to generate A
   records (but not AAAA records) and DNS64 to generate AAAA records
   from A records. [RT #32141]

   A deliberately constructed combination of records could cause
   named to hang while populating the additional section of a
   response. [RT #31090]

New Features

   Add support for the RFC 6742 ILNP record types (NID, LP, L32,
   and L64). [RT #31836]

Feature Changes

   Updates the built-in root hints for D.ROOT-SERVERS.NET whose
   IPv4 address changed to 199.7.91.13 (as of 3rd January 2013).
   Note that recursive servers running with an older set of root
   hints will still operate successfully because there are 12 other
   root servers whose addresses are correct and who will respond
   during root priming with the new root nameserver RRset.  [RT
   #32164]

   Adds RFC 6598 reverse zones to the built-in empty zones list:
   64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]

   "named -V" can now report a source ID string.  (This will be
   of most interest to developers and troubleshooters).  The source
   ID for ISC's production versions of BIND is defined in the "srcid"
   file in the build tree and is normally set to the most recent
   git hash. [RT #31494]

Bug Fixes

   dnssec-keygen and dnssec-settime disallow setting the delete
   date to be sooner than the inactive date. [RT #31719]

   Update HSM PKCS#11 patches to openssl to add support for openssl
   versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]

   ddns-confgen now accepts all the TSIG algorithms that it is
   documented as supporting when generating keys. [RT #31927]

   Missing 'managed-keys-directory' is now handled better.  Prior
   to this change, when misconfigured, named could loop and consume
   100% CPU.  [RT #30625]

   Handle cases where a port is reserved and cannot be used as the
   source for a query. [RT #31778]

   Correct a case where a negative response could incorrectly be
   flagged as being DNSSEC authenticated when it was not actually
   authenticated. [RT #32237]

   Fix missing includes in testing support library that caused it
   to fail to build on some platforms. [RT #32012]

   Return correct error code (FORMERR) when presented with malformed
   requests containing overly long domain names. [RT #29682]

   Instead of rejecting and logging a FORMERR, named now accepts
   duplicate singleton records in a DNS query response.  (In some
   situations, query responses may contain duplicates - and whilst
   this is not technically correct, BIND has been updated to be
   more tolerant).  [RT #32329]

   When named allocates an initial per-thread stack size, it first
   checks the operating system's default value, and if specified,
   uses that.  In the situation where it appears that none is
   provided, it uses an internal default.  This default has been
   increased from 64K to 1M to accommodate operating systems that
   require a larger initial stack.  [RT #32230]

   The allow-query-on ACL is now processed correctly in all situations.
   [RT #29486]

   The configure script now supports and detects libxml2-2.9.x
   correctly. [RT #32231]

   When loading a zone file, named now emits a warning if it
   encounters a non-blank owner name following $ORIGIN.  The reason
   for this is that when parsing a zone file, the blank owner name
   indicates that the current name (i.e. the name from the previous
   record that named loaded) should be used, even though $ORIGIN
   has changed.  Particularly when handling subdomains, this can
   result in those records being unexpectedly loaded with different
   labels than intended.   [RT #31848]

   Resolves a problem that when answering queries for nonexistent
   names via wildcard CNAME records, DNSSEC responses could fail
   to include the NSEC/NSEC3 records proving the lack of a better
   answer.  [RT #21409]

   Prevents a named abort (assertion fail) during recovery
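An added example, not ISC's code, that applies the CVE-2012-5689 workaround from the advisory above as a check: it parses a Response Policy Zone far enough to list every owner name that has an A rewrite rule but no AAAA rewrite rule, and it also flags the $ORIGIN / blank-owner-name pitfall described in the bug fixes of these release notes. The policy zone, its names and addresses are constructed for the example; the parser handles only the directives and record forms it uses and is not a full master-file parser.

```python
"""Audit a Response Policy Zone for the CVE-2012-5689 workaround.

Added example, not ISC code: lists each owner name in an RPZ that has an A
rewrite rule but no AAAA rewrite rule (with DNS64 on, the bug path), and flags
the $ORIGIN / blank-owner-name pitfall from the BIND 9.8.5b1 release notes.
Only the directives and record forms used below are handled.
"""
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}


def _qualify(name, origin):
    """Make an owner or $ORIGIN argument absolute (trailing dot)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def _logical_lines(text):
    """Yield (first_line_no, text): ';' comments stripped, '(' ... ')'
    continuations joined, leading whitespace of the first line kept."""
    buf, depth, start = [], 0, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()   # no quoted-string handling
        if not buf:
            if not line.strip():
                continue
            start = lineno
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield start, " ".join(buf)
            buf, depth = [], 0


def parse_zone(text, origin="."):
    """Return ([(owner, TYPE, rdata), ...], [warnings]) for zone-file text."""
    records, warnings = [], []
    owner, origin_just_changed = None, False
    for lineno, line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = _qualify(tokens[1], origin)
            origin_just_changed = True
            continue
        if tokens[0].startswith("$"):          # $TTL etc.: not needed here
            continue
        if line[:1].isspace():                 # blank owner: previous owner
            if owner is None:
                raise ValueError(f"line {lineno}: blank owner, no previous record")
            if origin_just_changed:            # the pitfall the notes warn about
                warnings.append(f"line {lineno}: blank owner name after $ORIGIN "
                                f"inherits {owner}, not the new origin {origin}")
        else:
            owner = _qualify(tokens.pop(0), origin)
        origin_just_changed = False
        if tokens and tokens[0].isdigit():            # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:   # optional class
            tokens.pop(0)
        if not tokens:
            raise ValueError(f"line {lineno}: record without a type")
        records.append((owner, tokens.pop(0).upper(), " ".join(tokens)))
    return records, warnings


def a_rules_without_aaaa(records):
    """Owners with an A rule but no AAAA rule: named would have to let DNS64
    synthesise the AAAA from the RPZ A answer, which is what crashed it."""
    types = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner].add(rtype)
    return sorted(o for o, t in types.items() if "A" in t and "AAAA" not in t)


# Constructed sample policy zone; names and addresses are documentation values.
SAMPLE_RPZ = """\
$TTL 300
$ORIGIN rpz.example.
@                    IN SOA   ns.rpz.example. hostmaster.rpz.example. (
                                2013012401 3600 600 86400 300 )
                     IN NS    ns.rpz.example.
; local-data rewrite with both A and AAAA: DNS64 never has to synthesise
walled.example.com   IN A     192.0.2.10
                     IN AAAA  2001:db8::10
; A rewrite rule with no AAAA rule: the CVE-2012-5689 trigger
aonly.example.com    IN A     192.0.2.20
; NXDOMAIN policy action (CNAME .) rewrites no A record, so it is unaffected
blocked.example.com  IN CNAME .
; a blank owner name right after $ORIGIN does NOT mean "the new origin":
; it inherits the previous owner, blocked.example.com.rpz.example.
$ORIGIN second.example.com.rpz.example.
                     IN A     192.0.2.30
"""

if __name__ == "__main__":
    recs, warns = parse_zone(SAMPLE_RPZ)
    for name in a_rules_without_aaaa(recs):
        print("A rewrite without AAAA rewrite:", name)
    for warning in warns:
        print("warning:", warning)
```

Run against a real policy zone, any name it prints is one to pair with a AAAA rule before enabling DNS64 on an affected version.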

BIND 9.9.3b1 is now available

2013-01-25 Thread Michael McNally
Introduction

   BIND 9.9.3b1 is the first beta release of BIND 9.9.3.

   This document summarizes changes from BIND 9.9.2 to BIND 9.9.3b1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of specific queries that are received.  (CVE-2012-5688)
   [RT #30792 / #30996]

   Prevents a named assert (crash) when using RPZ to generate A
   records (but not AAAA records) and DNS64 to generate AAAA records
   from A records. [RT #32141]

New Features

   Add support for the RFC 6742 ILNP record types (NID, LP, L32,
   and L64). [RT #31836]

Feature Changes

   Updates the built-in root hints for D.ROOT-SERVERS.NET whose
   IPv4 address changed to 199.7.91.13 (as of 3rd January 2013).
   Note that recursive servers running with an older set of root
   hints will still operate successfully because there are 12 other
   root servers whose addresses are correct and who will respond
   during root priming with the new root nameserver RRset.  [RT
   #32164]

   Adds RFC 6598 reverse zones to the built-in empty zones list:
   64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]

   Makes available a new XML schema (version 3.0) for the statistics
   channel that adds query type statistics at the zone level,
   flattens the XML tree and uses compressed format to optimize
   parsing. It also includes new XSL that permits charting via the
   Google Charts API on browsers that support javascript in XSL.
   To enable, build BIND with "configure --enable-newstats". [RT
   #30023]

   "named -V" can now report a source ID string.  (This will be
   of most interest to developers and troubleshooters).  The source
   ID for ISC's production versions of BIND is defined in the "srcid"
   file in the build tree and is normally set to the most recent
   git hash. [RT #31494]

Bug Fixes

   dnssec-keygen and dnssec-settime disallow setting the delete
   date to be sooner than the inactive date. [RT #31719]

   Update HSM PKCS#11 patches to openssl to add support for openssl
   versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]

   ddns-confgen now accepts all the TSIG algorithms that it is
   documented as supporting when generating keys. [RT #31927]

   Missing 'managed-keys-directory' is now handled better.  Prior
   to this change, when misconfigured, named could loop and consume
   100% CPU.  [RT #30625]

   Now only the programs that use the readline library will link
   with it (nslookup and nsupdate). [RT #29810]

   When using 'rndc addzone' of a zone with 'inline-signing
   yes;' named will first load the unsigned version and then
   afterwards successfully create the signed version.  (Prior to
   this fix, the addzone would fail).  [RT #31960]

   dnssec-checkds now emits a clear message when records are not
   found. This change also fixes a minor reporting problem whereby
   dnssec-checkds incorrectly reported that no DS records had been
   found for a KSK, despite having found and listed one. In addition,
   errors in the man pages (referencing the wrong utility) have
   been remedied. [RT #31968]

   dnssec-dsfromkey now no longer puts legal whitespace in DS hashes
   in order to inter-operate better with some overly-strict registrars.
   [RT #31951]

   Addresses portability issues (encountered when testing on HPUX)
   and corrects "rndc signing -nsec3param" to accept the full range
   of possible values.  [RT #31938]

   Named should no longer die on shutdown if running with 128 UDP
   dispatches per interface. [RT #31743]

   Some DNSSEC-related options (update-check-ksk, dnssec-loadkeys-interval,
   dnssec-dnskey-kskonly) are now accepted in slave zone definitions
   in named.conf when inline-signing is being used. [RT #31078]

   Addresses build problems encountered on NetBSD 6.0 (renames the
   'bool' parameter to avoid a namespace clash).  [RT #31515]

   When using the zone reload method of importing changes to named
   with in-line signing, changes to SOA record parameters (other
   than the serial number alone) in the un-signed zone will now
   trigger named to update the signed version of the zone.  Prior
   to this fix, if SOA parameters were updated while the server was
   offline but without any changes also being made to other recor

BIND 9.6-ESV-R9b1 is now available

2013-01-25 Thread Michael McNally
Introduction

   BIND 9.6-ESV-R9b1 is the first beta release of BIND 9.6-ESV-R9.

   BIND 9.6-ESV is an Extended Support Version of BIND.

   This document summarizes changes from BIND 9.6-ESV-R8 to BIND
   9.6-ESV-R9b1.  Please see the CHANGES file in the source code
   release for a complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025]

   A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

   None

Feature Changes

   Updates the built-in root hints for D.ROOT-SERVERS.NET whose
   IPv4 address changed to 199.7.91.13 (as of 3rd January 2013).
   Note that recursive servers running with an older set of root
   hints will still operate successfully because there are 12 other
   root servers whose addresses are correct and who will respond
   during root priming with the new root nameserver RRset.  [RT
   #32164]

   Adds RFC 6598 reverse zones to the built-in empty zones list:
   64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]

Bug Fixes

   Handle cases where a port is reserved and cannot be used as the
   source for a query. [RT #31778]

   Correct a case where a negative response could incorrectly be
   flagged as being DNSSEC authenticated when it was not actually
   authenticated. [RT #32237]

   Add support for the RFC 6742 ILNP record types (NID, LP, L32,
   and L64). [RT #31836]

   Fix missing includes in testing support library that caused it
   to fail to build on some platforms. [RT #32012]

   Return correct error code (FORMERR) when presented with malformed
   requests containing overly long domain names. [RT #29682]

   Instead of rejecting and logging a FORMERR, named now accepts
   duplicate singleton records in a DNS query response.  (In some
   situations, query responses may contain duplicates - and whilst
   this is not technically correct, BIND has been updated to be
   more tolerant).  [RT #32329]

   When named allocates an initial per-thread stack size, it first
   checks the operating system's default value, and if specified,
   uses that.  In the situation where it appears that none is
   provided, it uses an internal default.  This default has been
   increased from 64K to 1M to accommodate operating systems that
   require a larger initial stack.  [RT #32230]

   The allow-query-on ACL is now processed correctly in all situations.
   [RT #29486]

   The configure script now supports and detects libxml2-2.9.x
   correctly. [RT #32231]

   When loading a zone file, named now emits a warning if it
   encounters a non-blank owner name following $ORIGIN.  The reason
   for this is that when parsing a zone file, the blank owner name
   indicates that the current name (i.e. the name from the previous
   record that named loaded) should be used, even though $ORIGIN
   has changed.  Particularly when handling subdomains, this can
   result in those records being unexpectedly loaded with different
   labels than intended.   [RT #31848]

   Resolves a problem that when answering queries for nonexistent
   names via wildcard CNAME records, DNSSEC responses could fail
   to include the NSEC/NSEC3 records proving the lack of a better
   answer.  [RT #21409]

   Prevents a named abort (assertion fail) during recovery from
   an out of memory condition.  This crash would be encountered in
   module general: dst_api.c and logged as REQUIRE((&key->refs)->refs
   == 0).  [RT #32131]

   A new configure option --with-ecdsa has been added to force
   building with ECDSA, bypassing the script-based checks that this
   functionality is available in the build environment. The converse,
   --without-ecdsa, explicitly disables ECDSA support during the
   BIND build.  Both of these options have been added to assist
   cross-compilation to environments that do (or don't) support
   ECDSA, overriding the default build behaviour.   [RT #32078]

   XML statistics generated by Windows builds contained incorrectly
   formatted "boot-time" and "current-time" values.  [RT #32044]

   dig now prints the timezone as part of the timestamp in the
   "WHEN" line of the output.  [RT #2269]

   Fixes a race condition in acache.c that could cause named to
   cra
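The $ORIGIN warning described in the RT #31848 note above, modelled as an added example (not BIND's own code): a toy Python owner-name resolver that applies the blank-owner rule and flags the case named warns about. The zone text, function names and warning wording are constructed for this illustration; TTL and class fields are deliberately not modelled.

```python
def qualify(name, origin):
    """Make a relative owner name absolute using the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def load_zone(text, origin):
    """Resolve owner names in a simplified master file (owner/$ORIGIN only).

    Returns (records, warnings); records are (owner, type, rdata) tuples.
    """
    records, warnings = [], []
    current_owner, origin_changed = None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";")[0].rstrip()           # drop trailing comment
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin, origin_changed = line.split()[1], True
            continue
        fields = line.split()
        if line[0].isspace():
            # Blank owner reuses the previous owner, NOT the new origin (RT #31848).
            if current_owner is None:
                raise ValueError(f"line {lineno}: no previous owner name")
            if origin_changed:
                warnings.append(f"line {lineno}: blank owner name after "
                                f"$ORIGIN keeps {current_owner}")
            owner = current_owner
        else:
            owner = qualify(fields.pop(0), origin)
        origin_changed = False
        current_owner = owner
        records.append((owner, fields[0], " ".join(fields[1:])))
    return records, warnings

# Constructed sample: the blank-owner A record under the new $ORIGIN was
# probably meant for sub.example.com. but is loaded under www.example.com.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@     SOA  ns1 hostmaster 1 3600 600 86400 300
www   A    192.0.2.10
$ORIGIN sub.example.com.
      A    192.0.2.20   ; blank owner: inherits www.example.com.
host  A    192.0.2.30
"""

if __name__ == "__main__":
    recs, warns = load_zone(SAMPLE_ZONE, "example.com.")
    print(*recs, *("warning: " + w for w in warns), sep="\n")
```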
