Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Matus UHLAR - fantomas
On 14.10.22 12:08, Bob McDonald wrote: I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recursive servers only. why? That said, all clients would connect to recursive resolvers. don't they now? The question is this; do I

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread JW λ John Woodworth
Hi Greg,Great points!  I must have forgotten how messy this got :) ./John Original message From: Greg Choules Hi John.Yes, you *could* forward and that was a setup I inherited a good few years ago. The appeal is obvious: it's easy to do; just chuck queries over there and get ans

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Greg Choules via bind-users
Hi John. Yes, you *could* forward and that was a setup I inherited a good few years ago. The appeal is obvious: it's easy to do; just chuck queries over there and get answers. But forwarding keeps the RD bit set, meaning that the server being forwarded to should a) have recursion enabled (though it

RE: Question About Internal Recursive Resolvers

2022-10-14 Thread JW λ John Woodworth
Hi Bob,I've been able to do this with 'forward' zones.  The config would go in the resolver but the files would not./John Original message From: Bob McDonald I'm thinking about redesigning an internal DNS environment. To beginwith, all internal DNS zones would reside on non-recu

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Greg Choules via bind-users
Hi Bob. In a previous life I did just this. Large resolvers for customers and internal users, defaulting to the Internet but with specific configuration to internal auth-only servers for private zones (I used stub but static-stub and mirror are alternatives - they each behave slightly differently).

Question About Internal Recursive Resolvers

2022-10-14 Thread Bob McDonald
I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recursive servers only. That said, all clients would connect to recursive resolvers. The question is this; do I use an internal root with pointers to the internal zones (as well as

secure/tls access for statistics-channels ?

2022-10-14 Thread PGNet Dev
on named -v BIND 9.18.7 (Stable Release) i've setup statistics, statistics-channels { inet 10.53.53.53 port 5353 allow { sec_trusted; }; inet 127.0.0.1 port 5353 allow {

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread PGNet Dev
Which parental-agent to use is up to you. Something you trust. for the moment, let's say 1.1.1.1 But if you don't have parental-agents set up, the list of keys to check will be empty. Hence the "not found" result. i added zone "example.com" IN { type master; file "/

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread Matthijs Mekking
Which parental-agent to use is up to you. Something you trust. You can also configure multiple, if so then all parental agents will perform the DS check and only if all parental agents agree (have seen the DS), BIND will set the DS as "seen published in the parent" and the rollover will contin

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread PGNet Dev
This is a log level bug. This log happens when BIND want to check the parental-agents if the DS has been published. But if you don't have parental-agents set up, the list of keys to check will be empty. Hence the "not found" result. Thanks for reporting, this will be fixed in the next release,

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread Ondřej Surý
In addition to what Matthijs said, please make sure that all path components in /data/chroot/named/keys/dnssec/example.com/ need to have correct permissions, this is easy to get wrong. I've burnt on this too many times. Easiest way how to test is switching to the user that n

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread Matthijs Mekking
Hi, This is a log level bug. This log happens when BIND want to check the parental-agents if the DS has been published. But if you don't have parental-agents set up, the list of keys to check will be empty. Hence the "not found" result. Thanks for reporting, this will be fixed in the next re

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread PGNet Dev
hi Think ownership, permission and things like SELinux, AppArmore depending on your OS. on this box, no SELinux or AppArmor in my named.conf directory "/namedb/production"; and for my domain's dnssec key-directory "/keys/dnssec/example.com"; pathnames are relative to chro

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread Sandro
On 14-10-2022 15:26, PGNet Dev wrote: zone "example.com" IN { type master; file "/namedb/master/example.com.zone"; dnssec-policy "pgnd"; key-directory "/keys/dnssec/example.com"; update-policy { grant pgnd-external-rndc-key z

new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread PGNet Dev
i run, named -v BIND 9.18.7 (Stable Release) i've setup dnssec-policy operation for a number of domain. keys are all generated, KSK-derived DS Records are pushed to registrar->root, and all DNSSEC-analyzer tools online report all's good. i can see no functional probl