Re: Survey on the impact of software regulation on DNS systems

2025-03-27 Thread Michael De Roover
Hi, On Thursday, 27 March 2025 13:10:42 CET Peter 'PMc' Much wrote: > Finally got back to this one. Thank You, both of You! Not to worry, these emails are still as relevant now as they were back then :) > A mixture of both is very much what we already have. In Brussels, > for instance, 90% of th

Re: Survey on the impact of software regulation on DNS systems

2025-03-27 Thread Peter 'PMc' Much
On Sun, Feb 02, 2025 at 02:45:08PM -0500, Paul Kosinski via bind-users wrote: ! On Sat, 1 Feb 2025 14:47:35 + ! Marc wrote: ! ! "You have to get the bigger picture. Everything requires regulation otherwise big tech is going to fuck you. There are enough examples out there." ! ! The even big

Re: ECS subnet

2025-03-27 Thread Rainer Duffner
> One follow-up question: it seems the IP is not shown in the RPZ log. Can this be adjusted? -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.

Re: ECS subnet

2025-03-27 Thread Rainer Duffner
> Am 25.02.2025 um 01:06 schrieb Evan Hunt : > > On Tue, Feb 18, 2025 at 08:40:53AM +0100, Rainer Duffner wrote: >>> ECS is not supported in the open source version of BIND so I guess >>> it might not get logged. > > The open source version doesn't *send* client-subnet requests, > or cache the r

Re: isc-bind service shutdown after update at 9.20.7-1.2.el8

2025-03-26 Thread Ben Scott
nty of any kind. - Original Message - > From: "Michal Nowak" > To: "bind-users" > Sent: Tuesday, March 25, 2025 1:09:36 PM > Subject: Re: isc-bind service shutdown after update at 9.20.7-1.2.el8 > Hi, > > I can reproduce your problem when I se

RE: isc-bind service shutdown after update at 9.20.7-1.2.el8

2025-03-25 Thread Langlois Joël via bind-users
rt de Michal Nowak Envoyé : 25 mars 2025 13:10 À : bind-users@lists.isc.org Objet : Re: isc-bind service shutdown after update at 9.20.7-1.2.el8 Hi, I can reproduce your problem when I setup chroot. Tho, I think this is the expected behaviour unless you setup the systemd notify socket inside the c

Re: isc-bind service shutdown after update at 9.20.7-1.2.el8

2025-03-25 Thread Michal Nowak
edBy=multi-user.target [root@dns_server]# cat /etc/opt/isc/scls/isc-bind/sysconfig/named # Command line options passed to named OPTIONS="-4 -t /var/named/chroot" Thanks a lot for your help! -- Joel Langlois -Message d'origine- De : bind-users De la part de Michal Now

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-25 Thread Grant Taylor via bind-users
On 3/19/25 9:40 AM, Mónika Kiss wrote: I have a domain categorization program written in C that dynamically determines the risk level of a queried domain. I need to integrate this categorization logic into a BIND 9 plugin that: Mónika, have you looked into Dynamically Loadable Zones? You migh

RE: isc-bind service shutdown after update at 9.20.7-1.2.el8

2025-03-24 Thread Langlois Joël via bind-users
=multi-user.target [root@dns_server]# cat /etc/opt/isc/scls/isc-bind/sysconfig/named # Command line options passed to named OPTIONS="-4 -t /var/named/chroot" Thanks a lot for your help! -- Joel Langlois -Message d'origine- De : bind-users De la part de Michal Nowak Envoyé :

Re: isc-bind service shutdown after update at 9.20.7-1.2.el8

2025-03-24 Thread Michal Nowak
For BIND 9.20.7 and 9.21.6 we changed the service type from "forking" to "notify", also ExecStart now has the "-f" option: -[Service] -Type=forking -ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named +[Service] +Type=notify +ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named -f Coul
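Review bot: the `+Type=notify` line makes a successful start depend on named reaching the systemd notify socket, which a named launched with `-t /var/named/chroot` (the OPTIONS quoted earlier in this thread) cannot do unless that socket is also made available inside the chroot, so systemd never sees READY=1 and stops the service; since the `+ExecStart=... -f` line otherwise works unchanged for non-chrooted installs, the change should at least document that `-t` users must expose the notify socket inside the chroot before upgrading, or the package should detect `-t` in OPTIONS and warn.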

Re: Help with ISC-BIND 9.20.7 COPR package DOH support

2025-03-23 Thread Michał Kępień
Hi, > Need help with the COPR packages for BIND, they don’t seem to have DOH > enabled / working That's not the case, DNS-over-HTTPS should work just fine with our Copr packages. > Should have: compiled with DNS-over-HTTPS > It does not no? DNS-over-HTTPS support in BIND 9 is implemented usin

Re: Authoritative and caching

2025-03-23 Thread Danjel Jungersen via bind-users
On 19-02-2025 12:04, Greg Choules wrote: Hi Danjel. To obtain a packet capture use tcpdump, which is probably installed already. If not, add it using your preferred package manager. You can dump to the screen, but I find it more useful to dump to a file, which can then be analysed offline in W

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-23 Thread Grant Taylor via bind-users
Hi, I get the impression that I'm still misunderstanding you or perhaps we don't have the same understanding of RPS / DLZ. Perhaps I need more coffee. On 3/21/25 2:31 AM, Mónika Kiss wrote: * Instead, I want the plugin to dynamically query this data by calling my existing C program or

Re: Help with ISC-BIND 9.20.7 COPR package DOH support

2025-03-22 Thread Robert Paolucci via bind-users
Hey Everyone, Need help with the COPR packages for BIND, they don’t seem to have DOH enabled / working sudo yum-config-manager --add-repo https://copr.fedorainfracloud.org/coprs/isc/bind/repo/epel-9/isc-bind-epel-9.repo sudo yum --enablerepo="copr:copr.fedorainfracloud.org:isc:bind" install is

Re: isc-bind service shutdown after update at 9.20.7-1.2.el8

2025-03-21 Thread Ondřej Surý
This looks like named is not sending the systemd notifications to the supervisor. Is there anything unusual on your system? Are those stock ISC packages? Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside

Re: Bind internal name space geo-proximity

2025-03-21 Thread Greg Choules
Hi Karol. The DNS model is that if a zone contains multiple records of the same type with the same owner name - e.g. google.com/NS - then all answers are returned in a response to a query: this is known as an RRSET. In the case of NS records, all RRSETs from anywhere must

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-21 Thread Ondřej Surý
It might, except it has been removed (now I admit I don’t remember in which version), because it was proprietary and never had any real users. It should work while it is still available, but I am not really keen on resurrecting the API for yet another proprietary thing. Ondrej -- Ondřej Surý —

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-21 Thread Ondřej Surý
Greg, not really, but unless the querying is blazingly fast, it needs to use asynchronous processing, and we don't have that now. It is not impossible to write something like this, but with no async-await mechanism in C, it might get complicated very soon. So, I would cross that bridge only i

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-20 Thread Grant Taylor via bind-users
On 3/19/25 10:02 AM, Ondřej Surý wrote: Thinking aloud - perhaps, we can extend the plugin API (and RPZ) in a way to add the classification to the message processing and then the RPZ processing could read the classification and take an action? This sounds like my understanding of what the Resp

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-20 Thread Marcus Kool
I wrote a closed source filtering plugin for BIND and I found that the #1 issue is that there is no defined interface between a plugin and BIND internal data structures. Since data structures (may) have small changes between patch releases, this implies that with /every/ release of BIND, the plu

Re: ISC, GitHub, and CVE-2025-30066

2025-03-20 Thread Ondřej Surý
> On 20. 3. 2025, at 23:12, John Thurston wrote: > > And since I know that ISC has projects at GitHub, and I suspect that ISC > projects would be a big, fat, juicy target for code injection, I feel like I > gotta ask . . Is ISC willing to weigh in and say if their projects may have > been aff

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-20 Thread Michael De Roover
On Wednesday, March 19, 2025 4:05:29 PM CET you wrote: > Michael, > > you can hardly create a static list from all of the domains that can > possibly exists. > > I do understand the usefulness of dynamic classification. > > There’s just not a straightforward interface for it now. Somebody will h

Re: Upgrading the Bind Server issue

2025-03-19 Thread Jeremy C. Reed
On Wed, 19 Mar 2025, Lowry-Schiller, Dell M CTR (USA) via bind-users wrote: > I run this command and it works fine  ./configure --prefix=/usr/local/b > ind-9.9.6 --sysconfdir=/etc --localstatedir=/var --enable-threads --with-ope > nssl I suspect this configure step did not work fine or you r

RE: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Bob McDonald
Maybe I'm not understanding all the nuances of the stated goal but doesn't RPZ handle this? Bob Sent from my Google Pixel 8a phone. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscription

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Ondřej Surý
Hi again, if this is something that is going to be open-source and the whole BIND 9 users community would benefit from this, I would love to hear and see more. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside you

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Michael De Roover
On Wednesday, March 19, 2025 3:40:28 PM CET Mónika Kiss wrote: > Hello, > > Thank you for your response. > > I have a domain categorization program written in C that dynamically > determines the risk level of a queried domain. > I need to integrate this categorization logic into a BIND 9 plugin t

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Ondřej Surý
Michael, you can hardly create a static list from all of the domains that can possibly exist. I do understand the usefulness of dynamic classification. There’s just not a straightforward interface for it now. Somebody will have to invest into writing this :shrug: Ondrej -- Ondřej Surý — ISC

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Ondřej Surý
Thinking aloud - perhaps, we can extend the plugin API (and RPZ) in a way to add the classification to the message processing and then the RPZ processing could read the classification and take an action? But that’s quite a huge chunk of work. As I said, there was an attempt to rewrite dns64 as a plug

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Mónika Kiss
Hello, Thank you for your response. I have a domain categorization program written in C that dynamically determines the risk level of a queried domain. I need to integrate this categorization logic into a BIND 9 plugin that: - Calls the categorization function to analyze each incoming DNS que

Re: [DNSSEC] when remove KSK from file system

2025-03-19 Thread Matthijs Mekking
You can set 'purge-keys' to a value you feel comfortable with. By default it is set to 90 days, so after 90 days the key is completely hidden, it will be removed from disk. Best regards, Matthijs On 19-03-2025 09:29, adrien sipasseuth wrote: Hello, I use Bind 9.20.4, with KASP policy to set

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Michael De Roover
On Wednesday, March 19, 2025 3:01:48 PM CET Bob McDonald wrote: > Maybe I'm not understanding all the nuances of the stated goal but doesn't > RPZ handle this? Was my first thought as well, works fine for me. In named.conf: options { // RPZ zone // Source: https://deteque.com/m3a

Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Ondřej Surý
Hi Mónika, I concur the documentation is a bit scarce, have you looked at the existing plugins? This might give you a little bit of guidance. Additionally, we have at least one more MR with the unfinished plugin in the GitLab. It’s kind of old, but it is different from the filter_a/filter_aaa

Re: Upgrading the Bind Server issue

2025-03-19 Thread Ondřej Surý
Hi, I think you basically have a couple of options: 1. use ISC provided packages: https://copr.fedorainfracloud.org/coprs/isc/; I would strongly recommend this option 2. learn what you are really doing and debug this properly. You haven't provided any actionable information. 3. oh, then there's

Re: Upgrading the Bind Server issue

2025-03-19 Thread Marco Moock
Am 19.03.2025 um 13:23:09 Uhr schrieb Lowry-Schiller, Dell M CTR \(USA\) via bind-users: > Message: I am following the instructions provided in the knowledge > base and I am having issues with the upgrade of my bind server to > version 9.20.6 I am currently on version BIND 9.16.23-RH This indicat

Re: Authoritative and caching

2025-03-16 Thread Danjel Jungersen via bind-users
On 16-03-2025 21:40, Greg Choules wrote: Hi. From what others have said, that makes sense. For BIND's static files to be under /etc and operational files (zone data, journals etc.) to be somewhere else. What are the permissions on /var/lib/bind/ and/or /var/cache/bind? Both are root:bind and

Re: Authoritative and caching

2025-03-16 Thread Danjel Jungersen via bind-users
>I would either change ownership of "/etc/bind" and all files and folders >below that from "root" to "bind", or, if the group for user "bind" is also >"bind", leave ownership as root but change group permissions to rwx for >everything "/etc/bind" and below. You could try starting with just >"/et

Re: Authoritative and caching

2025-03-16 Thread Ondřej Surý
It does, and it follows the FHS, so not in /etc. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 16. 3. 2025, at 17:08, Timothe Litt via bind-users > wrote: > > In the

Re: Authoritative and caching

2025-03-16 Thread Timothe Litt via bind-users
On 15-Mar-25 18:16, Lee wrote: On Sat, Mar 15, 2025 at 5:25 PM Danjel Jungersen via bind-users wrote: Apparmor was also mentioned, I have no experience with that, and have not changed it in any way (to my knowledge)... On my machine, $ journalctl -l | grep apparmor | grep bind |more shows m

Re: Authoritative and caching

2025-03-16 Thread Greg Choules via bind-users
Sending from the correct alias this time! On Sun, 16 Mar 2025 at 09:03, Greg Choules wrote: > Thank you. > The problem is that named is running as user "bind" but that user > doesn't have file system permissions to create and write to files (the .jnl > and .jbk files at least) in places that it

Re: Authoritative and caching

2025-03-15 Thread Lee
On Sat, Mar 15, 2025 at 5:25 PM Danjel Jungersen via bind-users wrote: > > Apparmor was also mentioned, I have no experience with that, and have not > changed it in any way (to my knowledge)... On my machine, $ journalctl -l | grep apparmor | grep bind |more shows many lines like Dec 14 08:00

Re: Authoritative and caching

2025-03-15 Thread Danjel Jungersen via bind-users
Off-list I was asked.
root@ns1:/etc/bind# ls -la
total 60
drwxr-sr-x  3 root bind 4096 Mar 15 16:31 .
drwxr-xr-x 71 root root 4096 Jan  6 08:40 ..
-rw-r--r--  1 root root 2403 Jul 27  2024 bind.keys
-rw-r--r--  1 root root  255 Jul 27  2024 db.0
-rw-r--r--  1 root root  271 Jul 27  2024 db.12
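The "create: permission denied" errors reported in this thread come down to a single POSIX rule: named, running as user "bind", needs write and search permission on the directory where it creates .jnl and .jbk files, and /etc/bind is root:bind with mode drwxr-sr-x, so the group class it falls into has no write bit. The following is an added example, not code from the thread or from BIND, that parses the posted listing (embedded below as constructed input) and evaluates that rule for an arbitrary user and group set, then shows the effect of the chmod g+w option suggested in the thread. The directory name "." and the user/group names are taken from the posted listing; the report wording is this example's own.

```python
from dataclasses import dataclass, replace

# Constructed input: the lines of the "ls -la /etc/bind" output posted in
# this thread that matter for the diagnosis (the directory itself, its
# parent, and two of the files).
LISTING = """\
total 60
drwxr-sr-x  3 root bind 4096 Mar 15 16:31 .
drwxr-xr-x 71 root root 4096 Jan  6 08:40 ..
-rw-r--r--  1 root root 2403 Jul 27  2024 bind.keys
-rw-r--r--  1 root root  255 Jul 27  2024 db.0
"""


@dataclass(frozen=True)
class Entry:
    mode: str    # symbolic mode exactly as ls prints it, e.g. "drwxr-sr-x"
    owner: str
    group: str
    name: str


def parse_ls(text):
    """Turn "ls -la" lines into Entry objects; the "total" line is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)   # mode links owner group size mon day time name
        if len(parts) < 9:
            continue
        entries.append(Entry(parts[0], parts[2], parts[3], parts[8]))
    return entries


def _rwx(mode, who):
    """(r, w, x) for owner (0), group (1) or other (2).
    Lower-case s/t mean setuid/setgid/sticky *plus* execute; upper-case S/T
    mean the special bit is set but execute is not."""
    r, w, x = mode[1 + 3 * who: 4 + 3 * who]
    return r == "r", w == "w", x in "xst"


def can_create_in(directory, user, groups):
    """Creating a file needs write AND search (execute) on the directory,
    evaluated against the first matching class: owner, then group, then other."""
    if not directory.mode.startswith("d"):
        raise ValueError(f"{directory.name} is not a directory")
    if user == directory.owner:
        cls = 0
    elif directory.group in groups:
        cls = 1
    else:
        cls = 2
    _, w, x = _rwx(directory.mode, cls)
    return w and x


def is_setgid(directory):
    """With setgid on the directory, files named creates there get group=bind."""
    return directory.mode[6] in "sS"


def group_writable(directory):
    """The chmod g+w option from this thread, applied to the parsed entry."""
    return replace(directory, mode=directory.mode[:5] + "w" + directory.mode[6:])


def diagnose(listing, user, groups):
    """Report whether `user` (member of `groups`) can create files in the
    listed directory, and which of the thread's two fixes applies."""
    d = {e.name: e for e in parse_ls(listing)}["."]
    ok = can_create_in(d, user, groups)
    report = {"directory": f"{d.mode} {d.owner}:{d.group}",
              "can_create": ok, "setgid": is_setgid(d), "fix": None}
    if not ok and d.group in groups:
        report["fix"] = (f"chmod g+w on the directory (setgid already gives new files "
                         f"group {d.group}), or move writable zone files out of /etc "
                         f"into the distribution's /var/lib or /var/cache location")
    elif not ok:
        report["fix"] = "chown/chgrp the directory to the named user or its group"
    return report


if __name__ == "__main__":
    print(diagnose(LISTING, "bind", {"bind"}))
```

Run as-is it reports can_create False for user bind, confirming the listing alone explains the errors; pass "root" to see why the same files are fine for manual edits, which is exactly the asymmetry that makes this class of problem easy to miss.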

Re: Authoritative and caching

2025-03-15 Thread Lee
On Sat, Mar 15, 2025 at 12:32 PM Danjel Jungersen via bind-users < bind-users@lists.isc.org> wrote: > I'm so sorry, but I have to trouble you guys again. > > The help below helped, I have no errors from checkconf or checkzone, but > from journalctl I get: > /etc/bind/zones/db.jungersen.dk.jbk: cre

Re: Authoritative and caching

2025-03-15 Thread Greg Choules via bind-users
Hi Danjel. Please send "ls -al" of both "/etc/bind" and "/etc/bind/zones" Thanks, Greg On Sat, 15 Mar 2025 at 16:32, Danjel Jungersen via bind-users < bind-users@lists.isc.org> wrote: > I'm so sorry, but I have to trouble you guys again. > > The help below helped, I have no errors from checkconf

RE: Questions about "dnssec validation" statement

2025-03-15 Thread Chris Isaksen
Thanks I'll try that. -Original Message- From: Evan Hunt Sent: Thursday, March 6, 2025 1:46 PM To: Chris Isaksen Cc: bind-users@lists.isc.org Subject: Re: Questions about "dnssec validation" statement On Thu, Mar 06, 2025 at 12:56:08PM +, Chris Isaksen wrote: >

Re: Authoritative and caching

2025-03-15 Thread Danjel Jungersen via bind-users
I'm so sorry, but I have to trouble you guys again. The help below helped, I have no errors from checkconf or checkzone, but from journalctl I get: /etc/bind/zones/db.jungersen.dk.jbk: create: permission denied and /etc/bind/zones/db.jungersen.dk.signed.jnl: create: permission denied and some

Re: BIND 9.20.6: spurious recursive lookup failures after longish uptime

2025-03-14 Thread Ben Scott
> From: "Havard Eidnes via bind-users" > Sent: Thursday, March 13, 2025 7:21:32 AM > The reason is that the "how to reproduce the problem" bit is > quite fuzzy. Yeah. :-( In general, without logs or similar, it is impossible to diagnose this sort of problem by DNS results alone. Unless zon

Re: BIND 9.20.6: spurious recursive lookup failures after longish uptime

2025-03-13 Thread Petr Špaček
On 3/13/25 12:21, Havard Eidnes via bind-users wrote: I wondered a while whether this would be more appropriate to post here or as an issue in ISC's gitlab, but came to the conclusion that for now the best place would be here. The reason is that the "how to reproduce the problem" bit is quite fu

Re: rndc: 'reload' failed: unexpected error

2025-03-13 Thread Greg Choules
Hi Duan. Firstly, please upgrade to the latest BIND as 9.11 is very old now and has many security flaws that will not be fixed because it is obsolete. Secondly, after you have upgraded try it again and if the problem still exists, come back here. Cheers, Greg > On 13 Mar 2025, at 09:23, Duan D

Re: Authoritative and caching

2025-03-12 Thread Mark Andrews
I shouldn’t have tried to write that on the phone from memory.
dnssec-policy "unlimited" {
    keys { csk lifetime unlimited algorithm ECDSAP256SHA256; };
};
zone "jungersen.dk" {
    type master;
    file "/etc/bind/zones/db.jungersen.dk";
    allow-transfer { 192.168.20.11; };

Re: Authoritative and caching

2025-03-12 Thread Danjel Jungersen via bind-users
On 20-02-2025 08:40, Mark Andrews wrote: The zone is available publicly, but from public servers not hosted by me (one.com). And points to my external ip. My internal bind redirects local traffic directly to local servers on local ip's. DNSSEC is designed to stop spoofed answers being accepte

Re: Using a PCIe HSM card with BIND

2025-03-12 Thread Ondřej Surý
Hi Sergio, the BIND 9 documentation covers this: https://bind9.readthedocs.io/en/v9.18.34/chapter5.html#pkcs-11-cryptoki-support Since you are using OpenSSL you must ensure that Legacy engines are enabled. I would however recommend switching to 9.20.6 that has support for more modern OpenSSL Pr

Re: Questions about "dnssec validation" statement

2025-03-11 Thread Evan McKinney
Hi Chris If you've got your global options set similarly to this
options {
    dnssec-validation auto; // Global validation enabled
    // ... other options ...
};
Have you been able to try something along the lines of this?
zone "no-dnssec.example" {
    type forward;
    forwarders { 192.0.2.1;

Re: bind crashes with assertion, maybe due to many ephemeral network devices?

2025-03-11 Thread Ondřej Surý
> bind crashes with assertion, maybe due to many ephemeral network devices? Looking at the symptoms and your description, I actually think this is a problem of interfaces appearing during the network interface scan and then disappearing before named can process them. I would suggest to disable th

Re: bind crashes with assertion, maybe due to many ephemeral network devices?

2025-03-11 Thread Erich Eckner
Hi Ondrej, thanks for the fast answer :) On Mon, 10 Mar 2025, Ondřej Surý wrote: bind crashes with assertion, maybe due to many ephemeral network devices? Looking at the symptoms and your description, I actually think this is a problem of interfaces appearing during the network interface sc

RE: Some operational questions about TSIG / XoT

2025-03-08 Thread Klaus Darilion via bind-users
.html - https://dnsprivacy.org/encrypted-zone-transfer/ - https://bind9.readthedocs.io/en/stable/chapter7.html#tsig Not directly related: - https://kb.isc.org/docs/aa-00851#example-3-adding-a-second-server Perhaps the footnote "Further information on TSIG" could use a re-reference

Re: Questions about "dnssec validation" statement

2025-03-06 Thread Evan Hunt
On Thu, Mar 06, 2025 at 12:56:08PM +, Chris Isaksen wrote: > I was wondering if dnssec validation could be set to auto in the options > section and then set it to 'no' in a particular zone? > > We would like to use "dnssec validation auto" but a few forwarding zones > we have, we know do not

Re: Just a suspicion for now: Memory leak in 9.20.4?

2025-03-06 Thread Borja Marcos via bind-users
> On 14 Feb 2025, at 09:49, Borja Marcos via bind-users > wrote: > > Signed PGP part > > >> On 13 Feb 2025, at 14:46, Ondřej Surý wrote: >> >> There’s official KB article on the topic: >> https://kb.isc.org/docs/bind-memory-consumption-explained - you actually >> need to use jeprof and u

RE: Questions about "dnssec validation" statement

2025-03-06 Thread Chris Isaksen
05 AM To: Chris Isaksen Cc: bind-users@lists.isc.org Subject: Re: Questions about "dnssec validation" statement Hi Chris If you've got your global options set similarly to this options { dnssec-validation auto; // Global validation enabled // ... other options ... }; Have

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-03-05 Thread Bernd Naumann
Hey again! On 03.03.25 3:18 PM, Matthijs Mekking wrote: > Hi Bernd, > > Sorry for taking a long time to answer these questions: > No worries I had/have no time pressure. >> 1) Timing Options: >> >> I didn't grasp yet all the defaults and their calculated interaction >> when I let `bind9` ma

RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
> -Original Message- > From: Petr Špaček > Sent: Tuesday, March 4, 2025 6:11 PM > To: Robert Wagner ; Klaus Darilion > > Cc: bind-us...@isc.org > Subject: Re: XoT Testing: TLS peer certificate verification failed > > > I think I have solved the mistery: B

Re: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Petr Špaček
I think I have solved the mystery: Bind (or openssl, whoever does the validation) requires Subject Alternative Name. Regardless of whether the hostname or the IP address is used, it must be in the subject alternative name. When using self-signed certificates, it is probably best to put both in the SAN
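The finding above (the peer name or address must appear in the certificate's subjectAltName; the CN is not consulted) is the identity-matching rule of RFC 6125 as modern OpenSSL applies it. The following is an added illustration, not BIND's or OpenSSL's code, that implements that rule over a certificate represented only by its SAN list: DNS-ID entries are compared case-insensitively with at most one wildcard as the whole leftmost label, IP-ID entries are compared as addresses rather than strings, and a CN is accepted as a parameter purely to show it is ignored. The SAN values in the test are the ones from the openssl -addext line posted later in this thread; the helper that parses that -addext syntax is this example's own.

```python
import ipaddress


def _dns_id_match(pattern, hostname):
    """RFC 6125 DNS-ID comparison: case-insensitive label match; a single
    '*' is allowed only as the entire leftmost label and must leave at least
    two further labels (so '*.at' never matches)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False            # wildcard covers exactly one label, never more
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def _is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def cert_matches_peer(san, peer, common_name=None):
    """
    san:  list of ("DNS", name) / ("IP", address) tuples from the certificate.
    peer: what the client was told to expect, i.e. the tls-hostname it was
          configured with, or the literal address it connected to.
    common_name is deliberately unused: the CN plays no part in the decision.
    """
    if _is_ip_literal(peer):
        want = ipaddress.ip_address(peer)
        # An IP literal never matches a DNS-ID, even if the string is identical.
        return any(kind == "IP" and ipaddress.ip_address(val) == want
                   for kind, val in san)
    return any(kind == "DNS" and _dns_id_match(val, peer) for kind, val in san)


def san_from_openssl_addext(arg):
    """Parse the value of openssl's -addext "subjectAltName=DNS:a,IP:1.2.3.4"
    into the tuple list used above (only DNS and IP entries are supported)."""
    _, _, value = arg.partition("=")
    out = []
    for item in value.split(","):
        kind, _, val = item.strip().partition(":")
        if kind not in ("DNS", "IP") or not val:
            raise ValueError(f"unsupported SAN entry {item!r}")
        if kind == "IP":
            ipaddress.ip_address(val)   # reject malformed addresses early
        out.append((kind, val))
    return out


if __name__ == "__main__":
    san = san_from_openssl_addext(
        "subjectAltName=DNS:xot-test-primary.ops.nic.at,IP:193.46.106.51")
    print(cert_matches_peer(san, "xot-test-primary.ops.nic.at"))   # True
    print(cert_matches_peer(san, "193.46.106.51"))                  # True
    print(cert_matches_peer([], "xot-test-primary.ops.nic.at",
                            common_name="xot-test-primary.ops.nic.at"))  # False
```

The last call is the failing configuration from the start of this thread: a certificate whose only identity is in the CN matches nothing, whether the secondary is configured with the hostname or the address, which is why putting both in the SAN is the right advice for self-signed XoT certificates.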

Re: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Robert Wagner
fied to be working in both the latest version of MS IE and Firefox (as of 2005/05/12)... RW From: bind-users on behalf of Klaus Darilion via bind-users Sent: Tuesday, March 4, 2025 8:55 AM To: Klaus Darilion ; Ondřej Surý Cc: bind-us...@isc.org Subject: RE:

RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
-certificate.crt -subj "/CN=xot-test-primary.ops.nic.at" -addext "subjectAltName=DNS:xot-test-primary.ops.nic.at,IP:193.46.106.51" regards Klaus From: bind-users On Behalf Of Klaus Darilion via bind-users Sent: Tuesday, March 4, 2025 11:31 AM To: Ondřej Surý Cc: bind-us...@isc.

Re: Questions about CVE-2024-11187

2025-03-04 Thread Laszlo Szollosi
Hi Petr, Thank you for the quick response. Yes, I said it before, the utilization stayed high. :) I checked it now and I can see increased network traffic, memory and disk utilization for the same time period. Kind Regards, Laszlo On Tue, 4 Mar 2025 at 09:14, Petr Špaček wrote: > On 04. 03. 25

RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
From: Ondřej Surý Sent: Tuesday, March 4, 2025 10:05 AM To: Klaus Darilion Cc: bind-us...@isc.org Subject: Re: XoT Testing: TLS peer certificate verification failed Sounds like this: https://gitlab.isc.org/isc-projects/bind9/-/issues/3896 -- Ondřej Surý — ISC (He/Him) My working hours and your

Re: Questions about CVE-2024-11187

2025-03-04 Thread Petr Špaček
On 04. 03. 25 9:53, Laszlo Szollosi wrote: Many thanks for your response. By mitigation, I mean we have seen an increase in resource utilization, but it would have been much worse without the 'minimal-responses' setting (reduced impact). By prevention, I mean we would not have had the impact a

RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
May it be, that the validation is just broken? Even when using dig, and explicitely use the hostname of the Primary (which uses its hostname in its certificate) in @... and tls-hostname, the verification fails due to hostname mismatch: # dig @xot-test-primary.ops.nic.at test.klaus +tls axfr +tl

Re: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Ondřej Surý
Sounds like this: https://gitlab.isc.org/isc-projects/bind9/-/issues/3896 -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. On 4. 3. 2025, at 10:01, Klaus Darilion via bind-users wrote:

Re: Questions about CVE-2024-11187

2025-03-04 Thread Laszlo Szollosi
Hi Petr, Many thanks for your response. By mitigation, I mean we have seen an increase in resource utilization, but it would have been much worse without the 'minimal-responses' setting (reduced impact). By prevention, I mean we would not have had the impact at all. By a spike, I mean the CPU util

Re: Is there any config to disable bind9 retry for rcode refused

2025-03-04 Thread Mark Andrews
Returning REFUSED to ANY is antisocial as it requires every resolver in the world to special case this. There are better mechanisms to deal with it like returning TC=1 or BADCOOKIE if there is only a client cookie or returning one of the RRsets at the name. -- Mark Andrews On 4 Mar 2025, at 18:21
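Two of the three alternatives named above can be shown in a few dozen lines of wire-format handling. The following is an added example, not BIND's code and not from the thread, of a minimal authoritative responder that answers QTYPE=ANY over UDP with TC=1 and an empty answer (so a resolver retries over TCP and the response cannot be used for amplification), answers ANY over TCP with a single RRset for the name rather than everything, and otherwise serves the requested type normally. The zone content, query ID and transport labels are constructed for the example; the BADCOOKIE variant is omitted because it needs EDNS option parsing, and NXDOMAIN responses omit the SOA in the authority section to keep the example short.

```python
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100

# Constructed zone: owner name -> {qtype: [rdata, ...]}; insertion order decides
# which RRset an ANY-over-TCP answer returns (here the A RRset).
ZONE = {
    "www.example.": {
        QTYPE_A: [bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])],
        QTYPE_TXT: [b"\x05hello"],
    },
}


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Uncompressed name at `off`; returns (name, offset after the name)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode())
        off += n


def build_query(qname, qtype, qid=0x1234):
    """Plain recursion-desired query with one question and no EDNS."""
    return (struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def parse_query(msg):
    qid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return qid, flags, qname, qtype, msg[12:off + 4]   # last item: raw question


def encode_rr(rtype, rdata, ttl=300):
    # 0xC00C: compression pointer to the question name at offset 12.
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def answer(msg, transport, zone=ZONE):
    """transport is "udp" or "tcp"; returns the wire-format response."""
    qid, flags, qname, qtype, question = parse_query(msg)
    resp_flags = FLAG_QR | FLAG_AA | (flags & FLAG_RD)
    rrsets, rcode, rrs, ancount = zone.get(qname), 0, b"", 0
    if rrsets is None:
        rcode = 3                              # NXDOMAIN
    elif qtype == QTYPE_ANY:
        if transport == "udp":
            resp_flags |= FLAG_TC              # nothing to amplify; client retries over TCP
        else:
            rtype, rdatas = next(iter(rrsets.items()))   # one RRset, not the whole name
            rrs = b"".join(encode_rr(rtype, rd) for rd in rdatas)
            ancount = len(rdatas)
    else:
        for rd in rrsets.get(qtype, []):       # NODATA falls through with ancount 0
            rrs += encode_rr(qtype, rd)
            ancount += 1
    header = struct.pack("!HHHHHH", qid, resp_flags | rcode, 1, ancount, 0, 0)
    return header + question + rrs


def header(msg):
    """Decode the fields a client would look at first."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF, "ancount": an}


if __name__ == "__main__":
    q = build_query("www.example.", QTYPE_ANY)
    print(header(answer(q, "udp")))   # tc True, ancount 0
    print(header(answer(q, "tcp")))   # tc False, ancount 2 (the A RRset only)
```

Both paths leave the RCODE at NOERROR, so a resolver needs no special case: a truncated UDP answer is retried over TCP by every standards-conforming resolver already, and a partial ANY answer over TCP is a legitimate response it can cache.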

Re: Is there any config to disable bind9 retry for rcode refused

2025-03-03 Thread Greg Choules via bind-users
Hi Neil. I don't think there is. Perhaps you should suggest it in a Gitlab issue? Just to be clear, though, please can you give an example of what you mean? A real life one would be best. Either a binary pcap or +vvv to screen of the query BIND makes and the REFUSED it receives followed by it retr

Re: Where are ISC docs for log file codings?

2025-03-03 Thread Brett Delmage via bind-users
On Mon, 3 Mar 2025, Jan-Piet Mens wrote: You might want to begin your journey at [1], followed by [2]. [1] https://kb.isc.org/docs/aa-01031 [2] https://kb.isc.org/docs/aa-01526 Thanks. This is in an area I did not search in earlier. Brett -- Visit https://lists.isc.org/mailman/listinfo/bind-u

Re: Where are ISC docs for log file codings?

2025-03-03 Thread Mark Andrews
It is documented in the Administrators Reference Manual (ARM). Look for the queries channel in the logging section. See Downloads on the ISC website for the ARM version appropriate for your release. e.g. https://downloads.isc.org/isc/bind9/9.20.6/doc/arm/html/reference.html#namedconf-statemen

Re: Where are ISC docs for log file codings?

2025-03-03 Thread Brett Delmage via bind-users
On Mon, 3 Mar 2025, Michael Richardson wrote: Brett Delmage via bind-users wrote: > Specifically for me now that's the query log including the flags. But it > could be other log files too at times. I am running DNSSEC and primary, > secondary, and internal resolving servers so many log

Re: Where are ISC docs for log file codings?

2025-03-03 Thread Jan-Piet Mens
Where is the documentation for how to interpret log file content? You might want to begin your journey at [1], followed by [2]. At least for querylogs you should find what you're looking for, many (most?) other logs will require a bit of experience to interpret. -JP [1] https://kb.i

Re: Where are ISC docs for log file codings?

2025-03-03 Thread Michael Richardson
Brett Delmage via bind-users wrote: > Specifically for me now that's the query log including the flags. But it > could be other log files too at times. I am running DNSSEC and primary, > secondary, and internal resolving servers so many logs are of interest at > different times. I

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-03-03 Thread Matthijs Mekking
Hi Bernd, Sorry for taking a long time to answer these questions: > 1) Timing Options: > > I didn't grasp yet all the defaults and their calculated interaction > when I let `bind9` manage the signing keys for a zone, which in the end > just follows an RFC, if I'm right? I would like to "rep

Re: Questions about CVE-2024-11187

2025-03-03 Thread Petr Špaček
On 28. 02. 25 14:23, Laszlo Szollosi wrote: I'm hoping I can get some insight about the vulnerability mentioned above. We had been running BIND 9.20.4 in our infrastructure, and upgraded to 9.20.6 just recently. CVE-2024-12705 does not apply to our setup, yet we have a suspicion that we were im

Re: [bind-9.18.26] named crash with assertion failure

2025-03-01 Thread Ondřej Surý
Sure, here is 9.18.26 with all the required patches: https://ftp.isc.org/isc/bind9/9.18.34/bind-9.18.34.tar.xz Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 28. 2. 202

Re: [bind-9.18.26] named crash with assertion failure

2025-02-28 Thread Avijeet Gupta
Hi Ondrej, Thank you for your prompt response. We recently upgraded to this version as it was marked as stable. It may take some time to upgrade to the latest version of bind-9.18. Meanwhile I was wondering if I can patch the fix (if available) to our current version or any workaround available

Re: [bind-9.18.26] named crash with assertion failure

2025-02-27 Thread Ondřej Surý
Start with upgrading to the latest 9.18. You are 8 versions behind, and yes, bugs get fixed. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 27. 2. 2025, at 23:12, avije

Re: XoT Testing: TLS peer certificate verification failed

2025-02-27 Thread Robert Wagner
When validating a certificate, be sure to use the context of the DNS service... So, if your service runs under user BIND, you may need to su to BIND to test. This may help flush out issues where the ca.crt file was set so BIND could not read it. I don't know what happens when you set TLS to str

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-02-25 Thread Bernd Naumann
On 24.02.25 9:47 AM, Matthijs Mekking wrote: > Hi Bernd, > Hey Matthijs, Why not let us start all over again :) (I really do thank you so much for taking the time!) > Non-signing keys (for example a stand-by key), is a bit tricky in > dnssec-policy and not fully supported. > > In 9.18, I woul

Re: xfer-in: Transfer status: timed out (selective failures)

2025-02-25 Thread Peter 'PMc' Much
Thanks a lot, folks! The problem is solved - I put a "checksum" module between the firewall and the "nat" module (I have netgraph[1] modules), and that works now as expected. Apparently, when NAT-rewriting the address of a /locally created/ packet, at the time of rewriting the checksum has not

Re: Anycast DNS VIPs network IPv4

2025-02-25 Thread Greg Choules via bind-users
Hi Karol. If I understand you correctly, the choice of address to use is up to you and how it works best in your network. The DNS service addresses only need to be relevant to the network they sit in and the clients that need to reach them. In a private network, any 10 etc. address would work, as l

Re: xfer-in: Transfer status: timed out (selective failures)

2025-02-25 Thread Michael De Roover
On Tuesday, February 25, 2025 2:20:45 AM CET Crist Clark wrote: > Another thing to consider, especially if you are playing wild games routing > through tunnels and such, is to verify the server has a route back to the > client. If something in the LAN can reach it, like the first dump, but > off-ne

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-02-25 Thread Matthijs Mekking
On 24-02-2025 11:51, Bernd Naumann wrote: ... In 9.18, I would suggest to disable inline-signing and just add the DNSKEY record to the zone. Don't put the key files for the stand-by key in the 'key-directory', this should only hold signing keys. Jep I've done that; except "Don't put the ke

RE: Policy-dnssec timeline step by step

2025-02-25 Thread Nguyen Thi Minh Tam via bind-users
Yes, the ZSK rollover got weird when the DS had not reached the omnipresent state yet. Why is that? -Original Message- From: bind-users On Behalf Of Matthijs Mekking Sent: Friday, February 21, 2025 2:30 PM To: bind-users@lists.isc.org Subject: Re: Policy-dnssec timeline step by step Hi

Re: xfer-in: Transfer status: timed out (selective failures)

2025-02-24 Thread Crist Clark
Another thing to consider, especially if you are playing wild games routing through tunnels and such, is to verify the server has a route back to the client. If something in the LAN can reach it, like the first dump, but off-net gets no response, like the second, that’s a classic cause. On Mon, Fe

Re: xfer-in: Transfer status: timed out (selective failures)

2025-02-24 Thread Timothe Litt via bind-users
On 24-Feb-25 17:54, Peter 'PMc' Much wrote: tcpdump was friendly enough to tell me I should use -vv option, only I didn't read that at first. Then it clearly shows that these packets have invalid checksums. :( And that is apparently reason enough to just drop them without notice. Now how they a

Re: ECS subnet

2025-02-24 Thread Evan Hunt
On Tue, Feb 18, 2025 at 08:40:53AM +0100, Rainer Duffner wrote: > > ECS is not supported in the open source version of BIND so I guess > > it might not get logged. The open source version doesn't *send* client-subnet requests, or cache the responses differently depending on client-subnet data incl

Re: xfer-in: Transfer status: timed out (selective failures)

2025-02-24 Thread Peter 'PMc' Much
On Mon, Feb 24, 2025 at 10:01:49PM +0100, Peter 'PMc' Much wrote: ! Packets do arrive, but are ignored. ! The local firewall is switched to pass-thru. ! ! I don't know what else could selectively swallow packets without ! notice. Okay, I figured it out. tcpdump was friendly enough to tell me I
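Timothe's and Peter's messages above describe the failure: the NAT rewrote the source address of a locally generated packet before its checksums were finalised, `tcpdump -vv` flagged the packets as having bad checksums, and the remote side dropped them without any response, which looks exactly like a transfer timeout. The following added example (not code from the thread) builds a small IPv4/UDP DNS query with correct checksums, verifies the IPv4 header checksum and the UDP pseudo-header checksum the way a receiver does, and then simulates a NAT that rewrites the source address with and without recomputing them. The addresses, ports and DNS query bytes are constructed test data.

```python
"""Verify IPv4 and UDP checksums on a raw datagram and show why a NAT that
rewrites the source address without recomputing them yields packets the
receiver silently drops. Added example; all addresses/ports are constructed."""
import struct
from ipaddress import IPv4Address

IPPROTO_UDP = 17

# Constructed DNS query: ID 0x1234, RD set, one question for example.com/IN/A.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data: bytes) -> int:
    """Value to store in the header: complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def udp_pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    """RFC 768 pseudo-header: the UDP checksum covers the IP addresses too."""
    return src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an IPv4+UDP datagram with both checksums correctly computed."""
    s, d = IPv4Address(src).packed, IPv4Address(dst).packed
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    ck = inet_checksum(udp_pseudo_header(s, d, udp_len) + udp_hdr + payload)
    ck = ck or 0xFFFF  # a computed 0 is transmitted as 0xFFFF; 0 means "no checksum"
    udp = struct.pack("!HHHH", sport, dport, udp_len, ck) + payload
    fmt = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, cksum, src, dst
    hdr = struct.pack(fmt, 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, IPPROTO_UDP, 0, s, d)
    hdr = struct.pack(fmt, 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, IPPROTO_UDP,
                      inet_checksum(hdr), s, d)
    return hdr + udp


def verify(pkt: bytes) -> tuple:
    """Return (ip_ok, udp_ok). A receiver drops the packet, with no reply at all,
    if either is False; summing a header with its stored checksum must give 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_ok = ones_complement_sum(pkt[:ihl]) == 0xFFFF
    src, dst = pkt[12:16], pkt[16:20]
    udp = pkt[ihl:]
    udp_len, stored = struct.unpack("!HH", udp[4:8])
    if stored == 0:
        udp_ok = True  # IPv4 sender opted out of the UDP checksum
    else:
        udp_ok = ones_complement_sum(udp_pseudo_header(src, dst, udp_len) + udp[:udp_len]) == 0xFFFF
    return ip_ok, udp_ok


def nat_rewrite_source(pkt: bytes, new_src: str, fix_checksums: bool) -> bytes:
    """Simulate source NAT. fix_checksums=False is the broken case from the thread:
    the address changes but neither the IP nor the UDP checksum is updated."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, udp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[12:16] = IPv4Address(new_src).packed
    if fix_checksums:
        ip[10:12] = b"\x00\x00"
        ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
        udp_len = struct.unpack("!H", udp[4:6])[0]
        udp[6:8] = b"\x00\x00"
        ck = inet_checksum(udp_pseudo_header(bytes(ip[12:16]), bytes(ip[16:20]), udp_len) + bytes(udp))
        udp[6:8] = struct.pack("!H", ck or 0xFFFF)
    return bytes(ip + udp)


if __name__ == "__main__":
    pkt = build_ipv4_udp("10.0.0.2", "192.0.2.53", 40000, 53, DNS_QUERY)
    print("original       :", verify(pkt))
    print("NAT, no fixup  :", verify(nat_rewrite_source(pkt, "198.51.100.7", False)))
    print("NAT, with fixup:", verify(nat_rewrite_source(pkt, "198.51.100.7", True)))
```

One caveat when reading `tcpdump -vv` output on the sending host itself: with transmit checksum offload enabled, the NIC fills in the checksum after the capture point, so locally generated packets routinely show `bad udp cksum` there even though they leave the wire correct. A bad checksum seen in a capture taken on the receiving host, as in this thread, is the real thing.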

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-02-24 Thread Bernd Naumann
On 24.02.25 11:51 AM, Bernd Naumann wrote: > > Mhm. But *how* is *everyone else* using DNSSEC then? > https://www.ripe.net/manage-ips-and-asns/dns/dnssec/dnssec-policy-and-practice-statement/#DNSSECPolicyandPracticeStatement-KeySigningKeyRoll-over Does someone know any other good DNSSEC Practic

Re: Using CNAME for _domainkey (DKIM)

2025-02-24 Thread Greg Choules via bind-users
My 2p is... You *shouldn't* do a lot of things, but people do anyway, because they can. If you maintain your own DKIM records then deliberately adding a CNAME upfront seems unnecessarily complicated. KISS. If someone else hosts them and CNAME is a pragmatic way to achieve that "ask them" behaviou

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-02-24 Thread Bernd Naumann
On 24.02.25 11:22 AM, Matthijs Mekking wrote: >> But what I don't understand; RFC 7583 explicit mentioned pre-publish of >> DSDATA of ZSK, but not for KSK (IIUC)? > > And I am confused about the phrase "DSDATA of ZSK". Sorry I'm not fully confident yet about the wording here and there... I think

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-02-24 Thread Matthijs Mekking
Hi Bernd, On 24-02-2025 10:12, Bernd Naumann wrote: Hi Matthijs, thanks for your response. On 24.02.25 9:47 AM, Matthijs Mekking wrote: Hi Bernd, Non-signing keys (for example a stand-by key), is a bit tricky in dnssec-policy and not fully supported. Yeah I figured that in the mean time :

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-02-24 Thread Bernd Naumann
Hi Matthijs, thanks for your response. On 24.02.25 9:47 AM, Matthijs Mekking wrote: > Hi Bernd, > > Non-signing keys (for example a stand-by key), is a bit tricky in > dnssec-policy and not fully supported. > Yeah I figured that in the meantime :/ But what I don't understand; RFC 7583 explic

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-02-24 Thread Matthijs Mekking
Hi Bernd, Non-signing keys (for example a stand-by key), is a bit tricky in dnssec-policy and not fully supported. In 9.18, I would suggest to disable inline-signing and just add the DNSKEY record to the zone. Don't put the key files for the stand-by key in the 'key-directory', this should o

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-02-22 Thread Bernd Naumann
RFC 7583: DNSSEC Key Rollover Timing Considerations [1] describes the various roll-over strategies and the key states... [1] https://www.rfc-editor.org/rfc/rfc7583.html OpenPGP_signature.asc Description: OpenPGP digital signature -- Visit https://lists.isc.org/mailman/listinfo/bind-users to u

Re: debsuryorg-archive-keyring

2025-02-21 Thread Matthew Pounsett
Somewhat related to this, the README in the bind.debian.net repository still includes scripting which sets up packages.sury.org as the repository, which no longer exists in the DNS. That could use some cleanup. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this l
