bind-users Digest, Vol 3, Issue 3

Rob Rathwell rob.rathwell at sjrb.ca
Thu Nov 20 17:59:59 UTC 2008


bind-users-request at lists.isc.org

-----Original Message-----
From: bind-users-bounces at lists.isc.org
[mailto:bind-users-bounces at lists.isc.org] On Behalf Of
bind-users-request at lists.isc.org
Sent: Thursday, November 20, 2008 7:51 AM
To: bind-users at lists.isc.org
Subject: bind-users Digest, Vol 3, Issue 3

Send bind-users mailing list submissions to
	bind-users at lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
	bind-users-request at lists.isc.org

You can reach the person managing the list at
	bind-users-owner at lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."


Today's Topics:

   1. Re: Workaround Solaris's kernel bug (J.D. Bronson)
   2. Re: Is it possible to use one KSK for multiple domains?
      (Adam Tkac)
   3. Re: Is it possible to use one KSK for multiple domains?
      (Adam Tkac)
   4. Re: Help understanding lame server error  (Mark Andrews)
   5. Re: Is it possible to use one KSK for multiple domains?
      (Stephane Bortzmeyer)
   6. Re: Is it possible to use one KSK for multiple domains?
      (Stephane Bortzmeyer)
   7. Re: Help understanding lame server error (Dan at spore.ath.cx)


----------------------------------------------------------------------

Message: 1
Date: Thu, 20 Nov 2008 06:04:39 -0600
From: "J.D. Bronson" <jbronson at hanadarko.com>
Subject: Re: Workaround Solaris's kernel bug
To: BIND Users Mailing List <bind-users at lists.isc.org>
Message-ID: <20081120120436.42DB237195 at cheyenne.hanadarko.com>
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 10:18 AM 11/20/2008 +0000, you wrote:
>This is CR 6724237 
><http://bugs.opensolaris.org/view_bug.do?bug_id=6724237> Which was 
>first introduced in Solaris 8.  At this time there is no patch for 
>Solaris 8, 9 or 10 and therefore "ISC_SOCKET_USE_POLLWATCH" should 
>be defined when building BIND 9 for those systems.
>
>Stacey Marshall
>Sun Microsystems Ltd.

So is there a version *public release* of Bind9 that we can compile
right out of the box that will work correctly on Solaris 10 (10/08) and,
if so, which version is it?

-JD 



------------------------------

Message: 2
Date: Thu, 20 Nov 2008 14:15:47 +0100
From: Adam Tkac <atkac at redhat.com>
Subject: Re: Is it possible to use one KSK for multiple domains?
To: Niall.oReilly at ucd.ie, BIND Users Mailing List
	<bind-users at lists.isc.org>
Cc: bind-users at isc.org
Message-ID:
	<20081120131547.GA2699 at evileye.atkac.englab.brq.redhat.com>
Content-Type: text/plain; charset=us-ascii

On Thu, Nov 20, 2008 at 09:18:01AM +0000, Niall O'Reilly wrote:
> On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:
> > does anyone know if it is possible to sign multiple domains with one
> > KSK?
> 
> 	Adam,
> 
> 	I suspect your question may need to be more specific.

Right you are.

> 
> 	Are you asking about the signing process itself, or rather 
> 	about how certain aspects of this process need to be exposed
> 	in the DNS?
> 
> 	The RFC-fragment you cite seems to me to require that each 
> 	signed zone needs its set of [KZ]SK exposed in the DNS, but 
> 	to be silent on whether a single key can be reused by appearing
> 	as RDATA in the DNSKEY RRsets of multiple zones.
> 
> 	I haven't read 4033/4034 thoroughly, so it's possible I may 
> 	have misunderstood completely.
> 
> 	Best regards,
> 
> 	Niall O'Reilly
> 

I know people who maintain many domains, so they would like to use a
scenario like this:
- each zone has its own ZSK
- all ZSKs are signed with one KSK and the corresponding DS is in the
  parent zone

So, in theory, validation will look like:
- get myzone.tld. DS from tld.
- validate myzone.tld. DNSKEY (= validate KSK)
- validate all ZSKs with myzone.tld. KSK

If I understand section 2.1.1 of RFC 4034 correctly, then when I want
to validate, for example, the "myzone1.tld." ZSK there are only two ways:
- get myzone1.tld. DS from the tld. zone
- get another myzone1.tld. key which will validate it

It isn't possible to validate myzone1.tld. with a key from another zone,
for example myzone2.tld., is it?

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.
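
The validation chain Adam lays out, as an added example that is not from the thread or from BIND: a small Go model of it, with real Ed25519 signatures (crypto/ed25519), DS digests computed as in RFC 4034 section 5.1.4, and the RRSIG reduced to a signer name plus signature. Two constructed zones, myzone1.tld. and myzone2.tld., publish the same KSK key material in their own DNSKEY RRsets and each has its own ZSK. It shows why the answer to the last question is no: the parent's DS digest includes the child's owner name, so the DS for myzone2.tld. never matches a key of myzone1.tld., and an RRSIG whose signer is another zone is rejected before any cryptography runs. It goes one step beyond the question by showing that the same key bytes can still appear in both zones' DNSKEY RRsets, each with its own DS in the parent. The helper names (wireName, computeDS, validateDNSKEYs, validateRRset, demo) and the constructed zone data are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strings"
)

// DNSKEY is one record of a zone's DNSKEY RRset; flags 257 = KSK, 256 = ZSK; algorithm 15 (Ed25519, RFC 8080).
type DNSKEY struct{ Owner string; Flags uint16; Pub ed25519.PublicKey }

// RRSIG is reduced to the signer name, which must be the zone apex, and the signature.
type RRSIG struct{ Signer string; Sig []byte }

// wireName is the canonical wire form of a name (RFC 4034 s6.2): lowercase, length-prefixed labels.
func wireName(name string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0) // root label
}

// rdata is the DNSKEY RDATA: flags | protocol 3 | algorithm 15 | public key.
func (k DNSKEY) rdata() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), 3, 15}, k.Pub...)
}

// computeDS is the RFC 4034 s5.1.4 digest SHA-256(owner name | RDATA); because the owner
// name is digested, a DS in the parent vouches for a key of one child zone only.
func computeDS(k DNSKEY) []byte {
	h := sha256.New()
	h.Write(wireName(k.Owner))
	h.Write(k.rdata())
	return h.Sum(nil)
}

func rrsetBytes(keys []DNSKEY) (b []byte) { // canonical data of a DNSKEY RRset
	for _, k := range keys {
		b = append(b, k.rdata()...)
	}
	return b
}

func toSign(signer, owner string, data []byte) []byte { // message an RRSIG covers
	return append(append(wireName(signer), wireName(owner)...), data...)
}
func sign(priv ed25519.PrivateKey, key DNSKEY, owner string, data []byte) RRSIG {
	return RRSIG{key.Owner, ed25519.Sign(priv, toSign(key.Owner, owner, data))}
}

// validateDNSKEYs is the "DS from parent, then KSK, then DNSKEY RRset" step: a key in the zone's
// own RRset must match a parent DS for this zone and have signed the RRset; all keys are then trusted.
func validateDNSKEYs(zone string, keys []DNSKEY, parentDS [][]byte, sig RRSIG) ([]DNSKEY, error) {
	for _, k := range keys {
		for _, ds := range parentDS {
			if strings.EqualFold(k.Owner, zone) && strings.EqualFold(sig.Signer, zone) &&
				string(ds) == string(computeDS(k)) &&
				ed25519.Verify(k.Pub, toSign(zone, zone, rrsetBytes(keys)), sig.Sig) {
				return keys, nil
			}
		}
	}
	return nil, errors.New("no DNSKEY of " + zone + " matches a parent DS and signs the RRset")
}

// validateRRset checks zone data against that zone's trusted keys; a foreign signer is rejected first.
func validateRRset(zone, owner string, data []byte, sig RRSIG, trusted []DNSKEY) error {
	if !strings.EqualFold(sig.Signer, zone) {
		return errors.New("RRSIG signer " + sig.Signer + " is not zone " + zone)
	}
	for _, k := range trusted {
		if ed25519.Verify(k.Pub, toSign(zone, owner, data), sig.Sig) {
			return nil
		}
	}
	return errors.New("no trusted key of " + zone + " verifies the RRSIG")
}

// demo: constructed zones myzone1.tld. and myzone2.tld. share one KSK key pair and have a ZSK each.
// Returns: own chain validates; myzone2's DS validates myzone1's keys; myzone2's ZSK validates myzone1's data.
func demo() (ownOK, crossDSOK, crossZSKOK bool) {
	z1, z2 := "myzone1.tld.", "myzone2.tld."
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zsk1Pub, zsk1Priv, _ := ed25519.GenerateKey(rand.Reader)
	zsk2Pub, zsk2Priv, _ := ed25519.GenerateKey(rand.Reader)
	keys1 := []DNSKEY{{z1, 257, kskPub}, {z1, 256, zsk1Pub}}
	keys2 := []DNSKEY{{z2, 257, kskPub}, {z2, 256, zsk2Pub}}
	ds1, ds2 := [][]byte{computeDS(keys1[0])}, [][]byte{computeDS(keys2[0])}
	keySig1 := sign(kskPriv, keys1[0], z1, rrsetBytes(keys1))
	owner, data := "www."+z1, []byte("192.0.2.10") // constructed A record
	trusted, err := validateDNSKEYs(z1, keys1, ds1, keySig1)
	ownOK = err == nil && validateRRset(z1, owner, data, sign(zsk1Priv, keys1[1], owner, data), trusted) == nil
	if _, err = validateDNSKEYs(z1, keys1, ds2, keySig1); err == nil {
		crossDSOK = true
	}
	crossZSKOK = validateRRset(z1, owner, data, sign(zsk2Priv, keys2[1], owner, data), trusted) == nil
	return
}
```

demo() comes back with the own-zone chain accepted and both cross-zone attempts rejected: the parent's DS, not the key bytes, decides which zone a KSK is trusted for, which is the distinction Niall's reply points at.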


------------------------------


Message: 4
Date: Fri, 21 Nov 2008 00:50:51 +1100
From: Mark Andrews <Mark_Andrews at isc.org>
Subject: Re: Help understanding lame server error 
To: BIND Users Mailing List <bind-users at isc.org>
Message-ID: <200811201350.mAKDopkF023210 at drugs.dv.isc.org>


In message <8CACCF78-7617-4772-9ABF-DA29D692775E at newgeo.com>, Scott Haneda writes:
> On Nov 19, 2008, at 6:19 PM, Kevin Darcy wrote:
> 
> Here is another example, I think not a reverse lookup for sure:
> 20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving  
> 'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53
> 
> Doesn't that mean that 195.178.32.2 requested a lookup from my NS for
> szi.szi.sv.gov.yu?  I have an email server, and a bunch of web
> servers, the web servers do not have DNS lookups on, so those are not
> asking anything of my DNS server.  The only thing that should be, is
> the email server, but that is not adding up, since I do not have
> reverse lookup checking enabled.

	No.  195.178.32.2 is ns3.nic.yu which is lame (not serving)
	the zone it is listed as serving.

szi.sv.gov.yu.          86400   IN      NS      ns3.nic.yu.
szi.sv.gov.yu.          86400   IN      NS      odisej.telekom.yu.
szi.sv.gov.yu.          86400   IN      NS      ns.szi.sv.gov.yu.
szi.sv.gov.yu.          86400   IN      NS      ns1.nic.yu.
;; Received 185 bytes from 147.91.8.6#53(NS1.NIC.yu) in 147 ms

szi.sv.gov.yu.          74897   IN      NS      ns1.nic.yu.
szi.sv.gov.yu.          74897   IN      NS      ns3.nic.yu.
szi.sv.gov.yu.          74897   IN      NS      odisej.telekom.yu.
szi.sv.gov.yu.          74897   IN      NS      ns.szi.sv.gov.yu.
;; Received 185 bytes from 195.178.32.2#53(ns3.nic.yu) in 163 ms

> I can think of one thing, which is my web stats server, which I would
> think, does resolve IP's to host names, in order to show a report of
> what domains are going to websites.  That being said, I would think,
> that I should see the source of the query IP in the lame server log
> line.

	Why?  The log is there so you know which lookup (by name)
	is failing and which server is broken.
 
> Is there a way to log the client IP on that line?

	No.  At this depth named doesn't care which client asked.
	It's resolving the query for all clients that ask for that
	name and type.  When it has a answer it will send the
	response back.  All the resolver has is a function to send
	the callback data to.

	Mark
 
> Thanks
> --
> Scott
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org


------------------------------

Message: 5
Date: Thu, 20 Nov 2008 15:10:03 +0100
From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Subject: Re: Is it possible to use one KSK for multiple domains?
To: cet1 at cam.ac.uk, BIND Users Mailing List <bind-users at lists.isc.org>
Cc: bind-users at isc.org
Message-ID: <20081120141003.GA19185 at nic.fr>
Content-Type: text/plain; charset=us-ascii

On Thu, Nov 20, 2008 at 11:55:17AM +0000,
 Chris Thompson <cet1 at cam.ac.uk> wrote 
 a message of 33 lines which said:

>> The text you quote is for DNS publication. But you typically do not
>> put KSK in the DNS, no?
>
> Sure you do. How could a validator use it if you didn't? 

Because it is published as a trust anchor?


------------------------------


Message: 7
Date: Thu, 20 Nov 2008 14:50:46 +0000
From: Dan at spore.ath.cx
Subject: Re: Help understanding lame server error
To: "BIND Users Mailing List" <bind-users at lists.isc.org>
Message-ID:
	<1647867224-1227192638-cardhu_decombobulator_blackberry.rim.net-1399678567- at bxe344.bisx.prod.on.blackberry>
Content-Type: text/plain

Have you tried looking up the client IP from another line in the logs
from the same time?


-----Original Message-----
From: Scott Haneda <talklists at newgeo.com>

Date: Thu, 20 Nov 2008 00:45:26 
To: BIND Users Mailing List<bind-users at lists.isc.org>
Subject: Re: Help understanding lame server error


On Nov 19, 2008, at 6:19 PM, Kevin Darcy wrote:
> Scott Haneda wrote:
>> I have a good deal of lame server errors in my logs, which I am not  
>> entirely understanding.
>>
>> 19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving  
>> '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?):  
>> 209.234.64.192#53
> 73.234.209.in-addr.arpa has been delegated to ns1.networkiowa.com  
> (address 209.234.64.192), but that nameserver is not responding  
> authoritatively for the zone. This is referred to technically as  
> being "lame".
>
> Fortunately one of the other delegated nameservers  
> (storm.weather.net) *is* responding authoritatively. So the zone is  
> not completely broken. But named is logging this as a warning. You  
> can configure logging to ignore these lame-server conditions.

Generally I want to know, as there are cases where I mess up, and  
something bad happens.  I watch the logs, and know to fix it.  So I am  
not so much minding the data in my logs, but more just wanting to  
understand what is causing these lookups.

>> 19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving  
>> '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
>> 209.183.48.20#53
>> 19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving  
>> '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?):  
>> 209.43.20.115#53
>> 19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving  
>> '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
>> 209.183.52.20#53
>> 19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving  
>> '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
>> 209.183.48.21#53
> I assume, without looking, that the causes for these are similar to  
> the example above.

Yes, I have thousands of these entries.  I usually use another NS to  
point my email server to, that one has become a little flakey, so I  
moved to using my own local NS on the same machine as the email server.

>> My server is not allowing recursions, other than to localnets.  
>> about the only thing hitting it is an email server. So I am not  
>> clear on why these lookups are happening, or why they are coming  
>> from all these other IP's
> Most email software these days, as a default, performs reverse- 
> lookups of connecting client addresses as a form of spam detection  
> (because it's common knowledge that spammers are genetically  
> incapable of populating reverse records). It is thus perfectly  
> normal to see a lot of reverse-lookup traffic from email servers.

Correct, but that is what is strange.  I am very familiar with my  
email server, and I am not doing reverse PTR record checking.  I am of  
course using some DNSBL's and DNSWL's as well, but no reverse checking.

Further, I have allowed only localnets to check recursively on this  
NS.  I know my IP range, and what machines would be hitting it.

> BTW, if you want to determine where all of these reverse lookups  
> were coming from, you could just turn on query logging. Why guess  
> when you can tell for sure?

This is the core of my question, maybe someone can point me to docs,  
or help me understand a log line.  In the example above, I see field 1  
is the date, field 2 is the time, field 3 looks like the error  
description, field 4 is the level, and then there are the rest of the  
bits.  However, I thought the last part, was an IP and a port, telling  
me, that IP, asked on port 53, for a lookup of my server.  So in this  
case, why do I need to look at the query log, when I believe, this log  
tells me who is doing the lookup.

If this really was the email server doing this lookup, all the lines  
should share the same IP in common.  So let's assume that for a  
second, this is a reverse record lookup, that means my email server is  
asking of my NS for a record/response.  Should I not see my IP in  
those log lines?

Here is another example, I think not a reverse lookup for sure:
20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving  
'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53

Doesn't that mean that 195.178.32.2 requested a lookup from my NS for  
szi.szi.sv.gov.yu?  I have an email server, and a bunch of web  
servers, the web servers do not have DNS lookups on, so those are not  
asking anything of my DNS server.  The only thing that should be, is  
the email server, but that is not adding up, since I do not have  
reverse lookup checking enabled.

I can think of one thing, which is my web stats server, which I would  
think, does resolve IP's to host names, in order to show a report of  
what domains are going to websites.  That being said, I would think,  
that I should see the source of the query IP in the lame server log  
line.

Is there a way to log the client IP on that line?

Thanks
--
Scott

_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
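
A parser for the lame-servers lines Scott quotes, added here as an example that is not code from BIND or from anyone in the thread, written to make Mark's answer concrete: the address after the colon is the nameserver that is listed as NS for the zone in parentheses and did not answer authoritatively for it, never the client that asked named for the name. Grouping by zone turns thousands of such lines into the short list of broken delegations an operator can act on; the client address, as Kevin says, only comes from query logging. The regular expression and the names LameEvent, ParseLame and LameServersByZone are this example's own, fitted to the quoted line format; the sample lines are the ones from the thread plus one constructed line of another category.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// LameEvent is one parsed lame-servers line. Server is the address of the nameserver
// the zone is delegated to but which did not answer authoritatively; it is never the
// client that asked named for the name.
type LameEvent struct {
	Timestamp, Category, Severity string
	QName                         string // name named was trying to resolve
	Zone                          string // zone the server is listed as NS for
	Server, Port                  string // the lame server's address and port
}

// lameRe matches the "lame server resolving" message format quoted in the thread.
var lameRe = regexp.MustCompile(
	`^(\S+ \S+) (\S+): (\S+): lame server resolving '([^']+)' \(in '([^']+)'\?\): ([^#\s]+)#(\d+)$`)

// ParseLame splits one log line into its fields; ok is false for any other line.
func ParseLame(line string) (e LameEvent, ok bool) {
	m := lameRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return e, false
	}
	return LameEvent{m[1], m[2], m[3], m[4], m[5], m[6], m[7]}, true
}

// IsReverse reports whether the lookup was a reverse (PTR) name.
func (e LameEvent) IsReverse() bool {
	q := strings.ToLower(e.QName)
	return strings.HasSuffix(q, ".in-addr.arpa") || strings.HasSuffix(q, ".ip6.arpa")
}

// LameServersByZone groups the lame server addresses seen per zone, so the operator
// sees which delegations are broken instead of chasing client addresses.
func LameServersByZone(lines []string) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, line := range lines {
		if e, ok := ParseLame(line); ok {
			if seen[e.Zone] == nil {
				seen[e.Zone] = map[string]bool{}
			}
			seen[e.Zone][e.Server] = true
		}
	}
	out := map[string][]string{}
	for zone, servers := range seen {
		for s := range servers {
			out[zone] = append(out[zone], s)
		}
		sort.Strings(out[zone])
	}
	return out
}

// sampleLines are the lame-servers lines quoted in the thread, plus one constructed
// line of another category to show that unrelated lines are skipped.
var sampleLines = []string{
	"19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?): 209.234.64.192#53",
	"19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.20#53",
	"19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?): 209.43.20.115#53",
	"19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.52.20#53",
	"19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.21#53",
	"20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving 'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53",
	"20-Nov-2008 00:36:40.000 general: info: zone example.com/IN: loaded serial 1 (constructed line)",
}

func main() {
	for zone, servers := range LameServersByZone(sampleLines) {
		fmt.Printf("zone %s: lame servers %v\n", zone, servers)
	}
}
```

Run with go run: it lists each zone with the servers that were lame for it, for instance three different servers for 52.195.166.in-addr.arpa, and the szi.sv.gov.yu entry is the forward-name case Scott asks about, with 195.178.32.2 as the lame server rather than a client.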


------------------------------


End of bind-users Digest, Vol 3, Issue 3
****************************************


