bind-users Digest, Vol 2086, Issue 1

Brian Alaimo balaimo at infoblox.com
Wed Apr 8 15:15:15 UTC 2015


sounds good. thanks

-----Original Message-----
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of bind-users-request at lists.isc.org
Sent: Wednesday, April 08, 2015 10:39 AM
To: bind-users at lists.isc.org
Subject: bind-users Digest, Vol 2086, Issue 1

Send bind-users mailing list submissions to
	bind-users at lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
	bind-users-request at lists.isc.org

You can reach the person managing the list at
	bind-users-owner at lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."


Today's Topics:

   1. Dynamic ACL (Ali Jawad)
   2. Native pkcs#11 and auto-dnssec feature (Catalin Leanca)
   3. Need assistance with configuring external zone on a 2nd
      CentOS 7 bind v9.4.4 dns slave (William Clarke)


----------------------------------------------------------------------

Message: 1
Date: Wed, 8 Apr 2015 14:06:53 +0200
From: Ali Jawad <alijawad1 at gmail.com>
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Dynamic ACL
Message-ID:
	<CA+bb48WU8y6TSTnb=iXRT=dkQfzEd0f9wC1FJk+0S+YNOCD0Ww at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi
I am running BIND 9.10 and I have looked through various options including
DLZ and RPZ but I am still not sure if they can do what I need or if I need
to look at something different. Here is my scenario and I would appreciate
it if you could advise me.


   - I do have 6 different Geo ACLs and a default ACL
      - Each ACL has its own zone file; users get served based on Geo
        location. If the users are not part of any geo location they are
        served the default ACL and zone files.
      - For a few hundred users I want to assign their IPs to specific Geo
        locations even if they do not belong to those locations. I want
        to do this on the fly without having to edit zone files and, if
        possible, without having to reload BIND. I want to keep it as
        dynamic as possible.

Any input please ?

Regards

------------------------------

Message: 2
Date: Wed, 08 Apr 2015 16:52:26 +0300
From: Catalin Leanca <catalinl at rotld.ro>
To: bind-users at lists.isc.org
Subject: Native pkcs#11 and auto-dnssec feature
Message-ID: <5525329A.4020309 at rotld.ro>
Content-Type: text/plain; charset=utf-8; format=flowed

Hello,

I'm trying to configure bind 9.10.2 to work with native pkcs#11 linked
to an nShield Connect HSM.
When accessing keys in the HSM a PIN code is required, as keys are protected
by a softcard.
The dnssec-keyfromlabel command accepts reading the PIN from a file (using
the "pin-source" keyword), but others like dnssec-signzone don't have
something similar and the PIN has to be entered manually.
My question is about the auto-dnssec feature that maintains the zone by
internally signing RRs.
How will this feature work without a PIN, since BIND needs access to the
private key when it needs to resign automatically, and I didn't find a way
to provide the PIN through configuration files?

Best regards,

Catalin LEANCA


------------------------------

Message: 3
Date: Wed, 08 Apr 2015 10:38:45 -0400
From: William Clarke <wclarke at simons-rock.edu>
To: bind-users at lists.isc.org
Subject: Need assistance with configuring external zone on a 2nd CentOS 7 bind v9.4.4 dns slave
Message-ID: <55253D75.2060002 at simons-rock.edu>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Resending because the message was over 40K... I removed most of the
internal\external zones and logs to shorten the message.
We have a split DNS chrooted master\slave setup running on CentOS 5.11.
I have 3 named.conf files below: working master, working slave and a new
CentOS 7 non-working slave that I'm trying to spin up. The internal
zones do get transferred\updated; however, the external zones aren't
transferring at all, and the master doesn't even have any mention of
external transfers for this specific slave. I have a hunch that this is
happening either because I don't have multiple network adapters
configured (i.e. split DNS for the slave) or possibly a hostname issue. I tried
to basically mirror the setup of my new slave in all except the IP address.
My new slave is 192.168.1.224. The instructions I followed to set this
up were from:
http://www.ehowstuff.com/how-to-setup-bind-chroot-dns-server-on-centos-7-0-vps/

Any assistance would be greatly appreciated, please let me know if\what 
other info you might need from me.

Working Master (CentOS 5.11 Bind 9.3.6-25-P1) named.conf:

/* This comment tests the subversion commit */
options {
         directory "/var/named";
         dump-file "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named.stats";
         recursive-clients 10000;
         /*
          * If there is a firewall between you and nameservers you want
          * to talk to, you might need to uncomment the query-source
          * directive below.  Previous versions of BIND always asked
          * questions using port 53, but BIND 8.1 uses an unprivileged
          * port by default.
          */
          // query-source address * port 53;
#       forward only;
         forwarders {
#               64.212.106.84; //dns2.jfk.gblx.net
#               209.130.136.2; //dns1.roc.gblx.net
                 8.8.8.8; //google-public-dns-a.google.com
                 8.8.4.4; //google-public-dns-b.google.com
         };
         allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12;};
};
logging {
         channel update_debug {
                  file "/var/log/update-debug.log";
                  severity  debug 3;
                  print-category yes;
                  print-severity yes;
                  print-time     yes;
         };
         channel security_info    {
                  file "/var/log/named-auth.info";
                  severity  debug 3;
                  print-category yes;
                  print-severity yes;
                  print-time     yes;
         };
         category update { update_debug; };
         category security { security_info; };
};
controls {
         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
view "internal" {
         match-clients {
                  !192.168.1.4; 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8;
         };
         allow-transfer { key slave-internal; };
         notify yes ;
         also-notify { 192.168.1.222; 192.168.1.224; 192.168.1.227; };
         notify-source 192.168.1.221 ;
         zone "simons-rock.edu." IN {
            type master;
            file "internal/simons-rock.edu.internal.db";
         };
         zone "southberkshireconcerts.org." IN {
            type master;
            file "internal/southberkshireconcerts.org.int.db";
         };
};
view "external" {
         match-clients { any; };
         allow-transfer { key slave-external; };
         also-notify { 192.168.1.4; 192.168.1.224; 192.168.1.227; };
         notify yes ;
         notify-source 192.168.1.3 ;
         zone "simons-rock.edu." IN {
            type master;
            file "external/simons-rock.edu.ext.db";
         };
         zone "southberkshireconcerts.org." IN {
            type master;
            file "external/southberkshireconcerts.org.ext.db";
         };
};

#zone "." IN {
#       type hint;
#       file "named.ca";
#}
include "/etc/rndc.key";
include "/etc/transfer-internal.key";
include "/etc/transfer-external.key";
include "/etc/netreg-update.key";
-------------------------------------------------------------------------------------

Working slave (CentOS 5.11 Bind 9.3.6-25-P1) named.conf

/* This comment tests the subversion commit */
options {
         directory "/var/named";
         dump-file "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named.stats";
         recursive-clients 10000;
         /*
          * If there is a firewall between you and nameservers you want
          * to talk to, you might need to uncomment the query-source
          * directive below.  Previous versions of BIND always asked
          * questions using port 53, but BIND 8.1 uses an unprivileged
          * port by default.
          */
#        // query-source address * port 53;
#       forward only;
         forwarders {
#               64.212.106.84; //dns2.jfk.gblx.net
#               209.130.136.2; //dns1.roc.gblx.net
                 8.8.8.8; //google-public-dns-a.google.com
                 8.8.4.4; //google-public-dns-b.google.com
         };
         allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12;};
};
controls {
         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
view "internal" {
         match-clients { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8; };
         query-source address 192.168.1.222 ;
         transfer-source 192.168.1.222 ;
         allow-notify { 192.168.1.221; };
         zone "simons-rock.edu." IN {
            type slave;
            masterfile-format text;
            masters { 192.168.1.221; };
            file "internal/simons-rock.edu.internal.db";
         };
         zone "southberkshireconcerts.org." IN {
            type slave;
            masterfile-format text;
            masters { 192.168.1.221; };
            file "internal/southberkshireconcerts.org.int.db";
         };
};
view "external" {
         match-clients { any; };
         query-source address 192.168.1.4 ;
         transfer-source 192.168.1.4 ;
         allow-notify { 192.168.1.3; };
         zone "simons-rock.edu." IN {
            type slave;
            masters { 192.168.1.3; };
            file "external/simons-rock.edu.ext.db";
         };
         zone "southberkshireconcerts.org." IN {
            type slave;
            masters { 192.168.1.3; };
            file "external/southberkshireconcerts.org.ext.db";
         };
};
include "/etc/rndc.key";
include "/etc/transfer-internal.key";
include "/etc/transfer-external.key";

server 192.168.1.221 {
         keys {
                 slave-internal;
         };
};

server 192.168.1.3 {
         keys {
                 slave-external;
         };
};

------------------------------------------------------------------------------------------------------------

Non-working slave (CentOS 7.0 BIND 9.9.4-RedHat-9.9.4-18.el7_1.1) 
named.conf:

/* This comment tests the subversion commit */
options {
         directory "/var/named";
         dump-file "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         recursive-clients 10000;
         /*
          * If there is a firewall between you and nameservers you want
          * to talk to, you might need to uncomment the query-source
          * directive below.  Previous versions of BIND always asked
          * questions using port 53, but BIND 8.1 uses an unprivileged
          * port by default.
          */
#        // query-source address * port 53;
#       forward only;
         forwarders {
#               64.212.106.84; //dns2.jfk.gblx.net
#               209.130.136.2; //dns1.roc.gblx.net
                 8.8.8.8; //google-public-dns-a.google.com
                 8.8.4.4; //google-public-dns-b.google.com
         };
         allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12;};
};
controls {
         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
view "internal" {
         match-clients { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8; };
         query-source address 192.168.1.224 ;
         transfer-source 192.168.1.224 ;
         allow-notify { 192.168.1.221; };
          zone "simons-rock.edu." IN {
            type slave;
            masterfile-format text;
            masters { 192.168.1.221; };
            file "internal/simons-rock.edu.internal.db";
         };
         zone "southberkshireconcerts.org." IN {
            type slave;
            masterfile-format text;
            masters { 192.168.1.221; };
            file "internal/southberkshireconcerts.org.int.db";
         };
};
view "external" {
         match-clients { any; };
         query-source address 192.168.1.224 ;
         transfer-source 192.168.1.224 ;
         allow-notify { 192.168.1.3; };
         zone "simons-rock.edu." IN {
            type slave;
            masters { 192.168.1.3; };
            file "external/simons-rock.edu.ext.db";
         };
         zone "southberkshireconcerts.org." IN {
            type slave;
            masters { 192.168.1.3; };
            file "external/southberkshireconcerts.org.ext.db";
         };
};
include "/etc/rndc.key";
include "/etc/transfer-internal.key";
include "/etc/transfer-external.key";

server 192.168.1.221 {
         keys {
                 slave-internal;
         };
};
server 192.168.1.3 {
         keys {
                 slave-external;
         };
};
--------------------------------------------------------------------------
Some error logs from non-working slave:
--------------------------------------------------------------------------
Apr  2 13:40:29 localhost named[9800]: zone 
93.81.208.in-addr.arpa/IN/external: refresh: non-authoritative answer 
from master 192.168.1.3#53 (source 192.168.1.224#0)
Apr  2 13:40:31 localhost named[9800]: zone 
southberkshireconcerts.org/IN/external: Transfer started.
Apr  2 13:40:31 localhost named[9800]: transfer of 
'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: connected 
using 192.168.1.224#42883
Apr  2 13:40:31 localhost named[9800]: transfer of 
'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: failed 
while receiving responses: REFUSED
Apr  2 13:40:31 localhost named[9800]: transfer of 
'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: Transfer 
completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: zone 
southberkshireconcerts.org/IN/external: Transfer started.
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer of 
'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: connected 
using 192.168.1.224#42188
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer of 
'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: failed 
while receiving responses: REFUSED
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer of 
'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: Transfer 
completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
Apr 02 13:54:10 letitroost.simons-rock.edu named[9800]: zone 
89111.cn/IN/internal: refresh: non-authoritative answer from master 
192.168.1.221#53 (source 192.168.1.224#0)
Apr 02 13:54:11 letitroost.simons-rock.edu named[9800]: zone 
89.81.208.in-addr.arpa/IN/external: refresh: non-authoritative answer 
from master 192.168.1.3#53 (source 192.168.1.224#0)
Apr 02 13:54:21 letitroost.simons-rock.edu named[9800]: zone 
93.81.208.in-addr.arpa/IN/external: refresh: non-authoritative answer 
from master 192.168.1.3#53 (source 192.168.1.224#0)
Apr 02 13:54:42 letitroost.simons-rock.edu named[9800]: zone 
evilman.cn/IN/internal: refresh: non-authoritative answer from master 
192.168.1.221#53 (source 192.168.1.224#0)
Apr 02 13:54:53 letitroost.simons-rock.edu named[9800]: zone 
95.81.208.in-addr.arpa/IN/external: refresh: non-authoritative answer 
from master 192.168.1.3#53 (source 192.168.1.224#0)
Apr 02 13:55:18 letitroost.simons-rock.edu named[9800]: zone 
92.81.208.in-addr.arpa/IN/external: refresh: non-authoritative answer 
from master 192.168.1.3#53 (source 192.168.1.224#0)


-- 

William Clarke
ITS System Administrator
Bard College at Simon's Rock
84 Alford Road
Great Barrington, MA  01230
(413) 528-7428 (voice)
(413) 528-7405 (fax)
wclarke at simons-rock.edu

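Added example (not from the thread and not the poster's config): a small Python model of how BIND picks a view for a request, using the working master's match-clients from the named.conf above; the same first-match rule governs the ordered geo views in the Dynamic ACL question (message 1). It assumes standard BIND address-match-list semantics (the first matching element decides, a `!` match denies, no match is an implicit deny); KEYED_VIEWS is a hypothetical alternative layout for illustration only.

```python
import ipaddress

# Views from the working master's named.conf quoted above, in the order
# BIND evaluates them (the first view whose match-clients matches wins).
MASTER_VIEWS = [
    ("internal", ["!192.168.1.4", "10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"]),
    ("external", ["any"]),
]

# Hypothetical alternative (NOT the poster's config): distinguish the views by
# TSIG key instead of by source address, so one slave IP can reach either view.
KEYED_VIEWS = [
    ("internal", ["!key slave-external", "10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"]),
    ("external", ["any"]),
]

def acl_matches(acl, src_ip, tsig_key=None):
    """BIND address-match-list semantics: the first element that matches decides;
    a negated (!) match means the ACL does NOT match; no match is an implicit deny."""
    addr = ipaddress.ip_address(src_ip)
    for element in acl:
        negate = element.startswith("!")
        item = element[1:].strip() if negate else element
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item.startswith("key "):
            hit = tsig_key is not None and tsig_key == item.split(None, 1)[1]
        else:
            hit = addr in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negate
    return False

def select_view(views, src_ip, tsig_key=None):
    """Return the name of the first view whose match-clients accepts the request."""
    for name, acl in views:
        if acl_matches(acl, src_ip, tsig_key):
            return name
    return None  # no view matched: BIND would refuse the query

if __name__ == "__main__":
    # Constructed sample requests: the two slave source addresses from the post
    # and one arbitrary Internet client (documentation range).
    for ip, key in [("192.168.1.4", "slave-external"), ("192.168.1.224", "slave-external"),
                    ("192.168.1.224", "slave-internal"), ("198.51.100.7", None)]:
        print(f"{ip:14} key={key!s:15} master: {select_view(MASTER_VIEWS, ip, key)!s:9}"
              f" keyed: {select_view(KEYED_VIEWS, ip, key)}")
```

Note that the TSIG key name plays no part in MASTER_VIEWS selection: only the source address does, which is why a source-address-only layout needs one address per view.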





------------------------------

_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

End of bind-users Digest, Vol 2086, Issue 1
*******************************************

