Re: DNSVIZ errors

2025-04-20 Thread akritrim® Intelligence via bind-users

Thank you for your help. It does give insights into the problem.

If you check the dnsviz history, this does not happen every time.

The BIND version is BIND 9.20.8-1+0~20250416.117+debian12~1.gbp1ea9dd-Debian

obtained from: https://www.isc.org/download/ -> https://bind.debian.net/bind

There are no firewalls or load balancers. These are directly connected to the internet. I was running the BIND 9.18 official Debian package and got no errors like this.



On 21/04/2025 4:46 am, Crist Clark wrote:
The version of BIND and where you got it would be a good start. Any load balancers, firewalls, etc. between the server and the internet that might touch the DNS records?

True DNSSEC gurus please check my math.

DNSViz is correct. You're not sending the proper NSEC3 records. Like the RFC says, "It takes three to tango," or NSEC3 denial of existence. You sent two. For a name where two levels of label don't exist,

l5tz4.1i89a.akritrim.net

you should send back three NSEC3 records:

1) NSEC3 record that proves 1i89a.akritrim.net (18QMAAOCT0HPNGCPD9MLONVAK13DS8HT) does not exist.
2) NSEC3 record for akritrim.net (N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P).
3) NSEC3 record proving the wildcard, *.akritrim.net (6L23GRBE4JIMA1A0G8DSBBUT32V6VCO1), does not exist.

But you're not; you're only sending two:

N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P.akritrim.net. 600 IN NSEC3 1 0 0 - QDO3A5R9G64L616H1K2FF3SUMFPPRV3J A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY CAA

67QJN06FLKRQCT38S4FF08EP31NDRL8S.akritrim.net. 600 IN NSEC3 1 0 0 - 6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P TXT RRSIG

Those are the two I'd expect to see for (2) and (3), but where is (1)?

But it's weirder. For this name,

ebzoq.ik7ub.akritrim.net

you are sending three NSEC3 records, but one doesn't look like the right one. You should send:

1) NSEC3 record that proves 1i89a.akritrim.net (S2NOKIAA732BLNNSEMCJ8KV74H6ICUEP) does not exist.
2) NSEC3 record for akritrim.net (N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P).
3) NSEC3 record proving the wildcard, *.akritrim.net (6L23GRBE4JIMA1A0G8DSBBUT32V6VCO1), does not exist.

But these get sent:

N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P.akritrim.net. 600 IN NSEC3 1 0 0 - QDO3A5R9G64L616H1K2FF3SUMFPPRV3J A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY CAA

I559SEFHCJO35HED2LU4N68B44CA281V.akritrim.net. 600 IN NSEC3 1 0 0 - KOGD0HOUD9R7BAB4LKQR2E9ALI57C7N0 A RRSIG CAA

67QJN06FLKRQCT38S4FF08EP31NDRL8S.akritrim.net. 600 IN NSEC3 1 0 0 - 6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P TXT RRSIG

The first and last are the same two we got previously and line up with (2) and (3). But we get this other one that doesn't line up with (1). What I /think/ that might be is the record that would prove ebzoq.ik7ub.akritrim.net (IAT39F3MSSGS2D4O255VNHB67V2GCNVI) does not exist, in its place.




--
akritrim® Intelligence™
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
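The three-record check Crist describes above, as an added example (not code from the thread, from BIND or from DNSViz): it hashes names with the thread's NSEC3 parameters (SHA-1, iterations 0, empty salt) and runs the RFC 5155 closest-encloser check over the NSEC3 RRs quoted above. The record sets are copied from the thread; the function names, the hash_name hook (so a lookup table can replace SHA-1) and the `check_nxdomain_proof` return shape are my own.

```python
import base64
import hashlib
from typing import Callable, Dict, List, Tuple

# base32 -> base32hex (RFC 4648 Sec. 7), the alphabet NSEC3 owner names use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    # Canonical lowercase wire form (RFC 4034 Sec. 6.2): the input to the hash.
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    # RFC 5155 Sec. 5: SHA-1(wire name || salt), re-hashed `iterations` times,
    # as base32hex. Defaults match the thread's policy (iterations 0, no salt).
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covers(owner: str, nxt: str, h: str) -> bool:
    # h lies strictly between owner and next hash (base32hex sorts like the raw
    # bytes); the last NSEC3 of the chain wraps around to the first.
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def check_nxdomain_proof(qname: str, apex: str, records: Dict[str, str],
                         hash_name: Callable[[str], str] = nsec3_hash
                         ) -> Tuple[str, List[str]]:
    # RFC 5155 Sec. 8.3/8.4. `records` maps each NSEC3 owner hash in the response
    # to its next hash. Returns (closest encloser, problems); no problems = valid.
    labels = qname.lower().rstrip(".").split(".")
    depth = len(labels) - len(apex.lower().rstrip(".").split("."))
    chain = [".".join(labels[i:]) for i in range(depth + 1)]  # qname .. apex
    if hash_name(chain[0]) in records:
        return "", [f"{chain[0]} matches an NSEC3 owner: the name exists"]
    # Closest encloser = nearest ancestor with a *matching* NSEC3 ...
    matched = [i for i in range(1, len(chain)) if hash_name(chain[i]) in records]
    if not matched:
        return "", ["no NSEC3 matches any ancestor, not even the apex"]
    ce, next_closer = chain[matched[0]], chain[matched[0] - 1]
    # ... plus *covering* NSEC3s for the next closer name and for the wildcard.
    problems = []
    for what, name in (("next closer", next_closer), ("wildcard", "*." + ce)):
        h = hash_name(name)
        if not any(covers(o, n, h) for o, n in records.items()):
            problems.append(f"no NSEC3 covers {what} {name} ({h})")
    return ce, problems

# The NSEC3 RRs quoted in the thread for the two failing names (owner -> next).
THREAD_CASES = {
    "l5tz4.1i89a.akritrim.net": {
        "N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P": "QDO3A5R9G64L616H1K2FF3SUMFPPRV3J",
        "67QJN06FLKRQCT38S4FF08EP31NDRL8S": "6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P"},
    "ebzoq.ik7ub.akritrim.net": {
        "N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P": "QDO3A5R9G64L616H1K2FF3SUMFPPRV3J",
        "I559SEFHCJO35HED2LU4N68B44CA281V": "KOGD0HOUD9R7BAB4LKQR2E9ALI57C7N0",
        "67QJN06FLKRQCT38S4FF08EP31NDRL8S": "6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P"},
}

if __name__ == "__main__":
    for qname, rrs in THREAD_CASES.items():
        ce, problems = check_nxdomain_proof(qname, "akritrim.net", rrs)
        print(qname, "closest encloser:", ce, "OK" if not problems else problems)
```

Run against a live NXDOMAIN answer, `records` is just the owner hash (first label) and next hash (first RDATA hash field) of each NSEC3 RR in the authority section; an Opt-Out zone would additionally need the flag check of RFC 5155 Sec. 6, which this policy (optout no) does not use.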


Re: DNSVIZ errors

2025-04-20 Thread akritrim® Intelligence via bind-users
I didn't specifically ask for your help. I don't know why you replied. Yes, I do need help but this doesn't mean I can read your mind.

So let me know what 'bits' of information I should share that will meaningfully help me. (This is equivalent to saying 'if you need anything specific let me know.')

Today language models are more context aware.

And if you don't want to share what you 'need' then leave it be, I don't want your help.


On April 20, 2025 5:17:46 PM UTC, "Ondřej Surý" wrote:
>
>> On 20. 4. 2025, at 17:57, akritrim® Intelligence™ via bind-users wrote:
>>
>> anyways, if you need anything specific let me know.
>
>Well, I don't really need anything, you've asked for help here, not I. I've already told you what is needed, you didn't follow my advice :shrug:. The bits of information you have provided are not sufficient to meaningfully help you.
>
>Ondrej
>--
>Ondřej Surý (He/Him)
>ond...@isc.org
>
>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>

akritrim® Intelligence™

DNSVIZ errors

2025-04-20 Thread akritrim® Intelligence via bind-users

Hi

I am getting the following error if I test the domain on dnsviz.net.

For example, for domain example.org I get:

caikb.6tqs4.example.org/A has errors; select the "Denial of existence" DNSSEC option to see them.


On checking the denial of existence settings I get:


RRset status
Bogus (1)
caikb.6tqs4.example.org/A (NXDOMAIN)


Errors (2)
NSEC3 proving non-existence of caikb.6tqs4.example.org/A: No NSEC3 RR corresponds to the closest encloser of the SNAME (caikb.6tqs4.example.org). See RFC 5155, Sec. 8.4.
NSEC3 proving non-existence of caikb.6tqs4.example.org/A: No NSEC3 RR corresponds to the closest encloser of the SNAME (caikb.6tqs4.example.org). See RFC 5155, Sec. 8.4.


I do not get any errors on an existing subdomain like mail.example.org or even a non-existent subdomain like htcghugfg.example.org.

Also, not all domains managed by the server get this error, only some of them.

I have these parameters defined in the dnssec policy:

nsec3param iterations 0 optout no salt-length 0;

Any ideas will be welcome.


--
akritrim® Intelligence™


Re: DNSVIZ errors

2025-04-20 Thread akritrim® Intelligence via bind-users

Hello Ondrej

There are multiple domains with the error. The idea is not to obfuscate but to give an example which covers all domains with these errors.

These errors are also intermittent.

This is not a permanent error. I have no errors in my logs. The dnssec configuration is below:

dnssec-policy mypolicy {
    nsec3param iterations 0 optout no salt-length 0;
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime 60d algorithm ecdsap256sha256;
    };
    inline-signing yes;
};

This domain akritrim.net is not broken. It's your lists.bind.org mail server that was broken, which was fixed after I sent the email.

Something in mailman/postfix was broken on your side.

The only thing broken on this domain and others is the scenario I mailed before.

Anyways, if you need anything specific let me know.

cheers

On April 20, 2025 2:58:05 PM UTC, "Ondřej Surý" wrote:
I wonder what’s the point of obfuscating the name, making people unable to help you, when you are putting the domain name that’s broken everywhere else in your email:

https://dnsviz.net/d/akritrim.net/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=

Anyway, you need to provide all the details about the domain name configuration and the related logs. You can’t expect help without sharing the full information about your problem.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.



Re: DNSVIZ errors

2025-04-21 Thread akritrim® Intelligence via bind-users
version: BIND 9.20.8-1+0~20250416.117+debian12~1.gbp1ea9dd-Debian (Stable Release)  (<>)
running on localhost: Linux x86_64 6.1.0-33-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.133-1 (2025-04-10)

boot time: Sun, 20 Apr 2025 15:40:59 GMT
last configured: Sun, 20 Apr 2025 15:40:59 GMT
configuration file: /etc/bind/named.conf
CPUs found: 1
worker threads: 1
number of zones: 10 (0 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
xfers first refresh: 0
soa queries in progress: 0
query logging is ON
response logging is OFF
memory profiling is INACTIVE
recursive clients: 0/900/1000
recursive high-water: 0
tcp clients: 0/150
TCP high-water: 25
server is up and running


Is this in any way related to this?

From the 9.20.8 release notes:

Restore NSEC3 closest-encloser lookup improvements.

A performance improvement for finding the closest encloser when generating authoritative responses from NSEC3 zones was previously reverted after a bug was found that could trigger an assertion failure. ([GL #4460], [GL #4950], and [GL #5108]) The bug has now been fixed, and the performance improvement has been restored. [GL #5204]




On 21/04/2025 7:12 pm, Mark Andrews wrote:

What does ‘rndc status’ return?

Re: DNSVIZ errors

2025-05-15 Thread akritrim® Intelligence via bind-users
I didn’t receive your reply but saw this on the lists archive, so replying to you:

Do be aware that Ondrej is a member of ISC, the organization that develops BIND. He is also one of the maintainers of the Debian release of BIND which you are using.

Why should I be aware? Is he a threat or something??

In general, claiming that everyone but you is wrong is not exactly a team-player mentality, and creates aversion towards getting you the help you're asking for. Not just Ondrej or the other developers ISC employs, the entire list really.

I claim no such thing.

Or going even further than that, any list, any support channel. Not even just voluntary ones like this, even paid support channels aren't going to like customers who act like that. Those are paid to help you and to be nice to you, yes, but don't be surprised if it diminishes the quality of the help you are to receive.

I don’t share your views.

Do consider it, in any case.

I won’t. From someone who can’t even search the internet.

N.B.: A trademark office allowed you to get a trademark on the term "Intelligence"?

TM is not a LEGAL symbol. Again, learn to google and not hurl accusations in public and make a fool of yourself.
