permissions for DNSSEC zone signing

2013-07-23 Thread David Newman
FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports What are the correct directory and file permissions for DNSSEC static zone signing with bind? By default, everything in /var/named/etc/namedb is owned by bind except for the master directory. For example: drwxr-xr-x bind wheel dynami

Re: permissions for DNSSEC zone signing

2013-07-23 Thread David Newman
On 7/23/13 3:44 PM, Mark Andrews wrote: > In message <51ef00af.4090...@networktest.com>, David Newman writes: >> FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports >> >> What are the correct directory and file permissions for DNSSEC static >> zone si

Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"

2013-07-24 Thread David Newman
On 7/24/13 2:29 AM, Stephane Bortzmeyer wrote: > I'm trying "auto-dnssec maintain;" with a BIND 9.9.3-P1. My > configuration is: > > options { > directory "/tmp/bind"; > key-directory "/tmp/bind"; Not sure if this is the problem, but have you tried with "managed-keys-directory" i

Re: How to get AD flag

2013-08-02 Thread David Newman
On 8/1/13 10:48 PM, rams wrote: > Thanks david, > This the response i get > dig +short rs.dns-oarc.net txt @ > rst.x3827.rs.dns-oarc.net . > rst.x3837.x3827.rs.dns-oarc.net . > rst.x3843.x3837.x3827.r

moving DNSSEC to a hidden master

2013-10-01 Thread David Newman
Is there a recommended order of operations when moving DNSSEC-enabled nameservers to a hidden-master setup? I'm hoping it's just as simple as moving all these files into place on the hidden master: *.key *.private managed-keys.bind *.jbk *.jnl *.signed *.signed.jnl If not, what do I need to do?

Re: moving DNSSEC to a hidden master

2013-10-01 Thread David Newman
On 10/1/13 2:16 PM, David Newman wrote: > Is there a recommended order of operations when moving DNSSEC-enabled > nameservers to a hidden-master setup? Actually, this is really a more general question: Is there a recommended order of operations when migrating zones between any two DNSSEC-e

Re: moving DNSSEC to a hidden master

2013-10-03 Thread David Newman
Thanks all for your responses. On 10/1/13 6:42 PM, Mark Andrews wrote: > As Alan said copy the .key and .private files over. > > Disable updating on the old master. > > Transfer the zone contents by setting up as a slave > using "masterfile-format text"; or using by using dig. > This will give y

Re: moving DNSSEC to a hidden master

2013-10-04 Thread David Newman
resume. > > On 04/10/13 02.12, David Newman wrote: >> Thanks all for your responses. >> >> On 10/1/13 6:42 PM, Mark Andrews wrote: >>> As Alan said copy the .key and .private files over. >>> >>> Disable updating on the old master. >>> >&

inactivating and deleting DNSSEC keys

2013-10-08 Thread David Newman
bind 9.9.4 How to troubleshoot issues when keys are supposed to be invalidated or deleted on specific dates, but aren't? In this case, a KSK was supposed to be inactivated on 29 September 2013 and deleted on 9 October 2013. >From the .key file: ; This is a key-signing key, keyid 56989, for netw

Re: inactivating and deleting DNSSEC keys

2013-10-08 Thread David Newman
On 10/8/13 3:51 PM, Alan Clegg wrote: > > On Oct 8, 2013, at 6:42 PM, David Newman > wrote: > >> bind 9.9.4 >> >> How to troubleshoot issues when keys are supposed to be >> invalidated or deleted on specific dates, but aren't? >> >> In

Re: inactivating and deleting DNSSEC keys

2013-10-09 Thread David Newman
On 10/8/13 5:54 PM, Mark Andrews wrote: > In message <52548a5d.3070...@networktest.com>, David Newman writes: >> bind 9.9.4 >> >> How to troubleshoot issues when keys are supposed to be invalidated or >> deleted on specific dates, but aren't? >&g

Re: inactivating and deleting DNSSEC keys

2013-10-09 Thread David Newman
On 10/9/13 1:24 PM, Mark Andrews wrote: >> In UTC terms, we've already passed the key's deletion date. Can I >> retroactively extend the key's deletion date? > > Yes. The files are not removed. You will need to tell named to re-read > the .private file using "rndc signzone" after setting the ti

Re: Install DNS Server

2013-10-10 Thread David Newman
On 10/10/13 4:26 AM, Lightner, Jeff wrote: > CentOS does put > bug and security fixes in (or RedHat does and CentOS gets them because > they build from RHEL source) but you still end up with something very > old (BIND 9.3.x) that most folks on this list don’t want to talk about > because it is lon

Re: Need guidance on configuring DNSSEC

2013-10-11 Thread David Newman
On 10/11/13 7:32 AM, Vishal Gandhi wrote: > We are planning to sign local zone (fdu.local). Is it required to sign > the parent zone (fdu.edu ) as well or we can live with > it unsigned? > What are pros and cons of signing parent zone (fdu.edu )? DNSSEC is based o

Re: moving DNSSEC to a hidden master

2013-10-11 Thread David Newman
On 10/4/13 10:23 AM, David Newman wrote: > On 10/3/13 5:27 PM, Sten Carlsen wrote: >> This works for me and is the standard method: >> >> rndc freeze >> update serial >> rndc thaw > > Bingo. Thanks! Sorry, spoke too soon. I followed your instructions and

Re: moving DNSSEC to a hidden master

2013-10-13 Thread David Newman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/13/13 1:34 AM, Alan Clegg wrote: > > On Oct 12, 2013, at 7:59 PM, Alan Clegg wrote: > >> >> On Oct 11, 2013, at 10:54 PM, David Newman >> wrote: >> >>> 4. "Check that the new server is w

Re: moving DNSSEC to a hidden master [SOLVED]

2013-10-14 Thread David Newman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Alan, Thanks very much for your responses. Per my comments inline below, this actually wasn't broken to begin with, but I just wasn't seeing it. On 10/14/13 10:43 AM, Alan Clegg wrote: > > On Oct 13, 2013, at 9:03 PM, David

Re: moving DNSSEC to a hidden master [SOLVED]

2013-10-14 Thread David Newman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/14/13 12:39 PM, Alan Clegg wrote: >> In this case, I started with a serial of 2013092700, incremented >> it to 2013092701, and reloaded. 'dig soa' would still return >> 2013092700. >> >> Problem is, bind logged the current serial number as 2013

DNSSEC and split DNS

2013-10-23 Thread David Newman
What is the recommended practice for adding DNSSEC to an environment that currently uses split DNS? Apologies as I'm sure this has come up before, but most discussion I found on bind-users was from 1999, and this isn't covered in the ARM. I did find this draft (not RFC) from 2007, but even the au

Re: DNSSEC and split DNS

2013-10-23 Thread David Newman
f trust, with no delegation from parent domains. True? Thanks again dn > > Mark > > In message <526857a2.8050...@networktest.com>, David Newman writes: >> What is the recommended practice for adding DNSSEC to an environment >> that currently uses split DNS? >>

Re: DNSSEC and split DNS

2013-10-25 Thread David Newman
On 10/23/13 5:20 PM, Mark Andrews wrote: > In message <5268626c.8040...@networktest.com>, David Newman writes: >> On 10/23/13 4:28 PM, Mark Andrews wrote: >>> You sign all versions of the zone. >>> >>> As for key management you can: >>

Re: DNSSEC and split DNS

2013-10-28 Thread David Newman
On 10/25/13 6:11 PM, David Newman wrote: > > > On 10/23/13 5:20 PM, Mark Andrews wrote: >> In message <5268626c.8040...@networktest.com>, David Newman writes: >>> On 10/23/13 4:28 PM, Mark Andrews wrote: >>>>You sign all versions of the zone.

Re: DNSSEC and split DNS

2013-10-28 Thread David Newman
On 10/28/13 1:46 PM, Mark Andrews wrote: > In message <526eba87.7040...@networktest.com>, David Newman writes: >> >>> 3. Another internal nameserver gets intermittent dig +dnssec errors on >>> queries for internal resources. Sometimes after a restart, the result is

Re: Help on DNSSEC

2013-11-06 Thread David Newman
On 11/6/13 1:06 AM, Steven Carr wrote: > Start with chapter 11.4 "The DNS Security Extensions" in DNS & BIND > http://www.amazon.com/DNS-BIND-5th-Edition-Cricket/dp/0596100574 Lucas' "DNSSEC Mastery" is also a useful resource, not only about DNSSEC concepts but also about required prep work and tr

Re: Does anyone have DNSSEC problem with uscg.mil

2013-11-14 Thread David Newman
On 11/14/13 1:29 PM, Kevin Oberman wrote: > Don't forget that Google will white-list domains with known (by them) > broken DNSSEC and reply even though validation is broken, so using > 8.8.8.8 for checking on whether validation is broken is not the best idea. Really? Google sets the ad flag for k

DNSSEC and upgrading/restoring

2014-01-23 Thread David Newman
Are there any recommended practices/config changes needed when upgrading or restoring a bind 9.9.4 server using DNSSEC inline signing and auto maintain? Asking specifically about upgrading a server running on NanoBSD, but this question is really about upgrading or restoring any DNSSEC server with

Re: DNSSEC and upgrading/restoring

2014-01-27 Thread David Newman
for multiple domains. I'm concerned about keeping keys, serial numbers, and any other dynamic info in sync. Thanks! dn On 1/23/14 10:16 AM, David Newman wrote: > Are there any recommended practices/config changes needed when upgrading > or restoring a bind 9.9.4 server using DN

Re: DNSSEC and upgrading/restoring

2014-01-30 Thread David Newman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 1/28/14 3:49 AM, Alan Clegg wrote: > > On Jan 27, 2014, at 7:32 PM, David Newman > wrote: > >> Asking again, in a different and more generic form: When >> rebuilding a bind 9.9.4 server running DNSSEC with auto maintain,

Re: DNSSEC and upgrading/restoring

2014-01-31 Thread David Newman
On 1/31/14 3:10 AM, Tony Finch wrote: >> 2. For five domains, the log contains signature-has-expired warnings. >> >> In all five cases, these are for NSEC3PARAM records. >> >> Is any action needed on my part, for example manually doing NSEC3 >> signing of these zones? > > See if named has already

Re: DNSSEC and upgrading/restoring

2014-01-31 Thread David Newman
On 1/31/14 10:35 AM, Tony Finch wrote: > David Newman wrote: >> >> What action, if any, is needed? > > Does rndc sign make it wake up? Alas, no. There are a bunch of successful IXFR messages to slave servers but the dates in that NSEC3PARAM RRSIG did not change. >

Re: DNSSEC and upgrading/restoring

2014-02-04 Thread David Newman
On 2/2/14 5:39 AM, Tony Finch wrote: > David Newman wrote: >> On 1/31/14 10:35 AM, Tony Finch wrote: >>> David Newman wrote: >>>> >>>> What action, if any, is needed? >>> >>> Does rndc sign make it wake up? >> >> Alas, n

changing NSEC3 salt

2014-02-05 Thread David Newman
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every time a zone's ZSK changes. Is this just a matter of a new 'rndc signing' command, or is some action needed to remove the old salt? thanks dn ___ Please visit https://lists.isc.org/m

Re: changing NSEC3 salt

2014-02-11 Thread David Newman
On 2/11/14 7:38 AM, Chris Thompson wrote: > On Feb 10 2014, Mark Andrews wrote: > >> In message <52f94ee2.7080...@ksu.edu>, "Lawrence K. Chen, P.Eng." writes: > [... snip ...] >>> On 02/06/14 15:07, Timothe Litt wrote: > [... snip ...] >>> > Note also the RFC 5155 recommendation: >>> >> The salt S

do not stupidly delete ZSK files

2015-07-29 Thread David Newman
I created then loaded then deleted a ZSK, all within an hour, so there's no backup. Yes, that was a dumb thing to do. Now when reloading that zone, named.log complains about the missing ZSK: 29-Jul-2015 17:18:19.439 general: warning: dns_dnssec_keylistfromrdataset: error reading private key file

Re: do not stupidly delete ZSK files

2015-07-29 Thread David Newman
On 7/29/15 6:24 PM, Evan Hunt wrote: > On Wed, Jul 29, 2015 at 05:56:20PM -0700, David Newman wrote: >> 29-Jul-2015 17:18:19.439 general: warning: >> dns_dnssec_keylistfromrdataset: error reading private key file >> example.com/RSASHA256/36114: file not found > > Dele

Re: do not stupidly delete ZSK files

2015-07-30 Thread David Newman
On 7/30/15 9:06 AM, Evan Hunt wrote: > On Wed, Jul 29, 2015 at 07:29:29PM -0700, David Newman wrote: >> It's a static zone. The zone file did not have the key in it. > > ... oh, it's inline-signing. Sorry, I also didn't mention that this is a hidden primary serve

Re: do not stupidly delete ZSK files

2015-07-30 Thread David Newman
On 7/30/15 10:37 AM, Evan Hunt wrote: > On Thu, Jul 30, 2015 at 10:30:33AM -0700, David Newman wrote: >> After that second procedure (and also chown'ing the keyfiles to the bind >> user), the command 'dig +dnssec +multi dnskey example.com' gives >> different r

Re: do not stupidly delete ZSK files

2015-07-31 Thread David Newman
On 7/31/15 4:33 AM, Tony Finch wrote: > David Newman wrote: >> On 7/30/15 10:37 AM, Evan Hunt wrote: >>> On Thu, Jul 30, 2015 at 10:30:33AM -0700, David Newman wrote: >>>> >>>> Hidden primary (not authoritative for this zone): Key still in zone > &g

ZSKs sign some RRsets but not others

2015-08-18 Thread David Newman
A newly minted ZSK signs a domain's SOA but not its A or MX records. What basic config step did I miss? For the domain 'trikids123.com' I created and installed a new ZSK with a key ID of 28053 using these commands: dnssec-keygen -a 8 -b 1024 trikids123.com chown bind:bind * # this is bind910 on

Re: intermittent failures and queries sent over TCP

2020-08-18 Thread David Newman
On 8/18/20 5:55 PM, Mark Andrews wrote: > If you are getting RST responses check your firewall settings. RST is often > forged > when TCP is blocked. The root servers normally accept TCP connections. > > % dig +tcp gmail.com @a.root-servers.net +dnssec Bingo. This query failed before adding a

intermittent failures and queries sent over TCP

2020-08-18 Thread David Newman via bind-users
bind 9.11.5.P4 on Debian 10 Greetings. I recently had to migrate a nameserver from FreeBSD to Debian. It works fine most of the time but I've noticed a few intermittent resolution failures. After "gmail.com" failed to resolve I took a packet capture using tcpdump to listen to the result of the co