ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2018-02-19T21:08:27Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/78
dig domainname not returning ips
2018-02-19T21:08:27Z
Ghost User

dig domainname
On Fedora 27
result
```
; <<>> DiG 9.11.2-P1-RedHat-9.11.2-1.P1.fc27 <<>> domainname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 59086
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d445b5c0309825e4 (echoed)
;; QUESTION SECTION:
;domainname. IN A
;; Query time: 0 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Mon Feb 19 10:55:36 MST 2018
;; MSG SIZE rcvd: 53
```
Same command on Ubuntu 16.04
```
; <<>> DiG 9.10.3-P4-Ubuntu <<>> domainname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10164
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;domainname. IN A
;; ANSWER SECTION:
domainname. 600 IN A 192.168.0.1
domainname. 600 IN A 192.168.0.2
domainname. 600 IN A 192.168.0.3
;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Feb 19 10:53:41 MST 2018
;; MSG SIZE rcvd: 89
```
nslookup domainname lists the IPs.
What is going on?
Interesting. I have one dc that is 2012R2 the other two are 2008R2
if I "dig domainname @2012DC"
I get IPs
if I dig against my other two I do not.
on Ubuntu I get IPs against all 3 DCs

https://gitlab.isc.org/isc-projects/bind9/-/issues/73
Cloning Bind9 Repo Fails On Windows Due To Invalid Character In Folder Names
2018-02-21T08:39:39Z
Ghost User

The folder contrib/docker/ contains sub-folders with a colon (":") in the folder name. However, the colon is not allowed in folder names on Windows. Due to that, cloning the Bind9 repo fails.

https://gitlab.isc.org/isc-projects/bind9/-/issues/74
Encrypt/ pseudonymize IP addresses in log files
2018-02-21T18:11:16Z
Vicky Risk
vicky@isc.org

Users who need to store log files wish to minimize the possibility of leaking information that easily identifies users. Applying some encryption to obfuscate addresses provides some protection. There are several use cases:
1) With the advent of GDPR, operators of public DNS services (e.g. ISP resolvers) may require the ability to encrypt these logs as they are created, so the only stored data they have is at least anonymized. If the logs are leaked somehow, it will at least require some effort to de-anonymize them. These operators may need to be able to decrypt to uncover the original IP address, in case their analysis shows abuse that they need to block.
2) Operators of root servers, ccTLDs, gTLDs and other public services may wish to be able to share data for research purposes (e.g. with DNS-OARC's DITL program). In this case, it is preferable that the encryption not be reversible, and it is desirable to be able to run the encryption on an existing log file. This use case is already under discussion in RSSAC.
* It would be ideal to be able to apply this pseudonymization to both native BIND logs and dnstap log files.
* Performance is obviously an important consideration.
* This will need to work for both IPv4 and IPv6 addresses and the result fit into the space in the logs reserved for those addresses (which are obviously different lengths).
Relevant existing work:
* Bert Hubert has created a tool, 'ipcipher' `https://powerdns.org/ipcipher/` for PowerDNS. He gave a presentation at the NDSS DNS Privacy Workshop that described some of the issues with implementing this. Others have created additional implementations, including one by Frank Denis in C.
* There is also apparently a NIST standard for format-preserving encryption. (Paul Hoffman knows about this)
Other things that are needed:
* Tool you can pipe an existing pcap through that will produce a log file where IP addresses are encrypted (producing output that is irreversible)
* Utility that enables frequent key rotation for this process

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/36
Database backend for storing and managing zone files
2018-02-21T22:59:01Z
Vicky Risk
vicky@isc.org

When we implemented dynDB it was thought this could be our generic database backend interface. However the only database module that exists is the RedHat FreeIPA (LDAP) module.
Create a module that works with BIND via the dynDB interface, or otherwise enable an ISP (for example) to
* manage BIND zone files in an external database, updating and adding zone records directly in the database
* store them in wire-format so the time to serve them is not significantly slower than native named zone files
* this should enable 'dynamic' zone addition and deletion without restarting BIND
* support using a local database per BIND server with database replication so multiple BIND servers can get updates within ~5 minutes of update on the master
* MariaDB is suggested but the choice of database is flexible

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/90
remove "I:check flushtree clears adb correctly" from cacheclean in BIND 9.9
2018-02-22T13:06:41Z
Mark Andrews

The functionality to support this was only added in 9.10.0

BIND-9.9.13
Mark Andrews

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/1
Add configure et al
2018-02-23T07:19:38Z
Mark Andrews

Mark Andrews

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/2
The compilation is broken on Linux
2018-02-23T07:20:56Z
Ondřej Surý

See https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/jobs/1703

Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/102
[RT#43428] Silence some 'expected' logging messages
2018-02-23T19:57:38Z
Vicky Risk
vicky@isc.org

The user is a high volume hosting provider.
Under attack scenarios, the amount of logging BIND is doing can make a difference.
This user would like to be able to silence some sorts of frequently-recurring messages that are 'expected', because they are basically probing behavior from prospective attackers. An example would be an unsuccessful AXFR from a client that is not permitted to AXFR.
things that would ideally be logged at a higher level:
- Successful AXFR
- Terminated AXFR
- Unsuccessful AXFR from an authorized client

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/107
[RT#45306] RNDC & Views
2018-02-23T20:23:34Z
Vicky Risk
vicky@isc.org

It would be useful if rndc treated views as first-class objects.
Its command syntax has the [view] last, so while several commands act
on "all" when no target is specified, you can't say "all in this view".
There are a number of cases where one would like to do things to
all zones in a view.
The immediate example is this:
rndc freeze/thaw have the syntax:
freeze [zone [class [view]]]
thaw [zone [class [view]]]
I'm in the unfortunate situation of having to do a bulk renumbering
of a view that contains a lot (well, for me) of zones..., and I need
to do an atomic update, while not freezing other views.
For the next round, it would be useful to have something like:
rndc freeze -view internal # Freeze all zones in the "internal" view
...
rndc thaw -view internal
Other cases where a view as a whole seems to be a sensible target:
rndc flush
rndc notify
rndc refresh
rndc reload
rndc retransfer
rndc sync
Thanks.
--
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/95
dyndb system test fails intermittently
2018-02-23T22:52:07Z
Ondřej Surý

Three failures have been observed so far:
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/1603
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2081
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2082
```
S:dyndb:Thu Feb 22 12:21:06 UTC 2018
T:dyndb:1:A
A:dyndb:System test dyndb
I:dyndb:PORTRANGE:5300 - 5399
I:adding test1.ipv4.example.nil. A 10.53.0.10 (1)
I:adding test2.ipv4.example.nil. A 10.53.0.11 (2)
I:adding test3.ipv4.example.nil. A 10.53.0.12 (3)
I:adding test4.ipv6.example.nil. AAAA 2001:db8::1 (4)
I:deleting test1.ipv4.example.nil. A (was 10.53.0.10) (5)
I:deleting test2.ipv4.example.nil. A (was 10.53.0.11) (6)
I:deleting test3.ipv4.example.nil. A (was 10.53.0.12) (7)
I:deleting test4.ipv6.example.nil. AAAA (was 2001:db8::1) (8)
I:checking parameter logging (9)
I:checking dyndb still works after reload
I:ns1 server reload successful
I:adding test5.ipv4.example.nil. A 10.53.0.10 (10)
I:adding test6.ipv6.example.nil. AAAA 2001:db8::1 (11)
I:deleting test5.ipv4.example.nil. A (was 10.53.0.10) (12)
I:deleting test6.ipv6.example.nil. AAAA (was 2001:db8::1) (13)
I:exit status: 1
R:dyndb:FAIL
E:dyndb:Thu Feb 22 12:21:11 UTC 2018
```
Repacked artifacts (removed .o, .a and .libs) from the first failure attached: [dyndb-artifacts.tar.xz](/uploads/70ad65f49760afedb72f03d53ee14231/dyndb-artifacts.tar.xz)

BIND-9.13.0
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/64
Request: dig function "+nssearch" should print the names/IP-addresses of servers timing out
2018-02-24T19:57:45Z
Carsten Strotmann

The dig function "+nssearch" is a very helpful feature to quickly check if all authoritative servers of a domain are online. However if an authoritative server is not reachable, "dig" will silently fail for these servers. Example:
All servers running
```
$ dig dnsworkshop.org +nssearch
SOA ns3.myinfrastructure.org. hostmaster.strotmann.de. 1039 10800 3600 2419200 900 from server 5.45.109.212 in 33 ms.
SOA ns3.myinfrastructure.org. hostmaster.strotmann.de. 1039 10800 3600 2419200 900 from server 185.92.221.212 in 44 ms.
```
One server missing
```
$ dig dnsworkshop.org +nssearch
SOA ns3.myinfrastructure.org. hostmaster.strotmann.de. 1039 10800 3600 2419200 900 from server 185.92.221.212 in 42 ms.
```
It would be helpful if "dig" would report the domain-names and/or IP-Addresses of servers failing to provide an answer.

https://gitlab.isc.org/isc-projects/bind9/-/issues/71
xfer system test fails intermittently
2018-02-25T21:41:10Z
Michał Kępień

One failure has been observed so far:
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/1180
```
S:xfer:Fri Feb 16 12:14:54 UTC 2018
T:xfer:1:A
A:System test xfer
I:testing basic zone transfer functionality
I:testing TSIG signed zone transfers
I:reload servers for in preparation for ixfr-from-differences tests
I:ns1 server reload successful
I:ns2 server reload successful
I:ns3 server reload successful
I:ns6 server reload successful
I:ns7 server reload successful
I:updating master zones for ixfr-from-differences tests
I:ns1 server reload successful
I:ns2 server reload successful
I:ns6 server reload successful
I:ns7 server reload successful
I:testing zone is dumped after successful transfer
I:testing ixfr-from-differences yes;
Only in dig.out.ns3 (missing from dig2.good):
> example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
> a01.example. 3600 IN A 0.0.0.0
> apl01.example. 3600 IN APL !1:10.0.0.1/32 1:10.0.0.0/24
> example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
Only in dig2.good (missing from dig.out.ns3):
< example. 86400 IN SOA ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
< a01.example. 3600 IN A 0.0.0.1
< apl01.example. 3600 IN APL !1:10.0.0.1/32 1:10.0.0.1/24
< example. 86400 IN SOA ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
I:failed
I:testing ixfr-from-differences master; (master zone)
I:testing ixfr-from-differences master; (slave zone)
I:testing ixfr-from-differences slave; (master zone)
I:testing ixfr-from-differences slave; (slave zone)
I:check that a multi-message uncompressable zone transfers
I:testing that incorrectly signed transfers will fail...
I:initial correctly-signed transfer should succeed
I:ns4 server reload successful
I:unsigned transfer
I:bad keydata
I:partially-signed transfer
I:unknown key
I:incorrect key
I:check that we ask for and get a EDNS EXPIRE response (8)
I:ns7 zone refresh queued
I:test smaller transfer TCP message size (9)
I:test mapped zone with out of zone data (10)
I:test that a zone with too many records is rejected (AXFR) (11)
I:test that a zone with too many records is rejected (IXFR) (12)
I:exit status: 1
R:FAIL
E:xfer:Fri Feb 16 12:15:47 UTC 2018
```
Contents of `bin/tests/system/xfer/` [attached](/uploads/1cffe78f2f386e67b3348c12d6077636/xfer.tar.gz).

BIND-9.13.0
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/66
ixfr system test fails intermittently
2018-02-26T23:21:18Z
Michał Kępień

Two different failure modes, both seem to be related to timing at first glance:
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/1050
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/1092
```
S:ixfr:Thu Feb 15 19:54:14 UTC 2018
T:ixfr:1:A
A:System test ixfr
I:testing initial AXFR
server reload successful
I:testing successful IXFR
zone refresh queued
I:testing AXFR fallback after IXFR failure
zone refresh queued
I:testing ixfr-from-differences option
server reload successful
I:failed to get incremental response
I:testing request-ixfr option in view vs zone
I: this result should be AXFR
server reload successful
I: this result should be AXFR
I: success: AXFR it was
I: this result should be IXFR
server reload successful
I: success: IXFR it was
I:testing DiG's handling of a multi message AXFR style IXFR response
I:test 'dig +notcp ixfr=<value>' vs 'dig ixfr=<value> +notcp' vs 'dig ixfr=<value>'
I:exit status: 1
R:FAIL
E:ixfr:Thu Feb 15 19:54:51 UTC 2018
```
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/1083
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/1095
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/1129
```
S:ixfr:Thu Feb 15 23:40:59 UTC 2018
T:ixfr:1:A
A:System test ixfr
I:testing initial AXFR
server reload successful
I:testing successful IXFR
zone refresh queued
I:testing AXFR fallback after IXFR failure
zone refresh queued
I:testing ixfr-from-differences option
server reload successful
I:testing request-ixfr option in view vs zone
I: this result should be AXFR
server reload successful
I: this result should be AXFR
I:failed to get nonincremental response in 2nd AXFR test
I: this result should be IXFR
server reload successful
I: success: IXFR it was
I:testing DiG's handling of a multi message AXFR style IXFR response
I:test 'dig +notcp ixfr=<value>' vs 'dig ixfr=<value> +notcp' vs 'dig ixfr=<value>'
I:exit status: 1
R:FAIL
E:ixfr:Thu Feb 15 23:41:29 UTC 2018
```
I grabbed the test artifacts from all the jobs listed above lest they get removed.

BIND-9.13.0
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/98
Put git-replay-merge in source tree
2018-02-27T22:40:51Z
Evan Hunt

Let's please have the latest version of `git-replay-merge` in `util/git-replay-merge.sh` (or `util/git/git-replay-merge.sh`, if you think we might be creating other special-use git tools). That way, whenever we check out the BIND repo on a new machine, we'll have the script right there. (As a bonus, it'll be under version control, which is always nice.)

Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/96
Update contributors guide and move it at top level, so it's recognised by GitLab
2018-03-01T14:26:20Z
Ondřej Surý

GitLab can recognise a file called `CONTRIBUTING.md` at the top level, we should move `doc/dev/contrib.md` to this more visible place and update it with up-to-date information.

Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/122
nsupdate system test fails for BIND < 9.12
2018-03-01T20:55:17Z
Mark Andrews

`I:nsupdate:ensure 'check-mx warn' allows adding MX records containing an address with a warning`
subtest fails because `nsupdate` is called with `-4`.

Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/118
BIND 9.10 cookie system test failing
2018-03-01T21:48:10Z
Mark Andrews

as at 35117c19014bf80d46f4b29b96214df6c55c5ecb the cookie system test is failing
<pre>
S:cookie/:Wed 28 Feb 2018 07:14:52 AEDT
T:cookie/:1:A
A:cookie/:System test cookie/
I:cookie/:PORTRANGE:5300 - 5399
../conf.sh: line 280: ns3/named.conf: No such file or directory
../conf.sh: line 280: ns4/named.conf: No such file or directory
../conf.sh: line 280: ns5/named.conf: No such file or directory
../conf.sh: line 280: ns6/named.conf: No such file or directory
I:cookie:checking that named-checkconf detects error in bad-cookie-badhex.conf
I:cookie:checking that named-checkconf detects error in bad-cookie-toolong.conf
I:cookie:checking COOKIE token returned to empty COOKIE option (1)
I:cookie:checking COOKIE token returned to empty COOKIE option (+sit) (2)
I:cookie:checking response size without COOKIE (3)
/Users/marka/git/bind9/bin/dig/dig: '.example' is not a legal name (empty label)
I:cookie:failed
I:cookie:checking response size without valid COOKIE (4)
I:cookie:checking response size without valid COOKIE (+sit) (5)
I:cookie:checking response size with COOKIE (6)
I:cookie:checking response size with COOKIE (+sit) (7)
I:cookie:checking response size with COOKIE recursive (8)
I:cookie:checking response size with COOKIE recursive (+sit) (9)
I:cookie:checking COOKIE is learnt for TCP retry (10)
I:cookie:checking COOKIE is learnt for TCP retry (+sit) (11)
I:cookie:checking for COOKIE value in adb (12)
I:cookie:exit status: 1
R:cookie/:FAIL
E:cookie/:Wed 28 Feb 2018 07:14:56 AEDT
</pre>

Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/120
BIND 9.11 addzone fails.
2018-03-04T22:14:15Z
Mark Andrews

<pre>
S:addzone:Tue Feb 27 17:37:24 PST 2018
T:addzone:1:A
A:addzone:System test addzone
I:addzone:PORTRANGE:5400 - 5499
I:Couldn't start server ns1 (pid=12843)
I:failed
R:addzone:FAIL
E:addzone:Tue Feb 27 17:37:39 PST 2018
</pre>

Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/132
fix changes entry
2018-03-08T01:57:39Z
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/131
Add util/check-changes to CI for master
2018-03-08T02:24:42Z
Mark Andrews