From jeroen at os3.nl Sat Aug 2 18:12:19 2014
From: jeroen at os3.nl (Jeroen van der Ham)
Date: Sat, 2 Aug 2014 20:12:19 +0200
Subject: [ldns-users] Signzone script for crontab use
Message-ID: <81678C6C-9B5F-42BD-8F8F-F6CF0D7FC92B@os3.nl>

Hi,

Using NSD and the ldns toolset to re-sign zones, I've found that the default settings are not very ideal for use in cron. I initially wrote a three line wrapper script to circumvent this, but I've rewritten it now to generalise this a bit more. I've implemented it in Bash and Python (there's no validation or error checking, use at your own risk):

https://github.com/jeroenh/signzone

Couple of observations for ldns:

- It is annoying that ldns-signzone can't just increase the serial.
- The default expiry period is hard to use with cron, so I've changed it to be a month and 2 days, meaning you can just use "1 1 1 * * signzone.py /usr/local/etc/nsd/example.org/example.org" (and have a couple of days in case something goes wrong).
- It is annoying the way that ldns-signzone expects the key arguments. It expects to be pointed to the basename of the key files, and then attaches ".private" to it. It would be a whole lot easier for both general and scripting use if a user could just give the ".private" file directly.

Regards,
Jeroen.

From lmxhappy at gmail.com Tue Aug 5 03:20:41 2014
From: lmxhappy at gmail.com (Liu Mingxing)
Date: Tue, 5 Aug 2014 11:20:41 +0800
Subject: [ldns-users] string which does not conform with DNS protocol can be converted to ldns_rdf.
Message-ID: <201408051120397346043@gmail.com>

Hi, all,

I found a string which does not conform with the DNS protocol can be converted to ldns_rdf.

The string is like "(35)"

This should be an ldns bug.

Liu Mingxing
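The three cron pain points Jeroen lists in the "Signzone script for crontab use" message earlier in this thread (serial not incremented, an expiry period that does not line up with a monthly cron entry, and key arguments given as basenames rather than ".private" files) can each be handled in a small wrapper. The following is an added example written for this page; it is not Jeroen's script from github.com/jeroenh/signzone and not part of ldns. It assumes, as the thread states, that ldns-signzone appends ".private" to each key basename, and it assumes (my recollection of the tool's usage, not something the thread confirms) that `-e YYYYMMDDhhmmss` sets the signature expiration date. The YYYYMMDDnn serial convention and the sample zone are constructed for the example; the serial logic also covers the case where the zone is signed several times in one day, or already carries a serial in the future, by falling back to old + 1.

```python
"""Cron-friendly wrapper around ldns-signzone (added example, not Jeroen's script).

Assumptions (see the lead-in): ldns-signzone wants key *basenames* and appends
".private" itself; `-e YYYYMMDDhhmmss` sets the expiration date; the SOA serial
follows the YYYYMMDDnn convention. Dates are passed as ISO strings ("2014-08-02").
"""
import re
import subprocess
import sys
from datetime import date, timedelta
from typing import List, Tuple

# Constructed sample zone (not from the thread) used by the self-test.
SAMPLE_ZONE = """$ORIGIN example.org.
$TTL 3600
@   IN SOA ns1.example.org. hostmaster.example.org. (
        2014080101 ; serial
        7200 3600 1209600 3600 )
    IN NS  ns1.example.org.
ns1 IN A   192.0.2.1
"""

# Matches "SOA <mname> <rname> [(] <serial>", spanning the newline that usually
# follows the opening parenthesis; only the first match (the zone's SOA) is used.
_SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")


def next_serial(old: int, today_iso: str) -> int:
    """YYYYMMDD01 for today, unless that is not larger than the old serial
    (second run on the same day, or a serial already in the future): then old + 1."""
    candidate = int(date.fromisoformat(today_iso).strftime("%Y%m%d") + "01")
    return candidate if candidate > old else old + 1


def bump_serial(zone_text: str, today_iso: str) -> Tuple[str, int]:
    """Return the zone text with the SOA serial replaced, plus the new serial."""
    m = _SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone file")
    new = next_serial(int(m.group(2)), today_iso)
    return zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):], new


def key_basenames(private_files: List[str]) -> List[str]:
    """Turn the .private paths a human passes into the basenames ldns-signzone wants."""
    out = []
    for path in private_files:
        if not path.endswith(".private"):
            raise ValueError(f"expected a .private key file, got {path!r}")
        out.append(path[: -len(".private")])
    return out


def expiry_date(today_iso: str) -> str:
    """One month and two days from today (day clamped to the target month's length)."""
    today = date.fromisoformat(today_iso)
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return (date(year, month, min(today.day, last_day)) + timedelta(days=2)).isoformat()


def build_command(zonefile: str, private_files: List[str], today_iso: str) -> List[str]:
    """argv for ldns-signzone: expiry at midnight of the computed day (assumed -e format)."""
    exp = date.fromisoformat(expiry_date(today_iso)).strftime("%Y%m%d") + "000000"
    return ["ldns-signzone", "-e", exp, zonefile, *key_basenames(private_files)]


def main(argv: List[str]) -> int:
    if len(argv) < 3:
        print(f"usage: {argv[0]} ZONEFILE KEY.private [KEY.private ...]", file=sys.stderr)
        return 2
    zonefile, keys = argv[1], argv[2:]
    today = date.today().isoformat()
    with open(zonefile, encoding="utf-8") as fh:
        text, serial = bump_serial(fh.read(), today)
    with open(zonefile, "w", encoding="utf-8") as fh:  # rewrite with the bumped serial
        fh.write(text)
    cmd = build_command(zonefile, keys, today)
    print(f"serial -> {serial}; running: {' '.join(cmd)}")
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `signzone-wrap.py /path/to/example.org /path/to/Kexample.org.+008+12345.private` from the monthly cron entry; the unsigned zone file is rewritten with the new serial before ldns-signzone is invoked, which is the step the thread notes ldns-signzone will not do by itself.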
From lmxhappy at gmail.com Wed Aug 6 13:15:03 2014
From: lmxhappy at gmail.com (Liu Mingxing)
Date: Wed, 6 Aug 2014 21:15:03 +0800
Subject: [ldns-users] Reply: Re: string which does not conform with DNS protocol can be converted to ldns_rdf.
References: <201408051120397346043@gmail.com>, <0BF2CF6C-341D-4B02-BCDD-6616F502C56D@nominet.org.uk>
Message-ID: <2014080621150068746415@gmail.com>

According to 2.3.1. Preferred name syntax in the rfc 1035, the char '(' or '0' is not a letter, digit, or hyphen.

So, the string "(35)" is not a legal label or a legal domain name.

I do not understand what you mean about the relationship between label and hostname.

CNNIC
Liu Mingxing

From: Ray Bellis
Sent: 2014-08-06 16:00
To: lmxhappy
Subject: Re: [ldns-users] string which does not conform with DNS protocol can be converted to ldns_rdf.

On 5 Aug 2014, at 04:20, Liu Mingxing wrote:

> Hi, all,
> I found a string which does not conform with the DNS protocol can be converted to ldns_rdf.
>
> The string is like "(35)"
>
> This should be an ldns bug.

That string is a legal DNS label, even if it's not permitted as part of a legal hostname.

Ray
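The distinction Ray draws above (a legal DNS label is not the same thing as a legal hostname label) is easy to make concrete in code. The following is an added example written for this page, not ldns code and not from any poster in the thread. It models a DNS label the way the wire format does (1 to 63 octets of any value, which is all ldns needs to check to build an rdf) and a hostname label per the RFC 1035 section 2.3.1 rules Liu cites, with the RFC 1123 relaxation that allows a leading digit (a fact about RFC 1123, not something the thread states). The function name `check_valid_hostname` is the one Jelte proposes later in the thread; `classify`, `is_dns_label`, `is_hostname_label` and the sample names are my own constructions.

```python
"""Label vs. hostname checks for DNS names in presentation form (added example)."""
import re
from typing import List

MAX_LABEL = 63   # octets per label on the wire
MAX_NAME = 253   # presentation form without the trailing dot (255 on the wire)

# Hostname label: RFC 1035 2.3.1 letters/digits/hyphens, no leading or trailing
# hyphen; RFC 1123 additionally allows a leading digit. Length 1..63.
_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed sample names (not test data from the thread or from ldns).
SAMPLES = [
    "(35)",                        # the label from the thread
    "_dmarc.example.org",          # underscore label (DKIM/SRV style)
    "www.example.org.",            # ordinary hostname
    "9to5.example.org",            # leading digit, fine under RFC 1123
    "a" * 64 + ".example.org",     # label too long for the wire
    "bad..example.org",            # empty label
    "-lead.example.org",           # valid label, not a hostname label
]


def split_labels(name: str) -> List[str]:
    """Split a presentation-form name into labels, ignoring one trailing dot."""
    return name[:-1].split(".") if name.endswith(".") else name.split(".")


def is_dns_label(label: str) -> bool:
    """What the wire format allows: 1..63 octets, any octet value."""
    return 1 <= len(label.encode("utf-8")) <= MAX_LABEL


def is_hostname_label(label: str) -> bool:
    """The stricter letter/digit/hyphen rule that applies to host names."""
    return _HOST_LABEL.match(label) is not None


def classify(name: str) -> str:
    """'invalid' (not even a DNS name), 'dns-name' (legal labels, not a hostname),
    or 'hostname' (every label passes the hostname rule)."""
    labels = split_labels(name)
    if len(name.rstrip(".")) > MAX_NAME or not all(is_dns_label(l) for l in labels):
        return "invalid"
    if all(is_hostname_label(l) for l in labels):
        return "hostname"
    return "dns-name"


def check_valid_hostname(name: str) -> bool:
    """The opt-in check Jelte suggests: only true for names that are also hostnames."""
    return classify(name) == "hostname"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} -> {classify(sample)}")
```

Running the block prints `(35)` as `dns-name`: it is accepted as a label, exactly as ldns does, while `check_valid_hostname` rejects it. Which of the two checks a program should apply depends on what the name is for; a resolver library that enforced the hostname rule on every rdf would break the underscore-prefixed names Jelte mentions.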
From jelte.jansen at sidn.nl Wed Aug 6 13:37:27 2014
From: jelte.jansen at sidn.nl (Jelte Jansen)
Date: Wed, 6 Aug 2014 15:37:27 +0200
Subject: [ldns-users] Reply: Re: string which does not conform with DNS protocol can be converted to ldns_rdf.
In-Reply-To: <2014080621150068746415@gmail.com>
References: <201408051120397346043@gmail.com>, <0BF2CF6C-341D-4B02-BCDD-6616F502C56D@nominet.org.uk> <2014080621150068746415@gmail.com>
Message-ID: <53E22F97.8080604@sidn.nl>

RFC1035 is rather ambiguous about it, but there is a difference between a domain name (as it appears in the DNS), and a host name (a domain name pointing to a specific device); the rules as defined in 1035 (and 1194, and others, IIRC), generally apply to hostnames, not necessarily domain names. I am not sure whether this has been officially clarified and in which RFC that would be.

But it has proven useful, by the way; as we now have a number of protocols that use underscores in domain names (often to convey information *about* hostnames or domains), like DKIM and SRV. The underscore could be used without fear of conflicting with existing host names.

In reality, most software doesn't actually do too much checking on this level anyway; and any binary data is often accepted and served without many complaints. Don't know if I still have it, but I ran a website once on a name that had a dot within a label. But it is considered bad practice to actually do things like that ;)

One could consider adding a 'check_valid_hostname(ldns_dname *)' function or something, but I would personally not enable that by default in the ldns_dname structure itself; garbage in, garbage out.

Jelte

On 08/06/2014 03:15 PM, Liu Mingxing wrote:
> According to 2.3.1. Preferred name syntax in the rfc 1035, the char '('
> or '0' is not a letter, digit, or hyphen.
>
> So, the string "(35)" is not a legal label or a legal domain name.
>
> I do not understand what you mean about the relationship
> between label and hostname.
>
> ------------------------------------------------------------------------
> CNNIC
> Liu Mingxing
>
> *From:* Ray Bellis
> *Sent:* 2014-08-06 16:00
> *To:* lmxhappy
> *Subject:* Re: [ldns-users] string which does not conform with DNS
> protocol can be converted to ldns_rdf.
>
> On 5 Aug 2014, at 04:20, Liu Mingxing wrote:
>
>> Hi, all,
>> I found a
>> string which does not conform with the DNS protocol can be converted to ldns_rdf.
>>
>> The string is like "(35)"
>>
>> This should be an ldns bug.
>
> That string is a legal DNS label, even if it's not permitted as part of
> a legal hostname.
>
> Ray
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users

From tewinget at gmail.com Wed Aug 27 03:44:08 2014
From: tewinget at gmail.com (Thomas Winget)
Date: Tue, 26 Aug 2014 23:44:08 -0400
Subject: [ldns-users] DNSSEC && OpenSSL

Looks like I have to subscribe first, makes sense.

---------- Forwarded message ----------
From: "Thomas Winget"
Date: Aug 26, 2014 11:22 PM
Subject: DNSSEC && OpenSSL
To:
Cc:

Hey all,

I'm considering using ldns (or OpenDNSSEC) in a C++ project, but due to recent events with OpenSSL there's a certain apprehension in the project toward using something that depends on it. Are there any plans to move toward something like Mozilla's NSS, or perhaps offer it as an option?

Thanks in advance for your replies, and rest assured that I'm not afraid of a resounding "no". If it comes down to it, the terms of the ldns license are fantastic (thanks a bunch!) and I can modify it to use something else if needed. If we do end up modifying it, we'll be sure to look into making a pull request!

(side note: I hope that by sending this from my email that I will get replies to it, but if not someone can shoot me an email at tewinget at gmail.com and I'll subscribe to the mailing list.)

--
Thomas Winget
Computer Engineering
Purdue University '12

From willem at nlnetlabs.nl Wed Aug 27 08:52:14 2014
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 27 Aug 2014 10:52:14 +0200
Subject: [ldns-users] DNSSEC && OpenSSL
Message-ID: <53FD9C3E.2050400@nlnetlabs.nl>

Hi Thomas,

We are not planning for Mozilla's NSS support yet.
LibreSSL should work though... (haven't tried myself yet)

Regards,
-- Willem

On 27-08-14 at 05:44, Thomas Winget wrote:
> Looks like I have to subscribe first, makes sense.
>
> ---------- Forwarded message ----------
> From: "Thomas Winget"
> Date: Aug 26, 2014 11:22 PM
> Subject: DNSSEC && OpenSSL
> To:
> Cc:
>
> Hey all,
>
> I'm considering using ldns (or OpenDNSSEC) in a C++ project, but due to
> recent events with OpenSSL there's a certain apprehension in the project
> toward using something that depends on it. Are there any plans to move
> toward something like Mozilla's NSS, or perhaps offer it as an option?
>
> Thanks in advance for your replies, and rest assured that I'm not afraid
> of a resounding "no". If it comes down to it, the terms of the ldns
> license are fantastic (thanks a bunch!) and I can modify it to use
> something else if needed. If we do end up modifying it, we'll be sure
> to look into making a pull request!
>
> (side note: I hope that by sending this from my email that I will get
> replies to it, but if not someone can shoot me an email at
> tewinget at gmail.com and I'll subscribe to the
> mailing list.)
>
> --
> Thomas Winget
> Computer Engineering
> Purdue University '12

From jaap at NLnetLabs.nl Wed Aug 27 09:50:08 2014
From: jaap at NLnetLabs.nl (Jaap Akkerhuis)
Date: Wed, 27 Aug 2014 11:50:08 +0200
Subject: [ldns-users] DNSSEC && OpenSSL
In-Reply-To: <53FD9C3E.2050400@nlnetlabs.nl>
References: <53FD9C3E.2050400@nlnetlabs.nl>
Message-ID: <201408270950.s7R9o8sM011441@bela.nlnetlabs.nl>

Willem Toorop writes:

> Hi Thomas,
>
> We are not planning for Mozilla's NSS support yet.
> LibreSSL should work though... (haven't tried myself yet)

Another thing to look at is PolarSSL. And no, no experience.

One thing to watch for is whether the alternatives have enough features to support ldns fully.

jaap

From dot at dotat.at Wed Aug 27 11:04:47 2014
From: dot at dotat.at (Tony Finch)
Date: Wed, 27 Aug 2014 12:04:47 +0100
Subject: [ldns-users] DNSSEC && OpenSSL

Thomas Winget wrote:
>
> I'm considering using ldns (or OpenDNSSEC) in a C++ project, but due to
> recent events with OpenSSL there's a certain apprehension in the project
> toward using something that depends on it. Are there any plans to move
> toward something like Mozilla's NSS, or perhaps offer it as an option?

Note that most of the recent problems in OpenSSL have been in its TLS and DTLS protocol handling. Its underlying crypto primitives are much less problematic. DNSSEC software generally doesn't use TLS or DTLS (it links with libcrypto but not libssl) so depending on OpenSSL is not too worrying.

But don't let that discourage you from adding support for other crypto libraries if you want to :-)

Tony.
--
f.anthony.n.finch http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.

From tewinget at gmail.com Wed Aug 27 18:06:54 2014
From: tewinget at gmail.com (Thomas Winget)
Date: Wed, 27 Aug 2014 14:06:54 -0400
Subject: [ldns-users] DNSSEC && OpenSSL

Well damn, I didn't necessarily expect a reply overnight, let alone 3. Neat!

Tony, thanks for the info on libcrypto vs libssl, we'll keep that in mind! At some point we're going to want SSL support in our project for other things though, and it looks like we might go with NSS, so if we do and do end up modifying ldns to use it (optionally) we'll definitely PR it.

Until then, take care all and thanks again!

On Wed, Aug 27, 2014 at 7:04 AM, Tony Finch wrote:
> Thomas Winget wrote:
> >
> > I'm considering using ldns (or OpenDNSSEC) in a C++ project, but due to
> > recent events with OpenSSL there's a certain apprehension in the project
> > toward using something that depends on it. Are there any plans to move
> > toward something like Mozilla's NSS, or perhaps offer it as an option?
>
> Note that most of the recent problems in OpenSSL have been in its TLS and
> DTLS protocol handling. Its underlying crypto primitives are much less
> problematic. DNSSEC software generally doesn't use TLS or DTLS (it links
> with libcrypto but not libssl) so depending on OpenSSL is not too
> worrying.
>
> But don't let that discourage you from adding support for other crypto
> libraries if you want to :-)
>
> Tony.
> --
> f.anthony.n.finch http://dotat.at/
> Trafalgar: Cyclonic in northwest, otherwise mainly northerly or
> northwesterly
> 5 or 6. Slight or moderate. Showers in northwest. Good.

--
Thomas Winget
Computer Engineering
Purdue University '12