From: Sam Sgro (sam_at_freeswan.org)
Date: Fri Oct 18 2002 - 21:48:34 CEST
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, 17 Oct 2002, Brian J. Murrell wrote:
> My impression is that some versions of BIND work, some do not? BIND 9
> seems to be promising? Is this an issue with the DNS hosting the
> CNAME records or the one hosting the KEY/TXT records or the DNS server
> where the query starts? If the latter, aye-karumba, if the first,
> yuck and if the second, well that is a more easily dealt with problem.
As I recall, the problem lies with the DNS server where the query starts. It
begins to look up the KEY record, encounters the first CNAME, and then
promptly forgets that it was looking for a KEY record as it follows the CNAME.
> Is there any "known-to-work" versions of BIND for this setup? Latest
> perhaps?
I don't think there was any detailed analysis of precisely when this bug was
fixed in BIND. I've encountered failures with 8 (8.2.2-P5, specifically) but
not with any 9 system I've encountered. You're welcome to set up the CNAME
and experiment!
> It will be so much easier to explain to my service provider
> to install a single CNAME record than to have them install and update
> TXT/KEY records.
I agree with you. However, if done right, you shouldn't have to do this more
than once.
For example, you could have one VPN gateway mediate OE connections for your
entire network. For example, my /27 subnet has TXT records, created with
"ipsec showhostkey --txt 66.199.181.29" for each IP; and one KEY record
inserted for 66.199.181.29, created by "ipsec showhostkey". Make a
floppy backup of your secret key and secure it, in case you have to wipe that
gateway machine at any point.
I've done this, and haven't had reason to alter anything for months.
Regardless of the inconvenience, it may be the simplest way to fix the
problem at the moment.
We don't view the above recommendation as being the final word on the topic.
We want to support ISPs delegating their reverse maps by this method. Given
that we can't forcefully upgrade every DNS server on the internet, having OE
fail for seemingly random customers is pointless. We've been kicking around a
few potential fixes for the problem, and are aiming to have the solution
implemented in FreeS/WAN 2.00.
> Thanx for any input you may have. Success/fail reports on versions of
> BIND would be helpful to me and other list readers/searchers in
> general I think.
I'd also like to hear those reports; I've not had time to research this
properly. For the curious, you can check the version of a BIND-based DNS
server with this dig command:
dig @server.name version.bind. txt chaos
- --
Sam Sgro
sam_at_freeswan.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.
iQCVAwUBPbBllEOSC4btEQUtAQGfQgP/c1GlgZCR4ASFyjNPdmkt+kMHhGQ7IBHg
RF69J681iKqpP0y1bEHgSbi5t5AeYfI9fijgkmv3dlTg/Rj6rE2OymuSxcu8sE+W
ktN10CeJmnCUak1Qtxb2RqAyJUawT1YJvA/EPYcyA442z5I1L3c7pBhvtHYYPx6H
vuWc/3KXdk0=
=UvOr
-----END PGP SIGNATURE-----
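A small model of the lookup failure described in the message (a constructed Python example added here; it is not FreeS/WAN or BIND code, and the zone names, the second and third IPs, and the key strings are placeholders). It contrasts a resolver that keeps the original query type while following a CNAME chain with one that walks the chain and drops the type, and shows what each means for the TXT/KEY records an OE gateway looks for in the reverse map:

```python
"""
Toy model of the CNAME-chasing failure described in the message above.

Constructed example, not FreeS/WAN or BIND code. The zone data, names
and placeholder key material are assumptions made for illustration.
resolve_correct() keeps the original query type while it follows a
CNAME chain; resolve_forgetful() walks the chain but never re-applies
the original type, which is the behaviour the message describes
("forgets that it was looking for a KEY record").
"""

# Constructed zone data: owner name -> {rtype: [rdata, ...]}.
ZONE = {}


def add_record(name, rtype, rdata):
    ZONE.setdefault(name.lower(), {}).setdefault(rtype, []).append(rdata)


# Reverse-map CNAMEs of the kind an ISP installs once per IP (constructed).
add_record("29.181.199.66.in-addr.arpa", "CNAME", "29.oe.example.net")
add_record("30.181.199.66.in-addr.arpa", "CNAME", "30.oe.example.net")
# A second hop, so the chain-following is exercised.
add_record("30.oe.example.net", "CNAME", "gw.oe.example.net")
# A deliberate CNAME loop, to show the chain-length guard.
add_record("loop.oe.example.net", "CNAME", "loop.oe.example.net")

# Records of the shape "ipsec showhostkey --txt <ip>" and "ipsec showhostkey"
# produce; the key material is a placeholder string, not a real key.
FAKE_KEY = "AQNzYWJlc2FtcGxlLXBsYWNlaG9sZGVy"
add_record("29.oe.example.net", "TXT", "X-IPsec-Server(10)=66.199.181.29 " + FAKE_KEY)
add_record("gw.oe.example.net", "TXT", "X-IPsec-Server(10)=66.199.181.29 " + FAKE_KEY)
add_record("gw.oe.example.net", "KEY", "0x4200 4 1 " + FAKE_KEY)
add_record("gw.oe.example.net", "A", "66.199.181.29")

MAX_CHAIN = 8  # cap on CNAME hops; guards against loops


def reverse_name(ip):
    """Reverse-map owner name for a dotted-quad IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def resolve_correct(name, qtype):
    """Follow CNAMEs while remembering the original qtype.

    Returns (cname_chain, rdata_list); rdata_list is empty when the
    final owner has no record of the requested type."""
    chain = []
    for _ in range(MAX_CHAIN):
        rrset = ZONE.get(name.lower(), {})
        if qtype in rrset:
            return chain, list(rrset[qtype])
        if "CNAME" not in rrset:
            return chain, []
        chain.append(name.lower())
        name = rrset["CNAME"][0]
    raise RuntimeError("CNAME chain longer than %d hops (loop?)" % MAX_CHAIN)


def resolve_forgetful(name, qtype):
    """Model of the failure: the chain is walked, but once the first CNAME
    is seen the original qtype is dropped, so nothing of that type is ever
    returned. Same signature and return shape as resolve_correct()."""
    rrset = ZONE.get(name.lower(), {})
    if qtype in rrset:
        return [], list(rrset[qtype])      # no CNAME involved: works fine
    chain = []
    for _ in range(MAX_CHAIN):
        rrset = ZONE.get(name.lower(), {})
        if "CNAME" not in rrset:
            return chain, []               # qtype has been forgotten
        chain.append(name.lower())
        name = rrset["CNAME"][0]
    raise RuntimeError("CNAME chain longer than %d hops (loop?)" % MAX_CHAIN)


def oe_records(ip, resolver):
    """What an OE gateway would learn about `ip` from the reverse map,
    asking for TXT and then KEY through the given resolver model."""
    owner = reverse_name(ip)
    found = {}
    for rtype in ("TXT", "KEY"):
        _, rdata = resolver(owner, rtype)
        if rdata:
            found[rtype] = rdata
    return found


if __name__ == "__main__":
    for ip in ("66.199.181.29", "66.199.181.30", "66.199.181.31"):
        for r in (resolve_correct, resolve_forgetful):
            print(ip, r.__name__, oe_records(ip, r))
```

With the correct resolver the two-hop chain for 66.199.181.30 yields both the TXT and the KEY record; the forgetful one walks the same chain and comes back empty, which is exactly the "OE fails for seemingly random customers" outcome, since it depends on which resolver the far end happens to use.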
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
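The dig check mentioned in the message can be driven from a script. The following Python is an added example, not from the message or from FreeS/WAN: it runs dig (needed on PATH, with network access, only when bind_version() or probe_resolver() is called), parses the ANSWER SECTION of dig's default output, and reports whether a KEY or TXT record came back behind the CNAME, which is the symptom to look for. The resolver address and IP in the docstrings and the two SAMPLE_* outputs are constructed placeholders, not captured from any real server.

```python
"""
Probe a resolver for the CNAME-chasing problem discussed in the message.

Added example; not FreeS/WAN or BIND code. Assumes `dig` is on PATH for
the network functions. SAMPLE_GOOD / SAMPLE_BAD are constructed dig
outputs used to exercise the parser offline.
"""
import subprocess

VERSION_QUERY = ["version.bind.", "txt", "chaos"]  # the query from the message


def reverse_name(ip):
    """dotted-quad -> in-addr.arpa owner name"""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def answer_rrs(dig_output):
    """Return (owner, ttl, class, type, rdata) tuples from the ANSWER SECTION
    of dig's default output. Other sections are ignored."""
    in_answer = False
    rrs = []
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;") or not line.strip():
            in_answer = False
            continue
        if in_answer:
            parts = line.split(None, 4)
            if len(parts) == 5:
                rrs.append(tuple(parts))
    return rrs


def chased_correctly(dig_output, qtype):
    """True if a record of `qtype` is present (possibly after CNAMEs);
    False if only CNAMEs, or nothing, came back."""
    return qtype in [rr[3] for rr in answer_rrs(dig_output)]


def run_dig(server, *args):
    """Run dig against `server` (e.g. "192.0.2.53") and return its stdout."""
    proc = subprocess.run(["dig", "@" + server] + list(args),
                          capture_output=True, text=True, check=False)
    return proc.stdout


def bind_version(server):
    """Self-reported version string of a BIND-based server, or "unknown"."""
    txt = run_dig(server, *VERSION_QUERY, "+short")
    return txt.strip().strip('"') or "unknown"


def probe_resolver(server, ip):
    """{"version": str, "TXT": bool, "KEY": bool}: whether each record type
    for ip's reverse-map name was returned through the CNAME by `server`."""
    owner = reverse_name(ip)
    result = {"version": bind_version(server)}
    for qtype in ("TXT", "KEY"):
        result[qtype] = chased_correctly(run_dig(server, owner, qtype), qtype)
    return result


# Constructed dig output: a resolver that kept the qtype across the CNAME.
SAMPLE_GOOD = """\
; <<>> DiG 9.2.1 <<>> @192.0.2.53 29.181.199.66.in-addr.arpa KEY
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;29.181.199.66.in-addr.arpa.\tIN\tKEY

;; ANSWER SECTION:
29.181.199.66.in-addr.arpa. 3600 IN CNAME 29.oe.example.net.
29.oe.example.net.\t3600\tIN\tKEY\t0x4200 4 1 AQNzYWJlc2FtcGxl

;; Query time: 12 msec
"""

# Constructed dig output: a resolver that dropped the qtype after the CNAME,
# so only the CNAME itself is answered.
SAMPLE_BAD = SAMPLE_GOOD.replace(
    "29.oe.example.net.\t3600\tIN\tKEY\t0x4200 4 1 AQNzYWJlc2FtcGxl\n", "")


if __name__ == "__main__":
    print("good sample:", chased_correctly(SAMPLE_GOOD, "KEY"))
    print("bad sample: ", chased_correctly(SAMPLE_BAD, "KEY"))
```

Run probe_resolver() against each resolver you care about (your own, your ISP's, and whatever the far end of an OE connection is likely to use) and compare the version string with the TXT/KEY result; that is the success/fail report the thread asks for, in a form that can be pasted into a reply.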
This archive was generated by hypermail 2.1.5 : Sun Oct 20 2002 - 05:20:29 CEST