From strenholme.usenet at gmail.com Tue Feb 1 00:04:40 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Mon, 31 Jan 2011 22:04:40 -0700
Subject: Going backwards?
In-Reply-To: <1296500769.12317.1418202705@webmail.messagingengine.com>
References: <20110128123159.GA18561@smp.if.uj.edu.pl> <1296500769.12317.1418202705@webmail.messagingengine.com>
Message-ID:

> Forgive me for my ignorance if I'm making a stupid mistake, but,
> what happened to the version numbers?

I have not made a new release of MaraDNS 2.0 yet. Yarin has contributed a number of patches, and I would like to integrate his patches before making a new MaraDNS 2.0 release; MaraDNS 2.0 users can use the supplied patch.

Here are the three maintained branches of MaraDNS:

1.3: A deprecated branch; only maintained with security fixes and only until December 21, 2012. Distributed as source code. Has only the deprecated MaraDNS 1.x recursive resolver.

1.4: The "legacy" branch of MaraDNS; I still maintain this branch with security and other bug fixes for the foreseeable future. Distributed as source code and as a Windows binary. Has both the deprecated MaraDNS 1.x recursive resolver and Deadwood (so people can slowly make the transition to the new recursor)

2.0: The present branch of MaraDNS. The legacy recursive code is completely removed and replaced with Deadwood. Distributed only as source code.

Since MaraDNS 1.4 presently has all of the features MaraDNS 2.0 has (but this will change when I get a chance to integrate your patches), and since the exploit in question was a 0-day exploit, I plain simply did not have time to make a release of all three branches of MaraDNS to patch the exploit. It didn't help that Valgrind was giving me false alarms about memory leaks in Deadwood, and I had to spend time verifying the reports were false alarms (if Valgrind says the memory is "possibly lost", it can be a false alarm).
I will release 2.0 again in the next week or two, integrating Yarin's patches in this release.

- Sam

From shaanlumley at gmail.com Tue Feb 1 09:16:23 2011
From: shaanlumley at gmail.com (Shaan)
Date: Tue, 1 Feb 2011 16:16:23 +0200
Subject: Nameserver issues
In-Reply-To: <116.CDA9@winter.webconquest.com>
References: <116.CDA9@winter.webconquest.com>
Message-ID:

Hi Remco

Thanks for the reply.

Where I'm getting confused is, is how do I get ns1.example.com and ns2 to be the nameservers for the domain?

The domain is with namecheap, where I have the A record pointing to #.#.#.50, and I have registered the nameservers at namecheap, with ns1 pointing to #.#.#.50 and ns2 pointing to #.#.#.51.

I've added the required entry in mararc to point to the db file, and in the db file I just have

ns1.example.com. NS #.#.#.50
ns2.example.com. NS #.#.#.51

Is that all that needs to be done or am I still missing something?

Thanks!

On Fri, Jan 28, 2011 at 08:35, Remco Rijnders wrote:

> On Thu, Jan 27, 2011 at 11:10:59PM +0200, Shaan wrote:
>
>> At the moment, I have example.com registered at Namecheap, with the host
>> records pointing my VPS. The A record for the domain is pointing to the main
>> IP of the VPS. I've then also registered ns1.example.com and
>> ns2.example.com to the main and secondary IP's of the VPS.
>>
>>
>> On the VPS I've installed MaraDNS and got it running, with the most basic
>> settings:
>> csv2 = {}
>> bind_address = "#.#.#.50, #.#.#.51"
>> chroot_dir = "/etc/maradns"
>> no_fingerprint = 0
>>
>> What I'm trying to achieve is, is to have Namecheap handle the DNS for
>> .com's, .net's. etc but MaraDNS handle DNS for .co.za's. So what I'd like to
>> be able to do is use the VPS to host the nameservers ns1.example.com and
>> ns2.example.com for the .co.za's.
>>
>> The .co.za's need 2 nameservers to be registered, and do not work with
>> Namecheaps FreeDNS at all!
>>
>> Is it even possible to do this with MaraDNS, and if so how could I get it
>> working?
>>
>> Thank you in advance :)
>>
>
> Hi Shaan,
>
> Yes, maradns can do this for you. In fact, MaraDNS can serve any kind of
> DNS record for any kind of hostname, whether that's a real registered domain
> name or just something you made up (though, the latter obviously never would
> resolve for outside parties).
>
> Once you manage to have ns1.example.com and ns2 as the nameservers for
> your domain, your DNS servers should be queried for any example.co.za records.
>
> Please note that some registrars have quite specific rules on what can and
> can't be set as a nameserver for your domain. Possible speedbumps they might
> introduce is checking the intended nameservers to see if they indeed have
> the zone in question, check serial numbers, check that you don't register an
> IPv6 only nameserver, etc. etc. I'm not sure if anything like this exists
> for .za registrations.
>
> See the documentation on www.maradns.org how to create the zone file for
> example.co.za . Using tools such as dig or nslookup you can check the
> records on your server to see if they work as intended before changing the
> nameservers over to yours.
>
> If you continue to experience issues, please write again and include
> specifics on any errors you might get, software versions used, etc.
>
> Sincerely,
>
> Remco
>

From remco at webconquest.com Tue Feb 1 11:13:04 2011
From: remco at webconquest.com (Remco Rijnders)
Date: Tue, 1 Feb 2011 17:13:04 +0100
Subject: Nameserver issues
In-Reply-To:
References: <116.CDA9@winter.webconquest.com>
Message-ID: <147.F77E@winter.webconquest.com>

On Tue, Feb 01, 2011 at 04:16:23PM +0200, Shaan wrote:
>Where I'm getting confused is, is how do I get ns1.example.com and ns2 to be
>the nameservers for the domain?
>
>The domain is with namecheap, where I have the A record pointing to
>#.#.#.50, and I have registered the nameservers at namecheap, with ns1
>pointing to #.#.#.50 and ns2 pointing to #.#.#.51.
>
>I've added the required entry in mararc to point to the db file, and in the
>db file I just have
>
>ns1.example.com. NS #.#.#.50
>ns2.example.com. NS #.#.#.51
>
>Is that all that needs to be done or am I still missing something?

Hi Shaan,

If you have registered the domain through namecheap, they should allow you to point the nameservers to your chosen nameservers and IP addresses. That is, you don't have to do anything on your server or with maradns to do this, but have to arrange this through the registrar.

You can check what the current nameservers for your domain are set to by doing:

whois domain.co.za

from a linux shell prompt, or by using a whois webinterface such as at http://whois.domaintools.com/ (on the registration tab).

It is possible that you first have to register your nameservers with namecheap before you can use them for your domains, but that depends on their policies and interfaces.

If you're still stuck on this, contact namecheap support as they should be able to help you further with this.

Sincerely,

Remco

From yarin at warpmail.net Tue Feb 1 16:50:06 2011
From: yarin at warpmail.net (Yarin)
Date: Tue, 01 Feb 2011 15:50:06 -0600
Subject: Going backwards?
In-Reply-To:
References: <20110128123159.GA18561@smp.if.uj.edu.pl><1296500769.12317.1418202705@webmail.messagingengine.com>
Message-ID: <1296597006.23763.1418440651@webmail.messagingengine.com>

Thanks for clearing that up.

>> 1.4: The "legacy" branch of MaraDNS ... Has both the deprecated
>> MaraDNS 1.x recursive resolver and Deadwood

In this case, will compiling MaraDNS with --authonly produce the same thing as compiling the 2.0 branch MaraDNS?

----- Original message -----
From: "Sam Trenholme"
To: list at maradns.org
Date: Mon, 31 Jan 2011 22:04:40 -0700
Subject: Re: Going backwards?

> Forgive me for my ignorance if I'm making a stupid mistake, but,
> what happened to the version numbers?

I have not made a new release of MaraDNS 2.0 yet.
Yarin has contributed a number of patches, and I would like to integrate his patches before making a new MaraDNS 2.0 release; MaraDNS 2.0 users can use the supplied patch.

Here are the three maintained branches of MaraDNS:

1.3: A deprecated branch; only maintained with security fixes and only until December 21, 2012. Distributed as source code. Has only the deprecated MaraDNS 1.x recursive resolver.

1.4: The "legacy" branch of MaraDNS; I still maintain this branch with security and other bug fixes for the foreseeable future. Distributed as source code and as a Windows binary. Has both the deprecated MaraDNS 1.x recursive resolver and Deadwood (so people can slowly make the transition to the new recursor)

2.0: The present branch of MaraDNS. The legacy recursive code is completely removed and replaced with Deadwood. Distributed only as source code.

Since MaraDNS 1.4 presently has all of the features MaraDNS 2.0 has (but this will change when I get a chance to integrate your patches), and since the exploit in question was a 0-day exploit, I plain simply did not have time to make a release of all three branches of MaraDNS to patch the exploit. It didn't help that Valgrind was giving me false alarms about memory leaks in Deadwood, and I had to spend time verifying the reports were false alarms (if Valgrind says the memory is "possibly lost", it can be a false alarm).

I will release 2.0 again in the next week or two, integrating Yarin's patches in this release.

- Sam

From shaanlumley at gmail.com Wed Feb 2 02:28:19 2011
From: shaanlumley at gmail.com (Shaan)
Date: Wed, 2 Feb 2011 09:28:19 +0200
Subject: Nameserver issues
In-Reply-To: <147.F77E@winter.webconquest.com>
References: <116.CDA9@winter.webconquest.com> <147.F77E@winter.webconquest.com>
Message-ID:

Thank you Remco!
On Tue, Feb 1, 2011 at 18:13, Remco Rijnders wrote:

> On Tue, Feb 01, 2011 at 04:16:23PM +0200, Shaan wrote:
>
>> Where I'm getting confused is, is how do I get ns1.example.com and ns2 to be
>> the nameservers for the domain?
>>
>> The domain is with namecheap, where I have the A record pointing to
>> #.#.#.50, and I have registered the nameservers at namecheap, with ns1
>> pointing to #.#.#.50 and ns2 pointing to #.#.#.51.
>>
>> I've added the required entry in mararc to point to the db file, and in the
>> db file I just have
>>
>> ns1.example.com. NS #.#.#.50
>> ns2.example.com. NS #.#.#.51
>>
>> Is that all that needs to be done or am I still missing something?
>>
>
> Hi Shaan,
>
> If you have registered the domain through namecheap, they should allow you
> to point the nameservers to your chosen nameservers and IP addresses. That
> is, you don't have to do anything on your server or with maradns to do this,
> but have to arrange this through the registrar.
>
> You can check what the current nameservers for your domain are set to by
> doing:
>
> whois domain.co.za
>
> from a linux shell prompt, or by using a whois webinterface such as at
> http://whois.domaintools.com/ (on the registration tab).
>
> It is possible that you first have to register your nameservers with
> namecheap before you can use them for your domains, but that depends on
> their policies and interfaces.
>
> If you're still stuck on this, contact namecheap support as they should be
> able to help you further with this.
>
> Sincerely,
>
> Remco
>

From strenholme.usenet at gmail.com Wed Feb 2 09:54:16 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Wed, 2 Feb 2011 07:54:16 -0700
Subject: Nameserver issues
In-Reply-To:
References: <116.CDA9@winter.webconquest.com> <147.F77E@winter.webconquest.com>
Message-ID:

> Thank you Remco!

>>> Where I'm getting confused is, is how do I get ns1.example.com and ns2 to be
>>> the nameservers for the domain?
This information is also available in MaraDNS' documentation:

http://www.maradns.org/tutorial/authoritative.html#register

Take care,

- Sam

From nicholas at periapt.co.uk Thu Feb 3 12:12:35 2011
From: nicholas at periapt.co.uk (Nicholas Bamber)
Date: Thu, 03 Feb 2011 17:12:35 +0000
Subject: Where is the maraDNS 2.0 source code
In-Reply-To: <20110128123159.GA18561@smp.if.uj.edu.pl>
References: <20110128123159.GA18561@smp.if.uj.edu.pl>
Message-ID: <4D4AE203.9050505@periapt.co.uk>

Hi everyone,

I can see in the source code tarball the source code for deadwood. But if I understand correctly maraDNS 2.0 will still exist as a separate process. However I cannot find the source code for this. I am sure I will feel quite stupid when the answer is revealed.

Nicholas

From nicholas at periapt.co.uk Thu Feb 3 13:05:45 2011
From: nicholas at periapt.co.uk (Nicholas Bamber)
Date: Thu, 03 Feb 2011 18:05:45 +0000
Subject: Where is the maraDNS 2.0 source code
In-Reply-To: <4D4AE203.9050505@periapt.co.uk>
References: <20110128123159.GA18561@smp.if.uj.edu.pl> <4D4AE203.9050505@periapt.co.uk>
Message-ID: <4D4AEE79.4090705@periapt.co.uk>

Hmm searching through the mailing list archive I can conclude I could just compile the 1.4.x code with AUTH_ONLY=1 and call it 2.0.x

On 03/02/11 17:12, Nicholas Bamber wrote:
> Hi everyone,
>
> I can see in the source code tarball the source code for deadwood. But
> if I understand correctly maraDNS 2.0 will still exist as a separate
> process. However I cannot find the source code for this. I am sure I
> will feel quite stupid when the answer is revealed.
>
>
> Nicholas

From nicholas at periapt.co.uk Thu Feb 3 17:49:53 2011
From: nicholas at periapt.co.uk (Nicholas Bamber)
Date: Thu, 03 Feb 2011 22:49:53 +0000
Subject: Error messages should specify which zone contains the error?
In-Reply-To: <4D4AEE79.4090705@periapt.co.uk>
References: <20110128123159.GA18561@smp.if.uj.edu.pl> <4D4AE203.9050505@periapt.co.uk> <4D4AEE79.4090705@periapt.co.uk>
Message-ID: <4D4B3111.5080504@periapt.co.uk>

Hi Sam,

I am in the process of taking over from Kai the Debian packaging for maradns. I am reviewing the bug reports as they currently stand. I thank you for how helpful you have been in the past. There is one bug report I think worth forwarding to you:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607739

When MaraDNS outputs a warning to the syslog about an error in a zone file, it doesn't actually specify which RR or zone the error is in. [See web page for example]. The warning about having an IP in the MX record actually applies to the test2.com zone, but is output at the end of parsing all zones.

Ideally, the error should mention which RR or zone the problem is in. On a DNS server with a few hundred zones, it would make tracking down the problem a bit easier.

Nicholas

From strenholme.usenet at gmail.com Fri Feb 4 01:41:09 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Thu, 3 Feb 2011 23:41:09 -0700
Subject: Where is the maraDNS 2.0 source code
In-Reply-To: <4D4AEE79.4090705@periapt.co.uk>
References: <20110128123159.GA18561@smp.if.uj.edu.pl> <4D4AE203.9050505@periapt.co.uk> <4D4AEE79.4090705@periapt.co.uk>
Message-ID:

(It's an obsolete tradition; but I'm an old Usenet poster [1] so I usually "top quote" and trim quotes instead of "bottom quote")

>> I can see in the source code tarball the source code for deadwood. But if
>> I understand correctly MaraDNS 2.0 will still exist as a separate process.
>> However I cannot find the source code for this.

Nothing stupid about it at all. MaraDNS 2.0 is normally available on http://maradns.org/download.html, but in light of last week's zero-day exploit [2], I have temporarily hidden MaraDNS 2.0 because I didn't have enough time to properly update all three maintained branches of MaraDNS.
I should have 2.0 up again this weekend sometime.

> Hmm searching through the mailing list archive I can conclude I could just
> compile the 1.4.x code with AUTH_ONLY=1 and call it 2.0.x

2.0.01 was, indeed, 1.4.05 with the makefiles modified to compile it "--authonly" (unlike 1.4, it is possible to compile 2.0 without IPv6 and without recursion). However, 2.0.02 will have some bugfixes and features Yarin has contributed which won't get in to the 1.4 (nor 1.3) branch of MaraDNS.

As an aside, if you want to get a sense of security updates, we had one in 2010 and (so far) one in 2011. I just added security patches going as far back as 2007 and put them here:

http://www.maradns.org/download/patches/

Currently, these are all security patches; all of them except the "parse segfault" and the "CVE-2011-0520" patches should be in the "stable" release; some of them may or may not be in the old Lenny release. The "parse segfault" bug (CVE-2010-2444) does not exist in MaraDNS 1.2 [3]; the CVE-2011-0520 bug does.

http://security-tracker.debian.org/tracker/source-package/maradns

Making sure these security patches are either applied or will not be applied to all branches of MaraDNS in Debian's repository should keep you busy until I can get 2.0.02 out the door this weekend sometime.

- Sam

[1] I just said my final goodbye to Usenet this year: http://groups.google.com/group/comp.lang.awk/msg/f73090134c3fc520?dmode=source and http://www.samiam.org/blog/20110111.html

[2] To be fair to the reporter of the security bug, I have made it quite difficult to contact me because I got sick and tired of people who demanded free support from me in private email and always ignoring the "don't ask for free MaraDNS support" line in the page with my email address. I plan to, when I get a chance, to make the "security" page more visible and make a link to my email address visible there.
[3] http://maradns.blogspot.com/2010/02/maradns-1403-and-130710-released.html

From strenholme.usenet at gmail.com Sat Feb 5 21:50:16 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Sat, 5 Feb 2011 19:50:16 -0700
Subject: Error messages should specify which zone contains the error?
In-Reply-To: <4D4B3111.5080504@periapt.co.uk>
References: <20110128123159.GA18561@smp.if.uj.edu.pl> <4D4AE203.9050505@periapt.co.uk> <4D4AEE79.4090705@periapt.co.uk> <4D4B3111.5080504@periapt.co.uk>
Message-ID:

> There is one bug report I think worth forwarding to you:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607739

I agree that this is a bug that should be fixed. I hope to make time to do so in the foreseeable future. Here is my backlog of MaraDNS bugs to fix:

* There is an issue with maradns handling ANY queries that result in a DNS packet larger than 512 bytes in size. MaraDNS does not give a proper "truncated" reply, and it appears the tcp "zoneserver" program can't resolve these names either.

* "make install" does not appear to install Deadwood in MaraDNS 2.0

* Add support for RFC2317-style reverse zone mapping

* Add the hostname and/or domain when a DDIP MX record is seen

I currently do not have a time frame of when I will be able to address these bugs.

- Sam

From strenholme.usenet at gmail.com Sat Feb 5 21:45:47 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Sat, 5 Feb 2011 19:45:47 -0700
Subject: MaraDNS 2.0.02 released
Message-ID:

I have just released MaraDNS 2.0. This has the following updates

* Documentation updates

* Applied Corey's patch that fixes a typo in fetchzone.c

* Applied Yarin's patch that makes the "install.locations" script more flexible

* I have adapted Yarin's patch that makes email addresses like 'john\.doe at example.com' possible in SOA records.
* Fixed an error message that stated we were running MaraDNS 1.2 (not 2.0)

* Updated the copyright statement to have the year 2011

* Deadwood updated to Deadwood 3.0.02

* Fixed security vulnerability CVE-2011-0520

Because of the critical nature of CVE-2011-0520, all users of MaraDNS 2.0 are encouraged to update to 2.0.02 at their soonest convenience.

It can be downloaded here:

http://www.maradns.org/download.html

- Sam

From jefsey at jefsey.com Mon Feb 7 05:04:05 2011
From: jefsey at jefsey.com (jefsey)
Date: Mon, 07 Feb 2011 11:04:05 +0100
Subject: MaraDNS 2.0.02 released
In-Reply-To:
References:
Message-ID: <7.0.1.0.2.20110206231705.061caee0@jefsey.com>

Impressive. Right in time. Thank you !
jfc

At 03:45 06/02/2011, Sam Trenholme wrote:
>I have just released MaraDNS 2.0. This has the following updates
>
>* Documentation updates
>
>* Applied Corey's patch that fixes a typo in fetchzone.c
>
>* Applied Yarin's patch that makes the "install.locations" script
>more flexible
>
>* I have adapted Yarin's patch that makes email addresses like
>'john\.doe at example.com' possible in SOA records.
>
>* Fixed an error message that stated we were running MaraDNS 1.2 (not 2.0)
>
>* Updated the copyright statement to have the year 2011
>
>* Deadwood updated to Deadwood 3.0.02
>
>* Fixed security vulnerability CVE-2011-0520
>
>Because of the critical nature of CVE-2011-0520, all users of MaraDNS
>2.0 are encouraged to update to 2.0.02 at their soonest convenience.
>
>It can be downloaded here:
>
>http://www.maradns.org/download.html
>
>- Sam

From MSands at EPLUS.com Mon Feb 7 09:18:15 2011
From: MSands at EPLUS.com (Mike Sands)
Date: Mon, 7 Feb 2011 09:18:15 -0500
Subject: MaraDNS 2.0.02 released
In-Reply-To: <7.0.1.0.2.20110206231705.061caee0@jefsey.com>
References: <7.0.1.0.2.20110206231705.061caee0@jefsey.com>
Message-ID: <2688766582E16041AFB400DD06CDCB790616BD47EF@EPEXMB02.epgpdom.com>

Is it safe to assume that the issue with deadwood not being installed by the install scripts is also resolved or do we still need to perform that process manually? I didn't see it in the list of changes in the Changelog.

-----Original Message-----
From: list-bounces at maradns.org [mailto:list-bounces at maradns.org] On Behalf Of jefsey
Sent: Monday, February 07, 2011 5:04 AM
To: list at maradns.org; maradns list
Subject: Re: MaraDNS 2.0.02 released

Impressive. Right in time. Thank you !
jfc

At 03:45 06/02/2011, Sam Trenholme wrote:
>I have just released MaraDNS 2.0. This has the following updates
>
>* Documentation updates
>
>* Applied Corey's patch that fixes a typo in fetchzone.c
>
>* Applied Yarin's patch that makes the "install.locations" script
>more flexible
>
>* I have adapted Yarin's patch that makes email addresses like
>'john\.doe at example.com' possible in SOA records.
>
>* Fixed an error message that stated we were running MaraDNS 1.2 (not 2.0)
>
>* Updated the copyright statement to have the year 2011
>
>* Deadwood updated to Deadwood 3.0.02
>
>* Fixed security vulnerability CVE-2011-0520
>
>Because of the critical nature of CVE-2011-0520, all users of MaraDNS
>2.0 are encouraged to update to 2.0.02 at their soonest convenience.
>
>It can be downloaded here:
>
>http://www.maradns.org/download.html
>
>- Sam

From strenholme.usenet at gmail.com Mon Feb 7 10:07:12 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Mon, 7 Feb 2011 08:07:12 -0700
Subject: MaraDNS 2.0.02 released
In-Reply-To: <2688766582E16041AFB400DD06CDCB790616BD47EF@EPEXMB02.epgpdom.com>
References: <7.0.1.0.2.20110206231705.061caee0@jefsey.com> <2688766582E16041AFB400DD06CDCB790616BD47EF@EPEXMB02.epgpdom.com>
Message-ID:

> Is it safe to assume that the issue with deadwood not being installed by
> the install scripts is also resolved

No, I didn't get a chance to fix that. The only fixes I was able to integrate in to MaraDNS 2.0.02 were the security critical one and ones where a patch was submitted (Yarin's two patches and Corey's patch). I wouldn't have released MaraDNS 2.0.02 so soon, but I wanted to get a copy of MaraDNS 2 with the security problem fixed out there.

I am aware of this issue and posted about it over the weekend:

http://woodlane.webconquest.com/pipermail/list/2011-February/000799.html

- Sam

From strenholme.usenet at gmail.com Fri Feb 18 17:49:36 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Fri, 18 Feb 2011 17:49:36 -0500
Subject: All MaraDNS issues resolved
Message-ID:

I finally got some free time this week (yay to vacation time) and have resolved all known MaraDNS issues:

* William Summers pointed out that MaraDNS does not handle ANY queries that fit in 512 bytes. Fixed.

* Nino pointed out that MaraDNS does not allow the RFC2317-compliant slashes in host names. Fixed.

* Mike Sands pointed out that Deadwood does not install. Fixed.

* Debian bug 607739 asked for the hostname to be visible if there is a DDIP MX record. Implemented.

These bugfixes are in the latest MaraDNS snapshot:

http://www.maradns.org/download/2.0/snap/

- Sam
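
A check for the behaviour in the backlog item earlier in this thread (ANY replies larger than 512 bytes that lack a proper "truncated" reply), as an added example that is not MaraDNS code and not part of any message above. It audits one raw UDP reply against the RFC 1035 size limit and TC bit, assuming the query carried no EDNS0 option; the function names and sample packets are constructed for illustration.

```python
import struct

UDP_LIMIT = 512   # RFC 1035 limit for a UDP DNS message when no EDNS0 is negotiated
TC_FLAG = 0x0200  # "truncated" bit in the header flags word


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length


def audit_udp_reply(msg):
    """Flag a UDP reply that is oversize, or cut short without the TC bit set."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, parsed, complete = 12, 0, True
    try:
        for _ in range(qd):
            off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
        if off > len(msg):
            raise ValueError("question section cut off")
        for _ in range(an + ns + ar):                 # counts the header claims
            off = _skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("record header cut off")
            (rdlen,) = struct.unpack("!H", msg[off + 8:off + 10])
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("RDATA cut off")
            parsed += 1
    except ValueError:
        complete = False
    tc = bool(flags & TC_FLAG)
    problems = []
    if len(msg) > UDP_LIMIT:
        problems.append("oversize")
    if not complete and not tc:
        problems.append("cut-without-tc")
    return {"size": len(msg), "tc": tc, "records_parsed": parsed, "problems": problems}


def build_any_reply(n_records, tc=False):
    """Constructed sample: reply to an ANY query for example.com with n TXT records."""
    flags = 0x8400 | (TC_FLAG if tc else 0)           # QR + AA
    header = struct.pack("!6H", 0x1234, flags, 1, n_records, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 255, 1)  # QTYPE=ANY, IN
    rdata = b"\x28" + b"x" * 40                       # one 40-byte character-string
    record = b"\xc0\x0c" + struct.pack("!2HIH", 16, 1, 3600, len(rdata)) + rdata
    return header + question + record * n_records


if __name__ == "__main__":
    samples = {
        "fits in 512": build_any_reply(5),
        "oversize": build_any_reply(10),
        "cut, TC clear": build_any_reply(10)[:512],
        "trimmed, TC set": build_any_reply(9, tc=True),
    }
    for label, packet in samples.items():
        print(label, audit_udp_reply(packet))
```

A reply flagged here is the cue to retry the same query over TCP and compare the record counts.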