T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
1957.1 | | CHEFS::dhcp47.olo.dec.com::hattos | I'm back - as a matter of fact | Fri May 16 1997 08:32 | 12 |
| Well,
Can you tell us what version of UCX (oops, TCP/IP Services) and what ECO
level?
I have recently had a similar zone transfer issue with VMS: not transferring
when configured as secondary, not allowing transfer when primary.
There are a number of notes in the UCX notes conference, none of which really
help, but I think that it is fixed in the latest ECO release of 4.0...
Stuart
|
1957.2 | | STAR::PRYAN | | Tue May 20 1997 17:52 | 25 |
| There is a web page with OpenVMS firewall FAQs on it. The URL is
http://kaler.zko.dec.com; it is accessible internally only. The UCX ECOs that
you need (I don't know what version of the OS or UCX you are running) are:
OpenVMS Alpha V6.2: UCX V4.0 ECO4
OpenVMS Alpha V6.2: UCX V4.1 ECO3
OpenVMS Alpha V7.0, V7.1: UCX V4.0A ECO4
OpenVMS Alpha V7.0, V7.1: UCX V4.1 ECO3
OpenVMS VAX V6.1, V6.2, V7.0, V7.1: UCX V4.0 ECO4
OpenVMS VAX V6.1, V6.2, V7.0, V7.1: UCX V4.1 ECO3
These are all available from the aforementioned web page.
The AltaVista Firewall V1 for OpenVMS does not do zone transfers.
I will be posting additional information and possibly a workaround shortly.
Paul Ryan
OpenVMS Internet Products Group
|
1957.3 | OpenVMS Firewall V1 - zone transfers | STAR::PRYAN | | Fri May 23 1997 12:31 | 44 |
| One possible method for doing zone transfers is with a split DNS (split brain):
1. Run a name server on the bastion host, configured as a secondary for
your domain, i.e. domain_name.com, and also for any in-addr.arpa domains in
which it needs to resolve addresses.
2. Run a primary name server inside the firewall for domain_name.com.
3. Run a name server outside your firewall, configured as a primary master
for your domain; no zone transfer from an internal name server is necessary,
since this version of your zone data isn't the same as the internal version.
This "external" name server will contain only the bare minimum information that
the Internet name server needs.
4. Your ISP or Internet name server will be configured as a secondary name server
for your external primary name server.
A good book on this subject is DNS and BIND by O'Reilly and Associates.
Also, the OpenVMS equivalents of the Unix file names can be found in the
Digital TCP/IP Services for OpenVMS manual, Chapter 5.
Yet another possibility, and I have not tried this, is to configure the
generic proxy that comes with the firewall as a DNS proxy. The Unix group
has done this and we may do this for the next version. If there is enough
interest, this can be researched further. The Unix people have a URL at:
http://sector.gmt.dec.com/firewall/dns/3.html
Some of what it says is:
"The DNS in AFWU V3.0 works totally differently to the normal name server on
Digital UNIX, and you need to understand that, in order to customise it. It is
not possible to "blow the whole thing away" and use a normal hidden DNS
configuration ... I'll try to explain how I understand it works.
There are three relevant processes for DNS on the firewall now. One runs dnsd,
the DNS proxy. The other two run the normal DNS named, but on unusual port
numbers. The first uses /usr/dfws/named.red as its directory, and runs on port
7001; the second uses /usr/dfws/named.blue as its directory, and runs on port
7000."
Paul Ryan
OpenVMS Internet Products Group
|
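The four-step split-brain layout described in 1957.3, written out as BIND 4 `named.boot` files and a minimal external zone. This is an added example, not part of the note or of any Digital product documentation; the host names, the 192.168.1.x internal and 192.0.2.x external addresses, the ISP name server `ns.isp.example` and the Unix paths are all placeholders. On OpenVMS the file names differ (see Chapter 5 of the TCP/IP Services manual, as the note says); the directives are the same.

```text
; ---- (2) internal primary, inside the firewall ----------------------
; Holds the full zone, including hosts the Internet must never see.
directory   /etc/namedb
primary     domain_name.com              db.domain_name
primary     1.168.192.in-addr.arpa       db.192.168.1
primary     0.0.127.in-addr.arpa         db.127.0.0
cache       .                            db.cache

; ---- (1) bastion host: secondary for the internal zones -------------
; Pulls the full zone from the internal primary (192.168.1.10, placeholder)
; so hosts on the bastion resolve internal names without querying inside.
directory   /etc/namedb
secondary   domain_name.com              192.168.1.10   db.domain_name.bak
secondary   1.168.192.in-addr.arpa       192.168.1.10   db.192.168.1.bak
primary     0.0.127.in-addr.arpa         db.127.0.0
cache       .                            db.cache

; ---- (3) external primary, outside the firewall ---------------------
; A separate, hand-maintained copy of the zone. No transfer from inside:
; its content is deliberately different from the internal zone.
directory   /etc/namedb
primary     domain_name.com              db.domain_name.ext
primary     0.0.127.in-addr.arpa         db.127.0.0
cache       .                            db.cache

; ---- db.domain_name.ext: the bare-minimum public view -----------------
; Only the names the Internet needs (public name server, mail relay, web).
; Internal hosts, printers, workstations etc. are simply absent.
@       IN  SOA  ns.domain_name.com. hostmaster.domain_name.com. (
                 1997052301  ; serial, bumped by hand on each edit
                 10800       ; refresh
                 3600        ; retry
                 604800      ; expire
                 86400 )     ; minimum TTL
        IN  NS   ns.domain_name.com.
        IN  NS   ns.isp.example.          ; ISP secondary, step (4)
        IN  MX   10 mail.domain_name.com.
ns      IN  A    192.0.2.2
mail    IN  A    192.0.2.3
www     IN  A    192.0.2.4

; ---- (4) ISP / Internet secondary -----------------------------------
; The ISP pulls only the external zone, from the external primary.
secondary   domain_name.com              192.0.2.2      db.domain_name.bak
```

The security property comes from step 3: because the external primary is authored separately rather than transferred from inside, an attacker who can AXFR the public zone learns nothing about the internal namespace, and the firewall never has to pass zone transfers from the inside out. The price is that the two zone files are maintained by hand and the external serial number must be bumped on every edit or the ISP secondary will not refresh.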
1957.4 | OpenVMS zone transfers - secure_zone | STAR::PRYAN | | Fri May 23 1997 15:41 | 8 |
| In reference to note 1957.1:
I think what you are looking for is a UCX ECO that contains BIND version 4.9.3,
which allows secure_zone. I will look into it. Probably won't know till Tuesday
5/27.
Paul Ryan
OpenVMS Internet Products Group
|
1957.5 | | WOTVAX::dhcp57.olo.dec.com::hattos | I'm back - as a matter of fact | Wed May 28 1997 08:31 | 7 |
| Paul,
That would be appreciated, as I am supposed to go back to site to fix it this
week.
Many thanks,
Stuart
|
1957.6 | | STAR::PRYAN | | Wed May 28 1997 10:33 | 18 |
| Today, 5/28, I heard back from the UCX group about the version of BIND.
First pass at an answer:
current UCX is based on a version before 4.9.3, but it was an enhanced version,
so maybe something is in there. The current version, to be out with UCX 6.0
(or whatever it will be called), is being ported from 4.9.3. Ben is
going to check for details, so by tomorrow or Friday I should be able
to send a few more details, but it doesn't sound good for current versions
(through the upcoming 4.2).
If this version does not allow for secure_zone then you still have the options
of "split-brain" or possibly reconfiguring the generic proxy as a DNS proxy.
I will look into the latter (DNS proxy) and see what the Unix group did and
how much work it will take to create a DNS proxy.
Paul Ryan
OpenVMS Internet Products Group
|
1957.7 | UCX 4.1 and 4.2 does not have BIND 4.9.3 | STAR::PRYAN | | Wed May 28 1997 11:26 | 7 |
| I received a reply from the UCX group.
Results are in: code for UCX 4.1 and 4.2 does not have that option.
Can't do secure_zone.
This leaves split brain or DNS proxy.
|
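For reference, the BIND 4.9.3 directives that 1957.4 and 1957.7 are about, so a reader can see exactly what the UCX 4.1/4.2 BIND cannot be configured to do. This is an added example, not from the note; the 10.1.0.0/16 internal network is a placeholder, and the syntax is the Unix BIND 4.9.3 form (an OpenVMS equivalent is not assumed here).

```text
; ---- named.boot (BIND 4.9.3): limit who may pull the zone by AXFR -------
; Without this, any host that can reach port 53/tcp can list the whole zone.
; address&netmask pairs; 127.0.0.1 lets local tools such as dig/nslookup
; still do a transfer for troubleshooting.
xfrnets     10.1.0.0&255.255.0.0   127.0.0.1

; ---- db.domain_name (BIND 4.9.3): limit who may query the zone at all ---
; secure_zone is a TXT RR at the zone apex, read by named, never answered
; to clients. "addr:mask" admits a network; "addr:H" admits one host.
; A query for any name in this zone from elsewhere gets REFUSED.
secure_zone     IN  TXT  "10.1.0.0:255.255.0.0"
secure_zone     IN  TXT  "127.0.0.1:H"
```

The distinction matters for the problem in this thread: `xfrnets` is the control over zone transfers, while `secure_zone` restricts ordinary queries as well, which is what lets a single server hold internal data without leaking it. With neither available in UCX 4.1/4.2, the only way to keep internal names off the Internet is to not put them on an Internet-reachable server at all, which is the split-brain arrangement in 1957.3.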
1957.8 | screend now an option | STAR::PRYAN | | Thu May 29 1997 11:56 | 8 |
| I just learned that we have an implementation of screend.
It has NOT been field tested and there is no documentation.
If someone wants to be a beta site then we might be able to release it.
Anyone interested?
Paul Ryan
OpenVMS Internet Products Group
|