RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro
It doesn't. The systemd script either succeeds or fails. Any script that is dependent on it succeeding won't start. Again it is a change. In init you'd see a start had failed (or was hung). In systemd it simply sends the instruction to start everything that is supposed to start. The upside of this approach is that the rest of your startup succeeds as it runs asynchronously unless you've included a dependency for the thing that failed. It also means a hung script doesn't stop your boot in its tracks like it did in init. You can log in and troubleshoot things. The downside is you don't get the pretty display showing OK or FAILED for each script during boot because boot completing is NOT dependent on ALL scripts succeeding. If it is important to you that certain things be up you need to set up monitoring. We do that with Nagios here.

-----Original Message-----
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Wednesday, March 23, 2016 9:52 AM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

Lightner, Jeff <jlight...@dsservices.com> wrote:
>
> With systemd the methodology isn't that BIND notifies other things
> that it is up. It is that other things, if dependent upon BIND, have
> in their systemd files a requirement that BIND be up before they start.

Yes, but how does systemd know when BIND is up? (The Red Hat and five-ten-sg RPMs don't seem to have an answer.)

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Dogger, Fisher, German Bight, Humber: Northwest backing southwest 3 or 4, increasing 5 at times. Slight, occasionally moderate. Fog patches, rain at times. Moderate or good, occasionally very poor.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro
Since there are BIND packages (9.9.4) for RHEL7/CentOS7 available from default repositories you could download those packages and extract the systemd files from them and examine what they've done.

With systemd the methodology isn't that BIND notifies other things that it is up. It is that other things, if dependent upon BIND, have in their systemd files a requirement that BIND be up before they start. That is different than Sys V init in which things started one after the other. The idea is a systemd boot is much faster as it doesn't make things wait because of order but rather only where there are dependencies.

Also as an FYI Carl Byington regularly posts new builds he has done of BIND updates for RHEL/CentOS. The most recent email he sent was for BIND 9.10 and has a link to: http://www.five-ten-sg.com/mapper/bind

I haven't used that myself but it probably also contains systemd examples you could extract.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Tony Finch
Sent: Wednesday, March 23, 2016 8:36 AM
To: Reindl Harald
Cc: bind-users@lists.isc.org
Subject: Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

Reindl Harald wrote:
>
> > The problem that I alluded to above is that if you have services
> > that depend on the DNS, there should be a mechanism for the DNS
> > server to say when it is ready and that it's OK to start services
> > that need DNS. I don't know the right way to specify that to
> > systemd: maybe it needs a socket unit file as well?
>
> or just don't use "-f" and Type=forking
>
> https://www.freedesktop.org/software/systemd/man/systemd.service.html
>
> If set to forking, it is expected that the process configured with
> ExecStart= will call fork() as part of its start-up. The parent
> process is expected to exit when start-up is complete and all communication
> channels are set up.

BIND does not do that - it forks too early. It's a bit tiresome.

    log_daemon_msg "Starting name server" "BIND"
    start-stop-daemon --start --oknodo --pidfile $PIDFILE \
        --name named --user named --group named \
        --startas $TOP/bin/named \
        -- -t $TOP -u named -c /etc/named.conf
    i=$(( $? ? 100 : 0 ))
    while [ $i -lt 100 ] && ! rndc status >/dev/null 2>&1
    do
        sleep 0.1
        i=$((i+1))
    done
    chmod g+r $RUN/session.key
    rndc status >/dev/null 2>&1
    log_end_msg $?

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Fair Isle, Faeroes: South or southwest 5 or 6, occasionally 7 later. Moderate or rough, occasionally very rough. Rain or showers. Moderate or good, occasionally poor.
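The readiness question in this thread (how does the init system know named is actually answering, given that named forks before it is ready) is what the polling loop in Tony's script addresses: it retries `rndc status` up to 100 times at 0.1 s intervals and only then reports success or failure. The following is an added Python example of that bounded-poll pattern, not code from the script or from any BIND package; the `rndc_status_ok` helper and the fake check are assumptions made here so the logic can be exercised without a running named. Under systemd the same poll could be run as an `ExecStartPost=` step, since a unit is not considered started until that step completes.

```python
"""Bounded readiness poll of the kind Tony Finch's init script does with
`rndc status`. Added example; not the script's own code."""
import subprocess
import time
from typing import Callable


def wait_until_ready(check: Callable[[], bool], start_ok: bool = True,
                     max_tries: int = 100, interval: float = 0.1,
                     sleep: Callable[[float], None] = time.sleep) -> bool:
    """Mirror the script's logic: if the daemon failed to start at all, don't
    bother polling; otherwise retry check() up to max_tries times, interval
    seconds apart. Returns True only once the service actually answers."""
    if not start_ok:          # the script's  i=$(( $? ? 100 : 0 ))
        return False
    for _ in range(max_tries):
        if check():
            return True
        sleep(interval)
    return False


def rndc_status_ok(rndc: str = "rndc") -> bool:
    """Real check (assumed helper): `rndc status` exits 0 once named accepts
    control-channel commands, which is later than the fork the thread complains about."""
    try:
        return subprocess.run([rndc, "status"], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    except FileNotFoundError:
        return False


def make_fake_check(ready_after: int) -> Callable[[], bool]:
    """Constructed stand-in for rndc: fails `ready_after` times, then succeeds."""
    state = {"calls": 0}

    def check() -> bool:
        state["calls"] += 1
        return state["calls"] > ready_after
    return check


if __name__ == "__main__":
    # Real use (assumes rndc is installed and named is being started elsewhere).
    print("ready" if wait_until_ready(rndc_status_ok) else "named did not come up")
```

Injecting `sleep` keeps the poll testable without waiting; in production the defaults reproduce the script's 100 tries of 0.1 s, and a `False` result is what the caller should turn into a failed unit rather than silently letting dependants start.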
RE: about NS server authorize
As others said this isn't really a BIND issue.

EPP key is what some Registrars call the authorization code for domain registration transfers. Did you recently attempt to transfer this zone from one Registrar to another? Did you get confirmation that the transfer (not just the request for transfer) completed? Before you requested the transfer did you unlock the domain? If you don't unlock before transferring many Registrars will not only refuse the transfer but will block new transfer attempts for 30 days.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of /dev/rob0
Sent: Monday, March 21, 2016 9:59 AM
To: bind-users@lists.isc.org
Subject: Re: about NS server authorize

On Mon, Mar 21, 2016 at 07:44:51PM +0800, supp...@cloudwebdns.com wrote:
> Hi,
>
> ns5.cloudwebdns.com
> ns6.cloudwebdns.com
>
> For these two nameservers (they are the native BIND 9), we can use
> them to resolve the other domains like .com/.net/.org/.info etc.
>
> But when we try to setup a .me domain to be resolved by them, from the
> registrar's control panel, it gets failed, saying name server not
> authorized.
>
> This is may be something wrong around EPP and host object.

I don't know what this means. It is not a BIND question in any case.

> Can you help setup the host object with these two nameservers into
> .me's registry?

No, Matus was right. It sounds like you need to go to the .me registry for support. If they have not "authorized" your servers to be authoritative for .me zones, only they can help you.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
RE: PCS, Corosync, Pacemaker, and Bind
You might want to try "ip a" vs ifconfig. RHEL7 uses Network Manager and in the past I've found some things don't show up in ifconfig output when doing alias/virtual interfaces.

Usually even when other products (e.g. Oracle RAC/GRID) create virtual interfaces they still show up as valid interfaces at host level. I've not tried PCS/Corosync.

You might also look at arp output to see if it shows any traffic on a specific MAC.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Phil Mayers
Sent: Wednesday, March 16, 2016 5:14 AM
To: bind-users@lists.isc.org
Subject: Re: PCS, Corosync, Pacemaker, and Bind

On 15/03/16 23:06, Mike Bernhardt wrote:
> So, I'm hoping that either
> 1) There is a way to tell BIND to use an IP address that is not on an
> interface, or

I don't think there is. I can think of all kinds of horrible workarounds - iptables SNAT, shell script doing a config-change & rndc reconfig on pcs failover. But in general I'd agree with what Tony Finch said - give some thought to why you're caring about these source IPs.

TBH having used pcs/corosync I'm really curious what your use-case is. It seems massive overkill for having highly-available DNS.
RE: Bind9 on VMWare
We chose to do BIND on physical for our externally authoritative servers. We use Windows DNS for internal.

One thing you should do if you're doing virtual is be sure you don't have your guests running on the same node of a cluster. If that node fails your DNS is going down. Ideally if you have multiple VMWare clusters you'd put your guests on separate clusters.
RE: Cloud DNS providers for secondary DNS
The OP mentioned notifying Registrars. He'll also need to notify whoever his ISP is if he has arpa zones for reverse lookups and they are delegating to his name servers.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John Levine
Sent: Tuesday, December 29, 2015 9:40 PM
To: bind-users@lists.isc.org
Subject: Re: Cloud DNS providers for secondary DNS

> On 30.12.2015 at 03:12, Luis Daniel Lucio Quiroz wrote:
>> You could use dyndns for that, but it is not free.
>
> do they provide anycast?

Yes, of course. Dyn is one of the largest DNS providers in the world. Their basic secondary service is $40/yr.

R's,
John
RE: Why two lookups for a CNAME?
Because the purpose of DNS primarily is to equate a name with an IP as applications talk to IPs not to names. When you have a CNAME you're equating one name with another name. That other name then has to be looked up so the application knows what IP to access.

This saves time if you have multiple CNAMEs to the same A record in that when you update DNS you only have to update that one A record. You don't have to use CNAMEs to go to the same IP - you could make each record an A record pointing to the same IP. You'd then have to be sure you updated all the A records using that IP if you decided to change it to something else later (e.g. if you changed ISPs).

Obviously there is a small performance cost in CNAMEs which is why you don't want to have a CNAME to another CNAME because that results in 3 lookups. For most applications the single CNAME isn't an issue but on occasion it is so you go the A record route instead.

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Steve Arntzen
Sent: Wednesday, October 21, 2015 4:33 PM
To: bind-users
Subject: Why two lookups for a CNAME?

I'm sure there's a good, simple reason for this, I just can't seem to find the answer searching on the Internet.

Why does named perform a lookup for the A record when its IP is returned with the CNAME in the first answer?

Using dig, I find play.google.com is a CNAME for play.l.google.com. When asked to resolve it, named will first look for play.google.com. The result will include the CNAME and the IP of the A record. Named then makes a second request to resolve the A record.

Thanks in advance,
Steve.
RE: init script
Which Linux or UNIX distribution and version are you using? As Omer suggests most of them include a bind package with prebuilt init scripts - you can download the BIND package then extract the init scripts from it. (deb is for Debian derived Linux distros, rpm for Redhat derived distros - might be a different package setup for UNIX or other Linux distros)

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Omer Faruk SEN
Sent: Tuesday, September 29, 2015 9:25 AM
To: Leandro
Cc: bind-users@lists.isc.org
Subject: Re: init script

Use rpm or deb packages that have perfect init scripts in it

Sent via mobile device, excuse typos.

On 29 Sep 2015 at 16:07, Leandro wrote:
> Hy guys, about init script to control de bind daemon; After
> successfully build bind 9.10, Im doing:
> "bind -c /etc/named.conf -u bind" to start the service.
> and
> "killalll bind" to stop it.
> Now I would like to set an init script so I can set it to start on boot and
> use the "service named start/stop/status" fashion command.
> Where can I get the init script for bind 9.10 ?
>
> Regards,
> Leandro.
RE: Multiple A and PTR and the "main" ones?
Actually some mail servers DO check not only that a PTR exists but also that it is not "generic". Every once in a while we get someone complaining because one of the big sites (Ebay?) refuses to accept their email due to the "generic" (as defined by that site's policies) nature of our PTR. We typically ignore that because we've never seen this complaint from other mail servers and no one has ever provided a business use for the one site that is complaining.

Other than that I've never seen any complaint about what the actual PTR is so I can't imagine why you'd need more than one for the same IP. Just pick the one that helps identify you for anyone that cares to look at IPs vs names.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald
Sent: Friday, September 11, 2015 8:50 AM
To: bind-users@lists.isc.org
Subject: Re: Multiple A and PTR and the "main" ones?

On 11.09.2015 at 14:42, Marek Kozlowski wrote:
> On 09/11/2015 02:36 PM, Reindl Harald wrote:
>> STAY ON LIST - the last time i had enough of repeating that a answer
>> on a public ML is not a invitation for private support i got
>> moderated...
>
> Oups! Sorry! :-( Sorry! Sorry!
>
> I'm sending this with the whole "history" of our conversation.
>
>> it is my opinion backed by dealing with DNS and email for many years
>> facing all problems left and right we never had because the strict
>> policy here that one IP has only one PTR
>>
>> what "official bad practice" do you need when you can see the
>> problems otherwise would not be possible at your own?
>
> In the sense: "`best current practice' says something opposite".
> BTW: Are we talking on multiple PTRs for mail servers only or multiple
> PTRs in general?

well, in fact mailservers because for other services PTR's are not that important or verified at all - if they are not verified why bother about it?

but what would you gain by having multiple PTR records at all for whatever server?

that's in fact the only relevant question
RE: How to properly update chroot-bind
Since the OP says he's not in Production yet I'd strongly advise moving on to CentOS 7 for multiple reasons. It has a new base version of BIND and also has a 3.x kernel. However, there is a learning curve because it also uses systemd rather than Sys V init. The way bind-chroot runs on RHEL7 is significantly different than it was on RHEL6. (As noted CentOS versions are compiled from RHEL sources of the same versions.)

As noted previously on this list the version of BIND you get with each major RHEL release (RHEL5, RHEL6, RHEL7) changes but the base version of BIND never gets updated to later BIND versions within each of these releases. Instead RedHat backports security and some enhancements into the base they started with and adds their own extended versioning. This is true of CentOS because of its derivation.

There is someone on this list that does compile newer versions of BIND for RHEL so if you search the archive you can find newer versions than are shipped by RHEL/CentOS. Also CentOS does have extended repositories beyond those RHEL has so you may find something newer there.

CentOS by the way is not supported so if you're using CentOS vs RHEL worrying about supported shouldn't be an issue for you. (RHEL is supported if you pay for the subscriptions.)

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
Sent: Tuesday, July 28, 2015 7:58 AM
To: bind-users@lists.isc.org
Subject: Re: How to properly update chroot-bind

> On 28.07.2015 at 10:56, Matus UHLAR - fantomas wrote:
>>> but you *never ever* should only update specific packages on a RHEL/CentOS
>>> system because that is *not supported and tested* at all
>>
>> No? What are dependencies for, then? Or don't yum/RPM support them in the
>> way debian does?
>> (that is why it's quite easy to have mixed Debian... we have machine with
>> mix of debian 5,6,7 and even 8... not that It's good idea)

On 28.07.15 11:22, Reindl Harald wrote:
> CentOS is a RHEL clone except that there are no updates for older point
> releases
>
> it was multiple times stated by the maintainers on the mailing list that
> you have to apply *all* errata updates nothing else is supported
>
> it's not a matter of dependencies, it's just a matter of what combinations
> of packages are tested for regressions and the fact that there are no
> updates for RHEL without a good reason
>
> how does dependencies help when there was a critical bug fixed in package A
> which may hit your updated version of package B because the combination of
> that versions never was tested
>
> feel free to ignore that but you are at your own if things behave
> unexpected when the developers say just only use 'yum upgrade' which
> applies also for minor releases, when CentOS 6.7 is out there will be no
> single update for CentOS 6.6 packages and hence yum upgrade brings you to
> CentOS 6.7 in a few weeks which is from that moment on the only supported
> CentOS 6.x

yes, this is a good explanation, I believe for the OP too.

not supported can of course mean working without problems, however I agree there's no point in only updating BIND itself.

Still, the OP can stick with provided BIND 9.8 that is in CentOS6, update to CentOS 7 or compile his own BIND version (and provide support for themselves)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
RE: stumped on sub domain addition
Your A record is working on a dig +trace and also working when I do dig @ns10.euca.us and dig @ns11.euca.us. This suggests the record (or nxrecord) is cached somewhere for normal lookups and will likely be OK after that cache expires.

Record returned:
onqsolutions.euca.us. 21600 IN A 209.236.238.19

In your SOA you have (in addition to the rest of the record):
2015072342 ; Serial

That suggests you updated the record today (07/23) and it automatically updated the serial number when you did it.

Jeffrey C. Lightner
Sr. UNIX/Linux Administrator
DS Services of America, Inc.
2300 Windy Ridge Pkwy Suite 600 N
Atlanta, GA 30339-8461
P: 678-486-3516 C: 678-772-0018 F: 678-460-3603
E: jlight...@dsservices.com

-----Original Message-----
From: lists - euca [mailto:li...@euca.us]
Sent: Thursday, July 23, 2015 2:23 PM
To: Lightner, Jeff
Cc: Bind Users Mailing List
Subject: Re: stumped on sub domain addition

Thanks for the responses.

On Jul 23, 2015, at 12:37 PM, Lightner, Jeff <jlight...@dsservices.com> wrote:
> Did you change the sequence/serial in the SOA and reload the zone?

No, I am using 'smbind' to administer bind, and it appears to not let me do that. I don't know if it does an 'auto reload' or not, but I've never had a problem with the 500+ domains that are on it as of yet, so I'm guessing it does.

> Doing dig tests for euca.us I get its A record and for www.euca.us I get its CNAME. That suggests you didn't setup onqsolutions record properly. Looking at your www CNAME in your zone file might let you know how to setup the one for onqsolutions. Don't forget to put the dot at end of CNAME record like you see for WWW.
>
> Jeffrey C. Lightner
> [snip]
>
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John Miller
> Sent: Thursday, July 23, 2015 1:17 PM
> Cc: Bind Users Mailing List
> Subject: Re: stumped on sub domain addition
>
> Hi Donovan,
>
> Your zone file(s) as well as your named.conf config would be best here.
> We really need more information from you than a single fqdn.

Here is the file that smbind created (note that I have been making some changes):

$TTL 21600
@ IN SOA ns10.euca.us. hostmaster.euca.us. (
        2015072342 ; Serial
        10800      ; Refresh
        7200       ; Retry
        604800     ; Expire
        21600 )    ; Negative Cache TTL
;
@            IN NS    ns10.euca.us.
@            IN NS    ns11.euca.us.
@            IN A     209.236.238.19
@            IN MX 10 mail.euca.us.
design       IN CNAME @
dev          IN CNAME @
elatia       IN A     209.236.238.19
ftp          IN A     209.236.238.19
mail         IN A     209.236.238.18
mail2        IN A     209.236.238.18
ns10         IN A     209.236.238.21
ns11         IN A     209.236.238.22
onqsolutions IN A     209.236.238.19
www          IN CNAME @
www-tek      IN CNAME @

> John
> --
> John Miller
RE: com.google how did they do that
Not all the new TLDs are company specific. Some are more generic but useful to certain industries. There are 2 or 3 TLDs that I assume will appear sooner or later and I really wish I had the capital to make them as I know as soon as they are available many companies will use them so they'd become nice revenue streams.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mike Hoskins (michoski)
Sent: Wednesday, April 01, 2015 6:43 PM
To: Reindl Harald; bind-users@lists.isc.org
Subject: Re: com.google how did they do that

-----Original Message-----
From: Reindl Harald <h.rei...@thelounge.net>
Organization: the lounge interactive design
Date: Wednesday, April 1, 2015 at 2:44 PM
To: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: Re: com.google how did they do that

> On 01.04.2015 at 20:42, Thomas Schulz wrote:
>> As of the time I am sending this, you can point your browser to
>> http://com.google and get a web page. How did they get com.google to resolve?
>
> .google is just another new TLD

Wow. I see the trend now -- .hp, .ibm, .cisco -- everyone will now have www.company. (Please, let's not.)

..then again, I'd claim .evil if I had a few billions.
RE: subdomain with domain
You can do subdomains with the one zone file rather than having separate zones; you just have to put a new ORIGIN for the subdomain.

In the domain file for domain after the SOA and existing records (NS, A, CNAME etc...) add a line:

$ORIGIN _msdcs.domain.    ; New subdomain

Then add the records (A, CNAME, SRV etc...) that you want for that subdomain. (You don't need to add SOA, NS etc... unless they're different for the subdomain)

Jeffrey C. Lightner
Sr. UNIX Administrator
DS Services of America, Inc.
2300 Windy Ridge Suite 600 N
Atlanta, GA 30339
P: 770-933-1400 ext.3516 C: 678-772-0018 F: 678-460-3603
E: jlight...@dsservices.com

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Graham Clinch
Sent: Wednesday, April 01, 2015 11:56 AM
To: Jeff Sadowski; bind-users@lists.isc.org
Subject: Re: subdomain with domain

> zone _msdcs.domain {
> [..]
> file data/db.192.168.1.2.slave;
> };
>
> zone domain {
> [..]
> file data/db.192.168.1.2.slave;
> };

Both zones are being backed by the same file, so one will be overwriting the other. This may not be the cause of the half-working situation, but it won't be helping. Do the bind logs (not sure where Fedora puts them though - /var/log/messages?) contain any errors?

Unless domain is really '192.168.1.2', I would suggest naming your file after the zone that it is going to contain - e.g. file data/db._msdcs.domain; and file data/db.domain;

Graham
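Three threads above turn on how a zone file is read: the CNAME thread (why a CNAME costs an extra lookup, and a CNAME to a CNAME a third), the euca.us thread (the SOA serial, and "don't forget the dot at the end of the CNAME"), and this one (`$ORIGIN` switching the origin for a subdomain inside the same file). The following is an added Python example, not smbind's, BIND's or any poster's code, of a small zone-file reader that applies `$TTL`, `$ORIGIN`, `@` and relative-name rules, joins the multi-line SOA, follows CNAME chains counting lookups, and flags targets that look like a forgotten trailing dot. The zone text is reflowed from the file posted in the euca.us thread with three constructed lines (`alias`, `bad`, and the `$ORIGIN _msdcs.euca.us.` block) added to exercise those checks; `dc1.euca.us.` is a made-up target.

```python
"""Small zone-file reader: $TTL/$ORIGIN, '@' and relative names, multi-line SOA,
CNAME chains. Added example, not smbind's or BIND's code."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

NAME_TYPES = {"CNAME", "NS", "PTR", "MX", "SRV"}  # last rdata token is a domain name


@dataclass
class Record:
    name: str         # fully qualified owner, trailing dot
    ttl: Optional[int]
    rtype: str
    rdata: str        # trailing name (if any) fully qualified
    raw_target: str   # last rdata token exactly as written in the file


def qualify(name: str, origin: str) -> str:
    """'@' is the origin; a trailing dot is absolute; anything else gets origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text: str) -> Iterator[str]:
    """Drop ';' comments and join parenthesised continuations such as the SOA."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0
            if joined.strip():
                yield joined


def parse_zone(text: str, origin: str) -> List[Record]:
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, last_owner, records = None, None, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":            # later records are relative to the new origin
            origin = qualify(tokens[1], origin)
            continue
        if line[0].isspace():                 # blank owner column repeats the previous owner
            owner = last_owner
        else:
            owner = qualify(tokens.pop(0), origin)
        if owner is None:
            raise ValueError(f"record without owner: {line.strip()!r}")
        last_owner = owner
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        raw_target = tokens[-1]
        if rtype in NAME_TYPES:
            tokens[-1] = qualify(tokens[-1], origin)
        records.append(Record(owner, ttl, rtype, " ".join(tokens), raw_target))
    return records


def lookup(records: List[Record], name: str, rtype: str) -> List[str]:
    return [r.rdata for r in records if r.name == name and r.rtype == rtype]


def soa_serial(records: List[Record]) -> int:
    """SOA rdata is MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    return int(next(r for r in records if r.rtype == "SOA").rdata.split()[2])


def likely_missing_dot(records: List[Record]) -> List[Tuple[str, str]]:
    """A relative target that already contains a dot is almost always a forgotten
    trailing dot: 'host.example.com' silently became 'host.example.com.<origin>'."""
    return [(r.name, r.rdata.split()[-1]) for r in records
            if r.rtype in NAME_TYPES and "." in r.raw_target and not r.raw_target.endswith(".")]


def resolve_a(records: List[Record], name: str, max_chain: int = 8) -> Tuple[List[str], int]:
    """Follow CNAMEs as a resolver must; the second value is how many lookups it took."""
    lookups, seen = 0, set()
    while True:
        lookups += 1
        addrs = lookup(records, name, "A")
        targets = lookup(records, name, "CNAME")
        if addrs or not targets or name in seen or lookups >= max_chain:
            return addrs, lookups
        seen.add(name)
        name = targets[0]


# Reflowed from the zone file posted in the thread, plus constructed lines
# (alias, bad, and the $ORIGIN block) to exercise the checks above.
ZONE_TEXT = """\
$TTL 21600
@ IN SOA ns10.euca.us. hostmaster.euca.us. (
        2015072342 ; Serial
        10800      ; Refresh
        7200       ; Retry
        604800     ; Expire
        21600 )    ; Negative Cache TTL
@            IN NS    ns10.euca.us.
@            IN NS    ns11.euca.us.
@            IN A     209.236.238.19
@            IN MX 10 mail.euca.us.
mail         IN A     209.236.238.18
ns10         IN A     209.236.238.21
ns11         IN A     209.236.238.22
onqsolutions IN A     209.236.238.19
www          IN CNAME @
alias        IN CNAME www                  ; constructed: CNAME to a CNAME
bad          IN CNAME onqsolutions.euca.us ; constructed: trailing dot forgotten
$ORIGIN _msdcs.euca.us.
_ldap._tcp   IN SRV   0 100 389 dc1.euca.us. ; constructed subdomain record
"""

if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT, "euca.us.")
    print(soa_serial(zone), resolve_a(zone, "alias.euca.us."), likely_missing_dot(zone))
```

Running it shows `www` costing two lookups and `alias` three, which is the cost the CNAME thread describes, and `bad` resolving to nothing because its target became `onqsolutions.euca.us.euca.us.`; the `_ldap._tcp` record lands under `_msdcs.euca.us.` without a second zone, as this post advises.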
Recall: subdomain with domain
Lightner, Jeff would like to recall the message, subdomain with domain.
RE: Single slave zone definition for two view (cache file name problem)
It isn't really that hard to maintain two separate zone files for each domain. We've been doing it for years.

It isn't really clear why you're using views if all your zone files are the same as you seem to imply. Here we do views specifically because for some domains the zone files DO need to be different between internal and external views. While others are the same as I noted before it is very easy to simply edit one file then copy it to the other.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Konstantin Stefanov
Sent: Wednesday, March 18, 2015 6:31 AM
To: bind-users@lists.isc.org
Subject: Re: Single slave zone definition for two view (cache file name problem)

On 18.03.2015 13:22, Matus UHLAR - fantomas wrote:
>> On 18.03.15 12:05, Constantin Stefanov wrote:
>>> I can't. It stopped working after upgrade to 9.10, but worked before
>>> with 9.6. And the question is how to keep the config as simple as it was
>>> before upgrade.
>
> I mean, the in-view definitions...
>
>> On 18.03.15 13:10, Konstantin Stefanov wrote:
>>> So now I have to have two definitions for every slave zone in different
>>> files. Well, it is the thing I did, but I do not like it. Requirement to
>>> have 2 synced definitions in 2 different places leads to bugs.
>
> and what did you have before? multiple definitions of the same zones with
> the same filenames, which leads to bugs (although you were lucky not to
> encounter them)

Yes, I was lucky and everything worked for me as I thought it had to be.

> now you can have:
> definitions of zones with filename in one general view file with definitions of zones with in-view.
> multiple inclusions of the file in multiple views.

And now I am unlucky as I have to make my config more complex, confusing and bug-prone to achieve the same effect. But I'm lucky enough to have three options to choose how to spoil my config.

> the only other way is stop using views...
> ... you still can stop using views.

And I can still stop using DNS.

If I only could stop using views, I would not ask the question.

--
Konstantin Stefanov,
Research Computing Center
M.V Lomonosov Moscow State University
RE: Single slave zone definition for two view (cache file name problem)
4.x would be quite ancient. Where are you getting those version numbers? You should be using 9.x these days so I suspect the BIND version isn't what you think it is. Is it possible the version you're reporting is your OS rather than your BIND? What is reported when you run named -v?

Anyway what we do in our views is simply name the internal zone files the same as external and prepend internal- to the name. e.g.

myzone.com = external zone file
internal-myzone.com = internal zone file

If they're the same you can simply copy from one to the other. Sometimes they are not the same which is why you have views in the first place.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Constantin Stefanov
Sent: Tuesday, March 17, 2015 10:37 AM
To: bind-users@lists.isc.org
Subject: Single slave zone definition for two view (cache file name problem)

Hello.

After upgrading from BIND 4.6 to 4.10.2, named requires that different slave zones have separate files for cache. With 4.6 I had the following config:

named.conf:

view internal {
    match /* match condition */;
    include common.zones;
};
view external {
    match /* match condition */;
    include common.zones;
};

common.zones:

zone aaa.example.org {
    type slave;
    file slave/aaa.example.org;
    masters { MASTERIP; };
};

It worked fine with 4.6 (although it was considered incorrect). After upgrade to 4.10 named started complaining:

common.zones:3: writeable file 'slave/aaa.example.org': already in use: common.zones:3

As I understand, now I need to have separate files for different views. But is there a way to have them automatically assigned and to write something like:

file slave/aaa.example.org.${view_name}

or any other way to have only one definition for common zones? I found the 'in-view' option, but again it requires two definitions for every zone: one with file and masters directives, and another with the in-view option.

Moreover, these two definitions must be in different files, as I have to include one in the first view, and another (with 'in-view') in all other views, so I have to keep two separate files synced with one another.

So is it possible to have only one definition for slave zones that are shared between different views?

--
Konstantin Stefanov, Research Computing Center
M.V Lomonosov Moscow State University

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
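The practical answer to the "${view_name}" question in the post above is to generate the per-view include files from one master list instead of hand-maintaining two. The script below is an added example, not code from the thread or from ISC: it writes one zones file per view in which every shared slave zone gets its own cache file (slave/ZONE.VIEW), and then checks that no cache path is claimed twice, which is exactly the condition behind the "writeable file ... already in use" error. The zone names, the primary address (192.0.2.1, a documentation-range placeholder) and the output directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: generate one slave-zone include file
# per view from a single list of shared zones, so each view gets its own
# writable cache file without two hand-synced definitions.
# Zone names, primary address and output directory are placeholders.

SHARED_ZONES="aaa.example.org bbb.example.org"   # constructed sample list
MASTERS="192.0.2.1"                               # placeholder primary address

# emit_view_zones VIEW
# Print the zone statements for VIEW. The cache file name carries the view
# name, which is the ${view_name} substitution the poster asked for.
emit_view_zones() {
    view=$1
    for z in $SHARED_ZONES; do
        printf 'zone "%s" {\n' "$z"
        printf '    type slave;\n'
        printf '    file "slave/%s.%s";\n' "$z" "$view"
        printf '    masters { %s; };\n' "$MASTERS"
        printf '};\n'
    done
}

# write_view_files DIR VIEW...
# Write DIR/<view>.zones for every view named; echo how many were written.
# named.conf then includes the matching file inside each view block, e.g.
#   view internal { match-clients { ... }; include "DIR/internal.zones"; };
write_view_files() {
    dir=$1; shift
    n=0
    for v in "$@"; do
        emit_view_zones "$v" > "$dir/$v.zones"
        n=$((n + 1))
    done
    echo "$n"
}

# cache_file_conflicts DIR
# Count cache file paths used by more than one zone statement across all
# generated includes. Anything but 0 would reproduce the
# "writeable file ... already in use" error named logs at load time.
cache_file_conflicts() {
    cat "$1"/*.zones | sed -n 's/^ *file "\(.*\)";$/\1/p' | sort | uniq -d | wc -l | tr -d ' '
}

# Stand-alone run: generate includes for two views and report.
OUTDIR=$(mktemp -d)
echo "wrote $(write_view_files "$OUTDIR" internal external) include files under $OUTDIR"
echo "conflicting cache files: $(cache_file_conflicts "$OUTDIR")"
```

Regenerate the includes whenever the shared list changes and run named-checkconf before reloading; the generated files are the only place the zone statements live, so the two views can never drift apart.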
RE: Config large tuning and out of memory
CentOS 5.x does have a 64 bit version. 5.2 is quite old - they're up to 5.10 or 5.11 these days. I don't think you can just change from 32 bit to 64 bit - I think it requires a reinstall from the 64 bit installation media. If you have to do a reinstall you're better off going to at least CentOS 6 because RHEL5 (and therefore CentOS 5) should be nearing end of life. Even better would be to go to CentOS 7 given it is the latest release so will have a much longer lifespan.

If you're running any other applications on the server you'd want to verify they don't have a problem running on a 64 bit OS before doing any upgrade. Some applications are 32 bit only and may run fine on a 64 bit OS (you can usually install both 32 bit and 64 bit versions of most RPMs). However, 32 bit applications may have reduced performance on a 64 bit OS. If you do have to reinstall and choose to go to a later release you'd of course want to be sure any applications will run on that later release.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Rich Goodson
Sent: Tuesday, March 03, 2015 11:44 AM
To: Job
Cc: bind-users@lists.isc.org
Subject: Re: Config large tuning and out of memory

Job,

I won't go in to this in detail, as it's more complicated than "your 32 bit system can't address more than 4GB of RAM", but your 32 bit OS is almost certainly your problem. Most of your 16GB of RAM is unused due to OS limitations. I'd recommend upgrading to a 64 bit OS, then compile a 64 bit version of BIND with your compile time options.

-Rich

On Mar 3, 2015, at 10:05 AM, Job j...@colliniconsulting.it wrote:

Hello Rich,

we are on a 32 bit system, CentOS 5.2

Thank you

From: Rich Goodson [rgood...@gronkulator.com]
Sent: Tuesday, March 3, 2015 17:01
To: Job
Cc: bind-users@lists.isc.org
Subject: Re: Config large tuning and out of memory

Is your binary 64 bit, or 32?

Rich

On Mar 3, 2015, at 9:54 AM, Job j...@colliniconsulting.it wrote:

Hello,

I recompiled Bind 9.10.1-P1 with system large tuning enabled. I have some hundreds of views (with DLZ) in our system. With this feature compiled in, bind does not start:

Mar 3 16:50:45 cloud02gw named[13338]: reloading configuration failed: out of memory

I have 16 Gb of RAM, and about 14 almost free! Where is the matter?

Thank you
Francesco
RE: Request to provide procedure for bind upgrade
Good point. Fedora isn't really a good choice for Production systems - it is bleeding edge with a short life cycle (usually a new version is out 6 months later and they only support the most recent 2.) Fedora is used as a test bed for what ends up in RHEL later. RHEL has a much longer life cycle but requires a paid subscription for updates. CentOS is a binary recompile from RHEL sources that doesn't require a paid subscription. The question is whether you need vendor support for the OS. If yes then RHEL would be the way to go. If not CentOS would work.

Note that RHEL6 and CentOS6 are NOT the same as Fedora 6 - they are much later. Also RHEL7 and CentOS7 are out so if you're reloading to a new OS you should start with those rather than RHEL6/CentOS6.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Chuck Anderson
Sent: Monday, February 16, 2015 11:17 AM
To: Sundram Bharti
Cc: bind-users@lists.isc.org
Subject: Re: Request to provide procedure for bind upgrade

Fedora Core 6 is no longer supported. It went End-Of-Life in 2007:

http://en.wikipedia.org/wiki/Fedora_%28operating_system%29#Releases

On Mon, Feb 16, 2015 at 10:16:37AM -0500, Sundram Bharti wrote:

Hi Team,

My DNS current version is BIND 9.8.4-P1 and OS is Fedora Core release 6 (Zod). So could you let me know whether _yum update named_ works for upgrading to the current version, and if yes then what will be the fallback procedure if the upgrade fails?
RE: Request to provide procedure for bind upgrade
The package is “bind” not “named”. The daemon is called “named”. You can type “rpm -qf $(which named)” to determine which package installed that daemon. (Likely it was bind.) Also if you’re running the chroot’ed version you’d want the package “bind-chroot”.

I’d suggest you run “rpm -qa | grep -i bind” to see what BIND packages you have installed. Note you should ignore things like “ypbind” if installed as that is part of NIS rather than BIND. You can then do “yum list package” against packages to see if there are newer versions without installing them.

e.g. if you saw things like bind-libs, bind-utils, bind, system-config-bind, bind-chroot in the output of “rpm -qa” (it will also show the version on these) do:

yum list bind-libs bind-utils bind system-config-bind bind-chroot

which will show you both the installed versions you have and the latest available packages for update in the repository.

Ideally you have more than one DNS server and would only update one, test it to be sure everything is working, then update the next one.

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sundram Bharti
Sent: Monday, February 16, 2015 10:17 AM
To: bind-users@lists.isc.org
Subject: Request to provide procedure for bind upgrade

Hi Team,

My DNS current version is BIND 9.8.4-P1 and OS is Fedora Core release 6 (Zod). So could you let me know whether yum update named works for upgrading to the current version, and if yes then what will be the fallback procedure if the upgrade fails?

--
BR// Sundram Bharti
+919717977886
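The reply above gives the inventory commands but the original question was also about the fallback if the upgrade fails. The script below is an added example, not from the thread: it filters a package listing the way the reply describes (everything matching "bind", with ypbind dropped because it is NIS), builds the single yum list command, and records the exact installed versions so the old packages can be put back with rpm -Uvh --oldpackage. The package list it works on is a constructed stand-in for real rpm -qa output; the names and versions are not real builds, and a real run would replace SAMPLE_RPM_QA with the output of rpm -qa.

```shell
#!/bin/sh
# Added example, not from the thread: inventory the installed BIND packages,
# build the "yum list" check, and save a rollback manifest.
# SAMPLE_RPM_QA is a constructed sample of `rpm -qa` output, not real builds.

SAMPLE_RPM_QA="bind-9.8.4-1.P1.fc6.x86_64
bind-libs-9.8.4-1.P1.fc6.x86_64
bind-utils-9.8.4-1.P1.fc6.x86_64
bind-chroot-9.8.4-1.P1.fc6.x86_64
ypbind-1.19-12.fc6.x86_64
openssh-4.3p2-4.fc6.x86_64"

# bind_nvras: keep the BIND package lines from an `rpm -qa` listing on stdin,
# dropping ypbind, which is the NIS client and has nothing to do with BIND.
bind_nvras() {
    grep -i 'bind' | grep -v '^ypbind-'
}

# nvra_to_name: strip "-VERSION-RELEASE.ARCH"; the package name is
# everything before the last two hyphens.
nvra_to_name() {
    sed 's/-[^-]*-[^-]*$//'
}

# yum_list_cmd: print the one "yum list" command that shows installed and
# available versions for every BIND package at once.
yum_list_cmd() {
    names=$(printf '%s\n' "$SAMPLE_RPM_QA" | bind_nvras | nvra_to_name | tr '\n' ' ')
    printf 'yum list %s\n' "${names% }"
}

# save_rollback_manifest FILE: write the exact installed NVRAs to FILE and
# echo how many were recorded. Keep the matching .rpm files alongside it
# (yumdownloader from yum-utils, or a copy out of /var/cache/yum) before
# upgrading; that is what makes the rollback below possible offline.
save_rollback_manifest() {
    printf '%s\n' "$SAMPLE_RPM_QA" | bind_nvras > "$1"
    wc -l < "$1" | tr -d ' '
}

# rollback_cmd FILE: print the rpm command that reinstalls what FILE lists,
# assuming the saved .rpm files sit in the current directory.
rollback_cmd() {
    printf 'rpm -Uvh --oldpackage'
    while read -r nvra; do printf ' %s.rpm' "$nvra"; done < "$1"
    printf '\n'
}

# Stand-alone run.
MANIFEST=$(mktemp)
echo "recorded $(save_rollback_manifest "$MANIFEST") packages in $MANIFEST"
yum_list_cmd
rollback_cmd "$MANIFEST"
```

Do this on the first server only, as the reply suggests, and keep the manifest and the saved RPMs with the change record; once that server has run clean for a while, repeat on the next one.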
RE: Getting Error || unable to convert errno to isc_result
On RHEL the kernel doesn't change within the main release (RHEL6 in this case will always be 2.6.32-xx) and RHEL does the support including back porting bug and security fixes into their extended release (which isn't the same as the base kernel). They do the same thing for the BIND release they support within the main RHEL release.

To go to a 3.x kernel one would have to go to RHEL7 but that isn't necessary given the way RedHat does support.

Jeffrey C. Lightner
Sr. UNIX Administrator
DS Services of America, Inc.
2300 Windy Ridge Suite 600 N
Atlanta, GA 30339
P: 678-486-3516 C: 678-772-0018 F: 678-460-3603
E: jlight...@dsservices.com

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Daniel Ryslink
Sent: Wednesday, February 11, 2015 3:33 PM
To: bind-users@lists.isc.org
Subject: Re: Getting Error || unable to convert errno to isc_result

Hello

What uncle Google found for me: http://www.bind9.net/BIND-FAQ

Quote:

Q: Why do I get the following errors:

general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad address
client: UDP client handler shutting down due to fatal receive error: unexpected error

A: This is the result of a Linux kernel bug. See: http://marc.theaimsgroup.com/?l=linux-netdevm=113081708031466w=2

Kernel 2.6.32 end of support date was 6/1/2014, and if I am not mistaken, Bind 9.8 is not supported anymore either (only branches 9.9 and 9.10).

I don't want to bother you with obvious answers, but IMO you should consider upgrading to supported versions of both your OS and BIND, since there were some serious security issues reported and patched lately and your vulnerable system may be at risk. Maybe ISC people will have some solution for you, but generally, people are encouraged to keep up with the supported versions.

--
Best Regards,
Daniel Ryšlink
System Administrator
Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Czech Republic
Tel.:+420.226204627
daniel.rysl...@dialtelecom.cz
www.dialtelecom.cz
Dial Telecom, a.s. Simply connect

On 02/11/2015 01:04 PM, Md. Mahbubul Alam Reyad wrote:

Hi Mukund

It's bind-9.8.2-0.23 and the OS is Red Hat Enterprise Linux Server release 6.0 (kernel 2.6.32-431.17.1.el6.x86_64)

Sincerely Yours
Md. Mahbubul Alam Reyad
Assistant Manager CORE-IP Network || Technology
Cell: +880 1976672281 || Skype: new_reyad
www.qubee.com.bd
T +88 02 8812113 || F +88 02 8812115

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund Sivaraman
Sent: Wednesday, February 11, 2015 5:43 PM
To: Md. Mahbubul Alam Reyad
Cc: bind-users@lists.isc.org
Subject: Re: Getting Error || unable to convert errno to isc_result

Hi Mahbubul

On Wed, Feb 11, 2015 at 11:39:19AM +, Md. Mahbubul Alam Reyad wrote:

Hi all

Recently I am getting the following error in my DNS. Does anyone know the reason, impact and solution for this error?

general: error: unable to convert errno to isc_result: 92: Protocol not available
general: error: socket.c:1700: unexpected error:

Which version of BIND is this? What OS (and its version) are you using it on?

Mukund
RE: Getting Error || unable to convert errno to isc_result
Possible yes but I'd suspect it had been addressed if it were severe enough - I haven't actually looked at it. Another poster suggested a later update to BIND that is available in the RHEL repository that may have addressed it if the version the OP has doesn't.

I just wanted to make the note about RHEL's methodology as it confuses folks (and security scanning tools) that only look at the base upstream version component of a package name rather than RHEL's extended versioning in the name. RedHat sends errata alerts when they address things to let folks know to update packages to their latest extended version. Just because you see a kernel 2.6.32 it doesn't mean it is exactly the same as the upstream vanilla version with that number. It DOES mean that NEW features in upstream versions such as 3.x won't be there (unless of course a security issue that affects 3.x is found to also affect 2.6.32 at which point they'll backport).

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Daniel Ryslink
Sent: Wednesday, February 11, 2015 5:04 PM
To: bind-users@lists.isc.org
Subject: Re: Getting Error || unable to convert errno to isc_result

Okay, sorry, did not know about the backporting. Still, isn't it possible that this old bug is still present in this version of RHEL6?

--
Regards,
Daniel Ryšlink
System Administrator
Dial Telecom a. s.

On 02/11/2015 10:32 PM, Lightner, Jeff wrote:

On RHEL the kernel doesn't change within the main release (RHEL6 in this case will always be 2.6.32-xx) and RHEL does the support including back porting bug and security fixes into their extended release (which isn't the same as the base kernel). They do the same thing for the BIND release they support within the main RHEL release.
To go to a 3.x kernel one would have to go to RHEL7 but that isn't necessary given the way RedHat does support.
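The check that follows from the backporting point above: because Red Hat fixes bugs inside the same upstream version (bind-9.8.2-0.23 stays "9.8.2"), the version field alone says nothing about which fixes are present, while the package changelog does (rpm -q --changelog bind). The script below is an added example, not from the thread: it pulls the upstream version field a naive scanner keys on, and then answers "is this identifier fixed in the installed build?" from changelog text instead. The changelog lines are a constructed sample and CVE-0000-0001 is a deliberately invalid placeholder, not a real vulnerability identifier; a real run pipes rpm -q --changelog output in and passes the advisory's identifier.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a fix is present in an
# RHEL-style package from its changelog rather than its upstream version.
# SAMPLE_CHANGELOG is constructed; CVE-0000-0001 is an invalid placeholder.

SAMPLE_CHANGELOG='* Tue Jan 13 2015 Example Packager <pkg@example.com> - 32:9.8.2-0.30.rc1
- Fix CVE-0000-0001 (placeholder identifier, constructed for this example)
* Mon Jun 02 2014 Example Packager <pkg@example.com> - 32:9.8.2-0.23.rc1
- Resolves: some unrelated bug'

# rpm_version_field NVRA: the upstream version a naive scanner keys on,
# i.e. the second-to-last hyphen-separated field ("9.8.2").
rpm_version_field() {
    printf '%s\n' "$1" | sed 's/^.*-\([^-]*\)-[^-]*$/\1/'
}

# changelog_has_id CHANGELOG ID: exit 0 if ID appears anywhere in the
# changelog text (case-insensitive, fixed string).
changelog_has_id() {
    printf '%s\n' "$1" | grep -qiF -- "$2"
}

# changelog_release_for_id CHANGELOG ID: print the epoch:version-release
# of the first entry mentioning ID. Entries start "* <date> <packager> - <evr>".
changelog_release_for_id() {
    printf '%s\n' "$1" | awk -v id="$2" '
        /^\* / { evr = $NF }
        index(tolower($0), tolower(id)) { print evr; exit }'
}

# verdict NVRA CHANGELOG ID: one-line summary for a ticket or scanner note.
verdict() {
    if changelog_has_id "$2" "$3"; then
        printf '%s: %s fixed in %s (upstream version field still %s)\n' \
            "$1" "$3" "$(changelog_release_for_id "$2" "$3")" "$(rpm_version_field "$1")"
    else
        printf '%s: %s not mentioned in changelog\n' "$1" "$3"
    fi
}

# Stand-alone run against the constructed sample.
verdict bind-9.8.2-0.30.rc1.el6.x86_64 "$SAMPLE_CHANGELOG" CVE-0000-0001
verdict bind-9.8.2-0.30.rc1.el6.x86_64 "$SAMPLE_CHANGELOG" CVE-0000-0002
```

The changelog only proves a fix is present when it is read from the installed package (rpm -q --changelog, not the .spec of a newer build), and a vendor errata page is still the authoritative source for which release first carried it.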
RE: SRV records etc
SRV definitely still required for some applications. Some cloud based application providers have you add them to verify you own the domain to which they're tying their services so you don't use them to hijack other people's domains.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: Tuesday, February 10, 2015 9:14 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: SRV records etc

In article mailman.1603.1423618610.26362.bind-us...@lists.isc.org, Kevin Oberman rkober...@gmail.com wrote:

HINFO is getting pretty rare. The security issues are pretty obvious and its advantages are rather limited.

I thought they were deprecated ages ago, but I can't find anything official about that.

--
Barry Margolin
Arlington, MA
RE: Change in behaviour regarding ndots and searchlist
I've begun seeing this recently in nslookup on Windows workstations as well. It appears it is appending search domains even when I've specified an FQDN. That is I have two search domains such as ex1.com and ex2.net and if I typed the short name ralph for nslookup or host it would give me the ralph.ex1.com IP if it existed or ralph.ex2.net if ralph.ex1.com didn't exist and the latter did. Now what I'm seeing is even if I specify ralph.ex1.com it is looking up and failing on ralph.ex1.com.ex2.net. If I put a dot at the end of the FQDN (e.g. ralph.ex1.com. instead of just ralph.ex1.com) it doesn't do that.

The Windows admins recently built a couple of new domain controllers for Windows DNS so I assumed it had something to do with those. Do you by any chance have Windows DNS in your environment?

There was an article posted last week to this forum regarding bleed over of internal domains to the internet and vice-versa when one is using a domain internally that might be registered to someone else externally which is the case in our environment. It may also be that the issue is because the formerly externally registered domain appears to have gone to expired/renewal status recently and it may be the Registrar is somehow causing this bleed over effect in the way they present records.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
Sent: Monday, September 15, 2014 5:16 AM
To: BIND Users
Subject: Re: Change in behaviour regarding ndots and searchlist

Partially qualified names are DANGEROUS. You really do not want to use them ever no matter how convenient or useful they appear to be.

In message 20140915083532.ga29...@danton.fire-world.de, Sebastian Wiesinger writes:

Hello,

I noticed a change in the host tool in regard to how searches are done when there are >= ndots dots in the query. In the following case ndots is always nonexistent in the configuration.

With bind 9.8 (Debian 1:9.8.4.dfsg.P1):

$ host -d test.example
Trying test.example
Received 105 bytes from 127.0.0.1#53 in 6 ms
Trying test.example.office.example.com
Trying test.example.backup.example.org
Trying test.example.example.com
Trying test.example.example.org
Trying test.example.winzone.example.com
Trying test.example.nms.example.com
Host test.example not found: 3(NXDOMAIN)
Received 104 bytes from 127.0.0.1#53 in 1 ms

With bind 9.9 (Debian 1:9.9.5.dfsg-4~bpo70, same on Ubuntu 1:9.9.5.dfsg-3):

$ host -d test.example
Trying test.example
Host test.example not found: 3(NXDOMAIN)
Received 105 bytes from 127.0.0.1#53 in 15 ms
Received 105 bytes from 127.0.0.1#53 in 15 ms

So with host from bind 9.8 the absolute name is tried first and after that the search list is tried. With bind 9.9 this is no longer the case. Does anyone know if that was a deliberate change? I liked the old behaviour because I could search for internal subdomains without specifying/knowing the full FQDN.

As a workaround I raised the ndots value to 2 but that increases the number of queries because the searchlist is tried first for things like linux.org. Also it increases the potential for MITM as linux.org.example.com. is tried first.

Regards
Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
RE: Change in behaviour regarding ndots and searchlist
While the final dot has been required within zone files to prevent unwanted appendages to records it has NOT been required by tools such as host and nslookup on either Windows or Linux/UNIX which routinely use search domains. As I noted this is something that seems to have changed recently. It doesn't happen for every record either so we're just now looking into what has changed and as stated I suspect it is the new Windows Domain Controllers recently installed.

The article I mentioned posted last week does suggest that using short names is a bad idea now due to the new plethora of TLDs and the bleed over but that doesn't mean it never worked. The article says that what made short names work in the past was platform dependent so really wasn't a good idea even for internal systems. Despite that it IS the way many people have run their environments for years.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sebastian Wiesinger
Sent: Monday, September 15, 2014 9:50 AM
To: bind-users@lists.isc.org
Subject: Re: Change in behaviour regarding ndots and searchlist

* Barry Margolin bar...@alum.mit.edu [2014-09-15 15:18]:

In article mailman.957.1410786839.26362.bind-us...@lists.isc.org, Steven Carr sjc...@gmail.com wrote:

On 15 September 2014 13:29, Lightner, Jeff jlight...@dsservices.com wrote:

I've begun seeing this recently in nslookup on Windows workstations as well. It appears it is appending search domains even when I've specified an FQDN. That is I have two search domains such as ex1.com and ex2.net and if I typed the short name ralph for nslookup or host it would give me the ralph.ex1.com IP if it existed or ralph.ex2.net if ralph.ex1.com didn't exist and the latter did. Now what I'm seeing is even if I specify ralph.ex1.com it is looking up and failing on ralph.ex1.com.ex2.net.

Without the final explicit . your name is not fully qualified.

But if a name has more than ndots dots, it's supposed to be tried as given first, before adding search domains.

But currently (9.9) it will not add search domains at all. Which I find odd.

Regards
Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
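The disagreement in the thread above is about which candidate names a stub resolver sends, and in what order, for a given ndots and search list. The function below is an added example, not from the thread or from BIND, that simulates the classic res_search()-style rule the posters are describing: a name ending in "." is absolute and is sent as-is; a name with at least ndots dots is tried as given first and then with each search domain appended; anything shorter gets the search domains first and the bare name last. The search domains are placeholders. Running it with ndots=2 reproduces Sebastian's MITM point: linux.org becomes linux.org.example.com before linux.org is ever asked for, so whoever answers for example.com gets the first shot.

```shell
#!/bin/sh
# Added example, not from the thread: simulate the search-list candidate
# order of a classic res_search()-style stub resolver. Search domains given
# to the functions are placeholders chosen for illustration.

# count_dots NAME: number of "." characters in NAME.
count_dots() { printf '%s' "$1" | tr -cd '.' | wc -c | tr -d ' '; }

# search_candidates NAME NDOTS "DOM1 DOM2 ..."
# Print, one per line, the names that would be queried in order.
search_candidates() {
    name=$1; ndots=$2; search=$3
    case $name in
        *.) printf '%s\n' "$name"; return 0 ;;     # trailing dot: absolute, no search
    esac
    dots=$(count_dots "$name")
    if [ "$dots" -ge "$ndots" ]; then
        printf '%s\n' "$name"                      # enough dots: as-is first
        for d in $search; do printf '%s.%s\n' "$name" "$d"; done
    else
        for d in $search; do printf '%s.%s\n' "$name" "$d"; done
        printf '%s\n' "$name"                      # too few dots: as-is last
    fi
}

# first_candidate NAME NDOTS SEARCH: the first name that leaves the host,
# i.e. the one an attacker controlling a search domain gets to answer.
first_candidate() { search_candidates "$@" | head -n 1; }

# Stand-alone run: the cases discussed in the thread.
echo "ndots=1, ralph.ex1.com:"; search_candidates ralph.ex1.com 1 'ex1.com ex2.net'
echo "ndots=2, linux.org:";     search_candidates linux.org 2 'example.com'
echo "ndots=1, ralph.ex1.com.:"; search_candidates ralph.ex1.com. 1 'ex1.com ex2.net'
```

The trailing dot is the only input that removes the search list entirely, which is why Mark Andrews' advice and the "ralph.ex1.com." workaround in the thread coincide: anything else depends on the client's ndots and on whoever is authoritative for each search domain.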
RE: Value of memory
Also remember that "used" reported by free in Linux on the first line includes memory pre-allocated to cache and buffers that is readily usable on demand so isn't really allocated to specific processes like you'd see in a similarly configured UNIX system. Be sure when trying to determine "used" that you're looking at the values on the second line instead as that shows what you have when buffers/cached are not included in the totals.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Fajar A. Nugraha
Sent: Thursday, August 07, 2014 12:07 AM
To: Robert Moskowitz
Cc: bind-us...@isc.org
Subject: Re: Value of memory

On Thu, Aug 7, 2014 at 10:39 AM, Robert Moskowitz r...@htt-consult.com wrote:

I have a server that is only running bind 9.8.2 (Centos 6.5). It has 2Gb memory and free reports ~1.7Gb used. I am looking at replacing this server with an armv7 board running Redsleeve (until Centos 7 is out and stable for armv7). I have a choice of boards, one with 1Gb memory ($60) and one with 2Gb memory ($90). This server serves out my zones and supports the couple handfuls of systems on my net. I would like to eventually get to DNSSEC, but that is another stalled project. About the only meaningful difference between the two boards (btw, Cubieboard2 and Cubietruck) for my needs is the memory. I know more memory is better, but how much better?

Oh, why the move to arm? Power consumption. ROI for the C2 board is one year just on power saving.

It depends on how much load your server currently handles, and how your cache is configured.

I'd start with looking at your server load. Arm still has lower per-core performance compared to x86, so if you currently see high CPU utilization by named, I'd stick with x86.

Next see how your memory cache is configured. That should be where bind uses most memory. AFAIK by default max-cache-size is unlimited and max-cache-ttl is set to several days. See how much memory bind currently uses for cache, and then you can try configuring those two parameters (e.g. set an explicit max-cache-size to 512MB) and see how much memory bind (and the rest of the OS) uses then, and how well it performs. If it's still acceptable, then you can probably go with the 1GB board.

Cache can reduce the number of queries issued upstream and is very important on busy servers, but if you serve a relatively low number of queries from your clients then you won't see much difference between (e.g.) 512MB and 1GB cache.

--
Fajar
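Reading the "-/+ buffers/cache" line instead of the first line, as the reply above advises, is easy to get wrong in a monitoring script, and newer procps-ng dropped that line altogether in favour of an "available" column. The function below is an added example, not from the thread: it takes free -m output on stdin and returns the memory actually held by processes under either layout. Both sample outputs are constructed to match the ~2 GB box in the thread (a headline "used" of about 1.7 GB that is really about 0.5 GB once cache and buffers are excluded); a real run replaces them with the output of free -m.

```shell
#!/bin/sh
# Added example, not from the thread: read "real" used memory from `free -m`
# output on stdin, handling both the old "-/+ buffers/cache" layout and the
# procps-ng 3.3.10+ layout with an "available" column.
# FREE_OLD and FREE_NEW are constructed samples, not captured from a host.

FREE_OLD='             total       used       free     shared    buffers     cached
Mem:          2003       1738        265          0        120       1102
-/+ buffers/cache:        516       1487
Swap:         2047          0       2047'

FREE_NEW='              total        used        free      shared  buff/cache   available
Mem:           2003         516         265           0        1222        1487
Swap:          2047           0        2047'

# real_used_mb: MB held by processes, i.e. total minus what the kernel can
# hand back on demand. Prefers the "-/+ buffers/cache" used column; without
# that line falls back to total - available from the Mem: line.
real_used_mb() {
    awk '
        /^-\/\+ buffers\/cache:/ { print $3; found = 1; exit }
        /^Mem:/                  { total = $2; avail = $NF }
        END { if (!found) print total - avail }'
}

# headline_used_mb: the first-line "used" figure that misleads on old procps.
headline_used_mb() {
    awk '/^Mem:/ { print $3; exit }'
}

# used_pct TOTAL USED: integer percentage, the number to alert on.
used_pct() { echo $(( $2 * 100 / $1 )); }

# Stand-alone run against the constructed samples.
printf 'old layout: headline used %s MB, real used %s MB\n' \
    "$(printf '%s\n' "$FREE_OLD" | headline_used_mb)" "$(printf '%s\n' "$FREE_OLD" | real_used_mb)"
printf 'new layout: real used %s MB\n' "$(printf '%s\n' "$FREE_NEW" | real_used_mb)"
```

For the named process itself, rather than the whole box, the figure to watch is its resident set (ps -o rss -C named) while varying max-cache-size as the reply suggests; the free-based number above is the right one for deciding whether the 1 GB board has headroom for everything else.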
RE: Does bind read /etc/hosts?
The confusion can come in because in some UNIX variants (notably HP-UX) nslookup was modified to honor /etc/nsswitch.conf so it DOES check /etc/hosts if files precedes dns. However, in most things (e.g. Linux, Solaris) nslookup (and the newer host command) do not look at /etc/hosts regardless of the nsswitch.conf setting.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Niall O'Reilly
Sent: Tuesday, July 15, 2014 6:57 AM
To: houguanghua
Cc: bind-users@lists.isc.org
Subject: Re: Does bind read /etc/hosts?

At Tue, 15 Jul 2014 10:28:30 +, houguanghua wrote:

Before Bind consults authority NS, does it access /etc/hosts? In my testing, it does not even seem to access /etc/hosts.

That's right. BIND tools (dig, ...) are DNS tools. Local files aren't part of the DNS.

For more information, please see http://serverfault.com/questions/498500/why-does-the-host-command-not-resolve-entries-in-etc-hosts

Best regards,
Niall O'Reilly
whois expiration limit?
Hi,

I know this is the BIND list but I’m thinking folks who deal with DNS probably may be able to answer this question about whois.

We recently transferred and renewed a domain by 2 years which pushed its expiration to 01/25/2025. The order confirmation shows that expiration and looking at the domain at the Registrar’s web site under our account it shows that expiration as well. However, when running whois both here and at the Registrar’s site it shows expiration 01/25/2024.

It makes me wonder if there is a 10 year limit in whois since 2024 would be within 10 years but 2025 would be outside of it. I didn’t see anything in RFC 3912 describing whois that even suggests a limit for expiration dates.

Not a big deal as I may be dead by then either way – just wondering if anyone knows of a reason this would occur. Please don’t suggest I contact the Registrar. I already did and they seemed as clueless as I am.
RE: whois expiration limit?
Thanks. My thinking was the limit was on the whois database since the Registrar was telling me it was registered for more than 10 years. It appears based on this Registration FAQ regarding "compliance" that the registrar may simply be showing it as 2024 because they can't really report 2025 and be in compliance. I was just having a hard time finding anything that mentioned the 10 year limit even though it seemed likely that was the issue.

Hopefully you're correct that the Registrar will automatically adjust it before 2024. I'll set myself a reminder for next year and prompt them if they don't automatically update it themselves so we don't have to remember in 2024 that we already paid for another year.

From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Dave Warren
Sent: Wednesday, February 19, 2014 4:17 PM
To: bind-users@lists.isc.org
Subject: Re: whois expiration limit?

> On 2014-02-19 20:44, Lightner, Jeff wrote:
> > We recently transferred and renewed a domain by 2 years which pushed its expiration to 01/25/2025. [...] However, when running whois both here and at the Registrar's site it shows expiration 01/25/2024. It makes me wonder if there is a 10 year limit in whois since 2024 would be within 10 years but 2025 would be outside of it.
>
> http://www.icann.org/en/resources/compliance/faqs#7
>
> Each registrar has the flexibility to offer initial and renewal registrations in one-year increments, provided that the maximum remaining unexpired term shall not exceed ten years.
>
> In reality, they'll probably issue the renewal automagically once you're under the 9-year mark and the domain is renewal-eligible.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
RE: Same internal and external zone
There is nothing that precludes you from having the same zone on different DNS servers. You make each authoritative so that any lookup that hits that DNS server gets that server's records. You can then have separate entries for some items and the same for others.

We do that here with at least one domain where our internal Windows servers keep track of internally USED IPs and our external facing DNS servers keep track of externally reachable IPs. For the few records where we want the internal user to use the externally reachable IP we just add the record to both.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Joshua Smith
Sent: Friday, February 14, 2014 1:03 PM
To: Sarath
Cc: bind-users@lists.isc.org
Subject: Re: Same internal and external zone

> Can you not delegate xyz.xyz.example.com to route 53 on your internal name server?
>
> --
> Josh Smith
> KD8HRX
> Email/jabber: juice...@gmail.com
> Phone: 304.237.9369(c)
> Sent from my iPhone.
>
> On Feb 14, 2014, at 12:53 PM, Sarath <sar...@slashroot.in> wrote:
>
> > Hi All,
> >
> > I have a situation where the same domain, for example xyz.example.com, is both internal and external. The internal xyz.example.com is on an internal host (private address) which is the default DNS server for all internal hosts (all hosts use this DNS server in their resolv.conf), and the external xyz.example.com is on another public IP server (AWS Route 53).
> >
> > The problem is I have a hostname, for example xyz.xyz.example.com, which is on the public DNS server, and my local network hosts cannot resolve that hostname which is on the public DNS server (Route 53). The reason is because the local DNS server is also authoritative for xyz.example.com, and as it does not find xyz.xyz.example.com in the local zone it gives no reply.
> >
> > I cannot add the record of xyz.xyz.example.com on my local DNS server (which is BIND) because that host is DNS load balanced using Route 53 health checks.
> >
> > Is there any other solution to get this done in BIND? Adding a CNAME also won't work. Please let me know if there is some solution or workaround for this.
> >
> > Thanks
> > Sarath
RE: Adding DS records
FYI: web.com recently bought NetSol and at least one other Registrar that escapes me at the moment. It might be worthwhile to see if any of their companies do this as you might have an easier time transferring and avoid some of the common games Registrars play to prevent it.

I heartily recommend that you NOT go to GoDaddy. Once they have your domain they play all sorts of games to keep it.

On that subject: if you DO decide to transfer domains from one registrar to another be sure to do the following at the old Registrar BEFORE requesting the transfer at the new one:

1) Turn off domain lock - most Registrars have this enabled by default now.
2) Turn off private registration if enabled.
3) Ensure the administrative contact email is one you can send email to them from and can receive emails from them.
4) Obtain the transfer authorization code. Most Registrar web sites have transfer buttons that are easy to find but these are for transferring domains TO them rather than AWAY. Usually you have to do some research on their sites to find how to generate the code.

Jeffrey C. Lightner
Sr. UNIX Administrator
DS Waters of America, Inc.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Thomas Schulz
Sent: Friday, December 20, 2013 12:59 PM
To: bind-users@lists.isc.org
Subject: Re: Adding DS records

> > If I was a NetSol customer, I would ask them, Why not?
> > And if I were a NetSol customer, I would ask myself, Why?
> > If I were a capitalist, I'd vote with my wallet and go somewhere with the features I want.
>
> Well, we started with them back when they were the only company registering domain names. And up to now there were no problems (other than perhaps price). Any recommendations for another company for a .com domain in the US? I suppose that I could always use the DLV, but I would rather not.
>
> Tom Schulz
> Applied Dynamics Intl.
> sch...@adi.com
RE: Performance Tuning RHEL 5 and Bind
Any reason you're using RHEL5 as opposed to RHEL6 if you're building new servers? RHEL5 is very long in the tooth and will go EOL sooner than RHEL6. Since you're using a BIND package not shipped with RHEL5 there's no reason on that account not to move up to RHEL6.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of wbr...@e1b.org
Sent: Monday, October 21, 2013 9:47 AM
To: bind-users@lists.isc.org
Subject: Re: Performance Tuning RHEL 5 and Bind

> > From: Alan Clegg <a...@clegg.com>
> > Fix your windows clients.
>
> You can't fix stupid.
RE: Install DNS Server
Any reason why you're using CentOS 5.7 given that 6.4 (and maybe later) is available? If this is a new system you really ought to think about using the 6.x stuff. 5.x is long in the tooth; even though still supported it has many older upstream packages of things including BIND. CentOS does put bug and security fixes in (or RedHat does and CentOS gets them because they build from RHEL source) but you still end up with something very old (BIND 9.3.x) that most folks on this list don't want to talk about because it is long past EOL for BIND.

From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Sten Carlsen
Sent: Thursday, October 10, 2013 6:38 AM
To: Chandran Manikandan
Cc: bind-users@lists.isc.org
Subject: Re: Install DNS Server

> Hi
>
> I do that and more on an ATOM machine with 2GB RAM. I use Postfix instead of qmail but see no reason qmail would not work. I installed all the relevant RPMs, configured them and it works.
>
> One thing to remember is that you need two or more DNS servers; I do that by being a stealth master with several slaves on my 3rd party provider.
>
> On 10/10/13 12.27, Chandran Manikandan wrote:
> > Hi All,
> > I am running a CentOS 5.7 32 bit server machine. I have installed and successfully run qmail, web, ftp on the same machine. Now I am DNS hosting with a third party. I would like to install and keep DNS hosting myself. How to do that? How to install a DNS server on the same machine or a different machine, and what is the complete procedure and steps? Anyone help me.
> >
> > --
> > Thanks,
> > Manikandan.C
> > System Administrator
>
> --
> Best regards
> Sten Carlsen
> No improvements come from shouting: MALE BOVINE MANURE!!!
RE: chroot/etc/named/ directory?
Haven't done it on RHEL/CentOS 6.x yet but in RHEL5 with bind-chroot installed I've always had:

/var/named/chroot = the jail for BIND
/var/named/chroot/etc = location of global config files such as named.conf
/var/named/chroot/var/named = location of the zone files

I don't see a /var/named/chroot/etc/named in RHEL5 but then again that is based on BIND 9.3. RHEL6 is almost certainly based on a higher upstream version. Since CentOS is built from RHEL source it would have that higher version as well.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Mike Hoskins (michoski)
Sent: Wednesday, February 13, 2013 12:44 PM
To: bind-users@lists.isc.org
Subject: Re: chroot/etc/named/ directory?

> -----Original Message-----
> From: Robert Moskowitz <r...@htt-consult.com>
> Date: Wednesday, February 13, 2013 10:53 AM
> To: bind-users@lists.isc.org
> Subject: chroot/etc/named/ directory?
>
> > I am upgrading my server from bind-9.3.6 via CentOS 5.5 to 9.8.2 in CentOS 6.3. I have and will run bind chrooted and on my test setup I noticed a 'new' subdirectory in the chroot tree:
> >
> > /var/named/chroot/etc/named/
> >
> > I cannot find any documentation as to what is intended to be placed in this subdirectory. My includes for named.conf?
> >
> > I am assuming the pki subdirectory is for DNSSEC related files, but I have not found any documentation indicating so. But then I have not plowed through the DNSSEC documentation in depth yet.
>
> If you installed bind*-chroot, it will populate the /var/named/chroot hierarchy. It's not strictly required (though I would suggest it), but if you intend to run BIND chrooted /var/named/chroot is essentially /. You'll have to place the usual things BIND needs to operate under that directory -- configs, zones, etc. Assuming this came from the chroot RPM, you'll already have other essential pieces for chroot such as your null/random/zero devices.
>
> Since you mention CentOS, you'll likely also want to pay attention to things like ROOTDIR in /etc/sysconfig/named.
>
> Having said all that, you might search the archives (SRPMS have been provided by community members) or other sources for a newer BIND while you're at it... 9.8.2 isn't ancient, but also not technically up to date now. I am personally waiting for 9.9.3 to leave beta, but 9.8.4-P1 probably makes sense for you today. This won't affect your chroot setup, just something worth considering since you're upgrading.
RE: SOA issue
Also make sure you've incremented the serial number in the zone file by at least 1.

From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Chris Buxton
Sent: Wednesday, February 13, 2013 12:58 PM
To: Paul A
Cc: bind-us...@isc.org
Subject: Re: SOA issue

> On Feb 13, 2013, at 9:22 AM, Paul A wrote:
> > Can anyone help me figure out why this SOA is not changing no matter what I do? The zone was edited and has a new SOA but no matter what I do bind doesn't reload the zone with the new SOA. I tried rndc freeze/unfreeze and still nothing. Short of reloading bind what else can I do.
> >
> > TIA, Paul
> >
> > named-compilezone -o - sturdymemorial.org db.sturdymemorial
> > zone sturdymemorial.org/IN: loaded serial 2013021307
> > sturdymemorial.org. 86400 IN SOA reuben.meganet.net. postmaster.naisp.net. 2013021307 10800 3600 604800 600
> > OK
>
> Your zone only has an SOA record. A zone without NS records will not load.
>
> If that's not really the issue, because you've edited the output above, a couple of hints:
>
> - rndc reload zone is unnecessary if rndc freeze zone executes correctly. A dynamic zone (one that you would freeze and thaw) cannot be reloaded. Thawing the zone effectively reloads it.
> - Do not edit a dynamic zone's zone file without first freezing it. Otherwise, when you freeze it, the data in memory will be written to disk, overwriting your changes.
> - Are you sure you're editing the right file?
>
> Chris Buxton
> BlueCat Networks
>
> > rndc reload sturdymemorial.org
> > zone reload up-to-date
> >
> > dig @localhost sturdymemorial.org soa
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57470
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
> >
> > ;; QUESTION SECTION:
> > ;sturdymemorial.org.            IN      SOA
> >
> > ;; ANSWER SECTION:
> > sturdymemorial.org.     600     IN      SOA     reuben.meganet.net. postmaster.naisp.net. 2012011801 10800 3600 604800 600
> >
> > from the log file
> > named[26675]: received control channel command 'reload sturdymemorial.org'
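The two checks this thread turns on (an apex with an SOA but no NS records will not load, and a serial that has not moved past the one already being served is ignored by secondaries), as an added example that is not part of the thread: a small master-file parser in Python with RFC 1982 serial comparison, run over a constructed example.org zone instead of the real one above.

```python
import re

SERIAL_MOD = 2 ** 32
_TTL_RE = re.compile(r"\d+[smhdw]?", re.IGNORECASE)   # 3600, 1h, 2d ...


def serial_gt(new, old):
    """RFC 1982 serial arithmetic: True if `new` is newer than `old`, wrap-safe."""
    new, old = new % SERIAL_MOD, old % SERIAL_MOD
    if new == old:          # equal is not "newer": secondaries will not transfer
        return False
    return (new > old and new - old < 2 ** 31) or (new < old and old - new > 2 ** 31)


def _logical_records(text):
    """Yield (owner_omitted, fields) per record, joining '(' ... ')' continuations
    such as a multi-line SOA. owner_omitted is True when the line began with
    whitespace, meaning the previous owner name carries over."""
    buf, depth, owner_omitted = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]       # ';' comments (quoted ';' not handled)
        if not buf:
            if not line.strip():
                continue
            owner_omitted = line[0].isspace()
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield owner_omitted, " ".join(buf).split()
            buf, depth = [], 0


def _absolutize(name, origin):
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_apex_records(text, origin):
    """Return (SOA serial, sorted NS target names) at the zone apex.
    Handles $ORIGIN, comments, parentheses, '@', relative names and optional
    TTL/class fields; deliberately a small subset of RFC 1035 master syntax."""
    origin = origin.lower().rstrip(".") + "."
    current_origin, last_owner = origin, origin
    serial, ns_names = None, set()
    for owner_omitted, fields in _logical_records(text):
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            current_origin = _absolutize(fields[1], current_origin)
            continue
        if fields[0].startswith("$"):     # $TTL, $INCLUDE: irrelevant here
            continue
        owner = last_owner if owner_omitted else _absolutize(fields.pop(0), current_origin)
        last_owner = owner
        while fields and (_TTL_RE.fullmatch(fields[0]) or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                 # optional TTL and class, either order
        if not fields or owner != origin:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SOA" and len(rdata) >= 3:
            serial = int(rdata[2])        # MNAME RNAME SERIAL refresh retry expire minimum
        elif rtype == "NS" and rdata:
            ns_names.add(_absolutize(rdata[0], current_origin))
    return serial, sorted(ns_names)


def check_zone(text, origin, served_serial=None):
    """List the reasons named or its secondaries would not pick up this file."""
    problems = []
    serial, ns_names = parse_apex_records(text, origin)
    if serial is None:
        problems.append("no SOA record at the zone apex")
    if not ns_names:
        problems.append("no NS records at the zone apex; named will refuse to load the zone")
    if serial is not None and served_serial is not None and not serial_gt(serial, served_serial):
        problems.append(f"serial {serial} is not newer than the served serial {served_serial}; "
                        "secondaries will not transfer the change")
    return problems


# Constructed example zone (example.org is a documentation name). It mirrors the
# shape of the SOA in the thread: parenthesised SOA, '@' owner, a relative NS name.
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 86400
@   IN SOA ns1.example.org. hostmaster.example.org. (
        2013021307 10800 3600 604800 600 )   ; serial refresh retry expire minimum
    IN NS  ns1.example.org.
    IN NS  ns2
ns1 IN A   192.0.2.1
ns2 IN A   192.0.2.2
"""
```

Run `check_zone(open(path).read(), "yourzone.example", served_serial=N)` with N taken from `dig @localhost yourzone.example soa` before reloading; an empty list means both conditions from the thread are satisfied.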
RE: How can I migrate my Domain from ISP hosted to my own BIND server?
To expand on that. The steps Manish wrote are what you do internally. What Sten is writing is external – your domains are "registered" somewhere and the "Registrar" points to the appropriate DNS servers – you'll need to ensure that it is pointing to your internal DNS servers. You can find out the registrar by running "whois" on your domains.

Often when you have external hosting the hosting provider is also acting as your Registrar and using their own DNS servers. You'll need to co-ordinate with them if that is the case.

Also sometimes in hosting setups if you've paid someone else to do your web design and hosting they are the actual Registrant (owner of the domain from ICANN's point of view) so you may have to verify who owns the domains first. We've dealt with some of these hosting companies on acquisitions that took the position that they "owned" the domain and didn't have to give it up – sometimes it takes some legal work to get them to understand that registering a domain doesn't make them "owner" when it is a name they registered on behalf of a client, so they were doing it only as an agent (IANAL).

From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Sten Carlsen
Sent: Friday, December 14, 2012 6:04 AM
To: bind-users@lists.isc.org
Subject: Re: How can I migrate my Domain from ISP hosted to my own BIND server?

> You can find an external DNS provider (I use one that is free) and have them slave your zones. Just make your TTLs suitable, so even if your own server dies, the zones will be served from the provider for weeks. Changes will propagate fast.
>
> On 14/12/12 11:40, Mark Andrews wrote:
> > In message <CA+z6RjG4vg3TJej+Z8tKXycRpYTucSUYV-UVJVuRr=ly3zs...@mail.gmail.com>, Manish Rane writes:
> > > Hi Team,
> > > I need to migrate my domain which is hosted at my ISP on to my own internal BIND server and have my own NS record. Does anyone know the steps I need to take care of or the complete procedure?
> >
> > 1. take a copy of the zone and make your server a master for it.
> > 2. set up new slaves from the new master.
> > 3. make the old master a slave from this new master.
> > 4. add the new NS records and associated address records.
> > 5. wait for the old NS RRset to clear the caches as well as any negative cache entries for the address records for the new servers.
> > 6. update the parent NS RRset to be the final state. Add glue as necessary. Remove old glue records that are no longer necessary.
> > 7. remove the old NS records from the zone.
> > 8. wait for the combined NS RRset to clear caches.
> > 9. decommission old nameservers.
> >
> > > --
> > > Thanks and Regards,
> > > Manish R
>
> --
> Best regards
> Sten Carlsen
> No improvements come from shouting: MALE BOVINE MANURE!!!
RE: restart named; missing TCP socket
Why use rndc to stop then the init script to start? Is there no /etc/rc.d/rc.named restart? On RHEL5 the init script has a restart option so it will stop then start.

If a socket is open then it could take a finite amount of time for it to close, making it unavailable on the restart if you haven't given it time enough to clean up. If there is no restart option in init maybe try to add a sleep to your command line:

rndc stop; sleep 5; /etc/rc.d/rc.named start

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Tony Finch
Sent: Wednesday, December 12, 2012 8:20 AM
To: bind-users@lists.isc.org
Subject: restart named; missing TCP socket

> I have had a few instances recently when named has failed to re-open its TCP listening socket after a restart. This is particularly likely if I try to bounce it quickly with a command line like
>
> # rndc stop; /etc/rc.d/rc.named start
>
> The servers in question are recursive (apart from a few local zones) with simple ACLs. (I have had the same problem on servers with less simple ACLs too.)
>
> listen-on-v6 { ::1; };
> listen-on { 127.0.0.1; };
> allow-query { localhost; };
> allow-transfer { localhost; };
>
> What do others do to avoid this problem?
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
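An added example (not from the thread) of the wait that the `sleep 5` above approximates: poll until the old named PID is gone and the listening port from Tony's `listen-on` can be bound again, and only then run the start command, so a second copy is never started on top of one that is still shutting down. The pidfile path, rc script and listen address are assumptions to adapt to your system; binding port 53 needs the same privileges named itself needs.

```python
import os
import socket
import subprocess
import time


def process_alive(pid):
    """True if a process with this PID still exists (signal 0 delivers nothing)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:           # exists, but owned by another user
        return True
    return True


def wait_for_exit(pid, timeout=30.0, interval=0.2):
    """Poll until the PID is gone or the timeout expires; True means it exited."""
    deadline = time.monotonic() + timeout
    while process_alive(pid):
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)
    return True


def tcp_port_free(host, port):
    """True if a listening TCP socket can be bound on host:port right now.
    No SO_REUSEADDR on purpose: this is the conservative answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return False
    return True


def wait_for_port(host, port, timeout=30.0, interval=0.2):
    """Poll until host:port can be bound again or the timeout expires."""
    deadline = time.monotonic() + timeout
    while not tcp_port_free(host, port):
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)
    return True


def restart_named(pidfile="/var/run/named/named.pid", listen=("127.0.0.1", 53),
                  start_cmd=("/etc/rc.d/rc.named", "start"), timeout=30.0):
    """Stop named with rndc, wait for the old process and its TCP listener to be
    gone, then run the start command. Pidfile path, listen address and start
    command are assumptions: set them to what your system actually uses."""
    with open(pidfile) as f:
        pid = int(f.read().strip())
    subprocess.run(["rndc", "stop"], check=True)
    if not wait_for_exit(pid, timeout):
        raise RuntimeError(f"named (pid {pid}) still running after {timeout}s; not starting a second copy")
    host, port = listen
    if not wait_for_port(host, port, timeout):
        raise RuntimeError(f"{host}:{port} still in use after {timeout}s; refusing to start")
    subprocess.run(list(start_cmd), check=True)
```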
RE: Performance tuning
For question 1: "Loading" is a function of the web site, not DNS. Your first question could have to do with what the default site is in your web configuration and what kind of rewrite rules are getting you to the other. If it were me I'd probably do some timed "host" or "dig" commands for the two records to verify name resolution itself wasn't a problem. I guess it MIGHT be minutely slower to resolve www if it is a CNAME to the other as opposed to both being A records. However, since this is a fairly common practice I doubt it is likely to be of major importance in overall timing.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Adamiec, Lawrence
Sent: Monday, November 26, 2012 1:13 PM
To: bind-users@lists.isc.org
Subject: Re: Performance tuning

To the best of my knowledge, there are no problems with our DNS. We only host 25 domains. The report must also address these two specific questions:

1. Why does www.kentlaw.iit.edu load quicker than kentlaw.iit.edu in any browser?
2. What happens if we remove the forwarders option from named.conf?

I can't duplicate the issue in Q1 and I'm trying to determine a way of testing Q2.

Larry

On Mon, Nov 26, 2012 at 11:39 AM, Doug Barton <do...@dougbarton.us> wrote:

What a delightfully vague requirement. :) I would push back a bit on exactly what problems are attempted to be solved here. The BIND defaults are about as efficient as they can be, especially so in later versions.

Doug

On 11/26/2012 11:01 AM, Adamiec, Lawrence wrote:

Hi, I have been tasked with authoring a DNS report to achieve optimal performance. The report must include:

    CPU usage
    memory usage
    bandwidth usage
    throughput
    latency

I have found some information regarding the number of queries processed per minute but nothing of value for the above areas. Is there some documentation that discusses the above areas?

We are running BIND 9.6-ESV-R5-P1, Solaris 10 on a SPARC server. My report will include the fact we must upgrade from BIND 9.6-ESV-R5-P1.

Thank you in advance.

Larry

Lawrence Adamiec
UNIX Mgr
IIT Chicago-Kent College of Law

Athena®, Created for the Cause™
Making a Difference in the Fight Against Breast Cancer

How and Why I Should Support Bottled Water! Do not relinquish your right to choose bottled water as a healthy alternative to beverages that contain sugar, calories, etc. Your support of bottled water will make a difference! Your signatures count! Go to http://www.bottledwatermatters.org/luv-bottledwater-iframe/dswaters and sign a petition to support your right to always choose bottled water. Help fight federal and state issues, such as bottle deposits (or taxes) and organizations that want to ban the sale of bottled water. Support community curbside recycling programs. Support bottled water as a healthy way to maintain proper hydration. Our goal is 50,000 signatures. Share this petition with your friends and family today!

CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
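Jeff's suggestion of timed "dig" runs for the two names, as an added example that is not from the thread: a POSIX shell script that queries each name, pulls the server-reported query time out of the reply and counts how many CNAMEs the answer went through, so a slow page load can be separated from slow resolution. The names, the server address and the sample dig output embedded at the bottom are constructed placeholders, not captures from the poster's servers.

```sh
#!/bin/sh
# Added example, not from the list thread: compare DNS lookup time for two
# names (e.g. the apex and its www alias) so slow page loads can be separated
# from slow name resolution. Names and server address are placeholders.

# Millisecond value from dig's ";; Query time: N msec" line.
query_time_ms() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# Number of CNAME records in the ANSWER section: each one is an extra owner
# name the resolver had to chase before reaching an address.
answer_cnames() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/      { in_answer = 1; next }
        /^;;/                      { in_answer = 0 }
        in_answer && $4 == "CNAME" { n++ }
        END                        { print n + 0 }'
}

# Run dig against SERVER (or the system resolver when SERVER is empty) and
# print "<name> <query time in ms> <cname count>".
time_lookup() {
    name=$1
    server=$2
    if [ -n "$server" ]; then
        out=$(dig @"$server" "$name" A)
    else
        out=$(dig "$name" A)
    fi
    printf '%s %s %s\n' "$name" "$(query_time_ms "$out")" "$(answer_cnames "$out")"
}

# Repeat a lookup COUNT times and report the worst query time, so one slow
# cold-cache query is told apart from consistently slow answers.
max_query_time() {
    name=$1
    server=$2
    count=${3:-5}
    worst=0
    i=0
    while [ "$i" -lt "$count" ]; do
        ms=$(time_lookup "$name" "$server" | awk '{ print $2 }')
        if [ "${ms:-0}" -gt "$worst" ]; then worst=$ms; fi
        i=$((i + 1))
    done
    echo "$worst"
}

# Constructed sample dig output (not a real capture) so the parsers can be
# exercised without network access.
SAMPLE_WWW=';; ANSWER SECTION:
www.example.test.    3600    IN    CNAME    example.test.
example.test.        3600    IN    A        192.0.2.10

;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)'

SAMPLE_APEX=';; ANSWER SECTION:
example.test.        3600    IN    A        192.0.2.10

;; Query time: 7 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)'

# Usage: sh dnstime.sh www.example.test example.test [server]
if [ "$#" -ge 2 ]; then
    for n in "$1" "$2"; do
        time_lookup "$n" "$3"
    done
fi
```

Run it against the resolver the browsers actually use (the one in the workstation's resolv.conf), not only against the authoritative server: a CNAME adds at most one extra lookup on the resolver side, so if both names come back within a few milliseconds the difference in page load lives in the web server, as the reply above says.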
RE: Moving BIND from Solaris to Linux
The reason I did the full discussion is that many shops are moving from proprietary UNIX (Solaris, AIX, HP-UX) or Windows to Linux solutions. If they are moving much infrastructure but just starting with BIND then he needs to consider what I wrote.

Also I don't really agree that Ubuntu is the best solution. One could run CentOS, which has no subscription fee but is binary compatible with RHEL, then download and compile BIND for it. In an organization using Solaris they presumably have professional administrators and are more likely to find folks with RHEL experience when hiring staff that will feel totally comfortable with CentOS.

If continuity and staffing aren't considerations and this is truly going to be a one-off he could use Suse or Slackware or any one of a thousand Linux distros (or even one of the *BSD distros - since BSD is where Solaris came from originally). If it's a one-off, "best" is truly subjective. There are many people that detest Ubuntu and many people that love it - though the din from the former seems to have overwhelmed the latter since the Unity desktop and other moves by Canonical :-)

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Fajar A. Nugraha
Sent: Monday, October 01, 2012 9:58 AM
To: bind-users@lists.isc.org
Subject: Re: Moving BIND from Solaris to Linux

> One idea would be to use RHEL but still download and compile your own BIND on top of it.

Yup, IIRC there are (S)RPMs for the latest bind versions posted on this list.

> However, if the only thing on your RHEL server is BIND you have to wonder why you're paying RedHat a subscription.

Yeah. If you only need the latest binary, ubuntu (plus its PPA) is probably a better choice, e.g. https://launchpad.net/~hauke/+archive/bind9

Then again, the OP only mentions open source apps, with no mention of Oracle and such. So using the latest ubuntu LTS is probably a better choice in that case.

--
Fajar
Dig from workstation to answer?
I know that dig +trace can be used to see the path of name resolution starting from the root servers down to the final answer. What I'm wondering is if there is some set of options that would go from the workstation to the final answer? That is to say, only go to the root servers if that is where the DNS topology internally sends me.

For example, from my workstation, if I search an internal domain we use, I know which internal DNS server it goes to ask the question. That DNS server in turn may refer to a separate internal DNS server which is authoritative for the domain or has the record cached. A dig +trace is useless because the root servers know nothing about the domain.

I've found various things that give me parts of the information but wonder if there isn't something that would do something like trace so I can see each DNS server that was referred to in such lookups.
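What the question above asks for, as an added example that is not from the thread: a POSIX shell script that starts at the workstation's configured resolver and asks each hop with recursion disabled (dig +norecurse), printing whether the hop answered from cache or authority or referred to another server, and following the referral. The names, addresses and the sample dig replies embedded below are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the list thread: follow a lookup starting at the
# workstation's own resolver instead of at the root. Each hop is queried with
# recursion disabled (+norecurse): a hop that has the answer (cached or
# authoritative) ends the trace, a hop that only returns NS records in its
# AUTHORITY section is a referral we follow. Names and addresses in the
# constructed samples are placeholders.

# First "nameserver" entry in /etc/resolv.conf.
first_resolver() {
    awk '$1 == "nameserver" { print $2; exit }' /etc/resolv.conf
}

# Records of one dig section (ANSWER, AUTHORITY or ADDITIONAL) from reply text.
section() {
    printf '%s\n' "$2" | awk -v hdr=";; $1 SECTION:" '
        $0 == hdr         { inside = 1; next }
        /^;;/             { inside = 0 }
        inside && NF >= 5 { print }'
}

answer_count() { section ANSWER "$1" | wc -l | tr -d ' '; }

# Zone the referral points into (owner name of the AUTHORITY NS records).
referral_zone() { section AUTHORITY "$1" | awk '$4 == "NS" { print $1; exit }'; }

# Nameserver names offered in a referral.
referral_ns() { section AUTHORITY "$1" | awk '$4 == "NS" { print $5 }'; }

# Glue address for one of those nameservers, if the reply carried it.
glue_for() { section ADDITIONAL "$1" | awk -v n="$2" '$1 == n && $4 == "A" { print $5; exit }'; }

trace_from() {
    name=$1
    server=${2:-$(first_resolver)}
    hop=0
    while [ "$hop" -lt 10 ]; do
        hop=$((hop + 1))
        out=$(dig +norecurse @"$server" "$name" A)
        if [ "$(answer_count "$out")" -gt 0 ]; then
            echo "hop $hop: $server answered:"
            section ANSWER "$out"
            return 0
        fi
        ns=$(referral_ns "$out" | head -n 1)
        if [ -z "$ns" ]; then
            echo "hop $hop: $server gave neither an answer nor a referral"
            return 1
        fi
        if [ "$(referral_zone "$out")" = "." ]; then
            echo "hop $hop: $server has nothing cached for $name and refers to the root; from here it recurses or forwards itself"
            return 1
        fi
        addr=$(glue_for "$out" "$ns")
        [ -n "$addr" ] || addr=$(dig +short "$ns" A | head -n 1)
        echo "hop $hop: $server referred to $ns ($addr)"
        server=$addr
    done
    echo "gave up after $hop hops"
    return 1
}

# Constructed sample replies (not real captures) to exercise the parsers offline.
SAMPLE_REFERRAL=';; AUTHORITY SECTION:
corp.example.test.      86400   IN      NS      ns1.corp.example.test.
corp.example.test.      86400   IN      NS      ns2.corp.example.test.

;; ADDITIONAL SECTION:
ns1.corp.example.test.  86400   IN      A       10.0.0.53
ns2.corp.example.test.  86400   IN      A       10.0.1.53

;; Query time: 1 msec'

SAMPLE_ANSWER=';; ANSWER SECTION:
host.corp.example.test. 300     IN      A       10.0.0.7

;; Query time: 0 msec'

# Usage: sh dnspath.sh host.corp.example.test [starting server]
if [ "$#" -ge 1 ]; then
    trace_from "$1" "$2"
fi
```

Two limits are worth knowing before reading the output. A recursive server answers a +norecurse query only from what it already holds (its cache or its own zones), so an entry that was never looked up shows as a referral to the closest zone cut the server knows, which for an unknown internal name may simply be the root. And nothing in the protocol exposes a server's forwarders: a server configured to forward will never "refer" you to the server it forwards to, so that hop has to be read from its named.conf.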
RE: Zone Transfer issue on BIND9
You're putting the allow-transfer on each zone? I don't think that's your issue but it seems odd to me. Here we do it at the view level.

Also it appears you're using the same IP for at least two of your views - for view transfers to work properly here we set up virtual IPs on the DNS servers and set the ACLs appropriately. I.e. our real IPs are in the ACL we used prior to setting up views and are now only used for the main [external] view, and we have different ACLs for the virtual IPs used within the internal view.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Phil Mayers
Sent: Friday, August 24, 2012 7:41 AM
To: bind-users@lists.isc.org
Subject: Re: Zone Transfer issue on BIND9

On 24/08/12 12:09, sn...@email.it wrote:
> Hi there, I have an issue related to zone transfer which I couldn't fix. I've found a presumable fix googling a lot but it doesn't seem to work.

You haven't said *how* it isn't working. Be specific.

Note that the FAQ link you reference puts the server {} block INSIDE the view. You have it in the global config. That seems like something to investigate.
RE: What can cause excessive amount of _dns-sd queries?
Maybe blocking access by that IP will force the customer's tech folks to contact you?

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of wbr...@e1b.org
Sent: Thursday, August 23, 2012 10:05 AM
To: Eivind Olsen
Cc: bind-users-bounces+wbrown=e1b@lists.isc.org; bind-users@lists.isc.org
Subject: Re: What can cause excessive amount of _dns-sd queries?

Eivind wrote on 08/23/2012 09:18:06 AM:
> Yeah, now I'm just wondering which OS / application / malware / whatever could be responsible for this :)

Someone trying to use ZeroConf: http://zeroconf.org

I believe Macs come configured to use it by default; Linux and Windows can be configured to use it.

> (no, the client isn't directly under my control, it belongs to some customer)

Good luck with that!

Confidentiality Notice: This electronic message and any attachments may contain confidential or privileged information, and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agent responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachments. Please notify the sender immediately by return e-mail or telephone and delete this message from your system.
RE: 2 dns records for same server
That is to say, don't put the external servers in /etc/resolv.conf on your clients - only put the internal one there. (Or the Windows equivalent setup should only see your internal DNS server.)

I would correct the prior post not to say EVER but rather "not directly". Often in an internal/external configuration only the external server queries the internet and the internal one forwards requests it gets to the external one. It doesn't matter if the external server the internal DNS server is pointing to also has records for the domains, because the internal server would already have answered for the domains it is authoritative for before trying to forward. We have an internal/external setup here for one domain and have no problems doing this. (Oddly enough we also have views but that's another story...)

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of wbr...@e1b.org
Sent: Monday, August 20, 2012 8:24 AM
To: Dwayne Hottinger
Cc: bind-users@lists.isc.org
Subject: Re: 2 dns records for same server

Dwayne wrote on 08/19/2012 07:37:39 PM:
> My hosts get the IPs of all 3 dns servers when they receive dhcp information.

I think this is the issue. The internal clients should only point to the internal DNS server. They should never be querying the DNS that returns the public IP addresses EVER!
RE: Can't receive emails from another machine
To check whether BIND is your problem simply run

    dig -t MX domainname

on the host that is trying to send the email to your mail host. If it returns the right IP address for your mail host then BIND isn't the problem.

For iptables/postfix this isn't really the right forum. You might want to try posting your question at some place like LinuxQuestions.org.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Stayvoid
Sent: Monday, July 30, 2012 8:23 PM
To: bind-users@lists.isc.org
Subject: Can't receive emails from another machine

Hello,

I'm using Postfix. I can send / receive emails from / to localhost via telnet. [1] But I can't receive emails from another machine. I guess that there are three variants:

1. Postfix doesn't work properly;
2. Bind doesn't work properly;
3. IPTables doesn't work properly.

I can't be 100% sure but I think that it's not connected with Postfix. So I have to check Bind or / and IPTables. I hope that you'll help me to check my Bind settings. What should I paste?

Thanks

[1] https://help.ubuntu.com/community/Postfix#Testing
RE: disabling Any requests
Your answer was clearly meant to be tongue in cheek but I'm not sure you understood. The OP wasn't asking how to stop all (any) lookups - it was how to stop "dig -t any", which isn't the same thing at all. Presumably they still want to allow "dig -t mx", "dig www..." etc.

Personally I don't know why "dig -t any" would be a problem. It's not exactly the same as doing an AXFR transfer of the zone - it still only gets limited information.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Chuck Swiger
Sent: Thursday, July 12, 2012 9:39 AM
To: Dns Administrator
Cc: bind-users@lists.isc.org
Subject: Re: disabling Any requests

On Jul 12, 2012, at 2:27 AM, Dns Administrator wrote:
> Hi bind-users, please excuse my ignorance being a novice to dns, but is there some way of disabling or choking Any type requests?

Sure -- a firewall or even taking a pair of wire-cutters to the ethernet cable will accomplish that. :-)

Regards,
--
-Chuck
RE: Loaded zone files query
That assumes it's Linux and is being logged to local /var/log/messages. For other *nix the log location and name is apt to be different.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Carl Byington
Sent: Tuesday, July 10, 2012 3:47 PM
To: bind-users@lists.isc.org
Subject: Re: Loaded zone files query

On Tue, 2012-07-10 at 13:22 -0600, Kirk Hoganson wrote:
> Does anyone know of a simple way to discover how many zone files bind has successfully loaded after the daemon starts?

    cd /var/log
    rm -f named.temp*
    # split named's log lines at every "starting BIND" line; the '{*}'
    # repeat count makes csplit split at every start rather than only the
    # first, and the piece sizes csplit prints are discarded
    grep 'named' messages | \
        csplit --prefix=named.temp - '/named.*starting BIND/' '{*}' >/dev/null
    # the last piece holds everything logged since the most recent start
    f=$(ls -1 named.temp* | tail -1)
    grep 'zone.*loaded serial' $f | wc -l
    rm -f named.temp*
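The same count done in a single awk pass, as an added example that is not from the thread: it takes the log file path as an argument (to Jeff's point that the file differs between systems), resets its counters at every "starting BIND" line so only the most recent start is reported, and also counts zones whose load failed, which the grep above does not show. The sample log lines embedded below are constructed, not a real capture.

```sh
#!/bin/sh
# Added example, not from the list thread: count the zones named loaded, and
# the ones that failed to load, since its most recent start. The log path is
# an argument because it differs between Linux distributions and other *nix.

zone_load_summary() {
    awk '
        # a new start resets the counters, so only the latest run is reported
        /named.*starting BIND/ { loaded = 0; failed = 0; seen = 1; next }
        /named.*zone .*loaded serial/ { loaded++ }
        /named.*zone .*loading from master file .*failed/ { failed++ }
        END {
            if (!seen) exit 1    # no "starting BIND" line in this file
            printf "loaded=%d failed=%d\n", loaded, failed
        }' "$1"
}

# Constructed sample log (not a real capture): two named starts, one zone
# that failed to load during the first run.
SAMPLE_LOG='Jul 10 13:00:01 ns1 named[1111]: starting BIND 9.9.1-P1
Jul 10 13:00:01 ns1 named[1111]: zone example.test/IN: loaded serial 2012071001
Jul 10 13:00:01 ns1 named[1111]: zone 2.0.192.in-addr.arpa/IN: loaded serial 2012071001
Jul 10 13:00:02 ns1 named[1111]: zone broken.test/IN: loading from master file broken.zone failed: file not found
Jul 10 14:30:00 ns1 named[2222]: starting BIND 9.9.1-P1
Jul 10 14:30:00 ns1 named[2222]: zone example.test/IN: loaded serial 2012071002
Jul 10 14:30:00 ns1 named[2222]: zone localhost/IN: loaded serial 0
Jul 10 14:30:00 ns1 named[2222]: zone 2.0.192.in-addr.arpa/IN: loaded serial 2012071001'

write_sample_log() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

# Usage: sh zonecount.sh /var/log/messages
if [ "$#" -ge 1 ]; then
    zone_load_summary "$1"
fi
```

A non-zero exit means the file held no "starting BIND" line at all, which on a rotated log is the usual reason the count comes out wrong rather than a sign that nothing loaded.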
RE: bind dies with assertion failure
As mentioned more than once on this list, Redhat starts with an upstream version of a given package (say BIND 9.7), then backports security and bug fixes from later upstream versions into theirs and adds extended versioning (say 9.7-2.3.1). One would have to check Redhat's version to see what fixes it actually contains.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Phil Mayers
Sent: Tuesday, July 03, 2012 3:47 AM
To: bind-users@lists.isc.org
Subject: Re: bind dies with assertion failure

On 07/03/2012 01:16 AM, Oscar Ricardo Silva wrote:
> I *THINK* I found the reason for why we're exposed to this bug ... It would appear that Redhat based their BIND package on 9.8.2rc1. Guess where the patch for this bug was applied? 9.8.2rc2.

Are you sure about this? From what I can see in our local yum repo of the RHEL6 ISOs, it shipped with bind 9.7. Sure that isn't a local package, or you're joined into a non-production channel?
RE: bind dies with assertion failure
I disagree about this being off topic. It IS in fact a BIND question but, like many BIND implementations, is specific to the user's setup.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Oscar Ricardo Silva
Sent: Tuesday, July 03, 2012 10:33 AM
To: bind-users@lists.isc.org
Subject: Re: bind dies with assertion failure

(Sorry, forgot to include the right Subject line so re-sending)

Date: Mon, 02 Jul 2012 17:40:51 -0500
From: Oscar Ricardo Silva <osc...@mail.utexas.edu>
To: bind-users@lists.isc.org
Subject: Re: bind dies with assertion failure

> I may have missed something but has this been patched in a 9.8.x version of BIND? According to the 9.9.0 release notes this has been addressed but just wondering about the availability for other vulnerable versions. Also, is there a known trigger? The reason I'm running is that we're currently running the stock version of BIND available with RHEL6. It's their policy to backport patches and if there's a patch available then they may apply it faster rather than deploying a new version.
>
> Oscar

Since this problem is likely being caused by the version of BIND provided by Redhat and not with the release version, this issue is not pertinent to the list. I don't want to clutter up the list with off-topic conversations. If anyone is interested in Redhat's response we can take the conversation off-list but I'm not hopeful they'll do anything about it. While it's always better to compile and install from the latest stable version, it's also nice to use their package management system especially when you have to deal with multiple systems.

Oscar
RE: Compiling and testing on Fedora
Turning off SELinux also requires a reboot after changing mode.

From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Shawn Bakhtiar
Sent: Thursday, June 21, 2012 1:19 AM
To: bind-us...@isc.org
Subject: RE: Compiling and testing on Fedora

Did you turn OFF SELinux?

    setenforce 0

Then run the test.

From: dan.lut...@level3.com
To: bind-us...@isc.org
Subject: Compiling and testing on Fedora
Date: Wed, 20 Jun 2012 23:33:08

Hi all,

I've had a major problem with using Fedora Core (10 through 15), when compiling and running make test:

    A:System test acl
    I:Couldn't start server ns2 (pid=17344)
    R:FAIL
    S:allow_query:Wed Jun 20 23:21:47 GMT 2012
    T:allow_query:1:A
    A:System test allow_query
    I:Couldn't start server ns2 (pid=17368)
    R:FAIL
    S:addzone:Wed Jun 20 23:22:01 GMT 2012
    T:addzone:1:A
    A:System test addzone
    I:Couldn't start server ns2 (pid=17393)
    R:FAIL
    S:autosign:Wed Jun 20 23:22:15 GMT 2012
    T:autosign:1:A
    A:System test autosign
    I:generating keys and preparing zones
    I:Couldn't start server ns1 (pid=17734)
    R:FAIL
    S:builtin:Wed Jun 20 23:22:35 GMT 2012
    T:builtin:1:A
    A:System test builtin
    I:Couldn't start server ns1 (pid=17755)
    R:FAIL
    S:cacheclean:Wed Jun 20 23:22:49 GMT 2012
    T:cacheclean:1:A
    A:System test cacheclean
    I:Couldn't start server ns1 (pid=17776)
    R:FAIL

I'm running the bin/tests/system/ifconfig.sh up script, and see the lo:1 through lo:7 interfaces come up. I don't have this problem on any of my Solaris systems, just the Fedora servers. I do have several lo: interfaces already defined, and they cannot be removed.

Has anyone seen such an issue, and if so, how did you fix it?

Dan Luther
Operations Engineer
Systems Operation Engineering
Level 3 Communications
One Technology Center, Tulsa OK 74103
p: 918-547-4370
e: dan.lut...@level3.com
RE: Moving DNS out of non-cooperative provider
Just to verify - when you say "old provider" you're just talking about somewhere you had pointed your DNS records to and NOT the actual Registrar for the domain? If it is the Registrar you have to make changes at the Registrar's site to change which DNS servers to use. If they're not being cooperative that might be problematical. (I wouldn't think they'd prevent you from changing which DNS servers to use for your domain - even the putzes that like to lock domains when you try to transfer to a registrar still allow you to control your DNS setup within their sites, but I guess it's possible they could do it if they were also your hosting provider and didn't want you pointing away from their web servers.)

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Tom Diehl
Sent: Monday, June 18, 2012 12:19 PM
To: Alexander Gurvitz
Cc: bind-users@lists.isc.org
Subject: Re: Moving DNS out of non-cooperative provider

On Mon, 18 Jun 2012, Alexander Gurvitz wrote:
> Can someone enlighten me on the following scenario (I guess it's explained somewhere, but can't find the info.):
>
> example.com was served by ns.OLDprovider.net
> example.com owner wants to move his domain to ns.NEWprovider.net
> oldprovider.net is not cooperating, and continues to serve
>     example.com 172800 NS ns.OLDprovider.net
> (*.gtld-servers.net and ns.newprovider.com now serve
>     example.com 172800 NS ns.NEWprovider.net)
>
> Recursive resolver ns.isp.com is queried for www.example.com every few minutes, and currently has
>     example.com 45892 NS ns.OLDprovider.net
> in its cache. www.example.com has a TTL of 3600.
>
> Thus each hour ns.isp.com queries ns.OLDprovider.net, with each query gets a new NS record, and... refreshes the NS TTL? Will ns.isp.com EVER query ns.NEWprovider.net?
>
> I'd be happy to know how BIND behaves, but also how other servers may behave in this case.

It is not a question of how bind behaves. It is a question of how does dns work.

Bottom line is, set up nameservers with $NEWPROVIDER and change the nameserver records with your registrar and move on. All will be well when the TTLs time out. Until the TTLs time out, resolvers with the old nameservers cached will still query them. Once the TTLs time out the new servers will be queried.

Hope this helps,

--
Tom Diehl tdi...@rogueind.com
Spamtrap address mtd...@rogueind.com
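A way to watch the hand-over Tom describes, as an added example that is not from the thread: a POSIX shell script that compares the NS set the parent zone delegates to with the NS set a given recursive resolver still has cached, and reports how much TTL the cached set has left. The zone names, server addresses and the sample dig replies embedded below are constructed placeholders (the thread's example.com / OLDprovider / NEWprovider names are stand-ins too).

```sh
#!/bin/sh
# Added example, not from the list thread: compare the NS records the parent
# zone delegates to with the NS records a recursive resolver still has cached,
# and show how long the cached copy has left to live. Names are placeholders.

# Sorted, space-separated NS names from the ANSWER section (a resolver's
# cached copy) or the AUTHORITY section (a referral from the parent).
ns_set() {
    printf '%s\n' "$1" | awk '
        /^;; (ANSWER|AUTHORITY) SECTION:/ { inside = 1; next }
        /^;;/                             { inside = 0 }
        inside && $4 == "NS"              { print $5 }' \
        | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Smallest remaining TTL among those NS records; a cache reports the countdown.
ns_min_ttl() {
    printf '%s\n' "$1" | awk '
        /^;; (ANSWER|AUTHORITY) SECTION:/ { inside = 1; next }
        /^;;/                             { inside = 0 }
        inside && $4 == "NS" && (min == "" || $2 < min) { min = $2 }
        END { print min }'
}

# "same" when both replies name the same servers, "different" otherwise.
compare_ns() {
    if [ "$(ns_set "$1")" = "$(ns_set "$2")" ]; then echo same; else echo different; fi
}

# Live check (needs network, not run by the offline checks): ask a parent
# server for the delegation with recursion off, ask the resolver for its copy.
check_delegation() {
    zone=$1
    parent_server=$2
    resolver=$3
    parent=$(dig +norecurse @"$parent_server" "$zone" NS)
    cached=$(dig @"$resolver" "$zone" NS)
    echo "parent delegates to: $(ns_set "$parent")"
    echo "resolver has cached: $(ns_set "$cached") (min TTL left: $(ns_min_ttl "$cached")s)"
    compare_ns "$parent" "$cached"
}

# Constructed sample replies (not real captures) to exercise the parsers offline.
SAMPLE_PARENT=';; AUTHORITY SECTION:
example.test.   172800  IN  NS  ns.newprovider.test.
example.test.   172800  IN  NS  ns2.newprovider.test.

;; Query time: 30 msec'

SAMPLE_CACHED=';; ANSWER SECTION:
example.test.   45892   IN  NS  ns.oldprovider.test.
example.test.   45892   IN  NS  ns2.oldprovider.test.

;; Query time: 1 msec'

# Usage: sh nscheck.sh example.test <a parent zone server> <resolver to check>
if [ "$#" -ge 3 ]; then
    check_delegation "$1" "$2" "$3"
fi
```

"different" with a large TTL left is the normal state right after the registrar change and simply means waiting; "different" long after the old TTL should have expired points at a resolver that is refreshing the old NS set from the old provider's answers, which is the case the question above asks about.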
RE: multiple ints: views or separate records?
As far as influence it seems you could restrict the connections on virtual IPs to specific subnets so that they don't have a choice. This can be done via ACLs in the views and/or via firewall rules (e.g. in iptables if this were a Linux host).

From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Jonathan Reed
Sent: Friday, May 25, 2012 3:52 PM
To: bind-users@lists.isc.org
Subject: multiple ints: views or separate records?

Hi,

I have a few systems with multiple physical and virtual interfaces. One system has a single A record but I'm considering splitting it up. I'd like to persuade users to talk with a specific interface depending mostly on the app and sometimes on the subnet where their request originates. I want to keep things really easy for the users.

What's your experience in influencing that decision while keeping things dead simple? Keeping in mind that they have the potential of communicating with the system from a number of different angles. Is using views my best approach? Or would it be recommended to just settle and publish a bunch of CNAMEs (or A) and have them stick to using those? Or maintain both? Said another way, how well have your users adapted to name changes?

Thanks.

How and Why I Should Support Bottled Water! Do not relinquish your right to choose bottled water as a healthy alternative to beverages that contain sugar, calories, etc. Your support of bottled water will make a difference! Your signatures count! Go to http://www.bottledwatermatters.org/luv-bottledwater-iframe/dswaters and sign a petition to support your right to always choose bottled water. Help fight federal and state issues, such as bottle deposits (or taxes) and organizations that want to ban the sale of bottled water. Support community curbside recycling programs. Support bottled water as a healthy way to maintain proper hydration. Our goal is 50,000 signatures. Share this petition with your friends and family today!
RE: Split DNS and zone transfers
You can also do it by IP in views but need separate IPs for each view. You can do that with virtual IPs on the same NICs as the primary IPs. Such virtual IPs of course have to be in the same subnet as the primary, and also you'd need to ensure the firewall (including host level if any) is opened for the new IPs.

From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Eric Chandler
Sent: Monday, April 16, 2012 11:47 AM
To: bind-users@lists.isc.org
Subject: RE: Split DNS and zone transfers

I've been pointed to the right place to figure this out. The answer is in using TSIG. That saved me a lot of time. I searched everywhere but the most obvious place - the bind9 FAQ.

Eric Chandler
Systems Architect

From: bind-users-bounces+eric.chandler=vonage@lists.isc.org On Behalf Of Eric Chandler
Sent: Monday, April 16, 2012 11:36 AM
To: bind-users@lists.isc.org
Subject: Split DNS and zone transfers

I have a situation where I need to filter out our private infrastructure from our public-facing DNS servers. This is certainly something that should have been done a long time ago, but I just recently took over the spot. Now, I've seen plenty of examples using views and separate zone files, but what I can't find are examples of the same domain zone-transferring both zone files.

Our DNS infrastructure is large and the configuration varies from server type to server type. Some are configured to be the primary auth servers - facing the Internet. Others are public-facing, but accessed only by customer devices, and still others service our internal systems. I would like to get us down to just 1 set of configuration files across the board, using views as the way to do it, but what I can't get around are split zone transfers.

In this example, we have a straightforward example of a split zone:

    view "trusted" {
        match-clients { 192.168.23.0/24; }; // our network
        recursion yes;
        // other view statements as required
        zone "example.com" {
            type master;
            // private zone file including local hosts
            file "internal/master.example.com";
        };
        // add required zones
    };

    view "badguys" {
        match-clients { any; }; // all other hosts
        // recursion not supported
        recursion no;
        // other view statements as required
        zone "example.com" {
            type master;
            // public only hosts
            file "external/master.example.com";
        };
        // add required zones
    };

Now, what I would like to have are slave servers that would zone-transfer both the internal and external-flavored files for example.com and serve them using the same view structure. The hidden masters can generate the split zone files based on private IP address ranges, but I see no way to use zone transfers to get both types of files replicated to the many slave servers that I would need to get them to. This obviously won't work, but this is what I'm after from a logical sense.

    view "trusted" {
        match-clients { 192.168.23.0/24; }; // our network
        recursion yes;
        // other view statements as required
        zone "example.com" {
            type slave;
            masters { 1.2.3.4; 4.5.6.7; };
            // private zone file including local hosts
            file "internal/master.example.com";
        };
        // add required zones
    };

    view "badguys" {
        match-clients { any; }; // all other hosts
        // recursion not supported
        recursion no;
        // other view statements as required
        zone "example.com" {
            type slave;
            masters { 1.2.3.4; 4.5.6.7; };
            // public only hosts
            file "external/master.example.com";
        };
        // add required zones
    };

I suppose I could set up another pair of hidden masters to serve up the internal zones, or another pair of IP addrs on the masters, but I'm hoping not to go down that road.

Thanks,

Eric Chandler
Systems Architect
23 Main Street, Holmdel, NJ 07733
732.203.7437
732.284.8504 (iPhone)
eric.chand...@vonage.com
www.vonage.com

NOTE: The information contained in this email message is considered confidential and proprietary to the sender and is intended solely for review and use by the named recipient. Any unauthorized review, use or distribution is strictly prohibited. If you have received this message in error, please advise the sender by reply email and delete the message.
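What the TSIG answer looks like in named.conf, as an added example that is not from the thread: the master sorts each transfer request into a view by the key it was signed with, and each view on the slave signs its requests with the matching key, so no extra IP addresses are needed. Key names, secrets, the 1.2.3.4/4.5.6.7 master addresses and file names are placeholders.

```conf
// ---- hidden master (1.2.3.4 and 4.5.6.7): added example, placeholder secrets ----
key "internal-xfer" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64-SECRET-1"; };
key "external-xfer" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64-SECRET-2"; };

view "trusted" {
    // A request signed with the internal key lands here even when it arrives
    // from a public address; the leading "!key" keeps external-signed
    // requests out of the private view regardless of source address.
    match-clients { !key external-xfer; key internal-xfer; 192.168.23.0/24; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/master.example.com";
        allow-transfer { key internal-xfer; };   // never by address alone
    };
};

view "badguys" {
    match-clients { key external-xfer; any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/master.example.com";
        allow-transfer { key external-xfer; };
    };
};

// ---- slave: same two key statements as above, then one zone per view ----
view "trusted" {
    match-clients { 192.168.23.0/24; };
    recursion yes;
    zone "example.com" {
        type slave;
        // SOA refresh queries and the AXFR/IXFR itself are signed with the
        // internal key, so the master's "trusted" view answers with the
        // private copy of the zone.
        masters { 1.2.3.4 key internal-xfer; 4.5.6.7 key internal-xfer; };
        file "slaves/internal.example.com";
    };
};

view "badguys" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type slave;
        masters { 1.2.3.4 key external-xfer; 4.5.6.7 key external-xfer; };
        file "slaves/external.example.com";
    };
};
```

An unsigned NOTIFY from the master is sorted into a slave view purely by the slave's match-clients, so either send signed notifies from each master view or accept that the SOA refresh timer is what keeps the other view current.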
RE: Restricting access keeping identical data across views
Is signing not done at zone file level? For our views even when the zones are identical I keep separate copies for the internal and external views so I would have thought this wouldn't be an issue.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Niall O'Reilly
Sent: Wednesday, March 28, 2012 5:38 AM
To: Jon A.
Cc: bind-users@lists.isc.org
Subject: Re: Restricting access keeping identical data across views

On 28 Mar 2012, at 02:16, Jon A. wrote:

> I'm looking for a best practice to keep zone data across multiple views on multiple servers in sync

FWIW, you're not alone.

I have three views too, internal, external, and mendacious. The last is for coercing unregistered clients connecting to LANs where registration is required.

What we have works. It will need a major overhaul for DNSSEC. I think I know what will be needed, but would find a BP or HOWTO helpful, provided it met my use-case closely enough. I'm not averse to contributing some effort to such a project.

ATB
Niall O'Reilly
RE: Name Resolution issue with one domain
I don't think the target is blocking as I get the following:

    dig www.dubaiairport.com

    ; <<>> DiG 9.8.1 <<>> www.dubaiairport.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36668
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.dubaiairport.com.          IN      A

    ;; ANSWER SECTION:
    www.dubaiairport.com.   7200    IN      A       213.42.55.169

    ;; AUTHORITY SECTION:
    dubaiairport.com.       172799  IN      NS      dcaowa01.dubaiairport.com.
    dubaiairport.com.       172799  IN      NS      svr-b003.dubaiairport.com.

    ;; Query time: 337 msec
    ;; SERVER: 192.94.73.20#53(192.94.73.20)
    ;; WHEN: Wed Mar 21 19:25:08 2012
    ;; MSG SIZE  rcvd: 100

The point is your firewall should NOT block outbound queries for port 53 or other ports. There is a well known cache poisoning attack based on knowing the outbound (source) port that is going to be used, so the port should be randomized. Port 53 MUST be accessible on the target DNS server as that is the one that is going to answer the query.

From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of babu dheen
Sent: Wednesday, March 21, 2012 3:14 PM
To: Matus UHLAR - fantomas; bind-users@lists.isc.org
Subject: Re: Name Resolution issue with one domain

Dear All,

When I executed #dig www.dubaiairport.com, I am getting the below response:

    ; <<>> DiG 9.3.4-P1 <<>> www.dubaiairport.com
    ;; global options: printcmd
    ;; connection timed out; no servers could be reached

When I checked the firewall logs, as you all confirmed, traffic is leaving from both non-standard and standard ports. But the firewall logs clearly show that traffic from source port 53 is getting dropped. But other DNS traffic towards various domains is also going with source port 53, for which we have no issue. Is this port restriction done at the remote domain's firewall? Is there any way to enforce a non-standard port for this domain query at our BIND level from our side?

    Mar 21 21:50:26 start_time=2012-03-21 21:47:54 duration=151 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=512159 reason=Close - AGE OUT
    Mar 21 21:50:46 start_time=2012-03-21 21:49:15 duration=90 policy_id=24 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=451904 reason=Close - AGE OUT

Regards
Babu

From: Matus UHLAR - fantomas uh...@fantomas.sk
To: bind-users@lists.isc.org
Sent: Wednesday, 21 March 2012 11:41 AM
Subject: Re: Name Resolution issue with one domain

On 21.03.12 09:23, Mark Andrews wrote:

> Stupid firewall rules in front of the nameservers. They block traffic sent from port 53 which is the port lots of nameservers used to send query traffic. When will firewall administrators learn that the source ports can be anything, that they are not significant, and that blocking traffic based on the source port is stupid.

maybe the admin set that up to force local servers using random ports, instead of 53, for outgoing requests. Nobody should use port 53 for _outgoing_ requests.

> bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
> 09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
> 09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
> 09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>
> ; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> bsdi#

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Quantum mechanics: The dreams stuff is made of.
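The weak setting beside the corrected one, as an added example that is not from the thread (the 10.1.1.1 address comes from the firewall logs above; the port range and the avoided port are placeholders): pinning query-source to port 53 is both what the logged drops are about and what throws away the source-port entropy that protects a resolver's cache.

```conf
// WEAK: every outbound query leaves from UDP/53.  Besides being dropped by
// firewalls like the one in the logs, a fixed source port leaves an attacker
// only the 16-bit query ID to guess when forging an answer.
options {
    query-source address 10.1.1.1 port 53;
    query-source-v6 address * port 53;
};

// CORRECTED: fix the source address if you need to, but leave the port
// unspecified so named picks a random ephemeral port for each query.
options {
    query-source address 10.1.1.1;
    query-source-v6 address *;

    // If the firewall insists on a bounded range, hand named a wide range
    // rather than one port, and list any ports you know are filtered upstream.
    use-v4-udp-ports   { range 10000 65535; };
    avoid-v4-udp-ports { 40000; };          // placeholder for a filtered port
};
```

With the corrected options the outbound rule on the firewall only needs to allow UDP to destination port 53 from any source port, plus the matching reply state.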
RE: forwarding @ to a different domain?
Just as a follow-on to that prior thread. I was able to set up the CNAME for www and * at the Registrar without A records as indicated. Unfortunately the * at the registrar equated to *. Meaning for example ftp.mydomain.com would work with that CNAME but the domain itself, mydomain.com, would not. Despite the ecommerce vendor (Amazon ultimately) saying one should NOT set up A records, their response to us was to leave the two CNAMEs (www and *) in place and set up 3 A records for the domain itself.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of /dev/rob0
Sent: Sunday, January 08, 2012 6:33 PM
To: bind-users@lists.isc.org
Subject: Re: forwarding @ to a different domain?

On Sunday 08 January 2012 09:48:42 enigmedia wrote:

> Hi All: I have a situation where I need to forward requests for mydomain.com and www.mydomain.com to a third party:

mydomain.com is a real domain, and probably not yours. If for some reason you do not want to mention your real domain name, use example.com (or example.TLD for most top-level domains), which is reserved for examples.

> mydomain.myshopify.com (while still pointing other things like MX records elsewhere). I realize I can point a CNAME for WWW to mydomain.myshopify.com, but how do I point mydomain.com to this third party if there is no A record to point to?

This is beginning to be a FAQ here, perhaps due to the popularity of such hosting services (which seem to have been designed by people who have a poor understanding of DNS.)

This was my reply in a thread last month; refer to the entire thread for more:
https://lists.isc.org/pipermail/bind-users/2011-December/085918.html

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
RE: About root zones
> if a root zone is not defined in named.conf

I wonder if you really do NOT want to ever hit root zones you could make your own entry in named.conf that points to localhost for the root zone and thereby avoid hitting any real root?

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Peter Andreev
Sent: Wednesday, December 21, 2011 4:05 AM
To: bind-users@lists.isc.org
Subject: Re: About root zones

2011/12/21 Matus UHLAR - fantomas uh...@fantomas.sk:

> 2011/12/20 Mark Andrews ma...@isc.org:
>>> Named has a compiled in set of root hints. It is used if a root zone is not defined in named.conf.
>
> On 20.12.11 17:37, Peter Andreev wrote:
>> Whether it means that without a hint zone named still can perform iterative lookups for its internal purposes?
>
> 2011/12/20 Matus UHLAR - fantomas uh...@fantomas.sk:
>> yes.
>
> On 21.12.11 12:17, Peter Andreev wrote:
>> This fact is really disappointing.
>
> well, it's needed for proper functionality. What exactly seems to be your problem?

Well, we run a bunch of authoritative-only slave servers and obviously they don't have to perform any kind of lookups. Some time ago a user complained that one of these slave servers responds with wrong data. My colleague tried to investigate this issue, but without any success. Just in case we disabled additional-from-cache. That's why any sort of internal lookups looks very suspicious to me.

> Note that
> - only clients that are allowed to recurse are able to see data in the type hint zone
> - only clients from local networks are allowed to recurse by default. You can tune this by configuring the allow-recursion option.
>
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Atheism is a non-prophet organization.

-- 
AP
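What Jeff's suggestion looks like for an authoritative-only slave, as an added example that is not from the thread (file names and the 192.0.2.1 master address are placeholders): a locally defined, empty root zone takes the place of the compiled-in hints so that nothing is ever sent toward the real root servers, alongside the recursion and cache settings Peter mentions.

```conf
// ---- named.conf fragment: added example, placeholder paths ----
options {
    recursion no;                 // authoritative-only: refuse recursive queries
    allow-recursion { none; };
    additional-from-cache no;     // never fill the additional section from cache
    allow-query-cache { none; };  // and never answer from the cache at all
};

// Defining "." as a local master zone overrides the built-in root hints, so a
// lookup for a name this server is not authoritative for ends at this empty
// root instead of going out to a.root-servers.net and friends.
zone "." {
    type master;
    file "db.empty-root";
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };       // placeholder hidden master
    file "slaves/example.com.db";
};

// ---- db.empty-root: the root zone contains only itself ----
// $TTL 3600
// @          IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 3600 )
// @          IN NS  localhost.
// localhost. IN A   127.0.0.1
```

Check the result with a query for a name outside your zones: the answer should come back from this server as a referral to the empty root, and a packet capture on the outside interface should show no traffic to the root servers.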
RE: .TLD minimum number of nameservers rule
Or you could simply put a virtual IP address on the same name server (and any NATting required) and put it in as your second at the registrar. That is to say the Registrar would see the same name server with two different names and IPs so wouldn't know it was the same name server.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Anand Buddhdev
Sent: Monday, December 12, 2011 9:32 AM
To: nudge...@fastmail.fm
Cc: bind-us...@isc.org
Subject: Re: .TLD minimum number of nameservers rule

On 12/12/2011 15:19, nudge...@fastmail.fm wrote:

> Sorry if this is slightly off-topic. I've just discovered that the TLD where I've registered my domain requires a minimum of 2 nameservers for any subdomain, which is very sensible but I happen to have a special case on my hands. So I'd like to register a new domain elsewhere where they will allow a single nameserver except... I can't seem to find out what the rules are for other TLDs *before* registering. Some kind advice would be most welcome.

I suspect that most, if not all registries will require you to provide at least 2 name servers, because this is highly recommended in one of the RFCs (forget which one now). It will be quite unusual to find a TLD which allows just one name server for a delegation.

If your special domain doesn't need to be under a TLD, then you can create your own delegation for it in a domain you control, with just one name server if you like.

Regards,
Anand Buddhdev
RIPE NCC
CNAME only zone?
Is it possible to create a zone file that only contains a CNAME?

The request I got is to create a CNAME to point shop4water.com to shop4water.hostedbywebtstore.com. We own shop4water.com - hostedbywebstore.com is something external that we don't own.

I've reviewed past posts and searched the internet. I see things saying "you can't have CNAME only" or "you can" or "you should use DNAME instead" and then others saying that "you can't use CNAME or DNAME with any other record and the SOA itself is a record".

So my basic question is: Is it possible to do this? If so what should the zone file for shop4water.com look like? Is there another way to make queries for shop4water.com go to shop4water.hostedbywebtstore.com?
RE: CNAME only zone?
I don't know what you mean by that. Apex of what exactly - my zone file? I can make a zone file that simply has a CNAME in it with no SOA, serial number etc...? As noted I do not own the target zone so I can't update any records there. Can you tell me exactly what the zone file should look like with the CNAME record at the apex?

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Phil Mayers
Sent: Friday, December 09, 2011 11:41 AM
To: bind-users@lists.isc.org
Subject: Re: CNAME only zone?

On 09/12/11 16:25, Lightner, Jeff wrote:

> Is it possible to create a zone file that only contains a CNAME?

This comes up a lot, it seems.

No. CNAME conflicts with any other record - including the SOA and NS records required at the apex. You will have to put an A record at the apex.
RE: CNAME only zone?
> Also note that other workarounds will solve the same problem in a better way.

Care to enlighten me as to what those workarounds would be?

Also - why is it a registrar can do a CNAME only but we mere mortals can't? In fact documentation from Amazon (it is apparently their web store I've since learned) suggests doing it at the registrar so I'll probably go that route, but I'm wondering why it should work there but not on one of my delegated name servers.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of /dev/rob0
Sent: Friday, December 09, 2011 12:41 PM
To: bind-users@lists.isc.org
Subject: Re: CNAME only zone?

On Friday 09 December 2011 10:25:36 Lightner, Jeff wrote:

> Is it possible to create a zone file that only contains a CNAME?

As already answered, no.

> The request I got is to create a CNAME to point shop4water.com to shop4water.hostedbywebtstore.com.

You can ask your registrar if they can/will do this in the parent com. zone. I have seen ugliness of this type from either Network Solutions or register.com before, not sure which.

> We own shop4water.com - hostedbywebstore.com is something external that we don't own.

Do note that hostedbywebtstore is not the same as hostedbywebstore; we're sticklers for precise spelling.

Also note that other workarounds will solve the same problem in a better way.

-- 
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
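The two zone files side by side, as an added example that is not from the thread and also covers the "www and * but not the domain itself" outcome from the forwarding thread above (example.com stands in for the real zone, the 192.0.2.x addresses are documentation placeholders): the CNAME-at-apex version is rejected because the apex already holds the SOA and NS records, and the working version puts A records at the apex with CNAMEs only at names below it.

```conf
; ---- REJECTED: named-checkzone reports "CNAME and other data" at the apex ----
; The SOA and NS records every zone must carry at its apex count as "other
; data", so a CNAME can never share the apex name with them.
$TTL 3600
@       IN  SOA   ns1.example.com. hostmaster.example.com. ( 2011120901 7200 900 1209600 3600 )
        IN  NS    ns1.example.com.
        IN  NS    ns2.example.com.
        IN  CNAME shop4water.hostedbywebstore.com.

; ---- ACCEPTED: A records at the apex, CNAMEs below it ----
; The apex addresses are placeholders; the real ones come from the vendor,
; and if they change, these records must change with them.
$TTL 3600
@       IN  SOA   ns1.example.com. hostmaster.example.com. ( 2011120902 7200 900 1209600 3600 )
        IN  NS    ns1.example.com.
        IN  NS    ns2.example.com.
        IN  A     192.0.2.10
        IN  A     192.0.2.11
        IN  A     192.0.2.12
        IN  MX 10 mail.example.com.      ; MX lives at the apex too, untouched
ns1     IN  A     192.0.2.1
ns2     IN  A     192.0.2.2
mail    IN  A     192.0.2.5
www     IN  CNAME shop4water.hostedbywebstore.com.
*       IN  CNAME shop4water.hostedbywebstore.com.  ; ftp.example.com etc.; a wildcard
                                                    ; never matches the apex itself
```

Running named-checkzone example.com on each file shows the difference: the first fails to load, the second loads with the serial shown.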
RE: bind 9.2.1 assertion failure
ISC who makes BIND doesn't support it any longer. Mark is with ISC.

What do you have this installed on? It may be something distro specific and if so you may need to get your question answered by whoever provided it to you. For example RedHat Enterprise Linux distributes a modified version of BIND 9.3.x which is also no longer supported by ISC. If you wanted mitigation for the recent attack you'd have to install RedHat's fix to their version. (Alternatively you can download and compile the ISC supported version but at that point RedHat would no longer support your version of BIND.)

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Florian Weimer
Sent: Wednesday, December 07, 2011 1:37 PM
To: Mark Andrews
Cc: bind-us...@isc.org
Subject: Re: bind 9.2.1 assertion failure

* Mark Andrews:

> BIND 9.2.1 was released May 2002 and is no longer supported.

Uhm, there are multiple sources for BIND support. At least one still provides some coverage for BIND 9.2.
RE: Bind 9.9.0b2 inline signing...
You can install Cygwin under Windoze and then get most Linux packages under that. Alternatively you can just install the Windows zip file for BIND and use the dig.exe it provides.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of wbr...@e1b.org
Sent: Monday, November 28, 2011 1:03 PM
To: Todd Snyder
Cc: bind-users-bounces+wbrown=e1b@lists.isc.org; bind-users@lists.isc.org
Subject: RE: Bind 9.9.0b2 inline signing...

Todd wrote on 11/24/2011 11:29:14 AM:

> I don't understand why Windows doesn't include dig by default, even now. Free software hate?

And grep and logrotate! At least the GnuWin32 project has a good version of grep.

Confidentiality Notice: This electronic message and any attachments may contain confidential or privileged information, and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agent responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachments. Please notify the sender immediately by return e-mail or telephone and delete this message from your system.
RE: Question About max-clients-per-query
Not an answer to your basic question but I did want to mention that on most UNIX/Linux terminal sessions you can hit Ctrl-s to stop scrolling and Ctrl-q to resume it.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Alan Shackelford
Sent: Friday, November 18, 2011 10:32 AM
To: bind-users@lists.isc.org
Subject: Question About max-clients-per-query

I had a situation a couple of days ago where a compromised machine in the DMZ portion of my network began sending an incredible number of queries to a couple of the primary internal DNS servers. The traffic was so intense that legitimate queries were unable to get through, or the customer timed out before the response came back. It took me a while to diagnose, because tailing the logs with querylog on was not possible. The data were coming too fast for my terminal to display them. Only after several Ctrl-C commands was I able to escape from the tail, and a portion of the logs was displayed. Only queries from the compromised machine were visible. Nothing else got through during that time period. My customers and bosses are naturally furious.

So is it possible to limit the number of queries for one name from one client, or even better, limit the number in a certain time, or the number of queries in a row from one client? If not we are going to have to be creative with some iptables or firewall rules.

Thanks for any help you can lend.

Alan V. Shackelford
Sr. Systems Software Engineer
The Johns Hopkins University and Johns Hopkins Medical Institutions
Baltimore, Maryland USA
410-735-4773 ashac...@jhmi.edu
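The flood Alan describes is easier to pin down from the query log file than from a scrolling terminal. The following is an added example, not code from the thread or from ISC: it parses BIND 9 "queries" category log lines and flags any client whose query count inside a sliding time window exceeds a threshold, then reports the name that client asked for most. The log lines are constructed, and the window length and threshold are assumptions to tune against your own baseline.

```python
"""Find the client(s) flooding a BIND resolver from its query log.

Added example for the thread above; it is not code from the original post
or from ISC. The log lines are constructed to match the BIND 9 "queries"
category format, and the thresholds are assumptions to tune against your
own baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One BIND 9 querylog line looks like (constructed sample):
#   18-Nov-2011 10:32:00.001 client 10.9.8.7#40000: query: update.evil.example IN A + (10.0.0.53)
# Newer releases insert "@0x..." after "client" and a "(view)" token after the
# port; the pattern tolerates both.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_querylog(lines):
    """Yield (timestamp, client_ip, qname, qtype) for every line that parses;
    lines from other log categories are silently skipped."""
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            yield ts, m.group("ip"), m.group("qname").lower(), m.group("qtype")


def find_floods(lines, window_seconds=60, max_per_window=100):
    """Return {client_ip: stats} for clients that sent more than
    max_per_window queries inside any window_seconds-long interval.

    The peak is found with a sliding window over each client's sorted
    timestamps, so a short burst is caught even if the log spans hours.
    """
    stamps = defaultdict(list)      # client -> [timestamps]
    names = defaultdict(Counter)    # client -> Counter of qnames
    for ts, ip, qname, _ in parse_querylog(lines):
        stamps[ip].append(ts)
        names[ip][qname] += 1

    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        peak, start = 0, 0
        for end, ts in enumerate(times):
            while (ts - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            top_name, top_count = names[ip].most_common(1)[0]
            flagged[ip] = {"peak": peak, "total": len(times),
                           "top_name": top_name, "top_count": top_count}
    return flagged


def make_sample_log():
    """Constructed log: one DMZ host fires 300 queries for the same name in
    30 seconds while three internal clients each ask once; a non-query line
    is mixed in to show it is ignored."""
    base = datetime(2011, 11, 18, 10, 32, 0)
    lines = []
    for i in range(300):
        t = base + timedelta(seconds=i // 10)     # ten queries per second
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.{i % 1000:03d} client 10.9.8.7#{40000 + i}: "
                     f"query: update.evil.example IN A + (10.0.0.53)")
    for i, name in enumerate(["www.example.com", "mail.example.com", "intranet.example.com"]):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.000 client 10.1.1.{20 + i}#{50000 + i}: "
                     f"query: {name} IN A + (10.0.0.53)")
    lines.append("18-Nov-2011 10:32:10.000 lame server resolving 'x.example' (in 'example'?): 192.0.2.1#53")
    return lines


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for ip, stats in find_floods(SAMPLE_LOG).items():
        print(f"{ip}: peak {stats['peak']}/60s, {stats['total']} total, "
              f"top name {stats['top_name']} x{stats['top_count']}")
```

Feed it a saved slice of the log rather than a live tail. Once the source is known, an iptables DROP for that address stops the traffic before it reaches named; BIND releases after this thread also added response rate limiting, which did not exist when it was written.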
RE: DNS Sinkhole in BIND
Rather a late response I think. When I set up the rules I spoke about, RPZ was just a gleam in someone's eyes. My post discussed the relative merit of iptables vs. blackholes and didn't mention RPZ. RPZ may be a better solution but it requires one to stop and upgrade BIND to get it.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Michelle Konzack
Sent: Wednesday, October 26, 2011 9:01 PM
To: bind-users@lists.isc.org
Subject: Re: DNS Sinkhole in BIND

Hello Lightner, Jeff,

On 2011-10-17 13:28:43, you hacked down the following:
> While setting up blackholes in BIND works fine when I did this on Linux I found that setting up iptables to do drops for known bad IPs/ranges was slightly better as the traffic never gets to BIND in the first place as it is stopped at kernel level. It simply DROPs the packet without telling the bad guys why packets didn't go through.
>
> Example rules for various IPs that have annoyed me in the past:
>
>     -A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
>     -A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
>     -A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
>     -A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
>     -A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP

...and you get the hell on your ass if you have several 1000 of them!

In this case, bind9 with RPZ is cheaper.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
Debian GNU/Linux Consultant
Development of Intranet and Embedded Systems with Debian GNU/Linux
Internet Service Provider, Cloud Computing
http://www.itsystems.tamay-dogan.net/
RE: DNS Sinkhole in BIND
While setting up blackholes in BIND works fine when I did this on Linux I found that setting up iptables to do drops for known bad IPs/ranges was slightly better as the traffic never gets to BIND in the first place as it is stopped at kernel level. It simply DROPs the packet without telling the bad guys why packets didn't go through.

Example rules for various IPs that have annoyed me in the past:

    -A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
    -A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
    -A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
    -A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
    -A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP

Of course you can do ranges as well in iptables.

Also you should be sure that you're restricting things like recursion and cache to trusted environments (i.e. internal lookups) while still allowing lookups for domains you're authoritative for to the outside.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of TCPWave Customer Care
Sent: Sunday, October 16, 2011 7:43 PM
To: babu dheen
Cc: bind-users@lists.isc.org
Subject: Re: DNS Sinkhole in BIND

Babu

The following example defines two access control lists and uses an options statement to define how they are treated by the nameserver:

    acl black-hats { 10.0.2.0/24; 192.168.0.0/24; };
    acl red-hats { 10.0.1.0/24; };

    options {
        blackhole { black-hats; };
        allow-query { red-hats; };
        allow-recursion { red-hats; };
    };

This example contains two access control lists, black-hats and red-hats. Hosts in the black-hats list are denied access to the nameserver, while hosts in the red-hats list are given normal access.

Regards
TCPWave Customer Care

On Sun, 2011-10-16 at 23:30 +0530, babu dheen wrote:
> Hi,
>
> Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit edition.
>
> Regards
> babu
RE: DNS Sinkhole in BIND
I'm confused: does the OP want to block or does he want to redirect? "block/redirect" are two different things. What I wrote will block. If he wants to redirect that's fine but I don't think he'd want to redirect to his real webserver. Why send bogus traffic there and also take the risk that being so directed the bad user will be able to hack? Dropping the packet in DNS stops it cold. (Not saying they can't get to web servers via legitimate paths but it appears the OP has known malefactors.)

Is the OP building a honeypot?

From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Ryan Novosielski
Sent: Monday, October 17, 2011 3:52 PM
To: babu dheen; Bind Users Mailing List; c...@cam.ac.uk
Subject: Re: DNS Sinkhole in BIND

I do this. There may now be a smarter way, but I have a small number so this is manageable for me: configure zones for each of the evil zones. Your server will appear authoritative and you can direct clients wherever you like. I direct some of mine to a virtualhost handing out 503 errors.

--
Sent from my Palm Pre

On Oct 17, 2011 13:46, babu dheen <babudh...@yahoo.co.in> wrote:
> You are absolutely correct Chris.. I want to block/redirect all malware domain requests initiated by clients by setting up DNS SINKHOLE in Redhat BIND server.
>
> --- On Mon, 17/10/11, Chris Thompson <c...@cam.ac.uk> wrote:
>> On Oct 16 2011, babu dheen wrote:
>>> Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit edition.
>>
>> All the replies to this so far seem to assume that he wants to block evil entities from using his nameservers. But Google seems to suggest that DNS Sinkhole usually refers to redirecting names that are being used for evil purposes to e.g. a local monitoring station - not the same thing at all.
>>
>> --
>> Chris Thompson
>> Email: c...@cam.ac.uk
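Chris's distinction is the crux of this thread: an ACL blackhole decides who may use the resolver, while a sinkhole decides what the answer for a bad name looks like. Since RPZ came up as the cheaper way to do the latter at scale, here is an added example, not code from any of the posters or from ISC, that builds a BIND response policy zone doing both things Ryan mentions: CNAME . makes the resolver return NXDOMAIN for names to block outright, and an A record sends names to redirect to a local sinkhole or monitoring host. The zone name rpz.local, the sinkhole address 192.0.2.10 and the domain list are constructed assumptions; the last function prints the named.conf lines that activate the zone. RPZ needs BIND 9.8 or later.

```python
"""Generate a BIND Response Policy Zone (RPZ) that blocks some names and
sinkholes (redirects) others.

Added example for the sinkhole thread above; it is not code from any of the
posters or from ISC. The domain list, the zone name rpz.local and the sinkhole
address 192.0.2.10 (documentation range) are constructed assumptions.
"""

ACTIONS = {
    "block":    "CNAME .",     # client gets NXDOMAIN: "stops it cold"
    "nodata":   "CNAME *.",    # client gets NOERROR with an empty answer
    "redirect": None,          # client gets an A record for the sinkhole / monitoring host
}


def rpz_records(domain, action, sinkhole=None):
    """Return the two RPZ records (the name and its wildcard) for one domain.

    Owner names are written relative to the policy zone's $ORIGIN, which is
    how RPZ triggers on the queried name: evil.example under rpz.local fires
    for QNAME evil.example and, via the wildcard, for anything below it.
    """
    d = domain.strip().rstrip(".").lower()
    labels = d.split(".")
    if not d or any(not l for l in labels) or len(d) > 253 or any(len(l) > 63 for l in labels):
        raise ValueError(f"not a usable domain name: {domain!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action == "redirect":
        if not sinkhole:
            raise ValueError("redirect needs a sinkhole address")
        rdata = f"A {sinkhole}"
    else:
        rdata = ACTIONS[action]
    return [f"{d} {rdata}", f"*.{d} {rdata}"]


def build_rpz_zone(policies, sinkhole, serial, origin="rpz.local", ns="localhost."):
    """Return the text of a complete policy zone file.

    policies: iterable of (domain, action) with action in ACTIONS.
    The SOA/NS are placeholders: a policy zone is consulted by the resolver
    itself and never needs to be reachable by anyone else.
    """
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA {ns} hostmaster.{origin}. ( {serial} 3600 900 604800 300 )",
        f"@ IN NS {ns}",
    ]
    seen = set()
    for domain, action in policies:
        for rec in rpz_records(domain, action, sinkhole):
            if rec not in seen:        # a domain listed twice yields one record
                seen.add(rec)
                lines.append(rec)
    return "\n".join(lines) + "\n"


def named_conf_snippet(origin="rpz.local", zonefile="/var/named/rpz.local.db"):
    """named.conf pieces that switch the policy on: load the zone like any
    other master zone and name it under response-policy inside the existing
    options block (response-policy is an options substatement)."""
    return "\n".join([
        f'zone "{origin}" {{',
        "    type master;",
        f'    file "{zonefile}";',
        "    allow-query { localhost; };   // clients never need to query the policy zone itself",
        "};",
        "",
        "// inside the existing options { ... } block:",
        f'response-policy {{ zone "{origin}"; }};',
    ]) + "\n"


# Constructed policy list: block the C2 names outright and send the phishing
# host to a local monitoring station, the redirect Chris describes.
SAMPLE_POLICIES = [
    ("evil.example", "block"),
    ("c2.botnet.example", "block"),
    ("phish.example", "redirect"),
]

if __name__ == "__main__":
    print(build_rpz_zone(SAMPLE_POLICIES, sinkhole="192.0.2.10", serial=2011101701))
    print(named_conf_snippet())
```

Bump the serial and `rndc reload` the policy zone whenever the list changes; because the resolver answers from the policy zone without contacting the real authority, the redirected clients never reveal to the malware operator that they have been sinkholed.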
RE: host versus nslookup
One thing that is different about nslookup on HP-UX (which doesn't have host) is that it actually respects nsswitch.conf so will give you results from /etc/hosts OR from name services whereas most implementations only do it from name services.

Nslookup is deprecated meaning you should use host where possible. Also for DNS troubleshooting dig is a much better tool than nslookup or host.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Martin McCormick
Sent: Wednesday, October 12, 2011 1:22 PM
To: 'bind-users@lists.isc.org'; mar...@dc.cis.okstate.edu
Subject: host versus nslookup

Many years ago, various flavors of unix began distributing a utility called host which did almost the same thing as nslookup. Host is what I use most of the time, now, and I actually thought that nslookup on unix systems was maybe going away. A coworker recently asked me about nslookup on our FreeBSD system and I verified the behavior he was asking about. Other than a different output format, what are the advantages of having both host and nslookup? On the FreeBSD system in question, nslookup is definitely a different binary than is host so one is not hard-linked to the other.

The behavior he was asking about was simply that all foreign domains that one looks up with nslookup report as non-authoritative since the DNS one is using is not authoritative for, say, microsoft.com or yahoo.com. This is not a problem. I am just curious.

Many thanks.

Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
RE: host versus nslookup
So hitting yourself in the head with a shovel is better? :p

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of David Miller
Sent: Wednesday, October 12, 2011 4:08 PM
To: bind-users@lists.isc.org
Subject: Re: host versus nslookup

On 10/12/2011 3:01 PM, Kevin Darcy wrote:
> On 10/12/2011 1:21 PM, Martin McCormick wrote:
>> Many years ago, various flavors of unix began distributing a utility called host which did almost the same thing as nslookup. Host is what I use most of the time, now, and I actually thought that nslookup on unix systems was maybe going away. A coworker recently asked me about nslookup on our FreeBSD system and I verified the behavior he was asking about. Other than a different output format, what are the advantages of having both host and nslookup? On the FreeBSD system in question, nslookup is definitely a different binary than is host so one is not hard-linked to the other.
>>
>> The behavior he was asking about was simply that all foreign domains that one looks up with nslookup report as non-authoritative since the DNS one is using is not authoritative for, say, microsoft.com or yahoo.com. This is not a problem. I am just curious.
>
> nslookup has lots of problems. Four that I can cite off the top of my head:
>
> 1) most versions of nslookup will stop dead in their tracks if they can't reverse-resolve the name of whatever resolver they're trying to use (even though that's basically irrelevant to the actual lookup that the user requested)
>
> 2) nslookup will by default use a searchlist, but it does this completely invisibly by default (unless a debugging option is turned on), and thus will often mis-represent the real result of the query (e.g. you look up foo.example1.com, that gets a SERVFAIL, then unbeknownst to the user, nslookup tries the searchlist'ed name foo.example1.com.example2.com and reports the resulting NXDOMAIN as the final error of the lookup, thus obscuring the real error -- SERVFAIL)
>
> 3) the default output format of nslookup doesn't distinguish the result of the query from the identity of the resolver clearly enough, so unsophisticated users will often think that the name they're looking up actually resolves to the address of the DNS resolver, and much hilarity ensues (mis-routed trouble tickets, drama, confusion, etc.)
>
> 4) some versions of nslookup display atypical DNS responses (e.g. dangling CNAMEs, referrals) in very confusing, non-intuitive ways.
>
> - Kevin

Use dig. Always use dig. If dig isn't installed - install dig and then use dig. Make dig part of your default set of packages on all boxes.

host vs nslookup? is asking whether you should hit yourself in the head with a small or large hammer. Put down the hammer and use dig.

-DMM
RE: Master and slave on same host
What do you mean you can't have additional IPs? Even if you don't have other network connections you can use virtual IPs on a single NIC. I have one server (not DNS) that has 30 virtual IPs on a single NIC.

From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Joseph L. Casale
Sent: Tuesday, October 11, 2011 9:17 AM
To: 'bind-users@lists.isc.org'
Subject: Master and slave on same host

I have an RHEL server running Bind 9.7 that needs to have a zone set to master and slave between two views. I don't have the luxury of an additional IP, is this still possible with a single ip address?

Thanks!
jlc
RE: CNAME or A record?
What you responded to below was simply my agreement that one doesn't use DNS for web redirects. I didn't suggest he doesn't still need two records to get there in the first place. I should think it was clear from my original post in the thread that I was saying he should have two records and that my preference was A records.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of wbr...@e1b.org
Sent: Wednesday, September 28, 2011 7:17 PM
To: Lightner, Jeff
Cc: bind-us...@isc.org
Subject: RE: CNAME or A record?

All true, but if you don't have some sort of DNS record for both example.com and www.example.com, then all the rewrite rules in the world won't help. For all we know, the web server doesn't care what the URL is since it is the only site hosted on that server and answers to all GETs.

Jeff wrote on 09/28/2011 10:51:08 AM:
> +1
>
> All of our redirects are either done by rewrite rules in Apache or Jboss or on our load balancer. We don't do any in DNS.
>
> From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of ??
> Sent: Wednesday, September 28, 2011 10:43 AM
> To: feralert
> Cc: bind-us...@isc.org
> Subject: Re: CNAME or A record?
>
> this is the stuff what should be done by webserver rather than by DNS. i.e. Apache rewrite will do that.
>
> On 2011-9-28 at 10:29 PM, feralert <feral...@gmail.com> wrote:
>> Hi all,
>>
>> I'm sure this has been asked trillions of times but since I couldn't find any concrete answer/reference in google I am asking you guys in this list. Sorry if anyone thinks this a dumb question or something very obvious.
>>
>> The thing is that i want users redirected to 'www.domain.com' even when they just type the domain name 'domain.com'. In order to do so I am not sure if its best to have one A RR for each or have an A RR for the domain and a CNAME RR pointing to 'domain.com' for 'www.domain.com'.
>>
>>     domain.com      A     1.1.1.1
>>     www.domain.com  A     1.1.1.1
>>
>> OR
>>
>>     domain.com      A     1.1.1.1
>>     www.domain.com  CNAME domain.com
>>
>> Any help appreciated.
>>
>> Thanks,
>> Fred
RE: resolv record without domain
Right - the issue here is the lookup not the DNS record itself. On UNIX/Linux hosts the file is /etc/resolv.conf.

However, I do see a DNS configuration issue here as well. There should NOT be a dot after name in the A record - that tells it NOT to append the domain name.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Warren Kumari
Sent: Thursday, September 29, 2011 9:43 AM
To: Gabriele Gabriele
Cc: bind-users@lists.isc.org
Subject: Re: resolv record without domain

On Sep 29, 2011, at 9:25 AM, Gabriele Gabriele wrote:
> Hello dear mailinglist,
>
> I have a little problem with my bind configuration, let me explain the situation. I have a domain example.com with many records and everything works well, now I need to resolve a name of my servers without specifying the domain, for example;
>
>     name. IN A 1.1.1.1
>
> but if I try to resolve name by nslookup the dns told me the record Non-Exist... is there a way to do it?

Not 100% sure I understand the question, but what I think you need is a search path.

In a linux box, add:

    search example.com

to resolv.conf.

On a mac it's under Network Preferences, Interface, Search Domains. somewhere similar on Windows.

You can also hand this out via DHCP:

    option domain-search example.com;

W

> thanks
> best regards
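Kevin's second point in the host-versus-nslookup thread and Gabriele's question here are the same mechanism seen from two sides: an unqualified name is looked up through the resolv.conf search list, and which candidate is tried first depends on how many dots the name has compared with ndots. The block below is an added example, not code from any poster, that models that order the way the glibc resolver does it and adds a small simulation of the effect Kevin describes, where a SERVFAIL on the real name is hidden behind an NXDOMAIN for a search-list name nobody asked about. The resolv.conf text and the table of canned answers are constructed. With Warren's `search example.com`, `name` is tried as `name.example.com.` first, which is why that setting makes the lookup work.

```python
"""Show what a stub resolver actually looks up when a name is not fully
qualified: the resolv.conf 'search' list and 'options ndots:' decide the
order of candidates, and a tool that walks that list silently can report
the last candidate's error instead of the first one's.

Added example serving the two threads above (host versus nslookup, and
"resolv record without domain"); it is not code from any poster. The
resolv.conf text and the canned answer table are constructed, and the
ordering rule is the glibc one (ndots reached: try the name as given first).
"""

SAMPLE_RESOLV_CONF = """\
# constructed /etc/resolv.conf
nameserver 10.0.0.53
search example.com
options ndots:1 timeout:2
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains, ndots).

    A later 'search' or 'domain' line replaces an earlier one, as glibc does.
    """
    nameservers, search, ndots = [], [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search = [a.rstrip(".").lower() for a in args]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = max(0, int(opt.split(":", 1)[1]))
    return nameservers, search, ndots


def candidate_names(name, search, ndots=1):
    """Fully qualified names the resolver tries, in order.

    A trailing dot means "as given, nothing appended". Otherwise, if the name
    already has at least ndots dots, it is tried as an absolute name first and
    the search suffixes are appended only if that fails; with fewer dots the
    suffixes are tried first and the bare name last.
    """
    name = name.lower()
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{d}." for d in search if d]
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]


def resolve_with_search(name, search, answers, ndots=1):
    """Walk the candidates against a table of canned rcodes (standing in for
    real queries) and return (reported_rcode, trace).

    Stops at the first NOERROR. Otherwise the rcode of the *last* candidate is
    what the user sees, which is how a SERVFAIL on the real name ends up
    reported as NXDOMAIN for a search-list name nobody asked about.
    """
    trace = []
    for fqdn in candidate_names(name, search, ndots):
        rcode = answers.get(fqdn, "NXDOMAIN")
        trace.append((fqdn, rcode))
        if rcode == "NOERROR":
            return rcode, trace
    return trace[-1][1], trace


if __name__ == "__main__":
    _, search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("name ->", candidate_names("name", search, ndots))
    # Kevin's case: the real name SERVFAILs, the search-list name NXDOMAINs
    print(resolve_with_search("foo.example1.com", ["example2.com"],
                              {"foo.example1.com.": "SERVFAIL"}))
```

This is also why dig is the better troubleshooting tool: it sends exactly the name you type (no search list unless you pass +search) and prints the rcode of that one query.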
RE: CNAME or A record?
If you set your SOA properly to use @ (which means this zone) your A records should be:

    domain.com.  A  1.1.1.1
    www          A  1.1.1.1

The SOA should append the domain.com to every record not terminated by a dot so that www is read as www.domain.com. Similarly you put a dot at the end of domain.com A record to prevent it from being appended and read as domain.com.domain.com.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of feralert
Sent: Wednesday, September 28, 2011 10:20 AM
To: bind-us...@isc.org
Subject: CNAME or A record?

Hi all,

I'm sure this has been asked trillions of times but since I couldn't find any concrete answer/reference in google I am asking you guys in this list. Sorry if anyone thinks this a dumb question or something very obvious.

The thing is that i want users redirected to 'www.domain.com' even when they just type the domain name 'domain.com'. In order to do so I am not sure if its best to have one A RR for each or have an A RR for the domain and a CNAME RR pointing to 'domain.com' for 'www.domain.com'.

    domain.com      A     1.1.1.1
    www.domain.com  A     1.1.1.1

OR

    domain.com      A     1.1.1.1
    www.domain.com  CNAME domain.com

Any help appreciated.

Thanks,
Fred
RE: CNAME or A record?
+1

All of our redirects are either done by rewrite rules in Apache or Jboss or on our load balancer. We don't do any in DNS.

From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of ??
Sent: Wednesday, September 28, 2011 10:43 AM
To: feralert
Cc: bind-us...@isc.org
Subject: Re: CNAME or A record?

this is the stuff what should be done by webserver rather than by DNS. i.e. Apache rewrite will do that.

On 2011-9-28 at 10:29 PM, feralert <feral...@gmail.com> wrote:
> Hi all,
>
> I'm sure this has been asked trillions of times but since I couldn't find any concrete answer/reference in google I am asking you guys in this list. Sorry if anyone thinks this a dumb question or something very obvious.
>
> The thing is that i want users redirected to 'www.domain.com' even when they just type the domain name 'domain.com'. In order to do so I am not sure if its best to have one A RR for each or have an A RR for the domain and a CNAME RR pointing to 'domain.com' for 'www.domain.com'.
>
>     domain.com      A     1.1.1.1
>     www.domain.com  A     1.1.1.1
>
> OR
>
>     domain.com      A     1.1.1.1
>     www.domain.com  CNAME domain.com
>
> Any help appreciated.
>
> Thanks,
> Fred
RE: CNAME or A record?
Right – for simple domains I think having separate A records is best as I wrote. Many more complex domains (do digs on www.google.com, www.yahoo.com and www.microsoft.com) use CNAME records but often enough it is because they aren't actually using a www.example.com pointing directly to example.com but rather to other servers in their domains.

From: Ben Croswell [mailto:ben.crosw...@gmail.com]
Sent: Wednesday, September 28, 2011 10:48 AM
To: feralert
Cc: bind-us...@isc.org; bind-users@lists.isc.org; Lightner, Jeff
Subject: Re: CNAME or A record?

Either is fine. Using the cname would require a single update if your ip changes, but prevents other records at the same level. So you couldn't attach mx for instance at example.com and www.example.com if you wanted to. Neither is wrong and both have pros and cons

-Ben Croswell

On Sep 28, 2011 10:43 AM, feralert <feral...@gmail.com> wrote:

Thanks Jeff,

But I really only wrote that as an example :) . The real question is what is best or what is recommended, two A RR (one for domain, one for www) or a single A RR for domain and a CNAME RR for www, is one way better than the other or can I choose either way?

Cheers!,
Fred.

On Wed, Sep 28, 2011 at 4:30 PM, Lightner, Jeff <jlight...@water.com> wrote:

If you set your SOA properly to use @ (which means this zone) your A records should be:

    domain.com.    A    1.1.1.1
    www            A    1.1.1.1

The SOA should append the domain.com to every record not terminated by a dot so that www is read as www.domain.com. Similarly you put a dot at the end of the domain.com A record to prevent it from being appended and read as domain.com.domain.com.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of feralert
Sent: Wednesday, September 28, 2011 10:20 AM
To: bind-us...@isc.org
Subject: CNAME or A record?

Hi all,

I'm sure this has been asked trillions of times but since I couldn't find any concrete answer/reference in google I am asking you guys in this list. Sorry if anyone thinks this a dumb question or something very obvious.

The thing is that I want users redirected to 'www.domain.com' even when they just type the domain name 'domain.com'. In order to do so I am not sure if it's best to have one A RR for each or have an A RR for the domain and a CNAME RR pointing to 'domain.com' for 'www.domain.com'.

    domain.com        A      1.1.1.1
    www.domain.com    A      1.1.1.1

OR

    domain.com        A      1.1.1.1
    www.domain.com    CNAME  domain.com

Any help appreciated.

Thanks,
Fred

Athena(r), Created for the Cause(tm)
Making a Difference in the Fight Against Breast Cancer

CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
RE: Delegation check failed
I think it is safe to say the issue is the iis.se site is broken so far as delegation test goes. Another user reported to me that he had several domains return the same thing at this site.

Thanks everyone for the replies.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Niall O'Reilly
Sent: Wednesday, September 21, 2011 5:26 AM
To: bind-users
Subject: Re: Delegation check failed

On 21 Sep 2011, at 02:08, Kevin Oberman wrote:

dig confirms that .com had the glue for water.com.

As does dnscheck.iis.se. Indeed, none of the test history (5 tests, today and yesterday) archived for water.com at this site shows any delegation problem. Only a warning is shown against the SOA: Failed to connect to smtpbh1.water.com (12.44.84.193). I guess that this means that an MX host is protected in some way.

Is there some other dnscheck that people are using, and which is causing confusion?

ATB
Niall O'Reilly

Proud partner. Susan G. Komen for the Cure.
Please consider our environment before printing this e-mail or attachments.
RE: Delegation check failed
I was the one asking about water.com. I'd started a separate thread hoping not to tromp on the OP of the earlier thread but apparently didn't succeed.

I know the reason for the SOA/MX report so never asked about that. I did ask about the delegation messages but at this point as noted earlier I'm fairly convinced it is a bug in the way they do the test at iis.se rather than an actual issue. (Believe me - I'd HEAR VERY QUICKLY if water.com became inaccessible from the internet.) I was asking the question to see if there was a tweak I needed but based on responses I don't think so.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Kevin Oberman
Sent: Wednesday, September 21, 2011 12:30 PM
To: Niall O'Reilly
Cc: bind-users
Subject: Re: Delegation check failed

On Wed, Sep 21, 2011 at 2:25 AM, Niall O'Reilly <niall.orei...@ucd.ie> wrote:

On 21 Sep 2011, at 02:08, Kevin Oberman wrote:

dig confirms that .com had the glue for water.com.

As does dnscheck.iis.se. Indeed, none of the test history (5 tests, today and yesterday) archived for water.com at this site shows any delegation problem. Only a warning is shown against the SOA: Failed to connect to smtpbh1.water.com (12.44.84.193). I guess that this means that an MX host is protected in some way.

Is there some other dnscheck that people are using, and which is causing confusion?

Matt,

Are you running the Undelegated domain test or just the default Domain test? Only the Undelegated domain test is showing the error. It is still reporting it now.

Nameserver dswadns1.water.com is listed for zone water.com without address information.
Nameserver dswadns2.water.com is listed for zone water.com without address information.

The SOA issue is sort of real. The preferred MX for the SOA contact is smtpbh1.water.com and attempts to connect to port 25 on that system time out, as does an attempt to smtpbh2. But smtp.water.com is fine so I don't think this an appropriate report, either.

Again, the gtld servers do have the required glue.

; <<>> DiG 9.8.1 <<>> ns +norecurse water.com. @f.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55373
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;water.com.                     IN      NS

;; AUTHORITY SECTION:
water.com.              172800  IN      NS      dswadns1.water.com.
water.com.              172800  IN      NS      dswadns2.water.com.

;; ADDITIONAL SECTION:
dswadns1.water.com.     172800  IN      A       12.44.84.213
dswadns2.water.com.     172800  IN      A       12.44.84.214

;; Query time: 39 msec
;; SERVER: 192.35.51.30#53(192.35.51.30)
;; WHEN: Wed Sep 21 09:28:37 2011
;; MSG SIZE  rcvd: 105

Still looks like a bug in dnscheck to me.
--
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@gmail.com
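The check dnscheck is running can be reproduced offline from a referral like the one Kevin pasted. This is an added example, not code from the thread or from dnscheck: it reads dig's AUTHORITY and ADDITIONAL sections and flags any in-bailiwick nameserver that arrives without an address record; the second, glue-less referral is constructed for contrast.

```python
# Referral for water.com as Kevin's dig run above printed it.
WATER_COM_REFERRAL = """\
; <<>> DiG 9.8.1 <<>> ns +norecurse water.com. @f.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55373
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;water.com.                     IN      NS

;; AUTHORITY SECTION:
water.com.              172800  IN      NS      dswadns1.water.com.
water.com.              172800  IN      NS      dswadns2.water.com.

;; ADDITIONAL SECTION:
dswadns1.water.com.     172800  IN      A       12.44.84.213
dswadns2.water.com.     172800  IN      A       12.44.84.214

;; Query time: 39 msec
;; SERVER: 192.35.51.30#53(192.35.51.30)
;; WHEN: Wed Sep 21 09:28:37 2011
;; MSG SIZE  rcvd: 105
"""

# Constructed for contrast: the same delegation with no glue in the referral.
NO_GLUE_REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;water.com.                     IN      NS

;; AUTHORITY SECTION:
water.com.              172800  IN      NS      dswadns1.water.com.
water.com.              172800  IN      NS      dswadns2.water.com.
"""


def parse_dig_referral(output):
    """Return (ns_names, glue): the NS targets from the AUTHORITY section
    and a map of host name -> set of A/AAAA addresses from ADDITIONAL."""
    section, ns_names, glue = None, [], {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1]           # QUESTION, AUTHORITY, ADDITIONAL
            continue
        if not line or line.startswith(";"):    # comments, header, question
            continue
        fields = line.split()
        if len(fields) < 5:                     # owner ttl class type rdata
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4]
        if section == "AUTHORITY" and rtype == "NS":
            ns_names.append(rdata.lower())
        elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    return ns_names, glue


def missing_glue(zone, ns_names, glue):
    """Nameservers inside the zone (in-bailiwick) that have no address in
    the referral. A resolver cannot reach those without glue; out-of-zone
    nameservers are resolved on their own and are skipped here."""
    zone = zone.lower().rstrip(".") + "."

    def in_zone(ns):
        return ns == zone or ns.endswith("." + zone)

    return [ns for ns in ns_names if in_zone(ns) and not glue.get(ns)]


def report(zone, output):
    """dnscheck-style messages for one dig referral; empty when glue is complete."""
    ns_names, glue = parse_dig_referral(output)
    return [f"Nameserver {ns.rstrip('.')} is listed for zone {zone.rstrip('.')} "
            "without address information."
            for ns in missing_glue(zone, ns_names, glue)]


if __name__ == "__main__":
    for label, text in (("with glue", WATER_COM_REFERRAL), ("no glue", NO_GLUE_REFERRAL)):
        print(f"{label}: {report('water.com', text) or 'delegation OK'}")
```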
RE: One IP in multiple zones
One thing we do is create a single alias zone with generic information in it to have multiple zones all go to the same IP. Typically the main zone we'll put in its own zone file and have named.conf associate that zone with that zone file. For other zones we tell named.conf to point to the alias zone file:

Something like:

@       IN SOA  ns1.example.com. techuser.example.com. (
                2011091902 ; serial
                10800      ; refresh
                3600       ; retry
                604800     ; expire
                86400 )    ; Minimum TTL
;
; Name Servers
;
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.
;
; Mail Servers
;
        IN MX   10 mail.example.com. ; Primary MX BH
        IN MX   30 mail.example.com. ; Primary MX BH
;
; Addresses
;
;
@       IN A    192.168.1.1
;
www     IN A    192.168.1.1
;

Any domain in named.conf pointing to this alias zone will be substituted automatically for the @ seen in this file whenever a lookup occurs. So if named.conf sent examplestore.com to the alias file it would see that examplestore.com and www.examplestore.com are both at 192.168.1.1. If named.conf also sent examplesite.com to the file then it would see that examplesite.com and www.examplesite.com are both at 192.168.1.1 as well.

As noted by someone else you should only have one PTR record (we keep that in a separate arpa zone) that points to your primary domain.

Note that in the above the NS (name server) and MX (mail) records point to your regular mail and name servers in a primary domain and are not relative to the alias domains like the www is.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Chuck Swiger
Sent: Wednesday, September 21, 2011 4:15 PM
To: Adamiec, Lawrence
Cc: bind-users@lists.isc.org
Subject: Re: One IP in multiple zones

On Sep 21, 2011, at 12:56 PM, Adamiec, Lawrence wrote:

Is it possible to have one IP in multiple zone files for forward lookups?

Yes.

What type of troubles would be encountered?

None. This sort of thing is very commonly done, for example with shared/virtual webservers.

Regards
--
-Chuck
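As an added example (not from either post, and not how named is implemented) covering both the alias-zone substitution Jeff describes here and Ben Croswell's point in the "CNAME or A record?" thread above: a small zone-file reader that qualifies names against the origin named.conf supplies, then flags any owner that holds a CNAME alongside another record. The zone with an MX at www is constructed to trigger that conflict.

```python
import re
from collections import defaultdict

# Alias zone from the post above (layout as reconstructed there).
ALIAS_ZONE = """\
@   IN SOA ns1.example.com. techuser.example.com. (
        2011091902 ; serial
        10800      ; refresh
        3600       ; retry
        604800     ; expire
        86400 )    ; Minimum TTL
    IN NS  ns1.example.com.
    IN NS  ns2.example.com.
    IN MX  10 mail.example.com.
    IN MX  30 mail.example.com.
@   IN A   192.168.1.1
www IN A   192.168.1.1
"""

# feralert's two variants; the MX at www is constructed to show the conflict.
TWO_A_ZONE = """\
@   IN A     1.1.1.1
www IN A     1.1.1.1
"""
CNAME_MX_ZONE = """\
@   IN A     1.1.1.1
www IN CNAME domain.com.
www IN MX    10 mail
"""


def qualify(name, origin):
    """'@' is the origin, a name without a trailing dot gets the origin
    appended, and a name ending in '.' is absolute and left alone."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples with owner names qualified against
    origin. A line starting with whitespace reuses the previous owner;
    ';' comments are stripped and the parenthesised SOA is joined. Only
    NS/CNAME/PTR/MX targets are qualified, other rdata is kept verbatim."""
    origin = origin if origin.endswith(".") else origin + "."
    no_comments = "\n".join(l.split(";", 1)[0] for l in text.splitlines())
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()),
                    no_comments)
    records, owner = [], None
    for line in joined.splitlines():
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                 # $TTL, $INCLUDE: not needed here
            continue
        fields = line.split()
        if not line[0].isspace():
            owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit()                          # optional TTL
                          or fields[0].upper() in ("IN", "CH", "HS")):  # class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        records.append((owner, rtype, " ".join(rdata)))
    return records


def cname_conflicts(records):
    """Owners holding a CNAME next to any other type (forbidden by RFC 1034
    section 3.6.2; named refuses to load such a zone)."""
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)
    return sorted(o for o, t in types_at.items() if "CNAME" in t and len(t) > 1)


def main():
    for origin in ("examplestore.com", "examplesite.com"):
        print(f"--- alias zone loaded for {origin}")
        for owner, rtype, rdata in parse_zone(ALIAS_ZONE, origin):
            print(f"{owner:26} {rtype:5} {rdata}")
    print("conflicts, two A records:", cname_conflicts(parse_zone(TWO_A_ZONE, "domain.com")))
    print("conflicts, CNAME + MX at www:", cname_conflicts(parse_zone(CNAME_MX_ZONE, "domain.com")))


if __name__ == "__main__":
    main()
```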
Delegation check failed
Can someone give me a better explanation of why this is saying my delegation failed than the FAQ does?

In a separate thread I saw this recommendation to another user:

I think the checking tool at http://dnscheck.iis.se/?test=undelegated may be what you need. You may find it useful to read the explanation at http://dnscheck.iis.se/?faq=1&test=undelegated#f16 before running a test. Another good checking tool may be found at www.zonecheck.fr, but it's less obvious (to me) how to use it for your immediate purpose.

On going there and testing water.com domain I see:

Delegation
· Nameserver dswadns1.water.com is listed for zone water.com without address information.
· Nameserver dswadns2.water.com is listed for zone water.com without address information.

However, it clearly found the IPs of these name servers. The IPs were entered at the registrar some years ago and lookups of our domains work fine. Additionally whois shows the correct IPs for the above name servers being returned by the Registrar.

My zone file has A records with the correct IPs as shown below:

            IN NS   dswadns1.water.com.
            IN NS   dswadns2.water.com.
dswadns1    IN A    12.44.84.213
dswadns2    IN A    12.44.84.214

So I'm curious what exactly the above delegation messages are trying to tell me. The description in the FAQ doesn't really seem illuminating to me.

__
Jeffrey C. Lightner
Sr. UNIX Administrator
DS Waters of America, Inc.
5660 New Northside Drive NW
Suite 250
Atlanta, GA 30328
P: 678-486-3516
C: 678-772-0018
F: 770-937-7360
E: jlight...@water.com
RE: Delegation check failed
I didn't specify the IPs but it found them - that is to say when I input my first DNS server it automatically populated the IP address field. This was on the iis.se site as I noted in my original post.

My read of glue records is that they are A records within a zone file for DNS servers that are part of the same domain as the zone being described. Based on that my glue records in water.com zone file for domain water.com in zone file water.com do exist as shown in my original post:

dswadns1    IN A    12.44.84.213
dswadns2    IN A    12.44.84.214

Also it seems Glue records are only necessary for subdomains and I'm not using a subdomain here - I'm not trying to delegate to any subdomain.

So both my Registrar and I have things associating dswadns1.water.com with IP 12.44.84.213 and dswadns2.water.com with 12.44.84.214. I'm still mystified as to what the delegation message is trying to tell me.

-----Original Message-----
From: Matthew Seaman [mailto:m.sea...@infracaninophile.co.uk]
Sent: Tuesday, September 20, 2011 11:52 AM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: Delegation check failed

On 20/09/2011 14:25, Lightner, Jeff wrote:

On going there and testing water.com domain I see:

Delegation
* Nameserver dswadns1.water.com is listed for zone water.com without address information.
* Nameserver dswadns2.water.com is listed for zone water.com without address information.

However, it clearly found the IPs of these name servers. The IPs were entered at the registrar some years ago and lookups of our domains work fine. Additionally whois shows the correct IPs for the above name servers being returned by the Registrar.

My zone file has A records with the correct IPs as shown below:

            IN NS   dswadns1.water.com.
            IN NS   dswadns2.water.com.
dswadns1    IN A    12.44.84.213
dswadns2    IN A    12.44.84.214

So I'm curious what exactly the above delegation messages are trying to tell me. The description in the FAQ doesn't really seem illuminating to me.

This is the www.zonecheck.fr checking tool? Like it says quite clearly in the instructions, where the nameservers are part of the domain being checked then you need to give IP numbers too. If you do that, then the water.com domain passes the test albeit with a few warnings about everything being on the same network segment / same AS number.

Yes, if you're checking a live domain correctly registered and with the right glue records in place, then zonecheck can find your nameservers without external prompting. If you're trying to check an unregistered domain, then zonecheck will definitely need those IP numbers. That's really all those messages are trying to tell you.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
RE: syntax error in $GENERATE crashed all nameservers
No but you're missing the point. I don't think the OP was and I certainly wasn't suggesting it should have done what he meant to do. However, I DO think it should have errored out because it was invalid input. (That is to say unless you think negative numbers should be considered valid input for this command? Please don't respond that negative numbers are integers and therefore valid - that would be pure sophistry.)

-----Original Message-----
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Thursday, August 18, 2011 1:26 PM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: syntax error in $GENERATE crashed all nameservers

On Aug 18, 2011, at 10:28 AM, Lightner, Jeff wrote:

It was certainly a typo and a user error in that regard. However, he was suggesting it was bug because it should have rejected input of negative numbers and I'll have to say I agree with that viewpoint. If I typed las instead of ls on a command line and found out that las meant lose all systems I'd certainly feel whoever had created such a program should have put some safeguards in to keep it from doing something so ridiculous.

Ever work with Warren Teitelman?
http://www.hacker-dictionary.com/terms/DWIM

W

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of /dev/rob0
Sent: Wednesday, August 17, 2011 8:59 PM
To: bind-users@lists.isc.org
Subject: Re: syntax error in $GENERATE crashed all nameservers

On Wed, Aug 17, 2011 at 04:45:38PM -0400, bl ton wrote:

We had a syntax error in our inverse zone file using GENERATE and extra dash were added to the scope so '199--222' instead of '199-222':

$GENERATE 199--222 $ PTR 10-100-60-$.dhcp-bl.indiana.edu.

Ouch! Sorry to hear this!

I would assume named will check the syntax error and refuse to load this zone just like it normally does, but instead it tries to generate millions of erroneous entry because it scanned '-222' to the stop which created a huge number for the named to loop through and the CPU at 100% and locked up 15 of our nameservers, some of those need power recycle to respond to console. This is the first bug of that type we have seen, it's my 12th year of running BIND for large site, another team member has nearly 20 years experience with BIND and we're surprised named doesn't catch the syntax error. Should a syntax error in inverse zone file cause named to locking up the machine?

You're calling this a bug and a syntax error. I disagree. I'd call this a typo and a user error.

But there is checking in forward file and same syntax error were caught:

Aug 16 19:09:19 named named[4169]: 16-Aug-2011 19:09:19.609 general: error: dns_rdata_fromtext: buffer-0x42200470 : near '10.100.60.256': bad dotted quad
Aug 16 20:00:02 named named[4169]: 16-Aug-2011 22:00:02.649 general: error: $GENERATE: Domain/test.example.edu:1496: bad dotted quad
Aug 16 20:00:02 named named[4169]: 16-Aug-2011 22:00:02.649 general: error: zone test.example.edu/IN: loading from master file Domain/test.example.edu failed: bad dotted quad

It's not the same error. You can create PTR names and values of anything you want. But the value for an A record is limited to the set of valid IPv4 addresses. Note that your A $GENERATE was quite happy until it reached 256.

4294967295.60.100.10.in-addr.arpa.  IN PTR 10-100-60-4294967295.dhcp-bl.indiana.edu.
-222.60.100.10.in-addr.arpa.        IN PTR 10-100-60--222.dhcp-bl.indiana.edu.

Those are both valid, as was the entire $GENERATE range.

10-100-60-255.dhcp-bl.indiana.edu.  IN A 10.100.60.255
10-100-60-256.dhcp-bl.indiana.edu.  IN A 10.100.60.256

First one is valid, second one is not.

That said, I wouldn't have thought that a $GENERATE range could go over the top like that, so to speak. I could see calling that a possible bug.
--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
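An added example, not BIND's $GENERATE code: a strict range parser that rejects '199--222' (and any range that would expand to more records than a configured limit) next to a lenient split that shows how '-222' ends up as the stop value. MAX_RECORDS is an assumed policy limit for this example, not a named option.

```python
import re

# start-stop[/step] with non-negative integers only; nothing else is a range.
RANGE_RE = re.compile(r"^(\d+)-(\d+)(?:/(\d+))?$")
MAX_RECORDS = 65536    # assumed policy limit for one directive, not a BIND setting


def naive_range(spec):
    """Model of the failure described in the thread (not named's code):
    a lenient split turns '199--222' into start 199 and stop int('-222'),
    and a 32-bit unsigned counter compared against that stop has billions
    of iterations left. Returns (start, stop, stop as unsigned 32-bit)."""
    start, stop = spec.split("-", 1)
    start, stop = int(start), int(stop)
    return start, stop, stop & 0xFFFFFFFF


def parse_range(spec, max_records=MAX_RECORDS):
    """Strict parse of the $GENERATE range field. Raises ValueError for
    anything but digits-dash-digits[/digits], for stop < start, for a
    zero step and for ranges that would expand past max_records."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"bad $GENERATE range {spec!r}: want start-stop[/step]")
    start, stop = int(m.group(1)), int(m.group(2))
    step = int(m.group(3)) if m.group(3) else 1
    if step == 0:
        raise ValueError(f"bad $GENERATE range {spec!r}: step must be positive")
    if stop < start:
        raise ValueError(f"bad $GENERATE range {spec!r}: stop below start")
    count = (stop - start) // step + 1
    if count > max_records:
        raise ValueError(f"$GENERATE range {spec!r} expands to {count} records, "
                         f"limit is {max_records}")
    return start, stop, step


def expand_generate(directive, max_records=MAX_RECORDS):
    """Expand '$GENERATE range lhs [ttl] [class] type rhs', substituting the
    iterator for a bare '$' in lhs and rhs (the ${offset,width,base}
    modifiers are not handled here)."""
    fields = directive.split()
    if len(fields) < 5 or fields[0] != "$GENERATE":
        raise ValueError("not a $GENERATE directive")
    start, stop, step = parse_range(fields[1], max_records)
    lhs, rhs, middle = fields[2], fields[-1], " ".join(fields[3:-1])
    return [f"{lhs.replace('$', str(i))} {middle} {rhs.replace('$', str(i))}"
            for i in range(start, stop + 1, step)]


if __name__ == "__main__":
    typo = "$GENERATE 199--222 $ PTR 10-100-60-$.dhcp-bl.indiana.edu."
    print("lenient:", naive_range("199--222"))
    try:
        expand_generate(typo)
    except ValueError as e:
        print("strict:", e)
    for rr in expand_generate("$GENERATE 199-201 $ PTR 10-100-60-$.dhcp-bl.indiana.edu."):
        print(rr)
```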
RE: no servers could be reached
Also has a wrong name: Should be resolv.conf NOT resolve.conf.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Michael McNally
Sent: Thursday, July 28, 2011 3:47 PM
To: bind-users@lists.isc.org
Subject: Re: no servers could be reached

On 7/28/11 12:16 AM, uifid...@gmail.com wrote:

my /etc/resolve.conf
Note:          ^^^

named-checkzone named-checkconf passed, I suppose the configure works but only get no servers could be reached. What's wrong with my config?

Your resolv.conf is in the wrong place. Let's see what happens when that occurs:

With resolv.conf in place:

Chickamin-River:~ $ dig www.isc.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5913
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.isc.org.                   IN      A

;; ANSWER SECTION:
www.isc.org.            263     IN      A       149.20.64.42

;; Query time: 49 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jul 28 11:42:34 2011
;; MSG SIZE  rcvd: 45

With resolv.conf in the wrong place:

Chickamin-River:~ $ mv /etc/resolv.conf /etc/resolv.conf.moved
Chickamin-River:~ $ dig www.isc.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
;; global options: +cmd
;; connection timed out; no servers could be reached
RE: about the dig
Or as previously pointed out it WILL work if you specify a name server at invocation. That is to say you MUST either do dig @server... OR have a resolv.conf that specifies servers to attempt if not specified at invocation. (And before anyone else says it - You can of course still specify a server at invocation to bypass the ones in /etc/resolv.conf.)

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of eugene tsuno
Sent: Tuesday, July 19, 2011 10:53 AM
To: bind-users@lists.isc.org
Subject: Re: about the dig

Feng:

I think G.W is pointing out that in the absence of resolv.conf, dig uses the localhost to connect to the bind server. Just tcpdump the loopback interface, and you will see it. So the reason resolution works is because you are running bind on that server. It would not work on any client which isn't running bind. We generally put the entry in so we know where our DNS requests are going, the loopback or a real interface. It doesn't have to be that way, you don't have to use the bind server on the box itself.

On 7/19/11 3:54 AM, Feng He wrote:

On Tue, Jul 19, 2011 at 2:47 PM, G.W. Haywood <b...@jubileegroup.co.uk> wrote:

man resolv.conf

If this file doesn't exist the only name server to be queried will be on the local machine; the domain name is determined from the hostname and the domain search path is constructed from the domain name.

Nothing around the resolv.conf, I was talking about dig.

Thanks.

--
eugene tsuno
NOAA Boulder/NOC
325 broadway, boulder, co 80305
303-497-6392
RE: RFC 6303 and automatic empty zones
Expecting the future - Planning your life around it is something sales folks like to do and most of the rest of us call vaporware - it's always going to be available the 2nd quarter of next year.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Evan Hunt
Sent: Thursday, July 14, 2011 11:16 AM
To: Chris Thompson
Cc: bind-users@lists.isc.org
Subject: Re: RFC 6303 and automatic empty zones

Now that RFC 6303 http://www.rfc-editor.org/rfc/rfc6303.txt has been published, and includes the fourteen RFC 1918 reverse zones (section 4.1), can we expect future versions of BIND to have them as automatic empty zones - i.e. the #ifdef notyet in bin/named/server.c to disappear?

Yes.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
RE: better performance with 32 bit ! why?
I'm not sure I agree with that - multiple single threaded processes can be distributed across cores/CPUs. That is to say ONE single thread process doesn't gain from multiple cores but more than one can because they don't have to compete against each other on the same core.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Ryan Novosielski
Sent: Wednesday, June 29, 2011 9:59 AM
To: iharrathi@orange-ftgroup.com
Cc: bind-users@lists.isc.org
Subject: Re: better performance with 32 bit ! why?

Not necessarily. They are not apples to apples. Multi-core machines only excel at multi-threaded computational loads. I don't know how BIND does or does not qualify. I suspect, however, there may be some other differences between the two chips anyhow (cache size differences, etc.).

On 06/29/2011 09:33 AM, iharrathi@orange-ftgroup.com wrote:

on server1 (64 bit) I have 2 Intel E5310 *quad*-core 1.6Ghz and on server2 (32 bit) I have 2 Intel Xeon *dual*-core 2.33Ghz.
means 8*1.6 Ghz on server1 and 4*2.33 on server2.
8*1.6 is better and faster than 4*2.33, no?

Regards
Issam Harrathi.

The 64 bit server (server1) is faster than the 32 bit server (server2).

Really? I thought you said the 64 bit server had a CPU with 1.6GHz cores, and the 32 bit server had 2.33GHz cores?

Regards
Eivind Olsen

IMPORTANT. This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. Any unauthorized view, usage or disclosure of this message is prohibited. Since e-mail messages may not be reliable, France Telecom Group shall not be liable for any message if modified, changed or falsified. Additionally the recipient should ensure they are actually virus free.

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark
RE: bind restart needed to reflect changes to dynamic zone in multiple views
I wonder if pointing to different file names, with one being a symbolic link to the other, would work? That way you'd only have to create and update the one file, but the transfer would transfer two separate files.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Brian J. Murrell
Sent: Friday, June 24, 2011 10:21 AM
To: bind-us...@isc.org
Subject: Re: bind restart needed to reflect changes to dynamic zone in multiple views

On 11-06-24 09:57 AM, Lyle Giese wrote:
> It's expected behavior in a way.

Given your explanation, indeed. :-)

> You are probably making this change in the internal view and the internal named process knows about the change and reloads the zone. The external view's process is unaware of the change and does not reload.

Ah. I guess I had not considered how BIND handles views and that it's done with a separate process per view. But I only have one named process, so I suppose it's threading for each view.

> 1) You could send a periodic rndc reload to the external view process.

Except that I only have the one process. Any thoughts on how to do this in such a case?

> 2) Since this appears to be an rbl zone, use rbldnsd instead of named to serve this zone.

Yeah, I suppose I could. It would solve this specific use case, but I don't know that this RBL zone is the extent of this problem. I'd have to examine further where there are zones shared by multiple views. I'm guessing though that rbldnsd doesn't support remote update, yes? That would be limiting for my purposes here.

Cheers,
b.
RE: DNS attacking
You can blacklist things in named.conf, but we've found it more efficient to simply have iptables drop packets from the offending IPs so they never even get to BIND.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Jeff Pang
Sent: Wednesday, May 25, 2011 6:54 AM
To: Niall O'Reilly
Cc: bind-users
Subject: Re: DNS attacking

2011/5/25 Niall O'Reilly niall.orei...@ucd.ie:
> Which of your DNS systems: resolvers or authoritative?
> Where is the source of the attack: within your (or your customers') networks, or out on the Internet?

Thanks. My nameservers are authoritative servers only.

-- 
Jeff Pang
www.DNSbed.com
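An added example, not from the thread: count queries per source over constructed BIND query-log lines (the "client A.B.C.D#port: query:" shape; the exact fields vary between BIND versions), then emit both blocking options Jeff mentions, a named.conf blackhole list and the equivalent iptables DROP rules. The threshold and the log lines are assumptions made for the example.

```python
"""Added example (not from the list thread): pick out abusive query sources
from BIND query-log lines and emit the two blocking options discussed above,
a named.conf blackhole list and iptables DROP rules."""
import ipaddress
import re
from collections import Counter

# Query-log line shape assumed here (fields differ slightly across versions):
#   client 192.0.2.10#5300: query: example.com IN ANY +
QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: ")

# Constructed sample log: two sources hammering ANY queries, two normal ones.
SAMPLE_LOG = """\
client 192.0.2.10#5300: query: example.com IN ANY +
client 192.0.2.10#5301: query: example.com IN ANY +
client 192.0.2.10#5302: query: example.com IN ANY +
client 198.51.100.7#40001: query: www.example.com IN A +
client 192.0.2.10#5303: query: example.com IN ANY +
client 203.0.113.9#1234: query: mail.example.com IN MX +
client 2001:db8::1#53001: query: example.com IN ANY +
client 2001:db8::1#53002: query: example.com IN ANY +
client 2001:db8::1#53003: query: example.com IN ANY +
client 2001:db8::1#53004: query: example.com IN ANY +
"""


def count_clients(log_text):
    """Number of query-log lines seen per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold):
    """Sources at or above the threshold, validated as real IP addresses."""
    found = []
    for ip, n in counts.items():
        if n >= threshold:
            try:
                found.append(ipaddress.ip_address(ip))
            except ValueError:
                continue  # never emit a rule for something that is not an address
    # IPv4 before IPv6, numeric order within each family
    return sorted(found, key=lambda a: (a.version, int(a)))


def blackhole_acl(addresses):
    """named.conf fragment for the options { } block: named ignores queries
    from these sources (and will not send queries to them either)."""
    lines = ["blackhole {"] + [f"    {a};" for a in addresses] + ["};"]
    return "\n".join(lines)


def iptables_rules(addresses):
    """The alternative Jeff prefers: drop the packets before named sees them."""
    rules = []
    for a in addresses:
        tool = "ip6tables" if a.version == 6 else "iptables"
        for proto in ("udp", "tcp"):
            rules.append(f"{tool} -I INPUT -s {a} -p {proto} --dport 53 -j DROP")
    return rules


if __name__ == "__main__":
    bad = offenders(count_clients(SAMPLE_LOG), threshold=4)
    print(blackhole_acl(bad))
    print("\n".join(iptables_rules(bad)))
```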
RE: Getting different name resolution for news.google.com from master and slave BIND
Yes. I verified this with our chief network engineer this morning. Yesterday, on doing dig @ns1.google.com (or @ns2 or @ns3 or @ns4), my results for the master were always the same IPs indicated in my initial post for the master, whereas those from my slave were always the ones indicated in that same post for the slave. I should have mentioned that.

As noted in a reply to another email this morning, it appears both servers now get the same list of IPs (which is the list that only the slave was getting yesterday). Since we made no change, I suspect this had more to do with how Google's NS servers were handling things than how we were querying.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Eivind Olsen
Sent: Tuesday, May 24, 2011 7:26 PM
To: bind-users@lists.isc.org
Subject: RE: Getting different name resolution for news.google.com from master and slave BIND

Lightner, Jeff wrote:
> The master is dswadns1.water.com at 12.44.84.213 and the slave is dswadns2.water.com at 12.44.84.214.

So, they leave your network in the same way, through the same router etc? Are they configured to use any forwarders? Stub-zones? Etc? Or do they both talk directly out to the Internet?

Or, how about... what do you get if you query the same Google nameserver from both your hosts? Do you get the same results if you, for example, query ns1.google.com with dig on both your nameservers, or do you then also get different answers? How about if you check from a single one of your nameservers, doing manual queries to all 4 Google nameservers (ns1 - 4)? Same result from all 4, or different results?

Regards
Eivind Olsen
Getting different name resolution for news.google.com from master and slave BIND
Is anyone else seeing odd results with news.google.com? My BIND 9 master and slave are getting different results. If I go out to other sites such as Kloth.net or iptools.com they also get different results from each other, and different from what my master and slave are reporting.

I'm running BIND 9.3 (the RedHat version that has backported patches and enhancements from later BIND versions in it, so please don't tell me to use a newer version).

On doing some research I found that Google has made a couple of changes in the past week or so affecting their news stuff. The one that seems like it might explain why Kloth.net, iptools.com and my server get different answers is the May 13th introduction of "news near you" discussed in this article: http://www.pcmag.com/article2/0,2817,2385369,00.asp

That is aimed at mobile devices, but I could see how they might also try to make it work with static sites. However, it wouldn't explain why both my servers coming from the same location would get different results. I'm thinking maybe there is something else obvious I'm missing. I am not caching on these servers and have bounced named on both, but it didn't help.

Does anyone have any ideas?

Other than the fact that they're master and slave with different IPs and set up to talk to each other, the named.conf on both hosts is the same. They both have the same OS and same hardware. Also we have some Windows DNS servers in house and they seem to be giving the same results as my slave, so the master appears to be the odd man out.

When I run dig news.google.com from my BIND 9 master I'm getting:

; <<>> DiG 9.3.4-P1 <<>> news.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46508
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;news.google.com.               IN      A

;; ANSWER SECTION:
news.google.com.        603615  IN      CNAME   news.l.google.com.
news.l.google.com.      300     IN      A       72.14.209.99
news.l.google.com.      300     IN      A       72.14.209.104

;; AUTHORITY SECTION:
google.com.             170523  IN      NS      ns1.google.com.
google.com.             170523  IN      NS      ns2.google.com.
google.com.             170523  IN      NS      ns3.google.com.
google.com.             170523  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns3.google.com.         344424  IN      A       216.239.36.10
ns4.google.com.         343339  IN      A       216.239.38.10

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 24 14:17:14 2011
;; MSG SIZE  rcvd: 190

Yet on my slave I get:

; <<>> DiG 9.3.4-P1 <<>> news.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30872
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;news.google.com.               IN      A

;; ANSWER SECTION:
news.google.com.        603986  IN      CNAME   news.l.google.com.
news.l.google.com.      300     IN      A       74.125.65.99
news.l.google.com.      300     IN      A       74.125.65.103
news.l.google.com.      300     IN      A       74.125.65.104
news.l.google.com.      300     IN      A       74.125.65.105
news.l.google.com.      300     IN      A       74.125.65.106
news.l.google.com.      300     IN      A       74.125.65.147

;; AUTHORITY SECTION:
google.com.             171986  IN      NS      ns4.google.com.
google.com.             171986  IN      NS      ns1.google.com.
google.com.             171986  IN      NS      ns2.google.com.
google.com.             171986  IN      NS      ns3.google.com.

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 24 14:18:03 2011
;; MSG SIZE  rcvd: 222
RE: Getting different name resolution for news.google.com from master and slave BIND
They aren't in different subnets from an internet perspective and are not geographically separated. (Yes, I know, not best practice, but I don't make those decisions.) The master is dswadns1.water.com at 12.44.84.213 and the slave is dswadns2.water.com at 12.44.84.214. The fact they are not in different locations or in a separate subnet is why I don't understand why I'd be getting separate location-specific IPs handed to the two servers.

-----Original Message-----
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Tuesday, May 24, 2011 4:06 PM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: Getting different name resolution for news.google.com from master and slave BIND

On May 24, 2011, at 2:28 PM, Lightner, Jeff wrote:
> Is anyone else seeing odd results with news.google.com? My BIND 9 master and slave are getting different results.

Presumably your slave and master are in different subnets? Google (and many other large networks) perform geolocation and hand out A records that are close to your resolver. Presumably we believe that 72.14.209.99 is (network wise) close to your master and 74.125.65.99 is close to your slave. If you provide IPs and actual locations for your slaves and master I can check.

W

> If I go out to other sites such as Kloth.net or iptools.com they also get different results from each other and different from what my master and slave are reporting.
>
> I'm running BIND 9.3 (the RedHat version that has backported patches and enhancements from later BIND versions in it, so please don't tell me to use a newer version).
>
> On doing some research I found that Google has made a couple of changes in the past week or so affecting their news stuff. The one that seems like it might explain why Kloth.net, iptools.com and my server get different answers is the May 13th introduction of "news near you" discussed in this article: http://www.pcmag.com/article2/0,2817,2385369,00.asp
>
> That is aimed at mobile devices, but I could see how they might also try to make it work with static sites. However, it wouldn't explain why both my servers coming from the same location would get different results. I'm thinking maybe there is something else obvious I'm missing. I am not caching on these servers and have bounced named on both, but it didn't help.
>
> Does anyone have any ideas?
>
> Other than the fact that they're master and slave with different IPs and set up to talk to each other, the named.conf on both hosts is the same. They both have the same OS and same hardware. Also we have some Windows DNS servers in house and they seem to be giving the same results as my slave, so the master appears to be the odd man out.
>
> When I run dig news.google.com from my BIND 9 master I'm getting:
>
> ; <<>> DiG 9.3.4-P1 <<>> news.google.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46508
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;news.google.com.               IN      A
>
> ;; ANSWER SECTION:
> news.google.com.        603615  IN      CNAME   news.l.google.com.
> news.l.google.com.      300     IN      A       72.14.209.99
> news.l.google.com.      300     IN      A       72.14.209.104
>
> ;; AUTHORITY SECTION:
> google.com.             170523  IN      NS      ns1.google.com.
> google.com.             170523  IN      NS      ns2.google.com.
> google.com.             170523  IN      NS      ns3.google.com.
> google.com.             170523  IN      NS      ns4.google.com.
>
> ;; ADDITIONAL SECTION:
> ns3.google.com.         344424  IN      A       216.239.36.10
> ns4.google.com.         343339  IN      A       216.239.38.10
>
> ;; Query time: 6 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue May 24 14:17:14 2011
> ;; MSG SIZE  rcvd: 190
>
> Yet on my slave I get:
>
> ; <<>> DiG 9.3.4-P1 <<>> news.google.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30872
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;news.google.com.               IN      A
>
> ;; ANSWER SECTION:
> news.google.com.        603986  IN      CNAME   news.l.google.com.
> news.l.google.com.      300     IN      A       74.125.65.99
> news.l.google.com.      300     IN      A       74.125.65.103
> news.l.google.com.      300     IN      A       74.125.65.104
> news.l.google.com.      300     IN      A       74.125.65.105
> news.l.google.com.      300     IN      A       74.125.65.106
> news.l.google.com.      300     IN      A       74.125.65.147
>
> ;; AUTHORITY SECTION:
> google.com.             171986  IN      NS      ns4.google.com.
> google.com.             171986  IN      NS      ns1.google.com.
> google.com.             171986  IN      NS      ns2.google.com.
> google.com.             171986  IN      NS      ns3.google.com.
>
> ;; Query time: 5 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue May 24 14:18:03 2011
> ;; MSG SIZE rcvd
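An added example, not from the thread, that does by script what the thread does by eye: parse the ANSWER SECTION of two dig outputs (constructed excerpts using the addresses posted above, in dig's default column layout) and report which A records are shared and which are unique to the master or the slave. The same comparison works on the per-Google-nameserver outputs Eivind asks for.

```python
"""Added example (not from the list thread): compare the answer sections of
two dig outputs record by record instead of eyeballing them."""
import re

# Constructed excerpts in the shape of the master/slave outputs posted above.
MASTER = """\
;; ANSWER SECTION:
news.google.com.        603615  IN      CNAME   news.l.google.com.
news.l.google.com.      300     IN      A       72.14.209.99
news.l.google.com.      300     IN      A       72.14.209.104

;; AUTHORITY SECTION:
google.com.             170523  IN      NS      ns1.google.com.
"""

SLAVE = """\
;; ANSWER SECTION:
news.google.com.        603986  IN      CNAME   news.l.google.com.
news.l.google.com.      300     IN      A       74.125.65.99
news.l.google.com.      300     IN      A       74.125.65.103
news.l.google.com.      300     IN      A       74.125.65.104
news.l.google.com.      300     IN      A       74.125.65.105
news.l.google.com.      300     IN      A       74.125.65.106
news.l.google.com.      300     IN      A       74.125.65.147

;; AUTHORITY SECTION:
google.com.             171986  IN      NS      ns4.google.com.
"""

# owner  TTL  IN  TYPE  RDATA  (dig's default presentation format)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_answer(dig_text):
    """Return {(owner, rrtype): set(rdata)} built from the ANSWER SECTION only;
    TTLs are deliberately ignored because they differ on every query."""
    records = {}
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line.strip():
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        records.setdefault((owner.lower(), rtype), set()).add(rdata.lower())
    return records


def compare(a, b, rtype="A"):
    """Per owner name: (only_in_a, only_in_b, common) sets of rdata."""
    names = {k[0] for k in a if k[1] == rtype} | {k[0] for k in b if k[1] == rtype}
    out = {}
    for n in sorted(names):
        sa, sb = a.get((n, rtype), set()), b.get((n, rtype), set())
        out[n] = (sa - sb, sb - sa, sa & sb)
    return out


def disjoint_answers(a, b, rtype="A"):
    """True when the two servers share no record of that type at all,
    which is exactly the situation the thread is about."""
    return all(not common for _, _, common in compare(a, b, rtype).values())


if __name__ == "__main__":
    m, s = parse_answer(MASTER), parse_answer(SLAVE)
    for name, (only_m, only_s, both) in compare(m, s).items():
        print(name, "master-only:", sorted(only_m), "slave-only:", sorted(only_s),
              "shared:", sorted(both))
```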
RE: Migrate domains to different DNS servers
By re-delegate do you mean at the Registrars and ISPs? If so, and if you have more than one DNS server for redundancy (as you should), then you can replace one server at a time using the same name/IP on the new server as on the old server. When we did this a few years back we simply moved the network cables from old server to new server (after configuring the new server, of course). Of course you'd want to disable any notification/transfer from old BIND8 to new BIND9 prior to doing that.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Torinthiel
Sent: Wednesday, April 20, 2011 5:59 AM
To: bind-users@lists.isc.org
Subject: Re: Migrate domains to different DNS servers

On 2011-04-20 17:25 listus...@gmail.com wrote:
> Hello all,
> We have a couple of BIND 8 DNS servers that we want to decommission; obviously we need to migrate the domains to other DNS servers first, which ordinarily involves zone transfer and domain re-delegation. However, we do not have control over a lot of the domains (think hundreds) on the BIND 8 servers, meaning we cannot re-delegate.

In what sense you don't have control? I assume you don't have administrative access to the BIND8 boxes. Do you have AXFR access to the BIND8 boxes and/or do you have the zone files? Do you have access to the registrar where you have registered your domains?

Also, an important factor is whether the DNS for those domains are in-zone or out-zone, i.e. assume you have example.com. Are the NS servers ns1.example.com (in-zone) or ns1.otherdomain.com (out-zone)?

One important problem is data. If you don't have access to the zones' contents (either via AXFR or having zone files) then how would you know what your new nameservers should respond?

Assuming you have data, here are your options for delegation:

If you have access to the registrar, you can freely change the servers the domain is delegated to, so you can simply change that delegation, i.e. the domain was delegated to ns1.domain.com, now it is to ns3.domain.com or ns1.newdomain.com. In case of out-zone nameservers that's only a name change. In case of in-zone nameservers, it's either a name and IP address change, or only an IP address change.

If you don't have registrar access, you have out-zone nameservers and you control (can change RRs in) the zone that the nameservers are in, you can change the A/AAAA records for the NS, which will be a variation of your idea.

If you don't have registrar access and either you have in-zone nameservers, or can't control the A/AAAA records of out-zone nameservers, then AFAIK you're out of luck.

> A desperate measure (if you want to call it that) is to transfer the zones to the new DNS infrastructure then change the A record of the old DNS to use the IP address of the new DNS. Effectively the old DNS becomes an alias of the new DNS.

Possible problem: glue records. With internal NS and no access to the registrar you have no way to update glue records, so the domain will still be delegated to the old servers.

Regards,
Torinthiel
RE: children whose zones do not reflect the delegation from the parent
I'm wondering if the issue isn't because you've not told your ISP what your name servers are. You have to do that for reverse delegations to get to your servers. (This is in addition to telling your Registrar.)

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Phil Mayers
Sent: Wednesday, March 30, 2011 5:34 AM
To: bind-users@lists.isc.org
Subject: Re: children whose zones do not reflect the delegation from the parent

On 03/30/2011 04:45 AM, ben thielsen wrote:
> both fail to do so. so - it would seem to me that at least somehow, in some sense, the delegation is broken. however, if queried further

It does seem a bit broken - there's no SOA for 33.50.in-addr.arpa, i.e. no zone there.

> for a /24 within that /16, both servers now work properly, and further delegate to other servers [and themselves]:

So probably they've got a zone for many of the child blocks, e.g. x.33.50.in-addr.arpa... but not the parent one, which is lazy.

> which leaves me sort of scratching my head. on the one hand, pretty much everything i've learned about dns says that it shouldn't work, but yet it seems to. added to that, the way delegation has been done

The reason it works is that, at each point down in the delegation, nameservers are asking for the full name, i.e. 1.151.33.50.in-addr.arpa/PTR... and of course, the broken nameservers do have this, so it works even though 33.50.in-addr.arpa doesn't exist.

But you're right, the delegation does look wrong (to me at least). The absence of a proper delegation means that a lookup for a non-existent IP returns with SERVFAIL rather than NXDOMAIN, e.g.

dig -x 50.33.44.255 - SERVFAIL, because they don't have the zone for 44 and don't have the parent zone either

versus

dig -x 50.33.151.255 - NXDOMAIN
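An added example, not from the thread, modelling the situation Phil describes with constructed zone data: a server that loads 151.33.50.in-addr.arpa but no 33.50.in-addr.arpa parent answers by longest-suffix zone match, so a PTR name under a loaded /24 gets NOERROR or NXDOMAIN, while a name under a /24 it does not load gets REFUSED, which the querying resolver then reports as SERVFAIL. The zone contents and the hostname are assumptions.

```python
"""Added example (not from the list thread): a toy authoritative lookup that
shows why the child /24 reverse zones answer while the /16 parent is missing."""
import ipaddress

# Constructed zone data for the servers in the thread: the /24 child
# 151.33.50.in-addr.arpa is loaded, the /16 parent 33.50.in-addr.arpa is not,
# and nothing at all is loaded for the 44.33.50.in-addr.arpa child.
ZONES = {
    "151.33.50.in-addr.arpa.": {
        "1.151.33.50.in-addr.arpa.": "host1.example.net.",  # hypothetical PTR
    },
}


def reverse_name(ip):
    """50.33.151.1 -> 1.151.33.50.in-addr.arpa. (the name dig -x asks for)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def find_zone(qname, zones):
    """Longest-suffix match: the closest enclosing zone this server loads.
    The parent /16 being absent does not matter if a child /24 matches."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def lookup(ip, zones):
    """Return (rcode, rdata) the way an authoritative-only server would.
    With no enclosing zone it cannot say NXDOMAIN, because it knows nothing
    about that part of the tree; it refuses, and the resolver that chased the
    delegation reports the failure as SERVFAIL."""
    qname = reverse_name(ip)
    zone = find_zone(qname, zones)
    if zone is None:
        return ("REFUSED", None)
    rdata = zones[zone].get(qname)
    return ("NOERROR", rdata) if rdata else ("NXDOMAIN", None)


if __name__ == "__main__":
    for ip in ("50.33.151.1", "50.33.151.255", "50.33.44.255"):
        print(ip, reverse_name(ip), lookup(ip, ZONES))
```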
RE: dns RR method is not equal balanced?
Not to mention that RedHat just announced pending EOL of RHEL4 last week. RHEL5 has been out since around 2007 and RHEL6 was released around the start of this year.

From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Ben Croswell
Sent: Tuesday, March 29, 2011 8:56 AM
To: Kay
Cc: bind-users@lists.isc.org
Subject: Re: dns RR method is not equal balanced?

First and foremost you shouldn't be running any version of BIND 8. That is way out of date and open to a lot of exploits. That being said if by some

-Ben Croswell

On Mar 29, 2011 4:55 AM, Kay ch...@daumcorp.com wrote:
> Dear my friends.
> I use bind 8.4.7-REL on RHEL 4.4 OS and have thousands of domains. In my case, some domain has 12 IPs but the traffic of the servers is not equal. The traffic of 11 IPs is the same and just 1 IP is higher than the others.
> Today, I moved the dns that is not equal to GSLB (F5) and set address-return 2 (Maximum Addresses Returned). And then it disappeared; equal traffic incoming completely.
> Is there some kind of bug in the bind that I use? Or any idea?
> Thanks.
RE: RHEL5 BIND in PROD
If these are new servers that are only for BIND I'd suggest going with RHEL6 rather than 5.6 - RHEL releases have a very long life cycle. When I get a spare moment I intend to update our servers to RHEL6.

We use the RHEL5 BIND package for the reasons you give. However, the way RedHat does things is they go with a base release from upstream (e.g. 9.3 is default for RHEL5.x) then backport security and bug fixes from later base releases into that. This causes confusion because people will post here that they're using 9.3, which makes it look like they aren't paying attention to later updates and all.

If you like the latest greatest you could build your own, but as I once said to the folks at RedHat: "If I have a dedicated server that only runs BIND and I have to build my own, why should I pay for a subscription based Linux?" As you note they now have (as a bug request) a later version of the base release available in RHEL 5.x, but that isn't the one you'll get updates for with yum. I've suggested to RedHat that they do as they did with Java, where they made different base releases (e.g. Java 1.4.2, Java 1.6.0) and provide updates for whichever (or both) you choose to use.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Mike Diggins
Sent: Tuesday, March 15, 2011 9:45 AM
To: bind-us...@isc.org
Subject: RHEL5 BIND in PROD

I'm about to transition my name servers from Solaris 10 to RedHat Linux 5.6. I'm debating whether to compile BIND directly from source as I usually do or use one of the RHEL packages, likely the newly released 9.7.0-6.P2. I would like to make our DNS a little more appliance based to ease some of the support burden. I'm also concerned with stability over new features. I'm interested to know what others are doing.

-Mike
RE: R: Operating system recommendation
Linux people and their reinstalls?! Somebody has confused Linux with Windows.

We've been running RedHat Enterprise Linux (RHEL) systems commercially for several years (including our DNS servers) and the only time I reinstall is when I'm redeploying a system and/or want to go to a newer major release. As the prior poster said, RedHat still supports RHEL4 (7 years or more) and RHEL5 (4 years or more) and has now released RHEL6. Redeployments don't require a reinstall - I simply do it (as I did for UNIX systems) to get rid of the cruft that is invariably left behind by redeployments and in-box upgrades from one major release to another. I'd do the same on BSD if I were still running any of those systems.

Don't confuse hobbyists who like to tinker and reinstall at the drop of a hat to undo their latest experiments with use of Linux in real data centers.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of fddi
Sent: Friday, March 11, 2011 4:18 AM
To: bind-users@lists.isc.org
Subject: Re: R: Operating system recommendation

bind performances are excellent also on FreeBSD and OpenBSD. Myself, if I were a big ISP I would use OpenBSD, mainly from a security point of view.

Riccardo

On 3/11/11 9:23 AM, Chiesa Stefano wrote:
>> -----Original Message-----
>> From: bind-users-bounces+stefano.chiesa=wki...@lists.isc.org [mailto:bind-users-bounces+stefano.chiesa=wki...@lists.isc.org] On Behalf Of pollex
>> Sent: Wednesday, 9 March 2011 20:52
>> To: comp-protocols-dns-b...@isc.org
>> Subject: Operating system recommendation
>>
>> Hi,
>> I want to know, in your experience, what is the best operating system to run bind for an ISP. We currently have Debian for the 5 cache servers and for the 2 authoritative servers. We have around 111851 successful queries in the cache servers and around 7267 zones created in the authoritative servers.
>> We are doing a major re-analysis of all the architecture, and Debian is changing their versions too soon and only has support for 1 version before, so I don't know if this is the best option.
>> Best regards and thanks
>
> Hello.
> The Italian Registration Authority, that manages more than 2 million .it domains, runs their BIND DNS servers on UBUNTU.
> For further info you can try to contact them at their email addresses:
> i...@registro.it
> hostmas...@registro.it
> http://www.nic.it/?set_language=en
> Hope this helps.
> Ciao.
> Stefano.
RE: R: Operating system recommendation
I didn't make this a personal attack so don't know why you felt it necessary to go that route. However, since you did, it is clear from your comments you are a BSD fan boy and will say whatever you can, including outright fabrications, to make your position seem more valid than those of others. I've not seen an OS yet that couldn't be rootkitted, and implying that RHEL is somehow more susceptible to that and that BSD is somehow immune to it is completely disingenuous. Many organizations choose to use commercial variants of Linux specifically because they prefer to have an external support entity available. If you had to reinstall RHEL to perform a simple upgrade, that says more about your lack of experience with the platform than it does about the platform itself. In my 20 years of Systems Administration experience I've often made suggestions, some heeded and some ignored, but always knew I wasn't the tail that wags the dog. You apparently think you are in your organization, so congrats on that.

-Original Message-
From: Dan [mailto:d...@sunsaturn.com]
Sent: Friday, March 11, 2011 12:33 PM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: RE: R: Operating system recommendation

Simply what I meant by their reinstall is going to a new major revision or someone rootkitted your box. Either would not pose a problem on FreeBSD. I have redeployed RHEL systems as well and it required a reinstall; the upgrade left too many instabilities in the system, not just the cruft you suggest. It's clear from that statement you don't run any BSDs and cost your company money running RHEL vs CentOS or anything free that a competent admin could run just as well; perhaps the bit of money your company could save you could use towards a ploy for a raise!

Dan.

On Fri, 11 Mar 2011, Lightner, Jeff wrote:

Linux people and their reinstalls?! Somebody has confused Linux with Windows.

We've been running Red Hat Enterprise Linux (RHEL) systems commercially for several years (including our DNS servers) and the only time I reinstall is when I'm redeploying a system and/or want to go to a newer major release. As the prior poster said, Red Hat still supports RHEL4 (7 years or more) and RHEL5 (4 years or more) and has now released RHEL6. Redeployments don't require a reinstall - I simply do it (as I did for UNIX systems) to get rid of the cruft that is invariably left behind by redeployments and in-box upgrades from one major release to another. I'd do the same on BSD if I were still running any of those systems. Don't confuse hobbyists who like to tinker and reinstall at the drop of a hat to undo their latest experiments with use of Linux in real data centers.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of fddi
Sent: Friday, March 11, 2011 4:18 AM
To: bind-users@lists.isc.org
Subject: Re: R: Operating system recommendation

bind performances are excellent also on FreeBSD and OpenBSD. Myself, if I were a big ISP I would use OpenBSD, mainly from a security point of view.

Riccardo

On 3/11/11 9:23 AM, Chiesa Stefano wrote:

-Original Message-
From: bind-users-bounces+stefano.chiesa=wki...@lists.isc.org [mailto:bind-users-bounces+stefano.chiesa=wki...@lists.isc.org] On Behalf Of pollex
Sent: Wednesday, March 9, 2011 20:52
To: comp-protocols-dns-b...@isc.org
Subject: Operating system recommendation

Hi, I want to know in your experience what is the best operating system to run bind for an ISP. We currently have Debian for the 5 cache servers and for the 2 authoritative servers. We have around 111851 successful queries in the cache servers and around 7267 zones created in the authoritative servers. We are doing a major re-analysis of all the architecture, and Debian is changing their versions too soon and only has support for 1 version before, so I don't know if this is the best option.

Best regards and thanks

Hello. The Italian Registration Authority, which manages more than 2 million .it domains, runs their BIND DNS server on Ubuntu. For further info you can try to contact them at their email addresses: i...@registro.it hostmas...@registro.it http://www.nic.it/?set_language=en Hope this helps. Ciao. Stefano.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Proud partner. Susan G. Komen for the Cure. Please consider our environment before printing this e-mail or attachments.
RE: Slaves and views
Haven't done it but don't see why not. Since every entry in named.conf specifies the zone file, you can definitely have multiple zones all pointing to the same zone file. (We do that for many ancillary zones that we want to point to our primary domain, so we have an aliases file that uses the @ designation instead of hard-coded domain names.)

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of John Wobus
Sent: Friday, March 04, 2011 11:46 AM
To: bind-users
Subject: Slaves and views

Hi,

Can a zone file be a slave in one view and the same zone file be served by another view? I'm going to split our authoritative servers into internal and external views. My question concerns zones that we secondary for other organizations, slaved to masters at their sites. I know I could configure each of their zones with separate files in each of the two views, listen on/use an additional address that accesses our local view, and tell these peer organizations to notify and allow transfers from this additional address. I'm not (yet) worried about dynamic updates, if there are any. Is there a way I can handle their zones without making these other sites configure another address, and still run just one bind instance? Other ideas are: running a separate bind instance for these zones, or making one view a slave to the other. Possibly forwarding of some kind, another thing I haven't done much.

John Wobus
Cornell

-- CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. --
RE: Please Help
IIRC the U.S. Government last year or the year before mandated all their sites be DNSSEC compliant by early this year. Maybe it is just a sign they are actually doing it.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Ryan Novosielski
Sent: Thursday, February 17, 2011 9:54 AM
To: Xiaoxu Huang
Cc: bind-users@lists.isc.org
Subject: Re: Please Help

Glad to hear it was a help. Does anyone happen to know if anything changed for .gov addresses just last week? This problem appears to have come out of the clear blue sky (not that there wasn't plenty of warning) so I have to assume that something was just activated.

On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:

We have checked the list archives and our side has increased the allowed DNS packet size. Now we are fine to get the correct answer for **.gov.

Thanks for help and Best Regards,
Xiao
2/17/2011

-Original Message-
From: bind-users-bounces+xhuang=graphnet@lists.isc.org [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of Ryan Novosielski
Sent: Wednesday, February 16, 2011 5:47 PM
To: bind-users@lists.isc.org
Subject: Re: Please Help

I asked this same question this week. Check the list archives.

On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:

From a couple of our DNS servers, we fail to get the correct DNS answer, like the following:

1) From server A

# nslookup
Default Server: localhost
Address: 127.0.0.1
www.nyc.gov
Server: localhost
Address: 127.0.0.1
*** localhost can't find www.nyc.gov: Non-existent host/domain
# nslookup

2) From server B:

# nslookup www.nyc.gov
;; connection timed out; no servers could be reached

3) Both servers run bind-9.7.2-P2

Can anyone help?

Thanks and Best Regards,
Xiao
2/16/2011

Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark
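The symptom Xiao reports above (a DNSSEC-signed .gov answer that a resolver advertising no EDNS0 buffer, or a path capped at 512-byte UDP, cannot receive) can be reproduced offline. The following is an added example, not code from the thread: it builds a query with and without an EDNS0 OPT record and classifies a constructed truncated reply; the transaction id and the reply bytes are constructed.

```python
# Added example (not from the thread): build a DNS query with and without an
# EDNS0 OPT record and classify a constructed reply, entirely offline.
import struct
from typing import Optional, Tuple
def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed DNS labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, bufsize: Optional[int] = None,
                do_bit: bool = False, txid: int = 0x1234) -> bytes:
    """Recursive query; with bufsize set, append an OPT RR (type 41).
    Without OPT the server must assume the classic 512-byte UDP limit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if bufsize else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if bufsize:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-RCODE/version/flags (DO bit = 0x8000), RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def _skip_name(pkt: bytes, off: int) -> int:
    while True:                       # offset just past a (compressed) name
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if (ln & 0xC0) == 0xC0:       # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + ln

def edns_info(pkt: bytes) -> Tuple[int, bool]:
    """(advertised UDP payload size, DO bit); (512, False) without OPT."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:
            return rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return 512, False

def is_truncated(pkt: bytes) -> bool:
    """TC bit (0x0200): the answer did not fit the UDP size allowed."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & 0x0200)

def diagnose(query: bytes, reply: bytes) -> str:
    if not is_truncated(reply):
        return "complete"
    size, _ = edns_info(query)
    if size <= 512:
        return "truncated: no EDNS0, only 512 bytes allowed; retry over TCP"
    return "truncated: answer exceeds %d bytes; retry over TCP" % size

# Constructed reply: QR, TC, RD, RA set and no answer records, i.e. what a
# server sends when the signed answer will not fit the client's UDP size.
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                   + encode_name("www.nyc.gov") + struct.pack("!HH", 1, 1))
```

A reply that never arrives at all (server B's timeout) is the same problem one hop earlier: the oversized UDP datagram, or the TCP retry on port 53, was dropped in transit, which is consistent with the fix Xiao describes of raising the allowed DNS packet size.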
RE: about the file command
BIND doesn't require you to use any views by default. The way views work, one of them IS a default, so order of views is important. You would use the default as your catch-all.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Terry.
Sent: Tuesday, February 08, 2011 9:16 AM
To: bind-users@lists.isc.org
Subject: Re: about the file command

2011/2/8 Matus UHLAR - fantomas uh...@fantomas.sk:

On 08.02.11 17:40, Terry. wrote:

Can BIND's file command refer to more than one zone file? For example,

zone test.nsbeta.info {
  type master;
  file a.db;
  file b.db;
};

When a record doesn't exist in a.db, BIND will continue to look for it in b.db.

Afaik, no. Why would you want that?

For views catch-all. For example, named.conf has three views enabled by default; some users have three views set up, but some have only two views set up, so I want the catch-all solution for the lack of a view. Any suggestion?

Regards,
Terry.
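An added named.conf example, not either poster's configuration, illustrating the two points made in this thread and in "Slaves and views" above: views are tried in order with the catch-all last, and several master zones can share one "@"-based file. Names, addresses and paths are hypothetical. One caveat the shared-file trick does not cover: named refuses to let two zones write to the same file, so a slave zone still needs its own file in each view.

```conf
// Added example, not either poster's configuration. Names, addresses and
// paths are hypothetical; 192.0.2.0/24 is the documentation prefix.
options {
    directory "/var/named";
};

// named tries views top to bottom and uses the first one whose
// match-clients fits. The catch-all therefore goes LAST: a view with
// "any" placed first would shadow every view below it.
view "internal" {
    match-clients { 192.0.2.0/24; localhost; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.db";
    };
};

view "external" {
    match-clients { any; };           // catch-all for everyone else
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.db";
    };
    // Several alias zones, one master file. This works because aliases.db
    // uses "@" and relative names only, so each zone statement supplies
    // its own origin. (Slave zones cannot share a file: named refuses two
    // zones writing to the same file, so a slave needs one file per view.)
    zone "example.net"       { type master; file "aliases.db"; };
    zone "example-alias.org" { type master; file "aliases.db"; };
};

// aliases.db, a separate file, shown here as comments:
//   $TTL 3600
//   @    IN SOA   ns1.example.com. hostmaster.example.com. (
//                 2011030401 3600 900 1209600 300 )
//   @    IN NS    ns1.example.com.
//   @    IN A     192.0.2.10
//   www  IN CNAME @
```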
RE: get a domain's dns records
It checks for test.domain - I saw it do that for my zone. For us it isn't a subdomain but simply an A record. Apparently when it found your record it went ahead and did another check for your sub-zone. I'm surprised that it does not check for ftp.zone. Whenever we're doing acquisitions here that is one of the zones I find at most sites (though often enough it uses the same IP as the www.zone).

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of p...@mail.nsbeta.info
Sent: Friday, January 21, 2011 9:21 AM
To: Dave Knight
Cc: comp-protocols-dns-b...@isc.org; Barry Margolin
Subject: Re: get a domain's dns records

Dave Knight writes:

I guess the tool just always assumes that there's probably a www worth asking about

But how does the site know I have a sub domain test.nsbeta.info and its name servers? I didn't think that I had made this sub domain public.

Regards.
RE: DNSSEC with 9.7.2-P2
Not a hole if you look at the reasoning for Fedora itself. It has a short lifecycle and they expressly tell folks not to use it for Production due to this. It is meant to be bleeding edge for testing the latest/greatest. It is used as a test bed for what makes it into RHEL. For Production (RPM based system) you should use RHEL or CentOS, which has a much longer life cycle. (Speaking of which, RHEL6 was just put in general release this week.) Of course the downside to this is that they often don't have the latest BIND packages built, but they do backport security fixes from later BIND packages into the earlier one and do add some features from the later ones into the earlier one.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Phil Mayers
Sent: Friday, November 12, 2010 10:33 AM
To: bind-users@lists.isc.org
Subject: Re: DNSSEC with 9.7.2-P2

On 12/11/10 14:51, Alan Clegg wrote:

On 11/12/2010 7:49 AM, David Forrest wrote:

While running BIND 9.7.2-P2 built with defaults on F11 [..] and, on checking named.conf, I found the entry for br. as:

trusted-keys {
  br. 257 3 5 "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1NGbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hNx94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=";
};

If Fedora 11 (I'm assuming that is what F11 is) has built-in trust anchors in the distributed named.conf, someone needs to talk to them...

They have, by bundling a copy of dnssec-conf. In addition, there is no system scheduled cron job to update these IIRC - the expectation was that RPM updates would do the job - and sadly F11 is now off support, which is a bit of a hole in the reasoning :o(
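The static trusted-keys entry quoted above is what turns an unsupported distribution into a validation problem: an anchor nobody refreshes fails the moment the zone operator rolls its KSK. The following is an added named.conf fragment, not the Fedora dnssec-conf file, contrasting that static anchor with the RFC 5011 managed-keys mechanism BIND 9.7 supports; the key strings are placeholders and the directory path is assumed.

```conf
// Added example, not the Fedora dnssec-conf file. Key strings are
// placeholders; real anchors come from the zone operator out of band.

// Weak: a static anchor never changes on its own. When the zone operator
// rolls that KSK, or when (as with F11) nothing ships updates any more,
// answers under the zone fail validation and named returns SERVFAIL.
// Replace this block with the managed-keys statement below; do not keep
// both, because named uses the anchor closest to the name being validated
// and a stale static "br." key would override the chain from the root.
trusted-keys {
    "br." 257 3 5 "PLACEHOLDER-BASE64-KSK";
};

// Better (BIND 9.7+): managed-keys follows RFC 5011. The initial-key only
// seeds the process; named then tracks the zone's DNSKEY RRset, accepts
// new keys after the hold-down time and stores them in managed-keys.bind
// under "directory", which must therefore be writable by the named user.
// A zone whose DS is published in the signed root needs no anchor of its own.
managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64";
};

options {
    directory "/var/named";      // assumed path, writable by named
    dnssec-enable yes;
    dnssec-validation yes;       // validate with the anchors above
};
```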
Rules against links or certain links?
I've noticed a couple of times on this list that if I post links for certain on-line sites with free tools like whois that they never seem to make it to the list. Is there some prohibition against posting those links that would cause them to be filtered out? I know at least one of them also has pay services but it does provide free services including whois. Today I specifically didn't post that one but another one that (so far as I know) is all free, yet it hasn't appeared here either.

__
Jeff Lightner | UNIX/Linux Administrator | DS Waters of America, Inc | 5660 New Northside Drive, Ste 250 | Atlanta, GA 30328
(Direct Dial) 770-486-3516 | (Cell) 678-772-0018 | jlight...@water.com