RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Lightner, Jeff
It doesn't.   The systemd script either succeeds or fails.   Any script that is 
dependent on it succeeding won't start.   

Again it is a change.  

In init you'd see a start had failed (or was hung).  

In systemd it simply sends the instruction to start everything that is supposed 
to start.   The upside of this approach is that the rest of your startup 
succeeds as it runs asynchronously unless you've included a dependency for the 
thing that failed.   It also means a hung script doesn't stop your boot in its 
tracks like it did in init.   You can login and troubleshoot things.

The downside is you don't get the pretty display showing OK or FAILED for each 
script during boot because boot completing is NOT dependent on ALL scripts 
succeeding.

If it is important to you that certain things be up you need to set up 
monitoring.  We do that with Nagios here.

-Original Message-
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Wednesday, March 23, 2016 9:52 AM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

Lightner, Jeff <jlight...@dsservices.com> wrote:
>
> With systemd the methodology isn't that BIND notifies other things 
> that it is up.  It is that other things, if dependent upon BIND, have 
> in their systemd files a requirement that BIND be up before they start.

Yes, but how does systemd know when BIND is up?

(The Red Hat and five-ten-sg RPMs don't seem to have an answer.)

Tony.
--
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode 
Dogger, Fisher, German Bight, Humber: Northwest backing southwest 3 or 4, 
increasing 5 at times. Slight, occasionally moderate. Fog patches, rain at 
times. Moderate or good, occasionally very poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Lightner, Jeff
Since there are BIND packages (9.9.4) for RHEL7/CentOS7 available from default 
repositories you could download those packages and extract the systemd files 
from them and examine what they've done.

With systemd the methodology isn't that BIND notifies other things that it is 
up.  It is that other things, if dependent upon BIND, have in their systemd 
files a requirement that BIND be up before they start. 

That is different than Sys V init in which things started one after the other.  
 The idea is a systemd boot is much faster as it doesn't make things wait 
because of order but rather only where there are dependencies.

Also as an FYI Carl Byington regularly posts new builds he has done of BIND 
updates for RHEL/CentOS.  
The most recent email he sent was for BIND 9.10 and has a link to:
http://www.five-ten-sg.com/mapper/bind

I haven't used that myself but it probably also contains systemd examples you 
could extract.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Tony Finch
Sent: Wednesday, March 23, 2016 8:36 AM
To: Reindl Harald
Cc: bind-users@lists.isc.org
Subject: Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

Reindl Harald  wrote:
>
> > The problem that I alluded to above is that if you have services 
> > that depend on the DNS, there should be a mechanism for the DNS 
> > server to say when it is ready and that it's OK to start services 
> > that need DNS. I don't know the right way to specify that to 
> > systemd: maybe it needs a socket unit file as well?
>
> or just don't use "-f" and Type=forking
>
> https://www.freedesktop.org/software/systemd/man/systemd.service.html
>
> If set to forking, it is expected that the process configured with 
> ExecStart= will call fork() as part of its start-up. The parent 
> process is expected to exit when start-up is complete and all communication 
> channels are set up.

BIND does not do that - it forks too early. It's a bit tiresome.

    log_daemon_msg "Starting name server" "BIND"
    start-stop-daemon --start --oknodo --pidfile $PIDFILE \
        --name named --user named --group named \
        --startas $TOP/bin/named \
        -- -t $TOP -u named -c /etc/named.conf
    i=$(( $? ? 100 : 0 ))
    while [ $i -lt 100 ] &&
          ! rndc status >/dev/null 2>&1
    do  sleep 0.1
        i=$((i+1))
    done
    chmod g+r $RUN/session.key
    rndc status >/dev/null 2>&1
    log_end_msg $?

Tony.
--
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode 
Fair Isle, Faeroes: South or southwest 5 or 6, occasionally 7 later. Moderate 
or rough, occasionally very rough. Rain or showers. Moderate or good, 
occasionally poor.
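
Added example (not from the thread or from any distribution's package): the polling loop in the init script above, generalised into a readiness gate that a systemd unit could run from ExecStartPost=. The script path, the function names and the "run" argument are assumptions.

```shell
#!/bin/sh
# Readiness gate in the style of the init-script polling loop above.
# Hypothetical use in a named.service unit (path is an assumption):
#   ExecStartPost=/usr/local/sbin/named-wait-ready run
# systemd takes ExecStartPost= into account for After=/Before= ordering,
# so units ordered After=named.service start only once this has returned.

# wait_until_ready TRIES INTERVAL PROBE [ARGS...]
# Runs PROBE up to TRIES times, sleeping INTERVAL seconds after each
# failed attempt. Returns 0 as soon as PROBE succeeds, 1 if it never does.
wait_until_ready() {
    tries=$1
    interval=$2
    shift 2
    n=0
    while [ "$n" -lt "$tries" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep "$interval"
    done
    return 1
}

# Probe for BIND: rndc status succeeds only once named answers on its
# control channel, which is later than the moment the daemon forks.
named_is_ready() {
    rndc status
}

# Only act when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    # 100 tries x 0.1 s = 10 s budget, the same limits as the loop above.
    wait_until_ready 100 0.1 named_is_ready || {
        echo "named did not become ready within 10s" >&2
        exit 1
    }
fi
```

A non-zero exit from the gate makes the unit's start fail, so anything that requires it is not started against a name server that never came up.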


RE: about NS server authorize

2016-03-21 Thread Lightner, Jeff
As others said this isn't really a BIND issue.

EPP key is what some Registrars call the authorization code for domain 
registration transfers.   

Did you recently attempt to transfer this zone from one Registrar to another?   
Did you get confirmation that the transfer (not just the request for transfer) 
completed?   Before you requested the transfer did you unlock the domain?   If 
you don't unlock before transferring many Registrars will not only refuse the 
transfer but will block new transfer attempts for 30 days.


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of /dev/rob0
Sent: Monday, March 21, 2016 9:59 AM
To: bind-users@lists.isc.org
Subject: Re: about NS server authorize

On Mon, Mar 21, 2016 at 07:44:51PM +0800, supp...@cloudwebdns.com wrote:
> Hi,
> 
> ns5.cloudwebdns.com
> ns6.cloudwebdns.com
> 
> For these two nameservers (they are the native BIND 9), we can use 
> them to resolve the other domains like .com/.net/.org/.info etc.
> 
> But when we try to setup a .me domain to be resolved by them, from the 
> registrar's control panel, it gets failed, saying name server not 
> authorized.
> 
> This may be something wrong around EPP and host object.

I don't know what this means.  It is not a BIND question in any case.

> Can you help setup the host object with these two nameservers into 
> .me's registry?

No, Matus was right.  It sounds like you need to go to the .me registry for 
support.  If they have not "authorized" your servers to be authoritative for 
.me zones, only they can help you.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


RE: PCS, Corosync, Pacemaker, and Bind

2016-03-19 Thread Lightner, Jeff
You might want to try "ip a" vs ifconfig.   RHEL7 uses Network Manager and in 
the past I've found some things don't show up in ifconfig output when doing 
alias/virtual interfaces.  

Usually even when other products (e.g. Oracle RAC/GRID) create virtual 
interfaces they still show up as valid interfaces at host level.   I've not 
tried PCS/Corosync.

You might also look at arp output to see if it shows any traffic on a specific 
MAC.


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Phil Mayers
Sent: Wednesday, March 16, 2016 5:14 AM
To: bind-users@lists.isc.org
Subject: Re: PCS, Corosync, Pacemaker, and Bind

On 15/03/16 23:06, Mike Bernhardt wrote:

> So, I'm hoping that either
> 1) There is a way to tell BIND to use an IP address that is not on an 
> interface, or

I don't think there is.

I can think of all kinds of horrible workarounds - iptables SNAT, shell script 
doing a config-change & rndc reconfig on pcs failover.

But in general I'd agree with what Tony Finch said - give some thought to why 
you're caring about these source IPs.

TBH having used pcs/corosync I'm really curious what your use-case is. 
It seems massive overkill for having highly-available DNS.



RE: Bind9 on VMWare

2016-01-13 Thread Lightner, Jeff
We chose to do BIND on physical for our externally authoritative servers.  

We use Windows DNS for internal.   

One thing you should do if you're doing virtual is be sure you don't have your 
guests running on the same node of a cluster.   If that node fails your DNS is 
going down.   Ideally if you have multiple VMWare clusters you'd put your 
guests on separate clusters.




RE: Cloud DNS providers for secondary DNS

2015-12-30 Thread Lightner, Jeff
The OP mentioned notifying Registrars.   He'll also need to notify whoever his 
ISP is if he has arpa zones for reverse lookups and they are delegating to his 
name servers.


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John Levine
Sent: Tuesday, December 29, 2015 9:40 PM
To: bind-users@lists.isc.org
Subject: Re: Cloud DNS providers for secondary DNS

>On 30.12.2015 at 03:12, Luis Daniel Lucio Quiroz wrote:
>> You could use dyndns for that, but it is not free.
>
>do they provide anycast?

Yes, of course.  Dyn is one of the largest DNS providers in the world.

Their basic secondary service is $40/yr.

R's,
John


RE: Why two lookups for a CNAME?

2015-10-21 Thread Lightner, Jeff
Because the purpose of DNS primarily is to equate a name with an IP as 
applications talk to IPs not to names.   When you have a CNAME you’re equating 
one name with another name.   That other name then has to be looked up so the 
application knows what IP to access.

This saves time if you have multiple CNAMES to the same A record in that when 
you update DNS you only have to update that one A record.  You don’t have to 
use CNAMES to go to same IP – you could make each record an A record pointing 
to the same IP.   You’d then have to be sure you updated all the A records 
using that IP if you decided to change it to something else later (e.g. if you 
changed ISPs).

Obviously there is a small performance cost in CNAMES which is why you don’t 
want to have a CNAME to  another CNAME because that results in 3 lookups.   For 
most applications the single CNAME isn’t an issue but on occasion it is so you 
go the A record route instead.


From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Steve Arntzen
Sent: Wednesday, October 21, 2015 4:33 PM
To: bind-users
Subject: Why two lookups for a CNAME?


I'm sure there's a good, simple reason for this, I just can't seem to find the 
answer searching on the Internet.



Why does named perform a lookup for the A record when its IP is returned with 
the CNAME in the first answer?



Using dig, I find play.google.com is a CNAME for play.l.google.com.



When asked to resolve it, named will first look for play.google.com.  The 
result will include the CNAME and the IP of the A record.



Named then makes a second request to resolve the A record.



Thanks in advance,



Steve.

RE: init script

2015-09-29 Thread Lightner, Jeff
Which Linux or UNIX distribution and version are you using?

As Omer suggests most of them include a bind package with prebuilt init scripts 
- you can download the BIND package then extract the init scripts from it.   
(deb is for Debian derived Linux distros, rpm for Redhat derived distros - 
might be a different package setup for UNIX or other Linux distros)


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Omer Faruk SEN
Sent: Tuesday, September 29, 2015 9:25 AM
To: Leandro
Cc: bind-users@lists.isc.org
Subject: Re: init script

Use rpm or deb packages that have perfect init scripts in it

Sent via mobile device, excuse typos.

On 29 Sep 2015 at 16:07, Leandro wrote:

> Hi guys, about init script to control the bind daemon; After 
> successfully building bind 9.10, I'm doing:
> "bind -c /etc/named.conf -u bind" to start the service.
> and
> "killalll bind" to stop it.
> Now I would like to set an init script so I can set it to start on boot and 
> use the "service named start/stop/status" fashion command.
> Where can I get the init script for bind 9.10 ?
> 
> Regards,
> Leandro.
> 

RE: Multiple A and PTR and the "main" ones?

2015-09-11 Thread Lightner, Jeff
Actually some mail servers DO check not only that a PTR exists but also that it 
is not "generic".   

Every once in a while we get someone complaining because one of the big sites 
(Ebay?) refuses to accept their email due to the "generic" (as defined by that 
site's policies) nature of our PTR.   We typically ignore that because we've 
never seen this complaint from other mail servers and no one has ever provided 
a business use for the one site that is complaining.

Other than that I've never seen any complaint about what the actual PTR is so I 
can't imagine why you'd need more than one for the same IP.   Just pick the 
one that helps identify you for anyone that cares to look at IPs vs names.   

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald
Sent: Friday, September 11, 2015 8:50 AM
To: bind-users@lists.isc.org
Subject: Re: Multiple A and PTR and the "main" ones?



On 11.09.2015 at 14:42, Marek Kozlowski wrote:
> On 09/11/2015 02:36 PM, Reindl Harald wrote:
>> STAY ON LIST - the last time i had enough of repeating that an answer 
>> on a public ML is not an invitation for private support i got 
>> moderated...
>
> Oups! Sorry! :-( Sorry! Sorry!
>
> I'm sending this with the whole "history" of our conversation.
>
>> it is my opinion backed by dealing with DNS and email for many years 
>> facing all problems left and right we never had because the strict 
>> policy here that one IP has only one PTR
>>
>> what "official bad practice" do you need when you can see the 
>> problems otherwise would not be possible at your own?
>
> In the sense: "`best current practice' says something opposite".
> BTW: Are we talking on multiple PTRs for mail servers only or multiple 
> PTRs in general?

well, in fact mailservers because for other services PTR's are not that 
important or verified at all - if they are not verified why bother about it?

but what would you gain by having multiple PTR records at all for whatever 
server? that's in fact the only relevant question




RE: How to properly update chroot-bind

2015-07-28 Thread Lightner, Jeff
Since the OP says he's not in Production yet I'd strongly advise moving on to 
CentOS 7 for multiple reasons.  It has a new base version of BIND and also has a 
3.x kernel.

However, there is a learning curve because it also uses systemd rather than Sys 
V init.   The way bind-chroot runs is significantly different than it was on 
RHEL6 when you got to RHEL7.   (As noted CentOS versions are compiled from RHEL 
sources of the same versions.)

As noted previously on this list the version of  BIND you get with each major 
RHEL release (RHEL5, RHEL6, RHEL7) changes but the base version of BIND never 
gets updated to later BIND versions within each of these releases.  Instead 
RedHat backports security and some enhancements into the base they started with 
and add their own extended versioning.   This is true of CentOS because of its 
derivation.

There is someone on this list that does compile newer versions of BIND for RHEL 
so if you search the archive you can find newer versions than are shipped by 
RHEL/CentOS.   

Also CentOS does have extended repositories beyond those RHEL has so you may 
find something newer there.   

CentOS by the way is not supported so if you're using CentOS vs RHEL worrying 
about supported shouldn't be an issue for you.   (RHEL is supported if you 
pay for the subscriptions.)


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
Sent: Tuesday, July 28, 2015 7:58 AM
To: bind-users@lists.isc.org
Subject: Re: How to properly update chroot-bind

On 28.07.2015 at 10:56, Matus UHLAR - fantomas wrote:
but you *never ever* should only update specific packages on a 
RHEL/CentOS system because that is *not supported and tested* at all

No? What are dependencies for, then?
Or don't yum/RPM support them in the way debian does?
(that is why it's quite easy to have mixed Debian... we have machine 
with mix of debian 5,6,7 and even 8... not that It's good idea)

On 28.07.15 11:22, Reindl Harald wrote:
CentOS is a RHEL clone except that there are no updates for older point 
releases

it was multiple times stated by the maintainers on the mailing list 
that you have to apply *all* errata updates nothing else is supported

it's not a matter of dependencies, it's just a matter of what 
combinations of packages are tested for regressions and the fact that 
there are no updates for RHEL without a good reason

how does dependencies help when there was a critical bug fixed in 
package A which may hit your updated version of package B because the 
combination of that versions never was tested

feel free to ignore that but you are at your own if things behave 
unexpected when the developers say just only use 'yum upgrade'
which applies also for minor releases, when CentOS 6.7 is out there 
will be no single update for CentOS 6.6 packages and hence yum 
upgrade brings you to CentOS 6.7 in a few weeks which is from that 
moment on the only supported CentOS 6.x

yes, this is a good explanation, I believe for the OP too.

not supported can of course mean working without problems, however I agree 
there's no point in only updating BIND itself.

Still, the OP can stick with provided BIND 9.8 that is in CentOS6, update to 
CentOS 7 or compile his own BIND version (and provide support for
themselves)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


RE: stumped on sub domain addition

2015-07-23 Thread Lightner, Jeff
Your A record is working on a dig +trace and also working when I do dig 
@ns10.euca.us and dig @ns11.euca.us.

This suggests the record (or nxrecord) is cached somewhere for normal lookups 
and will likely be OK after that cache expires.

Record returned:
onqsolutions.euca.us.   21600   IN  A   209.236.238.19

In your SOA you have (in addition to the rest of the record):
2015072342  ; Serial 
That suggests you updated the record today (07/23) and it automatically updated 
serial number when you did it.

Jeffrey C. Lightner
Sr. UNIX/Linux Administrator
 
DS Services of America, Inc.
2300 Windy Ridge Pkwy
Suite 600 N
Atlanta, GA  30339-8461
 
P: 678-486-3516
C: 678-772-0018
F: 678-460-3603
E: jlight...@dsservices.com


-Original Message-
From: lists - euca [mailto:li...@euca.us] 
Sent: Thursday, July 23, 2015 2:23 PM
To: Lightner, Jeff
Cc: Bind Users Mailing List
Subject: Re: stumped on sub domain addition

Thanks for the responses.


On Jul 23, 2015, at 12:37 PM, Lightner, Jeff jlight...@dsservices.com wrote:

 Did you change the sequence/serial in the SOA and reload the zone?


No, I am using 'smbind' to administer bind, and it appears to not let me do 
that. I don't know if it does an 'auto reload' or not, but I've never had a 
problem with the 500+ domains that are on it as of yet, so I'm guessing it does.


  
 Doing dig tests for euca.us I get its A record and for www.euca.us I get 
 its CNAME.  
  
 That suggests you didn't setup onqsolutions record properly.   Looking at 
 your www CNAME in your zone file might let you know how to setup the one for 
 onqsolutions.   Don't forget to put the dot at end of CNAME record like you 
 see for WWW.
  
 Jeffrey C. Lightner

 [snip]

 From: bind-users-boun...@lists.isc.org 
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John Miller
 Sent: Thursday, July 23, 2015 1:17 PM
 Cc: Bind Users Mailing List
 Subject: Re: stumped on sub domain addition
  
 Hi Donovan,
 
 Your zone file(s) as well as your named.conf config would be best here.  We 
 really need more information from you than a single fqdn.



Here is the file that smbind created  (note that I have been making some 
changes):
$TTL   21600
@               IN  SOA     ns10.euca.us. hostmaster.euca.us. (
                            2015072342  ; Serial
                            10800       ; Refresh
                            7200        ; Retry
                            604800      ; Expire
                            21600 )     ; Negative Cache TTL
;
@               IN  NS      ns10.euca.us.
@               IN  NS      ns11.euca.us.
@               IN  A       209.236.238.19
@               IN  MX      10  mail.euca.us.
design          IN  CNAME   @
dev             IN  CNAME   @
elatia          IN  A       209.236.238.19
ftp             IN  A       209.236.238.19
mail            IN  A       209.236.238.18
mail2           IN  A       209.236.238.18
ns10            IN  A       209.236.238.21
ns11            IN  A       209.236.238.22
onqsolutions    IN  A       209.236.238.19
www             IN  CNAME   @
www-tek         IN  CNAME   @


 
 John
 --
 John Miller


RE: com.google how did they do that

2015-04-02 Thread Lightner, Jeff
Not all the new TLDs are company specific.   Some are more generic but useful 
to certain industries.

There are 2 or 3 TLDs that I assume will appear sooner or later and I really 
wish I had the capital to make them as I know as soon as they are available 
many companies will use them so they'd become nice revenue streams.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mike Hoskins (michoski)
Sent: Wednesday, April 01, 2015 6:43 PM
To: Reindl Harald; bind-users@lists.isc.org
Subject: Re: com.google how did they do that

-Original Message-
From: Reindl Harald h.rei...@thelounge.net
Organization: the lounge interactive design
Date: Wednesday, April 1, 2015 at 2:44 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: com.google how did they do that


On 01.04.2015 at 20:42, Thomas Schulz wrote:
 As of the time I am sending this, you can point your browser to 
 http://com.google and get a web page. How did they get com.google to 
 resolve?

.google is just another new TLD

Wow.  I see the trend now -- .hp, .ibm, .cisco -- everyone will now have 
www.company.  (Please, let's not.)

..then again, I'd claim .evil if I had a few billions.



RE: subdomain with domain

2015-04-01 Thread Lightner, Jeff
You can do subdomains with the one zone file rather than having separate zones 
you just have to put a new ORIGIN for the subdomain.

In the domain file for domain after the SOA and existing records (NS, A, 
CNAME etc...) add a line:

$ORIGIN _msdcs.domain.    ; New subdomain

Then add the records (A, CNAME, SRV etc...) that you want for that subdomain.   
(You don't need to add SOA, NS etc... unless they're different for the 
subdomain)





Jeffrey C. Lightner
Sr. UNIX Administrator
 
DS Services of America, Inc.
2300 Windy Ridge
Suite 600 N
Atlanta, GA  30339
 
P: 770-933-1400 ext.3516
C: 678-772-0018
F: 678-460-3603
E: jlight...@dsservices.com

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Graham Clinch
Sent: Wednesday, April 01, 2015 11:56 AM
To: Jeff Sadowski; bind-users@lists.isc.org
Subject: Re: subdomain with domain

 zone _msdcs.domain {
 [..]
  file data/db.192.168.1.2.slave;
 };
 zone domain {
 [..]
  file data/db.192.168.1.2.slave;
 };

Both zones are being backed by the same file, so one will be overwriting the 
other.  This may not be the cause of the half-working situation, but it won't 
be helping.  Do the bind logs (not sure where Fedora puts them though - 
/var/log/messages?) contain any errors?

Unless domain is really '192.168.1.2', I would suggest naming your file after 
the zone that it is going to contain - e.g.

file data/db._msdcs.domain;
and
file  data/db.domain;

Graham


Recall: subdomain with domain

2015-04-01 Thread Lightner, Jeff
Lightner, Jeff would like to recall the message, subdomain with domain.
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you




RE: Single slave zone definition for two view (cache file name problem)

2015-03-18 Thread Lightner, Jeff
It isn't really that hard to maintain two separate zone files for each domain.  
 We've been doing it for years.

It isn't really clear why you're using views if all your zone files are the 
same as you seem to imply.   Here we do views specifically because for some 
domains the zone files DO need to be different between internal and external 
views.   While others are the same as I noted before it is very easy to simply 
edit one file then copy it to the other. 


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Konstantin Stefanov
Sent: Wednesday, March 18, 2015 6:31 AM
To: bind-users@lists.isc.org
Subject: Re: Single slave zone definition for two view (cache file name problem)

On 18.03.2015 13:22, Matus UHLAR - fantomas wrote:
 On 18.03.15 12:05, Constantin Stefanov wrote:
 I can't. It stopped working after upgrade to 9.10, but worked 
 before with 9.6. And the question is how to keep the config as 
 simple as it was before upgrade.

 I mean, the in-view definitions...
 
 On 18.03.15 13:10, Konstantin Stefanov wrote:
 So now I have to have two definitions for every slave zone in 
 different files. Well, it is the thing I did, but I do not like it.

 Requirement to have 2 synced definitions in 2 different places leads 
 to bugs.
 
 and what did you have before? 
 multiple definitions of the same zones with the same filenames, which 
 leads to bugs (although you were lucky not to encounter them)
Yes, I was lucky and everything worked for me as I thought it had to be.

 
 now you can have:
 
 definitions of zones with filename in one general view
 
 file with definitions of zones with in-view.
 
 multiple inclusions of the file in multiple views.
And now I am unlucky as I have to make my config more complex, confusing and 
bug-prone to achieve the same effect.

But I'm lucky enough to have three options to choose how to spoil my config.

 
 the only other way is stop using views...
 ... you still can stop using views.
And I can still stop using DNS.

If I only could stop using views, I would not ask the question.

--
Konstantin Stefanov,

Research Computing Center
M.V Lomonosov Moscow State University


RE: Single slave zone definition for two view (cache file name problem)

2015-03-17 Thread Lightner, Jeff
4.x would be quite ancient.   Where are you getting those version numbers?   
You should be using 9.x these days so I suspect the BIND version isn't what you 
think it is.   Is it possible the version you're reporting is your OS rather 
than your BIND?

What is reported when you run named -v?

Anyway what we do is in our views is simply name the internal zone files the 
same as external and prepend internal- to the name.

e.g. myzone.com = external zone file
internal-myzone.com = internal zone file.

If they're the same you can simply copy from one to the other.   Sometimes they 
are not the same which is why you have views in the first place.




-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Constantin Stefanov
Sent: Tuesday, March 17, 2015 10:37 AM
To: bind-users@lists.isc.org
Subject: Single slave zone definition for two view (cache file name problem)

Hello.

After upgrading from BIND 4.6 to 4.10.2, named requires that different slave 
zones have separate files for cache.

With 4.6 I had the following config:

named.conf:

view internal {
match /* match condition */;
include common.zones;
};

view external {
match /* match condition */;
include common.zones;
};

common.zones:

zone aaa.example.org {
type slave;
file slave/aaa.example.org;
masters {MASTERIP;};
};

It worked fine with 4.6 (although it was considered incorrect).

After upgrade to 4.10 named started complaining:

common.zones:3: writeable file 'slave/aaa.example.org': already in use:
common.zones:3

As I understand, now I need to have separate files for different views.

But is there a way to have them automatically assigned and to write something 
like:

file slave/aaa.example.org.${view_name}

or any other way to have only one definition for common zones?

I found 'in-view' option, but again it requires two definitions for every zone: 
one with file and masters directives, and another with in-view option. 
Moreover, these two definitions must be in different files, as I have to 
include one in first view, and another (with
'in-view') in all other views, so I have to keep two separate files synced with 
one another.

So is it possible to have only one definition for slave zones that are shared 
between different views?

--
Konstantin Stefanov,

Research Computing Center
M.V Lomonosov Moscow State University
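
One way to keep a single definition per shared slave zone while using `in-view`, as an added example that is not part of the original thread: a small generator that emits both include files from one zone list, so the two files cannot drift apart. The zone names, view name, directory, master addresses and function names are assumptions made for illustration.

```python
"""Emit the two include files that `in-view` needs from one zone list.

Constructed example: zone names, view name, directory and master addresses
(documentation range 192.0.2.0/24) are placeholders, not values from the thread.
"""
import ipaddress
import re

# Single source of truth for the shared slave zones (constructed data).
ZONES = {
    "aaa.example.org": ["192.0.2.1"],
    "bbb.example.org": ["192.0.2.1", "192.0.2.2"],
}

_LABEL = re.compile(r"[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?")
_VIEW = re.compile(r"[A-Za-z0-9_-]+")


def check_zone_name(name):
    """Return a normalised zone name, or raise if it is unsafe to embed.

    The name ends up inside a quoted config string and a file path, so
    anything other than plain DNS labels (quotes, slashes, '..') is rejected.
    """
    normalised = name.rstrip(".").lower()
    labels = normalised.split(".")
    if len(normalised) > 253 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"refusing unsafe zone name: {name!r}")
    return normalised


def render_owner_view(zones, directory="slave"):
    """Full slave definitions, included only in the view that owns the files."""
    blocks = []
    for name in sorted(zones):
        zone = check_zone_name(name)
        # ip_address() raises ValueError on anything that is not an IP literal.
        masters = " ".join(f"{ipaddress.ip_address(ip)};" for ip in zones[name])
        blocks.append(
            f'zone "{zone}" {{\n'
            f"    type slave;\n"
            f'    file "{directory}/{zone}";\n'
            f"    masters {{ {masters} }};\n"
            f"}};\n"
        )
    return "\n".join(blocks)


def render_other_views(zones, owner_view):
    """References for every other view; the owner view must be defined first."""
    if not _VIEW.fullmatch(owner_view):
        raise ValueError(f"refusing unsafe view name: {owner_view!r}")
    return "".join(
        f'zone "{check_zone_name(name)}" {{ in-view "{owner_view}"; }};\n'
        for name in sorted(zones)
    )


if __name__ == "__main__":
    print('# include this file inside view "internal" only')
    print(render_owner_view(ZONES))
    print("# include this file inside every later view")
    print(render_other_views(ZONES, "internal"))
```

Only one writable file exists per zone, so the "already in use" check passes, and the second file is regenerated rather than edited by hand.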


RE: Config large tuning and out of memory

2015-03-03 Thread Lightner, Jeff
CentOS 5.x does have a 64 bit version.   5.2 is quite old - they're up to 5.10 
or 5.11 these days.   I don't think you can just change from 32 bit to 64 bit - 
I think it requires a reinstall from the 64 bit installation media.  

If you have to do a reinstall you're better off going to at least CentOS 6 
because RHEL5 (and therefore CentOS 5) should be nearing end of life.   Even 
better would be to go to CentOS 7 given it is the latest release so will have a 
much longer lifespan.

If you're running any other applications on the server you'd want to verify 
they don't have a problem running on a 64 bit OS before doing any upgrade.  
Some applications are 32 bit only and may run fine on a 64 bit OS (you can 
usually install both 32 bit and 64 bit versions of most RPMs).   However, 32 
bit applications may have reduced performance on a 64 bit OS.

If you do have to reinstall and choose to go to later release you'd of course 
want to be sure any applications will run on that later release.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Rich Goodson
Sent: Tuesday, March 03, 2015 11:44 AM
To: Job
Cc: bind-users@lists.isc.org
Subject: Re: Config large tuning and out of memory

Job,

I won't go in to this in detail, as it's more complicated than your 32 bit 
system can't address more than 4GB of RAM, but your 32 bit OS is almost 
certainly your problem.  Most of your 16GB of RAM is unused due to OS 
limitations.  

I'd recommend upgrading to a 64 bit OS, then compile a 64 bit version of BIND 
with your compile time options. 

-Rich

 On Mar 3, 2015, at 10:05 AM, Job j...@colliniconsulting.it wrote:
 
 Hello Rich,
 we are on 32 bit system, CentOS 5.2
 
 Thank you
 
 
 From: Rich Goodson [rgood...@gronkulator.com]
 Sent: Tuesday, 3 March 2015 17.01
 To: Job
 Cc: bind-users@lists.isc.org
 Subject: Re: Config large tuning and out of memory
 
 Is your binary 64 bit, or 32?
 
 Rich
 
 On Mar 3, 2015, at 9:54 AM, Job j...@colliniconsulting.it wrote:
 
 Hello,
 
 i recompiled Bind 9.10.1-P1 with system large tuning enabled.
 I have some hundreds of view (with DLZ) in our system.
 
 With this feature compiled in, bind does not start:
 
 Mar  3 16:50:45 cloud02gw named[13338]: reloading configuration failed: out 
 of memory
 
 I have 16 Gb of RAM, and about 14 almost free!
 
 Where is the matter?
 
 Thank you
 Francesco


RE: Request to provide procedure for bind upgrade

2015-02-16 Thread Lightner, Jeff
Good point.

Fedora isn't really a good choice for Production systems - it is bleeding edge 
with short life cycle (usually new version is out 6 months later and they only 
support the most recent 2.)

Fedora is used as a test bed for what ends up in RHEL later.   RHEL has much 
longer life cycle but requires a paid subscription for updates.   CentOS is a 
binary recompile from RHEL sources that doesn't require a paid subscription.   
The question is whether you need vendor support for the OS.  If yes then RHEL 
would be the way to go.  If not CentOS would work.

Note that RHEL6 and CentOS6 are NOT the same as Fedora 6 - they are much later. 
  Also RHEL7 and CentOS7 are out so if you're reloading to new OS you should 
start with those rather than RHEL6/CentOS6.


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Chuck Anderson
Sent: Monday, February 16, 2015 11:17 AM
To: Sundram Bharti
Cc: bind-users@lists.isc.org
Subject: Re: Request to provide procedure for bind upgrade

Fedora Core 6 is no longer supported.  It went End-Of-Life in 2007:

http://en.wikipedia.org/wiki/Fedora_%28operating_system%29#Releases

On Mon, Feb 16, 2015 at 10:16:37AM -0500, Sundram Bharti wrote:
 Hi Team,
 
 My DNS current version is BIND 9.8.4-P1 and OS is Fedora Core 
 release 6 (Zod).
 
 So could you let me know.
 
 _yum update named_ works for upgrade to current version, if yes then 
 what will be the fall back procedure of upgrade fails?


RE: Request to provide procedure for bind upgrade

2015-02-16 Thread Lightner, Jeff
The package is “bind” not “named”.   The daemon is called “named”.   You can 
type “rpm -qf $(which named)” to determine which package installed that daemon. 
  (Likely it was bind.)

Also if you’re running the chroot’ed version you’d want the package 
“bind-chroot”.

I’d suggest you run “rpm -qa |grep -i bind” to see what BIND packages you have 
installed.   Note you should ignore things like “ypbind” if installed as that 
is part of NIS rather than BIND.

You can then do “yum list package” against packages to see if there are newer 
versions without installing them.

e.g.  if you saw things like bind-libs, bind-utils, bind, system-config-bind, 
bind-chroot in the output of “rpm -qa” (it will also show version on these)

Do “yum list bind-libs bind-utils bind system-config-bind bind-chroot” which 
will show you both the installed versions you have and the latest available 
packages for update in the repository.

Ideally you have more than one DNS server and would only update one, test it to 
be sure everything is working, then update the next one.



From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sundram Bharti
Sent: Monday, February 16, 2015 10:17 AM
To: bind-users@lists.isc.org
Subject: Request to provide procedure for bind upgrade

Hi Team,

My DNS current version is BIND 9.8.4-P1 and OS is Fedora Core release 6 
(Zod).

So could you let me know.

yum update named works for upgrade to current version, if yes then what will 
be the fall back procedure of upgrade fails?



--

BR//

Sundram Bharti

+919717977886

RE: Getting Error || unable to convert errno to isc_result

2015-02-11 Thread Lightner, Jeff
On RHEL the kernel doesn't change within the main release (RHEL6) in this case 
will always be 2.6.32-xx and RHEL does the support including back porting 
bug and security fixes into their extended release (which isn't the same as the 
base kernel).   They do the same thing for the BIND release they support within 
the main RHEL release.

To go to a 3.x kernel one would have to go to RHEL7 but that isn't necessary 
given the way RedHat does support. 

Jeffrey C. Lightner
Sr. UNIX Administrator
 
DS Services of America, Inc.
2300 Windy Ridge
Suite 600 N
Atlanta, GA  30339
 
P: 678-486-3516
C: 678-772-0018
F: 678-460-3603
E: jlight...@dsservices.com


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Daniel Ryslink
Sent: Wednesday, February 11, 2015 3:33 PM
To: bind-users@lists.isc.org
Subject: Re: Getting Error || unable to convert errno to isc_result

Hello

What uncle Google found for me:

http://www.bind9.net/BIND-FAQ

Quote:

Q:
Why do I get the following errors:

general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad address
client: UDP client handler shutting down due to fatal receive error: 
unexpected error

A:
This is the result of a Linux kernel bug.
See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2

Kernel 2.6.32 end of support date was 6/1/2014, and if I am not mistaken, Bind 
9.8 is not supported anymore either (only branches 9.9 and 9.10)

I don't want to bother you with obvious answers, but IMO you should consider 
upgrading to supported versions of both your OS and BIND, since there were some 
serious security issues reported and patched lately and your vulnerable system 
may be at a risk.

Maybe ISC people will have some solution for you, but generally, people are 
encouraged to keep up with the supported versions.

--
Best Regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.rysl...@dialtelecom.cz
---
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
---

On 02/11/2015 01:04 PM, Md. Mahbubul Alam Reyad wrote:
 Hi Mukund

 Its bind-9.8.2-0.23 and the OS is Red Hat Enterprise Linux Server 
 release 6.0 (kernel- 2.6.32-431.17.1.el6.x86_64)

 Sincerely Yours
 ---
 Md. Mahbubul Alam Reyad
 Assistant Manager
 CORE-IP Network || Technology
 Cell: +880 1976672281 || Skype: new_reyad www.qubee.com.bd T +88 02 
 8812113 || F +88 02 8812115


 -Original Message-
 From: bind-users-boun...@lists.isc.org 
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund 
 Sivaraman
 Sent: Wednesday, February 11, 2015 5:43 PM
 To: Md. Mahbubul Alam Reyad
 Cc: bind-users@lists.isc.org
 Subject: Re: Getting Error || unable to convert errno to isc_result

 Hi Mahbubul

 On Wed, Feb 11, 2015 at 11:39:19AM +, Md. Mahbubul Alam Reyad wrote:
 Hi all

 Recently I am getting the following error in my DNS. Can anyone know the 
 reason, impact  solution of this error?

 general: error: unable to convert errno to isc_result: 92: Protocol 
 not available
 general: error: socket.c:1700: unexpected error:
 Which version of BIND is this? What OS (and its version) are you using it on?

   Mukund

RE: Getting Error || unable to convert errno to isc_result

2015-02-11 Thread Lightner, Jeff
Possible yes but I'd suspect it had been addressed if it were severe enough - I 
haven't actually looked at it.   Another poster suggested a later update to 
BIND that is available in RHEL repository that may have addressed it if the 
version the OP has doesn't.

I just wanted to make the note about RHEL's methodology as it confuses folks 
(and security scanning tools) that only look at the base upstream version 
component of a package name rather than RHEL's extended versioning in the name. 
  RedHat sends errata alerts when they address things to let folks know to 
update packages to their latest extended version. Just because you see a 
kernel 2.6.32 it doesn't mean it is exactly the same as the upstream vanilla 
version with that number.   It DOES mean that NEW features in upstream versions 
such as 3.x won't be there (unless of course a security issue that affects 3.x 
is found to also affect 2.6.32 at which point they'll backport).

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Daniel Ryslink
Sent: Wednesday, February 11, 2015 5:04 PM
To: bind-users@lists.isc.org
Subject: Re: Getting Error || unable to convert errno to isc_result

Okay, sorry, did not know about the backporting.

Still, isn't it possible that this old bug is still present in this version of 
RHEL6?

--
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.rysl...@dialtelecom.cz
---
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
---

On 02/11/2015 10:32 PM, Lightner, Jeff wrote:
 On RHEL the kernel doesn't change within the main release (RHEL6) in this 
 case will always be 2.6.32-xx and RHEL does the support including back 
 porting bug and security fixes into their extended release (which isn't the 
 same as the base kernel).   They do the same thing for the BIND release they 
 support within the main RHEL release.

 To go to a 3.x kernel one would have to go to RHEL7 but that isn't necessary 
 given the way RedHat does support.



 -Original Message-
 From: bind-users-boun...@lists.isc.org 
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Daniel Ryslink
 Sent: Wednesday, February 11, 2015 3:33 PM
 To: bind-users@lists.isc.org
 Subject: Re: Getting Error || unable to convert errno to isc_result

 Hello

 What uncle Google found for me:

 http://www.bind9.net/BIND-FAQ

 Quote:

 Q:
 Why do I get the following errors:

 general: errno2result.c:109: unexpected error:
 general: unable to convert errno to isc_result: 14: Bad address
 client: UDP client handler shutting down due to fatal receive error:
 unexpected error

 A:
 This is the result of a Linux kernel bug.
 See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2

 Kernel 2.6.32 end of support date was 6/1/2014, and if I am not 
 mistaken, Bind 9.8 is not supported anymore either (only branches 9.9 
 and 9.10)

 I don't want to bother you with obvious answers, but IMO you should consider 
 upgrading to supported versions of both your OS and BIND, since there were 
 some serious security issues reported and patched lately and your vulnerable 
 system may be at a risk.

 Maybe ISC people will have some solution for you, but generally, people are 
 encouraged to keep up with the supported versions.

 --
 Best Regards,
 Daniel Ryšlink
 System Administrator

 Dial Telecom a. s.
 Křižíkova 36a/237
 186 00 Praha 3, Česká Republika
 Tel.:+420.226204627
 daniel.rysl...@dialtelecom.cz
 ---
 www.dialtelecom.cz
 Dial Telecom, a.s.
 Simply connect
 ---

 On 02/11/2015 01:04 PM, Md. Mahbubul Alam Reyad wrote:
 Hi Mukund

 Its bind-9.8.2-0.23 and the OS is Red Hat Enterprise Linux Server 
 release 6.0 (kernel- 2.6.32-431.17.1.el6.x86_64)

 Sincerely Yours
 ---
 Md. Mahbubul Alam Reyad
 Assistant Manager
 CORE-IP Network || Technology
 Cell: +880 1976672281 || Skype: new_reyad www.qubee.com.bd T +88 02
 8812113 || F +88 02 8812115


 -Original Message-
 From: bind-users-boun...@lists.isc.org 
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund 
 Sivaraman
 Sent: Wednesday, February 11, 2015 5:43 PM
 To: Md. Mahbubul Alam Reyad
 Cc: bind-users@lists.isc.org
 Subject: Re: Getting Error || unable to convert errno to isc_result

 Hi Mahbubul

 On Wed, Feb 11, 2015 at 11:39:19AM +, Md. Mahbubul Alam Reyad wrote:
 Hi all

 Recently I am getting the following error in my DNS. Can anyone know the 
 reason, impact  solution of this error?

 general: error: unable to convert errno to isc_result: 92: Protocol 
 not available
 general: error: socket.c:1700: unexpected error:
 Which version of BIND is this? What OS (and its version
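
The point made at the top of this message about scanners that read only the upstream version, shown as an added example that is not part of the original thread: the same package is judged once by upstream version alone and once by version plus release against the advisory's fixed package. The installed strings come from the thread; the "fixed in" values and all function names are constructed placeholders, and the comparison is a simplified rpmvercmp without epoch, tilde or caret handling.

```python
"""Compare a backported RPM against an advisory: upstream-only vs. full EVR.

Constructed example: the "fixed in" values below are placeholders, not real
errata data. Simplified rpmvercmp: no epoch, tilde or caret handling.
"""
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 using RPM-style segment comparison."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats letters
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1  # extra segments mean newer


def split_nvr(nvr):
    """Split 'name-version-release'; the name itself may contain hyphens."""
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    return tuple(parts)


def assess(installed_nvr, upstream_fixed_version, errata_fixed_nvr):
    """Report what each method concludes about the installed package."""
    name, version, release = split_nvr(installed_nvr)
    fixed_name, fixed_version, fixed_release = split_nvr(errata_fixed_nvr)
    if name != fixed_name:
        raise ValueError("advisory is for a different package")
    # Method 1: what a scanner sees if it reads only the upstream version.
    upstream_only = rpmvercmp(version, upstream_fixed_version) < 0
    # Method 2: version first, then the vendor release that carries backports.
    evr = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return {"upstream_only_flags": upstream_only, "errata_flags": evr < 0}


if __name__ == "__main__":
    cases = [
        # (installed, upstream "fixed in" placeholder, errata "fixed in" placeholder)
        ("bind-9.8.2-0.23", "9.9.6", "bind-9.8.2-0.99.el6"),
        ("bind-9.8.2-0.99.el6", "9.9.6", "bind-9.8.2-0.99.el6"),
        ("kernel-2.6.32-431.17.1.el6", "3.2", "kernel-2.6.32-431.17.1.el6"),
    ]
    for installed, upstream, errata in cases:
        print(installed, assess(installed, upstream, errata))
```

The second and third cases are flagged by the upstream-only check even though the installed release already matches the advisory's fixed package.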

RE: SRV records etc

2015-02-11 Thread Lightner, Jeff
SRV definitely still required for some applications.   Some cloud based 
application providers have you add them to verify you own the domain to which 
they're tying their services so you don't use them to hijack other people's 
domains.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: Tuesday, February 10, 2015 9:14 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: SRV records etc

In article mailman.1603.1423618610.26362.bind-us...@lists.isc.org,
 Kevin Oberman rkober...@gmail.com wrote:

 HINFO is getting pretty rare. The security issues are pretty obvious 
 and its advantages are rather limited.

I thought they were deprecated ages ago, but I can't find anything official 
about that.

--
Barry Margolin
Arlington, MA


RE: Change in behaviour regarding ndots and searchlist

2014-09-15 Thread Lightner, Jeff
I've begun seeing this recently in nslookup on Windows workstations as well.
It appears it is appending search domains even when I've specified an FQDN.   
That is I have two search domains such as ex1.com and ex2.net and I typed short 
name ralph for nslookup or host it would give me ralph.ex1.com IP if it 
existed or ralph.ex2.net if the ralph.ex1.com didn't exist and the latter 
did.   Now what I'm seeing is even if I specify ralph.ex1.com it is looking 
up and failing on ralph.ex1.com.ex2.net.

If I put a dot at the end of the FQDN (e.g. ralph.ex1.com. instead of just 
ralph.ex1.com) it doesn't do that.   The Windows admins recently built a 
couple of new domain controllers for Windows DNS so I assumed it had something 
to do with those.   Do you by any chance have Windows DNS in your environment?

There was an article posted last week to this forum regarding bleed over of 
internal domains to the internet and vice-versa when one is using a domain 
internally that might be registered to someone else externally which is the 
case in our environment.   It may also be that the issue is because the 
formerly externally registered domain appears to have gone to expired/renewal 
status recently and it may be the Registrar is somehow causing this bleed over 
effect in the way they present records.




-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
Sent: Monday, September 15, 2014 5:16 AM
To: BIND Users
Subject: Re: Change in behaviour regarding ndots and searchlist


Partially qualified names are DANGEROUS.  You really do not want to use them 
ever no matter how convenient or useful they appear to be.

In message 20140915083532.ga29...@danton.fire-world.de, Sebastian Wiesinger w
rites:
 Hello,

 I noticed a change in the host tool in regard to how searches are done
 when there are = ndots dots in the query. In the following case
 ndots is always nonexistent in the configuration.

 With bind 9.8 (Debian 1:9.8.4.dfsg.P1):

 $ host -d test.example
 Trying test.example
 Received 105 bytes from 127.0.0.1#53 in 6 ms Trying
 test.example.office.example.com
 Trying test.example.backup.example.org
 Trying test.example.example.com
 Trying test.example.example.org
 Trying test.example.winzone.example.com
 Trying test.example.nms.example.com
 Host test.example not found: 3(NXDOMAIN) Received 104 bytes from
 127.0.0.1#53 in 1 ms


 With bind 9.9 (Debian 1:9.9.5.dfsg-4~bpo70, same on Ubuntu
 1:9.9.5.dfsg-3):

 $ host -d test.example
 Trying test.example
 Host test.example not found: 3(NXDOMAIN) Received 105 bytes from
 127.0.0.1#53 in 15 ms Received 105 bytes from 127.0.0.1#53 in 15 ms


 So with host from bind 9.8 the absolute name is tried first and
 after that the search list is tried.

 With bind 9.9 this is no longer the case.

 Does anyone know if that was a deliberate change? I liked the old
 behaviour because I could search for internal subdomains without
 specifying/knowing the full FQDN.

 As a workaround I raised the ndots value to 2 but that increases the
 number of queries because the searchlist is tried first for things
 like linux.org. Also it increases the potential for MITM as
 linux.org.example.com. is tried first.

 Regards

 Sebastian

 --
 GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0
 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS
 NOTICE THE SCYTHE.
 -- Terry Pratchett, The Fifth Elephant
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Athena(r), Created for the Cause(tm)
Making a Difference in the Fight Against Breast Cancer

__
CONFIDENTIALITY NOTICE: This e-mail may contain privileged

or confidential information and is for the sole use of the intended

recipient(s). If you are not the intended recipient, any disclosure,

copying, distribution, or use of the contents of this information

is prohibited and may be unlawful. If you have received this electronic

transmission in error, please reply immediately to the sender that

you have received the message in error, and delete it. Thank you


RE: Change in behaviour regarding ndots and searchlist

2014-09-15 Thread Lightner, Jeff
While the final dot has been required within zone files to prevent unwanted 
appendages to records it has NOT been required by tools such as host and 
nslookup on either Windows or Linux/UNIX which routinely use search domains.  
 As I noted this is something that seems to have changed recently.   It 
doesn't happen for every record either so we're just now looking into what has 
changed and as stated I suspect it is the new Windows Domain Controllers 
recently installed.

The article I mentioned posted last week does suggest that using short names is 
a bad idea now due to the new plethora of TLDs and the bleed over but that 
doesn't mean it never worked.   The article says that what made short names 
work in the past was platform dependent so really wasn't a good idea even for 
internal systems.  Despite that it IS the way many people have run their 
environments for years.




-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sebastian Wiesinger
Sent: Monday, September 15, 2014 9:50 AM
To: bind-users@lists.isc.org
Subject: Re: Change in behaviour regarding ndots and searchlist

* Barry Margolin bar...@alum.mit.edu [2014-09-15 15:18]:
 In article mailman.957.1410786839.26362.bind-us...@lists.isc.org,
  Steven Carr sjc...@gmail.com wrote:

  On 15 September 2014 13:29, Lightner, Jeff jlight...@dsservices.com wrote:
   I've begun seeing this recently in nslookup on Windows workstations as
   well.   It appears it is appending search domains even when I've 
   specified
   an FQDN.   That is I have two search domains such as ex1.com and ex2.net
   and I typed short name ralph for nslookup or host it would give
   me ralph.ex1.com IP if it existed or ralph.ex2.net if the 
   ralph.ex1.com
   didn't exist and the latter did.   Now what I'm seeing is even if I 
   specify
   ralph.ex1.com it is looking up and failing on ralph.ex1.com.ex2.net.
 
  Without the final explicit . your name is not fully qualified.

 But if a name has more than ndots dots, it's supposed to be tried as
 given first, before adding search domains.

But currently (9.9) it will not add search domains at all. Which I find odd.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE) 'Are 
you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant 
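
The search-list rule argued over in this thread, written out as an added example that is not part of the original messages: it lists, in order, the names a stub resolver would query for a given input, search list and ndots value, following the resolv.conf rule quoted above (a name with at least ndots dots is tried as given first). It models that rule only, not the source of `host` or nslookup; the function names are assumptions, and the search list is the one visible in the `host -d` output earlier in the thread.

```python
"""Order of names queried for a given input, search list and ndots.

Constructed example modelling the resolv.conf search rule discussed in the
thread; it is not taken from the BIND or Windows resolver source.
"""

# Search list as it appears in the `host -d` output quoted in the thread.
SEARCH = [
    "office.example.com",
    "backup.example.org",
    "example.com",
    "example.org",
    "winzone.example.com",
    "nms.example.com",
]


def candidates(name, search, ndots=1):
    """Return fully qualified names in the order they would be queried."""
    if name.endswith("."):
        # A trailing dot marks the name as absolute: no search list at all.
        return [name]
    absolute = name + "."
    searched = [f"{name}.{domain.rstrip('.')}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + searched  # enough dots: try as given first
    return searched + [absolute]      # too few dots: search list first


def queries_before_absolute(name, search, ndots=1):
    """Names that get a chance to answer before the name the user typed.

    Each entry is a lookup whose answer would be accepted in place of the
    intended one, which is the exposure raised when ndots is increased.
    """
    order = candidates(name, search, ndots)
    absolute = name if name.endswith(".") else name + "."
    return order[: order.index(absolute)]


if __name__ == "__main__":
    for query, nd in (("test.example", 1), ("linux.org", 2), ("ralph.ex1.com.", 1)):
        print(f"{query!r} ndots={nd}")
        for fqdn in candidates(query, SEARCH, nd):
            print("   ", fqdn)
    print(queries_before_absolute("linux.org", SEARCH, ndots=2))
```

With the default ndots of 1 the typed name `linux.org` is queried first; with ndots 2 all six search-list names are queried before it, and only the trailing dot removes them entirely.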


RE: Value of memory

2014-08-07 Thread Lightner, Jeff
Also remember that used reported by free in Linux on the first line 
includes memory pre-allocated to cache and buffers that is readily usable on 
demand so isn't really allocated to specific processes like you'd see in a 
similarly configured UNIX system.   Be sure when trying to determine used 
that you're looking at the values on the second line instead as that shows what 
you have when buffers/cached are not included in the totals.



-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Fajar A. Nugraha
Sent: Thursday, August 07, 2014 12:07 AM
To: Robert Moskowitz
Cc: bind-us...@isc.org
Subject: Re: Value of memory

On Thu, Aug 7, 2014 at 10:39 AM, Robert Moskowitz r...@htt-consult.com wrote:
 I have a server that is only running bind 9.8.2 (Centos 6.5).  It has
 2Gb memory and free reports ~1.7Gb used.

 I am looking at replacing this server with an armv7 board running
 Redsleeve (until Centos 7 is out and stable for armv7).  I have a
 choice of boards, one with 1Gb memory ($60) and one with 2Gb memory ($90).

 This server serves out my zones and supports the couple handful of
 systems on my net.  I would like to eventually get to DNSSEC, but that
 is another stalled project.

 About the only meaningful difference between the two boards (btw,
 Cubieboard2 and Cubietruck) for my needs is the memory.  I know more
 memory is better, but how much better?

 Oh, why the move to arm?  Power consumption.  ROI for the C2 board is
 one year just on power saving.

It depends on how much load your server currently handles, and how your cache is 
configured.

I'd start with looking at your server load. Arm still has lower per-core 
performance compared to x86, so if you currently see high CPU utilization by 
named, I'd stick with x86.

Next see how your memory cache is configured. That should be where bind uses 
most memory. AFAIK by default max-cache-size is unlimited and max-cache-ttl is 
set to several days. See how much memory bind currently uses for cache, and 
then you can try configuring those two parameters (e.g. set an explicit 
max-cache-size to 512MB) and see how much memory bind (and the rest of the OS) 
uses then, and how well it performs. If it's still acceptable, then you can 
probably go with the 1GB board.

Cache can reduce the number of queries issued upstream and is very important on 
busy servers, but if you serve a relatively low number of queries from your 
clients then you won't see much difference between
(e.g.) 512MB and 1GB cache.

--
Fajar


RE: Does bind read /etc/hosts?

2014-07-15 Thread Lightner, Jeff

The confusion can come in because some UNIX variants (notably HP-UX) nslookup 
was modified to honor /etc/nsswitch.conf so it DOES check /etc/hosts if files 
precedes dns.

However, in most things (e.g. Linux, Solaris) nslookup (and the newer host 
command) do not look at /etc/hosts regardless of nsswitch.conf setting.



-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Niall O'Reilly
Sent: Tuesday, July 15, 2014 6:57 AM
To: houguanghua
Cc: bind-users@lists.isc.org
Subject: Re: Does bind read /etc/hosts?

At Tue, 15 Jul 2014 10:28:30 +,
houguanghua wrote:

 Before Bind consults authority NS, does it access /etc/hosts? In my
 testing, it does not even seem to access /etc/hosts.

  That's right.  BIND tools (dig, ...) are DNS tools.
  Local files aren't part of the DNS.

  For more information, please see
http://serverfault.com/questions/498500/why-does-the-host-command-not-resolve-entries-in-etc-hosts

  Best regards,
  Niall O'Reilly


whois expiration limit?

2014-02-19 Thread Lightner, Jeff
Hi,  I know this is the BIND list but I’m thinking folks who deal with DNS 
probably may be able to answer this question about whois.

We recently transferred and renewed a domain by 2 years which pushed its 
expiration to 01/25/2025.   The order confirmation shows that expiration and 
looking at the domain at the Registrar’s web site under our account it shows 
that expiration as well.   However, when running whois both here and at the 
Registrar’s site it shows expiration 01/25/2024.  It makes me wonder if there 
is a 10 year limit in whois since 2024 would be within 10 years but 2025 would 
be outside of it.

I didn’t see anything in RFC 3912 describing whois that even suggests a limit 
for expiration dates.

Not a big deal as I may be dead by then either way – just wondering if anyone 
knows of a reason this would occur.

Please don’t suggest I contact the Registrar.  I already did and they seemed as 
clueless as I am.











RE: whois expiration limit?

2014-02-19 Thread Lightner, Jeff
Thanks.  My thinking was the limit was on the whois database since the 
Registrar was telling me it was registered for more than 10 years.

It appears based on this Registration FAQ regarding “compliance” that the 
registrar may simply be showing it as 2024 because they can’t really report 
2025 and be in compliance.

I was just having a hard time finding anything that mentioned the 10 year limit 
even though it seemed likely that was the issue.

Hopefully you’re correct that the Registrar will automatically adjust it before 
2024.   I’ll set myself a reminder for next year and prompt them if they don’t 
automatically update it themselves so we don’t have to remember in 2024 that we 
already paid for another year.






From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Dave 
Warren
Sent: Wednesday, February 19, 2014 4:17 PM
To: bind-users@lists.isc.org
Subject: Re: whois expiration limit?

On 2014-02-19 20:44, Lightner, Jeff wrote:
Hi,  I know this is the BIND list but I’m thinking folks who deal with DNS 
probably may be able to answer this question about whois.

We recently transferred and renewed a domain by 2 years which pushed its 
expiration to 01/25/2025.   The order confirmation shows that expiration and 
looking at the domain at the Registrar’s web site under our account it shows 
that expiration as well.   However, when running whois both here and at the 
Registrar’s site it shows expiration 01/25/2024.  It makes me wonder if there 
is a 10 year limit in whois since 2024 would be within 10 years but 2025 would 
be outside of it.

I didn’t see anything in RFC 3912 describing whois that even suggests a limit 
for expiration dates.

Not a big deal as I may be dead by then either way – just wondering if anyone 
knows of a reason this would occur.

Please don’t suggest I contact the Registrar.  I already did and they seemed as 
clueless as I am.

http://www.icann.org/en/resources/compliance/faqs#7

Each registrar has the flexibility to offer initial and renewal registrations 
in one-year increments, provided that the maximum remaining unexpired term 
shall not exceed ten years.

In reality, they'll probably issue the renewal automagically once you're under 
the 9-year mark and the domain is renewal-eligible.



--

Dave Warren

http://www.hireahit.com/

http://ca.linkedin.com/in/davejwarren








RE: Same internal and external zone

2014-02-14 Thread Lightner, Jeff
There is nothing that precludes you from having the same zone on different DNS 
servers.   You make each authoritative so that any look up that hits that DNS 
server gets that server's records.   You can then have separate entries for 
some items and the same for others.

We do that here with at least one domain where our internal Windows servers 
keep track of internally USED IPs and our external facing DNS servers keep 
track of externally reachable IPs.  For the few records where we want to have 
the internal user use the externally reachable IP we just add the record to 
both.







-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Joshua Smith
Sent: Friday, February 14, 2014 1:03 PM
To: Sarath
Cc: bind-users@lists.isc.org
Subject: Re: Same internal and external zone

Can you not delegate xyz.xyz.example.com to route 53 on your internal name 
server?

--
Josh Smith
KD8HRX

Email/jabber: juice...@gmail.com
Phone: 304.237.9369(c)

Sent from my iPhone.

> On Feb 14, 2014, at 12:53 PM, Sarath sar...@slashroot.in wrote:
>
> Hi All,
>
> I have a situation where the same domain for example xyz.example.com is both 
> internal and external.
>
> The internal xyz.example.com is on an internal host (private address) which 
> is the default DNS server for all internal hosts (all hosts use this DNS 
> server in their resolv.conf). And the external xyz.example.com is on another 
> public ip server (aws route 53).
>
> The problem is I have a hostname for example xyz.xyz.example.com which
> is on the public DNS server, and my local network hosts cannot resolve
> that hostname which is on the public DNS server (route 53).
>
> The reason is because local DNS server is also authoritative for 
> xyz.example.com, and as it does not find xyz.xyz.example.com on the local 
> zone it gives no reply.
>
> I cannot add the record of xyz.xyz.example.com on my local DNS server (which 
> is bind) because that host is DNS load balanced using route 53 health checks.
>
> Is there any other solution to get this done in bind, like adding a cname 
> also won't work.
>
> Please let me know if there is some solution or workaround for this
>
> Thanks
> Sarath
 


RE: Adding DS records

2013-12-20 Thread Lightner, Jeff
FYI:  web.com recently bought NetSol and at least one other Registrar that 
escapes me at the moment.   It might be worthwhile to see if any of their 
companies do this as you might have an easier time transferring and avoid some 
of the common games Registrars play to prevent it.

I heartily recommend that you NOT go to GoDaddy.   Once they have your domain 
they play all sorts of games to keep it.

On that subject.  If you DO decide to transfer domains from one registrar to 
another be sure to do the following at the old Registrar BEFORE requesting the 
transfer at the new one:
1)   Turn off domain lock - most Registrars have this enabled by default now.
2)   Turn off private registration if enabled.
3)   Ensure the administrative contact email is one you can send email to them 
from and can receive emails from them.
4)   Obtain the transfer authorization code.   Most Registrar web sites have 
transfer buttons that are easy to find but these are for transferring domains 
TO them rather than AWAY.  Usually you have to do some research on their sites 
to find how to generate the code.

Jeffrey C. Lightner
Sr. UNIX Administrator

DS Waters of America, Inc.
5660 New Northside Drive NW
Suite 250
Atlanta, GA  30328






-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Thomas Schulz
Sent: Friday, December 20, 2013 12:59 PM
To: bind-users@lists.isc.org
Subject: Re: Adding DS records

  If I was a NetSol customer, I would ask them, Why not?
 
 And if I were a NetSol customer, I would ask myself, Why?

 If I were a capitalist, I'd vote with my wallet and go somewhere with
 the features I want.

Well, we started with them back when they were the only company registering 
domain names. And up to now there were no problems (other than perhaps price).

Any recommendations for another company for a  .com domain in the US?
I suppose that I could always use the DLV, but I would rather not.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


RE: Performance Tuning RHEL 5 and Bind

2013-10-21 Thread Lightner, Jeff
Any reason you're using RHEL5 as opposed to RHEL6 if you're building new 
servers?   RHEL5 is very long in the tooth and will go EOL sooner than RHEL6.   
Since you're using a BIND package not shipped with RHEL5 there's no reason on 
that account not to move up to RHEL6.





-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
wbr...@e1b.org
Sent: Monday, October 21, 2013 9:47 AM
To: bind-users@lists.isc.org
Subject: Re: Performance Tuning RHEL 5 and Bind

> From: Alan Clegg a...@clegg.com
>
> Fix your windows clients.

You can't fix stupid.






RE: Install DNS Server

2013-10-10 Thread Lightner, Jeff
Any reason why you’re using CentOS 5.7 given that 6.4 (and maybe later) is 
available?

If this is a new system you really ought to think about using the 6.x stuff.   
5.x is long in the tooth; even though still supported, it has many older upstream 
packages of things including BIND.   CentOS does put bug and security fixes in 
(or RedHat does and CentOS gets them because they build from RHEL source) but 
you still end up with something very old (BIND 9.3.x) that most folks on this 
list don’t want to talk about because it is long past EOL for BIND.





From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Sten 
Carlsen
Sent: Thursday, October 10, 2013 6:38 AM
To: Chandran Manikandan
Cc: bind-users@lists.isc.org
Subject: Re: Install DNS Server

Hi

I do that and more on an ATOM machine with 2GB RAM. I use Postfix instead of 
qmail but see no reason qmail would not work.

I installed all the relevant RPMs, configured them and it works.

One thing to remember is that you need two or more DNS servers, I do that by 
being a stealth master with several slaves on my 3rd party provider.

On 10/10/13 12.27, Chandran Manikandan wrote:
Hi All,
I am running Centos 5.7 32 bit server machine.
I have installed and successfully run qmail,web,ftp with the same machine.
Now am DNS hosting with third party. I would like to install and keep DNS 
hosting myself.
How to do that , How to install Dns server with the same machine or different 
machine as well what is the complete procedure and steps.

Any one help me.

--
Thanks,
Manikandan.C
System Administrator







--
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!!






RE: chroot/etc/named/ directory?

2013-02-13 Thread Lightner, Jeff
Haven't done it on RHEL/CentOS 6.x yet but in RHEL5 with the bind-chroot 
installed I've always had:
/var/named/chroot as the jail for BIND.
/var/named/chroot/etc = Location of global config files such as named.conf
/var/named/chroot/var/named = Location of the zone files.

I don't see a /var/named/chroot/etc/named in RHEL5 but then again that is based 
on BIND 9.3.  RHEL6 is almost certainly based on a higher upstream version.   
Since CentOS is built from RHEL source it would have that higher version as 
well.






-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Mike 
Hoskins (michoski)
Sent: Wednesday, February 13, 2013 12:44 PM
To: bind-users@lists.isc.org
Subject: Re: chroot/etc/named/ directory?

-----Original Message-----

From: Robert Moskowitz r...@htt-consult.com
Date: Wednesday, February 13, 2013 10:53 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: chroot/etc/named/ directory?

I am upgrading my server from bind-9.3.6 via Centos 5.5 to 9.8.2 in
Centos 6.3.

I have and will run bind chrooted and on my test setup I noticed a 'new'
subdirectory in the chroot tree:

/var/named/chroot/etc/named/

I cannot find any documentation as what is intended to be placed in
this subdirectory.  my includes for named.conf?

I am assuming the pki subdirectory is for DNSSEC related files, but I
have not found any documentation indicating so.  But then I have not
plowed through DNSSEC documentation in depth yet.

If you installed bind*-chroot, it will populate the /var/named/chroot 
hierarchy.  It's not strictly required (though I would suggest it), but if you 
intend to run BIND chrooted /var/named/chroot is essentially /.
You'll have to place the usual things BIND needs to operate under that 
directory -- configs, zones, etc.  Assuming this came from the chroot RPM, 
you'll already have other essential pieces for chroot such as your 
null/random/zero devices.  Since you mention CentOS, you'll likely also want to 
pay attention to things like ROOTDIR in /etc/sysconfig/named.

Having said all that, you might search the archives (SRPMS have been provided 
by community members) or other sources for a newer BIND while you're at 
it...9.8.2 isn't ancient, but also not technically up to date
now.  I am personally waiting for 9.9.3 to leave beta, but 9.8.4-P1 probably 
makes sense for you today.  This won't affect your chroot setup, just something 
worth considering since you're upgrading.



RE: SOA issue

2013-02-13 Thread Lightner, Jeff
Also make sure you’ve incremented the serial number in the zone file by at 
least 1.





From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Chris Buxton
Sent: Wednesday, February 13, 2013 12:58 PM
To: Paul A
Cc: bind-us...@isc.org
Subject: Re: SOA issue

On Feb 13, 2013, at 9:22 AM, Paul A wrote:


Can anyone tell help me figure out why this SOA is not changing no matter what 
I do. The zone was edited and has a new SOA but no matter what I do bind 
doesn’t reload the zone with the new SOA. I tried rndc freeze/unfreeze and 
still nothing. Short of reloading bind what else can I do.

TIA, Paul

named-compilezone -o - sturdymemorial.org db.sturdymemorial
zone sturdymemorial.org/IN: loaded serial 2013021307
sturdymemorial.org.   86400 IN SOA  reuben.meganet.net. postmaster.naisp.net. 2013021307 10800 3600 604800 600
OK

Your zone only has an SOA record. A zone without NS records will not load.

If that's not really the issue, because you've edited the output above, a 
couple of hints:

- rndc reload zone is unnecessary if rndc freeze zone executes correctly. A 
dynamic zone (one that you would freeze and thaw) cannot be reloaded. Thawing 
the zone effectively reloads it.

- Do not edit a dynamic zone's zone file without first freezing it. Otherwise, 
when you freeze it, the data in memory will be written to disk, overwriting 
your changes.

- Are you sure you're editing the right file?

Chris Buxton
BlueCat Networks


rndc reload sturdymemorial.org
zone reload up-to-date


dig @localhost  sturdymemorial.org soa

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57470
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;sturdymemorial.org.            IN      SOA

;; ANSWER SECTION:
sturdymemorial.org. 600 IN  SOA reuben.meganet.net. postmaster.naisp.net. 2012011801 10800 3600 604800 600

from the log file

named[26675]: received control channel command 'reload sturdymemorial.org'
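An added example, not part of the thread and not code from any poster: a shell check that pulls the SOA serial out of `named-compilezone -o -` output and out of a `dig ... soa` answer and compares them with RFC 1982 wrap-around arithmetic. It separates the two situations Chris Buxton's hints describe: the file is ahead of what the server answers (edit not loaded, or wrong file), or the server is ahead of the file (a dynamic zone edited without freezing). The function names are assumptions of this example, and the sample text is constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Both samples are constructed from the
# output quoted in the thread.

# As printed by: named-compilezone -o - <zone> <file>
FILE_TEXT='zone sturdymemorial.org/IN: loaded serial 2013021307
sturdymemorial.org. 86400 IN SOA reuben.meganet.net. postmaster.naisp.net. 2013021307 10800 3600 604800 600
OK'

# As printed by: dig @localhost <zone> soa
SERVED_TEXT=';; QUESTION SECTION:
;sturdymemorial.org.            IN      SOA

;; ANSWER SECTION:
sturdymemorial.org. 600 IN SOA reuben.meganet.net. postmaster.naisp.net. 2012011801 10800 3600 604800 600'

# soa_serial TEXT: print the serial of the first one-line SOA record in TEXT.
# Lines starting with ';' (dig comments and the question section) are skipped.
# The serial is the third field after the literal "SOA" (mname, rname, serial).
soa_serial() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*;/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i == "SOA" && (i + 3) <= NF) { print $(i + 3); exit }
        }'
}

# serial_newer A B: succeed when serial A is ahead of serial B under the
# 32-bit wrap-around comparison of RFC 1982, the same comparison secondaries
# use to decide whether a zone has changed.
serial_newer() {
    _d=$(( ($1 - $2) & 4294967295 ))
    [ "$_d" -ne 0 ] && [ "$_d" -lt 2147483648 ]
}

# zone_state FILE_TEXT SERVED_TEXT: print one of
#   in-sync       server answers with the serial that is in the file
#   file-ahead    file was edited but the server has not loaded it
#   served-ahead  in-memory data is newer; editing the file now loses changes
#   unparsed      no usable SOA line in one of the inputs
zone_state() {
    _f=$(soa_serial "$1")
    _s=$(soa_serial "$2")
    for _v in "$_f" "$_s"; do
        case $_v in
            ''|*[!0-9]*) echo unparsed; return 2 ;;
        esac
    done
    if [ "$_f" -eq "$_s" ]; then
        echo in-sync
    elif serial_newer "$_f" "$_s"; then
        echo file-ahead
    else
        echo served-ahead
    fi
}

printf 'file=%s served=%s state=%s\n' \
    "$(soa_serial "$FILE_TEXT")" \
    "$(soa_serial "$SERVED_TEXT")" \
    "$(zone_state "$FILE_TEXT" "$SERVED_TEXT")"
```

Against a live server the two inputs would come from `named-compilezone -o - ZONE FILE` and `dig @localhost ZONE soa`; hand-written multi-line SOA records must be passed through named-compilezone first, since the parser expects the record on one line.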

RE: How can I migrate my Domain from ISP hosted to my own BIND server?

2012-12-14 Thread Lightner, Jeff
To expand on that.  The steps Manish wrote are what you do internally.

What Sten is writing is external – your domains are “registered” somewhere and 
the “Registrar” points to the appropriate DNS servers – you’ll need to ensure 
that it is pointing to your internal DNS servers.

You can find out the registrar by running “whois” on your domains.

Often when you have external hosting the hosting provider is also acting as 
your Registrar and using their own DNS servers.  You’ll need to co-ordinate 
with them if that is the case.   Also sometimes in hosting setups if you’ve 
paid someone else to do your web design and hosting they are the actual 
Registrant (owner of the domain from ICANN’s point of view) so you may have to 
verify who owns the domains first.  We’ve dealt with some of these hosting 
companies on acquisitions that took the position that they “owned” the domain 
and didn’t have to give it up – Sometimes it takes some legal work to get them 
to understand that registering a domain doesn’t make them “owner” when it is a 
name they registered on behalf of a client so they were doing it only as an 
agent (IANAL).





From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Sten 
Carlsen
Sent: Friday, December 14, 2012 6:04 AM
To: bind-users@lists.isc.org
Subject: Re: How can I migrate my Domain from ISP hosted to my own BIND server?

You can find an external DNS provider (I use one that is free) and have them 
slave your zones. Just make your TTLs suitable, so even if your own server 
dies, the zones will be served from the provider for weeks.

Changes will propagate fast.

On 14/12/12 11:40, Mark Andrews wrote:

In message CA+z6RjG4vg3TJej+Z8tKXycRpYTucSUYV-UVJVuRr=ly3zs...@mail.gmail.com, Manish Rane writes:

Hi Team,

I need to migrate my domain which is hosted at my ISP on to my own
internal BIND server and have my own NS record. Does anyone steps I
need to take care of or complete procedure?

1. take a copy of the zone and make your server a master for it.
2. set up new slaves from the new master.
3. make the old master a slave from this new master.
4. add the new NS records and associated addresses records.
5. wait for the old NS RRset to clear the caches as well as any negative
   cache entries for the address records for the new servers.
6. update the parent NS RRset to be the final state.  Add glue as necessary.
   remove old glue records that are no longer necessary.
7. remove the old NS records from the zone.
8. wait for the combined NS RRset to clear caches.
9. decommission old nameservers.

--
Thanks and Regards,
Manish R




--
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!!






RE: restart named; missing TCP socket

2012-12-12 Thread Lightner, Jeff
Why use rndc to stop then the init script to start?   Is there no 
/etc/rc.d/rc.named restart?   On RHEL5 the init script has a restart option so 
it will stop then start.

If a socket is open then it could take a finite amount of time for it to close 
making it unavailable on the restart if you haven't given it time enough to 
cleanup.

If no restart option in init maybe try to add a sleep to your command line:
rndc stop; sleep 5; /etc/rc.d/rc.named start





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Tony 
Finch
Sent: Wednesday, December 12, 2012 8:20 AM
To: bind-users@lists.isc.org
Subject: restart named; missing TCP socket

I have had a few instances recently when named has failed to re-open its TCP 
listening socket after a restart. This is particularly likely if I try to 
bounce it quickly with a command line like

# rndc stop; /etc/rc.d/rc.named start

The servers in question are recursive (apart from a few local zones) with 
simple ACLs. (I have had the same problem on servers with less simple ACLs too.)

        listen-on-v6   { ::1; };
        listen-on      { 127.0.0.1; };
        allow-query    { localhost; };
        allow-transfer { localhost; };

What do others do to avoid this problem?

Tony.
--
f.anthony.n.finch  d...@dotat.at  http://dotat.at/ Forties, Cromarty: East, 
veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, 
occasionally poor at first.
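
An alternative to the fixed sleep discussed in this thread, as an added example that is not code from the posters or from ISC: `rndc stop -p` reports named's PID, so a script can wait for that process to exit before starting a new one, then check that the TCP listeners from the posted listen-on lines are back. The helper names, the timeouts, the assumed "pid: NNN" output format and the use of `ss -ltn` (Linux iproute2) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): restart named without a fixed sleep.
# /etc/rc.d/rc.named and the loopback listen-on addresses come from the
# thread; the helper names, timeouts and the use of `ss` are assumptions.
# Run as root so that `kill -0` can see the named process.

RC_SCRIPT=/etc/rc.d/rc.named

# Constructed `ss -ltn` sample: rndc's control port and the IPv6 listener
# are present, the IPv4 TCP listener on port 53 is missing.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     127.0.0.1:953      0.0.0.0:*
LISTEN 0      10     [::1]:53           [::]:*'

# Pull the numeric PID out of `rndc stop -p` output (assumed "pid: NNN").
extract_pid() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Poll until the process is gone. Returns 0 once it has exited, 1 on timeout.
wait_for_exit() {
    _pid=$1; _timeout=$2; _waited=0
    while kill -0 "$_pid" 2>/dev/null; do
        [ "$_waited" -ge "$_timeout" ] && return 1
        sleep 1
        _waited=$((_waited + 1))
    done
    return 0
}

# Read `ss -ltn` output on stdin; succeed if ADDR:PORT is in LISTEN state.
listening_on() {
    awk -v want="$1" '$1 == "LISTEN" && $4 == want { found = 1 }
                      END { exit !found }'
}

# Usage: missing_listeners SS_OUTPUT ADDR:PORT...
# Prints every requested address that has no TCP listener.
missing_listeners() {
    _snapshot=$1; shift
    for _addr in "$@"; do
        printf '%s\n' "$_snapshot" | listening_on "$_addr" ||
            printf '%s\n' "$_addr"
    done
}

restart_named() {
    out=$(rndc stop -p) || { echo "rndc stop failed" >&2; return 1; }
    pid=$(extract_pid "$out")
    [ -n "$pid" ] || { echo "no pid in rndc output: $out" >&2; return 1; }
    wait_for_exit "$pid" 30 ||
        { echo "named ($pid) did not exit within 30s" >&2; return 1; }
    "$RC_SCRIPT" start || return 1
    tries=0
    while :; do
        missing=$(missing_listeners "$(ss -ltn)" 127.0.0.1:53 '[::1]:53')
        [ -z "$missing" ] && return 0
        tries=$((tries + 1))
        [ "$tries" -ge 10 ] && break
        sleep 1
    done
    echo "named started without a TCP listener on: $missing" >&2
    return 1
}

# Only act when asked to, so the file can also be sourced.
case "${1:-}" in
    restart) restart_named ;;
esac
```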

RE: Performance tuning

2012-11-26 Thread Lightner, Jeff
For question 1:
“Loading” is a function of the web site not DNS.  Your first question could 
have to do with what the default site is in your web configuration and what 
kind of rewrite rules are getting you to the other.

If it were me I’d probably do some timed “host” or “dig” commands for the two 
records to verify name resolution itself wasn’t a problem.

I guess it MIGHT be minutely slower to resolve www if it is a CNAME to the 
other as opposed to both being A records.   However, since this is a fairly 
common practice I doubt it is likely to be of major importance in overall 
timing.

From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Adamiec, Lawrence
Sent: Monday, November 26, 2012 1:13 PM
To: bind-users@lists.isc.org
Subject: Re: Performance tuning

To the best of my knowledge, there are no problems with our DNS.  We only host 
25 domains.

The report must also address these two specific questions:


  1.  Why does www.kentlaw.iit.edu <http://www.kentlaw.iit.edu> load quicker 
than kentlaw.iit.edu <http://kentlaw.iit.edu> in any browser?
  2.  What happens if we remove the forwarders option from named.conf?

I can't duplicate the issue in Q1 and I'm trying to determine a way of testing 
Q2.

Larry

On Mon, Nov 26, 2012 at 11:39 AM, Doug Barton <do...@dougbarton.us> wrote:
What a delightfully vague requirement. :)

I would push back a bit on exactly what problems are attempted to be
solved here. The BIND defaults are about as efficient as they can be,
especially so in later versions.

Doug


On 11/26/2012 11:01 AM, Adamiec, Lawrence wrote:
 Hi,

 I have been tasked with authoring a DNS report to achieve optimal
 performance.  The report must include:

 CPU usage
 memory usage
 bandwidth usage
 throughput
 latency

 I have found some information regarding the number of queries processed
 per minute but nothing of value for the above areas.

 Is there some documentation that discusses the above areas?

 We are running BIND 9.6-ESV-R5-P1, Solaris 10 on a SPARC server.  My
 report will include the fact we must upgrade from BIND 9.6-ESV-R5-P1

 Thank you in advance.

 Larry

 Lawrence Adamiec
 UNIX Mgr
 IIT Chicago-Kent College of Law











RE: Moving BIND from Solaris to Linux

2012-10-01 Thread Lightner, Jeff
The reason I did the full discussion is that many shops are moving from 
proprietary UNIX (Solaris, AIX, HP-UX) or Windows to Linux solutions.  If 
they are moving much infrastructure but just starting with BIND then he needs 
to consider what I wrote.

Also I don't really agree that Ubuntu is the best solution.   One could run 
CentOS which has no subscription fee but is binarily compatible with RHEL then 
download and compile BIND for it.  In an organization using Solaris they 
presumably have professional administrators and are more likely to find folks 
with RHEL experience when hiring staff that will feel totally comfortable with 
CentOS.   If continuity and staffing aren't considerations and this is truly 
going to be a one off he could use Suse or Slackware or any one of a thousand 
Linux distros (or even one of the *BSD distros - since BSD is where Solaris 
came from originally).

If it's a one off best is truly subjective.  There are many people that 
detest Ubuntu and many people that love it -though the din from the former 
seems to have overwhelmed the latter since Unity desktop and other moves by 
Canonical :-)





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Fajar A. Nugraha
Sent: Monday, October 01, 2012 9:58 AM
To: bind-users@lists.isc.org
Subject: Re: Moving BIND from Solaris to Linux

 One idea would be to use RHEL but still download and compile your own BIND on 
 top of it.

Yup, IIRC there are (S)RPM for latest bind versions posted on this list.

  However, if the only thing on your RHEL server is BIND you have to wonder 
 why you're paying RedHat a subscription.

Yeah. If you only need latest binary, ubuntu (plus its ppa) is probably a 
better choice, e.g.
https://launchpad.net/~hauke/+archive/bind9

Then again, the OP only mentions open source apps, with no mention of Oracle 
and such. So using latest ubuntu LTS is probably a better choice in that case.

--
Fajar

Dig from workstation to answer?

2012-09-18 Thread Lightner, Jeff
I know that dig +trace can be used to see the path of name resolution starting 
from root server down to final answer.

What I’m wondering is if there is some set of options that would go from 
workstation to final answer?   That is to say only go to the root server if 
that is where the DNS topology internally sends me.

For example from my workstation if I search an internal domain we use I know 
which internal DNS server it goes to ask the question.   That DNS server in 
turn may refer to a separate internal DNS server which is authoritative for the 
domain or has the record cached.   A dig +trace is useless because the root 
servers know nothing about the domain.   I’ve found various things that give me 
parts of the information but wonder if there isn’t something that would do 
something like trace so I can see each DNS server that was referred to in such 
lookups.










RE: Zone Transfer issue on BIND9

2012-08-24 Thread Lightner, Jeff
You're putting the allow transfer on each zone?   I don't think that's your 
issue but it seems odd to me.  Here we do it at the view level.

Also it appears you're using the same IP for at least two of your views - for 
view transfers to work properly here we setup virtual IPs on the DNS servers 
and set the ACLs appropriately.
i.e. our real IPs are in the ACL we used prior to setting up views and are 
now only used for the main [external] view and we have different ACLs for the 
virtual IPs used within the internal view.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Phil 
Mayers
Sent: Friday, August 24, 2012 7:41 AM
To: bind-users@lists.isc.org
Subject: Re: Zone Transfer issue on BIND9

On 24/08/12 12:09, sn...@email.it wrote:
 Hi there,
 I have an issue related to zone transfer which I couldn't fix. I've
 found a presumable fix googling a lot but it doesn't seem to work.

You haven't said *how* it isn't working. Be specific.

Note that the FAQ link you reference puts the server {} block INSIDE the 
view. You have it in the global config. That seems like something to 
investigate.

RE: What can cause excessive amount of _dns-sd queries?

2012-08-23 Thread Lightner, Jeff
Maybe blocking access by that IP will force the customer's tech folks to 
contact you?





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
wbr...@e1b.org
Sent: Thursday, August 23, 2012 10:05 AM
To: Eivind Olsen
Cc: bind-users-bounces+wbrown=e1b@lists.isc.org; bind-users@lists.isc.org
Subject: Re: What can cause excessive amount of _dns-sd queries?

Eivind wrote on 08/23/2012 09:18:06 AM:

 Yeah, now I'm just wondering which OS / application / malware /
 whatever could be responsible for this :)

Someone trying to use Zeroconf:  http://zeroconf.org  I believe Macs come 
configured to use it by default, Linux and Windows can be configured to use it.

 (no, the client isn't directly under my control, it belongs to some
customer)

Good luck with that!




RE: 2 dns records for same server

2012-08-20 Thread Lightner, Jeff
That is to say don't put the external servers in /etc/resolv.conf on your 
clients - only put the internal one there.  (Or the Windows equivalent setup 
should only see your internal DNS server.)

I would correct the prior post not to say EVER but rather not directly.   
Often in an internal/external configuration only the external server queries 
the internet and the internal one forwards requests it gets to the external 
one.   It doesn't matter if the external server the internal DNS server is 
pointing to also has records for the domains because the internal server would 
already have answered for the domains it is authoritative for before trying to 
forward.   We have internal/external setup here for one domain and have no 
problems doing this.   (Oddly enough we also have views but that's another 
story...)







-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
wbr...@e1b.org
Sent: Monday, August 20, 2012 8:24 AM
To: Dwayne Hottinger
Cc: bind-users@lists.isc.org
Subject: Re: 2 dns records for same server

Dwayne wrote on 08/19/2012 07:37:39 PM:
 My hosts get the ip's of all 3 dns
 servers when they receive dhcp information.

I think this is the issue.  The internal clients should only point to the 
internal DNS server.  They should never be querying the DNS that returns the 
public IP addresses EVER!





RE: Can't receive emails from another machine

2012-07-31 Thread Lightner, Jeff
To check whether BIND is your problem simply run dig -t MX domainname on 
the host that is trying to send the email to your mail host.  If it returns the 
right IP address for your mail host then BIND isn't the problem.

For iptables/postfix this isn't really the right forum.   You might want to try 
posting your question at some place like LinuxQuestions.org.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Stayvoid
Sent: Monday, July 30, 2012 8:23 PM
To: bind-users@lists.isc.org
Subject: Can't receive emails from another machine

Hello,

I'm using Postfix.
I can send / receive emails from / to localhost via telnet. [1] But I can't 
receive emails from another machine.

I guess that there are three variants:
1. Postfix doesn't work properly;
2. Bind doesn't work properly;
3. IPTables doesn't work properly.

I can't be 100% sure but I think that it's not connected with Postfix.
So I have to check Bind or / and IPTables.

I hope that you'll help me to check my Bind settings.
What should I paste?

Thanks

[1] https://help.ubuntu.com/community/Postfix#Testing

RE: disabling Any requests

2012-07-12 Thread Lightner, Jeff
Your answer was clearly meant to be tongue in cheek but I'm not sure you 
understood.

The OP wasn't asking how to stop all (any) lookups - it was how to stop dig -t 
any which isn't the same thing at all.  Presumably they still want to allow 
dig -t mx, dig www... etc...

Personally I don't know why dig -t any would be a problem.   It's not exactly 
the same as doing an axfr transfer of the zone - it still only gets limited 
information.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Chuck Swiger
Sent: Thursday, July 12, 2012 9:39 AM
To: Dns Administrator
Cc: bind-users@lists.isc.org
Subject: Re: disabling Any requests

On Jul 12, 2012, at 2:27 AM, Dns Administrator wrote:
 Hi  bind-users,
please excuse my ignorance being a novice to dns, but is there some way of 
 disabling or choking Any type requests?

Sure-- a firewall or even taking a pair of wire-cutters to the ethernet cable 
will accomplish that.  :-)

Regards,
--
-Chuck


RE: Loaded zone files query

2012-07-10 Thread Lightner, Jeff
That assumes it's Linux and is being logged to local /var/log/messages.   For 
other *nix the log location and name is apt to be different.






-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Carl 
Byington
Sent: Tuesday, July 10, 2012 3:47 PM
To: bind-users@lists.isc.org
Subject: Re: Loaded zone files query

On Tue, 2012-07-10 at 13:22 -0600, Kirk Hoganson wrote:
 Does anyone know of a simple way to discover how many zone files bind
 has successfully loaded after the daemon starts?

cd /var/log
rm -f named.temp*
grep 'named' messages | \
   csplit --prefix=named.temp - '/named.*starting BIND/' > /dev/null
f=$(ls -1 named.temp* | tail -1)
grep 'zone.*loaded serial' $f | wc -l
rm -f named.temp*


RE: bind dies with assertion failure

2012-07-03 Thread Lightner, Jeff
As mentioned more than once on this list.  Redhat starts with an upstream 
version of a given package (say BIND 9.7) then backports security and bug fixes 
from later upstream versions into theirs and adds extended versioning (say 
9.7-2.3.1).  One would have to check Redhat's version to see what fixes it 
actually contains.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Phil 
Mayers
Sent: Tuesday, July 03, 2012 3:47 AM
To: bind-users@lists.isc.org
Subject: Re: bind dies with assertion failure

On 07/03/2012 01:16 AM, Oscar Ricardo Silva wrote:
 I *THINK* I found the reason for why we're exposed to this bug ... It
 would appear that Redhat based their BIND package on 9.8.2rc1.  Guess
 where the patch for this bug was applied?  9.8.2rc2.

Are you sure about this?

 From what I can see in our local yum repo of the RHEL6 ISOs, it shipped with 
bind 9.7.

Sure that isn't a local package, or you're joined into a non-production channel?

RE: bind dies with assertion failure

2012-07-03 Thread Lightner, Jeff
I disagree about this being off topic.   It IS in fact a BIND question but like 
many BIND implementations is specific to the user's setup.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Oscar Ricardo Silva
Sent: Tuesday, July 03, 2012 10:33 AM
To: bind-users@lists.isc.org
Subject: Re: bind dies with assertion failure

(Sorry, forgot to include the right Subject line so re-sending)


  Message: 1
  Date: Mon, 02 Jul 2012 17:40:51 -0500
  From: Oscar Ricardo Silva osc...@mail.utexas.edu
  To: bind-users@lists.isc.org
  Subject: Re: bind dies with assertion failure
  Message-ID: 4ff22373.2000...@mail.utexas.edu
  Content-Type: text/plain; charset=ISO-8859-1; format=flowed

  I may have missed something but has this been patched in a 9.8.x version
  of BIND?  According to the 9.9.0 release notes this has been addressed
  but just wondering about the availability for other vulnerable versions.
  Also, is there a known trigger?

  The reason I'm running is that we're currently running the stock version
  of BIND available with RHEL6.  It's their policy to backport patches and
  if there's a patch available then they may apply it faster rather than
  deploying a new version.

  Oscar


Since this problem is likely being caused by the version of BIND provided by 
Redhat and not with the release version, this issue is not pertinent to the 
list. I don't want to clutter up the list with off-topic conversations.

If anyone is interested in Redhat's response we can take the conversation 
offlist but I'm not hopeful they'll do anything about it.
While it's always better to compile and install from the latest stable version, 
it's also nice to use their package management system especially when you have 
to deal with multiple systems.



Oscar

RE: Compiling and testing on Fedora

2012-06-21 Thread Lightner, Jeff
Turning off SELinux also requires a reboot after changing mode.





From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Shawn Bakhtiar
Sent: Thursday, June 21, 2012 1:19 AM
To: bind-us...@isc.org
Subject: RE: Compiling and testing on Fedora



Did you turn OFF SELinux?

prompt> setenforce 0

Then run the test,
 From: dan.lut...@level3.com
 To: bind-us...@isc.org
 Subject: Compiling and testing on Fedora
 Date: Wed, 20 Jun 2012 23:33:08 +

 Hi all,

 I've had a major problem with using Fedora Core (10 through 15), when 
 compiling and running make test:

 A:System test acl
 I:Couldn't start server ns2 (pid=17344)
 R:FAIL
 S:allow_query:Wed Jun 20 23:21:47 GMT 2012
 T:allow_query:1:A
 A:System test allow_query
 I:Couldn't start server ns2 (pid=17368)
 R:FAIL
 S:addzone:Wed Jun 20 23:22:01 GMT 2012
 T:addzone:1:A
 A:System test addzone
 I:Couldn't start server ns2 (pid=17393)
 R:FAIL
 S:autosign:Wed Jun 20 23:22:15 GMT 2012
 T:autosign:1:A
 A:System test autosign
 I:generating keys and preparing zones
 I:Couldn't start server ns1 (pid=17734)
 R:FAIL
 S:builtin:Wed Jun 20 23:22:35 GMT 2012
 T:builtin:1:A
 A:System test builtin
 I:Couldn't start server ns1 (pid=17755)
 R:FAIL
 S:cacheclean:Wed Jun 20 23:22:49 GMT 2012
 T:cacheclean:1:A
 A:System test cacheclean
 I:Couldn't start server ns1 (pid=17776)
 R:FAIL

 I'm running the bin/tests/system/ifconfig.sh up script, and see the lo:1 
 through lo:7 interfaces come up. I don't have this problem on any of my 
 Solaris systems, just the Fedora servers. I do have several lo: interfaces 
 already defined, and they cannot be removed

 Has anyone seen such an issue, and if so, how did you fix it?

 Dan Luther
 Operations Engineer
 Systems Operation Engineering
 Level 3 Communications
 One Technology Center, Tulsa OK 74103
 p: 918-547-4370
 e: dan.lut...@level3.com



RE: Moving DNS out of non-cooperative provider

2012-06-18 Thread Lightner, Jeff
Just to verify - when you say old provider you're just talking about 
somewhere you had pointed your DNS records to and NOT the actual Registrar for 
the domain?

If it is the Registrar you have to make changes at the Registrar's site to 
change which DNS servers to use.  If they're not being cooperative that might 
be problematical.  (I wouldn't think they'd prevent you from changing which DNS 
servers to use for your domain - even the putzes that like to lock domains when 
you try to transfer to a registrar still allow you to control your DNS setup 
within their sites but I guess it's possible they could do it if they were also 
your hosting provider and didn't want you pointing away from their web servers.)





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Tom 
Diehl
Sent: Monday, June 18, 2012 12:19 PM
To: Alexander Gurvitz
Cc: bind-users@lists.isc.org
Subject: Re: Moving DNS out of non-cooperative provider

On Mon, 18 Jun 2012, Alexander Gurvitz wrote:

 Can someone enlighten me on the following scenario (I guess it's
 explained somewhere, but can't find the info.):

 example.com was served by ns.OLDprovider.net example.com owner wants
 to move his domain to ns.NEWprovider.net oldprovider.net is not
 cooperating, and continues to serve example.com 172800 NS
 ns.OLDprovider.net (*.gtld-servers.net and ns.newprovider.com now
 serve example.com 172800 NS ns.NEWprovider.net)

 Recursive resolver ns.isp.com queried for www.example.com every few
 minutes, and currently have example.com 45892 NS ns.OLDprovider.net in
 its cache. www.example.com has a TTL of 3600.
 Thus each hour ns.isp.com queries ns.OLDprovider.net, with each query
 gets new NS record, and... refreshes the NS TTL ?

 Will ns.isp.com EVER query ns.NEWprovider.net ?

 I'd be happy to know how BIND behaves, but also how other servers may
 behave in this case.

It is not a question of how bind behaves. It is a question of how does dns 
work. Bottom line is, setup nameservers with $NEWPROVIDER and change the 
nameserver records with your registrar and move on. All will be well when the 
ttl's time out.

Until the ttl's timeout, resolvers with the old nameservers cached will still 
query them. Once the ttl's time out the new servers will be queried.

Hope this helps,

--
Tom Diehl   tdi...@rogueind.com  Spamtrap address mtd...@rogueind.com






RE: multiple ints: views or separate records?

2012-05-25 Thread Lightner, Jeff
As far as influence it seems you could restrict the connections on virtual IPs 
to specific subnets so that they don’t have a choice.  This can be done via 
ACLs in the views and/or via firewall rules (e.g. in iptables if this were a 
Linux host).

From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Jonathan Reed
Sent: Friday, May 25, 2012 3:52 PM
To: bind-users@lists.isc.org
Subject: multiple ints: views or separate records?

Hi,

I have a few systems with multiple physical and virtual interfaces. One system 
has a single A record but I'm considering splitting it up. I'd like to persuade 
users to talk with a specific interface depending mostly on the app and 
sometimes from the subnet where their request originates. I want to keep things 
really easy for the users. What's your experience in influencing that decision 
while keeping things dead simple? keeping in mind that they have the potential 
of communicating with the system from a number of different angles.

Is using views my best approach? Or would it be recommended to just settle and 
publish a bunch of CNAMEs (or A) and having them stick to using those? Or 
maintain both? Said another way, how well have your users adapted to name 
changes?

Thanks.










RE: Split DNS and zone transfers

2012-04-16 Thread Lightner, Jeff
You can also do it by IP in views but need separate IPs for each view.   You 
can do that with virtual IPs on the same NICs as the primary IPs.   Such 
virtual IPs of course have to be in the same subnet as the primary and also 
you’d need to insure firewall (including host level if any) is opened for the 
new IPs.







From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Eric 
Chandler
Sent: Monday, April 16, 2012 11:47 AM
To: bind-users@lists.isc.org
Subject: RE: Split DNS and zone transfers

I’ve been pointed to the right place to figure this out.  The answer is in 
using TSIG.  That saved me a lot of time. I searched everywhere but the 
most-obvious place – the bind9 faq.


Eric Chandler
Systems Architect

From: bind-users-bounces+eric.chandler=vonage@lists.isc.org 
[mailto:bind-users-bounces+eric.chandler=vonage@lists.isc.org] On Behalf Of 
Eric Chandler
Sent: Monday, April 16, 2012 11:36 AM
To: bind-users@lists.isc.org
Subject: Split DNS and zone transfers

I have a situation where I need to filter out our private infrastructure from 
our public-facing DNS servers. This is certainly something that should have 
been done a long time ago, but I just recently took over the spot. Now, I’ve 
seen plenty of examples using views and separate zonefiles, but what I can’t 
find are examples of the same domain zone-xfering both zonefiles.

Our DNS infrastructure is large and the configuration varies from server type 
to server type. Some are configured to be the primary auth servers – facing the 
Internet. Others are public-facing, but accessed only by customer devices, and 
still others service our internal systems. I would like to get us down to just 
1 set of configuration files across the board, using views as the way to do it, 
but what I can’t get around are split zone transfers.

In this example, we have a straightforward example of a split zone:

view "trusted" {
  match-clients { 192.168.23.0/24; }; // our network
  recursion yes;
  // other view statements as required
  zone "example.com" {
    type master;
    // private zone file including local hosts
    file "internal/master.example.com";
  };
  // add required zones
};

view "badguys" {
  match-clients { any; }; // all other hosts
  // recursion not supported
  recursion no;
  // other view statements as required
  zone "example.com" {
    type master;
    // public only hosts
    file "external/master.example.com";
  };
  // add required zones
};

Now, what I would like to have are slave servers that would zone-xfer both the 
internal and external-flavored files for example.com and serve them using the 
same view structure. The hidden masters can generate the split zone files based 
on private IP address ranges, but I see no way to  use zone transfers to get 
both types of files replicated to the many slave servers that I would need to 
get them to.

This obviously won’t work, but this is what I’m after from a logical sense.


view "trusted" {
  match-clients { 192.168.23.0/24; }; // our network
  recursion yes;
  // other view statements as required
  zone "example.com" {
    type slave;
    masters { 1.2.3.4; 4.5.6.7; };
    // private zone file including local hosts
    file "internal/master.example.com";
  };
  // add required zones
};

view "badguys" {
  match-clients { any; }; // all other hosts
  // recursion not supported
  recursion no;
  // other view statements as required
  zone "example.com" {
    type slave;
    masters { 1.2.3.4; 4.5.6.7; };
    // public only hosts
    file "external/master.example.com";
  };
  // add required zones
};

I suppose I could set up another pair of hidden masters to serve up the 
internal zones, or another pair of IP addrs on the masters, but I’m hoping not 
to go down that road.

Thanks,

Eric Chandler
Systems Architect
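
An added example (not part of the thread or of the BIND FAQ it mentions) that models how named picks a view for an incoming zone-transfer request. It shows why both slave views in the sketch above receive the same copy of example.com when the master matches on source address alone, and how one TSIG key per view separates the transfers. The key names internal-xfer and external-xfer and the slave address 192.168.23.10 are assumptions.

```python
from ipaddress import ip_address, ip_network


def acl_matches(acl, src_ip, tsig_key=None):
    """Evaluate a match-clients list the way named does: elements are tried
    in order, the first one that matches decides, and a leading '!' turns
    that match into a rejection."""
    for element in acl:
        negated = element.startswith("!")
        item = element.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item.startswith("key "):
            # A key element matches only requests signed with that TSIG key.
            hit = tsig_key == item[4:].strip()
        else:
            hit = ip_address(src_ip) in ip_network(item)
        if hit:
            return not negated
    return False


def select_view(views, src_ip, tsig_key=None):
    """Views are tried in configuration order; the first match wins."""
    for name, acl in views:
        if acl_matches(acl, src_ip, tsig_key):
            return name
    return None


def transfer_plan(master_views, slave_ip, slave_view_keys):
    """Map each view on the slave to the master view that answers its AXFR.
    slave_view_keys: {slave view name: TSIG key it signs with, or None}."""
    return {view: select_view(master_views, slave_ip, key)
            for view, key in slave_view_keys.items()}


# Master configured as in the post: views chosen by source address only.
IP_ONLY_MASTER = [
    ("trusted", ["192.168.23.0/24"]),
    ("badguys", ["any"]),
]

# Master with one TSIG key per view (hypothetical key names). In named.conf:
#   view "trusted" { match-clients { !key external-xfer; key internal-xfer;
#                                    192.168.23.0/24; }; ... };
#   view "badguys" { match-clients { key external-xfer; any; }; ... };
# On the slave, each view signs its requests to the master with its own key:
#   server 1.2.3.4 { keys internal-xfer; };   // inside view "trusted"
#   server 1.2.3.4 { keys external-xfer; };   // inside view "badguys"
TSIG_MASTER = [
    ("trusted", ["!key external-xfer", "key internal-xfer", "192.168.23.0/24"]),
    ("badguys", ["key external-xfer", "any"]),
]

SLAVE_IP = "192.168.23.10"  # constructed address inside the trusted range


def demo():
    """Return the transfer plan without and with TSIG-keyed view matching."""
    unsigned = transfer_plan(IP_ONLY_MASTER, SLAVE_IP,
                             {"trusted": None, "badguys": None})
    signed = transfer_plan(TSIG_MASTER, SLAVE_IP,
                           {"trusted": "internal-xfer",
                            "badguys": "external-xfer"})
    return unsigned, signed


if __name__ == "__main__":
    unsigned, signed = demo()
    print("address-only matching:", unsigned)
    print("TSIG-keyed matching:  ", signed)
```

With address-only matching both transfers land in the master's "trusted" view, so the slave's external view would end up serving the internal zone data.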


RE: Restricting access keeping identical data across views

2012-03-28 Thread Lightner, Jeff
Is signing not done at zone file level?

For our views even when the zones are identical I keep separate copies for the 
internal and external views so I would have thought this wouldn't be an issue.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Niall O'Reilly
Sent: Wednesday, March 28, 2012 5:38 AM
To: Jon A.
Cc: bind-users@lists.isc.org
Subject: Re: Restricting access  keeping identical data across views


On 28 Mar 2012, at 02:16, Jon A. wrote:

 I'm looking for a best practice to keep zone data across multiple views on 
 multiple servers sync

FWIW, you're not alone.

I have three views too, internal, external, and mendacious.
The last is for coercing unregistered clients connecting to
LANs where registration is required.

What we have works.  It will need a major overhaul for DNSSEC.
I think I know what will be needed, but would find a BP
or HOWTO helpful, provided it met my use-case closely enough.
I'm not averse to contributing some effort to such a project.

ATB
Niall O'Reilly



RE: Name Resolution issue with one domain

2012-03-21 Thread Lightner, Jeff
I don’t think the target is blocking as I get the following:

dig www.dubaiairport.com

; <<>> DiG 9.8.1 <<>> www.dubaiairport.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36668
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dubaiairport.com.          IN      A

;; ANSWER SECTION:
www.dubaiairport.com.   7200    IN      A       213.42.55.169

;; AUTHORITY SECTION:
dubaiairport.com.       172799  IN      NS      dcaowa01.dubaiairport.com.
dubaiairport.com.       172799  IN      NS      svr-b003.dubaiairport.com.

;; Query time: 337 msec
;; SERVER: 192.94.73.20#53(192.94.73.20)
;; WHEN: Wed Mar 21 19:25:08 2012
;; MSG SIZE  rcvd: 100

The point is your firewall should NOT block outbound queries for port 53 or 
other ports.   There is a well known cache poisoning attack based on knowing the 
outbound (source) port that is going to be used so the port should be 
randomized.   Port 53 MUST be accessible on the target DNS server as that is 
the one that is going to answer the query.







From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of babu 
dheen
Sent: Wednesday, March 21, 2012 3:14 PM
To: Matus UHLAR - fantomas; bind-users@lists.isc.org
Subject: Re: Name Resolution issue with one domain

Dear All,

When I executed #dig www.dubaiairport.com, I am 
getting below response

; <<>> DiG 9.3.4-P1 <<>> www.dubaiairport.com
;; global options:  printcmd
;; connection timed out; no servers could be reached

 When I checked the firewall logs, as you all confirmed, traffic is leaving 
from both non standard and standard port. But firewall logs clearly shows that 
traffic from source port =53 and it's getting dropped. But other DNS traffic 
towards various domains also going with source port 53 for which we have no 
issue.

 Is this port restriction done at remote domain firewall?
 Is there any way to enforce non standard port for this domain query at our 
BIND level from our side?


Mar 21 21:50:26 start_time=2012-03-21 21:47:54 duration=151 policy_id=20 
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit 
sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 
session_id=512159 reason=Close - AGE OUT

Mar 21 21:50:46 start_time=2012-03-21 21:49:15 duration=90 policy_id=24 
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit 
sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75  port=53 
session_id=451904 reason=Close - AGE OUT

Regards
Babu

From: Matus UHLAR - fantomas uh...@fantomas.sk
To: bind-users@lists.isc.org
Sent: Wednesday, 21 March 2012 11:41 AM
Subject: Re: Name Resolution issue with one domain

On 21.03.12 09:23, Mark Andrews wrote:
Stupid firewall rules in front of the nameservers.  They block
traffic sent from port 53 which is the port lots of nameservers
used to send query traffic.  When will firewall administrators learn
that the source ports can be anything, that they are not significant,
and that blocking traffic based on the source port is stupid.

maybe the admin set that up to force local servers using random ports,
instead of 53, for outgoing requests. Nobody should use port 53 for
_outgoing_ requests.

bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)

; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
;; global options: +cmd
;; connection timed out; no servers could be reached
bsdi#

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
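
An added example (not from any poster in this thread) that runs the check discussed above over firewall session logs: it finds resolvers that send DNS queries from fixed source port 53 and lists the destinations that never answered them. The first two sample entries are the log lines quoted in the thread; the last two, the addresses 10.1.1.2 and 192.0.2.53, and the 0.5 threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Entries 1-2: firewall log lines quoted in the thread.
# Entries 3-4: constructed for contrast (documentation address 192.0.2.53).
SAMPLE_LOG = """\
Mar 21 21:50:26 start_time=2012-03-21 21:47:54 duration=151 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=512159 reason=Close - AGE OUT
Mar 21 21:50:46 start_time=2012-03-21 21:49:15 duration=90 policy_id=24 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75  port=53 session_id=451904 reason=Close - AGE OUT
Mar 21 21:51:02 start_time=2012-03-21 21:50:58 duration=4 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=78 rcvd=212 src=10.1.1.1 dst=192.0.2.53 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=192.0.2.53 port=53 session_id=512201 reason=Close - AGE OUT
Mar 21 21:51:09 start_time=2012-03-21 21:51:05 duration=4 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=81 rcvd=240 src=10.1.1.2 dst=192.0.2.53 src_port=41873 dst_port=53 src-xlated ip=10.1.1.2 port=41873 dst-xlated ip=192.0.2.53 port=53 session_id=512207 reason=Close - AGE OUT
"""

# Only whole keys are accepted, so "src zone=", "src-xlated ip=" and the bare
# "port=" of the NAT fields are not mistaken for src=, dst= or src_port=.
FIELD = re.compile(
    r"(?<![\w-])(proto|sent|rcvd|src|dst|src_port|dst_port)=(\S+)")
NEEDED = ("proto", "sent", "rcvd", "src", "dst", "src_port", "dst_port")


def parse_session(line):
    """Return the fields of an outbound UDP DNS session, or None."""
    fields = dict(FIELD.findall(line))
    if any(key not in fields for key in NEEDED):
        return None
    if fields["proto"] != "17" or fields["dst_port"] != "53":
        return None
    return {"src": fields["src"], "dst": fields["dst"],
            "src_port": int(fields["src_port"]),
            "sent": int(fields["sent"]), "rcvd": int(fields["rcvd"])}


def summarise(log_text):
    """Per resolver: sessions sent from port 53, sessions sent from any other
    port, and the destinations that received queries but sent nothing back."""
    report = defaultdict(
        lambda: {"fixed_port": 0, "other_port": 0, "unanswered": set()})
    for line in log_text.splitlines():
        session = parse_session(line)
        if session is None:
            continue
        entry = report[session["src"]]
        entry["fixed_port" if session["src_port"] == 53 else "other_port"] += 1
        if session["sent"] > 0 and session["rcvd"] == 0:
            entry["unanswered"].add(session["dst"])
    return dict(report)


def resolvers_with_fixed_source_port(log_text, threshold=0.5):
    """Resolvers whose share of queries sent from port 53 exceeds threshold,
    a sign that the query source port is pinned rather than randomized."""
    flagged = []
    for src, entry in summarise(log_text).items():
        total = entry["fixed_port"] + entry["other_port"]
        if total and entry["fixed_port"] / total > threshold:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    for src, entry in sorted(summarise(SAMPLE_LOG).items()):
        print(src, entry)
    print("fixed source port:", resolvers_with_fixed_source_port(SAMPLE_LOG))
```

A resolver flagged here typically has a port pinned in its `query-source` option in named.conf; removing the port clause lets named choose random source ports.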

RE: forwarding @ to a different domain?

2012-01-09 Thread Lightner, Jeff
Just as a follow on to that prior thread.

I was able to setup the CNAME for www and * at the Registrar without A records 
as indicated.  Unfortunately the * at registrar equated to *. Meaning for 
example ftp.mydomain.com would work with that CNAME but the domain itself, 
mydomain.com, would not.   Despite the ecommerce vendor (Amazon ultimately) 
saying one should NOT setup A records their response to us was to leave the two 
CNAMES (www and *) in place and set up 3 A records for the domain itself.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
/dev/rob0
Sent: Sunday, January 08, 2012 6:33 PM
To: bind-users@lists.isc.org
Subject: Re: forwarding @ to a different domain?

On Sunday 08 January 2012 09:48:42 enigmedia wrote:
 Hi All: I have a situation where I need to forward requests for
 mydomain.com and www.mydomain.com to a third party:

mydomain.com is a real domain, and probably not yours. If for some
reason you do not want to mention your real domain name, use
example.com (or example.TLD for most top-level domains), which is
reserved for examples.

 mydomain.myshopify.com (while still pointing other things like
 MX records elsewhere).

 I realize I can point a CNAME for WWW to
 mydomain.myshopify.com, but how do I point mydomain.com to
 this third party if there is no A record to point to?

This is beginning to be a FAQ here, perhaps due to the popularity of
such hosting services (which seem to have been designed by people who
have a poor understanding of DNS.)

This was my reply in a thread last month; refer to the entire thread
for more:

https://lists.isc.org/pipermail/bind-users/2011-December/085918.html
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


RE: About root zones

2011-12-21 Thread Lightner, Jeff
if a root zone is not defined in named.conf

I wonder if you really do NOT want to ever hit root zones you could make your 
own entry in named.conf that points to localhost for root zone and thereby 
avoid hitting any real root?





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Peter Andreev
Sent: Wednesday, December 21, 2011 4:05 AM
To: bind-users@lists.isc.org
Subject: Re: About root zones

2011/12/21 Matus UHLAR - fantomas uh...@fantomas.sk:
 2011/12/20 Mark Andrews ma...@isc.org:

Named has a compiled in set of root hints.  It is used if
a root zone is not defined in named.conf.


 On 20.12.11 17:37, Peter Andreev wrote:

 Whether it means that without hint zone named still can perform
 iterative lookups for its internal purposes?


 2011/12/20 Matus UHLAR - fantomas uh...@fantomas.sk:

 yes.


 On 21.12.11 12:17, Peter Andreev wrote:

 This fact is really disappointing.


 well, it's needed for proper functionality. What exactly seems to be your
 problem?

Well, we run a bunch of authoritative-only slave servers and obviously
they don't have to perform any kind of lookups.
Some time ago user complained that one of these slave servers
responses with wrong data. My colleague tried to investigate this
issue, but without any success. Just in case we disabled
additional-from-cache.
That's why any sort of internal lookups looks very suspicious for me.


 Note that
 - only clients that are allowed to recurse are able to see date
  the type hint zone
 - only clients from local networks are allowed to recurse by default.
  You can tune this by configuring the allow-recursion option.

 --
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Atheism is a non-prophet organization.



--
--
AP


RE: .TLD minimum number of nameservers rule

2011-12-12 Thread Lightner, Jeff
Or you could simply put a virtual IP address on the same name server (and any 
NATting required) and put it in as your second at the registrar.

That is to say the Registrar would see the same name server with two different 
names and IPs so wouldn't know it was the same name server.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Anand Buddhdev
Sent: Monday, December 12, 2011 9:32 AM
To: nudge...@fastmail.fm
Cc: bind-us...@isc.org
Subject: Re: .TLD minimum number of nameservers rule

On 12/12/2011 15:19, nudge...@fastmail.fm wrote:

 Sorry if this is slightly off-topic

 I've just discovered that the TLD where I've registered my domain requires a 
 minimum of 2 nameservers
 for any subdomain, which is very sensible but I happen to have a special case 
 on my hands.
 So I'd like to register a new domain elsewhere where they will allow a single 
 nameserver except...
 I can't seem to find out what the rules are for other TLDs. *before* 
 registering.
 Some kindly advise would be most welcome.

I suspect that most, if not all registries will require you to provide
at least 2 name servers, because this is highly recommended in one of
the RFCs (forget which one now). It will be quite unusual to find a TLD
which allows just one name server for a delegation.

If your special domain doesn't need to be under a TLD, then you can
create your own delegation for it in a domain you control, with just one
name server if you like.

Regards,

Anand Buddhdev
RIPE NCC


CNAME only zone?

2011-12-09 Thread Lightner, Jeff
Is it possible to create a zone file that only contains a CNAME?

The request I got is to create a CNAME to point shop4water.com to 
shop4water.hostedbywebtstore.com.

We own shop4water.com – hostedbywebstore.com is something external that we 
don’t own.

I’ve reviewed past posts and searched the internet.  I see things saying “you 
can’t have CNAME only” or “you can” or “you should use DNAME instead” and then 
others saying that “you can’t use CNAME or DNAME with any other record and the 
SOA itself is a record”.

So my basic question is:   Is it possible to do this?  If so what should the 
zone file for shop4water.com look like?   Is there another way to make queries 
for shop4water.com go to shop4water.hostedbywebtstore.com?












RE: CNAME only zone?

2011-12-09 Thread Lightner, Jeff
I don't know what you mean by that.  Apex of what exactly - my zone file?

I can make a zone file that simply has a CNAME in it with no SOA, serial number 
etc...?

As noted I do not own the target zone so I can't update any records there.

Can you tell me exactly what the zone file should look like with the CNAME 
record at the apex?







-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Phil 
Mayers
Sent: Friday, December 09, 2011 11:41 AM
To: bind-users@lists.isc.org
Subject: Re: CNAME only zone?

On 09/12/11 16:25, Lightner, Jeff wrote:
> Is it possible to create a zone file that only contains a CNAME?

This comes up a lot, it seems.

No. CNAME conflicts with any other record - including the SOA and NS
records required at the apex.

You will have to put an A record at the apex.
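
The rule stated in the reply above, as an added example that is not part of the original thread: a small checker that reports owner names where a CNAME coexists with other records. It assumes one record per line (no parenthesised records); the zone contents, the target host target.example.net and the 192.0.2.x addresses are constructed placeholders.

```python
"""Added example: flag owner names where a CNAME coexists with other data."""

CLASSES = {"IN", "CH", "HS"}
# DNSSEC records are the exception allowed beside a CNAME (RFC 4035, 2.5).
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}

# Constructed sample: the CNAME-at-apex zone asked about in the thread.
APEX_CNAME_ZONE = """\
$TTL 3600
@    IN SOA   ns1 hostmaster 2011120901 3600 900 604800 3600
@    IN NS    ns1
@    IN CNAME target.example.net.
ns1  IN A     192.0.2.1
"""

# Constructed sample: A record at the apex, CNAME only on a name that
# holds nothing else.
APEX_A_ZONE = """\
$TTL 3600
@    IN SOA   ns1 hostmaster 2011120901 3600 900 604800 3600
@    IN NS    ns1
@    IN A     192.0.2.10
www  IN CNAME target.example.net.
ns1  IN A     192.0.2.1
"""


def absolute(name, origin):
    """Master-file naming: '@' is the origin, a trailing dot marks a fully
    qualified name, and anything else has the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return {owner name: set of record types} for simplified zone text."""
    origin = origin.lower()
    owners, last_owner = {}, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = absolute(fields[1], origin)
            continue
        if fields[0].startswith("$"):          # $TTL and other directives
            continue
        if line[0].isspace():                  # blank owner: reuse the last one
            owner = last_owner
        else:
            owner = absolute(fields.pop(0), origin)
        # Skip the optional TTL and class that may precede the type.
        while fields and (fields[0][0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if not fields:
            continue
        owners.setdefault(owner, set()).add(fields[0].upper())
        last_owner = owner
    return owners


def cname_conflicts(owners):
    """Return {owner: other types} for names holding a CNAME plus other data."""
    conflicts = {}
    for owner, types in owners.items():
        if "CNAME" in types:
            others = types - {"CNAME"} - ALLOWED_WITH_CNAME
            if others:
                conflicts[owner] = sorted(others)
    return conflicts


if __name__ == "__main__":
    for label, zone in (("apex CNAME", APEX_CNAME_ZONE), ("apex A", APEX_A_ZONE)):
        print(label, cname_conflicts(parse_zone(zone, "shop4water.com.")))
```
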


RE: CNAME only zone?

2011-12-09 Thread Lightner, Jeff
Also note that other workarounds will solve the same problem in a better way.

Care to enlighten me as to what those workarounds would be?

Also - why is it a registrar can do a CNAME only but we mere mortals can't?  In 
fact documentation from Amazon (it is apparently their web store I've since 
learned) suggests doing it at registrar so I'll probably go that route but I'm 
wondering why it should work there but not on one of my delegated name servers.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
/dev/rob0
Sent: Friday, December 09, 2011 12:41 PM
To: bind-users@lists.isc.org
Subject: Re: CNAME only zone?

On Friday 09 December 2011 10:25:36 Lightner, Jeff wrote:
> Is it possible to create a zone file that only contains a CNAME?

As already answered, no.

> The request I got is to create a CNAME to point shop4water.com to
> shop4water.hostedbywebtstore.com.

You can ask your registrar if they can/will do this in the parent
com. zone. I have seen ugliness of this type from either Network
Solutions or register.com before, not sure which.

> We own shop4water.com - hostedbywebstore.com is something external
> that we don't own.

Do note that hostedbywebtstore is not the same as hostedbywebstore;
we're sticklers for precise spelling.

Also note that other workarounds will solve the same problem in a
better way.
--
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


RE: bind 9.2.1 assertion failure

2011-12-07 Thread Lightner, Jeff
ISC who makes bind doesn't support it any longer.  Mark is with ISC.

What do you have this installed on?  It may be something distro specific and if 
so you may need to get your question answered by whoever provided it to you.

For example RedHat Enterprise Linux distributes a modified version of BIND 
9.3.x which is also no longer supported by ISC.  If you wanted mitigation for 
the recent attack you'd have to install RedHat's fix to their version.  
(Alternatively you can download and compile the ISC supported version but at 
that point RedHat would no longer support your version of BIND.)





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Florian Weimer
Sent: Wednesday, December 07, 2011 1:37 PM
To: Mark Andrews
Cc: bind-us...@isc.org
Subject: Re: bind 9.2.1 assertion failure

* Mark Andrews:

> BIND 9.2.1 was released May 2002 and is no longer supported.

Uhm, there are multiple sources for BIND support.  At least one still
provides some coverage for BIND 9.2.


RE: Bind 9.9.0b2 inline signing...

2011-11-28 Thread Lightner, Jeff
You can install Cygwin under Windoze and then get most Linux packages under 
that.

Alternatively you can just install the Windows zip file for BIND and use the 
dig.exe it provides.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
wbr...@e1b.org
Sent: Monday, November 28, 2011 1:03 PM
To: Todd Snyder
Cc: bind-users-bounces+wbrown=e1b@lists.isc.org; bind-users@lists.isc.org
Subject: RE: Bind 9.9.0b2 inline signing...

Todd wrote on 11/24/2011 11:29:14 AM:

> I don't understand why Windows doesn't include dig by default, even
> now.  Free software hate?

And grep and logrotate!  At least the GnuWin32 project has a good version
of grep.



Confidentiality Notice:
This electronic message and any attachments may contain confidential or
privileged information, and is intended only for the individual or entity
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if this
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or any
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.


RE: Question About max-clients-per-query

2011-11-18 Thread Lightner, Jeff
Not an answer to your basic question but I did want to mention that on most 
UNIX/Linux terminal sessions you can hit Ctrl-s to stop scrolling and 
Ctrl-q to resume it.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Alan 
Shackelford
Sent: Friday, November 18, 2011 10:32 AM
To: bind-users@lists.isc.org
Subject: Question About max-clients-per-query

I had a situation a couple of days ago where a compromised machine in the DMZ 
portion of my network began sending an incredible number of queries to a couple 
of the primary internal DNS servers. The traffic was so intense that legitimate 
queries were unable to get through, or the customer timed out before the 
response came back. It took me a while to diagnose, because tailing the logs 
with querylog on was not possible. The data were coming too fast for my 
terminal to display them. Only after several Cntl-C commands was I able to 
escape from the tail, and a portion of the logs was displayed. Only queries 
from the compromised machine were visible. Nothing else got through during that 
time period. My customers and bosses are naturally furious.

So is it possible to limit the number of queries for one name from one client, 
or even better, limit the number in a certain time, or the number of queries 
in a row from one client. If not we are going to have to be creative with 
some iptables or firewall rules.

Thanks for any help you can lend.

Alan V. Shackelford   Sr. Systems Software Engineer
The Johns Hopkins University and Johns Hopkins Medical Institutions
Baltimore, Maryland USA   410-735-4773ashac...@jhmi.edu
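
For the diagnosis problem described in the message above (query log scrolling too fast to read), an added example that is not part of the original thread: it reads saved query-log lines offline and reports clients whose peak queries per second exceed a threshold. The log line layout is an assumption (it differs between BIND versions), and the sample lines and addresses are constructed.

```python
"""Added example: find flooding clients in saved BIND query-log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed layout: "<date> <time>.<ms> ... client <ip>#<port>: query: <name> <class> <type> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+.*?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample: two normal clients, one unrelated line, and one client
# that sends a burst of six queries within a single second.
SAMPLE_LOG = [
    "18-Nov-2011 10:31:58.101 client 192.0.2.15#40112: query: www.example.com IN A +",
    "18-Nov-2011 10:31:58.350 client 198.51.100.77#50901: query: a.example.net IN A +",
    "18-Nov-2011 10:31:58.720 client 198.51.100.77#50902: query: b.example.net IN A +",
    "18-Nov-2011 10:31:59.400 client 192.0.2.20#33017: query: mail.example.com IN MX +",
    "named[1234]: some unrelated line",
] + [
    f"18-Nov-2011 10:31:59.{i:03d} client 198.51.100.77#{51000 + i}: "
    f"query: r{i}.example.net IN A +"
    for i in range(6)
]


def parse(lines):
    """Yield (timestamp truncated to the second, client ip, qname)."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line, or a layout this regex does not cover
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        yield ts, m["ip"], m["qname"].lower()


def flood_suspects(lines, max_qps):
    """Return [(ip, peak queries in one second, share of all queries)] for
    clients whose peak exceeds max_qps, busiest first."""
    per_second = defaultdict(Counter)   # ip -> {second: query count}
    totals = Counter()                  # ip -> query count overall
    for ts, ip, _qname in parse(lines):
        per_second[ip][ts] += 1
        totals[ip] += 1
    grand_total = sum(totals.values())
    suspects = []
    for ip, buckets in per_second.items():
        peak = max(buckets.values())
        if peak > max_qps:
            suspects.append((ip, peak, round(totals[ip] / grand_total, 2)))
    return sorted(suspects, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    for ip, peak, share in flood_suspects(SAMPLE_LOG, max_qps=5):
        print(f"{ip}: peak {peak} q/s, {share:.0%} of logged queries")
```
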








RE: DNS Sinkhole in BIND

2011-10-27 Thread Lightner, Jeff
Rather a late response I think.

When I setup the rules I spoke about RPZ was just a gleam in someone's eyes.

My post discussed the relative merit of iptables vs. blackholes and didn't 
mention RPZ.  RPZ may be a better solution but it requires one to stop and 
upgrade BIND to get it.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Michelle Konzack
Sent: Wednesday, October 26, 2011 9:01 PM
To: bind-users@lists.isc.org
Subject: Re: DNS Sinkhole in BIND

Hello Lightner, Jeff,

On 2011-10-17 13:28:43, you hacked down the following:
> While setting up blackholes in BIND works fine when I did this on
> Linux I found that setting up iptables to do drops for known bad
> IPs/ranges was slightly better as the traffic never gets to BIND in
> the first place as it is stopped at kernel level.  It simply DROPs the
> packet without telling the bad guys why packets didn't go through.
>
> Example rules for various IPs that have annoyed me in the past:
> -A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
> -A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
> -A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
> -A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
> -A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP

...and you get the hell on your ass if you have several 1000 of them!
In this case, bind9 with RPZ is cheaper.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux
   Internet Service Provider, Cloud Computing
http://www.itsystems.tamay-dogan.net/

itsystems@tdnet Jabber  linux4miche...@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3   Tel office: +49-176-86004575
77694 Kehl  Tel mobil:  +49-177-9351947
Germany Tel mobil:  +33-6-61925193  (France)

USt-ID:  DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/






RE: DNS Sinkhole in BIND

2011-10-17 Thread Lightner, Jeff
While setting up blackholes in BIND works fine when I did this on Linux I found 
that setting up iptables to do drops for known bad IPs/ranges was slightly 
better as the traffic never gets to BIND in the first place as it is stopped at 
kernel level.  It simply DROPs the packet without telling the bad guys why 
packets didn't go through.

Example rules for various IPs that have annoyed me in the past:
-A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
-A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
-A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
-A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
-A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP

Of course you can do ranges as well in iptables.

Also you should be sure that you're restricting things like recursion and cache 
to trusted environments (i.e. internal lookups) while still allowing lookups 
for domains you're authoritative for to the outside.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
TCPWave Customer Care
Sent: Sunday, October 16, 2011 7:43 PM
To: babu dheen
Cc: bind-users@lists.isc.org
Subject: Re: DNS Sinkhole in BIND

Babu

The following example defines two access control lists and uses an
options statement to define how they are treated by the nameserver:

acl black-hats { 10.0.2.0/24; 192.168.0.0/24; };
acl red-hats { 10.0.1.0/24;  };

options {
    blackhole { black-hats; };
    allow-query { red-hats; };
    allow-recursion { red-hats; };
};

This example contains two access control lists, black-hats and red-hats.
Hosts in the black-hats list are denied access to the nameserver, while
hosts in the red-hats list are given normal access.

Regards
TCPWave Customer Care


On Sun, 2011-10-16 at 23:30 +0530, babu dheen wrote:
> Hi,
>
> Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit
> edition.
>
> Regards
> babu
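
Both blocking approaches in this thread (per-address iptables DROP rules and a BIND blackhole acl) work from the same address list, and the earlier reply points out that thousands of single-address rules get expensive. The following is an added example, not code from the thread: it validates a blocklist, collapses it into the fewest CIDR ranges and emits both forms. The chain name and acl name are taken from the messages above; the input addresses are constructed from documentation ranges, and the min_prefix guard is an assumption of this sketch.

```python
"""Added example: collapse a blocklist into CIDR ranges for iptables and BIND."""
import ipaddress

# Constructed sample: adjacent ranges, a duplicate, a typo and a
# catch-all entry that must never reach the firewall.
SAMPLE_BLOCKLIST = [
    "203.0.113.0/25",
    "203.0.113.128/25",
    "198.51.100.7",
    "198.51.100.7",
    "198.51.100.6",
    "not-an-ip",
    "0.0.0.0/0",
]


def aggregate(entries, min_prefix=16):
    """Return (collapsed IPv4 networks, rejected entries).

    Entries that do not parse, are not IPv4, or cover more than a
    /min_prefix are rejected so that a typo cannot drop all traffic.
    """
    nets, rejected = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4 or net.prefixlen < min_prefix:
            rejected.append(entry)
            continue
        nets.append(net)
    # collapse_addresses merges duplicates and adjacent or overlapping ranges.
    return list(ipaddress.collapse_addresses(nets)), rejected


def iptables_rules(nets, chain="RH-Firewall-1-INPUT"):
    """Rules in the iptables-save style used in the thread."""
    return [f"-A {chain} -s {net} -j DROP" for net in nets]


def bind_acl(nets, name="black-hats"):
    """A named.conf acl statement usable with the blackhole option."""
    members = " ".join(f"{net};" for net in nets)
    return f"acl {name} {{ {members} }};"


if __name__ == "__main__":
    networks, bad = aggregate(SAMPLE_BLOCKLIST)
    print("\n".join(iptables_rules(networks)))
    print(bind_acl(networks))
    print("rejected:", bad)
```
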


RE: DNS Sinkhole in BIND

2011-10-17 Thread Lightner, Jeff
I’m confused – does the OP want to block or does he want to redirect.  
“block/redirect” are two different things.   What I wrote will block.   If he 
wants to redirect that’s fine but I don’t think he’d want to redirect to his 
real webserver – why send bogus traffic there and also take the risk that being 
so directed the bad user will be able to hack?   Dropping the packet in DNS 
stops it cold.   (Not saying they can’t get to web servers via legitimate 
paths but it appears the OP has known malefactors.)   Is the OP building a 
honeypot?







From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Ryan 
Novosielski
Sent: Monday, October 17, 2011 3:52 PM
To: babu dheen; Bind Users Mailing List; c...@cam.ac.uk
Subject: Re: DNS Sinkhole in BIND

I do this. There may now be a smarter way, but I have a small number so this is 
manageable for me: configure zones for each of the evil zones. Your server will 
appear authoritative and you can direct clients wherever you like. I direct 
some of mine to a virtualhost handing out 503 errors.


-- Sent from my Palm Pre



On Oct 17, 2011 13:46, babu dheen babudh...@yahoo.co.in wrote:
You are absolutely correct Chris.. I want to block/redirect all malware domain 
request initiated by clients by setting up DNS SINKHOLE in Redhat BIND server.



--- On Mon, 17/10/11, Chris Thompson c...@cam.ac.uk wrote:

From: Chris Thompson c...@cam.ac.uk
Subject: Re: DNS Sinkhole in BIND
To: Bind Users Mailing List bind-users@lists.isc.org
Cc: babu dheen babudh...@yahoo.co.in
Date: Monday, 17 October, 2011, 8:19 PM
On Oct 16 2011, babu dheen wrote:

> Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit edition.

All the replies to this so far seem to assume that he wants to block evil
entities from using his nameservers. But Google seems to suggest that
DNS Sinkhole usually refers to redirecting names that are being used
for evil purposes to e.g. a local monitoring station - not the same thing
at all.

-- Chris Thompson
Email: c...@cam.ac.uk









RE: host versus nslookup

2011-10-12 Thread Lightner, Jeff
One thing that is different about nslookup on HP-UX (which doesn't have host) 
is that it actually respects nsswitch.conf so will give you results from 
/etc/hosts OR from name services whereas most implementations only do it from 
name services.

Nslookup is deprecated meaning you should use host where possible.   Also for 
DNS troubleshooting dig is a much better tool than nslookup or host.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Martin McCormick
Sent: Wednesday, October 12, 2011 1:22 PM
To: 'bind-users@lists.isc.org'; mar...@dc.cis.okstate.edu
Subject: host versus nslookup

Many years ago, various flavors of unix began distributing a
utility called host which did almost the same thing as nslookup.
Host is what I use most of the time, now, and I actually thought
that nslookup on unix systems was maybe going away.

A coworker recently asked me about nslookup on our
FreeBSD system and I verified the behavior he was asking about.

Other than a different output format, what are the
advantages of having both host and nslookup.

On the FreeBSD system in question, nslookup is
definitely a different binary than is host so one is not
hard-linked to the other.

The behavior he was asking about was simply that all
foreign domains that one looks up with nslookup report as
non-authoritative since the DNS one is using is not authoritative
for, say, microsoft.com or yahoo.com.

This is not a problem. I am just curious.

Many thanks.

Martin McCormick WB5AGZ  Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group


RE: host versus nslookup

2011-10-12 Thread Lightner, Jeff
So hitting yourself in the head with a shovel is better?  :p





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
David Miller
Sent: Wednesday, October 12, 2011 4:08 PM
To: bind-users@lists.isc.org
Subject: Re: host versus nslookup

On 10/12/2011 3:01 PM, Kevin Darcy wrote:
> On 10/12/2011 1:21 PM, Martin McCormick wrote:
>> Many years ago, various flavors of unix began distributing a
>> utility called host which did almost the same thing as nslookup.
>> Host is what I use most of the time, now, and I actually thought
>> that nslookup on unix systems was maybe going away.
>>
>> A coworker recently asked me about nslookup on our
>> FreeBSD system and I verified the behavior he was asking about.
>>
>> Other than a different output format, what are the
>> advantages of having both host and nslookup.
>>
>> On the FreeBSD system in question, nslookup is
>> definitely a different binary than is host so one is not
>> hard-linked to the other.
>>
>> The behavior he was asking about was simply that all
>> foreign domains that one looks up with nslookup report as
>> non-authoritative since the DNS one is using is not authoritative
>> for, say, microsoft.com or yahoo.com.
>>
>> This is not a problem. I am just curious.
>
> nslookup has lots of problems. Four that I can cite off the top of my
> head:
> 1) most versions of nslookup will stop dead in their tracks if they
> can't reverse-resolve the name of whatever resolver they're trying to
> use (even though that's basically irrelevant to the actual lookup that
> the user requested)
> 2) nslookup will by default use a searchlist, but it does this
> completely invisibly by default (unless a debugging option is turned
> on), and thus will often mis-represent the real result of the query
> (e.g. you look up foo.example1.com, that gets a SERVFAIL, then
> unbeknownst to the user, nslookup tries the searchlist'ed name
> foo.example1.com.example2.com and reports the resulting NXDOMAIN as
> the final error of the lookup, thus obscuring the real error -- SERVFAIL)
> 3) the default output format of nslookup doesn't distinguish the
> result of the query from the identity of the resolver clearly enough,
> so unsophisticated users will often think that the name they're
> looking up actually resolves to the address of the DNS resolver, and
> much hilarity ensues (mis-routed trouble tickets, drama, confusion, etc.)
> 4) some versions of nslookup display atypical DNS responses (e.g.
> dangling CNAMEs, referrals) in very confusing, non-intuitive ways.
>
>
> - Kevin

Use dig.

Always use dig.  If dig isn't installed - install dig and then use dig.
Make dig part of your default set of packages on all boxes.

host vs nslookup? is asking whether you should hit yourself in the
head with a small or large hammer.

Put down the hammer and use dig.

-DMM



RE: Master and slave on same host

2011-10-11 Thread Lightner, Jeff
What do you mean you can’t have additional IPs?   Even if you don’t have other 
network connections you can use virtual IPs on a single NIC.   I have one 
server (not DNS) that has 30 virtual IPs on a single NIC.







From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Joseph L. Casale
Sent: Tuesday, October 11, 2011 9:17 AM
To: 'bind-users@lists.isc.org'
Subject: Master and slave on same host

I have an RHEL server running Bind 9.7 that needs to have a zone set to master 
and
slave between two views. I don’t have the luxury of an additional IP, is this 
still possible
with a single ip address?

Thanks!
jlc






RE: CNAME or A record?

2011-09-29 Thread Lightner, Jeff

What you responded to below was simply my agreement that one doesn't use DNS 
for web redirects.   I didn't suggest he doesn't still need two records to 
get there in the first place.

I should think it was clear from my original post in the thread that I was 
saying he should have two records and that my preference was A records.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
wbr...@e1b.org
Sent: Wednesday, September 28, 2011 7:17 PM
To: Lightner, Jeff
Cc: bind-us...@isc.org
Subject: RE: CNAME or A record?

All true, but if you don't have some sort of DNS record for both 
example.com and www.example.com, then all the rewrite rules in the world 
won't help.

For all we know, the web server doesn't care what the URL is since it is 
the only site hosted on that server and answers to all GETs.

Jeff wrote on 09/28/2011 10:51:08 AM:

> +1
>
> All of our redirects are either done by rewrite rules in Apache or
> Jboss or on our load balancer.   We don’t do any in DNS.
>
> From: bind-users-bounces+jlightner=water@lists.isc.org [
> mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
> Of ??
> Sent: Wednesday, September 28, 2011 10:43 AM
> To: feralert
> Cc: bind-us...@isc.org
> Subject: Re: CNAME or A record?
>
> this is the stuff what should be done by webserver rather than by
> DNS. i.e. Apache rewrite will do that.
> On 2011-9-28 at 10:29 PM, feralert feral...@gmail.com wrote:
> > Hi all,
> >
> > I'm sure this has been asked trillions of times but since I couldn't
> > find any concrete answer/reference in google I am asking you guys in
> > this list. Sorry if anyone thinks this a dumb question or something
> > very obvious.
> >
> > The thing is that i want users redirected to 'www.domain.com' even
> > when they just type the domain name 'domain.com'.
> > In order to do so I am not sure if its best to have one A RR for each
> > or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
> > for 'www.domain.com'.
> >
> > domain.com A 1.1.1.1
> > www.domain.com A 1.1.1.1
> >
> > OR
> >
> > domain.com A 1.1.1.1
> > www.domain.com CNAME domain.com
> >
> > Any help appreciated.
> >
> > Thanks,
> > Fred


RE: resolv record without domain

2011-09-29 Thread Lightner, Jeff
Right - the issue here is the lookup not the DNS record itself.   On UNIX/Linux 
hosts the file is /etc/resolv.conf.

However, I do see a DNS configuration issue here as well.  There should NOT be 
a dot after name in the A record - that tells it NOT to append the domain 
name.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Warren Kumari
Sent: Thursday, September 29, 2011 9:43 AM
To: Gabriele Gabriele
Cc: bind-users@lists.isc.org
Subject: Re: resolv record without domain


On Sep 29, 2011, at 9:25 AM, Gabriele Gabriele wrote:

 Hello dear mailing list,
 I have a little problem with my bind configuration; let me explain the 
 situation.
 I have a domain example.com with many records and everything works well. Now 
 I need to resolve a name of my servers without specifying the domain,

 for example:


 name. IN A 1.1.1.1


 but if I try to resolve the name with nslookup, the DNS tells me the record 
 is Non-Exist...

 Is there a way to do it?

Not 100% sure I understand the question, but what I think you need is a search 
path.

In a linux box, add:
search example.com
to resolv.conf.

On a mac it's under Network Preferences, Interface, Search Domains.
somewhere similar on Windows.

You can also hand this out via DHCP:
option domain-search example.com;

W




 thanks

 best regards


RE: CNAME or A record?

2011-09-28 Thread Lightner, Jeff
If you set your SOA properly to use @ (which means this zone) your A 
records should be:

domain.com. A   1.1.1.1
www A   1.1.1.1

The SOA should append the domain.com to every record not terminated by a dot 
so that www is read as www.domain.com.  Similarly you put a dot at the end 
of domain.com A record to prevent it from being appended and read as 
domain.com.domain.com.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
feralert
Sent: Wednesday, September 28, 2011 10:20 AM
To: bind-us...@isc.org
Subject: CNAME or A record?

Hi all,

I'm sure this has been asked trillions of times but since I couldn't
find any concrete answer/reference in google I am asking you guys in
this list. Sorry if anyone thinks this a dumb question or something
very obvious.

The thing is that i want users redirected to 'www.domain.com' even
when they just type the domain name 'domain.com'.
In order to do so I am not sure if its best to have one A RR for each
or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
for 'www.domain.com'.


domain.com       A      1.1.1.1
www.domain.com   A      1.1.1.1

OR

domain.com       A      1.1.1.1
www.domain.com   CNAME  domain.com


Any help appreciated.


Thanks,
Fred


RE: CNAME or A record?

2011-09-28 Thread Lightner, Jeff
+1

All of our redirects are either done by rewrite rules in Apache or Jboss or on 
our load balancer.   We don’t do any in DNS.







From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of ??
Sent: Wednesday, September 28, 2011 10:43 AM
To: feralert
Cc: bind-us...@isc.org
Subject: Re: CNAME or A record?


This is the kind of thing that should be done by the web server rather than by 
DNS, i.e., Apache rewrite will do that.
On 2011-9-28 at 10:29 PM, feralert feral...@gmail.com wrote:
 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com A 1.1.1.1
 www.domain.com A 1.1.1.1

 OR

 domain.com A 1.1.1.1
 www.domain.com CNAME domain.com


 Any help appreciated.


 Thanks,
 Fred

RE: CNAME or A record?

2011-09-28 Thread Lightner, Jeff
Right – for simple domains I think having separate A records is best as I 
wrote.  Many more complex domains (do digs on www.google.com, www.yahoo.com 
and www.microsoft.com) use CNAME records but often enough it is because they 
aren’t actually using a www.example.com pointing directly to example.com but 
rather to other servers in their domains.







From: Ben Croswell [mailto:ben.crosw...@gmail.com]
Sent: Wednesday, September 28, 2011 10:48 AM
To: feralert
Cc: bind-us...@isc.org; bind-users@lists.isc.org; Lightner, Jeff
Subject: Re: CNAME or A record?


Either is fine. Using the cname would require a single update if your ip 
changes, but prevents other records at the same level. So you couldn't attach 
mx for instance at example.com and www.example.com if you wanted to.

Neither is wrong and both have pros and cons

-Ben Croswell
On Sep 28, 2011 10:43 AM, feralert feral...@gmail.com wrote:
 Thanks Jeff,

 But I really only wrote that as an example :) . The real question is
 what is best or what is recommended, two A RR (one for domain, one for
 www) or a single A RR for domain and a CNAME RR for www, is one way
 better than the other or can I choose either way?

 Cheers!,
 Fred.



 On Wed, Sep 28, 2011 at 4:30 PM, Lightner, Jeff jlight...@water.com wrote:
 If you set your SOA properly to use @ (which means this zone) your A 
 records should be:

 domain.com. A   1.1.1.1
 www A   1.1.1.1

 The SOA should append the domain.com to every record not terminated by a 
 dot so that www is read as www.domain.com.  Similarly you put a dot at the 
 end of domain.com A record to prevent it from being appended and read as 
 domain.com.domain.com.





 -Original Message-
 From: bind-users-bounces+jlightner=water@lists.isc.org 
 [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
 feralert
 Sent: Wednesday, September 28, 2011 10:20 AM
 To: bind-us...@isc.org
 Subject: CNAME or A record?

 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com       A      1.1.1.1
 www.domain.com   A      1.1.1.1

 OR

 domain.com       A      1.1.1.1
 www.domain.com   CNAME  domain.com


 Any help appreciated.


 Thanks,
 Fred

RE: Delegation check failed

2011-09-21 Thread Lightner, Jeff
I think it is safe to say the issue is the iis.se site is broken so far as 
delegation test goes.   Another user reported to me that he had several domains 
return the same thing at this site.

Thanks everyone for the replies.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Niall O'Reilly
Sent: Wednesday, September 21, 2011 5:26 AM
To: bind-users
Subject: Re: Delegation check failed


On 21 Sep 2011, at 02:08, Kevin Oberman wrote:

 dig confirms that .com had the glue for water.com.

As does dnscheck.iis.se.
Indeed, none of the test history (5 tests, today and yesterday)
archived for water.com at this site shows any delegation problem.
Only a warning is shown against the SOA:

Failed to connect to smtpbh1.water.com (12.44.84.193).

I guess that this means that an MX host is protected in some way.

Is there some other dnscheck that people are using, and which
is causing confusion?

ATB
Niall O'Reilly



RE: Delegation check failed

2011-09-21 Thread Lightner, Jeff
I was the one asking about water.com.  I'd started a separate thread hoping not 
to tromp on the OP of the earlier thread but apparently didn't succeed.

I know the reason for the SOA/MX report so never asked about that.

I did ask about the delegation messages but at this point as noted earlier I'm 
fairly convinced it is a bug in the way they do the test at iis.se rather than 
an actual issue.   (Believe me - I'd HEAR VERY QUICKLY if water.com became 
inaccessible from the internet.)   I was asking the question to see if there 
was a tweak I needed but based on responses I don't think so.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Kevin Oberman
Sent: Wednesday, September 21, 2011 12:30 PM
To: Niall O'Reilly
Cc: bind-users
Subject: Re: Delegation check failed

On Wed, Sep 21, 2011 at 2:25 AM, Niall O'Reilly niall.orei...@ucd.ie wrote:

 On 21 Sep 2011, at 02:08, Kevin Oberman wrote:

 dig confirms that .com had the glue for water.com.

As does dnscheck.iis.se.
Indeed, none of the test history (5 tests, today and yesterday)
archived for water.com at this site shows any delegation problem.
Only a warning is shown against the SOA:

Failed to connect to smtpbh1.water.com (12.44.84.193).

I guess that this means that an MX host is protected in some way.

Is there some other dnscheck that people are using, and which
is causing confusion?

Matt,

Are you running the Undelegated domain test or just the default
Domain test? Only the
Undelegated domain test is showing the error. It is still reporting it now.
Nameserver dswadns1.water.com is listed for zone water.com without
address information.

Nameserver dswadns2.water.com is listed for zone water.com without
address information.

The SOA issue is sort of real. The preferred MX for the SOA contact is
smtpbh1.water.com
and attempts to connect to port 25 on that system time out, as does an
attempt to smtpbh2.
But smtp.water.com is fine so I don't think this is an appropriate report, either.

Again, the gtld servers do have the required glue.
; <<>> DiG 9.8.1 <<>> ns +norecurse water.com. @f.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55373
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;water.com. IN  NS

;; AUTHORITY SECTION:
water.com.  172800  IN  NS  dswadns1.water.com.
water.com.  172800  IN  NS  dswadns2.water.com.

;; ADDITIONAL SECTION:
dswadns1.water.com. 172800  IN  A   12.44.84.213
dswadns2.water.com. 172800  IN  A   12.44.84.214

;; Query time: 39 msec
;; SERVER: 192.35.51.30#53(192.35.51.30)
;; WHEN: Wed Sep 21 09:28:37 2011
;; MSG SIZE  rcvd: 105

Still looks like a bug in dnscheck to me.
--
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@gmail.com
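
Added example (not part of the original thread and not dnscheck's code): a Python check for the glue question argued over above, i.e. whether every name server that lives inside the delegated zone has an address record in the ADDITIONAL section of the parent's referral. REFERRAL is copied from the dig output quoted in the message; the two variants and all function names are constructed for illustration.

```python
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rclass rtype rdata")

# Referral sections copied from the dig output quoted in the message above.
REFERRAL = """\
;; QUESTION SECTION:
;water.com. IN  NS

;; AUTHORITY SECTION:
water.com.  172800  IN  NS  dswadns1.water.com.
water.com.  172800  IN  NS  dswadns2.water.com.

;; ADDITIONAL SECTION:
dswadns1.water.com. 172800  IN  A   12.44.84.213
dswadns2.water.com. 172800  IN  A   12.44.84.214
"""

# Constructed variant: the same referral with the glue for dswadns2 removed.
PARTIAL = "\n".join(
    line for line in REFERRAL.splitlines()
    if not line.startswith("dswadns2.water.com.")
)

# Constructed variant: name servers outside the zone, which need no glue.
OUT_OF_ZONE = """\
;; AUTHORITY SECTION:
water.com.  172800  IN  NS  ns1.example.net.
water.com.  172800  IN  NS  ns2.example.net.
"""


def parse_sections(text):
    """Split dig output into {section name: [Record, ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:-len("SECTION:")].strip()
            sections[current] = []
        elif not line:
            current = None            # a blank line ends the section
        elif line.startswith(";"):
            continue                  # comments and the echoed question
        elif current is not None:
            fields = line.split(None, 4)
            if len(fields) == 5:
                sections[current].append(Record(*fields))
    return sections


def canonical(name):
    """Lower-case a domain name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_zone(name, zone):
    """True when name is the zone apex or sits below it."""
    name, zone = canonical(name), canonical(zone)
    return name == zone or name.endswith("." + zone)


def missing_glue(text, zone):
    """Return in-zone NS targets that have no A/AAAA record in ADDITIONAL."""
    sections = parse_sections(text)
    ns_records = sections.get("ANSWER", []) + sections.get("AUTHORITY", [])
    targets = {
        canonical(r.rdata) for r in ns_records
        if r.rtype == "NS" and canonical(r.owner) == canonical(zone)
    }
    glued = {
        canonical(r.owner) for r in sections.get("ADDITIONAL", [])
        if r.rtype in ("A", "AAAA")
    }
    return sorted(t for t in targets if in_zone(t, zone) and t not in glued)


if __name__ == "__main__":
    for label, text in (("referral", REFERRAL), ("partial", PARTIAL),
                        ("out-of-zone", OUT_OF_ZONE)):
        print(label, missing_glue(text, "water.com") or "glue complete")
```

Feed it the saved output of a +norecurse NS query sent to one of the parent zone's servers, as in the dig command quoted above.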


RE: One IP in multiple zones

2011-09-21 Thread Lightner, Jeff
One thing we do is create a single alias zone with generic information in it 
to have multiple zones all go to the same IP.

Typically the main zone we'll put in its own zone file and have named.conf 
associate that zone with that zone file.

For other zones we tell named.conf to point to the alias zone file:

Something like:
@       IN SOA  ns1.example.com. techuser.example.com.  (
                2011091902  ; serial
                10800       ; refresh
                3600        ; retry
                604800      ; expire
                86400 )     ; Minimum TTL
;
; Name Servers
;
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.
;
; Mail Servers
;
        IN MX   10  mail.example.com.  ; Primary MX BH
        IN MX   30  mail.example.com.  ; Primary MX BH
;
; Addresses
;
;
@       IN A    192.168.1.1
;
www     IN A    192.168.1.1
;

Any domain in named.conf pointing to this alias zone will be substituted 
automatically for the @ seen in this file whenever a lookup occurs.

So if named.conf sent examplestore.com to the alias file it would see that 
examplestore.com and www.examplestore.com are both at 192.168.1.1.

If named.conf also sent examplesite.com to the file then it would see that 
examplesite.com and www.examplesite.com are both at 192.168.1.1 as well.

As noted by someone else you should only have one PTR record (we keep that in a 
separate arpa zone) that points to your primary domain.

Note that in the above the NS (name server) and MX (mail) records point to your 
regular mail and name servers in a primary domain and are not relative to the 
alias domains like the www is.






-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Chuck Swiger
Sent: Wednesday, September 21, 2011 4:15 PM
To: Adamiec, Lawrence
Cc: bind-users@lists.isc.org
Subject: Re: One IP in multiple zones

On Sep 21, 2011, at 12:56 PM, Adamiec, Lawrence wrote:
 Is it possible to have one IP in multiple zone files for forward lookups?

Yes.

 What type of troubles would be encountered?

None.  This sort of thing is very commonly done, for example with 
shared/virtual webservers.

Regards
--
-Chuck

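
Added example (not part of the original thread and not BIND's loader): a simplified Python reader that applies the master-file naming rules discussed in this message and in the "CNAME or A record?" and "resolv record without domain" threads, namely that '@' is the zone origin, a trailing dot makes a name absolute, and any other name gets the origin appended. ALIAS_ZONE follows the alias file shown above; PITFALL and all function names are constructed, and $ORIGIN/$TTL directives are deliberately not handled.

```python
# Positions inside the rdata that hold a domain name, per record type.
NAME_RDATA = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}

# The shared alias zone file from the message above.
ALIAS_ZONE = """\
@       IN SOA  ns1.example.com. techuser.example.com.  (
                2011091902  ; serial
                10800       ; refresh
                3600        ; retry
                604800      ; expire
                86400 )     ; Minimum TTL
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.
        IN MX   10  mail.example.com.
@       IN A    192.168.1.1
www     IN A    192.168.1.1
"""

# Constructed: the first owner name lacks its trailing dot.
PITFALL = """\
domain.com      IN A      1.1.1.1
domain.com.     IN A      1.1.1.1
www             IN CNAME  domain.com.
"""


def qualify(name, origin):
    """Turn a master-file name into a fully qualified one."""
    origin = origin.rstrip(".") + "."
    if name == "@":
        return origin                 # '@' stands for the zone origin
    if name.endswith("."):
        return name                   # trailing dot: already absolute
    return f"{name}.{origin}"         # relative: origin is appended


def logical_lines(text):
    """Strip ';' comments and join a parenthesised record onto one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth == 0 and not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)
            buf = []


def load_zone(text, origin):
    """Return (owner, type, rdata) tuples with every name fully qualified."""
    records, owner = [], qualify("@", origin)
    for line in logical_lines(text):
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue                  # directives are out of scope here
        if not line[0].isspace():
            owner = qualify(fields.pop(0), origin)
        # A line that starts with whitespace inherits the previous owner.
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)             # skip optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        for i in NAME_RDATA.get(rtype, []):
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, rtype, " ".join(rdata)))
    return records


if __name__ == "__main__":
    for origin in ("examplestore.com", "examplesite.com"):
        for record in load_zone(ALIAS_ZONE, origin):
            print(*record)
    print(load_zone(PITFALL, "domain.com")[0])
```

Loading the same file under two origins shows why the www record follows each zone while the NS and MX targets, written with trailing dots, stay in example.com.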


Delegation check failed

2011-09-20 Thread Lightner, Jeff
Can someone give me a better explanation of why this is saying my delegation 
failed than the FAQ does?

In a separate thread I saw this recommendation to another user:

I think the checking tool at
  http://dnscheck.iis.se/?test=undelegated
  may be what you need.

  You may find it useful to read the explanation at
  http://dnscheck.iis.se/?faq=1test=undelegated#f16
  before running a test.

  Another good checking tool may be found at www.zonecheck.fr,
  but it's less obvious (to me) how to use it for your immediate
  purpose.

On going there and testing water.com domain I see:
Delegation

· Nameserver dswadns1.water.com is listed for zone water.com without 
address information.

· Nameserver dswadns2.water.com is listed for zone water.com without 
address information.
However, it clearly found the IPs of these name servers.   The IPs were 
entered at the registrar some years ago and lookups of our domains work fine.   
Additionally whois shows the correct IPs for the above name servers being 
returned by the Registrar.   My zone file has A records with the correct IPs as 
shown below:

        IN NS   dswadns1.water.com.
        IN NS   dswadns2.water.com.
dswadns1        IN A    12.44.84.213
dswadns2        IN A    12.44.84.214

So I’m curious what exactly the above delegation messages are trying to tell 
me.   The description in the FAQ doesn’t really seem illuminating to me.






__
Jeffrey C. Lightner
Sr. UNIX Administrator

DS Waters of America, Inc.
5660 New Northside Drive NW
Suite 250
Atlanta, GA  30328

P: 678-486-3516
C: 678-772-0018
F: 770-937-7360
E: jlight...@water.com








RE: Delegation check failed

2011-09-20 Thread Lightner, Jeff
I didn't specify the IPs but it found them - that is to say when I input my 
first DNS server it automatically populated the IP address field.  This was on 
the iis.se site as I noted in my original post.

My read of glue records is that they are A records within a zone file for DNS 
servers that are part of the same domain as the zone being described.

Based on that my glue records in water.com zone file for domain water.com in 
zone file water.com do exist as shown in my original post:
dswadns1        IN A    12.44.84.213
dswadns2        IN A    12.44.84.214

Also it seems Glue records are only necessary for subdomains and I'm not using 
a subdomain here - I'm not trying to delegate to any subdomain.

So both my Registrar and I have things associating dswadns1.water.com with IP 
12.44.84.213 and dswadns2.water.com with 12.44.84.214.   I'm still mystified as 
to what the delegation message is trying to tell me.





-Original Message-
From: Matthew Seaman [mailto:m.sea...@infracaninophile.co.uk]
Sent: Tuesday, September 20, 2011 11:52 AM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: Delegation check failed

On 20/09/2011 14:25, Lightner, Jeff wrote:
 On going there and testing water.com domain I see:
 Delegation

 * Nameserver dswadns1.water.com is listed for zone water.com without 
 address information.

 * Nameserver dswadns2.water.com is listed for zone water.com without 
 address information.
 However, it clearly found the IPs of these name servers.   The IPs were 
 entered at the registrar some years ago and lookups of our domains work fine.   
 Additionally whois shows the correct IPs for the above name servers being 
 returned by the Registrar.   My zone file has A records with the correct IPs 
 as shown below:

         IN NS   dswadns1.water.com.
         IN NS   dswadns2.water.com.
 dswadns1        IN A    12.44.84.213
 dswadns2        IN A    12.44.84.214

 So I'm curious what exactly the above delegation messages are trying to tell 
 me.   The description in the FAQ doesn't really seem illuminating to me.


This is the www.zonecheck.fr checking tool?  Like it says quite clearly
in the instructions, where the nameservers are part of the domain being
checked then you need to give IP numbers too.  If you do that, then the
water.com domain passes the test albeit with a few warnings about
everything being on the same network segment / same AS number.

Yes, if you're checking a live domain correctly registered and with the
right glue records in place, then zonecheck can find your nameservers
without external prompting.  If you're trying to check an unregistered
domain, then zonecheck will definitely need those IP numbers.  That's
really all those messages are trying to tell you.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW






RE: syntax error in $GENERATE crashed all nameservers

2011-08-18 Thread Lightner, Jeff
No but you're missing the point.   I don't think the OP was and I certainly 
wasn't suggesting it should have done what he meant to do.   However, I DO 
think it should have errored out because it was invalid input.   (That is to 
say unless you think negative numbers should be considered valid input for this 
command? Please don't respond that negative numbers are integers and therefore 
valid - that would be pure sophistry.)

-Original Message-
From: Warren Kumari [mailto:war...@kumari.net] 
Sent: Thursday, August 18, 2011 1:26 PM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: syntax error in $GENERATE crashed all nameservers


On Aug 18, 2011, at 10:28 AM, Lightner, Jeff wrote:

 It was certainly a typo and a user error in that regard.
 
 However, he was suggesting it was a bug because it should have rejected input 
 of negative numbers and I'll have to say I agree with that viewpoint.   If I 
 typed las instead of ls on a command line and found out that las meant 
 lose all systems I'd certainly feel whoever had created such a program 
 should have put some safeguards in to keep it from doing something so 
 ridiculous.

Ever work with Warren Teitelman?

http://www.hacker-dictionary.com/terms/DWIM

W

 
 
 
 
 
 -Original Message-
 From: bind-users-bounces+jlightner=water@lists.isc.org 
 [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
 /dev/rob0
 Sent: Wednesday, August 17, 2011 8:59 PM
 To: bind-users@lists.isc.org
 Subject: Re: syntax error in $GENERATE crashed all nameservers
 
 On Wed, Aug 17, 2011 at 04:45:38PM -0400, bl ton wrote:
 We had a syntax error in our inverse zone file using GENERATE and
 an extra dash was added to the scope so '199--222' instead of
 '199-222':
 
 $GENERATE 199--222 $ PTR 10-100-60-$.dhcp-bl.indiana.edu.
 
 Ouch! Sorry to hear this!
 
 I would assume named will check the syntax error and refuse to load
 this zone just like it normally does, but instead it tries to
 generate millions of erroneous entries because it scanned '-222' to
 the stop which created a huge number for the named to loop through
 and the CPU at 100% and locked up 15 of our nameservers, some of
 those need power recycle to respond to console.
 
 This is the first bug of that type we have seen, it's my 12th year
 of running BIND for large site, another team member has nearly 20
 years experience with BIND and we're surprised named doesn't catch
 the syntax error.
 
 Should a syntax error in inverse zone file cause named to lock
 up the machine?
 
 You're calling this a bug and a syntax error. I disagree. I'd call
 this a typo and a user error.
 
 But there is checking in forward file and same syntax error was
 caught:
 
 Aug 16 19:09:19 named named[4169]: 16-Aug-2011 19:09:19.609
 general: error: dns_rdata_fromtext: buffer-0x42200470 : near
 '10.100.60.256': bad dotted quad
 Aug 16 20:00:02 named named[4169]: 16-Aug-2011 22:00:02.649
 general: error: $GENERATE: Domain/test.example.edu:1496: bad
 dotted quad
 Aug 16 20:00:02 named named[4169]: 16-Aug-2011 22:00:02.649
 general: error: zone test.example.edu/IN: loading from master
 file Domain/test.example.edu failed: bad dotted quad
 
 It's not the same error. You can create PTR names and values of
 anything you want. But the value for an A record is limited to the
 set of valid IPv4 addresses. Note that your A $GENERATE was quite
 happy until it reached 256.
 
 4294967295.60.100.10.in-addr.arpa.  IN  PTR 
 10-100-60-4294967295.dhcp-bl.indiana.edu.
 -222.60.100.10.in-addr.arpa.IN  PTR 
 10-100-60--222.dhcp-bl.indiana.edu.
 
 Those are both valid, as was the entire $GENERATE range.
 
 10-100-60-255.dhcp-bl.indiana.edu.  IN  A   10.100.60.255
 10-100-60-256.dhcp-bl.indiana.edu.  IN  A   10.100.60.256
 
 First one is valid, second one is not.
 
 That said, I wouldn't have thought that a $GENERATE range could go
 over the top like that, so to speak. I could see calling that a
 possible bug.
 --
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
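
An added example, not part of the original thread and not BIND code: a pre-load lint that rejects malformed or oversized $GENERATE ranges such as the '199--222' typo discussed above. The function names, the 65536-record cap and every sample line except the two taken from the thread are assumptions made for illustration.

```python
import re

# Strict $GENERATE range: start-stop or start-stop/step, unsigned decimal only.
# A second dash, a sign or any other character makes the token invalid.
RANGE_RE = re.compile(r"^([0-9]+)-([0-9]+)(?:/([0-9]+))?$")

# Assumed site policy: refuse directives that would expand to more records
# than this. It is not a BIND limit; choose a value that fits your zones.
MAX_RECORDS = 65536

# Constructed sample zone fragment. Lines 2 and 3 are the typo and the
# intended directive from the thread; the remaining lines are made up.
SAMPLE_ZONE = """\
$TTL 3600
$GENERATE 199--222 $ PTR 10-100-60-$.dhcp-bl.indiana.edu.
$GENERATE 199-222 $ PTR 10-100-60-$.dhcp-bl.indiana.edu.
$GENERATE 0-4294967295 $ PTR host-$.example.edu.
$GENERATE 10-2 $ PTR host-$.example.edu.
$GENERATE 1-255/0 $ PTR host-$.example.edu.
; $GENERATE 5--9 $ PTR commented-out.example.edu.
"""


def check_range(token, max_records=MAX_RECORDS):
    """Validate one range token.

    Returns (count, None) when the range is acceptable, where count is the
    number of records it expands to, or (None, reason) when it is not.
    """
    match = RANGE_RE.match(token)
    if match is None:
        return None, "range %r is not start-stop[/step] in unsigned digits" % token
    start = int(match.group(1))
    stop = int(match.group(2))
    step = int(match.group(3)) if match.group(3) is not None else 1
    if step < 1:
        return None, "step must be at least 1"
    if start > stop:
        return None, "start %d is larger than stop %d" % (start, stop)
    count = (stop - start) // step + 1
    if count > max_records:
        return None, "range expands to %d records (cap is %d)" % (count, max_records)
    return count, None


def lint_zone(text, max_records=MAX_RECORDS):
    """Return [(line_number, reason), ...] for every rejected $GENERATE line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Only the first two fields matter here, so cutting at ';' is enough
        # to skip comment lines and trailing comments.
        fields = line.split(";", 1)[0].split()
        if not fields or fields[0].upper() != "$GENERATE":
            continue
        if len(fields) < 2:
            findings.append((lineno, "$GENERATE without a range"))
            continue
        _count, reason = check_range(fields[1], max_records)
        if reason is not None:
            findings.append((lineno, reason))
    return findings


if __name__ == "__main__":
    for lineno, reason in lint_zone(SAMPLE_ZONE):
        print("line %d: %s" % (lineno, reason))
```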

RE: no servers could be reached

2011-07-28 Thread Lightner, Jeff
Also has a wrong name:  Should be resolv.conf NOT resolve.conf.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Michael McNally
Sent: Thursday, July 28, 2011 3:47 PM
To: bind-users@lists.isc.org
Subject: Re: no servers could be reached

On 7/28/11 12:16 AM, uifid...@gmail.com wrote:
 my /etc/resolve.conf

Note: ^^^

 named-checkzone named-checkconf passed, I suppose the configure works
 but only get no servers could be reached. What's wrong with my config?

Your resolv.conf is in the wrong place.  Let's see what happens when
that occurs:

With resolv.conf in place:

 Chickamin-River:~ $ dig www.isc.org

 ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5913
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;www.isc.org. IN  A

 ;; ANSWER SECTION:
 www.isc.org.  263 IN  A   149.20.64.42

 ;; Query time: 49 msec
 ;; SERVER: 8.8.8.8#53(8.8.8.8)
 ;; WHEN: Thu Jul 28 11:42:34 2011
 ;; MSG SIZE  rcvd: 45


With resolv.conf in the wrong place:


 Chickamin-River:~ $ mv /etc/resolv.conf /etc/resolv.conf.moved
 Chickamin-River:~ $ dig www.isc.org

 ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
 ;; global options: +cmd
 ;; connection timed out; no servers could be reached


RE: about the dig

2011-07-19 Thread Lightner, Jeff
Or as previously pointed out it WILL work if you specify a name server at 
invocation.

That is to say you MUST either do dig @server... OR have a resolve.conf 
that specifies servers to attempt if not specified at invocation.   (And before 
anyone else says it - You can of course still specify a server at invocation to 
bypass the ones in /etc/resolv.conf.)





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
eugene tsuno
Sent: Tuesday, July 19, 2011 10:53 AM
To: bind-users@lists.isc.org
Subject: Re: about the dig

Feng:

I think G.W is pointing out that in the absence of resolv.conf, dig uses
the localhost to connect to the bind server.  Just tcpdump the loopback
interface, and you will see it.

So the reason resolution works is because you are running bind on that
server.  It would not work on any client which isn't running bind.

We generally put the entry in so we know where our DNS requests are
going, the loopback or a real interface.  It doesn't have to be that way,
you don't have to use the bind server on the box itself.


On 7/19/11 3:54 AM, Feng He wrote:
 On Tue, Jul 19, 2011 at 2:47 PM, G.W. Haywood b...@jubileegroup.co.uk wrote:

 man resolv.conf

  If  this file doesn't exist the only name server to be queried will be on 
 the local machine; the domain name is determined from the
   hostname and the domain search path is constructed from the domain 
 name.

 Nothing around the resolv.conf, I was talking about dig.
 Thanks.


--
eugene tsuno
NOAA Boulder/NOC
325 broadway, boulder,co 80305
303-497-6392



RE: RFC 6303 and automatic empty zones

2011-07-14 Thread Lightner, Jeff
Expecting the future - Planning your life around it is something sales folks 
like to do and most of the rest of us call vaporware - it's always going to be 
available the 2nd quarter of next year.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Evan 
Hunt
Sent: Thursday, July 14, 2011 11:16 AM
To: Chris Thompson
Cc: bind-users@lists.isc.org
Subject: Re: RFC 6303 and automatic empty zones

 Now that RFC 6303 http://www.rfc-editor.org/rfc/rfc6303.txt has been
 published, and includes the fourteen RFC 1918 reverse zones (section 4.1),
 can we expect future versions of BIND to have them as automatic empty
 zones - i.e. the #ifdef notyet in bin/named/server.c to disappear?

Yes.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


RE: better performance with 32 bit ! why?

2011-06-29 Thread Lightner, Jeff
I'm not sure I agree with that - multiple single threaded processes can
be distributed across cores/CPUs.   That is to say ONE single thread
process doesn't gain from multiple cores but more than one can because
they don't have to compete against each other on the same core.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Ryan Novosielski
Sent: Wednesday, June 29, 2011 9:59 AM
To: iharrathi@orange-ftgroup.com
Cc: bind-users@lists.isc.org
Subject: Re: better performance with 32 bit ! why?


Not necessarily. They are not apples to apples. Multi-core machines only
excel at multi-threaded computational loads. I don't know how BIND does
or does not qualify. I suspect, however, there may be some other
differences between the two chips anyhow (cache size differences, etc.).

On 06/29/2011 09:33 AM, iharrathi@orange-ftgroup.com wrote:
 on server1(64 bit) i have 2 Intel E5310 *quad*-core 1.6Ghz and on
 server2(32 bit) i have 2 Intel Xeon *dual*-core 2.33Ghz.
 means 8*1.6 Ghz on server1 and 4*2.33 on server2.
  
 8*1.6 is better and faster than 4*2.33, no?
 // 
 /Regards /
 /Issam Harrathi./
  
  
 
/ The 64 bit server(server1) is faster than the 32 bit server
(server2).
 /
 Really? I thought you said the 64 bit server had a CPU with 1.6GHz
cores,
 and the 32 bit server had 2.33GHz cores?
 
 Regards
 Eivind Olsen
 





- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark


RE: bind restart needed to reflect changes to dynamic zone in multipleviews

2011-06-24 Thread Lightner, Jeff
I wonder if pointing to different file names with one being a symbolic
link to the other would work? That way you'd only have to create and
update the one file but the transfer would transfer two separate files.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Brian J. Murrell
Sent: Friday, June 24, 2011 10:21 AM
To: bind-us...@isc.org
Subject: Re: bind restart needed to reflect changes to dynamic zone in
multipleviews

On 11-06-24 09:57 AM, Lyle Giese wrote:
 
 It's expected behavior in a way.

Given your explanation, indeed.  :-)

 You are probably making this change in
 the internal view and the internal named process knows about the
change
 and reloads the zone.
 
 The external view's process is unaware of the change and does not
reload.

A.  I guess I had not considered how BIND handles views and that
it's done with a separate process per view.  But I only have one named
process, so I suppose it's threading for each view.

 1) You could send a periodic rndc reload to the external view process.

Except that I only have the one process.  Any thoughts on how to do this
in such a case?

 2) Since this appears to be an rbl zone, use rbldnsd instead of named
to
 serve this zone.

Yeah, I suppose I could.  It would solve this specific use case, but I
don't know that this RBL zone is the extent of this problem.  I'd have
to examine further where there are zones shared by multiple views.  I'm
guessing though that rbldnsd doesn't support remote update, yes?  That
would be limiting for my purposes here.

Cheers,
b.
 


RE: DNS attacking

2011-05-25 Thread Lightner, Jeff
You can blacklist things in named.conf but we've found it more efficient to 
simply have iptables drop packets from the offending IPs so they never even get 
to BIND.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Jeff 
Pang
Sent: Wednesday, May 25, 2011 6:54 AM
To: Niall O'Reilly
Cc: bind-users
Subject: Re: DNS attacking

2011/5/25 Niall O'Reilly niall.orei...@ucd.ie:



Which of your DNS systems: resolvers or authoritative?

Where is the source of the attack: within your (or your
customers') networks, or out on the Internet?


Thanks. My nameservers are authoritative server only.

-- 
Jeff Pang
www.DNSbed.com


RE: Getting different name resolution for news.google.com from masterand slave BIND

2011-05-25 Thread Lightner, Jeff
Yes.   I verified this with our chief network engineer this morning.

Yesterday on doing dig @ns1.google.com (or @ns2 or @ns3 or @ns4) my
results for the master were always the same IPs indicated in my initial
post for the master whereas those from my slave were always the ones
indicated in that same post for the slave.   I should have mentioned
that.

As noted in a reply to another email this morning it appears both
servers now get the same list of IPs (which is the list that only the
slave was getting yesterday).   Since we made no change I suspect this
had more to do with how Google's NS servers were handling things than
how we were querying.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Eivind Olsen
Sent: Tuesday, May 24, 2011 7:26 PM
To: bind-users@lists.isc.org
Subject: RE: Getting different name resolution for news.google.com from
masterand slave BIND

Lightner, Jeff wrote:

 The master is dswadns1.water.com at 12.44.84.213 and the slave is
 dswadns2.water.com at 12.44.84.214.

So, they leave your network in the same way, through the same router
etc?
Are they configured to use any forwarders? Stub-zones? Etc? Or do they
both talk directly out to the Internet?

Or, how about.. what do you get if you query the same Google nameserver
from both your hosts? Do you get the same results if you for example
query
ns1.google.com from with dig on both your nameservers, or do you then
also
get different answers? How about if you check from a single of your
nameservers, doing manual queries to all 4 Google nameservers (ns1 - 4)?
Same result from all 4, or different results?

Regards
Eivind Olsen




Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Lightner, Jeff
Is anyone else seeing odd results with news.google.com?   My BIND 9
master and slave are getting different results.   If I go out to other
sites such as Kloth.net or iptools.com they also get different results
from each other and different from what my master and slave are
reporting.

 

I'm running BIND 9.3 (The RedHat version that has backported patches and
enhancements from later BIND versions in it so please don't tell me to
use a newer version.)

 

On doing some research I found that Google has made a couple of changes
in the past week or so affecting their news stuff.   The one that seems
like it might explain why Kloth.net, iptools.com and my server get
different answers is the May 13th introduction of news near you
discussed in this article:

http://www.pcmag.com/article2/0,2817,2385369,00.asp

 

That is aimed at mobile devices but I could see how they might also try
to make it work with static sites.   However it wouldn't explain why
both my servers coming from the same location would get different
results.   I'm thinking maybe there is something else obvious I'm
missing.

 

I am not caching on these servers and have bounced named on both but it
didn't help.

 

Does anyone have any ideas?   Other than the fact that they're master
and slave with different IPs and setup to talk to each other the
named.conf on both hosts is the same.   They both have the same OS and
same hardware.   Also we have some Windows DNS servers in house and they
seem to be giving the same results as my slave so the master appears to
be the odd man out.

  

When I run dig news.google.com from my BIND 9 master I'm getting:

; <<>> DiG 9.3.4-P1 <<>> news.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46508
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;news.google.com.               IN      A

;; ANSWER SECTION:
news.google.com.        603615  IN      CNAME   news.l.google.com.
news.l.google.com.      300     IN      A       72.14.209.99
news.l.google.com.      300     IN      A       72.14.209.104

;; AUTHORITY SECTION:
google.com.             170523  IN      NS      ns1.google.com.
google.com.             170523  IN      NS      ns2.google.com.
google.com.             170523  IN      NS      ns3.google.com.
google.com.             170523  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns3.google.com.         344424  IN      A       216.239.36.10
ns4.google.com.         343339  IN      A       216.239.38.10

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 24 14:17:14 2011
;; MSG SIZE  rcvd: 190

 

Yet on my slave I get:

; <<>> DiG 9.3.4-P1 <<>> news.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30872
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;news.google.com.               IN      A

;; ANSWER SECTION:
news.google.com.        603986  IN      CNAME   news.l.google.com.
news.l.google.com.      300     IN      A       74.125.65.99
news.l.google.com.      300     IN      A       74.125.65.103
news.l.google.com.      300     IN      A       74.125.65.104
news.l.google.com.      300     IN      A       74.125.65.105
news.l.google.com.      300     IN      A       74.125.65.106
news.l.google.com.      300     IN      A       74.125.65.147

;; AUTHORITY SECTION:
google.com.             171986  IN      NS      ns4.google.com.
google.com.             171986  IN      NS      ns1.google.com.
google.com.             171986  IN      NS      ns2.google.com.
google.com.             171986  IN      NS      ns3.google.com.

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 24 14:18:03 2011
;; MSG SIZE  rcvd: 222
 

RE: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Lightner, Jeff
They aren't in different subnets from an internet perspective and are
not geographically separated.   (Yes I know not best practice but I
don't make those decisions.)   

The master is dswadns1.water.com at 12.44.84.213 and the slave is
dswadns2.water.com at 12.44.84.214.

The fact they are not in different locations or in a separate subnet is
why I don't understand why I'd be getting separate location specific
IPs handed to the two servers.

-Original Message-
From: Warren Kumari [mailto:war...@kumari.net] 
Sent: Tuesday, May 24, 2011 4:06 PM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: Getting different name resolution for news.google.com from
master and slave BIND


On May 24, 2011, at 2:28 PM, Lightner, Jeff wrote:

 Is anyone else seeing odd results with news.google.com?   My BIND 9
master and slave are getting different results.  


Presumably your slave and master are in different subnets?

Google (and many other large networks) perform geolocation and hand out
A records that are close to your resolver. Presumably we believe that
72.14.209.99 is (network wise) close to your master and 74.125.65.99 is
close to your slave.

If you provide IPs and actual locations for your slaves and master I can
check

W


 If I go out to other sites such as Kloth.net or iptools.com they also
get different results from each other and different from what my master
and slave are reporting.
  
 I'm running BIND 9.3 (The RedHat version that has backported patches
and enhancements from later BIND versions in it so please don't tell me
to use a newer version.)
  
 On doing some research I found that Google has made a couple of
changes in the past week or so affecting their news stuff.   The one
that seems like it might explain why Kloth.net, iptools.com and my
server get different answers is the May 13th introduction of news near
you discussed in this article:
 http://www.pcmag.com/article2/0,2817,2385369,00.asp
  
 That is aimed at mobile devices but I could see how they might also
try to make it work with static sites.   However it wouldn't explain why
both my servers coming from the same location would get different
results.   I'm thinking maybe there is something else obvious I'm
missing.
  
 I am not caching on these servers and have bounced named on both but
it didn't help.   
  
 Does anyone have any ideas?   Other than the fact that they're master
and slave with different IPs and setup to talk to each other the
named.conf on both hosts is the same.   They both have the same OS and
same hardware.   Also we have some Windows DNS servers in house and they
seem to be giving the same results as my slave so the master appears to
be the odd man out.
  
 When I run dig news.google.com from my BIND 9 master I'm getting:
 ; <<>> DiG 9.3.4-P1 <<>> news.google.com
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46508
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2
  
 ;; QUESTION SECTION:
 ;news.google.com.   IN  A
  
 ;; ANSWER SECTION:
 news.google.com.  603615  IN  CNAME   news.l.google.com.
 news.l.google.com.  300 IN  A   72.14.209.99
 news.l.google.com.  300 IN  A   72.14.209.104
  
 ;; AUTHORITY SECTION:
 google.com. 170523  IN  NS  ns1.google.com.
 google.com. 170523  IN  NS  ns2.google.com.
 google.com. 170523  IN  NS  ns3.google.com.
 google.com. 170523  IN  NS  ns4.google.com.
  
 ;; ADDITIONAL SECTION:
 ns3.google.com. 344424  IN  A   216.239.36.10
 ns4.google.com. 343339  IN  A   216.239.38.10
  
 ;; Query time: 6 msec
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ;; WHEN: Tue May 24 14:17:14 2011
 ;; MSG SIZE  rcvd: 190
  
 Yet on my slave I get:
 ; <<>> DiG 9.3.4-P1 <<>> news.google.com
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30872
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 0
  
 ;; QUESTION SECTION:
 ;news.google.com.   IN  A
  
 ;; ANSWER SECTION:
 news.google.com.  603986  IN  CNAME   news.l.google.com.
 news.l.google.com.  300 IN  A   74.125.65.99
 news.l.google.com.  300 IN  A   74.125.65.103
 news.l.google.com.  300 IN  A   74.125.65.104
 news.l.google.com.  300 IN  A   74.125.65.105
 news.l.google.com.  300 IN  A   74.125.65.106
 news.l.google.com.  300 IN  A   74.125.65.147
  
 ;; AUTHORITY SECTION:
 google.com. 171986  IN  NS  ns4.google.com.
 google.com. 171986  IN  NS  ns1.google.com.
 google.com. 171986  IN  NS  ns2.google.com.
 google.com. 171986  IN  NS  ns3.google.com.
  
 ;; Query time: 5 msec
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ;; WHEN: Tue May 24 14:18:03 2011
 ;; MSG SIZE  rcvd

RE: Migrate domains to different DNS servers

2011-04-20 Thread Lightner, Jeff
By re-delegate do you mean at the Registrars and ISPs?

If so and if you have more than one DNS server for redundancy (as you should) 
then you can replace one server at a time using the same name/IP on the new 
server as on the old server.   When we did this a few years back we simply 
moved the network cables from old server to new server (after configuring the 
new server of course).   Of course you'd want to disable any 
notification/transfer from old BIND8 to new BIND9 prior to doing that.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Torinthiel
Sent: Wednesday, April 20, 2011 5:59 AM
To: bind-users@lists.isc.org
Subject: Re: Migrate domains to different DNS servers


On 2011-04-20 17:25 listus...@gmail.com wrote:

Hello all,

We have a couple of BIND 8 DNS servers that we want to decommission,
obviously we need to migrate the domains to other DNS servers first, which
ordinarily involves zone transfer and domain re-delegation. However, we do
not have control over a lot of the domains (think hundreds) on the BIND 8
servers, meaning we cannot re-delegate.

In what sense you don't have control?
I assume you don't have administrative access to the BIND8 boxes.
Do you have AXFR access to BIND8 boxes and/or do you have the zone files?
Do you have access to registrar, where you have registered your domains?
Also, important factor is whether the DNS for those domains are in-zone or 
out-zone
i.e. assume you have example.com. Are NS servers ns1.example.com (in-zone) 
or ns1.otherdomain.com (out-zone)

One important problem is data. If you don't have access to zones' contents 
(either via AXFR or having zone files) then how would you know what your new 
nameservers should respond?

Assuming you have data, here are your options for delegation

If you have access to registrar, you can freely change the servers domain is 
delegated to, so you can simply change that delegation. i.e. domain was 
delegated to ns1.domain.com, now is to ns3.domain.com or ns1.newdomain.com
In case of out-zone nameservers that's only a name change. In case of 
in-zone nameservers, it's either name and IP address change, or only IP 
address change.

If you don't have registrar access, you have out-zone nameservers and you 
control (can change RR in) the zone that nameservers are, you can change the 
A/ records for NS, which will be a variation of your idea.
If you don't have registrar access and either you have in-zone nameservers, 
or can't control A/ records of out-zone nameservers, then AFAIK you're 
out of luck.

A desperate measure (if you want to call it) is to transfer the zones to 
the
new DNS infrastructure then change the A record of the old DNS to use the 
IP
address of the new DNS. Effectively the old DNS becomes an alias of the new
DNS.

Possible problem: glue records. With internal NS and no access to registrar 
you have no way to update glue records, so domain will still be delegated to 
old servers.
Regards,
 Torinthiel
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
 
Proud partner. Susan G. Komen for the Cure.
 
Please consider our environment before printing this e-mail or attachments.
--
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
--


RE: children whose zones do not reflect the delegation from the parent

2011-03-30 Thread Lightner, Jeff
I'm wondering if the issue isn't because you've not told your ISP what
your name servers are.   You have to do that for reverse delegations to
get to your servers.   (This is in addition to telling your Registrar.)

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Phil Mayers
Sent: Wednesday, March 30, 2011 5:34 AM
To: bind-users@lists.isc.org
Subject: Re: children whose zones do not reflect the delegation from the
parent

On 03/30/2011 04:45 AM, ben thielsen wrote:

 both fail to do so.  so - it would seem to me that at least somehow,
 in some sense, the delegation is broken.  however, if queried further

It does seem a bit broken - there's no SOA for 33.50.in-addr.arpa i.e. 
no zone there.

 for a /24 within that /16, both servers now work properly, and
 further delegate to other servers [and themselves]:

So probably they've got a zone for many of the child blocks e.g.

x.33.50.in-addr.arpa.

...but not the parent one, which is lazy.


 which leaves me sort of scratching my head.  on the one hand, pretty
 much everything i've learned about dns says that it shouldn't work,
 but yet it seems to.  added to that, the way delegation has been done

The reason it works is that, at each point down in the delegation, 
nameservers are asking for the full name i.e.

1.151.33.50.in-addr.arpa/PTR

...and of course, the broken nameservers do have this, so it works even 
though 33.50.in-addr.arpa doesn't exist. But you're right, the 
delegation does look wrong (to me at least). The absence of a proper 
delegation means that a lookup for a non-existent IP returns with 
SERVFAIL rather than NXDOMAIN e.g.

dig -x 50.33.44.255  - SERVFAIL because they don't have the zone for 
44 and don't have the parent zone either

versus

dig -x 50.33.151.255 - NXDOMAIN
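
The behaviour described in this message, modelled as an added example that is not part of the original thread: a server hosts a /24 reverse zone but not the enclosing 33.50.in-addr.arpa zone, and the second data set shows the effect of adding that parent zone. The zone contents, the PTR target, and the assumption that the server answers REFUSED for names outside every zone it hosts (which a resolver then reports to the client as SERVFAIL) are constructed for illustration.

```python
"""Model of the reverse-DNS setup discussed in the thread (constructed data)."""
import ipaddress


def reverse_name(ip):
    """50.33.151.1 -> 1.151.33.50.in-addr.arpa. (the name `dig -x` queries)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def closest_zone(zones, qname):
    """Longest-suffix match: the hosted zone that encloses qname, or None."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def authoritative_answer(zones, qname, qtype):
    """Answer as the authoritative server would, from its own zones only."""
    zone = closest_zone(zones, qname)
    if zone is None:
        # Assumption: no enclosing zone is hosted, so the server is lame
        # for this name and refuses the query.
        return "REFUSED", None
    rrsets = zones[zone].get(qname)
    if rrsets is None:
        # The zone exists, so the server can state that the name does not.
        return "NXDOMAIN", None
    # Name exists; data is None when the type is absent (NODATA).
    return "NOERROR", rrsets.get(qtype)


def resolver_rcode(zones, qname, qtype="PTR"):
    """What a recursive resolver returns to the client after following the
    delegation of 33.50.in-addr.arpa to this server."""
    rcode, data = authoritative_answer(zones, qname, qtype)
    if rcode == "REFUSED":
        # Every delegated server is lame for the name: resolution fails.
        return "SERVFAIL", None
    return rcode, data


# Constructed: only a child /24 zone is hosted, the parent /16 zone is missing.
BROKEN = {
    "151.33.50.in-addr.arpa.": {
        "151.33.50.in-addr.arpa.": {"SOA": "constructed-soa", "NS": "ns1.example.net."},
        "1.151.33.50.in-addr.arpa.": {"PTR": "host1.example.net."},
    },
}

# Constructed: same server with the parent zone added and the child delegated.
FIXED = dict(BROKEN)
FIXED["33.50.in-addr.arpa."] = {
    "33.50.in-addr.arpa.": {"SOA": "constructed-soa", "NS": "ns1.example.net."},
    "151.33.50.in-addr.arpa.": {"NS": "ns1.example.net."},
}


def report(zones):
    """Run the thread's queries and return {query: rcode}."""
    results = {}
    for ip in ("50.33.151.1", "50.33.151.255", "50.33.44.255"):
        results["PTR " + ip] = resolver_rcode(zones, reverse_name(ip))[0]
    results["SOA 33.50.in-addr.arpa."] = resolver_rcode(
        zones, "33.50.in-addr.arpa.", "SOA")[0]
    return results


if __name__ == "__main__":
    for label, zones in (("parent zone missing", BROKEN), ("parent zone present", FIXED)):
        print(label)
        for query, rcode in report(zones).items():
            print("  %-28s %s" % (query, rcode))
```
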


RE: dns RR method is not equal balanced?

2011-03-29 Thread Lightner, Jeff
Not to mention that RedHat just announced pending EOL of RHEL4 last
week.   RHEL5 has been out since around 2007 and RHEL6 was released
around the start of this year.

 



From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Ben Croswell
Sent: Tuesday, March 29, 2011 8:56 AM
To: Kay
Cc: bind-users@lists.isc.org
Subject: Re: dns RR method is not equal balanced?

 


First and foremost you shouldn't be running any version of BIND 8. That
is way out of date and open to a lot of exploits. 

That being said if by some
-Ben Croswell

On Mar 29, 2011 4:55 AM, Kay ch...@daumcorp.com wrote:
 Dear my friends.
 
 I use bind 8.4.7-REL on RHEL 4.4 OS and have thousands of domains.
 
 In my case ;
 some domain has 12 IPs but traffic of the server is not equal.
 The traffic of 11 IPs is same and just 1 IP is higher than others.
 
 Today, I moved the dns that is not equal to GSLB(F5) and set 
 address-return 2(Maximum Addresses Returned).
 And then, it's disappeared, equal traffic incoming completely.
 
 Is there some kind of bugs in bind that I use?
 or any idea?
 
 Thanks.

RE: RHEL5 BIND in PROD

2011-03-15 Thread Lightner, Jeff
If these are new servers that are only for BIND I'd suggest going with
RHEL6 rather than 5.6 - RHEL releases have a very long life cycle.   When
I get a spare moment I intend to update our servers to RHEL6.

We use the RHEL5 BIND package for the reasons you give.  However, the
way RedHat does things is they go with a base release from upstream
(e.g. 9.3 is default for RHEL5.x) then backport security and bug fixes
from later base releases into that.   This causes confusion because
people will post here that they're using 9.3 which makes it look like
they aren't paying attention to later updates and all.  If you like the
latest greatest you could build your own but as I once said to the folks
at RedHat:  If I have a dedicated server that only runs BIND and I have
to build my own why should I pay for a subscription based Linux?

As you note they now have (as a bug request) a later version of the
base release available in RHEL 5.x but that isn't the one you'll get
updates for with yum.   I've suggested to RedHat that they do as they
did with Java where they made different base releases (e.g. Java 1.4.2,
Java 1.6.0) and provide updates for whichever (or both) you choose to
use.   

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Mike Diggins
Sent: Tuesday, March 15, 2011 9:45 AM
To: bind-us...@isc.org
Subject: RHEL5 BIND in PROD


I'm about to transition my name servers from Solaris 10 to RedHat Linux 
5.6. I'm debating whether to compile BIND directly from source as I 
usually do or use one of the RHEL packages, likely the newly released 
9.7.0-6.P2. I would like to make our DNS a little more appliance based to 
ease some of the support burden. I'm also concerned with stability over 
new features. I'm interested to know what others are doing.

-Mike


RE: R: Operating system recommendation

2011-03-11 Thread Lightner, Jeff
Linux people and their reinstalls?!

Somebody has confused Linux with Windows.  We've been running RedHat 
Enterprise Linux (RHEL) systems commercially for several years (including our 
DNS servers) and the only time I reinstall is when I'm redeploying a system 
and/or want to go to a newer major release.   As the prior poster said RedHat 
still supports RHEL4 (7 years or more) and RHEL5 (4 years or more) and has 
now released RHEL6.

Redeployments don't require a reinstall - I simply do it (as I did for UNIX 
systems) to get rid of the cruft that is invariably left behind by redeployments 
and in box upgrades from one major release to another.   I'd do the same on BSD 
if I were still running any of those systems. 

Don't confuse hobbyists who like to tinker and reinstall at the drop of a hat 
to undo their latest experiments with use of Linux in real data centers. 

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of fddi
Sent: Friday, March 11, 2011 4:18 AM
To: bind-users@lists.isc.org
Subject: Re: R: Operating system recommendation

BIND performance is also excellent on FreeBSD and OpenBSD.
Myself, if I were a big ISP I would use OpenBSD, mainly from a security 
point of view.


Riccardo


On 3/11/11 9:23 AM, Chiesa Stefano wrote:


 -Original Message-
 From: bind-users-bounces+stefano.chiesa=wki...@lists.isc.org 
 [mailto:bind-users-bounces+stefano.chiesa=wki...@lists.isc.org] On behalf of 
 pollex
 Sent: Wednesday, March 9, 2011 20.52
 To: comp-protocols-dns-b...@isc.org
 Subject: Operating system recommendation

 Hi, I want to know in your experience what is the best operating
 system to run bind for an ISP. We currently have Debian for the 5
 Cache servers and for the 2 Authoritative servers.
 We have around 111851 success queries in the cache servers and around
 7267 zones created in the authoritative servers.
 We are doing a major re analysis for all the architecture and Debian
 is changing their versions too soon and only have support for 1 version
 before so I don't know if this is the best option

 Best regards and thanks


 Hello.
 The Italian Registration Authority, that manages more than 2 million .it 
 domains, runs their BIND DNS server on UBUNTU.

 For further info you can try to contact them at their email addresses:

 i...@registro.it
 hostmas...@registro.it

 http://www.nic.it/?set_language=en

 Hope this helps.

 Ciao.
 Stefano.


RE: R: Operating system recommendation

2011-03-11 Thread Lightner, Jeff
I didn't make this a personal attack so don't know why you felt it necessary to 
go that route.  However, since you did, it is clear from your comments you are 
a BSD fan boy and will say whatever you can, including outright fabrications to 
make your position seem more valid than those of others.   I've not seen an OS 
yet that couldn't be rootkitted and implying that RHEL is somehow more 
susceptible to that and that BSD is somehow immune to that is completely 
disingenuous.

Many organizations choose to use commercial variants of Linux specifically 
because they prefer to have an external support entity available.   If you had 
to reinstall RHEL to perform a simple upgrade that says more about your lack of 
experience with the platform than it does with the platform itself.  In my 20 
years of Systems Administration experience I've often made suggestions some 
heeded and some ignored but always knew I wasn't the tail that wags the dog.   
You apparently think you are in your organization so congrats on that.

-Original Message-
From: Dan [mailto:d...@sunsaturn.com] 
Sent: Friday, March 11, 2011 12:33 PM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: RE: R: Operating system recommendation


Simply what I meant by their reinstall is going to a new major revision
or someone rootkitted your box. Either would not pose a problem on 
freebsd.

I have redeployed RHEL systems as well and it required a reinstall, the 
upgrade left too many instabilities in the system, not just the cruft
you suggest.

It's clear from that statement you don't run any BSDs and cost your 
company money running RHEL vs CentOS or anything free that a competent 
admin could run just as well, perhaps the bit of money your company 
could save you could use towards a ploy for a raise!


Dan.



On Fri, 11 Mar 2011, Lightner, Jeff wrote:

 Linux people and their reinstalls?!

 Somebody has confused Linux with Windows.  We've been running RedHat 
 Enterprise Linux (RHEL) systems commercially for several years (including 
 our DNS servers) and the only time I reinstall is when I'm redeploying a 
 system and/or want to go to a newer major release.   As the prior poster said 
 RedHat still supports RHEL4 (7 years or more) and RHEL5 (4 years or more) 
 and has now released RHEL6.

 Redeployments don't require a reinstall - I simply do it (as I did for UNIX 
 systems) to get rid of the cruft that is invariably left behind by 
 redeployments and in box upgrades from one major release to another.   I'd do 
 the same on BSD if I were still running any of those systems.

 Don't confuse hobbyists who like to tinker and reinstall at the drop of a hat 
 to undo their latest experiments with use of Linux in real data centers.

 -Original Message-
 From: bind-users-bounces+jlightner=water@lists.isc.org 
 [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
 fddi
 Sent: Friday, March 11, 2011 4:18 AM
 To: bind-users@lists.isc.org
 Subject: Re: R: Operating system recommendation

 BIND performance is also excellent on FreeBSD and OpenBSD.
 Myself, if I were a big ISP I would use OpenBSD, mainly from a security
 point of view.


 Riccardo


 On 3/11/11 9:23 AM, Chiesa Stefano wrote:


 -Original Message-
 From: bind-users-bounces+stefano.chiesa=wki...@lists.isc.org 
 [mailto:bind-users-bounces+stefano.chiesa=wki...@lists.isc.org] On behalf of 
 pollex
 Sent: Wednesday, March 9, 2011 20.52
 To: comp-protocols-dns-b...@isc.org
 Subject: Operating system recommendation

 Hi, I want to know in your experience what is the best operating
 system to run bind for an ISP. We currently have Debian for the 5
 Cache servers and for the 2 Authoritative servers.
 We have around 111851 success queries in the cache servers and around
 7267 zones created in the authoritative servers.
 We are doing a major re analysis for all the architecture and Debian
 is changing their versions too soon and only have support for 1 version
 before so I don't know if this is the best option

 Best regards and thanks


 Hello.
 The Italian Registration Authority, that manages more than 2 million .it 
 domains, runs their BIND DNS server on UBUNTU.

 For further info you can try to contact them at their email addresses:

 i...@registro.it
 hostmas...@registro.it

 http://www.nic.it/?set_language=en

 Hope this helps.

 Ciao.
 Stefano.

RE: Slaves and views

2011-03-04 Thread Lightner, Jeff
Haven't done it but don't see why not.   Since every entry in named.conf
specifies the zone file you can definitely have multiple zones all
pointing to the same zone file.  (We do that for many ancillary zones
that we want to point to our primary domain so have an aliases file that
uses the @ designation instead of hard coded domain names.)

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of John Wobus
Sent: Friday, March 04, 2011 11:46 AM
To: bind-users
Subject: Slaves and views

Hi,

Can a zone file be a slave in one view and the same zone file
be served by another view?

I'm going to split our authoritative servers into internal
and external views.  My question concerns zones that we
secondary for other organizations, slaved to masters at
their sites.

I know I could configure each of their zones with separate files
in each of the two views, listen/use an additional address that
accesses our local view, and tell these peer organizations to
notify and allow transfers from this additional address.
I'm not (yet) worried about dynamic updates, if there are
any.

Is there a way I can handle their zones without making
these other sites configure another address, and I still
run just one bind instance?

Other ideas are: running a separate bind instance for
these zones, or making one view a slave to the other.
Possibly forwarding of some kind, another thing I haven't
done much.

John Wobus
Cornell



RE: Please Help

2011-02-17 Thread Lightner, Jeff
IIRC the U.S. Government last year or the year before mandated all their
sites be DNSSEC compliant by early this year.  Maybe it is just a sign
they are actually doing it.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Ryan Novosielski
Sent: Thursday, February 17, 2011 9:54 AM
To: Xiaoxu Huang
Cc: bind-users@lists.isc.org
Subject: Re: Please Help


Glad to hear it was a help.

Does anyone happen to know if anything changed for .gov addresses just
last week? This problem appears to have come out of the clear blue sky
(not that there wasn't plenty of warning) so I have to assume that
something was just activated.

On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
 We have checked list archives and our side has increased the allowed DNS
 packet size. Now we are fine to get correct answer for **.gov.
 
 Thanks for help and Best Regards,
 
 Xiao
 2/17/2011  
   
 
 -Original Message-
 From: bind-users-bounces+xhuang=graphnet@lists.isc.org
 [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of
 Ryan Novosielski
 Sent: Wednesday, February 16, 2011 5:47 PM
 To: bind-users@lists.isc.org
 Subject: Re: Please Help
 
 I asked this same question this week. Check the list archives.
 
 On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
 From a couple of our DNS servers, we fail to get a correct DNS answer,
 as follows:
 
 1) From server A
 
 # nslookup
 Default Server:  localhost
 Address:  127.0.0.1
 
 www.nyc.gov
 Server:  localhost
 Address:  127.0.0.1
 
 *** localhost can't find www.nyc.gov: Non-existent host/domain
 # nslookup
 
 2) From server B:
 
 # nslookup
 www.nyc.gov
 ;; connection timed out; no servers could be reached
 
 3) Both servers run bind-9.7.2-P2
 
 Can anyone help?
 
 Thanks and Best Regards,
 
 Xiao
 2/16/2011
 
 
 

- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark


RE: about the file command

2011-02-08 Thread Lightner, Jeff
BIND doesn't require you to use any views by default. 

The way views work one of them IS a default so order of views is important.  
You would use the default as your catch all.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Terry.
Sent: Tuesday, February 08, 2011 9:16 AM
To: bind-users@lists.isc.org
Subject: Re: about the file command

2011/2/8 Matus UHLAR - fantomas uh...@fantomas.sk:
 On 08.02.11 17:40, Terry. wrote:
 Can BIND's file command refer to more than one zone file?
 For example,

    zone test.nsbeta.info {
        type master;
        file a.db;
        file b.db;
    };

 When a record doesn't exist in a.db, BIND will continue to look for it in
 b.db.

 Afaik, no. Why would you want that?


For views catchall.

For example, named.conf has three views enabled by default, some users
have three views set up, but some have only two views set up, so I want
the catchall solution for the lack of a view.

Any suggestion?

Regards,
Terry.


RE: get a domain's dns records

2011-01-21 Thread Lightner, Jeff
It checks for test.domain - I saw it do that for my zone.  For us it
isn't a subdomain but simply an A record.   Apparently when it found
your record it went ahead and did another check for your sub-zone.

I'm surprised that it does not check for ftp.zone.   Whenever we're
doing acquisitions here that is one of the zones I find at most sites
(though often enough it uses the same IP as the www.zone). 

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of p...@mail.nsbeta.info
Sent: Friday, January 21, 2011 9:21 AM
To: Dave Knight
Cc: comp-protocols-dns-b...@isc.org; Barry Margolin
Subject: Re: get a domain's dns records

Dave Knight writes: 


 
 I guess the tool just always assumes that there's probably a www worthy asking about 
 

But how does the site know I have a sub domain test.nsbeta.info and its 
name servers? I didn't think that I have got this sub domain be public. 

Regards.


RE: DNSSEC with 9.7.2-P2

2010-11-12 Thread Lightner, Jeff
Not a hole if you look at the reasoning for Fedora itself.  It has a
short lifecycle and they expressly tell folks not to use it for
Production due to this.  It is meant to be bleeding edge for testing the
latest/greatest.   It is used as a test bed for what makes it into RHEL.


For Production (RPM based system) you should use RHEL or CentOS which
has a much longer life cycle.  (Speaking of which, RHEL6 was just put in
general release this week.)  Of course the downside to this is that they
often don't have the latest BIND packages built but they do backport
security fixes from later BIND packages into the earlier one and do add
some features from the later ones into the earlier one. 

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Phil Mayers
Sent: Friday, November 12, 2010 10:33 AM
To: bind-users@lists.isc.org
Subject: Re: DNSSEC with 9.7.2-P2

On 12/11/10 14:51, Alan Clegg wrote:
 On 11/12/2010 7:49 AM, David Forrest wrote:
 While running BIND 9.7.2-P2 built with defaults on F11

 [..]

 and, on checking named.conf, I found the entry for br. as:
 trusted-keys {
  br. 257 3 5

AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT
0pdzeEGJ400kdbbPqXr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1NGbGfs513y6d
y1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hNx94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNp
y6AM=;
 };

 If Fedora 11 (I'm assuming that is what F11 is) has built in
 trust-anchors in the distributed named.conf, someone needs to talk to
 them...

They have, by bundling a copy of dnssec-conf. In addition, there is no 
system scheduled cron job to update these IIRC - the expectation was 
that RPM updates would do the job - and sadly F11 is now off support, 
which is a bit of a hole in the reasoning :o(


Rules against links or certain links?

2010-11-11 Thread Lightner, Jeff
I've noticed a couple of times on this list that if I post links for
certain on line sites with free tools like whois that they never seem to
make it to the list.

 

Is there some prohibition against posting those links that would cause
them to be filtered out?  I know at least one of them also has pay
services but it does provide free services including whois.  Today I
specifically didn't post that one but another one that (so far as I
know) is all free yet it hasn't appeared here either.

 


__

Jeff Lightner | UNIX/Linux Administrator | DS Waters of America, Inc |
5660 New Northside Drive, Ste 250 | Atlanta, GA 30328 
*: (Direct Dial) 770-486-3516 |*: (Cell) 678-772-0018 |
*:jlight...@water.com
 