Re: View selection via TSIG
In message 6913b169-0b0e-42e0-bc30-92d188036...@tcbug.org, Josh Paetzel write s: On Aug 19, 2009, at 11:07 AM, Kirk wrote: logging { channel my_log { file /var/log/bind/named.log versions 3 size 5m; severity warning; print-time yes; print-severity yes; print-category yes; }; category notify { my_log; }; }; I've changed the category to default to make sure that it can log that and it can. Thanks, Josh Paetzel Josh, I can't answer your question about views, but here is the pertinent logging statements I am using and seems to work. channel notify { file logs/notify_log versions 2 size 1m; print-time yes; }; category notify { notify; }; If you are running chroot you might wanna verify that named can log to the directory you listed in your logging statement. Thanks. That worked, and I was quickly able to see what I was doing wrong. My primary nameserver was matching an IP in one of the views. So all the notifies were seen by slave as being in that one view. IPs override keys. Acl matches are order sensitive. The !key is in the examples to prevent the signed message matching the view and moving onto the next one. Issue solved, thanks everyone who helped. Thanks, Josh Paetzel ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Reverse delegation - refused on my DNS
In message 001201ca21de$6eea36e0$4cbea4...@monnerie@is.it-management.at, Mi chael Monnerie writes: I'm still searching for the error. Also, sorry for the strangeness of the mail format, I used a webmail for = the last mails. This time it's Outlook, don't know if it's really any = better... at least not for correctly indenting old mail texts :-( Because you don't serve 164.69.212.in-addr.arpa and you tried to access the cache. You should slave 164.69.212.in-addr.arpa so you have the CNAMEs locally. This will also make the above dig directed at your server work as the answer will come from the zone rather than the cache. I did that now, helps :-)) =20 Note: the lookups are working remotely because interative resolvers ask for 57.48-28.164.69.212.in-addr.arpa rather that 57.164.69.212.in-addr.arpa as generated by the above dig. Ah, I get the point. I always tested from a remote side with dig @dns1.zmi.at -x 212.69.164.57 but that didn't work as this is not an open resolver. Slaving the zone = as you suggested enables even these lookups to work now. I think it's = good, as it helps remote sites to debug DNS when hunting an error. A plain dig -x 212.69.164.57 also works, so, do I have an issue or is everything OK with my = configuration? Thanks for all your help, to all three of you! mfg zmi All three servers are now answering which is good. drugs:marka 10:11 {371} % dig +nssearch 48-28.164.69.212.in-addr.arpa SOA ns4.zmi.at. hostmaster.ns4.zmi.at. 42 172800 14400 3628800 60 from server power4u.zmi.at in 2270 ms. SOA ns4.zmi.at. hostmaster.ns4.zmi.at. 42 172800 14400 3628800 60 from server dns1.zmi.at in 1534 ms. SOA ns4.zmi.at. hostmaster.ns4.zmi.at. 42 172800 14400 3628800 60 from server dns2.zmi.at in 357 ms. drugs:marka 10:12 {372} % You do however have a delegation mismatch. 48-28.164.69.212.in-addr.arpa. 86400 IN NS dns1.zmi.at. 48-28.164.69.212.in-addr.arpa. 86400 IN NS dns2.zmi.at. ;; Received 91 bytes from 82.98.222.6#53(dns2.serico.de) in 717 ms 48-28.164.69.212.in-addr.arpa. 3600 IN NS power4u.zmi.at. 48-28.164.69.212.in-addr.arpa. 3600 IN NS dns2.zmi.at. 48-28.164.69.212.in-addr.arpa. 3600 IN NS dns1.zmi.at. ;; Received 161 bytes from 212.69.162.197#53(dns1.zmi.at) in 999 ms Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Porblems with Lycos.com host lookup.
:53:36.286 lame-serv= ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco= s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.248.142#53= /span/pre prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.369 lame-serv= ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco= s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.244.141#53= /span/pre prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.453 lame-serv= ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco= s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.248.141#53= /span/pre prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.453 resolver:= debug 1: createfetch: a href=3Dhttp://bigmail1.lycosmail.lycos.com;bigm= ail1.lycosmail.lycos.com/a A/span/preprespan style=3Dfont-family:= Arial;05-Aug-2009 12:53:36.537 lame-servers: info: FORMERR resolving #3= 9;a href=3Dhttp://bigmail1.lycosmail.lycos.com/A/IN;bigmail1.lycosmail.l= ycos.com/A/IN/a#39;: 209.202.244.141#53/span/pre prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.621 lame-serv= ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco= s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.248.142#53= /span/pre prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.704 lame-serv= ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco= s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.244.142#53= /span/pre prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.788 lame-serv= ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco= s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.248.141#53= /span/pre prespan style=3Dfont-family: Arial;05-Aug-2009 12:57:31.142 resolver:= debug 1: createfetch: a href=3Dhttp://scansafe.com;scansafe.com/a A/= span/preprespan style=3Dfont-family: Arial;=A0/span/pre p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;= The expected subdomain is returned, the only other FORMERR cases I=92ve seen (on google)= show span style=3D=A0/spanthe authority section not matching the ans= wer./span/p p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;= =A0/span/p p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;= A debug trace may be found at a href=3Dhttp://the.earth.li/%7Ehuggie/lycos-bind9-= issue.txthttp://the.earth.li/~huggie/lycos-bind9-issue.txt/a span style=3D=A0=A0/spanAny suggestions as to what the issue is or how it may be resolved would be very welcome./span/p p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;= =A0/span/p p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;= =A0/span/p p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;= Kind Regards/span/pp class=3DMsoNormalbr/pp class=3DMsoNormalMat= tbrspan style=3Dfont-size: 10pt; font-family: Arial;/span/p --001485f79224cc3a450471a7360f-- --===8305037449375662968== Content-Type: text/plain; charset=us-ascii MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users --===8305037449375662968==-- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: 9.6.1-P1 log message
In message alpine.lfd.2.01.0908250838190.14...@maplepark.com, David Forrest w rites: What do I have to do to correct whatever is causing this log message from named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)? validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be s ecure failure This is ususally because named has fallen back to plain DNS. Please ensure that you have a clean EDNS path and any forwarders you use also have clean EDNS paths. A clean EDNS path will accept EDNS responses upto 4096 bytes in size. Firewalls and DNS proxies in SOHO routers are known devices which interfere with this. Sometimes intentionally (firewalls) and some unintentionally (SOHO routers). Firewalls must be configured to accept DNS responses bigger than 512 bytes. They and SOHO routers also need to handle fragmented responses. A flakey link can also cause fallback to plain EDNS when too many transactions timeout. The dlv namespace is marked as must-be-secure by named as a side effect of dnssec-lookaside clause. Mark Thanks in advance, Dave -- David Forrest St. Louis, Missouri ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS maximum message size
In message c923553c0908260234q46fef3d4g2591d8ef3a532...@mail.gmail.com, Luis Silva writes: Hi, Can anyone tell me the maximum size for DNS messages using TCP? I scanned all RFCs that I knew, but I can't find the answer. The problem is that I'm integrating my BIND server with a DNS name server which can only send AXFR answers with a 65535 maximum message size. Thank you, LS DNS messages over TCP are limited to 65535 bytes due to there being only two bytes to encode the length in. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Named is causing my server to Kernel panic?
In message 4a96acd6.3070...@canbytel.com, Scott Baker writes: I have two DNS servers, and my slave server has been crashing repeatedly about once a week. It's crashing hard and bringing down the *whole* box. It's a F10 box, running: :rpm -q bind bind-9.5.1-3.P3.fc10.i386 Here is a shot from my cell phone of the kernel panic: http://www.perturb.org/tmp/named-crash.jpg My first thought is that it was bad hardware, so we swapped the HDs out to another server. *Everything* was new except the HDs and the crashes still occurred. I'm not sure what my next step is, but having it continue to crash is no good! The box is up to date on all software and kernel patches. It runs fine while it's up, it just randomly crashes. Help! -- Scott Baker - Canby Telcom System Administrator - RHCE - 503.266.8253 You need to report this to your OS vendor. Nothing a application does, and named is a application, should cause a kernel to panic. Named does nothing more any other application does. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dynamic update response
In message freemail.20090801231709.18...@fm10.freemail.hu, bind jack writes: Hello, My question is about the fields in the dynamic update response. As RFC 2136 describes there are 2 possible dynamic update responses: I. The ZOCOUNT, PRCOUNT, UPCOUNT, COUNT fields and associated sections are = copied in the response packet II. Placing zeros (0) in the these count fields and not including any par= t of the original update Bind seems to follow the second rule. Is it possible to configure Bind server to copy the ZOCOUNT, PRCOUNT, UPCOU= NT and ADCOUNT fields and associated sections in the response packet? No. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: socket.c:4524: unexpected error:
and 9.4.3-P3 suddenly causes this failure. If you really see more of this after upgrading to 9.4.3-P3 from 9.4.3, I guess it's more likely because (e.g.) a change of query pattern. Or do you mean you upgraded from 9.4.2-P2 to 9.4.3-P3? Also, how often did it happen? While it's an unexpected error in this context, a system call (connect(2) in this case) can fail for any reason and the other part of named has some level of resilience to such cases. So, unless it's very frequent you may be able to ignore the warnings safely in practice. --- JINMEI, Tatuya Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dig +trace failure
In message 200909030037.raa27...@nasdaq.hpl.hp.com, Andris Kalnozols writes: My 9.6.1-P1 dig programs (HP-UX and Linux) rather consistently fail when trying to trace the delegation of 231.84.192.IN-ADDR.ARPA. Out of curiousity, are others from different places on the Internet able to duplicate the failure? It's fixed in the next release. You should be able to verify this using the v9_6 from the BIND Forum CVS repository. Mark dig +trace 231.84.192.in-addr.arpa ; DiG 9.6.1-P1 +trace 231.84.192.in-addr.arpa ;; global options: +cmd . 431482 IN NS A.ROOT-SERVERS.NET. . 431482 IN NS J.ROOT-SERVERS.NET. . 431482 IN NS B.ROOT-SERVERS.NET. . 431482 IN NS D.ROOT-SERVERS.NET. . 431482 IN NS E.ROOT-SERVERS.NET. . 431482 IN NS H.ROOT-SERVERS.NET. . 431482 IN NS M.ROOT-SERVERS.NET. . 431482 IN NS L.ROOT-SERVERS.NET. . 431482 IN NS F.ROOT-SERVERS.NET. . 431482 IN NS G.ROOT-SERVERS.NET. . 431482 IN NS C.ROOT-SERVERS.NET. . 431482 IN NS K.ROOT-SERVERS.NET. . 431482 IN NS I.ROOT-SERVERS.NET. ;; Received 272 bytes from 15.243.224.30#53(15.243.224.30) in 1 ms 192.in-addr.arpa. 86400 IN NS Y.ARIN.NET. 192.in-addr.arpa. 86400 IN NS Z.ARIN.NET. 192.in-addr.arpa. 86400 IN NS CHIA.ARIN.NET. 192.in-addr.arpa. 86400 IN NS DILL.ARIN.NET. 192.in-addr.arpa. 86400 IN NS BASIL.ARIN.NET. 192.in-addr.arpa. 86400 IN NS HENNA.ARIN.NET. 192.in-addr.arpa. 86400 IN NS INDIGO.ARIN.NET. 192.in-addr.arpa. 86400 IN NS X.ARIN.NET. ;; Received 196 bytes from 192.36.148.17#53(I.ROOT-SERVERS.NET) in 299 ms 231.84.192.in-addr.arpa. 86400 IN NS mail.boston.accrue.com. 231.84.192.in-addr.arpa. 86400 IN NS ns1.accrue.com. ;; Received 95 bytes from 192.35.51.32#53(DILL.ARIN.NET) in 144 ms ;; Truncated, retrying in TCP mode. socket.c:2486: REQUIREsock) != ((void *)0)) (((const isc__magic_t *)(s ock))-magic == ((('I') 24 | ('O') 16 | ('i') 8 | ('o')) failed. Aborted -- Andris ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: socket.c:4524: unexpected error:
in advance, Ram 2009/8/31 JINMEI Tatuya / ...@l@C#:H(B jin...@isc.org: At Sun, 30 Aug 2009 11:01:08 +0300, Ram Akuka ramak...@gmail.com wrote: recently i upgraded my DNS to 9.4.3P3 (from 9.4.3). since then i can see the below error more often: 30-Aug-2009 02:27:24.925 general: error: socket.c:4524: unexpected erro r: 30-Aug-2009 02:27:24.925 general: error: 22/Invalid argument i can see there's an open bug on this issue - http://www.mail-archive.com/bind-users@lists.isc.org/msg03339.html, but i can't understand what's the effects of this bug. is there any way i can help solve this bug? can i know how this effects my service . should i expect some service interruption or anything like that ? should i consider downgrade to 9.4.2P2? First off, please identify the operating system and its version. This kind of thing can be highly dependent on OS-level details. Secondly, I suspect it's less likely that the difference from 9.4.3 and 9.4.3-P3 suddenly causes this failure. If you really see more of this after upgrading to 9.4.3-P3 from 9.4.3, I guess it's more likely because (e.g.) a change of query pattern. Or do you mean you upgraded from 9.4.2-P2 to 9.4.3-P3? Also, how often did it happen? While it's an unexpected error in this context, a system call (connect(2) in this case) can fail for any reason and the other part of named has some level of resilience to such cases. So, unless it's very frequent you may be able to ignore the warnings safely in practice. --- JINMEI, Tatuya Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: root and in-addr.arpa zone transfers
In message 20090912082415.ga13...@fantomas.sk, Matus UHLAR - fantomas writes: On Freitag 11 September 2009 Matus UHLAR - fantomas wrote: - it's quite useless to cache the .arpa and .in-addr.arpa since unlike other TLD's they are hierarchically organised so there won't be any valuable benefit from slaving them, only risks (see above). On 12.09.09 09:27, Michael Monnerie wrote: Every other point is OK, but I don't understand this one. They are all hierarchical, what's the difference with .in-addr.arpa? while there are many manual mistypes in root and other domains, there are (ne arly) no mistypes in .arpa and in-addr.arpa domains since these domains are accessed by software and miskates here are unlikely to happen (of course sw can have bugs but authors would soon notice it doesn't work). Whether in-addr.arpa is useful or not depends on where you are in the world and what the connectivity is like. There was a time when I would have recommended slaving the root and in-addr.arpa to every Australian site. When the one link connecting most of Australia went down this sort of think kept a vast majority of the internal communications within Australia working as you could find au and you could do reverse lookups of the Australian address blocks. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Modified a zone, so when it becomes available?
In message 4aaf7181.4040...@isc.org, Cathy Almond writes: Marcos Lorenzo de Santiago wrote: El mar, 15-09-2009 a las 07:04 -0300, Leonardo Rodrigues escribi=F3: Marcos Lorenzo de Santiago escreveu: When I modify a RR or add a new one on an existing zone, I have to restart master server to make the change available. Is there any other way to reload the zone without stopping bind? I've tried with: - rdnc reload [zone] - rndc reconfig [zone] - rndc refresh [zone] Am I missing anything? = 'rndc reload' is enough to make the zones being re-read and = new/updated records available. Problably you're missing: 1) to increment the zone serial ... if you dont do that, bind wont know = you updated the zone. That's important, ALWAYS update the serial when = changing/adding records; = I always update the serial, I know little but I know this ;) = 2) your DNS server itself is using another DNS server which is caching = the records, so cache needs to expire so new/updated records can be = seen. You can have your DNS server using itself (127.0.0.1) as DNS = server, that should solve if this is the problem; = This master server is its own server, so that's not the case... = After making changes to zone, updated serial, and rndc reload, I dig my zone and get always the old serial. The serial and the changes only appear when I '/etc/init.d/bind restart' it. = I use bind 9.5.1 on debian 5.0.3. = Any clue? = Thanks in advance. = Are your zone file modification timestamps being updated when you make changes? Regards, Cathy ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users It sounds like the zone is configured for dynamic update. Reload has no effect if the zone is configured for dynamic update. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND 9.5.2rc1 is now available.
--- Blind-Carbon-Copy To: bind-annou...@isc.org From: Mark Andrews ma...@isc.org Subject: BIND 9.5.2rc1 is now available. Date: Wed, 16 Sep 2009 14:45:09 +1000 Sender: ma...@drugs.dv.isc.org BIND 9.5.2rc1 is now available. BIND 9.5.2rc1 is a maintenance release candidate for BIND 9.5. BIND 9.5.2rc1 can be downloaded from ftp://ftp.isc.org/isc/bind9/9.5.2rc1/bind-9.5.2rc1.tar.gz The PGP signature of the distribution is at ftp://ftp.isc.org/isc/bind9/9.5.2rc1/bind-9.5.2rc1.tar.gz.asc ftp://ftp.isc.org/isc/bind9/9.5.2rc1/bind-9.5.2rc1.tar.gz.sha256.asc ftp://ftp.isc.org/isc/bind9/9.5.2rc1/bind-9.5.2rc1.tar.gz.sha512.asc The signature was generated with the ISC public key, which is available at https://www.isc.org/about/openpgp. A binary kit for Windows XP and Window 2003 is at ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.zip ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.debug.zip The PGP signature of the binary kit for Windows XP and Window 2003 is at ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.zip.asc ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.zip.sha512.asc ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.debug.zip.asc ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.debug.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.debug.zip.sha512.asc Changes since 9.5.0. --- 9.5.2rc1 released --- 2672. [bug] Don't enable searching in 'host' when doing reverse lookups. [RT #20218] 2670. [bug] Unexpected connect failures failed to log enough information to be useful. [RT #20205] 2663. [func] win32: allow named to run as a service using NT AUTHORITY\LocalService as the account. [RT #19977] 2656. [func] win32: add a tools only check box to the installer which causes it to only install dig, host, nslookup, nsupdate and relevent dlls. [RT #19998] 2655. [doc] Document that key-directory does not affect rndc.key. [RT #20155] --- 9.5.2b1 released --- 2649. [bug] Set the domain for forward only zones. [RT #19944] 2648. [port] win32: isc_time_seconds() was broken. [RT #19900] 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] 2645. [port] gcc -m32 didn't work on amd64 and x86_64 platforms which default to 64 bits. [RT #19927] 2642. [bug] nsupdate could dump core on solaris when reading improperly formatted key files. [RT #20015] 2640. [security] A specially crafted update packet will cause named to exit. [RT #2] 2637. [func] Rationalize dnssec-signzone's signwithkey() calling. [RT #19959] 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses. [RT #19716] 2633. [bug] Handle 15 bit rand() functions. [RT #19783] 2632. [func] util/kit.sh: warn if documentation appears to be out of date. [RT #19922] 2623. [bug] Named started seaches for DS non-optimally. [RT #19915] 2621. [doc] Made copyright boilterplate consistent. [RT #19833] 2920. [bug] Delay thawing the zone until the reload of it has completed successfully. [RT #19750] 2618. [bug] The sdb and sdlz db_interator_seek() methods could loop infinitely. [RT #19847] 2617. [bug] ifconfig.sh failed to emit an error message when run from the wrong location. [RT #19375] 2616. [bug] 'host' used the nameservers from resolv.conf even when a explicit nameserver was specified. [RT #19852] 2615. [bug] __attribute__((unused)) was in the wrong place for ia64 gcc builds. [RT #19854] 2614. [port] win32: 'named -v' should automatically be executed in the foreground. [RT #19844] 2610. [port] sunos: Change #2363 was not complete. [RT #19796] 2606. [bug] delegation-only was not being accepted in delegation-only type zones. [RT #19717] 2605. [bug] Accept DS responses from delegation only zones. [RT # 19296] 2603. [port] win32: handle .exe extension of named-checkzone and named-comilezone argv[0] names under windows. [RT #19767] 2602. [port] win32: fix debugging command line build of libisccfg. [RT #19767] 2599. [bug
Re: is TSIG key rollover possible?
In message 4ab072dc.2070...@nzrs.net.nz, Sebastian Castro writes: Hi everyone: I was reading the document Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records (http://www.ietf.org/id/draft-ietf-dnsext-tsig-md5-deprecated-03.txt) and I thought Darn, I must be prepared to do a TSIG renovation, so started researching how to do it. First step was checking if BIND supported a different algorithm, but the BIND ARM for BIND9.5 and 9.6 indicates The algorithm, hmac-md5, is the only one supported by BIND. That seemed strange, considering the document indicated above was originally proposed in 2008. So I used the source and found out other algorithms are supported in 9.5 and 9.6, so there is a mistake in the documentation. Anyway, TSIG rollover is an operation needed as indicated on RFC 2385: RFC 2385 quote - 6.2. Secret keys should be changed periodically. If the client host has been compromised, the server should suspend the use of all secrets known to that client. If possible, secrets should be stored in encrypted form. Secrets should never be transmitted in the clear over any network. This document does not address the issue on how to distribute secrets. Secrets should never be shared by more than two entities. RFC 2385 quote - but again the documentation indicates: Multiple keys may be present, but only the first is used. Which only applies to control channels keys. So, to coordinate the retirement of an old TSIG key and the introduction of a new one, it seems a close coordination between peers is needed in order to make it work, within a 'maintenance window' where the operations using the TSIG are not executed (in my particular interest, zone transfers)? Is it not possible to gradually introduce a new key, use both for a period of time and later retire the old one, similar to what is done in DNSSEC? Any experience on this matter that could be shared publicly or privately will be appreciated. Kind Regards Sebastian Castro ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS server works but keep getting host unreachable resolving error
In message 865284.37771...@web36203.mail.mud.yahoo.com, Shi Jin writes: host unreachable is one of the clearer error messages, so you need to do some digging. From the box that you've set up bind9 on you'll need to use dig to query the ISP's name servers. If that works, then you'll have to use tcpdump on that box to find out what named is doing. Doug Thank you very much. Your suggestion to use tcpdump actually is very helpful. It clearly shows: ICMP host 216.171.238.67 unreachable - admin prohibited, length 87 Yet you claim that dig to 216.171.238.67 works. I think you need to provide a full trace not the summary that a plain tcpdump gives. Add -Xvvv to the set of flags you used with tcpdump. So I think this most likely has to do with the firewall setup. Probably I should enable ICMP redirect? Could anyone confirm? And is this safe? Thank you very much. Shi ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Error on make, help needed please.
In message 4ab8f7cc.6000...@actioncorp.biz, Laura Speck writes: Hi, I'm having a problem upgrading my current installation of bind. This is the error I am getting: http://pastebin.ca/1575360 I'm currently running OpenSSL 0.9.8k on Red Hat Linux release 7.1. If you are linking against OpenSSL 0.9.8k then these function will be found. It looks like the linker is finding a old libcrypto that is inconsistent to the header files named was compiled against. Mark Thanks in advance for any insight on why this is not working. Laura ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND with DLZ doesn't reconnect to the MySQL 5.x server after disconnect
In message 4ab9c360.7090...@dougbarton.us, Doug Barton writes: I recently added DLZ options to the BIND ports on FreeBSD, and a user has filed the following problem report: http://www.freebsd.org/cgi/query-pr.cgi?pr=139051 Does anyone have any comment on the patch suggested at the URL in the PR? http://www.shell-tips.com/2007/09/04/bind-950-patch-dlz-mysql-5-for-auto-recon nect/ Is this something that is likely to be included in a BIND distribution any time soon? Reconnect is already being set. B.T.W. the patch passes a pointer to the wrong type to mysql_options() see http://dev.mysql.com/doc/refman/5.1/en/mysql-options.html Thanks, Doug ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig ANY gives SERVFAIL / FORMERR
In message alpine.neb.2.01.0909231442321@t1.m.reedmedia.net, Jeremy C. Re ed writes: It looks like that the authoritative name server for youbei.cc actually did return some answers, but somehow bind gave a FORMERR for some unknown reasons, which I think it caused a SERVFAIL to be reported in turn. Interestingly, dig any youbei.cc +trace ran successfully and did not report any error. Does anyone know what might have caused this problem? My custom named logs: 23-Sep-2009 15:00:29.749 resolver: notice: FORMERR: Type didn't match (ANY != A) 23-Sep-2009 15:00:29.770 resolver: notice: FORMERR: Reply has no answer. named wants to know Is the question the same as the one we asked? I think 72dns.com has a broken DNS server. More modern versions of dig will also report the mismatch. The servers also answers queries with A records. It's a pity registries are not required to verify correct operation of the nameservers they are delegating to before accepting the delegation. If they were then a lot of this garbage would cease. It really isn't hard for a registry (or the registrar on behalf of the registry) to check that servers answer queries correctly. Just the almighty dollar has got in front of having a working system. Mark % dig any youbei.cc @ns1.72dns.com ;; Question section mismatch: got youbei.cc/A/IN ;; Question section mismatch: got youbei.cc/A/IN ;; Question section mismatch: got youbei.cc/A/IN ; DiG 9.7.0a2 any youbei.cc @ns1.72dns.com ;; global options: +cmd ;; connection timed out; no servers could be reached % % dig youbei.cc @ns1.72dns.com ; DiG 9.3.6-P1 youbei.cc @ns1.72dns.com ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 5189 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;youbei.cc. IN ;; ANSWER SECTION: youbei.cc. 3600IN A 211.155.230.241 ;; Query time: 436 msec ;; SERVER: 121.12.173.174#53(121.12.173.174) ;; WHEN: Thu Sep 24 07:07:46 2009 ;; MSG SIZE rcvd: 52 % ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND 9.5.2 is now available.
--- Blind-Carbon-Copy To: bind-annou...@isc.org From: Mark Andrews ma...@isc.org Subject: BIND 9.5.2 is now available. Date: Thu, 24 Sep 2009 11:01:29 +1000 Sender: ma...@drugs.dv.isc.org BIND 9.5.2 is now available. BIND 9.5.2 is a maintenance release for BIND 9.5. BIND 9.5.2 can be downloaded from ftp://ftp.isc.org/isc/bind9/9.5.2/bind-9.5.2.tar.gz The PGP signature of the distribution is at ftp://ftp.isc.org/isc/bind9/9.5.2/bind-9.5.2.tar.gz.asc ftp://ftp.isc.org/isc/bind9/9.5.2/bind-9.5.2.tar.gz.sha256.asc ftp://ftp.isc.org/isc/bind9/9.5.2/bind-9.5.2.tar.gz.sha512.asc The signature was generated with the ISC public key, which is available at https://www.isc.org/about/openpgp. A binary kit for Windows XP and Window 2003 is at ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.zip ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.debug.zip The PGP signature of the binary kit for Windows XP and Window 2003 is at ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.zip.asc ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.zip.sha512.asc ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.debug.zip.asc ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.debug.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.debug.zip.sha512.asc Changes since 9.5.0. --- 9.5.2 released --- 2681. [bug] IPSECKEY RR of gateway type 3 was not correctly decoded. [RT #20269] 2678. [func] Treat DS queries as if minimal-response yes; was set. [RT #20258] 2427. [func] Treat DNSKEY queries as if minimal-response yes; was set. [RT #18528] --- 9.5.2rc1 released --- 2672. [bug] Don't enable searching in 'host' when doing reverse lookups. [RT #20218] 2670. [bug] Unexpected connect failures failed to log enough information to be useful. [RT #20205] 2663. [func] win32: allow named to run as a service using NT AUTHORITY\LocalService as the account. [RT #19977] 2656. [func] win32: add a tools only check box to the installer which causes it to only install dig, host, nslookup, nsupdate and relevent dlls. [RT #19998] 2655. [doc] Document that key-directory does not affect rndc.key. [RT #20155] --- 9.5.2b1 released --- 2649. [bug] Set the domain for forward only zones. [RT #19944] 2648. [port] win32: isc_time_seconds() was broken. [RT #19900] 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] 2645. [port] gcc -m32 didn't work on amd64 and x86_64 platforms which default to 64 bits. [RT #19927] 2642. [bug] nsupdate could dump core on solaris when reading improperly formatted key files. [RT #20015] 2640. [security] A specially crafted update packet will cause named to exit. [RT #2] 2637. [func] Rationalize dnssec-signzone's signwithkey() calling. [RT #19959] 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses. [RT #19716] 2633. [bug] Handle 15 bit rand() functions. [RT #19783] 2632. [func] util/kit.sh: warn if documentation appears to be out of date. [RT #19922] 2623. [bug] Named started seaches for DS non-optimally. [RT #19915] 2621. [doc] Made copyright boilterplate consistent. [RT #19833] 2920. [bug] Delay thawing the zone until the reload of it has completed successfully. [RT #19750] 2618. [bug] The sdb and sdlz db_interator_seek() methods could loop infinitely. [RT #19847] 2617. [bug] ifconfig.sh failed to emit an error message when run from the wrong location. [RT #19375] 2616. [bug] 'host' used the nameservers from resolv.conf even when a explicit nameserver was specified. [RT #19852] 2615. [bug] __attribute__((unused)) was in the wrong place for ia64 gcc builds. [RT #19854] 2614. [port] win32: 'named -v' should automatically be executed in the foreground. [RT #19844] 2610. [port] sunos: Change #2363 was not complete. [RT #19796] 2606. [bug] delegation-only was not being accepted in delegation-only type zones. [RT #19717] 2605. [bug] Accept DS responses from delegation only zones. [RT # 19296] 2603. [port
Re: BIND with DLZ doesn't reconnect to the MySQL 5.x server after?disconnect
In message 20090925184532.cf9cc...@raisa.eu.org, Emil Smolenski writes: Mark Andrews wrote: Reconnect is already being set. Hello. Indeed, I found following message in release notes of BIND 9.6.1-P1 ( http://oldwww.isc.org/sw/bind/view/?release=9.6.1-P1 ): Which you should have seen came *after* 9.6.1 was released. The CHANGES file is in reverse chronological order. 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection. Requires MySQL 5.0.19 or later. [RT #19084] 2580. [bug] UpdateRej statistics counter could be incremented twice for one rejection. [RT #19476] --- 9.6.1 released --- dlz/mysql set MYSQL_OPT_RECONNECT option on connection. Requires MySQL 5.0.19 or later. [RT #19084] But there is no output from the second command: $ tar xf bind-9.6.1-P1.tar.gz $ grep -r MYSQL_OPT_RECONNECT bind-9.6.1-P1 $ I've tested it. BIND still doesn't reconnect. After applying patch mentioned earlier, BIND starts to work properly. I believe this patch should be commited (as is committed in 9.7.0a3): $ diff bind-9.7.0a3/contrib/dlz/drivers/dlz_mysql_driver.c \ bind-9.6.1-P1/contrib/dlz/drivers/dlz_mysql_driver.c 795,797d794 #ifdef MYSQL_OPT_RECONNECT my_bool auto_reconnect = 1; #endif 929,939d925 #ifdef MYSQL_OPT_RECONNECT /* enable automatic reconnection. */ if (mysql_options((MYSQL *) dbi-dbconn, MYSQL_OPT_RECONNECT, auto_reconnect) != 0) { isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_WARNING, mysql driver failed to set MYSQL_OPT_RECONNECT option, continuing); } #endif BTW, why there are only #ifdefs without #define in 9.7.0a3? Is user forced to set this option himself to make it work? No. MYSQL_OPT_RECONNECT is only in some versions of mysql. If you have a version which supports MYSQL_OPT_RECONNECT then MYSQL_OPT_RECONNECT will be defined. Mark -- am -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: *.dlv.isc.org DS: must be secure warnings [was: Re: 9.6.1-P1 log message]
In message prayer.1.3.2.0909262248400.24...@hermes-1.csi.cam.ac.uk, Chris Tho mpson writes: Back in August there was some a thread on bind-users about messages of the shape validating @[hex]: [name].dlv.isc.org DS: must be secure failure (these are category dnssec severity warning) and on 31 August I wrote: We have been running two production recursive nameservers validating against dlv.isc.org since 9 June, and first saw a batch of messages (for both server s) like this on 20 July. We reported them to ISC and got suggestions along the lines of Mark's above, along with an admission that current versions of BIND give up on EDNS too easily in situations they maybe shouldn't, which may be fixed in future releases. Since then we have had a trickle of such warning messages in the logs. We assume that they are the result of temporary network glitches somewhere, but their frequency appears to be increasing, which is somewhat worrying. It's also not clear whether any client queries are actually failing as a result, or whether BIND is simply trying another dlv.isc.org nameserver with better luck. I have been looking at this again, and in fact there was a step function on 21 August when the messages rose from almost nil to 15-20 per day, and then fell back to almost nil after 15 September (we've seen just one since then). We have been running BIND 9.6.1-P1 throughout. I would be very interested to know whether other recursive nameserver operators validating via dlv.isc.org have seen a similar pattern. I am prepared to believe that the frequency is related to transient network errors or delays, but I have no idea whether they are likely to be local or at at the dlv.isc.org server end. One gets these or similar messages when named falls back to plain DNS as a result of multiple timeouts. Named tries EDNS advertising a 4096 byte UDP buffer, then after multiple timeouts it tries EDNS advertising a 512 byte UDP buffer, then after multiple timeouts it tries plain DNS. Named also had a bug where it would fallback a EDNS step when it didn't need to (like retrying w/ TCP). This made DNSSEC behind middleware that was dropping fragments difficult. 2564. [bug] Only take EDNS fallback steps when processing timeouts. [RT #19405] Some (perhaps not all) of the timeout causes are below. This list is not specific to DLV. (apparent) non responses to UDP queries can be due to lots of causes: *+ Firewalls/middleware that blocks DNS responses 512 *+ Firewalls/middleware that blocks fragments *+ Lack of support for out of order responses in NAT *+ Responses that require fragmentation but DF set. Most of these will be in the 1481-1500 bytes in size (IP in IP tunnels). Larger responses are usually fragmented by the sending OS and don't have DF set. Smaller response make it through a single layer of encapsulation. *+# Bad nameserver software that fails to respond to EDNS requests *+# Firewalls/proxies that block EDNS queries or queries/responses with one or more of DO, CD or AD set. * Congestion * Packet corruption * Appear lost due to long rtt times - load balancing probes taking too long - multiple satellite links - significant congestion causing long delays + indicates broken software # indicates fallback to plain DNS will be required A handful a day would suggest packet corruption/congestion as the likely cause. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig ANY gives SERVFAIL / FORMERR
In message 20090929122845.ga13...@nic.fr, Stephane Bortzmeyer writes: On Thu, Sep 24, 2009 at 07:16:35AM +1000, Mark Andrews ma...@isc.org wrote a message of 77 lines which said: It's a pity registries are not required to verify correct operation of the nameservers they are delegating to before accepting the delegation. Some do! http://www.afnic.fr/outils/zonecheck/_en The key word is required. I know some do, I just wish more did. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig ANY gives SERVFAIL / FORMERR
In message alpine.lfd.1.10.0909291125070.11...@newtla.xelerance.com, Paul Wou ters writes: On Wed, 30 Sep 2009, Mark Andrews wrote: http://www.afnic.fr/outils/zonecheck/_en The key word is required. I know some do, I just wish more did. I for one, welcome our new named-checkzone overlords. (especially if named-checkzone would fail to OK a zone with NSEC3RSASHA1 keys and re-used NSEC records :) NSEC3RSASHA1 w/ NSEC is fine and is required if you want to transition from RSASHA1 (w/ NSEC) to NSEC3RSASHA1 w/ NSEC3 w/o going insecure. NSEC + NSEC3PARAM however could be rejected as could having multiple NSEC3PARAM records. Paul Not named-checkzone (yet) but the following are in BIND 9.6.2. 2686. [bug] dnssec-signzone should clean the old NSEC chain when signing with NSEC3 and vice versa. [RT #20301] 2683. [bug] dnssec-signzone should clean out old NSEC3 chains when the NSEC3 parameters used to sign the zone change. [RT #20246] dnssec-signzone works on the zone as a whole so it is in the position to do this in a straight forward manner. Named, however, needs to support multiple NSEC3 chains (though not all may be complete) as it does its work incrementally but perhaps it could be argued that when you finish adding new NSEC3 chain incrementally the old one should be removed. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC
In message prayer.1.3.2.0909291446310.21...@hermes-1.csi.cam.ac.uk, Chris Thom pson writes: DNSSEC certainly adds to the aggravation of having lots of piddling little reverse zones. Some people may just decide not to bother signing reverse zones (reverse lookup results should only be treated as a hint, anyway). DNSSEC makes no difference to the count of reverse zones unless you are depending on the nameserver filtering out records that shouldn't be loaded into a zone. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Query Refused problem
Have you read the documentation that describes what allow-query does? varlistentry termcommandallow-query/command/term listitem para Specifies which hosts are allowed to ask ordinary DNS questions. commandallow-query/command may also be specified in the commandzone/command statement, in which case it overrides the commandoptions allow-query/command statement. If not specified, the default is to allow queries from all hosts. /para note para commandallow-query-cache/command is now used to specify access to the cache. /para /note /listitem /varlistentry varlistentry termcommandallow-query-cache/command/term listitem para Specifies which hosts are allowed to get answers from the cache. If commandallow-query-cache/command is not set then commandallow-recursion/command is used if set, otherwise commandallow-query/command is used if set unless commandrecursion no;/command is set in which case commandnone;/command is used, otherwise the default (commandlocalnets;/command commandlocalhost;/command) is used. /para /listitem /varlistentry Mark In message 4ac36444.9000...@whgl.uni-frankfurt.de, Sven Eschenberg writes: Dear list, This seems more tricky, then I thought. When I had no allow-query statement at all in my config, everything worked find (includign recursion) for all clients, that were in subnets directly attached to the server. The external view (authoriative, non recursive) did work for every client as supposed to. Now a client on a not directly attached subnet, with it's own view, could not resolve anything, except local zones on the server. (Though recursion was turned on for the view). External view's clients could nto recurse, though recursion was turned on, obviously to realyl recurse I'd need an allow-query statement. Adding an allow-query statement to the general config, limitied to the campus network made all local views work, but with the result, that no client matching the external view could looks up the authoriative zones. Now, I am wondering if I did set uop everything right afterall, here's what I did do: External view, no recursion, allow-query {any;} Not directly attached client with internal view: match on client's ip, allow recursion, allow query for the client's ip. all other internal views, matched by locally attached netowrks, no allow-query statement, allow recursion. This seems to work. I am wondering: Would it be harmfull to allow queries by any host (globally) as long as external clients (in their view) are not allowed any recursion? Would that be more feasible? Regards -Sven Sven Eschenberg schrieb: I got it fixxed with an allow-query statement. But this arises another question: Does bind implicitly add allow-queries for locally attached interfaces and the networks configured for these? I am asking, because it used to work for all the subnets directly attached to the machine. Regards -Sven Sven Eschenberg schrieb: Dear list, I have one client with a specific zone. When the client does a query for localhost on the nameserver, or a reverse lookup for 127.0.0.1, everything seems perfectly okay. As soon, as the client tries to lookup i.e. google.de or any external ip, I am getting query refused errors. Sep 30 14:21:40 gw named[28715]: client ip of matched client#1039: view watchdog: query (cache) 'www.google.de/A/IN' denied Sep 30 14:21:40 gw named[28715]: client ip of matched client#1040: view watchdog: query (cache) 'www.google.de/A/IN' denied The DNS-Server works as a recursor for the client. What puzzles me most is: I cloned another internal view, which works perfectly well for the clients matched by it. What might I be missing here, what can trigger a query refused answer like this? Regards -Sven ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742
Re: Zone File Permission Question
In message blu143-w25839d996784c2e16bdb91a2...@phx.gbl, Jim Williams writes: Hello=2C =20 I have what seems to be a very basic question that I have been unable to fi= nd an answer for. What determines the settings of the file permissions (and= how can I change those default settings) on zone files created during a zo= ne transfer=2C BIND or the OS (Solaris)?=20 =20 thanks - jw As with any other process the umask() is used. Hotmail=AE has ever-growing storage! Don=92t worry about storage limits. Ch= eck it out. =0A= _=0A= Insert movie times and more without leaving Hotmail=AE.=0A= http://windowslive.com/Tutorial/Hotmail/QuickAdd?ocid=3DTXT_TAGLM_WL_HM_Tut= orial_QuickAdd_062009= -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Query Refused problem
In message 200910011237.09...@zmi.at, Michael Monnerie writes: On Donnerstag 01 Oktober 2009 Mark Andrews wrote: =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 Specifies which hosts are allowed to = get answers =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 from the cache. =A0If commandallow-query-cache/command is not set then commandallow-recursion/command is used if set, otherwise commandallow-query/command is used if set unless commandrecursion no;/command is set in which case commandnone;/command is used, otherwise the default (commandlocalnets;/command commandlocalhost;/command) is used. Not exactly a good explanation. At least, I've read it twice and still = don't exactly know where the if..else..elseif... parts connect. Maybe = someone could change that to pseudocode with if statements, or make it = several sentences so it's clear where if..unless..except..otherwise = parts start and end. mfg zmi -- = if (set(allow-query-cache)) use allow-query-cache; else if (set(allow-recursion)) use allow-recursion; else if (set(allow-query)) use allow-query; else if (set(recursion no;)) use { none; }; else use { localnets; localhost; }; // Michael Monnerie, Ing.BSc- http://it-management.at // Tel: 0660 / 415 65 31 .network.your.ideas. // PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import // Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4 // Keyserver: wwwkeys.eu.pgp.net Key-ID: 1C1209B4 ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Glue record miunderstanding
In message 73e2882f-00b3-41cb-b46d-351774486...@conundrum.com, Matthew Pounse tt writes: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01-Oct-2009, at 19:03, Scott Haneda wrote: So I see my NS is listed in the additional section. This to me tells me there is in fact glue, so I should consider the report at http://i ntodns.com/hostwizard.com to be inaccurate? Yeah, I just ran a few queries and can't figure out what exactly it's complaining about. Matt It's making a observation (i in a blue circle) that there were not additional records for ns1.nacio.com being returned by ns1.hostwizard.com presumable because ns1.hostwizard.com doesn't serve the zone that contains ns1.nacio.com. There is nothing wrong with this. These records are NOT GLUE records. Only parent servers return GLUE records. That being said there would be a error condition if the address (A/) record for ns1.hostwizard.com didn't exist except as glue. The way to check for that is to make a query for ns1.hostwizard.com and follow all the delegations until you get to the zone that serves ns1.hostwizard.com. Modern versions of named attempt to detect glue only delegations and refuse to load zones that contain have them. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind, dnssec, udp fragmentation woes.
You really want to work out what is being blocked, EDNS?, responses bigger that 512 bytes? DNSSEC? fragmented responses? With a clean path all of these should succeed but only the last one won't have tc set. This does a plain DNS query, a EDNS query that limits the response to 512 bytes, a DNSSEC query that limits the response to 512 bytes, a DNSSEC query that limits the response to something that would not normally be fragmented but exceeds 512 bytes, a DNSSEC query that will normally be fragmented. % dig soa se @192.36.133.107 +norec +ignore % dig soa se @192.36.133.107 +norec +ignore +bufsize=512 % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200 % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200 +dnssec % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec Named does the following by default. Ensure you have a up to date version of namesd dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec dig dnskey se @192.36.133.107 +norec +ignore Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind, dnssec, udp fragmentation woes.
In message 1254502519.14277.16.ca...@dv6d4k1-u, Nicholas Wheeler writes: On Fri, 2009-10-02 at 13:22 +1000, Mark Andrews wrote: You really want to work out what is being blocked, EDNS?, responses bigger that 512 bytes? DNSSEC? fragmented responses? With a clean path all of these should succeed but only the last one won't have tc set. This does a plain DNS query, a EDNS query that limits the response to 512 bytes, a DNSSEC query that limits the response to 512 bytes, a DNSSEC query that limits the response to something that would not normally be fragmented but exceeds 512 bytes, a DNSSEC query that will normally be fragmented. =20 % dig soa se @192.36.133.107 +norec +ignore=20 % dig soa se @192.36.133.107 +norec +ignore +bufsize=3D512 The above two work, the below four do not work (connection timed out; no servers could be reached).=20 (note: I replaced se with my domain.tld, and the @ with my server). % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=3D1200 % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=3D512 +dnssec % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=3D1200 +dnssec % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=3D4096 +dnssec =20 Mark Thanks for the help, but I don't know what this implies, other than nothing dnssec-related with udp works ;) It means you have a device in the path that doesn't like UDP answer bigger that 512 bytes *and* also doesn't like having DO set. ; DiG 9.3.6-P1 dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 52624 ;; flags: qr aa tc ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;se.IN DNSKEY ;; Query time: 334 msec ;; SERVER: 192.36.133.107#53(192.36.133.107) ;; WHEN: Tue Oct 6 09:16:58 2009 ;; MSG SIZE rcvd: 31 Now what you need to do is use a packet sniffer to see which devices are blocking the queries/responses (there may be more than one). You may also want to talk to the manufactures first. They should be able to tell you how to configure your boxes to work correctly to support DNSSEC. As things are curently configured you won't get DNSSEC working. You may need to upgrade firmware or even replace some boxes. The IP330 was introduced in 1999 so it may not have firmware that handles DNSSEC properly. Mark Thanks, --=20 Nicholas Wheeler Systems Administrator Development Infostructure --=-4uanAoS33Xc7mxoOFN+w Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iEYEABECAAYFAkrGMHQACgkQ8xWIEdi0CHEavwCdGACm3VOyfctcd/IfmiW2upIK Q2YAnAhSkPdnAgvPqzJg6Nzod4EKNuXc =//Z9 -END PGP SIGNATURE- --=-4uanAoS33Xc7mxoOFN+w-- --===2355657698356755570== Content-Type: text/plain; charset=us-ascii MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users --===2355657698356755570==-- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: SIBLING GLUE address records (A or AAAA)
In message hadipa$o6...@sepe.rau.edu.uy, Sergio Ramirez writes: Hi, In the following example, the authoritive server for zone .xx has configured the delegations of the zones example.xx and otherexample.xx: example.xx NS ns1.example.xx example.xx NS ns2.example.xx ns1.example.xx A 11.22.33.44 ns2.example.xx A 11.22.33.55 otherexample.xx NS ns3.example.xx otherexample.xx NS ns4.example.xx the bind report these messages: ns3.example.xx has no SIBLING GLUE address records (A or ) ns4.example.xx has no SIBLING GLUE address records (A or ) because the glue records are not configured in the zone .xx, for ns3.example.xx and ns4.example.xx Are these glue records requiered ? I understand that is not. Is this right ? Regards, -- Sergio R. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Whether SIBLING GLUE is needed or not depends on what other glue there is. Take this example. The sibling glue is required for the delegation to work. otherexample.xx NS ns3.example.xx otherexample.xx NS ns4.example.xx example.xx NS ns1.otherexample.xx example.xx NS ns2.otherexample.xx There are even more complicated examples that require out of zone glue to work. Working out which glue is accepted is a trade-off between being able to track down bad data and having a delegation work. Named accepts and returns glue that is under the parent. Bad glue is then traceable. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem on CNAME configuration.
In message 20091005212435.ga26...@laperouse.bortzmeyer.org, Stephane Bortzmey er writes: On Mon, Oct 05, 2009 at 04:41:24PM +0200, Cyril Gaudin - Rodacom c.gau...@rodacom.fr wrote a message of 72 lines which said: Maybe squid didn't append domainname in the dns request? squid.conf: # TAG: append_domain # Appends local domain name to hostnames without any dots in # them. append_domain must begin with a period. # # Be warned there are now Internet names with no dots in # them using only top-domain names, so setting this may # cause some Internet sites to become unavailable. And such names should not be in use. Only heirachical host names should be in use now. Heirachical hostnames contain interior periods. RFC 921 actually said what was supposed to happen. Unfortunately some operators of TLD's failed to pay attention. Just because DNS servers didn't block a record being added that didn't make it correct for them to add it. # #Example: # append_domain .yourdomain.com # #Default: # none ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with rndc
In message 20091009082853.201...@gmx.net, Tom Schmitt writes: Hi, I'm running Bind 9.6.1-P1 on a Solaris 10-Box as a slave with different vie= ws and it is running fine. Now I want to use rndc. I don't have a rndc.conf, only a rndc.key. If I try something like rndc reload rndc reconfig rndc stop rndc halt it is working fine and does what I expect it to do. But if I try one of these two commands: rndc refresh example.com rndc retransfer example.com I get an errormessage from rndc: rndc: 'refresh' failed: not found or rndc: 'retransfer' failed: not found Specify the class and view I get this with every domain I tried. I checked if I use the correct rndc a= nd the version is 9.6.1-P1. Can anyone give me a hint what I'm doing wrong? Thanks, Tom. -- = GRATIS f=FCr alle GMX-Mitglieder: Die maxdome Movie-FLAT! Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01 ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: adding new RR?
In message 20091015135428.ga19...@fantomas.sk, Matus UHLAR - fantomas writes: On 15.10.09 21:29, aihua zhang wrote: recently,i want to modify source code of BIND9.6.1 to adding new RR. Don't do that. You bind will be incompatible with any other DNS server and it could lead to As long as the type is registered it doesn't matter. Now,i just begin to check RR to see how it work,but i find this method exhausting me.i don't think this way is effective,so i'm very appreciate some one could give me a guid, or some example:souce code is perfect You have lots of examples. see lib/dns/rdata/*/*.[ch] This is where the rdata are defined. Just run make clean then make once you have created the new files so that the build process can find them. Better try to explain what do you want to achieve -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 42.7 percent of all statistics are made up on the spot. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Nslookup not showng TTL
In message 76d7097b-28a4-4bbb-a2c8-05bf5b822...@conundrum.com, Matthew Pounse tt writes: On 15-Oct-2009, at 16:03, John Horne wrote: On Thu, 2009-10-15 at 13:15 -0400, Kevin Darcy wrote: Removing features from nslookup gets us that much closer to KILLING and BURYING it. Forever. So why does the ISC still distribute it? (Although I guess the answer may simply be because people still use it.) There was a while there that nslookup printed a big warning banner telling you not to use it because it'd been deprecated and would go away any day now. That doesn't seem to be there anymore, sadly. I kinda wish it would just vanish. We lost the battle to get rid of nslookup. Index: bin/dig/nslookup.c === RCS file: /proj/cvs/prod/bind9/bin/dig/nslookup.c,v retrieving revision 1.122 diff -u -r1.122 nslookup.c --- bin/dig/nslookup.c 6 May 2009 23:47:50 - 1.122 +++ bin/dig/nslookup.c 15 Oct 2009 12:45:26 - @@ -373,6 +373,7 @@ printrdata(rdata); } dns_rdata_reset(rdata); + printf(\tttl = %u\n, rdataset-ttl); loopresult = dns_rdataset_next(rdataset); } } -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problems with include in acl file
In message 4adb44a5.2060...@htt-consult.com, Robert Moskowitz writes: Chris Thompson wrote: On Oct 18 2009, Joseph S D Yao wrote: On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote: I am trying to build up an environment where the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named: Error in named configuration: named.acl:3: missing ';' before '' ... Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf, it seems to me that include is a statement, and needs to be parsed outside of any other statements, not inside a statement. That's what it *says* ... but it is being economical with the truth! Inside the acl statement the parser would expect to see IP addresses, networks in the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword key, and the names of other ACLs. When it encounters the word include in this context, it parses it as the name of an ACL - after which, the '' is out of place. As long ago as BIND 9.2, you'll find this in the CHANGES file: 764. [func] Configuration files now allow include directives in more places, such as inside the view statement. [RT #377, #728, #860] Roughly, include can occur instead of a keyword in any list where all list elements are introduced by keywords; e.g. view, options, logging, zone. But not acl because the elements there do not (in general) start with keywords. Oh, fiddlesticks ;)' This complicates matters. It would have made it very easy to bootstrap into this process if this was supported. acl's can include other acls. I'm having a hard time seeing why you need to include a file here. include custom.acl; // defines acl customacl acl hdanets { 92.168.1.0/24; // hda network customacl; }; For the whole truth, you need to look at lib/isccfg/namedconf.c and lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody in the latter gets called :-( I am not much into reading c code. I never really programmed in c. Did do some programming in b So reading someone elses script and recommending changes has been challenging enough! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: refuse in notify slave
In message 4adfe607.4050...@gmail.com, Nelson Serafica writes: I have multiple ip address on my primary ns server. (eth0 , eth0:1 , eth0:2). Let's say eth0 is 1.2.3.4, eth0:1 is 2.3.4.5 and th0:2 is 3.4.5.6. I have a slave ns server but everytime I do rnd c reload and check secondary ns on syslog, I see refused notify from non-master: 1.2.3.4#48499 where 1.2.3.4 is the ip of eth0. Is it possible the ip address that will send to slave will be 4.5.6.7 (eth0:2) and not 1.2.3.4 (eth0)? notify-source ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: isc.org has signed delegation
In message 4adfeaab.8060...@north-winds.org, Loren M. Lang writes: I just noticed that isc.org has a signed delegation from the .org name servers. I am curious what registrar you went through to get this. --=20 Loren M. Lang lor...@north-winds.org http://www.north-winds.org/ It was added as part of the Friend and Family step. We worked directly with the registry. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Can I have a *.domain.com A record
In message 4ae5c6cc.8020...@ou.edu, Peter Laws writes: Hey! RTFRFC! :-) Except a scanning of that RFC doesn't say anything about not using them, only in clarifying RFC 1034's intentions regarding wildcards. So, why is it a very bad idea? Peter What is legal and what works well are two very differnet things. Wild cards lead to more application traffic than populating the zone with the actual domains that are in use. If you are in a position to know all the names in use (and a virtual web hoster is) then wild cards should not be used. Wild cards are designed for the case where it is impossible to know all the names in use which is why there were mainly use for MX records to get mail to mail gateways. Other uses are often administrators being lazy and as a result everyone else picks up the cost of that laziness. Yes, there is a real cost if a web browser makes a http connection only to be told the virtual address does not exists. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: libbind ns_sign() and ns_verify() parameter in_timesigned not documented
In message 4ae58fd9.8020...@sun.com, Stacey Jonathan Marshall writes: The tsig manual page description for ns_sign() and ns_verify() include a parameter named in_timesigned of type time_t. However there is no description of this parameter as there is for the others: $ less libbind-6.0/doc/tsig.cat3 TSIG LOCALTSI G NAME ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp, ns_verify_tcp_init, ns_find_tsig -- TSIG system SYNOPSIS int ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k, const u_char *querysig, int querysiglen, u_char *sig, int *siglen, time_t in_timesigned); ... int ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig, int querysiglen, u_char *sig, int *siglen, time_t in_timesigned, int nostrip); From a cursory review it does not seem to be used unless error == ns_r_badtime. Could someone describe the purpose of parameter? Theoretically a client can take the bad time response and compute a time delta and use it to adjust the timestamp in future communications to the server. This allows the client to correct for clock skew if it wants. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Regarding EDNS Responses.
In message 001501ca5785$257c7220$21011...@china.huawei.com, Ashwin writes: Hi All, RFC 2671 mentions in Section 5.3 Responders who do not understand these protocol extensions are expected to send a response with RCODE NOTIMPL, FORMERR, or SERVFAIL. However the above mentioned error codes are shared [SERVFAIL, NOTIMPL] are shared, so how do we ascertain that the error code returned is an indication that a particular server is non-EDNS, since the error might be returned due to some other reason also. So essentially my query is how do we decide that a particular server is EDNS or not? Can it be assumed that each time the above three error codes are returned , it signifies that the DNS server is not EDNS capable? You assume it is EDNS if it is in response to a EDNS query and retry w/o EDNS. It the problem is EDNS the plain DNS query will succeed. If it is not EDNS the plain EDNS query will fail. Regards Ashwin -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Regarding EDNS Responses.
It's not a perfect world. Even getting back a EDNS response does not indicate that the server understands EDNS. In message 002301ca579c$56deb0f0$21011...@china.huawei.com, Ashwin writes: In message 001501ca5785$257c7220$21011...@china.huawei.com, Ashwin writes: Hi All, RFC 2671 mentions in Section 5.3 Responders who do not understand these protocol extensions are expected to send a response with RCODE NOTIMPL, FORMERR, or SERVFAIL. However the above mentioned error codes are shared [SERVFAIL, NOTIMPL] are shared, so how do we ascertain that the error code returned is an indication that a particular server is non-EDNS, since the error might be returned due to some other reason also. So essentially my query is how do we decide that a particular server is EDNS or not? Can it be assumed that each time the above three error codes are returned , it signifies that the DNS server is not EDNS capable? Hi Mark, You assume it is EDNS if it is in response to a EDNS query and retry w/o EDNS. It the problem is EDNS the plain DNS query will succeed. If it is not EDNS the plain EDNS query will fail. Thanks for you response. I have a doubt though. I send out an EDNS query, for the response the following possibilities a) Success, with OPT RR, I assume server is EDNS capable b) Failure with RCODE NOTIMPL, FORMERR, or SERVFAIL with or without OPT RR. In b) I do not know whether server is EDNS or not, since server might return NOTIMPL SERVFAIL error codes for some other reason also. If I consider the case that retry with plain DNS query is success and assume EDNS was problem, I think maybe its not correct because SERVFAIL might happen for some other reason at the time EDNS query is sent, but that error is resolved by the time the plain DNS query is sent. So even though server is EDNS i would assume it is non-EDNS. The idea is to identify whether a server supports EDNS through a first query, and then subsequent requests we send based on this identification. One could call it a pseudo-caching of the EDNS feature for servers. I hope I made myself clear :( Regards Ashwin -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: how to debug
In message e1b1ab9e0910281921j612d2982le3170b6dc3d60...@mail.gmail.com, aihua zhang writes: HI, I have already analysis where to add new RR,and how to make it works. But i don't contact automake tool before, so reading so large configure and makefiles make me feel so bad. I try to understand ,but it just myself alone to do this , so anyone can give some guide how to debug the source code =A1=A2 how to modify makefile and test result! I'll repeat what I said before make clean then make. You don't need to touch configure or the Makefiles. You just need to do a clean build. The process will look in lib/dns/rdata and find the files there. Mark Thanks very much=A3=A1 --=20 Best regards! --001485354cc2c8f4fa0477099043 Content-Type: text/html; charset=GB2312 Content-Transfer-Encoding: quoted-printable divHI,/div divnbsp;nbsp;nbsp; /div divnbsp; Inbsp; have already analysis where to add new RR,and how to ma= ke it works./div divnbsp;But i don#39;t contactnbsp;nbsp;automake tool before, so read= ing so large configure and makefiles make me feel so bad.nbsp;I try to und= erstand ,but it just myself alone to do this ,nbsp;so anyone can give some= guidenbsp;how to debug the source codenbsp;=A1=A2nbsp;hownbsp;to modif= y makefilenbsp;and test result!/div divnbsp;/div divnbsp;Thanks very much=A3=A1br clear=3Dallbr-- brBest regards!= brbr/div --001485354cc2c8f4fa0477099043-- --===8156758388202099534== Content-Type: text/plain; charset=us-ascii MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users --===8156758388202099534==-- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Feature request - disable internal recursion cache
In message 4aeb00d0.8030...@doit.wisc.edu, Michael Hare writes: For those of us that are still running auth and recursive on the same IP, I believe the benefit would be to deploy a best practices recursive only nameserver on a different machine/IP address without getting, in my case, possibly hundreds of thousands of clients to change their DNS resolver IP address. In the surface, I too find this to be an interesting idea. -Michael It's much easier to move authoritative servers to new addresses. Just change the delegation and the iterative traffic will follow. You can keep the old server as a stealth slave. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: One A record fails on one server on Sunday evening
In message 961092e10911030921x3ff3ce60xdb3d1f0534159...@mail.gmail.com, Josh Luthman writes: How do I export the cache dump? rndc dumpdb on the first execute took a few seconds, but after updatedb locate named_dump.db (as it suggested it would store it there) returns nothing. The man page for rndc doesn't say anything about these commands either. You need to look at either of the following locations. The latter is used when dump-file contains a absolute path. chrootdirectorydump-file chrootdump-file chroot (as specified by -t on the command line) directory (as specified by the directory clause in named.conf and defaults to .) dump-file (as specified by the dump-file clause in named.conf and defaults to named_dump.db) e.g. chroot = /choot directory = /var/named dump-file = named_dump.db gives /choot/var/named/named_dump.db chroot = /var/named directory = . dump-file = named_dump.db gives /var/named/./named_dump.db chroot = (not set as -t not used) directory = /var/named dump-file = named_dump.db gives /var/named/named_dump.db chroot = /chroot directory = /var/named dump-file = /data/named_dump.db gives /chroot/data/named_dump.db Mark Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 When you have eliminated the impossible, that which remains, however improbable, must be the truth. --- Sir Arthur Conan Doyle -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: PTR zone /28 not working
First you should ask your ISP to fix the names of the nameservers in the delegation of 224/28.66.6.190.in-addr.arpa. It looks like they left the final period off the names. This is a relatively common stuff up. 225.66.6.190.in-addr.arpa. 2000 IN CNAME 225.224/28.66.6.190.in-addr.arpa. 224/28.66.6.190.in-addr.arpa. 2000 IN NS ns2.mincex.cu.66.6.190.in-addr.arpa. 224/28.66.6.190.in-addr.arpa. 2000 IN NS ns1.mincex.cu.66.6.190.in-addr.arpa. ;; Received 114 bytes from 200.55.128.3#53(ns1.etecsa.net) in 1536 ms [Note: I only found this because you have now given me the real domain names involved.] Next you should configure your nameservers to be stealth slaves for 66.6.190.in-addr.arpa. If your ISP blocks this, find another ISP as they don't know what they are doing. You *need* this to allow internal reverse lookups to succeed when the external link is down. zone 66.6.190.in-addr.arpa { type slave; notify no; // don't send notify messages to the offical servers masters { 200.55.128.3; 200.55.128.4; 200.55.128.10; 200.55.128.11; }; file 66.6.190.in-addr.arpa.db; allow-transfer { none; }; }; The PTR records go in the 224/28.66.6.190.in-addr.arpa zone for which one of you machines will be master and the other slave. On ns1.mincex.cu: zone 224/28.66.6.190.in-addr.arpa { type master; file 224-28.66.6.190.in-addr.arpa.db; }; 224-28.66.6.190.in-addr.arpa.db: $TTL 38400 @ SOA ns1.mincex.cu. chismoso.mincex.cu. 2009110401 10800 3600 604800 38400 @ NS ns1.mincex.cu. @ NS ns2.mincex.cu. 226 PTR ns1.mincex.cu. 227 PTR ns2.mincex.cu. On ns2.mincex.cu: zone 224/28.66.6.190.in-addr.arpa { type slave; master { 190.6.66.226; }; file 224-28.66.6.190.in-addr.arpa.db; }; In message 58636e100911051001u195d5c86rb80905a0e91c1...@mail.gmail.com, joans 4nz writes: --===4159216347487687440== Content-Type: multipart/alternative; boundary=0015175defdc1141090477a385b9 --0015175defdc1141090477a385b9 Content-Type: text/plain; charset=ISO-8859-1 Hi, Thank you Mr Mark Andrews for your answer, and yes, I want help. I am sorry about my first message, I repeat bellow, so I change all CCC.BBB.AAA.in-addr.arpa's to my real numbers. Thank you one more time, but i don't understand very well your answers. You said: Well you don't serve 66.6.190.in-addr.arpa and you don't allow recursion. You should make yourself a stealth slave for 66.6.190.in-addr.arpa. That way reverse lookups will continue to work when your external link goes down. It will also allow remote tools to not require recursion to be enabled to find the CNAME records when they query your server. So do I must configure the zone 66.6.190.in-addr.arpa. as slave in my named.conf, and in the zone file do I must write the same SOA configuration of my ISP for this zone with the same serial, mail address, . and in NS records write this? IN NS ns1.etecsa.net ;My ISP name server IN NS ns2.etecsa.net ;My ISP name server IN NS ns3.etecsa.net ;My ISP name server IN NS ns4.etecsa.net ;My ISP name server IN NS ns1.mincex.cu ;My name server # 1 IN NS ns2.mincex.cu ;My name server # 2 Is that correct? Because I don't know if my ISP allow transfer a copy of this zone to my DNS servers, I think is not allowed. You said: The zone's name is 224/28.66.6.190.in-addr.arpa, 226.66.6.190.in-addr.arpa in not part of the zone. Why not? If my new ip range address are from 190.6.66.25 to 190.6.66.238, I think 224/28.66.6.190.in-addr.arpa include 226.66.6.190.in-addr.arpa address. Please explain me more about it? 226.66.6.190.in-addr.arpa does not end in 224/28.66.6.190.in-addr.arpa so it is not part of the 224/28.66.6.190.in-addr.arpa zone. This has nothing to do with which IP addresses you are using. It is related to which DNS namespaces are in use. Mark - Hi, I use Bind-9.4.2 running on FreeBSD-7.2. Last week my DNS was reconfigured to a new IP address pool by my ISP and by me from a /29 to /28 address range. Using How is my DNS I check my domain and all is good except reverse lookup. My ISP also reconfigured the PTR zone and delegate the reverse zone like RFC-2317 and this is the change executed by my ISP. 224/28 IN NS ns1.mincex.cu 224/28 IN NS ns2.mincex.cu 225IN CNAME 225.224/28.66.6.190.in-addr.arpa. 226IN CNAME 226.224/28.66.6.190.in-addr.arpa. 227IN CNAME 227.224/28.66.6.190.in-addr.arpa. 228IN CNAME 228.224/28.66.6.190.in-addr.arpa. 229IN CNAME 229.224/28.66.6.190.in-addr.arpa. 230IN CNAME 230.224/28.66.6.190.in-addr.arpa. 231IN CNAME 231.224/28.66.6.190.in-addr.arpa. 232IN CNAME 232.224/28.66.6.190.in-addr.arpa. 233IN CNAME 233.224/28.66.6.190.in-addr.arpa. 234
Re: Reverse DNS Dig returning PTR results only with trace option
. IN PTR ;; ANSWER SECTION: 228.134.254.63.in-addr.arpa. 3599 INPTR test228.moneytreesystems.com. ;; AUTHORITY SECTION: 228.134.254.63.in-addr.arpa. 7057 INNS ns1.cyzap.net. 228.134.254.63.in-addr.arpa. 7057 INNS ns2.cyzap.net. ;; ADDITIONAL SECTION: ns1.cyzap.net. 12523 IN A 63.254.134.3 ns2.cyzap.net. 1723IN A 64.253.181.53 ;; Query time: 7 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Nov 10 11:11:56 2009 ;; MSG SIZE rcvd: 164 - Now I can do a dig for an hour or so. But again I run into same problem. It wont return PTR record unless I explicitly do dig on ns1.cyzap.net. Also, the last did showing ns1.cyzap.net as Authority NS for this IP. But trace showing ns1.moneytreesystems.com as final sender. Could someone shed a light on this? Overall, I was trying to achieve delegation of subnet from ns1.cyzap.net to ns1.moneytreesystems.com. I tried RFC 2317, but that is suing CNAME and having a lot of problem. So I just delegated each one of single IP on my /28 subnet from ns1.cyzap.net to ns1.moneytreesystems.com.. Please have some suggestion to make it work completely with authoritative to be ns1.moneytreesystems.com. Thank you, Rajendra Adhikari ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Reverse DNS Dig returning PTR results only with trace option
In message 4af9dfba.6040...@cyzap.com, Raj Adhikari writes: Thanks Chris for the reply. Actually, let me put my question the other way. How can one delegate the classless subnet to other DNS? Actually, one of our ISP could not delegate classless subnet to our server ns1.cyzap.net. I am trying to help them in delegating the classless subnet to us. So this scenario is simulating our ISP and us. I was just testing with one of our other subnets checking if delegation will work. Unfortunately, we both are using windows DNS. Windows just have RFC 2317 way on configuring the delegation on it KB article using CNAME, which I think has lots of problems. But I am following this BIND way for delegation. I think, in windows the DNS configuration is more or less similar to BIND. In this scenario, lets say ns1.cyzap.net is my ISP and ns1.monetreesystems.com is us. ns1.cyzap.net owns 63.254.134.0/24 and ns1.moneytreesystems.com take a subnet 134.224/28 from them. So isn't there a way for ns1.cyzap.net to delegate the subnet to ns1.moneytreesystems.com? Do ns1.cyzap.net again have to talk to their upper ISP to delegate directly to us? What if upper ISP also need to ask their upper tier ISP. It seems I am lacking some basic concept here about the owner of the subnet. If a true owner delegates the subnet to its client ISP, can't this ISP again delegate the classless subnet agin to its client ISP? Thank you, Rajendra Adhikari You tell your ISP where the delegation needs to point. If your ISP controls the exclosing name in the DNS namespace they update it there or they pass on your request to where they got their address space from. Repeat until the delegation is added to the parent zone. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Reverse DNS Dig returning PTR results only with trace option
talking about. People complaining on forums about having botched their RFC 2317 configs, probably *don't*. In this scenario, lets say ns1.cyzap.net is my ISP and ns1.monetreesystems.com is us. ns1.cyzap.net owns 63.254.134.0/24 and ns1.moneytreesystems.com take a subnet 134.224/28 from them. So isn't there a way for ns1.cyzap.net to delegate the subnet to ns1.moneytreesystems.com? The /24 is delegated to ns1.cyzap.net. Zone delegation is on octet boundaries. So the next available boundary for delegation would be /32, i.e. delegating each of the 16 usable addresses (or perhaps just the 14 usable addresses) individually. Do ns1.cyzap.net again have to talk to their upper ISP to delegate directly to us? No, that doesn't help. What would the /16 nameservers delegate? They've already delegated 134.254.63.in-addr.arpa, there's nothing more you can expect of them. - Kevin Chris Hills wrote: On 10/11/09 18:25, Raj Adhikari wrote: Now I can do a dig for an hour or so. But again I run into same problem. It wont return PTR record unless I explicitly do dig on ns1.cyzap.net. Also, the last did showing ns1.cyzap.net as Authority NS for this IP. But trace showing ns1.moneytreesystems.com as final sender. Could someone shed a light on this? 254.63.in-addr.arpa.86400 IN NS NS3.MCLEODUSA.NET. 254.63.in-addr.arpa.86400 IN NS NS1.MCLEODUSA.NET. 254.63.in-addr.arpa.86400 IN NS NS2.MCLEODUSA.NET. ;; Received 112 bytes from 192.42.93.32#53(y.arin.net) in 173 ms 228.134.254.63.in-addr.arpa. 7200 INNS ns1.cyzap.net. 228.134.254.63.in-addr.arpa. 7200 INNS ns2.cyzap.net. ;; Received 90 bytes from 209.253.113.19#53(NS3.MCLEODUSA.NET) in 159 ms 228.134.254.63.in-addr.arpa. 3600 INNS ns2.moneytreesystems.com. 228.134.254.63.in-addr.arpa. 3600 INNS ns1.moneytreesystems.com. ;; BAD (HORIZONTAL) REFERRAL ;; Received 160 bytes from 64.253.181.53#53(ns2.cyzap.net) in 167 ms You should not chain a delegation in this manner. Either make the servers ns1.cyzap.net. and ns2.cyzap.net. authoritative for 228.134.254.63.in-addr.arpa. or have your ISP change the NS records to point directly to ns1.moneytreesystems.com. and ns2.moneytreesystems.com. The cyzap servers do not respond with the authority bit set (aa in dig). Regards, Chris ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Modifying Mixed Case Mid-level Domain Names to be all Lower Case
In message 200911151416.nafeg2n5083...@dc.cis.okstate.edu, Martin McCormick w rites: Hauke Lampe writes: When BIND writes zone files, it uses $origin to group records that share a common base name. Just update delete/add all records and the mixed case $origin disappears. It did. Many thanks. Note, all those scripts that got confused are actually broken. You may want to fix them anyway. Mark Martin McCormick WB5AGZ Stillwater, OK Systems Engineer OSU Information Technology Department Telecommunications Services Group ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS records visible only for LAN computers
In message snt114-w6194bd51e06259d620d29387...@phx.gbl, Peter Macko writes: Setup:I have a domain example.com that is hosted on DNS under control of my= internet provider.Web server www.example.com is hosted by another company.= I have setup a local DNS for computers on my LAN. I have a LDAP server on L= AN. Question:I want to make LDAP visible only for computers on LAN without alte= ring DNS (of the internet provider).The name of LDAP server should be ldap.= example.com. Is it possible to do it? I can think of two solutions:1) I could create master zone for example.com = on DNS (on LAN). This way I have to create A record for www.example.com=2Cb= ut if internet provider changed ip address of the web-server=2C computers o= n lan would not reachwww.example.com and I would have to update A record on= local DNS. 2) Another solution is to create zonefile for subdomain local.example.com o= n LAN DNS=2C so ldap.local.example.com.But this is not exactly what I want. What is the correct solution? Why don't you just create the zone ldap.example.com locally and transfer it between your local servers? zone ldap.example.com { ... allow-query { localnets; }; }; $TTL 3600 @ SOA internal.example.com. peter_macko.msn.com. 1 1200 600 36 180 @ NS internal.example.com. @ A IPv4 address of ldap server @ IPv6 address of ldap server Thank you =20 _ Windows Live: Friends get your Flickr=2C Yelp=2C and Digg updates when they= e-mail you. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/so= cial-network-basics.aspx?ocid=3DPID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_3:092= 010= -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: how to defense against ddos attack to dns?
In message blu149-w13ef74e1e2eba2fe9dd3f385...@phx.gbl, MontyRee writes: Hello, all. I have operated some dns servers and I'm curious what should I do if ddos attck to my dns servers. So do you know how to defense against dns dddos attack like root server? Surely, various ddos attack may be occurred. My idea is.. -. filtering 53/udp traffic that the byte is over 512 byte -. rate-limit against 53/udp queries (but useless if the attack spoof the source ip) -. deny recursion -. anycast? Is ther any comments or proposal? How you defend against a DoS attack depends on the actual attack and what services you are attempting to provide and to whom. You want to minimise collateral damage and some of the methods above are likely to introduce collateral damage. Thanks in advance. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: confused wiht the full resolver and stub resolver
In message 396ef6ed-a5a2-4c55-afd4-496b85278...@menandmice.com, Chris Buxton writes: On Nov 16, 2009, at 11:46 PM, aihua zhang wrote: HI, Thanks for your help! Now I'm analysis the lib function providing by the bind . bind software has three data format:struct format, wire format and the text format, from my understanding, it presents the RR in different three types.in them text format is the string type storing in the db, but i don't understand the wire format ,is that mean the data receive from the network and storing in the buffer ? and another question is struct format using environment is what ? This is mostly beyond my expertise, but I guess that wire format is the binary format used in the UDP packet. Struct format probably relates to the return value of the stub resolver library functions. Chris Buxton Professional Services Men Mice The text format is what is in master files and is what dig displays. This is standardized. The wire format is what is sent between machines. This is also how named and libdns store records internally with all compression pointers expanded. This is standardized. The struct format is a way to break down individual records into their components if they are known. This is useful for C programs that need to examine specific fields. This is not standardized. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND Secondaries of MS AD Integrated Zones
In message b07d01c0-86c2-45e6-ac8e-6fc3472d9...@menandmice.com, Chris Buxton writes: On Nov 17, 2009, at 5:01 PM, jim.siffe...@tektronix.com jim.siffe...@tektr onix.com wrote: Hi all, Most of our internal DNS zones are mastered in Microsoft DNS (2k3 R2) as AD Integrated zones. Currently, those zones are slaved from a single MS DNS se rver to our BIND 9 servers that handle recursion. Is there a reliable way to use multiple masters when slaving AD Integrated zones to BIND? In the O'Reilly book DNS on Windows Server 2003 a section on p. 324 calle d BIND Secondaries for Active Directory-Integrated Zones says serial number s can vary on otherwise synchronized MS DNS Servers, potentially causing a se rver to respond with an incorrect lower serial number. Hello Jim, The book is correct. Furthermore, if using multiple AD servers as masters, th ey can apply updates in different orders, so the IXFR mechanism breaks. I believe the only way to make this work would be to use the statement multi -master true; inside your zone statement. My understanding is that named (th e slave) will not compare versions between the two servers, essentially treat ing each DC's copy of the zone as separate and distinct. Thus, if it has to s witch over to the second-listed master, it will request a full zone transfer rather than an IXFR. multi-master true; still assumes correct zone serial number maintenance. It just prevents the warnings about serial number going backwards which is a normal side effect of having multiple masters vs a master with multiple addresses. Chris Buxton Professional Services Men Mice ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Insecure response BIND 9.7.0b2
In message alpine.lfd.2.01.0911191304100.24...@maplepark.com, David Forrest w rites: Logged: Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980: dlv.isc.org SOA: got insecure response; parent indicates it should be secure What does this mean? It means named fellback to making a plain DNS query due to multiple timeouts, or getting a SERVFAIL response to the EDNS queries, or something stipped out the RRSIGs or there was a attempt to poison the cache. The validator then rejected the answer as it knew it should be getting a secure response. In most cases named will re-do the query and get a good answer unless there is a configuration failure. Unfortunately there are nameservers that don't respond to EDNS queries. There are also firewalls that block DNS/UDP responses bigger 512 bytes or block EDNS queries/responses 10 years after the introduction of EDNS. There are also middleware that blocks/drops DNS/UDP responses that are fragmented. All of these things result in DNS lookups timing out which is indistinguishable from plain packet loss. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: loading zone: creating database: out of memory
At somepoint memory has to run out :-) Is this a 32 bit build or a 64 bit build? Have you set the per process resource limits appropriately. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC validation works with DLV, but not with just trusted-key
Or one could use DLV to provide the trust linkage. dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 1 11A4026F4E09B1C106AAF3AC81A37AA537B8A3E6 dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 2 6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71 A476E282 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC validation works with DLV, but not with just trusted-key
In message 200911252202.napm2asg000...@drugs.dv.isc.org, Mark Andrews writes: Or one could use DLV to provide the trust linkage. dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 1 11A4026F4E09B1C106AAF3AC81A37AA537B8A3E6 dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 2 6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71 A476E 282 Should have read the subject more closely. :-) In any case as Alan said, there needs to be a trusted path from a trust anchor to the data. DLV provides that trusted path. ORG will soon once they leave the friends and family stage. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Building 9.6.1-P2 for 32-bit Redhat RHEL 5.4
In message 8761a2bbe915df46bb20e017c891e48ca...@ferrari.coherent.cohtech.co.uk , Howard Wilkinson writes: I am trying to build a package based on 9.6.1-P2. The target platform is a 32 -bit ix86 environment. The build platform is a RHEL 5.4 x86_64 system. I have managed to build the native x86_64 package without problem, but I am getting a failure when building the package using a target setting equal to one of i 386,i586 and i686. The error is a message from the assembler saying that suffix or operands inv alid for 'xadd' This occurs when compiling lib/isc/stats.c. At present I do not have a 32-bit build environment I can try to natively bui ld this on, and was hoping that somebody could suggest how I can get round th is problem in the build environment I am using. Regards, HOward. Coherent Technology Limited, 23 Northampton Square, Finsbury, London EC1V 0HL , United Kingdom Telephone: +44 20 7690 7075 Mobile: +44 7980 639379 Company Email: coher...@cohtech.com Website: http://www.cohtech.com http://w ww.cohtech.com/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ./configure --build=i686-unknown-linux-gnu CC=gcc -m32 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: zonechecks test failing on 9.[456]
In message 4b1313c7.1040...@dougbarton.us, Doug Barton writes: I'm getting the failures logged below on all the recent versions of BIND. I went back and tested 9.6.1-P1 and it fails too, so it doesn't look like something that was introduced with the latest patches. This is on FreeBSD 9-current, and I don't think my args for configure are particularly exotic. For example on 9.6: --localstatedir=/var --disable-linux-caps --with-randomdev=/dev/random --with-openssl=/usr --with-libxml2=/usr/local --with-idn=/usr/local --with-libiconv=/usr/local STD_CDEFINES=-DDIG_SIGCHASE=1 --enable-ipv6 --enable-threads --prefix=/usr/local Also, is it weird that while 9.4 and 9.6 actually errored out, 9.5 just stopped? Any suggestions? Doug The test was written assuming we would make these errors fatal (they are currently warning). The result status is currently ignored. The UPDATE code would also need to re-run these checks after every update and reject those which would prevent the zone loading which it currently doesn't do. Mark -- Improve the effectiveness of your Internet presence with a domain name makeover!http://SupersetSolutions.com/ 9.4.3-P4 S:zonechecks:Sun Nov 29 14:50:37 PST 2009 T:zonechecks:1:A A:System test zonechecks I: checking that we detect a NS which refers to a CNAME I:failed (status) I: checking that we detect a NS which is below a DNAME I:failed (status) I: checking that we detect a NS which has no address records (A/) I:failed (status) I: checking that we detect a NS which has no records I:failed (status) I: checking that we detect a NS which looks like a A record (fail) I: checking that we detect a NS which looks like a A record (warn=default) I: checking that we detect a NS which looks like a A record (ignore) I: checking that we detect a NS which looks like a record (fail) I: checking that we detect a NS which looks like a record (warn=default) I: checking that we detect a NS which looks like a record (ignore) I:exit status: 1 R:PASS E:zonechecks:Sun Nov 29 14:50:47 PST 2009 *** Error code 1 Stop in dns/bind94/work/bind-9.4.3-P4/bin/tests/system. *** Error code 1 Stop in dns/bind94/work/bind-9.4.3-P4/bin/tests. 9.5.2-P1 S:zonechecks:Sun Nov 29 15:04:59 PST 2009 T:zonechecks:1:A A:System test zonechecks I: checking that we detect a NS which refers to a CNAME I:failed (status) I: checking that we detect a NS which is below a DNAME I:failed (status) I: checking that we detect a NS which has no address records (A/) I:failed (status) I: checking that we detect a NS which has no records I:failed (status) I: checking that we detect a NS which looks like a A record (fail) I: checking that we detect a NS which looks like a A record (warn=default) I: checking that we detect a NS which looks like a A record (ignore) I: checking that we detect a NS which looks like a record (fail) I: checking that we detect a NS which looks like a record (warn=default) I: checking that we detect a NS which looks like a record (ignore) I:exit status: 1 R:PASS E:zonechecks:Sun Nov 29 15:05:09 PST 2009 9.6.1-P2 S:zonechecks:Sun Nov 29 15:20:29 PST 2009 T:zonechecks:1:A A:System test zonechecks I: checking that we detect a NS which refers to a CNAME I:failed (status) I: checking that we detect a NS which is below a DNAME I:failed (status) I: checking that we detect a NS which has no address records (A/) I:failed (status) I: checking that we detect a NS which has no records I:failed (status) I: checking that we detect a NS which looks like a A record (fail) I: checking that we detect a NS which looks like a A record (warn=default) I: checking that we detect a NS which looks like a A record (ignore) I: checking that we detect a NS which looks like a record (fail) I: checking that we detect a NS which looks like a record (warn=default) I: checking that we detect a NS which looks like a record (ignore) I:exit status: 1 R:PASS E:zonechecks:Sun Nov 29 15:20:39 PST 2009 *** Error code 1 Stop in dns/bind96/work/bind-9.6.1-P2/bin/tests/system. *** Error code 1 Stop in dns/bind96/work/bind-9.6.1-P2/bin/tests. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: CLASS support
In message 20091130214313.9fff2114...@mx.isc.org, JFC Morfin writes: At 19:36 30/11/2009, Florian Weimer wrote: I understand that. But I need to use Private Use classes. The question is how do I do it? Use CLASS999 and similar identifiers (just like TYPE999 for types). I guessed the format from the code. But it fails. named-checkconf says that CLASS999 does not match view\default class? thx jfc Views are class specific. Just define multiple views. view in { }; view myclass CLASS999 { }; ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: zone vs domain
In message 402431.44413...@web112611.mail.gq1.yahoo.com, gmspro writes: What's the main difference between zone and domain? It's confusing to me,I'm searching though,i got once,zone is a portion of do main. Can someone give example to clear things up? example.net.SOA ns.example.net. hostmaster.example.net. ( 1 3600 1200 360 1200 ) example.net.NS ns.example.net. ns.example.net. A 1.2.3.4 www.example.net. A 1.2.3.5 All the above form a zone which would be called example.net. example.net, ns.example.net and www.example.net are individual domains within the zone. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: reverse zone file in external view not transferring to slave server??
In message 4b1576eb.2020...@netscape.net, Kaya Saman writes: Hi, now that I have my zones and reverse files sorted out I have managed to come across a problem which seems I had before even beginning any of this! Basically for some reason my reverse zone for the external view isn't transferring to my slave server this is quite strange as all the other forward zones for the external view work fine?? Here is config: named.conf file snippit for both servers: view external { match-clients { any; !192.168.0.0/22; !127.0.0.1; }; Acl's are first match. What you had devolves to match-clients { any; }; Try. match-clients { !192.168.0.0/22; !127.0.0.1; any; }; Adjust all the other acls allow-recursion { 127.0.0.1; }; include /etc/opt/csw/bind/named.conf.external; }; named.conf.external file from master server: zone optiplex-networks.com { type master; file /var/named/optiplex-networks-external.db; allow-query { any; !192.168.0.0/22; 192.168.1.101; }; }; zone 2.178.81.in-addr.arpa { type master; file /var/named/81.178.2.rev; allow-query { any; !192.168.0.0/22; 192.168.1.101; }; }; named.conf.external file from slave server: zone optiplex-networks.com { type slave; file /var/named/optiplex-networks-external.db; masters { 192.168.1.100; }; allow-notify { 192.168.1.100; }; allow-query { any; !192.168.0.0/22; 192.168.1.100; }; }; zone 2.178.81.in-addr.arpa { type slave; file /var/named/81.178.2.rev; masters { 192.168.1.100; }; allow-notify { 192.168.1.100; }; allow-query { any; !192.168.0.0/22; 192.168.1.100; }; }; If any one can help me figure out why this is happening as the reverse zone for my internal view works perfectly fine with similar config and all the other forward zones for the external work perfectly fine?? Many thanks, --Kaya ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: inverse query:PTR RR or OPCODE=1 ?
In message 4591889.164031259808158905.javamail.corem...@app183.163.com, lipen g967 writes: when I read the RFC1035, I noticed the opcode defination in the DNS message head . It said that when opcode = 1 the message did Inverse query. but in the packet I capatured when I used nslookup to do inverse query ,the inverse query packet use the opcode = 0 and the question segment with RR TYPE PTR. Can someone explain this ? Am I wrong about understanding the inverse query ? Thank a lot . Nslookup does normal queries into the .ARPA namespace to do reverse lookups. Inverse lookups were a concept that really only worked in the dentist surgery senario (one server providing the entire DNS view). Inverse queries were deprecated years ago http://www.ietf.org/rfc/rfc3425.txt. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Disable Refused answer
In message dcf41a2c-d461-4e78-82cd-0add12051...@menandmice.com, Chris Buxton writes: On Dec 3, 2009, at 10:16 AM, Kevin Darcy wrote: Chris Buxton wrote: On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote: Hello! I can't find in docs how disable answer (Refused), if recursion for IP is not allowed? Something like this should work: _ view caching-server { match-recursive-only yes; blackhole { ! authorized-clients; any; }; // any other resolution configuration goes here }; This should work --- one of the scariest phrases in the computing field :-) True, true. It means, of course, The docs suggest this will work, but I have n't actually tested it. Unfortunately, blackhole can only appear the (global) options clause: I'm happy to be corrected. You'd never know this from reading the BIND ARM. From the description of the view statement: Many of the options given in the options statement can also be used within a view statement, and then apply only when resolving queries with that view. There is no definitive list of the options that can or can not be used in a v iew. Likewise, the description of the blackhole statement makes no mention of the fact that it's not valid inside a view. doc/misc/options gives a definitive list. It is built from the parser. So, to the original poster, we're back to it can't be done with BIND configu ration. Of course, you could hack the BIND source code... Chris Buxton Professional Services Men Mice ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: FORMERR
The SOA record in the negative response didn't match the delegation. cloudfront.net != stl2.cloudfront.net Mark In message alpine.neb.2.01.0912041447110.12...@t1.m.reedmedia.net, Jeremy C. Reed writes: The upcoming BIND 9.7.0 has several logging improvements, for example: 04-Dec-2009 14:46:41.020 resolver: notice: DNS format error from 216.137.38.22#53 resolving d2rdfnizen5apl.stl2.cloudfront.net/ for client 127.0.0.1#53764: invalid response 04-Dec-2009 14:46:41.060 resolver: notice: DNS format error from 216.137.38.23#53 resolving d2rdfnizen5apl.stl2.cloudfront.net/ for client 127.0.0.1#53764: invalid response The comments in the source for that one is: /* * The responder is insane. */ Also the query-errors logging (already in recent BIND releases) says: 04-Dec-2009 14:46:41.060 query-errors: debug 1: client 127.0.0.1#53764: query failed (SERVFAIL) for d2rdfnizen5apl.stl2.cloudfront.net/IN/ at query.c:4673 That line number in my code has: /* * Something has gone wrong. */ 04-Dec-2009 14:46:41.060 query-errors: debug 2: fetch completed at resolver.c:3024 for d2rdfnizen5apl.stl2.cloudfront.net/ in 0.079283: failure/success [domain:stl2.cloudfront.net,referral:0,restart:2,qrysent:2,timeout:0,lame:0, neterr:0,badresp:2,adberr:0,findfail:0,valfail:0] /* * Something bad happened. */ Sorry, even with the new logging, this one is not answered adequately... will need to look further. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Signing with the KSK and ZSK
In message 2ac8e9ad0912072303u6327b50eoc06cbfe232632...@mail.gmail.com, xu dong writes: Hi folks, i have a question about signing zone files with the ksk and the zsk, as i know,when signing the zone files i have to use the ksk and zsk both,just as following: *dnssec-signzone -o domain-name -t -k KSK zone-name ZSK* but i want to sign the ZSK with KSK first,and then sign the zone files with zsk,so how can i do? Firstly you don't sign keys or files, you sign RRsets or zones. '-x' will tell the signer to the DNSKEY RRset only using KSK's. Secondly don't over specify the command line. 'dnssec-signzone -x -o domain-name master-file' is enough in most cases. dnssec-signzone will look at the DNSKEY records in the master-file and workout what is needed. The options are there for when you want dnssec-signzone to do something non-standard. Mark Thanks. --=20 - Xudong email=a3=baxudon...@gmail.com Beijing,China -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: managed-keys.bind's directory problem
In message 20091210.162242.460114267490885968.fujiw...@pyon.org, fujiw...@wid e.ad.jp writes: I'm using BIND 9.7.0b3 an DLV (dns-lookaside auto;). The named tried to write managed-keys.bind file into the named's working directory. The current BIND 9 requires the working directory is writable by named (From ARM). But I think the working directory should not be writable by named and some OSs' default configuration set the working directory not writable. Then those OS's are misconfiguring named. This has been a requirement since the BIND 4 days. It's just named has not complained and there has been loss of functionality as a result. On some OS's this is the only way to get a core file for debugging as there is no way to specify anything other than the current working directory. Note there is no requirement for named's config files to be below the working directory. ../master-files/ or /master-files/ or /var/named/master-files could all be used instead of ./master-files The working directory does not have to be /var/named. It is usable to avoid named's unknown BUG which may break the working directory. For example, FreeBSD changes the working directory's owner/group/permission configured by /etc/mtree/BIND.chroot.dist and it sets the working directory not writable by named. I changed /etc/mtree/BIND.chroot.dist in my FreeBSD box, but I don't like this solution. I'm very happy if I can change the managed-keys.bind path. We will look into that. - - From BIND 9.7.0b3 ARM: In the current implementation, the managed keys database is stored as a master-format zone file called managed-keys.bind. When the key database is changed, the zone is updated. As with any other dynamic zone, changes will be written into a journal file, managed-keys.bind.jnl. They are committed to the master file as soon as possible afterward; in the case of the managed key database, this will usually occur within 30 seconds. So, whenever named is using automatic key maintenace, those two files can be expected to exist in the working directory. (For this reason among others, the working directory should be always be writable by named.) If the dnssec-lookaside option is set to auto, named will automatically initialize a managed key for the zone dlv.isc.org. The key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. --- -- Kazunori Fujiwara, JPRS ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: managed-keys.bind's directory problem
In message alpine.bsf.2.00.0912131720060.1...@qbhto.arg, Doug Barton writes: On Fri, 11 Dec 2009, Mark Andrews wrote: In message 20091210.162242.460114267490885968.fujiw...@pyon.org, fujiwara @wid e.ad.jp writes: I'm using BIND 9.7.0b3 an DLV (dns-lookaside auto;). The named tried to write managed-keys.bind file into the named's working directory. The current BIND 9 requires the working directory is writable by named (From ARM). But I think the working directory should not be writable by named and some OSs' default configuration set the working directory not writable. Then those OS's are misconfiguring named. Or, named is acting in an unsafe way. :) For example, see https://lists.isc.org/pipermail/bind-users/2008-August/071912.html for my proposal to separate the idea of working directory from configuration directory, and some of the reasons why. To repeat my primary objection, if the named user can write to the configuration directory it can change the contents of named.conf. That's a security problem. directory has *always* specified the working directory. This has been a requirement since the BIND 4 days. It's just named has not complained Actually it does complain: named[970]: the working directory is not writable and there has been loss of functionality as a result. I would argue that this really hasn't been the case for FreeBSD, up till this point there has been a workaround for all of the functionality that users have asked for. On some OS's this is the only way to get a core file for debugging as there is no way to specify anything other than the current working directory. Once again, I assert that this is a design flaw in named. Processes should not be dumping random stuff into the same directory where their configuration files go. It may have been acceptable back in the BIND 4 days, but it's time to move on. Note there is no requirement for named's config files to be below the working directory. This is something that I'll explore. I still prefer the solution to separate the idea of config and working directories. Imagine a scenario where the configuration stuff is on a read-only partition for example. Or OS maintainers shouldn't have put configuration files in the working directory. They were originally seperate. OS maintainers could have kept them seperate. The working directory does not have to be /var/named. In FreeBSD (as in other OSs that I looked at for examples) that's the root of the chroot directory structure. I'm very happy if I can change the managed-keys.bind path. We will look into that. That would be good. I would argue that for any new feature configurability for its file location(s) should be a requirement. Doug -- Improve the effectiveness of your Internet presence with a domain name makeover!http://SupersetSolutions.com/ -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
In message prayer.1.3.2.0912151543550.32...@hermes-1.csi.cam.ac.uk, Chris Tho mpson writes: (But it's not too obvious to me that adding support for a new signing algorithm should necessarily be considered a major functional change.) If it was *just* adding a new signing algorithm then yes it would be a minor change. A lot more happened under the hood to support the new algorithms on all platforms. Remember crypto support on some platforms is pretty old and doesn't support SHA256/512 + RSA directly so we had to use more primative methods on these platforms. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: questions on bind cache with views
In message 35686be10912170139j3d89c414n1da84870b47c9...@mail.gmail.com, Youn g H. writes: Hello, I have config the bind-9.6.1 with multi-views and recursion yes. But I found bind always deny the query to its cache, the log shows: Dec 17 17:30:42 localhost named[15603]: client 113.96.221.24#54412: view tel: query: www.126.com IN A + Dec 17 17:30:42 localhost named[15603]: client 113.96.221.24#54412: view tel: query (cache) 'www.126.com/A/IN' denied You need to look at your acl settings. Named default to allowing local machines to recurse. allow-query-cache Specifies which hosts are allowed to get answers from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used. view tel looks as: view tel { match-clients { key telkey; any; }; allow-update {key telkey;}; zone my.zone { type master; file /usr/local/bind/etc/my.zone.db; }; }; Please help me, thanks in advance. // Young. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: clients-per-query message is harmful or not?
In message blu149-w57a261f59f90728f956cea85...@phx.gbl, MontyRee writes: Hello, all. my system is centos 4.x, bind 9.5.1-P3 and only recursion is allowed from some ranges. I can see lots of messages like below. so if I didn't set any clients-per-query value,some clients' queries may be droppped or not? clients-per-query is designed to prevent the nameserver being overwhelmed by a given query that doesn't resolve. It sets the number of simultanious clients that are acutally recursing on a given name. It value is increased if there is a successful resolution of that query after dropping some clients then slowly decays over time. Note UDP clients are expected to retry. clients-per-query reflects how many clients ask for a busy name/type in the time it takes to resolve that name/type. If it takes 200 ms resolve the query and you need 20 clients-per-query then the name/type is being asked for around 100 times a second. If some queries can be dropped,I want to set like clients-per-query 0. You actually want to set clients-per-query to around 20 based on these logs, the default is 10. 05-Oct-2009 16:04:46.228 resolver: notice: clients-per-query decreased to 14 05-Oct-2009 16:14:47.337 resolver: notice: clients-per-query increased to 19 05-Oct-2009 16:34:47.338 resolver: notice: clients-per-query decreased to 18 05-Oct-2009 16:54:47.339 resolver: notice: clients-per-query decreased to 17 05-Oct-2009 17:01:55.424 resolver: notice: clients-per-query increased to 22 05-Oct-2009 20:20:26.252 resolver: notice: clients-per-query increased to 15 05-Oct-2009 20:40:26.253 resolver: notice: clients-per-query decreased to 14 05-Oct-2009 21:00:26.253 resolver: notice: clients-per-query decreased to 13 05-Oct-2009 21:11:26.298 resolver: notice: clients-per-query increased to 15 Thanks in advance. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Notify storms
In message 91aa34af1001181327q7f5de882vf47052ed39d87...@mail.gmail.com, Todd writes: Good day all, We've run into a problem with our DNS servers. The way we update our masters is via a CVS Checkout and reload of the zones modified. Sometimes though, we need to reload the whole config for big changs/etc. When that happens, all 6 masters (I know, we're getting rid of some) send notifies to all 80+ (I know, we're getting rid of some) slaves for all 1800 zones. This causes all the slaves to verify all 1800 zones on 6 masters, which then delays the changes we made from actually getting to the slaves. Right now it's about 2.5 hours for all slaves to do all zones. We would like to make this better. We're trying to figure out what mechanism might be limiting the rate at which the slave does SOA checks against the master so it can perform that step quicker. We have looked at the zone transfer limits on the master/slave, but that is related to the transfer mechanism, not the SOA query. Can anyone help with ideas on this? Are we missing something obvious? serial-query-rate Cheers, Todd. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Upgrading BIND 9.2.1 to BIND 9.6.1-p3 on AIX
In message ofe366df90.6b8e5635-on482576b1.00241d55-482576b1.00247...@sg.ibm.com, Balanagaraju Munukutla writes: Hi we are running BIND 9.2.1 on AIX 5.3 TL11. Now, I would like to upgrade it to BIND 9.6.1-p3. Is this BIND version is stable? Can anybody help me to suggest how upgrade the BIND with minimal impact? I am running BIND in bind-jail. Apart from the allow-recursion acl now having a tighter defaults, BIND 9.6.1-P3 will just use the old config assuming that you don't have errors in your master files. If you do you should be correcting them anyway. Later versions of BIND are less forgiving of configuration errors. You can take correct master files from BIND 4.8 (+20 years ago) and use them unchanged in BIND 9.7.0. I would just compile named and then run it from the source tree with bin/named/named -g usual arguement, having first stopped the current version, and see what it reports. When you are happy that all errors are corrected you can install it and adjust your startup scripts to call /usr/local/sbin/named instead of the version that ships with aix. Mark Thanks for your help. Regards Nagaraj -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named 9.6.1 Filling wtmp
In message 6b845b73-065f-4e8b-afa5-408ecdbe7...@govnet.state.vt.us, David Kre indler writes: We have BIND 9.6.1-P3 running on several AIX 5.3 servers. On one of them, nam ed is filling /var/adm/wtmp with numerous entries like the following. This is not named (the program). It may be su or some other process that is logging changes in uid. Or it could be someone login in as the user named. Mark user pts/1 pts/1 7 1327240 1264089183 host-NN.domain Thu Jan 21 10: 53:03 EST 2010 named 8 2572472 1264089217Thu Jan 21 10: 53:37 EST 2010 named 8 2572472 1264089217Thu Jan 21 10: 53:37 EST 2010 named 8 2572472 1264089277Thu Jan 21 10: 54:37 EST 2010 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange CNAME issue
In message a9981203-ca2a-4ba2-b95b-08d992178...@mellmo.com, seren writes: Thanks for your response. I didn't know about the +trace option in dig. = After some more searching, I believe you are correct about the long = responses being related. The responses that fail all seem to exceed = 512-bytes. Why this would happen in multiple locations is a mystery but = perhaps our firewalls are configured similarly. I'll look into the = firewall settings on my end, but since there may be other devices out = there configured similarly I'll need to try and reduce my CNAMES to find = into a 512-byte response or switch them to A records. -seren Some filewall vendors / operators think that all UDP DNS responses are = 512 bytes of payload. This has not be the case offically for over a decade now with EDNS, and was never one in practice as there have always been servers that sent larger responses as long as I've been working with DNS, ~20 years now. Some filewall vendors / operators think that TCP DNS is only used for AXFR. This has *never* been the case. One or both of these may be the problem. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.6 - IXFR to slaves not working after manual zone edit.
First of all, decide where you want the delta to be computed. On the master or on the slaves? Currently you are asking all servers to compute the delta. Secondly if you are not using dynamic update to modify the master zone you don't need to freeze the master zone as named is NOT writing to it. Just replace and reload will work. Thirdly rndc freeze removes the journal. Fourthly ixfr-from-differences forces the slave to make AXFR requests. Lastly, dynamic zones and ixfr-from-differences are currently mutually exclusive. This may or may not change in future releases. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: A question about PTR records
In message 139200.61342...@web110505.mail.gq1.yahoo.com, sasa sasa writes: Hi, What is the best practice when using PTR in an ISP? is it dividing IP block= s (like; x.x.x.in-addr.arpa.) and therefore having more than one PTR zo= ne file? or just use x.in-addr.arpa.and include everything inside that fi= le? regards, Whatever works best for you. If you are delegation parts of the in-addr.arpa namespace to others it is often easier to also delegate the namespace to yourself so that management is consistant. If you have RFC 2317 style delegations the parent zone, which contains the CNAMES, also needs to be transfered to ensure that reverse lookups continue to work on the subnet using that namespace. A smaller parent zone is useful in this case. Smaller zones also reduce the amount of data that needs to be transferred whenever a change happens. You can also mix and match. Note you can change schemes later if you want to. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.6.1-P3 using more resources?
In message prayer.1.3.2.1001241549090@hermes-2.csi.cam.ac.uk, Chris Thomp son writes: On Friday, I wrote: We upgraded our main recursive nameservers (validating, via dlv.isc.org) from 9.6.1-P2 to 9.6.1-P3 a couple of days ago. CPU (and possibly memory) consumption have been quite a bit larger since then, and more worryingly, seems to be gradually increasing. I have looked for a co-incidental change in the query pattern that might explain this, without success so far. If anyone else has seen a similar effect as a result of upgrading, please let me know. I have found the cause, and it was not the upgrade to 9.6.1-P3 (so apologies for introducing any FUD about that) or a significant change to the query load. It was the result of adding -m record to the named argument list. I had put this in the startup script for when named was next restarted, and then half forgotten about it. I had in any case convinced myself that it was a trivial-cost option. Well, that turns out not to be the case ... It costs a ~16 bytes per memory allocation to perform the accounting in a 32 bit build. ~24 bytes in a 64 bit build. Plus some computing time. struct debuglink { ISC_LINK(debuglink_t) link; const void *ptr[DEBUGLIST_COUNT]; unsigned intsize[DEBUGLIST_COUNT]; const char *file[DEBUGLIST_COUNT]; unsigned intline[DEBUGLIST_COUNT]; unsigned intcount; }; With this we know where the memory that leaks was allocated and a starting point to find the defect. Mark (Using -m record was motivated by a unfreed-memory-at-shutdown abort that we observed with 9.6.1-P1 -- and not since -- and reported on bind9-bugs as RT #20675.) -- Chris Thompson Email: c...@cam.ac.uk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Delegation question!
Also you did not *buy* the addresses from RIPE as RIPE does not *sell* addresses. You leased the addressed from RIPE. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: update failed: SERVFAIL
In message 2ac8e9ad1001250710s2489d1edpf5a247341bc2a...@mail.gmail.com, xu do ng writes: Hi, I have a problem about the DDNS ,When I nsupdated the master dns server under with dnssec,but it failed as following: *r...@root:/var/named/chroot/etc# nsupdate -d server 192.168.225.130 5353 update add test.net 900 A 5.5.5.5 Reply from SOA query: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 32603 ;; flags: qr aa ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;test.net.IN SOA ;; AUTHORITY SECTION: net. 300 IN SOA dns.net. dns.net. 2010011806 10800 60 604800 10800 Found zone name: net The master is: dns.net Sending update to 192.168.225.130#5353 Outgoing update query: ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 30960 ;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0 ;; UPDATE SECTION: dns.net. 900 IN A 5.5.5.5 Reply from update query: ;; -HEADER- opcode: UPDATE, status: SERVFAIL, id: 30960 ;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 * But when i nsupdated the master dns server without dnssec, it succeed. So I don't know why? Did you look at the master's logs? Have you told named where the private keys are? Are the private keys readable by named? -- - Xudong email=a3=baxudon...@gmail.com Beijing,China - -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC DSSET KEYSET
+qMYkiBYczNvZ4zD4nh FR7ZVh6z046IcAzI8G1KD6n96GraXBXFJN2z+kE+B/gY xMy3xWfrIoxj/L8hEy3mqjpPXfcdtzrD3/bjf/og3Mrn WZJuawTcn3/ptMyQYbD5J7yr8xvpq7EjjclOR1u4WCXr pjEbRN/OmlPSSmM9RI/1w8/ONmCDJSIBaRgc8cMvHvgJ utPGMmW1ci/LTHVA7dBXb9K/fvOMyuJJMmN4p6Q6KQbY cNwwktZlkIBO8KdojAsI+Z904XvThCYgbA== ) isc.org.31 IN RRSIG DNSKEY 5 2 7200 20100224205023 ( 20100125205023 47407 isc.org. RNdtNlmH1MJasaAM2pM1/jo+fr0/UBauutDoR0TlZR1+ 5SeuE5LLs1rqGc3Q8poVgCEFVX6MtFDf78wrSn/aQ+YD ubvg/O8H8a98MyJaInHJZza265LnjsfVYJprExnnJFug olzIuAQ+F5obSWXKx/WdyXXzzwcD2qWXOovRo4FN6xyE KqdcaPECZfTJo8T+EqU5KpnHDvCyKf6F2v07GGyXe69t tRzgCsEIsYGoagLANNSGnb53DqHYQWVJaOEGoEQRa0Ox QrB8oGyvfCEE3AtFhR/UY9mq+rXDVRUkp9DeqqNRX1uf OCeIHgkjynUUq8iEsjwhzn+bRbtUR8aNgA== ) ;; Query time: 3 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Jan 29 08:08:37 2010 ;; MSG SIZE rcvd: 1496 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
In message c78b5f8c.46e43%wael.sha...@gmail.com, Wael Shaheen writes: Dear DNS Experts, This post is intended for discussion. The ISP I work for has HUGE dynamic IP pools that are full of spammers (of course). This huge volume of spam is actually influencing the decision for some of the international provider=B9s whether to give us links or not let alone the bad reputation and RBLs listing etc... As a solution the routing team was thinking to block port 25 for outgoing as some ISPs do. However, I do not see this to be a valid solution for many reasons such as clients that have email servers outside, or if decided to be redirected to spam filters then that will just cost the company too much. Luckily we have two set of DNS server farms; one that is serving static IP users and one that is dedicated only for dynamic IP users. The idea I have proposed is to deny these dynamic users from performing MX queries. So instead of blocking port 25 we can redirect the DNS port to the DNS farm that is dedicated for dynamic users, that will guarantee that no standard DNS port forwarded queries are going to external servers. Then we will block the MX and root queries for those dynamic clients. That will prevent them from using a locally installed DNS service on their machines or query MX records for targets they want to send spam to. Of course there will still be some challenges like if some spammers know the A record of the mail server they want to connect to or if they used the IP address of the targeted mail server also if they used open dns that works on non-standard ports, but then again I believe these users will stand out and will be identified more easily. I would appreciate any comments you may have. Sincerely, Wael ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Firstly, cleanup / quarantine the machines that are spamming. This is the best thing you can do. A machine that is spamming is compromised and a compromised machine can do anything. Secondly, don't block the MX queries. MUAs can and do perform MX queries to check that addresses are valid before attempting to send anything. Thirdly, if you do block SMTP do it fully (traffic to and from port 25) and provide a mechanism to optout. If you publish, or provide information to those that publish, blocking lists ensure that they reflect the optout status of any IP address that has opted out. Blocking SMTP traffic is only masking the symptoms of the infection. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: NOTIFY logging problem
In message c0ab6ee34cf7e8f660d78...@11.sub-97-53-216.myvzw.com, Frank Cusack writes: How can I get logs of all NOTIFY messages sent? logging { // use local0 instead of daemon channel local0_syslog { syslog local0; severity info; }; category notify{ local0_syslog; default_debug; }; }; The above only generates a summary log: zone XXX/IN/internet: sending notifies (serial 2010012700) I'd like to see a verification of every host a NOTIFY message was sent to. You need to be looking a debug 3. notify_log(notify-zone, ISC_LOG_DEBUG(3), sending notify to %s, addrbuf); -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: NOTIFY logging problem
In message ed6e4c848e8fef4b16e71...@181.sub-97-18-81.myvzw.com, Frank Cusack writes: On February 1, 2010 11:35:15 AM +1100 Mark Andrews ma...@isc.org wrote: You need to be looking a debug 3. notify_log(notify-zone, ISC_LOG_DEBUG(3), sending notify to %s, addrbuf); ouch, debug 3 is probably way TMI. I guess I'll just patch the above to log at info. Why isn't that the default anyway? Seems to me that you aren't likely to have too many servers and the info level is already pretty verbose so you would expect (or at least *I* would expect) to have that amount of information. When you have 10+ zones with 10's of servers it gets noisy. Log to a file with debug 3; As it is, and I mean without turning on debug logging, I have to infer what servers notify was sent to based on AXFR/IXFR requests. (I try not to trust looking at config files when debugging because you can't be sure that the running config is the same as the on-disk config.) Anyway thanks for the pointer, it looks trivial to update. -frank -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: how do I get a slave to send NOTIFY messages?
In message 20100131220833.a16...@gwyn.tux.org, Joseph S D Yao writes: The ARM, in Chapter 6, under Boolean Options [for some value of the word Boolean, I guess ;-)], says: Well it started out as a Boolean Option. :-) Boolean/Enumerated Options would be a more accurate description these days. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND 9.4-ESV is now available
BIND 9.4-ESV is now available. BIND 9.4-ESV is a extended release version for BIND 9.4. BIND 9.4-ESV can be downloaded from ftp://ftp.isc.org/isc/bind9/9.4-ESV/bind-9.4-ESV.tar.gz The PGP signature of the distribution is at ftp://ftp.isc.org/isc/bind9/9.4-ESV/bind-9.4-ESV.tar.gz.asc ftp://ftp.isc.org/isc/bind9/9.4-ESV/bind-9.4-ESV.tar.gz.sha256.asc ftp://ftp.isc.org/isc/bind9/9.4-ESV/bind-9.4-ESV.tar.gz.sha512.asc The signature was generated with the ISC public key, which is available at https://www.isc.org/about/openpgp. A binary kit for Windows XP and Window 2003 is at ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.zip ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.debug.zip The PGP signature of the binary kit for Windows XP and Window 2003 is at ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.zip.asc ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.zip.sha512.asc ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.debug.zip.asc ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.debug.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.debug.zip.sha512.asc Changes since 9.4.0. --- 9.4-ESV released --- 2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. [RT #20819] 2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737] 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] 2797. [bug] Don't decrement the dispatch manager's maxbuffers. [RT #20613] 2790. [bug] Handle DS queries to stub zones. [RT #20440] 2772. [security] When validating, track whether pending data was from the additional section or not and only return it if validates as secure. [RT #20438] --- 9.4-ESVb1 released --- 2698. [cleanup] configure --enable-libbind is deprecated. [RT #20090] 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and S_IFREG are defined after including isc/stat.h. [RT #20309] 2690. [bug] win32: fix isc_thread_key_getspecific() prototype. [RT #20315] 2689. [bug] Correctly handle snprintf result. [RT #20306] 2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT, to decide to fetch the destination address. [RT #20305] 2681. [bug] IPSECKEY RR of gateway type 3 was not correctly decoded. [RT #20269] 2672. [bug] Don't enable searching in 'host' when doing reverse lookups. [RT #20218] 2525. [experimental] New logging category query-errors to provide detailed internal information about query failures, especially about server failures. (backported as a special exception to the general policy) [RT #19027] 2670. [bug] Unexpected connect failures failed to log enough information to be useful. [RT #20205] 2649. [bug] Set the domain for forward only zones. [RT #19944] 2648. [port] win32: isc_time_seconds() was broken. [RT #19900] 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] 2642. [bug] nsupdate could dump core on solaris when reading improperly formatted key files. [RT #20015] 2640. [security] A specially crafted update packet will cause named to exit. [RT #2] 2637. [func] Rationalize dnssec-signzone's signwithkey() calling. [RT #19959] 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses. [RT #19716] 2633. [bug] Handle 15 bit rand() functions. [RT #19783] 2632. [func] util/kit.sh: warn if documentation appears to be out of date. [RT #19922] 2623. [bug] Named started seaches for DS non-optimally. [RT #19915] 2621. [doc] Made copyright boilterplate consistent. [RT #19833] 2920. [bug] Delay thawing the zone until the reload of it has completed successfully. [RT #19750] 2618. [bug] The sdb and sdlz db_interator_seek() methods could loop infinitely. [RT #19847] 2617. [bug] ifconfig.sh failed to emit an error message when run from the wrong
BIND 9.6.2 Release Candidate 1 is now available.
BIND 9.6.2 Release Candidate 1 is now available. BIND 9.6.2rc1 is a maintenance release candidate for BIND 9.6. BIND 9.6.2rc1 can be downloaded from ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz The PGP signature of the distribution is at ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz.asc ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz.sha256.asc ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz.sha512.asc The signature was generated with the ISC public key, which is available at http://www.isc.org/files/pgpkey2009.txt. A binary kit for Windows XP, Windows 2003 and Windows 2008 is at ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip The PGP signature of the binary kit is at ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip.asc ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip.sha512.asc ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip.asc ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip.sha512.asc Changes since 9.6.0: --- 9.6.2rc1 released --- 2838. [func] Backport support for SHA-2 DNSSEC algorithms, RSASHA256 and RSASHA512, from BIND 9.7. (This incorporates changes 2726 and 2738 from that release branch.) [RT #20871] 2837. [port] Prevent Linux spurious warnings about fwrite(). [RT #20812] 2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. [RT #20819] 2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737] 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that was in the process of being created was not properly recorded in the zone. [RT #20786] 2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781] 2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define [RT #20771] 2818. [cleanup] rndc could return an incorrect error code when a zone was not found. [RT #20767] 2815. [bug] Exclusively lock the task when freezing a zone. [RT #19838] 2814. [func] Provide a definitive error message when a master zone is not loaded. [RT #20757] --- 9.6.2b1 released --- 2797. [bug] Don't decrement the dispatch manager's maxbuffers. [RT #20613] 2790. [bug] Handle DS queries to stub zones. [RT #20440] 2789. [bug] Fixed an INSIST in dispatch.c [RT #20576] 2786. [bug] Additional could be promoted to answer. [RT #20663] 2784. [bug] TC was not always being set when required glue was dropped. [RT #20655] 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP buffer size of 512 or less. [RT #20654] 2782. [port] win32: use getaddrinfo() for hostname lookups. [RT #20650] 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong. 2772. [security] When validating, track whether pending data was from the additional section or not and only return it if validates as secure. [RT #20438] 2765. [bug] Skip masters for which the TSIG key cannot be found. [RT #20595] 2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533] 2759. [doc] Add information about .jbk/.jnw files to the ARM. [RT #20303] 2758. [bug] win32: Added a workaround for a windows 2008 bug that could cause the UDP client handler to shut down. [RT #19176] 2757. [bug] dig: assertion failure could occur in connect timeout. [RT #20599] 2755. [doc] Clarify documentation of keyset- files in dnssec-signzone man page. [RT #19810] 2754. [bug] Secure-to-insecure transitions failed when zone was signed with NSEC3. [RT #20587] 2750. [bug] dig: assertion failure could occur when a server
Re: Queries for NSEC3 hashed owner names
In message 19306.52059.975062.462...@hadron.switch.ch, Alexander Gall writes: All of those are NSEC3-agnostic. They should not do any DNSSEC processing for the ch zone, because they don't support algorithm #7. Yes and no. Just because you are using a algorithm that is unsupported doesn't mean that you won't get queries looking for the break point between supported and unsupported algorithms. DS queries are used to find that break point. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Host/nslookup/dig queries wrong server
I know discussions like this are fun but it took 10 seconds to find the related change in CHANGES. 2616. [bug] 'host' used the nameservers from resolv.conf even when a explicit nameserver was specified. [RT #19852] And it has been applied to these branches. % grep 2616 9.?.x/CHANGES 9.4.x/CHANGES:2616. [bug] 'host' used the nameservers from resolv.conf even 9.5.x/CHANGES:2616. [bug] 'host' used the nameservers from resolv.conf even 9.6.x/CHANGES:2616. [bug] 'host' used the nameservers from resolv.conf even 9.7.x/CHANGES:2616. [bug] 'host' used the nameservers from resolv.conf even % Which correspond to these releases 9.4-ESV, 9.5.2, 9.6.2 and 9.7.0. Note: two of these are in the future so you need to look at the release candidates. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: curious CNAME answer?
In message blu149-w18aec33c220b5f6d2440e585...@phx.gbl, MontyRee writes: Hello, all. I have some curious question. below is a part of zone file at master dns(example.com). www IN CNAME www.down down IN NS ns3.example.com. wehn I dig query like below at server, $ dig @dns.example.com www.example.com the result is different.. if query from slave dns server, 192.168.2.1.domain xx.xx.xx.xx.30869: 45064* 2/2/2 CNAME[|domain] and the answer is www.example.com. 3600IN CNAME www.down.example.com. www.down.example.com. 27 IN A10.10.1.3 You offer recursion to xx.xx.xx.xx and dig set recursion desired by default so the CNAME is followed. if query from any other server, 192.168.2.1.domain xx.xx.xx.xx.47127: 58823*- 1/2/2 CNAME[|domain] and the answer is www.example.com. 3600IN CNAME www.down.example.com. You don't offer recursion to this client so named returns a CNAME and a referral to the child servers. my question is, Why the result is different by client? why first case answers A record also but the second case is cname only? Thanks in advance. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Queries for NSEC3 hashed owner names
In message 19306.62546.632032.348...@hadron.switch.ch, Alexander Gall writes: On 04 Feb 2010 15:39:55 +, Chris Thompson c...@cam.ac.uk said: On Feb 4 2010, Alexander Gall wrote: Of the 60 sources in my sample, 26 responded to version queries. All of them identified themselves as some version of BIND 5 9.5.0-P2 3 9.4.2-P2.1 3 9.4.2-P2 3 9.4.2-P1 3 9.3.4-P1 1 9.5.1-P3 1 9.5.0b3 1 9.4.1-P1 1 9.4.1 1 9.3.5-P2 1 9.3.5-P1 1 9.3.4-P1.2 1 9.3.4-P1.1 1 9.3.4 All of those are NSEC3-agnostic. They should not do any DNSSEC processing for the ch zone, because they don't support algorithm #7. Most of the above versions will not have this fix 2579. [bug] DNSSEC lookaside validation failed to handle unknow n algorithms. [RT #19479] which could lead to all sorts of confusion if they are validating via dlv.isc.org (say). Right, I forgot about that. It's definitely reproducable with BIND 9.3.3 with DLV enabled. BIND 9.3.3 was when named shifted from using the private type for DLV to a allocated type. dig txt ch. Perhaps SWITCH could filter these out and send messages to the whois technical contacts in a attempt to get these servers upgraded in the interests of a more secure and robust DNS? BIND 9.5.1-P3 does not make the queries in question. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent NXDOMAIN, (possibly) Bind or PowerDNS problem?
In message 260066.10841...@web63105.mail.re1.yahoo.com, Ian B writes: Hi All, I found a post on this list from July 2009 with the subject: Intermittent NXDOMAIN, Bind 9.2.3 config and PowerDNS problem? https://lists.isc.org/pipermail/bind-users/2009-July/077045.html I'm having exactly the same issue but with hostname dreamteam.afl.com.au A sample dig is as follows: $ dig dreamteam.afl.com.au ; DiG 9.3.4-P1 dreamteam.afl.com.au ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 22236 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;dreamteam.afl.com.au.IN A ;; ANSWER SECTION: dreamteam.afl.com.au. 30 IN CNAME afl.virtualsports.com.au. ;; AUTHORITY SECTION: com.au. 60 IN SOA stl-bpc-gslb1500-1.bigp ond.com. hostmaster.stl-bpc-gslb1500-1.bigpond.com. 4 10800 3600 604800 60 ;; Query time: 53 msec ;; SERVER: 203.161.127.1#53(203.161.127.1) ;; WHEN: Fri Feb 5 11:29:24 2010 ;; MSG SIZE rcvd: 147 My understanding of the issue is that the authoritative nameserver for dreamt eam.afl.com.au is returning the incorrect data in the 'AUTHORITY SECTION' cau sing PowerDNS to act unpredictably. Other DNS recursors may not have an issue with this, as they overlook the error. Is that a correct understanding? It looks like the two bigpond servers have been configured to serve a unofficial version of COM.AU. Normal query processing then causes the servers to find the unofficial version of COM.AU and return NXDOMAIN rather than a referral as they should. This is hard to avoid unless the normal query process rules are changed to not re-start the query after following a CNAME for a non-recursive query or only follow a CNAME if the target is in the same zone as the owner of the CNAME. The incorrect answer is then accepted and the cache is poisoned. One would think however that Telstra would have locked COM.AU out in the automatic provisioning systems for these servers as adding it can only be for nefarious purposes. Similarly any other infrastucture zones. Mark Thanks, Ian. ___ ___ Yahoo!7: Catch-up on your favourite Channel 7 TV shows easily, legally, and f or free at PLUS7. www.tv.yahoo.com.au/plus7 ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]
In message 20100205143439.ga15...@evileye.atkac.englab.brq.redhat.com, Adam T kac writes: On Fri, Feb 05, 2010 at 06:22:26AM -0800, Alan Clegg wrote: I find this important enough to forward on to bind-users. Please not the importance of trust anchor management. We (= me and Paul Wouters) are working on dnssec-conf update. Sorry for troubles. Regards, Adam The better thing would be a a script to fetch the current keys nightly, perform a sanity check, then update or inform the administator and let them update the keys after inspection. I do something like this myself nightly. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: view and dynamic zone updated by dhcp
My bet is that you are sharing the master file of the zone being updated between views/zones. Don't do that. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ISC BIND 9.7.0 is now available
In message de2b86f683214c959a95e2718834f...@internal.corp.ds, ic.nssip writes: Hello everyone, I tried to install BIND 9.7.0 from www.sunfreeware.com on a Solaris 10, x86 machine that was running before BIND 9.6.1-P1 with no problems. The new install goes to the same directories, but for some reasons when I run named-checkconf for my default /etc/named.conf file I get: # /usr/local/sbin/named-checkconf none:0: open: /usr/local/etc/named.conf: file not found Do somebody knows if this error comes from the way the package was compiled or there is a change on default location for named.conf? Thank you, Julian The defaults have not changed. I suspect someone has changed the arguements given to configure when building the package. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange issue - please enlighten me
In message 20100220192646.gb14...@fantomas.sk, Matus UHLAR - fantomas writes: Marco Davids (SIDN) wrote: Anyone any clue? I am trying to understand why some resolvers handle this query well, while BIND 9.7.x returns a SERVFAIL. On 19.02.10 13:21, Alan Clegg wrote: acl...@yellow:~$ dig +short airfrance.fr ns webaf1.airfrance.fr. lasvegas.airfrance.fr. proof.rain.fr. acl...@yellow:~$ dig +short @webaf1.airfrance.fr. www.airfrance.fr acl...@yellow:~$ dig +short @lasvegas.airfrance.fr. www.airfrance.fr acl...@yellow:~$ dig +short @proof.rain.fr. www.airfrance.fr All three of these servers, however, provide NS responses: www.airfrance.fr. 87600 IN NS ns2isp2.airfrance.fr. www.airfrance.fr. 87600 IN NS ns2isp1.airfrance.fr. That's not right... all three of the servers are lame (as you noted from your logfile). airfrance.fr needs to fix their delegations. like other domains I have seen before, they delegated the www.airfrance.fr record to broken nameservers that can not return proper answers for ANY or NS requests. ryanair.com is one of those, ccs.cz/ccs.sk are another. I have no idea what kind of nameservers are they, but they're either broken o r their admins do not know how to properly configure zone delegation. No, NS delegations ni parent zones are NOT enough. Yet another misconfigured load balancer. When will DNS admins learn that the net has not been just A queries and you actually need to test that the load balancer can answer queries other that A queries. Mark ; DiG 9.3.6-P1 www.airfrance.fr @ns2isp2.airfrance.fr +norec +dnssec ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 56821 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 2048 ;; QUESTION SECTION: ;www.airfrance.fr. IN A ;; ANSWER SECTION: www.airfrance.fr. 60 IN A 193.57.244.36 ;; Query time: 351 msec ;; SERVER: 193.57.219.253#53(193.57.219.253) ;; WHEN: Sun Feb 21 09:46:07 2010 ;; MSG SIZE rcvd: 61 ; DiG 9.3.6-P1 www.airfrance.fr @ns2isp2.airfrance.fr +norec +dnssec ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 48998 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;www.airfrance.fr. IN ;; AUTHORITY SECTION: . 518400 IN NS G.ROOT-SERVERS.NET. . 518400 IN NS H.ROOT-SERVERS.NET. . 518400 IN NS I.ROOT-SERVERS.NET. . 518400 IN NS J.ROOT-SERVERS.NET. . 518400 IN NS K.ROOT-SERVERS.NET. . 518400 IN NS L.ROOT-SERVERS.NET. . 518400 IN NS M.ROOT-SERVERS.NET. . 518400 IN NS A.ROOT-SERVERS.NET. . 518400 IN NS B.ROOT-SERVERS.NET. . 518400 IN NS C.ROOT-SERVERS.NET. . 518400 IN NS D.ROOT-SERVERS.NET. . 518400 IN NS E.ROOT-SERVERS.NET. . 518400 IN NS F.ROOT-SERVERS.NET. ;; Query time: 353 msec ;; SERVER: 193.57.219.253#53(193.57.219.253) ;; WHEN: Sun Feb 21 09:46:12 2010 ;; MSG SIZE rcvd: 256 -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Spam = (S)tupid (P)eople's (A)dvertising (M)ethod ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Different handling of referrals by dig and nslookup
In message a5a893391002200851u131155c4h6fca226d27939...@mail.gmail.com, kalpe sh varyani writes: Hi Doug, Please find my response inline. On Sun, Feb 14, 2010 at 8:53 AM, Doug Barton do...@dougbarton.us wrote: On 02/13/10 18:42, kalpesh varyani wrote: Hi Rick, I am aware that it is a somewhat odd (but not incorrect, am I right ?) to put a non-recursive name server in the resolv.conf There are certain very specific circumstances where you might want to do this, but in general I can't see any reason to do this, and would not recommend it. but I am not able to understand the behavioral difference of ping/dig and nslookup. What is it that you want to understand? You seem quite focused on figuring out why they are behaving differently, is there some reason why you need to put a non-resolving name server in resolv.conf? I guess, I am in one of those specific circumstances. The reason I prefer to have non-resolving name server in resolv.conf is as follows: Name server A (the first name server with recursion no;) was not present earlier, and has been newly configured as a name server. Name server B, which was previously handling all the name resolution part has recursion yes; Also, I would like my 3rd linux system (from where I try resolving names) to send queries to its root servers, only in case my first name server fails to resolve the name and sends back a referral. This would ensure that my 3rd linux system doesnot send queries to its name server, which could have been handled by the name server B (that was specified in resolv.conf). This would ensure that the root name server's network wont have unnecesary DNS traffic. But logically shouldn't it be moving to the next name server when the first one fails even in the case of ping and dig. This is what, I think, one would expect from a resolver. dig is a DNS diagnostic tool. You asked for an answer, you got an answer. The fact that it didn't move on is not a mystery. nslookup is designed to get its answers from the system resolver, so the real question is, why did ping and nslookup behave differently? But that's really a question for your linux distro. My basic concern is that, if my 3rd linux system can resolve a name using any of the name servers specified in the resolv.conf, then it effectively means that the remote system (for which name resolution was done) is reachable from my linux system. And if that is the case, then a ping to that system should not fail in the name resolution part. Regards, Kalpesh ALL the nameservers listed in resolv.conf need to be to answer ALL of the question put to them. Multiple nameservers in resolv.conf are for redundancy. In practice to achieve this the servers listed in resolv.conf need to be recursive. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Fwd: IPv6 client and negative cache - some doubts
. 3600IN SOA ns10.az.pl. admin.az.pl. 2009091500 10800 3600 604800 3600 ;; Query time: 334 msec ;; SERVER: 62.146.68.200#53(62.146.68.200) ;; WHEN: Wed Feb 24 09:13:32 2010 ;; MSG SIZE rcvd: 99 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Update returns FORMERR: ran out of space
In message 20100223135615.ga30...@nic.fr, Stephane Bortzmeyer writes: Trying to add/delete DNSSEC keys with dynamic update (first time I try that), the nsupdate client gets a FORMERR and BIND logs: Feb 23 14:53:24 jezabel named[10174]: client ::1#29411: updating zone 'bortzm eyer.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space I checked the disk space (plenty) but I suspect that the problem is more complicated. Turn the debugging up to 3. The log message is a result of update_signatures() detecting a error. ran out of space usually means a fixed sized buffer is not big enough or the change exceeded a architectual limit of the protocol. Mark I can add A records just fine: Feb 23 14:55:46 jezabel named[10174]: client ::1#51231: updating zone 'bortzm eyer.fr/IN': adding an RR at 'created-dyn-1266933346-8636.bortzmeyer.fr' A BIND 9.7.0 built with '--without-idnlib' '--without-dlz' '--without-idn' '--w ith-libxml2=yes' '--enable-openssl' ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users