Re: View selection via TSIG

2009-08-19 Thread Mark Andrews 

In message 6913b169-0b0e-42e0-bc30-92d188036...@tcbug.org, Josh Paetzel write
s:
 
 On Aug 19, 2009, at 11:07 AM, Kirk wrote:
 
 
  logging {
 channel my_log {
 file /var/log/bind/named.log versions 3 size 5m;
 severity warning;
 print-time yes;
 print-severity yes;
 print-category yes;
 };
 category notify {
 my_log;
 };
  };
  I've changed the category to default to make sure that it can log  
  that and it can.
  Thanks,
  Josh Paetzel
 
  Josh,
 
  I can't answer your question about views, but here is the pertinent  
  logging statements I am using and seems to work.
 
  channel notify {
  file logs/notify_log versions 2 size 1m;
  print-time yes;
  };
  category notify { notify; };
 
  If you are running chroot you might wanna verify that named can log  
  to the directory you listed in your logging statement.
 
 
 
 Thanks.  That worked, and I was quickly able to see what I was doing  
 wrong.  My primary nameserver was matching an IP in one of the  
 views.   So all the notifies were seen by slave as being in that one  
 view.  IPs override keys.

Acl matches are order sensitive.  The !key is in the examples to prevent
the signed message matching the view and moving onto the next one.
 
 Issue solved, thanks everyone who helped.
 
 Thanks,
 
 Josh Paetzel
 
 
 
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Reverse delegation - refused on my DNS

2009-08-20 Thread Mark Andrews 

In message 001201ca21de$6eea36e0$4cbea4...@monnerie@is.it-management.at, Mi
chael Monnerie writes:
 I'm still searching for the error.
 Also, sorry for the strangeness of the mail format, I used a webmail for =
 the last mails. This time it's Outlook, don't know if it's really any =
 better... at least not for correctly indenting old mail texts :-(
 
  Because you don't serve 164.69.212.in-addr.arpa and you
  tried to access the cache. You should slave
  164.69.212.in-addr.arpa so you have the CNAMEs locally.
  This will also make the above dig directed at your server
  work as the answer will come from the zone rather than
  the cache.
 
 I did that now, helps :-))
 =20
  Note: the lookups are working remotely because interative
  resolvers ask for 57.48-28.164.69.212.in-addr.arpa rather
  that 57.164.69.212.in-addr.arpa as generated by the above
  dig.
 
 Ah, I get the point. I always tested from a remote side with
 dig @dns1.zmi.at -x 212.69.164.57
 but that didn't work as this is not an open resolver. Slaving the zone =
 as you suggested enables even these lookups to work now. I think it's =
 good, as it helps remote sites to debug DNS when hunting an error.
 
 A plain
 dig -x 212.69.164.57
 also works, so, do I have an issue or is everything OK with my =
 configuration?
 
 Thanks for all your help, to all three of you!
 mfg zmi
 

All three servers are now answering which is good.

drugs:marka 10:11 {371} % dig +nssearch 48-28.164.69.212.in-addr.arpa
SOA ns4.zmi.at. hostmaster.ns4.zmi.at. 42 172800 14400 3628800 60 from server 
power4u.zmi.at in 2270 ms.
SOA ns4.zmi.at. hostmaster.ns4.zmi.at. 42 172800 14400 3628800 60 from server 
dns1.zmi.at in 1534 ms.
SOA ns4.zmi.at. hostmaster.ns4.zmi.at. 42 172800 14400 3628800 60 from server 
dns2.zmi.at in 357 ms.
drugs:marka 10:12 {372} % 

You do however have a delegation mismatch.

48-28.164.69.212.in-addr.arpa. 86400 IN NS  dns1.zmi.at.
48-28.164.69.212.in-addr.arpa. 86400 IN NS  dns2.zmi.at.
;; Received 91 bytes from 82.98.222.6#53(dns2.serico.de) in 717 ms

48-28.164.69.212.in-addr.arpa. 3600 IN  NS  power4u.zmi.at.
48-28.164.69.212.in-addr.arpa. 3600 IN  NS  dns2.zmi.at.
48-28.164.69.212.in-addr.arpa. 3600 IN  NS  dns1.zmi.at.
;; Received 161 bytes from 212.69.162.197#53(dns1.zmi.at) in 999 ms

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Porblems with Lycos.com host lookup.

2009-08-21 Thread Mark Andrews 
:53:36.286 lame-serv=
 ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco=
 s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.248.142#53=
 /span/pre
 prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.369 lame-serv=
 ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco=
 s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.244.141#53=
 /span/pre
 prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.453 lame-serv=
 ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco=
 s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.248.141#53=
 /span/pre
 prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.453 resolver:=
  debug 1: createfetch: a href=3Dhttp://bigmail1.lycosmail.lycos.com;bigm=
 ail1.lycosmail.lycos.com/a A/span/preprespan style=3Dfont-family:=
  Arial;05-Aug-2009 12:53:36.537 lame-servers: info: FORMERR resolving #3=
 9;a href=3Dhttp://bigmail1.lycosmail.lycos.com/A/IN;bigmail1.lycosmail.l=
 ycos.com/A/IN/a#39;: 209.202.244.141#53/span/pre
 prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.621 lame-serv=
 ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco=
 s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.248.142#53=
 /span/pre
 prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.704 lame-serv=
 ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco=
 s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.244.142#53=
 /span/pre
 prespan style=3Dfont-family: Arial;05-Aug-2009 12:53:36.788 lame-serv=
 ers: info: FORMERR resolving #39;a href=3Dhttp://bigmail1.lycosmail.lyco=
 s.com/A/INbigmail1.lycosmail.lycos.com/A/IN/a#39;: 209.202.248.141#53=
 /span/pre
 prespan style=3Dfont-family: Arial;05-Aug-2009 12:57:31.142 resolver:=
  debug 1: createfetch: a href=3Dhttp://scansafe.com;scansafe.com/a A/=
 span/preprespan style=3Dfont-family: Arial;=A0/span/pre
 
 p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;=
 The expected
 subdomain is returned, the only other FORMERR cases I=92ve seen (on google)=
  show span style=3D=A0/spanthe authority section not matching the ans=
 wer./span/p
 
 p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;=
 =A0/span/p
 
 p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;=
 A debug
 trace may be found at a href=3Dhttp://the.earth.li/%7Ehuggie/lycos-bind9-=
 issue.txthttp://the.earth.li/~huggie/lycos-bind9-issue.txt/a
 span style=3D=A0=A0/spanAny suggestions as to what the issue is
 or how it may be resolved would be very welcome./span/p
 
 p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;=
 =A0/span/p
 
 p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;=
 =A0/span/p
 
 p class=3DMsoNormalspan style=3Dfont-size: 10pt; font-family: Arial;=
 Kind
 Regards/span/pp class=3DMsoNormalbr/pp class=3DMsoNormalMat=
 tbrspan style=3Dfont-size: 10pt; font-family: Arial;/span/p
 
 
 --001485f79224cc3a450471a7360f--
 
 --===8305037449375662968==
 Content-Type: text/plain; charset=us-ascii
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
 --===8305037449375662968==--
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: 9.6.1-P1 log message

2009-08-25 Thread Mark Andrews 

In message alpine.lfd.2.01.0908250838190.14...@maplepark.com, David Forrest w
rites:
 What do I have to do to correct whatever is causing this log message from 
 named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)?
 
 validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be s
 ecure failure

This is ususally because named has fallen back to plain DNS.  Please
ensure that you have a clean EDNS path and any forwarders you use
also have clean EDNS paths.

A clean EDNS path will accept EDNS responses upto 4096 bytes in
size.  Firewalls and DNS proxies in SOHO routers are known devices
which interfere with this.  Sometimes intentionally (firewalls) and
some unintentionally (SOHO routers).

Firewalls must be configured to accept DNS responses bigger than
512 bytes.  They and SOHO routers also need to handle fragmented
responses.

A flakey link can also cause fallback to plain EDNS when too many
transactions timeout.

The dlv namespace is marked as must-be-secure by named as a side
effect of dnssec-lookaside clause.

Mark

 Thanks in advance,
 Dave
 -- 
 David Forrest 
 St. Louis, Missouri
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS maximum message size

2009-08-26 Thread Mark Andrews 

In message c923553c0908260234q46fef3d4g2591d8ef3a532...@mail.gmail.com, Luis 
Silva writes:
 Hi,
 Can anyone tell me the maximum size for DNS messages using TCP? I scanned
 all RFCs that I knew, but I can't find the answer. The problem is that I'm
 integrating my BIND server with a DNS name server which can only send AXFR
 answers with a 65535 maximum message size.
 
 Thank you,
 LS

DNS messages over TCP are limited to 65535 bytes due to
there being only two bytes to encode the length in.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Named is causing my server to Kernel panic?

2009-08-27 Thread Mark Andrews 

In message 4a96acd6.3070...@canbytel.com, Scott Baker writes:
 I have two DNS servers, and my slave server has been crashing repeatedly 
 about once a week. It's crashing hard and bringing down the *whole* box. 
 It's a F10 box, running:
 
 :rpm -q bind
 bind-9.5.1-3.P3.fc10.i386
 
 Here is a shot from my cell phone of the kernel panic:
 
 http://www.perturb.org/tmp/named-crash.jpg
 
 My first thought is that it was bad hardware, so we swapped the HDs out to 
 another server. *Everything* was new except the HDs and the crashes still 
 occurred. I'm not sure what my next step is, but having it continue to 
 crash is no good! The box is up to date on all software and kernel patches. 
 It runs fine while it's up, it just randomly crashes.
 
 Help!
 
 -- 
 Scott Baker - Canby Telcom
 System Administrator - RHCE - 503.266.8253

You need to report this to your OS vendor.  Nothing a application
does, and named is a application, should cause a kernel to panic.
Named does nothing more any other application does.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dynamic update response

2009-09-01 Thread Mark Andrews 

In message freemail.20090801231709.18...@fm10.freemail.hu, bind jack writes:
 Hello,
 
 My question is about the fields in the dynamic update response.
 As RFC 2136 describes there are 2 possible dynamic update responses:
 
 I. The ZOCOUNT, PRCOUNT, UPCOUNT, COUNT fields and associated sections are =
 copied in the response packet
 II. Placing zeros (0) in the these count fields and not including any par=
 t of the original update
 Bind seems to follow the second rule.
 Is it possible to configure Bind server to copy the ZOCOUNT, PRCOUNT, UPCOU=
 NT and ADCOUNT fields and associated sections in the response packet?

No.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: socket.c:4524: unexpected error:

2009-09-02 Thread Mark Andrews 
  and 9.4.3-P3 suddenly causes this failure.  If you really see more of
  this after upgrading to 9.4.3-P3 from 9.4.3, I guess it's more likely
  because (e.g.) a change of query pattern.  Or do you mean you upgraded
  from 9.4.2-P2 to 9.4.3-P3?
 
  Also, how often did it happen?  While it's an unexpected error in this
  context, a system call (connect(2) in this case) can fail for any
  reason and the other part of named has some level of resilience to
  such cases.  So, unless it's very frequent you may be able to ignore
  the warnings safely in practice.
 
  ---
  JINMEI, Tatuya
  Internet Systems Consortium, Inc.
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dig +trace failure

2009-09-02 Thread Mark Andrews 

In message 200909030037.raa27...@nasdaq.hpl.hp.com, Andris Kalnozols writes:
 My 9.6.1-P1 dig programs (HP-UX and Linux) rather consistently fail
 when trying to trace the delegation of 231.84.192.IN-ADDR.ARPA.
 Out of curiousity, are others from different places on the Internet
 able to duplicate the failure?

It's fixed in the next release.  You should be able to verify this
using the v9_6 from the BIND Forum CVS repository.

Mark

 dig +trace 231.84.192.in-addr.arpa
 
 ;  DiG 9.6.1-P1  +trace 231.84.192.in-addr.arpa
 ;; global options: +cmd
 .   431482  IN  NS  A.ROOT-SERVERS.NET.
 .   431482  IN  NS  J.ROOT-SERVERS.NET.
 .   431482  IN  NS  B.ROOT-SERVERS.NET.
 .   431482  IN  NS  D.ROOT-SERVERS.NET.
 .   431482  IN  NS  E.ROOT-SERVERS.NET.
 .   431482  IN  NS  H.ROOT-SERVERS.NET.
 .   431482  IN  NS  M.ROOT-SERVERS.NET.
 .   431482  IN  NS  L.ROOT-SERVERS.NET.
 .   431482  IN  NS  F.ROOT-SERVERS.NET.
 .   431482  IN  NS  G.ROOT-SERVERS.NET.
 .   431482  IN  NS  C.ROOT-SERVERS.NET.
 .   431482  IN  NS  K.ROOT-SERVERS.NET.
 .   431482  IN  NS  I.ROOT-SERVERS.NET.
 ;; Received 272 bytes from 15.243.224.30#53(15.243.224.30) in 1 ms
 
 192.in-addr.arpa.   86400   IN  NS  Y.ARIN.NET.
 192.in-addr.arpa.   86400   IN  NS  Z.ARIN.NET.
 192.in-addr.arpa.   86400   IN  NS  CHIA.ARIN.NET.
 192.in-addr.arpa.   86400   IN  NS  DILL.ARIN.NET.
 192.in-addr.arpa.   86400   IN  NS  BASIL.ARIN.NET.
 192.in-addr.arpa.   86400   IN  NS  HENNA.ARIN.NET.
 192.in-addr.arpa.   86400   IN  NS  INDIGO.ARIN.NET.
 192.in-addr.arpa.   86400   IN  NS  X.ARIN.NET.
 ;; Received 196 bytes from 192.36.148.17#53(I.ROOT-SERVERS.NET) in 299 ms
 
 231.84.192.in-addr.arpa. 86400  IN  NS  mail.boston.accrue.com.
 231.84.192.in-addr.arpa. 86400  IN  NS  ns1.accrue.com.
 ;; Received 95 bytes from 192.35.51.32#53(DILL.ARIN.NET) in 144 ms
 
 ;; Truncated, retrying in TCP mode.
 socket.c:2486: REQUIREsock) != ((void *)0))  (((const isc__magic_t *)(s
 ock))-magic == ((('I')  24 | ('O')  16 | ('i')  8 | ('o')) failed.
 Aborted
 
 
 --
 Andris
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: socket.c:4524: unexpected error:

2009-09-06 Thread Mark Andrews 
 in advance,
 
  Ram
 
 
  2009/8/31 JINMEI Tatuya / ...@l@C#:H(B jin...@isc.org:
   At Sun, 30 Aug 2009 11:01:08 +0300,
   Ram Akuka ramak...@gmail.com wrote:
  
   recently i upgraded my DNS  to 9.4.3P3 (from 9.4.3).
   since then i can see the below error more often:
   30-Aug-2009 02:27:24.925 general: error: socket.c:4524: unexpected erro
 r:
   30-Aug-2009 02:27:24.925 general: error: 22/Invalid argument
   i can see there's an open bug on this issue -
   http://www.mail-archive.com/bind-users@lists.isc.org/msg03339.html,
   but i can't understand what's the effects of this bug.
   is there any way i can help solve this bug? can i know how this
   effects my service . should i expect some service interruption or
   anything like that ?
   should i consider downgrade to 9.4.2P2?
  
   First off, please identify the operating system and its version.  This
   kind of thing can be highly dependent on OS-level details.
  
   Secondly, I suspect it's less likely that the difference from 9.4.3
   and 9.4.3-P3 suddenly causes this failure.  If you really see more of
   this after upgrading to 9.4.3-P3 from 9.4.3, I guess it's more likely
   because (e.g.) a change of query pattern.  Or do you mean you upgraded
   from 9.4.2-P2 to 9.4.3-P3?
  
   Also, how often did it happen?  While it's an unexpected error in this
   context, a system call (connect(2) in this case) can fail for any
   reason and the other part of named has some level of resilience to
   such cases.  So, unless it's very frequent you may be able to ignore
   the warnings safely in practice.
  
   ---
   JINMEI, Tatuya
   Internet Systems Consortium, Inc.
  
  ___
  bind-users mailing list
  bind-users@lists.isc.org
  https://lists.isc.org/mailman/listinfo/bind-users
  --
  Mark Andrews, ISC
  1 Seymour St., Dundas Valley, NSW 2117, Australia
  PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: root and in-addr.arpa zone transfers

2009-09-12 Thread Mark Andrews 

In message 20090912082415.ga13...@fantomas.sk, Matus UHLAR - fantomas writes:
  On Freitag 11 September 2009 Matus UHLAR - fantomas wrote:
   - it's quite useless to cache the .arpa and .in-addr.arpa since
   unlike other TLD's they are hierarchically organised so there won't
   be any valuable benefit from slaving them, only risks (see above).
 
 On 12.09.09 09:27, Michael Monnerie wrote:
  Every other point is OK, but I don't understand this one. They are all 
  hierarchical, what's the difference with .in-addr.arpa?
 
 while there are many manual mistypes in root and other domains, there are (ne
 arly) no
 mistypes in .arpa and in-addr.arpa domains since these domains are
 accessed by software and miskates here are unlikely to happen 
 (of course sw can have bugs but authors would soon notice it doesn't work).

Whether in-addr.arpa is useful or not depends on where you are in
the world and what the connectivity is like.  There was a time when
I would have recommended slaving the root and in-addr.arpa to every
Australian site.  When the one link connecting most of Australia
went down this sort of think kept a vast majority of the internal
communications within Australia working as you could find au and
you could do reverse lookups of the Australian address blocks.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Modified a zone, so when it becomes available?

2009-09-15 Thread Mark Andrews 

In message 4aaf7181.4040...@isc.org, Cathy Almond writes:
 Marcos Lorenzo de Santiago wrote:
  El mar, 15-09-2009 a las 07:04 -0300, Leonardo Rodrigues escribi=F3:
  Marcos Lorenzo de Santiago escreveu:
  When I modify a RR or add a new one on an existing zone, I have to
  restart master server to make the change available. Is there any other
  way to reload the zone without stopping bind?
 
  I've tried with:
- rdnc reload [zone]
- rndc reconfig [zone]
- rndc refresh [zone]
 
  Am I missing anything?
=
 
 
  'rndc reload' is enough to make the zones being re-read and =
 
  new/updated records available.
 
  Problably you're missing:
 
  1) to increment the zone serial ... if you dont do that, bind wont know =
 
  you updated the zone. That's important, ALWAYS update the serial when =
 
  changing/adding records;
  =
 
  I always update the serial, I know little but I know this ;)
  =
 
  2) your DNS server itself is using another DNS server which is caching =
 
  the records, so cache needs to expire so new/updated records can be =
 
  seen. You can have your DNS server using itself (127.0.0.1) as DNS =
 
  server, that should solve if this is the problem;
  =
 
  This master server is its own server, so that's not the case...
  =
 
  After making changes to zone, updated serial, and rndc reload, I dig my
  zone and get always the old serial. The serial and the changes only
  appear when I '/etc/init.d/bind restart' it.
  =
 
  I use bind 9.5.1 on debian 5.0.3.
  =
 
  Any clue?
  =
 
  Thanks in advance.
  =
 
 Are your zone file modification timestamps being updated when you make
 changes?
 
 Regards,
 
 Cathy
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

It sounds like the zone is configured for dynamic update.  Reload has
no effect if the zone is configured for dynamic update.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

BIND 9.5.2rc1 is now available.

2009-09-15 Thread Mark Andrews 
--- Blind-Carbon-Copy

To: bind-annou...@isc.org
From: Mark Andrews ma...@isc.org
Subject: BIND 9.5.2rc1 is now available.
Date: Wed, 16 Sep 2009 14:45:09 +1000
Sender: ma...@drugs.dv.isc.org


BIND 9.5.2rc1 is now available.

BIND 9.5.2rc1 is a maintenance release candidate for BIND 9.5.

BIND 9.5.2rc1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.5.2rc1/bind-9.5.2rc1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.5.2rc1/bind-9.5.2rc1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.2rc1/bind-9.5.2rc1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.2rc1/bind-9.5.2rc1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp.

A binary kit for Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.zip
ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.debug.zip

The PGP signature of the binary kit for Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.2rc1/BIND9.5.2rc1.debug.zip.sha512.asc

Changes since 9.5.0.

--- 9.5.2rc1 released ---

2672.   [bug]   Don't enable searching in 'host' when doing reverse
lookups. [RT #20218]

2670.   [bug]   Unexpected connect failures failed to log enough
information to be useful. [RT #20205]

2663.   [func]  win32:  allow named to run as a service using
NT AUTHORITY\LocalService as the account. [RT #19977]

2656.   [func]  win32: add a tools only check box to the installer
which causes it to only install dig, host, nslookup,
nsupdate and relevent dlls.  [RT #19998]

2655.   [doc]   Document that key-directory does not affect
rndc.key.  [RT #20155]

--- 9.5.2b1 released ---

2649.   [bug]   Set the domain for forward only zones. [RT #19944]

2648.   [port]  win32: isc_time_seconds() was broken. [RT #19900]

2646.   [bug]   Incorrect cleanup on error in socket.c. [RT #19987]

2645.   [port]  gcc -m32 didn't work on amd64 and x86_64 platforms
which default to 64 bits. [RT #19927]

2642.   [bug]   nsupdate could dump core on solaris when reading
improperly formatted key files.  [RT #20015]

2640.   [security]  A specially crafted update packet will cause named
to exit. [RT #2]

2637.   [func]  Rationalize dnssec-signzone's signwithkey() calling.
[RT #19959]

2635.   [bug]   isc_inet_ntop() incorrectly handled 0.0/16 addresses.
[RT #19716]

2633.   [bug]   Handle 15 bit rand() functions. [RT #19783]

2632.   [func]  util/kit.sh: warn if documentation appears to be out of
date.  [RT #19922]

2623.   [bug]   Named started seaches for DS non-optimally. [RT #19915]

2621.   [doc]   Made copyright boilterplate consistent.  [RT #19833]

2920.   [bug]   Delay thawing the zone until the reload of it has
completed successfully.  [RT #19750]

2618.   [bug]   The sdb and sdlz db_interator_seek() methods could
loop infinitely. [RT #19847]

2617.   [bug]   ifconfig.sh failed to emit an error message when
run from the wrong location. [RT #19375]

2616.   [bug]   'host' used the nameservers from resolv.conf even
when a explicit nameserver was specified. [RT #19852]

2615.   [bug]   __attribute__((unused)) was in the wrong place
for ia64 gcc builds. [RT #19854]

2614.   [port]  win32: 'named -v' should automatically be executed
in the foreground. [RT #19844]

2610.   [port]  sunos: Change #2363 was not complete. [RT #19796]

2606.   [bug]   delegation-only was not being accepted in
delegation-only type zones. [RT #19717]

2605.   [bug]   Accept DS responses from delegation only zones.
[RT # 19296]

2603.   [port]  win32: handle .exe extension of named-checkzone and
named-comilezone argv[0] names under windows.
[RT #19767]

2602.   [port]  win32: fix debugging command line build of libisccfg.
[RT #19767]

2599.   [bug

Re: is TSIG key rollover possible?

2009-09-15 Thread Mark Andrews 

In message 4ab072dc.2070...@nzrs.net.nz, Sebastian Castro writes:
 Hi everyone:
 
 I was reading the document Deprecation of HMAC-MD5 in DNS TSIG and TKEY
 Resource Records
 (http://www.ietf.org/id/draft-ietf-dnsext-tsig-md5-deprecated-03.txt)
 and I thought Darn, I must be prepared to do a TSIG renovation, so
 started researching how to do it.
 
 First step was checking if BIND supported a different algorithm, but the
 BIND ARM for BIND9.5 and 9.6 indicates The algorithm, hmac-md5, is the
 only one supported by BIND. That seemed strange, considering the
 document indicated above was originally proposed in 2008. So I used the
 source and found out other algorithms are supported in 9.5 and 9.6, so
 there is a mistake in the documentation.
 
 Anyway, TSIG rollover is an operation needed as indicated on RFC 2385:
 
  RFC 2385 quote -
 6.2. Secret keys should be changed periodically.  If the client host
has been compromised, the server should suspend the use of all
secrets known to that client.  If possible, secrets should be stored
in encrypted form.  Secrets should never be transmitted in the clear
over any network.  This document does not address the issue on how to
distribute secrets. Secrets should never be shared by more than two
entities.
  RFC 2385 quote -
 
 but again the documentation indicates: Multiple keys may be present,
 but only the first is used.

Which only applies to control channels keys.
 
 So, to coordinate the retirement of an old TSIG key and the introduction
 of a new one, it seems a close coordination between peers is needed in
 order to make it work, within a 'maintenance window' where the
 operations using the TSIG are not executed (in my particular interest,
 zone transfers)? Is it not possible to gradually introduce a new key,
 use both for a period of time and later retire the old one, similar to
 what is done in DNSSEC?

 Any experience on this matter that could be shared publicly or privately
 will be appreciated.
 
 Kind Regards
 Sebastian Castro
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS server works but keep getting host unreachable resolving error

2009-09-21 Thread Mark Andrews 

In message 865284.37771...@web36203.mail.mud.yahoo.com, Shi Jin writes:
 
  host unreachable is one of the clearer error messages, so
  you need
  to do some digging. From the box that you've set up bind9
  on you'll
  need to use dig to query the ISP's name servers. If that
  works, then
  you'll have to use tcpdump on that box to find out what
  named is doing.
  
  Doug
  
 Thank you very much.
 Your suggestion to use tcpdump actually is very helpful. It clearly shows:
  ICMP host 216.171.238.67 unreachable - admin prohibited, length 87

Yet you claim that dig to 216.171.238.67 works.  I think you need to provide
a full trace not the summary that a plain tcpdump gives.

Add  -Xvvv to the set of flags you used with tcpdump.

 So I think this most likely has to do with the firewall setup. Probably I 
 should enable ICMP redirect? Could anyone confirm? And
  is this safe?
 
 Thank you very much.
 Shi
 
 
   
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Error on make, help needed please.

2009-09-22 Thread Mark Andrews 

In message 4ab8f7cc.6000...@actioncorp.biz, Laura Speck writes:
 Hi,
 
 I'm having a problem upgrading my current installation of bind. This is 
 the error I am getting:
 
 http://pastebin.ca/1575360
 
 I'm currently running OpenSSL 0.9.8k on Red Hat Linux release 7.1.

If you are linking against OpenSSL 0.9.8k then these function will
be found.  It looks like the linker is finding a old libcrypto that
is inconsistent to the header files named was compiled against.

Mark

 Thanks in advance for any insight on why this is not working.
 
 Laura
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND with DLZ doesn't reconnect to the MySQL 5.x server after disconnect

2009-09-23 Thread Mark Andrews 

In message 4ab9c360.7090...@dougbarton.us, Doug Barton writes:
 I recently added DLZ options to the BIND ports on FreeBSD, and a user
 has filed the following problem report:
 http://www.freebsd.org/cgi/query-pr.cgi?pr=139051
 
 Does anyone have any comment on the patch suggested at the URL in the
 PR?
 http://www.shell-tips.com/2007/09/04/bind-950-patch-dlz-mysql-5-for-auto-recon
 nect/
 
 Is this something that is likely to be included in a BIND distribution
 any time soon?

Reconnect is already being set.

B.T.W. the patch passes a pointer to the wrong type to mysql_options()
see http://dev.mysql.com/doc/refman/5.1/en/mysql-options.html
 
 Thanks,
 
 Doug
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-23 Thread Mark Andrews 

In message alpine.neb.2.01.0909231442321@t1.m.reedmedia.net, Jeremy C. Re
ed writes:
  It looks like that the authoritative name server for youbei.cc
  actually did return some answers, but somehow bind gave a FORMERR for
  some unknown reasons, which I think it caused a SERVFAIL to be
  reported in turn. Interestingly, dig any youbei.cc +trace ran
  successfully and did not report any error.
 
  Does anyone know what might have caused this problem?
 
 My custom named logs:
 
 23-Sep-2009 15:00:29.749 resolver: notice: FORMERR: Type didn't match (ANY != 
 A)
 23-Sep-2009 15:00:29.770 resolver: notice: FORMERR: Reply has no answer.
 
 named wants to know Is the question the same as the one we asked?
 
 I think 72dns.com has a broken DNS server.
 
More modern versions of dig will also report the mismatch.  The
servers also answers  queries with A records.

It's a pity registries are not required to verify correct operation
of the nameservers they are delegating to before accepting the
delegation.  If they were then a lot of this garbage would cease.
It really isn't hard for a registry (or the registrar on behalf of
the registry) to check that servers answer queries correctly.  Just
the almighty dollar has got in front of having a working system.

Mark

% dig any youbei.cc @ns1.72dns.com
;; Question section mismatch: got youbei.cc/A/IN
;; Question section mismatch: got youbei.cc/A/IN
;; Question section mismatch: got youbei.cc/A/IN

;  DiG 9.7.0a2  any youbei.cc @ns1.72dns.com
;; global options: +cmd
;; connection timed out; no servers could be reached
% 

% dig  youbei.cc @ns1.72dns.com

;  DiG 9.3.6-P1   youbei.cc @ns1.72dns.com
;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 5189
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;youbei.cc. IN  

;; ANSWER SECTION:
youbei.cc.  3600IN  A   211.155.230.241

;; Query time: 436 msec
;; SERVER: 121.12.173.174#53(121.12.173.174)
;; WHEN: Thu Sep 24 07:07:46 2009
;; MSG SIZE  rcvd: 52
%



 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

BIND 9.5.2 is now available.

2009-09-23 Thread Mark Andrews 
--- Blind-Carbon-Copy

To: bind-annou...@isc.org
From: Mark Andrews ma...@isc.org
Subject: BIND 9.5.2 is now available.
Date: Thu, 24 Sep 2009 11:01:29 +1000
Sender: ma...@drugs.dv.isc.org


BIND 9.5.2 is now available.

BIND 9.5.2 is a maintenance release for BIND 9.5.

BIND 9.5.2 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.5.2/bind-9.5.2.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.5.2/bind-9.5.2.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.2/bind-9.5.2.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.2/bind-9.5.2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp.

A binary kit for Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.zip
ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.debug.zip

The PGP signature of the binary kit for Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.2/BIND9.5.2.debug.zip.sha512.asc

Changes since 9.5.0.

--- 9.5.2 released ---

2681.   [bug]   IPSECKEY RR of gateway type 3 was not correctly
decoded. [RT #20269]

2678.   [func]  Treat DS queries as if minimal-response yes;
was set. [RT #20258]

2427.   [func]  Treat DNSKEY queries as if minimal-response yes;
was set. [RT #18528]

--- 9.5.2rc1 released ---

2672.   [bug]   Don't enable searching in 'host' when doing reverse
lookups. [RT #20218]

2670.   [bug]   Unexpected connect failures failed to log enough
information to be useful. [RT #20205]

2663.   [func]  win32:  allow named to run as a service using
NT AUTHORITY\LocalService as the account. [RT #19977]

2656.   [func]  win32: add a tools only check box to the installer
which causes it to only install dig, host, nslookup,
nsupdate and relevent dlls.  [RT #19998]

2655.   [doc]   Document that key-directory does not affect
rndc.key.  [RT #20155]

--- 9.5.2b1 released ---

2649.   [bug]   Set the domain for forward only zones. [RT #19944]

2648.   [port]  win32: isc_time_seconds() was broken. [RT #19900]

2646.   [bug]   Incorrect cleanup on error in socket.c. [RT #19987]

2645.   [port]  gcc -m32 didn't work on amd64 and x86_64 platforms
which default to 64 bits. [RT #19927]

2642.   [bug]   nsupdate could dump core on solaris when reading
improperly formatted key files.  [RT #20015]

2640.   [security]  A specially crafted update packet will cause named
to exit. [RT #2]

2637.   [func]  Rationalize dnssec-signzone's signwithkey() calling.
[RT #19959]

2635.   [bug]   isc_inet_ntop() incorrectly handled 0.0/16 addresses.
[RT #19716]

2633.   [bug]   Handle 15 bit rand() functions. [RT #19783]

2632.   [func]  util/kit.sh: warn if documentation appears to be out of
date.  [RT #19922]

2623.   [bug]   Named started seaches for DS non-optimally. [RT #19915]

2621.   [doc]   Made copyright boilterplate consistent.  [RT #19833]

2920.   [bug]   Delay thawing the zone until the reload of it has
completed successfully.  [RT #19750]

2618.   [bug]   The sdb and sdlz db_interator_seek() methods could
loop infinitely. [RT #19847]

2617.   [bug]   ifconfig.sh failed to emit an error message when
run from the wrong location. [RT #19375]

2616.   [bug]   'host' used the nameservers from resolv.conf even
when a explicit nameserver was specified. [RT #19852]

2615.   [bug]   __attribute__((unused)) was in the wrong place
for ia64 gcc builds. [RT #19854]

2614.   [port]  win32: 'named -v' should automatically be executed
in the foreground. [RT #19844]

2610.   [port]  sunos: Change #2363 was not complete. [RT #19796]

2606.   [bug]   delegation-only was not being accepted in
delegation-only type zones. [RT #19717]

2605.   [bug]   Accept DS responses from delegation only zones.
[RT # 19296]

2603.   [port

Re: BIND with DLZ doesn't reconnect to the MySQL 5.x server after?disconnect

2009-09-25 Thread Mark Andrews 

In message 20090925184532.cf9cc...@raisa.eu.org, Emil Smolenski writes:
 Mark Andrews wrote:
 
  Reconnect is already being set.
 
  Hello. Indeed, I found following message in release notes of BIND
 9.6.1-P1 ( http://oldwww.isc.org/sw/bind/view/?release=9.6.1-P1 ):

Which you should have seen came *after* 9.6.1 was released.
The CHANGES file is in reverse chronological order.

2581.   [contrib]   dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
Requires MySQL 5.0.19 or later. [RT #19084]

2580.   [bug]   UpdateRej statistics counter could be incremented twice
for one rejection. [RT #19476]

--- 9.6.1 released ---

 dlz/mysql set MYSQL_OPT_RECONNECT option on connection. Requires MySQL
 5.0.19 or later. [RT #19084]
 
  But there is no output from the second command:
 
 $ tar xf bind-9.6.1-P1.tar.gz
 $ grep -r MYSQL_OPT_RECONNECT bind-9.6.1-P1
 $
 
  I've tested it. BIND still doesn't reconnect. After applying patch
 mentioned earlier, BIND starts to work properly.
 
 I believe this patch should be commited (as is committed in 9.7.0a3):
 
 $ diff bind-9.7.0a3/contrib/dlz/drivers/dlz_mysql_driver.c \
bind-9.6.1-P1/contrib/dlz/drivers/dlz_mysql_driver.c
 795,797d794
  #ifdef MYSQL_OPT_RECONNECT
  my_bool auto_reconnect = 1;
  #endif
 929,939d925
  #ifdef MYSQL_OPT_RECONNECT
/* enable automatic reconnection. */
  if (mysql_options((MYSQL *) dbi-dbconn, MYSQL_OPT_RECONNECT,
  auto_reconnect) != 0) {
   isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
  DNS_LOGMODULE_DLZ, ISC_LOG_WARNING,
  mysql driver failed to set 
  MYSQL_OPT_RECONNECT option, continuing);
}
  #endif
 
  BTW, why there are only #ifdefs without #define in 9.7.0a3? Is user
 forced to set this option himself to make it work?

No.  MYSQL_OPT_RECONNECT is only in some versions of mysql.  If you have
a version which supports MYSQL_OPT_RECONNECT then MYSQL_OPT_RECONNECT will
be defined.

Mark
 
 -- 
 am
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: *.dlv.isc.org DS: must be secure warnings [was: Re: 9.6.1-P1 log message]

2009-09-27 Thread Mark Andrews 

In message prayer.1.3.2.0909262248400.24...@hermes-1.csi.cam.ac.uk, Chris Tho
mpson writes:
 Back in August there was some a thread on bind-users about messages
 of the shape
 
   validating @[hex]: [name].dlv.isc.org DS: must be secure failure
 
 (these are category dnssec severity warning) and on 31 August I wrote:
 
 We have been running two production recursive nameservers validating against
 dlv.isc.org since 9 June, and first saw a batch of messages (for both server
 s)
 like this on 20 July. We reported them to ISC and got suggestions along the
 lines of Mark's above, along with an admission that current versions of BIND
 give up on EDNS too easily in situations they maybe shouldn't, which may be
 fixed in future releases.
 
 Since then we have had a trickle of such warning messages in the logs. We
 assume that they are the result of temporary network glitches somewhere,
 but their frequency appears to be increasing, which is somewhat worrying.
 It's also not clear whether any client queries are actually failing as a
 result, or whether BIND is simply trying another dlv.isc.org nameserver
 with better luck.
 
 I have been looking at this again, and in fact there was a step function
 on 21 August when the messages rose from almost nil to 15-20 per day, and
 then fell back to almost nil after 15 September (we've seen just one since
 then). We have been running BIND 9.6.1-P1 throughout.
 
 I would be very interested to know whether other recursive nameserver
 operators validating via dlv.isc.org have seen a similar pattern. I am
 prepared to believe that the frequency is related to transient network
 errors or delays, but I have no idea whether they are likely to be local
 or at at the dlv.isc.org server end.

One gets these or similar messages when named falls back to plain
DNS as a result of multiple timeouts.  Named tries EDNS advertising
a 4096 byte UDP buffer, then after multiple timeouts it tries EDNS
advertising a 512 byte UDP buffer, then after multiple timeouts it
tries plain DNS.

Named also had a bug where it would fallback a EDNS step when it
didn't need to (like retrying w/ TCP).  This made DNSSEC behind
middleware that was dropping fragments difficult.

2564.   [bug]   Only take EDNS fallback steps when processing timeouts.
[RT #19405]

Some (perhaps not all) of the timeout causes are below.  This list is
not specific to DLV.

(apparent) non responses to UDP queries can be due to lots of causes:
*+ Firewalls/middleware that blocks DNS responses  512
*+ Firewalls/middleware that blocks fragments
*+ Lack of support for out of order responses in NAT
*+ Responses that require fragmentation but DF set.  Most of these will
  be in the 1481-1500 bytes in size (IP in IP tunnels).  Larger responses
  are usually fragmented by the sending OS and don't have DF set.  Smaller
  response make it through a single layer of encapsulation.
*+# Bad nameserver software that fails to respond to EDNS requests
*+# Firewalls/proxies that block EDNS queries or queries/responses with
  one or more of DO, CD or AD set.
* Congestion
* Packet corruption
* Appear lost due to long rtt times
  - load balancing probes taking too long
  - multiple satellite links
  - significant congestion causing long delays

+ indicates broken software
# indicates fallback to plain DNS will be required

A handful a day would suggest packet corruption/congestion as the likely
cause.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-29 Thread Mark Andrews 

In message 20090929122845.ga13...@nic.fr, Stephane Bortzmeyer writes:
 On Thu, Sep 24, 2009 at 07:16:35AM +1000,
  Mark Andrews ma...@isc.org wrote 
  a message of 77 lines which said:
 
  It's a pity registries are not required to verify correct operation
  of the nameservers they are delegating to before accepting the
  delegation.
 
 Some do!
 
 http://www.afnic.fr/outils/zonecheck/_en

The key word is required.  I know some do, I just wish more did.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-29 Thread Mark Andrews 

In message alpine.lfd.1.10.0909291125070.11...@newtla.xelerance.com, Paul Wou
ters writes:
 On Wed, 30 Sep 2009, Mark Andrews wrote:
 
  http://www.afnic.fr/outils/zonecheck/_en
 
  The key word is required.  I know some do, I just wish more did.
 
 I for one, welcome our new named-checkzone overlords.
 
 (especially if named-checkzone would fail to OK a zone with NSEC3RSASHA1 keys
 and re-used NSEC records :)

NSEC3RSASHA1 w/ NSEC is fine and is required if you want to transition
from RSASHA1 (w/ NSEC) to NSEC3RSASHA1 w/ NSEC3 w/o going insecure.

NSEC + NSEC3PARAM however could be rejected as could having multiple
NSEC3PARAM records.

 Paul

Not named-checkzone (yet) but the following are in BIND 9.6.2.

2686.   [bug]   dnssec-signzone should clean the old NSEC chain when
signing with NSEC3 and vice versa. [RT #20301]

2683.   [bug]   dnssec-signzone should clean out old NSEC3 chains when
the NSEC3 parameters used to sign the zone change.
[RT #20246]

dnssec-signzone works on the zone as a whole so it is in the position
to do this in a straight forward manner.  Named, however, needs to
support multiple NSEC3 chains (though not all may be complete) as
it does its work incrementally but perhaps it could be argued that
when you finish adding new NSEC3 chain incrementally the old one
should be removed.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC

2009-09-29 Thread Mark Andrews 

In message prayer.1.3.2.0909291446310.21...@hermes-1.csi.cam.ac.uk, Chris Thom
pson writes:
 DNSSEC certainly adds to the aggravation of having lots of piddling little
 reverse zones. Some people may just decide not to bother signing reverse
 zones (reverse lookup results should only be treated as a hint, anyway).

DNSSEC makes no difference to the count of reverse zones unless you
are depending on the nameserver filtering out records that shouldn't
be loaded into a zone.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Query Refused problem

2009-09-30 Thread Mark Andrews 

Have you read the documentation that describes what allow-query does?

varlistentry
  termcommandallow-query/command/term
  listitem
para
  Specifies which hosts are allowed to ask ordinary
  DNS questions. commandallow-query/command may
  also be specified in the commandzone/command
  statement, in which case it overrides the
  commandoptions allow-query/command statement.
  If not specified, the default is to allow queries
  from all hosts.
/para
note
  para
commandallow-query-cache/command is now
used to specify access to the cache.
  /para
/note
  /listitem
/varlistentry

varlistentry
  termcommandallow-query-cache/command/term
  listitem
para
  Specifies which hosts are allowed to get answers
  from the cache.  If commandallow-query-cache/command
  is not set then commandallow-recursion/command
  is used if set, otherwise commandallow-query/command
  is used if set unless commandrecursion no;/command is
  set in which case commandnone;/command is used,
  otherwise the default (commandlocalnets;/command
  commandlocalhost;/command) is used.
/para
  /listitem
/varlistentry

Mark

In message 4ac36444.9000...@whgl.uni-frankfurt.de, Sven Eschenberg writes:
 Dear list,
 
 This seems more tricky, then I thought.
 
 When I had no allow-query statement at all in my config, everything 
 worked find (includign recursion) for all clients, that were in subnets 
 directly attached to the server. The external view (authoriative, non 
 recursive) did work for every client as supposed to.
 Now a client on a not directly attached subnet, with it's own view, 
 could not resolve anything, except local zones on the server. (Though 
 recursion was turned on for the view).
 External view's clients could nto recurse, though recursion was turned 
 on, obviously to realyl recurse I'd need an allow-query statement.
 
 Adding an allow-query statement to the general config, limitied to the 
 campus network made all local views work, but with the result, that no 
 client matching the external view could looks up the authoriative zones.
 
 Now, I am wondering if I did set uop everything right afterall, here's 
 what I did do:
 
 External view, no recursion, allow-query {any;}
 Not directly attached client with internal view: match on client's ip, 
 allow recursion, allow query for the client's ip.
 all other internal views, matched by locally attached netowrks, no 
 allow-query statement, allow recursion.
 
 This seems to work.
 
 I am wondering: Would it be harmfull to allow queries by any host 
 (globally) as long as external clients (in their view) are not allowed 
 any recursion? Would that be more feasible?
 
 Regards
 
 -Sven
 
 
 Sven Eschenberg schrieb:
  I got it fixxed with an allow-query statement.
  
  But this arises another question: Does bind implicitly add allow-queries 
  for locally attached interfaces and the networks configured for these?
  
  I am asking, because it used to work for all the subnets directly 
  attached to the machine.
  
  Regards
  
  -Sven
  
  Sven Eschenberg schrieb:
  Dear list,
 
  I have one client with a specific zone. When the client does a query 
  for localhost on the nameserver, or a reverse lookup for 127.0.0.1, 
  everything seems perfectly okay. As soon, as the client tries to 
  lookup i.e. google.de or any external ip, I am getting query refused 
  errors.
 
  Sep 30 14:21:40 gw named[28715]: client ip of matched client#1039: 
  view watchdog: query (cache) 'www.google.de/A/IN' denied
  Sep 30 14:21:40 gw named[28715]: client ip of matched client#1040: 
  view watchdog: query (cache) 'www.google.de/A/IN' denied
 
  The DNS-Server works as a recursor for the client.
 
  What puzzles me most is: I cloned another internal view, which works 
  perfectly well for the clients matched by it.
 
  What might I be missing here, what can trigger a query refused answer 
  like this?
 
  Regards
 
  -Sven
 
 
  ___
  bind-users mailing list
  bind-users@lists.isc.org
  https://lists.isc.org/mailman/listinfo/bind-users
  
  ___
  bind-users mailing list
  bind-users@lists.isc.org
  https://lists.isc.org/mailman/listinfo/bind-users
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742

Re: Zone File Permission Question

2009-09-30 Thread Mark Andrews 

In message blu143-w25839d996784c2e16bdb91a2...@phx.gbl, Jim Williams writes:
 Hello=2C
 =20
 I have what seems to be a very basic question that I have been unable to fi=
 nd an answer for. What determines the settings of the file permissions (and=
  how can I change those default settings) on zone files created during a zo=
 ne transfer=2C BIND or the OS (Solaris)?=20
 =20
 thanks - jw

As with any other process the umask() is used.
 
 Hotmail=AE has ever-growing storage! Don=92t worry about storage limits. Ch=
 eck it out.
 =0A=
 _=0A=
 Insert movie times and more without leaving Hotmail=AE.=0A=
 http://windowslive.com/Tutorial/Hotmail/QuickAdd?ocid=3DTXT_TAGLM_WL_HM_Tut=
 orial_QuickAdd_062009=
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Query Refused problem

2009-10-01 Thread Mark Andrews 

In message 200910011237.09...@zmi.at, Michael Monnerie writes:
 On Donnerstag 01 Oktober 2009 Mark Andrews wrote:
  =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 Specifies which hosts are allowed to =
 get answers
  =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 from the cache. =A0If
  commandallow-query-cache/command is not set then
  commandallow-recursion/command is used if set, otherwise
  commandallow-query/command is used if set unless
  commandrecursion no;/command is set in which case
  commandnone;/command is used, otherwise the default
  (commandlocalnets;/command commandlocalhost;/command) is
  used.
 
 Not exactly a good explanation. At least, I've read it twice and still =
 
 don't exactly know where the if..else..elseif... parts connect. Maybe =
 
 someone could change that to pseudocode with if statements, or make it =
 
 several sentences so it's clear where if..unless..except..otherwise =
 
 parts start and end.
 
 mfg zmi
 -- =

if (set(allow-query-cache))
use allow-query-cache;
else if (set(allow-recursion))
use allow-recursion;
else if (set(allow-query))
use allow-query;
else if (set(recursion no;))
use { none; };
else
use { localnets; localhost; };
 
 // Michael Monnerie, Ing.BSc-  http://it-management.at
 // Tel: 0660 / 415 65 31  .network.your.ideas.
 // PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
 // Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
 // Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Glue record miunderstanding

2009-10-01 Thread Mark Andrews 

In message 73e2882f-00b3-41cb-b46d-351774486...@conundrum.com, Matthew Pounse
tt writes:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 
 On 01-Oct-2009, at 19:03, Scott Haneda wrote:
 
  So I see my NS is listed in the additional section.  This to me  
  tells me there is in fact glue, so I should consider the report at http://i
 ntodns.com/hostwizard.com 
   to be inaccurate?
 
 Yeah, I just ran a few queries and can't figure out what exactly it's  
 complaining about.
 
 Matt

It's making a observation (i in a blue circle) that there were
not additional records for ns1.nacio.com being returned by
ns1.hostwizard.com presumable because ns1.hostwizard.com doesn't
serve the zone that contains ns1.nacio.com.  There is nothing wrong
with this.  These records are NOT GLUE records.  Only parent servers
return GLUE records.

That being said there would be a error condition if the address
(A/) record for ns1.hostwizard.com didn't exist except as glue.
The way to check for that is to make a query for ns1.hostwizard.com
and follow all the delegations until you get to the zone that serves
ns1.hostwizard.com.

Modern versions of named attempt to detect glue only delegations
and refuse to load zones that contain have them.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind, dnssec, udp fragmentation woes.

2009-10-01 Thread Mark Andrews 

You really want to work out what is being blocked, EDNS?, responses
bigger that 512 bytes? DNSSEC? fragmented responses?  With a clean
path all of these should succeed but only the last one won't have
tc set.  This does a plain DNS query, a EDNS query that limits
the response to 512 bytes, a DNSSEC query that limits the response
to 512 bytes, a DNSSEC query that limits the response to something
that would not normally be fragmented but exceeds 512 bytes, a
DNSSEC query that will normally be fragmented.

% dig soa se @192.36.133.107 +norec +ignore 
% dig soa se @192.36.133.107 +norec +ignore +bufsize=512
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=1200 +dnssec
% dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec

Named does the following by default.  Ensure you have a up to date
version of namesd

dig dnskey se @192.36.133.107 +norec +ignore +bufsize=4096 +dnssec
dig dnskey se @192.36.133.107 +norec +ignore +bufsize=512 +dnssec
dig dnskey se @192.36.133.107 +norec +ignore

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind, dnssec, udp fragmentation woes.

2009-10-05 Thread Mark Andrews 

In message 1254502519.14277.16.ca...@dv6d4k1-u, Nicholas Wheeler writes:
 On Fri, 2009-10-02 at 13:22 +1000, Mark Andrews wrote:
  You really want to work out what is being blocked, EDNS?, responses
  bigger that 512 bytes? DNSSEC? fragmented responses?  With a clean
  path all of these should succeed but only the last one won't have
  tc set.  This does a plain DNS query, a EDNS query that limits
  the response to 512 bytes, a DNSSEC query that limits the response
  to 512 bytes, a DNSSEC query that limits the response to something
  that would not normally be fragmented but exceeds 512 bytes, a
  DNSSEC query that will normally be fragmented.
 =20
  % dig soa se @192.36.133.107 +norec +ignore=20
  % dig soa se @192.36.133.107 +norec +ignore +bufsize=3D512
 
 The above two work, the below four do not work (connection timed out; no
 servers could be reached).=20
 
 (note: I replaced se with my domain.tld, and the @ with my server).
 
 
  % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=3D1200
  % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=3D512 +dnssec
  % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=3D1200 +dnssec
  % dig dnskey se @192.36.133.107 +norec +ignore +bufsize=3D4096 +dnssec
 =20
  Mark
 
 Thanks for the help, but I don't know what this implies, other than
 nothing dnssec-related with udp works ;)

It means you have a device in the path that doesn't like UDP answer bigger
that 512 bytes *and* also doesn't like having DO set.

;  DiG 9.3.6-P1  dnskey se @192.36.133.107 +norec +ignore +bufsize=512 
+dnssec
;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 52624
;; flags: qr aa tc ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se.IN  DNSKEY

;; Query time: 334 msec
;; SERVER: 192.36.133.107#53(192.36.133.107)
;; WHEN: Tue Oct  6 09:16:58 2009
;; MSG SIZE  rcvd: 31

Now what you need to do is use a packet sniffer to see which devices
are blocking the queries/responses (there may be more than one).
You may also want to talk to the manufactures first.  They should
be able to tell you how to configure your boxes to work correctly
to support DNSSEC.

As things are curently configured you won't get DNSSEC working.
You may need to upgrade firmware or even replace some boxes.  The
IP330 was introduced in 1999 so it may not have firmware that handles
DNSSEC properly.

Mark

 Thanks,
 
 --=20
 Nicholas Wheeler
 Systems Administrator
 Development Infostructure
 
 --=-4uanAoS33Xc7mxoOFN+w
 Content-Type: application/pgp-signature; name=signature.asc
 Content-Description: This is a digitally signed message part
 
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.9 (GNU/Linux)
 
 iEYEABECAAYFAkrGMHQACgkQ8xWIEdi0CHEavwCdGACm3VOyfctcd/IfmiW2upIK
 Q2YAnAhSkPdnAgvPqzJg6Nzod4EKNuXc
 =//Z9
 -END PGP SIGNATURE-
 
 --=-4uanAoS33Xc7mxoOFN+w--
 
 --===2355657698356755570==
 Content-Type: text/plain; charset=us-ascii
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
 --===2355657698356755570==--
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: SIBLING GLUE address records (A or AAAA)

2009-10-05 Thread Mark Andrews 

In message hadipa$o6...@sepe.rau.edu.uy, Sergio Ramirez writes:
 Hi,
 
In the following example, the authoritive server for
 zone .xx has configured the delegations of the zones example.xx
 and otherexample.xx:
 
 example.xx  NS  ns1.example.xx
 example.xx  NS  ns2.example.xx
 ns1.example.xx A  11.22.33.44
 ns2.example.xx A  11.22.33.55
 otherexample.xx NS ns3.example.xx
 otherexample.xx NS ns4.example.xx
 
 the bind report these messages:
 
 ns3.example.xx has no SIBLING GLUE address records (A or )
 ns4.example.xx has no SIBLING GLUE address records (A or )
 
 because the glue records are not configured in the zone .xx, for
 ns3.example.xx and ns4.example.xx
 
 Are these glue records requiered ?
 
 I understand that is not. Is this right ?
 
 Regards,
 --
 Sergio R.
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

Whether SIBLING GLUE is needed or not depends on what other glue
there is.

Take this example.  The sibling glue is required for the delegation
to work.

otherexample.xx NS ns3.example.xx
otherexample.xx NS ns4.example.xx

example.xx NS ns1.otherexample.xx
example.xx NS ns2.otherexample.xx

There are even more complicated examples that require out of zone
glue to work.

Working out which glue is accepted is a trade-off between being
able to track down bad data and having a delegation work.  Named
accepts and returns glue that is under the parent.  Bad glue is
then traceable.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem on CNAME configuration.

2009-10-06 Thread Mark Andrews 

In message 20091005212435.ga26...@laperouse.bortzmeyer.org, Stephane Bortzmey
er writes:
 On Mon, Oct 05, 2009 at 04:41:24PM +0200,
  Cyril Gaudin - Rodacom c.gau...@rodacom.fr wrote 
  a message of 72 lines which said:
 
  Maybe squid didn't append domainname in the dns request?
 
 squid.conf:
 
 #  TAG: append_domain
 # Appends local domain name to hostnames without any dots in
 # them.  append_domain must begin with a period.
 #
 # Be warned there are now Internet names with no dots in
 # them using only top-domain names, so setting this may
 # cause some Internet sites to become unavailable.

And such names should not be in use.  Only heirachical host names
should be in use now.  Heirachical hostnames contain interior
periods.  RFC 921 actually said what was supposed to happen.
Unfortunately some operators of TLD's failed to pay attention.  Just
because DNS servers didn't block a record being added that didn't
make it correct for them to add it.

 #
 #Example:
 # append_domain .yourdomain.com
 #
 #Default:
 # none
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem with rndc

2009-10-09 Thread Mark Andrews 

In message 20091009082853.201...@gmx.net, Tom Schmitt writes:
 Hi,
 
 I'm running Bind 9.6.1-P1 on a Solaris 10-Box as a slave with different vie=
 ws and it is running fine.
 
 Now I want to use rndc. I don't have a rndc.conf, only a rndc.key.
 If I try something like
 rndc reload
 rndc reconfig
 rndc stop
 rndc halt
 it is working fine and does what I expect it to do.
 
 But if I try one of these two commands:
 rndc refresh example.com
 rndc retransfer example.com
 I get an errormessage from rndc:
 rndc: 'refresh' failed: not found
 or
 rndc: 'retransfer' failed: not found

Specify the class and view
 
 I get this with every domain I tried. I checked if I use the correct rndc a=
 nd the version is 9.6.1-P1.
 Can anyone give me a hint what I'm doing wrong?
 
 Thanks,
 Tom.
 -- =
 
 GRATIS f=FCr alle GMX-Mitglieder: Die maxdome Movie-FLAT!
 Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: adding new RR?

2009-10-15 Thread Mark Andrews 

In message 20091015135428.ga19...@fantomas.sk, Matus UHLAR - fantomas writes:
 On 15.10.09 21:29, aihua zhang wrote:
  recently,i want to modify source code of BIND9.6.1 to adding new RR.
 
 Don't do that. You bind will be incompatible with any other DNS server and
 it could lead to

As long as the type is registered it doesn't matter. 

  Now,i just begin to check  RR to see how it work,but i find this method
  exhausting me.i don't think this way is effective,so i'm very appreciate
  some one  could give me a guid, or some example:souce code is perfect

You have lots of examples. see lib/dns/rdata/*/*.[ch]  This is where the
rdata are defined.   Just run make clean then make once you have
created the new files so that the build process can find them.
 
 Better try to explain what do you want to achieve
 -- 
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 42.7 percent of all statistics are made up on the spot. 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Nslookup not showng TTL

2009-10-15 Thread Mark Andrews 

In message 76d7097b-28a4-4bbb-a2c8-05bf5b822...@conundrum.com, Matthew Pounse
tt writes:
 
 On 15-Oct-2009, at 16:03, John Horne wrote:
 
  On Thu, 2009-10-15 at 13:15 -0400, Kevin Darcy wrote:
 
  Removing features from nslookup gets us that much closer to KILLING  
  and
  BURYING it. Forever.
 
  So why does the ISC still distribute it?
  (Although I guess the answer may simply be because people still use
  it.)
 
 There was a while there that nslookup printed a big warning banner  
 telling you not to use it because it'd been deprecated and would go  
 away any day now.   That doesn't seem to be there anymore, sadly.   I  
 kinda wish it would just vanish.

We lost the battle to get rid of nslookup.

Index: bin/dig/nslookup.c
===
RCS file: /proj/cvs/prod/bind9/bin/dig/nslookup.c,v
retrieving revision 1.122
diff -u -r1.122 nslookup.c
--- bin/dig/nslookup.c  6 May 2009 23:47:50 -   1.122
+++ bin/dig/nslookup.c  15 Oct 2009 12:45:26 -
@@ -373,6 +373,7 @@
printrdata(rdata);
}
dns_rdata_reset(rdata);
+   printf(\tttl = %u\n, rdataset-ttl);
loopresult = dns_rdataset_next(rdataset);
}
}
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problems with include in acl file

2009-10-18 Thread Mark Andrews 

In message 4adb44a5.2060...@htt-consult.com, Robert Moskowitz writes:
 
 
 Chris Thompson wrote:
  On Oct 18 2009, Joseph S D Yao wrote:
 
  On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote:
  I am trying to build up an environment where the user can maintain 
  custom files and leave the basic files alone.
 
  So I have a named.acl that works, I add an include line:
 
  acl hdanets {
  192.168.1.0/24; // hda network
  include custom.acl;
  };
 
 
  and get the error:
 
  Starting named:
  Error in named configuration:
  named.acl:3: missing ';' before ''
  ...
 
 
  Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf,
  it seems to me that include is a statement, and needs to be parsed
  outside of any other statements, not inside a statement.  
 
  That's what it *says* ... but it is being economical with the truth!
 
   Inside the
  acl statement the parser would expect to see IP addresses, networks in
  the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword
  key, and the names of other ACLs.  When it encounters the word
  include in this context, it parses it as the name of an ACL - after
  which, the '' is out of place.
 
  As long ago as BIND 9.2, you'll find this in the CHANGES file:
 
  764.   [func]  Configuration files now allow include directives
 in more places, such as inside the view 
  statement.
 [RT #377, #728, #860]
 
  Roughly, include can occur instead of a keyword in any list where all
  list elements are introduced by keywords; e.g. view, options, 
  logging,
  zone. But not acl because the elements there do not (in general) 
  start
  with keywords.
 
 Oh, fiddlesticks  ;)'
 
 This complicates matters.  It would have made it very easy to bootstrap 
 into this process if this was supported.

acl's can include other acls.
I'm having a hard time seeing why you need to include a file here.

include custom.acl;   // defines acl customacl

acl hdanets {
92.168.1.0/24; // hda network
customacl;
};

  For the whole truth, you need to look at lib/isccfg/namedconf.c and
  lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody
  in the latter gets called :-( 
 
 I am not much into reading c code.  I never really programmed in c.  Did 
 do some programming in b
 
 So reading someone elses script and recommending changes has been 
 challenging enough!
 
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: refuse in notify slave

2009-10-21 Thread Mark Andrews 

In message 4adfe607.4050...@gmail.com, Nelson Serafica writes:
 I have multiple ip address on my primary ns server. (eth0 , eth0:1 , eth0:2).
  Let's say eth0 is 1.2.3.4, eth0:1 is 
 2.3.4.5 and th0:2 is 3.4.5.6. I have a slave ns server but everytime I do rnd
 c reload and check secondary ns on syslog, 
 I see
 
 refused notify from non-master: 1.2.3.4#48499
 
 where 1.2.3.4 is the ip of eth0. Is it possible the ip address that will send
  to slave will be 4.5.6.7 (eth0:2) and not 
 1.2.3.4 (eth0)?

notify-source
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: isc.org has signed delegation

2009-10-21 Thread Mark Andrews 

In message 4adfeaab.8060...@north-winds.org, Loren M. Lang writes:
 
 I just noticed that isc.org has a signed delegation from the .org name
 servers.  I am curious what registrar you went through to get this.
 --=20
 Loren M. Lang
 lor...@north-winds.org
 http://www.north-winds.org/

It was added as part of the Friend and Family step.  We worked
directly with the registry.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Can I have a *.domain.com A record

2009-10-26 Thread Mark Andrews 

In message 4ae5c6cc.8020...@ou.edu, Peter Laws writes:
 Hey!  RTFRFC!  :-)
 
 Except a scanning of that RFC doesn't say anything about not using them, 
 only in clarifying RFC 1034's intentions regarding wildcards.
 
 So, why is it a very bad idea?
 
 Peter

What is legal and what works well are two very differnet things.

Wild cards lead to more application traffic than populating the
zone with the actual domains that are in use.  If you are in a
position to know all the names in use (and a virtual web hoster is)
then wild cards should not be used.  Wild cards are designed for
the case where it is impossible to know all the names in use which
is why there were mainly use for MX records to get mail to mail
gateways.  Other uses are often administrators being lazy and as a
result everyone else picks up the cost of that laziness.  Yes, there
is a real cost if a web browser makes a http connection only to be
told the virtual address does not exists.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: libbind ns_sign() and ns_verify() parameter in_timesigned not documented

2009-10-26 Thread Mark Andrews 

In message 4ae58fd9.8020...@sun.com, Stacey Jonathan Marshall writes:
 The tsig manual page description for ns_sign() and ns_verify() include a 
 parameter named in_timesigned of type time_t.  However there is no 
 description of this parameter as there is for the others:
 
 $ less libbind-6.0/doc/tsig.cat3
 TSIG LOCALTSI
 G
 
 NAME
  ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
  ns_verify_tcp_init, ns_find_tsig -- TSIG system
 
 SYNOPSIS
  int
  ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
  const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
  time_t in_timesigned);
 
 ...
  int
  ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
  int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
  int nostrip);
 
 
  From a cursory review it does not seem to be used unless error == 
 ns_r_badtime.
 Could someone describe the purpose of parameter? 

Theoretically a client can take the bad time response and compute
a time delta and use it to adjust the timestamp in future communications
to the server.  This allows the client to correct for clock skew
if it wants.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Regarding EDNS Responses.

2009-10-28 Thread Mark Andrews 

In message 001501ca5785$257c7220$21011...@china.huawei.com, Ashwin writes:
 
 Hi All,
 
  RFC 2671 mentions in Section 5.3
 
 Responders who do not understand these protocol extensions are
 expected to send a response with RCODE NOTIMPL, FORMERR, or
 SERVFAIL.
 
 However the above mentioned error codes are shared [SERVFAIL, NOTIMPL] are
 shared, so how do we ascertain that the error code returned is an indication
 that a particular server is non-EDNS, since the error might be returned due
 to some other reason also.
 
 So essentially my query is how do we decide that a particular server is EDNS
 or not? Can it be assumed that each time the above three error codes are
 returned , it signifies that the DNS server is not EDNS capable?

You assume it is EDNS if it is in response to a EDNS query and retry
w/o EDNS.  It the problem is EDNS the plain DNS query will succeed.
If it is not EDNS the plain EDNS query will fail.

  
 Regards
 
 Ashwin

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Regarding EDNS Responses.

2009-10-28 Thread Mark Andrews 

It's not a perfect world.  Even getting back a EDNS response does not
indicate that the server understands EDNS.

In message 002301ca579c$56deb0f0$21011...@china.huawei.com, Ashwin writes:
 
 In message 001501ca5785$257c7220$21011...@china.huawei.com, Ashwin writes:
  
  Hi All,
  
   RFC 2671 mentions in Section 5.3
  
  Responders who do not understand these protocol extensions are
  expected to send a response with RCODE NOTIMPL, FORMERR, or
  SERVFAIL.
  
  However the above mentioned error codes are shared [SERVFAIL, NOTIMPL] are
  shared, so how do we ascertain that the error code returned is an
 indication
  that a particular server is non-EDNS, since the error might be returned
 due
  to some other reason also.
  
  So essentially my query is how do we decide that a particular server is
 EDNS
  or not? Can it be assumed that each time the above three error codes are
  returned , it signifies that the DNS server is not EDNS capable?
 
 
 Hi Mark,
  You assume it is EDNS if it is in response to a EDNS query and retry
  w/o EDNS.  It the problem is EDNS the plain DNS query will succeed.
  If it is not EDNS the plain EDNS query will fail.
   
 Thanks for you response. I have a doubt though.
 
   I send out an EDNS query, for the response the following possibilities
   a) Success, with OPT RR, I assume server is EDNS capable
   b) Failure with RCODE NOTIMPL, FORMERR, or SERVFAIL with or without
 OPT RR.
 
 In b) I do not know whether server is EDNS or not, since server might return
 NOTIMPL  SERVFAIL error codes for some other reason also. If I consider the
 case that retry with plain DNS query is success and assume EDNS was problem,
 I think maybe its not correct because SERVFAIL might happen for some other
 reason at the time EDNS query is sent, but that error is resolved by the
 time the plain DNS query is sent. So even though server is EDNS i would
 assume it is non-EDNS.
 
 The idea is to identify whether a server supports EDNS through a first
 query, and then subsequent requests we send based on this identification.
 One could call it a pseudo-caching of the EDNS feature for servers.
 
 I hope I made myself clear :(
 
  Regards
  
  Ashwin
 
 -- 
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: how to debug

2009-10-28 Thread Mark Andrews 

In message e1b1ab9e0910281921j612d2982le3170b6dc3d60...@mail.gmail.com, aihua
 zhang writes:
 
 HI,
 
   I  have already analysis where to add new RR,and how to make it works.
  But i don't contact  automake tool before, so reading so large configure
 and makefiles make me feel so bad. I try to understand ,but it just myself
 alone to do this , so anyone can give some guide how to debug the source
 code =A1=A2 how to modify makefile and test result!

I'll repeat what I said before make clean then make.  You don't
need to touch configure or the Makefiles.  You just need to do a
clean build.  The process will look in lib/dns/rdata and find the
files there.

Mark

  Thanks very much=A3=A1
 
 --=20
 Best regards!
 
 --001485354cc2c8f4fa0477099043
 Content-Type: text/html; charset=GB2312
 Content-Transfer-Encoding: quoted-printable
 
 divHI,/div
 divnbsp;nbsp;nbsp; /div
 divnbsp; Inbsp; have already analysis where to add new RR,and how to ma=
 ke it works./div
 divnbsp;But i don#39;t contactnbsp;nbsp;automake tool before, so read=
 ing so large configure and makefiles make me feel so bad.nbsp;I try to und=
 erstand ,but it just myself alone to do this ,nbsp;so anyone can give some=
  guidenbsp;how to debug the source codenbsp;=A1=A2nbsp;hownbsp;to modif=
 y makefilenbsp;and test result!/div
 
 divnbsp;/div
 divnbsp;Thanks very much=A3=A1br clear=3Dallbr-- brBest regards!=
 brbr/div
 
 --001485354cc2c8f4fa0477099043--
 
 --===8156758388202099534==
 Content-Type: text/plain; charset=us-ascii
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
 --===8156758388202099534==--
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Feature request - disable internal recursion cache

2009-10-30 Thread Mark Andrews 

In message 4aeb00d0.8030...@doit.wisc.edu, Michael Hare writes:
 For those of us that are still running auth and recursive on the same 
 IP, I believe the benefit would be to deploy a best practices recursive 
 only nameserver on a different machine/IP address without getting, in my 
 case, possibly hundreds of thousands of clients to change their DNS 
 resolver IP address.
 
 In the surface, I too find this to be an interesting idea.
 
 -Michael

It's much easier to move authoritative servers to new addresses.
Just change the delegation and the iterative traffic will follow.
You can keep the old server as a stealth slave.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: One A record fails on one server on Sunday evening

2009-11-03 Thread Mark Andrews 

In message 961092e10911030921x3ff3ce60xdb3d1f0534159...@mail.gmail.com, Josh 
Luthman writes:
 How do I export the cache dump?
 
 rndc dumpdb on the first execute took a few seconds, but after updatedb 
 locate named_dump.db (as it suggested it would store it there) returns
 nothing.  The man page for rndc doesn't say anything about these commands
 either.


You need to look at either of the following locations.  The latter
is used when dump-file contains a absolute path.

chrootdirectorydump-file

chrootdump-file

chroot (as specified by -t on the command line)
directory (as specified by the directory clause in named.conf
 and defaults to .)
dump-file (as specified by the dump-file clause in named.conf and
  defaults to named_dump.db)

e.g.
chroot = /choot
directory = /var/named
dump-file = named_dump.db

gives /choot/var/named/named_dump.db

chroot = /var/named
directory = .
dump-file = named_dump.db

gives /var/named/./named_dump.db

chroot = (not set as -t not used)
directory = /var/named
dump-file = named_dump.db

gives /var/named/named_dump.db

chroot = /chroot
directory = /var/named
dump-file = /data/named_dump.db

gives /chroot/data/named_dump.db

Mark

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373
 
 When you have eliminated the impossible, that which remains, however
 improbable, must be the truth.
 --- Sir Arthur Conan Doyle
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: PTR zone /28 not working

2009-11-05 Thread Mark Andrews 

First you should ask your ISP to fix the names of the nameservers
in the delegation of 224/28.66.6.190.in-addr.arpa.  It looks like
they left the final period off the names.  This is a relatively
common stuff up.

225.66.6.190.in-addr.arpa. 2000 IN  CNAME   
225.224/28.66.6.190.in-addr.arpa.
224/28.66.6.190.in-addr.arpa. 2000 IN   NS  
ns2.mincex.cu.66.6.190.in-addr.arpa.
224/28.66.6.190.in-addr.arpa. 2000 IN   NS  
ns1.mincex.cu.66.6.190.in-addr.arpa.
;; Received 114 bytes from 200.55.128.3#53(ns1.etecsa.net) in 1536 ms

[Note: I only found this because you have now given me the real domain names
involved.]

Next you should configure your nameservers to be stealth slaves for
66.6.190.in-addr.arpa.  If your ISP blocks this, find another ISP
as they don't know what they are doing.  You *need* this to allow
internal reverse lookups to succeed when the external link is down.

zone 66.6.190.in-addr.arpa {
type slave;
notify no;  // don't send notify messages to the offical servers
masters { 200.55.128.3; 200.55.128.4; 200.55.128.10; 200.55.128.11; };
file 66.6.190.in-addr.arpa.db;
allow-transfer { none; };
};

The PTR records go in the 224/28.66.6.190.in-addr.arpa zone for which one
of you machines will be master and the other slave.

On ns1.mincex.cu:

zone 224/28.66.6.190.in-addr.arpa {
type master;
file 224-28.66.6.190.in-addr.arpa.db;
};

224-28.66.6.190.in-addr.arpa.db:
$TTL 38400
@ SOA ns1.mincex.cu. chismoso.mincex.cu. 2009110401 10800 3600 604800 38400
@ NS ns1.mincex.cu.
@ NS ns2.mincex.cu.
226 PTR ns1.mincex.cu.
227 PTR ns2.mincex.cu.

On ns2.mincex.cu:

zone 224/28.66.6.190.in-addr.arpa {
type slave;
master { 190.6.66.226; };
file 224-28.66.6.190.in-addr.arpa.db;
};


In message 58636e100911051001u195d5c86rb80905a0e91c1...@mail.gmail.com, joans
4nz writes:
 --===4159216347487687440==
 Content-Type: multipart/alternative; boundary=0015175defdc1141090477a385b9
 
 --0015175defdc1141090477a385b9
 Content-Type: text/plain; charset=ISO-8859-1
 
 Hi,
 
 Thank you Mr Mark Andrews for your answer, and yes, I want help. I am sorry
 about my first message, I repeat bellow, so I change all
 CCC.BBB.AAA.in-addr.arpa's to my real numbers. Thank you one more time, but
 i don't understand very well your answers.
 
 You said: Well you don't serve 66.6.190.in-addr.arpa and you don't allow
 recursion. You should make yourself a stealth slave for
 66.6.190.in-addr.arpa. That way reverse lookups will continue to work when
 your external link goes down. It will also allow remote tools to not require
 recursion to be enabled to find the CNAME records when they query your
 server.
 
 So do I must configure the zone 66.6.190.in-addr.arpa. as slave in my
 named.conf, and in the zone file do I must write the same SOA configuration
 of my ISP for this zone with the same serial, mail address, . and in NS
 records write this?
 
  IN   NS   ns1.etecsa.net   ;My ISP name server
  IN   NS   ns2.etecsa.net   ;My ISP name server
  IN   NS   ns3.etecsa.net   ;My ISP name server
  IN   NS   ns4.etecsa.net   ;My ISP name server
  IN   NS   ns1.mincex.cu   ;My name server # 1
  IN   NS   ns2.mincex.cu   ;My name server # 2
 
 Is that correct? Because I don't know if my ISP allow transfer a copy of
 this zone to my DNS servers, I think is not allowed.
 
 You said: The zone's name is 224/28.66.6.190.in-addr.arpa,
 226.66.6.190.in-addr.arpa in not part of the zone.
 
 Why not? If my new ip range address are from 190.6.66.25 to 190.6.66.238, I
 think 224/28.66.6.190.in-addr.arpa include 226.66.6.190.in-addr.arpa
 address. Please explain me more about it?

226.66.6.190.in-addr.arpa does not end in 224/28.66.6.190.in-addr.arpa
so it is not part of the 224/28.66.6.190.in-addr.arpa zone.  This
has nothing to do with which IP addresses you are using.  It is
related to which DNS namespaces are in use.

Mark

 -
 
 Hi,
 
 I use Bind-9.4.2 running on FreeBSD-7.2.
 
 Last week my DNS was reconfigured to a new IP address pool by my ISP and by
 me from a /29 to /28 address range.
 
 Using How is my DNS I check my domain and all is good except reverse
 lookup. My ISP also reconfigured the PTR zone and delegate the reverse zone
 like RFC-2317 and this is the change executed by my ISP.
 
 224/28   IN   NS   ns1.mincex.cu
 224/28   IN   NS   ns2.mincex.cu
 225IN   CNAME   225.224/28.66.6.190.in-addr.arpa.
 226IN   CNAME   226.224/28.66.6.190.in-addr.arpa.
 227IN   CNAME   227.224/28.66.6.190.in-addr.arpa.
 228IN   CNAME   228.224/28.66.6.190.in-addr.arpa.
 229IN   CNAME   229.224/28.66.6.190.in-addr.arpa.
 230IN   CNAME   230.224/28.66.6.190.in-addr.arpa.
 231IN   CNAME   231.224/28.66.6.190.in-addr.arpa.
 232IN   CNAME   232.224/28.66.6.190.in-addr.arpa.
 233IN   CNAME   233.224/28.66.6.190.in-addr.arpa.
 234

Re: Reverse DNS Dig returning PTR results only with trace option

2009-11-10 Thread Mark Andrews 
.   IN  PTR
 
 ;; ANSWER SECTION:
 228.134.254.63.in-addr.arpa. 3599 INPTR
 test228.moneytreesystems.com.
 
 ;; AUTHORITY SECTION:
 228.134.254.63.in-addr.arpa. 7057 INNS  ns1.cyzap.net.
 228.134.254.63.in-addr.arpa. 7057 INNS  ns2.cyzap.net.
 
 ;; ADDITIONAL SECTION:
 ns1.cyzap.net.  12523   IN  A   63.254.134.3
 ns2.cyzap.net.  1723IN  A   64.253.181.53
 
 ;; Query time: 7 msec
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ;; WHEN: Tue Nov 10 11:11:56 2009
 ;; MSG SIZE  rcvd: 164
 
 -
 Now I can do a dig for an hour or so. But again I run into same problem.
 It wont return PTR record unless I explicitly do dig on ns1.cyzap.net.
 Also, the last did showing ns1.cyzap.net as Authority NS for this IP.
 But trace showing ns1.moneytreesystems.com as final sender.
 
 Could someone shed a light on this?
 
 Overall, I was trying to achieve delegation of subnet from ns1.cyzap.net
 to ns1.moneytreesystems.com. I tried RFC 2317, but that is suing CNAME
 and having a lot of problem. So I just delegated each one of single IP
 on my /28 subnet from ns1.cyzap.net to ns1.moneytreesystems.com.. Please
 have some suggestion to make it work completely with authoritative to be
 ns1.moneytreesystems.com.
 
 Thank you,
 Rajendra Adhikari
 
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Reverse DNS Dig returning PTR results only with trace option

2009-11-10 Thread Mark Andrews 

In message 4af9dfba.6040...@cyzap.com, Raj Adhikari writes:
 Thanks Chris for the reply.
 Actually, let me put my question the other way.
 How can one delegate the classless subnet to other DNS?
 Actually, one of our ISP could not delegate classless subnet to our
 server ns1.cyzap.net. I am trying to help them in delegating the
 classless subnet to us. So this scenario is simulating our ISP and us. I
 was just testing with one of our other subnets checking if delegation
 will work. Unfortunately, we both are using windows DNS. Windows just
 have RFC 2317 way on configuring the delegation on it KB article using
 CNAME, which I think has lots of problems. But I am following this BIND
 way for delegation. I think, in windows the DNS configuration is more or
 less similar to BIND.
 
 In this scenario, lets say ns1.cyzap.net is my ISP and
 ns1.monetreesystems.com is us. ns1.cyzap.net owns 63.254.134.0/24 and
 ns1.moneytreesystems.com take a subnet 134.224/28 from them. So isn't
 there a way for ns1.cyzap.net to delegate the subnet to
 ns1.moneytreesystems.com? Do ns1.cyzap.net again have to talk to their
 upper ISP to delegate directly to us? What if upper ISP also need to ask
 their upper tier ISP. It seems I am lacking some basic concept here
 about the owner of the subnet. If a true owner delegates the subnet to
 its client ISP, can't this ISP again delegate the classless subnet agin
 to its client ISP?
 
 Thank you,
 Rajendra Adhikari
 
You tell your ISP where the delegation needs to point.  If your ISP
controls the exclosing name in the DNS namespace they update it
there or they pass on your request to where they got their address
space from.  Repeat until the delegation is added to the parent
zone.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Reverse DNS Dig returning PTR results only with trace option

2009-11-11 Thread Mark Andrews 
 talking about. People complaining on forums about having
  botched their RFC 2317 configs, probably *don't*.
  In this scenario, lets say ns1.cyzap.net is my ISP and
  ns1.monetreesystems.com is us. ns1.cyzap.net owns 63.254.134.0/24 and
  ns1.moneytreesystems.com take a subnet 134.224/28 from them. So isn't
  there a way for ns1.cyzap.net to delegate the subnet to
  ns1.moneytreesystems.com? 
  The /24 is delegated to ns1.cyzap.net. Zone delegation is on octet
  boundaries. So the next available boundary for delegation would be
  /32, i.e. delegating each of the 16 usable addresses (or perhaps just
  the 14 usable addresses) individually.
  Do ns1.cyzap.net again have to talk to their
  upper ISP to delegate directly to us? 
  No, that doesn't help. What would the /16 nameservers delegate?
  They've already delegated 134.254.63.in-addr.arpa, there's nothing
  more you can expect of them.
 
  - Kevin
  Chris Hills wrote:
   
  On 10/11/09 18:25, Raj Adhikari wrote:
 
  Now I can do a dig for an hour or so. But again I run into same
  problem.
  It wont return PTR record unless I explicitly do dig on ns1.cyzap.net.
  Also, the last did showing ns1.cyzap.net as Authority NS for this IP.
  But trace showing ns1.moneytreesystems.com as final sender.
 
  Could someone shed a light on this?

  254.63.in-addr.arpa.86400   IN  NS  NS3.MCLEODUSA.NET.
  254.63.in-addr.arpa.86400   IN  NS  NS1.MCLEODUSA.NET.
  254.63.in-addr.arpa.86400   IN  NS  NS2.MCLEODUSA.NET.
  ;; Received 112 bytes from 192.42.93.32#53(y.arin.net) in 173 ms
 
  228.134.254.63.in-addr.arpa. 7200 INNS  ns1.cyzap.net.
  228.134.254.63.in-addr.arpa. 7200 INNS  ns2.cyzap.net.
  ;; Received 90 bytes from 209.253.113.19#53(NS3.MCLEODUSA.NET) in
  159 ms
 
  228.134.254.63.in-addr.arpa. 3600 INNS 
  ns2.moneytreesystems.com.
  228.134.254.63.in-addr.arpa. 3600 INNS 
  ns1.moneytreesystems.com.
  ;; BAD (HORIZONTAL) REFERRAL
  ;; Received 160 bytes from 64.253.181.53#53(ns2.cyzap.net) in 167 ms
 
  You should not chain a delegation in this manner. Either make the
  servers ns1.cyzap.net. and ns2.cyzap.net. authoritative for
  228.134.254.63.in-addr.arpa. or have your ISP change the NS records to
  point directly to ns1.moneytreesystems.com. and
  ns2.moneytreesystems.com. The cyzap servers do not respond with the
  authority bit set (aa in dig).
 
  Regards,
 
  Chris
 
  ___
  bind-users mailing list
  bind-users@lists.isc.org
  https://lists.isc.org/mailman/listinfo/bind-users
  
 
  ___
  bind-users mailing list
  bind-users@lists.isc.org
  https://lists.isc.org/mailman/listinfo/bind-users
 
 

 
  ___
  bind-users mailing list
  bind-users@lists.isc.org
  https://lists.isc.org/mailman/listinfo/bind-users
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Modifying Mixed Case Mid-level Domain Names to be all Lower Case

2009-11-15 Thread Mark Andrews 

In message 200911151416.nafeg2n5083...@dc.cis.okstate.edu, Martin McCormick w
rites:
 Hauke Lampe writes:
  When BIND writes zone files, it uses $origin to group records that share
  a common base name. Just update delete/add all records and the mixed
  case $origin disappears.
 
 It did. Many thanks.

Note, all those scripts that got confused are actually broken.  You may want
to fix them anyway.

Mark
 
 Martin McCormick WB5AGZ  Stillwater, OK 
 Systems Engineer
 OSU Information Technology Department Telecommunications Services Group
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS records visible only for LAN computers

2009-11-15 Thread Mark Andrews 

In message snt114-w6194bd51e06259d620d29387...@phx.gbl, Peter Macko writes:
 Setup:I have a domain example.com that is hosted on DNS under control of my=
  internet provider.Web server www.example.com is hosted by another company.=
 I have setup a local DNS for computers on my LAN. I have a LDAP server on L=
 AN.
 Question:I want to make LDAP visible only for computers on LAN without alte=
 ring DNS (of the internet provider).The name of LDAP server should be ldap.=
 example.com. Is it possible to do it?
 I can think of two solutions:1) I could create master zone for example.com =
 on DNS (on LAN). This way I have to create A record for www.example.com=2Cb=
 ut if internet provider changed ip address of the web-server=2C computers o=
 n lan would not reachwww.example.com and I would have to update A record on=
  local DNS.
 2) Another solution is to create zonefile for subdomain local.example.com o=
 n LAN DNS=2C so ldap.local.example.com.But this is not exactly what I want.
 What is the correct solution?

Why don't you just create the zone ldap.example.com locally and
transfer it between your local servers?

zone ldap.example.com {
...
allow-query  { localnets; };
};

$TTL 3600
@ SOA internal.example.com. peter_macko.msn.com. 1 1200 600 36 180
@ NS internal.example.com.
@ A IPv4 address of ldap server
@  IPv6 address of ldap server

 Thank you  =20
 _
 Windows Live: Friends get your Flickr=2C Yelp=2C and Digg updates when they=
  e-mail you.
 http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/so=
 cial-network-basics.aspx?ocid=3DPID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_3:092=
 010=
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: how to defense against ddos attack to dns?

2009-11-16 Thread Mark Andrews 

In message blu149-w13ef74e1e2eba2fe9dd3f385...@phx.gbl, MontyRee writes:
 
 Hello, all.
  
 I have operated some dns servers and I'm curious what should I do if 
 ddos attck to my dns servers.
  
 So do you know how to defense against dns dddos attack like root server?
  
 Surely, various ddos attack may be occurred.
  
 My idea is..
  
 -. filtering 53/udp traffic that the byte is over 512 byte
 -. rate-limit against 53/udp queries
(but useless if the attack spoof the source ip)
 -. deny recursion 
 -. anycast?
  
 Is ther any comments or proposal?

How you defend against a DoS attack depends on the actual attack
and what services you are attempting to provide and to whom.  You
want to minimise collateral damage and some of the methods above
are likely to introduce collateral damage.

 Thanks in advance. 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: confused wiht the full resolver and stub resolver

2009-11-17 Thread Mark Andrews 

In message 396ef6ed-a5a2-4c55-afd4-496b85278...@menandmice.com, Chris Buxton 
writes:
 
 On Nov 16, 2009, at 11:46 PM, aihua zhang wrote:
 
  HI,
Thanks for your help! Now I'm analysis the lib function 
 providing by the bind . bind software has three data format:struct
 format, wire format and the text format, from my understanding, it
 presents the RR in different three types.in them text format is the
 string type storing in the db,   but i don't understand the wire format
 ,is that mean the data receive from the network and storing in the
 buffer ? and another question is struct format using environment is what
 ?
 
 This is mostly beyond my expertise, but I guess that wire format is the
 binary format used in the UDP packet. Struct format probably relates to
 the return value of the stub resolver library functions.
 
 Chris Buxton
 Professional Services
 Men  Mice

The text format is what is in master files and is what dig displays.
This is standardized.

The wire format is what is sent between machines.  This is also how
named and libdns store records internally with all compression
pointers expanded.  This is standardized.

The struct format is a way to break down individual records into
their components if they are known.  This is useful for C programs
that need to examine specific fields.  This is not standardized.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND Secondaries of MS AD Integrated Zones

2009-11-17 Thread Mark Andrews 

In message b07d01c0-86c2-45e6-ac8e-6fc3472d9...@menandmice.com, Chris Buxton 
writes:
 On Nov 17, 2009, at 5:01 PM, jim.siffe...@tektronix.com jim.siffe...@tektr
 onix.com wrote:
 
  Hi all,
  
  Most of our internal DNS zones are mastered in Microsoft DNS (2k3 R2) as AD
  Integrated zones.  Currently, those zones are slaved from a single MS DNS se
 rver to our BIND 9 servers that handle recursion.  Is there a reliable way to
  use multiple masters when slaving AD Integrated zones to BIND?  
  
  In the O'Reilly book DNS on Windows Server 2003 a section on p. 324 calle
 d BIND Secondaries for Active Directory-Integrated Zones says serial number
 s can vary on otherwise synchronized MS DNS Servers, potentially causing a se
 rver to respond with an incorrect lower serial number.
 
 Hello Jim,
 
 The book is correct. Furthermore, if using multiple AD servers as masters, th
 ey can apply updates in different orders, so the IXFR mechanism breaks.
 
 I believe the only way to make this work would be to use the statement multi
 -master true; inside your zone statement. My understanding is that named (th
 e slave) will not compare versions between the two servers, essentially treat
 ing each DC's copy of the zone as separate and distinct. Thus, if it has to s
 witch over to the second-listed master, it will request a full zone transfer 
 rather than an IXFR.

multi-master true; still assumes correct zone serial number
maintenance.  It just prevents the warnings about serial number
going backwards which is a normal side effect of having multiple
masters vs a master with multiple addresses.
 
 Chris Buxton
 Professional Services
 Men  Mice
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Insecure response BIND 9.7.0b2

2009-11-19 Thread Mark Andrews 

In message alpine.lfd.2.01.0911191304100.24...@maplepark.com, David Forrest w
rites:
 Logged: 
 Nov 19 12:13:45 maplepark named[23329]:   validating @0x17b7980: 
 dlv.isc.org SOA: got insecure response; parent indicates it should be 
 secure
 
 What does this mean?

It means named fellback to making a plain DNS query due to multiple
timeouts, or getting a SERVFAIL response to the EDNS queries, or
something stipped out the RRSIGs or there was a attempt to poison
the cache.  The validator then rejected the answer as it knew it
should be getting a secure response.  In most cases named will re-do
the query and get a good answer unless there is a configuration failure.

Unfortunately there are nameservers that don't respond to EDNS
queries.  There are also firewalls that block DNS/UDP responses
bigger 512 bytes or block EDNS queries/responses 10 years after the
introduction of EDNS.  There are also middleware that blocks/drops
DNS/UDP responses that are fragmented.  All of these things result
in DNS lookups timing out which is indistinguishable from plain
packet loss.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: loading zone: creating database: out of memory

2009-11-24 Thread Mark Andrews 

At somepoint memory has to run out :-)
Is this a 32 bit build or a 64 bit build?
Have you set the per process resource limits appropriately.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Mark Andrews 

Or one could use DLV to provide the trust linkage.

dnssec-tools.org.dlv.isc.org. 3499 IN   DLV 54556 5 1 
11A4026F4E09B1C106AAF3AC81A37AA537B8A3E6
dnssec-tools.org.dlv.isc.org. 3499 IN   DLV 54556 5 2 
6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71 A476E282

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Mark Andrews 

In message 200911252202.napm2asg000...@drugs.dv.isc.org, Mark Andrews writes:
 
 Or one could use DLV to provide the trust linkage.
 
 dnssec-tools.org.dlv.isc.org. 3499 IN   DLV 54556 5 1 
 11A4026F4E09B1C106AAF3AC81A37AA537B8A3E6
 dnssec-tools.org.dlv.isc.org. 3499 IN   DLV 54556 5 2 
 6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71 A476E
 282

Should have read the subject more closely. :-)

In any case as Alan said, there needs to be a trusted path from a
trust anchor to the data.  DLV provides that trusted path.  ORG
will soon once they leave the friends and family stage.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Building 9.6.1-P2 for 32-bit Redhat RHEL 5.4

2009-11-29 Thread Mark Andrews 

In message 8761a2bbe915df46bb20e017c891e48ca...@ferrari.coherent.cohtech.co.uk
, Howard Wilkinson writes:
 I am trying to build a package based on 9.6.1-P2. The target platform is a 32
 -bit ix86 environment. The build platform is a RHEL 5.4 x86_64 system. I have
  managed to build the native x86_64 package without problem, but I am getting
  a failure when building the package using a target setting equal to one of i
 386,i586 and i686.
  
 The error is a message from the assembler saying that suffix or operands inv
 alid for 'xadd'  This occurs when compiling lib/isc/stats.c.
  
 At present I do not have a 32-bit build environment I can try to natively bui
 ld this on, and was hoping that somebody could suggest how I can get round th
 is problem in the build environment I am using.
  
 Regards, HOward.
  
 Coherent Technology Limited, 23 Northampton Square, Finsbury, London EC1V 0HL
 , United Kingdom
 Telephone: +44 20 7690 7075 Mobile: +44 7980 639379
 Company Email: coher...@cohtech.com Website: http://www.cohtech.com http://w
 ww.cohtech.com/  
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

./configure --build=i686-unknown-linux-gnu CC=gcc -m32
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: zonechecks test failing on 9.[456]

2009-11-29 Thread Mark Andrews 

In message 4b1313c7.1040...@dougbarton.us, Doug Barton writes:
 I'm getting the failures logged below on all the recent versions of
 BIND. I went back and tested 9.6.1-P1 and it fails too, so it doesn't
 look like something that was introduced with the latest patches.
 
 This is on FreeBSD 9-current, and I don't think my args for configure
 are particularly exotic. For example on 9.6:
 
 --localstatedir=/var --disable-linux-caps
 --with-randomdev=/dev/random --with-openssl=/usr
 --with-libxml2=/usr/local --with-idn=/usr/local
 --with-libiconv=/usr/local STD_CDEFINES=-DDIG_SIGCHASE=1
 --enable-ipv6 --enable-threads --prefix=/usr/local
 
 Also, is it weird that while 9.4 and 9.6 actually errored out, 9.5
 just stopped?
 
 Any suggestions?
 
 Doug

The test was written assuming we would make these errors fatal (they
are currently warning).  The result status is currently ignored.
The UPDATE code would also need to re-run these checks after every
update and reject those which would prevent the zone loading which
it currently doesn't do.

Mark

 -- 
 
   Improve the effectiveness of your Internet presence with
   a domain name makeover!http://SupersetSolutions.com/
 
 9.4.3-P4
 
 S:zonechecks:Sun Nov 29 14:50:37 PST 2009
 T:zonechecks:1:A
 A:System test zonechecks
 I: checking that we detect a NS which refers to a CNAME
 I:failed (status)
 I: checking that we detect a NS which is below a DNAME
 I:failed (status)
 I: checking that we detect a NS which has no address records (A/)
 I:failed (status)
 I: checking that we detect a NS which has no records
 I:failed (status)
 I: checking that we detect a NS which looks like a A record (fail)
 I: checking that we detect a NS which looks like a A record (warn=default)
 I: checking that we detect a NS which looks like a A record (ignore)
 I: checking that we detect a NS which looks like a  record (fail)
 I: checking that we detect a NS which looks like a  record
 (warn=default)
 I: checking that we detect a NS which looks like a  record (ignore)
 I:exit status: 1
 R:PASS
 E:zonechecks:Sun Nov 29 14:50:47 PST 2009
 *** Error code 1
 
 Stop in dns/bind94/work/bind-9.4.3-P4/bin/tests/system.
 *** Error code 1
 
Stop in dns/bind94/work/bind-9.4.3-P4/bin/tests.
 
 
 9.5.2-P1
 
 S:zonechecks:Sun Nov 29 15:04:59 PST 2009
 T:zonechecks:1:A
 A:System test zonechecks
 I: checking that we detect a NS which refers to a CNAME
 I:failed (status)
 I: checking that we detect a NS which is below a DNAME
 I:failed (status)
 I: checking that we detect a NS which has no address records (A/)
 I:failed (status)
 I: checking that we detect a NS which has no records
 I:failed (status)
 I: checking that we detect a NS which looks like a A record (fail)
 I: checking that we detect a NS which looks like a A record (warn=default)
 I: checking that we detect a NS which looks like a A record (ignore)
 I: checking that we detect a NS which looks like a  record (fail)
 I: checking that we detect a NS which looks like a  record
 (warn=default)
 I: checking that we detect a NS which looks like a  record (ignore)
 I:exit status: 1
 R:PASS
 E:zonechecks:Sun Nov 29 15:05:09 PST 2009
 
 
 9.6.1-P2
 
 S:zonechecks:Sun Nov 29 15:20:29 PST 2009
 T:zonechecks:1:A
 A:System test zonechecks
 I: checking that we detect a NS which refers to a CNAME
 I:failed (status)
 I: checking that we detect a NS which is below a DNAME
 I:failed (status)
 I: checking that we detect a NS which has no address records (A/)
 I:failed (status)
 I: checking that we detect a NS which has no records
 I:failed (status)
 I: checking that we detect a NS which looks like a A record (fail)
 I: checking that we detect a NS which looks like a A record (warn=default)
 I: checking that we detect a NS which looks like a A record (ignore)
 I: checking that we detect a NS which looks like a  record (fail)
 I: checking that we detect a NS which looks like a  record
 (warn=default)
 I: checking that we detect a NS which looks like a  record (ignore)
 I:exit status: 1
 R:PASS
 E:zonechecks:Sun Nov 29 15:20:39 PST 2009
 *** Error code 1
 
 Stop in dns/bind96/work/bind-9.6.1-P2/bin/tests/system.
 *** Error code 1
 
 Stop in dns/bind96/work/bind-9.6.1-P2/bin/tests.
 
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: CLASS support

2009-11-30 Thread Mark Andrews 

In message 20091130214313.9fff2114...@mx.isc.org, JFC Morfin writes:
 At 19:36 30/11/2009, Florian Weimer wrote:
   I understand that. But I need to use Private Use classes. The question
   is how do I do it?
 
 Use CLASS999 and similar identifiers (just like TYPE999 for types).
 
 I guessed the format from the code. But it fails.
 named-checkconf says that CLASS999 does not match view\default class?
 thx
 jfc

Views are class specific.  Just define multiple views.

view in {
};

view myclass CLASS999 {
};

 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: zone vs domain

2009-11-30 Thread Mark Andrews 

In message 402431.44413...@web112611.mail.gq1.yahoo.com, gmspro writes:
 What's the main difference between zone and domain?
 It's confusing to me,I'm searching though,i got once,zone is a portion of do
 main.
 
 Can someone give example to clear things up?

example.net.SOA ns.example.net. hostmaster.example.net.  (
1 3600 1200 360 1200 )
example.net.NS ns.example.net.
ns.example.net. A  1.2.3.4
www.example.net. A 1.2.3.5

All the above form a zone which would be called example.net.

example.net, ns.example.net and www.example.net are individual domains
within the zone.

 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: reverse zone file in external view not transferring to slave server??

2009-12-01 Thread Mark Andrews 

In message 4b1576eb.2020...@netscape.net, Kaya Saman writes:
 Hi,
 
 now that I have my zones and reverse files sorted out I have managed to 
 come across a problem which seems I had before even beginning any of this!
 
 Basically for some reason my reverse zone for the external view isn't 
 transferring to my slave server this is quite strange as all the 
 other forward zones for the external view work fine??
 
 Here is config:
 
 
 
 named.conf file snippit for both servers:
 
 view external {
 match-clients { any; !192.168.0.0/22; !127.0.0.1; };

Acl's are first match.

What you had devolves to

match-clients { any; };

Try.
match-clients { !192.168.0.0/22; !127.0.0.1; any; };

Adjust all the other acls

 allow-recursion {
 127.0.0.1;
 };
 
 include /etc/opt/csw/bind/named.conf.external;
 
 };
 
 
 
 named.conf.external file from master server:
 
 
 
 zone optiplex-networks.com {
type master;
file /var/named/optiplex-networks-external.db;
allow-query { any; !192.168.0.0/22; 192.168.1.101; };
 };
 
 zone 2.178.81.in-addr.arpa {
type master;
file /var/named/81.178.2.rev;
allow-query { any; !192.168.0.0/22; 192.168.1.101; };
 };
 
 
 
 named.conf.external file from slave server:
 
 
 
 zone optiplex-networks.com {
type slave;
file /var/named/optiplex-networks-external.db;
masters { 192.168.1.100; };
allow-notify { 192.168.1.100; };
allow-query { any; !192.168.0.0/22; 192.168.1.100; };
 };
 
 zone 2.178.81.in-addr.arpa {
type slave;
file /var/named/81.178.2.rev;
masters { 192.168.1.100; };
allow-notify { 192.168.1.100; };
allow-query { any; !192.168.0.0/22; 192.168.1.100; };
 };
 
 
 
 If any one can help me figure out why this is happening as the reverse 
 zone for my internal view works perfectly fine with similar config and 
 all the other forward zones for the external work perfectly fine??
 
 Many thanks,
 
 --Kaya
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inverse query:PTR RR or OPCODE=1 ?

2009-12-02 Thread Mark Andrews 

In message 4591889.164031259808158905.javamail.corem...@app183.163.com, lipen
g967 writes:
 when I read the RFC1035, I noticed the opcode defination in the DNS
 message head . It said that when opcode = 1 the message did Inverse query.
 but in the packet  I capatured when I used nslookup to do inverse query
 ,the inverse query packet use the opcode = 0 and the question segment with
 RR TYPE PTR. Can someone explain this ?  Am I wrong about understanding the
 inverse query ? Thank a lot .

Nslookup does normal queries into the .ARPA namespace to do reverse
lookups.

Inverse lookups were a concept that really only worked in the dentist
surgery senario (one server providing the entire DNS view).  Inverse
queries were deprecated years ago http://www.ietf.org/rfc/rfc3425.txt.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable Refused answer

2009-12-03 Thread Mark Andrews 

In message dcf41a2c-d461-4e78-82cd-0add12051...@menandmice.com, Chris Buxton 
writes:
 On Dec 3, 2009, at 10:16 AM, Kevin Darcy wrote:
  Chris Buxton wrote:
  On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
  Hello!
  
  I can't find in docs how disable answer (Refused), if recursion for IP is
  not allowed?
  
  
  Something like this should work:
  _
  
  view caching-server {
 match-recursive-only yes;
 blackhole { ! authorized-clients; any; };
 // any other resolution configuration goes here
  };
  
  
  This should work --- one of the scariest phrases in the computing field 
 :-)
 
 True, true. It means, of course, The docs suggest this will work, but I have
 n't actually tested it.
 
  Unfortunately, blackhole can only appear the (global) options clause:
 
 I'm happy to be corrected. You'd never know this from reading the BIND ARM.
 
 From the description of the view statement:
 
   Many of the options given in the options statement can also be used
   within a view statement, and then apply only when resolving queries
   with that view.
 
 There is no definitive list of the options that can or can not be used in a v
 iew. Likewise, the description of the blackhole statement makes no mention of
  the fact that it's not valid inside a view.

doc/misc/options gives a definitive list.  It is built from the parser.

 So, to the original poster, we're back to it can't be done with BIND configu
 ration. Of course, you could hack the BIND source code...
 
 Chris Buxton
 Professional Services
 Men  Mice
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: FORMERR

2009-12-04 Thread Mark Andrews 

The SOA record in the negative response didn't match the delegation.

cloudfront.net != stl2.cloudfront.net

Mark


In message alpine.neb.2.01.0912041447110.12...@t1.m.reedmedia.net, Jeremy C.
 Reed writes:
 The upcoming BIND 9.7.0 has several logging improvements, for example:
 
 04-Dec-2009 14:46:41.020 resolver: notice: DNS format error from 
 216.137.38.22#53 resolving d2rdfnizen5apl.stl2.cloudfront.net/ for 
 client 127.0.0.1#53764: invalid response
 
 04-Dec-2009 14:46:41.060 resolver: notice: DNS format error from 
 216.137.38.23#53 resolving d2rdfnizen5apl.stl2.cloudfront.net/ for 
 client 127.0.0.1#53764: invalid response
 
 The comments in the source for that one is:
 
 /*
  * The responder is insane.
  */
 
 Also the query-errors logging (already in recent BIND releases) says:
 
 04-Dec-2009 14:46:41.060 query-errors: debug 1: client 127.0.0.1#53764: 
 query failed (SERVFAIL) for d2rdfnizen5apl.stl2.cloudfront.net/IN/ 
 at query.c:4673
 
 That line number in my code has:
 /* 
  * Something has gone wrong.
  */
 
 04-Dec-2009 14:46:41.060 query-errors: debug 2: fetch completed at 
 resolver.c:3024 for d2rdfnizen5apl.stl2.cloudfront.net/ in 0.079283: 
 failure/success 
 [domain:stl2.cloudfront.net,referral:0,restart:2,qrysent:2,timeout:0,lame:0,
 neterr:0,badresp:2,adberr:0,findfail:0,valfail:0]
 
/*
 * Something bad happened.
 */
 
 Sorry, even with the new logging, this one is not answered adequately... 
 will need to look further.
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Signing with the KSK and ZSK

2009-12-08 Thread Mark Andrews 

In message 2ac8e9ad0912072303u6327b50eoc06cbfe232632...@mail.gmail.com, xu 
dong writes:
 
 Hi folks, i have a question about signing zone files with the ksk and the
 zsk, as i know,when signing the zone files i have to use the ksk and zsk
 both,just as following:
 
 *dnssec-signzone -o domain-name -t -k KSK zone-name ZSK*
 but i want to sign the ZSK with KSK first,and then sign the zone files with
 zsk,so how can i do?

Firstly you don't sign keys or files, you sign RRsets or zones.

'-x' will tell the signer to the DNSKEY RRset only using KSK's.

Secondly don't over specify the command line.

'dnssec-signzone -x -o domain-name master-file'

is enough in most cases.  dnssec-signzone will look at the DNSKEY
records in the master-file and workout what is needed. 

The options are there for when you want dnssec-signzone to do
something non-standard.

Mark

 Thanks.
 --=20
 -
 Xudong
 email=a3=baxudon...@gmail.com
 Beijing,China
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: managed-keys.bind's directory problem

2009-12-10 Thread Mark Andrews 

In message 20091210.162242.460114267490885968.fujiw...@pyon.org, fujiw...@wid
e.ad.jp writes:
 I'm using BIND 9.7.0b3 an DLV (dns-lookaside auto;).
 
 The named tried to write managed-keys.bind file into the named's
 working directory.
 
 The current BIND 9 requires the working directory is writable by named
 (From ARM). But I think the working directory should not be writable
 by named and some OSs' default configuration set the working directory
 not writable.

Then those OS's are misconfiguring named.  This has been a requirement
since the BIND 4 days.  It's just named has not complained and there
has been loss of functionality as a result.  On some OS's this is the
only way to get a core file for debugging as there is no way to specify
anything other than the current working directory.

Note there is no requirement for named's config files to be below the
working directory.

../master-files/ or /master-files/ or /var/named/master-files could
all be used instead of ./master-files
 
The working directory does not have to be /var/named.

 It is usable to avoid named's unknown BUG which may break the working
 directory.
 
 For example, FreeBSD changes the working directory's
 owner/group/permission configured by /etc/mtree/BIND.chroot.dist and
 it sets the working directory not writable by named.
 
 I changed /etc/mtree/BIND.chroot.dist in my FreeBSD box, but I don't
 like this solution.

 I'm very happy if I can change the managed-keys.bind path.

We will look into that.

 -
 -
 From BIND 9.7.0b3 ARM:
 
   In the current implementation, the managed keys database is stored
   as a master-format zone file called managed-keys.bind. When the key
   database is changed, the zone is updated. As with any other dynamic
   zone, changes will be written into a journal file,
   managed-keys.bind.jnl. They are committed to the master file as soon
   as possible afterward; in the case of the managed key database, this
   will usually occur within 30 seconds. So, whenever named is using
   automatic key maintenace, those two files can be expected to exist
   in the working directory. (For this reason among others, the working
   directory should be always be writable by named.)
 
   If the dnssec-lookaside option is set to auto, named will
   automatically initialize a managed key for the zone dlv.isc.org. The
   key that is used to initialize the key maintenance process is built
   into named, and can be overridden from bindkeys-file.
 
 ---
 
 --
 Kazunori Fujiwara, JPRS
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: managed-keys.bind's directory problem

2009-12-13 Thread Mark Andrews 

In message alpine.bsf.2.00.0912131720060.1...@qbhto.arg, Doug Barton writes:
 On Fri, 11 Dec 2009, Mark Andrews wrote:
  In message 20091210.162242.460114267490885968.fujiw...@pyon.org, fujiwara
 @wid
  e.ad.jp writes:
  I'm using BIND 9.7.0b3 an DLV (dns-lookaside auto;).
 
  The named tried to write managed-keys.bind file into the named's
  working directory.
 
  The current BIND 9 requires the working directory is writable by named
  (From ARM). But I think the working directory should not be writable
  by named and some OSs' default configuration set the working directory
  not writable.
 
  Then those OS's are misconfiguring named.
 
 Or, named is acting in an unsafe way. :) For example, see 
 https://lists.isc.org/pipermail/bind-users/2008-August/071912.html for my 
 proposal to separate the idea of working directory from configuration 
 directory, and some of the reasons why.
 
 To repeat my primary objection, if the named user can write to the 
 configuration directory it can change the contents of named.conf. That's a 
 security problem.

directory has *always* specified the working directory.

  This has been a requirement since the BIND 4 days.  It's just named has 
  not complained
 
 Actually it does complain:
 named[970]: the working directory is not writable

  and there has been loss of functionality as a result.
 
 I would argue that this really hasn't been the case for FreeBSD, up till 
 this point there has been a workaround for all of the functionality that 
 users have asked for.

  On some OS's this is the only way to get a core file for debugging as 
  there is no way to specify anything other than the current working 
  directory.
 
 Once again, I assert that this is a design flaw in named. Processes should 
 not be dumping random stuff into the same directory where their 
 configuration files go. It may have been acceptable back in the BIND 4 
 days, but it's time to move on.
 
  Note there is no requirement for named's config files to be below the
  working directory.
 
 This is something that I'll explore. I still prefer the solution to 
 separate the idea of config and working directories. Imagine a scenario 
 where the configuration stuff is on a read-only partition for example.

Or OS maintainers shouldn't have put configuration files in the
working directory.  They were originally seperate.  OS maintainers
could have kept them seperate.

  The working directory does not have to be /var/named.
 
 In FreeBSD (as in other OSs that I looked at for examples) that's the root 
 of the chroot directory structure.
 
  I'm very happy if I can change the managed-keys.bind path.
 
  We will look into that.
 
 That would be good. I would argue that for any new feature configurability 
 for its file location(s) should be a requirement.
 
 
 Doug
 
 -- 
 
   Improve the effectiveness of your Internet presence with
   a domain name makeover!http://SupersetSolutions.com/
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

2009-12-15 Thread Mark Andrews 

In message prayer.1.3.2.0912151543550.32...@hermes-1.csi.cam.ac.uk, Chris Tho
mpson writes:
 (But it's not too obvious to me that adding support for a new signing
 algorithm should necessarily be considered a major functional change.)

If it was *just* adding a new signing algorithm then yes it would be a minor
change.  A lot more happened under the hood to support the new algorithms
on all platforms.  Remember crypto support on some platforms is pretty
old and doesn't support SHA256/512 + RSA directly so we had to use more
primative methods on these platforms.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: questions on bind cache with views

2009-12-17 Thread Mark Andrews 

In message 35686be10912170139j3d89c414n1da84870b47c9...@mail.gmail.com, Youn
g H. writes:
 Hello,
 
 I have config the bind-9.6.1 with multi-views and recursion yes.
 But I found bind always deny the query to its cache, the log shows:
 
 Dec 17 17:30:42 localhost named[15603]: client 113.96.221.24#54412:
 view tel: query: www.126.com IN A +
 Dec 17 17:30:42 localhost named[15603]: client 113.96.221.24#54412:
 view tel: query (cache) 'www.126.com/A/IN' denied

You need to look at your acl settings.  Named default to allowing
local machines to recurse.

allow-query-cache
Specifies which hosts are allowed to get answers from the
cache. If allow-query-cache is not set then allow-recursion
is used if set, otherwise allow-query is used if set unless
recursion no; is set in which case none; is used, otherwise
the default (localnets; localhost;) is used.

 view tel looks as:
 
 view tel {
   match-clients {
   key telkey;
   any;
   };
   allow-update {key telkey;};
 
   zone my.zone {
type master;
file /usr/local/bind/etc/my.zone.db;
   };
 };
 
 
 Please help me, thanks in advance.
 
 // Young.
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: clients-per-query message is harmful or not?

2009-12-22 Thread Mark Andrews 

In message blu149-w57a261f59f90728f956cea85...@phx.gbl, MontyRee writes:
 
 Hello, all.
  
 my system is centos 4.x, bind 9.5.1-P3 and only recursion is allowed from 
 some ranges.
 
 I can see lots of messages like below.
 so if I didn't set any clients-per-query value,some clients' queries may be 
 droppped or not? 

clients-per-query is designed to prevent the nameserver being
overwhelmed by a given query that doesn't resolve.  It sets the
number of simultanious clients that are acutally recursing on a
given name.  It value is increased if there is a successful resolution
of that query after dropping some clients then slowly decays over time.
Note UDP clients are expected to retry.

clients-per-query reflects how many clients ask for a busy name/type in
the time it takes to resolve that name/type.  If it takes 200 ms resolve
the query and you need 20 clients-per-query then the name/type is being
asked for around 100 times a second.

 If some queries can be dropped,I want to set like clients-per-query 0.   

You actually want to set clients-per-query to around 20 based on
these logs, the default is 10.
 
 05-Oct-2009 16:04:46.228 resolver: notice: clients-per-query decreased to 14
 05-Oct-2009 16:14:47.337 resolver: notice: clients-per-query increased to 19
 05-Oct-2009 16:34:47.338 resolver: notice: clients-per-query decreased to 18
 05-Oct-2009 16:54:47.339 resolver: notice: clients-per-query decreased to 17
 05-Oct-2009 17:01:55.424 resolver: notice: clients-per-query increased to 22
 05-Oct-2009 20:20:26.252 resolver: notice: clients-per-query increased to 15
 05-Oct-2009 20:40:26.253 resolver: notice: clients-per-query decreased to 14
 05-Oct-2009 21:00:26.253 resolver: notice: clients-per-query decreased to 13
 05-Oct-2009 21:11:26.298 resolver: notice: clients-per-query increased to 15
 
  
  
 Thanks in advance.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Notify storms

2010-01-18 Thread Mark Andrews 

In message 91aa34af1001181327q7f5de882vf47052ed39d87...@mail.gmail.com, Todd 
writes:
 Good day all,
 
 We've run into a problem with our DNS servers.  The way we update our
 masters is via a CVS Checkout and reload of the zones modified.
 Sometimes though, we need to reload the whole config for big
 changs/etc.  When that happens, all 6 masters (I know, we're getting
 rid of some) send notifies to all 80+ (I know, we're getting rid of
 some) slaves for all 1800 zones.  This causes all the slaves to verify
 all 1800 zones on 6 masters, which then delays the changes we made
 from actually getting to the slaves.  Right now it's about 2.5 hours
 for all slaves to do all zones.
 
 We would like to make this better.  We're trying to figure out what
 mechanism might be limiting the rate at which the slave does SOA
 checks against the master so it can perform that step quicker.  We
 have looked at the zone transfer limits on the master/slave, but that
 is related to the transfer mechanism, not the SOA query.
 
 Can anyone help with ideas on this?  Are we missing something obvious?

serial-query-rate

 
 Cheers,
 
 Todd.
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Upgrading BIND 9.2.1 to BIND 9.6.1-p3 on AIX

2010-01-20 Thread Mark Andrews 

In message 
ofe366df90.6b8e5635-on482576b1.00241d55-482576b1.00247...@sg.ibm.com, 
Balanagaraju Munukutla writes:
 Hi 
 
 we are running BIND 9.2.1 on AIX 5.3 TL11. Now, I would like to upgrade it 
 to BIND 9.6.1-p3.
 
 Is this BIND version is stable?
 
 Can anybody help me to suggest how upgrade the BIND with minimal impact? I 
 am running BIND in bind-jail.

Apart from the allow-recursion acl now having a tighter defaults,
BIND 9.6.1-P3 will just use the old config assuming that you don't
have errors in your master files.  If you do you should be correcting
them anyway.  Later versions of BIND are less forgiving of configuration
errors.

You can take correct master files from BIND 4.8 (+20 years ago) and
use them unchanged in BIND 9.7.0.

I would just compile named and then run it from the source tree
with bin/named/named -g usual arguement, having first stopped
the current version, and see what it reports.  When you are happy
that all errors are corrected you can install it and adjust your
startup scripts to call /usr/local/sbin/named instead of the
version that ships with aix.

Mark

 Thanks for your help.
 
 Regards
 Nagaraj

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named 9.6.1 Filling wtmp

2010-01-21 Thread Mark Andrews 

In message 6b845b73-065f-4e8b-afa5-408ecdbe7...@govnet.state.vt.us, David Kre
indler writes:
 We have BIND 9.6.1-P3 running on several AIX 5.3 servers. On one of them, nam
 ed is filling /var/adm/wtmp with numerous entries like the following.

This is not named (the program).  It may be su or some other process that
is logging changes in uid.  Or it could be someone login in as the user
named.

Mark
 
 user pts/1 pts/1 7 1327240   1264089183 host-NN.domain Thu Jan 21 10:
 53:03 EST 2010
  named   8 2572472   1264089217Thu Jan 21 10:
 53:37 EST 2010
  named   8 2572472   1264089217Thu Jan 21 10:
 53:37 EST 2010
  named   8 2572472   1264089277Thu Jan 21 10:
 54:37 EST 2010
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Strange CNAME issue

2010-01-21 Thread Mark Andrews 

In message a9981203-ca2a-4ba2-b95b-08d992178...@mellmo.com, seren writes:
 
 Thanks for your response. I didn't know about the +trace option in dig. =
 After some more searching, I believe you are correct about the long =
 responses being related. The responses that fail all seem to exceed =
 512-bytes. Why this would happen in multiple locations is a mystery but =
 perhaps our firewalls are configured similarly. I'll look into the =
 firewall settings on my end, but since there may be other devices out =
 there configured similarly I'll need to try and reduce my CNAMES to find =
 into a 512-byte response or switch them to A records.
 
  -seren

Some filewall vendors / operators think that all UDP DNS responses
are = 512 bytes of payload.  This has not be the case offically
for over a decade now with EDNS, and was never one in practice as
there have always been servers that sent larger responses as long
as I've been working with DNS, ~20 years now.

Some filewall vendors / operators think that TCP DNS is only used
for AXFR.  This has *never* been the case.

One or both of these may be the problem.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND 9.6 - IXFR to slaves not working after manual zone edit.

2010-01-21 Thread Mark Andrews 

First of all, decide where you want the delta to be computed.  On
the master or on the slaves?  Currently you are asking all servers
to compute the delta.

Secondly if you are not using dynamic update to modify the master
zone you don't need to freeze the master zone as named is NOT writing
to it.  Just replace and reload will work.

Thirdly rndc freeze removes the journal.

Fourthly ixfr-from-differences forces the slave to make AXFR requests.

Lastly, dynamic zones and ixfr-from-differences are currently
mutually exclusive.  This may or may not change in future releases.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: A question about PTR records

2010-01-24 Thread Mark Andrews 

In message 139200.61342...@web110505.mail.gq1.yahoo.com, sasa sasa writes:
 
 Hi,
 What is the best practice when using PTR in an ISP? is it dividing IP block=
 s (like; x.x.x.in-addr.arpa.) and therefore having more than one PTR zo=
 ne file? or just use x.in-addr.arpa.and include everything inside that fi=
 le?
 regards,

Whatever works best for you.

If you are delegation parts of the in-addr.arpa namespace to others
it is often easier to also delegate the namespace to yourself so
that management is consistant.

If you have RFC 2317 style delegations the parent zone, which
contains the CNAMES, also needs to be transfered to ensure that
reverse lookups continue to work on the subnet using that namespace.
A smaller parent zone is useful in this case.

Smaller zones also reduce the amount of data that needs to be
transferred whenever a change happens.

You can also mix and match.  Note you can change schemes later if you
want to.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND 9.6.1-P3 using more resources?

2010-01-24 Thread Mark Andrews 

In message prayer.1.3.2.1001241549090@hermes-2.csi.cam.ac.uk, Chris Thomp
son writes:
 On Friday, I wrote:
 
 We upgraded our main recursive nameservers (validating, via dlv.isc.org)
 from 9.6.1-P2 to 9.6.1-P3 a couple of days ago. CPU (and possibly memory)
 consumption have been quite a bit larger since then, and more worryingly,
 seems to be gradually increasing.
 
 I have looked for a co-incidental change in the query pattern that might
 explain this, without success so far. If anyone else has seen a similar
 effect as a result of upgrading, please let me know.
 
 I have found the cause, and it was not the upgrade to 9.6.1-P3 (so apologies
 for introducing any FUD about that) or a significant change to the query
 load.
 
 It was the result of adding -m record to the named argument list. I had
 put this in the startup script for when named was next restarted, and
 then half forgotten about it. I had in any case convinced myself that
 it was a trivial-cost option. Well, that turns out not to be the case ...

It costs a ~16 bytes per memory allocation to perform the accounting
in a 32 bit build.  ~24 bytes in a 64 bit build.  Plus some computing
time.

struct debuglink {
ISC_LINK(debuglink_t)   link;
const void *ptr[DEBUGLIST_COUNT];
unsigned intsize[DEBUGLIST_COUNT];
const char *file[DEBUGLIST_COUNT];
unsigned intline[DEBUGLIST_COUNT];
unsigned intcount;
};

With this we know where the memory that leaks was allocated and a
starting point to find the defect.

Mark
 (Using -m record was motivated by a unfreed-memory-at-shutdown abort
 that we observed with 9.6.1-P1 -- and not since -- and reported on
 bind9-bugs as RT #20675.)
 
 -- 
 Chris Thompson
 Email: c...@cam.ac.uk
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question!

2010-01-26 Thread Mark Andrews 

Also you did not *buy* the addresses from RIPE as RIPE does not *sell*
addresses.  You leased the addressed from RIPE.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: update failed: SERVFAIL

2010-01-26 Thread Mark Andrews 

In message 2ac8e9ad1001250710s2489d1edpf5a247341bc2a...@mail.gmail.com, xu do
ng writes:
 Hi,
I have a problem about the DDNS ,When I nsupdated the master dns server
 under with dnssec,but it failed as following:
 
 *r...@root:/var/named/chroot/etc# nsupdate -d
  server 192.168.225.130 5353
  update add test.net 900 A 5.5.5.5
 
 Reply from SOA query:
 ;; -HEADER- opcode: QUERY, status: NOERROR, id:  32603
 ;; flags: qr aa ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 ;; QUESTION SECTION:
 ;test.net.IN  SOA
 
 ;; AUTHORITY SECTION:
 net. 300 IN  SOA dns.net. dns.net.
 2010011806 10800 60 604800 10800
 
 Found zone name: net
 The master is: dns.net
 Sending update to 192.168.225.130#5353
 Outgoing update query:
 ;; -HEADER- opcode: UPDATE, status: NOERROR, id:  30960
 ;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
 ;; UPDATE SECTION:
dns.net. 900 IN  A   5.5.5.5
 
  Reply from update query:
 ;; -HEADER- opcode: UPDATE, status: SERVFAIL, id:  30960
 ;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
  *
 
 But when i nsupdated the master dns server without dnssec, it succeed. So I
 don't know why?

Did you look at the master's logs?
Have you told named where the private keys are?
Are the private keys readable by named?

 -- 
 -
 Xudong
 email=a3=baxudon...@gmail.com
 Beijing,China
 -
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC DSSET KEYSET

2010-01-28 Thread Mark Andrews 
+qMYkiBYczNvZ4zD4nh
FR7ZVh6z046IcAzI8G1KD6n96GraXBXFJN2z+kE+B/gY
xMy3xWfrIoxj/L8hEy3mqjpPXfcdtzrD3/bjf/og3Mrn
WZJuawTcn3/ptMyQYbD5J7yr8xvpq7EjjclOR1u4WCXr
pjEbRN/OmlPSSmM9RI/1w8/ONmCDJSIBaRgc8cMvHvgJ
utPGMmW1ci/LTHVA7dBXb9K/fvOMyuJJMmN4p6Q6KQbY
cNwwktZlkIBO8KdojAsI+Z904XvThCYgbA== )
isc.org.31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
20100125205023 47407 isc.org.
RNdtNlmH1MJasaAM2pM1/jo+fr0/UBauutDoR0TlZR1+
5SeuE5LLs1rqGc3Q8poVgCEFVX6MtFDf78wrSn/aQ+YD
ubvg/O8H8a98MyJaInHJZza265LnjsfVYJprExnnJFug
olzIuAQ+F5obSWXKx/WdyXXzzwcD2qWXOovRo4FN6xyE
KqdcaPECZfTJo8T+EqU5KpnHDvCyKf6F2v07GGyXe69t
tRzgCsEIsYGoagLANNSGnb53DqHYQWVJaOEGoEQRa0Ox
QrB8oGyvfCEE3AtFhR/UY9mq+rXDVRUkp9DeqqNRX1uf
OCeIHgkjynUUq8iEsjwhzn+bRbtUR8aNgA== )

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 29 08:08:37 2010
;; MSG SIZE  rcvd: 1496

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Deny MX queries for dynamic IP pools

2010-01-31 Thread Mark Andrews 

In message c78b5f8c.46e43%wael.sha...@gmail.com, Wael Shaheen writes:
 Dear DNS Experts,
 
 This post is intended for discussion.
 
 The ISP I work for has HUGE dynamic IP pools that are full of spammers (of
 course). This huge volume of spam is actually influencing the decision for
 some of the international provider=B9s whether to give us links or not let
 alone the bad reputation and RBLs listing etc...
 As a solution the routing team was thinking to block port 25 for outgoing as
 some ISPs do. However, I do not see this to be a valid solution for many
 reasons such as clients that have email servers outside, or if decided to be
 redirected to spam filters then that will just cost the company too much.
 
 Luckily we have two set of DNS server farms; one that is serving static IP
 users and one that is dedicated only for dynamic IP users. The idea I have
 proposed is to deny these dynamic users from performing MX queries.
 
 So instead of blocking port 25 we can redirect the DNS port to the DNS farm
 that is dedicated for dynamic users, that will guarantee that no standard
 DNS port forwarded queries are going to external servers. Then we will block
 the MX and root queries for those dynamic clients.
 That will prevent them from using a locally installed DNS service on their
 machines or query MX records for targets they want to send spam to.
 
 Of course there will still be some challenges like if some spammers know the
 A record of the mail server they want to connect to or if they used the IP
 address of the targeted mail server also if they used open dns that works on
 non-standard ports, but then again I believe these users will stand out and
 will be identified more easily.
 
 I would appreciate any comments you may have.
 
 Sincerely,
 Wael
 
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

Firstly, cleanup / quarantine the machines that are spamming.  This
is the best thing you can do.  A machine that is spamming is
compromised and a compromised machine can do anything.

Secondly, don't block the MX queries.  MUAs can and do perform MX
queries to check that addresses are valid before attempting to
send anything.

Thirdly, if you do block SMTP do it fully (traffic to and from port
25) and provide a mechanism to optout.  If you publish, or provide
information to those that publish, blocking lists ensure that they
reflect the optout status of any IP address that has opted out.
Blocking SMTP traffic is only masking the symptoms of the infection.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: NOTIFY logging problem

2010-01-31 Thread Mark Andrews 

In message c0ab6ee34cf7e8f660d78...@11.sub-97-53-216.myvzw.com, Frank Cusack 
writes:
 How can I get logs of all NOTIFY messages sent?
 
 logging {
   // use local0 instead of daemon
   channel local0_syslog {
 syslog local0;
 severity info;
   };
   category notify{ local0_syslog; default_debug; };
 };
 
 The above only generates a summary log:
 
 zone XXX/IN/internet: sending notifies (serial 2010012700)
 
 I'd like to see a verification of every host a NOTIFY message was sent to.

You need to be looking a debug 3.

notify_log(notify-zone, ISC_LOG_DEBUG(3), sending notify to %s,
   addrbuf);

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: NOTIFY logging problem

2010-01-31 Thread Mark Andrews 

In message ed6e4c848e8fef4b16e71...@181.sub-97-18-81.myvzw.com, Frank Cusack 
writes:
 On February 1, 2010 11:35:15 AM +1100 Mark Andrews ma...@isc.org wrote:
  You need to be looking a debug 3.
 
  notify_log(notify-zone, ISC_LOG_DEBUG(3), sending notify to %s,
 addrbuf);
 
 ouch, debug 3 is probably way TMI.  I guess I'll just patch the above
 to log at info.  Why isn't that the default anyway?  Seems to me that
 you aren't likely to have too many servers and the info level is
 already pretty verbose so you would expect (or at least *I* would expect)
 to have that amount of information.

When you have 10+ zones with 10's of servers it gets noisy.

Log to a file with debug 3;
 
 As it is, and I mean without turning on debug logging, I have to infer
 what servers notify was sent to based on AXFR/IXFR requests.  (I try not
 to trust looking at config files when debugging because you can't be sure
 that the running config is the same as the on-disk config.)
 
 Anyway thanks for the pointer, it looks trivial to update.
 
 -frank
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: how do I get a slave to send NOTIFY messages?

2010-01-31 Thread Mark Andrews 

In message 20100131220833.a16...@gwyn.tux.org, Joseph S D Yao writes:
 The ARM, in Chapter 6, under Boolean Options [for some value of the word
 Boolean, I guess ;-)], says:

Well it started out as a Boolean Option. :-)
Boolean/Enumerated Options would be a more accurate description these days.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

BIND 9.4-ESV is now available

2010-02-01 Thread Mark Andrews 

BIND 9.4-ESV is now available.

BIND 9.4-ESV is a extended release version for BIND 9.4.

BIND 9.4-ESV can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.4-ESV/bind-9.4-ESV.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.4-ESV/bind-9.4-ESV.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV/bind-9.4-ESV.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV/bind-9.4-ESV.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp.

A binary kit for Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.zip
ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.debug.zip

The PGP signature of the binary kit for Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4-ESV/BIND9.4-ESV.debug.zip.sha512.asc

Changes since 9.4.0.

--- 9.4-ESV released ---

2831.   [security]  Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]

2828.   [security]  Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]

2827.   [security]  Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2797.   [bug]   Don't decrement the dispatch manager's maxbuffers.
[RT #20613]

2790.   [bug]   Handle DS queries to stub zones. [RT #20440]

2772.   [security]  When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]

--- 9.4-ESVb1 released ---

2698.   [cleanup]   configure --enable-libbind is deprecated. [RT #20090]

2697.   [port]  win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
S_IFREG are defined after including isc/stat.h.
[RT #20309]

2690.   [bug]   win32: fix isc_thread_key_getspecific() prototype.
[RT #20315]

2689.   [bug]   Correctly handle snprintf result. [RT #20306]

2688.   [bug]   Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
to decide to fetch the destination address. [RT #20305]

2681.   [bug]   IPSECKEY RR of gateway type 3 was not correctly
decoded. [RT #20269]

2672.   [bug]   Don't enable searching in 'host' when doing reverse
lookups. [RT #20218]

2525.   [experimental]  New logging category query-errors to provide detailed
internal information about query failures, especially
about server failures.  (backported as a special
exception to the general policy) [RT #19027]

2670.   [bug]   Unexpected connect failures failed to log enough
information to be useful. [RT #20205]

2649.   [bug]   Set the domain for forward only zones. [RT #19944]

2648.   [port]  win32: isc_time_seconds() was broken. [RT #19900]

2646.   [bug]   Incorrect cleanup on error in socket.c. [RT #19987]

2642.   [bug]   nsupdate could dump core on solaris when reading
improperly formatted key files.  [RT #20015]

2640.   [security]  A specially crafted update packet will cause named
to exit. [RT #2]

2637.   [func]  Rationalize dnssec-signzone's signwithkey() calling.
[RT #19959]

2635.   [bug]   isc_inet_ntop() incorrectly handled 0.0/16 addresses.
[RT #19716]

2633.   [bug]   Handle 15 bit rand() functions. [RT #19783]

2632.   [func]  util/kit.sh: warn if documentation appears to be out of
date.  [RT #19922]

2623.   [bug]   Named started seaches for DS non-optimally. [RT #19915]

2621.   [doc]   Made copyright boilterplate consistent.  [RT #19833]

2920.   [bug]   Delay thawing the zone until the reload of it has
completed successfully.  [RT #19750]

2618.   [bug]   The sdb and sdlz db_interator_seek() methods could
loop infinitely. [RT #19847]

2617.   [bug]   ifconfig.sh failed to emit an error message when
run from the wrong

BIND 9.6.2 Release Candidate 1 is now available.

2010-02-03 Thread Mark Andrews 

BIND 9.6.2 Release Candidate 1 is now available.

BIND 9.6.2rc1 is a maintenance release candidate for BIND 9.6.

BIND 9.6.2rc1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at http://www.isc.org/files/pgpkey2009.txt.

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at

ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip

The PGP signature of the binary kit is at

ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip.sha512.asc

Changes since 9.6.0:

--- 9.6.2rc1 released ---

2838.   [func]  Backport support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512, from BIND 9.7.  (This
incorporates changes 2726 and 2738 from that
release branch.) [RT #20871]

2837.   [port]  Prevent Linux spurious warnings about fwrite().
[RT #20812]

2831.   [security]  Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]

2828.   [security]  Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]

2827.   [security]  Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2825.   [bug]   Changing the setting of OPTOUT in a NSEC3 chain that
was in the process of being created was not properly
recorded in the zone. [RT #20786]

2823.   [bug]   rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2819.   [cleanup]   Removed unnecessary DNS_POINTER_MAXHOPS define
[RT #20771]

2818.   [cleanup]   rndc could return an incorrect error code 
when a zone was not found. [RT #20767]

2815.   [bug]   Exclusively lock the task when freezing a zone.
[RT #19838]

2814.   [func]  Provide a definitive error message when a master
zone is not loaded. [RT #20757]

--- 9.6.2b1 released ---

2797.   [bug]   Don't decrement the dispatch manager's maxbuffers.
[RT #20613]

2790.   [bug]   Handle DS queries to stub zones. [RT #20440]

2789.   [bug]   Fixed an INSIST in dispatch.c [RT #20576]

2786.   [bug]   Additional could be promoted to answer. [RT #20663]

2784.   [bug]   TC was not always being set when required glue was
dropped. [RT #20655]

2783.   [func]  Return minimal responses to EDNS/UDP queries with a UDP
buffer size of 512 or less.  [RT #20654]

2782.   [port]  win32: use getaddrinfo() for hostname lookups.
[RT #20650]

2777.   [contrib]   DLZ MYSQL auto reconnect support discovery was wrong.

2772.   [security]  When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]

2765.   [bug]   Skip masters for which the TSIG key cannot be found.
[RT #20595]

2760.   [cleanup]   Corrected named-compilezone usage summary. [RT #20533]

2759.   [doc]   Add information about .jbk/.jnw files to
the ARM. [RT #20303]

2758.   [bug]   win32: Added a workaround for a windows 2008 bug
that could cause the UDP client handler to shut
down. [RT #19176]

2757.   [bug]   dig: assertion failure could occur in connect
timeout. [RT #20599]

2755.   [doc]   Clarify documentation of keyset- files in
dnssec-signzone man page. [RT #19810]

2754.   [bug]   Secure-to-insecure transitions failed when zone
was signed with NSEC3. [RT #20587]

2750.   [bug]   dig: assertion failure could occur when a server

Re: Queries for NSEC3 hashed owner names

2010-02-04 Thread Mark Andrews 

In message 19306.52059.975062.462...@hadron.switch.ch, Alexander Gall writes:

 All of those are NSEC3-agnostic.  They should not do any DNSSEC
 processing for the ch zone, because they don't support algorithm #7.

Yes and no.  Just because you are using a algorithm that is unsupported
doesn't mean that you won't get queries looking for the break point
between supported and unsupported algorithms.  DS queries are used
to find that break point.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Host/nslookup/dig queries wrong server

2010-02-04 Thread Mark Andrews 

I know discussions like this are fun but it took  10 seconds to find the
related change in CHANGES.

2616.   [bug]   'host' used the nameservers from resolv.conf even
when a explicit nameserver was specified. [RT #19852]

And it has been applied to these branches.

% grep 2616 9.?.x/CHANGES
9.4.x/CHANGES:2616. [bug]   'host' used the nameservers from 
resolv.conf even
9.5.x/CHANGES:2616. [bug]   'host' used the nameservers from 
resolv.conf even
9.6.x/CHANGES:2616. [bug]   'host' used the nameservers from 
resolv.conf even
9.7.x/CHANGES:2616. [bug]   'host' used the nameservers from 
resolv.conf even
%

Which correspond to these releases 9.4-ESV, 9.5.2, 9.6.2 and 9.7.0.
Note: two of these are in the future so you need to look at the
release candidates.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: curious CNAME answer?

2010-02-04 Thread Mark Andrews 

In message blu149-w18aec33c220b5f6d2440e585...@phx.gbl, MontyRee writes:
 Hello, all.
  
 I have some curious question.
 below is a part of zone file at master dns(example.com).
  
  
 www   IN  CNAME   www.down
 down  IN   NS ns3.example.com.
  
 wehn I dig query like below at server,
  
  
 $ dig @dns.example.com www.example.com 
  
  
 the result is different..
  
 if query from slave dns server,
  
 192.168.2.1.domain xx.xx.xx.xx.30869:  45064* 2/2/2 CNAME[|domain]
  
 and the answer is 
 www.example.com.   3600IN  CNAME   www.down.example.com.
 www.down.example.com. 27   IN  A10.10.1.3

You offer recursion to xx.xx.xx.xx and dig set recursion desired by
default so the CNAME is followed.

 if query from any other server, 
  
 192.168.2.1.domain xx.xx.xx.xx.47127:  58823*- 1/2/2 CNAME[|domain]
  
 and the answer is 
 www.example.com.   3600IN  CNAME   www.down.example.com.

You don't offer recursion to this client so named returns a CNAME
and a referral to the child servers.

 my question is,
 Why the result is different by client?
 why first case answers A record also but the second case is cname only?
  
  
 Thanks in advance.  
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Queries for NSEC3 hashed owner names

2010-02-04 Thread Mark Andrews 

In message 19306.62546.632032.348...@hadron.switch.ch, Alexander Gall writes:
 On 04 Feb 2010 15:39:55 +, Chris Thompson c...@cam.ac.uk said:
 
  On Feb 4 2010, Alexander Gall wrote:
  Of the 60 sources in my sample,
  26 responded to version queries.  All of them identified themselves as
  some version of BIND
  
  5 9.5.0-P2
  3 9.4.2-P2.1
  3 9.4.2-P2
  3 9.4.2-P1
  3 9.3.4-P1
  1 9.5.1-P3
  1 9.5.0b3
  1 9.4.1-P1
  1 9.4.1
  1 9.3.5-P2
  1 9.3.5-P1
  1 9.3.4-P1.2
  1 9.3.4-P1.1
  1 9.3.4
  
  All of those are NSEC3-agnostic.  They should not do any DNSSEC
  processing for the ch zone, because they don't support algorithm #7.
 
  Most of the above versions will not have this fix
 
  2579.   [bug]   DNSSEC lookaside validation failed to handle unknow
 n
  algorithms. [RT #19479]
 
  which could lead to all sorts of confusion if they are validating
  via dlv.isc.org (say).
 
 Right, I forgot about that.

It's definitely reproducable with BIND 9.3.3 with DLV enabled.  BIND
9.3.3 was when named shifted from using the private type for DLV
to a allocated type.

dig txt ch.

Perhaps SWITCH could filter these out and send messages to the whois
technical contacts in a attempt to get these servers upgraded in the
interests of a more secure and robust DNS?

BIND 9.5.1-P3 does not make the queries in question.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Intermittent NXDOMAIN, (possibly) Bind or PowerDNS problem?

2010-02-04 Thread Mark Andrews 

In message 260066.10841...@web63105.mail.re1.yahoo.com, Ian B writes:
 Hi All,
 
 I found a post on this list from July 2009 with the subject:
 Intermittent NXDOMAIN, Bind 9.2.3 config and PowerDNS problem?
 
 https://lists.isc.org/pipermail/bind-users/2009-July/077045.html
 
 I'm having exactly the same issue but with hostname dreamteam.afl.com.au
 
 A sample dig is as follows:
 
 $ dig dreamteam.afl.com.au 
 
 ;  DiG 9.3.4-P1  dreamteam.afl.com.au
 ;; global options:  printcmd
 ;; Got answer:
 ;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 22236
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;dreamteam.afl.com.au.IN  A
 
 ;; ANSWER SECTION:
 dreamteam.afl.com.au. 30  IN  CNAME   afl.virtualsports.com.au.
 
 ;; AUTHORITY SECTION:
 com.au.   60  IN  SOA stl-bpc-gslb1500-1.bigp
 ond.com. hostmaster.stl-bpc-gslb1500-1.bigpond.com. 4 10800 3600 604800 60
 
 ;; Query time: 53 msec
 ;; SERVER: 203.161.127.1#53(203.161.127.1)
 ;; WHEN: Fri Feb  5 11:29:24 2010
 ;; MSG SIZE  rcvd: 147
 
 
 My understanding of the issue is that the authoritative nameserver for dreamt
 eam.afl.com.au is returning the incorrect data in the 'AUTHORITY SECTION' cau
 sing PowerDNS to act unpredictably. Other DNS recursors may not have an issue
 with this, as they overlook the error. Is that a correct understanding?

It looks like the two bigpond servers have been configured to serve
a unofficial version of COM.AU.  Normal query processing then causes
the servers to find the unofficial version of COM.AU and return
NXDOMAIN rather than a referral as they should.  This is hard to
avoid unless the normal query process rules are changed to not
re-start the query after following a CNAME for a non-recursive query
or only follow a CNAME if the target is in the same zone as the
owner of the CNAME.

The incorrect answer is then accepted and the cache is poisoned.

One would think however that Telstra would have locked COM.AU out
in the automatic provisioning systems for these servers as adding
it can only be for nefarious purposes.  Similarly any other
infrastucture zones.

Mark

 Thanks,
 Ian.
 
 
   ___
 ___
 Yahoo!7: Catch-up on your favourite Channel 7 TV shows easily, legally, and f
 or free at PLUS7. www.tv.yahoo.com.au/plus7
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Mark Andrews 

In message 20100205143439.ga15...@evileye.atkac.englab.brq.redhat.com, Adam T
kac writes:
 On Fri, Feb 05, 2010 at 06:22:26AM -0800, Alan Clegg wrote:
  I find this important enough to forward on to bind-users.
  
  Please not the importance of trust anchor management.
 
 We (= me and Paul Wouters) are working on dnssec-conf update. Sorry
 for troubles.
 
 Regards, Adam

The better thing would be a a script to fetch the current keys
nightly, perform a sanity check, then update or inform the administator
and let them update the keys after inspection.  I do something like
this myself nightly.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: view and dynamic zone updated by dhcp

2010-02-17 Thread Mark Andrews 

My bet is that you are sharing the master file of the zone being updated
between views/zones.  Don't do that.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ISC BIND 9.7.0 is now available

2010-02-18 Thread Mark Andrews 

In message de2b86f683214c959a95e2718834f...@internal.corp.ds, ic.nssip 
writes:
 Hello everyone,
 
 I tried to install BIND 9.7.0 from www.sunfreeware.com on a Solaris 10, x86 
 machine that was running before BIND 9.6.1-P1 with no problems.
 
 The new install goes to the same directories, but for some reasons when I 
 run named-checkconf for my default /etc/named.conf file I get:
 
 # /usr/local/sbin/named-checkconf
 none:0: open: /usr/local/etc/named.conf: file not found
 
 Do somebody knows if this error comes from the way the package was compiled 
 or there is a change on default location for named.conf?
 
 Thank you,
 Julian

The defaults have not changed.  I suspect someone has changed the
arguements given to configure when building the package.

 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Strange issue - please enlighten me

2010-02-20 Thread Mark Andrews 

In message 20100220192646.gb14...@fantomas.sk, Matus UHLAR - fantomas writes:
  Marco Davids (SIDN) wrote:
  
   Anyone any clue? I am trying to understand why some resolvers handle
   this query well, while BIND 9.7.x returns a SERVFAIL.
 
 On 19.02.10 13:21, Alan Clegg wrote:
  acl...@yellow:~$ dig +short airfrance.fr ns
  webaf1.airfrance.fr.
  lasvegas.airfrance.fr.
  proof.rain.fr.
  
  acl...@yellow:~$ dig +short @webaf1.airfrance.fr. www.airfrance.fr
  acl...@yellow:~$ dig +short @lasvegas.airfrance.fr. www.airfrance.fr
  acl...@yellow:~$ dig +short @proof.rain.fr. www.airfrance.fr
  
  All three of these servers, however, provide NS responses:
  
  www.airfrance.fr.   87600   IN  NS  ns2isp2.airfrance.fr.
  www.airfrance.fr.   87600   IN  NS  ns2isp1.airfrance.fr.
  
  That's not right... all three of the servers are lame (as you noted
  from your logfile).
  
  airfrance.fr needs to fix their delegations.
 
 like other domains I have seen before, they delegated the www.airfrance.fr
 record to broken nameservers that can not return proper answers for ANY or
 NS requests. ryanair.com is one of those, ccs.cz/ccs.sk are another.
 
 I have no idea what kind of nameservers are they, but they're either broken o
 r
 their admins do not know how to properly configure zone delegation.
 No, NS delegations ni parent zones are NOT enough.

Yet another misconfigured load balancer.  When will DNS admins learn
that the net has not been just A queries and you actually need to
test that the load balancer can answer queries other that A queries.

Mark

;  DiG 9.3.6-P1  www.airfrance.fr @ns2isp2.airfrance.fr +norec +dnssec
;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 56821
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2048
;; QUESTION SECTION:
;www.airfrance.fr.  IN  A

;; ANSWER SECTION:
www.airfrance.fr.   60  IN  A   193.57.244.36

;; Query time: 351 msec
;; SERVER: 193.57.219.253#53(193.57.219.253)
;; WHEN: Sun Feb 21 09:46:07 2010
;; MSG SIZE  rcvd: 61


;  DiG 9.3.6-P1  www.airfrance.fr @ns2isp2.airfrance.fr +norec +dnssec 

;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 48998
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.airfrance.fr.  IN  

;; AUTHORITY SECTION:
.   518400  IN  NS  G.ROOT-SERVERS.NET.
.   518400  IN  NS  H.ROOT-SERVERS.NET.
.   518400  IN  NS  I.ROOT-SERVERS.NET.
.   518400  IN  NS  J.ROOT-SERVERS.NET.
.   518400  IN  NS  K.ROOT-SERVERS.NET.
.   518400  IN  NS  L.ROOT-SERVERS.NET.
.   518400  IN  NS  M.ROOT-SERVERS.NET.
.   518400  IN  NS  A.ROOT-SERVERS.NET.
.   518400  IN  NS  B.ROOT-SERVERS.NET.
.   518400  IN  NS  C.ROOT-SERVERS.NET.
.   518400  IN  NS  D.ROOT-SERVERS.NET.
.   518400  IN  NS  E.ROOT-SERVERS.NET.
.   518400  IN  NS  F.ROOT-SERVERS.NET.

;; Query time: 353 msec
;; SERVER: 193.57.219.253#53(193.57.219.253)
;; WHEN: Sun Feb 21 09:46:12 2010
;; MSG SIZE  rcvd: 256

 
 -- 
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Different handling of referrals by dig and nslookup

2010-02-21 Thread Mark Andrews 

In message a5a893391002200851u131155c4h6fca226d27939...@mail.gmail.com, kalpe
sh varyani writes:
 Hi Doug,
 
 Please find my response inline.
 
 
 On Sun, Feb 14, 2010 at 8:53 AM, Doug Barton do...@dougbarton.us wrote:
 
  On 02/13/10 18:42, kalpesh varyani wrote:
 
  Hi Rick,
 
  I am aware that it is a somewhat odd (but not incorrect, am I right ?)
  to put a non-recursive name server in the resolv.conf
 
 
  There are certain very specific circumstances where you might want to do
  this, but in general I can't see any reason to do this, and would not
  recommend it.
 
 
 
  but I am not able
  to understand the behavioral difference of ping/dig and nslookup.
 
 
  What is it that you want to understand? You seem quite focused on figuring
  out why they are behaving differently, is there some reason why you need to
  put a non-resolving name server in resolv.conf?
 
 
 
 I guess, I am in one of those specific circumstances.
 The reason I prefer to have non-resolving name server in resolv.conf is as
 follows:
 
 Name server A (the first name server with recursion no;) was not present
 earlier, and has been newly configured as a name server. Name server B,
 which was previously handling all the name resolution part has recursion
 yes;
 
 Also, I would like my 3rd linux system (from where I try resolving names) to
 send queries to its root servers, only in case my first name server fails to
 resolve the name and sends back a referral. This would ensure that my 3rd
 linux system doesnot send queries to its name server, which could have been
 handled by the name server B (that was specified in resolv.conf). This would
 ensure that the root name server's network wont have unnecesary DNS
 traffic.
 
 
 
   But logically shouldn't it be moving to the next name server when the
  first one fails even in the case of ping and dig. This is what, I think,
  one would expect from a resolver.
 
 
  dig is a DNS diagnostic tool. You asked for an answer, you got an answer.
  The fact that it didn't move on is not a mystery. nslookup is designed to
  get its answers from the system resolver, so the real question is, why did
  ping and nslookup behave differently? But that's really a question for your
  linux distro.
 
 
 My basic concern is that, if my 3rd linux system can resolve a name using
 any of the name servers specified in the resolv.conf, then it effectively
 means that the remote system (for which name resolution was done) is
 reachable from my linux system. And if that is the case, then a ping to
 that system should not fail in the name resolution part.
 
 
 
 Regards,
 Kalpesh

ALL the nameservers listed in resolv.conf need to be to answer ALL of the
question put to them.  Multiple nameservers in resolv.conf are for
redundancy.  In practice to achieve this the servers listed in resolv.conf
need to be recursive.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Fwd: IPv6 client and negative cache - some doubts

2010-02-23 Thread Mark Andrews 
.  3600IN  SOA ns10.az.pl. admin.az.pl. 
2009091500 10800 3600 604800 3600

;; Query time: 334 msec
;; SERVER: 62.146.68.200#53(62.146.68.200)
;; WHEN: Wed Feb 24 09:13:32 2010
;; MSG SIZE  rcvd: 99

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Update returns FORMERR: ran out of space

2010-02-23 Thread Mark Andrews 

In message 20100223135615.ga30...@nic.fr, Stephane Bortzmeyer writes:
 Trying to add/delete DNSSEC keys with dynamic update (first time I try
 that), the nsupdate client gets a FORMERR and BIND logs:
 
 Feb 23 14:53:24 jezabel named[10174]: client ::1#29411: updating zone 'bortzm
 eyer.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space
 
 I checked the disk space (plenty) but I suspect that the problem is
 more complicated.

Turn the debugging up to 3.  The log message is a result of
update_signatures() detecting a error.

ran out of space usually means a fixed sized buffer is not big
enough or the change exceeded a architectual limit of the protocol.

Mark

 I can add A records just fine:
 
 Feb 23 14:55:46 jezabel named[10174]: client ::1#51231: updating zone 'bortzm
 eyer.fr/IN': adding an RR at 'created-dyn-1266933346-8636.bortzmeyer.fr' A
 
 BIND 9.7.0 built with '--without-idnlib' '--without-dlz' '--without-idn' '--w
 ith-libxml2=yes' '--enable-openssl'
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

<    1   2   3   4   5   6   7   8   9   10   >