On 22.02.10 17:21, Geoff Sweet wrote:
The problem is that editing the options list to:
options {
directory /var/named;
dump-file /var/named/data/cache_dump.db;
statistics-file /var/named/data/named_stats.txt;
On 22.02.10 16:26, Geoff Sweet wrote:
I have an on-going problem that has totally stumped me. I have a CentOS
5.3 server that I am using the builtin Bind (9.3) to serve our zones. Our
ISP has provisioned us a block of IPs and has delegated our name servers
as authoritative for the reverse
Hello Everyone
I have a problem with Bind 9.3.6-P1 (included in Solaris 10) but honestly I
don't even understand if it is wrong Bind behaviour or my ignorance. It does
apply only to some specific cases when external domain delegation is also
somewhat broken. My server is caching only. Let me show
In article mailman.529.1266923597.21153.bind-us...@lists.isc.org,
Michal Wesolowski gmic...@gmail.com wrote:
Hello Everyone
I have a problem with Bind 9.3.6-P1 (included in Solaris 10) but honestly I
don't even understand if it is wrong Bind behaviour or my ignorance. It does
apply only to
I'm running 9.3 on RHEL 5.4.
My options are:
options {
directory /var/named;
query-source address 10.0.0.3;
allow-query { internaldns; externaldns; dswadnsalias; };
allow-recursion { internaldns; externaldns; };
blackhole { blackhats; };
version
sorry for replying directly, still have some problems with gmail UI.
-- Forwarded message --
From: Michal Wesolowski gmic...@gmail.com
Date: Tue, Feb 23, 2010 at 2:47 PM
Subject: Re: IPv6 client and negative cache - some doubts
To: Sam Wilson sam.wil...@ed.ac.uk
On Tue, Feb 23,
Hi everybody,
I just set up my dns using bind-9.6.1-P2
when I try to ping the server with a hostname, that's ok.
i.e.
#ping www.superease.net
PING www.superease.net (202.68.195.36) 56(84) bytes of data.
But when I try to ping the server without hostname,
#ping superease.net
ping: unknown host
You need an A record for the domain itself:
superease.net. IN A 202.68.195.36
www IN A 202.68.195.36
The first one (terminated by the dot) tells it to look up the domain
name superease.net itself. The dot is important - without it this
would try to look up
On Sat, Feb 20, 2010 at 12:31:38AM +,
Evan Hunt e...@isc.org wrote
a message of 36 lines which said:
To answer the question, those values are the NSEC3PARAM data for the
zone, as defined in RFC 5155. [...] flags of 1 means opt-out and 0
means no opt-out;
It is not exactly what the RFC
On Sat, Feb 20, 2010 at 09:15:23PM +,
Evan Hunt e...@isc.org wrote
a message of 22 lines which said:
We have plans to improve this in 9.7.x (where x probably equals 1)
in a couple of ways: first, by making it possible to assign each key
an explicit successor key and warn the user if a
On Tue, Feb 23, 2010 at 10:41:37PM +0800,
Cefull Lo cef...@gmail.com wrote
a message of 89 lines which said:
But when I try to ping the server without hostname,
[Technicality: there *is* a hostname, superease.net *is* a hostname.]
Here the zone file
There is no A or record for @
In article mailman.538.1266936679.21153.bind-us...@lists.isc.org,
Lightner, Jeff jlight...@water.com wrote:
You need an A record for the domain itself:
superease.net. IN A 202.68.195.36
www IN A 202.68.195.36
The first one (terminated by the dot) tells
On Tue, Feb 23, 2010 at 09:50:29AM -0500,
Lightner, Jeff jlight...@water.com wrote
a message of 66 lines which said:
superease.net. IN A 202.68.195.36
...
The dot is important
Using @ would be simpler and would allow the zone file to be used for
other zones as well.
On Tue, Feb 23, 2010 at 09:53:37AM -0500,
jcarrol...@cfl.rr.com jcarrol...@cfl.rr.com wrote
a message of 9 lines which said:
However, whenever someone tries to nslookup (or dig) an external
site (i.e. cnn.com) they get REFUSED. If I back down to the 9.3
version all is well.
allow-query and
Right - Thanks for pointing it out.
I inherited a lot of zones and never went back and changed them. The @
is something I do use in alias zones - we have a couple hundred domains
and many of them go to the same IP and using @ I'm able to use a single
zone file to incorporate the ones that all go
Stephane Bortzmeyer wrote:
We have plans to improve this in 9.7.x (where x probably equals 1)
in a couple of ways: first, by making it possible to assign each key
an explicit successor key and warn the user if a key is set to
expire without a successor; second, by making it possible to
On Tue, 23 Feb 2010, jcarrol...@cfl.rr.com wrote:
Due to a security audit I have been given the task of upgrading our BIND
from 9.3 to a new version (9.7 is preferred). Using the package from
sunfreeware.com (Solaris 10/X86) the upgrade seems to work well. However,
whenever someone tries to
This mailing list rocks.
Many thanks to Stephane Bortzmeyer and Jay Ford. Both were spot on with
allow-query. Now BIND 9.7 resolves to the outside.
JC
jcarrol...@cfl.rr.com wrote:
Please do not crucify me.
Due to a security audit I have been given the task of upgrading our BIND
@ IN MX 10 mail.man169.com.
Try adding here:
@ IN A 202.68.195.36
www IN A 202.68.195.36
___
bind-users mailing list
bind-users@lists.isc.org
Try caused recursion / non-authoritative.
On Feb 23, 2010 3:47 PM, Timothy Holtzen t...@nebrwesleyan.edu wrote:
I have seen references out there about cache hit rates of 50-70% being
normal. However I'm confused as to how to measure/calculate hit ratio?
I can't seem to find any good references
On 23.02.10 09:53, jcarrol...@cfl.rr.com wrote:
Due to a security audit I have been given the task of upgrading our BIND
from 9.3 to a new version (9.7 is preferred). Using the package from
sunfreeware.com (Solaris 10/X86) the upgrade seems to work well. However,
whenever someone tries to
On Feb 23 2010, Matus UHLAR - fantomas wrote:
since 9.5, the default for allow-recursion is { localhost; localnets; };
previous versions used iirc { all; };
Actually, that change was made in 9.4. (Some of the cross-inheritance of
the different query-* access controls wasn't there until
To answer the question, those values are the NSEC3PARAM data for the
zone, as defined in RFC 5155. [...] flags of 1 means opt-out and 0
means no opt-out;
It is not exactly what the RFC says:
The Opt-Out flag is not used and is set to zero.
True. I oversimplified a bit.
When you
I try to play with the new toy, DNSSEC timing meta-data in key files.
% dnssec-settime -v 3 Ktoto.fr.+008+42555
dnssec-settime: fatal: Key toto.fr/RSASHA256/42555 has incompatible format
version 1.2, use -f to force upgrade to new version.
OK, I upgrade:
% dnssec-settime -v 3 -f
I'm not sure it is a good idea. BIND is already quite loaded in
features. Why not relying on dedicated free software such as
OpenDNSSEC http://www.opendnssec.org/?
AFAIK, OpenDNSSEC works fine with 9.7. (And it rocks and everyone
should check it out.) But there's room for both approaches.
On Tue, Feb 23, 2010 at 02:56:15PM +0100,
Stephane Bortzmeyer bortzme...@nic.fr wrote
a message of 17 lines which said:
Trying to add/delete DNSSEC keys with dynamic update (first time I try
that), the nsupdate client gets a FORMERR and BIND logs:
Some details:
* I use NSEC3 with opt-out
*
In production I am running BIND 9.6.1-P3 on Solaris 9,
sun4u sparc SUNW,Sun-Fire-V240. When I start BIND I get this message:
Jan 25 11:03:17 dns1 named[9673]: [ID 873579 daemon.notice]
built with '--prefix=/export/home/named/bind'
'--with-openssl=/krb5'
Stephane Bortzmeyer wrote:
There is nothing about key rollover, it seems? How do you handle it?
I don't.
(Well, for now the plan is to do it once a year by hand. Then, we'll see...)
Regards,
Eugene
On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote:
(Well, for now the plan is to do it once a year by hand. Then, we'll see...)
For the record, NIST recommends to roll the ZSK every three months, and
the KSK every two years.
Thanks,
-- Nicholas
Nicholas Wheeler wrote:
On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote:
(Well, for now the plan is to do it once a year by hand. Then, we'll see...)
For the record, NIST recommends to roll the ZSK every three months, and
the KSK every two years.
And there are lots of other
On Tue, 23 Feb 2010, Alan Clegg wrote:
For the record, NIST recommends to roll the ZSK every three months, and
the KSK every two years.
And there are lots of other opinions on this timing as well.
Note that you cannot really talk about rolling key recommendations without
mentioning the key
Date: Tue, 23 Feb 2010 16:02:27 -0500
From: Alan Clegg acl...@isc.org
Sender: bind-users-bounces+oberman=es@lists.isc.org
Nicholas Wheeler wrote:
On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote:
(Well, for now the plan is to do it once a year by hand. Then, we'll
see...)
In message f677fefa1002230600n4694161cu315e5dd4beaaa...@mail.gmail.com, Michal Wesolowski writes:
sorry for replying directly, still have some problems with gmail UI.
-- Forwarded message --
From: Michal Wesolowski gmic...@gmail.com
Date: Tue, Feb 23, 2010 at 2:47 PM
In message 20100223135615.ga30...@nic.fr, Stephane Bortzmeyer writes:
Trying to add/delete DNSSEC keys with dynamic update (first time I try
that), the nsupdate client gets a FORMERR and BIND logs:
Feb 23 14:53:24 jezabel named[10174]: client ::1#29411: updating zone 'bortzmeyer.fr/IN':
Now that OpenDNS the largest provider of public DNS supports DNSCurve
http://twitter.com/joebaptista/status/9555178362
Would it be possible to include DNScurve support in bind?
thanks
joe baptista
Hi!
Does it make any sense to blacklist the private address ranges on a server
that is facing the Internet? I mean, these address ranges are not even routed
on the Internet.
Is there a trick to this?
Thanks in advance!
--
Diosney
On 02/23/10 18:31, Joe Baptista wrote:
Now that OpenDNS the largest provider of public DNS supports DNSCurve
http://twitter.com/joebaptista/status/9555178362
Would it be possible to include DNScurve support in bind?
thanks
joe baptista
I'd love to see BIND adopt DNScurve...when it becomes
It would be nice to see it as an RFC. I agree with that. But from what I
know it will be a pretty cold day in hell before it becomes an RFC. I humbly
suggest Dr. Bernstein who is behind DNScurve thinks the IETF is full of
wackos. So it is unlikely he will ever be bothered to dance the IETF RFC
I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is
full of wackos. So it is unlikely he will ever be bothered to dance the
IETF RFC jig.
Is there a requirement that Dr. Bernstein must personally do the dancing?
Let someone else write the RFC, if it needs writing.
While
On 02/23/10 19:54, Joe Baptista wrote:
It would be nice to see it as an RFC. I agree with that. But from what I
know it will be a pretty cold day in hell before it becomes an RFC. I
humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is
full of wackos. So it is unlikely he will
On Tue, Feb 23, 2010 at 11:19 PM, Mark Andrews ma...@isc.org wrote:
In message f677fefa1002230600n4694161cu315e5dd4beaaa...@mail.gmail.com,
Michal Wesolowski writes:
sorry for replying directly, still have some problems with gmail UI.
-- Forwarded message --
From:
Hello,
for a 192.168.199.64/26 in zone file to delegate to a customer;
should i put subnet number:
64/26 IN NS ns1.example.com.
64/26 IN NS ns2.example.com.
or host ranges:
64-126 IN NS ns1.example.com.
64-126 IN NS ns2.example.com.
.
.
$GENERATE 65-126 $ CNAME $.65-126
thanks
Sasa
On Wed, Feb 24, 2010 at 2:01 PM, sasa sasa sasasa20...@yahoo.com wrote:
Hello,
for a 192.168.199.64/26 in zone file to delegate to a customer;
should i put subnet number:
64/26 IN NS ns1.example.com.
64/26 IN NS ns2.example.com.
or host ranges:
64-126 IN NS ns1.example.com.
64-126 IN NS
Nicholas Wheeler wrote:
On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote:
(Well, for now the plan is to do it once a year by hand. Then, we'll see...)
For the record, NIST recommends to roll the ZSK every three months, and
the KSK every two years.
Let me put it this way: by the time