Sorbs List on Bind Help

2018-04-11 Thread Klaipedaville on Google
Hello list, I was wondering if anybody could advise please, on the line below that I always seem to get in my Bind 9.8.4 logs: error (unexpected RCODE SERVFAIL) resolving 'dul.dnsbl.sorbs.net/A/IN':174.36.198.232#53 I know what it generally stands for, that is the name server was unable to

[Question] bind 9.11 source code for openssl_link.c

2018-04-11 Thread tec
Hi all, I have a question about the OpenSSL code in bind 9.11.3, from target file: openssl_link.c. I read the source code, and it looks like the "lock_callback" function may be defined in the case of an OpenSSL version more than 1.0 or less than 1.1. *1 However, it looks like code line number 206 (in

Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Boolootian
Thank you Mark. Your insight and detail is always helpful and immensely appreciated. For what it's worth, I will make it a point to reach out to the relevant parties to grouse to the extent possible about the damage done by DNS servers authoritative for DNSSEC signed zones that aren't properly

Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Andrews
Archives.org is served by the following servers. archives.gov. 300 IN NS sauthns1.qwest.net. archives.gov. 300 IN NS sauthns2.qwest.net. Those servers return BADVERS to EDNS(0) queries with an EDNS option present. BADVERS is NEVER a valid rcode to

Re: DNS64 & nslookup

2018-04-11 Thread Mark Andrews
Firstly, you can tell nslookup to make AAAA queries: “nslookup -query=AAAA”. nslookup is a really old tool, which is why it makes A queries by default. It predates even the concept of IPv6 (which dates from ~1995). The same also applies to dig, which is slightly younger than nslookup. Secondly, I

Re: DNS64 & nslookup

2018-04-11 Thread Chuck Swiger
On Apr 11, 2018, at 4:26 PM, Mark Boolootian wrote: >>> As far as I know, a host with on an IPv6 address is only ever >>> going to perform AAAA lookups. I'd be very interested to know >>> if there are cases where that isn't true. >> >> Well, if you run nslookup or dig -t a,

Re: DNS64 & nslookup

2018-04-11 Thread Mark Boolootian
>> As far as I know, a host with on an IPv6 address is only ever >> going to perform AAAA lookups. I'd be very interested to know >> if there are cases where that isn't true. > > Well, if you run nslookup or dig -t a, you're asking for A records > explicitly. Ah, true that. Does nslookup do

Re: DNS64 & nslookup

2018-04-11 Thread Chuck Swiger
On Apr 11, 2018, at 3:49 PM, Mark Boolootian wrote: > >>> I'll give those tools a try, but I don't understand how my client is >>> requesting >> an A record. It only has IPv6 networking. DNS64 should be requesting an >> A record, but what the client should see is the converted

Re: DNS64 & nslookup

2018-04-11 Thread Mark Andrews
DNS64 server takes a AAAA lookup and if there are NOT AAAA records at the name it then performs an A lookup for the same name and maps the results into AAAA records and returns them. There are additional caveats but that is the basic process. It does NOT take an A lookup and return AAAA record. A

Re: DNS64 & nslookup

2018-04-11 Thread Rick Tillery
According to what I've read, that's exactly what DNS64 does. It converts A records to AAAA records. (For mixed networks, it just passes through AAAA records, but that's not in my configuration): "DNS64 is a mechanism for synthesizing AAAA resource records (RRs) from A RRs." -

Re: DNS64 & nslookup

2018-04-11 Thread Mark Boolootian
>> I'll give those tools a try, but I don't understand how my client is >> requesting > an A record. It only has IPv6 networking. DNS64 should be requesting an > A record, but what the client should see is the converted AAAA record. Is that > not right? > > Nope-- DNS requests aren't going to

Re: DNS64 & nslookup

2018-04-11 Thread Chuck Swiger
On Apr 11, 2018, at 3:32 PM, Rick Tillery wrote: > I'll give those tools a try, but I don't understand how my client is > requesting an A record. It only has IPv6 networking. DNS64 should be > requesting an A record, but what the client should see is the converted

Re: DNS64 & nslookup

2018-04-11 Thread Mark Andrews
Because nslookup and dig are specialised DNS testing tools. They don’t use getaddrinfo to perform test lookups. getaddrinfo is the function that most applications use as part of the connection process. > On 12 Apr 2018, at 8:33 am, Rick Tillery wrote: > > I'll give

Re: DNS64 & nslookup

2018-04-11 Thread Rick Tillery
I'll give those tools a try, but I don't understand how my client is requesting an A record. It only has IPv6 networking. DNS64 should be requesting an A record, but what the client should see is the converted AAAA record. Is that not right? Rick On Wed, Apr 11, 2018, 5:27 PM Chuck Swiger

Re: DNS64 & nslookup

2018-04-11 Thread Chuck Swiger
On Apr 11, 2018, at 3:09 PM, Rick Tillery wrote: > I appear to have my NAT64+DNS64 IPv6 -> IPv4 network configured correctly, as > I can access IPv4-only Internet sites, e.g. from my browser. But some tools > don't seem to work the way I think they should. > > One

Re: BIND question

2018-04-11 Thread praveen via bind-users
I am seeing the below error when a zone is signed without an A record for the zone. However there is a CNAME record for the same top-level domain (zone); could this be causing the below error, and why? dnssec-signzone: error: dns_master_load: :33: zonename: CNAME and other data dnssec-signzone:

DNS64 & nslookup

2018-04-11 Thread Rick Tillery
I appear to have my NAT64+DNS64 IPv6 -> IPv4 network configured correctly, as I can access IPv4-only Internet sites, e.g. from my browser. But some tools don't seem to work the way I think they should. One example is nslookup. If I do nslookup ipv4.google.com, I get: $ nslookup ipv4.google.com

Re: BIND question

2018-04-11 Thread Carl Byington
On Wed, 2018-04-11 at 21:06 +, praveen via bind-users wrote: > Is an "A" record mandatory entry for top-level domain (zone) when > using DNSSEC, DKIM, SPF and DMARC configuration? No. I have zones with all of that, with no A record at the apex,

Re: BIND and Windows DNS logging and archiving

2018-04-11 Thread Mick Lee
Hi All, Sometime ago I posted about capturing DNS activity (queries and responses) for both BIND and Windows DNS, and my colleague had a tool which he ported to Windows for me. This tool is called dns-logger. His company NoSpaceships, has just released the dns-logger product, available free for

Re: Responding with a subset of an rrset

2018-04-11 Thread G.W. Haywood via bind-users
Hi there, On Wed, 11 Apr 2018, speijnik wrote: I'd need a way of returning a random pick of a limited number of records from a given rrset ... Something like this? 8<-- #!/usr/bin/perl -w use strict; use Net::DNS; use

BIND question

2018-04-11 Thread praveen via bind-users
All, Operating BIND version "BIND 9.9.10-P1 (Extended Support Version)" DNSSEC signing in place. DKIM, SPF and DMARC records are also in place for top-level domain (zone). Is an "A" record mandatory entry for top-level domain (zone) when using DNSSEC, DKIM, SPF and DMARC configuration? Thanks

Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Boolootian
Ah, you are awesome Carl! Thank you!! And doh, stupid me. I was emailing the wrong people. On Wed, Apr 11, 2018 at 11:45 AM, Carl Byington wrote: > On Wed, 2018-04-11 at 11:28 -0700, Mark Boolootian wrote: > > >> I'm

Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Carl Byington
On Wed, 2018-04-11 at 11:28 -0700, Mark Boolootian wrote: > I'm wondering if anyone from this august group > can clue me in to how I might config around this > issue for the archives.gov servers (assuming that > is possible). //

EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Boolootian
Hi folks, I upgraded out of 9.10 and into 9.12 last week. Subsequent to that, I received complaints about hosts in archives.gov failing to resolve. We run validating recursive servers, and archives.gov is signed. I've poked at this but concluded I lack enough DNS foo to understand the

Responding with a subset of an rrset

2018-04-11 Thread speijnik
Dear bind users, I'm currently looking for a way of making bind9 respond with a subset of an rrset. I'd need a way of returning a random pick of a limited number of records from a given rrset, i.e. from an existing rrset containing 100 records I'd like to return 5 random records. From what I've

Re: DNSSEC Question

2018-04-11 Thread Bob McDonald
I should have pointed out that BOTH servers have recursion turned on. Yeah, I know about having DNSSEC-enable=yes to not break downstream validation. (I inherited this setup...) BOTH are internal DNS servers with access to the internet to query the internet roots (no default forwarding active).

RE: BIND 9.9 cannot resolve PTR record but +trace can

2018-04-11 Thread Darcy Kevin (FCA)
On a case-by-case basis, one can use stub zones, conditional forwarding, etc. but if you're looking for a "break Internet standards" switch, I think you're going to be disappointed. Vix has stopped calling BIND a "reference" implementation of DNS, but it still tries to set a good example.

Re: BIND 9.9 cannot resolve PTR record but +trace can

2018-04-11 Thread Aras Yorgancı
Quoting Anand Buddhdev: The delegation of 131.161.213.in-addr.arpa points to dns.est.com.tr and dns2.est.com.tr. But these two names are aliased to dns3.est.com.tr and dns4.est.com.tr. However, one cannot use alias names as targets of NS records. This is forbidden by RFC 2181,

Re: DNSSEC Question

2018-04-11 Thread Tony Finch
Bob McDonald wrote: > > Server A > DNSSEC=yes > DNSSEC-validation=yes > Valid trust anchor for the root zone > DNSSEC validation seems to work correctly > Zone one.com. is setup as a forward zone to server B > > Server B > DNSSEC=no > DNSSEC-validation=N/A > authoritative

Re: BIND 9.9 cannot resolve PTR record but +trace can

2018-04-11 Thread Tony Finch
Aras Yorgancı wrote: > > Our BIND 9.9 DNS servers cannot resolve the PTR record of an MX server. So we > cannot establish e-mail communication. This is because the delegation NS records point at CNAMEs, which is not allowed - if a resolver tries to chase CNAMEs in this

Re: BIND 9.9 cannot resolve PTR record but +trace can

2018-04-11 Thread Anand Buddhdev
The delegation of 131.161.213.in-addr.arpa points to dns.est.com.tr and dns2.est.com.tr. But these two names are aliased to dns3.est.com.tr and dns4.est.com.tr. However, one cannot use alias names as targets of NS records. This is forbidden by RFC 2181, section 10.3. The operator of this reverse

DNSSEC Question

2018-04-11 Thread Bob McDonald
Consider the following example: Server A DNSSEC=yes DNSSEC-validation=yes Valid trust anchor for the root zone DNSSEC validation seems to work correctly Zone one.com. is setup as a forward zone to server B Server B DNSSEC=no DNSSEC-validation=N/A authoritative and the master for one.com. When

BIND 9.9 cannot resolve PTR record but +trace can

2018-04-11 Thread Aras Yorgancı
Hi, Our BIND 9.9 DNS servers cannot resolve the PTR record of an MX server. So we cannot establish e-mail communication. [root@localhost ~]# dig @127.0.0.1 -x 213.161.131.25 ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @127.0.0.1 -x 213.161.131.25 ; (1 server found) ;; global options: +cmd