Re: Stub zones, but secndary?

2023-11-20 Thread Cathy Almond
Have you looked at mirror zones for root? Zone type "mirror" = it's appropriate for "." but not for other zones. (Oh - and don't forget to disable ixfr for this zone when you do that - it's more efficient for the validation step) Details in the BIND ARM. Cathy On 19/11/2023 21:10, Elmar K.

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-06 Thread Cathy Almond
On 02/06/2023 13:59, Jesus Cea wrote: > On 2/6/23 10:38, Cathy Almond wrote: >> Has this just started - as in, it worked before ... when? > > No idea. We have been bitten by this because a new client. The issue > could be for ages, no idea.> That may be so. For the cli

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-02 Thread Cathy Almond
On 01/06/2023 15:58, Jesus Cea wrote: I am getting errors "Name huawei.com (SOA) not subdomain of zone cloud.huawei.com". The problem raises when requesting on oauth-login.cloud.huawei.com . The problem was described in the mailing list:

Re: 9.16 needs more RAM then 9.11

2021-04-21 Thread Cathy Almond
On 19/04/2021 20:11, Klaus Darilion wrote: > Hello! > > On our servers where we use Bind 9.16, named needs approx. 29G RAM. On the > servers with Bind 9.11 named needs approx. 25G RAM. > > Is this a known issue? Are there some config options to tune memory > consumption? Are these resolvers,

Re: A And Cname-record

2020-06-22 Thread Cathy Almond
On 17/06/2020 22:44, Ejaz Ahmed wrote: > when i am trying to add A and CNAME record together  for the same > subdomain, getting an error as below, you all kind  assistance would be > highly appreciated thanks in  advance > > my records are as follows in zone  > > auotdiscover IN A 1.1.1.1 >

Re: NSEC3 salt change - temporary performance decline

2020-06-09 Thread Cathy Almond
On 29/01/2020 11:50, Klaus Darilion wrote: > Hello Niels! > > Thanks for bringing this to attention. I have reported it before [1][2] > without response. > > We see this regularly. AFAIS it happens actually always, but if the IXFR > is small, the performance decline is so short that you usually

Re: Question about CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit

2019-12-20 Thread Cathy Almond
; > But are we sure that one would see multiple queries in the querylogs in case > of pipelining ? > > Thanks, > Veronique > > -Original Message- > From: Cathy Almond > Sent: 09 December 2019 10:05 > To: Veronique Lefebure > Subject: Re: FW: Question ab

Re: Question about CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit

2019-11-21 Thread Cathy Almond
On 21/11/2019 14:40, Veronique Lefebure wrote: > Hi, > > I have a question regarding the vulnerability described in the mail below. > > If a client is using TCP-pipelining, and if querylog channel is enabled, what > will appear in the query log file for that client ? > Shall we see one line per

Re: Issues with Stub Zone

2019-05-12 Thread Cathy Almond
Echoing Chris Buxton - you may be better served by using static-stub rather than stub. Explanation here: https://bugs.isc.org/Ticket/Display.html?id=45734 Cathy ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from

Re: Questions about delegation

2018-12-19 Thread Cathy Almond
Hi Bob(s), All good so far. It doesn't matter whether the authoritative servers for the delegated subdomain are in the parent or the delegated zone. (Actually, they could be somewhere completely different - and if they are, it just needs to be possible for recursive servers following the

Red Hat BIND Security Advisory CVE-2018-5742

2018-12-19 Thread Cathy Almond
versions of BIND from ISC, see: https://kb.isc.org/docs/aa-01310 (Please also note that BIND 9.9 and 9.10 from ISC are now EOL). Cathy Almond ISC Support

Re: 2 Questions - forward zone and DNS firewalling

2018-10-26 Thread Cathy Almond
On 26/10/2018 08:08, N6Ghost wrote: > maybe its just old habits, i think its a bad idea to build your > infrastructure in a way the needs forward zones to work. not when you > can build it with proper delegation. > > i just think when building namespaces proper delegation should be used > and

Re: Saurabh: Not getting the answer with AAAA record. Error FORMERR resolving 'gim8.pl/AAAA/IN comes.

2018-06-04 Thread Cathy Almond
On 22/05/2018 15:58, Tony Finch wrote: > Saurabh Srivastava wrote: > >> I have faced an issue on my RPZ Server. >> I have added the A record Entry & record entry for some domains. >> The RPZ Policy is running fine. >> But the weird response that i am getting with few domains are that when

Re: DNS Capacity issue help -- Recursive Query -- it seems some packets are dropped by DNS

2018-04-13 Thread Cathy Almond
On 10/04/2018 01:37, PENG, JUNAN wrote: > Hi, All > > I did recursive query capacity test. I used traffic generator to place 15K > QPS traffic to DNS 1 with FQDN1 (Note, FQDN1 can't be resolve by DNS1, it > need to forward it to DNS2 and TTL is set to 0) > > But during the test , I found

Re: servfail-ttl 0; option in the named.conf global section is crashing the named (BIND 9.10.6)

2018-03-04 Thread Cathy Almond
On 05/03/2018 05:50, Nagesh Thati wrote: > Hello, > > I have added a servfail-ttl 0; parameter in the named.conf file in the > global section and restarted the named, but named is not coming up and I > don't see any errors printing in the named.log. When I do a > named-checkconf on named.conf it

Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-02-27 Thread Cathy Almond
On 22/02/2018 16:44, NNEX Support wrote: > I'm sorry to keep replying to myself but I believe I've found the line of > code that is causing this issue. Looking at validator.c, in the > check_deadlock function, 9.12.0rc1 says: > > ... > > if (parent->event != NULL && >

Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-01-29 Thread Cathy Almond
The DNS-OARC reply size tester doesn't work with versions of BIND that are 9.10 and newer. This is because of the new probing process that we implemented that should be more resilient. But it does unfortunately 'break' getting sane results from the DNS-OARC reply size tester.

Re: Domain Not Resolving

2017-11-23 Thread Cathy Almond
On 22/11/2017 14:12, Ron Wingfield wrote: > . . .well, I've received a lot of comment from several people, _most > quite helpful and appreciated_; . . .some rather critical and > condescending.  Regardless, I'll just pursue this resolve while using > other resources .  (BTW, under consideration, "

Re: wildcard not working after record deleted

2017-06-20 Thread Cathy Almond
On 20/06/2017 14:17, Maria Iano wrote: > On Mon, Jun 19, 2017 at 09:08:33PM -0500, /dev/rob0 wrote: >> On Mon, Jun 19, 2017 at 06:19:31PM -0400, Maria Iano wrote: >>> We have a group of users that need to use a wildcard record in >>> their zone. Their wildcard works in general, but they have a

Re: Clean up dynamic names

2017-02-13 Thread Cathy Almond
On 14/02/2017 01:58, Grant Taylor via bind-users wrote: > On 02/08/2017 11:09 AM, Cuttler, Brian R (HEALTH) wrote: >> DHCP: >> I know DHCP will remove the info when the old lease expires, will it >> remove this information for me in the case of the device falling off >> line, and how can I

Re: Reverse IPv6

2017-02-02 Thread Cathy Almond
On 02/02/2017 02:52, Filho Arrais wrote: > Hi, > > Hello, > Excuse me the question, is there anything native to IPv6 like in IPv4 > for PTR input? > > $GENERATE 1-254 $ PTR 100.200.236.$.examplae.com . > > -- Bear in mind that that reverse populating your IPv6 space

Re: Reasons to upgrade?

2017-01-18 Thread Cathy Almond
On 18/01/2017 15:02, lbutlr wrote: > It looks like there are three versions of Bind currently supported, 9.9.9, > 9.10, and 9.11. > > Are there specific reasons to move from 9.9 to 9.10 or 9.11 other than the > usual "it's newer and you're going to have to move at some point anyway"? > > Any

Respect for other posters and use of appropriate language on our community mailing lists

2016-10-25 Thread Cathy Almond
those list members who are posting in this manner being held for moderation or suspended indefinitely from this community. Cathy Almond ISC Support

Re: RRL BIND Recursive

2016-10-19 Thread Cathy Almond
On 18/10/2016 07:37, Mahdi Adnan wrote: > Hi, > > I have a few servers running a recursive DNS bind service, i configured > one of the servers to limit the rate of requests. > my configuration is: > > rate-limit { log-only yes; errors-per-second 8; nxdomains-per-second 8; > ipv4-prefix-length

Re: R: Reloading match-clients

2016-10-17 Thread Cathy Almond
On 14/10/2016 13:13, Matus UHLAR - fantomas wrote: > On 14.10.16 13:51, Job wrote: >> There is no way to update dynamically the match_clients without >> reconfig/reloading? What are you using the different views for, that the clients allowed to access them are changing so often? There may be a

Re: rndc on local host: need named running?

2016-08-30 Thread Cathy Almond
On 28/08/2016 02:48, Lyle wrote: > Use any in the allow stanza. You'll be using a shared key for this to work anyway, but I'd suggest being slightly more paranoid than 'any' in the allow stanza - perhaps the address range in which your local machine is to be allocated its address?

Re: named and use of resolv.conf? - how to "learn" this

2016-08-09 Thread Cathy Almond
On 03/08/2016 14:59, Matthew Pounsett wrote: > > > On 2 August 2016 at 19:50, Evan Hunt > wrote: > > On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote: > > Yes it will. But, as far as I understand, it uses the recursive code > paths

Notice: scheduled maintenance on lists.isc.org commencing 0200 UTC Thursday June 23 2016

2016-06-22 Thread Cathy Almond
ISC's Operations Team will be performing software upgrades on lists.isc.org commencing on Thursday June 23 2016 at 0200 UTC Our online mailing list information and list archives will be unavailable during this period, and any postings to the lists will be held and distributed once the maintenance

Re: Bind bind high recv-q

2015-12-04 Thread Cathy Almond
On 04/12/2015 12:34, Tony Finch wrote: > Søren Andersen wrote: >> >> I'm experiencing some strange problems with my bind installation. - I >> notice my bind recv-q is quite high sometimes.. therefore my DNS clients >> can experience DNS lookup to take 1-4 secs. My bind is running

Re: root hints operation

2015-11-17 Thread Cathy Almond
On 17/11/2015 02:31, Grant Taylor wrote: ... > The idea that a (maliciously) blank root.hints file would prevent BIND > from using the compiled in version is new to me. If someone *could* maliciously replace a file on your DNS server with a blank one, you have more problems than just a blank root

Re: Negation in view match-clients ACL doesn't work?

2015-08-06 Thread Cathy Almond
On 04/08/2015 21:29, Darcy Kevin (FCA) wrote: The short answer is that that is how address-match-lists work: a non-negated match allows access, a negated match denies access, and if there is *no* match, access is denied. The only real reason to use a negated match, therefore, is when what

Re: rndc status field meaning please

2015-07-21 Thread Cathy Almond
Hi, I don't think we do document the output from rndc status explicitly line by line in the BIND Administrator Manual, so I'll respond to your questions below, and I'll see about getting the documentation updated. For anything else you need to know, please refer to the manuals

Re: BIND slave server ignoring responses to all UDP-based SOA queries (zone refresh) for hours at a time

2015-07-07 Thread Cathy Almond
What can happen (and this is really really subtle) is that if there are some source ports that named could randomly select, but where intermediate firewalls or filters are just dropping, either the SOA refresh queries, or the responses, then named can 'get stuck' on using and re-using the same

Re: delay between nsupdate and NOTIFY

2015-06-05 Thread Cathy Almond
On 05/06/2015 07:39, Charles Musser wrote: Adjust serial-query-rate. This also controls the notify rate in BIND 9.9. A separate control notify-rate is coming in BIND 9.11. Today we tried increasing serial-query-rate from our original value of 1000 up to 5000 for a while, and then up to

Re: Issue in calling same zone in more than one VIEW

2015-05-29 Thread Cathy Almond
On 29/05/2015 10:39, Gaurav Kansal wrote: Thanks for information. Is there any other way by which I can define the zone (which are same for all views) outside the view or anything else by which I don't need to replicate the file for all the views. Regards, Gaurav Kansal -Original

Re: Different answer when querying @server from different clients

2015-03-09 Thread Cathy Almond
On 08/03/2015 16:00, Steven Carr wrote: On 8 March 2015 at 13:50, Barry S. Finkel bsfin...@att.net wrote: Using +trace with @8.8.8.8 ignores the @8.8.8.8, as that server is never queried when the query starts at the root and moves down the DNS tree to authorized servers. Incorrect,

Re: named assertion failure

2015-01-07 Thread Cathy Almond
On 06/01/2015 04:11, James Brown wrote: Running BIND 9.10.1-P1 on Mac OS X 10.10.1. It’s been running fine - no problems until this morning, when I got: 06-Jan-2015 01:33:33.356 transfer of 'rpz.spamhaus.org/IN/external' from 199.168.90.51#53: Transfer

Re: BIND listen backlog too small

2014-10-17 Thread Cathy Almond
On 16/10/2014 23:52, Shawn Zhou wrote: Thanks Mark. That's what I was looking for! On Thursday, October 16, 2014 3:36 PM, Mark Andrews ma...@isc.org wrote: 2fd63cf5 (Mark Andrews 2003-04-10 02:16:11 + 279) tcp-listen-queue integer; More info here too:

Re: something about rrl

2014-09-24 Thread Cathy Almond
On 22/09/2014 11:55, 陈超 wrote: Dear developers, I've recently encountered a problem with the response rate limit of bind-9.9.5. That is,after I configured RRL and started named,I noticed for those queries,BIND9 would do recursion first,and check the rate limit to decide whether it

Re: bind-9.10.0-P2 memory leak?

2014-09-15 Thread Cathy Almond
... Heh thanks, yeah...initially I was erring on the side of caution and using 9.9.x because it's served us well (~20k recursive clients without any significant problems). Meanwhile we've been keeping a close eye on community comments, and to be honest opinions wax and wane. Just as I think

Re: unable to obtain neither an IPv4 nor an IPv6 dispatch

2014-07-31 Thread Cathy Almond
On 24/07/2014 01:35, Matthew Calder wrote: At the moment I'm limited to using 2 UDP listeners per interface. When stress testing I can see that only 2 out of 4 CPUs are being used, I'm guessing because I'm limited to 2 listeners. Any suggestions for what could be limiting BIND from using a

Re: Bind 9.9.5 high CPU and when will Bind9.8 EOL?

2014-07-29 Thread Cathy Almond
Have a look at reducing -n to the number of physical cores (which might be 4 or 8) and then also have a look at -U (number of listening tasks per interface). Multiple listeners defaults to -n (number of worker threads). It's worth trying some tuning experiments from n/2 to n-1. What works best

Re: unable to obtain neither an IPv4 nor an IPv6 dispatch

2014-07-18 Thread Cathy Almond
It might have something to do with the number of CPUs that named detects when it starts, which (by default) drives how many listening tasks it starts per listening interface. BIND 9.10 changed the defaults slightly, but you can also control how many listening tasks per interface using the -U

Re: Problem dlz_mysql_driver

2014-06-06 Thread Cathy Almond
On 04/06/2014 08:25, Claudia Koch wrote: Hello, I've a installation of bind 9.4.0 with dlz_mysql_driver and I have a zone test.de. In this zone I have a record *.dev IN A 1.2.3.4 With dig a.dev.test.de I've get the answer 1.2.3.4. Now I like to do a update to debian 7.0 and I compile

Re: stub zones

2014-06-06 Thread Cathy Almond
On 02/06/2014 23:38, John Miller wrote: So... without stub zones, you know the drill: your local resolver follows delegation, starting from the root nameservers. Delegation happens, and life is good. If you're running views, then things work fine as well: your view just needs to be

Re: Bind vs flood

2014-02-28 Thread Cathy Almond
On 28/02/2014 17:57, Chris Buxton wrote: On Feb 28, 2014, at 2:12 AM, Jason Brown jason.br...@kcom.com wrote: But, it will respond with a valid response (your choice) and therefore not create a servfail due to trying.. that’s my point. ** Nope. RPZ only

Re: how to modify the cache

2014-02-17 Thread Cathy Almond
Use a stub zone if you want to override published NSes _without_ crossing the very-important boundary between iterative and recursive resolution. Actually no - use static-stub (newer versions of BIND) - otherwise the NS records received from the zone may override the NS that you want to use.

Re: changing NSEC3 salt

2014-02-06 Thread Cathy Almond
On 05/02/2014 18:54, David Newman wrote: The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every time a zone's ZSK changes. Is this just a matter of a new 'rndc signing' command, or is some action needed to remove the old salt? thanks dn rndc signing -nsec3param ... I

Re: changing NSEC3 salt

2014-02-06 Thread Cathy Almond
On 06/02/2014 12:58, Timothe Litt wrote: On 06-Feb-14 05:56, Cathy Almond wrote: On 05/02/2014 18:54, David Newman wrote: The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every time a zone's ZSK changes. Is this just a matter of a new 'rndc signing' command, or is some action

Re: Unable to transfer IPv4 reverse zone

2013-12-20 Thread Cathy Almond
On 19/12/2013 23:32, Daniel Lintott wrote: I have now tried recreating the zone file on the master, removed and re-added the configuration for the zone on both master and slave, yet still I am unable to transfer the zone. I have also added the following logging to the master server:

Re: Unable to transfer IPv4 reverse zone

2013-12-20 Thread Cathy Almond
It might be a silly question - but have you checked how many instances of named you have running on the master (thinking that you might not be 'talking to' the one you think you are)? Cathy

Re: caps compiling error

2013-11-26 Thread Cathy Almond
On 26/11/2013 16:56, Paul A wrote: Yeah I have compiled Bind on that machine many times currently I'm on BIND 9.8.4-P2. Not sure what header file is missing. -Original Message- From: bind-users-bounces+razor=meganet@lists.isc.org

Re: Slave displaying all domain info when using $INCLUDE on master

2013-09-05 Thread Cathy Almond
On 05/09/13 09:54, Jobst Schmalenbach wrote: Hi. I have a master/slave combo, the master is ok, displays the correct info when queried, but the slave displays too much info, including the internal stuff. The master uses two zone files (*internal and *external) that each include

Re: redirecting root hints to fake internal root server

2013-08-28 Thread Cathy Almond
On 27/08/13 21:28, Kevin Darcy wrote: On 8/27/2013 1:07 PM, Colin Harvey wrote: My environment is firewalled from the real world. For queries on zones to which I'm not master, I want to recurse to a corporate server. nslookup some.internal.hostname.com internal.corporate.server works fine.

Re: Stalling slave transfers

2013-05-17 Thread Cathy Almond
On 15/05/13 15:58, Tony Finch wrote: Tom Sommer m...@tomsommer.dk wrote: That works fine, but I think I figured out the problem, it was due to the server having acquired a 2nd (autodiscovered) IPv6 address, and it was using that as transfer source. It would be very helpful if the logfile

Re: Stalling slave transfers

2013-05-09 Thread Cathy Almond
On 08/05/13 19:15, Tom Sommer wrote: On 5/8/13 12:25 PM, Cathy Almond wrote: On 08/05/13 08:26, Tom Sommer wrote: Hi, I have a problem with one of 3 slave servers, all set up the exact same way, with the exact same bind version and configuration. One slave has a problem transferring zones

Re: disabling lame server logging

2013-02-27 Thread Cathy Almond
On 26/02/13 21:34, Bryan Harris wrote: Hi Robert, On Feb 26, 2013, at 2:23 PM, Robert Moskowitz r...@htt-consult.com wrote: On 02/26/2013 01:57 PM, Doug Barton wrote: On 02/26/2013 10:38 AM, Robert Moskowitz wrote: I would like a scalpel for lame logging, but probably would not discover

Re: Define an internal zone with only a couple of A records, then forward to an external dns server

2013-01-17 Thread Cathy Almond
On 17/01/13 15:16, wbr...@e1b.org wrote: Alberto wrote on 01/17/2013 10:09:00 AM: - I want to define in my dns server a zone external_partner.com, which is the domain of our partner who manages it with his dns public server dns.external_partner.com. - I need to define into this zone a

Re: Noisy messages from BIND about root hints change

2013-01-11 Thread Cathy Almond
On 07/01/13 17:14, Chris Thompson wrote: One (but only one) of our recursive nameservers, running BIND 9.8.3-P4 we got a whole lot of messages in the log as a result of last week's change of address for d.root-servers.net: Jan 4 06:24:08 recdns1.csx.cam.ac.uk named[9496]: general: warning:

Re: Named stopped loging?

2013-01-02 Thread Cathy Almond
On 28/12/12 15:54, Manson, John wrote: Good Day Running 9.9.2 for about a month now with no worries. Today I noticed only the reload message in the namedlog and not the zone messages that are usually there after stopping and restarting the named process. Worked fine on the 26th but not

Re: Preference of Master Name Servers

2012-12-07 Thread Cathy Almond
On 06/12/12 14:12, Matus UHLAR - fantomas wrote: On 05.12.12 17:28, David Hall wrote: Question 1: In our secondary / slave name servers we specify the master name servers in the normal manner: zone mysample.me.uk { type slave; file m/y/db.mysample.me.uk; masters { 10.10.100.12;

Re: rndc sign, auto-dnssec maintain and TYPE65534 record stickyness?

2012-11-27 Thread Cathy Almond
On 26/11/12 14:47, Phil Mayers wrote: All, Up front, I should note that this was on a hidden master server which was running 9.7.0 (since updated). So it may not work this way on current versions of bind. We (well, I) had a little accident recently when rolling a ZSK. We use auto-dnssec

Re: Bind 9.9.2 ADB Question Update

2012-11-15 Thread Cathy Almond
On 15/11/12 15:49, Manson, John wrote: The adb grow-names process? does not appear to be related to recursive cache as I cleared cache while monitoring syslog and the counter kept increasing. However a reload did start the adb grow-names process anew. Both shown below . . . Nov 14

Re: Bind 9.9.2 ADB Question Update

2012-11-15 Thread Cathy Almond
On 15/11/12 16:17, Cathy Almond wrote: On 15/11/12 15:49, Manson, John wrote: The adb grow-names process? does not appear to be related to recursive cache as I cleared cache while monitoring syslog and the counter kept increasing. However a reload did start the adb grow-names process anew

Re: Problem with ACL in named.conf

2012-08-30 Thread Cathy Almond
On 30/08/12 03:19, GS Bryan wrote: My BIND version, as shown by 'named -v' is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6. 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever. -- Bryan S.G. You're correct - named-checkconf doesn't see the problem, but named errors

Re: Problem with ACL in named.conf

2012-08-30 Thread Cathy Almond
On 30/08/12 03:17, GS Bryan wrote: hmm... that explains it. Damn, DNSMadeEasy needs to have notify notices sent to a different IP set than their nameserver service. This means that I have to hardcode this myself. Another question then, if zone 'example.net' has the NS records of

Re: What does deleted from unreachable cache mean?

2012-08-03 Thread Cathy Almond
On 02/08/12 19:00, Michael Hoskins (michoski) wrote: -Original Message- From: Peter Olsson p...@leissner.se Date: Thursday, August 2, 2012 10:25 AM To: Cathy Almond cat...@isc.org Cc: bind-users@lists.isc.org bind-users@lists.isc.org Subject: Re: What does deleted from unreachable

Re: What does deleted from unreachable cache mean?

2012-08-02 Thread Cathy Almond
On 19/07/12 00:49, Peter Olsson wrote: Hello! After my latest bind upgrade our slave server started occasionally writing these messages to the log: master 2a02:::::2#53 (source ::#0) deleted from unreachable cache master 62.xxx.xxx.2#53 (source 0.0.0.0#0) deleted from

Re: BIND 9.8.3-P2 is now available

2012-07-30 Thread Cathy Almond
On 30/07/12 06:50, John Marshall wrote: On 25/07/2012 04:04, Cathy Almond wrote: Introduction BIND 9.8.3-P2 is the latest production release of BIND 9.8. Would whoever is responsible for release announcements please note that this wasn't announced on bind-announce. I haven't had time

ISC Security Advisory: High TCP Query Load Can Trigger a Memory Leak in BIND 9

2012-07-24 Thread Cathy Almond
ISC Security Advisory: Note: This email advisory is provided for your information. The most up to date advisory information will always be at: https://kb.isc.org/article/AA-00730 please use this URL for the most up to date advisory information. Title: High TCP Query Load Can Trigger a Memory

ISC Security Advisory: Heavy DNSSEC Validation Load Can Cause a Bad Cache Assertion Failure in BIND9

2012-07-24 Thread Cathy Almond
Note: This email advisory is provided for your information. The most up to date advisory information will always be at: https://kb.isc.org/article/AA-00729 please use this URL for the most up to date advisory information. Title: Heavy DNSSEC Validation Load Can Cause a Bad Cache Assertion Failure

BIND 9.7.6-P2 is now available

2012-07-24 Thread Cathy Almond
Introduction BIND 9.7.6-P2 is the latest production release of BIND 9.7. This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P2. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can

BIND 9.6-ESV-R7-P2 is now available

2012-07-24 Thread Cathy Almond
Introduction BIND 9.6-ESV-R7-P2 is the latest production release of BIND 9.6-ESV. BIND 9.6-ESV is an Extended Support Version of BIND 9. This document summarizes changes from BIND 9.6-ESV-R6 to BIND 9.6-ESV-R7-P2. Please see the CHANGES file in the source code release for a

BIND 9.8.3-P2 is now available

2012-07-24 Thread Cathy Almond
Introduction BIND 9.8.3-P2 is the latest production release of BIND 9.8. This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P2. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can

BIND 9.9.1-P2 is now available

2012-07-24 Thread Cathy Almond
Introduction BIND 9.9.1-P2 is the latest production release of BIND 9.9. This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P2. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can

Re: BIND 9.9.1-P1 reload bug

2012-07-12 Thread Cathy Almond
On 12/07/12 08:20, Michael Hoskins (michoski) wrote: stupid question: i spent all of five minutes looking around isc.org -- but i did click all the top-level bind-related links, and couldn't find a pointer to rt to search for this ticket. does it require a support contract, is it

Re: BIND CPU load problems

2012-07-11 Thread Cathy Almond
On 10/07/12 13:08, Phil Mayers wrote: On 10/07/12 12:56, Shon Stephens wrote: Dear Mike, I am not being hit with a Denial of Service attack and the query logging doesn't appear to be any different from other hosts in the DNS complex. There are no errors in logs or messages files either.

Re: BIND 9.9.1-P1 reload bug

2012-07-11 Thread Cathy Almond
This just happened on our nameserver: 11-Jul-2012 13:54:01.711 general: info: received control channel command 'reload' 11-Jul-2012 13:54:01.712 general: info: loading configuration from '/etc/named.conf' 11-Jul-2012 13:54:01.891 general: critical: server.c:4436: fatal error: 11-Jul-2012

Re: getting edns disabling message in logs

2012-07-05 Thread Cathy Almond
On 04/07/12 20:14, Michael Hoskins (michoski) wrote: -Original Message- From: Tony Finch d...@dotat.at Date: Wednesday, July 4, 2012 7:54 AM To: Cathy Almond cat...@isc.org Cc: bind-users@lists.isc.org bind-users@lists.isc.org Subject: Re: getting edns disabling message in logs

Re: getting edns disabling message in logs

2012-07-04 Thread Cathy Almond
On 04/07/12 07:12, Ben wrote: Hi Tony, Thanks for your kind response. Disabling EDNS due to firewall misconfiguration, raise any problem to DNS activity.? I mean my users face any name resolution problems or ...?

Re: Bind 9.8.1-P1 is crashing again and again

2012-07-03 Thread Cathy Almond
On 02/07/12 14:32, Gaurav Kansal wrote: Dear Team, My BIND DNS Server is crashing again and again. I am getting these logs: Jul 2 12:03:33 gaurav named[30523]: query.c:5379: INSIST(!is_zone) failed, back trace Jul 2 12:03:33 gaurav named[30523]: #0 0x805a7a5 in

Re: Moving DNS out of non-cooperative provider

2012-06-21 Thread Cathy Almond
On 19/06/12 11:18, Alexander Gurvitz wrote: 3282. [bug] Restrict the TTL of NS RRset to no more than that of the old NS RRset when replacing it. [RT #27792] [RT #27884] Just to clarify - does this rule applies also while replacing

Re: journal rollforward failed: journal out of sync with zone

2012-04-13 Thread Cathy Almond
Is the journal file on the master (the source of the zone files that are transferred via cron jobs) or on the slave (the recipient of the zone files)? Why are you using ixfr-from-differences - what operational purpose does it serve for you? The other thing to consider also is your operational

Re:

2012-03-14 Thread Cathy Almond
On 13/03/12 20:46, Mark Andrews wrote: In message cb84b51a.4a53a%dan.mcdon...@austinenergy.com, Daniel McDonald writ es: On 3/13/12 8:20 AM, hugo hugoo hugo...@hotmail.com wrote: == do I have to create in zone toto.be the following NS record: titi.toto.be. TTL IN

Re: BIND 9.9.0 assertion failure

2012-03-14 Thread Cathy Almond
On 14/03/12 10:11, Eivind Olsen wrote: In BIND 9.9.0(CentOS 4.6) Mar 9 06:58:51 X named[17533]: general: critical: client.c:318: INSIST(client->newstate <= 3) failed, back trace

Re: Can I set TTL served to users in bind?

2012-03-09 Thread Cathy Almond
On 09/03/12 08:22, Jeff Peng wrote: On 2012-3-9 16:11, Drunkard Zhang wrote: I got some bind servers doing iteration resolution, and return the results to users. But I found that some names got too big TTLs, whose RRs can not be replaced correctly by new RRs in time. This leads to user's blame,

Re: Can't compile bind 9.8.1-P1 on Solaris

2011-11-17 Thread Cathy Almond
On 17/11/11 05:33, King, Harold Clyde (Hal) wrote: With great help I got Bind 9.8.1 to compile on solaris but I can not get Bind to start up. I am getting: 17-Nov-2011 00:31:23.609 initializing DST: openssl failure 17-Nov-2011 00:31:23.609 exiting (due to fatal error) Is anyone else

Re: (Non existing domain) query lookup logs in a seperate log file

2011-11-13 Thread Cathy Almond
On 13/11/11 07:59, babu dheen wrote: Dear Support, Can anyone help me how to enable a separate log file for NXDOMAIN(Non existence) DNS query lookup in BIND? Regards Papdheen M BIND doesn't log query responses - only queries received. There are statistics available on how many

Re: host versus nslookup

2011-10-15 Thread Cathy Almond
On 12/10/11 23:09, Kevin Darcy wrote: As far as I know, only HP-UX has hacked nslookup to look at /etc/hosts. And I don't think it even looks at the switch file or other naming sources (e.g. Yellow Plague). HP-UX's nslookup enhancement is a one-off, I believe. For the record, on HP-UX it does

Re: R: Bind DLZ and Postgres 8.4.8

2011-10-05 Thread Cathy Almond
On 04/10/11 21:38, Job wrote: Hello, everything is fine, i patched the source tree! Thank you, regards! Francesco Whose source tree? Is the patch something that would be useful/appropriate to share here? Regards, Cathy

Re: what does dig +trace do?

2011-09-02 Thread Cathy Almond
On 31/08/11 16:36, Tom Schmitt wrote: What strikes me as odd is that the first query does return 4 (internal) root servers, but no glue records ? I have no idea why this is this way. Because +trace only displays the answer section of the responses by default. Try dig +trace +additional.

Re: CVE-2011-1910 vs bind 9.6-ESV-R4-P3

2011-08-03 Thread Cathy Almond
On 03/08/11 10:25, Issam Harrathi wrote: Hi all, when i see this about the affected version by the CVE-2011-1910: 9.6: 9.6.3, 9.6-ESV-R2, -R3, -R4, -R5b1 does this mean that the 9.6-ESV-R4-P1 is affected? I know it's a bit unwieldy and large at the moment (we have thoughts on how to remedy

Re: stub zone

2011-07-26 Thread Cathy Almond
On 25/07/11 20:55, ju wusuo wrote: Would like to use the BIND stub zone function, however, heard that ISC considers stopping support to stub zone in the future, is that true? I think we may have confused some people in the past about support for this because of what's written in the ARM about

Re: BIND 9.6.1-P3 Vulnerabilities

2011-07-14 Thread Cathy Almond
On 07/06/11 16:21, Borgia, Joe A CTR USAF AFMC AFRL/RIOS wrote: BIND 9.6.1-P3 seems to be a somewhat old release of BIND, and yet, I can find no vulnerabilities listed on the ISC Security Advisories pages. Am I missing something? Yes. :-( https://www.isc.org/software/bind/security/matrix

Re: Fwd: Re: Fwd: Re: Difference between netstat rndc status

2011-07-05 Thread Cathy Almond
On 05/07/11 06:25, Bind wrote: -Original Message- From: Bind b...@dci.ir To: Mark Andrews ma...@isc.org Date: Tue, 05 Jul 2011 09:55:03 +0430 Subject: Re: Fwd: Re: Difference between netstat rndc status Thanks for your best support and answers all the time. Could u explain

Re: EDNS request problem on TTL=0 data

2011-06-28 Thread Cathy Almond
On 27/06/11 16:39, Paul Wouters wrote: On Mon, 27 Jun 2011, Florian Weimer wrote: 1 Is this problem happening because EDNS failure is not remembered for forwarders? There is no realiable way to detect EDNS support in forwarders, so there isn't anything to remember, really. Sadly, the

Re: Resolver issue - drop in qps and memory leak

2011-04-08 Thread Cathy Almond
Hi Dennis, There are some fixes for cache management issues on recursive servers that have been released recently. This sounds like it might have been one of those problems. If you want to stay on 9.6, then I'd recommend 9.6-ESV-R4 to you Otherwise you might like to take a look at 9.7.3. Cathy

Re: Q on clients-per-query, max-clients-per-query

2011-03-24 Thread Cathy Almond
So, does BIND behave the same whether it is a single PC making 100 queries for the same record compared to 555 PCs making queries for the same record? That is, how does BIND treat clients-per-query, max-clients-per-query differently based upon the query requesters' IP address(es)? (I

Re: Public Advisory on DNSSEC Failures with New DS Records

2011-02-07 Thread Cathy Almond
Stephane, It looks like something went awry on the website. We've fixed it. Thanks for the heads-up. Cathy On 07/02/11 08:49, Stephane Bortzmeyer wrote: On Fri, Feb 04, 2011 at 04:11:03PM -0800, Larissa Shapiro laris...@isc.org wrote a message of 37 lines which said: The full advisory

Re: bind makes RRSIG disappear?

2011-02-07 Thread Cathy Almond
Hi Gilles, You've identified a corner-case bug - the logic is incorrect in the case where the ACL holds none instead of being empty. There's no compile-time option - but we are treating what you've reported to us as a bug (RT #23120). It is currently under investigation/discussion. Many thanks
