Re: Only one DS key comes back in query

2022-05-18 Thread Matthew Pounsett
On Mon, May 16, 2022 at 2:41 PM frank picabia wrote: > I've been using open source for decades. Long enough that I rarely need > to use lists for help. > > Here's the RFC mentioning reserved domain name use: > https://www.rfc-editor.org/rfc/rfc2606.html > Those reservations are for testing and

Re: Getting the name of responding server(s)

2021-09-07 Thread Matthew Pounsett
On Tue, 7 Sept 2021 at 03:45, Stephane Bortzmeyer wrote: > The only solution is chasing the delegations from the root (which is > what dig +trace is doing). Caching speeds it, this is why it is > better to go through your resolver than using dig +trace. Yeah, you can pretty reliably get the

Broken signatures on packages.sury.org

2021-03-17 Thread Matthew Pounsett
Beginning today, I'm seeing the following errors on systems that use the ISC Debian packages: Err:5 https://packages.sury.org/bind buster InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key I haven't seen any official word from ISC

Re: Forwarded lookup failing on no valid RRSIG

2020-12-20 Thread Matthew Pounsett
On Fri, 18 Dec 2020 at 18:08, Nicolas Bock wrote: > Thanks Mark. Am I correct then that I need to either convince the > administrator of that DNS to enable DNSSEC or configure my DNS with > `dnssec-validation = no`? > The upstream administrator isn't required to be validating DNSSEC for this to

Re: checkzone from stdin?

2020-04-08 Thread Matthew Pounsett
On Wed, 8 Apr 2020 at 15:55, Anand Buddhdev wrote: > Note that it would work with "cat file | ..." but I absolutely hate the > cat-pipe combination. I've been known to mark down interviewees who > offer a solution that involves cats and pipes :) > That was just a minimal example to demonstrate

Re: checkzone from stdin?

2020-04-08 Thread Matthew Pounsett
fortunately, we don’t backport new features, so either you need to > follow the 9.17 track or backport the patch yourself. It should be fairly > straightforward to backport it to 9.16 branch since the codebases don’t > differ much yet. > > Ondrej > -- > Ondřej Surý — ISC > >

checkzone from stdin?

2020-04-08 Thread Matthew Pounsett
It looks to me like named-checkzone isn't able to read a zone file from stdin. % cat example.com.db | named-checkzone example.com - zone example.com/IN: loading from master file - failed: file not found zone example.com/IN: not loaded due to errors. % cat example.com.db | named-checkzone

Re: CloudSmith repository missing

2019-10-09 Thread Matthew Pounsett
On Wed, 9 Oct 2019 at 19:14, Ondřej Surý wrote: > Hi Matt, > > sorry for the confusion with the CloudSmith repositories. We’ve been > experimenting with the different models, and we’ve decided to keep the BIND > 9 packages closer to the official distributions, that means that the > packages for

CloudSmith repository missing

2019-10-09 Thread Matthew Pounsett
Hi! It looks like the BIND Cloudsmith repository, which was there earlier this week, is no longer present. Hit:9 https://packages.icinga.com/debian icinga-stretch InRelease > Ign:10 https://dl.cloudsmith.io/public/isc/bind/deb/debian stretch > InRelease > Err:11

Re: Problem with zone delegation with private gTLD

2019-04-09 Thread Matthew Pounsett
On Tue, 9 Apr 2019 at 06:32, Tony Finch wrote: > > Matthew Pounsett wrote: > > > > RFC2606 reserves test, example, invalid, and localhost, for "testing > > and documentation," > > However you must either disable validation or set up your own root zone to

Re: Problem with zone delegation with private gTLD

2019-04-08 Thread Matthew Pounsett
On Mon, 8 Apr 2019 at 14:33, Matus UHLAR - fantomas wrote: > > I don't find any of existing domains suitable for more permanent usage. Yes, and I believe that's the desirable situation. More permanent uses (such as the (mis)use of .local you mentioned) should make use of registered domains to

Re: Problem with zone delegation with private gTLD

2019-04-08 Thread Matthew Pounsett
On Mon, 8 Apr 2019 at 10:35, Xavier Humbert wrote: > > On 08/04/2019 13:05, Matus UHLAR - fantomas wrote: > > I believe there should be reserved gTLD for such usage. > > Is this not what the TLD /.invalid/ is supposed to be ? RFC2606 reserves test, example, invalid, and localhost, for "testing

Re: bind and certbot with dns-challenge

2019-03-18 Thread Matthew Pounsett
On Sun, 17 Mar 2019 at 13:34, Grant Taylor via bind-users < bind-users@lists.isc.org> wrote: > > > I mean, sure you can use it perfectly, only not good if hosting hundreds > > or thousands domains > > Why can't you use BIND to host hundreds or thousands of domains? > You definitely can. My

Re: Operational Notification: Extremely large zone transfers can result in corrupted journal files or server process termination

2018-07-13 Thread Matthew Pounsett
On 13 July 2018 at 06:04, Michał Kępień wrote: > Hopefully this will shed some light on the matter: > > https://gitlab.isc.org/isc-projects/bind9/issues/339#note_12805 > > That is helpful, thanks. That comment says the issue requires a journal entry of over 4G, however the original bug

Re: Operational Notification: Extremely large zone transfers can result in corrupted journal files or server process termination

2018-07-12 Thread Matthew Pounsett
On 9 July 2018 at 16:22, Klaus Darilion wrote: > What is an "extraordinarily large zone transfer"? We do have regularly > AXFR and IXFRs around 2GB. Is this "extraordinarily large"? > I've also been curious about this. Are we talking millions of records, tens or hundreds of millions, or

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Matthew Pounsett
On 14 June 2018 at 10:16, Axel Rau wrote: > > Am 14.06.2018 um 16:12 schrieb Alan Clegg : > > Additionally, I read this as "the records changed are in an included > file" -- is the serial number in the "including" zone being incremented? > > Yes. > > I think at this point you're going to need to

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Matthew Pounsett
On 14 June 2018 at 06:27, Axel Rau wrote: > > Am 07.06.2018 um 13:36 schrieb Axel Rau : > > > occasionally named 9.11.3 fails to increment SOA serial like here: > > file: 2018060605 dns: 2018060604 > > > It just happened again. An included zone file has been changed from 2 TLSA > RRs to one: > -

Re: BIND rejecting key to update a zone

2018-06-10 Thread Matthew Pounsett
On 8 June 2018 at 11:01, Mark E. Jeftovic wrote: > I've started a fresh install here and started over and still having the > same issue, even when I crank the debug trace up to 5, I'm not seeing > anything additional in the logs: > > Another long shot... any chance there is an overlapping ACL in

Re: inline-signing: SOA serial out of sync

2018-06-07 Thread Matthew Pounsett
On 7 June 2018 at 07:36, Axel Rau wrote: > Hi all, > > occasionally named 9.11.3 fails to increment SOA serial like here: > > file: 2018060605 dns: 2018060604 > > zone file was edited by script and a rndc reload given. > [...] > Manual fixing requires another cycle with zone file

Re: Can we define masters as hostsname?

2018-05-23 Thread Matthew Pounsett
On 23 May 2018 at 07:37, Blason R wrote: > Hi Guys, > > Can we define masters as hostname instead of IP address? I guess its not > possible but wondering if community can shed come light on this? > > The short answer.. no, you can't do that. The definition for the slave zone

Re: Intermittent "failure trying master... operation canceled" on zone refresh

2018-05-18 Thread Matthew Pounsett
On 17 May 2018 at 17:05, Rob Moser wrote: > We're running a series of RHEL 7.4 machines (kernel version > 3.10.0-693.1.1.el7.x86_64) running bind version 9.9.4-RedHat-9.9.4-51.el7. > Our configuration consists of a hidden master and three hidden > slave/recursive resolvers.

Re: also-notify and allow-notify

2018-05-17 Thread Matthew Pounsett
On 17 May 2018 at 13:30, Blason R wrote: > Hi, > > I have RPZ installed on server and its acting as a master server but > somehow port setting is not working on master > > [...] > > So here I am sending notification to 192.168.5.49 on port 4545; my > queries are > > How do

Re: BIND source distribution missing?

2018-05-04 Thread Matthew Pounsett
On 4 May 2018 at 12:23, Evan Hunt wrote: > On Fri, May 04, 2018 at 04:19:43PM +, Evan Hunt wrote: > > You're right, something's broken. I see it too, and not just on chrome. > > I'll escalate. Thanks for bringing this to our attention. > > It's fixed now. > > Thanks Evan!

Re: BIND source distribution missing?

2018-05-04 Thread Matthew Pounsett
On 4 May 2018 at 08:18, Anand Buddhdev wrote: > > Also, needs an update to its 'welcome' file, because > > BIND doesn't seem to be distributed from there anymore. > > I can see all the BIND downloads at: > > ftp://ftp.isc.org/isc/bind9/ > > Ah yes, there they

BIND source distribution missing?

2018-05-04 Thread Matthew Pounsett
Hi ISC! I'm writing to let you know there seems to be a bug on the ISC web site. Coming from MacOS Chrome, I'm only being offered the binary Windows distribution of BIND for download from and from . Browser-detection bug

Re: Release Strategy Clarification

2018-04-28 Thread Matthew Pounsett
On 26 April 2018 at 13:42, Victoria Risk wrote: > > > You have correctly interpreted the chart in the blog post, but you don’t > have to update in January, just when there is a bug you need a fix for. If > that bug is a security bug, the red block means, we will issue a security

Release Strategy Clarification

2018-04-26 Thread Matthew Pounsett
This is a question for ISC about the new BIND release plan which I thought might be a useful clarification for others as well. I didn't notice this when the new plan was first presented in March, but the key text in the legend of the Example Release Plan[0] for the red blocks is "a release that

Re: RRSIG query

2018-04-10 Thread Matthew Pounsett
On 10 April 2018 at 12:05, rams wrote: > Hi > Greetings!! > We have 1Million signed zone records in bind. My zone is going to > auto-resign after 3 days. If we change RRSIG expire date to greater than > two months from now then if restart bind, Can we avoid auto-resign

Re: clean up an ddns zone

2018-03-23 Thread Matthew Pounsett
On 23 March 2018 at 13:32, Meike Stone via bind-users < bind-users@lists.isc.org> wrote: > Hello, > > at the moment, I use ISC dhcpd to register all client names in the DNS > (Bind) via isc's ddns api. Every thing is working well. > But now, some notebook clients should get company access via

Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-10 Thread Matthew Pounsett
On 10 March 2018 at 04:08, Matus UHLAR - fantomas wrote: > Cathy Almond wrote: >> >>> The rs.dns-oarc.net zone is broken because it returns a CNAME for >>> queries at the apex. >>> >> > On 09.03.18 15:23, Tony Finch wrote: > >> I just got a problem report from

Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-01-27 Thread Matthew Pounsett
On 27 January 2018 at 19:11, Matthew Pounsett <m...@conundrum.com> wrote: > The only thing I can think of that has changed in that time, which has > ever caused me query issues, is the addition of DNS cookies in the default > query. Some broken authoritative servers will inco

Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-01-27 Thread Matthew Pounsett
On 27 January 2018 at 16:24, NNEX Support wrote: > Good thought but no luck, it doesn’t matter how many times I run “dig txt > rs.dns-oarc.net” or how long I wait it continues to SERVFAIL until I run > "dig txt rs.dns-oarc.net +trace" Interestingly I've found that running >

Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-01-27 Thread Matthew Pounsett
On 26 January 2018 at 16:23, NNEX Support wrote: > I'm sure I'm doing something wrong, but for the life of me I can't figure > out what. I'm running named 9.12 in a simple recursive setup (built from > source on CentOS 7). > > [...] > When I try to run "dig txt

Re: [Question] zone transfer issue with multiple views

2017-12-08 Thread Matthew Pounsett
On 8 December 2017 at 17:37, Eoin Kim wrote: > Hi, > > > Thanks for your help. But is it possible to do it without additional IP > address? I thought that I am not really bad with BIND but as soon as I > started using views, I'm going nowhere > > > In order for

Re: Proper use of keyid in allow-transfer

2017-12-07 Thread Matthew Pounsett
On 7 December 2017 at 07:41, MURTARI, JOHN wrote: > > > The slave server defines the same key and is located at > 192.168.1.1. When we use the above on the master, transfers for any zone > work fine. If we remove the IP address and try a transfer we get >

Re: Email & PTR Issues

2017-11-07 Thread Matthew Pounsett
On 7 November 2017 at 10:31, James Pifer wrote: > Hello. I'm looking for help with an issue I've been fighting for some time. > > Background: > Running BIND 9.9. > Forwarding UDP & TCP Port 53 through firewall. > > I have issues emailing to certain domains. I use my own

Re: Query for newly added/modified data in zone fails at random

2017-10-12 Thread Matthew Pounsett
On 12 October 2017 at 11:03, Nikkilä, Tommi wrote: > Hi! > > > > My BIND (version 9.9.4-RedHat-9.9.4-51.el7) is displaying some odd > behavior. When updating a zone, BIND randomly refuses to return the newly > added and/or modified data for client. In my named.conf I have

Re: Strange recursor response time pattern

2017-09-05 Thread Matthew Pounsett
On 5 September 2017 at 11:56, Havard Eidnes wrote: > Hmm... > > some further local discussion has made me aware that us running > "collectd" for monitoring BIND may be contributing to the > problem; collectd fetches data each 10s by using the BIND- > configured

Re: botched KSK rollover

2017-08-21 Thread Matthew Pounsett
On 21 August 2017 at 07:18, Phil Mayers wrote: > > Gandi are another excellent registrar that I can recommend. They have a > comprehensive API for all their features, including uploading DNSSEC public > keys and consequent creation of the DS record. > > I'm hoping CDS

Re: Can bind works without defining root servers

2017-08-15 Thread Matthew Pounsett
On 15 August 2017 at 11:29, King, Harold Clyde (Hal) wrote: > How does Bind update the root servers? Does it go out and check, or is a > release made for each change? > Yes. :) BIND has a compiled-in root hints list that is kept up to date at each release, which can be overridden

Re: Enforce EDNS

2017-02-07 Thread Matthew Pounsett
On 6 February 2017 at 19:59, Mark Andrews wrote: > > Unfortunately we then need to decide what to do with servers that > don't answer EDNS + DNS COOKIE queries. Currently we fall back to > plain DNS which works except when there is a signed zone involved > and the server is

Re: Graphing BIND 9.11/9.10 Queries

2017-01-19 Thread Matthew Pounsett
On 19 January 2017 at 10:16, Phil Mayers wrote: > On 19/01/17 15:12, John W. Blue wrote: > >> Daniel, >> >> Thanks for sharing. I like the HTTP statistics channel but trying slice >> up the XML has been challenging. Going to be checking this combo out. >> > > We moved

Re: BIND transferring zones with incorrect view

2016-12-22 Thread Matthew Pounsett
et.site" { > type slave; > masters { > 10.233.0.198; > }; > file "/var/named/slaves/intranet.site.LAN.hosts"; > }; > } > > > > On Dec 21, 2016, at 10:59 AM, Asai <a...@globalchangemusic.org> wrote: > > Yes, thank you. I think Mark’s l

Re: BIND transferring zones with incorrect view

2016-12-21 Thread Matthew Pounsett
On 20 December 2016 at 16:45, Asai wrote: > Greetings, > > Quick question. Using BIND 9.9.4. I have 2 zones. One for LAN traffic, > and one for WAN traffic. My secondary server is transferring the wrong > zones, so that my WAN zone has all the A records for my LAN

Re: semicolons in dig output

2016-11-09 Thread Matthew Pounsett
On Fri, Nov 4, 2016 at 13:51 Robert Edmonds <edmo...@mycre.ws> wrote: > Matthew Pounsett wrote: > > Was this actually a change between BIND 9.8 and 9.9? Was it deliberate, > or > > an accident that might be reversed at some point? > > It's this change: > &g

Re: Wildcard SRV record?

2016-10-31 Thread Matthew Pounsett
On 31 October 2016 at 12:35, Stephen Pape wrote: > Is there a better way for me to do this, or do I have to generate a > whole lot of specific CNAME records? > If your subdomains follow a predictable pattern, then this seems like a prime use of the $GENERATE statement. You

Re: acl

2016-10-18 Thread Matthew Pounsett
On 8 October 2016 at 09:57, Pol Hallen wrote: > 192.168.1/24 is not a valid netmask >> > > huh? > In linux and BSD I always use 192.168.1/24 (how shortcut of 192.168.1.0/24) > and so on... You're confusing network configuration with ACL syntax. Where you're using

Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Matthew Pounsett
On 29 September 2016 at 15:07, Tim Daneliuk wrote: > > > No, not really. It's for a private cloud microservices system we're > thinking through. We already run most/many of the various service > backends in user space so that the app devs and support folks can control >

Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Matthew Pounsett
On 29 September 2016 at 12:02, Tim Daneliuk wrote: > In the dark and dusty reaches of my elderly DNS experience, ISTR a way to > set up A records so that the request to resolve a name returns a *list > of associated IPs*. This is distinct from DNS RR (I think?) which >

Re: dig +trace = Bad Referral or Bad Horizontal referral

2016-09-20 Thread Matthew Pounsett
g to have to share details of your configuration. > > On Tue, Sep 20, 2016 at 8:58 AM, Matthew Pounsett <m...@conundrum.com> > wrote: > >> >> >> On 16 September 2016 at 11:12, project722 <project...@gmail.com> wrote: >> >>> I have an interest

Re: dig +trace = Bad Referral or Bad Horizontal referral

2016-09-20 Thread Matthew Pounsett
On 16 September 2016 at 11:12, project722 wrote: > I have an interesting problem. I started noticing that when I do a dig > +trace against one of the domains we are authoritative for, we get errors > from our nameservers for "Bad Referral" and you can see where it forwarded

Re: Question about dynamic IPv6-PTR-Generation

2016-08-26 Thread Matthew Pounsett
On 26 August 2016 at 15:41, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: > >>> On 26.08.16 14:01, Matthew Pounsett wrote: > >> That's not necessarily true for IPv6, where even a modest network could >> have trillions of addresses that may need PTR records

Re: Question about dynamic IPv6-PTR-Generation

2016-08-26 Thread Matthew Pounsett
On 26 August 2016 at 13:45, Matus UHLAR - fantomas wrote: > On 26.08.16 07:34, Tom Tom wrote: > >> I'm searching a way to respond to IPv6-PTR-Queries like the >> "$GENERATE"-mechanism for IPv4 has done it. >> > > why? configuring single IP addresses or taking them from DHCP is

Re: Delegation questions

2016-08-11 Thread Matthew Pounsett
On 11 August 2016 at 10:14, Bob McDonald wrote: > > Currently, clients sending queries for domain child.example.com. to > server A get good results. > However, clients sending queries for domain child.example.com. to server > C get SERVFAIL because server C has no access

Re: Delegation questions

2016-08-11 Thread Matthew Pounsett
On 11 August 2016 at 09:13, Bob McDonald wrote: > I have a child domain that is delegated to a second site. Pretty > straightforward situation. In the parent zone I have NS records that point > to the DNS servers at the second site. > > The issue comes up when a slaved

Re: named and use of resolv.conf? - how to "learn" this

2016-08-03 Thread Matthew Pounsett
On 2 August 2016 at 19:50, Evan Hunt <e...@isc.org> wrote: > On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote: > > Yes it will. But, as far as I understand, it uses the recursive code > paths > > to do that, and won't consult resolv.conf. Yes? > &g

Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Matthew Pounsett
On 2 August 2016 at 17:01, Ray Bellis <r...@isc.org> wrote: > On 02/08/2016 19:47, Matthew Pounsett wrote: > > > In the authoritative configuration, BIND has no need to do DNS lookups > > of its own, so it wouldn't be any use there. > > That's not strictly true - B

Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Matthew Pounsett
On 2 August 2016 at 12:25, Spumonti Spumonti wrote: > (I've done several searches for this first but the general nature of some > of these terms returned way too many non-relevant responses) > > I was recently told that named does not use resolv.conf when resolving > names.

Re: Loading all zone files in a directory

2016-07-23 Thread Matthew Pounsett
On 23 July 2016 at 15:25, Danilo wrote: > Is there a way to get Bind to automatically include config files in a > directory? If not, might it make sense to place a feature request for > this with the Bind developers? If yes, what would the process be for > such a request? Or is

Re: Forward zone not working

2016-05-17 Thread Matthew Pounsett
On 17 May 2016 at 09:29, Woodworth, John R wrote: > > > > > >Ideally every machine should be registering its own PTR record in the > > > >DNS and addresses without machines shouldn't have PTR records. > > > >The only reason ISP did this is that they were too lazy

Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Matthew Pounsett
On 16 May 2016 at 19:03, Josh Nielsen wrote: > Thank you for the response Mark. I'm still a little confused at what this > might mean though. Clearly the originating address is my slave DNS server > (every single one of the messages say "error: client 10.20.0.101"). > >

Re: Shared libraries loaded after chroot

2016-05-16 Thread Matthew Pounsett
On 16 May 2016 at 04:38, Marc Haber wrote: > I have filed Debian Bug #820974 (http://bugs.debian.org/820974) > accordingly. The Debian bind people suggest that I copy the respective > libraries to the chroot so that bind can find them. > Yeah, this has been the fix

Re: Forward record for WWW

2016-05-05 Thread Matthew Pounsett
On 5 May 2016 at 11:55, Stephane Bortzmeyer wrote: > On Thu, May 05, 2016 at 03:42:24PM +, > Cuttler, Brian R. (HEALTH) wrote > a message of 29 lines which said: > > > External record in the zone file is actually > > wadsworth.org. 300 IN A

Re: Nsupdate usage scenario

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 16:38, wrote: > > > On Mon, May 2, 2016, at 12:15 PM, Jeremy C. Reed wrote: > > What about using a specific zone file just for the purpose of the single > > A record you want to maintain using dynamic updates? > > Well, this is a timely idea for another

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 10:05, wrote: > General question -- > > When I want to change a zone file's data manually, say to add an A record, > what's the right procedure: > > If the zone is set up for dynamic updates, like the examples you've given, then in order to touch the

Re: also-notify and nsupdate doesn't work

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 10:09, wrote: > hi, > > What you're describing sounds wrong. It shouldn't work that way. >> > what do you mean by "wrong" and which "it" should not work? :-) > > What I mean is, given a typical configuration, the brokenness you're observing shouldn't be broken.

Re: also-notify and nsupdate doesn't work

2016-05-01 Thread Matthew Pounsett
On 1 May 2016 at 23:57, wrote: > hi, > i have a setup with one normal and some hidden slaves. > i set up a zone with also-notify and all worked fine. > all slaves got notifies and updates. > now i added a key and policy to remote update the zone. > the updates with nsupdate works

Re: Compiling BIND9 on CentOS 7

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 08:34, Sean Son wrote: > Thank you for your response. Basically what I am trying to do is migrate > the BIND server from a Centos 5.11 machine to a CentOS 7.2 machine. The > BIND on CentOS 5.11 was compiled manually by source and its

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 07:40, Stephane Bortzmeyer <bortzme...@nic.fr> wrote: > On Wed, Apr 27, 2016 at 07:32:48AM -0700, > Matthew Pounsett <m...@conundrum.com> wrote > a message of 49 lines which said: > > > One of these days I'd like to lead a serious lobbying

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 07:42, Baird, Josh wrote: > Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]? > > [1] > https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/ It's possible. We do a similar thing at eNom... we

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 07:26, Stephane Bortzmeyer wrote: > On Wed, Apr 27, 2016 at 05:05:50PM +0300, > Daniel Dawalibi wrote > a message of 52 lines which said: > > > our setup requires a CNAME record. > > Bad setup. (And has always been bad.) > >

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 03:07, Tony Finch <d...@dotat.at> wrote: > Matthew Pounsett <m...@conundrum.com> wrote: > > > > Privsep doesn't actually fix the same problem chroot does. As I > > understand it, privsep reduces the attack surface for remote execution > &g

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-26 Thread Matthew Pounsett
On 25 April 2016 at 11:44, wrote: > > > > I completely gave up on chroot'd ntpd because of the endless weirdness. > Finally just moved to openntpd as (1) it had safe privsep, (2) no chroot > req'd, and (3) did the job I need. > Privsep doesn't actually fix the same

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On Monday, 25 April 2016, <jaso...@mail-central.com> wrote: > > > On Mon, Apr 25, 2016, at 10:58 AM, Matthew Pounsett wrote: > > It's not clear to me why one would want to destroy/rebuild the chroot > every > > time you restart the process. > > Well, here >

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On 25 April 2016 at 13:53, wrote: > > > I suspect that there's something wrong with what is/isn't copied , and > maybe when, in that chroot build/destroy script. > It's not clear to me why one would want to destroy/rebuild the chroot every time you restart the process.

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On 25 April 2016 at 13:44, <jaso...@mail-central.com> wrote: > > > On Mon, Apr 25, 2016, at 10:19 AM, Matthew Pounsett wrote: > > > TBH I don't understand WHAT to 'expect' from dig to test/verify this^. > > > What do I dig to get an answer with "

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On Sunday, 24 April 2016, wrote: > > This zone would not pass named-checkzone, which interestingly, is the > same code which named itself uses when initially loading a zone. > > It appears to > > named-checkzone -t /var/chroot/named example.com >

Re: dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-06 Thread Matthew Pounsett
On 2013-12-06, at 12:11 , Chris Thompson c...@cam.ac.uk wrote: The sense in which BIND forces use of TCP is that when it gets an IXFR request over UDP, it always just replies with the current SOA. It doesn't bother to work out whether an incremental transfer is possible and if so whether

dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-04 Thread Matthew Pounsett
I'm trying to debug an IXFR problem with a client, and using dig in its place to compare IXFR requests between it and the misbehaving client. I noticed that when I do an IXFR with dig it defaults to TCP rather than UDP. I tried forcing it over with +notcp but I still get a TCP query. From

Re: dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-04 Thread Matthew Pounsett
On 2013-12-04, at 21:22 , Mark Andrews ma...@isc.org wrote: The options are processed left to right so the +notcp has to be after the ixfr=serial. There are two reasons I don't understand why this is the case. 1) Since there is only one query in the command, I don't understand why left to

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-09 Thread Matthew Pounsett
On 2012/07/08, at 22:25, Barry Margolin wrote: In article mailman.Okay. So to answer my earlier question, what file were you talking about copying into the chroot environment for BIND? The shared library. When you link dynamically, all the libraries have to be in $chroot/usr/lib.

OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
I upgraded my OpenSSL and BIND ports on one of my machines yesterday afternoon, and ended up with BIND being unable to start due to some problem with OpenSSL. Unfortunately, it's not giving me any real information to go on about what the problem is. openssl version WARNING: can't open

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 15:04, Michael Sinatra wrote: What makes me doubt what I just said is that this has been an issue for more than a year now, so I am not sure why you have escaped it for so long. I assume you had openssl 1.0.x installed before you upgraded it--or was it an earlier

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 17:46, Doug Barton wrote: On 07/08/2012 13:40, Matthew Pounsett wrote: Yeah, I have to wonder if there's something that can be done in ports to prevent this from being an issue. You need to ask the nice openssl people to turn gost into a library instead of an engine

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 20:26, Mark Andrews wrote: One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows. Unfortunately the port doesn't provide the config hooks to disable GOST support.

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 20:29, Matthew Pounsett wrote: On 2012/07/08, at 20:26, Mark Andrews wrote: One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows. Unfortunately the port doesn't provide the config hooks to disable

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 20:40, Doug Barton wrote: On 07/08/2012 17:33, Matthew Pounsett wrote: On 2012/07/08, at 20:29, Matthew Pounsett wrote: On 2012/07/08, at 20:26, Mark Andrews wrote: One can also build named w/o GOST support if one wants. We statically link all the engines when

Re: big improvement in BIND9 auth-server startup time

2011-07-15 Thread Matthew Pounsett
On 2011/07/13, at 11:15, Evan Hunt wrote: People who operate big authoritative name servers (particularly with large numbers of small zones, e.g., for domain hosting and parking), and have had trouble with slow startup, may find this information useful:

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-20 Thread Matthew Pounsett
On 2011-05-19, at 21:58, Michael Sinatra wrote: If you're saying that you shouldn't *offer* recursive and authoritative services on the same box, then I generally agree. If you're saying that you shouldn't ever prime your cache with a zone, or have a recursive server be a slave to

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-19 Thread Matthew Pounsett
While it's possible you have encountered a bug with BIND, it's generally a bad idea to mix recursive and authoritative service in the same process. The RFCs that define the resolution algorithms were never written with mixed service in mind, and there are conflicts that can result in

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-19 Thread Matthew Pounsett
On 2011-05-20, at 00:35, Carlos Vicente wrote: That's news to me. What's the failure mode? Does the server return SERVFAIL, or does it not set the AD flag, or...? It's another undefined condition in the RFCs, and so the outcome is implementation specific. I believe in the case of BIND the

IXFR size limit?

2011-02-14 Thread Matthew Pounsett
Is there, by any chance, a maximum size to the IXFRs BIND will send? I've noticed an upstream server I slave from is being suspiciously consistent in the number of records it sends per IXFR (86,450 plus or minus ~10 records). The upstream server is part of an appliance, but fingerprints as

Re: IXFR size limit?

2011-02-14 Thread Matthew Pounsett
On 2011/02/14, at 10:47, Matthew Pounsett wrote: Is there, by any chance, a maximum size to the IXFRs BIND will send? I've noticed an upstream server I slave from is being suspiciously consistent in the number of records it sends per IXFR (86,450 plus or minus ~10 records). The upstream

Re: how to read and answer to this mailing list

2010-04-01 Thread Matthew Pounsett
On 2010/03/31, at 04:08, Markus Feldmann wrote: Matthew Pounsett schrieb: On 2010/03/30, at 19:04, Markus Feldmann wrote: Warren Kumari schrieb: In the footer of every message lurks the following link: https://lists.isc.org/mailman/listinfo/bind-users Yes ... i read this but you can

Re: MX records for new additional domain on existing authoritative name servers

2010-03-30 Thread Matthew Pounsett
Hi Karen. Please don't start a new thread by replying to an email in an existing discussion -- your message can get lost in that other discussion, rather than appearing as a new topic for anyone who threads their email. On 2010/03/30, at 16:30, Lear, Karen (Evolver) wrote: I'm adding a new

Re: Using an MX record from a different domain

2010-03-30 Thread Matthew Pounsett
On 2010/03/30, at 16:57, Lear, Karen (Evolver) wrote: I'm adding a new domain to my existing authoritative name servers, and need to add an MX record for a device residing on existing domain. When I run named-checkzone, I get a message about the MX record being out of zone and not

Re: Subdomain delegation only returns SOA on dig

2010-03-30 Thread Matthew Pounsett
On 2010/03/29, at 15:34, Prabhat Rana wrote: Hello all, I'm running BIND 9.6.1-P1 on a Solaris box. This DNS (ns1.spx.net) is authoritative to domain spx.net (this is just example). And I'm trying to delegate nse.spx.net to ns1.nse.spx.net. I think I have configured correctly but when

Re: how to read and answer to this mailing list

2010-03-30 Thread Matthew Pounsett
On 2010/03/30, at 19:04, Markus Feldmann wrote: Warren Kumari schrieb: In the footer of every message lurks the following link: https://lists.isc.org/mailman/listinfo/bind-users Yes ... i read this but you can not answer a mail this way. You can answer an email this way. I'm not sure if

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-29 Thread Matthew Pounsett
On 2010/03/28, at 18:48, Roy Badami wrote: configured). The queries are resulting in SERVFAIL, and I'm pretty sure the failures are DNSSEC-related, as when I've seen problems as they occur (dig failing from the command line) then repeating the query with the CD bit allowed it to succeed.

Re: Notify storms

2010-01-20 Thread Matthew Pounsett
On 2010/01/20, at 13:03, Dave Sparro wrote: We would like to make this better. Can anyone help with ideas on this? Are we missing something obvious? In that situation I'd consider using CVS on all of the servers to maintain the DNS data. Just make all of the servers masters, and
