bind_dlz and views and samba

ther DNS and setup views there, but that doesnt work either as all requests now come from IP of the DC and so the ACLs wont match. Any ideas how I can accomplish this? Peter -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of t

Re: Switching from rhel base 9.16 to 9.18 copr

On Sun, May 05, 2024 at 06:15:13PM +0200, Luca vom Bruch via bind-users wrote: ! Hello, ! ! I use bind (stock from alma 9.3) as a nameserver for a webhosting server ! with webmin/virtualmin. ! ! If I install BIND via copr (RHEL9 and derivatives only offer 9.16 instead of ! 9.18 - I want to

named 100% utilization

 zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };     zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; include "/var/lib/samba/bind-dns/named.conf"; }; view vpn {     match-clients { vpn; };     al

Re: XFR killed by security

On Mon, Mar 04, 2024 at 03:43:48PM +0100, Ondřej Surý wrote: ! > On 4. 3. 2024, at 14:55, Peter wrote: ! > ! > I don't find it really surprizing that XFR would contain "multiple ! > RRSIG entries". ! ! Unfortunately, this is obviously surprising to the vendor of the securi

XFR killed by security

Hi folks, a few days ago I apparently lost the beneficence of my zone feeds, and XFR started to get into timeout. Looking at the usual culprits I then found this: DNS Response containing multiple DNSSEC RRSIG Entries (Algorithm 14) - Possible CVE-2023-50387 Activity [Classification:

Re: occasional SERVFAIL error

7200 3600 604800 86400 Nameserver 2001:67c:1bd4:8080::10:     jiscd.sk has SOA record ns1.gov.sk. gov.sk. 2024022800 7200 3600 604800 86400 Nameserver 195.49.191.162:     jiscd.sk has SOA record ns1.gov.sk. gov.sk. 2024022800 7200 3600 604800 86400 Kind Regards Peter On 29/02/2024 15.20

Re: Stub zones, but secndary?

On Mon, Nov 20, 2023 at 03:30:13PM +1300, Nick Tait via bind-users wrote: ! On 20/11/2023 1:00 pm, Peter wrote: ! > It's tricky. One problem is these are slave zones, they are ! > authoritative and do not work well with DNSSEC. ! ! I'm curious... What issues did you have with these

Re: Stub zones, but secndary?

's a more elegant way. Like "secondary-hint" zones. ! Have I overlooked something? Maybe. As You can see, it can be done, but it's a bit weird - I got the fancy that I want to have all six-way in one running image. ;) (Originally I just got bored of the SSH known-host files, and to get rid of th

DNS DevRoom at FOSDEM2024 - Call for Participation

Hello DNS enthusiasts and other developers, After four earlier successful and packed DNS devrooms, we are happy to announce a half-day DNS devroom at FOSDEM 2024. As with the previous events, we hope to host talks anywhere from hardcore protocol stuff, to practical sessions for programmers that

Re: Unable to upgrade BIND v9.19.11 on Ubuntu without error

Hi Richard, FYI: The BIND 9.19.12 Release Notes contain the following: Removed Features ... Zone type delegation-only, and the delegation-only and root-delegation-only statements, have been removed. Using them is a configuration error. ... Kind Regards Peter

Re: How to make SRV records work with caching resolvers?

Hi, In July last year I asked about a problem with an IP telephone mis-handling the DNS responses (and got the clear answer that the telephone is to blame). I quote my original message here: On Wed, Jul 13, 2022 at 01:06:13PM +0200, Peter wrote: ! My Telco has removed the A record

Re: RPZ zone response delay time ?

` on Linux) that goes to your local system. 0.0.0.0 is not the right DNS response here, or almost anywhere. NXDOMAIN likely fits better. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from t

BIND Process failed during logrotate

I had the named process fail this past weekend on two secondaries running BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13. It seems that logrotate.d is calling the following script at the time of the failure. /var/named/data/named.run { missingok su named named create 0644 named named

Re: dnstab-read with detailed information

On Wed, Mar 15, 2023 at 09:34:40PM +, MAYER Hans wrote: ! ! ! Dear All, ! ! dnstab is a great feature to analyse the details what’s going on. But I think there is room for improvement. ! ! I write the data to a file and once a day I do a log rotate. ! With "dnstab-read FILE | grep IP“ I

Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

On Tue, Jan 17, 2023 at 05:28:57PM -0600, E R wrote: ! I am planning on implementing the current version of BIND to replace the ! aging, undocumented authoritative servers I inherited. I want to hide the ! primary server on our internal network and have two secondary servers be ! publicly

Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2))

On Thu, Dec 29, 2022 at 03:43:35PM -0500, Timothe Litt wrote: ! So much like DNSSEC itself, the technology is there, but the will to use it ! everywhere it's needed is not. Timothy, thank You for the update. I agree to Your viewpoints, and we have seen mostly the same with IPv6. Apparently it

RFC7344 (was: Funky Key Tag in AWS Route53 (2))

On Thu, Dec 29, 2022 at 09:17:26AM -0500, Timothe Litt wrote: ! (Manual processes ! are error-prone.  That getting registrars to adopt CDS/CDNSKEY - RFC7344 - ! has been so slow is unfortunate.) Seconded. Do You have information about this moving at all? Because to me it looks very much like

Containerizing BIND with Kubernetes

Is there any good source of documentation on containerizing an authoritative BIND instance in a Kubernetes cluster? The main part I’m trying to grasp is how to dynamically horizontally scale the cluster and keep the BIND notify process working between the containers. Thanks, Peter -- Visit

New BIND Releases are available: 9.16.35, 9.18.9, and 9.19.7

from the EOL BIND 9.11 branch to the BIND 9.16 branch read the following document: https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-911-to-916 -- Peter Davies ISC Support -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds

Re: Question about dnstap

On Tue, Sep 13, 2022 at 12:24:15PM +0200, Petr Špaček wrote: ! On 12. 09. 22 15:49, Peter wrote: ! > On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! > ! My testing did not uncover anything problematic. ! > ! ! > ! Versions: ! > ! fstrm 0.6.1-1 ! > ! protobuf 21.5-

Re: Question about dnstap

On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! My testing did not uncover anything problematic. ! ! Versions: ! fstrm 0.6.1-1 ! protobuf 21.5-1 ! protobuf-c 1.4.1-1 ! ! ! A procedure which works: ! - start BIND configured with ! options { ! dnstap { all; }; !

Re: Question about dnstap

On Mon, Sep 12, 2022 at 12:27:25PM +0200, Borja Marcos wrote: ! I am not sure this is intended behavior, or maybe I should file a bug. ! ! I am doing some tests with dnstap and bind (9.18.6 now but I see the same behavior with older 9.18 versions). I am using ! dnstap-go. ! ! I have configured

Re: isc python module

I don’t mean to hijack the thread, but I think this is related. I also use the BIND python modules. In particular, I'm using it to update my catalog zones as described here: https://kb.isc.org/docs/aa-01401 This document has several references to BIND 9.18 without any mention of the BIND

Re: DNSSEC adoption

I see a two-fold issue with DNSSEC: 1. The wide-spread tutorials seem to explain a key rollover as an exceptional activity, a *change* that is infrequently done. And changes, specifically the infrequent ones, bring along the possibility of failure, mostly due to human error. I don't

Re: DNSSEC signing of an internal zone gains nothing (unless??)

On Wed, Aug 03, 2022 at 04:49:35PM +1000, Mark Andrews wrote: ! Additionally authoritative servers for a zone are supposed to answer queries with RD=1 set with RA=0 if the client is not being offered recursion. REFUSED is the wrong answer of the query name involves zones you serve. Only if you

Re: DNSSEC signing of an internal zone gains nothing (unless??)

On Tue, Aug 02, 2022 at 02:04:22PM -0400, Timothe Litt wrote: ! On 02-Aug-22 13:18, Peter wrote: ! > On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wr

Re: Stopping ddos

On Tue, Aug 02, 2022 at 11:16:15PM +0200, Michael De Roover wrote: ! For my servers I'm using iptables rules to achieve ratelimiting. They ! look as follows: ! -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent -- ! update --seconds 600 --hitcount 4 --name DEFAULT --mask

Re: bind-users Digest, Vol 4031, Issue 3

On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote: ! ! On 02-Aug-22 11:09, bind-users-requ...@lists.isc.org wrote: ! ! > | Before your authoritative view, define a recursive view with the internal ! > ! zones defined as static-stub, match-recursive-only "yes",  and a ! > !

Re: DNSSEC signing of an internal zone gains nothing (unless??)

On Tue, Aug 02, 2022 at 05:51:28AM -0400, Timothe Litt wrote: ! You can get the AD flag set, with a bit of extra work.  I've done this for ! years. Thanks for Your message, Timothe. After investigating the matter, I had figured out a similar approach - but didn't know if this is a recommended or

Re: Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE

if the problem continues. Thanks so much for your help! From: Greg Choules Date: Monday, August 1, 2022 at 6:21 PM To: White, Peter Cc: bind-users@lists.isc.org Subject: Re: Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE CAUTION: This email originated from outside of Penguin Random House. Please

Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE

I’m running BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 (Extended Support Version) on RHEL 7 in a chroot jail. As of late, at times running some rndc commands are causing my server to lock up. It’s usually an “rndc addzone” that triggers the issue. I’ll also mention that I have recently started

Re: How to make SRV records work with caching resolvers?

. (Obviousely there can be many other reasons for a temporary outage.) The plan is now to put this on hold until it appears at annoying daytimes again, and ideally obtain a kind of VoIP-proxy or PBX to put in between. -- PMc ! > On 13. 7. 2022, at 13:18, Peter wrote: ! > ! >  ! > My Telco

Re: How to make SRV records work with caching resolvers?

On Wed, Jul 13, 2022 at 09:22:17PM +1000, Mark Andrews wrote: ! The client is supposed to lookup missing address records. Now that's clear and short. Thank You very much, Mark! ! Complain to the supplier of the phone that they have a defective product. I still have to see a linux plastic box

How to make SRV records work with caching resolvers?

My Telco has removed the A record for their VoIP server, and now has only SRV data there - which seems not to work properly. The SRV data contains various services (SIP via UDP, TCP, secure TCP, whatever), and these get individual expiry counters in the caching resolver. So when a telephone

IPv6 scoped address disambiguation

Hi @all, the reference manual says something about scoped ipv6 addresses, so I might assume they are understood and useable. But maybe either I did misunderstand something, or something is wrong here: My configuration: listen-on-v6 port 53{ fe80::2%lo0;

Re: Bugfix: missing line in message.c

On Thu, Jun 02, 2022 at 08:23:27AM +1000, Mark Andrews wrote: ! Thanks. ! ! INDENT is being addressed. ! ! Can you add an issue on https://gitlab.isc.org/ for the view name in dnstap? Bad luck for me, my login does actually work there - so I probably have to... ;) Done, it says #3391. -- PMc

Bugfix: missing line in message.c

Hi, this is broken in 916 (and apparently 918 also). Consequentially, output from dnstap gets unreadable (invalid YAML) when using dynamic zone updates. PATCH --- lib/dns/message.c.orig 2022-05-10 11:02:21.0 +0200 +++ lib/dns/message.c

Re: DNS traffic tracking

tting a better idea of who is responsible for generating it and why. In my opinion, in the absence of knowing what the problem is, experimenting with stuff like rate limiting or blocking is unlikely to solve the problem. Regards, Peter Coghlan. -- Visit https://lists.isc.org/mailman/listinfo/bi

Re: getting answers from DNS queries

ling with the subject of malicious, bogus queries etc. Regards, Peter Coghlan. > > -- > > Hal King - h...@utk.edu > Systems Administrator > Office of Information Technology > Shared Services > > The University of Tennessee > 103c5 Kingston Pike Building > 2309 Kin

9.18.0 now available

For those of you that may not be on the -announce list, I would like to make you aware of the following: https://lists.isc.org/pipermail/bind-announce/2022-January/001205.html -- Peter Davies Support Engineer Internet Systems Corporation pet...@isc.org 001 650-423-1460

Re: Found the bug (was: ERROR: Failed to create fetch for DNSKEY update)

On Sun, Nov 21, 2021 at 06:51:13PM +0100, Sten Carlsen wrote: ! As far as I am aware - and what I have always done - the normal | thing to do is to use a hints file. Lately the hints are built-in, | so nothing is really needed. Ah. Well, I have here a named.conf.sample file that comes with the

Found the bug (was: ERROR: Failed to create fetch for DNSKEY update)

Hija, I finally found the cause of the error! As soon as I stop slaving the root-zones and instead use the (configured or compiled-in) hint-file, the error stops. The actual error-condition (zone is not loaded) then becomes obvious, because this RFC-5011 action happens very early, before any

Re: ERROR: Failed to create fetch for DNSKEY update

On Mon, Nov 15, 2021 at 09:14:19AM +0100, Ondřej Surý wrote: ! > On 15. 11. 2021, at 3:41, Peter wrote: ! > ! >

ERROR: Failed to create fetch for DNSKEY update

Hi all, I continuousely happen to see this message: > local0.warn named[2291]: > dnssec: warning: managed-keys-zone: Failed to create fetch for DNSKEY update I see it on different nameservers, at different sites, with and without views, with and without IPv6, and I see it every time when named

Re: BIND caching of nxdomain responses

tps://lists.dns-oarc.net/pipermail/dns-operations/2021-September/021362.html Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC fu

Re: Preventing a particular type of nameserver abuse

be interested to know what the experts think bind might have made of this traffic had it not been filtered out. I have included some of the more usual probes before and after the more interesting traffic for context. Regards, Peter Coghlan. 09:50:12.36 207.244.251.243.41020 > 192.168.80.24.53: 64

Failure from rate-limit

Hi, my servers fail to query the upstream servers with these errors: rate-limit: debug 99: rrl=0x0, HAVECOOKIE=0, result=DNS_R_SERVFAIL, fname=0x8027a5450(0), is_zone=0, RECURSIONOK=1, query.rpz_st=0x0(0), RRL_CHECKED=0 The operator of the upstream servers says it is due to a configuration

Re: Without IPv6 half of the queries yield SERVFAIL

On Fri, Aug 06, 2021 at 07:22:32AM +0200, sth...@nethelp.no wrote: ! > ! I tried to use this recommendation, https://kb.isc.org/docs/aa-00206, ! > ! marking all IPv6 addrs as bogus, but it does not make a difference in ! > ! behaviour. ! > ! > Update: Actually there is a difference if this

Re: Without IPv6 half of the queries yield SERVFAIL

On Thu, Aug 05, 2021 at 11:53:35PM +0200, Peter wrote: ! I tried to use this recommendation, https://kb.isc.org/docs/aa-00206, ! marking all IPv6 addrs as bogus, but it does not make a difference in ! behaviour. Update: Actually there is a difference if this recommended configuration is present

Without IPv6 half of the queries yield SERVFAIL

Hi all, first off: I do not have IPv6 physical connectivity yet, but I would like to run a nameserver nevertheless. Sadly, it seems that without IPv6 connectivity, half of the queries fail, in a random fashion. There is no clue in the logfile about any reason for this behaviour, only so

Re: ITS THE NUMBER OF CORES/THREADS

update on how to get bind to run with parameters for windows make folder in C:\ named make file called named.bat in the bat file add: sc start named -n 7 in services > ISC BIND recovery tab first failure select run a program check enable actions for stops with errors in run program browse

Re: ITS THE NUMBER OF CORES/THREADS

reproducer is helpful. Can you try if adding `-n 8` vs `-n 7` have the same effect? Ondřej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. On 23. 7. 2021, at 20:31, Peter via bind-users

Re: ITS THE NUMBER OF CORES/THREADS

Well I reported it and we see what happens my main bind is not in a virtual machine I guess I cound disbale Hyper-Threading as a workaround... ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds

ITS THE NUMBER OF CORES/THREADS

So after ALL that it was down to the number of cores/threads, anything more then 7 cores/threads and 9.16.19 WILL NOT RUN tested in avirtual PC. Man what A BUG ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from

Sorry

I have come to the conclusion that I am being punished! I have moved heaven and earth to get 9.16.19 to work and only seem to work on another old system Core™2 Duo that I installed win 7 activated it then upgrade to win10 only that system work with 9.16.19 on another system I remove NICs

New BIND 9.16.19 I think don't run with Intel VLANs

I have three PC's tested that all work fine on 9.16.15 or 9.17.12 with my Intel VLANs but 9.16.19 simply will not start. Is this a new limitation for BIND on windows now? or a change that causes it not to run if it detects VLANs with the intel APP?

Re: cmdns.dev.dns-oarc.net oddness with windows 10 and bind

Seems fine now they must of fixed the testing. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at

Re: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

Well for the time being I give up I think something like this happen before many years ago, I'm sure someone will post having this iusse. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the

Re: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

I getnothing which means good? installed back to the default path. C:\Program Files\ISC BIND 9\bin>named-checkconf C:\Program Files\ISC BIND 9\bin> On 19/06/2021 5:53 pm, Richard T.A. Neal wrote: And what do you get when you run c:\BIND\named-checkconf ? Richard.

Re: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

n>named-checkconf C:\BIND\etc\named.conf:8: unknown option 'x' C:\BIND\etc\named.conf:8: unexpected token near end of file Richard. *From:*bind-users *On Behalf Of *Peter via bind-users *Sent:* 18 June 2021 5:49 pm *To:* bind-users@lists.isc.org *Subject:* Re: Windows support has been discontinu

Re: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

It shows 17 information with the last showing "using 1 UDP listener per interface" maybe it don't like my intel VLAN's? On 18/06/2021 5:21 pm, Richard T.A. Neal wrote: When you say “in Application logs show fine” – how far does named actually get (if at all)? For example whenever I (re)start

Re: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

will be taken in 6 milliseconds: Restart the service. And in Application logs show fine Maybe its just windows 10 pro? Or is it possible to have bind coded to no longer run in win 10? On 18/06/2021 3:08 pm, Richard T.A. Neal wrote: On 18/06/2021 2:48 pm, Peter wrote: Even BIND9.16.18

Re: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

Even BIND9.16.18 will not run on windows 10 same error On 18/06/2021 2:21 pm, Ondřej Surý wrote: Hi Peter, the Windows support in 9.17 has been discontinued (as discussed on this very mailing list). So, while technically the BIND 9.17.14/9.17.15 still includes the Windows binaries, the code

Re: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14

Well I don't know about anyone else but BIND 9.17.14 did not want to start in win 10 “windows could not start the ISC BIND service on local computer Error 1067: the process terminated unexpectedly.” ___ Please visit

cmdns.dev.dns-oarc.net oddness with windows 10 and bind

So I redone my windows bind setup on a new system and this bug may never get fixed but I wanted to post the oddness of this bug. Bind on New PC as servers 127.0.0.1 for dns on that system cmdns.dev.dns-oarc.net reports fine except for IPv6 test OK I then have two PC's as clients to this DNS

Re: No more support for windows

> Peter, > > > do you seriously think that this word play is going to help the BIND 9 > support for Windows? So, I am asking you, what’s your serious > proposal what should we do? > You may regard it as a word play but I am being very serious indeed. I have looked

Re: No more support for windows

rena, then shouldn't this be stated clearly instead of also declaring that it is highly portable? Regards, Peter Coghlan. > > Do you understand how ironic is for you to complain about “subscription is > not going to happen” while **every** email on the mailing list has this > no

Re: No more support for windows

Well its clearly not working so it needs to change just like DDNS is free but you can paid for a subscription thats easy to do or SSL is free for 90days but you have the option to pay easily for a year but that might not work for bind for windows so it needs to be a subscription to run it at

No more support for windows

On 04/06/2021 6:05 pm, John Thurston wrote: On 6/4/2021 8:48 AM, Peter via bind-users wrote: When people find out2024 is the year bind is no longer supported for windows people aregoing to be upset this all seems to be done quietly nothing posted on the the isc.org site about this just how

No more support for windows

When people find out2024 is the year bind is no longer supported for windows people aregoing to be upset this all seems to be done quietly nothing posted on the the isc.org site about this just how many people depend on bind for windows will be shocking.

Deprecating BIND 9.18+ on Windows (or making it community improved and supported

Guess not even a subscription will not happen too. I'm having to try and do Bind on ubuntu and it just will not let me edit files like named.conf unless you do some vodoo that I don't understand and even updating the bind like how? Windows no problem you want to edit a file no problem can't

Deprecating BIND 9.18+ on Windows (or making it community improved and supported

Maybe they could release a bind for windows ever year with limited support? But I guess bind will still work long after its not supported which is the only good thing. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe

Deprecating BIND 9.18+ on Windows (or making it community improved and supported

Well that sucks no more bind for windows...:( ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at

Update DNSSEC Zone

HI All, I really would appreciate a pointer in the right direction. I took over a bind server recently. I am not new to bind. I have used it many times and honestly prefer it to windows dns but I have never worked with DNSSEC. I have been reading all day and I still can’t figure out how to

Re: How to return REFUSED

ill keep on trying. The most recent one I've seen was three days ago but there could have been more since then that hit the packet filters when I wasn't paying attention. Regards, Peter Coghlan. ___ Please visit https://lists.isc.org/mailman/listinfo

Re: Preventing a particular type of nameserver abuse

Tony Finch wrote: >Peter Coghlan wrote: >> Instead, isn't it the case that bind knows what domains it is authoritative >> for (or which ones it is supposed to be authoritative for) and bind is >> therefore in the ideal position to know which queries are abusive and which &

Re: Preventing a particular type of nameserver abuse

Tony Finch wrote: > Peter Coghlan wrote: > > > > I have a nameserver which is authoritative for three or four domain names. > > It receives around 1000 queries per day that could be regarded as plausably > > legitimate. It receives around ten times that number of absi

Preventing a particular type of nameserver abuse

y nameserver admins probably would not even notice it unless they had query logging or query-error logging turned on and checked the logs. Regards, Peter Coghlan. --Boundary_(ID_/cANmbMgveXk/KlZF+xdIQ)-- ___ Please visit https://lists.isc.org/mailman/listinfo/bi

broken trust chain with my DNS setup

https://bridgemode.bounceme.net/DNS%20BIND%20setup2.txt %ProgramFiles%\ISC BIND 9\bin run CMD rndc-confgen -a folder managed-keys in ect file rndc.conf in etc include "C:\Program Files\ISC BIND 9\etc\rndc.key"; options { default-key "rndc-key"; default-server 127.0.0.1;

broken trust chain with my DNS setup

Hi hope someone can help here is my setup on Bind 9.17.10. https://bridgemode.bounceme.net/DNS%20BIND%20setup.html https://bridgemode.bounceme.net/DNS%20BIND%20setup2.txt When working what happens is: first lookup Lookup by

Re: named 9.14.6 memory leak, cannot start

On Wed, Oct 16, 2019 at 12:27:39PM +0200, Ondřej Surý wrote: ! Hi Peter, ! ! we had a similar report in the past, Ah, that's a good message! ! so maybe you can chime in and add ! the information to the issue here https://gitlab.isc.org/isc-projects/bind9/issues/1179 ? Okay, done. Further

named 9.14.6 memory leak, cannot start

When starting named 9.14.6, before doing any activity it immediately grows infinitely, hits the system limits and crashes with: > mem.c:710: fatal error: > malloc failed: Cannot allocate memory > exiting (due to fatal error in library) Version 9.14.3 does not have this memory leak and runs

High load on BIND DNS and query timeouts after RPZ XFR retrieve

Hi all, I would like to get opinion on issue I was involved over weekend. Customer utilizes RPZ feed from spamhaus and worked pretty OK for some months after initial deployment. They reported issue with wrong performance of BIND DNS; BIND version: 9.10.8-P1 I observed BIND CPU usage went from

Re: Named Service

that and opt for my own manual rndc config. Peter On Tue, Jan 22, 2019 at 12:35 PM Jordan Tinsley wrote: > Thank you for the information! Also, do I need to use the {-chroot} > portion? > > > > Thanks, > > Jordan > > > > *From:* Peter DeVries > *Se

Re: Named Service

You didn't mention your OS. I'm assuming Redhat Linux. The files you are looking for are /usr/lib/systemd/system/named{-chroot}.service. The files are not included in the BIND source. The easiest thing is to pull them out of one of the existing redhat BIND packages and edit for your needs.

Re: Question regarding different responses that I am getting for a lookup.

They are probably using a load balancer of some sort that is choosing between multiple systems and directing you to the one closest or no under load at the moment. The low TTL is usually a sign of this as well. On Mon, Aug 6, 2018 at 2:12 PM, Bhangui, Sandeep - BLS CTR <

Re: cyberia.net.sa

You're going to have to provide more information than that. What isn't working from your internet perspective? Looks fine from where I'm sitting. ; <<>> DiG 9.11.2-P1 <<>> cyberia.net.sa ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4586 ;; flags:

Re: extranet.aro.army.mil - not resolving

+cd disables DNSSEC validation. You are running some very old versions of dig in some cases which don't have dnssec support. The 9.9 version of dig you have on at least one server should work. What version of BIND server are you running on the problematic system? On Thu, May 31, 2018 at 8:18

Re: extranet.aro.army.mil - not resolving

It's messy to be sure but it's not failing validation on any of the systems I'm testing on (no AD bit because the CNAMEs aren't signed but no SERVFAIL either)(. I see a bunch of dig versions in your posting (9.3?). What version BIND is the server running? On Thu, May 31, 2018 at 5:51 PM,

Re: dyndb regression: bind fails to build --without-dlopen

Thank you Tony. Works for me. -- Peter. On Tue, May 30, 2017 at 7:36 PM, Tony Finch <d...@dotat.at> wrote: > Peter Volkov <peter.vol...@gmail.com> wrote: > > > Hi, what this correct place to report issue? Is there any better way to > > contact developers? >

Re: dyndb regression: bind fails to build --without-dlopen

Hi, what this correct place to report issue? Is there any better way to contact developers? -- Peter. On Mon, May 8, 2017 at 11:01 AM, Peter Volkov <peter.vol...@gmail.com> wrote: > Hello. > > bind 9.10.x and 9.11.x fails to build if ./configure'ed > --without-dlopen[1]: &g

dyndb regression: bind fails to build --without-dlopen

lopen) and thus libdns.la will be linked without -ldl. Probably correct fix will be to remove --with/without-dlopen option from ./configure. Ref: [1] https://bugs.gentoo.org/show_bug.cgi?id=600212 -- Peter. ___ Please visit https://lists.isc.org/mailman/

Re: Logging to syslog

und 3 million lines per day each. Without RateLimitInterval=0 it routinely drops messages. --  Peter ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND 9.10.4 may have a fatal crash defect.

Hello, On 12 May 2016, at 15:44, Peter van Dijk wrote: I’ve heard two proposals: (1) brew fakes up a version number X that sorts 9.10.4 < X < Y, where Y is whatever ISC is going to release next (2) ISC ‘clones’ 9.10.3-P4 into 9.10.5 (or 9.10.4-P1 but that seems wrong) so the highest v

Re: BIND 9.10.4 may have a fatal crash defect.

othing increases the odds of somebody running into the crash but one might argue that this is helpful! I think all three options are a bit ugly, to be fair. I don’t have any preference. Thoughts? Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerd

Moving dynamic zones to new master+slave pair without interruptions

25.P1.el5_11.5). So the setup is really in need of a refresh. :-) Thank you in advance! --  Peter Rathlev ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: Moving dynamic zones to new master+slave pair without interruptions

xtra recursing server. Keeping things simple, even if that means running more servers, helps me sleep at night. It helps my colleagues handling things without having to call me. :-) --  Peter Rathlev ___ Please visit https://lists.isc.org/mailman/listinf

Re: Moving dynamic zones to new master+slave pair without interruptions

far as I can see this should Just Work™. > My program nsdiff (http://dotat.at/prog/nsdiff) is useful for copying > dynamic zones from from an existing master to a new master without > faffing around with `rndc freeze`. Nice. :-) Perfect for copying changes without touching the files.

Re: Is it possible to have separate query logs for different views?

-inside; next} / view outside / {print $0 named-queries-outside; next} {print $0 named-queries-other}' (not tested, but have used similar before) Ok, I'm officially blind... Should have seen this myself. This will solve my problem. Thanks! Peter Olsson -- Bob Harold hostmaster

Is it possible to have separate query logs for different views?

; print-time yes; severity debug; }; }; Thanks! -- Peter Olsson ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users

  1   2   3   >