Re: caching does not seem to be working for internal view

This is boarderline not thinking on my part. OF COURSE those FQDNs resolve fast; they are in local ZOne files. No lookup needed. Sheesh. "Slow down, you move to fast.  Got to make the Mornin' last!"  :) On 8/3/22 14:43, Robert Moskowitz wrote: Perhaps this is only caching

Re: caching does not seem to be working for internal view

exactly what IS cached. On 8/3/22 10:52, Robert Moskowitz via bind-users wrote: thanks Greg.  Yes I need to figure out how to troubleshoot this. But here is some stuff: # cat resolv.conf # Generated by NetworkManager search attlocal.net htt-consult.com nameserver 23.123.122.146 nameserver 2600

Re: ,Re: caching does not seem to be working for internal view

shed Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 03-Aug-22 12:36, Robert Moskowitz wrote: On 8/3/22 11:35, Timothe Litt wrote: On 03-Aug-22 10:53, bind-users-requ...@lists.isc.org wrote: # cat resolv.conf My server is 23.123.122.146.  T

Re: ,Re: caching does not seem to be working for internal view

On 8/3/22 13:10, Anand Buddhdev wrote: On 03/08/2022 18:36, Robert Moskowitz wrote: Hi Robert, [snip] ARGH! I want the IPv6 addr from my firewall/gateway.  But I don't want that IPv6 nameserver! Calm down. Just add "PEERDNS=no" in your ifcfg-eth0 file. This way, the resolv

Re: ,Re: caching does not seem to be working for internal view

On 8/3/22 11:35, Timothe Litt wrote: On 03-Aug-22 10:53, bind-users-requ...@lists.isc.org wrote: # cat resolv.conf My server is 23.123.122.146.  That IPv6 addr is my ATT router. You don't want to do that.  The ATT router will not know how to resolve internal names.  There is no guarantee

Re: caching does not seem to be working for internal view

, or whatever) the OS will consult resolv.conf to determine where to send DNS queries. If that's not your local instance of BIND then you could be looking for trouble in the wrong place. If you *do* have an address of the local machine as the first 'nameserver' entry in resolv.conf you will ne

Re: Stopping ddos

dresses to send traffic either unrestricted, or using a more relaxed version of the above. HTH, Michael On Tue, 2022-08-02 at 16:02 -0400, Robert Moskowitz wrote: Recently I have been having problems with my server not responding to my requests.  I thought it was all sorts of issues, but I finally

caching does not seem to be working for internal view

Part of my problem is that caching does not seem to be working in my internal view. Something is happening such that my internal systems AND the server itself cannot resolve names and looses it even 5 min later, indicating not caching. I read https://kb.isc.org/docs/aa-00851 In my include

Re: Stopping ddos

On 8/2/22 17:30, Nathan Ollerenshaw via bind-users wrote: On 8/2/22 1:02 PM, Robert Moskowitz wrote: Recently I have been having problems with my server not responding to my requests.  I thought it was all sorts of issues, but I finally looked at the logs and: You're being used

Stopping ddos

Recently I have been having problems with my server not responding to my requests.  I thought it was all sorts of issues, but I finally looked at the logs and: Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied Aug  2

Re: Providing GeoIP information for servers

On 05/11/2017 10:46 AM, Timothe Litt wrote: On 10-May-17 17:50, John W. Blue wrote: >From the it-could-be-worse department: https://arstechnica.com/tech-policy/2016/08/kansas-couple-sues-ip-mapping-firm-for-turning-their-life-into-a-digital-hell/ I am more a fan of continental geolocation

Re: Providing GeoIP information for servers

On 05/10/2017 05:41 PM, Mark Andrews wrote: In message , Robert Mosko witz writes: I am kind of tired in my systems being reported as being in Plymouth MI instead of Oak Park MI. That is the best Comcast seems to be willing to do for

Providing GeoIP information for servers

I am kind of tired in my systems being reported as being in Plymouth MI instead of Oak Park MI. That is the best Comcast seems to be willing to do for where my IP addresses (which are static) reside. Is there anyway to provide location information for a server via DNS that would feed into

SOLVED - Re: Bind failing to start on new 9.9.4 server

File permission problems. On 02/09/2017 10:38 AM, Ray Bellis wrote: On 09/02/2017 15:32, Robert Moskowitz wrote: Now doing it 'right' and seeing: 09-Feb-2017 09:59:52.191 could not open file '/run/named/named.pid': Permission denied 09-Feb-2017 09:59:52.192 generating session key for dynamic

Re: Bind failing to start on new 9.9.4 server

Strange.. On 02/09/2017 09:31 AM, Ray Bellis wrote: On 09/02/2017 14:28, Robert Moskowitz wrote: I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, I am building this on a new server. I currently do not have DNSSEC enabled, and not enabling it for the initial migration

Re: Bind failing to start on new 9.9.4 server

On 02/09/2017 09:55 AM, Alan Clegg wrote: On 2/9/17 8:53 AM, Robert Moskowitz wrote: On 02/09/2017 09:31 AM, Ray Bellis wrote: On 09/02/2017 14:28, Robert Moskowitz wrote: I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, I am building this on a new server. I

Re: Bind failing to start on new 9.9.4 server

On 02/09/2017 09:31 AM, Ray Bellis wrote: On 09/02/2017 14:28, Robert Moskowitz wrote: I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, I am building this on a new server. I currently do not have DNSSEC enabled, and not enabling it for the initial migration work. I

Re: Bind failing to start on new 9.9.4 server

On 02/09/2017 09:31 AM, Ray Bellis wrote: On 09/02/2017 14:28, Robert Moskowitz wrote: I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, I am building this on a new server. I currently do not have DNSSEC enabled, and not enabling it for the initial migration work. I

Bind failing to start on new 9.9.4 server

I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, I am building this on a new server. I currently do not have DNSSEC enabled, and not enabling it for the initial migration work. I have looked over changes in named.conf and believe I have made the necessary changes. My

SOLVED - Re: Secondarying DLZ zones

At least the 'right' way with turning down the SOA TTL for the zone. This is one of the set it and forget it items (at least for me), and once I started reading finding enough articles on secondaries it was an oh yeah moment. On 09/07/2015 04:09 PM, Robert Moskowitz wrote: On the Samba list

Re: Secondarying DLZ zones

inful, especially for longer TTL values." Is there some way to get the secondary to check frequently, like once an hour? On 09/07/2015 03:12 PM, Robert Moskowitz wrote: It seems I have this working, but... I have a regular Centos7 Bind 9.9 server that I want to secondary a Samba AD (Also Centos7

Secondarying DLZ zones

It seems I have this working, but... I have a regular Centos7 Bind 9.9 server that I want to secondary a Samba AD (Also Centos7) DLZ zone. On the DNS server (192.168.192.5) I have: zone "home.htt" { type slave; file "slaves/bak.home.htt";

Re: Installing bind is not very clear for me

On 09/03/2015 01:45 PM, Leandro wrote: Dear All: While installing bind still have not clear some issues: Im using Centos 6.6 since Im not very comfortable with Centos7 yet. My final goal is to get an updated and stable version and also use json format for the statistics channel. 1) Some

Re: Installing bind is not very clear for me

On 09/03/2015 05:02 PM, Reindl Harald wrote: Am 03.09.2015 um 22:59 schrieb Robert Moskowitz: On 09/03/2015 04:35 PM, Leandro wrote: Ok ... I got BIND 9.10.2-P3 working. I compiled with ./configure --with-openssl --enable-threads --with-libxml2 --with-libjson make make install Json

Re: Installing bind is not very clear for me

;bind-users-boun...@lists.isc.org on behalf of Robert Moskowitz" <bind-users-boun...@lists.isc.org on behalf of r...@htt-consult.com> wrote: Ok On 09/03/2015 01:45 PM, Leandro wrote: Dear All: While installing bind still have not clear some issues: Im using Centos 6.6 since Im not

Re: Solved - Re: A tale of two nameservers - resolution problems

On 09/03/2015 04:09 AM, Matus UHLAR - fantomas wrote: On 01.09.15 13:36, Robert Moskowitz wrote: On the Fedora-arm list I was told about systemd-timesyncd. Much better for these systems than chronyd which is suppose to be the replacement for ntpdate... chrony is replacement for ntpd

Final on - Re: A tale of two nameservers - resolution problems

-timesync, but Fedora/redhat went the chrony route, and I got more help figuring it out. On to the next fun challenge. On 09/01/2015 12:16 PM, Sam Wilson wrote: In article <mailman.2626.1441122408.26362.bind-us...@lists.isc.org>, Robert Moskowitz <r...@htt-consult.com> wrote: I wil

Solved - Re: A tale of two nameservers - resolution problems

On 09/01/2015 12:16 PM, Sam Wilson wrote: In article <mailman.2626.1441122408.26362.bind-us...@lists.isc.org>, Robert Moskowitz <r...@htt-consult.com> wrote: I will be looking more into this. Obvious when you get ones nose dragged into time wrong on boot. This is actual

Re: A tale of two nameservers - resolution problems

. So there is something about that resolution that does not like the early date. So I am caught in a time bind here! Is there anyway to get bind not to be particular about system time at first? John On Tue, Sep 1, 2015 at 9:09 AM, Robert Moskowitz <r...@htt-consult.com> wrote: I ha

A tale of two nameservers - resolution problems

I have one nameserver running bind 9.8.2 and a new one running 9.9.4. Both can resolve www.ietf.org Only the 9.8.2 can resolve 0.centos.pool.ntp.org I literally rsynced all the of the conf and zone files from the old to the new, then changed all of the server name references. I have done

Re: A tale of two nameservers - resolution problems

On 09/01/2015 09:36 AM, Reindl Harald wrote: Am 01.09.2015 um 15:31 schrieb Robert Moskowitz: On 09/01/2015 09:20 AM, John Miller wrote: If you check pcap, logs, etc., is the server's following delegation for 0.centos.pool.ntp.org? Where do outbound packets stop? I don't believe

Re: A tale of two nameservers - resolution problems

On 09/01/2015 10:38 AM, Reindl Harald wrote: Am 01.09.2015 um 16:28 schrieb John Miller: On Tue, Sep 1, 2015 at 9:31 AM, Robert Moskowitz <r...@htt-consult.com> wrote: On 09/01/2015 09:20 AM, John Miller wrote: If you check pcap, logs, etc., is the server's following delegation

Re: A tale of two nameservers - resolution problems

On 09/01/2015 10:28 AM, John Miller wrote: On Tue, Sep 1, 2015 at 9:31 AM, Robert Moskowitz <r...@htt-consult.com> wrote: On 09/01/2015 09:20 AM, John Miller wrote: If you check pcap, logs, etc., is the server's following delegation for 0.centos.pool.ntp.org? Where do outbound packet

Finding authoritative server and last update

I am trying to find out which comcast server is authoritative for 4.254.253.50.in-addr.arpa and when the zone file for the ptr rr was last updated. I was told a week ago that the ptr would be updated, but I am still not seeing any change... I am not really good at keeping good notes on

Re: Finding authoritative server and last update

. Or at least I don't see it on the results page. but thanks for the tip. Frank -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Robert Moskowitz Sent: Tuesday, February 03, 2015 4:01 PM To: bind-users@lists.isc.org

Re: Finding authoritative server and last update

On 02/03/2015 05:09 PM, Jeremy C. Reed wrote: On Tue, 3 Feb 2015, Robert Moskowitz wrote: I am trying to find out which comcast server is authoritative for 4.254.253.50.in-addr.arpa and when the zone file for the ptr rr was last updated. I was told a week ago that the ptr would be updated

Re: Finding authoritative server and last update

[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Robert Moskowitz Sent: Tuesday, February 03, 2015 4:43 PM To: Jeremy C. Reed Cc: bind-users@lists.isc.org Subject: Re: Finding authoritative server and last update On 02/03/2015 05:09 PM, Jeremy C. Reed wrote: On Tue, 3 Feb 2015, Robert Moskowitz wrote

Glue records for secondary NS

I just found out that I had old garbage in my rgistrar setup for my domain. To wit, an NS server that has not been an NS server for years. And now that I use that host name for another usage on another address, it was giving lots of problems. My bad, I should have caught this when I moved

Re: Glue records for secondary NS

On 12/05/2014 12:30 PM, Casey Deccio wrote: On Fri, Dec 5, 2014 at 11:47 AM, Robert Moskowitz r...@htt-consult.com mailto:r...@htt-consult.com wrote: I have 3 secondaries run by other domains. This was to give me some geo-diversity. How do I create glue records for them? My

Value of memory

I have a server that is only running bind 9.8.2 (Centos 6.5). It has 2Gb memory and free reports ~1.7Gb used. I am looking at replacing this server with an armv7 board running Redsleeve (until Centos 7 is out and stable for armv7). I have a choice of boards, one with 1Gb memory ($60) and

Disabling DNSSEC until...

I solve the EDNS problem, probably on my Juniper SSG5. This will initially have to wait until Juniper gets back to me, or I corner some of their developers at IETF in a couple weeks. Alternatively I replace the SSG5... And I change my registry to one that supports DNSSEC. Commenting all

Re: Disabling DNSSEC until...

On 03/03/2013 08:10 AM, Robert Moskowitz wrote: I solve the EDNS problem, probably on my Juniper SSG5. This will initially have to wait until Juniper gets back to me, or I corner some of their developers at IETF in a couple weeks. Alternatively I replace the SSG5... And I change my

Re: bad zone transfer request of reverse addr zone

On 03/01/2013 06:42 PM, Mark Andrews wrote: In message 5130fba0.3020...@htt-consult.com, Robert Moskowitz writes: On 03/01/2013 01:50 PM, Jan-Piet Mens wrote: I get this for all my secondaries for my reverse domain: client 63.68.132.50 view external: bad zone transfer request: '192

Re: bad zone transfer request of reverse addr zone

On 03/02/2013 09:14 PM, Robert Moskowitz wrote: On 03/01/2013 06:42 PM, Mark Andrews wrote: In message 5130fba0.3020...@htt-consult.com, Robert Moskowitz writes: On 03/01/2013 01:50 PM, Jan-Piet Mens wrote: I get this for all my secondaries for my reverse domain: client 63.68.132.50 view

in-addr.arpa insecure?

I got tipped off about this from logwatch report. On my public DNS server had the following: Feb 26 04:02:04 onlo named[19336]: validating @0xb2929ee0: in-addr.arpa SOA: got insecure response; parent indicates it should be secure Feb 27 04:02:04 onlo named[32262]: validating @0xb37e25e0:

Re: in-addr.arpa insecure?

On 03/01/2013 08:57 AM, Tony Finch wrote: Robert Moskowitz r...@htt-consult.com wrote: I got tipped off about this from logwatch report. On my public DNS server had the following: Feb 26 04:02:04 onlo named[19336]: validating @0xb2929ee0: in-addr.arpa SOA: got insecure response; parent

Re: in-addr.arpa insecure?

On 03/01/2013 09:22 AM, Michael W. Lucas wrote: On Fri, Mar 01, 2013 at 09:19:42AM -0500, Robert Moskowitz wrote: On 03/01/2013 08:57 AM, Tony Finch wrote: Robert Moskowitz r...@htt-consult.com wrote: I got tipped off about this from logwatch report. On my public DNS server had

Re: in-addr.arpa insecure?

On 03/01/2013 09:22 AM, Michael W. Lucas wrote: On Fri, Mar 01, 2013 at 09:19:42AM -0500, Robert Moskowitz wrote: On 03/01/2013 08:57 AM, Tony Finch wrote: Robert Moskowitz r...@htt-consult.com wrote: I got tipped off about this from logwatch report. On my public DNS server had

Re: in-addr.arpa insecure?

On 03/01/2013 09:19 AM, Robert Moskowitz wrote: On 03/01/2013 08:57 AM, Tony Finch wrote: Robert Moskowitz r...@htt-consult.com wrote: I got tipped off about this from logwatch report. On my public DNS server had the following: Feb 26 04:02:04 onlo named[19336]: validating @0xb2929ee0

bad zone transfer request of reverse addr zone

I get this for all my secondaries for my reverse domain: client 63.68.132.50 view external: bad zone transfer request: '192-26.67.83.208.in-addr.arpa/IN': non-authoritative zone (NOTAUTH): 23 Time(s) I don't get this for my forward domain and the SOA for both are similarly structured. For

Re: bad zone transfer request of reverse addr zone

On 03/01/2013 01:03 PM, Robert Moskowitz wrote: I get this for all my secondaries for my reverse domain: client 63.68.132.50 view external: bad zone transfer request: '192-26.67.83.208.in-addr.arpa/IN': non-authoritative zone (NOTAUTH): 23 Time(s) I don't get this for my forward domain

Re: Problems with resolving a local tld

Still not working even with htt. signed. See below. I guess what I need for right now is to turn off DNSSEC checking of a branch in the tree; in this case the tld htt. On 02/27/2013 08:34 PM, Mark Andrews wrote: In message 512e31ca.5030...@htt-consult.com, Robert Moskowitz writes

Re: Problems with resolving a local tld

On 02/28/2013 12:37 PM, Doug Barton wrote: On 02/28/2013 09:34 AM, Robert Moskowitz wrote: Only for my internal tld does the lookup fail. Are you distributing the trust anchor for htt to all of the servers that are doing validation? No. Of course I did not think of that! I just ASSuMEd

Re: Problems with resolving a local tld

On 02/28/2013 12:57 PM, Vernon Schryver wrote: From: Robert Moskowitz r...@htt-consult.com Well one really shouldn't be creating one's own tlds. As the instigator and a co-author of rfc 1918, I beg to differ. Many people considered the notion in RFC 1918 harmful. See RFC 1627. Um, I lived

Re: Problems with resolving a local tld

On 02/28/2013 01:14 PM, Tony Finch wrote: Robert Moskowitz r...@htt-consult.com wrote: Feb 28 12:14:16 klovia named[22332]: validating @0xb421ba30: htt SOA: got insecure response; parent indicates it should be secure I think this suggests that one of the servers for htt doesn't have

Re: Problems with resolving a local tld

On 02/28/2013 01:31 PM, Vernon Schryver wrote: From: Tony Finch d...@dotat.at Another reason not to use made-up domain names: CAs are going to stop issuing X.509 certificates for them. (It baffles me why they ever did so.) http://ssl.entrust.net/blog/?p=1831 That's another reason to publish

Adding trusted-keys to named.conf

I MAY be doing something wrong, or my problem is elsewhere... In zone htt. I have the DNSKEY RR: htt.INDNSKEY257 3 7 AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP

Re: Adding trusted-keys to named.conf

On 02/28/2013 02:42 PM, Robert Moskowitz wrote: I MAY be doing something wrong, or my problem is elsewhere... In zone htt. I have the DNSKEY RR: htt. IN DNSKEY 257 3 7 AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP qS0pFDZ

Re: Adding trusted-keys to named.conf

On 02/28/2013 06:21 PM, Mark Andrews wrote: In message 512fb319.7030...@htt-consult.com, Robert Moskowitz writes: I MAY be doing something wrong, or my problem is elsewhere... In zone htt. I have the DNSKEY RR: htt.INDNSKEY257 3 7 AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0

Problems with resolving a local tld

For various testing reasons, I have been running a tld here of htt. It has worked of old and continues to work on my new 9.8.2 Centos servers. Problem came up from a namecaching server that 'forwards only' to my internal server. It cannot resolve any hosts in this tld and on the server

Re: Problems with resolving a local tld

On 02/27/2013 08:34 PM, Mark Andrews wrote: In message 512e31ca.5030...@htt-consult.com, Robert Moskowitz writes: For various testing reasons, I have been running a tld here of htt. It has worked of old and continues to work on my new 9.8.2 Centos servers. Problem came up from a namecaching

disabling lame server logging

Continuing to 'clean up' my new server by reviewing logged messages. Researching a common one: Feb 26 07:30:29 onlo named[19336]: error (unexpected RCODE SERVFAIL) resolving 'foo.com/MX/IN': 1.2.3.4#53 I get the drift that my server has been directed to a 'lame server' and logs that fact.

Re: disabling lame server logging

On 02/26/2013 08:38 AM, Robert Moskowitz wrote: Continuing to 'clean up' my new server by reviewing logged messages. Researching a common one: Feb 26 07:30:29 onlo named[19336]: error (unexpected RCODE SERVFAIL) resolving 'foo.com/MX/IN': 1.2.3.4#53 I get the drift that my server has been

Re: disabling lame server logging

On 02/26/2013 09:13 AM, Phil Mayers wrote: On 26/02/13 13:54, Robert Moskowitz wrote: I would be interested in which client is requesting these lookups that end up going to lame servers. I am assuming the IP address in the log is the address of the lame server, not the requesting client

Re: disabling lame server logging

On 02/26/2013 09:25 AM, Robert Moskowitz wrote: On 02/26/2013 09:13 AM, Phil Mayers wrote: On 26/02/13 13:54, Robert Moskowitz wrote: I would be interested in which client is requesting these lookups that end up going to lame servers. I am assuming the IP address in the log is the address

Re: disabling lame server logging

On 02/26/2013 09:37 AM, Phil Mayers wrote: On 26/02/13 14:31, Robert Moskowitz wrote: On 02/26/2013 09:25 AM, Robert Moskowitz wrote: On 02/26/2013 09:13 AM, Phil Mayers wrote: On 26/02/13 13:54, Robert Moskowitz wrote: I would be interested in which client is requesting these lookups

name caching and forwarding

So now I am working on adding a name caching service to my mailserver. And I am reading up on namecaching. For RHEL/Centos, there is not much to doing this as the default install of bind SEEMS to be a name caching server. But I want it to NOT go out on the net for queries, but to direct all

Re: name caching and forwarding

On 02/26/2013 11:14 AM, Phil Mayers wrote: On 26/02/13 16:07, Robert Moskowitz wrote: And I am having challenges with the forward option. It reads that 'forward only' will always ask the forwarder about the query and seems to defeat caching? And 'forward first' only looks in cache after

Re: disabling lame server logging

On 02/26/2013 11:43 AM, Sten Carlsen wrote: On 26/02/13 15:50, Robert Moskowitz wrote: I would expect that a namecaching server on the mailserver would reduce traffic and resources all the way around. I don't need my mailserver to constantly be asking my name server about, say

Re: disabling lame server logging

On 02/26/2013 12:58 PM, Sten Carlsen wrote: On 26/02/13 18:06, Robert Moskowitz wrote: On 02/26/2013 11:43 AM, Sten Carlsen wrote: On 26/02/13 15:50, Robert Moskowitz wrote: I would expect that a namecaching server on the mailserver would reduce traffic and resources all the way around

Re: disabling lame server logging

On 02/26/2013 01:19 PM, Doug Barton wrote: You want to set up your resolver on your mail server to forward to your main resolver, using the forward only option. This will allow your mail server resolver to benefit from the cache already populated on your main resolver, while still maintaining

Re: name caching and forwarding

hey, Kevin, hope you are hanging well back at the old stomping ground! On 02/26/2013 01:42 PM, Kevin Darcy wrote: On 2/26/2013 11:39 AM, Robert Moskowitz wrote: On 02/26/2013 11:14 AM, Phil Mayers wrote: On 26/02/13 16:07, Robert Moskowitz wrote: And I am having challenges with the forward

Re: disabling lame server logging

On 02/26/2013 01:57 PM, Doug Barton wrote: On 02/26/2013 10:38 AM, Robert Moskowitz wrote: I would like a scalpel for lame logging, but probably would not discover any actionable data. There is a logging category for lame-servers. It's in the ARM. So far 2 reads and I am not getting out

Stop of logging of No Valid Signature Found

Yes, I know lots of places don't have DNSSEC signed zones. **I** have not done mine yet, but I turned on DNSSEC checking on my server and I am getting all too many messages like: validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid signature found: 1 Time(s) validating

Re: Stop of logging of No Valid Signature Found

On 02/25/2013 02:00 PM, Casey Deccio wrote: On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz r...@htt-consult.com mailto:r...@htt-consult.com wrote: Yes, I know lots of places don't have DNSSEC signed zones. **I** have not done mine yet, but I turned on DNSSEC checking on my

Re: Stop of logging of No Valid Signature Found

On 02/25/2013 02:33 PM, Robert Moskowitz wrote: On 02/25/2013 02:00 PM, Casey Deccio wrote: On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz r...@htt-consult.com mailto:r...@htt-consult.com wrote: Yes, I know lots of places don't have DNSSEC signed zones. **I** have not done mine

Re: Stop of logging of No Valid Signature Found

On 02/25/2013 03:25 PM, Robert Moskowitz wrote: On 02/25/2013 02:33 PM, Robert Moskowitz wrote: On 02/25/2013 02:00 PM, Casey Deccio wrote: On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz r...@htt-consult.com mailto:r...@htt-consult.com wrote: Yes, I know lots of places don't have

Re: Stop of logging of No Valid Signature Found

On 02/25/2013 08:15 PM, Mark Andrews wrote: In message 512c09f5.4040...@htt-consult.com, Robert Moskowitz writes: On 02/25/2013 03:25 PM, Robert Moskowitz wrote: On 02/25/2013 02:33 PM, Robert Moskowitz wrote: On 02/25/2013 02:00 PM, Casey Deccio wrote: On Mon, Feb 25, 2013 at 5:09 AM

Re: Stop of logging of No Valid Signature Found

On 02/25/2013 08:38 PM, Mark Andrews wrote: In message 512c1009.4060...@htt-consult.com, Robert Moskowitz writes: dnssec-enable yes; dnssec-validation yes; digging back in the archive here, I find out this should be dnssec-validation auto; Actually it can be either. It's

Re: Stop of logging of No Valid Signature Found

On 02/25/2013 09:36 PM, Mark Andrews wrote: In message 512c18eb.2050...@htt-consult.com, Robert Moskowitz writes: On 02/25/2013 08:38 PM, Mark Andrews wrote: In message 512c1009.4060...@htt-consult.com, Robert Moskowitz writes: dnssec-enable yes; dnssec-validation yes; digging

Re: Registrar that supports self-run domains and provides DNSSEC support

On 02/22/2013 10:51 AM, Mike Hoskins (michoski) wrote: I know this last bit from experience, having worked at CELECs back in the day and running an ISP that was severely underfunded because the Internet was new and couldn't be trusted like a telephone. Lots of committed people working long

Re: Not - Re: New DNS server up and running

. On 21/02/13 2:59, Robert Moskowitz wrote: On 02/20/2013 08:28 PM, Robert Moskowitz wrote: It looks like no system, internal or external could access the DNS on my new server. IPTABLES was set for 53 both UDP and TCP. Firewall was OK. In fact a local system on the same subnet, thus NOT going

Re: Not - Re: New DNS server up and running

localhost. On 21/02/13 2:59, Robert Moskowitz wrote: On 02/20/2013 08:28 PM, Robert Moskowitz wrote: It looks like no system, internal or external could access the DNS on my new server. IPTABLES was set for 53 both UDP and TCP. Firewall was OK. In fact a local system on the same subnet, thus

allow-query and views

I am reading: https://www.isc.org/software/bind/faq and 'What has changed in the behavior of allow-recursion and allow-query-cache '. I am struggling here trying to match up the various access control features, particularly when we are suppose to have different views for different clients.

Re: allow-query and views

On 02/21/2013 10:40 AM, Matus UHLAR - fantomas wrote: On 21.02.13 08:59, Robert Moskowitz wrote: I am reading: https://www.isc.org/software/bind/faq and 'What has changed in the behavior of allow-recursion and allow-query-cache '. I am struggling here trying to match up the various access

Re: allow-query and views

On 02/21/2013 12:10 PM, Matus UHLAR - fantomas wrote: On 21.02.13 08:59, Robert Moskowitz wrote: I am reading: https://www.isc.org/software/bind/faq and 'What has changed in the behavior of allow-recursion and allow-query-cache '. I am struggling here trying to match up the various access

Re: allow-query and views

On 02/21/2013 11:50 AM, Vernon Schryver wrote: correct, no external hosts should query your cache. OK. There is no substitute for testing assumptions, mailing list assurances, understandings of documentation, etc. Test from outside your network to see that your DNS servers don't answer

Re: allow-query and views

On 02/21/2013 12:58 PM, Mike Hoskins (michoski) wrote: -Original Message- From: Robert Moskowitz r...@htt-consult.com Date: Thursday, February 21, 2013 12:53 PM To: Vernon Schryver v...@rhyolite.com Cc: bind-users@lists.isc.org bind-users@lists.isc.org Subject: Re: allow-query

Re: allow-query and views

On 02/21/2013 01:54 PM, Matus UHLAR - fantomas wrote: On 21.02.13 12:45, Robert Moskowitz wrote: Fact: No clients could access DNS from my server, both internal and external (I have hotspot on my cellphone, so I can attach a client to it to get external testing) UNTIL I added the allow

Re: allow-query and views

On 02/21/2013 02:04 PM, Vernon Schryver wrote: From: Robert Moskowitz r...@htt-consult.com Whow... This is news. A hidden view? Where is this documented. The ARM says in part: Built-in server information zones The server provides some helpful diagnostic information through

Re: allow-query and views

On 02/21/2013 02:16 PM, Vernon Schryver wrote: The ARM says in part: Built-in server information zones The server provides some helpful diagnostic information through a number of built-in zones under the pseudo-top-level-domain bind in the CHAOS class. These zones are part of

Re: Most specific match on PTR records

On 02/21/2013 06:49 PM, Mark Andrews wrote: In message CANYsE-zYQh7Jv4QoVM45q-w1Vz1=YBk7j=K=ooq01ugyvw_...@mail.gmail.com, Nikita Koshiko v writes: Hello list, I'm trying to cut /24 network from the scope of /8 network, here is example: zone 11.2.10.in-addr.arpa {

New DNS server up and running

Phase I is hopefully complete. A new onlo.htt-consult.com is up in place of the old one. This is a faster box with current software. I will 'leave it alone' for a week, unless someone tells me something is wrong with it. Next I unlock my domain from NetSol and choose my new registrar and

Not - Re: New DNS server up and running

updates. So I hope someone can point me to what I have missed. On 02/20/2013 02:07 PM, Robert Moskowitz wrote: Phase I is hopefully complete. A new onlo.htt-consult.com is up in place of the old one. This is a faster box with current software. I will 'leave it alone' for a week, unless

Re: Not - Re: New DNS server up and running

On 02/20/2013 08:28 PM, Robert Moskowitz wrote: It looks like no system, internal or external could access the DNS on my new server. IPTABLES was set for 53 both UDP and TCP. Firewall was OK. In fact a local system on the same subnet, thus NOT going through my firewall was denied access

Registrar that supports self-run domains and provides DNSSEC support

Delving further into my challenges. Right now I use Network Solutions as my registrar. Just never changes as they were the only show in town back then. But they don't seem to support DNSSEC protected domains, and even IPv6 glue records are special requests, it seems. My registration is up

Free secondary servers supporting DNSSEC?

I hope to roll out my DNS upgrade today, but without enabling DNSSEC; that will take a bit longer. One of my secondaries, though, does not support DNSSEC and it is the one that gives me a bit of geographical diversity. So I am looking for someplace that will accept my smallish domains.

Re: Free secondary servers supporting DNSSEC?

On 02/17/2013 09:57 AM, David Forrest wrote: On Sun, 17 Feb 2013, Vernon Schryver wrote: In any case, some naming and shaming seems appropriate. Basic Naming and shaming seems excessive for a free service. Just like I am FINALLY moving to DNSSEC, the fellow running the system I have

Re: Free secondary servers supporting DNSSEC?

On 02/17/2013 09:44 AM, Vernon Schryver wrote: From: Robert Moskowitz r...@htt-consult.com One of my secondaries, though, does not support DNSSEC How does a secondary authoritative DNS server fail to support DNSSEC? It's not as if it would be doing any signature checking or automagic (re

Re: Free secondary servers supporting DNSSEC?

On 02/17/2013 11:48 AM, Vernon Schryver wrote: From: David Forrest d...@maplepark.com In any case, some naming and shaming seems appropriate. Basic Naming and shaming seems excessive for a free service. Services that do not charge users money are often not really free. This is my concern

  1   2   >