Re: queries for "_.domain"

On Fri, May 17, 2024 at 03:25:01PM +0200, Matus UHLAR - fantomas wrote a message of 43 lines which said: > I have noticed that BIND sends strange (for me) queries. > > 5 0.198221 192.168.0.1 → 193.108.88.128 DNS 105 Standard query 0x15a4 A > _.net.akadns.net OPT QNAME minimisation

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

On Wed, Dec 13, 2023 at 05:29:02PM +0100, Michel Diemer via bind-users wrote a message of 1723 lines which said: > another virtual machine that uses the first one as ics dhcp and dns > server. An important thing about DNS: there are two types of DNS servers, very different. Resolvers and

Re: DNSSEC error resolving gpo.gov ?

On Tue, Mar 14, 2023 at 11:35:38AM -0400, Alexandra Yang wrote a message of 183 lines which said: > I wonder if any of your nameserver resolve it just fine, like 8.8.8.8 > works Among RIPE Atlas probes, most succeed: % blaeu-resolve --displayvalidation -r 100 --type A gpo.gov [ (Authentic

Re: DNSSEC error resolving gpo.gov ?

On Tue, Mar 14, 2023 at 11:08:28AM -0400, Alexandra Yang wrote a message of 154 lines which said: > I wonder if anyone can shed some light on this, our nameserver(BIND > 9.16.37 )keeps giving error on resolving gpo.gov and ns3.gpo.gov, > here are the > errors: "DS record for zone gpo.gov

Re: Setting Up An Running Your Own Dmarc using Bind DNS

On Mon, Jun 27, 2022 at 02:16:26PM -0400, daniel jay foran wrote a message of 370 lines which said: > I cant be the only one that has racked his brains and written > hundreds of lines of code trying to get ISC BIND 9 to authenticate > Dmarc records correctly. I'm not sure I understand you

Re: Supporting LOC RR's

On Wed, Apr 13, 2022 at 03:39:33PM +0200, Bjørn Mork wrote a message of 14 lines which said: > Which problems do LOC solve? > > I remember adding LOC records for fun?() in the previous millennium when > RFC 1876 was fresh out of the press. But even back then paranoia > finally took over,

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

On Sat, Jan 08, 2022 at 06:10:26PM +, Jason Vas Dias wrote a message of 72 lines which said: > What are "RIPE Atlas Probes" ? Small boxes that volunteers from all over the world install in various networks to run active measurements (DNS, ping, traceroute, etc). Very handy to see the

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

On Sat, Jan 08, 2022 at 04:55:24PM +0100, Stephane Bortzmeyer wrote a message of 52 lines which said: > This domain name seems OK for me but I notice that a fair number of > RIPE Atlas probes in Ireland return a fake NXDOMAIN for this name: On Twitter, an Irish DNS exper

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

On Sat, Jan 08, 2022 at 03:34:37PM +, Jason Vas Dias wrote a message of 146 lines which said: >"Book An Appointment": https://covid19booster.healthservice.ie/ > >to make an appointment, Firefox and Chrome both return >"Server Not Found" errors . This domain name seems OK

Re: Getting the name of responding server(s)

On Thu, Sep 09, 2021 at 12:33:22PM +0200, Matus UHLAR - fantomas wrote a message of 59 lines which said: > Note that some domains can be horribly broken and different > nameservers can send different NS, or no NS at all but SOA. Doing this sort of survey on the wild (and wide) Internet leads

Re: Getting the name of responding server(s)

On Thu, Sep 09, 2021 at 03:20:14AM -0700, Ronald F. Guilmette wrote a message of 48 lines which said: > I don't want and don't need SOA records. I want and need only the > relevant NS records. The algorithm proposed by Matt Pounsett uses the SOA but only to find the NS (through the name of

Re: Getting the name of responding server(s)

On Tue, Sep 07, 2021 at 10:48:57AM -0400, Matthew Pounsett wrote a message of 32 lines which said: > Yeah, you can pretty reliably get the answer in one or two steps by > requesting the NS set for the FQDN. You'll either get your answer, or > get an SOA with the name of the enclosing zone.

Re: Getting the name of responding server(s)

On Tue, Sep 07, 2021 at 12:40:14PM -0700, Ronald F. Guilmette wrote a message of 36 lines which said: > >I'm not aware of a tool (free software or not) which does it. Some > >programming will be required. > > I was afraid of that, but thank you for confirming. Don't despair, see the other

Re: Getting the name of responding server(s)

On Tue, Sep 07, 2021 at 09:44:43AM +0200, Stephane Bortzmeyer wrote a message of 34 lines which said: > I'm not aware of a tool (free software or not) which does it. Some > programming will be required. Attached is an example program. Free software licence, whatever you prefer. Re

Re: Getting the name of responding server(s)

On Tue, Sep 07, 2021 at 12:33:59AM -0700, Ronald F. Guilmette wrote a message of 33 lines which said: > My question is rather a simple one. Given some FQDN `D' and given > some DNS record type 'T' (e.g. either A or or perhaps even PTR) > does there exist some open source command line

Re: [External] Re: How can I launch a private Internet DNS server?

On Thu, Oct 15, 2020 at 02:03:52PM -0400, Kevin A. McGrail wrote a message of 8 lines which said: > Firewalls are cheap and the level of effort to run a bastion host are > significant. Firewalls are useful when you want to protect unamanaged printers and Windows boxes (or Web servers with a

Re: How can I launch a private Internet DNS server?

On Thu, Oct 15, 2020 at 11:16:05AM -0700, Fred Morris wrote a message of 50 lines which said: > 2) If you want to run your own DNS nameservers, you will need to buy a >book, read the (BIND) Administrator's Reference Manual, and/or some >RFCs Very bad advice. RFCs are not for the

Re: How can I launch a private Internet DNS server?

On Thu, Oct 15, 2020 at 04:57:16PM +, Jason Long via bind-users wrote a message of 173 lines which said: > I have two static IP addresses. One is for DNS server and one is for > my website. Note that you can put the two servers on the same machine, using the same IP address, since the

Re: How can I launch a private Internet DNS server?

On Thu, Oct 15, 2020 at 04:36:58PM +, Jason Long via bind-users wrote a message of 1594 lines which said: > in the panel of it, I can enter my DNS server IP addresses. I assume you refer to the panel of your domain name registrar. If so, it would be useful to know which is the label near

Re: How can I launch a private Internet DNS server?

On Thu, Oct 15, 2020 at 06:45:01PM +0200, Michael De Roover wrote a message of 65 lines which said: > Your router can port forward traffic to port 53/udp to your local IP > that your DNS server is on. He said that the DNS server has a public IP address so port forwarding is probably not

Re: DNS security, amplification attacks and recursion

On Tue, Jul 07, 2020 at 03:00:13PM +0200, Michael De Roover wrote a message of 46 lines which said: > The command used to test this was apparently "dig +short > test.openresolver.com TXT @your.name.server". ANY instead of TXT may be more efficient (specially with +dnssec), if the goal is to

Re: Bind 9 not responding to queries

On Sun, Apr 12, 2020 at 01:41:52AM +, sir izake wrote a message of 153 lines which said: > At specific times of day bind fails to respond to queries even > though service is shown to run (configured to respond to my network > IPs, this works fine till this time when service fails to

Re: Unable to completely transfer root zone

On Mon, Feb 10, 2020 at 02:32:55PM -0500, Warren Kumari wrote a message of 70 lines which said: > Also, can you try: > dig +tcp . axfr @192.0.32.132 > dig +tcp . axfr @192.0.47.132 > dig +tcp . axfr @b.root-servers.net > > (no, I'm not really sure why trying with the first 2 IPs instead of >

Re: Strange DNS problem

On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen wrote a message of 58 lines which said: > Then, unfortunately our nameservers won't resolve ns.kpk.fi either. Same authoritative name server, same problem. See my email. % dig @ns.datatower.fi. NS kpk.fi. ;; Warning: Client COOKIE

Re: Strange DNS problem

On Mon, Jun 10, 2019 at 02:28:46PM +, Jukka Pakkanen wrote a message of 382 lines which said: > An example, the client domain is raimoasikainenoy.fi. dig clearly says it's a cookie issue: % dig @193.184.54.212 NS raimoasikainenoy.fi ;; Warning: Client COOKIE mismatch An DNSviz

Re: cyberia.net.sa

On Tue, Jun 26, 2018 at 03:36:25PM +0200, Matus UHLAR - fantomas wrote a message of 19 lines which said: > Some web DNS checkers do great job. And some are really bad and/or broken. Let's mention the right ones: https://dnsviz.net/ https://zonemaster.net/

Re: My domain name name not propagating through the Internet.

On Sat, May 26, 2018 at 12:57:26PM -0400, Rick Dicaire wrote a message of 276 lines which said: > Hi Thomas, obfuscating IP addresses doesn't help in the least. No problem, the IP address is known by the TLD name servers. % dig @a.gtld-servers.net ns1.sleepyvalley.net ;

Re: My domain name name not propagating through the Internet.

On Sat, May 26, 2018 at 11:44:58AM -0500, Thomas Strike wrote a message of 269 lines which said: > they say that the problem is with my server. They were right. > I am here asking for fresh sets of eyes to look at my setup file and the > domain zone record that is

Re: TLD Registries supporting RFC 7344/8078

On Tue, Mar 13, 2018 at 10:52:50AM +0100, Carsten Strotmann wrote a message of 19 lines which said: > is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078) > already support at the TLD level somewhere? I know it is implemented > in BIND 9.11+ and Knot, but can it

Re: BIND9 and AS112

On Fri, Mar 09, 2018 at 03:28:18PM +0300, Diarmuid O Briain wrote a message of 427 lines which said: > However quite frankly I do not get how the AS112 service is accessed via > anycast. Did you configure your routing as mentioned in section 3.4 of RFC 7534? > Another

Re: BIND9 and AS112

On Fri, Mar 09, 2018 at 12:32:41PM +0300, Diarmuid O Briain wrote a message of 122 lines which said: > Mar 09 08:11:43 as112 named[3787]: internal_send: 2620:4f:8000::42#53: > Invalid argument > Mar 09 08:11:43 as112 named[3787]: internal_send: 192.175.48.42#53: Invalid

Re: Suggestions for a distributed DNS zone hosting solution I'm designing

On Thu, Mar 08, 2018 at 12:52:57PM +, Tony Finch wrote a message of 49 lines which said: > Best way to achieve this is with anycast, which can be pretty > time-consuming to set up - try searching for Nat Morris's > presentation "anycast on a shoestring" which he gave at

Re: dnssec validation issue

On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote a message of 677 lines which said: > # dig @localhost www.icann.org A +dnssec When you suspect a DNSSEC issue, always retry dig with +cd (Checking Disabled). And post the result.

Re: Forward record for WWW

On Thu, May 05, 2016 at 04:06:06PM +, Cuttler, Brian R. (HEALTH) wrote a message of 34 lines which said: > I configured the change for my external test server only > (199.184.16.7, which is _probably_ available for external query) No. % dig @199.184.16.7 A

Re: Forward record for WWW

On Thu, May 05, 2016 at 03:42:24PM +, Cuttler, Brian R. (HEALTH) wrote a message of 29 lines which said: > External record in the zone file is actually > wadsworth.org. 300 IN A 199.184.16.22 None of the three name servers for wadsworth.org serve this A

Re: Intermittent Issues Resolving Microsoft Hostnames

On Wed, May 04, 2016 at 02:02:24PM -0400, Rob Heilman wrote a message of 305 lines which said: > We run BIND 9.9.5-9 on Debian x86_64 to support a moderately sized > email hosting system. System info listed at the end of this > message. We are seeing intermittent but

Re: Monitor DNS queries toward Root severs

On Wed, May 04, 2016 at 07:03:13PM +1000, Mark Andrews wrote a message of 15 lines which said: > fill in with the rest of the root servers names. And if you don't like to type, or if you use another root: sudo tcpdump -n -i ${INTERFACE} port 53 and \( $(for ns in $(dig

Re: Adding CNAME for the root domain issue

On Wed, Apr 27, 2016 at 07:32:48AM -0700, Matthew Pounsett wrote a message of 49 lines which said: > One of these days I'd like to lead a serious lobbying effort against > the browser developers at the W3C to have SRV records for HTTP > standardized. I fully agree and, if

Re: Adding CNAME for the root domain issue

On Wed, Apr 27, 2016 at 10:23:19AM -0400, Barry Margolin wrote a message of 28 lines which said: > You would only be able to do this if you could put the CNAME record > in the parent domain, instead of delegating domain.com to your own > server. But do any domain

Re: Adding CNAME for the root domain issue

On Wed, Apr 27, 2016 at 05:26:53PM +0300, Daniel Dawalibi wrote a message of 50 lines which said: > DNS registrar that can offer this option by using apex/naked/root > domain redirection Sorry, but I cannot parse this sentence. Also, as I said, this is not about

Re: Adding CNAME for the root domain issue

On Wed, Apr 27, 2016 at 05:05:50PM +0300, Daniel Dawalibi wrote a message of 52 lines which said: > our setup requires a CNAME record. Bad setup. (And has always been bad.) ___ Please visit

Re: Adding CNAME for the root domain issue

On Wed, Apr 27, 2016 at 01:56:27PM -, John Levine wrote a message of 23 lines which said: > Assuming you mean this (notice the dots): > > Domain.com. CNAME x.y.com. > www CNAME x.y.com. > > it should work. I disagree. I have the same experience as Daniel

Re: Adding CNAME for the root domain issue

On Wed, Apr 27, 2016 at 02:55:18PM +0300, Daniel Dawalibi wrote a message of 99 lines which said: > We are facing a resolving problem on BIND DNS when adding a CNAME RR > for root domain and other records. I don't think that you manage the root domain so you

Re: named DNS resolution latency

On Wed, Apr 27, 2016 at 02:33:26AM -0400, digen wrote a message of 169 lines which said: > Any inputs on debugging this problem will be much appreciated. The usual stuff: 1) Is the machine hosting the resolver overloaded? top, for instance 2) is the link to the

Re: g.root-servers.net not reachable anymore

On Thu, Apr 14, 2016 at 11:55:04AM +0300, Daniel Dawalibi wrote a message of 22 lines which said: > Do you think it is better to remove it from named.root? Certainly not, your resolver removes it automatically from the list of authoritative servers for the zone.

Re: g.root-servers.net not reachable anymore

On Thu, Apr 14, 2016 at 08:35:00AM +0200, Daniel Stirnimann wrote a message of 14 lines which said: > Looks like you are not alone! > > https://atlas.ripe.net/dnsmon/group/g-root Only broken over UDP. Works on TCP and still replies to traceroute.

Re: Resolution differences for getaddrinfo versus host/dig/delv

On Wed, Nov 18, 2015 at 12:19:57PM +, Phil Mayers wrote a message of 44 lines which said: > I suspect getaddrinfo isn't parsing the DNS response for some reason. ... > Obviously the *.thing on the RHS of the first CNAME is weird, but is it > illegal? Yes, for a

Re: How are DNS Records added dynamically in DNS Servers?

On Mon, Sep 07, 2015 at 03:33:00PM +0530, Harshith Mulky wrote a message of 60 lines which said: > How do System administrators add DNS Zone records in DNS Servers? By not using outlook.com for email :-) No, I'm kidding, there are several ways: > Is there a

[DNSSEC] BIND validates but not Unbound: who is right?

[The domain has recently changed its configuration so do not test it.] With Unbound, I get a SERVFAIL: % dig DNSKEY cepn.asso.fr ; DiG 9.9.5-8-Debian DNSKEY cepn.asso.fr ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 62442 ;; flags: qr rd ra; QUERY: 1,

Re: [DNSSEC] BIND validates but not Unbound: who is right?

On Tue, Feb 17, 2015 at 07:34:37AM +1100, Mark Andrews ma...@isc.org wrote a message of 171 lines which said: The validator is *not* supposed to *check* if the zone has been signed with all the alogorithms in the DS RRset. It is supposed to keep trying all RRSIG/DS/DNSKEY combinations

SERVFAIL when increasing recursive-clients? (Was: bind-users Digest, Vol 1902, Issue 2

On Fri, Aug 01, 2014 at 09:56:53AM +0700, Xuan Hung hungn...@viettel.com.vn wrote a message of 298 lines which said: I think this problem of me, need have version new of Bind. 9.9.5 is quite recent. Actually, it is the latest in 9.9 branch. What makes you think upgrading would change

Re: problem registering DS records with EDUCAUSE, sanity check please

On Mon, Jul 14, 2014 at 07:14:57PM -0700, Paul B. Henson hen...@acm.org wrote a message of 56 lines which said: I also don't think this is what educause is doing, as I haven't had any trouble entering DS records for published but not activated KSK's in the past, You can also note that it

Re: problem registering DS records with EDUCAUSE, sanity check please

On Mon, Jul 14, 2014 at 01:24:38PM -0700, Paul B. Henson hen...@acm.org wrote a message of 135 lines which said: And finally, the new key I just created, for which I'm trying to add DS records. The dsset file created by dnssec-signzone says these records should be: I find the same values

Re: problem registering DS records with EDUCAUSE, sanity check please

On Mon, Jul 14, 2014 at 10:40:19PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 19 lines which said: So, I suspect a bug in EDUCAUSE. Your DNSKEY set being a little over 1500 bytes, you may suspect a MTU issue. ___ Please visit

Re: Handling of expired RRSIG records - ise.gov

On Wed, May 21, 2014 at 12:56:32PM +0100, Simon Waters simon.wat...@surevine.com wrote a message of 58 lines which said: BIND 9 logs report: RRSIG has expired for www.ise.gov Indeed. www.ise.gov.43200 IN RRSIG CNAME 5 3 43200 ( 20140513120652

Re: Audit the consistency of zone files on DNS servers

On Fri, Mar 14, 2014 at 12:33:47PM +, Phil Mayers p.may...@imperial.ac.uk wrote a message of 25 lines which said: dig @server zone axfr file diff file file.real diff is not clever enough, you'll find many spurious differences. Try feeding the two files (the local one and the AXFRed one)

Re: Audit the consistency of zone files on DNS servers

On Fri, Mar 14, 2014 at 12:33:47PM +, Phil Mayers p.may...@imperial.ac.uk wrote a message of 25 lines which said: dig @server zone axfr file diff file file.real If you're really paranoid, it may not be sufficient since a server may reply differently to normal DNS queries and to zone

Re: source address problem

On Tue, Feb 04, 2014 at 10:40:46AM +0100, ro...@ip-plus.net ro...@ip-plus.net wrote a message of 19 lines which said: I use the options query-source, notify-source, and transfer-source. Still I get outgoing queries with another source address. Are you sure they come from BIND and not from,

Re: Rate-limiting - working? How to test?

On Fri, Jan 17, 2014 at 01:34:00PM +, John Horne john.ho...@plymouth.ac.uk wrote a message of 40 lines which said: log-only yes; From the ARM: Use commandlog-only yes/command to test rate limiting parameters without actually dropping any requests. I get 10

Re: Gi/Gn DNS for telecoms

On Fri, Nov 15, 2013 at 02:47:10PM +0530, benjamin fernandis benjo11...@gmail.com wrote a message of 50 lines which said: Can we use bind DNS for Gi/Gn DNS? I have no idea what Gi/Gn is. Can anyone post an explanation? ___ Please visit

Re: Does anyone have DNSSEC problem with uscg.mil

These name servers have another interesting feature: the serial number is different depending on whether you set the DO bit or or: % dig +short +dnssec +bufsize=4096 @ns1.uscg.mil SOA uscg.mil osc-bloxmaster.iap.uscg.mil. hostmaster.uscg.mil. 2012079853 10800 1080 604800 900 ... % dig +short

DNS 64 and the new domain ipv4only.arpa

I try to understand DNS64 and there is a problem I don't get. I have BIND configured with: dns64 2001:db8:1:64::/96 { // Network-Specific Prefix clients { me; }; }; and it works, synthesis happens when the domain name has no records: % dig +cd @localhost -p

Re: DNS 64 and the new domain ipv4only.arpa

On Tue, Oct 22, 2013 at 12:47:38AM +1100, Mark Andrews ma...@isc.org wrote a message of 98 lines which said: dns64 { clients { me; }; break-dnssec yes; }; OK, it works without the DO bit (dig +nodnssec, I had +dnssec in my ~/.digrc) or with

Logging of rate-limited queries way too talkative

I'm trying RRL on the new BIND 9.9.4. When RRL steps in, if I understand the documentation properly, two things are logged, a summary of the beginning and end of RRL, and one message per rejected query (!) Since RRL is used when there is an attack, there are *many* such messages. Worse, the

SERVFAIL when two SOA in the domain

One of my contacts noticed that you cannot query 42.fr's SOA with BIND: SERVFAIL. Querying other types, or using Unbound (or Google Public DNS) instead of BIND works. The only thing special he sees is the double SOA: % dig SOA 42.fr ; DiG 9.9.2-P1 SOA 42.fr ;; global options: +cmd ;; Got

Re: How to get AD flag

On Fri, Aug 02, 2013 at 10:49:22AM +0530, rams brames...@gmail.com wrote a message of 41 lines which said: I have 9.7 bind installed and configured recursive. When i query against forwader i am not getting AD flag. Could you please guide me how to get AD flag. Several possible reasons:

[auto-dnssec] Switching to NSEC3 leaves behind stale NSEC signatures?

I have a zone maintained by: inline-signing yes; auto-dnssec maintain; update-policy local; I switched it from the default NSEC to NSEC3 with: rndc signing -nsec3param 1 0 10 68f499ee auto.rd.nic.fr It seems to work but the zone still contains NSEC signatures (but no

auto-dnssec maintain and no key: no error message?

When I run a BIND with auto-dnssec maintain and inline-signing yes, if I create no key, there is no error message and, worse, the log file says the zone is signed: Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (unsigned): loaded serial 2013073000 Jul 30 16:31:42 u12-33673

Re: auto-dnssec maintain and no key: no error message?

On Tue, Jul 30, 2013 at 09:50:46AM -0500, Jeremy C. Reed jr...@isc.org wrote a message of 7 lines which said: Of course, there is no signature: % dig +multi @localhost SOA auto.rd.nic.fr Add +dnssec [I thought it was in my .digrc.] It changes nothing. Without a key, BIND could not

Re: auto-dnssec maintain; and key missing or inactive and has no replacement

On Thu, Jul 25, 2013 at 12:05:35AM +0100, Tony Finch d...@dotat.at wrote a message of 21 lines which said: Obvious question: does BIND have permission to read the private key? Yes, it runs (it is an experimental setup) as the same user which owns the private key file. I guess it does since

Re: auto-dnssec maintain; and key missing or inactive and has no replacement

On Wed, Jul 24, 2013 at 09:58:08AM -0700, David Newman dnew...@networktest.com wrote a message of 89 lines which said: Not sure if this is the problem, but have you tried with managed-keys-directory in options instead of key-directory? I just tried, and same warning: 26-Jul-2013

Re: auto-dnssec maintain; and key missing or inactive and has no replacement

On Fri, Jul 26, 2013 at 08:54:26AM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 23 lines which said: I just tried, and same warning: But only at startup and not afterwards so it is an improvment. ___ Please visit https

Re: auto-dnssec maintain; and key missing or inactive and has no replacement

On Fri, Jul 26, 2013 at 08:52:04AM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 24 lines which said: Yes. I tested with two keys, a KSK and a ZSK and the warning disappears. Another solution, even if using only one key, is to add: update-policy local; # Necessary

auto-dnssec maintain; and key missing or inactive and has no replacement

I'm trying auto-dnssec maintain; with a BIND 9.9.3-P1. My configuration is: options { directory /tmp/bind; key-directory /tmp/bind; }; zone example { type master; file example; inline-signing yes; auto-dnssec maintain; }; Apparently, everything

Re: New warning message...

On Mon, Jul 22, 2013 at 03:01:47PM +1000, Mark Andrews ma...@isc.org wrote a message of 56 lines which said: It SHOULD have record of type SPF as per RFC 4408. Named will complain if both types are not present. Then, named is now wrong, since RFC 6686.

Re: New warning message...

On Mon, Jul 22, 2013 at 12:39:53PM +0200, Matus UHLAR - fantomas uh...@fantomas.sk wrote a message of 28 lines which said: This was discussed here already, and imho this is anti-spf bullshit like all those spf breaks forwarding FUD. The SPF RR is already here and is preferred over TXT that

Re: Can I change the zone file from command line?

On Tue, Jul 23, 2013 at 02:30:49PM -0400, Kevin Darcy k...@chrysler.com wrote a message of 565 lines which said: When you dial a telephone number, do you worry that your dialing may have consequences against telephone numbers that you *didn't* dial? Seems very unlikely. OK, but switching

Re: dns update issue

On Wed, Jul 24, 2013 at 10:52:51AM -0400, James Chase chase1...@gmail.com wrote a message of 64 lines which said: However if I try to ping dns3.mandala-designs.com from different network locations it still returns the IP address of our old server, Probably the usual problem with in-zone

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

On Wed, Jul 17, 2013 at 05:05:31PM -0700, Ray Van Dolson rvandol...@esri.com wrote a message of 36 lines which said: Tried dns-ad...@fbi.gov but got a bounce. :( You want Sandra Bullock's, er, Sarah Ashburn's phone number? http://en.wikipedia.org/wiki/The_Heat_%28film%29

Re: Rate-Limit Question

On Fri, Jun 14, 2013 at 02:27:50PM +, Manson, John john.man...@mail.house.gov wrote a message of 138 lines which said: We are running Bind 9.9.2 and would like to invoke the rate-limit option but named says 'unknown option'. RRL (Response Rate Limiting) is an unofficial patch. You'll

Re: querying TLD nameservers - limitations

On Sun, Mar 24, 2013 at 04:55:13PM -0700, blrmaani blrma...@gmail.com wrote a message of 17 lines which said: I am developing a monitoring script for internal use and this requires extensive querying of TLD nameservers (a .. m).tld servers. [TLD operator hat on.] Hard to ansdwer without

Re: jabber.isc.org

On Mon, Jan 21, 2013 at 04:35:39PM +0200, Georg Kahest georg.kah...@internet.ee wrote a message of 19 lines which said: I'm unable to figure out where does one register for jabber.isc.org account. I don't speak for ISC but may I ask why you need one? There are many XMPP providers in the

Re: jabber.isc.org

On Mon, Jan 21, 2013 at 04:44:53PM +0200, Georg Kahest georg.kah...@internet.ee wrote a message of 19 lines which said: I was interested of idling in bind 10 dev channel. So? XMPP is federated, like any good system (like email). You don't need an account in the isc.org email server to use

Re: jabber.isc.org

On Mon, Jan 21, 2013 at 05:09:16PM +0200, Georg Kahest georg.kah...@internet.ee wrote a message of 20 lines which said: I'm failing to understand how i should configure my xmpp client ( pidgin ) without user credentials. Without entering username/password i can't add the account, and with

Re: jabber.isc.org

On Mon, Jan 21, 2013 at 04:17:40PM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 19 lines which said: 1) Choose a XMPP provider. I would recommend Google Talk (gratis, very reliable) since this is the one I use. If you don't like/use Google, jabber.org offers a gratis

Re: How to Limit DNS Request per ip source ?

On Mon, Jan 14, 2013 at 06:36:44PM +0530, Gaurav Kansal gaurav.kan...@nic.in wrote a message of 156 lines which said: I tried the following commands, but unfortunately didn't succeed. Why do you want to limit? If it is against a DoS attack, I warn you that most Netfilter modules (for

Re: Caching name server - Choosing the root-servers

On Fri, Dec 14, 2012 at 09:00:31AM +, Can Şirin sirin...@itu.edu.tr wrote a message of 114 lines which said: I mean, choosing the faster ones (root-servers) is gonna be better for speed performans. Yes, but BIND does it (testing the fastest) and probably better than you. Is there any

Re: multiple entries for TXT record

On Fri, Oct 26, 2012 at 06:08:32AM -0700, enigmedia online-...@enigmedia.com wrote a message of 29 lines which said: TXT IN (v=spf1 a mx ptr ip4:65.49.39.152/29 ~all DZC=DlaVBmG) This is *one* TXT record made of two strings. Whether or not the SPF standard

Re: multiple entries for TXT record

On Fri, Oct 26, 2012 at 06:31:31AM -0700, enigmedia online-...@enigmedia.com wrote a message of 34 lines which said: I wasn't sure if I was allowed to have more than one TXT record in a zone, and when I googled around the only references I saw were to concatenating multiple name-value pairs

[DNSSEC] Dealing with an inconsistent NSEC

It may be a bug in BIND and it is certainly a bug in the zone pcextreme.nl. BIND validating resolvers are unable to get the IP address of v1.pcextreme.nl. I believe this is because of the strange NSEC: tools-newerst.pcextreme.nl. 2315 IN NSECv2.pcextreme.nl. RRSIG NSEC which says

Re: [DNSSEC] Dealing with an inconsistent NSEC

On Tue, Oct 23, 2012 at 06:27:12AM -0700, Casey Deccio ca...@deccio.net wrote a message of 88 lines which said: The issue here is that no delegation NS records exist for v1.pcextreme.nlin its parent zone, pcextreme.nl. Thus when any server (authoritative for both zones) is queried for

Re: DNS software used by cloudflare

On Tue, Sep 18, 2012 at 08:31:13PM +0800, pangj pa...@riseup.net wrote a message of 12 lines which said: do you know what dns software is used by cloudflare? I don't know. and how they defend the DDoS against DNS? http://blog.cloudflare.com/65gbps-ddos-no-problem

Re: Glue from Root Servers returns wrong A record, why?

On Mon, Sep 10, 2012 at 11:47:38AM -0700, Ponga ponga2...@gmail.com wrote a message of 55 lines which said: But if I ask any root server, [...] DiG 9.7.3 -t ns intaq.com @192.42.93.30 192.42.93.30 is not a root name server. ___ Please visit

Re: Root hints updates

On Thu, Sep 06, 2012 at 08:06:45AM -0400, Timothe Litt l...@acm.org wrote a message of 466 lines which said: This is a script to automagically update the root hints file. Since the first thing BIND does at startup is to check the root NS set, and since DNSSEC guarantees that it is genuine,

Re: Question related to domain names and less to bind straight.

On Wed, Sep 05, 2012 at 07:51:05AM +0100, Phil Mayers p.may...@imperial.ac.uk wrote a message of 18 lines which said: See also: http://publicsuffix.org/ And remember it is unofficial, not perfectly maintained and has several holes. It's OK if you accept a few misclassifications.

Re: Sunos 5.8 Error:EDNS not supported by your namesever

On Wed, Sep 05, 2012 at 10:01:45AM +0300, syed haq smu...@gmail.com wrote a message of 66 lines which said: EDNS not supported by ***.**.**.** 1) Test your name server to be sure the diagnostic is correct: dig +bufsize=4096 @YOUR-NAME-SERVER SOA YOUR-DOMAIN You should get in the answer

Re: Sunos 5.8 Error:EDNS not supported by your namesever

On Wed, Sep 05, 2012 at 11:11:43AM +0300, syed haq smu...@gmail.com wrote a message of 134 lines which said: That means EDNS is not supported by that var of SunOS ,can you give me the commands for checking the ENDS,BIND version in sunos I already gave them (dig). You simply cannot expect to

Re: Sunos 5.8 Error:EDNS not supported by your namesever

On Wed, Sep 05, 2012 at 04:29:25PM +0300, syed haq smu...@gmail.com wrote a message of 769 lines which said: That means I need to completely upgrade the OS to make the EDNS support Personal opinion: you need to follow a serious Unix sysadmin training first. From your messages, it seems you

Re: ho to filter hundeds of domains ?

On Thu, Aug 30, 2012 at 01:34:07PM +0100, Niall O'Reilly niall.orei...@ucd.ie wrote a message of 32 lines which said: Don't waste your time. This approach is superficial. http://www.bortzmeyer.org/images/please-close-gate.jpg :-)

Re: ho to filter hundeds of domains ?

On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said: Actually many telephone companies in the world are doing this, They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer). Copying telephone companies is not

  1   2   3   4   >