es, and I use `nsvi` to
edit dynamic zones in place, or `nspatch` to update a live zone from a
file stored in version control. https://dotat.at/prog/nsdiff/
--
Tony Finch(he/they) Cambridge, England
Southeast Iceland: Southwesterly severe gale 9 to violent storm 11,
becoming cyclonic 6 to gale 8
'
exit 1
esac
curl -Ssf http://$1/json |
jq '.views |
to_entries |
.[] |
.key as $view |
.value.zones[] |
"\($view) \(.type) \(.serial) \(.name)"
'
not likely to change any
time soon, so the old isc.rndc module should continue to work. But it's
easier to use the command line program.
can just add the new record which implicitly replaces
the old one. For NS records, in my experience complete replacement is rare
enough that it's OK to simply nspatch the zone twice. (The NS delete will
be ignored instead of rejected.)
the .private
keys? can it read and write to the zone files? can it read and write to
the directories containing the keys and the zone files?
ur parent
zone.
If these devices allow you to configure DNS servers for readiness checks
separately from general-purpose DNS, then you might be able to work around
the problem by pointing the readiness checks at an authoritative-only
server, if the devices are willing to find their answer in the
eading, because the DNS
protocol does not allow a master to tell a slave to do anything. (The
closest is NOTIFY which is a hint not a command.)
> You just have to give yourself time to get used to them.
Indeed :-)
rd.
(The public exponent is usually 65537, which is why RSA keys typically
start AwEAA rather than being completely random.)
each zone.
On the other hand, anycast is a good way to improve the availability and
maintainability of your resolvers, because your users' devices talk
directly to them, and if they don't work there might as well not be an
Internet connection.
st, that's the way I did it before
dnssec-policy made things even more automatic.)
test record by the keepalived health check scripts.
Cambridge has a residency rule for students that requires them to live
within 3 miles of the city centre, so the 10km diameter in the LOC record
is in some sense correct and reasonably accurate.
cam.ac.uk LOC 52 12 19.000 N 0 7 5.000 E 18
ht happen). If they both validate then I would expect the
problems to go away.
I should not be sarcastic
about.
It isn't clear to me exactly how configurable or hardcoded your script
needs to be. If you know it will always run in a v4-only environment, or
in either v4-only or dual-stack environments, you might as well hardcode
-4 -l and you'll only need to change it if you have
ff IPv6, they can add -4 to the
variable, or they can get more creative with the -k option. (Sadly you
have to set the server address in the update script, not on the command
line.)
a zone apex then the negative response
will contain the SOA record for the correct zone in its AUTHORITY section.
(PS. you get the prize for my first message to this list with my new email
address!)
John Thurston wrote:
> Are we not able to use catalog zones to propagate zone-configuration for
> anything other than 'master' zones?
It is only for configuring authoritative secondary zones. You are right
that this isn't completely clear in the documentation, unless you read the
whole section
Gregory Shapiro via bind-users wrote:
>
> Two questions:
Slightly expanding on Mark's answers...
> 1. Is there a reason when BIND is running as both a recursive server and
> an authoritative server for a domain, it doesn't set the AD bit when
> answering resolver queries for one of its
Anand Buddhdev wrote:
>
> The server has many IP addresses. In named.conf, there are 129 IPv6 addresses
> in the "listen-on-v6" option and 128 IPv4 addresses in the "listen-on" option.
> The server begins running, but then repeatedly emits this log:
>
> general: error: socket: file descriptor
Gehrkens.IT GmbH | Heiko Wundram wrote:
>
> From what I gather, this behaviour sounds almost like what RFC 8020 proposes
> (NXDOMAIN cut), but at least according to the corresponding ticket, that
> isn't implemented in BIND.
The other things that can cause the behaviour you observed are
egoitz--- via bind-users wrote:
>
> These are the contents of a cat of the private file I have renamed to
> samename.private-OLD :
>
> Created: 20211031230338
> Publish: 2020220241
> Activate: 2020220341
> Inactive: 20211215230338
> Delete: 20211217230338
Yes, it can be confusing when
Fred Morris wrote:
>
> What I'm looking at is trying to build a BIND kernel, like a nanokernel. Socat
> won't work in this case, because because there's no "IPC" layer, because there
> is only one process in the kernel.
Sounds fun. I think your solution must be to modify BIND's dnstap sender
so
Diego Garcia wrote:
>
> Each 20/30 minutes and lasting about 5 minutes I got 'timeout' in bind
> queries. After that time everything works fine again.
>
> My bind server got a response (from 0.1 to 2 seconds) but replied with an ICMP
> 'port unreachable'.
>
> Any idea the problem or what i can check?
>
Mik J via bind-users wrote:
> How can I check which variables are loaded in memory and considered as active.
As Ray said, usually it isn't ambiguous.
But there are a couple of semi-relevant tools that are worth knowing
about:
You can use `named-checkconf -p` to canonicalize your configuration
Duncan wrote:
>
> Is there any option to suppress warnings if using transfer-source /
> notify-source specifying ports ?
There are good reasons for these warnings.
NOTIFY uses UDP, and source port randomization in UDP is important to
protect against spoofing. Spoofing NOTIFY is relatively
Mirsad Goran Todorovac wrote:
> Please excuse me, as I am a bit confused ...
>
> I have tried to verify your findings, but I've found something awkward:
Something has changed, because earlier I got:
; <<>> DiG 9.10.6 <<>> soa 192/27.186.198.193.in-addr.arpa @193.0.9.6
;; global options: +cmd
Mirsad Goran Todorovac wrote:
>
> I have recently implemented dynamic updates to a sub /24 reverse DNS
> domain, 193.198.186.192/27.
> I had upstream domain 192/27.186.198.193.in-addr.arpa. delegated from
> authoritative servers.
>
> However, something still isn't right. In some reverse PTR
Danilo Godec via bind-users wrote:
>
> I have an authoritative DNS server for a domain, but I was also going to
> use the same server as a recursive DNS for my internal network, limiting
> recursion by the IP. Apparently, this is a bad idea that can lead to
> cache poisoning...
Sort of. It's
Ondřej Surý wrote:
> FTR RRL will not help on this case. There’s no difference between
> response with TC and response with REFUSED.
Yes and no :-) RRL uses a mixture of "slip" (i.e. truncation) and dropping
responses, so it will attenuate REFUSED spam. (The documentation is not
very clear about
Ralph Seichter via bind-users wrote:
>
> How would you go about moving all functionality from Alpha to Beta,
> ideally with minimal downtime, and with the hard requirement of not
> breaking DNSSEC? How would one need to handle key material, zone
> signatures, journals, etc.?
There was this time
Nagesh Thati wrote:
>
> Can anyone tell me why I am getting tsig errors and SERVFAIL errors for
> non managed zones? Why named using the "server statement" TSIG key in
> forwarding queries instead of using this TSIG only for ixfr/axfr?
TSIG is a bit confusing to set up because there are a bunch
Divya wrote:
> How to create DS for 2409::/28
The fun / maddening part of managing reverse DNS is getting to know how
your RIR handles it, and the weird differences from common-or-garden
forward domain registrations. In your case, 2409::/28 is allocated by
APNIC. They have a bit of
Fred Morris wrote:
>
> Didn't see any reason that it had to be separate instances of BIND,
> thought maybe I could do it with views, but I've run into a couple of
> roadblocks:
>
> 1. listen-on isn't supported in views.
Right, listen-on is for the server as a whole.
To control which view is
John Thurston wrote:
> If I have a Reverse Policy Zone (RPZ) defined, I can define a specific answer
> to be sent for a specific record-type for a specific name:
>
> foo.bar.com IN A 10.11.12.13
> foo.bar.com IN TXT "Hello World"
>
> But I can't seem to define one for the record-type
Grant Taylor via bind-users wrote:
> On 11/13/21 7:29 AM, Tony Finch wrote:
> > You should make sure that your public nameservers return a definite nodata
> > or NXDOMAIN reply for your private names, not REFUSED, nor a referral to an
> > RFC 1918 address. The latter two
A couple of general points about private names and addresses:
If you have a private subdomain, e.g. private.cam.ac.uk, and a
non-negligible number of users, the names *will* leak into the outside
world and your public nameservers will get queries for them. You should
make sure that your public
@lbutlr via bind-users wrote:
> I have a domain that I host DNS and email for, but not web. I set the A
> record for www.example.com to the IP of the web server with nsupdate,
> removing the old CNAME that pointed to the local webserver, but the web
> monkey for the new website is saying that www
Edwardo Garcia wrote:
>
> I guess bind can not consolidate like this and we have to put up with a
> million /24 zone files ? I was thinking because we can do classless dele
> with smaller than /24, it would work on bigger :)
It is possible! The basic idea (very briefly) is:
With classless
Sonal Pahuja wrote:
>
> We are sending a CNAME query but currently we don't have any CNAME
> record, just have NS info. What should be the Bind9 response for this
> CNAME query? Will it return NS Record in Authority/Answer section?
In general, applications should not make CNAME queries because
Parkin, Richard (R.) wrote:
>
> I’d like to understand how much traffic is flowing to each forwarder
> (QPS, etc) and monitor that for any issues. Is there a way to do that
> effectively in Bind without putting some kind of network device on the
> outbound path to measure it? If not, does
raf via bind-users wrote:
> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton
> wrote:
>
> > What algorithm(s) are you using for ZSK and KSK? If they’re not the
> > same algorithm, then both will be used to sign the entire zone.
>
> Just out of curiosity, why is that?
> Isn't having the
raf via bind-users wrote:
>
> But that means that it applies to all of the zones in
> /etc/bind/named.conf.default-zones which is not helpful. It also applies
> to the zones in /etc/bind/zones.rfc1918 if that is included in
> /etc/bind/named.conf.local (which a comment there suggested). That's
John Thurston wrote:
>
> But as far as I can tell, the name of the key needs to match the hostname in
> the update-policy statement. I can define a new aes-256 key, but it can't have
> the name "foo.bar.baz.com" while the current md5 key is defined. Nor can I
> find a way to craft an
Klaus Darilion via bind-users wrote:
>
> By reading this KB I do not know how the user will be informed which DS
> (or DNSKEY) must be submitted to the parent zone. I know how to convert
> a DNSKEY to DS, but IMO the KB is very good but misses that point.
I would expect the zone's apex CDS and
Ramesh wrote:
>
> I commented the root hint zone section(default) in the named.conf file to
> stop bind from communicating to the global root DNS servers and it should
> only use the internal forwarders available in the options{} section.
I think the config option you want is `forward only`. The
Jiri Hromadka wrote:
>
> Is there any way to reuse already loaded rpz zone in memory for other
> views ? I know in-view is not an option for rpz, using one master /
> slave zones has same memory effect.
Yeah, in-view would be perfect, if only :-)
You might try setting up a view that only does
Jason Vas Dias wrote:
>
> Please can anyone advise the best way to optimize named's
> UDP timeout settings for caching-only local resolver usage
> over a slow network link - I can't seem to find any in the
> Bv9ARM document specifically describing how named
> implements UDP re-transmits -
Felipe Gasper wrote:
>
> Is there any public code interface that exposes named-checkzone’s
> functionality?
> I’d specifically like to have numeric error codes rather than strings.
It isn't easy to do that, I'm afraid.
There are two places that don't do what you want. The source for
Grant Taylor via bind-users wrote:
> On 6/21/21 11:00 AM, Tony Finch wrote:
> > That advice is out of date: nowadays you should not put any localhost
> > entries in the DNS, because it can cause problems for web browser security.
> > Modern software should suppress que
techli...@phpcoderusa.com wrote:
>
> This book :
> https://www.oreilly.com/library/view/dns-and-bind/0596100574/ch04.html says I
> should manage the localhost within my zone (SOA) and reverse lookup / PTR.
That advice is out of date: nowadays you should not put any localhost
entries in the
Manish Rane wrote:
>
> Would be keen to know if BIND RPZ supports IPv6?
Yes, see https://bind9.readthedocs.io/en/v9_16_6/reference.html#rpz
Tony.
--
f.anthony.n.finch  https://dotat.at/
sovereignty rests with the people and authority
in a democracy derives from the people
John Kristoff wrote:
> Has anyone configured BIND to force TC=1 responses on all queries using
> RRL? I'd like to do this for some experimentation and measurement
> work, but maybe this just isn't the right tool for that job?
>
> I've tried a number of configurations (e.g. slip=1, rate=0) and
PGNet Dev wrote:
>
> With a NOTIFY, something like _your_ old listener
>
> nsnotifyd: handle DNS NOTIFY messages by running a command
> https://dotat.at/prog/nsnotifyd/
>
> Don't know yet how dusty that is, or relevant to current bind 9.16+, etc. --
> -- but the general 'respond immediately to
Matthijs Mekking wrote:
>
> A brief summary. Folks that are interested in the reasons why can read
> up and discuss here:
>
>https://gitlab.isc.org/isc-projects/bind9/-/issues/1890#note_220217
So the fundamental design issue here is related to edge-triggered vs.
level-triggered activities,
Walter H. via bind-users wrote:
>
> DOH/DOT is dead;
>
> use DNSSEC instead and no troubles;
No.
DNSSEC is about data integrity. It allows me to host my zones with a
collection of semi-trusted third parties without having to worry about
them changing my DNS records. It allows clients to be sure
PGNet Dev wrote:
>
> fyi, perhaps keep an eye on this:
>
> https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
hmm, maybe, but it's my Spock eye with a single arched eyebrow
Tony.
PGNet Dev wrote:
>
> Has anyone here on-list figured out how to hook bind's internal signing
> process to *trigger* and external script to exec those API pushes?
I have not, and I also want to be able to do this, and I also want
scripting hooks for whenever any keys change so that I can stash
MAYER Hans wrote:
>
I can see why the behaviour of your server is confusing! I'll explain what
is happening in detail below, but here's the basic idea:
Each view in a configuration is separate from the others: `named` first
chooses which view to use (based on match-clients etc.) then handles
JW λ John Woodworth wrote:
> Greetings, I would like to request a new feature which I hope will make
> management of the 'allow' match-lists a tad easier. In short, an option
> such as 'allow-transfer' in view or zone contexts could extend the
> match-list as defined in the options section.
You
Stoffel, John (TAI) wrote:
>
> And it does dump some errors too, which hopefully will give me an idea
> of where my crappy bad record is located, and no use hiding crap:
yuck, this looks like no fun...
> www.cisco.toshiba.com. 3600 IN CNAME redirect.toshiba.com.
>
Stoffel, John (TAI) wrote:
> failed while receiving responses: bad bitmap
>
> None of my googling has given me any hints on what this error could be.
I had to look at the source, which told me it's to do with NXT records
which are super obsolete, so I wonder what weird stuff is in the zone that
Dan Egli wrote:
>
> Still not working for me. The dig doesn't report anything, and I don't HAVE a
> keyfile since i'm using inline signing. Or does inline signing still require a
> key to be generated?
Yes, you need to do your own key management with inline-signing using
dnssec-keygen. The new
Dan Egli wrote:
>
> Where do I get the DS record, since i'm using bind's inline signing?
Use the dnssec-dsfromkey tool, e.g. from a key file (make sure it's the
KSK file)
$ grep This Kcam.ac.uk.+013+32840.key
; This is a key-signing key, keyid 32840, for cam.ac.uk.
$
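The two DNSSEC details discussed on this page, why RSA DNSKEYs start with "AwEAA" (3-byte exponent length, exponent 65537) and how a DS record is derived from a KSK (what dnssec-dsfromkey does, with `-2` selecting the SHA-256 digest that later messages say is the one you actually need), worked through in code. This is an added example, not code from the original messages or from BIND: the key material is a constructed toy key, `cam.ac.uk` is used only as an owner name, and the function names are this example's own.

```python
import base64
import hashlib

# Constructed toy key, not a real cam.ac.uk key: an RFC 3110 RSA public key
# field is <exponent length><exponent><modulus>. 65537 is 0x010001, so the
# field begins 03 01 00 01 and its base64 begins "AwEAA".
TOY_RSA_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01]) + bytes(range(0xA0, 0xB0))

# DS digest types (RFC 4034, RFC 4509, RFC 6605). Type 1 (SHA-1) is what
# dnsviz flags as not allowed with algorithm 13.
DIGESTS = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256),
           4: ("SHA-384", hashlib.sha384)}


def dnskey_base64(pubkey: bytes) -> str:
    """The public key field as it appears in a DNSKEY record."""
    return base64.b64encode(pubkey).decode("ascii")


def parse_rsa_pubkey(pub: bytes):
    """Split an RFC 3110 RSA public key field into (exponent, modulus).
    A first byte of 0 means the exponent length is in the next two bytes."""
    if pub[0] != 0:
        elen, off = pub[0], 1
    else:
        elen, off = int.from_bytes(pub[1:3], "big"), 3
    exponent = int.from_bytes(pub[off:off + elen], "big")
    return exponent, pub[off + elen:]


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes,
              digest_type: int = 2) -> dict:
    """Derive DS RDATA (RFC 4034 5.1.4): digest over owner name + DNSKEY RDATA."""
    if digest_type not in DIGESTS:
        raise ValueError(f"unknown DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = DIGESTS[digest_type][1](wire_name(owner) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": digest,
        "is_ksk": bool(flags & 0x0001),        # SEP bit: only publish DS for the KSK
        "deprecated_digest": digest_type == 1,  # SHA-1 DS should not be submitted
    }


if __name__ == "__main__":
    print("DNSKEY public key starts:", dnskey_base64(TOY_RSA_PUBKEY)[:8])
    print("exponent:", parse_rsa_pubkey(TOY_RSA_PUBKEY)[0])
    ds = ds_record("cam.ac.uk.", 257, 8, TOY_RSA_PUBKEY)
    print(f"cam.ac.uk. DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

Feed `ds_record` the KSK (flags 257, SEP bit set), not the ZSK (flags 256); the `is_ksk` field is there to catch that mistake, which is the same check as the `grep This` above.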
Peter Fraser wrote:
>
> I am using bind-9.14.x and here are the DNSSEC related entries in the zone.
>
> auto-dnssec maintain;
> update-policy local;
> key-directory “zones/domain-keys”;
How you go about this depends on whether your configuration enables
`inline-signing` or not.
If it has
Levente Birta wrote:
>
> I have a caching resolver. Is it possible to log the IP address of the queried
> forwarder without too much overhead?
dnstap might be what you want, but it's a bit intricate.
Tony.
Dennis Clarke via bind-users wrote:
>
> Hey there. I looked in the README and I don't see an INSTALL file at all
> so I have to assume that the testing docs exist somewhere.
Have a look at
https://gitlab.isc.org/isc-projects/bind9/-/tree/main/bin/tests/system
There are some more notes in:
Axel Rau wrote:
> I have,
>
> allow-query { any; };
> allow-query-cache { recursive-users; };
> allow-recursion { recursive-users; };
>
> How can I make sure that none recursive-users get a REFUSED if query is
> recursive?
Weird! I think your config should do what you want so
Roee Mayerowicz wrote:
> I have ~700k (and growing) domain names that should be resolved daily.
> I'm trying to make it efficient as possible using the recursive BIND
> server (do you know a better option?), the goal is to get 2000 queries
> per second with minimum server\s cost.
I do bulk
Petr Menšík wrote:
> Because BIND uses DNS protocol only and not any dbus or former lwres
> protocol, you can count only querying -t ANY for single name as
> something similar.
ANY queries don't necessarily give you all the records :-)
In situations where a DNS client wants to do multiple
Edwardo Garcia wrote:
>
> So you mean to say when it print out
>
> IN DS 45701 13 1 5422E9...
> IN DS 45701 13 2 qwertyE9...
>
> we never needed 45701 13 1 5422E9 only 45701 13 2 qwertyE9 ?
Exactly, yes!
> and we only need run
>
> dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -2 -f -
Edwardo Garcia wrote:
> One thing I note, all check say everything is good, but when using dnsviz,
> it says secure, shows the ecd... but also puts up warnings that I am using
> alg 13 but digest 1 (sha1), which is not allowed,
I guess the "digest 1" is referring to your DS records. In my
@lbutlr wrote:
>
> I update the last of my zones over a month ago and they are still
> showing alg-7.
>
> I'm sure I missed a step on these specific domains, but there are only a
> handful that are still using alg-7 and many more that are now on alg-13
> only.
Hmm, curious!
If you have swapped
Robert M. Stockmann wrote:
>
> Does bind 9 need C11 atomics ?
Yes. BIND used to have its own atomic implementation but that kind of code
is tricky and arcane, so it's better to use the standard implementations
in the C library.
It is not just a matter of the hardware BIND runs on: atomics rely
Edwardo Garcia wrote:
>
> One question however it talk about longest TTL, does this mean also root
> TLD zones (.com, .net) which from memory are 48 hours, so before we delete
> old keys we need wait 48 hours, even though our zone TTL was 24 ?
When you are waiting after adding and signing with
Edwardo Garcia wrote:
>
> Many year ago we set up DNSSEC, our key were generated with sha1 as was
> recommended way back all them years. We too are not DNSSEC guru, so some
> answer may be simple
Well, you are going to do an algorithm rollover, which is one of the more
tricky things you can do
Grant Taylor via bind-users wrote:
>
> Do you think that per (mail) server instances of BIND are worth the additional
> administrative overhead as compared to more central shared instances?
Yes, that's what I did when I was doing mail things. There are a few
reasons: reduce load on the shared
Anders Löwinger wrote:
> Ivan Avery Frey wrote:
> >
> > We are only using update to provision the acme challenge as described
> > by RFC 8555 8.4. Nothing else.
>
> Acme follows CNAMEs. I've redirected all challenges to my domains to a
> separate subdomain, which allows dynamic updates. Works
Ivan Avery Frey wrote:
> I'm trying to obtain certificates from Let's Encrypt using the DNS-01
> challenge method.
>
> I just want to confirm that there is no option to configure the
> directory for the .jnl files independently of the zone files.
You have had a bunch of helpful replies already,
Anand Buddhdev wrote:
>
Anand's advice is good, as usual :-)
But a small pedantic point:
> The DNS protocol itself has recently been updated to allow for
> encryption, using DTLS (DNS-over-TLS).
DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a
spec for DNS-over-DTLS
Paul Kosinski via bind-users wrote:
> A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP)
> IP address for my very simple domain. It worked, except that it totally
> messed up the organization of the zone file. Since the file only has 44
> active lines (which are organized
Greg Donohoe wrote:
> I have created a CI/CD pipeline in order to amend zone files using nsupdate
> based on a front end user request. This portion of the pipeline is working
> as expected so now I want to be able to connect from my pipeline runner to
> my remote BIND staging server and update
Matthijs Mekking wrote:
> On 15-04-2021 16:35, Bob Harold wrote:
> >
> > If BIND holds both the child and parent zone, will it add the DS record
> > at the correct time? Or do I still need to write scripts to update the
> > DS records in all my sub-zones? And is there some signal from BIND at
>
Peter Coghlan wrote:
>
> I wouldn't describe it as background radiation or probes. It doesn't seem
> to be caused by misconfigured or faulty resolvers or anything of that nature.
Hmm, maybe air pollution would be a better metaphor? What I mean is the
kind of continuous low levels of abuse
sth...@nethelp.no wrote:
>
> Agree that you should be able to ignore them. But as a practical matter,
> ignoring them *may* result in the question being asked again and again,
> while REFUSED *may* stop the client from asking more.
REFUSED leads to retries too: if the client is a legit resolver
Anand Buddhdev wrote:
>
> A legitimate client, following a normal chain of referrals, has *no*
> reason to query a server for zones it is not authoritative for.
That's true for cases like .sl and other domains whose delegations are set
up correctly, but if a server is accidentally lame then it's
Peter Coghlan wrote:
>
> I have a nameserver which is authoritative for three or four domain names.
> It receives around 1000 queries per day that could be regarded as plausibly
> legitimate. It receives around ten times that number of abusive queries per
> day from presumably spoofed ip
Mark Andrews wrote:
> > On 8 Apr 2021, at 00:37, Tony Finch wrote:
> >
> > Forward zones require the upstream server to be recursive too.
>
> More correctly, the upstream server has to serve the entire namespace being
> forwarded if it does not off recursion t
Chuck Aurora wrote:
>
> A stub or static-stub zone would not require recursion. In that case
> named is asking for authoritative data from upstream. But type
> forward zones indeed cannot work if recursion is disabled.
Be careful in this kind of situation to be very clear about which client
or
Cuttler, Brian R (HEALTH) via bind-users wrote:
>
> I don't think the issue I'm having is related to notify message not
> being reacted to nor zone transfer requests not being sent to answered.
It's worth checking the logs to make sure that they agree with what you
expect.
> What I think I'm
Matus UHLAR - fantomas wrote:
>
> note that for this kind of setup, using dnsmasq with two forwarders and
> www.google.com
> overridden through /etc/hosts would be an easier solution.
Or a response policy zone, if you don't want to switch software
Tom Preissler wrote:
>
> at my work place we have a three resolver setup in /etc/resolv.conf.
>
> We had sometimes, though rarely, response times for DNS like 14000ms,
> due to the fact that the *first* listed resolver is down for maintenance
> reasons.
Sadly the traditional unix stub resolver
Cuttler, Brian R (HEALTH) via bind-users wrote:
>
> We are seeing a delay in the primary DNS server updating the secondary
> and would like to shorten that interval.
This is probably due to NOTIFY messages not working. NOTIFY is the
mechanism that allows primary servers to tell secondaries to
alcol alcol wrote:
> seriously? is like linux/unix FAQ
Please, if you can't be helpful, don't reply at all. We all have to learn
somehow, and the best way to show your knowledge is to share it generously.
Tony.
Paul Cizmas wrote:
> ~$ named -v
> BIND 9.9.7-P3 (Extended Support Version)
What's probably happening here is that the BIND on your $PATH isn't
necessarily the BIND that homebrew installed and (hopefully) is running.
You can run `dig @localhost version.bind ch txt` to see what the running
Paul Cizmas wrote:
>
> but it appears that “service” must be replaced by something else
Yes: init on macOS is called launchd, and the service control program is
called launchctl, which has a reasonably useful man page.
Tony.
Jonathan via bind-users wrote:
> It makes no difference which subnet the queries come from. For
> testing I used a server in the same subnet as my DNS, so there is
> no firewall or NAT in between. I also captured the network traffic of
> the DNS-Server and -Client. All I can see is,
Prasanna Mathivanan (pmathiva) via bind-users wrote:
>
> I couldn’t find anything from logs (checked both xfer and messages)
The best way to find out if a secondary server thinks a zone is
out-of-date is to look at the notify log messages. On the primary you'll
see something like
17-Mar-2021
lejeczek via bind-users wrote:
>
> Have a zone on a server, say:
>
> - the.zone
>
> with "flat" files being the backend for it. Now wanting to have:
>
> - sub.the.zone
>
> served by the same BIND server, but stored in.. "SQL" backend.
>
> How... well how to make that work if at all possible?
>
Marki wrote:
>
> But if you need granular filtering, that could become a lot of views...
Yes, I think RPZ is really designed to be a ban hammer for dealing with
abuse, rather than a general-purpose access control mechanism. If you need
to get really fancy then you should look at dnsdist which
Marki wrote:
>
> Concerning static-stub: Using a (bogus) forwarder together with "forward
> first" (default) seems to work (Note: using "forward only" gives SERVFAIL).
> All outside requests get a SERVFAIL even with "forward first" but that's an
> esthetic problem.
Yes, SERVFAIL is ugly - I
Marki wrote:
>
> I am seeking a combination of either a combined configuration on one, or a
> config of several different DNS servers together to achieve the following:
>
> * Some clients should be able to resolve authoritative local zones as well as
> some forwarded zones.
>
> * Other clients