Re: Access denied Bind9

2022-03-07 Thread Greg Choules via bind-users
Hi Ritah. I think rndc is a red herring. Whether you can control your server using rndc or not is a different topic to "why am I seeing 'denied'" in the logs. I think a couple of questions you need to ask yourself are: Should these servers be receiving recursive queries from anywhere?

Re: Forwarding zone, setup

2022-03-03 Thread Greg Choules via bind-users
Sending from the correct email alias this time! On Thu, 3 Mar 2022 at 09:53, Greg Choules wrote: > Hi Greg. > Basically, you can't forward out of authority. If server A is > authoritative for "example.com" it is authoritative for that and > everything below that, ad infinitum, unless you tell

Re: Bind: Standard Ports And Non Standard Ports

2022-02-12 Thread Greg Choules via bind-users
Take 2. Sent from the wrong email address! Greg On Sat, 12 Feb 2022 at 08:01, Greg Choules wrote: > > "...to use a traditional VPN solution such as DNSSEC ..." > DNSSEC is not a VPN service. It is regular, unencrypted DNS on port 53, or > whichever port you choose - see the manuals and KB

Re: consolidating in-addr.arpa data

2023-09-15 Thread Greg Choules via bind-users
Hi John. Can you tell me a bit more please? - What zones exist in both BIND and MS DNS for something.10.in-addr.arpa? - Where are hosts auto registering to? I'd guess MS, but it would be good to confirm. - What does fragmentation look like? A few real examples would be useful. I'm trying to

Re: consolidating in-addr.arpa data

2023-09-16 Thread Greg Choules via bind-users
Hi. Although it is technically possible to do reverses on non-octet boundaries (for example, see https://www.ietf.org/rfc/rfc2317.txt) it is a complete pita, in my experience. Personally I would not head down that path. Stick to /8, /16 or /24. Cheers, Greg On Sat, 16 Sept 2023 at 09:20, G.W.

Re: consolidating in-addr.arpa data

2023-09-16 Thread Greg Choules via bind-users
Hi John. Sorry if this sounds picky, but a dot out of place in this game is the difference between success and crash-n-burn. Please can you show me EXACTLY what ...10.in-addr.arpa zones you have in both sets of DNS? From previous work with AD clients I think that, if it doesn't already exist,

Re: consolidating in-addr.arpa data

2023-09-16 Thread Greg Choules via bind-users
From the correct mail alias! On Sat, 16 Sept 2023 at 21:50, Greg Choules wrote: > Hi Ged. > 172.16/12 is not a special case. The whole problem (IMHO) stems from how > humans have chosen to represent both IP addresses (v4; v6 are different and > actually a little easier) AND DNS domain names;

Re: Facing issues while resolving only one record

2023-08-30 Thread Greg Choules via bind-users
Hi Blason. "incometax.gov.in" is a domain known to cause problems. Take a binary packet capture and look at it in Wireshark. Also see this https://dnsviz.net/d/incometax.gov.in/dnssec/ A workaround in BIND is to disable DNSSEC validation for just that domain whilst leaving it on generally: see

Re: Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-07 Thread Greg Choules via bind-users
Hi Fred. No, the sense is correct. Imagine you have a server with a secondary zone of (say) "example.com", which transfers data for that zone from a primary somewhere. The secondary loads data received during a zone transfer straight into memory and uses it. It is optional for the secondary to

Re: Recursive client query rate-limiting

2023-08-30 Thread Greg Choules via bind-users
Hi Ben. In short, kinda. "recursive-clients" limits the overall number of concurrent recursive queries the server will handle. For each of those queries there is also "clients-per-query", which limits the number of different sources all asking the same question at the same time. This is so that,

Re: How should I configure internal and external DNS servers

2023-11-04 Thread Greg Choules via bind-users
Hi Nick. First question, does the internal zone *have* to keep the same name? As has been said already, this is a fairly common setup done by people a long time ago who usually didn't think through the consequences of their actions. What follows assumes you could change the name of the internal

Re: Forwarders working differently on bind9.8 & bind9.11

2023-09-19 Thread Greg Choules via bind-users
Hi Prashasti. I'm on my phone, so I'll keep it brief. - ditch both 9.8 and 9.11; install 9.18 - why are you forwarding to yourself? 127.0.0.1 - get binary packet captures and look at them in Wireshark to see what's actually going on. - real IPs please. - why use "port xxx"? Cheers, Greg On Tue,

Re: help me with the ipv6 PTR generation

2023-08-24 Thread Greg Choules via bind-users
You may already have BIND installed; most distros do. If not, it's easy. You don't *have* to run named, but tools like this (and dig, particularly) are very useful to have. Do "which arpaname" to see if you have it already. Cheers, Greg On Thu, 24 Aug 2023 at 08:00, Marco wrote: > Am
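
The name arithmetic discussed in this thread and in the in-addr.arpa consolidation thread above, as an added example that is not code from the posts or from BIND: a pure-Python counterpart to what `arpaname` prints for a single address, extended to reverse zone names for prefixes and to the relative owner name you would put in that zone's file. IPv4 prefixes that are not on an octet boundary are rejected rather than turned into an RFC 2317 classless delegation, in line with the advice above to stick to /8, /16 or /24. The addresses used are documentation/private ranges chosen for illustration.

```python
"""Derive reverse-DNS names for IPv4 and IPv6 prefixes and addresses.

Added example; not code from the mailing list posts or from BIND itself.
"""
import ipaddress


def ptr_name(address):
    """Owner name of the PTR record for one address (what `arpaname` prints)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def reverse_zone(prefix):
    """Reverse zone that holds PTRs for prefix, e.g. 10.20.0.0/16 -> 20.10.in-addr.arpa.

    IPv4 prefixes must be /8, /16 or /24 (anything else would need an RFC 2317
    classless delegation, which we deliberately do not generate); IPv6 prefixes
    must fall on a nibble (4-bit) boundary because ip6.arpa labels are nibbles.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    plen = net.prefixlen
    if net.version == 4:
        if plen not in (8, 16, 24):
            raise ValueError(f"/{plen} is not on an octet boundary; use /8, /16 or /24")
        octets = str(net.network_address).split(".")[: plen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if plen % 4 != 0:
        raise ValueError(f"/{plen} is not on a nibble boundary")
    # exploded form gives all 32 nibbles with leading zeros, e.g. 2001:0db8:...
    nibbles = net.network_address.exploded.replace(":", "")[: plen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_owner_in_zone(address, prefix):
    """Relative owner name for address inside the zone file of reverse_zone(prefix).

    Raises ValueError if the address is outside the prefix, which is the usual
    cause of a PTR "not found" when records are put in the wrong reverse zone.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    ip = ipaddress.ip_address(address)
    if ip not in net:
        raise ValueError(f"{address} is not inside {prefix}")
    zone = reverse_zone(prefix)
    full = ptr_name(address)
    # full always ends with "." + zone; drop that to leave the relative labels.
    return full[: -len(zone) - 1]


if __name__ == "__main__":
    print(ptr_name("10.20.30.40"))
    print(reverse_zone("10.20.0.0/16"), ptr_owner_in_zone("10.20.30.40", "10.20.0.0/16"))
    print(reverse_zone("2001:db8:abcd::/48"), ptr_owner_in_zone("2001:db8:abcd::1", "2001:db8:abcd::/48"))
```

Compare `ptr_name()` against `arpaname` on the same host if you have BIND installed; the two should agree exactly, and `reverse_zone()` tells you which zone file the relative owner from `ptr_owner_in_zone()` belongs in.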

Re: Bind failures following update/reboot w/ 9.18.1

2022-05-13 Thread Greg Choules via bind-users
Your MTU is not the point. It's what happens beyond your equipment that may have a bearing. However, as I said, I don't think IP fragmentation will be your problem in this case, so that's a whole other discussion for a different day. pcaps are your friend though. From a packet capture you can see

Re: Bind failures following update/reboot w/ 9.18.1

2022-05-13 Thread Greg Choules via bind-users
Hi Philip. Can you run packet captures? I'm running 9.18.0 (close enough?) in Docker and just traced what happens going from "dnssec-validation no;" to "dnssec-validation auto;" It makes a DNSKEY query for "." to one of the roots. The response size was over 900 bytes, so depending on what UDP

Fwd: Request to use "Canonical/Mirror"

2022-05-16 Thread Greg Choules via bind-users
Hi Felicia. As the previous responder said, don't think of entire servers being one or the other, it's individual zones. IMHO the terms "primary" and "secondary" are just as meaningful as the terms "master" and "slave", but without the emotional and historical baggage. You just have to give

Re: 9.18 behavior change for mDNS queries with dig

2022-06-27 Thread Greg Choules via bind-users
Hi Larry. sudo tcpdump -ni any -c 1000 -w .pcap port 5353 For I usually include the date, hostname and some other meaningful stuff to help you remember what it was for in 6 months' time. Whilst this is running, make some queries in another terminal window. I hope this helps. Cheers, Greg On

Re: 9.18 behavior change for mDNS queries with dig

2022-07-01 Thread Greg Choules via bind-users
Wireshark works just fine on a Mac (I am using it right now) and yes, it is a great tool. You also have the choice of using tcpdump in a terminal window, if that's your preference. Personally I usually capture using tcpdump and view later in Wireshark. On Fri, 1 Jul 2022 at 12:01, Petr Menšík

Re: Can't modify an existing SPF record

2022-07-08 Thread Greg Choules via bind-users
The SPF record type was deprecated in 2014 and the SPF definition string *must* now be contained as data in a TXT record. BIND will still load a zone containing SPF records, but it will check whether a TXT record also exists that contains the same string and will generate a log message telling you
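
A check for the situation described above, as an added example that is not code from the post or from BIND: it scans a zone file for records of the deprecated SPF type and reports, per owner, whether a TXT record with the identical string exists, which is what you want to confirm before deleting the SPF RRs. The zone text is constructed for illustration; the parser handles the common one-record-per-line layout with optional TTL and class, not every zone file feature (no multi-line parentheses, no `$INCLUDE`).

```python
"""Find deprecated SPF-type records in a zone and check for a matching TXT.

Added example; not code from the mailing list post or from BIND itself.
"""
import re

# Constructed sample zone: the apex has matching SPF and TXT, the "mail"
# owner has an SPF record whose policy differs from its TXT (-all vs ~all).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1 hostmaster 2022070801 7200 900 1209600 3600
@       IN NS  ns1
@       IN SPF "v=spf1 mx ip4:192.0.2.0/24 -all"
@       IN TXT "v=spf1 mx ip4:192.0.2.0/24 -all"
mail    IN SPF "v=spf1 a -all"
mail    IN TXT "v=spf1 a ~all"
"""

# owner [ttl] [IN] (SPF|TXT) rdata
RR_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(SPF|TXT)\s+(.+)$')


def _join_strings(rdata):
    """Concatenate the quoted <character-string>s of a TXT/SPF rdata field."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def collect_spf_txt(zone_text):
    """Return {owner: {"SPF": [strings], "TXT": [strings]}} for relevant owners."""
    records = {}
    for line in zone_text.splitlines():
        m = RR_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        records.setdefault(owner, {"SPF": [], "TXT": []})[rtype].append(_join_strings(rdata))
    return records


def spf_findings(zone_text):
    """One finding per SPF-type record: (owner, string, status).

    status "has-txt":     an identical TXT exists; the SPF RR can simply be removed.
    status "missing-txt": receivers that only read TXT never see this policy.
    """
    findings = []
    for owner, rrs in collect_spf_txt(zone_text).items():
        for spf in rrs["SPF"]:
            status = "has-txt" if spf in rrs["TXT"] else "missing-txt"
            findings.append((owner, spf, status))
    return findings


if __name__ == "__main__":
    for finding in spf_findings(SAMPLE_ZONE):
        print(finding)
```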

Re: Can't modify an existing SPF record

2022-07-08 Thread Greg Choules via bind-users
Hi Roberto. What domain is this SPF for and exactly how are you trying to add the extra term? Cheers, Greg On Fri, 8 Jul 2022 at 16:38, Roberto Carna wrote: > Dear, from my webmin interface for BIND9, I try to add an additional > allowed sender host to our SPF record, but I get the following

Re: Basic setup instructions

2022-07-25 Thread Greg Choules via bind-users
Hi Gene. Please can you post a link to 'the website' you refer to? Where have you got to so far? BIND requires one config file - named.conf - which, at its simplest, doesn't need to contain much at all; the defaults should pretty much just work. But let's start with what you have now and, if

Re: success resolving xxx after disabling EDNS

2022-05-04 Thread Greg Choules via bind-users
Hi Veronique. Every DNS server should support EDNS by now. It has been around for a very long time. Even if it doesn't support EDNS it should ignore it. I made some test queries and packet captures to 23.82.12.28. Whatever this box is, please talk to the manufacturer about EDNS support. Or.. it

Re: DNS traffic tracking

2022-05-09 Thread Greg Choules via bind-users
Hi Alex. Your use case may be very different to the one I faced in my previous job. But there we did not and could not charge for DNS. It was seen as a necessary but free resource. If you *really* want to account for how many queries clients are making, a quick and dirty solution is enabling

Re: Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE

2022-08-01 Thread Greg Choules via bind-users
Hi Peter. Off the top of my head, could it be this? random-device The source of entropy to be used by the server. Entropy is primarily needed for DNSSEC operations, such as TKEY transactions and dynamic update of signed zones. This option specifies the device (or file) from which to read

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Greg Choules via bind-users
Hello J What is it you're actually trying to achieve here? Cheers, Greg On Thu, 25 Aug 2022 at 04:24, J Doe wrote: > Hello, > > I was wondering if anyone could provide feedback on whether the > following: newsyslog.conf file is correct to allow for daily log > rotation for my Bind 9.16.30 logs

Re: Zone transfer over VPN

2022-09-06 Thread Greg Choules via bind-users
Hi Michael. Have you tried without the "allow-transfer" statements at all? I find it usually works best to start simple, get it working, then apply security bit by bit. Do you have logs from all servers? What are they telling you specifically about what is the issue? Lastly, get packet captures of

Re: address/prefix length mismatch

2022-08-24 Thread Greg Choules via bind-users
Hi Elias. I can't say why this might have worked with 9.11 (if it did - I'd be surprised). But you should not/cannot define ACLs like this: 10.60.0.1/23; /23 means consider only the first 23 bits of the available 32 bits of an IPv4 address and ignore the rest (in this context. Please don't someone

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Greg Choules via bind-users
Hi again J. If I understand correctly, you want to enable querylog on a busy recursive server permanently, rotate the files once a day and don't care if you lose some logs because the number of queries on a busy day generates more data than the specified log file is allowed to contain. My

Re: address/prefix length mismatch

2022-08-24 Thread Greg Choules via bind-users
Hi Sten. That is absolutely what you do *not* want to do. Writing it out in binary might help. /23 means the following: 1110 '1' bits mean, test an incoming address against the corresponding bit from the address in the mask. '0' bits mean, don't test an incoming
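
The mistake discussed in these two replies, as an added example that is not code from the posts or from BIND: a small validator that reads ACL entries out of a named.conf fragment and flags any `address/prefix` where bits beyond the prefix are set (what named reports as "address/prefix length mismatch"), printing the network the entry actually covers once the host bits are cleared. The ACL text is constructed for illustration and the parser only handles one `[!]address[/prefix];` per line, not nested ACL names or `key` entries.

```python
"""Check named.conf ACL entries for host bits set outside the prefix.

Added example; not code from the mailing list posts or from BIND itself.
"""
import ipaddress
import re

# Constructed sample ACL: one IPv4 and one IPv6 entry with host bits set.
SAMPLE_ACL = """
acl "internal" {
    10.60.0.1/23;
    10.60.0.0/23;
    192.168.1.0/24;
    2001:db8::1/64;
    172.16.5.7;
    !10.60.1.99;
};
"""

# Matches one "[!]address[/prefix];" entry per line (named.conf ACL syntax).
ENTRY_RE = re.compile(r"^\s*(!?)\s*([0-9a-fA-F:.]+)(?:/(\d+))?\s*;")


def check_acl_entries(text):
    """Return (entry, status, network) for each address entry in text.

    status: "ok"       - host entry, or prefix with no host bits set
            "mismatch" - host bits set; named refuses to load the config
            "invalid"  - not a parseable address/prefix at all
    network: the prefix the entry really covers once host bits are cleared
             (almost always what the author meant to write).
    """
    results = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        neg, addr, plen = m.groups()
        entry = neg + addr + (f"/{plen}" if plen else "")
        try:
            if plen is None:
                results.append((entry, "ok", str(ipaddress.ip_address(addr))))
                continue
            # strict=True raises ValueError when bits beyond the prefix are set.
            net = ipaddress.ip_network(f"{addr}/{plen}", strict=True)
            results.append((entry, "ok", str(net)))
        except ValueError:
            try:
                fixed = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
                results.append((entry, "mismatch", str(fixed)))
            except ValueError:
                results.append((entry, "invalid", ""))
    return results


def mismatches(text):
    """Just the entries that would make named fail with the mismatch error."""
    return [r for r in check_acl_entries(text) if r[1] == "mismatch"]


if __name__ == "__main__":
    for entry, status, net in check_acl_entries(SAMPLE_ACL):
        print(f"{entry:18} {status:9} {net}")
```

Note that the "fixed" network is only a suggestion: 10.60.0.1/23 might have been meant as the host 10.60.0.1 rather than the /23, so confirm the intent before editing the ACL.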

Re: Proxy requests but filter out IPv4 address

2022-08-19 Thread Greg Choules via bind-users
Hi Matthias. In DNS there are many record types. For IP addresses there are two types: A for IPv4 addresses and AAAA for IPv6 addresses. If your client asks for the AAAA record it should get only IPv6 addresses. So what is your client asking for? Can you show us a real example where both IPv4 and

Re: dig +norecurse behaviour changed with 9.16.33

2022-10-26 Thread Greg Choules via bind-users
Hi Veronique. As other people have said, more details please. To have a complete picture of what is going on, not only would we need to know what your dig tests look like, but also where dig is sending its queries and how that DNS server is configured. You can tell dig to send queries anywhere,

Re: dig +norecurse behaviour changed with 9.16.33

2022-10-27 Thread Greg Choules via bind-users
Hi Veronique. As Petr said, please don't send a pcap. This is getting beyond the scope of the list and into proper support territory. For which I would recommend that CERN pay ISC for professional support services. Regarding your external example, I get this: %dig @192.65.187.5

Re: dig +norecurse behaviour changed with 9.16.33

2022-10-27 Thread Greg Choules via bind-users
Hi Veronique. No, we cannot easily reproduce this behaviour because we have no knowledge of the configs of either of those servers, the details of the zones you have configured, the contents of those zones or of the system on which you are running the dig command. As I said, we need to see

Re: CVE-2022-2795

2022-10-19 Thread Greg Choules via bind-users
Hi Greg. Short answer: no. Slightly less short answer: no, if you prevent the server from trying to follow delegations. It's that potentially wild goose chase that was the problem. In short: - Forwarding must cover everything the server needs to do (that isn't locally defined) i.e. global

Re: Seeing lots of DNS issues on OpenWRT

2022-09-23 Thread Greg Choules via bind-users
Hi Philip. I echo Fred's response; why forward? - Backup your config - remove/comment the "forwarders {}" statement - start a tcpdump to disc for port 53 (for evidence about what happens next) - stop/start 'named'. - try queries/look in the log/stop the tcpdump and analyse it in Wireshark. As an

test - please ignore

2022-09-23 Thread Greg Choules via bind-users
Thanks, Greg

Re: Dig -x +trace?

2022-10-03 Thread Greg Choules via bind-users
Hi Mike. OK, let's try and do some practical things here. Firstly, please share your /etc/resolv.conf Secondly, please have two windows on the go. In the first, run "tcpdump -nvi all -w port 53". In the second, run your dig tests. Then share your results. If you are reluctant to share *actually*

Re: Dig -x +trace?

2022-10-03 Thread Greg Choules via bind-users
Hi Mike. No need to shoot. I missed your first message to the list. Have you tried other popular open resolver services, to compare how they each behave and see whether there are differences between them? Or, since you have `dig` I'm guessing you probably also have BIND? If so, have you tried

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Greg Choules via bind-users
Hi John. Yes, you *could* forward and that was a setup I inherited a good few years ago. The appeal is obvious: it's easy to do; just chuck queries over there and get answers. But forwarding keeps the RD bit set, meaning that the server being forwarded to should a) have recursion enabled (though

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Greg Choules via bind-users
Hi Bob. In a previous life I did just this. Large resolvers for customers and internal users, defaulting to the Internet but with specific configuration to internal auth-only servers for private zones (I used stub but static-stub and mirror are alternatives - they each behave slightly

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Greg Choules via bind-users
Hi Grant. My understanding is this, which is almost identical to what I did in a former life: client ---recursive_query---> recursive_DNS_server ---non_recursive_query---> internal_auth/Internet where: client == laptop/phone/server running stub resolver code recursive_DNS_server == what Bob is

Re: caching does not seem to be working for internal view

2022-08-03 Thread Greg Choules via bind-users
Hi Robert. May we see the file /etc/resolv.conf and your BIND configuration? It's difficult to guess what might be going on with only a small snippet of information. If you "ping somewhere" (or "ssh a-server", or whatever) the OS will consult resolv.conf to determine where to send DNS queries. If

Re: caching does not seem to be working for internal view

2022-08-03 Thread Greg Choules via bind-users
Hi Robert. Turn on query logging by doing "rndc querylog". You should see a message saying that has been done in "named.log", to where each query will now be logged. If you have views, part of the query log will contain which view was matched. So this will tell you two things: 1. If the

Re: I need to find statistics on a running server.

2023-01-12 Thread Greg Choules via bind-users
Hi Jeff. Query logging is quite an overhead and very heavy on writing to storage, so use it sparingly as it can have a detrimental impact on performance. For any moderately loaded server I would not have it enabled by default. Cheers, Greg On Thu, 12 Jan 2023 at 18:22, Jeff Sumner wrote: >

Re: Use UDP for (small) incremental zone transfers?

2023-01-12 Thread Greg Choules via bind-users
not worth worrying about. Cheers, Greg On Fri, 13 Jan 2023 at 06:19, Jesus Cea wrote: > On 13/1/23 7:12, Greg Choules via bind-users wrote: > > Hi Jesus. > > No. Zone Transfer always uses TCP. Is it really that much of an overhead > > for you? > > Not now, but

Re: Use UDP for (small) incremental zone transfers?

2023-01-12 Thread Greg Choules via bind-users
Hi Jesus. No. Zone Transfer always uses TCP. Is it really that much of an overhead for you? Cheers, Greg On Fri, 13 Jan 2023 at 05:56, Jesus Cea wrote: > I have a dns zone with many dns updates per minute. The updates are > tiny, like 2-3 records, <500 bytes in total. > > Currently my

Re: Views vs Separate Authoritative & Recursive DNS

2023-01-04 Thread Greg Choules via bind-users
Hi E R. My short answer would be, don't configure views unless you have a good use case for them. For example you are running resolvers that have two different kinds of clients that need to be handled differently - one client set needs RPZ, the other doesn't. Or something like that. BIND has

Re: What is the meaning of an ecs log

2022-12-08 Thread Greg Choules via bind-users
Hi Mik. The Client Subnet in DNS Queries RFC should explain all. Essentially there are two masks in the ECS option - source prefix length and scope prefix length. ECS-enabled recursive servers (like Google or BIND -S edition) will set the source prefix
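
The two prefix lengths described above, as an added example that is not code from the post or from BIND: a dependency-free encoder and decoder for the EDNS Client Subnet option body (RFC 7871 section 6), which is the part of the packet the ecs log line is summarising. The decoder also applies the checks a strict receiver makes: option length consistent with the source prefix, and no non-zero address bits beyond it. The sample option bytes are constructed for illustration.

```python
"""Encode and decode the EDNS Client Subnet (ECS) option, RFC 7871 section 6.

Added example; not code from the mailing list post or from BIND itself.

Wire layout of the option:
  OPTION-CODE (2, = 8) | OPTION-LENGTH (2) | FAMILY (2) |
  SOURCE PREFIX-LENGTH (1) | SCOPE PREFIX-LENGTH (1) | ADDRESS (ceil(source/8) octets)
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def encode_ecs(address, source_prefix, scope_prefix=0):
    """Return the full EDNS option (code, length, body) as bytes.

    The address is truncated to ceil(source_prefix / 8) octets and any bits
    beyond source_prefix are zeroed, as the RFC requires of the sender.  A
    resolver sends scope_prefix 0; an authoritative server echoes the option
    back with the scope it actually used to choose the answer.
    """
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("source prefix out of range")
    if not 0 <= scope_prefix <= ip.max_prefixlen:
        raise ValueError("scope prefix out of range")
    masked = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False).network_address
    nbytes = (source_prefix + 7) // 8
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + masked.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(option):
    """Parse one EDNS option; return a dict or raise ValueError if malformed."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = option[4:4 + length]
    if len(body) != length or length < 4:
        raise ValueError("option length mismatch")
    family, source, scope = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    if family == FAMILY_IPV4:
        full_len, cls = 4, ipaddress.IPv4Address
    elif family == FAMILY_IPV6:
        full_len, cls = 16, ipaddress.IPv6Address
    else:
        raise ValueError(f"unknown address family {family}")
    if source > full_len * 8 or len(addr_bytes) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix")
    ip = cls(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    net = ipaddress.ip_network(f"{ip}/{source}", strict=False)
    if net.network_address != ip:
        raise ValueError("non-zero bits beyond source prefix")
    return {"family": family, "source": source, "scope": scope, "subnet": str(net)}


# Constructed sample: what a resolver might send for client 198.51.100.77,
# truncated to /24, scope 0 because no answer has been chosen yet.
SAMPLE_QUERY_OPTION = bytes.fromhex("0008" "0007" "0001" "18" "00" "c63364")

if __name__ == "__main__":
    print(decode_ecs(SAMPLE_QUERY_OPTION))
    print(encode_ecs("2001:db8:abcd:1234::1", 56, 48).hex())
```

A scope shorter than the source in the reply means the authoritative server would have given the same answer for the wider block, so a resolver may cache it for that block; a scope longer than the source means the answer is more specific than what was asked, which is why you see both numbers in the log.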

Re: How to configure , dig command support +subnet

2022-12-13 Thread Greg Choules via bind-users
Hello. What exact version of BIND are you running? "named -V" From dig it *looks* like you are running 9.18.9. ECS support only exists in the subscription editions of BIND (-S suffix) and to get that you need to be an eligible ISC support customer. Thanks, Greg On Tue, 13 Dec 2022 at 10:48, 徐娅

Re: SERVFAIL IPv6 debugging

2023-01-19 Thread Greg Choules via bind-users
Hi Bruce. There's potentially a bunch of things to note here. DNS conversations are independent of each other. The dig to your own server (dig -6 ec.europa.eu) may be over v4 or v6. But the subsequent queries that server makes (if any) may be over v4, or v6, or both. It depends how your server is

Re: recursion yes/no?

2023-01-24 Thread Greg Choules via bind-users
Hi David. "recursion yes;" tells named that it can (if it has to) make queries to other places if it needs more information in order to answer a client query. Pure authoritative servers shouldn't need it and should have "recursion no;". So the first question is, do your servers make queries out to

Re: recursion yes/no?

2023-01-25 Thread Greg Choules via bind-users
Hi David. With "minimal-responses", usually I would set it to "no" for a purely authoritative server because resolvers need all the help they can get. But for a purely recursive server I would set it to "yes" because end users don't need (and wouldn't do anything with it anyway) Authority or

Re: Resolving and caching illegal names

2023-01-24 Thread Greg Choules via bind-users
Hi John. A few questions, if I may. - Why *must* you forward everything to Akamai? - Was that a real example of a daft query: 10.11.12.13 type A? If not, do you have some real examples of queries being made to your servers please? - Notwithstanding the nature of these illegal queries, if they

Re: Gratuitous AXFRs of RPZ after 9.18.11

2023-01-27 Thread Greg Choules via bind-users
Hi John. Personally, I would start by drawing a picture (I like pictures) of all the players in the game and gathering data, leaving nothing out, including: - All servers, with all IP addresses. - SOA and NS records of working zones and the troublesome RPZ zone. - Which servers are

Re: Converting between zone file formats

2023-01-30 Thread Greg Choules via bind-users
Hi Håvard. I currently have 9.18.8 installed; the version of named-compilezone is the same. As a test I just converted a text format zone file to raw and then that raw file back to text and it looks fine to me: - named-compilezone -f text -F raw -o junk.raw junk db.junk - named-compilezone -f raw

Re: Bind listener to an IPv6 from AnyIP subnet

2023-03-13 Thread Greg Choules via bind-users
Hi Serg. Can you post the output of "named -V" please? You're looking for "--disable-linux-caps", which you don't want. I'm not sure how (if) BIND interacts with AnyIP, but it should pick up new interfaces as they are added, *if* it is built with the necessary capabilities enabled. 'named' starts

Re: RPZ answer me NXDOMAIN for some domain

2023-03-22 Thread Greg Choules via bind-users
Hi Nath. What have you got on SrvB for biopyrenees.net, or net? On SrvB, please do "dig @127.0.0.1 sri.biopyrenees.net" (please use the actual address rather than "localhost") and paste the full result here. I am interested in flags and the query time right now. Cheers, Greg On Wed, 22 Mar 2023

Re: Is there an incompatibility between 9.16.37/9.18.11 and 9.9 when doing HMAC-MD5 AXFR?

2023-02-21 Thread Greg Choules via bind-users
Hi Patrik. 9.9? Classic! :D I don't believe there should be any incompatibilities. Are you perhaps falling foul of this? From Cricket's book, chapter 11 It’s important that the name of the key—not just the binary data the key points to— be identical on both ends of the transaction. If it’s not,

Re: Best practice MultiView

2023-04-17 Thread Greg Choules via bind-users
Hi Jiaming. The arguments to "also-notify {...};" are explicit IP addresses. Why do you need it? Do you have some secondaries that are not listed as NS in zones? Regarding views. Why would you have the same zone in an internal and external view? A few years ago, having to maintain multiple zones

Re: Fully automated DNSSEC with BIND 9.16

2023-04-19 Thread Greg Choules via bind-users
Hi Håvard Odd, it works for me. Try a literal copy/paste of the link below. Or go to https://kb.isc.org and search for packages: https://kb.isc.org/docs/isc-packages-for-bind-9 Cheers, Greg On Wed, 19 Apr 2023 at 12:03, Havard Eidnes via bind-users < bind-users@lists.isc.org> wrote: > >>

Re: Best practice MultiView

2023-04-21 Thread Greg Choules via bind-users
Hi Jiaming. You're welcome. Personally I don't see why you want to obscure information about internal zones, since they can't be reached from the Internet anyway. Creating a dummy intermediate zone (an ENT - Empty Non-Terminal) may work, but it seems to add complexity for no - or very little -

Re: Best practice MultiView

2023-04-18 Thread Greg Choules via bind-users
Hi Jiaming. I had a similar requirement. Since there were not many (a few tens or at most a hundred) names that needed to be resolved differently locally my approach was to create a zone for each of them and to not have the parent zone at all. Each specific zone would contain a single A record (or

Re: Best practice MultiView

2023-04-19 Thread Greg Choules via bind-users
Hi Jiaming. Here's what I would do. I am assuming one nameserver for the public zone and one (different) nameserver for the internal zones. You would use more in practice but I'm keeping it simple, for illustration. The external NS is reachable from anywhere in the Internet. If you host it in

Re: Best practice MultiView

2023-04-18 Thread Greg Choules via bind-users
Hi Jiaming. Every zone *must* have one SOA record and at least one NS record. This is a requirement of the protocol. Internal clients will (probably) be making recursive queries to the internal DNS server for A, AAAA, MX, SRV records (maybe some more types as well). It is unlikely they will be

Re: bind with qname min. fails to continue recursing on one specific query

2023-03-27 Thread Greg Choules via bind-users
Hi Jason. I just tried this on my server (9.18.11) and it does indeed appear to be qname minimisation. The following servers (NS for tn.gov) just don't respond to the query "_.edison.tn.gov": dns4.tn.gov: type A, class IN, addr 170.141.167.222 dns5.tn.gov: type A, class IN, addr 170.141.168.22

Re: Intermittent issues resolving "labor.upload.akamai.com"

2023-02-03 Thread Greg Choules via bind-users
Hi Sandeep. From a quick look in Wireshark at what my own server (9.18.8) is doing, this looks like Akamai not responding correctly to a BIND QNAME minimisation query. Here's one response, from 95.101.36.192 for example, of many similar ones showing an issue. The response code shouldn't be

Re: named out of swap on NetBSD/amd64

2023-02-12 Thread Greg Choules via bind-users
Hi Jan. There could be SO many things going on here. I have a few questions: - Do you mean 200 QPS or 200,000 QPS? I was wondering if a "k" had missed the print. If it's really 200, this box (not necessarily just BIND) sounds very ill. 200 QPS is background noise and (depending what's going on)

Re: named out of swap on NetBSD/amd64

2023-02-15 Thread Greg Choules via bind-users
Hi Jan. Since the queries are unique the responses should be NXDOMAIN, which *will* be cached and therefore consume memory. This is why I was curious what you are hitting it with. You can see these cache entries if you dump it using "rndc dump -cache". This produces a file (by default) called

Re: named out of swap on NetBSD/amd64

2023-02-15 Thread Greg Choules via bind-users
Point taken. Unique does not necessarily mean non-existent and *something* will end up in cache. So restricting your max-cache-size would seem to be the thing for you. If it were my server, I would monitor just how much RAM is getting used in total and adjust max-cache-size to allow BIND to use as

Re: Bind to Bind DNS Lookup - Returns wildcard value for defined A record

2023-07-17 Thread Greg Choules via bind-users
This time from the correct email alias! On Mon, 17 Jul 2023 at 22:58, Greg Choules wrote: > Hi. > Some observations: > - Please don't use nslookup. Please use dig, it is much more versatile and > gives much more information with which to try and interpret what might be > going on. > - If you're

Re: Bind to Bind DNS Lookup - Returns wildcard value for defined A record

2023-07-16 Thread Greg Choules via bind-users
Real data please: - example queries (genuine, not invented for illustration) - real domains - real IP addresses - packet captures - both BIND server configs - zone file contents - startup logs There are so many things it *could* be, the more information the better. Cheers, Greg On Sun, 16 Jul

Re: extended dns error

2023-07-12 Thread Greg Choules via bind-users
Hi Sami. In the "response-policy" block in your config, what (if anything) is the value of the statement "qname-wait-recurse"? If you do not have that set explicitly, please do "named -C" to list the defaults and see what it is; probably "yes". This parameter controls whether RPZ waits until

Re: thank you - Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-30 Thread Greg Choules via bind-users
You are most welcome, I'm glad you got it running. Now the fun starts! :D Greg On Tue, 30 May 2023 at 21:02, Pacific wrote: > Thank you and to everyone who took the time to respond. Your collective > input did the trick and I now have bind running successfully through a brew > install. > > I

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-28 Thread Greg Choules via bind-users
Hi Ubence. Firstly, may we see your configs please. It's impossible to say exactly what's going on from a human description. Secondly, views and different answers. Yes it *is* entirely possible to use views to provide answers based on client IP - `match-clients`. I would start with the most

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Greg Choules via bind-users
Hi Ubence. That is starting to get complex! Firstly, yes BIND parses views top down, so order matters. Secondly, most specific domain wins (like more specific routes). I now see that you have created three levels of zones: domain.com lab.domain.com system.lab.domain.com This config looks like

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Greg Choules via bind-users
Hi. Ah, I got the networks the wrong way round. Sorry, it wasn't until I saw Sten's response that it occurred to me that not everyone knows how views work. Indeed a query will be tested against each view, top down. If it satisfies the criteria for a view (either/both match-clients and

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
Hi Sami. Firstly, a couple of definitions: NXDOMAIN is a response from an authoritative server (or a resolver because it cached it). It is a positive confirmation that "this name does not exist". It means that the QNAME in the query cannot be found, for any record type. SERVFAIL is a response from

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
That's because this domain is broken. The NS for it are: antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26) antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26) No matter what query you send them (so far) they respond with REFUSED and claim not to be
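
The distinctions drawn in the two replies above (NXDOMAIN versus NODATA, and the SERVFAIL or REFUSED that a broken delegation produces), as an added example that is not code from the posts or from BIND: a parser for the header and question section of a raw DNS response that classifies it into those cases, together with a builder that constructs minimal responses for each case so the classifier can be exercised offline. The builder represents the answer and authority sections by their counts only, which is all the classifier needs; the sample names are documentation domains, not the real servers discussed.

```python
"""Classify a raw DNS response as NXDOMAIN, NODATA, ANSWER, SERVFAIL, REFUSED...

Added example; not code from the mailing list posts or from BIND itself.
"""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Uncompressed wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Read an uncompressed name at offset; return (name, next_offset)."""
    labels = []
    while True:
        ln = msg[offset]
        offset += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(msg[offset:offset + ln].decode("ascii"))
        offset += ln
    return ".".join(labels) + ".", offset


def build_response(qname, qtype, rcode, aa, answers=0, authority=0):
    """Constructed minimal response: header plus question; the answer and
    authority sections are represented by their counts only."""
    flags = QR | RD | RA | (AA if aa else 0) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, answers, authority, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def classify_response(msg):
    """Return the fields that matter for the NXDOMAIN/NODATA/SERVFAIL discussion."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _ident, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    if rcode == 3:
        category = "NXDOMAIN"   # the name does not exist, for any record type
    elif rcode == 0 and ancount == 0:
        category = "NODATA"     # the name exists, but has no records of this type
    elif rcode == 0:
        category = "ANSWER"
    else:
        category = RCODES.get(rcode, f"RCODE{rcode}")   # SERVFAIL, REFUSED, ...
    return {"qname": qname, "qtype": qtype, "rcode": RCODES.get(rcode, str(rcode)),
            "aa": bool(flags & AA), "answers": ancount, "authority": nscount,
            "category": category}


# Constructed samples covering the cases in the thread.
SAMPLE_NXDOMAIN = build_response("nope.example.com.", 1, 3, aa=True, authority=1)
SAMPLE_NODATA = build_response("example.com.", 28, 0, aa=True, authority=1)
SAMPLE_REFUSED = build_response("example.net.", 1, 5, aa=False)
SAMPLE_SERVFAIL = build_response("example.net.", 1, 2, aa=False)

if __name__ == "__main__":
    for sample in (SAMPLE_NXDOMAIN, SAMPLE_NODATA, SAMPLE_REFUSED, SAMPLE_SERVFAIL):
        print(classify_response(sample))
```

The `aa` flag in the result is the tell for "who said so": NXDOMAIN and NODATA with AA set come from the authoritative side (or were cached from it), while a SERVFAIL from your resolver is the resolver itself giving up, which is why an RPZ rewrite of the latter is a different thing from a real NXDOMAIN.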

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
From the correct email alias this time! On Mon, 19 Jun 2023 at 16:50, Greg Choules wrote: > Hi Lee/Sami. > `break-dnssec yes;` *may* also be needed in some cases. But not here as > the zone isn't signed anyway. > > The reason that "example.com" works but "antlauncher.com" doesn't is down > to

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
Hi Sami. That's not what I said. Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but it's not something I would do. Cheers, Greg On Mon, 19 Jun 2023 at 12:40, wrote: > Thank you Greg > > So if I understand correctly if we receive a servfail return code we can > not

Re: latency and response time

2023-06-27 Thread Greg Choules via bind-users
Hi Sami. Let me ask you a question. How would you define the terms "latency" and "response time"? Greg On Tue, 27 Jun 2023 at 17:23, wrote: > Hello In DNS benchmarking which is more important latency or response > time? for a DNS server what is the difference between the two values? > > > >

Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-09 Thread Greg Choules via bind-users
Hello. By far the simplest way to install BIND natively on Mac is to use the Homebrew package manager. I have 9.18.14 installed on mine and it works fine. The other alternative is to run it from the Docker image. See here for details: https://hub.docker.com/r/internetsystemsconsortium/bind9 Hope

Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-09 Thread Greg Choules via bind-users
The named binary *could* exist in many places; it depends on the OS. For example, with a Homebrew install on my Mac it's here: /usr/local/Cellar/bind/9.18.14/sbin/named because of this build parameter: --prefix=/usr/local/Cellar/bind/9.18.14 It's linked to from /usr/local/opt/bind/sbin/named, for

Re: resolver: DNS format error from

2023-05-17 Thread Greg Choules via bind-users
Hi Alex. TL;DR 9.18 is stricter than 9.16 at handling junk responses from authoritative servers. Looking at a packet capture for this from my own BIND server (9.18.14) the response from 195.178.56.17 is FORMERR, which tends to mean that it objects to something in the query. The correct response

Re: acl in also-notify

2024-02-08 Thread Greg Choules via bind-users
Hi both. You can't do it using ACLs. But you can do it using primaries. This is hinted at in the section about the primaries statement, but not clearly expanded on. For example: # define a primaries list called "also-notifed" (or anything you like). Define as many lists as you need. primaries

Re: zone not loaded in one of view

2023-12-19 Thread Greg Choules via bind-users
Hi. The existence of a `.jnl` file for the zone means that, at some point in the past anyway, you *did* allow dynamic updates to this zone and some updates were made, which were stored in the journal file. I would like to ask a couple of questions: 1) What is the timeline of your investigation?

Re: How do I debug if the queries are not getting resolved?

2023-12-12 Thread Greg Choules via bind-users
I really wouldn't recommend that. If you have to, create exceptions for domains that won't validate correctly by using the "validate-except {..." statement. In parallel with that, encourage people with broken domains to fix them, which makes life better for all of us. Cheers, Greg On Tue, 12 Dec

Re: How do I debug if the queries are not getting resolved?

2023-12-11 Thread Greg Choules via bind-users
Hello. There are well known and documented issues with the zone "gov.in" and there were some recent problems with "gov" as well. Please search this mailing list archive for those domains and you may find some useful hints, tips and information that explain and help you with your own problem.

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Greg Choules via bind-users
Hi Michel. You will get an authoritative answer (AA bit = 1) if the server is either primary (master) or secondary (slave) for the QNAME (query name); in this case "reseau1.lan". From the config snip you provided this is because you have the config: zone "reseau1.lan" { type master; ... }; If

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Greg Choules via bind-users
Hi Michel. Please can you send the following information: - name and IP address of the authoritative server - the full contents of the zone file for "reseau1.lan" - name and IP address of the other server - what does this server do? - What is the machine "pc1", on which you are running the digs? -

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Greg Choules via bind-users
Hi again. Please start a packet capture on the auth server. This should do it: sudo tcpdump -nvi any -c 1 -w mydns.pcap port 53 Then from pc1, please do these and copy/paste text output, not screenshots: dig @172.16.0.254 pc1.reseau1.lan NS +norecurse dig @172.16.0.254 pc1.reseau1.lan SOA
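The thread above (and the earlier ones on AA, NXDOMAIN versus NOERROR/NODATA, and SERVFAIL) keeps coming back to reading header flags and RCODEs correctly. The following is an added example, not code from the mailing list or from BIND: a small Python decoder for the DNS header, question and record names, applied to packets that are constructed inline rather than captured. The zone "reseau1.lan", the hostnames and the 172.16.0.x addresses are placeholders borrowed from the thread; apply `parse()` to the payload of a real `mydns.pcap` frame to get the same fields dig prints as `flags:` and `status:`.

```python
"""DNS header/flag decoder (added example, not from the bind-users thread).

The sample packets are constructed here, not captured, to show how AA,
RCODE and the answer count distinguish an authoritative NXDOMAIN from an
authoritative NOERROR/NODATA and from a resolver's SERVFAIL.
"""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RRTYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 28: "AAAA"}

# Header flag bits (RFC 1035 section 4.1.1); RCODE is the low 4 bits.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def rr(wire_name, rtype, ttl, rdata):
    """Wire-encode one class-IN resource record; wire_name is already encoded."""
    return wire_name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(ident, flags, qname, qtype, answers=(), authority=()):
    """Assemble a response with one question and the given RR sections."""
    hdr = struct.pack("!HHHHHH", ident, QR | flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return hdr + question + b"".join(answers) + b"".join(authority)


def parse(msg):
    """Decode header flags, the question, and name/type/TTL of answer+authority RRs."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!HH", msg[off:off + 4])[0]
    off += 4
    records = []
    for section in ("answer",) * an + ("authority",) * ns:
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen  # skip rdata; only owner name and type matter here
        records.append({"section": section, "name": name,
                        "type": RRTYPES.get(rtype, str(rtype)), "ttl": ttl})
    return {
        "id": ident, "aa": bool(flags & AA), "rd": bool(flags & RD),
        "ra": bool(flags & RA), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qname": qname, "qtype": RRTYPES.get(qtype, str(qtype)),
        "ancount": an, "nscount": ns, "records": records,
    }


def classify(info):
    """Describe the outcome the way it reads in dig output."""
    if info["rcode"] == "NXDOMAIN":
        kind = "NXDOMAIN (name does not exist)"
    elif info["rcode"] == "NOERROR" and info["ancount"] == 0:
        kind = "NODATA (name exists, no RRs of this type)"
    else:
        kind = info["rcode"]
    return ("authoritative " if info["aa"] else "non-authoritative ") + kind


# Constructed sample packets (not captures); names/addresses are placeholders.
SOA = rr(encode_name("reseau1.lan"), 6, 3600,
         encode_name("ns1.reseau1.lan") + encode_name("hostmaster.reseau1.lan")
         + struct.pack("!IIIII", 2024011701, 7200, 900, 1209600, 3600))
PTR_TO_QNAME = b"\xc0\x0c"  # compression pointer to the question name at offset 12

AUTH_ANSWER = build_response(0x1001, AA, "pc1.reseau1.lan", 1,
                             answers=[rr(PTR_TO_QNAME, 1, 300, bytes([172, 16, 0, 10]))])
AUTH_NXDOMAIN = build_response(0x1002, AA | 3, "nosuch.reseau1.lan", 1, authority=[SOA])
AUTH_NODATA = build_response(0x1003, AA, "pc1.reseau1.lan", 28, authority=[SOA])
RESOLVER_SERVFAIL = build_response(0x1004, RD | RA | 2, "antlauncher.com", 1)

if __name__ == "__main__":
    for pkt in (AUTH_ANSWER, AUTH_NXDOMAIN, AUTH_NODATA, RESOLVER_SERVFAIL):
        info = parse(pkt)
        print(f"{info['qname']:24} {info['qtype']:5} -> {classify(info)}")
```

The two authoritative negative responses differ only in RCODE (3 versus 0) and both carry the zone SOA in the authority section, which is exactly what RPZ cannot see in the SERVFAIL case: a SERVFAIL has no authority data and no AA bit, so there is nothing to rewrite into a trustworthy NXDOMAIN.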

Re: Problem with recursion for windows bind for Teamviewer

2023-11-20 Thread Greg Choules via bind-users
Hi there. Can you send some information, for those unfamiliar with what you're trying to do? - Full BIND config - IP addresses of relevant things, like interfaces of the servers on which you are running BIND and of Teamviewer. - What does Teamviewer need from DNS? What kinds of queries is it

Re: Problem with recursion for windows bind for Teamviewer

2023-11-20 Thread Greg Choules via bind-users
Have you checked the routeing table on this server? Without any other evidence, this looks to me like packets are going places you aren't expecting. In the first screenshot the query goes to 213.227.191.1 and apparently a response doesn't come back until 4s later. When I try it using dig I get an

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Greg Choules via bind-users
Hi again and thanks for that. I'm still not exactly clear on the setup. I think the auth server is 172.16.0.254 (I don't know what pc1 is). But anyway, looking at your results I see the AA bit for everything. It appears that these queries both went directly to the auth server because recursion is

Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"

2024-03-01 Thread Greg Choules via bind-users
2nd $beverage consumed. I have never liked sortlist since I inherited it 16 years ago in my previous job. For me it suffers from at least one fundamental problem: - If a client, say at location "1", is given a bunch of sorted A records with the server at location "1" first, what does the client

Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Greg Choules via bind-users
Please don't encourage using "search" in resolv.conf or the Windows equivalent. Search domains make queries take longer, impose unnecessary load on resolvers and make diagnosis of issues harder because, when users say "it doesn't work" you have no idea what it was that didn't work. I tried using
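The extra load that search lists cause is easy to count once you write down the expansion order a stub resolver follows. The following is an added example, not code from the mailing list or from any resolver library: a Python simulation of the common libc rules (a trailing dot means absolute only; a name with at least `ndots` dots is tried as-is before the search list; a name with fewer is tried against each search domain first and as-is last). The search domains, hostnames and `ndots` values are constructed placeholders.

```python
"""Search-list expansion simulator (added example, not from the thread).

Reproduces the candidate order a libc-style stub resolver uses for
resolv.conf "search" / "options ndots:N" (default ndots:1), so the
extra queries a long search list causes can be seen and counted.
"""

# Constructed example search list, as a resolv.conf "search" line would give it.
SEARCH = ("corp.example.net", "eng.corp.example.net", "example.net")


def candidates(name, search=SEARCH, ndots=1):
    """Return the fully qualified names the resolver will try, in order."""
    if name.endswith("."):
        return [name]                       # absolute name: never expanded
    absolute = name + "."
    expanded = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded        # "enough" dots: try as-is first
    return expanded + [absolute]            # otherwise walk the search list first


def queries_for(name, search=SEARCH, ndots=1, exists=frozenset()):
    """Simulate lookups until a candidate exists; return every name sent.

    'exists' models which FQDNs the resolver would answer positively. A real
    stub also stops on errors other than NXDOMAIN; that is not modelled.
    """
    sent = []
    for fqdn in candidates(name, search, ndots):
        sent.append(fqdn)
        if fqdn in exists:
            break
    return sent


def wasted_queries(name, search=SEARCH, ndots=1, exists=frozenset()):
    """Number of lookups that produced nothing before the resolver gave up or hit."""
    sent = queries_for(name, search, ndots, exists)
    return len(sent) - (1 if sent[-1] in exists else 0)


if __name__ == "__main__":
    known = {"www.example.com.", "intranet.example.net."}
    for host, nd in (("www.example.com", 1), ("intranet", 1),
                     ("nosuchhost", 1), ("www.example.com", 5)):
        sent = queries_for(host, ndots=nd, exists=known)
        print(f"ndots:{nd} {host:16} -> {len(sent)} queries, "
              f"{wasted_queries(host, ndots=nd, exists=known)} wasted: {sent}")
```

With `ndots:1`, every mistyped short name costs four lookups here instead of one, and with a container-style `ndots:5` even "www.example.com" is first sent through all three search domains. A user reporting "it doesn't work" may have hit any of those four names, which is the diagnostic problem the post above describes.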

Re: Deprecated DSCP support

2024-02-29 Thread Greg Choules via bind-users
Hi Wolfgang. Firstly let me say that I have never been a fan of QoS. So I'm slightly biased against the whole thing in the first place. But regarding your comment "It’s not easy for the network to guess the requirements of an application," I would disagree. Traffic classification and setting of

Re: Bind9 "split zones"

2024-03-04 Thread Greg Choules via bind-users
Hi. If I understand you correctly, you are trying to get your resolver to go to two different places (main_hidden_dns_server and other_dns_server) for answers to the same question, and then want it combine those answers into a single response to the client, which contains PTR records for both

Re: DNSSEC deployment in an isolated virtual environment

2024-03-16 Thread Greg Choules via bind-users
Hi Amaury. You should be able to do this by defining your own trust anchors. This should explain what you need: https://bind9.readthedocs.io/en/latest/dnssec-guide.html#trusted-keys-and-managed-keys Have fun. Greg On Sat, 16 Mar 2024 at 13:38, Amaury Van Pevenaeyge < avanpevenae...@outlook.fr>

Re: transfer master slave

2024-03-25 Thread Greg Choules via bind-users
Hi Sami. "allow-..." statements are to restrict from which sources *this* server will accept messages, of whichever type. On the secondary (slave), "allow-notify {192.168.56.154;};" will permit it to process NOTIFY messages sent to it from the primary (master), but ignore any others. Actually,
