test - ignore

2022-01-25 Thread Greg Choules
Hello. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

Re: Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-08 Thread Greg Choules
(good question!). All they say is that after an > upgrade all servers were masters. > > The amount of direct relevance of the article is questionable. > Nonetheless, paragraph two seems factually incorrect on its face: changing > type master; to type slave; does not switch a server fro

Re: Unhelpful startup message re: RPZ

2023-09-21 Thread Greg Choules
Hi John. From the ARM: response-policy … Blocks: options, view Tags: server, security, query, zone Specifies response policy zones for the view or among global options. Blocks: says where this statement can be used; i.e. in global options or within a view. The description is reasonably clear (I

BIND9 is 25 today!

2023-08-17 Thread Greg Choules
Please raise a beverage of choice and celebrate the 25th birthday of BIND9: commit 7ee52cc7d195433bb8f55972e2a8ab29668f7bce Date: Mon Aug 17 22:05:58 1998 +

Re: [help]how to configure ecs subnet for bind-9.18-21

2024-04-28 Thread Greg Choules
Hello. Do you mean 9.18-S1? > On 28 Apr 2024, at 08:06, Yang via bind-users > wrote: > > > Dear admin: > Now I use bind-9.18-21 and I want to use the ECS client subnet function, but I > don't know how to configure it, and I can't find a method on Google. > Please give me some example, or

Re: [help]how to configure ecs subnet for bind-9.18-21

2024-04-28 Thread Greg Choules
> -- Original -- > Fro

Re: Access denied Bind9

2022-03-07 Thread Greg Choules via bind-users
Hi Ritah. I think rndc is a red herring. Whether you can control your server using rndc or not is a different topic to "why am I seeing 'denied'" in the logs. I think a couple of questions you need to ask yourself are: Should these servers be receiving recursive queries from anywhere?

Re: Forwarding zone, setup

2022-03-03 Thread Greg Choules via bind-users
Sending from the correct email alias this time! On Thu, 3 Mar 2022 at 09:53, Greg Choules wrote: > Hi Greg. > Basically, you can't forward out of authority. If server A is > authoritative for "example.com" it is authoritative for that and > everything below that, ad infi

Re: Bind: Standard Ports And Non Standard Ports

2022-02-12 Thread Greg Choules via bind-users
Take 2. Sent from the wrong email address! Greg On Sat, 12 Feb 2022 at 08:01, Greg Choules wrote: > > "...to use a traditional VPN solution such as DNSSEC ..." > DNSSEC is not a VPN service. It is regular, unencrypted DNS on port 53, or > whichever port you choose -

Re: consolidating in-addr.arpa data

2023-09-15 Thread Greg Choules via bind-users
Hi John. Can you tell me a bit more please? - What zones exist in both BIND and MS DNS for something.10.in-addr.arpa? - Where are hosts auto registering to? I'd guess MS, but it would be good to confirm. - What does fragmentation look like? A few real examples would be useful. I'm trying to

Re: consolidating in-addr.arpa data

2023-09-16 Thread Greg Choules via bind-users
Hi. Although it is technically possible to do reverses on non-octet boundaries (for example, see https://www.ietf.org/rfc/rfc2317.txt) it is a complete pita, in my experience. Personally I would not head down that path. Stick to /8, /16 or /24. Cheers, Greg On Sat, 16 Sept 2023 at 09:20, G.W.

Re: consolidating in-addr.arpa data

2023-09-16 Thread Greg Choules via bind-users
lier note, I have re-located the code I think I > stumbled across earlier > > Tony Finch's "nsdiff" > > > https://dotat.at/prog/nsdiff/ > > > -- > Do things because you should, not just because you can. > > John Thurston 907-465-8591 john.thurs...@ala

Re: consolidating in-addr.arpa data

2023-09-16 Thread Greg Choules via bind-users
From the correct mail alias! On Sat, 16 Sept 2023 at 21:50, Greg Choules wrote: > Hi Ged. > 172.16/12 is not a special case. The whole problem (IMHO) stems from how > humans have chosen to represent both IP addresses (v4; v6 are different and > actually a little easier) AND D

Re: Facing issues while resolving only one record

2023-08-30 Thread Greg Choules via bind-users
Hi Blason. "incometax.gov.in" is a domain known to cause problems. Take a binary packet capture and look at it in Wireshark. Also see this https://dnsviz.net/d/incometax.gov.in/dnssec/ A workaround in BIND is to disable DNSSEC validation for just that domain whilst leaving it on generally: see

Re: Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-07 Thread Greg Choules via bind-users
Hi Fred. No, the sense is correct. Imagine you have a server with a secondary zone of (say) "example.com", which transfers data for that zone from a primary somewhere. The secondary loads data received during a zone transfer straight into memory and uses it. It is optional for the secondary to

Re: Recursive client query rate-limiting

2023-08-30 Thread Greg Choules via bind-users
Hi Ben. In short, kinda. "recursive-clients" limits the overall number of concurrent recursive queries the server will handle. For each of those queries there is also "clients-per-query", which limits the number of different sources all asking the same question at the same time. This is so that,

Re: How should I configure internal and external DNS servers

2023-11-04 Thread Greg Choules via bind-users
Hi Nick. First question, does the internal zone *have* to keep the same name? As has been said already, this is a fairly common setup done by people a long time ago who usually didn't think through the consequences of their actions. What follows assumes you could change the name of the internal

Re: Forwarders working differently on bind9.8 & bind9.11

2023-09-19 Thread Greg Choules via bind-users
Hi Prashasti. I'm on my phone, so I'll keep it brief. - ditch both 9.8 and 9.11; install 9.18 - why are you forwarding to yourself? 127.0.0.1 - get binary packet captures and look at them in Wireshark to see what's actually going on. - real IPs please. - why use "port xxx"? Cheers, Greg On Tue,

Re: help me with the ipv6 PTR generation

2023-08-24 Thread Greg Choules via bind-users
You may already have BIND installed; most distros do. If not, it's easy. You don't *have* to run named, but tools like this (and dig, particularly) are very useful to have. Do "which arpaname" to see if you have it already. Cheers, Greg On Thu, 24 Aug 2023 at 08:00, Marco wrote: > Am

Re: Bind failures following update/reboot w/ 9.18.1

2022-05-13 Thread Greg Choules via bind-users
n May 13, 2022, at 10:34 AM, Greg Choules < > gregchoules+bindus...@googlemail.com> wrote: > > > > Hi Philip. > > Can you run packet captures? I'm running 9.18.0 (close enough?) in > Docker and just traced what happens going from "dnssec-validation no;" to

Re: Bind failures following update/reboot w/ 9.18.1

2022-05-13 Thread Greg Choules via bind-users
Hi Philip. Can you run packet captures? I'm running 9.18.0 (close enough?) in Docker and just traced what happens going from "dnssec-validation no;" to "dnssec-validation auto;" It makes a DNSKEY query for "." to one of the roots. The response size was over 900 bytes, so depending on what UDP

Fwd: Request to use "Canonical/Mirror"

2022-05-16 Thread Greg Choules via bind-users
Hi Felicia. As the previous responder said, don't think of entire servers being one or the other, it's individual zones. IMHO the terms "primary" and "secondary" are just as meaningful as the terms "master" and "slave", but without the emotional and historical baggage. You just have to give

Re: 9.18 behavior change for mDNS queries with dig

2022-06-27 Thread Greg Choules via bind-users
Hi Larry. sudo tcpdump -ni any -c 1000 -w .pcap port 5353 For I usually include the date, hostname and some other meaningful stuff to help you remember what it was for in 6 months' time. Whilst this is running, make some queries in another terminal window. I hope this helps. Cheers, Greg On

Re: 9.18 behavior change for mDNS queries with dig

2022-07-01 Thread Greg Choules via bind-users
Wireshark works just fine on a Mac (I am using it right now) and yes, it is a great tool. You also have the choice of using tcpdump in a terminal window, if that's your preference. Personally I usually capture using tcpdump and view later in Wireshark. On Fri, 1 Jul 2022 at 12:01, Petr Menšík

Re: Can't modify an existing SPF record

2022-07-08 Thread Greg Choules via bind-users
The SPF record type was deprecated in 2014 and the SPF definition string *must* now be contained as data in a TXT record. BIND will still load a zone containing SPF records, but it will check whether a TXT record also exists that contains the same string and will generate a log message telling you
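As an added illustration of the check described in the post above (this is example code written for this page, not BIND's own check-spf logic and not from the thread): given a constructed set of zone records, find SPF-type records that have no TXT record carrying identical text, and show the fix. The function names (spf_without_txt, add_missing_txt, spf_txt_records) and the sample records are invented for the example. It goes one step beyond the post in that TXT rdata split into several character strings (zone files do this for text over 255 bytes) is joined before comparison, so a split TXT twin is still recognised.

```python
# Added example, not BIND's own code and not from the bind-users thread.
# Detect SPF-type records without a TXT record holding the same text, and
# produce the corrected record set.
from collections import defaultdict

# Constructed sample zone data: (owner, type, tuple of character strings).
SAMPLE_RECORDS = [
    ("example.com.", "SPF", ("v=spf1 mx ip4:192.0.2.0/24 -all",)),
    ("example.com.", "TXT", ("v=spf1 mx ip4:192.0.2.0/24 -all",)),
    ("mail.example.com.", "SPF", ("v=spf1 a -all",)),
    # TXT split into two strings; the joined text still matches the SPF record
    ("mail.example.com.", "TXT", ("v=spf1 a ", "-all")),
    # SPF record with no TXT twin: this is the case that triggers the log message
    ("old.example.com.", "SPF", ("v=spf1 ip4:198.51.100.7 -all",)),
    ("old.example.com.", "TXT", ("some unrelated text",)),
]


def joined(strings):
    """A TXT/SPF rdata may be several <=255-byte strings; compare the concatenation."""
    return "".join(strings)


def spf_without_txt(records):
    """Return (owner, text) for every SPF-type record lacking an identical TXT record."""
    txt_by_owner = defaultdict(set)
    for owner, rtype, strings in records:
        if rtype == "TXT":
            txt_by_owner[owner.lower()].add(joined(strings))
    missing = []
    for owner, rtype, strings in records:
        if rtype == "SPF" and joined(strings) not in txt_by_owner[owner.lower()]:
            missing.append((owner, joined(strings)))
    return missing


def spf_txt_records(records, owner):
    """The TXT strings at an owner that a receiving mail server would treat as SPF."""
    return [
        joined(strings)
        for o, rtype, strings in records
        if o.lower() == owner.lower() and rtype == "TXT"
        and joined(strings).lower().startswith("v=spf1")
    ]


def add_missing_txt(records):
    """The fix: add a TXT record carrying the same text for each orphaned SPF record."""
    fixed = list(records)
    for owner, text in spf_without_txt(records):
        fixed.append((owner, "TXT", (text,)))
    return fixed


if __name__ == "__main__":
    for owner, text in spf_without_txt(SAMPLE_RECORDS):
        print(f"{owner} has SPF record {text!r} but no matching TXT record")
    print("after fix:", spf_without_txt(add_missing_txt(SAMPLE_RECORDS)))
```

Only the TXT record is consulted by mail receivers, so the SPF-type record can be dropped once the TXT twin is in place; the checker above only reports the mismatch, it does not delete anything.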

Re: Can't modify an existing SPF record

2022-07-08 Thread Greg Choules via bind-users
Hi Roberto. What domain is this SPF for and exactly how are you trying to add the extra term? Cheers, Greg On Fri, 8 Jul 2022 at 16:38, Roberto Carna wrote: > Dear, from my webmin interface for BIND9, I try to add an additional > allowed sender host to our SPF record, but I get the following

Re: Basic setup instructions

2022-07-25 Thread Greg Choules via bind-users
Hi Gene. Please can you post a link to 'the website' you refer to? Where have you got to so far? BIND requires one config file - named.conf - which, at its simplest, doesn't need to contain much at all; the defaults should pretty much just work. But let's start with what you have now and, if

Re: success resolving xxx after disabling EDNS

2022-05-04 Thread Greg Choules via bind-users
Hi Veronique. Every DNS server should support EDNS by now. It has been around for a very long time. Even if it doesn't support EDNS it should ignore it. I made some test queries and packet captures to 23.82.12.28. Whatever this box is, please talk to the manufacturer about EDNS support. Or.. it

Re: DNS traffic tracking

2022-05-09 Thread Greg Choules via bind-users
Hi Alex. Your use case may be very different to the one I faced in my previous job. But there we did not and could not charge for DNS. It was seen as a necessary but free resource. If you *really* want to account for how many queries clients are making, a quick and dirty solution is enabling

Re: Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE

2022-08-01 Thread Greg Choules via bind-users
Hi Peter. Off the top of my head, could it be this? random-device The source of entropy to be used by the server. Entropy is primarily needed for DNSSEC operations, such as TKEY transactions and dynamic update of signed zones. This options specifies the device (or file) from which to read

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Greg Choules via bind-users
Hello J What is it you're actually trying to achieve here? Cheers, Greg On Thu, 25 Aug 2022 at 04:24, J Doe wrote: > Hello, > > I was wondering if anyone could provide feedback on whether the > following: newsyslog.conf file is correct to allow for daily log > rotation for my Bind 9.16.30 logs

Re: Zone transfer over VPN

2022-09-06 Thread Greg Choules via bind-users
Hi Michael. Have you tried without the "allow-transfer" statements at all? I find it usually works best to start simple, get it working, then apply security bit by bit. Do you have logs from all servers? What are they telling you specifically about what is the issue? Lastly, get packet captures of

Re: address/prefix length mismatch

2022-08-24 Thread Greg Choules via bind-users
Hi Elias. I can't say why this might have worked with 9.11 (if it did - I'd be surprised). But you should not/cannot define ACLs like this: 10.60.0.1/23; /23 means consider only the first 23 bits of the available 32 bits of an IPv4 address and ignore the rest (in this context. Please don't someone

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Greg Choules via bind-users
Hi again J. If I understand correctly, you want to enable querylog on a busy recursive server permanently, rotate the files once a day and don't care if you lose some logs because the number of queries on a busy day generates more data than the specified log file is allowed to contain. My

Re: address/prefix length mismatch

2022-08-24 Thread Greg Choules via bind-users
Hi Sten. That is absolutely what you do *not* want to do. Writing it out in binary might help. /23 means the following: 1110 '1' bits mean, test an incoming address against the corresponding bit from the address in the mask. '0' bits mean, don't test an incoming
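An added example covering the two "address/prefix length mismatch" replies above (written for this page; not BIND code and not from the thread): what named is objecting to in an entry such as 10.60.0.1/23, the binary view of the mask that the second reply suggests writing out, and first-match evaluation of an address match list once the entries are valid. The function names (check_acl_entry, matching_bits, client_allowed) and the client addresses are invented for the example.

```python
# Added example, not from BIND or the bind-users thread.
# An address/prefix ACL element is only well formed when the bits beyond the
# prefix length are all zero; 10.60.0.1/23 is not, 10.60.0.0/23 is.
import ipaddress


def check_acl_entry(entry):
    """Return (accepted, network) for one address/prefix element.

    accepted is False when the address has bits set beyond the prefix length,
    the condition named rejects; network is the element with host bits cleared,
    i.e. what the author most likely meant to write.
    """
    try:
        # strict=True refuses a network with host bits set.
        return True, ipaddress.ip_network(entry, strict=True)
    except ValueError:
        return False, ipaddress.ip_network(entry, strict=False)


def matching_bits(prefix, version=4):
    """Dotted (v4) or colon-separated (v6) binary view of a prefix length."""
    total = 32 if version == 4 else 128
    bits = "1" * prefix + "0" * (total - prefix)
    if version == 4:
        return ".".join(bits[i:i + 8] for i in range(0, 32, 8))
    return ":".join(bits[i:i + 16] for i in range(0, 128, 16))


def client_allowed(client, acl):
    """First-match evaluation of a BIND-style address match list.

    Elements beginning with '!' are negations. The first element whose prefix
    contains the client decides; no match means deny.
    """
    addr = ipaddress.ip_address(client)
    for element in acl:
        negate = element.startswith("!")
        net = ipaddress.ip_network(element.lstrip("!"), strict=False)
        if addr.version == net.version and addr in net:
            return not negate
    return False


if __name__ == "__main__":
    for entry in ("10.60.0.1/23", "10.60.0.0/23", "192.0.2.0/24"):
        ok, net = check_acl_entry(entry)
        print(f"{entry:16} {'ok' if ok else 'mismatch, use ' + str(net)}")
    print("/23 =", matching_bits(23))
    acl = ["!10.60.1.0/24", "10.60.0.0/23"]
    for client in ("10.60.0.5", "10.60.1.200", "192.0.2.1"):
        print(client, "allowed" if client_allowed(client, acl) else "denied")
```

Note the order dependence in client_allowed: with the negation listed first, 10.60.1.200 is denied even though 10.60.0.0/23 contains it; swap the two elements and it is allowed.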

Re: Proxy requests but filter out IPv4 address

2022-08-19 Thread Greg Choules via bind-users
Hi Matthias. In DNS there are many record types. For IP addresses there are two types: A for IPv4 addresses and for IPv6 addresses. If your client asks for the record it should get only IPv6 addresses. So what is your client asking for? Can you show us a real example where both IPv4 and

Re: dig +norecurse behaviour changed with 9.16.33

2022-10-26 Thread Greg Choules via bind-users
Hi Veronique. As other people have said, more details please. To have a complete picture of what is going on, not only would we need to know what your dig tests look like, but also where dig is sending its queries and how that DNS server is configured. You can tell dig to send queries anywhere,

Re: dig +norecurse behaviour changed with 9.16.33

2022-10-27 Thread Greg Choules via bind-users
> dig @ip-dns-0 foundservices.cern.ch | grep flags | grep ANSWER > ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4 > > dig @ip-dns-0 foundservices.cern.ch *+norecurse* | grep flags | grep > ANSWER > ;; flags: qr aa; QUERY: 1, ANSWER: *2*, AUTHORITY: 2, ADDITIO

Re: dig +norecurse behaviour changed with 9.16.33

2022-10-27 Thread Greg Choules via bind-users
in addition the IP of > spectrum-lb.cern.ch. > > > And yes, a capture shows confirms indeed that dig returns less information > when the BIND 9.16.33 DNS server is used. > > I guess you can easily reproduce that behaviour, unless it is due to a > mis-configuration bit on our

Re: CVE-2022-2795

2022-10-19 Thread Greg Choules via bind-users
Hi Greg. Short answer: no. Slightly less short answer: no, if you prevent the server from trying to follow delegations. It's that potentially wild goose chase that was the problem. In short: - Forwarding must cover everything the server needs to do (that isn't locally defined) i.e. global

Re: Seeing lots of DNS issues on OpenWRT

2022-09-23 Thread Greg Choules via bind-users
Hi Philip. I echo Fred's response; why forward? - Backup your config - remove/comment the "forwarders {}" statement - start a tcpdump to disc for port 53 (for evidence about what happens next) - stop/start 'named'. - try queries/look in the log/stop the tcpdump and analyse it in Wireshark. As an

test - please ignore

2022-09-23 Thread Greg Choules via bind-users
Thanks, Greg

Re: Dig -x +trace?

2022-10-03 Thread Greg Choules via bind-users
Hi Mike. OK, let's try and do some practical things here. Firstly, please share your /etc/resolv.conf Secondly, please have two windows on the go. In the first, run "tcpdump -nvi all -w port 53". In the second, run your dig tests. Then share your results. If you are reluctant to share *actually*

Re: Dig -x +trace?

2022-10-03 Thread Greg Choules via bind-users
using that? Since you are unwilling to share a pcap I don't see what further help we can be. Good luck with Ubuntu and Cloudflare. Greg On Mon, 3 Oct 2022 at 21:55, Mike Hodson wrote: > On Mon, Oct 3, 2022 at 2:24 PM Greg Choules < > gregchoules+bindus...@googlemail.com> wrote: > &g

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Greg Choules via bind-users
Hi John. Yes, you *could* forward and that was a setup I inherited a good few years ago. The appeal is obvious: it's easy to do; just chuck queries over there and get answers. But forwarding keeps the RD bit set, meaning that the server being forwarded to should a) have recursion enabled (though

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Greg Choules via bind-users
Hi Bob. In a previous life I did just this. Large resolvers for customers and internal users, defaulting to the Internet but with specific configuration to internal auth-only servers for private zones (I used stub but static-stub and mirror are alternatives - they each behave slightly

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Greg Choules via bind-users
Hi Grant. My understanding is this, which is almost identical to what I did in a former life: client ---recursive_query---> recursive_DNS_server ---non_recursive_query---> internal_auth/Internet where: client == laptop/phone/server running stub resolver code recursive_DNS_server == what Bob is
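An added example for the client -> recursive server -> authoritative server picture above and the earlier remark that forwarding keeps the RD bit set (example code written for this page, not from the thread and not BIND code): it packs and unpacks the 12-byte DNS message header so the flag differences between the hops can be seen the way dig prints them. The messages are constructed, not captured traffic, and the function names (build_header, decode_header, walk_hops, forwarded_query, iterative_query) are invented for the example.

```python
# Added example, not from BIND or the bind-users thread.
# DNS header packing/unpacking (RFC 1035 section 4.1.1) to show the RD/RA/AA
# flags on each hop between a stub, a recursive server and an authoritative server.
import struct

# Flag bits in the second 16-bit word of the header.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_header(msg_id, *, response=False, aa=False, rd=False, ra=False,
                 rcode=0, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a header; only the fields the thread talks about are exposed."""
    flags = ((QR if response else 0) | (AA if aa else 0) | (RD if rd else 0)
             | (RA if ra else 0) | (rcode & 0xF))
    return struct.pack("!6H", msg_id, flags, qdcount, ancount, nscount, arcount)


def decode_header(data):
    """Unpack the first 12 bytes of a message into dig-style field names."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dig_style_flags(hdr):
    """Render the flags the way dig's ';; flags:' line does."""
    return "flags: " + " ".join(f for f in ("qr", "aa", "tc", "rd", "ra") if hdr[f])


def forwarded_query(query, new_id):
    """A forwarding server re-sends the question with RD left as the client set it."""
    hdr = decode_header(query)
    return build_header(new_id, rd=hdr["rd"], qdcount=hdr["qdcount"])


def iterative_query(query, new_id):
    """A full resolver asks authoritative servers with RD cleared."""
    hdr = decode_header(query)
    return build_header(new_id, rd=False, qdcount=hdr["qdcount"])


def walk_hops():
    """The four messages of one lookup, as (hop, decoded header) pairs."""
    stub_query = build_header(0x1234, rd=True)
    auth_query = iterative_query(stub_query, 0x1235)
    # Authoritative answer: AA set, RA clear, nothing recursive about it.
    auth_reply = build_header(0x1235, response=True, aa=True,
                              ancount=2, nscount=2, arcount=4)
    # Recursive server's answer to the stub: RD echoed, RA set, AA clear.
    stub_reply = build_header(0x1234, response=True, rd=True, ra=True,
                              ancount=2, nscount=2, arcount=4)
    return [
        ("stub->recursive", decode_header(stub_query)),
        ("recursive->auth", decode_header(auth_query)),
        ("auth->recursive", decode_header(auth_reply)),
        ("recursive->stub", decode_header(stub_reply)),
    ]


if __name__ == "__main__":
    for hop, hdr in walk_hops():
        print(f"{hop:16} {dig_style_flags(hdr)}  rcode={hdr['rcode']}")
```

The "recursive->auth" hop is the one that changes if the middle server forwards instead of resolving: forwarded_query leaves RD set, which is why the server being forwarded to has to accept recursive queries from the forwarder.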

Re: caching does not seem to be working for internal view

2022-08-03 Thread Greg Choules via bind-users
Hi Robert. May we see the file /etc/resolv.conf and your BIND configuration? It's difficult to guess what might be going on with only a small snippet of information. If you "ping somewhere" (or "ssh a-server", or whatever) the OS will consult resolv.conf to determine where to send DNS queries. If

Re: caching does not seem to be working for internal view

2022-08-03 Thread Greg Choules via bind-users
> file "intelcon.htt-consult.com.hosts";}; > zone "mobile.htt-consult.com" { > type master; > file "mobile.htt-consult.com.hosts";}; > zone "test.htt-consult.com"

Re: I need to find statistics on a running server.

2023-01-12 Thread Greg Choules via bind-users
Hi Jeff. Query logging is quite an overhead and very heavy on writing to storage, so use it sparingly as it can have a detrimental impact on performance. For any moderately loaded server I would not have it enabled by default. Cheers, Greg On Thu, 12 Jan 2023 at 18:22, Jeff Sumner wrote: >

Re: Use UDP for (small) incremental zone transfers?

2023-01-12 Thread Greg Choules via bind-users
not worth worrying about. Cheers, Greg On Fri, 13 Jan 2023 at 06:19, Jesus Cea wrote: > On 13/1/23 7:12, Greg Choules via bind-users wrote: > > Hi Jesus. > > No. Zone Transfer always uses TCP. Is it really that much of an overhead > > for you? > > Not now, but

Re: Use UDP for (small) incremental zone transfers?

2023-01-12 Thread Greg Choules via bind-users
Hi Jesus. No. Zone Transfer always uses TCP. Is it really that much of an overhead for you? Cheers, Greg On Fri, 13 Jan 2023 at 05:56, Jesus Cea wrote: > I have a dns zone with many dns updates per minute. The updates are > tiny, like 2-3 records, <500 bytes in total. > > Currently my

Re: Views vs Separate Authoritative & Recursive DNS

2023-01-04 Thread Greg Choules via bind-users
Hi E R. My short answer would be, don't configure views unless you have a good use case for them. For example you are running resolvers that have two different kinds of clients that need to be handled differently - one client set needs RPZ, the other doesn't. Or something like that. BIND has

Re: What is the meaning of an ecs log

2022-12-08 Thread Greg Choules via bind-users
Hi Mik. The Client Subnet in DNS Queries RFC should explain all. Essentially there are two masks in the ECS option - source prefix length and scope prefix length. ECS-enabled recursive servers (like Google or BIND -S edition) will set the source prefix

Re: How to configure , dig command support +subnet

2022-12-13 Thread Greg Choules via bind-users
Hello. What exact version of BIND are you running? "named -V" From dig it *looks* like you are running 9.18.9. ECS support only exists in the subscription editions of BIND (-S suffix) and to get that you need to be an eligible ISC support customer. Thanks, Greg On Tue, 13 Dec 2022 at 10:48, 徐娅

Re: SERVFAIL IPv6 debugging

2023-01-19 Thread Greg Choules via bind-users
Hi Bruce. There's potentially a bunch of things to note here. DNS conversations are independent of each other. The dig to your own server (dig -6 ec.europa.eu) may be over v4 or v6. But the subsequent queries that server makes (if any) may be over v4, or v6, or both. It depends how your server is

Re: recursion yes/no?

2023-01-24 Thread Greg Choules via bind-users
Hi David. "recursion yes;" tells named that it can (if it has to) make queries to other places if it needs more information in order to answer a client query. Pure authoritative servers shouldn't need it and should have "recursion no;". So the first question is, do your servers make queries out to

Re: recursion yes/no?

2023-01-25 Thread Greg Choules via bind-users
inimal-responses to no, now I get the usual output when querying. > > For what I understand, there is no downside in maintaining this setting, > right? > > Thank you! > > > > Kind regards. > > David > > > > > > *From:* Greg Choules > *Sent:* 24 Ja

Re: Resolving and caching illegal names

2023-01-24 Thread Greg Choules via bind-users
Hi John. A few questions, if I may. - Why *must* you forward everything to Akamai? - Was that a real example of a daft query: 10.11.12.13 type A? If not, do you have some real examples of queries being made to your servers please? - Notwithstanding the nature of these illegal queries, if they

Re: Gratuitous AXFRs of RPZ after 9.18.11

2023-01-27 Thread Greg Choules via bind-users
Hi John. Personally, I would start by drawing a picture (I like pictures) of all the players in the game and gathering data, leaving nothing out, including: - All servers, with all IP addresses. - SOA and NS records of working zones and the troublesome RPZ zone. - Which servers are

Re: Converting between zone file formats

2023-01-30 Thread Greg Choules via bind-users
Hi Håvard. I currently have 9.18.8 installed; the version of named-compilezone is the same. As a test I just converted a text format zone file to raw and then that raw file back to text and it looks fine to me: - named-compilezone -f text -F raw -o junk.raw junk db.junk - named-compilezone -f raw

Re: Bind listener to an IPv6 from AnyIP subnet

2023-03-13 Thread Greg Choules via bind-users
Hi Serg. Can you post the output of "named -V" please? You're looking for "--disable-linux-caps", which you don't want. I'm not sure how (if) BIND interacts with AnyIP, but it should pick up new interfaces as they are added, *if* it is built with the necessary capabilities enabled. 'named' starts

Re: RPZ answer me NXDOMAIN for some domain

2023-03-22 Thread Greg Choules via bind-users
Hi Nath. What have you got on SrvB for biopyrenees.net, or net? On SrvB, please do "dig @127.0.0.1 sri.biopyrenees.net" (please use the actual address rather than "localhost") and paste the full result here. I am interested in flags and the query time right now. Cheers, Greg On Wed, 22 Mar 2023

Re: Is there an incompatibility between 9.16.37/9.18.11 and 9.9 when doing HMAC-MD5 AXFR?

2023-02-21 Thread Greg Choules via bind-users
Hi Patrik. 9.9? Classic! :D I don't believe there should be any incompatibilities. Are you perhaps falling foul of this? From Cricket's book, chapter 11 It’s important that the name of the key—not just the binary data the key points to— be identical on both ends of the transaction. If it’s not,

Re: Best practice MultiView

2023-04-17 Thread Greg Choules via bind-users
Hi Jiaming. The arguments to "also-notify {...};" are explicit IP addresses. Why do you need it? Do you have some secondaries that are not listed as NS in zones? Regarding views. Why would you have the same zone in an internal and external view? A few years ago, having to maintain multiple zones

Re: Fully automated DNSSEC with BIND 9.16

2023-04-19 Thread Greg Choules via bind-users
Hi Håvard Odd, it works for me. Try a literal copy/paste of the link below. Or go to https://kb.isc.org and search for packages: https://kb.isc.org/docs/isc-packages-for-bind-9 Cheers, Greg On Wed, 19 Apr 2023 at 12:03, Havard Eidnes via bind-users < bind-users@lists.isc.org> wrote: > >>

Re: Best practice MultiView

2023-04-21 Thread Greg Choules via bind-users
nder. Yixi Meta is registered with the Dutch Chamber of > Commerce trade register with number 85744115.* > -- > *From:* Greg Choules > *Sent:* Wednesday, April 19, 2023 11:01:00 PM > *To:* Jiaming Zhang > *CC:* bind-users@lists.isc.org > *Subject:* Re: Best practic

Re: Best practice MultiView

2023-04-18 Thread Greg Choules via bind-users

Re: Best practice MultiView

2023-04-19 Thread Greg Choules via bind-users
> -- > *From:* Greg Choules > *Sent:* Tuesday, April 18, 2023 2:51:05 PM > *To:* Jiamin

Re: Best practice MultiView

2023-04-18 Thread Greg Choules via bind-users

Re: bind with qname min. fails to continue recursing on one specific query

2023-03-27 Thread Greg Choules via bind-users
Hi Jason. I just tried this on my server (9.18.11) and it does indeed appear to be qname minimisation. The following servers (NS for tn.gov) just don't respond to the query "_.edison.tn.gov": dns4.tn.gov: type A, class IN, addr 170.141.167.222 dns5.tn.gov: type A, class IN, addr 170.141.168.22

Re: Intermittent issues resolving "labor.upload.akamai.com"

2023-02-03 Thread Greg Choules via bind-users
Hi Sandeep. >From a quick look in Wireshark at what my own server (9.18.8) is doing, this looks like Akamai not responding correctly to a BIND QNAME minimisation query. Here's one response, from 95.101.36.192 for example, of many similar ones showing an issue. The response code shouldn't be

Re: named out of swap on NetBSD/amd64

2023-02-12 Thread Greg Choules via bind-users
Hi Jan. There could be SO many things going on here. I have a few questions: - Do you mean 200 QPS or 200,000 QPS? I was wondering if a "k" had missed the print. If it's really 200, this box (not necessarily just BIND) sounds very ill. 200 QPS is background noise and (depending what's going on)

Re: named out of swap on NetBSD/amd64

2023-02-15 Thread Greg Choules via bind-users
lt) called "named_dump.db" in named's working directory. Grep for NXDOMAIN in that file. Cheers, Greg On Tue, 14 Feb 2023 at 15:29, Jan Schaumann via bind-users < bind-users@lists.isc.org> wrote: > Jan Schaumann via bind-users wrote: > > Greg Choules wrote: > > >

Re: named out of swap on NetBSD/amd64

2023-02-15 Thread Greg Choules via bind-users
as much RAM as you can afford. That way you minimise the frequency of cache cleaning, which is an overhead. Greg On Wed, 15 Feb 2023 at 19:45, Jan Schaumann via bind-users < bind-users@lists.isc.org> wrote: > Greg Choules wrote: > > > Since the queries are unique the responses

Re: Bind to Bind DNS Lookup - Returns wildcard value for defined A record

2023-07-17 Thread Greg Choules via bind-users
This time from the correct email alias! On Mon, 17 Jul 2023 at 22:58, Greg Choules wrote: > Hi. > Some observations: > - Please don't use nslookup. Please use dig, it is much more versatile and > gives much more information with which to try and interpret what might be > going on

Re: Bind to Bind DNS Lookup - Returns wildcard value for defined A record

2023-07-16 Thread Greg Choules via bind-users
Real data please: - example queries (genuine, not invented for illustration) - real domains - real IP addresses - packet captures - both BIND server configs - zone file contents - startup logs There are so many things it *could* be, the more information the better. Cheers, Greg On Sun, 16 Jul

Re: extended dns error

2023-07-12 Thread Greg Choules via bind-users
Hi Sami. In the "response-policy" block in your config, what (if anything) is the value of the statement "qname-wait-recurse"? If you do not have that set explicitly, please do "named -C" to list the defaults and see what it is; probably "yes". This parameter controls whether RPZ waits until

Re: thank you - Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-30 Thread Greg Choules via bind-users
ll. > > I got pulled into another project and wanted to reply with thanks sooner. > Your time is valuable and I sincerely appreciate everyone who took the time > to make suggestions. > > On May 10, 2023, at 1:39 AM, Greg Choules < > gregchoules+bindus...@googlemail.com>

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-28 Thread Greg Choules via bind-users
Hi Ubence. Firstly, may we see your configs please. It's impossible to say exactly what's going on from a human description. Secondly, views and different answers. Yes it *is* entirely possible to use views to provide answers based on client IP - `match-clients`. I would start with the most

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Greg Choules via bind-users
recedence. > > It also seems that the bind configuration file is read from top down in > processing order? I had the main view on top first, but then moved it > below the other views, and then the 192.168.10-net view worked...but the > main view did not work. > > I know t

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Greg Choules via bind-users
eep the lab.domain.com domain name. > > Ultimately, views won't work, which is very clear now, but having distinct > hostnames for each instance on a different subnet *should* work and could > be put on the lab.domain.com system so that when they are replicated to > the primary name ser

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
Hi Sami. Firstly, a couple of definitions: NXDOMAIN is a response from an authoritative server (or a resolver because it cached it). It is a positive confirmation that "this name does not exist". It means that the QNAME in the query cannot be found, for any record type. SERVFAIL is a response from

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
to change the return code for this > domain name to "NXDOMAIN" so as not to distort the monitoring result. > > Regards > > *From:* Greg Choules > *Sent:* Monday 19 June 2023 10:03 > *To:* RAHAL Sami SOFRECOM > *Cc:* bind-users@lists.isc.org > *Subject:*

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
From the correct email alias this time! On Mon, 19 Jun 2023 at 16:50, Greg Choules wrote: > Hi Lee/Sami. > `break-dnssec yes;` *may* also be needed in some cases. But not here as > the zone isn't signed anyway. > > The reason that "example.com" works but "

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
de we can > not modify this code by nxdomain with the rpz configuration? > > Regards > > > > *From:* Greg Choules > *Sent:* Monday 19 June 2023 12:02 > *To:* RAHAL Sami SOFRECOM > *Cc:* bind-users@lists.isc.org > *Subject:* Re: replace "SERVFAIL" to "NXDOMA

Re: latency and response time

2023-06-27 Thread Greg Choules via bind-users
Hi Sami. Let me ask you a question. How would you define the terms "latency" and "response time"? Greg On Tue, 27 Jun 2023 at 17:23, wrote: > Hello In DNS benchmarking which is more important latency or response > time? for a DNS server what is the difference between the two values? > > > >

Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-09 Thread Greg Choules via bind-users
Hello. By far the simplest way to install BIND natively on Mac is to use the Homebrew package manager. I have 9.18.14 installed on mine and it works fine. The other alternative is to run it from the Docker image. See here for details: https://hub.docker.com/r/internetsystemsconsortium/bind9 Hope

Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-09 Thread Greg Choules via bind-users
The named binary *could* exist in many places; it depends on the OS. For example, with a Homebrew install on my Mac it's here: /usr/local/Cellar/bind/9.18.14/sbin/named because of this build parameter: --prefix=/usr/local/Cellar/bind/9.18.14 It's linked to from /usr/local/opt/bind/sbin/named, for

Re: resolver: DNS format error from

2023-05-17 Thread Greg Choules via bind-users
Hi Alex. TL;DR 9.18 is stricter than 9.16 at handling junk responses from authoritative servers. Looking at a packet capture for this from my own BIND server (9.18.14) the response from 195.178.56.17 is FORMERR, which tends to mean that it objects to something in the query. The correct response

Re: acl in also-nofify

2024-02-08 Thread Greg Choules via bind-users
Hi both. You can't do it using ACLs. But you can do it using primaries. This is hinted at in the section about the primaries statement, but not clearly expanded on. For example: # define a primaries list called "also-notifed" (or anything you like). Define as many lists as you need. primaries
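Greg's suggestion above relies on `also-notify` accepting a named server list defined with the `primaries` statement (the ACL statement, by contrast, defines address-match lists, which `also-notify` does not take). The following `named.conf` fragment is an added example for this page, not Greg's own snippet; the list name, key name, addresses and zone names are assumptions.

```conf
// Added example (not from the original message): a named "primaries" list
// reused as the also-notify target of several zones. List name, key name,
// addresses and zone names are assumptions. BIND 9.16 and later accept a
// named primaries list anywhere also-notify takes a server list.

key "notify-key" {
    algorithm hmac-sha256;
    secret "cmVwbGFjZS1tZS13aXRoLWEtcmVhbC1zZWNyZXQ=";   // placeholder
};

// Define the list once; define as many lists as you need.
primaries "also-notified" {
    192.0.2.10;
    192.0.2.11 port 5353;               // per-entry port is allowed
    198.51.100.7 key "notify-key";      // TSIG-signed NOTIFY to this one
};

zone "example.com" {
    type primary;                       // "master" is the older synonym
    file "zones/example.com";
    // Reference the list instead of repeating the addresses in every zone.
    also-notify { also-notified; };
};

zone "example.net" {
    type primary;
    file "zones/example.net";
    also-notify { also-notified; };
};
```

`named-checkconf` rejects an ACL name in this position, so a misconfigured file fails to load rather than silently notifying nobody. Note that `also-notify` targets are in addition to the zone's NS records; set `notify explicit;` in the zone if only the listed servers should receive NOTIFY.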

Re: Re: zone not loaded in one of view

2023-12-19 Thread Greg Choules via bind-users
Hi. The existence of a `.jnl` file for the zone means that, at some point in the past anyway, you *did* allow dynamic updates to this zone and some updates were made, which were stored in the journal file. I would like to ask a couple of questions: 1) What is the timeline of your investigation?

Re: How do I debug if the queries are not getting resolved?

2023-12-12 Thread Greg Choules via bind-users
ue, 12 Dec 2023 at 17:42, Blason R wrote: > Thanks folks > > I just disabled DNSSEC validation from bind config file (globally) and > those domains started resolving fine. > > > On Tue, Dec 12, 2023, 13:25 Greg Choules < > gregchoules+bindus...@googlemail.com> wr

Re: How do I debug if the queries are not getting resolved?

2023-12-11 Thread Greg Choules via bind-users
Hello. There are well known and documented issues with the zone "gov.in" and there were some recent problems with "gov" as well. Please search this mailing list archive for those domains and you may find some useful hints, tips and information that explain and help you with your own problem.

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Greg Choules via bind-users
Hi Michel. You will get an authoritative answer (AA bit = 1) if the server is either primary (master) or secondary (slave) for the QNAME (query name); in this case "reseau1.lan". From the config snip you provided this is because you have the config: zone "reseau1.lan" { type master; ... }; If

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Greg Choules via bind-users
Hi Michel. Please can you send the following information: - name and IP address of the authoritative server - the full contents of the zone file for "reseau1.lan" - name and IP address of the other server - what does this server do? - What is the machine "pc1", on which you are running the digs? -

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Greg Choules via bind-users
HEADER<<- opcode: QUERY, status: NOERROR, id: 56002 > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 > > *AUTHORITY: 1 : this is ok.* > > > Command dig pc1.reseau1.lan > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57670 > ;; f

Re: Problem with recursion for windows bind for Teamviewer

2023-11-20 Thread Greg Choules via bind-users
Hi there. Can you send some information, for those unfamiliar with what you're trying to do? - Full BIND config - IP addresses of relevant things, like interfaces of the servers on which you are running BIND and of Teamviewer. - What does Teamviewer need from DNS? What kinds of queries is it

Re: Problem with recursion for windows bind for Teamviewer

2023-11-20 Thread Greg Choules via bind-users
Have you checked the routeing table on this server? Without any other evidence, this looks to me like packets are going places you aren't expecting. In the first screenshot the query goes to 213.227.191.1 and apparently a response doesn't come back until 4s later. When I try it using dig I get an

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Greg Choules via bind-users
> > Thank you for your reply. > > > Please find attached the markdown file with all the commands and text > from the terminal. > > In /etc/resolv.conf I had "127.0.0.53" so I disabled the DNSStubListener > from systemd-resolved. I have netplan and networ
