Am 14.07.2018 um 00:38 schrieb Matthew Pounsett:
> On 13 July 2018 at 06:04, Michał Kępień wrote:
>
>> Hopefully this will shed some light on the matter:
>>
>> https://gitlab.isc.org/isc-projects/bind9/issues/339#note_12805
>>
>> That is helpful, thanks. That comment says the issue
Hi all!
Upgrading to Ubuntu 16.04 with Bind 9.10.3 did not solved the problem.
I enabled debug log (trace 2) and query logging. Unless my monitoring
traffic (~20 Queries every second) the server is idle.
The server is a xen domU (on a idle hypervisor) with 4 vCPUs and 20G RAM.
Here the logs
Nevertheless I think there is a bug. IIR the previous default was 100% (switch
to AXFR if IXFR would be grater than AXFR) and we also saw plenty of AXFR
although the IXFR difference was very small and far away from 100%
regards
Klaus
> -Ursprüngliche Nachricht-
> Von: bind-users Im
> -Ursprüngliche Nachricht-
> Von: bind-users Im Auftrag von Evan
> Hunt
> Gesendet: Samstag, 7. August 2021 20:21
> An: Gaurav Kansal
> Cc: bind-users@lists.isc.org
> Betreff: Re: Does BIND supports ANAME RR
>
> On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
> > I need
> On 09.08.21 13:55, Klaus Darilion via bind-users wrote:
> >But honestly SVCB will not solve the ANAME problem. I will take years
> > until all resolvers/client would support SVCB whereas ANAME would be
> > implemented in the authoritative name server
>
> resolving on
red to be able to return these records. It
> just makes it easier.
>
> Just about all the other DNS vendors also have code that can read and
> display presentation format.
>
> ANAME is dead.
> --
> Mark Andrews
>
> > On 9 Aug 2021, at 21:53, Klaus Darilion via bin
gated to reply outside your normal working hours.
>
> > On 9. 8. 2021, at 17:23, Klaus Darilion via bind-users us...@lists.isc.org> wrote:
> >
> > Does every application that uses gethostbyname have a benefit of
> HTTPS/SVCB? That is what I meant.
> > re
Hi Matthijs!
> We would like to encourage you to change your configurations to
> 'dnssec-policy'. See this KB article for migration help:
>
> https://kb.isc.org/docs/dnssec-key-and-signing-policy
Some comments to this KB article and dnssec-policy:
- The article should mention how to
> On 10-08-2021 13:38, Klaus Darilion wrote:
> > Hi Matthijs!
> >
> >> We would like to encourage you to change your configurations to
> >> 'dnssec-policy'. See this KB article for migration help:
> >>
> >> https://kb.isc.org/docs/dnssec-key-and-signing-policy
> >
> > Some comments to this KB
Hello!
Bind version: 9.16.19-1+ubuntu18.04.1+isc+1
Recently I discovered these logs:
09:13:12 named[3234]: _default: sending trust-anchor-telemetry query
'_ta-/NULL'
09:13:12 named[3234]: validating ./NSEC: no valid signature found
09:13:12 named[3234]: validating ./SOA: no valid
IIRC, Bind needs the key as long as there are signatures in the zone generated
by this key. After key deactivation I waited the RRSIG lifetime before deleting
them.
regards
Klaus
Von: bind-users Im Auftrag von egoitz--- via
bind-users
Gesendet: Montag, 24. Jänner 2022 13:00
An:
As I have such a zone I will paste it here. But fore sure it is not complete as
it was created some time ago.
regards
Klaus
$ cat types.test
$TTL 60 ; 1 minute
@ IN SOA sec1.rcode0.net. rcodezero.ipcom.at. (
36 ; serial
Hi Andrew!
DNSSEC is more costly: more Ressource Records to hold on disk, to hold in
memory and more queries and more IP traffic. If the DNSSEC signing is also done
by the DNS provider there would be additional ressources for the signing
service and risks when doing something wrong.
For a
d the
> differences are not small, for some configurations it can be even 2x or
> 3x more on 9.16 than it is on 9.18.
>
> If you encounter it again please get back to us so we can diagnose it.
>
> Thank you!
> Petr Špaček
>
>
> On 18. 05. 22 8:56, Klaus Darilion via bind-u
ent of the JSON stats endpoint (if you are on Linux).
>
> I hope it helps.
> Petr Špaček
>
>
>
> >
> > Ondrej
> > --
> > Ondřej Surý — ISC (He/Him)
> >
> > My working hours and your working hours may be different. Please do not
> feel ob
I remember we had similar issues with 9.18 (isc ppa packages) and hence wen't
back to 9.16. But I can not remember the details.
regards
Klaus
> -Ursprüngliche Nachricht-
> Von: bind-users Im Auftrag von Ondrej
> Surý
> Gesendet: Mittwoch, 18. Mai 2022 08:37
> An: Raman kumar
> Cc:
> Can you propose log line?
>
> Should it be one line per algorithm? Or one line with all disabled? Or
> one one with all enabled? What log level? Log category? It it okay it
> will be almost always logging GOST? ...
I am not using Red Hat, but when debugging DNSSEC issues it would be helpful to
I checked all options of rndc to get the list of zones configured/served by
bind - but I can't find any.
Is it really not possible to get this list from a running Bind process?
Thanks
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
--
> -Ursprüngliche Nachricht-
> Von: bind-users Im Auftrag von Mark
> Andrews
> Gesendet: Donnerstag, 9. März 2023 21:04
> An: Jan-Piet Mens
> Cc: bind-users@lists.isc.org
> Betreff: Re: Correlation between NOTIFY-Source and AXFR-Source
>
> Named just uses the notify to trigger an early
>
> https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-notify-rate
Will that feature throttle Notifys or stop them completely for some minutes?
Thanks
Klaus
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the
Hi!
root@cc-tld-sbg1:/var/log/tld-acct-by-customer# dpkg -l|grep bind9
ii bind9 1:9.18.6-1+ubuntu22.04.1+isc+1
amd64Internet Domain Name Server
Please help me debugging this issue: We have a TLD zone with ~3mio delegations
and updates every
Hello!
I always was quite sure that Bind will request XFR from the Primary that sent
the NOTIFY.
config:
masters {
X.X.X.4;
X.X.X.20;
};
Bind Version 9.11.5.P4+dfsg-5.1+deb10u8
But I just saw this in the logs that the first NOTIFY is received from .20, but
AXFR is
> -Ursprüngliche Nachricht-
> Von: bind-users Im Auftrag von Bob
> Harold
> Gesendet: Freitag, 24. Februar 2023 19:26
> An: bind-users
> Betreff: DNS DDoS protection
>
> Before answering this question, can you tell me the proper place where I
> should be asking this question?
>
> "We
Yes it does. I guess all name servers offer a command to force a transfer of
the zone without checking the serial. The ones I use support that:
Bind: rndc retransfer
NSD: nsd-control force_transfer
PowerDNS: pdns_control retrieve
Knot: knotc zone-retransfer
regards
Klaus
>
> > On 24. 3. 2023, at 14:36, Klaus Darilion via bind-users us...@lists.isc.org> wrote:
> >
> > Is there some rate liming in Bind?
>
> https://bind9.readthedocs.io/en/stable/reference.html#namedconf-
> statement-notify-rate
For the records: Increasing the n
Hi Petr!
> > For example, there are 8 secondaries (Mumbai, LosAngeles, Melbourne,
> > Atlante, SaoPaulo...) to which the XFR took 2361 seconds.
> >
> > Are there some mechanisms in Bind that put multiple XFRs together into
> a
> > common stream? Or do you have any other ideas how it come that
Hello!
Yesterday I made some tests transferring a zone with 50mio RRs to 35
Secondaries. I measured the time between:
- Primary logs "zone test/IN: sending notifies"
- Primary logs "client : transfer of 'test/IN': AXFR-style IXFR
ended"
What makes we wonder is, that for
There are several tools with different features and behavior. I would take
alook at dnsperf, kxdpgun and flamethrower
regards
> -Ursprüngliche Nachricht-
> Von: bind-users Im Auftrag von
> sami.ra...@sofrecom.com
> Gesendet: Mittwoch, 21. Juni 2023 17:59
> An: bind-users@lists.isc.org
>
Hi all!
I also know a colleague which was hit by the same issue, causing problems to
their zone.
Migrating from auto-dnssec to dnssec-policy can lead to operational issues. For
example that problem with different algos should be mentioned in
> -Ursprüngliche Nachricht-
> Von: bind-users Im Auftrag von Carsten
...
> It would be nice to have a "dry-run" mode in BIND 9, where BIND 9 would
> report steps it would do because of "dnssec-policy", but will not execute the
> changes.
If this Bind9 is only a hidden primary, disable
> -Ursprüngliche Nachricht-
> Von: bind-users Im Auftrag von Arsen
> STASIC
> Gesendet: Donnerstag, 21. März 2024 08:47
> An: Petr Špaček
> Cc: bind-users@lists.isc.org
> Betreff: Re: Crafting a NOTIFY message from the command line?
>
> * Petr Špaček [2024-03-20 09:32 (+0100)]:
> > On
> -Ursprüngliche Nachricht-
> Von: bind-users Im Auftrag von Jan
> Schaumann via bind-users
> Gesendet: Dienstag, 26. März 2024 14:44
> An: bind-users@lists.isc.org
> Betreff: Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records
>
> Karl Auer wrote:
> > I'm puzzled by the
32 matches
Mail list logo