OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
I upgraded my OpenSSL and BIND ports on one of my machines yesterday afternoon, and ended up with BIND being unable to start due to some problem with OpenSSL. Unfortunately, it's not giving me any real information to go on about what the problem is. > openssl version WARNING: can't open con

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 15:04, Michael Sinatra wrote: > What makes me doubt what I just said is that this has been an issue for more > than a year now, so I am not sure why you have escaped it for so long. I > assume you had openssl 1.0.x installed before you upgraded it--or was it an > earlier ver

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 17:46, Doug Barton wrote: > On 07/08/2012 13:40, Matthew Pounsett wrote: >> Yeah, I have to wonder if there's something that can be done in ports to >> prevent this from being an issue. > > You need to ask the nice openssl people to turn gost into

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 20:26, Mark Andrews wrote: > > One can also build named w/o GOST support if one wants. We statically > link all the engines when building named on Windows. Unfortunately the port doesn't provide the config hooks to disable GOST support.

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 20:29, Matthew Pounsett wrote: > > On 2012/07/08, at 20:26, Mark Andrews wrote: > >> >> One can also build named w/o GOST support if one wants. We statically >> link all the engines when building named on Windows. > > Unfortunately the port

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 20:40, Doug Barton wrote: > On 07/08/2012 17:33, Matthew Pounsett wrote: >> >> On 2012/07/08, at 20:29, Matthew Pounsett wrote: >> >>> >>> On 2012/07/08, at 20:26, Mark Andrews wrote: >>> >>>> >>>>

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-09 Thread Matthew Pounsett
On 2012/07/08, at 22:25, Barry Margolin wrote: > In article > >> >> So to answer my earlier question, what file were you talking about copying >> into the chroot environment for BIND? > > The shared library. When you link dynamically, all the libraries have to > be in $chroot/usr/lib. No, t

dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-04 Thread Matthew Pounsett
I'm trying to debug an IXFR problem with a client, and using dig in its place to compare IXFR requests between it and the misbehaving client. I noticed that when I do an IXFR with dig it defaults to TCP rather than UDP. I tried forcing it over with +notcp but I still get a TCP query. >From t

Re: dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-04 Thread Matthew Pounsett
On 2013-12-04, at 21:22 , Mark Andrews wrote: > > The options are processed left to right so the +notcp has to be > after the ixfr=. There are two reasons I don't understand why this is the case. 1) Since there is only one query in the command, I don't understand why "left to right" matters.

Re: dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-05 Thread Matthew Pounsett
On 2013-12-05, at 01:37 , Mark Andrews wrote: > >>> Note, named will for the use of TCP in its UDP response. > > s/for/force/ Always? Regardless of response size? Interesting. What's the rationale for doing it that way?

Re: dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-06 Thread Matthew Pounsett
On 2013-12-06, at 12:11 , Chris Thompson wrote: > > The sense in which BIND "forces use of TCP" is that when it gets an > IXFR request over UDP, it always just replies with the current SOA. > It doesn't bother to work out whether an incremental transfer is > possible and if so whether it would

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On Sunday, 24 April 2016, wrote: > > This zone would not pass named-checkzone, which interestingly, is the > same code which named itself uses when initially loading a zone. > > It appears to > > named-checkzone -t /var/chroot/named example.com > /namedb/master/example.com.zone >

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On 25 April 2016 at 13:44, wrote: > > > On Mon, Apr 25, 2016, at 10:19 AM, Matthew Pounsett wrote: > > > TBH I don't understand WHAT to 'expect' from dig to test/verify this^. > > > What do I dig to get an answer with "TEST STRING" in it? &

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On 25 April 2016 at 13:53, wrote: > > > I suspect that there's something wrong with what is/isn't copied , and > maybe when, in that chroot build/destroy script. > It's not clear to me why one would want to destroy/rebuild the chroot every time you restart the process. However, as long as you'r

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On Monday, 25 April 2016, wrote: > > > On Mon, Apr 25, 2016, at 10:58 AM, Matthew Pounsett wrote: > > It's not clear to me why one would want to destroy/rebuild the chroot > every > > time you restart the process. > > Well, here > > (1) Because I i

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-26 Thread Matthew Pounsett
On 25 April 2016 at 11:44, wrote: > > > > I completely gave up on chroot'd ntpd because of the endless weirdness. > Finally just moved to openntpd as (1) it had safe privsep, (2) no chroot > req'd, and (3) did the job I need. > Privsep doesn't actually fix the same problem chroot does. As I un

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 03:07, Tony Finch wrote: > Matthew Pounsett wrote: > > > > Privsep doesn't actually fix the same problem chroot does. As I > > understand it, privsep reduces the attack surface for remote execution > > exploits by shuffling off privileged

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 06:56, John Levine wrote: > Assuming you mean this (notice the dots): > > Domain.com. CNAME x.y.com. > www CNAME x.y.com. > No, this does not work. You're forgetting what goes around the example records: domain.com. IN SOA ... domain.com IN CNAME x.y.com. domain.com

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 07:26, Stephane Bortzmeyer wrote: > On Wed, Apr 27, 2016 at 05:05:50PM +0300, > Daniel Dawalibi wrote > a message of 52 lines which said: > > > our setup requires a CNAME record. > > Bad setup. (And has always been bad.) > > This isn't really his fault. The OP's goal shoul

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 07:42, Baird, Josh wrote: > Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]? > > [1] > https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/ It's possible. We do a similar thing at eNom... we allow end-users to in

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 07:40, Stephane Bortzmeyer wrote: > On Wed, Apr 27, 2016 at 07:32:48AM -0700, > Matthew Pounsett wrote > a message of 49 lines which said: > > > One of these days I'd like to lead a serious lobbying effort against > > the browser developers a

Re: Compiling BIND9 on CentOS 7

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 08:34, Sean Son wrote: > Thank you for your response. Basically what I am trying to do is migrate > the BIND server from a Centos 5.11 machine to a CentOS 7.2 machine. The > BIND on CentOS 5.11 was compiled manually by source and its named.conf file > looks very different tha

Re: also-notify and nsupdate doesnt work

2016-05-01 Thread Matthew Pounsett
On 1 May 2016 at 23:57, wrote: > hi, > i have a setup with one normal and some hidden slaves. > i set up a zone with also-notify and all worked fine. > all slaves got notifies and updates. > now i added a key and policy to remote update the zone. > the updates with nsupdate works fine. > but the n

Re: also-notify and nsupdate doesnt work

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 10:09, wrote: > hi, > > What you're describing sounds wrong. It shouldn't work that way. >> > what do you mean by "wrong" and which "it" should not work? :-) > > What I mean is, given a typical configuration, the brokenness you're observing shouldn't be broken. > Can you share

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 10:05, wrote: > General question -- > > When I want to change a zone file's data manually, say to add an A record, > what's the right procedure: > > If the zone is set up for dynamic updates, like the examples you've given, then in order to touch the zone file directly you need t

Re: Nsupdate usage scenario

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 16:38, wrote: > > > On Mon, May 2, 2016, at 12:15 PM, Jeremy C. Reed wrote: > > What about using a specific zone file just for the purpose of the single > > A record you want to maintain using dynamic updates? > > Well, this is a timely idea for another issue I've been working on

Re: Forward record for WWW

2016-05-05 Thread Matthew Pounsett
On 5 May 2016 at 11:55, Stephane Bortzmeyer wrote: > On Thu, May 05, 2016 at 03:42:24PM +, > Cuttler, Brian R. (HEALTH) wrote > a message of 29 lines which said: > > > External record in the zone file is actually > > wadsworth.org. 300 IN A 199.184.16.22 > > None of the three name servers

Re: Shared libraries loaded after chroot

2016-05-16 Thread Matthew Pounsett
On 16 May 2016 at 04:38, Marc Haber wrote: > I have filed Debian Bug #820974 (http://bugs.debian.org/820974) > accordingly. The Debian bind people suggest that I copy the respective > libraries to the chroot so that bind can find them. > Yeah, this has been the fix on a lot of systems since GOST

Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Matthew Pounsett
On 16 May 2016 at 19:03, Josh Nielsen wrote: > Thank you for the response Mark. I'm still a little confused at what this > might mean though. Clearly the originating address is my slave DNS server > (every single one of the messages say "error: client 10.20.0.101"). > > Are you saying that some p

Re: Forward zone not working

2016-05-17 Thread Matthew Pounsett
On 17 May 2016 at 09:29, Woodworth, John R wrote: > > > > > >Ideally every machine should be registering its own PTR record in the > > > >DNS and addresses without machines shouldn't have PTR records. > > > >The only reason ISP did this is that they were too lazy to manage PTR > > > >records for

Re: Loading all zone files in a directory

2016-07-23 Thread Matthew Pounsett
On 23 July 2016 at 15:25, Danilo wrote: > Is there a way to get Bind to automatically include config files in a > directory? If not, might it make sense to place a feature request for > this with the Bind developers? If yes, what would the process be for > such a request? Or is there a better alt

Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Matthew Pounsett
On 2 August 2016 at 12:25, Spumonti Spumonti wrote: > (I've done several searches for this first but the general nature of some > of these terms returned way too many non-relevant responses) > > I was recently told that named does not use resolv.conf when resolving > names. This was not something

Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Matthew Pounsett
On 2 August 2016 at 17:01, Ray Bellis wrote: > On 02/08/2016 19:47, Matthew Pounsett wrote: > > > In the authoritative configuration, BIND has no need to do DNS lookups > > of its own, so it wouldn't be any use there. > > That's not strictly true - BIND will

Re: named and use of resolv.conf? - how to "learn" this

2016-08-03 Thread Matthew Pounsett
On 2 August 2016 at 19:50, Evan Hunt wrote: > On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote: > > Yes it will. But, as far as I understand, it uses the recursive code > paths > > to do that, and won't consult resolv.conf. Yes? > > Correct. However

Re: Delegation questions

2016-08-11 Thread Matthew Pounsett
On 11 August 2016 at 09:13, Bob McDonald wrote: > I have a child domain that is delegated to a second site. Pretty > straightforward situation. In the parent zone I have NS records that point > to the DNS servers at the second site. > > The issue comes up when a slaved copy of the parent domain i

Re: Delegation questions

2016-08-11 Thread Matthew Pounsett
On 11 August 2016 at 10:14, Bob McDonald wrote: > > Currently, clients sending queries for domain child.example.com. to > server A get good results. > However, clients sending queries for domain child.example.com. to server > C get SERVFAIL because server C has no access to server B. (I'm guessin

Re: Question about dynamic IPv6-PTR-Generation

2016-08-26 Thread Matthew Pounsett
On 26 August 2016 at 13:45, Matus UHLAR - fantomas wrote: > On 26.08.16 07:34, Tom Tom wrote: > >> I'm searching a way to respond to IPv6-PTR-Queries like the >> "$GENERATE"-mechanism for IPv4 has done it. >> > > why? configuring single IP addresses or taking them from DHCP is easier > than > cre

Re: Question about dynamic IPv6-PTR-Generation

2016-08-26 Thread Matthew Pounsett
On 26 August 2016 at 15:41, Matus UHLAR - fantomas wrote: > >>> On 26.08.16 14:01, Matthew Pounsett wrote: > >> That's not necessarily true for IPv6, where even a modest network could >> have trillions of addresses that may need PTR records. >> > &g

Re: Load balancer for Bind

2016-09-14 Thread Matthew Pounsett
On 14 September 2016 at 12:17, Job wrote: > Hello, > > which is the best load balancer for two or more Bind DNS Server, located > in the same farm? > I read something about HAProxy but it does not manage udp connection and > the interesting security proxy/balancer DnsDist does not pass original >

checkzone from stdin?

2020-04-08 Thread Matthew Pounsett
It looks to me like named-checkzone isn't able to read a zone file from stdin. % cat example.com.db | named-checkzone example.com - zone example.com/IN: loading from master file - failed: file not found zone example.com/IN: not loaded due to errors. % cat example.com.db | named-checkzone example.

Re: checkzone from stdin?

2020-04-08 Thread Matthew Pounsett
fortunately, we don’t backport new features, so either you need to > follow the 9.17 track or backport the patch yourself. It should be fairly > straightforward to backport it to 9.16 branch since the codebases don’t > differ much yet. > > Ondrej > -- > Ondřej Surý — ISC > >

Re: checkzone from stdin?

2020-04-08 Thread Matthew Pounsett
On Wed, 8 Apr 2020 at 15:55, Anand Buddhdev wrote: > Note that it would work with "cat file | ..." but I absolutely hate the > cat-pipe combination. I've been known to mark down interviewees who > offer a solution that involves cats and pipes :) > That was just a minimal example to demonstrate t

Re: Forwarded lookup failing on no valid RRSIG

2020-12-20 Thread Matthew Pounsett
On Fri, 18 Dec 2020 at 18:08, Nicolas Bock wrote: > Thanks Mark. Am I correct then that I need to either convince the > administrator of that DNS to enable DNSSEC or configure my DNS with > `dnssec-validation = no`? > The upstream administrator isn't required to be validating DNSSEC for this to

Broken signatures on packages.sury.org

2021-03-17 Thread Matthew Pounsett
Beginning today, I'm seeing the following errors on systems that use the ISC Debian packages: Err:5 https://packages.sury.org/bind buster InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key I haven't seen any official word from ISC tha

Re: Getting the name of responding server(s)

2021-09-07 Thread Matthew Pounsett
On Tue, 7 Sept 2021 at 03:45, Stephane Bortzmeyer wrote: > The only solution is chasing the delegations from the root (which is > what dig +trace is doing). Caching speeds it, this is why it is > better to go through your resolver than using dig +trace. Yeah, you can pretty reliably get the answ

Re: Only one DS key comes back in query

2022-05-18 Thread Matthew Pounsett
On Mon, May 16, 2022 at 2:41 PM frank picabia wrote: > I've been using open source for decades. Long enough that I rarely need > to use lists for help. > > Here's the RFC mentioning reserved domain name use: > https://www.rfc-editor.org/rfc/rfc2606.html > Those reservations are for testing and

Re: bind-dlz and %client% token

2008-11-27 Thread Matthew Pounsett
On 27-Nov-2008, at 11:50 , Jakub Heichman wrote: Hello all, I'm looking to implement a DNS server based on bind-dlz with a mysql backend that would allow me to give different DNS responses based on clients' IP addresses. The closest match to this in BIND currently is views. If you've got

Re: setup default DNS server with only one record

2008-12-11 Thread Matthew Pounsett
On 11-Dec-2008, at 04:08 , Chris Henderson wrote: I am trying to set up a default DNS server for one of my restricted network segments so that no matter what people type in their browser, they will be redirected to a single IP address or hostname. The zone file that I have set up is partially

Re: Conflicting glue records?

2009-01-08 Thread Matthew Pounsett
On 08-Jan-2009, at 03:41 , Dawn Connelly wrote: Right, but his question was regarding the host record for the name server. You tell the registrar the name and IP address of the name servers that are authoritative for the domain. The registrar then pushes those glue records to the root servers.

Re: unwanted delegations was: What to do about openDNS

2009-01-20 Thread Matthew Pounsett
On 20-Jan-2009, at 21:24 , Danny Thomas wrote: Scott Haneda wrote: I brought this up a few months back. For me, it is getting worse, and I am not able to come up with a solution. I have many clients who reg domains. They all point to my NS. Sometimes, the client lapses hosting with me,

Re: unwanted delegations was: What to do about openDNS

2009-01-21 Thread Matthew Pounsett
On 21-Jan-2009, at 03:23 , Scott Haneda wrote: On Jan 20, 2009, at 6:42 PM, Matthew Pounsett wrote: Registries that implement host records (so, at least the gTLDs) could accept the word of the registrant of the zone that contains a name server (or the word of their registrar on their

Re: allow-query-cache and resolution time

2009-01-22 Thread Matthew Pounsett
On 22-Jan-2009, at 16:00 , LENA MATUSOVSKAYA, BLOOMBERG/ 731 LEXIN wrote: Hello, Thank you for answering my question yesterday. I have a new question about allow-query-cache and its effect on a DNS server's response resolution time. allow-query-cache "specifies which hosts are allowed t

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

2009-01-25 Thread Matthew Pounsett
On 25-Jan-2009, at 03:44 , Al Stu wrote: "When a domain name associated with an MX RR is looked up and the associated data field obtained, the data field of that response MUST contain a domain name.That domain name, when queried, MUST return at least one address record (e.g., A or

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

2009-01-25 Thread Matthew Pounsett
On 25-Jan-2009, at 12:41 , Al Stu wrote: "That domain name, when queried, MUST return at least one address record (e.g., A or RR) that gives the IP address of the SMTP server to which the message should be directed." @ 1800 IN A 1.2.3.4 srv1 1800 IN A 1.2.3.4 mx 1800 IN CNAME blah.xyz

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

2009-01-25 Thread Matthew Pounsett
On 25-Jan-2009, at 13:15 , Al Stu wrote: Yes, blah was supposed to be srv1. I do receive both the CNAME and A records for the A mx.xyz.com query. See attached capture file. In the capture file three global search and replacements were performed to match the previous example. 1) domain

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

2009-01-25 Thread Matthew Pounsett
On 25-Jan-2009, at 23:06 , Barry Margolin wrote: In article , Matthew Pounsett wrote: In the example above, when I query for "IN A mx.xyz.com?" I do not get an address record back (A, )..instead I get a CNAME record. Requirements NOT met. Then there's something

Re: Forcing a secondary update...

2009-01-26 Thread Matthew Pounsett
On 26-Jan-2009, at 17:50, Jeff Justice wrote: Without getting into how I managed to accomplish this, I have wound up with a secondary DNS that has incorrect information in it but the serial numbers are the same as on the master. So, my question is: how can I get the secondary to sync up?

Re: What are these entries in the log file - " query: . IN NS +"?

2009-01-26 Thread Matthew Pounsett
On 26-Jan-2009, at 23:03, Tony Toews [MVP] wrote: Ah, I think I see what is happening here. Searching at the below article for 63.217.28.226 http://tech.slashdot.org/tech/09/01/24/0113210.shtml shows a reply stating: "The problem seems to kick in for DNS servers that arent rejecting th

Re: my DNS not resolving

2009-01-29 Thread Matthew Pounsett
On 29-Jan-2009, at 13:49, S. Jeff Cold wrote: BIND List, I have a server running OpenSuse 11.1 with BIND 9.5.0P2-18.1. This server has a dedicated IP address from my ISP. I want this server to resolve my registered domain jatec.us. The server has internet connectivity. If I dig j

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

2009-01-31 Thread Matthew Pounsett
On 31-Jan-2009, at 13:18, Al Stu wrote: And what business of yours would it be if I did? That is pretty much the point here. What business is it of yours, ISC, or anyone else if I chose to run my DNS with MX's pointing to CNAMES? If it is a "bad" practice, fine so be it. But it has p

Re: A newbies Bind question

2009-01-31 Thread Matthew Pounsett
On 31-Jan-2009, at 13:24, Peter Privat wrote: My question: Is it possible for my friends out there somewhere in cyberspace to also use my DNS server by entering its IP in their DNS settings? So far I haven't managed to make it work. If another computer somewhere out there in the cloud is ente

Re: BIND still will not resolve

2009-02-02 Thread Matthew Pounsett
On 02-Feb-2009, at 14:03, S. Jeff Cold wrote: BIND list, Well, I thought I had this DNS problem licked with my ISP volunteering as a secondary name server, but I guess not. My server still will not resolve my jatec.us domain. Maybe I have something wrong in named.conf or the zone fi

Re: single-character host names

2009-02-25 Thread Matthew Pounsett
On 25-Feb-2009, at 16:46, Mike Bernhardt wrote: So what is the accepted view on this currently? Is there another RFC that has made it OK now? I'm not going to say this definitively, because I'm not certain, but I think 952 may have been updated by a later RFC. Certainly there are sever

Re: single-character host names

2009-02-25 Thread Matthew Pounsett
On 25-Feb-2009, at 17:14, Evan Hunt wrote: Actually, to be lawyerly about it, while RFC952 says you can't have a single-character name, it also defines names as including periods to delimit domain-name components. So, "m.google.com." is really a 13-character name, with a single-character compo

Re: TSIG verify failure

2009-02-28 Thread Matthew Pounsett
On 28-Feb-2009, at 04:11, Jeremie Le Hen wrote: AXFR fails invariably with the following error: "tsig verify failure". Do, by chance, TSIG packets use IP address during encryption? I've been struggling to understand the problem for maybe 8 hours, but I'm clueless now... Any help would be welco

IXFR size limit?

2011-02-14 Thread Matthew Pounsett
Is there, by any chance, a maximum size to the IXFRs BIND will send? I've noticed an upstream server I slave from is being suspiciously consistent in the number of records it sends per IXFR (86,450 plus or minus ~10 records). The upstream server is part of an appliance, but fingerprints as BI

Re: IXFR size limit?

2011-02-14 Thread Matthew Pounsett
On 2011/02/14, at 10:47, Matthew Pounsett wrote: > Is there, by any chance, a maximum size to the IXFRs BIND will send? I've > noticed an upstream server I slave from is being suspiciously consistent in > the number of records it sends per IXFR (86,450 plus or minus ~10 rec

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-19 Thread Matthew Pounsett
While it's possible you have encountered a bug with BIND, it's generally a bad idea to mix recursive and authoritative service in the same process. The RFCs that define the resolution algorithms were never written with mixed service in mind, and there are conflicts that can result in undefined,

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-19 Thread Matthew Pounsett
On 2011-05-20, at 00:35, Carlos Vicente wrote: > That's news to me. What's the failure mode? Does the server return SERVFAIL, > or does it not set the AD flag, or...? It's another undefined condition in the RFCs, and so the outcome is implementation specific. I believe in the case of BIND th

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-19 Thread Matthew Pounsett
On 2011-05-19, at 21:58, Michael Sinatra wrote: > If you're saying that you shouldn't *offer* recursive and authoritative > services on the same box, then I generally agree. If you're saying that you > shouldn't ever prime your cache with a zone, or have a recursive server be a > slave to any

Re: big improvement in BIND9 auth-server startup time

2011-07-15 Thread Matthew Pounsett
On 2011/07/13, at 11:15, Evan Hunt wrote: > > People who operate big authoritative name servers (particularly with > large numbers of small zones, e.g., for domain hosting and parking), > and have had trouble with slow startup, may find this information > useful: > > http://www.isc.org/communit

Re: named-xfer?

2009-04-02 Thread Matthew Pounsett
On 02-Apr-2009, at 18:33, Michelle Konzack wrote: Hello, I have to fetch some zones from but it seems "named-xfer" does not exist any more in bind9. How can I now manually download a zone? dig IN AXFR zone @server > fi

Re: Delegation of DHCP blocks within same server?

2009-05-20 Thread Matthew Pounsett
On 20-May-2009, at 19:03, John Cole wrote: For a concrete example: 10.0.0.0/16 is presently handled by a single zone file. 10.1.3.0/24 is DHCP issued 10.1.4.0/24 is DHCP issued I haven't tested this... but I'm 99% certain that you can simply loa

Re: proving a server doesn't have a zone

2009-06-01 Thread Matthew Pounsett
On 01-Jun-2009, at 15:42, Todd Snyder wrote: I'm sure I'm just having a dumb moment, and that the return codes from dig can give me what I need, but I can't figure it out. Indeed, dig can help you here. Send the server a non-recursive query fo

Re: Dynamic DNS and Slave Servers

2009-06-18 Thread Matthew Pounsett
On 18-Jun-2009, at 14:25, Gregory Hicks wrote: Kevin: I'll bite! What is the difference between a sub*domain* and a sub*zone*? I don't see how you could have the one w/o the other. But that could be because I'm feeling especially slow today.

Re: Glue record miunderstanding

2009-10-01 Thread Matthew Pounsett
On 01-Oct-2009, at 16:03, Scott Haneda wrote: Is it also correct, I only need a NS glue record for the actual NS itself. There does not need to be a glue record for very zone that I am providing DNS for? The only case where glue *must* be pre

Re: Glue record miunderstanding

2009-10-01 Thread Matthew Pounsett
On 01-Oct-2009, at 19:03, Scott Haneda wrote: So I see my NS is listed in the additional section. This to me tells me there is in fact glue, so I should consider the report at http://intodns.com/hostwizard.com to be inaccurate? Yeah, I just r

Re: Nslookup not showng TTL

2009-10-15 Thread Matthew Pounsett
On 15-Oct-2009, at 16:03, John Horne wrote: On Thu, 2009-10-15 at 13:15 -0400, Kevin Darcy wrote: Removing features from nslookup gets us that much closer to KILLING and BURYING it. Forever. So why does the ISC still distribute it? (Although I guess the answer may simply be "because peop

Re: isc.org has signed delegation

2009-10-22 Thread Matthew Pounsett
On 22-Oct-2009, at 01:16, Loren M. Lang wrote: I just noticed that isc.org has a signed delegation from the .org name servers. I am curious what registrar you went through to get this. .org is doing a limited production release of DNSSEC right now, referred to as "Friends & Family." Ther

Re: BIND9 slave

2009-12-07 Thread Matthew Pounsett
On 07-Dec-2009, at 08:37, George wrote: Is there a way to make the slave server automatically get and update any new domains that are added to the master server? This question pops up about once every two months on the list. There are several other discussions on the subject that you could

Re: Is an IPv6-only glue/delegation record a problem in a world of IPv4?

2010-01-11 Thread Matthew Pounsett
On 2010/01/11, at 12:57, Rick Dicaire wrote: > If I understand this correctly, the lack of an ANSWER section for > query would denote there is no ipv6 glue at the TLD? No, that would indicate that the name server you queried is not authoritative for the record you queried about. Glue, by

Re: Is an IPv6-only glue/delegation record a problem in a world of IPv4?

2010-01-11 Thread Matthew Pounsett
On 2010/01/11, at 12:29, Mathew J. Newton wrote: > Specifically, the Dig tool at http://www.kloth.net/services/dig.php seems > unable to resolve my records and I can't help but feel it's a problem at > my end rather than theirs! The problem may be at Kloth.. but at least one of the many possible

Re: Is an IPv6-only glue/delegation record a problem in a world of IPv4?

2010-01-11 Thread Matthew Pounsett
On 2010/01/11, at 14:48, Mathew J. Newton wrote: >> FWIW, at least one of the afilias hosts had the same IPv4 address for >> ns[12].v6ns.org. > >>> ns1.v6ns.org. 86400 IN A 77.103.161.36 >>> ns1.v6ns.org. 86400 IN 2a01:348:133::a1 >>> ns2.v6ns.org.

Re: Is an IPv6-only glue/delegation record a problem in a world of IPv4?

2010-01-11 Thread Matthew Pounsett
On 2010/01/11, at 15:16, Matthew Pounsett wrote: > By contrast, Verisign's servers have long included glue in the ANSWER > section. This is widely considered to be at best suboptimal, and by many (or > most) to be a bug. Verisign has indicated that this behaviour is comin

Re: Notify "storms"

2010-01-20 Thread Matthew Pounsett
On 2010/01/20, at 13:03, Dave Sparro wrote: >> We would like to make this better. >> Can anyone help with ideas on this? Are we missing something obvious? >> > > In that situation I'd consider using CVS on all of the servers to maintain > the DNS data. > Just make all of the servers masters

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-29 Thread Matthew Pounsett
On 2010/03/28, at 18:48, Roy Badami wrote: > configured). The queries are resulting in SERVFAIL, and I'm pretty > sure the failures are DNSSEC-related, as when I've seen problems as > they occur (dig failing from the command line) then repeating the > query with the CD bit allowed it to succeed.

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-29 Thread Matthew Pounsett
On 2010/03/29, at 06:04, Roy Badami wrote: > >> It looks to me like your example, freebsd.org, is insecure. > > Yes, I agree freebsd.org is insecure, but I still want to be able to > resolve it :-) The point was, you should not be getting DNSSEC-related errors from a domain that is not secu

Re: MX records for new additional domain on existing authoritative name servers

2010-03-30 Thread Matthew Pounsett
Hi Karen. Please don't start a new thread by replying to an email in an existing discussion -- your message can get lost in that other discussion, rather than appearing as a new topic for anyone who threads their email. On 2010/03/30, at 16:30, Lear, Karen (Evolver) wrote: > I'm adding a new

Re: Using an MX record from a different domain

2010-03-30 Thread Matthew Pounsett
On 2010/03/30, at 16:57, Lear, Karen (Evolver) wrote: > > I'm adding a new domain to my existing authoritative name servers, and need > to add an MX record for a device residing on existing domain. When I run > named-checkzone, I get a message about the MX record being out of zone and > not

Re: Subdomain delegation only returns SOA on dig

2010-03-30 Thread Matthew Pounsett
On 2010/03/29, at 15:34, Prabhat Rana wrote: > > Hello all, > I'm running BIND 9.6.1-P1 on a Solaris box. This DNS (ns1.spx.net) is > authoritative to domain spx.net (this is just example). And I'm trying to > delegate nse.spx.net to ns1.nse.spx.net. I think I have configured correctly > but

Re: how to read and answer to this mailing list

2010-03-30 Thread Matthew Pounsett
On 2010/03/30, at 19:04, Markus Feldmann wrote: > Warren Kumari schrieb: >> In the footer of every message lurks the following link: >> https://lists.isc.org/mailman/listinfo/bind-users > Yes ... i read this but you can not answer a mail this way. You can answer an email this way. I'm not sure

Re: how to read and answer to this mailing list

2010-04-01 Thread Matthew Pounsett
On 2010/03/31, at 04:08, Markus Feldmann wrote: > Matthew Pounsett schrieb: >> On 2010/03/30, at 19:04, Markus Feldmann wrote: >>> Warren Kumari schrieb: >>>> In the footer of every message lurks the following link: >>>> https://lists.isc.org/mailman/l

Re: Load Balancer for DNS

2010-04-05 Thread Matthew Pounsett
On 2010/04/05, at 02:06, sasa sasa wrote: > Hello everyone, > > Any one used any load balancer for DNSs? any recommendation? it's 2 > caching-only DNSs, and I'd like to make a load balance between them using > software. Unless you're willing to spend a lot of money, load balancers are general

Re: dig +trace = Bad Referral or Bad Horizontal referral

2016-09-20 Thread Matthew Pounsett
On 16 September 2016 at 11:12, project722 wrote: > I have an interesting problem. I started noticing that when I do a dig > +trace against one of the domains we are authoritative for, we get errors > from our nameservers for "Bad Referral" and you can see where it forwarded > the request back up

Re: dig +trace = Bad Referral or Bad Horizontal referral

2016-09-20 Thread Matthew Pounsett
;re going to have to share details of your configuration. > > On Tue, Sep 20, 2016 at 8:58 AM, Matthew Pounsett > wrote: > >> >> >> On 16 September 2016 at 11:12, project722 wrote: >> >>> I have an interesting problem. I started noticing that when I do a dig >

Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Matthew Pounsett
On 29 September 2016 at 12:02, Tim Daneliuk wrote: > In the dark and dusty reaches of my elderly DNS experience, ISTR a way to > set up A records so that the request to resolve a name returns a *list > of associated IPs*. This is distinct from DNS RR (I think?) which > simply returns a different

Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Matthew Pounsett
On 29 September 2016 at 14:18, Tim Daneliuk wrote: > > What I am stuck on is this: Is there any simple (i.e., non-root) way > to write a client or otherwise configure userspace to go to the > non-standard > port and run my sort of man-in-the-middle server? Or is this just a stupid > idea? > > T

Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Matthew Pounsett
On 29 September 2016 at 15:07, Tim Daneliuk wrote: > > > No, not really. It's for a private cloud microservices system we're > thinking through. We already run most/many of the various service > backends in user space so that the app devs and support folks can control > their own universe witho

Re: acl

2016-10-18 Thread Matthew Pounsett
On 8 October 2016 at 09:57, Pol Hallen wrote: > 192.168.1/24 is not a valid netmask >> > > huh? > In linux and BSD I always use 192.168.1/24 (how shortcut of 192.168.1.0/24) > and so on... You're confusing network configuration with ACL syntax. Where you're using 192.168.1.50/24 in your OS con
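The distinction drawn in the reply above is between a host address carrying its netmask (what an OS interface configuration takes, e.g. 192.168.1.50/24) and a network prefix (what a BIND address_match_list entry expresses, e.g. 192.168.1.0/24). The following is an added illustration, not code from the thread or from BIND: it uses Python's ipaddress module, whose strict network parsing rejects any prefix with host bits set, to tell the two forms apart and to normalise either into the prefix form an ACL entry should carry. The sample entries and the acl name "trusted" are constructed for the example.

```python
import ipaddress

# Constructed sample entries: some are written the way an OS interface
# configuration expects them (host plus mask), some the way an ACL does
# (network prefix). None of these addresses come from the thread.
SAMPLE_ENTRIES = [
    "192.168.1.0/24",    # network prefix: the form an ACL entry wants
    "192.168.1.50/24",   # host address with its netmask: OS interface form
    "10.0.0.0/8",
    "2001:db8::1/64",    # IPv6 host with mask, same problem
    "192.168.1.50",      # bare host, implicitly a /32
]


def classify_entry(entry: str) -> dict:
    """Report whether an entry is a clean network prefix or a host-with-mask.

    ip_network(..., strict=True) raises ValueError when host bits are set
    under the mask, which is exactly what separates 192.168.1.0/24 from
    192.168.1.50/24.
    """
    iface = ipaddress.ip_interface(entry)   # tolerant: accepts host bits
    try:
        ipaddress.ip_network(entry, strict=True)
        kind = "network-prefix"
    except ValueError:
        kind = "host-with-mask"
    return {"entry": entry, "kind": kind, "acl_form": str(iface.network)}


def to_acl_prefix(entry: str) -> str:
    """Turn either form into the network prefix an ACL entry needs.

    A bare host address becomes a /32 (IPv4) or /128 (IPv6) prefix.
    """
    return str(ipaddress.ip_interface(entry).network)


def render_acl(name: str, entries) -> str:
    """Render a named.conf-style acl block from a list of entries.

    Each entry is normalised with to_acl_prefix() first, so a host-with-mask
    entry is emitted as its enclosing network rather than copied verbatim.
    """
    body = "".join(f"\t{to_acl_prefix(e)};\n" for e in entries)
    return f"acl {name} {{\n{body}}};\n"


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(classify_entry(e))
    print(render_acl("trusted", SAMPLE_ENTRIES))
```

The normalisation step is deliberate: silently widening 192.168.1.50/24 to 192.168.1.0/24 grants the whole subnet, so when building an ACL from a list that was written for interface configuration, review the output of classify_entry() before trusting render_acl().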

Re: Wildcard SRV record?

2016-10-31 Thread Matthew Pounsett
On 31 October 2016 at 12:35, Stephen Pape wrote: > Is there a better way for me to do this, or do I have to generate a > whole lot of specific CNAME records? > If your subdomains follow a predictable pattern, then this seems like a prime use of the $GENERATE statement. You could either use it t
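$GENERATE is a BIND zone-file extension that expands one directive into a numbered series of records, which is why it suits subdomains that follow a predictable pattern. To show what named produces from such a line, here is an added, simplified expander written for this page; it is not BIND's own code. It handles the common subset of the syntax (a start-stop[/step] range, the bare $ iterator, $$ for a literal dollar sign, and the ${offset,width,radix} modifier with d/o/x/X radixes, a numeric TTL and an optional class) and assumes the rest of the directive is well formed. The sample directives below are constructed for the example.

```python
import re

# $$ -> literal "$"; ${offset[,width[,radix]]} -> formatted iterator; $ -> iterator.
# Order matters: the bare "$" alternative must be tried last.
_TOKEN = re.compile(r"\$\$|\$\{(-?\d+)(?:,(\d*)(?:,([doxX]))?)?\}|\$")


def _substitute(template: str, i: int) -> str:
    """Replace $GENERATE iterator tokens in one field with the value for i."""
    def repl(m):
        tok = m.group(0)
        if tok == "$$":
            return "$"
        if tok == "$":
            return str(i)
        offset = int(m.group(1))
        width = int(m.group(2)) if m.group(2) else 0
        radix = m.group(3) or "d"
        spec = (f"0{width}" if width else "") + radix   # zero-padded to width
        return format(i + offset, spec)
    return _TOKEN.sub(repl, template)


def expand_generate(line: str) -> list:
    """Expand one $GENERATE directive into the list of records it stands for.

    Syntax handled: $GENERATE range lhs [ttl] [class] type rhs
    Assumptions (this example, not BIND): range is start-stop[/step] with
    non-negative integers, TTL is a plain integer, class is IN/CH/HS.
    """
    fields = line.split()
    if len(fields) < 5 or fields[0] != "$GENERATE":
        raise ValueError("not a $GENERATE directive: %r" % line)
    rng, lhs, rest = fields[1], fields[2], fields[3:]

    ttl = rest.pop(0) if rest[0].isdigit() else None
    rclass = rest.pop(0) if rest[0].upper() in ("IN", "CH", "HS") else None
    rtype = rest.pop(0)
    rhs = " ".join(rest)                     # SRV and the like have several tokens

    start_stop, _, step = rng.partition("/")
    start, stop = (int(x) for x in start_stop.split("-"))
    step = int(step) if step else 1

    records = []
    for i in range(start, stop + 1, step):
        parts = [_substitute(lhs, i)]
        if ttl:
            parts.append(ttl)
        if rclass:
            parts.append(rclass)
        parts.append(rtype)
        parts.append(_substitute(rhs, i))
        records.append(" ".join(parts))
    return records


# Constructed directives illustrating the two approaches the reply alludes to:
# generating per-subdomain CNAMEs to one SRV owner, or generating the SRV
# records themselves with a patterned target.
SAMPLE_CNAME = "$GENERATE 1-3 _sip._tcp.site$ CNAME _sip._tcp.example.com."
SAMPLE_SRV = "$GENERATE 1-3 _sip._tcp.site${0,2,d} 3600 IN SRV 0 5 5060 sip${0,2,d}.example.com."

if __name__ == "__main__":
    for directive in (SAMPLE_CNAME, SAMPLE_SRV):
        print(directive)
        for rec in expand_generate(directive):
            print("   ", rec)
```

Because every generated owner name is a real record in the zone, a large range materialises a large number of RRs in memory and in AXFR; pick the range to match the subdomains that actually exist rather than reaching for a generous upper bound.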
