Re: queries with no RD bit set are truncating
Kevin, this server is totally non-recursive. Neither recursion option is enabled and the packet size does not exceed 512 bytes. Maybe it was some temporary bug due to mysterious causes. Below I post the full sniffer output for both queries:

No.  Time      Source          Destination     Protocol  Info
1    0.00      193.110.129.66  194.85.61.20    DNS       Standard query MX lbr.ru

Frame 1 (66 bytes on wire, 66 bytes captured)
    Arrival Time: Jun 9, 2009 10:21:34.40548
    [Time delta from previous captured frame: 0.0 seconds]
    [Time delta from previous displayed frame: 0.0 seconds]
    [Time since reference or first frame: 0.0 seconds]
    Frame Number: 1
    Frame Length: 66 bytes
    Capture Length: 66 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Intel_db:50:96 (00:0e:0c:db:50:96), Dst: All-HSRP-routers_c7 (00:00:0c:07:ac:c7)
    Destination: All-HSRP-routers_c7 (00:00:0c:07:ac:c7)
        Address: All-HSRP-routers_c7 (00:00:0c:07:ac:c7)
        ...0 = IG bit: Individual address (unicast)
        ..0. = LG bit: Globally unique address (factory default)
    Source: Intel_db:50:96 (00:0e:0c:db:50:96)
        Address: Intel_db:50:96 (00:0e:0c:db:50:96)
        ...0 = IG bit: Individual address (unicast)
        ..0. = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 193.110.129.66 (193.110.129.66), Dst: 194.85.61.20 (194.85.61.20)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        00.. = Differentiated Services Codepoint: Default (0x00)
        ..0. = ECN-Capable Transport (ECT): 0
        ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0x7b9b (31643)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 126
    Protocol: UDP (0x11)
    Header checksum: 0x7f03 [correct]
        [Good: True]
        [Bad : False]
    Source: 193.110.129.66 (193.110.129.66)
    Destination: 194.85.61.20 (194.85.61.20)
User Datagram Protocol, Src Port: 11173 (11173), Dst Port: domain (53)
    Source port: 11173 (11173)
    Destination port: domain (53)
    Length: 32
    Checksum: 0xec71 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Domain Name System (query)
    [Response In: 2]
    Transaction ID: 0xc7e5
    Flags: 0x (Standard query)
        0... = Response: Message is a query
        .000 0... = Opcode: Standard query (0)
        ..0. = Truncated: Message is not truncated
        ...0 = Recursion desired: Don't do query recursively
        .0.. = Z: reserved (0)
        ...0 = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        lbr.ru: type MX, class IN
            Name: lbr.ru
            Type: MX (Mail exchange)
            Class: IN (0x0001)

No.  Time      Source          Destination     Protocol  Info
2    0.034553  194.85.61.20    193.110.129.66  DNS       Standard query response

Frame 2 (66 bytes on wire, 66 bytes captured)
    Arrival Time: Jun 9, 2009 10:21:34.440033000
    [Time delta from previous captured frame: 0.034553000 seconds]
    [Time delta from previous displayed frame: 0.034553000 seconds]
    [Time since reference or first frame: 0.034553000 seconds]
    Frame Number: 2
    Frame Length: 66 bytes
    Capture Length: 66 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Cisco_ff:e0:1b (00:0b:bf:ff:e0:1b), Dst: Intel_db:50:96 (00:0e:0c:db:50:96)
    Destination: Intel_db:50:96 (00:0e:0c:db:50:96)
        Address: Intel_db:50:96 (00:0e:0c:db:50:96)
        ...0 = IG bit: Individual address (unicast)
        ..0. = LG bit: Globally unique address (factory default)
    Source: Cisco_ff:e0:1b (00:0b:bf:ff:e0:1b)
        Address: Cisco_ff:e0:1b (00:0b:bf:ff:e0:1b)
        ...0 = IG bit: Individual address (unicast)
        ..0. = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 194.85.61.20 (194.85.61.20), Dst: 193.110.129.66 (193.110.129.66)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        00.. = Differentiated Services Codepoint: Default (0x00)
        ..0. = ECN-Capable Transport (ECT): 0
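To make the header fields in the capture above concrete, here is an added example (not code from the poster or from BIND) that rebuilds the 24-byte MX query for lbr.ru with transaction ID 0xc7e5 and the RD bit clear, decodes the flag bits the way the dissector shows them, and implements the rule a UDP responder applies when deciding whether a reply must carry the TC bit. The 512-byte limit is the RFC 1035 figure for a client that sends no EDNS OPT record; the oversized reply used to exercise truncation is constructed, not taken from the capture.

```python
"""Encode and decode DNS messages at the wire level (RFC 1035).

Added example, not code from the original post.  It rebuilds the MX query for
lbr.ru seen in the capture (ID 0xc7e5, RD clear) and shows how a responder
decides whether a UDP reply has to be truncated.
"""
import struct
from typing import Dict, Tuple

TYPE_MX = 15
CLASS_IN = 1
MAX_UDP_PAYLOAD = 512          # RFC 1035 limit when the client sends no EDNS OPT record
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue                       # "." (the root) has no labels at all
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    if len(out) + 1 > 255:
        raise ValueError("name longer than 255 octets")
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int, rd: bool = False) -> bytes:
    """Standard query: header with QR=0, opcode 0, RD only if asked for, one question."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg: bytes) -> Dict[str, int]:
    """Split the 12-byte header into its fields (bit layout: RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name, following compression pointers; returns (name, offset after it)."""
    labels, end, jumped, seen = [], offset, False, set()
    while True:
        if offset in seen:
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_question(msg: bytes) -> Tuple[str, int, int]:
    """Return (qname, qtype, qclass) of the first question."""
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass


def truncate_for_udp(msg: bytes, max_payload: int = MAX_UDP_PAYLOAD) -> bytes:
    """What a UDP responder does with an oversized reply: keep header and question,
    drop the other sections, zero their counts and set TC so the client retries over
    TCP.  A reply that fits (any 66-byte frame does) is returned unchanged."""
    if len(msg) <= max_payload:
        return msg
    _, off = decode_name(msg, 12)
    txid, flags, qd = struct.unpack("!HHH", msg[:6])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0)
    return header + msg[12:off + 4]
```

The rebuilt query is 24 bytes, which matches the UDP length of 32 in frame 1 once the 8-byte UDP header is subtracted; the only thing that makes a responder set TC is the size of its own reply, not whether RD was set on the query.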
Re: Validating a DNSSEC installation
On Jun 15 2009, Chris Buxton wrote:

> On Jun 13, 2009, at 4:59 AM, Erik Lotspeich wrote:
>
>> Is it normal that a validating resolver can't validate a domain it is
>> authoritative for?
>
> Absolutely. As Alan Clegg wrote not long ago on this list,

You presumably refer to
https://lists.isc.org/pipermail/bind-users/2009-January/074760.html
which I *suppose* counts as not long ago ... :-)

> this is why a DNSSEC validating resolver should not be authoritative for
> any signed zones.

This seems too strong to me. There are lots of good reasons why one may want a resolver to stealth slave local (possibly signed) zones, and thus be authoritative for them. However, it is certainly the case that because no other validation is performed on these zones, they should be fetched by secure means, e.g. TSIG-signed transfers from trusted master servers.

-- 
Chris Thompson
Email: c...@cam.ac.uk

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Questions about DNAME records
Chris Buxton wrote:

> On Jun 15, 2009, at 2:37 AM, Braebaum, Neil wrote:
>
> Now, ignoring that invalid www record, the zone above has an apex
> (example.com itself) and then essentially infinite ghostly children. Any
> valid query that lands in that domain (i.e. the qname ends in example.com)
> but is not for example.com itself will be answered by a synthetic CNAME
> record, like this:
>
> qname.example.com.  CNAME  qname.example2.com.
>
> If that alias points to a valid name in example2.com, then the query is
> answered positively. If it points to a CNAME record in the example2.com
> domain, then you have a CNAME chain (an alias of an alias of a third,
> referenced name), which then causes resolution to continue with the
> referenced name. (Is this what you meant by forwarding?)

Don't forget that the DNAME record is also included in the answer as well as the synthesized CNAME record(s). I say records since DNAME chains are possible here too (though not recommended of course).

Regards,
Mike

-- 
Michael Milligan - mi...@acmeps.com
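The substitution rule Chris describes, and Mike's point that the DNAME itself travels in the answer alongside the synthesized CNAME(s), can be shown in a few lines. The block below is an added example, not code from either poster or from BIND: it implements DNAME substitution as RFC 6672 specifies it (label-wise match below the DNAME owner, the owner name itself is never rewritten, the result must still fit in 255 wire octets), builds the answer section for a query, and follows DNAME chains with a loop guard. example.com and example2.com are the names from the thread; example3.net, the loop zones under .example and the TTLs are made up for the demonstration.

```python
"""DNAME substitution and CNAME synthesis as described in RFC 6672.

Added example, not code from the original message.  example.com / example2.com
come from the thread; example3.net and the TTLs are invented for the chain demo.
"""
from typing import Dict, List, Optional, Tuple


class NameTooLong(Exception):
    """Substitution produced a name over 255 wire octets; a server answers YXDOMAIN."""


def labels(name: str) -> List[str]:
    """Split a name into labels; the root "." is the empty list."""
    return [l for l in name.rstrip(".").split(".") if l]


def is_proper_subdomain(qname: str, owner: str) -> bool:
    """True when qname lies below owner (label-wise, case-insensitive) but is not
    owner itself: the DNAME owner answers for itself normally, only names below it
    are rewritten.  A plain string suffix test would wrongly match notexample.com."""
    q, o = labels(qname), labels(owner)
    if len(q) <= len(o):
        return False
    return [l.lower() for l in q[len(q) - len(o):]] == [l.lower() for l in o]


def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """Replace the owner suffix of qname with target, keeping the prefix labels as sent."""
    if not is_proper_subdomain(qname, owner):
        return None
    q = labels(qname)
    new_labels = q[: len(q) - len(labels(owner))] + labels(target)
    wire_len = sum(len(l) + 1 for l in new_labels) + 1      # length byte per label + root
    if wire_len > 255:
        raise NameTooLong(".".join(new_labels))
    return ".".join(new_labels) + "."


RR = Tuple[str, int, str, str]           # (owner, ttl, type, rdata)
DnameTable = Dict[str, Tuple[str, int]]  # DNAME owner -> (target, ttl)


def synthesize_answer(qname: str, dnames: DnameTable, max_depth: int = 8) -> List[RR]:
    """Answer section for qname: every DNAME that applies, each followed by the CNAME
    synthesized from it (RFC 6672 gives that CNAME the DNAME's TTL).  Chains are
    followed until no DNAME applies; a repeated name or max_depth stops the walk."""
    answer: List[RR] = []
    name, seen = qname, set()
    for _ in range(max_depth):
        if name.lower() in seen:           # DNAME loop: stop instead of spinning
            break
        seen.add(name.lower())
        # longest (most specific) DNAME owner that encloses the current name wins
        owner = next((o for o in sorted(dnames, key=lambda o: -len(labels(o)))
                      if is_proper_subdomain(name, o)), None)
        if owner is None:
            break
        target, ttl = dnames[owner]
        new_name = dname_substitute(name, owner, target)
        answer.append((owner, ttl, "DNAME", target))
        answer.append((name, ttl, "CNAME", new_name))
        name = new_name
    return answer
```

A query for www.example.com. against a table where example.com. has a DNAME to example2.com. and example2.com. in turn has a DNAME to example3.net. yields four records (DNAME, CNAME, DNAME, CNAME), which is exactly the "DNAME chain" Mike mentions; a query for example.com. itself yields none, since the apex is answered from its own data.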
DNSDigger.com - An announcement and request for feature tips.
DNSDigger.com - A massive reverse resolver that lets you dig deeper into the Net.

DNSDigger.com is a service that lets you get more information about a domain name. It can show you what other domain names are hosted on a server. For example, that information can be valuable data for a hosting company that wants to estimate how many customers a competitor has, or to see what other domains are hosted on a shared server and estimate the likelihood of that server being DDoSed.

I am posting this to the Bind mailing list for two reasons.
1. To announce a relevant service (relevant to DNS)
2. To ask you for feature requests.

I hope you don't get too pissed off ;)
RE: DNSDigger.com - An announcement and request for feature tips.
Sounds interesting. How is it different than these?:

http://whois.webhosting.info
http://www.domaintools.com/reverse-ip/

Frank

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jay Ess
Sent: Tuesday, June 16, 2009 7:19 PM
To: bind-us...@isc.org
Subject: DNSDigger.com - An announcement and request for feature tips.

DNSDigger.com - A massive reverse resolver that lets you dig deeper into the Net.

DNSDigger.com is a service that lets you get more information about a domain name. It can show you what other domain names are hosted on a server. For example, that information can be valuable data for a hosting company that wants to estimate how many customers a competitor has, or to see what other domains are hosted on a shared server and estimate the likelihood of that server being DDoSed.

I am posting this to the Bind mailing list for two reasons.
1. To announce a relevant service (relevant to DNS)
2. To ask you for feature requests.

I hope you don't get too pissed off ;)
dynamic dns updates from cisco router dhcp
Hello,

I have set up dynamic DNS updates from a Cisco router which is handing out DHCP addresses. In the debugs I'm getting messages that say REFUSED and SERVFAIL when trying to do a dynamic update. I'm unsure as to where the problem lies, but I think it might have to do with the security on the BIND server. I have added the networks to the zone via the allow-update option, but whatever I try I still get the REFUSED error on the router.

Here is my config (named.conf needs its file names, directory and zone names in double quotes; they are quoted here as named expects them):

acl ecs { 172.16.56.0/21; };
acl home { 192.168.75.229; };
acl slaves { 172.16.200.151; 192.168.75.115; };

options {
    directory "/etc";
    pid-file "/var/run/named/named.pid";
    forwarders { 142.161.130.155; 142.161.2.155; };
    notify yes;
    allow-recursion { 172.16.0.0/16; 192.168.75.0/24; };
    query-source address 172.16.200.150;
    sortlist {
        { 192.168.75/24; { 172.16.88/21; }; };
        { 172.16.56/21; { 172.16.56/21; }; };
    };
};

zone "16.172.in-addr.arpa" {
    type master;
    file "/var/named/172.16.rev";
    notify yes;
    also-notify { 172.16.200.151; 172.16.56.250; };
};

zone "tech.net" {
    type master;
    file "/var/named/tech.net.hosts";
    notify yes;
    also-notify { 172.16.200.151; 172.16.56.250; };
};

zone "me.net" {
    type master;
    file "/var/named/me.net.hosts";
    also-notify { 172.16.200.151; 192.168.75.115; };
    notify yes;
};

zone "." {
    type hint;
    file "/var/named/root.db";
};

zone "168.192.in-addr.arpa" {
    type master;
    file "/var/named/192.168.rev";
};

zone "ecs.net" {
    type master;
    file "/var/named/ecs.net.hosts";
};

zone "me.com" {
    type master;
    file "/var/named/me.com.hosts";
};

zone "dan.net" {
    type master;
    file "/var/named/dan.net.hosts";
    allow-update { 192.168.75.1; 172.16.56.111; 192.168.75.31; };
};

controls { };

The zone I'm trying to send dynamic updates to is the last one.

Thanks,
Dan.
Re: DNSDigger.com - An announcement and request for feature tips.
Can DNSdigger see .GOD? What about .SATAN? Does DNSdigger see the Peking University on the China National TLD DNS? What happens if I ask it a question on the domain 北京大学.中国 or the equivalent ASCII IDN of xn--1lq90ic7fzpc.xn--fiqs8s ?

Well, I tried digger. I know it does not speak Chinese: Peking University at 北京大学.中国 does not resolve. Nor does the ASCII xn--1lq90ic7fzpc.xn--fiqs8s resolve - so we can assume digger can't yet see China. That's unfortunate. Until digger can see China - it sure won't see .GOD and .SATAN.

But that fault aside - I like digger. I'll use it - so sad it has limited vision of the name space. But I'm sure it will improve.

cheers
joe baptista - that's one recommended bookmark ;)

On Tue, Jun 16, 2009 at 8:19 PM, Jay Ess li...@netrogenic.com wrote:

> DNSDigger.com - A massive reverse resolver that lets you dig deeper into the Net.
>
> DNSDigger.com is a service that lets you get more information about a domain
> name. It can show you what other domain names are hosted on a server. For
> example, that information can be valuable data for a hosting company that
> wants to estimate how many customers a competitor has, or to see what other
> domains are hosted on a shared server and estimate the likelihood of that
> server being DDoSed.
>
> I am posting this to the Bind mailing list for two reasons.
> 1. To announce a relevant service (relevant to DNS)
> 2. To ask you for feature requests.
>
> I hope you don't get too pissed off ;)

-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
The future of the Internet is Open, Transparent, Inclusive, Representative Accountable to the Internet community @large.
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
Personal: www.joebaptista.wordpress.com
create journal file: permission denied
Hello,

I'm trying to set up DDNS and the log file is showing that it cannot create the journal file:

16-Jun-2009 22:03:30.145 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': error: journal open failed: unexpected error
16-Jun-2009 22:03:30.211 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': deleting rrset at 'none.dan.net' A
16-Jun-2009 22:03:30.212 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': adding an RR at 'none.dan.net' A
16-Jun-2009 22:03:30.212 general: info: journal file /var/named/dan.net/dan.net.hosts.jnl does not exist, creating it
16-Jun-2009 22:03:30.218 general: error: /var/named/dan.net/dan.net.hosts.jnl: create: permission denied
16-Jun-2009 22:03:30.218 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': error: journal open failed: unexpected error

I have tried moving the zone into its own directory and giving the named user full rights to it, but it is still unable to create the file. Is there anything else I can try?

Thanks,
Dan.
Re: create journal file: permission denied
In message dcbb85870906162115j19aaef94q2b0fa8ae6ac9...@mail.gmail.com, Dan Letkeman writes:

> Hello,
>
> I'm trying to set up DDNS and the log file is showing that it cannot create the journal file:
>
> 16-Jun-2009 22:03:30.145 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': error: journal open failed: unexpected error
> 16-Jun-2009 22:03:30.211 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': deleting rrset at 'none.dan.net' A
> 16-Jun-2009 22:03:30.212 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': adding an RR at 'none.dan.net' A
> 16-Jun-2009 22:03:30.212 general: info: journal file /var/named/dan.net/dan.net.hosts.jnl does not exist, creating it
> 16-Jun-2009 22:03:30.218 general: error: /var/named/dan.net/dan.net.hosts.jnl: create: permission denied
> 16-Jun-2009 22:03:30.218 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': error: journal open failed: unexpected error
>
> I have tried moving the zone into its own directory and giving the named user full rights to it, but it is still unable to create the file. Is there anything else I can try?

/var/named/dan.net needs to be writable by named.

If you are using a Linux box you may also need to ensure that SELinux is properly configured to allow the write. See the FAQ for how to do this.

Mark

> Thanks,
> Dan.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
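Mark's diagnosis can be read straight out of the log, because BIND logs the failing path on a separate general-category line that does not name the zone or client. The block below is an added example (not code from the thread or from BIND) that parses the default "timestamp category: severity: message" log format, attributes a "create: permission denied" error to the update that triggered it, counts "journal open failed" per zone, and derives the directory that has to be writable by the named user. The sample log text is the set of lines Dan posted; the regular expressions and the wording of the check are this example's own.

```python
"""Triage BIND dynamic-update log lines for journal problems.

Added example, not from the thread.  SAMPLE_LOG holds the lines posted above;
the detection rules and the suggested check are this example's own.
"""
import os
import re
from typing import Dict, List, Optional

# BIND default channel format: "16-Jun-2009 22:03:30.145 update: info: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<msg>.*)$")
UPDATE_RE = re.compile(
    r"^client (?P<client>\S+): updating zone '(?P<zone>[^']+)': (?P<detail>.*)$")
CREATE_FAIL_RE = re.compile(r"^(?P<path>\S+): create: (?P<reason>.+)$")

SAMPLE_LOG = """\
16-Jun-2009 22:03:30.145 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': error: journal open failed: unexpected error
16-Jun-2009 22:03:30.211 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': deleting rrset at 'none.dan.net' A
16-Jun-2009 22:03:30.212 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': adding an RR at 'none.dan.net' A
16-Jun-2009 22:03:30.212 general: info: journal file /var/named/dan.net/dan.net.hosts.jnl does not exist, creating it
16-Jun-2009 22:03:30.218 general: error: /var/named/dan.net/dan.net.hosts.jnl: create: permission denied
16-Jun-2009 22:03:30.218 update: info: client 172.16.56.111#63970: updating zone 'dan.net/IN': error: journal open failed: unexpected error
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into timestamp, category, severity and message, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str) -> Dict[str, object]:
    """Walk the log in order.  A 'create: <reason>' error from the general category
    is attributed to the zone and client of the most recent update line, since BIND
    does not repeat them there; 'journal open failed' is counted per zone."""
    findings: List[Dict[str, str]] = []
    open_failed: Dict[str, int] = {}
    last_update: Dict[str, str] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        upd = UPDATE_RE.match(rec["msg"])
        if upd:
            last_update = upd.groupdict()
            if "journal open failed" in upd["detail"]:
                open_failed[upd["zone"]] = open_failed.get(upd["zone"], 0) + 1
            continue
        fail = CREATE_FAIL_RE.match(rec["msg"])
        if fail and rec["severity"] == "error":
            journal_dir = os.path.dirname(fail["path"])
            findings.append({
                "time": rec["ts"],
                "zone": last_update.get("zone", "?"),
                "client": last_update.get("client", "?"),
                "path": fail["path"],
                "reason": fail["reason"],
                # the journal is created next to the zone file, so its directory is
                # what needs write permission for named (and an SELinux label that
                # allows it on a Linux host)
                "check": "directory %s must be writable by the named user" % journal_dir,
            })
    return {"findings": findings, "journal_open_failed": open_failed}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print(f["time"], f["zone"], f["client"], f["reason"], "->", f["check"])
```

Run against the posted lines it reports one finding for dan.net/IN from client 172.16.56.111#63970 with the check pointing at /var/named/dan.net, and two "journal open failed" counts for that zone, one from the attempt before the journal creation and one after it failed.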