Re: problem for validate the script dnssec to isc dlv
> dns appear as my syncro. yet I'm still at the same point missing keys

Your delegation for the domain fakessh.eu doesn't seem to be 100% correct yet though.

If I ask the nameservers for .eu (like p.nic.eu) it tells me your domain belongs to 4 nameservers:
ns0.xname.org
ns1.xname.org
ns1.novacrea.fr
r13151.ovh.net

If I ask the first one on that list, ns0.xname.org, it tells me you only have 3 nameservers:
ns1.xname.org
ns1.novacrea.fra
r13151.ovh.net

If I try to get a reply from ns1.xname.org it just goes into timeout here:

[eivind@vimes ~]$ dig +dnssec ns fakessh.eu @ns1.xname.org
; <<>> DiG 9.6-ESV-R3 <<>> +dnssec ns fakessh.eu @ns1.xname.org
;; global options: +cmd
;; connection timed out; no servers could be reached
[eivind@vimes ~]$

If I try to get a reply from r13151.ovh.net I just get a servfail:

[eivind@vimes ~]$ dig +dnssec ns fakessh.eu @r13151.ovh.net
; <<>> DiG 9.6-ESV-R3 <<>> +dnssec ns fakessh.eu @r13151.ovh.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53023
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fakessh.eu.			IN	NS

;; Query time: 55 msec
;; SERVER: 87.98.186.232#53(87.98.186.232)
;; WHEN: Mon Mar 28 10:02:33 2011
;; MSG SIZE  rcvd: 39

Regards
Eivind Olsen
eiv...@aminor.no

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
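The check Eivind performs by hand above (parent NS set versus what each listed server says, with timeouts and SERVFAILs noted), written up as an added Python example that is not part of his mail or of BIND. It parses dig text of the shape quoted above and reports, per nameserver the parent lists, a missing response, a non-NOERROR status, a missing aa flag, or an NS set that disagrees with the parent; the responses are constructed to mirror the thread.

```python
import re

# Constructed inputs modelled on the dig output quoted above (not the page's
# own captures): the NS set the .eu servers return for the zone, and what each
# child nameserver answered (None = timed out; absent = never queried).
PARENT_NS = {"ns0.xname.org", "ns1.xname.org", "ns1.novacrea.fr", "r13151.ovh.net"}
CHILD_ANSWERS = {
    "ns0.xname.org": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
fakessh.eu.\t3600\tIN\tNS\tns1.xname.org.
fakessh.eu.\t3600\tIN\tNS\tns1.novacrea.fra.
fakessh.eu.\t3600\tIN\tNS\tr13151.ovh.net.
""",
    "ns1.xname.org": None,
    "r13151.ovh.net": """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53023
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
""",
}


def parse_dig(text):
    """Pull status, header flags and the set of NS targets out of one dig response."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([^;]*);", text).group(1).split())
    ns = {m.group(1) for m in
          re.finditer(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)\.$", text, re.M)}
    return status, flags, ns


def check_delegation(parent_ns, child_answers):
    """One finding per nameserver that does not agree with the parent delegation."""
    findings = []
    for server in sorted(parent_ns):
        text = child_answers.get(server)
        if text is None:
            findings.append(f"{server}: no response (timeout or not queried)")
            continue
        status, flags, ns = parse_dig(text)
        if status != "NOERROR":
            findings.append(f"{server}: {status}")
            continue
        if "aa" not in flags:  # a cache, or a server not configured for the zone
            findings.append(f"{server}: answer not authoritative (no aa flag)")
        if ns != parent_ns:
            findings.append(f"{server}: NS set differs from parent, missing "
                            f"{sorted(parent_ns - ns)}, extra {sorted(ns - parent_ns)}")
    return findings
```

Run `check_delegation(PARENT_NS, CHILD_ANSWERS)` to get the four findings this thread's data produces; to use it on a live zone, feed it the text of real `dig +norec ns <zone> @<server>` runs.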
can I set the second nameserver to a public dns cache?
Hello,

I have only one nameserver for a domain. Can I set the second nameserver for this domain to a public DNS cache? For example:

abc.com.      IN NS ns1.abc.com.
abc.com.      IN NS ns2.abc.com.
ns2.abc.com.  IN A  8.8.8.8   # 8.8.8.8 is google's public dns server

Since a DNS cache does recursive resolving, will it also answer with the correct result?

Thanks.
is notify message going with UDP or TCP?
BIND master sends the notify message with TCP or UDP protocol?

Thanks.
Re: is notify message going with UDP or TCP?
In message <AANLkTin32s_ZrrzsznV=HhqAc02Rv73p=-Z6eTcQU=e...@mail.gmail.com>, terry writes:
> BIND master sends the notify message with TCP or UDP protocol?

UDP.

> Thanks.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: can I set the second nameserver to a public dns cache?
On Mon, Mar 28, 2011 at 08:25:46PM +0800, terry wrote:
> Hello,
> I have only one nameserver for a domain. Can I set the second nameserver for this domain to a public dns cache?
> for example:
> abc.com.      IN NS ns1.abc.com.
> abc.com.      IN NS ns2.abc.com.
> ns2.abc.com.  IN A  8.8.8.8   # 8.8.8.8 is google's public dns server
> Since DNS cache does a rec-resolver, so it will also answer with the correct result?

You can set another peer nameserver to be a public, private, commercial, or other name server as follows:

; Zone file for abc.com.
$TTL xxx
@       IN SOA ...
        IN NS ns1.abc.com.
        IN NS google-public-dns-a.google.com.
        IN NS res060.ns.uu.net.

[Note the blank space in front of the [unneeded] IN in each NS above: they each inherit the LHS from the record above.]

Assuming that an IP address that is not yours will never change is a frightening assumption, especially when proved untrue. Don't plant someone else's IP address in your name space, unless there is a firm agreement between yourself and them about why it's there and how changes will be communicated.

-- 
/*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
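A small zone-file lint for the two points in this reply, added here as an example (it is neither Joe Yao's code nor anything shipped with BIND): it parses records in the layout above, where a blank left-hand side inherits the owner name of the record before it and @ is the origin, then flags in-zone NS targets whose glue address is outside the prefixes you own (the 8.8.8.8 case from the question) and out-of-zone NS targets, which are the ones that need the agreement Joe describes. The zone text and the owned prefix are constructed.

```python
import ipaddress

# Constructed zone in the layout of the reply above: a blank LHS inherits the
# owner of the record before it, "@" is the origin. Not a real zone.
ZONE = """\
$ORIGIN abc.com.
$TTL 3600
@       IN SOA ns1.abc.com. hostmaster.abc.com. 2011032801 3600 900 604800 300
        IN NS  ns1.abc.com.
        IN NS  ns2.abc.com.
        IN NS  google-public-dns-a.google.com.
ns1     IN A   192.0.2.53
ns2     IN A   8.8.8.8   ; someone else's resolver, as in the question
"""


def parse_zone(text):
    """Return (owner, type, rdata) triples with owner inheritance and @ expanded."""
    origin, owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()          # drop comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        if not line.strip() or line.startswith("$"):  # blank, $ORIGIN, $TTL
            continue
        fields = line.split()
        if raw[0] in " \t":                        # blank LHS: previous owner
            rr = fields
        else:
            owner, rr = fields[0], fields[1:]
        while rr[0].isdigit() or rr[0].upper() == "IN":  # optional TTL / class
            rr = rr[1:]
        name = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((name, rr[0].upper(), " ".join(rr[1:])))
    return records


def check_ns(records, origin, owned_prefixes):
    """Flag NS targets whose address is not yours, or that live in someone else's zone."""
    owned = [ipaddress.ip_network(p) for p in owned_prefixes]
    glue = {o: r for o, t, r in records if t in ("A", "AAAA")}
    findings = []
    for o, t, target in records:
        if t != "NS" or o != origin:
            continue
        if not target.endswith("." + origin):
            findings.append(f"{target}: out-of-zone NS, needs an agreement with its operator")
        elif target not in glue:
            findings.append(f"{target}: in-zone NS without a glue address record")
        elif not any(ipaddress.ip_address(glue[target]) in n for n in owned):
            findings.append(f"{target}: glue {glue[target]} is not an address you control")
    return findings
```

`check_ns(parse_zone(ZONE), "abc.com.", ["192.0.2.0/24"])` returns two findings for the constructed zone: the ns2 glue pointing at 8.8.8.8 and the out-of-zone Google NS.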
Re: can I set the second nameserver to a public dns cache?
> Hello,
> I have only one nameserver for a domain. Can I set the second nameserver for this domain to a public dns cache?
> for example:
> abc.com.      IN NS ns1.abc.com.
> abc.com.      IN NS ns2.abc.com.
> ns2.abc.com.  IN A  8.8.8.8   # 8.8.8.8 is google's public dns server

No. Don't do that. A cache/resolver is not the same as an authoritative server. For example, it will not flag the cache contents as being authoritative (the AA flag). Get a proper secondary/slave nameserver somewhere; it doesn't need to be costly.

Regards
Eivind Olsen
eiv...@aminor.no
Re: is notify message going with UDP or TCP?
On Mon, Mar 28, 2011 at 08:30:00PM +0800, terry wrote:
> BIND master sends the notify message with TCP or UDP protocol?

RFC 1996:

   3.4. The transport protocol used for a NOTIFY transaction will be UDP
   unless the master has reason to believe that TCP is necessary; for
   example, if a firewall has been installed between master and slave,
   and only TCP has been allowed; or, if the changed RR is too large to
   fit in a UDP/DNS datagram.

So, JUST AS WITH RESPONSES TO QUERIES, both UDP and TCP must be allowed for reliable service.

-- 
/*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
Re: can I set the second nameserver to a public dns cache?
On Mon, Mar 28, 2011 at 11:35:06PM +1100, Mark Andrews wrote:
> ...
> No. A cache is NOT authoritative for the zone.
> ...

Of course right. I concentrated on the form and missed the substance. I was thinking of a service that will serve your DNS for you - which a caching server is not.

-- 
/*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
Re: problem for validate the script dnssec to isc dlv
it is, I'm coming. I do not understand the need to recreate and validate the file keyset-en ... I then recreate a good record with the key in this file and my past signatures are good. I did not understand correctly the operation of dlv keyset files and I recreated. Downgrade bind to the stable version 9.3 of CentOS 5.5 and using webmin.

Can you give me the command to use to create files Keyset? I did not find any documentation regarding the creation of this type of file.

I will update my blog more precisely with the new guidelines.

Thanks for your good support.
thanks mark andrews
thanks Torinthiel
thanks eivind olsen
thanks evan hunt
thanks dan mahoney
thanks michel graff

On Monday 28 March 2011 at 10:04 +0200, Eivind Olsen wrote:
> > dns appear as my syncro. yet I'm still at the same point missing keys
> Your delegation for the domain fakessh.eu doesn't seem to be 100% correct yet though.

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
RE: can I set the second nameserver to a public dns cache?
No. But you can use a public (commercial or non-commercial) secondary DNS service. Google "secondary dns" or "free secondary dns". You will find a number of services and reviews.

Be careful in selecting - many charge or limit you based on the number of queries and/or zones. QOS and reliability vary, as do levels of support. Note that not all secondary services use BIND. Many of the free services don't yet support DNSSEC, don't accept NOTIFY (polling instead) or are unreliable. Most don't support IPv6 and don't have any QOS guarantee. Also, for any serious use, you want geographic separation for disaster-tolerance.

Nonetheless, you can find reasonable free services. Commercial services also vary the same parameters as well as price and support.

I settled on puck.nether.net/dns for my personal domain, which seems to stay current with BIND, has been reliable, supports IPv6 and NOTIFY and is located in Chicago. But your mileage (and criteria) may vary.

-
This communication may not represent my employer's views, if any, on the matters discussed.

-----Original Message-----
From: terry [mailto:te...@list.dnsbed.com]
Sent: Monday, March 28, 2011 08:26
To: bind-users
Subject: can I set the second nameserver to a public dns cache?

Hello,
I have only one nameserver for a domain. Can I set the second nameserver for this domain to a public dns cache?
for example:
abc.com.      IN NS ns1.abc.com.
abc.com.      IN NS ns2.abc.com.
ns2.abc.com.  IN A  8.8.8.8   # 8.8.8.8 is google's public dns server
Since DNS cache does a rec-resolver, so it will also answer with the correct result?
Thanks.
Logging the answers to queries
What is the logging option to log the answers? For example, in my bind logs I can see these types of entries:

28-Mar-2011 09:54:20.034 queries: info: client 127.0.0.1#56237: query: www.isc.org IN A +

But I can't find anything in the logs about what the answer to the query was. I've searched the bind documentation as well.

Thanks in advance for your help.
Re: notify-source-v6 and transfer-source-v6 for BIND 9.8
On 29/03/2011 00:37, Ivan R. Sy wrote:

Hi Ivan,

> it's been a while since my last config of BIND and I was just wondering if notify-source-v6 / transfer-source-v6 are still there for BIND 9.8.0? the ARM says so. when i do notify-source-v6 on a zone statement and reload it...
>
> notify-source-v6 { 2001:470:1f05:1ae0::1;; };
> transfer-source-v6 { 2001:470:1f05:1ae0::1; };
>
> 29-Mar-2011 16:21:04.147 general: info: received control channel command 'reload'
> 29-Mar-2011 16:21:04.147 general: info: loading configuration from '/etc/namedb/named.conf'
> 29-Mar-2011 16:21:04.149 config: error: /etc/namedb/named.conf:141: expected IPv6 address or '*' near '{'

This error message is the hint: the notify-source-v6 option is expecting to find an IP address, but instead found a '{'. Don't use curly braces with these options: they only take one address (or an asterisk) as a parameter.

Regards,
Anand Buddhdev
RE: GUI for bind
We have used the commercial Men & Mice suite for 3 years now and have had great success with it. It meets all of your requirements listed below. It has an intuitive Windows-based console as well as a web application that can be used to manage DNS, IPAM and DHCP. It works directly on top of BIND without any modifications.

Josh

-----Original Message-----
From: bind-users-bounces+jbaird=follett@lists.isc.org [mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf Of Jorg B.
Sent: Monday, March 28, 2011 6:55 PM
To: bind-users
Subject: GUI for bind

Hello,

I'm looking for a GUI for bind that meets the following requirements:

(1) Must still be under development (and supported, either commercially or via community support)
(2) Supports accounts/groups that will allow me to create user accounts that are able to modify only zone records assigned to the account/group.
(3) Administrator access with the permissions to modify any zone record.
(4) Should support most common features of bind.
(5) Should support 100's of zone records.
(6) Should be somewhat easy to use, so that non-experts can figure it out.

The product does not have to be free... a commercial product is perfectly fine.

I've spent some time searching around, but most of the GUI products either don't support bind or are no longer maintained...

Any recommendations would be appreciated...

Thanks
JB