Panic Time! Key Generation Question
I changed our TSIG key and broke the world. Actually, the DNS servers are happy. DHCP appears to be happy, but I am generating bad keys. I wrote a script as follows:

#! /bin/sh
/usr/local/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST keyname

It produced a beautiful-looking key that bind was happy with in named.conf. Rndc worked after changing it there, so I installed it in our production DNS servers. Then the fun started. I put it in dhcpd and it broke because there was at least one blank in the string. After googling a bit, I used all after the blank. This made bind happy still, and dhcp worked, but the original key no longer works, so we can't do any manual dynamic updates until I install a key that actually works. Everything I read says to generate the key in pretty much this manner, so how can I get one that works everywhere without white spaces that will blow up dhcpd? I guess I was lucky before that there were no spaces in the previous key. Thanks for any help.

Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department
Telecommunications Services Group

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: shared KSK for static zone and dynamic subzone?
On 04/27/2011 04:40 AM, /dev/rob0 wrote:
> With one KSK and one ZSK per zone, we're looking at *12* keys to go in the connected sites' trusted-keys. Errr, no, I guess I only need the KSKs, but still, that's 6. I'd prefer that it be fewer than that. One sounds simpler, in fact.

But the trusted-key statement still includes the key name. When you trust a key, it isn't trusted to sign anything; just the zone corresponding to its name.

> While writing this, a compromise came to me. :) I can run forward zones as children of a single TLD, and use 168.192.in-addr.arpa. as parent for all my reverse zones. :)

That's the way to do it.

> I'm a bit late to the DNSSEC party, what with the signed root being in place already, but ISTM that these trusted-keys could be a major management problem. Am I wrong? Is it still a problem?

The idea is that you don't have any. The DNS root is signed, and many of the TLDs are now signed. The DLV and ITAR were always interim measures. If you had to manage trusted keys, DNSSEC would never work, but you don't because DNS has built-in delegation and hierarchy.
Re: shared KSK for static zone and dynamic subzone?
> While writing this, a compromise came to me. :) I can run forward zones as children of a single TLD, and use 168.192.in-addr.arpa. as parent for all my reverse zones. :)

If you're setting up your own DNS root server, you could sign that root zone, have your clients enter that island of trust and follow the chain of trust, just like in the real world. :)

-JP
Re: Panic Time! Key Generation Question
Torinthiel writes:
> Try deleting the space. Just this. dnssec-keygen inserts space for readability purposes only. If you still have original *.key and *.private files, you can check it yourself, that the Key field in *.private contains exactly the same as *.key, minus the space.

It actually had the space, also. I did remove the space in the .key file and dhcp dynamic updates started working again, but I am still really stuck. If I take those key files and put them in /home/martin/keys, nsupdate -d -k $HOME/keys/Kkeyname.+random.key, the error is always file not found or that the private key is invalid. It's just the files as produced by the dnssec-keygen program. The output of nsupdate is always:

Creating key...
could not read key from /home/martin/keys/Kkey_name.+157+18051.private: private key is invalid

I get the same results by using the .key file although they are specified clearly in the path. I've been doing dynamic dns for about 6 years and decided to change the key as the old one may have been compromised. It worked fine and this one works everywhere now except for nsupdate. I am at my wits' end. Thanks for the help. I do not understand why nsupdate is now broken.
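The whitespace problem discussed in the two messages above (dnssec-keygen breaks long base64 into space-separated chunks, which named tolerates but dhcpd does not) as an added example, not code from the thread or from BIND: it reads the secret from both generated files, strips the whitespace, checks that the two agree and decode to the requested 512 bits, and renders the key stanza for named.conf and for dhcpd.conf. The file contents, the name `keyname` and the 64-byte secret are constructed placeholders.

```python
"""Normalise a dnssec-keygen HMAC key for named.conf and dhcpd.conf."""
import base64
import binascii
import re


def sample_key_files():
    """Constructed stand-ins for Kkeyname.+157+NNNNN.key and .private.

    The secret is bytes 0..63 (512 bits), not a real key. dnssec-keygen
    prints long base64 in space-separated chunks in the .key file; that
    embedded space is what tripped dhcpd in the thread.
    """
    b64 = base64.b64encode(bytes(range(64))).decode()
    key_txt = "keyname. IN KEY 512 3 157 " + b64[:56] + " " + b64[56:] + "\n"
    private_txt = ("Private-key-format: v1.2\n"
                   "Algorithm: 157 (HMAC_MD5)\n"
                   "Key: " + b64 + "\n")
    return key_txt, private_txt


def secret_from_key_file(text):
    """Base64 secret from the KEY RR in a .key file, all whitespace removed."""
    # Layout: owner [ttl] [class] KEY flags protocol algorithm base64...
    m = re.search(r"\bKEY\s+\d+\s+\d+\s+\d+\s+(.+)$", text, re.MULTILINE)
    if not m:
        raise ValueError("no KEY record in .key file")
    return re.sub(r"\s+", "", m.group(1))


def secret_from_private_file(text):
    """Base64 secret from the 'Key:' field of a .private file."""
    m = re.search(r"^Key:\s*(.+)$", text, re.MULTILINE)
    if not m:
        raise ValueError("no Key: field in .private file")
    return re.sub(r"\s+", "", m.group(1))


def check_secret(b64, expected_bits=512):
    """Decode the secret and return its size in bits; reject anything else."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("secret is not clean base64: %s" % exc)
    bits = len(raw) * 8
    if bits != expected_bits:
        raise ValueError("secret is %d bits, expected %d" % (bits, expected_bits))
    return bits


def named_key_stanza(name, b64):
    """key {} block for named.conf, where the secret is a quoted string."""
    return ('key "%s" {\n    algorithm hmac-md5;\n    secret "%s";\n};\n'
            % (name, b64))


def dhcpd_key_stanza(name, b64):
    """key {} block for dhcpd.conf; its documented form leaves the secret unquoted."""
    return ("key %s {\n    algorithm hmac-md5;\n    secret %s;\n};\n"
            % (name, b64))


def build_stanzas(key_txt, private_txt, name="keyname"):
    """Cross-check both files, then return (named.conf stanza, dhcpd.conf stanza)."""
    a = secret_from_key_file(key_txt)
    b = secret_from_private_file(private_txt)
    if a != b:
        raise ValueError(".key and .private disagree on the secret")
    check_secret(a)
    return named_key_stanza(name, a), dhcpd_key_stanza(name, a)


if __name__ == "__main__":
    named, dhcpd = build_stanzas(*sample_key_files())
    print(named)
    print(dhcpd)
```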
[Bind 9.8.0] RPZ deny ALL
Hi, I want to implement a bind server that only answers queries for www.google.com and for the rest answers 127.0.0.17. My solution:

www.google.com IN CNAME www.google.com.
*.com IN A 127.0.0.17
*.fr IN A 127.0.0.17
*.org IN A 127.0.0.17
*.be IN A 127.0.0.17
*.de IN A 127.0.0.17
*.ca IN A 127.0.0.17
...

Of course this works, but I have to list all the TLDs. Can I put:

. IN A 127.0.0.17

or something like that to rewrite the root? That means my conf becomes something like this:

. IN A 127.0.0.17
www.google.com IN CNAME www.google.com.

which is better than listing all the TLDs. Thanks.

Issam HARRATHI

IMPORTANT. This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. Any unauthorized view, usage or disclosure of this message is prohibited. Since e-mail messages may not be reliable, France Telecom Group shall not be liable for any message if modified, changed or falsified. Additionally the recipient should ensure they are actually virus free.
key directory in named.conf
Hi, how do I declare multiple signed key paths in key-directory? When I declare as follows, named does not start:

key-directory {/var/named/zones;/root/ramesh/Largezone;}

Please clarify this for me. Thanks.

Regards,
Ramesh
Re: key directory in named.conf
rams brames...@gmail.com wrote:
> How to declare multiple signed key paths in key-directory. When I declare as follows, named not starting.
> key-directory {/var/named/zones;/root/ramesh/Largezone;}

You can specify a key-directory inside a zone statement if you want the keys for that zone to be stored in a non-default place.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5 or 6 later. Rough or very rough. Occasional rain. Moderate or good, occasionally poor.
Re: shared KSK for static zone and dynamic subzone?
In message 4db7b21d.8010...@data.pl, Torinthiel writes:
> On 04/27/11 05:40, /dev/rob0 wrote:
>> On Tue, Apr 26, 2011 at 10:15:18AM +0100, Phil Mayers wrote:
>>> On 04/26/2011 02:13 AM, /dev/rob0 wrote:
>>>> Is there any reason why I can't use the parent zone's KSK for the dynamic zone? Better yet, is there a reason why I shouldn't?
>>> Better yet, why *would* you? Keys aren't exactly expensive to generate.
>>
>> Again, the $SUBJECT problem is resolved, but I have come upon a possible reason to reuse a key.
>>
>> I'm setting up a private namespace (RFC 1918 networks and imaginary domain names) named+dhcpd system with three static zones, a dynamic forward zone, and two dynamic reverse zones. Six total.
>>
>> I want all these zones to be signed. Why? No good reason, just a learning exercise, actually. Because I can.
>
> That's a very good reason.
>
> [...]
>
>> So that's what I'm going to do. Two more zones, four more keys, but only two in trusted-keys. Tolerable.
>
> You have some other options as well. First, as you've noticed, only the top zone in the chain needs to have keys configured, all zones below can benefit from DS records. Second, if your zones are public, you can add your key to dlv.isc.org, and only have to configure one key (which is built in into bind BTW). Third, you can create your own DLV, and still use one key even with private zones. Downside is that BIND cannot use two DLV repositories, so you won't benefit from a lot of DLV configured zones. And I don't know of a sensible way to duplicate ISC DLV and add some more keys. You could download zones from http://secspider.cs.ucla.edu/ add your own keys and sign by your own key. But keep in mind, that while ISC DLV asks admins to configure their zones and verifies that they have keys and abilities to modify zone, secspider simply walks everything (but from several points around the world), so it's probably less secure.
>
> Anyway, the answer is not really. The keys that bind generates include the zone name, and you can't easily use a key whose name != zone, and certainly not whose name is in a different zone. You're just complicating your life to no benefit. Use a different key for the child.
>
>> I'm a bit late to the DNSSEC party, what with the signed root being in place already, but ISTM that these trusted-keys could be a major management problem. Am I wrong? Is it still a problem?
>
> Yes, but there are several possibilities to solve it. First note that root is already signed, but not all (not even most) TLDs are signed/accept DS records for delegations. So eg in .pl you are no better than if root was not signed. Ways to circumvent this include:
> 1) have your key distributed widely. Worst IMHO option, as it requires a good distribution chain both at start, and when you change your KSK.
> 2) DLV - from DNS point of view it's a simple zone with a bit different record types. If you have dlv.net, and want to check if example.com is correctly signed, then your resolver asks for example.com.dlv.net, of type DLV and if it receives correct answer (this implies that first you trust DLV's key) it behaves just as if it got example.com's DS record from .com. You still have to maintain key, but only one.
> 3) RFC 5011 specifies how keys can authenticate themselves, thus simplifying KSK rollover.
>
> Torinthiel

There is zero point in trying to share keying material between zones unless you have a HSM and it has limits on the number of keys it supports. The RRSIGs differ. The DS differ.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Mise à
Hello, I would like to update my zones via the Dynamic DNS Update mechanism according to the machines that connect to my different network cards. My server has three ethernet cards on different subnets that are not reachable from one another, and I need the zones to be updated automatically by the clients via the IP address of the ethernet card from which DHCP is served. In short, I need the IP address below to correspond to the address of the ethernet card from which DHCP is served:

zone trucmuche.ch. { primary 10.1.1.100; key clé_serveur; }

I am using bind 9.7.3 with dhcpd 4.2.1 on openSUSE 11.4.

Many thanks and best regards,
Banana
Re: key directory in named.conf
In message BANLkTi=jzsrn3xbgsbg5oiymxbyren6...@mail.gmail.com, rams writes:
> Hi, How to declare multiple signed key paths in key-directory. When I declare as follows, named not starting.
> key-directory {/var/named/zones;/root/ramesh/Largezone;}

The syntax is

key-directory quoted_string;

Each zone can only have one key-directory. key-directory is inherited from the view/options.

> Please clarify me. Thanks Regards, Ramesh

--
Mark Andrews, ISC
Re: Dynamic DNS Update from my ethernet cards
If each of your three adapters gets its IP from DHCP, why don't you configure the DHCP server to update DDNS instead of the client (i.e. a separate ddns-domainname statement for each DHCP subnet)? That way you can specify the zone to update dynamically based on the subnet each adapter gets an IP from. For example:

Adapter 1 will get an IP from Subnet A and the DHCP server will add a record to the zone named a.zone.com.
Adapter 2 will get an IP from Subnet B and the DHCP server will add a record to the zone named b.zone.com.
Adapter 3 will get an IP from Subnet C and the DHCP server will add a record to the zone named c.zone.com.

Chris.

-- Forwarded message --
From: Flex Banana flex.ban...@bluewin.ch
To: bind-us...@isc.org, Users of ISC DHCP dhcp-us...@lists.isc.org
Date: Wed, 27 Apr 2011 13:36:17 +0200
Subject: Dynamic DNS Update from my ethernet cards
Stumped - SERVFAIL vs NOERROR?
Hi all. Well, I'm stumped. This is causing non-delivery of mail for the affected domain because it is blocking fallback from IPv6 to IPv4 for the domain. The problem smells like misconfigured IPv6 somewhere along the way, but all the servers involved (that have IPv6 addresses) seem to be answering OK.

Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on a particular domain, namely mailergoat.rsi.co.jp. But from other places, we get NOERROR (which is the correct answer, because there is an A record with that name). However, from some places outside our network we also get SERVFAIL.

Traces (using the +trace option to dig) are identical regardless of where we do them, besides some reordering of the nameserver results, which is normal. One oddity (at least it seems odd to me) is that a trace ends with two nameservers, gtm1.rsi.co.jp and gtm2.rsi.co.jp, that are not present in the nameserver list for rsi.co.jp, meaning that the domain mailergoat.rsi.co.jp has been delegated to them. When I ask either of those servers directly for the nameserver records for mailergoat.rsi.co.jp, I get NOERROR, but no answer. Asking those servers for ANY records for that name shows an A record and a TXT (SPF) record only. That makes this a lame delegation - but why do some recursive nameservers report it as SERVFAIL and some as NOERROR? A difference between nameservers, or nameserver versions?

Any ideas gratefully received. See below for dig outputs demonstrating the above statements.

Regards, K.

dmz-rz-ap:[~]$ dig mailergoat.rsi.co.jp

; <<>> DiG 9.6.1-P3 <<>> mailergoat.rsi.co.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 772
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN

;; Query time: 582 msec
;; SERVER: 129.132.98.12#53(129.132.98.12)
;; WHEN: Wed Apr 27 13:09:43 2011
;; MSG SIZE rcvd: 38

But from other places, we get NOERROR (which is the correct answer, because there is an A record with that name). This via Google DNS:

dns2-rz-ap:[log]$ dig mailergoat.rsi.co.jp @8.8.8.8

; <<>> DiG 9.2.4 <<>> mailergoat.rsi.co.jp @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 518
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN

;; AUTHORITY SECTION:
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

;; Query time: 523 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 27 13:10:07 2011
;; MSG SIZE rcvd: 90

Note that there *is* an A record with that name:

dmz-rz-ap:[~]$ dig mailergoat.rsi.co.jp

; <<>> DiG 9.6.1-P3 <<>> mailergoat.rsi.co.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1627
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN A

;; ANSWER SECTION:
mailergoat.rsi.co.jp. 600 IN A 202.214.41.103

;; AUTHORITY SECTION:
mailergoat.rsi.co.jp. 260 IN NS gtm2.rsi.co.jp.
mailergoat.rsi.co.jp. 260 IN NS gtm1.rsi.co.jp.

;; ADDITIONAL SECTION:
gtm1.rsi.co.jp. 600 IN A 202.214.41.51
gtm2.rsi.co.jp. 600 IN A 202.25.214.15

;; Query time: 592 msec
;; SERVER: 129.132.98.12#53(129.132.98.12)
;; WHEN: Wed Apr 27 13:14:56 2011
;; MSG SIZE rcvd: 124

But from some places outside our network we also get SERVFAIL:

kauer@karl:~$ dig mailergoat.rsi.co.jp

; <<>> DiG 9.7.1-P2 <<>> mailergoat.rsi.co.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3850
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN

;; Query time: 544 msec
;; SERVER: 192.168.1.35#53(192.168.1.35)
;; WHEN: Wed Apr 27 21:09:40 2011
;; MSG SIZE rcvd: 38

The following sequence of three digs shows that when I ask the reportedly authoritative servers directly about this name, they can and do answer correctly. It's only when the query recurses that SERVFAIL shows up:

kauer@karl:~$ dig @gtm1.rsi.co.jp mailergoat.rsi.co.jp

; <<>> DiG 9.7.1-P2 <<>> @gtm1.rsi.co.jp mailergoat.rsi.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43306
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN

;; AUTHORITY SECTION:
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

;; Query time: 272 msec
;; SERVER: 202.214.41.51#53(202.214.41.51)
;; WHEN: Wed Apr 27 21:40:09 2011
;; MSG SIZE rcvd: 90

kauer@karl:~$ dig @gtm2.rsi.co.jp
BIND error: opcode: QUERY, status: SERVFAIL
Hi everybody, we are unable to look up the domain goelexports.com

[root@D1OKH680RL ~]# dig goelexports.com

; <<>> DiG 9.2.4 <<>> goelexports.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63082
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;goelexports.com. IN A

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 27 03:28:13 2011
;; MSG SIZE rcvd: 33

What does status: SERVFAIL mean, and how can I check?

Regards,
kshitij
Re: BIND error: opcode: QUERY, status: SERVFAIL
On Wed, 2011-04-27 at 17:45 +0530, kshitij mali wrote:
> we are unable to lookup the domain goelexports.com
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63082

A trace shows the likely problem:

dns2-rz-ap:[log]$ dig +trace goelexports.com
[...]
;; Received 505 bytes from 192.58.128.30#53(j.root-servers.net) in 32 ms

goelexports.com. 172800 IN NS ns.hostsearchindia.com.
goelexports.com. 172800 IN NS ns2.hostsearchindia.com.
;; Received 116 bytes from 192.52.178.30#53(k.gtld-servers.net) in 29 ms

dig: Couldn't find server 'ns.hostsearchindia.com': node name or service name not known

Neither of those allegedly authoritative nameservers appears to exist. Has there been a very recent change to the nameservers for this domain? My servers seem to have it cached and are responding with what looks like good data:

dns2-rz-ap:[log]$ dig goelexports.com

; <<>> DiG 9.2.4 <<>> goelexports.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1596
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;goelexports.com. IN A

;; ANSWER SECTION:
goelexports.com. 14057 IN A 69.16.253.121

;; AUTHORITY SECTION:
goelexports.com. 84408 IN NS ns5.webcomindia.net.
goelexports.com. 84408 IN NS ns4.webcomindia.net.

;; ADDITIONAL SECTION:
ns4.webcomindia.net. 12408 IN A 69.16.253.121
ns5.webcomindia.net. 12408 IN A 69.16.253.122

;; Query time: 2 msec
;; SERVER: 129.132.98.12#53(129.132.98.12)
;; WHEN: Wed Apr 27 14:58:26 2011
;; MSG SIZE rcvd: 132

Regards, K.

--
~~~
Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/kauer/ +61-428-957160 (mob)
GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Re: Mise à
In message 1fd98bf0-1d91-419b-beca-9958295de...@bluewin.ch, Flex Banana writes:
> Hello, I would like to update my zones via the Dynamic DNS Update mechanism according to the machines that connect to my different network cards. My server has three ethernet cards on different subnets that are not reachable from one another, and I need the zones to be updated automatically by the clients via the IP address of the ethernet card from which DHCP is served. In short, I need the IP address below to correspond to the address of the ethernet card from which DHCP is served:
>
> zone trucmuche.ch. { primary 10.1.1.100; key clé_serveur; }
>
> I am using bind 9.7.3 with dhcpd 4.2.1 on openSUSE 11.4
>
> Many thanks and best regards,
> Banana

named.conf:

key clé_serveur {
	algorithm HMAC-MD5.SIG-ALG.REG.INT;
	secret "<base64 secret>";
};

zone trucmuche.ch {
	type master;
	file "trucmuche.ch";
	allow-update { key clé_serveur; };
};

--
Mark Andrews, ISC
Re: Stumped - SERVFAIL vs NOERROR?
In message 1303906294.2246.93.camel@karl, Karl Auer writes:
> Hi all. Well, I'm stumped. This is causing non-delivery of mail for the affected domain because it is blocking fallback from IPv6 to IPv4 for the domain. The problem smells like misconfigured IPv6 somewhere along the way, but all the servers involved (that have IPv6 addresses) seem to be answering OK.

The SMTP server will be failing on the MX lookup if it is following the RFCs. A and AAAA should only be looked up after getting a NODATA response to a MX query.

> Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on a particular domain, namely mailergoat.rsi.co.jp. But from other places, we get NOERROR (which is the correct answer, because there is an A record with that name). However, from some places outside our network we also get SERVFAIL.

The nameservers for mailergoat.rsi.co.jp are broken. They return the *wrong* SOA record in the response, which can clearly be seen at the end of a dig +trace mailergoat.rsi.co.jp mx.

mailergoat.rsi.co.jp. 600 IN NS gtm1.rsi.co.jp.
mailergoat.rsi.co.jp. 600 IN NS gtm2.rsi.co.jp.
;; Received 108 bytes from 202.248.0.34#53(ns.center.web.ad.jp) in 304 ms

rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60
;; Received 90 bytes from 202.25.214.15#53(gtm2.rsi.co.jp) in 395 ms

The correct SOA record would be

mailergoat.rsi.co.jp 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

all other things being equal.

> Traces (using the +trace option to dig) are identical regardless of where we do them, besides some reordering of the nameserver results, which is normal. One oddity (at least it seems odd to me) is that a trace ends with two nameservers, gtm1.rsi.co.jp and gtm2.rsi.co.jp, that are not present in the nameserver list for rsi.co.jp, meaning that the domain mailergoat.rsi.co.jp has been delegated to them.
>
> When I ask either of those servers directly for the nameserver records for mailergoat.rsi.co.jp, I get NOERROR, but no answer. Asking those servers for ANY records for that name shows an A record and a TXT (SPF) record only. That makes this a lame delegation - but why do some recursive nameservers report it as SERVFAIL and some as NOERROR? A difference between nameservers, or nameserver versions?

Different tolerances for errors. Adding a MX record here will help. One really shouldn't be depending upon the implicit MX records generated from the A and AAAA records.

> Any ideas gratefully received. See below for dig outputs demonstrating the above statements.
>
> Regards, K.

--
Mark Andrews, ISC
Re: BIND error: opcode: QUERY, status: SERVFAIL
In message banlktik70mdfrhcbfi+7ye_sibccoge...@mail.gmail.com, kshitij mali writes:
> Hi everbody, we are unable to lookup the domain goelexports.com

goelexports.com is delegated to the following nameservers which do not exist.

Mark

goelexports.com. 172800 IN NS ns.hostsearchindia.com.
goelexports.com. 172800 IN NS ns2.hostsearchindia.com.

; <<>> DiG 9.6.0-APPLE-P2 <<>> ns.hostsearchindia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36873
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns.hostsearchindia.com. IN A

;; AUTHORITY SECTION:
hostsearchindia.com. 10719 IN SOA ns4.webcomindia.net. amit.sood.webcomindia.net. 2009090712 86400 7200 360 86400

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 27 23:45:38 2011
;; MSG SIZE rcvd: 105

> [root@D1OKH680RL ~]# dig goelexports.com
>
> ; <<>> DiG 9.2.4 <<>> goelexports.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63082
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;goelexports.com. IN A
>
> ;; Query time: 10 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Apr 27 03:28:13 2011
> ;; MSG SIZE rcvd: 33
>
> what does status: SERVFAIL means how can check
>
> Regards,
> kshitij

--
Mark Andrews, ISC
Re: Stumped - SERVFAIL vs NOERROR?
Karl Auer ka...@biplane.com.au wrote:
> Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on a particular domain, namely mailergoat.rsi.co.jp. But from other places, we get NOERROR (which is the correct answer, because there is a A record with that name). However, from some places outside our network we also get SERVFAIL.

The name servers for the zone mailergoat.rsi.co.jp are broken. They return a nodata response with the wrong authority for all non-A non-TXT queries. The SOA record owner name in the additional section of the reply should be mailergoat.rsi.co.jp not rsi.co.jp. BIND requires that the SOA owner name in a nodata response matches the zone name that BIND is expecting. This is part of the logic it uses to tell the difference between various kinds of negative responses (as in RFC 2308).

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
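Mark's and Tony's diagnosis above (a NODATA reply whose SOA owner, rsi.co.jp, lies outside mailergoat.rsi.co.jp, the zone the referral pointed at) as an added example, not code from the thread or from BIND: a small model of the resolver-side sanity check, run over a dig-style reply constructed from the records quoted in the thread and over a corrected copy. The strict mode stands in for the behaviour the thread attributes to BIND; the lenient mode, which only requires the SOA owner to be an ancestor of the query name, stands in for the Google resolver that accepted the broken reply.

```python
"""Why a NODATA reply with the wrong SOA owner turns into SERVFAIL."""

# Constructed from the thread's records: the reply gtm2.rsi.co.jp gives for
# a MX query, and what it would look like with the SOA owner corrected.
BROKEN_REPLY = """\
;; QUESTION SECTION:
;mailergoat.rsi.co.jp.   IN   MX

;; AUTHORITY SECTION:
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60
"""
FIXED_REPLY = BROKEN_REPLY.replace("\nrsi.co.jp.", "\nmailergoat.rsi.co.jp.")


def labels(name):
    """Split a domain name into lower-cased labels; trailing dot is ignored."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def is_subdomain(name, zone):
    """True if name equals zone or lies below it (label-wise comparison)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and (not z or n[-len(z):] == z)


def soa_owner(reply):
    """Owner name of the SOA record in the AUTHORITY section, or None."""
    in_auth = False
    for line in reply.splitlines():
        if line.startswith(";; AUTHORITY SECTION"):
            in_auth = True
        elif line.startswith(";;"):
            in_auth = False
        elif in_auth:
            fields = line.split()
            if len(fields) > 3 and fields[3] == "SOA":
                return fields[0]
    return None


def classify_negative(qname, delegated_zone, reply, strict=True):
    """Decide whether a NODATA reply is usable.

    delegated_zone is the zone the resolver was referred to for qname
    (here: mailergoat.rsi.co.jp, from the NS records in the +trace).
    Returns a string starting with 'NODATA' or with 'SERVFAIL'.
    """
    owner = soa_owner(reply)
    if owner is None:
        return "SERVFAIL: no SOA in the authority section"
    if not is_subdomain(qname, owner):
        return "SERVFAIL: SOA owner %s is not an ancestor of %s" % (owner, qname)
    # The strict check from the thread: the SOA must belong to the zone the
    # name was delegated to, not to some zone above the delegation.
    if strict and not is_subdomain(owner, delegated_zone):
        return ("SERVFAIL: SOA owner %s lies outside %s, the zone this name "
                "was delegated to" % (owner, delegated_zone))
    return "NODATA: cache the negative answer for %s under %s" % (qname, owner)


if __name__ == "__main__":
    q, zone = "mailergoat.rsi.co.jp", "mailergoat.rsi.co.jp"
    print("strict, broken: ", classify_negative(q, zone, BROKEN_REPLY))
    print("lenient, broken:", classify_negative(q, zone, BROKEN_REPLY, strict=False))
    print("strict, fixed:  ", classify_negative(q, zone, FIXED_REPLY))
```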
Re: BIND error: opcode: QUERY, status: SERVFAIL
On 27/04/2011 15:03, Karl Auer wrote:
> On Wed, 2011-04-27 at 17:45 +0530, kshitij mali wrote:
>> we are unable to lookup the domain goelexports.com
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63082
>
> A trace shows the likely problem:
>
> dns2-rz-ap:[log]$ dig +trace goelexports.com
> [...]
> ;; Received 505 bytes from 192.58.128.30#53(j.root-servers.net) in 32 ms
> goelexports.com.        172800  IN      NS      ns.hostsearchindia.com.
> goelexports.com.        172800  IN      NS      ns2.hostsearchindia.com.
> ;; Received 116 bytes from 192.52.178.30#53(k.gtld-servers.net) in 29 ms
> dig: Couldn't find server 'ns.hostsearchindia.com': node name or service name not known
>
> Neither of those allegedly authoritative nameservers appears to exist. Has there been a very recent change to the nameservers for this domain? My servers seem to have it cached and are responding with what looks like good data:
>
> dns2-rz-ap:[log]$ dig goelexports.com
> [...]
> ;; ANSWER SECTION:
> goelexports.com.        14057   IN      A       69.16.253.121
> ;; AUTHORITY SECTION:
> goelexports.com.        84408   IN      NS      ns5.webcomindia.net.
> goelexports.com.        84408   IN      NS      ns4.webcomindia.net.
> ;; ADDITIONAL SECTION:
> ns4.webcomindia.net.    12408   IN      A       69.16.253.121
> ns5.webcomindia.net.    12408   IN      A       69.16.253.122

Hello,

It looks like the delegation has not changed, but the zonefile itself has:

$ dig -t ns goelexports.com @l.gtld-servers.net.
;; AUTHORITY SECTION:
goelexports.com.        172800  IN      NS      ns.hostsearchindia.com.
goelexports.com.        172800  IN      NS      ns2.hostsearchindia.com.
;; ADDITIONAL SECTION:
ns.hostsearchindia.com. 172800  IN      A       69.16.253.121
ns2.hostsearchindia.com. 172800 IN      A       69.16.253.122

*.gtld-servers.net still hold the correct glues for ns[2].hostsearchindia.com, but the parent's answer is not authoritative. If you request the IP addresses for those records, you will see the new NS records, and also you will no longer see an answer for the glues themselves:

$ dig -t ns goelexports.com @69.16.253.121
;; ANSWER SECTION:
goelexports.com.        86400   IN      NS      ns5.webcomindia.net.
goelexports.com.        86400   IN      NS      ns4.webcomindia.net.

$ dig -t ns ns.hostsearchindia.com @69.16.253.121
;; ->>HEADER<<- opcode: QUERY, status: *NXDOMAIN*, id: 47931
;; AUTHORITY SECTION:
hostsearchindia.com.    86400   IN      SOA     ns4.webcomindia.net. amit.sood.webcomindia.net. 2009090712 86400 7200 360 86400

Maybe the zone administrator intended to change the NS names, but did that the wrong way.

I guess some DNS clients won't use the glue records if they are not part of an authoritative answer, and some clients will try anyway, using the IP they have from the parent (additional section). In my case (dig version 9.6) 'dig' does the former, and 'dig +trace' the latter.

I have already had a similar issue, see https://lists.isc.org/pipermail/bind-users/2010-December/082051.html for example.

Regards,
Laurent
Re: BIND error: opcode: QUERY, status: SERVFAIL
In message 4db829e3.5010...@mailclub.fr, Laurent Bauer writes:
> On 27/04/2011 15:03, Karl Auer wrote:
>> On Wed, 2011-04-27 at 17:45 +0530, kshitij mali wrote:
>>> we are unable to lookup the domain goelexports.com
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63082
>>
>> A trace shows the likely problem:
>>
>> dns2-rz-ap:[log]$ dig +trace goelexports.com
>> [...]
>> ;; Received 505 bytes from 192.58.128.30#53(j.root-servers.net) in 32 ms
>> goelexports.com.        172800  IN      NS      ns.hostsearchindia.com.
>> goelexports.com.        172800  IN      NS      ns2.hostsearchindia.com.
>> ;; Received 116 bytes from 192.52.178.30#53(k.gtld-servers.net) in 29 ms
>> dig: Couldn't find server 'ns.hostsearchindia.com': node name or service name not known
>>
>> Neither of those allegedly authoritative nameservers appears to exist. Has there been a very recent change to the nameservers for this domain? My servers seem to have it cached and are responding with what looks like good data:
>>
>> dns2-rz-ap:[log]$ dig goelexports.com
>> [...]
>> ;; ANSWER SECTION:
>> goelexports.com.        14057   IN      A       69.16.253.121
>> ;; AUTHORITY SECTION:
>> goelexports.com.        84408   IN      NS      ns5.webcomindia.net.
>> goelexports.com.        84408   IN      NS      ns4.webcomindia.net.
>> ;; ADDITIONAL SECTION:
>> ns4.webcomindia.net.    12408   IN      A       69.16.253.121
>> ns5.webcomindia.net.    12408   IN      A       69.16.253.122
>
> Hello,
>
> It looks like the delegation has not changed, but the zonefile itself has:
>
> $ dig -t ns goelexports.com @l.gtld-servers.net.
> ;; AUTHORITY SECTION:
> goelexports.com.        172800  IN      NS      ns.hostsearchindia.com.
> goelexports.com.        172800  IN      NS      ns2.hostsearchindia.com.
> ;; ADDITIONAL SECTION:
> ns.hostsearchindia.com. 172800  IN      A       69.16.253.121
> ns2.hostsearchindia.com. 172800 IN      A       69.16.253.122
>
> *.gtld-servers.net still hold the correct glues for ns[2].hostsearchindia.com, but the parent's answer is not authoritative. If you request the IP addresses for those records, you will see the new NS records, and also you will no longer see an answer for the glues themselves:
>
> $ dig -t ns goelexports.com @69.16.253.121
> ;; ANSWER SECTION:
> goelexports.com.        86400   IN      NS      ns5.webcomindia.net.
> goelexports.com.        86400   IN      NS      ns4.webcomindia.net.
>
> $ dig -t ns ns.hostsearchindia.com @69.16.253.121
> ;; ->>HEADER<<- opcode: QUERY, status: *NXDOMAIN*, id: 47931
> ;; AUTHORITY SECTION:
> hostsearchindia.com.    86400   IN      SOA     ns4.webcomindia.net. amit.sood.webcomindia.net. 2009090712 86400 7200 360 86400
>
> Maybe the zone administrator intended to change the NS names, but did that the wrong way.

Perhaps. This is also something the registry is supposed to be checking regularly.

RFC 1034
    As the last installation step, the delegation NS RRs and glue RRs necessary to make the delegation effective should be added to the parent zone. The administrators of both zones should insure that the NS and glue RRs which mark both sides of the cut are consistent and remain so.

Unfortunately lots of TLD administrators think they don't need to follow the procedures in RFC 1034. All of the TLD administrators took on their roles *after* RFC 1034 was written so they have no excuse for not ensuring that these checks are being made.

> I guess some DNS clients won't use the glue records if they are not part of an authoritative answer, and some clients will try anyway, using the IP they have from the parent (additional section). In my case (dig version 9.6) 'dig' does the former, and 'dig +trace' the latter.
>
> I have already had a similar issue, see https://lists.isc.org/pipermail/bind-users/2010-December/082051.html for example.
>
> Regards,
> Laurent

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
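Laurent's and Mark's messages above come down to the RFC 1034 rule: the NS RRs the parent publishes and the NS RRs the child serves at its apex must agree, and the glue the parent hands out must still name hosts the authoritative side knows. The following is an added example, not code from the thread or from ISC: a pure check function fed with the facts from the dig transcripts above, where `authoritative_lookup` is a stand-in for querying the server at 69.16.253.121 (a real tool would obtain all of these sets over the wire).

```python
def check_delegation(zone, parent_ns, parent_glue, child_ns, child_lookup):
    """Compare a parent's delegation for `zone` with what the child serves.

    parent_ns:    NS names the parent (here the .com servers) returns in its referral
    parent_glue:  {nsname: {address, ...}} from the referral's additional section
    child_ns:     NS names the child apex returns when asked at a glue address
    child_lookup: callable(name) -> set of addresses the authoritative side returns
                  for that NS name, or None when it answers NXDOMAIN
    Returns a list of findings; an empty list means both sides of the cut agree.
    """
    findings = []
    # RFC 1034 section 4.2.2: the NS RRs on both sides of the cut must be consistent.
    if set(parent_ns) != set(child_ns):
        findings.append("NS set differs: parent %s, child %s"
                        % (sorted(parent_ns), sorted(child_ns)))
    for ns in sorted(parent_ns):
        addrs = child_lookup(ns)
        if addrs is None:
            # The parent points at a name that no longer exists on the authoritative
            # side; resolvers that refuse to use non-authoritative glue end up with
            # nothing to ask and return SERVFAIL.
            findings.append("glue name %s is NXDOMAIN at the authoritative server" % ns)
        elif parent_glue.get(ns) and addrs != parent_glue[ns]:
            findings.append("stale glue for %s: parent %s, authoritative %s"
                            % (ns, sorted(parent_glue[ns]), sorted(addrs)))
    for ns in sorted(child_ns):
        # An NS inside the delegated zone is unreachable without glue at the parent.
        if (ns == zone or ns.endswith("." + zone)) and ns not in parent_glue:
            findings.append("in-zone NS %s has no glue at the parent" % ns)
    return findings


# Constructed from the dig output quoted in the thread (27 April 2011).
PARENT_NS = {"ns.hostsearchindia.com.", "ns2.hostsearchindia.com."}
PARENT_GLUE = {"ns.hostsearchindia.com.": {"69.16.253.121"},
               "ns2.hostsearchindia.com.": {"69.16.253.122"}}
CHILD_NS = {"ns5.webcomindia.net.", "ns4.webcomindia.net."}


def authoritative_lookup(name):
    """Stand-in for 'dig @69.16.253.121': the hostsearchindia.com names are NXDOMAIN."""
    table = {"ns4.webcomindia.net.": {"69.16.253.121"},
             "ns5.webcomindia.net.": {"69.16.253.122"}}
    return table.get(name)  # None models an NXDOMAIN answer


def thread_findings():
    """The three findings the thread's delegation produces."""
    return check_delegation("goelexports.com.", PARENT_NS, PARENT_GLUE,
                            CHILD_NS, authoritative_lookup)


if __name__ == "__main__":
    for finding in thread_findings():
        print(finding)
```

Run unchanged it reports the NS mismatch and, for each of the two parent NS names, that the authoritative server answers NXDOMAIN, which is exactly the state Laurent's second and fourth dig commands show. Wiring `child_lookup` to a real query against the glue address turns it into a periodic check a registrar or zone operator can run after every NS change.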
Empty CNAME chain, should getaddrinfo() return EAI_NONAME or EAI_FAIL?
Assuming a case where there is an empty CNAME chain, but no error, should getaddrinfo() return EAI_NONAME or EAI_FAIL? For example:

; <<>> DiG 9.8.0 <<>> www.apple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64776
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.apple.com.                 IN

;; ANSWER SECTION:
www.apple.com.          281     IN      CNAME   www.isg-apple.com.akadns.net.
www.isg-apple.com.akadns.net. 60 IN     CNAME   www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 17295 IN     CNAME   e3191.c.akamaiedge.net.

On FreeBSD 9-current I get this:

ping6 www.apple.com
ping6: Non-recoverable failure in name resolution

which is _FAIL. Should it be _NONAME instead? I looked at the POSIX definition and it's not clear to me which it should be.

Thanks,

Doug

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
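Two messages on this page turn on how a resolver classifies a response that carries no answer: Tony's explanation of why BIND SERVFAILs on mailergoat.rsi.co.jp (a NODATA reply whose SOA owner is not the zone the resolver expects) and Doug's question about a CNAME chain that ends without an address record. The following is an added example, not code from the thread, from ISC or from FreeBSD: it parses dig's text output, so transcripts pasted on this list can be fed to it directly, and then classifies the response along the lines of RFC 2308 section 2, with the SOA-owner consistency check applied to NODATA replies. The `zone` argument is the zone the caller expects to be answering (a resolver knows it from the delegation it followed). The mailergoat transcript is constructed from Tony's description, the www.apple.com one takes Doug's answer section with the AAAA question ping6 would ask, and the SOA records in both are placeholders (ns.invalid, hostmaster.invalid) since the originals do not show them.

```python
import re

# dig's text output: one header line, ";; X SECTION:" markers, then RR lines.
HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
SECTION_RE = re.compile(r"^;; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(text):
    """Return (status, sections); each RR becomes (owner, ttl, type, rdata)."""
    status, section = None, None
    sections = {"QUESTION": [], "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            status = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or line.startswith(";;") or section is None:
            continue
        if section == "QUESTION":                 # ";name.   IN   TYPE"
            parts = line.lstrip(";").split()
            sections["QUESTION"].append((parts[0].lower(), parts[-1]))
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            sections[section].append((owner.lower(), int(ttl), rtype, rdata.strip()))
    return status, sections


def classify(status, sections, zone):
    """Classify the reply to the question in `sections` (RFC 2308 section 2).

    `zone` is the zone the resolver expects to be answering.  A NODATA reply whose
    SOA owner is a different name fails the consistency check Tony describes."""
    qname, qtype = sections["QUESTION"][0]
    cnames = {o: r.lower() for o, _, t, r in sections["ANSWER"] if t == "CNAME"}
    target, chain = qname, []
    while target in cnames and target not in chain:   # follow the chain; stop on a loop
        chain.append(target)
        target = cnames[target]
    if any(o == target and t == qtype for o, _, t, _ in sections["ANSWER"]):
        return "DATA"
    if status == "NXDOMAIN":
        return "NXDOMAIN"
    if status != "NOERROR":
        return status                # SERVFAIL, REFUSED, ...: not a negative answer at all
    soa_owners = [o for o, _, t, _ in sections["AUTHORITY"] if t == "SOA"]
    if not soa_owners:
        return "NODATA (no SOA in authority section)"
    if soa_owners[0] != zone.lower():
        return "INCONSISTENT: SOA owner %s is not the expected zone %s" % (soa_owners[0], zone)
    return "NODATA at end of CNAME chain" if chain else "NODATA"


def classify_dig(text, zone):
    status, sections = parse_dig(text)
    return classify(status, sections, zone)


# Doug's answer section with the AAAA question ping6 asks; authority record constructed.
APPLE = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64776
;; QUESTION SECTION:
;www.apple.com.                 IN      AAAA
;; ANSWER SECTION:
www.apple.com.                 281 IN CNAME www.isg-apple.com.akadns.net.
www.isg-apple.com.akadns.net.   60 IN CNAME www.apple.com.edgekey.net.
www.apple.com.edgekey.net.   17295 IN CNAME e3191.c.akamaiedge.net.
;; AUTHORITY SECTION:
c.akamaiedge.net.               60 IN SOA ns.invalid. hostmaster.invalid. 1 3600 600 604800 60
"""

# Constructed from Tony's description: NODATA for a non-A query, SOA owner is the parent.
MAILERGOAT = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      AAAA
;; AUTHORITY SECTION:
rsi.co.jp.                    3600 IN SOA ns.invalid. hostmaster.invalid. 1 3600 600 604800 3600
"""

# Karl's cached goelexports.com answer from the other thread (header line constructed).
GOEL = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; QUESTION SECTION:
;goelexports.com.               IN      A
;; ANSWER SECTION:
goelexports.com.             14057 IN A 69.16.253.121
;; AUTHORITY SECTION:
goelexports.com.             84408 IN NS ns5.webcomindia.net.
goelexports.com.             84408 IN NS ns4.webcomindia.net.
"""

if __name__ == "__main__":
    print(classify_dig(APPLE, "c.akamaiedge.net."))           # NODATA at end of CNAME chain
    print(classify_dig(MAILERGOAT, "mailergoat.rsi.co.jp."))  # INCONSISTENT: SOA owner ...
    print(classify_dig(GOEL, "goelexports.com."))             # DATA
```

For Doug's case the classifier lands on "NODATA at end of CNAME chain": the chain is valid and the last name exists, there is simply no record of the requested type, which is the ordinary NODATA outcome rather than a resolution failure. For the mailergoat case it returns the INCONSISTENT verdict, which is what BIND's SERVFAIL is signalling: the reply is neither a usable NODATA nor an NXDOMAIN, so it is not cached or trusted.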
AXFR/IN' denied
Greetings

I have 2 systems master and slave, the slave seems to not allow the zone transfer.

master 192.168.1.2

//
// mydomain.com
zone mydomain.com {
    type master;
    file domain.db;
    allow-transfer { 192.168.96.3; };
    allow-update { none; };
};
zone 96.168.192.in-addr.arpa {
    type master;
    file in-arpa-192/REV-NOC.db;
};
zone 97.168.192.in-addr.arpa {
    type master;
    file in-arpa-192/REV-EDC.db;
};

slave; 192.168.1.3

//
// mydomain.com
zone mydomain.com {
    type slave;
    masters { 192.168.96.2; };
    file domain.db;
    allow-transfer { none; };
};
zone 96.168.192.in-addr.arpa {
    type slave;
    masters { 192.168.96.2; };
    file in-arpa-209/REV-NOC.db;
};
zone 97.168.192.in-addr.arpa {
    type slave;
    masters { 209.96.96.2; };
    file in-arpa-209/REV-EDC.db;
};

here is the log output from master

-Apr-2011 22:54:17.539 security: error: client 192.168.96.3#60712: view com.basd.DNS.public: zone transfer '96.168.192.in-addr.arpa/AXFR/IN' denied
-Apr-2011 22:54:17.539 security: error: client 192.168.96.3#60737: view com.basd.DNS.public: zone transfer '97.168.192.in-addr.arpa/AXFR/IN' denied

from slave

27-Apr-2011 22:57:23.039 general: info: zone 96.168.192.in-addr.arpa/IN/com.basd.DNS.public: Transfer started.
27-Apr-2011 22:57:23.041 xfer-in: info: transfer of '96.168.192.in-addr.arpa/IN/com.basd.DNS.public' from 192.168.96.2#53: connected using 192.168.96.3#60755
27-Apr-2011 22:57:23.042 xfer-in: error: transfer of '96.168.192.in-addr.arpa/IN/com.basd.DNS.public' from 192.168.96.2#53: failed while receiving responses: REFUSED
27-Apr-2011 22:57:23.042 xfer-in: info: transfer of '96.168.192.in-addr.arpa/IN/com.basd.DNS.public' from 192.168.96.2#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

firewall on the slave is off and the master has an allow statement for dns

12310271101096192 allow tcp from any to any dst-port 53
12310 2124656 168384287 allow udp from any to any dst-port 53

not sure what I missed, any insight would be helpful

-j
Re: AXFR/IN' denied
On 04/28/11 05:10, jeffrey j donovan wrote:
> Greetings
>
> I have 2 systems master and slave, the slave seems to not allow the zone transfer.

It's the master that doesn't allow zone transfer. You have allow-transfer and allow-update in mydomain.com (which I guess is transferring correctly, at least nothing you've written says otherwise), but you don't have these in reverse zones.

Torinthiel

> master 192.168.1.2
>
> //
> // mydomain.com
> zone mydomain.com {
>     type master;
>     file domain.db;
>     allow-transfer { 192.168.96.3; };
>     allow-update { none; };
> };
> zone 96.168.192.in-addr.arpa {
>     type master;
>     file in-arpa-192/REV-NOC.db;
> };
> zone 97.168.192.in-addr.arpa {
>     type master;
>     file in-arpa-192/REV-EDC.db;
> };
>
> slave; 192.168.1.3
>
> //
> // mydomain.com
> zone mydomain.com {
>     type slave;
>     masters { 192.168.96.2; };
>     file domain.db;
>     allow-transfer { none; };
> };
> zone 96.168.192.in-addr.arpa {
>     type slave;
>     masters { 192.168.96.2; };
>     file in-arpa-209/REV-NOC.db;
> };
> zone 97.168.192.in-addr.arpa {
>     type slave;
>     masters { 209.96.96.2; };
>     file in-arpa-209/REV-EDC.db;
> };
>
> here is the log output from master
>
> -Apr-2011 22:54:17.539 security: error: client 192.168.96.3#60712: view com.basd.DNS.public: zone transfer '96.168.192.in-addr.arpa/AXFR/IN' denied
> -Apr-2011 22:54:17.539 security: error: client 192.168.96.3#60737: view com.basd.DNS.public: zone transfer '97.168.192.in-addr.arpa/AXFR/IN' denied
>
> from slave
>
> 27-Apr-2011 22:57:23.039 general: info: zone 96.168.192.in-addr.arpa/IN/com.basd.DNS.public: Transfer started.
> 27-Apr-2011 22:57:23.041 xfer-in: info: transfer of '96.168.192.in-addr.arpa/IN/com.basd.DNS.public' from 192.168.96.2#53: connected using 192.168.96.3#60755
> 27-Apr-2011 22:57:23.042 xfer-in: error: transfer of '96.168.192.in-addr.arpa/IN/com.basd.DNS.public' from 192.168.96.2#53: failed while receiving responses: REFUSED
> 27-Apr-2011 22:57:23.042 xfer-in: info: transfer of '96.168.192.in-addr.arpa/IN/com.basd.DNS.public' from 192.168.96.2#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
>
> firewall on the slave is off and the master has an allow statement for dns
>
> 12310271101096192 allow tcp from any to any dst-port 53
> 12310 2124656 168384287 allow udp from any to any dst-port 53
>
> not sure what I missed, any insight would be helpful
>
> -j
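Torinthiel's diagnosis in concrete form, as an added example rather than configuration from the thread: the two reverse zones on the master get the same allow-transfer and allow-update statements mydomain.com already has, so the AXFR from 192.168.96.3 is no longer REFUSED, and nobody else can pull the zone. The addresses are taken from the log (master 192.168.96.2, slave 192.168.96.3, which is what the transfer actually uses rather than the 192.168.1.x labels); the example also assumes both reverse zones on the slave pull from that same master, where the original lists 209.96.96.2 for the 97 zone. Since the log names the view com.basd.DNS.public, these stanzas belong inside that view, where the existing ones are.

```conf
// Master (192.168.96.2): reverse zones now carry the same access statements as mydomain.com.
zone "96.168.192.in-addr.arpa" {
    type master;
    file "in-arpa-192/REV-NOC.db";
    allow-transfer { 192.168.96.3; };   // only the slave may AXFR
    allow-update { none; };             // no dynamic updates to the reverse zones
};
zone "97.168.192.in-addr.arpa" {
    type master;
    file "in-arpa-192/REV-EDC.db";
    allow-transfer { 192.168.96.3; };
    allow-update { none; };
};

// Slave (192.168.96.3): both reverse zones pull from the master at 192.168.96.2 (assumed).
zone "96.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.96.2; };
    file "in-arpa-209/REV-NOC.db";
    allow-transfer { none; };           // the slave serves but never re-exports the zone
};
zone "97.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.96.2; };
    file "in-arpa-209/REV-EDC.db";
    allow-transfer { none; };
};
```

A zone stanza without allow-transfer inherits the value set in the options block, so the other way to get the same result is a global `allow-transfer { none; };` in options plus the per-zone override shown above for the zones the slave needs; either way the "zone transfer ... denied" line in the master's security log is the thing to watch after the change, and `rndc reload` on the master followed by `rndc retransfer 96.168.192.in-addr.arpa` on the slave confirms the fix without waiting for the refresh timer.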