Cache only and reverse mapping

2011-12-15 Thread sasa sasa
For an ISP, is there any risk in configuring BIND DNS as cache only and adding 
customer's reverse mapping zones?
Any other possible implementations?

regards,
Sa

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: bind as a service on windows -c option not working

2011-12-15 Thread Danny Mayer
On 12/15/2011 5:52 AM, Vbvbrj wrote:
 On 15.12.2011 03:11, Danny Mayer wrote:
 On 12/14/2011 2:35 PM, Vbvbrj wrote:
 Bind 9.8.1 P1 installed in D:\bind9.
 Config files and other zone files and log files in D:\bind_config
 Service configuration: Path to executable
 D:\bind9\bin\named.exe -c D:\bind_config\etc\named.conf
 I haven't looked at this part of the code in a long time but it should
 work. Though the registry key should be ImagePath. Did you use
 BINDInstall to install it?
 Yes I used BINDInstall to install the service, and then modified the
 service to add the -c option.

That's fine. This was one unimplemented feature for BINDInstall.

 named.conf has the line:
 directory D:\named.conf;

 Unless you actually have a folder called D:\named.conf\ then I suspect
 this is wrong. It should be the directory containing your files not the
 name of the config file.
 Oh, this is my error. The line is:
 directory D:\bind_config
 Is there a reason that you want to look for it in a different place
 from where it is currently looking? What's the real issue behind your
 question. Danny 
 I want to keep all the files related to bind in one folder, not across
 the system folder. And keeping the named.conf in the system32 folder may
 be lost when the system is reinstalled and in a hurry the file is
 forgotten to be copied.

If you install the software in D:\bind9 then the binaries will be in
D:\bind9\bin and the config file named.conf will be in D:\bind9\etc. I
don't think you need anything else.

 And the other thing is keeping the system's registry as simple and clean
 as possible, by not using registry for start-up arguments and indicating
 them in the command line for the service. This I managed to do for most
 of the services I use.

If you do the above then you don't need to change anything in the
registry. That's the default behavior. If there are changes you want to
have added send a message to bind9-bugs.

Danny


Re: BIND for Active directory with secure update

2011-12-15 Thread Danny Mayer
On 12/14/2011 2:36 PM, Vbvbrj wrote:
 Hello.
 
 I've set up BIND to serve the requests to the LAN instead of Microsoft DNS by
 first setting BIND as a secondary DNS server for Microsoft DNS, copying the
 zones, and making BIND the master. In order for domain member hosts
 to update the records of their names in DNS, I allow unsecure
 updates from the LAN computers. It's a security threat of poisoning the
 DNS. I would like to set up secure updates by the domain servers. On the
 internet I read about using allow-update with a key file. But I didn't
 find a page on how to get the key from the Active Directory Kerberos
 system. Could anyone point me to setting up secure updates to BIND with a
 key from the already deployed Active Directory?
 
 The BIND is running under the windows.

GSS-TSIG is not implemented for BIND9 on Windows.

Danny


Re: Cache only and reverse mapping

2011-12-15 Thread /dev/rob0
On Thursday 15 December 2011 02:07:12 sasa sasa wrote:
 For an ISP, is there any risk in configuring BIND DNS as cache
 only and adding customer's reverse mapping zones? Any other
 possible implementations?

To be precise, when you are serving any zones authoritatively, your 
server is no longer cache only.

There is no difference between in-addr.arpa zones and other zones, as 
far as named/DNS is concerned. If you have been delegated reverse DNS 
for your [customer's] netblocks, you do indeed need to serve those
in-addr.arpa zones.

I am not sure what you are asking regarding risk and other 
implementations.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
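As an added illustration of the point above (this fragment is not from the thread), here is a named.conf that puts a delegated customer reverse zone next to the resolver service; the netblocks are RFC 5737 documentation ranges and the paths, file names and secondary address are constructed placeholders. Once the zone statement is present the server is authoritative for that zone, so the ACLs separate who may recurse from who may query the zone.

```conf
// Constructed example: netblocks are RFC 5737 documentation ranges.
acl customers { 198.51.100.0/24; 203.0.113.0/24; };

options {
    directory "/var/named";            // placeholder path
    recursion yes;
    // Recursive (cache) service only for our own customers: a resolver
    // that recurses for the whole Internet is an open resolver.
    allow-recursion { customers; localhost; };
    // Authoritative data in the zones below may be queried by anyone,
    // which is what a delegated in-addr.arpa zone requires.
    allow-query { any; };
};

// The delegated reverse zone for 203.0.113.0/24. With this statement
// loaded the server is no longer "cache only": it answers
// authoritatively for 113.0.203.in-addr.arpa, so the delegation's NS
// records must point at it.
zone "113.0.203.in-addr.arpa" {
    type master;
    file "db.203.0.113";                   // placeholder file name
    allow-transfer { 198.51.100.2; };      // constructed secondary address
    notify yes;
};
```

named-checkconf validates the fragment; a query for a PTR in the zone from outside the customers ACL should be answered authoritatively, while a recursive query from the same address should be refused.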


Re: BIND for Active directory with secure update

2011-12-15 Thread Nicholas F Miller
You need to be running Bind 9.7.2-P2 or higher for GSS-TSIG to work.

Create a user account in your AD. Then run:

ktpass -out name_of_your_keytab.keytab -princ DNS/domain.name@DOMAIN.NAME 
-pass * -mapuser AD_user_you_created@domain.name
_
Nicholas Miller, OIT, University of Colorado at Boulder




On Dec 9, 2011, at 12:07 PM, Vbvbrj wrote:

 Hello.
 
 I've set up BIND to serve the requests to the LAN instead of Microsoft DNS by 
 first setting BIND as a secondary DNS server for Microsoft DNS, copying the 
 zones, and making BIND the master. In order for domain member hosts 
 to update the records of their names in DNS, I allow unsecure 
 updates from the LAN computers. It's a security threat of poisoning the 
 DNS. I would like to set up secure updates by the domain servers. On the 
 internet I read about using allow-update with a key file. But I didn't 
 find a page on how to get the key from the Active Directory Kerberos 
 system. Could anyone point me to setting up secure updates to BIND with a 
 key from the already deployed Active Directory?
 
 The BIND is running under the windows.

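To show what the BIND side of the secure-update setup looks like, here is an added named.conf fragment that is not from the thread. It assumes a non-Windows BIND (the thread notes GSS-TSIG is not implemented for BIND 9 on Windows) with the tkey-gssapi-keytab option, the keytab produced by the ktpass command above copied to the BIND host, and the constructed names example.com / EXAMPLE.COM.

```conf
// Before (the setup described in the thread): any host on the LAN can
// send an unsigned UPDATE, so any LAN machine can rewrite any record.
zone "example.com" {
    type master;
    file "example.com.db";
    allow-update { 192.168.0.0/24; };
};

// After: updates must be signed with GSS-TSIG using a Kerberos ticket
// from the AD realm. Needs BIND 9.7.2-P2 or later (per the thread) and
// the tkey-gssapi-keytab option (assumption: older releases used
// tkey-gssapi-credential plus tkey-domain instead).
options {
    // keytab made with ktpass for the DNS/dns.example.com@EXAMPLE.COM
    // principal and copied to the BIND host (constructed path)
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

zone "example.com" {
    type master;
    file "example.com.db";
    // allow-update and update-policy are mutually exclusive; use the latter
    update-policy {
        // a machine account host$@EXAMPLE.COM may change only the
        // A/AAAA records of host.example.com
        grant EXAMPLE.COM ms-self * A AAAA;
        // domain controllers register their SRV/CNAME records under
        // _msdcs; add matching rules for _tcp, _udp and _sites if needed
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. ANY;
    };
};
```

After named-checkconf passes, a domain-joined host can test a signed update with nsupdate -g; an unsigned update to the same zone should now be refused.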


Re: bind as a service on windows -c option not working

2011-12-15 Thread Danny Mayer
On 12/15/2011 11:43 AM, Vbvbrj wrote:
 On 15.12.2011 15:39, Danny Mayer wrote:
 
 Thanks for answering.
 I want to keep all the files related to bind in one folder, not across
 the system folder. And keeping the named.conf in the system32 folder may
 be lost when the system is reinstalled and in a hurry the file is
 forgotten to be copied.
 If you install the software in D:\bind9 then the binaries will be in
 D:\bind9\bin and the config file named.conf will be in D:\bind9\etc. I
 don't think you need anything else.
 The production I use for now is configured like you wrote: all files
 under the install directory.
 
 And the other thing is keeping the system's registry as simple and clean
 as possible, by not using registry for start-up arguments and indicating
 them in the command line for the service. This I managed to do for most
 of the services I use.
 If you do the above then you don't need to change anything in the
 registry. That's the default behavior. If there are changes you want to
 have added send a message to bind9-bugs.
 This is the problem. If the InstallDir key is deleted from the
 registry, BIND at start searches for the named.conf in the
 system32\etc folder and fails with an error. That's why I asked about
 the -c option that is not taken. If, without that registry key, the
 BIND service would try to find a named.conf under the etc folder from
 where the executable resides, it would be easier. For example PHP is
 searching for the ini file in the system32 folder, then in the executable
 folder, then in paths.
 

InstallDir is required in the registry for proper administration of BIND9.

Danny


Bind, rpz and views

2011-12-15 Thread Job
Hello Bind ML,

I am trying to set up some blacklists for some users.

I have a file for every blacklist, example: blacklistA blacklistB blacklistC.

I have to assign different combinations of A B C to users.

I created BIND DNS views that, by matching the client's source IP, provide different 
answers according to match-clients.

The problem is that, when scaling this configuration, BIND requests lots of 
memory because, if the blacklistA file is requested from 100 different users in 
100 different views, it loads the file 100 times!

Is there a way to reuse that same file without loading it, in memory, n times?

Thank you!

Francesco

Re: Fwd: Re: .TLD minimum number of nameservers rule

2011-12-15 Thread Kevin Darcy
To settle the question of "are 2 nameservers required by the RFCs?", I'm 
surprised you guys missed this text in RFC 1034, Section 4.1:


   A given zone will be available from several name servers to insure
   its availability in spite of host or communication link failure. By
   administrative fiat, we require every zone to be available on at
   least two servers, and many zones have more redundancy than that.


This is an administrative fiat, you can't get much clearer than that.



- Kevin

On 12/12/2011 6:20 PM, nudge...@fastmail.fm wrote:

Thanks all. Chris, Anand that's very useful to know, sorry Jeff and Philippe,
your interesting suggestions won't work in this case.

If I attack the problem from the other way down instead, the fact my current
registrar doesn't allow me to add PTR or DNAME records to my top level domain
limits what exactly ? For instance, would this be a problem when implementing a
wide area bonjour subdomain using my own local dns server for clients that are
mobile (internal/external) ?

I'm only allowed to add A NS MX CNAME TXT and SRV records via the web interface
of my registrar and I imagined that I'd need PTRs or a DNAME or some other glue
frustratingly unavailable. Having heard your response to my original question,
I'm now desperately wishing that I got that wrong...


On Dec 12 2011, Anand Buddhdev wrote:


I suspect that most, if not all registries will require you to provide
at least 2 name servers, because this is highly recommended in one of
the RFCs (forget which one now).

This seems to go right back to RFC 882 (November 1983):

| The domain must provide redundant (i.e., two or more) name servers
| to provide the name to address resolution service.  These name
| servers must be accessible from outside the domain (as well as
| inside) and must resolve names for at least all the hosts in the
| domain.

RFC 1035 (November 1987) just mentions this in section 2.1 Overview:

| Different parts of the domain space are stored in different name
| servers, although a particular data item will be stored redundantly
| in two or more name servers.

while RFC 2182 (July 1997), which I suspect is the one Anand had in
mind, says in section 5 How many secondaries?:

| The DNS specification and domain name registration rules require at
| least two servers for every zone.

before going on to recommend more than two in most cases.




Re: Fwd: Re: .TLD minimum number of nameservers rule

2011-12-15 Thread Chris Thompson

On Dec 15 2011, Kevin Darcy wrote:

To settle the question of "are 2 nameservers required by the RFCs?", I'm 
surprised you guys missed this text in RFC 1034, Section 4.1:


   A given zone will be available from several name servers to insure
   its availability in spite of host or communication link failure. By
   administrative fiat, we require every zone to be available on at
   least two servers, and many zones have more redundancy than that.


This is an administrative fiat, you can't get much clearer than that.


Indeed, that's a better quote than my one from RFC 1035. How did I miss it?
Well, it turns out that the word "two" above occurs at the beginning of a
line in rfc1034.txt, and I was searching for the string " two " ... :-(

[Too many false drops if you search for just the three-character string,
because of "network".] 


--
Chris Thompson
Email: c...@cam.ac.uk




information in slave zone file

2011-12-15 Thread hugo hugoo

Hello,

I have recently done a migration bind8 to bind9.
I have remarked that in my slave zone files, I no longer have some 
interesting information I had with bind8.
This information is the comments on the last zone transfer.

Can anybody tell me if it is possible in BINDP to have the same info?

Thanks in advance,

bind8
--
 The first 5 lines have disappeared in bind9
 
dnszone001:/export/live/zones/slave# more symphony-solutions.eu

; BIND version named 8.4.7-REL-NOESW Mon Sep 25 00:30:06 UTC 2006
; BIND version lamont@mix:/build/lamont/bind-8.4.7/src/bin/named
; zone 'symphony-solutions.eu'   last serial 116233
; from [194.44.122.66].53 (local [195.238.3.17].51242) using AXFR at Tue Nov  8 
06:20:54 2011
; NOT TSIG verified
$ORIGIN eu.
symphony-solutions  3600IN  SOA dc-1.symphony-solutions.eu. 
hostmaster.symphony-solutions.eu. (
116235 900 600 86400 3600 )
600 IN  A   192.168.0.42
600 IN  A   192.168.0.32
3600IN  A   178.20.153.9
600 IN  A   172.22.32.32
600 IN  A   192.168.0.31
3600IN  NS  ns2.skynet.be.
   
3600IN  NS  ns3.skynet.be.
   
0   IN  NS  alpha.freehost.com.ua.



Re: information in slave zone file

2011-12-15 Thread Mark Andrews

Please contact your MUA vendor and report that their printed-quotable
generation is broken.  printed-quotable SHOULD NOT be escaping ;
and ,.  printed-quotable should be doing the bare minimum of
transformation as one of its design goals is for the result to be
readable by HUMANS.  Unnecessary transformations break that goal.

To answer your question, no this information is not recorded.
Additionally the default format in BIND 9.9 is raw.

Mark

In message dub109-w44b24b573b5eb9751ec71aac...@phx.gbl, hugo hugoo writes:
 
 Hello=2C
 
 I have recently done a migration bind8 to bind9.
 I have remarked that in my slave zones file=2C I did not have anymore some =
 interesting information I had with bind8.
 These informations are comments on the last zone transfer.
 
 Can anybody tell me if it is possible in BINDP to have the same info?
 
 Thanks in advance=2C
 
 bind8
 --
  The 5 first lines have disappeared in bind9
 =20
 dnszone001:/export/live/zones/slave# more symphony-solutions.eu
 
 =3B BIND version named 8.4.7-REL-NOESW Mon Sep 25 00:30:06 UTC 2006
 =3B BIND version lamont@mix:/build/lamont/bind-8.4.7/src/bin/named
 =3B zone 'symphony-solutions.eu'   last serial 116233
 =3B from [194.44.122.66].53 (local [195.238.3.17].51242) using AXFR at Tue =
 Nov  8 06:20:54 2011
 =3B NOT TSIG verified
 $ORIGIN eu.
 symphony-solutions  3600IN  SOA dc-1.symphony-solutions.eu.=
  hostmaster.symphony-solutions.eu. (
 116235 900 600 86400 3600 )
 600 IN  A   192.168.0.42
 600 IN  A   192.168.0.32
 3600IN  A   178.20.153.9
 600 IN  A   172.22.32.32
 600 IN  A   192.168.0.31
 3600IN  NS  ns2.skynet.be.
   =20
 3600IN  NS  ns3.skynet.be.
   =20
 0   IN  NS  alpha.freehost.com.ua.
 
 
 =
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org