Same Transaction ID queries
Hi all, We have an observation for some queries where BIND caching server receives multiple queries (three or four, A or ) for a domain name, with the same transaction ID in the DNS header in all query packets, and one response packet is sent back from the server only for these queries. The client IP,source port and Server IP is the same in these queries. Is this the right BIND behavior in this case or it is an issue. Regards, Naser Al Hattab. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
How to validate DNSSEC signed record with dig?
Hi! I am trying to validate DNSSEC signature on ns record using dig. Domain nox.su is properly signed using DNSSEC. Prove link: http://dnssec-debugger.verisignlabs.com/nox.su I am trying to validate it as dicribed here: http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/ $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . trusted-key.key $ dig +topdown +sigchase nox.su but it gives me ;; DSset is missing to continue validation: FAILED error while processing the whole hierarchy of zones. $ cat /etc/resolv.conf # Generated by NetworkManager domain router search router nameserver 8.8.8.8 nameserver 78.46.213.227 dig is built with DIG_SIGCHASE option. What am I doing wrong and how to do it right? :-) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: How to validate DNSSEC signed record with dig?
I am trying to validate DNSSEC signature on ns record using dig. Domain nox.su is properly signed using DNSSEC. I am trying to validate it as dicribed here: http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/ $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . trusted-key.key $ dig +topdown +sigchase nox.su but it gives me ;; DSset is missing to continue validation: FAILED error while processing the whole hierarchy of zones. $ cat /etc/resolv.conf # Generated by NetworkManager domain router search router nameserver 8.8.8.8 nameserver 78.46.213.227 Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com) doesn't appear to offer DNSSEC validation, and 78.46.213.227 (rms.coozila.com) doesn't respond to my query at all. A known-good publicly accessible DNSEC-validating recursive resolver is available at bind.odvr.dns-oarc.net. If I run dig @bind.odvr.dns-oarc.net nox.su +dnssec, I get an AD (authenticated data) flag returned for the A record with IPv4 address 50.16.193.159. This is a prima facie indication that DNSSEC is working for nox.su. The +topdown option isn't available to me (bind 9.9.0rc2 version of dig). Jeffry A. Spain Network Administrator Cincinnati Country Day School ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
zone serial (0) unchanged. zone may fail to transfer to slaves.
named (BIND 9.7.4-P1) fills up my log with these errors about various zones which I do not find in name,conf on the slave nor on the master: err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone 127.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail to transfer to slaves. err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone 254.169.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail to transfer to slaves. err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone 2.0.192.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail to transfer to slaves. What is causing this? Thank you so much, Mohamed. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: zone serial (0) unchanged. zone may fail to transfer to slaves.
Ignore it. The message is suppressed in the next maintence release. In message cagf_jtcqngxa4ulnvfvdgvyscqz-k9fvgfanvwbwmbgix+f...@mail.gmail.com , Mohamed Lrhazi writes: named (BIND 9.7.4-P1) fills up my log with these errors about various zones which I do not find in name,conf on the slave nor on the master: err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone 127.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail to transfer to slaves. err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone 254.169.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail to transfer to slaves. err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone 2.0.192.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail to transfer to slaves. What is causing this? Thank you so much, Mohamed. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: zone serial (0) unchanged. zone may fail to transfer to slaves.
named (BIND 9.7.4-P1) err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone 127.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail to transfer to slaves. Ignore it. The message is suppressed in the next maintence release. I see similar messages in 9.9.0rc2, where I have configured a server to receive unsigned zones for DNSSEC inline signing from a bind10-devel-20120119 hidden master and to serve the signed zones to two bind10-devel-20120119 slaves: Feb 4 15:53:46 nsb0s named[9090]: zone jspain.us/IN (signed): zone serial (2012013003) unchanged. zone may fail to transfer to slaves. The 9.9.0rc2 server is configured with the option notify explicit; and the zones, which are of type slave, are configured with masters { address of bind10 hidden master }; and also notify { addresses of bind10 slaves };. Is it this particular configuration that triggers this message? or should I look for other issues? or should this message be ignored in this context as well? Thanks. Jeff. Jeffry A. Spain Network Administrator Cincinnati Country Day School ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: zone serial (0) unchanged. zone may fail to transfer to slaves.
In message 7610864823c0d04d89342623a3adc9de2e2fd...@hopple.countryday.net, Spain, D r. Jeffry A. writes: named (BIND 9.7.4-P1) err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone 127.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail=20 to transfer to slaves. Ignore it. The message is suppressed in the next maintence release. I see similar messages in 9.9.0rc2, where I have configured a server to rec= eive unsigned zones for DNSSEC inline signing from a bind10-devel-20120119 = hidden master and to serve the signed zones to two bind10-devel-20120119 sl= aves: Feb 4 15:53:46 nsb0s named[9090]: zone jspain.us/IN (signed): zone serial = (2012013003) unchanged. zone may fail to transfer to slaves. The 9.9.0rc2 server is configured with the option notify explicit; and th= e zones, which are of type slave, are configured with masters { address of= bind10 hidden master }; and also notify { addresses of bind10 slaves }= ;. Is it this particular configuration that triggers this message? or shou= ld I look for other issues? or should this message be ignored in this conte= xt as well? Thanks. Jeff. Jeffry A. Spain Network Administrator Cincinnati Country Day School I suspect that is is benign. Had you just thawed the server/zone? Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users