Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-30 Thread Chris Thompson

On Apr 30 2012, Warren Kumari wrote:


On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote:

[...]

From a Comcast talk at SATIN 2012 I believe they called that a negative
trust anchor, and IIRC, the author wanted to publish a draft of its
operation. Haven't seen it yet though, and it's probably off topic as
regards BIND.


http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01

Being actively discussed on DNSOP list  


It *was* being actively discussed there, up until about 10 days ago. Since
then the participants seem to have stopped, maybe from sheer exhaustion, as
it was pretty clear that there were irreconcilable opinions on the subject.

It may be worth noting in the bind-users context that ISC's [quick check -
what is he these days - ah yes...] Chairman & Chief Scientist expressed
fairly, well, negative opinions about negative trust anchors, which maybe
does not bode well for them ever appearing in BIND.

--
Chris Thompson
Email: c...@cam.ac.uk
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Operational Notification -- Segmentation Fault in resolver.c Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0

2012-04-30 Thread Michael McNally
Operational Notification -- Segmentation Fault in resolver.c
Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2,  9.9.0

Summary:

   ISC has discovered a race condition in the resolver code that
   can cause a recursive nameserver running BIND 9.6-ESV-R6, 9.7.5,
   9.8.2, or 9.9.0 to crash with a segmentation fault. Authoritative-only
   servers are not affected, but recursive-only or recursive-authoritative
   hybrid servers are at risk of crashing because of this bug.

Posting date: 30 April 2012

Program Impacted: BIND

Versions affected: 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0.

Description:

   ISC is issuing an operational notification for users running ISC
   BIND 9.6-ESV-R6, 9.7.5, 9.8.2 or 9.9.0.

   A race condition has been discovered in resolver.c that can
   result in a recursive nameserver running one of these versions
   to crash with a segmentation fault.

   This defect is not considered a security issue, as no known
   method for deliberately triggering it exists. It depends on a
   matter of random timing between multiple threads executing the
   resolver code. However, the nature of the bug is such that the
   probability of encountering the crash condition eventually
   increases in proportion to the number of queries being resolved
   as well as the number of queries being resolved simultaneously.
   Consequently, busy recursing nameservers and nameservers with
   more threads processing simultaneously are at higher risk of
   encountering this bug.

   This defect was introduced accidentally in change #3241 which
   appeared for the first time in the specified release versions.
   Prior release versions (9.6-ESV-R5-P1, 9.7.4-P1, and 9.8.1-P1
   and any earlier versions) are not affected by this bug.

   ISC is preparing replacement release versions with a delivery
   target of mid-May 2012 and a source code patch is currently
   available in the ISC Knowledge Base article:
   https://kb.isc.org/article/AA-00664

Solution:

   Authoritative-only servers do not need to address this issue.

   If you have not upgraded yet to the affected versions, postpone
   updating until they are replaced by 9.6-ESV-R7, 9.7.6, 9.8.3,
   or 9.9.1, which are to be released in mid-May 2012 and which
   will include a fix for this issue along with several minor bug
   fixes.

   If you have already upgraded a recursive server to one of the
   affected versions, you have the option of reverting to a prior
   release version, waiting for the May release of superseding
   packages including the fix, or applying the source code patch
   from ISC and rebuilding BIND.

   The source code patch can be found as an attachment to the ISC
   Knowledge Base article https://kb.isc.org/article/AA-00664

- Do you have Questions? Questions regarding this advisory should
  go to supp...@isc.org.

- Additional information on our Operational Notifications is here:
  https://www.isc.org/software/notifications, and Phased Disclosure
  Process is here: https://www.isc.org/security-vulnerability-disclosure-policy

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on
   an AS IS basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be inferred. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use of, or reliance on, this notice or materials referred to in
   this notice is at your own risk. ISC may change this notice at
   any time.



Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-30 Thread Gilles Massen
On 30/4/12 13:56 , Chris Thompson wrote:

 http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01

 Being actively discussed on DNSOP list   
 
 It *was* being actively discussed there, up until about 10 days ago. Since
 then the participants seem to have stopped, maybe from sheer exhaustion, as
 it was pretty clear that there were irreconcilable opinions on the subject.
 
 It may be worth noting in the bind-users context that ISC's [quick check -
 what is he these days - ah yes...] Chairman & Chief Scientist expressed
 fairly, well, negative opinions about negative trust anchors, which maybe
 does not bode well for them ever appearing in BIND.

Like lying resolvers or NXdomain redirection? And irrespectively of how
much I disagree with these, this is not to say that one should never
change his mind.


Gilles




Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Augie Schwer
I must be doing something wrong, because what I want to do doesn't
seem that difficult.

I have a range of IPs bound to a local interface:

lo:1  Link encap:Local Loopback
  inet addr:10.0.0.1  Mask:255.255.255.224

And I want to convince Bind to listen on sub-set of the given range (
10.0.0.2 for example ), yet when I configure that IP:

listen-on { 10.0.0.2; };

Bind won't listen on that interface:

named[15035]: not listening on any interfaces

Bind has no problem listening on 10.0.0.1 however, so there must be
some configuration option I am missing.

Any help is appreciated.

augie@augnix:~$ named -v
BIND 9.7.0-P1


-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


dynamic update to SOA records

2012-04-30 Thread cloud cache

Hello,

How to use nsupdate to dynamic update the SOA records?
For example, I want to update the zone's contact email and main NS 
server name.


Thanks.


Re: dynamic update to SOA records

2012-04-30 Thread Mark Andrews

In message 2a078dfa10a22fe23c0ad67b92b58...@mail.mxes.net, cloud cache writes:
  Hello,
 
  How to use nsupdate to dynamic update the SOA records?
  For example, I want to update the zone's contact email and main NS 
  server name.
 
  Thanks.

update add zone ttl SOA .
send

Just make sure the serial is bigger than the current serial or
it will be ignored.  The old SOA will be removed as a side effect
of the add.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Jeremy C. Reed
On Mon, 30 Apr 2012, Augie Schwer wrote:

 I must be doing something wrong, because what I want to do doesn't
 seem that difficult.
 
 I have a range of IPs bound to a local interface:
 
 lo:1  Link encap:Local Loopback
   inet addr:10.0.0.1  Mask:255.255.255.224
 
 And I want to convince Bind to listen on sub-set of the given range (
 10.0.0.2 for example ), yet when I configure that IP:
 
   listen-on { 10.0.0.2; };
 
 Bind won't listen on that interface:
 
 named[15035]: not listening on any interfaces
 
 Bind has no problem listening on 10.0.0.1 however, so there must be
 some configuration option I am missing.
 
 Any help is appreciated.
 
 augie@augnix:~$ named -v
 BIND 9.7.0-P1

Your interface output above doesn't show the other IP.

Maybe you need to run something like:

ifconfig lo:1 10.0.0.2 up


Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Tony Finch
Augie Schwer augie.sch...@gmail.com wrote:

 I have a range of IPs bound to a local interface:

 lo:1  Link encap:Local Loopback
   inet addr:10.0.0.1  Mask:255.255.255.224

 And I want to convince Bind to listen on sub-set of the given range (
 10.0.0.2 for example )

You can't do that without hacking the network stack, as far as I know. See
for instance this rather old FreeBSD patch. Note that even this doesn't
quite do what you want since it doesn't allow you to bind to a subset of a
CIDR range configured on an interface.
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/12071

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Fisher, German Bight: North or northeast 3 or 4, occasionally 5. Slight or
moderate. Fair. Moderate or good.


Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Anand Buddhdev
On 30/04/2012 23:56, Augie Schwer wrote:

 I must be doing something wrong, because what I want to do doesn't
 seem that difficult.
 
 I have a range of IPs bound to a local interface:
 
 lo:1  Link encap:Local Loopback
   inet addr:10.0.0.1  Mask:255.255.255.224

This means you've got 10.0.0.1 on the interface lo:1. You don't have
10.0.0.2 configured yet. You need to create extra virtual interfaces
called lo:2, lo:3 and so on, and give them addresses 10.0.0.2 and
10.0.0.3 and so on.

 And I want to convince Bind to listen on sub-set of the given range (
 10.0.0.2 for example ), yet when I configure that IP:
 
   listen-on { 10.0.0.2; };
 
 Bind won't listen on that interface:
 
 named[15035]: not listening on any interfaces

That's right, because 10.0.0.2 is not yet configured.

-- 
Anand Buddhdev
RIPE NCC


Re: dynamic update to SOA records

2012-04-30 Thread Tony Finch
cloud cache i...@cloudcache.net wrote:

 How to use nsupdate to dynamic update the SOA records?
 For example, I want to update the zone's contact email and main NS server
 name.

Like this:

$ dig +noall +answer soa fanf2.ucam.org
fanf2.ucam.org. 3600 IN SOA black.dotat.at. dot.dotat.at. 40 3600 600 604800 60
$ nsupdate -l
> update add fanf2.ucam.org 3600 soa black.csi.cam.ac.uk fanf2.cam.ac.uk 41 3600 600 604800 60
> send
> quit
$ dig +noall +answer soa fanf2.ucam.org
fanf2.ucam.org. 3600 IN SOA black.csi.cam.ac.uk. fanf2.cam.ac.uk. 41 3600 600 604800 60
$

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Biscay: South backing east, 5 to 7. Moderate or rough, becoming slight or
moderate. Thundery showers. Moderate or good.
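
An added example, not part of the original posts: it builds the nsupdate commands for an SOA replacement from a `dig +noall +answer soa` line and refuses to build them when the new serial is not greater than the current one under RFC 1982 serial arithmetic, which is the comparison RFC 2136 uses for SOA updates. The function names are this example's own; the sample line is the one shown in the post above.

```python
# Added example (not from the thread): check the serial before sending an
# SOA replacement with nsupdate, then emit the commands to feed to it.

MOD = 1 << 32    # SOA serials are unsigned 32-bit values
HALF = 1 << 31


def serial_gt(new: int, cur: int) -> bool:
    """RFC 1982 serial arithmetic: is `new` greater than `cur`?"""
    for value in (new, cur):
        if not 0 <= value < MOD:
            raise ValueError(f"serial {value} does not fit in 32 bits")
    # A forward distance of 1 .. 2^31-1 counts as greater. Distance 0 is
    # "equal" and exactly 2^31 is undefined, so both are rejected.
    return 0 < (new - cur) % MOD < HALF


def parse_soa(dig_line: str) -> dict:
    """Split one `dig +noall +answer soa` line into named SOA fields."""
    tok = dig_line.split()
    # owner ttl class type mname rname serial refresh retry expire minimum
    if len(tok) != 11 or tok[2].upper() != "IN" or tok[3].upper() != "SOA":
        raise ValueError(f"not an SOA answer line: {dig_line!r}")
    soa = {"owner": tok[0], "ttl": int(tok[1]),
           "mname": tok[4], "rname": tok[5]}
    timers = ("serial", "refresh", "retry", "expire", "minimum")
    for name, value in zip(timers, tok[6:]):
        soa[name] = int(value)
    return soa


def fqdn(name: str) -> str:
    """Make the name absolute so no origin can be appended to it."""
    return name if name.endswith(".") else name + "."


def build_update(dig_line: str, mname=None, rname=None, serial=None) -> str:
    """Return nsupdate commands replacing the SOA; unset fields are kept."""
    cur = parse_soa(dig_line)
    new_serial = (cur["serial"] + 1) % MOD if serial is None else serial
    if not serial_gt(new_serial, cur["serial"]):
        raise ValueError(
            f"serial {new_serial} is not greater than {cur['serial']}; "
            "the server would ignore this update")
    fields = [fqdn(cur["owner"]), cur["ttl"], "SOA",
              fqdn(mname or cur["mname"]), fqdn(rname or cur["rname"]),
              new_serial, cur["refresh"], cur["retry"],
              cur["expire"], cur["minimum"]]
    return "update add " + " ".join(str(f) for f in fields) + "\nsend\n"


# The SOA line shown in the post above.
CURRENT = ("fanf2.ucam.org. 3600 IN SOA black.dotat.at. dot.dotat.at. "
           "40 3600 600 604800 60")

if __name__ == "__main__":
    print(build_update(CURRENT, "black.csi.cam.ac.uk", "fanf2.cam.ac.uk"),
          end="")
```

The returned text can be piped to `nsupdate -l` as in the session above.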


Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Augie Schwer
I think you've all missed the netmask there, 10.0.0.2 is in that range.

augie@augnix:~$ sudo ifconfig lo:1 10.0.0.1 netmask 255.255.255.224

augie@augnix:~$ ifconfig lo:1
lo:1  Link encap:Local Loopback
  inet addr:10.0.0.1  Mask:255.255.255.224

augie@augnix:~$ ping 10.0.0.2 -c 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.027 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

Given all that, can anyone suggest a reason why Bind won't listen on
that address?


-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Larry Brower
On 04/30/2012 04:56 PM, Augie Schwer wrote:
 I must be doing something wrong, because what I want to do doesn't
 seem that difficult.
 
 I have a range of IPs bound to a local interface:
 
 lo:1  Link encap:Local Loopback
   inet addr:10.0.0.1  Mask:255.255.255.224
 
 And I want to convince Bind to listen on sub-set of the given range (
 10.0.0.2 for example ), yet when I configure that IP:
 
   listen-on { 10.0.0.2; };
 
 Bind won't listen on that interface:
 
 named[15035]: not listening on any interfaces
 

is 10.0.0.2 bound to the server?

can you show the ip address or ifconfig output ?




-- 


Larry Brower, CCNA

Fedora Ambassador - North America
Fedora Quality Assurance
lbro...@fedoraproject.org
http://www.fedoraproject.org/


Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Augie Schwer
Thanks for the reply, please see my previous e-mail about the address
being perfectly pingable on that interface.

We run PowerDNS and Unbound with a similar interface configuration
without a problem, I'm sure Bind can too, I just need to know what the
special config. option I'm missing is.

Any help is appreciated, thank you. :)

--Augie

On Mon, Apr 30, 2012 at 4:36 PM, michoski micho...@cisco.com wrote:
 On 4/30/12 2:56 PM, Augie Schwer augie.sch...@gmail.com wrote:
 I must be doing something wrong, because what I want to do doesn't
 seem that difficult.

 I have a range of IPs bound to a local interface:

 lo:1      Link encap:Local Loopback
           inet addr:10.0.0.1  Mask:255.255.255.224

 This isn't a /27 CIDR range, it's one IP alias with the wrong netmask.  :-)

 IP aliases should generally have a 255.255.255.255 netmask, and you'd need
 to configure aliases (ifcfg-lo:0, ifcfg-lo:1, etc.) for each IP in the range
 you want to listen-on.

 And I want to convince Bind to listen on sub-set of the given range (
 10.0.0.2 for example ), yet when I configure that IP:

 listen-on { 10.0.0.2; };

 Bind won't listen on that interface:

 Yes, indeed, only 10.0.0.1 is up according to your ifconfig output.  Once
 you've fixed that, you should be able to use an IP range in your listen-on
 statement as needed, for example:

 listen-on { !10.0.0.1; 10.0.0/24; };

 The BIND ARM shows you listen-on's full syntax:

 http://ftp.isc.org/isc/bind9/cur/9.7/doc/arm/Bv9ARM.html

 Good luck.

 --
 Men use thought only to justify their wrong doings,
 and speech only to conceal their thoughts.
        -- Voltaire




-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Alan Clegg
On 4/30/2012 7:14 PM, Augie Schwer wrote:
 I think you've all missed the netmask there, 10.0.0.2 is in that range.
 
 augie@augnix:~$ sudo ifconfig lo:1 10.0.0.1 netmask 255.255.255.224

Netmask says what addresses are REACHABLE on that interface, not the
addresses assigned to that interface.

AlanC
-- 
a...@clegg.com | acl...@infoblox.com
  1.919.355.8851




Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread michoski
On 4/30/12 4:14 PM, Augie Schwer augie.sch...@gmail.com wrote:
 I think you've all missed the netmask there, 10.0.0.2 is in that range.
 
 augie@augnix:~$ sudo ifconfig lo:1 10.0.0.1 netmask 255.255.255.224
 
 augie@augnix:~$ ifconfig lo:1
 lo:1  Link encap:Local Loopback
   inet addr:10.0.0.1  Mask:255.255.255.224
 
 augie@augnix:~$ ping 10.0.0.2 -c 1
 PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.027 ms
 
 --- 10.0.0.2 ping statistics ---
 1 packets transmitted, 1 received, 0% packet loss, time 0ms
 
 Given all that, can anyone suggest a reason why Bind won't listen on
 that address?

No, we all saw the netmask.

A few tried to point out the answer...you first need to get the desired
aliases UP on the system for BIND to listen-on.

For example, loopback is 127/8 so I can ping all those addresses:

OPS:507 r...@dev-ops-test11.vega:mhoskins# ifconfig lo
lo        Link encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host
  UP LOOPBACK RUNNING  MTU:16436  Metric:1
  RX packets:32 errors:0 dropped:0 overruns:0 frame:0
  TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:8148 (7.9 KiB)  TX bytes:8148 (7.9 KiB)

OPS:508 r...@dev-ops-test11.vega:mhoskins# ping 127.0.0.2
PING 127.0.0.2 (127.0.0.2) 56(84) bytes of data.
64 bytes from 127.0.0.2: icmp_seq=1 ttl=64 time=0.012 ms

--- 127.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.012/0.012/0.012/0.000 ms

OPS:509 r...@dev-ops-test11.vega:mhoskins# ping 127.0.0.3
PING 127.0.0.3 (127.0.0.3) 56(84) bytes of data.
64 bytes from 127.0.0.3: icmp_seq=1 ttl=64 time=0.011 ms

--- 127.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.011/0.011/0.011/0.000 ms

However, I can't bind daemons to 127.0.0.2, etc. until I configure lo:0,
etc. aliases for those addresses!  If your ifconfig output doesn't show the
IP you want to listen-on, it won't work.  This is how it's been as long as
I've been alive.

If this is hard to believe, try adding a 10.0.0.2 (or whatever) loopback
alias with a netmask of 255.255.255.255 (the correct netmask for aliases)
and see how BIND behaves.

-- 
By nature, men are nearly alike;
by practice, they get to be wide apart.
-- Confucius
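
An added example, not part of the original posts and not BIND's own code: a simplified model of how the `listen-on` address match list is applied to the addresses actually assigned to interfaces, which is why an address that is only covered by an alias's netmask never gets a listener. The interface tuples, including the `lo:2` alias, are constructed sample data based on the configuration discussed in this thread.

```python
# Added example: simplified model of listen-on matching. named walks the
# addresses assigned to interfaces and keeps those the list accepts; the
# netmask of an interface is never expanded into extra addresses.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_element(text):
    """Return (negated, network) for one address match list element."""
    negated = text.startswith("!")
    text = text.lstrip("!").strip()
    if text in ("any", "none"):
        # "none" behaves like "!any"
        return (negated != (text == "none"), ANY)
    addr, slash, plen = text.partition("/")
    if slash:
        # Trailing zero octets may be omitted in prefixes: 10.0.0/24, 127/8
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return (negated, ipaddress.ip_network(f"{addr}/{plen}"))
    return (negated, ipaddress.ip_network(f"{addr}/32"))


def parse_listen_on(statement):
    """Parse 'listen-on { !10.0.0.1; 10.0.0/24; };' into a list of elements."""
    body = statement[statement.index("{") + 1:statement.rindex("}")]
    return [parse_element(e.strip()) for e in body.split(";") if e.strip()]


def allowed(acl, address):
    """First matching element decides; no match means no listener."""
    ip = ipaddress.ip_address(address)
    for negated, net in acl:
        if ip in net:
            return not negated
    return False


def listening_addresses(statement, interfaces):
    """Addresses a listener would be opened on, given (name, addr, mask)."""
    acl = parse_listen_on(statement)
    return [addr for _name, addr, _mask in interfaces if allowed(acl, addr)]


# Constructed sample: the original poster's host as ifconfig reports it.
INTERFACES = [
    ("lo", "127.0.0.1", "255.0.0.0"),
    ("lo:1", "10.0.0.1", "255.255.255.224"),
]

if __name__ == "__main__":
    # 10.0.0.2 lies inside lo:1's netmask but is not an assigned address.
    print(listening_addresses("listen-on { 10.0.0.2; };", INTERFACES))
    # After adding the alias, the range form from the thread selects it.
    fixed = INTERFACES + [("lo:2", "10.0.0.2", "255.255.255.255")]
    print(listening_addresses("listen-on { !10.0.0.1; 10.0.0/24; };", fixed))
```

An empty result corresponds to the "not listening on any interfaces" log line quoted in the thread.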



Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Larry Brower
On 04/30/2012 07:13 PM, Augie Schwer wrote:
 Thanks for the reply, please see my previous e-mail about the address
 being perfectly pingable on that interface.
 

What's that have to do with anything? It being pingable only means
something is responding for it. This does NOT mean it is on THAT
specific server. If it is not on THAT server then bind can't use it.

This isn't rocket science :)


-- 


Larry Brower, CCNA
Linux System Administrator II
HostGator.com LLC

lbro...@hostgator.com
Http://www.hostgator.com
Http://support.hostgator.com/



Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Mark Andrews

In message cbc4a14e.28bd2%micho...@cisco.com, michoski writes:
 On 4/30/12 4:14 PM, Augie Schwer augie.sch...@gmail.com wrote:
  I think you've all missed the netmask there, 10.0.0.2 is in that range.
  
  augie@augnix:~$ sudo ifconfig lo:1 10.0.0.1 netmask 255.255.255.224
  
  augie@augnix:~$ ifconfig lo:1
  lo:1  Link encap:Local Loopback
inet addr:10.0.0.1  Mask:255.255.255.224
  
  augie@augnix:~$ ping 10.0.0.2 -c 1
  PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
  64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.027 ms
  
  --- 10.0.0.2 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  
  Given all that, can anyone suggest a reason why Bind won't listen on
  that address?
 
 No, we all saw the netmask.
 
 A few tried to point out the answer...you first need to get the desired
 aliases UP on the system for BIND to listen-on.
 
 For example, loopback is 127/8 so I can ping all those addresses:
 
 OPS:507 r...@dev-ops-test11.vega:mhoskins# ifconfig lo
 lo        Link encap:Local Loopback
   inet addr:127.0.0.1  Mask:255.0.0.0
   inet6 addr: ::1/128 Scope:Host
   UP LOOPBACK RUNNING  MTU:16436  Metric:1
   RX packets:32 errors:0 dropped:0 overruns:0 frame:0
   TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:0
   RX bytes:8148 (7.9 KiB)  TX bytes:8148 (7.9 KiB)
 
 OPS:508 r...@dev-ops-test11.vega:mhoskins# ping 127.0.0.2
 PING 127.0.0.2 (127.0.0.2) 56(84) bytes of data.
 64 bytes from 127.0.0.2: icmp_seq=1 ttl=64 time=0.012 ms
 
 --- 127.0.0.2 ping statistics ---
 1 packets transmitted, 1 received, 0% packet loss, time 0ms
 rtt min/avg/max/mdev = 0.012/0.012/0.012/0.000 ms
 
 OPS:509 r...@dev-ops-test11.vega:mhoskins# ping 127.0.0.3
 PING 127.0.0.3 (127.0.0.3) 56(84) bytes of data.
 64 bytes from 127.0.0.3: icmp_seq=1 ttl=64 time=0.011 ms
 
 --- 127.0.0.3 ping statistics ---
 1 packets transmitted, 1 received, 0% packet loss, time 0ms
 rtt min/avg/max/mdev = 0.011/0.011/0.011/0.000 ms

The fact that you can ping them just means that you have a kernel
bug.

% ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
inet 127.0.0.1 netmask 0xff00 
inet6 ::1 prefixlen 128 
inet 10.53.0.1 netmask 0x 
inet6 fd92:7065:b8e:::1 prefixlen 64 
inet 10.53.0.2 netmask 0x 
inet6 fd92:7065:b8e:::2 prefixlen 64 
inet 10.53.0.3 netmask 0x 
inet6 fd92:7065:b8e:::3 prefixlen 64 
inet 10.53.0.4 netmask 0x 
inet6 fd92:7065:b8e:::4 prefixlen 64 
inet 10.53.0.5 netmask 0x 
inet6 fd92:7065:b8e:::5 prefixlen 64 
inet 10.53.0.6 netmask 0x 
inet6 fd92:7065:b8e:::6 prefixlen 64 
inet 10.53.0.7 netmask 0x 
inet6 fd92:7065:b8e:::7 prefixlen 64 
inet 10.53.0.50 netmask 0x 
inet 10.53.0.60 netmask 0x 
inet 10.53.0.70 netmask 0x 
inet 10.53.0.80 netmask 0x 
inet 10.53.0.90 netmask 0x 
inet 10.53.0.100 netmask 0x 
inet 10.53.0.110 netmask 0x 
inet 10.53.0.120 netmask 0x 
inet 10.53.0.130 netmask 0x 
inet 10.53.0.140 netmask 0x 
inet 10.53.0.150 netmask 0x 
inet 10.53.0.160 netmask 0x 
inet 10.53.0.170 netmask 0x 
% ping 127.0.0.45
PING 127.0.0.45 (127.0.0.45): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 127.0.0.45 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
% 
 
 However, I can't bind daemons to 127.0.0.2, etc. until I configure lo:0,
 etc. aliases for those addresses!  If your ifconfig output doesn't show the
 IP you want to listen-on, it won't work.  This is how it's been as long as
 I've been alive.
 
 If this is hard to believe, try adding a 10.0.0.2 (or whatever) loopback
 alias with a netmask of 255.255.255.255 (the correct netmask for aliases)
 and see how BIND behaves.
 
 -- 
 By nature, men are nearly alike;
 by practice, they get to be wide apart.
 -- Confucius
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org