RE: how to modify the cache
Steven,

Your solution is very good. It can forward the queries to the specified name servers first. But if the specified name server is enabled only when the normal DNS query process is down, how do I configure the local DNS server? The detailed scenario is described in the figure below:

[Figure: Client --(1)--> Local Resolver; Local Resolver --(2)--> Root name server; Local Resolver --(3)--> Authority DNS Server (marked X, unreachable); Local Resolver --(4)--> Hidden DNS Server]

Normally,
1) An internet user wants to access www.abc.com; a DNS request is sent to the local DNS server.
2) The local DNS server queries the root name server and the .com name server to get the authority name server of abc.com.
3) The local DNS server queries the authority name server and gets the IP.

But when the authority name server is down, the internet user won't get the IP address. My solution is as follows:
a) A hidden name server with low performance is deployed. When the authority name server can't be accessed, the local DNS server will access the hidden server.
b) The hidden server is never used in the normal situation. It acts as a cold backup for the authority name server.
c) The zone file in the hidden server is the same as the configuration in the authority name server.
d) The hidden name server doesn't appear in the NS records of the authority name server.

Btw, all of the above doesn't consider the cache in the local DNS server.

Best Regards,
Guanghua

> Date: Mon, 17 Feb 2014 09:09:13 +
> Subject: Re: how to modify the cache
> From: sjc...@gmail.com
> To: houguang...@hotmail.com
> CC: bind-users@lists.isc.org
>
> On 17 February 2014 01:17, houguanghua houguang...@hotmail.com wrote:
>> I want to override the IP address of NS, for I want to use other authority DNS which isn't registered.
>
> For that you use forwarding. Create a zone statement for the zone in question and forward the queries to a different name server. You don't need to mess with the cache.
>
> https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Bind/PowerDNS interoperability issue
Hi!

We are investigating an interoperability issue with BIND and PowerDNS.

Scenario: We have a DNSSEC-secured domain using NSEC, pasilehto.fi. This domain has two insecure delegations, 0.0.0.0.pasilehto.fi and 1.0.0.0.pasilehto.fi. We have A records 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi and 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi.

Now, if I ask DNSSEC-validating BIND version 9.9.3-P2 or 9.9.4-P2 to resolve either of those A records, I get errors, while Google's 8.8.8.8 and Unbound accept these as valid. You can go ahead and test this live; these domains are publicly available for now. There is also an open issue in GitHub for PowerDNS: https://github.com/PowerDNS/pdns/issues/1289

The errors are here:

Feb 19 10:45:52 cmouse-virtual-machine named[15177]: client 80.64.8.203#57968 (5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): query: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi IN A +E (80.64.8.203)
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 194.100.90.53#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 80.64.12.65#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::4:2#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::3:2#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::5:2#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 62.236.49.41#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid DS) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 62.236.49.41#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: validating @0x7fa3406146e0: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi A: bad cache hit (0.pasilehto.fi/DS)
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (broken trust chain) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 194.100.90.53#53

Kind regards,
Aki Tuomi
Re: intermittent resolving problem for some domains
At Wed, 19 Feb 2014 00:33:11 +0200, Daniel Dawalibi wrote:
> Kindly note that the number of recursive clients is increasing during the problem:
> recursive clients: 3700/14900/15000

I think it's likely that you have a connectivity problem. I'd suggest checking whether your server which is giving these messages can reach any of the root servers or even any of the external Internet.

Best regards,
Niall O'Reilly
Re: Bind/PowerDNS interoperability issue
Aki Tuomi cmo...@cmouse.fi wrote:
> We have A records 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi and 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi.
>
> Now, if I ask DNSSEC-validating BIND version 9.9.3-P2 or 9.9.4-P2 to resolve either of those A records, I get errors, while Google's 8.8.8.8 and Unbound accept these as valid.

I have tried this with BIND 9.9.5 and 9.10.0a2 and both resolve and validate these domains successfully.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
German Bight, Humber, Thames, Dover, Wight, Portland: West backing south, 4 or 5 increasing 6 or 7 later. Moderate. Rain at times. Moderate or good, occasionally poor.
Re: Bind/PowerDNS interoperability issue
On Wed, Feb 19, 2014 at 12:16:19PM +0200, Aki Tuomi wrote:
> Hi!
>
> We are investigating an interoperability issue with BIND and PowerDNS.

It would appear that PowerDNS is not adding non-terminals with NSEC zones. This causes 0.pasilehto.fi to return NXDOMAIN instead of NOERROR, causing this issue. When the non-terminals were added by hand, BIND accepted the zone.

Sorry for the noise.

Aki Tuomi
Re: how to modify the cache
On 19 February 2014 09:51, houguanghua houguang...@hotmail.com wrote:
> But if the specified name server is enabled only when the normal DNS query process is down, how do I configure the local DNS server? The detailed scenario is described in the figure below:

I'm not sure if that is possible; you either forward or you allow normal resolution to take place. You may be able to use static-stub in this instance, but that's not something I've ever used before. Someone else might be able to shed some light...

Steve
Re: Bind/PowerDNS interoperability issue
On Wed, Feb 19, 2014 at 11:50:24AM +, Tony Finch wrote:
> Aki Tuomi cmo...@cmouse.fi wrote:
>> We have A records 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi and 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi.
>>
>> Now, if I ask DNSSEC-validating BIND version 9.9.3-P2 or 9.9.4-P2 to resolve either of those A records, I get errors, while Google's 8.8.8.8 and Unbound accept these as valid.
>
> I have tried this with BIND 9.9.5 and 9.10.0a2 and both resolve and validate these domains successfully.

Hi, can you try again? Just to be sure.
Re: Bind/PowerDNS interoperability issue
Aki Tuomi cmo...@cmouse.fi wrote:
> Hi, can you try again? Just to be sure.

This time it failed in the way you described earlier:

19-Feb-2014 12:23:27.043 queries: info: client ::1#32049 (5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): view rec: query: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi IN A +E (::1)
19-Feb-2014 12:23:27.162 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::3:2#53
19-Feb-2014 12:23:27.212 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 80.64.12.65#53
19-Feb-2014 12:23:27.221 queries: info: client ::1#32777 (api.twitter.com): view rec: query: api.twitter.com IN A +E (::1)
19-Feb-2014 12:23:27.221 queries: info: client ::1#47673 (api.twitter.com): view rec: query: api.twitter.com IN AAAA +E (::1)
19-Feb-2014 12:23:27.258 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 62.236.49.41#53
19-Feb-2014 12:23:27.301 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 194.100.90.53#53
19-Feb-2014 12:23:27.344 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::5:2#53
19-Feb-2014 12:23:27.384 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::4:2#53
19-Feb-2014 12:23:27.384 lame-servers: info: error (no valid DS) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 194.100.90.53#53
19-Feb-2014 12:23:27.449 dnssec: info: validating @0x806dca500: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi A: bad cache hit (0.pasilehto.fi/DS)
19-Feb-2014 12:23:27.449 lame-servers: info: error (broken trust chain) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 80.64.12.65#53
19-Feb-2014 12:23:27.449 query-errors: info: client ::1#32049 (5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): view rec: query failed (SERVFAIL) for 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/IN/A at query.c:7519

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Malin, Hebrides: Southeast 5 to 7, occasionally gale 8, veering west or southwest 5 or 6 later. Moderate or rough, becoming rough or very rough. Showers then rain. Good, becoming moderate or poor.
Re: Bind/PowerDNS interoperability issue
On Wed, Feb 19, 2014 at 12:27:05PM +, Tony Finch wrote:
> Aki Tuomi cmo...@cmouse.fi wrote:
>> Hi, can you try again? Just to be sure.
>
> This time it failed in the way you described earlier:
>
> 19-Feb-2014 12:23:27.043 queries: info: client ::1#32049 (5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): view rec: query: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi IN A +E (::1)
> 19-Feb-2014 12:23:27.162 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::3:2#53
> 19-Feb-2014 12:23:27.212 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 80.64.12.65#53
> 19-Feb-2014 12:23:27.221 queries: info: client ::1#32777 (api.twitter.com): view rec: query: api.twitter.com IN A +E (::1)
> 19-Feb-2014 12:23:27.221 queries: info: client ::1#47673 (api.twitter.com): view rec: query: api.twitter.com IN AAAA +E (::1)
> 19-Feb-2014 12:23:27.258 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 62.236.49.41#53
> 19-Feb-2014 12:23:27.301 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 194.100.90.53#53
> 19-Feb-2014 12:23:27.344 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::5:2#53
> 19-Feb-2014 12:23:27.384 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::4:2#53
> 19-Feb-2014 12:23:27.384 lame-servers: info: error (no valid DS) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 194.100.90.53#53
> 19-Feb-2014 12:23:27.449 dnssec: info: validating @0x806dca500: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi A: bad cache hit (0.pasilehto.fi/DS)
> 19-Feb-2014 12:23:27.449 lame-servers: info: error (broken trust chain) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 80.64.12.65#53
> 19-Feb-2014 12:23:27.449 query-errors: info: client ::1#32049 (5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): view rec: query failed (SERVFAIL) for 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/IN/A at query.c:7519

Ok. Now I didn't have the empty non-terminals
0.pasilehto.fi
0.0.pasilehto.fi
0.0.0.pasilehto.fi

Thank you so much for confirming this.
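What the missing empty non-terminals mean for the answers a validator gets, as an added example (not PowerDNS or BIND code): the parent zone's ENTs are derived from the delegation names in the thread, and a correct server's answers are compared with those of a back end that never created them. The record types held at each name are assumed.

```python
"""Empty non-terminals (ENTs) in a signed parent zone, as in the thread above.

A name that holds no records of its own but has records or a delegation
below it still exists, so an authoritative server must answer NOERROR
(NODATA) for it, not NXDOMAIN.  A validating resolver chasing the DS record
for 0.0.0.0.pasilehto.fi asks for 0.pasilehto.fi/DS on the way down; an
NXDOMAIN there is what BIND logs as "no valid DS" and "broken trust chain".

The delegation names come from the thread; the record types at each name are
assumed.  The helpers are an added illustration, not PowerDNS or BIND code.
"""

ZONE_APEX = "pasilehto.fi."

# constructed: owner name -> record types held at that name (parent zone only)
ZONE_RECORDS = {
    "pasilehto.fi.": {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"},
    "0.0.0.0.pasilehto.fi.": {"NS"},  # insecure delegation: NS but no DS
    "1.0.0.0.pasilehto.fi.": {"NS"},  # insecure delegation: NS but no DS
}


def labels(name):
    """'a.b.example.' -> ('example', 'b', 'a'): labels from the root downwards."""
    return tuple(reversed([l for l in name.lower().rstrip(".").split(".") if l]))


def to_name(label_tuple):
    """Inverse of labels(): ('example', 'b', 'a') -> 'a.b.example.'."""
    return ".".join(reversed(label_tuple)) + "."


def empty_non_terminals(apex, records):
    """Every name strictly between the apex and an owner name that is not
    itself an owner name.  A signer or back end has to know these exist,
    otherwise the server answers NXDOMAIN for them."""
    apex_depth = len(labels(apex))
    owners = {labels(n) for n in records}
    ents = set()
    for owner in owners:
        for depth in range(apex_depth + 1, len(owner)):
            if owner[:depth] not in owners:
                ents.add(to_name(owner[:depth]))
    return ents


def expected_answer(qname, apex, records):
    """What a correct server for this zone says about qname:
    'NOERROR' (data, or NODATA at an ENT), 'REFERRAL' (below a zone cut)
    or 'NXDOMAIN'."""
    q = labels(qname)
    owners = {labels(n): types for n, types in records.items()}
    if q in owners or to_name(q) in empty_non_terminals(apex, records):
        return "NOERROR"
    # a proper ancestor below the apex holding NS without SOA is a zone cut
    for depth in range(len(labels(apex)) + 1, len(q)):
        types = owners.get(q[:depth])
        if types and "NS" in types and "SOA" not in types:
            return "REFERRAL"
    return "NXDOMAIN"


def answer_without_ents(qname, apex, records):
    """The misbehaviour from the thread: a back end that never created the
    ENTs answers NXDOMAIN for them, which breaks DS lookups beneath them."""
    if to_name(labels(qname)) in empty_non_terminals(apex, records):
        return "NXDOMAIN"
    return expected_answer(qname, apex, records)


if __name__ == "__main__":
    print("ENTs:", sorted(empty_non_terminals(ZONE_APEX, ZONE_RECORDS)))
    for name in ("0.pasilehto.fi.", "0.0.0.0.pasilehto.fi.", "2.pasilehto.fi."):
        print(name, expected_answer(name, ZONE_APEX, ZONE_RECORDS),
              "vs", answer_without_ents(name, ZONE_APEX, ZONE_RECORDS))
```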
Re: bind-users Digest, Vol 1766, Issue 2
markus weber bumpemacve...@googlemail.com wrote:
> Hey Guys,
>
> I am new to administering a Bind server and after a few problems I ran into I need to monitor the zonefile transfers of my slave server. I have searched on google and nagios plugin sites but could not find anything that fits my needs entirely.
>
> Here is the Setup:
> - MS ActiveDirectory as primary Nameservers (not under my control)
> - 2 Bind server as slave for various zones (behind a loadbalancer)
>
> The problem I ran into was that the zone transfer didn't work for some reason and the zone we hold expired, causing our mailgateway to stop relaying mails :/
>
> As I said, I googled around and as I could not find anything I hacked a nagios plugin myself (you can find the code here: https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl). But I am curious if I took the right route.
>
> These are my assumptions and a first approach:
> - read named.conf and get master servers
> - query soa of slave and get serial
> - query first master and get serial
> - if serial match: get zonefile modification time (not sure if this is significant) and compare it with localtime and soa-expiretime
>   + warn or crit on threshold (stat($zoneFile)[9] + $SOA_S->expire) - time
> - if master serial > slave serial: create tempfile and check for how long it stays lower than the master's serial
>   + warn or crit on threshold
> - else test next master
> - on last master exit with error (this should not become true ever, right?)
>
> A few problems I discovered:
> - sometimes have a higher serial than all masters have. Is this normal on an AD DNS? Or am I doing something wrong? I thought this could not happen.
> - Some zones nearly always reach expiration time, and I get a lot of critical messages, and a few hours/minutes before expiration it does the update.
>
> I hope you can guide me a bit and tell me if this is what I want xD
>
> many thanks in advance
> seppovic

When I had BIND slaves of zones mastered on Windows Domain Controller DNS Servers, the problem I had was that Microsoft in the EventLog only logged successful zone transfers. I told MS (in a conversation with one of the DNS developers) that I needed failed zone transfers to be logged along with the reason for the refused transfer. The response from the developer was that MS did not want all of the failed zone transfers filling up the EventLog. In my case, there were lots of unnecessary successful zone transfers, but if one failed, I had no way of knowing why. There might have been information in the Windows dns.log file (where I had complete logging), but when that file got to its max size, MS would clear the file and start again, losing all of the information.

--Barry Finkel
Re: Re: Monitoring Zonefiletransfer
> A few problems I discovered:
> - sometimes have a higher serial than all masters have. Is this normal on an AD DNS? Or am I doing something wrong? I thought this could not happen.

Only transfer from one AD master. Microsoft AD doesn't maintain consistent serials across the servers. The serials should be monotonically increasing from an individual server.

And when I had BIND slaves for AD masters, when patches were being applied to the Domain Controllers (i.e., the ONE DC that I had selected as a master), a zone serial number would decrease. In most (but not all) cases, after the DC patching was finished, the zone serial number would go back to normal. I was not allowed to open a trouble ticket with Microsoft. Every morning at 7AM I ran a cron to capture the zone serial numbers on all of the 44+ AD zones on all my BIND DNS servers.

(I just realized that in my post about a half-hour ago on this subject, I had forgotten to change the Subject: line from the digest).

--Barry Finkel
Re: Monitoring Zonefiletransfer
>> Only transfer from one AD master. Microsoft AD doesn't maintain consistent serials across the servers. The serials should be monotonically increasing from an individual server.
>
> Oh, I didn't know that. That's weird behavior, isn't it? I will definitely give it a try; I just added 3 of those servers to the masters option because I thought it would increase the reliability in case of an error.

See MS KB article 282826, where MS documents the handling of zone serial numbers in an AD environment.

--Barry Finkel
RE: intermittent resolving problem for some domains
Hello

I am able to reach the root servers and I can resolve other domains.

; <<>> DiG 9.8.0 <<>> . ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32217
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518187  IN      NS      i.root-servers.net.
.                       518187  IN      NS      d.root-servers.net.
.                       518187  IN      NS      g.root-servers.net.
.                       518187  IN      NS      f.root-servers.net.
.                       518187  IN      NS      m.root-servers.net.
.                       518187  IN      NS      h.root-servers.net.
.                       518187  IN      NS      j.root-servers.net.
.                       518187  IN      NS      c.root-servers.net.
.                       518187  IN      NS      b.root-servers.net.
.                       518187  IN      NS      l.root-servers.net.
.                       518187  IN      NS      e.root-servers.net.
.                       518187  IN      NS      a.root-servers.net.
.                       518187  IN      NS      k.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     604587  IN      A       198.41.0.4
a.root-servers.net.     604603  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     604587  IN      A       192.228.79.201
c.root-servers.net.     604587  IN      A       192.33.4.12
d.root-servers.net.     604767  IN      A       199.7.91.13
d.root-servers.net.     604767  IN      AAAA    2001:500:2d::d
e.root-servers.net.     604587  IN      A       192.203.230.10
f.root-servers.net.     604587  IN      A       192.5.5.241
f.root-servers.net.     604587  IN      AAAA    2001:500:2f::f
g.root-servers.net.     604587  IN      A       192.112.36.4
h.root-servers.net.     604587  IN      A       128.63.2.53
h.root-servers.net.     604587  IN      AAAA    2001:500:1::803f:235
i.root-servers.net.     604765  IN      A       192.36.148.17
i.root-servers.net.     604765  IN      AAAA    2001:7fe::53

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 19 16:38:34 2014
;; MSG SIZE  rcvd: 512

Best Regards,
Daniel Dawalibi

-----Original Message-----
From: Niall O'Reilly [mailto:niall.orei...@ucd.ie]
Sent: Wednesday, February 19, 2014 1:22 PM
To: Daniel Dawalibi
Cc: bind-users@lists.isc.org
Subject: Re: intermittent resolving problem for some domains

At Wed, 19 Feb 2014 00:33:11 +0200, Daniel Dawalibi wrote:
> Kindly note that the number of recursive clients is increasing during the problem:
> recursive clients: 3700/14900/15000

I think it's likely that you have a connectivity problem. I'd suggest checking whether your server which is giving these messages can reach any of the root servers or even any of the external Internet.

Best regards,
Niall O'Reilly
Re: Monitoring Zonefiletransfer
On Tue, Feb 18, 2014 at 10:34 PM, /dev/rob0 r...@gmx.co.uk wrote:
> On Tue, Feb 18, 2014 at 11:44:15PM +0100, markus weber wrote:
>> I am new to administering a Bind server and after a few problems I ran into I need to monitor the zonefile transfers of my slave server.
>
> I think the terminology you use shows a part of the confusion. Zone *data* is transferred to slave servers, not zone *files.*

Well, yes and no...

Yes, the zone data is transferred, not the zone file -- but, isn't this kinda sorta true of any copy operation? If I copy (or transfer) a file from one machine to another, it's not that I'm actually transferring the file, I'm creating a new file on the destination and copying the contents into it. And if the hard drive architecture of the destination machine is different to the source (or perhaps if the architectures are different endianness) the destination blob of magnetic bits is subtly different. The files still *mean* the same thing, but the encoding is altered...

Same thing if I placed a color photo on a black and white photocopier -- I would be able to quite happily say that I transferred the image to a new piece of paper (actually I'd just say that I copied it...), but I didn't really -- I transferred a close enough approximation of the image.

So, yes, a zone file itself isn't copied, the contents are -- and the files themselves probably won't be binary identical[0] (especially in the case of bind raw vs text formats!), but semantically will, and that's the important bit.

But yes, I know what you mean, I'm just feeling a bit pedantic this morning.

W

>> I have searched on google and nagios plugin sites but could not find anything that fits my needs entirely.
>>
>> Here is the Setup:
>> - MS ActiveDirectory as primary Nameservers (not under my control)
>> - 2 Bind server as slave for various zones (behind a loadbalancer)
>>
>> The problem I ran into was that the zone transfer didn't work for some reason and the zone we hold expired, causing our mailgateway to stop relaying mails :/
>>
>> As I said, I googled around and as I could not find anything I hacked a nagios plugin myself (you can find the code here: https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl). But I am curious if I took the right route.
>>
>> These are my assumptions and a first approach:
>> - read named.conf and get master servers
>> - query soa of slave and get serial
>
> If query is something like dig +short zone.example. soa @slave, right.
>
>> - query first master and get serial
>
> Likewise here, s/slave/master/
>
>> - if serial match: get zonefile modification time (not sure if this is significant)
>
> It is not. Zone data is kept in memory and is written to the journal. At 15-minute intervals, the zone file is written if it differs from actual zone data.
>
>>   and compare it with localtime and soa-expiretime
>>   + warn or crit on threshold (stat($zoneFile)[9] + $SOA_S->expire) - time
>> - if master serial > slave serial: create tempfile and check for how long it stays lower than the master's serial
>>   + warn or crit on threshold
>> - else test next master
>> - on last master exit with error (this should not become true ever, right?)
>>
>> A few problems I discovered:
>> - sometimes have a higher serial than all masters have. Is this normal on an AD DNS? Or am I doing something wrong? I thought this could not happen.
>> - Some zones nearly always reach expiration time, and I get a lot of critical messages, and a few hours/minutes before expiration it does the update.
>
> Not enough here to know what's going on.
>
>> I hope you can guide me a bit and tell me if this is what I want xD
>
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
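A compact version of the serial check Markus describes, with rob0's point about the zone file's mtime folded in and RFC 1982 serial comparison added. This is an added example written for this page, not the plugin at the GitHub link; the dig output is constructed and the function and threshold names are the example's own.

```python
"""Slave-versus-master SOA check for a zone-transfer monitor, following the
approach sketched in the thread, with two corrections from the replies:
the zone file's mtime is not consulted (BIND rewrites the file on its own
schedule, so it says nothing about freshness), and serials are compared
with RFC 1982 arithmetic so a wrapped serial is not mistaken for a slave
that is "ahead" of its master.

The dig output is constructed sample data and the function and threshold
names are this example's own; this is not the plugin linked in the thread.
"""
from collections import namedtuple

SOA = namedtuple("SOA", "mname rname serial refresh retry expire minimum")

# constructed: what `dig +short zone.example. soa @server` prints on each side
SLAVE_OUT = "dc1.example.net. hostmaster.example.net. 2014021901 900 600 86400 3600\n"
MASTER_OUT = "dc1.example.net. hostmaster.example.net. 2014021903 900 600 86400 3600\n"


def parse_short_soa(text):
    """Parse the one line `dig +short ... soa` prints into an SOA tuple."""
    fields = text.split()
    if len(fields) != 7:
        raise ValueError("unexpected SOA output: %r" % text)
    return SOA(fields[0], fields[1], *(int(f) for f in fields[2:]))


def serial_cmp(a, b):
    """RFC 1982 comparison of two 32-bit serials: -1 if a < b, 1 if a > b,
    0 if equal.  A distance of exactly 2**31 is undefined by the RFC; it is
    treated as a < b so the monitor never calls the slave 'ahead' by luck."""
    if a == b:
        return 0
    return -1 if (b - a) % 2**32 <= 2**31 else 1


def check_zone(slave, master, seconds_behind, warn_at=0.5, crit_at=0.8):
    """Classify the slave's copy of one zone.

    seconds_behind is how long the slave's serial has been lower than the
    master's; the monitor keeps that between runs (the temp-file idea from
    the thread).  It stands in for 'time since the last successful refresh',
    so it is measured against the slave's own expire timer.
    Returns (state, message) with state OK, WARNING or CRITICAL."""
    order = serial_cmp(slave.serial, master.serial)
    if order == 0:
        return "OK", "serial %d in sync" % slave.serial
    if order > 0:
        # The Active Directory case from the thread: masters do not keep
        # consistent serials, so a slave can look newer than today's master.
        return "WARNING", "slave serial %d ahead of master serial %d" % (
            slave.serial, master.serial)
    if seconds_behind < slave.refresh:
        return "OK", "slave %d behind master %d, within one refresh interval" % (
            slave.serial, master.serial)
    remaining = max(slave.expire - seconds_behind, 0)
    msg = "slave %d behind master %d for %ds, about %ds before the zone expires" % (
        slave.serial, master.serial, seconds_behind, remaining)
    if seconds_behind >= crit_at * slave.expire:
        return "CRITICAL", msg
    if seconds_behind >= warn_at * slave.expire:
        return "WARNING", msg
    return "OK", msg


if __name__ == "__main__":
    slave, master = parse_short_soa(SLAVE_OUT), parse_short_soa(MASTER_OUT)
    for lag in (600, 20000, 50000, 80000):
        state, msg = check_zone(slave, master, lag)
        print("%-8s %s" % (state, msg))
```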
Re: Monitoring Zonefiletransfer
On 2014-02-19 16:06, Barry S. Finkel wrote:
> See MS KB article 282826, where MS documents the handling of zone serial numbers in an AD environment.

My experience is that it tends to work pretty well if BIND only points to one particular MS DNS server at a time, with a failover script that detects when that DNS server goes down and flips to another master (if you're worried about such things).

That being said, even without that script and with multiple MS DNS masters configured in BIND at once, any issues generally work themselves out within 15 minutes or so, once the Active Directory serial number update propagates through the MS DNS infrastructure. As described in the article, the servers self-increment properly when a slave is detected, and occasionally sync up the serial numbers between MS DNS servers (again, only moving update). The only inconsistencies are in those recently added/modified records, so if you just plan for 15 minute update times for non-MS secondaries to sync up and ignore the periodic "serial is lower than expected" warnings, multi-mastering works fine in practice.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: how to modify the cache
Not a good solution. Even under normal circumstances, there will be temporary bottlenecks, dropped packets, etc. that will trigger failover, and users will get different answers at different times. Not good for support, maintainability, user experience/satisfaction, etc.

If all you want is resilience, and you own/control the domain in question, why not just slave it (stealth slave, i.e. you don't need to publish it in the NS records)?

If you *don't* own/control the domain in question, what business do you have standing up a fake version of it in your own infrastructure? Not a best practice.

- Kevin

On 2/19/2014 4:51 AM, houguanghua wrote:
> Steven,
>
> Your solution is very good. It can forward the queries to the specified name servers first. But if the specified name server is enabled only when the normal DNS query process is down, how do I configure the local DNS server? The detailed scenario is described in the figure below:
>
> [Figure: Client --(1)--> Local Resolver; Local Resolver --(2)--> Root name server; Local Resolver --(3)--> Authority DNS Server (marked X, unreachable); Local Resolver --(4)--> Hidden DNS Server]
>
> Normally,
> 1) An internet user wants to access www.abc.com; a DNS request is sent to the local DNS server.
> 2) The local DNS server queries the root name server and the .com name server to get the authority name server of abc.com.
> 3) The local DNS server queries the authority name server and gets the IP.
>
> But when the authority name server is down, the internet user won't get the IP address. My solution is as follows:
> a) A hidden name server with low performance is deployed. When the authority name server can't be accessed, the local DNS server will access the hidden server.
> b) The hidden server is never used in the normal situation. It acts as a cold backup for the authority name server.
> c) The zone file in the hidden server is the same as the configuration in the authority name server.
> d) The hidden name server doesn't appear in the NS records of the authority name server.
>
> Btw, all of the above doesn't consider the cache in the local DNS server.
>
> Best Regards,
> Guanghua
>
>> Date: Mon, 17 Feb 2014 09:09:13 +
>> Subject: Re: how to modify the cache
>> From: sjc...@gmail.com
>> To: houguang...@hotmail.com
>> CC: bind-users@lists.isc.org
>>
>> On 17 February 2014 01:17, houguanghua houguang...@hotmail.com wrote:
>>> I want to override the IP address of NS, for I want to use other authority DNS which isn't registered.
>>
>> For that you use forwarding. Create a zone statement for the zone in question and forward the queries to a different name server. You don't need to mess with the cache.
>>
>> https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/
Difference between BIND 9.8 and 9.9
Hello

Is there a link to documentation that lists the main differences between BIND 9.8 and 9.9? I would like to read it before switching from 9.8.

Thank you
Converting an inline-signed zone to unsigned
What is the right way ... or maybe I should be asking IS there a right way ... to change a zone that has been signed by inline signing (i.e. with "inline-signing yes; auto-dnssec maintain;" in its zone statement) to unsigned?

When I change the zone statement to remove the inline signing part, update the SOA serial in the zone file for good measure, and then do either rndc reload or rndc reconfig, I get messages like

named[22954]: general: error: zone playground.test/IN: journal rollforward failed: journal out of sync with zone
named[22954]: general: error: zone playground.test/IN: not loaded due to errors.

and the zone goes into SERVFAIL state.

The only way I found out of this was to remove the [zone-file].signed and [zone-file].signed.jnl files manually, and *then* do rndc reconfig. Surely there must be something better than that?

--
Chris Thompson
Email: c...@cam.ac.uk
Re: Difference between BIND 9.8 and 9.9
From: BONNET, Frank frank.bon...@esiee.fr
Date: Wednesday, February 19, 2014 at 12:41 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Difference between BIND 9.8 and 9.9

> Hello
>
> Is there a link to documentation that lists the main differences between BIND 9.8 and 9.9? I would like to read it before switching from 9.8.
>
> Thank you

I generally browse the release notes.

https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/
Re: Difference between BIND 9.8 and 9.9
On Wed, Feb 19, 2014 at 06:00:42PM +, Mike Hoskins (michoski) wrote:
> From: BONNET, Frank frank.bon...@esiee.fr
>> Is there a link to documentation that lists the main differences between BIND 9.8 and 9.9? I would like to read it before switching from 9.8.
>
> I generally browse the release notes.
> https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/

Note as well that 9.9 is the current Extended Support Version. BIND9 version 9.10 is presently in alpha, probably soon to be beta, so depending on your needs that could be another branch to consider.

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: intermittent resolving problem for some domains
On 2/19/14, 1:33 AM, Daniel Dawalibi wrote:
> Kindly note that the number of recursive clients is increasing during the problem:
> recursive clients: 3700/14900/15000

"rndc recursing" and look to see what is plugging up your pipes.

AlanC
Re: Converting an inline-signed zone to unsigned
On 2/19/14, 8:59 PM, Chris Thompson wrote:
> What is the right way ... or maybe I should be asking IS there a right way ... to change a zone that has been signed by inline signing (i.e. with "inline-signing yes; auto-dnssec maintain;" in its zone statement) to unsigned?
>
> When I change the zone statement to remove the inline signing part, and update the SOA serial in the zone file for good measure, and then do either "rndc reload" or "rndc reconfig", I get messages like
>
>   named[22954]: general: error: zone playground.test/IN: journal rollforward failed: journal out of sync with zone
>   named[22954]: general: error: zone playground.test/IN: not loaded due to errors.
>
> and the zone goes into SERVFAIL state. The only way I found out of this was to remove the [zone-file].signed and [zone-file].signed.jnl files manually, and *then* do "rndc reconfig". Surely there must be something better than that?

Have you tried setting dnssec-secure-to-insecure and then setting all of the keys to deleted?

AlanC
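An added example, not from the thread, of what Alan's suggestion looks like in practice: the zone stanza during the secure-to-insecure transition, with the key-retirement commands in comments. The zone name is Chris's playground.test; the file paths and the key file name are assumed placeholders.

```conf
// Added example (not from the thread). Zone stanza during the
// secure-to-insecure transition: inline signing stays on for now, and
// dnssec-secure-to-insecure lets named strip the DNSSEC records itself
// once every key for the zone has reached its deletion time.
zone "playground.test" {
    type master;
    file "/var/named/playground.test.db";   // assumed path
    key-directory "/var/named/keys";        // assumed path
    inline-signing yes;
    auto-dnssec maintain;
    dnssec-secure-to-insecure yes;
};

// Commands run on the host, not in named.conf. Remove the DS record at
// the parent first and wait for its TTL to pass; otherwise validating
// resolvers treat the zone as bogus as soon as its signatures disappear.
//
//   # mark every key (KSK and ZSK) inactive and deleted as of now;
//   # the key file name is a placeholder for the real Kname+alg+id files
//   dnssec-settime -I now -D now /var/named/keys/Kplayground.test.+008+00001
//   rndc loadkeys playground.test
//
// After named has removed DNSKEY, RRSIG and NSEC/NSEC3 from the signed
// copy, drop the three DNSSEC lines from the stanza and reload. The
// manual removal of the .signed and .signed.jnl files that Chris describes
// remains the fallback if the journal still refuses to roll forward.
```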
Re: Monitoring Zonefiletransfer
On 2014-02-19 16:06, Barry S. Finkel wrote:
> See MS KB article 282826, where MS documents the handling of zone serial numbers in an AD environment.

And Dave Warren replied:
> My experience is that it tends to work pretty well if BIND only points to one particular MS DNS server at a time, with a failover script that detects when that DNS server goes down and flips to another master (if you're worried about such things).
>
> That being said, even without that script and with multiple MS DNS masters configured in BIND at once, any issues generally work themselves out within 15 minutes or so, once the Active Directory serial number update propagates through the MS DNS infrastructure. As described in the article, the servers self-increment properly when a slave is detected, and occasionally sync up the serial numbers between MS DNS servers (again, only moving update).
>
> The only inconsistencies are in those recently added/modified records, so if you just plan for 15 minute update times for non-MS secondaries to sync up and ignore the periodic "serial is lower than expected" warnings, multi-mastering works fine in practice.
>
> -- 
> Dave Warren

That MS KB article states that if a Domain Controller DNS Server is not used as a master for a slave server, then the zone serial number is irrelevant. But if the Server is used as a master, then the serial number is relevant.

Assume one zone that is mastered on two DCs, and the two serial numbers match (and the serial is N). A dynamic update for the zone is sent to DC1, and the serial number there is increased to N+1. At the same time a different dynamic update for the zone is sent to DC2, and DC2 then has serial number N+1. The two copies of the zone are different, but they both have the same serial number. When Active Directory synchronizes the zone, what serial number can it use for the synched zone? It can't use N+1, because that serial has been used, and the zone might have already been transferred to the slave server. It can't be N+2, because, in the meantime, another dynamic update may have come to DC1 or DC2, so serial N+2 might have already been used.

Another thing that I hinted at in an earlier reply: with AD zones, the serial number can increase unnecessarily. In the past, when a dynamic DNS update was sent to a DC, and that update was already in DNS (e.g., a re-lease of a DHCP address), the Windows DNS Server code treated the update as a no-op, except for updating an internal timestamp in the zone. But sometime later, MS changed the code, so that the dynamic DNS update is no longer treated as a no-op. This causes

1) the DNS update to be initially refused because it does not have TSIG authorization, and the client (or DHCP Server) has to re-send the update;

2) the zone serial number to be updated, even when there is no update to the zone; this causes unnecessary zone transfers.

--Barry Finkel
whois expiration limit?
Hi,

I know this is the BIND list, but I'm thinking folks who deal with DNS probably may be able to answer this question about whois.

We recently transferred and renewed a domain by 2 years, which pushed its expiration to 01/25/2025. The order confirmation shows that expiration, and looking at the domain at the Registrar's web site under our account it shows that expiration as well. However, when running whois both here and at the Registrar's site it shows expiration 01/25/2024. It makes me wonder if there is a 10 year limit in whois, since 2024 would be within 10 years but 2025 would be outside of it. I didn't see anything in RFC 3912 describing whois that even suggests a limit for expiration dates.

Not a big deal, as I may be dead by then either way; just wondering if anyone knows of a reason this would occur.

Please don't suggest I contact the Registrar. I already did and they seemed as clueless as I am.
Re: whois expiration limit?
On Wed, 19 Feb 2014, Lightner, Jeff wrote:
> Hi,
>
> I know this is the BIND list, but I'm thinking folks who deal with DNS probably may be able to answer this question about whois.
>
> We recently transferred and renewed a domain by 2 years, which pushed its expiration to 01/25/2025. The order confirmation shows that expiration, and looking at the domain at the Registrar's web site under our account it shows that expiration as well. However, when running whois both here and at the Registrar's site it shows expiration 01/25/2024. It makes me wonder if there is a 10 year limit in whois, since 2024 would be within 10 years but 2025 would be outside of it. I didn't see anything in RFC 3912 describing whois that even suggests a limit for expiration dates.
>
> Not a big deal, as I may be dead by then either way; just wondering if anyone knows of a reason this would occur.
>
> Please don't suggest I contact the Registrar. I already did and they seemed as clueless as I am.

Just anecdotally, but I have seen a 10 year limit on registration/renewal before. I believe CIRA only allows that, generally.

Not sure of a more appropriate list, either, so figured I'd respond here.
Re: whois expiration limit?
On 2014-02-19 20:44, Lightner, Jeff wrote:
> Hi,
>
> I know this is the BIND list, but I'm thinking folks who deal with DNS probably may be able to answer this question about whois.
>
> We recently transferred and renewed a domain by 2 years, which pushed its expiration to 01/25/2025. The order confirmation shows that expiration, and looking at the domain at the Registrar's web site under our account it shows that expiration as well. However, when running whois both here and at the Registrar's site it shows expiration 01/25/2024. It makes me wonder if there is a 10 year limit in whois, since 2024 would be within 10 years but 2025 would be outside of it. I didn't see anything in RFC 3912 describing whois that even suggests a limit for expiration dates.
>
> Not a big deal, as I may be dead by then either way; just wondering if anyone knows of a reason this would occur.
>
> Please don't suggest I contact the Registrar. I already did and they seemed as clueless as I am.

http://www.icann.org/en/resources/compliance/faqs#7

"Each registrar has the flexibility to offer initial and renewal registrations in one-year increments, provided that the maximum remaining unexpired term shall not exceed ten years."

In reality, they'll probably issue the renewal automagically once you're under the 9-year mark and the domain is renewal-eligible.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
RE: whois expiration limit?
Thanks.

My thinking was the limit was on the whois database, since the Registrar was telling me it was registered for more than 10 years. It appears, based on this Registration FAQ regarding "compliance", that the registrar may simply be showing it as 2024 because they can't really report 2025 and be in compliance. I was just having a hard time finding anything that mentioned the 10 year limit, even though it seemed likely that was the issue.

Hopefully you're correct that the Registrar will automatically adjust it before 2024. I'll set myself a reminder for next year and prompt them if they don't automatically update it themselves, so we don't have to remember in 2024 that we already paid for another year.

From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Dave Warren
Sent: Wednesday, February 19, 2014 4:17 PM
To: bind-users@lists.isc.org
Subject: Re: whois expiration limit?

> http://www.icann.org/en/resources/compliance/faqs#7
>
> "Each registrar has the flexibility to offer initial and renewal registrations in one-year increments, provided that the maximum remaining unexpired term shall not exceed ten years."
>
> In reality, they'll probably issue the renewal automagically once you're under the 9-year mark and the domain is renewal-eligible.
>
> -- 
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
Re: how to hide the slave
Stealth slave doesn't fully meet the requirement. It's just part of the requirement to not publish the slave name server in the NS records. Furthermore, the 'stealth' slave is queried by the local DNS server only when all name servers in the NS records are out of service (maybe in case of a DDoS attack).

Guanghua

-- 
On 2/19/2014 11:54 AM, Kevin wrote:
> Date: Wed, 19 Feb 2014 11:54:44 -0500
> From: Kevin Darcy k...@chrysler.com
> To: bind-users@lists.isc.org
> Subject: Re: how to modify the cache
> Message-ID: 5304e1d4.5000...@chrysler.com
>
> Not a good solution. Even under normal circumstances, there will be temporary bottlenecks, dropped packets, etc. that will trigger failover, and users will get different answers at different times. Not good for support, maintainability, user experience/satisfaction, etc.
>
> If all you want is resilience, and you own/control the domain in question, why not just slave it (stealth slave, i.e. you don't need to publish it in the NS records)?
>
> If you *don't* own/control the domain in question, what business do you have standing up a fake version of it in your own infrastructure? Not a best practice.
>
> - Kevin
>
> On 2/19/2014 4:51 AM, houguanghua wrote:
>> Steven,
>>
>> Your solution is very good. It can forward the queries to the specified name servers first. But if the specified name server is enabled only when the normal DNS query process is down, how do I configure the local DNS server?
>>
>> The detailed scenario is described in the figure below:
>>
>>   [diagram: Client Resolver -(1)-> Local DNS Server; Local DNS Server -(2)-> Root nameserver; Local DNS Server -(3)-> Authority DNS Server (marked X, unreachable); Local DNS Server -(4)-> Hidden DNS Server]
>>
>> Normally,
>> 1) An internet user wants to access www.abc.com; a DNS request is sent to the local DNS server
>> 2) The local DNS server queries the root name server, then the .com name server, to get the Authority Name Server of abc.com
>> 3) The local DNS server queries the Authority name server, and gets the IP
>>
>> But when the Authority name server is down, the internet user won't get the IP address.
>>
>> My solution is as follows:
>> a) A hidden name server with low performance is deployed. When the authority name server can't be accessed, the local DNS server will access the hidden server.
>> b) The hidden server is never used in the normal situation. It acts as a cold backup for the authority name server.
>> c) The zone file in the hidden server is the same as that configured in the authority name server
>> d) The hidden name server doesn't appear in the NS records of the authority name server
>>
>> Btw, all of the above doesn't consider the cache in the local DNS server.
>>
>> Best Regards,
>> Guanghua
>>
>>> Date: Mon, 17 Feb 2014 09:09:13 +
>>> Subject: Re: how to modify the cache
>>> From: sjc...@gmail.com
>>> To: houguang...@hotmail.com
>>> CC: bind-users@lists.isc.org
>>>
>>> On 17 February 2014 01:17, houguanghua houguang...@hotmail.com wrote:
>>>> I want to override the IP address of NS, for I want to use another authority DNS which isn't registered.
>>>
>>> For that you use forwarding. Create a zone statement for the zone in question and forward the queries to a different
Re: whois expiration limit?
On 2014-02-19 23:29, Lightner, Jeff wrote:
> Thanks.
>
> My thinking was the limit was on the whois database, since the Registrar was telling me it was registered for more than 10 years. It appears, based on this Registration FAQ regarding "compliance", that the registrar may simply be showing it as 2024 because they can't really report 2025 and be in compliance.

Just to be clear, it's not about showing something different for compliance; the domain is only registered for 9.something years, full stop. ICANN/Internic is the ultimate authority within their gTLD roots, everyone else is just a reseller, so at this point you've been sold something they're unable to deliver -- But since they can deliver it over time, it should work itself out.

In other words, what you have is a domain for 9 years, and the promise of one more. That's fair, most service contracts are based on one party or the other doing something and the other promising to do something later.

Luckily registrars don't have much of an incentive to jerk people around, saving themselves $9 isn't worth the lawsuit and potential loss of accreditation.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren