Compiling BIND with DLZ drivers.

2014-05-09 Thread Mimiko

Hello.

I am trying to compile DLZ drivers with --with-dlopen=yes so no DLZ is 
compiled statically in bind. But there is a problem if I compile bind 
with --prefix=/opt/bind9 . The DLZ Makefiles do not have options 
to specify this path. Only manual editing of the Makefiles can do the 
trick. It would be nice to have options or environment variables to specify it.

Also there is no dynamically loaded DLZ driver for postgres along with others. Why?

--
Mimiko desu.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Re: AIX and 9.9.5 compiling

2014-05-09 Thread Timothe Litt
On 09-May-14 14:53, Alan Clegg wrote:
> I do, but I don't have "early access", so other than a brief "yep, it
> works", I can't get it into the README.  8-)
I'm glad that you make that effort. 

 I was responding to Jeremy's solicitation for suggestions on what
should be done more officially/thoroughly.   (Including routine builds
during development.)

Including ARM - native and cross-compiled - would support parts of the
community that don't get much attention (nor make much noise.)   
Embedded and cross-architecture compilers.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

This communication may not represent my employer's views,
if any, on the matters discussed. 

On 09-May-14 14:53, Alan Clegg wrote:
> On 5/9/14, 2:06 PM, Timothe Litt wrote:
>>> If you have a suggestion for an important or popular OS version I should 
>>> add to our build farm, please let me know why.
>> I have one suggestion:  get a Raspberry PI and build/run on it (the
>> usual OS is Debian - 'Raspbian', but people run a variety of others.)
> I do, but I don't have "early access", so other than a brief "yep, it
> works", I can't get it into the README.  8-)
>
>
> AlanC
>





Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Lawrence K. Chen, P.Eng.


On 05/08/14 02:01, Dave Warren wrote:
> On 2014-05-07 15:54, Lawrence K. Chen, P.Eng. wrote:

> 
> >> Though it was just a minor delay...for them to revert back to the old site,
>> until they migrated their email accounts to the CNAME site as well
> 
> You still can't CNAME the APEX of a zone even if you do migrate your email
> accounts to the CNAME site as you can't have a CNAME and SOA/NS records at the
> same level.
> 

You're quoting out of context. I wasn't talking about CNAME for my APEX,
but CNAME for somebody's host...they used to do their own website, while using
our central email service.  But asking to change their hostname to be a CNAME
to an outside web hosting provider...kind of broke their email until they
moved to using the web hosting's email service.  Don't know if they moved
their accounts there, or just defined aliases up there to send it back to our
system...on our side I had virtusertable entries to map the store email
addresses to their real accounts, though we switched email providers
recently...and I recently heard rumblings that some subdomains wanting to use
google apps to solve the problems they're having with our email provider.

Which is easier for those that have their subdomains delegated to
them...though I haven't been told that I need to stop fulfilling requests to
add verification strings for other department subdomains

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally


Re: bin 9.10 verbose logging

2014-05-09 Thread Mark Andrews

In message <1399664632.4864.59.ca...@ns.five-ten-sg.com>, Carl Byington writes:
> On Sat, 2014-05-03 at 14:28 -0500, Jeremy C. Reed wrote:
> > "We didn't get a OPT record in response to a EDNS query." and also
> > says "We need to drop/remove the logging here when we have more
> > experience."
> 
> Is there a sample dig query that can reproduce this? I see such a
> message in my log files regarding domain of interest to me.
> 
> For the OP's question, presumably something like
> 
> dig dns2.osogrande.com  @207.66.8.132 +?

Modern versions of DiG turn on EDNS by default.

    +[no]edns[=version]
    +[no]dnssec (implies +edns)

If there is an OPT record in the response you will see something
like this:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

or

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 72 6f 63 6b 2e 64 76 2e 69 73 63 2e 6f 72 67 ("rock.dv.isc.org")
; SIT: 8cd65ccfb9f282d53599db62536d5c39ec27d9c7420ccbbe (good)
; EXPIRE: 2389987 (3 weeks 6 days 15 hours 53 minutes 7 seconds)

If you turn on some of the EDNS options (+sit +nsid +expire) in the
request.

    +sit    (source identity token) provides 64 additional bits of randomness
            to make off path spoofing virtually impossible to achieve.  It
            also provides a method for servers to know they are talking to
            a client that they have talked to before so they don't need to
            rate limit responses (uses an experimental code point).
    +nsid   (name server identifier)
    +expire how long to go before the zone expires (code point 9 has been
            assigned for this, 9.10.0 uses an experimental code point and
            will be changed in 9.10.1 to the assigned code point).

Mark
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
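
The condition behind the log message discussed in this thread (an EDNS query whose response carries no OPT record) can be checked directly on the wire. The following is an added example, not code from the thread, from BIND or from dig; the function names are hypothetical and both packets are constructed sample data.

```python
import struct

TYPE_OPT = 41      # OPT pseudo-RR type (RFC 6891)
OPTION_NSID = 3    # NSID option code (RFC 5001)

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def opt_rr(udp_size=4096, options=b""):
    """OPT RR: root owner name, CLASS = UDP payload size, TTL = ext-rcode/version/flags."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(options)) + options

def build_query(qname, edns=True, msg_id=0x1234):
    """A-record query with RD set; with edns=True an OPT RR goes in the additional section."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    return header + question + (opt_rr() if edns else b"")

def sample_response(qname, with_opt, msg_id=0x1234):
    """Constructed response: one A record, optionally an OPT RR carrying an NSID option."""
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    nsid = b"ns.example.test"  # constructed value
    options = struct.pack("!HH", OPTION_NSID, len(nsid)) + nsid
    return header + question + answer + (opt_rr(options=options) if with_opt else b"")

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # a compression pointer ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length
    raise ValueError("truncated name")

def parse_options(rdata):
    """Split OPT RDATA into (option-code, option-data) pairs."""
    opts, i = [], 0
    while i < len(rdata):
        if i + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[i:i + 4])
        if i + 4 + length > len(rdata):
            raise ValueError("truncated option data")
        opts.append((code, rdata[i + 4:i + 4 + length]))
        i += 4 + length
    return opts

def find_opt(msg):
    """Return the decoded OPT record of a DNS message, or None if it has none."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated rdata")
        if rtype == TYPE_OPT:
            return {"udp": rclass, "version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & 0x8000),
                    "options": parse_options(msg[off:off + rdlen])}
        off += rdlen
    return None

def classify(query, response):
    """'no-opt-in-response' is the case the log message reports."""
    if find_opt(query) is None:
        return "plain-dns"
    return "edns-ok" if find_opt(response) is not None else "no-opt-in-response"

if __name__ == "__main__":
    q = build_query("www.example.com")
    for with_opt in (True, False):
        print(with_opt, classify(q, sample_response("www.example.com", with_opt)))
```
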


Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Lawrence K. Chen, P.Eng.


On 05/07/14 23:32, Barry Margolin wrote:
> In article ,
>  "Lawrence K. Chen, P.Eng."  wrote:
> 
>> Oh...I misread the question...guess DNAME isn't what's wanted
>>
>> just the apex to somewhere else
>>
>> Yeah...I currently just look up the name and enter A records.  But, I've
>> wondered if there was another record type that allowed it to detect address
>> changes of the requested 'CNAME'...so I wouldn't have to.  Especially, if the
>> requested 'CNAME' is a name that is known to change its IP...
> 
> Have the apex point to your own webserver, and have it send an HTTP 
> redirect to www.domain.com, which is CNAMEd to the third party domain.
> 

I mentioned that option...but it doesn't work so well for https://example.com
(except maybe if they gave me their cert...though I have limited IPs - though
the new appliance supposedly does SNI...)


>> Either that...or come up with a way to script it.
> 
> That's what we did when I was at Akamai. Their custom DNS servers have 
> an option to resolve the domain apex by looking up another name and 
> returning its IP.
> 

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally


Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Kevin Darcy

On 5/8/2014 5:13 PM, John Levine wrote:

DNSMadeEasy calls this an "ANAME" record, internally they just lookup
the destination's IP and cache it, updating it as needed.

It works, but it would be nice if this could be done in DNS. Sadly, it
can't, and probably won't in our lifetimes.

I do a similar thing in my DNS crudware, a pseudo-entry in the zone,
every time the background update script runs, it does A and AAAA
lookups and puts the results in the real zone, bumping the SOA serial
if the result changed since last time.  It's a crock, but one that we
all seem to want.

I suppose we could invent something like an ANAME (that's A and
AAAA name), that worked like a restricted CNAME and does an indirect
lookup only for A or AAAA requests.  Or overimplement it with a bitmap
of the RR types to indirect for.

Or, a bitmap of the RR types to *not* indirect for, which
a) often if not usually will be a shorter list (even in the zone apex 
case, you have 2 exclusions -- NS and SOA -- and typically 2 or more of 
A/AAAA/MX/SPF/TXT as inclusions, potentially even more if the zone is 
DNSSEC-signed), and

b) would automatically cover new RR types as they are defined

As an implementation detail, zone-loading logic could, if desired, 
*automatically* set these bits based on what other record types with the 
same owner name are explicitly defined in the zone file (on the 
reasonable assumption that a data owner wouldn't explicitly define an 
RRset in a zone file, only to have it be "hidden" forever by an 
indirection record with the same owner name).


Of course, it's one thing to dream up a new RR type, quite another thing 
to get it standardized via the IETF and then change the installed base 
to actually recognize and use it. Also, during the (presumably long) 
transition period, you'd have to use EDNS0 signalling or something 
similar so that a server knows whether a client understands the new 
record type or not. If the client doesn't understand the new type, you 
need a fallback mechanism to cough up usable terminal-node records "the 
old-fashioned way".


- Kevin
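
The background-update approach quoted in this message (a pseudo-entry in the zone, periodic A and AAAA lookups, SOA serial bumped only when the result changed) can be sketched as follows. This is an added example, not code from any poster or from BIND; the `;ANAME` pseudo-entry syntax, the `; aname-generated` tag, the single-line SOA and all names and addresses are assumptions made for the illustration.

```python
import re
import socket

PSEUDO = re.compile(r"^;ANAME\s+(\S+)\s+(\S+)\s*$")   # hypothetical pseudo-entry syntax
TAG = " ; aname-generated"                            # marks records this script owns
SOA = re.compile(r"^(\S+\s+(?:\d+\s+)?IN\s+SOA\s+\S+\s+\S+\s+)(\d+)(\s.*)$")

# Constructed sample zone (single-line SOA assumed).
SAMPLE_ZONE = """$TTL 300
@ IN SOA ns1.example.com. hostmaster.example.com. 2014050901 3600 900 604800 300
@ IN NS ns1.example.com.
;ANAME @ web.hosting.example.net.
@ IN A 192.0.2.10 ; aname-generated
www IN CNAME web.hosting.example.net.
"""

def system_resolver(target, rrtype):
    """Look up A or AAAA via the system resolver; None means the lookup failed."""
    family = socket.AF_INET if rrtype == "A" else socket.AF_INET6
    try:
        infos = socket.getaddrinfo(target.rstrip("."), None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})

def bump_soa(line):
    """Increment the serial on an SOA line; other lines pass through unchanged."""
    m = SOA.match(line)
    if not m:
        return line
    serial = (int(m.group(2)) + 1) % 2**32 or 1       # serial is 32-bit, avoid 0
    return m.group(1) + str(serial) + m.group(3)

def refresh_zone(zone_text, resolver=system_resolver):
    """Regenerate tagged records from pseudo-entries; return (new_text, changed)."""
    lines = zone_text.splitlines()
    old_generated = [l for l in lines if l.endswith(TAG)]
    out, new_generated = [], []
    for line in (l for l in lines if not l.endswith(TAG)):
        out.append(line)
        m = PSEUDO.match(line)
        if not m:
            continue
        owner, target = m.groups()
        records, failed = [], False
        for rrtype in ("A", "AAAA"):
            addrs = resolver(target, rrtype)
            if addrs is None:
                failed = True
                break
            records += [f"{owner} IN {rrtype} {a}{TAG}" for a in sorted(addrs)]
        if failed or not records:
            # Fail safe: a broken lookup must not empty the apex, keep the old data.
            records = [l for l in old_generated if l.split()[0] == owner]
        out += records
        new_generated += records
    changed = sorted(new_generated) != sorted(old_generated)
    if changed:
        out = [bump_soa(l) for l in out]
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    # Constructed answers instead of live lookups, so the run is reproducible.
    answers = {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]}
    text, changed = refresh_zone(SAMPLE_ZONE, lambda target, rrtype: answers[rrtype])
    print(changed)
    print(text)
```

The records served at the apex are only as fresh as the last run, so the run interval should not exceed the TTL of the target's own records.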


Re: Multi-master (HA)

2014-05-09 Thread Kevin Darcy


On 5/9/2014 3:01 PM, John Wobus wrote:

...if anyone has specific
thoughts on how to make this sort of thing easier in BIND -- even just at
the level of "boy, it irritates me that I can't make BIND do " --
such comments will fall on welcoming ears.


I agree that it would be nice if effort were made into making flipping
masters straight-forward, i.e., not require a change to every zone declaration
and not force the operator to deal with zone files that suddenly need to
switch between binary and ascii.  (There may be good ways to do this now
that I'm unaware of.)


Where is the line drawn these days between DNS management protocols and 
provisioning protocols? Because, I've long thought the idea of feeding a 
config (i.e. the contents of a named.conf file) to a "named" instance 
via "rndc" would be an easy and secure way of quickly reconfiguring it 
to a different role (e.g. from master to slave, or _vice_versa_, for a 
whole bunch of views/zones in one fell swoop). Since the config is in a 
very regular, structured format, I'm sure some sort of encoding and/or 
compression could be employed to make the actual data transfer size 
fairly compact.


The only big gotcha that comes to mind here is if the named.conf is 
segmented via include files with different access privileges (e.g. not 
letting key definitions be world-readable), that segmentation/protection 
would need to be preserved on the receiving side.


- Kevin


Re: bin 9.10 verbose logging

2014-05-09 Thread Carl Byington

On Sat, 2014-05-03 at 14:28 -0500, Jeremy C. Reed wrote:
> "We didn't get a OPT record in response to a EDNS query." and also
> says "We need to drop/remove the logging here when we have more
> experience."

Is there a sample dig query that can reproduce this? I see such a
message in my log files regarding domain of interest to me.

For the OP's question, presumably something like

dig dns2.osogrande.com  @207.66.8.132 +?




Re: Multi-master (HA)

2014-05-09 Thread John Wobus

...if anyone has specific
thoughts on how to make this sort of thing easier in BIND -- even just at
the level of "boy, it irritates me that I can't make BIND do " --
such comments will fall on welcoming ears.


I agree that it would be nice if effort were made into making flipping
masters straight-forward, i.e., not require a change to every zone declaration
and not force the operator to deal with zone files that suddenly need to
switch between binary and ascii.  (There may be good ways to do this now
that I'm unaware of.) (I've wondered why bind doesn't simply write an
ascii copy of the zone file in addition to the binary copy.)

Running multiple dynamic-dns masters would be absolutely fantastic except
of course when it didn't work.  Seems like a reason to have multiple
masters is to handle the case where some are unreachable, in
which case keeping them in synch becomes interesting.  If the main
point is to eliminate single points of failure, a "three masters
with quorum" system might serve the purpose.

I like the idea of configuring zone information in a zone, and think
it would be fun to be on the team brainstorming how to guard against
sneaky config attacks.

John Wobus
Cornell University IT


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Alan Clegg
On 5/9/14, 2:06 PM, Timothe Litt wrote:
>> If you have a suggestion for an important or popular OS version I should 
>> add to our build farm, please let me know why.
> I have one suggestion:  get a Raspberry PI and build/run on it (the
> usual OS is Debian - 'Raspbian', but people run a variety of others.)

I do, but I don't have "early access", so other than a brief "yep, it
works", I can't get it into the README.  8-)


AlanC




Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Kevin Darcy

On 5/9/2014 6:59 AM, Tony Finch wrote:

Dave Warren  wrote:

On 2014-05-08 15:09, Mark Andrews wrote:

But that does not help when you want a MX record at the apex or
some other record at the apex.

I'd argue that it does -- Since the record is now CNAME'd, the MX record is
now under the control of the destination of the CNAME record and MX records
can still be set.

Unfortunately CNAME-pointing-at-MX is an interop disaster area owing to
different MTAs' differing opinions about whether it makes sense to rewrite
email addresses in this situation. Avoid.


I actually think that MX records were a boneheaded thing to do, had email
started using SRV records in the first place we might be in a position now
where using SRV records is the de facto standard if not the actual standard for
all services. (No offense to the folks that made MX records happen, I realize
that in historical context it was the correct decision and it solved the very
immediate problem -- I'm just saying that in an ideal world, SRV records
instead of MX records would have solved the same problem in a more generic fashion,
and would have pushed us to a better place for other protocols)

It is interesting to look at the old RFCs and see how many false starts it
took to get to the MX design. Mail was the first heavily virtualized
application so I think their failure to generalize was forgivable,
especially since they were also dealing with the massive problem of
gatewaying between dozens of balkanized mail networks.

http://stuff.mit.edu/afs/athena/reference/net-directory/documents/JANET-Mail-Gateways.ps

Indeed. Hindsight is 20/20. Mail was the "killer app" for the early 
Internet, and providing a way to route it over the Internet, with 
automatic load-balancing and failover, was a major achievement. Sure, 
the IETF could have spent a few more years coming up with a "generic" 
way to do things, throwing in -- as SRV eventually did -- port 
reassignment, weighting and namespace semantics, but how much would that 
delay have stunted the growth of the nascent technology? Maybe it would 
have resulted in OSI/X.400 surpassing SMTP as the predominant mail 
transport, and we'd all be *miserable*.


- Kevin


Re: Answer for a specific host, but recurse for all others within a zone

2014-05-09 Thread Phil Mayers

On 09/05/2014 18:47, Jon Fullmer wrote:

(Sorry, let's try that again WITHOUT "smart quotes":)


Yeaaahhh that did not work out so well:

Content-Type: text/plain; charset="big5"

Your apostrophes ended up being a Chinese character, CJK UNIFIED 
IDEOGRAPH-6613 according to Python's unicodedata.


Maybe try a better mail client ;o)


Re: Re: AIX and 9.9.5 compiling

2014-05-09 Thread Timothe Litt
> If you have a suggestion for an important or popular OS version I should 
> add to our build farm, please let me know why.
I have one suggestion:  get a Raspberry PI and build/run on it (the
usual OS is Debian - 'Raspbian', but people run a variety of others.)

Why:  I don't run bind on RPI, but I do run bind on similar embedded ARM
systems. 

The RPI is cheap (functional system with a HDD for ~$120 US), it's
ARM-based, and it's disk and memory limited. 

Besides all the scale-up machines (zillions of zones, many GB of memory
& disk) that you hear about, you do have scale-down customers. 

ARM-based systems are built native compile, and cross-compiled
(typically from x86).  So for a very small investment, you could
validate ARM, cross-compilation and small-memory environments.  (Yes, I
know you do some in-family cross-compiles for Sun, but x86-ARM
guarantees that compile-time checks - especially in configure - don't
work unless they're validated.  Well, *nothing* works unless it's
validated, but this in particular!) 

I'm glad to see that big-endian is represented (by HPUX) - many embedded
systems oriented toward network servers run big-endian to avoid
byte-swapping.

Why embedded systems?  Well, for large home/small office environments,
one can often squeeze bind (and dhcp & ntp) into a (jailbroken) router
or network storage box.  More than the cost of the box, there's the
maintenance issue - or lack of one.  These tend to run themselves.  And
they don't use much power, so a fairly inexpensive UPS will keep router,
modem, phone up for many hours. 

I ported bind to optware many years ago for this.

And no, I'm not suggesting that bind should be run on your favorite
smartphone...

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 


> Currently, some of the systems that we automatically build and run 
> various tests on include:
>
> FreeBSD 4.11 i386
> FreeBSD 6.3 i386
> FreeBSD 8.4 i386
> FreeBSD 10.0-CURRENT i386
> Fedora 18 Linux 3.8.1-201.fc18.x86_64 x86_64 
> Fedora 19 Linux 3.11.6-200.fc19.x86_64 x86_64 
> HPUX B11.11 HPPA2.0w (HP 9000/800)
> MacOSX 10.6.6 Darwin 10.8.0 x86_64
> NetBSD 5.2 i386
> NetBSD 6.0 i386
> NetBSD 6.0.2 amd64
> Solaris 10 SunOS 5.10 sun4u sparc SUNW,Sun-Fire-V240
> Solaris 10 SunOS 5.10 sun4u sparc SUNW,UltraAX-i2
> Solaris 11 SunOS 5.11 i86pc i386
> Ubuntu 13.10 Linux 3.11.0-15-generic x86_64
>
> The developers also use a variety of other systems like FreeBSD 
> 9.1-RELEASE-p4 amd64, Mac OS 10.8.4 and 10.8.5, Ubuntu Linux 13.04, 
> Fedora 19 Linux, NetBSD 6, and others, but they may have newer versions 
> than these.  There are also some Windows build systems with VS2005, 
> VS2008, VS2010express, VS2010, and VS2012 (and maybe others).
>
> I was also doing automated builds on OpenBSD, Debian, and Ubuntu LTS, 
> but need to replace the server. Also our AIX machine crashed.
>
> If you have a suggestion for an important or popular OS version I should 
> add to our build farm, please let me know why. Thanks
>





Re: Answer for a specific host, but recurse for all others within a zone

2014-05-09 Thread Jon Fullmer
(Sorry, let's try that again WITHOUT "smart quotes":)

Rich, you and Barry both touched on my original tactic. I can define
"something.xyz.com" as a master zone with a single entry. The problem, as
you pointed out, is that this doesn't catch "www.something.xyz.com".
Unfortunately, the "www" section will have any number of random hosts, so
putting in manual entries will be impractical.

I'm intrigued by the RPZ option. I'm not familiar with it. I realize that
it's only available in 9.8.1 and above (which will require me to upgrade;
I'm using 9.7.3). I've been scouring the Net for examples, but they're
typically targeted to one of RPZ's main purposes (spam blacklisting,
etc.). 

If I'm following the config right, let's say that the local server in my
example is 10.1.2.3:

 named.conf 

options {
   response-policy { "something.xyz.com"; };
};

zone "something.xyz.com" {
  type master;
  file "something.xyz.com.db";
};

 something.xyz.com.db 

$TTL 900

@ IN SOA  soa.xyz.com.  hostmaster.xyz.com.   0001 900 900 604800 30
  IN NS localhost.

@ IN A 10.1.2.3
* IN CNAME .

 end 

Is this right? I guess the trick I'm trying to sort out is how to tell the
zone file to "recurse, if not explicitly 'something.xyz.com'." What else
am I leaving out?


 - Jon


On 5/8/14, 10:05 PM, "Rich Goodson"  wrote:

>On your resolver, create a zone called
>something.xyz.com
>and only have one entry, an A record for the zone itself.  something like
>this:
>---begin something.xyz.com zonefile---
>something.xyz.com. in soa ns1.abc.com. hostmaster.abc.com. (
>2014050901
>3H
>300
>2W
>3600 )
>something.xyz.com.  in ns ns1.abc.com.
>something.xyz.com.  in ns ns2.abc.com.
>something.xyz.com.  in a  192.168.100.15
>---end something.xyz.com zonefile---
>
>This will still allow www.xyz.com and mail.xyz.com to resolve, but will
>NOT 
>recurse for www.something.xyz.com.  If you want that to resolve, you'll
>have to 
>add that to the zone as well, as you're claiming authority for
>something.xyz.com and everything "to the left" of that as well.
>
>It just occurred to me that you could also provide a local answer for a
>single 
>name with RPZ, which would give the benefit of continuing to recurse for
>www.something.xyz.com.
>
>-Rich
>
>
>
>On May 9, 2014, at 1:15 AM, fullme...@ldschurch.org wrote:
>
>> Does anyone know how I might configure bind to answer for a specific
>>host within the zone, but perform a recursive lookup for the rest of the
>>zone?
>> 
>> For example, given the domain "xyz.com", how might I configure a local
>>DNS server to resolve "something.xyz.com" to, maybe, a local server, but
>>still allow "www.xyz.com", "mail.xyz.com" and "www.something.xyz.com"
>>to still recursively resolve?
>> 
>> Is there a way?
>> 
>> - Jon




 NOTICE: This email message is for the sole use of the intended recipient(s) 
and may contain confidential and privileged information. Any unauthorized 
review, use, disclosure or distribution is prohibited. If you are not the 
intended recipient, please contact the sender by reply email and destroy all 
copies of the original message.


Re: Answer for a specific host, but recurse for all others within a zone

2014-05-09 Thread Jon Fullmer
Rich, you and Barry both touched on my original tactic. I can define
"something.xyz.com" as a master zone with a single entry. The problem, as
you pointed out, is that this doesn't catch "www.something.xyz.com".
Unfortunately, the "www" section will have any number of random hosts, so
putting in manual entries will be impractical.

I'm intrigued by the RPZ option. I'm not familiar with it. I realize that
it's only available in 9.8.1 and above (which will require me to upgrade;
I'm using 9.7.3). I've been scouring the Net for examples, but they're
typically targeted to one of RPZ's main purposes (spam blacklisting,
etc.). 

If I'm following the config right, let's say that the local server in my
example is 10.1.2.3:

 named.conf 

options {
   response-policy { "something.xyz.com"; };
};

zone "something.xyz.com" {
  type master;
  file "something.xyz.com.db";
};

 something.xyz.com.db 

$TTL 900

@ IN SOA  soa.xyz.com.  hostmaster.xyz.com.   0001 900 900 604800 30
  IN NS localhost.

@ IN A 10.1.2.3
* IN CNAME .

 end 

Is this right? I guess the trick I'm trying to sort out is how to tell the
zone file to "recurse, if not explicitly 'something.xyz.com'." What else
am I leaving out?


 - Jon


On 5/8/14, 10:05 PM, "Rich Goodson"  wrote:

>On your resolver, create a zone called
>something.xyz.com
>and only have one entry, an A record for the zone itself.  something like
>this:
>---begin something.xyz.com zonefile---
>something.xyz.com. in soa ns1.abc.com. hostmaster.abc.com. (
>2014050901
>3H
>300
>2W
>3600 )
>something.xyz.com.  in ns ns1.abc.com.
>something.xyz.com.  in ns ns2.abc.com.
>something.xyz.com.  in a  192.168.100.15
>---end something.xyz.com zonefile---
>
>This will still allow www.xyz.com and mail.xyz.com to resolve, but will
>NOT 
>recurse for www.something.xyz.com.  If you want that to resolve, you'll
>have to 
>add that to the zone as well, as you're claiming authority for
>something.xyz.com and everything "to the left" of that as well.
>
>It just occurred to me that you could also provide a local answer for a
>single 
>name with RPZ, which would give the benefit of continuing to recurse for
>www.something.xyz.com.
>
>-Rich
>
>
>
>On May 9, 2014, at 1:15 AM, fullme...@ldschurch.org wrote:
>
>> Does anyone know how I might configure bind to answer for a specific
>>host within the zone, but perform a recursive lookup for the rest of the
>>zone?
>> 
>> For example, given the domain "xyz.com", how might I configure a local
>>DNS server to resolve "something.xyz.com" to, maybe, a local server, but
>>still allow "www.xyz.com", "mail.xyz.com" and "www.something.xyz.com"
>>to still recursively resolve?
>> 
>> Is there a way?
>> 
>> - Jon




R: Bind 9.10 64 bit

2014-05-09 Thread Giovanni Paterno'
Thanks for your reply.

Regards

Giovanni Paterno

-Original Message-
From: Mark Andrews [mailto:ma...@isc.org] 
Sent: Friday, 9 May 2014 17.46
To: Giovanni Paterno'
Cc: bind-users@lists.isc.org
Subject: Re: Bind 9.10 64 bit


In message , 
Giovanni Paterno' writes:
> O.S. Windows 2008 R2 64 bit. Up to now I have used Bind 32 bit, now I 
> see that a 64 bit version is available.
> Should I move to 64 bit version ? If yes is there any how to doc ?
> 
> Giovanni Paterno
 
Uninstall the 32 bit version preserving data.  Install the 64 bit version.

9.10.0 changes the default install location so you may want to move your data 
across.

x86: CSIDL_PROGRAM_FILESX86
x64: CSIDL_PROGRAM_FILES

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Bind 9.10 64 bit

2014-05-09 Thread Mark Andrews

In message , 
Giovanni Paterno' writes:
> O.S. Windows 2008 R2 64 bit. Up to now I have used Bind 32 bit, now I see
> that a 64 bit version is available.
> Should I move to 64 bit version ? If yes is there any how to doc ?
> 
> Giovanni Paterno
 
Uninstall the 32 bit version preserving data.  Install the 64 bit
version.

9.10.0 changes the default install location so you may want to move
your data across.

x86: CSIDL_PROGRAM_FILESX86
x64: CSIDL_PROGRAM_FILES

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Bind 9.10 64 bit

2014-05-09 Thread Giovanni Paterno'
O.S. Windows 2008 R2 64 bit. Up to now I have used Bind 32 bit, now I see that 
a 64 bit version is available.
Should I move to 64 bit version ? If yes is there any how to doc ?

Giovanni Paterno

Re: AIX and 9.9.5 compiling

2014-05-09 Thread Edward DeLargy
Thank you all for your quick response I do appreciate it!!

Regards,
Ed



On Fri, May 9, 2014 at 6:48 AM, Fajar A. Nugraha  wrote:

> On Fri, May 9, 2014 at 5:36 PM, Tony Finch  wrote:
> >
> > Edward DeLargy  wrote:
> >
> > > I just want to verify that 9.9.5 can be compiled in AIX
> >
> > The README says:
> >
> > Building
> >
> > BIND 9 currently requires a UNIX system with an ANSI C compiler,
> > basic POSIX support, and a 64 bit integer type.
> >
> > We've had successful builds and tests on the following systems:
> ...
> > Fedora Core 6
> ...
> > Ubuntu 7.04, 7.10
>
> Wow. Fedora core 6 and Ubuntu 7.04? I wonder if anybody is actually
> still using those. Makes you wonder just how often the README was
> updated :)
>
> --
> Fajar

Re: AIX and 9.9.5 compiling

2014-05-09 Thread Jeremy C. Reed
Currently, some of the systems that we automatically build and run 
various tests on include:

FreeBSD 4.11 i386
FreeBSD 6.3 i386
FreeBSD 8.4 i386
FreeBSD 10.0-CURRENT i386
Fedora 18 Linux 3.8.1-201.fc18.x86_64 x86_64 
Fedora 19 Linux 3.11.6-200.fc19.x86_64 x86_64 
HPUX B11.11 HPPA2.0w (HP 9000/800)
MacOSX 10.6.6 Darwin 10.8.0 x86_64
NetBSD 5.2 i386
NetBSD 6.0 i386
NetBSD 6.0.2 amd64
Solaris 10 SunOS 5.10 sun4u sparc SUNW,Sun-Fire-V240
Solaris 10 SunOS 5.10 sun4u sparc SUNW,UltraAX-i2
Solaris 11 SunOS 5.11 i86pc i386
Ubuntu 13.10 Linux 3.11.0-15-generic x86_64

The developers also use a variety of other systems like FreeBSD 
9.1-RELEASE-p4 amd64, Mac OS 10.8.4 and 10.8.5, Ubuntu Linux 13.04, 
Fedora 19 Linux, NetBSD 6, and others, but they may have newer versions 
than these.  There are also some Windows build systems with VS2005, 
VS2008, VS2010express, VS2010, and VS2012 (and maybe others).

I was also doing automated builds on OpenBSD, Debian, and Ubuntu LTS, 
but need to replace the server. Also our AIX machine crashed.

If you have a suggestion for an important or popular OS version I should 
add to our build farm, please let me know why. Thanks


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Matus UHLAR - fantomas

Edward DeLargy  wrote:
> I just want to verify that 9.9.5 can be compiled in AIX

On Fri, May 9, 2014 at 5:36 PM, Tony Finch  wrote:
> The README says:
>
> We've had successful builds and tests on the following systems:
> ...
> Fedora Core 6
> ...
> Ubuntu 7.04, 7.10

On 09.05.14 17:48, Fajar A. Nugraha wrote:
> Wow. Fedora core 6 and Ubuntu 7.04? I wonder if anybody is actually
> still using those. Makes you wonder just how often the README was
> updated :)


yes, there are many people who will only understand when "and later" will be
added...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
On the other hand, you have different fingers. 


Re: AIX and 9.9.5 compiling

2014-05-09 Thread eddelargy
Thank you! I figured that but given some of the oddities of AIX wasn't sure.

Regards,
Ed

Sent from my iPhone

> On May 9, 2014, at 6:36 AM, Tony Finch  wrote:
> 
> Edward DeLargy  wrote:
> 
>> I just want to verify that 9.9.5 can be compiled in AIX
> 
> The README says:
> 
> Building
> 
> BIND 9 currently requires a UNIX system with an ANSI C compiler,
> basic POSIX support, and a 64 bit integer type.
> 
> We've had successful builds and tests on the following systems:
> 
> COMPAQ Tru64 UNIX 5.1B
> Fedora Core 6
> FreeBSD 4.10, 5.2.1, 6.2
> HP-UX 11.11
> Mac OS X 10.5
> NetBSD 3.x, 4.0-beta, 5.0-beta
> OpenBSD 3.3 and up
> Solaris 8, 9, 9 (x86), 10
> Ubuntu 7.04, 7.10
> Windows XP/2003/2008
> 
> NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
> Windows, including Windows NT and Windows 2000, are no longer
> supported.
> 
> We have recent reports from the user community that a supported
> version of BIND will build and run on the following systems:
> 
> AIX 4.3, 5L
> CentOS 4, 4.5, 5
> Darwin 9.0.0d1/ARM
> Debian 4, 5, 6
> Fedora Core 5, 7, 8
> FreeBSD 6, 7, 8
> HP-UX 11.23 PA
> MacOS X 10.5, 10.6, 10.7
> Red Hat Enterprise Linux 4, 5, 6
> SCO OpenServer 5.0.6
> Slackware 9, 10
> SuSE 9, 10
> 
> Tony.
> -- 
> f.anthony.n.finch http://dotat.at/
> Biscay, South FitzRoy: Westerly 4 or 5, backing southwesterly 5 to 7, except
> in south. Moderate, occasionally rough in north. Occasional rain. Good,
> occasionally poor.


RE: AIX and 9.9.5 compiling

2014-05-09 Thread Tedd Tracy TANAGER
I’ve been building bind on AIX for years with no problems. I’ve had successful 
builds of 9.9.5 with both GCC and XLC.

Tedd

From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Edward DeLargy
Sent: Thursday, May 08, 2014 2:40 PM
To: bind-users@lists.isc.org
Subject: AIX and 9.9.5 compiling

Good Afternoon,
I just want to verify that 9.9.5 can be compiled in AIX 
with the binaries provided in the download the same you would compile in RHEL 
or SLES. I do understand that libraries have to be correct but want to be sure 
the BIND download works in AIX.

Regards,
Ed



This e-mail and any attachments are intended only for the named recipient(s) 
and may contain information that is legally privileged, confidential, or exempt 
from disclosure under applicable law. If you have received this message in 
error, or are not the named recipient(s), you may not retain copy or use this 
e-mail or any attachment for any purpose or disclose all or any part of the 
contents to any other person. Any such dissemination, distribution or copying 
of this e-mail or its attachments is strictly prohibited. If you are not the 
intended recipient, please immediately notify the sender and permanently delete 
this e-mail and any attachment from your computer.






Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Tony Finch
Dave Warren  wrote:
> On 2014-05-08 15:09, Mark Andrews wrote:

> > But that does not help when you want a MX record at the apex or
> > some other record at the apex.
>
> I'd argue that it does -- Since the record is now CNAME'd, the MX record is
> now under the control of the destination of the CNAME record and MX records
> can still be set.

Unfortunately CNAME-pointing-at-MX is an interop disaster area owing to
different MTAs' differing opinions about whether it makes sense to rewrite
email addresses in this situation. Avoid.

> I actually think that MX records were a boneheaded thing to do, had email
> started using SRV records in the first place we might be in a position now
> where using SRV records is the de facto standard if not the actual standard for
> all services. (No offense to the folks that made MX records happen, I realize
> that in historical context it was the correct decision and it solved the very
> immediate problem -- I'm just saying that in an ideal world, SRV records
> instead of MX records would have solved the same problem in a more generic fashion,
> and would have pushed us to a better place for other protocols)

It is interesting to look at the old RFCs and see how many false starts it
took to get to the MX design. Mail was the first heavily virtualized
application so I think their failure to generalize was forgivable,
especially since they were also dealing with the massive problem of
gatewaying between dozens of balkanized mail networks.

http://stuff.mit.edu/afs/athena/reference/net-directory/documents/JANET-Mail-Gateways.ps

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Trafalgar: Northerly 5 to 7, but mainly 4 in northwest. Moderate or rough.
Mainly fair. Good.


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Fajar A. Nugraha
On Fri, May 9, 2014 at 5:36 PM, Tony Finch  wrote:
>
> Edward DeLargy  wrote:
>
> > I just want to verify that 9.9.5 can be compiled in AIX
>
> The README says:
>
> Building
>
> BIND 9 currently requires a UNIX system with an ANSI C compiler,
> basic POSIX support, and a 64 bit integer type.
>
> We've had successful builds and tests on the following systems:
...
> Fedora Core 6
...
> Ubuntu 7.04, 7.10

Wow. Fedora core 6 and Ubuntu 7.04? I wonder if anybody is actually
still using those. Makes you wonder just how often the README was
updated :)

-- 
Fajar


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Tony Finch
Edward DeLargy  wrote:

> I just want to verify that 9.9.5 can be compiled in AIX

The README says:

Building

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

COMPAQ Tru64 UNIX 5.1B
Fedora Core 6
FreeBSD 4.10, 5.2.1, 6.2
HP-UX 11.11
Mac OS X 10.5
NetBSD 3.x, 4.0-beta, 5.0-beta
OpenBSD 3.3 and up
Solaris 8, 9, 9 (x86), 10
Ubuntu 7.04, 7.10
Windows XP/2003/2008

NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer
supported.

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

AIX 4.3, 5L
CentOS 4, 4.5, 5
Darwin 9.0.0d1/ARM
Debian 4, 5, 6
Fedora Core 5, 7, 8
FreeBSD 6, 7, 8
HP-UX 11.23 PA
MacOS X 10.5, 10.6, 10.7
Red Hat Enterprise Linux 4, 5, 6
SCO OpenServer 5.0.6
Slackware 9, 10
SuSE 9, 10

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Biscay, South FitzRoy: Westerly 4 or 5, backing southwesterly 5 to 7, except
in south. Moderate, occasionally rough in north. Occasional rain. Good,
occasionally poor.


Re: Slave zone intermittently not refreshing

2014-05-09 Thread Tony Finch
Mart van de Wege  wrote:
>
> > A lot of the refresh failure logging happens at debug level 1 so you can
> > get more details by running `rndc trace 1`.
>
> Is there a way to filter that after setting it?

Not without altering the server's logging configuration. Something like
the following, perhaps.

logging {
    category default { default_syslog; };
    category general { default_debug; };
};

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Viking, North Utsire, South Utsire, Northeast Forties: Variable 4 in North
Utsire, otherwise southeasterly 5 or 6. Slight or moderate. Showers. Good,
occasionally poor.
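
As an added example (not part of the original post, and not ISC's own configuration), one way to keep the debug output enabled by `rndc trace 1` out of syslog is to send it to a dedicated file channel. The channel name, file path and size limits are assumptions, and `xfer-in` and `notify` are included on the assumption that transfer and NOTIFY messages are wanted alongside the `general` category used in the reply above.

```conf
// named.conf fragment (added example; names and paths are assumptions)
logging {
    // Dedicated file for debug output. "severity dynamic" makes the
    // channel follow the server's current debug level, so it only
    // receives debug messages while "rndc trace" is in effect.
    channel refresh_debug {
        file "/var/log/named/refresh-debug.log" versions 3 size 10m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // default_syslog has severity info, so syslog stays free of
    // debug-level noise for every category.
    category default { default_syslog; };

    // Refresh logging as suggested in the reply above (general),
    // plus transfer and NOTIFY handling, copied to the debug file.
    category general { default_syslog; refresh_debug; };
    category xfer-in { default_syslog; refresh_debug; };
    category notify  { default_syslog; refresh_debug; };
};
```

Check the file with `named-checkconf` before reloading. `rndc notrace` returns the debug level to 0, after which the file channel stops receiving debug messages.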