Question about edns
Good morning,

I have 2 DNS servers:
- BIND 9.10.0-P2-x86 on a Windows Server 32 bit
- BIND 9.10.0-P2-x64 on a Windows Server 64 bit

I have a problem with an MX query for the domain pmk-kunststofftechnik.at.

On the Windows 32 bit server with BIND 9.10.0-P2-x86 it's OK:

30-giu-2014 11.46.50.647 edns-disabled: info: success resolving 'pmk-kunststofftechnik.at/MX' (in 'pmk-kunststofftechnik.at'?) after disabling EDNS

On the Windows 64 bit server with BIND 9.10.0-P2-x64 it's not OK:

30-giu-2014 12:12:23.190 query-errors: debug 1: client 77.xxx.xxx.xxx#63216 (pmk-kunststofftechnik.at): query failed (SERVFAIL) for pmk-kunststofftechnik.at/IN/MX at ..\query.c:7532

Do you have any suggestion?

Thanks in advance and best regards
Michele
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
test bind before moving to production
I'm new to bind. I want to be able to test the DNS server on my local machine before launching it, by putting the domain names (i.e. example.com) in my browser and browsing the site.

Both the dev and production machines are CentOS. I assume I'll need to edit the hosts file to redirect to the local DNS. But with this method I'm not sure how it will resolve multiple domains (i.e. example.com and example2.com).

I use a VirtualBox version of CentOS to run experiments so I can do a host/guest thing if needed.

There are 2 ways I'll use the DNS in production. At the domain registrar I'll either point to this DNS server or host the DNS at the domain registrar and point the A record to the IP.

Brian
Re: test bind before moving to production
On Thu, 3 Jul 2014, brian wrote:

> I'm new to bind. I want to be able to test the DNS server on my local machine before launching it, by putting the domain names (i.e. example.com) in my browser and browsing the site. Both the dev and production machines are CentOS. I assume I'll need to edit the hosts file to redirect to the local DNS. But with this method I'm not sure how it will resolve multiple domains (i.e. example.com and example2.com).

The host file (/etc/hosts I assume) won't help. You can use /etc/resolv.conf and have the nameserver line point to your localhost for testing. Or use dig with the @ argument to set the address of the nameserver to use. For example:

dig @127.0.0.1 www.example.com

Then also try that from outside systems too, using the @ with the network interface's address.
Re: test bind before moving to production
On 03/07/14 16:39, Jeremy C. Reed wrote:
> On Thu, 3 Jul 2014, brian wrote:
>> I'm new to bind. I want to be able to test the DNS server on my local machine before launching it, by putting the domain names (i.e. example.com) in my browser and browsing the site. Both the dev and production machines are CentOS. I assume I'll need to edit the hosts file to redirect to the local DNS. But with this method I'm not sure how it will resolve multiple domains (i.e. example.com and example2.com).
> The host file (/etc/hosts I assume) won't help. You can use /etc/resolv.conf and have the nameserver line point to your localhost for testing. Or use dig with the @ argument to set the address of the nameserver to use. For example, dig @127.0.0.1 www.example.com. Then also try that from outside systems too, using the @ with the network interface's address.

And note that the name server will not be publicly used until it is published through the whole DNS chain. That means there is no reason you could not put everything in place, even public facing servers - nobody will use them until referenced properly.

-- 
Best regards
Sten Carlsen
No improvements come from shouting: MALE BOVINE MANURE!!!
Re: problem resolving ardownload.adobe.com --enable-sit harmful?
I re-ran the dig to localhost (running bind 9.10.0-P2), and grabbed the packets with tcpdump.

dig ardownload.adobe.com. @localhost

That sent a query to 192.150.19.247 with flags = 0, edns size = 512, and got an NXDOMAIN answer. So I tried to reproduce that query with dig:

dig ardownload.wip4.adobe.com a @192.150.19.247 +dnssec +norecur +noadflag +bufsize=512

According to tcpdump, that sent the same query, but it got the CNAME answer.

The outgoing query from the local bind-9.10.0-P2 contains an extra 12 bytes of data in the OPT record, after the Z field containing the DO bit. This version of bind was compiled with --enable-sit. It seems that the adobe servers choke on that.
Re: problem resolving ardownload.adobe.com --enable-sit harmful?
I suggest that you log a complaint with Adobe requesting that they contact their nameserver vendor for a fix. This bug is similar in nature to that of http://www.kb.cert.org/vuls/id/714121 (NXDOMAIN incorrectly returned to a query).

Unknown EDNS options are supposed to be ignored by the nameserver, RFC 6891, though that wasn't clear in RFC 2671. NXDOMAIN however is an idiotic response to an unknown EDNS option.

dig ardownload.wip4.adobe.com @da1gtm001.adobe.com +nsid

will also demonstrate this bug and doesn't involve using the experimental EDNS opcodes that +sit does. At least the server returns BADVERS to EDNS(1) queries.

There are a number of nameservers that fail to respond correctly to unknown EDNS options or to EDNS(1) queries. Dig can demonstrate the server failing.

dig name @server +edns=1
dig name @server +nsid
dig name @server +sit                 (BIND 9.10.0 compiled with --enable-sit)
dig name @server +ednsopt=#[:payload] (BIND 9.11.0 or later)

Each domain I have seen failing has had different failure signatures. It looks like nameserver vendors are not doing even rudimentary checks like those above. DiG has those options so that we could perform checks like these.

Until Adobe fix their broken servers you can use a server clause to disable sending SIT requests to them. Obviously this does not scale.

server address { request-sit no; };

Mark

In message 1404418984.5134.52.ca...@ns.five-ten-sg.com, Carl Byington writes:
> I re-ran the dig to localhost (running bind 9.10.0-P2), and grabbed the packets with tcpdump.
>
> dig ardownload.adobe.com. @localhost
>
> That sent a query to 192.150.19.247 with flags = 0, edns size = 512, and got an NXDOMAIN answer. So I tried to reproduce that query with dig:
>
> dig ardownload.wip4.adobe.com a @192.150.19.247 +dnssec +norecur +noadflag +bufsize=512
>
> According to tcpdump, that sent the same query, but it got the CNAME answer.
>
> The outgoing query from the local bind-9.10.0-P2 contains an extra 12 bytes of data in the OPT record, after the Z field containing the DO bit. This version of bind was compiled with --enable-sit. It seems that the adobe servers choke on that.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
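Below is an added example, my own code and not something from this thread, from BIND or from dig, that does in the Python standard library what Mark's dig checks do: it sends a plain EDNS(0) query, then the same query carrying NSID, an experimental-range option, or EDNS version 1, and compares the two replies the way Carl compared his tcpdump captures. The plain query is the baseline because, on its own, an NXDOMAIN to an unknown option is indistinguishable from a name that really does not exist. Server names and addresses are parameters; the replies built by build_reply() are constructed for offline use, and the CNAME target used in the usage note is made up. Option code 10 is DNS COOKIE (RFC 7873), the standardised successor of the SIT option the thread discusses (SIT itself used an experimental code at the time); an 8-byte client cookie produces exactly the 12 bytes of OPT RDATA Carl observed (2-byte code, 2-byte length, 8-byte value).

```python
"""Probe how a nameserver handles EDNS options it does not understand (added example,
not code from the thread, BIND or dig). RFC 6891: an unknown option must be ignored and
an unsupported EDNS version answered with BADVERS. Anything else is a broken server."""
import os
import socket
import struct

EDNS_OPT_NSID = 3              # RFC 5001
EDNS_OPT_COOKIE = 10           # RFC 7873, standardised successor of BIND 9.10's SIT
EDNS_OPT_EXPERIMENTAL = 65001  # IANA range reserved for local/experimental use
TYPE_OPT, TYPE_CNAME = 41, 5

def encode_name(name):
    """Wire-format a dotted name, no compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, edns_version=0, options=(), udp_size=512):
    """Query with flags=0 (like a resolver's outgoing query) plus an OPT RR with DO set.
    options: iterable of (code, data) pairs encoded into the OPT RDATA."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    ttl = (edns_version << 16) | 0x8000            # ext-rcode 0 | version | DO bit
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, off):
    """Offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_message(msg):
    """Header rcode (with EDNS extended bits), answer RR types, and the OPT RR if present."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode, off = flags & 0xF, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    answers, opt = [], None
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_OPT:
            rcode |= ((ttl >> 24) & 0xFF) << 4      # extended rcode lives in the OPT TTL
            opts, o = [], 0
            while o + 4 <= len(rdata):
                code, ln = struct.unpack_from("!HH", rdata, o)
                opts.append((code, rdata[o + 4:o + 4 + ln]))
                o += 4 + ln
            opt = {"version": (ttl >> 16) & 0xFF, "udp_size": rclass, "options": opts}
        elif i < an:
            answers.append(rtype)
    return {"id": txid, "rcode": rcode, "answers": answers, "opt": opt}

def verdict(plain, probe_reply, edns_version_sent=0):
    """Compare the probe reply with the reply to a plain EDNS(0) query for the same name."""
    if probe_reply["opt"] is None:
        return "broken-no-opt"             # EDNS dropped from the reply altogether
    if edns_version_sent != 0:
        return "ok-badvers" if probe_reply["rcode"] == 16 else "broken-no-badvers"
    if probe_reply["rcode"] != plain["rcode"] or probe_reply["answers"] != plain["answers"]:
        return "broken-answer-changed"     # e.g. NXDOMAIN where the plain query got a CNAME
    return "ok-option-ignored"

def probe(server, name, options=(), edns_version=0, port=53, timeout=3.0):
    """Live UDP probe (not exercised offline): plain query first, then the probe query."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    queries = (build_query(name, txid=txid),
               build_query(name, txid=txid ^ 1, edns_version=edns_version, options=options))
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for q in queries:
            sock.sendto(q, (server, port))
            replies.append(parse_message(sock.recvfrom(4096)[0]))
    return verdict(replies[0], replies[1], edns_version)

def build_reply(query, rcode, answers=(), with_opt=True):
    """Constructed reply for offline use: echoes the question, sets QR|AA and the rcode
    (including extended bits). answers: (owner, rtype, rdata) tuples. Not a server."""
    txid = struct.unpack_from("!H", query, 0)[0]
    body = query[12:skip_name(query, 12) + 4]
    for owner, rtype, rdata in answers:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    if with_opt:
        body += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, (rcode >> 4) << 24, 0)
    header = struct.pack("!HHHHHH", txid, 0x8400 | (rcode & 0xF), 1, len(answers), 0, int(with_opt))
    return header + body
```

Against a live server, `probe("192.0.2.1", "www.example", [(EDNS_OPT_NSID, b"")])`, `probe(..., [(EDNS_OPT_EXPERIMENTAL, b"\x00" * 8)])` and `probe(..., edns_version=1)` are the equivalents of `+nsid`, `+sit`/`+ednsopt` and `+edns=1`; the address is a placeholder. The verdict strings are deliberately coarse: the point is the comparison with the plain reply, not a full diagnosis, and a reply whose answers differ from the baseline for an EDNS(0) probe is exactly the failure the thread describes.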
Re: problem resolving ardownload.adobe.com --enable-sit harmful?
On Fri, 2014-07-04 at 09:41 +1000, Mark Andrews wrote:
> Until Adobe fix their broken servers you can use a server clause to disable sending SIT requests to them. Obviously this does not scale.
>
> server address { request-sit no; };

Thanks. That works for now.
Re: test bind before moving to production
I can't get this to work. I'm trying to use the test URL tst.com. When I open it in my browser, I get a "server not found" error.

In /etc/resolv.conf I changed:

nameserver 127.0.0.1

I set:

chattr +i /etc/resolv.conf

and rebooted and opened the file to verify that it wasn't getting overwritten.

In /etc/named.conf I added:

zone "tst.com" {
    type master;
    file "/var/named/tst.com.zone";
};

I created the file /var/named/tst.com.zone and added:

$TTL 86400
$TTL 604800
@   IN  SOA ns.example.com. root.example.com. (
            1           ; Serial
            604800      ; Refresh
            86400       ; Retry
            2419200     ; Expire
            604800 )    ; Negative Cache TTL
;
@   IN  NS  ns.example.com.
ns  IN  A   127.0.0.1

In /usr/local/apache/conf/httpd.conf I added:

<VirtualHost *:80>
    ServerName tst.com
    DocumentRoot /tmp/public_html_tst01
    <Directory /tmp/public_html_tst01>
        AllowOverride None
        Require all denied
        Options Indexes Includes FollowSymLinks
    </Directory>
    ErrorLog /tmp/apache_logs/error.log
</VirtualHost>

If I run:

named-checkconf /etc/named.conf

I don't get any output. If I run:

named-checkzone tst.com /var/named/tst.com.zone

I get:

zone tst.com/IN: loaded serial 1
OK

I checked the apache error log and it is empty.

Brian

On 07/03/2014 10:39 AM, Jeremy C. Reed wrote:
> On Thu, 3 Jul 2014, brian wrote:
>> I'm new to bind. I want to be able to test the DNS server on my local machine before launching it, by putting the domain names (i.e. example.com) in my browser and browsing the site. Both the dev and production machines are CentOS. I assume I'll need to edit the hosts file to redirect to the local DNS. But with this method I'm not sure how it will resolve multiple domains (i.e. example.com and example2.com).
> The host file (/etc/hosts I assume) won't help. You can use /etc/resolv.conf and have the nameserver line point to your localhost for testing. Or use dig with the @ argument to set the address of the nameserver to use. For example, dig @127.0.0.1 www.example.com. Then also try that from outside systems too, using the @ with the network interface's address.
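The zone in the post above loads cleanly under named-checkzone, but that tool checks syntax, not intent: the zone only defines ns.tst.com, so a lookup of tst.com itself (what the browser asks for) has no A record to return, and 127.0.0.1 only ever means the machine doing the lookup. The checker below is an added example, my own code and not from the thread or from BIND, that parses the subset of master-file syntax used above ($TTL, $ORIGIN, @, relative names, parenthesised SOA, ; comments, optional TTL/class) and reports those two things plus the usual apex checks. POSTED_ZONE is a constructed copy of the zone shown above; FIXED_ZONE is an assumed corrected version that uses the 192.0.2.0/24 documentation range and an in-zone nameserver with glue.

```python
"""Sanity-check a BIND master file before pointing a browser or registrar at it.
Added example (not from the thread or from BIND). named-checkzone validates syntax;
the checks here are about whether the names you intend to use will actually resolve."""

ADDRESS_TYPES = {"A", "AAAA"}
NAME_FIELDS = {"NS": [0], "CNAME": [0], "SOA": [0, 1], "MX": [1]}  # rdata fields holding names

def _logical_lines(text):
    """Strip ; comments and join ( ) continuations (e.g. a multi-line SOA) into single lines."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # keep leading whitespace: it means "same owner"
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out

def _absolute(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, rtype, rdata_tokens) for every record, with all names made absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner = [], origin
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN":
                origin = _absolute(tokens[1], origin)
            continue                               # $TTL and friends do not matter here
        if line[0] in " \t":                       # blank owner field: inherit the previous owner
            owner = last_owner
        else:
            owner, tokens = _absolute(tokens[0], origin), tokens[1:]
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens = tokens[1:]                    # optional TTL and class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, []):
            rdata[i] = _absolute(rdata[i], origin)
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records

def check_zone(text, origin):
    """Return a list of findings; an empty list means the basic checks pass."""
    origin = origin if origin.endswith(".") else origin + "."
    records = parse_zone(text, origin)
    types = {}
    for owner, rtype, _ in records:
        types.setdefault(owner, set()).add(rtype)
    apex, findings = types.get(origin, set()), []
    if "SOA" not in apex:
        findings.append(f"{origin} has no SOA record")
    if "NS" not in apex:
        findings.append(f"{origin} has no NS record at the apex")
    if not apex & ADDRESS_TYPES:
        findings.append(f"{origin} has no A/AAAA record: a browser lookup of the bare domain fails")
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner == origin and rdata[0].endswith("." + origin):
            if not types.get(rdata[0], set()) & ADDRESS_TYPES:
                findings.append(f"in-zone nameserver {rdata[0]} has no A/AAAA (glue) record")
        if rtype == "A" and rdata[0].startswith("127."):
            findings.append(f"{owner} A {rdata[0]} is loopback: fine locally, useless once published")
    return findings

# Constructed copy of the zone posted above.
POSTED_ZONE = """\
$TTL 86400
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
    1        ; Serial
    604800   ; Refresh
    86400    ; Retry
    2419200  ; Expire
    604800 ) ; Negative Cache TTL
;
@ IN NS ns.example.com.
ns IN A 127.0.0.1
"""

# Assumed corrected version: apex and www addresses, in-zone NS with glue (192.0.2.0/24 is documentation space).
FIXED_ZONE = """\
$TTL 604800
@   IN SOA ns.tst.com. hostmaster.tst.com. ( 2 604800 86400 2419200 604800 )
@   IN NS  ns.tst.com.
@   IN A   192.0.2.10
www IN A   192.0.2.10
ns  IN A   192.0.2.10
"""
```

Running `check_zone(POSTED_ZONE, "tst.com")` reports the missing apex address record and the loopback address; `check_zone(FIXED_ZONE, "tst.com")` returns nothing. Once the corrected zone is loaded, `dig @127.0.0.1 tst.com A` (Jeremy's suggestion earlier in the thread) should return the apex address before a browser is tried at all; when the zone is published, the same check with `@` pointed at the public interface tells you what the rest of the world will see.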