Question about edns

2014-07-03 Thread IDS Submit
Good morning,

I have 2 DNS servers:

-BIND 9.10.0-P2-x86 on a 32-bit Windows Server

-BIND 9.10.0-P2-x64 on a 64-bit Windows Server

I have a problem with an MX query for the domain pmk-kunststofftechnik.at

On the 32-bit Windows server with BIND 9.10.0-P2-x86 it's ok:

30-giu-2014 11.46.50.647 edns-disabled: info: success resolving
'pmk-kunststofftechnik.at/MX' (in 'pmk-kunststofftechnik.at'?) after
disabling EDNS

On the 64-bit Windows server with BIND 9.10.0-P2-x64 it's not ok:

30-giu-2014 12:12:23.190 query-errors: debug 1: client 77.xxx.xxx.xxx#63216
(pmk-kunststofftechnik.at): query failed (SERVFAIL) for
pmk-kunststofftechnik.at/IN/MX at ..\query.c:7532

Do you have any suggestions?

Thanks in advance and best regards

Michele


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

test bind before moving to production

2014-07-03 Thread brian
I'm new to bind. I want to be able to test the dns server on my local 
machine before launching it by putting the domain names (ie example.com) 
in my browser and browsing the site.

Both the dev and production machines are CentOS. I assume I'll need to 
edit the host file to redirect to the local dns. But with this method 
I'm not sure how it will resolve multiple domains (i.e. example.com and 
example2.com).

I use a virtual box version of CentOS to run experiments so I can do a 
host/guest thing if needed.

There are 2 ways I'll use the dns in production. At the domain registrar 
I'll either point to this dns server or host the dns at the domain 
registrar and point the A record to the IP.

Brian


Re: test bind before moving to production

2014-07-03 Thread Jeremy C. Reed
On Thu, 3 Jul 2014, brian wrote:

 I'm new to bind. I want to be able to test the dns server on my local
 machine before launching it by putting the domain names (ie example.com) in
 my browser and browsing the site.
 
 
 Both the dev and production machines are CentOS. I assume I'll need to edit
 the host file to redirect to the local dns. But with this method I'm not
 sure how it will resolve multiple domains (i.e. example.com and
 example2.com).

The host file (/etc/hosts I assume) won't help. You can use 
/etc/resolv.conf and have nameserver line point to your localhost for 
testing.

Or use dig with the @ argument to set the address of the nameserver to 
use. For example, dig @127.0.0.1 www.example.com. Then also try that 
from outside systems, using the @ with the network interface's 
address.


Re: test bind before moving to production

2014-07-03 Thread Sten Carlsen


On 03/07/14 16:39, Jeremy C. Reed wrote:
 On Thu, 3 Jul 2014, brian wrote:
 
 I'm new to bind. I want to be able to test the dns server on my local
 machine before launching it by putting the domain names (ie example.com) in
 my browser and browsing the site.


 Both the dev and production machines are CentOS. I assume I'll need to edit
 the host file to redirect to the local dns. But with this method I'm not
 sure how it will resolve multiple domains (i.e. example.com and
 example2.com).
 
 The host file (/etc/hosts I assume) won't help. You can use 
 /etc/resolv.conf and have nameserver line point to your localhost for 
 testing.
 
 Or use dig with the @ argument to set the address of the nameserver to 
 use. For example, dig @127.0.0.1 www.example.com. Then also try that 
 from outside systems, using the @ with the network interface's 
 address.
And note that the name server will not be publicly used until it is
published through the whole DNS chain. That means there is no reason you
could not put everything in place, even public-facing servers: nobody
will use them until referenced properly.


-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!!


Re: problem resolving ardownload.adobe.com --enable-sit harmful?

2014-07-03 Thread Carl Byington
I re-ran the dig to localhost (running bind 9.10.0-P2), and grabbed the
packets with tcpdump.

dig ardownload.adobe.com. @localhost

That sent a query to 192.150.19.247 with flags = 0, edns size = 512, and
got an NXDOMAIN answer. So I tried to reproduce that query with dig:

dig ardownload.wip4.adobe.com a @192.150.19.247 +dnssec +norecur
+noadflag +bufsize=512

According to tcpdump, that sent the same query, but it got the cname
answer.

The outgoing query from the local bind-9.10.0-P2 contains an extra 12
bytes of data in the OPT record, after the Z field containing the DO
bit. This version of bind was compiled with --enable-sit.

It seems that the adobe servers choke on that.




Re: problem resolving ardownload.adobe.com --enable-sit harmful?

2014-07-03 Thread Mark Andrews

I suggest that you log a complaint with Adobe requesting that they
contact their nameserver vendor for a fix.  This bug is similar in
nature to that of http://www.kb.cert.org/vuls/id/714121 (NXDOMAIN
incorrectly returned to a  query).  Unknown EDNS options are
supposed to be ignored by the nameserver, RFC 6891, though that
wasn't clear in RFC 2671.  NXDOMAIN however is an idiotic response
to an unknown EDNS option.

dig ardownload.wip4.adobe.com @da1gtm001.adobe.com +nsid

will also demonstrate this bug and doesn't involve using the experimental
EDNS opcodes that +sit does.

At least the server returns BADVERS to EDNS(1) queries.

There are a number of nameservers that fail to respond correctly
to unknown EDNS options or to EDNS(1) queries.  Dig can demonstrate the
server failing.

dig name @server +edns=1
dig name @server +nsid
dig name @server +sit                  (BIND 9.10.0 compiled with --enable-sit)
dig name @server +ednsopt=#[:payload]  (BIND 9.11.0 or later)

Each domain I have seen failing has had different failure signatures.

It looks like nameserver vendors are not doing even rudimentary
checks like those above.  DiG has those options so that we could
perform checks like these.

Until Adobe fixes their broken servers you can use a server clause to
disable sending SIT requests to them.  Obviously this does not scale.

 server address { request-sit no; };

Mark

In message 1404418984.5134.52.ca...@ns.five-ten-sg.com, Carl Byington writes:
 I re-ran the dig to localhost (running bind 9.10.0-P2), and grabbed the
 packets with tcpdump.
 
 dig ardownload.adobe.com. @localhost
 
 That sent a query to 192.150.19.247 with flags = 0, edns size = 512, and
 got an NXDOMAIN answer. So I tried to reproduce that query with dig:
 
 dig ardownload.wip4.adobe.com a @192.150.19.247 +dnssec +norecur
 +noadflag +bufsize=512
 
 According to tcpdump, that sent the same query, but it got the cname
 answer.
 
 The outgoing query from the local bind-9.10.0-P2 contains an extra 12
 bytes of data in the OPT record, after the Z field containing the DO
 bit. This version of bind was compiled with --enable-sit
 
 It seems that the adobe servers choke on that.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
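The dig checks Mark lists (+edns=1, +nsid, an unknown EDNS option) can be reproduced and scored without dig. What follows is an added example, not ISC, Adobe or bind-users code: it builds the raw queries with Python's struct module, parses the reply including the OPT pseudo-RR, and classifies each probe against the plain EDNS(0) reply, which is the comparison a practitioner makes when reading the tcpdump in this thread. Because it has to run offline, the server side is stood in for by build_reply(); the CNAME target cname-target.example., the private-use option code 65001 and its payload are assumptions, and the constructed replies (NXDOMAIN to the +nsid probe, BADVERS to EDNS(1), a normal answer when the unknown option is simply ignored) mirror what the thread reports rather than a live capture.

```python
import struct

OPT, CNAME = 41, 5
NSID = 3              # RFC 5001 option code: what dig +nsid sends
UNKNOWN_OPT = 65001   # assumed private-use code (RFC 6891 s.9); a compliant server ignores it
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 16: "BADVERS"}


def encode_name(name):
    """Wire-format a dotted name, no compression."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Read a possibly compressed name at off; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off if end is None else end

def build_opt(udp_size=512, version=0, do=True, ext_rcode=0, options=()):
    """OPT RR (RFC 6891): owner '.', class = UDP size, TTL = ext-rcode | version | DO."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    ttl = (ext_rcode << 24) | (version << 16) | (0x8000 if do else 0)
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, len(rdata)) + rdata

def build_query(qname, qtype=1, qid=0x1234, **opt):
    """One question, RD clear (like dig +norecurse), one OPT in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + build_opt(**opt)

def parse_options(rdata):
    opts, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        opts.append((code, rdata[off + 4:off + 4 + length]))
        off += 4 + length
    return opts

def parse_message(msg):
    """Return the rcode (with the OPT's extended bits), the ordinary RRs and the OPT."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4             # skip name, qtype, qclass
    rrs, opt = [], None
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if rtype == OPT:
                opt = {"ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF,
                       "do": bool(ttl & 0x8000), "options": parse_options(rdata)}
            else:
                rrs.append((section, name, rtype, rdata))
    rcode = (flags & 0xF) | ((opt["ext_rcode"] << 4) if opt else 0)
    return {"rcode": rcode, "rrs": rrs, "opt": opt}

def classify(baseline, probe):
    """Compare a probe reply (EDNS(1), +nsid, unknown option) with the plain EDNS(0) reply."""
    if probe["opt"] is None:
        return "no OPT in reply"
    if probe["rcode"] == 16:
        return "BADVERS"                               # correct only for the EDNS(1) probe
    if probe["rcode"] != baseline["rcode"]:
        names = [RCODES.get(r["rcode"], r["rcode"]) for r in (baseline, probe)]
        return "rcode changed: %s -> %s" % tuple(names)
    if [r[1:] for r in probe["rrs"]] != [r[1:] for r in baseline["rrs"]]:
        return "answer changed"
    return "compliant"

def build_reply(query, rcode, answers=(), with_opt=True):
    """Constructed reply standing in for the authoritative server (not a capture)."""
    q_end = query.index(b"\x00", 12) + 5               # name terminator + qtype + qclass
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, 300, len(r)) + r
                    for n, t, r in answers)
    extra = build_opt(ext_rcode=rcode >> 4) if with_opt else b""
    header = query[:2] + struct.pack("!HHHHH", 0x8400 | (rcode & 0xF), 1, len(answers),
                                     0, 1 if with_opt else 0)
    return header + query[12:q_end] + body + extra

def probe_results():
    """The three dig-style checks, against constructed replies that mirror the thread."""
    name = "ardownload.wip4.adobe.com."
    cname = [(name, CNAME, encode_name("cname-target.example."))]  # target is made up
    base = parse_message(build_reply(build_query(name), 0, cname))
    return {
        "+edns=1": classify(base, parse_message(build_reply(build_query(name, version=1), 16))),
        "+nsid": classify(base, parse_message(build_reply(build_query(name, options=[(NSID, b"")]), 3))),
        "unknown option": classify(base, parse_message(build_reply(
            build_query(name, options=[(UNKNOWN_OPT, b"\x00" * 8)]), 0, cname))),
    }
```

To run the same checks against a real server, send build_query(...) over UDP to port 53 with socket.sendto, feed the datagram to parse_message, and take the reply to build_query(name) with no options as the baseline; anything other than "compliant" (or "BADVERS" for the version-1 probe) is the failure signature to put in the complaint to the vendor. The `server address { request-sit no; };` clause in named.conf then only masks the one offender.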


Re: problem resolving ardownload.adobe.com --enable-sit harmful?

2014-07-03 Thread Carl Byington
On Fri, 2014-07-04 at 09:41 +1000, Mark Andrews wrote:

 Until Adobe fix their broken servers you can use a server clause to
 disable sending SIT requests to them.  Obviously this does not scale.

  server address { request-sit no; };

Thanks. That works for now.


Re: test bind before moving to production

2014-07-03 Thread brian
I can't get this to work.  I'm trying to use the test url tst.com.  
When I open it in my browser, I get a server not found error.


In /etc/resolv.conf I changed
  nameserver 127.0.0.1
I set:
 chattr +i /etc/resolv.conf
and rebooted and opened the file to verify that it wasn't getting 
overwritten


In /etc/named.conf I added
zone "tst.com" {
type master;
file "/var/named/tst.com.zone";
};

I created the file /var/named/tst.com.zone and added:
$TTL 86400
$TTL    604800
@   IN  SOA ns.example.com. root.example.com. (
                  1 ; Serial
             604800 ; Refresh
              86400 ; Retry
            2419200 ; Expire
             604800 )   ; Negative Cache TTL
;
@   IN  NS  ns.example.com.
ns  IN  A   127.0.0.1

In /usr/local/apache/conf/httpd.conf I added:
<VirtualHost *:80>
  ServerName tst.com
  DocumentRoot /tmp/public_html_tst01

  <Directory /tmp/public_html_tst01>
    AllowOverride None
    Require all denied
    Options Indexes Includes FollowSymLinks
  </Directory>

  ErrorLog /tmp/apache_logs/error.log
</VirtualHost>

If I run:
named-checkconf /etc/named.conf
I don't get any output

If I run
named-checkzone tst.com /var/named/tst.com.zone
I get:
zone tst.com/IN: loaded serial 1
OK

I checked the apache error log and it is empty.

Brian
On 07/03/2014 10:39 AM, Jeremy C. Reed wrote:

On Thu, 3 Jul 2014, brian wrote:


I'm new to bind. I want to be able to test the dns server on my local
machine before launching it by putting the domain names (ie example.com) in
my browser and browsing the site.


Both the dev and production machines are CentOS. I assume I'll need to edit
the host file to redirect to the local dns. But with this method I'm not
sure how it will resolve multiple domains (i.e. example.com and
example2.com).

The host file (/etc/hosts I assume) won't help. You can use
/etc/resolv.conf and have nameserver line point to your localhost for
testing.

Or use dig with the @ argument to set the address of the nameserver to
use. For example, dig @127.0.0.1 www.example.com. Then also try that
from outside systems, using the @ with the network interface's
address.



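named-checkzone reporting "OK" only proves that the file parses; it says nothing about whether the zone answers the query a browser actually sends, which is an A (and AAAA) lookup for tst.com itself. The zone in the post has no A record at the apex and delegates to ns.example.com., a name outside the zone. The following is an added example, not from the thread or from BIND: a small zone linter that reads a master file the way named does ($TTL/$ORIGIN, @, relative names, parenthesised SOA, owner omitted on continuation records) and reports exactly those two conditions. BRIAN_ZONE is copied from the post; FIXED_ZONE is an assumed corrected version that uses 127.0.0.1 because the test is on the local machine.

```python
CLASSES = {"IN", "CH", "HS"}

# Copied from the post above (only whitespace differs).
BRIAN_ZONE = """\
$TTL 86400
$TTL    604800
@   IN  SOA ns.example.com. root.example.com. (
              1 ; Serial
         604800 ; Refresh
          86400 ; Retry
        2419200 ; Expire
         604800 )   ; Negative Cache TTL
;
@   IN  NS  ns.example.com.
ns  IN  A   127.0.0.1
"""

# Assumed corrected zone (not from the thread): an in-zone nameserver with glue,
# and A records for the apex and www so the browser's lookup of tst.com is answered.
# 127.0.0.1 because the test is on the local machine; production would use the real IP.
FIXED_ZONE = """\
$TTL 604800
@   IN  SOA ns.tst.com. root.tst.com. ( 2 604800 86400 2419200 604800 )
@   IN  NS  ns.tst.com.
ns  IN  A   127.0.0.1
@   IN  A   127.0.0.1
www IN  A   127.0.0.1
"""


def fqdn(name, origin):
    """Master-file rules: '@' is the origin, a name without a trailing dot is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Minimal RFC 1035 master-file reader: comments, ( ) continuation, $TTL/$ORIGIN,
    optional TTL and class, and 'owner omitted means same as the previous record'.
    Returns a list of (owner, type, rdata-tokens)."""
    origin = origin.rstrip(".") + "."
    logical, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf = line if depth == 0 else buf + " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf)
    records, owner = [], origin
    for line in logical:
        toks = line.replace("(", " ").replace(")", " ").split()
        if toks[0] == "$ORIGIN":
            origin = toks[1].rstrip(".") + "."
            continue
        if toks[0].startswith("$"):                    # $TTL and friends do not affect the lint
            continue
        if not line[0].isspace():                      # owner present; else reuse the last one
            owner = fqdn(toks.pop(0), origin)
        if toks and toks[0].isdigit():                 # optional TTL
            toks.pop(0)
        if toks and toks[0].upper() in CLASSES:        # optional class
            toks.pop(0)
        records.append((owner, toks[0].upper(), toks[1:]))
    return records


def lint(records, origin):
    """Findings named-checkzone stays silent about but that break 'open it in a browser'."""
    origin = origin.rstrip(".") + "."
    types = {}
    for owner, rtype, _ in records:
        types.setdefault(owner, set()).add(rtype)
    apex, findings = types.get(origin, set()), []
    for required in ("SOA", "NS"):
        if required not in apex:
            findings.append("%s has no %s record" % (origin, required))
    if not apex & {"A", "AAAA"}:
        findings.append("%s has no A/AAAA record: a browser's lookup of the bare name gets NODATA"
                        % origin)
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner != origin:
            continue
        target = fqdn(rdata[0], origin)
        if target == origin or target.endswith("." + origin):
            if not types.get(target, set()) & {"A", "AAAA"}:
                findings.append("NS %s is in-zone but has no A/AAAA (glue) record" % target)
        else:
            findings.append("NS %s lies outside the zone: resolution depends on another zone serving it"
                            % target)
    return findings


if __name__ == "__main__":
    for label, zone in (("posted", BRIAN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, lint(parse_zone(zone, "tst.com"), "tst.com") or ["ok"])
```

After reloading named with the corrected zone, confirm the DNS half first, as Jeremy suggested, with `dig @127.0.0.1 tst.com A`; a NOERROR reply with an answer section means the "server not found" error is gone. Only then test the Apache half, and note that the posted vhost's `Require all denied` will turn the next failure into a 403 once name resolution works.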