Re: rndc (and now nsupdate too)
On 31.07.2014 21:08, /dev/rob0 wrote:
> The proper tool to manage named configuration and operation, and
> which in the best Unix ethic is well suited for automation, is
> rndc(8).

You cannot always use rndc. For example you can add and delete zones, but you cannot modify zones via rndc.

regards
Klaus

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
DNS reverse sub delegation NXDOMAIN problem, Class C
I am trying to set up a sub reverse delegation to another DNS server; in my case it is a class C. However, I have a class B which has other entries I need to provide.

My class B reverse file, 172.20.rev.txt, has the below:

    $ORIGIN 20.172.IN-ADDR.ARPA.
                NS      ns1.test.com
    43.222  IN  PTR     ns1.test.com.
    97.201  IN  PTR     dev1.test.com.
    .
    .
    .
    etc...

Now I want to send any reverse queries for 220.20.172.IN-ADDR.ARPA to another DNS server, so I set up the following in my reverse file for the ns2.sub.test.com domain:

    ---
    $ORIGIN 20.172.IN-ADDR.ARPA.
                NS      ns1.test.com
    0.220/24    NS      ns2.sub.test.com
    43.222  IN  PTR     ns1.test.com.
    97.201  IN  PTR     dev1.test.com.
    .
    .
    $ORIGIN 220.20.172.IN-ADDR.ARPA.
    $GENERATE 1-255 $ CNAME $.220/24
    ---

When I do a named-checkzone and output it, it seems to have written the right records, like

    42.220.20.172.IN-ADDR.ARPA. TTL IN CNAME 42.220/24.220.20.172.IN-ADDR.ARPA.

and the zone file shows no errors and loads fine. However, when doing a reverse query, it comes back as NXDOMAIN.

Wondering if you could point out what I am doing wrong.

Thank you
Re: DNS reverse sub delegation NXDOMAIN problem, Class C
On 19/08/14 13:12, Bazy V wrote:
> $ORIGIN 20.172.IN-ADDR.ARPA.
> 0.220/24 NS ns2.sub.test.com

You don't need to do this. You just need:

    $ORIGIN 20.172.IN-ADDR.ARPA.
    220 NS ns2.sub.test.com.

RFC 2317 is only needed for /25 and longer.
Re: DNS reverse sub delegation NXDOMAIN problem, Class C
Hi Bazy

On Tue, Aug 19, 2014 at 08:12:58AM -0400, Bazy V wrote:
> so I set up the following in my reverse file for ns2.sub.test.com domain
> ---
> $ORIGIN 20.172.IN-ADDR.ARPA.
>             NS      ns1.test.com
> 0.220/24    NS      ns2.sub.test.com
> 43.222  IN  PTR     ns1.test.com.
> 97.201  IN  PTR     dev1.test.com.

The 220/24 isn't treated as a netmask for automatic expansion. It is used exactly. The only thing that generates records is the $GENERATE directive, but even it doesn't understand 220/24 as something for expansion.

As another poster pointed out, you don't need to delegate a /24 network using classless delegation, but if you want to delegate a set of addresses, say 172.20.200.0-172.20.200.63, you'd use something like this:

(a) In 20.172.IN-ADDR.ARPA. zone:

    0-63.220 NS ns-other.example.com.
    $GENERATE 0-63 $.220 CNAME $.0-63.220
    ; which should generate:
    ; 0.220 CNAME 0.0-63.220.20.172.IN-ADDR.ARPA.
    ; 1.220 CNAME 1.0-63.220.20.172.IN-ADDR.ARPA.
    ; 2.220 CNAME 2.0-63.220.20.172.IN-ADDR.ARPA.
    ; ...
    ; 63.220 CNAME 63.0-63.220.20.172.IN-ADDR.ARPA.

(b) on ns-other.example.com, in 0-63.220.20.172.IN-ADDR.ARPA. zone:

    0 PTR zero.example.com.
    1 PTR one.example.com.
    ; etc.

> .
> .
> $ORIGIN 220.20.172.IN-ADDR.ARPA.
> $GENERATE 1-255 $ CNAME $.220/24
> ---
> When I do a named-checkzone and output it, it seems to have written
> the right records like
> 42.220.20.172.IN-ADDR.ARPA. TTL IN CNAME 42.220/24.220.20.172.IN-ADDR.ARPA.

In your config in zone 20.172.IN-ADDR.ARPA., there are no delegations for 220/24.220.20.172.IN-ADDR.ARPA.

Mukund
Re: DNS reverse sub delegation NXDOMAIN problem, Class C
>On 19/08/14 13:12, Bazy V wrote:
>>$ORIGIN 20.172.IN-ADDR.ARPA.
>>0.220/24 NS ns2.sub.test.com

On 19.08.14 13:37, Phil Mayers wrote:
>You don't need to do this. You just need:
>
>$ORIGIN 20.172.IN-ADDR.ARPA.
>220 NS ns2.sub.test.com.
>
>RFC 2317 is only needed for /25 and longer.

... and it exactly causes the problem. If ns2.sub.test.com contains 220.20.172.IN-ADDR.ARPA, resolution should work the usual way.

Delegating 220/24.20.172.IN-ADDR.ARPA. to ns2.sub.test.com, you'd have to create CNAMEs for 0.220/24 to 255.220/24, which would be overkill.

Note that 0.220/24 wasn't technically correct either; it should be:

    220/24 NS ns2.sub.test.com.
    0.220 CNAME 0.220/24

but that's overkill, as Phil correctly pointed out.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Microsoft dick is soft to do no harm
Runtime disable RRL
Is there a runtime switch or config option to disable RRL? The bind 9.9.5-S1 by default included the RRL enabled, but we would like to run tests with and without the RRL active.

Rick.
Re: Runtime disable RRL
On Tue, 19 Aug 2014, Olsen, Richard William (Rick) CTR DISA PEO-MA (US) wrote:
> Is there a runtime switch or config option to disable RRL? The bind
> 9.9.5-S1 by default included the RRL enabled, but we would like to run
> tests with and without the RRL active.

There isn't a way to disable the code, but you can disable the rate limiting with:

    rate-limit { responses-per-second 0; };

If your tests involve builtin CHAOS, see
https://lists.isc.org/pipermail/bind-users/2014-May/093107.html

Jeremy C. Reed
ISC
RE: Runtime disable RRL
Thanks. We'll try this, otherwise I guess I'll just build a separate binary with RRL disabled.

-----Original Message-----
From: Jeremy C. Reed [mailto:jr...@isc.org]
Sent: Tuesday, August 19, 2014 11:15 AM
To: Olsen, Richard William (Rick) CTR DISA PEO-MA (US)
Cc: bind-users@lists.isc.org
Subject: Re: Runtime disable RRL

> On Tue, 19 Aug 2014, Olsen, Richard William (Rick) CTR DISA PEO-MA (US) wrote:
> > Is there a runtime switch or config option to disable RRL? The bind
> > 9.9.5-S1 by default included the RRL enabled, but we would like to run
> > tests with and without the RRL active.
>
> There isn't a way to disable the code, but you can disable the rate
> limiting with:
>
>     rate-limit { responses-per-second 0; };
>
> If your tests involve builtin CHAOS, see
> https://lists.isc.org/pipermail/bind-users/2014-May/093107.html
>
> Jeremy C. Reed
> ISC
Re: DNS reverse sub delegation NXDOMAIN problem, Class C
One post said 220/24 is not the correct format; another post said that is the format. Not sure which one is correct.

Setting

    220 NS ns2.sub.test.com.

did not work as suggested by Phil.

Having the CNAME $0.220 caused the entries to be

    94.0.220/24.20.172.IN-ADDR.ARPA.

Used the generate statement

    $GENERATE 0-255 $.220 CNAME $.220

This is the only one, irrespective of 0-255.220 or 220 or 220/24 against the NS statement, which gave a reply back without NXDOMAIN, but all it gives as a response is

    94.220.20.172.IN-ADDR.ARPA canonical name = 94.220.20.172.IN-ADDR.ARPA.

However, due to the situation I am in (the Unix / Linux server hosts a /16 subnet) and there is a Windows DNS which hosts a subset /24 of this. Hence trying this out, as it is not possible to get all the information for the hosts and PTRs in the /24 subnet and host my own class C PTR file.
Re: DNS reverse sub delegation NXDOMAIN problem, Class C
On 19.08.14 11:54, Bazy V wrote:
>One post said 220/24 is not the correct format; another post said that is
>the format.

no post said this.

>Not sure which one is correct.

220.20.172.IN-ADDR.ARPA is the correct zone into which to put PTR records.

>Setting 220 NS ns2.sub.test.com.

this belongs to the 20.172.IN-ADDR.ARPA domain on your recursive nameserver - the one your resolv.conf points to.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
To Boot or not to Boot, that's the question. [WD1270 Caviar]
no servers found
Hi,

I am running BIND 9.6-ESV-R5-P1 on a Solaris 10 server. I can run queries without specifying a name server on my Solaris servers successfully. When I try to run a query on a Solaris 10 virtual server, I get a "connection timed out; no servers could be reached" error.

If I add the name servers from our main campus (or 8.8.8.8) to the virtual server's resolv.conf file, then dig will use the other name server and skip my name server to resolve the query, which is successful.

If I use dig and specify my master name server, then the query works fine.

I do not understand why the virtual server cannot find the name servers on my campus (my building) unless I specify it.

Host file contents of virtual server:

    #
    # Internet host table
    #
    ::1             localhost
    127.0.0.1       localhost
    64.131.119.61   dnstest.kentlaw.edu dnstest loghost
    64.131.119.11   nsa.kentlaw.edu nsa
    64.131.119.12   nsb.kentlaw.edu nsb

resolv.conf contents of virtual server:

    domain kentlaw.edu
    nameserver 66.131.119.11
    nameserver 66.131.119.12
    nameserver 216.47.128.11
    nameserver 216.47.128.12
    nameserver 8.8.8.8
    search kentlaw.edu

Larry

Lawrence Adamiec
UNIX Mgr/Web Support Specialist
Illinois Institute of Technology-DTC
565 W. Adams St.
Chicago, IL 60661
Re: no servers found
Hi--

On Aug 19, 2014, at 1:47 PM, Adamiec, Lawrence ladam...@kentlaw.iit.edu wrote:
> I am running BIND 9.6-ESV-R5-P1 on a Solaris 10 server. I can run
> queries without specifying a name server on my Solaris servers
> successfully. When I try to run a query on a Solaris 10 virtual
> server, I get a "connection timed out; no servers could be reached"
> error.
>
> If I add the name servers from our main campus (or 8.8.8.8) to the
> virtual server's resolv.conf file, then dig will use the other name
> server and skip my name server to resolve the query, which is
> successful.

It's fairly normal for virtualization stuff to forbid network access from a VM to the host, via some combination of network interface configuration and NAT/firewall rules.

If you're using VirtualBox, look into bridged adaptor, i.e.:

https://www.virtualbox.org/manual/ch06.html#network_bridged

Regards,
-- 
-Chuck
Re: no servers found
I should have said it was a Solaris 10 zone (container). I am not using VirtualBox, VMware, or other third party software.

Larry

On Tue, Aug 19, 2014 at 3:54 PM, Charles Swiger cswi...@mac.com wrote:
> Hi--
>
> On Aug 19, 2014, at 1:47 PM, Adamiec, Lawrence ladam...@kentlaw.iit.edu wrote:
> > I am running BIND 9.6-ESV-R5-P1 on a Solaris 10 server. I can run
> > queries without specifying a name server on my Solaris servers
> > successfully. When I try to run a query on a Solaris 10 virtual
> > server, I get a "connection timed out; no servers could be reached"
> > error.
> >
> > If I add the name servers from our main campus (or 8.8.8.8) to the
> > virtual server's resolv.conf file, then dig will use the other name
> > server and skip my name server to resolve the query, which is
> > successful.
>
> It's fairly normal for virtualization stuff to forbid network access
> from a VM to the host, via some combination of network interface
> configuration and NAT/firewall rules.
>
> If you're using VirtualBox, look into bridged adaptor, i.e.:
>
> https://www.virtualbox.org/manual/ch06.html#network_bridged
>
> Regards,
> --
> -Chuck
Re: DNS reverse sub delegation NXDOMAIN problem, Class C
Sorry, this is going to be a pedantic post, so I might as well start here:

> Subject: Re: DNS reverse sub delegation NXDOMAIN problem, Class C

No, there's no such thing as Class C, so please forget that. It's a /24 network. CIDR is in; class is dismissed.

On Tue, Aug 19, 2014 at 07:03:20PM +0200, Matus UHLAR - fantomas wrote:
> On 19.08.14 11:54, Bazy V wrote:
> > One post said 220/24 is not the correct format; another post said
> > that is the format.
>
> no post said this.

Right. I wonder where the OP got that idea?

> > Not sure which one is correct.
>
> 220.20.172.IN-ADDR.ARPA is the correct zone into which to put PTR
> records.
>
> > Setting 220 NS ns2.sub.test.com.

Test.com is a real Internet domain. Please don't use that if you aren't the actual owner.

> this belongs to the 20.172.IN-ADDR.ARPA domain

Yes, to repeat, and enhanced for RFC 2606 compliance:

    220 NS ns2.sub.example.com.

> on your recursive nameserver - the one your resolv.conf points to.

Well no, not necessarily. This is authoritative service we are discussing here.

That said, sure, typically you're going to host such internal-only zones on a server that also does recursion. That's not required, however. The recursive server could have stub or static-stub zones, or even an alternate root zone, which points to the authoritative server.

Pedantry complete.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
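
Added example, not part of the thread and not BIND code: a small Python lint for the reverse-delegation discussion above. It expands a parent zone's records and reports CNAMEs whose targets fall under no delegation (the NXDOMAIN case) or point back at themselves (the "canonical name = itself" case). The parser is a minimal stand-in for BIND's that understands only $ORIGIN, simple records and a four-field $GENERATE; the function names are hypothetical, and the zone text is constructed from the thread with example.com names substituted.

```python
# Added example; assumes each sample starts with $ORIGIN and holds only NS/CNAME records.
def absolute(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, type, target) tuples with absolute names. Understands only
    $ORIGIN, 'owner [IN] TYPE target' and '$GENERATE lo-hi lhs TYPE rhs'."""
    origin, records = "", []
    for line in text.splitlines():
        f = [t for t in line.split(";")[0].split() if t.upper() != "IN"]
        if not f:
            continue
        if f[0].upper() == "$ORIGIN":
            origin = f[1].lower()
            continue
        if f[0].upper() == "$GENERATE":
            lo, hi = map(int, f[1].split("-"))
            rows = [[x.replace("$", str(i)) for x in f[2:5]] for i in range(lo, hi + 1)]
        else:
            rows = [f[:3]]
        for owner, rtype, target in rows:
            records.append((absolute(owner, origin), rtype.upper(), absolute(target, origin)))
    return records

def check_cnames(zone, text):
    """List in-zone CNAMEs whose target is not under a delegation made in this zone."""
    zone, records = zone.lower(), parse_zone(text)
    cuts = {o for o, t, _ in records if t == "NS" and o != zone}
    owners = {o for o, t, _ in records if t != "CNAME"}
    problems = []
    for owner, rtype, target in records:
        if rtype != "CNAME" or not target.endswith("." + zone):
            continue  # out-of-zone targets are resolved elsewhere
        if target == owner:
            problems.append((owner, "CNAME points at itself"))
        elif target not in owners and not any(target.endswith("." + c) for c in cuts):
            problems.append((owner, "target " + target + " has no delegation"))
    return problems

ZONE = "20.172.in-addr.arpa."
HEAD = "$ORIGIN " + ZONE + "\n@ NS ns1.example.com.\n"
# Constructed from the thread's three variants, with RFC 2606 example.com names.
ORIGINAL = HEAD + ("0.220/24 NS ns2.sub.example.com.\n$ORIGIN 220.20.172.in-addr.arpa.\n"
                   "$GENERATE 1-255 $ CNAME $.220/24\n")
SELF_REF = HEAD + "220 NS ns2.sub.example.com.\n$GENERATE 0-255 $.220 CNAME $.220\n"
RFC2317 = HEAD + "0-63.220 NS ns-other.example.com.\n$GENERATE 0-63 $.220 CNAME $.0-63.220\n"

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("self-ref", SELF_REF), ("rfc2317", RFC2317)):
        print(name, len(check_cnames(ZONE, text)))
```

The first sample flags all 255 generated CNAMEs, the second flags 256 self-references, and the RFC 2317 layout with a matching 0-63.220 delegation comes back clean.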