Re: dig and IDN

2016-10-12 Thread Anand Buddhdev
On 13/10/16 00:17, Mark Elkins wrote:

Hi Mark,

> Is there any way within dig to switch off the puny to UTF8 translations?
> Some flag? Environmental variable?

IDN_DISABLE=1

Regards,
Anand
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


dig and IDN

2016-10-12 Thread Mark Elkins
O.S. - Linux Gentoo.
BIND/BIND Tools: BIND 9.10.4-P3

I've been using "dig axfr" to fetch signed and unsigned zones for doing
comparisons. The output is easy to parse as dig gives one line records -
fully qualified - etc.

One of the records includes some IDN (Puny) stuff..

xn--caf-dma.dnssec.co.za. A   160.124.48.8

This comes back in a dig axfr as:

café.dnssec.co.za.  86400   IN  A   160.124.48.8

If I then use "validns" on this "zone-file" - the "café" records are
marked as errors.  (record name is not valid)


Is there any way within dig to switch off the puny to UTF8 translations?
Some flag? Environmental variable?

Seems like LANG=en_US.utf8 makes the conversion happen.
I actually use LANG=en_ZA.utf8 - so I can type French from my US layout
ASCII keyboard

ps. Checking with dnssec-verify does not give this error.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
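
When output has already been captured without IDN_DISABLE=1, the U-label names can be converted back before feeding the file to a zone checker. The following is an added example, not code from the thread or from BIND: it uses Python's standard idna codec to turn non-ASCII owner names in dig-style one-line records back into xn-- A-labels. The function names and the second sample record are constructed, and it assumes only the owner-name field needs converting.

```python
import re

# Constructed sample in the one-record-per-line shape that dig axfr prints.
# The first record is the one quoted in the post; the second is made up.
SAMPLE = (
    "café.dnssec.co.za.\t86400\tIN\tA\t160.124.48.8\n"
    "www.dnssec.co.za.\t86400\tIN\tA\t160.124.48.8\n"
)


def to_a_label(name):
    """Return name with every non-ASCII label replaced by its xn-- form.

    ASCII labels (including '*' and '_service' labels) are left untouched.
    Python's built-in codec implements IDNA 2003.
    """
    labels = []
    for label in name.split("."):
        if label and not label.isascii():
            label = label.encode("idna").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def normalise_axfr(text):
    """Rewrite owner names to A-labels; return (new_text, [(before, after)])."""
    out, changed = [], []
    for line in text.splitlines():
        m = re.match(r"(\S+)(\s.*)?$", line)
        # Leave blank lines, comments and continuation lines as they are.
        if not m or line.startswith(";"):
            out.append(line)
            continue
        owner = to_a_label(m.group(1))  # assumption: only the owner field
        if owner != m.group(1):
            changed.append((m.group(1), owner))
        out.append(owner + (m.group(2) or ""))
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    fixed, changed = normalise_axfr(SAMPLE)
    print(fixed, end="")
    for before, after in changed:
        print(f"; rewrote {before} -> {after}")
```
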




Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Dennis Clarke

On 10/12/16 15:07, Evan Hunt wrote:

> On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote:
>> On 10/12/16 13:36, Evan Hunt wrote:
>>> I recommend using "delv" instead.  "dig +sigchase" isn't good code.
>>
>> ? well that is news to me  :-\
>
> It's code that was contributed over ten years ago; we put it into dig
> (hidden behind #ifdef's) because at the time there was no better
> alternative, but we never formally supported it.  It's buggy and
> broken in a number of edge cases and hasn't really kept up with the
> evolution of DNSSEC.
>
> Please try "delv" and if you find that it doesn't meet your needs,
> let me know so I can try to improve it.
>
> NLNetLabs's "drill" is also useful.
>
>>> I expect we'll be removing it in a future release.
>>
>> cool .. so ... any change in our build process here ? A configure change
>> ? Anything ?
>
> No, delv is built and installed in BIND 9.10 and higher.



Thing of beauty.  Now I understand why there wasn't a configure option 
for sigchase and we needed a define. Makes sense.


Moving upwards to 9.11 anyways.

Thanks for the info.

Dennis



Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Evan Hunt
On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote:
> On 10/12/16 13:36, Evan Hunt wrote:
> > I recommend using "delv" instead.  "dig +sigchase" isn't good code.
> 
> ? well that is news to me  :-\

It's code that was contributed over ten years ago; we put it into dig
(hidden behind #ifdef's) because at the time there was no better
alternative, but we never formally supported it.  It's buggy and
broken in a number of edge cases and hasn't really kept up with the
evolution of DNSSEC.

Please try "delv" and if you find that it doesn't meet your needs,
let me know so I can try to improve it.

NLNetLabs's "drill" is also useful.

> > I expect we'll be removing it in a future release.
> 
> cool .. so ... any change in our build process here ? A configure change 
> ? Anything ?

No, delv is built and installed in BIND 9.10 and higher.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: How to request ixfr updates against public ip directly instead of unicast ip in bind

2016-10-12 Thread Matus UHLAR - fantomas

On 12.10.16 20:57, rams wrote:

> I have master and slave servers. When we have updates in master, slave is
> getting updated after 20 or 30 minutes.
> When I look into tcpdump packets, Slave is trying with master unicast ip to
> get updates. We don't have port opened slave to master with unicast ip and
> we have port opened slave to master with public ip.
>
> Do we have any option checking for SOA value directly with public ip of
> master instead of unicast ip.


I don't get it. What do you mean by "unicast" and "public" IP?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 


Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Dennis Clarke

On 10/12/16 13:36, Evan Hunt wrote:

> On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote:
>> Was trying to run dig commands to do some dnssec validation and got the
>> following message "
>>
>> "Invalid option: +sigchase"
>
> I recommend using "delv" instead.  "dig +sigchase" isn't good code.

? well that is news to me  :-\

> I expect we'll be removing it in a future release.

cool .. so ... any change in our build process here ? A configure change
? Anything ?



Dennis





Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Evan Hunt
On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote:
> Was trying to run dig commands to do some dnssec validation and got the 
> following message "
> 
> "Invalid option: +sigchase"

I recommend using "delv" instead.  "dig +sigchase" isn't good code.
I expect we'll be removing it in a future release.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Dennis Clarke

On 10/12/16 11:40, Bhangui, Sandeep - BLS CTR wrote:

> Hi
>
> Running ISC Bind 9.10.4-P2 will be soon moving to 9.10.4-P3.
>
> Was trying to run dig commands to do some dnssec validation and got the
> following message "
>
> "Invalid option: +sigchase"
>
> When checked found that the dig utility has to be compiled with
> "-DDIG_SIGCHASE" option for that apparently looks like I have not done when we
> compiled 9.10.4-P2
>
> I plan to soon compile 9.10.4.-P3 is it simply using " --DDIG_SIGCHASE" when I
> compile which will then allow me to run the dig binary with the "+sigchase"
> option?
>
> My current compile options are as follows so would I be just adding
> "--DDIG_SIGCHASE" to get the dig binary which will allow me run dig with
> +sigchase option when I run the compile for 9.10.4-P3?



Create an environment var thus :

STD_CDEFINES="-D_TS_ERRNO -D_POSIX_PTHREAD_SEMANTICS -D_LARGEFILE64_SOURCE -DDIG_SIGCHASE=1"


Then run configure and carry on as usual.  Test with :

$ dig @my1.mydnsserver.com facebook.com +sigchase +trace



Dennis







dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Bhangui, Sandeep - BLS CTR
Hi

Running ISC Bind 9.10.4-P2 will be soon moving to 9.10.4-P3.

Was trying to run dig commands to do some dnssec validation and got the 
following message "

"Invalid option: +sigchase"

When checked found that the dig utility has to be compiled with 
"-DDIG_SIGCHASE" option for that apparently looks like I have not done when we 
compiled 9.10.4-P2

I plan to soon compile 9.10.4.-P3 is it simply using " --DDIG_SIGCHASE" when I 
compile which will then allow me to run the dig binary with the "+sigchase" 
option?

My current compile options are as follows so would I be just adding 
"--DDIG_SIGCHASE" to get the dig binary which will allow me run dig with 
+sigchase option when I run the compile for 9.10.4-P3?


 BIND 9.10.4-P2 
running on SunOS sun4u 5.10 Generic_150400-39
built by make with '--build=sparc-sun-solaris2.10' 
'--host=sparc-sun-solaris2.10' '--with-openssl' '--with-libxml2' 
'--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' 
'--enable-threads' '--enable-sit' '--enable-largefile' '--enable-full-report' 
'--enable-fetchlimit' '--prefix=/usr/local/named-jail9.10.4P2' 
'--bindir=/usr/local/named-jail9.10.4P2/usr/bin' 
'--sbindir=/usr/local/named-jail9.10.4P2/usr/sbin' 
'--libexecdir=/usr/local/named-jail9.10.4P2/usr/libexec' 
'--sysconfdir=/usr/local/named-jail9.10.4P2/etc' 
'--sharedstatedir=/usr/local/named-jail9.10.4P2/usr/shared' 
'--localstatedir=/usr/local/named-jail9.10.4P2/var' 
'--libdir=/usr/local/named-jail9.10.4P2/usr/lib' 
'--includedir=/usr/local/named-jail9.10.4P2/usr/include' 
'--mandir=/usr/local/named-jail9.10.4P2/usr/man' 
'build_alias=sparc-sun-solaris2.10' 'host_alias=sparc-sun-solaris2.10'

Thanks in advance

Thanks
Sandeep



Re: How to request ixfr updates against public ip directly instead of unicast ip in bind

2016-10-12 Thread Barry Margolin
In article ,
 rams  wrote:

> Hi,
> Greetings!!!
> I have master and slave servers. When we have updates in master, slave is
> getting updated after 20 or 30 minutes.
> When I look into tcpdump packets, Slave is trying with master unicast ip to
> get updates. We don't have port opened slave to master with unicast ip and
> we have port opened slave to master with public ip.
> 
> Do we have any option checking for SOA value directly with public ip of
> master instead of unicast ip.

It uses whatever address is in the "master" statement in named.conf.

-- 
Barry Margolin
Arlington, MA


How to request ixfr updates against public ip directly instead of unicast ip in bind

2016-10-12 Thread rams
Hi,
Greetings!!!
I have master and slave servers. When we have updates in master, slave is
getting updated after 20 or 30 minutes.
When I look into tcpdump packets, Slave is trying with master unicast ip to
get updates. We don't have port opened slave to master with unicast ip and
we have port opened slave to master with public ip.

Do we have any option checking for SOA value directly with public ip of
master instead of unicast ip.

Thanks & Regards,
Ramesh