Unexpected change in notify log format?

2017-08-24 Thread MURTARI, JOHN
Folks,
We'd had a discussion back in February (Bind query log format)
about the perils of changes to the log formats.

Just got bit by an earlier change used for logging notify
messages. Had to run some regression tests. Looks like it occurred between
9.9.8 and 9.9.9:

FROM: 24-Aug-2017 12:14:33 notify: info: client 10.10.10.10#27069: received notify for zone 'example.com'
TO:   24-Aug-2017 12:55:31 notify: info: client @0x1bdcf300 10.10.10.10#56633: received notify for zone 'example.com'

Wasn't noticed till recently when a utility script started
failing. Field counting to find the zone name and the extra field caused it to
run off the tracks... I did try some 'due diligence' and checked release
notes for 9.9.9. Couldn't find anything, but might have missed it.

In any case, especially in a large organization, I doubt it
would have been noted by the original script writer. Not sure if we had a
consensus on this and balancing ISC developers' desires to give us good service
and quick debug of issues (which we much appreciate!) and end user desires to
keep things stable. How about:


1.   Any future log format changes should attempt to add additional fields 
at the END of the existing message.

2.   A debug-level mask option in the named.conf to activate a change in a 
log format.

Best regards!
John Murtari



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
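
The failure described in the message above, as an added example that is not part of the original post: counting whitespace fields returns the wrong token once the `@0x...` field appears, while a pattern anchored on the literal markers reads both formats. The function names and the extra "drifted" case are assumptions made for illustration.

```python
import re

# Constructed samples: the two notify formats quoted in the post, unwrapped.
OLD = ("24-Aug-2017 12:14:33 notify: info: client 10.10.10.10#27069: "
       "received notify for zone 'example.com'")
NEW = ("24-Aug-2017 12:55:31 notify: info: client @0x1bdcf300 "
       "10.10.10.10#56633: received notify for zone 'example.com'")

# Anchor on literal markers instead of field positions; the object
# pointer that appears in the newer format is optional.
NOTIFY_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) notify: (?P<severity>\w+): client "
    r"(?:(?P<obj>@0x[0-9a-fA-F]+) )?"
    r"(?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"received notify for zone '(?P<zone>[^']+)'"
)

def zone_by_field_count(line):
    """Fragile approach: assume the zone is the 11th whitespace field."""
    fields = line.split()
    return fields[10].strip("'") if len(fields) > 10 else None

def parse_notify(line):
    """Return a dict of named fields, or None if the line does not match."""
    m = NOTIFY_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def parse_log(lines):
    """Split lines into parsed records and notify lines that failed to parse,
    so a future format change is reported rather than silently mis-read."""
    parsed, unparsed = [], []
    for line in lines:
        rec = parse_notify(line.rstrip("\n"))
        if rec is not None:
            parsed.append(rec)
        elif "received notify for zone" in line:
            unparsed.append(line)
    return parsed, unparsed

if __name__ == "__main__":
    for sample in (OLD, NEW):
        print(zone_by_field_count(sample), parse_notify(sample)["zone"])
```

Alerting on a non-empty `unparsed` list turns the next format change into a visible event instead of a script that quietly reads the wrong field.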

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-24 Thread Tom Browder
On Thu, Aug 24, 2017 at 03:17 Matus UHLAR - fantomas 
wrote:
...


> I suggest
> - replace X.TLD. with "@" (BIND uses this as current origin)
>
> the result is:
>
> @   IN  A   142.54.186.2
> @   IN  MX  10  mail.example.com.
> @   IN  TXT "v=spf1 mx -all"


Thanks, Matus.

-Tom

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-24 Thread Matus UHLAR - fantomas

On 23.08.17 19:28, Tom Browder wrote:

> I have a single remote server with one IP address (142.54.186.2) I am using
> it to host multiple, independent domains.  I am working on configuring a
> single postfix instance to serve mail for all domains (assuming I can
> successfully rewrite appropriate parts of mail in and out).
>
> From referring to "DNS and BIND" and previous discussions here and on the
> postfix users list I have re-examined my domain DNS records to see if I can
> cover my requirements more easily.
>
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.    IN  A      142.54.186.2.
> *.X.TLD.  IN  CNAME  X.TLD.
> X.TLD.    IN  MX     10   142.54.186.2.
> X.TLD.    IN  TXT    "v=spf1 mx -all"


as others suggested:
- get rid of the wildcard whenever possible
- get rid of the trailing dot in A record
- point MX to canonical name of the server

I suggest
- replace X.TLD. with "@" (BIND uses this as current origin)

the result is:

@   IN  A   142.54.186.2
@   IN  MX  10  mail.example.com.
@   IN  TXT "v=spf1 mx -all"


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
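
The three corrections listed in the message above, turned into a small check (an added example, not part of the original post). It assumes plain `owner IN TYPE rdata` lines without TTLs or multi-line records; `lint_zone` and its messages are illustrative names.

```python
import ipaddress

# Records as proposed in the question (X.TLD is the poster's placeholder).
PROPOSED = """\
X.TLD.    IN  A      142.54.186.2.
*.X.TLD.  IN  CNAME  X.TLD.
X.TLD.    IN  MX     10   142.54.186.2.
X.TLD.    IN  TXT    "v=spf1 mx -all"
"""
# Records after the suggestions in the reply.
REVISED = """\
@   IN  A   142.54.186.2
@   IN  MX  10  mail.example.com.
@   IN  TXT "v=spf1 mx -all"
"""

def is_ipv4(text):
    """True only for a clean dotted quad (a trailing dot is rejected)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def lint_zone(text):
    """Return (line_number, message) findings for the mistakes discussed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 3)
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        owner, rtype, rdata = fields[0], fields[2].upper(), fields[3]
        if owner.startswith("*."):
            findings.append((no, "wildcard owner name"))
        if rtype == "A" and not is_ipv4(rdata):
            findings.append((no, "A rdata is not a dotted-quad IPv4 address"))
        if rtype == "MX":
            parts = rdata.split()
            # The exchange must be a host name; an address literal is an error.
            if len(parts) == 2 and is_ipv4(parts[1].rstrip(".")):
                findings.append((no, "MX exchange is an IP address, not a host name"))
    return findings

if __name__ == "__main__":
    print(lint_zone(PROPOSED))
    print(lint_zone(REVISED))
```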


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-24 Thread Reindl Harald



On 24.08.2017 at 04:57, Grant Taylor wrote:
> On 08/23/2017 07:50 PM, Reindl Harald wrote:
>> which means again: additional dns lookups while ip-addresses and ranges
>> are done with a single lookup
>
> Yes, it does mean additional lookups, which there are a finite number of.
>
>> besides it's not true because SPF has nothing to do with PTR and they
>> won't get https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
>> how is that related to the topic at all?
>
> It's my understanding that some SPF implementations will do a reverse
> DNS lookup on the connecting IP and test the name from the PTR record
> against the SPF record of the purported sending domain.

that's not the job of SPF at all and at least no sane implementation
talking about mailservers and DNS is using just the PTR without verifying
it against the A-record *because* you can't forge both but you may
control the PTR records of a random network like we do for our public /24

> Thus the ability for Evil Spammer to arrange for the PTR record of their
> server to return a name that is allowed via SPF

but again: SPF is not about dns names


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-24 Thread Reindl Harald



On 24.08.2017 at 04:26, John Levine wrote:
> This has nothing to do with BIND, but anyway.
>
> In article  you write:
>> I would personally try to use -all for new domains from the word go.
>
> Only if you want your mail to mysteriously disappear.  There are a lot
> of perfectly legitimate ways to send and route mail that SPF cannot
> describe.  Unless your name is Paypal or you are otherwise a giant
> phish target, -all is not what you want

sorry but that is FUD

we are hosting some hundred domains and have for *every* domain -all
over *8 years* while the peak of hosted addresses was 25000
