Re: Question about reverse zone

2018-02-12 Thread Michelle Konzack
Good morning,

On 2018-02-13 Mark Andrews hammered into the keys:
> ISPs are only scared of it because people may add “.sucks” as
> the name in the PTR record.

ROTFL!

> Mark

Have a nice day

-- 
Michelle Konzack        Miila ITSystems @ TDnet
GNU/Linux Developer 00372-54541400

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Question about reverse zone

2018-02-12 Thread Mark Andrews
The reverse of a /8 is pretty big.  I would do it as reverses of /16s or /24s.
That also lets you mix and match management styles, but for a /24 which has
multiple administrators DNS UPDATE is still the way to go.

Machines should be updating their own PTR records using DNS UPDATE.  DNS UPDATE
over TCP from the address to be updated is secure enough for 99.9% of uses.

ISPs are only scared of it because people may add “.sucks” as the name in
the PTR record.

Mark

> On 13 Feb 2018, at 10:36 am, Darcy Kevin (FCA)  
> wrote:
> 
> You mean, don't slave 100.10.in-addr.arpa at all, and just maintain 
> 10.in-addr.arpa locally?
> 
> The problem the original poster may run into, however, is that there may be 
> other records in 100.10.in-addr.arpa that change dynamically, and those 
> changes may not be reflected if only 10.in-addr.arpa is maintained locally.
> 
> To be sure, a "sync" script could be run periodically to keep 10.in-addr.arpa 
> up to date. I've written such things in the past. But now we're talking about 
> custom software, not something that can be accomplished using just BIND and 
> its associated tools...
> 
> The other approach is to define zones for just the specific names that need 
> to be "overridden" from the slave zone (Microsoft calls them "pinpoint 
> zones"). That's a terrible solution, of course, since these zones are 
> undelegated from their parent and thus special care must be taken to ensure 
> that all resolvers which need to resolve the names in a specific way are 
> configured appropriately (using master/slave/stub/forward). But at least it 
> can be implemented using only BIND and its tools.
> 
>   
> - Kevin

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org


RE: Question about reverse zone

2018-02-12 Thread Darcy Kevin (FCA)
You mean, don't slave 100.10.in-addr.arpa at all, and just maintain 
10.in-addr.arpa locally?

The problem the original poster may run into, however, is that there may be 
other records in 100.10.in-addr.arpa that change dynamically, and those changes 
may not be reflected if only 10.in-addr.arpa is maintained locally.

To be sure, a "sync" script could be run periodically to keep 10.in-addr.arpa 
up to date. I've written such things in the past. But now we're talking about 
custom software, not something that can be accomplished using just BIND and its 
associated tools...

The other approach is to define zones for just the specific names that need to 
be "overridden" from the slave zone (Microsoft calls them "pinpoint zones"). 
That's a terrible solution, of course, since these zones are undelegated from 
their parent and thus special care must be taken to ensure that all resolvers 
which need to resolve the names in a specific way are configured appropriately 
(using master/slave/stub/forward). But at least it can be implemented using 
only BIND and its tools.


- Kevin




-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark 
Andrews
Sent: Monday, February 12, 2018 6:19 PM
To: Julie Xu 
Cc: bind-users@lists.isc.org
Subject: Re: Question about reverse zone

In this example since the address is the same I would just pick one name (the 
name the machine knows itself as) and use that name for the PTR record.

I would also use DNS UPDATE to update the reverse zones rather than editing 
master files.  You can delegate update authority down to the  tuple 
level with DNS UPDATE.  Then it doesn’t matter which machines are holding 
master files for the reverse zones.

Mark


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org


Re: Question about reverse zone

2018-02-12 Thread Mark Andrews
In this example since the address is the same I would just pick
one name (the name the machine knows itself as) and use that name for the
PTR record.

I would also use DNS UPDATE to update the reverse zones rather than
editing master files.  You can delegate update authority down to the
 tuple level with DNS UPDATE.  Then it doesn’t matter which
machines are holding master files for the reverse zones.

Mark


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
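Mark's advice in this message, and in his other one on splitting the /8 into /16 or /24 reverses, is to let each machine register its own PTR via DNS UPDATE over TCP. As an added illustration (not code from the thread or from BIND), the following Python builds that RFC 2136 UPDATE message from scratch using only the standard library; the zone 100.10.in-addr.arpa, address 10.100.10.20 and name host.ddd.abc.edu.au are the ones from Julie's question, and the server argument of send_update_tcp is a placeholder for the reverse zone's primary.

```python
# Added example: build an RFC 2136 DNS UPDATE that adds one PTR record, using
# only the standard library. 10.100.10.20 / 100.10.in-addr.arpa are the
# constructed values from this thread.
import socket
import struct

OPCODE_UPDATE = 5                  # RFC 2136 section 2: opcode 5 = UPDATE
CLASS_IN, TYPE_SOA, TYPE_PTR = 1, 6, 12

def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r} in {name}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def reverse_name(ipv4: str) -> str:
    """10.100.10.20 -> 20.10.100.10.in-addr.arpa"""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def build_ptr_update(zone: str, ipv4: str, target: str, ttl=3600, msg_id=0x1234) -> bytes:
    """Header + Zone section (zone name, type SOA) + one PTR RR in the Update
    section; no prerequisites and no additional records."""
    owner = reverse_name(ipv4)
    # Once 100.10.in-addr.arpa is delegated, the PTR for 10.100.10.20 belongs in
    # that zone, not in 10.in-addr.arpa: refuse owners outside the named zone.
    if not owner.endswith("." + zone.rstrip(".")):
        raise ValueError(f"{owner} is not inside zone {zone}")
    # ID, flags (QR=0, OPCODE=5), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = encode_name(target)
    update_rr = (encode_name(owner)
                 + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + zone_section + update_rr

def parse_header(message: bytes) -> dict:
    """Decode the 12-byte header so a message can be inspected before sending."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", message[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}

def send_update_tcp(server: str, message: bytes, port: int = 53) -> int:
    """Send over TCP (2-byte length prefix, RFC 1035 4.2.2); return the reply RCODE
    (0 = NOERROR). The TCP source address is what the server's policy checks."""
    with socket.create_connection((server, port), timeout=5) as s:
        s.sendall(struct.pack("!H", len(message)) + message)
        reply = b""
        while len(reply) < 2 or len(reply) < 2 + struct.unpack("!H", reply[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("short DNS reply")
            reply += chunk
    return parse_header(reply[2:])["rcode"]
```

Whether the primary accepts the update is decided by its update policy; this block only shows what goes over the wire and why the owner name must fall inside the delegated child zone.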


Question about reverse zone

2018-02-12 Thread Julie Xu

Hi,

I have a zone, we say abc.edu.au, and all private addresses in 10.0.0.0/8 are in
this zone. So, I have an existing reverse zone 10.in-addr.arpa. I am the master.

Now, there is a new zone required: ddd.abc.edu.au, whose reverse should be
100.10.in-addr.arpa; we are secondary for this zone.

However, currently there are some IP addresses in zone abc.edu.au which are in
the range, and they are still required.

For example, we want host.ddd.abc.edu.au and app.abc.edu.au to both exist.
The host.ddd.abc.edu.au – 10.100.10.20 – transferred from the master DNS for
the domain (both forward/reverse zones)
The app.abc.edu.au – 10.100.10.20 – originally in the 10.0.0.0/8 zone file for
which we are the master.

Both are A records.

What will happen if I create a second reverse zone for 100.10.in-addr.arpa? Will
my current app.abc.edu.au be lost? If so, do I have any way to work around it?

Any comments will be appreciated

Thanks in advance


Julie Xu


Re: Minimum TTL?

2018-02-12 Thread wbrown
From: "Reindl Harald" 
> To: bind-users@lists.isc.org

> the ISP has no business to touch any package between source and me
> because he can't know the implications - he even must not know about
> them because it's not his business

And yet they do (Supercookies?), and sell that data to any and all buyers.





Re: SOA Minimum comment in "dig" output

2018-02-12 Thread Matus UHLAR - fantomas

>> RFC 2308 "DNS NCACHE" defines the last field of the SOA RR as "the TTL of
>> negative responses".

On 12.02.18 10:29, Daniel Stirnimann wrote:
> Negative caching TTL is not defined as the last field of the SOA RR:

yes, it is, as RFC 2308 section 4 says:

   The remaining of the current meanings, of being the TTL to be used
   for negative responses, is the new defined meaning of the SOA minimum
   field.

> "When the authoritative server creates this record its TTL
> is taken from the minimum of the SOA.MINIMUM field and SOA's TTL."

this is the TTL of the SOA returned in an NXDOMAIN response.

a bit schizophrenic, but the SOA "minimum" field clearly applies there,
unless your SOA TTL is shorter.

>> Why is dig still showing the old description "minimum" about the meaning
>> of the field?

apparently nobody changed that comment in 'dig' source code yet.

> Because minimum is what it is? It's not negative caching ttl, see above.

while called "minimum", as the OP correctly noted, it's defined as TTL for
negative responses. describing it as "negative TTL" would be correct.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95


Re: SOA Minimum comment in "dig" output

2018-02-12 Thread Carsten Strotmann
Hi Daniel,

Daniel Stirnimann  writes:

> Hello Carsten,
>
>> RFC 2308 "DNS NCACHE" defines the last field of the SOA RR as "the TTL of
>> negative responses".
>
> Negative caching TTL is not defined as the last field of the SOA RR:
>
> "When the authoritative server creates this record its TTL
> is taken from the minimum of the SOA.MINIMUM field and SOA's TTL."
>
>
>> Why is dig still showing the old description "minimum" about the meaning
>> of the field?
>
> Because minimum is what it is? It's not negative caching ttl, see above.
>

great, makes sense, and I forgot about this.

Thanks

Carsten


Re: Saurabh: Error while adding the Domain into RPZ as Bad Name.

2018-02-12 Thread Matus UHLAR - fantomas

On 12.02.18 13:51, Saurabh Srivastava wrote:
> *I have faced one issue during the addition of one domain into My RPZ
> Server.*

you don't have to put asterisks around your sentences. In fact, it makes
them harder to read and understand.

> *The Domain name is "xmr.-eu1.nanopool.org ".*
> *I am trying to put the domain entry as *. xmr.-eu1.nanopool.org
>  which gives me an error of Bad Domain Name.*
> *Please suggest the solution for this means why it is a bad domain name when
> even I am able to dig that?*

a domain name element must not start with a dash.

xmr-eu is fine, xmr.eu is fine, xmr.-eu is invalid.

see rfc 1034 section 3.5.

<domain> ::= <subdomain> | " "

<subdomain> ::= <label> | <subdomain> "." <label>

<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]

> *Secondly, I try to ask one more thing that when I have dug the Domain
> xmr.-eu1.nanopool.org  , the A Record shows me as
> IP 8.8.8.8.*

there are nameservers which do not enforce the requirement above.
However, I don't recommend violating the requirement.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
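As an added example (not code from the thread or from BIND), here is a Python checker for the RFC 1034 section 3.5 label grammar Matus cites, relaxed per RFC 1123 section 2.1 so a label may also begin with a digit; it reports the offending label, so for the name from this thread it points at "-eu1". The allow_wildcard flag is an assumption of mine so that an RPZ owner name with a leading "*" label can be checked as well.

```python
# Added example: validate each label of a host name against the RFC 1034 3.5
# grammar Matus cites (letters, digits, hyphen; no leading or trailing hyphen),
# relaxed per RFC 1123 2.1 so that a label may also begin with a digit.
import re

# <label> ::= <letter> [ [ <ldh-str> ] <let-dig> ], with RFC 1123's leading digit
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_hostname(name: str, allow_wildcard: bool = False) -> list:
    """Return (label, reason) pairs for every offending label; empty = valid.
    allow_wildcard (an assumption for RPZ-style owner names such as
    *.example) accepts a single leading '*' label; the rest is still checked."""
    labels = name.rstrip(".").split(".")
    if allow_wildcard and labels[0] == "*":
        labels = labels[1:]
    if labels in ([], [""]):
        return [("", "empty name")]
    problems = []
    if len(".".join(labels)) > 253:
        problems.append((name, "name longer than 253 octets"))
    for label in labels:
        if label == "":
            problems.append((label, "empty label (consecutive dots)"))
        elif len(label) > 63:
            problems.append((label, "label longer than 63 octets"))
        elif label.startswith("-") or label.endswith("-"):
            problems.append((label, "label must not start or end with a hyphen"))
        elif not _LABEL_RE.match(label):
            problems.append((label, "character outside letters, digits and hyphen"))
    return problems


def is_valid_hostname(name: str, allow_wildcard: bool = False) -> bool:
    """True when no label violates the grammar."""
    return not check_hostname(name, allow_wildcard)
```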


Re: SOA Minimum comment in "dig" output

2018-02-12 Thread Daniel Stirnimann
Hello Carsten,

> RFC 2308 "DNS NCACHE" defines the last field of the SOA RR as "the TTL of
> negative responses".

Negative caching TTL is not defined as the last field of the SOA RR:

"When the authoritative server creates this record its TTL
is taken from the minimum of the SOA.MINIMUM field and SOA's TTL."


> Why is dig still showing the old description "minimum" about the meaning
> of the field?

Because minimum is what it is? It's not negative caching ttl, see above.

Daniel


Re: SOA Minimum comment in "dig" output

2018-02-12 Thread Carsten Strotmann

Hi,

here is a question I've got during a DNS training, and I still do not
have a good answer:

RFC 2308 "DNS NCACHE" defines the last field of the SOA RR as "the TTL of
negative responses".

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +noall +answer +multi +cmd soa example.com
;; global options: +cmd
example.com.            86326 IN SOA dns1.example.com. hostmaster.example.com. (
                                2018013002 ; serial
                                900        ; refresh (15 minutes)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                900        ; minimum (15 minutes)
                                )

Why is dig still showing the old description "minimum" about the meaning
of the field?

Is there a good answer? This behaviour of "dig" is irritating users.

Best regards

Carsten
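Added example, not code from the thread or from dig: a small Python parser for the SOA record as dig +multi prints it, which then applies the RFC 2308 rule the replies in this thread settle on (the SOA in a negative answer carries the smaller of the SOA's own TTL and its MINIMUM field, and that is how long the negative answer is cached). The sample output is a constructed copy of the record in the question.

```python
# Added example: parse the SOA record as `dig +multi` prints it and apply the
# RFC 2308 rule discussed in this thread: the SOA returned in a negative answer
# carries min(SOA TTL, SOA MINIMUM), and that is the negative-caching TTL.
import re

# Constructed copy of the record shown above (not captured from a live server).
SAMPLE_DIG_MULTI = """\
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +noall +answer +multi +cmd soa example.com
;; global options: +cmd
example.com.            86326 IN SOA dns1.example.com. hostmaster.example.com. (
                                2018013002 ; serial
                                900        ; refresh (15 minutes)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                900        ; minimum (15 minutes)
                                )
"""

_SOA_HEAD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SOA\s+(\S+)\s+(\S+)\s+\(")
_FIELD = re.compile(r"^\s*(\d+)")


def parse_soa(dig_output: str) -> dict:
    """Return owner, ttl, mname, rname and the five numeric SOA fields."""
    lines = [l for l in dig_output.splitlines() if l.strip() and not l.startswith(";")]
    head = _SOA_HEAD.match(lines[0]) if lines else None
    if head is None:
        raise ValueError("no SOA record found in dig +multi output")
    numbers = [int(m.group(1)) for m in map(_FIELD.match, lines[1:]) if m]
    if len(numbers) != 5:
        raise ValueError(f"expected 5 numeric SOA fields, got {len(numbers)}")
    serial, refresh, retry, expire, minimum = numbers
    return {"owner": head.group(1), "ttl": int(head.group(2)),
            "mname": head.group(3), "rname": head.group(4), "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}


def negative_cache_ttl(soa: dict) -> int:
    """RFC 2308 section 3: the SOA in an NXDOMAIN/NODATA answer gets the smaller
    of the SOA's own TTL and its MINIMUM field; resolvers cache the negative
    answer for that long (section 5)."""
    return min(soa["ttl"], soa["minimum"])


def describe(dig_output: str) -> str:
    """One-line summary naming which of the two values is the limiting one."""
    soa = parse_soa(dig_output)
    limiting = "MINIMUM" if soa["minimum"] <= soa["ttl"] else "SOA TTL"
    return f"{soa['owner']} negative TTL {negative_cache_ttl(soa)}s (limited by {limiting})"
```

For the record in the question the MINIMUM field (900) is the limiting value; the second case in the test covers Matus's caveat, an SOA whose own TTL is shorter than its MINIMUM.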



Saurabh: Error while adding the Domain into RPZ as Bad Name.

2018-02-12 Thread Saurabh Srivastava
Dear Bind-Users,

Greetings of the Day!!!

*I have faced one issue during the addition of one domain into My RPZ
Server.*
*The Domain name is "xmr.-eu1.nanopool.org ".*
*I am trying to put the domain entry as *. xmr.-eu1.nanopool.org
 which gives me an error of Bad Domain Name.*
*Please suggest the solution for this means why it is a bad domain name when
even I am able to dig that?*

*Secondly, I try to ask one more thing that when I have dug the Domain
xmr.-eu1.nanopool.org  , the A Record shows me as
IP 8.8.8.8.*

*I need to know why they do this thing or should we point any domain to
any IP in an internet domain too??*
*If you say, I can share the Error Screen Shot too.*

Waiting for the reply.

Thanks & Regards,

Saurabh Srivastava,
Email: jp.saur...@gmail.com