Re: Rate-Limit Question
You need to patch your 9.9.2 source code and recompile. Take a look at:

http://www.redbarn.org/dns/ratelimits

cheers,

~Carlos

On 6/14/13 11:27 AM, Manson, John wrote:
> We are running Bind 9.9.2 and would like to invoke the rate-limit option but named says 'unknown option'. Do we need to upgrade bind to get this option?
>
> Using this syntax:
>
>     rate-limit { responses-per-second 5; window 5; };
>
> Thanks
>
> John Manson
> US House of Representatives
> CAO/HIR/NAF/Data-Communications
> Senior Network Communications Specialist
> Desk: 202-226-4244 NCC: 202-226-6430

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
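As an added example (not from the thread or from ISC), a rate-limit block with the knobs a practitioner usually sets on a first rollout; it assumes a named built with RRL support, i.e. 9.9.4 or a patched 9.9.2 as Carlos says, and the exempt-clients prefix is constructed:

```conf
options {
    // rate-limit lives inside options { }. A named built without RRL
    // rejects the whole block with "unknown option", which is what the
    // original poster saw on a stock 9.9.2.
    rate-limit {
        responses-per-second 5;   // identical responses per client prefix per second
        window 5;                 // seconds over which the per-client credit is averaged
        slip 2;                   // every 2nd dropped response is sent truncated (TC=1)
                                  // so a real client can retry over TCP
        exempt-clients { 192.0.2.0/24; };   // constructed: your own recursive resolvers
        log-only yes;             // first deployment: log what would be dropped,
                                  // drop nothing, then remove once the counts look sane
    };
};
```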
Re: Rate-Limit Question
tks !!

On 6/14/13 1:21 PM, Evan Hunt wrote:
> On Fri, Jun 14, 2013 at 01:10:47PM -0300, Carlos M. Martinez wrote:
>> thanks for the heads up. Do you have an estimated time of release for 9.9.4 and 9.9.10 ?
>
> Every time I make predictions about dates, events conspire to make me wrong, but I'm *hoping* to have 9.9.4 out in early August.
Re: Confused about a basic concept
The 'hidden master' setup is a very good strategy for a number of reasons. I think the original description only derails a bit when using the term 'authoritative':

> I'm being told our authoritative DNS servers should not receive any queries, as well as DNS slaves respond to queries. These statements seem like a conflict to me, but maybe I'm simply confused?

Many people confuse authority with master/slave. Slaves will also respond authoritatively. In fact, just by looking at a DNS response it is hard to tell which NS points to the actual master, if any (in the case of the hidden master, no NS actually points to a master).

cheers!

~Carlos

On 6/5/13 11:18 AM, Ben Croswell wrote:
> Everything you listed is pretty close to accurate. A couple points of clarification.
>
> 8) The master needs UDP/TCP 53 open to the slaves. Before a zone transfer can happen the slave needs to get the SOA RR from the master to see if the serial number has changed. This normally happens over UDP 53 (see my point on 9). So the slaves need to also be in the allow-query ACL on the master; if they can't query for SOA they can never determine the serial number and can't transfer.
>
> 9) You should always have UDP/TCP 53 open to DNS servers. Normal queries happen on UDP 53, but if an answer is too large to fit in a single packet the answer will be truncated and the TC bit will be set. This bit tells the client they didn't get the full answer and that they may want to try the same query via TCP.
>
> On your last points you are pretty much spot on the answer but are wondering the mechanics. Most best practices state that you should not have recursion and authoritative on the same DNS server. That is a should, but not a must. What you said is the normal answer: you run DNS servers that host zones, and you run DNS servers that serve direct client queries. The client caching DNS servers would need to know where your authoritative servers are via NS records or forwarding.
>
> One big reason for the split is DNSSEC. An authoritative DNS server can't validate DNSSEC for a query sent directly to it from a client. There has to be another step in between. For instance, if I ask you if you are Bryan and you say yes, why should I believe you. However, if I ask a trusted friend if you are Bryan I will believe you because there is third party verification.
>
> On Wed, Jun 5, 2013 at 10:02 AM, Bryan Harris <bryanlhar...@me.com> wrote:
>> Hi all,
>>
>> I think I may be confused about a very basic DNS concept. Sorry if this has been asked before.
>>
>> 1. I have a master and two slaves.
>> 2. The master server is the SOA for my zone. The SOA record points to the master server.
>> 3. Each of the two slaves are authoritative for my zone.
>> 4. There are 2 NS records for my zone. The first NS = slave1 and the second NS = slave2.
>> 5. The master server is not listed in the NS records for my zone.
>> 6. The master does not receive any queries from the clients.
>> 7. The slaves receive queries from the clients.
>> 8. The master - slaves relationship is via tcp/53 (notifies, zone transfers)
>> 9. The slaves - clients relationship is via udp/53 (queries)
>>
>> Is this correct so far?
>>
>> I'm being told our authoritative DNS servers should not receive any queries, as well as DNS slaves respond to queries. These statements seem like a conflict to me, but maybe I'm simply confused? I don't see how a slave could respond to a query unless it's authoritative.
>>
>> The only thing I can imagine is adding some more caching servers just for queries and have them forward+recurse to the authoritative slave servers (but they're not slaves themselves). But even in that case, the authoritative servers would still need to respond to queries, no? Otherwise how would the caching servers get any answers in the first place?
>>
>> Bryan
>
> --
> -Ben Croswell
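As an added example, not from the thread, the named.conf pieces of the hidden-master layout Bryan lists together with Ben's points 8 and 9: the master answers only its slaves (SOA serial checks over UDP 53, transfers over TCP 53) and is absent from the NS RRset; all addresses, zone names and file paths are constructed:

```conf
// ---- named.conf on the hidden master (not listed in the zone's NS RRset) ----
acl "slaves" { 192.0.2.53; 2001:db8::53; };   // constructed slave addresses

options {
    recursion no;                  // authoritative only; no client recursion here
    allow-query { "slaves"; };     // point 8: slaves must be able to query the SOA
                                   // (UDP 53) to compare serials before transferring
    allow-transfer { "slaves"; };  // AXFR/IXFR runs over TCP 53 to the slaves only
    notify explicit;               // NOTIFY only the hosts below, not whatever is in NS
    also-notify { 192.0.2.53; 2001:db8::53; };
};

zone "example.com" {
    type master;
    file "master/example.com.zone";   // NS RRs in this file name only slave1 and slave2,
                                      // so no resolver is ever pointed at this host
};

// ---- named.conf on each public slave (the hosts named in the NS RRset) ----
zone "example.com" {
    type slave;
    masters { 198.51.100.1; };        // constructed: the hidden master's address
    file "slave/example.com.zone";
    allow-query { any; };             // slaves answer clients, and answer with AA set
    allow-transfer { none; };         // point 9 holds: TCP 53 stays open for truncated
                                      // answers, but nobody may pull the whole zone
};
```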
Re: This list's prefix
That's a neat trick, thanks Warren! I also do like prefixes, BTW (as can be seen in the other thread referenced).

cheers!

~Carlos

On 6/5/13 2:46 PM, Warren Kumari wrote:
> On Jun 5, 2013, at 11:43 AM, Narcis Garcia <informat...@actiu.net> wrote:
>> It's not the only mailing list where I'm subscribed.
>> Could please the administrator setup a prefix for messages' subject?
>
> You have unwittingly walked into a religious argument.
>
> If, like me, you really like list prefixes, *and* you use procmail, you can add them yourself:
>
>     # Add an [6MAN] to messages to the IPv6 Maintenance Working Group \(6man\) <ipv6.ietf.org>
>     :0 fw
>     * ^List-Id:[ ].*\<ipv6\.ietf\.org\>
>     |/bin/sed -e 's/^Subject:[ ]*/Subject: [6MAN] /'
>
> Nice to meet another member of the Church of Prefixes. We meet on Saturdays, and wear tricorn hats. Sure, folk laugh at the hats, but at least it draws attention away from our list prefix kink.
>
> Warren
>
>> For example: [bind-u]
>>
>> Thanks.
>
> --
> Curse the dark, or light a match. You decide, it's your dark. -- Valdis Kletnieks
Re: Mailing list reply-to setting
My mail setup is as limited as my eyesight. As I mentioned, I have emails in my inbox and filter afterwards in order to keep mbox size at reasonable levels. In this way I don't forget to check this or that folder. While on inbox I filter by looking at the tags. Works really well and I know quite a few people who do the same.

I counted and I'm subscribed to over 50 mailing lists and this is the only one which does not tag the subject.

Probably you've discussed this in the past (I'm a rather new subscriber), so I apologize for bringing up a dead horse.

regards,

Carlos

On 5/8/13 10:53 PM, Michael McNally wrote:
> On 5/8/13 9:43 AM, Carlos M. martinez wrote:
>> Agreed, but, subject tagging is very useful for those who prefer to have things hit your inbox first, before archiving. And there seems to be a lot more agreement on the tagging issue than on the reply to.
>
> Unless your mail setup is extremely restricted in what it can filter on, you have several choices of header which can be used by an automated filter to detect and classify appropriately according to list. (Personally I have procmail file bind-users traffic based on the List-Id: header, but I realize you may be in a different environment with different tools available.)
>
>     List-Id: BIND Users Mailing List <bind-users.lists.isc.org>
>
> Michael McNally
> ISC Support
Re: Mailing list reply-to setting
And, if I might add, adding a tag to the subject like [bind-users] would be extremely nice.

regards

~Carlos

On 5/8/13 12:02 PM, Steven Carr wrote:
> Any chance someone can correct the settings on this mailing list to reply to the list by default instead of the user posting the message?
>
> Thanks
> Steve
Re: Views Question
I think views have mostly to do with the source of the queries, thus presenting a different 'view' of zone data depending on who the client is. You could have one view with only master zones and another view with slave zones, but I'm not sure what the purpose would be, unless for example you want to provide slave service for your internal clients only.

regards,

~Carlos

On 4/30/13 1:36 PM, Manson, John wrote:
> If the 'type' info in a zone statement determines master or slave, can you have 2 views in the same named.conf file, one with type master zones and the other with type slave zones?
>
> John Manson
> CAO/HIR/NAF Data-Communications | U.S. House of Representatives | Washington, DC 20515
> Desk: 202-226-4244 | TCC: 202-226-6430 | john.man...@mail.house.gov
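An added example (not from the thread) of the split Carlos describes: one view serving slave copies to internal clients only, and a catch-all view carrying the master zones; the ACL ranges, master address, zone names and file paths are constructed:

```conf
// Views are selected by query source (match-clients), in the order written.
// Once any view exists, every zone statement must live inside some view.
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; };   // constructed corporate ranges

view "internal" {
    match-clients { "internal"; };
    recursion yes;                        // internal clients may recurse here
    zone "corp.example" {
        type slave;                       // local copy pulled from an internal master
        masters { 192.0.2.1; };           // constructed master address
        file "slave/corp.example.internal";
    };
};

view "external" {
    match-clients { any; };               // catch-all: everything not matched above
    recursion no;                         // public side is authoritative only
    zone "example.com" {
        type master;
        file "master/example.com.zone";
        allow-transfer { none; };         // nothing on the internet pulls this zone
    };
};
```

Internal clients never see the master zone's "external" data unless it is also placed in the internal view, and external clients get REFUSED for corp.example, which is the point of keeping the slave service internal-only.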
Re: ISC Courses
That's stiff...

On 4/26/13 2:47 PM, rohan.he...@cwjamaica.com wrote:
> Hello,
>
> Can anyone say why Bind course offering appears so expensive? Is something else included in the package that is not specified?
>
> 2-Day Introduction to DNS BIND Training
> Price: $1,795.00
>
> Rohan
Re: signature expiration
If nothing changes, only the SOA serial will be incremented on resign. The signatures don't 'have' to be renewed every 30 days, you can resign as often as you want / need.

regards

~Carlos

On 4/11/13 9:14 AM, hugo hugoo wrote:
> Hello,
>
> Can anyone tell me why signatures in dnssec must be renewed every 30 days?
> What are the modifications made on a zone with a resign?
>
> Thanks in advance for the clarifications.
>
> Hugo,
Re: Auto-dnssec maintain and 'continuous' resigning
Thank you very much for all the bits, certainly very helpful.

My problem is that this cycle of zone signing triggers zone number increases and generates dozens of NOTIFY messages and the corresponding zone transfers to all slaves within a short period of time, something which I believe is not very friendly to my gracious slave service providers.

Since my signer instance does not provide public service, I would rather prefer the signing to be done in a single op and then send a single NOTIFY to slaves.

Maybe my problem is 'auto-dnssec maintain', maybe I would be better off with the other options.

Looking forward to your thoughts.

~Carlos

On 4/3/13 7:48 PM, Mark Andrews wrote:
> In message 515a92a5.3020...@imperial.ac.uk, Phil Mayers writes:
>> On 04/01/2013 07:36 PM, Carlos M. Martinez wrote:
>>> Reframing the question in more general terms... Which events trigger a zone re-sign and reload when using auto-dnssec maintain ?
>>
>> As someone else has already said, zone updates, signature expiration and key events.
>>
>> In particular, it's normal for the SOA serial to constantly increase in a zone with auto-dnssec maintain, even if nothing else happens, because the signatures will be regenerated every N days. N depends on your config, but is 0.75 * default_sig_life (30 days) by default i.e. signatures are generated every 22.5 days.
>
> Named attempts to spread out re-signing load for a zone over time even if the zone content is essentially static. It takes time to regenerate signatures so you don't want non-threaded builds to stall too long re-signing.
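The zone configuration behind the re-signing cycle Phil and Mark describe (and the 30-day default Hugo asked about in the other thread), as an added example that is not from the thread; the zone name, paths and key directory are constructed, and `sig-validity-interval 30 7` is written out only to make the base/re-sign split explicit, since the defaults already give the 22.5-day figure quoted above:

```conf
options {
    directory "/var/named";            // constructed
    dnssec-enable yes;
};

zone "example.com" {
    type master;
    file "dynamic/example.com.zone";   // constructed; named keeps a journal next to it
    key-directory "keys";              // K<zone>.+<alg>+<id>.{key,private} live here
    update-policy local;               // auto-dnssec needs a dynamic zone
                                       // (or inline-signing yes on 9.9+)
    auto-dnssec maintain;              // load keys by their timing metadata, add/remove
                                       // DNSKEYs and re-sign without a manual dnssec-signzone
    // First number: days a new RRSIG stays valid. Second: how many days before
    // expiry named regenerates it. Default is 30 with the second at 1/4 of the
    // base (7.5 days), i.e. re-signing roughly every 22.5 days as Phil computes.
    // Every regenerated batch bumps the SOA serial and sends NOTIFY.
    sig-validity-interval 30 7;
    notify yes;
};
```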
Auto-dnssec maintain and 'continuous' resigning
Hello all,

I have a few zones signed with DNSSEC and autodnssec maintain. I have one particular zone that every now and then (I'm working on finding a pattern or trigger) this re-signing process runs for a while, incrementing the serial each time and growing the journal until stopping.

I know I need to do more legwork here, but I would appreciate any heads-up on this particular problem.

Warm regards,

~Carlos
Re: Auto-dnssec maintain and 'continuous' resigning
Reframing the question in more general terms... Which events trigger a zone re-sign and reload when using auto-dnssec maintain ?

regards,

~Carlos

On 4/1/13 12:04 PM, Carlos M. Martinez wrote:
> Hello all,
>
> I have a few zones signed with DNSSEC and autodnssec maintain. I have one particular zone that every now and then (I'm working on finding a pattern or trigger) this re-signing process runs for a while, incrementing the serial each time and growing the journal until stopping.
>
> I know I need to do more legwork here, but I would appreciate any heads-up on this particular problem.
>
> Warm regards,
>
> ~Carlos
Re: Suspicious DNS traffic
Are you talking about SOURCE or destination ports ?

regards

~Carlos

On 3/25/13 1:21 PM, babu dheen wrote:
> Hi Matus,
>
> Still not convinced because if I need to allow 1024 port from our DNS server to external world (internet).. where is the security? I believe we just need to allow TCP and UDP 53 from our DNS server to internet (any) which is already done. Not sure why we have to open non standard port from our DNS server to internet? Kindly provide some details.
>
> Regards
> Babu
>
> *From:* Matus UHLAR - fantomas <uh...@fantomas.sk>
> *To:* bind-users@lists.isc.org
> *Sent:* Monday, 25 March 2013 3:30 PM
> *Subject:* Re: Suspicious DNS traffic
>
>> On 25.03.13 16:59, babu dheen wrote:
>>> I am able to query one of the PTR record available in my company BIND caching DNS server from internet (ANY IP address) successfully. As per your statement, If I am denying the response, how could I get response successfully?
>>
>> you must allow the packets from TCP+UDP port 53 coming to any >=1024 port on your nameserver.
>>
>> --
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Warning: I do not wish to receive any advertising mail at this address.
>> The only substitute for good manners is fast reflexes.
Re: Dig for link-local
link-locals are not that special, with the exception of the %interface decorator... other than that, they work exactly like any other address. Bind/Apache/insert your server here will listen on link locals and they can be used as route next-hops too.

regards,

~Carlos

On 3/22/13 1:13 PM, Kevin Darcy wrote:
> I'm not sure what you're asking, exactly. Are you surprised that named would respond on an IPv6 link-local address if configured with listen-on-v6 { any; };?
>
> - Kevin
>
> On 3/22/2013 5:35 AM, Alok Raj wrote:
>> Hi,
>>
>> How dig-command is able to resolve an ip using link-local address, /etc/resolv.conf has only one entry – ipv6-link link local address, if I write dig www.domain.com, it is able to resolve that and print the address. Can anyone help me out in documentation or code please?
>>
>> Thanks,
>> Alok
Re: Dig for link-local
Transport has nothing to do with content in DNS. If your client asks for a record it will get the appropriate answer according to the zone's records (a value or an error condition) regardless of whether the query was made over IPv6 or IPv4.

That said, you can 'hack' around this expected behavior (see 'no on ipv4') in order to help hosts with broken IPv6 connectivity, but you have to enable it.

regards,

~Carlos

On 3/22/13 1:19 PM, Bryan Harris wrote:
> Hello,
>
> On Mar 22, 2013, at 12:13 PM, Kevin Darcy <k...@chrysler.com> wrote:
>> I'm not sure what you're asking, exactly. Are you surprised that named would respond on an IPv6 link-local address if configured with listen-on-v6 { any; };?
>
> Can an ipv4-only server give an ipv6 address as part of an overall answer to a dig? E.g. our servers recurse to get outside addresses, and when I query for www.google.com one of the addresses is ip6.
>
> Bryan