Re: Problem upgrading to 9.18 - important feature being removed

2024-03-01 Thread G.W. Haywood

Hi there,

On Fri, 1 Mar 2024, Petr Špaček wrote:

On 01. 03. 24 12:23, G.W. Haywood wrote:


... Maybe the lesson here is that if you're using BIND other than
because it happened to come with your distro, then it's probably a
good idea to keep an eye on this list to monitor the plans for
development.  If it says that in the ARM, which IMO it probably
should, I missed that too.


ARM has warning like this:

https://bind9.readthedocs.io/en/v9.18.15/reference.html#namedconf-statement-auto-dnssec

If you have a proposal to improve it I'm all ears.


That warning is (a) specific to this issue and (b) in section 8.

I was thinking of something (a) more general and (b) in section 1 -
where people might see it before the attention span gives out. :)

Section 1.4.6 seems the obvious existing place to say something like

"The BIND users' mailing list is the place for users to get help with
BIND.  In addition the developers use it to gauge opinion on proposals
for changes to BIND's features.  If you use BIND more than casually,
it's a good idea to subscribe to the list.  You can do this by..."

--

73,
Ged.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Problem upgrading to 9.18 - important feature being removed

2024-03-01 Thread G.W. Haywood

Hi there,

On Fri, 1 Mar 2024, Ondřej Surý wrote:

On 26. 2. 2024, at 22:41, Al Whaley wrote:

> A lot of pain and suffering in this world comes from people being
> sure they have a 'better idea' and everybody needs to do whatever.
> This feels a bit like that. ...

... ultimately, the developers working on BIND 9 are just a few
people and it's absolutely reasonable to remove rarely used features
- especially if there's a replacement ...

For every decision we make, be it adding a new feature or removing
an old feature, we do carefully consider the implications ...


And in this case I think it would be unfair to the developers not to
mention that more than two years ago, before actually implementing
this change, the developers did ask for comment and there was debate.
If the OP took a part in that debate I missed it.

8<--
Date: Tue, 10 Aug 2021 10:02:59 +0200
From: Matthijs Mekking 
To: bind-users@lists.isc.org
Subject: Deprecating auto-dnssec and inline-signing in 9.18+
Message-ID: 
Content-Type: text/plain; charset=utf-8; format=flowed

Hi users,

We are planning to deprecate the options 'auto-dnssec' and 
'inline-signing' in BIND 9.18. The reason for this is because 
'dnssec-policy' is the preferred way of maintaining your DNSSEC zone.


Deprecating means that you can still use the options in 9.18, but a 
warning will be logged and it is very likely that the options will be 
removed in BIND 9.20.


We would like to encourage you to change your configurations to 
'dnssec-policy'. See this KB article for migration help:


 https://kb.isc.org/docs/dnssec-key-and-signing-policy

Do you have reasons for keeping 'inline-signing' or 'auto-dnssec' 
configurations? Is there a use case that is not (yet) covered by 
'dnssec-policy'? Any other concerns? Please let us know.

8<--

To try to make this more positive, maybe the lesson here is that if
you're using BIND other than because it happened to come with your
distro, then it's probably a good idea to keep an eye on this list to
monitor the plans for development.  If it says that in the ARM, which
IMO it probably should, I missed that too.

--

73,
Ged.


Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"

2024-03-01 Thread G.W. Haywood

Hi there,

On Fri, 1 Mar 2024, Matus UHLAR wrote:

On 01.03.24 08:24, Ondřej Surý wrote:
> The "sortlist" option allows defining complicated rules for when and
> how to reorder the resource records in the responses. The same
> caveats as with the "rrset-order" apply - relying on any specific
> order of resource records in the DNS responses is wrong.
>
> We are not aware of any other (major) DNS server that would have
> similar behaviour as this was never specified in the DNS protocol.
> If you know of any software or hardware relying on any specific
> order of the resource records in the DNS messages, it needs to
> be reported as a bug to the respective vendor.

I don't know about _requirement_, but I have used this option as poor 
man's way to implement geographically local IP addresses

- to anyone return topologically closer IP addresses first, others next.


Maybe I need more of my morning $beverage but this sort of thing seems
to me to militate against other - existing - efficiency mechanisms.

Network performance isn't just about topology, there are things like
performance and load to consider.  Might your tweaked responses just
send clients to a nearby but tragically overloaded server?

My preference would be to let those people whose job it is to think
about this stuff - which, reading this list, clearly they do - get on
with their job.

Observations welcome of course.

--

73,
Ged.


Re: Deprecated DSCP support

2024-02-29 Thread G.W. Haywood

Hi there,

On Thu, 29 Feb 2024, Wolfgang Riedel wrote:


In my case it's dscp 24 in named.conf ...

If you don't set it, ...


ns9:~# >>> man named.conf | grep dscp
   dscp ; // obsolete

--

73,
Ged.


Re: BIND Upgrade

2024-02-16 Thread G.W. Haywood

Hi there,

On Fri, 16 Feb 2024, Semra Türkkal Nazlımoğlu wrote:


Our bind version seems below. How can we upgrade bind version?
And if we upgrade bind version, is there any problem?


Recently I upgraded from 9.11.26 (not 9.11.36) to 9.18.24 using the
source from the ISC Website.

It's a very small setup here.

The only thing I needed to do to the configuration was remove a single
obsolete option (dnssec-enable) from named.conf.

--

73,
Ged.
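
The deprecation notices quoted earlier in this page (auto-dnssec and inline-signing,
"rrset-order fixed" and sortlist, dscp, resolver-nonbackoff-tries and
resolver-retry-interval) plus the dnssec-enable removal mentioned just above all
have the same practical consequence: the options are best found in named.conf
before the upgrade, not in named's log afterwards.  The script below is an added
example written for this page; it is not ISC's code and not something any poster
supplied.  It greps a named.conf for exactly the option names the notices mention
and reports line numbers.  The sample configuration inside it is constructed for
the demonstration, and which BIND version removes which option is deliberately not
asserted by the script; check the ARM for the version you are moving to.

```shell
#!/bin/sh
# Added example, not ISC's code: scan a named.conf for the options that the
# deprecation notices quoted on this page name. POSIX sh + awk, no network.

# Constructed sample named.conf in the style of the settings discussed in the
# thread. Not a real server's configuration. The dnssec-policy line is there
# to show that the replacement option is not reported.
SAMPLE_CONF='
options {
    directory "/var/named";
    dnssec-enable yes;
    dscp 24;
    sortlist { { 10.0.0.0/8; { 10.0.0.0/8; }; }; };
    rrset-order { order fixed; };
    dnssec-policy default;
};

zone "example.test" {
    type primary;
    file "example.test.db";
    auto-dnssec maintain;
    inline-signing yes;
};
'

# deprecated_options FILE -> one "<line>:<option>" per hit, in file order.
deprecated_options() {
    awk '
        # Option names from the notices on this list; anchored to the start
        # of the statement so that e.g. "dnssec-policy" does not match.
        /^[ \t]*(auto-dnssec|inline-signing|dnssec-enable|dscp|sortlist|resolver-nonbackoff-tries|resolver-retry-interval)[ \t]/ {
            sub(/^[ \t]+/, "")
            split($0, w, /[ \t]/)
            print NR ":" w[1]
            next
        }
        # "rrset-order { order fixed; }" is the form the rrset-order notice is about.
        /order[ \t]+fixed/ { print NR ":rrset-order fixed" }
    ' "$1"
}

# scan_sample -> run the scanner over the constructed sample above.
scan_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    deprecated_options "$tmp"
    rm -f "$tmp"
}

# Real use: deprecated_options /etc/named.conf, repeated for every file that
# named.conf includes. Then run the new version's named-checkconf on it.
```

On the sample this prints six hits (dnssec-enable, dscp, sortlist, the fixed
rrset-order, auto-dnssec and inline-signing) and nothing for dnssec-policy.  It
is a text scan, not a parser: it will not see options spread across lines or
hidden behind macros, so treat an empty result as "nothing obvious", not as proof.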


Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread G.W. Haywood

Hi there,

On Wed, 13 Dec 2023, Greg Choules wrote:


If your server can reach the Internet it can recurse all on its own.


And for extra information, I recommend you give the '+trace' option to dig.


I hope that helps.


Ditto. :)

--

73,
Ged.


Re: Deprecation notice for BIND 9: "resolver-nonbackoff-tries", "resolver-retry-interval"

2023-12-08 Thread G.W. Haywood

Hi there,

On Fri, 8 Dec 2023, Fred Morris wrote:


I welcome birds of a feather. Need to define / refine the problem
statement first.
...
...


Er, tweet!

Up to my @$$ in alligators and can't afford the time to do more than chime
in here, but this is all absolutely fascinating.  Fwiw I'd love to see
it played out on this list (if the Ps that B think it appropriate).

--

73,
Ged.


Re: Value of a DNSSEC validating resolver

2023-12-02 Thread G.W. Haywood

Hi there,

On Sat, 2 Dec 2023, Mark Andrews wrote:

On Fri, 1 Dec 2023, John Thurston wrote:

> Can someone make a good case to me for continuing to perform DNSSEC
> validation on my central resolvers?

Think of a recursive server as a town water treatment plant. You
could filter and treat at every house and sometimes you still do
like boiling water for baby formula but on the most part what you
get out of it is good enough for consumption as is.


Thank you for that outstandingly useful analogy, I hope to use it!

--

73,
Ged.


Re: consolidating in-addr.arpa data

2023-09-16 Thread G.W. Haywood via bind-users

Hi there,

On Sat, 16 Sep 2023, Greg Choules wrote:

On Sat, 16 Sep 2023,  G.W. Haywood wrote:
...
> Is there a reason not to split the /8 into two /9s or something like that?
...
Although it is technically possible to do reverses on non-octet boundaries
(for example, see https://www.ietf.org/rfc/rfc2317.txt) it is a
complete pita, in my experience. Personally I would not head down that
path. Stick to /8, /16 or /24.


Please could you elaborate a bit?

Does RFC1918's 172.16/12 mark a special case, or is that a PITA too?
I've used such addresses, but never at anything like their full scale.

My "something like" might have included 10.16.0/12 and 10.24.0.0/12,
is your PITA comment equally applicable?  I'd be surprised if the OP
couldn't manage with 2^20 IPs in a segment - but then I guess he does
work in the .gov domain.

I'm not trying to be awkward, I'd really like to know in case I ever
come up against this myself.

(And it's the thirtieth anniversary of RFC1517.  What did we miss? :)

--

73,
Ged.
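
The question above (why /8, /16 or /24, and what a /9 or /12 split would cost)
comes down to what in-addr.arpa can express: reverse zones cut on octet
boundaries, so a prefix between boundaries becomes several zones, and a prefix
longer than /24 needs the RFC 2317 CNAME scheme in the parent zone.  The script
below is an added example for this page, not BIND tooling and not from any
poster; given a prefix it prints the reverse zones you would have to create or
delegate, or the RFC 2317 records for a sub-/24.  The name ns1.customer.example
and the 192.0.2.0/24 block are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: reverse zones needed to cover an IPv4
# prefix. On an octet boundary (/8, /16, /24) that is one zone; between
# boundaries (/9 .. /15, /17 .. /23) it is a list of zones at the next
# boundary; below /24 it is the RFC 2317 classless scheme. POSIX sh, no network.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# rev_zone_name INT OCTETS -> reverse zone for the first OCTETS octets,
# e.g. rev_zone_name $(ip_to_int 10.16.0.0) 2 -> 16.10.in-addr.arpa
rev_zone_name() {
    _a=$(( ($1 >> 24) & 255 )); _b=$(( ($1 >> 16) & 255 )); _c=$(( ($1 >> 8) & 255 ))
    case $2 in
        1) echo "$_a.in-addr.arpa" ;;
        2) echo "$_b.$_a.in-addr.arpa" ;;
        3) echo "$_c.$_b.$_a.in-addr.arpa" ;;
    esac
}

# reverse_zones_for CIDR NSNAME -> one reverse zone per line, or, for a prefix
# longer than /24, the RFC 2317 records that go in the parent /24 zone.
reverse_zones_for() {
    ip=${1%/*}; plen=${1#*/}; ns=$2
    base=$(ip_to_int "$ip")
    if [ "$plen" -le 24 ]; then
        octets=$(( (plen + 7) / 8 ))          # next octet boundary
        step=$(( 1 << (32 - octets * 8) ))    # addresses per zone at that boundary
        count=$(( 1 << (octets * 8 - plen) )) # zones needed to cover the prefix
        i=0
        while [ "$i" -lt "$count" ]; do
            rev_zone_name $(( base + i * step )) "$octets"
            i=$(( i + 1 ))
        done
    else
        # RFC 2317: the parent /24 zone delegates a pseudo-subzone such as
        # "64/26" and points every host label at it with a CNAME.
        parent=$(rev_zone_name "$base" 3)
        lo=$(( base & 255 )); size=$(( 1 << (32 - plen) ))
        echo "; in $parent:"
        echo "$lo/$plen.$parent. IN NS $ns."
        i=0
        while [ "$i" -lt "$size" ]; do
            echo "$(( lo + i )).$parent. IN CNAME $(( lo + i )).$lo/$plen.$parent."
            i=$(( i + 1 ))
        done
    fi
}
```

reverse_zones_for 10.0.0.0/8 gives the single zone 10.in-addr.arpa; 10.16.0.0/12
gives the sixteen zones 16.10.in-addr.arpa through 31.10.in-addr.arpa, and a /9
gives 128 of them, which is the administrative cost of a non-octet split: every
one of those zones has to exist, be delegated and be kept in step on both sides.
For 192.0.2.64/26 the output is the NS record plus 64 CNAMEs for the parent zone,
and the delegated side still has to serve a zone named 64/26.2.0.192.in-addr.arpa.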


Re: consolidating in-addr.arpa data

2023-09-16 Thread G.W. Haywood via bind-users

Hi there,

On Sat, 16 Sep 2023, John Thurston wrote:

A host which auto-registers in MS DNS, creates an A in foo.alaska.gov 
and PTR in whatever.10.in-addr.arpa. MS DNS is happy to publish those.


But the DNS system running on BIND also has a whatever.10.in-addr.arpa 
zone.


So if I want to find the PTR for 13.12.11.10.in-addr.arpa, I must query 
both DNS systems in turn. If I get NXDOMAIN from both, then I can say 
the PTR doesn't exist.


On each system, I'd like to be able to take the 10.in-addr.arpa data 
from the other, compute the differences, and incorporate them locally. 
Then I'll be able to query either system, and accept an NXDOMAIN with 
confidence.


Is there a reason not to split the /8 into two /9s or something like that?
Then you'd have no fragmentation (at least not for this reason) and you'd
always know who to ask.

And since writing my earlier note, I have re-located the code I think I 
stumbled across earlier


Tony Finch's "nsdiff"


Does that mean problem replaced, if not solved?

--

73,
Ged.


Re: General DNS / SPF question

2023-01-09 Thread G.W. Haywood via bind-users

Hi there,

On Mon, 9 Jan 2023, Michael Muller wrote:

Thanks for responding to my question. Again, if there's a better place 
to ask this question, I can go there. ...


Taking this off list.

--

73,
Ged.


Re: General DNS / SPF question

2023-01-08 Thread G.W. Haywood via bind-users

Hi there,

On Sun, 8 Jan 2023, Mark Andrews wrote:


Please don't hijack an existing thread by replying to an existing message for an 
unrelated subject. It is bad form. Just create a new message and send it to 
bind-us...@isc.org.


Oh, blast, I missed that, sorry.

--

73,
Ged.


Re: General DNS / SPF question

2023-01-07 Thread G.W. Haywood via bind-users

Hi there,

On Sat, 7 Jan 2023, Michael Muller wrote:


This is my first time posting here, and I'm not sure if it's the
right place or not to ask my question. This is a general DNS
question, specifically, I think, SPF.


Probably not really the right place but the SPF users' list has been a
bit dead for a while so let's see what happens.

I host email using SmarterMail, and all 400+ customers either use a 
regular email client (desktop app/mobile device) or the webmail interface.


One particular customer wants to use Gmail as their email client for
sending email from their domain.


What's the domain?


I helped set up the settings at gmail for the SMTP server, and did
the google-siteverification and added _include:gmail.com_ to the SPF
TXT record,


The gmail.com SPF record is just a redirect - wasteful.  I'd suggest

include:_spf.google.com

instead.


as well as DKIM and DMARC configured. I get green lights for the
domain from Dmarcian (well, they said I had a duplicate SPF value,
which I have removed).

The emails that get sent *do* arrive for other users on my email server, 
but *not* to email addresses off-server, ie; @live.com


I can see the traffic from gmail in my logs, and it appears the emails 
are sent, but they do not arrive.


Stumped. Any spare brain cells available out there would be appreciated.


Can you show us a log of one of the transactions?  Or perhaps get the
customer to try to send mail to me, I should be able to see everything
that's needed in our server logs.

--

73,
Ged.
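
Why a bare redirect is "wasteful": RFC 7208 section 4.6.4 lets a receiver spend
at most ten DNS-lookup terms (include, a, mx, ptr, exists and the redirect
modifier) while evaluating one sender's SPF, and ip4, ip6 and all cost nothing.
include:gmail.com therefore pays one lookup just to be told to go to
_spf.google.com.  The script below is an added example for this page, not from
the poster and not a real resolver: the record table is a constructed stand-in
for DNS TXT lookups so that it runs offline.  The names gmail.com and
_spf.google.com are the ones the reply mentions, but the record contents are
illustrative, and example.test, 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32
are reserved documentation values.

```shell
#!/bin/sh
# Added example, not from the thread: count the DNS-lookup terms an SPF record
# reaches, following include and redirect recursively, and compare with the
# ten-lookup limit of RFC 7208 section 4.6.4. POSIX sh, no network.

# spf_record_for NAME -> the (constructed) SPF record, or status 1 if none.
# Stand-in for a TXT lookup; contents are illustrative, not live data.
spf_record_for() {
    case $1 in
        example.test)       echo "v=spf1 mx include:gmail.com -all" ;;
        fixed.example.test) echo "v=spf1 mx include:_spf.google.com -all" ;;
        heavy.example.test) echo "v=spf1 include:gmail.com include:gmail.com include:gmail.com -all" ;;
        gmail.com)          echo "v=spf1 redirect=_spf.google.com" ;;
        _spf.google.com)    echo "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" ;;
        _netblocks.google.com)  echo "v=spf1 ip4:192.0.2.0/24 ~all" ;;
        _netblocks2.google.com) echo "v=spf1 ip6:2001:db8::/32 ~all" ;;
        _netblocks3.google.com) echo "v=spf1 ip4:198.51.100.0/24 ~all" ;;
        *) return 1 ;;
    esac
}

# spf_lookup_count NAME [DEPTH] -> number of DNS-lookup terms reached while
# evaluating NAME's record. Each recursive call runs in a command substitution,
# so the caller's variables are untouched.
spf_lookup_count() {
    depth=${2:-0}
    # Stop runaway include loops; real DNS data can contain them.
    if [ "$depth" -gt 10 ]; then echo 0; return; fi
    rec=$(spf_record_for "$1") || { echo 0; return; }
    total=0
    for term in $rec; do
        t=${term#[-+~?]}                      # drop the qualifier
        case $t in
            include:*|redirect=*)
                sub=$(spf_lookup_count "${t#*[:=]}" $(( depth + 1 )))
                total=$(( total + 1 + sub )) ;;
            a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*)
                total=$(( total + 1 )) ;;
        esac
    done
    echo "$total"
}

# spf_within_limit NAME -> status 0 if the record stays within ten lookups
spf_within_limit() {
    [ "$(spf_lookup_count "$1")" -le 10 ]
}
```

With this table, example.test (mx plus include:gmail.com) costs six lookups and
fixed.example.test (mx plus include:_spf.google.com) costs five: the redirect is
the difference.  heavy.example.test shows how quickly the budget goes when a
record is pasted together from several such includes; it reaches fifteen and
fails the limit, which is the "permerror" a strict receiver would return.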


Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2)) (2)

2022-12-30 Thread G.W. Haywood via bind-users

Hi there,

On Fri, 30 Dec 2022, Timothe Litt wrote:


The problem is politics, not technology.


Well there might be a little more to it than that.  People just don't know.

When my wife asked about the security of her bank's Website they told her,

"Don't worry, if there's a little padlock in the box at the top it's secure..."

The bank is anonymous here not to protect the guilty, but to highlight
the fact that it almost doesn't matter which one you choose.

$ whois UK_bank_domain | grep DNSSEC
$

--

73,
Ged.


Re: Bind 9.16.1 crash

2022-12-07 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 8 Dec 2022, Ondřej Surý wrote:


The "we don't update upstream version" policy works well only if you
carefully pick upstream version. Instead this is snapshot of Debian
at random point ...


Somewhat OT, but this applies to more or less all software which you
might think of as "mission critical".  That includes your kernels -
after an 'upgrade' I've had a Debian kernel give, on an only slightly
unusual Intel architecture, performance which was orders of magnitude
poorer than the previously released version.  Very embarrassing if you
just spent the weekend installing it for an entire client organization.

--

73,
Ged.


Re: Add TXT records for SPF when CNAME exists in same sub-domain

2022-11-29 Thread G.W. Haywood via bind-users

Hi there,

On Tue, 29 Nov 2022, Mark Andrews wrote:


Chris Liesfield wrote:



> It appears TXT and CNAME records for the same string/host cannot
> co-exist. We are able to specify an SPF record for the origin only
> in each sub-domain.
> 
> Open to any suggestions on how to get around this issue.


Place the TXT record at the target of the CNAME.


See also RFC2181 section 10.

--

73,
Ged.


Re: Mailing list questions (DMARC, ARC, more?)

2022-08-23 Thread G.W. Haywood via bind-users

Hi there,

On Tue, 23 Aug 2022, Alessandro Vesely wrote:

I see the list operates both From: munging and ARC sealing.  While I'm 
clear about the former, I'm curious about how ARC works:


Do any subscribers trust the seal by isc.org?


When it comes to email, I don't trust *anything*. :)

Generally speaking I think these technological fixes are very much
over-engineered as compared with, say, inspecting the headers. :/

We check the ARC seal and I would be alerted to a failure.  That's all.
There have been two failures since ISC implemented ARC - the first two
ARC-signed messages we received, on 25th April - all after that passed:

Date: Mon, 22 Aug 2022 12:00:00 +
X-ARCverify: pass (All ARC Seals and the most recent ARC Signature passed 
verification)

There were a few DKIM failures in the early days too, I don't remember
if I investigated any of the failures.


In that case, do they get non-munged messages?


Nope.  I'm on the digest list anyway.


Are there other advantages that ARC brings about?


It's a comfort to know that it's all working as designed, but I can't
get excited about munged addresses.  I've experienced no issues on the
BIND list to which I've thought ARC might be relevant.  Unfortunately
that's by no means the case for some of the other lists to which I am
(or have in the past been) subscribed.

Otherwise, RFC9057 introduced the Author: header field.  Using it to save 
the original From: would allow trusting receivers to de-munge the message 
at a later stage.  I'm trying to elaborate a draft[*] to formalize such 
method.  Would this list be interested in experimenting that?


I'm happy to use cut'n'paste for replies, but I can offer to help you
with your testing.  The milters here can do more or less anything. :)

PS: Please don't be offended if mail sent directly to me is rejected.
We can get around it.

PPS: [Page 18] s/Content-Tyep:/Content-Type:/;

--

73,
Ged.


Re: Basic setup instructions

2022-07-25 Thread G.W. Haywood via bind-users

Hi there,

On Mon, 25 Jul 2022, Gene Ammerman wrote:


I am on a Mac running macOS 10.10 with server 5.7 and I just need to
setup DNS for this.


Your meaning is not clear to me.  When you say

"I just need to setup DNS"

which of the following do you mean:

(a) I need applications which run on the Mac to be able to resolve
domain names so that I can for example send email and browse the Web.

(b) I need to host a DNS server of my own, which will serve requests
for information about my own domains from machines all over the planet.
I will be responsible for providing that information, for keeping both
it and the DNS server up to date, for ensuring that the host is secure,
and for the hundred and one other things a DNS administrator has to do.

(c) something else.

--

73,
Ged.


Re: ipv6 adoption

2022-02-17 Thread G.W. Haywood via bind-users

Hi Grant,

On Thu, 17 Feb 2022, Grant Taylor wrote:

Please clarify if you are talking about DNSSEC for your own zone that 
they are doing secondary transfers of or if you are talking about DNSSEC 
for the IPv6's reverse DNS namespace that they delegate to you.


Ah, good point Grant.

The reverse zones are delegated to us but they aren't signed.

--

73,
Ged.


Re: ipv6 adoption

2022-02-16 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 16 Feb 2022, Mark Tinka wrote:

On 2/16/22 17:18, Timothe Litt wrote:

> You can get IPv6 via a tunnel broker.  Hurricane Electric 
> (http://he.net/) is one of the larger ones.  You can get a /48 from 
> them - for free.  Bandwidth is modest.  You can set up reverse zones; 
> they'll delegate.  I don't think they support DNSSEC - it's been on 
> their wishlist for years.


Ah, I misunderstood the OP's question - I thought he meant if their 
provider does IPv6, but cannot assign an IPv6 address from their PA space.


Yes, if your provider does not yet support IPv6, then a tunnel broker 
like HE (and others) is workable.


FWIW I've been using DNSSEC with HE slaves since October 2017.  I'm
happy to report that I've never had any problem with the service.

--

73,
Ged.


Re: your mail

2022-01-15 Thread G.W. Haywood via bind-users

Hi there,

On Sat, 15 Jan 2022, Diego Garcia wrote:

On Sat, Jan 15, 2022 at 2:14 PM G.W. Haywood via bind-users wrote:
> On Sat, 15 Jan 2022, Diego Garcia wrote:
> > ...
> > network unreachable resolving 'play.google.com/A/IN': 216.239.36.10#53
> > ...
> ... If you are getting 'network unreachable' messages then likely there's
> something wrong with your network setup. ...

really?


Yes, really.

Please do not top post.  Some of us are on the digest list, and it
makes trawling through all the unnecessary garbage very tedious, as
well as prone to errors and misunderstandings.


my first post has a tcpdump packet capture, dig trace...


Nothing in your first post mentions 'network unreachable' messages.
You do, however, say that things work for a time, then they break,
then work again, and then...

I really do think that asking BIND to use an unreliable connection to
the Internet is going to cause you endless problems which will often
be difficult to diagnose.  Until you can be sure that there's nothing
getting in BIND's way you probably aren't asking the right questions.

This does not look like a problem with BIND itself.

Perhaps it's time to run some stress tests on the network.

--

73,
Ged.


Re: your mail

2022-01-15 Thread G.W. Haywood via bind-users

Hi there,

On Sat, 15 Jan 2022, Diego Garcia wrote:


Still with problems. That setup was running fine for a few years.


But you changed something.


Bind Server is on the DMZ and doing NAT for the local net. Test Server is
behind NAT

Must have another problem

I have tried a lot of things these days and nothing works,


Generally speaking, if you set things up right, BIND Just Works.  It
must be a couple of decades since I last had to fiddle with anything
to fix a broken BIND server.

It is not helpful to us if you tell us that you have tried a lot of things.
It would be much more helpful if you told us exactly what you have tried
and exactly what were the results.  You need to be methodical and precise.


I'm thinking of trying a reinstall, but I'd prefer to know what happened and solve it


'Reinstall' to me means the sort of thing that you do if you're
working on a Windows box.  If you're using a real computer it's
usually much better to find out what's going wrong and fix it.


...
network unreachable resolving 'play.google.com/A/IN': 216.239.36.10#53
...


If you are getting 'network unreachable' messages then likely there's
something wrong with your network setup.  Before doing anything else,
you need to fix that.  It may or may not be a problem of your making,
but given that you said you are using BIND on a server in a DMZ then I
suspect that it is.  Using a DMZ will make things more complicated and
the faults will be more difficult to diagnose - especially for people
on mailing lists to whom you give little and very poor information.

It *looks* like BIND is trying to make queries but failing to connect
to anything to make them.

You do not appear to have acted on the good advice which was given to
you after your previous post.  Are you able to use tools like 'ping'
and 'traceroute' to diagnose network problems, also like Wireshark or
tcpdump to inspect network traffic?  These would be my first steps in
approaching this kind of problem.  You will need to know that packets
from the BIND server can go where they're supposed to go and replies
reach the server in good time.  You might also need to be able to see
exactly what BIND sends, where it sends it, exactly what it receives
(if anything) in reply to what it sends, and perhaps where the replies
come from.  If there are no replies, or the replies go to the wrong
place, you need to be able to show that and find out why.

What exactly are you trying to achieve which cannot be achieved by
simply using a public DNS service, or one provided by your ISP?

--

73,
Ged.


Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread G.W. Haywood via bind-users

Hi there,

On Sat, 8 Jan 2022, Jason wrote:


...
My point is that public service websites, which provide vital
public health services, on which people's lives and human
rights depend, should NOT be on some
"Google Server Accessible Only" Hidden Internet.


And they aren't.


What about non-technical users, who may not have a smartphone,
who just assume "the HSE website is down", and as a result, never
get a Booster Appointment?

Maybe the HSE are using this situation to limit access to
Covid vaccines & Passports only to wealthier people with smartphones
and full-featured internet accounts?  That would get
a lot of problems off their books, and they'd have to spend
a lot less on vaccine.


You're tilting at windmills.


It is frightening that there is developing this "Google User Only"
"Hidden Internet", accessible only to users who agree to their
web behaviour being analysed and financially exploited by Google.


Again, you're inventing problems which don't exist.


I would like to find a way to access the WHOLE internet, without
using Google.
...


You don't seem to be paying attention to the knowledgeable people who
have answered your questions.

There's nothing wrong with BIND, nothing wrong with the DNS name that
you're, er, harping on about, there's no conspiracy, and (!) you don't
have to involve Google if you don't want to.

You've simply borked your own setup by using broken forwarders which
you didn't need to use to begin with.  You created your problems.

Here's one of my BIND installations resolving the name that you're
having trouble with:

$ dig +short covid19booster.healthservice.ie
hse-self-referral.swiftqueue.com.
52.50.21.250
52.214.178.78

It Works For Me, I can browse to the location, but I try not to get in
the nameserver's way (and I had my booster a couple of months ago...)

For some amusement and education try

dig +trace covid19booster.healthservice.ie

and spend some quality time with the BIND documentation.

--

73,
Ged.


Re: A good name for development branch releases package

2021-12-01 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 1 Dec 2021, Petr Menšík wrote:


 ... Would you have some idea, how should it be called?


Call a spade a spade.  Or in this case "bind9-unstable".


Do you like "bind9-dev" base name?


No.  It will cause confusion.

--

73,
Ged.


Re: BIND 9.16.19 or any version newer than 9.16.15 does not start on Windows Server 2019

2021-09-08 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 8 Sep 2021, Sami Leino wrote:


I will return to this problem with 8 vCPU count. You wrote earlier
that there could be a way to have BIND run a specific number of vCPU
cores?


Have you tried searching something like "windows processor affinity"?

--

73,
Ged.


Re: Logging statements w.r.t. view in Bind 9.16.18

2021-08-24 Thread G.W. Haywood via bind-users

Hi there,

On Tue, 24 Aug 2021, Gaurav Kansal wrote:


I want clarity on whether we can have an individual logging statement
per view. Whatever I found on Google, I think we can't.  My
use case for a separate logging statement is as follows -

In my recursive server, I have 2 views, one for my internal clients
and one for the Internet; I am running the Internet view just to catch
hold of scanning IPs (a type of honeypot).

Syntax of 2 views are as follows -

view "INTRANET" {
match-clients { PRIVATE.SEGMENTS ; };
recursion yes;
};

view "PUBLIC" {
match-clients { any; };
allow-query { none; } ;
recursion no;
};


You have recursion turned off for PUBLIC.  As I understand it, the
conventional wisdom is not to run recursive and non-recursive services
on the same BIND instance.  Would it make sense then, in your case, to
run two separate instances of BIND?  Separating logs is then trivial.

--

73,
Ged.

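As an added example (mine, not from the thread), this is what the two-instance layout looks like in named.conf. Paths, addresses and the zone name are placeholders. The point is that `logging` is a per-process statement, one named gets exactly one of them, which is why a per-view split cannot be expressed, whereas two processes give two log files with no further machinery.

```conf
// /etc/named-auth.conf : Internet-facing, authoritative only.
// Started as:  named -c /etc/named-auth.conf
options {
    directory "/var/named/auth";
    pid-file  "/run/named/auth.pid";
    listen-on { 198.51.100.10; };     // public address only (placeholder)
    recursion no;                     // never recurse for anyone
    allow-query { any; };             // answer for our zones, refuse the rest
    allow-transfer { none; };         // open per zone for real secondaries
};
logging {
    channel auth_queries {
        file "/var/log/named/auth-queries.log" versions 10 size 50m;
        severity info;
        print-time yes;
    };
    category queries { auth_queries; };
};
zone "example.com" { type master; file "example.com.zone"; };

// /etc/named-resolver.conf : internal-only recursive resolver.
// Started as:  named -c /etc/named-resolver.conf
options {
    directory "/var/named/resolver";
    pid-file  "/run/named/resolver.pid";
    listen-on { 10.0.0.10; 127.0.0.1; };          // internal address only (placeholder)
    recursion yes;
    allow-query     { 10.0.0.0/8; localhost; };   // stands in for PRIVATE.SEGMENTS
    allow-recursion { 10.0.0.0/8; localhost; };
    dnssec-validation auto;
};
logging {
    channel resolver_queries {
        file "/var/log/named/resolver-queries.log" versions 10 size 50m;
        severity info;
        print-time yes;
    };
    category queries { resolver_queries; };
};
```

Each instance also needs its own `controls` statement with a distinct port and key so that `rndc` can address them separately, and `named-checkconf` should be run against each file. The separation is also the security argument for the split: the public process has no recursion code path exposed at all, rather than a view that merely declines to use it.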

Re: [Question] About migration for 9.11.X to 9.16.X.

2021-08-19 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 19 Aug 2021, Techs-yama wrote:


I'm thinking about BIND version migration from 9.11.X to 9.16.X.
Also, I'm about to check the different default config values and config
parameters for that purpose now.

I would like to ask you all.
Are there any other points to observe carefully when migrating versions?
 e.g.) behaves differently, new features added in 9.16.X only, etc.
Also, is there any documentation that might be helpful?


The source tarball available from the ISC Website contains a file
called README.  In it you will find the answers to your questions.

You could also spend some quality time in the mailing list archives.

--

73,
Ged.


Re: Tracking Down Odd bind Behavior

2021-08-15 Thread G.W. Haywood via bind-users

Hi there,

On Sun, 15 Aug 2021, Tim Daneliuk wrote:


I have a bind slave instance running on FreeBSD 13-STABLE.  Periodically (after
a few days of perfect operation), it loses its ability to resolve at
least some names - in this case, git.freebsd.org. ...
...
Aug 14 17:07:03 ozzie named[32292]: running as: named -4 -u bind -c 
/usr/local/etc/namedb/named.conf
...


Wild guess: try running without '-4'?

Otherwise, see "Troubleshooting" in the ARM.  Then, assuming that
you've set up the logging as per the ARM to be sufficiently verbose,
wait until the resolution failures start happening again and post
relevant extracts.

--

73,
Ged.


Re: My FC33->FC34 bind-chroot upgrade notes

2021-06-16 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 16 Jun 2021, ToddAndMargo wrote:

Re: My FC33->FC34 bind-chroot upgrade notes


I hope this is the last time I have to revise this!
...


Unfortunately perhaps not.


...
# means root
$ means user
...


Sometimes, in your configuration file extracts, you use '#' meaning
'this line is a comment'.  I guess this is a write-up for a novice.
The non-novices here have overlooked it, but I'm much closer to the
novice end of the BIND user spectrum than they are and if I were a
*complete* novice, I'd find these uses of '#' very confusing.

--

73,
Ged.


Re: Need Help with BIND9

2021-06-12 Thread G.W. Haywood via bind-users

Hi there,

On Sat, 12 Jun 2021, techli...@phpcoderusa.com wrote:

Re: Need Help with BIND9


...
The two domains I am working with on my SOHO home server are 1)
keiththewebguy.com  and 2) phpcodetest.com.

I set up keiththewebguy.com first and configured BIND9 for it on the same
server.

To try to troubleshoot I configured phpcodetest.com on the same box,
however it uses Zoneedit for DNS.  phpcodetest.com works as expected.

keiththewebguy.com does not work which uses my local BIND9.

I've tried everything I can think of.  I've tested the config files, run
dig, and verified port 53 is open.

I took the zone file for keiththewebguy.com from my VPS that runs Plesk
and previously hosted keiththewebguy.com.  I forgot to change the IP
addresses in the zone to my SOHO box and the website on my VPS was
accessible.  When I changed the IP addresses in the zone file to my SOHO
box the website quit working.

I assumed this meant I had an Apache issue and that is when I added
phpcodetest.com to test Apache.  I've checked apache several times...
And I just checked it again.


Your problem statement is extremely vague and it seems to be telling
me that you do not understand how the parts you're working with all
fit together into a functioning whole.  You need to remedy that, or
you'll be flailing around quite unnecessarily in a fog of technical
terms and untested and/or broken configurations.  You might also need
to work on your fault-finding skills, but they might not be the, er,
root of the issue.

Do you have the book "DNS and BIND"?  Old, but still very relevant.


...
If you need any additional information let me know.


There might be loads of it, but for now I think probably your best bet
is to do some reading.  The Web client (browser) needs to request its
configured resolver (*may* be BIND) to supply an IP address which is
associated with a domain name so it can send HTTP requests (packets)
to the Web server (*may* be Apache) at that IP address.  To answer the
queries from the Web client, the resolver needs to make queries of its
own from a name server which *may* also be BIND - not necessarily the
same instance.  In its turn, the resolver has to find IP addresses for
name servers which will answer its queries.  The routes all need to be
set up so *both* that the clients can talk to all the servers at the
IP addresses involved in the conversations *and* that the DNS and Web
servers can reply to the requesting clients.  You can see this happen,
in nauseating detail if required, with a tool like Wireshark.  It's a
good way to watch the traffic flowing (or not flowing, as the case may
be) and I recommend that you spend some quality time doing just that.

Note that the terms 'server' and 'client' can be misleading.  A server
can become a client of another server when it needs information which
it intends to return to a client of its own.  In my little description
above for example, the resolver acts as a server when it serves an IP
address to the browser, but as a client when it asks a name server for
the IP address to serve to the client.  So it's sometimes best to look
at the level of the individual request to decide what is acting as a
server, and what is acting as a client.

I see a nameserver response only for phpcodetest.com:

$ dig keiththewebguy.com | grep ANSWER
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
$ dig +short phpcodetest.com
98.191.108.149

I wouldn't run a port scan without your permission, but at the moment
there seems to be no response from 98.191.108.149 to ping and HTTP(S)
(which might mean that you've switched off the box for the night...:)

$ ping 98.191.108.149
PING 98.191.108.149 (98.191.108.149) 56(84) bytes of data.
^C
--- 98.191.108.149 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 159ms
$ telnet 98.191.108.149 80
Trying 98.191.108.149...
telnet: Unable to connect to remote host: Connection timed out
$ telnet 98.191.108.149 443
Trying 98.191.108.149...
telnet: Unable to connect to remote host: Connection timed out

HTH

--

73,
Ged.

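The healthservice.ie post above and this one do the same thing by hand: ask the local resolver, then ask an authoritative server directly, and see which answer is wrong. As an added example (mine, not from either post), here is that comparison as a script. It assumes only `dig`; the names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Compare what the system resolver says
# about NAME with what ZONE's own authoritative servers say when asked with
# recursion turned off. If the authoritative servers agree and the resolver
# does not (or answers nothing), the fault is in the resolver/forwarder path;
# if the authoritative servers answer nothing or disagree, the zone or its
# delegation is the problem. Requires only dig (bind-utils / dnsutils).

# ns_of ZONE -> NS host names of ZONE, one per line, trailing dot stripped
ns_of() {
    dig +short NS "$1" | sed 's/\.$//' | sort -u
}

# a_from SERVER NAME -> A records for NAME straight from SERVER, recursion off
a_from() {
    dig +short +norecurse "@$1" A "$2" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# a_via_resolver NAME -> A records for NAME from the system resolver
a_via_resolver() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# diagnose NAME ZONE -> prints one word and returns 0 only when the resolver
# and every authoritative server agree on a non-empty answer:
#   ok              everything consistent
#   resolver-path   authoritative servers agree, the resolver does not
#   zone            authoritative servers answer nothing or disagree
diagnose() {
    name=$1 zone=$2
    auth_ref=""
    for ns in $(ns_of "$zone"); do
        ans=$(a_from "$ns" "$name")
        if [ -z "$ans" ]; then echo zone; return 1; fi
        if [ -z "$auth_ref" ]; then
            auth_ref=$ans
        elif [ "$ans" != "$auth_ref" ]; then
            echo zone; return 1
        fi
    done
    if [ -z "$auth_ref" ]; then echo zone; return 1; fi   # no NS records found
    if [ "$(a_via_resolver "$name")" = "$auth_ref" ]; then echo ok; return 0; fi
    echo resolver-path; return 1
}

# Usage (placeholder names):  diagnose www.example.com example.com
```

For a name that is a CNAME into somebody else's zone, as in the healthservice.ie case, run it against the CNAME target and that target's zone; `dig +short` prints the target as its first line.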

Re: root.hints - apparmor access error with Bind from PPA

2021-06-04 Thread G.W. Haywood via bind-users

Hi there,

On Fri, 4 Jun 2021, 3coma3 wrote:


Jun 3 22:03:53 ... apparmor="DENIED" ... "/usr/share/dns/root.hints" ...


This isn't exactly an answer to your question but I don't think you
need root.hints any more - you can just delete it.

I'm currently using 9.11.26, and I haven't used root.hints for years.
The hints section (zone ".") in my named.conf is just commented out.

https://kb.isc.org/docs/aa-01309

HTH

--

73,
Ged.


Re: BIND 9.16.17-snapshot - testers needed - recursive performance

2021-05-26 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 26 May 2021, He/Him wrote:


we merged a change that substantially reduces a contention between threads
and improves the recursive performance ...


We are currently running 9.11.26, and 9.11 has always built with no issues.
Debian 9.13 (Stretch).

$ aunpack bind-9.16.17-pre.tar.xz
$ cd bind-9.16.16   # NB bind-9.16.16 in the tarball, not bind-9.16.17
$ ./configure --prefix=/usr/local --sysconfdir=/etc --with-openssl
...
...
configure: error: The pkg-config script could not be found or is too old.
$

--

73,
Ged.


Re: BIND 9 ARM, html/pdf not in the source?

2021-05-17 Thread G.W. Haywood via bind-users

Hi there,

On Sun, 16 May 2021, Ondřej Surý wrote:

On Sun, 16 May 2021, Chuck Aurora wrote:
> On Sun, 16 May 2021, Ondřej Surý wrote:
> 
> > ... yes, you need ISC GitLab account to create new issues (unless
> > it's a security vulnerability then OpenPGP encrypted email is
> > accepted). We need to interact with the reporters from the issue and
> > we think this is a reasonable requirement.
> 
> FWIW I do not agree.


... I don't think it's too much to ask a little bit of inconvenience
from the users, so we can actually focus on fixing bugs and
improving the software.


I feel strongly that I should chime in with my experiences of trying
to use Git/Web interfaces to report issues.  Not, I hasten to add,
issues with BIND - I don't recall ever trying to use ISC's GitLab and
I'd have no particular issues with creating an account except that I'd
try to make sure that it could never be linked to me by criminals when
it's almost inevitably compromised.

I don't want this to sound like an attempt to pour fuel onto the flames
but insisting on Git/HTTP is not just "a little bit of inconvenience".

After finding it necessary to download tens of megabytes of source to
make a ten character change to the code, and finding that the little
'Commit' button that you have to press to the pull request would not
come out of its greyed-out state no matter what I do, and on enquiry
after some hours of digging being told that I need to use a different
browser (I use Palemoon; one suggestion was Firefox), I've now reached
the point that if it says 'http' and 'git' I will look for the little
'X' in the tab near the top of my browser window.  Call me a dinosaur
if you like but after wasting much time on it, I flatly refuse to even
try to use a Git/Web interface any more.  If I expected to use it all
day every day things might be different, but for chipping in a minor
report or small improvement the bars to entry seem to be set too high.
If I found a mistake in the ARM I'd cheerfully send an email, but I'd
never even consider navigating through a GitLab maze to do the same
thing and I'd just keep quiet about it.

There is an email interface for GitLab.  It requires no account to be
created by the user.  You get to keep the single repository of wisdom.

https://docs.gitlab.com/ee/user/project/service_desk.html

Would it be too onerous for the ISC to make this available?

--

73,
Ged.


Re: Inline signing fails dnsviz test - STILL [LONG]

2021-05-16 Thread G.W. Haywood via bind-users

Hello again,

On Sun, 16 May 2021, I wrote:


...  If you can't agree their numbers then
you're some information ...


Having screen troubles.  The word 'missing' is missing.

--

73,
Ged.


Re: Inline signing fails dnsviz test - STILL [LONG]

2021-05-16 Thread G.W. Haywood via bind-users

Hi there,

On Sun, 16 May 2021, Dan Egli wrote:

... I'm aware of the buddyns.com servers not responding. Nothing I can
do about that. They CLAIM I've had over 300k requests in the last couple
of weeks and have exceeded my monthly cap. I say Bull Crap ...


I'd be inclined to believe them, but you could monitor the traffic
directly e.g. with tcpdump.  If you can't agree their numbers then
you're some information, I'd be dissatisfied with that.

But FWIW I've no complaints about the service from Hurricane Electric.

Meanwhile, I found that the google nameservers are currently not working 
either. I can query my domain at places like 1.1.1.1 and 1.0.0.1 no 
problem. But if I query at 8.8.8.8 or 8.8.4.4 I get servfail even though 
I have completely disabled DNSSEC for this zone.


Something somewhere seems, er, unusual.

Your problems aren't being compounded by some dumb firewall are they?

Some long TTL?

Just shootin' the fish, I don't know nearly as much about this stuff
as the guys already helping you.

--

73,
Ged.


Re: BIND through COPR after CentOS

2020-12-18 Thread G.W. Haywood via bind-users

Hi there,

On Fri, 18 Dec 2020, Leroy Tennison wrote:


... switching from an rpm world to a deb world
... Not an enormous change but significant.


Indeed.  I'd suggest that if it's just about BIND, it's easier to grab
the source and build it.  That way you don't ever have to wait for the
package maintainer (not that you'll usually have to wait long), you do
get to make your own decisions, and there'll be fewer nasty surprises.

This has been my routine for more than a decade - I just did it this
evening on our primary.  The secondaries are somebody else's problem.

$ wget https://downloads.isc.org/isc/bind9/9.11.26/bind-9.11.26.tar.gz
$ tar xzvf bind-9.11.26.tar.gz
$ cd bind-9.11.26/
$ ./configure --enable-ipv6 --prefix=/usr/local --sysconfdir=/etc --with-openssl ...
$ make
# make install
# kill $(pidof /usr/local/sbin/named) ; sleep 2 ; /usr/local/sbin/named -u named

I don't think 'apt-get update/upgrade' would have been any quicker.

You might want to check signatures etc., but it is an 'https' download
link.  If you have a lot of machines and no Puppet, you can of course
make your own package in a few minutes.

You'll want to subscribe to the announce@ list.  If there's no CVE, I
usually wait for a couple of days after the announcement...

--

73,
Ged.

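On "you might want to check signatures": an https link only proves you talked to downloads.isc.org, it says nothing about the tarball itself. ISC signs releases with OpenPGP and publishes a detached signature next to each tarball. As an added example (mine, not from the post), here is the build routine above with the checks in front of it. It assumes `gpg` and `sha256sum`, that the signature file is named `<tarball>.asc`, and that ISC's release-signing public key has already been imported after its fingerprint was checked out of band (no fingerprint is hard-coded here on purpose).

```shell
#!/bin/sh
# Added example, not from the post. Refuse to configure/build a BIND tarball
# unless its detached OpenPGP signature verifies and the SHA-256 recorded from
# the release announcement matches. Assumptions: gpg and sha256sum present,
# ISC's signing key already in the keyring (fingerprint verified out of band),
# signature file named <tarball>.asc.

# sha256_matches FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# signature_valid FILE -> 0 if FILE.asc is a good signature by a key in the keyring
signature_valid() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# build_verified TARBALL EXPECTED_SHA256 -> unpack, configure and make, but only
# after both checks pass; returns 1 without touching the source otherwise.
build_verified() {
    tarball=$1 expected=$2
    if ! sha256_matches "$tarball" "$expected"; then
        echo "refusing to build: SHA-256 mismatch for $tarball" >&2
        return 1
    fi
    if ! signature_valid "$tarball"; then
        echo "refusing to build: bad or missing OpenPGP signature for $tarball" >&2
        return 1
    fi
    srcdir=${tarball%.tar.gz}
    tar xzf "$tarball" &&
    cd "$srcdir" &&
    ./configure --prefix=/usr/local --sysconfdir=/etc --with-openssl &&
    make
}

# Usage (the checksum is whatever the announcement for the release says; the
# version below is the one from the post, the checksum is a placeholder):
#   wget https://downloads.isc.org/isc/bind9/9.11.26/bind-9.11.26.tar.gz
#   wget https://downloads.isc.org/isc/bind9/9.11.26/bind-9.11.26.tar.gz.asc
#   build_verified bind-9.11.26.tar.gz <sha256 from the announcement>
```

The signature is the check that matters; the checksum comparison is there so that a tarball swapped after you read the announcement, or a download corrupted in transit, fails loudly before `make install` ever runs as root.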

Re: NXDOMAIN problems

2020-11-17 Thread G.W. Haywood via bind-users

Hi there,

On Tue, 17 Nov 2020, Boylan, Ross wrote:


I have been experiencing NXDOMAIN errors ...
... There are a lot of complications.
... The remote machine is only accessible though VPN 
... the nameserver ... is also accessible only through VPN

... The VPN connection has always been a bit touchy ...


In my experience, complicated usually also means unreliable.

Does it _need_ to be complicated?

Could you not just put

192.0.2.3   mymachine.ucsf.edu  mymachine

or similar into /etc/hosts (or whatever passes for that on the client)?

--

73,
Ged.


Re: Bind 9.16.x won't start from systemd

2020-07-08 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 8 Jul 2020, Adrian van Bloois wrote:


When I try to start bind 9.16.x from systemd it fails not being able to
find something. When I start it straight from the CMD-line like:
sudo  /usr/local/sbin/named
There is no problem and it works fine.
What could be the problem???


systemd.

--

73,
Ged.


Re: Steps to reload zone files automatically?

2020-07-01 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 1 Jul 2020, Harshith Mulky wrote:


Is there an automatic way we could use reloading the zone files
rather than using rndc reload or named restart?


It should be trivial to implement this, but I'm not sure that I'd want
to do it on a server of mine.


We are running bind with version as below

# rpm -qi bind
Name: bind
Version : 9.9.5P1
...


https://kb.isc.org/docs/bind-9-end-of-life-dates


Date: Wed, 08 Jun 2016 20:09:54 +1000
From: Mark Andrews 
To: Harshith Mulky 
...
... Harshith Mulky writes:
> I have bind Running on following Version:
> 
> bind-9.8.2-0.17.rc1.el6.x86_64


Upgrade.


Plus ça change, plus c'est la même chose...

--

73,
Ged.

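The "trivial to implement, but I'm not sure I'd want it" reservation is worth spelling out: a watcher that fires `rndc reload` the moment a zone file changes will happily reload a half-written or syntactically broken file. As an added example (mine, not from the post), here is the trivial version with the two guards a practitioner would insist on: it only reacts once the writer has closed the file, and it runs `named-checkzone` before touching named. It assumes `inotifywait` from inotify-tools, a working `rndc`, and zone files named after the zone (for example `/var/named/example.com.zone`); all of those are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reload a zone automatically when its
# file changes, but only after the new file passes named-checkzone.
# Assumes inotifywait (inotify-tools), rndc configured for the local named,
# and zone files named <zone>.zone under ZONEDIR.

ZONEDIR=${ZONEDIR:-/var/named}
CHECKZONE=${CHECKZONE:-named-checkzone}
RNDC=${RNDC:-rndc}

# zone_of FILE -> zone name derived from the file name (strip dir and .zone)
zone_of() {
    f=${1##*/}
    printf '%s\n' "${f%.zone}"
}

# reload_if_valid FILE -> 0 if the zone was valid and reloaded, 1 if rejected
reload_if_valid() {
    zone=$(zone_of "$1")
    if "$CHECKZONE" -q "$zone" "$1"; then
        "$RNDC" reload "$zone"
    else
        echo "refusing to reload $zone: $1 failed named-checkzone" >&2
        return 1
    fi
}

# watch_zones -> block forever, reloading zones as their files are rewritten.
# close_write fires only after the writer has closed the file and moved_to
# covers an atomic rename into place, so a half-written file is never loaded.
watch_zones() {
    inotifywait -m -q -e close_write -e moved_to --format '%w%f' "$ZONEDIR" |
    while IFS= read -r path; do
        case $path in
            *.zone) reload_if_valid "$path" || : ;;
        esac
    done
}

# Usage:  ZONEDIR=/var/named watch_zones
```

What this does not do is bump the SOA serial for you; if the editing process forgets that, the reload succeeds locally and the secondaries never notice, which is the other reason to keep a human, or at least `rndc reload` in a deliberate deployment step, in the loop.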

Re: BIND Masters and slaves

2020-06-15 Thread G.W. Haywood via bind-users

Hi there,

On Mon, 15 Jun 2020, bind-users-requ...@lists.isc.org wrote - and wrote, and 
wrote:


... [all sniped] ...


Please guys[1], stop it.

--

73,
Ged.
[1] The masculine embraces the feminine where the context permits.


Re: Does 'make uninstall' work?

2020-05-28 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 28 May 2020, Nyamkhand Buluukhuu wrote:


...
Does the 'make uninstall' command work? I still have the source folder.
Or do I need to compile a newer version with a different prefix and make a link?

Which one is the safest way? If make uninstall doesn't work, how do you guys
upgrade your compiled bind?


I don't normally bother with 'make uninstall' for anything at all.

You could simply make a copy of the existing 'named' binary in a safe
place and when you run 'make install' it will (if you configured things
same as last time) overwrite your existing 'named' binary.  Of course
it will overwrite all the other BIND binaries too so this might not be
as safe as you would like it to be.

BIND releases in particular are very reliable and I don't even make a
safe copy of the 'named' binary when I build a new one.  I generally
leave the source tree from the previous version in my home directory
until I can see that the latest version is working.  If things went
wrong for some reason I could just change directory to the older one
and run 'make install' there to recover the earlier 'named' version.
Once a new version runs OK I delete the source tree for the old one.

Even if it was deleted it's very easy to recover it from the released
tarballs.  If you don't still have the source tree for the old version
now might be a good time to create it again and make sure that you can
still build the older version of the 'named' binary.  Of course you
don't need to run 'make install' for the old version but it might be
worth comparing the binary built by the 'make' step with the one that
you're running.

However since you ask for the safest way of doing things I suggest
that you first set up slave nameservers, if you do not already have
any, and make sure that your TTLs are sane - at least a few days.  My
slave servers are provided by Hurricane Electric.  I'm very happy with
their services.  If I break something on the master, or if one of a
hundred or possibly more other problems happens, then the slaves will
handle the load while I'm fixing it so it isn't a big deal.

If you want to be able to run either version you could for example
configure the build process so that the old binary is somewhere like
/usr/sbin and the new one in /usr/local/sbin; then you can choose
which one runs in your startup scripts.  They will both use the same
configuration and data (in /etc/named.conf and /var/named/ or wherever
you have configured it to be).

--

73,
Ged.


Re: Machine friendly alternative to nsupdate

2020-04-01 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 1 Apr 2020, Petr Bena wrote:


... Is there any alternative to nsupdate, something that can work with XML
or JSON payloads or provide output in such machine parseable format? ...


If it's any help DNS::ZoneParse claims to be able to output XML - but
I don't have any experience of it.  The last changelog entry is dated
Sep 22 2010, which you might consider a good thing, or you might not.

--

73,
Ged.


Re: recursive resolver

2020-03-14 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 12 Mar 2020, G.W. Haywood wrote:

On Thu, 12 Mar 2020, ShubhamGoyal wrote:


How can i improve my recursive resolver speed.


I wonder if you have some kind of networking misconfiguration which
results in timeouts while BIND is waiting for responses.  Perhaps you
will learn more about what is happening if you look at the network
traffic using a tool such as Wireshark.


--

On Sat, 14 Mar 2020, Grant Taylor wrote:


I feel like running a network sniffer (tcpdump, Wireshark, etc.) on the
recursive resolver will make it quite apparent ...


Great minds think alike... :)

--
For the purposes of comparison you can always try a public service:

laptop3:~$ >>> dig @8.8.8.8 lists.isc.org

; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8 lists.isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24936
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;lists.isc.org. IN  A

;; ANSWER SECTION:
lists.isc.org.  7199IN  A   149.20.1.60

;; Query time: 62 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Mar 14 13:15:51 GMT 2020
;; MSG SIZE  rcvd: 58
--

Seems to me that 62ms is very respectable.  If you have problems with
your own service you can probably use a different one, if only until
such time as you can fix your own (and if indeed it needs to be fixed).

--

73,
Ged.


Re: recursive resolver

2020-03-12 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 12 Mar 2020, ShubhamGoyal wrote:


We made a recursive resolver (CentOS 7, 8GB RAM, 250 GB hard disk and the network
speed is also good). It replies in 1200 msec or 1800 msec (which is very
slow); if it replies from cache, 80 msec or 76 msec.
So I want to know about,
How can I improve my recursive resolver speed.


I wonder if you have some kind of networking misconfiguration which
results in timeouts while BIND is waiting for responses.  Perhaps you
will learn more about what is happening if you look at the network
traffic using a tool such as Wireshark.


And if we apply syslog (centralised logging of bind), is there then any
benefit for the recursive resolver?


If I had a problem with anything which used centralised logging, one
of the first things I would do is check that the centralised logging
was not causing the problem - it is very simple to change the logging
arrangements.  Having said that, I have never found that centralised
logging has caused any problems when it is set up sanely.

--

73,
Ged.


Re: Advice on balancing web traffic using geoip ACls

2020-02-23 Thread G.W. Haywood via bind-users

Hi there,

On Sun, 23 Feb 2020, Scott A. Wozny wrote:


Greetings BIND gurus,


Sorry, I can't make any claim to be a BIND guru.


... webserver clusters hosted on the west and east coasts of the US
and would like to use Bind 9.11.4


Hmmm.  You might want to look e.g. at all the fixes since 9.11.4 in

https://downloads.isc.org/isc/bind9/9.11.16/RELEASE-NOTES-bind-9.11.16.html


with the Maxmind GeoIP database to split the traffic about evenly ...


especially the release notes for 9.11.15 if you're sure about MaxMind.
(After the changes in their APIs a while back cost me many weeks of
effort, and some temporary loss in functionality, I'd be very cautious
about relying on them again.  It was a completely different scenario.)

Of course even if you do look at the location of your DNS clients, it
doesn't tell you much about where _their_ clients are, nor much about
the routing of any packets that their clients might exchange with your
webservers.  In England I frequently see email from the neighbouring
town that's been routed via Austria, Finland, Japan...

Wouldn't even random routing or round-robin (basically do nothing) be
easier to implement, faster, more reliable, more (perhaps strangely)
predictable, and ... ?

https://en.wikipedia.org/wiki/Round-robin_DNS

For your use case I guess you'd really need to instrument something to
know for sure, and by then you've gone and done it anyway. :)

--

73,
Ged.

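As an added illustration (mine, not from the post) of the "basically do nothing" option, here is round-robin as a zone-file fragment. Addresses are RFC 5737 documentation ranges standing in for the two clusters.

```zone
; Added example, not from the thread: plain round-robin for www.example.com.
; With several A records on one name, named rotates the order it returns
; them in, so clients are spread across both clusters with no GeoIP lookup.
$TTL 60        ; short TTL so a dead address can be pulled quickly
www    IN  A   198.51.100.10   ; west coast cluster (placeholder)
www    IN  A   198.51.100.11   ; west coast cluster (placeholder)
www    IN  A   203.0.113.10    ; east coast cluster (placeholder)
www    IN  A   203.0.113.11    ; east coast cluster (placeholder)
```

If the packaged named.conf has changed the ordering default, make it explicit with `rrset-order { class IN type A name "www.example.com" order random; };` in `options`. The caveat that goes with the simplicity: DNS has no health check, so a dead cluster keeps receiving its share of clients until its records are removed, which is what the short TTL is for, and because resolvers cache the whole RRset the split is only ever approximately even.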

Re: Using different OS for Master and Slaves

2019-11-12 Thread G.W. Haywood via bind-users

Hi there,

On Tue, 12 Nov 2019, Mundile wrote:


Is it a good idea, and possible, to create master and slave nameservers using
different OSes?
For example, Master OS = CentOS 7 and Slave OS = Ubuntu 18 or Windows 2016


It depends on whether or not you enjoy pain.


Sent from Mail for Windows 10

-- next part --
An HTML attachment was scrubbed...
URL: 



Perhaps you do.

--

73,
Ged.


Re: Can i remove @0x in my log query message, bind 9.11

2019-11-04 Thread G.W. Haywood via bind-users

Hi there,

On Mon, 4 Nov 2019, Nguyen Huy Bac wrote:


... bind 9.11 has @0x in the query log message.
But my statistical system doesn't support two log message structures at the same time.
So, my question is: can I, and how do I, remove @0x from my log
query messages?


You could do this for example by piping the log messages to a 'sed'
one-liner with syslog-ng, which would avoid the need to patch every
time you install a new version of bind.

--

73,
Ged.

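As an added example (mine, not from the post), this is the `sed` filter being suggested, run over a constructed query-log line in the 9.11 layout. It keys on `client @0x<hex> ` and nothing else, so a line in the older format passes through unchanged and a downstream parser sees one structure.

```shell
#!/bin/sh
# Added example, not from the thread. Strip the "@0x..." client pointer that
# BIND 9.11 prints in query-log lines so that old- and new-format lines look
# the same to a downstream parser. Hang this off syslog-ng, or any log pipe;
# named itself is untouched, so upgrades do not need re-patching.

# strip_client_ptr -> filter stdin to stdout
strip_client_ptr() {
    sed -E 's/client @0x[0-9a-fA-F]+ /client /'
}

# strip_line LINE -> the same line with the pointer removed
strip_line() {
    printf '%s\n' "$1" | strip_client_ptr
}

# Usage:  tail -f /var/log/named/queries.log | strip_client_ptr
```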

Re: RPZ with Spamhaus

2019-06-24 Thread G.W. Haywood via bind-users

Hi there,

On Mon, 24 Jun 2019, Tony Finch wrote:

Mik J via bind-users  wrote:
>
> I registered in spamhaus but don't know how to be able to axfr the
> content of the zone

... The DROP lists are freely available in plain text so if you are
handy with bit of programming it isn't too hard to turn them into
your own RPZ. ...


FWIW: a few years back, as an experiment I used the DROP lists exactly
that way for at least a couple of years.  In the entire time I saw not
a single connection from a listed IP.  My guess was that our upstream
provider (BT, aka British Telecom) were doing their job right and took
it out of service.

--

73,
Ged.
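An added example, not Tony's or Ged's code, of the conversion Tony describes: parse the DROP text format and emit an RPZ zone whose address triggers return NXDOMAIN (CNAME .) for anything in a listed prefix. The DROP lines, zone origin and serial are constructed; the IPv6 owner-name encoding follows the RPZ draft's reversed 16-bit words with "zz" standing in for "::".

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the DROP text format ("<cidr> ; <SBL reference>");
# the prefixes are documentation ranges, not a real listing.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not the real list)
; Last-Modified: Mon, 24 Jun 2019 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
2001:db8::/32 ; SBL000003
not-a-prefix ; junk that must be skipped
"""


def parse_drop(text: str) -> List[Tuple[str, str]]:
    """Return (cidr, reference) pairs; comment-only and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        body, _, comment = raw.partition(";")
        body = body.strip()
        if not body:
            continue
        try:
            # strict=True rejects prefixes with host bits set, which would
            # otherwise silently widen what the RPZ blocks.
            net = ipaddress.ip_network(body, strict=True)
        except ValueError:
            continue
        entries.append((str(net), comment.strip()))
    return entries


def rpz_ip_owner(cidr: str, trigger: str = "rpz-ip") -> str:
    """Encode a prefix as an RPZ address-trigger owner name.

    IPv4: "<len>.<o4>.<o3>.<o2>.<o1>.<trigger>".  IPv6: the 16-bit words in
    reverse order, with "zz" in place of "::".  Use trigger="rpz-client-ip"
    to match the querying client instead of addresses in the answer.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        words = str(net.network_address).split(".")
    else:
        head, sep, tail = net.network_address.compressed.partition("::")
        words = [w for w in head.split(":") if w]
        if sep:
            words.append("zz")
            words.extend(w for w in tail.split(":") if w)
    return f"{net.prefixlen}.{'.'.join(reversed(words))}.{trigger}"


def build_rpz_zone(drop_text: str, origin: str = "drop.rpz.example.",
                   serial: int = 2019062401, trigger: str = "rpz-ip") -> str:
    """Render a complete RPZ zone file; each listed prefix becomes NXDOMAIN."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin} {serial} 3600 900 1209600 300",
        "@ IN NS localhost.",
    ]
    for cidr, ref in parse_drop(drop_text):
        lines.append(f"{rpz_ip_owner(cidr, trigger)} IN CNAME . ; {ref}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(SAMPLE_DROP), end="")
```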


Re: A policy for removing named.conf options.

2019-06-13 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 13 Jun 2019, Leroy Tennison wrote:

On Thu, 13 Jun 2019, Ondřej Surý wrote:

On 13 Jun 2019, at 15:55, G.W. Haywood via bind-users ... wrote:


... could you not set up an ISC zone which BIND on startup will ping ...


we've been discussing the 'call home' feature on several occasions
and usually something more pressing crawls to the top of the TODO list...


Unconditional "call home" is always problematic ...


Sure.


... administrative hassle ... management approval ...


Hence the "ask for permission at build time, etc.".  Just Say No.


We would be happy to collect more feedback and don't get me started
on how I just love to receive patches, preferably as merge requests
(ping me if you need up the projects limit in our GitLab) ;).


Unfortunately I also have one of those TODO lists, and I'm afraid it
has no room for patching BIND although I'd relish the opportunity.  I
did have a quick look and it doesn't look too daunting.

--

73,
Ged.


Re: A policy for removing named.conf options.

2019-06-13 Thread G.W. Haywood via bind-users

Hello again,

On Thu, 13 Jun 2019, Matthijs Mekking wrote:

On 6/13/19 2:40 PM, G.W. Haywood via bind-users wrote:
> On Thu, 13 Jun 2019, Matthijs Mekking wrote:
>
> > | managed-keys   | 9.15/9.16 | replaced with dnssec-keys |
>
> According to my changelogs for 'named.conf I removed 'managed-keys' and
> 'trusted-keys' three years ago, but still use 'managed-keys-directory'.

... it is likely that you are using managed trust anchors that
are configured with 'managed-keys' in a bind.keys file. ...


Correct.  It says in that file that I'm not expected to do anything to
it - so I expect you'll take care of that when the time comes, yes?

To tell you about the use of configuration options, could you not set
up an ISC zone which BIND on startup will ping with a few packets?
You'd get a lot more (and more accurate) feedback than sending out a
plea on a mailing list.  You could make it a compile time option, ask
for permission at build time, etc..

--

73,
Ged.


Re: A policy for removing named.conf options.

2019-06-13 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 13 Jun 2019, Matthijs Mekking wrote:


We would like to hear your feedback.


Thank you for the timely heads up.


| managed-keys   | 9.15/9.16 | replaced with dnssec-keys |


According to my changelogs for 'named.conf I removed 'managed-keys' and
'trusted-keys' three years ago, but still use 'managed-keys-directory'.

Will the option 'managed-keys-directory' also be deprecated?

--

73,
Ged.


Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-18 Thread G.W. Haywood via bind-users

Hello again,

On Mon, 18 Mar 2019, Alan Clegg wrote:


Take the personal attacks elsewhere if you don't mind.


My post was not intended to be a personal attack.  I did explain that
it was sent in more haste than I'd have liked, and perhaps it might
have been better if I'd have left it until I got back - but I don't
know how much better, as I'm told I'm not always very good at email
and judging by some of the responses I get that's probably correct.

In any case please do be assured that there's nothing personal going
on here, I'm simply trying to remind anyone who might think that it
doesn't hurt to be reminded (and I believe there are some) that the
ISC should have stability right up near the very top of its list of
objectives.  Amongst the characteristics of stability one may count
the lack of any requirement to make changes to configuration files,
especially at a potentially stressful time such as for example when
installing any new version of BIND.  I'd much prefer it didn't happen
at all, but if it's required then in my view the new release should be
entirely about the configuration file change(s) and nothing else, so
there's more flexibility in scheduling the change because there won't
be all those pesky new features to consider.


On Mon, 18 Mar 2019, G.W. Haywood wrote:
> Apologies for speaking frankly, but that's a lie.
I would like an apology for this because I am not a liar.


Well the apology was right there in that sentence, but here and now
and in public I apologize again.  I could take issue with a few other
things in your reply, but this is my apology, not some attempt at a
refutation or a justification, so here it ends.  More or less this
entire message is an apology, as you requested, and to anyone reading
who has better things to do, I apologize for that also.  Please let's
get back to BIND now.

--

73,
Ged.


Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-18 Thread G.W. Haywood via bind-users

Hi there,

I've been reading this exchange with growing frustration, and I hope a
forthright response will be excused - especially since I now have to
dash out to the hospital so I don't have more time to work on this.

On Mon, 18 Mar 2019, or possibly earlier, Alan Clegg wrote:


The change was an unintended consequence ...


Please try not to let things like that escape into the wild, and
please, please, NEVER turn them into deliberate actions purely for
your own convenience.  If this means that you have to pull a release,
then so what?  You've put me first.  That's fine by me.


How many zones are you authoritative for?  Would it be a major
difficulty to (once) change the existing zones and then modify your
provisioning to add the "allow-update" option in the zone stanza?


Please don't even *think* questions like that.  Maybe you could code
it yourself, and send the script out with the next release, and take
the flack when it breaks, and next time, well, not do it.


... roasted because they don't read the release notes.


Seems to me that you don't care anything like enough about this.


If we (ISC) base our changes on what we've gotten in response to the
surveys, we will make changes based on the fact that nearly all of the
somewhere around 20 people that use BIND are using Solaris.

Not enough people actually respond to our surveys to base any real
changes on the results.


Apologies for speaking frankly, but that's a lie.


If anyone can tell me why we have such low response rates to our
surveys, please let me know that as well... WE NEED YOUR INPUT.


THE ISC HAS ALREADY HAD MY INPUT.  HERE, ON THIS LIST.


If, after breaking things because the default behavior changed and you
hadn't read the release notes, you can then read the release notes, and
you will know why it broke.


If you can say that, I can now confidently tell you that even if you
are asking questions, you aren't asking the right questions and you
aren't listening to the answers anyway.  The people you're asking tend
to be busy, and the people that are likely to be able to give you
useful responses tend to be VERY busy.  Try asking:

"If the next release of BIND breaks your existing configurations and
you either have to start writing sed and awk scripts to fix them or
change to a different product, can you tell us

1. what else will be going on in your office that morning,

2. exactly how pleased you will be to have your load increased without
warning, and

3. as a result of the next disruption we've planned for you, how much
more likely will it be that you will change to a different product?"

Right, you say, you already know the answers.  Try also:

"Are thousands and thousands of surveys from suppliers annoying?"

Right, you say, you already know the answer to that one too.  (I have
a couple of milter rules that reply to email surveys with a specially
crafted 550 5.7.1 ...)

And please, DON'T EVER say:

"WE NEED YOUR INPUT"

when you've already had it.  If you make a survey, and the result you
get back is a big "Yawn", that input tells you what you need to know.

In case there's still any doubt, pop along to Vicky's office and have
a chat with her (even if it means that you'll have to get on a 'plane,
it will be worth it).  On the wall in Vicky's office you should find
an email from me.  I've reproduced it below together with her response
to it.  Apologies, Vicky, if that's taking a liberty.

There are users, and there's everything else, like the infrastructure.
The users alone give us enough trouble thank you very much, and *they*
usually only give trouble one at a time.

It's REALLY annoying when the infrastructure starts to give trouble,
because then all the users kick off, all at once, and they tell us
it's all our fault.

Curiously enough, it is.

--

73,
Ged.

8<--
Date: Wed, 26 Feb 2014 12:44:37 + (GMT)
From: "G.W. Haywood" 
To: bind-users@lists.isc.org
Subject: Re: BIND 9.10.0b1 has been released.

Hi there,

On Wed, 26 Feb 2014, Michael McNally wrote:


At ISC we are quite excited about the long list of new features and ...


I don't want to rain on your parade, and I know that this is likely to
be contentious, but I would just like to ask all at ISC (and I know it
isn't necessary, but I'll ask anyway) to remember that many of us out
here in the Totally Untamed Internet do not like our infrastructure
to be exciting.  Long lists of new features give me personally the
screaming heeby-jeebies.  The last thing anyone needs is a zero-day
BIND exploit in the wild.

Solid and dependable is good.  For the most part BIND is just that,
and I can't heap enough praise on the people who gave all that to us.

But I've noticed in the last few years that I've had to do more work
to keep up with bind developments when a few things have escaped that
perhaps should not have.  I've wanted to say this fo

Re: Classless Reverse Zones PTR Dig Format Issue

2019-02-07 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 7 Feb 2019, Matus UHLAR - fantomas wrote:

On 07.02.19 12:53, Nagesh Thati wrote:

I have created a network with 199.192.0.0/11 and
created 4 subnets with /13 mask in that network,
Network: 199.192.0.0/11 : 192.199.in-addr.arpa,
Subnet1: 199.192.0.0/13 : 0-13.192.199.in-addr.arpa,
Subnet2: 199.200.0.0/13 : 0-13.200.199.in-addr.arpa,
Subnet3: 199.208.0.0/13 : 0-13.208.199.in-addr.arpa,
Subnet4: 199.216.0.0/13 : 0-13.216.199.in-addr.arpa.


holy shit ...


H.

$ dig +short -x 199.192.0.1
dhhs1.dhhs.state.nh.us.
$ dig +short -x 199.200.10.10
www.winamonga.com.
$ dig +short -x 199.208.121.1
dha-121-1.health.mil.
$ dig +short -x 199.216.0.1
gov.ab.ca.

--

73,
Ged.


Re: Question about visibility

2018-10-25 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 25 Oct 2018, Grant Taylor wrote:

On 10/24/2018 06:15 AM, G.W. Haywood via bind-users wrote:


A server on a non-standard port is often neglected.  Its security may
be less well maintained than one that is intentionally public.


Why and how do you make that correlation?


Years of customers (including a major motor vehicle manufacturer) who
said "The guy that set all this up has left." and "We don't know what
happened to the disc.", and "Oh, we'd forgotten about that one." and...


Are you implying that some people think that because they've taken one
step (moving the port) they may think that they don't need to take other
steps (updating)? ...


No, that was not what I meant to imply at all.


I've always found that moving the port is one of many steps done to
improve security.


As was mentioned by others earlier in the thread.  No argument there, I
do that too - especially for ssh and VPN connections.  But you'd likely
have poor results with a nameserver. :)


The more important steps being stay up to date.


That being the problem.  The |guy left|...|forgotten about it| means
that unless the updating is automatic (and still working - unlikely,
even if it was once) then you more or less have a ticking time-bomb.

Mostly off-topic for this list though.

--

73,
Ged.


Re: Question about visibility

2018-10-24 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 24 Oct 2018, Hardy, Andrew wrote:


Further to the original post, as well as not creating a DNS record
and "possibly" adding robot.txt with appropriate content, as
discussed, I presume that if I run the http server on a personally
selected unprivileged port then it is very "unlikely" the site pages
will be indexed/discovered/etc surely?

Thoughts?


A server on a non-standard port is often neglected.  Its security may
be less well maintained than one that is intentionally public.

That's just the sort of thing that criminals are looking for.  They'll
probably find it, and then they'll attack it.

--

73,
Ged.


Re: DNSSEC: give KSK from my domain to parent zones

2018-10-05 Thread G.W. Haywood via bind-users

Hi there,

On Fri, 5 Oct 2018, Roberto Carna wrote:


... when I check for the DNSEC support with:

dig com.uk +dnssec +multi

I can see there is no support at all... so using DNSSEC for xxx.com.uk makes no
sense at all... hasn't it?


Do you mean "xxx.co.uk" and not "xxx.com.uk"?

--

73,
Ged.


Re: BIND and UDP tuning

2018-10-01 Thread G.W. Haywood via bind-users

Hello again,

On Mon, 1 Oct 2018, Alex wrote:


> Are your requests being dropped by the service(s)?
>
> (Or: are you inadvertently abusing the said service(s)?)

I don't believe so - often times a follow-up host query succeeds
without issue. It's also failing for invaluement and spamhaus, both
of which we subscribe.
[...]
It also tends to happen in bulk - there may be 25 SERVFAILs within
the same second, then nothing for another few minutes.


Hmmm.  If it isn't the modem and it isn't the BLs then it more or less
has to be the service, no?

I'd be tempted by Mr. Clegg's suggestion to spin up a VPS somewhere
with decent connection, which will at least offload a lot of retries.
Talk to it through OpenVPN, which is very easy to set up, and it can
(a) put the VPS on your LAN (b) take much unreliability out of the
presumably unreliable connection between you and the VPS and (c) write
very verbose logs if you wish.  On occasion on unreliable connections
I've had to use TCP for the VPN link but UDP is the norm - OpenVPN has
its own ways of dealing with lost packets.

Then you'll probably have a whole new can of worms to investigate, but
the worms will definitely tell you something. :)

--

73,
Ged.


Re: BIND and UDP tuning

2018-09-30 Thread G.W. Haywood via bind-users

Hi there,

On Sun, 30 Sep 2018, Alex wrote:


Sep 29 14:33:54 mail03 postfix/dnsblog[3290]: warning:
dnsblog_query: lookup error for DNS query
123.139.28.66.dnsbl.sorbs.net: Host or domain name not found. Name
service error for name=123.139.28.66.dnsbl.sorbs.net type=A: Host
not found, try again

I'd really be interested in people's input here.


Are your requests being dropped by the service(s)?

(Or: are you inadvertently abusing the said service(s)?)

--

73,
Ged.


Re: BIND and UDP tuning

2018-09-27 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 27 Sep 2018, Alex wrote:


This is also only happening on the two identical systems connected
to the 165/35mbit cable modem.
...
I really hope there is someone with some additional ideas.


Is it the modem?

--

73,
Ged.


Re: Operational Notification: Some releases of BIND are too strict when handling referrals containing non-empty answer sections

2018-09-20 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 19 Sep 2018, Michael McNally wrote:


  ... code refactoring ...


That phrase always sends shudders through my corpus.

--

73,
Ged.


Re: Test mail to bind-users

2018-05-31 Thread G.W. Haywood via bind-users

Hi Michael,

On Wed, 30 May 2018, Michael McNally wrote:


We have had reports that posts to bind-users are (in at least some
cases) triggering unwelcome direct-to-the-submitter messages from
spammers.

Please disregard this message while I try to gather some information
in the hopes of stopping this unwelcome behavior.


I'm not sure that there's much that a list manager can do about it.

This has been an issue for most of the lists to which I've subscribed
for decades.  My list addresses only accept mail from the lists to
which they're subscribed, and I'd imagine most other subscribers (at
least to the BIND list) would take similar precautions if necessary.

--

73,
Ged.


Re: Should we bundle the MaxMind GeoIP db?

2018-05-31 Thread G.W. Haywood via bind-users

Hi Victoria,

On Wed, 30 May 2018, Victoria Risk wrote:


... would it be useful if we included the GeoLite2 database with the
BIND distribution? Since we update at least twice a year, we could
keep it fairly well up to date, and it would save users having to go
get and update the db themselves. It would add about 1.5MB to the
BIND distribution (depending on whether we use the country or city
level).

Votes, comments welcome.


The increase in sizes of the distributions would be of no concern to me.

I would hope to see both IPv4 and IPv6 data as well as the ASN data,
without which it would be of no use to me.

At present I use the Debian package, which updates much more often than
twice yearly.  I keep no data on the volumes of changes, but the file
timestamps today tell me that the changes are infrequent so I guess I'd
be relaxed about that:

-rw-r--r-- 1 root root  4638365 Mar 24 10:10 GeoIPASNum.dat
-rw-r--r-- 1 root root 20539238 Mar 27 13:05 GeoLiteCity.dat
-rw-r--r-- 1 root root  1242574 Mar 27 13:17 GeoIP.dat
-rw-r--r-- 1 root root 21662641 May  1 21:14 GeoLiteCityv6.dat
-rw-r--r-- 1 root root  2297267 May  1 21:23 GeoIPv6.dat
-rw-r--r-- 1 root root  5564550 May  5 11:10 GeoIPASNumv6.dat

I use the database to screen incoming mail connections to limit abuse.
Connections are blocked or permitted by a pure Perl homebrew Sendmail
milter based on the Country and/or ASN as identified by a GeoIP lookup
on the connecting IP.

Lookup failures in the ASNUM edition are much more common than in the
country and the city 'rev. 1' editions, and it seems much more common
since March this year.  I do keep stats on those, although they're not
very illuminating.  If they'd be of any interest you'd be very welcome
to have them.

HTH

--

73,
Ged.


Re: Fwd: Facing weird issue with DNS-RPZ

2018-04-25 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 25 Apr 2018, Blason R wrote:


Unfortunately neither RHEL nor CentOS gives an RPM for 9.10+, and
compiling and building is really a pain and time consuming.
Hence I decided to give it a try with Ubuntu 16.04, and anyway within a few
days 18.04 is coming out with 9.11.


Date: Wed, 17 Jan 2018 08:52:30 -0800
From: Carl Byington 
To: bind-users@lists.isc.org
Subject: RHEL, Centos, Fedora rpm 9.11.2-P1
Message-ID: <1516207950.16446.8.ca...@ns.five-ten-sg.com>
Content-Type: text/plain; charset="UTF-8"

http://www.five-ten-sg.com/mapper/bind contains links to the source
rpms, and build instructions.


--

73,
Ged.


Administrivia.

2018-04-23 Thread G.W. Haywood via bind-users

Hi there,

It looks like something has recently changed in the ISC DNS.

8<--
Apr 20 09:00:36 mail6 sm-mta[20203]: NOQUEUE: connect from lists.isc.org 
[149.20.1.60]
Apr 20 13:00:22 mail6 sm-mta[29448]: NOQUEUE: connect from lists.isc.org 
[149.20.1.60]
Apr 21 13:00:15 mail6 sm-mta[28060]: NOQUEUE: connect from lists.isc.org 
[149.20.1.60]
Apr 22 13:00:10 mail6 sm-mta[30898]: NOQUEUE: connect from [149.20.1.60]
Apr 22 13:09:26 mail6 sm-mta[31397]: NOQUEUE: connect from [149.20.1.60]
Apr 22 13:24:27 mail6 sm-mta[32126]: NOQUEUE: connect from [149.20.1.60]
8<--

Our picky servers started blocking list mail.  Thinking it might right
itself, at first I ignored it.  Then I tweaked some filtering rules to
let list messages through.

Below is from our own DNS server; I get the same response from all the
public servers that I've tried.

8<--
mail6:~$ >>> dig -x 149.20.1.60

; <<>> DiG 9.9.5-9+deb8u14-Debian <<>> -x 149.20.1.60
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26391
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;60.1.20.149.in-addr.arpa.  IN  PTR
[...]
8<--

No problem as far as I'm concerned, I just hope whoever needs to know
about this knows about this (and that I haven't missed something. :)

--

73,
Ged.


Re: Responding with a subset of an rrset

2018-04-11 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 11 Apr 2018, speijnik wrote:


I'd need a way of returning a random pick of a limited number of
records from a given rrset ...


Something like this?

8<--
#!/usr/bin/perl -w
use strict;
use Net::DNS;
use List::Util qw( shuffle );

# Query $domain/$rrtype at a fixed nameserver and return up to five
# answer records of that type, in random order.  Returns an empty
# list if the query fails or the name does not exist.
sub get_5_random_records
{
my $domain = shift;
my $rrtype = shift;
my @records = ();
my $resolver = Net::DNS::Resolver->new();
$resolver->nameservers( "ns.example.com" );
my $packet = $resolver->send( $domain, $rrtype );
if( ! $packet ) { return; }
if( $packet->header->rcode eq 'NXDOMAIN' ) { return; }
# Keep only answer records of the requested type (compare against
# $rrtype, not the RR object itself).
foreach my $rr ( $packet->answer() ) { if( uc( $rr->type ) eq uc( $rrtype ) ) { push @records, $rr->string; } }
my @shuffled = shuffle @records; # Not that they'll likely need it.
return splice( @shuffled, 0, 5 );
}
8<--

Untested.  Needs work.  YMMV.

--

73,
Ged.


Re: Separate DNS slaves as internal and external

2018-03-19 Thread G.W. Haywood via bind-users

Hi there,

On Mon, 19 Mar 2018, King, Harold Clyde wrote:


I have DNS slaves for internal and external entities. I don't know
how to work the NS records so that outside users would only get the
external slave and internal would only get the internal slave.

How can I do this? ...


You could use a firewall to route the queries as required.

You might look at Bind 'Views', for example see the Cricket book.

--

73,
Ged.


RE: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:


Good morning, I'm trying to make it more difficult for an attacker to
get my DNS server version.


Waste of time.  The attacks are automated, and will be mounted anyway.

--

73,
Ged.


Re: DNS not resolving on google, but is on other services

2018-02-17 Thread G.W. Haywood via bind-users

Hi there,

On Sat, 17 Feb 2018, LuKreme wrote:


... Is google just b0rked? ...


You might need to look closer to home.

You claim three nameservers, but it appears that they're all on the
same network segment - a *really* bad idea - and one of them doesn't
respond to DNS requests, using IPs located both here in the UK and
way over in the western USA:

8<--
laptop3:~$ >>> dig www.david-dodge.com
[snip]
;; ANSWER SECTION:
www.david-dodge.com.86349   IN  CNAME   www.covisp.net.
www.covisp.net. 86361   IN  A   65.121.55.45
;; AUTHORITY SECTION:
covisp.net. 172119  IN  NS  ns2.covisp.net.
covisp.net. 172119  IN  NS  ns3.covisp.net.
covisp.net. 172119  IN  NS  ns1.covisp.net.
[snip]
8<--
laptop3:~$ >>> dig @ns1.covisp.net -t any covisp.net
[snip]
;; ANSWER SECTION:
covisp.net. 86400   IN  SOA ns1.covisp.net. 
root.covisp.net. 2018020300 14400 1800 1209600 3600
covisp.net. 172800  IN  NS  ns1.covisp.net.
covisp.net. 172800  IN  NS  ns2.covisp.net.
covisp.net. 172800  IN  NS  ns3.covisp.net.
covisp.net. 172800  IN  MX  10 mail.covisp.net.
covisp.net. 86400   IN  TXT "v=spf1 mx a ip4:65.121.55.42/32 
-all"
covisp.net. 86400   IN  TXT 
"google-site-verification=6rB9Dkgu8_hfTbLiieRTAkvFitENOvyszmzoAu1N27U"
covisp.net. 86400   IN  A   65.121.55.42
;; ADDITIONAL SECTION:
ns1.covisp.net. 172800  IN  A   65.121.55.42
ns2.covisp.net. 172800  IN  A   65.121.55.43
ns3.covisp.net. 172800  IN  A   65.121.55.45
mail.covisp.net.172800  IN  A   65.121.55.42
[snip]
8<--
laptop3:~$ >>> dig @ns3.covisp.net -t any covisp.net
; <<>> DiG 9.10.3-P4-Debian <<>> @ns3.covisp.net -t any covisp.net
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
8<--

However ns3 responds to 'ping'
8<--
laptop3:~$ >>> ping ns3.covisp.net
PING ns3.covisp.net (65.121.55.45) 56(84) bytes of data.
64 bytes from www.covisp.net (65.121.55.45): icmp_seq=1 ttl=49 time=141 ms
64 bytes from www.covisp.net (65.121.55.45): icmp_seq=2 ttl=49 time=141 ms
64 bytes from www.covisp.net (65.121.55.45): icmp_seq=3 ttl=49 time=141 ms
...
8<--

Maybe the nameserver just isn't running?

Perhaps you should look into one of the free DNS slave services.

--

73,
Ged.
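An added example, not code from the post, of the offline half of the check above: given dig-style NS and glue records it reports which listed nameservers have no address record and whether every address sits in one prefix (the "same network segment" problem). The record sets are constructed with documentation names and addresses; the /24 and /48 grouping sizes are assumptions, and whether each server actually answers on port 53 is still a live dig check.

```python
import ipaddress
import re
from typing import Dict, List

# One resource record in dig's presentation format:
#   owner  ttl  IN  type  rdata
RR_RE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+(?P<rtype>[A-Z0-9]+)\s+(?P<rdata>\S+)")

# Constructed sample: four listed NS names, three of them with addresses
# that all sit in one /24, and one with no address record at all.
SAMPLE_CLUSTERED = """\
example.net.\t172800\tIN\tNS\tns1.example.net.
example.net.\t172800\tIN\tNS\tns2.example.net.
example.net.\t172800\tIN\tNS\tns3.example.net.
example.net.\t172800\tIN\tNS\tns4.example.net.
ns1.example.net.\t172800\tIN\tA\t192.0.2.42
ns2.example.net.\t172800\tIN\tA\t192.0.2.43
ns3.example.net.\t172800\tIN\tA\t192.0.2.45
"""

# Constructed sample of what a healthy delegation looks like: two names,
# every one with an address, spread over different prefixes.
SAMPLE_SPREAD = """\
example.net.\t172800\tIN\tNS\tns1.example.net.
example.net.\t172800\tIN\tNS\tns2.example.net.
ns1.example.net.\t172800\tIN\tA\t192.0.2.42
ns1.example.net.\t172800\tIN\tAAAA\t2001:db8:1::53
ns2.example.net.\t172800\tIN\tA\t198.51.100.7
"""


def parse_rrs(text: str) -> List[Dict[str, str]]:
    """Parse dig output lines; comments (";; ANSWER SECTION:" etc.) are skipped."""
    rrs = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            rrs.append(m.groupdict())
    return rrs


def ns_addresses(text: str, zone: str) -> Dict[str, List[str]]:
    """Map each NS name of `zone` to the A/AAAA addresses found for it."""
    rrs = parse_rrs(text)
    names = [rr["rdata"].lower() for rr in rrs
             if rr["owner"].lower() == zone.lower() and rr["rtype"] == "NS"]
    out: Dict[str, List[str]] = {n: [] for n in names}
    for rr in rrs:
        owner = rr["owner"].lower()
        if owner in out and rr["rtype"] in ("A", "AAAA"):
            out[owner].append(rr["rdata"])
    return out


def check_ns_topology(text: str, zone: str,
                      v4_len: int = 24, v6_len: int = 48) -> Dict[str, object]:
    """Flag nameservers without addresses and a delegation confined to one prefix."""
    addrs = ns_addresses(text, zone)
    missing = sorted(n for n, a in addrs.items() if not a)
    prefixes = set()
    for a in (x for lst in addrs.values() for x in lst):
        ip = ipaddress.ip_address(a)
        plen = v4_len if ip.version == 4 else v6_len
        prefixes.add(str(ipaddress.ip_network(f"{a}/{plen}", strict=False)))
    return {
        "ns_count": len(addrs),
        "missing_address": missing,
        "prefixes": sorted(prefixes),
        "single_prefix": len(prefixes) == 1,
        "ok": len(addrs) >= 2 and not missing and len(prefixes) > 1,
    }


if __name__ == "__main__":
    print(check_ns_topology(SAMPLE_CLUSTERED, "example.net."))
    print(check_ns_topology(SAMPLE_SPREAD, "example.net."))
```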


Re: disable dnssec for particular domain

2018-02-07 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 7 Feb 2018, Michelle Konzack wrote:


... Note:  If someone is interested making a slave for me ...


Is there a reason you don't use e.g. he.net?

https://dns.he.net/

They do say of DNSSEC that they are "exploring this now" but it seems
to work for me.

--

73,
Ged.


Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread G.W. Haywood via bind-users

Hi there,

On Tue, 23 Jan 2018, Grant Taylor wrote:


...
I'm sure that you could do some networking magic to cause connections to
$AlternateIP port 53 to be re-routed to $DifferentIP $AlternatePort.


http://netcat.sourceforge.net/

--

73,
Ged.


Re: DNSSEC validation without current time

2017-12-16 Thread G.W. Haywood via bind-users

Hi there,

On Fri, 15 Dec 2017, Barry Margolin wrote:


In article <mailman.120.1513339585.749.bind-us...@lists.isc.org>,
"G.W. Haywood" <b...@jubileegroup.co.uk> wrote:


On Fri, 15 Dec 2017, Petr Menšík wrote:


... current time is not available or can be inaccurate.


ntpdate?


I think the issue is that he needs to resolve the hostname of the NTP
server.


Perhaps he could set up some IPv6 time servers on a dedicated /48.

--

73,
Ged.


Re: DNSSEC validation without current time

2017-12-15 Thread G.W. Haywood via bind-users

Hi there,

On Fri, 15 Dec 2017, Petr Menšík wrote:


... current time is not available or can be inaccurate.


ntpdate?

--

73,
Ged.


Re: Domain Not Resolving

2017-11-21 Thread G.W. Haywood via bind-users

Hi there,

On Tue, 21 Nov 2017, Ron Wingfield wrote:


... our registered domain, archaxis.net, is not resolving ...


As has been mentioned, you don't have a nameserver listening on IP
162.202.233.81.  At a guess, you need to restart it.


We run BIND version 9.10.2 ...


Upgrade.  See for example

http://www.cvedetails.com/cve/CVE-2016-2776/


... This has worked for past months until 3 NOV 2017 ...


It depends on your definition of 'worked'.  I'd say that it has never
worked, it's just sort of limped along in spite of all your mistakes.


Again, I emphasize that this configuration has been working since modified
Thu Aug 6 2015 following conversion to AT&T U-verse, and has not changed
since Jan 12 2017 when I added an SPF TXT RR for archaxis.net.
[...]
Can any of you list members see any thing wrong with the previously
included zone file?


Your configuration has probably never been correct.  At some stage,
something you wanted to happen might have happened, but that was just
blind luck.  Your zone file is a mess.  Most importantly the four
names ns1, ns2, alpha and bravo all have the same IP address which is
ridiculous in this context.  There are two SPF TXT records when only
one is allowed by the RFCs, and I suspect that neither of them will do
what's required.  The simplest thing you can do with those is delete
them.  The address for localhost (127.0.0.1) should be in /etc/hosts,
not in your zone file, and very probably it already is.

When you've got the rest of your DNS mess sorted out, and when you've
ensured your site is secure (upgrade BIND - and keep it up to date;
did you know that you have servers listening to the entire Internet on
ports 22, 110, 8080 and 60443?; are *they* patched up to date? this
includes firmware updates for your Linksys router ...) then you might
drop by the SPF users' mailing list for advice on your SPF TXT record.


After reporting this continuing unsatisfactory failure to AT&T, they have yet
again responded "As was stated, it shows that we are correctly delegating
the records.  The issue still persists that your nameservers A records are
not resolving.  That is wholly outside our control or access.  PTR requests
will continue to fail as the ns1.archaxis.net and ns2.archaxis.net are not
responding to requests."


AT&T is correct.  You have told them that you are running your own
name servers, which is a lie - you've only ever had one, and that's
not acceptable.  Your name service is not running on the one server
which you do have.


Who is to blame?


You are.


I am at my wit's end.  This was working - why did it just stop?


I don't know why it stopped.  You *might* have suffered from the DOS
attack mentioned in the above CVE, but I think it's much more likely
that you broke something.  It might be that that something was your
nameserver configuration, or perhaps you've broken the server's boot
scripts, or perhaps you've changed your router or its configuration
and it isn't forwarding DNS requests to your internal server.  These
are all your responsibilities.

There are many free DNS services available.  I suggest you pick one of
them, and many of your problems will be, er, resolved.  The services
from he.net have always been very good for my purposes, and extend to
areas beyond simple IPv4 DNS.  They will keep their servers patched.
They offer educational material too.

As a general observation, not knowing what you're doing is dangerous
on the Internet.  Please take some time out of your undoubtedly busy
life to try to ensure that you aren't a menace to the rest of us.  A
good start might be to read the famous "DNS and BIND".

--

73,
Ged.
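
The defects listed in the reply above (two SPF TXT records at the apex, several NS names that are really one address, localhost in the zone file) are all mechanically checkable. The script below is an added example, not from the thread and not BIND's own tooling; it parses the common subset of master-file syntax and runs those checks over a constructed zone that reproduces the mistakes, next to a corrected version, using RFC 5737 documentation addresses rather than the poster's.

```python
"""Zone-file sanity checks for the mistakes the reply above calls out.
Added example, not from the thread or from BIND.  Parses the common subset
of master-file syntax ($ORIGIN/$TTL, parenthesised continuation lines,
quoted TXT strings, ; comments).  Both zones are constructed."""
import re

TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\(|\)|;|[^\s()";]+')
CLASSES = {"IN", "CH", "HS"}

BROKEN_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@         IN SOA ns1.example.net. hostmaster.example.net. (
              2017112101 3600 900 1209600 3600 )  ; serial refresh retry expire minimum
@         IN NS  ns1.example.net.
@         IN NS  ns2.example.net.
@         IN A   192.0.2.81
ns1       IN A   192.0.2.81
ns2       IN A   192.0.2.81      ; same box as ns1: one server, not two
alpha     IN A   192.0.2.81
localhost IN A   127.0.0.1       ; belongs in /etc/hosts
@         IN TXT "v=spf1 a mx -all"
@         IN TXT "v=spf1 ip4:192.0.2.81 ~all"   ; second SPF record: permerror
"""

FIXED_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@         IN SOA ns1.example.net. hostmaster.example.net. (
              2017112102 3600 900 1209600 3600 )
@         IN NS  ns1.example.net.
@         IN NS  ns2.example.net.
@         IN A   192.0.2.81
ns1       IN A   192.0.2.81
ns2       IN A   198.51.100.81   ; a genuinely separate server
@         IN TXT "v=spf1 ip4:192.0.2.81 -all"
"""


def absolutize(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin="."):
    """Return [(owner, ttl, rtype, rdata_tokens)] with absolute owner names."""
    records, ttl_default, prev_owner = [], None, None
    pending, owner_omitted, depth = [], False, 0
    for raw in text.splitlines():
        toks = TOKEN.findall(raw)
        toks = toks[:toks.index(";")] if ";" in toks else toks   # comment to end of line
        if depth == 0:
            if not toks:
                continue
            owner_omitted = raw[:1].isspace()   # blank owner = same as previous record
        for t in toks:
            if t in ("(", ")"):
                depth += 1 if t == "(" else -1
            else:
                pending.append(t)
        if depth > 0 or not pending:
            continue                            # record continues on the next line
        toks, pending = pending, []
        if toks[0] in ("$ORIGIN", "$TTL"):
            if toks[0] == "$ORIGIN":
                origin = toks[1]
            else:
                ttl_default = int(toks[1])
            continue
        owner = prev_owner if owner_omitted else absolutize(toks.pop(0), origin)
        prev_owner = owner
        ttl = int(toks.pop(0)) if toks[0].isdigit() else ttl_default
        if toks[0].upper() in CLASSES:
            toks.pop(0)
        records.append((owner, ttl, toks.pop(0).upper(), toks))
    return records


def txt_value(rdata):
    return "".join(t.strip('"') for t in rdata)   # strings concatenate without spaces (RFC 7208 s3.3)


def lint(records):
    rrsets = {}
    for owner, _ttl, rtype, rdata in records:
        rrsets.setdefault((owner, rtype), []).append(rdata)
    apex = next((o for o, t in rrsets if t == "SOA"), None)
    if apex is None:
        return ["no SOA record: not a zone"]
    problems = []
    for (owner, rtype), rrs in rrsets.items():
        if rtype == "TXT":
            spf = [r for r in rrs if txt_value(r).lower().startswith("v=spf1")]
            if len(spf) > 1:   # RFC 7208 s3.2: exactly one, otherwise receivers return permerror
                problems.append(f"{owner}: {len(spf)} SPF records")
        if rtype == "A" and owner.startswith("localhost.") and any(r[0].startswith("127.") for r in rrs):
            problems.append(f"{owner}: localhost belongs in /etc/hosts, not in the zone")
    servers = [absolutize(r[0], apex) for r in rrsets.get((apex, "NS"), [])]
    if len(servers) < 2:
        problems.append(f"{apex}: fewer than two NS records")
    by_addr = {}
    for ns in servers:
        addrs = rrsets.get((ns, "A"), []) + rrsets.get((ns, "AAAA"), [])
        if not addrs and (ns == apex or ns.endswith("." + apex)):
            problems.append(f"{ns}: in-zone nameserver has no address record")
        for r in addrs:
            by_addr.setdefault(r[0], []).append(ns)
    for ip, names in by_addr.items():
        if len(names) > 1:
            problems.append(f"{', '.join(names)} all resolve to {ip}: that is one server, not {len(names)}")
    return problems
```

Run it alongside named-checkzone rather than instead of it: named-checkzone validates syntax and will complain about an NS name with no address record, but a second SPF string or two NS names behind one address are both syntactically valid DNS and pass it silently.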


Re: designing the DNS from the scratch

2017-07-09 Thread G.W. Haywood

Hi there,

On Sun, 9 Jul 2017, Abdulhadi Ettwejiri wrote:


We are an ISP company; we are providing Internet to our customers.
Recently one of our VIP customers asked for DNS service, and needs the
response time to be 3 msec.  We don't have enough knowledge of DNS ...


But you do know the approximate speed of light in a vacuum?

--

73,
Ged.


Re: are you using lwres?

2017-05-19 Thread G.W. Haywood

Hi there,

On Fri, 19 May 2017, Evan Hunt wrote:


Do you run lwresd or named-with-lwres?  Do you have code that
links with liblwres?  If so, please let me know.


8<--
mail6:~# >>> cat /etc/debian_version
8.7
mail6:~# >>> apt-get remove liblwres90
...
The following packages will be REMOVED:
bind9-host dnsutils host liblwres90
...
8<--

Perhaps I'd better not do that then... :)

8<--
Do you want to continue? [Y/n] n
Abort.
8<--

It doesn't seem to rate a mention in the Debian Popularity Contest.

--

73,
Ged.


Re: bind unexpectedly quit, how to debug

2017-05-09 Thread G.W. Haywood

Hi there,

On Tue, 9 May 2017, Paul Seward wrote:


... I'm not so much asking for a fix as asking how I can find more
information. ...


grep '\(released\|security\)' bind-9.10.5/CHANGES | head -n 90

--

73,
Ged.


Re: BIND 9 windows XP builds

2017-04-18 Thread G.W. Haywood

Hi there,

On Tue, 18 Apr 2017, Evan Hunt wrote:


... I wanted to find out whether there's a reason for so many people
to still be doing this -- even if it wasn't a very good reason --
before I cut them off.


Personally I'm more than a bit surprised, and even a little offended
that ISC still provides an XP build.  Running an XP machine connected
to the Internet is like driving around town in an uninsured vehicle
with no roadworthiness certificate.  It's irresponsible.  Those of us
who manage mailservers and who take any kind of interest in the threat
landscape will attest to the number of XP botnets still plying their
obnoxious trade, especially (sorted by greatest volume in my mailserver
logs first) from China, Vietnam, India and the USA.

Cut them off.  If, by being one more provider which drops support for
a sociopathic menace, you tend to reduce the threat from it, then you
will at least have the warm appreciation of hard-pressed and generally
ill-appreciated mail administrators the world over.

If you don't already run 'p0f', then you might want to consider it to
give you an idea of what's connecting to your servers.  I'd guess it
will be more informative than any feedback you get from real users.
It wouldn't surprise me if most of the downloaders of XP builds that
you're seeing are themselves bots.

--

73,
Ged.


Re: Recognizing remote IP in shared connections

2017-02-28 Thread G.W. Haywood

Hi there,

On Tue, 28 Feb 2017, Job wrote:


For policy purposes, we need to know which remote site is resolving
against a Bind 9.x public DNS server.
The problem occurs when some carriers "share" the same IP address between
several customers and they surf behind a shared NAT.


Sounds like a trial.


Is there a way?  Perhaps with DNSCrypt or DNSSEC?


IPv6?

--

73,
Ged.


Re: Enforce EDNS

2017-02-07 Thread G.W. Haywood

Hi there,

On Tue, 7 Feb 2017, Mark Andrews wrote:


I really don't want to add new automatic workarounds for broken
servers, but it requires people being willing to accept that
lookups will fail, and that manual workarounds will now have to be
done, e.g. "server ... { send-cookie no; };"


+2

--

73,
Ged.


RE: Bind Queries log file format

2017-02-03 Thread G.W. Haywood

Hi there,

For the avoidance of doubt, it seems to me that the stability of BIND
has been improving over the last couple of years.

Thank you.  Keep it up.

If I were hunting some rarely-seen fault condition, I think I'd write
any output which is more useful for debugging than anything else to a
separate file - even if that results in duplication of a little of the
information written to more 'routine' logs, and especially if it's the
kind of information which can cheerfully be purged every hour or two.
Debug and routine log rotations (and storage) can then be different.

Of course if the log message format isn't exactly what's needed in any
particular situation, the source code is freely available.

--

73,
Ged.


Re: "Jumbo" Security Release of BIND corrects four exploitable vulnerabilities.

2017-01-12 Thread G.W. Haywood

Hello again,

On Thu, 12 Jan 2017, Andrey Fanin wrote:

On Thu, 12 Jan 2017, G.W. Haywood wrote:
> On Thu, 12 Jan 2017, Michael McNally wrote:
>
> > ISC has issued new security releases of BIND today [..snip..]
>
> I'm trying to get BIND 9.9.9-P5 from the downloads page, but
> it seems to be giving me something else...

Looks all is correctly delivered ( all three versions of tar.gz )
from my side ( UA )


Maybe it makes a difference that I'm in England, and using IPv6?

laptop3:~$ >>> wget https://www.isc.org/downloads/file/bind-9-9-10b1/?version=tar-gz -O bind.tgz
--2017-01-12 15:16:37--  https://www.isc.org/downloads/file/bind-9-9-10b1/?version=tar-gz
Resolving www.isc.org (www.isc.org)... 2001:4f8:0:2::69, 149.20.64.69
Connecting to www.isc.org (www.isc.org)|2001:4f8:0:2::69|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: ‘bind.tgz’

bind.tgz  [.=>...]   8.98M  89.5KB/s   in 71s

2017-01-12 15:17:50 (129 KB/s) - ‘bind.tgz’ saved [9414022]

laptop3:~$ >>> tar tzvf bind.tgz | head
drwxr-xr-x each/wheel        0 2016-12-29 22:25 bind-9.10.5b1/
-rw-r--r-- each/wheel       52 2016-12-29 22:22 bind-9.10.5b1/.gitattributes
-rw-r--r-- each/wheel       14 2016-12-29 22:25 bind-9.10.5b1/srcid
-rw-r--r-- each/wheel       88 2016-12-29 22:22 bind-9.10.5b1/Atffile
-rw-r--r-- each/wheel   479504 2016-12-29 22:22 bind-9.10.5b1/CHANGES
-rw-r--r-- each/wheel    27137 2016-12-29 22:22 bind-9.10.5b1/COPYRIGHT
-rw-r--r-- each/wheel    33543 2016-12-29 22:22 bind-9.10.5b1/FAQ
-rw-r--r-- each/wheel    45917 2016-12-29 22:22 bind-9.10.5b1/FAQ.xml
-rw-r--r-- each/wheel    12791 2016-12-29 22:22 bind-9.10.5b1/HISTORY
-rw-r--r-- each/wheel     3609 2016-12-29 22:22 bind-9.10.5b1/Makefile.in

--

73,
Ged.

Re: "Jumbo" Security Release of BIND corrects four exploitable vulnerabilities.

2017-01-12 Thread G.W. Haywood

Hi there,

On Thu, 12 Jan 2017, Michael McNally wrote:


ISC has issued new security releases of BIND today [..snip..]
These are available via the http://www.isc.org/downloads web page:

  BIND 9.9.9-P5
  BIND 9.10.4-P5
  BIND 9.11.0-P2

...


I'm trying to get BIND 9.9.9-P5 from the downloads page, but
it seems to be giving me something else...

--

73,
Ged.


Re: Slow recursion with ipv6 enabled?

2016-11-19 Thread G.W. Haywood

Hi there,

On Sat, 19 Nov 2016, Job wrote:


On Bind 9.10 (latest version of this stable branch), I notice in
some cases a relevant slowdown when resolving (for the first time) a
hostname, when named is launched with both IPv4 and IPv6.  It uses
recursion to fetch the information for the first time and I often
have about 2000/3000 ms of slowdown.  Then, when the record is in the
cache, it is fast.

By launching Bind with only IPv4 (-4 switch), recursion is also very fast.

Do you think there are some known issues, or do I have to refine my configuration?


In a case like this I'd run tcpdump and look at the packets directly.
You might see IPv6 queries to which there are no responses, resulting
in timeouts, followed by IPv4 queries for the same information.

--

73,
Ged.
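
What the tcpdump run suggested above should reveal, as an added worked example that is not part of the thread: parse the text tcpdump prints for UDP/53 (timestamp, IP or IP6, src.port > dst.port, message ID, then either "TYPE? name." for a query or an answer-count triple for a response), pair each query with its response by server address and ID, and report the IPv6 queries that were never answered together with the delay until the same name was re-asked over IPv4. The capture is constructed with RFC 5737/3849 documentation addresses; the timings are made up.

```python
"""Query/response correlation over tcpdump -n text output.
Added example, not from the thread or from BIND.  The capture is constructed."""
import re

LINE = re.compile(r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) (?P<fam>IP6?) (?P<src>\S+) > (?P<dst>\S+): '
                  r'(?P<id>\d+)(?P<rest>.*)$')
QUERY = re.compile(r'^\+?\s+(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)')   # '+' after the id = RD set

SAMPLE_CAPTURE = """\
10:00:00.000000 IP6 2001:db8::53.40001 > 2001:db8:ffff::30.53: 40001 A? www.example.com. (33)
10:00:00.800000 IP6 2001:db8::53.40002 > 2001:db8:ffff::30.53: 40002 A? www.example.com. (33)
10:00:02.400000 IP 192.0.2.53.40003 > 198.51.100.30.53: 40003 A? www.example.com. (33)
10:00:02.420000 IP 198.51.100.30.53 > 192.0.2.53.40003: 40003*- 1/0/0 A 192.0.2.80 (49)
10:00:05.000000 IP 192.0.2.53.40004 > 198.51.100.30.53: 40004 AAAA? mail.example.com. (34)
10:00:05.015000 IP 198.51.100.30.53 > 192.0.2.53.40004: 40004*- 1/0/0 AAAA 2001:db8:1::25 (62)
"""


def host(endpoint):
    """'192.0.2.53.40003' or '2001:db8::53.40001' -> address without the port."""
    return endpoint.rsplit(".", 1)[0]


def seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyse(lines):
    queries = []            # (t, family, qname, key) in capture order
    pending = {}            # key=(server address, id) -> index into queries
    answered = {"IP": 0, "IP6": 0}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        t, qid = seconds(m["ts"]), int(m["id"])
        q = QUERY.match(m["rest"])
        if q:
            key = (host(m["dst"]), qid)
            pending[key] = len(queries)
            queries.append((t, m["fam"], q["qname"].rstrip(".").lower(), key))
        else:
            key = (host(m["src"]), qid)
            if key in pending:          # response matched to an outstanding query
                del pending[key]
                answered[m["fam"]] += 1
    unanswered = {"IP": 0, "IP6": 0}
    for idx in pending.values():
        unanswered[queries[idx][1]] += 1
    # For each unanswered IPv6 query: how long until the same name was asked
    # over IPv4?  That gap is the latency the client experiences.
    fallback = []
    for t, fam, qname, key in queries:
        if fam == "IP6" and key in pending:
            later_v4 = [t2 for t2, f2, n2, _ in queries if f2 == "IP" and n2 == qname and t2 > t]
            if later_v4:
                fallback.append((qname, round(min(later_v4) - t, 3)))
    return {"answered": answered, "unanswered": unanswered, "fallback_delay": fallback}
```

Feed it the output of tcpdump -n udp port 53 on the resolver. A clean capture has unanswered IPv6 close to zero; a table full of unanswered IPv6 queries followed by IPv4 fallbacks a second or two later is the symptom in the post, and the fix is on the network (broken or absent IPv6 path to the upstream servers), not in named.conf.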


Re: BIND 9.11.0 RPZ performance issue

2016-10-17 Thread G.W. Haywood

Hi there,

On Mon, 17 Oct 2016, Daniel Stirnimann wrote:


I have upgraded some of our BIND resolvers from BIND 9.9.9-P3 to BIND
9.11.0 and I notice timeouts for 3 - 5 seconds about every 1 to 5 hour.


Something to do with dlv.isc.org?

--

73,
Ged.


Re: Multiple A Records - Followup Question

2016-10-02 Thread G.W. Haywood

Hi there,

On Sun, 2 Oct 2016, Tim Daneliuk wrote:


... can a given *IP* appear in more than one A record? ...


http://serverfault.com/questions/56539/dns-multiple-a-records-or-1-a-record-and-lots-of-cnames

--

73,
Ged.


Re: lookout timesouts

2016-09-19 Thread G.W. Haywood

Hi there,

On Mon, 19 Sep 2016, bind-users-requ...@lists.isc.org wrote:


We have a customer who has their own cache server, but in the
afternoons before they close up for the day, they commit off-site
backups, this process takes them about 90 mins, anyone trying to use
the internet in this time fails 99.9% of the time ...
Is there a named.conf setting we can suggest they use on their cache
server that perseveres and waits a little longer for answers to send
to their client machines?


If I was going there, I wouldn't start from here.  (Old Irish joke:).

The backup system needs more thought.  It could be done automatically
when everyone has gone home.  Its bandwidth usage could be throttled.
The traffic could be 'shaped'.  Take a look at 'BackupPC' for example.
Way OT for this list though.

--

73,
Ged.


Re: outgoing-traffic

2016-07-26 Thread G.W. Haywood

Hi there,

On Tue, 26 Jul 2016, Ejaz wrote:


There is huge traffic coming out from my DNS server since yesterday and
flooding the IP 212.107.121.110 ...


Are you able to let us see your bind configuration?

This might be IP spoofing, an attempted DoS attack on the IP.

Is there any reason why that IP should be allowed to query your
nameserver?  If not, then you should change your configuration so
that only those clients who are expected to query the server are
allowed to do so.  The 'acl', 'allow-query' and 'allow-recursion'
directives for the BIND configuration file enable you to do this.

What operating system are you running on your server?  If all else
fails, in most cases it will be trivial to implement a local firewall
rule or two - at least as a temporary measure until the, er, root of
the problem is discovered and solved.  Consider the TARPIT target. :)

--

73,
Ged.
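
Before tightening allow-query and allow-recursion it helps to see what the query log actually says about the traffic. The script below is an added example, not from the thread and not part of BIND; it reads constructed query-log lines in the layout of the queries category (client address and port, query name, class, type and flags, where a leading "+" in the flags means recursion was requested), profiles each client, and flags two things: clients outside an assumed allowed prefix that ask for recursion, and a client receiving many ANY responses at a high rate, which in a reflection attack is the spoofed victim rather than the attacker. The addresses are RFC 5737/3849 documentation ranges and the allowed prefix is an assumption.

```python
"""Profiling a BIND query log for open-recursion and reflection symptoms.
Added example, not from the thread or from BIND.  Log lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?'
    r'client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#\d+ \([^)]*\): query: '
    r'(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)')

SAMPLE_LOG = """\
26-Jul-2016 09:00:00.001 queries: info: client 192.0.2.25#50123 (www.example.com): query: www.example.com IN A +E (192.0.2.53)
26-Jul-2016 09:00:00.010 queries: info: client 203.0.113.110#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
26-Jul-2016 09:00:00.020 queries: info: client 203.0.113.110#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
26-Jul-2016 09:00:00.030 queries: info: client 203.0.113.110#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
26-Jul-2016 09:00:00.040 queries: info: client 203.0.113.110#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
26-Jul-2016 09:00:00.050 queries: info: client 203.0.113.110#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
26-Jul-2016 09:00:00.060 queries: info: client 203.0.113.110#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
26-Jul-2016 09:00:00.070 queries: info: client 203.0.113.110#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
26-Jul-2016 09:00:00.080 queries: info: client 203.0.113.110#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
26-Jul-2016 09:00:00.500 queries: info: client 2001:db8::7#4000 (example.org): query: example.org IN A + (192.0.2.53)
26-Jul-2016 09:00:01.200 queries: info: client 192.0.2.25#50124 (mail.example.com): query: mail.example.com IN MX +E (192.0.2.53)
"""


def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            q = m.groupdict()
            q["ts"] = datetime.strptime(q["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield q


def profile(lines):
    """Per-client counters: total, ANY, recursion-desired, names, first/last seen."""
    stats = defaultdict(lambda: {"n": 0, "any": 0, "rd": 0, "names": set(),
                                 "first": None, "last": None})
    for q in parse(lines):
        s = stats[q["ip"]]
        s["n"] += 1
        s["any"] += q["qtype"].upper() == "ANY"
        s["rd"] += q["flags"].startswith("+")
        s["names"].add(q["qname"].lower())
        s["first"] = s["first"] or q["ts"]
        s["last"] = q["ts"]
    return stats


def findings(lines, allowed_prefixes, min_queries=5, min_qps=10, min_any_share=0.5):
    """(client, verdict) pairs.  allowed_prefixes: networks that may recurse."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    out = []
    for ip, s in profile(lines).items():
        addr = ipaddress.ip_address(ip)
        inside = any(addr in net for net in allowed)
        span = max((s["last"] - s["first"]).total_seconds(), 0.001)
        qps = s["n"] / span
        if s["rd"] and not inside:
            out.append((ip, "asks for recursion from outside the allowed prefixes: "
                            "deny it with an acl and allow-recursion"))
        if s["n"] >= min_queries and qps >= min_qps and s["any"] / s["n"] >= min_any_share:
            out.append((ip, f"{qps:.0f} qps, {s['any']}/{s['n']} ANY: reflection pattern, "
                            "this address is most likely the spoofed victim, not the attacker"))
    return out
```

The first kind of finding maps directly onto an acl plus allow-recursion in named.conf; the second is the situation in the post, where the flooded address is the victim, so blocking "it" helps the victim rather than stopping the attacker, and the lasting fix is to stop recursing for the world and to turn on BIND's response rate limiting (the rate-limit statement, available in 9.10 and later).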


Re: Sending extra info in bind dns query packet

2016-07-14 Thread G.W. Haywood

Hi there,

On Thu, 14 Jul 2016, Sachin Patil wrote:


I am just looking into bind and want to send extra information while
querying dns bind server. ...


Is there an echo in here?

--

73,
Ged.


RE: bind-users Digest, Vol 1727, Issue 1

2016-07-04 Thread G.W. Haywood

Hi there,

On Mon, 4 Jul 2016, Amit Kumar Gupta wrote:


[An entire digest message, which I've snipped]


It would be extremely helpful to those of us on the digest list, and
generally more polite, if you would NOT include in your posts to the
list, simply in order to save yourself the time and effort of typing
the list's address and thinking of a subject line, a complete digest
message, two and a half years old and apparently selected at random.

--

73,
Ged.


Re: Append a Hard-coded Text Tuple into Additional Section of "dig" Feature

2016-06-15 Thread G.W. Haywood

Hi there,

On Wed, 15 Jun 2016, Jun Xiang X Tee wrote:


...
I wish to append a hard-coded text tuple into end of the section. 
...


I think what you want to do sounds strange, but if I wanted to do
something like that I would not modify an existing perfectly good
utility.  I would create a new one:

8<-
#!/usr/bin/perl -w
# crazy_dig.pl: Sometimes adds crazy text to the output of dig.
use strict;
my $crazy_text = "--\nCrazy text\n--\n";
print qx |/usr/bin/dig $ARGV[0]|;
if( $ARGV[0] eq 'google.com' ) { print $crazy_text; }
# EOF: crazy_dig.pl
8<-

YMMV.

Don't do stuff like this without thinking about it Really Hard.
Probably not even then.

--

73,
Ged.


Re: installation issues

2016-05-08 Thread G.W. Haywood

Hi there,

On Sun, 8 May 2016, Rajesh M wrote:


I am getting the error "this is not a valid Win32 application".


I suspect that you've downloaded the wrong archive.  Does the .zip
file that you downloaded say 'x86' somewhere in its name?

Try

https://www.isc.org/downloads/file/bind-9-10-4/?version=win-32-bit

--

73,
Ged.


Re: *Reminder of the* L-Root IPv6 address renumbering

2016-03-22 Thread G.W. Haywood

Hi there,

On Tue, 22 Mar 2016, Bob Harold wrote:


I appreciate the announcement of the change ahead of time, but I
don't feel like it is safe to update my root hints file based on an
email ...


Hint: the 'hints' file contains hints. :)

https://deepthought.isc.org/article/AA-01309/0/Root-hints-a-collection-of-operational-and-configuration-FAQs.html

--

73,
Ged.


Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread G.W. Haywood

Hi there,

On Thu, 17 Mar 2016, Ron wrote:


... in this case it's a supplier who is unable to keeps his DNS servers
working, and we just want to keep the connectivity.


I'd just put something in /etc/hosts and send myself an email every
month or so to remind me I'd done that.

--

73,
Ged.




Re: CVE-2015-7547: getaddrinfo() stack-based buffer overflow

2016-02-17 Thread G.W. Haywood

Hi there,

On Wed, 17 Feb 2016, Dominique Jullier wrote:


Are there any thoughts around how to handle yesterday's glibc
vulnerability[1][2] from the BIND side?


This is a glibc issue, not a bind issue.  It makes no sense to attempt
to fix the problem by modifying bind.  Firstly, bind is not the only
software which may call glibc's getaddrinfo() function in a way which
could permit exploitation, and secondly, a 'sticking plaster' fix is
likely to come unstuck anyway.


Since it is a rather painful task in order to update all hosts ...


I fear that there's no alternative.

--

73,
Ged.


Re: Allow-Query=any

2016-01-07 Thread G.W. Haywood

Hi there,

On Thu, 7 Jan 2016, Reindl Harald wrote:


... when somebody wants information which exists in
the DNS he can ask for that information - unconditionally


laptop3:~$ >>> dig -t any lloyds.co.uk

; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> -t any lloyds.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21502
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lloyds.co.uk.  IN  ANY

;; ANSWER SECTION:
lloyds.co.uk.   3789    IN  HINFO   "Please stop asking for ANY" "See draft-jabley-dnsop-refuse-any"
lloyds.co.uk.   137094  IN  NS  dina.ns.cloudflare.com.
lloyds.co.uk.   137094  IN  NS  matt.ns.cloudflare.com.

;; AUTHORITY SECTION:
lloyds.co.uk.   137094  IN  NS  matt.ns.cloudflare.com.
lloyds.co.uk.   137094  IN  NS  dina.ns.cloudflare.com.

;; Query time: 54 msec
;; SERVER: 192.168.44.72#53(192.168.44.72)
;; WHEN: Thu Jan 07 20:17:18 GMT 2016
;; MSG SIZE  rcvd: 197

--

73,
Ged.


Re: bind-users Digest, Vol 2277, Issue 1

2015-12-27 Thread G.W. Haywood

Hi there,

On Sun, 27 Dec 2015, kev wrote:


I am using bind9 with Ubuntu 14.04.  I was wondering how to log by
individual IP.  I've googled it but didn't find what I was looking
for.  Thanks,


I find p0f is a very useful tool, and can be used for more than just
OS fingerprinting.

http://lcamtuf.coredump.cx/p0f3/

--

73,
Ged.


Re: Again Crashed Bind

2015-12-03 Thread G.W. Haywood

Hi there,

On Thu, 3 Dec 2015, manasa.jamuna wrote:


Bind version used is 9.6.2-P2.
Named crashed ...


No big surprise.


I did a google search ...


Did you look at the ISC Website?

https://www.isc.org/downloads/

9.6.x has been End Of Life for nearly two years.  Upgrade.

--

73,
Ged.


Re: shutting up logs

2015-05-15 Thread G.W. Haywood

Hi there,

On Fri, 15 May 2015, Reindl Harald wrote:

On 15.05.2015 at 02:01, Nick Edwards wrote:
  skipping nameserver 'ns5.concord.org' because it is a CNAME, while
  resolving '210.128-25.119.138.63.in-addr.arpa/PTR'

 I have logs grow by about 30 megs a day with pretty much only this in
 it (of course not always same remote server), how do I shut this up ?
 ...

you can't ...


You can.  If you use syslog-ng you can do anything you like, for
example you can filter messages using regular expressions.

If there wasn't a syslog-ng, I'd have to write one.

--

73,
Ged.


Re: bind-users Digest, Vol 2085, Issue 1

2015-04-07 Thread G.W. Haywood

Hi there,

On Tue, 7 Apr 2015, bind-users-requ...@lists.isc.org wrote:


Message: 1

[Snip 51 lines]

Message: 2

[Snip 75 lines]

 Message: 1

[Snip 37 lines]

 Message: 1

[Snip 45 lines]

 Message: 2

[Snip 49 lines]

 Message: 2

[Snip 16 lines]

 Message: 1

[Snip 49 lines]

 Message: 3

[Snip 95 lines]

Please guys, trim your posts.  Some of us are on the digest list.

--

73,
Ged.

