Re: getting answers from DNS queries
Yup. But if the DNS infra is under my control, then definitely the keys (which I have used for encryption) will also be with me. Am I missing something here?

Gaurav Kansal

> On 03-May-2022, at 14:40, Petr Špaček wrote:
>
> On 03. 05. 22 10:56, Gaurav Kansal wrote:
>> Or if you are ready to take some pain, then take the mirror from the network side, parse the packets and you can achieve whatever you want to do, build beautiful graphs, have reports and what not.
>> This will also help in reducing the load on your DNS node by disabling the logging completely and you can achieve high QPS.
>> One such tool which can do all for you is dnsmonster - https://github.com/mosajjal/dnsmonster . Just send mirror traffic to this and it will do everything for you.
>
> The major problem with packet mirroring and parsing is that it is unusable for encrypted transports. For that very reason I think dnstap is the way to go.
>
> --
> Petr Špaček

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: getting answers from DNS queries
Or if you are ready to take some pain, then take the mirror from the network side, parse the packets and you can achieve whatever you want to do, build beautiful graphs, have reports and what not. This will also help in reducing the load on your DNS node by disabling the logging completely and you can achieve high QPS. One such tool which can do all for you is dnsmonster - https://github.com/mosajjal/dnsmonster . Just send mirror traffic to this and it will do everything for you.

Thanks,
Gaurav Kansal

> On 25-Apr-2022, at 22:15, m3...@m3047.net wrote:
>
> More specificity would help. OTOH you mentioned the word "compile"...
>
> On Mon, 25 Apr 2022, King, Harold Clyde (Hal) via bind-users wrote:
>> I asked this last week, but I didn't get an answer. Who can I tell if a DNS query is refused or answered? Is it in the log files?
>
> Not the latest version of BIND (9.12), but here's what I get in the log:
>
> 25-Apr-2022 06:54:33.353 debug 2: fetch completed at resolver.c:4176 for time.nist.gov/A in 10.000446: timed out/success [domain:nist.gov,referral:0,restart:1,qrysent:4,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
> 25-Apr-2022 06:56:21.593 debug 2: fetch completed at resolver.c:4176 for time.nist.gov/A in 10.000430: timed out/success [domain:nist.gov,referral:0,restart:2,qrysent:10,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
>
> Here's the config for that:
>
> // Must start named with -d 2 for this to be activated,
> // otherwise it's just silent.
> channel queryerrors {
>     file "bind-query-errors.log" versions 2 size 20m;
>     severity debug 2;
>     print-category no;
>     print-severity yes;
>     print-time yes;
> };
>
> I would expect the information you seek to be available via Dnstap.
>
> --
> Fred Morris, internet plumber
Re: Logging statements w.r.t. view in Bind 9.16.18
Hi Ged,

Actually recursion is only enabled for a selected set of users, using the geoip feature of BIND. As the server is on a public IP, I have added the PUBLIC view to log the users who are scanning/attempting to connect to my server.

I hope I have explained my use case.

Thanks.

----- Original Message -----
From: bind-users@lists.isc.org
To: bind-users@lists.isc.org
Sent: Tuesday, August 24, 2021 5:37:35 PM
Subject: Re: Logging statements w.r.t. view in Bind 9.16.18

Hi there,

On Tue, 24 Aug 2021, Gaurav Kansal wrote:

> I want a clarity whether we can have individual logging statement per view basis? Whatever I found on Google, I think we can't. My use case for separate logging statement is as follows -
>
> In my recursive server, I have 2 views, one for my internal clients and one for Internet; I am running the Internet view just to catch hold of scanning IPs (type of honeypot).
>
> Syntax of 2 views are as follows -
>
> view "INTRANET" {
>     match-clients { PRIVATE.SEGMENTS; };
>     recursion yes;
> };
>
> view "PUBLIC" {
>     match-clients { any; };
>     allow-query { none; };
>     recursion no;
> };

You have recursion turned off for PUBLIC. As I understand it, the conventional wisdom is not to run recursive and non-recursive services on the same BIND instance. Would it make sense then, in your case, to run two separate instances of BIND? Separating logs is then trivial.

--
73,
Ged.
Logging statements w.r.t. view in Bind 9.16.18
Hi guys,

I want a clarity whether we can have individual logging statement per view basis? Whatever I found on Google, I think we can't. My use case for separate logging statement is as follows -

In my recursive server, I have 2 views, one for my internal clients and one for Internet; I am running the Internet view just to catch hold of scanning IPs (type of honeypot).

Syntax of 2 views are as follows -

view "INTRANET" {
    match-clients { PRIVATE.SEGMENTS; };
    recursion yes;
};

view "PUBLIC" {
    match-clients { any; };
    allow-query { none; };
    recursion no;
};

My logging config is -

channel queries {
    file "/var/log/log/queries";
    severity info;
    print-time yes;
    print-category yes;
    print-severity yes;
};
category queries { queries; };

channel query-errors {
    file "/var/log/log/query-errors" versions 5 size 20m;
    severity dynamic;
    print-time yes;
    print-category yes;
    print-severity yes;
};
category query-errors { query-errors; };

channel default {
    file "/var/log/log/default" versions 5 size 20m;
    severity info;
    print-time yes;
    print-category yes;
    print-severity yes;
};
category client { default; };
category general { default; };
category unmatched { default; };

By this config, I am getting all the query logs (for both the views) in a single file and also I am getting REFUSED statements in the query-errors category file.

I want to achieve a separate query log file for each view and don't want to log REFUSED queries (which are for the PUBLIC view) in the query-errors category. Please help how I can achieve this.

Thanks,
Gaurav Kansal

Disclaimer:
This e-mail and its attachments may contain official Indian Government information. If you are not the intended recipient, please notify the sender immediately and delete this e-mail. Any dissemination or use of this information by a person other than the intended recipient is unauthorized. The responsibility lies with the recipient to check this email and any attachment for the presence of viruses.
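BIND's logging statement is global, so one way to get per-view files is to post-process the combined log. This added script (not from the thread) splits query and query-errors lines by the "view NAME:" tag that BIND inserts when views are configured, drops the expected REFUSEDs from the PUBLIC view, and counts the refused source addresses, which is what that view exists to catch. The log lines are constructed in BIND's format, not copied from a real server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread) in the shape BIND writes
# when views are configured and print-time/print-category/print-severity
# are on: the view name sits just before "query:" / "query failed".
SAMPLE_LOG = """\
24-Aug-2021 10:01:02.123 queries: info: client @0x7f3c1c0a5e40 10.10.5.7#51234 (intranet.example.net): view INTRANET: query: intranet.example.net IN A +E(0)K (10.10.0.53)
24-Aug-2021 10:01:02.456 queries: info: client @0x7f3c1c0b1230 203.0.113.9#4444 (www.example.org): view PUBLIC: query: www.example.org IN A +E(0) (198.51.100.53)
24-Aug-2021 10:01:02.457 query-errors: info: client @0x7f3c1c0b1230 203.0.113.9#4444 (www.example.org): view PUBLIC: query failed (REFUSED) for www.example.org/IN/A at query.c:8402
24-Aug-2021 10:01:03.010 queries: info: client @0x7f3c1c0b1230 203.0.113.9#4445 (version.bind): view PUBLIC: query: version.bind CH TXT +E(0) (198.51.100.53)
24-Aug-2021 10:01:03.011 query-errors: info: client @0x7f3c1c0b1230 203.0.113.9#4445 (version.bind): view PUBLIC: query failed (REFUSED) for version.bind/CH/TXT at query.c:8402
24-Aug-2021 10:01:04.200 queries: info: client @0x7f3c1c0c9990 198.51.100.77#53001 (example.com): view PUBLIC: query: example.com IN ANY +E(0) (198.51.100.53)
24-Aug-2021 10:01:04.201 query-errors: info: client @0x7f3c1c0c9990 198.51.100.77#53001 (example.com): view PUBLIC: query failed (REFUSED) for example.com/IN/ANY at query.c:8402
24-Aug-2021 10:01:05.001 queries: info: client @0x7f3c1c0d0001 10.10.5.8#40000 (broken.example.net): view INTRANET: query: broken.example.net IN A +E(0)K (10.10.0.53)
24-Aug-2021 10:01:05.900 query-errors: info: client @0x7f3c1c0d0001 10.10.5.8#40000 (broken.example.net): view INTRANET: query failed (SERVFAIL) for broken.example.net/IN/A at query.c:8402
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<category>[\w-]+): (?P<severity>\w+): "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\S+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"view (?P<view>[^:]+): (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"^query failed \((?P<rcode>\w+)\)")


def parse_line(line):
    """Return view, client IP, qname, category and rcode (None for a plain
    query line), or None for lines without a view tag such as the
    "fetch completed" debug lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    f = FAILED_RE.match(rec["msg"])
    rec["rcode"] = f.group("rcode") if f else None
    return rec


def split_by_view(lines):
    """Group raw log lines by the view that handled the query; lines with
    no view tag land in a "(no view)" bucket rather than being lost."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        buckets[rec["view"] if rec else "(no view)"].append(line)
    return dict(buckets)


def filter_query_errors(lines, drop=(("PUBLIC", "REFUSED"),)):
    """Keep query-errors lines except the (view, rcode) pairs in `drop`.
    By default the expected REFUSEDs from the PUBLIC view go, while e.g. a
    SERVFAIL in the INTRANET view, which is worth investigating, stays."""
    dropped = set(drop)
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["category"] != "query-errors":
            continue
        if (rec["view"], rec["rcode"]) in dropped:
            continue
        kept.append(line)
    return kept


def refused_clients(lines, view="PUBLIC"):
    """Count source IPs refused in the given view: the scanners the
    PUBLIC view was set up to catch."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["view"] == view and rec["rcode"] == "REFUSED":
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for view, entries in split_by_view(lines).items():
        print(f"{view}: {len(entries)} lines")
    print("query-errors worth keeping:", filter_query_errors(lines))
    print("refused clients:", refused_clients(lines).most_common())
```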
Re: Does BIND supports ANAME RR
Ok. Thanks a lot.

Sent from my iPhone

> On 07-Aug-2021, at 11:51 PM, Ondřej Surý wrote:
>
> Hi,
>
> no, ANAME is a dead standard and it has been replaced by HTTPS SVCB:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
>
> The support for the draft is in review and it will be merged some time this year.
>
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
>> On 7. 8. 2021, at 19:33, Gaurav Kansal wrote:
>>
>> Hi guys,
>>
>> I need help in figuring out whether BIND supports ANAME? If yes, then from which version onwards?
>>
>> Use case of ANAME RR is explained here - https://www.isc.org/blogs/cname-at-the-apex-of-a-zone/
>>
>> Thanks.
>> Gaurav Kansal
Does BIND supports ANAME RR
Hi guys,

I need help in figuring out whether BIND supports ANAME? If yes, then from which version onwards?

Use case of ANAME RR is explained here - https://www.isc.org/blogs/cname-at-the-apex-of-a-zone/

Thanks.
Gaurav Kansal
Re: No logging of failed queries
Hi Mark,

Is there a way by which we can log the denied statement w.r.t. view somewhere in logging?

Regards,
Gaurav

On 14/04/21 1:48 am, ma...@isc.org wrote:

> Real world configurations would have a catch all view after the more specific views. Add one.
>
> --
> Mark Andrews
>
>> On 13 Apr 2021, at 22:41, Sachchidanand Upadhyay via bind-users wrote:
>>
>> Hi,
>>
>> I am using bind's geoip feature, created one ACL to allow country IN. I am not getting logs of a failed query if the client IP is other than country IN. Rest all is working fine, getting logs of successful queries. Below find the config details:
>>
>> BIND 9.16.13 (Stable Release)
>> running on Linux x86_64 3.10.0-1160.24.1.el7.x86_64 #1 SMP Thu Apr 8 19:51:47 UTC 2021
>> built by make with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--mandir=/usr/share/man' '--with-libtool=/usr/lib64' '--disable-static' '--with-maxminddb'
>> compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
>> compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
>> linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
>> compiled with libuv version: 1.41.0
>> linked to libuv version: 1.41.0
>> compiled with zlib version: 1.2.7
>> linked to zlib version: 1.2.7
>> linked to maxminddb version: 1.2.0
>> threads support is enabled
>>
>> default paths:
>>   named configuration: /etc/named.conf
>>   rndc configuration: /etc/rndc.conf
>>   DNSSEC root key: /etc/bind.keys
>>   nsupdate session key: /var/run/named/session.key
>>   named PID file: /var/run/named/named.pid
>>   named lock file: /var/run/named/named.lock
>>   geoip-directory: /usr/share/GeoIP
>>
>> acl "test" { geoip country IN; };
>>
>> options {
>>     geoip-directory "path to geo db";
>>
>> view "local" {
>>     match-clients { test; };
>>     recursion yes;
>>
>> channel queries {
>>     file "/var/log/queries";
>>     print-time yes;
>>     print-category yes;
>>     print-severity yes;
>> };
>> category queries { queries; };
>>
>> channel security {
>>     file "/var/log/security";
>>     print-time yes;
>>     print-category yes;
>>     print-severity yes;
>> };
>> category security { queries; };
>>
>> channel query-errors {
>>     file "/var/log/query-errors";
>>     print-time yes;
>>     print-category yes;
>>     print-severity yes;
>> };
>> category query-errors { query-errors; };
>>
>> BR,
>> Sachchidanand

--
Thanks and Regards,
Gaurav Kansal
+91-9910118448
Re: Reg - zone data of in-addr.arpa and ip6.arpa
Thank you so much Anand.

On 12/12/20 6:25 pm, ana...@ripe.net wrote:

> Hi Gaurav,
>
> You can transfer the "in-addr.arpa" and "ip6.arpa" zones from these servers:
>
> iad.xfr.dns.icann.org
> lax.xfr.dns.icann.org
>
> For the full list of zones provided by ICANN, check out this page:
> https://www.dns.icann.org/services/axfr/
>
> Regards,
> Anand
>
> On 12/12/2020 13:39, Gaurav Kansal wrote:
>> Hello folks,
>>
>> Like the way the Root zone file is available here <https://www.internic.net/domain/root.zone>, do we have the zone files of "in-addr.arpa" and "ip6.arpa" available in the public domain? I found some data here <ftp://ftp.apnic.net/pub/zones/>, but I am looking for the whole zone file at a single place.

--
Thanks and Regards,
Gaurav Kansal
+91-9910118448
Reg - zone data of in-addr.arpa and ip6.arpa
Hello folks,

Like the way the Root zone file is available here <https://www.internic.net/domain/root.zone>, do we have the zone files of "in-addr.arpa" and "ip6.arpa" available in the public domain? I found some data here <ftp://ftp.apnic.net/pub/zones/>, but I am looking for the whole zone file at a single place.

--
Thanks and Regards,
Gaurav Kansal
+91-9910118448
Re: Peculiar DNS queries
Sent from my iPhone

> On 22-Dec-2019, at 11:02 PM, h.rei...@thelounge.net wrote:
>
>> On 22.12.19 at 18:28, Paul Kosinski via bind-users wrote:
>> Every so often, we get a run of peculiar queries to our (BIND / named) DNS server. Note the apparently random mix of lower case and upper case letters in the domain names.
>>
>> Does anybody have any idea why somebody would be doing this? (It's legal, I guess, but quite non-standard.)
>>
>> Dec 22 12:05:43 iment0 named[10333]: client 134.0.217.68#20012 (Www.IMent.coM): query: Www.IMent.coM IN -E (216.55.100.246)
>> Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.54#53150 (Www.iMent.Com): query: Www.iMent.Com IN -E (216.55.100.246)
>> Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.53#27016 (WWw.imENT.cOm): query: WWw.imENT.cOm IN A -E (216.55.100.245)
>> Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.69#23417 (WWw.IMeNt.cOM): query: WWw.IMeNt.cOM IN A -E (216.55.100.245)
>
> because it's some idiotic bot, typical network noise

No. Not because of a bot. It’s a technique to provide additional “spoof detection” capabilities to the DNS service.

> [harry@srv-rhsoft:~]$ whois 216.55.100.246
> NetRange:       216.55.96.0 - 216.55.111.255
> CIDR:           216.55.96.0/20
> NetName:        SMSV-BLK-1
> NetHandle:      NET-216-55-96-0-1
> Parent:         NET216 (NET-216-0-0-0-0)
> NetType:        Direct Allocation
> OriginAS:
> Organization:   Smart Servers (SMSV)
Re: Peculiar DNS queries
This is a “spoofing resistance” technique. For more info, check “0x20 Bit Encoding”.

Sent from my iPhone

> On 22-Dec-2019, at 10:59 PM, bind-users@lists.isc.org wrote:
>
> Every so often, we get a run of peculiar queries to our (BIND / named) DNS server. Note the apparently random mix of lower case and upper case letters in the domain names.
>
> Does anybody have any idea why somebody would be doing this? (It's legal, I guess, but quite non-standard.)
>
> Dec 22 12:05:43 iment0 named[10333]: client 134.0.217.68#20012 (Www.IMent.coM): query: Www.IMent.coM IN -E (216.55.100.246)
> Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.54#53150 (Www.iMent.Com): query: Www.iMent.Com IN -E (216.55.100.246)
> Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.53#27016 (WWw.imENT.cOm): query: WWw.imENT.cOm IN A -E (216.55.100.245)
> Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.69#23417 (WWw.IMeNt.cOM): query: WWw.IMeNt.cOM IN A -E (216.55.100.245)
>
> Thanks,
> Paul Kosinski
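An added example (not code from the thread) of what the reply means by 0x20 encoding: the case of every letter in the query name carries one extra bit that a forger has to guess, and the resolver accepts an answer only if the question name comes back case-identical. It also runs a triage pass over the four log lines Paul posted. The seeded generator and the mixed-case heuristic are my own simplifications; a real resolver derives the case bits from a secret.

```python
import random
import re

# The four query-log lines quoted in the thread (copied as posted; the
# record type is missing from the first two in the original).
LOG_LINES = """\
Dec 22 12:05:43 iment0 named[10333]: client 134.0.217.68#20012 (Www.IMent.coM): query: Www.IMent.coM IN -E (216.55.100.246)
Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.54#53150 (Www.iMent.Com): query: Www.iMent.Com IN -E (216.55.100.246)
Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.53#27016 (WWw.imENT.cOm): query: WWw.imENT.cOm IN A -E (216.55.100.245)
Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.69#23417 (WWw.IMeNt.cOM): query: WWw.IMeNt.cOM IN A -E (216.55.100.245)
"""

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\S+)#(?P<port>\d+) \((?P<qname>[^)]*)\): query: "
)


def encode_0x20(name: str, seed: int) -> str:
    """Randomise the case of every ASCII letter (bit 0x20 of the byte),
    leaving digits, dots and hyphens alone. The seed exists only so the
    example is reproducible; a resolver would use a keyed hash or CSPRNG."""
    rng = random.Random(seed)
    out = []
    for ch in name:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def case_bits(name: str) -> int:
    """Letters in the name = extra bits a spoofer must guess on top of the
    16-bit transaction ID and the source port."""
    return sum(1 for ch in name if ch.isascii() and ch.isalpha())


def response_accepted(sent_qname: str, answer_qname: str) -> bool:
    """The 0x20 check: an authoritative server copies the question section
    byte for byte, so the QNAME in the answer must equal the sent one
    case-sensitively. A forgery built from the lower-cased name, or any
    wrong guess of the pattern, is discarded."""
    return sent_qname.encode("utf-8") == answer_qname.encode("utf-8")


def looks_0x20_encoded(qname: str) -> bool:
    """Log-triage heuristic: mixed case inside a name nobody would type by
    hand (Www.IMent.coM) is the signature of a 0x20-enabled client."""
    letters = [c for c in qname if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)


def triage(log_text: str):
    """Parse query-log lines into (client IP, qname, looks-0x20) rows so an
    operator can separate resolvers protecting themselves from scanners."""
    rows = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            rows.append((m["ip"], m["qname"], looks_0x20_encoded(m["qname"])))
    return rows


if __name__ == "__main__":
    sent = encode_0x20("www.iment.com", seed=20191222)
    print("sent:", sent, "extra bits:", case_bits(sent))
    print("genuine echo accepted:", response_accepted(sent, sent))
    print("lower-cased forgery accepted:", response_accepted(sent, sent.lower()))
    for ip, qname, enc in triage(LOG_LINES):
        print(f"{ip:15} {qname:15} 0x20={enc}")
```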
Reg - query-errors for some domains
Dear All,

I am getting query-errors for some of the domains from my IPv6 resolver server. The server is running Bind-9.11.3.

Sample logs for www.cisco.com are as follows -

12-Apr-2018 16:39:22.877 query-errors: info: client @0x7fd700bba280 2001:4408:5226:163::1e2#65525 (www.cisco.com): view intranet: query failed (SERVFAIL) for www.cisco.com/IN/A at query.c:8402
12-Apr-2018 16:39:22.877 query-errors: debug 2: fetch completed at resolver.c:3927 for www.cisco.com.akadns.net/A in 10.000196: timed out/success [domain:akadns.net,referral:0,restart:2,qrysent:9,timeout:8,lame:0,quota:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
12-Apr-2018 16:39:22.878 query-errors: info: client @0x7fd6ee6abc30 2001:4408:5226:163::1e2#65527 (www.cisco.com): view intranet: query failed (SERVFAIL) for www.cisco.com/IN/A at query.c:8402
12-Apr-2018 16:39:24.871 query-errors: info: client @0x7fd6eee29550 2001:4408:5226:163::1e2#65526 (www.cisco.com): view intranet: query failed (SERVFAIL) for www.cisco.com/IN/ at query.c:8402
12-Apr-2018 16:39:24.872 query-errors: debug 2: fetch completed at resolver.c:3927 for www.cisco.com.akadns.net/ in 10.000170: timed out/success [domain:akadns.net,referral:0,restart:2,qrysent:9,timeout:8,lame:0,quota:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
12-Apr-2018 16:39:24.872 query-errors: info: client @0x7fd710245a30 2001:4408:5226:163::1e2#65528 (www.cisco.com): view intranet: query failed (SERVFAIL) for www.cisco.com/IN/ at query.c:8402
12-Apr-2018 16:40:07.496 query-errors: info: client @0x7fd6ee1fb730 2001:4408:5600:32::1c4#59807 (cloud-ec-asn.amp.cisco.com): view intranet: query failed (SERVFAIL) for cloud-ec-asn.amp.cisco.com/IN/A at query.c:8402
12-Apr-2018 16:40:07.496 query-errors: debug 2: fetch completed at resolver.c:3927 for cloud-ec-asn.amp.cisco.com/A in 10.000162: timed out/success [domain:amp.cisco.com,referral:0,restart:3,qrysent:13,timeout:12,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Someone please explain what the issue is.

--
Thanks and Regards,
Gaurav Kansal
+91-9910118448
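An added parser (not from the thread) for the "fetch completed" debug lines quoted here and in the "getting answers from DNS queries" thread above: it unpacks the bracketed counters and reads them the way an operator would, e.g. timeout:8 out of qrysent:9 for akadns.net points at the path to that zone's servers rather than at BIND itself. The 10 s fetch timeout used for the "ran the whole timeout" finding is assumed from the elapsed values in the logs.

```python
import re
from collections import Counter

# Three "fetch completed" lines as posted in this thread, plus the 9.12
# one from the "getting answers from DNS queries" thread.
SAMPLE = """\
12-Apr-2018 16:39:22.877 query-errors: debug 2: fetch completed at resolver.c:3927 for www.cisco.com.akadns.net/A in 10.000196: timed out/success [domain:akadns.net,referral:0,restart:2,qrysent:9,timeout:8,lame:0,quota:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
12-Apr-2018 16:39:24.872 query-errors: debug 2: fetch completed at resolver.c:3927 for www.cisco.com.akadns.net/ in 10.000170: timed out/success [domain:akadns.net,referral:0,restart:2,qrysent:9,timeout:8,lame:0,quota:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
12-Apr-2018 16:40:07.496 query-errors: debug 2: fetch completed at resolver.c:3927 for cloud-ec-asn.amp.cisco.com/A in 10.000162: timed out/success [domain:amp.cisco.com,referral:0,restart:3,qrysent:13,timeout:12,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
25-Apr-2022 06:54:33.353 debug 2: fetch completed at resolver.c:4176 for time.nist.gov/A in 10.000446: timed out/success [domain:nist.gov,referral:0,restart:1,qrysent:4,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

# The record type may be empty in the posted lines (extraction dropped it),
# hence \S* rather than \S+ for rtype.
FETCH_RE = re.compile(
    r"fetch completed at (?P<where>\S+) for (?P<name>\S+)/(?P<rtype>\S*) "
    r"in (?P<elapsed>[\d.]+): (?P<result>.*?) \[(?P<counters>[^\]]*)\]"
)


def parse_fetch_completed(line):
    """Split one line into name/type, elapsed seconds, result text, the
    delegated domain and the integer counters; None if not a fetch line."""
    m = FETCH_RE.search(line)
    if not m:
        return None
    rec = {"where": m["where"], "name": m["name"], "rtype": m["rtype"] or "?",
           "elapsed": float(m["elapsed"]), "result": m["result"],
           "domain": None, "counters": {}}
    for item in m["counters"].split(","):
        key, _, value = item.partition(":")
        if key == "domain":
            rec["domain"] = value
        else:
            rec["counters"][key] = int(value)
    return rec


def diagnose(rec, fetch_timeout=10.0):
    """Turn the counters into operator-readable findings. fetch_timeout is
    the assumed resolver fetch limit in seconds."""
    c = rec["counters"]
    findings = []
    if c.get("timeout", 0):
        sent = max(c.get("qrysent", 1), 1)
        findings.append(
            f"{c['timeout']}/{sent} queries to the {rec['domain']} servers timed out "
            f"({c['timeout'] / sent:.0%}): check the path to those servers "
            f"(e.g. IPv6 reachability, firewall) rather than the zone itself")
    if c.get("adberr", 0):
        findings.append(f"adberr={c['adberr']}: no usable address could be obtained "
                        f"for some {rec['domain']} name servers")
    if c.get("valfail", 0):
        findings.append("valfail>0: DNSSEC validation of the answer failed")
    if c.get("badresp", 0) or c.get("lame", 0):
        findings.append("bad or lame responses were received from some servers")
    if rec["elapsed"] >= fetch_timeout:
        findings.append(f"fetch ran {rec['elapsed']:.3f}s, the whole fetch timeout, before giving up")
    if not findings:
        findings.append("no failure counters set")
    return findings


def summarize(log_text):
    """Count failed fetches per delegated domain so the noisy ones stand out."""
    by_domain = Counter()
    for line in log_text.splitlines():
        rec = parse_fetch_completed(line)
        if rec:
            by_domain[rec["domain"]] += 1
    return by_domain


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        rec = parse_fetch_completed(line)
        print(f"{rec['name']}/{rec['rtype']} via {rec['domain']}:")
        for finding in diagnose(rec):
            print("  -", finding)
    print("failed fetches per domain:", summarize(SAMPLE).most_common())
```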
Re: Automatic . NS queries from BIND
In case I have my hint file in the BIND configuration and it also has its hard-coded one, who will get the priority? Means which file will be used by BIND for getting responses from root?

Sent by kansal's device.

On Wed, Jun 17, 2015 at 7:17 AM -0700, Anand Buddhdev ana...@ripe.net wrote:

> On 17/06/15 15:00, Matus UHLAR - fantomas wrote:
>
> Hi Matus,
>
>> well, the hard-coded hints file changes whenever new BIND release gets out, while the bundled hints file may be updated by packagers or manually.
>> I'd say that the bundled hints file is likely to be newer than the hard-coded one.
>
> Root name server addresses don't change that often. If you don't keep your version of BIND up to date, the worst that will happen is that you have slightly out-of-date built-in hints. Assuming one of the root name servers had changed its address in the meantime, the practical effect of this is that upon startup, your BIND resolver's priming query has a 1 in 24 chance of timing out. If this happens, it will just try another address and succeed, and all will be well after that.
>
> This is why I prefer to depend on the built-in hints in BIND (and Unbound too, but that's off-topic), instead of the hassle of installing and maintaining a separate hints file. It just seems quite pointless.
>
> Finally, let me add that if memory serves me correctly, ISC recommends the use of built-in hints these days.
>
> Regards,
> Anand
RE: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA
I am getting trace failure just at the last step :-

Tracing the route to 2001:500:2f::f
  1 2403:0:400::115    3 msec  2 msec  1 msec
  2 2001:de8:1:2::1   43 msec 43 msec 40 msec
  3 2001:de8:1:2::1   40 msec 43 msec 39 msec
  4 2001:de8:1:2::3   44 msec 44 msec 45 msec
  5 * * *
  6 * * *
  7 * * *

May be ISC guys can help me out in this, as they are managing the F.

Regards,
Gaurav Kansal

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Stuart Browne
Sent: Tuesday, June 16, 2015 5:05 AM
Cc: bind-users@lists.isc.org
Subject: RE: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA

From a NL Ring node in India:

ausregistry@hostvirtual01:~$ mtr 2001:500:2f::f
                             My traceroute  [v0.81]
hostvirtual01.ring.nlnog.net (::)                     Mon Jun 15 23:29:29 2015
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                         Packets               Pings
 Host                          Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 2403:2500:4000::1           0.0%    14    0.3   0.4   0.3   0.5   0.1
 2. 2401:8800:810:2::1          0.0%    14    2.2   1.5   0.6   2.3   0.6
 3. 2401:8800:800:201::1        0.0%    14    0.8   1.4   0.4   2.4   0.6
 4. 2404:a800:2:1e::1c:1        0.0%    14    3.5   2.0   1.3   3.5   0.7
 5. 2404:a800:2:c003::1         0.0%    14    7.1   6.5   4.5   9.4   1.6
 6. 2001:de8:1:2::1             0.0%    14    2.6   2.6   2.1   3.4   0.3
 7. 2001:de8:1:2::3             0.0%    13    3.7   2.8   2.2   3.8   0.6
 8. f.root-servers.net          0.0%    13    3.2   3.0   2.1   4.0   0.6

'dig' et al work for one-off testing. I am getting inconsistent results from doing lots of requests (occasional ';; Truncated, retrying in TCP mode.', but that's probably flood protection from testing too quickly).

All responses I get are from nsid:

; NSID: 6d 61 61 31 62 2e 66 2e 72 6f 6f 74 2d 73 65 72 76 65 72 73 2e 6f 72 67 (m) (a) (a) (1) (b) (.) (f) (.) (r) (o) (o) (t) (-) (s) (e) (r) (v) (e) (r) (s) (.) (o) (r) (g)

--
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of gaurav.kan...@nic.in
Sent: Tuesday, 16 June 2015 2:58 AM
To: war...@kumari.net
Cc: bind-users@lists.isc.org
Subject: Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA

I am trying to telnet (port 53)/ping/dig on the 2001:500:2F::F address. Src address is 2405:8a00::/32. Trace is blocked at the firewall end. If needed I will try to get the same.

Regards,
Gaurav Kansal

STUART BROWNE
Senior Unix Administrator, Network Administrator, Database Admin
P +61 9866 3710
www.bomboratech.com.au
Follow us on https://twitter.com/BomboraTech

The Bombora Technologies group of companies includes AusRegistry, ARI Registry Services, AusRegistry International and ZOAK Solutions. The information contained in this communication is intended for the named recipients only. It is subject to copyright and may contain legally privileged and confidential information and if you are not an intended recipient you must not use, copy, distribute or take any action in reliance on it. If you have received this communication in error, please delete all copies from your system and notify us immediately.
Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA
Dear All,

I am not able to query over IPv6 from F.ROOT-SERVERS.NET from India. The F Root server instance is hosted in NIXI in India.

Can anyone connected to an Indian ISP check the same and let me know whether the issue is only with my network or for all NIXI connected users.

Regards,
Gaurav Kansal
Automatic . NS queries from BIND
Dear Team,

My caching DNS server is generating a lot of "." NS queries to the root servers. I have a hint file in my BIND configuration and it is up to date. The same behaviour occurs in multiple versions of BIND (tested on 9.7, 9.9 and 9.10). It must be for some purpose (maybe BIND doesn't trust the hint file and cross-checks it with the root servers). Can anyone shed some light on this?

Sample tcpdump output:

15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain: 38907 [1au] NS? . (28)
15:36:43.241203 IP anydnsmby.52261 > f.root-servers.net.domain: 3841 [1au] NS? . (28)
15:36:43.624041 IP anydnsmby.48889 > k.root-servers.net.domain: 6314 [1au] NS? . (28)
15:36:44.424047 IP anydnsmby.65507 > c.root-servers.net.domain: 27973 [1au] NS? . (28)
15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain: 53519 [1au] NS? 117.240.177.150. (44)
15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain: 62400 [1au] NS? 1.mr. (33)
15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain: 54241+ [1au] NS? . (28)
15:45:59.341780 IP anydnsmby.34368 > e.root-servers.net.domain: 55928+ [1au] NS? . (28)
15:46:04.487088 IP anydnsmby.35621 > e.root-servers.net.domain: 7266+ [1au] NS? . (28)
15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain: 4129 [1au] NS? comp-HP. (36)
16:16:13.747955 IP anydnsmby.39690 > a.root-servers.net.domain: 8774+ [1au] NS? . (28)
16:16:20.845363 IP anydnsmby.36994 > e.root-servers.net.domain: 63433+ [1au] NS? . (28)
16:16:36.746049 IP anydnsmby.42878 > a.root-servers.net.domain: 48439+ [1au] NS? . (28)
16:16:42.060534 IP anydnsmby.41018 > j.root-servers.net.domain: 5347+ [1au] NS? . (28)
16:16:49.081649 IP anydnsmby.53661 > e.root-servers.net.domain: 54768+ [1au] NS? . (28)
16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain: 52771 [1au] NS? 116.73.202.141. (43)
16:51:14.835539 IP anydnsmby.19616 > i.root-servers.net.domain: 14926 [1au] NS? 116.73.202.141. (43)
17:25:16.706395 IP anydnsmby.58045 > i.root-servers.net.domain: 30880 [1au] NS? 2.mr. (33)
17:25:16.707072 IP anydnsmby.38495 > i.root-servers.net.domain: 43451 [1au] NS? 6.mr. (33)
17:25:16.707989 IP anydnsmby.35834 > i.root-servers.net.domain: 61843 [1au] NS? 3.mr. (33)
17:56:44.855060 IP anydnsmby.61903 > a.root-servers.net.domain: 23284 [1au] NS? 172.192.168.2. (42)

Regards,
Gaurav Kansal
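The "." NS queries in the capture above are root priming: a resolver uses the hints file only to find a root server to ask, then fetches the live root NS set from the roots themselves (RFC 8109). The other names in the same capture (IPv4 addresses written as host names, bare single-label names) are client lookups that leaked out to the roots. The script below is an added example, not part of the thread or of BIND, that parses lines in the tcpdump format shown above and separates priming queries from leaked junk so the two can be trended separately; the sample capture is constructed from a subset of the post's lines and the `anydnsmby` hostname is the poster's resolver.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump format quoted in the post above
# (hostname, query IDs and sizes are copied from the post; a subset of lines).
SAMPLE_TCPDUMP = """\
15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain: 38907 [1au] NS? . (28)
15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain: 53519 [1au] NS? 117.240.177.150. (44)
15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain: 62400 [1au] NS? 1.mr. (33)
15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain: 54241+ [1au] NS? . (28)
15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain: 4129 [1au] NS? comp-HP. (36)
16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain: 52771 [1au] NS? 116.73.202.141. (43)
17:56:44.855060 IP anydnsmby.61903 > a.root-servers.net.domain: 23284 [1au] NS? 172.192.168.2. (42)
"""

# One tcpdump DNS query line: time, "IP src > dst:", query id with optional flag
# characters, the bracketed EDNS blurb, then "QTYPE? qname (len)".
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<flags>[+*%$-]*) (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)
IPV4_LITERAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\.?$")


def parse_line(line):
    """Return the fields of one tcpdump query line, or None if it is not a DNS query."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_query(qname, qtype):
    """Label a query that was sent to a root server.

    'priming'    - NS for '.', the resolver refreshing its root NS set (RFC 8109);
    'ip-literal' - the QNAME is an IPv4 address written as a host name, a junk
                   lookup relayed from a client that should never reach the roots;
    'other'      - an ordinary iterative lookup that needs a referral from the roots.
    """
    if qname == "." and qtype == "NS":
        return "priming"
    if IPV4_LITERAL_RE.match(qname):
        return "ip-literal"
    return "other"


def summarize_root_traffic(text):
    """Count query classes and per-root-server totals over a tcpdump capture."""
    by_class, by_root = Counter(), Counter()
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        by_class[classify_query(fields["qname"], fields["qtype"])] += 1
        root = fields["dst"].split(".")[0]  # "k.root-servers.net.domain" -> "k"
        by_root[root] += 1
    return {"by_class": dict(by_class), "by_root": dict(by_root)}


if __name__ == "__main__":
    print(summarize_root_traffic(SAMPLE_TCPDUMP))
```

Run against a longer capture, a steady trickle of `priming` entries is expected and harmless, while a growing `ip-literal` count points at clients (or a forwarder) sending garbage that the resolver cannot answer from cache.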
Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA
I am trying to telnet (port 53)/ping/dig to the 2001:500:2F::F address. The source address is in 2405:8a00::/32. Traceroute is blocked at the firewall end; if needed I will try to get it.

Regards,
Gaurav Kansal
Sent by kansal's device.

From: Warren Kumari
Sent: Monday, June 15, 6:54 PM
Subject: Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA
To: Gaurav Kansal
Cc: bind-users@lists.isc.org

> On Mon, Jun 15, 2015 at 8:41 AM, Gaurav Kansal wrote:
>> Dear All,
>> I am not able to query F.ROOT-SERVERS.NET over IPv6 from India. The F Root server instance is hosted at NIXI in India.
>
> I just wanted to confirm - you are trying to ping 2001:4f8:0:2::69, yes? What IP / subnet would you be coming from? Also, can you provide a traceroute?
> W
>
>> Can anyone connected to an Indian ISP check the same and let me know whether the issue is only with my network or for all NIXI-connected users.
>> Regards,
>> Gaurav Kansal
>
> --
> I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
> ---maf
Issue in calling same zone in more than one VIEW
Dear Team,

I am running BIND version 9.10.2 on CentOS with roughly 500 domains, and for most of them I am a slave server. For a few of them I have different zone files based on the Internal and External view, and for the rest I am using a single file for both views. This configuration was working fine until BIND version 9.9.5, but yesterday I updated to 9.10.2 and I am facing the following error:

May 29 12:43:58 NKN-IPV6-DNS named[17727]: /var/named/zonedata/gov-zone.data:3: writeable file 'govdomains/xyz.gov.in.fwd': already in use: /var/named/zonedata/gov-zone.data:3

This is happening because I am calling the same zone file in both views. Please help me out with what I should do to get rid of this issue.

Thanks and Regards,
Gaurav Kansal
RE: Issue in calling same zone in more than one VIEW
Thanks for the information.

Is there any other way by which I can define the zones (which are the same for all views) outside the views, or anything else by which I don't need to replicate the file for all the views?

Regards,
Gaurav Kansal

-Original Message-
From: Niall O'Reilly [mailto:niall.orei...@ucd.ie]
Sent: Friday, May 29, 2015 1:48 PM
To: Gaurav Kansal
Cc: bind-users@lists.isc.org
Subject: Re: Issue in calling same zone in more than one VIEW

> On Fri, 29 May 2015 08:23:55 +0100, Gaurav Kansal wrote:
>> Dear Team,
>> I am running BIND version 9.10.2 on CentOS with roughly 500 domains, and for most of them I am a slave server. For a few of them I have different zone files based on the Internal and External view, and for the rest I am using a single file for both views. This configuration was working fine until BIND version 9.9.5
>
> As I understand, this configuration was never supported. Each instance (view) of a slave server needs a private file in which to write zone data transferred from the master. Having multiple instances use the same file means that they may over-write each other's work. Managing this contention was never a design feature.
>
>> but yesterday I updated to 9.10.2 and I am facing the following error.
>> May 29 12:43:58 NKN-IPV6-DNS named[17727]: /var/named/zonedata/gov-zone.data:3: writeable file 'govdomains/xyz.gov.in.fwd': already in use: /var/named/zonedata/gov-zone.data:3
>
> The new version now gives an error message in case you use this kind of unsupported configuration.
>
>> This is happening because I am calling the same zone file in both views. Please help me out with what I should do to get rid of this issue.
>
> You need to use as many copies of each zone file as you have views needing to write to it.
>
> Best regards,
> Niall O'Reilly
RE: Issue in calling same zone in more than one VIEW
> From 9.10.0 there is a new zone type 'in-view'. From the release notes:
>
> The new in-view zone option allows zone data to be shared between views, so that multiple views can serve the same zones authoritatively without storing multiple copies in memory. [RT #32968]
>
> I think this will do what you want (apologies for the scant documentation about it)

Thanks Cathy. It will help me a lot.

Actually I had added the zone definitions of all my zones (roughly 500) in one file and included the same file in both views. Now I have to create 2 files with different zone definitions (one containing the definitions and the second one containing the 'in-view' parameter). I know that this is not at all tough, but I just need to know if I can use the same file for inclusion in both views (by any means).

Regards,
Gaurav Kansal
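The two include files described above (one with the real slave zone statements for the view that owns the data, one with `in-view` references for every other view) are mechanical to produce from a zone list, so the script below generates both. It is an added example, not code from the thread or from ISC; the zone names, the `govdomains/` file directory and `.fwd` suffix follow the poster's error message, the master address `192.0.2.10` is a documentation-range placeholder, and the view name `internal` is assumed. Zone names are validated before they are interpolated so that a name coming from a customer database cannot carry `"`, `;` or braces into named.conf. `named` requires the view that loads the zone to be defined before the views that reference it with `in-view`.

```python
import ipaddress
import re

ZONE_NAME_RE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\.?")
VIEW_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def safe_zone_name(name):
    """Accept only plain host-name characters so a zone list taken from a
    database or a customer form cannot inject '"', ';' or braces into named.conf."""
    if not ZONE_NAME_RE.fullmatch(name):
        raise ValueError(f"refusing to emit zone name {name!r}")
    return name.rstrip(".").lower()


def render_slave_zone(name, masters, file_dir="govdomains", suffix=".fwd"):
    """A conventional slave zone with its own writeable file (one per owning view)."""
    name = safe_zone_name(name)
    # ipaddress.ip_address() raises on anything that is not an address literal.
    addrs = " ".join(f"{ipaddress.ip_address(m)};" for m in masters)
    return (f'zone "{name}" {{\n'
            f'\ttype slave;\n'
            f'\tfile "{file_dir}/{name}{suffix}";\n'
            f'\tmasters {{ {addrs} }};\n'
            f'}};\n')


def render_in_view_zone(name, owning_view):
    """Reference the copy already loaded in owning_view instead of a second file."""
    name = safe_zone_name(name)
    if not VIEW_NAME_RE.fullmatch(owning_view):
        raise ValueError(f"refusing to emit view name {owning_view!r}")
    return f'zone "{name}" {{\n\tin-view "{owning_view}";\n}};\n'


def render_include_files(zones, masters, owning_view):
    """Return (text for the owning view's include file, text for the other views' file).

    The owning view must appear before the referencing views in named.conf.
    """
    own = "".join(render_slave_zone(z, masters) for z in zones)
    shared = "".join(render_in_view_zone(z, owning_view) for z in zones)
    return own, shared


if __name__ == "__main__":
    # Constructed zone list; 192.0.2.10 is a documentation-range placeholder master.
    own, shared = render_include_files(["xyz.gov.in", "abc.gov.in"], ["192.0.2.10"], "internal")
    print(own)
    print(shared)
```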
Querying regarding ADDITIONAL records in named
Dear Team,

While querying through the dig utility, I am getting ADDITIONAL: 3 in the Header section while I am only getting 2 additional records.

C:\Users\Kansal>dig ns3.nkn.in @ns1.nkn.in

; <<>> DiG 9.10.1 <<>> ns3.nkn.in @ns1.nkn.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17302
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns3.nkn.in.   IN

;; ANSWER SECTION:
ns3.nkn.in.   300   IN   2405:8a00:1000::2

;; AUTHORITY SECTION:
nkn.in.   300   IN   NS   ns2.nkn.in.
nkn.in.   300   IN   NS   ns1.nkn.in.
nkn.in.   300   IN   NS   ns3.nkn.in.

;; ADDITIONAL SECTION:
ns1.nkn.in.   300   IN   A   180.149.63.3
ns2.nkn.in.   300   IN   A   180.149.63.66

;; Query time: 6 msec
;; SERVER: 180.149.63.3#53(180.149.63.3)
;; WHEN: Fri Mar 27 11:13:03 India Standard Time 2015
;; MSG SIZE  rcvd: 149

Please explain to me what is going wrong in this case?

Regards,
Gaurav Kansal
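The third additional record is the OPT pseudo-RR that dig prints separately as the "OPT PSEUDOSECTION": EDNS (RFC 6891) carries it in the additional section of the wire message, so ARCOUNT counts it even though it is not a resource record of the zone. The code below is an added example (not from the thread or from BIND) that rebuilds the quoted answer in wire format, then walks the sections the way a resolver does and counts OPT records separately from real additional records. Record values are those shown in the dig output; the answer record's type is assumed to be AAAA since the rdata is an IPv6 address.

```python
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT = 1, 2, 28, 41


def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    out.append(0)
    return bytes(out)


def encode_rr(name, rtype, rdata, ttl=300, rclass=1):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def encode_opt(udp_size=4096):
    """OPT pseudo-RR (RFC 6891): owner is the root, the CLASS field carries the
    sender's UDP payload size and the TTL field the extended RCODE and flags."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def build_sample_response():
    """Constructed wire-format copy of the dig answer quoted above (id 17302,
    flags qr aa rd ra, QD=1 AN=1 NS=3 AR=3)."""
    header = struct.pack("!HHHHHH", 17302, 0x8580, 1, 1, 3, 3)
    question = encode_name("ns3.nkn.in") + struct.pack("!HH", TYPE_AAAA, 1)
    answer = encode_rr("ns3.nkn.in", TYPE_AAAA, ipaddress.IPv6Address("2405:8a00:1000::2").packed)
    authority = b"".join(encode_rr("nkn.in", TYPE_NS, encode_name(ns))
                         for ns in ("ns2.nkn.in", "ns1.nkn.in", "ns3.nkn.in"))
    additional = (encode_rr("ns1.nkn.in", TYPE_A, ipaddress.IPv4Address("180.149.63.3").packed)
                  + encode_rr("ns2.nkn.in", TYPE_A, ipaddress.IPv4Address("180.149.63.66").packed)
                  + encode_opt(4096))
    return header + question + answer + authority + additional


def read_name(buf, off):
    """Return (dotted name, offset just past it); follows compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = buf[off]
        if (length & 0xC0) == 0xC0:
            pointer = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def read_rr(buf, off):
    name, off = read_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "rdata": buf[off:off + rdlen]}, off + rdlen


def summarize_sections(msg):
    """Header counts plus the real RRs and OPT pseudo-RRs found in each section."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    summary = {"ancount": an, "nscount": ns, "arcount": ar, "opt": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            rec, off = read_rr(msg, off)
            records.append(rec)
        summary[section] = [r for r in records if r["type"] != TYPE_OPT]
        summary["opt"] += [r for r in records if r["type"] == TYPE_OPT]
    summary["udp_payload_size"] = summary["opt"][0]["class"] if summary["opt"] else None
    return summary


if __name__ == "__main__":
    s = summarize_sections(build_sample_response())
    print(s["arcount"], len(s["additional"]), len(s["opt"]), s["udp_payload_size"])
```

The same walk explains the `udp: 4096` line in dig's pseudosection: it is the CLASS field of that OPT record, which is why a resolver has to recognise type 41 before treating the additional section as ordinary glue.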
Paper on IPv6 DNS Measurement
Dear Team,

We have analyzed around 70 million query logs which we received on our IPv6 DNS server in the month of August 2014 and tried to work out the statistics over that. Our findings were:

1. About 50% of the queries are from the Google AS.
2. Around 7.4% of queries are from the Facebook AS (i.e., 32934), and many others. FB is in 2nd spot in the AS-wise query statistics.

(Paper: http://kansal15.blogspot.in/2014/09/ipv6-dns-measurement-stats.html)

I was wondering why FB is querying us, and that too in such quantity? Did anyone face similar behaviour from the FB ASN?

Regards,
Gaurav Kansal
How to figure out QPS in bind 9.9
Dear Team,

I am running an authoritative server on BIND 9.9.5. I want to work out how many queries I am receiving per second at any point in time (or the average QPS). I have enabled the statistics-channel in the BIND configuration, but there too I am getting the total number of queries and not the QPS. Is there any way to work out the same?

Regards,
Gaurav Kansal
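The statistics channel exposes cumulative counters, so QPS is a derived value: sample the total query counter at intervals and divide the difference by the elapsed time. The other source is the query log, where timestamps give per-second counts directly. Both are shown below as an added example (not from the thread or from BIND): `qps_from_counter_samples` takes (time, counter) pairs read from the statistics channel and skips an interval in which the counter went backwards, which is what a `named` restart looks like; `qps_from_querylog` buckets querylog lines by second. The querylog excerpt is constructed in the 9.9 `print-time yes` format with placeholder names and addresses.

```python
import re
from collections import Counter
from datetime import datetime


def qps_from_counter_samples(samples):
    """samples: [(unix_seconds, cumulative_query_count), ...] read periodically from
    the statistics channel. Returns [(interval_end, qps), ...]. An interval whose
    counter went backwards (named restarted) yields no rate rather than a negative one."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be in strictly increasing time order")
        if c1 < c0:
            continue
        rates.append((t1, (c1 - c0) / (t1 - t0)))
    return rates


# querylog line with print-time on: "DD-Mon-YYYY HH:MM:SS.mmm client ADDR#PORT (NAME): query: ..."
QUERYLOG_RE = re.compile(
    r"^(?P<ts>\d\d-[A-Z][a-z]{2}-\d{4} \d\d:\d\d:\d\d)\.\d+ client \S+ \([^)]*\): query: "
)


def qps_from_querylog(lines):
    """Per-second query counts from querylog lines.

    Returns (per_second {"HH:MM:SS": n}, peak, average), where the average is taken
    over the whole span from first to last query so idle seconds count as zero."""
    per_second = Counter()
    for line in lines:
        m = QUERYLOG_RE.match(line)
        if m:
            per_second[datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")] += 1
    if not per_second:
        return {}, 0, 0.0
    span = (max(per_second) - min(per_second)).total_seconds() + 1
    buckets = {t.strftime("%H:%M:%S"): n for t, n in sorted(per_second.items())}
    return buckets, max(per_second.values()), sum(per_second.values()) / span


# Constructed querylog excerpt (documentation-range addresses, placeholder names).
SAMPLE_QUERYLOG = [
    "30-Dec-2013 15:54:18.101 client 192.0.2.10#40001 (www.xyz.in): query: www.xyz.in IN A + (192.0.2.53)",
    "30-Dec-2013 15:54:18.230 client 192.0.2.11#40002 (mail.xyz.in): query: mail.xyz.in IN MX + (192.0.2.53)",
    "30-Dec-2013 15:54:18.980 client 192.0.2.12#40003 (www.xyz.in): query: www.xyz.in IN AAAA + (192.0.2.53)",
    "30-Dec-2013 15:54:19.004 client 192.0.2.10#40004 (xyz.in): query: xyz.in IN NS + (192.0.2.53)",
    "30-Dec-2013 15:54:20.500 client 192.0.2.13#40005 (www.xyz.in): query: www.xyz.in IN A + (192.0.2.53)",
    "30-Dec-2013 15:54:20.600 client 192.0.2.14#40006 (www.xyz.in): query: www.xyz.in IN A + (192.0.2.53)",
]

if __name__ == "__main__":
    print(qps_from_counter_samples([(0, 1000), (10, 1600), (20, 1500), (30, 2100)]))
    print(qps_from_querylog(SAMPLE_QUERYLOG))
```

The counter approach is the one to run in production: it costs nothing on the server, whereas the query log has to be enabled (and, as the dnstap discussion elsewhere in this archive notes, logging every query is what people turn off to reach high QPS).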
Issues in configuring Bind 9.10 in CentOS 6.3 with --open-ssl
Dear Team,

I am trying to configure BIND 9.10 on CentOS 6.3 using the following options, but I am getting an error as shown below.

Option 1 - ./configure --with-geoip=/usr/local/share/GeoIP/

checking for libtool... no
checking for Source Identity Token support... no
checking for OpenSSL library... using OpenSSL from /usr/lib and /usr/include
checking whether linking with OpenSSL works... no
configure: error: Could not run test program using OpenSSL from /usr/lib and /usr/include. Please check the argument to --with-openssl and your shared library configuration (e.g., LD_LIBRARY_PATH).

I have the OpenSSL and openssl-devel packages installed on my machine.

Option 2 - ./configure --with-geoip=/usr/local/share/GeoIP/ --with-openssl=/usr/include/openssl/

checking for sysconf... yes
checking for libtool... no
checking for Source Identity Token support... no
checking for OpenSSL library... configure: error: /usr/include/openssl//include/openssl/opensslv.h not found

I am not able to understand why it is appending /include/openssl/ to my path as shown above. I have also tried the following option to play with the path but didn't get any success.

Option 3 - ./configure --with-geoip=/usr/local/share/GeoIP/ --with-openssl=/usr

checking for libtool... no
checking for Source Identity Token support... no
checking for OpenSSL library... using OpenSSL from /usr/lib and /usr/include
checking whether linking with OpenSSL works... no
configure: error: Could not run test program using OpenSSL from /usr/lib and /usr/include. Please check the argument to --with-openssl and your shared library configuration (e.g., LD_LIBRARY_PATH).

Please help me with what I should do.

Regards,
Gaurav Kansal
RE: Issues in configuring Bind 9.10 in CentOS 6.3 with --open-ssl
Hi Jeremy,

config.log isn't showing any useful data to troubleshoot this.

configure:15007: result: no
configure:15121: checking for sysconf
configure:15121: gcc -o conftest -g -O2 -I/usr/local/share/GeoIP//include -D_GNU_SOURCE -I/usr/local/share/GeoIP//include conftest.c -lpthread -lm -lGeoIP -L/usr/local/share/GeoIP//lib >&5
configure:15121: $? = 0
configure:15121: result: yes
configure:15143: checking for libtool
configure:15174: result: no
configure:15267: checking for Source Identity Token support
configure:15287: result: no
configure:15338: checking for OpenSSL library
configure:15436: error: /usr/include/openssl//include/openssl/opensslv.h not found

## Cache variables. ##

Regards,
Gaurav Kansal

-Original Message-
From: Jeremy C. Reed [mailto:jr...@isc.org]
Sent: Friday, May 02, 2014 6:08 PM
To: Gaurav Kansal
Cc: bind-users@lists.isc.org
Subject: Re: Issues in configuring Bind 9.10 in CentOS 6.3 with --open-ssl

> On Fri, 2 May 2014, Gaurav Kansal wrote:
>
> The config.log debugging file should contain further details that may be used to troubleshoot this. Please look in config.log for lines around "checking whether linking with OpenSSL works" (and above the "## Cache variables ##" line).
Re: bind tools on windows wait forever
Hi Matus,

I also noticed the same thing. This may be an issue, or some other feature in the BIND tools which is producing this result. I did it on Windows 8, so I think that maybe Windows 8 and BIND 9.9.5 together are producing this, and I didn't do much troubleshooting on it.

Sent from Kansal's Mobile. Sorry for typo errors :)

> Matus UHLAR - fantomas uh...@fantomas.sk wrote:
>
> Hello,
> I have installed bind 9.9.5 on windows (tools only) and when I execute dig, host or even nslookup, they return output but don't exit so I must break (Ctrl-C) them.
> Did anyone notice such behaviour?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Windows 2000: 640 MB ought to be enough for anybody
Re: Re: bind tools on windows wait forever
OK, I will try. Should I upgrade BIND on the DNS servers also?

Sent from Kansal's Mobile. Sorry for typo errors :)

> Mark Andrews ma...@isc.org wrote:
>
> Use BIND 9.9.5-W1.
>
> Mark
>
> In message 9jawi1csarsretigbud1n5h0.1395229889...@email.android.com, Gaurav Kansal writes:
>> Hi Matus,
>> I also noticed the same thing. This may be an issue, or some other feature in the BIND tools which is producing this result. I did it on Windows 8, so I think that maybe Windows 8 and BIND 9.9.5 together are producing this, and I didn't do much troubleshooting on it.
>> Sent from Kansal's Mobile. Sorry for typo errors :)
>>
>>> Matus UHLAR - fantomas uh...@fantomas.sk wrote:
>>> Hello,
>>> I have installed bind 9.9.5 on windows (tools only) and when I execute dig, host or even nslookup, they return output but don't exit so I must break (Ctrl-C) them.
>>> Did anyone notice such behaviour?
>>> --
>>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>>> Warning: I wish NOT to receive e-mail advertising to this address.
>>> Warning: I do NOT want to receive any advertising mail at this address.
>>> Windows 2000: 640 MB ought to be enough for anybody
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
RE: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
At the time of posting this question, I didn't think that this thread would cause this much discussion. :)

Thanks to all for the nice explanation and help.

Regards,
Gaurav Kansal

-Original Message-
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Evan Hunt
Sent: Thursday, March 6, 2014 10:08 PM
To: Carsten Strotmann
Cc: bind-users@lists.isc.org
Subject: Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

>> there could be a hard-link from a name like tsig-keygen to dnssec-keygen which changes the type of key created to -n HOST. That would not require any change to the existing interface. Just an idea.
>
> Thanks, Carsten. I had actually had the same thought after writing my post last night, though I was thinking of making it a hard link to ddns-confgen rather than dnssec-keygen.
>
> (Question: is ddns-confgen -q an appropriate and useful format? I've never understood why anybody would want TSIG keys in .key/.private form, but there may be a use case for it that I've overlooked.)
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
RE: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Hi Tony,

Thanks for the help. I was wondering: if HMAC* keys are not used for zones, then why are they displayed when we use dnssec-keygen -h?

Regards,
Gaurav Kansal

-Original Message-
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Monday, March 3, 2014 3:58 AM
To: Gaurav Kansal
Cc: bind-users@lists.isc.org
Subject: Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

> Gaurav Kansal gaurav.kan...@nic.in wrote:
>> My doubt is only about this. What's the difference between Zone and Host?
>
> Zone keys are used for DNSSEC signing zones. Host keys are used for TSIG transaction authentication, for securing zone transfers or dynamic updates.
>
>> I also want to know which algorithm is the best one on security aspects for generating keys for DNSSEC.
>
> Your security is affected more by how you store the keys than anything else. RSASHA256 is fine.
>
> Tony.
> --
> f.anthony.n.finch d...@dotat.at http://dotat.at/
> Faeroes: East or southeast 5 to 7. Rough or very rough. Rain. Moderate.
Regarding zone transfer from master to slave
Dear Team,

We are running slave services for our customers. We want to have a log of which entries have been changed in the master (which is causing the zone transfer) at the time of the zone transfer. I want to know whether it is possible to have some sort of log generation (either by using query channels or by any other means) which we can save for future reference purposes.

Thanks and Regards,
Gaurav Kansal
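Whatever the server logs about a transfer, the record-level change history is recoverable by keeping a snapshot of each transferred zone and diffing consecutive snapshots. The code below is an added example, not from the thread or from BIND: a minimal parser for one-record-per-line zone text, a diff that reports added and removed records together with the SOA serials, and a formatter that produces one audit line per change. The before/after snapshots are constructed for the poster's `xyz.gov.in` zone with placeholder addresses; it is assumed the slave's zone file (or `dig axfr` output) is dumped in that one-line form.

```python
def parse_zone(text):
    """Minimal parser for one-record-per-line zone text: 'owner [ttl] [IN] type rdata'.
    Understands $ORIGIN and ';' comments; parenthesised multi-line records are not
    handled. The TTL is dropped so that only content changes show up in the diff."""
    records, origin = set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if owner == "@":
            owner = origin
        elif not owner.endswith(".") and origin:
            owner = f"{owner}.{origin}"
        if rest and rest[0].isdigit():
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        records.add((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def soa_serial(records):
    """Serial is the third RDATA field of the SOA (after MNAME and RNAME)."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    return None


def diff_zone_snapshots(before_text, after_text):
    before, after = parse_zone(before_text), parse_zone(after_text)
    return {
        "serial_before": soa_serial(before),
        "serial_after": soa_serial(after),
        "added": sorted(after - before),
        "removed": sorted(before - after),
    }


def format_change_log(zone, diff, when):
    """One log line per changed record, ready to append to an audit file."""
    head = f"{when} zone {zone} serial {diff['serial_before']} -> {diff['serial_after']}"
    lines = [f"{head}: -{o} {t} {r}" for o, t, r in diff["removed"]]
    lines += [f"{head}: +{o} {t} {r}" for o, t, r in diff["added"]]
    return lines


# Constructed snapshots of the slave's copy before and after one transfer.
BEFORE = """\
$ORIGIN xyz.gov.in.
@ 3600 IN SOA ns1.nkn.in. hostmaster.nkn.in. 2013123001 7200 3600 1209600 300
@ 3600 IN NS ns1.nkn.in.
www 300 IN A 10.1.1.10
mail 300 IN A 10.1.1.20
"""
AFTER = """\
$ORIGIN xyz.gov.in.
@ 3600 IN SOA ns1.nkn.in. hostmaster.nkn.in. 2013123002 7200 3600 1209600 300
@ 3600 IN NS ns1.nkn.in.
www 300 IN A 10.2.2.10   ; moved to the second site
mail 300 IN A 10.1.1.20
ftp 300 IN A 10.1.1.30
"""

if __name__ == "__main__":
    changes = diff_zone_snapshots(BEFORE, AFTER)
    for line in format_change_log("xyz.gov.in", changes, "2013-12-30T15:54:18"):
        print(line)
```

Keeping the snapshots themselves alongside the log also gives something to compare against if a master is ever compromised or a transfer is poisoned: the audit trail shows exactly which records changed and in which serial.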
Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Dear Team,

I am using the RSASHA1 key generation algorithm for generating the KSK and ZSK. Today, I tried to generate keys using the RSASHA512 and HMAC-SHA256 algorithms. Key generation through the RSASHA512 algorithm ran successfully, but while generating the keys through the HMAC-SHA512 algorithm, I am getting the following error:

dnssec-keygen: fatal: a key with algorithm 'HMAC-SHA512' cannot be a zone key

I googled it and found a previous discussion on the BIND mailing list that HMAC-* is used for generating keys for a Host and not for a Zone. My doubt is only about this. What's the difference between Zone and Host? Is it key generation for one client machine, or what?

I also want to know which algorithm is the best one on security aspects for generating keys for DNSSEC.

Thanks and Regards,
Gaurav Kansal
Emp Code - 6274
Mob - 9910118448
Intercom - 7331
Have you enabled IPv6 on something today...?
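The reason an HMAC algorithm cannot be a zone key, as Tony's reply earlier in this archive states, is that HMAC is symmetric: whoever verifies the MAC holds the same secret as whoever produced it. That fits TSIG, where two known parties (a master and its slave, or an update client and the server) share a secret, and cannot fit DNSSEC, where every resolver on the Internet must be able to validate a zone's signatures using only the public DNSKEY. The code below is an added example, not from the thread or from BIND's `dnssec-keygen`/`ddns-confgen`: it generates a host (TSIG-style) key as a base64 secret, renders the `key` statement that both ends would load, and computes and verifies an HMAC with it. The MAC here is over an arbitrary byte string; a real TSIG MAC covers the DNS message plus the TSIG variables (RFC 8945), so this only illustrates the shared-secret property.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}


def key_from_secret(name, raw_secret, algorithm="hmac-sha256"):
    """Wrap raw secret bytes in the dict shape used by the functions below."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return {"name": name, "algorithm": algorithm,
            "secret": base64.b64encode(raw_secret).decode("ascii")}


def generate_tsig_key(name, algorithm="hmac-sha256"):
    """Fresh shared secret: as many random bytes as the hash output, base64-encoded
    (the form named.conf's key statement carries)."""
    size = ALGORITHMS[algorithm]().digest_size
    return key_from_secret(name, secrets.token_bytes(size), algorithm)


def render_key_statement(key):
    """named.conf 'key' statement; identical on both parties, which is the point."""
    return (f'key "{key["name"]}" {{\n'
            f'\talgorithm {key["algorithm"]};\n'
            f'\tsecret "{key["secret"]}";\n'
            f'}};\n')


def mac_for(key, data):
    """HMAC of data under the shared secret (simplified: real TSIG MACs also cover
    the TSIG variables, RFC 8945)."""
    return hmac.new(base64.b64decode(key["secret"]), data,
                    ALGORITHMS[key["algorithm"]]).digest()


def verify_mac(key, data, mac):
    """Constant-time comparison so a verifier does not leak how many bytes matched."""
    return hmac.compare_digest(mac_for(key, data), mac)


if __name__ == "__main__":
    k = generate_tsig_key("transfer-key")
    print(render_key_statement(k))
    msg = b"constructed AXFR request"
    tag = mac_for(k, msg)
    print(verify_mac(k, msg, tag), verify_mac(k, msg + b"x", tag))
```

Note what the verifier needs: `verify_mac` takes the same `key` dict as `mac_for`. A DNSSEC validator has no such dict for your zone and never will, which is exactly why `dnssec-keygen` refuses `-n ZONE` for HMAC algorithms.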
RE: Enabling RRL in bind
Thanks Evan. :)

-Original Message-
From: Evan Hunt [mailto:e...@isc.org]
Sent: Tuesday, December 31, 2013 1:27 AM
To: Gaurav Kansal
Cc: bind-users@lists.isc.org
Subject: Re: Enabling RRL in bind

> On Mon, Dec 30, 2013 at 05:47:13PM +0530, Gaurav Kansal wrote:
>> In bind 9.9.4, Response-Rate Limit doesn't work until you configure bind with the --enable-rrl option. I was wondering why is it so? Why is this feature not enabled by default in bind?
>
> RRL was added to the BIND 9.9 branch late, in release 9.9.3. Ordinarily, it's our policy only to add new features in 9.x.0 releases. We felt that this feature was important enough to make an exception to our usual rule, but since code changes of that size always introduce a risk of destabilization, we decided to make it a compile-time option: those who want RRL can get it; those who don't can skip it.
>
> RRL will be enabled by default in 9.10.0.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
RE: Error logs in bind resolving
Thanks Chris for your useful comments.

> On Dec 30, 2013, at 9:46 PM, Gaurav Kansal gaurav.kan...@nic.in wrote:
>> I am getting the error message for a lot of domains. A log of the error entries is attached.
>
> All the ones I checked were caused by broken implementations.

Is this a broken implementation of IPv6 or something else? As this DNS server is running IPv6 only.

>> Is it possible to configure bind so that the error message should not be generated in the log file?
>
> They're logged as errors. I'm not sure I'd want to suppress these errors. Maybe your log service can be configured to filter them out more specifically than what can be done with named's own logging capability.

OK, I will try to play around with the logging options.

Thanks for your help and happy new year. :)

Regards,
Gaurav Kansal
Query regarding CNAME
Dear Guys,

I have 2 domains and I want both to have exactly the same entries. What I tried is to have the entries in one zone file, and in the other I tried something as mentioned below:

*.xyz.gov.in CNAME *.xyz.in

where xyz.gov.in and xyz.in are my two domains. But this doesn't help. I want to ask whether it is possible to have a CNAME configuration by which I can divert all queries for my xyz.gov.in domain to the xyz.in domain.

Happy New Year :)

Thanks and Regards,
Gaurav Kansal
Emp Code - 6274
Mob - 9910118448
Intercom - 7331
Have you enabled IPv6 on something today...?
Error logs in bind resolving
Dear All,

In my BIND server logs, I am getting too many error logs of the type mentioned below. Can anyone please explain to me why I am getting these logs and how to get rid of them? Although when I do a dig for the domain (for which I am getting the error), I get valid output.

Thanks.

Dec 30 15:54:18 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:54:18 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
Dec 30 15:54:39 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:54:39 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
Dec 30 15:54:40 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:54:40 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
Dec 30 15:54:40 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'm.ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:54:41 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:54:41 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'm.ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
Dec 30 15:54:42 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
Dec 30 15:54:43 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:54:43 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
Dec 30 15:54:52 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'w27.b.cap-mii.net//IN': 120.89.70.10#53
Dec 30 15:54:52 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'w27.b.cap-mii.net//IN': 216.38.174.11#53
Dec 30 15:54:52 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'w27.b.cap-mii.net//IN': 120.89.70.11#53
Dec 30 15:54:52 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'w27.b.cap-mii.net//IN': 216.38.174.10#53
Dec 30 15:54:53 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'w27.b.cap-mii.net//IN': 120.89.70.11#53
Dec 30 15:54:53 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'w27.b.cap-mii.net//IN': 216.38.174.11#53
Dec 30 15:54:53 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'w27.b.cap-mii.net//IN': 120.89.70.10#53
Dec 30 15:54:53 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'w27.b.cap-mii.net//IN': 216.38.174.10#53
Dec 30 15:55:31 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:55:32 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
Dec 30 15:55:32 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:55:32 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53

Thanks and Regards,
Gaurav Kansal
Emp Code - 6274
Mob - 9910118448
Intercom - 7331
Have you enabled IPv6 on something today...?
Enabling RRL in bind
Hi Guys,

In bind 9.9.4, Response-Rate Limit doesn't work until you configure bind with the --enable-rrl option. I was wondering why is it so? Why is this feature not enabled by default in bind? I tried to find out the same in the ARM but didn't get any success.

And also, if you have a list of features which need to be explicitly enabled, please share the same.

Thanks and Regards,
Gaurav Kansal
Emp Code - 6274
Mob - 9910118448
Intercom - 7331
Have you enabled IPv6 on something today...?
RE: Error logs in bind resolving
Hi Chris,

Thanks for your response.

I am getting the error message for a lot of domains. A log of the error entries is attached.

Is it possible to configure bind so that the error message should not be generated in the log file?

Regards,
Gaurav Kansal

-Original Message-
From: Chris Buxton [mailto:cli...@buxtonfamily.us]
Sent: Monday, December 30, 2013 11:53 PM
To: Gaurav Kansal
Cc: BIND Users
Subject: Re: Error logs in bind resolving

> On Dec 30, 2013, at 2:29 AM, Gaurav Kansal gaurav.kan...@nic.in wrote:
>> Dear All,
>> In my BIND server logs, I am getting too many error logs of the type mentioned below. Can anyone please explain to me why I am getting these logs and how to get rid of them? Although when I do a dig for the domain (for which I am getting the error), I get valid output.
>> Thanks.
>>
>> Dec 30 15:54:18 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
>
> I see an incorrect negative response. Could this be the problem? Here is the end of a dig trace:
>
> geoadnxs.com. 172800 IN NS 01.auth.nym1.appnexus.net.
> geoadnxs.com. 172800 IN NS 01.auth.nym2.appnexus.net.
> geoadnxs.com. 172800 IN NS 01.auth.lax1.appnexus.net.
> geoadnxs.com. 172800 IN NS 01.auth.ams1.appnexus.net.
> ;; Received 222 bytes from 192.33.14.30#53(192.33.14.30) in 123 ms
>
> sin1.geoadnxs.com. 86400 IN NS ns2.apac.gslb-ns.net.
> sin1.geoadnxs.com. 86400 IN NS ns1.apac.gslb-ns.net.
> ;; Received 122 bytes from 68.67.133.169#53(68.67.133.169) in 67 ms
>
> geoadnxs.com. 30 IN SOA ns1.gslb.com. support.appnexus.net. 1 86400 30 86400 30
> ;; Received 103 bytes from 64.208.141.10#53(64.208.141.10) in 187 ms
>
> ___
>
> My resolving name server complains as follows:
>
> Dec 30 10:19:45 ubuntu named[1299]: DNS format error from 64.208.141.10#53 resolving ib.sin1.geoadnxs.com/ for client ::1#60014: invalid response
> Dec 30 10:19:45 ubuntu named[1299]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
> Dec 30 10:19:45 ubuntu named[1299]: DNS format error from 64.208.141.11#53 resolving ib.sin1.geoadnxs.com/ for client ::1#60014: invalid response
> Dec 30 10:19:45 ubuntu named[1299]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
>
> ___
>
> I believe the problem is that when asked for an record, the load balancer gives an otherwise-proper-looking negative response that claims to be from the wrong zone.
>
> Regards,
> Chris Buxton

[attachment: log of error entries]

Dec 30 15:56:22 IPV6-NKN-DNS named[13123]: error (unexpected RCODE REFUSED) resolving 'stats.norton.com//IN': 63.245.192.31#53
Dec 30 15:56:22 IPV6-NKN-DNS named[13123]: error (unexpected RCODE REFUSED) resolving 'stats.norton.com//IN': 63.245.196.31#53
Dec 30 15:56:23 IPV6-NKN-DNS named[13123]: error (unexpected RCODE REFUSED) resolving 'stats.norton.com//IN': 63.245.200.31#53
Dec 30 15:56:59 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'www.makemytrip.com//IN': 115.114.52.7#53
Dec 30 15:56:59 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'www.makemytrip.com//IN': 180.179.112.7#53
Dec 30 15:57:05 IPV6-NKN-DNS named[13123]: error (unexpected RCODE REFUSED) resolving 'stats.norton.com//IN': 63.245.192.31#53
Dec 30 15:57:05 IPV6-NKN-DNS named[13123]: error (unexpected RCODE REFUSED) resolving 'stats.norton.com//IN': 63.245.200.31#53
Dec 30 15:57:06 IPV6-NKN-DNS named[13123]: error (unexpected RCODE REFUSED) resolving 'stats.norton.com//IN': 63.245.196.31#53
Dec 30 15:57:37 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'dewpoint-eg.com//IN': 204.13.160.143#53
Dec 30 15:57:38 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'dewpoint-eg.com//IN': 204.13.161.145#53
Dec 30 15:57:51 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'cf-protected-www.epapersland.com.cdn.cloudflare.net//IN': 173.245.59.113#53
Dec 30 15:57:52 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'cf-protected-www.epapersland.com.cdn.cloudflare.net//IN': 173.245.58.121#53
Dec 30 15:57:52 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:57:53 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
Dec 30 15:57:59 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'cf-protected-www.epapersland.com.cdn.cloudflare.net//IN': 2400:cb00:2049:1::adf5:3a79#53
Dec 30 15:58:10 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'lr-bid.display.provenpixel.com//IN': 174.129.198.73#53
Dec 30 15:58:10 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'lr-bid.display.provenpixel.com//IN': 174.129.12.214#53
Dec 30 15:58
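Two things are worth automating from this exchange (and from the original "Error logs in bind resolving" post earlier in the archive). First, the log lines themselves: grouping `error (...) resolving` entries by the remote server shows which authoritative servers are broken, so the noise can be reported to their operators rather than silenced. Second, the check Chris applied by hand: in a negative response the SOA in the authority section must belong to the zone that was queried (RFC 2308), and a load balancer answering for `sin1.geoadnxs.com` with an SOA for `geoadnxs.com` fails that check, which is what `named` reports as FORMERR. Both are given below as an added example, not code from the thread or from BIND; the sample log lines are copied from the posts (the record type between the slashes is empty in the archived lines, so the pattern tolerates that), and the zone names in the test are those from Chris's trace.

```python
import re
from collections import Counter, defaultdict

# "Mon DD HH:MM:SS host named[pid]: error (REASON) resolving 'qname/qtype/qclass': server#port"
ERROR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"error \((?P<reason>[^)]*)\) resolving '(?P<qname>[^/']+)/(?P<qtype>[^/']*)/(?P<qclass>[^']*)': "
    r"(?P<server>\S+)#(?P<port>\d+)$"
)

# Sample lines copied from the posts above.
SAMPLE_ERRORS = """\
Dec 30 15:54:18 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:54:18 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
Dec 30 15:54:39 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:54:40 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'm.ib.sin1.geoadnxs.com//IN': 64.208.141.10#53
Dec 30 15:54:41 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'm.ib.sin1.geoadnxs.com//IN': 64.208.141.11#53
Dec 30 15:56:22 IPV6-NKN-DNS named[13123]: error (unexpected RCODE REFUSED) resolving 'stats.norton.com//IN': 63.245.192.31#53
Dec 30 15:57:59 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 'cf-protected-www.epapersland.com.cdn.cloudflare.net//IN': 2400:cb00:2049:1::adf5:3a79#53
"""


def summarize_resolver_errors(lines):
    """Group named's resolver error lines by the remote server that caused them."""
    per_server = defaultdict(lambda: {"reasons": Counter(), "names": set()})
    for line in lines:
        m = ERROR_RE.match(line.strip())
        if not m:
            continue
        entry = per_server[m.group("server")]
        entry["reasons"][m.group("reason")] += 1
        entry["names"].add(m.group("qname"))
    return dict(per_server)


def noisy_servers(summary, threshold=3):
    """Servers with at least `threshold` errors: candidates for a report to the zone owner."""
    return sorted(s for s, e in summary.items() if sum(e["reasons"].values()) >= threshold)


def is_subdomain(name, zone):
    """True if name is zone itself or lies below it (case-insensitive, trailing dot optional)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return zone == "" or name == zone or name.endswith("." + zone)


def negative_response_soa_ok(qname, zone, soa_owner):
    """A negative answer must carry the SOA of the zone that was asked (RFC 2308):
    the SOA owner has to lie within `zone` and be an ancestor of (or equal to) `qname`."""
    return is_subdomain(soa_owner, zone) and is_subdomain(qname, soa_owner)


if __name__ == "__main__":
    summary = summarize_resolver_errors(SAMPLE_ERRORS.splitlines())
    for server, entry in sorted(summary.items()):
        print(server, dict(entry["reasons"]), sorted(entry["names"]))
    print("noisy:", noisy_servers(summary))
    print(negative_response_soa_ok("ib.sin1.geoadnxs.com.", "sin1.geoadnxs.com.", "geoadnxs.com."))
```

Feeding the summary into the log pipeline (rather than dropping the `resolver` category) keeps the signal: a sudden rise in FORMERR from one server is also what a misbehaving middlebox or a poisoning attempt against the resolver looks like.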
Health Check feature in BIND ?
Dear All,

I was just thinking whether it is possible to have some type of health checking of servers through the BIND DNS server, and the DNS server should reply to clients based on that only.

I.e., suppose I have two entries of the www record for domain xyz.in, having IP addresses 10.1.1.10 and 10.2.2.10. Now I want my DNS server to check whether the server is up or not before replying to clients. If one is down, then the DNS server should reply with the IP address of the second one.

Although this is not a DNS job and we should use a load balancer for this, I just want to check whether this feature is available in BIND or in any open-source program which in turn can be combined with BIND to achieve the desired result.

Thanks and Regards,
Gaurav Kansal
Emp Code - 6274
Mob - 9910118448
Have you enabled IPv6 on something today...?
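One way to combine an external check with BIND, as an added example that is not from the thread or from BIND itself: a small monitor probes each address and, when the set of live addresses changes, rewrites the `www` RRset through dynamic update using `nsupdate`'s batch syntax (`server`, `zone`, `update delete`, `update add`, `send`). The addresses, the zone `xyz.in` and the TTL of 60 seconds are the poster's scenario and an assumption respectively; the probe is injected so the demo runs offline, with a real TCP connect probe provided for deployment. If every target fails the monitor keeps all addresses in the answer, so that a probe-side outage (the monitor losing its own connectivity) does not remove the service from DNS.

```python
import socket


def tcp_probe(address, port=80, timeout=2.0):
    """Real probe for deployment: a TCP connect to the service port."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_live_targets(candidates, probe):
    """Candidates that pass the probe, in their original order.

    If every target fails, all of them are returned: an empty RRset would take the
    service off the air for a probe outage (e.g. the monitor losing its uplink) just
    as surely as for a real server outage, and the latter is the case we can't help anyway."""
    live = [addr for addr in candidates if probe(addr)]
    return live if live else list(candidates)


def nsupdate_script(server, zone, name, ttl, addresses):
    """Batch input for `nsupdate` that replaces the A RRset of `name` with `addresses`.
    Sign it with the TSIG key the zone's update-policy expects (nsupdate -k keyfile)."""
    lines = [f"server {server}", f"zone {zone}", f"update delete {name} A"]
    lines += [f"update add {name} {ttl} A {addr}" for addr in addresses]
    lines.append("send")
    return "\n".join(lines) + "\n"


def reconcile(candidates, published, probe):
    """Return (new_live_set, nsupdate text or None if nothing changed)."""
    live = select_live_targets(candidates, probe)
    if sorted(live) == sorted(published):
        return live, None
    return live, nsupdate_script("127.0.0.1", "xyz.in.", "www.xyz.in.", 60, live)


if __name__ == "__main__":
    # Offline demo with a constructed probe: the first site is "down".
    down = {"10.1.1.10"}
    live, script = reconcile(["10.1.1.10", "10.2.2.10"], ["10.1.1.10", "10.2.2.10"],
                             lambda addr: addr not in down)
    print(live)
    print(script)
```

The update path is the part to lock down: the zone should accept updates for `www` only from the monitor's address and only with its TSIG key (the `update-policy` or `allow-update` statement on the zone), since anyone who can drive that update controls where `www.xyz.in` points.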
RE: ISC Courses
You can also try training arranged by APRICOT (and others, incl. NANOG). The bad thing is that these events only happen once a year. I attended APRICOT's DNS/DNSSEC workshop held in Delhi last year. Phil Regnauld, Allen and Randy were the trainers, and no doubt Regnauld is one of the best trainers. These events are economical too: the charge was Rs. 15,000/- (roughly $300) only.

I can't comment on how good the ISC courses are because ISC training rarely happens in India. In my opinion, ISC should focus on training events in India also.

Regards,
Gaurav Kansal

-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Mark Elkins
Sent: Saturday, April 27, 2013 6:25 PM
To: SUNDAY A. OLUTAYO
Cc: bind-users@lists.isc.org
Subject: Re: ISC Courses

If you live in Africa and can get South, ZACR (UniForum SA), the co.za registry people, provide free DNS courses in Johannesburg and Cape Town. You still have to cover personal travel, food and lodging though. These are proper DNS training courses, a three-day Intro and a four-day Advanced course. They are, however, only offered twice a year, usually February and September... You can see more at http://dnstraining.coza.net.za/

I agree with the sentiment that it's a costly business though.

On Sat, 2013-04-27 at 03:36 -0500, SUNDAY A. OLUTAYO wrote:
> ISC should consider online training too, as the Linux Foundation has done.
>
> Sunday Olutayo
> Sent from my LG Mobile
>
> Doug Barton do...@dougbarton.us wrote:
>> Ted made some really good points. It's also worth pointing out that overhead, like renting the facility to teach the classes in, food, travel expenses for the trainers to get to the site, course materials, insurance, etc. often run into the 'many hundreds' of dollars per student before the first word is spoken in class.
>>
>> Doug

--
Mark J Elkins, Posix Systems - (South) Africa, Cisco CCIE
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496
How to Limit DNS Request per ip source ?
Dear All,

I want to limit the DNS requests per source IP through iptables. I tried the following commands, but unfortunately didn't succeed.

-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name DNSQF --rsource -j DROP

If anyone is using iptables for limiting DNS queries per IP, then please help me out.

Thanks and Regards,
Gaurav Kansal
Mob - 9910118448
Happy New Year 2013.
IPv4 is over. Are you ready for the new network?
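A way to see what the `--set` / `--update --seconds 60 --hitcount 5` rule pair above actually does to a stream of queries, as an added example in Python that is not from the original post and not part of iptables. It simulates the `recent` module's per-source sliding window on constructed sample traffic: the addresses, timestamps and the `RecentLimiter` class are illustrative assumptions, not anything from the thread.

```python
"""Simulate a per-source DNS query limiter with the semantics of the
iptables `recent` rule pair quoted above:

  -m recent --set --name DNSQF --rsource
  -m recent --update --seconds 60 --hitcount 5 --name DNSQF --rsource -j DROP

Added example, not code from the original post. The traffic below is
constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Event = Tuple[float, str]          # (timestamp in seconds, source address)
Result = Tuple[float, str, bool]   # (timestamp, source, accepted?)


class RecentLimiter:
    """Sliding-window limiter keyed by source address.

    Because the --set rule runs before the --update rule, every packet is
    recorded first and then checked, so the `hitcount`-th packet from a
    source inside `seconds` is the first one dropped. Assumption of the toy:
    the window keeps every hit (the kernel module keeps a bounded list,
    ip_pkt_list_tot, which matters only for very bursty sources)."""

    def __init__(self, seconds: float = 60.0, hitcount: int = 5) -> None:
        self.seconds = seconds
        self.hitcount = hitcount
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def check(self, src: str, now: float) -> bool:
        """Record a packet from `src` at `now`; return True if it is accepted."""
        window = self._hits[src]
        window.append(now)                           # --set: record this hit
        while window and now - window[0] > self.seconds:
            window.popleft()                         # forget hits older than the window
        # --update --hitcount N: match (and DROP) once N hits fall inside the window
        return len(window) < self.hitcount


def run(events: List[Event], seconds: float = 60.0, hitcount: int = 5) -> List[Result]:
    """Feed events through the limiter in time order and record each verdict."""
    limiter = RecentLimiter(seconds, hitcount)
    return [(ts, src, limiter.check(src, ts)) for ts, src in sorted(events)]


def dropped_per_source(results: List[Result]) -> Dict[str, int]:
    """Count dropped packets per source (the figure you would watch in a log)."""
    counts: Dict[str, int] = defaultdict(int)
    for _, src, accepted in results:
        if not accepted:
            counts[src] += 1
    return dict(counts)


# Constructed sample traffic (not captured): one source bursts six queries in
# ten seconds and returns after the window has expired; another stays polite.
SAMPLE_EVENTS: List[Event] = [
    (0.0, "192.0.2.10"), (2.0, "192.0.2.10"), (4.0, "192.0.2.10"),
    (6.0, "192.0.2.10"), (8.0, "192.0.2.10"), (10.0, "192.0.2.10"),
    (1.0, "198.51.100.7"), (3.0, "198.51.100.7"), (5.0, "198.51.100.7"),
    (100.0, "192.0.2.10"),
]

if __name__ == "__main__":
    verdicts = run(SAMPLE_EVENTS)
    for ts, src, accepted in verdicts:
        print(f"t={ts:6.1f}  {src:15}  {'ACCEPT' if accepted else 'DROP'}")
    print("dropped per source:", dropped_per_source(verdicts))
```

With the values from the post, a source is cut off at its fifth query in any 60-second window, which is far below what a busy recursive resolver or a NAT gateway behind one address sends; pick the window and hit count from the rate of your legitimate heavy clients, not from the attackers, or the rule will throttle real users first.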
Re: query about EDNS UDP Packet
Hi Team,

Thanks for the help. My firewall was dropping packets larger than 512 bytes: a Cisco 5580 running ASA 8.3. By default it was blocking my EDNS0 packets.

Thanks and Regards,
Gaurav Kansal

On 12/31/12, Sten Carlsen st...@s-carlsen.dk wrote:
> With the replies you have shown, the limitation is very likely within your own walls. While it is possible that some router on the path between you and the test server limits the packet size, I would say it is very likely not the case, much less than 1% probability, according to my experience.
>
> I would use a sniffer along the path between each switch/router/firewall/xx until you either don't see the longer EDNS0 packets or some other evidence (could be some ICMP message) shows you that this is the place.
>
> I would also search for keywords like: DNS EDNS0 truncate.
>
> Good hunting.
>
> On 31/12/12 15:07, Phil Mayers wrote:
>> On 12/31/2012 10:54 AM, Gaurav Kansal wrote:
>>> I just want to test whether this limit is within my organization. Is any method available by which I can check this?
>>
>> https://www.dns-oarc.net/oarc/services/replysizetest
>
> --
> Best regards
> Sten Carlsen
> No improvements come from shouting: MALE BOVINE MANURE!!!

--
Thanks n Regards,
GAURAV KANSAL
9910118448
Operation And Routing Unit
NIC, NEW DELHI
Happy New Year 2013.
Please don't print this e-mail unless you really need to; it will save trees on planet Earth.
IPv4 is over. Are you ready for the new network?
RE: difference between default views in named_statistics.txt
Hello Team,

After enabling statistics-channel in the BIND conf file, I am getting the following output in the Incoming Requests table:

Incoming Requests
  QUERY   31553047
  NOTIFY      2994
  UPDATE     17896

I just want to know whether the query count will be set to ZERO after a STOP/START of the named daemon, or in case of a system restart. Sorry to bother you guys, but I can't STOP/START the named service at my end. That's why I am asking this question.

Regards,
Gaurav Kansal

-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Alan Clegg
Sent: Friday, December 28, 2012 5:56 AM
To: benjamin fernandis
Cc: bind-users@lists.isc.org
Subject: Re: difference between default views in named_statistics.txt

On Dec 27, 2012, at 1:05 PM, benjamin fernandis benjo11...@gmail.com wrote:
> cat /var/named/chroot/var/named/data/named_stats.txt

While this may present what you want, I think you may be happier parsing the Statistics Channel...

http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#statschannels

While this points to the 9.9 ARM, the statistics channel has existed since 9.5.

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
query about EDNS UDP Packet
Hello Team,

I am getting too many entries about reducing the EDNS packet size to 512 bytes in my log file. For example:

Dec 31 03:07:20 IPv6-DNS named[3769]: success resolving 'dns1.vps.net/A' (in 'vps.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:21 IPv6-DNS named[3769]: success resolving 'ad.metanetwork.com/A' (in 'metanetwork.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:25 IPv6-DNS named[3769]: success resolving 'geo.admetanetwork.com/A' (in 'admetanetwork.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'tomcat.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'www.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'issues.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/A' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns2.surfnet.nl/' (in 'surfnet.nl'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns2.surfnet.nl/A' (in 'surfnet.nl'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:40 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/A' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:40 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets

On googling this, I got to know that this comes when the remote DNS server doesn't support EDNS0 (i.e., packet sizes up to 4096 bytes). Now I want to know whether my DNS server supports EDNS0 for incoming requests or not. I used OARC's DNS Reply Size Test Server for the same and got the output below:

# dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x450.x476.rs.dns-oarc.net.
rst.x490.x450.x476.rs.dns-oarc.net.
Tested at 2012-12-31 09:40:11 UTC
164.100.1.206 sent EDNS buffer size 4096
164.100.1.206 DNS reply size limit is at least 490

Does this mean that my server is not supporting EDNS0?

Thanks and Regards,
Gaurav Kansal
Mob - 9910118448
Happy New Year 2013.
IPv4 is over. Are you ready for the new network?
RE: query about EDNS UDP Packet
I just want to test whether this limit is within my organization. Is any method available by which I can check this?

Regards,
Gaurav Kansal

From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Sten Carlsen
Sent: Monday, December 31, 2012 4:02 PM
To: bind-users@lists.isc.org
Subject: Re: query about EDNS UDP Packet

It means that something in your path limits packet size. That could likely be a firewall or router with a helpful function to pass DNS packets on; only it thinks that a DNS packet can only be 512 bytes long.

On 31/12/12 10:49, Gaurav Kansal wrote:
> [The quoted message is the post "query about EDNS UDP Packet" above, reproduced there in full.]

--
Best regards
Sten Carlsen
No improvements come from shouting: MALE BOVINE MANURE!!!
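The OARC test above reports the largest reply that got through; the exchange below shows what is actually on the wire and lets you tell a server that does not speak EDNS apart from a middlebox that strips or truncates it, which is what the ASA turned out to be doing. This is an added example in Python, not code from the original posts, from ISC or from DNS-OARC: it hand-builds a query carrying an OPT record (4096-byte buffer, DO bit) and parses a reply far enough to read the TC and AD flags and the responder's advertised buffer size. The replies in `__main__` are constructed, not captured; `send_udp()` is the only part that touches the network and the offline checks do not call it.

```python
"""Build an EDNS0 query and check whether the OPT record and a large reply
survive the path.

Added example, not code from the original posts, from ISC or from DNS-OARC.
It assembles a DNS query (RFC 1035 wire format) with an OPT record that
advertises a 4096-byte UDP buffer and sets DO (RFC 6891), and parses a reply
just far enough to tell three cases apart: EDNS fine, reply truncated, or
OPT record missing. The replies in __main__ are constructed, not captured.
"""
import socket
import struct
from typing import Dict, Tuple

TYPE_OPT, TYPE_TXT, CLASS_IN = 41, 16, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020
DO_BIT = 0x8000  # DNSSEC OK flag, carried in the OPT record's TTL field


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a domain name ('.' or '' gives the root)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, udp_size: int = 4096,
                do: bool = True, msg_id: int = 0x1234) -> bytes:
    """Query with RD set and one OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: owner '.', TYPE 41, CLASS = requestor's UDP payload size,
    # TTL = extended RCODE | version | flags (DO), RDLENGTH 0.
    opt = encode_name(".") + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_reply(msg: bytes) -> Dict[str, object]:
    """Header flags plus the OPT record's advertised size, if one is present."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    info: Dict[str, object] = {
        "id": msg_id, "qname": qname, "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC), "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0xF, "answers": an, "udp_size": None, "do": False,
    }
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["udp_size"] = rclass                # payload size the responder accepts
            info["do"] = bool(ttl & DO_BIT)
            info["rcode"] = ((ttl >> 24) << 4) | (flags & 0xF)   # 12-bit extended RCODE
    return info


def classify_reply(reply: bytes) -> str:
    """'edns-ok', 'edns-truncated', 'no-edns' or 'no-edns-truncated'."""
    r = parse_reply(reply)
    if r["udp_size"] is None:
        # No OPT came back: the responder does not do EDNS, or something on the
        # path rewrote or dropped it. Together with TC this is the classic
        # signature of a middlebox that only passes 512-byte DNS.
        return "no-edns-truncated" if r["tc"] else "no-edns"
    return "edns-truncated" if r["tc"] else "edns-ok"


def send_udp(query: bytes, server: str, port: int = 53, timeout: float = 3.0) -> bytes:
    """Send one query over IPv4 UDP and return the raw reply (not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        return s.recv(65535)


def constructed_reply(query: bytes, flags: int, keep_opt: bool) -> bytes:
    """Fabricate a reply to `query` for offline testing: same id and question,
    no answers, and the query's own OPT record echoed back if keep_opt."""
    msg_id = struct.unpack("!H", query[:2])[0]
    _, qend = read_name(query, 12)
    qend += 4
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1 if keep_opt else 0)
    return header + query[12:qend] + (query[qend:] if keep_opt else b"")


if __name__ == "__main__":
    q = build_query("rs.dns-oarc.net", TYPE_TXT)
    good = constructed_reply(q, FLAG_QR | FLAG_RD | FLAG_RA, keep_opt=True)
    bad = constructed_reply(q, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, keep_opt=False)
    print("constructed good reply:", classify_reply(good), parse_reply(good)["udp_size"])
    print("constructed bad reply: ", classify_reply(bad))
    # Against a real resolver: print(classify_reply(send_udp(q, "192.0.2.53")))
```

Run it against the resolver from inside the network and again from outside; if the inside run classifies as `no-edns-truncated` while the outside run is `edns-ok`, the limit is on your own path, which is the check Sten suggested doing with a sniffer. The `ad` field is the same AD bit discussed in the "DNSSEC authentication and ad parameter" posts further down: it is only set by a validating resolver, so querying an authoritative server directly will never show it.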
open-source tool for filter out stats from dns logs
Dear Team,

I want to collect some stats (such as which zone has been queried most, which DNS server queries us most, and so on) based on my DNS logs. Is there any open-source tool available to filter out these statistics from my DNS logs?

Thanks and Regards,
Gaurav Kansal
Mob - 9910118448
Happy New Year 2013.
IPv4 is over. Are you ready for the new network?
Query regarding 'UPDATE' field in log entries
Hi,

I am getting the below mentioned log continuously in my log file:

client 2001:db8:0:196:feed:feed:feed:dc#54458: update 'test-zone.in/IN' denied

I have changed the client IP address in the above line. Does it mean that someone is claiming authority over test-zone.in, for which I am the master?

Thanks
Gaurav Kansal
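The two questions above (statistics out of the query log, and what to make of the repeated `update ... denied` lines) are both answered by a pass over the log, so here is one added Python example, not code from the original posts or from ISC, that serves both: it parses BIND query-log and update-security lines, counts clients, zones and query types, and lists sources that keep sending refused dynamic updates. `SAMPLE_LOG` is constructed (the syslog prefix, addresses and names are made up) but follows the shape of BIND's `queries` and `update-security` category messages; the two-label "zone" grouping in `zone_of()` is a heuristic, since a resolver's query log does not record which zone answered.

```python
"""Pull per-client, per-zone and per-type statistics, and denied dynamic
updates, out of BIND query/security log lines.

Added example, not code from the original posts or from ISC. SAMPLE_LOG is
constructed. zone_of() is a heuristic: names under suffixes such as co.in
need a public-suffix list to be grouped correctly.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# BIND 9 query log line, with or without the client pointer and "(qname)"
# that later versions add:
#   client 192.0.2.10#53212: query: www.example.in IN A + (10.0.0.1)
#   client @0x7f... 2001:db8::5#40002 (isc.org): query: isc.org IN AAAA +E(0)K (10.0.0.1)
CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
QUERY_RE = re.compile(CLIENT + r"query: (?P<qname>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S+)")
# update-security line:  client 2001:db8::1#54458: update 'test-zone.in/IN' denied
UPDATE_DENIED_RE = re.compile(CLIENT + r"update '(?P<zone>[^/']+)/(?P<class>[^']+)' denied")


def zone_of(qname: str, labels: int = 2) -> str:
    """Heuristic grouping key: the last `labels` labels of the name."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """One pass over the log: counters for clients, zones, qtypes, EDNS use,
    and (client, zone) pairs whose dynamic updates were refused."""
    clients: Counter = Counter()
    zones: Counter = Counter()
    qtypes: Counter = Counter()
    update_denied: Counter = Counter()
    queries = edns = unparsed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = QUERY_RE.search(line)
        if m:
            queries += 1
            clients[m["ip"]] += 1
            zones[zone_of(m["qname"])] += 1
            qtypes[m["type"]] += 1
            if "E" in m["flags"]:          # 'E' in the flags field: query carried EDNS
                edns += 1
            continue
        m = UPDATE_DENIED_RE.search(line)
        if m:
            update_denied[(m["ip"], m["zone"])] += 1
            continue
        unparsed += 1                      # anything else (resolver chatter, etc.)
    return {"queries": queries, "edns": edns, "clients": clients, "zones": zones,
            "qtypes": qtypes, "update_denied": update_denied, "unparsed": unparsed}


def repeated_update_offenders(stats: Dict[str, object], threshold: int = 2) -> List[Tuple[str, str, int]]:
    """(client, zone, count) for sources that keep sending refused updates.
    A host that is supposed to update the zone belongs in allow-update or
    update-policy; a stranger doing it repeatedly is worth a closer look."""
    denied: Counter = stats["update_denied"]  # type: ignore[assignment]
    return [(ip, zone, n) for (ip, zone), n in denied.most_common() if n >= threshold]


# Constructed sample log (not captured from any real server).
SAMPLE_LOG = """\
Dec 31 03:07:20 IPv6-DNS named[3769]: client 192.0.2.10#53212: query: www.example.in IN A + (10.0.0.1)
Dec 31 03:07:21 IPv6-DNS named[3769]: client 192.0.2.10#53213: query: www.example.in IN A +E (10.0.0.1)
Dec 31 03:07:22 IPv6-DNS named[3769]: client 192.0.2.10#53214: query: mail.example.in IN MX + (10.0.0.1)
Dec 31 03:07:25 IPv6-DNS named[3769]: client 2001:db8::5#40001: query: www.isc.org IN A +E (10.0.0.1)
Dec 31 03:07:26 IPv6-DNS named[3769]: client @0x7f3c2c0a1e60 2001:db8::5#40002 (isc.org): query: isc.org IN AAAA +E(0)K (10.0.0.1)
Dec 31 03:07:30 IPv6-DNS named[3769]: client 2001:db8:0:196:feed:feed:feed:dc#54458: update 'test-zone.in/IN' denied
Dec 31 03:07:31 IPv6-DNS named[3769]: client 2001:db8:0:196:feed:feed:feed:dc#54459: update 'test-zone.in/IN' denied
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns2.surfnet.nl/A' (in 'surfnet.nl'?) after reducing the advertised EDNS UDP packet size to 512 octets
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("queries:", s["queries"], "with EDNS:", s["edns"], "unparsed:", s["unparsed"])
    print("top clients:", s["clients"].most_common(3))
    print("top zones:  ", s["zones"].most_common(3))
    print("qtypes:     ", s["qtypes"].most_common())
    print("refused updates:", repeated_update_offenders(s))
```

Feed it `zcat`-ed rotated logs or a `tail -f` pipe; the counters are in memory only, so for the QPS mentioned elsewhere in this archive you would flush them periodically or move the same regexes into a log shipper. On the `update ... denied` question: the line only says that a client sent a dynamic UPDATE for the zone and the server's `allow-update` policy refused it, which is the default and the safe outcome; the per-client count tells you whether it is one misconfigured host retrying or many sources.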
Query about mirroring Root DNS Server
Dear All,

Somewhere I heard that one of the root servers allows you to take a copy of its zone, so that if you want to get a look and feel for the root DNS servers, you can do so. Is it true? If yes, then can anyone please guide me on which root DNS server allows this?

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI
2012... Now you can use your 1984 calendars again. :P :P
Please don't print this e-mail unless you really need to; it will save trees on planet Earth.
IPv4 is over. Are you ready for the new network?
Bind 9.8.1-P1 is crashing again and again
Dear Team,

My BIND DNS server is crashing again and again. I am getting these logs:

Jul 2 12:03:33 gaurav named[30523]: query.c:5379: INSIST(!is_zone) failed, back trace
Jul 2 12:03:33 gaurav named[30523]: #0 0x805a7a5 in assertion_failed()+0x45
Jul 2 12:03:33 gaurav named[30523]: #1 0x81cd8b7 in isc_assertion_failed()+0x27
Jul 2 12:03:33 gaurav named[30523]: #2 0x8067dac in query_find()+0x561c
Jul 2 12:03:33 gaurav named[30523]: #3 0x8068cdf in query_resume()+0x1ef
Jul 2 12:03:33 gaurav named[30523]: #4 0x81ea103 in isc__taskmgr_dispatch()+0x1c3
Jul 2 12:03:33 gaurav named[30523]: #5 0x81ed6f3 in evloop()+0x73
Jul 2 12:03:33 gaurav named[30523]: #6 0x81ed958 in isc__app_ctxrun()+0x138
Jul 2 12:03:33 gaurav named[30523]: #7 0x81eda02 in isc__app_run()+0x12
Jul 2 12:03:33 gaurav named[30523]: #8 0x805b886 in main()+0x606
Jul 2 12:03:33 gaurav named[30523]: #9 0xc24dec in ??
Jul 2 12:03:33 gaurav named[30523]: #10 0x804bfa1 in _start()+0x21
Jul 2 12:03:33 gaurav named[30523]: exiting (due to assertion failure)
Jul 2 13:49:20 gaurav avahi-daemon[2656]: Invalid query packet.

Why am I getting these errors and what should I do?

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI
2012... Now you can use your 1984 calendars again. :P :P
Please don't print this e-mail unless you really need to; it will save trees on planet Earth.
IPv4 is over. Are you ready for the new network?
RE: DNS64 - multiple mapping
Hi Rock,

So have you got success in mapping a specific v6 network to a defined v4 network?

From: Rock July [mailto:headgea...@yahoo.com]
Sent: Monday, June 04, 2012 10:55 AM
To: Gaurav Kansal; 'Phil Mayers'; bind-users@lists.isc.org
Subject: Re: DNS64 - multiple mapping

Hi Gaurav,

My goal is to map IPv6 to a specific IPv4 network; that is why I use a mapped { } in options.

Regards,
Rock

From: Gaurav Kansal gaurav.kan...@nic.in
To: 'Rock July' headgea...@yahoo.com; 'Phil Mayers' p.may...@imperial.ac.uk; bind-users@lists.isc.org
Sent: Wednesday, May 30, 2012 6:34 PM
Subject: RE: DNS64 - multiple mapping

Why are you using the mapped {} option in the dns64 conf? What we are doing is:

dns64 2001:db8:5200::/96 {
    clients {
        2001:db8:1000:10::/64;
        2001:db8:20:10::/64;
        .......
    };
};

[The rest of the quoted thread (Rock July's question with his two-prefix configuration, and Phil Mayers' reply) appears in full in the post "RE: DNS64 - multiple mapping" below.]
RE: DNS64 - multiple mapping
Why are you using the mapped {} option in the dns64 conf? What we are doing is:

dns64 2001:db8:5200::/96 {
    clients {
        2001:db8:1000:10::/64;
        2001:db8:20:10::/64;
        ...
    };
};

From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Rock July
Sent: Monday, May 28, 2012 8:05 AM
To: Phil Mayers; bind-users@lists.isc.org
Subject: Re: DNS64 - multiple mapping

Hi Phil,

Thanks. We have multiple IPv4 networks and we want to have a different IPv6 address network mapping for each IPv4 network, mainly for security reasons. Based on your reply, I can add multiple dns64 statements in options. Should I configure it like this?

options {
    directory "/var/cache/bind";
    auth-nxdomain no;
    listen-on-v6 { any; };
    allow-query { any; };
    dns64 2001:db8:1::/96 {
        clients { any; };
        mapped { 10.10.10.0/24; };
    };
    dns64 2001:db9:1::/96 {
        clients { any; };
        mapped { 10.10.20.0/24; };
    };
};

Thanks

From: Phil Mayers p.may...@imperial.ac.uk
To: bind-users@lists.isc.org
Sent: Thursday, May 24, 2012 4:15 PM
Subject: Re: DNS64 - multiple mapping

On 05/24/2012 07:36 AM, Rock July wrote:
> Hi All,
> Is it possible for me to add multiple dns64 in options?

Yes.

> I want to have different IPv6 prefix for each IPv4 network address.

I don't know what that means, but the dns64 option takes a quite comprehensive set of ACLs to match client and original packet A address(es) as well as other options. Perhaps you should read the ARM?
RE: DNSSEC
DNSSEC is done on the authoritative side. A caching DNS server only checks whether that particular domain is signed or not, and only if that caching DNS server is designed to do so.

As we don't sign our records on the fly in DNSSEC, DNSSEC doesn't increase the load, but yes, it increases the size of the query response.

By "flow", what do you mean to say?

-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Ben
Sent: Wednesday, May 09, 2012 11:29 AM
To: bind-users@lists.isc.org
Subject: DNSSEC

> Hi,
>
> I have some queries regarding DNSSEC. Kindly clear them up for me.
>
> 1) Is DNSSEC required for authoritative DNS, or for caching DNS, or for both?
> 2) If we enable DNSSEC, do we face any performance problem concerning throughput?
> 3) What is the actual flow of DNSSEC?
>
> Regards,
> Ben
RE: A few conceptual question about dnssec.
> Firstly, where do we get the public key for the DS records?

Can you clarify your question?

> Second, why do I get multiple DS records as response?

You will always get 2 DS records in response: one for SHA-1 and a second for SHA-256.

dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.

; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.                       IN      DS

;; ANSWER SECTION:
isc.org.                86400   IN      DS      12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.                86400   IN      DS      12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org.                86400   IN      RRSIG   DS 7 2 86400 20120309160141 20120217150141 55440 org. SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=

;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE  rcvd: 283

> Why do I get multiple RRSIG records from some servers?

You will get a single RRSIG per RRset.

dig +dnssec -t NS yahoo.com @g.gtld-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com.                     IN      NS

;; AUTHORITY SECTION:
yahoo.com.              172800  IN      NS      ns1.yahoo.com.
yahoo.com.              172800  IN      NS      ns5.yahoo.com.
yahoo.com.              172800  IN      NS      ns2.yahoo.com.
yahoo.com.              172800  IN      NS      ns3.yahoo.com.
yahoo.com.              172800  IN      NS      ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20120222012103 20120215001103 54350 com. gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 20120224144059 20120217133059 54350 com. NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=

;; ADDITIONAL SECTION:
ns1.yahoo.com.          172800  IN      A       68.180.131.16
ns5.yahoo.com.          172800  IN      A       119.160.247.124
ns2.yahoo.com.          172800  IN      A       68.142.255.16
ns3.yahoo.com.          172800  IN      A       121.101.152.99
ns4.yahoo.com.          172800  IN      A       68.142.196.63

;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE  rcvd: 693

> Do we get a RRSIG for each RR retrieved? If so, why does

Not for each RR, but for each RRset.

dig +dnssec -t NS com @a.root-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com.                           IN      NS

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.
Query Regarding AKAMAI Working Model
Dear Team,

I want to know how AKAMAI works. Maybe this is not the right forum to ask, but I am asking it here because AKAMAI heavily depends on its HL-DNS and LL-DNS, and these DNS servers answer queries based on some input they get from BGP routes.

If anyone can help me, then I will be highly obliged.

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI
Please don't print this e-mail unless you really need to; it will save trees on planet Earth.
IPv4 is over. Are you ready for the new network?
RE: A few conceptual question about dnssec.
-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Miek Gieben
Sent: Saturday, February 18, 2012 12:42 AM
To: bind-users@lists.isc.org
Subject: Re: A few conceptual question about dnssec.

> [ Quoting gaurav.kan...@nic.in at 00:36 on Feb 18 in RE: A few conceptual... ]
>>> Firstly, where do we get the public key for the DS records?
>> Can you clarify your question???
>>> Second, why do I get multiple DS records as response?
>> You will always get 2 DS Records in response. One for SHA-1 and second for SHA-256.
>
> That completely depends on what is configured in the zone.

But I think it is recommended that you should always put 2 DS records in your zone file corresponding to each child zone, one for SHA-1 and a second for SHA-256. That's why we always get 2 DS records from the ROOT servers pointing to TLDs.

> Perhaps this will help: http://nlnetlabs.nl/publications/dnssec_howto/
>
> grtz Miek
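The DS exchange in the two posts above (where the "public key for the DS" comes from, and why one key shows up as two DS records) comes down to one computation: the parent hashes the child's owner name plus the DNSKEY RDATA, and a validator repeats that hash to decide whether a DNSKEY it fetched is the one the parent vouched for. The following is an added Python example, not code from the original posts or from BIND, implementing that derivation (RFC 4034 section 5.1.4) and the key tag (RFC 4034 appendix B) so the two digest types can be compared side by side. The DNSKEY used is constructed (a four-byte fake public key under the assumed name example.in), so the output is illustrative and not a real DS for any zone; the isc.org records quoted above cannot be recomputed here because the thread does not include the matching DNSKEY.

```python
"""Derive DS records from a DNSKEY, and check a DS against a key.

Added example, not code from the original posts or from BIND. The DNSKEY
below is constructed; the owner name example.in is an assumption.
"""
import base64
import hashlib
import struct
from typing import Tuple

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, uncompressed, root label included."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split(".") if l)
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey(presentation: str) -> bytes:
    """'257 3 8 <base64...>' as printed by `dig DNSKEY` -> RDATA bytes."""
    flags, protocol, algorithm, *key = presentation.split()
    return dnskey_rdata(int(flags), int(algorithm), base64.b64decode("".join(key)), int(protocol))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B: 16-bit checksum of the RDATA (not the obsolete algorithm 1 rule)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, rdata: bytes, digest_type: int) -> Tuple[int, int, int, str]:
    """(key tag, algorithm, digest type, hex digest): digest = H(owner | DNSKEY RDATA)."""
    algorithm = rdata[3]
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_text(owner: str, rdata: bytes, digest_type: int) -> str:
    """Presentation form of the DS RDATA, as it would appear in the parent zone."""
    tag, alg, dtype, digest = ds_rdata(owner, rdata, digest_type)
    return f"{tag} {alg} {dtype} {digest}"


def ds_matches(owner: str, rdata: bytes, ds_presentation: str) -> bool:
    """Validator-side check: does this DNSKEY hash to the DS the parent published?
    dig breaks long digests with spaces; those are joined before comparing.
    Unknown digest types are treated as not matching (a validator must fall
    back to another DS or treat the delegation as insecure, RFC 4035 5.2)."""
    tag, alg, dtype, *digest = ds_presentation.split()
    if int(dtype) not in DIGESTS:
        return False
    expected = (int(tag), int(alg), int(dtype), "".join(digest).upper())
    return ds_rdata(owner, rdata, int(dtype)) == expected


# Constructed key: KSK flags (257), protocol 3, algorithm 8 (RSASHA256), fake 4-byte key.
SAMPLE_DNSKEY = "257 3 8 AQIDBA=="

if __name__ == "__main__":
    rdata = parse_dnskey(SAMPLE_DNSKEY)
    print("key tag:", key_tag(rdata))
    for dtype in (1, 2):
        print("example.in. IN DS", ds_text("example.in.", rdata, dtype))
    print("matches own DS:", ds_matches("example.in.", rdata, ds_text("example.in.", rdata, 2)))
```

Both DS records print with the same key tag and algorithm and differ only in the third field and the digest, which is exactly the pattern in the isc.org answer (12892 5 2 and 12892 5 1). Nothing forces a parent to publish two; it is a choice made when the DS set is submitted, and a validator needs only one it can compute, so the SHA-1 variant adds no security once the SHA-256 one is present.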
RE: Query Regarding AKAMAI Working Model
-----Original Message-----
From: Chuck Swiger [mailto:cswi...@mac.com]
Sent: Saturday, February 18, 2012 1:04 AM
To: Gaurav kansal
Cc: bind-users@lists.isc.org
Subject: Re: Query Regarding AKAMAI Working Model

Hi, Gaurav--

On Feb 17, 2012, at 11:15 AM, Gaurav kansal wrote:

I want to know how AKAMAI works

They work well. :-)

Ya. They work well. That's why the majority of content providers are using them. :-)

Maybe this is not the right forum to ask but I am asking this here because AKAMAI heavily depends on its HL-DNS and LL-DNS AND these DNS Servers answer the query based on some input it gets from BGP Routes.

They've got a fair amount of documentation publicly available describing their CDN network, pushing updates from origin to their Edge servers, Akamai'zed URL format, determining which Edge servers should be returned for a client request, based on geo location, network location, availability and throughput, failover, and so forth.

http://www.akamai.com/html/technology/products/index.html

It's not completely off-topic, but you'd likely do better to ask them directly if you need more info.

I searched a lot but didn't find an answer to my question. I have a few questions about their working model. First is, why are they doing CNAME 4 times for each zone??

For ex:

;; QUESTION SECTION:
;www.cisco.com. IN A

;; ANSWER SECTION:
www.cisco.com. 236 IN CNAME www.cisco.com.akadns.net.
www.cisco.com.akadns.net. 268 IN CNAME geoprod.cisco.com.akadns.net.
geoprod.cisco.com.akadns.net. 206 IN CNAME www.cisco.com.edgekey.net.
www.cisco.com.edgekey.net. 11010 IN CNAME www.cisco.com.edgekey.net.globalredir.akadns.net.
www.cisco.com.edgekey.net.globalredir.akadns.net. 257 IN CNAME e144.cd.akamaiedge.net.
e144.cd.akamaiedge.net. 7 IN A 125.252.232.170

What's the need of doing CNAME 4 times, and AKAMAI does this thing for each domain they take care of.

Regards,
--
-Chuck
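The quoted dig output is a CNAME chain, and what matters operationally is how long it is, where it ends and how quickly it can change: each hop is a separate record with its own TTL, so the shortest TTL on the path bounds how long the whole answer can be served from cache unchanged. The following is an added example, not code from the page or from Akamai; it parses the answer section exactly as quoted above (re-typed as constructed input), follows the chain from the query name to the terminal A record, and reports the hop count, the terminal records and the effective TTL, refusing to loop forever on a constructed two-record cycle.

```python
import re

# ANSWER SECTION of the dig output quoted above, re-typed here as constructed input.
ANSWER_SECTION = """\
www.cisco.com. 236 IN CNAME www.cisco.com.akadns.net.
www.cisco.com.akadns.net. 268 IN CNAME geoprod.cisco.com.akadns.net.
geoprod.cisco.com.akadns.net. 206 IN CNAME www.cisco.com.edgekey.net.
www.cisco.com.edgekey.net. 11010 IN CNAME www.cisco.com.edgekey.net.globalredir.akadns.net.
www.cisco.com.edgekey.net.globalredir.akadns.net. 257 IN CNAME e144.cd.akamaiedge.net.
e144.cd.akamaiedge.net. 7 IN A 125.252.232.170
"""

# Constructed two-record loop: the failure mode a chain follower must detect.
LOOP_SECTION = "a.example. 60 IN CNAME b.example.\nb.example. 60 IN CNAME a.example.\n"

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_answer_section(text):
    """Parse dig-style 'owner ttl IN type rdata' lines into (owner, ttl, type, rdata) tuples."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank lines and dig's ;; comment lines
        m = RR_LINE.match(line)
        if not m:
            raise ValueError("unparsed line: %r" % line)
        owner, ttl, rtype, rdata = m.groups()
        if rtype.upper() in ("CNAME", "NS"):
            rdata = rdata.lower()         # names compare case-insensitively; addresses stay as-is
        rrs.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return rrs


def follow_cname_chain(rrs, qname, qtype="A", max_hops=8):
    """Walk CNAMEs from qname to the terminal records of type qtype.

    Returns a dict with the (alias, target) hops, the terminal RRs, the effective
    TTL (the shortest TTL on the path, after which some link must be refetched),
    and an error string when the chain loops or exceeds max_hops."""
    by_owner = {}
    for owner, ttl, rtype, rdata in rrs:
        by_owner.setdefault(owner, []).append((ttl, rtype, rdata))
    result = {"chain": [], "terminal": [], "ttl": None, "error": None}
    name, ttls, seen = qname.lower(), [], set()
    while True:
        if name in seen:
            result["error"] = "CNAME loop at %s" % name
            return result
        seen.add(name)
        records = by_owner.get(name, [])
        cnames = [r for r in records if r[1] == "CNAME"]
        if not cnames:
            result["terminal"] = [r for r in records if r[1] == qtype]
            ttls += [r[0] for r in result["terminal"]]
            result["ttl"] = min(ttls) if ttls else None
            return result
        if len(result["chain"]) >= max_hops:
            result["error"] = "more than %d CNAME hops" % max_hops
            return result
        ttl, _, target = cnames[0]
        result["chain"].append((name, target))
        ttls.append(ttl)
        name = target


if __name__ == "__main__":
    r = follow_cname_chain(parse_answer_section(ANSWER_SECTION), "www.cisco.com.")
    print("%d hops, terminal %s, effective TTL %s" % (len(r["chain"]), r["terminal"], r["ttl"]))
```

For the quoted answer the chain is five hops long and the effective TTL is 7 seconds, the TTL of the final A record: the outer names are stable for minutes or hours, while the edge address can be swapped almost per query.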
RE: DNSSEC authentication and ad parameter
Ya. It also appears the same to me.

-----Original Message-----
From: Jan-Piet Mens [mailto:jpm...@gmail.com] On Behalf Of Jan-Piet Mens
Sent: Wednesday, January 11, 2012 5:00 PM
To: bind-users@lists.isc.org
Cc: Gaurav kansal
Subject: Re: DNSSEC authentication and ad parameter

DNS OARC runs a pair of validating servers, open to the public.

It appears their BIND server has a DLV anchor configured, but their Unbound instance doesn't.

-JP
RE: DNSSEC authentication and ad parameter
Thanks Anand.

I have one more question. Is there any option in bind which facilitates me to answer my clients for that zone only which has DNSSEC enabled??? For all other queries, it should not answer.

Please don't print this e-mail unless you really need to; it will save trees on Planet Earth.
IPv4 is over. Are you ready for the new network?

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI

-----Original Message-----
From: Anand Buddhdev [mailto:ana...@ripe.net]
Sent: Wednesday, January 11, 2012 4:37 PM
To: Gaurav kansal
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC authentication and ad parameter

On 11/01/2012 11:13, Gaurav kansal wrote:

Hi Gaurav,

Now, I understand why I was not getting my AD flag set in the query response. I tried from google dns (8.8.8.8) also but didn't get the AD bit set.

This may be because 8.8.8.8 might not be configured for DLV validation.

Is there any open dns available from which I can check my domain for the AD flag set?

DNS OARC runs a pair of validating servers, open to the public. Here's a page with more information about them:

https://www.dns-oarc.net/oarc/services/odvr

Regards,
Anand Buddhdev
RIPE NCC
DNSSEC authentication and ad parameter
Dear All,

I had purchased a new domain especially for DNSSEC testing. But when I asked my registry to insert my DS keys in the .in zone file, I got the answer that .in is still not ready for this although .in is signed.

I tried to authenticate my domain through ISC dlv. I uploaded my DS key there and it is showing a GOOD status for my domain but still I am not getting the ad parameter in my dig answer.

Anyone please explain what I have to do next so that I can give authenticated answers for the test.nknsec.in domain.

Zone List
https://dlv.isc.org/users/1632/zones/new (add a zone)

Zone Name        Status   DNSKEYs   Zone Actions
test.nknsec.in   Good     1         https://dlv.isc.org/zones/7129/dnskeys/new (add)
                                    https://dlv.isc.org/zones/7129 (details)
                                    https://dlv.isc.org/zones/7129 (delete)

Copyright (C) 2010 by Internet Systems Consortium.

Please don't print this e-mail unless you really need to; it will save trees on Planet Earth.
IPv4 is over. Are you ready for the new network?

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI
.IN Domain is DNSSEC enabled or not
Dear All,

I am new to DNSSEC. I purchased a new domain especially for testing dnssec. When I asked my domain seller to put my DS key in the .IN Domain, they said that the .IN Domain is still not ready for this. But as per my knowledge .IN is DNSSEC ready.

I did the dig @8.8.8.8 in. NS +dnssec query, and it is showing the RRSIG record in the query answer. Is this sufficient to prove that the .IN Domain is DNSSEC enabled or do I have to check something else?

Please don't print this e-mail unless you really need to; it will save trees on Planet Earth.

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI
RE: added new name server to zone are missing from the slave
Did you increment the Serial Number in SOA??

-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Gregory Machin
Sent: Tuesday, 20 December, 2011 7:40 AM
To: bind-us...@isc.org
Subject: added new name server to zone are missing from the slave

Hi.

I have added 2 new name servers ns3 and ns4 to my zone. When I use dig against the master they are shown in the list. When I do a dig against the slave only the original servers ns1 and ns2 are there. I have deleted the slave zone files and even after transferring the zone again I get the same results.

Master (ns1):

root@ns1:~ # dig @127.0.0.1 mydom.com

; <<>> DiG 9.2.4 <<>> @127.0.0.1 mydom.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61847
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;mydom.com. IN A

;; ANSWER SECTION:
mydom.com. 86400 IN A x.x.64.254

;; AUTHORITY SECTION:
mydom.com. 86400 IN NS ns4.mydom.com.
mydom.com. 86400 IN NS ns1.mydom.com.
mydom.com. 86400 IN NS ns2.mydom.com.
mydom.com. 86400 IN NS ns3.mydom.com.

;; ADDITIONAL SECTION:
ns1.mydom.com. 86400 IN A x.x.64.242
ns2.mydom.com. 86400 IN A x.x.64.254
ns3.mydom.com. 68400 IN A x.x.32.7
ns4.mydom.com. 68400 IN A x.x.32.9

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 20 15:06:52 2011
;; MSG SIZE rcvd: 183

Slave (ns3):

root@ns3:/var/lib/bind# dig @127.0.0.1 mydom.com

; <<>> DiG 9.7.1-P2 <<>> @127.0.0.1 mydom.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38068
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;mydom.com. IN A

;; ANSWER SECTION:
mydom.com. 86400 IN A x.x.64.254

;; AUTHORITY SECTION:
mydom.com. 86400 IN NS ns1.mydom.com.
mydom.com. 86400 IN NS ns2.mydom.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 20 15:06:29 2011
;; MSG SIZE rcvd: 83

Any suggestions what would cause this?

Thanks
G
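The reply's question is the right one: a secondary only transfers when the primary's SOA serial is newer than the copy it already holds, and "newer" is defined by the 32-bit wrapping arithmetic of RFC 1982, not by plain integer comparison. The following is an added example, not code from the page or from BIND; it implements that comparison, the refresh decision a secondary makes, and the common YYYYMMDDnn serial bump, so the stale-secondary symptom above can be reproduced with constructed serial values.

```python
SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)      # 2^31: the "distance" beyond which order flips
MASK = (1 << SERIAL_BITS) - 1


def serial_gt(a, b):
    """True if serial a is newer than b under RFC 1982 (section 3.2) arithmetic.
    Values within 2^31 of each other compare in the obvious way; the wrap case
    (e.g. 1 vs 4294967295) treats the small value as the newer one."""
    a &= MASK
    b &= MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(s, n):
    """Increment a serial with wrap-around; n must be below 2^31 (RFC 1982 section 3.1)."""
    if not 0 <= n < HALF:
        raise ValueError("increment out of range")
    return (s + n) & MASK


def slave_will_transfer(master_serial, slave_serial):
    """The refresh decision: a secondary that already has slave_serial fetches the
    zone again only when the primary's serial is newer.  Editing the zone file
    without bumping the serial therefore never reaches the secondaries."""
    return serial_gt(master_serial, slave_serial)


def next_date_serial(current, today_yyyymmdd):
    """Next serial in the YYYYMMDDnn convention: bump nn on the same day, otherwise
    start today's date at 01.  Falls back to current+1 if the date-based value would
    not be newer (for example after someone once typed a year from the future)."""
    candidate = today_yyyymmdd * 100 + 1
    if current // 100 == today_yyyymmdd:
        candidate = current + 1
    if not serial_gt(candidate, current):
        candidate = serial_add(current, 1)
    return candidate


if __name__ == "__main__":
    # Constructed scenario matching the thread: NS records added, serial untouched.
    master, slave = 2011121901, 2011121901
    print("transfer after edit without serial bump:", slave_will_transfer(master, slave))
    master = next_date_serial(master, 20111220)
    print("transfer after serial bump to %d:" % master, slave_will_transfer(master, slave))
```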
Zone Transfer Query
Dear All,

I have a master DNS on IPv4 AND a slave DNS on IPv6. I also have an IPv4 address on the slave (but only the IPv6 address is entered in NS).

Now I am trying to transfer my zone from master to slave through the IPv4 address. But it is giving me an error: failed while receiving responses: REFUSED.

So, is the error because I am trying to transfer a zone on a different IP which is not authoritative for that zone, or because of something else?

Thanks and Regards,
Gaurav Kansal
9910118448
RE: Zone Transfer Query
I have already checked this too. I have done an entry in the allow-transfer ACL.

-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Phil Mayers
Sent: Monday, 05 December, 2011 6:07 PM
To: bind-users@lists.isc.org
Subject: Re: Zone Transfer Query

On 05/12/11 12:32, Gaurav Kansal wrote:

Dear All, I have a master DNS on IPv4 AND a slave DNS on IPv6. I also have an IPv4 address on the slave (but only the IPv6 address is entered in NS). Now I am trying to transfer my zone from master to slave through the IPv4 address. But it is giving me an error: failed while receiving responses: REFUSED. So, is the error because I am trying to transfer a zone on a different IP which is not authoritative for that zone, or because of something else?

Something else. You probably have an allow-transfer ACL restricting you at the master.
RE: Not able to resolve a domain
1. When was 1/8 allocated, recently? Maybe you need to update your bogon filter?

Can we anyhow find when an IP block is assigned to an organization by the RIR??? I have tried WHOIS but didn't find anything for the same.

Thanks and Regards,
Gaurav Kansal
8860785630
9910118448

-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of /dev/rob0
Sent: Friday, 18 November, 2011 9:19 PM
To: bind-users@lists.isc.org
Subject: Re: Not able to resolve a domain

On Friday 18 November 2011 09:19:18 King, Harold Clyde (Hal) wrote:

I have found that www.thisisgame.com does not resolve on our DNS servers. Google DNS works fine.

Looks fine from here.

According to dns.14x.org the top level domain com is w. I do not see a w server. I have the most recent named.root file from June. What have I done wrong?

I don't know what that means. IWFM using both normal recursion and direct-to-NS:

;; ANSWER SECTION:
www.thisisgame.com. 1800 IN A 1.234.35.120

;; AUTHORITY SECTION:
thisisgame.com. 1800 IN NS ns1.thisisgame.com.

;; ADDITIONAL SECTION:
ns1.thisisgame.com. 1800 IN A 1.234.35.141

I'll toss out a couple of WAGs at no extra charge!

1. When was 1/8 allocated, recently? Maybe you need to update your bogon filter?

2. It's Korean, are you blocking APNIC space?

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
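Two threads above come down to the same mechanism, an address matched against a prefix list: the zone-transfer REFUSED, where the primary's allow-transfer ACL lists only the secondary's IPv6 address while the AXFR arrives from its IPv4 address (the NS records play no part in that decision), and the unresolvable Korean site, where a bogon list that predates the allocation of 1.0.0.0/8 (IANA assigned it to APNIC in January 2010) still blocks 1.234.35.120. The following is an added example, not code from the page or from BIND. It parses an allow-transfer clause out of a constructed named.conf fragment and evaluates both scenarios; the zone name example.in, the addresses 2001:db8:1::53 and 192.0.2.53 and both bogon lists are constructed.

```python
import ipaddress
import re

# Constructed named.conf fragments (not the poster's configuration): before and
# after the secondary's IPv4 address was added to allow-transfer.
MASTER_CONF_BEFORE = """
zone "example.in" {
    type master;
    file "example.in.zone";
    allow-transfer { 2001:db8:1::53; };
};
"""
MASTER_CONF_AFTER = """
zone "example.in" {
    type master;
    file "example.in.zone";
    allow-transfer { 2001:db8:1::53; 192.0.2.53; };
};
"""

# Constructed bogon lists: a stale snapshot that still carries 1.0.0.0/8 and the
# same list after that entry was removed.
STALE_BOGONS = ["0.0.0.0/8", "1.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16"]
CURRENT_BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16"]


def build_list(entries):
    """Turn address/prefix strings into network objects; 'any' covers both
    address families and 'none' contributes nothing."""
    nets = []
    for e in entries:
        e = e.strip()
        if e == "any":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif e and e != "none":
            nets.append(ipaddress.ip_network(e, strict=False))  # bare address -> /32 or /128
    return nets


def parse_allow_transfer(conf_text):
    """Address list of the first allow-transfer { ... }; clause.  Simplified: literal
    addresses, prefixes, 'any' and 'none' only (no named ACLs, no TSIG keys)."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", conf_text)
    return build_list(m.group(1).split(";")) if m else []


def match_network(nets, source_ip):
    """First list entry covering source_ip, or None.  Families never cross-match:
    an IPv4 source can only ever match an IPv4 entry."""
    ip = ipaddress.ip_address(source_ip)
    for net in nets:
        if net.version == ip.version and ip in net:
            return net
    return None


def transfer_decision(acl, source_ip):
    """What the primary does with an AXFR request from source_ip: REFUSED unless the
    requester matches an allow-transfer entry, whatever the zone's NS records say."""
    return "OK" if match_network(acl, source_ip) is not None else "REFUSED"


if __name__ == "__main__":
    for label, conf in (("before", MASTER_CONF_BEFORE), ("after", MASTER_CONF_AFTER)):
        acl = parse_allow_transfer(conf)
        print(label, "AXFR from 192.0.2.53:", transfer_decision(acl, "192.0.2.53"))
    print("stale list blocks 1.234.35.120 via", match_network(build_list(STALE_BOGONS), "1.234.35.120"))
```

The same matcher serves as a quick audit: run the currently allocated prefixes through an old bogon list and every non-None result is an entry that must go.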
RE: trigger point for new bug
Can you please explain what is the meaning of INVALID RECORD?

Thanks and Regards,
Gaurav Kansal
9910118448

-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Michael McNally
Sent: Thursday, 17 November, 2011 2:50 AM
To: bind-users@lists.isc.org
Subject: Re: trigger point for new bug

On 11/16/11 9:55 AM, Chris Brookes wrote:

Any info on whether the newly announced bug can be triggered before the query ACL is applied on a recursive only server? An authoritative only server ought to be safe?

According to our best current understanding of the issue:

+ Authoritative-only nameservers should be safe and only recursing servers at risk.

+ From the security advisory we have posted on our website:
( http://www.isc.org/software/bind/advisories/cve-2011-4313 )

An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure.

Your server has to be servicing a query for the invalid cache data to pull the trigger on this. That comes after the query ACL is applied.

Although that's somewhat better than anyone, anywhere, can cause this to happen to any server at any time, you should not rely on it, as it requires little imagination to think how a user in your network might be enticed into an action which caused them to issue a query for the malformed data.

Mitigation patches have been posted to the ISC web site which can prevent the server from exiting when the invalid cache data is encountered. We strongly advise anyone running a recursing BIND 9 server to deploy them.

Michael McNally
ISC Support
Query regarding dig output
Dear Sir,

When I query through dig for the nkn.in domain without any additional parameter, it is showing 3 ADDITIONAL records. And when I query through dig for the same nkn.in domain with the +dnssec parameter, it is showing 4 ADDITIONAL records but there are only 3 answers in the ;;ADDITIONAL SECTION. Why is it so???

[@gaurav ~]# dig @180.149.63.3 nkn.in

; <<>> DiG 9.3.3rc2 <<>> @180.149.63.3 nkn.in
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62605
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;nkn.in. IN A

;; ANSWER SECTION:
nkn.in. 86400 IN A 164.100.56.206

;; AUTHORITY SECTION:
nkn.in. 86400 IN NS ns3.nkn.in.
nkn.in. 86400 IN NS ns2.nkn.in.
nkn.in. 86400 IN NS ns1.nkn.in.

;; ADDITIONAL SECTION:
ns1.nkn.in. 86400 IN A 180.149.63.3
ns2.nkn.in. 86400 IN A 180.149.63.66
ns3.nkn.in. 86400 IN AAAA 2405:8a00:1000::2

;; Query time: 2 msec
;; SERVER: 180.149.63.3#53(180.149.63.3)
;; WHEN: Tue Nov 15 17:58:21 2011
;; MSG SIZE rcvd: 154

[@gaurav ~]# dig @180.149.63.3 +dnssec nkn.in

; <<>> DiG 9.3.3rc2 <<>> @180.149.63.3 +dnssec nkn.in
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39199
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nkn.in. IN A

;; ANSWER SECTION:
nkn.in. 86400 IN A 164.100.56.206

;; AUTHORITY SECTION:
nkn.in. 86400 IN NS ns1.nkn.in.
nkn.in. 86400 IN NS ns3.nkn.in.
nkn.in. 86400 IN NS ns2.nkn.in.

;; ADDITIONAL SECTION:
ns1.nkn.in. 86400 IN A 180.149.63.3
ns2.nkn.in. 86400 IN A 180.149.63.66
ns3.nkn.in. 86400 IN AAAA 2405:8a00:1000::2

;; Query time: 603 msec
;; SERVER: 180.149.63.3#53(180.149.63.3)
;; WHEN: Tue Nov 15 17:59:33 2011
;; MSG SIZE rcvd: 165

Thanks and Regards,
Gaurav Kansal
8860785630
9910118448
Reason for Limited number of Root DNS Servers
Dear All,

Somewhere I read that the number of ROOT DNS servers is limited to 13 because of a protocol limitation of DNS and UDP. The exact writing was:

"A combination of limits in the DNS and certain protocols, namely the practical size of unfragmented User Datagram Protocol (UDP) packets, resulted in a limited number of root server addresses that can be accommodated in DNS name query responses. This limit has determined the number of name server installations at (currently) 13 clusters, serving the needs of the entire public Internet worldwide."

As root DNS servers are running in anycast, the number is not an issue at all. But I don't understand where exactly this limitation exists??? Please, someone elaborate on this.

Thanks and Regards,
Gaurav Kansal
9910118448
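The limit the quoted text refers to is the 512-byte payload that RFC 1035 allows a DNS message over UDP without EDNS: the priming response to ". NS" has to carry every root server's NS record plus its A glue, and the budget only works because the names share the root-servers.net suffix and compress to two-byte pointers. The following is an added example,
not code from the page or from any root operator. It builds that response byte for byte with RFC 1035 label compression, using constructed glue addresses from the documentation ranges, and shows where the budget runs out. It also answers the nkn.in ADDITIONAL-count puzzle earlier on this page: the optional OPT pseudo-record is counted in ARCOUNT (and is exactly the 11 bytes by which the two MSG SIZE values there differ) but carries no address and is printed by dig as OPT PSEUDOSECTION, not in ADDITIONAL SECTION.

```python
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS (RFC 1035 section 2.3.4)


def encode_name(name, offsets, pos):
    """Wire-encode a domain name with RFC 1035 label compression.

    offsets maps each suffix already written (e.g. "root-servers.net") to the
    message offset of its first occurrence; pos is where this name will start."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    while labels:
        suffix = ".".join(labels)
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])  # 2-byte pointer
            return bytes(out)
        offsets[suffix] = pos + len(out)
        out.append(len(labels[0]))
        out += labels[0].encode("ascii")
        labels = labels[1:]
    out.append(0)  # root label ends an uncompressed name
    return bytes(out)


def priming_response(n_servers, with_aaaa=False, with_edns=False, ttl=3600000):
    """Build a response to '. IN NS' listing n_servers root servers with glue.

    Names are x.root-servers.net for x = a, b, ...; glue addresses are constructed
    from 192.0.2.0/24 and 2001:db8::/32, not the real root server addresses."""
    if not 1 <= n_servers <= 26:
        raise ValueError("need 1..26 servers for single-letter labels")
    names = ["%s.root-servers.net" % chr(ord("a") + i) for i in range(n_servers)]
    arcount = n_servers * (2 if with_aaaa else 1) + (1 if with_edns else 0)
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n_servers, 0, arcount))
    offsets = {}
    msg += encode_name(".", offsets, len(msg)) + struct.pack("!HH", 2, 1)  # question: . NS IN
    for ns in names:  # answer: the root NS RRset; every RDATA after the first compresses
        msg += encode_name(".", offsets, len(msg)) + struct.pack("!HHI", 2, 1, ttl)
        rdata = encode_name(ns, offsets, len(msg) + 2)
        msg += struct.pack("!H", len(rdata)) + rdata
    for i, ns in enumerate(names):  # additional: A glue, owner names are all pointers
        msg += encode_name(ns, offsets, len(msg)) + struct.pack("!HHIH", 1, 1, ttl, 4)
        msg += bytes([192, 0, 2, i + 1])
    if with_aaaa:
        for i, ns in enumerate(names):  # AAAA glue costs 28 bytes per server
            msg += encode_name(ns, offsets, len(msg)) + struct.pack("!HHIH", 28, 1, ttl, 16)
            msg += bytes([0x20, 0x01, 0x0D, 0xB8]) + bytes(11) + bytes([i + 1])
    if with_edns:
        # OPT pseudo-RR (RFC 6891): root owner, type 41, the class field carries the
        # advertised UDP size, no options.  11 bytes, counted in ARCOUNT, no address.
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return bytes(msg)


def fits_in_udp(n_servers, **kw):
    return len(priming_response(n_servers, **kw)) <= UDP_LIMIT


def max_servers_in_udp(**kw):
    """Largest server count whose priming response still fits in 512 bytes."""
    n = 0
    while n < 26 and fits_in_udp(n + 1, **kw):
        n += 1
    return n


def arcount(msg):
    """ARCOUNT field of a wire-format message header."""
    return struct.unpack("!H", msg[10:12])[0]


if __name__ == "__main__":
    print("13 servers, A glue only:", len(priming_response(13)), "bytes")
    print("max servers with A glue:", max_servers_in_udp())
    print("13 servers with AAAA glue:", len(priming_response(13, with_aaaa=True)), "bytes")
    print("max servers with AAAA glue:", max_servers_in_udp(with_aaaa=True))
```

With 13 servers and A glue only the message is 436 bytes, the classic figure; under these assumptions two more single-letter servers would still fit. The margin disappears once each server also needs AAAA glue, which is why today's priming responses rely on EDNS to exceed 512 bytes.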
RE: Bind does not reply with no such name to A query
Dear Sven,

The client queries a name for both A and AAAA records. Now, the thing is the NAME exists but either A or AAAA doesn't exist for it. Then how can a server reply that there is no such name??

Thanks and Regards,
Gaurav Kansal
9910118448

From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Beisiegel, Sven
Sent: Wednesday, 09 November, 2011 3:04 PM
To: bind-users@lists.isc.org
Subject: Bind does not reply with no such name to A query at

Hi everyone,

I tried to find a solution to this using Google, but I failed. I'm wondering if this is expected behavior of bind9 or if this is configurable.

I have a domain configured and my server is the authoritative name server for this domain. My server is reachable via IPv4 and IPv6 address. 2 records are configured like this:

dls-koe.gvs.local. 2h A 192.168.100.251
dls-koe-v6.gvs.local. 2h AAAA 2001:4dd0:f9c0:100::251

I have clients that are running with IPv4 and IPv6 address at the same time and are configured with one of the FQDNs above. When the client is sending a query for one of the names, it directly sends an A and AAAA query.

Now for example: The client sends an A query for dls-koe-v6.gvs.local, which is only configured as an AAAA record in the server. I now would expect the server to reply with no such name, but it doesn't.

Other example: The client sends an AAAA query for dls-koe.gvs.local, which is only configured as an A record in the server. Same result.

My question is: Why is bind not replying with no such name in this case? Is this expected behavior? Maybe a configuration issue?

Thanks in advance for any help,
Sven
RE: Using IPv6/IPv4 tunnels to send queries to a DNS server
Ya. It is totally valid. In fact we have tested the same in our organization for giving internet connectivity to ipv6 islands.

What a tunnel does is basically encapsulate the ipv6 packet in an ipv4 header. So a packet reaches its destination (i.e., the tunnel destination) transparently. And at the destination point, the ipv4 header is removed and the packet is forwarded as per its ipv6 destination.

No issue at all except slowness in opening some websites due to the MTU size of the tunnels. So keep in mind the MTU size of your tunnel AND fine tune it for smooth browsing.

Thanks and Regards,
Gaurav Kansal
9910118448

-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Hansen Candrawinata
Sent: Thursday, 10 November, 2011 9:35 AM
To: bind-users@lists.isc.org
Subject: Using IPv6/IPv4 tunnels to send queries to a DNS server

This is not strictly a BIND related question, but thought someone here probably knew the answer.

Is it valid to use IPv6/IPv4 tunnels to send DNS queries to a DNS server? Does anyone know what the standards (RFCs) say about this?

Thanks.
How to show the Recursion behaviour of DNS Servers
Dear All,

Is there any way in the dig or nslookup utility to see the whole path which a DNS Server follows for giving me the answer?

For eg: Suppose I ask what is www.nkn.in from the Google 8.8.8.8 server AND at that time the Google 8.8.8.8 DNS doesn't have the answer in its cache. Then it will first go to the root servers, then the .in NS server and then the nkn.in NS server.

I wanna show this to my trainees as a POC. Is this possible?

Thanks and Regards,
Gaurav Kansal
NIC
8860785630
9910118448
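The walk described above (root, then the .in servers, then the nkn.in servers) is what an iterative resolver does with an empty cache, and it also settles Sven's question in the previous thread: each authoritative server answers with a referral, an answer, an empty NOERROR answer when the name exists but has no record of the requested type (the NODATA case), or NXDOMAIN only when the name itself does not exist. The following is an added example, not code from the page or from BIND or dig; it models three constructed zones (root, in, nkn.in, with glue addresses from 192.0.2.0/24 and 2001:db8::/32) and an iterative resolver that records the path of zones consulted, so the referral chain can be shown offline to trainees. The zone contents and the server addresses are assumptions.

```python
# Constructed zone data for three authoritative servers: the root, the "in" TLD
# and "nkn.in".  Names are lowercase without a trailing dot; the root zone is
# keyed ".".  Nothing here is a real root, TLD or nkn.in server.
ZONES = {
    ".": {
        "in": {"NS": ["ns1.registry.in"]},            # delegation of .in
        "ns1.registry.in": {"A": ["192.0.2.2"]},       # glue for that delegation
    },
    "in": {
        "in": {"NS": ["ns1.registry.in"]},             # apex
        "ns1.registry.in": {"A": ["192.0.2.2"]},
        "nkn.in": {"NS": ["ns1.nkn.in"]},              # delegation of nkn.in
        "ns1.nkn.in": {"A": ["192.0.2.3"]},            # glue
    },
    "nkn.in": {
        "nkn.in": {"NS": ["ns1.nkn.in"], "A": ["192.0.2.10"]},
        "ns1.nkn.in": {"A": ["192.0.2.3"]},
        "www.nkn.in": {"A": ["192.0.2.11"]},
        "v6only.nkn.in": {"AAAA": ["2001:db8::11"]},   # exists, but has no A record
    },
}
SERVERS = {"192.0.2.1": ".", "192.0.2.2": "in", "192.0.2.3": "nkn.in"}  # address -> zone served


def authoritative_answer(zone_name, qname, qtype):
    """Answer as the authoritative server for zone_name would (RFC 1034 section 4.3.2,
    simplified: no wildcards, no CNAMEs).  Returns (rcode, kind, payload) with kind one
    of "answer", "referral", "nodata" (name exists, type does not) or "nxdomain"."""
    zone = ZONES[zone_name]
    labels = qname.split(".")
    for i in range(len(labels)):                       # qname first, then each parent
        name = ".".join(labels[i:])
        if name == zone_name:
            break                                      # reached the apex: no zone cut above qname
        if name in zone and "NS" in zone[name]:        # a zone cut below the apex: refer
            ns_names = zone[name]["NS"]
            glue = {n: zone[n]["A"] for n in ns_names if n in zone and "A" in zone[n]}
            return "NOERROR", "referral", (name, ns_names, glue)
    if qname not in zone:
        return "NXDOMAIN", "nxdomain", None
    rrset = zone[qname].get(qtype)
    if rrset:
        return "NOERROR", "answer", rrset
    return "NOERROR", "nodata", None                   # the name exists, so never NXDOMAIN


def resolve(qname, qtype, root_ip="192.0.2.1", max_hops=10):
    """Iterate like a recursive resolver with an empty cache: start at the root,
    follow referrals using the glue they carry, and record the zones consulted."""
    server, path = root_ip, []
    for _ in range(max_hops):
        zone_name = SERVERS[server]
        path.append(zone_name)
        rcode, kind, payload = authoritative_answer(zone_name, qname, qtype)
        if kind != "referral":
            return {"rcode": rcode, "kind": kind, "data": payload, "path": path}
        delegated, ns_names, glue = payload
        # Take the first NS that came with glue; resolving a glueless NS name
        # would be another full lookup and is not modelled here.
        next_ip = next((glue[n][0] for n in ns_names if n in glue), None)
        if next_ip is None:
            raise RuntimeError("referral to %s without usable glue" % delegated)
        server = next_ip
    raise RuntimeError("too many referrals")


if __name__ == "__main__":
    for q in (("www.nkn.in", "A"), ("v6only.nkn.in", "A"), ("nope.nkn.in", "A")):
        r = resolve(*q)
        print("%s/%s: %s %s via %s" % (q[0], q[1], r["rcode"], r["kind"], " -> ".join(r["path"])))
```

The three queries in the usage block print the same path, root -> in -> nkn.in, but three different outcomes: an answer, NOERROR with no data, and NXDOMAIN. For a live demonstration against the real hierarchy, dig's +trace option performs the same walk from the root and prints each referral.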
DNS64 Query
Dear All,

As we have DNS64 functionality available for accessing ipv4 content (internet) from an ipv6-only host, is there any functionality available for accessing the IPv6 internet from an IPv4-only host??

For eg: I have a website ipv6.nkn.in running on ipv6. Now I want to access this website from an ipv4 machine. For this, I need DNS Translation. Is this possible?

Thanks and Regards,
Gaurav Kansal
8860785630
9910118448
RE: DNS64 Query
Dear Karl,

First of all thanks for the prompt reply.

I think I didn't explain myself clearly. I have a website which is already running on ipv6 and I want to access the same from an ipv4 network.

Instant6.com provides the functionality to make a website which is only on the ipv4 internet accessible from an ipv6 network. But I need the reverse one. I already have my website running on ipv6 and want to make it accessible to ipv4-only network users.

Thanks and Regards,
Gaurav Kansal
8860785630
9910118448

-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Karl Auer
Sent: Thursday, 03 November, 2011 6:33 PM
To: bind-users@lists.isc.org
Subject: Re: DNS64 Query

On Thu, 2011-11-03 at 16:15 +0530, Gaurav Kansal wrote:

Is there any functionality available for accessing IPv6 internet from IPv4 only host?? [...] I have a website ipv6.nkn.in running on ipv6. Now I want to access this website from ipv4 machine. For this, I need DNS Translation. Is this is possible?

instant6.com

Regards, K.

PS: I have an interest in this service.

--
~~~
Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/kauer/ +61-428-957160 (mob)
GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
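DNS64 is one-directional by construction: it synthesizes AAAA records by embedding an IPv4 address in a Pref64 prefix (RFC 6052), and a NAT64 gateway later extracts that IPv4 address from packets sent to the synthesized address. The reverse request in this thread cannot be met the same way, because no A record can be synthesized that an IPv4-only client could use to reach an IPv6-only host; that side needs an IPv4-reachable, dual-stack proxy, which in DNS terms is just an ordinary A record for the proxy. The following is an added example, not code from the page or from BIND; it implements /96 synthesis and extraction for the well-known prefix 64:ff9b::/96 and for an assumed site prefix 2001:db8:64::/96, plus the answer a DNS64 resolver gives when real AAAA records exist.

```python
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known Pref64


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a /96 Pref64 (RFC 6052 section 2.2), the layout used
    with a /96 prefix such as 64:ff9b::/96 in BIND's dns64 statement.  Other prefix
    lengths place a zero byte at octet 8 and are deliberately rejected here."""
    prefix = ipaddress.IPv6Network(prefix)
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """The inverse mapping a NAT64 gateway applies to packets sent to a synthesized
    address; None for addresses outside the prefix."""
    prefix = ipaddress.IPv6Network(prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(records, prefix=WELL_KNOWN_PREFIX):
    """AAAA answer a DNS64 resolver returns for a name with the given real records.
    Returns (addresses, synthesized).  Real AAAA records pass through untouched;
    only when there are none are AAAA records synthesized from the A records.
    Nothing here can help an IPv4-only client: the mapping is AAAA-from-A only."""
    if records.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in records["AAAA"]], False
    return [synthesize_aaaa(a, prefix) for a in records.get("A", [])], True


if __name__ == "__main__":
    # Constructed record sets: an IPv4-only site and a dual-stack site.
    for name, recs in (("v4only.example", {"A": ["192.0.2.33"]}),
                       ("dual.example", {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]})):
        addrs, synthesized = dns64_answer(recs)
        print(name, [str(a) for a in addrs], "synthesized" if synthesized else "real")
    print("NAT64 maps 64:ff9b::c000:221 back to", extract_ipv4("64:ff9b::c000:221"))
```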
DNS Bulk Query Tool
Dear All,

I set up a new DNS Server using Bind 9.7. For the meantime I opened this server for the whole world. I wanna check how many queries it can handle. Is there any freeware available for checking this?

Is there any tool available by which I can come to know after how much load my DNS will be down (or it will stop responding)???

Thanks and Regards,
Gaurav Kansal
8860785630
9910118448