Re: srv lookup in record

2020-08-25 Thread John Levine
In article  you write:
>> [@temp3]$ dig +short srv _http-apps._server.test._tcp.marathon.mesos
>> 0 1 31024 server.test-usbzr-s3.marathon.mesos.
>> 0 1 31852 server.test-z9x84-s3.marathon.mesos.
>> 0 1 31790 server.test-k7g8r-s4.marathon.mesos.

These SRV records say that the service is on ports 31024, 31852, and 31790 on
the respective servers.  CNAME does not give you a port number.  There is no
way to fake SRV using CNAME.

R's,
John
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: SRV is not CNAME, was srv lookup in record

2020-08-22 Thread John Levine
In article  you write:
>On 2020-08-21 16:26, Marc Roos wrote:
>> Is it possible to use srv lookups, like eg cname. I do not want to
>> create SRV record, I just want to 'get' the ip addresses, that I would
>get via srv lookup.
>
>SRV records are more than just pointers to a specific server, there is 
>also the priority and weight that need to be considered at the 
>application level.

More importantly, SRV records have port numbers.  In SIP, which seems to be
the largest current use of SRV, as often as not the port number is different
from the default 5060.

SRV really is not like CNAME.
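Added example, not part of either message above: what a client has to do with an SRV RRset, which is exactly what a CNAME cannot carry. The three records are the ones from the `dig +short srv` output quoted at the top of the thread; the mixed priority/weight set is constructed, and the RFC 2782 selection rules are implemented here directly rather than taken from any library.

```python
"""SRV target selection per RFC 2782: priority first, then weighted random
choice within a priority. Records below come from the dig output in the thread."""
import random
from dataclasses import dataclass

DIG_SHORT_OUTPUT = """\
0 1 31024 server.test-usbzr-s3.marathon.mesos.
0 1 31852 server.test-z9x84-s3.marathon.mesos.
0 1 31790 server.test-k7g8r-s4.marathon.mesos.
"""


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_short(text):
    """Parse `dig +short SRV` lines: 'priority weight port target'."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed SRV line: {line!r}")
        prio, weight, port, target = fields
        records.append(SRV(int(prio), int(weight), int(port), target))
    return records


def order_targets(records, rng=random):
    """Lowest priority first; within a priority, draw repeatedly with
    probability proportional to weight, weight-0 records placed at the front
    of the candidate list as RFC 2782 requires."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)        # weight 0 sorts first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)                   # inclusive on both ends
            running = 0
            for i, r in enumerate(pool):
                running += r.weight
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


def endpoints(records, rng=random):
    """(host, port) pairs in the order a client should try them. A lone record
    whose target is '.' means the service is decidedly not offered here."""
    if len(records) == 1 and records[0].target == ".":
        return []
    return [(r.target.rstrip("."), r.port) for r in order_targets(records, rng)]
```

Note that the port comes out of the RRset itself: a client that resolved the SRV name as if it were a CNAME would know the hosts but still have to guess 31024, 31852 and 31790.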



Re: Invalid class in dns query

2020-08-05 Thread John Levine
In article  you write:
>Hi all,
>
>Looking for a temporary work around, while an issue gets resolved. I have a
>DNS query coming in with an invalid class requested (65 or 0x41).

The only classes ever assigned were 1, 2, 3, 4, and pseudo-classes 254 and 255.

What is class 65 supposed to be?  Why would anything that wasn't totally broken 
query for it?

R's,
John




Re: Best way to force a TC=1 response?

2020-05-26 Thread John Levine
In article  you write:
>What's the best way to force an A query via UDP to return a TC=1 result:
>a really long CNAME chain?

I'd suggest lots of AAAA records.  You could do it with A records but you'd
need four times as many.

$ dig wordy.examp1e.com AAAA
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.10.6 <<>> wordy.examp1e.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24856
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 187, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wordy.examp1e.com.  IN  AAAA

;; ANSWER SECTION:
wordy.examp1e.com.  3594  IN  AAAA  2001::1
wordy.examp1e.com.  3594  IN  AAAA  2002::2
wordy.examp1e.com.  3594  IN  AAAA  2003::3
wordy.examp1e.com.  3594  IN  AAAA  2004::4
wordy.examp1e.com.  3594  IN  AAAA  2005::5
wordy.examp1e.com.  3594  IN  AAAA  2006::6
wordy.examp1e.com.  3594  IN  AAAA  2006::7
wordy.examp1e.com.  3594  IN  AAAA  2008::8
wordy.examp1e.com.  3594  IN  AAAA  2009::9
wordy.examp1e.com.  3594  IN  AAAA  200a::a
wordy.examp1e.com.  3594  IN  AAAA  200b::b
wordy.examp1e.com.  3594  IN  AAAA  200c::c
wordy.examp1e.com.  3594  IN  AAAA  200d::d
wordy.examp1e.com.  3594  IN  AAAA  200e::e
wordy.examp1e.com.  3594  IN  AAAA  200f::f
wordy.examp1e.com.  3594  IN  AAAA  2010::10
wordy.examp1e.com.  3594  IN  AAAA  2011::11
wordy.examp1e.com.  3594  IN  AAAA  2012::12
wordy.examp1e.com.  3594  IN  AAAA  2013::13
wordy.examp1e.com.  3594  IN  AAAA  2014::14
wordy.examp1e.com.  3594  IN  AAAA  2015::15
wordy.examp1e.com.  3594  IN  AAAA  2016::16
wordy.examp1e.com.  3594  IN  AAAA  2017::17
wordy.examp1e.com.  3594  IN  AAAA  2018::18
wordy.examp1e.com.  3594  IN  AAAA  2019::19
wordy.examp1e.com.  3594  IN  AAAA  201a::1a
wordy.examp1e.com.  3594  IN  AAAA  201b::1b
wordy.examp1e.com.  3594  IN  AAAA  201c::1c
wordy.examp1e.com.  3594  IN  AAAA  201d::1d
wordy.examp1e.com.  3594  IN  AAAA  201e::1e
wordy.examp1e.com.  3594  IN  AAAA  201f::1f
wordy.examp1e.com.  3594  IN  AAAA  2020::20
wordy.examp1e.com.  3594  IN  AAAA  2021::21
wordy.examp1e.com.  3594  IN  AAAA  2022::22
wordy.examp1e.com.  3594  IN  AAAA  2023::23
wordy.examp1e.com.  3594  IN  AAAA  2024::24
wordy.examp1e.com.  3594  IN  AAAA  2025::25
wordy.examp1e.com.  3594  IN  AAAA  2026::26
wordy.examp1e.com.  3594  IN  AAAA  2027::27
wordy.examp1e.com.  3594  IN  AAAA  2028::28
wordy.examp1e.com.  3594  IN  AAAA  2029::29
wordy.examp1e.com.  3594  IN  AAAA  202a::2a
wordy.examp1e.com.  3594  IN  AAAA  202b::2b
wordy.examp1e.com.  3594  IN  AAAA  202c::2c
wordy.examp1e.com.  3594  IN  AAAA  202d::2d
wordy.examp1e.com.  3594  IN  AAAA  202e::2e
wordy.examp1e.com.  3594  IN  AAAA  202f::2f
wordy.examp1e.com.  3594  IN  AAAA  2030::30
wordy.examp1e.com.  3594  IN  AAAA  2031::31
wordy.examp1e.com.  3594  IN  AAAA  2032::32
wordy.examp1e.com.  3594  IN  AAAA  2033::33
wordy.examp1e.com.  3594  IN  AAAA  2034::34
wordy.examp1e.com.  3594  IN  AAAA  2035::35
wordy.examp1e.com.  3594  IN  AAAA  2036::36
wordy.examp1e.com.  3594  IN  AAAA  2037::37
wordy.examp1e.com.  3594  IN  AAAA  2038::38
wordy.examp1e.com.  3594  IN  AAAA  2039::39
wordy.examp1e.com.  3594  IN  AAAA  203a::3a
wordy.examp1e.com.  3594  IN  AAAA  203b::3b
wordy.examp1e.com.  3594  IN  AAAA  203c::3c
wordy.examp1e.com.  3594  IN  AAAA  203d::3d
wordy.examp1e.com.  3594  IN  AAAA  203e::3e
wordy.examp1e.com.  3594  IN  AAAA  203f::3f
wordy.examp1e.com.  3594  IN  AAAA  2040::40
wordy.examp1e.com.  3594  IN  AAAA  2041::41
wordy.examp1e.com.  3594  IN  AAAA  2042::42
wordy.examp1e.com.  3594  IN  AAAA  2043::43
wordy.examp1e.com.  3594  IN  AAAA  2044::44
wordy.examp1e.com.  3594  IN  AAAA  2045::45
wordy.examp1e.com.  3594  IN  AAAA  2046::46
wordy.examp1e.com.  3594  IN  AAAA  2047::47
wordy.examp1e.com.  3594  IN  AAAA  2048::48
wordy.examp1e.com.  3594  IN  AAAA  2049::49
wordy.examp1e.com.  3594  IN  AAAA  204a::4a
wordy.examp1e.com.  3594  IN  AAAA  204b::4b
wordy.examp1e.com.  3594  IN  AAAA  204c::4c
wordy.examp1e.com.  
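Added example (not part of John's message): building the response by hand shows exactly where TC=1 has to be set. The name and the 187 addresses are constructed to mirror the dig output above; the wire encoding is the plain RFC 1035 format with no EDNS OPT record, so `max_size` stands for either the 512-byte classic limit or the EDNS buffer size the client advertised.

```python
"""Hand-built DNS response: add whole AAAA RRs until the next one would exceed
the UDP limit, then set TC so the client retries over TCP. Stdlib only."""
import ipaddress
import struct

QNAME = "wordy.examp1e.com"
AAAA_ADDRS = [f"{0x2001 + i:x}::{i + 1:x}" for i in range(187)]   # 2001::1, 2002::2, ...


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, addrs, max_size=512, msg_id=0x6118, ttl=3600):
    """Return (wire, truncated). Each AAAA RR costs 28 bytes here: a 2-byte
    compression pointer to the QNAME, 10 bytes of fixed fields, 16 of rdata."""
    question = encode_name(qname) + struct.pack("!HH", 28, 1)      # QTYPE AAAA, QCLASS IN
    rrs, size = [], 12 + len(question)                              # 12-byte header
    for a in addrs:
        rdata = ipaddress.IPv6Address(a).packed
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, ttl, len(rdata)) + rdata
        if size + len(rr) > max_size:
            break
        rrs.append(rr)
        size += len(rr)
    truncated = len(rrs) < len(addrs)
    flags = 0x8180 | (0x0200 if truncated else 0)                  # QR RD RA (+TC)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(rrs), 0, 0)
    return header + question + b"".join(rrs), truncated


def is_truncated(wire):
    return bool(struct.unpack("!H", wire[2:4])[0] & 0x0200)


def answer_count(wire):
    return struct.unpack("!H", wire[6:8])[0]


if __name__ == "__main__":
    for limit in (512, 1232, 4096):
        wire, tc = build_response(QNAME, AAAA_ADDRS, limit)
        print(f"udp {limit}: {len(wire)} bytes, {answer_count(wire)} answers, TC={int(tc)}")
```

With this name only 17 AAAA records fit under 512 bytes and 145 under the 4096-byte EDNS buffer dig advertised, so the 187-record set is truncated either way and dig retries over TCP. To look at the truncated UDP answer itself instead of the retry, ask dig not to fall back: `dig +ignore +bufsize=512 wordy.examp1e.com AAAA`.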

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread John Levine
In article  you write:
>On 5/6/20 4:12 PM, John Levine wrote:
>> Since they can't access the root servers, how do you expect them to 
>> do DNS lookups at all?
>There is a copy of the root zone in the environment.
>
>There is also enough net zone for the needed tests.
>
>DNSSEC is obviously not in play with doctored zones in the labs.

Oh, in that case, why don't you just put some adjusted NS entries in
your stub .net zone pointing at your internal name servers?  Seems a
lot easier than fooling around with routing.


Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread John Levine
In article  you write:
>On 5/6/20 3:40 PM, John Levine wrote:
>> Can clients on the internal network contact hosts in the outside 
>> world, or is it really disconnected?
>It depends on which particular lab is being used and what is being tested.
>
>I can guarantee that some of the labs will NOT have access to other 
>networks, much less the Internet.  (Some of them even have a protocol 
>barrier.)

Since they can't access the root servers, how do you expect them to
do DNS lookups at all?

R's,
John


Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread John Levine
In article  you write:
>On 5/6/20 2:29 PM, Grant Taylor wrote:
>> That's one of the hard requirements of what I'm doing.  Not doing that 
>> is not an option.
>
>To elaborate, the internal clients are in a sequestered network which 
>will never have outside access to it.  As such, the outside world can 
>never query something from a system in it.

Can clients on the internal network contact hosts in the outside world,
or is it really disconnected?



Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread John Levine
In article  you write:
>> This really seems like ordinary split horizon DNS.
>
>Please explain what you mean by "split horizon DNS" like I'm a n00b, 
>because obviously my understanding of it differs from what your 
>understanding seems to be.

The DNS server sends different answers depending on the client IP, so
on your internal network it sees the private subdomain, everywhere
else sees an ENT or NXDOMAIN.

If you really have to use physically separate servers for reasons that
you can't explain, I suppose putting the two servers at the same IP
address facing different networks could work, although you're asking
for trouble with route leaks anytime someone adjusts a router anywhere
near one or the other.  Remember that with normal anycast all of the
mirrors send identical or at least equivalent answers so the routes
are not a security issue.

-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread John Levine
In article  you write:
>> I think one possibility (to avoid anycast) is to have an internal and
>> external view for the "example.net" zone, so it can delegate the lab
>> zones to different servers internally and externally.
>
>But how do you do that if the internal and external views are on 
>different servers with completely different IPs?

Don't Do That.

>I ask because now you're back to the same issue, just at the parent 
>domain:  How does the net zone delegate to different example zones 
>depending on if the client is internal or external.
>
>I don't see any options that avoid anycast.

This really seems like ordinary split horizon DNS.

-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: DoH plugin for BIND

2020-05-02 Thread John Levine
In article  you write:
>On Sat, 2 May 2020, Michael De Roover wrote:
>
>> Even if your ISP allows it, chances are that other mail servers will 
>> reject it ...

>My residential-class static IP mail server has never had problems 
>delivering mail. I've checked it many times over the years on many 
>blacklist checkers and never had anything but green lights.

Your ISP is quite unusual.  Count your blessings.  The large cable
providers in the US and Canada block outgoing port 25 on residential
networks.

To whoever said that MUAs still default to port 25 submission, you
must use different MUAs from the rest of us.  All the ones I use
default to 587 and 465.

R's,
John

PS: What does this have to do with BIND?


Re: Using different OS for Master and Slaves

2019-11-13 Thread John Levine
In article  you write:
>I suspect the pain he was referring to is not really DNS-specific, but 
>just due to having to manage servers with different operating systems. 
>This means using a more diverse set of management tools, different 
>configuration syntax, etc.

I have masters running NSD on FreeBSD and a slave running bind on
linux.  It's not unduly hard to manage, give or take some kludgery in
the scripts that manage the config files, but that's because NSD is
different from bind, not because FreeBSD is different from linux.



Re: Proper Way to Configure a Domain which never sends emails

2019-08-20 Thread John Levine
In article  you write:
>El 20/08/2019 a las 9:28, Marco Davids via bind-users escribió:
>> A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be useful.

>Wouldn't that imply having DKIM set up for the domain?

No, of course not.

It says that if mail isn't authenticated, reject it.  An excellent way
to be sure you never get DKIM authentication is not to set up DKIM in
the first place.
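Added example, not part of the exchange above: the receiving side of the `v=DMARC1; p=reject` record, reduced to the decision that matters. It takes the SPF and DKIM results as inputs rather than computing them, approximates the organizational domain as the last two labels (a real implementation uses the public suffix list) and ignores `pct`; domain names and results are constructed.

```python
"""DMARC policy evaluation (RFC 7489): identifier alignment plus the p=/sp=
disposition. Constructed inputs; not the code of any real DMARC filter."""
from dataclasses import dataclass, field

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}


def parse_dmarc(txt):
    """'v=DMARC1; p=reject' -> tag dict with the RFC defaults filled in."""
    tags = dict(DEFAULTS)
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    return tags


def org_domain(name):
    """Organizational domain, approximated as the last two labels."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment wants the identical name; relaxed ('r') accepts
    the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    spf_result: str = "none"                    # pass/fail/softfail/neutral/none
    spf_domain: str = ""                        # MAIL FROM domain SPF was checked for
    dkim: list = field(default_factory=list)    # (d= domain, result) per signature


def dmarc_disposition(record_txt, record_domain, from_domain, auth):
    """'pass' if any aligned identifier authenticated; otherwise the action the
    policy requests (none/quarantine/reject)."""
    pol = parse_dmarc(record_txt)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, pol["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, from_domain, pol["adkim"])
                  for d, res in auth.dkim)
    if spf_ok or dkim_ok:
        return "pass"
    # sp= applies when the RFC5322.From domain is below the record's domain
    if from_domain.lower() != record_domain.lower() and pol["sp"]:
        return pol["sp"]
    return pol["p"]
```

For a domain with `v=spf1 -all` and no DKIM keys there is no way to reach `spf_ok` or `dkim_ok`, so every message claiming to be from it lands on `reject`, which is the whole point of publishing the record.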



Re: Bind has a database option instead of zone files?

2019-01-27 Thread John Levine
In article  you write:
>On 1/27/19 8:57 AM, John Levine wrote:
>> No.  If that's what you want to do, I'd suggest looking at PowerDNS.
>
>John, why would you recommend PowerDNS over BIND's DLZ options?

PowerDNS was designed to serve the data out of databases and its
database usage is a lot more mature, particularly if you use MySQL.

It's open source and well documented, so feel free to do your own research.

R's,
John


Re: Bind has a database option instead of zone files?

2019-01-27 Thread John Levine
In article  you write:
>Greetings!!
>Does BIND have a database option to read zones [if the zones are in a database]
>instead of zone files? If yes, how do I set it up? Can someone help me?

No.  If that's what you want to do, I'd suggest looking at PowerDNS.





Re: Reverse lookup for classless networks

2018-12-27 Thread John Levine
In article  you write:
>On 12/27/18 11:24 AM, John Levine wrote:
>> Well, there's those pesky old DNS standards, but we're used to software 
>> working around screwed up zones.
>
>Agreed.  Which standard(s) does this run afoul of?
>
>> If the parent delegates a name to a child server, the child server must 
>> have an SOA at that name, along with whatever else you might want to 
>> put there.
>
>Which of the other records that must be there are actually queried as 
>part of a normal lookup?
>
>Sure, they should be there or expect failure when someone / something 
>explicitly looks for the SOA record.

Well, yeah, like I said it's wrong but you can often get away with it.
The DNS specs are a mess and the SOA at the top is poorly described in
1034 and 1035 (as is a lot of other stuff.)  You'll definitely lose if
your reverse zones are signed like mine are.

>> I see a delegation loop.   What's the lookup chain supposed to be for 
>> 128.0.192.in-addr.arpa?
>
>192.0.128.0/24 is outside of the zone in question (192.0.2.0/24).  ;-)

I can't type either.  Try 128.2.0.192 which in your example appears to
have an NS in the parent zones pointing at yourdomain, and in
yourdomain pointing back at the parent.

>> PS: What's wrong with using $GENERATE in the parent zone like everyone 
>> else who uses BIND does?
>
>There's nothing wrong with $GENERATE per se.  I advocate using it. 
>That being said, I find that $GENERATE, and other similar shortcuts, can 
>hinder teaching.  I don't want someone to have to learn multiple 
>concepts at the same time (if they aren't already familiar with $GENERATE).

I agree that $GENERATE is a kludge, but since we agree that we want to
control our own rDNS, it's the kludge that gets the job done.  Just
use it.

R's,
John


Re: Reverse lookup for classless networks

2018-12-27 Thread John Levine

In article  you write:
>1)  The parent zone needs to have the delegation like Barry depicted above.
>2)  The child zone needs to have records for the name being looked up. 
>Nothing specifically translates to them needing to be in separate zones.

Well, there's those pesky old DNS standards, but we're used to software
working around screwed up zones.

If the parent delegates a name to a child server, the child server
must have an SOA at that name, along with whatever else you might
want to put there.  BIND will generally forgive what you're doing,
but I wouldn't expect it to work on other name server software.

>I could easily create a zone like this:
>
>; 1.0.192.in-addr.arpa.zone on local nameservers ns{1,2}.yourdomain.com
>$ORIGIN 1.0.192.in-addr.arpa.
>0   IN PTR web.yourdomain.com.
>1   IN PTR ftp.yourdomain.com.
>...
>128 IN NS  ns1.parent.example.
> IN NS  ns2.parent.example.
>129 IN NS  ns1.parent.example.
> IN NS  ns2.parent.example.
>...

>In essence, you end up with two independent zones for the same domain 
>name, 1.0.192.in-addr.arpa, cross delegating /different/ records to each 
>other.  Thus, both are perfectly happy to answer authoritatively with 
>PTR records for the IPs that they are ""responsible for, while 
>""delegating (redirecting) to the other name servers for the IPs that 
>they aren't locally responsible for.

I see a delegation loop.   What's the lookup chain supposed to be
for 128.0.192.in-addr.arpa?

R's,
John

PS: What's wrong with using $GENERATE in the parent zone like everyone
else who uses BIND does?
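Added example, not from the thread and not BIND code: a model of the RFC 2317 classless delegation that `$GENERATE` expands to, next to the cross-delegated zone pair John says loops, with a small resolver that follows referrals and CNAMEs and refuses to loop. Server names follow the thread; the network is 192.0.2.0/24 (the corrected one, documentation space) and the hosts are constructed.

```python
"""RFC 2317 classless in-addr.arpa delegation vs. two zones at the same origin
delegating to each other. Zone data is a dict per server: {origin: {owner: [(type, rdata)]}}."""

ORIGIN = "2.0.192.in-addr.arpa"              # reverse zone for 192.0.2.0/24
PARENT, CHILD = "ns1.parent.example", "ns1.yourdomain.com"


def rfc2317_parent(origin, first, last, prefix, child_ns):
    """What the /24 holder publishes for the block first-last/prefix: an NS
    set for the sub-zone and one CNAME per address, which is what
        $GENERATE first-last $ CNAME $.first/prefix
    expands to in a BIND zone file."""
    sub = f"{first}/{prefix}.{origin}"
    zone = {sub: [("NS", ns) for ns in child_ns]}
    for i in range(first, last + 1):
        zone[f"{i}.{origin}"] = [("CNAME", f"{i}.{sub}")]
    return sub, zone


def rfc2317_child(sub, ns, ptrs):
    """The customer's sub-zone: SOA and NS at its apex, then the PTRs."""
    zone = {sub: [("SOA", f"{ns}. hostmaster.{ns}. 1 3600 900 1209600 3600"),
                  ("NS", ns)]}
    for last_octet, host in ptrs.items():
        zone[f"{last_octet}.{sub}"] = [("PTR", host)]
    return zone


def query(servers, server, name):
    """Minimal authoritative server: referral at a zone cut below the apex,
    otherwise whatever sits at the name (an empty list stands in for NXDOMAIN)."""
    zones = servers[server]
    origin = max((o for o in zones if name == o or name.endswith("." + o)),
                 key=len, default=None)
    if origin is None:
        return "REFUSED", []
    recs = zones[origin]
    labels = name.split(".")
    for i in range(len(labels)):                 # walk from the name up to the apex
        owner = ".".join(labels[i:])
        if owner == origin:
            break
        ns = [r for t, r in recs.get(owner, []) if t == "NS"]
        if ns:
            return "REFERRAL", ns
    return "ANSWER", recs.get(name, [])


def resolve(servers, name, server, qtype="PTR", max_hops=10):
    """Iterative resolver: follows referrals and CNAMEs, and refuses to ask the
    same server the same question twice."""
    seen = set()
    for _ in range(max_hops):
        if (server, name) in seen:
            raise RuntimeError(f"delegation loop: {server} asked again for {name}")
        seen.add((server, name))
        status, data = query(servers, server, name)
        if status == "REFERRAL":
            server = data[0]                     # NS names double as server keys here
            continue
        if status != "ANSWER":
            raise RuntimeError(f"{status} from {server} for {name}")
        cname = [r for t, r in data if t == "CNAME"]
        if cname:
            name = cname[0]
            continue
        return [r for t, r in data if t == qtype]
    raise RuntimeError("too many hops")


def detect_loop(servers, name, server):
    try:
        resolve(servers, name, server)
    except RuntimeError as err:
        return "loop" in str(err)
    return False


def zone_file_lines(zone):
    """Master-file form of a zone dict, to compare with $GENERATE's output."""
    return [f"{owner}. IN {rtype} {rdata}"
            for owner, rrs in zone.items() for rtype, rdata in rrs]


def rfc2317_servers():
    """Upper half of the /24 delegated to the customer the RFC 2317 way."""
    sub, parent = rfc2317_parent(ORIGIN, 128, 255, 25, [CHILD])
    child = rfc2317_child(sub, CHILD, {130: "web.yourdomain.com.", 131: "ftp.yourdomain.com."})
    return {PARENT: {ORIGIN: parent}, CHILD: {sub: child}}


def cross_delegated_servers():
    """The layout John objects to: both servers load a zone at the same origin
    and each delegates 128 to the other."""
    return {PARENT: {ORIGIN: {f"128.{ORIGIN}": [("NS", CHILD)]}},
            CHILD: {ORIGIN: {f"128.{ORIGIN}": [("NS", PARENT)]}}}
```

In the RFC 2317 layout the parent never answers a PTR itself: it hands back a CNAME into the `128/25` sub-zone, whose only delegation points down at the customer, so there is nowhere for the chain to turn back. Two zones with the same origin on two servers give a resolver no such ordering, which is the loop.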



Re: DMARC question

2018-08-15 Thread John Levine
In article  you write:
>We have a couple of small domains whose DNS is served by BIND on our dedicated 
>machines. Almost 3 years ago we had set up DMARC records,
>and were getting reports from various MXs every day until a couple of days ago 
>(Aug 13). Then they suddenly stopped!
>
>Nothing in the BIND config or zone files was changed, and our Postfix mail 
>logs (on our dedicated server) don't show *anything* addressed
>to our DMARC target since then. (I.e., it's not that our spam filtering is 
>dropping them.)
>
>Has anyone ever observed anything like this?

I'm getting the usual reports from Google, Yahoo, and other places, as recently 
as this morning.

It's Just You.



Re: Minimum TTL?

2018-02-10 Thread John Levine
In article  you write:
>The target, instead of very quickly rejecting the spam because of the
>lack of a domain or the lack of DNS, instead has to deal with thousands
>of different IPs.

That's not how spam filters work.  They do filtering based on the IP
address sending the spam and maybe the rDNS.  It makes no difference
whatsoever if there is some other random A record pointing at the
spamming host.  You can't even tell.

>> Botnets are computers with IP addresses.  They don't need DNS pointing
>at them to send spam.
>
>They do to send spam to any mail admin with even half a brain who would
>not accept unauthenticated mail from an IP without an actual domain
>attached.

The half a brain generally requires forward and reverse DNS to match
before using them.  If you know a way to do fast flux rDNS on botnets,
I know a lot of people who'd like to talk to you.

R's,
John


Re: Minimum TTL?

2018-02-09 Thread John Levine
In article  you write:
>For the record, the issue is not RBLs or legitimate domains, it is
>spammer scum that set super-low DNS because they are shotgunning spam
>from a vast botnet and they want to have maximal impact, so you get a
>different IP for every spam they send. It is a way of trying to
>overwhelm a machine's tarpits, blacklists, sshguard protections, and
>others.

Um, you have it completely backward.  Botnets are computers with IP
addresses.  They don't need DNS pointing at them to send spam.  DNSBLs
with low TTLs try and list them the moment the first spam hits the
spamtraps.

There is fast flux DNS for computers running landing pages, but they
tend to use a lot of A records at once and don't care about the TTL
since they're going for quantity, not quality.

>But to answer your question, off-hand, I'd say that any TTL under 60s is
>suspicious and any TTL under 10s is almost certainly intentionally
>abusive.

I hope you're not planning to do much spam filtering.

R's,
John


Re: Minimum TTL?

2018-02-09 Thread John Levine
In article  you write:
>As long as you understand the implications of what you're doing?
>
>The zone owner may be using short TTLs to implement load balancing 
>and/or quick failover. If you extend the TTLs, your users may experience 
>poor performance when they try to go to these sites using out-of-date 
>cache entries.

The zone in question is a DNSBL.  When an address is added to or
removed from a dynamically maintained BL, the short TTL means clients
pick it the change promptly.  If you want your mail filtering to work
reliably, you pay attention to that.  Some of Spamhaus' BLs have
minimum TTLs of 10 seconds, and they do update that fast (not using
BIND, of course.)

The person who asked the original question made it quite clear that
his goal is to use a commercial DNSBL but avoid paying for it, so I don't
see any need to offer further help.

R's,
John


Re: Minimum TTL?

2018-02-08 Thread John Levine
In article  you write:
>you miss the topic
>
>many DNSBL's have a very short TTL and at the same time a limit of 
>queries froma single IP until you need to pay for the service

This doesn't sound like a technical problem.

Is there some reason you shouldn't pay for the service you're using?





Re: search algorithm in DNS

2017-11-08 Thread John Levine
In article  you write:
>I am Munkhbaatar, a master's course student studying the mechanism and algorithms
>of DNS. I want to find the search algorithm in DNS, but
>I have not found documents clearly explaining this on the web. I guess it's
>just a "list search", but I am not
>sure. Please tell me the details of the search algorithm.

There is no search algorithm, only exact match.  See RFCs 1034, 1035, and 2181.

R's,
John

Re: Email & PTR Issues [Solved]

2017-11-07 Thread John Levine
In article  you write:
>> I have issues emailing to certain domains. I use my own mail
>> server to deliver mail. It is currently not sending through SMTP
>> Relay. The failure says that I have a missing PTR record. For example:

I'm amazed that it works at all.  Like most ISPs, AT&T usually blocks
port 25 on their consumer broadband.

If you want to run your own mail server, get a VPS somewhere.  They're cheap,
like $5/mo or less if you pay by the year.  If you just want your mail to work,
get it hosted somewhere.

R's,
John


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread John Levine
This has nothing to do with BIND, but anyway.

In article  you write:
>I would personally try to use -all for new domains from the word go.

Only if you want your mail to mysteriously disappear.  There are a lot
of perfectly legitimate ways to send and route mail that SPF cannot
describe.  Unless your name is Paypal or you are otherwise a giant
phish target, -all is not what you want.

R's,
John


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread John Levine
In article  you write:
>> X.TLD   IN   MX   10 mail.example.com.
>>
>> is perfectly valid, and quite common for people who don't host their own 
>> e-mail.
>
>Okay, but for now each domain will have its one mail server.

If you have one host with one IP, I hope you have one mail server
since only one process can listen on port 25 on a single IP.  Any
normal mail server can host mail for many domains.  My little 1U
server handles 140 different mail domains and it certainly isn't
listening on 140 IPs.

>> Also, why the wildcard CNAME record?  It's definitely not essential to
>> your example.
>
>I believe it will be needed for my wild card TLS certificates.

Nope.  You can have a *.example.com certificate and set up your DNS
and web server for specific names foo.example.com and bar.example.com
and however many others you actually use.

Unless you have special coding in your web sites to handle arbitrary
random domain names, you will probably give people a lot of mysterious
404 pages when they try names you haven't configured.

>Good point, I'll change to "?all" instead.

Right, -all is asking for trouble.

R's,
John
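Added example, not from either of the two replies above: a minimal SPF evaluator run over a constructed DNS table, to show concretely what `-all` does to a message that a third party legitimately forwards. It implements the ip4, ip6, a, mx, include and all mechanisms with qualifiers and nothing else (no macros, exists, ptr or CIDR suffixes on a/mx); it is not the code of any real SPF library, and the domains and addresses are constructed.

```python
"""Minimal RFC 7208 check_host() over a constructed DNS table."""
import ipaddress

DNS = {   # constructed answers; example.com's only legitimate sender is its MX
    "example.com":      {"TXT": ["v=spf1 mx -all"], "MX": ["mail.example.com"]},
    "lenient.example":  {"TXT": ["v=spf1 mx ?all"], "MX": ["mail.example.com"]},
    "nomail.example":   {"TXT": ["v=spf1 -all"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def records(name, rtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def addresses(name):
    return [ipaddress.ip_address(a) for a in records(name, "A") + records(name, "AAAA")]


def check_host(ip, domain, depth=0):
    """Evaluate the domain's SPF record for the connecting IP."""
    addr = ipaddress.ip_address(ip)
    if depth > 10:                                   # include: recursion limit
        return "permerror"
    spf = [t for t in records(domain, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"
    for term in spf[0].split()[1:]:
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            match = True
        elif mech in ("ip4", "ip6"):
            match = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            match = addr in addresses(arg or domain)
        elif mech == "mx":
            match = any(addr in addresses(mx) for mx in records(arg or domain, "MX"))
        elif mech == "include":
            match = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                       # unsupported mechanism
        if match:
            return RESULT[qual]
    return "neutral"                                 # fell off the end of the record


def forwarding_scenario(domain, origin_ip="192.0.2.25", forwarder_ip="203.0.113.9"):
    """The same message twice: delivered straight from the domain's MX, then
    relayed by a forwarder (e.g. an alumni address) that keeps the original
    MAIL FROM, so the receiver evaluates SPF against the forwarder's IP."""
    return {"direct": check_host(origin_ip, domain),
            "forwarded": check_host(forwarder_ip, domain)}
```

With `-all` the forwarded copy evaluates to `fail`, which receivers that act on SPF alone reject at SMTP time; with `?all` it is `neutral` and merely scored. That asymmetry is the "mail mysteriously disappears" John is warning about, and the reason `-all` suits a domain that sends no mail at all far better than one that sends mail people forward.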


Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

2017-06-19 Thread John Levine
In article  you write:
>>* IP with *one* PTR
>>* the A-Record for the PTR matches
>>* smtp_helo_name of your MTA matches the same name
>
>Even this is not required. In fact, requiring this breaks SMTP RFC.
>The only requirement on helo name is that host must exist and be canonical,
>which means it has to point to an A or AAAA record.

Regardless of what the RFC says, if an IP doesn't have matching
forward/backward DNS that is an extremely strong indication that it's
a random computer in a botnet and few people will accept mail from it.

As others have noted, it doesn't matter what the forward/backward name
is so long as at least one pair of A and PTR match.  You do want the
HELO name to resolve correctly; again, a non-resolving HELO is a
very strong indication of a bot.

Yes, we know the SMTP specs say otherwise but they haven't been
updated since bot spam became such a problem.

R's,
John


Re: High performance DNS server configuration?

2016-09-15 Thread John Levine
>Problem is procmail + postfix with rbl's (zen.spamhaus.org and others).
>
>Really big problems are spam botnets, and some days we can get over 5-6
>million messages per day or even more.
>
>Procmail/postfix is doing every check per msg at localdns (localdns =>
>rbl's) server and average check time is 1-2 sec per message and it's
>too much.

I agree that bind is likely not the best DNS cache for this purpose.
You might look at unbound.

More importantly, at that query volume you should be running a local
copy of rbldnsd and rsync'ing the DNSBLs.

R's,
John


Re: Request reverse dns mapping advice

2016-09-05 Thread John Levine
>1.  pick a primary domain from the list of virtual hosts (example2.com)
>2.  use the "real" host name of the server (juvat.example1.com)
>3.  the mail server name (mail.example1.com)
>4.  the dns server name (ns2.example1.com)
>5.  another domain from the virtual hosts list (example 3.com)

Publish a PTR with the mail server name, forget about the rest of
them.  

On today's Internet, you want your mail server to EHLO with a name
that has matching forward and reverse DNS with the server's IP.  If
you don't, you look unnecessarily like a spambot.

Everyone knows that web servers and DNS servers have multiple names,
and neither should be sending unsolicited traffic, so matching rDNS
doesn't matter.

Opinions vary on how well it works to return multiple PTRs.  My
advice is don't borrow trouble you don't need.

R's,
John
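Added example, not from either of John's two replies on rDNS above: the forward-confirmed reverse DNS and HELO checks a receiving MTA applies before it reads a single header, run against a constructed lookup table instead of live DNS so it works offline. The host names echo the thread (mail, juvat and example1/example2); the addresses are documentation space and the table is made up.

```python
"""Forward-confirmed rDNS (FCrDNS) plus a HELO sanity check, as a receiver
would apply them to a connecting IP. DNS answers are a constructed table."""
import ipaddress

DNS = {   # constructed answers; reverse names keyed in in-addr.arpa form
    "mail.example1.com.":        {"A": ["192.0.2.25"], "AAAA": ["2001:db8::25"]},
    "juvat.example1.com.":       {"A": ["192.0.2.25"]},
    "www.example2.com.":         {"A": ["192.0.2.80"]},
    "25.2.0.192.in-addr.arpa.":  {"PTR": ["www.example2.com.", "mail.example1.com."]},
    "80.2.0.192.in-addr.arpa.":  {"PTR": ["www.example2.com."]},
    "bot.example.net.":          {"A": ["198.51.100.7"]},      # no PTR for its IP
}


def lookup(name, rtype):
    key = name.lower()
    if not key.endswith("."):
        key += "."
    return DNS.get(key, {}).get(rtype, [])


def reverse_name(ip):
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip):
    """First PTR target whose A/AAAA set contains ip, else None. One matching
    pair is enough: extra PTRs and extra forward names do no harm."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    for ptr in lookup(reverse_name(ip), "PTR"):
        if any(ipaddress.ip_address(a) == addr for a in lookup(ptr, rtype)):
            return ptr
    return None


def helo_resolves(helo):
    """The HELO/EHLO name must resolve. An address literal like [192.0.2.25]
    is allowed by RFC 5321 but is treated as a bot signal here."""
    if helo.startswith("["):
        return False
    return bool(lookup(helo, "A") or lookup(helo, "AAAA"))


def assess(ip, helo):
    """Verdict a strict receiver reaches from the IP and the HELO alone."""
    confirmed = fcrdns(ip)
    if confirmed is None:
        return "reject: no forward-confirmed PTR"
    if not helo_resolves(helo):
        return "reject: HELO does not resolve"
    if confirmed.rstrip(".").lower() != helo.rstrip(".").lower():
        return f"accept: rDNS {confirmed} (HELO {helo} resolves but differs)"
    return f"accept: rDNS and HELO agree on {confirmed}"
```

192.0.2.25 carries two PTRs and only the second one confirms, which is enough; 198.51.100.7 has a perfectly good forward name and still fails, because the check starts from the IP, not from whatever the client claims.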



Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
>It is true at first glance the regex-esque syntax in our I-D may seem a
>bit complex but I don't believe anywhere near the complexity of NAPTR

None of the complexity of NAPTR is in the DNS or the DNS servers; it's
all in the applications that use NAPTR.  For DNS servers, NAPTR is
just a record it handles the way it does any other normal record, like
A or HINFO.  

This draft requires every DNS server to change the semantics of
wildcards, change the way DNSSEC signatures are computed, and
introduces new RRTYPEs that don't work in existing servers the way RFC
3597 says they should.  Ain't gonna happen.

Really, if you want to do generic rDNS for IPv6, use a specialized
server like we do for DNSBLs.  rbldnsd is open source, everyone uses
it, so you can start with that.

R's,
John


Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
PS:

>I understand rwhois exists but it is much more complicated to manage
>than DNS and for the most part is only used at the RIR level for
>reverse IP namespace.

This would probably be a good time to read up on RDAP.

R's,
John


Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
>beginning of DNS.  It allows address space to be "tagged" and
>organized in a manner that just makes sense.

We'll have to agree to violently disagree at this point.

R's,
John


Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
>Though, if you want to participate in the cargo cult of generic PTRs,
>you don't need the complexity of draft-woodworth-bulk-rr's regex-driven
>templates in your nameserver. Knot DNS's "minimal viable product"
>implementation is ~300 SLOC and uses a hardcoded template.

Having looked at the draft, I agree that its complexity and the multiple
changes it makes to existing DNS semantics make it dead on arrival.

My suggestion if you really want to do this is to use a specialized
server.  People who serve DNSBLs use a specialized server called
rbldnsd.  You give it CIDR ranges of addresses and it synthesizes
DNSBL records, including patching the addresses into TXT records so
they can return stuff like this:

4.3.2.1.bl.bad.example TXT "Blocked -- see http://www.bad.example?ip=1.2.3.4"

where the 1.2.3.4 was plugged in on the fly.

rDNS and DNSBLs are quite similar in DNS function, so you could
probably modify rbldnsd to generate PTR records with patterns in the
same way.  Then just delegate your rDNS zones to it. Since v6 rDNS
breaks names on 4-bit boundaries, even if your delegations are rather
irregular, it's not all that many delegations.

R's,
John
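The name games both DNSBLs and rDNS rely on, as an added example in Python (not rbldnsd's code, and not from the post). It parses an in-addr.arpa or ip6.arpa query name back into an address (IPv6 at 4-bit granularity, one nibble per label), parses a DNSBL query name the same way, and synthesizes a PTR or a DNSBL A/TXT answer from a CIDR-keyed template with the address patched in, returning None where a real server would answer NXDOMAIN. The rule tables, zone names and address ranges are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def reverse_name(ip: str) -> str:
    """Owner name of the PTR for an address, e.g. 4.3.2.1.in-addr.arpa.
    For IPv6 this is 32 single-hex-digit labels under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_name_to_ip(qname: str) -> Optional[IPAddr]:
    """Inverse of reverse_name; None unless the name is a complete /32 or /128 owner."""
    labels = qname.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if (labels[-2:] == ["ip6", "arpa"] and len(labels) == 34
                and all(len(l) == 1 and l in "0123456789abcdef" for l in labels[:32])):
            hexdigits = "".join(reversed(labels[:32]))
            return ipaddress.IPv6Address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:  # e.g. an octet label that is not 0..255
        return None
    return None


def fill(template: str, addr: IPAddr) -> str:
    """{ip} is the address text; {dash} uses '-' in place of '.' / ':' so it fits a hostname."""
    text = addr.exploded if addr.version == 6 else str(addr)
    return template.format(ip=str(addr), dash=text.replace(".", "-").replace(":", "-"))


# Constructed policy: first matching network wins; anything else is NXDOMAIN.
PTR_RULES: List[Tuple[IPNet, str]] = [
    (ipaddress.ip_network("192.0.2.0/24"), "static-{dash}.example.net."),
    (ipaddress.ip_network("2001:db8:1::/48"), "{dash}.dyn6.example.net."),
]


def synthesize_ptr(qname: str, rules: List[Tuple[IPNet, str]] = PTR_RULES) -> Optional[str]:
    addr = reverse_name_to_ip(qname)
    if addr is None:
        return None
    for net, template in rules:
        if addr in net:  # version mismatch simply yields False
            return fill(template, addr)
    return None


# Constructed DNSBL: listed ranges get an A answer and a TXT with the address plugged in.
DNSBL_ZONE = "bl.bad.example."
LISTINGS: List[Tuple[IPNet, str, str]] = [
    (ipaddress.ip_network("198.51.100.0/24"), "127.0.0.2",
     "Blocked -- see http://www.bad.example?ip={ip}"),
]


def dnsbl_query_ip(qname: str, zone: str = DNSBL_ZONE) -> Optional[IPAddr]:
    """DNSBL query names reverse the octets under the list zone, exactly like in-addr.arpa."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    if not q.endswith("." + z):
        return None
    return reverse_name_to_ip(q[: -len(z) - 1] + ".in-addr.arpa")


def synthesize_dnsbl(qname: str, listings=LISTINGS, zone: str = DNSBL_ZONE) -> Optional[Tuple[str, str]]:
    """(A rdata, TXT rdata) for a listed address, None (NXDOMAIN) otherwise."""
    addr = dnsbl_query_ip(qname, zone)
    if addr is None:
        return None
    for net, a_rdata, txt_template in listings:
        if addr in net:
            return a_rdata, fill(txt_template, addr)
    return None


if __name__ == "__main__":
    print(synthesize_ptr(reverse_name("2001:db8:1::5")))
    print(synthesize_dnsbl("9.100.51.198.bl.bad.example."))
```

A server built on this answers every name in a delegated reverse zone from a few lines of policy instead of a zone file with one PTR per address, which is the whole point of rbldnsd-style synthesis.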


Re: Question about dynamic IPv6-PTR-Generation

2016-08-26 Thread John Levine
>A very popular option is to only create or delegate IPv6 PTR entries for
>hosts with static address assignments, and to return NXDOMAIN for
>address space used for dynamic address assignments.

I talk to a lot of large providers at M3AAWG and that's the consensus
about what to do.  If it doesn't have a static address, it's not a
server and it doesn't need rDNS.

R's,
John


Re: Adding CNAME for the root domain issue

2016-04-27 Thread John Levine
>> You would only be able to do this if you could put the CNAME record
>> in the parent domain, instead of delegating domain.com to your own
>> server.  But do any domain registrars support that option?
>
>And would the registry (here, Verisign) accept it? As far as I know,
>no.

This smells a lot like the bundled variant problem, in which you
register one name but get a bunch of lexically related names along
with it, and in some cases the related names are active.  For example,
if you register exàmple.cat, you also get example.cat without the
accent.  Their implementation is terrible, a DNAME at the 2LD.

There's been a lot of discussion about how you might make this work
better, such as BNAME which is supposed to combine CNAME and DNAME.
There's better places to discuss this, of course, since I think we
can assume that should such features be standardized, BIND will
implement them.

R's,
John



Re: Adding CNAME for the root domain issue

2016-04-27 Thread John Levine
Assuming you mean this (notice the dots):

 Domain.com.  CNAME  x.y.com.
 www CNAME x.y.com.

it should work.  Some people believe that you can't have other records
at names below a name with a CNAME, but they are mistaken.

On the other hand, this will not work.

  domain.com. CNAME x.y.com.
  domain.com. MX 10 server.somewhere

To make this work, you need Stephane's hack of copying the A and AAAA records.

R's,
John


Re: frequent queries to root servers

2016-01-30 Thread John Levine
>If chained CNAMEs work for you, more power to you.  But don't be 
>surprised if they fail unexpectedly at some point.

If they don't, you'll have a lot of unhappy users since there's a
whole lot of the Internet they won't be able to see.  

Try www.apple.com and www.microsoft.com, both of which have three
chained CNAMES through Akamai.

R's,
John


Re: Cloud DNS providers for secondary DNS

2015-12-30 Thread John Levine
>My more specific question is this: If I'm a site on the internet looking for a 
>server in my domain for the first time, I query the TLD
>servers for a list of name servers for my domain and pick one to query. 
>Suppose I pick one that has the correct zone information and can
>answer the query, but that specific NS is not listed in the zone record. I 
>believe that's called a LAME nameserver, correct?

Not sure I understand your question.  If you're looking for, say,
www.blah.example, you (actually your DNS cache that does the recursive
lookups) ask the example TLD servers for www.blah.example, and it
answers with some NS records that say that the blah.example domain is
handled by some set of servers.  Then the cache looks up the address
of one of the servers if it doesn't have it already, and asks it for
www.blah.example.  If the server doesn't know the answer, i.e., it
doesn't handle the blah.example zone, that's a lame delegation.  At
that point most caches will try other servers to try and find a
non-lame one so it's not fatal, but it's not a great idea either.

Extra complication ensues when the server's name is within the zone,
e.g., the server for blah.example is ns.blah.example.  In that case,
the A or AAAA record(s) for ns.blah.example are copied into the upper
level zone (the TLD in this case) as "glue" that are returned in the
additional section of the answer, so caches can use it to handle the
request.

R's,
John


Re: Cloud DNS providers for secondary DNS

2015-12-29 Thread John Levine
>Am 30.12.2015 um 03:12 schrieb Luis Daniel Lucio Quiroz:
>> You could use dyndns for that, but it is not free.
>
>do the provide anycast?

Yes, of course.  Dyn is one of the largest DNS providers in the world.

Their basic secondary service is $40/yr.

R's,
John


Re: Cloud DNS providers for secondary DNS

2015-12-29 Thread John Levine
>IN  NS  ns1.mydomain.com.
>IN  NS  ns2.mydomain.com.
>IN  NS  ns1.d-zone.ca  <== Addition
>IN  NS  ns2.d-zone.ca  <== Addition

These questions would, as always, be easier to answer if you gave us
the actual names rather than inventing other names that may or may not
be similar to the real ones.

If your servers are not authoritative for d-zone.ca, which in this
case they very likely aren't, there is no benefit from putting their A
or AAAA records into your zones, since nobody will ask for them.  Just
add the NS records to your own zones, and add them to the list that
the registrar uploads to the TLD zone and it will work.

If you're using nameservers with names within your own zone you have
to set up glue records, but in this case you don't.

R's,
John
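The glue and lame-delegation points from this message and the "Cloud DNS providers" reply above it, as an added example in Python (not from the posts and not BIND code). delegation_set builds what the parent needs for a delegation: the NS set plus A/AAAA glue only for servers named inside the delegated zone, raising if such a server has no address to publish. lame_servers asks each listed server for the zone's SOA through an injectable probe and reports the ones that do not answer authoritatively. The probe table, zone and server names are constructed for the example (d-zone.ca is only reused from the thread as a name).

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata)


def canon(name: str) -> str:
    """Absolute, lower-case, single trailing dot."""
    return name.rstrip(".").lower() + "."


def in_zone(name: str, zone: str) -> bool:
    n, z = canon(name), canon(zone)
    return n == z or n.endswith("." + z)


def delegation_set(zone: str, ns_names: List[str],
                   addresses: Dict[str, List[str]]) -> Tuple[List[Record], List[Record]]:
    """NS records for the parent plus glue for in-zone servers. Out-of-zone servers
    (ns1.d-zone.ca for blah.example) get no glue: resolvers fetch their addresses
    from the servers' own zone, so copying them into this zone helps nobody."""
    addr_map = {canon(k): v for k, v in addresses.items()}
    ns_rrs = [(canon(zone), "NS", canon(n)) for n in ns_names]
    glue: List[Record] = []
    for n in ns_names:
        if not in_zone(n, zone):
            continue
        addrs = addr_map.get(canon(n), [])
        if not addrs:
            raise ValueError(f"{canon(n)} is inside {canon(zone)} and needs glue, none given")
        for a in addrs:
            rtype = "A" if ipaddress.ip_address(a).version == 4 else "AAAA"
            glue.append((canon(n), rtype, a))
    return ns_rrs, glue


# probe(server, zone) -> (rcode, aa) for a non-recursive SOA query sent to that server.
Probe = Callable[[str, str], Tuple[str, bool]]

# Constructed probe results: ns2.d-zone.ca was listed but never configured for the zone.
SAMPLE_PROBE: Dict[Tuple[str, str], Tuple[str, bool]] = {
    ("ns.blah.example.", "blah.example."): ("NOERROR", True),
    ("ns1.d-zone.ca.", "blah.example."): ("NOERROR", True),
    ("ns2.d-zone.ca.", "blah.example."): ("REFUSED", False),
}


def sample_probe(server: str, zone: str) -> Tuple[str, bool]:
    return SAMPLE_PROBE.get((canon(server), canon(zone)), ("SERVFAIL", False))


def lame_servers(zone: str, ns_names: List[str], probe: Probe = sample_probe) -> List[str]:
    """A delegated server that does not answer the zone's SOA with AA set is lame."""
    lame = []
    for n in ns_names:
        rcode, aa = probe(canon(n), canon(zone))
        if rcode != "NOERROR" or not aa:
            lame.append(canon(n))
    return lame


if __name__ == "__main__":
    servers = ["ns.blah.example", "ns1.d-zone.ca", "ns2.d-zone.ca"]
    print(delegation_set("blah.example", servers, {"ns.blah.example": ["192.0.2.53"]}))
    print("lame:", lame_servers("blah.example", servers))
```

The live equivalent of the probe is `dig +norecurse @server zone SOA` and checking that the flags line carries `aa`; do that against every server you hand the registrar before the delegation goes live, not after the first customer complaint.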


Re: SPF RR type

2014-06-05 Thread John Levine
In article mailman.348.1401978387.26362.bind-us...@lists.isc.org you write:
> Are SPF RR types finally dead or not? I've read through rfc7208 it appears
> that they are:

They're dead as in nobody looks at them other than legacy software
that hasn't been updated.  The SPF record was a screwup from beginning
to end.  By the time 4408 came out, there was already a lot of running
SPF software using the badly designed TXT record.  The mail community
never wanted the SPF record but it was added reluctantly to 4408 due
to filibustering by the DNS crowd.  There was never a plausible
transition plan for publishing SPF records, and by the time 7208 came
out it was clearly time to put type 99 out of its misery.*

It's extremely unlikely that the RRTYPE will ever be reused, so you
can publish them if you want, but don't expect anyone to pay attention
to them.  Perhaps they can be reused for steganography.

R's,
John

* - Mark doubtless feels differently.

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-08 Thread John Levine
> DNSMadeEasy calls this an ANAME record, internally they just lookup
> the destination's IP and cache it, updating it as needed.
>
> It works, but it would be nice if this could be done in DNS. Sadly, it
> can't, and probably won't in our lifetimes.

I do a similar thing in my DNS crudware, a pseudo-entry in the zone,
every time the background update script runs, it does A and AAAA
lookups and puts the results in the real zone, bumping the SOA serial
if the result changed since last time.  It's a crock, but one that we
all seem to want.

I suppose we could invent something like an ANAME (that's A and
AAAA name), that worked like a restricted CNAME and does an indirect
lookup only for A or AAAA requests.  Or overimplement it with a bitmap
of the RR types to indirect for.

R's,
John
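The two pieces of the apex problem, from the "Adding CNAME for the root domain" reply above and this message, as one added example in Python (not John's crudware, not DNSMadeEasy's implementation, not BIND). It reads a small master file, flags owner names that carry a CNAME next to other data (the "will not work" case, which at the apex is guaranteed because the SOA and NS live there), and then does the background-script part: an ANAME pseudo-record is expanded into the target's current A/AAAA records and the SOA serial is bumped only when the published set actually changed. The zones, the ANAME pseudo-type and the resolver answers are constructed for the example.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set, Tuple

Record = Tuple[str, str, str]            # (owner, type, rdata), owners absolute
Resolver = Callable[[str, str], List[str]]

# Constructed zone with the apex CNAME the post says will not work: the apex
# also holds SOA, NS and MX, and a CNAME may not share its owner name with anything.
BROKEN_ZONE = """\
$ORIGIN domain.com.
@    SOA   ns1.domain.com. hostmaster.domain.com. 2014050801 7200 900 1209600 300
@    NS    ns1.domain.com.
@    MX    10 server.somewhere.example.
@    CNAME x.y.com.
www  CNAME x.y.com.
"""

# Same zone with an ANAME pseudo-record (an assumption of this example) that the
# update run below turns into real A/AAAA records.
PSEUDO_ZONE = BROKEN_ZONE.replace("@    CNAME x.y.com.", "@    ANAME x.y.com.")

# Constructed answers for the target name (documentation addresses).
SAMPLE_ANSWERS = {("x.y.com.", "A"): ["192.0.2.10", "192.0.2.11"],
                  ("x.y.com.", "AAAA"): ["2001:db8::10"]}


def sample_resolver(name: str, rtype: str) -> List[str]:
    return SAMPLE_ANSWERS.get((name, rtype), [])


def parse_zone(text: str) -> List[Record]:
    """Minimal master-file reader: $ORIGIN, '@', relative owners, optional TTL/class."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        owner = origin if tokens[0] == "@" else tokens[0]
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"
        i = 1
        if tokens[i].isdigit():        # optional TTL
            i += 1
        if tokens[i].upper() == "IN":  # optional class
            i += 1
        records.append((owner, tokens[i].upper(), " ".join(tokens[i + 1:])))
    return records


def cname_conflicts(records: List[Record]) -> Dict[str, Set[str]]:
    """Owners holding a CNAME next to any other type (RFC 1034 section 3.6.2 forbids it)."""
    types: Dict[str, Set[str]] = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner].add(rtype)
    return {o: t for o, t in types.items() if "CNAME" in t and len(t) > 1}


def expand_anames(records: List[Record], resolve: Resolver) -> List[Record]:
    """Replace each ANAME pseudo-record with the target's current A and AAAA records."""
    real = [r for r in records if r[1] != "ANAME"]
    for owner, rtype, target in records:
        if rtype == "ANAME":
            for t in ("A", "AAAA"):
                real.extend((owner, t, addr) for addr in resolve(target, t))
    return real


def bump_serial(soa_rdata: str) -> str:
    fields = soa_rdata.split()        # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    fields[2] = str(int(fields[2]) + 1)
    return " ".join(fields)


def refresh(pseudo_zone: List[Record], published: List[Record],
            resolve: Resolver) -> Tuple[List[Record], bool]:
    """One run of the background update: re-expand the ANAMEs and bump the SOA serial
    only if the record set (ignoring the SOA itself) differs from what is published."""
    def body(rs: List[Record]) -> Set[Record]:
        return {r for r in rs if r[1] != "SOA"}

    new = expand_anames(pseudo_zone, resolve)
    old_soa: Optional[Record] = next((r for r in published if r[1] == "SOA"), None)
    if old_soa is not None and body(new) == body(published):
        return published, False
    idx = next(i for i, r in enumerate(new) if r[1] == "SOA")
    owner, _, rdata = new[idx]
    new[idx] = (owner, "SOA", bump_serial(old_soa[2] if old_soa else rdata))
    return new, True


if __name__ == "__main__":
    print("conflicts:", cname_conflicts(parse_zone(BROKEN_ZONE)))
    real, changed = refresh(parse_zone(PSEUDO_ZONE), [], sample_resolver)
    print(changed, *real, sep="\n")
```

Run refresh from cron with the previously written zone as `published`; the serial only moves when the target's addresses move, so secondaries are not forced to transfer an unchanged zone every few minutes.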


Re: Variable SOAs in negative responses

2014-01-28 Thread John Levine
>> For addresses that aren't listed, some of the NXDOMAINs are a lot less
>> likely to change than others, e.g, the address of an outbound mail
>> server at a large mail provider is unlikely ever to be listed, but a
>> random host at a hosting provider in India, who knows.  So he'd like
>> to have the TTLs on some of those NXDOMAINs be longer than others, by
>> putting a different TTL in the SOA in the authority section.
>
> If you know those IPs, why do you check them for being listed at all?

The DNSBL operator knows the IPs belong to large mail providers.  The
clients don't, and are checking them because they're getting mail from
them.

> If any IP starts spamming, why to give it longer time to appear in the
> blacklists? I don't think this makes sense at all...

Most DNSBLs try to avoid false positives.  The chances that Gmail (or
whoever) would suddenly start sending so much spam that it would swamp
the real mail and make them worth listing are extremely low.

I realize there are DNSBLs that list on the merest whiff of spam and
don't care if they block legitimate mail.  That's not what we're
talking about here.

R's,
John


Variable SOAs in negative responses

2014-01-27 Thread John Levine
A friend (really) asks this question: they have some DNSBLs, which get
a lot of queries.  Sometimes the answer has A or TXT records, meaning
the corresponding address is listed in the DNSBL, sometimes it's
NXDOMAIN which means the address isn't.

For addresses that aren't listed, some of the NXDOMAINs are a lot less
likely to change than others, e.g, the address of an outbound mail
server at a large mail provider is unlikely ever to be listed, but a
random host at a hosting provider in India, who knows.  So he'd like
to have the TTLs on some of those NXDOMAINs be longer than others, by
putting a different TTL in the SOA in the authority section.

The DNS server isn't BIND, coding this up is easy enough.  The question
is what's likely to break at the other end.

Question: what will BIND's cache do if there are inconsistent SOAs for
NXDOMAINS in the same zone?

Bonus question: how does this answer change if we ever do DNSSEC?
(Since the server already generates the RRs on the fly, you can assume
it will do online signing.)

TIA and all that,



Re: Can we do a sub-domain delegation with godaddy?

2014-01-15 Thread John Levine
> I mean I have example.com hosted with Go Daddy while I need sub-domain
> ftp.example.com to be delegated to my internal BIND server.
>
> Does anyone know how to do it in Go Daddy?

The easiest approach in the long run is to move the DNS for the whole
domain to your own DNS servers.  Large cheap hosting services like
Godaddy do not deal well with exceptions.  Pointing the 2LD at your
servers is normal, delegating a subdomain is an exception.

If you have web or other hosting there, you can still point the DNS
records back at them as needed.

R's,
John


Re: Query regardign CNAME

2014-01-01 Thread John Levine
> the DNAME already recommended by Dave Warren is what you want:
>
> xyz.gov.in.   DNAME   xyz.in.

Except that DNAME only applies to names under xyz.gov.in, not to
xyz.gov.in itself.  There are a variety of ways to deal with this
but in practice:

> another possibility is to include the same file to zone files for both
> domains as Leonard Mills recommended.

is the easiest way to do it if you're using BIND.

R's,
John


Re: Query regardign CNAME

2014-01-01 Thread John Levine
>>> xyz.gov.in.  DNAME   xyz.in.
> On 01.01.14 18:16, John Levine wrote:
>> Except that DNAME only applies to names under xyz.gov.in, not to
>> xyz.gov.in itself.
>
> Usually because xyz.gov.in must already have SOA and NS records and
> therefore it's not possible to redirect it easily.

That's what DNAME does, regardless of where in the DNS tree it is.  It
redirects the subtree under the DNAME but not name where the DNAME is.
You can put other RRs (except CNAME of course) at the same name as the
DNAME.

> I found single DNAME easier than playing with $INCLUDE.

If it does what you want, sure.  In the frequent case that it doesn't,
you need to do something else.

R's,
John
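What a DNAME does and does not redirect, as an added example in Python covering both of John's replies in this thread (not code from the posts or from BIND). dname_rewrite performs the RFC 6672 substitution for names strictly below the DNAME owner and returns None for the owner itself; answer() resolves a query against a small record list, returning the owner's own MX/NS/SOA when the owner is asked for, the DNAME plus the synthesized CNAME for anything below it, and raising for the YXDOMAIN case where the rewritten name would exceed 255 octets. The zone content is constructed; only the xyz.gov.in / xyz.in names come from the thread.

```python
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata); names absolute with trailing dot


def canon(name: str) -> str:
    return name.rstrip(".").lower() + "."


def dname_rewrite(qname: str, owner: str, target: str) -> Optional[str]:
    """RFC 6672 substitution: a name strictly below the DNAME owner has the owner
    part replaced by the target. The owner itself is not rewritten: a DNAME
    redirects the subtree under its name, never the name it sits on."""
    q, o, t = canon(qname), canon(owner), canon(target)
    if q == o or not q.endswith("." + o):
        return None
    return q[: -len(o) - 1] + "." + t


# Constructed zone: data at the DNAME owner is allowed (anything but a CNAME),
# data below it is not, so the name servers live in the target zone.
SAMPLE_ZONE: List[Record] = [
    ("xyz.gov.in.", "SOA", "ns1.xyz.in. hostmaster.xyz.in. 2014010101 7200 900 1209600 300"),
    ("xyz.gov.in.", "NS", "ns1.xyz.in."),
    ("xyz.gov.in.", "MX", "10 mail.xyz.in."),
    ("xyz.gov.in.", "DNAME", "xyz.in."),
]


def answer(qname: str, qtype: str, zone: List[Record]) -> List[Record]:
    """Answer one query from a flat record list. Data (or a CNAME) at the exact name
    wins; otherwise the closest enclosing DNAME applies and the server adds the
    CNAME that RFC 6672 tells it to synthesize. [] means no data / NXDOMAIN."""
    q = canon(qname)
    exact = [(o, t, r) for o, t, r in zone
             if canon(o) == q and t.upper() in (qtype.upper(), "CNAME")]
    if exact:
        return exact
    dnames = sorted(((o, r) for o, t, r in zone if t.upper() == "DNAME"),
                    key=lambda x: -len(canon(x[0])))  # longest (closest) owner first
    for owner, target in dnames:
        new = dname_rewrite(q, owner, target)
        if new is not None:
            if len(new) + 1 > 255:  # wire length of a name; RFC 6672 section 2.2 says YXDOMAIN
                raise ValueError("YXDOMAIN: rewritten name exceeds 255 octets")
            return [(canon(owner), "DNAME", canon(target)), (q, "CNAME", new)]
    return []


if __name__ == "__main__":
    for name, qtype in (("www.xyz.gov.in", "A"), ("xyz.gov.in", "MX"), ("xyz.gov.in", "A")):
        print(name, qtype, "->", answer(name, qtype, SAMPLE_ZONE))
```

The third query in the usage block is the case under discussion: asking for A at xyz.gov.in itself gets nothing from the DNAME, which is why the apex needs its own records (or the $INCLUDE approach) when both names should behave the same.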


Re: TXT Record Format with multiple records?

2013-10-12 Thread John Levine
> Please forgive my ignorance, and sorry about all the details. I have
> not been able to find a detailed specification.

TXT records haven't changed since RFC 1034 and 1035.

You can have multiple strings per record, and multiple records per
name.  At the application level, some applications glom multiple
strings per record together, some treat them separately.  There are a
few obscure designs that combine multiple TXT records at the same
name, but you're unlikely to run into any of them.





Re: TXT Record Format with multiple records?

2013-10-11 Thread John Levine
> How, precisely, is the second (or third) string added?

plugh.example TXT "foo" "bar"
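The TXT format behind both replies in this thread, as an added example in Python (not from the posts, not BIND code). It encodes and decodes the RFC 1035 wire form, one length octet plus up to 255 octets per string with several strings per record, prints the master-file form with the quoting that makes "foo" "bar" two strings, splits a long logical value such as a DKIM key into 255-octet pieces, and joins the strings of one record back together the way SPF and DKIM consumers do. The record values are constructed; the only name from the thread is plugh.example.

```python
from typing import List


def encode_txt(strings: List[str]) -> bytes:
    """Wire-format TXT RDATA: a sequence of <character-string>s, each one length
    octet followed by at most 255 octets (RFC 1035 section 3.3)."""
    out = bytearray()
    for s in strings:
        raw = s.encode("utf-8")
        if len(raw) > 255:
            raise ValueError("character-string longer than 255 octets; split it first")
        out.append(len(raw))
        out += raw
    return bytes(out)


def decode_txt(rdata: bytes) -> List[str]:
    """Inverse of encode_txt; rejects truncated data instead of silently dropping it."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated character-string")
        strings.append(rdata[i:i + n].decode("utf-8"))
        i += n
    return strings


def split_long(value: str, size: int = 255) -> List[str]:
    """Split one logical value (an SPF policy, a DKIM key) into 255-octet strings.
    Assumes ASCII content, as SPF and DKIM are; a multi-byte split would not decode."""
    raw = value.encode("utf-8")
    return [raw[i:i + size].decode("utf-8") for i in range(0, len(raw), size)]


def master_file(owner: str, strings: List[str]) -> str:
    """Master-file form: each string quoted and space-separated, with embedded
    backslashes and double quotes escaped. Two quoted strings are two strings."""
    quoted = ['"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"' for s in strings]
    return f"{owner} TXT " + " ".join(quoted)


def logical_value(rdata: bytes) -> str:
    """What SPF (RFC 7208 section 3.3) and DKIM do with one record: concatenate
    its strings with nothing in between. Records at the same name stay separate."""
    return "".join(decode_txt(rdata))


if __name__ == "__main__":
    print(master_file("plugh.example", ["foo", "bar"]))
    print(encode_txt(["foo", "bar"]))
    key = "v=DKIM1; k=rsa; p=" + "A" * 400
    print(master_file("sel._domainkey.plugh.example", split_long(key)))
```

The usual provisioning mistake is the reverse of the question here: pasting a 400-character DKIM key as one quoted string, which a strict zone parser rejects at 255 octets. Splitting it is harmless because every consumer concatenates the strings of a record before parsing.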



Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread John Levine
> OK. I just want to be clear here, and make sure that I have properly
> understood what you have said.   Would it be correct, then, to say that
> at the present moment you are not actually able to produce, cite, or
> describe, with any particularity or specificity, even one individual
> specific incident in which 512 byte packets were used to perpetrate
> any individual, effective, and successful DDoS attack which actually
> resulted in some actual service being denied, and that you are
> likewise unable to relate any specifics about any such purported attack
> which was in any other way worthy of note?

No.  In any reflector attack, the bad guys blast out the requests and
the reflectors send back what they send back.  Since there are still
plenty of DNS caches that don't do EDNS0, some of the traffic is big
packets, some is smaller.  The victims of the attacks for some reason
always have something more pressing to do than to collect detailed
statistics on the distribution of the incoming packets, so nobody
knows what fraction is what.

More to the point, I know you can do arithmetic.  The bad guys have
botnets of 100,000 hosts or more, and there are at least that many
open resolvers (think random networked printers and such) so a factor
of 4 in the amplification ratio isn't important.

When Doug said they were switching to chargen, he wasn't kidding.
There's an unlimited number of things on the net that will respond to
incoming packets.

R's,
John


Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread John Levine
> The entire problem is fundamentally a result of the introduction of EDNS0.
> Wouldn't you agree?

No, that just makes it a little easier.  You pound the patoot out of
someone with 512 byte packets just as much as you can with 4K packets,
just by making your attacking botnet bigger.

The real solution is BCP 38, to keep spoofed packets out of the
network in the first place.  With widely implemented BCP 38, open
resolvers wouldn't matter since you could only DoS yourself, or at
worst someone else on your own network segment.

R's,
John
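The open-resolver side of the two messages above, as an added example in Python (not from the posts, not BIND code). Whether or not the response size matters, a resolver that answers recursion-desired queries from the whole Internet is a reflector, and the abuse shows up in the query log before the victim calls. The script parses BIND's query-log line format (both the older "client IP#port" and the newer "client @0x... IP#port" forms), ignores clients inside the networks the server is meant to serve, and reports outside sources sending recursion-desired queries at volume, ANY in particular. The log lines, the local networks and the thresholds are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# BIND query-log line, e.g.
#   client 198.51.100.7#4444 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
# The "(qname)" after the port and the "@0x..." client pointer are version-dependent.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)")

# Constructed sample: one outside host firing ANY queries with recursion desired
# (the reflection pattern), plus ordinary traffic from inside and one outside lookup.
SAMPLE_LOG: List[str] = [
    f"13-Jun-2013 10:00:0{i}.000 queries: info: client 198.51.100.7#{40000 + i} "
    f"(isc.org): query: isc.org IN ANY +E (192.0.2.53)"
    for i in range(6)
] + [
    "13-Jun-2013 10:00:07.000 queries: info: client 10.0.0.5#53211 (www.example.com): "
    "query: www.example.com IN A + (192.0.2.53)",
    "13-Jun-2013 10:00:08.000 queries: info: client @0x7f3a1c0a2010 10.0.0.6#40210 "
    "(mail.example.com): query: mail.example.com IN MX +E (192.0.2.53)",
    "13-Jun-2013 10:00:09.000 queries: info: client 203.0.113.9#5353 (example.org): "
    "query: example.org IN A +E (192.0.2.53)",
]

# Networks this resolver is supposed to recurse for (assumed for the example).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


def parse_query_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One dict per recognised query line: ip, qname, qclass, qtype, flags."""
    parsed = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            parsed.append(m.groupdict())
    return parsed


def reflection_suspects(lines: Iterable[str], local_nets=LOCAL_NETS,
                        min_rd: int = 5, min_any: int = 3) -> Dict[str, Dict[str, int]]:
    """Outside sources sending recursion-desired queries at volume, or repeated ANY
    queries: the signature of this server being used as a reflector. The leading '+'
    in BIND's flags field is recursion desired; the source is probably spoofed."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"total": 0, "any": 0, "rd": 0})
    for q in parse_query_log(lines):
        addr = ipaddress.ip_address(q["ip"])
        if any(addr in net for net in local_nets):
            continue
        s = stats[q["ip"]]
        s["total"] += 1
        s["any"] += q["qtype"].upper() == "ANY"
        s["rd"] += q["flags"].startswith("+")
    return {ip: s for ip, s in stats.items() if s["rd"] >= min_rd or s["any"] >= min_any}


if __name__ == "__main__":
    for ip, s in reflection_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {s['total']} queries, {s['any']} ANY, {s['rd']} recursion desired")
```

A hit here means the fix John names still applies: the queries reached you because someone upstream is not doing BCP 38, and they were answered because recursion is open to the world. Restricting allow-recursion to the networks you serve removes your server from the pool of reflectors regardless of who filters what.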


Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread John Levine
>> The real solution is BCP 38...
>
> I agree completely John.  I cannot do otherwise.  But I have to ask the
> obvious elephant-in-the-room question... How is that coming along so far?

Based on discussions I've had with people who work at large networks
and in policy positions in various governments (not all in the US), a
lot faster than it it was even a few months ago.

If we're going to ask people to update their networks, I'd rather
concentrate on an update that will really work, rather than some plan
B that sorta kinda helps, and gives people the excuse that since they
did that they don't have to do BCP 38.

Also, a fair amount is just education.  I ran a spoofer test on my
server and found the network wide open.  I talked to the guy who runs
the hosting center today and he said oops, he thought it was set to do
ingress filtering.  So it will in a few days when he gets his router
configs updated.

R's,
John




Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread John Levine
> So, may I infer that rather than being put off until the end of the
> century, which seemed to be the previous implementation timeline,
> pervasive implementation of BCP 38 may now be expected at around the
> time that 32-bit UNIX clocks are anticipated to wrap-around to negative?

Perhaps, but I think that's still a lot sooner than a yet-to-be-designed
hack to DNS servers will be widely used.



Re: Mailing list reply-to setting

2013-05-08 Thread John Levine
> Any chance someone can correct the settings on this mailing list to
> reply to the list by default instead of the user posting the message?

This is a religious argument.  Please, leave it alone.

> And, If I might add, adding a tag to the subject like [bind-users] would
> be extremely nice.

It's twelve years after RFC 2919 and people are still using mail
software that can't filter on List-ID?  Aw, come on.

In gmail, it takes about 15 seconds to add a rule to apply a label to
mail with a particular list-ID.





Re: spf ent txt records.

2013-03-22 Thread John Levine
> I've not been keeping up with the IETF; is there a document that
> describes what looks like a de facto standard of using _pname labels
> with TXT RRs that is being followed by at least DMARC and DANE in
> *._tcp.example.com, *._smimecert.example.com, and _dmarc.example.com

No, but Dave Crocker is working on one.

> Is SRV the precedent being followed?

Yes.



Re: spf ent txt records.

2013-03-22 Thread John Levine
> It is or would have been, very little cost to publish SPF records.

Not until we fix the provisioning problem.  (News flash: in 99.9% of
the Internet, people do not edit master files with vi.)

In the early days of SPF, it was remarkably hard to get TXT records
provisioned, even though TXT records have been part of the DNS since
the beginning.  People had to go to their hosting companies, and the
places that produce the web software they use, and persuade them to
handle TXT, since in most cases it's just A, MX, and maybe CNAME.

Having gone through that pain, nobody has any interest in going
through it again for new rrtypes.  I can assure you that the vast
majority of the provisioning software that people use handles only a
small subset of existing defined rrtypes.

I have a draft about a DNS master file extension language with the
goal being that DNS servers and particularly provisioning software can
be updated by adding lines to configuration files rather than by
rewriting code.  Vixie (now a co-author) had the clever idea of
publishing the config info in a well known place in the DNS so the
configuration can be automatic.

https://datatracker.ietf.org/doc/draft-levine-dnsextlang/