Re: SRV on multiple subdomains
On 14 May 2024, at 15:20, DEMBLANS Mathieu wrote: A part of the subdomains are managed by us, others subdomains by an other entity. So we can't configure a generic target for all subdomains as each entity has its own target for SRV entries. -Message d'origine- De : bind-users bind-users-boun...@lists.isc.org De la part de Matus UHLAR - fantoms Envoyé : mardi 14 mai 2024 15:58 À : bind-users@lists.isc.org Objet : Re: SRV on multiple subdomains On 14.05.24 13:08, DEMBLANS Mathieu wrote: I have a question about configuration simplification for SRV configuration (maybe it can be applyed for other entries). We manage multiple subdomain of a main one (server1.example.com, server2.example.com,...). For A and MX entries, we use a general domain definitions with wildcard but is there a way to do so for SRV without having to define all subdomains (we have several dizains of it) ? We have to define some SRV entries with the same target like : _imap._tcp.server1.example.com IN SRV main.exemple.com _imap._tcp.server2.example.com IN SRV main.exemple.com Since a record is needed for each host, I think I would use something like this: imap._tcp.server1.example.com. IN SRV main.example.com. imap._tcp.server2.example.com. IN CNAME imap._tcp.server1.example.com. ... imap._tcp.servern.example.com. IN CNAME imap._tcp.server1.example.com. The advantage here is that, if ever the target of the SRV record had to be changed, only one record would have to be updated. /Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: [KASP] setup KASP in master / slave architecture
On 16 Dec 2022, at 15:59, adrien sipasseuth wrote: > - on the slaves: files .db > > I don't understand why there is no .db.signed file on my slave > knowing that a dig from a slave does return RRSIG. The secondary (slave) only needs one file to hold whatever zone data the primary provides when transferring the zone. It doesn't actually matter what you call this file, but something based on the name of the zone will likely make it easier to understand months later. The primary uses additional files to contain the keys and to hold both DNSSEC and NSUPDATE state. These files aren't needed on the secondaries. On a secondary, I actually prefer to use a suffix distinct from any used on the primary (eg. ".bk"), so that I don't have to worry about filename collisions in case, in an emergency, I might need to import the primary files from backup and reconfigure what is normally a secondary as a primary instead. I hope this helps. Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Documentation suggestion for Ubuntu PPA http://ppa.launchpad.net/isc/bind/ubuntu
Hi. With "APT-Sources: http://ppa.launchpad.net/isc/bind/ubuntu focal/main amd64 Packages", the file /usr/share/doc/bind9/README.Debian recommends: Zones subject to automatic updates (such as via DHCP and/or nsupdate) should be stored in /var/lib/bind, and specified with full pathnames. Do I understand correctly that this advice also applies to zones for which a dnssec-policy and inline-signing (rather than update-policy) are specified? If so, it might be well to extend the parenthesis "(such as ...)" to mention this case also. Best regards, Niall O'Reilly -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to introduce automatic signing for existing signed zones?
On 8 Nov 2022, at 7:54, Matthijs Mekking wrote: Thanks for reporting back. This is an omission in our KB article that I will fix. Thanks, Matthijs. I think that will be useful. Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to introduce automatic signing for existing signed zones?
On 7 Nov 2022, at 11:40, Niall O'Reilly wrote: > Preparation: > > - Set up minimal stand-alone instance of BIND9 named, > configured with a **dnssec-policy** for each algorithm, > matching properties of existing DNSSEC keys, and with > `lifetime unlimited`; > - Deliver current key files and recently-signed copy of > zone files to this instance. I needed an additional stage of preparation, before delivering the key files; specifically, I needed to edit the .private files to 'Private-key-format: v1.3' and add missing lifecycle metadata. After doing this, named behaved exactly as expected. Thanks, Matthijs, for steering me in the right direction, and for being ready to give me additional help. /Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to introduce automatic signing for existing signed zones?
Thank you for your speedy response, Matthijs. On 7 Nov 2022, at 13:10, Matthijs Mekking wrote: Ignore that, I saw too late there were attachments. Perhaps I ought to have mentioned them explicitly. Are you able to share the public key and key state files with me so I can investigate why BIND thinks the existing keys cannot be used? Off list, and PGP-protected, yes. This will mean I'll end up having to change the parent DS RRs later on. That seems a reasonable cost for getting to the root of the problem. I have no key state files, except after starting named, and then only for the RSA/SHA-256 and **newly-generated** ECDSA keys. My current signing process uses ldns-signzone, which seems not to use such files. Also, the log file looks like an excerpt. No; that's everything named, as configured, writes. A full debug (level 3) log would be useful too. I'll set up for that, and follow up off list. Thanks and best regards, Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
How to introduce automatic signing for existing signed zones?
I have a couple of zones which I want to migrate from CLI-driven signing to BIND9 automatic signing, while avoiding any change to the respective parent-zone DS RR. Status quo ante: - https://dnsviz.net/d/no8.be/dnssec/ separate KSK, ZSK; both using alg 13 - https://dnsviz.net/d/jamm.ie/dnssec/ 2048-bit KSK, 2x 1024-bit ZSKs (live and spare); all using alg 8 Preparation: - Set up minimal stand-alone instance of BIND9 named, configured with a **dnssec-policy** for each algorithm, matching properties of existing DNSSEC keys, and with `lifetime unlimited`; - Deliver current key files and recently-signed copy of zone files to this instance. Expected behaviour on starting named: - Zones are loaded; - Spare ZSK for jamm.ie is retired; - Other keys for each zone are accepted and retained; - A CDS RR is generated for each zone, matching the current DS RR. Observed behaviour: - `named -v` shows `BIND 9.18.8 (Stable Release) `; - Zones are loaded; - Spare ZSK for jamm.ie is retired; - Other RSA/SHA-256 keys (for jamm.ie) are accepted and retained; - A CDS RR is published for jamm.ie, matching the current DS RR; - ECDSAP256SHA256 keys (for no8.be) are not accepted; - New ECDSAP256SHA256 keys are created for no8.be; - No CDS RR is generated for no8.be. Unless I'm missing something, there seems to be a discrepancy according to key type between the handling of RSA/SHA-256 and ECDSAP256SHA256 keys respectively. /Niall // Based on https://bind9.readthedocs.io/en/latest/chapter3.html#primary-authoritative-name-server // authoritative primary named.conf file // options clause defining the server-wide properties options { // all relative paths use this directory as a base directory "/usr/local/var/named"; listen-on { 127.0.0.1; }; listen-on-v6 { ::1; }; allow-query { 127.0.0.1; ::1; }; allow-query-cache { none; }; recursion no; }; // logging clause // log to /var/log/named/example.log all events from info UP in severity (no debug) // uses 3 files in rotation swaps files when size reaches 250K // failure messages that occur before logging is established are // in syslog (/var/log/messages) // logging { channel example_log { // uses a relative path name and the directory statement to // expand to /var/log/named/example.log file "example.log" versions 3 size 250k; // only log info and up messages - all others discarded severity info; }; category default { example_log; }; }; acl local-requesters { localhost; }; dnssec-policy "persistent-rsasha256" { keys { ksk lifetime unlimited algorithm rsasha256; zsk lifetime unlimited algorithm rsasha256 1024; }; }; dnssec-policy "persistent-ecdsa256" { keys { ksk lifetime unlimited algorithm 13; zsk lifetime unlimited algorithm 13; }; }; // We are a standalone test server for jamm.ie zone "jamm.ie" { type primary; update-policy local; file "jamm.ie/db.jamm.ie"; key-directory "jamm.ie/"; masterfile-format text; dnssec-policy persistent-rsasha256; notify explicit; allow-transfer { local-requesters; }; }; // We are a standalone test server for no8.be zone "no8.be" { type primary; update-policy local; file "no8.be/db.no8.be"; key-directory "no8.be/"; masterfile-format text; dnssec-policy persistent-ecdsa256; notify explicit; allow-transfer { local-requesters; }; }; managed-keys-zone: loaded serial 0 zone no8.be/IN: loaded serial 2022110700 (DNSSEC signed) zone jamm.ie/IN: loaded serial 2022110700 (DNSSEC signed) zone no8.be/IN: reconfiguring zone keys keymgr: DNSKEY no8.be/ECDSAP256SHA256/42593 (KSK) created for policy persistent-ecdsa256 keymgr: DNSKEY no8.be/ECDSAP256SHA256/5030 (ZSK) created for policy persistent-ecdsa256 Fetching no8.be/ECDSAP256SHA256/42593 (KSK) from key repository. DNSKEY no8.be/ECDSAP256SHA256/42593 (KSK) is now published DNSKEY no8.be/ECDSAP256SHA256/42593 (KSK) is now active Fetching no8.be/ECDSAP256SHA256/5030 (ZSK) from key repository. DNSKEY no8.be/ECDSAP256SHA256/5030 (ZSK) is now published DNSKEY no8.be/ECDSAP256SHA256/5030 (ZSK) is now active zone no8.be/IN: next key event: 07-Nov-2022 12:17:13.995 zone jamm.ie/IN: reconfiguring zone keys keymgr: retire DNSKEY jamm.ie/RSASHA256/3078 (ZSK) DNSKEY jamm.ie/RSASHA256/17103 (ZSK) is now active Removing expired key 3078/RSASHA256 from DNSKEY RRset. DNSKEY jamm.ie/RSASHA256/3078 (ZSK) is now deleted CDS for key jamm.ie/RSASHA256/47680 is now published CDNSKEY for key jamm.ie/RSASHA256/47680 is now published zone jamm.ie/IN: next key event: 07-Nov-2022 10:17:14.023 all zones loaded running managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period. resolver priming query complete: success zone jamm.ie/IN: reconfiguring zone keys zone jamm.ie/IN: next key event: 07-Nov-2022 11:17:14.026 zone jamm.ie/IN:
Re: Unexpected extra care needed for building BIND 9.18.8
Thanks for replying so promptly, Ondřej. On 6 Nov 2022, at 15:34, Ondřej Surý wrote: Nope, that’s local to your system. Hard to tell what’s wrong from just a single message, but either there’s cruft somewhere in the path with more priority That was it. Rebuilding the cache cleared the problem. /Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Unexpected extra care needed for building BIND 9.18.8
Building BIND 9.18.8 from source seems to need ./configure; LD_RUN_PATH=/usr/local/lib make; sudo make install instead of the traditional ./configure; make; sudo make install Using the traditional recipe, I obtained the run-time error message named: error while loading shared libraries: libisc-9.18.8.so: cannot open shared object file: No such file or directory Is this as intended? I would have expected that ./configure (or the machinery it invokes) would take care of propagating ${exec_prefix}/lib to LD_RUN_PATH at the relevant stage. /Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to prevent gratuitous publication of CDS/CDNSKEY records
On 14 Apr 2022, at 13:22, Matthijs Mekking wrote: these records may also stay in the zone. BIND chooses to keep them in the zone Thanks, Matthijs. That fills the gap for me. Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
How to prevent gratuitous publication of CDS/CDNSKEY records
Hi. Clue needed, please. I’ve managed to migrate a number of zones from cron-driven signing using homegrown scripts to automatic management by named, while retaining the respective original KSK for each. Following migration, ZSK:s have been replaced as might be expected, since the keys were shorter than is nowadays recommended. The old ZSK files are still lingering in the key-directory. I’m seeing that fresh CDS and CDNSKEY are being generated, and wonder why, as the CDS RDATA matches the parent CD RDATA. I’ve deleted these using nsupdate, only to find them re-inserted some time later. Could it be significant that the parent DS TTL differs from that of the local CDS? One of the zones involved is foo.ie. The server is running BIND 9.16.27-Ubuntu, installed from ppa:isc/bind. Here below is the relevant dnssec-policy configuration fragment. ``` dnssec-policy persistent { // This policy attempts to match or accommodate what zonefactory did // and gives keys unrestricted lifetime dnskey-ttl 3600; keys { ksk lifetime unlimited algorithm rsasha256; zsk lifetime unlimited algorithm rsasha256; }; max-zone-ttl 3600; parent-ds-ttl 86400; parent-propagation-delay 48h; publish-safety 7d; retire-safety 7d; signatures-refresh 5d; signatures-validity 30d; signatures-validity-dnskey 30d; zone-propagation-delay 2h; }; ``` Thanks in anticipation. Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dns_dnssec_findzonekeys2: error reading WHATEVER.private: file not found
On 23 Feb 2022, at 14:32, Niall O'Reilly wrote: > I shall be grateful for any helpful advice. Thanks to Josef Moeller and Ondřej Surý. Niall -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
dns_dnssec_findzonekeys2: error reading WHATEVER.private: file not found
Hello. Using BIND 9.16.1-Ubuntu (Stable Release) because that’s what’s most simply available on Ubuntu 20.04.3 LTS (Focal Fossa), I’m seeing messages reporting that private key files can’t be found, such as the one in the subject line. The files look to me to be present as expected. I shall be grateful for any helpful advice. The relevant part of my configuration is further down. This appeared to work as expected on a development server running 9.18 from the ISC PPA. For production purposes, we would prefer to rely, if possible, on what is available without adding a PPA. Best regards, Niall O’Reilly ``` dnssec-policy onboarding { // This policy attempts to match or accommodate what zonefactory did // YMMV! dnskey-ttl 3600; keys { ksk lifetime 3650d algorithm rsasha256; zsk lifetime 3650d algorithm rsasha256; }; max-zone-ttl 3600; parent-ds-ttl 86400; parent-propagation-delay 48h; publish-safety 7d; retire-safety 7d; signatures-refresh 5d; signatures-validity 30d; signatures-validity-dnskey 30d; zone-propagation-delay 2h; }; zone "foo.ie" { type primary; update-policy local; file "/etc/bind/dynamic/foo.ie/db.foo.ie"; key-directory "/etc/bind/dynamic/foo.ie/"; masterfile-format text; dnssec-policy onboarding; # Policy under test // dnssec-policy default; # triggers retirement of existing keys // auto-dnssec maintain; # continues use of existing keys notify explicit;# Testing: don't propagate confusion! ;-) also-notify { downstream-in-house; }; allow-transfer { key in-house.ns.my-own.net.; }; }; ``` -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Possible to condition a view based on the interface the query comes in on?
match-destinations ? --- >From an Android device, using BlueMail, which forces top-posting. On 18 Nov 2021, 20:40, at 20:40, Fred Morris wrote: >I wanted to provide enhanced recursive DNS to (internal) clients on an >"opt in" basis, which is to say that clients could choose whether or >not >to receive enhanced replies based on what they configured as their >local >caching resolver. The enhanced services come in the form of a Response >Policy Zone (RPZ). > >Didn't see any reason that it had to be separate instances of BIND, >thought maybe I could do it with views, but I've run into a couple of >roadblocks: > >1. listen-on isn't supported in views. >2. internet wisdom augurs that response-policy isn't supported either. > >Is there a way to do this or should I bite the bullet and run two >copies >of BIND? > >Thanks in advance... > >-- > >Fred Morris > > >___ >Please visit https://lists.isc.org/mailman/listinfo/bind-users to >unsubscribe from this list > >ISC funds the development of this software with paid support >subscriptions. Contact us at https://www.isc.org/contact/ for more >information. > > >bind-users mailing list >bind-users@lists.isc.org >https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Request for review of performance advice
On 9 Jul 2020, at 21:25, Havard Eidnes via bind-users wrote: > 2e#1) Make sure your UDP socket *receive* buffers are big enough. > If on BSD, monitor for "dropped due to full socket buffers" > count in "netstat -s" output, and tune accordingly. Note that > this may be a symptom of mis-tuning of other parts of BIND, > causing excessive CPU usage, which may contribute to this > problem. I'm seeing some instances of "dropped due to no socket" on my FreeBSD systems where my resolvers run. I'm wondering - whether and how I can address this with tuning, and also - whether I'm wandering out of scope for this list. Thanks in anticipation and/or apologies. Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to set up a dmarc record ?
On 10 Dec 2019, at 13:30, Edouard Guigné wrote: ; DMARC _dmarc.pasteur-cayenne.fr IN TXT ( "v=DMARC1; p=none; " "rua=[mailto:dm...@pasteur-cayenne.fr](<mailto:dm...@pasteur-cayenne.fr>); pct=5; " "sp=none; aspf=r" ) Instead of "_dmarc.pasteur-cayenne.fr", you should put "_dmarc", leaving out ".pasteur-cayenne.fr", just as you did for the DKIM record. Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: What is wrong in the view matching below
On 5 Dec 2019, at 13:49, Harshith Mulky wrote: > view "external" { > > match-clients { any; }; > > recursion no; > > zone "nixcraft.com" IN { > > type master; > > file "internet.master.nixcraft.com"; > > }; > > }; > > view "internal" { > > match-clients { internal; }; > > allow-recursion { any; }; > ... > }; With the views in this order, the external view will always be used. This is because the configuration is scanned from the top until a view is found whose `match-clients` specification matches the requesting client; that view is then used. Since you have `match-clients { any; };` in the first view, scanning will stop there. Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Regarding named related issue observed with bind 9.11.5-P4 version
On 3 Apr 2019, at 10:26, Chandra Rao wrote: > exec /usr/sbin/named -u named -c "/etc/ClusterDNS.conf" -f You may need to use sudo /usr/sbin/named -u named ... or, if you prefer exec sudo /usr/sbin/named -u named ... Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc and nsupdate failing to work for me
On 14 Mar 2019, at 5:17, Marc Chamberlin via bind-users wrote: > On 03/13/2019 08:33 PM, John W. Blue wrote: >> >> As an option, instead of including /etc/rndc.key nothing prevents you >> from including rndc.conf. That way you are consistent with your useage. Another option is to include rndc.key from both rndc.conf and named.conf, which also keeps things consistent. Additionally, it allows rndc.key to have stricter protection than the .conf files (in my case, mode bits 0640 rather than 0644). I seem to recall actually needing to do this because of named objecting to the syntax of some of the configuration statements I needed to use in rndc.conf. I hope this helps. Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Help: BIND _ Recursive query
On 4 Mar 2019, at 16:20, Paul Kosinski wrote: > provides our users with general caching DNS service for > all other domains. [...] > Its "named.conf" file doesn't list any "forwarders" any more, and > "forward-only" is gone, but it still has a leftover "recursion yes" > clause. Am I correct is assuming that this is now useless and can be > removed? If you want "general caching DNS service" to continue to work, you'll need to keep "recursion yes". /NoR ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Server can not resolve Domain
On 21 Feb 2019, at 9:28, Wolfgang Pähler wrote: > The domain is: paehler.coud Zonemaster reports problems with the (currently) delegated name servers. I've put a little more detail in a private message. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to create an SRV record for the CSTA service
On 13 Sep 2018, at 17:03, King, Harold Clyde (Hal) wrote: > _csta._tcp.csta.example.com. 3600 IN SRV 20 0 1040 > hostname.example.com Instead of "hostname.example.com", you need "hostname.example.com.", with a trailing dot. Niall O'Reilly signature.asc Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to create an SRV record for the CSTA service
On 13 Sep 2018, at 16:39, King, Harold Clyde (Hal) wrote: > Here's what I thought it should be: > _csta_tcp.csta-example.com. 3600 IN SRV hostname.example.com. The SRV record needs 4 data items; you've specified only one. For an easy read: https://en.wikipedia.org/wiki/SRV_record For something more formal: https://tools.ietf.org/html/rfc2782 Good luck! Niall O'Reilly signature.asc Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC and secondary DNS servers
On 8 Sep 2018, at 14:58, @lbutlr wrote: > so I think there must be something else. You might need to so some other housekeeping: https://zonemaster.net/domain_check http://dnsviz.net/d/covisp.net/dnssec/ /Niall signature.asc Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: slave-not-updated
On 1 Aug 2018, at 10:01, Mohammed Ejaz wrote: Is there any way to troubleshoot from the master server why there is no synchnization to one more Slave. Only partly. You may need access to the slave at some stage. Master log should record NOTIFY messages sent to all slaves. If not all desired slaves are being sent NOTIFY, master needs to be configured with relevant directive (BIND named: also-notify). If master is sending NOTIFY, next thing to check is whether slave is requesting AXFR/IXFR. Master log should show each transfer. If not, then you’ll need to ask sysadmin at slave to check whether NOTIFY is arriving and being accepted, and whether slave is actually requesting transfer. If not, slave configuration may need correction (BIND named: allow-notify). If there is still a problem, you’ll likely need to use tcpdump or the like to investigate at network level, as NOTIFY or transfer may be blocked by a misconfigured firewall or other network fault. One other thing: avoid using nslookup. In trying to be “helpful”, it hides significant information and makes troubleshooting difficult. You’ll save time (yours, and that of anyone who tries to help you) by using dig. Best regards, Niall O’Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling expired domains
On 28 Jun 2018, at 23:48, rohan.henry cwjamaica.com wrote: > If all zones on a slave server expire because the slave could not reach the > master shouldn't the slave start working again once the master becomes > reachable without having to tweak anything like the serial? The slave should start working again once it discovers that the master has become reachable. According to the circumstances, this moment may differ, either grossly or subtly, from the moment when the master actually becomes reachable. For example, if the master itself has failed, been recovered, and been restarted, it will likely send NOTIFY messages to the slaves, which will then be aware of restored reachability, and will be able to resume service directly. On the other hand, if the reachability failure is due to a network fault, the master will have continued running, and will have no reason to send NOTIFY on restoration of reachability. In this case, resumption of normal service will depend on how the slave server software implements recovery from an expiry event. I expect, but have never had occasion to confirm, that this would depend on the REFRESH and RETRY timers. this might involve a delay of some, or even many, hours. In any recovery situation, I would be minded to check slave status within a few minutes of restoration of reachability, and to force the master to send NOTIFY messages in case any slaves had not yet resumed service. Niall O'Reilly signature.asc Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS not resolving on google, but is on other services
On 16 Feb 2018, at 23:23, LuKreme wrote: > Is google just b0rked? (Seems unlikely) or is there something in the > configuration for the dns that they don't like? In my not-very-extensive experience, Google's 8.8.8.8 service seems to have limited tolerance of badly-behaving authority servers; in such a case, it seems to give up early and report SERVFAIL. As it happens, there seem to be problems with the set of authority servers involved. You'll find more information at https://zonemaster.fr/test/932ded6946bfebb4 . Best regards, Niall O'Reilly signature.asc Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: intermittent SERVFAIL for high visible domains such as *.google.com
On 23 Jan 2018, at 12:25, Brian J. Murrell wrote: > I don't think it's possible > to run two BINDs on the same machine on different ports and have one > (on port 53) delegate a zone to another running on some other port. You could use different __addresses__, if you have any to spare. Best regards, Niall O'Reilly signature.asc Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Subdomain DNSSEC
On 28 Aug 2017, at 17:06, Michael Dahlberg wrote: My apologies if this question has an easily discoverable answer but my google-fu seems to be failing me today. Try "insecure delegation" against your favourite search engine. Here's an example of what searching for this gave me (from DuckDuckGo rather than Google): https://stackoverflow.com/questions/25674236/how-to-create-delegation-signer-ds-record-for-a-subdomain-with-powerdns If a domain is signed, is it possible to delegate a subdomain to a 3rd party who is unable to sign that subdomain? Yes. You need NS records as has always been the case. By simply not adding a DS record, you signal an insecure delegation. You may have problems if the two sets of name servers (for parent and child zones) overlap. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: delegation NS records
On 14 Jul 2017, at 14:07, b...@zq3q.org wrote: > only a single **delegation** NS record > needed Actually, there should be two or more, and their IP addresses should belong to different networks. RFC1034, section 4.1: A given zone will be available from several name servers to insure its availability in spite of host or communication link failure. By administrative fiat, we require every zone to be available on at least two servers, and many zones have more redundancy than that. /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On 11 Jul 2017, at 22:01, b...@zq3q.org wrote: As I wrote to Niall (msg dated 11 Jul 2017 15:04:32 -0500) , That hasn't reached me yet. I **do not** have a NS record for each of my two nameservers, in the domain zone that the respective nameserver itself is in. That is a mistake, I need to fix, right? Short answer: just no. Long answer: not unless either of your servers is providing name service for the zone that the nameserver itself is in. As I understand from your original message, this is not the case, so just no. I hope this helps. With best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On 11 Jul 2017, at 14:57, b...@zq3q.org wrote: Assume I register domain 'mynew.org' with registrar namecheap; and as an exercise, I plan to setup my own two authoritative DNS nameservers for 'mynew.org'. I have several linux VMs, that are under used, so I want to use them for the nameservers for 'mynew.org'. **Neither are in 'mynew.org'; is that going to work?** Unless you misconfigure things, it should just work. namecheap support seems to suggest that the personal DNS authorative nameservers for 'mynew.org', must be in 'mynew.org', as in ns1.mynew.org ns2.mynew.org Nonsense. OTOH, if your registrar is obdurate, you may need to find a creative work-around. This is not what I want, since I do not want to spin up 2 new servers. You can work around the obduracy without spinning up any new server. Simply use the addresses of each of your existing servers in the (you are using IPv6, I hope?) and A records for the new names. Of course, this can only work if your servers have public, reachable addresses. **Pls confirm, that I do not need to do this, and that I could use 2 existing linux hosts outside of mynew.org as personal DNS authorative nameservers.** Any additional related tips appreciated. See above. With best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS and cache-expiration modification
On 18 Nov 2016, at 9:24, Job wrote: Do you know if with Bind is possible? Perhaps the configuration option 'max-cache-ttl' is what you're looking for ? Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND started replying to queries for .com with .COM
On 1 Apr 2016, at 11:08, Tony Finch wrote: > Robert Edmondswrote: >> Tony Finch wrote: >>> Phil Mayers wrote: What is considered the source of the ownername for, say, "com."? >>> >>> It should be the root zone master file. >> >> Why not the com zone master file? > > If you are going to pick a single authority for a particular label, it > should be the zone that determines whether that label exists or not. That seems no less arbitrary a rule of thumb than one which would give priority to the zone which contains the authoritative NS records. 8-) /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: unalbe-to-query
On Mon, 14 Dec 2015 06:59:12 +, Ejaz wrote: > > Hi all, > > We are one of the leading ISP of Saudi Arabia. Installed latest > version of bind and smbind inorder manage the zones over the Web > interface. > > Wonder is that, the zones which configured through smbind cannot be > seen from the outside world.. locally it is fine. For an example > arabsat.com. > > Almost 1500 other zones on the same name server runs through bind 9.9. > works perfectly internally and externally. Eg. Cyberia.net.sa. > > From Internally I can query it.. it is ok… I'm not sure that you can safely say this. From what I can see, you seem to be using nslookup, which (in trying to be "helpful") hides so much information that you cannot depend on the results it gives. I suggest you use the zonemaster tool (https://zonemaster.net/) to run a comprehensive series of tests against the zone(s) which are giving you trouble. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: subdomain/zone with DHCPD
On 15 October 2015 15:56:42 BST, lejeczekwrote: >hi everybody > >I'm trying a bind setup which could be talked to by dhcpd. >I've bind setup with virtual zones and now trying to set up >dhcpd so it would be updating DNS, but... but. > >In dhcpd.conf I'm trying: and what's in your named.conf? -- Sent from Kaiten Mail. Please excuse my brevity. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dname reverse delegation
On Tue, 13 Oct 2015 21:40:30 +0100, Paul A wrote: > > I have a few /24 that I want to delegate using DNAME. Are you expecting to save yourself trouble by doing so? If not, you should probably reconsider. If you decide DNAME is a useful trick, bear in mind that what DNAME does is not really delegation, but just a trick for the lazy. I'm actually one of those lazy people, so please understand that I don't mean the word offensively. Besides, cleverer people than I have recognized laziness as a virtue. I have persuaded the administrator of the 1.0.0.7.7.0.1.0.0.2.ip6.arpa. zone to use a DNAME rather than a delegation for f.3.1.0.0.7.7.0.1.0.0.2.ip6.arpa. Yes, this is for IPv6, but it's conveniently to hand, and the principles are the same. I have actually had second thoughts about this, and more than once, but never felt worried enough that making the change needed priority before the other things on my do-list. The trouble I save by doing this is that of maintaining two zone files for my and corresponding PTR records. Instead, I can keep both together in one file, like this: $ORIGIN no8.be. bode3600IN 2001:770:13f:0:5054:ff:fe00:d978 8.7.9.d.0.0.e.f.f.f.0.0.4.5.0.5.0.0.0.0.f.3.1.0.0.7.7.0.1.0.0.2.ip6 3600 IN PTR bode Using 'dig', you can explore how it works, and what zones are involved, by using commands such as these: dig bode.no8.be dig -x 2001:770:13f:0:5054:ff:fe00:d978 dig +trace -x 2001:770:13f:0:5054:ff:fe00:d978 dig f.3.1.0.0.7.7.0.1.0.0.2.ip6.arpa ns dig no8.be ns You can do the same for your /24's, if the administrator of the parent reverse zone is minded to co-operate. Alternatively, you can use a normal delegation and set up your zone as follows, filling in the gaps appropriately. $TTL 3600 ;; or whatever $ORIGIN 13.168.192.in-addr.arpa. @ IN SOA ... IN NS ... IN DNAME whatever.example.net. Then, you populate the whatever.example.net. zone with the PTR records: $TTL 3600 ;; or whatever $ORIGIN whatever.example.net. @ IN SOA ... IN NS ... 0 IN PTR base-addr.whatever-else.example.net. 1 IN PTR some-host.whatever-else.example.net. 2 IN PTR anor-host.whatever-else.example.net. ;; and so on ... 255 IN PTR bcast-addr.whatever-else.example.net. > Lets says I have 192.168.13.0/24 how would I go about doing reserve on > the forwarding server using DNAME. > > Currently on the forwarding server I have > > NS ns.isp.com > > ;; > > DNAME 0/24 Don't be distracted by RFC2317. It describes the trickery you need when you're dealing with a longer prefix (fewer addresses) than a /24. If you have "a few /24", you can deal with them without needing any of that. > ;; > > ;;; delegate to server > > 0/24 NS ns.someserver.com. > > On the server handling the PTRs (ns.someserver.com) I have: > > zone "0/24.13.168.192.IN-ADDR.ARPA" { > > type master; > > file "/slvdb/db.13.168.192"; > > }; > > In the PTR server the zone file looks like a normal PTR file and when > I query on this server its working, I get the DNAME/CNAME and PTR. > > However when I query on the forwarding server it’s not working, I just > keep getting the CNAME over and over again but not actual PTR. I'm not sure what in what sense you're using the term "forwarding server". If you mean the authoritative server where the DNAME record is sitting, then I believe that this is normal. An authoritative server should return just the DNAME and synthesized CNAME, as it's not responsible for chasing down the CNAME reference. That's the job of a recursive resolver. > Shouldn’t the forwarding server query the PTR server since it has a > 0/24 NS RR? It seems like because of the above DNAME RR it expects and > zone file for the 0/24. However I just want to forward this. I'm sorry. I don't understand what you think you're trying to achieve. I hope this helps. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface
On Sat, 26 Sep 2015 17:27:56 +0100, Gordon Lang wrote: > > CHANGE: I did not properly characterized the problem in my original > post, so here is the real situation. > > If the bash shell from which I launch "named" is owned by root, then > "named" runs perfectly using the "-u" option, even listening on the > tun/tap interfaces. > But if I run "named" as a regular user, relying on the SUID file > setting to elevate privileges, then named fails to listen on any > addresses. > I believe the differences I saw before related to tun/tap interfaces > were due to testing on different RedHat platforms, but this revised > problem statement describes what is happening on both platforms. > > So the real problem is this: It seems I can use the SUID file bit to > allow a regular user to launch named, OR I can use the "-u" option of > "named" to lower the privileges after launch (requiring native root > privileges to launch), but I can't use both at the same time. > > Can anyone shed any light on this scenario? I'm missing some information which might help me understand the problem: the user and group to which your named belong. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface
On Sun, 27 Sep 2015 16:59:14 +0100, Gordon Lang wrote: > > Here is the file info: > > glang@nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin > bind-9.10.3/sbin/named > drwxrwsr-x. 2 incadmin network 4096 Sep 26 10:39 bind-9.10.3/sbin > -rwsr-xr-x. 2 root network 10095219 Sep 26 09:16 > bind-9.10.3/sbin/named > glang@nstv1:/export/local/ISC> > > If I run "named" as user 'glang' without the "-u" option, it works > fine -- "named" runs as root (due to the suid file bit) and it listens > on port 53 of the configured ip addresses. Real user is unprivileged, but effective user is, so it all works. > If I run "named" as user 'glang' with the "-u incadmin" option, it > does not work fine -- it runs with the change of process owner to > 'incadmin', but it does not listen on any ip addresses. Real user is unprivileged. Effective user is briefly privileged, and later unprivileged. In the section of the ARM which contains copies of the man pages, I see the following description of the -u option. -u user Setuid to user after completing privileged operations, such as creating sockets that listen on privileged ports. NOTE On Linux, named uses the kernel’s capability mechanism to drop all root privileges except the ability to bind(2) to a privileged port and set process resource limits. Unfortunately, this means that the -u option only works when named is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges to be retained after setuid(2).  I don't doubt that you're running a new enough kernel. However, I guess that, since the real user didn't have the privileges in question, the final effective user can't retain them. Without checking kernel and/or named code, I'm afraid I can't do better then guess. > If I run "named" as user 'root' with the "-u incadmin" option, it > works fine -- it listens on the configured ip's and it changes the > owner of the process to 'incadmin'. This is the "traditional" way to run a reduced-privilege instance of named. I've used it, and I believe it's widely used. Are you sure it's not adequately secure for your needs? Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Multiple A and PTR and the "main" ones?
On Fri, 11 Sep 2015 15:54:52 +0100, David Ford wrote: > > [...] satisfy RFC requirements for DNS [...] Would you mind citing? Thanks Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Issue in calling same zone in more than one VIEW
On Fri, 29 May 2015 08:23:55 +0100, Gaurav Kansal wrote: Dear Team, I am running BIND 9.10.2 version on CentOS and running roughly 500 domains and for most of them I am a slave server. In few of them, I have different zone file based on Internal and External view. And for rest of them, I am using a single file for both the View. This configuration was working fine till BIND version 9.9.5 As I understand, this configuration was never supported. Each instance (view) of a slave server needs a private file in which to write zone data transferred from the master. Having multiple instances use the same file means that they may over-write each other's work. Managing this contention was never a design feature. but yesterday I updated to 9.10.2 and I am facing the following error. May 29 12:43:58 NKN-IPV6-DNS named[17727]: /var/named/zonedata/gov-zone.data:3: writeable file 'govdomains/xyz.gov.in.fwd': already in use: /var/named/zonedata/gov-zone.data:3 The new version now gives an error message in case you use this kind of unsupported configuration. This is happening because I am calling same zone file in both view. Please help me out what I should do for getting rid of this issue. You need to use as many copies of each zone file as you have views needing to write to it. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Issue in calling same zone in more than one VIEW
On Fri, 29 May 2015 11:49:35 +0100, Gaurav Kansal wrote: Now I have to create 2 files with different zone definition (one contains definition and the second one contains ‘in-view’ parameter). I know that this is not at all tough I but I just need to know if I can use same file for including in both the view (by anyhow). You can find some helpful examples in the configuration files used by the test suite (.../*.conf below): dhcp-162(niall)14: tar xzf ~/Downloads/bind-9.10.2.tar.gz dhcp-162(niall)16: find bind-9.10.2/ -type f -exec fgrep -q in-view {} \; -print bind-9.10.2//bin/named/server.c bind-9.10.2//bin/tests/system/checkconf/bad-sharedzone1.conf bind-9.10.2//bin/tests/system/checkconf/bad-sharedzone2.conf bind-9.10.2//bin/tests/system/checkconf/good.conf bind-9.10.2//bin/tests/system/views/ns2/named2.conf bind-9.10.2//CHANGES bind-9.10.2//doc/arm/Bv9ARM-book.xml bind-9.10.2//doc/arm/Bv9ARM.ch06.html bind-9.10.2//doc/misc/options bind-9.10.2//lib/bind9/check.c bind-9.10.2//lib/isccfg/namedconf.c You'll also find documentation (in the ARM) of the restrictions on which other options can validly be used together with in-view: An in-view option cannot refer to a view that is configured later in the configuration file. A zone statement which uses the in-view option may not use any other options with the exception of forward and forwarders. (These options control the behavior of the containing view, rather than changing the zone object itself.) An in-view zone cannot be used as a response policy zone. I think you'll find that just one of your views can reference the zone file, while the other(s) will have an in-view option referencing the first view. I hope this helps. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Issue in calling same zone in more than one VIEW
On Fri, 29 May 2015 11:25:48 +0100, Cathy Almond wrote: From 9.10.0 there is a new zone type 'in-view'. From the release notes: Neat! Thanks and best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: lists subdomain not fully working [SOLVED]
On Wed, 27 May 2015 07:50:12 +0100, Lucio Crusca wrote: I've now fixed the MNAME and I have to wait propagation before testing again, but I'm really confident it will solve the problem, Fammi sapere, per piacere ... Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: lists subdomain not fully working
On Mon, 25 May 2015 11:26:58 +0100, Lucio Crusca wrote: I moved my bind installation to a new server two weeks ago and I copied the zones verbatim: on the old server everything was working ok. More precisely, you weren't aware of a problem, which is not necessarily the same thing. The zone lists.granellodisenape.org This isn't a zone, as it's not delegated; it's just a host, as can be seen by requesting relevant DNS resource records from one of the servers (ns{1,2}.virtualbit.it) responsible for the zone granellodisenape.org. ; DiG 9.8.3-P1 +norec @ns1.virtualbit.it. any lists.granellodisenape.org ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 52674 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;lists.granellodisenape.org.IN ANY ;; ANSWER SECTION: lists.granellodisenape.org. 12880 INA 136.243.232.142 ;; AUTHORITY SECTION: granellodisenape.org. 12880 IN NS ns2.virtualbit.it. granellodisenape.org. 12880 IN NS ns1.virtualbit.it. ;; ADDITIONAL SECTION: ns1.virtualbit.it. 3600IN A 136.243.232.142 ns2.virtualbit.it. 3600IN A 136.243.232.143 ;; Query time: 51 msec ;; SERVER: 136.243.232.142#53(136.243.232.142) ;; WHEN: Mon May 25 14:07:24 2015 ;; MSG SIZE rcvd: 141 Where your new server fits in all of this isn't clear, as you don't mention what either its name or its address is. It may be useful for you to use a public validation service (such as http://zonemaster.net/) to check the name service for your zone. hosts a mailing list (mailman). On the new server, all mailing list users can use it except two of them: they are the only ones with email address @alice.it. When they try to write to the mailing list, their SMTP server @alice.it is complainig that: 550 RCPT address has non-existant domain lists.granellodisenape.org From where I sit, this problem does not appear. If you can confirm that this problem is still present, you'll need to look for help with analysing it to someone who has access to the name server(s) used by this SMTP server. Either of the users you mention may be able to help. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND response time is relatively high
At Mon, 26 Jan 2015 21:50:37 +, Darcy Kevin (FCA) wrote: The parameter that is glaringly missing from your list is “recursive-clients”. Do you have that set at default value (1000) or have you bumped it up higher? Since you say that this happens at “peak hours”, recursive-clients is the prime suspect, Besides what Kevin suggests, it may be worth checking for swapping and/or IO wait using 'top'. /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND9 Return different IP address based on subnet
At Sat, 3 Jan 2015 19:24:47 +0100, Christian Kette wrote: I have found a workaround. I defined a different zone for every network A simpler solution might be to use a sortlist. From the ARM: 6.2.16.13 The sortlist Statement The response to a DNS query may consist of multiple resource records (RRs) forming a resource records set (RRset). The name server will normally return the RRs within the RRset in an indeterminate order (but see the rrset-order statement in Section 6.2.16.14). The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. However, not all resolvers can do this or are correctly configured. When a client is using a local server, the sorting can be performed in the server, based on the client’s address. This only requires configuring the name servers, not all the clients. Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: recursive-clients : recommended value for a high traffic recursive nameserver
At Sun, 23 Nov 2014 21:00:15 -0800 (PST), blrmaani wrote: Our nameservers take upto 10KQPS (mostly NOERROR type most of the time). Twice or thrice a week, I have seen upto 10% of the queries are SERVFAIL and we have started exceeding the default value of 2000 for recursive-clients settings in BIND 9.9.x. Is there a recommended value for recursive-clients option assuming huge number of SERVFAIL queries once in a 2/3 days? I'm not convinced to increase it to some arbitrary huge number 20,000 or 200,000. I am looking for answer like - if your peak SERVFAIL queries are 2000/second, then your recursive-clients value should be N. I wouldn't expect that such an answer could make sense. Exhaustion of the active recursive-clients list and the generation of responses marked SERVFAIL are most likely different symptoms of the same problem. I think you'll need to identify this problem and then determine what action to take. Your resolver seems to be dealing with queries which are unanswerable and which are arriving in a quantity sufficient to fill the recursive-clients list. This may be due to rogue clients, misconfigured authoritative servers, network problems, or some combination of these. Your logs will help identify which. I hope this helps. Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: recursive-clients : recommended value for a high traffic recursive nameserver
At Sun, 23 Nov 2014 21:00:15 -0800 (PST), blrmaani wrote: Our nameservers take upto 10KQPS (mostly NOERROR type most of the time). Twice or thrice a week, I have seen upto 10% of the queries are SERVFAIL and we have started exceeding the default value of 2000 for recursive-clients settings in BIND 9.9.x. Is there a recommended value for recursive-clients option assuming huge number of SERVFAIL queries once in a 2/3 days? I'm not convinced to increase it to some arbitrary huge number 20,000 or 200,000. I am looking for answer like - if your peak SERVFAIL queries are 2000/second, then your recursive-clients value should be N. I wouldn't expect that such an answer could make sense. Exhaustion of the active recursive-clients list and the generation of responses marked SERVFAIL are most likely different symptoms of the same problem. I think you'll need to identify this problem and then determine what action to take. Your resolver seems to be dealing with queries which are unanswerable and which are arriving in a quantity sufficient to fill the recursive-clients list. This may be due to rogue clients, misconfigured authoritative servers, network problems, or some combination of these. Your logs will help identify which. I hope this helps. Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Digging to the final IP
At Thu, 23 Oct 2014 15:17:49 +0100, Sam Wilson wrote: In article mailman.1128.1414072988.26362.bind-us...@lists.isc.org, Bob Harold rharo...@umich.edu wrote: Anytime you see 'grep' and 'cut' used together, they can usually be shortened to just 'awk', which requires starting one less process. And if this case it splits fields the way a users sees them, so the same code works in both cases: $ dig +noall +answer home.kreme.com in a | awk '/[\t ]A[\t ]/ {print $NF}' 23.24.150.141 $ dig +noall +answer dave.knig.ht in a | awk '/[\t ]A[\t ]/ {print $NF}' 216.235.14.46 $ dig +noall +answer cancer.ucs.ed.ac.uk | perl -ne ' /\sA\s/ do { @_=split; print $_[$#_]\n }' 129.215.166.13 129.215.200.7 Which makes it easy, in either case, to return a status value, as Frank Bulk seemed to want. Something like '... {print $NF; count++} END {exit ! count}' or | perl -ane ' /\sA\s/ do { print $F[$#F]\n; $count++ } END {exit ! $count }' might work. Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Digging to the final IP
At Thu, 23 Oct 2014 15:17:49 +0100, Sam Wilson wrote: In article mailman.1128.1414072988.26362.bind-us...@lists.isc.org, Bob Harold rharo...@umich.edu wrote: Anytime you see 'grep' and 'cut' used together, they can usually be shortened to just 'awk', which requires starting one less process. And if this case it splits fields the way a users sees them, so the same code works in both cases: $ dig +noall +answer home.kreme.com in a | awk '/[\t ]A[\t ]/ {print $NF}' 23.24.150.141 $ dig +noall +answer dave.knig.ht in a | awk '/[\t ]A[\t ]/ {print $NF}' 216.235.14.46 $ dig +noall +answer cancer.ucs.ed.ac.uk | perl -ne ' /\sA\s/ do { @_=split; print $_[$#_]\n }' 129.215.166.13 129.215.200.7 Which makes it easy, in either case, to return a status value, as Frank Bulk seemed to want. Something like '... {print $NF; count++} END {exit ! count}' or | perl -ane ' /\sA\s/ do { print $F[$#F]\n; $count++ } END {exit ! $count }' might work. Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Digging to the final IP
At Tue, 21 Oct 2014 22:31:28 -0500, Frank Bulk wrote: Dave, Thanks for the input, but what I was looking for was a dig command that returns the IP(s) or a fail. It looks like the host command is the right solution in this case, not dig. Doesn't egrep fail on no match? Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Does bind read /etc/hosts?
At Tue, 15 Jul 2014 10:28:30 +, houguanghua wrote: Before Bind consults authority NS, does it access /etc/hosts? In my testing, it does not even seem to access /etc/hosts. That's right. BIND tools (dig, ...) are DNS tools. Local files aren't part of the DNS. For more information, please see http://serverfault.com/questions/498500/why-does-the-host-command-not-resolve-entries-in-etc-hosts Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to setup a backup NameServer?
At Tue, 29 Apr 2014 10:24:58 +, houguanghua wrote: Yes, I had asked the same question months ago. I'm designing how to protect DNS for an ISP. The zones are not owned by the ISP. The ISP wants to proect the DNS query during attacking. So it's not standard DNS solution. During the attacking, the backup server will provide the DNS query and it works even if it can't refresh zones from primary NS. Which (or how many) zones do you expect your backup server to work for? /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: intermittent resolving problem for some domains
At Wed, 19 Feb 2014 00:33:11 +0200, Daniel Dawalibi wrote: Kindly note that the number of recursive clients is increasing during the problem : recursive clients: 3700/14900/15000 I think it's likely that you have a connectivity problem. I'ld suggest checking whether your server which is giving these messages can reach any of the root servers or even any of the external Internet. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bad owner name - Unable to add forward map from Nintendo Wii U ... REFUSED
On 27 Dec 2013, at 06:07, David C. Rankin drankina...@suddenlinkmail.com wrote: Dec 26 20:55:43 nirvana dhcpd: Unable to add forward map from Nintendo Wii U.3111skyline.com to 192.168.6.148: REFUSED IIUC, your DHCP server seems to be handling the DDNS transaction. If you can set the configuration of this server, I expect you're in a position to determine what owner name is passed to the DNS server, and that this approach might be what you need. This thread probably belongs better on the dhcp-users list ... Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: missing ‘additional section’
On 18 Dec 2013, at 15:19, houguanghua houguang...@hotmail.com wrote: Is there any way to enable the Additional Section? Thanks. The server sends data in the additional section if either (a) these data are required, or (b) the server supports and is configured to send data which, although not actually required, may somehow be “useful”. The BIND named configuration option “minimal-responses” controls case (b). If this is set to “no”, and the server isn’t sending data in the additional section, it’s because it doesn’t have anything useful to put there. As this option is part of the server configuration, there isn’t anything you can do with DiG to enable sending of additional data. I hope this helps. Niall O’Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Recursive DNS server cannot resolve the reverse zone records from my IPv6 private network
On 6 Nov 2013, at 18:30, Listas wrote: ;; QUESTION SECTION: ;f.1.4.2.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.5.a.8.3.2.e.3.e.0.0.c.f.ip6.arpa. IN PTR And placed the following (and more) data at http://adminlinux.com.br/recursive-bind.conf /etc/bind/named.conf.local-ip6: zone 5.a.8.3.2.e.3.e.0.0.c.f.ip6.arpa IN { type master; file /etc/bind/db.fc; }; /etc/bind/db.fc: $TTL 86400 ; Minimum TTL of 1 day. @ IN SOA ns1.mydomain.com. dnsmasters.mydomain.com. ( 1 ; Serial. 10800 ; Refresh after 3 hours. 3600; Retry after 1 hour. 604800 ; Expire after 1 week. 86400 ) ; Minimum TTL of 1 day. IN NS ns1.mydomain.com. IN NS ns2.mydomain.com. 10 IN NS ns3.mydomain.com. IN NS ns4.mydomain.com. 12 IN NS ns5.mydomain.com. IN NS ns6.mydomain.com. 16 IN NS ns7.mydomain.com. IN NS ns8.mydomain.com. 20 IN NS ns9.mydomain.com. IN NS ns10.mydomain.com. The zone file you've chosen to show us has records only for the following names: 5.a.8.3.2.e.3.e.0.0.c.f.ip6.arpa. 10.5.a.8.3.2.e.3.e.0.0.c.f.ip6.arpa. 12.5.a.8.3.2.e.3.e.0.0.c.f.ip6.arpa. 16.5.a.8.3.2.e.3.e.0.0.c.f.ip6.arpa. 20.5.a.8.3.2.e.3.e.0.0.c.f.ip6.arpa. None of these matches the target of your query, so the result is NXDOMAIN. Anything else would be strange. If you need the server to return some other result for this query, you must place the corresponding record(s) in the zone file you're using. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: use bind 9.8 as caching server and authoritative nameserver
On 28 Oct 2013, at 13:10, bind-ch...@telenet.be wrote: Recently our government obligated all ISP's to block access to child-porn, illegal betting sites, illegal file share sites etc... I have been asked now to implement this on our caching DNS servers (serve a custom zone to all of our customers that points to an IP from the government that hosts a block-page) You probably understand that this approach is of limited effectiveness, and has arguably significant disadvantages. It may be of interest for you to read the report mentioned at either of the following URIs (in French, English respectively). http://www.afnic.fr/fr/l-afnic-en-bref/actualites/actualites-generales/6573/show/le-conseil-scientifique-de-l-afnic-partage-sur-le-filtrage-internet-par-dns.html http://www.afnic.fr/en/about-afnic/news/general-news/6584/show/the-afnic-scientific-council-shares-its-report-on-dns-based-internet-filtering.html Best regards, Niall O'Reilly Member of AFNIC's Conseil Scientifique PS. I wan't a significant contributor to this report. Credit for that belongs to the colleagues who did the work. /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: packet size
On 11 Sep 2013, at 17:24, Maria Iano wrote: What does it mean when the edns0 response to a dig says the overall packet size will be one value Not will be one value but can be no more than that value. but the message size reported is different. That's the actual size of the response message. It depends on what you requested, and what data was sent in the response. For example in this reponse the OPT PSEUDOSECTION says udp: 4096 but at the end it says MSG SIZE rcvd: 275. I hope this helps. /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ISO or virtual appliance
On 22 Aug 2013, at 10:49, Phil Mayers wrote: * Make the service name a CNAME into another small dynamic (sub-)zone. This is what most DNS-based LB do e.g. www.example.com CNAME www.lb.example.com, then make lb.example.com a small, dynamically-updated zone. or delegate www.example.com as a tiny dynamic zone and update it directly. Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.8.1-P1: 'make test' fails
On 22 Nov 2011, at 11:24, Niall O'Reilly wrote: Since quite a few years, I habitually run 'make test' after building BIND from sources. I'me seiing a failure with 9.8.1-P1, and wonder whether anyone else is also. [By way of putting this to bed, at last ...] Updating the Perl module Net::DNS to a recent version seems to be what is needed to make the test which was failing (labelled 'xfer') run successfully. I don't know the cut-off point between 'old' and 'recent' version of Net::DNS. I've had success with 0.65 and 0.66; current is 0.72. An 'old' version will cause the 'xfer' test to fail in BIND releases subsequent to 9.8.1-P1, including current releases. Best regards, /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.8.1-P1: 'make test' fails
On 20 Aug 2013, at 15:08, Chris Buxton wrote: There is a mailing list for Net::DNS. List-Subscribe: https://www.nlnetlabs.nl/mailman/listinfo/net-dns-users, mailto:net-dns-users-requ...@nlnetlabs.nl?subject=subscribe That said, there was a discussion last December about what has changed since Net::DNS was taken over by a new maintainer, meaning post-0.68. A small number of quite disruptive changes were made in 0.69. Thanks, Chris. For problem at hand, the break-point of interest is somewhere between 0.31 and 0.65. 8-) Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Slave not creating/updating zones
On 15 Jul 2013, at 12:49, Grace Ingabire wrote: The issue is now resolved, my master was not configured properly! There's something else: LTD.RW seems not to be delegated. The problem seems to be masked from you because this zone and its parent are both hosted on ns{1,2}.ricta.org.rw. From further away, a query for NS records for LTD.RW sometimes returns a list of NS records, sometimes NXDOMAIN, according to which of the parent zone (RW) name servers is queried for the delegation (zone-cut) records, as shown below. I expect you'll need to add NS records for LTD in the RW zone file. dhcp-c101a88b(niall)8: dig +trace ltd.rw ns ; DiG 9.6-ESV-R4-P3 +trace ltd.rw ns ;; global options: +cmd . 232678 IN NS e.root-servers.net. . 232678 IN NS k.root-servers.net. . 232678 IN NS f.root-servers.net. . 232678 IN NS a.root-servers.net. . 232678 IN NS m.root-servers.net. . 232678 IN NS g.root-servers.net. . 232678 IN NS j.root-servers.net. . 232678 IN NS h.root-servers.net. . 232678 IN NS d.root-servers.net. . 232678 IN NS i.root-servers.net. . 232678 IN NS l.root-servers.net. . 232678 IN NS b.root-servers.net. . 232678 IN NS c.root-servers.net. ;; Received 512 bytes from 137.43.116.19#53(137.43.116.19) in 7 ms rw. 172800 IN NS ns1.ricta.org.rw. rw. 172800 IN NS fork.sth.dnsnode.net. rw. 172800 IN NS sns-pb.isc.org. rw. 172800 IN NS ns-rw.afrinic.net. ;; Received 290 bytes from 2001:dc3::35#53(m.root-servers.net) in 19 ms rw. 86400 IN SOA ns1.ricta.org.rw. info.ricta.org.rw. 2013071545 86400 7200 604800 86400 ;; Received 79 bytes from 2001:500:2e::1#53(sns-pb.isc.org) in 35 ms dhcp-c101a88b(niall)8: dig +trace ltd.rw ns ; DiG 9.6-ESV-R4-P3 +trace ltd.rw ns ;; global options: +cmd . 232677 IN NS m.root-servers.net. . 232677 IN NS f.root-servers.net. . 232677 IN NS a.root-servers.net. . 232677 IN NS l.root-servers.net. . 232677 IN NS i.root-servers.net. . 232677 IN NS h.root-servers.net. . 232677 IN NS k.root-servers.net. . 232677 IN NS c.root-servers.net. . 232677 IN NS g.root-servers.net. . 232677 IN NS j.root-servers.net. . 232677 IN NS d.root-servers.net. . 232677 IN NS e.root-servers.net. . 232677 IN NS b.root-servers.net. ;; Received 512 bytes from 137.43.116.19#53(137.43.116.19) in 1 ms rw. 172800 IN NS ns1.ricta.org.rw. rw. 172800 IN NS fork.sth.dnsnode.net. rw. 172800 IN NS ns-rw.afrinic.net. rw. 172800 IN NS sns-pb.isc.org. ;; Received 290 bytes from 2001:500:3::42#53(l.root-servers.net) in 3 ms ltd.rw. 86400 IN NS ns2.ricta.org.rw. ltd.rw. 86400 IN NS ns1.ricta.org.rw. ;; Received 102 bytes from 41.74.173.250#53(ns1.ricta.org.rw) in 202 ms dhcp-c101a88b(niall)8: /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Reverse address entries
On Fri, 28 Jun 2013 13:57:44 -0400 Novosielski, Ryan novos...@umdnj.edu wrote: The short answer is some software once cared. Does it still now, I'm not sure. But we do it. Some still does Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Some Server not Resolving certain address
On 8 Apr 2013, at 14:25, wbr...@e1b.org wrote: Try running dig from each server. And be sure to specify the server address on the dig command line; otherwise whatever test you intend may be diverted by what is specified in /etc/resolv.conf. If you use dig @127.0.0.1 ... you can be sure that the server on which your shell session is running is the one to which dig sends the query. If this is not what you need, use the address of the server's network interface. ATB Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Suspecious DNS traffic
On 25 Mar 2013, at 16:21, babu dheen wrote: Still not convinced because if i need to allow 1024 port from our DNS server to external world(internet).. where is the security? I beleive we just need to allow TCP and UDP 53 from our DNS server to internet(any) which is already done. Not sure why we have to open non standard port from our DNS server to internet? Your DNS server will likely need to send queries to other DNS servers. When it does this, it uses a destination port of 53 and a source port from the range above 1024. It is important for security that it not use a fixed source port, but rather pick one at random for each query. [Hint: Google source port randomization (without the quotes)] The reply to such a query originates from port 53 on the remote server, and is destined for the port on your server which was used as the source of the query. If you block access to high-numbered UDP ports on your server, you block these replies. For TCP, allowing established packet flows is usually sufficient to allow the replies to reach your server. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Blocking private addresses with a optionq
On 14 Mar 2013, at 15:57, Chris Buxton wrote: No, I'm pretty sure the OP wants to strip records from responses if the records are A records referring to private address space (RFC 1918). I've no idea how you would do this. Other than separate views, with a trimmed zone in the external view? /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Blocking private addresses with a optionq
On 14 Mar 2013, at 16:22, Chris Buxton wrote: Well, yes, if the server in question is authoritative for all the data in question. But if it's just a resolver, that may be more difficult. Fair comment. I was (perhaps naïvely) being led by my aversion to open resolvers to assume that any externally-facing name server must be authoritative. Things might not be that simple. /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND9 statistics-server: JSON?
On 15 Feb 2013, at 05:57, Jan-Piet Mens wrote: would there be a chance of ISC adding this to stock BIND9? Even better: would ISC take on the work of doing it? ;-) FWIW: +1 /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: what do you use for logging?
On 17 Jan 2013, at 20:58, Mike Hoskins (michoski) wrote: Syslog as the default is perfectly fine with us. Please keep that as the default, following the principle of least astonishment. I do also use the rotated file method a few places, so hoping that doesn't disappear. I would hope so too, not that we use it. Thanks for asking the list. +1 /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: what do you use for logging?
On 18 Jan 2013, at 06:27, Jan-Piet Mens wrote: Could CLI utility be man(1) and info(1)? :-) It could, yes, but `b10-msg NNN` isn't going to break BIND 10's development budget (I hope), +1 and I feel it to be more practical than scrolling through a man page with 900+ error-messages in it. ;) I'm not sure I see the big practical advantage over 'C-S' in info or '/' in the pager invoked by man. I would see the man page as indispensible, and a bespoke utility as merely cool. /N ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: what do you use for logging?
On 17 Jan 2013, at 18:33, Jeremy C. Reed wrote: BIND 9 by default has logging using syslog, using its daemon facility, and logging of info or higher. Is using syslog a sane default for new installations or when using official vendor packages with their startup scripts? Definitely. Do any packagers provide a configuration with different-than-default logging setup? (What and why?) I'm sorry; I don't know. Apart from one exceptional NetBSD box, I always build from source and avoid whatever the packager offers. Best regards Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Update view without using 2 ip for each DNS Server
On 4 Dec 2012, at 11:23, manman wrote: Is it possible to update the second view when the firstl view is updated without having to assign 2 IPs like now ? You could use a pair of TSIG secrets instead of a pair of IP addresses. There has been discussion about this on the list before, which you can find in the archives. The following links may help. https://lists.isc.org/pipermail/bind-users/2009-August/077479.html https://lists.isc.org/pipermail/bind-users/2012-June/087872.html https://lists.isc.org/pipermail/bind-users/2012-June/087933.html The example in the last one is extracted from a live configuration which I'm responsible for. Best regards, Niall O'Reilly University College Dublin IT Services ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dhcpd
[ Not sure why this thread started on BIND-users: please continue on DHCP-users! ] On 18 Oct 2012, at 13:42, Dwayne Hottinger wrote: I checked the mac addresses of these clients and thus far they are all ipads, ipods or iphones. We see BOOTP transactions here at UCD (in Ireland, not California!) too. I was agreeably surprised to see that our latest monthly statistical report shows these on our copper networks only, not on wireless. IIRC, it's actually very easy for the user to configure any of the iDevices to use DHCP instead of BOOTP. Jim Glassford's suggestion seems good enough to me. On 18 Oct 2012, at 14:28, Jim Glassford wrote: We just continue to deny bootp for subnets that have no need for it and ignore them. Best regards, Niall O'Reilly University College Dublin IT Services ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RH release selection (was: Moving from type forward to type static-stub)
On 21 Sep 2012, at 08:55, Adam Tkac wrote: Because rc2 was released too late to get it into RHEL 6.3... Btw which is the bug that bothers you? Why don't you report it to RH bugzilla? I don't understand why RH would choose to include a release candidate rather than a stable release. /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: question about how a particular dig works ...
On 18 Sep 2012, at 14:45, M. Meadows wrote: dig www.careerone.com.au +short @8.8.8.8 www.careerone.com.au.edgesuite.net. a903.g.akamai.net. 208.44.23.99 208.44.23.121 Why does the above dig work when If you try dig +trace www.careerone.com.au you'll find that the www... subdomain is delegated to a different set of name servers. Besides, there's a CNAME at the apex ... /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ho to filter hundeds of domains ?
On 30 Aug 2012, at 13:14, fddi wrote: I need to implement a bind filter for many hundreds of domains which are considered outlaw and illegal by italian government about gamble games. If I create a named zone for each illegal domain and configure my nameserver as authoritative for those zones, I can catch the DNS resolutions and I can resolve with a local LAN IP with a message for users. But it is really complicate to manage such a high number of domains. Is there another way I could achieve this ? Don't waste your time. This approach is superficial. It doesn't actually prevent access to the target sites, and is likely to be a nuisance for intending users of legitimate services (web sites or others) which fall in the shadow of the intervention you suggest. Besides, if you take this approach, you will have to commit resources to chasing a moving target. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: SRV query with no domain?
On 16 Aug 2012, at 15:42, Christopher Cain wrote: Of course a dig query will fail without the domain appended. Dig takes you query at face value and will not append domains from your search suffix list like nslookup and ping will. You ALWAYS have to fully qualify your requests when using dig. unless you use the +search option ... /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: recursive-clients recommended values
On 12 Jul 2012, at 03:21, blrmaani wrote: I searched earlier posts but noticed that people are recommending it to just increase it to suppress the errors in log. Any pointers on this? If it's set too low for your normal operating circumstances, you do need to increase it. I've never needed to do this, as the default values just works for me. In abnormal operating circumstances, it's probably neither posssible, nor useful to try, to eliminate the log messages. See, for example, https://lists.isc.org/pipermail/bind-users/2009-August/077589.html. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Basic scope question
On 10/07/12 18:07, Bennett, Gary L. wrote: No, have that part. Was just wondering which domain-name-servers parm, global or in DHCP address pool, has precedence. Thanks. The more specific specific over-rides the global one. Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Several (2) different views [SOLVED]
On 3 Jul 2012, at 21:21, Rodrigo Renie Braga wrote: Just giving a feedback, this method worked great, but in my case, didn't have no negate the keys in the ACL (like the example below), I created one key for each ACL in my configuration and used that ACL for the match-clients directive in the view. Congratulations! You seem to have thought of a better (i.e. simpler) way to do it than I did. Learning is a two-way process. ATB Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Several (2) different views
On 15 Jun 2012, at 01:14, Rodrigo Renie Braga wrote: I've been trying to find examples on how to use TSIG to replicate several differents views to a slave server, but I could only find with two views, and I just couldn't figure out how to adapt that example to 3 or more views. Could you send me example on how to accomplish that? Something like what follows below may be what you need. This supports 3 views, keyed on TSIG or by default on client address. For more views, no new ideas are needed. include /etc/select-tsig.keys;// keep keys in protected file acl captive-clients { // Purpose: triage for captive view key select-captive.ucd.ie.; // select on this key ! key select-internal.ucd.ie.;// by-pass ! key select-general.ucd.ie.; // by-pass 10.137.0.0/16;// Target networks 10.193.128.0/19; 10.193.160.0/20; }; acl internal-clients { // Purpose: triage for internal view key select-internal.ucd.ie.; // select on this key ! key select-captive.ucd.ie.; // by-pass (redundant) ! key select-general.ucd.ie.; // by-pass localhost; 172.16.0.0/16;// Special networks 10.224.0.0/16; }; // Clients not otherwise selected are offered general view // special-purpose view: 'captive' view captive { match-clients { captive-clients; }; // view details go here ... }; // End view captive view internal { match-clients { internal-clients; }; // view details go here ... }; // standard view: 'general' view general { match-clients { any; }; // view details go here ... }; I hope this helps. Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Transfer the same zone from a split-view master
On 5 Jun 2012, at 23:01, Carlos Raúl Laguna Mendoza wrote: i read something about using TSIG to get this done but so far nothing Just telling people that you read something doesn't give them enough information to help you. You need to explain what you did, what you expected to happen, and what actually happened. People won't help unless they believe you're making a serious effort; so far, you haven't sent anything which might convince them. Best regards, Niall O'Reilly University College Dublin IT Services ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: erros in logs
On 10 May 2012, at 09:47, Ben wrote: I just enable bind as caching name server and when watching logs i got below erros. You seem to be noticing 3 kinds of error. Network unreachable messages refer only to IPv6 destinations. Perhaps you have IPv6 enabled on the system where you're running named, but don't have any external IPv6 connectivity? Connection refused or format error (duplicated confusingly as FORMERR) indicate that a remote name server has refused to handle your request or has sent a badly-formed response. You can expect to see these all the time when you run a resolver. There are broken and misconfigured servers out there! I hope this helps. Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Restricting access keeping identical data across views
On 28 Mar 2012, at 02:16, Jon A. wrote: I'm looking for a best practice to keep zone data across multiple views on multiple servers sync FWIW, you're not alone. I have three views too, internal, external, and mendacious. The last is for coercing unregistered clients connecting to LANs where registration is required. What we have works. It will need a major overhaul for DNSSEC. I think I know what will be needed, but would find a BP or HOWTO helpful, provided it met my use-case closely enough. I'm not averse to contributing some effort to such a project. ATB Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Restricting access keeping identical data across views
On 28 Mar 2012, at 13:01, Lightner, Jeff wrote: Is signing not done at zone file level? Yes, but that's not the problem. For our views even when the zones are identical I keep separate copies for the internaland external views so I would have thought this wouldn't be an issue. The devil is in the details, which I'll spare you! 8-) Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Master/slave configuration
On 8 Mar 2012, at 02:58, Lyle Giese wrote (on bind-users): On linux boxes, adding options rotate to the /etc/resolv.conf helps. [cross-posted, reply-to header set] Is there a DHCP option which expresses that, and which typical fielded DHCP clients will respect? As you may guess, I don't have access to those thousands of client systems out there. /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: State diagram for DNSsec key lifecycle
On 10 Feb 2012, at 00:57, Mark Andrews wrote: I recommend activate + publish at the same time. Mark, I'ld appreciate knowing your reasoning for preferring this approach over publication for later activation. I suspect I might not be alone. 8-) Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Permissions change after running dnssec-settime bind 9.9.0rc2
On 1 Feb 2012, at 09:52, Phil Mayers wrote: As is probably obvious, I consider it an irritating bug ;o) +1 Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.8.1-P1: 'make test' fails
On 22/11/11 18:10, /dev/rob0 wrote: Is this a manifestation of the same issue as brought up last week? https://lists.isc.org/pipermail/bind-users/2011-November/085593.html I don't think so. I can compile without problem. I see a failure during 'make test' processing, and only for a specific RH release (RHEL ES 3.4) on real i686. The only other RH release which is conveniently available to me is 6.0 on real or VMware guest x86_64, so there is plenty of scope for ignored intermediate data points. If I have occasion to explore further, I'll report anything which seems interesting. /Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND 9.8.1-P1: 'make test' fails
Since quite a few years, I habitually run 'make test' after building BIND from sources. I'me seiing a failure with 9.8.1-P1, and wonder whether anyone else is also. Relevant log fragment is shown below. /Niall S:xfer:Tue Nov 22 11:12:07 GMT 2011 T:xfer:1:A A:System test xfer I:testing basic zone transfer functionality I:testing TSIG signed zone transfers I:reload servers for in preparation for ixfr-from-differences tests I:ns1 server reload successful I:ns2 server reload successful I:ns3 server reload successful I:ns6 server reload successful I:ns7 server reload successful I:updating master zones for ixfr-from-differences tests I:ns1 server reload successful I:ns2 server reload successful I:ns6 server reload successful I:ns7 server reload successful I:testing ixfr-from-differences yes; I:testing ixfr-from-differences master; (master zone) I:testing ixfr-from-differences master; (slave zone) I:testing ixfr-from-differences slave; (master zone) I:testing ixfr-from-differences slave; (slave zone) I:testing that incorrectly signed transfers will fail... I:initial correctly-signed transfer should succeed I:ns4 server reload successful I:failed I:unsigned transfer I:bad keydata I:partially-signed transfer I:unknown key I:incorrect key I:exit status: 1 R:FAIL E:xfer:Tue Nov 22 11:12:40 GMT 2011 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: I can dig a domain but named won't resolve it.
On 22/09/11 01:02, Keith Burgoyne wrote: Any advice would be massively appreciated. The +trace operation which you say is failing for you works from my network -- at home, where I have to use NAT. It looks as if either your network or the nameserver you're using (according to your message, at 24.222.7.12) is misconfigured. If you're prepared to share your nameserver configuration on the list, you may find that some people are minded to give advice. It the problem lies in your network, you'll need to do some packet capture to find out what's not happening. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: I can dig a domain but named won't resolve it.
On 22/09/11 17:34, Keith Burgoyne wrote: Here's the named.conf file from my name server. The meat of your configuration seems to be in the (hidden) included files. Forcing the source of your outgoing queries always to be port 53 is a well-documented bad idea. You might find https://www.dns-oarc.net/oarc/services/porttest an interesting read. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Delegation check failed
On 21 Sep 2011, at 02:08, Kevin Oberman wrote: dig confirms that .com had the glue for water.com. As does dnscheck.iis.se. Indeed, none of the test history (5 tests, today and yasterday) archived for water.com at this site shows any delegation problem. Only a warning is shown against the SOA: Failed to connect to smtpbh1.water.com (12.44.84.193). I guess that this means that an MX host is protected in some way. Is there some other dnscheck that people are using, and which is causing confusion? ATB Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Delegation check failed
On 21/09/11 17:30, Kevin Oberman wrote: Are you running the Undelegated domain test or just the default Domain test? Only the Undelegated domain test is showing the error. It is still reporting it now. This is pretty-well way out of scope for bind-users by now. Thanks for clarifying, Kevin. I hadn't tried the Undelegated domain test until just now. I see. Best rregards Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problems with nic.it
[Not really a BIND matter, but ...] On 20 Sep 2011, at 08:20, Lucio Crusca wrote: Hence I wonder if there existed any public DNS checker that could check a DNS which is not the NS pointed server yet, so that I could check the new DNS myself before submitting a new NS record change and going through the hassle of waiting nic.it automated checks, eventual failure and assistance from my hosting provider. Is there such a thing? I think the checking tool at http://dnscheck.iis.se/?test=undelegated may be what you need. You may find it useful to read the explanation at http://dnscheck.iis.se/?faq=1test=undelegated#f16 before running a test. Another good checking tool may be found at www.zonecheck.fr, but it's less obvious (to me) how to use it for your immediate purpose. I hope this helps. Best regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to Setup a Name Servers visible on Internet?
On 21 Jun 2011, at 08:34, Metropolitan College wrote: named-checkzone metropolitanbuntu.co.za 194.134.41.in-addr.arpa on my master: zone metropolitanbuntu.co.za/IN: NS 'ns1.metropolitanbuntu.co.za' has no address records (A or ) zone metropolitanbuntu.co.za/IN: NS 'ns2.metropolitanbuntu.co.za' has no address records (A or ) zone metropolitanbuntu.co.za/IN: not loaded due to errors. It still not loaded and the NSs do not have bo addresses records Those error messages are telling you need to add some address records to the zone file for each of those name servers. If you think you've already done this, you should look for a spelling error or an omitted dot. Kind regards, Niall O'Reilly ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: AW: ipv6 PTR in zone file
On 12 Apr 2011, at 10:49, Michel de Nostredame wrote: Thanks Walter and Marco. Those two tool/method do resolve short term needs. Thanks again. (btw, the URL form Walter should be ftp://ftp.bieringer.de/pub/linux/IPv6/ipv6calc/ ) Beside them, is any potential possibility to have something build-in in BIND config/zone file as kind of beautiful (my, and my team, personal point of view) solution? Anyone knows if there was any similar discussions inside BIND developer group before? Not that I recall. I'm not sure what benefit you see in adding a feature to the BIND server and tools. I should have thought that a suitable script, either for provisioning your zone file(s) or for applying a dynamic update, would both relieve any burden you currently have, and leave you more flexibility than would an extension to BIND. FWIW, here's yet another way, grabbed from a shell (bash) session. dhcp-c101a88b(niall)4: alias pint alias pint='perl -ne '\''sub BEGIN {print pint } sub END {print \n} printf %s\npint ,eval'\''' dhcp-c101a88b(niall)5: pint pint use Net::IP pint $foo = new Net::IP '2001:db8::42' 3 pint $foo-reverse_ip() 2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. pint ^D dhcp-c101a88b(niall)6: Best regards, Niall O'Reilly ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: About name servers registration
On 10 Mar 2011, at 08:44, Torinthiel wrote: Bujt the procedure still is same. A solution (not necessarilty better) involving less typing would be dig +trace dnsbed.com ns /Niall ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users