Re: queries for "_.domain"

2024-05-17 Thread Stephane Bortzmeyer
On Fri, May 17, 2024 at 03:25:01PM +0200,
 Matus UHLAR - fantomas  wrote 
 a message of 43 lines which said:

> I have noticed that BIND sends strange (for me) queries.
> 
> 5   0.198221 192.168.0.1 → 193.108.88.128 DNS 105 Standard query 0x15a4 A 
> _.net.akadns.net OPT

QNAME minimisation (RFC 9156), probably?
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
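As an added illustration (not part of the thread), the script below lists the queries a QNAME-minimising resolver (RFC 9156) sends for one name, given the zone cuts it already knows. The "_" label follows the query seen in the capture above (A _.net.akadns.net); the target names and the set of known cuts are constructed, and a real resolver learns further cuts from the referrals it receives along the way.

```python
# Added example, not from the thread: the query sequence a QNAME-minimising
# resolver (RFC 9156) sends for one name, given the zone cuts it already knows.
# The "_" label mirrors the query in the capture above (A _.net.akadns.net);
# the names and known cuts used below are constructed for the demonstration.

def labels(name):
    """Absolute name -> list of labels, e.g. 'www.net.akadns.net.' -> ['www', 'net', 'akadns', 'net']."""
    return [label for label in name.rstrip(".").split(".") if label]

def deepest_known_cut(target, known_cuts):
    """Number of labels of the deepest known zone cut that is an ancestor of
    (or equal to) target. The root is always known, so this never fails."""
    parts = labels(target)
    for i in range(len(parts) + 1):
        suffix = (".".join(parts[i:]) + ".") if i < len(parts) else "."
        if suffix == "." or suffix in known_cuts:
            return len(parts) - i
    return 0

def minimised_queries(target, qtype, known_cuts):
    """(qname, qtype) pairs, in order, that a minimising resolver sends for target.

    Resolution starts just below the deepest known cut and reveals one more
    label per step. Intermediate steps ask for type A at the "_"-prefixed
    partial name, as in the capture; only the final query carries the full
    name and the original type, so servers higher in the tree never see it.
    """
    parts = labels(target)
    known = deepest_known_cut(target, known_cuts)
    queries = []
    for n in range(known + 1, len(parts) + 1):
        partial = ".".join(parts[-n:]) + "."
        if n < len(parts):
            queries.append(("_." + partial, "A"))
        else:
            queries.append((partial, qtype))
    if not queries:            # target itself is a known cut: one full query
        queries.append((target, qtype))
    return queries

if __name__ == "__main__":
    # constructed: the resolver already knows the cuts for net. and akadns.net.
    for q in minimised_queries("www.net.akadns.net.", "AAAA", {".", "net.", "akadns.net."}):
        print("%-24s %s" % q)
```

Seeing "_.<something>" A queries in a packet capture or query log is therefore expected from a minimising resolver and is not a sign of misbehaviour; the full name only appears in the last query of each sequence.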


Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Stephane Bortzmeyer
On Wed, Dec 13, 2023 at 05:29:02PM +0100,
 Michel Diemer via bind-users  wrote 
 a message of 1723 lines which said:

> another virtual machine that uses the first one as ics dhcp and dns
> server.

An important thing about DNS: there are two types of DNS servers, very
different. Resolvers and authoritative. They use the same protocol,
and BIND can do both, but they have very different properties.

> I have disabled IPv6 by setting link-local: [] in netplan's setting.

Too bad. This is 2023, not the 20th century.

> The name of the network (dns zone) is "reseau1.lan". When I "dig -4
> reseau1.lan" the AUTHORITY bit is set to 1. 

You mean AA (authoritative answer)?

> Why or when should the AUTHORITY bit set to 1 ? What does it take
> for nslookup to give me an authoritative answer ? 

nslookup is an old and not very satisfying program. I would suggest
using dig instead.

> If I "ping xxx.reseau1.lan" I get an NXDOMAIN answer. Why NXDOMAIN
> and not NOERROR (NODATA) ? The domain "reseau1.lan" exists and my
> dns server is authoritative for this zone (SOA record) but the
> computer "xxx" on this domain does not. Should I use a wildcard dns
> record ?

Adding an entry for the "xxx" subdomain seems simpler.

> I have tried to empty the list of forwarders and disable the dns
> cache ... should I configure a dns-resolver only for the domain
> reseau1.lan and then a dns forwarder for external dns queries ? Or
> maybe configure the resolver for the lan network interface and the
> forwarder on the internet network interface on the dns server ?

I strongly suggest separating resolver and authoritative. You
normally have authoritative answers from the authoritative servers
(surprise!) and non-authoritative from the resolvers, at least when
their cache is warm.



Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Stephane Bortzmeyer
On Tue, Mar 14, 2023 at 11:35:38AM -0400,
 Alexandra Yang  wrote 
 a message of 183 lines which said:

> I wonder if any of your nameserver resolve it just fine, like 8.8.8.8
> works

Among RIPE Atlas probes, most succeed:

% blaeu-resolve --displayvalidation -r 100  --type A gpo.gov
[ (Authentic Data flag)  162.140.14.82] : 46 occurrences 
[162.140.14.82] : 52 occurrences 
[ERROR: SERVFAIL] : 2 occurrences 
Test #50935448 done at 2023-03-14T15:46:50Z

The two whose resolvers servfail may have stricter/paranoid resolvers.




Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Stephane Bortzmeyer
On Tue, Mar 14, 2023 at 11:08:28AM -0400,
 Alexandra Yang  wrote 
 a message of 154 lines which said:

> I wonder if anyone can shed some light on this, our nameserver(BIND
> 9.16.37 )keeps giving error on resolving gpo.gov and ns3.gpo.gov,
> here are the
> errors:

"DS record for zone gpo.gov with keytag 18496 was created by digest
algorithm 1 (SHA-1) which is deprecated."
https://zonemaster.fr/en/result/9161c8485223705c



Re: Setting Up An Running Your Own Dmarc using Bind DNS

2022-06-27 Thread Stephane Bortzmeyer
On Mon, Jun 27, 2022 at 02:16:26PM -0400,
 daniel jay foran  wrote 
 a message of 370 lines which said:

> I cant be the only one that has racked his brains and written
> hundreds of lines of code trying to get ISC BIND 9 to authenticate
> Dmarc records correctly.

I'm not sure I understand you since it is clearly not BIND's job to
authenticate DMARC records. It loads them and serves them, period.

Also, I do not understand the writing of "hundreds of lines of
code". The code to load DMARC records has been in BIND for a very long
time since they are just TXT records.

> @ IN TXT v=DMARC1; p=reject; rua=mailto:dmarc_rep...@mail.netassoc.net;
> ruf=mailto:demarc_foren...@mail.netassoc.net; fo=1;

Quotes, maybe?

Also, DMARC records need to be at _dmarc under the apex, not at the
apex.

Then, the best way to test your DMARC records is to use an
auto-responder with diagnostics like p...@tools.mxtoolbox.com or
.


Re: Supporting LOC RR's

2022-05-02 Thread Stephane Bortzmeyer
On Wed, Apr 13, 2022 at 03:39:33PM +0200,
 Bjørn Mork  wrote 
 a message of 14 lines which said:

> Which problems do LOC solve?
> 
> I remember adding LOC records for fun?() in the previous millennium when
> RFC 1876 was fresh out of the press.  But even back then paranoia
> finally took over, and I deleted all of them.
> 
> Don't think I ever found anything to actually use them for.

Fun is a sufficient reason.

French zip codes to LOC:

% dig +short +nodnssec LOC 34000.cp.bortzmeyer.fr
43 36 47.108 N 3 52 9.113 E 0.00m 1m 1m 10m

https://www.bortzmeyer.org/dns-code-postal-lonlat.html (in French)


Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Stephane Bortzmeyer
On Sat, Jan 08, 2022 at 06:10:26PM +,
 Jason Vas Dias  wrote 
 a message of 72 lines which said:

> What are "RIPE Atlas Probes" ?

Small boxes that volunteers from all over the world install in various
networks to run active measurements (DNS, ping, traceroute, etc). Very
handy to see the Internet from various vantage points.

https://atlas.ripe.net/

> Could I perhaps use these to improve my BIND DNS server so it
> can query the Google Hidden Internet too ?

Again, several people explained to you that your assessment is wrong,
that you are delusional and there is no such thing as "Google Hidden
Internet". (I can resolve the name just fine, and I use zero Google
service.)

> And with the HSE.IE about putting their covid appointment
> booking service on a Google Hidden Internet URL

Stop this crap. If you frame the problem this way, I understand that
people will refuse to reply to you.

> But I still do not understand:
>  o what is different about your RIPE Atlas Probes and the Google
>DNS servers, that they can query this domain name, but the
>BIND servers cannot ?

As was explained to you by several persons, BIND is not at fault
here. The problem is that YOU decided to forward to apparently broken
resolvers.

>  o How can I avoid this problem in the future - ie. is there any
>extension to BIND that can query the Google Hidden Internet
>without accessing Google DNS servers ?

Bullshit, crap, etc.



Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Stephane Bortzmeyer
On Sat, Jan 08, 2022 at 04:55:24PM +0100,
 Stephane Bortzmeyer  wrote 
 a message of 52 lines which said:

> This domain name seems OK for me but I notice that a fair number of
> RIPE Atlas probes in Ireland return a fake NXDOMAIN for this name:

On Twitter, an Irish DNS expert said that it happened
before. Apparently, many ISPs use a blacklist without thinking and this
blacklist includes legitimate domain names.


Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Stephane Bortzmeyer
On Sat, Jan 08, 2022 at 03:34:37PM +,
 Jason Vas Dias  wrote 
 a message of 146 lines which said:

>"Book An Appointment": https://covid19booster.healthservice.ie/
> 
>to make an appointment, Firefox and Chrome both return 
>"Server Not Found" errors .

This domain name seems OK for me but I notice that a fair number of
RIPE Atlas probes in Ireland return a fake NXDOMAIN for this name:

% blaeu-resolve --type A --requested 100 --country IE
covid19booster.healthservice.ie
[ERROR: SERVFAIL] : 1 occurrences
[52.214.178.78 52.50.21.250] : 18 occurrences
[ERROR: NXDOMAIN] : 5 occurrences
Test #34762484 done at 2022-01-08T15:48:27Z

So it seems it is blacklisted in some resolvers.

>   Visiting internic.net's whois server shows no records for
>   covid19booster.healthservice.ie,

Why go to this US site and not to the site of the Irish registry?

>   Whois Lookup 'covid19booster.healthservice.ie':
>   "
> No registry RDAP server was identified for this domain. Attempting lookup 
> using WHOIS service.

Indeed, .ie has no RDAP server.

>   So it appears that human rights and Covid protection in Ireland are 
>   only granted to users of Google's DNS servers.

This is clearly a gross exaggeration (see my test with RIPE Atlas
probes).

>I thought the DNS was meant to be global, and publicly
>available ?

In Europe, censorship of domain names through lying resolvers is quite
common. 
> 
>What secret sauce do Google DNS servers have that is not
>available to servers run by other operators ?

Nothing (I can resolve the name from my own resolver in France).

>Who should I sue about this ?
>Either :
> A) My ISP, for not giving me access to the whole
>internet & DNS system, for which I pay them
>€50 per month ;

This is obviously the first place to ask.

> B) HSE, for discriminating against those who
>do not use Google DNS services, denying them
>access to Covid vaccination appointments ;

This is false (and close to libel).

> C) Google, for destroying the 'global, publically available'
>nature of the DNS and Internet, and for hiding essential
>health information from non-Google users ? 
>I guess they'd prefer non-Google users to just die off soon.

Same remark.

>   If anyone could please suggest a way of resolving names like
>   'covid19booster.healthservice.ie' without using Google's DNS
>   servers, please let me know, I'd be much obliged.

Use your own resolver.



Re: Getting the name of responding server(s)

2021-09-09 Thread Stephane Bortzmeyer
On Thu, Sep 09, 2021 at 12:33:22PM +0200,
 Matus UHLAR - fantomas  wrote 
 a message of 59 lines which said:

> Note that some domains can be horribly broken and different
> nameservers can send different NS, or no NS at all but SOA.

Doing this sort of survey on the wild (and wide) Internet leads
rapidly into a deep rabbit hole :-)

If you go that way, one may also add to the requirements: "test the
name servers returned, to see if they actually reply (and with bit
AA)".


Re: Getting the name of responding server(s)

2021-09-09 Thread Stephane Bortzmeyer
On Thu, Sep 09, 2021 at 03:20:14AM -0700,
 Ronald F. Guilmette  wrote 
 a message of 48 lines which said:

> I don't want and don't need SOA records.  I want and need only the
> relevant NS records.

The algorithm proposed by Matt Pounsett uses the SOA but only to find
the NS (through the name of the closest enclosing ancestor domain).




Re: Getting the name of responding server(s)

2021-09-09 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 10:48:57AM -0400,
 Matthew Pounsett  wrote 
 a message of 32 lines which said:

> Yeah, you can pretty reliably get the answer in one or two steps by
> requesting the NS set for the FQDN.  You'll either get your answer, or
> get an SOA with the name of the enclosing zone.  Second lookup gets
> you the NS set for the enclosing zone.

Indeed (unless you find a broken resolver that fails to send the SOA).

I was thinking of another issue: if the goal of the OP is to find
which domain names are on the same authoritative name servers, asking
the NS may not be sufficient, if a name server is known by several
names (for instance, a.nic.sex and a.nic.sucks are the same
machine). So, the OP may have to do a resolution of nameservers' names
into IP addresses, as well.



Re: Getting the name of responding server(s)

2021-09-07 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 12:40:14PM -0700,
 Ronald F. Guilmette  wrote 
 a message of 36 lines which said:

> >I'm not aware of a tool (free software or not) which does it. Some
> >programming will be required.
> 
> I was afraid of that, but thank you for confirming.

Don't despair, see the other messages in the thread (by Matt Pounsett
and myself).


Re: Getting the name of responding server(s)

2021-09-07 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 09:44:43AM +0200,
 Stephane Bortzmeyer  wrote 
 a message of 34 lines which said:

> I'm not aware of a tool (free software or not) which does it. Some
> programming will be required.

Attached is an example program. Free software licence, whatever you
prefer. Requires Python and the dnspython library. For many many
requests, it would probably be better to parallelize it. 

% ./list-auth.py bortzmeyer.org www.bortzmeyer.org fr toto.tata.trucmachin.fx 
3.3.1.0.6.8.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.4.3.1.c.7.6.0.1.0.0.2.ip6.arpa  
lists.isc.org tristatelogic.com

bortzmeyer.org.: ns3.absolight.net. ns2.bortzmeyer.org. ns4.bortzmeyer.org. 
ns.eu.org. ns2.absolight.net. ns1.bortzmeyer.org. 

www.bortzmeyer.org.: ns2.absolight.net. ns1.bortzmeyer.org. ns3.absolight.net. 
ns2.bortzmeyer.org. ns4.bortzmeyer.org. ns.eu.org. 

fr.: d.nic.fr. e.ext.nic.fr. f.ext.nic.fr. g.ext.nic.fr. 

toto.tata.trucmachin.fx.: DOES NOT EXIST

3.3.1.0.6.8.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.4.3.1.c.7.6.0.1.0.0.2.ip6.arpa.: 
ns3.nic.fr. ns1.nic.fr. ns2.nic.fr. 

lists.isc.org.: ns.isc.afilias-nst.info. ns1.isc.org. ns3.isc.org. ns2.isc.org. 

tristatelogic.com.: t1.zoneedit.com. t2.zoneedit.com. 

#!/usr/bin/env python3

# Walk up the name, one label at a time, until the resolver returns an
# NS RRset in the answer section: that is the zone holding the name.
# Requires the dnspython library.

import dns.message
import dns.name
import dns.query
import dns.rcode
import dns.rdatatype
import dns.resolver

import sys

resolver = None # Use the default resolver. Set to an IP address otherwise.

def parent(name):
    # Drop the leftmost label (the root is its own parent).
    return dns.name.Name(name[1:])

def get_ns(name):
    message = dns.message.make_query(name, dns.rdatatype.NS, use_edns=True,
                                     want_dnssec=False)
    response = dns.query.udp(message, resolver)
    if response.rcode() == dns.rcode.NXDOMAIN:
        return "DOES NOT EXIST"
    elif response.rcode() != dns.rcode.NOERROR:
        return "SOMETHING WENT WRONG"
    if len(response.answer) > 0:
        result = ""
        for rrset in response.answer:
            for record in rrset:
                if record.rdtype == dns.rdatatype.NS:
                    result += "%s " % record.target
        return result
    elif name == dns.name.root:
        # The root must answer with its NS set; stop rather than loop forever.
        return "SOMETHING WENT WRONG"
    else:
        # NODATA: the name exists but is not a zone apex, try its parent.
        return get_ns(parent(name))

if resolver is None:
    resolver = dns.resolver.Resolver().nameservers[0]
print("Using the resolver %s" % resolver)
print()
for arg in sys.argv[1:]:
    name = dns.name.from_text(arg)
    print("%s: " % name, end="")
    print(get_ns(name))
    print()
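As an added example (not the script attached above, nor anything from the thread), the following implements the two-step approach discussed earlier in this thread, an NS query for the name itself and, on NODATA, a second NS query for the zone named by the SOA in the authority section, and then the extra step of resolving the nameserver names to addresses so that zones served by the same machine under different nameserver names are grouped together. Everything runs offline against a constructed stub resolver; the zone names, nameserver names and addresses are made up for the demonstration.

```python
# Added example, not from the thread: closest-enclosing-zone lookup via the SOA
# in the authority section, then grouping names by the addresses of their
# nameservers. The StubResolver and all names/addresses below are constructed.

from collections import namedtuple

Response = namedtuple("Response", "rcode answer authority")   # records as (owner, type, rdata)

class StubResolver:
    """Offline stand-in for a recursive resolver, answering from constructed data."""
    def __init__(self, zones, hosts, addresses):
        self.zones = zones            # zone apex -> list of NS names
        self.hosts = hosts            # names that exist below an apex
        self.addresses = addresses    # host name -> set of IPv4 addresses

    def zone_of(self, name):
        labels = name.split(".")
        for i in range(len(labels)):              # longest matching apex
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def query(self, name, rtype):
        zone = self.zone_of(name)
        if zone is None:
            return Response("REFUSED", [], [])
        soa = [(zone, "SOA", "constructed SOA rdata")]
        if name == zone:
            if rtype == "NS":
                return Response("NOERROR", [(name, "NS", ns) for ns in self.zones[name]], [])
            return Response("NOERROR", [], soa)                        # NODATA
        if name in self.hosts or name in self.addresses:
            if rtype == "A":
                return Response("NOERROR", [(name, "A", ip) for ip in sorted(self.addresses.get(name, ()))], [])
            return Response("NOERROR", [], soa)                        # NODATA
        return Response("NXDOMAIN", [], soa)

def delegation_for(resolver, name):
    """(zone, NS set) for the closest enclosing zone of name, or None if the
    name does not exist. At most two queries: NS for the name; if that is
    NODATA, the SOA owner in the authority section is the zone, queried once more."""
    resp = resolver.query(name, "NS")
    if resp.rcode == "NXDOMAIN":
        return None
    if resp.rcode != "NOERROR":
        raise RuntimeError("%s: %s" % (name, resp.rcode))
    ns = {rdata for _, rtype, rdata in resp.answer if rtype == "NS"}
    if ns:
        return name, ns
    zone = next((owner for owner, rtype, _ in resp.authority if rtype == "SOA"), None)
    if zone is None:
        raise RuntimeError("%s: NODATA without SOA, broken resolver?" % name)
    resp = resolver.query(zone, "NS")
    return zone, {rdata for _, rtype, rdata in resp.answer if rtype == "NS"}

def server_addresses(resolver, ns_names):
    """Addresses behind a set of nameserver names (two names, one machine, is common)."""
    ips = set()
    for ns in ns_names:
        ips.update(rdata for _, rtype, rdata in resolver.query(ns, "A").answer if rtype == "A")
    return frozenset(ips)

def group_by_servers(resolver, names):
    """Map each distinct set of nameserver addresses to the names it serves."""
    groups = {}
    for name in names:
        deleg = delegation_for(resolver, name)
        if deleg is None:
            continue
        groups.setdefault(server_addresses(resolver, deleg[1]), []).append(name)
    return groups

RESOLVER = StubResolver(     # constructed data
    zones={
        "example.": ["ns1.example.", "ns2.example."],
        "corp.example.": ["ns1.example.", "ns.other.test."],
        "other.test.": ["ns.other.test."],
    },
    hosts={"host.example.", "www.corp.example.", "mail.other.test."},
    addresses={
        "ns1.example.": {"192.0.2.1"},
        "ns2.example.": {"192.0.2.2"},
        "ns.other.test.": {"192.0.2.1"},   # same machine as ns1.example.
    },
)

if __name__ == "__main__":
    for ips, names in group_by_servers(RESOLVER, ["www.corp.example.", "mail.other.test.", "host.example.", "nope.example."]).items():
        print(sorted(ips), names)
```

corp.example. and other.test. are served under different nameserver names, but both sets resolve to the single address 192.0.2.1, so grouping by NS name alone would count them as separate infrastructure.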


Re: Getting the name of responding server(s)

2021-09-07 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 12:33:59AM -0700,
 Ronald F. Guilmette  wrote 
 a message of 33 lines which said:

> My question is rather a simple one.  Given some FQDN `D' and given
> some DNS record type 'T' (e.g. either A or  or perhaps even PTR)
> does there exist some open source command line tool that can tell me
> the names of the DNS servers to which the final authority for
> answering a query about the tuple (D, IN, T) is delegated?

T is irrelevant since delegation does not depend on the type.

> I know that I can get this information by using "dig +trace", but that seems
> to be rather slow to me (wall clock time), and I want to be doing
> this a lot.

The only solution is chasing the delegations from the root (which is
what dig +trace is doing). Caching speeds it up, which is why it is
better to go through your resolver than to use dig +trace.

> So, does anyone know of an open source command line tool that can do just
> that, preferably quickly?

I'm not aware of a tool (free software or not) which does it. Some
programming will be required.


Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 02:03:52PM -0400,
 Kevin A. McGrail  wrote 
 a message of 8 lines which said:

> Firewalls are cheap and the level of effort to run a bastion host are
> significant.

Firewalls are useful when you want to protect unmanaged printers and
Windows boxes (or Web servers with a lot of crappy PHP) but a BIND
server on a reasonably managed Unix box does not need them.



Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 11:16:05AM -0700,
 Fred Morris  wrote 
 a message of 50 lines which said:

> 2) If you want to run your own DNS nameservers, you will need to buy a
>book, read the (BIND) Administrator's Reference Manual, and/or some
>RFCs

Very bad advice. RFCs are not for the faint of heart and the RFCs on
DNS (RFC 1034 and 1035) are among the most difficult. And they were
never kept up-to-date so there are a lot of obsolete things in them.


Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 04:57:16PM +,
 Jason Long via bind-users  wrote 
 a message of 173 lines which said:

> I have two static IP addresses. One is for DNS server and one is for
> my website.

Note that you can put the two servers on the same machine, using the
same IP address, since the two protocols use different ports (53 for
DNS and 443 for HTTP).



Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 04:36:58PM +,
 Jason Long via bind-users  wrote 
 a message of 1594 lines which said:

> in the panel of it, I can enter my DNS server IP addresses.

I assume you refer to the panel of your domain name registrar. If so,
it would be useful to know what the label near the field where you
enter the IP address is. It may be to give an IP address to
www.yourdomainname, not to indicate your DNS server.

> I want to launch a CentOS DNS server that my Web site using it and
> users can visit my website from the Internet.

I have a meta-question: do you absolutely want to host the DNS
yourself (it is certainly possible but it is more work) or do you just
want to have "a Web site that people can visit"? If you don't have a
specific reason to host the DNS server(s) yourself, consider using a
DNS hoster (most domain name registrars can be DNS hosters).

"For the fun" or "to learn DNS" are perfectly valid reasons.

> All tutorials that I found on the internet are about internal DNS
> servers, but I want to launch a DNS server for hosting my website.

There is no real difference between an internal DNS server and a
publicly reachable one. Same DNS, same software.

> Is Internet DNS server just possible for providers?

Certainly not. You can host a publicly reachable DNS server
yourself. It is not rocket science but it requires some basic
knowledge about the TCP/IP family of protocols and about how things
fit together.


Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 06:45:01PM +0200,
 Michael De Roover  wrote 
 a message of 65 lines which said:

> Your router can port forward traffic to port 53/udp to your local IP
> that your DNS server is on.

He said that the DNS server has a public IP address so port forwarding
is probably not necessary. 


Re: DNS security, amplification attacks and recursion

2020-07-07 Thread Stephane Bortzmeyer
On Tue, Jul 07, 2020 at 03:00:13PM +0200,
 Michael De Roover  wrote 
 a message of 46 lines which said:

> The command used to test this was apparently "dig +short
> test.openresolver.com TXT @your.name.server".

ANY instead of TXT may be more efficient (especially with +dnssec), if
the goal is to get the maximum amplification. Of course, if the server
implements RFC 8482, ANY won't help.

> Authoritative name servers may not need a huge DNS infrastructure
> for a small-ish zone (say under 1k records), but recursors on the
> scale of Google and Cloudflare in particular (not sure how popular
> Quad9 is so far).. those use massive infrastructure including
> anycast and everything! I'd consider it safe to assume that their
> servers are at least on the order of 100Gbps cumulatively, if not
> more.

This is precisely what makes them dangerous. They are good reflectors
(good from the point of view of the attacker). On the other hand, they
typically implement various forms of rate-limiting, and they are
monitored closely by knowledgeable professionals so, they may not be
good reflectors after all.

> If these would be vulnerable to amplification attacks just because
> they allow recursion,

They're not vulnerable, this attack works by reflection (just like the
NTP attack you mentioned) so they are not the potential victims, they
could be used as helpers.



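As an added example (not from the thread), the small model below shows what the two defences mentioned in this message do to a reflector's output: minimal answers to ANY (RFC 8482) and per-source response rate limiting. The query stream and the byte sizes are constructed and only illustrative; real response sizes depend on the zone contents and the EDNS buffer size, and real rate limiters (BIND's response-rate-limiting, for one) key on more than the source address.

```python
# Added example, not from the thread: a reflector's bytes in vs. bytes out under
# minimal ANY answers (RFC 8482) and per-source response rate limiting.
# All sizes and the query stream are constructed; they are not measurements.

from collections import defaultdict

QUERY_SIZE = 60                     # constructed: bytes of a small EDNS query
RESPONSE_SIZE = {                   # constructed: (qtype, dnssec) -> reply bytes
    ("A", False): 80,    ("A", True): 320,
    ("TXT", False): 250, ("TXT", True): 600,
    ("ANY", False): 900, ("ANY", True): 3200,
}
MINIMAL_ANY_SIZE = 80               # constructed: RFC 8482-style single-RRset ANY reply

def response_size(qtype, dnssec, minimal_any):
    if qtype == "ANY" and minimal_any:
        return MINIMAL_ANY_SIZE
    return RESPONSE_SIZE[(qtype, dnssec)]

def simulate(queries, minimal_any=False, responses_per_second=None):
    """(bytes_in, bytes_out, amplification) for a stream of
    (timestamp, source_ip, qtype, dnssec) queries. source_ip is the address the
    reply is sent to; in a reflection attack it is the victim's, which is why
    only the reflector can decide how much it sends back."""
    sent = defaultdict(int)           # (source, second) -> replies already sent
    bytes_in = bytes_out = 0
    for ts, src, qtype, dnssec in queries:
        bytes_in += QUERY_SIZE
        key = (src, int(ts))
        if responses_per_second is not None and sent[key] >= responses_per_second:
            continue                  # per-source limit reached: reply dropped
        sent[key] += 1
        bytes_out += response_size(qtype, dnssec, minimal_any)
    return bytes_in, bytes_out, bytes_out / bytes_in

# constructed stream: a burst of DNSSEC ANY queries "from" one address within
# a single second, plus two ordinary A lookups from another
SAMPLE_QUERIES = [(i * 0.05, "198.51.100.7", "ANY", True) for i in range(10)] + [
    (0.3, "192.0.2.5", "A", False),
    (0.7, "192.0.2.5", "A", False),
]

def compare(queries=SAMPLE_QUERIES, limit=5):
    """Amplification factor under each combination of the two defences."""
    return {
        "none": simulate(queries)[2],
        "minimal_any": simulate(queries, minimal_any=True)[2],
        "rate_limit": simulate(queries, responses_per_second=limit)[2],
        "both": simulate(queries, minimal_any=True, responses_per_second=limit)[2],
    }

if __name__ == "__main__":
    for setting, factor in compare().items():
        print("%-12s amplification x%.1f" % (setting, factor))
```

With these constructed numbers the burst of DNSSEC ANY queries gives a factor above 40 with no defences, minimal ANY answers alone bring it near 1, and rate limiting alone halves it while still answering the legitimate A queries from the other source.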


Re: Bind 9 not responding to queries

2020-04-12 Thread Stephane Bortzmeyer
On Sun, Apr 12, 2020 at 01:41:52AM +,
 sir izake  wrote 
 a message of 153 lines which said:

> At specific times of day bind fails to respond to queries even
> though service is shown to run (configured to respond to my network
> IPs, this works fine till this time when service fails to answer
> queries)

The problem may be because of another component in your network. Are
you sure there is not some sort of firewall or IPS in front of BIND,
which decided to drop packets? Check with tcpdump or similar tools
that the machine with BIND does receive the queries.

> Apr 11 22:38:09 #  kernel: TCP: request_sock_TCP: Possible SYN flooding
> on port 53. Sending cookies.  Check SNMP counters.

This may indeed be a DoS attack but may be not. Check with tcpdump
what sort of traffic you receive. Also, the message is for TCP but DNS
works mostly with UDP so it may have nothing to do with your problem.

> Could  log point to DDoS attack ( how do i mitigate)

It depends. There is no general rule to deal with DoS attacks, you need
to investigate first.


Re: Unable to completely transfer root zone

2020-02-11 Thread Stephane Bortzmeyer
On Mon, Feb 10, 2020 at 02:32:55PM -0500,
 Warren Kumari  wrote 
 a message of 70 lines which said:

> Also, can you try:
> dig +tcp . axfr @192.0.32.132
> dig +tcp . axfr @192.0.47.132
> dig +tcp . axfr @b.root-servers.net
> 
> (no, I'm not really sure why trying with the first 2 IPs instead of
> hostname

Because you know that IPv6 and IPv4 may exhibit different issues.


Re: Strange DNS problem

2019-06-10 Thread Stephane Bortzmeyer
On Mon, Jun 10, 2019 at 05:43:02PM +,
 Jukka Pakkanen  wrote 
 a message of 58 lines which said:

> Then, unfortunately our nameservers won't resolve ns.kpk.fi either.

Same authoritative name server, same problem. See my email.

% dig @ns.datatower.fi. NS kpk.fi.

;; Warning: Client COOKIE mismatch


Re: Strange DNS problem

2019-06-10 Thread Stephane Bortzmeyer
On Mon, Jun 10, 2019 at 02:28:46PM +,
 Jukka Pakkanen  wrote 
 a message of 382 lines which said:

> An example, the client domain is raimoasikainenoy.fi.

dig clearly says it's a cookie issue:

% dig @193.184.54.212 NS raimoasikainenoy.fi

;; Warning: Client COOKIE mismatch

And DNSviz confirms:

http://dnsviz.net/d/raimoasikainenoy.fi/dnssec/

Your tests show that it fails only when you use cookies, which is
consistent with the above:

> ; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi raimoasikainenoy.fi ns
...
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 55ba199a6d905273458bc2065cfe655462f150936d882603 (good)

> ; <<>> DiG 9.14.2 <<>> @8.8.8.8 raimoasikainenoy.fi ns
...
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512

(Bad Google, no cookies)

So, they have broken authoritative name servers.



Re: cyberia.net.sa

2018-06-26 Thread Stephane Bortzmeyer
On Tue, Jun 26, 2018 at 03:36:25PM +0200,
 Matus UHLAR - fantomas  wrote 
 a message of 19 lines which said:

> Some web DNS checkers do great job.

And some are really bad and/or broken. Let's mention the right ones:

https://dnsviz.net/

https://zonemaster.net/


Re: My domain name name not propagating through the Internet.

2018-05-26 Thread Stephane Bortzmeyer
On Sat, May 26, 2018 at 12:57:26PM -0400,
 Rick Dicaire  wrote 
 a message of 276 lines which said:

> Hi Thomas, obfuscating IP addresses doesn't help in the least.

No problem, the IP address is known by the TLD name servers.

% dig @a.gtld-servers.net ns1.sleepyvalley.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @a.gtld-servers.net ns1.sleepyvalley.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns1.sleepyvalley.net.  IN A

;; AUTHORITY SECTION:
sleepyvalley.net.   172800 IN NS ns1.sleepyvalley.net.
sleepyvalley.net.   172800 IN NS sdsn1.ovh.ca.

;; ADDITIONAL SECTION:
ns1.sleepyvalley.net.   172800 IN A 144.217.11.151

;; Query time: 294 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Sat May 26 17:29:30 GMT 2018
;; MSG SIZE  rcvd: 590

> Did you register the nameserver ns1.sleepyvalley.net with your domain
> registrar?

Yes, he did. See above.


Re: My domain name name not propagating through the Internet.

2018-05-26 Thread Stephane Bortzmeyer
On Sat, May 26, 2018 at 11:44:58AM -0500,
 Thomas Strike  wrote 
 a message of 269 lines which said:

> they say that the problem is with my server.

They were right.

> I am here asking for fresh sets of eyes to look at my setup file and the
> domain zone record that is at issue. My domain is sleepyvalley.net and my
> primary dns server is ns1.sleepyvalley.net.

This server does not reply over UDP, only TCP. 

% dig @144.217.11.151 NS sleepyvalley.net
; <<>> DiG 9.10.3-P4-Debian <<>> @144.217.11.151 NS sleepyvalley.net
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


% dig +tcp @144.217.11.151 NS sleepyvalley.net


; <<>> DiG 9.10.3-P4-Debian <<>> +tcp @144.217.11.151 NS sleepyvalley.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49349
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;sleepyvalley.net.  IN NS

;; ANSWER SECTION:
sleepyvalley.net.   38400 IN NS sdns1.ovh.ca.
sleepyvalley.net.   38400 IN NS ns1.sleepyvalley.net.

;; ADDITIONAL SECTION:
ns1.sleepyvalley.net.   38400 IN A 144.217.11.151

;; Query time: 93 msec
;; SERVER: 144.217.11.151#53(144.217.11.151)
;; WHEN: Sat May 26 19:26:36 CEST 2018
;; MSG SIZE  rcvd: 105


Re: TLD Registries supporting RFC 7344/8078

2018-03-13 Thread Stephane Bortzmeyer
On Tue, Mar 13, 2018 at 10:52:50AM +0100,
 Carsten Strotmann  wrote 
 a message of 19 lines which said:

> is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078)
> already supported at the TLD level somewhere? I know it is implemented
> in BIND 9.11+ and Knot, but can it be used in the real Internet :)

I believe that .cz does it, you have to ask your neighbors.


Re: BIND9 and AS112

2018-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 09, 2018 at 03:28:18PM +0300,
 Diarmuid O Briain  wrote 
 a message of 427 lines which said:

> However quite frankly I do not get how the AS112 service is accessed via
> anycast.

Did you configure your routing as mentioned in section 3.4 of RFC 7534?

> Another thing that is confusing me is the fact that the* named.conf *file
> in RFC7534 has no IPv6 zones directed to *db.db-empty*.

You mean ip6.arpa zones? They were not important when AS112 was
launched and, now, there is no way to add zones to the old AS
112. But, yes, they should, IMHO, be DNAME-delegated to
empty.as112.arpa.


Re: BIND9 and AS112

2018-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 09, 2018 at 12:32:41PM +0300,
 Diarmuid O Briain  wrote 
 a message of 122 lines which said:

> Mar 09 08:11:43 as112 named[3787]: internal_send: 2620:4f:8000::42#53:
> Invalid argument
> Mar 09 08:11:43 as112 named[3787]: internal_send: 192.175.48.42#53: Invalid
> argument

I suspect that your machine is not configured for these IP
addresses. See with ifconfig or ip addr show.


Re: Suggestions for a distributed DNS zone hosting solution I'm designing

2018-03-09 Thread Stephane Bortzmeyer
On Thu, Mar 08, 2018 at 12:52:57PM +0000,
 Tony Finch  wrote 
 a message of 49 lines which said:

> Best way to achieve this is with anycast, which can be pretty
> time-consuming to set up - try searching for Nat Morris's
> presentation "anycast on a shoestring" which he gave at several NOG
> meetings.  The advantage of anycast (as opposed to having NS records
> in lots of locations) is that you are depending less on resolvers to
> work out for themselves which of your servers is fastest.

It seems to me a DISadvantage of anycast. Resolvers use actual RTT to
find the fastest server while BGP uses metrics which are far from
optimal. The advantage of anycast is isolation of local DDoS, and the
ability to have many more servers. Because of the above DISadvantage,
I would advocate against a zone with only one anycasted server (even
if it works in theory).

> IXFR+NOTIFY will achieve this, without much effort,

Remember that NOTIFY packets can be lost (it's ordinary UDP). Can BIND
do NOTIFY over TCP?

> > 1. How can I examine DNS resolution times using this platform (or other
> > platforms to compare with) in different geographic areas of the world
> > without first deploying it?
> 
> There are some distributed measurement platforms such as RIPE ATLAS.
> (I can't think of any others off the top of my head.)

Atlas is great but the OP said "without first deploying it". (And I
believe he asks for the impossible.)


Re: dnssec validation issue

2017-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 24, 2017 at 09:33:32AM +0600,
 Ganga R. Dhungyel  wrote 
 a message of 677 lines which said:

> # dig @localhost www.icann.org A +dnssec

When you suspect a DNSSEC issue, always retry dig with +cd (Checking
Disabled). And post the result.



Re: Forward record for WWW

2016-05-05 Thread Stephane Bortzmeyer
On Thu, May 05, 2016 at 04:06:06PM +0000,
 Cuttler, Brian R. (HEALTH)  wrote 
 a message of 34 lines which said:

> I configured the change for my external test server only
> (199.184.16.7, which is _probably_ available for external query)

No.

% dig @199.184.16.7 A wadsworth.org

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @199.184.16.7 A wadsworth.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


Re: Forward record for WWW

2016-05-05 Thread Stephane Bortzmeyer
On Thu, May 05, 2016 at 03:42:24PM +0000,
 Cuttler, Brian R. (HEALTH)  wrote 
 a message of 29 lines which said:

> External record in the zone file is actually
> wadsworth.org. 300 IN A 199.184.16.22

None of the three name servers for wadsworth.org serve this A record.

It seems the master was *not* reloaded. Did you check its BIND logs to
see? Maybe the new zone with the A record at the apex was rejected
for some reason.


Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread Stephane Bortzmeyer
On Wed, May 04, 2016 at 02:02:24PM -0400,
 Rob Heilman  wrote 
 a message of 305 lines which said:

> We run BIND 9.9.5-9 on Debian x86_64 to support a moderately sized
> email hosting system.  System info listed at the end of this
> message.  We are seeing intermittent but frequent issues resolving
> Microsoft records.  The hostnames are usually in the form of
> *.mail.protection.outlook.com

protection.outlook.com has a legal but unusual setup. It has only two
name servers (not enough for an important domain) but each has several
IP addresses. It should work because the RFC says that the resolver
has to try every _address_ not just every name. And I'm confident BIND
does the right thing.

However, one can note that both name servers have _exactly_ the same
set of IP addresses. Again, it should work, but this setup is strange.


Re: Monitor DNS queries toward Root servers

2016-05-04 Thread Stephane Bortzmeyer
On Wed, May 04, 2016 at 07:03:13PM +1000,
 Mark Andrews  wrote 
 a message of 15 lines which said:

> fill in with the rest of the root servers names.

And if you don't like to type, or if you use another root:

sudo tcpdump -n -i ${INTERFACE} port 53 and \( $(for ns in $(dig +nodnssec \
+short NS .); do echo host $(dig +short +nodnssec $ns) or; done) host \
2001:db8::1 \)
# Last (dummy) host just to use the last "or"


Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 07:32:48AM -0700,
 Matthew Pounsett  wrote 
 a message of 49 lines which said:

> One of these days I'd like to lead a serious lobbying effort against
> the browser developers at the W3C to have SRV records for HTTP
> standardized.

I fully agree and, if you're brave enough to propose it to the DNSOP
working group at IETF, I volunteer for reviewing/etc.

There is a starting point:

https://datatracker.ietf.org/doc/draft-andrews-http-srv/


Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 10:23:19AM -0400,
 Barry Margolin  wrote 
 a message of 28 lines which said:

> You would only be able to do this if you could put the CNAME record
> in the parent domain, instead of delegating domain.com to your own
> server.  But do any domain registrars support that option?

And would the registry (here, Verisign) accept it? As far as I know,
no.


Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 05:26:53PM +0300,
 Daniel Dawalibi  wrote 
 a message of 50 lines which said:

> DNS registrar that can offer this option by using apex/naked/root
> domain redirection

Sorry, but I cannot parse this sentence.

Also, as I said, this is not about the root, it is about your
ourweddingaccount.com and its parent (.com).


Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 05:05:50PM +0300,
 Daniel Dawalibi  wrote 
 a message of 52 lines which said:

> our setup requires a CNAME record.

Bad setup. (And has always been bad.)


Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 01:56:27PM -0000,
 John Levine  wrote 
 a message of 23 lines which said:

> Assuming you mean this (notice the dots):
> 
>  Domain.com.  CNAME  x.y.com.
>  www CNAME x.y.com.
> 
> it should work.

I disagree. I have the same experience as Daniel Dawalibi, it does not
work (BIND 9.10.3-P4):

27-Apr-2016 16:22:43.351 dns_master_load: foobar.example:15: foobar.example: 
CNAME and other data

And if I delete the "other data" (the NS and the SOA records), it also
fails:

27-Apr-2016 16:24:16.410 zone foobar.example/IN: has 0 SOA records
27-Apr-2016 16:24:16.410 zone foobar.example/IN: has no NS records
27-Apr-2016 16:24:16.410 zone foobar.example/IN: not loaded due to errors.

> Some people believe that you can't have other records at names below
> a name with a CNAME, but they are mistaken.

But that's not the problem, the problem is that you can alias a domain
name with CNAME but not a zone name.


Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 02:55:18PM +0300,
 Daniel Dawalibi  wrote 
 a message of 99 lines which said:

> We are facing a resolving problem on BIND DNS when adding a CNAME RR
> for root domain and other records.

I don't think that you manage the root domain so you probably mean
that you want to add a CNAME to *your* domain?

> Domain.com  CNAME  x.y.com

Short answer: don't do it. Bad idea. And unnecessary since all Internet
protocols (with one big exception) allow you to separate the domain
from the server hosting the domain.

Long answer: the unfortunate exception is HTTP :-( A possible solution
is to add address records (A and AAAA) to domain.com. (don't forget the
dot at the end). True, it requires that you keep track of the changes
in x.y.com., but this is the only clean solution.



Re: named DNS resolution latency

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 02:33:26AM -0400,
 digen  wrote 
 a message of 169 lines which said:

> Any inputs on debugging this problem will be much appreciated.

The usual stuff:

1) Is the machine hosting the resolver overloaded? top, for instance

2) is the link to the Internet overloaded? Check your Cacti (or other
software) graphs.

3) Routing problem? traceroute to the name servers. (Don't try ping,
microsoft.com's servers appear to refuse it)

4) An easy way to test DNS performance issues is with a dedicated DNS
test program like check-soa
:

% check-soa -i microsoft.com 
ns1.msft.net.
2620:0:30::53: OK: 2016042614 (22 ms)
208.84.0.53: OK: 2016042614 (40 ms)
ns2.msft.net.
208.84.2.53: OK: 2016042614 (24 ms)
2620:0:32::53: OK: 2016042614 (25 ms)
ns3.msft.net.
2620:0:34::53: OK: 2016042614 (22 ms)
193.221.113.53: OK: 2016042614 (40 ms)
ns4.msft.net.
2620:0:37::53: OK: 2016042614 (25 ms)
208.76.45.53: OK: 2016042614 (40 ms)

% check-soa -i sony.com 
pdns1.cscdns.net.
2620:74:19::33: OK: 2011041474 (19 ms)
209.112.114.33: OK: 2011041474 (34 ms)
pdns2.cscdns.net.
69.36.145.33: OK: 2011041474 (23 ms)
2001:502:cbe4::33: OK: 2011041474 (27 ms)


Re: g.root-servers.net not reachable anymore

2016-04-14 Thread 'Stephane Bortzmeyer'
On Thu, Apr 14, 2016 at 11:55:04AM +0300,
 Daniel Dawalibi  wrote 
 a message of 22 lines which said:

> Do you think it is better to remove it from named.root?

Certainly not, your resolver removes it automatically from the list of
authoritative servers for the zone.

> Is there any impact on the DNS resolving ?

Zero impact (that's why you must have several name servers for a
zone, idm.net.lb has only two, which is light).


Re: g.root-servers.net not reachable anymore

2016-04-14 Thread Stephane Bortzmeyer
On Thu, Apr 14, 2016 at 08:35:00AM +0200,
 Daniel Stirnimann  wrote 
 a message of 14 lines which said:

> Looks like you are not alone!
> 
> https://atlas.ripe.net/dnsmon/group/g-root

Only broken over UDP. Works on TCP and still replies to traceroute.


Re: Resolution differences for getaddrinfo versus host/dig/delv

2015-11-18 Thread Stephane Bortzmeyer
On Wed, Nov 18, 2015 at 12:19:57PM +0000,
 Phil Mayers  wrote 
 a message of 44 lines which said:

> I suspect getaddrinfo isn't parsing the DNS response for some reason.
...
> Obviously the *.thing on the RHS of the first CNAME is weird, but is it
> illegal?

Yes, for a *host* name (no for a *domain* name). See Tony Finch's
explanation.

In the GNU libc, the relevant code is in resolv/res_comp.c and
includes this function, which tests that a *host* name is
[a-z0-9\.\-]+ :

#define PERIOD 0x2e
#define hyphenchar(c) ((c) == 0x2d)
#define periodchar(c) ((c) == PERIOD)
#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) \
                   || ((c) >= 0x61 && (c) <= 0x7a))
#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
#define underscorechar(c) ((c) == 0x5f)

#define borderchar(c) (alphachar(c) || digitchar(c))
#define middlechar(c) (borderchar(c) || hyphenchar(c) || underscorechar(c))
#define domainchar(c) ((c) > 0x20 && (c) < 0x7f)

/*
 * Host-name check: every label must start and end with a letter or
 * digit (borderchar); hyphen and underscore are tolerated only inside
 * a label (middlechar). Returns 1 if the name is acceptable, 0 if not.
 */
int
res_hnok(const char *dn) {
    int pch = PERIOD, ch = *dn++;

    while (ch != '\0') {
        int nch = *dn++;

        if (periodchar(ch)) {
            (void)NULL;              /* label separator: nothing to check */
        } else if (periodchar(pch)) {
            if (!borderchar(ch))     /* first character of a label */
                return (0);
        } else if (periodchar(nch) || nch == '\0') {
            if (!borderchar(ch))     /* last character of a label */
                return (0);
        } else {
            if (!middlechar(ch))     /* character inside a label */
                return (0);
        }
        pch = ch, ch = nch;
    }
    return (1);
}
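An added example (not glibc's code) that applies the same host-name character rules as res_hnok above but reports the offset of the first offending byte, puts glibc's looser domain-name rule (res_dnok: any printable ASCII) beside it, and walks a constructed CNAME chain shaped like the one in this thread; the names in the chain are made up.

```c
#include <stdio.h>
#include <string.h>

/* Same character classes as res_hnok(): a label begins and ends with a
 * letter or digit; hyphen and underscore are tolerated only inside it. */
static int is_border(int c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9');
}

static int is_middle(int c)
{
    return is_border(c) || c == '-' || c == '_';
}

/* Host-name rule (the one glibc enforces with res_hnok()).
 * Returns -1 if NAME is acceptable, else the offset of the first bad byte. */
int hostname_fault(const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)name[i];
        if (c == '.')
            continue;                      /* label separators are skipped */
        int first = (i == 0 || name[i - 1] == '.');
        int last  = (i + 1 == n || name[i + 1] == '.');
        if (first || last) {
            if (!is_border(c))
                return (int)i;
        } else if (!is_middle(c)) {
            return (int)i;
        }
    }
    return -1;
}

/* Domain-name rule (glibc res_dnok): any printable ASCII except space.
 * This is the rule dig and the DNS itself live by, so "*.thing" passes. */
int domainname_fault(const char *name)
{
    for (size_t i = 0; name[i] != '\0'; i++) {
        int c = (unsigned char)name[i];
        if (!(c > 0x20 && c < 0x7f))
            return (int)i;
    }
    return -1;
}

/* Walk a CNAME chain (owner, target, target, ...) and return the index of
 * the first name the host-name rule rejects, or -1 if every name is a
 * legal host name. */
int chain_first_rejected(const char *const *chain, int len)
{
    for (int i = 0; i < len; i++)
        if (hostname_fault(chain[i]) >= 0)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed chain in the shape of the thread's report: a CNAME whose
     * right-hand side is a wildcard-looking name, then a normal address name. */
    const char *const chain[] = {
        "www.example.net",           /* queried owner name */
        "*.thing.example.net",       /* RHS of the first CNAME */
        "web-1.hosting.example.net", /* final A/AAAA owner */
    };
    int len = (int)(sizeof chain / sizeof chain[0]);

    for (int i = 0; i < len; i++)
        printf("%-28s host=%2d domain=%2d\n", chain[i],
               hostname_fault(chain[i]), domainname_fault(chain[i]));
    printf("first name the host-name rule rejects: %d\n",
           chain_first_rejected(chain, len));
    return 0;
}
```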

Re: How are DNS Records added dynamically in DNS Servers?

2015-09-07 Thread Stephane Bortzmeyer
On Mon, Sep 07, 2015 at 03:33:00PM +0530,
 Harshith Mulky  wrote 
 a message of 60 lines which said:

> How do System administrators add DNS Zone records in DNS Servers?

By not using outlook.com for email :-) No, I'm kidding, there are
several ways:

> Is there a specific way the records are added in DNS Servers dynamically?

* a program that you write in the language of your choice. Every
programming language has a DNS library and most allow dynamic updates.

* by using an already-written program which does dynamic updates. Many
DHCP servers can do so, for instance.

* using the shell with nsupdate:

#!/bin/sh

nsupdate -kKexample-dyn-update.+157+18685.private -d 

[DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Stephane Bortzmeyer
[The domain has recently changed its configuration so do not test it.]

With Unbound, I get a SERVFAIL:

% dig DNSKEY cepn.asso.fr

; <<>> DiG 9.9.5-8-Debian <<>> DNSKEY cepn.asso.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62442
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cepn.asso.fr.  IN DNSKEY

;; Query time: 21 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Feb 16 16:57:58 CET 2015
;; MSG SIZE  rcvd: 41

But BIND accepts it (and so does Google Public DNS):

% dig @relay1.nic.fr DNSKEY cepn.asso.fr

; <<>> DiG 9.9.5-8-Debian <<>> @relay1.nic.fr DNSKEY cepn.asso.fr
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30861
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cepn.asso.fr.  IN DNSKEY

;; ANSWER SECTION:
cepn.asso.fr.   7808 IN DNSKEY 257 3 5 (
AwEAAaBtXBNAyFHVvRBB4K9z79+1YRXkUDyycyCzPRpm
Xi9lhB0Eg5vM3XlaS6OuN0dnFHItpZFNIDBDrPsN1OCf
1ULKWpD3KDl1mE7zRK2W0HXeu4WOoFpUcC/1h06W26DT
CkisntU9L8JfPi9osmI+CuzWZhdmyZt+hPvMpjmDthyh
MZpb//kNv7+TUeczCo4MExHxjHHIVH0vRmhfyo/J1KBe
6eS3G5lDbJEEFUdxuLyGQLaG2f6wlQxoHGnzvM+V/Mj8
yGHae//7Z5rMCdaiLJy03u5+l2WVVy954dsrFC6mkB5s
M4n8nvbo1d5ap7cI76dJi9X0IUJQohZk5b5eef0=
) ; KSK; alg = RSASHA1; key id = 36778
cepn.asso.fr.   7808 IN DNSKEY 256 3 5 (
AwEAAc6AqnBoi+hfxMqtb0eokyqWT46Os5N6ZYoFm8Gb
t90EF3hTpuwDClEsulKSckhr4zFTDj3SvHc9krzeQEl5
UNCqmmZeMo/wsxKHTzIVU75fPrs1zOuM9m9zRNV4q9eG
Y0+I2h4D7E/WlPE7n57E0lmPOxK9g46xE8p9eX3bWVVK
FSm60VvginZfTzN3Zgt+peecrboEZnSzWvDVcHY2dq+o
w0UEekI1+nfwcIgEOn0Wh8B5Gx3pG5XkV3QvHVN514FH
eJLdsk0iFPHv1Xc0rLYWssFVS9s7Z8u0tEju6LshGaPQ
+zrQr54RMD9IecwbMCERcrjV2Dm5CZq+Jf53pGc=
) ; ZSK; alg = RSASHA1; key id = 54030
cepn.asso.fr.   7808 IN RRSIG DNSKEY 5 3 10800 (
20250115124200 20150216080551 36778 
cepn.asso.fr.
fc1YnbjbglVC8alL9NN9LUo54kUODgk6gblFt+CjDJ4+
0i9HqEdbbW/49wksEMkFySPf24yRaswbf9W/OHeJtXid
6CEcVdZiHfPuTzxBelQVfPiIQreJ9yvxBF1z/pmTBf0X
o8TEMUjaV4f2c5eqELKdZ986RRk6J35tDd0w3cbeHGV1
mnAagjT+SOLlmF8mx6MZkgsgFylBIt0MfEaX1ZS4PfAh
TCIXi6shM0KcwZ7rI24nVGcu6wDfxdiwUZ5lJ6KWFBsM
pC0beLiKRYlqnQidkech+dlSHQGj0DXAINi6ZrS+iRhv
mCLlId4oezMaxx8P3dLo71cAqPGNBwM62A== )
cepn.asso.fr.   7808 IN RRSIG DNSKEY 5 3 10800 (
20250115124200 20150216080551 54030 
cepn.asso.fr.
v1b7K0jZ4WH1yMCvJHOkxWp7EUHtsFPpKjwplu8EhqDs
WAwB0ORSFMN6Y0PDMfSydXeSwn3+L75OKk1Ne6VNaE5E
jeYi7BEChE0wZH1L6/qyIHgw0YCDfQN4HuG005RFRKgi
p1t06h3iKnVHFzduSxSby5Oq3iZgbyaSPeAhDa/LZPXv
oNb1cVmVrPKTIhZqSxKNC0t4XQ3iUffgrLvq1ErFeuut
QQeD3uzwWXCUkZA5rK7fp9eKKlSOJpP3na2r8cEy0WlC
jZ2HNPA6pIUnq+w7eD0oGp0aukJ1C85TeE1a8cr3Luf8
LnSXm7cIxSWOdw9GZEjaavWFfpYdguFxQQ== )

;; Query time: 1 msec
;; SERVER: 2001:67c:2218:9::4:162#53(2001:67c:2218:9::4:162)
;; WHEN: Mon Feb 16 17:01:03 CET 2015
;; MSG SIZE  rcvd: 1193

I also tested with OARC's ODVR service which confirmed that there is a
difference between BIND and Unbound. 

At the time of the test, the DS were:


% dig DS cepn.asso.fr

; <<>> DiG 9.9.5-8-Debian <<>> DS cepn.asso.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6975
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cepn.asso.fr.  IN DS

;; ANSWER SECTION:
cepn.asso.fr.   171998 IN DS 36778 5 2 (
D21FC827CF4621DF88D06A8F6EA5F4B4DE72A362AB2E
03D440C315A9D8FE1407 )
cepn.asso.fr.   171998 IN DS 13585 8 2 (
AB057D7A9BBDB721EBD33FC64F3C6CC53D9020D12F18
   

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Stephane Bortzmeyer
On Tue, Feb 17, 2015 at 07:34:37AM +1100,
 Mark Andrews ma...@isc.org wrote 
 a message of 171 lines which said:

> The validator is *not* supposed to *check* if the zone has been
> signed with all the algorithms in the DS RRset.  It is supposed to
> keep trying all RRSIG/DS/DNSKEY combinations until it succeeds.

For the record, the relevant RFC seems to be RFC 6840, section 5.11:
"A signed zone MUST include a DNSKEY for each algorithm present in the
zone's DS RRset and expected trust anchors for the zone.  The zone
MUST also be signed with each algorithm (though not each key) present
in the DNSKEY RRset."

It seems that the zone violated the first requirement (there was an
alg. 8 in the DS RRset but not in the DNSKEY RRset) but not the second
(there was only alg. 5 in the DNSKEY RRset).
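An added example, not BIND's or Unbound's code: it models the DS, DNSKEY and DNSKEY-RRSIG sets from the dig output above (key tags and algorithm numbers taken from the thread, cryptographic verification omitted), applies the two RFC 6840 section 5.11 zone requirements, and beside them the rule the same section gives validators, to accept any single valid DS-to-DNSKEY-to-RRSIG path.

```c
#include <stdio.h>

#define MAX_RR 8

/* Only key tag and algorithm matter for the section 5.11 checks. */
struct rr {
    int keytag;
    int alg;
};

struct zone_keys {
    struct rr ds[MAX_RR];     int nds;     /* DS RRset in the parent */
    struct rr dnskey[MAX_RR]; int ndnskey; /* DNSKEY RRset at the apex */
    struct rr rrsig[MAX_RR];  int nrrsig;  /* RRSIGs over the DNSKEY RRset */
};

static int has_alg(const struct rr *set, int n, int alg)
{
    for (int i = 0; i < n; i++)
        if (set[i].alg == alg)
            return 1;
    return 0;
}

/* First requirement: every algorithm in the DS RRset must have a DNSKEY.
 * Returns the first algorithm without one, or 0 when the zone complies. */
int ds_alg_without_dnskey(const struct zone_keys *z)
{
    for (int i = 0; i < z->nds; i++)
        if (!has_alg(z->dnskey, z->ndnskey, z->ds[i].alg))
            return z->ds[i].alg;
    return 0;
}

/* Second requirement: every algorithm in the DNSKEY RRset must sign the
 * zone (checked here on the DNSKEY RRset itself).  Returns the first
 * algorithm with no RRSIG, or 0 when the zone complies. */
int dnskey_alg_without_rrsig(const struct zone_keys *z)
{
    for (int i = 0; i < z->ndnskey; i++)
        if (!has_alg(z->rrsig, z->nrrsig, z->dnskey[i].alg))
            return z->dnskey[i].alg;
    return 0;
}

/* What the validator does: accept any single valid path.  A path is a
 * DS matching a DNSKEY (key tag and algorithm) that has itself signed
 * the DNSKEY RRset.  Returns the key tag of the first DS giving such a
 * path, or 0 when no path exists (the answer would be bogus). */
int validator_secure_path(const struct zone_keys *z)
{
    for (int i = 0; i < z->nds; i++) {
        const struct rr *ds = &z->ds[i];
        for (int j = 0; j < z->ndnskey; j++) {
            const struct rr *k = &z->dnskey[j];
            if (k->keytag != ds->keytag || k->alg != ds->alg)
                continue;
            /* signature check stands in for verifying the RRSIG */
            for (int s = 0; s < z->nrrsig; s++)
                if (z->rrsig[s].keytag == k->keytag && z->rrsig[s].alg == k->alg)
                    return ds->keytag;
        }
    }
    return 0;
}

/* Constructed from the dig output in the thread: DS for algorithms 5 and
 * 8, but DNSKEYs and RRSIGs only for algorithm 5. */
struct zone_keys cepn_snapshot(void)
{
    struct zone_keys z = {
        .ds     = { {36778, 5}, {13585, 8} }, .nds = 2,
        .dnskey = { {36778, 5}, {54030, 5} }, .ndnskey = 2,
        .rrsig  = { {36778, 5}, {54030, 5} }, .nrrsig = 2,
    };
    return z;
}

int main(void)
{
    struct zone_keys z = cepn_snapshot();
    printf("DS algorithm without DNSKEY:    %d\n", ds_alg_without_dnskey(&z));
    printf("DNSKEY algorithm without RRSIG: %d\n", dnskey_alg_without_rrsig(&z));
    printf("validator path via DS key tag:  %d\n", validator_secure_path(&z));
    return 0;
}
```

The first check fails on algorithm 8 exactly as the message above concludes, while the validator still finds a path through DS 36778, which is why a lenient validator can answer NOERROR with AD set.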




SERVFAIL when increasing recursive-clients? (Was: bind-users Digest, Vol 1902, Issue 2

2014-08-01 Thread Stephane Bortzmeyer
On Fri, Aug 01, 2014 at 09:56:53AM +0700,
 Xuan Hung hungn...@viettel.com.vn wrote 
 a message of 298 lines which said:

> I think this problem of me, need have version new of Bind.

9.9.5 is quite recent. Actually, it is the latest in the 9.9 branch. What
makes you think upgrading would change anything?

> I think resolver of Bind.9.9.5 have problem when response for
> customer.

Please, less I think and more actual copy-and-paste of config files,
extracts of logs, output of dig, etc.

> If recusive client of My DNS increase to 4000 then resolver response
> servfail.

Did you check the log (checking the logs is MANDATORY when managing a
daemon) to see if BIND was properly reloaded after you increased
recursive-clients?

Also, what is the amount of memory? The more you increase
recursive-clients, the more memory you need. Check the memory use by
your server.

Otherwise, no idea but could you post the actual query and response,
as seen by dig?


Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-15 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 07:14:57PM -0700,
 Paul B. Henson hen...@acm.org wrote 
 a message of 56 lines which said:

> I also don't think this is what educause is doing, as I haven't had
> any trouble entering DS records for published but not activated
> KSK's in the past,

You can also note that it is quite common to publish DS without any
matching KSK. It is even documented in RFC 6781, section 4.2.4. For an
actual example, see .UK http://dnsviz.net/d/uk/dnssec/ (the yellow
path).




Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 01:24:38PM -0700,
 Paul B. Henson hen...@acm.org wrote 
 a message of 135 lines which said:

> And finally, the new key I just created, for which I'm trying to add DS
> records. The dsset file created by dnssec-signzone says these records should
> be:

I find the same values as you, using dnssec-dsfromkey from the key in
the DNS. Also, Zonecheck agrees:

% zonecheck -s DS:68893E21C919C85530F9033B4315F68D1248CDBC:SHA-1 csupomona.edu 
...
== SUCCESS (but 6 warning(s))

If the DS were invalid, it would have said "The given DS or DNSKEY does
not correspond to any DNSKEY in the zone".

So, I suspect a bug in EDUCAUSE.


Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 10:40:19PM +0200,
 Stephane Bortzmeyer bortzme...@nic.fr wrote 
 a message of 19 lines which said:

> So, I suspect a bug in EDUCAUSE.

Your DNSKEY set being a little over 1500 bytes, you may suspect a MTU
issue.


Re: Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Stephane Bortzmeyer
On Wed, May 21, 2014 at 12:56:32PM +0100,
 Simon Waters simon.wat...@surevine.com wrote 
 a message of 58 lines which said:

> BIND 9 logs report: RRSIG has expired for www.ise.gov

Indeed.

www.ise.gov.43200 IN RRSIG CNAME 5 3 43200 (
20140513120652 20140413120652

More than a week ago.

> Yet I can still resolve and visit the website http://ise.gov/

Probably because there is no DS record for ise.gov, which prevents the
validator from trying.



Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Stephane Bortzmeyer
On Fri, Mar 14, 2014 at 12:33:47PM +0000,
 Phil Mayers p.may...@imperial.ac.uk wrote 
 a message of 25 lines which said:

> dig @server zone axfr file
> diff file file.real

diff is not clever enough, you'll find many spurious differences. Try
feeding the two files (the local one and the AXFRed one) through
named-compilezone to canonicalize them.

(I actually use a non-BIND tool, ldns-read-zone)

http://www.bortzmeyer.org/canonicalize-zones.html


Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Stephane Bortzmeyer
On Fri, Mar 14, 2014 at 12:33:47PM +0000,
 Phil Mayers p.may...@imperial.ac.uk wrote 
 a message of 25 lines which said:

> dig @server zone axfr file
> diff file file.real

If you're really paranoid, it may not be sufficient since a server may
reply differently to normal DNS queries and to zone file transfer
requests (for instance if the server is also authoritative for a
child zone, see RFC 5936, section 3.2).



Re: source address problem

2014-02-04 Thread Stephane Bortzmeyer
On Tue, Feb 04, 2014 at 10:40:46AM +0100,
 ro...@ip-plus.net ro...@ip-plus.net wrote 
 a message of 19 lines which said:

> I use the options query-source, notify-source, and transfer-source.
> Still I get outgoing queries with another source address.

Are you sure they come from BIND and not from, say, a dig running on
the same machine? Also, these queries are sent to which server? If
it's to the local resolver, it makes sense.


Re: Rate-limiting - working? How to test?

2014-01-17 Thread Stephane Bortzmeyer
On Fri, Jan 17, 2014 at 01:34:00PM +,
 John Horne john.ho...@plymouth.ac.uk wrote 
 a message of 40 lines which said:

>    log-only yes;

From the ARM:

Use "log-only yes" to test rate limiting parameters
without actually dropping any requests.

> I get 10 correct responses.

It makes sense.


Re: Gi/Gn DNS for telecoms

2013-11-15 Thread Stephane Bortzmeyer
On Fri, Nov 15, 2013 at 02:47:10PM +0530,
 benjamin fernandis benjo11...@gmail.com wrote 
 a message of 50 lines which said:

> Can we use bind DNS for Gi/Gn DNS?

I have no idea what Gi/Gn is. Can anyone post an explanation?


Re: Does anyone have DNSSEC problem with uscg.mil

2013-11-15 Thread Stephane Bortzmeyer
These name servers have another interesting feature: the serial number
is different depending on whether you set the DO bit or not:

% dig +short +dnssec +bufsize=4096 @ns1.uscg.mil SOA uscg.mil
osc-bloxmaster.iap.uscg.mil. hostmaster.uscg.mil. 2012079853 10800 1080 604800 900
...
% dig +short +nodnssec +noedns +bufsize=0 @ns1.uscg.mil SOA uscg.mil
osc-bloxmaster.iap.uscg.mil. hostmaster.uscg.mil. 2012079854 10800 1080 604800 900

% dig +short +dnssec +bufsize=4096 @ns1.uscg.mil SOA uscg.mil
osc-bloxmaster.iap.uscg.mil. hostmaster.uscg.mil. 2012079853 10800 1080 604800 900
...
% dig +short +nodnssec +noedns +bufsize=0 @ns1.uscg.mil SOA uscg.mil
osc-bloxmaster.iap.uscg.mil. hostmaster.uscg.mil. 2012079854 10800 1080 604800 900


DNS 64 and the new domain ipv4only.arpa

2013-10-21 Thread Stephane Bortzmeyer
I try to understand DNS64 and there is a problem I don't get. I have
BIND configured with:

dns64 2001:db8:1:64::/96 { // Network-Specific Prefix
  clients { me; };
};

and it works, synthesis happens when the domain name has no AAAA records:

% dig +cd @localhost -p 9053 AAAA twitter.com
...
;; ANSWER SECTION:
twitter.com.            30      IN      AAAA    2001:db8:1:64::c710:9c66
twitter.com.            30      IN      AAAA    2001:db8:1:64::c710:9cc6
twitter.com.            30      IN      AAAA    2001:db8:1:64::c710:9c06

I try it now on the new ipv4only.arpa, which has only A and not AAAA
and nothing happens:

% dig +cd @localhost -p 9053 AAAA ipv4only.arpa

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +cd @localhost -p 9053 AAAA ipv4only.arpa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62138
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ipv4only.arpa.                 IN      AAAA

;; AUTHORITY SECTION:
ipv4only.arpa.  3038 IN SOA sns.dns.icann.org. noc.dns.icann.org. (
2013053904 ; serial
7200   ; refresh (2 hours)
3600   ; retry (1 hour)
604800 ; expire (1 week)
3600   ; minimum (1 hour)
)
ipv4only.arpa.  3038 IN RRSIG SOA 8 2 3600 20131028181436 (
20131021083223 33820 ipv4only.arpa.
GEbCQfPa1q8e0qaQTT5S1yrmfRp3Vx+lueUB+i846fCl
/5J3mbew8PI2LMd7stndYwPARIDWjapyzyFk5de6/Yx9
Nyxn0AOVr9wRnRPy14FCH0P05EQFYzklOkC5Fjzn/B+B
z4ngG4hM3RfAkckhj0zZ5zMhiYbxucOK/U8T398= )
ipv4only.arpa.  3038 IN RRSIG NSEC 8 2 3600 20131028191728 (
20131021083223 33820 ipv4only.arpa.
Id6eQDjnvBhqoZSOBsNKywa0yAEiaGmyakGFLG3Mc2/h
lmjAPylP9fDdBORpdgnbV0AMt5JzzzIblDTsfs9sbKby
cCRHkE+Vhchu/NnChM+xslJ15daNNLgYUQHd5xwvdzgP
OdpknW9kyfpjR4Cj3dixxfFhrsFFNvZo2FOyTW0= )
ipv4only.arpa.  3038 IN NSEC ipv4only.arpa. A NS SOA TXT RRSIG NSEC 
DNSKEY

;; Query time: 0 msec
;; SERVER: 127.0.0.1#9053(127.0.0.1)
;; WHEN: Mon Oct 21 14:33:52 2013
;; MSG SIZE  rcvd: 481

What did I miss?

BIND 9.9.4


Re: DNS 64 and the new domain ipv4only.arpa

2013-10-21 Thread Stephane Bortzmeyer
On Tue, Oct 22, 2013 at 12:47:38AM +1100,
 Mark Andrews ma...@isc.org wrote 
 a message of 98 lines which said:

>    dns64 {
>    clients { me; };
>    break-dnssec yes;
>    };

OK, it works without the DO bit (dig +nodnssec, I had +dnssec in my
~/.digrc) or with break-dnssec yes. Thanks.
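An added example, not part of the thread and not BIND's own code: the RFC 6052 address mapping that DNS64 performs, together with the condition the reply above identifies (no synthesis when the client set the DO bit, unless break-dnssec is on, because a synthesised AAAA record cannot carry a valid RRSIG). synthesize_aaaa covers all six RFC 6052 prefix lengths rather than only the /96 of the configuration above; the ipv4only.arpa A records used as sample input are the two addresses defined in RFC 7050, and the dns64_answer helper is a simplification of the resolver logic, not a transcription of it.

```python
import ipaddress

# RFC 6052 section 2.2: the six permitted prefix lengths. Bits 64..71 (byte 8)
# are reserved and stay zero, which is why the IPv4 octets skip over that byte.
ALLOWED_PREFIXES = (32, 40, 48, 56, 64, 96)


def synthesize_aaaa(prefix, ipv4):
    """Embed an IPv4 address in a DNS64/NAT64 prefix (RFC 6052 algorithm)."""
    net = ipaddress.IPv6Network(prefix)            # raises if host bits are set
    if net.prefixlen not in ALLOWED_PREFIXES:
        raise ValueError("prefix length must be one of %s" % (ALLOWED_PREFIXES,))
    out = bytearray(net.network_address.packed)   # prefix bits, everything else zero
    v4 = ipaddress.IPv4Address(ipv4).packed
    p = net.prefixlen
    if p == 96:
        out[12:16] = v4
    elif p == 64:
        out[9:13] = v4
    elif p == 56:
        out[7] = v4[0]
        out[9:12] = v4[1:]
    elif p == 48:
        out[6:8] = v4[:2]
        out[9:11] = v4[2:]
    elif p == 40:
        out[5:8] = v4[:3]
        out[9] = v4[3]
    else:                                          # 32
        out[4:8] = v4
    return str(ipaddress.IPv6Address(bytes(out)))


def dns64_answer(a_rrset, aaaa_rrset, prefix, do_bit=False, break_dnssec=False):
    """AAAA rdata a DNS64 resolver hands back for a name (simplified model).

    Real AAAA data always wins. Otherwise the A records are mapped, except
    when the client set the DO bit: synthesised records cannot carry a valid
    RRSIG, so they are withheld unless break-dnssec is on (the case the
    thread above ran into with +dnssec in ~/.digrc).
    """
    if aaaa_rrset:
        return list(aaaa_rrset)
    if do_bit and not break_dnssec:
        return []
    return [synthesize_aaaa(prefix, a) for a in a_rrset]


# Constructed sample input: the two A records of ipv4only.arpa (RFC 7050).
IPV4ONLY_ARPA_A = ["192.0.0.170", "192.0.0.171"]

if __name__ == "__main__":
    print(dns64_answer(IPV4ONLY_ARPA_A, [], "2001:db8:1:64::/96", do_bit=True))
    print(dns64_answer(IPV4ONLY_ARPA_A, [], "2001:db8:1:64::/96", do_bit=True, break_dnssec=True))
```

With the configuration of the original post (no break-dnssec) and dig sending the DO bit, the first call returns nothing, which is the empty answer section seen above; the second call is what the resolver returns once break-dnssec yes is set.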



Logging of rate-limited queries way too talkative

2013-09-29 Thread Stephane Bortzmeyer
I'm trying RRL on the new BIND 9.9.4.

When RRL steps in, if I understand the documentation properly, two
things are logged, a summary of the beginning and end of RRL, and one
message per rejected query (!) Since RRL is used when there is an
attack, there are *many* such messages. Worse, the default behavior of
BIND aggravates the attack by filling the disk.

From the ARM, I find no way to prevent these annoying messages,
except shutting down all query errors logging. Here is my best config
so far:

logging { 
   channel rrl_channel {
  file rrl.log versions 3 size 10m;
  print-time yes;
  print-category yes;
   };

   # Prints begin and end of rate-limiting
   category rate-limit {
  rrl_channel;
   };

   # Individual requests rejected
   category query-errors {
  null;
   };

};

But it is too harsh, since all query errors are sent to null.




SERVFAIL when two SOA in the domain

2013-08-29 Thread Stephane Bortzmeyer
One of my contacts noticed that you cannot query 42.fr's SOA with
BIND: SERVFAIL. Querying other types, or using Unbound (or Google
Public DNS) instead of BIND works.

The only thing special he sees is the double SOA:

% dig SOA 42.fr

; <<>> DiG 9.9.2-P1 <<>> SOA 42.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9894
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;42.fr.                         IN      SOA

;; ANSWER SECTION:
42.fr.          2907    IN      SOA     ns1.42.fr. postmaster.42.fr. 2013032901 300 300 604800 86400
42.fr.          2907    IN      SOA     ns2.42.fr. postmaster.42.fr. 2013032901 300 300 604800 86400

;; AUTHORITY SECTION:
42.fr.          2897    IN      NS      ns1.42.fr.
42.fr.          2897    IN      NS      ns2.42.fr.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)   <- Unbound
;; WHEN: Thu Aug 29 20:21:51 2013
;; MSG SIZE  rcvd: 153

I'm not sure of what the RFC say about that...



Re: How to get AD flag

2013-08-02 Thread Stephane Bortzmeyer
On Fri, Aug 02, 2013 at 10:49:22AM +0530,
 rams brames...@gmail.com wrote 
 a message of 41 lines which said:

> I have 9.7 bind installed and configured recursive.  When i query
> against forwader i am not getting AD flag. Could you please guide me
> how to get AD flag.

Several possible reasons:

1) Unsigned domain. Are you sure you test with a signed domain such as
ietf.org, afnic.fr or nlnetlabs.nl?

2) Broken forwarder (strips the signatures or something like that). Try without
it.

3) Wrong anchor (DNS root key). Do you have a trusted-keys or
managed-keys directive and what does it contain?

> remaining answer is correct for signed query

I would prefer that you copy-and-paste this answer. How do you know it
is correct? (See suggestions 1 and 2)


[auto-dnssec] Switching to NSEC3 leaves behind stale NSEC signatures?

2013-07-31 Thread Stephane Bortzmeyer
I have a zone maintained by:

inline-signing yes;
auto-dnssec maintain;
update-policy local; 

I switched it from the default NSEC to NSEC3 with:

rndc signing -nsec3param 1 0 10  68f499ee auto.rd.nic.fr

It seems to work but the zone still contains NSEC signatures (but no
NSEC records):

auto.rd.nic.fr. 86400   IN  RRSIG   NSEC 8 4 86400 20130829140232 
20130730135801 53989 auto.rd.nic.fr. 
FNHDlnIq1fN0bVJtLvP56BNw3Pydmogp8KWn2n200zMWSuHrq1sgU3Q3 
cv8o+Cbr6w871IHBKwd+edz67URntzWferPzy2aklAEIdsRlvHSDHJyD 
WzUs915+GeUR0NOU2m/zfWQBAYBj8UP2i1puxh4NBzfnGF9ChCRKuhrT 
pBz+hxgdNKpQ2rt+NkBXFGKtZUz1eIDCpiT5F8CweetnajSyKRUVFCod 
emrOfdR1axr4Bp5Jaokrp5XbC2tefSs+NqXJycHBhmMGisAXOho4fOKY 
5OWMb7IrcXA0xh8LUF5+uuQ6mpM7j+i0ZLiubt2TR6VxkcGbb4yfXWef x7vYAQ==

Some checking tools complain. For instance, validns:

auto.rd.nic.fr:8: auto.rd.nic.fr. RRSIG exists for non-existing type NSEC

Is it a bug? Or did I use the wrong procedure to switch to NSEC3?

BIND 9.9.2-P1 (the last version in the current Ubuntu)


auto-dnssec maintain and no key: no error message?

2013-07-30 Thread Stephane Bortzmeyer
When I run a BIND with auto-dnssec maintain and inline-signing
yes, if I create no key, there is no error message and, worse, the
log file says the zone is signed:

Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (unsigned): 
loaded serial 2013073000
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): loaded 
serial 2013073000
Jul 30 16:31:42 u12-33673 named[1605]: all zones loaded
Jul 30 16:31:42 u12-33673 named[1605]: running
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): 
receive_secure_serial: unchanged
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): 
reconfiguring zone keys
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): next 
key event: 30-Jul-2013 17:31:42.009
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): sending 
notifies (serial 2013073000)

Of course, there is no signature:

% dig +multi @localhost SOA auto.rd.nic.fr

; <<>> DiG 9.9.2-P1 <<>> +multi @localhost SOA auto.rd.nic.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57439
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;auto.rd.nic.fr.IN SOA

;; ANSWER SECTION:
auto.rd.nic.fr. 86400 IN SOA 10.200.0.73. bortzmeyer.nic.fr. (
2013073000 ; serial
30480  ; refresh (8 hours 28 minutes)
26400  ; retry (7 hours 20 minutes)
2419200; expire (4 weeks)
86400  ; minimum (1 day)
)

;; AUTHORITY SECTION:
auto.rd.nic.fr. 86400 IN NS ns1.bortzmeyer.org.
auto.rd.nic.fr. 86400 IN NS ns1.auto.rd.nic.fr.

;; ADDITIONAL SECTION:
ns1.auto.rd.nic.fr. 86400 IN A 109.26.74.172

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 30 16:38:00 2013
;; MSG SIZE  rcvd: 167

IMHO, BIND should clearly log there is something missing.

BIND 9.9.2-P1 (the version in the last Ubuntu server)



Re: auto-dnssec maintain and no key: no error message?

2013-07-30 Thread Stephane Bortzmeyer
On Tue, Jul 30, 2013 at 09:50:46AM -0500,
 Jeremy C. Reed jr...@isc.org wrote 
 a message of 7 lines which said:

>> Of course, there is no signature:
>>
>> % dig +multi @localhost SOA auto.rd.nic.fr
>
> Add +dnssec

[I thought it was in my .digrc.] It changes nothing. Without a key,
BIND could not create signatures.

% dig +multi +dnssec @localhost SOA auto.rd.nic.fr

; <<>> DiG 9.9.2-P1 <<>> +multi +dnssec @localhost SOA auto.rd.nic.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13678
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;auto.rd.nic.fr.IN SOA

;; ANSWER SECTION:
auto.rd.nic.fr. 86400 IN SOA 10.200.0.73. bortzmeyer.nic.fr. (
2013073000 ; serial
30480  ; refresh (8 hours 28 minutes)
26400  ; retry (7 hours 20 minutes)
2419200; expire (4 weeks)
86400  ; minimum (1 day)
)

;; AUTHORITY SECTION:
auto.rd.nic.fr. 86400 IN NS ns1.bortzmeyer.org.
auto.rd.nic.fr. 86400 IN NS ns1.auto.rd.nic.fr.

;; ADDITIONAL SECTION:
ns1.auto.rd.nic.fr. 86400 IN A 109.26.74.172

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 30 16:55:24 2013
;; MSG SIZE  rcvd: 167


Re: auto-dnssec maintain; and key missing or inactive and has no replacement

2013-07-26 Thread Stephane Bortzmeyer
On Thu, Jul 25, 2013 at 12:05:35AM +0100,
 Tony Finch d...@dotat.at wrote 
 a message of 21 lines which said:

> Obvious question: does BIND have permission to read the private key?

Yes, it runs (it is an experimental setup) as the same user which
owns the private key file.

> I guess it does since it managed to re-sign.

And to sign, the first time (the zone was unsigned). Indeed. 

> Does the zone have only one key which is a KSK?

Yes. I tested with two keys, a KSK and a ZSK and the warning
disappears. Do you mean it is a spurious warning when there is only
one key (a CSK, as in co.uk)?


Re: auto-dnssec maintain; and key missing or inactive and has no replacement

2013-07-26 Thread Stephane Bortzmeyer
On Wed, Jul 24, 2013 at 09:58:08AM -0700,
 David Newman dnew...@networktest.com wrote 
 a message of 89 lines which said:

> Not sure if this is the problem, but have you tried with
> managed-keys-directory in options instead of key-directory?

I just tried, and same warning:

26-Jul-2013 08:53:43.637 running
26-Jul-2013 08:53:43.637 zone example/IN (signed): loaded serial 2013071800
26-Jul-2013 08:53:43.637 zone example/IN (signed): receive_secure_serial: 
unchanged
26-Jul-2013 08:53:43.637 zone example/IN (signed): sending notifies (serial 
2013071800)
26-Jul-2013 08:53:43.637 zone example/IN (signed): reconfiguring zone keys
26-Jul-2013 08:53:43.721 zone example/IN (signed): next key event: 26-Jul-2013 
09:03:43.637
26-Jul-2013 08:53:43.805 zone example/IN (signed): Key example/RSASHA256/1159 
missing or inactive and has no replacement: retaining signatures.
26-Jul-2013 08:53:48.638 zone example/IN (signed): sending notifies (serial 
2013071802)


Re: auto-dnssec maintain; and key missing or inactive and has no replacement

2013-07-26 Thread Stephane Bortzmeyer
On Fri, Jul 26, 2013 at 08:54:26AM +0200,
 Stephane Bortzmeyer bortzme...@nic.fr wrote 
 a message of 23 lines which said:

> I just tried, and same warning:

But only at startup and not afterwards so it is an improvement.


Re: auto-dnssec maintain; and key missing or inactive and has no replacement

2013-07-26 Thread Stephane Bortzmeyer
On Fri, Jul 26, 2013 at 08:52:04AM +0200,
 Stephane Bortzmeyer bortzme...@nic.fr wrote 
 a message of 24 lines which said:

> Yes. I tested with two keys, a KSK and a ZSK and the warning
> disappears.

Another solution, even if using only one key, is to add:

update-policy local; # Necessary, says the ARM (otherwise, you cannot 
freeze/thaw)

in the zone configuration. Apparently, it worked without it but, when
you use it, there is no longer this undecipherable warning.


auto-dnssec maintain; and key missing or inactive and has no replacement

2013-07-24 Thread Stephane Bortzmeyer
I'm trying auto-dnssec maintain; with a BIND 9.9.3-P1. My
configuration is:

options {
directory /tmp/bind;
key-directory /tmp/bind; 
};


zone example {
type master;
file example;
inline-signing yes;
auto-dnssec maintain;
};

Apparently, everything works. The key I created and put in /tmp/bind
is used, the zone is signed, everyone is happy.

But I get messages:

24-Jul-2013 07:39:25.480 zone example/IN (signed): Key example/RSASHA256/46747 
missing or inactive and has no replacement: retaining signatures.

Which I do not understand. The key is there:

% ls -lt /tmp/bind/Kexample.+008+46747*
-rw-r--r-- 1 bortzmeyer bortzmeyer  597 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.key
-rw------- 1 bortzmeyer bortzmeyer 1776 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.private

And is certainly active:

% cat /tmp/bind/Kexample.+008+46747.key 
; This is a key-signing key, keyid 46747, for example.
; Created: 2013072315 (Tue Jul 23 12:00:05 2013)
; Publish: 2013072315 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
...

And, despite the message "retaining signatures", signatures *are*
regenerated periodically, even after the warning:

example.600 IN RRSIG DNSKEY 8 1 600 20130725045802 (
20130724043925 46747 example.
rkNJdCp8PV3PzEsVc6efh/mBY3eHZcL3712ELD2g7gte
...


Re: New warning message...

2013-07-24 Thread Stephane Bortzmeyer
On Mon, Jul 22, 2013 at 03:01:47PM +1000,
 Mark Andrews ma...@isc.org wrote 
 a message of 56 lines which said:

> It SHOULD have record of type SPF as per RFC 4408.  Named will
> complain if both types are not present.

Then, named is now wrong, since RFC 6686. 


Re: New warning message...

2013-07-24 Thread Stephane Bortzmeyer
On Mon, Jul 22, 2013 at 12:39:53PM +0200,
 Matus UHLAR - fantomas uh...@fantomas.sk wrote 
 a message of 28 lines which said:

> This was discussed here already, and imho this is anti-spf bullshit
> like all those "spf breaks forwarding" FUD. The SPF RR is already
> here and is preferred over TXT that is generic RR type, unlike SPF.

I don't see any connection with anti-SPF stances. Whether you love or
despise SPF, the facts (RFC 6686, sections 5 and 6) are that the SPF
record (type 99) is not used at all and that the TXT record is now the
only one recommended (if you do SPF, which probably means you did not
believe the FUD).


Re: Can I change the zone file from command line?

2013-07-24 Thread Stephane Bortzmeyer
On Tue, Jul 23, 2013 at 02:30:49PM -0400,
 Kevin Darcy k...@chrysler.com wrote 
 a message of 565 lines which said:

> When you dial a telephone number, do you worry that your dialing may
> have consequences against telephone numbers that you *didn't*
> dial? Seems very unlikely.

OK, but switching from a static zone to a dynamically provisioned one
*has* consequences (modification of the BIND configuration, maybe a
change in permissions of the directories, etc). I agree it is probably
The Right Way here but it does not mean it has zero consequences.



Re: dns update issue

2013-07-24 Thread Stephane Bortzmeyer
On Wed, Jul 24, 2013 at 10:52:51AM -0400,
 James Chase chase1...@gmail.com wrote 
 a message of 64 lines which said:

> However if I try to ping dns3.mandala-designs.com from different
> network locations it still returns the IP address of our old server,

Probably the usual problem with in-zone name servers: glue not
modified at the registry.

% whois DNS3.MANDALA-DESIGNS.COM
...
   Server Name: DNS3.MANDALA-DESIGNS.COM
   IP Address: 216.195.213.58

And, indeed, the registry still serves the old info:

%  dig @a.gtld-servers.net A DNS3.MANDALA-DESIGNS.COM
...
DNS3.MANDALA-DESIGNS.COM. 172800 IN A   216.195.213.58


Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-19 Thread Stephane Bortzmeyer
On Wed, Jul 17, 2013 at 05:05:31PM -0700,
 Ray Van Dolson rvandol...@esri.com wrote 
 a message of 36 lines which said:

> Tried dns-ad...@fbi.gov but got a bounce. :(

You want Sandra Bullock's, er, Sarah Ashburn's phone number?

http://en.wikipedia.org/wiki/The_Heat_%28film%29


Re: Rate-Limit Question

2013-06-14 Thread Stephane Bortzmeyer
On Fri, Jun 14, 2013 at 02:27:50PM +,
 Manson, John john.man...@mail.house.gov wrote 
 a message of 138 lines which said:

> We are running Bind 9.9.2 and would like to invoke the rate-limit
> option but named says 'unknown option'.

RRL (Response Rate Limiting) is an unofficial patch. You'll have to
patch the source first.


Re: querying TLD nameservers - limitations

2013-03-26 Thread Stephane Bortzmeyer
On Sun, Mar 24, 2013 at 04:55:13PM -0700,
 blrmaani blrma...@gmail.com wrote 
 a message of 17 lines which said:

> I am developing a monitoring script for internal use and this
> requires extensive querying of TLD nameservers (a .. m).tld servers.

[TLD operator hat on.]

Hard to answer without more details. Really, I do not see why "a
monitoring script for internal use" could require a lot of requests
to TLD name servers.


Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 04:35:39PM +0200,
 Georg Kahest georg.kah...@internet.ee wrote 
 a message of 19 lines which said:

> I'm unable to figure out where does one register for jabber.isc.org
> account.

I don't speak for ISC but may I ask why you need one? There are many
XMPP providers in the world, several of them are gratis (for instance
Google Talk).


Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 04:44:53PM +0200,
 Georg Kahest georg.kah...@internet.ee wrote 
 a message of 19 lines which said:

> I was interested of idling in bind 10 dev channel.

So? XMPP is federated, like any good system (like email). You don't
need an account in the isc.org email server to use the bind-users
mailing list. You don't need an account on the ISC XMPP server to use
the bind10 room (I just tried).

You probably used too many centralized archaic systems like Facebook
:-) 


Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 05:09:16PM +0200,
 Georg Kahest georg.kah...@internet.ee wrote 
 a message of 20 lines which said:

> I'm failing to understand how i should configure my xmpp client (
> pidgin ) without user credentials. Without entering
> username/password i can't add the account, and with
> username/password i get failed auth.

1) Choose a XMPP provider. I would recommend Google Talk (gratis, very
reliable) since this is the one I use. If you don't like/use Google,
jabber.org offers a gratis service, too. If your organization is an
OARC member, there is also an OARC XMPP server.

2) Configure the XMPP client with the parameters of *your*
provider. If it is Google Talk, these are your Google username and
password.

3) Direct your XMPP client to bin...@conference.jabber.isc.org



Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 04:17:40PM +0100,
 Stephane Bortzmeyer bortzme...@nic.fr wrote 
 a message of 19 lines which said:

> 1) Choose a XMPP provider. I would recommend Google Talk (gratis,
> very reliable) since this is the one I use. If you don't like/use
> Google, jabber.org offers a gratis service, too. If your
> organization is an OARC member, there is also an OARC XMPP server.

Of course, there is also the possibility of being your own provider
(that's the great thing with the Internet) and install a XMPP server
(there are many implementations) on your machines. I never did it so I
cannot advise.


Re: How to Limit DNS Request per ip source ?

2013-01-14 Thread Stephane Bortzmeyer
On Mon, Jan 14, 2013 at 06:36:44PM +0530,
 Gaurav Kansal gaurav.kan...@nic.in wrote 
 a message of 156 lines which said:

> I tried the following commands, but unfortunately didn't succeed.

Why do you want to limit? If it is against a DoS attack, I warn you
that most Netfilter modules (for instance, state) require allocating
a state on the firewall and a clever attack can fill the memory of the
machine.

> If anyone is using iptables for limiting DNS Query per IP,

If you have a DNS server used for reflection+amplification attacks
*and* it is a Linux machine *and* you have Netfilter >= 1.4 *and* you
cannot or do not want to install the patches for BIND or NSD to do
rate-limiting (they may provide a better result) *and* the attack is
over IPv4 *and* the attacker uses only a few domain names, you could
be interested in the technique we use. Disclaimer: it works for us, it
will not work forever, it works now.

The idea is to use the Netfilter u32 module to recognize the attack,
then to rate-limit it with the Netfilter hashlimit module.

First, get the iptables rules generation script
http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py.

Then, look at the traffic so see the pattern: what query type
(typically ANY), what query domain name, etc. In the examples, we'll
assume QTYPE=ANY, QNAME=example.net.

Then, generate the Netfilter rule:

iptables -A INPUT -p udp --dport 53 -m u32 \
   --u32 "$(python generate-netfilter-u32-dns-rule.py --qname example.net --qtype ANY)" \
   -j RATELIMITER

The RATELIMITER chain can be:

iptables -A RATELIMITER -m hashlimit \
   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

or you can replace -j RATELIMITER by -j DROP if you want to be
radical.

There are more options in the generate-netfilter-u32-dns-rule.py
script, such as --bufsize=NNN if the attacker uses a fixed EDNS buffer
size (some do).

There are several ways for the attacker to work around this technique
(some obvious and some not so obvious). But my point is that it works
*today*, with *actual* attacks. So, it definitely helps but keep your
eyes open, have alternative solutions in place and do not put all your
eggs in one basket.

More details (only in French) at
http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html
and http://www.bortzmeyer.org/dns-netfilter-u32.html


Re: Caching name server - Choosing the root-servers

2012-12-14 Thread Stephane Bortzmeyer
On Fri, Dec 14, 2012 at 09:00:31AM +,
 Can Şirin sirin...@itu.edu.tr wrote 
 a message of 114 lines which said:

> I mean, choosing the faster ones (root-servers) is gonna be better
> for speed performance.

Yes, but BIND does it (testing the fastest) and probably better than
you.

> Is there any way to configure the caching name server in the way of
> I think.

I don't think so and it seems quite useless. 

Re: multiple entries for TXT record

2012-10-26 Thread Stephane Bortzmeyer
On Fri, Oct 26, 2012 at 06:08:32AM -0700,
 enigmedia online-...@enigmedia.com wrote 
 a message of 29 lines which said:

> TXT   IN   ("v=spf1 a mx ptr ip4:65.49.39.152/29 ~all"
>             "DZC=DlaVBmG")

This is *one* TXT record made of two strings. Whether or not the SPF
standard mandates it, it would be cleaner, IMHO, to have *two* TXT
records.

TXT   IN   "v=spf1 a mx ptr ip4:65.49.39.152/29 ~all"
TXT   IN   "DZC=DlaVBmG"




Re: multiple entries for TXT record

2012-10-26 Thread Stephane Bortzmeyer
On Fri, Oct 26, 2012 at 06:31:31AM -0700,
 enigmedia online-...@enigmedia.com wrote 
 a message of 34 lines which said:

> I wasn't sure if I was allowed to have more than one TXT record in
> a zone, and when I googled around the only references I saw were to
> concatenating multiple name-value pairs into a single record.

I've now checked RFC 4408, the SPF standard and such a single record
would be illegal (section 3.1.3 of the RFC), since it would not be
legal SPF syntax.
 
> I originally tried adding a second record, but when I did this and
> used some testing websites to check the TXT records for the zone,
> they only returned the first one, so I wasn't sure if having more
> than one was valid.

Many DNS tools are buggy in that respect: they forget that several
records of the same type and name are possible (it is common for A and
AAAA records, for instance).
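
An added example (not code from either post) of what the two messages
above describe: an SPF checker concatenates the character-strings of a
single TXT record with no separator (RFC 4408 section 3.1.3) and then
picks, among all TXT records at the name, the one that starts with
"v=spf1" (section 4.5). The rdata is the record quoted in the thread;
the term grammar is a simplified subset of the RFC (no CIDR suffixes or
macros) written for this illustration.

```python
import re

# Sample rdata, copied from the record discussed in the thread.
ONE_RECORD_TWO_STRINGS = [
    ["v=spf1 a mx ptr ip4:65.49.39.152/29 ~all", "DZC=DlaVBmG"],  # one TXT RR, two strings
]
TWO_RECORDS = [
    ["v=spf1 a mx ptr ip4:65.49.39.152/29 ~all"],  # first TXT RR
    ["DZC=DlaVBmG"],                                # second TXT RR
]

def txt_record_value(strings):
    """RFC 4408 section 3.1.3: the character-strings of one TXT record are
    concatenated WITHOUT any separator before the SPF record is parsed."""
    return "".join(strings)

# One SPF term: optional qualifier plus a mechanism, or a name=value modifier.
# Simplified grammar: no dual-CIDR suffixes, no macro expansion.
_TERM = re.compile(
    r"[+\-~?]?(?:all|include:\S+|a(?::\S+)?|mx(?::\S+)?|ptr(?::\S+)?"
    r"|ip4:\S+|ip6:\S+|exists:\S+)"
    r"|[A-Za-z][A-Za-z0-9_.-]*=\S*",
    re.IGNORECASE,
)

def spf_problems(value):
    """Syntax-check one assembled SPF string; an empty list means it parses."""
    terms = value.split()  # terms are separated by one or more spaces
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with 'v=spf1'"]
    return [f"unparsable term {term!r}" for term in terms[1:]
            if not _TERM.fullmatch(term)]

def select_spf_record(txt_rrset):
    """RFC 4408 section 4.5: of all TXT records at the name, exactly one may
    begin with 'v=spf1'; return it, or None when there are zero or several."""
    candidates = [v for v in map(txt_record_value, txt_rrset)
                  if re.match(r"v=spf1(?:\s|$)", v, re.IGNORECASE)]
    return candidates[0] if len(candidates) == 1 else None

if __name__ == "__main__":
    for label, rrset in (("one record, two strings", ONE_RECORD_TWO_STRINGS),
                         ("two records", TWO_RECORDS)):
        chosen = select_spf_record(rrset)
        print(label, "->", chosen, spf_problems(chosen) if chosen else "no SPF record")
```

With one record made of two strings the checker sees the term
"~allDZC=DlaVBmG" and rejects the whole record; with two separate TXT
records the "DZC=..." one is simply ignored by SPF and the policy parses.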


[DNSSEC] Dealing with an inconsistent NSEC

2012-10-23 Thread Stephane Bortzmeyer
It may be a bug in BIND and it is certainly a bug in the zone
pcextreme.nl.

BIND validating resolvers are unable to get the IP address of
v1.pcextreme.nl.

I believe this is because of the strange NSEC:

tools-newerst.pcextreme.nl. 2315 IN NSEC v2.pcextreme.nl. RRSIG NSEC

which says there is nothing between tools-newerst.pcextreme.nl and
v2.pcextreme.nl (and therefore no v1).

This is inconsistent since there are also A and AAAA records for
v1.pcextreme.nl.

I tested with a BIND and an Unbound, as well as with ODVR
https://www.dns-oarc.net/oarc/services/odvr. Apparently BIND always
fails and Unbound always succeeds, probably because Unbound is happy
with the A record but BIND uses the (unvalidated, since there is no DS
in the parent) NSEC to disprove the domain name.

So, the zone signature system at pcextreme.nl seems broken. But is
BIND right to send back NXDOMAIN? RFC 4035, section 5.4 is not obvious
here.
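
An added example (not from the post) of the check a validator performs
before it trusts an NSEC as a denial: names are compared in RFC 4034
section 6.1 canonical order, and the NSEC only proves something for a
query name that it owns (NODATA) or that falls strictly between its owner
and its "next" name (NXDOMAIN). The sample NSEC is the one quoted above;
the rule that the NSEC's RRSIG must itself have validated through a DS
chain is stated in the docstring rather than implemented.

```python
def canonical_key(name):
    """Sort key for RFC 4034 canonical DNS name order: labels compared from the
    root downwards as lowercased octets, a parent sorting before its children.
    Assumes ASCII (LDH) host names."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_covers(owner, next_name, qname):
    """True if the NSEC owner -> next_name spans qname, i.e. asserts that no
    such name exists. The last NSEC of a zone points back to the apex, so its
    span wraps around and covers every in-zone name sorting after its owner."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o  # wrap-around; the caller has already checked qname is in the zone

def nsec_proof(owner, next_name, type_bitmap, qname, qtype):
    """What one NSEC proves about (qname, qtype): 'nodata' (name exists but the
    type is not in its bitmap), 'nxdomain' (name does not exist), or None (this
    NSEC says nothing about the query). A validator may only call this with an
    NSEC whose RRSIG verified through a trusted DS chain; an unsigned or
    unvalidated NSEC proves nothing."""
    if canonical_key(qname) == canonical_key(owner):
        present = {t.upper() for t in type_bitmap}
        return None if qtype.upper() in present else "nodata"
    return "nxdomain" if nsec_covers(owner, next_name, qname) else None

# The NSEC quoted in the post, as a validator would see it.
POSTED_NSEC = ("tools-newerst.pcextreme.nl.", "v2.pcextreme.nl.", ["RRSIG", "NSEC"])

def what_posted_nsec_says(qname, qtype="A"):
    owner, nxt, types = POSTED_NSEC
    return nsec_proof(owner, nxt, types, qname, qtype)

if __name__ == "__main__":
    for q in ("v1.pcextreme.nl", "v2.pcextreme.nl", "v3.pcextreme.nl"):
        print(q, "->", what_posted_nsec_says(q))
```

For v1.pcextreme.nl the function answers "nxdomain": that is exactly the
denial a validator derives from this NSEC, which is why a resolver that
believes the NSEC cannot return the A record that also exists.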



Re: [DNSSEC] Dealing with an inconsistent NSEC

2012-10-23 Thread Stephane Bortzmeyer
On Tue, Oct 23, 2012 at 06:27:12AM -0700,
 Casey Deccio ca...@deccio.net wrote 
 a message of 88 lines which said:

> The issue here is that no delegation NS records exist for
> v1.pcextreme.nl in its parent zone, pcextreme.nl.  Thus when any
> server (authoritative for both zones) is queried for
> v1.pcextreme.nl/DS, NXDOMAIN is returned because there are no
> records by that name in the parent (no DS or NS).

But it should reply NOERROR, DATA=0, not NXDOMAIN. Indeed,
pcextreme.nl's name servers reply NXDOMAIN for DS queries but not for
other QTYPES.

So, no bug in BIND and Unbound, only in the zone?


Re: DNS software used by cloudflare

2012-09-18 Thread Stephane Bortzmeyer
On Tue, Sep 18, 2012 at 08:31:13PM +0800,
 pangj pa...@riseup.net wrote 
 a message of 12 lines which said:

> do you know what dns software is used by cloudflare?

I don't know.

> and how they defend the DDoS against DNS?

http://blog.cloudflare.com/65gbps-ddos-no-problem


Re: Glue from Root Servers returns wrong A record, why?

2012-09-11 Thread Stephane Bortzmeyer
On Mon, Sep 10, 2012 at 11:47:38AM -0700,
 Ponga ponga2...@gmail.com wrote 
 a message of 55 lines which said:

> But if I ask any root server, [...] DiG 9.7.3  -t ns intaq.com
> @192.42.93.30

192.42.93.30 is not a root name server.


Re: Root hints updates

2012-09-06 Thread Stephane Bortzmeyer
On Thu, Sep 06, 2012 at 08:06:45AM -0400,
 Timothe Litt l...@acm.org wrote 
 a message of 466 lines which said:

> This is a script to automagically update the root hints file.

Since the first thing BIND does at startup is to check the root NS
set, and since DNSSEC guarantees that it is genuine, is there still a
use for this tool?


Re: Question related to domain names and less to bind straight.

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 07:51:05AM +0100,
 Phil Mayers p.may...@imperial.ac.uk wrote 
 a message of 18 lines which said:

> See also:
>
> http://publicsuffix.org/

And remember it is unofficial, not perfectly maintained and has
several holes. It's OK if you accept a few misclassifications.



Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 10:01:45AM +0300,
 syed haq smu...@gmail.com wrote 
 a message of 66 lines which said:

> EDNS not supported by ***.**.**.**

1) Test your name server to be sure the diagnostic is correct:

dig +bufsize=4096 @YOUR-NAME-SERVER SOA YOUR-DOMAIN

You should get in the answer something like:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

(To test with a non-EDNS name server, 'dig +bufsize=4096
@uz5dz39x8xk8wyq3dzn7vpt670qmvzx0zd9zg4ldwldkv6kx9ft090.ns.yp.to SOA
yp.to' and with an EDNS name server 'dig +bufsize=4096 @f.ext.nic.fr
SOA fr' so you can see the difference)

2) BIND has supported EDNS for so long that everyone forgets when it was
included. So, it is unlikely it is the fault of your name server. If
your name server does not support EDNS, it probably means there is a
broken middlebox (firewall or something like that: most are configured
by ignorants, especially when it comes to the DNS) that you have to
fix.
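
An added example (not from the post) showing what the dig test above does
on the wire: build a query carrying an EDNS0 OPT pseudo-RR that advertises
a 4096-byte UDP buffer (RFC 6891), then look for an OPT in the reply. The
responses used here are constructed, not captured; check_edns() is the
live variant and takes an IPv4 address of your choosing. The server
address 192.0.2.53 in the usage note is a documentation placeholder.

```python
import random
import socket
import struct

OPT_TYPE = 41
QTYPE_SOA = 6

def build_query(qname, qtype=QTYPE_SOA, bufsize=4096, edns=True):
    """Wire-format query; with edns=True an OPT RR advertising `bufsize` is appended."""
    flags = 0x0100  # RD
    header = struct.pack("!HHHHHH", random.randrange(65536), flags, 1, 0, 0, 1 if edns else 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # class IN
    # OPT: owner "." (one zero byte), CLASS field carries the UDP payload size,
    # TTL field carries extended RCODE / EDNS version / flags (DO bit), no rdata.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0) if edns else b""
    return header + question + opt

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2  # compression pointer ends the name
        off += 1 + n

def edns_info(msg):
    """Fields of the OPT RR in a DNS message, or None when there is none
    (no EDNS support, or a middlebox stripped it)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return {"version": (ttl >> 16) & 0xFF, "udp_size": rclass,
                    "do": bool(ttl & 0x8000), "ext_rcode": ttl >> 24}
        off += 10 + rdlen
    return None

def constructed_answer(query, keep_opt=True):
    """Constructed reply to an EDNS query: echoes the question, adds one A record
    (owner is a compression pointer to the question name, rdata 192.0.2.1) and
    either returns the OPT like an EDNS-aware server (keep_opt=True) or drops it,
    which is what a non-EDNS server or an EDNS-stripping middlebox looks like."""
    qd_end = _skip_name(query, 12) + 4
    header = query[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 1 if keep_opt else 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:qd_end] + answer + (query[qd_end:] if keep_opt else b"")

def check_edns(server, qname, timeout=3.0):
    """Live check: send the EDNS query over UDP to an IPv4 address and report the
    OPT that comes back (or None). Only a reply with a matching ID is accepted."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return edns_info(data) if data[:2] == q[:2] else None
```

Usage: check_edns("192.0.2.53", "example.com") returns something like
{'version': 0, 'udp_size': 4096, 'do': False, 'ext_rcode': 0}, the same
information dig prints as "EDNS: version: 0, flags:; udp: 4096"; None
means no OPT came back. If a timeout is raised instead of None, the
packet itself (not only the OPT) is being dropped somewhere on the path,
which is the usual signature of a middlebox blocking EDNS.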



Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 11:11:43AM +0300,
 syed haq smu...@gmail.com wrote 
 a message of 134 lines which said:

> That means EDNS is not supported by that var of SunOS ,can you give
> me the commands for checking the ENDS,BIND version in sunos

I already gave them (dig). You simply cannot expect to solve *any* DNS
problem without dig (or an equivalent like drill). Install it before
anything (it does not have to run on the name server, any stupid Linux
box has dig).



Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 04:29:25PM +0300,
 syed haq smu...@gmail.com wrote 
 a message of 769 lines which said:

> That means I need to completely upgrade the OS to make the EDNS support

Personal opinion: you need to follow a serious Unix sysadmin training
first. From your messages, it seems you are a beginner. May I suggest
that you leave this matter to a more experienced colleague, while you
learn system administration?

And I repeat myself: dig is a pre-requisite. Without it, you won't
even be able to *test* if your name server now supports EDNS.



Re: ho to filter hundeds of domains ?

2012-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 30, 2012 at 01:34:07PM +0100,
 Niall O'Reilly niall.orei...@ucd.ie wrote 
 a message of 32 lines which said:

> Don't waste your time.
>
> This approach is superficial.

http://www.bortzmeyer.org/images/please-close-gate.jpg :-)


Re: ho to filter hundeds of domains ?

2012-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 30, 2012 at 03:16:32PM +0200,
 fddi f...@gmx.it wrote 
 a message of 15 lines which said:

> Actually many telephone companies in the world are doing this,

They're wrong politically (censorship) and they're wrong technically
(see O'Reilly's answer).

Copying telephone companies is not a good idea for the Internet :-)

