Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
On 01.05.2024 01:33, Mark Andrews wrote:
On 1 May 2024, at 03:32, Lee wrote:
On Mon, Apr 29, 2024 at 11:40 PM Walter H. wrote:
On 29.04.2024 22:19, Lee wrote:
On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users wrote:

something that I replied to and got this in response:

Error Icon Message blocked
Your message to Walter.H@[..snip..] has been blocked. See technical details below for more information.
The response from the remote server was:
554 5.7.1 : Client host rejected: Use IPv4

For explanation: this is MY mail server, which blocks IPv6 connections from Outlook.com Gmail.com ... as these are the biggest SPAM senders

Which is fine .. your server, your rules. But maybe what isn't so fine is me replying only to the list and still getting a 'rejected: Use IPv4' msg. I don't know how the mailing list works; I'm a bit surprised that I can reply only to the list, get the Client host rejected msg and somehow you can still get the msg??

there are 2 pairs of shoes, mails from the list are not from Outlook.com or Gmail.com but if you put my mail address to "To: ", then it's from Gmail.com ;-)

This is what happens when you put something into the rejection rules which has zero relationship whether something is spam or ham.

depends ...

I just find it interesting that someone using mx01.ipv6help.de as a MX would be so interested in punishing IPv6 use.

you are mixing up 2 independent things ... IPv6 clients aren't blocked at all, just Outlook.com, Gmail.com, ... that is the difference; just for Outlook.com the following fact is true but bullshit

# host -t MX outlook.com
outlook.com mail is handled by 5 outlook-com.olc.protection.outlook.com.
# host outlook-com.olc.protection.outlook.com
outlook-com.olc.protection.outlook.com has address 52.101.8.47
outlook-com.olc.protection.outlook.com has address 52.101.9.15
outlook-com.olc.protection.outlook.com has address 52.101.40.30
outlook-com.olc.protection.outlook.com has address 52.101.194.14
#

as you see no IPv6 at all; why then the need of accepting their SPAM on IPv6 transport?

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
On 29.04.2024 22:19, Lee wrote:
On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users wrote:

something that I replied to and got this in response:

Error Icon Message blocked
Your message to Walter.H@[..snip..] has been blocked. See technical details below for more information.
The response from the remote server was:
554 5.7.1 : Client host rejected: Use IPv4

For explanation: this is MY mail server, which blocks IPv6 connections from Outlook.com Gmail.com ... as these are the biggest SPAM senders

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
Try these four

fail01.dnssec.works
fail02.dnssec.works
fail03.dnssec.works
fail04.dnssec.works

and then with +cd and note the difference;

On 28.04.2024 08:17, Walter H. via bind-users wrote:
On 27.04.2024 16:54, Lee wrote:
On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users wrote:

# host dnssec-analyzer.verisignlabs.com
dnssec-analyzer.verisignlabs.com is an alias for dnssec-analyzer-gslb.verisignlabs.com.
dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42

Right, the IPv4 address lookup works. Now try looking up the IPv6 address.

if there was one it would be presented there

see here for full answer

# host one.one.one.one
one.one.one.one has address 1.1.1.1
one.one.one.one has address 1.0.0.1
one.one.one.one has IPv6 address 2606:4700:4700::1001
one.one.one.one has IPv6 address 2606:4700:4700::

I get a status: SERVFAIL instead of a status: NOERROR

$ dig dnssec-analyzer.verisignlabs.com
; <<>> DiG 9.16.48-Debian <<>> dnssec-analyzer.verisignlabs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Lee

this can't be a matter of DNSSEC, as there are only signed whole zones and not just single DNS-records ... would it be a problem with just this DNS zone, why are only problems getting the IPv6?

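Added example, not part of the thread: the comparison suggested in the message above (the same query with and without +cd), shown at the DNS header level in Python. The name broken.example, the address 2001:db8::1, the replies and the classification labels are all constructed for this illustration.

```python
import ipaddress
import struct

QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010  # header flag bits
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
AAAA = 28

def build_query(name, cd=False, qid=0x1234):
    """Wire-format AAAA query; cd=True sets the bit that dig +cd sets."""
    flags = RD | (CD if cd else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", AAAA, 1)

def constructed_reply(query, rcode, addr=None, ad=False):
    """Constructed resolver reply for the demo (not captured traffic)."""
    qid, qflags = struct.unpack("!2H", query[:4])
    flags = QR | RA | (qflags & (RD | CD)) | (AD if ad else 0) | rcode
    body = query[12:]  # echo the question section
    if addr:  # one AAAA record; 0xC00C points back at the question name
        body += b"\xc0\x0c" + struct.pack("!2HIH", AAAA, 1, 60, 16)
        body += ipaddress.IPv6Address(addr).packed
    return struct.pack("!6H", qid, flags, 1, 1 if addr else 0, 0, 0) + body

def parse_header(msg):
    """Decode the 12-byte DNS header: id, rcode, CD/AD flags, answer count."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {"id": qid, "rcode": RCODES.get(rcode, str(rcode)),
            "cd": bool(flags & CD), "ad": bool(flags & AD), "answers": an}

def classify(plain_reply, cd_reply):
    """Compare the reply to a plain query with the reply to the same query with CD set."""
    plain, cd = parse_header(plain_reply), parse_header(cd_reply)
    if plain["rcode"] == "SERVFAIL":
        if cd["rcode"] == "NOERROR":
            return "validation failure"   # data exists, the validator rejected it
        return "resolution failure"       # still failing with checking disabled
    if plain["rcode"] == "NOERROR" and plain["ad"]:
        return "validated"
    return "no validation failure seen (" + plain["rcode"] + ")"

if __name__ == "__main__":
    plain_q = build_query("broken.example")
    cd_q = build_query("broken.example", cd=True)
    print(classify(constructed_reply(plain_q, 2),
                   constructed_reply(cd_q, 0, addr="2001:db8::1")))
```
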
Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
On 27.04.2024 16:54, Lee wrote:
On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users wrote:

# host dnssec-analyzer.verisignlabs.com
dnssec-analyzer.verisignlabs.com is an alias for dnssec-analyzer-gslb.verisignlabs.com.
dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42

Right, the IPv4 address lookup works. Now try looking up the IPv6 address.

if there was one it would be presented there

see here for full answer

# host one.one.one.one
one.one.one.one has address 1.1.1.1
one.one.one.one has address 1.0.0.1
one.one.one.one has IPv6 address 2606:4700:4700::1001
one.one.one.one has IPv6 address 2606:4700:4700::

I get a status: SERVFAIL instead of a status: NOERROR

$ dig dnssec-analyzer.verisignlabs.com
; <<>> DiG 9.16.48-Debian <<>> dnssec-analyzer.verisignlabs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Lee

this can't be a matter of DNSSEC, as there are only signed whole zones and not just single DNS-records ... would it be a problem with just this DNS zone, why are only problems getting the IPv6?

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
# host dnssec-analyzer.verisignlabs.com
dnssec-analyzer.verisignlabs.com is an alias for dnssec-analyzer-gslb.verisignlabs.com.
dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42

On 27.04.2024 01:35, Lee wrote:

dig dnssec-analyzer.verisignlabs.com gives me a SERVFAIL & this in the bind errors_log file:

$ grep dnssec-analyzer.verisignlabs.com named-errors.log | tail -1
26-Apr-2024 19:28:37.600 query-errors: info: client @0x7f384488e3c0 127.0.0.1#47121 (dnssec-analyzer.verisignlabs.com): query failed (failure) for dnssec-analyzer.verisignlabs.com/IN/ at query.c:7471

Is that because of the insecure delegation shown at https://dnsviz.net/d/dnssec-analyzer.verisignlabs.com/dnssec/ and me having "dnssec-validation auto;" in named.conf?

Thanks
Lee (still struggling to understand this stuff)

Re: Installing bind on Windows 10
On 09.09.2022 05:31, Ahmad Ibrahim wrote:

Hello

I'm working installing an equivalent to dig on windows and stumbled upon the following site: https://phoenixnap.com/kb/dig-windows/

use this: https://www.youtube.com/watch?v=bacxWTAWiVQ (instruction with link to ISC BIND)

During the installation I'm asked for a service account - I don't believe I have any additional accounts on the computer - will I be required to create another one as a service account? Additionally I am unable to install due to the Visual C++ 2017 requirement. I have a number of different Visual Studio Redistributables installed (I am unable to upload an image as part of this support request). I do not feel comfortable uninstalling them randomly but I do have one (2015-2022 x64 14.32.31332) that seems to be more current than the one bundled with the installation.

the service account is needed for BIND itself; the newer visual c++ runtimes are not always a replacement for older visual c++ runtimes;

Master-Slave with IPv6 only?
Hello,

I have this situation: both the master and the slave are dualstack (have both an IPv4 and IPv6 address), but the master is not reachable on IPv4 (RFC1918 IPv4 without a port forwarding);

how can I prevent the following on slave side's log:

Nov 7 10:23:01 nilsholgerson named[20881]: client 17.17.17.17#27763: view auth: received notify for zone '...'
Nov 7 10:23:01 nilsholgerson named[20881]: zone .../IN/auth: refused notify from non-master: 17.17.17.17#27763

named.conf on master has this:

notify-source 0.0.0.0;
transfer-source 0.0.0.0;

the same in named.conf on slave;

Thanks,
Walter

Re: DOH or DOT Forwarder in BIND and is DOH GA?
On 12.06.2021 14:24, Richard T.A. Neal wrote:

Manish – I haven’t done any experimenting with DOT, but there’s a guide for configuring DOH at the following page. It requires BIND 9.17.10 or higher (DOH isn’t being backported to BIND 9.16): https://www.isc.org/blogs/doh-talkdns/

Walter – I’m not sure why you’d say DOH/DOT is dead and to instead use DNSSEC. DOH/DOT and DNSSEC are two completely different things meant for two completely different DNS functions – there is no overlap.

short explanation: the requirement for using DOH is to allow HTTPS requests with a Host of just an IP, which you would rather block; and for both DOT and DOH are SSL-certificates with an IP address in its SAN, which you also rather reject; and the overlap you don't see is the reason why one would use DOT or DOH;

Re: DOH or DOT Forwarder in BIND and is DOH GA?
On 12.06.2021 04:52, Manish Rane wrote:

Hi Team,

I am using BIND 9.11.3-1ubuntu1.12-Ubuntu version for my BIND and planning to use ISC PPA and use 9.16.16. So my queries are

1. Is DOH/DOT officially supported now?
2. And how do I DOH forwarding in my BIND configuration?

DOH/DOT is dead; use DNSSEC instead and no troubles;