Re: Communication error when we do axfr query for the large size zone
We have CentOS Linux 7, 128GB RAM and bind 9.16.13. Could you please share what information exactly you are looking for to resolve the issue?

On Wed, Apr 20, 2022 at 11:36 AM Ondřej Surý wrote:

> We can’t really help you if you withhold information. You need to learn to
> provide complete information if you want other people to help you instead
> of letting them guess what your environment looks like.
>
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> On 20. 4. 2022, at 8:04, rams wrote:
>
> Seeing only these two lines in log:
> Apr 20 05:54:20 perf-bind named[74314]: client @0x7fb844005288 127.0.0.1#13522 (25million.com): transfer of '25million.com/IN': AXFR started (serial 1605611713)
> Apr 20 05:54:41 perf-bind monit[1105]: 'rootfs' space usage 92.9% matches resource limit [space usage > 90.0%]
> Apr 20 05:54:41 perf-bind monit[1105]: 'rootfs' space usage 92.9% matches resource limit [space usage > 90.0%]
> Apr 20 05:54:50 perf-bind named[74314]: client @0x7fb844005288 127.0.0.1#13522 (25million.com): transfer of '25million.com/IN': send: operation canceled
>
> On Wed, Apr 20, 2022 at 11:17 AM Crist Clark wrote:
>
>> Probably.
>>
>> Maybe check for any log messages from BIND. Do packet capture to see
>> exactly what's happening to the TCP.
>>
>> On Tue, Apr 19, 2022 at 10:12 PM rams wrote:
>>
>>> Hi,
>>> We are getting the following error when we query for the 25M zone with
>>> axfr.
>>>
>>> ]# dig @localhost 25million.com axfr |tail
>>> a8157794.25million.com. 86400 IN A 1.1.1.1
>>> a8157795.25million.com. 86400 IN A 1.1.1.1
>>> a8157796.25million.com. 86400 IN A 1.1.1.1
>>> a8157797.25million.com. 86400 IN A 1.1.1.1
>>> a8157798.25million.com. 86400 IN A 1.1.1.1
>>> a8157799.25million.com. 86400 IN A 1.1.1.1
>>> a81578.25million.com. 86400 IN A 1.1.1.1
>>> a815780.25million.com. 86400 IN A 1.1.1.1
>>> *;; communications error to 127.0.0.1#53: end of file*
>>>
>>> Do we need to increase or set any parameters?
>>>
>>> Regards,
>>> Ramesh

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Communication error when we do axfr query for the large size zone
Seeing only these two lines in log:

Apr 20 05:54:20 perf-bind named[74314]: client @0x7fb844005288 127.0.0.1#13522 (25million.com): transfer of '25million.com/IN': AXFR started (serial 1605611713)
Apr 20 05:54:41 perf-bind monit[1105]: 'rootfs' space usage 92.9% matches resource limit [space usage > 90.0%]
Apr 20 05:54:41 perf-bind monit[1105]: 'rootfs' space usage 92.9% matches resource limit [space usage > 90.0%]
Apr 20 05:54:50 perf-bind named[74314]: client @0x7fb844005288 127.0.0.1#13522 (25million.com): transfer of '25million.com/IN': send: operation canceled

On Wed, Apr 20, 2022 at 11:17 AM Crist Clark wrote:

> Probably.
>
> Maybe check for any log messages from BIND. Do packet capture to see
> exactly what's happening to the TCP.
>
> On Tue, Apr 19, 2022 at 10:12 PM rams wrote:
>
>> Hi,
>> We are getting the following error when we query for the 25M zone with
>> axfr.
>>
>> ]# dig @localhost 25million.com axfr |tail
>> a8157794.25million.com. 86400 IN A 1.1.1.1
>> a8157795.25million.com. 86400 IN A 1.1.1.1
>> a8157796.25million.com. 86400 IN A 1.1.1.1
>> a8157797.25million.com. 86400 IN A 1.1.1.1
>> a8157798.25million.com. 86400 IN A 1.1.1.1
>> a8157799.25million.com. 86400 IN A 1.1.1.1
>> a81578.25million.com. 86400 IN A 1.1.1.1
>> a815780.25million.com. 86400 IN A 1.1.1.1
>> *;; communications error to 127.0.0.1#53: end of file*
>>
>> Do we need to increase or set any parameters?
>>
>> Regards,
>> Ramesh
Communication error when we do axfr query for the large size zone
Hi,

We are getting the following error when we query for the 25M zone with axfr.

]# dig @localhost 25million.com axfr |tail
a8157794.25million.com. 86400 IN A 1.1.1.1
a8157795.25million.com. 86400 IN A 1.1.1.1
a8157796.25million.com. 86400 IN A 1.1.1.1
a8157797.25million.com. 86400 IN A 1.1.1.1
a8157798.25million.com. 86400 IN A 1.1.1.1
a8157799.25million.com. 86400 IN A 1.1.1.1
a81578.25million.com. 86400 IN A 1.1.1.1
a815780.25million.com. 86400 IN A 1.1.1.1
*;; communications error to 127.0.0.1#53: end of file*

Do we need to increase or set any parameters?

Regards,
Ramesh
all resource record types and examples
Hi,

Greetings ...

Could someone please share all supported DNS RRs and examples of each RR.

Regards,
Ramesh
CPU core load not distributing with bind 9.16.21
Hi,

I am using bind 9.16.21 on Ubuntu. When I am running dnsperf against it, the load always goes to one CPU core; because of this issue, I am seeing less QPS. Has anyone faced the same issue? Could someone please look into this and help me with this?

Regards,
Ramesh
how/why the kernel is "routing" incoming packets to a specific core
Hi,

I am using bind 9.16.21 on Ubuntu. When I am running dnsperf against it, the load always goes to one CPU core; because of this issue, I am seeing less QPS. Has anyone faced the same issue? Could someone please look into this and help me with this?

Regards,
Ramesh
Re: Unable to start name
Thank you Stuart for your reply. When I run named-checkconf I see the output below, and the status always shows failed. I have looked into the below zones and not seen any issue with those.

[dev][root@xtld2.usiad42 log]# named-checkconf -z /etc/named.conf
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
[dev][root@xtld2.usiad42 log]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
● named.service - LSB: start|stop|status|restart|try-restart|reload|force-reload DNS server
   Loaded: loaded (/etc/rc.d/init.d/named; bad; vendor preset: disabled)
   Active: failed (Result: timeout) since Fri 2021-04-09 04:49:29 UTC; 1h 15min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 23987 ExecStop=/etc/rc.d/init.d/named stop (code=exited, status=1/FAILURE)
  Process: 1345 ExecStart=/etc/rc.d/init.d/named start (code=killed, signal=TERM)

Apr 09 05:19:38 named[1354]: generating session key for dynamic DNS
Apr 09 05:19:38 named[1354]: could not create /var/run/named/session.key
Apr 09 05:19:38 named[1354]: failed to generate session key for dynamic DNS: permi...ied
Apr 09 05:19:38 named[1354]: sizing zone task pool based on 583 zones
Apr 09 05:19:38 named[1354]: none:100: 'max-cache-size 90%' - setting to 115894MB ...MB)
Apr 09 05:19:39 named[1354]: none:100: 'max-cache-size 90%' - setting to 115894MB ...MB)
Apr 09 05:19:39 named[1354]: configuring command channel from '/etc/rndc.key'
Apr 09 05:19:39 named[1354]: configuring command channel from '/etc/rndc.key'
Apr 09 05:19:39 named[1354]: reloading configuration succeeded
Apr 09 05:19:39 named[1354]: zone 5.0.0.0.0.0.0.0.8.1.6.0.1.0.a.2.ip6.arpa/IN: ref...led
Hint: Some lines were ellipsized, use -l to show in full.
[dev][root@xtld2.usiad42 log]#

On Fri, Apr 9, 2021 at 11:16 AM Stuart@registry.godaddy wrote:

> > From: bind-users on behalf of rams <brames...@gmail.com>
> > Date: Friday, 9 April 2021 at 2:56 pm
> > To: bind-users
> > Subject: Unable to start name
> >
> > Hi
> > We are using bind 9.11.28.1 on centos7.8. We have large number of zones
> > on disk. When we stop/start, we are not getting successful message and
> > seeing below error. But in log we see named is running and doing
> > axfr/ixfr. Do we need to add any configuration parameter to avoid below
> > error.
> >
> > Starting named (via systemctl): Job for named.service failed because a timeout was exceeded. See "systemctl status named.service" and "journalctl -xe" for details
>
> You mentioned that you have a large number of zones. If there are no error
> messages generated by NAMED starting other than the exceeding of a timeout,
> it could just be the system service-start timing out.
>
> Have a look at TimeoutSec in the service unit definition:
>
> https://www.freedesktop.org/software/systemd/man/systemd.service.html#TimeoutSec=
>
> You may also want to try "named-checkconf -z /etc/named.conf" and see how long
> it takes (as this does a similar sort of validation as starting the
> service does).
>
> Stuart
Unable to start name
Hi

We are using bind 9.11.28.1 on centos7.8. We have large number of zones on disk. When we stop/start, we are not getting successful message and seeing below error. But in log we see named is running and doing axfr/ixfr. Do we need to add any configuration parameter to avoid below error.

Starting named (via systemctl): Job for named.service failed because a timeout was exceeded. See "systemctl status named.service" and "journalctl -xe" for details

Kindly help me.

Regards,
Ramesh.
Is auto-dnssec option mandatory for inline sign?
Hi,

Is the auto-dnssec option mandatory for inline signing along with the "inline-signing yes" option? Kindly confirm.

Regards,
Ramesh
How to generate ZSK key with one year valid
Hi,

Can anyone help me how to generate ZSK key with one year validity? When I am trying, it is default 30 days validity but I want to make ZSK key validity 1 year. Is it possible in bind?

Regards,
Ramesh
Latest bind for centos7
Hi,

What is the latest bind version for CentOS 7? Where can we download it?

Regards,
Ramesh
auto RRSIG enable
Hi,

Do we need to set any option in named.conf for auto RRSIG generation in bind? Can anyone help me on this.

Regards,
Ramesh
Key rollover for inline signing zones
Hi,

Can anyone share the steps and commands for key rollover for inline signing zones in bind by manual/auto.

Regards,
Ramesh
CAA iodef clarification
Hi

On the CAA record iodef field, do we force this to be unique or can it match a CNAME?

Thanks,
Ramesh
How to configure minimal-responses option at zone level?
Hi,

Greetings!

How to configure "minimal-responses" option at zone level? At global level it is working fine, but I am looking for help to configure it at zone level. Can someone help me on this?

Regards,
Ramesh
DS records setup
Greetings.!

How does a recursive resolver get the information for a zone example.com in the below setup when example.com has DS records in .com?

.com is tld zone
example.com is sld zone

Regards,
Ramesh
Re: SSHFP observation
Thank you Mukund, Jim and Alan for looking at my issue. We are seeing the issue only when the sshfp fingerprint value is less than 4 characters. It is working fine with a value of >=4 characters.

Ex: test3.ramesh-sshfp.com SSHFP 1 1 WORKING FINE

I am guessing there is a bug in bind and have posted it in the bugs list.

Regards,
Ramesh

On Thu, 31 Jan 2019, 7:14 pm rams wrote:

> Hi,
> I have setup sshfp records as follows in bind zone file:
>
> test1.ramesh-sshfp.com. 86400 IN SSHFP 1 1 aa
> test2.ramesh-sshfp.com. 86400 IN SSHFP 1 1 00
>
> Successfully started bind but when queried for domain test1 and test2,
> returning malformed error and no answer. If fingerprint value wrong then
> bind should validate and should not start. Is it expected behavior? Kindly
> confirm.
>
> Bind responses
> [qa][root@regression-bind-useast1a01-01 zones]# dig @localhost test2.ramesh-sshfp.com. sshfp
> ;; Warning: Message parser reports malformed message packet.
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> @localhost test2.ramesh-sshfp.com. sshfp
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49768
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> ;; WARNING: Messages has 55 extra bytes at end
>
> ;; QUESTION SECTION:
> ;test2.ramesh-sshfp.com.IN SSHFP
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Jan 31 13:29:18 2019
> ;; MSG SIZE rcvd: 107
>
> [qa][root@regression-bind-useast1a01-01 zones]# dig @localhost test1.ramesh-sshfp.com. sshfp
> ;; Warning: Message parser reports malformed message packet.
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> @localhost test1.ramesh-sshfp.com. sshfp
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23302
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> ;; WARNING: Messages has 55 extra bytes at end
>
> ;; QUESTION SECTION:
> ;test1.ramesh-sshfp.com.IN SSHFP
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Jan 31 13:29:23 2019
> ;; MSG SIZE rcvd: 107
>
> [qa][root@regression-bind-useast1a01-01 zones]#
>
> Regards,
> Ramesh
Fwd: SSHFP observation
Hi,

I have setup sshfp records as follows in bind zone file:

test1.ramesh-sshfp.com. 86400 IN SSHFP 1 1 aa
test2.ramesh-sshfp.com. 86400 IN SSHFP 1 1 00

Successfully started bind but when queried for domain test1 and test2, returning malformed error and no answer. If fingerprint value wrong then bind should validate and should not start. Is it expected behavior? Kindly confirm.

Bind responses

[qa][root@regression-bind-useast1a01-01 zones]# dig @localhost test2.ramesh-sshfp.com. sshfp
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> @localhost test2.ramesh-sshfp.com. sshfp
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49768
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: Messages has 55 extra bytes at end

;; QUESTION SECTION:
;test2.ramesh-sshfp.com.IN SSHFP

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 31 13:29:18 2019
;; MSG SIZE rcvd: 107

[qa][root@regression-bind-useast1a01-01 zones]# dig @localhost test1.ramesh-sshfp.com. sshfp
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> @localhost test1.ramesh-sshfp.com. sshfp
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23302
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: Messages has 55 extra bytes at end

;; QUESTION SECTION:
;test1.ramesh-sshfp.com.IN SSHFP

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 31 13:29:23 2019
;; MSG SIZE rcvd: 107

[qa][root@regression-bind-useast1a01-01 zones]#

Regards,
Ramesh
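A pre-load check for the situation described in this thread, as an added example that is not part of the original posts and not BIND's own code: it flags SSHFP records whose fingerprint length does not match the fingerprint type (20 bytes for type 1/SHA-1 per RFC 4255, 32 bytes for type 2/SHA-256 per RFC 6594). The sample zone is constructed from the two records quoted above plus hypothetical good, split and odd names; only single-line records are handled.

```python
"""Lint SSHFP records in zone-file text before the zone is loaded (added example)."""
import re

# Digest length in bytes for each SSHFP fingerprint type:
# 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_DIGEST_BYTES = {1: 20, 2: 32}
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample: lines 1-2 are the records quoted in the post; the
# good/split/odd owner names and their fingerprints are made up for contrast.
SAMPLE_ZONE = """\
test1.ramesh-sshfp.com. 86400 IN SSHFP 1 1 aa
test2.ramesh-sshfp.com. 86400 IN SSHFP 1 1 00
good.ramesh-sshfp.com.  86400 IN SSHFP 1 1 0123456789abcdef0123456789abcdef01234567
split.ramesh-sshfp.com. 86400 IN SSHFP 1 2 0123456789abcdef0123456789abcdef 0123456789abcdef0123456789abcdef
odd.ramesh-sshfp.com.   86400 IN SSHFP 1 1 abc
"""


def check_sshfp_line(line):
    """Return (owner, problem) for a malformed SSHFP record, else None."""
    text = line.split(";", 1)[0]  # drop a trailing zone-file comment
    tokens = text.replace("(", " ").replace(")", " ").split()
    if not tokens:
        return None
    # A line starting with whitespace inherits the previous owner name.
    inherited = line[:1].isspace()
    start = 0 if inherited else 1
    upper = [t.upper() for t in tokens]
    if "SSHFP" not in upper[start:]:
        return None
    idx = upper.index("SSHFP", start)
    owner = "(previous owner)" if inherited else tokens[0]

    rdata = tokens[idx + 1:]
    if len(rdata) < 3:
        return owner, "expected <algorithm> <fp-type> <fingerprint>"
    if not (rdata[0].isdigit() and rdata[1].isdigit()):
        return owner, "algorithm and fp-type must be decimal integers"
    fp_type = int(rdata[1])

    # Presentation format allows whitespace inside the hex string.
    fingerprint = "".join(rdata[2:])
    if not HEX_RE.fullmatch(fingerprint):
        return owner, "fingerprint is not hexadecimal"
    if len(fingerprint) % 2:
        return owner, "fingerprint has an odd number of hex digits"

    expected = FP_DIGEST_BYTES.get(fp_type)
    if expected is None:
        return owner, f"fp-type {fp_type} has no known digest length"
    actual = len(fingerprint) // 2
    if actual != expected:
        return owner, (f"fingerprint is {actual} byte(s), "
                       f"fp-type {fp_type} needs {expected}")
    return None


def lint_zone(zone_text):
    """Return a list of (line_number, owner, problem) for bad SSHFP records."""
    findings = []
    for lineno, line in enumerate(zone_text.splitlines(), start=1):
        result = check_sshfp_line(line)
        if result:
            findings.append((lineno, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for lineno, owner, problem in lint_zone(SAMPLE_ZONE):
        print(f"line {lineno}: {owner}: {problem}")
```

Run as a commit hook or deployment step, a non-empty result from lint_zone() can block the zone from being published.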
Bind has a database option instead of zone files?
Greetings!!

Does Bind have a database option to read zones [if zones are in database] instead of zone files? If yes, how to set it up? Can someone help me.

Regards,
Ramesh
Unbound 1.9 release date
Greetings,

Does anyone know the unbound 1.9 release date?

Regards,
Ramesh
bind 9.10.6.1 vs 9.10.6
Hi,

Greetings

Is there any QPS improvement bind 9.10.6 vs 9.10.6.1? because we are seeing 47K QPS on 9.10.6 and 95K QPS on 10.9.6.1 on the same zone.

Regards,
Ramesh
RRSIG query
Hi

Greetings!!

We have 1Million signed zone records in bind. My zone is going to auto-resign after 3 days. If we change RRSIG expire date to greater than two months from now and then restart bind, can we avoid auto-resign in this week? Is there any impact on resolution, or is my zone valid? What would we need to do to make my zone valid after changing the rrsig expire date value manually? Do we need to change any other values along with RRSIG expire value?

Kindly look into this.

Regards,
Ramesh
Any chance to do partial sign when RRSIG expires
Hi,

Greetings

Currently in bind we are doing auto full sign when RRSIG expires. Is there any chance to generate only RRSIGs instead of full sign? The reason I am asking is when we have large zone and when it happens auto RRSIG expire and full sign, the complete zone is going to full sign and taking more memory. To avoid that, is there any chance to generate only RRSIGs like batch wise or any other alternative?

Regards,
Ramesh
SOA serial increment when we update SOA RR
Greetings!!

When we change any resource record like A or , then SOA serial number gets incremented. But if we update only SOA record, does the serial number of SOA remain same as before or will the serial number of SOA increment? Do we have any RFC for this?

Regards,
Ramesh
getting two rrsigs for dnskey after ksk rollover
Greetings!!!

We are getting two RRSIGs and 3 DNSKEY [ 1-256 and 2-257] when we do KSK rollover. Is it correct we are returning two RRSIGs for DNSKEY?

Regards,
Ramesh
How to pause master zone updates to slave for couple of minutes
Hi,

Greetings.

I want to test bulk updates master to slave in Bind. Is there any way to pause to send updates to slave from master?

Thanks & Regards,
Ramesh
email notification in bind?
Hi,

Greetings!!!

Do we have email notification feature in Bind when zone update fails.

Thanks & Regards,
Ramesh
Adding DS Records for Subdelegated Domains
Hi,

we have two scenarios as follows. Is there any chance to copy DS records through AXFR or any another method to copy child DS records into parent zone.

Scenario 1:
Customer has domain2.com on Bind1 signed with DS records for domain2.com at place with registrar. Customer delegates a zone (sub.domain2.com) from Bind1 to another DNS provider and wants to sign domain on the other provider.
Assumption: We would have to host the DS records for sub.domain2.com in the zone file domain2.com. They'd need to sign the zone on the other provider.

Scenario 2:
Customer has DS records for domain3.com at registrar and has domain3.com and sub.domain3.com as separate zones on Bind1.
Question: Since this all on the same provider do the DS records only need to exist at registrar? Will the separate zone create an issue since it (sub.domain3.com) is not the same zone as what has DS records at the provider (domain3.com)?

Thanks & Regards,
Ramesh
How to request ixfr updates against public ip directly instead of unicast ip in bind
Hi,

Greetings!!!

I have master and slave servers. When we have updates in master, slave is getting updated after 20 or 30 minutes. When I look into tcpdump packets, slave is trying with master unicast ip to get updates. We don't have port opened slave to master with unicast ip and we have port opened slave to master with public ip. Do we have any option for checking the SOA value directly with public ip of master instead of unicast ip?

Thanks & Regards,
Ramesh
Breaking trusted chain in dnssec
Greetings...!

Can anyone explain how to break trusted chain in dnssec, with example how to create zone or data with trusted chain break.

Thanks & Regards,
ramesh
any tool or command to find/verify the closest encloser NSEC3 record
Hi,

Greetings

Can anyone help me to verify whether the NSEC3 record in response is correct or not? Do we have any tool or command to check closest encloser NSEC3 record or correct NSEC3 record returned in response?

Thanks & Regards,
Ramesh
Ns records rfc
Is there any rfc that a tld zone should have at least two ns records when we create the tld zone?

Thanks & regards,
Ramesh
recursive answer not constant
Hi

I have own resolver as authoritative and configured to chase the domain in recursive bind as configured in my resolver.

ex: example.com CNAME bind.com

I have bind.com A record in bind. When I queried example.com against my auth resolver, for couple of queries giving A record from bind and some times not giving A record. Do we have any configuration in bind? Why I am getting A record some times and not some times.

Note: allow query is already enabled in bind.

Kindly look into this issue.

Thanks & Regards,
Ramesh
CAA RR type
Hi.

I have zone file as follows

$ORIGIN rameshtest-caa.com.
$TTL 86400 ; 1 day
@ IN SOA ns1.rameshtest-caa.com. root.rameshtest-caa.com. (
        2009040114 ; serial
        3600 ; refresh (1 hour)
        900 ; retry (15 minutes)
        1814400 ; expire (3 weeks)
        900 ; minimum (15 minutes)
        )
        IN NS ns1.rameshtest-caa.com.
        IN A 1.1.1.1
ns1     IN A 1.2.3.4
a       IN A 2.2.2.2
        IN 3FFE:0B80:0444:0004::::0004
caa     IN CAA 0 issue ca.example.net
caa1    IN CAA 0 iodef mailto:secur...@example.com;
caa2    IN CAA 0 iodef http://iodef.example.com/;

When I start named, getting the following error:

/var/named/zones/rameshtest-caa.com:15: unknown RR type 'CAA'
/var/named/zones/rameshtest-caa.com:16: unknown RR type 'CAA'
/var/named/zones/rameshtest-caa.com:17: unknown RR type 'CAA'
zone rameshtest-caa.com/IN: loading from master file /var/named/zones/rameshtest-caa.com failed: unknown class/type
_default/rameshtest-caa.com/IN: unknown class/type [FAILED]

I am using bind 9.6. Did I miss/mistake anything here? Could you please guide me to work for CAA.

Thanks Regards,
Ramesh
forwarder not working
Hi

I have configured my bind as forwarder but when I query it is not forwarding and looking into local only.

recursion yes;
zone com. {
    type forward;
    forwarders {ip; };
};

;; QUESTION SECTION:
;soap-e2e-signzone.com. IN A

;; AUTHORITY SECTION:
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.

Kindly help on this.

Thanks,
Ramesh
How to get AD flag
Hi,

I have 9.7 bind installed and configured recursive. When I query against forwarder I am not getting AD flag but remaining answer is correct for signed query. Could you please guide me how to get AD flag. Already I have enabled dnssec-validation and dnssec-enabled.

Thanks Regards,
Ramesh
Re: How to get AD flag
Thanks David. This is the response I get:

dig +short rs.dns-oarc.net txt @forwarderip
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
50.16.87.189 sent EDNS buffer size 4096
50.16.87.189 DNS reply size limit is at least 3843 bytes

On Fri, Aug 2, 2013 at 11:11 AM, David Newman dnew...@networktest.com wrote:

> On 8/1/13 10:19 PM, rams wrote:
>
>> I have 9.7 bind installed and configured recursive. When I query against the forwarder I am not getting the AD flag, but the remaining answer is correct for a signed query. Could you please guide me how to get the AD flag? I have already enabled dnssec-validation and dnssec-enabled.
>
> It's possible your forwarder has a bug that doesn't return DNSSEC responses (this is the case with one of our registrars' secondaries), or there may be a network problem.
>
> Try the dns-oarc reply size test against your forwarder:
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> $ dig +short rs.dns-oarc.net txt @address_of_your_forwarder
>
> DNSSEC nameservers should not truncate or fragment responses, and should support EDNS and UDP and TCP responses. Fix any problems here first before doing DNSSEC debugging.
>
> You might also try querying other nameservers (e.g., Google's at 8.8.8.8) and check the flags there.
>
> dn
Can I disable caching without disabling recursion?
Hi, Can I disable cache without disabling recursion? Thanks Regards, Ramesh
Clarification on wildcard falls into glue records
Hi, I have an NS record that points to a record [A/] which falls into a wildcard. But when I query for the NS record against bind, we are not getting these records as glue records. ex:

*.a.example.com A 1.1.1.1
example.com. NS abc.a.example.com.

Querying example.com with any or ns. Don't we get glue records for this scenario? Please confirm.
Resign a zone
Hi, I have a signed zone and I have already resigned it two times. Now I am resigning the zone again, but after resigning the zone, the RRSIG values are not changed; the same old values are displayed. Is anything wrong on my side? Could you please guide me how to change the RRSIG values.
Resign a signed zone
Hi, Can we resign a signed zone without key files? Please clarify. Thanks, Ramesh
key directory in named.conf
Hi, How to declare multiple signed key paths in key-directory? When I declare as follows, named is not starting.

key-directory {/var/named/zones;/root/ramesh/Largezone;}

Please clarify.

Thanks Regards,
Ramesh
dynamic update is not working for signed zone
Hi, When I do a dynamic update using nsupdate, I am unable to add a record into a signed zone.

Steps followed:

[root@stulcqacustbind2 muktha]# nsupdate
server server ip
update add net.rameshnu.sun. 86400 IN A 1.2.3.4
send
update failed: SERVFAIL

Bind log:

25-Apr-2011 12:43:22.166 update: info: client ip#47830: updating zone 'net.rameshnu.sun/IN': adding an RR at 'net.rameshnu.sun' A
25-Apr-2011 12:43:22.167 update: error: client ip#47830: updating zone 'net.rameshnu.sun/IN': found no private keys, unable to generate any signatures
25-Apr-2011 12:43:22.167 update: error: client ip#47830: updating zone 'net.rameshnu.sun/IN': RRSIG/NSEC/NSEC3 update failed: not found

Please clarify.

Thanks Regards,
Ramesh
Help on recursive set up
Hi, Could you please tell me how to set up for recursive server for NS delegation records. It would be great if you give named.conf Thanks Regards, Ramesh
Re: Help on recursive set up
I have configured recursion yes in named.conf and I queried for NS delegated records against bind. Actually that domain does not exist in my system. Here how bind will work.

On Wed, Feb 23, 2011 at 6:20 PM, rams brames...@gmail.com wrote:

> I have configured recursion yes in named.conf and I queried for NS delegated records against bind. Actually that domain does not exist in my system. Here how bind will work.
>
> On Wed, Feb 23, 2011 at 6:16 PM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
>
>> On Wed, Feb 23, 2011 at 05:59:06PM +0530, rams brames...@gmail.com wrote a message of 33 lines which said:
>>
>>> Could you please tell me how to set up for recursive server for NS delegation records. It would be great if you give named.conf
>>
>> It would be great if you rewrite your requirements because I simply cannot parse them.
>>
>> Enabling recursion: recursion yes; in named.conf. But I do not understand the point about NS delegation records. Please elaborate.
Clarification on wildcard scenario
Hi, I have zone as follows in bind.

$ORIGIN joshfeb1.com.
@ IN SOA rboddeti.yahoo.com. rboddeti.gmail.com. (
        2011013101 ; serial
        10800 ; refresh
        3600 ; retry
        2592000 ; expire
        86400 ; minimum
        )
joshfeb1.com. NS udns1.ultradns.net.
joshfeb1.com. NS udns2.ultradns.net.
*.joshfeb1.com A 1.1.1.1
*.www.joshfeb1.com A 2.2.2.2

When I queried domain www.joshfeb1.com. A against Bind, I am getting NXDOMAIN. When can I get records in response? Could you please clarify. The following responses are returned.

[root@zones]# dig abc.www.joshfeb1.com. A

; <<>> DiG 9.6.1-P3 <<>> abc.www.joshfeb1.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24113
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;abc.www.joshfeb1.com. IN A

;; AUTHORITY SECTION:
joshfeb1.com. 86400 IN SOA udns1.ultradns.net. rboddeti.infinite.com. 2011013101 10800 3600 2592000 86400

;; Query time: 2 msec
;; SERVER: 10.31.145.194#53(10.31.145.194)
;; WHEN: Tue Feb 1 03:36:56 2011
;; MSG SIZE rcvd: 110

[root@ zones]# dig abc.joshfeb1.com. A

; <<>> DiG 9.6.1-P3 <<>> abc.joshfeb1.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26354
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;abc.joshfeb1.com. IN A

;; AUTHORITY SECTION:
joshfeb1.com. 86400 IN SOA udns1.ultradns.net. rboddeti.infinite.com. 2011013101 10800 3600 2592000 86400

;; Query time: 2 msec
;; SERVER: 10.31.145.194#53(10.31.145.194)
;; WHEN: Tue Feb 1 03:37:05 2011
;; MSG SIZE rcvd: 106

[root@ zones]# dig www.joshfeb1.com. A

; <<>> DiG 9.6.1-P3 <<>> www.joshfeb1.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19448
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.joshfeb1.com. IN A

;; AUTHORITY SECTION:
joshfeb1.com. 86400 IN SOA udns1.ultradns.net. rboddeti.infinite.com. 2011013101 10800 3600 2592000 86400

;; Query time: 2 msec
;; SERVER: 10.31.145.194#53(10.31.145.194)
;; WHEN: Tue Feb 1 03:37:15 2011
;; MSG SIZE rcvd: 106

[root@stulcqacustbind2 zones]#

What bind is returning is correct?

Thanks Regards,
Ramesh
Re: Clarification on wildcard scenario
Hi Mark, Thank you for the quick clarification. I have included the trailing dot and restarted bind. Now when I queried for domain www.joshfeb1.com with type A, I am getting NOERROR and NOANSWER.

[root@ zones]# dig www.joshfeb1.com. A

; <<>> DiG 9.6.1-P3 <<>> www.joshfeb1.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40667
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.joshfeb1.com. IN A

;; AUTHORITY SECTION:
joshfeb1.com. 86400 IN SOA udns1.ultradns.net. rboddeti.infinite.com. 2011013101 10800 3600 2592000 86400

;; Query time: 2 msec
;; SERVER: 10.31.145.194#53(10.31.145.194)
;; WHEN: Tue Feb 1 04:13:00 2011
;; MSG SIZE rcvd: 106

[root@zones]#

Is it correct? Actually www.joshfeb1.com does not exist and it should look into *.joshfeb1.com, right? Could you please clarify why it is not returning an answer.

Thanks Regards,
Ramesh

On Tue, Feb 1, 2011 at 9:41 AM, Mark Andrews ma...@isc.org wrote:

> In message AANLkTi=mms6aghguqyt1pmllyqfz2zp0su6yqwqmx...@mail.gmail.com, rams writes:
>
>> Hi, I have zone as follows in bind.
>>
>> $ORIGIN joshfeb1.com.
>> @ IN SOA rboddeti.yahoo.com. rboddeti.gmail.com. (
>>         2011013101 ; serial
>>         10800 ; refresh
>>         3600 ; retry
>>         2592000 ; expire
>>         86400 ; minimum
>>         )
>> joshfeb1.com. NS udns1.ultradns.net.
>> joshfeb1.com. NS udns2.ultradns.net.
>> *.joshfeb1.com A 1.1.1.1
>> *.www.joshfeb1.com A 2.2.2.2
>>
>> When I queried domain www.joshfeb1.com. A against Bind, I am getting NXDOMAIN. When can I get records in response? Could you please clarify. The following responses are returned.
>>
>> [root@zones]# dig abc.www.joshfeb1.com. A
>>
>> ; <<>> DiG 9.6.1-P3 <<>> abc.www.joshfeb1.com. A
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24113
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;abc.www.joshfeb1.com. IN A
>>
>> ;; AUTHORITY SECTION:
>> joshfeb1.com. 86400 IN SOA udns1.ultradns.net. rboddeti.infinite.com. 2011013101 10800 3600 2592000 86400
>>
>> ;; Query time: 2 msec
>> ;; SERVER: 10.31.145.194#53(10.31.145.194)
>> ;; WHEN: Tue Feb 1 03:36:56 2011
>> ;; MSG SIZE rcvd: 110
>>
>> [root@ zones]# dig abc.joshfeb1.com. A
>>
>> ; <<>> DiG 9.6.1-P3 <<>> abc.joshfeb1.com. A
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26354
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;abc.joshfeb1.com. IN A
>>
>> ;; AUTHORITY SECTION:
>> joshfeb1.com. 86400 IN SOA udns1.ultradns.net. rboddeti.infinite.com. 2011013101 10800 3600 2592000 86400
>>
>> ;; Query time: 2 msec
>> ;; SERVER: 10.31.145.194#53(10.31.145.194)
>> ;; WHEN: Tue Feb 1 03:37:05 2011
>> ;; MSG SIZE rcvd: 106
>>
>> [root@ zones]# dig www.joshfeb1.com. A
>>
>> ; <<>> DiG 9.6.1-P3 <<>> www.joshfeb1.com. A
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19448
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;www.joshfeb1.com. IN A
>>
>> ;; AUTHORITY SECTION:
>> joshfeb1.com. 86400 IN SOA udns1.ultradns.net. rboddeti.infinite.com. 2011013101 10800 3600 2592000 86400
>>
>> ;; Query time: 2 msec
>> ;; SERVER: 10.31.145.194#53(10.31.145.194)
>> ;; WHEN: Tue Feb 1 03:37:15 2011
>> ;; MSG SIZE rcvd: 106
>>
>> [root@stulcqacustbind2 zones]#
>>
>> What bind is returning is correct?
>
> Yes. You have a mixture of relative (no period at end) and absolute names (period at end) in the zone file above. What you added to the zone was www.joshfeb1.com.joshfeb1.com. not www.joshfeb1.com.. You needed a period at the end of com or to just use www.
>
> Mark
>
>> Thanks Regards,
>> Ramesh
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
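The name qualification Mark Andrews describes above, as an added example that is not part of the original thread: a simplified Python model (not BIND's code) of how owner names without a trailing dot are expanded under $ORIGIN. It goes beyond the reply by also applying the RFC 4592 wildcard rules, which produce the NXDOMAIN and the NOERROR-with-no-answer responses shown in these posts. The zone text is constructed from the posted zone with the SOA omitted, and all function names are hypothetical.

```python
"""Added example: $ORIGIN qualification and RFC 4592 wildcard matching.

Simplified model for illustration; function names are hypothetical and the
zone text below is constructed from the zone posted in the thread.
"""

BROKEN_ZONE = """\
$ORIGIN joshfeb1.com.
joshfeb1.com.       NS udns1.ultradns.net.
joshfeb1.com.       NS udns2.ultradns.net.
*.joshfeb1.com      A  1.1.1.1   ; no trailing dot: relative to $ORIGIN
*.www.joshfeb1.com  A  2.2.2.2   ; no trailing dot: relative to $ORIGIN
"""

FIXED_ZONE = """\
$ORIGIN joshfeb1.com.
joshfeb1.com.       NS udns1.ultradns.net.
joshfeb1.com.       NS udns2.ultradns.net.
*.joshfeb1.com.     A  1.1.1.1
*.www.joshfeb1.com. A  2.2.2.2
"""


def qualify(name, origin):
    """Expand an owner name the way a master-file loader does."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()            # absolute: used as written
    return (name + "." + origin).lower()  # relative: $ORIGIN is appended


def load_zone(text):
    """Parse 'owner TYPE rdata' lines; returns (origin, {owner: [(type, rdata)]})."""
    origin, records = None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            continue
        owner = qualify(fields[0], origin)
        records.setdefault(owner, []).append((fields[1], " ".join(fields[2:])))
    return origin, records


def existing_names(records, origin):
    """Owner names plus their in-zone ancestors (empty non-terminals)."""
    names = set()
    for owner in records:
        labels = owner.rstrip(".").split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:]) + "."
            if name == origin or name.endswith("." + origin):
                names.add(name)
    return names


def lookup(zone, qname, qtype):
    """Return (rcode, answers); NOERROR with [] is the no-answer case."""
    origin, records = zone
    qname = qname.lower()
    names = existing_names(records, origin)
    if qname in names:
        # The name exists (possibly only as an empty non-terminal),
        # so no wildcard is consulted.
        return "NOERROR", [r for t, r in records.get(qname, []) if t == qtype]
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:]) + "."
        if encloser in names:                 # closest encloser found
            wildcard = "*." + encloser
            if wildcard in names:             # source of synthesis exists
                return "NOERROR", [r for t, r in records.get(wildcard, [])
                                   if t == qtype]
            return "NXDOMAIN", []
    return "NXDOMAIN", []


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        zone = load_zone(text)
        print(label, "owners:", sorted(zone[1]))
        for q in ("www.joshfeb1.com.", "abc.joshfeb1.com.",
                  "abc.www.joshfeb1.com."):
            print("  ", q, "A ->", lookup(zone, q, "A"))
```

In the fixed zone, www.joshfeb1.com. exists as an empty non-terminal because *.www.joshfeb1.com. sits below it, so *.joshfeb1.com. is never used for that name.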
Clarification on wildcard scenario
Hi, I have zone as follows in bind.

$ORIGIN joshfeb1.com.
@ IN SOA rboddeti.yahoo.com. rboddeti.gmail.com. (
        2011013101 ; serial
        10800 ; refresh
        3600 ; retry
        2592000 ; expire
        86400 ; minimum
        )
joshfeb1.com. NS udns1.ultradns.net.
joshfeb1.com. NS udns2.ultradns.net.
*.joshfeb1.com. A 1.1.1.1
*.www.joshfeb1.com. A 2.2.2.2

When I queried domain www.joshfeb1.com. A against Bind, I am getting NOERROR and NOANSWER. When can I get an answer? Could you please clarify. I am able to get an answer with abc.joshfeb1.com and abc.www.joshfeb1.com. Why is bind not returning an answer for www.joshfeb1.com? It should map to *.joshfeb1.com., right?

Thanks Regards,
Ramesh
Clarification on CNAME
My resolver is returning multiple CNAMEs for the same hostname. But I believe CNAME should not return the same hostname with multiple values.

Ex: Configured GEOIP records as follows:

ramesh.com CNAME a.ramesh.com.
ramesh.com CNAME az.ramesh.com. Arizona configured
ramesh.com CNAME va.ramesh.com. Virginia configured
ramesh.com CNAME others.ramesh.com. Others configured

Queried “ramesh.com” from AZ, VA and OTHERS regions against my resolver. My resolver is returning the same hostname with multiple CNAMEs.

From AZ I am getting:

ramesh.com CNAME a.ramesh.com.
ramesh.com CNAME az.ramesh.com.

From VA I am getting:

ramesh.com CNAME a.ramesh.com.
ramesh.com CNAME va.ramesh.com.

Is this behavior correct? Could you please clarify.

Thanks regards,
Ramesh
NSEC3 ISSUE
I have trouble resolving the host name dnssecnsec3qatestdomain.com. which is NSEC3 signed. This is the parent and child zone. If I run dig (dnssec query) with the +cd option I get the following, which is a proper response:

[r...@stulcqanusbind1 ~]# dig dnssecnsec3qatestdomain.com. any +dnssec +cd

; <<>> DiG 9.7.1-P2 <<>> dnssecnsec3qatestdomain.com. any +dnssec +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1601
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 8, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssecnsec3qatestdomain.com. IN ANY

;; ANSWER SECTION:
dnssecnsec3qatestdomain.com. 86396 IN RRSIG A 7 2 86400 2020083100 20100831205954 61559 dnssecnsec3qatestdomain.com. A4HqcGYSyEoM7Y75MoRaK4zzNiuL45tq+AnfUIrxxEIPkIOI12FmFyhY JOQN216QkTbYkJBlNwe2Ky1SRGjwhQ==
dnssecnsec3qatestdomain.com. 86396 IN A 12.12.1.0
dnssecnsec3qatestdomain.com. 86396 IN A 255.12.1.0
dnssecnsec3qatestdomain.com. 86396 IN RRSIG SOA 7 2 86400 2020083100 20100831205954 61559 dnssecnsec3qatestdomain.com. eAV/LHcB3WLA9ULvsz/kcVJ63XeJCX/YAOu9ZFUM+SVDIW/BAUXNfq9O iNBuukgDBlFZFOQyblfgjpcSW3CQMw==
dnssecnsec3qatestdomain.com. 86396 IN SOA udns1.ultradns.net. bitbuck...@qa.neustar.com. 2009111903 10800 3600 2592000 86400
dnssecnsec3qatestdomain.com. 86396 IN RRSIG NS 7 2 86400 2020083100 20100831205954 61559 dnssecnsec3qatestdomain.com. r11osNc3HFoVFWjC1iNN9Yv3IKGvApbZwkNLdK5HTlPt+3UDB2Do7RvT 9SSJaZYLj4PEC8Gp6lT1L+0LlsEP9w==
dnssecnsec3qatestdomain.com. 86396 IN NS udns2.ultradns.net.
dnssecnsec3qatestdomain.com. 86396 IN NS udns1.ultradns.net.

;; AUTHORITY SECTION:
dnssecnsec3qatestdomain.com. 86396 IN NS udns2.ultradns.net.
dnssecnsec3qatestdomain.com. 86396 IN NS udns1.ultradns.net.
dnssecnsec3qatestdomain.com. 86396 IN RRSIG NS 7 2 86400 2020083100 20100831205954 61559 dnssecnsec3qatestdomain.com. r11osNc3HFoVFWjC1iNN9Yv3IKGvApbZwkNLdK5HTlPt+3UDB2Do7RvT 9SSJaZYLj4PEC8Gp6lT1L+0LlsEP9w==

But dig (dnssec query) without the +cd option returns servfail.

[r...@stulcqanusbind1 ~]# dig dnssecnsec3qatestdomain.com. any +dnssec

; <<>> DiG 9.7.1-P2 <<>> @ dnssecnsec3qatestdomain.com. any +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7437
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssecnsec3qatestdomain.com. IN ANY

In my logs I am getting these messages when doing the query without the +cd option:

Jan 7 13:17:55 named[17154]: error (no valid RRSIG) resolving 'dnssecnsec3qatestdomain.com/DNSKEY/IN': 10.31.142.103#53
Jan 7 13:17:55 named[17154]: error (broken trust chain) resolving 'dnssecnsec3qatestdomain.com/ANY/IN': 10.31.142.103#53

Can you figure out what would be the exact problem?

Thanks Regards,
Ramesh
Clarification
Hi, What is the bind response when an MX record is queried and the MX record has a preference value greater than the maximum preference value [ex: 65536]? Thanks Regards, Ramesh
clarification
Hi, I have a record in BIND as follows:

mxdomain.com. 86400 IN MX 65536 gmail.com.

When I query mxdomain.com. with type MX, what is the bind response? Is there any RFC that mentions this?

Thanks Regards,
Ramesh
nsupdate
An observation in nsupdate: Suppose we have two A records as,

addforixfr.bind9712.com. 3456 IN A 10.32.21.30
addforixfr.bind9712.com. 3456 IN A 10.32.21.20

When we update the TTL value as below for one of the records, the TTL value changes for both the records.

update add addforixfr.bind9712.com 8564 A 10.32.21.30

[root@ zones]# dig @ addforixfr.bind9712.com

; <<>> DiG 9.2.4 <<>> @ addforixfr.bind9712.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15707
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 0

;; QUESTION SECTION:
;addforixfr.bind9712.com. IN A

;; ANSWER SECTION:
addforixfr.bind9712.com. 8564 IN A 10.32.21.20
addforixfr.bind9712.com. 8564 IN A 10.32.21.30

;; AUTHORITY SECTION:
bind9712.com. 86400 IN NS ns3.bind9712.com.
bind9712.com. 86400 IN NS ns4.bind9712.com.
bind9712.com. 86400 IN NS ns5.bind9712.com.
bind9712.com. 86400 IN NS ns1.bind9712.com.
bind9712.com. 86400 IN NS ns2.bind9712.com.

;; Query time: 1 msec
;; SERVER: 10.31.142.24#53(10.31.142.24)
;; WHEN: Mon Mar 15 02:53:32 2010
;; MSG SIZE rcvd: 163

Please clarify.
Clarification on delegated NS
Hi, When I created a delegated NS record, Bind 9.7.1 p3 is giving SERVFAIL when I queried for the NS delegated record with NS. Could you please clarify, or is it a bug in 9.7? Thanks Regards, Ramesh
Bind not starting
Hi, I have configured records as follows in bind. When we start bind 9.7, bind is not starting. But bind started successfully when I commented the below ns domains which are marked as RED. Could you please clarify.

Note: Bind 9.6 is started successfully with the same below zone.

Error:

zone nsdomain.com/IN: NS 'ns1.nsdomain.com' has no address records (A or )
zone nsdomain.com/IN: not loaded due to errors.
_default/nsdomain.com/IN: bad zone

$ORIGIN nsdomain.com.
@ IN SOA dns1.dns.net. ppk.yahoo.com. (
        2009111903 ; serial
        10800 ; refresh
        3600 ; retry
        2592000 ; expire
        86400 ; minimum
        )
a.nsdomain.com. 86400 IN A 1.1.1.1
a1.nsdomain.COM. 86400 IN FE80::
a1.nsdomain.com. 86400 IN FE80::
a1.nsdomain.com. 86400 IN A 1.1.1.1
a1.nsdomain.com. 86400 IN NS a1.nsdomain.com.
a10.nsdomain.com. 9 IN NS ns1.nu.moon.
a11.nsdomain.com. 9 IN NS abc.nsdomain.com.
a12.nsdomain.com. 86400 IN NS mx.nsdomain.com.
a13.nsdomain.com. 86400 IN NS cname.nsdomain.com.
a13.nsdomain.com. 86400 IN NS a.nsdomain.com.
a13.nsdomain.com. 86400 IN NS mx.nsdomain.com.
a14.nsdomain.com. 2147483647 IN NS ns1.a14.nsdomain.com.
a15.nsdomain.com. 2147483647 IN NS ns1.a15.nsdomain.com.
a2.nsdomain.com. 86400 IN NS nsdomain.com.
a3.nsdomain.com. 86400 IN NS a3.nsdomain.com.
a3.nsdomain.com. 86400 IN NS a2.nsdomain.com.
a3.nsdomain.com. 86400 IN NS a1.nsdomain.com.
a3.nsdomain.com. 86400 IN NS nsdomain.com.
a4.nsdomain.com. 86400 IN NS a4.nsdomain.com.
a4.nsdomain.com. 86400 IN NS a4.nsdomain.com.
a4.nsdomain.com. 86400 IN NS a4.nsdomain.com.
A5.NSDOMAIN.COM. 86400 IN FE80::
a5.NSDOMAIN.com. 86400 IN FE80::
A5.nsdomain.com. 86400 IN FE80::
a5.nsdomain.com. 86400 IN FE80::
A5.NSDOMAIN.COM. 86400 IN A 255.255.255.255
a5.nsdomain.COM. 86400 IN A 255.255.255.255
a5.NSDOMAIN.com. 86400 IN A 255.255.255.255
A5.nsdomain.com. 86400 IN A 255.255.255.255
a5.nsdomain.com. 86400 IN A 255.255.255.255
a5.nsdomain.com. 86400 IN NS A5.NSDOMAIN.COM.
a5.nsdomain.com. 86400 IN NS a5.nsdomain.COM.
a5.nsdomain.com. 86400 IN NS a5.NSDOMAIN.com.
a5.nsdomain.com. 86400 IN NS A5.nsdomain.com.
A6.NSDOMAIN.COM. 86400 IN A 255.255.255.255
a6.nsdomain.COM. 86400 IN A 255.255.255.254
a6.NSDOMAIN.com. 86400 IN A 255.255.255.253
A6.nsdomain.com. 86400 IN A 255.255.255.252
a6.nsdomain.com. 86400 IN A 255.255.255.251
a6.nsdomain.com. 86400 IN NS A6.NSDOMAIN.COM.
a6.nsdomain.com. 86400 IN NS a6.nsdomain.COM.
a6.nsdomain.com. 86400 IN NS a6.NSDOMAIN.com.
a6.nsdomain.com. 86400 IN NS A6.nsdomain.com.
a6.nsdomain.com. 86400 IN NS a6.nsdomain.com.
A7.NSDOMAIN.COM. 86400 IN 2001::1001
a7.nsdomain.COM. 86400 IN 2001::
a7.NSDOMAIN.com. 86400 IN FEA0::
A7.nsdomain.com. 86400 IN FE90::
a7.nsdomain.com. 86400 IN FE80::
a7.nsdomain.com. 86400 IN NS A7.NSDOMAIN.COM.
a7.nsdomain.com. 86400 IN NS a7.nsdomain.COM.
a7.nsdomain.com. 86400 IN NS a7.NSDOMAIN.com.
a7.nsdomain.com. 86400 IN NS A7.nsdomain.com.
a7.nsdomain.com. 86400 IN NS a7.nsdomain.com.
a8.nsdomain.com. 0 IN NS ns1.nu.moon.
a9.nsdomain.com. 100 IN NS ns1.nu.moon.
cname.nsdomain.com. 86400 IN CNAME nsdomain.com.
mx.nsdomain.com. 86400 IN MX 10 nsdomain.com.
net.nsdomain.com. 86400 IN NS ns3.dns.net.nsdomain.com.
net.nsdomain.com. 86400 IN NS ns2.dns.net.nsdomain.com.
net.nsdomain.com. 86400 IN NS ns1.dns.net.nsdomain.com.
ns1.dns.net.nsdomain.com. 86400 IN 2001:0DCE:2000:0002::::0130
ns1.dns.net.nsdomain.com. 86400 IN A 202.46.190.130
ns2.dns.net.nsdomain.com. 86400 IN 2001:0DCE:2000:0002::::0130
ns2.dns.net.nsdomain.com. 86400 IN A 202.46.191.130
ns3.dns.net.nsdomain.com. 86400 IN A 203.97.8.250
;nsdomain.com. 86400 IN NS ns2.nsdomain.com.
;nsdomain.com. 86400 IN NS ns1.nsdomain.com.
nsdomain.com. 86400 IN NS dns2.dns.net.
nsdomain.com. 86400 IN NS dns1.dns.net.
;End of file: 1285827330

Thanks Regards,
Ramesh
Clarification on bind response
Hi, I have set up data as follows in bind.

Zone: rameshops5526old.com

maint.rameshops5526old.com. 300 IN CNAME maint.global.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns5.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns2.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns1.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns6.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns4.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns3.rameshops5526old.com.
global.rameshops5526old.com. 300 IN NS j.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS a.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS l.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS d.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS b.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS e.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS c.ns.nsatc.net.

Queried against bind and got the response as follows:

[r...@stulcqacustbind2 recursive_enabled]# dig @10.31.145.194 maint.rameshops5526old.com.

; <<>> DiG 9.6.1-P3 <<>> @10.31.145.194 maint.rameshops5526old.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16855
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;maint.rameshops5526old.com. IN A

;; ANSWER SECTION:
maint.rameshops5526old.com. 300 IN CNAME maint.global.rameshops5526old.com.

;; AUTHORITY SECTION:
global.rameshops5526old.com. 300 IN NS e.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS l.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS a.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS j.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS c.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS d.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS b.ns.nsatc.net.

;; Query time: 2 msec
;; SERVER: 10.31.145.194#53(10.31.145.194)
;; WHEN: Tue Aug 24 06:26:31 2010
;; MSG SIZE rcvd: 195

Here the AA flag is returned. Is it correct? Because the domain global.rameshops5526old.com. is delegated, we should not return the AA flag, right? Please clarify.

Thanks Regards,
Ramesh
Re: Clarification on bind response
Hi, Please tell me the correct answer for the below set up:

Zone: rameshops5526old.com

maint.rameshops5526old.com. 300 IN CNAME maint.global.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns5.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns2.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns1.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns6.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns4.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns3.rameshops5526old.com.
global.rameshops5526old.com. 300 IN NS j.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS a.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS l.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS d.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS b.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS e.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS c.ns.nsatc.net.

dig @localhost maint.rameshops5526old.com A

Thanks Regards,
Ramesh
Clarification on bind response
Hi, When we have data as follows, I queried domain maint.rameshops5526old.com. against bind and my own resolver. The bind and my resolver responses are the same, mismatching only in flags: bind is returning the AA flag but my resolver is not returning the AA flag. In this case which is correct, bind or my resolver?

Zone: rameshops5526old.com

maint.rameshops5526old.com. 300 IN CNAME maint.global.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns5.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns2.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns1.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns6.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns4.rameshops5526old.com.
rameshops5526old.com. 21600 IN NS dns3.rameshops5526old.com.
global.rameshops5526old.com. 300 IN NS j.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS a.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS l.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS d.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS b.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS e.ns.nsatc.net.
global.rameshops5526old.com. 300 IN NS c.ns.nsatc.net.
RRSIG for glue records
Hi, I have delegated NS records and those records point to A records in a signed zone. When I queried for my delegated domain against bind 9.6-p3, bind is returning NS records and RRSIG for NS in the authority section correctly. Glue records are returned correctly in the additional section but RRSIG values are not returned for glue records. Won't RRSIG be returned for glue records in the additional section? Could you please clarify. Thanks Regards, Ramesh
Clarification on ANY query
Hi, I have data as follows:

a.rameshops5446.com. 86400 IN A 1.2.3.1
a.rameshops5446.com. 86400 IN MX 10 a.rameshops5446.com.

I queried domain a.rameshops5446.com with type ANY against bind9.6.

Actual Result: Bind is returning the above two records in the answer section and also returning the A record in the additional section as follows.

# dig @localhost a.rameshops5446.com. any

; <<>> DiG 9.6.1-P3 <<>> @localhost a.rameshops5446.com. any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33411
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;a.rameshops5446.com. IN ANY

;; ANSWER SECTION:
a.rameshops5446.com. 86400 IN MX 10 a.rameshops5446.com.
a.rameshops5446.com. 86400 IN A 1.2.3.1

;; AUTHORITY SECTION:
rameshops5446.com. 86400 IN NS udns2.ultradns.net.
rameshops5446.com. 86400 IN NS udns1.ultradns.net.

;; ADDITIONAL SECTION:
a.rameshops5446.com. 86400 IN A 1.2.3.1

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 3 04:06:45 2010
;; MSG SIZE rcvd: 137

Here my doubt is: the A record is already returned in the answer section, so why is the same A record returned in the additional section? I know if the MX pointed record has any A/ records they will be returned in the additional section, but in the above case the same A record is already returned in the answer section. Is the bind result correct? Could you please clarify.

Thanks Regards,
Ramesh
cname chain limit
Hi, What is the cname chains limit? Thanks Regards, Ramesh
Re: bind-users Digest, Vol 538, Issue 1
Hi, When we resign using dnssec-signzone -o zone name -f new zone file name signed zone file, we don't get the SOA incremented. In general AXFR looks for SOA comparison to reload the zone file. In this case how will AXFR happen?

Thanks Regards,
Ramesh

On Mon, Jun 7, 2010 at 5:30 PM, bind-users-requ...@lists.isc.org wrote:

> Send bind-users mailing list submissions to bind-users@lists.isc.org
>
> To subscribe or unsubscribe via the World Wide Web, visit https://lists.isc.org/mailman/listinfo/bind-users or, via email, send a message with subject or body 'help' to bind-users-requ...@lists.isc.org
>
> You can reach the person managing the list at bind-users-ow...@lists.isc.org
>
> When replying, please edit your Subject line so it is more specific than Re: Contents of bind-users digest...
>
> Today's Topics:
>
> 1. .org registrars allowing DS records (itservices88)
> 2. Re: .org registrars allowing DS records (Kevin Oberman)
> 3. Re: .org registrars allowing DS records (Doug Barton)
> 4. Re: .org registrars allowing DS records (Mark Andrews)
> 5. Re: .org registrars allowing DS records (itservices88)
> 6. how to resign a zone (rams)
> 7. Re: how to resign a zone (Alan Clegg)
>
> --
>
> Message: 1
> Date: Sun, 6 Jun 2010 11:36:43 -0700
> From: itservices88 itservice...@gmail.com
> Subject: .org registrars allowing DS records
> To: bind-users@lists.isc.org
> Message-ID: aanlktimwvwoth3yiqxuz-v5eq0yljbrb9jazgyl7x...@mail.gmail.com
> Content-Type: text/plain; charset=iso-8859-1
>
> I am using godaddy.com for my .org domains and as per the customer support replies, they do not support DNSSEC and thus cannot add DS records for my domains. Which other registrars are people using that allow DS records?
>
> Thanks
> -dani
> -- next part --
> An HTML attachment was scrubbed...
> URL: https://lists.isc.org/pipermail/bind-users/attachments/20100606/d0704f3b/attachment-0001.html
>
> --
>
> Message: 2
> Date: Sun, 06 Jun 2010 17:14:27 -0700
> From: Kevin Oberman ober...@es.net
> Subject: Re: .org registrars allowing DS records
> To: itservices88 itservice...@gmail.com
> Cc: bind-users@lists.isc.org
> Message-ID: 20100607001427.7e7161c...@ptavv.es.net
> Content-Type: text/plain; charset=us-ascii
>
>> I am using godaddy.com for my .org domains and as per the customer support replies, they do not support DNSSEC and thus cannot add DS records for my domains. Which other registrars are people using that allow DS records?
>>
>> Thanks
>> -dani
>
> Last I checked, .org, while signed, was not yet accepting DS records from anyone. I suspect that no gtld other than .gov will accept them until the root is signed next month.
>
> I do know that afilias was certifying registrars and I believe that they will be releasing a list of those registrars that are certified, but that will not mean that they will be accepting them immediately.
>
> Until then, dlv.isc.org is the best (only?) option.
> --
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: ober...@es.net Phone: +1 510 486-8634
> Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
>
> --
>
> Message: 3
> Date: Sun, 06 Jun 2010 17:24:07 -0700
> From: Doug Barton do...@dougbarton.us
> Subject: Re: .org registrars allowing DS records
> To: Kevin Oberman ober...@es.net
> Cc: bind-users@lists.isc.org
> Message-ID: 4c0c3c27.2050...@dougbarton.us
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 06/06/10 17:14, Kevin Oberman wrote:
>
>>> I am using godaddy.com for my .org domains and as per the customer support replies, they do not support DNSSEC and thus cannot add DS records for my domains. Which other registrars are people using that allow DS records?
>>>
>>> Thanks
>>> -dani
>>
>> Last I checked, .org, while signed, was not yet accepting DS records from anyone. I suspect that no gtld other than .gov will accept them until the root is signed next month.
>>
>> I do know that afilias was certifying registrars and I believe that they will be releasing a list of those registrars that are certified, but that will not mean that they will be accepting them immediately.
>
> Basically correct, yes. For ORG, keep your eye on the following list: http://www.pir.org/get/registrars
>
> hth,
> Doug
>
>> Until then, dlv.isc.org is the best (only?) option.
>
> --
> ... and that's just a little bit of history repeating.
> -- Propellerheads
>
> Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
>
> --
>
> Message: 4
> Date: Mon, 07 Jun 2010 11:47:34 +1000
> From: Mark Andrews ma...@isc.org
> Subject: Re: .org registrars allowing DS records
how to resign a zone
Hi, How to resign a zone? Thanks Regards, Ramesh ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
clarification on AXFR
Hi, During AXFR of a zone, the zone.dbfile is not created till the AXFR completes. Till AXFR completes, the file name will be some value as 456eefwfc. Is it correct behavior? Thanks Regards, Ramesh
Re: Clarification on bind result
Is there any update on the following issue.

On Mon, May 31, 2010 at 2:16 PM, rams brames...@gmail.com wrote:

> Hi,
>
> I have the following zone file:
>
> $ORIGIN td3497.com.
> @ IN SOA udns1.ultradns.net. ppk.yahoo.com. (
>     2010052610 ; serial
>     10800 ; refresh
>     3600 ; retry
>     2592000 ; expire
>     86400 ; minimum
> )
> cname.chain.td3497.com. 86400 IN CNAME mx.chain.td3497.com.
> mx.chain.td3497.com. 86400 IN MX 34 mx1.chain.td3497.com.
> mx1.chain.td3497.com. 86400 IN MX 34 mx2.chain.td3497.com.
> mx2.chain.td3497.com. 86400 IN MX 34 mx3.chain.td3497.com.
> mx3.chain.td3497.com. 86400 IN A 1.2.3.4
> ramesh.td3497.com. 86400 MX 20 .
> ramesh.td3497.com. 86400 MX 20 mx1.
> cname.td3497.com. 86400 CNAME .
> td3497.com. 86400 IN NS udns2.ultradns.net.
> td3497.com. 86400 IN NS udns1.ultradns.net.
> ;End
>
> I queried for cname domain against bind 9.6.X and got the following response
>
> C:\Documents and Settings\rameshb>dig @localhost cname.td3497.com mx
>
> ; <<>> DiG 9.6.1-P1 <<>> @localhost cname.td3497.com mx
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 681
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;cname.td3497.com. IN MX
>
> ;; ANSWER SECTION:
> cname.td3497.com. 86400 IN CNAME .
>
> ;; Query time: 15 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon May 31 14:10:32 2010
> ;; MSG SIZE rcvd: 47
>
> Here why authority section is not returned? Actually authority section should be returned with SOA right?
>
> Thanks Regards,
> Ramesh
Bind response
Hi,

I have the following zone file:

$ORIGIN td3497.com.
@ IN SOA udns1.ultradns.net. ppk.yahoo.com. (
    2010052610 ; serial
    10800 ; refresh
    3600 ; retry
    2592000 ; expire
    86400 ; minimum
)
cname.chain.td3497.com. 86400 IN CNAME mx.chain.td3497.com.
mx.chain.td3497.com. 86400 IN MX 34 mx1.chain.td3497.com.
mx1.chain.td3497.com. 86400 IN MX 34 mx2.chain.td3497.com.
mx2.chain.td3497.com. 86400 IN MX 34 mx3.chain.td3497.com.
mx3.chain.td3497.com. 86400 IN A 1.2.3.4
ramesh.td3497.com. 86400 MX 20 .
ramesh.td3497.com. 86400 MX 20 mx1.
cname.td3497.com. 86400 CNAME .
td3497.com. 86400 IN NS udns2.ultradns.net.
td3497.com. 86400 IN NS udns1.ultradns.net.
;End

I queried for cname domain against bind 9.6.X and got the following response

C:\Documents and Settings\rameshb>dig @localhost cname.td3497.com mx

; <<>> DiG 9.6.1-P1 <<>> @localhost cname.td3497.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 681
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cname.td3497.com. IN MX

;; ANSWER SECTION:
cname.td3497.com. 86400 IN CNAME .

;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 31 14:10:32 2010
;; MSG SIZE rcvd: 47

Here why authority section is not returned? Actually authority section should be returned with SOA right?

Thanks Regards,
Ramesh
Clarification on bind result
Hi,

I have the following zone file:

$ORIGIN td3497.com.
@ IN SOA udns1.ultradns.net. ppk.yahoo.com. (
    2010052610 ; serial
    10800 ; refresh
    3600 ; retry
    2592000 ; expire
    86400 ; minimum
)
cname.chain.td3497.com. 86400 IN CNAME mx.chain.td3497.com.
mx.chain.td3497.com. 86400 IN MX 34 mx1.chain.td3497.com.
mx1.chain.td3497.com. 86400 IN MX 34 mx2.chain.td3497.com.
mx2.chain.td3497.com. 86400 IN MX 34 mx3.chain.td3497.com.
mx3.chain.td3497.com. 86400 IN A 1.2.3.4
ramesh.td3497.com. 86400 MX 20 .
ramesh.td3497.com. 86400 MX 20 mx1.
cname.td3497.com. 86400 CNAME .
td3497.com. 86400 IN NS udns2.ultradns.net.
td3497.com. 86400 IN NS udns1.ultradns.net.
;End

I queried for cname domain against bind 9.6.X and got the following response

C:\Documents and Settings\rameshb>dig @localhost cname.td3497.com mx

; <<>> DiG 9.6.1-P1 <<>> @localhost cname.td3497.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 681
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cname.td3497.com. IN MX

;; ANSWER SECTION:
cname.td3497.com. 86400 IN CNAME .

;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 31 14:10:32 2010
;; MSG SIZE rcvd: 47

Here why authority section is not returned? Actually authority section should be returned with SOA right?

Thanks Regards,
Ramesh
chaining MX
Hi,

I have mx records with chaining as follows.

mx.chain.td3497.com. 86400 IN MX 34 mx1.chain.td3497.com.
mx1.chain.td3497.com. 86400 IN MX 34 mx2.chain.td3497.com.
mx2.chain.td3497.com. 86400 IN MX 34 mx3.chain.td3497.com.
mx3.chain.td3497.com. 86400 IN A 1.2.3.4

Now if I query for domain mx.chain.td3497.com. with type MX or any, did we get chain in answer? Or did we get only specific domain pointed mx record.

Thanks regards,
Ramesh
How to resign a signed zone
Hi, How do we resign the signed zone? What is the command to do the RESIGNING ? Thanks Regards, Ramesh
Re: add a record into signed zone
Hi,

As you said I tried with nsupdate but unable to add a record into signed zone. It is giving SERVFAIL. Do we need to send any special value?

Thanks,
Ramesh

On Thu, May 13, 2010 at 9:05 AM, Mark Andrews ma...@isc.org wrote:

> In message aanlktilljh9vaiifvfzzgi9ls3nyi1arkx2tyozky...@mail.gmail.com, rams writes:
> > Hi,
> > How to add a record into signed zone using nsupdate. Is there any additional arguments need to be passed for getting RRSIG of addition record or automatically bind will take care?
> > Thanks Regards,
> > Ramesh
>
> Named will take care of it.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
add a record into signed zone
Hi, How to add a record into signed zone using nsupdate. Is there any additional arguments need to be passed for getting RRSIG of addition record or automatically bind will take care? Thanks Regards, Ramesh
Behavior of delegation records for dnssec
Hi,

I have delegation of NS records in my zone and I signed zone using RSASHA1 algorithm. It is signed successfully. When I checked the zone I am not seeing RRSIG for delegated NS records. When I query for delegated NS record with dnssec, it is returning NS records, NSEC and RRSIG for NSEC and also glue records returned in additional section without any RRSIG. Dig results are given below.

; <<>> DiG 9.6.1-P3 <<>> @localhost srs.net.nu.moon. A +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40245
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;srs.net.nu.moon. IN A

;; AUTHORITY SECTION:
srs.net.nu.moon. 86400 IN NS ns1.dns.net.nu.moon.
srs.net.nu.moon. 86400 IN NS ns2.dns.net.nu.moon.
srs.net.nu.moon. 86400 IN NS ns3.dns.net.nu.moon.
srs.net.nu.moon. 86400 IN NSEC net.nu.moon. NS RRSIG NSEC
srs.net.nu.moon. 86400 IN RRSIG NSEC 5 4 86400 20100521075518 20100421075518 57966 net.nu.moon. DxLpXxvkOsLVruDKp1K/K7FUPpxlxI/awCOtggM6m6T/d26iGwDJ1wqW 5PTQ6baNCgUTUbiydNEpHmKR7Z1bqQ==

;; ADDITIONAL SECTION:
ns1.dns.net.nu.moon. 86400 IN A 202.46.190.130
ns1.dns.net.nu.moon. 86400 IN AAAA 2001:dce:2000:2::130
ns2.dns.net.nu.moon. 86400 IN A 202.46.191.130

Why I am not getting RRSIG for NS records and also RRSIG for additional section records. Is there any configuration required for glue records and delegated records. Please clarify me on this.

Thanks,
Ramesh
Re: bind-users Digest, Vol 512, Issue 3
Hi Peter,

In the output of your dig result, you can see the following section. This section is counted as RR and count will be updated in additional section.

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

Thanks,
ramesh

On Sun, May 9, 2010 at 11:02 PM, bind-users-requ...@lists.isc.org wrote:

> Today's Topics:
>
> 1. RE: Dig 9.7 DNSSEC output (Peter Janssen)
> 2. Re: Dig 9.7 DNSSEC output (R Dicaire)
> 3. RE: Dig 9.7 DNSSEC output (Peter Janssen)
> 4. Re: Dig 9.7 DNSSEC output (Shumon Huque)
> 5. RE: Dig 9.7 DNSSEC output (Chris Thompson)
>
> --
> Message: 1
> Date: Sun, 9 May 2010 17:48:34 +0200
> From: Peter Janssen peter.jans...@eurid.eu
> Subject: RE: Dig 9.7 DNSSEC output
> To: 'R Dicaire' dicai...@gmail.com
> Cc: bind-users@lists.isc.org
> Message-ID: 024201caef8f$150177e0$3f0467...@janssen@eurid.eu
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi Rick,
>
> as per the header of Dig output?
>
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9
>
> apart from that, I'm glad that my counting is still up to par :-)
>
> R.
> --Pj.
>
> Peter Janssen
> Technical Manager
> Join us in June! EURid hosts ICANN's 38th meeting in Brussels. Find out more at brussels38.icann.org.
> EURid
> Woluwelaan 150
> 1831 Diegem - Belgium
> TEL.: +32 (0) 2 401 2750
> peter.jans...@eurid.eu
> http://www.eurid.eu
>
> From: R Dicaire [mailto:dicai...@gmail.com]
> Sent: Sunday, May 09, 2010 17:42
> To: Peter Janssen
> Cc: bind-users@lists.isc.org
> Subject: Re: Dig 9.7 DNSSEC output
>
> On Sun, May 9, 2010 at 11:24 AM, Peter Janssen peter.jans...@eurid.eu wrote:
> > ;; ADDITIONAL SECTION:
> > ns.nic.se. 3600 IN A 212.247.7.228
> > ns.nic.se. 3600 IN AAAA 2a00:801:f0:53::53
> > ns2.nic.se. 3600 IN A 194.17.45.54
> > ns3.nic.se. 60 IN A 212.247.3.83
> > ns.nic.se. 3600 IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. TLTnkqESLN7DdoC2urF14ox1JolvUSCySe4oqYfof4ER/ZNNl8DO1P46 mSKpNxf3kNUJWoMkjBjtUgZgiMcVSuD7V6qTHLA2A8tEhnM4pXCeo/yj kirCEzo3YQzcW56BZVXgVe41K3QT4GpIm0rmTyEy+8ZCe7oeMKFem5PL Ibw=
> > ns.nic.se. 3600 IN RRSIG AAAA 5 3 3600 20100517132001 20100507132001 20273 nic.se. HcUbk9y1aR9zeHOwNsqTtPL97P+ftyoQVAyTZbuPpr6GEzIsKL8MyQoP h4qyAkOHFWC2lgZ4xroHemR9OXa3JCLn1UtYE0UbgszUJWSJcQW+2ho3 GIsfEzVfJwMEomhvPuEyVfNxdaP87ITFTfNJcUvEApHCnYHO0RNgeEL0 l/Y=
> > ns2.nic.se. 3600 IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. fGqc3OIwmaYPFJoRrULGaUIRxGV+i6FJkcSZ4HRJL0x+siwVcTrIb+5t ER9woGl9sabyXH9H4aHc90ARABer0RodbnQSZDT7SPamDb97UP1ESBs2 Av9N43nr54M/ctLk8EZc1q7GblBK7inf7iY/AQsHTsFv1BWJOAYw+n4N YaM=
> > ns3.nic.se. 60 IN RRSIG A 5 3 60 20100517132001 20100507132001 20273 nic.se. vTil1+1r3dOyV3zHdd53p2O5qnBHfexdwJVjx2E+G5z5FTqa50YRQYfH JwVHHertJcMo2wek/y2g0GBQJdkFTKwpJZv3IWWp9TYqJ3lCIYzoWxWV pzc7i+m2Ha3HupVY0e/tOJPKsiJu+LnyH3LJ66WV/xCRDjhZ8N6RONl5 xQU=
>
> I count 8 RRs. 3 A, 1 AAAA, 4 RRSIG. Where are you seeing 9?
>
> --
> aRDy Music/Rick Dicaire
> http://www.ardynet.com
> http://linux.ardynet.com
>
> --
> Message: 2
> Date: Sun, 9 May 2010 12:00:14 -0400
> From: R Dicaire dicai...@gmail.com
> Subject: Re: Dig 9.7 DNSSEC output
> To: Peter Janssen peter.jans...@eurid.eu
> Cc: bind-users@lists.isc.org
> Message-ID: aanlktilbjerhdv9kida7ms548fasu_ow6dp85phle...@mail.gmail.com
> Content-Type: text/plain; charset=windows-1252
>
> On Sun, May 9, 2010 at 11:48 AM, Peter Janssen peter.jans...@eurid.eu wrote:
> > as per the header of Dig output?
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9
>
> Curious, I too get 9 but only 8 RRs are shown:
>
> ; <<>> DiG 9.7.0-P1 <<>> +dnssec @rdb.ardynet.com ardynet.com ns
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19752
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 9
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ardynet.com. IN NS
>
> ;; ANSWER SECTION:
> ardynet.com. 10800 IN NS rdb.ardynet.com.
> ardynet.com. 10800 IN NS dev.ardynet.com.
> ardynet.com. 10800 IN RRSIG NS 5 2 10800 2010051512 2010050912 60794 ardynet.com.
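The counting discussed in the message above (dig reports ADDITIONAL: 9 while listing 8 records, because the EDNS0 OPT pseudo-RR travels in the additional section and is included in the header count), as an added example that is not part of the original thread. The message is constructed for the illustration, and the names example.test and ns.example.test are placeholders.

```python
import struct

OPT = 41  # RR type of the EDNS0 OPT pseudo-RR

def encode_name(name):
    """Encode a domain name as uncompressed wire-format labels."""
    labels = [part for part in name.rstrip(".").split(".") if part]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def rr(name, rtype, rclass, ttl, rdata):
    """Build one resource record in wire format."""
    fixed = struct.pack("!HHIH", rtype, rclass, ttl, len(rdata))
    return encode_name(name) + fixed + rdata

def skip_name(msg, off):
    """Return the offset just past the name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def count_additional(msg):
    """Return (ARCOUNT from the header, ordinary additional RRs, OPT pseudo-RRs)."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):  # each question is name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    listed = opt = 0
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an + ns:  # record belongs to the additional section
            if rtype == OPT:
                opt += 1
            else:
                listed += 1
    return ar, listed, opt

def sample_response():
    """Constructed message: 3 A, 1 AAAA, 4 RRSIG and one OPT in the additional section."""
    header = struct.pack("!6H", 0x1234, 0x8500, 1, 0, 0, 9)  # flags qr aa rd, ARCOUNT 9
    question = encode_name("example.test") + struct.pack("!HH", 2, 1)  # NS, IN
    a = rr("ns.example.test", 1, 1, 3600, bytes([192, 0, 2, 1]))
    aaaa = rr("ns.example.test", 28, 1, 3600, bytes(16))
    rrsig = rr("ns.example.test", 46, 1, 3600, bytes(24))  # placeholder RDATA
    # OPT: root owner name, CLASS carries the UDP size, TTL carries the flags (DO bit)
    opt = rr(".", OPT, 4096, 0x00008000, b"")
    return header + question + a * 3 + aaaa + rrsig * 4 + opt

if __name__ == "__main__":
    arcount, listed, opt = count_additional(sample_response())
    print(f"ADDITIONAL: {arcount} = {listed} listed RRs + {opt} OPT pseudo-RR")
```
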
help on NSEC3PARAM
Hi, How to sign a zone for getting NSEC3, NSEC3PARAM RR's in a signed zone. Thanks Regards, Ramesh
Create DS and DLV records
Hi, Could you please explain me, how to create DS and DLV records into my zone. Thanks Regards, Ramesh