[no subject]

2024-08-05 Thread Daniel Armando Rodriguez
I have a resolver that is not resolving several domains. So far what I
found in logs is this message, repeated several times in the span of every
minute

*nssv named[38251]: resolver priming query complete: failure*

I'm using BIND 9.18.28

This is current config
# named-checkconf -p
options {
    directory "/var/cache/bind";
    listen-on {
        "any";
    };
    version none;
    auth-nxdomain yes;
    recursion yes;
    response-policy {
        zone "rpz.local";
        zone "rpz.local.notransfer";
    };
    allow-query {
        "any";
    };
    forwarders {
    };
};
server ::/0 {
    bogus yes;
};
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "8.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zonas/inv.8.168.192";
};
zone "rpz.local" {
    type master;
    file "/etc/bind/zonas/rpz.local";
    allow-query {
        "localhost";
    };
};
zone "rpz.local.notransfer" {
    type master;
    file "/etc/bind/zonas/rpz.local.notransfer";
    allow-query {
        "localhost";
    };
    allow-transfer {
        "localhost";
    };
};
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "unau.edu.ar" {
    type master;
    file "/etc/bind/zonas/publica.unau.edu.ar";
    allow-query {
        "any";
    };
};
zone "253.4.45.in-addr.arpa" {
    type master;
    file "/etc/bind/zonas/inv.253.4.45";
};

Any ideas will be of great help.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


[no subject]

2022-01-11 Thread Diego Garcia
Hello

These days I've been getting strange behavior in my network/BIND server.

Every 20/30 minutes, and lasting about 5 minutes, I get 'timeout' in BIND
queries. After that time everything works fine again.

My BIND server gets a response (from 0.1 to 2 seconds) but replies with an ICMP
'port unreachable'.

Any idea what the problem is or what I can check?

Firewall is off while testing.

My BIND server is a NAT router.

I installed BIND on another server (VM with Debian), default config, and I got the same
problem; seems something is wrong in the NAT router perhaps?

But the only problem seems to be in BIND/UDP queries.

The server is running the latest Ubuntu Server LTS 20.04.03, doing
NAT/firewall, DHCP server and DNS server. Nothing more, no X.

It's a J1800 (dual core) 4GB RAM.


I asked on Server Fault too
https://serverfault.com/questions/1089585/bind-timeout-and-icmp-reply-port-unreachable

thanks


ICMP msg

```
Frame 4701: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Jan  9, 2022 23:06:50.500852000 Hora estándar romance
[Time shift for this packet: 0.0 seconds]
Epoch Time: 1641766010.500852000 seconds
[Time delta from previous captured frame: 0.006536000 seconds]
[Time delta from previous displayed frame: 0.006536000 seconds]
[Time since reference or first frame: 14.917496000 seconds]
Frame Number: 4701
Frame Length: 150 bytes (1200 bits)
Capture Length: 150 bytes (1200 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:dns]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: MitraSta_a5:80:e3 (e4:ab:89:a5:80:e3), Dst:
ASUSTekC_85:b5:f6 (78:24:af:85:b5:f6)
Destination: ASUSTekC_85:b5:f6 (78:24:af:85:b5:f6)
Address: ASUSTekC_85:b5:f6 (78:24:af:85:b5:f6)
 ..0.     = LG bit: Globally unique address
(factory default)
 ...0     = IG bit: Individual address (unicast)
Source: MitraSta_a5:80:e3 (e4:ab:89:a5:80:e3)
Address: MitraSta_a5:80:e3 (e4:ab:89:a5:80:e3)
 ..0.     = LG bit: Globally unique address
(factory default)
 ...0     = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 216.239.34.10, Dst: 192.168.100.10
0100  = Version: 4
 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
 00.. = Differentiated Services Codepoint: Default (0)
 ..00 = Explicit Congestion Notification: Not ECN-Capable
Transport (0)
Total Length: 136
Identification: 0x (0)
Flags: 0x40, Don't fragment
0...  = Reserved bit: Not set
.1..  = Don't fragment: Set
..0.  = More fragments: Not set
...0    = Fragment Offset: 0
Time to Live: 64
Protocol: UDP (17)
Header Checksum: 0x1ab9 [validation disabled]
[Header checksum status: Unverified]
Source Address: 216.239.34.10
Destination Address: 192.168.100.10
User Datagram Protocol, Src Port: domain (53), Dst Port: 57160 (57160)
Source Port: domain (53)
Destination Port: 57160 (57160)
Length: 116
Checksum: 0x168c [unverified]
[Checksum Status: Unverified]
[Stream index: 141]
[Timestamps]
[Time since first frame: 2.003007000 seconds]
[Time since previous frame: 2.003007000 seconds]
UDP payload (108 bytes)
Domain Name System (response)
Transaction ID: 0x187b
Flags: 0x8400 Standard query response, No error
1...    = Response: Message is a response
.000 0...   = Opcode: Standard query (0)
 .1..   = Authoritative: Server is an authority for
domain
 ..0.   = Truncated: Message is not truncated
 ...0   = Recursion desired: Don't do query recursively
  0...  = Recursion available: Server can't do
recursive queries
  .0..  = Z: reserved (0)
  ..0.  = Answer authenticated: Answer/authority
portion was not authenticated by the server
  ...0  = Non-authenticated data: Unacceptable
    = Reply code: No error (0)
Questions: 1
Answer RRs: 2
Authority RRs: 0
Additional RRs: 1
Queries
rr5---sn-h5q7kned.googlevideo.com: type A, class IN
Name: rr5---sn-h5q7kned.googlevideo.com
[Name Length: 33]
[Label Count: 3]
Type: A (Host Address) (1)
Class: IN (0x0001)
Answers
rr5---sn-h5q7kned.googlevideo.com: type CNAME, class IN, cname
rr5.sn-h5q7kned.googlevideo.com
Name: rr5---sn-h5q7kned.googlevideo.com
Type: CNAME (Canonical NAME for an alias) (5)
Class: IN (0x0001)
Time to live: 1800 (30 minutes)
Data length
```

[no subject]

2020-06-27 Thread baalchina
Hi all,

I have BIND 9.16.4 as a recursive name server. I want to forward all queries
to a specific DNS server outside my network, such as 8.8.8.8. When I have a new
domain (such as abc.com), I want to forward it to a new DNS server such as
9.9.9.9.

Here is my named.conf:


options {
    listen-on port 53 { 192.168.1.1; };
    recursion yes;
    allow-recursion { any; };
    forwarders {
        8.8.8.8;
    };
};

zone "abc.com" {
    type forward;
    forwarders { 1.1.1.1; };
};

So, in this configuration, will abc.com be forwarded to 8.8.8.8 or
1.1.1.1?

Thanks.




-- 
from:baalchina


[no subject]

2019-02-18 Thread Roberto Carna
Dear I've implemented two views, one for local resolution and the other for
forwarding a public zone to our resolver.

But now I have a problem:

If I define the same clients for the local zone view and the forward view,
depending on the order of the views the client can resolve or not the
query. In this case client 10.12.1.1 will match view INT and not view EXT:

acl internal { 10.12.1.1; };
acl external { 10.12.1.1; };

view "INT" {
    match-clients { internal; };
    recursion no;
    zone "company.com" {
        type master;
        file "/etc/bind/zones/company.com.db";
    };
};

view "EXT" {
    match-clients { external; };
    recursion yes;
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders {
            172.18.1.1;
        };
    };
};

If I define just one view with local and forward zones, I have to define
"recursion yes" because the forward zone needs this option, but in this case
a query for a local zone is trying to be resolved against the root servers and
finally against the master zone, but it takes some seconds:

acl unique { 10.12.1.1; };

view "INT-EXT" {
    match-clients { unique; };
    recursion yes;
    zone "company.com" {
        type master;
        file "/etc/bind/zones/company.com.db";
    };
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders {
            172.18.1.1;
        };
    };
};

How can I define the same clients to try resolving in the first view and, if there is
no response, try with the second view?

Or is there any other way to do what I want?

Regards


[no subject]

2016-12-02 Thread Ivan Fabris
Hi all,
I'm running some analysis on my BIND instances. I'm interested in finding out
how much time every single query takes, but I can't find an option to
show this information in the log.
The DNS is used by our customers and they ask for detailed reports (
they'll never read ... :)
It would be a little clumsy, and often meaningless, to subtract the first
line's timestamp from the last one, so I hope there is a way to show
"query_exec_time=xxxns" somewhere.
I'm running BIND 9.10 and 9.11-P1 on CentOS 7, with debug level 99

02-Dec-2016 13:09:53.632 security: debug 3: client xxx.yyy.www.zzz#30244:
view dxintern: request is not signed
02-Dec-2016 13:09:53.632 security: debug 3: client xxx.yyy.www.zzz#30244:
view dxintern: recursion available
02-Dec-2016 13:09:53.633 queries: info: client xxx.yyy.www.zzz#30244 (
imap.mail.yahoo.com): view dxintern: query: imap.mail.yahoo.com IN A +
(my.current.ip.addr)
02-Dec-2016 13:09:53.639 security: debug 3: client xxx.yyy.www.zzz#30244 (
imap.mail.yahoo.com): view dxintern: query (cache) 'imap.mail.yahoo.com/A/IN'
approved

I googled a lot with no success.
Any hint?

TIA

Ivan

[no subject]

2016-05-24 Thread c4k 4u


[no subject]

2014-12-27 Thread Christian Kette
 

Hello,
I've got a Raspberry Pi with 5 network interfaces (3 WLAN and two wired LAN).
Also, I have set up a BIND 9 server. Now I want to give the Pi (the
hostname is "DEV") a different IP address for every single interface.


For example: when a client from the network 192.168.2.0/24 looks up
the hostname "DEV.home.lan", he should get the response that
"DEV.home.lan" has the IP 192.168.2.100.
When a client of the 192.168.10.0/24 network looks up that hostname, the
IP should be 192.168.10.1.


As far as I know, this can be done using views. I couldn't get it working so I
have some questions.
Q1: Why do I get the IP address "192.168.2.100" for "DEV.home.lan" from both
the 192.168.2.0/24 and the 192.168.10.0/24 network?


The configuration files are set up as follows:

1.
/etc/bin/named.conf


include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
#include "/etc/bind/named.conf.default-zones";


I had to comment out the last line with the default-zones file because 
otherwise I get the error /etc/bind/named.conf.default-zones:2: when using 
'view' statements, all zones must be in views (I think it's a default config 
file, but I can provide it when necessary). 


Q2: What exactly are these zones in the file for? Do I need them?


2.
/etc/bind/named.conf.options


options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation no;
    empty-zones-enable yes;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};


I don't think the error is in that file.


3.
/etc/bind/named.conf.local


view "local" {
    match-clients { any; };
    zone "home.lan" IN {
        type master;
        file "/etc/bind/db.home.lan";
    };
};
view "ext" {
    match-clients { 192.168.2.0/24; };
    zone "2.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.rev.2.168.192.in-addr.arpa";
    };
};
view "wlan0" {
    match-clients { 192.168.3.0/24; };
    zone "3.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.rev.3.168.192.in-addr.arpa";
    };
};
view "wlan00" {
    match-clients { 192.168.4.0/24; };
    zone "4.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.rev.4.168.192.in-addr.arpa";
    };
};
view "wlan01" {
    match-clients { 192.168.5.0/24; };
    zone "5.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.rev.5.168.192.in-addr.arpa";
    };
};
view "int" {
    match-clients { 192.168.10.0/24; };
    zone "10.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.rev.10.168.192.in-addr.arpa";
    };
};


4.
/etc/bind/db.home.lan


home.lan. IN SOA DEV.home.lan. hostmaster.home.lan. (
        2013120101 ; serial
        8H ; refresh
        4H ; retry
        4W ; expire
        1D ; minimum
        )
home.lan.  IN NS    DEV.home.lan.
home.lan.  IN MX 10 DEV.home.lan.
; Set the address for localhost.home.lan
localhost  IN A     127.0.0.1
; Set the hostnames in alphabetical order
DEV        IN A     192.168.2.100
router     IN A     192.168.2.1
proxy      IN CNAME DEV.home.lan.
wpad       IN CNAME DEV.home.lan.


And finally, /etc/bind/db.rev.10.168.192.in-addr.arpa


; IP Address-to-Host DNS Pointers for the 192.168.10 subnet
@ IN SOA DEV.home.lan. hostmaster.home.lan. (
2013120101 ; serial
8H ; refresh
4H ; retry
4W ; expire
1D ; minimum
)
; define the authoritative name server
   IN NS DEV.home.lan.
; our hosts, in numeric order
1 IN PTR router.home.lan.
1 IN PTR DEV.home.lan.


Thank you!
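
The view-selection rule behind both view questions in this archive (the 2019 INT/EXT post and the 2014 home.lan post), as an added example that is not part of either post or of BIND itself: named uses the first view, in configuration-file order, whose match-clients covers the client, and never falls through to a later view. The function names, the reordered layout and its per-view copies of home.lan are assumptions for illustration; only "any", "none" and plain addresses or prefixes are modelled.

```python
"""Model of BIND view selection: first matching view wins, no fall-through."""
import ipaddress

ANY = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))

# Constructed from the 2014 named.conf.local: (view, match-clients, {zone: {name: A}}).
POSTED_VIEWS = [
    ("local",  ["any"],             {"home.lan": {"dev.home.lan": "192.168.2.100"}}),
    ("ext",    ["192.168.2.0/24"],  {"2.168.192.in-addr.arpa": {}}),
    ("wlan0",  ["192.168.3.0/24"],  {"3.168.192.in-addr.arpa": {}}),
    ("wlan00", ["192.168.4.0/24"],  {"4.168.192.in-addr.arpa": {}}),
    ("wlan01", ["192.168.5.0/24"],  {"5.168.192.in-addr.arpa": {}}),
    ("int",    ["192.168.10.0/24"], {"10.168.192.in-addr.arpa": {}}),
]

# Hypothetical layout: specific views first, each with its own home.lan data,
# catch-all view last.
REORDERED_VIEWS = [
    ("ext",   ["192.168.2.0/24"],  {"home.lan": {"dev.home.lan": "192.168.2.100"}}),
    ("int",   ["192.168.10.0/24"], {"home.lan": {"dev.home.lan": "192.168.10.1"}}),
    ("local", ["any"],             {"home.lan": {"dev.home.lan": "192.168.2.100"}}),
]

# Constructed from the 2019 post: two views whose ACLs hold the same client.
SAME_ACL_VIEWS = [
    ("INT", ["10.12.1.1"], {"company.com": {}}),
    ("EXT", ["10.12.1.1"], {"teamviewer.com": {"teamviewer.com": "<forwarded>"}}),
]


def _networks(match_clients):
    """Expand a match-clients list into networks ('any' covers IPv4 and IPv6)."""
    nets = []
    for element in match_clients:
        if element == "any":
            nets.extend(ANY)
        elif element != "none":
            nets.append(ipaddress.ip_network(element, strict=False))
    return nets


def select_view(views, client):
    """Name of the first view whose match-clients covers client, else None."""
    addr = ipaddress.ip_address(client)
    for name, match_clients, _zones in views:
        if any(addr in net for net in _networks(match_clients)):
            return name
    return None


def lookup(views, client, qname):
    """Answer qname from the selected view only. Returns (view, address);
    address is None when that view holds no record for the name."""
    view = select_view(views, client)
    zones = next((z for name, _mc, z in views if name == view), {})
    qname = qname.lower().rstrip(".")
    zone = max((z for z in zones if qname == z or qname.endswith("." + z)),
               key=len, default=None)
    return view, (zones[zone].get(qname) if zone else None)


def shadowed_views(views):
    """Views no client can reach because one earlier network already covers
    each of their networks (coverage by a union of networks is not detected)."""
    seen, dead = [], []
    for name, match_clients, _zones in views:
        nets = _networks(match_clients)
        if all(any(n.version == s.version and n.subnet_of(s) for s in seen)
               for n in nets):
            dead.append(name)
        seen.extend(nets)
    return dead


if __name__ == "__main__":
    for label, views in (("posted", POSTED_VIEWS), ("reordered", REORDERED_VIEWS)):
        for client in ("192.168.2.50", "192.168.10.7"):
            print(label, client, lookup(views, client, "DEV.home.lan"))
        print(label, "unreachable views:", shadowed_views(views))
    print("same ACL:", lookup(SAME_ACL_VIEWS, "10.12.1.1", "teamviewer.com"),
          shadowed_views(SAME_ACL_VIEWS))
```

`shadowed_views` works as a pre-deployment lint: any name it returns is a view whose zones will never be served to anyone.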




[no subject]

2013-02-05 Thread funky monkey
> From: Phil Mayers
> To: bind-users@lists.isc.org,
> Date: 05/02/2013 15:26
> Subject: Re: Selective resolution in a corporate environment
>
> On 05/02/13 15:16, funky monkey wrote:
>
> > But to get back to what I'm often asked for, more as a tactical
> > solution, is there any way of being able to subvert specific DNS names
> > with alternate responses, whilst leaving the rest of the resolution to
> > be obtained in the normal way - I know that doesn't follow the normal
> > looking for authority for a domain name, then asking the correct
> > question there.
>
> RPZ. It's present in bind 9.8 and 9.9, and can filter queries and
> responses to an (intentionally) limited degree.
>
> Basically you define a response-policy statement in the config. That
> statement lists one or more zones e.g. "rpz.yoursite.org". Queries and
> answers are passed through that zone looking for specially formatted
> records, and answers rewritten or turned into NODATA/NXDOMAIN as required.

Could you sandwich that in a forwarding chain - say have a bind
9. in between your normal forwarders to internet, and
does it just look for the entries you've specified as either alternate data
or does not exist, but otherwise, carries on to forward to an authoritative
(or cached, I suppose) version of the domain in question?

Thanks for the responses so far, by the way.

[no subject]

2012-12-01 Thread Mark Andrews

In message <20121130125333.gc9...@fantomas.sk>, Matus UHLAR - fantomas writes:
> On 29.11.12 18:34, Jose Manuel Delgado G. wrote:
> >about the other question, as to reduce the response time of my server when
> >the domain does not exist?
> 
> it is not the "domain does not exist" problem. This is the "the only
> nameserver for a domain times out" problem, which can be only avoided either
> by fixing the server or making it answer. Since there is just no workaround,
> the only thing bind can do is to query (and timeout).
> 
> >> > # dig @8.8.8.8 videolinedvd.com
> 
> >2012/11/29 Chuck Swiger 
> >> You've got two nameservers for the domain per WHOIS as:
> >>
> >>Domain servers in listed order:
> >>   NS1.VIDEOLINEDVD.COM
> >>   NS2.VIDEOLINEDVD.COM
> >>
> >> ...but they don't have A records setup.  Your nameservers must have A
> >> records:
> 
> actually, they have glue A record in .com zone:
> 
> ;; AUTHORITY SECTION:
> videolinedvd.com.   172800  IN  NS  ns1.videolinedvd.com.
> videolinedvd.com.   172800  IN  NS  ns2.videolinedvd.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.videolinedvd.com.   172800  IN  A   72.167.164.36
> ns2.videolinedvd.com.   172800  IN  A   72.167.164.36

But when the recursive nameserver asks for the  records for
these two nameservers it gets told that the name is not valid and
as the zone is more authoritative than the parent the glue records
get wiped out.  The recursive server then has no address records
for the nameservers and cached records that say that there are no
records at those names.  Further lookups fail for that zone.

The zone is improperly delegated.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


[no subject]

2012-11-20 Thread Daniele Imbrogino
I'd like to install on Ubuntu 12.04 a DNS server using BIND9.
As a first step, I'd just like to configure it as a forwarder for my box
only.
This is what I do:

 1. I deactivate `dnsmasq` editing
`/etc/NetworkManager/NetworkManager.conf` by commenting the `dns=dnsmasq`
line.
Before, the `/etc/resolv.conf` file contained a `nameserver 127.0.0.1`
line, and now there is a `nameserver 10.0.2.3` line (my actual DNS server
working in a VirtualBox environment). I think it's right, and name
resolution (using `dig`) still works.

 2. I download BIND9 and the suggested packages with `sudo apt-get install
bind9 bind9utils bind9-doc`

 3. In `/etc/bind/named.conf.options` I edit the

// forwarders {
//  0.0.0.0;
// };
block with the

 forwarders {
10.0.2.3;
 };
block.

 4. In `/etc/dhcp/dhclient.conf` I de-comment the `#prepend
domain-name-servers 127.0.0.1;` line; using DHCP for my network interface,
this allows to have `nameserver 127.0.0.1` as first line on
`/etc/resolv.conf`; if I had a static configuration, I would just add a
`dns-nameservers 127.0.0.1` line in `/etc/network/interfaces`.

 5. Now I restart all services (resolvconf, dhclient, bind9).

Well, from this point nothing works.
Using Wireshark I can see a lot of DNS queries to/from 10.0.2.3 and also
to/from root-servers, but `dig` continues to fail with `status: SERVFAIL`.

Why?

[no subject]

2012-05-07 Thread hugo hugoo

Dear all,

I have the following situation in my zone migration from one server (A) to
another server (B)

The zone is called toto.be and contains the following record:

www.toto.be  86400 IN CNAME  www.titi.be


==> the zone titi.be is in the same server (A) but is not transferred to the 
server (B).


If I do a dig @SERVER(A) www.toto.be  ==> I  receive the IP corresponding to 
www.titi.be

If I do a dig @SERVER(B) www.toto.be  ==> I do not receive the IP corresponding 
to www.titi.be


- Is this situation due to the fact that dig always and only contacts the
server mentioned in the command?


- Do titi.be and toto.be have to be on the same server to correctly use CNAMEs?


Thanks for your feedback,

hugo,






[no subject]

2012-03-19 Thread Mark Andrews

In message , hugo hugoo writes:
> 
> Doug
> 
> The problem is that the parent zone and the subzone are on the same name
> server.
>
> If I do a dig @name_server subzone NS  or   dig @name_server zone NS   ...
> I receive the same NS answer.
 
Hugo, you asked this before and you got a number of answers already
which I will repeat below.

Mark

1)  Make a DS query.  A DNSSEC aware nameserver will answer from
the parent zone, not the child zone.  From that you can determine
if the NS RRset is present or not.  You can't however check the
contents.

2) Transfer the parent zone and check the records in that.

3) Set up a slave of the parent zone only and ask it.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


[no subject]

2012-03-13 Thread hugo hugoo

Dear all,
 
I have a problem in the understanding of the creation of a subzone.
Here the situation; let's call the name server ns1.xxx.be
 
 
I have zone "toto.be" with some records (not important)
 
In the same name server, I want to create the subzone "titi.toto.be" with some 
records.
 
 
==> do I have to create in zone "toto.be" the following NS record:
 
 titi.toto.be.   TTL   IN   NS   ns1.xxx.be
 
 
I have found cases where this situation is present and others where it is not
present... and both cases seem to work.
What is the difference?
   
 
thanks for any feedback,
 
Hugo,

[no subject]

2011-12-21 Thread Konstantin V. Krotov

Hello, list!
I have split view on my name servers (master and slave); for internal
and external clients I have zones with similar names, but different content.

Part of the named.conf config on the master:

view "internal" {
    match-clients { myclients; };
    recursion yes;
    match-recursive-only yes;
    allow-recursion { myclients; };
    ...
    zone "10.168.192.in-addr.arpa" {
        type master;
        file "10.168.192.in-addr.arpa.db";
        allow-transfer { transfer_acl; };
        allow-update { none; };
    };
    ...
};

view "external" {
    match-clients { "any"; };
    recursion no;
    ...
    [here descriptions of zone]
};

Well, when I have the "match-recursive-only yes" directive in the "internal"
view, the slave name server reports: "zone
10.168.192.in-addr.arpa/IN/internal: refresh: non-authoritative answer
from master xx.xx.136.2#53 (source xx.xx.140.26#0)". If
match-recursive-only is no, the zone transfer to the slave is all right. Where am I
wrong? Thx.


--
WBR, Konstantin V. Krotov
mailto: k...@insysnet.ru


[no subject]

2011-11-24 Thread Loganathan Thirukkumaran
Hello All,
 
We have our slave servers running compiled BIND 9.6.1-P3 on CentOS 5.4.

Can I upgrade to 9.8.1-P1 directly from the current version 9.6.1-P3?  Or does it
have to be on the same 9.6.ESV-R5-P1 latest version?

The master is internal, running BIND 9.2.1, only pushing the
config/zones to the slaves. With the current setup we don't face any problem
pushing the config/zones from master to slaves. We plan to upgrade the slaves first to
patch for CVE-2011-4313, as they are public and doing both authoritative and
recursive. Will it create any problem if I patch the slaves to the latest version?
 
FYI, We are not using dnssec currently.
 
Thanks in advance 
 
Thiru

[no subject]

2010-06-13 Thread Greg Whynott
Hello,

I'm seeing an unfamiliar error while attempting to start a newly built from
source named instance.   I've searched on the net and within the bind-users list
without luck;  DST returns lots of hits,  but nothing with "named DST".
Hoping someone here might know what it's about.  Is it really Daylight
related?
thanks much for your time,
greg




the error:

[r...@fido ~]# /etc/init.d/named start
Starting named:[FAILED]
[r...@fido ~]# grep named /var/log/messages 
Jun 13 10:20:00 fido named[2430]: starting BIND 9.7.0-P2 -u named
Jun 13 10:20:00 fido named[2430]: built with '--build=i386-redhat-linux-gnu' 
'--host=i386-redhat-linux-gnu' '--program-prefix=' 
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' 
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' 
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' 
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' 
'--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' 
'--disable-static' '--disable-openssl-version-check' 
'--with-pkcs11=/usr/lib/pkcs11/PKCS11_API.so' '--with-dlz-filesystem=yes' 
'--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=i386-redhat-linux-gnu' 
'host_alias=i386-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom 
-fasynchronous-unwind-tables' 'CPPFLAGS= -DDIG_SIGCHASE'
Jun 13 10:20:00 fido named[2430]: adjusted limit on open files from 1024 to 
1048576
Jun 13 10:20:00 fido named[2430]: found 2 CPUs, using 2 worker threads
Jun 13 10:20:00 fido named[2430]: using up to 4096 sockets

Jun 13 10:20:00 fido named[2430]: initializing DST: no engine
Jun 13 10:20:00 fido named[2430]: exiting (due to fatal error)






[no subject]

2010-06-02 Thread Paul Vixie
Chris Thompson  writes:

> Nothing that I can see. Maybe dnsviz can't cope with multiple PTR
> records in an RRset, as your first case has? (On the other hand it
> handles multiple A records in forward zones OK.)

to be fair, multiple PTR RRs is something we added in BIND gethostbyaddr()
in more or less direct contravention to RFC 1034. if dnsviz doesn't handle
it (and i don't know if it doesn't) then it's not dnsviz's fault at all
since the DNS RFC's say that there will only be one PTR RR at an in-addr.
-- 
Paul Vixie
KI6YSY


[no subject]

2010-05-06 Thread bind-users-bounces+archive=mail-archive . com
From: Dave Filchak
Date: Thu, 06 May 2010 23:22:09 -0400
Subject: Re: Master server offline

I was thinking that as well ... would probably be the easiest and then 
switch it back later. However, I would have to change my glue record at 
the registrar as well ...  no?

On 06/05/10 11:19 PM, Barry Margolin wrote:
> In article,
>   Bruce Ray  wrote:
>
>
>> You have until the expiry counter expires for a given zone.
>>
>> We typically run our expiries at a week to allow for this type of failure.
>>  
> You can easily turn a slave into a master.  Just go into its named.conf
> file, change "type slave" to "type master" and comment out the "masters
> {...}" clause.
>
>
>> 
>> From: bind-users-bounces+bruce.ray=zionsbancorp@lists.isc.org
>> 
>> To: bind-users@lists.isc.org
>> Sent: Thu May 06 21:37:35 2010
>> Subject: Master server offline
>>
>> Our master server machine had a drive failure and looks like it will be
>> offline for some time. Somewhere in the back of my mind, I thought I
>> remembered that something bad can happen to the dns resolution for your zones
>> if the master is offline for too long. Is there anything to this or am I just
>> dreaming? As long as the secondary can answer request, we should be ok?
>>
>> Cheers,
>>
>> Dave
>>  
>

[no subject]

2010-05-06 Thread bind-users-bounces+archive=mail-archive . com
From: Dave Filchak
Date: Thu, 06 May 2010 23:17:41 -0400
Subject: Re: Master server offline

Well, my SOA Expires are set to 604800 (1 week). Can I change those to 
four weeks to give us some time? We are dealing with a load of other 
stuff at the moment (small company). Is that allowed?

Dave

On 06/05/10 10:53 PM, Noel Butler wrote:
> On Thu, 2010-05-06 at 22:37 -0400, Dave Filchak wrote:
>> Our master server machine had a drive failure and looks like it will 
>> be offline for some time. Somewhere in the back of my mind, I thought 
>> I remembered that something bad can happen to the dns resolution for 
>> your zones if the master is offline for too long. Is there anything 
>> to this or am I just dreaming? As long as the secondary can answer 
>> request, we should be ok?
>>
>
> Depends on your SOA expire timeout, most use 4 weeks, IIRC a slave 
> will cease to serve if it can't get an update after then.
> But, if you can not replace a server within 4 weeks, your organisation 
> has much bigger problems.
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
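
The SOA expire timer discussed in this thread, as an added example that is not part of any post: a Python helper that reads the SOA timers from zone-file text and computes when a secondary that last refreshed at a given time would stop answering for the zone. The zone text, the `example.test` names and the last-refresh timestamp are constructed, and the function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample: example.test and all values are placeholders.
SAMPLE_ZONE = """\
$TTL 1d
@   IN  SOA ns1.example.test. hostmaster.example.test. (
            2010050601 ; serial
            3h         ; refresh
            15m        ; retry
            1w         ; expire (604800 seconds)
            1h )       ; negative-caching TTL
"""

def ttl_to_seconds(value):
    """Convert a master-file time value (604800, 1w, 1w2d) to seconds."""
    value = value.lower()
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)([smhdw])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_soa(zone_text):
    """Return the first SOA record's serial and timers (timers in seconds)."""
    # Assumes no ';' or parentheses inside quoted strings before the SOA.
    text = re.sub(r";[^\n]*", "", zone_text)
    tokens = text.replace("(", " ").replace(")", " ").split()
    upper = [t.upper() for t in tokens]
    if "SOA" not in upper:
        raise ValueError("no SOA record found")
    fields = tokens[upper.index("SOA") + 1:][:7]
    if len(fields) < 7:
        raise ValueError("truncated SOA record")
    names = ("refresh", "retry", "expire", "minimum")
    soa = {n: ttl_to_seconds(v) for n, v in zip(names, fields[3:])}
    soa["serial"] = int(fields[2])
    return soa

def expiry_deadline(soa, last_refresh):
    """Time at which a secondary stops answering for the zone."""
    return last_refresh + timedelta(seconds=soa["expire"])

if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    last_ok = datetime(2010, 5, 6, 22, 0, tzinfo=timezone.utc)  # constructed
    print("expire:", soa["expire"], "s; zone expires at", expiry_deadline(soa, last_ok))
```

A secondary applies the expire value from the zone copy it already holds, so run this against the secondary's copy of the zone and the time of its last successful refresh.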

[no subject]

2010-05-06 Thread bind-users-bounces+archive=mail-archive . com
Date: Thu, 06 May 2010 22:37:35 -0400
From: Dave Filchak 
To: bind-users@lists.isc.org
Subject: Master server offline
Our master server machine had a drive failure and looks like it will be 
offline for some time. Somewhere in the back of my mind, I thought I 
remembered that something bad can happen to the dns resolution for your 
zones if the master is offline for too long. Is there anything to this 
or am I just dreaming? As long as the secondary can answer request, we 
should be ok?

Cheers,

Dave
