zone transfers
I have a Master BIND9 server with 2 active (up) interfaces, eth0 and eth1. I need my zone update notifications and zone transfers to use eth1 instead of eth0, which they are currently using. How can I change this behavior while still having the server listen on eth0?

Michael DiMartino | Director of IT | Open Access, Inc.
115 Bi County Blvd | Farmingdale, NY 11735
631.227.1034 | 631.694.6730 FAX | 631.988.6060 MOBILE
www.openaccessinc.com

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: zone transfers
> I have a Master BIND9 server with 2 active (up) interfaces, eth0 and eth1. I need my zone update notifications and zone transfers to use eth1 instead of eth0, which they are currently using. How can I change this behavior while still having the server listen on eth0?

Have a look at the listen-on, transfer-source, and notify-source (and query-source) clauses.

Jeremy C. Reed
ISC
Re: Problem with .org domain resolution
Since .org was recently DNSSEC-signed (http://www.afilias.info/afilias+signs+org+zone), my guess would be that you have a firewall, an intrusion-prevention device, or somesuch, that is dropping the packets because it doesn't understand the DNSSEC records contained in them.

- Kevin

Juan Rodríguez wrote:
> Hello. In my company we have a name server BIND 9.6 running on RedHat 4.7 ES. We've realized it doesn't resolve any .org domain. For example:
>
> [r...@dnsint ~]# nslookup www.mirrorservice.org 10.20.29.22
> ;; connection timed out; no servers could be reached
> [r...@dnsint ~]# nslookup www.madrid.org 10.20.29.22
> ;; connection timed out; no servers could be reached
> [r...@dnsint ~]# nslookup www.wikipedia.org 10.20.29.22
> ;; connection timed out; no servers could be reached
> [r...@dnsint ~]# nslookup www.marca.es 10.20.29.22
> Server: 10.20.29.22
> Address: 10.20.29.22#53
>
> Non-authoritative answer:
> Name: www.marca.es
> Address: 193.110.128.199
> [r...@dnsint ~]# nslookup www.elpais.com 10.20.29.22
> Server: 10.20.29.22
> Address: 10.20.29.22#53
>
> Non-authoritative answer:
> www.elpais.com canonical name = elpais.es.edgesuite.net.
> elpais.es.edgesuite.net canonical name = a1749.g.akamai.net.
> Name: a1749.g.akamai.net
> Address: 77.67.20.195
> Name: a1749.g.akamai.net
> Address: 77.67.20.178
> [r...@dnsint ~]# nslookup www.telefonica.net 10.20.29.22
> Server: 10.20.29.22
> Address: 10.20.29.22#53
>
> Non-authoritative answer:
> Name: www.telefonica.net
> Address: 213.4.130.95
> [r...@dnsint ~]# nslookup www.intermonoxfam.org 10.20.29.22
> ;; connection timed out; no servers could be reached
> [r...@dnsint ~]#
>
> This is a piece of the configuration:
>
> options {
>     directory "/zonas"; // Working directory
>     pid-file "/var/run/named.pid";
>     statistics-file "/logs/named.stats";
>     memstatistics-file "/logs/named.mem";
>     dump-file "/logs/named.dump";
>     version none;
>     hostname none;
>     server-id none;
>     listen-on-v6 { none; };
>     zone-statistics yes;
>     recursive-clients 2000;
>     cleaning-interval 300;
>     max-cache-size 768M;
>     notify explicit;
>     allow-transfer { XX };
>     also-notify { XXX };
>     allow-query { };
> };
>
> zone "." {
>     type hint;
>     file "named.ca";
> };
>
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "named.local";
> };
>
> and various zones declared... The file named.ca is the last updated one.
>
> Please, could you help me with this? Thank you very much.
Re: Problem with .org domain resolution
Never mind, reading that press release more deeply, it looks like they're in a _limited_ testing phase right now. Shouldn't affect you directly. Possibly they're having problems with their testing that might have an indirect effect on resolvability.

- Kevin

Kevin Darcy wrote:
> Since .org was recently DNSSEC-signed (http://www.afilias.info/afilias+signs+org+zone), my guess would be that you have a firewall, an intrusion-prevention device, or somesuch, that is dropping the packets because it doesn't understand the DNSSEC records contained in them.
>
> - Kevin
Re: Problem with .org domain resolution
On Wed, 3 Jun 2009, Kevin Darcy wrote:
> Kevin Darcy wrote:
>> Since .org was recently DNSSEC-signed (http://www.afilias.info/afilias+signs+org+zone), my guess would be that you have a firewall, an intrusion-prevention device, or somesuch, that is dropping the packets because it doesn't understand the DNSSEC records contained in them.

(Ignoring the never mind ...)

That might be the case. 9.6 has DNSSEC validation enabled by default, so the corresponding DNSSEC records and signatures may be sent back regardless of whether the label requested is signed or not. Such as the NSEC3 (TYPE50) and RRSIGs in the AUTHORITY section.

Juan: Please use dig instead. Please try with DNSSEC checking disabled, for example:

dig +cd www.mirrorservice.org @10.20.29.22
dig +cd www.madrid.org @10.20.29.22
dig +cd www.wikipedia.org @10.20.29.22

Please look at your BIND logging. (Maybe search for "error".)
RE: Problem with .org domain resolution
Thanks to both of you.

Kevin, you're right. We have a Checkpoint firewall which is configured to do some kind of DNS protection using SmartDefense; it is called protocol enforcement and can be UDP or TCP. We have UDP protection enabled; its description is the following one (copy-paste from Checkpoint):

---
Attack Description: DNS protocol is used to identify servers according to their IP addresses and aliases. DNS protocol messages can be transported over TCP or UDP. To infect a network with malicious content, attackers attempt to change the content of a DNS packet sent over TCP or UDP with the hope that it will enter the network undetected.

SmartDefense Protection: SmartDefense is able to recognize a DNS packet that has been altered. This ability enables SmartDefense to catch potentially harmful packets before they enter the network. SmartDefense enables a system administrator to enforce TCP and UDP protocols. Only pure DNS packets sent over TCP or UDP will be able to enter the network. In this case, all DNS port connections over UDP and TCP will be monitored to verify that every DNS packet attempting to enter the network has not been altered. With the enforcement of the UDP and TCP protocols the potential for maliciously altered DNS packets to enter the system is decreased. A monitor-only mode makes it possible to track unauthorized traffic without blocking it.
---

If I disable this protection the .org resolution works fine!! So, that is the case: the firewall is dropping the packets with this DNSSEC stuff in them.

Jeremy, I've enabled DNS protection in our firewall and I've carried out the tests you say:

With dnssec enabled:

[r...@dnsint01 bin]# ./dig +cd www.madrid.org @10.20.29.22

; <<>> DiG 9.6.0-P1 <<>> +cd www.madrid.org @10.20.29.22
;; global options: +cmd
;; connection timed out; no servers could be reached
[r...@dnsint bin]#

and in named.log:

03-Jun-2009 20:03:03.826 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:03:13.875 unexpected RCODE (SERVFAIL) resolving 'www.madrid.org/A/IN': 199.249.112.1#53

After using "dnssec-enable no;" in the options section of named.conf:

[r...@dnsint01 bin]# ./dig +cd www.madrid.org @10.20.29.22

; <<>> DiG 9.6.0-P1 <<>> +cd www.madrid.org @10.20.29.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17343
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 9, ADDITIONAL: 0

;; QUESTION SECTION:
;www.madrid.org.                        IN      A

;; ANSWER SECTION:
www.madrid.org.                 1800    IN      CNAME   www.madrid.org.edgesuite.net.
www.madrid.org.edgesuite.net.   21600   IN      CNAME   a621.b.akamai.net.
a621.b.akamai.net.              20      IN      CNAME   a621.b.akamai.net.0.1.cn.akamaitech.net.
a621.b.akamai.net.0.1.cn.akamaitech.net. 20 IN  A       80.157.169.10
a621.b.akamai.net.0.1.cn.akamaitech.net. 20 IN  A       80.157.169.19

;; AUTHORITY SECTION:
cn.akamaitech.net.      1799    IN      NS      n4cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n1cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n0cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n2cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n7cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n6cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n5cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n8cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n3cn.akamaitech.net.

;; Query time: 4079 msec
;; SERVER: 10.20.29.22#53(10.20.29.22)
;; WHEN: Wed Jun 3 20:08:36 2009
;; MSG SIZE rcvd: 355

[r...@dnsint01 bin]#

and in named.log:

03-Jun-2009 20:04:17.251 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:40::1#53
03-Jun-2009 20:04:18.494 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:b::1#53
03-Jun-2009 20:04:19.805 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:48::1#53
03-Jun-2009 20:04:19.805 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:f::1#53
03-Jun-2009 20:04:21.344 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:e::1#53
03-Jun-2009 20:04:22.704 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:04:22.776 success resolving 'www.madrid.org/A' (in 'madrid.org'?) after disabling EDNS

Note: I've realized that messages of the kind "network unreachable resolving" are very usual in the named logs.

Note: The same behaviour with other .org domains.

Thank you.

Date: Wed, 3 Jun 2009 12:18:28 -0500
From: jr...@isc.org
To: cut...@hotmail.com
CC: bind-users@lists.isc.org
Subject: Re: Problem with .org domain resolution

> On Wed, 3 Jun 2009, Kevin Darcy wrote:
>> Kevin Darcy wrote:
>>> Since .org was recently DNSSEC-signed
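The "success resolving ... after disabling EDNS" line is the signature to look for when a middlebox drops replies that carry DNSSEC records (RRSIG, NSEC3) or simply exceed 512 bytes. The following is an added example, not code from the thread: it extracts that signature from named.log lines (constructed here in the format shown above), separates it from the IPv6 "network unreachable" noise, and gives a dig probe that asks the same question with and without EDNS so the firewall can be confirmed as the cause. The resolver address 10.20.29.22 and the hostnames are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find the EDNS-fallback signature in
# named.log and probe a resolver with and without EDNS. SAMPLE_LOG lines are
# constructed in the format BIND 9.6 writes; addresses are the thread's own.

SAMPLE_LOG=$(cat <<'EOF'
03-Jun-2009 20:04:17.251 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:40::1#53
03-Jun-2009 20:04:22.704 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:04:22.776 success resolving 'www.madrid.org/A' (in 'madrid.org'?) after disabling EDNS
03-Jun-2009 20:03:13.875 unexpected RCODE (SERVFAIL) resolving 'www.madrid.org/A/IN': 199.249.112.1#53
03-Jun-2009 20:05:01.100 success resolving 'www.wikipedia.org/A' (in 'wikipedia.org'?) after disabling EDNS
EOF
)

# Names BIND could only resolve after falling back to plain (non-EDNS)
# queries: each one is a zone whose EDNS-sized replies never made it back.
edns_fallbacks() {
  printf '%s\n' "$1" | grep 'after disabling EDNS' \
    | sed "s/.*success resolving '//; s|/.*||" | sort -u
}

# Count "network unreachable" lines whose target is an IPv6 address. On a
# resolver without IPv6 connectivity these are expected noise, not the fault.
unreachable_v6() {
  printf '%s\n' "$1" | grep 'network unreachable' \
    | grep -c ': [0-9a-f]*:[0-9a-f:]*#53$' || true
}

# Live probe (needs dig): same question with the DO bit set, which pulls in
# RRSIG/NSEC3 data and a large reply, and then with EDNS switched off. A
# timeout on the first form only points at the firewall, not at the zone.
probe_edns() {
  name=$1; server=$2
  command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
  echo "== with EDNS + DO"
  dig +dnssec +cd +time=3 +tries=1 "$name" @"$server" \
    | grep -E '^;; (->>HEADER|connection timed out)'
  echo "== without EDNS"
  dig +noedns +cd +time=3 +tries=1 "$name" @"$server" \
    | grep -E '^;; (->>HEADER|connection timed out)'
}

echo "Resolved only after disabling EDNS:"
edns_fallbacks "$SAMPLE_LOG"
echo "IPv6 unreachable lines: $(unreachable_v6 "$SAMPLE_LOG")"
# probe_edns www.madrid.org 10.20.29.22   # run against your own resolver
```

Run the two functions over the real file with `edns_fallbacks "$(cat /logs/named.log)"`; a non-empty list together with a timeout only on the `+dnssec` probe is the firewall case described in this thread.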
PTR delegation
Hoping I can get a walk-through in simple terms, but also a pointer to some docs where I can dive into the details. I think I am finding what I want in the docs, but those docs come up 404 since the ISC site changed things a bit; from there, I generally cannot locate the old doc file.

1) Is it possible to determine what IP range/space has been given to the user of that IP space? For example, in a colocation environment, I am given say, a /24, and I want to look that up and see if it really is a /24. I have found the -x option which is making life a lot easier to find PTR records.

2) Given an IP that does not have a PTR, how do I determine if it has been sub-delegated (?) to the user of that IP? I need to learn whether or not I need to contact the IP provider and ask for a PTR record, or if I need to add one in myself.

Thank you.

--
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: PTR delegation
On Wed, 3 Jun 2009, Scott Haneda wrote:

> Hoping I can get a walk-through in simple terms, but also a pointer to some docs where I can dive into the details. I think I am finding what I want in the docs, but those docs come up 404 since the ISC site changed things a bit; from there, I generally cannot locate the old doc file.

What documents? I will help make sure they are visible or fix links if needed.

> 1) Is it possible to determine what IP range/space has been given to the user of that IP space? For example, in a colocation environment, I am given say, a /24, and I want to look that up and see if it really is a /24. I have found the -x option which is making life a lot easier to find PTR records.

Someone else can answer that.

> 2) Given an IP that does not have a PTR, how do I determine if it has been sub-delegated (?) to the user of that IP? I need to learn whether or not I need to contact the IP provider and ask for a PTR record, or if I need to add one in myself.

Use dig to follow the delegation. For example:

dig -x 204.152.184.110 @f.root-servers.net
dig -x 204.152.184.110 @chia.arin.net
(look at authority section)
dig -x 204.152.184.110 @ams.sns-pb.isc.org.
Re: PTR delegation
On Jun 3, 2009, at 11:53 AM, Scott Haneda wrote:

> Hoping I can get a walk-through in simple terms, but also a pointer to some docs where I can dive into the details. I think I am finding what I want in the docs, but those docs come up 404 since the ISC site changed things a bit; from there, I generally cannot locate the old doc file.
>
> 1) Is it possible to determine what IP range/space has been given to the user of that IP space? For example, in a colocation environment, I am given say, a /24, and I want to look that up and see if it really is a /24. I have found the -x option which is making life a lot easier to find PTR records.
>
> 2) Given an IP that does not have a PTR, how do I determine if it has been sub-delegated (?) to the user of that IP? I need to learn whether or not I need to contact the IP provider and ask for a PTR record, or if I need to add one in myself.

I was thinking and testing, and I believe I can answer part of my own question, but please correct and advise where I am wrong.

Given an IP of 64.84.37.2:

$ dig -x 64.84.37.2
2.37.84.64.in-addr.arpa. 3589 IN PTR capone.hostwizard.com.

So I clearly have a PTR, but I want to see who has been delegated control of the PTR. Dropping the trailing 2:

$ dig 37.84.64.in-addr.arpa NS
37.84.64.in-addr.arpa. 3538 IN NS ns1.nacio.com.
37.84.64.in-addr.arpa. 3538 IN NS ns3.nacio.com.
37.84.64.in-addr.arpa. 3538 IN NS ns2.nacio.com.

This to me looks like nacio.com in this case is going to control the PTR zones?

I can go to arin.net and do a lookup there, and find that I have been dished out a /26; how do I use dig to get that same answer?

Thanks again.

--
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: PTR delegation
ScottH> Given an IP of 64.84.37.2
ScottH> $ dig -x 64.84.37.2
ScottH> 2.37.84.64.in-addr.arpa. 3589 IN PTR capone.hostwizard.com.
ScottH> $ dig 37.84.64.in-addr.arpa NS
ScottH> 37.84.64.in-addr.arpa. 3538 IN NS ns1.nacio.com.
ScottH> 37.84.64.in-addr.arpa. 3538 IN NS ns3.nacio.com.
ScottH> 37.84.64.in-addr.arpa. 3538 IN NS ns2.nacio.com.
ScottH> This to me looks like nacio.com in this case is going to control
ScottH> the PTR zones?

Not necessarily. Nacio could be keeping control of the whole zone or subdelegating parts of that network as it assigns pieces to customers of theirs (see RFC 2317).

ScottH> I can go to arin.net and do a lookup there, and find that I have
ScottH> been dished out a /26, how do I use dig to get that same answer?

Simple answer is that you can't do it all with dig. You need dig and whois and some poking around.
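The walk described in this thread (NS records at each in-addr.arpa cut point, then the host label, watching for the RFC 2317 CNAME that marks a classless sub-delegation) as an added example, not code from any poster. The pure-string helpers run offline; `walk_reverse` is the live part and needs dig. The IP 64.84.37.2 is the one from the thread; the RFC 2317 sub-zone name in the comments is a constructed illustration, since the thread does not show one.

```shell
#!/bin/sh
# Added example (not from the thread): build in-addr.arpa names for an IPv4
# address, walk the reverse delegation top-down with dig, and classify what is
# found at the host label. The "0-63" sub-zone name below is constructed.

# 64.84.37.2 -> 2.37.84.64.in-addr.arpa
reverse_name() {
  printf '%s\n' "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa" }'
}

# Cut points from the /8 down to the /24. A delegation (NS set) can live at
# any of them before you reach the host label itself.
parent_zones() {
  printf '%s\n' "$1" | awk -F. '{
    print $1".in-addr.arpa"
    print $2"."$1".in-addr.arpa"
    print $3"."$2"."$1".in-addr.arpa"
  }'
}

# Interpret the first record found at the host name. Arguments: rdata type
# and rdata. A CNAME such as 2.37.84.64.in-addr.arpa -> 2.0-63.37.84.64.in-addr.arpa
# (constructed) is the RFC 2317 pattern: the /24 owner delegated a smaller
# block, so the PTR must be added in that sub-zone, not in the /24.
classify_host_record() {
  case "$1" in
    PTR)   echo "ptr present: $2" ;;
    CNAME) echo "rfc2317 classless delegation: ask the owner of ${2#*.}" ;;
    *)     echo "no ptr, no cname: ask the NS owner of the /24" ;;
  esac
}

# Live walk (needs dig): NS at each cut point, then the host label. The
# allocation size (/24 vs /26) is not in DNS; whois at the RIR gives that.
walk_reverse() {
  ip=$1
  command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
  for z in $(parent_zones "$ip"); do
    printf '%s NS: %s\n' "$z" "$(dig +short NS "$z" | tr '\n' ' ')"
  done
  # +noall +answer prints "owner ttl IN TYPE rdata"; keep TYPE and rdata of
  # the first record, which is the CNAME when a classless delegation exists.
  rec=$(dig +noall +answer "$(reverse_name "$ip")" PTR | awk 'NR == 1 { print $4, $5 }')
  set -- $rec
  classify_host_record "${1:-}" "${2:-}"
}

reverse_name 64.84.37.2
parent_zones 64.84.37.2
# walk_reverse 64.84.37.2   # live query; follow with whois for the block size
```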
Re: PTR delegation
Thank you for your other answers, I will read those and test them after this reply.

On Jun 3, 2009, at 12:02 PM, Jeremy C. Reed wrote:

>> Hoping I can get a walk-through in simple terms, but also a pointer to some docs where I can dive into the details. I think I am finding what I want in the docs, but those docs come up 404 since the ISC site changed things a bit; from there, I generally cannot locate the old doc file.
>
> What documents? I will help make sure they are visible or fix links if needed.

You just caught me in the midst of a browser history roll; I guess noon on my system is when my browser expired those. I found one link in my history; there were three I was interested in, sorry I am missing the two:

https://www.isc.org/index.pl?/sw/bind/delegation-only.php

While time consuming, this type of search, with some of Google's wildcards, may narrow you a nice list you could check to see which are ending up at the same place as above:

http://www.google.com/search?q=site:www.isc.org&hl=en&safe=off&client=safari&rls=en-us&num=50&start=150&sa=N

Sorry I cannot be of more help.

--
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: Problem with .org domain resolution
ORG uses NSEC3 rather than NSEC. It would be interesting to see if you can get responses from .SE or not with the setting enabled. SE uses NSEC, which has been around years longer than NSEC3.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
Re: Setting up tkey
In message 20090603165304.ga28...@csy.ca, Shane Wegner writes:
> Hello,
>
> I am looking at setting up TKEY between master and slave nameservers but have been unable to find documentation on how to get this going properly. In the bind9 manual, there is a whole section on TSIG and setting up shared secrets between servers, but how does one do it the TKEY way? That is, not having to generate different keypairs per host?

It's not supported and I really can't see the need for it.

Mark

> From what I've been able to figure out, the servers generate a keypair:
>
> dnssec-keygen -a dh -b 1024 -n host hostname
>
> and publish the result in a tkey-key configuration directive. But then how does one server recognize the other? How is access control done? Does the server just trust the keyname given to it by the other side?
>
> Shane

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
Re: zone transfers
In article h061r8$q8...@sf1.isc.org, Michael Di Martino m...@openaccessinc.com wrote:

> I have a Master BIND9 server with 2 active (up) interfaces, eth0 and eth1. I need my zone update notifications and zone transfers to use eth1 instead of eth0, which they are currently using. How can I change this behavior while still having the server listen on eth0?

Do you need it to send this traffic through eth1, or use eth1's IP as the source address? The other answers assumed the latter.

Most operating systems don't provide a way to specify which interface gets used. Setting the source IP doesn't force traffic to go through that NIC. The choice of interface is almost always based on the destination address, not the source address. And even if the OS provides a way to force traffic through a particular interface, I don't think BIND will use it.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: zone transfers
Michael Di Martino wrote:
> I have a Master BIND9 server with 2 active (up) interfaces, eth0 and eth1. I need my zone update notifications and zone transfers to use eth1 instead of eth0, which they are currently using. How can I change this behavior while still having the server listen on eth0?

Given your problem statement (incompletely supplied), the only answer for you is to change the system routing table(s) to suit your needs. BIND9 has no control over that, only what interfaces to listen on and what source addresses to use for various activities (listen-on, query-source, transfer-source, notify-source, and friends).

Regards,
Mike

--
Michael Milligan - mi...@acmeps.com
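Pulling the two halves of this thread together (the listen-on/transfer-source/notify-source answer and the routing caveat from Barry and Mike) as an added example that is not code from any poster: it emits the options{} fragment that keeps BIND listening on both interfaces while sourcing outbound transfers and NOTIFYs from the eth1 address, and then checks that fragment against what the kernel would actually do, since a transfer-source that the routing table does not honour leaves eth0 or is dropped by reverse-path filtering. The addresses (eth0 10.0.0.10, eth1 10.0.1.10, a slave at 10.0.1.50) and the `ip route get` output lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): named.conf source-address options for
# the two-interface master, plus a check of the kernel's routing decision.
# Addresses and the sample "ip route get" lines are constructed.

# Listen on both interfaces, but source zone transfers, NOTIFY messages and
# recursive queries from the eth1 address. This only sets the source IP; it
# does not choose the outgoing NIC.
named_source_options() {
  eth0_ip=$1; eth1_ip=$2
  cat <<EOF
options {
    listen-on port 53 { ${eth0_ip}; ${eth1_ip}; };
    transfer-source ${eth1_ip};
    notify-source   ${eth1_ip};
    query-source    address ${eth1_ip};
};
EOF
}

# Extract the source address from one "ip route get <peer>" output line,
# e.g. "10.0.1.50 dev eth1 src 10.0.1.10 uid 0". That is the address and
# interface the kernel picks for this peer, regardless of named.conf.
route_source() {
  printf '%s\n' "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# OK when the routed source equals the configured transfer-source, otherwise
# MISMATCH: the fix is a route for the slave via eth1, not more named.conf.
check_source() {
  configured=$1
  routed=$(route_source "$2")
  if [ "$configured" = "$routed" ]; then echo "OK"; else echo "MISMATCH"; fi
}

named_source_options 10.0.0.10 10.0.1.10
# Constructed kernel answers for the slave: routed via the eth0 default route,
# and routed directly over eth1 after adding a route for the slave's subnet.
check_source 10.0.1.10 "10.0.1.50 via 10.0.0.1 dev eth0 src 10.0.0.10 uid 0"
check_source 10.0.1.10 "10.0.1.50 dev eth1 src 10.0.1.10 uid 0"
# Live use:  named_source_options 10.0.0.10 10.0.1.10 > /tmp/opts.conf
#            named-checkconf /tmp/opts.conf
#            check_source 10.0.1.10 "$(ip route get 10.0.1.50)"
```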