Re: SPF records in reverse zones?

2012-12-06 Thread WBrown
Dan Mahoney wrote on 12/05/2012 06:52:43 PM:

> I can't even imagine what spamfilters would think of such an address. :)

To quote some annoying TV ads here in the US: 

"REJECTED!"



Confidentiality Notice: 
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that 
you may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or 
telephone and delete this message from your system.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: SPF records in reverse zones?

2012-12-06 Thread WBrown
Karl Auer wrote on 12/05/2012 06:44:01 PM:

> This may be a silly question, but are SPF records supposed to be
> supported in reverse zones? I'm thinking of a mail server that has no
> entry in the DNS.


The SPF query is looking for the sender's domain, not the sender's server, 
so the record would be added for biplane.com.au, not for 
4.251.58.117.in-addr.arpa.



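As an added example (not part of the thread), a minimal SPF evaluator over a constructed lookup table: the receiver fetches the policy at the MAIL FROM domain (biplane.com.au), while the reverse name from the thread only carries a PTR and yields no policy at all. The record contents, the 117.58.251.0/24 prefix and the example.net entries are assumed.

```python
"""Where an SPF check looks: the sender's domain, not the reverse zone.

Added example, not from the original list post. The zone data below is
constructed: biplane.com.au and the in-addr.arpa name come from the
thread, everything else (prefixes, addresses, example.net) is assumed.
"""
import ipaddress

# Constructed lookup table standing in for DNS. The SPF policy (a TXT
# record) lives at the sending domain; the reverse name only has a PTR.
ZONE = {
    ("biplane.com.au", "TXT"): ["v=spf1 ip4:117.58.251.0/24 a -all"],
    ("biplane.com.au", "A"): ["117.58.251.4"],
    ("4.251.58.117.in-addr.arpa", "PTR"): ["mail.biplane.com.au"],
    ("example.net", "TXT"): ["v=spf1 a ~all"],
    ("example.net", "A"): ["192.0.2.7"],
}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])


def spf_policy(domain):
    """Return the SPF string published at 'domain', or None if there is none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(client_ip, mail_from_domain):
    """Evaluate ip4, a and all mechanisms with the +, -, ~ and ? qualifiers.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no policy).
    The lookup key is the MAIL FROM domain, never the client's PTR name."""
    policy = spf_policy(mail_from_domain)
    if policy is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in policy.split()[1:]:          # skip the 'v=spf1' tag
        qual = "+"                            # default qualifier is pass
        if term[0] in results:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return results[qual]
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return results[qual]
        if mech == "a" and str(ip) in lookup(arg or mail_from_domain, "A"):
            return results[qual]
    return "neutral"  # nothing matched and the policy has no 'all' term
```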


Re: Can't find named_dump.db

2012-12-06 Thread Matus UHLAR - fantomas

On 05.12.12 15:07, Daniele Imbrogino wrote:

Finally I solved it!
The problem was in the write permission of /etc, while in /var/cache/bind
it works perfectly!
Thank you for the assistance!


I hope you did not allow BIND to write to /etc...
(/etc should be writable by admins, not daemons; that's why we use /var)


On 03.12.12 21:32, Daniele Imbrogino wrote:

I edited the working directory to /etc/bind because this is the directory
where I have all the zone data files.
If I use the default /var/cache/bind do I have to move also the zone data
files



2012/12/5 Matus UHLAR - fantomas 

No, you will just have to provide the full path in the zones' filename statements.



I'm saying this because even if the default configuration has
/var/cache/bind as the default working directory, all the files are in
/etc/bind by default.



It's done this way just to have dumps and core files in /var/cache/bind,
where named usually can write, instead of /etc, where it usually can't (and
shouldn't).


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
WinError #98652: Operation completed successfully.


Re: Linux issue with make test failures, 9.9.2-P1

2012-12-06 Thread Shane Kerr
Jeff,

On Wednesday, 2012-12-05 09:27:10 -0500, 
Jeff Earickson  wrote:
> 
> The "make test" stuff is failing miserably for me on Linux (Redhat
> 6.3, x64) with 9.9.2-P1:

Someone suggested to me:

There should be *.run (maybe tests/system/*/*/*.run) files that will 
have the run-time log output.

Cheers,

--
Shane


Re: Preference of Master Name Servers

2012-12-06 Thread Matus UHLAR - fantomas

On 05.12.12 17:28, David Hall wrote:

Question 1:
In our secondary / slave name servers we specify the master name servers in
the normal manner:
zone mysample.me.uk { type slave; file "m/y/db.mysample.me.uk"; masters {
10.10.100.12; 10.10.101.12; 10.10.102.5; }; };
What I have found is that the order of the master name servers does not
matter and one is used at random. That name server is tried for all AXFR /
IXFR attempts until it is unreachable.
Is there a way to set a dedicated preference of which name servers to use
first?


No. All masters are treated equally. Do you know a reason why they should
not? However, if a slave received a NOTIFY from a master, it prefers fetching
from that master, AFAIK.


Question 2:
I am also seeing many entries in our logs that look like:
Dec 4 10:28:49 mysys named[28103]: zone mysample.me.uk/IN: refresh: retry
limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)

Does this mean that the master name server is unreachable? I have confirmed
that it is reachable by UDP and TCP.
Or does it mean that we are hitting one of our limits? Our current values
are:
serial-query-rate 500;
transfers-out 300;
transfers-in 300;
transfers-per-ns 100;


I would try increasing limits, starting with transfers-in.
You can check in logs or via netstat (or a packet dump) how many transfers
were executed in parallel (to know which parameter to increase).


Question 3:
We have over 100,000 domains on the name servers. What we see is that once
we start seeing many of these "exceeded" messages in the logs then our "soa
queries in progress" will go up significantly and never goes back down.
We have to shut down the name server and restart it, and then the "soa
queries in progress" goes down to 0 or 1 and the "exceeded" messages go away.
Has anyone had a similar problem? If so, how did you resolve this?


With 100k zones, you must increase limits. Or use a different technique
for distributing changes, e.g. NOTIFY, and increase the refresh (and retry)
times to avoid useless timeouts.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901
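Added example (not from the thread) of the log check suggested above: it walks named's xfer-in and refresh messages in order, tracks how many inbound transfers are open at once (the figure to compare with transfers-in), and counts which master each "retry limit exceeded" line names. The log lines are constructed in the format named uses; the zone names, timing and byte counts are assumed.

```python
"""Peak concurrent inbound transfers and per-master retry failures from a
named log. Added example; the sample lines are constructed, the 'retry
limit' line follows the one quoted in the thread."""
import re
from collections import Counter

# Constructed sample log (format of named's xfer-in / refresh messages).
LOG = """\
Dec  4 10:28:40 mysys named[28103]: zone a.example/IN: Transfer started.
Dec  4 10:28:41 mysys named[28103]: zone b.example/IN: Transfer started.
Dec  4 10:28:41 mysys named[28103]: zone c.example/IN: Transfer started.
Dec  4 10:28:42 mysys named[28103]: transfer of 'a.example/IN' from 10.10.100.12#53: Transfer completed: 1 messages, 12 records, 512 bytes, 0.001 secs (512000 bytes/sec)
Dec  4 10:28:43 mysys named[28103]: zone d.example/IN: Transfer started.
Dec  4 10:28:44 mysys named[28103]: transfer of 'b.example/IN' from 10.10.101.12#53: Transfer completed: 1 messages, 9 records, 400 bytes, 0.001 secs (400000 bytes/sec)
Dec  4 10:28:49 mysys named[28103]: zone mysample.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:28:49 mysys named[28103]: zone other.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:28:50 mysys named[28103]: zone third.me.uk/IN: refresh: retry limit for master 10.10.100.12#53 exceeded (source 10.10.100.25#0)
"""

STARTED = re.compile(r"zone (\S+)/IN: Transfer started\.")
COMPLETED = re.compile(r"transfer of '(\S+)/IN' from (\S+): Transfer completed")
RETRY = re.compile(r"zone (\S+)/IN: refresh: retry limit for master (\S+) exceeded")


def transfer_stats(log_text):
    """Return (peak_in_flight, retry_counts) for a chronologically ordered log.

    peak_in_flight is the largest number of inbound transfers open at the
    same moment; retry_counts maps master address -> zones that gave up on it."""
    in_flight = set()
    peak = 0
    retries = Counter()
    for line in log_text.splitlines():
        m = STARTED.search(line)
        if m:
            in_flight.add(m.group(1))
            peak = max(peak, len(in_flight))
            continue
        m = COMPLETED.search(line)
        if m:
            in_flight.discard(m.group(1))
            continue
        m = RETRY.search(line)
        if m:
            retries[m.group(2)] += 1
    return peak, retries


def limit_saturated(peak, transfers_in):
    """True when the observed peak reaches the configured transfers-in."""
    return peak >= transfers_in
```

If the peak sits at the configured transfers-in while the retry counts climb, the limit rather than the master's reachability is the bottleneck.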


Re: Can't find named_dump.db

2012-12-06 Thread Daniele Imbrogino
No, I don't.
Just for this reason I can't have a cache dump.
Now, in /var, it works!


2012/12/6 Matus UHLAR - fantomas 
>
>
> I hope you did not allow BIND writing to /etc...
> (/etc should be writable by admins, not daemons, that's why we use /var)
>
>

Re: Linux issue with make test failures, 9.9.2-P1

2012-12-06 Thread Evan Hunt
Jeff Earickson  wrote:
> The "make test" stuff is failing miserably for me on Linux (Redhat
> 6.3, x64) with 9.9.2-P1:

I'm pretty sure you haven't set up the local addresses the test servers
need to run on.  From the top of the bind9 tree, run the command:

$ sudo sh bin/tests/system/ifconfig.sh up

...then run "make test" and you'll probably get better results.

The ifconfig.sh command sets up loopback addresses 10.53.0.1 through
10.53.0.7.  The system tests run servers on those addresses and make
them talk to each other.  Without addresses configured, about 90% of
the tests will fail.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Querying directly a nameserver works, while forwarding not

2012-12-06 Thread Daniele Imbrogino
I'm testing new configuration on VirtualBox following the advice of not
forwarding.
Furthermore, I exclude any reference to DNSSEC.

So, in these conditions and assuming an empty cache, if I query for a
remote domain name, my server should query a root server and then iterate,
right?
Well, Wireshark shows me outgoing queries and incoming responses to/from
root servers, but "dig www.apple.com" (for example) fails with a timeout.

"syslog" has a lot of "DNS format error ... non-improving referral" and
"error (FORMERR) resolving" entries.

This is my very, very basic "named.conf" file:

options {
directory "/var/cache/bind";
};

zone "." {
type hint;
file "/etc/bind/db.root";
};

zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

I've also updated "db.root" from ftp.internic.net/domain/db.cache


2012/12/5 Sten Carlsen 

>
> On 05/12/12 18:29, Hauke Lampe wrote:
>
> On 05.12.2012 14:59, Daniele Imbrogino wrote:
>
> resolv.conf contains only 127.0.0.1 as nameserver.
>
> The syslog contains a lot of errors as "insecurity proof failed", "no
> valid
> RRSIG", "got insecure response" that I don't understand.
>
>
> Your forwarder probably doesn't handle DNSSEC responses well. Therefore
> your BIND cannot validate the answers and returns a failure code.
>
> Either update the forwarder/enable DNSSEC (older versions of BIND 9
> require "dnssec-enable yes;" in the options clause), or disable DNSSEC
> validation in your local BIND (set "dnssec-validation no;").
>
> Or consider not doing forwarding, that usually gives fewer problems if
> possible.
>
>
>
>
> Hauke
>
>
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
>"MALE BOVINE MANURE!!!"
>
>
>

Re: Linux issue with make test failures, 9.9.2-P1

2012-12-06 Thread Jeff Earickson
Evan,

Yup, I knew all of that and that is what I have always done.  This morning
I got things to work by skipping the -j option of gmake to do parallel compiles,
and the tests then worked.

Before I always did:

configure
gmake -j2
ifconfig.sh up (as root)
gmake test

Once I didn't do the parallel compile (-j2), the tests worked.  But I did not
see any failures from a parallel compile either.  Weird.

Jeff Earickson
Colby College

On Thu, Dec 6, 2012 at 10:40 AM, Evan Hunt  wrote:
> Jeff Earickson  wrote:
>> The "make test" stuff is failing miserably for me on Linux (Redhat
>> 6.3, x64) with 9.9.2-P1:
>
> I'm pretty sure you haven't set up the local addresses the test servers
> need to run on.  From the top of the bind9 tree, run the command:
>
> $ sudo sh bin/tests/system/ifconfig.sh up
>
> ...then run "make test" and you'll probably get better results.
>
> The ifconfig.sh command sets up loopback addresses 10.53.0.1 through
> 10.53.0.7.  The system tests run servers on those addresses and make
> them talk to each other.  Without addresses configured, about 90% of
> the tests will fail.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.


Re: Improved SSL Error Logging [RT #29932]

2012-12-06 Thread Shane Kerr
Noel,

On Thursday, 2012-12-06 11:03:24 +1000, 
Noel Butler  wrote:
> Hi Shane, Mark, Evan
> 
> On Tue, 2012-10-16 at 08:22 +0200, Shane Kerr wrote:
> > 
> > These changes are in our review queue now, so will go in future
> > releases.
> 
> 
> I guess this was not pushed in?  After update to 9.9.2-p1  the old
> logging returned, eg:

Our security releases only include the specific fix, to ensure that
they have the least impact on administrators.

We'll be coming out with a beta for 9.9.3 next week or so which will
include the changes, along with a number of other non-security fixes
and (minor) features.

Cheers,

--
Shane



Re: Linux issue with make test failures, 9.9.2-P1

2012-12-06 Thread Evan Hunt
> Yup, I knew all of that and that is what I have always done.  This morning
> I got things to work by skipping the -j option of gmake to do parallel
> compiles, and the tests then worked.

Neat!

> Once I didn't do the parallel compile (-j2), the tests worked.  But I did
> not see any failures from a parallel compile either.  Weird.

We actually specify in the README that parallel compiles aren't supported,
but it's been my experience that they usually do work, and when they've
failed for me it's always been with an outright build failure rather than
an apparently successful build that didn't work.  You got lucky, I guess.
Glad it's sorted out.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: how t orestrict nsupdate to a single A or PTR record ?

2012-12-06 Thread gmx
Thank you very much, learnt a new thing too.

Mark Andrews wrote:

>
>In message <50bfaba3.5040...@dougbarton.us>, Doug Barton writes:
>> On 12/05/2012 11:29 AM, fddi wrote:
>> > Hello, I have a domain called mydomain.org
>> > 
>> > I would need a way to allow access with nsupdate not to the entire
>> > domain mydomain.org
>> > but only to specific hosts and specific IP Address do be modified
>using
>> > nsupdate.
>> > 
>> > 
>> > here is my config
>> > 
>> > zone "mydomain.org" IN {
>> > type master;
>> > allow-query { any; };
>> > file "mydomain.org.db";
>> > update-policy {
>> > grant mykey. subdomain mydomain.org. A TXT CNAME;
>> > };
>> > };
>> > 
>> > but in this way anyone can modify any hosts in the domain.
>> > How can I restrict and allow to modify only specific hosts ?
>> > 
>> > for example I would like to restrict to modify only
>host1.mydomain.org
>> > with a given key.
>> > 
>> > is it possibile ?
>> 
>> make the records you want to be modifiable into their own zones.
>
>   grant mykey. name host1.mydomain.org. A 
>
>   or
>
>   grant host1.mydomain.org. self . A 
>
>   or
>
>   grant "local:/path/to/socket" external * A 
>
>   or 
>
>   grant "local:/path/to/socket" external * ANY
>
>   The last two require an external tool to make the decision.
> 
>-- 
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
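As an added example (not from the thread), a small evaluator for BIND update-policy grant rules covering the subdomain, name and self nametypes from the replies above: it shows that the original "subdomain mydomain.org." rule lets mykey change any host, while the "name host1.mydomain.org." and "self" forms confine updates to one name. The external nametype, which defers to an outside tool, is not modelled; the default type set for a rule with no types listed follows BIND's documented behaviour as I understand it.

```python
"""Evaluate BIND update-policy 'grant' rules (name, subdomain, self).

Added example, not BIND's own code. A rule with no types listed matches
every type except RRSIG, NS, SOA, NSEC and NSEC3, as BIND documents it."""
from dataclasses import dataclass

NEVER_BY_DEFAULT = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


def _canon(name):
    return name.rstrip(".").lower()


def _is_subdomain(name, parent):
    name, parent = _canon(name), _canon(parent)
    return parent == "" or name == parent or name.endswith("." + parent)


@dataclass
class Rule:
    identity: str   # TSIG key name the update must be signed with
    nametype: str   # "name", "subdomain" or "self"
    name: str       # target name (placeholder "." for self)
    types: tuple    # RR types allowed; empty means the documented default

    def type_ok(self, rtype):
        if not self.types:
            return rtype not in NEVER_BY_DEFAULT
        return "ANY" in self.types or rtype in self.types

    def matches(self, signer, target, rtype):
        if _canon(signer) != _canon(self.identity):
            return False
        if self.nametype == "name":
            name_ok = _canon(target) == _canon(self.name)
        elif self.nametype == "subdomain":
            name_ok = _is_subdomain(target, self.name)
        elif self.nametype == "self":   # key name must equal the target
            name_ok = _canon(target) == _canon(signer)
        else:
            raise ValueError("unsupported nametype: " + self.nametype)
        return name_ok and self.type_ok(rtype)


def parse_grant(text):
    """Parse one 'grant identity nametype name [types...];' statement."""
    words = text.strip().rstrip(";").split()
    if len(words) < 4 or words[0] != "grant":
        raise ValueError("bad grant statement: " + text)
    return Rule(words[1], words[2], words[3], tuple(words[4:]))


def update_allowed(rules, signer, target, rtype):
    """An update is allowed when any grant rule matches; otherwise refused."""
    return any(r.matches(signer, target, rtype) for r in rules)


# The policy from the question and the two narrower forms from the reply.
ORIGINAL = [parse_grant("grant mykey. subdomain mydomain.org. A TXT CNAME;")]
BY_NAME = [parse_grant("grant mykey. name host1.mydomain.org. A;")]
BY_SELF = [parse_grant("grant host1.mydomain.org. self . A;")]
```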

Re: Querying directly a nameserver works, while forwarding not

2012-12-06 Thread Sten Carlsen
My next move would be to look for issues in the network, I would look at
what wireshark can sniff out. I would look for packets with errors. The
purpose is to find out if the network is mangling packets.


On 06/12/12 16:46, Daniele Imbrogino wrote:
> I'm testing new configuration on VirtualBox following the advice of
> not forwarding.
> Furthermore, I exclude any reference to DNSSEC.
>
> So, in these conditions and assuming an empty cache, if I query for a
> remote domain name, my server should query a root-server and then
> iterate, right?
> Well, Wireshark shows me outcoming queries and incoming responses
> to/from root-servers, but "dig www.apple.com"
> (for example) fails with a timeout.
>
> "syslog" has a lot of "DNS format error ... non-improving referral"
> and "error (FORMERR) resolving" entries.
>
> This is my very vary basic "named.conf" file
>
> options {
> directory "/var/cache/bind";
> };
>
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> I've also updated "db.root" from ftp.internic.net/domain/db.cache
> 
>
>
> 2012/12/5 Sten Carlsen
>
>
> On 05/12/12 18:29, Hauke Lampe wrote:
>> On 05.12.2012 14:59, Daniele Imbrogino wrote:
>>
>>> resolv.conf contains only 127.0.0.1 as nameserver.
>>>
>>> The syslog contains a lot of errors as "insecurity proof
>>> failed", "no valid
>>> RRSIG", "got insecure response" that I don't understand.
>>
>> Your forwarder probably doesn't handle DNSSEC responses well.
>> Therefore your BIND cannot validate the answers and returns a
>> failure code.
>>
>> Either update the forwarder/enable DNSSEC (older versions of BIND
>> 9 require "dnssec-enable yes;" in the options clause), or disable
>> DNSSEC validation in your local BIND (set "dnssec-validation no;").
> Or consider not doing forwarding, that usually gives fewer
> problems if possible.
>
>>
>>
>>
>> Hauke
>>
>
> -- 
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
>"MALE BOVINE MANURE!!!" 
>
>
>
>
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Querying directly a nameserver works, while forwarding not

2012-12-06 Thread Mark Andrews

In message 
, Daniele 
Imbrogino writes:
> I'm testing new configuration on VirtualBox following the advice of not
> forwarding.
> Furthermore, I exclude any reference to DNSSEC.
> 
> So, in these conditions and assuming an empty cache, if I query for a
> remote domain name, my server should query a root-server and then iterate,
> right?
> Well, Wireshark shows me outcoming queries and incoming responses to/from
> root-servers, but "dig www.apple.com" (for example) fails with a timeout.
> 
> "syslog" has a lot of "DNS format error ... non-improving referral" and
> "error (FORMERR) resolving" entries.

Find the "transparent" DNS cache and nuke it.  Most sites that do
this deploy an ordinary DNS recursive server, and that DOES NOT work
with a recursive server expecting to be talking to authoritative
servers.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Improved SSL Error Logging [RT #29932]

2012-12-06 Thread Noel Butler
Thanks Shane,

I have re-applied the previous changes to the source files and that has silenced
them again in the meantime.
Cheers
Noel


On Thu, 2012-12-06 at 17:05 +0100, Shane Kerr wrote:

> Noel,
> 
> On Thursday, 2012-12-06 11:03:24 +1000, 
> Noel Butler  wrote:
> > Hi Shane, Mark, Evan
> > 
> > On Tue, 2012-10-16 at 08:22 +0200, Shane Kerr wrote:
> > > 
> > > These changes are in our review queue now, so will go in future
> > > releases.
> > 
> > 
> > I guess this was not pushed in?  After update to 9.9.2-p1  the old
> > logging returned, eg:
> 
> Our security releases only include the specific fix, to ensure that
> they have the least impact on administrators.
> 
> We'll be coming out with a beta for 9.9.3 next week or so which will
> include the changes, along with a number of other non-security fixes
> and (minor) features.
> 
> Cheers,
> 
> --
> Shane



