Re: Slave zone intermittently not refreshing

2014-05-09 Thread Tony Finch
Mart van de Wege mvdw...@gmail.com wrote:

  A lot of the refresh failure logging happens at debug level 1 so you can
  get more details by running `rndc trace 1`.

 Is there a way to filter that after setting it?

Not without altering the server's logging configuration. Something like
the following, perhaps.

logging {
category default { default_syslog; };
category general { default_debug; };
};

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Viking, North Utsire, South Utsire, Northeast Forties: Variable 4 in North
Utsire, otherwise southeasterly 5 or 6. Slight or moderate. Showers. Good,
occasionally poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Tony Finch
Edward DeLargy eddela...@gmail.com wrote:

 I just want to verify that 9.9.5 can be compiled in AIX

The README says:

Building

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

COMPAQ Tru64 UNIX 5.1B
Fedora Core 6
FreeBSD 4.10, 5.2.1, 6.2
HP-UX 11.11
Mac OS X 10.5
NetBSD 3.x, 4.0-beta, 5.0-beta
OpenBSD 3.3 and up
Solaris 8, 9, 9 (x86), 10
Ubuntu 7.04, 7.10
Windows XP/2003/2008

NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer
supported.

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

AIX 4.3, 5L
CentOS 4, 4.5, 5
Darwin 9.0.0d1/ARM
Debian 4, 5, 6
Fedora Core 5, 7, 8
FreeBSD 6, 7, 8
HP-UX 11.23 PA
MacOS X 10.5, 10.6, 10.7
Red Hat Enterprise Linux 4, 5, 6
SCO OpenServer 5.0.6
Slackware 9, 10
SuSE 9, 10

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Biscay, South FitzRoy: Westerly 4 or 5, backing southwesterly 5 to 7, except
in south. Moderate, occasionally rough in north. Occasional rain. Good,
occasionally poor.


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Fajar A. Nugraha
On Fri, May 9, 2014 at 5:36 PM, Tony Finch d...@dotat.at wrote:

 Edward DeLargy eddela...@gmail.com wrote:

  I just want to verify that 9.9.5 can be compiled in AIX

 The README says:

 Building

 BIND 9 currently requires a UNIX system with an ANSI C compiler,
 basic POSIX support, and a 64 bit integer type.

 We've had successful builds and tests on the following systems:
...
 Fedora Core 6
...
 Ubuntu 7.04, 7.10

Wow. Fedora core 6 and Ubuntu 7.04? I wonder if anybody is actually
still using those. Makes you wonder just how often the README was
updated :)

-- 
Fajar


Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Tony Finch
Dave Warren da...@hireahit.com wrote:
 On 2014-05-08 15:09, Mark Andrews wrote:

  But that does not help when you want a MX record at the apex or
  some other record at the apex.

 I'd argue that it does -- Since the record is now CNAME'd, the MX record is
 now under the control of the destination of the CNAME record and MX records
 can still be set.

Unfortunately CNAME-pointing-at-MX is an interop disaster area owing to
different MTA's differing opinions about whether it makes sense to rewrite
email addresses in this situation. Avoid.

 I actually think that MX records were a boneheaded thing to do, had email
 started using SRV records in the first place we might be in a position now
 where using SRV records is the defacto standard if not the actual standard for
 all services. (No offense to the folks that made MX records happen, I realize
 that in historical context it was the correct decision and it solved the very
 immediate problem -- I'm just saying that in an ideal world, SRV records
 instead of MX records would solved the same problem in a more generic fashion,
 and would have pushed us to a better place for other protocols)

It is interesting to look at the old RFCs and see how many false starts it
took to get to the MX design. Mail was the first heavily virtualized
application so I think their failure to generalize was forgivable,
especially since they were also dealing with the massive problem of
gatewaying between dozens of balkanized mail networks.

http://stuff.mit.edu/afs/athena/reference/net-directory/documents/JANET-Mail-Gateways.ps

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Trafalgar: Northerly 5 to 7, but mainly 4 in northwest. Moderate or rough.
Mainly fair. Good.


RE: AIX and 9.9.5 compiling

2014-05-09 Thread Tedd Tracy TANAGER
I’ve been building bind on AIX for years with no problems. I’ve had successful 
builds of 9.9.5 with both GCC and XLC.

Tedd

From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Edward DeLargy
Sent: Thursday, May 08, 2014 2:40 PM
To: bind-users@lists.isc.org
Subject: AIX and 9.9.5 compiling

Good Afternoon,
I just want to verify that 9.9.5 can be compiled in AIX 
with the binaries provided in the download the same you would compile in RHEL 
or SLES. I do understand that libraries have to be correct but want to be sure 
the BIND download works in AIX.

Regards,
Ed



This e-mail and any attachments are intended only for the named recipient(s) 
and may contain information that is legally privileged, confidential, or exempt 
from disclosure under applicable law. If you have received this message in 
error, or are not the named recipient(s), you may not retain copy or use this 
e-mail or any attachment for any purpose or disclose all or any part of the 
contents to any other person. Any such dissemination, distribution or copying 
of this e-mail or its attachments is strictly prohibited. If you are not the 
intended recipient, please immediately notify the sender and permanently delete 
this e-mail and any attachment from your computer.





Re: AIX and 9.9.5 compiling

2014-05-09 Thread eddelargy
Thank you! I figured that but given some of the oddities of AIX wasn't sure.

Regards,
Ed

Sent from my iPhone

 On May 9, 2014, at 6:36 AM, Tony Finch d...@dotat.at wrote:
 
 Edward DeLargy eddela...@gmail.com wrote:
 
 I just want to verify that 9.9.5 can be compiled in AIX
 
 The README says:
 
 Building
 
BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.
 
We've had successful builds and tests on the following systems:
 
COMPAQ Tru64 UNIX 5.1B
Fedora Core 6
FreeBSD 4.10, 5.2.1, 6.2
HP-UX 11.11
Mac OS X 10.5
NetBSD 3.x, 4.0-beta, 5.0-beta
OpenBSD 3.3 and up
Solaris 8, 9, 9 (x86), 10
Ubuntu 7.04, 7.10
Windows XP/2003/2008
 
NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer
supported.
 
We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:
 
AIX 4.3, 5L
CentOS 4, 4.5, 5
Darwin 9.0.0d1/ARM
Debian 4, 5, 6
Fedora Core 5, 7, 8
FreeBSD 6, 7, 8
HP-UX 11.23 PA
MacOS X 10.5, 10.6, 10.7
Red Hat Enterprise Linux 4, 5, 6
SCO OpenServer 5.0.6
Slackware 9, 10
SuSE 9, 10
 
 Tony.
 -- 
 f.anthony.n.finch  d...@dotat.at  http://dotat.at/
 Biscay, South FitzRoy: Westerly 4 or 5, backing southwesterly 5 to 7, except
 in south. Moderate, occasionally rough in north. Occasional rain. Good,
 occasionally poor.


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Matus UHLAR - fantomas

Edward DeLargy eddela...@gmail.com wrote:
 I just want to verify that 9.9.5 can be compiled in AIX



On Fri, May 9, 2014 at 5:36 PM, Tony Finch d...@dotat.at wrote:

The README says:



We've had successful builds and tests on the following systems:

...

Fedora Core 6

...

Ubuntu 7.04, 7.10


On 09.05.14 17:48, Fajar A. Nugraha wrote:

Wow. Fedora core 6 and Ubuntu 7.04? I wonder if anybody is actually
still using those. Makes you wonder just how often the README was
updated :)


yes, there are many people who will only understand when and later will be
added...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Jeremy C. Reed
Currently, some of the systems that we automatically build and run 
various tests on include:

FreeBSD 4.11 i386
FreeBSD 6.3 i386
FreeBSD 8.4 i386
FreeBSD 10.0-CURRENT i386
Fedora 18 Linux 3.8.1-201.fc18.x86_64 x86_64 
Fedora 19 Linux 3.11.6-200.fc19.x86_64 x86_64 
HPUX B11.11 HPPA2.0w (HP 9000/800)
MacOSX 10.6.6 Darwin 10.8.0 x86_64
NetBSD 5.2 i386
NetBSD 6.0 i386
NetBSD 6.0.2 amd64
Solaris 10 SunOS 5.10 sun4u sparc SUNW,Sun-Fire-V240
Solaris 10 SunOS 5.10 sun4u sparc SUNW,UltraAX-i2
Solaris 11 SunOS 5.11 i86pc i386
Ubuntu 13.10 Linux 3.11.0-15-generic x86_64

The developers also use a variety of other systems like FreeBSD 
9.1-RELEASE-p4 amd64, Mac OS 10.8.4 and 10.8.5, Ubuntu Linux 13.04, 
Fedora 19 Linux, NetBSD 6, and others, but they may have newer versions 
than these.  There are also some Windows build systems with VS2005, 
VS2008, VS2010express, VS2010, and VS2012 (and maybe others).

I was also doing automated builds on OpenBSD, Debian, and Ubuntu LTS, 
but need to replace the server. Also our AIX machine crashed.

If you have a suggestion for an important or popular OS version I should 
add to our build farm, please let me know why. Thanks


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Edward DeLargy
Thank you all for your quick response I do appreciate it!!

Regards,
Ed



On Fri, May 9, 2014 at 6:48 AM, Fajar A. Nugraha w...@fajar.net wrote:

 On Fri, May 9, 2014 at 5:36 PM, Tony Finch d...@dotat.at wrote:
 
  Edward DeLargy eddela...@gmail.com wrote:
 
   I just want to verify that 9.9.5 can be compiled in AIX
 
  The README says:
 
  Building
 
  BIND 9 currently requires a UNIX system with an ANSI C compiler,
  basic POSIX support, and a 64 bit integer type.
 
  We've had successful builds and tests on the following systems:
 ...
  Fedora Core 6
 ...
  Ubuntu 7.04, 7.10

 Wow. Fedora core 6 and Ubuntu 7.04? I wonder if anybody is actually
 still using those. Makes you wonder just how often the README was
 updated :)

 --
 Fajar

Bind 9.10 64 bit

2014-05-09 Thread Giovanni Paterno'
O.S. Windows 2008 R2 64 bit. Up to now I have used Bind 32 bit, now I see that 
a 64 bit version is available.
Should I move to 64 bit version ? If yes is there any how to doc ?

Giovanni Paterno

Re: Bind 9.10 64 bit

2014-05-09 Thread Mark Andrews

In message c2b3930fd9ce014d9ddacf994b672c9f55d0c...@atlas2.dcsos-m.dcsos.it, 
Giovanni Paterno' writes:
 O.S. Windows 2008 R2 64 bit. Up to now I have used Bind 32 bit, now I see that
 a 64 bit version is available.
 Should I move to 64 bit version ? If yes is there any how to doc ?
 
 Giovanni Paterno
 
Uninstall the 32 bit version preserving data.  Install the 64 bit
version.

9.10.0 changes the default install location so you may want to move
your data across.

x86: CSIDL_PROGRAM_FILESX86
x64: CSIDL_PROGRAM_FILES

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


R: Bind 9.10 64 bit

2014-05-09 Thread Giovanni Paterno'
Thanks for your reply.

Regards

Giovanni Paterno

-Original message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Friday, 9 May 2014 17:46
To: Giovanni Paterno'
Cc: bind-users@lists.isc.org
Subject: Re: Bind 9.10 64 bit


In message c2b3930fd9ce014d9ddacf994b672c9f55d0c...@atlas2.dcsos-m.dcsos.it, 
Giovanni Paterno' writes:
 O.S. Windows 2008 R2 64 bit. Up to now I have used Bind 32 bit, now I
 see that a 64 bit version is available.
 Should I move to 64 bit version ? If yes is there any how to doc ?
 
 Giovanni Paterno
 
Uninstall the 32 bit version preserving data.  Install the 64 bit version.

9.10.0 changes the default install location so you may want to move your data 
across.

x86: CSIDL_PROGRAM_FILESX86
x64: CSIDL_PROGRAM_FILES

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Answer for a specific host, but recurse for all others within a zone

2014-05-09 Thread Jon Fullmer
Rich, you and Barry both touched on my original tactic. I can define
“something.xyz.com” as a master zone with a single entry. The problem, as
you pointed out, is that this doesn’t catch “www.something.xyz.com”.
Unfortunately, the “www” section will have any number of random hosts, so
putting in manual entries will be impractical.

I’m intrigued by the RPZ option. I’m not familiar with it. I realize that
it’s only available in 9.8.1 and above (which will require me to upgrade;
I’m using 9.7.3). I’ve been scouring the Net for examples, but they’re
typically targeted to one of RPZ’s main purposes (spam blacklisting,
etc.).

IF I’m following the config right, let’s say that the local server in my
example is 10.1.2.3:

 named.conf 

options {
   response-policy { “something.xyz.com”; };
};

zone “something.xyz.com” {
  type master;
  file “something.xyz.com.db”;
};

 something.xyz.com.db 

$TTL 900

@ IN SOA  soa.xyz.com.  hostmaster.xyz.com.   0001 900 900 604800 30
  IN NS localhost.

@ IN A 10.1.2.3
* IN CNAME .

 end 

Is this right? I guess the trick I’m trying to sort out is how to tell the
zone file to “recurse, if not explicitly ‘something.xyz.com’.” What else
am I leaving out?


 - Jon


On 5/8/14, 10:05 PM, Rich Goodson rgood...@gronkulator.com wrote:

On your resolver, create a zone called
something.xyz.com
and only have one entry, an A record for the zone itself.  something like
this:
---begin something.xyz.com zonefile---
something.xyz.com. in soa ns1.abc.com. hostmaster.abc.com. (
2014050901
3H
300
2W
3600 )
something.xyz.com.  in ns ns1.abc.com.
something.xyz.com.  in ns ns2.abc.com.
something.xyz.com.  in a  192.168.100.15
---end something.xyz.com zonefile---

This will still allow www.xyz.com and mail.xyz.com to resolve, but will
NOT 
recurse for www.something.xyz.com.  If you want that to resolve, you'll
have to 
add that to the zone as well, as you're claiming authority for
something.xyz.com and everything to the left of that as well.

It just occurred to me that you could also provide a local answer for a
single 
name with RPZ, which would give the benefit of continuing to recurse for
www.something.xyz.com.

-Rich



On May 9, 2014, at 1:15 AM, fullme...@ldschurch.org wrote:

 Does anyone know how I might configure bind to answer for a specific
host within the zone, but perform a recursive lookup for the rest of the
zone?
 
 For example, given the domain xyz.com, how might I configure a local
DNS server to resolve something.xyz.com to, maybe, a local server, but
still allow www.xyz.com, mail.xyz.com and www.something.xyz.com
to still recursively resolve?
 
 Is there a way?
 
 - Jon



 NOTICE: This email message is for the sole use of the intended recipient(s) 
and may contain confidential and privileged information. Any unauthorized 
review, use, disclosure or distribution is prohibited. If you are not the 
intended recipient, please contact the sender by reply email and destroy all 
copies of the original message.



Re: Answer for a specific host, but recurse for all others within a zone

2014-05-09 Thread Jon Fullmer
(Sorry, let's try that again WITHOUT smart quotes:)

Rich, you and Barry both touched on my original tactic. I can define
"something.xyz.com" as a master zone with a single entry. The problem, as
you pointed out, is that this doesn't catch "www.something.xyz.com".
Unfortunately, the "www" section will have any number of random hosts, so
putting in manual entries will be impractical.

I'm intrigued by the RPZ option. I'm not familiar with it. I realize that
it's only available in 9.8.1 and above (which will require me to upgrade;
I'm using 9.7.3). I've been scouring the Net for examples, but they're
typically targeted to one of RPZ's main purposes (spam blacklisting,
etc.).

IF I易m following the config right, let易s say that the local server in my
example is 10.1.2.3:

 named.conf 

options {
   response-policy { "something.xyz.com"; };
};

zone "something.xyz.com" {
  type master;
  file "something.xyz.com.db";
};

 something.xyz.com.db 

$TTL 900

@ IN SOA  soa.xyz.com.  hostmaster.xyz.com.   0001 900 900 604800 30
  IN NS localhost.

@ IN A 10.1.2.3
* IN CNAME .

 end 

Is this right? I guess the trick I'm trying to sort out is how to tell the
zone file to "recurse, if not explicitly 'something.xyz.com'." What else
am I leaving out?


 - Jon


On 5/8/14, 10:05 PM, Rich Goodson rgood...@gronkulator.com wrote:

On your resolver, create a zone called
something.xyz.com
and only have one entry, an A record for the zone itself.  something like
this:
---begin something.xyz.com zonefile---
something.xyz.com. in soa ns1.abc.com. hostmaster.abc.com. (
2014050901
3H
300
2W
3600 )
something.xyz.com.  in ns ns1.abc.com.
something.xyz.com.  in ns ns2.abc.com.
something.xyz.com.  in a  192.168.100.15
---end something.xyz.com zonefile---

This will still allow www.xyz.com and mail.xyz.com to resolve, but will
NOT 
recurse for www.something.xyz.com.  If you want that to resolve, you'll
have to 
add that to the zone as well, as you're claiming authority for
something.xyz.com and everything to the left of that as well.

It just occurred to me that you could also provide a local answer for a
single 
name with RPZ, which would give the benefit of continuing to recurse for
www.something.xyz.com.

-Rich



On May 9, 2014, at 1:15 AM, fullme...@ldschurch.org wrote:

 Does anyone know how I might configure bind to answer for a specific
host within the zone, but perform a recursive lookup for the rest of the
zone?
 
 For example, given the domain xyz.com, how might I configure a local
DNS server to resolve something.xyz.com to, maybe, a local server, but
still allow www.xyz.com, mail.xyz.com and www.something.xyz.com
to still recursively resolve?
 
 Is there a way?
 
 - Jon





 NOTICE: This email message is for the sole use of the intended recipient(s) 
and may contain confidential and privileged information. Any unauthorized 
review, use, disclosure or distribution is prohibited. If you are not the 
intended recipient, please contact the sender by reply email and destroy all 
copies of the original message.
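
The RPZ approach Rich suggests, sketched as an added example that is not part of the original thread or taken from the BIND distribution. It assumes a dedicated policy zone named rpz.local kept in a file db.rpz.local (both names are made up for this example) and reuses the 10.1.2.3 address from Jon's message; the policy zone is a separate zone, not the name being overridden.

```conf
# ---- named.conf fragment (merge into the existing options block) ----
options {
    recursion yes;
    # "rpz.local" is an assumed name for the policy zone.
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "db.rpz.local";
    # Policy data is consulted internally; clients never need to query it.
    allow-query { none; };
};

; ---- db.rpz.local (zone file for the policy zone) ----
$TTL 900
@   IN SOA localhost. hostmaster.localhost. (
        1        ; serial
        900      ; refresh
        900      ; retry
        604800   ; expire
        900 )    ; negative-caching TTL
    IN NS  localhost.

; Owner names are written relative to the policy zone (no trailing dot),
; so this trigger is stored as something.xyz.com.rpz.local and matches
; queries for exactly something.xyz.com.
something.xyz.com        IN A      10.1.2.3

; No wildcard entry is needed for "everything else": a name with no
; matching trigger is resolved normally, so www.something.xyz.com,
; www.xyz.com and mail.xyz.com still recurse.
; For contrast, these records WOULD rewrite names under something.xyz.com:
;   *.something.xyz.com  IN A      10.1.2.3   ; local answer for all subdomains
;   *.something.xyz.com  IN CNAME  .          ; NXDOMAIN for all subdomains
```

Running named-checkconf and `named-checkzone rpz.local db.rpz.local` validates the two files before a reload. By default RPZ leaves answers untouched for clients that request DNSSEC records when the real name is signed; the break-dnssec clause of response-policy changes that.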


Re: Answer for a specific host, but recurse for all others within a zone

2014-05-09 Thread Phil Mayers

On 09/05/2014 18:47, Jon Fullmer wrote:

(Sorry, let's try that again WITHOUT smart quotes:)


Yeaaahhh that did not work out so well:

Content-Type: text/plain; charset=big5

Your apostrophes ended up being a chinese character, CJK UNIFIED 
IDEOGRAPH-6613 according to Python's unicodedata.


Maybe try a better mail client ;o)


Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Kevin Darcy

On 5/9/2014 6:59 AM, Tony Finch wrote:

Dave Warren da...@hireahit.com wrote:

On 2014-05-08 15:09, Mark Andrews wrote:

But that does not help when you want a MX record at the apex or
some other record at the apex.

I'd argue that it does -- Since the record is now CNAME'd, the MX record is
now under the control of the destination of the CNAME record and MX records
can still be set.

Unfortunately CNAME-pointing-at-MX is an interop disaster area owing to
different MTA's differing opinions about whether it makes sense to rewrite
email addresses in this situation. Avoid.


I actually think that MX records were a boneheaded thing to do, had email
started using SRV records in the first place we might be in a position now
where using SRV records is the defacto standard if not the actual standard for
all services. (No offense to the folks that made MX records happen, I realize
that in historical context it was the correct decision and it solved the very
immediate problem -- I'm just saying that in an ideal world, SRV records
instead of MX records would solved the same problem in a more generic fashion,
and would have pushed us to a better place for other protocols)

It is interesting to look at the old RFCs and see how many false starts it
took to get to the MX design. Mail was the first heavily virtualized
application so I think their failure to generalize was forgivable,
especially since they were also dealing with the massive problem of
gatewaying between dozens of balkanized mail networks.

http://stuff.mit.edu/afs/athena/reference/net-directory/documents/JANET-Mail-Gateways.ps

Indeed. Hindsight is 20/20. Mail was the killer app for the early 
Internet, and providing a way to route it over the Internet, with 
automatic load-balancing and failover, was a major achievement. Sure, 
the IETF could have spent a few more years coming up with a generic 
way to do things, throwing in -- as SRV eventually did -- port 
reassignment, weighting and namespace semantics, but how much would that 
delay have stunted the growth of the nascent technology? Maybe it would 
have resulted in OSI/X.400 surpassing SMTP as the predominant mail 
transport, and we'd all be *miserable*.


- Kevin


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Alan Clegg
On 5/9/14, 2:06 PM, Timothe Litt wrote:
 If you have a suggestion for an important or popular OS version I should 
 add to our build farm, please let me know why.
 I have one suggestion:  get a Raspberry PI and build/run on it (the
 usual OS is Debian - 'Raspbian', but people run a variety of others.)

I do, but I don't have early access, so other than a brief yep, it
works, I can't get it into the README.  8-)


AlanC




Re: Multi-master (HA)

2014-05-09 Thread John Wobus

...if anyone has specific
thoughts on how to make this sort of thing easier in BIND -- even  
just at

the level of boy, it irritates me that I can't make BIND do X --
such comments will fall on welcoming ears.


I agree that it would be nice if effort were made into making flipping
masters straight-forward, i.e., not require a change to every zone  
declaration

and not force the operator to deal with zone files that suddenly need to
switch between binary and ascii.  (There may be good ways to do this now
that I'm unaware of.) (I've wondered why bind doesn't simply write an
ascii copy of the zone file in addition to the binary copy.)

Running multiple dynamic-dns masters would be absolutely fantastic  
except

of course when it didn't work.  Seems like a reason to have multiple
masters is to handle the case where some are unreachable, in
which case keeping them in synch becomes interesting.  If the main
point is to eliminate single points of failure, a three masters
with quorum system might serve the purpose.

I like the idea of configuring zone information in a zone, and think
it would be fun to be on the team brainstorming how to guard against
sneaky config attacks.

John Wobus
Cornell University IT


Re: bin 9.10 verbose logging

2014-05-09 Thread Carl Byington

On Sat, 2014-05-03 at 14:28 -0500, Jeremy C. Reed wrote:
 We didn't get a OPT record in response to a EDNS query. and also
 says We need to drop/remove the logging here when we have more
 experience.

Is there a sample dig query that can reproduce this? I see such a
message in my log files regarding domain of interest to me.

For the OP's question, presumably something like

dig dns2.osogrande.com  @207.66.8.132 +?




Re: Multi-master (HA)

2014-05-09 Thread Kevin Darcy


On 5/9/2014 3:01 PM, John Wobus wrote:

...if anyone has specific
thoughts on how to make this sort of thing easier in BIND -- even 
just at

the level of boy, it irritates me that I can't make BIND do X --
such comments will fall on welcoming ears.


I agree that it would be nice if effort were made into making flipping
masters straight-forward, i.e., not require a change to every zone 
declaration

and not force the operator to deal with zone files that suddenly need to
switch between binary and ascii.  (There may be good ways to do this now
that I'm unaware of.)


Where is the line drawn these days between DNS management protocols and 
provisioning protocols? Because, I've long thought the idea of feeding a 
config (i.e. the contents of a named.conf file) to a named instance 
via rndc would be an easy and secure way of quickly reconfiguring it 
to a different role (e.g. from master to slave, or _vice_versa_, for a 
whole bunch of views/zones in one fell swoop). Since the config is in a 
very regular, structured format, I'm sure some sort of encoding and/or 
compression could be employed to make the actual data transfer size 
fairly compact.


The only big gotcha that comes to mind here is if the named.conf is 
segmented via include files with different access privileges (e.g. not 
letting key definitions be world-readable), that segmentation/protection 
would need to be preserved on the receiving side.


- Kevin


Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Kevin Darcy

On 5/8/2014 5:13 PM, John Levine wrote:

DNSMadeEasy calls this an ANAME record, internally they just lookup
the destination's IP and cache it, updating it as needed.

It works, but it would be nice if this could be done in DNS. Sadly, it
can't, and probably won't in our lifetimes.

I do a similar thing in my DNS crudware, a pseudo-entry in the zone,
every time the background update script runs, it does A and AAAA
lookups and puts the results in the real zone, bumping the SOA serial
if the result changed since last time.  It's a crock, but one that we
all seem to want.

I suppose we could invent something like an ANAME (that's A and
AAAA name), that worked like a restricted CNAME and does an indirect
lookup only for A or AAAA requests.  Or overimplement it with a bitmap
of the RR types to indirect for.

Or, a bitmap of the RR types to *not* indirect for, which
a) often if not usually will be a shorter list (even in the zone apex 
case, you have 2 exclusions -- NS and SOA -- and typically 2 or more of 
A//MX/SPF/TXT as inclusions, potentially even more if the zone is 
DNSSEC-signed), and

b) would automatically cover new RR types as they are defined

As an implementation detail, zone-loading logic could, if desired, 
*automatically* set these bits based on what other record types with the 
same owner name are explicitly defined in the zone file (on the 
reasonable assumption that a data owner wouldn't explicitly define an 
RRset in a zone file, only to have it be hidden forever by an 
indirection record with the same owner name).


Of course, it's one thing to dream up a new RR type, quite another thing 
to get it standardized via the IETF and then change the installed base 
to actually recognize and use it. Also, during the (presumably long) 
transition period, you'd have to use EDNS0 signalling or something 
similar so that a server knows whether a client understands the new 
record type or not. If the client doesn't understand the new type, you 
need a fallback mechanism to cough up usable terminal-node records the 
old-fashioned way.


- Kevin
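
The automatic bit-setting described in this message, sketched as an added example (not from the thread and not an existing DNS or BIND feature). The `INDIRECT` pseudo-type, the zone contents and the target data are all hypothetical and constructed for illustration.

```python
# Hypothetical sketch: no such record type exists in DNS or BIND.
from collections import defaultdict

# Constructed zone data: (owner, type, rdata). "INDIRECT" is a made-up
# pseudo-type standing in for the proposed indirection record.
ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 2014050901 3600 900 604800 3600"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "INDIRECT", "www.hosting.example."),
    ("www.example.com.", "INDIRECT", "www.hosting.example."),
]

# Constructed stand-in for what a lookup of the indirection target returns.
TARGET_DATA = {
    ("www.hosting.example.", "A"): ["192.0.2.10"],
    ("www.hosting.example.", "AAAA"): ["2001:db8::10"],
    ("www.hosting.example.", "MX"): ["10 mx.hosting.example."],
}

def load_zone(records):
    """Index records by owner and derive each indirection's exclusion set."""
    by_owner = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        by_owner[owner][rtype].append(rdata)
    exclusions = {}
    for owner, rrsets in by_owner.items():
        if "INDIRECT" in rrsets:
            # Every type explicitly defined at this owner is *not* indirected,
            # so new RR types are covered by the indirection automatically.
            exclusions[owner] = frozenset(rrsets) - {"INDIRECT"}
    return by_owner, exclusions

def answer(by_owner, exclusions, qname, qtype):
    """Return (source, rdata list): local data wins, otherwise follow the target."""
    rrsets = by_owner.get(qname, {})
    if qtype in rrsets and qtype != "INDIRECT":
        return "local", rrsets[qtype]
    if qname in exclusions and qtype not in exclusions[qname]:
        target = rrsets["INDIRECT"][0]
        return "indirect", TARGET_DATA.get((target, qtype), [])
    return "nodata", []
```

At the apex the derived exclusion set is SOA, NS and MX, so mail keeps flowing to the locally defined exchanger while A and AAAA follow the target.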


Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Lawrence K. Chen, P.Eng.


On 05/07/14 23:32, Barry Margolin wrote:
 In article mailman.160.1399503258.26362.bind-us...@lists.isc.org,
  Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:
 
 Oh...I misread the question...guess DNAME isn't what's wanted

 just the apex to somewhere else

 Yeah...I currently just look up the name and enter A records.  But, I've
 wondered if there was another record type that allowed it to detect address
 changes of the requested 'CNAME'...so I wouldn't have to.  Especially, if the
 requested 'CNAME' is a name that is known to change its IP...
 
 Have the apex point to your own webserver, and have it send an HTTP 
 redirect to www.domain.com, which is CNAMEd to the third party domain.
 

I mentioned that option...but it doesn't work so well for https://example.com
(except maybe if they gave me their cert...though I have limited IPs - though
the new appliance supposedly does SNI...)


 Either that...or come up with a way to script it.
 
 That's what we did when I was at Akamai. Their custom DNS servers have 
 an option to resolve the domain apex by looking up another name and 
 returning its IP.
 

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) --  SafeZone Ally


Re: bin 9.10 verbose logging

2014-05-09 Thread Mark Andrews

In message 1399664632.4864.59.ca...@ns.five-ten-sg.com, Carl Byington writes:
 
 On Sat, 2014-05-03 at 14:28 -0500, Jeremy C. Reed wrote:
  We didn't get a OPT record in response to a EDNS query. and also
  says We need to drop/remove the logging here when we have more
  experience.
 
 Is there a sample dig query that can reproduce this? I see such a
 message in my log files regarding domain of interest to me.
 
 For the OP's question, presumably something like
 
 dig dns2.osogrande.com  @207.66.8.132 +?

Modern versions of DiG turn on EDNS by default.

+[no]edns[=version]
+[no]dnssec (implies +edns)

If there is an OPT record in the response you will see something
like this:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

or

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 72 6f 63 6b 2e 64 76 2e 69 73 63 2e 6f 72 67 (rock.dv.isc.org)
; SIT: 8cd65ccfb9f282d53599db62536d5c39ec27d9c7420ccbbe (good)
; EXPIRE: 2389987 (3 weeks 6 days 15 hours 53 minutes 7 seconds)

If you turn on some of the EDNS options (+sit +nsid +expire) in the
request.

+sit    (source identity token) provides 64 additional bits of randomness
        to make off path spoofing virtually impossible to achieve.  It
        also provides a method for servers to know they are talking to
        a client that they have talked to before so they don't need to
        rate limit responses (uses an experimental code point).
+nsid   (name server identifier)
+expire how long to go before the zone expires (code point 9 has been
        assigned for this, 9.10.0 uses an experimental code point and
        will be changed in 9.10.1 to the assigned code point).

Mark
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
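
What dig decodes when it prints the OPT PSEUDOSECTION shown in this message, as an added example (not from the thread or from BIND). The function names are this example's own, the sample record is constructed from the NSID and EXPIRE values in the output above, and SIT is left out because the message gives no code point for it.

```python
import struct

OPT_TYPE = 41                             # OPT pseudo-RR type (RFC 6891)
OPTION_NAMES = {3: "NSID", 9: "EXPIRE"}   # NSID per RFC 5001; 9 is the assigned EXPIRE code point

def build_opt(udp_size, options, version=0, do=False):
    """Encode an OPT pseudo-record (used here only to construct sample input)."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    ttl = (version << 16) | (0x8000 if do else 0)   # ext-rcode | version | DO + Z
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata

def parse_opt(rr):
    """Decode one OPT RR; raise ValueError on truncated or malformed input."""
    if len(rr) < 11 or rr[0] != 0:
        raise ValueError("OPT needs a root owner name and an 11-byte header")
    rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT record")
    rdata = rr[11:11 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("RDATA shorter than RDLENGTH")
    options, pos = [], 0
    while pos < rdlen:
        if pos + 4 > rdlen:
            raise ValueError("truncated option header")
        code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + olen > rdlen:
            raise ValueError("option length overruns RDATA")
        options.append((OPTION_NAMES.get(code, f"OPT{code}"), rdata[pos:pos + olen]))
        pos += olen
    return {"udp": udp_size, "version": (ttl >> 16) & 0xFF,
            "do": bool(ttl & 0x8000), "options": options}

# Constructed sample reusing the NSID bytes and EXPIRE value from the dig output.
SAMPLE = build_opt(4096, [(3, bytes.fromhex("726f636b2e64762e6973632e6f7267")),
                          (9, struct.pack("!I", 2389987))])

if __name__ == "__main__":
    print(parse_opt(SAMPLE))
```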


Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Lawrence K. Chen, P.Eng.


On 05/08/14 02:01, Dave Warren wrote:
 On 2014-05-07 15:54, Lawrence K. Chen, P.Eng. wrote:

 
 Though it was just a minor delay...for them to revert back to the old site,
 until they migrated their email accounts to the CNAME site as well
 
 You still can't CNAME the APEX of a zone even if you do migrate your email
 accounts to the CNAME site as you can't have a CNAME and SOA/NS records at the
 same level.
 

You're quoting out of context...I wasn't talking about CNAME for my APEX,
but CNAME for somebody's host...they used to do their own website, while using
our central email service.  But asking to change their hostname to be a CNAME
to an outside web hosting provider...kind of broke their email until they
moved to using the web hosting's email service.  Don't know if they moved
their accounts there, or just defined aliases up there to send it back to our
system... on our side I had virtusertable entries to map the store email
addresses to their real accounts, though we switched email providers
recently...and I recently heard rumblings that some subdomains wanting to use
google apps to solve the problems they're having with our email provider.

Which is easier for those that have their subdomains delegated to
them...though I haven't been told that I need to stop fulfilling requests to
add verification strings for other department subdomains

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) --  SafeZone Ally


Re: Re: AIX and 9.9.5 compiling

2014-05-09 Thread Timothe Litt
On 09-May-14 14:53, Alan Clegg wrote:
 I do, but I don't have early access, so other than a brief yep, it
 works, I can't get it into the README.  8-)
I'm glad that you make that effort. 

 I was responding to Jeremy's solicitation for suggestions on what
should be done more officially/thoroughly.   (Including routine builds
during development.)

Including ARM - native and cross-compiled - would support parts of the
community that don't get much attention (nor make much noise.)   
Embedded and cross-architecture compilers.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

This communication may not represent my employer's views,
if any, on the matters discussed. 

On 09-May-14 14:53, Alan Clegg wrote:
 On 5/9/14, 2:06 PM, Timothe Litt wrote:
 If you have a suggestion for an important or popular OS version I should 
 add to our build farm, please let me know why.
 I have one suggestion:  get a Raspberry PI and build/run on it (the
 usual OS is Debian - 'Raspbian', but people run a variety of others.)
 I do, but I don't have early access, so other than a brief yep, it
 works, I can't get it into the README.  8-)


 AlanC




