How to set a proxy using DHCP

2018-03-10 Thread Steve Frazier via bind-users
I am new to the list and looking for a FAQ to determine how/if I can set up 
DHCP to put out a proxy to my workstations of workstation getting an IP address 
via DHCP.
This is for dhcpd 8 installed on CentOS 6.9
TIA.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-10 Thread Matthew Pounsett
On 10 March 2018 at 04:08, Matus UHLAR - fantomas  wrote:

> Cathy Almond  wrote:
>>
>>> The rs.dns-oarc.net zone is broken because it returns a CNAME for
>>> queries at the apex.
>>>
>>
> On 09.03.18 15:23, Tony Finch wrote:
>
>> I just got a problem report from a user who has a few personal domains
>> with CNAME at apex that used to work (or at least appeared to work) but
>> no longer do.
>>
>> I've said that the domains are misconfigured, but since this is a
>> relatively widespread misconfiguration, I think it's likely to cause
>> more complaints. Tiresome.
>>
>
> it's the very common result of misconfiguration that something sometimes
> does not work, while sometimes it does.
>

Apex CNAMEs, in particular, have nondeterministic failure modes.  In that,
each resolver deals differently with this misconfiguration, since by
definition there is no correct way to deal with it.  Some resolvers find a
way to gloss over the problem, and others fail hard making the domain name
and everything below it unresolvable for the TTL of either the apex NS set
or the TTL of the CNAME itself, depending on which way it breaks.

Best to just stop doing that so that whether the domain works doesn't
depend on which resolver you're trying to use.
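
Added example, not part of the original thread: a check a zone operator could run to catch the misconfiguration discussed above before resolvers trip over it. It flags every owner name where a CNAME coexists with other record types (the apex always carries SOA and NS, so a CNAME there always conflicts). The parser covers only a simplified zone-file subset (one record per line, numeric TTLs), and the zone contents and the names example.test and target.example.net are constructed placeholders.

```python
# Added example: flag owner names where a CNAME coexists with other record types.
from collections import defaultdict

# Constructed sample zone; example.test and the CNAME target are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@     3600 IN SOA   ns1 hostmaster 1 7200 900 1209600 300
      3600 IN NS    ns1
@      300 IN CNAME target.example.net.  ; CNAME at the apex
ns1   3600 IN A     192.0.2.53
www    300 IN CNAME target.example.net.  ; fine: nothing else at www
"""

CLASSES = {"IN", "CH", "HS"}
MAY_SHARE = {"CNAME", "RRSIG", "NSEC"}  # RRSIG/NSEC may sit beside a CNAME (RFC 4035)

def absolute(name, origin):
    if name == "@":
        return origin
    return (name if name.endswith(".") else name + "." + origin.lstrip(".")).lower()

def parse(zone_text):
    """Return (apex, {owner: set of record types})."""
    origin, owner, apex, types = ".", None, None, defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]            # drop comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if not line[0].isspace():              # owner in column one, else inherited
            owner = absolute(fields.pop(0), origin)
        while fields[0].isdigit() or fields[0].upper() in CLASSES:
            fields.pop(0)                      # skip TTL and class
        rtype = fields[0].upper()
        types[owner].add(rtype)
        apex = owner if rtype == "SOA" else apex   # the SOA owner is the apex
    return apex, types

def cname_conflicts(zone_text):
    """List (owner, other_types, is_apex) where a CNAME shares a name."""
    apex, types = parse(zone_text)
    return [(owner, sorted(seen - MAY_SHARE), owner == apex)
            for owner, seen in sorted(types.items())
            if "CNAME" in seen and seen - MAY_SHARE]

print(cname_conflicts(SAMPLE_ZONE))
```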


Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-10 Thread Matus UHLAR - fantomas

Cathy Almond  wrote:
>> The rs.dns-oarc.net zone is broken because it returns a CNAME for
>> queries at the apex.

On 09.03.18 15:23, Tony Finch wrote:
> I just got a problem report from a user who has a few personal domains
> with CNAME at apex that used to work (or at least appeared to work) but
> no longer do.
>
> I've said that the domains are misconfigured, but since this is a
> relatively widespread misconfiguration, I think it's likely to cause
> more complaints. Tiresome.

it's the very common result of misconfiguration that something sometimes
does not work, while sometimes it does.

I usually advise people to fix things instead of complaining that something
"misconfigured doesn't work sometimes" - that is the definition of
misconfiguration, isn't it?

especially DNS, with caching, TTLs and DNSSEC - there's not enough room for
making every possible mistake and expecting it to work.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton


Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-10 Thread Tony Finch
Evan Hunt  wrote:
>
> In 9.12.1 and the other upcoming maintenance releases, we've just reverted
> the change to validator.c that caused the problems. (That turns out to have
> the exact same effect as your patch does.)

Great, that will please my user, and I can use NTAs to work around the
problem until then.

> Apex CNAMEs are bogus, of course, but we do need to cope with them when
> they appear. We're going to revisit this issue in 9.12.2, once we've
> figured out how to solve the one problem without causing the other one.

I have said this already so I'm at risk of being a bore, but it would be
super cool if BIND could make use of the DS records (or PNEs) it gets in
referrals, instead of re-fetching them during validation. It should
provide a nice speed-up, as well as allowing the validator to avoid
looking into insecure subtrees, which will have the side-effect of
avoiding problems with apex CNAMEs.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Fisher: Easterly 6 to gale 8, increasing severe gale 9 for a time in north.
Moderate or rough, occasionally very rough in north. Rain. Moderate or poor.


Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-10 Thread Evan Hunt
On Sat, Mar 10, 2018 at 06:30:41PM +, Tony Finch wrote:
> I have said this already so I'm at risk of being a bore, but it would be
> super cool if BIND could make use of the DS records (or PNEs) it gets in
> referrals, instead of re-fetching them during validation. It should
> provide a nice speed-up, as well as allowing the validator to avoid
> looking into insecure subtrees, which will have the side-effect of
> avoiding problems with apex CNAMEs.

Yep, that's one of the approaches we've discussed.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-10 Thread Mark Andrews
While it will speed up things slightly it won’t avoid the issue as TTLs vary. 

-- 
Mark Andrews

> On 11 Mar 2018, at 05:30, Tony Finch  wrote:
> 
> Evan Hunt  wrote:
>> 
>> In 9.12.1 and the other upcoming maintenance releases, we've just reverted
>> the change to validator.c that caused the problems. (That turns out to have
>> the exact same effect as your patch does.)
> 
> Great, that will please my user, and I can use NTAs to work around the
> problem until then.
> 
>> Apex CNAMEs are bogus, of course, but we do need to cope with them when
>> they appear. We're going to revisit this issue in 9.12.2, once we've
>> figured out how to solve the one problem without causing the other one.
> 
> I have said this already so I'm at risk of being a bore, but it would be
> super cool if BIND could make use of the DS records (or PNEs) it gets in
> referrals, instead of re-fetching them during validation. It should
> provide a nice speed-up, as well as allowing the validator to avoid
> looking into insecure subtrees, which will have the side-effect of
> avoiding problems with apex CNAMEs.
> 
> Tony.
> -- 
> f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
> Fisher: Easterly 6 to gale 8, increasing severe gale 9 for a time in north.
> Moderate or rough, occasionally very rough in north. Rain. Moderate or poor.