How to set a proxy using DHCP
I am new to the list and looking for a FAQ to determine how/if I can set up DHCP to put out a proxy to my workstations of workstation getting an IP address via DHCP. This is for dhcpd 8 installed on CentOS 6.9.

TIA.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12
On 10 March 2018 at 04:08, Matus UHLAR - fantomas wrote:

> Cathy Almond wrote:
>>
>>> The rs.dns-oarc.net zone is broken because it returns a CNAME for
>>> queries at the apex.
>>>
>>
> On 09.03.18 15:23, Tony Finch wrote:
>
>> I just got a problem report from a user who has a few personal domains
>> with CNAME at apex that used to work (or at least appeared to work) but
>> no longer do.
>>
>> I've said that the domains are misconfigured, but since this is a
>> relatively widespread misconfiguration, I think it's likely to cause
>> more complaints. Tiresome.
>>
>
> it's the very common result of misconfiguration that something sometimes
> does not work, while sometimes it does.
>

Apex CNAMEs, in particular, have nondeterministic failure modes. In that, each resolver deals differently with this misconfiguration, since by definition there is no correct way to deal with it. Some resolvers find a way to gloss over the problem, and others fail hard making the domain name and everything below it unresolvable for the TTL of either the apex NS set or the TTL of the CNAME itself, depending on which way it breaks.

Best to just stop doing that so that whether the domain works doesn't depend on which resolver you're trying to use.

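A zone-file check for the misconfiguration discussed in this thread, added here as an example and not part of any poster's message or of BIND: it flags every owner name where a CNAME coexists with other data, which at the apex is always the case because the SOA and NS records live there. The function names and the sample zone are constructed for illustration, and the parser assumes a simplified master file (one record per line, no parenthesised continuations).

```python
import re

# Types DNSSEC places beside a CNAME in a signed zone; not a conflict.
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}
TTL_RE = re.compile(r"(\d+[smhdw]?)+", re.I)

# Constructed sample zone for example.com. (not taken from the thread).
SAMPLE_ZONE = """\
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
     IN NS    ns1.example.com.
     IN CNAME web.example.net.
www  IN CNAME web.example.net.
ns1  IN A     192.0.2.53
mail 300 IN CNAME mx.example.net.
mail IN MX    10 mx.example.net.
"""

def fqdn(name, origin):
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text, origin):
    """Return (owner, type) pairs from a simplified master file: one record
    per line, no parenthesised continuations, no ';' inside quoted data."""
    origin = origin.lower()
    owner, records = origin, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if line.startswith("$"):                # $ORIGIN is honoured, $TTL ignored
            if fields[0].upper() == "$ORIGIN":
                origin = fqdn(fields[1], origin)
            continue
        if not line[0].isspace():               # blank owner inherits the previous one
            owner = fqdn(fields.pop(0), origin)
        while fields and (TTL_RE.fullmatch(fields[0]) or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                       # skip optional TTL and class
        if fields:
            records.append((owner, fields[0].upper()))
    return records

def cname_conflicts(text, origin):
    """List (owner, is_apex, other_types) for names holding a CNAME plus other data."""
    types = {}
    for owner, rtype in parse_zone(text, origin):
        types.setdefault(owner, set()).add(rtype)
    return [(owner, owner == origin.lower(), sorted(ts - {"CNAME"} - ALLOWED_WITH_CNAME))
            for owner, ts in types.items()
            if "CNAME" in ts and ts - {"CNAME"} - ALLOWED_WITH_CNAME]

if __name__ == "__main__":
    for owner, is_apex, others in cname_conflicts(SAMPLE_ZONE, "example.com."):
        print(("APEX " if is_apex else "") + f"{owner}: CNAME coexists with {', '.join(others)}")
```
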
Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12
Cathy Almond wrote:
>> The rs.dns-oarc.net zone is broken because it returns a CNAME for
>> queries at the apex.

On 09.03.18 15:23, Tony Finch wrote:
> I just got a problem report from a user who has a few personal domains
> with CNAME at apex that used to work (or at least appeared to work) but
> no longer do.
>
> I've said that the domains are misconfigured, but since this is a
> relatively widespread misconfiguration, I think it's likely to cause
> more complaints. Tiresome.

it's the very common result of misconfiguration that something sometimes does not work, while sometimes it does.

I usually advise people to fix things instead of complaining that something "misconfigured doesn't work sometimes" - that is the definition of misconfiguration, isn't it?

especially DNS, with caching, TTLs and DNSSEC - there's not enough room for making every possible mistake and expecting it to work.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton

Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12
Evan Hunt wrote:
>
> In 9.12.1 and the other upcoming maintenance releases, we've just reverted
> the change to validator.c that caused the problems. (That turns out to have
> the exact same effect as your patch does.)

Great, that will please my user, and I can use NTAs to work around the problem until then.

> Apex CNAMEs are bogus, of course, but we do need to cope with them when
> they appear. We're going to revisit this issue in 9.12.2, once we've
> figured out how to solve the one problem without causing the other one.

I have said this already so I'm at risk of being a bore, but it would be super cool if BIND could make use of the DS records (or PNEs) it gets in referrals, instead of re-fetching them during validation. It should provide a nice speed-up, as well as allowing the validator to avoid looking into insecure subtrees, which will have the side-effect of avoiding problems with apex CNAMEs.

Tony.
-- 
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Fisher: Easterly 6 to gale 8, increasing severe gale 9 for a time in north.
Moderate or rough, occasionally very rough in north. Rain. Moderate or poor.

Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12
On Sat, Mar 10, 2018 at 06:30:41PM +, Tony Finch wrote:
> I have said this already so I'm at risk of being a bore, but it would be
> super cool if BIND could make use of the DS records (or PNEs) it gets in
> referrals, instead of re-fetching them during validation. It should
> provide a nice speed-up, as well as allowing the validator to avoid
> looking into insecure subtrees, which will have the side-effect of
> avoiding problems with apex CNAMEs.

Yep, that's one of the approaches we've discussed.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12
While it will speed up things slightly it won’t avoid the issue as TTLs vary.

-- 
Mark Andrews

> On 11 Mar 2018, at 05:30, Tony Finch wrote:
>
> Evan Hunt wrote:
>>
>> In 9.12.1 and the other upcoming maintenance releases, we've just reverted
>> the change to validator.c that caused the problems. (That turns out to have
>> the exact same effect as your patch does.)
>
> Great, that will please my user, and I can use NTAs to work around the
> problem until then.
>
>> Apex CNAMEs are bogus, of course, but we do need to cope with them when
>> they appear. We're going to revisit this issue in 9.12.2, once we've
>> figured out how to solve the one problem without causing the other one.
>
> I have said this already so I'm at risk of being a bore, but it would be
> super cool if BIND could make use of the DS records (or PNEs) it gets in
> referrals, instead of re-fetching them during validation. It should
> provide a nice speed-up, as well as allowing the validator to avoid
> looking into insecure subtrees, which will have the side-effect of
> avoiding problems with apex CNAMEs.
>
> Tony.
> --
> f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
> Fisher: Easterly 6 to gale 8, increasing severe gale 9 for a time in north.
> Moderate or rough, occasionally very rough in north. Rain. Moderate or poor.