bind-9.8.1 - make error with MySQL DLZ
I am getting an undefined reference error when running make on bind-9.8.1. Error message at bottom.

    export CPPFLAGS="-I/usr/lib64/mysql $CPPFLAGS"
    export LDFLAGS="-L/usr/lib64/mysql $LDFLAGS"
    export LD_LIBRARY_PATH="/usr/lib64/mysql"

    # ./configure --prefix=/usr/local/bind --disable-openssl-version-check --with-dlz-mysql=yes

In another attempt, manually added:

    DBDRIVER_INCLUDES = -I/usr/include/mysql
    DBDRIVER_LIBS = -L/usr/lib64/mysql

to bin/named/Makefile.in. No success.

Installed Packages:

    gcc.x86_64            4.1.2-50.el5          installed
    mysql-devel.x86_64    5.5.15-1.el5.remi     installed
    openssl-devel.x86_64  0.9.8e-12.el5_5.7     installed
    unixODBC-devel.x86_64 2.2.11-7.1            installed

MAKE ERROR:

    1; mv namedtmp2 named; rm -f namedtmp0 namedtmp1 namedtmp2 named-symtbl2.c; fi
    dlz_mysql_driver.o: In function `mysql_get_resultset':
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:279: undefined reference to `sdlzh_build_querystring'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:282: undefined reference to `sdlzh_build_querystring'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:285: undefined reference to `sdlzh_build_querystring'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:288: undefined reference to `sdlzh_build_querystring'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:291: undefined reference to `sdlzh_build_querystring'
    dlz_mysql_driver.o:/root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:294: more undefined references to `sdlzh_build_querystring' follow
    dlz_mysql_driver.o: In function `mysql_create':
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:823: undefined reference to `sdlzh_get_parameter_value'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:833: undefined reference to `sdlzh_get_parameter_value'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:857: undefined reference to `sdlzh_build_sqldbinstance'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:902: undefined reference to `sdlzh_get_parameter_value'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:909: undefined reference to `sdlzh_get_parameter_value'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:916: undefined reference to `sdlzh_get_parameter_value'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:924: undefined reference to `sdlzh_get_parameter_value'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:925: undefined reference to `sdlzh_get_parameter_value'
    dlz_mysql_driver.o:/root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:926: more undefined references to `sdlzh_get_parameter_value' follow
    dlz_mysql_driver.o: In function `mysql_create':
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:963: undefined reference to `sdlzh_destroy_sqldbinstance'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:861: undefined reference to `sdlzh_build_sqldbinstance'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:865: undefined reference to `sdlzh_build_sqldbinstance'
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:870: undefined reference to `sdlzh_build_sqldbinstance'
    dlz_mysql_driver.o: In function `mysql_destroy':
    /root/bind-9.8.1/bin/named/../../contrib/dlz/drivers/dlz_mysql_driver.c:1003: undefined reference to `sdlzh_destroy_sqldbinstance'
    collect2: ld returned 1 exit status
    make[2]: *** [named] Error 1
    make[2]: Leaving directory `/root/bind-9.8.1/bin/named'
    make[1]: *** [subdirs] Error 1
    make[1]: Leaving directory `/root/bind-9.8.1/bin'
    make: *** [subdirs] Error 1

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Accidentally ran rndc-confgen on a working BIND box
Try using rndc to see if it's broke.

    rndc status

You may need to add a path to the rndc binary if it's not in your $PATH env vars. Or maybe -c to the location of your rndc config. In your named.conf you should have a rndc statement with the key name and value. You can recreate your rndc config / key with that if needed.

Nov 24, 2024 6:36:57 PM Luis Navarro :
> I've been running BIND on Ubuntu 22.04 for over a year and it has been running perfectly as my primary DNS server. I'm currently using BIND 9.18.28.
>
> I'm currently setting up BIND on another box (as a secondary DNS server) and accidentally just ran "sudo rndc-confgen -a" on the first box. From what I can tell, running this command overwrote the previously installed "/etc/bind/rndc.key" file with a new one.
>
> I'm vaguely familiar with rndc but don't think I've ever used it directly. It is possible the BIND tools I typically use call it. Anyway, the first box **seems** to still be working normally.
>
> *Questions:* Did I break anything by running "rndc-confgen"? Is there anything else I need to do on the first box to move forward with the new key file? Or should I restore the key file from a backup?
>
> Thanks in advance!
> Luis
Re: localhost name lookup
I did, but my thought would be it's up to the dns admin to define those zone configurations as you have done. I may be wrong though.

Jan 12, 2025 6:36:03 PM Lee :
> On Sun, Jan 12, 2025 at 5:15 PM Eric wrote:
>>
>> That means that the 'domain' is reserved and can be used locally. It doesn't specify all records in that namespace / domain will resolve to 127.0.0.1.
>>
>> Think of it like .com
>>
>> If you want every A record in *.localhost to resolve to 127.0.0.1 what you did will do that.
>
> Did you look at the RFC?
>
>    4. Caching DNS servers SHOULD recognize localhost names as special
>       and SHOULD NOT attempt to look up NS records for them, or
>       otherwise query authoritative DNS servers in an attempt to
>       resolve localhost names. Instead, caching DNS servers SHOULD,
>       for all such address queries, generate an immediate positive
>       response giving the IP loopback address...
>
>    5. Authoritative DNS servers SHOULD recognize localhost names as
>       special and handle them as described above for caching DNS
>       servers.
>
> So OK.. SHOULD isn't the same as MUST so bind as configured isn't violating that RFC. But is there a _good_ reason to not follow the SHOULD recommendation?
>
> Thanks,
> Lee
>
>> Jan 12, 2025 4:38:09 PM Lee:
>>
>>> Excuse my ignorance, but
>>>
>>> https://datatracker.ietf.org/doc/html/rfc6761#section-6.3
>>>
>>>    The domain "localhost." and any names falling within ".localhost."
>>>    are special in the following ways:
>>>
>>> sure seems to mean that if I lookup curlmachine.localhost I should get a 127.0.0.1 or ::1 address returned. Correct?
>>>
>>> I had to change my db.local file to
>>>
>>> $ cat db.local
>>> ;
>>> ; BIND data file for local loopback interface
>>> ;
>>> $TTL 604800
>>> @       IN      SOA     localhost. root.localhost. (
>>>                         3         ; Serial
>>>                         604800    ; Refresh
>>>                         86400     ; Retry
>>>                         2419200   ; Expire
>>>                         604800 )  ; Negative Cache TTL
>>> ;
>>> @       IN      NS      localhost.
>>> @       IN      A       127.0.0.1
>>> @       IN      AAAA    ::1
>>>
>>> *       IN      A       127.0.0.1
>>>         IN      AAAA    ::1
>>>
>>> to make localhost and curl.localhost work.
>>>
>>> Is this wrong? and if so, why?
>>>
>>> TIA,
>>> Lee
Re: localhost name lookup
That means that the 'domain' is reserved and can be used locally. It doesn't specify all records in that namespace / domain will resolve to 127.0.0.1.

Think of it like .com

If you want every A record in *.localhost to resolve to 127.0.0.1 what you did will do that.

Jan 12, 2025 4:38:09 PM Lee :
> Excuse my ignorance, but
>
> https://datatracker.ietf.org/doc/html/rfc6761#section-6.3
>
>    The domain "localhost." and any names falling within ".localhost."
>    are special in the following ways:
>
> sure seems to mean that if I lookup curlmachine.localhost I should get a 127.0.0.1 or ::1 address returned. Correct?
>
> I had to change my db.local file to
>
> $ cat db.local
> ;
> ; BIND data file for local loopback interface
> ;
> $TTL 604800
> @       IN      SOA     localhost. root.localhost. (
>                         3         ; Serial
>                         604800    ; Refresh
>                         86400     ; Retry
>                         2419200   ; Expire
>                         604800 )  ; Negative Cache TTL
> ;
> @       IN      NS      localhost.
> @       IN      A       127.0.0.1
> @       IN      AAAA    ::1
>
> *       IN      A       127.0.0.1
>         IN      AAAA    ::1
>
> to make localhost and curl.localhost work.
>
> Is this wrong? and if so, why?
>
> TIA,
> Lee
Re: My Introduction and current issues -
I get a feeling this is going to be less of a bind issue, and more so some other configuration issue(s).

From the instance with bind running, can you query both your defined forwarders? Does it work consistently for a variety of domains?

    dig @1.1.1.1 isc.org
    dig @8.8.8.8 isc.org

From the clients can you use nslookup or dig to query the bind instance directly by specifying the ip and get consistent resolution from it for different names?

Have you validated the DNS server IPs that are assigned to the clients have the correct IP(s) set for the bind server?

Is the browser using the OS settings for dns, or are they trying to do DNS over https directly out to the Internet to other dns servers?

Are you sure there is only 1 dhcp service active on the network? Is the WAP doing dhcp as well and giving conflicting options maybe?

May 9, 2025 6:58:47 PM bi...@clearviz.biz:
> Howdy all! My name is Arnold, and I'm new to both Bind9 and to the Bind user's list. I'm hoping to contribute my findings on the use of Bind9 in the future but, for now, I need some help in getting my 1st install of Bind 9.18 performing well. It does run already, but does not perform well at all. I'll explain.
>
> First, a quick bit of history. I run a home network (a full domain structure) and, for the past 23 years, I ran a server (Windows Server 2003) as a full Primary Domain Controller in my home network. I ran DHCP, DNS and AD on that server. It worked great and had extremely fast responses for DNS forwarding. Very rarely was there ever a failure (i.e. "Site not found" or "No Internet Access") etc. And it ran great for almost 23 years until this past Easter Sunday, when it died a nasty hardware death. I deemed it unworthy of repairing. This because, 2 years ago, I began building two new mid-tower machines (Intel Core i7) and was going to install Ubuntu Server (22.04) on one and the 22.04 client on the other. I completed the client machine and it is up and running perfectly. I held off on the server as my Win2003 server was still running. But not anymore.
>
> I resumed the build of the Ubuntu Server (22.04). I installed ISC-DHCP-Server for DHCP (I know Kea is available but I read where that needs Ubuntu 24.xx+). I also installed Bind9.18 as the DNS server. The DHCP server is working perfectly. No issues at all. Very happy with it. The Bind9.18, not so much. BTW, I'll deal with an AD replacement later if at all (Samba, Kerberos or something similar).
>
> The following are the behavioral symptoms of the current Bind9.18 install.
>
> 1. Links/URLs - Links/URLs submitted in a browser (especially a link not used before or not after a long while) often take a very long time to render and often fail with a "Can't access that site" or "No Internet Access" error. If I keep refreshing the same link/URL multiple times, eventually the webpage will render correctly. And the site will continue to render correctly as long as I keep it active by clicking other links, etc. on the page. But once there has been a period of inactivity (usually 1/2 to 1 hr), it goes back to the original behavior, requiring another cycle of "refreshes" and "site not found" errors, before it renders correctly again. That said, I'm starting to see continuity on the URLs/Links I use on a daily basis (i.e. only once a day).
> 2. When using "ping," if I ping the hard IP, it works correctly. If I use the domain name with Ping, it fails on a "name resolution" error. However, using "nslookup" with the same domain names does work correctly. Cannot use traceroute as it is not presently installed and attempting to install it gives "Temporary failure resolving the ubuntu archive DBs".
> 3. Devices that had connected to my Wireless access point (WAP) that are "DNS dependent" also fail due to "No Internet access," including my smartphone in Wifi Mode. My phone does not fail when in "5G" mode, but that's expensive. FTR, my router is "wired" but I have a WAP connected to it via Ethernet. Devices that connect to it can get DHCP service, but fail when DNS is attempted. My laptops do not connect via WiFi anymore. I can get one of my laptops connected if I "Tether" it to my smartphone while in "5G" mode.
>
> All of the above leads me to believe that Bind 9 may not be configured correctly to allow for the best possible performance/response times by the forwarding servers (8.8.8.8 and 1.1.1.1). I have attached my named.conf.options file and .local file. The named.conf file only has includes for .options and .local conf files. The .default-zones file is commented out.
>
> If you need other info about my configuration and setup, please feel free to ask and I'll do my best to provide it.
>
> Thank you all so much and I look forward to learning from you.
>
> Regards,
> Arnold
Re: My Introduction and current issues -
Based on that I'm pretty confident you can remove this as being a general DNS server issue. I would not attempt to even change the configuration in bind at this point, so as not to introduce more potential changes into your env, as doing those tests will have mostly validated the DNS server is working as expected. If you can query out from the bind server, and your clients can query it without an issue, I would be looking into other network connectivity issues that could be going on. Could be a variety of issues like if you are using a local proxy, IP conflicts, browser settings using https for dns, isp issues? The errors and behavior you are describing don't stick out to me as a "dns issue".

May 9, 2025 11:06:08 PM bi...@clearviz.biz:
>> From the instance with bind running, can you query both your defined forwarders? Does it work consistently for a variety of domains?
>>
>> dig @1.1.1.1 isc.org
>> dig @8.8.8.8 isc.org
>
> *Yes, it does. The above two commands work as well as several other domains I tried, and the response has been immediate.*
>
>> From the clients can you use nslookup or dig to query the bind instance directly by specifying the ip and get consistent resolution from it for different names?
>
> *Yes. From my Windows 7 desktop client I use the "Command Prompt" with "nslookup" and get perfect and immediate results by specifying my DNS server's hard IP. Furthermore, I ran the same command with no server specified and it defaulted to my server's BIND instance and gave the same immediate results. Unfortunately, I do not have "dig" on my Windows7 clients.*
>
>> Have you validated the DNS server IPs that are assigned to the clients have the correct IP(s) set for the bind server?
>
> *Yes, they all do. They are set to the machine's IP on which the DNS instance is running.*
>
>> Are you sure there is only 1 dhcp service active on the network? Is the WAP doing dhcp as well and giving conflicting options maybe?
>
> *Yes, there is only one (1). The WAP is not capable of performing DHCP service. It only passes through requests to the DHCP server on my machine. I can verify this by examining the list of active leases on my DHCP server.*
>
> On 2025-05-09 18:33, Eric wrote:
>
>> I get a feeling this is going to be less of a bind issue, and more so some other configuration issue(s).
>>
>> From the instance with bind running, can you query both your defined forwarders? Does it work consistently for a variety of domains?
>>
>> dig @1.1.1.1 isc.org
>> dig @8.8.8.8 isc.org
>>
>> From the clients can you use nslookup or dig to query the bind instance directly by specifying the ip and get consistent resolution from it for different names?
>>
>> Have you validated the DNS server IPs that are assigned to the clients have the correct IP(s) set for the bind server?
>>
>> Is the browser using the OS settings for dns, or are they trying to do DNS over https directly out to the Internet to other dns servers?
>>
>> Are you sure there is only 1 dhcp service active on the network? Is the WAP doing dhcp as well and giving conflicting options maybe?
>>
>> May 9, 2025 6:58:47 PM bi...@clearviz.biz:
>>
>>> Howdy all! My name is Arnold, and I'm new to both Bind9 and to the Bind user's list. I'm hoping to contribute my findings on the use of Bind9 in the future but, for now, I need some help in getting my 1st install of Bind 9.18 performing well. It does run already, but does not perform well at all. I'll explain.
>>>
>>> First, a quick bit of history. I run a home network (a full domain structure) and, for the past 23 years, I ran a server (Windows Server 2003) as a full Primary Domain Controller in my home network. I ran DHCP, DNS and AD on that server. It worked great and had extremely fast responses for DNS forwarding. Very rarely was there ever a failure (i.e. "Site not found" or "No Internet Access") etc. And it ran great for almost 23 years until this past Easter Sunday, when it died a nasty hardware death. I deemed it unworthy of repairing. This because, 2 years ago, I began building two new mid-tower machines (Intel Core i7) and was going to install Ubuntu Server (22.04) on one and the 22.04 client on the other. I completed the client machine and it is up and
secure statistics page
Hello,

I'm looking for help here because I haven't found any information in the documentation (or I haven't found it). I've activated Bind's statistics; to test I've set port 8080. So I can make http requests on port 8080, it works. But I'd like to secure the page: is it possible to switch to https and therefore use an SSL certificate?

Thank you for your help.

OS: Debian 12, BIND: 9.18
masters ordering in named.conf
I have a question with regards to ordering of masters in slave zones. In the example below, will the slave zone try these in order each and every time? In other words, I'm hoping that each time a zone transfer is started by this slave, it will always try 10.250.250.115 first, and if that doesn't work, try 10.60.50.50, then 10.60.50.51..., or does it choose at random?

    zone "example.net" {
        type slave;
        file "zones/example.net";
        masters {
            10.250.250.115;
            10.60.50.50;
            10.60.50.51;
            1.2.3.4;
            5.6.7.8;
            10.10.10.10;
        };
    };

Thanks,
Eric Chandler
Systems Architect
23 Main Street, Holmdel, NJ 07733
732.203.7437 | 732.284.8504 (iPhone)
eric.chand...@vonage.com | www.vonage.com
Split DNS and zone transfers
I have a situation where I need to filter out our private infrastructure from our public-facing DNS servers. This is certainly something that should have been done a long time ago, but I just recently took over the spot. Now, I've seen plenty of examples using views and separate zonefiles, but what I can't find are examples of the same domain zone-xfering both zonefiles.

Our DNS infrastructure is large and the configuration varies from server type to server type. Some are configured to be the primary auth servers - facing the Internet. Others are public-facing, but accessed only by customer devices, and still others service our internal systems. I would like to get us down to just 1 set of configuration files across the board, using views as the way to do it, but what I can't get around are split zone transfers.

In this example, we have a straightforward example of a split zone:

    view "trusted" {
        match-clients { 192.168.23.0/24; }; // our network
        recursion yes;
        // other view statements as required
        zone "example.com" {
            type master;
            // private zone file including local hosts
            file "internal/master.example.com";
        };
        // add required zones
    };

    view "badguys" {
        match-clients { "any"; }; // all other hosts
        // recursion not supported
        recursion no;
        // other view statements as required
        zone "example.com" {
            type master;
            // public only hosts
            file "external/master.example.com";
        };
        // add required zones
    };

Now, what I would like to have are slave servers that would zone-xfer both the internal and external-flavored files for example.com and serve them using the same view structure. The hidden masters can generate the split zone files based on private IP address ranges, but I see no way to use zone transfers to get both types of files replicated to the many slave servers that I would need to get them to.

This obviously won't work, but this is what I'm after from a logical sense.

    view "trusted" {
        match-clients { 192.168.23.0/24; }; // our network
        recursion yes;
        // other view statements as required
        zone "example.com" {
            type slave;
            masters { 1.2.3.4; 4.5.6.7; };
            // private zone file including local hosts
            file "internal/master.example.com";
        };
        // add required zones
    };

    view "badguys" {
        match-clients { "any"; }; // all other hosts
        // recursion not supported
        recursion no;
        // other view statements as required
        zone "example.com" {
            type slave;
            masters { 1.2.3.4; 4.5.6.7; };
            // public only hosts
            file "external/master.example.com";
        };
        // add required zones
    };

I suppose I could set up another pair of hidden masters to serve up the internal zones, or another pair of IP addrs on the masters, but I'm hoping not to go down that road.

Thanks,
Eric Chandler
Systems Architect
23 Main Street, Holmdel, NJ 07733
732.203.7437 | 732.284.8504 (iPhone)
eric.chand...@vonage.com | www.vonage.com
RE: Split DNS and zone transfers
I've been pointed to the right place to figure this out. The answer is in using TSIG. That saved me a lot of time. I searched everywhere but the most-obvious place - the bind9 faq.

Eric Chandler
Systems Architect

From: bind-users-bounces+eric.chandler=vonage@lists.isc.org [mailto:bind-users-bounces+eric.chandler=vonage@lists.isc.org] On Behalf Of Eric Chandler
Sent: Monday, April 16, 2012 11:36 AM
To: bind-users@lists.isc.org
Subject: Split DNS and zone transfers
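A worked named.conf for the TSIG approach Eric settled on, added here as an example rather than taken from the thread or from ISC's own documentation. It keeps the two views and the master addresses from the question; the key names, the slave addresses 10.0.0.5 and 10.0.0.6, the file names and the directory are assumptions, and the secrets are placeholders to be replaced with tsig-keygen output. The idea is that the key a transfer request is signed with, not the source address, selects the view, so one slave can pull both copies of example.com from the same master IPs.

```conf
// ---------- hidden master ----------
// One TSIG key per view. Generate each with: tsig-keygen -a hmac-sha256 <name>
key "internal-xfer" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET"; };
key "external-xfer" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET"; };

acl "slaves" { 10.0.0.5; 10.0.0.6; };   // assumed slave addresses

view "trusted" {
    // A request signed with external-xfer must never land here even when it
    // comes from an inside address, hence the leading negated key element.
    match-clients { !key external-xfer; key internal-xfer; 192.168.23.0/24; };
    recursion yes;
    // Sign NOTIFYs to the slaves with this view's key so they are routed to
    // the matching view on the slave side.
    server 10.0.0.5 { keys { internal-xfer; }; };
    server 10.0.0.6 { keys { internal-xfer; }; };
    zone "example.com" {
        type master;
        file "internal/master.example.com";     // private hosts
        allow-transfer { key internal-xfer; };  // key, not address, gates AXFR
        also-notify { 10.0.0.5; 10.0.0.6; };
    };
};

view "badguys" {
    match-clients { !key internal-xfer; key external-xfer; any; };
    recursion no;
    server 10.0.0.5 { keys { external-xfer; }; };
    server 10.0.0.6 { keys { external-xfer; }; };
    zone "example.com" {
        type master;
        file "external/master.example.com";     // public hosts only
        allow-transfer { key external-xfer; };
        also-notify { 10.0.0.5; 10.0.0.6; };
    };
};

// ---------- slave (same two keys, same two views) ----------
// Both slave zones point at the same master addresses; the "key" clause on
// each master entry signs the SOA/AXFR requests, so each view receives the
// copy of example.com that the master serves for that key.
key "internal-xfer" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET"; };
key "external-xfer" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET"; };

view "trusted" {
    match-clients { !key external-xfer; key internal-xfer; 192.168.23.0/24; };
    recursion yes;
    zone "example.com" {
        type slave;
        file "internal/slave.example.com";      // assumed path
        masters { 1.2.3.4 key internal-xfer; 4.5.6.7 key internal-xfer; };
    };
};

view "badguys" {
    match-clients { !key internal-xfer; key external-xfer; any; };
    recursion no;
    zone "example.com" {
        type slave;
        file "external/slave.example.com";      // assumed path
        masters { 1.2.3.4 key external-xfer; 4.5.6.7 key external-xfer; };
    };
};
```

The two halves belong in two separate named.conf files (master and slave); the key statements are repeated only because each file must declare the keys it uses, and the secrets must be identical on both ends.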
Warning: view * : 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Good day,

Thanks for the support. I am running a primary DNS server using view on bind version:

    root@ns1:~# named -v
    BIND 9.8.1-P1

I am always having the above warnings in my syslog file:

    Sep 22 11:40:56 ns1 named[2121]: Warning: view external-root: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
    Sep 22 11:40:56 ns1 named[2121]: using built-in root key for view internal-localhost
    Sep 22 11:40:56 ns1 named[2121]: Warning: view internal-localhost: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

May you please assist me on fixing it?

-- 
Kind Regards
Eric Kom
System Administrator - Metropolitan College
2 Hennie Van Till, White River, 1240
Tel: 013 750 2255 | Fax: 013 750 0105 | Cell: 078 879 1334
eric...@kom.za.net | eric...@metropolitancollege.co.za
www.kom.za.net | www.kom.za.org | www.erickom.co.za
Key fingerprint: 513E E91A C243 3020 8735 09BB 2DBC 5AD7 A9DA 1EF5
10.in-addr.arpa Forwarder Zone
I have configured a simple forward zone like the following in BIND:

    zone "3.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 1.2.3.4; };
    };

This is the only zone I have configured. When I query for, as an example, 1.2.3.10.in-addr.arpa (PTR), I expect BIND to query the 1.2.3.4 forwarder and return the response provided by 1.2.3.4. With BIND version 9.6.1-P1, this works as expected. However with version 9.9.1-P3, BIND does not attempt to query the forwarder and instead immediately returns an NXDOMAIN response.

I found that adding the following zone, in addition to or instead of the original, produces the desired results:

    zone "10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 1.2.3.4; };
    };

However, I do not wish to send all 10.in-addr.arpa queries to the forwarder; I only wish to send descendants of 3.10.in-addr.arpa there. Is this a bug in BIND 9.9.1-P3? I do not understand why the only zone configured would not be used, since it does appear to be the nearest (and only) ancestor of the domain I am querying.
Re: 10.in-addr.arpa Forwarder Zone
Thank you for the quick responses. I have solved my issue by setting the empty-zones-enable option to no.
Re: ISC Courses
On 27/04/2013 14:55, Mark Elkins wrote:

If you live in Africa and can get South, ZACR (UniForum SA), the "co.za" registry people, provide free DNS courses in Johannesburg and Cape Town. You still have to cover personal travel, food and lodging though. These are proper DNS training courses, three-day Intro and four-day Advanced courses. They are, however, only offered twice a year, usually February and September... You can see more at http://dnstraining.coza.net.za/

The DNS courses provided by co.za in South Africa are of high quality, with experts from the co.za registry and other registries in the world, and totally free of charge. The topics are generally the same as the ones provided by ISC, in my view! You can have a DNS training trip to South Africa.

I agree with the sentiment that it's a costly business though.

On Sat, 2013-04-27 at 03:36 -0500, SUNDAY A. OLUTAYO wrote:

ISC should consider online training too, as the Linux Foundation has done.

Sunday Olutayo
Sent from my LG Mobile

Doug Barton wrote:

Ted made some really good points. It's also worth pointing out that overhead, like renting the facility to teach the classes in, food, travel expenses for the trainers to get to the site, course materials, insurance, etc. often runs into the 'many hundreds' of dollars per student before the first word is spoken in class.

Doug

--
Kind Regards
Eric Kom
System Administrator & Programmer - Metropolitan College
Network Solutions and DNSSEC
Anyone know when Network Solutions plans to support DNSSEC?

Eric Davis
DNSSEC Godaddy Style
Anyone have any experience uploading DS records to GoDaddy? They are asking for the digest in addition to the public key and I'm a little lost. What is the digest and how can I find it? I'm using an Infoblox appliance (I know... cringe!).

Eric
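The "digest" a registrar asks for is the last field of the DS record: a hash over the zone's owner name (in wire form) followed by the DNSKEY RDATA, as RFC 4034 section 5.1.4 defines it; the other DS fields are the key tag, the algorithm and the digest type. BIND's dnssec-dsfromkey produces exactly this from the public DNSKEY file. The Python below is an added example (not from this thread or from any DNS vendor) that computes all four fields so the pieces are visible; the 4-byte "public key" it feeds in is a constructed placeholder, not a real key.

```python
"""Build a DS record from a DNSKEY: what a registrar's "digest" field actually is."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the first DS field; not valid for the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """The digest field: hash over owner-name wire form followed by the DNSKEY RDATA, upper-case hex."""
    h = DIGEST_TYPES[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Presentation-format DS record: <owner> IN DS <key tag> <algorithm> <digest type> <digest>."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return "%s. IN DS %d %d %d %s" % (
        owner.rstrip("."), key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


if __name__ == "__main__":
    # Constructed toy key (4 bytes of "public key"), not a real DNSKEY: it shows the field layout only.
    print(ds_record("example.com", 257, 3, 8, "AQIDBA==", 2))
```

For a real zone the base64 blob is the DNSKEY's public key exactly as published (flags 257 for a KSK), and the digest type the parent accepts decides which hash is used; a SHA-1 digest is 40 hex characters, SHA-256 is 64.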
Disable DNSSEC
My DNS appliances are not well-suited for this yet, so I want to disable DNSSEC for my domain. Anyone know the proper steps to take, and in what order if there is any order? I have a DS record in my parent domain. Do I need to remove that first? Thanks in advance.

Eric
RE: Disable DNSSEC
So I guess my DS record has the same TTL as my default TTL for my records? My default is 8 hours, so if I wait 8 hours after I remove the DS from my parent zone then I should be OK? My parent zone is a TLD (.edu).

-----Original Message-----
From: bind-users-bounces+eric=rockefeller@lists.isc.org [mailto:bind-users-bounces+eric=rockefeller@lists.isc.org] On Behalf Of Georg Kahest
Sent: Tuesday, January 07, 2014 10:12 AM
To: bind-users@lists.isc.org
Subject: Re: Disable DNSSEC

On 01/07/2014 05:01 PM, Eric Davis wrote:
> My DNS appliances are not well-suited for this yet, so I want to
> disable DNSSEC for my domain. Anyone know the proper steps to
> take and what order if there is any order? I have a DS record in my
> parent domain. Do I need to remove that first? Thanks in advance.
>
> Eric

Yes, first remove the DS from the parent zone, then wait for the DS TTL to expire, and then you can start removing the DNSKEYs from your zone.

--
Georg
RE: Disable DNSSEC
Duh... silly mistake... I did a dig on the NS record. Once the DS record is removed, DNS queries should work fine, right?

Thanks Bill.

-----Original Message-----
From: Bill Owens [mailto:ow...@nysernet.org]
Sent: Tuesday, January 07, 2014 11:28 AM
To: Eric Davis
Cc: bind-users@lists.isc.org
Subject: Re: Disable DNSSEC

On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote:
> So I guess my DS record has the same TTL as my default TTL for my records?
> My default is 8 hours, so if I wait 8 hours after I remove the DS from my
> parent zone then I should be ok? My parent zone is a TLD(.edu).

The DS record is in the parent zone (.edu) and it has a one-day TTL:

    ;; AUTHORITY SECTION:
    rockefeller.edu.        172800  IN      NS      r2d2.rockefeller.edu.
    rockefeller.edu.        172800  IN      NS      rockyd.rockefeller.edu.
    rockefeller.edu.        86400   IN      DS      40486 5 1 954F779D591F011288CAD43D64D96EA543E0D3E5
    rockefeller.edu.        86400   IN      RRSIG   DS 8 2 86400 20140113054536 20140106043536 20750 edu. 0XmRgd7FPG56t7etP2dK0W9gvVVm5oJlaCXufHlWnLsPWwNcAGIEQBCp RxBicOFdPgmxvm1VV+IXq7W2qEKiFOchCgfqm9ugqQ7/DOR0DJW1edgI ZqUVLfMgp/VT1+6EXU+wGiR7D2rZs1xvyu82cMQCkBseiKVAJv2F35LK MSE=

Bill.
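The wait Georg describes is set by the TTL the parent puts on the DS, which is what Bill's dig shows, not by the child zone's own default TTL. As an added example (not part of this thread), the Python below parses the parent's AUTHORITY section, checks that each DS digest has the length its digest type implies, and lays out the unsigning order with the wait computed from the DS TTL. The record text is constructed from Bill's output with one record per line; the RRSIG data is elided because nothing here verifies it.

```python
"""Read the parent's DS TTL from a dig answer: that, not your own zone's default TTL, sets the wait."""

# Constructed from the AUTHORITY section posted above, one record per line (RRSIG data elided).
PARENT_ANSWER = """\
rockefeller.edu.  172800  IN  NS     r2d2.rockefeller.edu.
rockefeller.edu.  172800  IN  NS     rockyd.rockefeller.edu.
rockefeller.edu.  86400   IN  DS     40486 5 1 954F779D591F011288CAD43D64D96EA543E0D3E5
rockefeller.edu.  86400   IN  RRSIG  DS 8 2 86400 20140113054536 20140106043536 20750 edu. 0XmRgd7F...
"""

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # SHA-1, SHA-256, SHA-384 digests, in hex characters


def parse_rrs(text):
    """Return (owner, ttl, type, rdata) tuples for records written as <owner> <ttl> IN <type> <rdata>."""
    rrs = []
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()
        if len(parts) >= 5 and parts[2].upper() == "IN" and parts[1].isdigit():
            rrs.append((parts[0].lower(), int(parts[1]), parts[3].upper(), " ".join(parts[4:])))
    return rrs


def ds_fields(rdata):
    """Split DS RDATA into (key tag, algorithm, digest type, digest)."""
    tag, alg, dtype, digest = rdata.split(None, 3)
    return int(tag), int(alg), int(dtype), digest.replace(" ", "").upper()


def check_ds(rrs, zone):
    """DS records for zone whose digest length does not match the digest type (a copy/paste error)."""
    zone = zone.lower().rstrip(".") + "."
    problems = []
    for owner, _ttl, rtype, rdata in rrs:
        if rtype == "DS" and owner == zone:
            _tag, _alg, dtype, digest = ds_fields(rdata)
            if len(digest) != DIGEST_HEX_LEN.get(dtype):
                problems.append(rdata)
    return problems


def ds_ttl(rrs, zone):
    """Longest TTL on the parent's DS RRset for zone, or 0 if the parent publishes none."""
    zone = zone.lower().rstrip(".") + "."
    ttls = [ttl for owner, ttl, rtype, _ in rrs if rtype == "DS" and owner == zone]
    return max(ttls) if ttls else 0


def unsign_plan(rrs, zone):
    """Ordered steps for going insecure, with the wait taken from the parent's DS TTL."""
    wait = ds_ttl(rrs, zone)
    return [
        "remove the DS record(s) for %s at the parent" % zone,
        "wait at least %d seconds (%.1f hours) for cached DS records to expire" % (wait, wait / 3600),
        "then remove the DNSKEYs (and the signatures) from the zone",
    ]


if __name__ == "__main__":
    for step in unsign_plan(parse_rrs(PARENT_ANSWER), "rockefeller.edu"):
        print(step)
```

Run against the parent's real answer (dig +norec for the DS at one of the parent's servers, so the TTL is not a cached remainder) rather than against your own zone file.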
resolving from loopback is much smooth?
Hi,

I run a BIND 9.9 DNS server now with around 3000 queries/s. I recently upgraded our server to a Fujitsu M10-1 with Solaris 10 and BIND 9.10. I feel that the server running BIND is not as fast as the old one on Intel Solaris, which was more than 8 years old. I tried a few tests and found that dig @localhost is much smoother than dig @IP for the zone on the machine.

Try dig resolving from loopback:

    bash-3.2# i=0; while [ $i -lt 20 ]; do i=`expr $i + 1`; /usr/local/bin/dig @ 127.0.0.1 a |grep "Query time"; sleep 1; done
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec

Try dig resolving from the server's real IP:

    bash-3.2# i=0; while [ $i -lt 20 ]; do i=`expr $i + 1`; /usr/local/bin/dig @ a |grep "Query time"; sleep 1; done
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 215 msec
    ;; Query time: 0 msec
    ;; Query time: 112 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 170 msec
    ;; Query time: 167 msec
    ;; Query time: 145 msec
    ;; Query time: 193 msec
    ;; Query time: 2 msec
    ;; Query time: 17 msec
    ;; Query time: 26 msec
    ;; Query time: 138 msec
    ;; Query time: 2 msec
    ;; Query time: 324 msec

Sometimes it even needs more than 2000 msec to resolve. Just wondering if it is normal behaviour, or whether anything can be tuned?

Thanks
Eric
Re: resolving from loopback is much smooth?
Hi Graham,

Thanks for your great tip, it seems it fixed my problem.

Eric

On Tue, Jun 7, 2016 at 5:45 PM, Graham Clinch wrote:
> Hi Eric,
>
> > I run bind dns server 9.9 now with around 3000query/s. I recently
> > upgrade our server to Fujitsu M10-1 Solaris 10 with bind9.10.
> > I feel that the server serving bind is not as fast as old one in intel
> > solaris which was more than 8 years ago. I tried a few test
> > and found that dig @localhost is much more smooth than dig @IP the zone
> > at the machine.
>
> Which specific version of 9.10 are you running? There is a reported
> issue with prefetch in versions before 9.10.4 (and prefetch is enabled
> by default in 9.10):
>
> https://kb.isc.org/article/AA-01315/0/prefetch-performance-in-BIND-9.10.html
>
> We saw similar problems that only affected the service IPs (when they
> were running 9.10.3) and on reviewing netstat saw large receive queues
> on the affected listeners.
>
> Disabling prefetch as discussed in the document helped us.
>
> (we've since moved to 9.10.4 but haven't yet re-enabled prefetch).
>
> Graham
slow lookup to non-existent host
When doing an nslookup of a non-existent host on the same network as the BIND servers, there is a delay. If I do the same nslookup from a host on a different network, the response is immediate.

host a is on the same network as the BIND servers, host b is on a different network:

    hostb$ nslookup dev600
    Server:         131.210.30.200
    Address:        131.210.30.200#53

    ** server can't find dev600: REFUSED

    hosta$ nslookup dev600
    ;; connection timed out; no servers could be reached

tcpdump on server:

    15:53:38.535453 IP hosta.ibg.28346 > bindsrv.domain: 36663+ A? dev600.ibg. (28)
    15:53:38.535582 IP bindsrv.domain > hosta.ibg.28346: 36663 NXDomain* 0/1/0 (75)
    15:53:38.535834 IP hosta.ibg.23719 > bindsrv.domain: 44929+ A? dev600. (24)

    15:53:21.233381 IP hostb.ibg.51921 > bindsrv.domain: 38869+ A? dev600.ibg. (28)
    15:53:21.233750 IP bindsrv.domain > hostb.ibg.51921: 38869 NXDomain*- 0/1/0 (75)
    15:53:21.234022 IP hostb.ibg.43283 > bindsrv.domain: 41973+ A? dev600. (24)
    15:53:21.234181 IP bindsrv.domain > hostb.ibg.43283: 41973 Refused- 0/0/0 (24)

We have several locations with similar setups and all see the same issue. They are running different versions also, one is 9.4.2 and one is 9.7.0-P1.

The /etc/resolv.conf file is:

    search ibg
    options rotate
    options ndots:3
    nameserver 131.210.30.200
    nameserver 131.210.30.201
    nameserver 131.210.30.202
    nameserver 131.210.30.203

Thanks
--
Eric Ritchie
Re: slow lookup to non-existent host
Thank you for your replies. This is an internal network with only one domain, no other DNS servers. I disabled recursion and it's working well.

Eric

On 10/17/2010 8:44 PM, Mark Andrews wrote:
> In message, Barry Margolin writes:
>> In article, Eric Ritchie wrote:
>>> When doing an nslookup of a non-existent host on the same network as the
>>> bind servers, there is a delay. If I do the same nslookup from a host on a
>>> different network, the response is immediate.
>>
>> My guess is that the server allows recursion for clients on the same
>> network, but doesn't allow it for clients on a different network. But
>> there's something blocking its ability to recurse.
>
> You have two problems.
>
> 1. You don't have allow-recursion set to allow all your recursive clients
>    to recurse. When your off-net clients try to recurse they get REFUSED.
>    This is why you get "quick" responses. The default for allow-recursion
>    is "{ localnets; localhost; };"
>
> 2. When you do attempt to recurse on behalf of the local clients you can't
>    reach the root servers. This results in a timeout. I would be looking
>    for a mis-configured firewall.
>
>>> host a is on the same network as bind servers, host b is on a different
>>> network:
>>>
>>>     hostb$ nslookup dev600
>>>     Server:         131.210.30.200
>>>     Address:        131.210.30.200#53
>>>
>>>     ** server can't find dev600: REFUSED
>>>
>>>     hosta$ nslookup dev600
>>>     ;; connection timed out; no servers could be reached
>>>
>>> tcpdump on server:
>>>
>>>     15:53:38.535453 IP hosta.ibg.28346 > bindsrv.domain: 36663+ A? dev600.ibg. (28)
>>>     15:53:38.535582 IP bindsrv.domain > hosta.ibg.28346: 36663 NXDomain* 0/1/0 (75)
>>>     15:53:38.535834 IP hosta.ibg.23719 > bindsrv.domain: 44929+ A? dev600. (24)
>>>
>>>     15:53:21.233381 IP hostb.ibg.51921 > bindsrv.domain: 38869+ A? dev600.ibg. (28)
>>>     15:53:21.233750 IP bindsrv.domain > hostb.ibg.51921: 38869 NXDomain*- 0/1/0 (75)
>>>     15:53:21.234022 IP hostb.ibg.43283 > bindsrv.domain: 41973+ A? dev600. (24)
>>>     15:53:21.234181 IP bindsrv.domain > hostb.ibg.43283: 41973 Refused- 0/0/0 (24)
>>>
>>> We have several locations with similar setups and all see the same issue.
>>> They are running different versions also, one is 9.4.2 and one is 9.7.0-P1.
>>>
>>> The /etc/resolv.conf file is:
>>>
>>>     search ibg
>>>     options rotate
>>>     options ndots:3
>>>     nameserver 131.210.30.200
>>>     nameserver 131.210.30.201
>>>     nameserver 131.210.30.202
>>>     nameserver 131.210.30.203
>>>
>>> Thanks
>>
>> --
>> Barry Margolin, bar...@alum.mit.edu
>> Arlington, MA
>> *** PLEASE don't copy me on replies, I'll read them in the group ***

--
Eric Ritchie
Interactive Brokers LLC
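Mark's two problems are both visible in the capture once queries are paired with their replies: both clients get an authoritative NXDOMAIN for dev600.ibg at once; the follow-up query for the bare name dev600. (the search list is exhausted, so the name needs recursion) is REFUSED for the off-net client and simply never answered for the on-net one. The Python below is an added example, not from this thread, that does that pairing over the capture as posted (re-spaced the way tcpdump prints it); the flag meanings in the comment are tcpdump's documented ones.

```python
"""Pair DNS queries with replies in a tcpdump capture and flag the ones that never got an answer."""
import re

# Constructed from the capture in the thread above, with tcpdump's usual spacing restored.
CAPTURE = """\
15:53:38.535453 IP hosta.ibg.28346 > bindsrv.domain: 36663+ A? dev600.ibg. (28)
15:53:38.535582 IP bindsrv.domain > hosta.ibg.28346: 36663 NXDomain* 0/1/0 (75)
15:53:38.535834 IP hosta.ibg.23719 > bindsrv.domain: 44929+ A? dev600. (24)
15:53:21.233381 IP hostb.ibg.51921 > bindsrv.domain: 38869+ A? dev600.ibg. (28)
15:53:21.233750 IP bindsrv.domain > hostb.ibg.51921: 38869 NXDomain*- 0/1/0 (75)
15:53:21.234022 IP hostb.ibg.43283 > bindsrv.domain: 41973+ A? dev600. (24)
15:53:21.234181 IP bindsrv.domain > hostb.ibg.43283: 41973 Refused- 0/0/0 (24)
"""

# Query: "<id>+" means recursion desired.  Reply: "*" = authoritative answer, trailing "-" =
# recursion not available; the rcode word is printed only when it is not NoError.
QUERY = re.compile(r"^(?P<ts>\S+) IP (?P<client>\S+)\.(?P<port>\d+) > (?P<server>\S+)\.domain: "
                   r"(?P<id>\d+)(?P<flags>[+*%$|-]*) (?P<qtype>\w+)\? (?P<qname>\S+) \(\d+\)$")
REPLY = re.compile(r"^(?P<ts>\S+) IP (?P<server>\S+)\.domain > (?P<client>\S+)\.(?P<port>\d+): "
                   r"(?P<id>\d+)(?P<flags>[*|$-]*)(?: (?P<rcode>[A-Za-z]+)(?P<rflags>[*|$-]*))? "
                   r"(?P<counts>\d+/\d+/\d+) \(\d+\)$")


def pair_transactions(capture):
    """Map (client, port, id) to the query and, when one was captured, its reply."""
    txns = {}
    for line in capture.splitlines():
        q = QUERY.match(line)
        if q:
            txns[(q["client"], q["port"], q["id"])] = {
                "qname": q["qname"], "qtype": q["qtype"], "rd": "+" in q["flags"],
                "rcode": None, "aa": False}
            continue
        r = REPLY.match(line)
        if r and (r["client"], r["port"], r["id"]) in txns:
            t = txns[(r["client"], r["port"], r["id"])]
            t["rcode"] = r["rcode"] or "NoError"
            t["aa"] = "*" in r["flags"] + (r["rflags"] or "")
    return txns


def unanswered(capture):
    """Queries with no reply in the capture: the client side sees these as timeouts."""
    return [(k[0], t["qname"]) for k, t in pair_transactions(capture).items() if t["rcode"] is None]


def with_rcode(capture, rcode):
    """(client, qname) pairs whose reply carried the given rcode."""
    return [(k[0], t["qname"]) for k, t in pair_transactions(capture).items() if t["rcode"] == rcode]


if __name__ == "__main__":
    for key, t in pair_transactions(CAPTURE).items():
        print(key[0], t["qname"], t["rcode"] or "no reply (timeout)")
```

On a live server the same pairing run over a longer capture separates "refused because the ACL says so" from "allowed to recurse but the recursion never completes", which is the distinction between the two fixes Mark lists.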
Re: Strange behaviour after nsupdate
On 11/ 9/10 01:25 PM, Christian Ruppert wrote:
> On 11/09/2010 10:11 PM, Christian Ruppert wrote:
>> Hey guys,
>>
>> I have a zone that I update remotely via nsupdate. When I update the zone and query it internally (view) I get the correct answer, but when I do a query from outside I still get the old A record. So the same nameserver gives different answers. "dig my.zone.tld A +short @ns.zone.tld".
>> I have an internal view as well as an external view. The biggest difference between those two is that the external view has recursion, additional-from-auth and additional-from-cache disabled. Both views include the hint (root.cache) and the same zones.conf. The internal view additionally includes 127.in-addr.arpa and a localhost zone.
>>
>>     ls -l /etc/bind/dyn/my.zone.tld.zone*
>>     -rw-r--r-- 1 named named  386 2010-11-07 11:22 /etc/bind/dyn/my.zone.tld.zone
>>     -rw-rw 1 root named 2636 2010-11-07 11:08 /etc/bind/dyn/my.zone.tld.zone.jnl
>>
>> Any ideas what could be wrong?
>
> I forgot to mention that I use bind-9.7.2-P2.
> Removing the journal (as a workaround for now) helps, although it's no solution.
>
> The nsupdate commands are:
>
>     server ns.zone.tld
>     zone my.zone.tld
>     update delete my.zone.tld A
>     update add my.zone.tld A
>     send

You are sharing 1 zone file between 2 views? If so, I don't think this is recommended.

What happens if you flush the cache on the external view and/or completely stop and start named? My guess is that it will then resolve correctly? If that works then it's probably because your connection to nsupdate matches your internal view and so only the cache for the internal view gets updated. The external view might eventually update after the TTL expires or you manually flush the cache or do a restart.

Regards,
-Eric
Re: How to Setup a Name Servers visible on Internet?
Good morning all,

I changed some settings in my zone data files but still have the same complaints: has 0 SOA records, has no NS records, and not loaded due to errors. Please see my zone files below:

File: /var/cache/bind/metropolitanbuntu.co.za

    ;$ORIGIN metropolitanbuntu.co.za.
    $TTL 3H
    metropolitanbuntu.co.za.    IN  SOA  ns1.metropolitanbuntu.co.za. postmaster.metropolitanbuntu.co.za. (
                                3   ; serial
                                8H  ; refresh
                                2H  ; retry
                                4W  ; expire
                                1D) ; default_TTL
    ;
    metropolitanbuntu.co.za.    IN  NS   ns1.metropolitanbuntu.co.za.
    metropolitanbuntu.co.za.    IN  NS   ns2.metropolitanbuntu.co.za.
    ;
    metropolitanbuntu.co.za.    IN  MX   10 mail.metropolitanbuntu.co.za.
    ;
    metropolitanbuntu.co.za.    IN  TXT  "Metropolitan College DNS Server."
    ;
    localhost   IN  A   127.0.0.1
    ns1         IN  A   41.134.194.90
    ns2         IN  A   41.134.194.91
    ns1         IN  A   10.0.0.80
    ns2         IN  A   10.0.0.82
    www         IN  A   10.0.0.81
    www         IN  A   10.0.0.82
    mail        IN  A   10.0.0.84
    backup      IN  A   10.0.0.102
    ;
    ftp     IN  CNAME   www
    img     IN  CNAME   www
    *       IN  CNAME   www
    imap    IN  CNAME   mail
    pop     IN  CNAME   mail
    pop3    IN  CNAME   mail
    smtp    IN  CNAME   mail

File: /var/cache/bind/0.0.10.in-addr.arpa

    $TTL 38400
    0.0.10.in-addr.arpa.    IN  SOA  ns1.metropolitanbuntu.co.za. postmaster.metropolitanbuntu.co.za. (
                            3   ; serial
                            8H  ; refresh
                            2H  ; retry
                            4W  ; expire
                            1D) ; default_TTL
    ;
    0.0.10.in-addr.arpa.    IN  NS   ns1.metropolitanbuntu.co.za.
    0.0.10.in-addr.arpa.    IN  NS   ns2.metropolitanbuntu.co.za.
    ;
    80      IN  PTR  ns1.metropolitanbuntu.co.za.
    82      IN  PTR  ns2.metropolitanbuntu.co.za.
    81      IN  PTR  www.metropolitanbuntu.co.za.
    102     IN  PTR  backup.metropolitanbuntu.co.za.
    108     IN  PTR  printer-server.metropolitanbuntu.co.za.
    31      IN  PTR  ldap.metropolitanbuntu.co.za.

File: /var/cache/bind/194.134.41.in-addr.arpa

    $TTL 38400
    194.134.41.in-addr.arpa.    IN  SOA  ns1.metropolitanbuntu.co.za. postmaster.metropolitanbuntu.co.za. (
                                3        ; serial
                                3600     ; refresh
                                900      ; retry
                                1209600  ; expire
                                43200)   ; default_TTL
    ;
    194.134.41.in-addr.arpa.    IN  NS   ns1.metropolitanbuntu.co.za.
    194.134.41.in-addr.arpa.    IN  NS   ns2.metropolitanbuntu.co.za.
    ;
    90      IN  PTR  ns1.metropolitanbuntu.co.za.
    91      IN  PTR  ns2.metropolitanbuntu.co.za.

Thanks in advance

On 14/06/2011 19:18, Mark Elkins wrote:
> Eric,
>
> Did you know that UniForum SA (the CO.ZA administrators) provide free
> DNS classes for people that live in South Africa? (Intro and Advanced).
>
> So you'd need to get over to Johannesburg and/or Cape Town and pay for
> some accommodation - but the courses are free. You can see and book for
> the courses via the CO.ZA Web site. Courses are run twice a year.
>
>
> On Tue, 2011-06-14 at 14:25 +0200, eric...@kom.za.net wrote:
>> On 14/06/2011 10:15, Stephane Bortzmeyer wrote:
>>> On Tue, Jun 14, 2011 at 09:58:36AM +0200,
>>> eric...@kom.za.net wrote
>>> a message of 80 lines which said:
>>>
>>>> sorry for that, please see below the content for my reverse file
>>>> data:
>>>>
>>>> File: /var/cache/bind/metropolitanbntu.co.za.inv:
>>> ...
>>>> 41.134.194.90. IN PTR ns1.metropolitanbuntu.co.za.
>>>
>>> Then, BIND is perfectly right, 41.134.194.90 does not belong to
>>> 0.0.10.in-addr.arpa...
>>>
>>>> 10.0.0.80. IN PTR ns1.metropolitanbuntu.co.za.
>>>
>>> More subtle here: you should have learned about PTR records before
>>> trying it (may I suggest Liu & Albitz' book?). 10.0.0.80 should have
>>> been written just 80 (thus forming the name 80.0.0.10.in-addr.arpa).
>>>
>> Thank you in advance!
>>
>> I ordered the book and am waiting for the delivery.
>>
>> I also found a PDF copy on the internet.
>>
> [outputs deleted]
>

--
Yours Truly
Eric Kom
Re: How to Setup a Name Servers visible on Internet?
On 17/06/2011 09:21, Benny Pedersen wrote:
> On Tue, 14 Jun 2011 14:25:12 +0200, eric...@kom.za.net wrote:
>
>>     zone "194.134.41.in-addr.arpa" IN {
>>         type master;
>>         file "/var/cache/bind/194.134.41.metropolitanbuntu.co.za.inv";
>>     };
>
> The reverse mapping of IP addresses to names seems not to be configured!
> You need to ask your ISP to set this; this is a common error at home.

Since you said that, I already have the same error at home; did you solve it?

--
Yours Truly
Eric Kom
servfail when refresh aws.amazon.com
Hi,

I am using BIND 9.7.3-P1 with Solaris 10 x86. I notice that sometimes our BIND server will reply SERVFAIL when querying a zone, aws.amazon.com, which is expiring, while this aws.amazon.com only has a 60 sec cache lifetime, e.g.

    > /usr/local/bin/dig a aws.amazon.com

    ; <<>> DiG 9.7.3-P1 <<>> a aws.amazon.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26307
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;aws.amazon.com.            IN  A

    ;; ANSWER SECTION:
    aws.amazon.com.     1       IN  A   72.21.210.163

    ;; AUTHORITY SECTION:
    aws.amazon.com.     6517    IN  NS  ns-932.amazon.com.
    aws.amazon.com.     6517    IN  NS  ns-931.amazon.com.
    aws.amazon.com.     6517    IN  NS  ns-912.amazon.com.
    aws.amazon.com.     6517    IN  NS  ns-923.amazon.com.
    aws.amazon.com.     6517    IN  NS  ns-911.amazon.com.
    aws.amazon.com.     6517    IN  NS  ns-921.amazon.com.

    ;; ADDITIONAL SECTION:
    ns-911.amazon.com.  3108    IN  A   207.171.178.13

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed Jun 22 18:59:30 2011
    ;; MSG SIZE  rcvd: 190

    > /usr/local/bin/dig a aws.amazon.com

    ; <<>> DiG 9.7.3-P1 <<>> a aws.amazon.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20884
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;aws.amazon.com.            IN  A

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed Jun 22 18:59:31 2011
    ;; MSG SIZE  rcvd: 32

    > /usr/local/bin/dig a aws.amazon.com

    ; <<>> DiG 9.7.3-P1 <<>> a aws.amazon.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47970
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;aws.amazon.com.            IN  A

    ;; ANSWER SECTION:
    aws.amazon.com.     60      IN  A   72.21.210.163

    ;; AUTHORITY SECTION:
    aws.amazon.com.     6516    IN  NS  ns-932.amazon.com.
    aws.amazon.com.     6516    IN  NS  ns-911.amazon.com.
    aws.amazon.com.     6516    IN  NS  ns-912.amazon.com.
    aws.amazon.com.     6516    IN  NS  ns-931.amazon.com.
    aws.amazon.com.     6516    IN  NS  ns-921.amazon.com.
    aws.amazon.com.     6516    IN  NS  ns-923.amazon.com.

    ;; ADDITIONAL SECTION:
    ns-911.amazon.com.  3107    IN  A   207.171.178.13

    ;; Query time: 229 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed Jun 22 18:59:31 2011
    ;; MSG SIZE  rcvd: 190

Is it normal? What would be the problem?

Eric
Re: servfail when refresh aws.amazon.com
Hi,

I tried debug level 2 on query-errors and have this result:

    23-Jun-2011 09:57:39.182 query-errors: debug 1: client 202.14.67.27#55079: query failed (SERVFAIL) for aws.amazon.com/IN/A at query.c:4651
    23-Jun-2011 09:57:39.182 query-errors: debug 2: fetch completed at resolver.c:3103 for aws.amazon.com/A in 0.73: out of memory/success [domain:aws.amazon.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Is it because we limit the memory usage in named.conf?

    max-cache-size 1610612736;

Eric

On Thu, Jun 23, 2011 at 5:25 AM, Kevin Darcy wrote:
> On 6/22/2011 7:26 AM, Eric Yiu wrote:
> > Hi,
> >
> > I am using bind9.7.3-P1 with solaris10x86. I notice that
> > sometimes our bind server will reply servfail when querying
> > a zone aws.amazon.com which is expiring, while this
> > aws.amazon.com only 60sec cache lifetime, eg.
> >
> >     > /usr/local/bin/dig a aws.amazon.com
> >
> >     ; <<>> DiG 9.7.3-P1 <<>> a aws.amazon.com
> >     ;; global options: +cmd
> >     ;; Got answer:
> >     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26307
> >     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1
> >
> >     ;; QUESTION SECTION:
> >     ;aws.amazon.com.            IN  A
> >
> >     ;; ANSWER SECTION:
> >     aws.amazon.com.     1       IN  A   72.21.210.163
> >
> >     ;; AUTHORITY SECTION:
> >     aws.amazon.com.     6517    IN  NS  ns-932.amazon.com.
> >     aws.amazon.com.     6517    IN  NS  ns-931.amazon.com.
> >     aws.amazon.com.     6517    IN  NS  ns-912.amazon.com.
> >     aws.amazon.com.     6517    IN  NS  ns-923.amazon.com.
> >     aws.amazon.com.     6517    IN  NS  ns-911.amazon.com.
> >     aws.amazon.com.     6517    IN  NS  ns-921.amazon.com.
> >
> >     ;; ADDITIONAL SECTION:
> >     ns-911.amazon.com.  3108    IN  A   207.171.178.13
> >
> >     ;; Query time: 0 msec
> >     ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >     ;; WHEN: Wed Jun 22 18:59:30 2011
> >     ;; MSG SIZE  rcvd: 190
> >
> >     > /usr/local/bin/dig a aws.amazon.com
> >
> >     ; <<>> DiG 9.7.3-P1 <<>> a aws.amazon.com
> >     ;; global options: +cmd
> >     ;; Got answer:
> >     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20884
> >     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >
> >     ;; QUESTION SECTION:
> >     ;aws.amazon.com.            IN  A
> >
> >     ;; Query time: 0 msec
> >     ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >     ;; WHEN: Wed Jun 22 18:59:31 2011
> >     ;; MSG SIZE  rcvd: 32
> >
> >     > /usr/local/bin/dig a aws.amazon.com
> >
> >     ; <<>> DiG 9.7.3-P1 <<>> a aws.amazon.com
> >     ;; global options: +cmd
> >     ;; Got answer:
> >     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47970
> >     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1
> >
> >     ;; QUESTION SECTION:
> >     ;aws.amazon.com.            IN  A
> >
> >     ;; ANSWER SECTION:
> >     aws.amazon.com.     60      IN  A   72.21.210.163
> >
> >     ;; AUTHORITY SECTION:
> >     aws.amazon.com.     6516    IN  NS  ns-932.amazon.com.
> >     aws.amazon.com.     6516    IN  NS  ns-911.amazon.com.
> >     aws.amazon.com.     6516    IN  NS  ns-912.amazon.com.
> >     aws.amazon.com.     6516    IN  NS  ns-931.amazon.com.
> >     aws.amazon.com.     6516    IN  NS  ns-921.amazon.com.
> >     aws.amazon.com.     6516    IN  NS  ns-923.amazon.com.
> >
> >     ;; ADDITIONAL SECTION:
> >     ns-911.amazon.com.  3107    IN  A   207.171.178.13
> >
> >     ;; Query time: 229 msec
> >     ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >     ;; WHEN: Wed Jun 22 18:59:31 2011
> >     ;; MSG SIZE  rcvd: 190
>
> I couldn't really see anything that would explain the SERVFAIL. Each of
> those "nameservers" appears to be a load-balancer of some sort. When queried
> individually for aws.amazon.com/A, they give a diversity of answers,
> implying that they are attempting some form of "DNS geolocation". None of
> them seem bothered by EDNS0 or DNSSEC stuff (most likely they're completely
> oblivious). When queried individually for aws.amazon.com/NS, all of them
> except for one return a single NS record with their own name in the RDATA.
> The only exception I saw was ns-912.amazon.com, which returned
> ns-945.amazon.com. But, I don't think that's the cause of the SERVFAIL,
> since ns-945.amazon.com answers authoritatively for the name, even though
> it's not one of the delegated nameservers for the zone.
>
> Time to look at logs, run named in debug mode and/or fire up a packet
> tracer and see what's really going on. Possibly something between you and
> the amazon.com nameserv
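The query-errors channel that Eric turned on is the right place to look, as Kevin suggested, and the "fetch completed" line carries the answer in structured form: the two tokens before the bracket are the fetch result and the validation result, and the bracketed counters say how far the fetch got (here qrysent:0, so the resolver gave up before sending a single upstream query, which fits a resource limit rather than a broken upstream). That reading of the line format is my own, not something the thread states. The Python below is an added example, not part of this thread, that parses those lines so SERVFAILs can be grouped by the fetch result behind them; the log text is constructed from the two lines Eric posted.

```python
"""Classify BIND query-errors debug lines by the fetch outcome behind each SERVFAIL."""
import re
from collections import Counter

# Constructed from the two lines in the post above (the second is one long log line).
LOG = """\
23-Jun-2011 09:57:39.182 query-errors: debug 1: client 202.14.67.27#55079: query failed (SERVFAIL) for aws.amazon.com/IN/A at query.c:4651
23-Jun-2011 09:57:39.182 query-errors: debug 2: fetch completed at resolver.c:3103 for aws.amazon.com/A in 0.73: out of memory/success [domain:aws.amazon.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

FETCH = re.compile(
    r"fetch completed at (?P<where>\S+) for (?P<name>\S+)/(?P<qtype>\S+) in (?P<secs>[\d.]+): "
    r"(?P<result>[^/\[]+)/(?P<vresult>\S+) \[(?P<stats>[^\]]*)\]")
FAILED = re.compile(
    r"client (?P<client>\S+): query failed \((?P<rcode>\w+)\) for (?P<qname>\S+)/\w+/(?P<qtype>\w+)")


def parse_fetch(line):
    """Fields of a 'fetch completed' line; the counters become ints, 'domain' stays a string."""
    m = FETCH.search(line)
    if not m:
        return None
    info = {"name": m["name"], "qtype": m["qtype"], "seconds": float(m["secs"]),
            "result": m["result"].strip(), "vresult": m["vresult"]}
    for kv in m["stats"].split(","):
        key, val = kv.split(":", 1)
        info[key] = val if key == "domain" else int(val)
    return info


def failed_fetches(log):
    """Fetches whose result is anything but success: these are what clients see as SERVFAIL."""
    return [f for f in map(parse_fetch, log.splitlines()) if f and f["result"] != "success"]


def servfail_clients(log):
    """(client, qname, qtype) for each 'query failed (SERVFAIL)' line."""
    return [(m["client"], m["qname"], m["qtype"]) for m in map(FAILED.search, log.splitlines()) if m]


def failure_reasons(log):
    """Histogram of fetch results: the first thing to look at when SERVFAILs cluster."""
    return Counter(f["result"] for f in failed_fetches(log))


if __name__ == "__main__":
    for result, count in failure_reasons(LOG).items():
        print("%-20s %d" % (result, count))
    for f in failed_fetches(LOG):
        print(f["name"], f["qtype"], "queries sent:", f["qrysent"], "timeouts:", f["timeout"])
```

Over a day of logs the histogram separates cases like this one (a result with no upstream queries sent) from timeouts, lame delegations and validation failures, each of which points at a different fix.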
Re: How to Setup a Name Servers visible on Internet?
On 22/06/2011 14:07, Matus UHLAR - fantomas wrote:
> On 21.06.11 12:26, Metropolitan College wrote:
>> I'm sorry, I forgot that terminal mail clients don't support HTML,
>
> They do. However HTML mail is hard to read and even harder to reply to.
> That's why I didn't read most of your former mails...
>
>> This below is my zone file metropolitanbuntu.co.za.external:
>
> I recommend you skip the .metropolitanbuntu.co.za. part (bind adds the
> current ORIGIN to names not terminated by a dot) and replace
> "metropolitanbuntu.co.za." by "@".
>
> That would make the file easier to read and less prone to errors
> (mistakes).

Good morning all, and thanks again to all the people who interact on this mailing list. Officially I have set up the nameservers; it's working, thanks a lot. Now is the time to go through the DNS terminology and also work on DNS security. Thanks again.

>>     $TTL 3H
>>     metropolitanbuntu.co.za.    IN  SOA
>
>     @   IN  SOA
>
>>     ns1.metropolitanbuntu.co.za. postmaster.metropolitanbuntu.co.za. (
>
>     ns1 postmaster (
>
>>         16  ; serial
>>         8H  ; refresh
>>         2H  ; retry
>>         4W  ; expire
>>         1D) ; default_TTL
>
>>     metropolitanbuntu.co.za.    IN  NS
>>     ns1.metropolitanbuntu.co.za.
>
> ... I hope these belong to one line, you can even skip the @ since you
> are still defining RRs for @
>
>         IN  NS  ns1
>
>>     metropolitanbuntu.co.za.    IN  NS
>>     ns2.metropolitanbuntu.co.za.
>
>         IN  NS  ns2
>
>>     metropolitanbuntu.co.za.    IN  MX  10
>>     mail.metropolitanbuntu.co.za.
>
>         IN  MX  10  mail
>
>>     metropolitanbuntu.co.za.    IN  TXT "Metropolitan College
>>     DNS Server."
>
>         IN  TXT "Metropolitan College DNS Server."
>
>>     ns1.metropolitanbuntu.co.za.    IN  A   41.134.194.90
>
>     ns1     IN  A   41.134.194.90
>
>>     ns2.metropolitanbuntu.co.za.    IN  A   41.134.194.91
>
>     ns2     IN  A   41.134.194.91
>
> ... etc etc.
>
> Since you clearly DO have A records for your NS'es, I guess the problem
> is in the metropolitanbuntu.co.za zone in the internal view. Check that
> one.
>
>>> Views complicate everything and I don't think there is anymore a real
>>> use for them. I strongly suggest you don't use them.
>>
>> alright!
>>
>> But since I got the internal services to resolve, if I remove the
>> internal resolution, I won't resolve requests in the case my internet is
>> down?
>
> you _can_ use views but note many of problems with bind come from bad
> understanding how views work.

--
Yours Truly
Eric Kom
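Two things from this thread are mechanical enough to check with a script: the "has 0 SOA records / has no NS records" complaint from the earlier post, together with Stephane's point that an owner such as 41.134.194.90. does not fall inside 0.0.10.in-addr.arpa, and Matus's advice that @ and origin-relative names load to exactly the same records as the fully qualified spelling. The Python below is an added example, not BIND's own loader (named-checkzone is the real tool for this), with a minimal master-file parser behind it; the sample zones are constructed from the files quoted in this thread, cut down to a few records.

```python
"""Zone-file checks: SOA/NS at the apex, owners inside the zone, and @/relative names vs FQDNs."""
import re

TTL_RE = re.compile(r"\d+[SMHDW]?", re.I)
CLASSES = {"IN", "CH", "HS"}
# RDATA positions holding domain names, which get the origin appended when not dot-terminated.
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,)}


def _records(text):
    """Yield (owner_blank, tokens) per logical record: joins '(' ... ')' lines, drops ';' comments."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # no quoted-';' handling, so keep TXT out of samples
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield buf[0][:1].isspace(), " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf = []


def qualify(name, origin):
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """[(owner, type, rdata tokens)] with owners and name-typed RDATA fully qualified."""
    origin = origin.lower().rstrip(".") + "."
    rrs, last_owner = [], origin
    for owner_blank, tokens in _records(text):
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        owner = last_owner if owner_blank else qualify(tokens.pop(0), origin)
        for _ in range(2):  # optional TTL and class, in either order
            if tokens and (TTL_RE.fullmatch(tokens[0]) or tokens[0].upper() in CLASSES):
                tokens.pop(0)
        rtype = tokens.pop(0).upper()
        for pos in NAME_FIELDS.get(rtype, ()):
            tokens[pos] = qualify(tokens[pos], origin)
        rrs.append((owner, rtype, tuple(tokens)))
        last_owner = owner
    return rrs


def check_zone(text, origin):
    """Issues in the wording named uses, plus owners that do not belong to the zone at all."""
    origin = origin.lower().rstrip(".") + "."
    rrs = parse_zone(text, origin)
    issues = []
    soa = sum(1 for o, t, _ in rrs if o == origin and t == "SOA")
    if soa != 1:
        issues.append("has %d SOA records" % soa)
    if not any(o == origin and t == "NS" for o, t, _ in rrs):
        issues.append("has no NS records")
    for o, _t, _r in rrs:
        if o != origin and not o.endswith("." + origin):
            issues.append("owner %s is outside zone %s" % (o, origin))
    return issues


# Constructed samples, trimmed from the zone files quoted in this thread.
LONG_FORM = """\
$TTL 3H
metropolitanbuntu.co.za.  IN SOA ns1.metropolitanbuntu.co.za. postmaster.metropolitanbuntu.co.za. (
        16 ; serial
        8H 2H 4W 1D ) ; refresh retry expire default_TTL
metropolitanbuntu.co.za.  IN NS  ns1.metropolitanbuntu.co.za.
metropolitanbuntu.co.za.  IN MX  10 mail.metropolitanbuntu.co.za.
ns1.metropolitanbuntu.co.za. IN A 41.134.194.90
"""
SHORT_FORM = """\
$TTL 3H
@     IN SOA ns1 postmaster ( 16 8H 2H 4W 1D )
      IN NS  ns1
      IN MX  10 mail
ns1   IN A   41.134.194.90
"""
BAD_REVERSE = """\
@   IN SOA ns1.metropolitanbuntu.co.za. postmaster.metropolitanbuntu.co.za. ( 3 8H 2H 4W 1D )
    IN NS  ns1.metropolitanbuntu.co.za.
41.134.194.90.  IN PTR ns1.metropolitanbuntu.co.za.
10.0.0.80.      IN PTR ns1.metropolitanbuntu.co.za.
"""
GOOD_REVERSE = BAD_REVERSE.replace("41.134.194.90.  ", "80  ").replace("10.0.0.80.      ", "82  ")
```

check_zone(BAD_REVERSE, "0.0.10.in-addr.arpa") reports both PTR owners as outside the zone, GOOD_REVERSE (the same file with the owners written as 80 and 82) reports nothing, and the two spellings of the forward zone parse to identical records.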
Re: CNAME or A record?
On 28/09/2011 21:02, Mark Elkins wrote:
> On Wed, 2011-09-28 at 16:19 +0200, feralert wrote:
>
>> The thing is that I want users redirected to 'www.domain.com' even
>> when they just type the domain name 'domain.com'.
>> In order to do so I am not sure if it's best to have one A RR for each
>> or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
>> for 'www.domain.com'.
>>
>> domain.com      A      1.1.1.1
>> www.domain.com  A      1.1.1.1
>>
>> OR
>>
>> domain.com      A      1.1.1.1
>> www.domain.com  CNAME  domain.com
>
> If named.conf is correctly set up with the domain name - then
> you could use

What Mark tells you is a good principle! If you can send us your named.conf config, it'll be okay.

> $TTL 3600
> @    IN SOA   ...the SOA info
>      IN NS    Nameserver record lines
>      IN A     1.1.1.1
> www  IN A     1.1.1.1
>
> Last line can be converted to a CNAME...
> www  IN CNAME domain.com.
>
> When you include IPv6 addresses into the mix...
> using a CNAME saves you entering the same IPv6 address twice - so then
> there really is a saving - especially when you include other alternative
> labels like 'mail', 'pop', 'smtp', 'ftp' - etc - do them all as CNAMES!
>
> $TTL 3600
> @    IN SOA   ...the SOA info
>      IN NS    Nameserver record lines
>      IN A     1.1.1.1
>      IN AAAA  2001:1:1::80
> www  IN CNAME domain.com.
>
> What I think is your real problem:
> Regardless of which way you decide - apache will be given the
> original name - DNS will not re-write that.. so you have to spell out
> both names in your apache configuration files...
>
> So (playing with virtual hosts)
> NameVirtualHost 1.1.1.1

Playing with the web server, in this Apache it's very important that your domain is well configured, as in the above configuration. You can decide to call your FQDN what you want, playing with the ServerAlias directive.

> <VirtualHost 1.1.1.1>
>   ServerName domain.com
>   ServerAlias www.domain.com
>   ...
> </VirtualHost>
>
> -and later for IPv6 - duplicate the above...
> (this line next to the other "NameVirtualHost")
> NameVirtualHost [2001:1:1::80]
>
> <VirtualHost [2001:1:1::80]>
>   ServerName domain.com
>   ServerAlias www.domain.com
>   ...
> </VirtualHost>

--
Yours Truly
Eric Kom
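The two layouts Mark compares obey two rules that decide A-versus-CNAME for you: a CNAME owner may carry no other data (RFC 1034 section 3.6.2), so the zone apex, which always holds SOA and NS, must stay A/AAAA while 'www', 'mail' and friends can be aliases, and an in-zone alias target must itself have address data. The following checker is an added example, not code from the thread or from BIND; the two sample zones are constructed here, modelled on Mark's layouts plus the mistakes that "do them all as CNAMEs" invites.

```python
import re
from collections import defaultdict

ORIGIN = "domain.com."

# Constructed sample zones modelled on the two layouts quoted in the thread.
# A blank owner field means "same owner as the previous record", as in a zone file.
GOOD_ZONE = """
@    IN SOA   ns1.domain.com. hostmaster.domain.com. 1 3600 900 604800 3600
     IN NS    ns1.domain.com.
     IN A     1.1.1.1
     IN AAAA  2001:1:1::80
ns1  IN A     1.1.1.2
www  IN CNAME domain.com.
mail IN CNAME domain.com.
"""

# Three mistakes: the apex made a CNAME (it already carries SOA and NS), www given
# both an A record and a CNAME, and ftp aliased to a name that does not exist.
BAD_ZONE = """
@    IN SOA   ns1.domain.com. hostmaster.domain.com. 1 3600 900 604800 3600
     IN NS    ns1.domain.com.
     IN CNAME www.domain.com.
ns1  IN A     1.1.1.2
www  IN A     1.1.1.1
www  IN CNAME domain.com.
ftp  IN CNAME files.domain.com.
"""

# owner (may be empty), optional TTL, class IN, type, rdata
RECORD_RE = re.compile(r"^(\S*)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.*)$")


def qualify(name, origin=ORIGIN):
    """Expand a zone-file name to a fully qualified, lower-cased name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return {owner: [(type, rdata), ...]} for the simple one-line records used here."""
    records = defaultdict(list)
    last_owner = origin
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed zone line: {line!r}")
        owner, rtype, rdata = m.groups()
        owner = qualify(owner, origin) if owner else last_owner
        last_owner = owner
        records[owner].append((rtype.upper(), rdata.strip()))
    return records


def lint_zone(records, origin=ORIGIN):
    """Apply the CNAME rules; return [(owner, problem), ...] sorted by owner."""
    findings = []
    for owner, rrs in sorted(records.items()):
        types = {t for t, _ in rrs}
        cnames = [rd for t, rd in rrs if t == "CNAME"]
        if not cnames:
            continue
        # RFC 1034 section 3.6.2: a CNAME owner may carry no other data. The apex
        # can therefore never be a CNAME, because SOA and NS always live there.
        others = sorted(types - {"CNAME"})
        if others:
            where = "zone apex" if owner == origin else owner
            findings.append((owner, f"CNAME at {where} coexists with {', '.join(others)}"))
        if len(cnames) > 1:
            findings.append((owner, "more than one CNAME at the same owner"))
        # An in-zone alias target must itself have address data (or another CNAME).
        target = qualify(cnames[0], origin)
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and not any(t in ("A", "AAAA", "CNAME") for t, _ in records.get(target, [])):
            findings.append((owner, f"CNAME target {target} has no address data in the zone"))
    return findings


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, lint_zone(parse_zone(zone)) or "no problems")
```

Run against the good zone the checker is silent; against the bad one it reports the apex CNAME, the www A/CNAME clash and the dangling ftp alias, which is the order in which a zone of that shape would fail to load or misbehave in named.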
Warning view message during rndc reload
Good morning all, it's many days now that I've observed the warning view message during the rndc reload process:

Jan 4 07:01:09 ns1 named[920]: received control channel command 'reload'
Jan 4 07:01:09 ns1 named[920]: loading configuration from '/etc/bind/named.conf'
Jan 4 07:01:09 ns1 named[920]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Jan 4 07:01:09 ns1 named[920]: using default UDP/IPv4 port range: [1024, 65535]
Jan 4 07:01:09 ns1 named[920]: using default UDP/IPv6 port range: [1024, 65535]
Jan 4 07:01:09 ns1 named[920]: no IPv6 interfaces found
Jan 4 07:01:09 ns1 named[920]: sizing zone task pool based on 53 zones
Jan 4 07:01:09 ns1 named[920]: Warning: view internal: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jan 4 07:01:09 ns1 named[920]: Warning: view external-root: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jan 4 07:01:09 ns1 named[920]: Warning: view internal-localhost: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jan 4 07:01:09 ns1 named[920]: reloading configuration succeeded
Jan 4 07:01:09 ns1 named[920]: reloading zones succeeded
Jan 4 07:01:09 ns1 named[920]: zone 0.0.10.in-addr.arpa/IN/internal: loaded serial 2012010402

Please, how can I fix this issue?

--
Yours Truly
Eric Kom
System Administrator - Metropolitan College
2 Hennie Van Till, White River, 1240
Tel: 013 750 2255 | Fax: 013 750 0105 | Cell: 078 879 1334
eric...@kom.za.net | eric...@namekom.co.za | eric...@erickom.co.za
www.kom.za.net | www.kom.za.org | www.erickom.co.za
Key fingerprint: 513E E91A C243 3020 8735 09BB 2DBC 5AD7 A9DA 1EF5
Re: BIND trying to use IPv6 for recursion
Good day,

Configure the /etc/default/bind9 file like:

OPTIONS="-4 -u bind"

-4 is for IPv4. Bind was confused between IPv4 and IPv6.

On 13/01/2012 19:20, Ian Pilcher wrote:
> I am a relative newbie to running BIND in "production". I have recently
> set up BIND 9.7 (on CentOS 6.2) as the nameserver for my home network.
> I am using Google's public DNS servers (8.8.8.8 and 8.8.4.4 as my
> forwarders).
>
> My ISP does not support IPv6, and none of the network interfaces on the
> server has an IPv6 address (including the loopback interface). Despite
> this, BIND appears to be trying to use IPv6 to communicate with other
> nameservers. My log is filling with messages like:
>
> error (network unreachable) resolving 'www.isc.org/A/IN':
> 2001:4f8:0:2::19#53
>
> 2001:4f8:0:2::19 is sfba.sns-pb.isc.org, which is one of the nameservers
> for the isc.org zone.
>
> I've tried Googling and looked through the ARM, but I haven't found any
> way to change this behavior.
>
> Hints appreciated. Thanks!

--
Yours Truly
Eric Kom
System Administrator - Metropolitan College
Strange Problem querying delegated zone
I'm running into a strange problem and am hoping someone might be able to give me at least some direction regarding what to look at.

I have BIND set up as the name server on my box. /etc/resolv.conf lists 127.0.0.1 as the name server. BIND is authoritative for a single domain (for internal use only) with three subzone delegations to rbldnsd for blacklists running on 127.0.0.253.

The problem I am experiencing is that when I attempt to query one of the delegated zones, the first query works beautifully, but any subsequent queries result in SERVFAIL responses. If I stop querying for some period of time (say a minute) I can then successfully run a single query against the delegated zones and again any subsequent queries fail.

During the time when BIND returns SERVFAIL, I am able to query directly against the rbldnsd server running on 127.0.0.253.

Thanks in advance for any help!
DNS failures - FORMERR
I'm seeing lots of DNS resolution failures on my router (running Ubuntu 8.10, bind 9.3.4). While most succeed, I get quite a few FORMERR errors similar to:

May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 66.151.140.2#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.168.3.1#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.112.36.4#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 128.63.2.53#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.228.79.201#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.36.148.17#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 202.12.27.33#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.33.4.12#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.5.5.241#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.58.128.30#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 128.8.10.90#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 198.41.0.4#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.203.230.10#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 193.0.14.129#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 199.7.83.42#53

I'm running an iptables firewall on this box, which is connected to the internet via a wireless access point on my roof with a link to my ISP. As a result of the above FORMERRs, clients on my LAN are unable to resolve addresses -- in the above case, imap.gmail.com, and therefore are unable to access mail.

Upon the recommendations of someone familiar with the relevant technologies, I've updated my DNS (named.conf) to set the edns-udp-size 500 option. This had no effect.

If I use dig to resolve imap.gmail.com manually, by specifying any of the above-mentioned DNS servers, everything works fine. In fact, I can usually force my DNS server to begin resolving these addresses (e.g. imap.gmail.com) for a LITTLE while, by manually using nslookup and querying first for the NS record of gmail.com, and then for the A record of imap.gmail.com. Once I succeed in getting a resolution, the address record is cached, and my DNS will resolve the hostname until the cache time is exceeded. And then I'm back to no resolution and FORMERRs.

Can anyone suggest anything I can try? Thanks much.

-- Eric
DNS Resolution Failure - FORMERR
I'm seeing lots of DNS resolution failures on my router (running Ubuntu 8.10, bind 9.3.4). While most succeed, I get quite a few FORMERR errors similar to:

May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 66.151.140.2#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.168.3.1#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.112.36.4#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 128.63.2.53#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.228.79.201#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.36.148.17#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 202.12.27.33#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.33.4.12#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.5.5.241#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.58.128.30#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 128.8.10.90#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 198.41.0.4#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.203.230.10#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 193.0.14.129#53
May 4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 199.7.83.42#53

I'm running an iptables firewall on this box, which is connected to the internet via a wireless access point on my roof with a link to my ISP. As a result of the above FORMERRs, clients on my LAN are unable to resolve addresses -- in the above case, imap.gmail.com, and therefore are unable to access mail.

Upon the recommendations of someone familiar with the relevant technologies, I've updated my DNS (named.conf) to set the edns-udp-size 500 option. This had no effect.

If I use dig to resolve imap.gmail.com manually, by specifying any of the above-mentioned DNS servers, everything works fine. Also, when clients within my network fail to have imap.gmail.com resolve, I can "fix" things for a short while, by simply issuing the following:

nslookup
set querytype=ns
gmail.com.
lserver
set querytype=a
imap.gmail.com

Once I've done the above, my DNS server caches the A record for imap.gmail.com and happily hands it out until the cache time is exceeded, when I'm back to getting FORMERRs and failing to resolve imap.gmail.com.

There are other addresses than imap.gmail.com that cannot be resolved due to FORMERRs, but this domain name is the most prevalent, and most annoying, since it prevents users within my network from getting mail.

Since I can force my DNS to resolve these addresses by issuing the above queries, I'm wondering if the problem is due to having the following in my named.conf:

forwarders { 192.168.3.1; 66.151.140.2; };

My ISP provides the above two DNS servers and I have mine delegating to theirs. Perhaps one of these two DNS servers (or any that they forward to) is having problems (perhaps no EDNS0 support?), which causes the FORMERRs to be reported by my DNS server. I haven't yet tried removing the forwarders. I figured this was not the issue because the FORMERR log messages suggest (to me) that my DNS is trying to contact the root servers itself (and not relying on the downstream DNS servers to do so).

Does anyone have ideas about what is going on? Thanks much.

-- Eric
Re: DNS Resolution Failure - FORMERR
I apologize for the multiple posts. I didn't think my post was making it to the list since I never received my own post, but have been receiving those of others. And yes, I'm configured to see my own posts.

A couple of people have suggested I look at the trace output of bind to see what server is sending the bad response. I provide some of the trace output below. I certainly don't see anything amiss, and one of the servers that appears to provoke the FORMERR seems to have responded just fine. Here is the relevant output (with some stuff deleted due to verbosity):

05-May-2009 10:49:14.943 dispatch 0x8144b90 response 0x81476b8 192.228.79.201#53: attached to task 0x80ed240
05-May-2009 10:49:14.945 resquery 0x8152c70 (fctx 0x812f170(imap.gmail.com/A)): sent
05-May-2009 10:49:14.945 resquery 0x8152c70 (fctx 0x812f170(imap.gmail.com/A)): senddone
05-May-2009 10:49:14.945 dispatch 0x8149a70: got packet: requests 0, buffers 2, recvs 1
05-May-2009 10:49:14.945 dispatch 0x8149a70: shutting down; detaching from sock 0x81418f0, task 0x8141a20
05-May-2009 10:49:14.965 socket 0x8141460 192.228.79.201#53: packet received correctly
05-May-2009 10:49:14.966 dispatch 0x8144b90: got packet: requests 1, buffers 1, recvs 1
05-May-2009 10:49:14.966 dispatch 0x8144b90: got valid DNS message header, /QR 1, id 47066
05-May-2009 10:49:14.966 resquery 0x8152c70 (fctx 0x812f170(imap.gmail.com/A)): response
05-May-2009 10:49:14.967 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47066
;; flags: qr rd ra ; QUESTION: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;imap.gmail.com. IN A

;; ANSWER SECTION:
imap.gmail.com. 241 IN CNAME gmail-imap.l.google.com.
gmail-imap.l.google.com. 241 IN A 209.85.201.111
gmail-imap.l.google.com. 241 IN A 209.85.201.109

;; AUTHORITY SECTION:
gmail.com. 76384 IN NS ns4.google.com.
gmail.com. 76384 IN NS ns1.google.com.
gmail.com. 76384 IN NS ns2.google.com.
gmail.com. 76384 IN NS ns3.google.com.

;; ADDITIONAL SECTION:
ns4.google.com. 77136 IN A 216.239.38.10
ns1.google.com. 77136 IN A 216.239.32.10
ns2.google.com. 77136 IN A 216.239.34.10
ns3.google.com. 77136 IN A 216.239.36.10

05-May-2009 10:49:14.967 fctx 0x812f170(imap.gmail.com/A'): answer_response
05-May-2009 10:49:14.968 fctx 0x812f170(imap.gmail.com/A'): noanswer_response
05-May-2009 10:49:14.968 fctx 0x812f170(imap.gmail.com/A'): cancelquery
05-May-2009 10:49:14.968 dispatch 0x8144b90 response 0x81476b8 192.228.79.201#53: detaching from task 0x80ed240
05-May-2009 10:49:14.968 dispatch 0x8144b90: detach: refcount 0
05-May-2009 10:49:14.968 fctx 0x812f170(imap.gmail.com/A'): add_bad
05-May-2009 10:49:14.969 FORMERR resolving 'imap.gmail.com/A/IN': 192.228.79.201#53

Does this trace output suggest what is going wrong?

-- Eric
Re: DNS Resolution Failure - FORMERR
I suspect my problem has to do with the fact that imap.gmail.com is a CNAME for gmail-imap.l.google.com. When queries fail (with the FORMERRs), the responses I see coming back to my DNS server include a CNAME record and two A records. When I do the little hack with a manual query, which makes the server respond successfully for a while, I note that I get a CNAME record with only one A record back from one of the ISP DNS servers I forward to.

Also, if I change my iPhone/Thunderbird applications to use gmail-imap.l.google.com rather than imap.gmail.com, everything works fine (no FORMERRs or resolution failures).

Does this ring any bells?

On Tue, May 5, 2009 at 9:11 PM, Eric Swenson wrote:
> I renamed the forwarders and added a "forward only;" option, and now, while
> I still can't resolve imap.gmail.com, I now simply get FORMERRs for the
> two forwarded DNS servers:
>
> May 5 21:05:10 localhost named[12188]: FORMERR resolving 'imap.gmail.com/A/IN': 66.151.140.2#53
> May 5 21:05:10 localhost named[12188]: FORMERR resolving 'imap.gmail.com/A/IN': 192.168.3.1#53
>
> Since if I use "dig" or "nslookup" against these two servers directly
> (from my router machine) the queries come back fine, what does this mean? I
> wouldn't think my firewall is to be suspected of causing this since I can
> issue these requests and get valid answers back, and that traffic would go
> through the firewall in the same way as requests going through my DNS
> server, right?
>
> -- Eric
Logwatch Unmatched Entries
I've recently moved our DNS from FreeBSD 4 / Bind8 to CentOS 5.3 Bind9.4.3. These are not authoritative for any routable domains but are for my NAT'd school network. I have an AD server (10.1.60.11) that forwards to my two Bind servers. I receive the logwatch each night and have some questions.

1) Zone update refused from my Windows workstations.

Zone update refused:
   10.1.60.11 (60.1.10.IN-ADDR.ARPA/IN): 24 Time(s)
   10.1.60.11 (smls.org/IN): 48 Time(s)
   10.1.60.122 (smls.org/IN): 4 Time(s)
   10.1.60.82 (smls.org/IN): 8 Time(s)
   10.1.60.84 (smls.org/IN): 12 Time(s)
   10.1.60.85 (smls.org/IN): 15 Time(s)
   10.1.60.89 (smls.org/IN): 1 Time(s)

What are these machines trying to do?

2) Unmatched Entries

   chase DS servers resolving '165.55.65.in-addr.arpa/DS/IN': 65.55.226.140#53: 21 Time(s)
   must-be-secure resolving '205.in-addr.arpa.dlv.isc.org/DLV/IN': 199.6.0.29#53: 1 Time(s)
   must-be-secure resolving '216.in-addr.arpa.dlv.isc.org/DLV/IN': 149.20.64.4#53: 1 Time(s)
   no valid DS resolving '187.37.55.65.in-addr.arpa/PTR/IN': 68.115.71.53#53: 1 Time(s)
   no valid DS resolving '2.16.11.168.in-addr.arpa/PTR/IN': 68.115.71.53#53: 1 Time(s)
   no valid DS resolving 'org.dlv.isc.org/DLV/IN': 199.254.63.254#53: 2 Time(s)
   no valid DS resolving 'org.dlv.isc.org/DLV/IN': 199.6.0.29#53: 1 Time(s)
   ...snip...
   no valid RRSIG resolving '16.11.168.in-addr.arpa/DS/IN': 127.0.0.1#53: 1 Time(s)
   no valid RRSIG resolving '16.11.168.in-addr.arpa/DS/IN': 131.144.4.10#53: 1 Time(s)
   no valid RRSIG resolving '16.11.168.in-addr.arpa/DS/IN': 131.144.4.9#53: 1 Time(s)
   ...snip...
   not insecure resolving '55.65.in-addr.arpa/NS/IN': 127.0.0.1#53: 19 Time(s)
   not insecure resolving '55.65.in-addr.arpa/NS/IN': 207.46.66.126#53: 19 Time(s)
   not insecure resolving '55.65.in-addr.arpa/NS/IN': 213.199.161.77#53: 19 Time(s)
   not insecure resolving '55.65.in-addr.arpa/NS/IN': 24.196.64.53#53: 19 Time(s)
   not insecure resolving '55.65.in-addr.arpa/NS/IN': 64.4.59.173#53: 19 Time(s)
   not insecure resolving '55.65.in-addr.arpa/NS/IN': 65.55.226.140#53: 19 Time(s)
   not insecure resolving '55.65.in-addr.arpa/NS/IN': 65.55.37.62#53: 19 Time(s)
   not insecure resolving '55.65.in-addr.arpa/NS/IN': 68.115.71.53#53: 19 Time(s)
   not insecure resolving 'isc.org/NS/IN': 199.254.63.254#53: 1 Time(s)
   not insecure resolving 'isc.org/NS/IN': 199.6.1.30#53: 1 Time(s)
   not insecure resolving 'isc.org/NS/IN': 68.115.71.53#53: 1 Time(s)
   not insecure resolving 'se/DNSKEY/IN': 130.239.5.114#53: 1 Time(s)
   not insecure resolving 'se/DNSKEY/IN': 192.36.133.107#53: 1 Time(s)
   not insecure resolving 'se/DNSKEY/IN': 192.71.53.53#53: 1 Time(s)
   validating @0xab01de0: 205.in-addr.arpa.dlv.isc.org DLV: must be secure failure: 1 Time(s)
   validating @0xb49fe660: 216.in-addr.arpa.dlv.isc.org DLV: must be secure failure: 1 Time(s)

What do these log entries mean? Anything to worry about?

Thanks for taking the time to help out.

--- Eric
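The FORMERR posts above and these logwatch entries share one message shape: "<reason> resolving '<qname>/<type>/<class>': <server>#<port>", carried either in a syslog line, in named's own trace output, or in a logwatch "N Time(s)" summary. The first question both threads circle around is whether failures come from one upstream or from everyone, the root servers included, because the latter points at the local resolver's own queries or network path rather than at a forwarder. The parser and summary below are an added example, not code from either poster or from BIND; the sample lines are constructed here in the shape of the ones quoted, and the root-server address table is the 2009-era IPv4 list (several have changed since), included only so the report can tell roots from other servers.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: syslog lines in the shape of the FORMERR posts above and
# logwatch summary lines in the shape of the DNSSEC entries. The last line is a
# validator message that does not follow the "<reason> resolving ..." pattern.
SAMPLE_LINES = [
    "May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 66.151.140.2#53",
    "May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.168.3.1#53",
    "May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 198.41.0.4#53",
    "May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.33.4.12#53",
    "May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.5.5.241#53",
    "no valid DS resolving '187.37.55.65.in-addr.arpa/PTR/IN': 68.115.71.53#53: 1 Time(s)",
    "not insecure resolving '55.65.in-addr.arpa/NS/IN': 127.0.0.1#53: 19 Time(s)",
    "not insecure resolving '55.65.in-addr.arpa/NS/IN': 207.46.66.126#53: 19 Time(s)",
    "validating @0xab01de0: 205.in-addr.arpa.dlv.isc.org DLV: must be secure failure: 1 Time(s)",
]

# Core of every "<reason> resolving '<qname>/<type>/<class>': <server>#<port>" message,
# whatever prefix (syslog, named trace timestamp) or suffix ("N Time(s)") surrounds it.
# The lazy reason group stops at the first " resolving '".
RESOLVING_RE = re.compile(
    r"(?P<reason>[A-Za-z][\w -]*?) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Za-z0-9]+)/(?P<qclass>[A-Za-z]+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?:: (?P<count>\d+) Time\(s\))?"
)

# IPv4 addresses of the 13 root servers as they stood in 2009, matching the
# addresses in the posts above. Several have changed since; for this example only.
ROOT_SERVERS_2009 = {
    "198.41.0.4": "a", "192.228.79.201": "b", "192.33.4.12": "c",
    "128.8.10.90": "d", "192.203.230.10": "e", "192.5.5.241": "f",
    "192.112.36.4": "g", "128.63.2.53": "h", "192.36.148.17": "i",
    "192.58.128.30": "j", "193.0.14.129": "k", "199.7.83.42": "l",
    "202.12.27.33": "m",
}


@dataclass(frozen=True)
class Event:
    reason: str
    qname: str
    qtype: str
    server: str
    count: int


def parse_line(line):
    """Return an Event for a resolving-failure line, or None for any other message."""
    m = RESOLVING_RE.search(line)
    if not m:
        return None
    return Event(m["reason"], m["qname"].strip().lower().rstrip("."),
                 m["qtype"].upper(), m["server"], int(m["count"] or 1))


def summarize(lines):
    """Group by (reason, qname); track message count, distinct servers and which are roots."""
    groups = defaultdict(lambda: {"count": 0, "servers": set(), "roots": set()})
    unparsed = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        g = groups[(ev.reason, ev.qname)]
        g["count"] += ev.count
        g["servers"].add(ev.server)
        if ev.server in ROOT_SERVERS_2009:
            g["roots"].add(ev.server)
    return groups, unparsed


def report(lines):
    """One line per group, most widespread first. Independent servers (roots included)
    all rejecting the same query points at our own queries or path, not one upstream."""
    groups, unparsed = summarize(lines)
    out = []
    for (reason, qname), g in sorted(groups.items(), key=lambda kv: -len(kv[1]["servers"])):
        n, r = len(g["servers"]), len(g["roots"])
        verdict = "root servers among rejecters" if r else "no root servers among rejecters"
        out.append(f"{reason} {qname}: {g['count']} msg(s), {n} server(s), {r} root(s); {verdict}")
    out.append(f"{len(unparsed)} line(s) in another format")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Fed the full log from the first FORMERR post, the imap.gmail.com group would show 15 servers of which 13 are roots, which is the observation Eric later makes by hand; fed the logwatch entries it simply groups the DNSSEC validator messages by qname so the "not insecure" and "no valid DS" chatter can be read per zone instead of per server.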
nsupdate, dnssec, minimum ttl
I'm using 9.7.0-P2 to test with dynamic updates via nsupdate along with setting up dnssec. So far my tests are working well with dynamic updates and validation of the dnssec records, but I have a question on how the TTL is set for the NSEC and RRSIG NSEC records.

As a test, when I do the following update:

nsupdate
> ttl 7200
> update add ldap5.example.com CNAME ldap.example.com
> send

I then see the following set of entries via named-journalprint with the respective TTLs.

add ldap5.example.com. 7200 IN CNAME ldap.example.com.
add ldap5.example.com. 7200 IN RRSIG CNAME 5 3 7200 ...
add ldap5.example.com. 86400 IN RRSIG NSEC 5 3 86400 ...
add ldap4.example.com. 86400 IN RRSIG NSEC 5 3 86400 ...
add ldap4.example.com. 86400 IN NSEC ldap5.example.com. CNAME RRSIG NSEC
add ldap5.example.com. 86400 IN NSEC ldp.example.com. CNAME RRSIG NSEC

It would appear that the NSEC and RRSIG NSEC TTLs are set to my example.com zone's minimum TTL, which is 86400, instead of inheriting the TTL I set of 7200. Is this the expected behavior? I guess I was hoping that since nsupdate was auto-creating the NSEC and RRSIG NSEC records for me, they would inherit the "ttl 7200" value.

Regards,
-Eric
problem domains host in ns1/ns2.planetdomain.com
Hi,

Some days ago netregistry.com bought planetdomain.com. There are a number of domains (not sure if all) hosted at ns1/ns2.planetdomain.com whose NS records point to ns1/ns2/ns3.netregistry.net. However, these netregistry.net servers do not host these domains. So if the records of these domains expire and are refreshed from these netregistry name servers, they will get an error. For example, domain "carlajohnson.com.au":

$ dig +trace ns carlajohnson.com.au

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> +trace ns carlajohnson.com.au
;; global options: +cmd
. 399916 IN NS e.root-servers.net.
. 399916 IN NS j.root-servers.net.
. 399916 IN NS i.root-servers.net.
. 399916 IN NS h.root-servers.net.
. 399916 IN NS b.root-servers.net.
. 399916 IN NS c.root-servers.net.
. 399916 IN NS d.root-servers.net.
. 399916 IN NS a.root-servers.net.
. 399916 IN NS m.root-servers.net.
. 399916 IN NS l.root-servers.net.
. 399916 IN NS g.root-servers.net.
. 399916 IN NS k.root-servers.net.
. 399916 IN NS f.root-servers.net.
;; Received 492 bytes from 10.68.201.185#53(10.68.201.185) in 9 ms

au. 172800 IN NS v.au.
au. 172800 IN NS w.au.
au. 172800 IN NS a.au.
au. 172800 IN NS b.au.
au. 172800 IN NS x.au.
au. 172800 IN NS y.au.
au. 172800 IN NS u.au.
au. 172800 IN NS z.au.
;; Received 489 bytes from 192.36.148.17#53(192.36.148.17) in 71 ms

carlajohnson.com.au. 14400 IN NS ns1.planetdomain.com.
carlajohnson.com.au. 14400 IN NS ns2.planetdomain.com.
;; Received 89 bytes from 37.209.194.5#53(37.209.194.5) in 304 ms

carlajohnson.com.au. 3600 IN NS ns2.netregistry.net.
carlajohnson.com.au. 3600 IN NS ns1.netregistry.net.
carlajohnson.com.au. 3600 IN NS ns3.netregistry.net.
;; Received 106 bytes from 203.55.142.5#53(203.55.142.5) in 327 ms

$ dig @ns1.planetdomain.com soa carlajohnson.com.au

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> @ns1.planetdomain.com soa carlajohnson.com.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18145
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;carlajohnson.com.au. IN SOA

;; ANSWER SECTION:
carlajohnson.com.au. 3600 IN SOA ns1.netregistry.net. dmain.netregistry.net. 2014051416 86400 7200 360 172800

;; Query time: 312 msec
;; SERVER: 203.55.143.4#53(203.55.143.4)
;; WHEN: Thu Dec 29 18:26:37 2016
;; MSG SIZE rcvd: 98

$ dig @ns1.netregistry.net soa carlajohnson.com.au

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> @ns1.netregistry.net soa carlajohnson.com.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45598
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;carlajohnson.com.au. IN SOA

;; Query time: 316 msec
;; SERVER: 203.55.143.10#53(203.55.143.10)
;; WHEN: Thu Dec 29 18:22:27 2016
;; MSG SIZE rcvd: 37

I checked that Google DNS 8.8.8.8 is really able to refresh the correct records after they expire. So I just wonder whether a BIND config is able to bypass this problem, other than making forward-only zones that ask 8.8.8.8.

Eric

___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
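The trace above shows the parent (the .au servers) delegating to ns1/ns2.planetdomain.com while the zone's own servers hand out an NS set pointing at netregistry.net, which then answers the SOA query with nothing. The following is an added example (not from the post, not BIND code) that parses `dig +trace` output and flags that parent/child NS mismatch; the sample input is the trace from the post, reflowed, and the parser tolerates a TTL glued to the owner name as in copy-pasted output.

```python
"""Detect a parent/child NS mismatch in `dig +trace` output.

Added example, not part of the bind-users post. It walks the referral chain
printed by `dig +trace`, collects the NS RRset returned at each hop, and
compares the delegation the parent hands out with the NS set served by the
child's own servers. A resolver that follows the child's NS set after the
cached records expire will re-query servers that do not serve the zone.
"""
import re

# Owner name (ends in "."), optional whitespace, TTL, "IN NS", target.
NS_LINE = re.compile(r"^(\S*?\.)\s*(\d+)\s*IN\s+NS\s+(\S+)$")
RECV_LINE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+")

# Sample input: the trace quoted in the post, one record per line (root and
# .au hops abbreviated). Constructed from the post's output for this example.
TRACE_OUTPUT = """\
. 399916 IN NS a.root-servers.net.
;; Received 492 bytes from 10.68.201.185#53(10.68.201.185) in 9 ms
au. 172800 IN NS v.au.
au. 172800 IN NS w.au.
;; Received 489 bytes from 192.36.148.17#53(192.36.148.17) in 71 ms
carlajohnson.com.au.14400 IN NS ns1.planetdomain.com.
carlajohnson.com.au.14400 IN NS ns2.planetdomain.com.
;; Received 89 bytes from 37.209.194.5#53(37.209.194.5) in 304 ms
carlajohnson.com.au.3600IN NS ns2.netregistry.net.
carlajohnson.com.au.3600IN NS ns1.netregistry.net.
carlajohnson.com.au.3600IN NS ns3.netregistry.net.
;; Received 106 bytes from 203.55.142.5#53(203.55.142.5) in 327 ms
"""


def parse_trace(text):
    """Return one (responding_server, owner, frozenset(ns_targets)) per hop."""
    hops, owner, targets = [], None, set()
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            owner = m.group(1).lower()
            targets.add(m.group(3).lower())
            continue
        m = RECV_LINE.match(line.strip())
        if m and owner is not None:
            hops.append((m.group(1), owner, frozenset(targets)))
            owner, targets = None, set()
    return hops


def delegation_check(text, name):
    """Compare the parent's delegation NS set for `name` with the NS set the
    child's own servers return (the last two hops that carry that owner).
    Returns None when the trace does not reach the child."""
    name = name.lower().rstrip(".") + "."
    own = [h for h in parse_trace(text) if h[1] == name]
    if len(own) < 2:
        return None
    (parent_srv, _, parent_ns), (child_srv, _, child_ns) = own[-2], own[-1]
    return {
        "parent_server": parent_srv,
        "parent_ns": parent_ns,
        "child_server": child_srv,
        "child_ns": child_ns,
        "consistent": parent_ns == child_ns,
    }


if __name__ == "__main__":
    result = delegation_check(TRACE_OUTPUT, "carlajohnson.com.au")
    for key, value in result.items():
        print(f"{key}: {sorted(value) if isinstance(value, frozenset) else value}")
```

Run against a live `dig +trace` capture, an inconsistent result is the cue to contact the operator of the delegated servers, as the reply in the thread suggests, rather than to work around it in the resolver.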
Re: problem domains host in ns1/ns2.planetdomain.com (Eric Yiu)
Hi,

The thing I am trying to solve is that our users, who use our caching DNS servers, cannot send emails to those domains which planetdomain.com is currently hosting, as the MX records of these domains expired. But Google DNS works properly after they expire. Although I know it is the normal behavior, as netregistry does not hold anything for those domains, I tried myself for a few hours to load the Google DNS servers 8.8.8.8 with these domains cached, waited for the MX of the problem domain to expire, and all Google DNS servers would indeed refresh the right MX record. Our users argued why Google DNS can perform properly but not our cache-only DNS. Users are somehow idiots on tech things. They know a bit of the DNS flow, but they know they can compare, you know... So I am asking if there is anything missing in the BIND DNS config so that I can fix these domains at our side.

Eric

On Thu, Dec 29, 2016 at 10:23 PM, MURTARI, JOHN wrote:
> Eric,
> Thanks for the complete example below, but I'm not sure what you
> are trying to solve?
>
> It looks like the netregistry.net servers don't have zone data
> loaded even though they are supposed to be authoritative. Your best bet
> would be to contact them and point out it appears some zone data was lost
> when service was transferred. Trying to use Google isn't going to help if
> the data isn't on the designated authoritative servers.
>
> Hope this helps.
> John
>
> -
> Date: Thu, 29 Dec 2016 18:27:47 +0800
> From: Eric Yiu
> To: bind-users@lists.isc.org
> Subject: problem domains host in ns1/ns2.planetdomain.com
>
> Someday ago netregistry.com bought planetdomain.com. And there are a
> number of domains (not sure if all) host at ns1/ns2.planetdomain.com
> ns point to ns1/ns2/ns3.netregistry.net. However these netregistry.net do
> not host these domain. Then if the records of these domain expired and
> refresh from these netregistry name server, they will get error. For
> example: domain "carlajohnson.com.au":
>
> $ dig +trace ns carlajohnson.com.au
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> +trace ns
> carlajohnson.com.au
> ;; global options: +cmd
> . 399916 IN NS e.root-servers.net.
> . 399916 IN NS j.root-servers.net.
> . 399916 IN NS i.root-servers.net.
> . 399916 IN NS h.root-servers.net.
> . 399916 IN NS b.root-servers.net.
> . 399916 IN NS c.root-servers.net.
> . 399916 IN NS d.root-servers.net.
> . 399916 IN NS a.root-servers.net.
> . 399916 IN NS m.root-servers.net.
> . 399916 IN NS l.root-servers.net.
> . 399916 IN NS g.root-servers.net.
> . 399916 IN NS k.root-servers.net.
> . 399916 IN NS f.root-servers.net.
> ;; Received 492 bytes from 10.68.201.185#53(10.68.201.185) in 9 ms
>
> au. 172800 IN NS v.au.
> au. 172800 IN NS w.au.
> au. 172800 IN NS a.au.
> au. 172800 IN NS b.au.
> au. 172800 IN NS x.au.
> au. 172800 IN NS y.au.
> au. 172800 IN NS u.au.
> au. 172800 IN NS z.au.
> ;; Received 489 bytes from 192.36.148.17#53(192.36.148.17) in 71 ms
>
> carlajohnson.com.au. 14400 IN NS ns1.planetdomain.com.
> carlajohnson.com.au. 14400 IN NS ns2.planetdomain.com.
> ;; Received 89 bytes from 37.209.194.5#53(37.209.194.5) in 304 ms
>
> carlajohnson.com.au. 3600 IN NS ns2.netregistry.net.
> carlajohnson.com.au. 3600 IN NS ns1.netregistry.net.
> carlajohnson.com.au. 3600 IN NS ns3.netregistry.net.
> ;; Received 106 bytes from 203.55.142.5#53(203.55.142.5) in 327 ms
>
>
>
> $ dig @ns1.planetdomain.com soa carlajohnson.com.au
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> @ns1.planetdomain.com
> soa carlajohnson.com.au
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18145
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;carlajohnson.com.au. IN SOA
>
> ;; ANSWER SECTION:
> carlajohnson.com.au.360
Re: DNS Recognition
eltiare wrote:
Hello all,

Got a total newb here to DNS. I've purchased the book DNS and BIND from O'Reilly, and most of it makes sense to me. However, there is one thing that has been bugging me, and it's that I can't figure out for the life of me how I am supposed to point registrars to my domain name server. The one with which I am registered only wants the _names_ of the DNS and not IP addresses, and I am confused as to how I am supposed to assign names (like ns1.my-domain.com) to my domain name servers. Even if you could get me pointed to some docs that would help me out, it would be appreciated. I've spent about a day looking for this information now.

Jeremy Nicoll

What registrar are you using?
Hostname Naming Compliance
Are there plans for Bind to enforce hostname compliance according to RFCs, or is this going to be left up to each DNS operator?

Eric Davis
Rockefeller University
Re: Hostname Naming Compliance
I know the option to use this compliance checker is present, but I'm curious to know if there are plans to make it mandatory to comply. We aren't using this feature now, but I would like to. My problem is politicking my way around the issue of breaking something that works. If Bind were to say they were going to start forcing compliance with this naming standard, then I simply have to say it's a standard that is being enforced. Shouldn't enforcement be applied across the board anyway instead of at the operator's discretion?

Eric

Chris Buxton wrote:
On Feb 23, 2009, at 10:19 AM, Eric C. Davis wrote:
Are there plans for Bind to enforce hostname compliance according to RFC's or is this going to be left up to each DNS operator?

It's present in BIND 9.3 and later. All characters except a-z, A-Z, 0-9, and "-" itself are forbidden to appear in the labels of any domain name that is to be treated as a hostname. That is, any name that has an A or AAAA record, or that appears in the RData of an NS, MX, or SRV record (if I'm not mistaken).

This can be disabled with:

options {
check-names master warn; # or fail
};

or:

zone "some.name" {
check-names warn; # or fail
};

Chris Buxton
Professional Services
Men & Mice
Re: Deny query from a single IP
It is better to do this with a real IPS rather than use your DNS server to do this. You should avoid having any unwanted traffic hit your DNS servers ever.

Eric

Prabhat Rana wrote:
Hello,

I have BIND 9.5 running on a Solaris 10 box. It provides recursive DNS service. I'm trying to implement a script where it reads the BIND stats file for all the incoming queries, and if there are too many queries from a single user (source IP) it will block queries from that particular IP. In order for this to occur, is there a parameter similar to allow-query that I can inject into the named.conf to block queries from a single IP address when this condition occurs? Basically I'm trying to add a tool to detect potential DOS attacks where we see too many queries from one single IP. Any other suggestions would also be appreciated.

Thanks
Prabhat.
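Prabhat's detection step, finding sources that send too many queries in a short time, can be done from named's query log instead of the stats file, which has no per-client counters. The following is an added example, not from the thread: a sliding-window counter over query-log lines; the log lines are constructed in the style of named's query log with print-time enabled, and the threshold and window are made-up values. It only reports offenders, leaving any blocking to a device in front of the server as Eric advises.

```python
"""Report source IPs that exceed a per-window query count in a BIND query log.

Added example, not part of the bind-users thread. Lines are constructed in
the style of named's query log ("<time> client <ip>#<port>: query: <name> IN
<type> ..."). The function returns the peak number of queries seen from each
source within any `window_seconds` span, for sources that reached `threshold`.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample: 192.0.2.10 fires six queries within two seconds,
# 198.51.100.7 sends two, and one unrelated line is present to be skipped.
SAMPLE_LOG = [
    "29-Dec-2016 18:26:37.001 client 192.0.2.10#5300: query: www.example.com IN A + (10.0.0.1)",
    "29-Dec-2016 18:26:37.050 client 192.0.2.10#5301: query: www.example.com IN A + (10.0.0.1)",
    "29-Dec-2016 18:26:37.200 client 192.0.2.10#5302: query: mail.example.com IN MX + (10.0.0.1)",
    "29-Dec-2016 18:26:38.000 client 192.0.2.10#5303: query: www.example.com IN A + (10.0.0.1)",
    "29-Dec-2016 18:26:38.100 client 198.51.100.7#40001: query: example.org IN A + (10.0.0.1)",
    "29-Dec-2016 18:26:38.500 client 192.0.2.10#5304: query: www.example.com IN A + (10.0.0.1)",
    "29-Dec-2016 18:26:38.900 general: info: zone example.net/IN: loaded serial 1",
    "29-Dec-2016 18:26:39.000 client 192.0.2.10#5305: query: www.example.com IN A + (10.0.0.1)",
    "29-Dec-2016 18:26:45.000 client 198.51.100.7#40002: query: example.org IN AAAA + (10.0.0.1)",
]


def parse_line(line):
    """Return (timestamp, source_ip, qname, qtype) or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("name"), m.group("type")


def heavy_hitters(lines, threshold, window_seconds):
    """Sliding-window count per source IP over chronologically ordered lines.

    Returns {ip: peak_count} for every source whose count inside some
    window_seconds-long window reached threshold."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that fell out of the window ending at `ts`.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    for ip, count in heavy_hitters(SAMPLE_LOG, threshold=5, window_seconds=10).items():
        print(f"{ip}: {count} queries within 10s")
```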
Eric Magutu, CAPM wants to stay in touch on LinkedIn
LinkedIn

I'd like to add you to my professional network on LinkedIn.
- Eric Magutu, CAPM

Eric Magutu, CAPM
Senior Network Administrator at Safaricom Kenya

Confirm that you know Eric Magutu, CAPM
https://www.linkedin.com/e/-7udqre-gnzxtytv-4v/isd/2959671537/VjPLqjy6/

-- (c) 2011, LinkedIn Corporation
Re: Strange DNS Behaviour
funet.fi nameserver = ns.funet.fi
funet.fi nameserver = ns-secondary.funet.fi
> kemira.com
Server: rockyd.rockefeller.edu
Address: 129.85.1.24

Non-authoritative answer:
kemira.com nameserver = ns1.capgemini.fi
kemira.com nameserver = ns2.capgemini.fi

Internet DNS thinks those domain names are under the authority of the name servers listed above. What are you trying to accomplish?

Eric

Ashish wrote:
Hi,

Could someone kindly explain what is happening? I don't have domain name kemira.kemira.com anywhere in my primary database (and all secondaries, too)

kemira.com = 137.33.1.2

I have double-checked the master database and secondaries. I have restarted both of them, but nothing seems to help. In funet.fi (master for fi-domain) when I start named and query kemira.kemira.com for the first time, it looks like this:

==
datagram from 130.230.1.1 port 1536, fd 7, len 44
req: nlookup(kemira.kemira.com.funet.fi) id 1 type=1
req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
findns: SOA found
req: leaving (kemira.kemira.com.funet.fi, rcode 3)
req: answer -> 130.230.1.1 9 (1536) id=1 Local
datagram from 130.230.1.1 port 1537, fd 7, len 44
req: nlookup(kemira.kemira.com.funet.fi) id 2 type=15
req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
findns: SOA found
req: leaving (kemira.kemira.com.funet.fi, rcode 3)
req: answer -> 130.230.1.1 9 (1537) id=2 Local
datagram from 130.230.1.1 port 1538, fd 7, len 35
req: nlookup(kemira.kemira.com) id 3 type=1
req: found 'kemira.kemira.com' as 'com' (cname=0)
findns: using cache
findns: 7 NS's added for ''
ns_forw()
nslookup(nsp=xf7fff1e0,qp=x55000)
nslookup: NS NS.NIC.DDN.MIL c1 t2 (x0)
nslookup: 1 ns addrs
nslookup: NS AOS.BRL.MIL c1 t2 (x0)
nslookup: 4 ns addrs
nslookup: NS KAVA.NISC.SRI.COM c1 t2 (x0)
nslookup: 5 ns addrs
nslookup: NS C.NYSER.NET c1 t2 (x0)
nslookup: 6 ns addrs
nslookup: NS TERP.UMD.EDU c1 t2 (x0)
nslookup: 7 ns addrs
nslookup: NS NS.NASA.GOV c1 t2 (x0)
nslookup: 9 ns addrs
nslookup: NS NIC.NORDU.NET c1 t2 (x0)
nslookup: 10 ns addrs total
forw: forw -> 192.33.4.12 7 (53) nsid=5 id=3 0ms retry 4 sec

and a bit later:

datagram from 192.33.4.12 port 53, fd 7, len 186
USER response nsid=5 id=3 stime 712944912/687743 now 712944912/887742 rtt 199
NS #0 addr 192.33.4.12 used, rtt 199
NS #1 128.63.4.82 rtt now 0
NS #2 26.3.0.29 rtt now 0
NS #3 192.5.25.82 rtt now 0
NS #4 192.33.33.24 rtt now 0
NS #5 128.8.10.90 rtt now 0
NS #6 192.52.195.10 rtt now 0
NS #7 128.102.16.10 rtt now 0
NS #8 192.36.148.17 rtt now 0
NS #9 192.112.36.4 rtt now 401
resp: ancount 1, aucount 3, arcount 3
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname kemira.kemira.com type 1 class 1 ttl 172800
db_update(kemira.kemira.com, 0x554b8, 0x554b8, 031, 0x44ca0)
db_update: adding 554b8
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x55580, 0x55580, 031, 0x44ca0)
db_update: adding 55580
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x555b8, 0x555b8, 031, 0x44ca0)
db_update: adding 555b8
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x555f0, 0x555f0, 031, 0x44ca0)
db_update: adding 555f0
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.KEMIRA.COM type 1 class 1 ttl 172800
db_update(KEMIRA.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
db_update: new ttl 713117712, +172800
update failed (DATAEXISTS)
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname HYDRA.HELSINKI.FI type 1 class 1 ttl 518400
db_update(HYDRA.HELSINKI.FI, 0x55630, 0x55630, 031, 0x44ca0)
192.33.4.12 attempted update to auth zone 1 'fi'
update failed (-10)
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname HKIUX9.FIN.KEMIRA.COM type 1 class 1 ttl 172800
db_update(HKIUX9.FIN.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
db_update: adding 55630
resp: got as much answer as there is
send_msg -> 130.230.1.1 (UDP 9 1538) id=3
datagram from 130.230.1.1 port 1539, fd 7, len 35
req: nlookup(kemira.kemira.com) id 4 type=15
datagram from 130.230.1.1 port 1539, fd 7, len 35
req: nlookup(kemira.kemira.com) id 4 type=15
req: found 'kemira.kemira.com' as 'kemira.kemira.com' (cname=0)
finddata: added 0 class 1 type 15 RRs
findns: 3 NS's added for 'kemira'
ns_forw()
nslookup(nsp=xf7fff1e0,qp=x55000)
nslookup: NS KEMIRA.KEMIRA.COM c1 t2 (x0)
nslookup: 1 ns addrs
nslookup: NS HYDRA.HELSINKI.FI c1 t2 (x0)
nslookup: 2 ns addrs
nslookup: NS HKIUX9.FIN.KEMIRA.COM c1 t2 (x0)
nslookup: 3 ns addrs
nslookup: 3 ns addrs total
forw: forw -> 137.33.1.2 7 (53) nsid=7 id=4 0ms retry 4 sec
datagram from 137.33.1.2 port 53, fd 7, len 92
USER
Re: DNS Appliance
Infoblox user: Love them. Support is fantastic. I can name actual support engineers. Products are very good. Not too expensive. The only thing I'm disappointed with is the reporting/monitoring of the system. They are actively working to improve it, as they just came out with a new software release that has new IPAM and Reporting features.

Appliances in general I think are good for this service. We also use DHCP and NTP on these boxes as well... fully redundant.

Eric
Rockefeller University

John D. Vo wrote:
Does anyone have experience (good or bad) with a DNS appliance? Bluecatnetwork, infoblox, infoweapons.. Thanks.
Re: DNS Appliance
Adonis XMB™ is transforming the face of IPAM. Built for branch and remote offices, the Adonis XMB brings the power and features of the Adonis 1000 Enterprise-class DNS/DHCP Appliance to the branch and remote office.

*** This is from Bluecat's website. I believe it is an appliance, but I can't speak from experience about the quality of their products.

Eric

Baird, Josh wrote:
Not an appliance, but has a nice offering including a MMC-ish console and Web GUI.

Josh

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Gainey, Joe (AT - Atlanta)
Sent: Wednesday, March 25, 2009 10:43 AM
To: j...@eagle.net; bind-users@lists.isc.org
Subject: RE: DNS Appliance

Blue Cat Adonis/XMB provide great GUI interfaces for DNS power users with enough intuitive widgets for DNS novices. They have been fairly stable and easy to manage, and their support has been knowledgeable.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
Sent: Wednesday, March 25, 2009 11:41 AM
To: bind-users@lists.isc.org
Subject: DNS Appliance

Does anyone have experience (good or bad) with a DNS appliance? Bluecatnetwork, infoblox, infoweapons.. Thanks.
Re: DNS Appliance
It's a sign that they have low turnover. The few times that I have relied on them I've gotten the same engineers. A lot of companies lack that personal rapport with their clients. You are just a number to them.

Eric

Steve Lancaster wrote:
[In a message on Wed, 25 Mar 2009 11:45:47 EDT, "Eric C. Davis" wrote:]
Infoblox user: Love them. Support is fantastic. I can name actual support engineers.

Is the fact that you can name support engineers a good thing, or are you spending too much time talking to them? :-)

Steve Lancaster
Funky Key Tag in AWS Route53
I’m running bind 9.18.10 and having a hell of a time with AWS Route53 and DNSSEC.

I’m testing dnssec-policy and have algorithms 8, 13, and 15 set. On the test domain I’m using, I wiped the old keys, deleted the DS records in the parent zone and basically started from scratch.

I started named and it created new .key/.private files in the key directory. My KSK is Kericgermann.photography.+008+32686.key and I run dnssec-dsfromkey and get a DS record. I cut and paste that record into Route53 DNSSEC config and it decodes the key tag as 22755 instead of 32686.

I get a DNSviz diagram that looks like this https://dnsviz.net/d/ericgermann.photography/dnssec/

In the diagram, .photography is looking for a key tag of 22755 instead of the correct 32686 for algorithm 8.

My question is: is there any way to decode the DS record and see what key tag is actually encoded in it? If it’s 32686 it’s an issue with Route53. If it’s 22755 it’s an issue with dnssec-dsfromkey.

If anyone wants the DNSKEY for algorithm 8, ping me off list and I will share it with you in a private email.

Thoughts?

--
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Medium: https://ekgermann.medium.com
Twitter: @ekgermann
Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712
GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1

-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Funky Key Tag in AWS Route53 (2)
Yeah, that’s the problem I’m trying to solve. I run the key through dnssec-dsfromkey and get 32686. When I put the key into Route53, I get 22755 from the decoded DS record in the console for Route53.

That’s why I wanted to decode the DS record to see if it’s encoding it as 32686 or 22755.

> On Dec 29, 2022, at 09:17, Timothe Litt wrote:
>
> On 28-Dec-22 19:40, Eric Germann wrote:
>> My question is
>>
>> Is there any way to decode the DS record and see what key tag is actually
>> encoded in it? If it’s 32686 it’s an issue with Route53. If it’s 22755
>> it’s an issue with dnssec-dsfromkey.
>>
>> If anyone wants the DNSKEY for algorithm 8, ping me off list and I will
>> share it with you in a private email.
>>
>> Thoughts?
>>
> And because it's trivial, here are the keytags for all your keys and DS
> records and how to get them. Note that you have DNSKEY 32686: installed in
> the DNS, and that the installed DS is 22755.
>
> Can't say how it got that way, but that's what is there. (Manual processes
> are error-prone. That getting registrars to adopt CDS/CDNSKEY - RFC7344 -
> has been so slow is unfortunate.) It's rarely the tools.
>
> perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short ericgermann.photography DNSKEY); print "$_ => ",Net::DNS::RR->new("ericgermann.photography. DNSKEY $_")->keytag,"\n" foreach (@keys);'
> 257 3 8 AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1 SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV 4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM= => 32686
> 256 3 8 AwEAAaD+/5eN/zIqYhG/CXXastruIQEBBuD2Y2Yinx+IqWvInKc5Kb6K AWvUWECjn0Q7Lrt1s759/04SZXm2M4GwuKBzY+Ern2ukWi0hQmUBqoET VSrFhu75FJpi0+8wJZhx5UVPg7NTriYXC29rSTBt/OCr/Ot+utf2P9G2 hr/BXQqcwausick9Gu9zZtzB0072IEM6okZW1rDwlAwmlDjicJgbAnRt qgpWX21CgRG/G8Jjz4pGSP1rt54ilxVbCL8KR3huRaJGb6lnnJnQJckL oN2+rGaps1bLYC79fgdL5Y/fzR43J+te7RBo4AJXFhW9n1WL6KOKbprE pbl7yiINzTU= => 43126
> 256 3 13 bX62WTOQmhTaqnQprecHwUjDzBGAQbF0kqywkNzE1yBTrmP/zBNhvtp+ H9iYf1OOcfyDo6iE1XXUCNKHKZFHkg== => 36584
> 256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ= => 48248
> 257 3 15 A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA= => 13075
> 257 3 13 DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6 tkGehWujsuYtwLf0aKt2b1mjQUk/BA== => 49677
>
> perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short ericgermann.photography DS); print "$_ => ",Net::DNS::RR->new("ericgermann.photography. DS $_")->keytag,"\n" foreach (@keys);'
> 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9 => 22755
>
> You can, of course, use data from your files instead of dig. Works for both
> DS and DNSKEY
>
> perl -MNet::DNS -MNet::DNS::SEC -e' print Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2 2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'
>
>
>
> Enjoy.
>
> Timothe Litt
> ACM Distinguished Engineer
> --
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
Re: Funky Key Tag in AWS Route53 (2)
I understand all the tools and output. The error I was trying to find is why they disagreed, and checking all the points along the way. Thanks for your scripts.

Anyway, for GoogleFu, I got it fixed and it works correctly now thanks to https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2

For entering the DS record into Route53, you enter the whole public key in Base64 without spaces or newlines, not the hash of the key like the registrars I’ve used for other domains. What is annoying is it accepts the hash as perfectly valid and gets the DS record number as the wrong ID.

Thanks to all who helped!

Eric

> On Dec 29, 2022, at 10:06, Timothe Litt wrote:
>
>
>> That’s why I wanted to decode the DS record to see if it’s encoding it as
>> 32686 or 22755
>
> As I said, no decoding required. Just look at the DS record. The keytag is
> immediately after "DS" in plain, unencoded text.
>
> If the question is how to verify the keytag from the DNSKEY it references,
> I've shown you two different tools that produce the same result.
>
> If you use the same input file, you get the same answer from ISC and
> Net::DNS::SEC.
>
> cat >tmp.key
>
> ericgermann.photography. DNSKEY 257 3 8 AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1 SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV 4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM=
>
> dnssec-dsfromkey -2 tmp
> ericgermann.photography. IN DS 32686 8 2 A17DF360A9E0CB485BD396A839119441C5FF62A9C9E46D586EBDD1D084E2E36B
>
> That's the same answer as Net::DNS::SEC. Two different tools from reputable
> sources, same answer.
>
> None of the installed keys have 22755. DNSvis does show a DS record
> installed with 22755 (and no matching key). So AWS is installing that DS
> from whatever input you provide it.
>
> That leaves:
>
> Different input to AWS vs. the local tools
> perhaps you have a file with a different DNSKEY that you are uploading to
> AWS. I've been known to accidentally overwrite, rename, or confuse files.
> (Not often, but it happens.)
> have you verified that the contents of the file that you are using matches
> what's in the DNS?
> Does AWS have an option to use a DNSKEY from your zone? That would avoid the
> manual step.
> If you're copy/pasting the DNSKEY file into AWS, corruption in the process
> (buffer overruns?)
> It's not inconceivable that AWS has a bug, but someone should have hit one
> like this before you
> Before blaming AWS, I'd be very sure that the same key is being input. If it
> is, they have a bug
>
> You might also consider using a different key experimentally, on the off
> chance that a wrong keytag bug is data-dependent.
>
> But the most likely scenario is that somehow AWS is generating a DS for a
> different key.
>
> I don't use AWS, so that's as far as I can go.
>
> Good luck.
>
> Timothe Litt
> ACM Distinguished Engineer
> --
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
> On 29-Dec-22 09:28, Eric Germann wrote:
>> Yeah, that’s the problem I’m trying to solve. I run the key thru
>> dnssec-dsfromkey and get 32686, When I put the key in to Route53, I get
>> 22755 from the decoded DS record in the console for Route53.
>>
>> That’s why I wanted to decode the DS record to see if it’s encoding it as
>> 32686 or 22755
>>
>>
>>> On Dec 29, 2022, at 09:17, Timothe Litt
>>> <mailto:l...@acm.org> wrote:
>>>
>>> On 28-Dec-22 19:40, Eric Germann wrote:
>>>> My question is
>>>>
>>>> Is there any way to decode the DS record and see what key tag is actually
>>>> encoded in it? If it’s 32686 it’s an issue with Route53. If it’s 22755
>>>> it’s an issue with dnssec-dsfromkey.
>>>>
>>>> If anyone wants the DNSKEY for algorithm 8, ping me off list and I will
>>>> share it with you in a private email.
>>>>
>>>> Thoughts?
>>>>
>>> And because it's trivial, here are the keytags for all your keys and DS
>>> records and how to get them. Note that you have DNSKEY 32686: installed in
>>> the DNS, and that the installed DS is 22755.
>>>
>>> Can't say how it got th
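The thread's core check, confirming that the key tag in a DS record matches the DNSKEY it is meant to reference, is what dnssec-dsfromkey and Net::DNS::SEC did for Timothe. The following is an added example, not from the thread, BIND or Net::DNS: it implements the RFC 4034 Appendix B key tag and the SHA-256 DS digest (RFC 4034 section 5.1.4) over a constructed key (owner name, flags and key bytes are made up for this example) and compares a presentation-format DS against the DNSKEY, so a tag mismatch like 22755 vs 32686 is reported before the DS goes into the parent.

```python
"""Compute a DNSSEC key tag and DS record from a DNSKEY, and verify a DS.

Added example, not part of the bind-users thread. The key tag is the
RFC 4034 Appendix B checksum over the DNSKEY RDATA; the DS digest (type 2,
SHA-256) is taken over the canonical owner name followed by that RDATA.
The key tag in a DS record is plain text (the first field after "DS"), so
the check is simply: does that field equal the tag computed from the key?
"""
import base64
import hashlib
import struct


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags..public key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA from presentation fields; base64 may contain
    whitespace, as it does when copied from a key file or dig output."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def name_wire(owner: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, as hashed in the DS."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (keytag, algorithm, digest_type=2, digest_hex) for a SHA-256 DS."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_wire(owner) + rdata).hexdigest().upper()
    return keytag(rdata), algorithm, 2, digest


def verify_ds(owner, dnskey_fields, ds_text):
    """Check a presentation-format DS ("tag alg dtype hex...") against a DNSKEY
    given as (flags, protocol, algorithm, base64). Reports the tag comparison
    separately so a wrong tag is visible even when the digest also differs."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    if int(dtype) != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    expected = ds_from_dnskey(owner, *dnskey_fields)
    got = (int(tag), int(alg), int(dtype), "".join(digest.split()).upper())
    return {
        "keytag_match": got[0] == expected[0],
        "digest_match": got == expected,
        "expected_keytag": expected[0],
        "ds_keytag": got[0],
    }


# Constructed sample key (NOT a real key): flags 257 (KSK), protocol 3,
# algorithm 8, public key bytes 01 02 03 04. RDATA = 01 01 03 08 01 02 03 04,
# so the key tag is 0x100+0x01+0x300+0x08+0x100+0x02+0x300+0x04 = 2063.
SAMPLE_OWNER = "example.test."
SAMPLE_KEY = (257, 3, 8, base64.b64encode(b"\x01\x02\x03\x04").decode())


def sample_ds() -> str:
    """Presentation-format DS RDATA for the constructed key."""
    return "%d %d %d %s" % ds_from_dnskey(SAMPLE_OWNER, *SAMPLE_KEY)


if __name__ == "__main__":
    ds = sample_ds()
    print("DS:", ds)
    print("matching DS:", verify_ds(SAMPLE_OWNER, SAMPLE_KEY, ds))
    # A DS whose tag was derived from different input is caught.
    wrong = "22755 " + ds.split(None, 1)[1]
    print("mismatched DS:", verify_ds(SAMPLE_OWNER, SAMPLE_KEY, wrong))
```

Feeding the algorithm 8 DNSKEY quoted above (with its owner name) to `ds_from_dnskey` should reproduce the 32686 tag that both dnssec-dsfromkey and Net::DNS::SEC reported in the thread.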
Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2)) (2)
> On Dec 29, 2022, at 16:34, Timothe Litt wrote:
>
> Yup, Eric's case was a classic example. He tried to do the right thing, put in the wrong record, and the system didn't produce the expected results. To his credit, he persisted. Most people don't.
>
> A while ago there was a study (cloudflare/APNIC <https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/>) that showed that only about 40% of people who enabled DNSSEC for their accounts successfully served DS records in their registry.

The really annoying part is it isn’t obvious that they want the public key and not the result of dnssec-dsfromkey; they do it themselves. The annoying part is they throw an error if the key isn’t valid Base64 (think spaces or newlines), but gladly accept the DS output from dnssec-dsfromkey. Somehow or another they are getting the key tag from the incorrect DS record, because they encode again the already encoded string.

I looked in the docs for boto3 (the official API for AWS) and there appears to be no way to add a public key, so you can’t do it programmatically. I’ll have to pass that on to my AWS contacts. Doubt they’ll do anything, but it is worth throwing it over the fence.

Again, thanks for all the help!

Eric
Re: filter-aaaa and dns64 in an ipv6-only network
> On Jan 31, 2023, at 15:27, Thomas Schäfer wrote:
>
> Am Dienstag, 31. Januar 2023, 20:03:42 CET schrieb Marco:
>
>>
>> Why would it make sense to block them?
>
> Avoiding wrong decisions by "happy eyeballs" - probably the same rare reasons
> why isc introduced the filter years ago - in theory there is no reason to
> block AAAA nor A. But blocking A depending on the existence of AAAA makes no
> sense at all.
> (as bind at the moment is doing)

I’ve found one edge case where blocking AAAA records fixes something, in order to force it to A addresses: Netflix.

I use a Hurricane Electric tunnel for my IPv6. Works like a charm for every other site I use. But Netflix rejects connections because it thinks it’s on a VPN. So, filtering the quad A makes it appear it isn’t IPv6 enabled, so it connects over 4. Works like a champ.

Eric
Re: No more support for windows
Call me naive, but I’m trying to figure out what the corner case is to use BIND on Windows. For an internal network Windows Server already has a name server that integrates with AD and everything else needed to run a Windows network. Support for DDNS is a lot easier, it has tons of SRV records needed for service location, etc. It seems it would be a lot easier to use that for a Windows network than shoehorn everything into BIND.

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1

> On Jun 4, 2021, at 4:58 PM, Gregory Sloop wrote:
>
> This feels a lot like responding to trolls, but I'll instead assume that you're asking (or making a point) in good faith.
>
> So, we'll stipulate that - you're actually interested in truth and knowledge.
>
> So, it's easily compiled on Mac, Unix, FreeBSD, Linux, SunOS, RaspPi, etc. And it compiles on a huge range of hardware, CPUs etc.
>
> I'd consider that highly portable.
>
> You're welcome to disagree, but then someone else will complain it's not available in Amiga, Atari and under Dos and complain it isn't "portable" because there's no dos version.
>
> So how many platforms do you have to support, to call it portable?
> (I've always thought of "portable" code, in this context especially, as code that is kept open so it will fairly easily compile on any *nix/posix platform without too much drama. And I think that's a pretty universal understanding for *nix style code.)
>
> So, it seems you are tilting at windmills, complaining about Windows only.
>
> Yes, the fundamentals of Windows are *VERY* different than any Linux/Unix/Solaris etc based platform. As such, making it work across all those platforms is really quite a lot of work.
> (Making it work fine, even on the future supported platforms (*nix) isn't trivial - obviously adding Windows to the mix is far, far more!)
>
> And, it seems like no-one has stepped up to commit the $$$ needed to keep that support going.
> Even a cheap dev probably charges $100+ an hour. How many hours/dollars do you think, in aggregate, is committed to keeping Windows support? It's not going to be like buying a $3 app for your phone - since the market for Windows users is far smaller.
>
> And, I suspect, if we reach the end of the road for Windows support, and there's a half million users out there that want BIND supported on Windows, and they'll all pledge a buck a year, then I'd expect that Windows support will roll right out.
>
> But if instead there's 100 people willing to pledge even $100 a year, well I'd guess that's not likely to pay for it.
>
> ISC manages to pay the people who write code and do support through support contracts. Do you have one of those?
>
> So the last option is;
> You, or someone else to simply give away their time for free.
> You up for that?
> If you're not, or you don't have that skill set, then complaining bitterly seems a little hypocritical.
>
> ISC already releases a huge set of software that you almost certainly use every single day (DHCP server and clients, along with BIND) and they aren't charging you a dime for that use. They're not charging your ISP either, or a ton of other people. So, IMO, they've really done a ton of free work for the community already.
>
> But it seems like you think it's not enough.
>
> Sigh.
> What. Can. I. Say.
> ISC does a lot of really good work.
> IMO, this kind of a complaint is really misplaced.
>
> And to be clear, I won't engage in a bunch of back-and-forth arguing this position. You're welcome to agree or not.
> But *I* think you're obviously wrong, and I want everyone at ISC who does all that good work, developing great software that they let us use for free, to know that I really appreciate their work.
>
> -Greg
>
>
> PC> What I find ironic is that here:
>
> PC> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/README.md
>
> PC> the very first line says:
>
> PC> "BIND (Berkeley Internet Name Domain) is a complete, highly portable
> PC> implementation of the Domain Name System (DNS) protocol."
>
> PC> If this were truly the case, BIND would wo
named reload and HTTPS certs
There’s been some great discussion lately on enabling DoH with LetsEncrypt certs. My question is this: If I renew the cert while named is running and do a reload on it, is that enough to pick up the new certs, or do I need to stop/start the named process? Basically, does reload only reload the zones, or the entire config and subordinate files?

Thanks

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: 9.11 to 9.16: need directions
bind doesn’t support @ signs for the email contact. It would be root.rn6.xyz.local

Line 15, missing the class (IN)?

DeadStick       IN A    192.168.255.156
                IN TXT  "310702541c5622d0e6001136bd71a6578b"

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1

> On Jun 12, 2021, at 8:33 PM, ToddAndMargo via bind-users wrote:
>
> On 6/12/21 5:30 PM, ToddAndMargo via bind-users wrote:
>> Hi All,
>> I just upgraded from Fedora 33 to Fedora 34.
>> Bind was updated from 9.11 to 9.16 in Fedora 34.
>> It completely broke my Fedora 33 configuration.
>> Would someone please point me to the directions as to how to migrate from 9.11 to 9.16?
>> Many thanks,
>> -T
>
> Some of my error messages:
>
> # named-checkzone -t /var/named/chroot/var/named/slaves xyz xyz.hosts
>
> xyz.hosts:3: ignoring out-of-zone data (xyz.local)
> xyz.hosts:15: ignoring out-of-zone data (DeadStick.xyz.local)
>
>
>  1 $ORIGIN .
>  2 $TTL 86400      ; 1 day
>  3 xyz.local       IN SOA  xyz.local. root\@rn6.xyz.local. (
>  4                         265        ; serial
>  5                         10800      ; refresh (3 hours)
>  6                         3600       ; retry (1 hour)
>  7                         360        ; expire (5 weeks 6 days 16 hours)
>  8                         86400      ; minimum (1 day)
>  9                         )
> 10                 NS      xyz.local.
> 11                 A       192.168.255.10
> 12                 MX      10 xyz.local.
> 13 $ORIGIN xyz.local.
> 14 $TTL 3600       ; 1 hour
> 15 DeadStick       A       192.168.255.156
> 16                 TXT     "310702541c5622d0e6001136bd71a6578b"
Re: Odd A record in our hosts zone file
Time to live in the cache. Short time to live is useful when you need to change the A record to swing one host to another.

> On Jun 25, 2021, at 12:56, Bruce Johnson wrote:
>
> I ran across these A records in one of our zone files:
>
> ;EXCHANGE STUFF
> mail 1m IN A xxx.xxx.xxx.52 ; dhbex1
> mail 1m IN A xxx.xxx.xxx.54 ; dhbex2
>
> I can see that this is a cheap load-balancing for our exchange OWA servers, but what is the ‘1m’ notation? I haven’t been able to find that in my searching of the manual.
>
> (We’re adding new servers and I need to make sure our DNS is properly set for them.)
>
> --
> Bruce Johnson
> University of Arizona
> College of Pharmacy
> Information Technology Group
>
> Institutions do not have opinions, merely customs
Compiling bind 9.17.15 with alternate OpenSSL library
I’m in the process of building a custom version of bind with DoH and would also like to add DNSSEC algorithm 15 for experimental purposes.

DoH works just fine on the servers I have configured.

My “configure" command is

./configure --with-openssl=../openssl-1.1.1k --with-libxml2 --with-json-c --disable-dnstap --enable-fixed-rrset --enable-querytrace --sysconfdir=/etc/namedb

When I override the SSL library, it doesn’t pick it up. It uses the system library of 1.0.2k-fips from the system (Centos 7 10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux)

I know when I build nginx, I can override the SSL library by pointing to the OpenSSL directory and it shows and functions with the correct library (1.1.1k).

I’ve built OpenSSL in the directory spec’d in the config line, but haven’t done a “make install” because it will trash the system.

Is there any way to build against 1.1.1k without doing a “make install” on the newer OpenSSL library?

Thanks

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
Re: Compiling bind 9.17.15 with alternate OpenSSL library
I’m confused

./configure --help | grep openssl

--with-openssl=DIR root of the OpenSSL directory

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1

> On Jul 5, 2021, at 12:55 PM, Ondřej Surý wrote:
>
> Eric,
>
> configure uses pkg-config to detect OpenSSL version thus you need to point pkg-config to the right directory.
>
> There’s no such option to configure.
>
> Ondřej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
Re: Compiling bind 9.17.15 with alternate OpenSSL library
Bummer. Thanks for the quick turnaround though!

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1

> On Jul 5, 2021, at 1:07 PM, Ondřej Surý wrote:
>
> Oh, you are right. That will get only used when pkg-config based method doesn’t work. We probably should remove that as openssl.pc is now widely available.
>
> Ondřej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
dig standalone source?
Has ISC given any thought to releasing dig as a separate source package?

It’s good for testing DoH, but you need to build the entire bind package to get it. It would be useful for support analysts without the overhead of compiling all of bind to get it.

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
Re: Contents of bind-users digest...
Or “make dig”

> On Jul 6, 2021, at 11:47, Paul Kosinski via bind-users wrote:
>
> On Tue, 6 Jul 2021 12:44:15 +
> "MURTARI, JOHN" wrote:
>
>> Folks, let me add my desire for a quick download dig supporting DoH. It could really help with some testing, some ready stuff for Ubuntu 18/20, Redhat/CentOS, could make a lot of people happy. Maybe the libs included and we set the LD_LIBRARY_PATH, or a 'static' link?
>>
>> It only takes a 'few minutes' more -- once you spend a few hours getting the whole environment setup. Some don't build it all the time.
>>
>> I'll give ISC Five Stars on Google! 😃
>>
>>>> On 6 Jul 2021, at 05:56, Eric Germann via bind-users wrote:
>>>
>>> Has ISC given any thought to releasing dig as a separate source package?
>>>
>>> It’s good for testing DoH, but you need to build the entire bind package to get it. It would be useful for support analysts without the overhead of compiling all of bind to get it
>>
>> Really, it's a couple of extra megabytes of disk space and a couple of extra minutes of compile time. Dig is not a stand alone component. It depends on libisc, libdns, libisccfg, libirs, and libbind9. That's most of the libraries we build. It makes no sense to have a separate source package for dig.
>
> It isn't mainly the disk space and extra build time, it's the complexity. Somebody who only wants 'dig' would have to figure out how to isolate it from the result of the build. This would be especially troublesome after doing a "make install" (which I suspect is necessary to get the 'dig' executable properly set up) as there would be a whole lot of undesired stuff installed. Perhaps adding a "install-dig-only" option to the make file would be possible and not a lot of work?
Reloading new certs for DNS over HTTPS
I’ve implemented DNS over HTTPS on two of my servers to get some experience. I’m using LetsEncrypt for the cert issuer.

I ran into an issue where it appears named only reads them on init. The cert expired and certbot faithfully renewed it, but named was using the old cert it read at initialization.

My question is if a “rndc reconfig” will read the new cert when it reloads the config, or do I have to stop and start named to get it to pick it up?

Thanks

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?
Why not, as a stopgap to protect your human rights, use your phone as a hotspot? Cheaper than suing everyone

Eric

> On Jan 8, 2022, at 11:17, Stephane Bortzmeyer wrote:
>
> On Sat, Jan 08, 2022 at 04:55:24PM +0100,
> Stephane Bortzmeyer wrote
> a message of 52 lines which said:
>
>> This domain name seems OK for me but I notice that a fair number of RIPE Atlas probes in Ireland return a fake NXDOMAIN for this name:
>
> On Twitter, an Irish DNS expert said that it happened before. Apparently, many ISPs use a blacklist without thinking and this blacklist includes legitimate domain names.
Re: Adding a new domain with DNSSEC
Are you missing a left paren before "1-16”?

Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Medium: https://ekgermann.medium.com
Twitter: @ekgermann
Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1

> On Apr 10, 2022, at 4:40 AM, @lbutlr wrote:
>
> I have several domains setup in bind, all with DNSSEC implemented, and am trying to add a new domain, and seem to have missed a step.
>
>
> # dnssec-keygen -a 13 example.com
> # dnssec-keygen -f KSK -a 13 example.com
>
> Add $INCLUDE to the zone file for each of these 4 keys.
>
> # dnssec-signzone -3 $(head -c 1000 /dev/random | shasum | cut -b 1-16) -o example.com -t example.com
>
> dnssec-signzone: warning: keys/Kexample.com.+013+55923.private:1: unknown RR type 'v1.3'
> dnssec-signzone: fatal: failed loading zone from 'example.com': unknown class/type
>
>
> --
> "Are you pondering what I'm pondering?"
> "I think so, Brain! But ruby-studded stockings would be mighty uncomfortable wouldn't they?"
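The two zone-file threads above (the 9.11-to-9.16 "out-of-zone data" errors with an '@' in the SOA mailbox, and the dnssec-signzone run that ends up parsing a .private key file as zone data) share one root: a master file that does not say what the operator thinks it says. As an added example that is not from the list, this stdlib-only Python lint parses enough of BIND master-file syntax ($ORIGIN, $TTL, $INCLUDE, parenthesised SOA, inherited owners, quoted TXT) to report all three problems before named-checkzone or dnssec-signzone does; the embedded zone is a constructed sample adapted from the thread, with the expire value filled in to match its own comment.

```python
"""Constructed zone-file lint (added example, not from the thread). It parses
BIND master-file syntax far enough to report: owners outside the zone named on
the named-checkzone command line, an '@' in the SOA RNAME mailbox, and a
$INCLUDE that pulls a .private key file into the zone."""
import re

CLASSES = {"IN", "CH", "HS"}
# a quoted string (TXT rdata) or a run of non-blank characters
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')


def _strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside a quoted string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Yield (first_line_number, has_owner, tokens); '(' ... ')' groups are joined."""
    buf, start, has_owner, depth = [], None, True, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if start is None:
            if not line.strip():
                continue
            # a record whose first column is blank inherits the previous owner
            start, has_owner = lineno, not raw[:1].isspace()
        for tok in TOKEN_RE.findall(line):
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth == 0:
            if buf:
                yield start, has_owner, buf
            buf, start = [], None


def _absolute(name, origin):
    """Resolve a possibly relative owner or $ORIGIN argument against the current origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def _in_zone(name, zone):
    if zone == ".":
        return True
    name = name.lower()
    return name == zone or name.endswith("." + zone)


def lint_zone(text, zone_name):
    """Return 'LINE: message' findings for zone_name as given to named-checkzone."""
    zone = zone_name.rstrip(".").lower() + "."
    origin, owner, findings = zone, zone, []
    for lineno, has_owner, toks in _logical_lines(text):
        if toks[0].startswith("$"):
            directive = toks[0].upper()
            arg = toks[1] if len(toks) > 1 else ""
            if directive == "$ORIGIN":
                origin = _absolute(arg, origin)
            elif directive == "$INCLUDE" and arg.endswith(".private"):
                findings.append(f"{lineno}: $INCLUDE of private key file {arg}; publish the .key file, never the .private one")
            continue
        if has_owner:
            owner = _absolute(toks[0], origin)
            toks = toks[1:]
        # skip the optional TTL and class fields to reach the RR type
        while toks and (toks[0].isdigit() or toks[0].upper() in CLASSES):
            toks = toks[1:]
        if not toks:
            findings.append(f"{lineno}: no record type")
            continue
        rtype, rdata = toks[0].upper(), toks[1:]
        if not _in_zone(owner, zone):
            findings.append(f"{lineno}: out-of-zone data ({owner.rstrip('.')}) would be ignored")
        if rtype == "SOA" and len(rdata) >= 2 and rdata[1] != "@" and "@" in rdata[1]:
            findings.append(f"{lineno}: SOA RNAME {rdata[1]} contains '@'; write the mailbox as a dotted name")
    return findings


# Constructed sample adapted from the zone in the 9.11-to-9.16 thread, plus a
# $INCLUDE of the .private file named in the dnssec-signzone error above.
SAMPLE_ZONE = """\
$ORIGIN .
$TTL 86400      ; 1 day
xyz.local       IN SOA  xyz.local. root\\@rn6.xyz.local. (
                        265        ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        3600000    ; expire (5 weeks 6 days 16 hours)
                        86400      ; minimum (1 day)
                        )
                NS      xyz.local.
                A       192.168.255.10
                MX      10 xyz.local.
$ORIGIN xyz.local.
$TTL 3600       ; 1 hour
DeadStick       A       192.168.255.156
                TXT     "310702541c5622d0e6001136bd71a6578b"
$INCLUDE keys/Kexample.com.+013+55923.private
"""

if __name__ == "__main__":
    # checked as zone "xyz" (the command line in the thread) and as "xyz.local"
    for zone in ("xyz", "xyz.local"):
        print(f"--- checking as zone '{zone}'")
        for finding in lint_zone(SAMPLE_ZONE, zone):
            print(finding)
```

Run against the sample as zone "xyz" it reproduces the out-of-zone lines named-checkzone reported (3 and 15, plus the owner-inheriting lines between them); as zone "xyz.local" only the RNAME and the $INCLUDE findings remain.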
Odd problem with DoH and DoT
I’m having a really weird issue with 9.18.3

When I connect with OpenSSL to this particular server, I get two different server certs

Here are my requisite configs

    listen-on port 53 { any; };
    listen-on port 443 tls local-tls http local-http-server { any; };
    listen-on port 853 tls local-tls { any; };
    listen-on-v6 port 53 { any; };
    listen-on-v6 port 443 tls local-tls http local-http-server { any; };
    listen-on-v6 port 853 tls local-tls { any; };
    http-port 80;
    https-port 443;
};

tls local-tls {
    key-file "/etc/namedb/keys/privkey.pem";
    cert-file "/etc/namedb/keys/fullchain.pem";
};

http local-http-server {
    endpoints { "/dns-query"; };
};

my last line of the cert in fullchain.pem for the correct server cert is

"+sWJ8Oluyktfz7I5MSsXwIqCMK/4qG/S4hf04FUk"

When I connect to port 443 for DoH, I get a server cert that ends in “FUk”

When I connect to port 853 for DoT, I get a server cert that ends in “HhQraavJaViojiiFyfcKONWCPVuQozJDWoICan7i”.

The issue is when I execute

kdig -d @ns05x.semperen.com +tls-sni=ns05x.semperen.com +tls-host=ns05x.semperen.com semperen.com mx

I get back

;; DEBUG: Querying for owner(semperen.com.), class(1), type(15), server(ns05x.semperen.com), port(853), protocol(TCP)
;; DEBUG: TLS, imported 127 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=ns05x.semperen.com
;; DEBUG: SHA-256 PIN: WLEeS4l9ObJUnZ1X055NrxlYkzaep5Ynig7KA8GnuqE=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG: SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG: #3, C=US,O=Internet Security Research Group,CN=ISRG Root X1
;; DEBUG: SHA-256 PIN: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate chain uses expired certificate.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=ns05x.semperen.com
;; DEBUG: SHA-256 PIN: WLEeS4l9ObJUnZ1X055NrxlYkzaep5Ynig7KA8GnuqE=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG: SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG: #3, C=US,O=Internet Security Research Group,CN=ISRG Root X1
;; DEBUG: SHA-256 PIN: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate chain uses expired certificate.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server ns05x.semperen.com@853(TCP)

Which says the cert is expired. When checking the cert with OpenSSL that is returned, the start and end dates are the same, Jul 4 2022.

In the LetsEncrypt dir, in the “archive” directory fullchain7.pem is the current cert and the symbolic link in “live” is linked to this. However, the tail end of the incorrect server cert is contained in "fullchain5.pem”, and it is expired. I relinked the files to make sure it wasn’t a file system issue. How is it picking up the wrong full chain when I point it to a dir with only the links to chain7?

Querying ns04x.semperen.com returns the same cert on both ports.

Thanks for any pointers

--
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Medium: https://ekgermann.medium.com
Twitter: @ekgermann
Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
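The symptom above (one listener serving the current fullchain.pem, the other an expired one) and the earlier "named reload and HTTPS certs" question both come down to the same check: does what named presents on 443 and 853 match the leaf certificate on disk? As an added example that is not from the list, this stdlib-only Python script fetches the leaf certificate from each TLS listener with SNI set to the hostname (as the kdig command above does) and compares SHA-256 fingerprints against the first certificate in the on-disk bundle. Hostname and bundle path are command-line arguments; the embedded bundle is constructed for the offline helpers and is not a real certificate.

```python
"""Added check (not from the thread): compare the certificate named presents on
each TLS listener with the leaf certificate in the on-disk fullchain.pem."""
import base64
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_certs_to_der(pem_text):
    """Return every certificate in a PEM bundle as DER bytes, in file order
    (certbot's fullchain.pem lists the leaf first, then the intermediates)."""
    ders, inside, body = [], False, []
    for line in pem_text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            inside, body = True, []
        elif line == PEM_END and inside:
            ders.append(base64.b64decode("".join(body)))
            inside = False
        elif inside:
            body.append(line)
    return ders


def fingerprint(der):
    """SHA-256 fingerprint as colon-separated hex, the form openssl x509 -fingerprint prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_leaf_der(host, port, sni, timeout=5.0):
    """Fetch the leaf certificate presented on host:port with the given SNI.
    Verification is disabled on purpose: an expired or wrong chain must still
    be returned for comparison instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def compare_listeners(on_disk_leaf_der, served):
    """served maps port -> leaf DER; returns port -> True when it matches the on-disk leaf."""
    expected = fingerprint(on_disk_leaf_der)
    return {port: fingerprint(der) == expected for port, der in served.items()}


# Constructed sample bundle (not real certificates) so the parsing helpers can
# be exercised offline; a real run reads the fullchain.pem path given on argv.
SAMPLE_LEAF = b"constructed leaf bytes, not a certificate"
SAMPLE_INTERMEDIATE = b"constructed intermediate bytes, not a certificate"
SAMPLE_BUNDLE = "\n".join([
    PEM_BEGIN, base64.b64encode(SAMPLE_LEAF).decode(), PEM_END,
    PEM_BEGIN, base64.b64encode(SAMPLE_INTERMEDIATE).decode(), PEM_END, "",
])


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} HOSTNAME /path/to/fullchain.pem", file=sys.stderr)
        return 2
    host, path = argv[1], argv[2]
    with open(path) as fh:
        leaf = pem_certs_to_der(fh.read())[0]
    # DoH on 443 and DoT on 853, both with SNI set to the hostname itself
    served = {port: served_leaf_der(host, port, host) for port in (443, 853)}
    result = compare_listeners(leaf, served)
    print(f"on-disk leaf : {fingerprint(leaf)}")
    for port, match in result.items():
        print(f"port {port:<5}: {fingerprint(served[port])} {'OK' if match else 'MISMATCH'}")
    return 0 if all(result.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it right after certbot renews and again after the reload or reconfig you use; a MISMATCH on either port means the running named still holds the chain it loaded earlier, regardless of what the "live" symlinks now point at.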
Re: Odd problem with DoH and DoT
Never mind. Rebooting the box resolved it. I’m still curious how it got crossed

--
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Medium: https://ekgermann.medium.com
Twitter: @ekgermann
Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
Re: key dir massive
> On Dec 22, 2022, at 09:32, Matthijs Mekking wrote:
>
> > I hope you have read our KB article on dnssec-policy before migrating:
> >
> > https://kb.isc.org/v1/docs/en/dnssec-key-and-signing-policy
> >
> > It should list the main pitfalls to save you a lot of hassle (I suspect you started algorithm rollover immediately when changing to dnssec-policy default).
> >
> > If there are any things we should add, I am happy to receive your suggestions.

Are there any examples from ISC on how to handle multiple algorithms in the dnssec-policy stanza? I'm running 8 and 13 both as an experiment

Eric

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: signing for a hidden primary
I use an unsigned hidden master I maintain from inside my local network. This feeds a secondary server where the signing is done and it acts as a master to other secondaries. Works well. Started as an experiment and works well enough I've left it alone.

Hidden master >> DNSSEC signing server (slave to hidden, master to secondaries) >> secondaries

Here's a config block

zone example.com {
    type slave;
    masters { a.b.c.d key master-dns01; };
    file "slave/example.com.db";
    key-directory "keys/example.com";
    dnssec-policy domain-policy;
    inline-signing yes;
    zone-statistics yes;
};

If you're interested in more specifics, I'm happy to share. Ping me off-list

Eric

On 2023-01-21 19:56, Randy Bush wrote:
> > > hi mark
> > >
> > > hidden primary can not sign. can the public primary which fetches from it, and happens to be primary for the parent zone, do bitw signing?
> >
> > In-line signing is the concept you are looking for and yes named supports it.
>
> i know bind9 does bitw. happy to learn it is called inline-signing. sorry not to have been clear.
>
> i want to sign a zone where the server is secondary. i.e. may i use
>
> zone "foo.bar" {
>     type slave;
>     file "secondary/bar.foo";  // yes, i like dir list to alpha sort
>     ...
>     auto-dnssec maintain;
>     inline-signing yes;
> };
>
> looking at example 2 in https://kb.isc.org/docs/aa-00626, i think that this will work, i.e. there will be a `secondary/bar.foo.signed` from which i can extract the DS needed by the parent zone, the server will send notifies etc.
>
> randy
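An added example, not taken from any message in these threads, that puts the three roles Eric describes (hidden primary, inline-signing server, public secondaries) into named.conf fragments and also shows a dnssec-policy carrying the two algorithms (8 and 13) asked about in the key-dir thread above. The addresses, file paths and TSIG secret are assumed placeholders; only the key name "master-dns01" comes from Eric's snippet.

```conf
// Added example, not any list member's config. Assumed placeholders: 192.0.2.10 =
// hidden primary, 192.0.2.20 = signer, 192.0.2.30 = public secondary.

// --- hidden primary: unsigned zone, transfers only to the signer, TSIG-authenticated ---
key "master-dns01" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-base64-FROM-tsig-keygen";
};
zone "example.com" {
    type primary;
    file "primary/example.com.db";
    allow-transfer { key master-dns01; };   // key-based, never address-based
    also-notify { 192.0.2.20; };
    notify explicit;                        // only the signer is told about changes
};

// --- signer: secondary to the hidden primary, inline-signs, primary to the public ones ---
dnssec-policy "domain-policy" {
    // two algorithms side by side (the 8 + 13 experiment): one KSK/ZSK pair per
    // algorithm, each rolled on its own lifetime
    keys {
        ksk lifetime unlimited algorithm rsasha256 2048;
        zsk lifetime P30D      algorithm rsasha256 2048;
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P30D      algorithm ecdsap256sha256;
    };
};
key "master-dns01" {                        // same secret as on the hidden primary
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-base64-FROM-tsig-keygen";
};
zone "example.com" {
    type secondary;
    primaries { 192.0.2.10 key master-dns01; };
    file "secondary/example.com.db";
    key-directory "keys/example.com";
    dnssec-policy "domain-policy";
    inline-signing yes;                     // signed copy lives in *.signed, unsigned input untouched
    allow-transfer { 192.0.2.30; };
};

// --- public secondary: serves the signed copy, holds no private keys ---
zone "example.com" {
    type secondary;
    primaries { 192.0.2.20; };
    file "secondary/example.com.db";
};
```

Check each fragment with named-checkconf before loading it; the DS records for both algorithms must be published in the parent for the dual-algorithm policy to validate.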
Re: BIND 9.18.6 disables RSASHA1 at runtime?
I would propose one line per protocol for disabled methods. This would allow for easier log parsing

On 2022-09-13 06:28, Petr Špaček wrote:
> On 02. 09. 22 15:49, Anand Buddhdev wrote:
> > On 02/09/2022 13:53, Mark Andrews wrote:
> >
> > Hi Mark,
> >
> > > We don't log rsamd5 is disabled nor ec or ed curves when they are not supported by the crypto provider. Why should rsasha1 based algs be special?
> >
> > The problem I see with 9.18.6 is that at startup, it is checking to see if it can validate RSASHA1 signatures, and if it can't, it is disabling the algorithm *silently*. I understand the reasoning, but I disagree with it being disabled silently. If BIND is disabling something as important as this at runtime, at the very least, a log entry about it would go a long way towards helping system administrators.
> >
> > Here's my reasoning:
> >
> > There is a difference between RSAMD5 and RSASHA1. RFC 8624 clearly forbids RSAMD5 for all uses, with "MUST NOT". It's fine for BIND to skip validation for any zone signed with this algorithm.
> >
> > RSASHA1 is quite different. The RFC recommends not signing with it, but validation is still a must. Similarly, it forbids publishing SHA1 digests in DS records, but requires validation using them.
> >
> > Now, on RedHat Linux 9 and its clones, SHA1 is disabled by *policy*. The named.conf from the BIND package in this distro (version 9.16.23) includes the file:
> >
> > /etc/crypto-policies/back-ends/bind.config
> >
> > and this file contains:
> >
> > disable-algorithms "." {
> >     RSAMD5;
> >     RSASHA1;
> >     NSEC3RSASHA1;
> >     DSA;
> > };
> > disable-ds-digests "." {
> >     SHA-1;
> >     GOST;
> > };
> >
> > This is explicit declaration that SHA1 has been disabled. But if one builds BIND >= 9.18.6 from pristine sources, the configuration file is not going to include this snippet, and BIND is going to silently disable SHA1. I strongly feel that BIND should log this.
>
> Can you propose log line? Should it be one line per algorithm? Or one line with all disabled? Or one line with all enabled? What log level? Log category? Is it okay it will be almost always logging GOST? ...
>
> So many questions to get log line covering < 2 % of all signed domains, which will be obsolete over time anyway (hopefully).
>
> --
> Petr Špaček