Re: detect if zone/s is frozen
Mike Hoskins (michoski) micho...@cisco.com wrote:
> /dev/rob0 r...@gmx.co.uk wrote:
> > I would suggest that if you're making much use of rndc freeze, YDIW.
> > Consider using nsupdate(8) to make your changes.
>
> True, but I just set up two new networks where the tenants wanted exactly
> this capability... so use cases exist.
>
> [...]
>
> Failing an easy monitoring solution (I don't see anything in terms of
> rndc options, or old/new stats output), you might consider creating a
> wrapper that does the rndc freeze/vi/update serial to mtime/rndc thaw and
> post it clearly in /etc/motd. Not perfect, but would mostly work except
> when you get distracted in the middle of the vi session. :-)

Better option: use nsdiff, which calculates the differences between the
live version of your zone and a master file that you edit, and turns the
result into an nsupdate script.

http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: ZSK rollover weirdness
Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:
> And, the prior ZSK was 14565
>
> ; This is a zone-signing key, keyid 14565, for ksu.edu.
> ; Created: 2013060109 (Sat Jun  1 04:00:00 2013)
> ; Publish: 20130601090007 (Sat Jun  1 04:00:07 2013)
> ; Activate: 20130601090007 (Sat Jun  1 04:00:07 2013)
> ; Revoke: 2013090109 (Sun Sep  1 04:00:00 2013)
> ; Inactive: 2013091509 (Sun Sep 15 04:00:00 2013)

I think your problem here is that the inactive date is after the revoke
date, so the key will still be used to sign the zone after it has been
revoked.

> ; Delete: 2013092909 (Sun Sep 29 04:00:00 2013)
> ksu.edu. IN DNSKEY 256 3 8 AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe
>         52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hv
>         q2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1
>         t3rQaznB
>
> Where is 14693 coming from?

It is the same key as 14565 but the addition of the revoke bit has changed
the tag.

Tony.
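The key tag change Tony describes can be checked directly. The following is an added example, not code from the post: it implements the RFC 4034 Appendix B key tag over a DNSKEY RR in presentation format and computes it for the ksu.edu ZSK quoted above, once as published and once with the RFC 5011 REVOKE bit (0x0080) set. The post reports the two tags as 14565 and 14693. They differ by exactly 128 because REVOKE is the low byte of the flags word, which sits at odd offset 1 of the RDATA and is therefore added to the accumulator unshifted; the check at the end verifies that relationship rather than hard-coding the numbers.

```python
import base64

REVOKE = 0x0080    # RFC 5011 REVOKE flag in the DNSKEY flags field
ZONE_KEY = 0x0100  # RFC 4034: 256 = ZSK, 257 = ZSK|SEP (a KSK)

def keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA
    (flags, protocol, algorithm, public key); valid for every algorithm except RSA/MD5."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF                  # fold the carry back in once
    return ac & 0xFFFF

def parse_dnskey(rr_text: str):
    """Split a presentation-format DNSKEY RR ('owner [ttl] [IN] DNSKEY flags proto alg b64 ...')
    into (flags, protocol, algorithm, pubkey bytes). The base64 may be split across fields,
    as it is when copied from a dig answer or a K*.key file."""
    fields = rr_text.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return flags, protocol, algorithm, pubkey

def keytag_of_rr(rr_text: str, extra_flags: int = 0) -> int:
    """Key tag of the RR as written, or of the same key with extra flag bits set."""
    flags, protocol, algorithm, pubkey = parse_dnskey(rr_text)
    return keytag(flags | extra_flags, protocol, algorithm, pubkey)

# The ksu.edu ZSK quoted in the post (flags 256 = ZONE, protocol 3, algorithm 8 = RSASHA256).
KSU_ZSK = (
    "ksu.edu. IN DNSKEY 256 3 8 "
    "AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe "
    "52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hv "
    "q2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1 "
    "t3rQaznB"
)

def tags_before_and_after_revoke(rr_text: str = KSU_ZSK):
    """Tag of the key as published and of the same key with REVOKE set.
    REVOKE (0x0080) is the low byte of the flags word, at odd RDATA offset 1, so
    setting it adds exactly 128 to the accumulator and, barring a carry across
    bit 16, exactly 128 to the tag. Same key material, different tag."""
    return keytag_of_rr(rr_text), keytag_of_rr(rr_text, REVOKE)

if __name__ == "__main__":
    plain, revoked = tags_before_and_after_revoke()
    print(f"as published: {plain}   with REVOKE bit: {revoked}")
```

The practical consequence is the one the thread shows: BIND's key file names, `rndc` output and `dnssec-settime` all refer to keys by tag, and a revoked key is known by its new tag, so a monitoring check that greps for the old tag after the revoke date will report the key missing when it is in fact still present.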
Re: Weird dig behavior when querying ANY
Nicholas F Miller nicholas.mil...@colorado.edu wrote:
> The problem is the reply will ALWAYS be five seconds when doing an 'ANY'
> query. It is not a matter of the TTL counting down.

Is there a middlebox of some kind between you and the name server?

Tony.
Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)
Simon Forster fors...@spamteq.com wrote:
> As a matter of interest, if one had a DNSBL with 5.5 million entries
> (i.e. 5.5 million IPs):
>
> 1) What needs to be done to rewrite that to a BIND zone?
> 2) What sort of machine would be required to load that zone?
> 3) How long would it take to load into BIND?

I did a quick test. Generating and parsing the zone in text format took
about 80s wall time; loading the raw zone file took 30s. In both cases
named-checkzone used about 1.25GB RAM. I don't have enough RAM on this
machine to run dnssec-signzone in a reasonable length of time - it goes
into swap death after 3GB.

perl -e '
	use Crypt::OpenSSL::Random;
	print "x.dotat.at. 3600 in soa black.dotat.at. dot.dotat.at. 1 1h 1h 1w 1m\n";
	print "x.dotat.at. 3600 in ns black.dotat.at.\n";
	printf "%s.x.dotat.at 3600 IN A 127.0.0.2\n",
	    join ".", unpack "C4", Crypt::OpenSSL::Random::random_bytes(4)
	    for (1..550);
' | named-compilezone -i local -k warn -n warn -F raw -o x.dotat.at x.dotat.at /dev/stdin

named-checkzone -i local -k warn -n warn -f raw x.dotat.at x.dotat.at

Tony.
Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)
Simon Forster fors...@spamteq.com wrote:
> Excellent info. Thank you. What's the specs of the machine you're
> testing on?

An old-ish Dell Optiplex 760, Core 2 Duo, 3.16 GHz, 4GB RAM.

Tony.
Re: RRL probably not useful for DNS IP blacklists,
Vernon Schryver v...@rhyolite.com wrote:
> It's convenient that with binary zone files and the dynamic update
> protocol, loading from text (or signing a whole zone) is not something
> you need to do every hour on the hour.

Right. Timings from named-checkzone give a rough idea of a worst-case cold
start.

I ran some numbers with a 500,000 record zone (generated with the same
script as before) which is comfortably small enough to sign. These are the
raw format zone files:

-rw-r--r--  1 fanf2  named   31639161 Sep 24 10:32 x.dotat.at
-rw-r--r--  1 fanf2  named  301188426 Sep 24 10:37 x.dotat.at.signed

named-checkzone unsigned:
        2.73 real         2.62 user         0.10 sys
      120396  maximum resident set size

named-compilezone text-to-raw:
        5.82 real         5.70 user         0.06 sys
      120380  maximum resident set size

named-checkzone signed:
        8.32 real         7.96 user         0.35 sys
      549100  maximum resident set size

dnssec-signzone:
      233.97 real       391.06 user         2.44 sys
      597316  maximum resident set size

> By the way, how much smaller would that DNSBL be if it could use
> wildcards? I suspect a real (as opposed to synthetic) DNSBL has a lot
> of repetition in all except the last labels.

It depends a lot on the list. If it's a DUL then wildcards will be a win;
not so much if it's listing something like compromised servers where
address ranges often have bad mixed with good.

Having said that, I've sampled a hundred random /24s from the Spamhaus Zen
list and they are mostly all full or all empty. (But I didn't check to
see if the answers all matched in the full /24s.)

Tony.
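As an added example (not the perl script from the earlier message and not real DNSBL data), here is the same zone generation in Python, extended with the wildcard compression Vernon asks about: a /24 in which every address is listed with the same answer collapses to one `*.c.b.a` record, and anything else stays one record per address. The addresses are constructed from the RFC 5737 documentation ranges; x.dotat.at is the origin used in the post. The output is the text zone, which can be piped into named-compilezone -F raw exactly as in the post.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

def sample_listing() -> Dict[str, str]:
    """Constructed listing (not real DNSBL data): address -> DNSBL answer code.
    Built from the RFC 5737 documentation ranges so it runs offline."""
    listing = {}
    for host in range(256):                     # a full /24 with one uniform answer
        listing[f"192.0.2.{host}"] = "127.0.0.2"
    for host in range(256):                     # a full /24 whose answers differ
        listing[f"198.51.100.{host}"] = "127.0.0.2" if host % 2 else "127.0.0.3"
    for host in (1, 7, 200):                    # a partly listed /24
        listing[f"203.0.113.{host}"] = "127.0.0.2"
    return listing

def reverse_name(addr: str, origin: str) -> str:
    """Owner name for an IPv4 DNSBL entry: octets reversed under the list origin."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ".".join(reversed(octets)) + "." + origin.rstrip(".") + "."

def dnsbl_zone(listing: Dict[str, str], origin: str, ttl: int = 3600,
               use_wildcards: bool = False) -> List[str]:
    """Render a listing as zone-file lines: SOA, NS, then one A record per entry.

    With use_wildcards, a /24 in which all 256 addresses are listed with the
    same answer is emitted as a single '*.c.b.a' wildcard. Only fully listed
    /24s qualify: a wildcard answers for every name under c.b.a, so using it
    for a partly listed /24 would list the unlisted addresses as well."""
    origin = origin.rstrip(".") + "."
    lines = [
        f"{origin} {ttl} IN SOA ns.{origin} hostmaster.{origin} 1 1h 1h 1w 1m",
        f"{origin} {ttl} IN NS ns.{origin}",
    ]
    by_net = defaultdict(dict)
    for addr, answer in listing.items():
        by_net[ipaddress.ip_network(f"{addr}/24", strict=False)][addr] = answer
    for net in sorted(by_net):
        hosts = by_net[net]
        answers = set(hosts.values())
        if use_wildcards and len(hosts) == 256 and len(answers) == 1:
            a, b, c, _ = str(net.network_address).split(".")
            lines.append(f"*.{c}.{b}.{a}.{origin} {ttl} IN A {answers.pop()}")
            continue
        for addr in sorted(hosts, key=ipaddress.IPv4Address):
            lines.append(f"{reverse_name(addr, origin)} {ttl} IN A {hosts[addr]}")
    return lines

def record_count(listing: Dict[str, str], origin: str, use_wildcards: bool) -> int:
    """Number of A records the zone would carry (SOA and NS excluded)."""
    return len(dnsbl_zone(listing, origin, use_wildcards=use_wildcards)) - 2

if __name__ == "__main__":
    # Same shape as the post's pipeline: text zone on stdout, then
    #   | named-compilezone -i local -k warn -n warn -F raw -o x.dotat.at x.dotat.at /dev/stdin
    print("\n".join(dnsbl_zone(sample_listing(), "x.dotat.at", use_wildcards=True)))
```

On the constructed input the compressed zone carries 260 A records instead of 515: the uniform /24 becomes one wildcard, the mixed-answer /24 cannot (the answers differ, so one record cannot stand for all 256), and the partly listed /24 stays as it is. That is the distinction behind Tony's caveat about checking whether the answers in a full /24 all match.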
Re: How can I determine if 9.9.4 bind named executable was built with --enable-rrl?
Red Cricket red.cricket.b...@gmail.com wrote:
> How can I determine if it was built with rate-limiting?

named -V

Tony.
Re: Help on DNSSEC
babu dheen babudh...@yahoo.co.in wrote:
> I would like to understand DNSSEC on BIND Recursive DNS server running
> in RHEL 5.0.

First upgrade BIND to version 9.8 or newer.

Check your network connectivity isn't funted. See for instance
http://www.cisco.com/web/about/security/intelligence/dnssec.html

Then add the following to your named.conf options section:

	dnssec-validation auto;
	dnssec-lookaside auto;

Tony.
Re: DNS format error
Jim Pazarena b...@paz.bz wrote:
> I see in my logs
>
>   DNS format error from 205.178.190.53#53 resolving excelwetsuits.com/MX
>   for client 207.34.147.83#54521: invalid response
>
> The client is *my* mail server IP.
> I am wondering is this error on MY side or theirs?

Theirs.

; <<>> DiG 9.9.4rc1 <<>> ns excelwetsuits.com @a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37039
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;excelwetsuits.com.		IN	NS

;; AUTHORITY SECTION:
excelwetsuits.com.	2d	IN	NS	ns1.lamedelegation.net.
excelwetsuits.com.	2d	IN	NS	ns2.lamedelegation.net.

;; ADDITIONAL SECTION:
ns1.lamedelegation.net.	2d	IN	A	205.178.190.53
ns2.lamedelegation.net.	2d	IN	A	206.188.198.53

;; Query time: 146 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Mon Nov 11 18:01:49 GMT 2013
;; MSG SIZE  rcvd: 132

Tony.
Re: Allow recursion for esternal resources in a authoritative zone on a not open dns server
Barry Margolin bar...@alum.mit.edu wrote:
> If the server is authoritative for both the CNAME and the target of the
> CNAME, no recursion should be necessary -- the target is already in its
> memory. Doesn't the server normally fill in the whole CNAME chain in
> this case?

Yes - see the additional-from-auth configuration option.

Tony.
[announce] nsdiff version 1.51
The nsdiff program examines the old and new versions of a DNS zone, and
outputs the differences as a script for use by BIND's nsupdate program. It
provides a bridge between static zone files and dynamic updates. If you
use BIND 9.7 or 9.8, you can use nsdiff as an alternative to the DNSSEC
inline-signing feature which appeared in BIND 9.9.

You can now use nsdiff to support a three-tier master-signer-public
hierarchy, like slave inline-signing, as well as signing on the master.

And nsdiff now has a home page and public source repository
http://dotat.at/prog/nsdiff/

Tony.
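To make the idea concrete, both for this announcement and for the "rndc freeze vs nsupdate" thread earlier on this page, here is a small model of what nsdiff does, written for this page rather than taken from nsdiff itself (nsdiff's own source is at the URL above). The two zone snapshots are constructed, the server name ns1.example.com is an assumption, and the serial policy (the larger of old+1 and the master file's serial) is a simplification. DNSSEC-generated records (RRSIG, NSEC, NSEC3) are not filtered out, so this model assumes both inputs are unsigned; a real tool comparing against a signed live zone has to skip them. The output is plain nsupdate syntax, including a yxrrset prerequisite on the old SOA so the update is refused if the zone changed underneath you between the read and the send.

```python
import re
from typing import List, Set, Tuple

RR = Tuple[str, int, str, str]   # (owner, ttl, type, rdata) in presentation format

# Constructed snapshots, not real zone data. OLD_ZONE stands in for what the
# server currently serves (e.g. the output of dig axfr or named-compilezone -o -);
# NEW_ZONE stands in for the edited master file. www changes address, old is
# removed, new is added, and the editor forgot to bump the serial.
OLD_ZONE = """\
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2014010101 3600 3600 604800 60
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN MX  10 mx1.example.com.
www.example.com.   300 IN A   192.0.2.10
old.example.com.   300 IN A   192.0.2.11
"""

NEW_ZONE = """\
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2014010101 3600 3600 604800 60
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN MX  10 mx1.example.com.
www.example.com.   300 IN A   192.0.2.20
new.example.com.   300 IN A   192.0.2.12
"""

def parse_zone(text: str) -> Set[RR]:
    """Parse canonical 'owner ttl IN type rdata' lines (fully qualified, one RR
    per line, no $ORIGIN/$TTL). Comments after ';' are dropped."""
    rrs = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        if cls.upper() != "IN":
            raise ValueError(f"unsupported class in: {line}")
        rrs.add((owner.lower(), int(ttl), rtype.upper(), re.sub(r"\s+", " ", rdata)))
    return rrs

def soa(rrs: Set[RR]) -> RR:
    (rr,) = [rr for rr in rrs if rr[2] == "SOA"]   # exactly one SOA per zone
    return rr

def serial_of(soa_rr: RR) -> int:
    return int(soa_rr[3].split()[2])

def next_soa(old_soa: RR, new_soa: RR) -> RR:
    """The SOA the update will install: the master file's mname/rname/timers,
    with a serial that is the larger of old+1 and the file's own serial.
    (RFC 1982 serial wraparound is not modelled here.)"""
    serial = max(serial_of(old_soa) + 1, serial_of(new_soa))
    fields = new_soa[3].split()
    fields[2] = str(serial)
    return (new_soa[0], new_soa[1], "SOA", " ".join(fields))

def nsdiff(old_text: str, new_text: str, server: str) -> List[str]:
    """Emit an nsupdate script turning the live zone (old) into the master
    file (new). Returns [] when there is nothing to change."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    old_soa, new_soa = soa(old), soa(new)
    zone = old_soa[0]
    deleted = sorted(rr for rr in old - new if rr[2] != "SOA")
    added = sorted(rr for rr in new - old if rr[2] != "SOA")
    if not deleted and not added and serial_of(new_soa) <= serial_of(old_soa):
        return []
    script = [
        f"server {server}",
        f"zone {zone}",
        # Abort if someone else changed the zone between our read and this update:
        # the server applies the update only if the live SOA still matches.
        f"prereq yxrrset {zone} IN SOA {old_soa[3]}",
    ]
    script += [f"update delete {o} IN {t} {r}" for o, _, t, r in deleted]
    script += [f"update add {o} {ttl} IN {t} {r}" for o, ttl, t, r in added]
    s = next_soa(old_soa, new_soa)
    script.append(f"update add {s[0]} {s[1]} IN SOA {s[3]}")   # SOA is a singleton: this replaces it
    script.append("send")
    return script

if __name__ == "__main__":
    # Usage: python3 nsdiff_model.py | nsupdate -k /path/to/tsig.key   (key file path is a placeholder)
    print("\n".join(nsdiff(OLD_ZONE, NEW_ZONE, "ns1.example.com")))
```

Because the whole script is one `send`, named applies the deletes, adds and SOA replacement atomically, which is the property the freeze/edit/thaw approach in the earlier thread lacks: there is no window in which the zone is frozen and half-edited, and no motd reminder is needed.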
Re: rndc addzone, global allow-new-zones, 'file not found'
Tobias Wolter tobias.wol...@b1-systems.de wrote:
> # rndc -s localhost -c ~/rndc-localhost.conf addzone metazone. '{type master; file "master/metazone.zone";};'; tail /var/log/messages -n 4
> rndc: 'addzone' failed: file not found
> Dec 11 10:01:15 hostname named[21120]: received control channel command 'addzone metazone. {type master; file "master/metazone.zone";};'
> Dec 11 10:01:15 hostname named[21120]: zone metazone/IN: loading from master file master/metazone.zone failed: file not found
> Dec 11 10:01:15 hostname named[21120]: zone metazone/IN: not loaded due to errors.
> Dec 11 10:01:15 hostname named[21120]: addzone failed; reverting.

You need to create the master file (with valid zone contents) before
running rndc addzone.

Tony.
Re: rndc refresh fails for signed zones
Thomas Schulz sch...@adi.com wrote:
> Am I correct in thinking that in the case of a hidden master and a chain
> of slaves, that the first publicly accessible slave would do the signing
> and that in any case only one instance of bind should do the signing?

It is better if the hidden master does the signing, since it is a less
exposed system so it is better able to protect the keys. Slave inline
signing mode is for situations where the hidden master can't sign for
whatever reason.

Yes it is normal to sign in only one place. If you don't you are likely to
have problems with inconsistent zone serial numbers, and RRSIG times. And
you will need a good mechanism to make sure your keys are consistent!

Tony.
Re: Serial numbers for inline signing
Thomas Schulz sch...@adi.com wrote:
> Checking the resulting serial number, I find that it is 2013120423. The
> serial number in the static zone file is 2013120400. Why did it bump it
> up to 23? I expected something like 02.

Have a look at the sig-signing-signatures option which says (by default)
that named should create at most 10 RRSIGs per signing quantum, and each
quantum implies a SOA serial update. That should lead you to expect a
difference of more than 2 after what you did.

Tony.
Re: Sites that points their A Record to localhost
Joseph S D Yao j...@tux.org wrote:
> On 2014-01-12 10:04, Chris Thompson wrote:
> > That would be more plausible if www.p3net.net actually resolved to
> > something, rather than giving NXDOMAIN ...
>
> How interesting. From here I see (and saw before I posted):
>
> ;; ANSWER SECTION:
> www.p3net.net.		0	IN	A	199.101.28.20

That IP address indicates that your ISP is lying to you. It belongs to
Skye By Nominum which is a cloud DNS service. I guess this is Skye Search
since that sounds like a rent-seeking scheme based on replacing NXDOMAINs
with advertising.

http://www.darkreading.com/nominum-rolls-out-skye-dns-cloud-service/220100568

Tony.
Re: Insecurity proof failed resolving newsletter.postbank.de - but why?
Graham Clinch g.cli...@lancaster.ac.uk wrote:
> I'm seeing a dnssec validation error that I can't pin down, for the
> domain: newsletter.postbank.de.

Looks like a bug in BIND to me. It works out that there is no DS in the
parent then gets muddled. I note that postbank.de is in the middle of a
double-signature ZSK rollover. Dunno if that is relevant, but it is a bit
unusual.

20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: in authvalidated
20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: resuming nsecvalidate
20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: looking for relevant NSEC3
20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: looking for relevant NSEC3
20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: NSEC3 proves name exists (owner) data=0
20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: nonexistence proof(s) found
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): received validation completion event
20-Jan-2014 12:18:51.415 dnssec: debug 3: validator @0x8071e8300: dns_validator_destroy
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): nonexistence validation OK

... right ...

20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): clone_results
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): done
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): stopeverything
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): cancelqueries
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): sendevents
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): doshutdown
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): stopeverything
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): cancelqueries
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): unlink
20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): destroy
20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: in dsfetched2: ncache nxrrset
20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: resuming proveunsecure
20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: insecurity proof failed

... what? ...

20-Jan-2014 12:18:51.416 resolver: debug 3: fetch 0x801859ff0 (fctx 0x80b044860(newsletter.postbank.de/DS)): destroyfetch
20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): shutdown
20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): received validation completion event
20-Jan-2014 12:18:51.416 dnssec: debug 3: validator @0x80bb74500: dns_validator_destroy
20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): validation failed
20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): add_bad
20-Jan-2014 12:18:51.416 lame-servers: info: error (insecurity proof failed) resolving 'newsletter.postbank.de/A/IN': 195.140.184.21#53

Tony.
Re: Using nsupdate to insert/delete record in the RPZ zone file
Pika.Aman a...@thingsto.me wrote:
> Is it possible to use the bind-util "nsupdate" to insert a new record
> into the zone file of a response policy zone? I got a "NOTZONE" reply
> from bind.

NOTZONE means you have used a domain name that is not in the zone you are
trying to update.

> # nsupdate
> debug yes
> server 127.0.0.1
> zone rpz
> update add test.thingsto.me. 60 A 127.0.0.1
> send

Change this to

	update add test.thingsto.me.rpz 60 A 127.0.0.1

Tony.
Re: How to query the incoming serial of a zone while inline signing
Mark Andrews ma...@isc.org wrote:
> In message 52ea4c56.5060...@pernau.at, Klaus Darilion writes:
> > Are there any tools/ways to query Bind for the incoming serial?
>
> rndc zonestatus zone [class [view]]

I think that's a BIND-9.10 feature :-)

On 9.9 I think you either have to look at named's logs and/or look at the
unsigned zone file and journal using named-compilezone -j.

Tony.
Re: How to query the incoming serial of a zone while inline signing
Klaus Darilion klaus.mailingli...@pernau.at wrote:
> named-compilezone -j -f raw -o - example.com \
>   /etc/bind/zones/example.com 2>&1 | grep SOA | awk '{print $7;}'

Another option might be to use named-journalprint and grab the last SOA
from the output. I don't know which is faster... actually, let's test...

$ time named-compilezone -j -f raw -o - cam.ac.uk /spool/bind/zs/cam |
	awk '/ IN SOA / { print $7 }'
zone cam.ac.uk/IN: loaded serial 1391086754 (DNSSEC signed)
1391086754
OK

real	0m1.802s
user	0m1.793s
sys	0m0.150s

$ time named-journalprint /spool/bind/zs/cam.jnl |
	awk '/ IN SOA / { soa = $8 } END { print soa }'
1391086754

real	0m5.317s
user	0m4.949s
sys	0m0.629s

$ time named-checkzone -j -f raw cam.ac.uk /spool/bind/zs/cam 2>&1 |
	awk '/ loaded serial / { print $5 }'
1391086754

real	0m0.678s
user	0m0.622s
sys	0m0.050s

Winner!

Tony.
Re: DNSSEC and upgrading/restoring
David Newman dnew...@networktest.com wrote:
> 2. For five domains, the log contains signature-has-expired warnings.
> In all five cases, these are for NSEC3PARAM records. Is any action
> needed on my part, for example manually doing NSEC3 signing of these
> zones?

See if named has already re-signed them - check that the first date in
the RRSIG is in the future.

Tony.
Re: DNSSEC and upgrading/restoring
David Newman dnew...@networktest.com wrote:
> What action, if any, is needed? Does rndc sign zone make it wake up?

Is there anything in the logs reporting problems, e.g. inability to read
the key files?

Tony.
Re: DNSSEC and upgrading/restoring
David Newman dnew...@networktest.com wrote:
> On 1/31/14 10:35 AM, Tony Finch wrote:
> > David Newman dnew...@networktest.com wrote:
> > > What action, if any, is needed? Does rndc sign zone make it wake up?
>
> Alas, no. There are a bunch of successful IXFR messages to slave servers
> but the dates in that NSEC3PARAM RRSIG did not change.

Not good. I would try deleting and re-adding the NSEC3PARAM records. Slow
if the zones are big but at least it should fix the problem.

Tony.
Re: Trouble building bind with Openssl support
Olsen, Richard William (Rick) CTR DISA PEO-MA (US) richard.w.olsen.ctr@mai... wrote:
> We have been trying to build bind using --with-openssl=PATH and not have
> it require the full openssl install on the destination system.

Try building BIND with --without-gost

Tony.
Re: Trouble building bind with Openssl support
Mark Andrews ma...@isc.org wrote:
> If you really want to go down this path then you need to copy over the
> shared library which is dynamically loaded into named at runtime
> specifically lib/engines/libgost.so or rebuild openssl to include the
> gost code in libcrypto.

How do you do that? The documentation doesn't say.

Tony.
Re: BUG? Wildcard lookup masked by more specific record of alternative type
Terry Burton t...@terryburton.co.uk wrote:
> Is the following expected or is it a bug?

It is correct. See RFC 4592 for the full explanation of how wildcards
work.

Tony.
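The rule Tony points to is easy to get wrong, so here is an added example, not from the thread, that models an authoritative lookup with RFC 4592 wildcard semantics over a constructed zone. A wildcard is a source of synthesis only when the queried name does not exist, and a name exists if it owns a record of any type or is an empty non-terminal (an ancestor of some owner). So foo.example.com, which has only a TXT record, gets a NODATA answer for A even though *.example.com has an A record; and sub.example.com, an empty non-terminal because bar.sub.example.com exists, blocks the wildcard for itself and yields NXDOMAIN for names beneath it. The zone data, names and addresses are all made up; referrals and out-of-zone names are not handled.

```python
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]   # owner name -> [(rtype, rdata), ...]

# Constructed zone, not real data (RFC 5737 addresses).
SAMPLE_ZONE: Zone = {
    "example.com.":         [("SOA", "ns1.example.com. hostmaster.example.com. 1 1h 1h 1w 1m"),
                             ("NS", "ns1.example.com.")],
    "*.example.com.":       [("A", "192.0.2.1")],
    "foo.example.com.":     [("TXT", '"v=spf1 -all"')],     # exists, but has no A
    "bar.sub.example.com.": [("A", "192.0.2.2")],           # makes sub.example.com an empty non-terminal
}

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def name_exists(zone: Zone, name: str) -> bool:
    """RFC 4592 existence: the name owns records, or it is an ancestor of an
    owner (an empty non-terminal). A wildcard owner creates only its own name
    and its ancestors, never the names it could synthesize."""
    name = _norm(name)
    return any(o == name or o.endswith("." + name) for o in map(_norm, zone))

def _records(zone: Zone, name: str, qtype: str) -> List[str]:
    return [rd for owner, rrs in zone.items() if _norm(owner) == name
            for t, rd in rrs if t == qtype]

def lookup(zone: Zone, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Authoritative answer for a name inside the zone. Returns (rcode, rdatas);
    ('NOERROR', []) is a NODATA answer."""
    qname = _norm(qname)
    if name_exists(zone, qname):
        # Exact match, possibly an empty non-terminal. The wildcard is never
        # consulted here, even when the name has no records of qtype.
        return "NOERROR", _records(zone, qname, qtype)
    labels = qname.split(".")
    for i in range(1, len(labels)):
        closest_encloser = ".".join(labels[i:])       # longest existing ancestor
        if name_exists(zone, closest_encloser):
            wildcard = "*." + closest_encloser          # the only source of synthesis
            if name_exists(zone, wildcard):
                return "NOERROR", _records(zone, wildcard, qtype)
            return "NXDOMAIN", []
    return "NXDOMAIN", []   # no ancestor in the zone at all (toy: no referral handling)

if __name__ == "__main__":
    for q in ("baz.example.com.", "foo.example.com.", "sub.example.com.",
              "x.sub.example.com.", "deep.baz.example.com."):
        print(q, lookup(SAMPLE_ZONE, q, "A"))
```

The case people usually trip over is the second one: adding any record at a name, of any type, takes that name out of wildcard coverage for every other type, which is why a TXT (or even a NSEC-visible empty non-terminal) can silently "mask" a wildcard A record.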
Re: Same internal and external zone
Sarath sar...@slashroot.in wrote:
> The internal xyz.example.com is on an internal host (private address)
> which is the default DNS server for all internal hosts (all hosts use
> this DNS server in their resolv.conf). And the external xyz.example.com
> is on another public IP server (AWS Route 53). The problem is I have a
> hostname, for example xyz.xyz.example.com, which is on the public DNS
> server, and my local network hosts cannot resolve that hostname which
> is on the public DNS server (Route 53). I cannot add the record of
> xyz.xyz.example.com on my local DNS server (which is BIND) because that
> host is DNS load balanced using Route 53 health checks.

I would suggest moving xyz.xyz.example.com into a zone of its own which is
only hosted on Route 53. So you would have three zones:

	xyz.example.com (private version)
	xyz.example.com (public version)
	xyz.xyz.example.com (public only)

Both versions of xyz.example.com have identical delegations to
xyz.xyz.example.com. The load balancing records are at the apex of the
xyz.xyz.example.com zone.

Tony.
Re: Bind/PowerDNS interoperatiblity issue
Aki Tuomi cmo...@cmouse.fi wrote:
> We have A records
>
>   5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi
> and
>   5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi
>
> Now. If I ask DNSSEC validating BIND version 9.9.3-P2 or 9.9.4-P2 to
> resolve either of those A records, I get errors, while Google's 8.8.8.8
> and unbound accept these as valid.

I have tried this with BIND 9.9.5 and 9.10.0a2 and both resolve and
validate these domains successfully.

Tony.
Re: Bind/PowerDNS interoperatiblity issue
Aki Tuomi cmo...@cmouse.fi wrote:
> Hi, can you try again? Just to be sure.

This time it failed in the way you described earlier:

19-Feb-2014 12:23:27.043 queries: info: client ::1#32049 (5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): view rec: query: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi IN A +E (::1)
19-Feb-2014 12:23:27.162 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::3:2#53
19-Feb-2014 12:23:27.212 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 80.64.12.65#53
19-Feb-2014 12:23:27.221 queries: info: client ::1#32777 (api.twitter.com): view rec: query: api.twitter.com IN A +E (::1)
19-Feb-2014 12:23:27.221 queries: info: client ::1#47673 (api.twitter.com): view rec: query: api.twitter.com IN +E (::1)
19-Feb-2014 12:23:27.258 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 62.236.49.41#53
19-Feb-2014 12:23:27.301 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 194.100.90.53#53
19-Feb-2014 12:23:27.344 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::5:2#53
19-Feb-2014 12:23:27.384 lame-servers: info: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::4:2#53
19-Feb-2014 12:23:27.384 lame-servers: info: error (no valid DS) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 194.100.90.53#53
19-Feb-2014 12:23:27.449 dnssec: info: validating @0x806dca500: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi A: bad cache hit (0.pasilehto.fi/DS)
19-Feb-2014 12:23:27.449 lame-servers: info: error (broken trust chain) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 80.64.12.65#53
19-Feb-2014 12:23:27.449 query-errors: info: client ::1#32049 (5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): view rec: query failed (SERVFAIL) for 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/IN/A at query.c:7519

Tony.
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Gaurav Kansal gaurav.kan...@nic.in wrote:

> I have doubt in this only. What's the difference between Zone or Host ??

Zone keys are used for DNSSEC signing zones. Host keys are used for TSIG transaction authentication, for securing zone transfers or dynamic updates.

> I also want to know which algorithm is the best one on security aspects for generating Keys for DNSSEC.

Your security is affected more by how you store the keys than anything else. RSASHA256 is fine.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Faeroes: East or southeast 5 to 7. Rough or very rough. Rain. Moderate.
Re: which Name sever is selected?
houguanghua houguang...@hotmail.com wrote:

> What's the meaning of bind decaying? Where can I find the detailed description? Thanks!

There's a summary of the SRTT algorithm in
http://securityintelligence.com/subverting-binds-srtt-algorithm-derandomizing-ns-selection/

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Lundy, Fastnet: Northwest 5 to 7, occasionally gale 8 at first, backing south 4 or 5 later, occasionally 6 in southwest Fastnet. Very rough or high, becoming rough in north. Showers then rain. Moderate or good.
Re: Regarding zone trf from master to slave
Gaurav Kansal gaurav.kan...@nic.in wrote:

> We are running slave services for our customers. We want to have log of what entries has been changed in the master (which is causing this zone transfer) at the time of zone transfer.
>
> I want to know whether it is possible to have some sort of log generation (either by using query channels or by any other means) which we can save for future reference purposes.

Are the zone journal files on the slaves useful for solving your problem? e.g. my nameserver logs

05-Mar-2014 09:36:19.992 general: info: zone cam.ac.uk/IN/auth: transferred serial 1394009951
05-Mar-2014 09:36:19.992 xfer-in: info: transfer of 'cam.ac.uk/IN/auth' from 2001:630:212:8::d:a0#53: Transfer completed: 16 messages, 5572 records, 935172 bytes, 0.118 secs (7925186 bytes/sec)
[...]
05-Mar-2014 15:54:30.008 general: info: zone cam.ac.uk/IN/auth: transferred serial 1394024357
05-Mar-2014 15:54:30.008 xfer-in: info: transfer of 'cam.ac.uk/IN/auth' from 2001:630:212:8::d:a0#53: Transfer completed: 1 messages, 266 records, 34454 bytes, 0.009 secs (3828222 bytes/sec)

If I run named-journalprint I can work out the contents of the second IXFR based on the SOA serial numbers, starting with the line deleting the SOA with the previously transferred serial, and ending with the last contiguous add line after the SOA with the current serial.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Fisher, German Bight: South or southwest 3 or 4, increasing 5 or 6. Slight becoming moderate. Fog patches in east, rain later. Moderate, occasionally very poor in east.
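A worked example of the approach described in the reply above, added here and not part of the thread: a small Python parser that splits named-journalprint output into per-serial transactions, so a secondary operator can keep an audit record of exactly what each IXFR changed rather than only that a transfer happened. It assumes the one-RR-per-line format named-journalprint prints, each line prefixed with `add` or `del`, with every transaction opening on a deleted SOA and its new SOA appearing as the first `add`. The sample journal embedded below is constructed (serials chosen to match the log excerpt above; owner names and addresses are invented).

```python
"""Split named-journalprint output into the IXFR deltas it records.

Added example, not code from the original post or from BIND. Assumes the
add/del text format that named-journalprint emits; SAMPLE_JOURNAL below is
a constructed journal with two transactions.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: 1394009951 -> 1394024357 (the log's second IXFR) and
# a later 1394024357 -> 1394024400. Deletions precede additions, as in IXFR.
SAMPLE_JOURNAL = """\
del cam.ac.uk. 3600 IN SOA ns.example. hostmaster.example. 1394009951 1800 900 604800 3600
del www.example.cam.ac.uk. 3600 IN A 192.0.2.10
add cam.ac.uk. 3600 IN SOA ns.example. hostmaster.example. 1394024357 1800 900 604800 3600
add www.example.cam.ac.uk. 3600 IN A 192.0.2.11
add new.example.cam.ac.uk. 3600 IN AAAA 2001:db8::1
del cam.ac.uk. 3600 IN SOA ns.example. hostmaster.example. 1394024357 1800 900 604800 3600
del new.example.cam.ac.uk. 3600 IN AAAA 2001:db8::1
add cam.ac.uk. 3600 IN SOA ns.example. hostmaster.example. 1394024400 1800 900 604800 3600
"""

# op owner ttl [class] type rdata -- class is optional in case the journal
# printer omits it; we normalise to IN on output.
LINE_RE = re.compile(r"^(add|del)\s+(\S+)\s+(\d+)\s+(?:IN\s+)?(\S+)\s+(.*)$")
# SOA rdata is: mname rname serial refresh retry expire minimum
SOA_RDATA_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\b")


@dataclass
class Delta:
    """One journal transaction: the zone moved old_serial -> new_serial."""
    old_serial: int
    new_serial: Optional[int] = None
    deleted: List[str] = field(default_factory=list)
    added: List[str] = field(default_factory=list)


def parse_journal(text: str) -> List[Delta]:
    """Parse named-journalprint text into an ordered list of Delta objects."""
    deltas: List[Delta] = []
    cur: Optional[Delta] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised journal line: {line!r}")
        op, owner, ttl, rrtype, rdata = m.groups()
        if rrtype == "SOA":
            sm = SOA_RDATA_RE.match(rdata)
            if not sm:
                raise ValueError(f"malformed SOA rdata: {rdata!r}")
            serial = int(sm.group(1))
            if op == "del":
                # a deleted SOA opens a new transaction
                cur = Delta(old_serial=serial)
                deltas.append(cur)
            elif cur is None:
                raise ValueError("added SOA before any deleted SOA")
            else:
                cur.new_serial = serial
            continue
        if cur is None:
            raise ValueError("journal does not start with a deleted SOA")
        rr = f"{owner} {ttl} IN {rrtype} {rdata}"
        (cur.deleted if op == "del" else cur.added).append(rr)
    return deltas


def changes_for_transfer(deltas: List[Delta], from_serial: int,
                         to_serial: int) -> List[Delta]:
    """Return the chain of transactions an IXFR from from_serial to
    to_serial carried (the 'transferred serial' log lines give both ends)."""
    chain: List[Delta] = []
    serial = from_serial
    for d in deltas:
        if d.old_serial == serial and d.new_serial is not None:
            chain.append(d)
            serial = d.new_serial
            if serial == to_serial:
                return chain
    raise LookupError(f"no journal path from {from_serial} to {to_serial}")


def format_delta(d: Delta) -> str:
    """Render a transaction as a readable change record for the audit log."""
    out = [f"serial {d.old_serial} -> {d.new_serial}"]
    out += [f"  - {rr}" for rr in d.deleted]
    out += [f"  + {rr}" for rr in d.added]
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: named-journalprint db.example.jnl | python3 journal_deltas.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    for delta in parse_journal(text):
        print(format_delta(delta))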
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Jason Hellenthal jhellent...@dataix.net wrote:

> I recall spending a LOT of time with DNSSEC figuring out all the nonsense but like anything else stability and friendliness has to start somewhere. And development should not be impeded by adoption of bad practices. Fix the root cause not the symptom.

dnssec-keygen actually has quite sane defaults, but unfortunately the man page is not great at saying which options can be ignored because they are cruft from the 1990s. It could do with better examples too.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
South Utsire, Forties: Southwesterly 5 to 7, perhaps gale 8 later. Moderate or rough. Rain. Moderate or poor.
Re: Configure error - openSSL. Mac OS X
James Brown jlbr...@bordo.com.au wrote:

> I have recently upgraded to openSSL 1.0.1f. When I try to configure bind 9.9.5 I'm getting an error:
>
> checking for OpenSSL library... using OpenSSL from /usr/local/ssl/lib and /usr/local/ssl/include
> checking whether linking with OpenSSL works... no
> configure: error: Could not run test program using OpenSSL from /usr/local/ssl/lib and /usr/local/ssl/include. Please check the argument to --with-openssl and your shared library configuration (e.g., LD_LIBRARY_PATH).

Try

	LDFLAGS=-Wl,-R/usr/local/ssl/lib ./configure --enable-threads --with-atf --enable-newstats --enable-rrl --with-ecdsa --with-gost --with-openssl=/usr/local/ssl

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Malin: Variable 3 or 4, becoming southerly 5 or 6 in northwest. Moderate or rough. Fair. Good.
Re: Internal clients' queries for myhostname. get sent to forwarders. Why?
Andreas Ntaflos d...@pseudoterminal.org wrote:

> Using Bind 9 on Ubuntu 12.04 for internal DNS (master for zones dc01.example.at., 7.1.10.in-addr.arpa., ...) with forwarders (ISP's nameservers) for everything outside of internal zones.
>
> The Problem: Clients, when running hostname -f or hostname -i, create queries for myhostname. which are sent to the forwarders which respond with NXDomain. This generates load on the forwarders and exposes our internally used hostnames, both of which seems unnecessary and possible dangerous.
>
> This doesn't seem like normal or healthy behaviour. What can we do to stop it?

Option 1: put the FQDN in /etc/hostname on each machine.

Option 2: populate /etc/hosts on each machine.

Option 3: slave the root zone on your name servers.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Shannon: Southeasterly 4 or 5, occasionally 6 in northwest. Moderate or rough. Fair. Moderate or good.
Re: Internal clients' queries for myhostname. get sent to forwarders. Why?
Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:

> If you have FQDN for machines, the problem might be that the domain isn't set in resolv.conf?

The machines are configured with a bare hostname. If there isn't a search or domain directive in /etc/resolv.conf and there isn't an entry for the machine in /etc/hosts then `hostname -f` will fail.

It is probably a bug that `hostname -f` does not have any ndots logic. See also RFC 1535.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Tyne, Dogger: Southeast veering southwest 3 or 4. Slight. Fog patches in south. Moderate or good, occasionally very poor in south.
Re: Dynamic update with bind
Ramanou Biaou rama...@netim.com wrote:

> Someone has resources, links or tutorial to understand and implement the dynamic update zone files with BIND

If you search the web for [nsupdate howto] or [nsupdate tutorial] you should find some useful resources.

If you are running BIND 9.7 or newer then it has a built-in setup for simple DNS UPDATE uses. Try adding the following line to your zone's configuration:

	update-policy local;

Then on your master server you can run

	$ nsupdate -l

The nsupdate man page explains the input format. For most purposes you only need to use update add, update delete, and send, e.g. on my server I can type

	$ nsupdate -l
	add example.dotat.at 3600 in a 192.0.2.4
	^D

And my log says:

26-Mar-2014 11:44:00.603 update: info: client 127.0.0.1#43926/key local-ddns: view auth: updating zone 'dotat.at/IN': adding an RR at 'example.dotat.at' A 192.0.2.4
26-Mar-2014 11:44:00.607 notify: info: zone dotat.at/IN/auth: sending notifies (serial 2434)

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Humber, Thames: North becoming cyclonic then east, 5 to 7, occasionally 4 later. Slight or moderate, becoming moderate or rough in Humber. Rain or showers. Good, occasionally poor.
Re: Problems with auto-dnssec maintain on BIND 9.9.5 (latest patch, FreeBSD)
Daniel Ryslink daniel.rysl...@dialtelecom.cz wrote:

> At first, when the zone was not signed at all, all that sufficed was to do rndc loadkeys example.com, and when I later used rndc signing -list example.com, the keys set via dnssec-settime as active in the keys directory were displayed.

Note that `rndc signing -list` possibly does not do what you expect: it tells you about named's progress with incremental signing, which is possibly important for large zones, but for small ones it is so quick it's almost impossible to catch it while signing is in progress. It is a user interface for the TYPE65534 records that named uses to save this information. After a zone has been signed, there is no need for the TYPE65534 records and `rndc signing -list` does not have anything informative to say.

What you probably want instead is `rndc zonestatus` except that feature was added in 9.10...

> Now, the system reverted into a state where rndc signing -list example.com states that no signing records were found.

That is normal if you have run `rndc signing -clear`.

> However, when I export the new zone file into master/example.com, it is no longer signed automatically as before.

Did you tell it to reload the zone?

> Also. named.log for bind displays curiously frequent key events:
>
> Why a key event every five minutes, when TTL of the records is 6 hours?

Have you set dnssec-loadkeys-interval ?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Irish Sea: Southeasterly backing northeasterly 5 or 6, occasionally 7 in north, decreasing 4 at times in south. Moderate in west, slight or moderate in east. Rain or showers. Good, occasionally poor.
Re: BIND 9's entropy consumption
Tom Limoncelli t...@whatexit.org wrote:

> I have 4 DNS servers all running BIND 9.8.2 (the CentOS 6.5 package). One is configured as the master for about 100 zones. The other 3 are slaves for those 100 zones.
>
> On the master the amount of entropy reported by cat /proc/sys/kernel/random/entropy_avail was around 150. On the slaves it hovered around 90.
>
> Is there a technical reason for the difference?

My guess is that the slaves need more random numbers because they are making more queries, to check the SOAs of the zones.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Rockall, Malin: Southeast 5 or 6, veering south 3 or 4. Moderate or rough. Rain then showers. Moderate or poor, becoming good.
Re: All client resolvers support DNSSEC compatible queries ???
Carsten Strotmann c...@strotmann.de wrote:

> You can enable DNSSEC validation support on a BIND 9 caching server that is used as a resolver by your clients. BIND 9 9.9.x already comes with DNSSEC validation enabled, for older versions you need to enable it manually in the configuration.

DNSSEC validation needs to be explicitly enabled in every version of BIND.

Since version 9.8 BIND ships with a built-in root trust anchor, so to enable validation you can just add

	dnssec-validation auto;

(and dnssec-lookaside auto; if you like).

The dnssec-enable option defaults to yes (since version 9.5), but this just makes BIND DNSSEC-aware (so it supports the special semantics of DNSSEC RR types) but does not make it validate.

The rest of what you said is correct.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Fair Isle, Faeroes, South-east Iceland: Mainly southeasterly 5 or 6, decreasing 4 at times. Moderate or rough. Occasional rain, fog patches. Moderate or good, occasionally very poor.
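The distinction in the reply above, shown as two alternative named.conf `options` blocks. This is an added example, not configuration from the thread: pick one block, not both. The first is the trap the reply describes (DNSSEC-aware but not validating); the second turns validation on against the built-in root trust anchor that BIND has shipped since 9.8. `recursion yes` and `listen-on` are assumptions about a caching resolver, not settings the thread mentions.

```conf
// (A) DNSSEC-aware only. dnssec-enable has defaulted to yes since 9.5,
//     so this block changes nothing and the server still does NOT validate.
options {
    recursion yes;
    listen-on { 127.0.0.1; };
    dnssec-enable yes;
};

// (B) Validating resolver. dnssec-validation auto loads the built-in root
//     trust anchor (BIND 9.8 and later) and validates every answer.
options {
    recursion yes;
    listen-on { 127.0.0.1; };
    dnssec-enable yes;
    dnssec-validation auto;
};
```

To confirm which state a resolver is in, query it for a signed name with `dig +dnssec` and look at the flags line: a validating resolver sets `ad` on answers it has verified, and returns SERVFAIL for a name whose signatures are deliberately broken, whereas configuration (A) answers both without `ad`.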
Re: DNSSEC domain and sub-domains
r...@iastate.edu r...@iastate.edu wrote:

> If we implement DNSSEC for iastate.edu, admin.iastate.edu and its.iastate.edu, must DNSSEC be implemented for the delegated zones as well?

No, in exactly the same way that signing .edu does not mean iastate.edu has to be signed. If there are no DS records at the delegation point for cs.iastate.edu that means that cs.iastate.edu is insecure.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
South Biscay: Easterly 4 or 5, veering westerly 5 to 7. Rough. Rain or showers. Good, occasionally poor.
Strange validation failure for answers.ssh.com
We have a couple of recursive servers running 9.9.5 which are persistently unable to validate answers.ssh.com, returning SERVFAIL. With debug logging turned on we get (amongst lots of other things):

24-Apr-2014 16:41:23.087 client 131.111.56.28#35569 (answers.ssh.com): query (cache) 'answers.ssh.com/A/IN' approved
24-Apr-2014 16:41:23.087 client 131.111.56.28#35569 (answers.ssh.com): replace
24-Apr-2014 16:41:23.127 validating @2e4e75b8: answers.ssh.com A: starting
24-Apr-2014 16:41:23.127 validating @2e4e75b8: answers.ssh.com A: attempting insecurity proof
24-Apr-2014 16:41:23.127 validating @2e4e75b8: answers.ssh.com A: checking existence of DS at 'com'
24-Apr-2014 16:41:23.127 validating @2e4e75b8: answers.ssh.com A: checking existence of DS at 'ssh.com'
24-Apr-2014 16:41:24.114 validating @252fd3f0: ssh.com DS: starting
24-Apr-2014 16:41:24.114 validating @252fd3f0: ssh.com DS: attempting positive response validation
24-Apr-2014 16:41:24.114 validating @252fd3f0: ssh.com DS: keyset with trust secure
24-Apr-2014 16:41:24.114 validating @252fd3f0: ssh.com DS: verify rdataset (keyid=56657): success
24-Apr-2014 16:41:24.114 validating @252fd3f0: ssh.com DS: marking as secure, noqname proof not needed
24-Apr-2014 16:41:24.115 validating @2e4e75b8: answers.ssh.com A: in dsfetched2: success
24-Apr-2014 16:41:24.115 validating @2e4e75b8: answers.ssh.com A: resuming proveunsecure
24-Apr-2014 16:41:24.115 validating @2e4e75b8: answers.ssh.com A: checking existence of DS at 'answers.ssh.com'
24-Apr-2014 16:41:24.115 validating @2e4e75b8: answers.ssh.com A: bad cache hit (answers.ssh.com/DS)
24-Apr-2014 16:41:24.115 error (broken trust chain) resolving 'answers.ssh.com/A/IN': 208.109.255.50#53
24-Apr-2014 16:41:24.117 client 131.111.56.28#35569 (answers.ssh.com): query failed (SERVFAIL) for answers.ssh.com/IN/A at query.c:7005
24-Apr-2014 16:41:24.117 fetch completed at resolver.c:4173 for answers.ssh.com/A in 1.028114: broken trust chain/broken trust chain [domain:ssh.com,referral:1,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]

Questions:

Why is it attempting an insecurity proof?

Why is there a bad cache hit for one of the DS queries?

With a bit more debugging turned on we see that named is getting a response from the authoritative server without EDNS and without DNSSEC (see below). Is it omitting EDNS from its query, and if so why?

rndc flushname on answers.ssh.com and ssh.com and all the name servers for ssh.com doesn't fix it. (If I understand it correctly, in 9.9 flushname should clear an entry from the bad cache but flushtree does not. The latter is improved in 9.10.)

It might be nice at this debugging level to log queries as well as responses, and the source and destination addresses of packets.

24-Apr-2014 17:55:31.395 resquery 126e5060 (fctx 18262460(answers.ssh.com/A)): response
24-Apr-2014 17:55:31.395 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62966
;; flags: qr aa; QUESTION: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2
;; QUESTION SECTION:
;answers.ssh.com.               IN      A

;; ANSWER SECTION:
answers.ssh.com.        3600    IN      A       194.137.52.201

;; AUTHORITY SECTION:
ssh.com.                3600    IN      NS      pdns02.domaincontrol.com.
ssh.com.                3600    IN      NS      pdns01.domaincontrol.com.
ssh.com.                3600    IN      NS      ns2.ssh.com.
ssh.com.                3600    IN      NS      ns1.ssh.com.

;; ADDITIONAL SECTION:
ns2.ssh.com.            600     IN      A       208.109.255.50
ns1.ssh.com.            600     IN      A       216.69.185.50

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Lundy: Variable 4, becoming southeast 5 or 6. Slight or moderate. Showers. Good, occasionally moderate.
Re: Promoting a slave to master gives syntax error
Theodotos Andreou t...@theo-andreou.org wrote:

> Now I have a different problem. After converting all the zones to master many zones failed to load because of this:
>
> 29-Apr-2014 11:21:32.613 dns_rdata_fromtext: db.0.210.10.in-addr.arpa:26: near 'android_b2b2b8cdeedf92d3.example.com.': bad name (check-names)
>
> Any idea why? Is there a configuration setting to ignore these errors?

Use check-names warn;. The BIND 9 ARM says:

	check-names

	This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Plymouth, North Biscay: Variable 4, becoming southerly or southwesterly 4 or 5 later. Moderate becoming rough in west. Thundery showers. Moderate, occasionally poor.
Re: Strange validation failure for answers.ssh.com
Tony Finch d...@dotat.at wrote:

> We have a couple of recursive servers running 9.9.5 which are persistently unable to validate answers.ssh.com, returning SERVFAIL.

Some days later one of our servers has been restarted and is successfully resolving this name. The other is still persistently failing. Shouldn't something have timed out or expired and allowed the server to recover?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forth, Tyne, Dogger: Variable 3, becoming east 4 or 5, occasionally 6 later. Slight becoming moderate. Occasional rain, fog banks until later. Poor or very poor, becoming moderate or good later.
Re: BIND 9.10 compilation problem for FreeBSD 6.x/7.x
Shawn Zhou shawnzho...@yahoo.com wrote:

> Any problem has problem building BIND 9.10 for FreeBSD? We are using the same process that worked for building 9.9.4 to build 9.10 on FreeBSD 6.x/7.x but we are getting ld: invalid BFD target error.

Yes. BIND's linking stage changed between 9.9 and 9.10 so instead of invoking cc to link, its build scripts now invoke ld directly. If you used to use -Wl to escape linker flags you must now pass them unescaped.

My build used to have

	export LDFLAGS=-Wl,-R/opt/OpenSSL/lib

but now has

	export LDFLAGS=-R/opt/OpenSSL/lib

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Southwest Forties, Cromarty, Forth, Tyne, Northwest Dogger: Southerly or southwesterly 4 or 5. Slight or moderate. Showers. Good, occasionally moderate.
Re: bin 9.10 verbose logging
Noel Butler noel.but...@ausics.net wrote:

> U, since upgrade 9.9.5 to 9.10 every request to the name server is spewing copious amounts of debug type data (thankfully I only upgraded the one server)
>
> Was debug left on in the final release source code? :)

When I was running pre-release versions I hacked out some of the new EDNS logging (see link below) which I thought would be adjusted before release but I think someone forgot :-) An alternative patch would be to reduce the ISC_LOG_NOTICE to ISC_LOG_DEBUG(3).

https://github.com/fanf2/bind-9/commit/73a2c0ec42c0915bde0275c81861f57645daf683

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Hebrides, Bailey, Fair Isle, South Faeroes: Mainly southerly or southeasterly, becoming cyclonic 4 or 5, occasionally 6 at first. Moderate or rough. Rain or showers. Moderate or good, occasionally poor.
Re: BIND 9.10 compilation problem for FreeBSD 6.x/7.x
Mark Andrews ma...@isc.org wrote:

> Also one shouldn't need to add LDFLAGS=-R/opt/OpenSSL/lib. configure adds it itself if the platform needs it. --with-openssl=/opt/OpenSSL should be enough.

I think the bug here is that configure assumes the admin has added all possible library directories to the RTLD path, so it does not specify an RPATH at all. However if (like me) you are passing a specific path to configure then there is probably a good reason you aren't using the usual system library locations, so you need -R as well as -L and -I.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
North Malin, Hebrides, Bailey: Variable or cyclonic 3 or 4, occasionally 5 except in Hebrides. Moderate or rough. Rain or thundery showers. Good, occasionally poor.
Re: Point domain name of my zone to name in somebody else's zone?
Dave Warren da...@hireahit.com wrote:

> DNSMadeEasy calls this an ANAME record, internally they just lookup the destination's IP and cache it, updating it as needed. It works, but it would be nice if this could be done in DNS.
>
> Sadly, it can't, and probably won't in our lifetimes.

Never say never :-)

You can implement something ANAME-alike with a script that polls the A and AAAA records at the target name and does a DNS UPDATE on the owner as necessary, but that might not scale too well.

There are a couple of difficulties with implementing ANAME inside the server. Firstly it implies a weird authoritative/recursive hybrid. A bit ugly but not unreasonable. Secondly, and more importantly, is the question of how this works with zone transfers and secondaries. How do you ensure they support ANAME records? Do you include a backwards compatibility hack by adding the A and AAAA records to the zone?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Thames, Dover, Wight, Portland, Plymouth: Southwest 5 to 7, occasionally gale 8 in Thames, Dover and Wight. Moderate or rough. Rain or showers. Moderate or good, occasionally poor at first.
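The ANAME-alike poller sketched in the reply above, as an added example that is not code from the thread: a Python script that looks up the A and AAAA records of the target name, compares them with what the owner currently has, and emits an nsupdate script containing only the deletes and adds needed, refusing to empty the owner if the target lookup returned nothing (a transient resolver failure must not wipe the record). The lookups use `dig +short` via subprocess and the update is piped to `nsupdate -l` (update-policy local on the primary); both are assumptions about the deployment, as are the zone, owner and target names used in the comments. The change-planning function is pure so it can be exercised offline with constructed record sets.

```python
"""ANAME-alike: keep an owner name's A/AAAA records equal to a target's.

Added example, not from the original thread or from BIND. Assumptions:
`dig` and `nsupdate` are installed, the script runs on the primary with
`update-policy local;` on the zone, and it is invoked from cron as
    python3 aname_poll.py example.net www.example.net. lb.cdn.example.
"""
import ipaddress
import subprocess
import sys
from typing import Dict, Optional, Set

RRTYPES = ("A", "AAAA")


def resolve_addresses(name: str, rrtype: str) -> Set[str]:
    """Addresses of name/rrtype as seen by the local stub resolver
    (assumed to be validating, since whatever it returns is copied into a
    zone you sign). Uses `dig +short`; returns an empty set on failure."""
    try:
        proc = subprocess.run(["dig", "+short", "+time=3", "+tries=2", name, rrtype],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return set()
    addrs: Set[str] = set()
    for token in proc.stdout.split():
        try:
            addrs.add(str(ipaddress.ip_address(token)))  # normalise e.g. IPv6 text
        except ValueError:
            pass  # dig +short also prints CNAME targets; not addresses, skip
    return addrs


def plan_update(zone: str, owner: str, ttl: int,
                current: Dict[str, Set[str]],
                target: Dict[str, Set[str]]) -> Optional[str]:
    """Return nsupdate input that turns `current` into `target`, or None if
    the owner already matches. current/target map "A"/"AAAA" to address
    sets. Raises RuntimeError if the target has no addresses at all, so a
    failed lookup never deletes everything at the owner."""
    if not any(target.get(t) for t in RRTYPES):
        raise RuntimeError("target resolved to no addresses; refusing to empty the owner")
    lines = [f"zone {zone}"]
    changed = False
    for rrtype in RRTYPES:
        cur = set(current.get(rrtype, ()))
        tgt = set(target.get(rrtype, ()))
        if cur == tgt:
            continue
        changed = True
        for addr in sorted(cur - tgt):
            lines.append(f"update delete {owner} {rrtype} {addr}")
        for addr in sorted(tgt - cur):
            lines.append(f"update add {owner} {ttl} {rrtype} {addr}")
    if not changed:
        return None
    lines.append("send")
    return "\n".join(lines) + "\n"


def main(zone: str, owner: str, target_name: str, ttl: int = 300) -> int:
    current = {t: resolve_addresses(owner, t) for t in RRTYPES}
    target = {t: resolve_addresses(target_name, t) for t in RRTYPES}
    script = plan_update(zone, owner, ttl, current, target)
    if script is None:
        return 0  # nothing to do; keeps the zone serial from churning
    subprocess.run(["nsupdate", "-l"], input=script, text=True, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:4]))
```

Keep the owner's TTL short (the 300 s default here) since the script only converges at its polling interval, and note that the addresses it copies are the ones the primary's own resolver sees: a target served by a geo-aware CDN will hand every client of your zone the addresses closest to your primary, not to them.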
Re: RRL active by default?
Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:

> And, then it finally crashed complain that there was no root hints for the view _ksu_bind, and making class IN view _ksu_bind with all the same zones, including the hint zone it still complained that there was no root hints for view _ksu_bind and crashed.

Did you put the _ksu_bind view in the CHAOS class or leave it in the default IN class?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Viking, North Utsire: Easterly or southeasterly 4 or 5, occasionally 6 in south Viking. Slight or moderate. Rain or showers. Good, occasionally poor.
Re: Slave zone intermittently not refreshing
Mart van de Wege mvdw...@gmail.com wrote:

> How do I go about troubleshooting this issue to get a better idea of what is going on?

Are there any messages in your log containing the string refresh: ?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Thames, Dover, Wight, Portland, Plymouth: Southwest 5 to 7, occasionally gale 8 in Thames, Dover and Wight. Moderate or rough. Rain or showers. Moderate or good, occasionally poor at first.
Re: Multi-master (HA)
A few thoughts...

The DNS protocol is already pretty good at replicating zone data - see for instance John Wingenbach's message in which he describes how their deployment gradually converged on a fairly standard architecture :-)

I think multi-master makes most sense if the primary master uses DNS UPDATE for zone edits (and use raw file format), to minimize the differences between the primary and the secondaries. You probably want to ensure update forwarding is allowed, so that update clients do not have to worry so much about finding the current primary master. When a secondary takes over as primary it will need to update the SOA MNAME to point to itself so updates go to the right place.

Most of the problem is actually one of remote configuration management: promoting a secondary to a primary is not all that different from setting up the secondary in the first place or making other co-ordinated changes. For instance it would be nice to be able to set up a zone once on the primary and have it automatically provisioned on the secondaries.

I like Phil Mayers' zone-template idea, which might make it easier to flip from secondary to primary, as well as reducing the size and ensuring the consistency of large configs.

Metazones are a tempting idea but the details get yucky the more of BIND's features you want to support. Also I am rather wary about the idea of putting secrets in a DNS zone; if you have an out-of-band way of distributing them it makes sense to use the same channel for the rest of the configuration.

(http://ci.nii.ac.jp/naid/110007502948 - Vixie's metazones paper.)

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Viking, North Utsire: Easterly or southeasterly 4 or 5, occasionally 6 in south Viking. Slight or moderate. Rain or showers. Good, occasionally poor.
Re: Slave zone intermittently not refreshing
Mart van de Wege mvdw...@gmail.com wrote:
> Tony Finch d...@dotat.at writes:
>> Mart van de Wege mvdw...@gmail.com wrote:
>>> How do I go about troubleshooting this issue to get a better idea of what is going on?
>>
>> Are there any messages in your log containing the string refresh: ?
>
> I have a couple, all of them 'retry limit for master $foo exceeded'.

That implies that the SOA query (which checks if an XFR is necessary) is timing out. Try running the following on the secondary to see what fails. If you have a TSIG key you will need to use the -k or -y options.

	dig soa $zone @$master
	dig +noedns soa $zone @$master
	dig +tcp soa $zone @$master
	dig axfr $zone @$master

A lot of the refresh failure logging happens at debug level 1 so you can get more details by running `rndc trace 1`.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Southwest Forties, Cromarty, Forth: Cyclonic 3 or 4, occasionally 5. Slight, occasionally moderate. Rain or showers. Good, occasionally poor.
Re: Point domain name of my zone to name in somebody else's zone?
Barry Margolin bar...@alum.mit.edu wrote:

> It also has adverse implications for DNS-based CDN routing, e.g. Akamai. Everyone will be routed to the servers close to the auth servers of the domain containing the ANAME, instead of routing each end user to their closest servers.

Good point. This is relevant to the current discussion about the edns-client-subnet extension on dn...@ietf.org.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
South Biscay, FitzRoy, Sole: Westerly or southwesterly 4 or 5, but 6 or 7 in north Fitzroy and Sole at first. Moderate or rough. Rain or showers. Moderate or good, occasionally poor.
Re: Slave zone intermittently not refreshing
Mart van de Wege mvdw...@gmail.com wrote:
>> A lot of the refresh failure logging happens at debug level 1 so you can get more details by running `rndc trace 1`.
>
> Is there a way to filter that after setting it?

Not without altering the server's logging configuration. Something like the following, perhaps.

	logging {
		category default { default_syslog; };
		category general { default_debug; };
	};

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Viking, North Utsire, South Utsire, Northeast Forties: Variable 4 in North Utsire, otherwise southeasterly 5 or 6. Slight or moderate. Showers. Good, occasionally poor.
Re: AIX and 9.9.5 compiling
Edward DeLargy eddela...@gmail.com wrote:

> I just want to verify that 9.9.5 can be compiled in AIX

The README says:

	Building BIND 9 currently requires a UNIX system with an ANSI C compiler, basic POSIX support, and a 64 bit integer type.

	We've had successful builds and tests on the following systems:

		COMPAQ Tru64 UNIX 5.1B
		Fedora Core 6
		FreeBSD 4.10, 5.2.1, 6.2
		HP-UX 11.11
		Mac OS X 10.5
		NetBSD 3.x, 4.0-beta, 5.0-beta
		OpenBSD 3.3 and up
		Solaris 8, 9, 9 (x86), 10
		Ubuntu 7.04, 7.10
		Windows XP/2003/2008

	NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of Windows, including Windows NT and Windows 2000, are no longer supported.

	We have recent reports from the user community that a supported version of BIND will build and run on the following systems:

		AIX 4.3, 5L
		CentOS 4, 4.5, 5
		Darwin 9.0.0d1/ARM
		Debian 4, 5, 6
		Fedora Core 5, 7, 8
		FreeBSD 6, 7, 8
		HP-UX 11.23 PA
		MacOS X 10.5, 10.6, 10.7
		Red Hat Enterprise Linux 4, 5, 6
		SCO OpenServer 5.0.6
		Slackware 9, 10
		SuSE 9, 10

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Biscay, South FitzRoy: Westerly 4 or 5, backing southwesterly 5 to 7, except in south. Moderate, occasionally rough in north. Occasional rain. Good, occasionally poor.
Re: Point domain name of my zone to name in somebody else's zone?
Dave Warren da...@hireahit.com wrote:

> On 2014-05-08 15:09, Mark Andrews wrote:
> > But that does not help when you want a MX record at the apex or some
> > other record at the apex.
>
> I'd argue that it does -- Since the record is now CNAME'd, the MX record
> is now under the control of the destination of the CNAME record and MX
> records can still be set.

Unfortunately CNAME-pointing-at-MX is an interop disaster area owing to
different MTAs' differing opinions about whether it makes sense to rewrite
email addresses in this situation. Avoid.

> I actually think that MX records were a boneheaded thing to do, had
> email started using SRV records in the first place we might be in a
> position now where using SRV records is the de facto standard if not the
> actual standard for all services.
>
> (No offense to the folks that made MX records happen, I realize that in
> historical context it was the correct decision and it solved the very
> immediate problem -- I'm just saying that in an ideal world, SRV records
> instead of MX records would have solved the same problem in a more
> generic fashion, and would have pushed us to a better place for other
> protocols)

It is interesting to look at the old RFCs and see how many false starts it
took to get to the MX design. Mail was the first heavily virtualized
application so I think their failure to generalize was forgivable,
especially since they were also dealing with the massive problem of
gatewaying between dozens of balkanized mail networks.

http://stuff.mit.edu/afs/athena/reference/net-directory/documents/JANET-Mail-Gateways.ps

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Northerly 5 to 7, but mainly 4 in northwest. Moderate or rough. Mainly fair. Good.
Re: Exiting due fatal error, no named.conf found.
Mimiko vbv...@gmail.com wrote:

> May 11 09:56:14 srv58 named[28172]: loading configuration from '/opt/bind9/etc/named.conf'
> May 11 09:56:14 srv58 named[28172]: open: /opt/bind9/etc/named.conf: file not found
>
> I've put bind in /srv/bind9. Also I use chrooting.

If you are chrooting then all the paths compiled in to named, and those in
the command line options, and in the configuration files, are interpreted
relative to the chroot. You need to ensure that all your configuration
files are inside the chroot. This:

> ln -s /srv/bind9/chroot/etc /opt/bind9/etc

creates a symlink outside your chroot pointing in to it, so it won't help
named to find its files - though it might help you to find them :-)

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
German Bight: Northwest 4 or 5, occasionally 6. Slight or moderate. Showers. Moderate or good.
Re: No logging after logfile turned over. v9.10
James Brown jlbr...@bordo.com.au wrote:

> Any suggestions as to how to make the logging continue after the
> rollover?

Either:

(1) configure newsyslog to HUP named after rolling the logs, by telling it
    the path to named.pid

(2) configure named to use syslog

(3) configure named to roll its log files itself (which it does based on
    size rather than time)

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Humber: North or northwest 3 or 4, occasionally 5 at first. Slight or moderate, but rough in east at first. Showers. Good.
Re: Slave zone intermittently not refreshing
Mart van de Wege mvdw...@gmail.com wrote:

> The only difference I *can* see is that this particular slave zone
> occasionally gets a lot of updates in a single day, which is when this
> problem seems to be triggered.

Is there an MTU problem between your slave and the master? Or a problem
with fragmented UDP? I wonder if something is screwing up large IXFR
packets, causing your slave to get stuck - that might explain the timeout
messages in the log.

It is a bit difficult to properly test IXFR because dig will only do it
over TCP (it ignores the +notcp option for AXFR and IXFR). And you can't
force named to use TCP for IXFR, so getting named and dig to behave the
same is tricky...

You could try setting

    request-ixfr no;

to see if AXFR (over TCP) works better.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Shannon: Northwest 5 to 7, decreasing 4 or 5. Rough. Showers, squally at first. Good.
Re: Slave zone intermittently not refreshing
Mark Andrews ma...@isc.org wrote:

> 2275.   [func]          Add support to dig to perform IXFR queries over
>                         UDP. [RT #17235]
>
> DiG has supported ixfr over udp since 2007. It just defaults to TCP.
> You have to disable TCP after specifying ixfr.

Ah I am sure you have told me that before, but I forgot and the man page
didn't remind me :-)

And I had falsely got the impression from RFC 1995 that IXFR-over-UDP was
the norm, but all the IXFRs in my logs are over TCP, and named/xfrout.c
says:

     * Sending a single SOA record is also how we refuse
     * IXFR over UDP (currently, we always do).

Sadface.

Which suggests my guess about the cause of Mart's problem was wrong,
though I suppose it could still be a TCP MTU problem.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
German Bight: Northwest 5, increasing 6 or 7. Slight or moderate, becoming moderate or rough. Showers. Good.
Re: Split DNS(view configuration)
Techs_Maru tec...@gmail.com wrote:

> view "internal" {
>     recursion yes;
>     zone "." IN { ... };

I think it is better to use named's built-in root hints, so you don't need
to explicitly configure this.

>     zone "hoge.com" IN {
>         type slave;
>         masters { AAA.AAA.AAA.AAA; };
>         file "hoge.zone_slave";
>     };
> };
>
> view "external" {
>     zone "hoge.com" IN {
>         type slave;
>         masters { ... };
>         file "hoge.zone_slave";

You must not share slave zone files between zones.

>     };
> };
>
> The content of internal view is not updated even if it updates record.
> I want to let both view reflect an update record by zonal transfer.

Use a different TSIG key for each view in the slave. Include each key in
the match-clients clause of each view. Include both keys in the
also-notify clause on the master.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Sole: Variable 3 or 4, becoming northerly or northeasterly 5 or 6 for a time in far west. Moderate or rough. Thundery showers. Moderate or good, occasionally poor in east.
Re: Split DNS(view configuration)
Techs_Maru tec...@gmail.com wrote:

> The mastering server side cannot be touched as this assumption.

Ah, I missed that difficulty.

> It can solve what I wanted to do by forwarding the zone in the local.
> Method of sending notify to other view when source in zone forwarding
> origin is confirmed with client-match, and either view receives zone.
> However, how to configure it is not understood.

There are two options:

You can have one view that slaves the zone from the master, and the other
view slaves the zone from the first view.

Or you can have an authoritative view that slaves the zone from the
master, and a recursive view that has static-stub clauses to send queries
to the first zone. (But beware, there are bugs in older versions of BIND
if your zones are DNSSEC signed.)

    view "internal" {
        match-clients { XXX.XXX.XXX.XXX; };
        match-recursive-only yes;
        recursion yes;
        zone "hoge.com" {
            type static-stub;
            server-addresses { 127.0.0.1; };
        };
    };

    view "external" {
        match-clients { YYY.YYY.YYY.YYY; };
        recursion no;
        zone "hoge.com" {
            type slave;
            masters { AAA.AAA.AAA.AAA; };
            file "hoge.zone_slave";
        };
    };

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Fair Isle: Southeasterly 4 or 5 in east, northerly 5 to 7 in west, perhaps gale 8 later. Slight or moderate in east, moderate becoming rough or very rough in west. Fog patches, rain or thundery showers. Moderate, occasionally very poor.
Re: Slightly Off-Topic: Dealing with DNSSEC Bogus Data
Jorge Fábregas jorge.fabre...@gmail.com wrote:

> This change is going to impact thousands of users for us and I'm a bit
> worried about it. How do you deal with DNSSEC bogus data?

We don't do anything special to reduce the problem. It has not caused
noticeable pain or complaints from our users. We have I think had only one
case which caused any significant difficulty, mainly because the breakage
lasted months and it was difficult to get the broken site to understand
what needed fixing. Fortunately it only affected a few users.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Westerly or northwesterly, but southwesterly for a time in north, 4 or 5. Moderate, occasionally rough in northwest. Showers in north. Good.
Re: A Note About Today's New BIND Releases
Noel Butler noel.but...@ausics.net wrote:

> Does this also address the crazy amount of logging (as previously
> discussed here)?

If you mean the EDNS logging, that should be fixed in 9.10.1.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
East Sole, Lundy, Fastnet: Variable 3 or 4. Smooth or slight. Mainly fair. Moderate or good, occasionally poor.
Re: FORMERR on packet received from Forwarder
Levi Pederson levipeder...@mankatonetworks.net wrote:

> I have an authoritative DNS server that is supposed to forward any
> unknowns to a specific upstream server.

You are mixing authoritative and recursive service in a way that is not
going to work well. Forwarding is designed for recursive clients. It
doesn't make sense to forward queries on an authoritative server.

When BIND forwards to an upstream server it makes recursive queries and
expects the upstream server to return a complete response. Your upstream
server is not a recursive server: there is no RA bit set in the response,
and the response is a referral. BIND is objecting to a non-improving
referral which means that BIND thinks the server is authoritative for zone
X but the referral says zone X is elsewhere.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Fisher: North or northwest 5 to 7, occasionally gale 8 at first. Moderate or rough. Fair. Good.
Re: RRL question
Nick n...@nsnpc.net wrote:

> Is there a way to setup RRL to rate limit by source IP / or certain net
> blocks?

For simple cases where you want to rate-limit by default, but allow some
clients to be unlimited, use the exempt-clients clause.

If you want different limits for different clients, use different views
with different rate-limit clauses in each view.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
South North Utsire, South Utsire: Variable 3 or 4. Slight or moderate. Fair. Good.
Re: daemon warning
Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:

> I have configured the Solaris service admin to run
>
>     /nithr/sbin/named -t /dns -u dnsuser
>
> when I start the dns server now since I have upgraded to 9.10.0-P2 I get
> a daemon notice that it is unable to set the effective uid to 0: Not
> Owner logged in my /var/adm/messages that I never received before.

I think this warning happens either when named tries to write its pid file
or its session key file, which are the only times that I can find when it
would try to set its euid to 0. (When writing those files named
temporarily drops privileges, calling seteuid(0) to raise them again, and
it permanently drops privileges a bit later.)

So my guess is you are not starting named as root?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Humber: Northwest backing southwest 3 or 4. Slight, becoming moderate for a time in northeast. Mainly fair. Good.
RE: daemon warning
Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:

> Correct, so is there some negative impact I can expect or is it just a
> log entry I can ignore?

If you aren't getting any "Could not open..." warnings as well then you
are probably OK.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Dover, Wight, Portland, Plymouth: East or northeast 4 or 5, occasionally 6 at first. Slight or moderate. Showers. Moderate or good.
Re: Error when using GeoIP
Ali Jawad alijaw...@gmail.com wrote:

> acl US { geoip country US; };
>
> view US {
>     match-clients { US; }; // Once I add this it throws the error below
> };
>
> /etc/named.conf:47: no GeoIP database installed which can answer queries of type 'country'

This is a bug in 9.10.0 which will be fixed in 9.10.1. Until then there is
a patch:

https://lists.isc.org/pipermail/bind-users/2014-May/093083.html

The workaround is to put the geoip country directive in the match-clients
clause itself rather than going via a named acl.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Southeast Rockall, Malin: Variable 4, becoming southwesterly 5 to 7, perhaps gale 8 later. Slight or moderate, becoming moderate or rough later. Rain later. Good, occasionally poor.
Re: DLV dnssec setup
Wolfgang Rosenauer wrosena...@gmail.com wrote:

> dnssec-validation auto;
> dnssec-lookaside . trust-anchor dlv.isc.org.;

Why not use

    dnssec-lookaside auto;

?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
West Forties, Cromarty, Forth, Tyne, Dogger: Northerly or northwesterly 5 or 6, decreasing 4. Moderate becoming slight. Occasional rain, fog patches developing. Good becoming moderate, occasionally very poor.
Re: DLV dnssec setup
Wolfgang Rosenauer wrosena...@gmail.com wrote:

> Changed it now to dnssec-lookaside auto and it still behaves exactly the
> same way.

What happens if you delete the managed-keys files and restart?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
North Utsire, South Utsire, East Forties: Variable, mainly northeasterly, veering southeasterly, 3 or 4. Slight. Fog patches. Moderate or good, occasionally very poor.
Re: DLV dnssec setup
Wolfgang Rosenauer wrosena...@gmail.com wrote:

> first thing:
>
> 2014-07-10T16:04:56.862405+02:00 s15418965 named[29815]: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': timed out
>
> Eventually the file appeared a bit later with the dlv.isc.org key.

Suspicious. What do you get if you run

    dig +short rs.dns-oarc.net txt

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Humber, Thames, Dover: North or northwest 4 or 5, occasionally 6 until later. Moderate, occasionally rough at first, becoming slight. Rain or thundery showers, fog patches developing. Moderate, occasionally very poor.
Re: DLV dnssec setup
Wolfgang Rosenauer wrosena...@gmail.com wrote:

> s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
>
> there is no output at all. Is that also expected and the reason is the
> UDP limitation?

Yes.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Easterly or northeasterly 5 to 7, decreasing 4 in southeast. Moderate or rough. Fair. Good.
Re: recover missing journal files from running server
Phil Pennock bind-users+p...@spodhuis.org wrote:

> Seeing little things like this:
>
>   deleting db.spodhuis.org.signed.jnl
>   deleting db.spodhuis.org.signed
>   deleting db.spodhuis.org.jnl
>   deleting db.spodhuis.org.jbk
>
> worry me. Is there any way to get back the on-disk state files for the
> auto-maintained zones, so that I can recover from my mistake cleanly?

Journal files mainly support incremental updates, so it is safe to lose
them provided you have an up-to-date zone file and you don't mind
retransferring the zones from scratch.

The main thing you need to recover is the .signed file, which you can get
using `dig axfr`. This is perhaps less tricky than persuading named to
re-write it :-)

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Northerly or northeasterly 5 to 7. Moderate or rough. Fair. Good.
Re: Public facing authoritative NS all masters
Gary Wallis wgg1...@gmail.com wrote:

> What are the drawbacks, if any, of running only master name servers for
> the set of authoritative NSs?

That depends entirely on how you are replicating the zone data. The DNS's
own replication (AXFR, IXFR, NOTIFY, TSIG) is pretty hard to beat: it is
fast, secure, and copes gracefully with outages.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Shannon: Southwest veering west 5 to 7, decreasing 4 later. Moderate or rough. Rain at first. Good, occasionally poor at first.
Re: BIND 9.10.0-P2 prefetch problem
Tracy, Tedd C. Contractor tedd.c.tr...@ssa.gov wrote:

> ;; ANSWER SECTION:
> www.securityplusfcuhb.org. 86399 IN CNAME securityplusfcuhb.flb.intuit.com.
> securityplusfcuhb.flb.intuit.com. 30 IN CNAME 03845.olb.prd1.flb.digitalinsight.com.
> 03845.olb.prd1.flb.digitalinsight.com. 30 IN A 199.102.151.76
>
> As long as no queries are performed at a time that would trigger a
> prefetch, everything is fine. If a query is performed at a time that
> does trigger a prefetch, all subsequent queries return NXDOMAIN.

The problem is one of the name servers responds incorrectly to CNAME
queries:

; DiG cname securityplusfcuhb.flb.intuit.com. @flbflb-gtm-lvdc.intuit.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7806
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;securityplusfcuhb.flb.intuit.com. IN CNAME

;; AUTHORITY SECTION:
flb.intuit.com. 600 IN SOA flbflb-gtm-qydc.intuit.com. hostmaster.flb.intuit.com. 2014022110 10800 3600 604800 86400

;; Query time: 150 msec
;; SERVER: 63.172.232.28#53(63.172.232.28)
;; WHEN: Tue Jul 15 18:06:45 BST 2014
;; MSG SIZE  rcvd: 124

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Viking, North Utsire, South Utsire, Northeast Forties: Westerly 5 or 6, backing southerly 4 or 5 later. Slight or moderate. Showers, rain later. Good, occasionally poor.
Re: Bind and ZSK-Rollovers: Changing salt automatically?
Carsten Strotmann c...@strotmann.de wrote:

> I do not understand how the NSEC3 hash can be defeated by an attacker.
> Could you give a link to additional information or could you explain the
> issue with NSEC3 salt in other words?

http://www.vs.uni-due.de/personal/wander/20130512_NSEC3_Hash_Breaking/

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Dover, East Wight: Northerly or northeasterly 4 or 5. Slight or moderate. Thundery showers. Moderate or good.
Re: Bind 9.9.5 high CPU and when will Bind9.8 EOL?
Lily truelil...@gmail.com wrote:

> will 9.8 branch reach end of life support soon?

Go to http://www.isc.org/downloads/ and click on BIND towards the bottom.
EOL for 9.8 is September.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
West Bailey: Northerly 4 or 5 becoming variable 3. Slight or moderate. Showers. Good.
Re: rndc (and now nsupdate too)
Reindl Harald h.rei...@thelounge.net wrote:

> On 31.07.2014 at 21:08, /dev/rob0 wrote:
> > The proper tool to manage zone data is nsupdate(8). Likewise well
> > suited for automation.
>
> Zone file *editing*? Sorry, no. In 2008 I developed an interface to
> create all zone files based on database records, writing the complete
> zone content in a main table with a text field and a second text field
> where translation for NAT/WAN zones happens, and so there is and never
> was a reason to *edit* a zone file: it is created from scratch when
> changes in a zone happen, and cronjobs only pull zones with the
> updated-field set to 1.

In our setup, changes made in the database are turned into an nsupdate
script, so we don't need to bounce the name server and we can use BIND's
automatic signing.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Sole: Southwest 3 or 4 veering northwest 5 or 6. Slight or moderate, becoming moderate or rough in west. Rain or showers. Moderate or good.
Re: rndc (and now nsupdate too)
Mike Hoskins (michoski) micho...@cisco.com wrote:

> Tony Finch d...@dotat.at wrote:
> > In our setup, changes made in the database are turned into an nsupdate
> > script, so we don't need to bounce the name server and we can use
> > BIND's automatic signing.
>
> no argument on nsupdate, but even if you copy files around...you don't
> need to bounce the nameserver, unless rndc reload is what you mean (when
> i hear bounce i think stop/start).

Sorry, I was being imprecise. When I said "bounce" I meant any kind of
config change action that makes named do more work than is necessary to
change the contents of the zone.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
FitzRoy: Westerly or southwesterly veering northwesterly, 4 or 5, increasing 6 or 7 for a time in east. Slight or moderate, becoming moderate or rough in east. Rain or thundery showers. Good, occasionally poor.
Re: running named built with --enable-native-pkcs11 without HSM provider library
Tomas Hozza tho...@redhat.com wrote:

> Right now it is not possible, and when named is built with
> --enable-native-pkcs11 it can not run without HSM and some PKCS#11
> provider library.

Would using SoftHSM solve your problem?

http://www.opendnssec.org/softhsm/
http://ftp.isc.org/isc/bind9/9.10.0-P2/doc/arm/Bv9ARM.ch04.html#id2666009

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Irish Sea: West or southwest, veering northwest for a time, 4 or 5, occasionally 6 at first. Slight or moderate. Showers. Moderate or good.
Re: Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'
Timothe Litt l...@acm.org wrote:

> There are still registrars that don't accept DNSSEC records, and a
> non-trivial number of domain holders can't easily switch registrars.

In some cases it isn't possible to switch to a better registrar, e.g. if
you need DNSSEC for your reverse DNS. So yes, there is still value in DLV.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
Re: Putting weird characters into zone files ?
Mukund Sivaraman m...@isc.org wrote:

> BIND will not allow you to use special characters such as '!' in owner
> names of certain RRs types such as A, MX, etc. as they don't form valid
> hostnames (see RFCs 1123 and 1912).

But you can set the check-names option to relax the restrictions.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
Re: Punycode questions
Ronald F. Guilmette r...@tristatelogic.com wrote:

> In a nutshell, I'd just like to know whether or not Punycode encoded
> strings may ever validly contain either (a) leading periods or else (b)
> two consecutive periods. Would any strings that contain either of those
> things be considered to be valid Punycode encoded strings?

No. For details see RFCs 5891, 5892, and 3492.

> To be more specific and concrete about it, here is a small example Perl
> program I wrote:
>
>     ftp://ftp.tristatelogic.com/pub/punybug.pl
>
> When *I* run this, it prints out several "Invalid punycode!" errors.

I think that is because the function you are calling is intended for
encoding individual labels, not whole domain names.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
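The label-at-a-time point above, as an added example (not Ronald's Perl program and not anything from the list): a name is split on "." first, each label is encoded or decoded on its own with Python's built-in `punycode` codec, and the empty labels that a leading or doubled period would produce are rejected, which is why such strings can never be valid. Full RFC 5891/5892 processing (NFC normalisation, disallowed code points, bidi rules) is deliberately left out; the function and sample names are the example's own.

```python
"""Label-wise A-label/U-label conversion (RFC 3492 encodes one label at a
time; RFC 5891 applies its rules per label). Added example using only the
standard-library 'punycode' codec; it does not implement the full IDNA
validation, only the structural checks."""

ACE_PREFIX = "xn--"


def split_labels(name):
    """Split a domain name into labels. One trailing dot (FQDN) is allowed;
    a leading dot or consecutive dots would give an empty label, which is
    never valid, so they raise ValueError."""
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    for label in labels:
        if label == "":
            raise ValueError("empty label in %r (leading or doubled '.')" % name)
    return labels


def encode_label(label):
    """U-label -> A-label. ASCII labels pass through lower-cased; anything
    else gets the xn-- prefix plus the Punycode encoding of that label only."""
    label = label.lower()
    if label.isascii():
        ace = label
    else:
        ace = ACE_PREFIX + label.encode("punycode").decode("ascii")
    if len(ace) > 63:
        raise ValueError("label %r exceeds 63 octets" % ace)
    return ace


def decode_label(label):
    """A-label -> U-label; labels without the xn-- prefix are returned as-is."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def encode_name(name):
    """Encode a whole name by encoding each label separately."""
    return ".".join(encode_label(label) for label in split_labels(name))


def decode_name(name):
    """Decode a whole name label by label (validating its structure first)."""
    return ".".join(decode_label(label) for label in split_labels(name))


if __name__ == "__main__":
    # Sample names are constructed for the example.
    for name in ("Bücher.example.", "日本.jp", "plain.example"):
        print(name, "->", encode_name(name), "->", decode_name(encode_name(name)))
    for bad in (".example", "a..b"):
        try:
            encode_name(bad)
        except ValueError as err:
            print("rejected:", err)
```

Passing the whole name to the codec instead of one label would "work" for ASCII-only names only by accident, since "." is a basic code point to Punycode; the split is what makes the period rule checkable at all.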
Re: Diagnostic help part 2
Mike Hoskins (michoski) micho...@cisco.com wrote:

> This isn't even specific to DNS...for example, there was a time when
> just turning on what sounds good for cisco, netscreen and even
> checkpoint would break other things like ESMTP.

You mean Cisco have fixed the grossly damaging bugs in the PIX/ASA
application layer filters? My favourite one is its insufficient
cross-packet state, and habit of ing out commands it does not understand,
which leads to it ing out RCPT commands that happen to be split between
packets, leading to things like people being unsubscribed from mailing
lists.

(Sorry for straying off topic. I have less experience of Cisco PIX/ASA
breaking DNS than of them breaking SMTP.)

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
Re: Inline-signing feature request: Directly set the signed zone's serial number
Terry Burton t...@terryburton.co.uk wrote:

> This is especially useful in bootstrapping scenarios where the zone data
> is held under strict revision control or generated by some provisioning
> system that owns the serial number.

Our provisioning system used to think it owned zone serial numbers, but
when we started signing we moved the version tag into an HINFO record.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
Re: Question about swupdl.adobe.com
Giles Coochey gi...@coochey.net wrote:

> It looks like adobe are entertaining use of a CNAME chain (a CNAME to a
> CNAME which points to a CNAME which points to a CNAME which eventually
> points to an A record).

No, CNAME chains are OK. The problem is that the wip4.adobe.com name
servers incorrectly respond with NXDOMAIN (instead of noerror/nodata) when
you ask for RRtypes other than A and .

; DiG 9.11.0pre-alpha mx swupdl.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;swupdl.adobe.com. IN MX

;; ANSWER SECTION:
swupdl.adobe.com. 2976 IN CNAME swupdl.wip4.adobe.com.

;; AUTHORITY SECTION:
wip4.adobe.com. 30 IN SOA sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1287 10800 3600 604800 60

;; Query time: 169 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Oct 09 14:41:01 BST 2014
;; MSG SIZE  rcvd: 128

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
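The three misbehaving servers in the FORMERR, prefetch and swupdl.adobe.com threads above can all be spotted mechanically from the dig output. Added example, not code from the list or from BIND: a small parser for the text dig prints and a check function that flags NXDOMAIN alongside answer records, NXDOMAIN for a name an earlier answer showed to exist, and an upstream that does not offer recursion or hands back a referral. The two real samples are condensed from the responses quoted in the threads; the referral sample is a constructed placeholder using example.com, and the function names are the example's own.

```python
"""Sanity-check dig output for the broken behaviours discussed above.
Added example (not from the mailing list or BIND). The checks are the
ones a recursive resolver cares about: an NXDOMAIN that contradicts the
answer section or an earlier answer, and a forwarder target that is not
actually a recursive server."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
                      r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")
RR_SECTIONS = ("ANSWER", "AUTHORITY", "ADDITIONAL")


@dataclass
class DigResponse:
    status: str = ""
    flags: frozenset = frozenset()
    qname: str = ""
    qtype: str = ""
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def parse_dig(text):
    """Parse dig's text output; timing and comment lines are ignored."""
    resp, section = DigResponse(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.search(line)):
            resp.status = m.group(2)
        elif (m := FLAGS_RE.match(line)):
            resp.flags = frozenset(m.group(1).split())
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line.split()[1]            # ";; ANSWER SECTION:" -> ANSWER
        elif line.startswith(";"):
            if section == "QUESTION":            # ";swupdl.adobe.com. IN MX"
                parts = line[1:].split()
                resp.qname, resp.qtype = parts[0], parts[-1]
        elif section in RR_SECTIONS:
            owner, ttl, _cls, rtype, *rdata = line.split()
            getattr(resp, section.lower()).append(
                {"name": owner, "ttl": int(ttl), "type": rtype, "rdata": " ".join(rdata)})
    return resp


def check_response(resp, known_names=frozenset(), expect_recursion=False):
    """Return a list of problems; an empty list means the response looks sane.
    known_names: owners seen in earlier answers (e.g. CNAME owners).
    expect_recursion: True when the server is meant to act as a forwarder."""
    problems = []
    if resp.status == "NXDOMAIN" and resp.answer:
        problems.append("NXDOMAIN with %d answer record(s): the owner exists, so the "
                        "rcode should be NOERROR with an empty answer (nodata)"
                        % len(resp.answer))
    if resp.status == "NXDOMAIN" and resp.qname in known_names:
        problems.append("NXDOMAIN for %s although an earlier answer showed it exists; a "
                        "resolver caching this (RFC 2308) answers NXDOMAIN for every "
                        "type at that name" % resp.qname)
    if expect_recursion and "rd" in resp.flags and "ra" not in resp.flags:
        problems.append("recursion requested but not available: not usable as a "
                        "forwarder target")
    if (expect_recursion and resp.status == "NOERROR" and not resp.answer
            and any(rr["type"] == "NS" for rr in resp.authority)):
        problems.append("referral instead of a complete answer")
    return problems


# Condensed from the swupdl.adobe.com thread: NXDOMAIN next to a CNAME answer.
ADOBE_MX = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;swupdl.adobe.com. IN MX
;; ANSWER SECTION:
swupdl.adobe.com. 2976 IN CNAME swupdl.wip4.adobe.com.
;; AUTHORITY SECTION:
wip4.adobe.com. 30 IN SOA sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1287 10800 3600 604800 60
"""

# Condensed from the prefetch thread: NXDOMAIN to a CNAME query for a name
# the resolver has just seen as a CNAME owner.
INTUIT_CNAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7806
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;securityplusfcuhb.flb.intuit.com. IN CNAME
;; AUTHORITY SECTION:
flb.intuit.com. 600 IN SOA flbflb-gtm-qydc.intuit.com. hostmaster.flb.intuit.com. 2014022110 10800 3600 604800 86400
"""

# Constructed placeholder for the FORMERR thread: an upstream with no RA that
# returns a referral rather than a complete answer.
UPSTREAM_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
"""

if __name__ == "__main__":
    cases = (("adobe", ADOBE_MX, {}),
             ("intuit", INTUIT_CNAME, {"known_names": {"securityplusfcuhb.flb.intuit.com."}}),
             ("upstream", UPSTREAM_REFERRAL, {"expect_recursion": True}))
    for label, text, kwargs in cases:
        for problem in check_response(parse_dig(text), **kwargs):
            print("%s: %s" % (label, problem))
```

The intuit response is only detectably wrong in context: on its own, NXDOMAIN with an SOA in the authority section is a well-formed negative answer, which is exactly why the prefetch path found the bug that ordinary lookups did not.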
Re: injecting records into transfered zone (hidden primary/inline DNSSEC)
Thomas Goldberg t.goldber...@gmail.com wrote:

> Essentially we're looking for a way to inject DS records into a slave
> zone (transfered from another DNS server).

One way to do this is with my nsdiff script which was written to do a
similar job to inline-signing mode for older versions of BIND.

http://dotat.at/prog/nsdiff/

To set it up, you configure your BIND server as a master (instead of as a
slave) with dynamic updates and automatic signing turned on. You run
nsdiff in bump-in-the-wire mode which takes a zone transfer from a hidden
master (e.g. your windows server) and injects the changes into the signer
(BIND) using nsupdate.

To take control of DS records, use an option to make nsdiff ignore them:

    nsdiff -i '^\S+\s+\d+\s+IN\s+DS\s+'

Then you can use nsupdate to inject the DS records into BIND. Then when
you run nsdiff it will propagate non-DNSSEC changes from Windows to BIND,
but it will leave the DS records alone.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
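The "changes become an nsupdate script" idea from the rndc/nsupdate thread and the bump-in-the-wire setup just described share one core step: diff two copies of the zone and emit a single nsupdate transaction. Here it is as an added example, written for this page rather than taken from nsdiff or the list: the input is the "owner ttl class type rdata" presentation form that `dig axfr` prints, and `ignore` is a regex applied to each record line in the same way as the `-i` option above, so records owned by another party (the injected DS records) are left untouched. The sample zones, names, DS key tag and digest are constructed placeholders.

```python
"""Generate an nsupdate script from the difference between two versions of
a zone. Added example (not nsdiff and not code from the mailing list).
Input lines look like dig axfr output: owner ttl class type rdata."""
import re


def parse_zone(text):
    """Return the zone as a set of (owner, ttl, type, rdata) tuples."""
    rrs = set()
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blanks
        if not line:
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        rrs.add((owner, int(ttl), rtype.upper(), " ".join(rdata)))
    return rrs


def nsupdate_script(zone, old_text, new_text, server=None, ignore=None):
    """Return nsupdate commands that turn old into new, or "" if nothing
    changed. The SOA is never touched: named maintains the serial of a
    dynamic zone itself. `ignore` is a regex matched against each record
    line ("owner ttl IN type rdata"); matching records are left alone on
    both sides, like nsdiff -i."""
    ign = re.compile(ignore) if ignore else None

    def keep(rr):
        return rr[2] != "SOA" and not (ign and ign.search("%s %d IN %s %s" % rr))

    old = {rr for rr in parse_zone(old_text) if keep(rr)}
    new = {rr for rr in parse_zone(new_text) if keep(rr)}
    if old == new:
        return ""
    lines = ["server %s" % server] if server else []
    lines.append("zone %s" % zone)
    # Deletes first, then adds, all before one "send" so the change is
    # applied atomically and no query sees a half-updated zone.
    lines += ["update delete %s %d IN %s %s" % rr for rr in sorted(old - new)]
    lines += ["update add %s %d IN %s %s" % rr for rr in sorted(new - old)]
    lines.append("send")
    return "\n".join(lines) + "\n"


# The pattern quoted in the thread above; it matches DS records only.
DS_IGNORE = r"^\S+\s+\d+\s+IN\s+DS\s+"

# Constructed sample: what the signer (BIND) currently serves, including a
# DS record that was injected with nsupdate (key tag and digest are dummies) ...
SIGNER_ZONE = """\
example.com.       3600 IN SOA ns1.example.com. hostmaster.example.com. 2014110101 7200 900 1209600 3600
www.example.com.    300 IN A  192.0.2.1
example.com.       3600 IN MX 10 mail.example.com.
child.example.com. 3600 IN DS 12345 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# ... and what the hidden master now publishes: no DS, one changed A, one new A.
HIDDEN_MASTER_ZONE = """\
example.com.       3600 IN SOA ns1.example.com. hostmaster.example.com. 2014110102 7200 900 1209600 3600
www.example.com.    300 IN A  192.0.2.2
example.com.       3600 IN MX 10 mail.example.com.
ftp.example.com.    300 IN A  192.0.2.3
"""

if __name__ == "__main__":
    print(nsupdate_script("example.com.", SIGNER_ZONE, HIDDEN_MASTER_ZONE,
                          server="127.0.0.1", ignore=DS_IGNORE), end="")
```

Run without `ignore`, the same diff would emit `update delete child.example.com. 3600 IN DS ...` and undo the injected DS record on every pass, which is the failure the `-i` option exists to prevent.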
ISC KB recursive server best practices
A couple of notes and queries re.
https://kb.isc.org/article/AA-00874/0/Best-Practices-for-those-running-Recursive-Servers.html

RRL: I don't think this is a good idea on recursive servers; at the very
least it is difficult to tune appropriately for recursive servers. Also,
RRL is available as a build-time option in 9.9.4 and later, and by default
in all builds of 9.10 and later.

The max-cache-size 32 bit limit was fixed in 9.9.3.

Do you have any guidelines on --with-tuning=large in 9.10, or related
configuration knobs for 9.9?

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
Re: forwarding zone to another DNS server problem
houguanghua houguang...@hotmail.com wrote:

> Can bind support forwarding zone to another DNS server? In my testing,
> for local name servers, it can. But for authority name servers, it can't.

Use stub or static-stub to forward to an authoritative server.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
Re: forwarding zone to another DNS server problem
Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> On 02.11.14 23:09, Frank Pikelner wrote:
> > What is the advantage of using a stub or static-stub to using a slave?
>
> you should use them when it's not possible or viable to use slave, e.g.
> windows AD domain, RBL domain, domain that can't be transferred etc...

Also if you want to do DNSSEC validation.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
RE: forwarding zone to another DNS server problem
houguanghua houguang...@hotmail.com wrote:

> I'm not familiar with 'stub'. The description of 'stub' is hard to
> understand.

Yes it's a bit weird. Think of it like the root hints but for other
zones: i.e. a hint zone configuration in a recursive server tells named
that instead of using a referral from the parent zone to find the name
servers for this zone, use these configured name servers. However the name
servers at the zone's apex can override your configuration.

If you use static-stub instead, your configured name servers override all
name servers for the zone that your name server might receive.

The difference with forwarding zones occurs if there is a delegation point
below the zone you have configured. With a forwarding zone, named expects
the target name server to do recursion, so the target server will deal
with following the referral and resolving the final answer. With a stub
zone, named expects to get authoritative answers and referrals to child
zones, and it will do its own recursion to resolve the final answer.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Viking, North North Utsire: Cyclonic, becoming northeasterly 6 to gale 8, occasionally severe gale 9. Moderate or rough, becoming rough or very rough. Rain or showers. Good, occasionally poor.
Re: How to debug BIND
Kaouthar Chetioui kaoutharcheti...@gmail.com wrote:

> I want to know the exact path that follows bind to resolve a DNS query

Try running

    $ rndc flush
    $ rndc trace 11
    $ dig www.example.ma

Then look at named's logs which will give you lots of details about
queries, responses, and the parts of BIND involved in the process.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
South Fitzroy: Northerly 5 to 7, occasionally gale 8 at first. Rough, occasionally very rough at first. Showers. Good, occasionally moderate.
Re: How to debug BIND
Kaouthar Chetioui kaoutharcheti...@gmail.com wrote:

> I don't find any name of source file (like message.c or name.c) or name
> of function in this log file, so I can't understand exactly the process
> of resolution for dig command.

The log module gives you a rough idea of which part of the system emitted
the log message. I often find I have to grep the source to find the exact
place, which is a bit tiresome especially because messages are often split
across multiple lines in the code.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Southeast Iceland: Southwesterly severe gale 9 or storm 10, decreasing 6 to gale 8. High becoming very rough. Squally wintry showers. Good, occasionally poor.
Re: Problem with BIND 9.10.1-P1 recursion limits
Evan Hunt e...@isc.org wrote:

> However, in this case I think it's because you had an empty cache, and
> sending a second query will clear the problem up. In a future release, we
> may want to lift the restrictions temporarily while priming.

Yes, I could reproduce it after flushing my cache. Had to wait five
minutes before the queries succeeded, which seems unpleasantly long. I
don't know where that time comes from - the ARM says the default
servfail-ttl is 10s.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Faeroes: Southwesterly gale 8 to storm 10, occasionally violent storm 11 at first in east. High becoming very high, occasionally phenomenal later. Rain, then squally wintry showers. Moderate, occasionally poor.
Re: Question about new options (9.9.6-P1)
양지은 god...@naver.com wrote:

> I have a question about new options, max-recursion-depth and
> max-recursion-queries in 9.9.6-P1. Would you teach me how the options
> work?

The ARM has a fairly complete description. Does it answer your questions?

ftp://ftp.isc.org/isc/bind9/9.9.6-P1/doc/arm/Bv9ARM.ch06.html#max-recursion-depth

    max-recursion-depth
        Sets the maximum number of levels of recursion that are permitted
        at any one time while servicing a recursive query. Resolving a
        name may require looking up a name server address, which in turn
        requires resolving another name, etc; if the number of
        indirections exceeds this value, the recursive query is terminated
        and returns SERVFAIL. The default is 7.

    max-recursion-queries
        Sets the maximum number of iterative queries that may be sent
        while servicing a recursive query. If more queries are sent, the
        recursive query is terminated and returns SERVFAIL. The default is
        50.

> I am also wondering if they are applied each request query or global
> option.

Per query.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Faeroes, Southeast Iceland: Northerly gale 8 to storm 10 backing westerly 5 to 7. High or very high, becoming rough or very rough, occasionally moderate later in Southeast Iceland. Snow showers. Moderate or poor, occasionally very poor.
Re: bad zone not loaded
Bob Harold rharo...@umich.edu wrote:

> Two suggestions:
>
> 1. Don't stop/start named. Instead, do rndc freeze, update the zone
> files, rndc thaw, rndc reload. If a zone is bad, I think BIND will
> continue to serve the old zone. Also there is no break in service since
> BIND is never stopped.
>
> or more complicated:
>
> 2. Have your provisioning system update a hidden master DNS server, and
> have the DNS server that others see be a slave. Only valid zones will
> transfer to the slave.

Run named-checkzone on the master file before installing it.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Fair Isle: North 6 to gale 8, backing northwest 5. Rough or very rough, becoming moderate or rough. Wintry showers. Moderate or good.
Re: Possible spnego licensing problem
Mukund Sivaraman m...@isc.org wrote:

> That doesn't exactly mean general public, so does anyone else know where
> a license grant to implementors is documented?

Section 4 of http://trustee.ietf.org/license-info/IETF-TLP-3.htm

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Cromarty, Forth: Northwest 5 to 7 becoming variable 4. Moderate or rough. Wintry showers. Good.
Re: Configuration
wu shuangrong wushuangr...@yahoo.com wrote:

> I'd like to configure BIND in such way that when it failed to get result
> for the first time, it'll query for the second time.

Try adjusting resolver-query-timeout.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
East Sole, Lundy, Fastnet: Mainly northerly or northeasterly 4 or 5. Moderate or rough. Showers. Good.
Re: Allowing recursive queries of 'static-stub' zones
Enrico Scholz enrico.sch...@sigma-chemnitz.de wrote:

> Unfortunately, our ISP (Deutsche Telekom) does not allow AXFR of the /24
> zone. I solved it now by declaring an external (non-recursive) and
> internal (recursive) view, where the external one is a master for
> 2.1.10.in-addr.arpa covering only our 31-24 range. This will break when
> zone is DNSSEC signed, but when this happens, AXFR can be simulated and I
> can ship the whole zone.

If you are contemplating hacks like that, there is no need to wait for
DNSSEC because it is trivial to enumerate reverse IPv4 zones :-)

    dig +noall +answer 2.1.10.in-addr.arpa in any
    i=0; while [ $i -lt 256 ]; do
        dig +noall +answer $i.2.1.10.in-addr.arpa in any
        i=$((i+1))
    done

You will need something a bit more complicated than that if the
delegations in the zone need glue. (But that is rare for reverse zones.)

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Northwest Rockall: Northerly 5 to 7, occasionally gale 8 at first, becoming variable 4 later. Rough or very rough. Wintry showers. Good.
Re: BIND w/ Lync?
Stuart Henderson s...@spacehopper.org wrote:

> On 2015/02/02 21:51, Ray Van Dolson wrote:
> > Unfortunately, the only solution I'm really seeing right now is an ugly
> > one -- setting up a new view for this set of clients and then creating
> > 25+ zones -- one zone per record I want to override (so that the primary
> > domain -- esri.com, still gets handled correctly).
>
> Wouldn't it be simpler to use two versions of esri.com, one for standard
> clients and one for special ones? Common records can be kept in an
> $INCLUDEd file.

Another option (if your zone is dynamic) is to use nsdiff, which generates
an nsupdate script based on the differences between zones. You can use it
to automatically copy changes from the main version of your zone to the
special VPN version. The tricky bit is writing a regular expression to
tell nsdiff to ignore changes to the Lync records. Something like:

    dig -k standard-view-key +noadditional esri.com axfr >db.esri
    nsdiff -k vpn-view-key -i '^(_sip|lync)' esri.com db.esri | nsupdate

That regex is very sketchy so you will need to turn it into something
more precise.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Biscay, East Fitzroy: Northerly 4 or 5, veering northeasterly 5 to 7. Moderate or rough. Rain or showers. Moderate or good.
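Both nsdiff uses in this digest (the DS-preserving bump-in-the-wire sync in the "injecting records into transfered zone" reply and the view-to-view copy here) rest on the same mechanism: diff two copies of a zone, skip records matching an ignore pattern, and emit nsupdate commands. The following is an added example of that mechanism in POSIX sh; it is not nsdiff and not part of any message. It assumes one-record-per-line input in dig-axfr style, and the example.com records, RFC 5737 addresses and DS digest are constructed.

```shell
# Added example, not Tony's nsdiff: a minimal shell sketch of the same idea.
# Inputs are one-record-per-line files in "dig axfr" style (name ttl IN
# type rdata); output is an nsupdate script on stdout, to be piped into
# "nsupdate -k <key>" as in the thread. The default ignore pattern is an
# ERE form of Tony's DS regex, so DS records injected on the signer survive.
DS_IGNORE='^[^[:space:]]+[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+DS[[:space:]]'

# zone_records FILE IGNORE_ERE: sorted record set of FILE without comments,
# blank lines, the SOA (nsupdate maintains the serial) and ignored records
zone_records() {
    grep -Ev '^[[:space:]]*(;|$)' "$1" | awk '$4 != "SOA"' \
        | grep -Ev "$2" | LC_ALL=C sort
}

# zone_update_script ZONE LIVE MASTER [IGNORE_ERE]
# LIVE is what the signer serves now, MASTER is the hidden master's copy;
# emits the deletes and adds that turn LIVE into MASTER
zone_update_script() {
    tmp=$(mktemp -d) || return 1
    zone_records "$2" "${4:-$DS_IGNORE}" > "$tmp/live"
    zone_records "$3" "${4:-$DS_IGNORE}" > "$tmp/master"
    echo "zone $1"
    LC_ALL=C comm -23 "$tmp/live" "$tmp/master" | sed 's/^/update delete /'
    LC_ALL=C comm -13 "$tmp/live" "$tmp/master" | sed 's/^/update add /'
    echo "send"
    rm -rf "$tmp"
}

# demo_zone_update: constructed sample zones (example.com, made-up DS
# digest); the DS record lives only on the signer, never on the master
demo_zone_update() {
    d=$(mktemp -d) || return 1
    cat > "$d/live" <<'EOF'
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2015020101 3600 900 1209600 300
example.com. 3600 IN NS ns1.example.com.
www.example.com. 300 IN A 192.0.2.10
child.example.com. 3600 IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
EOF
    cat > "$d/master" <<'EOF'
; hidden master copy: www moved, mail added, no DS record at all
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2015020105 3600 900 1209600 300
example.com. 3600 IN NS ns1.example.com.
www.example.com. 300 IN A 192.0.2.11
mail.example.com. 300 IN A 192.0.2.25
EOF
    zone_update_script example.com "$d/live" "$d/master"
    rm -rf "$d"
}
```

Running demo_zone_update prints a script that deletes the old www record and adds mail and the new www, while the DS record is untouched because the ignore pattern removed it from both sides of the comparison.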