On Wed, Jan 11, 2012 at 1:27 PM, babu dheen babudh...@yahoo.co.in wrote:
Dear Fajar,
Below logs taken from Internal DNS server running in Microsoft DNS.
Then why did you ask this list instead of contacting MS support?
I checked with client AV status, everything is fine( system is up to
On 10.01.12 18:13, Tony Finch wrote:
In the reverse direction I have 1.0.0.172.in-addr.arpa and
1.0.0.ip6.arpa zones with the predictable contents:
@ SOA localhost. root.localhost. 1 1h 1000 1w 1h
NS localhost.
PTR localhost.
I prefer defining 127.in-addr.arpa and inside:
On 10.01.12 15:06, Dan Letkeman wrote:
It seems as if these types of records get transferred:
9 PTR gvc-busdrivers.wks-gvc.domain.com.
But these do not:
24.184.16.172.in-addr.arpa. IN PTR str-r7500.gvc.domain.com.
If I delete the journal file on the on
$ORIGIN 184.16.172.in-addr.arpa.
$TTL 14400; 4 hours
105 PTR GVC-E237-A01.wks-gvc.domain.com.
88 PTR GVC-LIB-C07.wks-gvc.domain.com.
9 PTR gvc-busdrivers.wks-gvc.domain.com.
90 PTR
On 11/01/2012 11:13, Gaurav kansal wrote:
Hi Gaurav,
Now, I understand why I was not getting my “AD” flag set in query response.
I tried from google dns (8.8.8.8) also but didn’t get “AD” bit set. This may
be because 8.8.8.8 might not be configured for DLV validation.
Is there any open
I tried from google dns (8.8.8.8) also but didn't get AD bit set. This may
be because 8.8.8.8 might not be configured for DLV validation.
Google's DNS servers don't do proper DNSSEC validation.
Is there any open dns available from which I can check my domain for AD
flag set?
DNS OARC runs a pair of validating servers, open to the public.
It appears their BIND server has DLV anchor configured, but their
Unbound instance doesn't.
-JP
Ya.
It also appears the same to me.
-Original Message-
From: Jan-Piet Mens [mailto:jpm...@gmail.com] On Behalf Of Jan-Piet Mens
Sent: Wednesday, January 11, 2012 5:00 PM
To: bind-users@lists.isc.org
Cc: Gaurav kansal
Subject: Re: DNSSEC authentication and ad parameter
DNS OARC runs
Thanks Anand.
I have one more question.
Is there any option in bind which facilitates me to answer my clients for
that zone only which has DNSSEC enable??? For all other queries, it should
not answer.
Thanks Fajr.
I will handle it further.
Regards
Babu
--- On Wed, 11/1/12, Fajar A. Nugraha w...@fajar.net wrote:
From: Fajar A. Nugraha w...@fajar.net
Subject: Re: huge count of DNS deny hits
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Wednesday, 11 January, 2012,
On Jan 10 2012, Tony Finch wrote:
Irwin Tillman ir...@princeton.edu wrote:
What's the recommended approach?
My empty zone is:
@ SOA localhost. root.localhost. 1 1h 1000 1w 1h
NS localhost.
I also have a localhost. zone (RFC 2606) which is:
@ SOA localhost. root.localhost. 1 1h
Matus UHLAR - fantomas uh...@fantomas.sk wrote:
I prefer defining 127.in-addr.arpa and inside:
1.0.0 PTR localhost.
I used to do that, but I need fewer zone files if I use the same reverse
zone for v6 and v4 :-) I have fairly extensive setup for bogons, and I
have set up empty zones to cover
OK, in an attempt to start using DNSSEC over here, I suppose I bit myself
in the backside, and even spending some time using googlefu I still haven't
quite figured this all out.
I am currently running the current BIND 9.8.1, and setup to support DNSSEC.
After reading around a bit, I saw that
You want BIND 9.9 (currently 9.9.0rc1) with inline signing. This will do
exactly what you want, I think.
--Michael
On Jan 11, 2012, at 9:31 AM, Howard Leadmon wrote:
OK, in an attempt to start using DNSSEC over here, I suppose I bit myself
in the backside, and even spending some time
On 11/01/12 15:31, Howard Leadmon wrote:
Then I go to make a change to my DNS file, whoa was I in for a shock, as
apparently BIND took my nice text file for DNS I have edited for ages, and
As you found out, you cannot do that. auto-dnssec maintain requires
that updates to the zone be via
ISC is also, by pure luck, offering a web seminar on inline signing in BIND 9.9
today. While the first one starts in 15 minutes as I write this message, there
are a total of three sessions today.
Head on over to http://www.isc.org/webinar to find out the times and
information on how to join.
Howard Leadmon how...@leadmon.net wrote:
So I guess my million dollar question is, I want to use DNSSEC (it's
actually working now), but I want to be able to edit my zone files the way I
always have for many years, and just have BIND sign the zones with the keys
and update as needed to keep
Thanks, I will head on over and take a look, sounds like something I should
be interested in. Now if FreeBSD would just add 9.9 to the ports
collection, it would save me from having to build it by hand..
---
Howard Leadmon
-Original Message-
From: Michael Graff
On 01/11/2012 10:47 AM, Phil Mayers wrote:
On 11/01/12 15:31, Howard Leadmon wrote:
Then I go to make a change to my DNS file, whoa was I in for a
shock, as
apparently BIND took my nice text file for DNS I have edited for ages,
and
As you
I took the ISC 2 day Intro to DNS and BIND class. The instructor made a
good point that building from source frees you from the dependence on the
distro's package maintainer. As part of the class, we had to compile bind
from scratch. It was very straightforward ./configure, make, make
On 11/01/12 17:04, Ryan Novosielski wrote:
Not that this is honestly so hard, however. I have played with it at
home some and the ns-update command means that you can still at least do
this manually fairly easily from the command line. Is my read on that
correct?
Performing a dynamic DNS
On 1/11/2012 8:50 AM, Howard Leadmon wrote:
Now if FreeBSD would just add 9.9 to the ports collection
I generally don't add new versions until they are released, but if there
is sufficient interest I can take a look at adding this as a -devel
version sooner rather than later.
Doug
--
Hello Doug,
As always thanks for all the support for things like this on the FreeBSD
side. That said, I'd love to see that happen, even as a -devel type port,
since in general when ISC considers something an RC, it's pretty darn stable
by the point.
At the moment I use the 9.8.1 port,
On 1/11/2012 9:27 AM, Howard Leadmon wrote:
As always thanks for all the support for things like this on the FreeBSD
side.
My pleasure.
That said, I'd love to see that happen, even as a -devel type port,
since in general when ISC considers something an RC, it's pretty darn stable
by the
Phil Mayers p.may...@imperial.ac.uk wrote:
Something like Tony's nsdiff script (see his post) makes it relatively easy,
but it's still another step.
It's more like a replacement step: run nsdiff | nsupdate instead of rndc reload.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Next great thing would be for ISC to support the Soft-HSM that
OpenDNSSEC uses. I believe that this would make the step of moving to a
real hardware HSM a lot easier (if necessary).
softhsm works with BIND 9. It's cumbersome--you need special
configure options and a patched version of
Next great thing would be for ISC to support the Soft-HSM that
OpenDNSSEC uses. I believe that this would make the step of moving to a
real hardware HSM a lot easier (if necessary).
BIND has supported the PKCS#11 interface (./configure --with-pkcs11)
since 9.6 IIRC, so it ought to be possible
Hi
Good news is that you should simplify your bogon list, lots of those
addresses are now actually in use; e.g. I have regular visits on my
pages by 2.x.x.x as they are now mostly handed out (local ISP here) and
in legitimate use.
On 11/01/12 16:05, Tony Finch wrote:
Matus UHLAR - fantomas
Apples and oranges. The things listed below are actual bogons. Compare
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf?rev=1.36
Doug
On 1/11/2012 9:15 AM, Sten Carlsen wrote:
Hi
Good news is that you should simplify your bogon list, lots of those
addresses are now actually
On Wed, 2012-01-11 at 19:26 +0100, Jan-Piet Mens wrote:
Next great thing would be for ISC to support the Soft-HSM that
OpenDNSSEC uses. I believe that this would make the step of moving to a
real hardware HSM a lot easier (if necessary).
BIND has supported the PKCS#11 interface
On 1/11/12 10:57 AM, Doug Barton do...@dougbarton.us wrote:
Apples and oranges. The things listed below are actual bogons. Compare
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf?rev=1.36
When tracking bogons, it's certainly good to stay up to date. Another
related data point:
Now if FreeBSD would just add 9.9 to the ports collection
I generally don't add new versions until they are released,
ISC said today in the inline-signing Webinar, that 9.9 would probably be
released on February 7th. Maybe wait for that?
-JP
Ah, I did not know that. So then my scenario must be somewhat common.
Yes I update this reverse zone dynamically via dhcp, but I also have
some static devices in the same range that I want to manually enter,
hence the manual entry on the master. So what is the best practice
for adding a static
You can freeze thaw or use nsupdate to dynamically add the static entries.
rndc freeze
Edit zone
rndc thaw
You will lose any ddns updates during the freeze.
-Ben Croswell
On Jan 11, 2012 3:52 PM, Dan Letkeman danletke...@gmail.com wrote:
Ah, I did not know that. So then my scenario must be