usted to suppress cryptographic
> material from other records such as TLSA, SSHFP, CDNSKEY, CDS, etc, and
> the man page updated to reflect this?
>
> Regards,
> Anand Buddhdev
> --
>
> Just my opinion, but I would like it to apply to all crypto fields.
And that's a
forwarders, and they are queried in turn until the list is
exhausted
or an answer is found." So the first one will get all the traffic, the
second is just a backup to be used if the first fails.
If you expect that to do load balancing, it will not. Try a real load
balancer, or 'dnsd
and DNS Authoritative servers?
(Granted, the actual answer size to the client could be large enough to
cause fall-back to TCP, but that is not because of DNSSEC.)
--
Bob Harold
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development
Before answering this question, can you tell me the proper place where I
should be asking this question?
"We are researching DDoS protection, including DNS. What companies or
products or methods should I be looking at?"
--
Bob Harold
RPZ should be able to do that. Read up on RPZ in the BIND manual, and
search online for more info.
--
Bob Harold
On Fri, Aug 19, 2022 at 2:56 AM Matthias Fechner wrote:
> Dear all,
>
> I'm not sure if bind can do this, but let me explain what I would like
> to do.
>
> It
that
will cause an increase in DNS traffic, and I don't know how much of an
increase, but the 24-48 hour TTL of the DS record is the real down-side of
DNSSEC, and why it is taking me so long to try to develop a bullet-proof
process before signing my zones.
--
Bob Harold
University of Michigan
On Tue, Aug
er attacks since the recent war started, and our country
>> voted support for the
>> defending party.
>>
>> Frankly, I am not in deep with Microsoft DNS, and I guess there can be
>> some tweaking with
>> the PowerShell, and maybe even some undocumented features
On Wed, May 11, 2022 at 4:34 PM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:
> On 5/11/22 2:19 PM, Bob Harold wrote:
> > Not sure who set it up, but my DHCP servers have for some zones:
> >
> > zone x.y.z.in-addr.arpa
> > {
> > p
PZ overriding the
> MNAME with the local server's IP address.
>
> }:-)
>
>
>
> --
> Grant. . . .
> unix || die
>
>
Not sure who set it up, but my DHCP servers have for some zones:
zone x.y.z.in-addr.arpa
{
primary 10.2.3.4;
}
Which I believe overrides the MNAME lookup.
--
Bob Haro
On Wed, Apr 13, 2022 at 9:39 AM Bjørn Mork wrote:
> Timothe Litt writes:
>
> > Anyhow, it's not clear exactly what problem you're asking LOC (or
> > anything) to solve.
>
> Which problems do LOC solve?
>
> I remember adding LOC records for fun?() in the previous millennium when
> RFC 1876 was
les. If there are any other secondary servers (and you
almost always want more than just the master), then change those to pull
from the new server, and make sure that is working, before starting the
steps you listed.
--
Bob Harold
On Thu, Apr 15, 2021 at 12:44 PM Tony Finch wrote:
> Matthijs Mekking wrote:
> > On 15-04-2021 16:35, Bob Harold wrote:
> > >
> > > If BIND holds both the child and parent zone, will it add the DS record
> > > at the correct time? Or do I still need to
On Thu, Apr 15, 2021 at 8:50 AM Bob Harold wrote:
>
> On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking wrote:
>
>>
>>
>> On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
>> > On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
>> >>
On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking wrote:
>
>
> On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
> > On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
> >> Does anyone have an automated KSK roll process, that checks for the DS
> >> re
if some other process does not update the DS
record at the right time. That's too big a risk for me, the process needs
to check the DS record before completing the KSK roll. Surely someone has
done this. I would rather not reinvent the wheel. But I have searched and
not found anything yet.
--
Bob
Pv4 only"
Perhaps you want "-6" to use IPv6 only ?
--
Bob Harold
>
> Normally you can do this via the file /etc/default/named (In the options
> variable). Unfortunately, this file is ignored. I also tried it with the
> "Environment" parameter in docker-comp
e
"DNS servers" seen in windows client settings, will only be used by the
client if the first server does not respond. For that, you can use a
public resolver like Google 8.8.8.8 as the second choice for your users.
--
Bob Harold
That is certainly not obvious. How do I request improving the manual?
"in turn" would seem to imply "in order", and the order would logically be
the order I listed them.
--
Bob Harold
DNS and DHCP Hostmaster - UMNet
Information and Technology Services (ITS)
rharo...@umic
based algorithm"
So which is correct?
And did it change at some point?
--
Bob Harold
DNS and DHCP Hostmaster - UMNet
Information and Technology Services (ITS)
rharo...@umich.edu 734-512-7038
I am told from my Splunk experts that the vendor supplied Splunk app for
isc-bind matches the BIND 9.8 version used in RHEL6, but not the BIND 9.11
version used in RHEL7. I have a mix now. Does anyone have a REGEX for
9.11, or better yet, a regex that matches both formats?
--
Bob Harold
tub;
> server-names {
>"10.n.n.n";
>"10.n.n.m";
> };
>};
> };
>
> This ALWAYS gives a SERVFAIL though regardless of whether the 10.n.n.n
> addresses are reachable or not...
>
"server-names" must be given a lis
On Wed, May 13, 2020 at 3:49 PM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:
> On 5/13/20 6:29 AM, Bob Harold wrote:
> > Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG,
> > not regular TSIG. Not sure how or if that can be solved.
>
key - Windows uses GSS-TSIG, not
regular TSIG. Not sure how or if that can be solved.
--
Bob Harold
> On Tue, 12 May 2020 at 13:40, Bob Harold wrote:
>
>>
>> On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
>> bind-users@lists.isc.org> wrote:
>>
>
tance being internal private accessible.
>
> I don't see another way to delegate the same zone to different (sets of)
> name servers without using anycast. Hence my email to the list asking
> if anyone had any suggestions.
>
>
>
> --
> Grant. . . .
> unix || die
>
On Fri, Apr 17, 2020 at 12:45 PM Tim Daneliuk wrote:
> On 4/17/20 10:17 AM, julien soula wrote:
> > On Fri, Apr 17, 2020 at 09:56:21AM -0500, Tim Daneliuk wrote:
> >> On 4/17/20 9:50 AM, Bob Harold wrote:
> >>>
> >>> Agree, that's odd, a
On Fri, Apr 17, 2020 at 11:03 AM Konstantin Stefanov
wrote:
> On 17.04.2020 17:56, Tim Daneliuk wrote:
> > On 4/17/20 9:50 AM, Bob Harold wrote:
> >>
> >> Agree, that's odd, and not what the man page says. Any chance that
> there is some other DNS helper running
On Fri, Apr 17, 2020 at 10:34 AM Tim Daneliuk wrote:
> On 4/17/20 7:26 AM, Bob Harold wrote:
> >
> > On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk <tun...@tundraware.com> wrote:
> >
> > We have split horizon setup and enable our internal an
aware.com/PGP/
Is 127.0.0.1 in the 'trustedhosts' list?
Are you telling 'dig' what server to use - dig @127.0.0.1
What servers are listed in /etc/resolv.conf? Do they resolve the reverse
zones?
Are local queries hitting the right 'view' (if you have multiple views) ?
--
Bob Harold
I would suggest:
tsig-keygen your-key-name
It does not need any options, the defaults are fine.
--
Bob Harold
On Fri, Apr 10, 2020 at 7:52 PM moo can via bind-users <
bind-users@lists.isc.org> wrote:
> Hello,
>
> For educational purpose I need to setup an DDN
ut I don't see where that
handles updates.
--
Bob Harold
On Wed, Apr 1, 2020 at 9:39 AM Ondřej Surý wrote:
> I would recommend dnspython as a start. The API is very non-Python,
> but once you get hang of it, it’s not that bad.
>
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
ique names just to be sure which queries you
are looking at.
That's the best that I can suggest.
--
Bob Harold
On Mon, Mar 30, 2020 at 1:07 PM Marc Chamberlin via bind-users <
bind-users@lists.isc.org> wrote:
> Hello - I am running the Bind server
>
> > named -v
> BIND 9.11.
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
>
ary.
--
Bob Harold
On Thu, Feb 27, 2020 at 3:23 PM Alistair Bayley <
alistair.bay...@kordia.co.nz> wrote:
> Hello,
>
> I didn't get any response to this. Is there some documentation that I
> haven't yet found that explains what these measurements mean? Has anyone
> else expe
>
>
Scott,
To directly give an opinion on your last question - client applications
can often be slow to recover from failed connections, so updating the A
records in the zone is a good idea - best to use nsupdate, do not edit zone
file and reload. DNS Recursive resolvers should failover in secon
. A 141.211.7.25
itd.umich.edu. A 141.211.7.25
*.itd.umich.edu. A 141.211.7.25
dns1.itd.umich.edu. A 192.12.80.214
--
Bob Harold
On Tue, Feb 11, 2020 at 11:16 AM Petr Bena wrote:
> Oh, that explains it, I did
This zone is same in all views:
zone example.com
host1.example.com IN A 10.0.0.4
host2.example.com IN A 10.1.1.7
router.example.com CNAME router.splitview.example.com
Then in one view:
zone splitview.example.com
router.splitview.example.com IN A 10.0.0.1
And the other view:
zone splitview.example.com
router.spli
>
> > Looks like the file lan.master.nixcraft.com has no data.
> >
> >>
> >> Dec 05 17:51:54 sataradnsVM1 named[4038]: zone
> >> internal.nixcraft.com\032/IN/internal:
> has 0 SOA records
> >> Dec 05 17:51:54 sataradnsVM1 named[4038]: zone
> >
" records. Or both CNAME. But one RPZ entry cannot
point to another.
Use scripts to automate the process, if you don't want to enter 10.10.10.10
twice.
p.s. The decision not to re-lookup the results of RPZ lookups is probably
for speed and to avoid loops. Trying to patch around that is not
arate.
Do you want cname.domain.com to point to 10.10.10.10? Then use an A record
to 10.10.10.10.
Do you want cname.domain.com to point to some real domain name (probably a
name you control, like a walled garden, or error page)? Then CNAME to that
real name.
--
Bob Harold
>
> In this
t.net.
> YegwZlzjBoJ+b9nWTHwRZQbce619UcOVdo6FUPG056Sod4MEchv/GCHu
> 7BpREAUm0CBoE4qbipTiS47wIk7QJYzz10B78wRgMGNwMTUXQ571YRyq
> P0I3I0Dzag28j607walJOZms3lAXDzSnyvv9wocaH2MJ7Z3j68Qf5pKh YpM=
> > ;; Received 227 bytes from 69.252.250.103#53(dns101.comcast.net) in 14
> > ms
> >
> >
uded in that
scope, unless overridden."
Why have exceptions to this? This seems like expected behavior, and will
allow for simpler configurations in some cases.
No one is forced to use this, it is optional, but often convenient.
--
Bob Harold
. .
> unix || die
>
I use:
named-checkconf -p > named.conf.out
which I think is close enough, except for the comments.
You just need to know that view-level settings are at the end of the view,
not where you might expect.
It makes for a lot of text to read through, but it is a 'stand
hould be possible to override any setting
at a lower level, for the exceptions. It would be even better if I could
'group' zones and set configurations on the group. Repeating the same
configuration thousands of times seems like a waste. I would even set
"masters" and 'type
can be split off into its own
2.10.in-addr.arpa.
And if a /24 gets really busy, you can split it out 5.1.10.in-addr.arpa
There is no need to create all 256 /16's or all the /24's, just create them
as needed.
If having different sizes is too confusing, I suggest all /16's.
--
Bob Harold
depending on the situation.
>
> A "week" is a minimum of 10 days, because 5 work days plus two weekends
> in 9 days.
>
I also assume that either the Friday before their vacation week, or the
Monday after, might be a holiday, so I use 11 days. :)
--
Bob Harold
> these forward only servers ?
>
> Any thoughts on this ?
>
> Thank you
>
The RPZ function only runs on the Recursive DNS servers.
The RPZ zone could be mastered on an Authoritative server, but it should
not be visible to the public.
" forwarder statement is, but your F5's
are acting as Authoritative DNS servers. Forwarding only applies to DNS
Resolvers, and is only used if you don't want the resolver to follow the NS
records (like when firewalls are in the way).
--
Bob Harold
to want
it. Otherwise, newname.newzone.domain.com will be a faster and more
reliable choice.
Definitely avoid forwarding when possible. It causes slower lookups and
more points of failure. (There will occasionally be times when it has some
advantage, or requirement.)
--
Bob Harold
>
>
oading configuration from
'/etc/named.conf'
And ends with:
18-Oct-2018 12:55:30.358 general: notice: all zones loaded
--
Bob Harold
>
> Below is the event timeline, I hope it is clear enough for everyone:
> 1. Oct 16 17:24:18 SLAVE1 named[29671]: [ID 873579 daemon.info] transfer
> of
G
> 'ns1ns3_key'
>
Notice the "view external" in the line above, compared to ns5, which got
the notify on the internal view. That appears to be the issue.
Try adding the IP of NS1 to the "match" list for the internal view on NS3.
--
Bob Harold
> *NS5:*
> 17-Oct
n 3, so the notify packet hits the wrong
view. Check the notify messages in the logs on 3, compared to 5. Here is
a typical notify log message:
30-Sep-2018 23:12:37.135 general: info: zone psych.lsa.umich.edu/IN/oncampus:
notify from 141.211.147.150#38695: zone is up to da
ng.com <http://sb1.principal.hosting.com>* y el
> *sb2.principal.hosting.com
><http://sb2.principal.hosting.com>*
>
> Having said that, in my vps I have defined the following:
>
>
>
>
>
>
> *; BIND reverse data file for empty rfc1918 zone ; ; DO NOT EDIT
skyblock.mc-game.us. IN SRV
;; ANSWER SECTION:
_minecraft._tcp.skyblock.mc-game.us. 299 IN SRV 0 5 25567
skyblock.mc-game.us.
;; Query time: 56 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 17 13:38:35 EDT 2018
;; MSG SIZE rcvd: 103
--
Bob Harold
I don't know what else to check. If possible, I would avoid forwarding by
putting both functions on the same server. You could turn on BIND
debugging - Cricket's "DNS and BIND" book has a chapter on debugging - but
that could be a lot of work.
--
Bob Harold
On Mon, Aug 13, 2018 a
--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk
On Sun, Aug 12, 2018 at 2:38 AM Blason R wrote:
> Hi Bob,
>
> I guess my scenario is not exactly understood I believe. Before that if I
> have set forwarder in G
diate server to get it to forward. If it is
running Microsoft DNS, then I don't know enough to help you with that.
I would suggest that you have the RPZ server be a 'slave' for the 'test.com'
zone (and all the zones that the AUTH server has). Then point users
directly at the RPZ server.
--
name is looked up normally first, and only if there is an
answer, is RPZ invoked. If it gets NXDOMAIN or some error, it returns that
and does not use RPZ.
If that is not what you want, then you probably want to set the option:
qname-wait-recurse no;
--
Bob Harold
>
> On Thu, Aug 9
h the parent zone, whether I
like that ttl or not.
In your case, removing the NS records from both your zone and the parent
zone, two days (or whatever the ttl) before you turn off the server, should
be fine.
--
Bob Harold
ce would be greatly appreciated.
>
>
> Regards,
> Hotta
>
Just guessing, but it sounds like " [global IPv6 address]" is either
malformed, or it is expecting an IPv4 address.
--
Bob Harold
On Fri, Jun 1, 2018 at 2:01 PM Blason R wrote:
> Yes that was the issue :) and got resolved.
>
Glad it was an easy fix.
--
Bob Harold
> On Fri, Jun 1, 2018 at 11:29 PM, Blason R wrote:
>
>> I guess this could be the issue
>>
>> zone "malware.trap" {
what could be wrong??
>
Not sure what is a normal configuration, but on my servers users cannot
query the RPZ domain, it is only used for RPZ.
Try putting the A record in a normal zone, and CNAME to that, rather than
having the A record in the RPZ zone.
Or try doing a direct query for the A record a
;rpz" {
"rpz_file";
};
};
You might want fewer versions and/or a smaller size - my values allow rpz
logs to fill 1gb of disk.
--
Bob Harold
2972 IN NS l.root-servers.net.
>
> ;; Query time: 128 msec
>
>
> Any clue why this is happening?
>
Check the logs for an error message saying that the zone failed to load,
and which line # had the error.
Also try this:
cat /tmp/sinkhole.zones | awk '{print $2}' | sed -e 's/\"//g' | egrep -v '^[-0-9a-zA-Z.]*$'
There might be names that don't fit that pattern that are still ok, but it
is a start.
If not, then edit the zone and delete the last half of the lines, reload,
if it fails delete half of the remaining names, etc, until you find it by
binary search.
--
Bob Harold
" option, it would tell you the name of the config file.
If not, like this example, the default is "/etc/named.conf".
Note the "-t" option, which says we are doing chroot to
/replicated/jail/named
So my config file is at:
/replicated/jail/named/etc/named.conf
--
Bob Harold
vers out on the Internet to make effective
> use of my secondaries.
>
> Tony.
> --
Likewise. My resolvers are stealth slaves for all my zones. Mainly
because they get updates faster - users do not have to wait for the old
data to expire its ttl before the resol
ly two issues: 1) Does the capability
> to override published values and 2) should I use said capability. They
> really are two different questions. I personally would like to see BIND
> have the option to do #1, even if I never use it.
>
>
+1
>
> --
> Grant. . . .
> unix ||
<d...@dotat.at> http://dotat.at/ - I xn--zr8h
> punycode
> Irish Sea: Southeast 5 to 7, becoming cyclonic 4 or 5 later. Moderate or
> rough, becoming slight or moderate. Occasional rain. Good, occasionally
> poor.
>
Tony,
That's a
On Wed, Jan 3, 2018 at 5:58 PM, Mik J <mikyde...@yahoo.fr> wrote:
> Thank you Bob for your answer.
> I continued to search and saw rfc1912 page 4
> It's much higher than I first thought
>
>
>
> Le mercredi 3 janvier 2018 à 20:05:57 UTC+1, Bob Harold <
d that zone transfers are failing.
The refresh and retry are ok, but personally I would set them lower because
they don't generate a lot of traffic, and a notify could get lost. It
depends on how sensitive you are to extra traffic.
Negative TTL depends partly on how fast you want new (
ssing here, but I see a TXT record beside each A record, and am
told that Windows clients check the TXT record to see if they "own" the A
record. The TXT record is hex encoded data, maybe the client identifier.
So if you created a TXT record for each A record, like:
server
> recursion yes;
> allow-query { ip addresses; };
>
----- You might also need to add:
allow-recursion { ip addresses; };
--
Bob Harold
> listen-on-v6 { any; };
> dnssec-enable no;
> dnssec-validation no;
> d
.168.200.102#51726: view auth: query:
> graph.instagram.com IN A + (192.168.200.1)
>
> I could count the queries by parsing the logs though this seems to be
> somehow inefficient.
> Is there any way that bind9 could be queries otherwise to provide such
> info?
>
>
Read up on t
On Thu, Jul 13, 2017 at 8:39 PM, <b...@zq3q.org> wrote:
> Hi Bob:
>
> These examples help! Thank you.
>
> On Thu 7/13/17 15:53 -0400 Bob Harold wrote:
> > Let's illustrate one NS record, for each of the cases:
> > (I think your case is #2)
> >
> >
com IN A x.x.x.x
otherdomain.com zone:
otherdomain.com IN NS ns.example.com
ns.otherdomain.com IN A x.x.x.x
TLD com zone:
example.com IN NS ns.otherdomain.com
ns.example.com IN A x.x.x.x (glue record?)
ns.otherdomain.com IN A x.x.x.x (glue record?)
--
Bob Harold
feedback if this runs
> smoothly and any other hints?
>
> Cheers,
> Matthias
>
We use RPZ in two views. In one view the RPZ zones are active (policy
given), and in the other view they are logging-only (policy disabled).
Departments opt-in to RPZ and we add their s
>
> Regards
> Marc
>
I tend to distrust "CPU(30%)" if it is averaged over more than one cpu.
Could you run "top" and hit the number "1" so that it shows each cpu
separately? With 8 cpu's, "30%" could be one cpu at 100% and others lower,
where the
ame block list source).
The actual DNS name is the combination of the ORIGIN and the entry:
bad.domain.com.rpz.example.com.
which exceeds 255 characters including the trailing dot, most likely.
--
Bob Harold
for resolution?
>>>
>>
> On Wed, May 10, 2017 at 5:56 AM, Tony Finch <d...@dotat.at> wrote:
>>
>>> Mine don't :-)
>>>
>>
> On 18.05.17 16:38, Bob Harold wrote:
>
>> My authoritative servers are non-recursive. They use the same DNS
>
>
> Mine don't :-)
>
> Tony.
>
>
My authoritative servers are non-recursive. They use the same DNS
resolvers that any other server uses, and not themselves.
--
Bob Harold
o the records if listed in full would be something like:
hr16038.somedomain.tld. IN A 10.57.48.209
hr16038.somedomain.tld. IN TXT "00f8e5793e94da14990f27763448c54a00"
nsupdate is probably the best tool for removing the old records.
--
Bob Harold
entries for the IPv6
> hosts that actually need them for some reason, or to use dynamic DNS to
> add/replace/delete them as addresses are used/discarded by dynamic clients.
>
Note that there is future work being done to solve the 'too many entries'
issue with
is.net.
> 81 3600 IN PTR alpha.archaxis.net.
> 82 3600 IN PTR bravo.archaxis.net.
> 87 3600 IN PTR broadcast.archaxis.net.
>
> What is wrong? Is this my problem, or with AT?
>
--
Bob Harold
/welissontome/
>
>
>
https://www.dns-oarc.net/tools/dsc
--
Bob Harold
$1 }'
>
> --
> Mark Andrews, ISC
>
> I think this is a very interesting solution because:
- named-checkconf and dig format in a standard way, so it is easy to parse
- since DNS holds the data in ram, this avoids reading the files from disk,
so it could be much faster (unless the
e 'refresh' timer (15 minutes) to
pull updates.
I also ignore these errors for those servers:
failed to connect: timed out
failed while receiving responses: REFUSED
I list more than one, for redundancy, and ignore serial number mismatches.
Since it is constantly increasing, updates missed on one transfer should be
in the next transfer.
That 'works'. Whether that means "works fine" or "users have gotten used
to it" is hard to say.
--
Bob Harold
hanks
> Blr
>
Looks to me like "othername1.example.com" is not in the zone "
zone1.example.com" and is not below that zone, so it is not proper glue,
and should not be in that zone at all. The name server should ignore it.
It is in zone "example.com <http://otherna
r the zone or not.
>>
>> Regards,
>> Anand
>>
>
>
I don't have a solution, but some debugging options:
I would suggest running packet traces with the same steps, with and without
the firewall, and compare the traces.
Also, if possible, turn on logging in the fir
ound >2Gig per day and
> resolver here. That's to much work...
>
> Is there another way to get this measure?
>
> --
> Regards
>
> Thomas
>
>
I suspect that "DSC" collects the data you want, but you might need to
configure a graph to show it.
https://www.dns
ch the original query was received, enabling authoritative servers
> to give different answers to the same resolver for different resolver
> clients.
> An ACL containing an element of the form ecs prefix will match
> if a request arrives in containing an ECS option encoding an address
> within that prefix.
> If the request has no ECS option, then "ecs" elements are simply ignored.
> Addresses in ACLs that are not prefixed with "ecs" are matched only
> against the source address.
>
> Above section was from ARM page 176, when i careful check my config file
> I don't know where i was wrong
>
>
>
>
>
> Client subnet information will store in which log
>
>
> --
> This message may contain ITRI confidential information. If you are not the intended recipient, please do not use or disclose its contents, and please destroy this message. This email may contain
> confidential information. Please do not use or disclose it in any way and
> delete it if you are not the intended recipient.
>
>
The first three dig commands look correct.
1. No ecs, so it does not match.
2. No ecs, matches "no-ecs-area01"
3. ecs matches
4. and 5. use "@dns2.example.com." instead of "@dns2.sub.example.com." - is
that a different server?
--
Bob Harold
main.idv.; };
> }; // End View
>
> view "deafult" { // Default
> match-clients { any; };
> zone "sub.mydomain.idv" in {
> type slave;
> allow-query { any; };
> file "sub/default.mydo
9.9
> subscription branch is OK.
>
>
Is RPZ in BIND 9.8 ok to use? (Using RedHat 9.8.2 plus they backport
security patches.)
--
Bob Harold
ts HMAC-MD5 and lots of HMAC-SHA* versions.
See "dnssec-keygen" in the appendix.
--
Bob Harold
o reset
them at the end of the file since they cease to exist at that point. They
apply "from this line down until changed" and are merely a convenience to
shorten the size of the file.
--
Bob Harold
subject slightly, because I had to cut out a lot of the
>>> forwarded message - the list server was complaining about the size of the
>>> messages.
>>>
>>> I just found that my setup was not working completely as I expected.
>>> The view with only a few z
automatically got
the "empty zones" created, so any queries in those zones did not get
forwarded. I am fixing it by adding to that view the line:
empty-zones-enable no;
--
Bob Harold
On Thu, Sep 8, 2016 at 9:41 AM, Bob Harold <rharo...@umich.edu> wrote:
>
> On Thu,
match is not "any', then you would want to include the
external key and 127.0.0.1.
> On Wed, Sep 7, 2016 at 10:48 AM, Bob Harold <rharo...@umich.edu> wrote:
>
>>
>> On Wed, Sep 7, 2016 at 11:37 AM, project722 <project...@gmail.com> wrote:
>>
>>>
On Wed, Sep 7, 2016 at 12:34 PM, /dev/rob0 <r...@gmx.co.uk> wrote:
> On Wed, Sep 07, 2016 at 11:48:54AM -0400, Bob Harold wrote:
> > On Wed, Sep 7, 2016 at 11:37 AM, project722 <project...@gmail.com>
> wrote:
> >
> > > Thanks Bob, I will look into this. Do y
On Wed, Sep 7, 2016 at 11:37 AM, project722 <project...@gmail.com> wrote:
> Thanks Bob, I will look into this. Do you know if the forwarders feature
> is supported in Bind 9.8.2?
>
>
Yes, forwarders is an old and stable feature.
("in-view" is new and experimental)
--
;
>
> view external {
>
> match clients - external {
>
> zone example.org {
> };
>
> zone example.com {
> };
>
> };
>
>
>
> On Tue, Aug 30, 2016 at 2:53 PM, Bob Harold <rharo...@umich.edu> wrote:
>
>>
>> On Thu, Aug 25, 2016
r IP. But since you have 5 IP's, you can have one
PTR record on each, just be sure there is a matching forward "A" record.
Your list of 5 names looks good, but only if each service uses the
corresponding IP for its outgoing connections, which could be difficult or
not the most efficient. (W
1 - 100 of 133 matches