Are SPF RR types finally dead or not? I’ve read through rfc7208 it appears that
they are:
SPF records MUST be published as a DNS TXT (type 16) Resource Record
(RR) [RFC1035] only. The character content of the record is encoded
as [US-ASCII]. Use of alternative DNS RR types was
...@cisco.com wrote:
-Original Message-
From: Nicholas F Miller nicholas.mil...@colorado.edu
Date: Thursday, June 5, 2014 at 10:25 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: SPF RR type
Are SPF RR types finally dead or not? I’ve read through rfc7208
AM, Mike Hoskins (michoski) wrote:
-Original Message-
From: Nicholas F Miller nicholas.mil...@colorado.edu
Date: Thursday, June 5, 2014 at 10:25 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: SPF RR type
Are SPF RR types finally dead or not? I’ve read through
Not that they are related but we had a crash of bind about seven hours after
installing 9.10:
named[20831]: name.c:534: REQUIRE((((name) != ((void *)0)) && (((const
isc__magic_t *)(name))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 |
('n')))))) failed, back trace
Back to 9.9.5 for now.
check if you have the latest 9.10
version. I wasn't running 9.10-p1.
Sent from my iPhone
On 28/05/2014, at 10:30, Nicholas F Miller nicholas.mil...@colorado.edu
wrote:
Not that they are related but we had a crash of bind about seven hours after
installing 9.10:
named[20831
You might try changing your update-policy from:
grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
grant * zonesub ANY;
to
grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
grant LAB.BRANDEIS.EDU zonesub ANY;
I’m not positive this is the proper syntax since we don’t use the zonesub
I am at a loss. When doing digs using our name servers for 'ANY' records of a
domain we are getting TTLs of five seconds. The TTLs will be correct if we
query for the records individually just not when using 'ANY'. Ideas?
dig google.com any
; <<>> DiG 9.8.3-P1 <<>> google.com any
;; global options:
There aren't any options set to reduce the TTLs. When you dig using a public
DNS server the replies are correct. It is only when using our DNS servers.
_
Nicholas Miller, OIT, University of Colorado at Boulder
On Sep 10, 2013, at 10:04
...@dotat.at wrote:
Nicholas F Miller nicholas.mil...@colorado.edu wrote:
The problem is the reply will ALWAYS be five seconds when doing an 'ANY'
query. It is not a matter of the TTL counting down.
Is there a middlebox of some kind between you and the name server?
Tony
...@fantomas.sk wrote:
On 10.09.13 08:15, Nicholas F Miller wrote:
I am at a loss. When doing digs using our name servers for 'ANY' records of
a domain we are getting TTLs of five seconds. The TTLs will be correct if
we query for the records individually just not when using 'ANY'. Ideas
On Oct 19, 2012, at 10:46 AM, Nicholas F Miller
nicholas.mil...@colorado.edu wrote:
DDNS record scavenging is the only feature I'm aware of that MS DNS has that
Bind doesn't. On the flip side, ISC Bind can ACL who can add certain record
types to a dynamic zone using GSS-TSIG as well
DDNS record scavenging is the only feature I'm aware of that MS DNS has that
Bind doesn't. On the flip side, ISC Bind can ACL who can add certain record
types to a dynamic zone using GSS-TSIG as well as supports views and ACLs for
recursion. Everything else should be standard DNS.
You need to be running Bind 9.7.2-P2 or higher for GSS-TSIG to work.
Create a user account in your AD. Then run:
ktpass -out name_of_your_keytab.keytab -princ DNS/domain.name@DOMAIN.NAME
-pass * -mapuser AD_user_you_created@domain.name
_
Try:
grant EXAMPLE.TEST subdomain EXAMPLE.TEST ANY;
_
Nicholas Miller, ITS, University of Colorado at Boulder
On May 11, 2011, at 7:08 AM, Juergen Dietl wrote:
Hello,
and thanks for all your answers.
I want to ask the question
I recently went through this and have it working. Look through the archives for
'GSS-TSIG and Active Directory'.
https://lists.isc.org/mailman/mmsearch/bind-users?config=bind-users.htsearch&restrict=&exclude=&method=and&format=short&sort=score&words=GSS-TSIG+and+Active+Directory
Things to check:
1)
time I set a
deny for '' it also blocks 'A' records.
Are these bugs or by design?
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Oct 1, 2010, at 1:27 PM, Nicholas F Miller wrote:
YES Brilliant Thanks Rob.
I
PM, Dave Knight wrote:
On 2010-09-30, at 11:24 AM, Nicholas F Miller wrote:
Does anyone actually have GSS-TSIG working with an Active Directory? I see
plenty of posts from people trying to get it to work. I have yet to see
anyone who claims to actually have it working. Did MS change
Thanks, I'll give it a try and see if things begin to work.
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 30, 2010, at 10:15 AM, Tony Finch wrote:
On Thu, 30 Sep 2010, Nicholas F Miller wrote:
Does anyone actually
.
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 30, 2010, at 4:00 PM, Rob Austein wrote:
Sorry, I spent most of the last two weeks locked in a conference room
and mostly off net, still catching up.
At Mon, 27 Sep 2010 07:54:54 -0600, Nicholas F
.
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Oct 1, 2010, at 7:00 AM, Nicholas F Miller wrote:
Thanks, I'll give it a try and see if things begin to work.
_
Nicholas Miller, ITS, University
YES Brilliant Thanks Rob.
I think it is working now. I have the update-policy set up as follows:
grant d...@realm wildcard * ANY;
grant d...@realm wildcard * ANY;
grant dns_serv...@realm wildcard * ANY;
deny REALM ms-self *
Does anyone actually have GSS-TSIG working with an Active Directory? I see
plenty of posts from people trying to get it to work. I have yet to see anyone
who claims to actually have it working. Did MS change something in 2008r2 since
GSS-TSIG was implemented in bind to make it inoperable?
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 27, 2010, at 10:23 AM, Nicholas F Miller wrote:
A small correction:
The packets captured below were between one of the DCs and the DNS server not
a client.
Also, I am getting
something obvious?
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 17, 2010, at 11:08 PM, Rob Austein wrote:
At Fri, 17 Sep 2010 13:18:42 -0600, Nicholas F Miller wrote:
Does anyone have instructions on how to setup
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 27, 2010, at 7:54 AM, Nicholas F Miller wrote:
Are you sure? ;-P
I can't seem to get things working. It looks like the Windows machines are
not happy with the TKEY the DCs are giving them. I can kinit a user account
from
I was wondering if it is possible to use the tkey-gssapi-credential and
update-policy on a Windows install of bind. It strikes me that running bind on
a Windows server, snapped into the AD it will serve DNS to, should be the
easiest way of getting DDNS with update-policy control working.
Am I
of Colorado at Boulder
On Sep 17, 2010, at 12:54 PM, Rob Austein wrote:
At Fri, 17 Sep 2010 09:17:09 -0600, Nicholas F Miller wrote:
I was wondering if it is possible to use the tkey-gssapi-credential
and update-policy on a Windows install of bind. It strikes me that
running bind
I take it this is not possible using update-policy?
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 30, 2009, at 11:29 AM, Nicholas F Miller wrote:
Is it possible to restrict user machines to only be able to update
Is it possible to restrict user machines to only be able to update
their 'A' records on a specific subnet? We would like to allow DDNS
but restrict it to specific subnets and only allow the machines to
update their 'A' records. Allow-updates will not get us the record
restrictions we would
We have a few dynamic zones that are provisioned using Addhost. When
addhost adds records to the zone every night it will run nsupdate
update.file. The update.file will contain records like these:
prereq yxrrset machine.colorado.edu. in a
update delete machine.colorado.edu. in a
prereq
All good suggestions. We have given them both some thought. I was just
wondering if there was a problem with the way we were doing things.
Nicholas Miller, ITS, University of Colorado at Boulder
On Jan 7, 2009, at 11:34 AM, Mike
Barry Jonathan,
Thanks for the quick replies. Your responses go along with my findings
as well. I am trying to clean up some of our configs. The DDNS zones
just didn't look right to me and I wanted to confirm what I was
thinking.
Jonathan, I tested things on a test DC by pointing it at