Re: Message "Loop detected resolving..." and different query-behavior after flushing a cache entry

2023-02-21 Thread Tom
Hi Ondrej I've created the issue: https://gitlab.isc.org/isc-projects/bind9/-/issues/3885 Best regards, Tom On 2/21/23 14:24, Ondřej Surý wrote: Tom, the ADB (Address DataBase) responsible for caching the delegations had been heavily refactored in the 9.19 branch, I think the best course

Message "Loop detected resolving..." and different query-behavior after flushing a cache entry

2023-02-21 Thread Tom
D-9.18.12 regarding lookups after flushing the name "ns2.comtronic.ch"? - BIND-9.19.10 does A and lookups after flushing the name "ns2.comtronic.ch", where BIND-9.18.12 only queries for A records Many thanks for any hints. Best regards, Tom -- Visit https://

Re: Zones declared in a catalog-zone are not transferred successfully over XoT

2023-01-09 Thread Tom
Hi Aram Thanks a lot for your quick response. I've tested with 9.18.10 which definitely solved this issue and XoT for catalog-zones is now working fine. Best regards, Tom On 1/9/23 16:38, Aram Sargsyan wrote: Hello Tom, I see you are using BIND 9.18.9, can you retry with the latest

Zones declared in a catalog-zone are not transferred successfully over XoT

2023-01-09 Thread Tom
o properly "speak" XoT? btw: Using dig for transferring the zone from the primary with XoT and TSIG is working fine: $ dig @192.168.1.1 -k /tmp/key +tls +onesoa axfr example.ch Many thanks in advance, Tom -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe fro

Re: DF-Flag on UDP-based sockets?

2022-11-30 Thread Tom
On 11/30/22 09:27, Borja Marcos wrote: On 30 Nov 2022, at 08:20, Tom wrote: Hi list Regarding ARM 9.18.9 (https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-edns-udp-size): "The named now sets the DON’T FRAGMENT flag on outgoing UDP packets." Tested

DF-Flag on UDP-based sockets?

2022-11-29 Thread Tom
set on the IP header (true for TCP, but never seen for UDP). Which circumstances or which queries enforce BIND9 to set the "DF"-flag on outgoing UDP-based packets? Any hints for this? Thanks a lot. Tom

Re: failed to start BIND 9.16.34 on Ubuntu 20.04

2022-11-11 Thread Tom Krizek
restart facility rate-limit. Please attach the log which contains the real cause of failure, e.g. by using: # journalctl -u bind9 -- Tom Krizek

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

2022-11-09 Thread Tom
On 10/26/22 13:13, Tom wrote: On 10/26/22 10:19, Matthijs Mekking wrote: Thanks for this. It probably should be removed from the docs at this point. When introducing dnssec-policy, my goal was to reduce the dozens of DNSSEC related configuration options that are scattered throughout

Re: automatic reverse and forwarding zones

2022-10-27 Thread Tom
okup $ dig @resolver +short -x 2a02:1368:6000::cafe static-2a02-1368-6000--cafe.cust.swissbackbone.net. # Forward-Lookup () $ dig @resolver +short static-2a02-1368-6000--cafe.cust.swissbackbone.net. 2a02:1368:6000::cafe Best regards, Tom On 10/27/22 19:23, Marco wrote: Am 27.10.202

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

2022-10-26 Thread Tom
On 10/26/22 10:19, Matthijs Mekking wrote: Thanks for this. It probably should be removed from the docs at this point. When introducing dnssec-policy, my goal was to reduce the dozens of DNSSEC related configuration options that are scattered throughout named.conf and contain them in one

Re: Question about additional section in BIND-responses

2022-08-22 Thread Tom
On 8/17/22 06:45, Tom wrote: On 8/17/22 02:27, Evan Hunt wrote: On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote: Using BIND-9.18.5 as a recursive server: What's the reason, that BIND answers with the additional section for the following query where for example Knot resolver

Re: Question about additional section in BIND-responses

2022-08-16 Thread Tom
On 8/17/22 02:27, Evan Hunt wrote: On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote: Using BIND-9.18.5 as a recursive server: What's the reason, that BIND answers with the additional section for the following query where for example Knot resolver and also PowerDNS resolver doesn't add

Question about additional section in BIND-responses

2022-08-16 Thread Tom
e: 4 msec ;; SERVER: 10.100.102.21#53(test) (UDP) ;; WHEN: Tue Aug 16 17:14:21 CEST 2022 ;; MSG SIZE rcvd: 120 Any hints why BIND adds the additional section while other resolvers don't? Is there an option in BIND to behave like Knot/PDNS? Many thanks. Regards, Tom

Re: After switching to "dnssec-policy", existing RRs are still signed with the "old" ZSK

2022-05-11 Thread Tom
On 11.05.22 11:26, Mark Andrews wrote: Signature-refresh determines when the RRSIGs will be replaced by looking at the expiration time and working backwards. New RRSIGs are generated using signature-interval. Ah, perfect. Thx.

After switching to "dnssec-policy", existing RRs are still signed with the "old" ZSK

2022-05-11 Thread Tom
600; nsec3param iterations 0 optout no salt-length 0; }; Many thanks for hints/explanations. Best regards, Tom

Re: "Length"-output in DNSSEC-Policy state-files vs. "Key Length"-output on dnsviz.net

2022-05-11 Thread Tom
Hi Tony Many thanks for your explanation! Tom On 10.05.22 10:46, Tony Finch wrote: Tom wrote: I'm wondering about the value of the "Length"-field in the dnssec-policy state-file output, which results in "Length: 256" for domains, which are signed with algorithm

"Length"-output in DNSSEC-Policy state-files vs. "Key Length"-output on dnsviz.net

2022-05-09 Thread Tom
in on "dnsviz.net" (ZSK or KSK), which results in "Key Length: 512". # state file $ grep Length Karcademics.ch.+013+19238.state Length: 256 # The ZSK/KSK for this domain on "dnsviz.net" Key Length: 512 What's the difference between this both values? Many thanks. Tom

Re: Changing ZSK-lifetime in dnssec-policy is not applied

2022-02-14 Thread Tom
Hi Matthijs Perfect, thank you for this information and clarifying this. Best regards, Tom On 14.02.22 09:59, Matthijs Mekking wrote: Hi Tom, The lifetime is applied to new keys, so when the ZSK is rolled the lifetime of the successor key should be 60 days. I have considered applying

Changing ZSK-lifetime in dnssec-policy is not applied

2022-02-11 Thread Tom
8 2022) DNSKEYChange: 20220211092418 (Fri Feb 11 10:24:18 2022) ZRRSIGChange: 20220211092418 (Fri Feb 11 10:24:18 2022) DNSKEYState: omnipresent ZRRSIGState: rumoured GoalState: omnipresent Any hints for this? Many thanks. Best regards, Tom

Re: dnssec-policy is not signing anymore

2021-11-29 Thread Tom
Hi Matthijs I've tried several times to reproduce this behavior..., dnssec-policy always does his job. I did not currently succeed in reproducing the behavior. I will make a few more attempts and otherwise inform you. Thank you. Best regards, Tom On 29.11.21 10:56, Matthijs Mekking wrote

dnssec-policy is not signing anymore

2021-11-29 Thread Tom
without recreating a new KSK? I assume, that disabling DNSSEC completely and creating a new ZSK/KSK will work, but in the case now, I already have the mentioned KSK (61416). Thank you. Kind regards, Tom

ECS-IP in the RPZ-Log?

2021-10-27 Thread Tom
log? Many thanks. Kind regards, Tom

Re: Question about "max-zone-ttl" in dnssec-policy

2021-09-21 Thread Tom
Hi Matthijs Thank you for your explanation. The documentation says, that "any record encountered with a TTL higher than max-zone-ttl is capped at the maximum permissible TTL value". Is the documentation wrong here? Thank you. Kind regards, Tom On 21.09.21 09:47, Matthijs Mek

Question about "max-zone-ttl" in dnssec-policy

2021-09-20 Thread Tom
3cprtWPAOwEuUvaiV5DKYWxhJHrdU6FL7Jk2+aNavOao lTzQMKev2OF6TqPhXXfaHANIz+tiVhZaeaDCDagkSA== ) ... ... What do I misunderstand here? Many thanks for a hint. Kind regards, Tom

Using catz (catalog zones): BIND does not remove the catz-journal file on the slave

2021-07-28 Thread Tom
com.db.jnl Is this intentional or possibly a bug? Many thanks. Kind regards, Tom

Re: managed-keys-error since BIND-9.16.15

2021-05-02 Thread Tom
: expected serial 2021050100, got 2021050300 03-May-2021 00:20:28.532 general: error: zone example.com/IN: dns_journal_compact failed: unexpected error Thank you. Kind regards, Tom On 01.05.21 08:52, Mark Andrews wrote: Named should automatically correct this error. The journal version was no

managed-keys-error since BIND-9.16.15

2021-04-30 Thread Tom
s.bind.jnl. Any hints about this error? Thank you. Kind regards, Tom

resolv.conf question / timeout behaviour

2021-03-31 Thread Tom Preissler via bind-users
Hi, at my work place we have a three resolver setup in /etc/resolv.conf. We had sometimes, though rarely, response times for DNS like 14000ms, due to the fact that the *first* listed resolver is down for maintenance reasons. The application we test this with is Oracle/TNSPing. As a mitigation we

Re: BIND through COPR after CentOS

2020-12-19 Thread Tom J. Marcoen
Hey all, Just wondering here, why switching from CentOS to Debian or building BIND from sources? What is wrong with migrating to CentOS Stream? Why would that be so much worse than using Debian? Regards, Tom On Sat, 19 Dec 2020 at 00:25, G.W. Haywood via bind-users < bind-users@lists.isc.

Re: Abour RRL and Best Practise

2020-11-29 Thread Tom J. Marcoen
;, meaning "no limit" (see the ARM for version 9.16.8 on page 73). [1]: https://kb.isc.org/docs/aa-00994 [2]: https://conference.apnic.net/data/37/apricot-2014-rrl_1393309768.pdf Best regards, Tom On Fri, 27 Nov 2020 at 08:00, Onur GURSOY wrote: > > Hello Everyone, > > Bind9

Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-20 Thread Tom J. Marcoen
Thank you for your valuable feedback. It is much appreciated. On Fri, 20 Nov 2020 at 19:37, Reindl Harald wrote: > > Am 08.11.20 um 14:44 schrieb Timothe Litt: > > > I'm amazed that this thread has persisted for so long on this list of > knowledgeable people > > > me too, i would understand

Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-07 Thread Tom J. Marcoen
Having at least two name servers is not a requirement by the RFC standards but which TLD allows for only one NS server to be given when you register a domain? On Sat, 7 Nov 2020 at 16:53, Kevin A. McGrail wrote: > On 11/7/2020 10:15 AM, Reindl Harald wrote: > > >

Re: How can I launch a private Internet DNS server?

2020-11-06 Thread Tom J. Marcoen
; Ale Is it not a requirement to have at least two authoritative name servers? I believe all TLDs require at least two name servers but I must be mistaken as no one pointed this out yet. Regards, Tom

Hints for forwarding a subdomain on a authoritative server

2020-07-06 Thread Tom
recursion? Is there a better way with not enabling recursion (perhaps with views) to accomplish this? Many thanks for any hints. Kind regards, Tom

CDS/CDNSKEY are not published with BIND-9.16.1 and dnssec-policies

2020-04-09 Thread Tom
1638 (Thu Apr 9 08:16:38 2020) example.com. 60 IN DNSKEY 257 3 13 uV/NtPZSL1fmO3FAi4pZCcbTl19iD3SizgVcDXGJEl1g4l/cHUGvVl33 3cx2cODA6RUj55pZa77g1VBtFBXByg== Any hints, why in this case the dnssec-policy mechanism doesn't publish the CDS/CDNSKEY records? Many thanks. Kind regards, Tom

Re: CDS-deletion record "CDS 0 0 0 00" is failing with bind-9.14.9 and bind-9.14.8

2020-02-22 Thread Tom
Hi Mark Heureka..., that did the trick. The zone is inline signed and after I added the already existing DNSKEY records in the raw zone file, the CDS/CDNSKEY deletion record was accepted and the zone was loaded. Many thanks. Kind regards, Tom On 21.02.20 21:08, Mark Andrews wrote

Re: CDS-deletion record "CDS 0 0 0 00" is failing with bind-9.14.9 and bind-9.14.8

2020-02-20 Thread Tom
IN CDS 0 0 0 00 @ IN CDNSKEY 0 3 0 AA== SCHNAPP 21-Feb-2020 08:13:40.939 general: error: zone example.com/IN (unsigned): CDS/CDNSKEY consistency checks failed 21-Feb-2020 08:13:40.939 zoneload: error: zone example.com/IN (unsigned): not loaded due to errors.

Re: CDS-deletion record "CDS 0 0 0 00" is failing with bind-9.14.9 and bind-9.14.8

2020-02-20 Thread Tom
17:31:25.381 zoneload: error: zone example.com/IN (unsigned): not loaded due to errors. In which version will this issue be fixed? Many thanks. Kind regards, Tom On 11.01.20 08:48, Mark Andrews wrote: Open a ticket saying “CDS/CDNSKEY not handled when performing constancy checks

CDS-deletion record "CDS 0 0 0 00" is failing with bind-9.14.9 and bind-9.14.8

2020-01-10 Thread Tom
for this? Thank you. Kind regards, Tom

DNS-resolution failed for "www.gracenote.com" when "qname-minimization relaxed|strict;"

2019-05-13 Thread Tom
here I can configure a zone-wide exception for "qname-minimization" in a (pseudo)-way like this: zone "gracenote.com." { qname-minimization off; }; What's the best way to "enable" resolution for the mentioned zone

Re: Error: zone example.com/IN (signed): receive_secure_serial: unchanged

2019-03-13 Thread Tom
thanks for any hints/ideas. Kind regards, Tom On 11.03.19 09:14, Tom wrote: Hi list We're sometimes receiving the same error as described in https://gitlab.isc.org/isc-projects/bind9/issues/256 after reloading BIND. zone example.com/IN (signed): receive_secure_serial: unchanged What does this

Error: zone example.com/IN (signed): receive_secure_serial: unchanged

2019-03-11 Thread Tom
, that DNSSEC is working fine, but the error is confusing. Thank you. Kind regards, Tom

DNSSEC debugging: TC and AD-Flag set?

2019-02-25 Thread Tom
NSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;org. IN DNSKEY ... ... Any hints for this behavior? Many thanks. Tom

Re: 0-TTL when querying "invalid" soa

2019-01-29 Thread Tom
Perfect.., many thanks for your hints. Tom On 29.01.19 16:33, Tony Finch wrote: Tom wrote: We're running BIND-9.12.3-P1 on our authoritative servers and we have the same behavior with 0-ttl with a invalid soa-query. Is this bind-specific? Why does an invalid soa-record responds with 0-ttl

0-TTL when querying "invalid" soa

2019-01-29 Thread Tom
P1 on our authoritative servers and we have the same behavior with 0-ttl with a invalid soa-query. Is this bind-specific? Why does an invalid soa-record responds with 0-ttl in the authority-section? Thank you. Kind regards, Tom

Re: BIND 9.12.3-P1: No additional section

2019-01-15 Thread Tom
On 16.01.19 08:08, Evan Hunt wrote: On Wed, Jan 16, 2019 at 07:02:05AM +0100, Tom wrote: $ dig +norec -4 @ns3.example.com www.mydomain.net ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> +norec -4 @ns3.example.com www.mydomain.net ; (1 server found) ;; global opt

Re: BIND 9.12.3-P1: No additional section

2019-01-15 Thread Tom
3 In both authoritative configurations I've set "minimal-responses no;", but on 9.12.3-P1, no additional section comes back. Thank you. Kind regards, Tom On 15.01.19 19:15, Evan Hunt wrote: On Tue, Jan 15, 2019 at 02:40:51PM +0100, Tom wrote: After migrating from 9.11.x to 9.12.3-P1

BIND 9.12.3-P1: No additional section

2019-01-15 Thread Tom
hy this happens when "minimal-responses no;" is configured. Thank you. Kind regards, Tom

Re: Can I use multi-purpose servers for authoritative bind dns servers?

2019-01-05 Thread Tom Browder
On Sat, Jan 5, 2019 at 10:06 Warren Kumari wrote: > On Sat, Jan 5, 2019 at 7:06 AM Tom Browder wrote: > >> I have two remote servers: (1) one with one >> > ... > Question: Can I use one or both servers as authoritative bind dns servers, >> or should I ge

Can I use multi-purpose servers for authoritative bind dns servers?

2019-01-05 Thread Tom Browder
for that purpose? If they are usable, is it preferable to have a unique IP instead of sharing with other services? Thanks, and Happy New Year! -Tom

Re: Rewrite/Override QTYPE with RPZ

2018-11-11 Thread Tom
Hi Daniel Thank you for your feedback. This could be a solution. It seems, that unbound can do this (not verified) and BIND-RPZ can't do this actually: https://serverfault.com/questions/18748/overriding-some-dns-entries-in-bind-for-internal-networks Any plans for BIND? Tom On 12.11.18 08

Re: Rewrite/Override QTYPE with RPZ

2018-11-11 Thread Tom
addresses from your databases. These often occur because the customer no longer has the email address they originally gave you (or they had a typo in what they gave you). -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Tom Sent: Thursday, November

Re: Rewrite/Override QTYPE with RPZ

2018-11-08 Thread Tom
For example "example.com" and "*.example.com" are blacklisted. I would like to return a real ip address for special query types like MX or TXT, but not for A or . Tom On 08.11.18 16:44, Barry Margolin wrote: In article , Tom wrote: Hi all Is there a way to ov

Rewrite/Override QTYPE with RPZ

2018-11-08 Thread Tom
Hi all Is there a way to override/rewrite QTYPE (ex. MX) with RPZ? If no, is this planned in future releases of BIND? Regards, Tom

Re: Understanding TTL in "rndc dumpdb"-output

2018-10-23 Thread Tom
umpdb" nevertheless the TTL in the form of "serve-stale" is shown (even if the serve-stale-status = off)? Thank you. Tom On 23.10.18 10:25, Michał Kępień wrote: After querying my resolver for "testbla11.example.com", I receive a NXDOMAIN response with a minimum-ttl (in the s

Understanding TTL in "rndc dumpdb"-output

2018-10-22 Thread Tom
e "rndc dumpdb"-output I have a value for 605082. Any hints? Thank you. Kind regards, Tom

DNSSEC validation option in BIND 9.10

2018-10-05 Thread Tom Yard
Hi people, I have two BIND 9.10.3 servers with DNSSEC validation enabled, one in one client and the other in another client. Both BIND have the same configuration lines relative to DNSSEC validation: dnssec-validation auto; dnssec-enable yes; and both has the current and future key in

Re: Logrotate for bind9

2018-07-04 Thread Tom
te new log files. ...or you use "copytruncate", so the file will be copied and the other stuff (compress, rotate 180, etc..) and then truncated, so BIND has still the same filedescriptors open, but the logfile is rotated :-). This way, you don't need to "rndc reconfig"

DNSSEC and automatic renewal of RRSIG-expiration-time

2018-05-03 Thread Tom
, to force BIND automatically to renew the RRSIGs? Thank you. Kind regards, Tom

Unclear behavior with option "lame-ttl 0;"

2018-02-22 Thread Tom
ups. I've tested with simple iptables-rules on my resolver, which are blocking outbound-connections to one or more authoritative servers of a zone for simulating the "lame-servers"-behavior. Any explanation or hints for this (mis)-behavior? Thank you. Kind regards, Tom

Re: response-rate-limiting - "window" explained?

2018-01-09 Thread Tom
On 01/09/2018 05:11 PM, Tony Finch wrote: Tom <tomtux...@gmail.com> wrote: Slip is set to "0" (always drop). After stopping the flood, I'm immediately able to query the same record (www.example.com) with a positive answer. Does the "window 5;" or "window 30;"

Re: response-rate-limiting - "window" explained?

2018-01-09 Thread Tom
On 01/09/2018 02:49 PM, Tony Finch wrote: Tom <tomtux...@gmail.com> wrote: If I set the "responses-per-second 5;" and the "window 30;", then begin flooding (the responses are correctly dropped), then stop flooding, then querying the nameserver from the same source

Re: response-rate-limiting - "window" explained?

2018-01-07 Thread Tom
60 or 3600. Any hints / explanation for the behavior of the "window"-value? Many thanks. Tom On 01/05/2018 07:27 PM, Tony Finch wrote: Tom <tomtux...@gmail.com> wrote: Could someone explain the problem here? Why do I never have to wait longer than about 5s until I'm able to q

Re: response-rate-limiting - "window" explained?

2018-01-05 Thread Tom
Why do I never have to wait longer than about 5s until I'm able to query the nameserver from the unique client with the same query again? Many thanks. Kind regards, Tom On 03/27/2017 11:33 AM, Tony Finch wrote: Tom <tomtux...@gmail.com> wrote: Can someone explain the behaviour of

Question about: "rate-limit: stop limiting responses to 1.1.1.0/24 for www.example.com"

2018-01-04 Thread Tom
bout 60-65 seconds later, after I've stopped the "test"-attack (confirmed multiple times..)? My rate-config: rate-limit { responses-per-second 5; slip 0; window 5; }; Many thank

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-24 Thread Tom Browder
il.example.com. > @ IN TXT "v=spf1 mx -all" Thanks, Matus. -Tom

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
rs with bind. But that is down the road a bit. This is a hobby and I can only put so much time in with each kitchen pass! Thanks. -Tom

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 17:25 Alan Clegg wrote: > Now you broke the A record. Get rid of the trailing dot. > Done.

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 2:28 PM, Tom Browder <tom.brow...@gmail.com> wrote: ... > I have a single remote server with one IP address (142.54.186.2) I am using > it to host multiple, independent domains. I am working on configuring a > single postfix instance to serve mail for all do

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 2:58 PM, John Miller <johnm...@brandeis.edu> wrote: > Hi Tom, > > You'll want to change your MX records to point to the name, rather > than the IP, of your mail server. Note that your MX target does _not_ > have to be in the same domain as the

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 2:54 PM, Alan Clegg <a...@clegg.com> wrote: > MX record needs a name and not an IP address. Beyond that, seems fine. Thanks, Alan. -Tom

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 3:01 PM, <wbr...@e1b.org> wrote: > MX records cannot point to an IP address. try this: > > x.tld MX 10 x.tld. Thanks, William! -Tom

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
e address resolves to)' ... > You don’t have an SOA record, or NS records. Those are also required, I should have been a little clearer about the DNS server: I'm using Namecheap so some things like SOA and NS records are done using their entry form. I'll change the MX record

Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
ain look appropriate: # For each domain X.TLD: X.TLD. IN A 142.54.186.2. *.X.TLD. IN CNAME X.TLD. X.TLD. IN MX 10 142.54.186.2. X.TLD. IN TXT "v=spf1 mx -all" Thanks. With

Re: Systemd bind9.service file?

2017-07-23 Thread Tom Browder
On Sat, Jul 22, 2017 at 04:06 Alberto Colosi <al...@hotmail.com> wrote: > as just said inside previous mail > > ever if you edit some , you should understand > Thanks for your help and good links, Alberto. -Tom

Re: Systemd bind9.service file?

2017-07-21 Thread Tom Browder
On Fri, Jul 21, 2017 at 3:46 PM, Tom Browder <tom.brow...@gmail.com> wrote: > How does one install bind9 from source and set it up to work with systemd? > > I copied a bind9.service file from a Debian 9 package installation but > I think it's more complicated than that. So

Systemd bind9.service file?

2017-07-21 Thread Tom Browder
How does one install bind9 from source and set it up to work with systemd? I copied a bind9.service file from a Debian 9 package installation but I think it's more complicated than that. Thanks. -Tom

Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Tom Browder
ts of a caching > NS, but if you need to run BIND anyway I meant to say I intend to run as an authoritative DNS server for my personal domains. I assume Reindl's answer is still valid. BTW, anything special I need for the bind service file?

Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Tom Browder
On Wed, Jul 19, 2017 at 05:42 Reindl Harald <h.rei...@thelounge.net> wrote: > Am 19.07.2017 um 12:37 schrieb Tom Browder: > > I want to host my own DNS servers, but I need the master to share Bind > > with other services, specifically Apache 2.4, Postfix 3.3, and Mailma

Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Tom Browder
, -Tom

response-rate-limiting - "window" explained?

2017-03-24 Thread Tom
Hi Can someone explain the behaviour of "window" in the rate-limit-context? I've tried "responses-per-second 10; window 3;" and had the same results as "responses-per-second 10; window 5;". Any simple explanation for the "window"-di

Running current version of bind in a jail?

2016-10-23 Thread Tom
the reason, that it isn't necessary to run modern version of bind in a jail? Kind regards, Tom

Re: BIND-RPZ and Views

2016-09-19 Thread Tom
the slave-zone again...just for the view2. Thank you. Tom On 09/16/2016 12:22 PM, Tony Finch wrote: Anand Buddhdev <ana...@ripe.net> wrote: In newer versions of BIND, you cannot share a writable file in different views. This is a bad configuration, and newer versions of BIND reject it

BIND-RPZ and Views

2016-09-16 Thread Tom
/malware.rpz.spamhaus.org': already in use: /etc/named/named.conf:259 Is there a way to support RPZ in views? I want to achieve that Customer01 (view01) should have different RPZ-options than Customer02 (view02) using the same RPZ-Files. Thank you. Kind regards, Tom

Overwrite SOA-Records in RPZ-Responses?

2016-09-06 Thread Tom
se "on-the-fly", whose zone is configured as "slave"? Because we use configured some third-party-rpz-zones, the soa-record is predefined... Thank you. Kind regards, Tom

Re: Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

2016-09-06 Thread Tom
Hi Mukund Many thanks for your hint. In fact named was compiled with "--enable-querytrace". After recompiling 9.10.4-P2 without querytrace, the log looks good. Kind regards, Tom On 09/06/2016 09:32 AM, Mukund Sivaraman wrote: Hi Tom On Tue, Sep 06, 2016 at 07:37:50AM +0200,

Re: Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

2016-09-05 Thread Tom
Is there a workaround/configuration-directive not to log every request with this "error"? One way would be using BIND 9.9.9-P2 (because this code was added in 9.10.x...), but I would prefer 9.10.x. Kind regards, Tom On 08/31/2016 03:05 PM, Tony Finch wrote: Tom <tomtux...@gma

Re: Request reverse dns mapping advice

2016-09-05 Thread Tom Browder
n able to find it again. On today's Internet, you want your mail server to EHLO with a name > that has matching forward and reverse DNS with the server's IP. If > you don't, you look unnecessarily like a spambot. ... A very good reason, indeed! Thanks again. Best regards, -Tom

Request reverse dns mapping advice

2016-09-05 Thread Tom Browder
the names I use for the IPv4 records. Thanks for your always helpful advice. Best regards, -Tom

Re: rndc on local host: need named running?

2016-08-30 Thread Tom Browder
On Tuesday, August 30, 2016, Woodworth, John R < john.woodwo...@centurylink.com> wrote: > > I have a slightly unorthodox view on this which may even offer a bit more > > security. The answers are listed below inline. > > ... Thanks, Jo

Re: rndc on local host: need named running?

2016-08-30 Thread Tom Browder
- perhaps > the address range in which your local machine is to be allocated its > address? > Thanks, Cathy. Best regards -Tom

Re: Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

2016-08-30 Thread Tom
Sorry...wrong post. After a little bit more testing, the errors are still appearing. The masterfile-format didn't solve the errors. Thank you, Tom On 08/30/2016 08:20 AM, Tom wrote: Hi list After some more troubleshooting, I was able to locate the problem: - One Spamhaus-Zone-File

Re: Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

2016-08-30 Thread Tom
file-format map;" for this zone, then the error disappeared. Any hints for this behaviour? Kind regards, On 08/30/2016 06:53 AM, Tom wrote: Hi list Using self-compiled latest bind (9.10.4-P2): I have a bind-setup with activated response-policy-zones. For *each* client-forward-query, w

Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

2016-08-29 Thread Tom
107b0a8700 (yahoo.com/A): rpz_rewrite_name: mismatched summary data; continuing ... ... The client receives the right response, dns-rpz is also working, but I'm suspicious about the errors mentioned above. Any hints? Thanks a lot. Kind regards, Tom

Re: rndc on local host: need named running?

2016-08-27 Thread Tom Browder
On Saturday, August 27, 2016, Lyle <l...@lcrcomputer.net> wrote: > On 08/27/16 10:54, Tom Browder wrote: > > https://calomel.org/dynamic_dns_ddns.html My plan is to have two > > 2. Can I use rndc from my local host which doesn't have a fixed ip address? > > ...

Re: Allowable reverse mapping zone file names

2016-08-27 Thread Tom Browder
them to insert the > records you think necessary including your mail server's host name. > Thanks, Lyle! Best regards, -Tom

Re: rndc on local host: need named running?

2016-08-27 Thread Tom Browder
On Saturday, August 27, 2016, Warren Kumari <war...@kumari.net> wrote: > On Saturday, August 27, 2016, Tom Browder <tom.brow...@gmail.com> wrote: > >> My plan is to have two remote, authoritative name ser

Re: Allowable reverse mapping zone file names

2016-08-27 Thread Tom Browder
On Saturday, August 27, 2016, /dev/rob0 <r...@gmx.co.uk> wrote: > On Sat, Aug 27, 2016 at 10:47:36AM -0500, Tom Browder wrote: > > I do not control 3-octet networks but need reverse mapping for my > > mail server. > > Discuss that with your ISP or netblock owner. ...

rndc on local host: need named running?

2016-08-27 Thread Tom Browder
a fixed ip address? Thanks. Best regards, -Tom

Allowable reverse mapping zone file names

2016-08-27 Thread Tom Browder
single mail server? Thanks. Best regards, -Tom
