Gregory Sloop wrote:
> Would you mind showing me how you got there?
I like https://dnsviz.net/ and https://zonemaster.net/ - dnsviz is better
at showing DNSSEC issues, and zonemaster has a bigger collection of
general DNS checks, so it's worth using them both.
Tony.
--
f.anthony.n.finchhtt
Duleep Thilakarathne wrote:
>
> How does bind select NS entry during recursive queries , when the answer
> section has multiple NS entries.
It's roughly based on measuring the smoothed round trip time (SRTT) to
each nameserver and picking the closest, with a lot of randomness in the
mix. Try sea
senthan.sivasunda...@szkb.ch wrote:
> One day an alert came from Cybereason (antivirus software) that our
> BIND server had tried to connect to a suspicious domain "ns2.honeybot.us".
> But I couldn't find the log, which domain the BIND server was searching
> for, so that the BIND server has to c
Axel Rau wrote:
>
> Has anybody a working IPv6 notify address in use?
Notifies from my primary to my on-site servers go over IPv6 with a TSIG
key. They are all dual-stack.
Axel Rau wrote:
>
> I can’t see any notifies to 2001:470:100::2 in the logs.
>
> What am I doing wrong?
Normally BIND only logs "sending notifies" without saying anything about
where it is sending them. You need to increase the log level using `rndc
trace 3` (or more than 3) to get the informatio
Veaceslav Revutchi wrote:
> Given this soa:
>
> fe80.info. 3600 IN SOA ns-538.awsdns-03.net.
> awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60
>
> I see bind caching negative answers for 3600 instead of 60. The rfc
> and my google searches suggest that it should pick the MIN(soa ttl,
> soa mi
Scott Nicholas wrote:
>
> Primary nameserver is behind a cache/proxy on enterprise network such that
> all external traffic hits this. Zone went bogus. I blame policy but on
> further inspection 2/3 proxies had differing TTL between the DNSKEY and its
> RRSIG.
Hmm, that's suspicious. In the DNS,
ShubhamGoyal wrote:
> We have enabled " minimal-any yes;" in our Bind DNS Sever, Yet an ANY
> query provides complete details instead of providing reduced details .
Testing minimal-any with dig is tricky and very obscure!
For an example of how to test it, try:
dig cam.ac.uk any @131.11
Anand Buddhdev wrote:
> On 22/07/2020 15:06, Josef Moellers wrote:
>
> > named complains about the missing file /etc/bind.keys if run chrooted:
> > unable to open '/etc/bind.keys' using built-in keys
> >
> > What is the preferred way around this? Add "/etc/bind-keys" to
> > NAMED_CONF_INCLUDE_FILE
Zhiyong Cheng wrote:
>
> We are using named cluster in our internal network as the authoritative
> DNS. So there are no cache servers between clients and named cluster.
> Maybe we should add one but it is just another story.
Sorry, I wasn't completely clear: I was not saying that your authoritati
程智勇 wrote:
>
> So could anybody tell me why DNS_RRL_MAX_RATE defined 1000?
RRL is designed for authoritative DNS servers. Legitimate queries come
from recursive resolvers with caches. There should not be more than one
query for each RRset from each resolver per TTL. So a normal response rate
limi
Klaus Darilion wrote:
>
> A signed zone shall be moved to another DNS provider. Hence I want to
> add the public KSK of the gaining DNS provider as additional DNSKEY to
> the zone.
I guess you might already have seen this draft - it discusses long-term
multi-provider setups rather than transition
Brett Delmage wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
> >
> > minimal-any yes;
>
> Why only reduce and not eliminate?
The reason is a bit subtle. If an ANY query comes via a recursive
resolver, it is much better to give the resolver an answer so that it will
put
@lbutlr wrote:
>
> > rate-limit { responses-per-second 10; };
>
> Does that apply to local queries as well (for example, a mail server may
> easily make a whole lot of queries to 127.0.0.1, and rate limiting it
> would at the very least affect logging and could delay mail if the MTA
> cannot v
@lbutlr wrote:
>
> The latest surprise was that dnssec-enable yes; is obsolete in Bind 9.16.
`dnssec-enable yes` has been the default since 2007, so that directive has
been useless for quite a long time :-) What changed in 9.16 is that you
now can't turn DNSSEC off. (Specifically, support for cor
Michael De Roover wrote:
>
> Said friend said to me that he tested my authoritative name servers and
> found them to be not vulnerable. [snip] They do not respond to recursive
> queries. It appears that the test of whether a server is "vulnerable" or
> not has to do with this. The command used to
Tom wrote:
>
> But: The zone-forwarding is only working, when I enable "recursion" on the
> authoritative server. Does this means, that zone-forwarding really requires
> recursion?
Yes, forwarding is completely specific to recursive servers. That is, the
server doing the forwarding must be recurs
@lbutlr wrote:
> When a domain configuration file contains an include line for the key,
> where is that include looking for the key file?
... good question, I have avoided having to find that out ...
> I'm in a situation where the keys seems to work fine for updating
> DNSSEC, but nsdiff compla
Chuck Aurora wrote:
nice domain name :-)
> On 2020-07-01 00:55, Harshith Mulky wrote:
>
> > Any methods or links which can be shared to help us reload the zone
> > files automatically once we make changes to the zone files ( cron
> > methods or shell scripts)
>
> A different paradigm which would
Jakob Dhondt wrote:
>
> I am generating dnstap files using bind and regularly roll them using
> 'rndc dnstap -roll [number]'. The way I understand the documentation is
> that there should be max [number] old dnstap files after executing this
> command but what actually happens is that all files ar
Anand Buddhdev wrote:
>
> 16-Jun-2020 15:21:58.815 general: Accepting TCP connection failed: socket is
> not connected
>
> What does this log message mean?
I think this error comes from getpeername() and it can occur if the
connection is closed between accept() and getpeername(), which I wouldn'
Kevin Darcy wrote:
>
> The "master" nomenclature is appropriate from a *data*dependency*
> standpoint. The "master" holds the "master copy" of the zone contents (
> https://www.collinsdictionary.com/us/dictionary/english/master-copy). All
> other copies are duplicates of that.
There isn't in gene
Vinícius Ferrão via bind-users wrote:
>
> But the prevalence of terms are still master and slave. And I really
> hope this thing of changing nomenclatures doesn’t go any further due to
> political correctness.
"Political correctness" just means being considerate for other people,
especially peopl
Steffen Breitbach via bind-users wrote:
>
> I am having issues with my bind server setup. When I try to resolve the PTR
> for 130.248.154.166 or 172.82.233.25, I will get the proper result only after
> a few tries so. After that, resolving will work.
Looks like there are some discrepancies with t
Jukka Pakkanen wrote:
> Thx for the info, had missed this one and actually we have that minor
> misconfiguration too. Have had since 1995 when started our nameservers
> and never noticed...
Yes, it used to be recommended -
https://tools.ietf.org/html/rfc1537#section-10
But not any more, because
ShubhamGoyal wrote:
>
> 1. Can bind support DoH and DoT
It isn't built in, you need to run a proxy in front. See this thread from
a month ago -
https://lists.isc.org/mailman/htdig/bind-users/2020-April/103075.html
There was more discussion in May but unfortunately the mailing list
archive seems
rams wrote:
>
> On the CAA record iodef filed, do we force this to be unique or can it
> match a CNAME?
The specification says the iodef field contains a URL so normal URL
resolution applies.
https://tools.ietf.org/html/rfc8659#section-4.4
Questions about CNAMEs are at the wrong layer. HTTP URL
Erich Eckner wrote:
>
> Will there be client-side DoT/DoH support in bind, too? E.g. will my recursive
> (or forwarding) resolver be able to resolve upstream dns via those?
At the moment the specifications are not yet done for encrypted DNS
between recursive and authoritative servers. It's very d
Michael De Roover wrote:
> On that subject, how about DoT?
DoT is easier since you only need a raw TLS reverse proxy, and there are
lots of those, for example, nginx:
http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48
Note that if you enable DoT on port 853 on your
Walter Peng wrote:
>
> Does BIND have a DoH plugin official?
> Or is there any guide to customize that one?
You'll need to run a DoH proxy in front of BIND, for example
https://dnsdist.org/ - my DoH service uses
https://dotat.at/cgi/git/doh101.git
Ondřej Surý wrote:
>
> On Linux, just put the path to /etc/ld.so.conf.d/local.conf and that should
> do the trick.
I'm usually using per-build install paths for experimentation or for easy
rollback, so I prefer not to fiddle with the global path. I make things
difficult for myself :-)
In my experience getting rpaths to work properly is a massive pain because
most autoconf/libtool build systems don't automatically set the rpath as
required for the --with-libwhatever=PATH options to work properly, and
they often prevent attempts to set rpath linker flags. In BIND there has
been a
Havard Eidnes via bind-users wrote:
>
> If it was due to validation failure, I would have thought that it
> would be more persistent than only last for 10 minutes.
Looking for vaguely plausible causes I guess what might have happened is
there was a DNSKEY lookup failure (transient network problem
Havard Eidnes via bind-users wrote:
>
> Looking at the code in BIND 9.14.10 (BIND 9.16.2 doesn't appear to be
> significantly different in this regard), there appears to be a "cache
> of bad records" implemented by lib/dns/badcache.c. There are two
> invocations of dns_resolver_addbadcache() in l
Sarah Newman wrote:
> What should happen when for a given domain:
>
> - The domain resolves via TCP but not UDP - UDP for this domain had no
> response at all.
I would expect the domain to be completely unresolvable: the resolver will
only try TCP if it gets a truncated response over UDP.
> - T
Lars Kollstedt wrote:
> One of the arpa-Nameservers 192.5.5.241, 2001:500:2::c which is the C-Root-
> Server is shown to be not responsive for queries over UDP by DNSviz for a long
> time.
This is due to a stupid peering disagreement between a couple of very
stubborn tier 1 transit providers.
T
Steve Egbert wrote:
> I haven't worked on the zone syntax file yet. It hasn't changed since v9.5
> days. That should be my next subproject.
That will be great! When I use nsvi, vim gets bright red and angry about
lots of fun records like DS, SSHFP, URI, EUI48, and RFC 3597 custom
records. Which
Mark Andrews wrote:
> > On 23 Apr 2020, at 07:20, Evan Hunt wrote:
> >
> > As far as I can recall, the only way to change a TTL in nsupdate is to
> > delete the whole RRset and then add it back in the same transaction:
There's actually a standard shortcut for TTL changes which is a
consequence o
Lars Kollstedt wrote:
>
> what do the following messages in loose combination mean?:
>
> Apr 22 09:23:01 resolver1 named[1201]: validating ip6.arpa/SOA: got insecure
> response; parent indicates it should be secure
This means there is a DS record for ip6.arpa in the .arpa zone, but there
were n
Petr Bena wrote:
>
> So when someone changes zone on A via nsupdate, NOTIFY and subsequent IXFR
> goes like this: A -> B -> C instead of:
>
> A -> B
> -> C
Chaining NOTIFY like A -> B -> C is very common - I would guess most TLDs
do it. In many cases, A is a secure hidden primary, B are zone tr
@lbutlr wrote:
>
> Is it possible to batch update all the domains? Looking at nsupdate it
> looks like I have to step through and do every domain individually.
An UPDATE request can change many records, so long as they are all in the
same zone, and so long as they fit in the 64KB limit of DNS mes
John Wiles wrote:
>
> I am running into a problem that I think is caused by either a
> misconfiguration in Bind9, our Cisco NAT, or perhaps both.
>
> When I am on our internal network, I am able to query both servers and
> get the appropriate external ip address. However, when I try to do the
> sa
Witold Kręcicki wrote:
> I'm currently working on DoH/DoT design - most specifically, the configuration
> syntax that will be used to set up DoH/DoT. Since removing or modifying
> options in named.conf is very hard I want it to be done properly - hence this
> request for comments. The current des
Matthew Pounsett wrote:
>
> I like your suggestion of using /dev/stdin as the file though.. I bet I can
> make that work until 9.18 is out.
Anand's trick has worked for me for many years :-) nsdiff has used
`named-compilezone /dev/stdin` since I originally wrote it in 2011...
David Alexandre M. de Carvalho wrote:
> So I'm still fighting with dnssec in BIND 9.8.2 (oracle linux 6).
> Unfortunately no automatic signing before Bind 9.9, from what I read.
BIND 9.8 has automatic signing, but not inline signing. However nsdiff is
almost as good as inline signing, and I wro
> Because the AD domain controllers already own 10.in-addr.arpa, they
> refuse to allow us to configure conditional forwarding for its
> subdomains. So we delegated the subdomains to the inbound endpoints.
> Because they are delegations, the domain controllers set the recursion
> desired flag to 0
David Alexandre M. de Carvalho wrote:
>
A few hints and tips...
> my named.conf already has the following:
>
> dnssec-enable yes;
You don't need this because it's on by default :-)
> dnssec-lookaside auto;
You want to remove this because the DNSSEC lookaside validation service
Jim Popovitch via bind-users wrote:
>
> update-policy {grant webserver-tsig-key wildcard _acme-challenge.* TXT;};
Sadly in the DNS a wildcard * can only occur as the leftmost label in a name.
RFC 4592 has more than you ever wanted to know about DNS wildcards. It's
not pretty.
Shumon Huque wrote:
>
> The implication is that "ignore" also means set the response code to
> NOERROR. Although, I suppose CNAME related UPDATE processing could have
> been special cased to return an error code like YXRRSET (even without a
> specified prerequisite clause).
Ah, yes, now you menti
Petr Bena wrote:
>
> The problem with this approach is that it's not atomic.
That's the point of the prerequisite section! You can package up the
atomicity checks and updates into one request. You will have to deal with
concurrent update clashes in some way, but that's true for any system that
ha
Petr Bena wrote:
>
I think your approach of using standard protocols (DNS queries and
updates) to edit zones is very good!
> Is there any alternative to nsupdate, something that can work with XML
> or JSON payloads or provide output in such machine parseable format?
I've done a lot with wrappin
Gabriel Gbs wrote:
> In case that this is not possible out of the box, where should I start in
> source code doing some modifications or workarounds?
Have a look in lib/dns/dst_* and lib/dns/openssl_*
Alan Batie wrote:
>
> I'm letting named do the automatic signing/generation of RRSIG records,
> but unless I'm missing something, you still have to generate the DNSKEY
> records manually. dnssec-verify is the tool in question complaining
> about not including RSASHA1 keys and signatures.
Oh whoo
Alan Batie wrote:
>
> That was my thought, but the tools complain about not having both...
[snip]
> Still working out which ones it thinks are missing, as both appear to be
> there - it would be nice if the tool was more specific...
If you are doing an algorithm rollover, you should have 2 keys
von Dein, Thomas wrote:
>
> we're seeing a lot of malformed dns queries to our recursive nameservers
> like these:
[snip queries for notification. / antivirusix. / kubeinspect. /
organization. / history. / go-kms. ]
> Obviously these clients (there are many) are misconfigured in some weird
> way
Alan Batie wrote:
>
> This is timely as I was about to ask if there's any reason to generate
> SHA1 DNSKEY records? I should think that anything I care about can
> handle SHA256 these days...
There are extremely strong reasons for NOT generating SHA1 DNSKEY records!
https://www.dns.cam.ac.uk/ne
Shaun via bind-users wrote:
>
> The 9.16.0 version of delv seems to have trouble reading the root trust
> anchor from the bind.keys file.
I see this too. The bug is that dns_client_addtrustedkey() has a buffer
for parsing DNSKEY or DS records, but it's only big enough for DS.
diff --git lib/dns/
Erich Eckner wrote:
>
> is it possible to set up a zone in bind similar to a http(s) reverse
> proxy:
You're looking for dnsdist https://dnsdist.org/
Scott A. Wozny wrote:
>
> Failures aside, I’m worried about creating a bad user experience EVERY
> time I need to take a DNS server down for patching.
I generally let resolvers handle retry/failover when I'm patching my
authoritative servers. Each resolver that encounters an authoritative
server
Branko Mijuskovic wrote:
>
> But I'm curious, do you know does BIND failover to TCP if UDP timeouts
> during DNSKEY fetching?
Dunno. I have blocked both UDP and TCP on my hidden primary, and it is
refreshing its trust anchors via my recursive servers OK, so it is not
something I have had to worry
Branko Mijuskovic wrote:
>
> We have an authoritative DNS hidden master (bind-9.11.4-9) running behind
> the network where outgoing UDP traffic to unlisted IPs is blocked.
>
> We are using DNSSEC and I've noticed that we are getting following errors
> in the bind9 logfile: 'managed-keys-zone/defau
Matthew Richardson wrote:
> Having upgraded to 9.11.15 I am still seeing similar problems, where some
> zones stop updating their signatures.
I recently had a signing problem on my toy server which I think was
caused by a cockup with `rndc freeze`. It was not easy to get named to
re-start re-sig
mail-list-us...@materna.de wrote:
>
> I am trying to use $INCLUDE in zones, but getting the error
> "dns_master_load: file not found". My main zone:
The problem might be that the $INCLUDE file name is relative to the
server's working directory, not relative to the main zone file.
Matus UHLAR - fantomas wrote:
>
> unfortunately this happens when you decide to mirror root zone and it fails.
>
> you should use more primary servers when possible and change root zone
> type from secondary to hint if it fails.
In this particular case, adding more primaries would not have helped
Petr Bena wrote:
>
> Why is this? Is that normal or a bug?
It's because wildcards in the DNS are crazy and totally abnormal, but
sadly ossified tradition means it cannot be considered a bug. (It's also
intimately tied up with the subtle semantics of NXDOMAIN, and rigidly
enforced by DNSSEC.) It's
Warren Kumari wrote:
> von Dein, Thomas wrote:
> >
> > Does anyone have an idea, what's wrong here and how I could possibly fix
> > this?
>
> This sounds very much like a path MTU issue -- it starts the transfer,
> gets part of the way and then a big packet doesn't make it through...
I wondered
Milan Jeskynka Kazatel wrote:
>
> could someone, please, help me with diagnostics, how can I check how many
> records are signed per cycle?
I looked at my zone transfer logs, which give the size of each IXFR
following a zone update. If you don't have any ixfr logs, then you can use
`named-journal
Milan Jeskynka Kazatel wrote:
>
> Then how to achieve to resign the whole zone in one step? Which config
> option should be affected?
I don't believe that is possible with automatic signing. You can do it
yourself with `dnssec-signzone` but that's fiddly and error-prone.
Milan Jeskynka Kazatel wrote:
>
> Why does Bind keep resign zone in a loop over and over in a few minutes?
It only signs a few records at a time to avoid eating all your CPU (my
server seems to average 53 records at a time, coincidentally). It spreads
out re-signing according to the sig-validity-
Grant Taylor via bind-users wrote:
> On 1/20/20 9:06 AM, N. Max Pierson wrote:
>
> > I was not aware there was anything built in that would let you
> > add/remove/change the zone itself from the master.
>
> Yes, Catalog Zones. I think it's only a few years old.
Catalog zones are for automatic co
Brian J. Murrell wrote:
>
> But the hosts on Network 1 and Network 2 need to resolve the same name
> (let's call it "gateway") to the address of their interface on Router.
> So that is, hosts on Network 1 want a query of "gateway." to resolve to
> 192.168.1.254 and hosts on Network 2 want a query
Itay Alayoff wrote:
>
> There is something I can't figure out, What the Red Black Tree DB is used
> for and what the ADB is used for? Is there a relationship between the two?
The rbtdb holds authoritative zone files and the resolver cache.
The adb is used for dynamic information about other serv
Itay Alayoff wrote:
> I'd like to know where is the policy eviction currently implemented?
The way I answer questions like this is to start from the configuration
options, and working my way from bin/named/server.c (where the parsed
config file is processed) I trace through to find the code that
Dns Admin wrote:
>
> ./configure -h
>
> Will give you list of the available options.
Yes, and there's a bit more information in the README
https://gitlab.isc.org/isc-projects/bind9/blob/master/README.md#opts
Fred Morris wrote:
> Regarding case, in any case (pardon the pun) case is not guaranteed.
> Especially regarding dynamic updates, your case will not be preserved
> (and maybe I fat-fingered and left caps lock on once upon a time without
> realizing it) in the authoritative zone.
Well, it's a bit
Lars Kollstedt wrote:
>
> for more information about this see
>
> https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
>
> and
>
> https://indico.dns-oarc.net/event/20/contributions/265/attachments/254/471/ISC-case-sensitivity.pdf
Yes. And one prominent resolver that implements this is unbou
Champion Xie wrote:
>
> When I use the catalogzone function to automatically add zones, I found
> from the slave server that the zone files are not stored according to the
> custom path, but are stored in the directory defined in options. the
> service is started by chroot
I have
options {
mail-list-us...@materna.de wrote:
>
> server 127.0.0.1
> debug no
> zone testoverride
> update add zzz.google.de 604800 A 127.0.0.1
> send
The problem is that nsupdate needs fully-qualified domain names - you
can't omit the zone name like you can in zone files. So your script needs
to be
zone te
Md. abdullah Al naser via bind-users wrote:
> But I want to do like this, the dns queries from 192.168.10.0/24 blocks
> will be matched with RPZ zone and other requests from rest of IPs will
> bypass the RPZ configuration and will match my general "allow-query
> {any;}" statement mentioned in nam
Alessandro Vesely wrote:
>
> It doesn't seem to happen every day, but can happen again on the next day.
> Can
> the period be controlled?
It depends on the size of the zone (bigger zone -> more frequent updates),
how widely scattered the RRSIG expiry times are (which depends on how the
zone is u
Erich Eckner wrote:
>
> To my understanding, the difference between "forward first;" and "forward
> only;" is, that the former caches and the latter forwards all queries.
> However, I see the same behaviour in the log for both. Where is my mistake?
My understanding is that first vs. only is relat
Erich Eckner wrote:
> I have also a hard time, generating some useful debug output
> - setting `-d 9` does not give additional information in the system log.
You might find it is being written to the file named.run in named's
working directory (this is the default_debug logging channel
configura
Erich Eckner wrote:
>
> However, I encounter the issue here:
> https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html
If you are running 9.14 (or newer) you can use the validate-except
configuration option. In older versions you can use `rndc nta` but
that is very inconvenient i
Matthew Richardson wrote:
> What "category" should one be logging in order to get details of DNSSEC
> inline signing when running Bind 9.8.11?
I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has
been unsupported for ages.
Yes, there is not very much logging automatic zone sig
Chris Thompson wrote:
>
> Don't hold your breath.
Indeed, I put those Barclays nameservers in our noedns list on 2017-07-14
(tho I have also not really tried to get them fixed, despite Barclays
being our bank)
Computerisms Corporation wrote:
>
> yes, I understand that I can't have them in the same zone (ie in the same
> domain name). but not trying that here. I want the CNAME for
> firstdomain.com to point to a TXT record at seconddomain.com
There aren't any gotchas here, what you are trying to do ju
John W. Blue wrote:
> Additionally, Tony Finch back on July 11th of this year suggested:
It's so nice when people do the dirty work for me :-)
Nguyen Huy Bac wrote:
> So, my question is: Can and How to remove @0x in my
> log query message.
There is no convenient way. You have to apply this patch:
diff --git a/lib/ns/client.c b/lib/ns/client.c
index f16ece8c49..7861f12084 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -4066,8 +4
Erich Eckner wrote:
>
> I'm undecided whether they're authoritative or not. On one hand, they are
> distributed via DHCP as default DNS servers, speaking for "recursive", on
> the other hand, they have matching SOA records (and I think, that means,
> they're authoritative) - maybe they're both?
I
Erich Eckner wrote:
>
> 1. Set a custom query-source (the one of the vpn interface) for that
> second-level domain. (This would also be applied to all subdomains thereof,
> right?)
>
> 2. Overwrite (by rpz?) the name-servers for that domain to the (somehow
> obtained) internal nameservers (they di
Ritah Mulinde wrote:
> kindly post the procedure for enabling dnssec on bind 9.9.6 running on
> OpenSuse 13.2.
Have a look at https://www.isc.org/dnssec/ especially the "BIND DNSSEC
guide" linked at the bottom.
rams wrote:
> How to configure "minimal-responses" option at zone level?
You can only configure it per view or in the global options.
The named.conf(5) man page lists all the options and where they can
appear. It is generated from the configuration file parsing code so
you can trust its correct
Robert Senger via bind-users wrote:
>
> Which one is true? I only need the source address to be set (both UDP
> and TCP, for source-based routing of DNS queries), not the port.
TCP queries use the query-source address unless
BROKEN_TCP_BIND_BEFORE_CONNECT is set ...
https://gitlab.isc.org/isc-pr
CpServiceSPb . wrote:
> So how do I change Bind9, what and where do I set up, and what setting
> makes Bind9 send the forwarded packet via the WAN interface but use
> the address it is bound to, or the internal one, if it is bound to 127.0.0.1 and
> 192.168.0.1?
Have you tried the query-source
jean-christophe manciot wrote:
> However, if I increment the serial number (SN) on the primary from
> 2019101614 to 2019101709 and order a retransfer on the secondary with "rndc
> retransfer sdxlive.com", I get in the logs:
> *on the primary*:
>
> (serial 2019101614)
Did you `rndc reload sdxlive
jean-christophe manciot wrote:
wow something has chewed up your message and vomited it out again but some
of the remnants are vaguely legible...
> - the debug log shows that the zone transfer has *successfully* taken place
> on the primary towards the secondary server:
>
> - actually, the zone t
Jukka Pakkanen wrote:
> Having these *error* messages in the syslog when restarting the
> service... guess they are not too harmful, but why exactly is this
> coming:
>
> zone qnet.fi/IN (signed): receive_secure_serial: unchanged
This can happen in the following code, which suggests to me that
John W. Blue wrote:
>
> Nothing prevents anyone from using DNSSEC internally but, as I
> understand it, that was not the intent.
I'm a relative newcomer having only done DNSSEC for about 10 years (so
I wasn't around until most of the design arguments were settled), but I
don't remember seeing any
Evan Hunt wrote:
>
> There's a way now for a signed domain to send an in-band signal to its
> parent that the DS RRset needs updating. A new tool "dnssec-cds" is
> available to help with this. AFAIK this mechanism hasn't been adopted by
> any TLDs yet, but may be of interest anyway.
.ch https://w
Mark Elkins wrote:
>
> 2) When a Zone is signed, you will be given some DS Records - which need to be
> passed on for inclusion into the Parent Zone. Currently, BIND creates two DS
> keys.
> You'll find them inside "dsset-Zone.being.signed".
... if you are using dnssec-signzone, but I would not r