> On 13 Apr 2023, at 06:44, Mark Andrews wrote:
>
>
>
>> On 13 Apr 2023, at 03:19, Fred Morris wrote:
>>
>> TLDR: NS records occur above and below zone cuts.
>>
>> On Wed, 12 Apr 2023, John Thurston wrote:
>>>
>>> We have autho
On 13/04/2023 5:58 am, Havard Eidnes via bind-users wrote:
I suspect you don't need the NS records in challenge.state.ak.us and
if you remove them then the records in challenge.state.ak.us are
simply part of the state.ak.us zone since they're served off of the
same server.
Unfortunately
> On 13 Apr 2023, at 03:19, Fred Morris wrote:
>
> TLDR: NS records occur above and below zone cuts.
>
> On Wed, 12 Apr 2023, John Thurston wrote:
>>
>> We have authority over state.ak.us, which we publish as a public zone. We
>> also publish chall
> I suspect you don't need the NS records in challenge.state.ak.us and
> if you remove them then the records in challenge.state.ak.us are
> simply part of the state.ak.us zone since they're served off of the
> same server.
Unfortunately "not quite".
While a publishing na
it'll matter when you decide to add DNSSEC to the zone, and it's also
good hygiene in the absence of DNSSEC so that any future maintainer
can be reminded that there is a subdomain at that name when looking at
the parent.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
TLDR: NS records occur above and below zone cuts.
On Wed, 12 Apr 2023, John Thurston wrote:
We have authority over state.ak.us, which we publish as a public zone. We
also publish challenge.state.ak.us as a public zone.
The public NS records for state.ak.us are: ns4.state.ak.us and
ns3
I uncovered an oddity in my zone definitions, which I'm trying to wrap
my head around.
We have authority over state.ak.us, which we publish as a public zone.
We also publish challenge.state.ak.us as a public zone.
The public NS records for state.ak.us are: ns4.state.ak.us and
ns3
; minimum
> @ DNAME 8m.local.
>
> But when I start bind, I got error:
>
> Jun 19 09:13:38 dns1.local bash[28971]: zone local/IN: has no NS records
> Jun 19 09:13:38 dns1.local bash[28971]: zone local/IN: not loaded due to
> errors.
> Jun 19 09:13:3
; minimum
@ DNAME 8m.local.
But when I start bind, I got error:
Jun 19 09:13:38 dns1.local bash[28971]: zone local/IN: has no NS records
Jun 19 09:13:38 dns1.local bash[28971]: zone local/IN: not loaded due to errors.
Jun 19 09:13:38 dns1.local bash[28971]: internal-view/local/IN: bad zon
On 26.04.18 15:18, Lucio Crusca wrote:
Until a few hours ago, I had several domains and 3 nameservers for them:
ns1.virtualbit.it (master, 136.243.232.142)
ns11.virtualbit.it (slave, 158.69.210.19)
ns2.virtualbit.it (slave, 136.243.232.143)
Nameservers A records ERROR: Some of your DNS
omain
>
>
>
>
>
> --
> *From:* bind-users <bind-users-boun...@lists.isc.org> on behalf of Lucio
> Crusca <lucio.cru...@gmail.com>
> *Sent:* Thursday, April 26, 2018 3:18 PM
> *To:* bind-users@lists.isc.org
> *Subject:* problems chang
Lucio Crusca wrote:
> Until a few hours ago, I had several domains and 3 nameservers for them:
>
> ns1.virtualbit.it (master, 136.243.232.142)
> ns11.virtualbit.it (slave, 158.69.210.19)
> ns2.virtualbit.it (slave, 136.243.232.143)
Oh dear, this is a bit of a rabbit
Crusca
<lucio.cru...@gmail.com>
Sent: Thursday, April 26, 2018 3:18 PM
To: bind-users@lists.isc.org
Subject: problems changing NS records
Until a few hours ago, I had several domains and 3 nameservers for them:
ns1.virtualbit.it (master, 136.243.232.142)
ns11.
file "/var/lib/bind/acquaritalia.it.db";
};
and so on for all other zones.
3) I updated the NS records in the zone files, and in the control panel of
the domain registrar
Now all the domains have problems. IntoDNS reports:
"
Nameservers A records ERROR: Some of you
actors.
I thought hidden master configurations did not include the MNAME server
in any of the published NS records in the zone or registered with the
registrar (or parent zone).
So, I don't see the MNAME being related to (poorly named?) "stealth"
name servers if it's not included
> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
> Darcy Kevin (FCA)
> Sent: Wednesday, 4 April 2018 7:42 AM
> To: bind-users@lists.isc.org
> Subject: [EXTERNAL] RE: Stealth NS records
>
> "Stealth" implies something th
"Stealth" implies something that isn't seen in the normal course of activity,
so it's really the *wrong* word to use here, since the apex NS records are seen
during normal iterative resolution, and in fact the apex NS records take
precedence over the delegated NS records in the se
On 30.03.18 15:44, PANG J. wrote:
I saw a zone check on intodns.com shows,
Stealth NS records were sent:
ns2.xxx.com
ns1.xxx.com
So what's a stealth NS record?
http://massivedns.com/blog/dns-report-tutorials/what-are-stealth-ns-records/
maybe I could explain more deeply if you have sent
I saw a zone check on intodns.com shows,
Stealth NS records were sent:
ns2.xxx.com
ns1.xxx.com
So what's a stealth NS record?
thanks.
On Thu, Jul 13, 2017 at 8:39 PM, wrote:
> Hi Bob:
>
> These examples help! Thank you.
>
> On Thu 7/13/17 15:53 -0400 Bob Harold wrote:
> > Let's illustrate one NS record, for each of the cases:
> > (I think your case is #2)
> >
> > 1. Name server name inside the domain itself
> >
-evans ] [
https://github.com/jakedevans ] [ https://keybase.io/jacobdevans ]
- Original Message -
From: "Niall O'Reilly" <niall.orei...@ucd.ie>
To: "bind-users" <bind-users@lists.isc.org>
Sent: Friday, July 14, 2017 2:40:49 PM
Subject: Re: delegation NS reco
On 14 Jul 2017, at 14:07, b...@zq3q.org wrote:
> only a single **delegation** NS record
> needed
Actually, there should be two or more, and their IP addresses
should belong to different networks.
RFC1034, section 4.1:
A given zone will be available from several name servers to insure its
Yesterday, Niall corrected me off list. Hopefully what I write below is
now correct:
Assume our nameserver SOA and related authoritative NS record are in
the zone w/ $ORIGIN "example.com.". Regardless of what the FQDN for
the nameserver itself is, only a single **delegation** NS
On 13.07.17 19:39, b...@zq3q.org wrote:
Interesting. I think the glue record make sense.
I'm not planning to do this. :->
I do not see any delegation NS record for otherdomain.com above.
Is this right?:
TLD com zone:
example.com IN NS ns.otherdomain.com
ns.example.com IN A
Hi Bob:
These examples help! Thank you.
On Thu 7/13/17 15:53 -0400 Bob Harold wrote:
> Let's illustrate one NS record, for each of the cases:
> (I think your case is #2)
>
> 1. Name server name inside the domain itself
>
> example.com zone:
> example.com IN NS ns.example.com
> ns.example.com
> Short answer: just no.
> >
> > Long answer: not unless either of your servers is providing name service
> for
> > the zone that the nameserver itself is in. As I understand from your
> > original message, this is not the case, so just no.
>
> Thanks much!
>
> --
>
hat the nameserver itself is in. As I understand from your
> original message, this is not the case, so just no.
Thanks much!
--
Check my comprehension:
So, **delegation** NS records are only needed in the zone which has an $ORIGIN,
which is 1 level up from the $ORIGIN in the zone that
> > example.org and then used RPZ to create a CNAME for foo.example.com
> > pointing to foo.example.org
> >
> >
> > Anyway, with the NS records, I got an assertion failure:
> > 10-Jun-2016 15:49:58.584 client 10.10.207.244#49952 (foo.example.com
> > <http://sts.aust
NS ns2.example.org
>
>
> My goal was to redirect queries to a load balancer serving
> foo.example.com A records. I should have created the glue in
> example.org and then used RPZ to create a CNAME for foo.example.com
> pointing to foo.example.org
>
>
y rfc that a tld zone should have at least two ns records when
> we
> > create the tld zone
>
> RFC 1034 Section 4.1
>
> A given zone will be available from several name servers to insure its
> availability in spite of host or communication link failure. By
> administra
On 6 March 2016 at 04:08, rams <brames...@gmail.com> wrote:
> Is there any rfc that a tld zone should have at least two ns records when we
> create the tld zone
RFC 1034 Section 4.1
A given zone will be available from several name servers to insure its
availability in s
Is there any rfc that a tld zone should have at least two ns records when we
create the tld zone
Thanks & regards,
Ramesh
Hello.
I would like to resolve this problem:
- I have a child DNS zone served by my ISP slave name server;
- the parent zone is served by my ISP master name server;
- the question is - how and with what tools (dig, host, nslookup, or
maybe C or Perl libs) can I verify the NS glue records in the
(dig, host, nslookup, or
maybe C or Perl libs) can I verify the NS glue records in the parent
zone of my ISP (zone transfers are denied)?
The delegation NS records (i.e., the NS records in the parent zone) cannot
be determined using simple queries because the parent zone is also
authoritative
Hi Casey.
Thank you for the explanation.
I'm sorry for the misleading Subject of this thread, of course I meant
delegation NS records.
I understand from your reply that there are no technical means, tools,
etc for verifying delegation NS records in the parent zone if the child
and parent zone
Hi Alexei,
On Fri, Dec 5, 2014 at 2:31 PM, Alexei Malinin alexei.mali...@mail.ru
wrote:
Thank you for the explanation.
I'm sorry for the misleading Subject of this thread, of course I meant
delegation NS records.
No problem. I knew what you meant :)
I understand from your reply
I meant
delegation NS records.
No problem. I knew what you meant :)
I understand from your reply that there are no technical means, tools,
etc for verifying delegation NS records in the parent zone if the child
and parent zone are on the same authoritative name server and zone
On 12/05/14 23:33, Mark Andrews wrote:
...
With all this said a RFC 2317 parent really should let their zone
be transferred as the child zone administrator needs a local copy
of the zone for when their external link goes down. If they do not
have a local copy then reverse lookups will fail
In message 548223dd.2050...@mail.ru, Alexei Malinin writes:
On 12/05/14 23:33, Mark Andrews wrote:
...
With all this said a RFC 2317 parent really should let their zone
be transferred as the child zone administrator needs a local copy
of the zone for when their external link goes down.
Hello,
Using BIND 9.9.3 I have been trying to do a little testing to see if we
can modify the response for NS records. I have a test server which is a
stealth secondary for our 'plymouth.ac.uk' zone. The name servers for
the zone are 'dns0.plymouth.ac.uk' and 'dns1.plymouth.ac.uk'.
So, 'dig
On Fri, 2013-06-21 at 17:11 +0100, John Horne wrote:
My understanding is that RPZ can do this, but I just cannot seem to
configure the RPZ zone file to enable this. The zone file contains:
=
$TTL 1H
@ SOA LOCALHOST. hostmaster.plymouth.ac.uk (1 1h
15m 30d 2h)
From: John Horne john.ho...@plymouth.ac.uk
dns1.plymouth.ac.uk.rpz-nsdomain CNAME *.
But the example zone file further down the page has the example:
ns.domain.com.rpz-nsdname CNAME .
So is 'rpz-nsdomain' wrong then in the zone file and 'rpz-nsdname'
should be used
servers you need the glue records.
That's true, and it also becomes a problem when you want to sign the zones with
DNSSEC; if there's no NS record in the parent, there can't be a chain of trust
from the parent to the child. Assuming that you'll someday want to sign
toto.be, you should put the parent NS
Am I missing something, or are the hu NS records incomplete?
dig d.hu +trace
;; AUTHORITY SECTION:
hu. 86400 IN NS e.hu.
hu. 86400 IN NS ns-se.nic.hu.
hu. 86400
On Thu, Jul 28, 2011 at 01:18:29PM -0700,
Carl Byington c...@byington.org wrote
a message of 35 lines which said:
dig: couldn't get address for 'b.hu': not found
Strange. It works for me.
b.hu. 86292 IN A 193.239.149.3
If I use dig NS domain name I know I will see the NS records for the domain.
I know I can do the same thing for other RR types. In the case where a zone
file has RR records that define delegation for subdomains why can't I use this
dig command to see those delegations? I assume this is easy
On Fri, 12 Nov 2010, M. Meadows wrote:
If I use dig NS domain name I know I will see the NS records for the
domain. I know I can do the same thing for other RR types. In the case
where a zone file has RR records that define delegation for subdomains why
can't I use this dig command to see
Hi All: I think this is a little OT, but I’m wondering why changes to my NS
records aren’t propagating when my NS is authoritative for my domain?
enigmedia.com is registered at NetSol and delegated to my NS:
ns.enigmedia.com (running on bind9/fedora)
ns1.enigmedia.com (running on bind9/Freebsd
On Oct 4 2010, online-reg wrote:
Hi All: I think this is a little OT, but I'm wondering why changes to
my NS records aren't propagating when my NS is authoritative for my domain?
enigmedia.com is registered at NetSol and delegated to my NS:
ns.enigmedia.com (running on bind9/fedora)
ns1
this is a little OT, but I’m wondering why changes to my NS
records aren’t propagating when my NS is authoritative for my domain?
enigmedia.com is registered at NetSol and delegated to my NS:
ns.enigmedia.com (running on bind9/fedora)
ns1.enigmedia.com (running on bind9/Freebsd)
Global TTL is 3h
On 04/10/2010 16:01, online-reg wrote:
Hi All: I think this is a little OT, but I’m wondering why changes to
my NS records aren’t propagating when my NS is authoritative for my
domain?
enigmedia.com is registered at NetSol and delegated to my NS:
ns.enigmedia.com (running on bind9/fedora
Hi All: I think this is a little OT, but I'm wondering why changes to
my NS records aren't propagating when my NS is authoritative for my
domain?
enigmedia.com is registered at NetSol and delegated to my NS:
ns.enigmedia.com (running on bind9/fedora)
ns1.enigmedia.com (running on bind9
Date: Mon, 04 Oct 2010 17:29:33 +0200
From: Anand Buddhdev ana...@ripe.net
Sender: bind-users-bounces+oberman=es@lists.isc.org
On 04/10/2010 16:01, online-reg wrote:
Hi All: I think this is a little OT, but I’m wondering why changes to
my NS records aren’t propagating when my
wondering why changes to my NS
records aren’t propagating when my NS is authoritative for my domain?
enigmedia.com is registered at NetSol and delegated to my NS:
ns.enigmedia.com (running on bind9/fedora)
ns1.enigmedia.com (running on bind9/Freebsd)
Global TTL is 3h and TTL for the “NS1” record
[I apologize in advance if this is a double post. I'm not sure if my
original went through]
I was implementing ISC Bind 9.5 at a client site last month and had a single
zone that accepted DDNS updates only from the ISC DHCP service.
The environment consisted of a Master BIND server and almost
It probably has something to do with the packet size. You can't easily fit 25
NS records into a 512 byte UDP packet.
You really don't want to have more than 8 published NS records for most
purposes.
Chris Buxton
BlueCat Networks
On Sep 20, 2010, at 2:30 PM, Christopher Cain wrote:
[I
After specifying MX records for a 2nd tier domain, is it necessary to
restate the MX records for a new $ORIGIN? For example, if I have:
$ORIGIN .
...
IN MX 10 mx1.example.com.
IN MX 10 mx2.example.com.
IN MX 10
-users@lists.isc.org
Subject: Questions regarding global MX and NS records
After specifying MX records for a 2nd tier domain, is it necessary to
restate the MX records for a new $ORIGIN? For example, if I have:
$ORIGIN .
...
IN MX 10 mx1.example.com
) for each website, rather
than a delegation per website.
Also, aliasing things this way allows the GSS to respond sanely with
SOA/NS records for the delegated zone (lb.example.com), when the GSS is
configured properly to proxy non-A queries to the servers of a shadow
version of the zone. If you
) for each website, rather
than a delegation per website.
Also, aliasing things this way allows the GSS to respond sanely with
SOA/NS records for the delegated zone (lb.example.com), when the GSS
is configured properly to proxy non-A queries to the servers of a
shadow version of the zone
Hi all,
Does anyone know what algorithm BIND uses to order the NS records in a
DNS reply? e.g.
dig @66.6.49.217 NS yahoo.com
yahoo.com. 160275 IN NS ns6.yahoo.com.
yahoo.com. 160275 IN NS ns8.yahoo.com.
yahoo.com. 160275
Successive queries give different orderings of nameservers. I thought
it was decreasing RTT order, but wanted to confirm.
It's configurable (see the documentation of the rrset-order statement
for details), but in this particular case it appears to be round-robin.
Successive queries give me
Well, the zone is publishing NS records that all return REFUSED when I
query them, so from my point of view the whole domain is broken.
The *best* approach here is to contact the domain admin and get them to
fix it.
In the absence of that, how to circumvent it? ns1.ecb.int apparently
Hi,
We have a recurring problem with recursive domain resolution using a
bind 9.6 caching server. An example of such a zone is ecb.eu. The
problem seems due to a misconfiguration on their side where all the
(supposedly authoritative) NS records listed in their zone file do not
answer requests
authoritative) NS records listed in their zone file do not
answer requests to resolve ecb.eu hosts. This prevents us from resolving
anything under the domain after that the NS records are cached (the
first query goes through as the GLUE record seems to work). The
interesting thing is that it works
to the child.
Thanks!
jwc
-Original Message-
From: Alan Clegg [mailto:alan_cl...@isc.org]
Sent: Saturday, March 28, 2009 8:42 AM
To: Cherney John-CJC030
Cc: bind-us...@isc.org
Subject: Re: Lookup of delegation NS records
Cherney John-CJC030 wrote:
Is it possible to use nslookup
-Original Message-
From: Alan Clegg [mailto:alan_cl...@isc.org]
Sent: Saturday, March 28, 2009 8:42 AM
To: Cherney John-CJC030
Cc: bind-us...@isc.org
Subject: Re: Lookup of delegation NS records
Cherney John-CJC030 wrote:
Is it possible to use nslookup or dig to look up delegation records
John-CJC030
Cc: bind-us...@isc.org
Subject: Re: Lookup of delegation NS records
Cherney John-CJC030 wrote:
Is it possible to use nslookup or dig to look up delegation records? I
can use them to get the nameservers for a particular domain, but I
also want to see the nameservers it would
Is it possible to use nslookup or dig to look up delegation records? I
can use them to get the nameservers for a particular domain, but I also
want to see the nameservers it would delegate to. So far, the only way I
can figure out to do that is to parse the actual db file.
Thanks,
jwc
2009/3/28 Cherney John-CJC030 john.cher...@motorola.com
Is it possible to use nslookup or dig to look up delegation records? I
can use them to get the nameservers for a particular domain, but I also want
to see the nameservers it would delegate to. So far, the only way I can
figure out to do
I inherited a Bind DNS server set up for a company that runs a number
of web sites. I'm in the process of cleaning up the zone files and
adding additional slave DNS servers and I haven't got my head around
NS records yet. When a domain is registered you specify what DNS
servers will be providing
Date: Wed, 26 Nov 2008 21:09:53 +0100 (CET)
To: [EMAIL PROTECTED]
Subject: Re: rfc1918 ns records coming from internet are queried?
From: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
A border router knows what is inside and outside your network, while
a DNS server does not. Important
I'm looking for a way to set a policy that named won't query
rfc1918 nameserver addresses returned from a non-rfc1918 query. Would this be
a bad policy?
You could use netmasks with your server statements, like this:
server 10.0.0.0/8 {
bogus yes;
};
server 172.16.0.0/12 {
On Nov 26, 2008, at 11:49 AM, David Sparks wrote:
However, if you're concerned, it's pretty easy to set up a more secure
infrastructure. Put a resolver (resolving name server) at the edge of
your network (in a DMZ, presumably) that knows nothing of internal
domains (nor IP address space). It
A border router knows what is inside and outside your network, while
a DNS server does not. Important difference.
You're missing the point. This is not about inside and outside networks, it
is about rfc1918 responses from internet queries.
I'm afraid I have seen too many organizations
Problem: when querying asdf.ad.rice.edu, bind sends queries into my local
network (specifically to 10.129.92.100, which is not a ns) which I find
undesirable.
Is there any way to disable this behavior? Is it expected that bind queries
rfc1918 nameserver addresses from non-rfc1918 queries? I
76 matches