Re: Delegation NS-records when zones share an authority server

2023-04-12 Thread Mark Andrews
> On 13 Apr 2023, at 06:44, Mark Andrews wrote: > > > >> On 13 Apr 2023, at 03:19, Fred Morris wrote: >> >> TLDR: NS records occur above and below zone cuts. >> >> On Wed, 12 Apr 2023, John Thurston wrote: >>> >>> We have autho

Re: Delegation NS-records when zones share an authority server

2023-04-12 Thread Nick Tait via bind-users
On 13/04/2023 5:58 am, Havard Eidnes via bind-users wrote: I suspect you don't need the NS records in challenge.state.ak.us and if you remove them then the records in challenge.state.ak.us are simply part of the state.ak.us zone since they're served off of the same server. Unfortunately

Re: Delegation NS-records when zones share an authority server

2023-04-12 Thread Mark Andrews
> On 13 Apr 2023, at 03:19, Fred Morris wrote: > > TLDR: NS records occur above and below zone cuts. > > On Wed, 12 Apr 2023, John Thurston wrote: >> >> We have authority over state.ak.us, which we publish as a public zone. We >> also publish chall

Re: Delegation NS-records when zones share an authority server

2023-04-12 Thread Havard Eidnes via bind-users
> I suspect you don't need the NS records in challenge.state.ak.us and > if you remove them then the records in challenge.state.ak.us are > simply part of the state.ak.us zone since they're served off of the > same server. Unfortunately "not quite". While a publishing na

Re: Delegation NS-records when zones share an authority server

2023-04-12 Thread tale via bind-users
it'll matter when you decide to add DNSSEC to the zone, and it's also good hygiene in the absence of DNSSEC so that any future maintainer can be reminded that there is a subdomain at that name when looking at the parent. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe

Re: Delegation NS-records when zones share an authority server

2023-04-12 Thread Fred Morris
TLDR: NS records occur above and below zone cuts. On Wed, 12 Apr 2023, John Thurston wrote: We have authority over state.ak.us, which we publish as a public zone. We also publish challenge.state.ak.us as a public zone. The public NS records for state.ak.us are: ns4.state.ak.us and ns3

Delegation NS-records when zones share an authority server

2023-04-12 Thread John Thurston
I uncovered an oddity in my zone definitions, which I'm trying to wrap my head around. We have authority over state.ak.us, which we publish as a public zone. We also publish challenge.state.ak.us as a public zone. The public NS records for state.ak.us are: ns4.state.ak.us and ns3

Re: Zone with DNAME has no NS records

2020-06-19 Thread Mark Andrews
; minimum > @ DNAME 8m.local. > > But when I start bind, I got error: > > Jun 19 09:13:38 dns1.local bash[28971]: zone local/IN: has no NS records > Jun 19 09:13:38 dns1.local bash[28971]: zone local/IN: not loaded due to > errors. > Jun 19 09:13:3

Zone with DNAME has no NS records

2020-06-19 Thread Dev Op
; minimum @ DNAME 8m.local. But when I start bind, I got error: Jun 19 09:13:38 dns1.local bash[28971]: zone local/IN: has no NS records Jun 19 09:13:38 dns1.local bash[28971]: zone local/IN: not loaded due to errors. Jun 19 09:13:38 dns1.local bash[28971]: internal-view/local/IN: bad zon

Re: problems changing NS records

2018-04-26 Thread Matus UHLAR - fantomas
On 26.04.18 15:18, Lucio Crusca wrote: Until a few hours ago, I had several domains and 3 nameservers for them: ns1.virtualbit.it (master, 136.243.232.142) ns11.virtualbit.it (slave, 158.69.210.19) ns2.virtualbit.it (slave, 136.243.232.143) Nameservers A records ERROR: Some of your DNS

Re: problems changing NS records

2018-04-26 Thread Iván García
omain > > > > > > -- > *From:* bind-users <bind-users-boun...@lists.isc.org> on behalf of Lucio > Crusca <lucio.cru...@gmail.com> > *Sent:* Thursday, April 26, 2018 3:18 PM > *To:* bind-users@lists.isc.org > *Subject:* problems chang

Re: problems changing NS records

2018-04-26 Thread Tony Finch
Lucio Crusca wrote: > Until a few hours ago, I had several domains and 3 nameservers for them: > > ns1.virtualbit.it (master, 136.243.232.142) > ns11.virtualbit.it (slave, 158.69.210.19) > ns2.virtualbit.it (slave, 136.243.232.143) Oh dear, this is a bit of a rabbit

Re: problems changing NS records

2018-04-26 Thread Alberto Colosi
Crusca <lucio.cru...@gmail.com> Sent: Thursday, April 26, 2018 3:18 PM To: bind-users@lists.isc.org Subject: problems changing NS records Until a few hours ago, I had several domains and 3 nameservers for them: ns1.virtualbit.it (master, 136.243.232.142) ns11.

problems changing NS records

2018-04-26 Thread Lucio Crusca
file "/var/lib/bind/acquaritalia.it.db"; }; and so on for all other zones. 3) I updated the NS records in the zone files, and in the control panel of the domain registrar Now all the domains have problems. IntoDNS reports: " Nameservers A records ERROR: Some of you

Re: Stealth NS records

2018-04-04 Thread Grant Taylor via bind-users
actors. I thought hidden master configurations did not include the MNAME server in any of the published NS records in the zone or registered with the registrar (or parent zone). So, I don't see the MNAME being related to (poorly named?) "stealth" name servers if it's not included

RE: Stealth NS records

2018-04-03 Thread Browne, Stuart via bind-users
> -Original Message- > From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of > Darcy Kevin (FCA) > Sent: Wednesday, 4 April 2018 7:42 AM > To: bind-users@lists.isc.org > Subject: [EXTERNAL] RE: Stealth NS records > > "Stealth" implies something th

RE: Stealth NS records

2018-04-03 Thread Darcy Kevin (FCA)
"Stealth" implies something that isn't seen in the normal course of activity, so it's really the *wrong* word to use here, since the apex NS records are seen during normal iterative resolution, and in fact the apex NS records take precedence over the delegated NS records in the se

Re: Stealth NS records

2018-03-30 Thread Matus UHLAR - fantomas
On 30.03.18 15:44, PANG J. wrote: I saw a zone check on intodns.com shows, Stealth NS records were sent: ns2.xxx.com ns1.xxx.com So what's a stealth NS record? http://massivedns.com/blog/dns-report-tutorials/what-are-stealth-ns-records/ maybe I could explain more deeply if you have sent

Stealth NS records

2018-03-30 Thread PANG J.
I saw a zone check on intodns.com shows, Stealth NS records were sent: ns2.xxx.com ns1.xxx.com So what's a stealth NS record? thanks.

Re: delegation NS records

2017-07-17 Thread Bob Harold
On Thu, Jul 13, 2017 at 8:39 PM, wrote: > Hi Bob: > > These examples help! Thank you. > > On Thu 7/13/17 15:53 -0400 Bob Harold wrote: > > Let's illustrate one NS record, for each of the cases: > > (I think your case is #2) > > > > 1. Name server name inside the domain itself > >

Re: delegation NS records

2017-07-14 Thread Jacob via bind-users
-evans ] [ https://github.com/jakedevans ] [ https://keybase.io/jacobdevans ] - Original Message - From: "Niall O'Reilly" <niall.orei...@ucd.ie> To: "bind-users" <bind-users@lists.isc.org> Sent: Friday, July 14, 2017 2:40:49 PM Subject: Re: delegation NS reco

Re: delegation NS records

2017-07-14 Thread Niall O'Reilly
On 14 Jul 2017, at 14:07, b...@zq3q.org wrote: > only a single **delegation** NS record > needed Actually, there should be two or more, and their IP addresses should belong to different networks. RFC1034, section 4.1: A given zone will be available from several name servers to insure its

Re: delegation NS records

2017-07-14 Thread bind
Yesterday, Niall corrected me off list. Hopefully what I write below is now correct: Assume our nameserver SOA and related authoritative NS record are in the zone w/$ORIGIN "example.com.". Regardless of what the FQDN for the nameserver itself is, only a single **delegation** NS

Re: delegation NS records

2017-07-14 Thread Matus UHLAR - fantomas
On 13.07.17 19:39, b...@zq3q.org wrote: Interesting. I think the glue record make sense. I'm not planning to do this. :-> I do not see any delegation NS record for otherdomain.com above. Is this right?: TLD com zone: example.com IN NS ns.otherdomain.com ns.example.com IN A

Re: delegation NS records

2017-07-13 Thread bind
Hi Bob: These examples help! Thank you. On Thu 7/13/17 15:53 -0400 Bob Harold wrote: > Let's illustrate one NS record, for each of the cases: > (I think your case is #2) > > 1. Name server name inside the domain itself > > example.com zone: > example.com IN NS ns.example.com > ns.example.com

Re: delegation NS records

2017-07-13 Thread Bob Harold
> Short answer: just no. > > > > Long answer: not unless either of your servers is providing name service > for > > the zone that the nameserver itself is in. As I understand from your > > original message, this is not the case, so just no. > > Thanks much! > > -- >

Re: delegation NS records

2017-07-13 Thread bind
hat the nameserver itself is in. As I understand from your > original message, this is not the case, so just no. Thanks much! -- Check my comprehension: So, **delegation** NS records are only needed in the zone which has an $ORIGIN, which is 1 level up from the $ORIGIN in the zone that

Re: Assertion failure when RPZ zone returns NS records?

2016-06-11 Thread Mukund Sivaraman
> > example.org and then used RPZ to create a CNAME for foo.example.com > > pointing to foo.example.org > > > > > > Anyway, with the NS records, I got an assertion failure: > > 10-Jun-2016 15:49:58.584 client 10.10.207.244#49952 (foo.example.com > > <http://sts.aust

Re: Assertion failure when RPZ zone returns NS records?

2016-06-11 Thread Mukund Sivaraman
NS ns2.example.org > > > My goal was to redirect queries to a load balancer serving > foo.example.com A records. I should have created the glue in > example.org and then used RPZ to create a CNAME for foo.example.com > pointing to foo.example.org > >

Re: Ns records rfc

2016-03-05 Thread Warren Kumari
y rfc that a tld zone should have at least two ns records when > we > > create the tld zone > > RFC 1034 Section 4.1 > > A given zone will be available from several name servers to insure its > availability in spite of host or communication link failure. By > administra

Re: Ns records rfc

2016-03-05 Thread S Carr
On 6 March 2016 at 04:08, rams <brames...@gmail.com> wrote: > Is there any rfc that a tld zone should have at least two ns records when we > create the tld zone RFC 1034 Section 4.1 A given zone will be available from several name servers to insure its availability in s

Ns records rfc

2016-03-05 Thread rams
Is there any rfc that a tld zone should have at least two ns records when we create the tld zone Thanks & regards, Ramesh

DNS: how to verify glue NS records?

2014-12-05 Thread Alexei Malinin
Hello. I would like to resolve this problem: - I have a child DNS zone served by my ISP slave name server; - the parent zone is served by my ISP master name server; - the question is - how and with what tools (dig, host, nslookup, or maybe C or Perl libs) can I verify the NS glue records in the

Re: DNS: how to verify glue NS records?

2014-12-05 Thread Casey Deccio
(dig, host, nslookup, or maybe C or Perl libs) can I verify the NS glue records in the parent zone of my ISP (zone transfers are denied)? The delegation NS records (i.e., the NS records in the parent zone) cannot be determined using simple queries because the parent zone is also authoritative

Re: DNS: how to verify glue NS records?

2014-12-05 Thread Alexei Malinin
Hi Casey. Thank you for the explanation. I'm sorry for the misleading Subject of this thread, of course I meant delegation NS records. I understand from your reply that there are no technical means, tools, etc for verifying delegation NS records in the parent zone if the child and parent zone

Re: DNS: how to verify glue NS records?

2014-12-05 Thread Casey Deccio
Hi Alexei, On Fri, Dec 5, 2014 at 2:31 PM, Alexei Malinin alexei.mali...@mail.ru wrote: Thank you for the explanation. I'm sorry for the misleading Subject of this thread, of course I meant delegation NS records. No problem. I knew what you meant :) I understand from your reply

Re: DNS: how to verify glue NS records?

2014-12-05 Thread Mark Andrews
I meant delegation NS records. No problem. I knew what you meant :) I understand from your reply that there are no technical means, tools, etc for verifying delegation NS records in the parent zone if the child and parent zone are on the same authoritative name server and zone

Re: DNS: how to verify glue NS records?

2014-12-05 Thread Alexei Malinin
On 12/05/14 23:33, Mark Andrews wrote: ... With all this said a RFC 2317 parent really should let their zone be transferred as the child zone administrator needs a local copy of the zone for when their external link goes down. If they do not have a local copy then reverse lookups will fail

Re: DNS: how to verify glue NS records?

2014-12-05 Thread Mark Andrews
In message 548223dd.2050...@mail.ru, Alexei Malinin writes: On 12/05/14 23:33, Mark Andrews wrote: ... With all this said a RFC 2317 parent really should let their zone be transferred as the child zone administrator needs a local copy of the zone for when their external link goes down.

RPZ - how to modify NS records in answer?

2013-06-21 Thread John Horne
Hello, Using BIND 9.9.3 I have been trying to do a little testing to see if we can modify the response for NS records. I have a test server which is a stealth secondary for our 'plymouth.ac.uk' zone. The name servers for the zone are 'dns0.plymouth.ac.uk' and 'dns1.plymouth.ac.uk'. So, 'dig

Re: RPZ - how to modify NS records in answer?

2013-06-21 Thread John Horne
On Fri, 2013-06-21 at 17:11 +0100, John Horne wrote: My understanding is that RPZ can do this, but I just cannot seem to configure the RPZ zone file to enable this. The zone file contains: = $TTL 1H @ SOA LOCALHOST. hostmaster.plymouth.ac.uk (1 1h 15m 30d 2h)

Re: RPZ - how to modify NS records in answer?

2013-06-21 Thread Vernon Schryver
From: John Horne john.ho...@plymouth.ac.uk dns1.plymouth.ac.uk.rpz-nsdomain CNAME *. But the example zone file further down the page has the example: ns.domain.com.rpz-nsdname CNAME . So is 'rpz-nsdomain' wrong then in the zone file and 'rpz-nsdname' should be used

Re: NS records

2012-03-13 Thread Bill Owens
servers you need the glue records. That's true, and it also becomes a problem when you want to sign the zones with DNSSEC; if there's no NS record in the parent, there can't be a chain of trust from the parent to the child. Assuming that you'll someday want to sign toto.be, you should put the parent NS

.hu ns records incorrect?

2011-07-28 Thread Carl Byington
Am I missing something, or are the hu NS records incomplete? dig d.hu +trace ;; AUTHORITY SECTION: hu. 86400 IN NS e.hu. hu. 86400 IN NS ns-se.nic.hu. hu. 86400

Re: .hu ns records incorrect?

2011-07-28 Thread Stephane Bortzmeyer
On Thu, Jul 28, 2011 at 01:18:29PM -0700, Carl Byington c...@byington.org wrote a message of 35 lines which said: dig: couldn't get address for 'b.hu': not found Strange. It works for me. b.hu. 86292 IN A 193.239.149.3

how to see ALL NS records in a zone file with dig

2010-11-12 Thread M. Meadows
If I use dig NS domain name I know I will see the NS records for the domain. I know I can do the same thing for other RR types. In the case where a zone file has RR records that define delegation for subdomains why can't I use this dig command to see those delegations? I assume this is easy

Re: how to see ALL NS records in a zone file with dig

2010-11-12 Thread Jay Ford
On Fri, 12 Nov 2010, M. Meadows wrote: If I use dig NS domain name I know I will see the NS records for the domain. I know I can do the same thing for other RR types. In the case where a zone file has RR records that define delegation for subdomains why can't I use this dig command to see

OT: Propagation of my NS records?

2010-10-04 Thread online-reg
Hi All: I think this is a little OT, but I’m wondering why changes to my NS records aren’t propagating when my NS is authoritative for my domain? enigmedia.com is registered at NetSol and delegated to my NS: ns.enigmedia.com (running on bind9/fedora) ns1.enigmedia.com (running on bind9/Freebsd

Re: OT: Propagation of my NS records?

2010-10-04 Thread Chris Thompson
On Oct 4 2010, online-reg wrote: Hi All: I think this is a little OT, but I'm wondering why changes to my NS records aren't propagating when my NS is authoritative for my domain? enigmedia.com is registered at NetSol and delegated to my NS: ns.enigmedia.com (running on bind9/fedora) ns1

Re: OT: Propagation of my NS records?

2010-10-04 Thread mike . parker
this is a little OT, but I’m wondering why changes to my NS records aren’t propagating when my NS is authoritative for my domain? enigmedia.com is registered at NetSol and delegated to my NS: ns.enigmedia.com (running on bind9/fedora) ns1.enigmedia.com (running on bind9/Freebsd) Global TTL is 3h

Re: OT: Propagation of my NS records?

2010-10-04 Thread Anand Buddhdev
On 04/10/2010 16:01, online-reg wrote: Hi All: I think this is a little OT, but I’m wondering why changes to my NS records aren’t propagating when my NS is authoritative for my domain? enigmedia.com is registered at NetSol and delegated to my NS: ns.enigmedia.com (running on bind9/fedora

Re: Propagation of my NS records?

2010-10-04 Thread online-reg
Hi All: I think this is a little OT, but I'm wondering why changes to my NS records aren't propagating when my NS is authoritative for my domain? enigmedia.com is registered at NetSol and delegated to my NS: ns.enigmedia.com (running on bind9/fedora) ns1.enigmedia.com (running on bind9

Re: OT: Propagation of my NS records?

2010-10-04 Thread Kevin Oberman
Date: Mon, 04 Oct 2010 17:29:33 +0200 From: Anand Buddhdev ana...@ripe.net Sender: bind-users-bounces+oberman=es@lists.isc.org On 04/10/2010 16:01, online-reg wrote: Hi All: I think this is a little OT, but I’m wondering why changes to my NS records aren’t propagating when my

Re: OT: Propagation of my NS records?

2010-10-04 Thread wllarso.dns
wondering why changes to my NS records aren’t propagating when my NS is authoritative for my domain? enigmedia.com is registered at NetSol and delegated to my NS: ns.enigmedia.com (running on bind9/fedora) ns1.enigmedia.com (running on bind9/Freebsd) Global TTL is 3h and TTL for the “NS1” record

DDNS Updates fail When More Than 15 Authoritative Servers (NS records) are listed in a Dynamically Updated Zone

2010-09-20 Thread Christopher Cain
[I apologize in advance if this is a double post. I'm not sure if my original went through] I was implementing ISC Bind 9.5 at a client site last month and had a single zone that accepted DDNS updates only from the ISC DHCP service. The environment consisted of a Master BIND server and almost

Re: DDNS Updates fail When More Than 15 Authoritative Servers (NS records) are listed in a Dynamically Updated Zone

2010-09-20 Thread Chris Buxton
It probably has something to do with the packet size. You can't easily fit 25 NS records into a 512 byte UDP packet. You really don't want to have more than 8 published NS records for most purposes. Chris Buxton BlueCat Networks On Sep 20, 2010, at 2:30 PM, Christopher Cain wrote: [I

Questions regarding global MX and NS records

2010-07-21 Thread Atkins, Brian (GD/VA-NSOC)
After specifying MX records for a 2nd tier domain, is it necessary to restate the MX records for a new $ORIGIN? For example, if I have: $ORIGIN . ... IN MX 10 mx1.example.com. IN MX 10 mx2.example.com. IN MX 10

RE: Questions regarding global MX and NS records

2010-07-21 Thread Atkins, Brian (GD/VA-NSOC)
-users@lists.isc.org Subject: Questions regarding global MX and NS records After specifying MX records for a 2nd tier domain, is it necessary to restate the MX records for a new $ORIGIN? For example, if I have: $ORIGIN . ... IN MX 10 mx1.example.com

Re: Questions regarding global MX and NS records

2010-07-21 Thread Kevin Darcy
) for each website, rather than a delegation per website. Also, aliasing things this way allows the GSS to respond sanely with SOA/NS records for the delegated zone (lb.example.com), when the GSS is configured properly to proxy non-A queries to the servers of a shadow version of the zone. If you

Re: Questions regarding global MX and NS records

2010-07-21 Thread Kevin Darcy
) for each website, rather than a delegation per website. Also, aliasing things this way allows the GSS to respond sanely with SOA/NS records for the delegated zone (lb.example.com), when the GSS is configured properly to proxy non-A queries to the servers of a shadow version of the zone

Order of NS records given by bind

2010-07-08 Thread Ricardo Oliveira
Hi all, Does anyone know what algorithm BIND uses to order the NS records in a DNS reply? e.g. dig @66.6.49.217 NS yahoo.com yahoo.com. 160275 IN NS ns6.yahoo.com. yahoo.com. 160275 IN NS ns8.yahoo.com. yahoo.com. 160275

Re: Order of NS records given by bind

2010-07-08 Thread Evan Hunt
Successive queries give different orderings of nameservers. I thought it was decreasing RTT order, but wanted to confirm. It's configurable (see the documentation of the rrset-order statement for details), but in this particular case it appears to be round-robin. Successive queries give me

Re: Problem resolving domains with valid GLUE records but misconfigured NS records

2010-03-17 Thread Kevin Darcy
Well, the zone is publishing NS records that all return REFUSED when I query them, so from my point of view the whole domain is broken. The *best* approach here is to contact the domain admin and get them to fix it. In the absence of that, how to circumvent it? ns1.ecb.int apparently

Problem resolving domains with valid GLUE records but misconfigured NS records

2010-03-16 Thread Gilbert Cassar
Hi, We have a recurring problem with recursive domain resolution using a bind 9.6 caching server. An example of such a zone is ecb.eu. The problem seems due to a misconfiguration on their side where all the (supposedly authoritative) NS records listed in their zone file do not answer requests

Re: Problem resolving domains with valid GLUE records but misconfigured NS records

2010-03-16 Thread Mark Andrews
authoritative) NS records listed in their zone file do not answer requests to resolve ecb.eu hosts. This prevents us from resolving anything under the domain after that the NS records are cached (the first query goes through as the GLUE record seems to work). The interesting thing is that it works

Re: Lookup of delegation NS records

2009-05-01 Thread Kevin Darcy
to the child. Thanks! jwc -Original Message- From: Alan Clegg [mailto:alan_cl...@isc.org] Sent: Saturday, March 28, 2009 8:42 AM To: Cherney John-CJC030 Cc: bind-us...@isc.org Subject: Re: Lookup of delegation NS records Cherney John-CJC030 wrote: Is it possible to use nslookup

RE: Lookup of delegation NS records

2009-05-01 Thread Cherney John-CJC030
-Original Message- From: Alan Clegg [mailto:alan_cl...@isc.org] Sent: Saturday, March 28, 2009 8:42 AM To: Cherney John-CJC030 Cc: bind-us...@isc.org Subject: Re: Lookup of delegation NS records Cherney John-CJC030 wrote: Is it possible to use nslookup or dig to look up delegation records

Re: Lookup of delegation NS records

2009-05-01 Thread Mark Andrews
John-CJC030 Cc: bind-us...@isc.org Subject: Re: Lookup of delegation NS records Cherney John-CJC030 wrote: Is it possible to use nslookup or dig to look up delegation records? I can use them to get the nameservers for a particular domain, but I also want to see the nameservers it would

Lookup of delegation NS records

2009-03-28 Thread Cherney John-CJC030
Is it possible to use nslookup or dig to look up delegation records? I can use them to get the nameservers for a particular domain, but I also want to see the nameservers it would delegate to. So far, the only way I can figure out to do that is to parse the actual db file. Thanks, jwc

Re: Lookup of delegation NS records

2009-03-28 Thread Emil Natan
2009/3/28 Cherney John-CJC030 john.cher...@motorola.com Is it possible to use nslookup or dig to look up delegation records? I can use them to get the nameservers for a particular domain, but I also want to see the nameservers it would delegate to. So far, the only way I can figure out to do

Newbie question about registrar DNS servers and NS records

2009-01-26 Thread RainyCity10
I inherited a Bind DNS server set up for a company that runs a number of web sites. I'm in the process of cleaning up the zone files and adding additional slave DNS servers and I haven't got my head around NS records yet. When a domain is registered you specify what DNS servers will be providing

Re: rfc1918 ns records coming from internet are queried?

2008-12-03 Thread Gregory Hicks
Date: Wed, 26 Nov 2008 21:09:53 +0100 (CET) To: [EMAIL PROTECTED] Subject: Re: rfc1918 ns records coming from internet are queried? From: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] A border router knows what is inside and outside your network, while a DNS server does not. Important

Re: rfc1918 ns records coming from internet are queried?

2008-11-26 Thread David Sparks
I'm looking for a way to set a policy that named won't query rfc1918 nameserver addresses returned from a non-rfc1918 query. Would this be a bad policy? You could use netmasks with your server statements, like this: server 10.0.0.0/8 { bogus yes; }; server 172.16.0.0/12 {

Re: rfc1918 ns records coming from internet are queried?

2008-11-26 Thread Chris Buxton
On Nov 26, 2008, at 11:49 AM, David Sparks wrote: However, if you're concerned, it's pretty easy to set up a more secure infrastructure. Put a resolver (resolving name server) at the edge of your network (in a DMZ, presumably) that knows nothing of internal domains (nor IP address space). It

Re: rfc1918 ns records coming from internet are queried?

2008-11-26 Thread sthaug
A border router knows what is inside and outside your network, while a DNS server does not. Important difference. You're missing the point. This is not about inside and outside networks, it is about rfc1918 responses from internet queries. I'm afraid I have seen too many organizations

rfc1918 ns records coming from internet are queried?

2008-11-25 Thread David Sparks
Problem: when querying asdf.ad.rice.edu, bind sends queries into my local network (specifically to 10.129.92.100, which is not a ns) which I find undesirable. Is there any way to disable this behavior? Is it expected that bind queries rfc1918 nameserver addresses from non-rfc1918 queries? I