Hi there,
On Wed, 13 Dec 2023, Greg Choules wrote:
If your server can reach the Internet it can recurse all on its own.
And for extra information, I recommend you give the '+trace' option to dig.
I hope that helps.
Ditto. :)
--
73,
Ged.
--
Visit https://lists.isc.org/mailman/listinfo/bi
ere will be no match and the response will be (authoritative)
NXDOMAIN - this name does not exist at all.
Personally I would not use a wildcard because it gives the impression that
any name exists when really it doesn't.
NOTE that the existence of "reseau1.lan" means that ALL names be
would suggest
using dig instead.
> If I "ping xxx.reseau1.lan" I get an NXDOMAIN answer. Why NXDOMAIN
> and not NOERROR (NODATA) ? The domain "reseau1.lan" exists and my
> dns server is authoritative for this zone (SOA record) but the
> computer "xxx" on th
1 ? What does it take for nslookup
to give me an authoritative answer ?
If I "ping xxx.reseau1.lan" I get an NXDOMAIN answer. Why NXDOMAIN and not
NOERROR (NODATA) ? The domain "reseau1.lan" exists and my dns server is
authoritative for this zone (SOA record) but the comp
d zone files to
> really get any help. And just just providing snippets of the files might
> not show where the problem is. You also should provide the “dig” output and
> the precise errors you get back (e.g. the SOA record returned in the
> NXDOMAIN response might provide clues).
>
help. And just just providing snippets of the files might
not show where the problem is. You also should provide the “dig” output and
the precise errors you get back (e.g. the SOA record returned in the
NXDOMAIN response might provide clues).
On Sat, Dec 2, 2023 at 4:47 PM Michał Półrolniczak
Hello Bind Community,
Im trying to resolve sub-subdomain without making each level as separate
zone file.
I have domain.my (name of domain changed) in main zone (the host I serve it
from is ns.domain.my) - this works fine, I delegated sub domain my.domain.my
by adding:
my.domain.my IN NS ns.dom
Mosharaf Hossain wrote:
> Hello Folks
> I have come across a challenge with our BIND nameserver, specifically
> related to a "*DNS NXDOMAIN flood*" problem. Despite upgrading the BIND
> version from 9.10 to 9.18, the issue persists.
>
> The attack originates from
challenge with our BIND nameserver, specifically
related to a "*DNS NXDOMAIN flood*" problem. Despite upgrading the
BIND version from 9.10 to 9.18, the issue persists.
The attack originates from an external network, and it periodically
saturates our entire internet bandwidth. W
Am 02.11.2023 um 12:02:00 Uhr schrieb Mosharaf Hossain:
> We are receiving the traffic form random IP addresses to DNS servers.
Even when those IP addresses change, can you verify in any way that
those are not spoofed, so the traffic originates rom that networks?
--
Visit https://lists.isc.org/m
Am 02.11.2023 10:58 schrieb Mosharaf Hossain:
> The attack originates from an external network, and it periodically
> saturates our entire internet bandwidth.
Can you verify that the source IP is not spoofed (TCP ACK replies
instead of ACK RST, no ICMP port unreachable for UDP)?
If yes, contact t
Hello Folks
I have come across a challenge with our BIND nameserver, specifically
related to a "*DNS NXDOMAIN flood*" problem. Despite upgrading the BIND
version from 9.10 to 9.18, the issue persists.
The attack originates from an external network, and it periodically
saturates
: lundi 19 juin 2023 16:56
À : Lee ; RAHAL Sami SOFRECOM
Cc : bind-users@lists.isc.org
Objet : Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
From the correct email alias this time!
On Mon, 19 Jun 2023 at 16:50, Greg Choules
mailto:gregchou...@googlemail.com>> wrote:
Hi L
s REFUSED.
>
> Wireshark it and see.
>
> By the way, I have been testing this on 9.18.15
> Cheers, Greg
>
>
> On Mon, 19 Jun 2023 at 16:10, Lee wrote:
>
>> On 6/19/23, sami.rahal wrote:
>> > Thank you Greg
>> >
>> > I tested with other
On 6/19/23, sami.rahal wrote:
> Thank you Greg
>
> I tested with other domain name to replace "SERVFAIL" with "NXDOMAIN" is it
> not working
You're missing "break-dnssec yes" on your response-policy stanza?
You need something like
respo
Thank you Greg
I tested with other domain name to replace "SERVFAIL" with "NXDOMAIN" is it not
working
I use CentOS7 with BIND9.16.41
grep antlauncher db.rpz
antlauncher.com CNAME .
*.antlauncher.com CNAME .
grep example
return code we can
> not modify this code by nxdomain with the rpz configuration?
>
> Regards
>
>
>
> *De :* Greg Choules
> *Envoyé :* lundi 19 juin 2023 12:02
> *À :* RAHAL Sami SOFRECOM
> *Cc :* bind-users@lists.isc.org
> *Objet :* Re: replace "SERVFAIL"
Thank you Greg
So if I understand correctly if we receive a servfail return code we can not
modify this code by nxdomain with the rpz configuration?
Regards
De : Greg Choules
Envoyé : lundi 19 juin 2023 12:02
À : RAHAL Sami SOFRECOM
Cc : bind-users@lists.isc.org
Objet : Re: replace "SER
s why I wanted to change the return code for this
> domain name to "NXDOMAIN" so as not to distort the monitoring result .
>
> Regards
>
> *De :* Greg Choules
> *Envoyé :* lundi 19 juin 2023 10:03
> *À :* RAHAL Sami SOFRECOM
> *Cc :* bind-users@lists.isc.org
&g
turn code for this domain name to "NXDOMAIN" so as not
to distort the monitoring result .
Regards
De : Greg Choules
Envoyé : lundi 19 juin 2023 10:03
À : RAHAL Sami SOFRECOM
Cc : bind-users@lists.isc.org
Objet : Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
H
Hi Sami.
Firstly, a couple of definitions:
NXDOMAIN is a response from an authoritative server (or a resolver because
it cached it). It is a positive confirmation that "this name does not
exist". It means that the QNAME in the query cannot be found, for any
record type.
SERVFAIL is a res
, please edit your Subject line so it is more specific than "Re:
Contents of bind-users digest..."
Today's Topics:
1. replace "SERVFAIL" to "NXDOMAIN" with rpz
(sami.ra...@sofrecom.com)
2. Re: replace "SERVFAIL" to "NXDOMAIN&quo
Crist Clark wrote:That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZaction. Something is wrong with your configuration.On Fri, Jun 16, 2023 at 1:39 PM wrote:For monitoring reasons I try to change the return code of a domain namefrom "SERVFAIL" to "NXDOMAIN"
orate / mitigate SERVFAIL
utilizing RPZ.
I'll try to pay more attention and see if I can isolate a test case if the
problem recurs. (I was kind of hoping someone would have a solution!)
--
Fred Morris
On Fri, 16 Jun 2023, Crist Clark wrote:
That should return a NXDOMAIN. Returning SERVFAI
That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ
action. Something is wrong with your configuration.
On Fri, Jun 16, 2023 at 1:39 PM wrote:
>
>
> Hello
>
> For monitoring reasons I try to change the return code of a domain name
> from "SERVFAIL"
Hello
For monitoring reasons I try to change the return code of a domain name from
"SERVFAIL" to "NXDOMAIN" with the rpz classic configuration of BIND9.16.42 as
follows:
example.com IN CNAME.
*.example.com IN CNAME .
But it still doesn't work, I still have the me
'break-dnssec no' looks at the DO flag and whether the data to be returned is
signed. If DO is 1 and the data is signed
then the answer is not modified. If DO is 0 then it is modified as the client
cannot be performing DNSSEC validation on
the response and be expecting it to succeed for respons
> That's something that's impossible to answer without seeing the full
> configuration (named-checkconf -px).
The full config here : https://pastebin.com/CwWFq73G
Thanks.
Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org
My working hours and your working hours may be different. Please do not feel
> On 22. 3. 2023, at 14:26, BONIN Nathanael wrote:
>
> If I add break-dnssec yes ; in my bind conf, it seems to works like I wanted
> to !!! Thanks.
+1
> But what I don’t understand is why, when I use directly SrvA (server that
> have RPZ zone), it works ?
That's something that's impossible
j Surý
Envoyé : mercredi 22 mars 2023 14:12
À : BONIN Nathanael
Cc : bind-users@lists.isc.org
Objet : Re: RPZ answer me NXDOMAIN for some domain
Hi,
look for break-dnssec in
https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting
--
Ondřej Surý — ISC (He/Him)
My w
t;
>
>
> BUT
>
>
>
> If we create another A record sri.biopyrenees.net / 3.4.5.6 (that doesn’t
> exist at biopyrenees.net) on RPZ zone :
>
>
>
>- On SrvA with : dig @localhost sri.biopyrenees.net, we got IP :
>3.4.5.6 => YOUPI !
>- On SrvB wi
.net / 3.4.5.6 (that doesn’t
> exist at biopyrenees.net) on RPZ zone :
>
> On SrvA with : dig @localhost sri.biopyrenees.net, we got IP : 3.4.5.6 =>
> YOUPI !
> On SrvB with : dig @localhost sri.biopyrenees.net, we got : NXDOMAIN =>
> WHA ?
>
>
t IP : 3.4.5.6 =>
YOUPI !
* On SrvB with : dig @localhost sri.biopyrenees.net, we got : NXDOMAIN =>
WHA ?
Why for some domain, the RPZ isn't working ?
An exemple of what I wrote on my RPZ zone :
tatata.google.com A 2.3.4.5
sri.biopyrenees.net
lva Carlos wrote:
>
> Hello everybody
>
> I am newbie to BIND DNS.
>
> I would like your help to understand a little more about the problem below,
> please:
>
> ***Problem: Sometimes my DNS reports too many NXDOMAIN responses.
>
> ***Question 1: Is there any wa
Hello everybody
I am newbie to BIND DNS.
I would like your help to understand a little more about the problem below,
please:
Problem:* Sometimes my DNS reports too many NXDOMAIN responses.
Question 1*: Is there any way to identify the site/domain that is being
consulted and
AWS are aware of the issue and are just taking a long time to address it.
noted.
pretty sure there's not a %*^$* thing i can do about THAT!
NXDOMAIN for ENTs can also be result of not adding delegating NS records
to the parent zone when both parent and child zones are served by the
> On 26 Oct 2022, at 11:25, PGNet Dev wrote:
>
>> QNAME minimisation is a good idea. It comes in two flavours, relaxed
>> and strict. Relaxed tries to cope with some breakages like NXDOMAIN
>> being returned from ENTs. Strict doesn’t.
>
> switch to '
QNAME minimisation is a good idea. It comes in two flavours, relaxed
and strict. Relaxed tries to cope with some breakages like NXDOMAIN
being returned from ENTs. Strict doesn’t.
switch to 'relaxed' does, in fact, 'solve' the issue. insofar as, it appears, i
no longer
> On 26 Oct 2022, at 11:12, PGNet Dev wrote:
>
> hi,
>
>> AWS are returning NXDOMAIN instead of NOERROR for empty non terminals. Do
>> you have strict
>> qname minimisation turned on?
>
> yup, i do
>
> ...
> qname-minimizati
hi,
AWS are returning NXDOMAIN instead of NOERROR for empty non terminals. Do you
have strict
qname minimisation turned on?
yup, i do
...
qname-minimization strict;
...
only because my i understood my reads of
BIND to Add QNAME Minimization
https
AWS are returning NXDOMAIN instead of NOERROR for empty non terminals. Do you
have strict
qname minimisation turned on?
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1690
;; flags: qr aa ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSEC
95
if I query at my local NS, i get NXDOMAIN response,
dig A elb-default.us-east-1.aws.dckr.io @10.53.53.53
; <<>> DiG 9.18.8 <<>> A elb-default.us-east-1.aws.dckr.io
@10.53.53.53
;; global options: +cmd
;; Got answer:
On Fri, 2021-10-22 at 13:22 -0400, Dan Hanks wrote:
> On Fri, Oct 22, 2021 at 9:57 AM Dan Hanks wrote:
> > Greetings,
> >
> > As I understand RFC 2308, when receiving an NXDOMAIN response, and when
> > deciding how long to cache that NXDOMAIN response, a resolver shou
On 22.10.21 09:57, Dan Hanks wrote:
>As I understand RFC 2308, when receiving an NXDOMAIN response, and when
>deciding how long to cache that NXDOMAIN response, a resolver should use
>whichever value is lower of the SOA TTL, and the SOA.minimum value as the
>length of time to cache
On Fri, Oct 22, 2021 at 9:57 AM Dan Hanks wrote:
>
> Greetings,
>
> As I understand RFC 2308, when receiving an NXDOMAIN response, and when
> deciding how long to cache that NXDOMAIN response, a resolver should use
> whichever value is lower of the SOA TTL, and the SOA.mi
On Fri, Oct 22, 2021 at 10:29 AM Matus UHLAR - fantomas
wrote:
>
> On 22.10.21 09:57, Dan Hanks wrote:
> >As I understand RFC 2308, when receiving an NXDOMAIN response, and when
> >deciding how long to cache that NXDOMAIN response, a resolver should use
> >whichever value
On 22.10.21 09:57, Dan Hanks wrote:
As I understand RFC 2308, when receiving an NXDOMAIN response, and when
deciding how long to cache that NXDOMAIN response, a resolver should use
whichever value is lower of the SOA TTL, and the SOA.minimum value as the
length of time to cache the NXDOMAIN.
I
Greetings,
As I understand RFC 2308, when receiving an NXDOMAIN response, and when
deciding how long to cache that NXDOMAIN response, a resolver should use
whichever value is lower of the SOA TTL, and the SOA.minimum value as the
length of time to cache the NXDOMAIN.
I have a situation where I
On 4/26/21 2:45 PM, bamberg2000 via bind-users wrote:
Hi!
Hi,
BIND 9.11.5, I forward the request ("forward zone" or global "forward
first") to another server and I get NXDOMAIN. Is it possible to process
NXDOMAIN other than "redirect zone"? I just want to
On 26.04.21 20:45, bamberg2000 via bind-users wrote:
BIND 9.11.5, I forward the request ("forward zone" or global "forward
first") to another server and I get NXDOMAIN. Is it possible to process
NXDOMAIN other than "redirect zone"? I just want to repeat the reques
Hi!
BIND 9.11.5, I forward the request ("forward zone" or global "forward first")
to another server and I get NXDOMAIN. Is it possible to process NXDOMAIN other
than "redirect zone"? I just want to repeat the request
Hi there,
On Tue, 17 Nov 2020, Boylan, Ross wrote:
I have been experiencing NXDOMAIN errors ...
... There are a lot of complications.
... The remote machine is only accessible though VPN
... the nameserver ... is also accessible only through VPN
... The VPN connection has always been a bit
On 17.11.20 05:41, Boylan, Ross wrote:
One other detail may be important: I just added a bridge interface and
virtual machines. I presume the VPN tunnel was using the hardware
interface (enp5s0) before, and is using the bridge (br0) now. OpenConnect
creates the tunnel (tun0); both the name and
On 16.11.20 22:58, Boylan, Ross wrote:
I have been experiencing NXDOMAIN errors persistently, though not 100% of
the time, for a machine I am trying to reach. The queries worked OK
before today. I not only don't know what's causing it, but am having
trouble tracing what's goi
t; From: Boylan, Ross
> Sent: Monday, November 16, 2020 2:58 PM
> To: bind-users@lists.isc.org
> Cc: Ross Boylan
> Subject: NXDOMAIN problems
>
> I have been experiencing NXDOMAIN errors persistently, though not 100% of the
> time, for a machine I am trying to reach. The queries
.11.5.
From: Boylan, Ross
Sent: Monday, November 16, 2020 2:58 PM
To: bind-users@lists.isc.org
Cc: Ross Boylan
Subject: NXDOMAIN problems
I have been experiencing NXDOMAIN errors persistently, though not 100% of the
time, for a machine I am trying to reach.
I have been experiencing NXDOMAIN errors persistently, though not 100% of the
time, for a machine I am trying to reach. The queries worked OK before today.
I not only don't know what's causing it, but am having trouble tracing what's
going on inside of bind. I'd be
rtunately there were a few records I
> dropped that I should not have, but it's hard to figure out which until
> someone complains.
>
> I am interested in capturing queries that fail, return a NXDOMAIN to the
> client in other words.
>
> I have two logging categories
x27;s hard to figure out which until someone
complains.
I am interested in capturing queries that fail, return a NXDOMAIN to the client
in other words.
I have two logging categories setup "queries" and "query-errors", both going to
separate logs.
The problem is that the
On 11/10/2017 07:05 PM, Mark Andrews wrote:
On 11 Nov 2017, at 3:38 am, Tony Finch wrote:
Filipe Cifali wrote:
I'm trying to have an Auth Server that says the auth flags ('aa') even on
NXDOMAIN.
BIND (well, all DNS servers) have to do that. It doesn't need to be
confi
> On 11 Nov 2017, at 3:38 am, Tony Finch wrote:
>
> Filipe Cifali wrote:
>>
>> I'm trying to have an Auth Server that says the auth flags ('aa') even on
>> NXDOMAIN.
>
> BIND (well, all DNS servers) have to do that. It doesn't need to be
Filipe Cifali wrote:
>
> I'm trying to have an Auth Server that says the auth flags ('aa') even on
> NXDOMAIN.
BIND (well, all DNS servers) have to do that. It doesn't need to be
configured. See the first example dig output below.
However the example query in your
On 11/10/2017 10:05 AM, Tony Finch wrote:
Filipe Cifali wrote:
I need to make an authoritative server that gives 'AA' flags to every query, I
would need to set only auth-nxdomain right?
Don't use auth-nxdomain, it has been obsolete for 15 years.
Ok, I understand that j
Filipe Cifali wrote:
>
> I need to make an authoritative server that gives 'AA' flags to every query, I
> would need to set only auth-nxdomain right?
Don't use auth-nxdomain, it has been obsolete for 15 years.
> I'm running this config:
That looks like a recu
Hello,
I'm have a question:
IF(Ignoring RFC 1035 #do not shoot the messenger)
I need to make an authoritative server that gives 'AA' flags to every
query, I would need to set only auth-nxdomain right?
I'm
.
· nslookup fails that query, then, behind the scenes (and unbeknownst
to you) it starts searchlisting, e.g. looking up
centos.mirror.iweb.ca.example.com. This results, as one might expect, in an
NXDOMAIN
· nslookup (mis)reports NXDOMAIN as the result of the overall lookup
You can turn on
[ ~]# *nslookup centos.mirror.iweb.ca <http://centos.mirror.iweb.ca>*
Server:172.21.241.18
Address:172.21.241.18#53
** server can't find centos.mirror.iweb.ca: NXDOMAIN
But ...
[ ~]$ *nslookup iweb.ca <http://iweb.ca>*
Server:172.21.241.18
Address:
e forward a name in one domain to 5 external
> > > nam
> > eservers. We see NXDOMAIN error intermittently (once in couple of weeks).
> > How
> > do I debug this issue?
> > >
> > > I took a cache dump on our DNS and 2 out of 5 nameserver IPs appear in
&
On 21.02.16 19:07, blrmaani wrote:
the cache dump also has this entry (myname.mydomain.com is name I am interested
in)
myname.mydomain.com 10324 \-ANY ;-$NXDOMAIN
Which probably means if anyone requests for myname.mydomain.com, they will be
handed NXDOMAIN for upto 10324 seconds from
In message <2f868c2b-d04b-4caf-abd7-8176352cc...@googlegroups.com>, blrmaani wr
ites:
> On Friday, February 19, 2016 at 5:09:02 PM UTC-8, blrmaani wrote:
> > We have a DNS setup where we forward a name in one domain to 5 external nam
> eservers. We see NXDOMAIN error inter
On Friday, February 19, 2016 at 5:09:02 PM UTC-8, blrmaani wrote:
> We have a DNS setup where we forward a name in one domain to 5 external
> nameservers. We see NXDOMAIN error intermittently (once in couple of weeks).
> How do I debug this issue?
>
> I took a cache dump on our D
In message <20160220172148.ga26...@fantomas.sk>, Matus UHLAR - fantomas writes:
> On 19.02.16 17:08, blrmaani wrote:
> >We have a DNS setup where we forward a name in one domain to 5 external
> > nameservers. We see NXDOMAIN error intermittently (once in couple of
> &
On 19.02.16 17:08, blrmaani wrote:
We have a DNS setup where we forward a name in one domain to 5 external
nameservers. We see NXDOMAIN error intermittently (once in couple of
weeks). How do I debug this issue?
tcpdump?
I took a cache dump on our DNS and 2 out of 5 nameserver IPs appear in
We have a DNS setup where we forward a name in one domain to 5 external
nameservers. We see NXDOMAIN error intermittently (once in couple of weeks).
How do I debug this issue?
I took a cache dump on our DNS and 2 out of 5 nameserver IPs appear in
"Unassociated entries" when the probl
In message <1927990884.5538420.1447651533589.javamail.ya...@mail.yahoo.com>, Go
rdon Freeman writes:
> >> I'm hoping the answer is yes, so that once an NXDOMAIN response is
> >> received by the name server, it will not forward repeated queries for
> >>
>> I'm hoping the answer is yes, so that once an NXDOMAIN response is
>> received by the name server, it will not forward repeated queries for
>> that same name, at least for as long as the negative cache TTL.
>
> Named does that by default. Not all
In message <756753830.5253999.1447625854773.javamail.ya...@mail.yahoo.com>, Gor
don Freeman writes:
> option: auth-nxdomain
>
> I see the default for this is no, but what exactly are the ramifications
> of setting this to yes?
RFC 1034 or RFC 1035 stated that NXDOM
In message <01ce01cfd87b$0146fc00$03d4f400$@iprimus.com.au>, "Neil" writes:
> That solution worked Mark , Thank you.
>
> One more question, is it possible perform the below, from the left to right
> The below does not work on NXDOMAIN override.
>
&g
That solution worked Mark , Thank you.
One more question, is it possible perform the below, from the left to right
The below does not work on NXDOMAIN override.
autodiscover.*. IN A 192.168.0.1
autodiscover.nxdomain.com.au should return 192.168.0.1
autodiscover.domainnoexist.net.au
@iprimus.com.au>, "Neil" writes:
>
> Hi,
>
> We are investigating the features of NXDOMAIN redirect as explained in
> https://kb.isc.org/article/AA-00376/0/BIND-9.9-redirect-zones-for-NXDOMAIN-r
> edirection.html
>
>
>
> We are running BIND 9.9 stream.
&g
Hi,
We are investigating the features of NXDOMAIN redirect as explained in
https://kb.isc.org/article/AA-00376/0/BIND-9.9-redirect-zones-for-NXDOMAIN-r
edirection.html
We are running BIND 9.9 stream.
My question is, Is it possible to "whitelist" particular domains?, The ARM
Sorry, this is going to be a pedantic post, so I might as well start
here:
> Subject: Re: DNS reverse sub delegation NXDOMAIN problem, Class C
No, there's no such thing as "Class C", so please forget that. It's
a /24 network. CIDR is in; class is dismissed.
On Tue
On 19.08.14 11:54, Bazy V wrote:
One post said 220/24 is not the correct format,
Another post said that is the format.
no post said this.
Not sure which one is correct.
220.20.172.IN-ADDR.ARPA is the correct zone into which to put PTR records.
Setting 220NSns2.sub.
the generate statement
$GENERATE 0-255 $.220 CNAME $.220
This is the only one irrespective or 0-255.220 or 220 or 220/24 against the
NS statement,
which gave a reply back without NXDOMAIN but all it gives as a response is
94.220.20.172.IN-ADDR.ARPAcanonical name =
94.220.20.172.IN
On 19/08/14 13:12, Bazy V wrote:
$ORIGIN 20.172.IN-ADDR.ARPA.
0.220/24 NS ns2.sub.test.com
On 19.08.14 13:37, Phil Mayers wrote:
You don't need to do this. You just need:
$ORIGIN 20.172.IN-ADDR.ARPA.
220 NS ns2.sub.test.com.
RFC 2317 is only need for /25 and longer.
... and it e
Hi Bazy
On Tue, Aug 19, 2014 at 08:12:58AM -0400, Bazy V wrote:
> so I set up the following in my reverse file for ns2.sub.test.com domain
> ---
> $ORIGIN 20.172.IN-ADDR.ARPA.
>
>NS ns1.test.com
> 0.220/24 NS ns2.sub.test.com
> 43.222
On 19/08/14 13:12, Bazy V wrote:
$ORIGIN 20.172.IN-ADDR.ARPA.
0.220/24 NS ns2.sub.test.com
You don't need to do this. You just need:
$ORIGIN 20.172.IN-ADDR.ARPA.
220 NS ns2.sub.test.com.
RFC 2317 is only need for /25 and longer.
___
Plea
comes back as NXDOMAIN.
Wondering if you could point out what am I doing wrong
Thank you
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https
crease the risk of DNS resolution failures resulting from a namespace
> transition by creating a fallback from the old to the new namespace. For
> some definite period of time after the change, an NXDOMAIN in the old
> namespace would result in a synthesized CNAME pointing to the same name in
On Thu, Oct 3, 2013 at 5:52 PM, Mark Andrews wrote:
> Then I suggest that you just add CNAMEs whenever you remove other record.
> Once a part of the namespace only have CNAME/DNAME below it replace it
> with a DNAME. You will converge on the earlier example.
>
Thanks - I'll start there.
Casey
In message
, Casey
Deccio writes:
>
> On Thu, Oct 3, 2013 at 5:42 PM, Mark Andrews wrote:
>
> >
> > Use a DNAME record. That works with DNSSEC.
> >
> >
> Thanks for the suggestion. I would use DNAME, except the old namespace
> will still have names under it, and names are not allowed to exi
On Thu, Oct 3, 2013 at 5:42 PM, Mark Andrews wrote:
>
> Use a DNAME record. That works with DNSSEC.
>
>
Thanks for the suggestion. I would use DNAME, except the old namespace
will still have names under it, and names are not allowed to exist below a
DNAME. In other words, we're not replacing t
a namespace
> transition by creating a fallback from the old to the new namespace. For
> some definite period of time after the change, an NXDOMAIN in the old
> namespace would result in a synthesized CNAME pointing to the same name in
> the new namespace. Anyway, there might not be an easy
fallback from the old to the new namespace. For
some definite period of time after the change, an NXDOMAIN in the old
namespace would result in a synthesized CNAME pointing to the same name in
the new namespace. Anyway, there might not be an easy way to to do it, and
we might just have to lose ou
On Thu, 3 Oct 2013, Casey Deccio wrote:
I would like to apply something similar to a "redirect" zone (for NXDOMAIN
responses)
You are why we can't have nice things :P
We had enough Sitewinders. With DNSSEC on the endnode, your lies won't
be believed anway. What you are
thing similar to a "redirect" zone (for NXDOMAIN
responses), but it doesn't appear to be supported. Can this be confirmed?
Does anyone recommend any alternatives?
Thanks,
Casey
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users
@lists.isc.org] On Behalf Of Carl
> > Byington
> > Sent: Friday, September 20, 2013 7:15 PM
> > To: bind-users@lists.isc.org
> > Subject: Re: bind/sendmail resolving.. (NXDOMAIN)
> >
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > On Fr
n any of the hosts that should accept the mail, I see:
>>
>> $ host smtp.panini.co.uk
>> smtp.panini.co.uk is an alias for smtp.panini.it.
>> smtp.panini.it has address 151.12.160.24
>> Host smtp.panini.it not found: 3(NXDOMAIN)
>>
>> $ host smtp2.panini.co.
"host" performs A, and MX queries, by default. If you want to limit
it to a specific query type, use the "-t" option.
Having said that, I didn't get an NXDOMAIN for any of the query types,
from any of the delegated nameservers, when using dig, but I'm gett
; Sent: Friday, September 20, 2013 7:28 PM
> To: Howard Leadmon
> Cc: bind-us...@isc.org; dom...@paninigroup.com
> Subject: Re: bind/sendmail resolving.. (NXDOMAIN)
>
>
> In message <021501ceb653$ede37250$c9aa56f0$@leadmon.net>, "Howard
> Leadmon" writ
> es:
>
1 - 100 of 206 matches
Mail list logo