Re: response-policy zones from spamhaus.org

2017-10-07 Thread Sten Carlsen


On 07-10-2017 21.36, MAYER Hans wrote:
>
> Dear All, 
>
> We are using response-policy zones as a service from spamhaus.org
> This is used for web access as well as for SMTP ( incoming and outgoing ) 
> Actually this worked fine over years. 
> Now we have the situation that if I dig www.airindia.in I get as a result 
>
> ;; ADDITIONAL SECTION:
> bad-nameservers.rpz.spamhaus.org. 60 IN SOA need.to.know.only. 
> hostmaster.spamhaus.org. 1507403414 300 60 432000 60
>
> This indicates that it is listed in the  bad-nameservers.rpz.spamhaus.org 
> database from spamhaus.org which I have configured as a slave zone in my DNS 
> server.
> Our employees are travelling a lot and therefore it is not acceptable that 
> the Indian Airline is not reachable. 
>
> Such zones are defined as type slave. Therefore it’s not possible to update 
> such a zone. 
> I also tried to define these records in my own RPZ, hoping it has higher 
> priority. But it doesn't. 
> Finally I tried a forward only zone for airindia.in to a server in my 
> environment which does not use RPZ. But this doesn't work either. 
>
> Any ideas how I could shadow or override the content of RPZ? 
I would look at the mail server configuration. It might be possible to
add a positive list in front of the spamhaus lookup.
>
> I am using BIND 9.11.2
>
>
> Kind regards 
> Hans
>
> — 
>
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!" 


Re: Forcing external domains TTL value

2017-10-07 Thread 'at'lbutlr
Please fix this lazy regex on the list.

^From:.*@.*@.*$

It should be

^From:.*<.*@.*@.*>$

(Or, eliminated entirely, of course)

On 07 Oct 2017, at 12:30, Reindl Harald  wrote:
> On 07.10.2017 at 20:17, Job wrote:
>> Hi Reindl,
>> thank you!
>>> not with named - unbound as resolver supports it
>> Perhaps do you know if DjbDns supports this directive?
>> I thought putting a frontend DNS server before Bind...
> 
> go with unbound - you won't find anything better for a caching-only, meaning 
> non-authoritative, dns-server these days

+1. Unbound is simple, fast, stable, reliable, and small.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Forcing external domains TTL value

2017-10-07 Thread Warren Kumari
On Sat, Oct 7, 2017 at 12:59 AM, Job  wrote:
> Dear guys,
>
> Due to heavy traffic caching performance, I would like to force external 
> domains TTL - for external domains - to at least 600 seconds.
>
> Is there a way to do it, maybe by recompiling the package?

There is max-cache-ttl, but this does exactly the opposite
of what you want -- it overrides the TTL, specifying the maximum time
a record can be cached.

I'd advise against what you are trying to do -- apart from violating
standards, it may cause issues -- domain admins set the TTL low for a
reason, not because they like the added traffic and fragility. How big
is your cache? What is your cache miss rate? What issues are you
seeing?

W


>
> Thank you, very best!
> /F



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


Re: Forcing external domains TTL value

2017-10-07 Thread Reindl Harald



On 07.10.2017 at 09:59, Job wrote:

> Dear guys,
>
> Due to heavy traffic caching performance, I would like to force external 
> domains TTL - for external domains - to at least 600 seconds.
>
> Is there a way to do it, maybe by recompiling the package?

not with named - unbound as resolver supports it
cache-min-ttl: 600


Forcing external domains TTL value

2017-10-07 Thread Job
Dear guys,

Due to heavy traffic caching performance, I would like to force external 
domains TTL - for external domains - to at least 600 seconds.

Is there a way to do it, maybe by recompiling the package?

Thank you, very best!
/F


Re: Forcing external domains TTL value

2017-10-07 Thread Alberto Colosi
TTL, if not record specific, on other DNS is defined inside the SOA.

Usually it should be 24H on the internet, and if an admin like me puts it low, it is 
for a specific purpose such as a server change.

It is strange you have so many low TTLs. I think you can only work on cache TTL on your 
DNS.

If there are other ways to reach your goal, I don't know, as I never needed it, especially 
because TTL on 99% of records should be 24H.






From: bind-users  on behalf of Job 

Sent: Saturday, October 7, 2017 9:59 AM
To: Job; bind-users@lists.isc.org
Subject: Forcing external domains TTL value

Dear guys,

Due to heavy traffic caching performance, I would like to force external 
domains TTL - for external domains - to at least 600 seconds.

Is there a way to do it, maybe by recompiling the package?

Thank you, very best!
/F

R: Forcing external domains TTL value

2017-10-07 Thread Job
Hi Reindl,
thank you!

>> not with named - unbound as resolver supports it
Perhaps do you know if DjbDns support this directive?
I thought putting a frontend DNS server before Bind...

Thank you,
/F


Re: Forcing external domains TTL value

2017-10-07 Thread Reindl Harald



On 07.10.2017 at 20:17, Job wrote:

> Hi Reindl,
> thank you!
>
>> not with named - unbound as resolver supports it
>
> Perhaps do you know if DjbDns supports this directive?
> I thought putting a frontend DNS server before Bind...

go with unbound - you won't find anything better for a caching-only, 
meaning non-authoritative, dns-server these days

https://en.wikipedia.org/wiki/Djbdns
Stable release: 1.05 / 2001; 16 years ago

sorry, but this is a terrible developer attitude; in the last 16 years a 
lot of things have happened in the DNS world



response-policy zones from spamhaus.org

2017-10-07 Thread MAYER Hans


Dear All, 

We are using response-policy zones as a service from spamhaus.org
This is used for web access as well as for SMTP ( incoming and outgoing ) 
Actually this worked fine over years. 
Now we have the situation that if I dig www.airindia.in I get as a result 

;; ADDITIONAL SECTION:
bad-nameservers.rpz.spamhaus.org. 60 IN SOA need.to.know.only. 
hostmaster.spamhaus.org. 1507403414 300 60 432000 60

This indicates that it is listed in the  bad-nameservers.rpz.spamhaus.org 
database from spamhaus.org which I have configured as a slave zone in my DNS 
server.
Our employees are travelling a lot and therefore it is not acceptable that the 
Indian Airline is not reachable. 

Such zones are defined as type slave. Therefore it’s not possible to update 
such a zone. 
I also tried to define these records in my own RPZ, hoping it has higher 
priority. But it doesn't. 
Finally I tried a forward only zone for airindia.in to a server in my 
environment which does not use RPZ. But this doesn't work either. 

Any ideas how I could shadow or override the content of RPZ? 

I am using BIND 9.11.2


Kind regards 
Hans

— 
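An added configuration example, not from the original post, Spamhaus or ISC, showing one way to get the exemption Hans is asking for in BIND 9.11: named consults the zones in the response-policy statement in the order listed and applies the first matching rule, so a locally mastered RPZ with passthru rules for the airline's names, listed before the Spamhaus slave zone, takes precedence over the bad-nameservers feed; if the local zone is listed after the feed, its rules are never reached. The zone name local.rpz, the file paths and the primary address are placeholders.

```conf
// named.conf (excerpt): the local policy zone must be listed FIRST
options {
    response-policy {
        zone "local.rpz";                          // our exemptions, checked first
        zone "bad-nameservers.rpz.spamhaus.org";   // Spamhaus feed, checked after
    };
};

zone "local.rpz" {
    type master;
    file "/etc/bind/rpz/local.rpz.db";             // placeholder path
    allow-query { none; };                         // policy data is never served to clients
};

zone "bad-nameservers.rpz.spamhaus.org" {
    type slave;
    masters { 192.0.2.1; };                        // placeholder, use the address Spamhaus provides
    file "/var/cache/bind/bad-nameservers.rpz.spamhaus.org";
    allow-query { none; };
};

; ----- /etc/bind/rpz/local.rpz.db (zone file, placeholder path) -----
$TTL 60
@               IN SOA   localhost. hostmaster.localhost. (
                         2017100701 3600 900 604800 60 )
@               IN NS    localhost.
; rpz-passthru: answer these names normally and stop consulting later policy zones
airindia.in     IN CNAME rpz-passthru.
*.airindia.in   IN CNAME rpz-passthru.
```

After `rndc reload`, repeating the `dig www.airindia.in` check from the post should no longer return the bad-nameservers.rpz.spamhaus.org SOA in the additional section.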

