Re: newb alert: how to make v4 and v6 "A" records resolve to same website
On Wed, 2010-07-14 at 22:04 -0400, Joseph S D Yao wrote:
> > but how we transform the A record in
> There is no such translation. Rather, there used to be, but it has been
> deprecated (that is, it's not supposed to be used any more).

The IPv4-compatible IPv6 address is indeed deprecated, but there is a non-deprecated method; the IPv4-mapped IPv6 address (section 2.5.5.2 in RFC 4291):

:::a.b.c.d

where a.b.c.d are the four octets, represented in decimal, of an IPv4 address.

However, this just allows an ordinary IPv4 address to be "packaged" in an IPv6 address. An application that understands this format will just extract the IPv4 address and use it *as an IPv4 address*. It's not a "transformation" in the sense that the OP seems to want.

Regards, K.

--
~~~
Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
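The "packaging" described in the message above, as an added example that is not part of the original post: RFC 4291 section 2.5.5.2 writes the IPv4-mapped form as ::ffff:a.b.c.d, and an application that receives one should unwrap it before comparing it with IPv4 rules. The function names and the sample networks are assumptions made for this illustration; the access-list check goes one step beyond what the message states.

```python
import ipaddress

def to_mapped(v4: str) -> ipaddress.IPv6Address:
    """Package a.b.c.d as the IPv4-mapped IPv6 address ::ffff:a.b.c.d."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))

def unwrap(addr: str):
    """Return the embedded IPv4 address of a mapped address, else the address itself."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def acl_allows(addr: str, allowed: list) -> bool:
    """Match a client address against allowed networks after unwrapping it."""
    ip = unwrap(addr)
    nets = [ipaddress.ip_network(n) for n in allowed]
    # Compare only within the same address family.
    return any(ip.version == n.version and ip in n for n in nets)

# Constructed sample values (documentation ranges), not taken from the thread.
ALLOWED = ["192.0.2.0/24", "2001:db8::/32"]
CLIENTS = [
    "192.0.2.10",           # plain IPv4
    "::ffff:192.0.2.10",    # IPv4-mapped: same host, packaged in IPv6 syntax
    "::192.0.2.10",         # deprecated IPv4-compatible form: not unwrapped
    "2001:db8::1",          # native IPv6
    "::ffff:198.51.100.7",  # mapped, but outside the allowed IPv4 range
]

if __name__ == "__main__":
    for client in CLIENTS:
        print(f"{client:22} -> {str(unwrap(client)):16} allowed={acl_allows(client, ALLOWED)}")
```

The mapped address never becomes a routable IPv6 destination; after unwrapping it is handled exactly like the IPv4 address it carries.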
Re: newb alert: how to make v4 and v6 "A" records resolve to same website
On Thu, Jul 15, 2010 at 03:05:32AM +0200, fakessh wrote:
...
> yes this is theoretical. This is the standard reply to dig with the
> correct
>
> but how we transform the A record in
>
> this is a mathematical formula, how simple and without RTFM
>
> I compile my kernel is only ipv4 is no problems for the time but I would
> one day confront the same problem and I do not know how to

There is no such translation. Rather, there used to be, but it has been deprecated (that is, it's not supposed to be used any more).

IPv6 and IPv4 are essentially two separate networks running on the same wires. To reach your Web site via IPv6, your Web site must HAVE IPv6 installed, must have an IPv6 IP address, and must have a way of getting IPv6 from your site out to a fully connected IPv6 router at your ISP. Any IPv4-only router in the way will completely block the IPv6 flow.

Also, IPv6 must be understood all the way up to the applications level. This should not be a problem with Apache's 'httpd' Web server, as long as you put in either a "*" IP address or both the Web server's IPv4 and IPv6 IP addresses. I don't know about other Web servers; I know some are not IPv6-aware.

Oh - you can't make up an IPv6 address; you have to use one that is compatible with the IPv6 transport you get.

--
/*\
**
** Joe Yao j...@tux.org - Joseph S. D. Yao
**
\*/
Re: newb alert: how to make v4 and v6 "A" records resolve to same website
On Wed, 14 Jul 2010 17:12:21 -0400, Alan Clegg wrote:
> On 7/14/2010 4:47 PM, Bill Buhlman wrote:
>
>> I am just now playing with IPv6 and wondering about how to make an IPv6
>> record resolve to the same website as the IPv4 A record. Probably a
>> simple thing but how?
>
> Assign the to the IPv6 address of the given host... ie:
>
> baremetal.wetworks.org. 90 IN A 192.153.154.127
> baremetal.wetworks.org. 90 IN 2001:470:1f00:4024:250:56ff:feb6:3e25
>
> to test: "dig baremetal.wetworks.org A"
>          "dig baremetal.wetworks.org "
>
> Obviously, you need IPv6 transport in place to make this useful.
>
> AlanC

yes this is theoretical. This is the standard reply to dig with the
correct

but how we transform the A record in

this is a mathematical formula, how simple and without RTFM

I compile my kernel is only ipv4 is no problems for the time but I would
one day confront the same problem and I do not know how to

aka /fakessh/

thanks for all god bless all
Re: newb alert: how to make v4 and v6 "A" records resolve to same website
On 7/14/2010 4:47 PM, Bill Buhlman wrote:
> I am just now playing with IPv6 and wondering about how to make an IPv6
> record resolve to the same website as the IPv4 A record. Probably a
> simple thing but how?

Assign the to the IPv6 address of the given host... ie:

baremetal.wetworks.org. 90 IN A 192.153.154.127
baremetal.wetworks.org. 90 IN 2001:470:1f00:4024:250:56ff:feb6:3e25

to test: "dig baremetal.wetworks.org A"
         "dig baremetal.wetworks.org "

Obviously, you need IPv6 transport in place to make this useful.

AlanC
newb alert: how to make v4 and v6 "A" records resolve to same website
Hi,

I am just now playing with IPv6 and wondering about how to make an IPv6 record resolve to the same website as the IPv4 A record. Probably a simple thing but how?

Thanks,
Bill
Re: zone syntax question
You don't have an origin nor an A record for ns.example.com. I would replace example.com in the SOA with @ and you are missing the space between the authoritative name server and the email address. Also missing a period at the end of the email address.

I kept my time periods in seconds since that is what dig will give you back when querying the zone.

IN for Internet zone is assumed and is not required in the records.

Lyle Giese
LCR Computer Services, Inc.

CT wrote:
> old zone file
> ---
> $ORIGIN .
> $TTL 3600
> example.com IN SOA ns.example.com. root.example.com (
>         2010071402 ; serial
>         10800 ; refresh (3 hours)
>         3600 ; retry (1 hour)
>         345600 ; expire (4 days)
>         86400 ; minimum (1 day)
>         )
>         NS example.com.
>
> $ORIGIN example.com.
>         A 192.168.1.1
>         MX 10 ns.example.com.
> www     CNAME example.com.
> -
>
> proposed new file
> -
> $TTL 3600
$origin example.com.
> @ IN SOA ns.example.com. root.example.com. (
>         2010071403 ;serial
>         3h ;refresh
>         1h ;retry
>         1w ;expire
>         1h ;ncache
>         )
>         IN NS ns.example.com.
>         IN MX 10 ns.example.com.
ns in a 192.168.1.2
>
> ;localhost IN A 127.0.0.1
>         IN A 192.168.1.1
> www     CNAME example.com.
>
>
> My question...
> Will my proposed set up work on the "old bind" version..
> and it is syntactically correct ??
>
> Thx
> Charles
Re: zone syntax question
- Original message -
> example.com. IN SOA [...]
>         IN NS ns.example.com.
>         IN MX 10 ns.example.com.

The A record for ns.example.com is missing from your zone.

> Will my proposed set up work on the "old bind" version..

Which old version?

> and it is syntactically correct ??

BIND comes with a tool "named-checkzone" that can do the syntax and integrity checks for you.

Hauke.
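The defects the two replies above point out (SOA name fields run together or left without a trailing period, and an in-zone NS/MX target with no address record), checked in a few lines as an added example; this is not BIND code and not a substitute for named-checkzone. The parser handles only the simple master-file subset used in this thread, and all function names are assumptions made for the illustration.

```python
import re

def logical_lines(text):
    """Drop ';' comments and join '( ... )' continuations (quoted strings not handled)."""
    out, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buf += (" " if buf else "") + line.replace("(", " ").replace(")", " ")
        if depth == 0:
            out.append(buf)
            buf = ""
    return out

def absolute(name, origin):
    """Expand '@' and relative names against the current origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." + origin.lstrip(".")).lower()

def parse(text, zone):
    """Return (owner, type, rdata, origin) tuples for a simplified master-file subset."""
    origin = owner = zone.lower()
    records = []
    for line in logical_lines(text):
        tok = line.split()
        if tok and tok[0].upper() == "$ORIGIN":
            origin = tok[1].lower()
        if not tok or tok[0].startswith("$"):
            continue
        if not line[0].isspace():  # a leading blank means "same owner as before"
            owner = absolute(tok.pop(0), origin)
        while tok and (tok[0].upper() == "IN" or re.fullmatch(r"\d+[smhdw]?", tok[0], re.I)):
            tok.pop(0)  # skip class and TTL
        if tok:
            records.append((owner, tok[0].upper(), tok[1:], origin))
    return records

def lint(text, zone):
    """Report malformed SOA name fields and in-zone NS/MX targets lacking an address."""
    zone = zone.lower()
    recs = parse(text, zone)
    has_addr = {o for o, t, _, _ in recs if t in ("A", "AAAA")}
    findings = []
    for owner, rtype, rdata, origin in recs:
        if rtype == "SOA" and len(rdata) != 7:
            findings.append(f"SOA has {len(rdata)} fields, expected 7")
        elif rtype == "SOA":
            findings += [f"SOA name {n} is relative; origin gets appended"
                         for n in rdata[:2] if not n.endswith(".")]
        elif rtype in ("NS", "MX") and rdata:
            target = absolute(rdata[-1], origin)
            msg = f"{target} has no A/AAAA record in this zone"
            in_zone = target == zone or target.endswith("." + zone)
            if in_zone and target not in has_addr and msg not in findings:
                findings.append(msg)
    return findings

# Constructed sample modelled on the "proposed new file" in this thread (layout assumed).
PROPOSED = """\
$TTL 3600
example.com. IN SOA ns.example.com.root.example.com (
        2010071403 ;serial
        3h 1h 1w 1h ;refresh retry expire ncache
        )
        IN NS ns.example.com.
        IN MX 10 ns.example.com.
        IN A 192.168.1.1
www     CNAME example.com.
"""
WITH_SPACE = PROPOSED.replace("ns.example.com.root", "ns.example.com. root")
FIXED = WITH_SPACE.replace("root.example.com (", "root.example.com. (") + "ns IN A 192.168.1.2\n"

if __name__ == "__main__":
    for label, text in (("proposed", PROPOSED), ("space added", WITH_SPACE), ("fixed", FIXED)):
        print(label, lint(text, "example.com."))
```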
zone syntax question
old zone file
---
$ORIGIN .
$TTL 3600
example.com IN SOA ns.example.com. root.example.com (
        2010071402 ; serial
        10800 ; refresh (3 hours)
        3600 ; retry (1 hour)
        345600 ; expire (4 days)
        86400 ; minimum (1 day)
        )
        NS example.com.

$ORIGIN example.com.
        A 192.168.1.1
        MX 10 ns.example.com.
www     CNAME example.com.
-

proposed new file
-
$TTL 3600
example.com. IN SOA ns.example.com.root.example.com (
        2010071403 ;serial
        3h ;refresh
        1h ;retry
        1w ;expire
        1h ;ncache
        )
        IN NS ns.example.com.
        IN MX 10 ns.example.com.

;localhost IN A 127.0.0.1
        IN A 192.168.1.1
www     CNAME example.com.

My question...
Will my proposed set up work on the "old bind" version..
and it is syntactically correct ??

Thx
Charles
recursing stop at about 1000 clients
Hi List

I have been having issues with my DNS server for a while now; my server suddenly stops answering queries. I notice that this happens whenever my recursive clients are more than a thousand, as per the result of rndc status.

Any help with this will be highly welcome.

Thanks
Kebba
RE: Slowness and timeouts resolving qa.pay.gov
1. I run the recursive servers.
2. RHEL 4.0 running BIND 9.6.1-P3
3. timeouts or slow responses from dig qa.pay.gov occur maybe 1 in 3 or 4 tries.
4. Not having the same issue with other requests. Otherwise, the campus would be screaming about Internet slowness/timeouts.
5. I don't see anything strange in the logs. I see requests showing up in dnssec.log and query.log. I do see what looks like IPv6 requests showing up in query.log, but not being approved in dnssec.log. Examples:

[kl...@idns1 logs]$ grep pay.gov dnssec.log
14-Jul-2010 10:56:37.608 security: debug 3: client 10.112.171.38#60907: query (cache) 'qa.pay.gov/A/IN' approved

[kl...@idns1 logs]$ grep pay.gov query.log
13-Jul-2010 13:00:00.079 client 10.112.171.38#59791: query: qa.pay.gov IN A +
13-Jul-2010 13:00:03.082 client 10.112.171.38#57288: query: qa.pay.gov IN +

6. I'm logging:

logging {
    category lame-servers { null; };
    category edns-disabled { null; };
    category unmatched { unmatched_log; };
    channel unmatched_log {
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
        file "/logs/unmatched.log" versions 10 size 100M;
    };
    channel update_log {
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
        file "/logs/updates.log" versions 10 size 100M;
    };
    channel query_log {
        severity info;
        print-time yes;
        file "/logs/query.log" versions 15 size 500M;
    };
    channel activity_log {
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
        file "/logs/activity.log" versions 3 size 10M;
    };
    channel dnssec_log {
        severity debug 10;
        print-time yes;
        print-category yes;
        print-severity yes;
        file "/logs/dnssec.log" versions 3 size 100M;
    };
    category queries { query_log; };
    category default { activity_log; };
    category xfer-in { activity_log; };
    category xfer-out { activity_log; };
    category notify { activity_log; };
    category security { activity_log; };
    category update-security { update_log; };
    category update { update_log; };
    category dnssec { dnssec_log; };
    category security { dnssec_log; };
};

7. Yes there is a firewall between my resolver and the rest of the world.
9. Dig outputs:

[kl...@idns1 etc]$ dig qa.pay.gov @localhost

; <<>> DiG 9.6.1-P3 <<>> qa.pay.gov @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59511
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;qa.pay.gov. IN A

;; ANSWER SECTION:
qa.pay.gov. 30 IN A 199.169.197.30

;; AUTHORITY SECTION:
pay.gov. 30 IN NS ns2.twai.gov.
pay.gov. 30 IN NS ns1.twai.gov.

;; Query time: 989 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 14 11:42:16 2010
;; MSG SIZE rcvd: 85

[kl...@idns1 etc]$ dig +trace qa.pay.gov

; <<>> DiG 9.6.1-P3 <<>> +trace qa.pay.gov
;; global options: +cmd
. 515795 IN NS i.root-servers.net.
. 515795 IN NS m.root-servers.net.
. 515795 IN NS f.root-servers.net.
. 515795 IN NS l.root-servers.net.
. 515795 IN NS e.root-servers.net.
. 515795 IN NS a.root-servers.net.
. 515795 IN NS g.root-servers.net.
. 515795 IN NS h.root-servers.net.
. 515795 IN NS k.root-servers.net.
. 515795 IN NS j.root-servers.net.
. 515795 IN NS d.root-servers.net.
. 515795 IN NS c.root-servers.net.
. 515795 IN NS b.root-servers.net.
;; Received 320 bytes from 127.0.0.1#53(127.0.0.1) in 9 ms

gov. 172800 IN NS e.usadotgov.net.
gov. 172800 IN NS g.usadotgov.net.
gov. 172800 IN NS b.usadotgov.net.
gov. 172800 IN NS c.usadotgov.net.
gov. 172800 IN NS a.usadotgov.net.
gov. 172800 IN NS d.usadotgov.net.
gov. 172800 IN NS f.usadotgov.net.
;; Received 265 bytes from 192.228.79.201#53(b.root-servers.net) in 78 ms

pay.gov. 86400 IN NS NS1.TWAI.gov.
pay.gov. 86400 IN NS NS2.TWAI.gov.
;; Received 101 bytes from 206.204.217.151#53(b.usadotgov.net) in 6278 ms

qa.pay.gov. 30 IN A 199.1
Re: ad flag for RRSIG queries
I think the issue here is that the authenticity of an RRSIG RR doesn't really make sense without the RRset it covers, and RRSIGs themselves are not signed (RFC 4035 section 2.2). The RRSIGs returned by the cache are there initially because they exist (as well as the RRsets they cover), but not because the RRsets they cover have necessarily been validated. I believe that the BIND resolver sets the AD bit if the RRset it covers has been validated (not simply exists in cache), even though it technically is undefined.

Now some guesswork to explain the behavior... From a clean cache, I make the following query:

$ dig +dnssec forfunsec.org rrsig

This returns two RRSIG RRs--one covering NS and one covering DS, and no AD bit. (Note that there are other RRSIGs returned if you query the authoritative server directly, but because the RRsets they cover aren't yet in cache, they are discarded [see RFC 4035 section 4.5]).

Next I query the following, which validates the DS RRset for forfunsec.org:

$ dig +dnssec forfunsec.org ds

Then re-try the RRSIG query:

$ dig +dnssec forfunsec.org rrsig

Same result as before--two RRSIG RRs and no AD bit because the NS RRset is not yet validated. Now I validate the NS RRset:

$ dig +dnssec forfunsec.org ns

Then re-try the RRSIG query:

$ dig +dnssec forfunsec.org rrsig

Now the cache contains three RRSIGs (the DNSKEY RRset had to be validated to validate the NS RRset), and the RRsets covered by each have been validated, so BIND sets the AD bit. Of course, these RRSIGs are not really an "RRset", nor are they authenticated, but the data they cover is at this point.

Regards,
Casey
Re: Slowness and timeouts resolving qa.pay.gov
On Jul 14, 2010, at 9:54 AM, Lear, Karen (Evolver) wrote:

> My recursive DNS servers are intermittently timing out and giving slow responses to qa.pay.gov. I haven't noticed problems with any other sites. How can I nail down where the problem is?

You are going to have to start by providing way more info, like:

1: Do you run these recursive servers or does someone else?
2: what are they ? version, etc.
3: How often does this happen?
4: Do you have the same issues with any other requests?
5: Do you have anything interesting in the logs?
6: Are you logging anything?
7: Is there a firewall between your resolver and the rest of the world?
8: Please provide configs...
9: Please provide output of dig, against both your server and with +trace.

Also, please don't start a new thread by replying to a message and changing the subject, it is bad form and will annoy lots of folk. People who have stopped following the old thread will also probably not see your message, and so you will be less likely to get help...

W

> From my home, on comast.net, I don't have slowness or timeouts resolving qa.pay.gov.
>
> Thx,
> k

--
A. No
Q. Is it sensible to top-post?
Slowness and timeouts resolving qa.pay.gov
My recursive DNS servers are intermittently timing out and giving slow responses to qa.pay.gov. I haven't noticed problems with any other sites. How can I nail down where the problem is?

From my home, on comast.net, I don't have slowness or timeouts resolving qa.pay.gov.

Thx,
k
Re: ad flag for RRSIG queries
Using the ORG trust anchor from the ITAR yields the following result on 9.7.1 (no P1 patch). No initial time out. # dig +dnssec -t RRSIG www.forfunsec.org ; <<>> DiG 9.7.1 <<>> +dnssec -t RRSIG www.forfunsec.org ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ; EDNS: version: 0, flags:; udp: 1280 ;www.forfunsec.org. IN RRSIG www.forfunsec.org. 3599IN RRSIG A 7 3 3600 20100813101841 20100714101841 50402 forfunsec.org. Gkk25aX2wRSwwEqAvazUqmdWXW9P7iW/j2LcRbuUnJnEleQYr2OWuLNf 60spJ2xFI7zD10DQcgXBnjU4lf4qozOd9w9iNzzAqFOyZ5EftSv0j2Go BZZQWAztx/JLoFyLC8EkygySl4APxWTxbb5J4FWyMuSRlG392DBDL/GS 4FI= www.forfunsec.org. 3599IN RRSIG 7 3 36000 20100813101841 20100714101841 50402 forfunsec.org. ixahCFi//d5CBf0ScxkwcYSCZv+RhfckdVscoVLxov6BGQ8F+skuy/AS WB69Dt9Q5uKjFGPNLmAnBbLL+f5ShQ/0VXAoyHCKRtiBofNFDK19VfvI y03pKjRYhAewZq5ztNzmMWH6pI014l4t6FX+Axj0dRWown6Ep0+MRYJF pGg= www.forfunsec.org. 3599IN RRSIG SSHFP 7 3 86400 20100813101841 20100714101841 50402 forfunsec.org. diOATJqAlbwIljg6ZcFxpsMPObTo8wmXyMORzZxErWxnFbpcks+ePx1t cmxKvmTKTGJ15yVab6aV+BLbxKwpIHeXLttBvWVH49twAeQrurnHmOfE UPSUzxu7bpG2czbNXk2bKuG8MyRC6Oep50sY1/ZdzAv0PN6BUokEAyJG PvQ= On 14/07/10 3:34 PM, "Tony Finch" wrote: > On Wed, 14 Jul 2010, Chris Thompson wrote: >> >> With 9.7.1-P1 (and a trust anchor for dlv.isc.org) on a local workstation >> >> dig +dnssec -t RRSIG www.forfunsec.org @127.0.0.1 >> >> initially times out. But after doing >> >> dig +dnssec -t ANY www.forfunsec.org @127.0.0.1 >> >> the same command reports the three RRSIG records (for A, and SSHFP >> types) that got into its cache, and it does set the "ad" bit in that >> response. > > I see the same for bind-9.7.1. > > Was a release announcement sent out for 9.7.1-P1? We didn't receive one here. > > Tony. -- Kal Feher ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ad flag for RRSIG queries
On Wed, 14 Jul 2010, Chris Thompson wrote:
>
> With 9.7.1-P1 (and a trust anchor for dlv.isc.org) on a local workstation
>
> dig +dnssec -t RRSIG www.forfunsec.org @127.0.0.1
>
> initially times out. But after doing
>
> dig +dnssec -t ANY www.forfunsec.org @127.0.0.1
>
> the same command reports the three RRSIG records (for A, and SSHFP
> types) that got into its cache, and it does set the "ad" bit in that
> response.

I see the same for bind-9.7.1.

Was a release announcement sent out for 9.7.1-P1? We didn't receive one here.

Tony.
--
f.anthony.n.finch http://dotat.at/
PORTLAND PLYMOUTH BISCAY FITZROY SOLE: SOUTH OR SOUTHWEST 6 TO GALE 8 BECOMING CYCLONIC LATER IN FITZROY AND SOLE. ROUGH OR VERY ROUGH, OCCASIONALLY HIGH. RAIN OR SQUALLY SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.
Re: Bind 9.4.3-P3 on Solaris 10 Hang
> hi.
>
> I'm satoshi.
>
> I use BIND 9.4.3.
>
> Same situation was generated in my DNS server.
>
> Did you solve this problem?
>
> I would like you to teach when doing because it solved it.
>
> Regards
>

Just upgrade to 9.7.1-P1 on Solaris. There are free packages ready to run at Blastwave.org

--
Dennis
Re: ad flag for RRSIG queries
Using bind 9.7.1. w/ IANA test bed and not DLV: dig +dnssec rrsig www.iis.se ; <<>> DiG 9.7.1 <<>> +dnssec rrsig www.iis.se ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49621 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1280 ;; QUESTION SECTION: ;www.iis.se.IN RRSIG ;; ANSWER SECTION: www.iis.se. 60 IN RRSIG NSEC 5 3 14400 20100723102502 20100713102502 3932 iis.se. n+0mfgfl9Ov76DZlF6BZoyGNJSc3GX/RFTaWOVStNIqPPGW13b/zuvBr ml3g556jt6GibbVp5apJ3FuQeqI9v6U4SOA36AqjhE5zMhbx2w+gAyez 5DDPyr1NOCC6E0f0cPGYj48O/aNIEXJKjyTJ0vwuwwLYiDt7jI8CNxcD Zec= www.iis.se. 60 IN RRSIG 5 3 3600 20100723102502 20100713102502 3932 iis.se. EOM2vHFm1XrQYe3xyiT+CCLU49XljlFpZzFUKZZWZb2l6hRjh9OnrTYJ bP817UA2OgKEs4Pdp6ZugQIiYhAViRd6EMlMPSyb+9YHCMioQ7JLrxfY D9K4BJOAmtBFpzL4laG5SltCx9FEesIWAYOySApVmM+uTBoRDXBHK23Z 9aw= www.iis.se. 60 IN RRSIG A 5 3 60 20100723102502 20100713102502 3932 iis.se. MF5Qq5yBzQ+ZvDvcfGBoVn6ym3EzCOVVqQY2ghVxBoSCQ9Hrh1/0nOj9 39Mr5incAefjg0mXSSvDo9WqFUm1cqUcQ4UJuOoT7VzDiC2OilAxr2xe fo6pivkNlHGIPzbXjSrq65292YIKgQnPXleTtH4HepUmn6bESQI/ioaB 9xk= and the other domain dig +dnssec -t RRSIG www.forfunsec.org ; <<>> DiG 9.7.1 <<>> +dnssec -t RRSIG www.forfunsec.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8864 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1280 ;; QUESTION SECTION: ;www.forfunsec.org. IN RRSIG ;; ANSWER SECTION: www.forfunsec.org. 3291IN RRSIG 7 3 36000 20100813101841 20100714101841 50402 forfunsec.org. ixahCFi//d5CBf0ScxkwcYSCZv+RhfckdVscoVLxov6BGQ8F+skuy/AS WB69Dt9Q5uKjFGPNLmAnBbLL+f5ShQ/0VXAoyHCKRtiBofNFDK19VfvI y03pKjRYhAewZq5ztNzmMWH6pI014l4t6FX+Axj0dRWown6Ep0+MRYJF pGg= www.forfunsec.org. 3291IN RRSIG SSHFP 7 3 86400 20100813101841 20100714101841 50402 forfunsec.org. 
diOATJqAlbwIljg6ZcFxpsMPObTo8wmXyMORzZxErWxnFbpcks+ePx1t cmxKvmTKTGJ15yVab6aV+BLbxKwpIHeXLttBvWVH49twAeQrurnHmOfE UPSUzxu7bpG2czbNXk2bKuG8MyRC6Oep50sY1/ZdzAv0PN6BUokEAyJG PvQ= www.forfunsec.org. 3291IN RRSIG A 7 3 3600 20100813101841 20100714101841 50402 forfunsec.org. Gkk25aX2wRSwwEqAvazUqmdWXW9P7iW/j2LcRbuUnJnEleQYr2OWuLNf 60spJ2xFI7zD10DQcgXBnjU4lf4qozOd9w9iNzzAqFOyZ5EftSv0j2Go BZZQWAztx/JLoFyLC8EkygySl4APxWTxbb5J4FWyMuSRlG392DBDL/GS 4FI= So it looks ok from my box. On 14/07/10 10:49 AM, "Marco Davids (SIDN)" wrote: > On 07/14/10 00:43, Doug Barton wrote: > > Can anyone explain to me why the 'ad'-flag is set for this query? > > dig +dnssec -t RRSIG www.forfunsec.org >>> I use BIND 9.7.0rc1, configured to work with the IANA testbed. > >> I'd be interested to see what happens if you upgrade to the latest >> versions in each branch (the 9.7.x server above >> What you're seeing sounds like a bug, hopefully one that's been fixed >> (as it seems to be in 9.7.1-P1). > > I just upgraded one machine to 9.7.1-P1 (configured to use DLV). > > Same result... > > ; <<>> DiG 9.7.1-P1 <<>> +dnssec rrsig www.iis.se @localhost > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48545 > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ;; QUESTION SECTION: > ;www.iis.se. IN RRSIG > > ;; ANSWER SECTION: > www.iis.se. 6 IN RRSIG A 5 3 60 20100723102502 20100713102502 3932 > iis.se. MF5Qq5yBzQ+ZvDvcfGBoVn6ym3EzCOVVqQY2ghVxBoSCQ9Hrh1/0nOj9 > 39Mr5incAefjg0mXSSvDo9WqFUm1cqUcQ4UJuOoT7VzDiC2OilAxr2xe > fo6pivkNlHGIPzbXjSrq65292YIKgQnPXleTtH4HepUmn6bESQI/ioaB 9xk= > > ;; AUTHORITY SECTION: > iis.se. 3545 IN NS ns2.nic.se. > iis.se. 3545 IN NS ns.nic.se. > iis.se. 3545 IN NS ns3.nic.se. > iis.se. 3545 IN RRSIG NS 5 2 3600 20100723102502 20100713102502 3932 > iis.se. 
JRJ11qCnEFgVFY0ZDfevfd7Colywb7tlgFXWXOjq0ikqCX8lvcIBKbik > RQ+NqwBsHE4aa4E9QLVaruFTg+5tYIKWdonDjk8Kon+8f4oAf9cy9Yjs > Ldg0N6wa2HsTlHAq+EdlvXKgZvs8qCkY87iwkVLqn0bp704yacQhVKIQ yXA= > > ;; Query time: 0 msec > ;; SERVER: 127.0.0.1#53(127.0.0.1) > ;; WHEN: Wed Jul 14 04:46:41 2010 > ;; MSG SIZE rcvd: 428 > > > dig +short chaos txt version.bind @localhost > "9.7.1-P1" > > -- > Marco > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Kal Feher ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ad flag for RRSIG queries
On Jul 13 2010, Doug Barton wrote:

> On Tue, 13 Jul 2010, Marco Davids (SIDN) wrote:
>
>> Hi,
>>
>> Can anyone explain to me why the 'ad'-flag is set for this query?
>>
>> dig +dnssec -t RRSIG www.forfunsec.org
>
> I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What version of BIND are you using?

With 9.7.1-P1 (and a trust anchor for dlv.isc.org) on a local workstation

dig +dnssec -t RRSIG www.forfunsec.org @127.0.0.1

initially times out. But after doing

dig +dnssec -t ANY www.forfunsec.org @127.0.0.1

the same command reports the three RRSIG records (for A, and SSHFP types) that got into its cache, and it does set the "ad" bit in that response.

--
Chris Thompson
Email: c...@cam.ac.uk
Re: ad flag for RRSIG queries
On 07/14/10 00:43, Doug Barton wrote: Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org >>> >> I use BIND 9.7.0rc1, configured to work with the IANA testbed. > I'd be interested to see what happens if you upgrade to the latest > versions in each branch (the 9.7.x server above > What you're seeing sounds like a bug, hopefully one that's been fixed > (as it seems to be in 9.7.1-P1). I just upgraded one machine to 9.7.1-P1 (configured to use DLV). Same result... ; <<>> DiG 9.7.1-P1 <<>> +dnssec rrsig www.iis.se @localhost ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48545 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;www.iis.se.IN RRSIG ;; ANSWER SECTION: www.iis.se. 6 IN RRSIG A 5 3 60 20100723102502 20100713102502 3932 iis.se. MF5Qq5yBzQ+ZvDvcfGBoVn6ym3EzCOVVqQY2ghVxBoSCQ9Hrh1/0nOj9 39Mr5incAefjg0mXSSvDo9WqFUm1cqUcQ4UJuOoT7VzDiC2OilAxr2xe fo6pivkNlHGIPzbXjSrq65292YIKgQnPXleTtH4HepUmn6bESQI/ioaB 9xk= ;; AUTHORITY SECTION: iis.se. 3545IN NS ns2.nic.se. iis.se. 3545IN NS ns.nic.se. iis.se. 3545IN NS ns3.nic.se. iis.se. 3545IN RRSIG NS 5 2 3600 20100723102502 20100713102502 3932 iis.se. JRJ11qCnEFgVFY0ZDfevfd7Colywb7tlgFXWXOjq0ikqCX8lvcIBKbik RQ+NqwBsHE4aa4E9QLVaruFTg+5tYIKWdonDjk8Kon+8f4oAf9cy9Yjs Ldg0N6wa2HsTlHAq+EdlvXKgZvs8qCkY87iwkVLqn0bp704yacQhVKIQ yXA= ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Jul 14 04:46:41 2010 ;; MSG SIZE rcvd: 428 dig +short chaos txt version.bind @localhost "9.7.1-P1" -- Marco ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Bind 9.4.3-P3 on Solaris 10 Hang
hi.

I'm satoshi.

I use BIND 9.4.3.

Same situation was generated in my DNS server.

Did you solve this problem?

I would like you to teach when doing because it solved it.

Regards