Re: NS Cache

2011-01-25 Thread Barry Margolin
In article ,
 p...@mail.nsbeta.info wrote:

> I'm reading the document "Secure DNS Deployment Guide" got from the URL a 
> poster gave in the list. 
> 
> The document said: 
> 
> When a user types the URL www.example.com into a Web browser, the browser 
> program contacts a type of resolver called a stub resolver that then 
> contacts a local name server (called a recursive name server or resolving 
> name server). The resolving name server will check its cache to determine 
> whether it has valid information (the information is determined to be valid
> on the basis of criteria described later in this document) to provide IP 
> address for the accessed Internet resource 
> (i.e.,www.marketing.example.com). If not, the resolving name server checks 
> the cache to determine whether it has the information regarding the name 
> server for the zone marketing.example.com (since this is the zone that is 
> expected to contain the resource www.marketing.example.com). If the name 
> server's IP address is in the cache, the resolver's next query will be 
> directed against that name server. If the IP address of the name server of 
> marketing.example.com is not available in the cache, the resolver 
> determines whether it has the name server information for a zone that is 
> one level higher than marketing.example.com (i.e., example.com). If the 
> name server information for example.com is not available, the next search 
> will be for the name server of the .com zone in the cache. 
> 
> 
> I think the statement below is wrong? 
> 
> > If not, the resolving name server checks the cache to determine whether it
> > has the information regarding the name server for the zone
> > marketing.example.com (since this is the zone that is expected to contain
> > the resource www.marketing.example.com).
>  
> 
> How does the resolver know www.marketing.example.com is a domain name or a 
> zone? www.marketing.example.com can also be a zone which has valid NS 
> records. So I was thinking the resolver shall check the cache firstly to 
> see whether it has the NS records for the zone www.marketing.example.com, 
> if not, then to check the NS for marketing.example.com. Am I right? 
> 
> Regards.

You're correct.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
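The cache walk pyh describes and Barry confirms, as an added example (not code from the thread, from BIND or from the NIST guide): the resolver looks for a cached NS RRset starting at the full query name and climbs one label at a time toward the root, so a name that is itself a zone apex is found before its parent, and an expired RRset is treated as absent. The cache contents, server names and RFC 5737 addresses are constructed.

```python
"""Resolver cache walk: find the deepest cached NS set enclosing a query name."""
from dataclasses import dataclass


@dataclass
class CachedNS:
    """A cached NS RRset for one zone plus the addresses known for its servers."""
    nameservers: list
    addresses: dict  # nameserver name -> list of IP strings (empty: no glue cached)
    expires: float   # absolute time after which the RRset may no longer be used


def normalize(name):
    """Lower-case and strip the trailing dot; the root becomes ''."""
    return name.lower().rstrip('.')


def enclosing_zones(qname):
    """Candidate zone names from the full qname up to the root, deepest first:
    www.marketing.example.com -> marketing.example.com -> example.com -> com -> ''"""
    name = normalize(qname)
    labels = name.split('.') if name else []
    for i in range(len(labels)):
        yield '.'.join(labels[i:])
    yield ''


class ResolverCache:
    def __init__(self):
        self._ns = {}  # zone name -> CachedNS

    def put_ns(self, zone, nameservers, addresses, ttl, now):
        self._ns[normalize(zone)] = CachedNS(list(nameservers), dict(addresses), now + ttl)

    def get_ns(self, zone, now):
        entry = self._ns.get(normalize(zone))
        if entry is None or entry.expires <= now:  # expired RRsets are treated as absent
            return None
        return entry


def closest_cached_ns(cache, qname, now):
    """Walk from the full qname toward the root and return the first zone with a
    cached NS set. Returns (zone, CachedNS or None, zones_checked). The full name
    is checked first, so a name that is itself a zone apex wins over its parent."""
    checked = []
    for zone in enclosing_zones(qname):
        checked.append(zone)
        entry = cache.get_ns(zone, now)
        if entry is not None:
            return zone, entry, checked
    return None, None, checked


def servers_with_addresses(entry):
    """Nameservers of a cached NS set for which an address is also cached. An
    empty result means the resolver must first resolve the NS names themselves."""
    return [ns for ns in entry.nameservers if entry.addresses.get(ns)]


def demo_cache():
    """Constructed cache contents (documentation addresses, not real servers)."""
    c = ResolverCache()
    c.put_ns('.', ['a.root.test'], {'a.root.test': ['192.0.2.1']}, 518400, now=0)
    c.put_ns('com', ['a.gtld.test'], {'a.gtld.test': ['192.0.2.2']}, 172800, now=0)
    c.put_ns('example.com', ['ns1.example.com'], {'ns1.example.com': ['192.0.2.3']}, 3600, now=0)
    # www.marketing.example.com is itself a delegated zone: NS names cached, no glue.
    c.put_ns('www.marketing.example.com', ['ns.www.marketing.example.com'], {}, 300, now=0)
    return c


if __name__ == '__main__':
    cache = demo_cache()
    for qname, now in [('www.marketing.example.com', 10),
                       ('mail.marketing.example.com', 10),
                       ('www.marketing.example.com', 400)]:
        zone, entry, checked = closest_cached_ns(cache, qname, now)
        print(f'{qname} at t={now}: checked {checked} -> zone {zone!r}')
```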

Re: get a domain's dns records

2011-01-25 Thread Joseph S D Yao
On Fri, Jan 21, 2011 at 12:50:18PM -0500, Barry Margolin wrote:
> In article ,
>  Dave Knight  wrote:
> 
> > I guess the tool just always assumes that there's probably a www worthy 
> > asking about
> 
> That's what I assumed at first, too.  But the report for his domain also 
> included NS records for the subdomain test.nsbeta.info.  Do you think it 
> also has test. in its default set of names to look up?


It has already been established by Phil Mayers that this is exactly what
it does.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: root hints

2011-01-25 Thread Joseph S D Yao
On Wed, Jan 26, 2011 at 11:20:18AM +0800, p...@mail.nsbeta.info wrote:
> 
> Hello, 
> 
>  From what version of bind is it no longer necessary to include the root hints file in 
> named.conf? Since the bind server has been including it inherently. 


I could be wrong, but I think that all V9 and even all V8 had this
"feature".  I include them anyway - because sometimes I need to change
what's hidden in the program.

With current V9 you can 'cp /dev/null $directory/named.conf' and have
'named' work fine.  But I have only done this once, just for the
experience.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: dns best practices

2011-01-25 Thread Paul Wouters

On Wed, 26 Jan 2011, p...@mail.nsbeta.info wrote:

> Casey Deccio writes:
>
>> On Sun, Jan 23, 2011 at 10:30 PM,   wrote:
>>
>>> Is there a document for dns & bind best practices?
>>> I googled but found nothing valuable.
>>
>> NIST SP 800-81 Rev. 1:
>> http://csrc.nist.gov/publications/nistpubs/800-81r1/sp-800-81r1.pdf
>
> Thanks. looks great, will learn from it.

And RFC-4641bis http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis-05

Paul


root hints

2011-01-25 Thread pyh


Hello, 

From what version of bind is it no longer necessary to include the root hints file in 
named.conf? Since the bind server has been including it inherently. 

Thanks in advance. 


Regards.


NS Cache

2011-01-25 Thread pyh


I'm reading the document "Secure DNS Deployment Guide" got from the URL a 
poster gave in the list. 

The document said: 

When a user types the URL www.example.com into a Web browser, the browser 
program contacts a type of resolver called a stub resolver that then 
contacts a local name server (called a recursive name server or resolving 
name server). The resolving name server will check its cache to determine 
whether it has valid information (the information is determined to be valid
on the basis of criteria described later in this document) to provide IP 
address for the accessed Internet resource 
(i.e.,www.marketing.example.com). If not, the resolving name server checks 
the cache to determine whether it has the information regarding the name 
server for the zone marketing.example.com (since this is the zone that is 
expected to contain the resource www.marketing.example.com). If the name 
server's IP address is in the cache, the resolver's next query will be 
directed against that name server. If the IP address of the name server of 
marketing.example.com is not available in the cache, the resolver 
determines whether it has the name server information for a zone that is 
one level higher than marketing.example.com (i.e., example.com). If the 
name server information for example.com is not available, the next search 
will be for the name server of the .com zone in the cache. 



I think the statement below is wrong? 

> If not, the resolving name server checks the cache to determine whether it
> has the information regarding the name server for the zone
> marketing.example.com (since this is the zone that is expected to contain
> the resource www.marketing.example.com).



How does the resolver know www.marketing.example.com is a domain name or a 
zone? www.marketing.example.com can also be a zone which has valid NS 
records. So I was thinking the resolver shall check the cache firstly to 
see whether it has the NS records for the zone www.marketing.example.com, 
if not, then to check the NS for marketing.example.com. Am I right? 


Regards.

Re: dns best practices

2011-01-25 Thread pyh
Casey Deccio writes:

> On Sun, Jan 23, 2011 at 10:30 PM,   wrote:
>
>> Is there a document for dns & bind best practices?
>> I googled but found nothing valuable.
>
> NIST SP 800-81 Rev. 1:
>
> http://csrc.nist.gov/publications/nistpubs/800-81r1/sp-800-81r1.pdf

Thanks. looks great, will learn from it.


Re: Forward using CNAME record

2011-01-25 Thread pyh
Gary Wallis writes:

> Do not confuse your "forwarding" with HTTP rewriting.
>
> One is just about DNS records (CNAME, A or otherwise.) The other happens
> on the server side (see Apache rewrite engine docs.)

This is not about rewriting, but about the webserver's virtual host stuff. 


Regards.


Re: Globally setting TTL

2011-01-25 Thread Paul Ooi Cong Jen

On 26-Jan-2011, at 3:09 AM, Fred Zinsli wrote:

> Hi all
> 
> New to bind or any form of DNS.
> 
> Is it possible to globally set (override) the default TTL for all zones
> and their subsequent records?

It can only be configured in the zone file; I don't think there is something which can 
configure it globally. 

> 
> Regards
> 
> Fred
> 



Re: Globally setting TTL

2011-01-25 Thread Eivind Olsen
> Is it possible to globally set (override) the default TTL for all zones
> and their subsequent records?

You're thinking about the authoritative zones you host? I am not aware of
any such setting, but it might be possible to use $INCLUDE in the
zonefiles and include a file which contains "$TTL 86400" or whatever. Try
it and see if that works for you :D

Regards
Eivind Olsen




Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-25 Thread Mark Andrews

In message , Kalman Feher writes:
> 
> 
> 
> On 25/01/11 4:10 PM, "Alan Clegg"  wrote:
> 
> > On 1/25/2011 9:51 AM, Kalman Feher wrote:
> > 
> >> If the nsec3param has been removed, the automated signing will be weird if
> >> you are using nsec3 keys. I havent tested this scenario, since it isnt
> >> really a working scenario.
> > 
> > There is no such thing as an "nsec3 key".
> Sorry, I was a little sloppy with my vernacular.
> I meant the algorithm used to create the keys in question. ie using -3 in
> dnssec-keygen. 

And *all* keys that support NSEC3 are also NSEC capable.  There
isn't such a thing as a NSEC3 key.  There are NSEC3 capable keys
and keys that are not NSEC3 capable.  All keys are NSEC capable.

As for the NSEC3PARAM going away, it is only supposed to exist in a
*signed* zone and you are attempting to add it to an unsigned zone.

The key timings are there for managing keys in an already signed zone.
You are attempting to use them to start signing the zone, which
requires a whole different set of steps to be done.

To get named to convert an unsigned zone to a signed zone with NSEC3,
use nsupdate to add the DNSKEYs and NSEC3PARAM record in the same
UPDATE request.

> > If you auto-sign a zone that does not contain an NSEC3PARAM record, the
> > zone will be signed using NSEC.
> That was the observed behaviour of the OP, which wasn't their preference.
> Hence the need to add and retain said nsec3param in this instance.
> 
> > 
> > [note that I'm leaving the rest of that mail to be responded to by
> > someone with more intimate knowledge of the auto-signing mechanism]
> > 
> > AlanC
> > 
> 
> -- 
> Kal Feher 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
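The single UPDATE request Mark recommends, built on the wire as an added example (not code from the thread, from BIND or from nsupdate): both DNSKEYs and the NSEC3PARAM record go into one RFC 2136 UPDATE, using the NSEC3PARAM values Kalman quotes (algorithm 1, opt-out clear, 12 iterations) and algorithm 7, which dnssec-keygen -3 selects by default. The key material is a constructed dummy, the zone name is example.com, and the small decoder only exists so the message can be checked before it is sent.

```python
"""Build one RFC 2136 UPDATE that adds DNSKEYs and an NSEC3PARAM in a single request."""
import base64
import os
import struct

TYPE = {'SOA': 6, 'DNSKEY': 48, 'NSEC3PARAM': 51}
CLASS_IN = 1
OPCODE_UPDATE = 5
ALG_RSASHA1_NSEC3_SHA1 = 7  # what dnssec-keygen -3 selects when no algorithm is given

# Constructed dummy key material; real DNSKEY public keys come from the .key files.
KSK_B64 = base64.b64encode(b'constructed-dummy-ksk-not-a-real-key').decode()
ZSK_B64 = base64.b64encode(b'constructed-dummy-zsk-not-a-real-key').decode()


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels ending in a zero byte."""
    out = b''
    for label in name.rstrip('.').split('.'):
        if not label:
            continue
        raw = label.encode('ascii')
        if len(raw) > 63:
            raise ValueError('label too long')
        out += bytes([len(raw)]) + raw
    return out + b'\x00'


def dnskey_rdata(flags, algorithm, pubkey_b64):
    """DNSKEY RDATA (RFC 4034): flags(2) protocol(1, always 3) algorithm(1) key."""
    return struct.pack('!HBB', flags, 3, algorithm) + base64.b64decode(pubkey_b64)


def nsec3param_rdata(hash_alg=1, flags=0, iterations=12, salt=b''):
    """NSEC3PARAM RDATA (RFC 5155): alg(1) flags(1) iterations(2) saltlen(1) salt.
    flags=0 means opt-out clear; an empty salt is what nsupdate writes as '-'."""
    return struct.pack('!BBHB', hash_alg, flags, iterations, len(salt)) + salt


def rr(name, rtype, ttl, rdata):
    """One resource record in the update section."""
    return encode_name(name) + struct.pack('!HHIH', TYPE[rtype], CLASS_IN, ttl, len(rdata)) + rdata


def build_update(zone, rrs, msg_id=None):
    """UPDATE message: header (opcode 5), zone section (zone SOA IN), no
    prerequisites, then the RRs to add in the update section."""
    ident = os.urandom(2) if msg_id is None else struct.pack('!H', msg_id)
    header = ident + struct.pack('!HHHHH', OPCODE_UPDATE << 11, 1, 0, len(rrs), 0)
    zone_section = encode_name(zone) + struct.pack('!HH', TYPE['SOA'], CLASS_IN)
    return header + zone_section + b''.join(rrs)


def signing_bootstrap_update(zone, ksk_b64=KSK_B64, zsk_b64=ZSK_B64, iterations=12, salt=b''):
    """Both DNSKEYs and the NSEC3PARAM in one request, so named sees the NSEC3
    parameters at the moment the zone becomes signed instead of falling back to NSEC."""
    rrs = [
        rr(zone, 'DNSKEY', 3600, dnskey_rdata(257, ALG_RSASHA1_NSEC3_SHA1, ksk_b64)),  # 257: KSK/SEP
        rr(zone, 'DNSKEY', 3600, dnskey_rdata(256, ALG_RSASHA1_NSEC3_SHA1, zsk_b64)),  # 256: ZSK
        rr(zone, 'NSEC3PARAM', 0, nsec3param_rdata(1, 0, iterations, salt)),
    ]
    return build_update(zone, rrs)


def _read_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return '.'.join(labels) + '.', off
        labels.append(msg[off:off + n].decode('ascii'))
        off += n


def decode_update(msg):
    """Minimal decoder for messages produced by build_update (no name compression),
    enough to verify what would be sent. Returns header fields and update RRs."""
    _ident, flags, zocount, prcount, upcount, _adcount = struct.unpack('!HHHHHH', msg[:12])
    off = 12
    zone, off = _read_name(msg, off)
    off += 4  # zone section type and class
    rrs = []
    for _ in range(upcount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {'opcode': (flags >> 11) & 0xF, 'zone': zone, 'zocount': zocount,
            'prcount': prcount, 'rrs': rrs}
```

The message is what nsupdate would send after `send`; in practice it goes to named over TCP with a two-byte length prefix and is TSIG-signed so that only an authorised key can change the zone.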


Globally setting TTL

2011-01-25 Thread Fred Zinsli
Hi all

New to bind or any form of DNS.

Is it possible to globally set (override) the default TTL for all zones
and their subsequent records?

Regards

Fred



Re: odd dig results for fqdn

2011-01-25 Thread Matus UHLAR - fantomas
On 25.01.11 13:14, M. Meadows wrote:
> From: "M. Meadows" 
> Date: Tue, 25 Jan 2011 13:14:45 -0500
> Subject: RE: odd dig results for fqdn
> To: d...@dotat.at
> Cc: bind-users 
> 
> 
> Thank you Tony. 
>  
> I see a cname pointing to another cname in this output. Is that the invalid 
> cname? 

> I thought that sort of record was discouraged but not against the rules. 
> When I do a query on these cnames I get answers that seem meaningful.
> I wonder why this would cause the odd results we are seeing ... where dig on 
> fqdn fails until we do dig with +nssearch on the domain?

> > ;; ANSWER SECTION:
> > getaroomgetadeal.com. 7200 IN SOA ns1.slicehost.net. 
> > hostmaster.getaroomgetadeal.com. 2011010501 28800 7200 604800 3600
> > getaroomgetadeal.com. 3600 IN CNAME www.getaroom.com.

CNAME cannot coexist with any other record, including SOA. That means you
can NOT CNAME a domain delegated from anywhere. You could only do it in the .com
zone, instead of delegating it anywhere (including the NS records that are in
.com for getaroomgetadeal.com).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
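A check for the rule Matus states, as an added example (not code from the thread or from BIND): parse records in dig's answer format, flag every owner name that carries a CNAME together with other data (the DNSSEC types RFC 4035 permits beside a CNAME are excluded), and report the CNAME chain Martin asked about. The sample records are re-typed from Tony's dig output, one record per line; the signed-zone sample is constructed.

```python
"""Check a set of DNS records for CNAMEs that share an owner name with other data."""
from collections import defaultdict

# DNSSEC types that RFC 4035 section 2.5 lets coexist with a CNAME at the same owner.
CNAME_COMPATIBLE = {'RRSIG', 'NSEC', 'NSEC3'}

# ANSWER and ADDITIONAL records from the thread's dig query, re-typed one per line.
SAMPLE_ANSWER = """\
; dig any getaroomgetadeal.com @ns1.slicehost.com. (sample, SOA joined onto one line)
getaroomgetadeal.com. 7200 IN SOA ns1.slicehost.net. hostmaster.getaroomgetadeal.com. 2011010501 28800 7200 604800 3600
getaroomgetadeal.com. 3600 IN CNAME www.getaroom.com.
www.getaroom.com. 3600 IN CNAME www-production-eyc.getaroom.com.
www-production-eyc.getaroom.com. 3600 IN A 174.129.27.6
"""

# Constructed: a CNAME in a DNSSEC-signed zone; its RRSIG is allowed alongside it.
SAMPLE_SIGNED = """\
alias.example.com. 300 IN CNAME target.example.com.
alias.example.com. 300 IN RRSIG CNAME 7 3 300 20110301000000 20110201000000 12345 example.com. c29tZXNpZw==
"""


def parse_records(text):
    """Parse 'owner TTL class TYPE rdata' lines as dig prints them (one record per
    line). Comment lines starting with ';' and blank lines are skipped; rdata is
    kept as a single string. Returns (owner, ttl, class, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        parts = line.split(None, 4)
        if len(parts) < 4:
            raise ValueError(f'unparseable record: {line!r}')
        owner, ttl, rclass, rtype = parts[:4]
        rdata = parts[4] if len(parts) == 5 else ''
        records.append((owner.lower().rstrip('.'), int(ttl), rclass.upper(), rtype.upper(), rdata))
    return records


def cname_conflicts(records):
    """Map each owner name that has a CNAME plus incompatible types to the sorted
    list of those other types. RFC 1034 section 3.6.2: a CNAME owner may carry no
    other data, so an SOA (or NS, A, MX, ...) next to a CNAME is an error."""
    types_by_owner = defaultdict(set)
    for owner, _ttl, _rclass, rtype, _rdata in records:
        types_by_owner[owner].add(rtype)
    conflicts = {}
    for owner, types in types_by_owner.items():
        if 'CNAME' in types:
            others = types - {'CNAME'} - CNAME_COMPATIBLE
            if others:
                conflicts[owner] = sorted(others)
    return conflicts


def apex_cname(records):
    """Owner names that carry both an SOA and a CNAME, i.e. a CNAME at a zone apex.
    A delegated zone always has SOA and NS at its apex, so its apex can never be a
    CNAME; the name could only be aliased by the parent instead of delegated."""
    return sorted(owner for owner, types in cname_conflicts(records).items() if 'SOA' in types)


def cname_chain(records, name):
    """Follow CNAMEs from name within the given records; returns the names visited,
    ending at the first non-CNAME or unknown name. A CNAME pointing at another
    CNAME is legal but discouraged; a loop is cut off instead of followed."""
    cnames = {o: r.lower().rstrip('.') for o, _, _, t, r in records if t == 'CNAME'}
    chain = [name.lower().rstrip('.')]
    while chain[-1] in cnames and cnames[chain[-1]] not in chain:
        chain.append(cnames[chain[-1]])
    return chain


if __name__ == '__main__':
    recs = parse_records(SAMPLE_ANSWER)
    print('conflicts:', cname_conflicts(recs))
    print('apex CNAME at:', apex_cname(recs))
    print('chain:', ' -> '.join(cname_chain(recs, 'getaroomgetadeal.com')))
```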


Re: Forward using CNAME record

2011-01-25 Thread Henry Hartley

On 1/25/2011 10:40 AM, Torinthiel wrote:

> On 2011-01-25 10:18 Henry Hartley wrote:
>
>> In the second case, which is NOT working, I have a similar CNAME record
>> but instead of web.me.com, it's on tumblr.com. So, I have this (this is
>> the actual domain):
>>
>> www.ioanamorosan.com.  CNAME   ioanamorosan.tumblr.com.
>>
>> If you go directly to ioanamorosan.tumblr.com, the site loads, but if
>> you go to www.ioanamorosan.com, you get a tumblr.com 404 error page. The
>> browser still displays www.ioanamorosan.com in the address bar.
>>
>> So, is this a situation where web.me.com is set up to recognize
>> www.example.com properly but tumblr.com is not? Or what?
>>
>> Should I be able to do what I'm trying to do?
>
> No, not exactly. Your name properly resolves to the same domain as
> ioanamorosan.tumblr.com. Your DNS setup is perfectly correct. But the web
> server is not configured to handle www.ioanamorosan.com.
> If you go to ioanamorosan.tumblr.com it handles the name correctly and gives
> your page. But when faced with a name it doesn't recognize it falls back to
> the default site.
>
> If you have a web panel to configure your hosting, look for something named
> alternative domain names, aliases, virtual hosts or virtual servers.
>
> The name that is sent to the web server is the one typed in the browser, and has
> nothing to do with any CNAME records on the way. The web server must be
> configured to handle it.
> Torinthiel


I thought it might be something like that. Since I don't have access to 
any web panel type interface for the site (I'm just providing DNS for a 
friend) I can't fix it on my own. Also, since she's in Europe and I'm in 
North America, it's a little harder for me to hand hold, but I'm sure 
we'll figure it out. If not, I can always point the DNS to my own web 
server and redirect from there, changing the URL passed to tumblr.com.


Thank you to you and the others who took time to answer my question.

--
Henry

RE: odd dig results for fqdn

2011-01-25 Thread M. Meadows

Thank you Tony. 
 
I see a cname pointing to another cname in this output. Is that the invalid 
cname? 
I thought that sort of record was discouraged but not against the rules. 
When I do a query on these cnames I get answers that seem meaningful.
I wonder why this would cause the odd results we are seeing ... where dig on 
fqdn fails until we do dig with +nssearch on the domain?

 
> Date: Tue, 25 Jan 2011 17:57:33 +
> From: d...@dotat.at
> To: sun-g...@live.com
> CC: bind-users@lists.isc.org
> Subject: Re: odd dig results for fqdn
> 
> On Tue, 25 Jan 2011, M. Meadows wrote:
> >
> > Any thoughts on why this might happen?
> 
> Invalid CNAME at zone apex.
> 
> ; <<>> DiG 9.6.2-P2 <<>> any getaroomgetadeal.com @ns1.slicehost.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15830
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 4
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;getaroomgetadeal.com. IN ANY
> 
> ;; ANSWER SECTION:
> getaroomgetadeal.com. 7200 IN SOA ns1.slicehost.net. 
> hostmaster.getaroomgetadeal.com. 2011010501 28800 7200 604800 3600
> getaroomgetadeal.com. 3600 IN CNAME www.getaroom.com.
> www-production-eyc.getaroom.com. 3600 IN A 174.129.27.6
> 
> ;; AUTHORITY SECTION:
> getaroom.com. 3600 IN NS ns1.slicehost.net.
> getaroom.com. 3600 IN NS ns2.slicehost.net.
> getaroom.com. 3600 IN NS ns3.slicehost.net.
> 
> ;; ADDITIONAL SECTION:
> www.getaroom.com. 3600 IN CNAME www-production-eyc.getaroom.com.
> ns1.slicehost.net. 3600 IN A 67.23.4.57
> ns2.slicehost.net. 3600 IN A 173.45.224.132
> ns3.slicehost.net. 3600 IN A 207.97.244.36
> 
> ;; Query time: 116 msec
> ;; SERVER: 67.23.4.57#53(67.23.4.57)
> ;; WHEN: Tue Jan 25 17:55:27 2011
> ;; MSG SIZE rcvd: 276
> 
> Tony.
> -- 
> f.anthony.n.finch  http://dotat.at/
> HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
> DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
> ROUGH. RAIN THEN FAIR. GOOD.

Re: odd dig results for fqdn

2011-01-25 Thread Tony Finch
On Tue, 25 Jan 2011, M. Meadows wrote:
>
> Any  thoughts on why this might happen?

Invalid CNAME at zone apex.

; <<>> DiG 9.6.2-P2 <<>> any getaroomgetadeal.com @ns1.slicehost.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15830
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;getaroomgetadeal.com.  IN  ANY

;; ANSWER SECTION:
getaroomgetadeal.com.   7200IN  SOA ns1.slicehost.net. 
hostmaster.getaroomgetadeal.com. 2011010501 28800 7200 604800 3600
getaroomgetadeal.com.   3600IN  CNAME   www.getaroom.com.
www-production-eyc.getaroom.com. 3600 IN A  174.129.27.6

;; AUTHORITY SECTION:
getaroom.com.   3600IN  NS  ns1.slicehost.net.
getaroom.com.   3600IN  NS  ns2.slicehost.net.
getaroom.com.   3600IN  NS  ns3.slicehost.net.

;; ADDITIONAL SECTION:
www.getaroom.com.   3600IN  CNAME   www-production-eyc.getaroom.com.
ns1.slicehost.net.  3600IN  A   67.23.4.57
ns2.slicehost.net.  3600IN  A   173.45.224.132
ns3.slicehost.net.  3600IN  A   207.97.244.36

;; Query time: 116 msec
;; SERVER: 67.23.4.57#53(67.23.4.57)
;; WHEN: Tue Jan 25 17:55:27 2011
;; MSG SIZE  rcvd: 276

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.


Re: dns best practices

2011-01-25 Thread Casey Deccio
On Sun, Jan 23, 2011 at 10:30 PM,   wrote:
> Is there a document for dns & bind best practices?
> I googled but found nothing valuable.
>

NIST SP 800-81 Rev. 1:

http://csrc.nist.gov/publications/nistpubs/800-81r1/sp-800-81r1.pdf

Casey


odd dig results for fqdn

2011-01-25 Thread M. Meadows


: dig mta.news.getaroomgetadeal.com +noall +answer @4.2.2.1
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> 
mta.news.getaroomgetadeal.com +noall +answer @4.2.2.1
;; global options:  printcmd

 
: dig news.getaroomgetadeal.com +nssearch @4.2.2.1
SOA ns1.exacttarget.com. hostmaster.exacttarget.com. 2011012501 7200 3600 
1209600 3600 from server ns1.exacttarget.com in 3 ms.
SOA ns1.exacttarget.com. hostmaster.exacttarget.com. 2011012501 7200 3600 
1209600 3600 from server ns2.exacttarget.com in 95 ms.

 
: dig mta.news.getaroomgetadeal.com +noall +answer @4.2.2.1
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> 
mta.news.getaroomgetadeal.com +noall +answer @4.2.2.1
;; global options:  printcmd
mta.news.getaroomgetadeal.com. 3600 IN  A   68.232.198.41

 
Then wait a while (less than the 3600 TTL) and the dig for 
mta.news.getaroomgetadeal.com starts failing again. Repeat the dig of the 
domain with +nssearch and it works again.
 
 
Haven't seen this behavior before. Sort of screwy isn't it? Any thoughts on why 
this might happen?
 
Thanks,
Martin Meadows

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-25 Thread Kalman Feher



On 25/01/11 4:10 PM, "Alan Clegg"  wrote:

> On 1/25/2011 9:51 AM, Kalman Feher wrote:
> 
>> If the nsec3param has been removed, the automated signing will be weird if
>> you are using nsec3 keys. I havent tested this scenario, since it isnt
>> really a working scenario.
> 
> There is no such thing as an "nsec3 key".
Sorry, I was a little sloppy with my vernacular.
I meant the algorithm used to create the keys in question. ie using -3 in
dnssec-keygen. 



> 
> If you auto-sign a zone that does not contain an NSEC3PARAM record, the
> zone will be signed using NSEC.
That was the observed behaviour of the OP, which wasn't their preference.
Hence the need to add and retain said nsec3param in this instance.

> 
> [note that I'm leaving the rest of that mail to be responded to by
> someone with more intimate knowledge of the auto-signing mechanism]
> 
> AlanC
> 

-- 
Kal Feher 



Re: Forward using CNAME record

2011-01-25 Thread Torinthiel
On 2011-01-25 10:18 Henry Hartley wrote:

>My apologies if this gets to the list twice. I tried to post it through 
>the web interface but it seems to have been dropped by whatever 
>screening gets applied.
>
>I'm not sure if I've misunderstood the use of CNAME or if I've simply 
>done something wrong.
>
>I have two domains that I want to forward. One is working properly and 
>the other is not. In both cases I want users to enter a URL in their 
>browser (www.example.com) and be forwarded to a different system, where 
>the user has their site. In the working case, the forwarding it to 
>web.me.com so I have the following in my zone file:
>
>www.example.com.   CNAME   web.me.com.
>
>When you point your browser to www.example.com (obviously not
>"example") the page on web.me.com loads properly but www.example.com is 
>still displayed in the address bar.
>
>In the second case, which is NOT working, I have a similar CNAME record 
>but instead of web.me.com, it's on tumblr.com. So, I have this (this is 
>the actual domain):
>
>www.ioanamorosan.com.  CNAME   ioanamorosan.tumblr.com.
>
>If you go directly to ioanamorosan.tumblr.com, the site loads, but if 
>you go to www.ioanamorosan.com, you get a tumblr.com 404 error page. The 
>browser still displays www.ioanamorosan.com in the address bar.
>
>So, is this a situation where web.me.com is set up to recognize 
>www.example.com properly but tumblr.com is not? Or what?
>
>Should I be able to do what I'm trying to do?

No, not exactly. Your name properly resolves to the same domain as 
ioanamorosan.tumblr.com. Your DNS setup is perfectly correct. But the web 
server is not configured to handle www.ioanamorosan.com.
If you go to ioanamorosan.tumblr.com it handles the name correctly and gives 
your page. But when faced with a name it doesn't recognize it falls back to 
the default site.

If you have a web panel to configure your hosting, look for something named 
alternative domain names, aliases, virtual hosts or virtual servers.

The name that is sent to the web server is the one typed in the browser, and has 
nothing to do with any CNAME records on the way. The web server must be  
configured to handle it.
Torinthiel

Re: Forward using CNAME record

2011-01-25 Thread Eivind Olsen
> www.example.com.   CNAME   web.me.com.
> When you point your browser to www.example.com (obviously not
> "example") the page on web.me.com loads properly but www.example.com is
> still displayed in the address bar.

What happens in this case is: the web browser you use will connect to the
address of web.me.com but will present a HTTP host header asking for
www.example.com. Depending on the configuration of the webserver on that
host, it may serve web pages from a default document root, which may or
may not be the same as web.me.com

> www.ioanamorosan.com.  CNAME   ioanamorosan.tumblr.com.
> If you go directly to ioanamorosan.tumblr.com, the site loads, but if
> you go to www.ioanamorosan.com, you get a tumblr.com 404 error page. The
> browser still displays www.ioanamorosan.com in the address bar.

In this case, the webserver on ioanamorosan.tumblr.com doesn't know how to
deal with requests coming in for www.ioanamorosan.com and gives that error
message.
The administrators of the webserver could add a ServerAlias setting in
their Apache configuration, to put requests into the correct document
root.

Regards
Eivind Olsen


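The mechanism Torinthiel and Eivind describe, as an added example (not code from the thread, from Apache or from either hosting provider): the browser follows the CNAME to an address but sends the typed name in the Host header, so the outcome depends on the web server's virtual-host table, and adding the alias (Apache's ServerAlias) is what turns the 404 into the page. The DNS data mirrors Henry's two CNAMEs with RFC 5737 addresses; that web.me.com falls back to a default site while tumblr answers 404 is an assumption taken from Eivind's explanation.

```python
"""CNAME forwarding vs the HTTP Host header: why one alias works and the other 404s."""

# Constructed DNS data mirroring the thread: each typed name is a CNAME to the
# hosting provider's name; the addresses are documentation addresses.
DNS = {
    'www.example.com.': ('CNAME', 'web.me.com.'),
    'web.me.com.': ('A', '192.0.2.20'),
    'www.ioanamorosan.com.': ('CNAME', 'ioanamorosan.tumblr.com.'),
    'ioanamorosan.tumblr.com.': ('A', '192.0.2.10'),
}


def resolve(name, max_hops=8):
    """Follow the CNAME chain to an address. Returns (address, canonical name)."""
    name = name.lower().rstrip('.') + '.'
    for _ in range(max_hops + 1):
        rtype, rdata = DNS[name]
        if rtype == 'A':
            return rdata, name
        name = rdata.lower()
    raise RuntimeError('CNAME chain too long or looping')


def build_request(typed_host, path='/'):
    """What the browser does: resolve the typed name (following CNAMEs) but put
    the *typed* name in the Host header; the CNAME target never appears in HTTP."""
    address, _canonical = resolve(typed_host)
    request = f'GET {path} HTTP/1.1\r\nHost: {typed_host}\r\n\r\n'
    return address, request


def host_from_request(request):
    """Extract the Host header value, lower-cased, without a :port suffix
    (IPv6 literals in Host are not handled here)."""
    for line in request.split('\r\n')[1:]:
        if not line:
            break
        key, _, value = line.partition(':')
        if key.strip().lower() == 'host':
            return value.strip().lower().split(':')[0]
    return None


class WebServer:
    """Name-based virtual hosting: pick a site by Host header. 'default' is what is
    served when no vhost matches (a default document root); None means the server
    answers 404 for names it does not know, as tumblr did for Henry."""

    def __init__(self, sites, default=None):
        self.sites = {k.lower(): v for k, v in sites.items()}
        self.default = default

    def add_alias(self, alias, existing):
        """Equivalent of Apache's ServerAlias: map another name onto a site."""
        self.sites[alias.lower()] = self.sites[existing.lower()]

    def handle(self, request):
        host = host_from_request(request)
        site = self.sites.get(host, self.default)
        if site is None:
            return 404, 'Not Found'
        return 200, site


# Constructed server tables, keyed by address (assumption: me.com serves a
# default site for any Host, tumblr only knows its own names).
SERVERS = {
    '192.0.2.20': WebServer({'web.me.com': 'me.com pages'}, default='me.com pages'),
    '192.0.2.10': WebServer({'ioanamorosan.tumblr.com': "Ioana's tumblr"}),
}


def browse(typed_host):
    """End-to-end: resolve, send the request, return (status, body)."""
    address, request = build_request(typed_host)
    return SERVERS[address].handle(request)


if __name__ == '__main__':
    for name in ('www.example.com', 'ioanamorosan.tumblr.com', 'www.ioanamorosan.com'):
        print(name, '->', browse(name))
    SERVERS['192.0.2.10'].add_alias('www.ioanamorosan.com', 'ioanamorosan.tumblr.com')
    print('after ServerAlias:', browse('www.ioanamorosan.com'))
```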


Re: Forward using CNAME record

2011-01-25 Thread Gary Wallis

Gary Wallis wrote:

> Henry Hartley wrote:
>
>> ...
>>
>> In the second case, which is NOT working, I have a similar CNAME
>> record but instead of web.me.com, it's on tumblr.com. So, I have this
>> (this is the actual domain):
>>
>> www.ioanamorosan.com.  CNAME   ioanamorosan.tumblr.com.
>>
>> If you go directly to ioanamorosan.tumblr.com, the site loads, but if
>> you go to www.ioanamorosan.com, you get a tumblr.com 404 error page.
>> The browser still displays www.ioanamorosan.com in the address bar.
>>
>> So, is this a situation where web.me.com is set up to recognize
>> www.example.com properly but tumblr.com is not? Or what?
>>
>> Should I be able to do what I'm trying to do?


About your second case:

This is not about DNS but about HTTP. Site tumblr uses the incoming HTTP 
request to provide content. Since it does not know anything about 
"www.ioanamorosan.com" it returns the 404.


Cheers!
Gary



Re: Forward using CNAME record

2011-01-25 Thread Gary Wallis

Henry Hartley wrote:

> My apologies if this gets to the list twice. I tried to post it through
> the web interface but it seems to have been dropped by whatever
> screening gets applied.
>
> I'm not sure if I've misunderstood the use of CNAME or if I've simply
> done something wrong.
>
> I have two domains that I want to forward. One is working properly and
> the other is not. In both cases I want users to enter a URL in their
> browser (www.example.com) and be forwarded to a different system, where
> the user has their site. In the working case, the forwarding it to
> web.me.com so I have the following in my zone file:
>
> www.example.com.   CNAME   web.me.com.
>
> When you point your browser to www.example.com (obviously not
> "example") the page on web.me.com loads properly but www.example.com is
> still displayed in the address bar.
>
> In the second case, which is NOT working, I have a similar CNAME record
> but instead of web.me.com, it's on tumblr.com. So, I have this (this is
> the actual domain):
>
> www.ioanamorosan.com.  CNAME   ioanamorosan.tumblr.com.
>
> If you go directly to ioanamorosan.tumblr.com, the site loads, but if
> you go to www.ioanamorosan.com, you get a tumblr.com 404 error page. The
> browser still displays www.ioanamorosan.com in the address bar.
>
> So, is this a situation where web.me.com is set up to recognize
> www.example.com properly but tumblr.com is not? Or what?
>
> Should I be able to do what I'm trying to do?
>
> --
> Henry



Do not confuse your "forwarding" with HTTP rewriting.

One is just about DNS records (CNAME, A or otherwise.) The other happens 
on the server side (see Apache rewrite engine docs.)


Usually both must be setup correctly to achieve your "forwarding."

Cheers!
Gary


Forward using CNAME record

2011-01-25 Thread Henry Hartley
My apologies if this gets to the list twice. I tried to post it through 
the web interface but it seems to have been dropped by whatever 
screening gets applied.


I'm not sure if I've misunderstood the use of CNAME or if I've simply 
done something wrong.


I have two domains that I want to forward. One is working properly and 
the other is not. In both cases I want users to enter a URL in their 
browser (www.example.com) and be forwarded to a different system, where 
the user has their site. In the working case, the forwarding it to 
web.me.com so I have the following in my zone file:


www.example.com.   CNAME   web.me.com.

When you point your browser to www.example.com (obviously not
"example") the page on web.me.com loads properly but www.example.com is 
still displayed in the address bar.


In the second case, which is NOT working, I have a similar CNAME record 
but instead of web.me.com, it's on tumblr.com. So, I have this (this is 
the actual domain):


www.ioanamorosan.com.  CNAME   ioanamorosan.tumblr.com.

If you go directly to ioanamorosan.tumblr.com, the site loads, but if 
you go to www.ioanamorosan.com, you get a tumblr.com 404 error page. The 
browser still displays www.ioanamorosan.com in the address bar.


So, is this a situation where web.me.com is set up to recognize 
www.example.com properly but tumblr.com is not? Or what?


Should I be able to do what I'm trying to do?

--
Henry


Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-25 Thread Alan Clegg
On 1/25/2011 9:51 AM, Kalman Feher wrote:

> If the nsec3param has been removed, the automated signing will be weird if
> you are using nsec3 keys. I havent tested this scenario, since it isnt
> really a working scenario.

There is no such thing as an "nsec3 key".

If you auto-sign a zone that does not contain an NSEC3PARAM record, the
zone will be signed using NSEC.

[note that I'm leaving the rest of that mail to be responded to by
someone with more intimate knowledge of the auto-signing mechanism]

AlanC




Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-25 Thread Kalman Feher



On 25/01/11 2:34 PM, "Zbigniew Jasiński"  wrote:

> 
> On 2011-01-24 17:47, Kalman Feher wrote:
>> This appears to be the problem.
>> I copied your NSEC3PARAM (opt out clear, 12 iterations) details but could
>> not replicate it. Try turning up the logging to get more information about
>> why the nsec3param is removed. Make sure also that your keys are nsec3
>> compatible and you don't have any old non nsec3 keys in the directory that
>> could be used to sign.
> 
> 
> I was trying to reproduce your scheme:
> 
>> FWIW I use a script to add all my test zones from a zone template file. That
>> script automatically adds the nsec3param as soon as the zone is loaded, but
>> before it signs. That way I keep things simple and never forget to update
>> that zone before signing.
> 
> but without success. did you use keys with future Prepublish and
> Activate or it's set to NOW?
> 
> I made few tests:
> 
> -- first scenario (desirable):
> 
> 1. get unsigned zone
> 2. generate nsec3 compatible keys (Prepublish and Activate in the future)
> 3. send 'rndc sign' to named
> 4. send NSEC3PARAM via dynamic update
If you swap steps 3 and 4 you'll be ok. That is assuming your sign is issued
at the point in future after your activate date (activate saying that the
key should now be used to sign rather than just be present for caching).
Done in that order, my test worked fine, including DS signing whenever a DS
was added (along with any other new record).
> 
> result:
> 
> after waiting until key Activate event:
> 
> 1. SOA and DNSKEY records are signed and have RRSIG records
> 2. NSEC3PARAM and DS records are still unsigned
This is symptomatic of the broken automatic signing. I suspect any new
record would not be signed. Give it a try just in case.
> 
> which is not a properly signed zone.
> 
> -- second scenario:
> 
> 1. get unsigned zone with NSEC3PARAM record
> 2. generate nsec3 compatible keys (Prepublish and Activate in the future)
> 3. send 'rndc sign' to named
> 
> result:
> 
> 1. NSEC3PARAM is immediately removed from zone
If you issue sign before the key is active, you're not going to be able to
sign properly. I'm not sure why nsec3param is removed, but it probably is
due to the aborted automated signing.
> 
> after waiting until key Activate event:
> 
> 1. SOA and DNSKEY records are signed and have RRSIG records, but in the zone
> file; I can't get RRSIG records in the DNS response, only if I send a query
> for RRSIG records
If the nsec3param has been removed, the automated signing will be weird if
you are using nsec3 keys. I haven't tested this scenario, since it isn't
really a working scenario.
> 
> -- third scenario:
> 
> 1. get unsigned zone
> 2. generate nsec3 compatible keys (Prepublish and Activate = NOW)
> 3. send NSEC3PARAM via dynamic update
> 4. send 'rndc sign' to named
> 
> result:
> 
> everything is ok.
> 
> One conclusion: you need to have at least one key in Activate state. As
> for me, this is a wrong assumption. The first scenario should be OK, but strange
> things happened after the Activate event, or I made a mistake.
Yes this is the correct scenario. Activate is when you plan on using that
key to sign. Issuing sign without an active key doesn't really make sense.
Noting of course that the metadata is only used by the automated signing
logic within BIND. So you can always use any key to sign manually. However I
think this may have misled you regarding the purpose of the metadata.

The best way to think of keys in DNSSEC is in groups of threes.
Keys in the past, keys in the future and keys in the present.

Keys in the past don't matter for your first signing.

Keys in the present are used for signing _right now_. That means they need
to be active and published.

Keys in the future will be used to sign, so they should ideally be published
beforehand. You may also need to apply some parent publishing logic (has my
registry accepted my DS, has it published in the parent zone) for the exact
time difference between publish and activate. Most organisations simply
leave a large gap (a month or two) between publish and activate for KSKs as
a result.

With that in mind, your first time signing should be:

1. Create nsec3 compatible keys. Ideally a pair for now and a pair for the
future (the future pair can wait however).
 - Personally my "now" keys are actually set as active and publish in the
 past.
 - My future keys are created on a set schedule with publish dates a few days
 before their active dates (this is the test system, production systems need
 longer times).

2. If the zone is not already locally dynamically managed, do so now.

3. NSEC3PARAM is added.

4. Sign is issued for the first and last time (if you are using "maintain").
 - The active keys are used to sign and will continue to be used until they
 are no longer active.
 - The key directory will be checked as key events approach and keys will be
 published and made active according to their metadata. For the exact timing
 aroun
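
An added example, not from this thread or from BIND: it groups keys by their Publish/Activate/Inactive metadata the way the post does (past, present, future) and reports whether a sign issued at a given moment would have a published, active, NSEC3-capable key to use. The `; Publish: YYYYMMDDHHMMSS` comment layout is assumed from what dnssec-keygen writes into `.key` files, and the sample key lines are constructed.

```python
# Group DNSSEC keys by timing metadata the way the post does (past / present /
# future) and check whether an 'rndc sign' issued now would find a published,
# active, NSEC3-capable key. Added illustration, not BIND code; the sample
# key-file lines are constructed in the comment layout dnssec-keygen writes.
import re
from datetime import datetime

NSEC3_CAPABLE = {6, 7, 8, 10}  # RFC 5155 aliases 6/7, RFC 5702 algorithms 8/10
EVENT_RE = re.compile(r"^;\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})")
DNSKEY_RE = re.compile(r"\bIN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\b")

def parse_key_file(text):
    """Pull flags, algorithm and timing events out of a .key file's text."""
    info = {"events": {}}
    for line in text.splitlines():
        ev, key = EVENT_RE.match(line), DNSKEY_RE.search(line)
        if ev:
            info["events"][ev.group(1)] = datetime.strptime(ev.group(2), "%Y%m%d%H%M%S")
        elif key:
            info["flags"], info["algorithm"] = int(key.group(1)), int(key.group(2))
    return info

def classify(info, now):
    """'present' = published and active at now; 'past' = inactive or deleted; else 'future'."""
    ev = info["events"]
    if any(k in ev and ev[k] <= now for k in ("Inactive", "Delete")):
        return "past"
    if all(k in ev and ev[k] <= now for k in ("Publish", "Activate")):
        return "present"
    return "future"

def sign_readiness(key_texts, now):
    """Group every key and say whether a sign issued at `now` would make sense."""
    groups = {"past": [], "present": [], "future": [], "not_nsec3": []}
    for text in key_texts:
        info = parse_key_file(text)
        label = "alg%d/flags%d" % (info["algorithm"], info["flags"])
        if info["algorithm"] not in NSEC3_CAPABLE:
            groups["not_nsec3"].append(label)  # old key that could still be picked up
        groups[classify(info, now)].append(label)
    groups["ready"] = bool(groups["present"]) and not groups["not_nsec3"]
    return groups

# Constructed samples: an active KSK, a ZSK scheduled ahead (the post's "first
# scenario" key) and a leftover RSASHA1 (algorithm 5) ZSK.
KEY_NOW = "; Publish: 20110101000000\n; Activate: 20110101000000\nexample.com. IN DNSKEY 257 3 7 AwEAAexampleKSK="
KEY_FUTURE = "; Publish: 20110128000000\n; Activate: 20110201000000\nexample.com. IN DNSKEY 256 3 7 AwEAAexampleZSK="
KEY_OLD = "; Publish: 20100101000000\n; Activate: 20100101000000\n; Inactive: 20100701000000\nexample.com. IN DNSKEY 256 3 5 AwEAAoldZSK="
```

With only KEY_FUTURE in the directory the report says not ready, which is the post's first scenario; with KEY_NOW present it is ready, and a leftover algorithm 5 key is flagged even though it is already inactive.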

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-25 Thread Zbigniew Jasiński

On 2011-01-24 17:47, Kalman Feher wrote:
> This appears to be the problem.
> I copied your NSEC3PARAM (opt out clear, 12 iterations) details but could
> not replicate it. Try turning up the logging to get more information about
> why the nsec3param is removed. Make sure also that your keys are nsec3
> compatible and you don't have any old non nsec3 keys in the directory that
> could be used to sign.


I was trying to reproduce your scheme:

> FWIW I use a script to add all my test zones from a zone template
> file. That script automatically adds the nsec3param as soon as the zone is
> loaded, but before it signs. That way I keep things simple and never forget
> to update that zone before signing.

but without success. Did you use keys with future Prepublish and
Activate, or is it set to NOW?

I made a few tests:

-- first scenario (desirable):

1. get unsigned zone
2. generate nsec3 compatible keys (Prepublish and Activate in the future)
3. send 'rndc sign' to named
4. send NSEC3PARAM via dynamic update

result:

after waiting until key Activate event:

1. SOA and DNSKEY records are signed and have RRSIG records
2. NSEC3PARAM and DS records are still unsigned

which is not a properly signed zone.

-- second scenario:

1. get unsigned zone with NSEC3PARAM record
2. generate nsec3 compatible keys (Prepublish and Activate in the future)
3. send 'rndc sign' to named

result:

1. NSEC3PARAM is immediately removed from zone

after waiting until key Activate event:

1. SOA and DNSKEY records are signed and have RRSIG records, but in the zone
file; I can't get RRSIG records in the DNS response, only if I send a query
for RRSIG records

-- third scenario:

1. get unsigned zone
2. generate nsec3 compatible keys (Prepublish and Activate = NOW)
3. send NSEC3PARAM via dynamic update
4. send 'rndc sign' to named

result:

everything is ok.

One conclusion: you need to have at least one key in Activate state. As
for me, this is a wrong assumption. The first scenario should be OK, but strange
things happened after the Activate event, or I made a mistake.

--
regards

zbigniew jasinski
[SYStem OPerator]



Re: CHANGES file for new releases [was: Re: BIND 9.7.3b1 is now available]

2011-01-25 Thread Chris Thompson

On Dec 24 2010, Mark Andrews wrote:

> I've extracted the CHANGES files for BIND 9.6.3b1, BIND 9.7.3b1 and
> BIND 9.8.0a1 and put them in relevant directories on ftp.isc.org.

Thanks, but ...

It would be helpful if this happened for all new versions.

--
Chris Thompson
Email: c...@cam.ac.uk


Re: BIND 9.8.0b1 Released Today

2011-01-25 Thread Matus UHLAR - fantomas
> >> I wonder, what are expected usages for this kinds of zones?
> >> Maybe blacklists, if we have local mirrors and traffic so high that
> >> we'd get blocked imediately?

> On Jan 24, 2011, at 5:59 AM, Cathy Almond wrote:
> > One use case is for testing new servers that aren't yet part of the main
> > Internet name space.  You can force queries for that zone to go to your
> > test servers (maybe they're running new software, maybe they're testing
> > DNSSEC, maybe... ) instead of the servers that would be located the via
> > delegation from the parent zone.  In this instance the test servers
> > might well need to respond with the 'real' nameserver information (for
> > returning to clients) - but you don't want that to override the fact
> > that you still want to send future queries to the servers you have on test.

On 24.01.11 13:13, Chris Buxton wrote:
> Another use is to separate recursion from internal authoritative name
> servers. You could put this on the recursing name servers, telling them
> explicitly which auth servers to hit rather than relying on a traditional
> stub zone.
> 
> This might be useful if the zone is hosted on some nearby servers and also
> some remote servers, to avoid having the RTT algorithm cause the recursing
> server to query the remote servers.

Using "type forward" with "forward first" would behave better, because they
would query the remote servers if all nearby servers became unreachable or
had troubles.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Re: Question when testing Caching Server with resperf

2011-01-25 Thread khanh rua
Hi Eivind Olsen,

The command I used for the test is

/usr/local/nom/bin/resperf -d /usr/local/nom/examples/dnsperf/queryfile-example-100thousand -s localhost -P result.txt

queryfile-example-100thousand and queryfile-example-3million are provided by
Nominum. Each line in the file is an input to query, so the files have 100 000 and
3 000 000 lines (queries). So the data is external data and real data.

First test: When I use queryfile-example-100thousand, I ran the command twice. It's OK
with the first command, with a result of 9000 throughput. The second command said "ran out
of query data". So it means resperf used all the lines (queries) of the file. So
resperf doesn't re-use the same 65000 lines that were run in the first command.
Maybe it used 65000 lines randomly, I don't know. I can't find how it works with
queries in the Nominum document. So I need help with this.

Second test: Next, I flushed the cache. I ran the command with the 3million query file, and
ran the command continuously and checked the named process with top. The process just
reached 600Mb and did not increase anymore. So it means the cache is not increasing.
But if the command uses different queries each time (as in the first test), why doesn't it
increase? As I think, the cache will save new queries and it will help faster
search.

Tien 86.

