Re: SPF implementation schedule.
Looking at zytrix and spf2 sites, it seems that SPF is yet to be implemented at functional level. RFC4408 documentation suggests method to implement SPF. However, I need to know if ISC is planning to provide support for SPF at client and/or server side. Will anyone from ISC like to comment?

On Mon, Jul 11, 2011 at 7:42 PM, Eivind Olsen eiv...@aminor.no wrote:
> kalpesh varyani wrote:
> > Does ISC implement SPF for server or client side currently? If yes, then where to get the libraries; if not then what is the scheduled date/release for implementation?
>
> I'm not ISC, and anything I say may be completely wrong. Ok, that's the disclaimer done with...
>
> BIND support for SPF extends as far as being allowed to put SPF records into zones. As far as I know BIND does not have any libraries or functions to actually make much sense of the content of SPF records, which is what I'm guessing you're really looking for.
>
> Perhaps something like libspf (http://www.libspf2.org) is what you want?
>
> Regards
> Eivind Olsen

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: SPF implementation schedule.
On 2011-07-12 10:07, kalpesh varyani wrote:
> Looking at zytrix and spf2 sites, it seems that SPF is yet to be implemented at functional level. RFC4408 documentation suggests method to implement SPF. However, I need to know if ISC is planning to provide support for SPF at client and/or server side. Will anyone from ISC like to comment?

I'm not from ISC as well, but as Eivind has already stated - BIND already supports EVERYTHING there is on DNS server/resolver side. It serves SPF records, allows to fetch them, and there's nothing more from DNS you can require.

What remains is *mailserver's* side to query for said SPF records and act accordingly. And this does not belong to ISC, but to your mailserver's provider. Postfix can do this by external plugins, some others probably as well but I haven't tested it.

Regards,
Torinthiel
Re: SPF implementation schedule.
Hi,

I have fallen in problem with my dns server. Sometimes, some specific domain can't resolve. From log report (/var/log/messages) I have given log for that.

Jul 12 11:17:44 ns1 named[14948]: client 178.33.222.134#38772: query (cache) 'rankstel.net/MX/IN' denied
Jul 12 11:17:45 ns1 named[14948]: client 212.204.41.82#44529: query (cache) 'rankstel.net/MX/IN' denied
Jul 12 11:17:48 ns1 named[14948]: client 212.204.41.82#64402: query (cache) 'rankstel.net/MX/IN' denied
Jul 12 11:17:49 ns1 named[14948]: client 69.73.138.12#55591: query (cache) 'era.com.bd/MX/IN' denied

If you advise, it's useful for me.

Regards-
Mahmud
almah...@ranksitt.net
Re: SPF implementation schedule.
On 12.07.11 15:07, almah...@ranksitt.net wrote:
> I have fallen in problem with my dns server. Some times , some specific domain can't resolve. From log report (/var/log/messages) i have given log for that.
>
> Jul 12 11:17:44 ns1 named[14948]: client 178.33.222.134#38772: query (cache) 'rankstel.net/MX/IN' denied
> Jul 12 11:17:45 ns1 named[14948]: client 212.204.41.82#44529: query (cache) 'rankstel.net/MX/IN' denied
> Jul 12 11:17:48 ns1 named[14948]: client 212.204.41.82#64402: query (cache) 'rankstel.net/MX/IN' denied

rankstel.net is delegated to two servers, of which one refuses queries, the other doesn't reply. Either the domain is not configured on the first, or it has restricted clients with allow-query. The other is apparently down.

> Jul 12 11:17:49 ns1 named[14948]: client 69.73.138.12#55591: query (cache) 'era.com.bd/MX/IN' denied

three servers, nearly the same problems.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: SPF implementation schedule.
On 2011-07-12 11:07, almah...@ranksitt.net wrote:
> Hi, I have fallen in problem with my dns server. Some times , some specific domain can't resolve. From log report (/var/log/messages) i have given log for that.

And what does this have in common with the thread you've replied to?

> Jul 12 11:17:44 ns1 named[14948]: client 178.33.222.134#38772: query (cache) 'rankstel.net/MX/IN' denied
> Jul 12 11:17:45 ns1 named[14948]: client 212.204.41.82#44529: query (cache) 'rankstel.net/MX/IN' denied
> Jul 12 11:17:48 ns1 named[14948]: client 212.204.41.82#64402: query (cache) 'rankstel.net/MX/IN' denied

Looks like rankstel.net is delegated to two nameservers (see dig ns rankstel.net @e.gtld-servers.net.): ns1.ranksitt.net. (which refuses to answer for it) and ns1.rankstel.net. (which times out). So, rankstel.net is broken, you cannot do anything with it.

> Jul 12 11:17:49 ns1 named[14948]: client 69.73.138.12#55591: query (cache) 'era.com.bd/MX/IN' denied

And era.com.bd is delegated to ns2.ranksitt.net., ns1.ranksitt.net. and dns.bankasia.com.bd. And I see three different answers from those servers. Only ns2.ranksitt.net seems to be configured correctly (but I haven't dug any deeper). Note, I've not tested it deeply, so it might be wrong.

Regards,
Torinthiel
Re: rankstel.net (was: SPF implementation schedule.)
Mahmud wrote:
> I have fallen in problem with my dns server. Some times , some specific domain can't resolve. From log report (/var/log/messages) i have given log for that.
>
> Jul 12 11:17:44 ns1 named[14948]: client 178.33.222.134#38772: query (cache) 'rankstel.net/MX/IN' denied
> Jul 12 11:17:45 ns1 named[14948]: client 212.204.41.82#44529: query (cache) 'rankstel.net/MX/IN' denied
> Jul 12 11:17:48 ns1 named[14948]: client 212.204.41.82#64402: query (cache) 'rankstel.net/MX/IN' denied
> Jul 12 11:17:49 ns1 named[14948]: client 69.73.138.12#55591: query (cache) 'era.com.bd/MX/IN' denied

I only looked into rankstel.net, since it was listed 3 times above. The domain rankstel.net is delegated to ns1.ranksitt.net (202.40.176.12) and ns1.rankstel.net (202.72.233.7), but neither of them are working: ns1.ranksitt.net is giving return code REFUSE when I ask it for the NS records to rankstel.net, and ns1.rankstel.net just isn't giving any answer back (timeout). Whoever owns those nameservers should probably consider fixing them.

PS! Don't just reply to a previous email when you write about something unrelated - it messes up the topic, threading etc.

Regards
Eivind Olsen
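The log lines quoted in this sub-thread, tallied per query name: a name that keeps being refused for outside clients is the pattern the replies describe, a server listed in the delegation that does not answer for the zone. This is an added example, not code from any poster; the function names are this example's own.

```python
import re
from collections import defaultdict

# The four syslog lines quoted in the thread, verbatim.
LOG = """\
Jul 12 11:17:44 ns1 named[14948]: client 178.33.222.134#38772: query (cache) 'rankstel.net/MX/IN' denied
Jul 12 11:17:45 ns1 named[14948]: client 212.204.41.82#44529: query (cache) 'rankstel.net/MX/IN' denied
Jul 12 11:17:48 ns1 named[14948]: client 212.204.41.82#64402: query (cache) 'rankstel.net/MX/IN' denied
Jul 12 11:17:49 ns1 named[14948]: client 69.73.138.12#55591: query (cache) 'era.com.bd/MX/IN' denied
"""

# Matches the format shown above; the optional groups tolerate the extra
# "@0x..." and "(name)" fields that later BIND 9 releases put after "client".
DENIED = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r"(?: \([^)]*\))?: query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^/']+)' denied"
)


def summarize_denied(text):
    """Group 'query (cache) ... denied' lines by (name, type)."""
    stats = defaultdict(lambda: {"count": 0, "clients": set()})
    for line in text.splitlines():
        m = DENIED.search(line)
        if m is None:
            continue                      # not a cache-denied line
        key = (m["name"].lower().rstrip("."), m["rtype"].upper())
        stats[key]["count"] += 1
        stats[key]["clients"].add(m["ip"])
    return dict(stats)


def report(stats):
    """One line per name, most-refused first."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{name} {rtype}: {s['count']} refused, {len(s['clients'])} distinct client(s)"
        for (name, rtype), s in rows
    ]


if __name__ == "__main__":
    print("\n".join(report(summarize_denied(LOG))))
```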
Re: SPF implementation schedule.
Hi there,

On Tue, 12 Jul 2011 kalpesh varyani wrote:
> Looking at zytrix and spf2 sites, it seems that SPF is yet to be implemented at functional level.

If my understanding of that sentence is correct, then the sentence is not correct. SPF is implemented by

(1) Publication of TXT or SPF records in the DNS. This is well supported by nameservers such as BIND. Their involvement in SPF ends at this point.

(2) Examination of published DNS records by MAIL SERVERS which make DNS queries IF they wish to check that incoming mail is not forged. This is well supported by MAIL SERVER software.

The SPF DNS mechanism has been in common use for a number of years. See for example

    dig -t txt google.com

Why don't you join a mailing list more appropriate for SPF questions and ask them there? Here is one:

List-Subscribe: mailto:subscribe-spf-disc...@listbox.com

-- 
73,
Ged.
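What the mail-server side described in the replies above does with a published record, as an added example (not from the thread and not from any SPF library): a minimal evaluator for the ip4, ip6, include and all mechanisms of RFC 4408. The domain names, addresses and the TXT table are constructed stand-ins for DNS answers, and check_host here is this example's own function.

```python
import ipaddress

# Constructed TXT data standing in for DNS answers (example names and addresses).
TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "nospf.example": ["some unrelated text record"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, lookup=TXT.get, depth=0):
    """Evaluate the SPF policy of `domain` for the connecting address `ip`."""
    if depth > 10:                      # stop include loops
        return "permerror"
    records = [t for t in (lookup(domain) or []) if t.split(" ")[0].lower() == "v=spf1"]
    if not records:
        return "none"                   # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"              # more than one policy is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) not handled here
            raise NotImplementedError(term)
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == addr.version and addr in net
        elif mech == "include":
            inner = check_host(ip, arg, lookup, depth + 1)
            if inner in ("temperror", "permerror"):
                return inner
            if inner == "none":
                return "permerror"      # include target has no policy
            matched = inner == "pass"   # only a pass from the target counts as a match
        else:
            raise NotImplementedError(mech)   # a, mx, ptr, exists need further DNS queries
        if matched:
            return QUALIFIER[qual]
    return "neutral"                    # no mechanism matched
```

The name server's part ends at returning the TXT strings; everything in check_host runs in the receiving mail server or its SPF library.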
Re: Clients get DNS timeouts because ipv6 means more queries for each lookup
Well, all the prodding from people here prompted me to investigate further exactly what's going on. The problem isn't what I thought it was. It appears to be a bug in glibc, and I've filed a bug report and found a workaround.

In a nutshell, the getaddrinfo function in glibc sends both A and AAAA queries to the DNS server at the same time and then deals with the responses as they come in. Unfortunately, if the responses to the two queries come back in reverse order, /and/ the first one to come back is a server failure, both of which are the case when you try to resolve en.wikipedia.org immediately after restarting your DNS server so nothing is cached, the glibc code screws up and decides it didn't get back a successful response even though it did.

If you do the same lookup again, it works, because the CNAME that was sent in response to the A query is cached, so both the A and AAAA queries get back valid responses from the DNS server. And even if that weren't the case, since the CNAME is cached it gets returned first, since the server doesn't need to do a query to get it, whereas it does need to do another query to get the record (which recall isn't being cached because of the previously discussed FORMERR problem).

It'll keep working until the cached records time out, at which point it'll happen again, and then be OK again until the records time out, etc.

The workaround is to put

    options single-request

in /etc/resolv.conf to prevent the glibc innards from sending out both the A and AAAA queries at the same time.

FYI, here's the glibc bug I filed about this: http://sourceware.org/bugzilla/show_bug.cgi?id=12994

Thank you for telling me I was full of it and making me dig deeper into this until I located the actual cause of the issue. :-)

jik