Redirecting subdomain to different resolver

2011-10-19 Thread feralert
Hi all,

I have a domain defined within a zone statement so it resolves
hostnames via the intranet, just like this:

zone "intradomain.com" { type forward; forwarders { 10.222.1.21; }; };


Now there is this host which does not resolve internally (with an
intranet ip) but it does externally (wan ip): www.sub.intradomain.com.
And my problem is that I need to, somehow, override the 'zone
intradomain.com' statement, so this particular host/subdomain would
resolve externally.

I hope I explained myself properly, please do ask if it's not clear enough.

Is this at all possible? If so, how?


Cheers,
Fred.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Fix for CVE-2006-2073

2011-10-19 Thread Florian Weimer
* Mark Andrews:

>> Access Vector: Network exploitable
>> Access Complexity: Low
>> Authentication: Not required to exploit
>> Impact Type: Allows disruption of service
>
> I fail to see how this could ever have been classified as
> Access Complexity: Low.

I believe the CVSS scoring for those old entries was generated
semi-automatically.  There's also very little public information
available about this issue.

> Looking at the CVE it looks like this bug fix contains the correction.
>
> 2013.   [bug]   Handle unexpected TSIGs on unsigned AXFR/IXFR
>                 responses more gracefully. [RT #15941]

>> What was the first BIND version that fixed it?
>
> 9.2.7, 9.3.3, 9.4.0.

Thanks, this is helpful.  I've adjusted Debian's records.


Master/slave issues

2011-10-19 Thread Joseph L. Casale
Got around to adding a virtual interface on the production box (I never could
get this working with keys alone), I had labbed this up previously in reverse
of what I needed but transfers were broken on the production box when I
reversed the views that contained the master/slave.

The following works on the lab box, but when I swap master and zone between
views it breaks. What I wanted was:

view internal - match-clients { localnets; };  - slave zones
view external - match-clients { any; }; - master zones

I suppose it makes sense, but nonetheless, I think I have been staring at
this too long.
Anyone have any insight? All the dynamic clients reside on the public side.

view "internal"
{
    match-clients   { localhost; };
    server 10.0.0.4 {
        keys { external; };
    };
    recursion yes;
    zone "foo.local" {
        type master;
        allow-update { key dhcpd_ddns; };
        also-notify { 172.16.0.1; };
        allow-query { any; };
        file "/var/named/foo.local.zone.db";
    };
};

view "external"
{
    match-clients   { any; };
    recursion yes;
    zone "foo.local" {
        type slave;
        masters { 10.0.0.4; };
        allow-update { key external; };
        file "dynamic/foo.local.slave_zone.db";
    };
};

key "external" {
    algorithm hmac-md5;
    secret ...;
};


BIND master , Windows 2008 stub zone not transferring

2011-10-19 Thread Gregory Machin
Hi
We have a Linux server running bind 9.2.4 and dhcpd in a ddns
configuration.  We also have a number of windows 2008 R2 servers
running AD / DNS / dhcp on other sites. These windows servers have
stub zones configured, for the zones on the Linux server.

All worked fine up until yesterday.

Now none of the zones will transfer to the stub zones on the Windows
servers. From the Windows servers I can use nslookup to do zone
transfers without any issues. But in DNS Manager, on the stub zone,
when I click on "Reload", or "Transfer from Master", or "Transfer new copy
from zone Master", the result is the same: "Zone Not Loaded by DNS
server". There is nothing in the bind logs that relates to this server
or the zone transfer request. As far as I can see there are no firewall
issues or connectivity issues.

Any suggestions ?

G


Setting Up Permissions

2011-10-19 Thread Stephen Grant Brown
Hi All,
In the readme1st.txt file that comes with Bind 9.8.1 for Windows I read:

With BIND running under an account name it is necessary for all
files and directories that BIND uses to have permissions set up for
the named account if the files are on an NTFS disk. BIND requires
that the account have read and write access to the directory for
the pid file, any files that are maintained either for slave zones
or for master zones supporting dynamic updates. The account will
also need read access to the named.conf and any other file that it
needs to read.

I have looked for the named account but cannot find it.
Can someone explain this in more detail please? Or at least point me to a more
informative explanation?

Yours sincerely Stephen Grant Brown

Re: intermittent bad horizontal referral?

2011-10-19 Thread Karl Auer
Someone wrote (privately, so I'm not giving a name):
> There's a bit of problem with the DNS.  You might want to jump over to
> http://dns.squish.net/ and run an NS traversal for biplane.com.au --
> pps.com.au's DNS is befuddled.

This is true. Two of the four PPS nameservers do not have glue records
in .com.au. What I don't understand is how a trace can complete at all,
if there is no glue.

That is, root should return a set of referrals to .au, one of the .au
servers then returns referrals to .com.au, one of those returns
referrals to biplane.com.au, one of those can then answer the actual
query.

If there are no referrals to x.com.au in .com.au, how can a query jump
the gap? Because I can see that happening in a trace. Here are two
traces for pps.com.au. The first shows referrals in .com.au, the second
does not. It looks as if n.au somehow answered directly, but g.au did
not.

So I'm confused (and possibly befuddled). Firstly as to why n.au would
have *any* information about pps.com.au, and secondly why g.au would
have different information than n.au :-(

Regards, K.

kauer@karl:~$ dig +trace pps.com.au ns

; <<>> DiG 9.7.1-P2 <<>> +trace pps.com.au ns
;; global options: +cmd
.   113025  IN  NS  c.root-servers.net.
.   113025  IN  NS  a.root-servers.net.
.   113025  IN  NS  m.root-servers.net.
.   113025  IN  NS  k.root-servers.net.
.   113025  IN  NS  f.root-servers.net.
.   113025  IN  NS  b.root-servers.net.
.   113025  IN  NS  j.root-servers.net.
.   113025  IN  NS  d.root-servers.net.
.   113025  IN  NS  g.root-servers.net.
.   113025  IN  NS  l.root-servers.net.
.   113025  IN  NS  h.root-servers.net.
.   113025  IN  NS  e.root-servers.net.
.   113025  IN  NS  i.root-servers.net.
;; Received 512 bytes from 139.130.4.4#53(139.130.4.4) in 7 ms

au. 172800  IN  NS  o.au.
au. 172800  IN  NS  n.au.
au. 172800  IN  NS  a.au.
au. 172800  IN  NS  l.au.
au. 172800  IN  NS  m.au.
au. 172800  IN  NS  r.au.
au. 172800  IN  NS  h.au.
au. 172800  IN  NS  p.au.
au. 172800  IN  NS  s.au.
au. 172800  IN  NS  u.au.
au. 172800  IN  NS  v.au.
au. 172800  IN  NS  b.au.
;; Received 496 bytes from 192.112.36.4#53(g.root-servers.net) in 348 ms

com.au. 172800  IN  NS  q.au.
com.au. 172800  IN  NS  j.au.
com.au. 172800  IN  NS  i.au.
com.au. 172800  IN  NS  h.au.
com.au. 172800  IN  NS  o.au.
com.au. 172800  IN  NS  l.au.
com.au. 172800  IN  NS  g.au.
com.au. 172800  IN  NS  n.au.
com.au. 172800  IN  NS  m.au.
com.au. 172800  IN  NS  p.au.
com.au. 172800  IN  NS  k.au.
;; Received 408 bytes from 2607:f140::fffe::e#53(s.au) in 193 ms

pps.com.au. 14400   IN  NS  ppsdns6.pps.com.au.
pps.com.au. 14400   IN  NS  ppsdns4.pps.com.au.
pps.com.au. 14400   IN  NS  ppsdns2.pps.com.au.
pps.com.au. 14400   IN  NS  ppsdns1.pps.com.au.
pps.com.au. 14400   IN  NS  ppsdns3.pps.com.au.
;; Received 214 bytes from 202.65.12.72#53(i.au) in 16 ms

pps.com.au. 3600    IN  NS  ppsdns3.pps.com.au.
pps.com.au. 3600    IN  NS  ppsdns6.pps.com.au.
pps.com.au. 3600    IN  NS  ppsdns2.pps.com.au.
pps.com.au. 3600    IN  NS  ppsdns4.pps.com.au.
pps.com.au. 3600    IN  NS  ppsdns1.pps.com.au.
;; Received 342 bytes from 2406:a000::5#53(ppsdns6.pps.com.au) in 21 ms

kauer@karl:~$ dig +trace pps.com.au ns

; <<>> DiG 9.7.1-P2 <<>> +trace pps.com.au ns
;; global options: +cmd
.   113019  IN  NS  m.root-servers.net.
.   113019  IN  NS  h.root-servers.net.
.   113019  IN  NS  f.root-servers.net.
.   113019  IN  NS  e.root-servers.net.
.   113019  IN  NS  j.root-servers.net.
.   113019  IN  NS  i.root-servers.net.
.   113019  IN  NS  k.root-servers.net.
.   113019  IN  NS  l.root-servers.net.
.
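
An added example, not part of the original post: a small Python parser for `dig +trace` output like the traces above. It lists which server answered each step and which servers appear in the NS set of more than one zone. The sample input is an abbreviated copy of the first trace, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Abbreviated copy of the first trace on this page (several NS lines dropped).
SAMPLE_TRACE = """\
au. 172800 IN NS n.au.
au. 172800 IN NS o.au.
au. 172800 IN NS s.au.
;; Received 496 bytes from 192.112.36.4#53(g.root-servers.net) in 348 ms

com.au. 172800 IN NS i.au.
com.au. 172800 IN NS g.au.
com.au. 172800 IN NS n.au.
com.au. 172800 IN NS o.au.
;; Received 408 bytes from 2607:f140::fffe::e#53(s.au) in 193 ms

pps.com.au. 14400 IN NS ppsdns6.pps.com.au.
pps.com.au. 14400 IN NS ppsdns1.pps.com.au.
;; Received 214 bytes from 202.65.12.72#53(i.au) in 16 ms
"""

NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")
FROM_RE = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\)")

def parse_hops(trace):
    """Return one (zone, sorted NS names, responding server) per trace step."""
    hops, zone, names = [], None, []
    for line in trace.splitlines():
        ns = NS_RE.match(line.strip())
        src = FROM_RE.match(line.strip())
        if ns:
            zone = ns.group(1).lower()
            names.append(ns.group(2).lower().rstrip("."))
        elif src and names:
            hops.append((zone, sorted(names), src.group(1).lower().rstrip(".")))
            zone, names = None, []
    return hops

def multi_zone_servers(hops):
    """Map each server listed in more than one zone's NS set to those zones."""
    zones = defaultdict(set)
    for zone, names, _ in hops:
        for name in names:
            zones[name].add(zone)
    return {n: sorted(z) for n, z in zones.items() if len(z) > 1}

if __name__ == "__main__":
    for zone, names, responder in parse_hops(SAMPLE_TRACE):
        print(f"{zone:<12} from {responder}: {', '.join(names)}")
    print(multi_zone_servers(parse_hops(SAMPLE_TRACE)))
```

On the sample, `n.au` and `o.au` are listed for both `au.` and `com.au.`, while `g.au` is listed only for `com.au.`. A server that holds both zones can return the pps.com.au delegation without a separate com.au step.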