MS AD 2008R2 and bind
Hi,

My company moved to a 2008R2 Domain Controller environment. Now I see the following message in the Windows log:

Title: This domain controller must register its correct IP addresses with the DNS server
Severity: Error
Category: Configuration
Issue: The Domain Name System (DNS) host resource records for this domain controller's fully qualified domain name currently map to the IP addresses that do not belong to this domain controller. The invalid IP addresses are 10.1.1.1; 10.2.2.2.
Impact: Other member computers and domain controllers in the domain or forest might not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.
Resolution: Ensure that the DNS Client service on this domain controller is configured and able to register valid host resource records with an authoritative DNS server for the domain.
More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=131229

All Domain Controllers have zone update rights on the master DNS server, and according to the logfile updating zones works. My DNS servers are running BIND 9.7.3-P3.

So this is presumably not a problem of the BIND servers themselves, but still, does anyone have an idea how to get rid of the error messages? Anyone know the checkbox to unset? I didn't find one...

With regards
Christian Melbinger

---
Ing. Christian Melbinger
Network Security
WienIT EDV Dienstleistungsgesellschaft mbH Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at

WienIT EDV Dienstleistungsgesellschaft mbH Co KG, A-1030 Wien, Thomas-Klestil-Platz 6, FN 255974h, Handelsgericht Wien, DVR: 2109667, UID-Nr. ATU61260824
Personally liable partner: WienIT EDV Dienstleistungsgesellschaft mbH, A-1030 Wien, Thomas-Klestil-Platz 6, FN 255649f, Handelsgericht Wien, UID-Nr. ATU61296118

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: MS AD 2008R2 and bind
Hello Christian,

On 1/3/12 11:00 AM, Melbinger Christian wrote:
> So this is presumably not a problem of the bind servers themselves, but still, does anyone have an idea how to get rid of the error messages? Anyone know the checkbox to unset? I didn't find one...

From the error message you're seeing, the problem is that the domain controller has already found DNS entries for itself in the DNS, but the entries are pointing to a different IP address than the domain controller has. The domain controller will not overwrite the existing entries.

You have to remove the wrong, stale entries, and after that the domain controller should be able to register (update) the address records with the correct IP addresses. You can force this with a reboot or with ipconfig /registerdns from the command line.

The old IP addresses might be leftovers from a test, and have not been properly removed when the IP addresses of the domain controller were changed.

Best regards

Carsten Strotmann
AW: MS AD 2008R2 and bind
Hello,

Thanks for your answer, but unfortunately that's not the case. When I do an nslookup like nslookup internal.wienit.at, I get back the IPs of the DCs, i.e. Addresses: 10.4.4.4, 10.5.5.5

The error message "The invalid IP addresses are 10.1.1.1; 10.2.2.2." is pointing towards the DNS servers (BIND and Linux, no Windows there).

I also had an old DNS server running on 10.3.3.3, which was included in the error message too. I shut it down, but the IP only got removed from the error once I deleted the NS record. (Yeah, forgot to do that.)

Any ideas?

---
Ing. Christian Melbinger
Network Security
WienIT EDV Dienstleistungsgesellschaft mbH Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at

-----Original Message-----
From: Carsten Strotmann (private) [mailto:c...@strotmann.de]
Sent: Tuesday, 03 January 2012 13:07
To: Melbinger Christian
Cc: bind-users@lists.isc.org
Subject: Re: MS AD 2008R2 and bind

> From the error message you're seeing, the problem is that the domain controller has already found DNS entries for itself in the DNS, but the entries are pointing to a different IP address than the domain controller has. The domain controller will not overwrite the existing entries.
> You have to remove the wrong, stale entries, and after that the domain controller should be able to register (update) the address records with the correct IP addresses. You can force this with a reboot or with ipconfig /registerdns from the command line.
Re: MS AD 2008R2 and bind
On Tue, Jan 3, 2012 at 4:00 AM, Melbinger Christian <christian.melbin...@wienit.at> wrote:
> My company moved to a 2008R2 Domain Controller environment. Now I see the following message in the windows log:
> Title: This domain controller must register its correct IP addresses with the DNS server
> Issue: The Domain Name System (DNS) host resource records for this domain controller's fully qualified domain name currently map to the IP addresses that do not belong to this domain controller. The invalid IP addresses are 10.1.1.1; 10.2.2.2.
> All Domain Controllers have zone updates rights on the master dns server, and according to the logfile updating zones works. My DNS-Servers are running BIND 9.7.3-P3.
> So this is presumably not a problem of the bind servers themselves, but still, does anyone have an idea how to get rid of the error messages? Anyone know the checkbox to unset? I didn't find one...

I'm just going to throw out a few ideas, not sure any or all of them will get you in the right direction... but I had significant issues with DCs and dynamic updates following a migration from AD integrated DNS to BIND.

What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)?

Are there any "same as zone" records that point to your DC IPs? (This is common if DNS is AD integrated.)

Do you see in the Event Viewer on the DC that it is successfully registering the A, PTR and SRV records? (Not sure what log this is in, been a little while since I looked last.)

I know you said it was the case, but does your BIND config have one of the following options set?

- allow-update { address_match_list }; -- if the DC is pointing to the master BIND server
- allow-update-forwarding { address_match_list }; -- if the DC is pointing to the slave BIND server

What happens if you issue the ipconfig /registerdns command from the DCs?

- Will
Re: AW: MS AD 2008R2 and bind
The DC must not only be allowed to update its A, (if applicable) and PTR records, it must also be able to update its SRV and TXT records. Please add the DC to the ACL for allow-update on the zone that corresponds to the AD Domain/Kerberos zone, and then confirm that it is working by restarting the Netlogon service (necessary, because IPCONFIG /registerdns only updates A, (if applicable) and PTR records, while the former regenerates the SRV records, et al).

Hope that helps,
-DTK

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Melbinger Christian <christian.melbin...@wienit.at>
Sender: bind-users-bounces+root=nachtmaus...@lists.isc.org
Date: Tue, 3 Jan 2012 13:47:30
To: Carsten Strotmann (private) <c...@strotmann.de>
Cc: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: AW: MS AD 2008R2 and bind

> Thanks for your answer, but unfortunately that's not the case. When I do an nslookup like nslookup internal.wienit.at, I get back the IPs of the DCs, i.e. Addresses: 10.4.4.4, 10.5.5.5
> The error message "The invalid IP addresses are 10.1.1.1; 10.2.2.2." is pointing towards the DNS servers (BIND and Linux, no Windows there).
> I also had an old DNS server running on 10.3.3.3, which was included in the error message too. I shut it down, but the IP only got removed from the error once I deleted the NS record. (Yeah, forgot to do that.)
> Any ideas?
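The two BIND options Will lists and the SRV point DTK makes above come down to a handful of named.conf statements. The fragment below is an added example written for this thread, not configuration posted by anyone in it: it uses the addresses the thread gives (DCs 10.4.4.4 and 10.5.5.5, BIND servers 10.1.1.1 and 10.2.2.2) and assumes the zone file paths, that 10.1.1.1 is the master and 10.2.2.2 a slave, and that _msdcs is served as its own zone.

```conf
// Added example (not from the thread): named.conf fragments for a BIND 9.7
// master and slave serving an Active Directory domain. The addresses are the
// ones given in the thread; zone file paths and the master/slave roles are
// assumptions.

acl dcs          { 10.4.4.4; 10.5.5.5; };   // domain controllers
acl bind_servers { 10.1.1.1; 10.2.2.2; };   // the BIND hosts

// ---------- on the master, 10.1.1.1 ----------
zone "internal.wienit.at" {
    type master;
    file "dynamic/internal.wienit.at.db";   // assumed; directory must be writable by named
    // One ACL covers everything the DC registers: A and PTR records from the
    // DNS Client (ipconfig /registerdns) and the SRV records that Netlogon
    // writes under _sites, _tcp and _udp. The slave's address is listed too,
    // because an update forwarded by the slave arrives from the slave, not
    // from the DC, and is checked against this ACL on the master.
    allow-update   { dcs; 10.2.2.2; };
    allow-transfer { bind_servers; };
    notify yes;
};

// DCs also register into _msdcs.<forest root>; when that is its own zone it
// needs the same update rights, otherwise those SRV updates are REFUSED.
zone "_msdcs.internal.wienit.at" {
    type master;
    file "dynamic/_msdcs.internal.wienit.at.db";   // assumed path
    allow-update   { dcs; 10.2.2.2; };
    allow-transfer { bind_servers; };
    notify yes;
};

// Reverse zone so the PTR registrations are accepted as well (10/8 assumed).
zone "10.in-addr.arpa" {
    type master;
    file "dynamic/10.in-addr.arpa.db";   // assumed path
    allow-update   { dcs; 10.2.2.2; };
    allow-transfer { bind_servers; };
};

// ---------- on the slave, 10.2.2.2 ----------
// A DC whose resolver points at the slave sends its UPDATE there. Without
// allow-update-forwarding the slave answers REFUSED; with it the slave relays
// the request to the master, which then applies its own allow-update ACL.
zone "internal.wienit.at" {
    type slave;
    masters { 10.1.1.1; };
    file "slaves/internal.wienit.at.db";   // assumed path
    allow-update-forwarding { dcs; };
};

// Log accepted and refused updates to syslog, so each registration the DC
// reports in its Event Viewer can be matched against what BIND actually did.
logging {
    channel update_log {
        syslog daemon;
        severity info;
        print-category yes;
    };
    category update          { update_log; };
    category update-security { update_log; };
};
```

Run named-checkconf before reloading. The forward zone, the _msdcs zone and the reverse zone all need the update ACL, because ipconfig /registerdns only rewrites A and PTR records while the SRV records are written by Netlogon, which is why DTK's Netlogon restart is the right way to re-register them. The ACL is address-based, as in the thread, so any host that can send packets from a DC's (or the slave's) address can change the zone; BIND 9 can instead authenticate the DC with GSS-TSIG through an update-policy, which ties update rights to the machine account rather than to its IP address.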
Re: About root zones
2012/1/2 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> On 21.12.11 19:21, Peter Andreev wrote:
>>>> I think that if server is authoritative - and - slave-only it should use system resolver rather than querying by itself.
>> 2012/1/2 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> BIND will not use system resolver. BIND is the resolver. Relying on other resolver could cause troubles. If BIND does not need to resolve, it will not. If it needs, don't block it.
> On 02.01.12 16:42, Peter Andreev wrote:
>> I understood your point, however it differs from mine. Matus, I'm afraid we won't find consent on this topic. So I offer you to stop this discussion. Thank you for suggestions and happy new year!
> I don't see your point now. I'm afraid that you will have to live with the fact that you can not disable sending queries from BIND when it needs them, you can only prevent it by configuring BIND (so it will not need them) or firewall such packets so they will not get outside (which may break its functionality).

My point: I need my servers to answer with authoritative data only. I need them to not perform anything else. Only get query - send authoritative response. Where in this scenario does BIND have to resolve something? In which scenario (except master notifies) does BIND have to resolve something?

> Maybe ISC will patch BIND to use system resolver for internal queries, but I doubt so. Maybe you can do it but imho it's not worth trying. Maybe you can set up forward only; and forwarders {}; so BIND will forward all recursive queries it generates to your recursive servers. But the way you are trying to get over this, I'm afraid you will fail and that's what I am trying to tell you.

I'm free to replace BIND with another authoritative DNS implementation.

> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> How does cat play with mouse? cat /dev/mouse

--
AP
Re: About root zones
>> On Jan 2, 2012, at 2:16 PM, Barry Margolin wrote:
>>> If the system resolver is good enough for every other application running on the system, it should be good enough for BIND. Why not at least allow this as an option?
> In article <mailman.656.1325532888.68562.bind-us...@lists.isc.org>, Chuck Swiger <cswi...@mac.com> wrote:
>> The system resolver will happily provide answers based upon data from /etc/hosts, YP/NIS, and LDAP which have no relationship to what is in the DNS.

On 02.01.12 17:03, Barry Margolin wrote:
> In that case, you probably shouldn't enable the option. I'm not even suggesting that the option be on by default.
>
> Actually, does libresolv really use those other facilities?

Highly depends on the configuration of host.conf or nsswitch.conf, but AFAIK hosts are preferred by default on most systems.

> gethostbyname() does, but BIND probably shouldn't use that, because it loses data like TTLs.

And that is one of the reasons why BIND does not (and apparently even should not) use the system libresolv and gethost* functions.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: About root zones
In article <mailman.665.1325598835.68562.bind-us...@lists.isc.org>, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 02.01.12 17:03, Barry Margolin wrote:
>> Actually, does libresolv really use those other facilities?
>
> highly depends on configuration of host.conf or nsswitch.conf, but afaik hosts are preferred by default on most of systems.
>
>> gethostbyname() does, but BIND probably shouldn't use that, because it loses data like TTLs.
>
> and that is one of reasons why BIND does not (and apparently even should not) use system libresolv and gethost* functions.

Are we talking about the same libresolv? I'm talking about functions like res_query(), which are very DNS-specific. They return the raw DNS reply data, including details like TTL. gethostbyname() is the function that uses nsswitch.conf.

--
Barry Margolin
Arlington, MA
Re: About root zones
> 2012/1/2 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>> I don't see your point now. I'm afraid that you will have to live with the fact that you can not disable sending queries from BIND when it needs them, you can only prevent it by configuring BIND (so it will not need them) or firewall such packets so they will not get outside (which may break its functionality).

On 03.01.12 16:53, Peter Andreev wrote:
> My point: I need my servers to answer with authoritative data only. I need them to not perform anything else. Only get query - send authoritative response. Where in this scenario does BIND have to resolve something?

Nowhere. Note that BIND may send upward or root referrals for clients that are allowed to view cached data (the hint zone is taken as cached). Also, BIND can send additional data (authoritative or from cache) when configured so, but won't recursively resolve them. See the description of additional-from-cache and additional-from-auth, maybe minimal-responses.

> In which scenario (except master notifies) does BIND have to resolve something?

I don't know about any.

>> Maybe ISC will patch BIND to use system resolver for internal queries, but I doubt so. Maybe you can do it but imho it's not worth trying. Maybe you can set up forward only; and forwarders {}; so BIND will forward all recursive queries it generates to your recursive servers. But the way you are trying to get over this, I'm afraid you will fail and that's what I am trying to tell you.
>
> I'm free to replace BIND with another authoritative DNS implementation.

Yes, you are. But I'd advise you to focus on the real problem, if it exists. Kevin Darcy mentioned that in his response.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux - It's now safe to turn on your computer.
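Matus's answer above (referrals only for clients that may read cached data, additional-from-cache, additional-from-auth, minimal-responses) together with Peter's requirement of answering from authoritative data only can be written down as one named.conf. The following is an added example, not a configuration from the thread; the zone names, the file paths and the master address 192.0.2.10 (RFC 5737 documentation range) are assumptions.

```conf
// Added example (not from the thread): an authoritative-only BIND 9 server
// that answers solely from the zones it holds. Zone names, file paths and the
// master address 192.0.2.10 are assumptions.

options {
    directory "/var/named";           // assumed
    recursion no;                     // never resolve on a client's behalf
    allow-recursion   { none; };
    // Referrals are built from the hint zone, which BIND treats as cached
    // data. With no hint zone loaded and nobody allowed to read the cache,
    // a query for a name outside the served zones is REFUSED, not referred.
    allow-query-cache { none; };
    // Answer only from authoritative data: do not fill the additional
    // section from the cache, do not pull it from other zones this server
    // holds either, and leave out optional authority/additional records.
    additional-from-cache no;
    additional-from-auth  no;
    minimal-responses     yes;
    allow-transfer { none; };         // open per zone where a downstream slave needs it
};

// No "." hint zone here, on purpose (see allow-query-cache above).

// The only outbound traffic left is zone maintenance with the master: SOA
// refresh queries, AXFR/IXFR and NOTIFY. The master is given by address, so
// named never has to resolve a name in order to reach it.
zone "example.net" {
    type slave;
    masters      { 192.0.2.10; };
    allow-notify { 192.0.2.10; };
    file "slaves/example.net.db";     // assumed path
};

zone "2.0.192.in-addr.arpa" {
    type slave;
    masters      { 192.0.2.10; };
    allow-notify { 192.0.2.10; };
    file "slaves/2.0.192.in-addr.arpa.db";   // assumed path
};
```

Validate with named-checkconf before reloading, then check the behaviour from a client: a query for a name this server does not hold should come back REFUSED with an empty authority section, rather than with a list of root servers, and a query for a name inside example.net should carry the AA flag and nothing in the additional section that the server would have had to fetch. Blocking the remaining master traffic at the firewall, as Lyle points out below, only turns working transfers into timeouts.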
Re: About root zones
On 01/03/12 07:53, Peter Andreev wrote:
> My point: I need my servers to answer with authoritative data only. I need them to not perform anything else. Only get query - send authoritative response. Where in this scenario does BIND have to resolve something? In which scenario (except master notifies) does BIND have to resolve something?
>
>> Maybe you can set up forward only; and forwarders {}; so BIND will forward all recursive queries it generates to your recursive servers. But the way you are trying to get over this, I'm afraid you will fail and that's what I am trying to tell you.
>
> I'm free to replace BIND with another authoritative DNS implementation.

Let me ask this question another way. How do you plan to block BIND from making any queries outside the server?

If you want me to log any queries that I don't answer (refused in the logs), I think the default is to look up the reverse of the querying IP address. Do you want to block that type of traffic also? Do you want to block this traffic at the application level or in iptables?

If you block this traffic via iptables or an external firewall, lots of things at the OS level get grumpy. For instance, I want to attach to the server using VNC or SSH for maintenance. By default, they want to do a reverse lookup of your IP address before allowing access. Now you wait for that query to time out before you can do your work. That's just a PITA.

And if BIND does want to do any lookups (reverse lookups, go query the root servers for something), now you are forcing it to time out rather than doing the lookup and continuing on its way. Very inefficient use of resources, and it will cause delays for legit queries.

BIND was designed to be a multipurpose application and as such, it wants and is happier being able to do lookups as needed. You are asking for a specific use case, and ISC is not into generating special builds for special or specific use cases unless you contract with them to build and maintain your special build of BIND.

Lyle Giese
LCR Computer Services, Inc.
AW: MS AD 2008R2 and bind
> What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)?

Only their own name, nothing more.

> Are there any "same as zone" records that point to your DC IPs? (This is common if DNS is AD integrated.)

Yes, internal.wienit.at is a round robin to all DC IPs; gc._msdcs.internal.wienit.at is also a round robin to all DC IPs. I don't know if a long time ago it was AD integrated, but in the last few years it certainly was not.

> Do you see in the Event Viewer on the DC that it is successfully registering the A, PTR and SRV records? (Not sure what log this is in, been a little while since I looked last.)

Yes, that's working too, otherwise there would be a lot more errors. I even see every update in the messages log on the DNS server, all working.

> I know you said it was the case, but does your BIND config have one of the following options set?
> - allow-update { address_match_list }; -- if the DC is pointing to the master BIND server
> - allow-update-forwarding { address_match_list }; -- if the DC is pointing to the slave BIND server

Updates are working.

> What happens if you issue the ipconfig /registerdns command from the DCs?

I think I did that some time ago... the DC kicked all of its own records and then put them back in...

---
Ing. Christian Melbinger
Network Security
WienIT EDV Dienstleistungsgesellschaft mbH Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at

From: Will Lists [mailto:listsw...@gmail.com]
Sent: Tuesday, 03 January 2012 14:07
To: bind-users@lists.isc.org
Cc: Melbinger Christian
Subject: Re: MS AD 2008R2 and bind

> I'm just going to throw out a few ideas, not sure any or all of them will get you in the right direction... but I had significant issues with DCs and dynamic updates following a migration from AD integrated DNS to BIND.
Re: Re: MS AD 2008R2 and bind
According to syslog the DCs do update tons of records all the time... A, PTR, SRV. I didn't regulate them. Their IPs are allowed to do any updates.

--- Ing. Christian Melbinger, Network Security, WienIT EDV Dienstleistungsgesellschaft mbH Co KG, A-1030 Wien, Thomas-Klestil-Platz 6, tel: +43 (1) 90405 47188, fax: +43 (1) 90405 88 47188, mailto:christian.melbin...@wienit.at

-----Original Message-----
From: r...@nachtmaus.us [mailto:r...@nachtmaus.us]
Sent: Tuesday, 03 January 2012 14:17
To: Melbinger Christian; bind-users-bounces+root=nachtmaus...@lists.isc.org; Carsten Strotmann (private)
Cc: bind-users@lists.isc.org
Subject: Re: Re: MS AD 2008R2 and bind

The DC must not only be allowed to update its A (if applicable) and PTR records, it must also be able to update its SRV and TXT records. Please add the DC to the ACL for allow-update on the zone that corresponds to the AD domain/Kerberos zone, and then confirm that it is working by restarting the Netlogon service (necessary, because IPCONFIG /registerdns only updates A (if applicable) and PTR records, while the former regenerates the SRV records, et al.).

Hope that helps,
-DTK
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Melbinger Christian christian.melbin...@wienit.at
Sender: bind-users-bounces+root=nachtmaus...@lists.isc.org
Date: Tue, 3 Jan 2012 13:47:30
To: Carsten Strotmann (private) c...@strotmann.de
Cc: bind-users@lists.isc.org
Subject: Re: MS AD 2008R2 and bind

Hello, thanks for your answer, but unfortunately that's not the case. When I do an nslookup like nslookup internal.wienit.at, I get back the IPs of the DCs, i.e. Addresses: 10.4.4.4, 10.5.5.5. The error message "The invalid IP addresses are 10.1.1.1; 10.2.2.2." is pointing towards the DNS servers (BIND and Linux, no Windows there). I also had an old DNS server running on 10.3.3.3, which was included in the error message too. I shut it down, but the IP only got removed from the error once I deleted the NS record (yeah, forgot to do that). Any ideas?

--- Ing. Christian Melbinger, Network Security, WienIT EDV Dienstleistungsgesellschaft mbH Co KG, A-1030 Wien, Thomas-Klestil-Platz 6, tel: +43 (1) 90405 47188, fax: +43 (1) 90405 88 47188, mailto:christian.melbin...@wienit.at

-----Original Message-----
From: Carsten Strotmann (private) [mailto:c...@strotmann.de]
Sent: Tuesday, 03 January 2012 13:07
To: Melbinger Christian
Cc: bind-users@lists.isc.org
Subject: Re: MS AD 2008R2 and bind

Hello Christian,

On 1/3/12 11:00 AM, Melbinger Christian wrote: So this is presumably not a problem of the bind servers themselves, but still, does anyone have an idea how to get rid of the error messages? Anyone know the checkbox to unset? I didn't find one...

From the error message you're seeing, the problem is that the domain controller has already found DNS entries for itself in the DNS, but the entries are pointing to a different IP address than the domain controller has. The domain controller will not overwrite the existing entries. You have to remove the wrong, stale entries, and after that the domain controller should be able to register (update) the address records with the correct IP addresses. You can force this with a reboot or with ipconfig /registerdns from the command line. The old IP addresses might be leftovers from a test that were not properly removed when the IP addresses of the domain controller were changed.

Best regards,
Carsten Strotmann
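The update ACL the two replies above are describing, written out as a named.conf fragment. This is an added example and not configuration from any post in the thread: the DC addresses 10.4.4.4 and 10.5.5.5 and the zone name internal.wienit.at are taken from the thread, while the acl name, the /24 cuts of the reverse zones, the file names and the log path are my assumptions.

```conf
// Added example (not from the thread); BIND 9.7-era syntax.
// 10.4.4.4 and 10.5.5.5 are the DC addresses named in the thread; the acl
// name, reverse-zone cuts, file names and log path are assumptions.
acl "ad-dcs" { 10.4.4.4; 10.5.5.5; };

logging {
    // Log every dynamic update (and every refusal) so the A/PTR/SRV/TXT
    // registrations that Netlogon sends after a restart can be checked.
    channel updates {
        file "/var/log/named/updates.log" versions 5 size 10m;
        print-time yes;
    };
    category update          { updates; };
    category update-security { updates; };
};

// The AD domain zone. Netlogon registers SRV records under _tcp, _udp,
// _sites and _msdcs, plus A records such as gc._msdcs.<domain>; the
// underscore labels fail the default "check-names master fail;", so
// relax the check for this zone only.
zone "internal.wienit.at" {
    type master;
    file "dynamic/internal.wienit.at";
    check-names ignore;
    allow-update { ad-dcs; };
};

// Reverse zones for the DC subnets so PTR registration succeeds as well
// (assumed /24 cuts; use the reverse zones you actually serve).
zone "4.4.10.in-addr.arpa" {
    type master;
    file "dynamic/4.4.10.in-addr.arpa";
    allow-update { ad-dcs; };
};

zone "5.5.10.in-addr.arpa" {
    type master;
    file "dynamic/5.5.10.in-addr.arpa";
    allow-update { ad-dcs; };
};
```

After `rndc reload`, restart Netlogon on the DC (as DTK says, ipconfig /registerdns alone does not regenerate the SRV records) and watch updates.log for the registrations and any "update ... denied" lines. Two caveats a practitioner will want: an address-based allow-update trusts whatever source IP arrives in a UDP packet, and BIND's key-based update-policy (TSIG) is the stronger alternative, which this thread does not go into; and, as Carsten points out, stale records that already exist for the DC's name are not overwritten by the DC, so they have to be deleted first (nsupdate from a host inside the acl does that) before the re-registration succeeds.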
Re: About root zones
2012/1/3 Matus UHLAR - fantomas uh...@fantomas.sk: 2012/1/2 Matus UHLAR - fantomas uh...@fantomas.sk: I don't see your point now. I'm afraid that you will have to live with the fact that you can not disable sending queries from BIND when it needs them, you can only prevent it by configuring BIND (so it will not need them) or firewall such packets so they will not get outside (which may break its functionality). On 03.01.12 16:53, Peter Andreev wrote: My point: I need my servers to answer with authoritative data only. I need them to not perform anything else. Only get query - send authoritative response. Where in this scenario does BIND have to resolve something? Nowhere. Note that BIND may send upward or root referrals, for clients that are allowed to view cached data (the hint zone is taken as cached). Also, bind can send additional data (authoritative or from cache) when configured so, but won't recursively resolve them. See description of additional-from-cache and additional-from-auth, maybe minimal-responses. Yep, that's what I did first when the problem appeared. Second step was deleting root.hints to (as I hoped) prevent any further resolving and caching. In which scenario (except master notifies) does BIND have to resolve something? I don't know about any. Neither do I. Unfortunately it is not covered in documentation. Maybe ISC will patch BIND to use system resolver for internal queries, but I doubt so. Maybe you can do it but imho it's not worth trying. Maybe you can set up forward only; and forwarders {}; so BIND will forward all recursive queries it generates to your recursive servers. But the way you are trying to get over this, I'm afraid you will fail and that's what I am trying to tell you. I'm free to replace BIND with another authoritative DNS implementation. Yes, you are. But I'd advise you to focus on the real problem, if it exists. Kevin Darcy mentioned that in his response.
-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Linux - It's now safe to turn on your computer.
-- AP
Re: About root zones
On Jan 3, 2012, at 11:13 AM, Peter Andreev wrote: Unfortunately as I learn BIND more, I understand that it is not very suitable for my requirements. Which are? I've been trying to understand what the actual problem you are trying to solve might be. Regards, -- -Chuck
Re: About root zones
In article mailman.668.1325603242.68562.bind-us...@lists.isc.org, Lyle Giese l...@lcrcomputer.net wrote: For instance, I want to attach to the server using VNC or SSH for maintenance. By default, they want to do a reverse lookup of your IP address before allowing access. Now you wait for that query to time out before you can do your work. That's just a PITA. Of course you wouldn't block DNS queries at the network level, that messes up everything else running on the machine. He apparently just wants to ensure that nothing gets into the BIND cache of an authoritative-only server -- it should truly be authoritative-only. If other servers on the machine need to do lookups, they will use a caching server for this. -- Barry Margolin Arlington, MA
Re: About root zones
2012/1/3 Chuck Swiger cswi...@mac.com: On Jan 3, 2012, at 11:13 AM, Peter Andreev wrote: Unfortunately as I learn BIND more, I understand that it is not very suitable for my requirements. Which are? I've been trying to understand what the actual problem you are trying to solve might be. I'm not trying to solve any problem. I'm wondering why this thread has grown so big. The only question I have unanswered is where I can find documents/articles/whatever describing BIND's internals, architecture etc.? That's all :) It was asked in the 13th post. Maybe it's still unanswered because of the unhappy number, I'm not sure. Regards, -- -Chuck -- -- AP
Re: MS AD 2008R2 and bind
There is a bug in Windows 2008 R2 which prevents correct registration to BIND DNS servers. See http://support.microsoft.com/kb/2002490 for the hotfix to apply. Unfortunately, this hotfix still does not correct the behavior. Windows 2008 R2 registers the record first. This record is registered correctly on BIND, but the response from BIND is interpreted by Windows incorrectly, so it stops registering the following records, like the A record. However, the DCs with this patch successfully register all records related to the AD. This is a strange behavior.
Re: About root zones
On 1/2/2012 2:16 PM, Barry Margolin wrote: In article mailman.654.1325531095.68562.bind-us...@lists.isc.org, Kevin Darcy k...@chrysler.com wrote: I agree with Matus. BIND should be as self-sufficient as possible, and not make any assumptions about the capability of and/or the data it expects to get from the system resolver. If the system resolver is good enough for every other application running on the system, it should be good enough for BIND. See, there's the problem right there. Many of us see the BIND instance as forming part of an *infrastructure*, not just an *application* that happens to run on the machine. This distinction isn't just semantic. We have, for instance, totally separate groups who manage the OSes of our servers (including the configuration of the system resolver), versus those of us in the Networking area who have responsibility for the DNS infrastructure itself. Those server folks have strange ideas about name resolution. Strange enough that sometimes I don't even understand what the hell they are trying to accomplish. Or, they do know, but I think they indulge the end-users way too much (don't even get me started on shortname resolution, for instance, and the ugly hacks we're forced to maintain, supporting that bad habit). So no, the system resolver is not good enough for BIND. Not in my book. I'm responsible for BIND, I'm not going to stick my neck out making my subsystem dependent on someone else's subsystem, when I have no confidence that they know what they're doing and/or that they're doing the right things. Nor do I think it is particularly unusual for the Networking and Server responsibilities within an organization to belong to different groups, with different skillsets and competency levels. BIND is good at resolving names to addresses, so let it do the name resolution, without creating unnecessary dependencies which may cross organizational and possibly even trust boundaries.
I've already outlined in my previous message some possible ways to obviate these internal queries, along with the suggestion that maybe at the end of the day it's actually more trouble than it's worth... - Kevin
Re: About root zones
On 1/3/12 12:46 PM, Kevin Darcy k...@chrysler.com wrote: Those server folks have strange ideas about name resolution. Strange enough that sometimes I don't even understand what the hell they are trying to accomplish. In all fairness, lots of folks have strange ideas. We should start with standards -- software should be built based on BCPs (peer review rules). If those don't meet our needs, we should help to get them updated (good luck, I know -- many standards bodies have become like political lobbyists). So no, the system resolver is not good enough for BIND. Not in my book. I'm responsible for BIND, I'm not going to stick my neck out making my subsystem dependent on someone else's subsystem, when I have no confidence that they know what they're doing and/or that they're doing the right things. Maybe it's because I started in networking... But TCP/IP (or IPv6 these days) is quite the subsystem to avoid. Really, like it or not, you are actually responsible for understanding interactions with subsystems your managed system must interact with. ;-) possibly even trust boundaries. I've already outlined in my previous message some possible ways to obviate these internal queries, along with the suggestion that maybe at the end of the day it's actually more trouble than it's worth... That's the problem. Such suggestions won't ever become BCPs, since they aren't easily justifiable to business minds. Granted, personal preferences are always welcome... but "more trouble than it's worth" and business priority or even POLA don't jive. -- Don't worry about avoiding temptation -- as you grow older, it starts avoiding you. -- The Old Farmer's Almanac
Re: About root zones
If you want named to be authoritative only set recursion no; or allow-recursion { none; } or allow-query-cache { none; }; and no data will be returned from the cache. allow-recursion and allow-query-cache cross inherit from each other. If you only want master zones to send notify messages then set notify master-only;. If you want named to only use the same nameservers as the system uses then set forward only; forwarders { list from resolv.conf; };. Named does not read resolv.conf though the tools do. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
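The settings Mark lists, collected into one authoritative-only named.conf, together with the additional-from-cache / additional-from-auth / minimal-responses options Matus mentioned earlier in the thread. This is an added example, not configuration from any post: the zone name, file names, secondary address and forwarder addresses are assumptions, and the additional-from-* options are the ones valid in the BIND 9.7 to 9.11 series (they were removed in later releases).

```conf
// Added example (not from the thread): an authoritative-only named.
// Zone name, file names, secondary and forwarder addresses are assumed.
options {
    directory "/var/named";

    // No recursion for anyone, and nothing answered from cache. These two
    // ACLs inherit from each other, so either one would do; set both so the
    // intent is visible in the file.
    recursion no;
    allow-recursion   { none; };
    allow-query-cache { none; };
    allow-query       { any; };    // authoritative data is public

    // No hint zone is configured, so there is no root data to send upward
    // referrals from, and answers are not padded with records from cache or
    // from other zones.
    additional-from-cache no;
    additional-from-auth  no;
    minimal-responses     yes;

    // Only zones we are master for send NOTIFY.
    notify master-only;

    // The one lookup named still has to make on its own is the address of
    // an NS name that lives outside the zone when it builds the NOTIFY
    // target list. Send that to the site resolvers instead of iterating
    // from the root. named does not read resolv.conf, so the addresses are
    // repeated here.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };   // assumed resolver addresses
};

zone "example.net" {
    type master;
    file "master/example.net";
    allow-transfer { 192.0.2.2; };            // assumed secondary
};
```

With this in place, a query from a client that is not in allow-query-cache for a name the server is not authoritative for is refused rather than answered from cache, which is the "only get query - send authoritative response" behaviour Peter asked for.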
Warning view message during rndc reload
Good morning all, for many days now I have observed the warning view message during the rndc reload process:

Jan 4 07:01:09 ns1 named[920]: received control channel command 'reload'
Jan 4 07:01:09 ns1 named[920]: loading configuration from '/etc/bind/named.conf'
Jan 4 07:01:09 ns1 named[920]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Jan 4 07:01:09 ns1 named[920]: using default UDP/IPv4 port range: [1024, 65535]
Jan 4 07:01:09 ns1 named[920]: using default UDP/IPv6 port range: [1024, 65535]
Jan 4 07:01:09 ns1 named[920]: no IPv6 interfaces found
Jan 4 07:01:09 ns1 named[920]: sizing zone task pool based on 53 zones
Jan 4 07:01:09 ns1 named[920]: Warning: view internal: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jan 4 07:01:09 ns1 named[920]: Warning: view external-root: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jan 4 07:01:09 ns1 named[920]: Warning: view internal-localhost: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jan 4 07:01:09 ns1 named[920]: reloading configuration succeeded
Jan 4 07:01:09 ns1 named[920]: reloading zones succeeded
Jan 4 07:01:09 ns1 named[920]: zone 0.0.10.in-addr.arpa/IN/internal: loaded serial 2012010402

Please, how can I fix this issue?

-- Yours Truly, Eric Kom, System Administrator - Metropolitan College, 2 Hennie Van Till, White River, 1240, Tel: 013 750 2255 | Fax: 013 750 0105 | Cell: 078 879 1334, eric...@kom.za.net | eric...@namekom.co.za | eric...@erickom.co.za, www.kom.za.net | www.kom.za.org | www.erickom.co.za, Key fingerprint: 513E E91A C243 3020 8735 09BB 2DBC 5AD7 A9DA 1EF5
Re: Warning view message during rndc reload
In message 4f03dddf.6070...@metropolitanstaff.co.za, Eric Kom writes:

Good morning all, for many days now I have observed the warning view message during the rndc reload process:

Jan 4 07:01:09 ns1 named[920]: received control channel command 'reload'
Jan 4 07:01:09 ns1 named[920]: loading configuration from '/etc/bind/named.conf'
Jan 4 07:01:09 ns1 named[920]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Jan 4 07:01:09 ns1 named[920]: using default UDP/IPv4 port range: [1024, 65535]
Jan 4 07:01:09 ns1 named[920]: using default UDP/IPv6 port range: [1024, 65535]
Jan 4 07:01:09 ns1 named[920]: no IPv6 interfaces found
Jan 4 07:01:09 ns1 named[920]: sizing zone task pool based on 53 zones
Jan 4 07:01:09 ns1 named[920]: Warning: view internal: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jan 4 07:01:09 ns1 named[920]: Warning: view external-root: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jan 4 07:01:09 ns1 named[920]: Warning: view internal-localhost: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jan 4 07:01:09 ns1 named[920]: reloading configuration succeeded
Jan 4 07:01:09 ns1 named[920]: reloading zones succeeded
Jan 4 07:01:09 ns1 named[920]: zone 0.0.10.in-addr.arpa/IN/internal: loaded serial 2012010402

Please, how can I fix this issue?

Explicitly set empty-zones-enable or explicitly disable an empty zone. This test has been removed from 9.9.0.

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
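What Mark's answer looks like in a named.conf with views. This is an added example, not Eric's configuration: the three view names and the 0.0.10.in-addr.arpa zone come from his reload log, while the match-clients lists, the view order and the file name are my assumptions. The point it shows is which views should keep the built-in RFC 1918 empty zones and which should not, so that the option is set deliberately rather than left for named to guess at.

```conf
// Added example (not from the thread). View names and the
// 0.0.10.in-addr.arpa zone come from Eric's log; match-clients lists,
// view order and file names are assumed.
options {
    // Global default; every view below overrides it explicitly anyway.
    // Once the option is set, the "'empty-zones-enable/disable-empty-zone'
    // not set" warning seen on versions before 9.9.0 goes away.
    empty-zones-enable yes;
};

// First match wins, so the localhost view has to come before the view that
// also admits the 10/8 range.
view "internal-localhost" {
    match-clients { localhost; };
    recursion yes;
    empty-zones-enable yes;
};

view "internal" {
    match-clients { 10.0.0.0/8; };
    recursion yes;
    // Recursive view: keep the built-in empty zones so PTR queries for
    // unrouted RFC 1918 space get NXDOMAIN here instead of leaking out to
    // the root / AS112 servers.
    empty-zones-enable yes;
    // A zone configured in the view takes precedence over the built-in
    // empty zone of the same name, so this one is served from its file.
    zone "0.0.10.in-addr.arpa" {
        type master;
        file "internal/0.0.10.in-addr.arpa";
    };
};

view "external-root" {
    match-clients { any; };
    recursion no;
    // Authoritative-only view: nothing is answered from cache, so the
    // empty zones would never be consulted; say so explicitly.
    empty-zones-enable no;
};
```

Run `named-checkconf` before `rndc reload`; after the reload the three per-view warnings should no longer appear in the log, and `dig -x 10.255.255.1 @ns1` from a 10/8 client should return NXDOMAIN from the view's empty zone rather than a referral.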
Problems with NS @home and my public
Hello, I am learning network administration and would like to configure my network to do: workstation -> ns.intra.mydomain.com -> ns.mydomain.com. Currently I have the following configs:

workstation:
  --( /etc/resolv.conf )--
  search intra.mydomain.com
  nameserver 192.168.0.2

ns.intra.mydomain.com:
  --( /etc/resolv.conf )--
  search mydomain.com
  nameserver IP.OF.MY.PUBLIC.NS

  --( /etc/named.conf.options )---
  options {
      directory "/var/cache/bind";
      check-names master fail;
      check-names slave warn;
      check-names response ignore;
      auth-nxdomain no;
      listen-on-v6 { any; };
      listen-on { 192.168.0.2; };
      forwarders { IP.OF.MY.PUBLIC.NS; };
      dnssec-enable yes;
  };
  logging {
      channel default_syslog {
          syslog local2;
          severity info;
          print-category yes;
          print-severity yes;
          print-time no;
      };
      category default { };
      category edns-disabled { null; };
  };
  include "/etc/bind/rndc.key";
  controls {
      inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
  };
  include "/etc/bind/tsig.key";

ns.mydomain.com:
  --( /etc/resolv.conf )--
  (empty)

  --( /etc/named.conf.options )---
  options {
      directory "/var/cache/bind";
      check-names master fail;
      check-names slave warn;
      check-names response ignore;
      auth-nxdomain no;
      listen-on-v6 { any; };
      listen-on { IP.OF.MY.PUBLIC.NS; };
      dnssec-enable yes;
      recursion yes;
      allow-recursion { any; };
      allow-query { any; };
      allow-query-cache { any; };
  };
  logging {
      channel default_syslog {
          syslog local2;
          severity info;
          print-category yes;
          print-severity yes;
          print-time no;
      };
      category default { default_syslog; };
  };
  include "/etc/bind/rndc.key";
  controls {
      inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
  };
  include "/etc/bind/tsig.key";

I have gotten the above config from the internet but it seems not to work, because I have the same error messages in my logs as another person on the list, like:

  lame-servers: info: error (unexpected RCODE REFUSED) resolving...
  security: info: client MY.FIXED.HOME.IP#5525: query (cache) 'some_domain' denied
  lame-servers: info: error (network unreachable) resolving 'b.au//IN': 2607:f140::fffe::3#53
  lame-servers: info: lame server resolving 'www.some_domain' (in 'some_domain'?): first.NS.IP#53
  lame-servers: info: lame server resolving 'www.some_domain' (in 'some_domain'?): second.NS.IP#53

So, in the last days I have been searching the internet like hell for how to solve this problem, but have found nothing yet. Can someone help me please? Where can I find a HOWTO which tells me how to set up my name server correctly, including DNSSEC (NSEC3)?

Thanks

Note: I need to learn this perfectly, because I come from a country where people are kidnapped and killed by the government, and I need a bulletproof setup which I can put online one day without risking being hacked by my government.
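The two named.conf.options files above, rewritten so that each server only offers recursion to the clients that are supposed to use it. This is an added example and not the poster's configuration: the placeholders IP.OF.MY.PUBLIC.NS and MY.FIXED.HOME.IP are the poster's own, while the 192.168.0.0/24 LAN range, the zone file name and the assumption of BIND 9.8 or later (for `dnssec-validation auto;`) are mine. The two files are shown one after the other in a single block.

```conf
// Added example (not the poster's config). IP.OF.MY.PUBLIC.NS and
// MY.FIXED.HOME.IP are the poster's placeholders; 192.168.0.0/24, the zone
// file name and the BIND 9.8+ assumption are mine.

// ---- ns.intra.mydomain.com (192.168.0.2): forwarding resolver for the LAN ----
options {
    directory "/var/cache/bind";
    listen-on    { 192.168.0.2; };
    listen-on-v6 { none; };   // no IPv6 uplink: stops "network unreachable" to v6 servers

    recursion yes;
    allow-query     { 192.168.0.0/24; localhost; };
    allow-recursion { 192.168.0.0/24; localhost; };

    // "forward only": never iterate from the root ourselves. Every query the
    // LAN sends goes to the public server, which is the one allowed to recurse.
    forward only;
    forwarders { IP.OF.MY.PUBLIC.NS; };

    dnssec-enable yes;
    dnssec-validation auto;   // BIND 9.8+; on 9.7 use "yes" and configure trust anchors
};

// ---- ns.mydomain.com (IP.OF.MY.PUBLIC.NS): authoritative for mydomain.com,
//      recursive only for the home connection ----
options {
    directory "/var/cache/bind";
    listen-on    { IP.OF.MY.PUBLIC.NS; };
    listen-on-v6 { none; };

    // Anyone may ask for our authoritative data...
    allow-query { any; };

    // ...but only the home address (and the box itself) may ask for
    // recursion or read the cache. "allow-recursion { any; }" on a public
    // address makes the server an open resolver that anyone on the
    // internet can use, which is exactly what a hostile network wants.
    recursion yes;
    allow-recursion   { MY.FIXED.HOME.IP; localhost; };
    allow-query-cache { MY.FIXED.HOME.IP; localhost; };

    dnssec-enable yes;
    dnssec-validation auto;
};

zone "mydomain.com" {
    type master;
    file "/etc/bind/zones/mydomain.com.signed";   // output of dnssec-signzone
    allow-transfer { none; };                      // assumed: no secondaries yet
};
```

Check each file with `named-checkconf` before reloading. The "query (cache) denied" lines in the log are named refusing cache access to a client outside allow-query-cache, so after the change MY.FIXED.HOME.IP should be the only external address that ever gets a cached answer; if the public host has no IPv6 route at all, starting named with `-4` also removes the "network unreachable" attempts to IPv6 name servers. For the NSEC3 part of the question, the signing step is `dnssec-signzone` with its `-3 <salt>` option; the HOWTO for the rest of the signing workflow is in the BIND ARM's DNSSEC chapter.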
Re: About root zones
2012/1/4 Mark Andrews ma...@isc.org: If you want named to be authoritative only set recursion no; or allow-recursion { none; } or allow-query-cache { none; }; and no data will be returned from the cache. allow-recursion and allow-query-cache cross inherit from each other. If you only want master zones to send notify messages then set notify master-only;. If you want named to only use the same nameservers as the system uses then set forward only; forwarders { list from resolv.conf; };. Named does not read resolv.conf though the tools do. Thank you, Mark, these things were done a long time ago. Is there any documentation related to BIND's internals? -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- -- AP