Re: .IN Domain is DNSSEC enabled or not
On Thu, Jan 5, 2012 at 10:08 PM, Gaurav Kansal gaurav.kan...@nic.in wrote:
> Dear All,
>
> I am new to DNSSEC. I purchased a new domain especially for testing DNSSEC. When I ask my domain seller to put my DS key in the .IN domain, they say that .IN is still not ready for this. But as per my knowledge .IN is DNSSEC ready.
>
> I do the *dig @8.8.8.8 in. NS +dnssec* query, and it is showing the RRSIG record in the query answer. Is this sufficient to prove that the .IN domain is DNSSEC enabled, or do I have to check something else?

What this shows is that IN itself is signed in the root. This is the first step in a TLD accepting DS records from sub-domains, but does not mean that they are ready to do so. You would really need to contact whoever manages .in and ask them if they are accepting keys.

Also, even if you find a DS record in .in, it may not indicate that they are ready to open the doors to general addition of DS records. They may be testing and developing tools to handle them and have just a few test cases. I know that when I got a DS record added for a zone I handled, it was a mostly manual operation to test and confirm that things were working when the registry was not yet ready to accept DS keys in any standard way.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
IPv4 IPv6 Queries
I would like to configure my DNS server to respond with A and AAAA records when someone queries for a specific site. I don't know if this functionality is even available, but if it is, would someone mind pointing me in the right direction to get this configured?
Re: IPv4 IPv6 Queries
On Fri, Jan 6, 2012 at 8:05 AM, Brian Hamacher bhamac...@westianet.com wrote:
> I would like to configure my DNS server to respond with A and AAAA records when someone queries for a specific site. I don't know if this functionality is even available, but if it is, would someone mind pointing me in the right direction to get this configured?

Just add an AAAA record that points to the corresponding IPv6 IP in the zone file where your existing A record is.

hostname IN A xxx.xxx.xxx.xxx
hostname IN AAAA ::::etc
--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: IPv4 IPv6 Queries
On Friday 06 January 2012 07:05:40 Brian Hamacher wrote:
> I would like to configure my DNS server to respond with A and AAAA records when someone queries for a specific site. I don't know if

s/site/name/ -- DNS deals in names.

> this functionality is even available, but if it is, would someone mind pointing me in the right direction to get this configured?

Of course it is available, because that is exactly what DNS does: answer queries, return results as found. (Found either in zones or through recursion.)

It's hard to guess what you are not understanding. Perhaps you can elaborate on what you want to do and why?
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
variable dig results
Wondering why we get variable results from the following command:

dig eftc.thehartford.com

(sometimes we get authority section and additional section feedback ... sometimes we don't)

Usually we see the following:

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> eftc.thehartford.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35955
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;eftc.thehartford.com.          IN      A

;; ANSWER SECTION:
eftc.thehartford.com.   120     IN      A       162.136.189.173

;; Query time: 94 msec
;; SERVER: 172.25.17.185#53(172.25.17.185)
;; WHEN: Fri Jan  6 07:23:07 2012
;; MSG SIZE  rcvd: 54

But occasionally we see:

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> eftc.thehartford.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64958
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;eftc.thehartford.com.          IN      A

;; ANSWER SECTION:
eftc.thehartford.com.   120     IN      A       162.136.189.173

;; AUTHORITY SECTION:
thehartford.com.        120     IN      NS      hfdns3.thehartford.com.
thehartford.com.        120     IN      NS      hfdns4.thehartford.com.
thehartford.com.        120     IN      NS      simns3.thehartford.com.
thehartford.com.        120     IN      NS      simns4.thehartford.com.

;; ADDITIONAL SECTION:
hfdns3.thehartford.com. 120     IN      A       162.136.188.3
hfdns4.thehartford.com. 120     IN      A       162.136.188.4
simns3.thehartford.com. 120     IN      A       162.136.190.3
simns4.thehartford.com. 120     IN      A       162.136.190.4

;; Query time: 52 msec
;; SERVER: 172.25.17.185#53(172.25.17.185)
;; WHEN: Fri Jan  6 00:10:02 2012
;; MSG SIZE  rcvd: 202

I assume this is due to differences in response from different auth nameservers. If that's the case ... what does one have set up to return the 2nd response?

Thanks!
Martin Meadows
Re: variable dig results
I suspect that dig is confused. Let me explain.

Looks like WHOIS says that these (2) servers are authoritative for this domain:

ns1.thehartford.com. ['162.136.188.1'] [TTL=172800]
ns2.thehartford.com. ['162.136.190.1'] [TTL=172800]

However, the DNS configuration says something different, which lists these (4) servers instead:

hfdns3.thehartford.com ['162.136.188.3'] [TTL=120]
hfdns4.thehartford.com ['162.136.188.4'] [TTL=120]
simns3.thehartford.com ['162.136.190.3'] [TTL=120]
simns4.thehartford.com ['162.136.190.4'] [TTL=120]

As one can see, they do not match nor even overlap nor even agree. Someone needs to decide which servers are really supposed to be authoritative for this domain and have alignment in all configurations.

http://www.intodns.com/thehartford.com

Hope this helps.

> From: M. Meadows sun-g...@live.com
> To: bind-users bind-users@lists.isc.org
> Sent: Friday, January 6, 2012 8:28 AM
> Subject: variable dig results
>
> Wondering why we get variable results from the following command:
>
> dig eftc.thehartford.com
>
> (sometimes we get authority section and additional section feedback ... sometimes we don't)
>
> Usually we see the following:
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> eftc.thehartford.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35955
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;eftc.thehartford.com.          IN      A
>
> ;; ANSWER SECTION:
> eftc.thehartford.com.   120     IN      A       162.136.189.173
>
> ;; Query time: 94 msec
> ;; SERVER: 172.25.17.185#53(172.25.17.185)
> ;; WHEN: Fri Jan  6 07:23:07 2012
> ;; MSG SIZE  rcvd: 54
>
> But occasionally we see:
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> eftc.thehartford.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64958
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;eftc.thehartford.com.          IN      A
>
> ;; ANSWER SECTION:
> eftc.thehartford.com.   120     IN      A       162.136.189.173
>
> ;; AUTHORITY SECTION:
> thehartford.com.        120     IN      NS      hfdns3.thehartford.com.
> thehartford.com.        120     IN      NS      hfdns4.thehartford.com.
> thehartford.com.        120     IN      NS      simns3.thehartford.com.
> thehartford.com.        120     IN      NS      simns4.thehartford.com.
>
> ;; ADDITIONAL SECTION:
> hfdns3.thehartford.com. 120     IN      A       162.136.188.3
> hfdns4.thehartford.com. 120     IN      A       162.136.188.4
> simns3.thehartford.com. 120     IN      A       162.136.190.3
> simns4.thehartford.com. 120     IN      A       162.136.190.4
>
> ;; Query time: 52 msec
> ;; SERVER: 172.25.17.185#53(172.25.17.185)
> ;; WHEN: Fri Jan  6 00:10:02 2012
> ;; MSG SIZE  rcvd: 202
>
> I assume this is due to differences in response from different auth nameservers. If that's the case ... what does one have set up to return the 2nd response?
>
> Thanks!
> Martin Meadows
Re: variable dig results
On Fri, 6 Jan 2012, M. Meadows wrote:
> Wondering why we get variable results from the following command:
>
> dig eftc.thehartford.com
>
> (sometimes we get authority section and additional section feedback ... sometimes we don't)
>
> ;; Query time: 52 msec
> ;; SERVER: 172.25.17.185#53(172.25.17.185)
> ;; WHEN: Fri Jan  6 00:10:02 2012
> ;; MSG SIZE  rcvd: 202
>
> I assume this is due to differences in response from different auth nameservers. If that's the case ... what does one have set up to return the 2nd response?

As the server wasn't specified, dig tries each of the servers listed in /etc/resolv.conf and used 172.25.17.185 both times, one with the rd flag set and got a non-authoritative answer and an authoritative. I'd assume there are multiple instances or views and you're getting cached answers occasionally. If consistency is needed, maybe specify the server with @server and/or +[no]recurse.
--
David Forrest
St. Louis, Missouri
Re: .IN Domain is DNSSEC enabled or not
On 06/01/2012 09:03, Kevin Oberman wrote:
> What this shows is that IN itself is signed in the root. This is the first step in a TLD accepting DS records from sub-domains, but does not mean that they are ready to do so. You would really need to contact whoever manages .in and ask them if they are accepting keys.
>
> Also, even if you find a DS record in .in, it may not indicate that they are ready to open the doors to general addition of DS records. They may be testing and developing tools to handle them and have just a few test cases. I know that when I got a DS record added for a zone I handled, it was a mostly manual operation to test and confirm that things were working when the registry was not yet ready to accept DS keys in any standard way.

Hello,

Yes indeed, a testing phase opened a couple of months ago; it looks like the registry will soon be ready to accept DS:

http://www.registry.in/DNSSEC_Deployment

You might want to ask your registrar(s) if they plan to implement DNSSEC with the .in registry.

Regards,
Laurent Bauer
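The distinction Kevin and Laurent draw (the TLD being signed in the root versus the registry publishing a DS for your own zone) can be checked with two DS lookups rather than the NS +dnssec query from the original question. The script below is an added example, not something from the thread or from the .in registry; both dig outputs are constructed samples shaped like `dig @8.8.8.8 <name> DS +dnssec`, and the domain name (dnssec-test.in), key tags, digests, signatures, SOA names and NSEC3 hashes are placeholders, not real .in data.

```python
import re

# Added example: tell "the TLD is signed" apart from "the TLD publishes a DS
# for my zone". Both outputs are constructed samples with placeholder values.

TLD_DS = """\
; <<>> DiG (constructed sample) <<>> @8.8.8.8 in. DS +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;in.\t\t\tIN\tDS

;; ANSWER SECTION:
in.\t\t86400\tIN\tDS\t11111 8 2 PLACEHOLDERDIGEST
in.\t\t86400\tIN\tRRSIG\tDS 8 1 86400 20120201000000 20120105000000 22222 . PLACEHOLDERSIG==
"""

# Hypothetical domain that is signed locally but whose DS the registry has not
# published yet: NOERROR, empty answer, NSEC3 proof of the missing DS.
DOMAIN_DS = """\
; <<>> DiG (constructed sample) <<>> @8.8.8.8 dnssec-test.in. DS +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;dnssec-test.in.\t\tIN\tDS

;; AUTHORITY SECTION:
in.\t\t1800\tIN\tSOA\tmname.placeholder. hostmaster.placeholder. 2012010601 1800 900 604800 1800
in.\t\t1800\tIN\tRRSIG\tSOA 8 1 1800 20120201000000 20120105000000 33333 in. PLACEHOLDERSIG==
PLACEHOLDERHASH.in.\t1800\tIN\tNSEC3\t1 1 5 - PLACEHOLDERNEXTHASH NS
PLACEHOLDERHASH.in.\t1800\tIN\tRRSIG\tNSEC3 8 2 1800 20120201000000 20120105000000 33333 in. PLACEHOLDERSIG==
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")


def parse_dig(output):
    """Return (header flags, {section: [(owner, ttl, class, type, rdata), ...]})."""
    flags, sections, current = set(), {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if line.startswith(";") or current is None:
            continue  # banner, question line, trailing statistics
        owner, ttl, cls, rtype, rdata = (line.split(None, 4) + [""])[:5]
        sections[current].append((owner, int(ttl), cls, rtype, rdata))
    return flags, sections


def types_in(sections, name):
    return {rr[3] for rr in sections.get(name, [])}


def delegation_status(tld_output, domain_output):
    """Summarise what the two DS lookups prove about a delegation under a TLD."""
    tld_flags, tld = parse_dig(tld_output)
    dom_flags, dom = parse_dig(domain_output)
    tld_answer, dom_answer = types_in(tld, "ANSWER"), types_in(dom, "ANSWER")
    dom_auth = types_in(dom, "AUTHORITY")
    return {
        # The root publishes and signs a DS for the TLD: the TLD is in the chain of trust.
        "tld_signed": {"DS", "RRSIG"} <= tld_answer,
        # The resolver validated that answer (AD bit set).
        "tld_validated": "ad" in tld_flags,
        # Only a DS inside the TLD zone extends the chain to our own zone.
        "domain_ds_published": "DS" in dom_answer,
        # Signed TLD but no DS: an NSEC/NSEC3 record proves the absence, so the
        # delegation is "insecure" (treated as unsigned by validators), not "bogus".
        "domain_proven_insecure": "DS" not in dom_answer and "ad" in dom_flags
        and bool(dom_auth & {"NSEC", "NSEC3"}),
    }


if __name__ == "__main__":
    for key, value in delegation_status(TLD_DS, DOMAIN_DS).items():
        print(f"{key}: {value}")
```

Run against real output, the first result (`tld_signed`) is what the RRSIG in the original question already shows; the one that matters for your zone is `domain_ds_published`, which stays False until the registrar has submitted the DS and the registry has published it. Until then validating resolvers treat the zone as insecure, no matter how correctly it is signed.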
RE: variable dig results
thanks for the helpful feedback guys!

> Date: Fri, 6 Jan 2012 10:14:55 -0600
> From: d...@maplepark.com
> To: sun-g...@live.com
> CC: bind-users@lists.isc.org
> Subject: Re: variable dig results
>
> On Fri, 6 Jan 2012, M. Meadows wrote:
> > Wondering why we get variable results from the following command:
> >
> > dig eftc.thehartford.com
> >
> > (sometimes we get authority section and additional section feedback ... sometimes we don't)
> >
> > ;; Query time: 52 msec
> > ;; SERVER: 172.25.17.185#53(172.25.17.185)
> > ;; WHEN: Fri Jan  6 00:10:02 2012
> > ;; MSG SIZE  rcvd: 202
> >
> > I assume this is due to differences in response from different auth nameservers. If that's the case ... what does one have set up to return the 2nd response?
>
> As the server wasn't specified, dig tries each of the servers listed in /etc/resolv.conf and used 172.25.17.185 both times, one with the rd flag set and got a non-authoritative answer and an authoritative. I'd assume there are multiple instances or views and you're getting cached answers occasionally. If consistency is needed, maybe specify the server with @server and/or +[no]recurse.
> --
> David Forrest
> St. Louis, Missouri
Re: New problem with lame-server after Dist-Upgrade
On Dec 28, 2011, at 8:56 PM, Chris Buxton wrote:
> On Dec 24, 2011, at 4:50 PM, Michelle Konzack wrote:
> > Dec 25 01:39:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'www4.l.google.com/AAAA/IN': 2001:503:231d::2:30#53
> > Dec 25 01:40:10 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'ns2.roka.net/AAAA/IN': 2001:500:1::803f:235#53
> > Dec 25 01:40:10 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'dns.roka.net/AAAA/IN': 2001:748:100:70::2#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'www.kaleme.com/AAAA/IN': 2001:503:a83e::2:30#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns3.ultradns.org/A/IN': 2001:500:2f::f#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns4.ultradns.org/A/IN': 2001:500:2f::f#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns3.ultradns.org/AAAA/IN': 2001:503:c27::2:30#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns4.ultradns.org/AAAA/IN': 2001:503:ba3e::2:30#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns3.ultradns.org/A/IN': 2001:dc3::35#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns4.ultradns.org/A/IN': 2001:503:c27::2:30#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns4.ultradns.org/A/IN': 2001:503:ba3e::2:30#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns4.ultradns.org/A/IN': 2001:7fd::1#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns3.ultradns.org/AAAA/IN': 2001:7fd::1#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns5.ultradns.info/A/IN': 2001:500:19::1#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns5.ultradns.info/A/IN': 2001:500:1a::1#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns4.ultradns.org/AAAA/IN': 2001:500:40::1#53
> > Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns4.ultradns.org/A/IN': 2001:502:4612::1#53
>
> That tells me your IPv6 connectivity is probably broken. Either fix it or disable IPv6 in named by starting it with -4.

So BIND's 'lame' log line includes the concept of 'unreachable'? I seem to recall the definition 'delegation target that answers without aa'. However, given the '(network unreachable)' comment, I agree with your diagnosis.

John Wobus
Cornell
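Chris's diagnosis rests on one observation: every target address in those lame-servers lines is IPv6. The script below is an added example (not from the thread or from ISC) that makes that observation mechanically over a log: it parses the lame-servers lines, groups the errors by address family, and reports when all "network unreachable" failures sit on one family. The first four sample lines are taken from Michelle's log as quoted above (with the record type between the slashes restored); the fifth line, with a TEST-NET address and the name host.example, is constructed to show the contrast.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Added example. Four lines quoted from the thread plus one constructed IPv4
# line (host.example / 192.0.2.53 are documentation values, not a real host).
LOG = """\
Dec 25 01:39:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'www4.l.google.com/AAAA/IN': 2001:503:231d::2:30#53
Dec 25 01:40:10 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'ns2.roka.net/AAAA/IN': 2001:500:1::803f:235#53
Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns3.ultradns.org/A/IN': 2001:500:2f::f#53
Dec 25 01:42:02 storage000 named[29649]: lame-servers: info: error (network unreachable) resolving 'pdns4.ultradns.org/A/IN': 2001:502:4612::1#53
Dec 25 01:42:05 storage000 named[29649]: lame-servers: info: error (connection timed out) resolving 'host.example/A/IN': 192.0.2.53#53
"""

# named's "error (<reason>) resolving '<name>/<type>/<class>': <address>#<port>" form.
LINE_RE = re.compile(
    r"lame-servers: \w+: error \((?P<error>[^)]+)\) resolving "
    r"'(?P<query>[^']+)': (?P<addr>[^#\s]+)#(?P<port>\d+)"
)


def parse_lame_lines(text):
    """One dict per matching line: error text, the query, the target address and its IP version."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other named categories, or a line this regex does not cover
        addr = ipaddress.ip_address(m["addr"])
        events.append({"error": m["error"], "query": m["query"],
                       "addr": addr, "family": addr.version})
    return events


def summarize(events):
    """Error counts keyed by address family (4 or 6) and then by error text."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["family"]][e["error"]] += 1
    return {family: dict(c) for family, c in counts.items()}


def diagnose(events):
    """If every 'network unreachable' target is on one family, that transport is the problem."""
    unreachable = [e for e in events if e["error"] == "network unreachable"]
    if unreachable and all(e["family"] == 6 for e in unreachable):
        return "ipv6-unreachable"
    if unreachable and all(e["family"] == 4 for e in unreachable):
        return "ipv4-unreachable"
    return "mixed-or-none"


if __name__ == "__main__":
    evs = parse_lame_lines(LOG)
    print(summarize(evs))
    print(diagnose(evs))
```

On the quoted log this returns `ipv6-unreachable`, the case where the thread's advice applies: give named working IPv6 routing, or run it with `-4` so it never tries to reach IPv6 nameservers. The time-out on the constructed IPv4 line is counted separately, so a genuinely lame server on a working transport is not lumped in with the routing problem.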
Re: variable dig results
On Jan 6, 2012, at 11:14 AM, David Forrest wrote:
> On Fri, 6 Jan 2012, M. Meadows wrote:
> > Wondering why we get variable results from the following command:
> >
> > dig eftc.thehartford.com
> >
> > (sometimes we get authority section and additional section feedback ... sometimes we don't)
> >
> > ;; Query time: 52 msec
> > ;; SERVER: 172.25.17.185#53(172.25.17.185)
> > ;; WHEN: Fri Jan  6 00:10:02 2012
> > ;; MSG SIZE  rcvd: 202
> >
> > I assume this is due to differences in response from different auth nameservers. If that's the case ... what does one have set up to return the 2nd response?
>
> As the server wasn't specified, dig tries each of the servers listed in /etc/resolv.conf and used 172.25.17.185 both times, one with the rd flag set and got a non-authoritative answer and an authoritative. I'd assume there are multiple instances or views and you're getting cached answers occasionally. If consistency is needed, maybe specify the server with @server and/or +[no]recurse.

The cited dig answers differ in that only one has the 'rd' flag (recursion desired), which suggests to me a difference in the queries. It would be interesting to know whether +recurse versus +norecurse controls it. Also, +qr would let you directly see what flags are in the query.

It's a mystery if the answers differ despite the exact same dig command, the same client IP and client computer login (i.e., same .digrc if one exists). If it's from different client IPs, BIND views configured on the server could cause such a difference.

John Wobus
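David's and John's replies both come down to reading the header of the two answers: which flags are present and how the section counts differ. As an added example (not from the thread), the script below parses exactly those header lines from the two outputs Martin posted and turns the differences into the diagnostic notes the replies give in prose. Only the header portion of each output is embedded; the inputs are the thread's own dig output, the parser and interpretation are not.

```python
import re

# Added example: header portions of the two dig outputs posted in this thread.
USUAL = """\
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> eftc.thehartford.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35955
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

OCCASIONAL = """\
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> eftc.thehartford.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64958
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*); QUERY: (\d+), ANSWER: (\d+), "
                      r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")


def parse_header(output):
    """Opcode, status, id, the flag set and the four section counts from dig output."""
    info = {}
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            info["opcode"], info["status"], info["id"] = m.group(1), m.group(2), int(m.group(3))
            continue
        m = FLAGS_RE.match(line)
        if m:
            info["flags"] = frozenset(m.group(1).split())
            info["counts"] = dict(zip(("QUERY", "ANSWER", "AUTHORITY", "ADDITIONAL"),
                                      map(int, m.groups()[1:])))
    return info


def classify(info):
    """aa: answered from the server's own authoritative data.
    rd: the response echoes the query's recursion-desired bit.
    ra: the server offers recursion to this client."""
    flags = info["flags"]
    if "aa" in flags:
        return "authoritative"
    if "rd" in flags and "ra" in flags:
        return "recursive"
    return "other"


def diff_flags(a, b):
    return {"only_in_first": set(a["flags"] - b["flags"]),
            "only_in_second": set(b["flags"] - a["flags"])}


def explain_difference(a, b):
    """Notes on why two answers to the same question from the same server look different."""
    notes = []
    changed = diff_flags(a, b)["only_in_first"] | diff_flags(a, b)["only_in_second"]
    if "rd" in changed:
        notes.append("the queries differed in their RD bit: check ~/.digrc and "
                     "pass +recurse or +norecurse explicitly; +qr shows the query sent")
    if "aa" in changed:
        notes.append("one answer is authoritative and the other is not: the same "
                     "address answered from cache or from a different view")
    if a["counts"]["AUTHORITY"] != b["counts"]["AUTHORITY"]:
        notes.append("the AUTHORITY/ADDITIONAL sections (NS set and glue) only came "
                     "back with one of the answers, hence the different message sizes")
    return notes


if __name__ == "__main__":
    usual, occasional = parse_header(USUAL), parse_header(OCCASIONAL)
    print(classify(usual), classify(occasional), diff_flags(usual, occasional))
    for note in explain_difference(usual, occasional):
        print("-", note)
```

Pinning the server with `@172.25.17.185` and forcing `+norecurse` or `+recurse`, as suggested above, removes the first source of variation; if the answers still alternate between authoritative and cached, the remaining suspects are the multiple instances or views on that address.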
Re: IPv4 IPv6 Queries
As others have pointed out, you configure both A and AAAA records into your zone for the same name, and then the client makes *separate* queries for each.

If you want a lot more detail on the process, check out RFC 3493, which describes the socket interface for IPv6, in particular the getaddrinfo() library routine which can fetch IPv4 and/or IPv6 addresses for a given node name or service name, and also RFC 3484, which goes into detail as to how the client will decide which source and destination addresses to use when communicating with other nodes, once the IPv4 and/or IPv6 address(es) are obtained from DNS (or any other source).

- Kevin

On 1/6/2012 8:05 AM, Brian Hamacher wrote:
> I would like to configure my DNS server to respond with A and AAAA records when someone queries for a specific site. I don't know if this functionality is even available, but if it is, would someone mind pointing me in the right direction to get this configured?
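To make both halves of this thread concrete (Rick's two zone-file lines, and Kevin's point that the client fetches A and AAAA with separate queries), here is an added example that is not from the thread, BIND or any RFC: it emits the two records for a name, then builds the two wire-format queries a getaddrinfo()-style client would send and answers them the way an authoritative server does, from one zone, returning only the RRset of the type asked for. The zone contents (www.example.net, 192.0.2.10, 2001:db8::10) are documentation values; the responder is a deliberately minimal stand-in for a real server and handles only A and AAAA.

```python
import ipaddress
import struct

# Added example: zone lines plus a minimal DNS query/response round trip.
QTYPE = {"A": 1, "AAAA": 28}
TYPE_NAME = {v: k for k, v in QTYPE.items()}

# Constructed zone data (documentation addresses, not a real host).
ZONE = {"www.example.net": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]}}


def zone_records(hostname, ipv4, ipv6, ttl=3600):
    """The two lines to add for one name; raises ValueError on a malformed address."""
    v4 = ipaddress.IPv4Address(ipv4)
    v6 = ipaddress.IPv6Address(ipv6)
    return [f"{hostname}\t{ttl}\tIN\tA\t{v4}",
            f"{hostname}\t{ttl}\tIN\tAAAA\t{v6.compressed}"]


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:  # compression pointer back to an earlier name
            ptr = ((n & 0x3F) << 8) | msg[off]
            labels.append(decode_name(msg, ptr)[0])
            off += 1
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(name, rtype, txid=0x1234):
    """One question per message: the client sends one for A and another for AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE[rtype], 1)


def answer_query(query, zone, ttl=3600):
    """Authoritative side: copy the question, attach only the RRset of the
    requested type, set QR and AA, echo the client's RD bit."""
    txid, flags = struct.unpack("!HH", query[:4])
    qname, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    addrs = zone.get(qname, {}).get(TYPE_NAME.get(qtype), [])
    body = b""
    for a in addrs:
        packed = ipaddress.ip_address(a).packed  # 4 bytes for A, 16 for AAAA
        body += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(packed)) + packed
    header = struct.pack("!HHHHHH", txid, 0x8400 | (flags & 0x0100), 1, len(addrs), 0, 0)
    return header + query[12:off + 4] + body


def parse_answers(resp):
    """Addresses carried in the ANSWER section of a response."""
    qd, an = struct.unpack("!HH", resp[4:8])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4
    found = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype in TYPE_NAME:
            found.append(str(ipaddress.ip_address(resp[off:off + rdlen])))
        off += rdlen
    return found


def lookup_both(name, zone):
    """Client side, getaddrinfo()-style: two independent queries, one per family."""
    return {rtype: parse_answers(answer_query(build_query(name, rtype), zone))
            for rtype in ("A", "AAAA")}


if __name__ == "__main__":
    print("\n".join(zone_records("www.example.net.", "192.0.2.10", "2001:db8::10")))
    print(lookup_both("www.example.net", ZONE))
```

Running it shows the point of Kevin's reply: the A query never carries an IPv6 address and the AAAA query never carries an IPv4 one, so a name with only an A record answers the AAAA query with an empty ANSWER section rather than an error, and which of the two addresses the client then connects to is decided by RFC 3484 address selection, not by the server.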