Re: DNSSEC troubles (no valid NSEC) ?

2012-07-25 Thread Frantisek Hanzlik
Casey Deccio wrote: > On Wed, Jul 25, 2012 at 10:07 AM, Frantisek Hanzlik > wrote: > > I am solving a problem with delivering mail to address "x...@br.ds.mfcr.cz > ". > MTA obviously isn't able to resolve MX records for this domain. > "dig

Re: Journal File Question

2012-07-25 Thread Mark Andrews
In message , Chris Thompson writes: > On Jul 25 2012, wbr...@e1b.org wrote: > > >Chris Buxton wrote on 07/25/2012 12:07:22 PM: > > > >> > It doesn't sync the files to make two equal copies. It applies all of > >the > >> > outstanding transactions in the journal file to the zone file and then

Re: Block some users with Bind9

2012-07-25 Thread Emiliano Vazquez
Blocking UDP dst port 53 is good but you must take into account that maybe some of your services\servers need this access for whatever reason there is. That's true. If you are using squid in transparent mode it's good enough for basic HTTP blocking. To block HTTPS you will need to force your us

Re: Journal File Question

2012-07-25 Thread Chris Thompson
On Jul 25 2012, wbr...@e1b.org wrote: Chris Buxton wrote on 07/25/2012 12:07:22 PM: > It doesn't sync the files to make two equal copies. It applies all of the > outstanding transactions in the journal file to the zone file and then > empties the journal. I don't believe that is entirel

Re: DNSSEC troubles (no valid NSEC) ?

2012-07-25 Thread Mark Andrews
In message , Casey Deccio writes: > > On Wed, Jul 25, 2012 at 10:07 AM, Frantisek Hanzlik wrote: > > > I am solving a problem with delivering mail to address "x...@br.ds.mfcr.cz". > > MTA obviously isn't able to resolve MX records for this domain. > > "dig @localhost -t MX br.ds.mfcr.cz" ends with SERV

Re: Block some users with Bind9

2012-07-25 Thread Eliezer Croitoru
On 7/25/2012 3:26 PM, Emiliano Vazquez wrote: Well, on a DNS level it will be nice to block it, but if the user will have access to some DNS anywhere in the world in any way he can just use some basic browser tricks to make this DNS setup stupid. I think it's better to use a proxy\fw to block these s

Re: DNSSEC troubles (no valid NSEC) ?

2012-07-25 Thread Casey Deccio
On Wed, Jul 25, 2012 at 10:07 AM, Frantisek Hanzlik wrote: > I am solving a problem with delivering mail to address "x...@br.ds.mfcr.cz". > MTA obviously isn't able to resolve MX records for this domain. > "dig @localhost -t MX br.ds.mfcr.cz" ends with SERVFAIL error: > > ... > > and in BIND (v9.7.4 i686)

Re: "Nintendo"('s NSes) are asking my IP for it's rdns

2012-07-25 Thread Kevin Darcy
I'm assuming this "greatunwashed" view has recursion turned off, right? If so, then the following approaches come to mind: a) create a master zone for 5.37.58.216.in-addr.arpa in the non-recursive view, putting the PTR record at the apex b) become a "stealth" (unpublished) slave for 5.37.58.216.

RHEL, Centos, Fedora rpm 9.9.1-P2

2012-07-25 Thread Carl Byington
http://www.five-ten-sg.com/util/bind-9.9.1-0.1.P2.fc18.src.rpm EL4: rpmbuild --rebuild --define 'dist .el4' \ bind-9.9.1-0.1.P2.fc18.src.rpm EL5: rpmbuild --rebuild --define 'dist .el5' \ bind-9.9.1-0.1.P2.fc18.src.rpm EL6: rpmbui

Re: global forwarders - current BIND9 behaviour documentation

2012-07-25 Thread Ben Croswell
All forwarders in the list will be tried at least some. Every time the fastest forwarder responds the srtt of the remaining forwarders is decayed. Eventually they will be lower and get tried. If they are slower than the original fastest their srtt goes back up and the original will be used again. It's

global forwarders - current BIND9 behaviour documentation

2012-07-25 Thread ip admin
Hi, anybody there who can provide a definitive answer on the current BIND 9.7 (or higher) global forwarder behaviour? I did find the following info before on using multiple forwarders: https://lists.isc.org/pipermail/bind-users/2007-September/067830.html My expectation based on that is that the

Re: DNSSEC troubles (no valid NSEC) ?

2012-07-25 Thread Tony Finch
Frantisek Hanzlik wrote: > ; <<>> DiG 9.7.4-P1-RedHat-9.7.4-2.P1.fc14 <<>> @localhost -t MX br.ds.mfcr.cz > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43325 > Problem will be perhaps something with DNSSEC. What is interesting, > BIND v9.9.1, essentially with the same configuration > qu

DNSSEC troubles (no valid NSEC) ?

2012-07-25 Thread Frantisek Hanzlik
I am solving a problem with delivering mail to address "x...@br.ds.mfcr.cz". MTA obviously isn't able to resolve MX records for this domain. "dig @localhost -t MX br.ds.mfcr.cz" ends with SERVFAIL error: ; <<>> DiG 9.7.4-P1-RedHat-9.7.4-2.P1.fc14 <<>> @localhost -t MX br.ds.mfcr.cz ; (1 server found) ;; gl

Re: Journal File Question

2012-07-25 Thread WBrown
Chris Buxton wrote on 07/25/2012 12:07:22 PM: > > It doesn't sync the files to make two equal copies. It applies all of the > > outstanding transactions in the journal file to the zone file and then > > empties the journal. > > I don't believe that is entirely correct. The journal file needs

Re: dig: Transfer failed

2012-07-25 Thread Stayvoid
> Check the 'allow-transfer' option in your named.conf. I don't have this option. Should I include it? Thanks

Re: Journal File Question

2012-07-25 Thread Evan Hunt
> The problem here is that a large portion of the zone file was > "accidentally" deleted. If you have a backup of the zone file from not too long ago (maybe a copy on a slave server?), then that plus the journal file could be enough to get all the data back. The journal will usually contain recor

Re: Journal File Question

2012-07-25 Thread Chris Buxton
On Jul 25, 2012, at 7:25 AM, wbr...@e1b.org wrote: > Chris wrote on 07/25/2012 09:04:49 AM: > >> Is it possible to restore a zone file from its associated journal file? > > No. The journal file only records updates to the zone. At best you would > only recover the changes since last commit to

Re: Journal File Question

2012-07-25 Thread WBrown
Chris wrote on 07/25/2012 09:04:49 AM: > Is it possible to restore a zone file from its associated journal file? No. The journal file only records updates to the zone. At best you would only recover the changes since last commit to the zone file. > The docs seem to indicate that a restart of

Re: "Nintendo"('s NSes) are asking my IP for it's rdns

2012-07-25 Thread Phil Mayers
On 24/07/12 14:30, Brian J. Murrell wrote: Why? I mean other than a knee-jerk reaction to that behavior not (yet) being documented in an RFC somewhere? I mean for practical purposes why is what they are (or rather, could be, assuming my suggestion about what they could be doing is correct) doi

Journal File Question

2012-07-25 Thread Chris Nighswonger
Is it possible to restore a zone file from its associated journal file? The docs seem to indicate that a restart of bind will sync the two files, but in practice I get such as this: zone foo.bar/IN: journal rollforward failed: journal out of sync with zone The problem here is that a large portio

Re: Block some users with Bind9

2012-07-25 Thread Emiliano Vazquez
Well, on a DNS level it will be nice to block it, but if the user will have access to some DNS anywhere in the world in any way he can just use some basic browser tricks to make this DNS setup stupid. I think it's better to use a proxy\fw to block these sites. You can use let say squid and use some ni

Re: Block some users with Bind9

2012-07-25 Thread Emiliano Vazquez
On 24/07/12 22:38, Michael Hoskins (michoski) wrote: I would try using RPZ with a combination of views and match-clients. http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/ Thanks for the link! I will read and post the results. Best

Re: Filtering IPv6 AAAA records?

2012-07-25 Thread Mark Andrews
In message , Paul Reilly writes: > > Thanks all - the "filter-aaaa-on-v4" has worked well in testing. > > In terms of "why?" we do actually have native IPv6 upstream, and some parts > of the network are fully IPv6 enabled, and access the internet on IPv6. But > some areas are only IPv4. I need

Re: Filtering IPv6 AAAA records?

2012-07-25 Thread Ondřej Caletka
On 25.7.2012 12:01, Paul Reilly wrote: > I need to make sure these IPv4 only parts of the network do not try and > access IPv6 internet hosts - as they are blocked at the firewall Then you should not send IPv6 router advertisements to the v4-only part of the network. Disabling responses is jus

Re: Filtering IPv6 AAAA records?

2012-07-25 Thread Paul Reilly
Thanks all - the "filter-aaaa-on-v4" has worked well in testing. In terms of "why?" we do actually have native IPv6 upstream, and some parts of the network are fully IPv6 enabled, and access the internet on IPv6. But some areas are only IPv4. I need to make sure these IPv4 only parts of the networ

Re: Filtering IPv6 AAAA records?

2012-07-25 Thread Stephane Bortzmeyer
On Tue, Jul 24, 2012 at 07:06:09PM +0100, Paul Reilly wrote a message of 61 lines which said: > Is it possible using the BIND resolver to filter out AAAA record > replies to end clients? It's probably less work to actually enable IPv6 access... In 2012, this is not even a big achievement.

Re: Block some users with Bind9

2012-07-25 Thread Eliezer Croitoru
On 7/24/2012 8:32 PM, Emiliano Vazquez wrote: Hi to everyone! I'm stuck with this! I need to do the following but I did not find the real solution. My problem: I need to block some IPs from the LAN to specific places, like "Facebook.com". I do this with Squid but https transport is encrypted a