Re: How to minimize the downtime in my case

2013-03-14 Thread Manish Rane
So is the TTL value we are discussing here the individual NS TTL value, or the
SOA default TTL value?
When I viewed my ISP's record I found that the SOA default TTL value is 12
days and the NS RR TTL value is 3600 secs.



On Fri, Mar 15, 2013 at 4:47 AM, Shawn Bakhtiar wrote:

>
> Given that you will eventually stop using ns1 and ns2, you should
> probably set up mynewns1 as the master with mynewns2 as a slave of mynewns1.
>
>
> --
> Date: Fri, 15 Mar 2013 01:05:50 +0530
> Subject: Re: How to minimize the downtime in my case
> From: manish...@gmail.com
> To: lath...@gmail.com
> CC: bind-users@lists.isc.org
>
>
> Will my new config look like this? Will it be a slave for my new
> servers?
>
> ns1.example.com        1.2.3.4      --> Master
> ns2.example.com        5.6.7.8      --> Slave
> mynewns1.example.com   20.20.20.20  --> Slave
> mynewns2.example.com   30.30.30.30  --> Slave
>
>
>
> On Fri, Mar 15, 2013 at 12:44 AM, Manish Rane  wrote:
>
> Hmm... you are talking about the SOA TTL value?
>
>
>
>
> On Fri, Mar 15, 2013 at 12:40 AM, Andrew Latham  wrote:
>
> Manish
>
> That is a perfectly good plan.  One note is to study your TTL.  If
> your ISP has set a longer TTL on your NS records then you would need
> to first ask for a shorter TTL and wait until the time has passed.
>
> Example: if the TTL is set to one week, ask for a change to a shorter period
> and then wait for 1.5 (or more) times the old TTL to pass before you
> begin your process.
>
>
>
> On Thu, Mar 14, 2013 at 3:04 PM, Manish Rane  wrote:
> > Hey Folks,
> >
> > I right now have NS servers hosted with my ISP and I am planning to set up my
> > own BIND servers. Now, as I understand it, I need to ask my
> > registrar to populate the entries for my new NS servers, which would take 4-6
> > hours to propagate over the internet.
> >
> > To reduce the downtime, can I not add those two new NS servers along with my
> > old DNS servers, with the exact same zone? Once all the NS entries populate over the
> > internet I can have my ISP's DNS removed and have one of my DNS servers as
> > master?
> >
> >
> > Current Scenario
> >
> > ns1.example.com        1.2.3.4
> > ns2.example.com        5.6.7.8
> >
> >
> > I am thinking of the below scenario
> >
> > ns1.example.com        1.2.3.4
> > ns2.example.com        5.6.7.8
> > mynewns1.example.com   20.20.20.20
> > mynewns2.example.com   30.30.30.30
> >
> > Then after a few days
> >
> > mynewns1.example.com   20.20.20.20
> > mynewns2.example.com   30.30.30.30
> >
> > Which eventually should have all the records.
> >
> > Please advise!!
> >
> >
> >
> > ___
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
>
>
> --
> ~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~
>
>
>
>
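
An added example for the overlap plan and the TTL question discussed above (this is not code from the thread or from ISC). The script parses text in the shape of `dig +noall +answer NS example.com @<server>` output (optionally with the SOA line from the same query type appended) taken from a parent-zone server and from every server that is supposed to be authoritative, and reports three things a migration needs before the ISP's servers are dropped: whether the NS set in the parent's delegation matches the apex NS set on every server, whether all servers carry the same SOA serial (the "exact zone" requirement), and the largest NS RRset TTL seen together with the 1.5x wait Andrew suggests. The TTL that keeps old nameservers alive in resolver caches is the NS RRset's TTL, both the copy the parent serves in the delegation and the copy the zone serves at its apex; the SOA MINIMUM field is the negative-caching TTL (RFC 2308), which is why the check reports NS TTLs only. The sample answers are constructed for the scenario in the thread: the 172800-second delegation TTL, the 3600-second NS TTL Manish reported, the serial numbers and the hostmaster address are all assumptions.

```python
"""Delegation and zone-sync check for a nameserver migration.

Parses dig-style answer text from a parent-zone server and from every
server that should be authoritative, then reports whether the NS sets,
SOA serials and TTLs allow a safe cutover.
"""
import re
from dataclasses import dataclass

RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")


@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str


def parse_answer(text):
    """Parse dig +noall +answer lines; blanks and ';' comments are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable answer line: {line!r}")
        rrs.append(RR(m["owner"].lower(), int(m["ttl"]), m["type"],
                      " ".join(m["rdata"].split()).lower()))
    return rrs


def ns_set(rrs):
    return frozenset(r.rdata for r in rrs if r.rtype == "NS")


def max_ns_ttl(rrs):
    return max((r.ttl for r in rrs if r.rtype == "NS"), default=0)


def soa_serial(rrs):
    """SOA rdata is 'mname rname serial refresh retry expire minimum'."""
    for r in rrs:
        if r.rtype == "SOA":
            return int(r.rdata.split()[2])
    return None


def check_delegation(parent_answer, child_answers):
    """Compare the parent's delegation with every authoritative server.

    parent_answer: answer text from a parent-zone (e.g. .com) server.
    child_answers: {NS hostname as written in the zone: answer text} for
                   every server that should be authoritative, old and new.
    """
    parent = parse_answer(parent_answer)
    delegation = ns_set(parent)
    report = {
        "delegation_ns": sorted(delegation),
        "delegation_ttl": max_ns_ttl(parent),
        "mismatches": {},   # server -> its apex NS set, when it differs
        "serials": {},      # server -> SOA serial (None if no SOA given)
        "unqueried": sorted(delegation - set(child_answers)),
    }
    ttls = [report["delegation_ttl"]]
    for server, text in child_answers.items():
        rrs = parse_answer(text)
        ttls.append(max_ns_ttl(rrs))
        apex = ns_set(rrs)
        if apex != delegation:
            report["mismatches"][server] = sorted(apex)
        report["serials"][server] = soa_serial(rrs)
    # The NS RRset TTL (parent copy and apex copy) is what keeps the old
    # servers in resolver caches; the thread's rule of thumb is to wait
    # 1.5x the old TTL after lowering it before cutting over.
    report["max_ns_ttl"] = max(ttls)
    report["wait_seconds"] = int(1.5 * report["max_ns_ttl"])
    report["serial_in_sync"] = len(set(report["serials"].values())) <= 1
    report["consistent"] = (not report["mismatches"] and not report["unqueried"]
                            and report["serial_in_sync"])
    return report


# Constructed sample answers for the thread's scenario (not captured from
# real servers): the ISP's zone already lists all four NS names, the .com
# delegation still lists only the ISP's two, and mynewns2 has not yet
# transferred the latest version of the zone.
PARENT_ANSWER = """
example.com.  172800  IN  NS  ns1.example.com.
example.com.  172800  IN  NS  ns2.example.com.
"""
NEW_NSSET = """
example.com.  3600  IN  NS  ns1.example.com.
example.com.  3600  IN  NS  ns2.example.com.
example.com.  3600  IN  NS  mynewns1.example.com.
example.com.  3600  IN  NS  mynewns2.example.com.
"""


def soa_line(serial):
    return (f"example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
            f"{serial} 7200 900 1209600 3600\n")


CHILD_ANSWERS = {
    "ns1.example.com.": NEW_NSSET + soa_line(2013031402),
    "ns2.example.com.": NEW_NSSET + soa_line(2013031402),
    "mynewns1.example.com.": NEW_NSSET + soa_line(2013031402),
    "mynewns2.example.com.": NEW_NSSET + soa_line(2013031401),
}

if __name__ == "__main__":
    for key, value in check_delegation(PARENT_ANSWER, CHILD_ANSWERS).items():
        print(f"{key}: {value}")
```

To run it against real servers, replace the constants with the output of `dig +noall +answer +norecurse NS example.com` asked of a server for the parent zone and of each of the four servers in turn (`+norecurse` stops a recursive ISP server from answering out of its cache). In the constructed state the report flags every server as differing from the delegation, which is expected until the registrar has added mynewns1 and mynewns2, and flags mynewns2's older serial, which is not: a slave that has not caught up with the master must be fixed before the ISP's servers are removed.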

RE: How to minimize the downtime in my case

2013-03-14 Thread Shawn Bakhtiar

Given that you will eventually stop using ns1 and ns2, you should probably 
set up mynewns1 as the master with mynewns2 as a slave of mynewns1.


Date: Fri, 15 Mar 2013 01:05:50 +0530
Subject: Re: How to minimize the downtime in my case
From: manish...@gmail.com
To: lath...@gmail.com
CC: bind-users@lists.isc.org

Will my new config look like this? Will it be a slave for my new servers?

ns1.example.com        1.2.3.4      --> Master
ns2.example.com        5.6.7.8      --> Slave
mynewns1.example.com   20.20.20.20  --> Slave
mynewns2.example.com   30.30.30.30  --> Slave


On Fri, Mar 15, 2013 at 12:44 AM, Manish Rane  wrote:

Hmm... you are talking about the SOA TTL value?


On Fri, Mar 15, 2013 at 12:40 AM, Andrew Latham  wrote:

Manish

That is a perfectly good plan.  One note is to study your TTL.  If
your ISP has set a longer TTL on your NS records then you would need
to first ask for a shorter TTL and wait until the time has passed.

Example: if the TTL is set to one week, ask for a change to a shorter period
and then wait for 1.5 (or more) times the old TTL to pass before you
begin your process.


On Thu, Mar 14, 2013 at 3:04 PM, Manish Rane  wrote:

> Hey Folks,
>
> I right now have NS servers hosted with my ISP and I am planning to set up my
> own BIND servers. Now, as I understand it, I need to ask my
> registrar to populate the entries for my new NS servers, which would take 4-6
> hours to propagate over the internet.
>
> To reduce the downtime, can I not add those two new NS servers along with my
> old DNS servers, with the exact same zone? Once all the NS entries populate over the
> internet I can have my ISP's DNS removed and have one of my DNS servers as
> master?
>
>
> Current Scenario
>
> ns1.example.com        1.2.3.4
> ns2.example.com        5.6.7.8
>
>
> I am thinking of the below scenario
>
> ns1.example.com        1.2.3.4
> ns2.example.com        5.6.7.8
> mynewns1.example.com   20.20.20.20
> mynewns2.example.com   30.30.30.30
>
> Then after a few days
>
> mynewns1.example.com   20.20.20.20
> mynewns2.example.com   30.30.30.30
>
> Which eventually should have all the records.
>
> Please advise!!


--
~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~







Announcements for latest beta releases delayed by accident.

2013-03-14 Thread Michael McNally

With apologies to readers of this list: the announcement e-mails
for BIND 9.6-ESV-R9b2, 9.8.5b2, and 9.9.3b2 were sent to the
bind-announce list earlier this week but a typo in my shell script
incorrectly prevented the bind-users and bind-workers lists from
receiving the announcement at that time.

The bind-announce list *is* the place to go for official announcements
about BIND releases but since we have traditionally announced them
in bind-users and bind-workers as well, I know some of you do not
subscribe to the announce list.  So for those who are just receiving
this news -- new betas are available, have at them!

Again, apologies for the oversight,

Michael McNally
ISC Support


BIND 9.9.3b2 is now available

2013-03-14 Thread Michael McNally
Introduction

   BIND 9.9.3b2 is the second beta release of BIND 9.9.3.

   This document summarizes changes from BIND 9.9.2 to BIND 9.9.3b2.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of specific queries that are received.  (CVE-2012-5688)
   [RT #30792 / #30996]

   Prevents a named assert (crash) when using RPZ to generate A
   records (but not AAAA records) and DNS64 to generate AAAA records
   from A records. (CVE-2012-5689)  [RT #32141]

New Features

   Add support for the RFC 6742 ILNP record types (NID, LP, L32,
   and L64). [RT #31836]

Feature Changes

   Updates the built-in root hints for D.ROOT-SERVERS.NET whose
   IPv4 address changed to 199.7.91.13 (as of 3rd January 2013).
   Note that recursive servers running with an older set of root
   hints will still operate successfully because there are 12 other
   root servers whose addresses are correct and who will respond
   during root priming with the new root nameserver RRset.  [RT #32164]

   Adds RFC 6598 reverse zones to the built-in empty zones list:
   64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]

   Makes available a new XML schema (version 3.0) for the statistics
   channel that adds query type statistics at the zone level,
   flattens the XML tree and uses compressed format to optimize
   parsing. It also includes new XSL that permits charting via the
   Google Charts API on browsers that support javascript in XSL.
   To enable, build BIND with "configure --enable-newstats". [RT #30023]

   "named -V" can now report a source ID string.  (This will be
   of most interest to developers and troubleshooters).  The source
   ID for ISC's production versions of BIND is defined in the "srcid"
   file in the build tree and is normally set to the most recent
   git hash. [RT #31494]

   Response Policy Zone performance enhancements.  New "response-policy"
   option "min-ns-dots".  "nsip" and "nsdname" now enabled by default
   with RPZ. [RT #32251]

   Now includes, in the community contribution section, a
   dynamically-loadable DLZ module: BDBHPT, contributed by Mark
   Goldfinch. [RT #32549]

Bug Fixes

   Allow max-cache-size and max-acache-size to accept values greater
   than 4 gigabytes when built with 64-bit integers.  "unlimited"
   still means 4 gigabytes - 1 and "0" still allows truly unlimited
   cache sizes. [RT #32358]

   Removed lock contention issues that slowed zone loading times
   for 9.9.x compared with 9.8.x.  Zone loading times are now faster
   than they were with 9.8.x. [RT #30399]

   The zone-statistics option now takes three options: "full",
   "terse", and "none".  "yes" is now a synonym for "full".  "no"
   is now a synonym for "terse", which is how it behaved in previous
   versions. [RT #29165]

   The default value for the number of UDP dispatchers is now either
   the number of CPUs or the number of worker threads, whichever
   is lower.  The previous default was the number of worker threads.
   [RT #30964]

   Fixed a crash bug with the loading of incomplete configurations
   including a slave zone with inline-signing and without a file
   name. [RT #31946]

   Corrected dnssec-signzone and dnssec-verify behavior with opt-out
   delegations and NSEC3. [RT #32072]

   Fixed rendering issues for some statistics with the XML stats
   channel. [RT #32587]

   Prevent a crash-on-shutdown race condition. [RT #32777]

   Fixed glitch in displaying query data when configured with
   --enable-newstats and no queries have yet been received. [RT
   #32620]

   Fixed bug where expired slave zones could fail to rewrite the
   zone data file after the master is again available. [RT #31276]

   Fixed a potential crash when adding and deleting keys with rndc.
   [RT #32506]

   Fixed a possible crash with Diffie-Hellman generated TSIG keys.
   [RT #32649]

   Now supports NAPTR regular expression validation on all platforms.
   [RT #32688]

   Increased maximum allowed key size for some algorithms in
   ddns-confgen and rndc-confgen. [RT #32753]

   nsupdate could exit with an assertion when the local and remote
   address families didn't match. [RT #22897]

   Fixes some potential memory leaks with gssapi usage. [RT #32405]

   Fixes a coup

BIND 9.8.5b2 is now available

2013-03-14 Thread Michael McNally
Introduction

   BIND 9.8.5b2 is the second beta release of BIND 9.8.5

   This document summarizes changes from BIND 9.8.4 to BIND 9.8.5b2.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of specific queries that are received.  (CVE-2012-5688)
   [RT #30792 / #30996]

   Prevents a named assert (crash) when using RPZ to generate A
   records (but not AAAA records) and DNS64 to generate AAAA records
   from A records. (CVE-2012-5689)  [RT #32141]

New Features

   Add support for the RFC 6742 ILNP record types (NID, LP, L32,
   and L64). [RT #31836]

Feature Changes

   Updates the built-in root hints for D.ROOT-SERVERS.NET whose
   IPv4 address changed to 199.7.91.13 (as of 3rd January 2013).
   Note that recursive servers running with an older set of root
   hints will still operate successfully because there are 12 other
   root servers whose addresses are correct and who will respond
   during root priming with the new root nameserver RRset.  [RT #32164]

   Adds RFC 6598 reverse zones to the built-in empty zones list:
   64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]

   "named -V" can now report a source ID string.  (This will be
   of most interest to developers and troubleshooters).  The source
   ID for ISC's production versions of BIND is defined in the "srcid"
   file in the build tree and is normally set to the most recent
   git hash. [RT #31494]

   Response Policy Zone performance enhancements.  New "response-policy"
   option "min-ns-dots".  "nsip" and "nsdname" now enabled by default
   with RPZ. [RT #32251]

Bug Fixes

   Fixed bug where expired slave zones could fail to rewrite the
   zone data file after the master is again available. [RT #31276]

   Fixed a potential crash when adding and deleting keys with rndc.
   [RT #32506]

   Prevent a crash-on-shutdown race condition. [RT #32777]

   Fixed a possible crash with Diffie-Hellman generated TSIG keys.
   [RT #32649]

   Now supports NAPTR regular expression validation on all platforms.
   [RT #32688]

   Increased maximum allowed key size for some algorithms in
   ddns-confgen and rndc-confgen. [RT #32753]

   nsupdate could exit with an assertion when the local and remote
   address families didn't match. [RT #22897]

   Fixes some potential memory leaks with gssapi usage. [RT #32405]

   Fixes a couple of linked-list pointer initialization bugs. [RT
   #32651]

   dnssec-keygen and dnssec-settime disallow setting the delete
   date to be sooner than the inactive date. [RT #31719]

   Update HSM PKCS#11 patches to openssl to add support for openssl
   versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]

   ddns-confgen now accepts all the TSIG algorithms that it is
   documented as supporting when generating keys. [RT #31927]

   Missing 'managed-keys-directory' is now handled better.  Prior
   to this change, when misconfigured, named could loop and consume
   100% CPU.  [RT #30625]

   Handle cases where a port is reserved and cannot be used as the
   source for a query. [RT #31778]

   Correct a case where a negative response could incorrectly be
   flagged as being DNSSEC authenticated when it was not actually
   authenticated. [RT #32237]

   Fix missing includes in testing support library that caused it
   to fail to build on some platforms. [RT #32012]

   Return correct error code (FORMERR) when presented with malformed
   requests containing overly long domain names. [RT #29682]

   Instead of rejecting and logging a FORMERR, named now accepts
   duplicate singleton records in a DNS query response.  (In some
   situations, query responses may contain duplicates - and whilst
   this is not technically correct, BIND has been updated to be
   more tolerant).  [RT #32329]

   When named allocates an initial per-thread stack size, it first
   checks the operating system's default value, and if specified,
   uses that.  In the situation where it appears that none is
   provided, it uses an internal default.  This default has been
   increased from 64K to 1M to accommodate operating systems that
   require a larger initial stack.  [RT #32230]

   The allow-query-on ACL is now processed correctly in all situations.
   [RT #29486]

   The configure script now

BIND 9.6-ESV-R9b2 is now available

2013-03-14 Thread Michael McNally
Introduction

   BIND 9.6-ESV-R9b2 is the second beta release of BIND 9.6-ESV-R9.

   BIND 9.6-ESV is an Extended Support Version of BIND.

   This document summarizes changes from BIND 9.6-ESV-R8 to BIND
   9.6-ESV-R9b2.  Please see the CHANGES file in the source code
   release for a complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025]

   A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

   Add support for the RFC 6742 ILNP record types (NID, LP, L32,
   and L64). [RT #31836]

Feature Changes

   Updates the built-in root hints for D.ROOT-SERVERS.NET whose
   IPv4 address changed to 199.7.91.13 (as of 3rd January 2013).
   Note that recursive servers running with an older set of root
   hints will still operate successfully because there are 12 other
   root servers whose addresses are correct and who will respond
   during root priming with the new root nameserver RRset.  [RT #32164]

   Adds RFC 6598 reverse zones to the built-in empty zones list:
   64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]

Bug Fixes

   nsupdate could exit with an assertion when the local and remote
   address families didn't match. [RT #22897]

   Fixes some potential memory leaks with gssapi usage. [RT #32405]

   Prevent a crash-on-shutdown race condition. [RT #32777]

   Fixes a couple of linked-list pointer initialization bugs. [RT
   #32651]

   Handle cases where a port is reserved and cannot be used as the
   source for a query. [RT #31778]

   Correct a case where a negative response could incorrectly be
   flagged as being DNSSEC authenticated when it was not actually
   authenticated. [RT #32237]

   Fix missing includes in testing support library that caused it
   to fail to build on some platforms. [RT #32012]

   Return correct error code (FORMERR) when presented with malformed
   requests containing overly long domain names. [RT #29682]

   Instead of rejecting and logging a FORMERR, named now accepts
   duplicate singleton records in a DNS query response.  (In some
   situations, query responses may contain duplicates - and whilst
   this is not technically correct, BIND has been updated to be
   more tolerant).  [RT #32329]

   When named allocates an initial per-thread stack size, it first
   checks the operating system's default value, and if specified,
   uses that.  In the situation where it appears that none is
   provided, it uses an internal default.  This default has been
   increased from 64K to 1M to accommodate operating systems that
   require a larger initial stack.  [RT #32230]

   The allow-query-on ACL is now processed correctly in all situations.
   [RT #29486]

   The configure script now supports and detects libxml2-2.9.x
   correctly. [RT #32231]

   When loading a zone file, named now emits a warning if it
   encounters a non-blank owner name following $ORIGIN.  The reason
   for this is that when parsing a zone file, the blank owner name
   indicates that the current name (i.e. the name from the previous
   record that named loaded) should be used, even though $ORIGIN
   has changed.  Particularly when handling subdomains, this can
   result in those records being unexpectedly loaded with different
   labels than intended.   [RT #31848]

   Resolves a problem that when answering queries for nonexistent
   names via wildcard CNAME records, DNSSEC responses could fail
   to include the NSEC/NSEC3 records proving the lack of a better
   answer.  [RT #21409]

   Prevents a named abort  (assertion fail) during recovery from
   an out of memory condition.  This crash would be encountered in
   module general: dst_api.c and logged as REQUIRE((&key->refs)->refs
   == 0).  [RT #32131]

   A new configure option --with-ecdsa has been added to force
   building with ECDSA, bypassing the script-based checks that this
   functionality is available in the build environment. The converse,
   --without-ecdsa, explicitly disables ECDSA support during the
   BIND build.  Both of these options have been added to assist
   cross-compilation to environments that do (or don't) support
   ECDSA, overriding the default build behaviour.   [RT #32078]


Re: How to minimize the downtime in my case

2013-03-14 Thread Manish Rane
Will my new config look like this? Will it be a slave for my new
servers?

ns1.example.com        1.2.3.4      --> Master
ns2.example.com        5.6.7.8      --> Slave
mynewns1.example.com   20.20.20.20  --> Slave
mynewns2.example.com   30.30.30.30  --> Slave



On Fri, Mar 15, 2013 at 12:44 AM, Manish Rane  wrote:

> Hmm... you are talking about the SOA TTL value?
>
>
>
>
> On Fri, Mar 15, 2013 at 12:40 AM, Andrew Latham  wrote:
>
>> Manish
>>
>> That is a perfectly good plan.  One note is to study your TTL.  If
>> your ISP has set a longer TTL on your NS records then you would need
>> to first ask for a shorter TTL and wait until the time has passed.
>>
>> Example: if the TTL is set to one week, ask for a change to a shorter period
>> and then wait for 1.5 (or more) times the old TTL to pass before you
>> begin your process.
>>
>>
>>
>> On Thu, Mar 14, 2013 at 3:04 PM, Manish Rane  wrote:
>> > Hey Folks,
>> >
>> > I right now have NS servers hosted with my ISP and I am planning to set up
>> > my own BIND servers. Now, as I understand it, I need to ask my
>> > registrar to populate the entries for my new NS servers, which would take 4-6
>> > hours to propagate over the internet.
>> >
>> > To reduce the downtime, can I not add those two new NS servers along
>> > with my old DNS servers, with the exact same zone? Once all the NS entries
>> > populate over the internet I can have my ISP's DNS removed and have one
>> > of my DNS servers as master?
>> >
>> >
>> > Current Scenario
>> >
>> > ns1.example.com        1.2.3.4
>> > ns2.example.com        5.6.7.8
>> >
>> >
>> > I am thinking of the below scenario
>> >
>> > ns1.example.com        1.2.3.4
>> > ns2.example.com        5.6.7.8
>> > mynewns1.example.com   20.20.20.20
>> > mynewns2.example.com   30.30.30.30
>> >
>> > Then after a few days
>> >
>> > mynewns1.example.com   20.20.20.20
>> > mynewns2.example.com   30.30.30.30
>> >
>> > Which eventually should have all the records.
>> >
>> > Please advise!!
>> >
>> >
>> >
>>
>>
>>
>> --
>> ~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~
>>
>
>

Re: Blocking private addresses with a optionq

2013-03-14 Thread Vernon Schryver
> From: "Lawrence K. Chen, P.Eng." 

> ... So, being able to filter out these 'bad' things when responding
> queries against that data might be a good thing.

RPZ might be used for such things.  However, by design RPZ rewrites
entire responses.  It is triggered by individual records in a response,
but changes the entire response and not just individual records within
the response.

To use RPZ for such filtering, you would probably use views with
a response-policy{} statement in the external view to be filtered.

The RPZ rules could be triggered by rpz-ip records for 10.0.0.0/8 or
similar.  The rules might rewrite responses to a CNAME or to sets of
A and AAAA records suitable for outsiders.  That sounds a lot more
fragile and error prone than distinct zones for insiders and outsiders
specified in the view statements.  However, RPZ might be good as a
failsafe against leaks (perhaps rewriting to NXDOMAIN).


Vernon Schryver    v...@rhyolite.com
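
An added example for the failsafe Vernon sketches above (this is not code from the thread or from ISC). It builds the owner names BIND's RPZ uses for rpz-ip triggers (the prefix length, then the address octets reversed as in in-addr.arpa, under the rpz-ip label), renders a policy zone whose action for each is "CNAME ." (the NXDOMAIN rewrite), and reports which trigger, if any, a given address would hit, so you can test the trigger set against addresses before loading it. The zone name rpz.example, the choice of the three RFC 1918 prefixes as triggers, the serial and the "localhost." SOA/NS placeholders are assumptions of the example; IPv6 rpz-ip names use a different encoding and are not handled here.

```python
"""rpz-ip triggers for an RPZ leak failsafe (IPv4 only)."""
import ipaddress

# Trigger set assumed for the example: RFC 1918 space, the "private
# addresses" the thread is about.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def rpz_ip_name(prefix):
    """10.0.0.0/8 -> '8.0.0.0.10.rpz-ip' (prefix length, reversed octets)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only in this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def rpz_zone(origin, prefixes, serial, action="CNAME ."):
    """Render a minimal policy zone; the 'CNAME .' action means NXDOMAIN."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@  IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@  IN NS  localhost.",
    ]
    for prefix in prefixes:
        lines.append(f"{rpz_ip_name(prefix)}  {action}")
    return "\n".join(lines) + "\n"


def matching_trigger(address, prefixes):
    """Most specific prefix whose rpz-ip trigger covers address, else None.

    The longest matching prefix wins, mirroring the precedence RPZ gives
    among rpz-ip triggers.
    """
    addr = ipaddress.ip_address(address)
    hits = [ipaddress.ip_network(p) for p in prefixes
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    return str(max(hits, key=lambda n: n.prefixlen))


def leaked_addresses(answer_rdata, prefixes=RFC1918):
    """Map each A-record address in a response that would fire a trigger
    to the prefix that fires; addresses outside the set are dropped."""
    result = {}
    for a in answer_rdata:
        hit = matching_trigger(a, prefixes)
        if hit is not None:
            result[a] = hit
    return result


if __name__ == "__main__":
    print(rpz_zone("rpz.example", RFC1918, 2013031401))
    # Constructed response addresses: one public, two private.
    print(leaked_addresses(["198.51.100.7", "10.20.30.40", "172.31.0.5"]))
```

Load the rendered file as a master zone in the external view and reference it there with response-policy { zone "rpz.example"; };, as Vernon describes. Because RPZ rewrites the whole response, the NXDOMAIN action hides the entire name, not just the private A record, which is why it fits a failsafe behind separate internal and external zones rather than a substitute for them.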


Re: How to minimize the downtime in my case

2013-03-14 Thread Manish Rane
Also, when my ISP DNS servers are live, do I need to add mine as slaves?
Both?



On Fri, Mar 15, 2013 at 12:44 AM, Manish Rane  wrote:

> Hmm... you are talking about the SOA TTL value?
>
>
>
>
> On Fri, Mar 15, 2013 at 12:40 AM, Andrew Latham  wrote:
>
>> Manish
>>
>> That is a perfectly good plan.  One note is to study your TTL.  If
>> your ISP has set a longer TTL on your NS records then you would need
>> to first ask for a shorter TTL and wait until the time has passed.
>>
>> Example: if the TTL is set to one week, ask for a change to a shorter period
>> and then wait for 1.5 (or more) times the old TTL to pass before you
>> begin your process.
>>
>>
>>
>> On Thu, Mar 14, 2013 at 3:04 PM, Manish Rane  wrote:
>> > Hey Folks,
>> >
>> > I right now have NS servers hosted with my ISP and I am planning to set up
>> > my own BIND servers. Now, as I understand it, I need to ask my
>> > registrar to populate the entries for my new NS servers, which would take 4-6
>> > hours to propagate over the internet.
>> >
>> > To reduce the downtime, can I not add those two new NS servers along
>> > with my old DNS servers, with the exact same zone? Once all the NS entries
>> > populate over the internet I can have my ISP's DNS removed and have one
>> > of my DNS servers as master?
>> >
>> >
>> > Current Scenario
>> >
>> > ns1.example.com        1.2.3.4
>> > ns2.example.com        5.6.7.8
>> >
>> >
>> > I am thinking of the below scenario
>> >
>> > ns1.example.com        1.2.3.4
>> > ns2.example.com        5.6.7.8
>> > mynewns1.example.com   20.20.20.20
>> > mynewns2.example.com   30.30.30.30
>> >
>> > Then after a few days
>> >
>> > mynewns1.example.com   20.20.20.20
>> > mynewns2.example.com   30.30.30.30
>> >
>> > Which eventually should have all the records.
>> >
>> > Please advise!!
>> >
>> >
>> >
>>
>>
>>
>> --
>> ~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~
>>
>
>

Re: How to minimize the downtime in my case

2013-03-14 Thread Manish Rane
Hmm... you are talking about the SOA TTL value?



On Fri, Mar 15, 2013 at 12:40 AM, Andrew Latham  wrote:

> Manish
>
> That is a perfectly good plan.  One note is to study your TTL.  If
> your ISP has set a longer TTL on your NS records then you would need
> to first ask for a shorter TTL and wait until the time has passed.
>
> Example: if the TTL is set to one week, ask for a change to a shorter period
> and then wait for 1.5 (or more) times the old TTL to pass before you
> begin your process.
>
>
>
> On Thu, Mar 14, 2013 at 3:04 PM, Manish Rane  wrote:
> > Hey Folks,
> >
> > I right now have NS servers hosted with my ISP and I am planning to set up my
> > own BIND servers. Now, as I understand it, I need to ask my
> > registrar to populate the entries for my new NS servers, which would take 4-6
> > hours to propagate over the internet.
> >
> > To reduce the downtime, can I not add those two new NS servers along with my
> > old DNS servers, with the exact same zone? Once all the NS entries populate over the
> > internet I can have my ISP's DNS removed and have one of my DNS servers as
> > master?
> >
> >
> > Current Scenario
> >
> > ns1.example.com        1.2.3.4
> > ns2.example.com        5.6.7.8
> >
> >
> > I am thinking of the below scenario
> >
> > ns1.example.com        1.2.3.4
> > ns2.example.com        5.6.7.8
> > mynewns1.example.com   20.20.20.20
> > mynewns2.example.com   30.30.30.30
> >
> > Then after a few days
> >
> > mynewns1.example.com   20.20.20.20
> > mynewns2.example.com   30.30.30.30
> >
> > Which eventually should have all the records.
> >
> > Please advise!!
> >
> >
> >
>
>
>
> --
> ~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~
>

Re: Blocking private addresses with a optionq

2013-03-14 Thread Lawrence K. Chen, P.Eng.


- Original Message -
> On Mar 14, 2013, at 3:29 AM, Tony Finch wrote:
> 
> > King, Harold Clyde (Hal)  wrote:
> > 
> >> Is there an option for bind like the allow-recursion { }
> >> for blocking outgoing records of 10.0.0.0/8 and 192.168.0.0/16 so
> >> I could do a view like:
> > 
> > I'm not sure what you mean by "blocking out going records" but there are a
> > couple of options that might do what you want:
> > 
> > There is the "blackhole" acl which makes named ignore all requests and
> > never send queries to a particular address range.
> > 
> > There is the server ... { bogus yes; }; clause which stops named from
> > sending queries to a particular address range.
> 
> No, I'm pretty sure the OP wants to strip records from responses if
> the records are A records referring to private address space (RFC
> 1918).
> 
> I've no idea how you would do this.
> 

This actually sounds like something I might want to do.

We do have RFC1918 addresses in use.  And I've heard of people abusing IPv6 
since it's currently blocked at the border.  Plus people publishing DNS64 
addresses for their hosts.

I run the authoritative servers here and do split horizon, so I try to 
keep the RFC1918 addresses out of the external view, either by refusing the 
add/change request or, for certain groups, with selective $INCLUDE and other 
trickery.  Though someday I should audit the existing zone data.

And we shouldn't be leaking those IPs anymore. :)

But there are groups on campus that run their own master server for their 3rd 
level domains (i.e. the college of engineering has most of the engineering related 
3rd level domains).  So my authoritative servers are only slaves, and possibly 
the only ones that can be reached from the outside.  So being able to filter 
out these 'bad' things when responding to queries against that data might be a 
good thing.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library

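The "audit the existing zone data" step mentioned above can be scripted. The following is an added example, not code from the thread or from BIND: it scans master-file text for A/AAAA records whose rdata falls in RFC 1918, shared, loopback, link-local or IPv6 unique-local space, honours $ORIGIN and blank-owner records, and flags $INCLUDE/$GENERATE lines for manual review because their data is not in the file. The sample zone and the list of ranges are constructed assumptions; the file name in the $INCLUDE line is a placeholder.

```python
import ipaddress
import re

# Added example, not code from the thread.  Ranges that should not appear in
# an Internet-facing zone; the list is an assumption, extend it to taste.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# One master-file RR line: owner [ttl] [class] type rdata, in either TTL/class
# order.  A blank owner means "same owner as the previous record".
_RR = re.compile(
    r"^(?P<owner>\S*)\s+(?:(?:\d+[smhdw]?|IN)\s+){0,2}(?P<type>A|AAAA)\s+(?P<rdata>\S+)",
    re.IGNORECASE,
)

# Constructed sample zone (not real data) with a few deliberate leaks.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
$TTL 3600
@        IN SOA  ns1.example.edu. hostmaster.example.edu. (
             2013031401 ; serial
             7200 3600 1209600 3600 )
         IN NS   ns1.example.edu.
ns1      IN A    203.0.113.10
www      IN A    203.0.113.20
         IN AAAA 2001:db8::20
intranet IN A    10.20.30.40        ; should be in the internal view only
printer  IN A    192.168.5.9
build    IN AAAA fd12:3456:789a::1  ; ULA leaks too
$ORIGIN eng.example.edu.
lab      IN A    172.31.0.7
mail     IN A    203.0.113.25
$INCLUDE /etc/bind/eng-hosts.db
"""


def qualify(owner, origin):
    """Make a relative owner name fully qualified against the current $ORIGIN."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"


def is_private(address):
    """True if the literal address falls inside any of PRIVATE_NETS."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in PRIVATE_NETS)


def audit_zone(text, origin):
    """Return (lineno, owner, rrtype, rdata) for each A/AAAA record whose
    address is in PRIVATE_NETS.  $ORIGIN is tracked; $INCLUDE and $GENERATE
    lines are reported with rrtype 'REVIEW' because their data is not here."""
    findings = []
    last_owner = origin
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith(("$INCLUDE", "$GENERATE")):
            findings.append((lineno, line.split()[0], "REVIEW", line.strip()))
            continue
        m = _RR.match(line)
        if not m:
            continue
        if m.group("owner"):
            last_owner = qualify(m.group("owner"), origin)
        try:
            if is_private(m.group("rdata")):
                findings.append((lineno, last_owner, m.group("type").upper(), m.group("rdata")))
        except ValueError:
            pass                                   # rdata is not a literal address
    return findings


if __name__ == "__main__":
    for lineno, owner, rrtype, rdata in audit_zone(SAMPLE_ZONE, "example.edu."):
        print(f"line {lineno:3}: {owner:28} {rrtype:6} {rdata}")
```

Run it against the output of `named-compilezone -o - zone file` rather than the raw master file if the zone uses $GENERATE or unusual layout; the compiled form is one canonical record per line, so the regex never has to guess.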

Re: How to minimize the downtime in my case

2013-03-14 Thread Andrew Latham
Manish

That is a perfectly good plan.  One note is to study your TTL.  If
your ISP has set a longer TTL on your NS records then you would need
to first ask for a shorter TTL and wait until the time has passed.

Example: if TTL is set to one week, ask for change to shorter period
and then wait for 1.5(or more) times the old TTL to pass before you
begin your process.



On Thu, Mar 14, 2013 at 3:04 PM, Manish Rane  wrote:
> Hey Folks,
>
> I currently have my NS servers hosted with my ISP and I am planning to set up my
> own BIND servers. As I understand it, I need to ask my registrar to add the
> entries for my new NS servers, which would take 4-6 hours to propagate over the
> internet.
>
> To reduce the downtime, can I not add those two new NS servers along with my
> old DNS servers, with the exact same zone? Once all the NS entries have propagated
> over the internet I can have my ISP's DNS removed and have one of my DNS servers
> as master?
>
>
> Current Scenario
> 
>
> ns1.example.com    1.2.3.4
> ns2.example.com    5.6.7.8
>
>
> I am thinking of the below scenario
>
> ns1.example.com    1.2.3.4
> ns2.example.com    5.6.7.8
> mynewns1.example.com   20.20.20.20
> mynewns2.example.com   30.30.30.30
>
> Then after few days
>
> mynewns1.example.com   20.20.20.20
> mynewns2.example.com   30.30.30.30
>
> Which eventually should have all the records.
>
> Please advise!!
>
>
>



-- 
~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~


Re: How to minimize the downtime in my case

2013-03-14 Thread Chuck Swiger
Hi--

On Mar 14, 2013, at 12:04 PM, Manish Rane wrote:
> I currently have my NS servers hosted with my ISP and I am planning to set up my own 
> BIND servers. As I understand it, I need to ask my registrar to add the entries 
> for my new NS servers, which would take 4-6 hours to propagate over the internet.
> 
> To reduce the downtime, can I not add those two new NS servers along with my 
> old DNS servers, with the exact same zone? Once all the NS entries have propagated 
> over the internet I can have my ISP's DNS removed and have one of my DNS servers 
> as master?

You can.

> Once all the NS entries have propagated over the internet I can have my ISP's DNS 
> removed and have one of my DNS servers as master?

Sure.  Validate that your new servers work before turning off the old ones for 
the zone with your registrar, but otherwise, you should be fine.

Regards,
-- 
-Chuck



How to minimize the downtime in my case

2013-03-14 Thread Manish Rane
Hey Folks,

I currently have my NS servers hosted with my ISP and I am planning to set up my
own BIND servers. As I understand it, I need to ask my registrar to add the
entries for my new NS servers, which would take 4-6 hours to propagate over the
internet.

To reduce the downtime, can I not add those two new NS servers along with
my old DNS servers, with the exact same zone? Once all the NS entries have
propagated over the internet I can have my ISP's DNS removed and have one of
my DNS servers as master?


Current Scenario


ns1.example.com    1.2.3.4
ns2.example.com    5.6.7.8


I am thinking of the below scenario

ns1.example.com    1.2.3.4
ns2.example.com    5.6.7.8
mynewns1.example.com   20.20.20.20
mynewns2.example.com   30.30.30.30

Then after few days

mynewns1.example.com   20.20.20.20
mynewns2.example.com   30.30.30.30

Which eventually should have all the records.

Please advise!!

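The two-phase plan in the post above maps onto named.conf as follows. This is an added example, not configuration from the thread or from the ISP: it assumes the ISP's master is ns1 at 1.2.3.4, that the new servers are mynewns1 (20.20.20.20) and mynewns2 (30.30.30.30), and it uses a TSIG key named "xfer-key" with a placeholder secret that must be replaced by one generated with tsig-keygen (or dnssec-keygen -a HMAC-SHA256 on older releases). File paths are illustrative.

```conf
// Added example, not from the thread.  named.conf fragments for the two
// phases of the migration.  Key name, secret and paths are placeholders.

// --- Phase 1, on both mynewns1 and mynewns2: slave the zone from the ISP so
//     all four NS names serve identical data while the delegation changes.
//     The ISP must also add the two new NS records to the zone itself, bump
//     the SOA serial, and permit transfers/NOTIFY to 20.20.20.20 and
//     30.30.30.30.
zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 1.2.3.4; };
    allow-transfer { none; };          // nobody pulls from us yet
    allow-query { any; };
};

// --- Phase 2, on mynewns1, once ns1/ns2 are out of the delegation and the
//     old NS TTL has expired: promote to master.  Only mynewns2 may transfer
//     the zone, and only with the key; dynamic updates stay off.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};
server 30.30.30.30 { keys { "xfer-key"; }; };
zone "example.com" {
    type master;
    file "master/example.com.db";          // copied from the phase 1 slave file
    also-notify { 30.30.30.30; };
    allow-transfer { key "xfer-key"; };
    allow-update { none; };
};

// --- Phase 2, on mynewns2: slave from mynewns1 using the same key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // same placeholder as above
};
server 20.20.20.20 { keys { "xfer-key"; }; };
zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 20.20.20.20 key "xfer-key"; };
    allow-transfer { none; };
};
```

Before each registrar change, confirm that `dig @<server> example.com SOA +norecurse` returns the same serial from every server in the NS set, and that `dig example.com NS` asked of one of the parent (TLD) servers shows the delegation you expect; the NS RRset inside the zone should match the delegation at each phase, with the ISP's names removed from the zone only when they leave the registrar's record.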
Re: Blocking private addresses with a optionq

2013-03-14 Thread Kevin Darcy

On 3/14/2013 6:29 AM, Tony Finch wrote:
> King, Harold Clyde (Hal)  wrote:
>
>> Is there an option for bind like the allow-recursion {  }
>> For blocking out going records of 10.0.0.0/8 and 192.168.0.0/16 so I could do a 
>> view like:
>
> I'm not sure what you mean by "blocking out going records" but there are a
> couple of options that might do what you want:
>
> There is the "blackhole" acl which makes named ignore all requests and
> never send queries to a particular address range.
>
> There is the server ... { bogus yes; }; clause which stops named from
> sending queries to a particular address range.

I think he wants to strip addresses (A and/or AAAA) of certain ranges 
from his outgoing responses. Circa BIND 9.7-ish, there used to be a 
focused way to do this (deny-answer-addresses?), but I think the more 
"modern" way to accomplish the same thing is with RPZ.


- Kevin


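Both mechanisms named in the reply above are shown below in an added example that is not configuration from the thread or from ISC; the policy-zone name rpz.example.edu, the except-from domain and the file path are assumptions. The practitioner's caveat is in the comments: deny-answer-addresses and RPZ act on answers named obtains by recursion, so neither trims records out of a zone this server is authoritative for (the slave-zone case raised earlier in the thread), and deny-answer-addresses rejects the whole answer rather than removing individual records.

```conf
// Added example, not from the thread.  BIND 9 named.conf fragments for the
// two mechanisms discussed.  Zone name, except-from domain and path are
// assumptions.  Both act on recursive answers only; data in locally
// authoritative zones is never rewritten by either.
options {
    // deny-answer-addresses (BIND 9.7 and later): an answer whose A/AAAA
    // rdata falls in the list is rejected and the client gets SERVFAIL,
    // unless the owner name is under one of the except-from names.
    deny-answer-addresses {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
        fc00::/7;            // IPv6 unique-local, for the ULA/DNS64 leaks
    } except-from { "example.edu"; };

    // Response Policy Zone carrying the same ranges as response-IP triggers.
    response-policy { zone "rpz.example.edu"; };
};

// The policy zone is served locally and should not be visible to clients.
zone "rpz.example.edu" {
    type master;
    file "/etc/bind/rpz.example.edu.db";
    allow-query { localhost; };
    allow-transfer { none; };
};

// Contents of /etc/bind/rpz.example.edu.db.  A response-IP trigger is
// written <prefix length>.<address octets reversed>.rpz-ip; CNAME . turns
// the whole answer into NXDOMAIN (CNAME *. would give NODATA instead).
//
//   $TTL 300
//   @                     SOA   localhost. hostmaster.example.edu. 1 3600 600 86400 300
//                         NS    localhost.
//   8.0.0.0.10.rpz-ip     CNAME .    ; 10.0.0.0/8
//   12.0.16.172.rpz-ip    CNAME .    ; 172.16.0.0/12
//   16.0.168.192.rpz-ip   CNAME .    ; 192.168.0.0/16
```

For a server that is only authoritative (or a slave of someone else's master), the separate external view with a trimmed copy of the zone, as suggested elsewhere in the thread, remains the working approach; the fragments above belong on the recursive resolvers.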

Re: Blocking private addresses with a optionq

2013-03-14 Thread Niall O'Reilly

On 14 Mar 2013, at 16:22, Chris Buxton wrote:

> Well, yes, if the server in question is authoritative for all the data in 
> question. But if it's just a resolver, that may be more difficult.

Fair comment.

I was (perhaps naïvely) being led by my aversion to open resolvers
to assume that any externally-facing name server must be authoritative.

Things might not be that simple.

/Niall



Re: Blocking private addresses with a optionq

2013-03-14 Thread Chris Buxton

On Mar 14, 2013, at 9:07 AM, Niall O'Reilly wrote:

> 
> On 14 Mar 2013, at 15:57, Chris Buxton wrote:
> 
>> No, I'm pretty sure the OP wants to strip records from responses if the 
>> records are A records referring to private address space (RFC 1918).
>> 
>> I've no idea how you would do this.
> 
>   Other than separate views, with a "trimmed" zone in the external view?

Well, yes, if the server in question is authoritative for all the data in 
question. But if it's just a resolver, that may be more difficult.

Chris Buxton
BlueCat Networks


Re: Blocking private addresses with a optionq

2013-03-14 Thread Niall O'Reilly

On 14 Mar 2013, at 15:57, Chris Buxton wrote:

> No, I'm pretty sure the OP wants to strip records from responses if the 
> records are A records referring to private address space (RFC 1918).
> 
> I've no idea how you would do this.

Other than separate views, with a "trimmed" zone in the external view?

/Niall



Re: Blocking private addresses with a optionq

2013-03-14 Thread Chris Buxton
On Mar 14, 2013, at 3:29 AM, Tony Finch wrote:

> King, Harold Clyde (Hal)  wrote:
> 
>> Is there an option for bind like the allow-recursion {  }
>> For blocking out going records of 10.0.0.0/8 and 192.168.0.0/16 so I could 
>> do a view like:
> 
> I'm not sure what you mean by "blocking out going records" but there are a
> couple of options that might do what you want:
> 
> There is the "blackhole" acl which makes named ignore all requests and
> never send queries to a particular address range.
> 
> There is the server ... { bogus yes; }; clause which stops named from
> sending queries to a particular address range.

No, I'm pretty sure the OP wants to strip records from responses if the records 
are A records referring to private address space (RFC 1918).

I've no idea how you would do this.

Chris Buxton
BlueCat Networks


RFC 5011 trust anchor rollover status

2013-03-14 Thread Tony Finch
In response to ICANN's consultation on DNSSEC root key rollovers
http://www.icann.org/en/news/public-comment/root-zone-consultation-08mar13-en.htm
I was wondering how to check that a rollover is progressing OK. BIND
doesn't provide much help with this (unless I have missed something) so I
thought it might be useful to write a script to summarize the RFC 5011
managed keys status. Run it with the path to your managed-keys.bind file
as an argument.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.



#!/usr/bin/perl
#
# Summarize RFC 5011 managed-keys status: compare the trust anchors in
# named's managed-keys.bind with the DNSKEY RRset currently published
# for each anchored name.  Usage: rfc5011-status managed-keys.bind

use warnings;
use strict;

use POSIX qw(strftime);
my $now = strftime "%Y%m%d%H%M%S", gmtime;

# Turn a YYYYMMDDHHMMSS timestamp into extended ISO 8601 form.
sub ext8601 ($) {
    my $d = shift;
    $d =~ s{(....)(..)(..)(..)(..)(..)}
           {$1-$2-$3.$4:$5:$6};
    return $d;
}

# Parse the rest of a multi-line DNSKEY/KEYDATA record from $h.  The
# current line ($_) ends in "flags protocol algorithm (" and the closing
# ")" line carries dig's "alg = ...; key id = ..." comment.
sub getkey ($$) {
    my $h = shift;
    my $k = shift;
    m{\s+(\d+)\s+(\d+)\s+(\d+)\s+[(]\s*$};
    $k->{flags}     = $1;
    $k->{protocol}  = $2;
    $k->{algorithm} = $3;
    my $data = "(";
    while (<$h>) {
        s{^\s+}{};
        s{\s+$}{};
        last if m{^[)]};
        $data .= $_;
    }
    m{ alg = (\S+); key id = (\d+)};
    $k->{alg}  = $1;
    $k->{id}   = $2;
    $k->{data} = $data;
    return $k;
}

sub fmtkey ($) {
    my $k = shift;
    return sprintf "%16s tag %s", $k->{name}, $k->{id};
}

# An anchor whose "remove" time is the epoch is not scheduled for removal.
sub printstatus ($) {
    my $a = shift;
    if ($a->{removehd} !~ m{^19700101}) {
        printf " untrusted and to be removed at %s\n", ext8601 $a->{removehd};
    } elsif ($a->{addhd} lt $now) {
        printf " trusted\n";
    } else {
        printf " waiting for %s\n", ext8601 $a->{addhd};
    }
}

# Fetch the live DNSKEY RRset for $name with dig.
sub digkeys ($) {
    my $name = shift;
    my $keys = [];
    open my $d, "-|", qw{dig +multiline DNSKEY}, $name
        or die "dig $name: $!\n";
    while (<$d>) {
        next unless m{^([a-z0-9.-]*)\s+\d+\s+IN\s+DNSKEY\s+};
        next unless $name eq $1;
        push @$keys, getkey $d, { name => $name };
    }
    close $d;
    return $keys;
}

# Read the KEYDATA records from managed-keys.bind, grouped by name.
my $anchor = {};
while (<>) {
    next unless m{^([a-z0-9.-]*)\s+KEYDATA\s+(\d+)\s+(\d+)\s+(\d+)\s+};
    my $k = getkey *ARGV, {
        name     => $1,
        refresh  => $2,
        addhd    => $3,
        removehd => $4,
    };
    $k->{name} =~ s{[.]*$}{.};
    push @{$anchor->{$k->{name}}}, $k;
}

for my $name (sort keys %$anchor) {
    my $keys    = digkeys $name;
    my $anchors = $anchor->{$name};
    for my $k (@$keys) {
        # Only SEP (KSK) keys are candidates for trust anchors; skip ZSKs.
        next unless $k->{flags} & 1;
        printf "%s %s KSK", fmtkey $k, $k->{alg};
        # The RFC 5011 REVOKE flag is bit 8 of the flags field, value 128.
        print " revoked" if $k->{flags} & 128;
        my $a;
        for my $t (@$anchors) {
            if ($t->{data}      eq $k->{data} and
                $t->{protocol}  eq $k->{protocol} and
                $t->{algorithm} eq $k->{algorithm}) {
                $t->{matched} = 1;
                $a = $t;
                last;
            }
        }
        if (not defined $a) {
            print " - WARNING NO MATCHING TRUST ANCHOR\n";
            next;
        }
        printstatus $a;
    }
    # Anchors left in the file that match no currently published key.
    for my $a (@$anchors) {
        next if $a->{matched};
        printf "%s %s ???", fmtkey $a, $a->{alg};
        printstatus $a;
    }
}


Re: Building from source and running in chroot environment

2013-03-14 Thread Tony Finch
Spumonti Spumonti  wrote:

> Are there relatively recent instructions on how to build BIND from
> source and run it in a chroot environment? It sounds obvious but
> everything I've come across assumes BIND is provided by some package
> manager or included with the operating system. I'd like to build the
> latest version of BIND and run it in a chroot environment.  I know you
> have to pre-populate the chroot directories but am not entirely clear on
> everything that's needed.

In the chroot you will need:

/dev/random and /dev/urandom

A syslog socket (if you are using syslog) and/or somewhere for named's log
files

Your rndc key

Your named.conf and zone files :-)

If you have a recent OpenSSL you want to use BIND's configure
--without-gost option or copy OpenSSL's "engines" library directory into
the chroot.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.


RE: Building from source and running in chroot environment

2013-03-14 Thread Spain, Dr. Jeffry A.
> Are there relatively recent instructions on how to build BIND from source and 
> run it in a chroot environment? It sounds obvious but everything I've come 
> across assumes BIND is provided by some package manager or included with the 
> operating system. I'd like to build the latest version of BIND and run it in 
> a chroot environment.  I know you have to pre-populate the chroot directories 
> but am not entirely clear on everything that's needed.

FWIW, I've been running BIND on Ubuntu, which uses AppArmor 
(https://help.ubuntu.com/12.10/serverguide/apparmor.html) to control file 
access by applications and services. I'm not able to argue the relative merits 
of chroot vs. AppArmor vs. other alternatives such as SELinux and SMACK. But 
stipulating for the moment that AppArmor is a reasonable alternative, it is 
fairly easy to use it with BIND 9 built from source.

I start by installing the current packaged version of BIND on a snapshotted 
Ubuntu virtual machine that I can subsequently roll back. I save the files 
/etc/apparmor.d/usr.sbin.named and /etc/apparmor.d/local/usr.sbin.named, which I 
then place in my built-from-source BIND 9 installation. For this to work without 
modifying the file usr.sbin.named, I use in my build the same ancillary 
directories that the Ubuntu package uses: /etc/bind for configuration files, 
/var/lib/bind for master zone data and DNSSEC keys, and /var/cache/bind for 
secondary zone data. Otherwise you can modify the file usr.sbin.named, which you 
should examine in conjunction with the AppArmor documentation for the details. 
You can deconstruct the Ubuntu bind9 source package 
(http://packages.ubuntu.com/quantal/bind9) to see everything else that the 
package installer does to set up BIND 9. Note that Ubuntu 13.04 (Raring 
Ringtail), due to be released in late April, will be the first Ubuntu version to 
include a packaged BIND 9.9.x.

Jeffry A. Spain, Network Administrator
Cincinnati Country Day School


Re: Blocking private addresses with a optionq

2013-03-14 Thread Tony Finch
King, Harold Clyde (Hal)  wrote:

> Is there an option for bind like the allow-recursion {  }
> For blocking out going records of 10.0.0.0/8 and 192.168.0.0/16 so I could do 
> a view like:

I'm not sure what you mean by "blocking out going records" but there are a
couple of options that might do what you want:

There is the "blackhole" acl which makes named ignore all requests and
never send queries to a particular address range.

There is the server ... { bogus yes; }; clause which stops named from
sending queries to a particular address range.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.


Re: spf ent txt records.

2013-03-14 Thread Noel Butler
On Wed, 2013-03-13 at 19:33 -0700, Dave Warren wrote:
> On 3/13/2013 17:11, Noel Butler wrote:
> 
> > 
> > On Wed, 2013-03-13 at 14:43 -0700, Dave Warren wrote: 
> > 
> > > I almost wouldn't bother with SPF records these days though, except that 
> > > the code was already written.
> > > 
> > 
> > # grep SPF maillog |grep -c '\-all'
> > 2438
> > 
> > # grep SPF maillog |grep -c '\~all'
> > 7509
> 
> 
> Can you compare that against queries to TXT style SPF records?


I'll see what I can do in the morning, it's 30 past beer o'clock now



