On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
Does anyone have an automated KSK roll process, that checks for the DS
record at the parent, that they can share?
As far as I can tell, the automated signing in BIND will roll th
> On 15 Apr 2021, at 11:35, @lbutlr wrote:
>
> On 14 Apr 2021, at 01:48, Anand Buddhdev wrote:
>> This is a short-sighted opinion. If just one authoritative server sends
>> out REFUSED responses towards an innocent, it won't matter. But if 1000
>> authoritative servers all send out REFUSED res
On 14 Apr 2021, at 01:48, Anand Buddhdev wrote:
> This is a short-sighted opinion. If just one authoritative server sends
> out REFUSED responses towards an innocent, it won't matter. But if 1000
> authoritative servers all send out REFUSED responses towards an innocent
> IP address, their combine
Tony Finch wrote:
>Peter Coghlan wrote:
>> Instead, isn't it the case that bind knows what domains it is authoritative
>> for (or which ones it is supposed to be authoritative for) and bind is
>> therefore in the ideal position to know which queries are abusive and which
>> are not rather than wra
Peter Coghlan wrote:
>
> I wouldn't describe it as background radiation or probes. It doesn't seem
> to be caused by misconfigured or faulty resolvers or anything of that nature.
Hmm, maybe air pollution would be a better metaphor? What I mean is the
kind of continuous low levels of abuse that's
On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
> Does anyone have an automated KSK roll process, that checks for the DS
> record at the parent, that they can share?
>
> As far as I can tell, the automated signing in BIND will roll the KSK if I
> set the timing in the policy file, but i
Does anyone have an automated KSK roll process, that checks for the DS
record at the parent, that they can share?
As far as I can tell, the automated signing in BIND will roll the KSK if I
set the timing in the policy file, but it won't check the DS record, so it
will happily break DNSSEC if some
Thanks
Sten
> On 14 Apr 2021, at 19.47, Carl Byington via bind-users
> wrote:
>
> Signed PGP part
> On Wed, 2021-04-14 at 12:58 -0400, Paul Kosinski via bind-users wrote:
> > Interesting, although we host different domains, in and from different
> > geographic areas, we got the same queries a
On 2021-04-14 04:38, Gaurav Kansal wrote:
Is there a way by which we can log the denied statement w.r.t. view
somewhere in logging?
The thing is, your view did not deny anything. Your non-.IN client
simply does not match the match-clients list for that view.
On 14/04/21 1:48 am, ma...@isc.org
Tony Finch wrote:
> Peter Coghlan wrote:
> >
> > I have a nameserver which is authoritative for three or four domain names.
> > It receives around 1000 queries per day that could be regarded as plausibly
> > legitimate. It receives around ten times that number of abusive queries per
> > day from p
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Wed, 2021-04-14 at 12:58 -0400, Paul Kosinski via bind-users wrote:
> Interesting, although we host different domains, in and from different
> geographic areas, we got the same queries as yours on the same day,
> with some at about the same time (
Interesting, although we host different domains, in and from different
geographic areas, we got the same queries as yours on the same day, with some
at about the same time (we're EDT).
13-Apr-2021 02:19:58.468 security: info: client 76.20.145.58#3074 (sl): query
(cache) 'sl/ANY/IN' denied
13-Ap
sth...@nethelp.no wrote:
>
> Agree that you should be able to ignore them. But as a practical matter,
> ignoring them *may* result in the question being asked again and again,
> while REFUSED *may* stop the client from asking more.
REFUSED leads to retries too: if the client is a legit resolver i
On Wed 14/Apr/2021 00:37:22 +0200 Richard T.A. Neal wrote:
Julien Salort wrote:
Reading this thread, I considered simply enabling the fail2ban named-refused
jail, but they advise against it because it would end up blocking the victim
rather than the attacker.
I'm happy to be corrected by mo
On Wed, 2021-04-14 at 08:07 +, Richard T.A. Neal wrote:
>
> Just out of interest, because I run some services on OVH, I know what
> that term means. When you rent a dedicated server from OVH you are
> assigned a single IPv4 address. Let's assume that you then want to use
> VMware or Hyper-V on
Hi Mark,
Is there a way by which we can log the denied statement w.r.t. view
somewhere in logging?
Regards,
Gaurav
On 14/04/21 1:48 am, ma...@isc.org wrote:
Real world configurations would have a catch all view after the more
specific views. Add one.
--
Mark Andrews
On 13 Apr 2021, at 22:41
> I'm not talking of DNS *resolvers* here. I'm talking of authoritative
> servers. If my authoritative server is authoritative for zones A, B and
> C, then I should only get queries for those zones from legitimate
> resolvers and clients. Queries for any other zones should *not* be
> coming to my s
Anand,
I understand that this topic is something you feel passionate about, but alas,
it’s more complicated than just dropping REFUSED answers. Any lame delegation
would be then susceptible to cache poisoning. Also it would be a protocol
violation.
A small well-maintained authoritative server
Paul Kosinski wrote:
> Interesting observation. I just did lookups on 4 recent (< 24 hrs ago)
> 'sl/ANY/IN' queries logged by our BIND and got:
> ...1 OVH Hosting IP (Montreal)
> The whois info for the OVH IP contains the line:
> Comment: Failover IPs
Just out of interest, because I run some
On 14/04/2021 00:29, @lbutlr wrote:
>> A legitimate client, following a normal chain of referrals, has *no*
>> reason to query a server for zones it is not authoritative for.
>
> Well, that's not really true. A mobile user might have their device
> configured to always check their corporate DNS s