Re: no _smtp_tls in published zone

2021-06-01 Thread Mark Andrews


> On 2 Jun 2021, at 14:59, Brett Delmage  wrote:
> 
> I have added the following two records
> _mta-sts.BrettDelmage.ca. 180 IN TXT "v=STSv1; id=2021060102;"
> _smtp._tls.BrettDelmage.ca.   180 IN TXT "TLSRPTv1; rua=mailto:br...@brettdelmage.ca";
> to a signed zone to enable Mail Transfer Agent Strict Transport Security.
> 
> When I run
> 
> /var/lib/bind/master# named-compilezone -k warn -o - BrettDelmage.ca 
> BrettDelmage.ca
> 
> I get the expected error for the leading _, but only for _mta_sts.

Underscore is not an issue for TXT records.  The check-names report is for 
mta_sts.BrettDelmage.ca not _mta_sts.BrettDelmage.ca.

> BrettDelmage.ca:21: mta_sts.BrettDelmage.ca: bad owner name (check-names)
> zone BrettDelmage.ca/IN: loaded serial 2021060110
> BrettDelmage.ca.  180 IN SOA
> cacloud.brettdelmage.ca. hostmaster.BrettDelmage.ca. 2021060110 180 300 
> 1814400 3600
> ...
> _mta-sts.BrettDelmage.ca. 180 IN TXT "v=STSv1; id=2021060102;"
> _smtp._tls.BrettDelmage.ca.   180 IN TXT "TLSRPTv1; rua=mailto:br...@brettdelmage.ca";
> ...
> OK
> 
> When I load the zone I can fetch _mta-sts.BrettDelmage.ca
> dig @127.0.0.1 _mta-sts.brettdelmage.ca txt +short
> "v=STSv1; id=2021060102;"
> 
> but not _smtp._tls.BrettDelmage.ca.:
> 
> dig @127.0.0.1 _smtp._tls.brettdelmage.ca txt
> 
> ; <<>> DiG 9.16.16-Ubuntu <<>> @127.0.0.1 _smtp._tls.brettdelmage.ca txt
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37893
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: a70534bd6a80a8c7010060b70dbd54a4db11f1a5b7d1 (good)
> ;; QUESTION SECTION:
> ;_smtp._tls.brettdelmage.ca.    IN  TXT
> 
> ;; AUTHORITY SECTION:
> BrettDelmage.ca.  180  IN  SOA  cacloud.brettdelmage.ca. hostmaster.BrettDelmage.ca. 2021060110 180 300 1814400 3600
> 
> -
> named -v
> BIND 9.16.16-Ubuntu (Stable Release) 
> 
> What am I doing wrong here?

Not looking at the nameserver’s logs when the zone is loaded.  If it has failed 
to load for any reason that will be reported.

> Thanks!
> 
> Brett
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



no _smtp_tls in published zone

2021-06-01 Thread Brett Delmage

I have added the following two records
_mta-sts.BrettDelmage.ca. 180 IN TXT "v=STSv1; id=2021060102;"
_smtp._tls.BrettDelmage.ca.   180 IN TXT "TLSRPTv1; rua=mailto:br...@brettdelmage.ca";
to a signed zone to enable Mail Transfer Agent Strict Transport Security.

When I run

/var/lib/bind/master# named-compilezone -k warn -o - BrettDelmage.ca 
BrettDelmage.ca

I get the expected error for the leading _, but only for _mta_sts.

BrettDelmage.ca:21: mta_sts.BrettDelmage.ca: bad owner name (check-names)
zone BrettDelmage.ca/IN: loaded serial 2021060110
BrettDelmage.ca.  180 IN SOA
cacloud.brettdelmage.ca. hostmaster.BrettDelmage.ca. 2021060110 180 300 1814400 
3600
...
_mta-sts.BrettDelmage.ca. 180 IN TXT "v=STSv1; id=2021060102;"
_smtp._tls.BrettDelmage.ca.   180 IN TXT "TLSRPTv1; rua=mailto:br...@brettdelmage.ca";
...
OK

When I load the zone I can fetch _mta-sts.BrettDelmage.ca
 dig @127.0.0.1 _mta-sts.brettdelmage.ca txt +short
"v=STSv1; id=2021060102;"

but not _smtp._tls.BrettDelmage.ca.:

dig @127.0.0.1 _smtp._tls.brettdelmage.ca txt

; <<>> DiG 9.16.16-Ubuntu <<>> @127.0.0.1 _smtp._tls.brettdelmage.ca txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37893
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a70534bd6a80a8c7010060b70dbd54a4db11f1a5b7d1 (good)
;; QUESTION SECTION:
;_smtp._tls.brettdelmage.ca.    IN  TXT

;; AUTHORITY SECTION:
BrettDelmage.ca.  180  IN  SOA  cacloud.brettdelmage.ca. hostmaster.BrettDelmage.ca. 2021060110 180 300 1814400 3600

-
named -v
BIND 9.16.16-Ubuntu (Stable Release) 

What am I doing wrong here?

Thanks!

Brett
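As an added example (not code from the thread or from BIND), the following Python linter checks MTA-STS and TLSRPT TXT records against the record formats defined in RFC 8461 and RFC 8460, and flags the two slips visible in the records above: a TLSRPT value without the leading "v=TLSRPTv1" tag, and a ";" placed after the closing quote, which the zone-file parser treats as the start of a comment rather than record data. The sample lines, domain and mailboxes are constructed.

```python
import re

# Constructed sample lines mirroring the shape of the two records in the thread
# (domain and mailbox replaced with example.test values), plus one well-formed
# TLSRPT record for comparison.
SAMPLE_LINES = [
    '_mta-sts.example.test. 180 IN TXT "v=STSv1; id=2021060102;"',
    '_smtp._tls.example.test. 180 IN TXT "TLSRPTv1; rua=mailto:postmaster@example.test";',
    '_smtp._tls.example.test. 180 IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.test"',
]

# Owner-name prefix -> required version tag and other required tags,
# per RFC 8461 (MTA-STS) and RFC 8460 (TLSRPT).
POLICIES = {
    "_mta-sts.": {"v": "STSv1", "required": ("id",)},
    "_smtp._tls.": {"v": "TLSRPTv1", "required": ("rua",)},
}

RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(?P<rdata>.+)$", re.I)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_rdata(rdata):
    """Join the quoted <character-string>s of a TXT record.

    Returns (text, trailing): trailing is whatever follows the last closing
    quote, which the zone-file parser does not store in the record (a ';'
    there starts a comment).
    """
    strings = STRING_RE.findall(rdata)
    trailing = rdata[rdata.rfind('"') + 1:].strip() if strings else rdata.strip()
    return "".join(strings), trailing


def lint_record(line):
    """Return findings for one MTA-STS or TLSRPT TXT record line; [] means OK."""
    m = RR_RE.match(line.strip())
    if not m:
        return ["not a TXT record line"]
    owner = m.group("owner").lower()
    prefix = next((p for p in POLICIES if owner.startswith(p)), None)
    if prefix is None:
        return [f"owner {owner} is neither _mta-sts.<domain> nor _smtp._tls.<domain> "
                "(hyphen/underscore mix-up?)"]
    spec = POLICIES[prefix]
    findings = []
    text, trailing = parse_txt_rdata(m.group("rdata"))
    if trailing:
        findings.append(f"{trailing!r} after the closing quote is not part of the record")
    fields = [f.strip() for f in text.split(";") if f.strip()]
    if not fields or not fields[0].startswith("v="):
        findings.append(f"first field must be v={spec['v']}")
    tags = {}
    for field in fields:
        if "=" not in field:
            findings.append(f"field {field!r} is not tag=value")
            continue
        k, v = field.split("=", 1)
        tags[k.strip()] = v.strip()
    if "v" in tags and tags["v"] != spec["v"]:
        findings.append(f"expected v={spec['v']}, got v={tags['v']}")
    for tag in spec["required"]:
        if tag not in tags:
            findings.append(f"missing required tag {tag}=")
    if "id" in tags and not (tags["id"].isalnum() and len(tags["id"]) <= 32):
        findings.append("id must be 1-32 alphanumeric characters")
    if "rua" in tags and not all(u.strip().startswith(("mailto:", "https://"))
                                 for u in tags["rua"].split(",")):
        findings.append("rua must be a comma-separated list of mailto: or https: URIs")
    return findings


def lint_lines(lines):
    """Return (owner, findings) for every line, in order."""
    return [(line.split()[0], lint_record(line)) for line in lines]


if __name__ == "__main__":
    for owner, findings in lint_lines(SAMPLE_LINES):
        print(owner, "OK" if not findings else "; ".join(findings))
```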



Re: configure notify for ixfer?

2021-06-01 Thread Dan Sjolseth via bind-users
Inside the zone statement of the primary add:

 also-notify { ipofsecondary };

This will make transfer in microseconds.

Let me know if it works for you.

Dan



On Jun 1, 2021, at 7:24 PM, Mark Andrews  wrote:


On 2 Jun 2021, at 01:18, Cuttler, Brian R (HEALTH) via bind-users 
 wrote:

My dns secondary is often behind on its dynamic zone tables.
It looks to me like we are doing automatic transfer IXFR but not frequently 
enough, but randomly.

It looks to me that default 10 second interval for min transfer wait time.

I'm missing something but haven't found the magic yet.

Both primary/secondary BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 on Centos 7.9.

Goal is to have dynamic entries replicated on the secondary within a few 
minutes if not a few seconds.

From what I’m reading I should be sending a notify from the primary to the 
secondary when a dynamic zone is updated but I don’t seem to be doing that.

Would someone please point me to the option I’m missing to do so? I’ve either 
completely missed it, mis-understood what I read or am going in the wrong 
direction.

01-Jun-2021 07:49:05.425 xfer-out: client @0x7f17335f9450 10.50.156.70#45583 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR started (serial 
1501355783 -> 1501355796)
01-Jun-2021 07:49:05.426 xfer-out: client @0x7f17335f9450 10.50.156.70#45583 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR ended
01-Jun-2021 08:46:52.595 xfer-out: client @0x7f17334a7e80 10.50.156.70#39191 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR started (serial 
1501355796 -> 1501355835)
01-Jun-2021 08:46:52.596 xfer-out: client @0x7f17334a7e80 10.50.156.70#39191 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR ended
01-Jun-2021 09:35:10.776 xfer-out: client @0x7f1732f45d60 10.50.156.70#39230 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR started (serial 
1501355835 -> 1501355858)
01-Jun-2021 09:35:10.776 xfer-out: client @0x7f1732f45d60 10.50.156.70#39230 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR ended

Thanks in advance,
Brian

Named uses the NS records for the zone to find the addresses of the secondary 
servers to send the NOTIFY messages to. Both primary and secondary servers do 
this by default.  The nameserver listed in the SOA record MNAME field is 
excluded from this process.  Ensure you have address records for all your nameservers.

If a secondary is not listed in the NS RRset then you can use also-notify as 
Anand said.

Brian Cuttler

ITG - Information Technology Group, Network and System Administrator
Wadsworth Center, NYS Department of Health
Empire State Plaza, Albany, NY 12201
(518) 486-1697 | brian.cutt...@health.ny.gov



--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: configure notify for ixfer?

2021-06-01 Thread Mark Andrews

> On 2 Jun 2021, at 01:18, Cuttler, Brian R (HEALTH) via bind-users 
>  wrote:
> 
> My dns secondary is often behind on its dynamic zone tables.
> It looks to me like we are doing automatic transfer IXFR but not frequently 
> enough, but randomly.
>  
> It looks to me that default 10 second interval for min transfer wait time.
>  
> I'm missing something but haven't found the magic yet.
>  
> Both primary/secondary BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 on Centos 
> 7.9.
>  
> Goal is to have dynamic entries replicated on the secondary within a few 
> minutes if not a few seconds.
>  
> From what I’m reading I should be sending a notify from the primary to the 
> secondary when a dynamic zone is updated but I don’t seem to be doing that.
>  
> Would someone please point me to the option I’m missing to do so? I’ve either 
> completely missed it, mis-understood what I read or am going in the wrong 
> direction.
>  
> 01-Jun-2021 07:49:05.425 xfer-out: client @0x7f17335f9450 10.50.156.70#45583 
> (dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR started (serial 
> 1501355783 -> 1501355796)
> 01-Jun-2021 07:49:05.426 xfer-out: client @0x7f17335f9450 10.50.156.70#45583 
> (dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR ended
> 01-Jun-2021 08:46:52.595 xfer-out: client @0x7f17334a7e80 10.50.156.70#39191 
> (dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR started (serial 
> 1501355796 -> 1501355835)
> 01-Jun-2021 08:46:52.596 xfer-out: client @0x7f17334a7e80 10.50.156.70#39191 
> (dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR ended
> 01-Jun-2021 09:35:10.776 xfer-out: client @0x7f1732f45d60 10.50.156.70#39230 
> (dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR started (serial 
> 1501355835 -> 1501355858)
> 01-Jun-2021 09:35:10.776 xfer-out: client @0x7f1732f45d60 10.50.156.70#39230 
> (dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR ended
>  
> Thanks in advance,
> Brian

Named uses the NS records for the zone to find the addresses of the secondary 
servers to send the NOTIFY messages to. Both primary and secondary servers do 
this by default.  The nameserver listed in the SOA record MNAME field is 
excluded from this process.  Ensure you have address records for all your nameservers.

If a secondary is not listed in the NS RRset then you can use also-notify as 
Anand said.

> Brian Cuttler
>  
> ITG - Information Technology Group, Network and System Administrator
> Wadsworth Center, NYS Department of Health
> Empire State Plaza, Albany, NY 12201
> (518) 486-1697 | brian.cutt...@health.ny.gov
>  
>  

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
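An added Python example (not code from the thread or from BIND) that works through the default NOTIFY behaviour Mark describes, on a constructed zone: it takes the apex NS RRset, drops the SOA MNAME, looks up each remaining name's A/AAAA records in the zone, reports nameservers that have no address record (and so cannot be notified), and renders the also-notify clause needed for a secondary that is not in the NS RRset. It assumes absolute owner names and in-zone address records; BIND itself would resolve out-of-zone NS names through its resolver.

```python
from collections import defaultdict

# Constructed sample zone (not the poster's): ns1 is the SOA MNAME, ns2 is a
# normal secondary with address records, ns3 is listed as NS but has no address.
SAMPLE_ZONE = """
; apex records
example.test.     3600 IN SOA  ns1.example.test. hostmaster.example.test. 1501355858 180 300 1814400 3600
example.test.     3600 IN NS   ns1.example.test.
example.test.     3600 IN NS   ns2.example.test.
example.test.     3600 IN NS   ns3.example.test.
ns1.example.test. 3600 IN A    192.0.2.1
ns2.example.test. 3600 IN A    192.0.2.2
ns2.example.test. 3600 IN AAAA 2001:db8::2
"""

CLASSES = {"IN", "CH", "HS"}


def parse_zone(text):
    """Yield (owner, type, rdata_tokens) from master-file text.

    Assumes absolute owner names on every line and no $ORIGIN/$TTL or
    multi-line records, which is all the sample needs.
    """
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        owner, rest = tokens[0].lower(), tokens[1:]
        if rest and rest[0].isdigit():               # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in CLASSES:      # optional class
            rest = rest[1:]
        yield owner, rest[0].upper(), rest[1:]


def notify_plan(zone_text, zone_name, unlisted_secondaries=()):
    """Who receives NOTIFY by default, and what also-notify must add.

    Default behaviour: every name in the apex NS RRset except the SOA MNAME
    is notified at its A/AAAA addresses. unlisted_secondaries are addresses
    of secondaries that are not in the NS RRset.
    """
    apex = zone_name.rstrip(".").lower() + "."
    mname, ns_names, addrs = None, set(), defaultdict(list)
    for owner, rtype, rdata in parse_zone(zone_text):
        if owner == apex and rtype == "SOA":
            mname = rdata[0].lower()
        elif owner == apex and rtype == "NS":
            ns_names.add(rdata[0].lower())
        elif rtype in ("A", "AAAA"):
            addrs[owner].append(rdata[0])
    targets, missing = {}, []
    for ns in sorted(ns_names - {mname}):
        if addrs.get(ns):
            targets[ns] = addrs[ns]
        else:
            missing.append(ns)      # no address record: NOTIFY cannot be sent
    notified = {ip for ips in targets.values() for ip in ips}
    return {"mname": mname, "targets": targets, "missing_address": missing,
            "also_notify": sorted(set(unlisted_secondaries) - notified)}


def also_notify_clause(plan):
    """Render the zone-statement line for secondaries needing an explicit NOTIFY."""
    if not plan["also_notify"]:
        return ""
    return "also-notify { " + "; ".join(plan["also_notify"]) + "; };"


if __name__ == "__main__":
    plan = notify_plan(SAMPLE_ZONE, "example.test", unlisted_secondaries=["192.0.2.9"])
    for ns, ips in plan["targets"].items():
        print(f"NOTIFY -> {ns} {', '.join(ips)}")
    for ns in plan["missing_address"]:
        print(f"WARNING: {ns} is in the NS RRset but has no A/AAAA record")
    print(also_notify_clause(plan))
```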



RE: Any interest in a write-up showing how to configure BIND 9.17x with DoH and LetsEncrypt?

2021-06-01 Thread Richard T.A. Neal
To everyone who expressed an interest in this: my write-up has now been 
published on the ISC Blog:

https://www.isc.org/blogs/doh-talkdns/

Thanks to Ondrej, Artem, Suzanne and Vicky for critiquing and reposting.

Best,

Richard.



Re: configure notify for ixfer?

2021-06-01 Thread Anand Buddhdev
On 01/06/2021 17:18, Cuttler, Brian R (HEALTH) via bind-users wrote:

Hi Brian,

> From what I'm reading I should be sending a notify from the primary
> to the secondary when a dynamic zone is updated but I don't seem to be
> doing that.
> 
> Would someone please point me to the option I'm missing to do so?
> I've either completely missed it, mis-understood what I read or am going in
> the wrong direction.

You need an "also-notify" option for that zone. Read more about this in
the BIND documentation:

https://bind9.readthedocs.io/en/v9_16_16/reference.html#zone-transfers

While this documentation refers to the latest stable version of BIND, it
should still apply to the older version you're using.

Regards,
Anand


configure notify for ixfer?

2021-06-01 Thread Cuttler, Brian R (HEALTH) via bind-users
My dns secondary is often behind on its dynamic zone tables.
It looks to me like we are doing automatic transfer IXFR but not frequently 
enough, but randomly.

It looks to me that default 10 second interval for min transfer wait time.

I'm missing something but haven't found the magic yet.

Both primary/secondary BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 on Centos 7.9.

Goal is to have dynamic entries replicated on the secondary within a few 
minutes if not a few seconds.

From what I'm reading I should be sending a notify from the primary to the 
secondary when a dynamic zone is updated but I don't seem to be doing that.

Would someone please point me to the option I'm missing to do so? I've either 
completely missed it, mis-understood what I read or am going in the wrong 
direction.

01-Jun-2021 07:49:05.425 xfer-out: client @0x7f17335f9450 10.50.156.70#45583 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR started (serial 
1501355783 -> 1501355796)
01-Jun-2021 07:49:05.426 xfer-out: client @0x7f17335f9450 10.50.156.70#45583 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR ended
01-Jun-2021 08:46:52.595 xfer-out: client @0x7f17334a7e80 10.50.156.70#39191 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR started (serial 
1501355796 -> 1501355835)
01-Jun-2021 08:46:52.596 xfer-out: client @0x7f17334a7e80 10.50.156.70#39191 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR ended
01-Jun-2021 09:35:10.776 xfer-out: client @0x7f1732f45d60 10.50.156.70#39230 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR started (serial 
1501355835 -> 1501355858)
01-Jun-2021 09:35:10.776 xfer-out: client @0x7f1732f45d60 10.50.156.70#39230 
(dai.wadsworth.org): transfer of 'dai.wadsworth.org/IN': IXFR ended

Thanks in advance,
Brian


Brian Cuttler

ITG - Information Technology Group, Network and System Administrator
Wadsworth Center, NYS Department of Health
Empire State Plaza, Albany, NY 12201
(518) 486-1697 | brian.cutt...@health.ny.gov




Re: Bind - OPT UDPsize=1232 ?

2021-06-01 Thread Anand Buddhdev
On 01/06/2021 16:01, Karl Pielorz wrote:

Hi Karl,

> Thanks for the pointer - ok, yes I can see it's probably EDNS / Flag day
> related etc. I missed that - probably as it's never caused us an issue.
> Annoyingly a value of 1232 causes a TCP fallback to a server out of our
> control that doesn't do TCP very well.

That is frustrating, of course. If you're able to talk to the server
operator, get them to see value in improving their TCP response.

If it's still causing you problems, you have the option of advertising a
bigger EDNS0 buffer size to that specific server with something like
this in your config:

server a.b.c.d/n {
  edns-udp-size 2000; // adjust appropriately
}

Read the BIND documentation for details so that you understand this fully.

Regards,
Anand


Re: TCP connections left in CLOSE_WAIT in 9.16.15/16

2021-06-01 Thread usenet
Folks, further to this issue, we still had the named.conf option

keep-response-order { any; }; // Disable TCP-pipelining

set as a workaround to an old vulnerability.  Removing that appears
to have fixed the CLOSE_WAIT connections we were accumulating.

Regards,
Ronan Flood

On Thu, May 27, 2021 at 12:21 PM  wrote:
>
> Hello
>
> We updated on Monday from bind-9.16.6/8 to bind-9.16.15/16 on some
> public-facing authoritative nameservers.  Since then, we are seeing
> a build-up of inbound TCP connections to port 53 being left in
> CLOSE_WAIT state indefinitely until named is restarted, or exhausting
> the tcp-clients limit if not restarted.  Anyone else seeing similar?
>
> Platform is 64bit ArchLinux 5.12.6-arch1-1.
>
> This sort of thing (netstat -tn):
>
> tcp        1      0 194.83.56.250:53      40.113.98.76:13214      CLOSE_WAIT
> tcp        1      0 194.83.56.250:53      52.232.251.180:61357    CLOSE_WAIT
> tcp        1      0 194.83.56.250:53      137.116.220.118:11234   CLOSE_WAIT
> tcp        1      0 194.83.56.250:53      23.100.54.67:17825      CLOSE_WAIT
> tcp        1      0 194.83.56.250:53      94.245.94.142:12397     CLOSE_WAIT
> etc etc etc
>
> On cursory examination, all of the querying IPs appear to be registered
> to Microsoft, may imply Windows resolvers, querying for large TXT records
> without EDNS, eg the first above:
>
> May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b08033908 
> 40.113.98.76#50868 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT - (194.83.56.250)
>
> May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b0895b348 
> 40.113.98.76#13214 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT -T (194.83.56.250)
>
>
> Regards,
> Ronan Flood
> (resurrecting an old bind-users subbed address for this, if it works!)
>
>


Re: Bind - OPT UDPsize=1232 ?

2021-06-01 Thread Karl Pielorz




--On 1 June 2021 at 13:03:12 +0200 Anand Buddhdev  wrote:


On 01/06/2021 12:55, Karl Pielorz wrote:

Hi Karl,


Anyone know why the Bind query appears to set such a low UDPsize? -
We've nothing in our config setting sizes, or maximums.


Here's an answer:

https://bind9.readthedocs.io/en/v9_16_16/notes.html#notes-for-bind-9-16-16

Regards,
Anand


Hi,

Thanks for the pointer - ok, yes I can see it's probably EDNS / Flag day 
related etc. I missed that - probably as it's never caused us an issue. 
Annoyingly a value of 1232 causes a TCP fallback to a server out of our 
control that doesn't do TCP very well.


Even more annoyingly - all the 'flag day' / online test sites we can find - 
it works with, and passes all the tests.


Which means even if there were a chance of getting the remote server fixed 
it's going to get "well, it works everywhere else and the online tests say 
it's a pass..."


Thanks again though,

-Karl


Re: Any interest in a write-up showing how to configure BIND 9.17x with DoH and LetsEncrypt?

2021-06-01 Thread Gregory Sloop
It's not like there's been a paucity of "Yeah, I'm interested" messages, but I 
agree with the rest.
+1000

I'd love to see it!



DNS over HTTPS support appears to be steadily increasing and it looks like the 
next version of Windows 10, Windows 10 21H2, will include support for DoH at 
the operating system level.
 
I spent a little time this weekend setting-up BIND 9.17.13 on Ubuntu 21.04 and 
configuring the system as a recursive resolver offering DNS over HTTPS using a 
LetsEncrypt certificate.
 
Is there any interest in me writing this up as a web article, or has everyone 
who’s interested in DoH already got it running comfortably in their test 
environment?
 
Best.
 
Richard.


Re: Bind - OPT UDPsize=1232 ?

2021-06-01 Thread Anand Buddhdev
On 01/06/2021 12:55, Karl Pielorz wrote:

Hi Karl,

> Anyone know why the Bind query appears to set such a low UDPsize? -
> We've nothing in our config setting sizes, or maximums.

Here's an answer:

https://bind9.readthedocs.io/en/v9_16_16/notes.html#notes-for-bind-9-16-16

Regards,
Anand


Bind - OPT UDPsize=1232 ?

2021-06-01 Thread Karl Pielorz



Hi,

If I switch between having Bind go lookup a name, and dig - I can see a 
difference in tcpdump, i.e.


Bind 9.16.16:

11:44:19.041785 IP (tos 0x0, ttl 64, id 3613, offset 0, flags [none], proto 
UDP (17), length 66)
   Us.54445 > Them.53: 3636 [1au] MX? somedomain.org. ar: . OPT 
UDPsize=1232 DO (38)


So, Bind is uses 'OPT UDPsize=1232 DO (38)'

Whereas, dig on the same host generates:

11:48:19.294690 IP (tos 0x0, ttl 64, id 28121, offset 0, flags [none], 
proto UDP (17), length 78)
   Us.30953 > Them.53: 19570+ [1au] MX? somedomain.org. ar: . OPT 
UDPsize=4096 (50)


Dig uses 'OPT UDPsize=4096 (50)'


Anyone know why the Bind query appears to set such a low UDPsize? - We've 
nothing in our config setting sizes, or maximums.



Thanks,

-Karl