Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Mark Andrews
> On 15 Mar 2023, at 15:42, Tim Maestas wrote: > > Named should be sending queries with DO=1 and it should be getting back > signed responses. I suspect that you will need to run packet captures of the > traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the > nameserver.

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Tim Maestas
> > > Named should be sending queries with DO=1 and it should be getting back > signed responses. I suspect that you will need to run packet captures of > the traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the > nameserver. Either signed responses will cease or DNSSEC

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Mark Andrews
> On 15 Mar 2023, at 11:14, Tim Maestas wrote: > > > > On Tue, Mar 14, 2023 at 4:34 PM Mark Andrews wrote: > > > > On 15 Mar 2023, at 02:08, Alexandra Yang wrote: > > > > Hi Group, > > > > I wonder if anyone can shed some light on this, our nameserver(BIND 9.16.37 > > )keeps giving

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Crist Clark
rndc dumpdb rndc flushtree gov Did that help? Going back to the dumped cache, what do the relevant names have in there? On Tue, Mar 14, 2023 at 5:46 PM Alexandra Yang wrote: > Hi Mark, > > We noticed the problem because client can't resolve > www.federalregister.gov, hosted by ns3.gpo.gov and

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Alexandra Yang
Hi Mark, We noticed the problem because clients can't resolve www.federalregister.gov, hosted by ns3.gpo.gov and ns4.gpo.gov. Our error is similar to the previous post, plus some errors with the gpo.gov nameserver. I just wonder if it's the config problem with our BIND 9.16.37 or problem with the

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Tim Maestas
On Tue, Mar 14, 2023 at 4:34 PM Mark Andrews wrote: > > > > On 15 Mar 2023, at 02:08, Alexandra Yang wrote: > > > > Hi Group, > > > > I wonder if anyone can shed some light on this, our nameserver(BIND > 9.16.37 )keeps giving error on resolving gpo.gov and ns3.gpo.gov, here > are the errors: >

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Mark Andrews
> On 15 Mar 2023, at 02:08, Alexandra Yang wrote: > > Hi Group, > > I wonder if anyone can shed some light on this, our nameserver(BIND 9.16.37 > )keeps giving error on resolving gpo.gov and ns3.gpo.gov, here are the errors: > > Mar 14 10:23:32 ipam-dns-in-1 named[3713]: validating

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Mark Andrews
Why are you trying to query this address? The IPv4 servers are 162.140.15.100 and 162.140.254.200. > On 15 Mar 2023, at 07:53, Darren Ankney wrote: > > This is failing for me regularly: > > $ dig ns3.gpo.gov +dnssec +norecurse @162.140.15.200 > ;; communications error to 162.140.15.200#53:

Re: How to use update-policy type "external"

2023-03-14 Thread Ondřej Surý
> I am not sure how to start debugging this. Can anyone help? Well, start with sharing as many details as you can. It’s hard to tell what you are doing from a single configuration line. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not

Re: How to use update-policy type "external"

2023-03-14 Thread Darren Ankney
Hi Vlad, Did you specify the socket filename (/tmp/sock from your update-policy example) when running it? According to the man page: https://bind9.readthedocs.io/en/v9_18_11/manpages.html#nsupdate-dynamic-dns-update-utility the final argument for the command line is an optional filename. If not

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Darren Ankney
This is failing for me regularly: $ dig ns3.gpo.gov +dnssec +norecurse @162.140.15.200 ;; communications error to 162.140.15.200#53: timed out ;; communications error to 162.140.15.200#53: timed out ;; communications error to 162.140.15.200#53: timed out ; <<>> DiG 9.18.11 <<>> ns3.gpo.gov

Re: How to use update-policy type "external"

2023-03-14 Thread Vladimir Brik
Thanks, quoting worked! Does anybody know if the socket of an "external" update-policy is supposed to receive data for every dynamic DNS update? I `strace`ed the `named` process and pushed some updates using nsupdate, but I saw no attempts to do anything with the socket file (no opens, no

Re: How to use update-policy type "external"

2023-03-14 Thread Ondřej Surý
I haven't used this personally, but in the system tests, this works: update-policy { grant administra...@example.nil wildcard * A SRV CNAME; grant testden...@example.nil wildcard * TXT; grant "local:/tmp/auth.sock" external * CNAME;

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Tim Maestas
I've been having problems resolving www.federalregister.gov which is served by ns3.gpo.gov and ns4.gpo.gov, using BIND 9.16.27. Haven't been able to quite figure out why so I've stuck an NTA in for the time being. On Tue, Mar 14, 2023 at 8:52 AM Stephane Bortzmeyer wrote: > On Tue, Mar 14,

How to use update-policy type "external"

2023-03-14 Thread Vladimir Brik
Hello, I am trying to set up an "external" dynamic DNS update policy but I can't figure out the syntax. The documentation [1] says that the "identity" field needs to be in the form local:PATH, but using something like the following results in an error: "expected unquoted string near '/'",

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Stephane Bortzmeyer
On Tue, Mar 14, 2023 at 11:35:38AM -0400, Alexandra Yang wrote a message of 183 lines which said: > I wonder if any of your nameserver resolve it just fine, like 8.8.8.8 > works Among RIPE Atlas probes, most succeed: % blaeu-resolve --displayvalidation -r 100 --type A gpo.gov [ (Authentic

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Alexandra Yang
I wonder if any of your nameservers resolve it just fine, like 8.8.8.8 works, and the verification through the Verisign site gives no error, https://dnssec-analyzer.verisignlabs.com/gpo.gov Also this one gives only a warning instead of a hard fail, or maybe these web checks are not up-to-date:

RE: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread John W. Blue via bind-users
Keep in mind that SHA1 may not have been included by choice. If gpo.gov is using Infoblox there is a, what I like to call, Infoblox-ism in play regarding DNSSEC where even if you choose RSA256 or RSA512 or whatever it will create a SHA1. John -Original Message- From: bind-users

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Stephane Bortzmeyer
On Tue, Mar 14, 2023 at 11:08:28AM -0400, Alexandra Yang wrote a message of 154 lines which said: > I wonder if anyone can shed some light on this, our nameserver(BIND > 9.16.37 )keeps giving error on resolving gpo.gov and ns3.gpo.gov, > here are the > errors: "DS record for zone gpo.gov

DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Alexandra Yang
Hi Group, I wonder if anyone can shed some light on this, our nameserver (BIND 9.16.37) keeps giving errors on resolving gpo.gov and ns3.gpo.gov, here are the errors: Mar 14 10:23:32 ipam-dns-in-1 named[3713]: validating gpo.gov/SOA: got insecure response; parent indicates it should be secure