Re: compile and install from source

On Mar 30, 2015, at 2:30 AM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote: On 03/30/15 00:35, @lbutlr wrote: Downloaded and compiled bind-9.9.7 (FreeBSD 8.4-RELEASE) and it built fine (./configure make make install). On FreeBSD, building software out of the ports is definitely

Re: compile and install from source

On Mar 31, 2015, at 02:46, Mathieu Arnold m...@freebsd.org wrote: +--On 30 mars 2015 19:32:09 -0600 @lbutlr krem...@kreme.com wrote: | # /usr/local/sbin/named -u bind -c /etc/namedb/named.conf \ |-t /var/named | | Yes, that works without reporting any errors, so the issue appears

Re: Reasons to upgrade?

On 2017-01-18 (09:07 MST), Mukund Sivaraman <m...@isc.org> wrote: > > On Wed, Jan 18, 2017 at 08:02:04AM -0700, lbutlr wrote: >> It looks like there are three version of Bindcurrently supported, >> 9.9.9, 9.10, and 9.11. >> >> Are there specific reasons to

Reasons to upgrade?

It looks like there are three version of Bindcurrently supported, 9.9.9, 9.10, and 9.11. Are there specific reasons to move from 9.9 to 9.10 or 9.11 other than the usual "it's newer and you're going to have to move at some point anyway"? Any gotchas? -- Apple broke AppleScripting signatures

Re: base domain doesn't respond with an IP

On Nov 2, 2016, at 3:24 AM, Alberto wrote: > @INAip.ip.ip.ip Ah, of course! Thanks! ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list

Bind with dnscrypt-proxy

Running bind 9.9.9 and am interested in setting up dnscrypt to go with it. Is dnscrypt-proxy the right way to go, or encrypt-wrapper? (it looks like wrapper is a client tool and that -proxy is what actually talks to the clients). If anyone has done this is it reasonably simple to setup and

SOA settings

I am looking at a config file and seeing: 2017112100 ; serial 1H ; refresh 15 ; retry 1w ; expire 1H ; minimum Is that 15 15 seconds? I'm guess ion it should be 15m? -- ADVANCE TO THE REAR! ___ Please visit

Re: SOA settings

On 2 Feb 2018, at 12:57, Warren Kumari war...@kumari.net> wrote: > > ) yes, that is 15 seconds, and is almost definitely not what > you want. That's what I figured. I suspect, based on the spacing in the file, someone<1> inadvertently deleted the 'm'. Thanks all (and yes, that was /PART/ of an

Re: Minimum TTL?

On 2018-02-10 (12:15 MST), Barry Margolin wrote: > > Just because you have the right to do something doesn't mean it's a > reasonable thing to do. No one has made an argument that would imply this is not reasonable. > And if you're offering a service, you have

Re: Minimum TTL?

On 2018-02-08 (03:10 MST), Michelle Konzack wrote: > > Hi, > > Am 2018-02-08 hackte LuKreme in die Tasten: >> Is it possible to tell bind to ignore very short TTLs and enforce >> a...say... 5 second minimum TTL? > > VERY SHORT TTL? YEs. > 5 sec minimum? Yes.

Re: Minimum TTL?

On 2018-02-08 (08:51 MST), Mukund Sivaraman wrote: > > Also, just for argument's sake, one user wants to extend TTLs to > 5s. Another wants 60s TTLs. What is OK and what is going too far? For the record, the issue is not RBLs or legitimate domains, it is spammer scum that set

Re: Minimum TTL?

On 2018-02-09 (21:11 MST), John Levine wrote: > > In article you write: >> For the record, the issue is not RBLs or legitimate domains, it is = >> spammer scum that set super-low DNS because they are shotgunning spam = >> from

Re: DNS not resolving on google, but is on other services

On 2018-02-17 (02:48 MST), Niall O'Reilly wrote: > > In my not-very-extensive experience, Google's 8.8.8.8 service seems to have > limited tolerance of badly-behaving authority servers; in such a case, it > seems to give up early and report SERVFAIL. > > As it happens,

Re: DNS not resolving on google, but is on other services

On Feb 17, 2018, at 06:04, Reindl Harald wrote: > "Is google just b0rked?" is mostly wrong to start with As I said, that seems unlikely. But the different behavior from multiple large DNS services was odd. > Delegation > > Failed to find name servers of

questions on allow-query

If I set allow-query { 127.0.0.1; [myipblock]; } Then my DNS doesn't respond to any other servers, right? This would be bad for being authoritative. so, should I set that and then set allow-query { any; }; in each zone? Is that better than simply setting the IPs that are allowed recursion?

Re: DNSSEC and secondary DNS servers

On 08 Sep 2018, at 09:59, Niall O'Reilly wrote: > On 8 Sep 2018, at 14:58, @lbutlr wrote: > >> so I think there must be something else. > > You might need to so some other housekeeping: > > https://zonemaster.net/domain_check > http://dnsviz.net/d/c

Re: DNSSEC and secondary DNS servers

On 08 Sep 2018, at 11:46, @lbutlr wrote: > I need to check that I am supposed to generate the digest. to check *HOW* I am supposed to generate the digest. -- Ille Qui Nos Omnes Servabit ___ Please visit https://lists.isc.org/mailman/listinfo/b

Re: DNSSEC and secondary DNS servers

On 08 Sep 2018, at 10:21, Mark Elkins wrote: > Have you DNSSEC Signed your Domain - that is "covisp.net" because I > don't see any DS records for it in the "net" zone. Not yet, I want to have everything working on my side before I go upstream. Hover is pretty simple to setup the DNSSEC but I

DNSSEC and secondary DNS servers

So, I setup up DNSSEC on my authoritative bind 9.12 server, which was very straightforward and works fine: dig covisp.net +dnssec +short @8.8.8.8 65.121.55.42 A 7 2 86400 20181008122535 20180908122535 17363 covisp.net. pkpVdFONJ2dYN+7wQ4pVcQTlWIThY3+mbNdXsE8p5uWiLNvIefVT32JE

Re: DNSSEC and secondary DNS servers

On 9 Sep 2018, at 14:58, Mark Elkins wrote: > Umm... this initially looks great but something is seriously strange. The > first numerical value after DS should be the Key ID (or Key Tag). I really > doubt that you would (randomly) create two different DNSKEY records with > sequential Key-ID's

Re: Cause BIND 9.10.6-P1 running dnssec to update zone A record

On 2018-03-29 (11:58 MDT), Kim Culhan wrote: > > Made a change to an ip address in an A record and bind is still showing the > old > address. > Updated the serial and it doesn't show the new serial either. > > How can I get bind to update from the data in the zone file? > >

Re: Odd behavior on a secondary server

On 2018-03-22 (08:13 MDT), John Miller wrote: > > Is this normal or am I missing something. It is normal. It is confusing, but it is normal. -- Traveling through hyperspace ain't like dusting crops, boy. ___ Please visit

Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

On Feb 28, 2018, at 09:57, G.W. Haywood via bind-users wrote: > On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote: >> Good morning, I'm trying to make it more difficult for an attacker to >> get my DNS server version. > > Waste of time. The attacks are

Re: BIND and UDP tuning

On 30 Sep 2018, at 09:59, Alex wrote: > It also tends to happen in bulk - there may be 25 SERVFAILs within the > same second, then nothing for another few minutes. That really makes it seem like either you modem or you ISP is interfering somehow, or is simply not able to keep up. -- 'Who's

DNSEC and Bin 9.12

A couple of questions First, guides on setting up DNSSEC say to add dnssec-lookaside auto; in the options, but bind repots an error: /usr/local/etc/namedb/named.conf:35: dnssec-lookaside 'auto' is no longer supported Does this mean the entire declaration is not supported, or that auto should

Re: DNSEC and Bin 9.12

On 21 Jan 2019, at 13:49, Mark Andrews wrote: Thanks for the info on the first two questions. >> Third, what does “not at top of zone” mean in dnssec-verify? > > Some record that should have been at the zone’s apex (name) wasn’t. Either > you passed the wrong > zone name to dnssec-verify or

Re: DNSEC and Bin 9.12

On 26 Jan 2019, at 12:20, @lbutlr wrote: > I then removed "auto-dnssec maintain" and "inline-signing yes" from the zone > record in name.conf and now everything is behaving as expected when I query > localhost for the DNSSEC info. I should have said, I have upd

Re: DNSEC and Bin 9.12

On 26 Jan 2019, at 12:55, Alan Clegg wrote: > With the appropriate trust anchors in place, data in the zone validates. Everything appears to be working locally at this point, including with "auto-dnssec maintain;" which I swear was not working a few hours ago. Perhaps I tyoped. > Does this

Re: Freeze/thaw and signed zone files

On 23 Feb 2019, at 14:45, Mark Andrews wrote: > On IPv6 why wouldn’t you support it? Our ISP does not support it. We get 5 static IPv4 addresses and no IPv6 at all. -- Critics look at actresses one of two ways: you're either bankable or boinkable.

Re: Freeze/thaw and signed zone files

On 22 Feb 2019, at 12:28, @lbutlr wrote: > ; Communication with ::1#53 failed: timed out I am still getting this error whenever I try to make a change in the zone with nsupdate -l, should I not worry about it? I mean, the records appear to be updating… 路‍♀️ -- First we must ass

Re: Freeze/thaw and signed zone files

On 22 Feb 2019, at 12:12, Tony Finch wrote: > Get it from the link above, if you want :-) Doh! OK, got it, installed it, changed the path to perl, and that’s pretty slick. -- "I don't think the kind of friends I'd have would care.” ___ Please visit

Re: Freeze/thaw and signed zone files

I did try manually updating vi nsupdate -l > zone example.com > update add example.com. 86400 IN SOA ns1.example.net. admin.example.com. > 2019022200 3600 300 1209600 3600 > update add konamicode.example.com. 86400 IN CNAME www.example.com. > send ; Communication with ::1#53 failed:

Re: Freeze/thaw and signed zone files

>> OK, but rndc flush example.com results in: >> rndc: 'flush' failed: not found > > *FACEpalm* > > I'm sorry. I gave you the wrong command. You want "sync", not "flush". My > brain always thinks "flush the journal to disk" when it's really supposed to > be "sync the journal to disk". You

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

On 17 Mar 2019, at 15:52, Grant Taylor via bind-users wrote: > If the consensus is that the new behavior is desired, I would hope ~> expect > for a survey of the BIND user community like I've seen in the past about > removing / significantly altering functionality. I disagree. I'd prefer the

Re: Selective forwarding?

> On 29 Jan 2019, at 00:25, ObNox wrote: > > On 24/01/2019 10:26, Sam Wilson wrote: > Note: I'm assuming a zone expiry of a week to a month. I think that would accommodate most outages. >>> >>> I thought of that too :-) A week would be far enough in my case. >> Be careful of

DNSSEC setup hint

This may be obvious to everyone else, and it may be documented somewhere in large letters with circles and arrows, but it was a surprise to me. key-directory in named.conf refers to the location for the .private key files, the .key files need to go with the domain conf files. (At least if there

Re: Dnssec setting resolving weird

On 30 Jan 2019, at 14:21, Ismael Suarez wrote: > This is puzzling me big time. Maybe I’m missing something obvious. Don’t know. There must be something in the logs? -- 'I don't see why everyone depends on me. I'm not dependable. Even I don't depend on me, and I'm me.’

Refresh of the .signed DNSSEC file?

Based having update-policy local; auto-dnssec maintain; in the zone, when I make changed to example.com I was expecting that example.com.signed will be refreshed. This doesn’t seem to be happening. I just went through several domains and changed the serial number and removed an old subdomain

Re: Refresh of the .signed DNSSEC file?

On 02 Feb 2019, at 06:34, Alan Clegg wrote: > when you make changes with "nsupdate -l", does the right thing happen? Hmm. I don’t know, I’ve never done that. Trundles off to read the nsupdate man page. -- W is for WINNIE embedded in ice X is for XERXES devoured by mice

incorrect section name: $ORIGIN

Here is a domain zone file for example.com which is hosted by covisp.net: $ORIGIN . $TTL 86400 ; 1 day example.com. IN SOA ns1.covisp.net. admin.example.com. ( 2019020100 ; serial 300; refresh (5 minutes)

Re: incorrect section name: $ORIGIN

On 4 Feb 2019, at 05:34, Tony Finch wrote: > nsupdate doesn't take zone files as input; OK, then how do I get Bind9.122 to update the .signed files? -- Can't seem to face up to the facts Tense and nervous and I can't relax Can't sleep, bed's on fire Don't touch me I'm a real live wire

Re: incorrect section name: $ORIGIN

> On 5 Feb 2019, at 04:57, Tony Finch wrote: > > @lbutlr wrote: >> >> OK, then how do I get Bind9.122 to update the .signed files? > > Did you see my previous message? I did not, sorry. > https://lists.isc.org/pipermail/bind-users/2019-February/101335.html

Re: DNSEC and Bin 9.12

On 21 Jan 2019, at 12:32, @lbutlr wrote: > A couple of questions I’d like to thank everyone who helped out on this, got it all sorted, added to the registrar, and it is all working, Now to do it for all the other domains. :) -- The most perfidious way of harming a cause consists of defend

Updating to 9.14

Currently running latest release of Bind 9.12, which is now EOLed and want to move to 9.14. I was looking on google for update "bind9.12" "bind 9.14" But did not find anything of use. I did find the 9.14 announcement, but there isn't a link there to release notes. I know there has been at

Re: A policy for removing named.conf options.

On 13 Jun2019, at 17:48, Browne, Stuart via bind-users wrote: > For options that have passed their warning phase and have been removed, I'm > all for BIND failing to start and named-checkconf erroring out , rather than > quietly ignoring them. Yes, I think this is the best way, otherwise

Re: Should we remove the DLV code?

On 22 May 2019, at 23:31, Evan Hunt wrote: > One possible reason is distribution of trust anchors for a private corporate > domain. Aren't there better days to do this? Or at least other ways to do this? Anything to make bind leaner and meaner and with fewer LOCs seems like a plus to me.

nsupdate reject

Trying to update some DNS under a relatively newly installed bin 9.14 with nsupdate. I have a file admin.key that looks basically like this: key "rndc-key" { algorithm hmac-sha256; secret "SECRETSTUFF="; }; This is the same key block that is in named.conf. I am launching NSLOOKUP

Re: nsupdate reject

On 19 May 2019, at 18:27, @lbutlr wrote: > This is the same key block that is in named.conf. I am launching NSLOOKUP > with -k admin.key, but when I try to make a change and then "send", I get > "update failed: REFUSED." I found a page that recommended adding a dd

Re: nsupdate reject

On 20 May 2019, at 16:21, Noel Butler wrote: >allow-update { key "keyname"; }; Ah, no I did not. The instructions I found, as I mentioned in a later post, were to add grant dons-key. iOS this a change in 9.14, because I did not have to do this in 9.12? > and nsLOOKUP ? Just a thinko.

Re: nsupdate reject

On 20 May 2019, at 20:45, @lbutlr wrote: > > On 20 May 2019, at 16:21, Noel Butler wrote: >> allow-update { key "keyname"; }; > > Ah, no I did not. The instructions I found, as I mentioned in a later post, > were to add grant dons-key. iOS this a change

Re: Bind > 9.12 Will Not Start On FreeBSD

On 27 Apr 2019, at 16:21, Tim Daneliuk wrote: > Why is 9.12+ now suddenly so grumpy about who owns the files? Is this a > recent fix to reduce the attack surface on files owned by root? Pretty sure. I thought it was mentioned in the 9.12 release notes, but now I can't find it. -- One of

Re: Bind and HTTPS?

On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users wrote: > On 11/7/2019 15:35, Tony Finch wrote: >> Lefteris Tsintjelis via bind-users wrote: >>> >>> Why would you want something like that? >> https://datatracker.ietf.org/wg/dprive/about/ > > If you are willing to sacrifice speed.

Bind and HTTPS?

Is it possible to setup bind to use DOH (FNS over HTTPS) rather than unencrypted DNS lookups? Our in addition to? -- 'An appointment is an engagement to see someone, while a morningstar is a large lump of metal used for viciously crushing skulls. It is important not to confuse the two.’

Re: max file size or line count for BIND zone file

On 25 Apr 2019, at 06:10, Martin Meadows via bind-users wrote: > > ns ms,sans-serif">Wondering if anyone is aware of a max file size or max nu= > mber of lines that a given BIND zone file can contain?=C2=A0 s=3D"gmail_default" style=3D"font-family:comic sans ms,sans-serif"> v> f">Thanks, s

Re: Advice on balancing web traffic using geoip ACls

On 22 Feb 2020, at 18:25, Scott A. Wozny wrote: > I’m setting up hot-hot webserver clusters hosted on the west and east coasts > of the US and would like to use Bind 9.11.4 I’d consider changing that version. While Bind 9.11 *is* still supported, it is EOL at the end of this year. If you

Bind 9.14 and bind-tools 9.16

With my install of bind 9.14 bindtools 9.16.0 was also installed. This version is missing some (legacy) algorithms that I am still using on my system, specifically hmac-sha256 dnssec-keygen [options] name Version: 9.16.0 name: owner of the key Options: -a : RSASHA1 |

Re: Batch updating all DNS records on my Bind server

On 18 Apr 2020, at 09:34, Reindl Harald wrote: > Am 18.04.20 um 17:23 schrieb @lbutlr: >> Is it possible to batch update all the domains? Looking at nsupdate it looks >> like I have to step through and do every domain individually. > well, where is the issue iterate all your

Batch updating all DNS records on my Bind server

We are making some changes to our NSP account and the NSP is threatening to change our IP block. This means I will have to update all the domains on the system (all using DNSSEC). We are still arguing with them since there is no technical reason for forcing this change on us, but chances are

Re: DoH plugin for BIND

On 29 Apr 2020, at 14:19, Tony Finch wrote: > DoT is easier since you only need a raw TLS reverse proxy, and there are > lots of those, for example, nginx: DOH is better because it cannot be blocked without blocking all https traffic. (FSVO of better, of course. I am sure there is a vi/emacs

Re: forwarders used in order or based on RTT ?

On 16 Oct 2020, at 08:36, Bob Harold wrote: > That is certainly not obvious. How do I request improving the manual? > > "in turn" would seem to imply "in order", and the order would logically be > the order I listed them.] I disagree. In turn means one is tried, then if that fails the next is

Re: Malformed transaction errors

On 19 Oct 2020, at 00:54, Matus UHLAR - fantomas wrote: > On 18.10.20 11:00, @lbutlr wrote: >> I am getting the following error on one specific domain and I am unsure how >> to fi it. Searching for the error lead to suggestions about not running >> multiple copies of bin

Malformed transaction errors

I am getting the following error on one specific domain and I am unsure how to fi it. Searching for the error lead to suggestions about not running multiple copies of bind on the same machine, but that is not the case here (and it is only affecting one domain). named[652] malformed

Re: Malformed transaction errors

On 19 Oct 2020, at 08:57, Bob McDonald wrote: > When you talk about "putting the .jnl file aside" what are you doing? > Stopping named THEN deleting the .jnl file? I did not delete the file. I stopped named and moved the file, then restarted named. After everything seemed to be working, then I

Sudden DNS issues

Getting these in the logs: named[652] malformed transaction: managed-keys.bind.jnl last serial 1204 != transaction first serial 1159 named[652] managed-keys-zone: keyfetch_done:dns_journal_write_transaction -> unexpected error named[652] managed-keys-zone: error during managed-keys processing

Re: Sudden DNS issues

On 23 Sep 2020, at 19:19, @lbutlr wrote: > named[652] malformed transaction: managed-keys.bind.jnl last serial 1204 != > transaction first serial 1159 > named[652] managed-keys-zone: keyfetch_done:dns_journal_write_transaction -> > unexpected error > named[652] managed-keys-

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

On 21 Jul 2020, at 06:37, Mark Andrews wrote: > On 21 Jul 2020, at 18:23, @lbutlr wrote: >> >> Bind is a poor choice for desktop use. Packages like unbound are much better >> for that sort of use, and it is fr less critical if those packages have >> security issue

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

On 17 Jul 2020, at 11:56, Ted Mittelstaedt wrote: > In fact, the ONLY reason that the name "bind9" was ever even coined > at all was because the changes from bind8 both in the syntax of the > config file and how the program operated they wanted to boot admins > in the behind to get them to change

Re: $INCLUDE Kexamle.com.+007...

On 05 Jul 2020, at 10:12, Tony Finch wrote: > @lbutlr wrote: > >> When a domain configuration file contains an include line for the key, >> where is that include looking for the key file? > > ... good question, I have avoided having to find that out ... Heh. > So

Syntex for primary/secondary

When seeing up a secondary zone what do I replace # with in following (the old syntax was masters instead od master, so I am guessing it needs a new keyword)? zone "example.com" { type secondary; # { 192.168.10.1; }; file "/var/lib/bind/db.example.com"; }; in

Re: unknown option 'trust-anchors'

On 05 Jul 2020, at 07:51, @lbutlr via bind-users wrote: > mail # rndc reload > rndc: 'reload' failed: failure > mail # tail /var/log/messages > Jul 5 07:41:24 mail.covisp.net named[53940] > /usr/local/etc/namedb/bind.keys:29: unknown option 'trust-anchors' > Jul 5 07:41:

Dumb Question is an A or AAAA record required?

Given a domain that is hosted and used for email and web, is an A record for that domain actually required? That is, if bob.tld is hosted by example.com can you simply have NS ns1.example.com NS ns2.example.com MX mx.example.com www CNAME www.example.com Without

Re: Bind 9.16.x won't start from systemd

On 08 Jul 2020, at 05:03, Adrian van Bloois wrote: > When I try to start bind 9.16.x from systemd it fails not being able to > find something. … > What could be the problem??? Not really possible to guess without the error message. -- "Are you pondering what I'm pondering?" "I think so,

Re: issue in bind installation

On 06 Jul 2020, at 22:00, ShubhamGoyal wrote: > I am installing bind latest version with additional feature , it gave me > "configure: error librpz.so and dlopen needed for dnsrps" error. > I am searching for that error but i did not find the solution. You have configured bind for dnsrps

Re: Fun with nsudpate and ac1.nstld.com

On 06 Jul 2020, at 17:59, Mark Andrews wrote: > Nsupdate can normally determine the name of the zone that has to be updated > so most of the time you don’t need to specify the zone. There are a few > cases, like when adding delegating NS records or glue to the parent zone you > have to

Re: scripts-to-block-domains

On 14 Jul 2020, at 00:31, MEjaz wrote: > Please do not post images. Copy and paste the text. (Over 100 lines of quoted lines with no content deleted) -- I WILL NOT BARF UNLESS I'M SICK Bart chalkboard Ep. 8F15 ___ Please visit

$INCLUDE Kexamle.com.+007...

When a domain configuration file contains an include line for the key, where is that include looking for the key file? I'm in a situation where the keys seems to work fine for updating DNSSEC, but nsdiff complains the key file is not found. Obviously something in named.conf or the domain file

Re: issue of Amplification attack

On 12 Jul 2020, at 06:28, Matus UHLAR - fantomas wrote: >> On 7/12/20 6:23 AM, ShubhamGoyal wrote: >>> I am thinking to stop or drop ANY type queries from our DNS Recursive >>> resolver , so please tell me how can we drop or stop ANY type queries from >>> bind. Don't do this. > On 12.07.20

Re: your mail

On 28 Jun 2020, at 09:13, Matus UHLAR - fantomas wrote: >> zone "abc.com" { >> type forward; >> forwarders {1.1.1.1;}; > > of 1.1.1.1 is IP of nameserver for abc.com, you should better configure it > as "type stub" or "type static-stub". 1.1.1.1 is a DNS resolver for Cloudflare and

Re: DNS security, amplification attacks and recursion

On 07 Jul 2020, at 08:06, Tony Finch wrote: Excellent post, and a nice summary of some best practices. I have a couple of questions. > Response rate limiting is very effective. Start off by putting the > following in your options{} section, and look in the BIND ARM for other > directives you

Re: DNS security, amplification attacks and recursion

On 07 Jul 2020, at 12:06, Michael De Roover wrote: > On 7/7/20 4:06 PM, Tony Finch wrote: > >> max-udp-size 1420; >> https://dnsflagday.net/2020/ > Interesting, I wasn't aware of this campaign. I don't know if I'm > knowledgeable enough on UDP to be able to make educated decisions on

Re: DNS Misconfiguration on- http://cyberia.net.sa/

On 05 Jun 2020, at 04:10, Jukka Pakkanen wrote: > Thx for the info, had missed this one and actually we have that minor > misconfiguration too. Have had since 1995 when started our nameservers and > never noticed… If it makes you feel better, it wasn't an error in 1995. I remember removing

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

On 20 Jul 2020, at 10:09, tale wrote: > And for what it's worth, not all systems moved away from "named" to > "bind9". I've been running FreeBSD for decades, and I can't remember > ever calling the service "bind9". The service is always named, the package is bind. I stopped adding the 9 many

Fun with nsudpate and ac1.nstld.com

Trying to verify that I can make changes with nsupdatem and running into something I don’t understand. mail # nsupdate -k admin.key > zone name covisp.net > update delete ns1.covisp.net. INA 65.121.55.42 > update add ns1.covisp.net. 3601 INA 65.121.55.42 > send ;

Re: Fun with nsudpate and ac1.nstld.com

On 06 Jul 2020, at 16:47, Kevin Darcy wrote: > You didn't dot-terminate covisp.net in the "zone" statement Ow! Sigh. -- The whole thing that makes a mathematician's life worthwhile is that he gets the grudging admiration of three or four colleagues

Re: Abour RRL and Best Practise

On 27 Nov 2020, at 00:00, Onur GURSOY wrote: > Hello Everyone, Oh, come on! -- "Are you pondering what I'm pondering?" "Wuh, I think so, Brain, but if we didn't have ears, we'd look like weasels." ___ Please visit

Quick dynamic DNS?

Give that I have a authoritative bind9 server for example.com and given that I have a home connection that is (technically) dynamic home.example.com what is the easiest way for me to automatically update the DNS on the rare occasions that it changes? The example.com domain is setup with DNSSEC

Re: Quick dynamic DNS?

On 23 Dec 2020, at 21:23, Grant Taylor via bind-users wrote: > On 12/23/20 6:53 PM, @lbutlr wrote: >> Give that I have a authoritative bind9 server for example.com and given that >> I have a home connection that is (technically) dynamic home.example.com what >> is t

Re: Forwarded lookup failing on no valid RRSIG

On 18 Dec 2020, at 10:56, Nicolas Bock wrote: > ;; ANSWER SECTION: > com. 63779 IN DS 30909 8 2 > E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 > In other words, the forwarder returns a Delegation Signer > record but not an RRset Signature record. Presumably that > means

Updating a DNSSEC config to use a different algorithm

I've been using alg-7 for DNS, but that is no longer recommended. How difficult is it to change the signing algorithm and what is the process (Bind 9.16.11)? -- "He raised his hammer defiantly and opened his mouth to say, "Oh, yeah?" but stopped, because just by his ear he heard a

Re: Updating a DNSSEC config to use a different algorithm

On 01 Feb 2021, at 07:14, Matthijs Mekking wrote: > Depends on what your DNSSEC configuration is. Are you using > dnssec-signzone/named? auto-dnssec maintain? inline-signing? dnssec-policy? > dnssec-keymgr? These are all good questions, and when I set this up I could have answered with some

Re: Updating a DNSSEC config to use a different algorithm

On 02 Feb 2021, at 07:36, Matthijs Mekking wrote: > If the PDF is not working for you, perhaps https://bind9.readthedocs.io/ > suits you better? The PDF works fine, and I can search for "dnssec" and "policy" but it is using some emdash or similar character for the - in between which makes

Re: Updating a DNSSEC config to use a different algorithm

On 02 Feb 2021, at 02:23, Matthijs Mekking wrote: > 1. Create a dnssec-policy that matches your current keys (so in your case > algorithm 7, also make sure you use the same length). > > So I guess something like: > >dnssec-policy alg13-ksk-unlimited-zsk-60day { >keys { >

$INCLUDE in zone file?

Is the mechanism of using $INCLUDE in the zone file still used? If so, do I need to update the when moving to a new alg method or are they only used when initially creating a signed zone file or are they no longer needed at all? -- 'I'll tell you this!' shouted Rincewind. 'I'd rather trust

non-improving referral

I've been getting a few errors along these lines (bind 9.16.18), the IPs changes, but I don't know what "non0improving referral" means or if I should be concerned. DNS format error from 64.70.78.82#53 resolving ok.contact/NS for 127.0.0.1#16749: non-improving referra This IP is owned bv

Re: non-improving referral

On 2021 Jul 05, at 18:20, Mark Andrews wrote: > On 6 Jul 2021, at 06:40, @lbutlr wrote: >> DNS format error from 64.70.78.82#53 resolving ok.contact/NS for >> 127.0.0.1#16749: non-improving referra > > This is an error with the delegation of ok.contact. The NS records

Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

On 29 Apr 2021, at 05:35, Ondřej Surý wrote: > * Windows now has WSL2 > (https://docs.microsoft.com/en-us/windows/wsl/install-win10) that can be used > to run BIND 9 natively I'd suggest this be the first listed reason as it pretty much makes all the other reasons irrelevant. OTOH, I don't

Re: CVE-2021-25216

On 30 Apr 2021, at 08:21, Jordan Tinsley wrote: > Is BIND 9.11.6 (Extended Support Version) vulnerable? > > Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version) > vulnerable? The CVE descriptions indicates both of those versions are vulnerable. "In BIND 9.5.0 -> 9.11.29 …

Re: DNSSEC upgrade

On 30 Apr 2021, at 12:15, Tony Finch wrote: > > dig +ttlunits example.com ds @$(dig +short com ns | head -1) I update the last of my zones over a month ago and they are still showing alg-7. The longest TTL int e zone files is 2w, but we're 29 days in. Te signed file has

DNSSEC and NSEC missing ZSK?

I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand. #v+ # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed Loading zone 'example.com' from file

Re: DNSSEC and NSEC missing ZSK?

> On 08 Feb 2021, at 07:24, Matthijs Mekking wrote: > > Hi, > > On 08-02-2021 12:20, @lbutlr wrote: >> I feel I am getting close. I got the digest generated for hover.com and >> updated the DNS on the test zone, but I am getting errors on verify that I

  1   2   >