Re: Zones-unable-update

2020-01-08 Thread Alan Clegg
On 1/6/2020 4:09 AM, Fajar A. Nugraha wrote: zone "kalam.com.sa" { type slave; ... masters { 212.119.92.5; }; }; How many IPs, and what IPs, did you put on the masters there? It should only be ns1 (the master). If you put two, change

Re: Can i remove @0x in my log query message, bind 9.11

2019-11-04 Thread Alan Clegg
On 11/4/2019 5:57 AM, Tony Finch wrote: Nguyen Huy Bac wrote: So, my question is: Can and How to remove @0x in my log query message. There is no convenient way. You have to apply this patch: diff --git a/lib/ns/client.c b/lib/ns/client.c index f16ece8c49..7861f12084 100644 ---

Re: DNSSEC

2019-10-25 Thread Alan Clegg
On 10/25/2019 5:26 AM, Ritah Mulinde wrote: > Hello All > kindly post the procedure for enabling dnssec on bind 9.9.6 running on > OpenSuse 13.2 Step 1: upgrade to a supported version of BIND (see: https://kb.isc.org/docs/aa-00896) Step 2: Follow Tony's advice regarding configuring DNSSEC

Re: Bind-Efficientip

2019-10-20 Thread Alan Clegg
On 10/20/2019 2:09 AM, MEjaz wrote: As you know these days there have been several security threats, so deciding to go with *Efficient iP DDI and DNS Security Solution* https://www.efficientip.com/ You may want to ask what EfficientIP runs under the covers... AlanC

Re: DNS RPZ Protection From DoH

2019-10-02 Thread Alan Clegg
On 10/2/19 8:00 AM, Blason R wrote: > Hmm that is a good idea to block the DOH queries but what I understood > is blocking on perimeter level would be more appropriate. To nullify the abilities of DoH, you can block port TCP/443. That is pretty much guaranteed to keep DoH from working, but you

Re: rndc - sync before reload?

2019-07-14 Thread Alan Clegg
On 7/14/19 8:00 PM, John W. Blue wrote: > Please elaborate on the technical reason why instead of being terse. I'll give a short version: "rndc reload" existed from the early days of BIND with the first notice in CHANGES being [bug] 287 in 9.1.0b1. "rndc sync" came along with [func] 3084 in

Re: Regarding named related issue observed with bind 9.11.5-P4 version

2019-04-11 Thread Alan Clegg
On 4/11/19 9:38 AM, Alan Clegg wrote: > On 4/10/19 3:53 PM, Chandra Rao wrote: >> lrwxrwxrwx 1 root root 6 Apr  2 13:30 /var/run -> ../run > > So, /var/run is a symlink to /var/run. > > That's probably not gonna work too well. Ok, I'm an idiot. Ignore me. (but look

Re: Regarding named related issue observed with bind 9.11.5-P4 version

2019-04-11 Thread Alan Clegg
On 4/10/19 3:53 PM, Chandra Rao wrote: > lrwxrwxrwx 1 root root 6 Apr  2 13:30 /var/run -> ../run So, /var/run is a symlink to /var/run. That's probably not gonna work too well. AlanC

Re: Regarding named related issue observed with bind 9.11.5-P4 version

2019-04-10 Thread Alan Clegg
On 4/10/19 11:10 AM, Karl Lovink wrote: > Alan, > > Are you running bind on a Linux box with apparmor. Check your apparmor > configuration: /etc/apparmor.d/usr.sbin.named. I'm not, but the OP might be.:-) AlanC

Re: Regarding named related issue observed with bind 9.11.5-P4 version

2019-04-10 Thread Alan Clegg
On 4/10/19 10:19 AM, Alan Clegg wrote: > On 4/3/19 5:26 AM, Chandra Rao wrote: >> While launching the named service coming from the latest bind as >> mentioned below, We have observed that it's is not able to create >> "/var/run/named" directory with the

Re: Regarding named related issue observed with bind 9.11.5-P4 version

2019-04-10 Thread Alan Clegg
On 4/3/19 5:26 AM, Chandra Rao wrote: > While launching the named service coming from the latest bind as > mentioned below, We have observed that it's is not able to create > "/var/run/named" directory with the named user in the cluster. Due to > this we are not able to store the files "named.pid"

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-04-02 Thread Alan Clegg
On 4/2/19 6:00 PM, Sam Wilson wrote: >> During a cleanup of other code (specifically named-checkconf), code was >> changed that enforced what was believed to have been the default >> previously: specifically, allow-update was only allowed in zone stanzas. > > Can I ask who believed it was

Last Chance! Was: Re: Whither the statistics? Request from ISC for your input.

2019-03-27 Thread Alan Clegg
Coming up on the end of this opportunity for input. This is a great chance to help us out! On Saturday, I'll share some interesting info about this request for input! Alan Clegg, ISC On 3/23/19 4:04 PM, Alan Clegg wrote: > Some of you have already seen this and I thank you for your respon

Whither the statistics? Request from ISC for your input.

2019-03-23 Thread Alan Clegg
Some of you have already seen this and I thank you for your responses! I'm now opening the question up to the entirety of BIND users. I've been asked to lead a discussion next weekend on "what statistics our users really care about". I'd like to get the presentation done by Friday, so if you

9.14.0 now available

2019-03-22 Thread Alan Clegg
For those of you (like me) that may not be on the -announce list, I would like to make you aware of the following: https://lists.isc.org/pipermail/bind-announce/2019-March/001122.html AlanC

Re: ISC BIND 9.12.3-P1 Question re: DNSSEC Zone Signing

2019-03-18 Thread Alan Clegg
On 3/18/19 7:33 PM, LeBlanc, Daniel James wrote: > I have a pair of ISC BIND 9.12.3-P1 servers that are configured as > slaves to a pair of Hidden Master servers.  The Hidden Masters are a > proprietary product and unfortunately when used to sign the zones, the > SOA records are not populated as

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-18 Thread Alan Clegg
On 3/17/19 10:43 PM, Grant Taylor via bind-users wrote: > On 3/17/19 6:31 PM, Alan Clegg wrote: >> The change was an unintended consequence ending up in what was thought >> to have been the correct behavior all along, so.. Yes. >> >> How many zones are you authoritative

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-18 Thread Alan Clegg
on, 18 Mar 2019, or possibly earlier, Alan Clegg wrote: > >> The change was an unintended consequence ... > > Please try not to let things like that escape into the wild, and > please, please, NEVER turn them into deliberate actions purely for > your own convenience.  If this m

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-17 Thread Alan Clegg
On 3/17/19 5:52 PM, Grant Taylor via bind-users wrote: > On 3/17/19 2:37 PM, Alan Clegg wrote: >> It turns out that this series of changes, taken as a whole, removed >> allow-update as a global option. > > That sounds like either an unintended consequence -or- a ch

allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-17 Thread Alan Clegg
On 3/17/19 2:51 PM, Alan Clegg wrote: > On 3/17/19 7:13 AM, Stephan von Krawczynski wrote: >> Hello all, >> >> I am using "BIND 9.13.7 (Development Release) " on arch linux. Up >> to few days ago everything was fine using "certbot renew". I

Re: bind and certbot with dns-challenge

2019-03-17 Thread Alan Clegg
ort these "collapses"? This is the type of thing that tends to happen when your distribution runs "Development Release" code. > Nevertheless there are some things that can be enhanced quite a bit. Tell us! Help us! Together we can be stronger! Alan Clegg, ISC

Re: DNS load balancing: UDP or TCP ?

2019-02-20 Thread Alan Clegg
On 2/20/19 10:22 AM, Alan Clegg wrote: > On 2/20/19 7:55 AM, Roberto Carna wrote: > >> DNS clients send a UDP query to a DNS server, if no response is received >> until some seconds, then they try with UDP. >> You tell me this is not true, just clients try with UDP is the

Re: DNS load balancing: UDP or TCP ?

2019-02-20 Thread Alan Clegg
On 2/20/19 7:55 AM, Roberto Carna wrote: > DNS clients send a UDP query to a DNS server, if no response is received > until some seconds, then they try with UDP. > You tell me this is not true, just clients try with UDP is the response > is truncated. Tony is correct, the first paragraph above

Re: Forward zone inside a view

2019-02-07 Thread Alan Clegg
On 2/7/19 2:30 PM, Roberto Carna wrote: > Dear, thanks for your contact. I've used teamviewer.com > just for tests. > > Desktops I mentioned can only access to web apps from internal domains, > but in some web apps there are links to download Teamviewer client > software

Re: incorrect section name: $ORIGIN

2019-02-04 Thread Alan Clegg
On 2/4/19 9:47 AM, Alan Clegg wrote: > On 2/4/19 7:03 AM, @lbutlr wrote: > >> # nsupdate -d -v -l example.com >> Creating key... >> namefromtext >> keycreate >> incorrect section name: $ORIGIN > > I'd recommend that you use nsupdate in interactive m

Re: incorrect section name: $ORIGIN

2019-02-04 Thread Alan Clegg
On 2/4/19 7:03 AM, @lbutlr wrote: > # nsupdate -d -v -l example.com > Creating key... > namefromtext > keycreate > incorrect section name: $ORIGIN I'd recommend that you use nsupdate in interactive mode first. --SNIP-- root@svlg-gateway:/etc/namedb# nsupdate -l > update add funnyrecord.boat

Re: Refresh of the .signed DNSSEC file?

2019-02-02 Thread Alan Clegg
On 2/2/19 7:54 AM, @lbutlr wrote: > Based having update-policy local; auto-dnssec maintain; in the zone, > when I make changed to example.com I was expecting that > example.com.signed will be refreshed. > > This doesn’t seem to be happening. > > I just went through several domains and changed

Re: SSHFP observation

2019-01-31 Thread Alan Clegg
On 1/31/19 7:19 PM, Mark Andrews wrote: >> Question: How does named (actually 'dig') know that any given data (in >> this case "AA") can't be a fingerprint? >> Difficulty: You are only allowed to use the information provided in RFC >> 4255 and errata in your answer. > > Mathematics. I’ll

Re: SSHFP observation

2019-01-31 Thread Alan Clegg
On 1/31/19 6:44 PM, Lee wrote: > On 1/31/19, Alan Clegg wrote: >> On 1/31/19 4:57 PM, Mark Andrews wrote: >> >>> Given type 1 is a SHA-1 fingerprint it isn’t legal. Named just >>> hasn’t added type to length to the parsing code. >>> >>> No r

Re: SSHFP observation

2019-01-31 Thread Alan Clegg
On 1/31/19 4:57 PM, Mark Andrews wrote: > Given type 1 is a SHA-1 fingerprint it isn’t legal. Named just > hasn’t added type to length to the parsing code. > > No real SSHFP will be 1 octet long. While I agree that it's junk, the RFC doesn't give the DNS software the ability to make that

Re: SSHFP observation

2019-01-31 Thread Alan Clegg
On 1/31/19 2:16 PM, Alan Clegg wrote: > Ok, fair point. I'll bring it up with the BIND team. > > If I don't return in 2 weeks, send in a search party. After a bit of discussion: https://gitlab.isc.org/isc-projects/bind9/issues/852 has been re-opened. I still think it's a junk fi

Re: SSHFP observation

2019-01-31 Thread Alan Clegg
On 1/31/19 1:12 PM, Matus UHLAR - fantomas wrote: > On 31.01.19 12:33, Alan Clegg wrote: >> These are not valid SSH Fingerprints. >> >> Garbage in, garbage out. >> >> I see no bug. > > well, either BIND should reject those records as invalid and not to

Re: SSHFP observation

2019-01-31 Thread Alan Clegg
On 1/31/19 12:30 PM, rams wrote: > Thank you Mukund, Jim and Alan for looking at my issue. > > We are seeing the issue only when the sshfp fingerprint value is less than 4 > characters. > > It is working fine with values of >=4 characters. These are not valid SSH Fingerprints. Garbage in, garbage out. I see no

Re: Fwd: SSHFP observation

2019-01-31 Thread Alan Clegg
On 1/31/19 10:56 AM, Jim Popovitch via bind-users wrote: > est1.ramesh-sshfp.com. 86400   IN  SSHFP 1 1 aa > test2.ramesh-sshfp.com. 86400   IN  SSHFP 1 1 00 When I use these exact lines (with the "aa" and "00"), I get just what he did. When I use lines with correct SSHFP values, they work fine:
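The SSHFP thread above turns on one point: for fingerprint type 1 (SHA-1) the fingerprint must be 20 octets and for type 2 (SHA-256) 32 octets, so "aa" and "00" cannot be real fingerprints even though they parse as hex. The checker below is an added example written for this page; it is not BIND code and not code from anyone in the thread. It takes SSHFP records in presentation format, applies the type-to-length rule from RFC 4255 and RFC 6594 that the thread says named does not enforce, and can also build a record from a public-key blob the way ssh-keygen -r does. The algorithm table (RFC 4255, 6594, 7479, 8709) and the record lines in the test are the assumptions; the key blob is a constructed stand-in, not a real key.

```python
import hashlib
import re

# Fingerprint type -> digest length in octets: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPE_LEN = {1: 20, 2: 32}
# Public-key algorithm numbers from RFC 4255, 6594, 7479 and 8709 (assumed complete enough here).
ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519", 6: "Ed448"}

# Presentation format: owner [ttl] [IN] SSHFP alg fptype hex-fingerprint
SSHFP_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?SSHFP\s+"
    r"(?P<alg>\d+)\s+(?P<fptype>\d+)\s+(?P<fp>[0-9a-fA-F\s]+)$"
)


def check_sshfp(line):
    """Return (ok, reason). ok is True only when the fingerprint length matches
    the digest that the fingerprint-type field claims it is."""
    m = SSHFP_RE.match(line.strip())
    if not m:
        return False, "not an SSHFP record in presentation format"
    alg, fptype = int(m["alg"]), int(m["fptype"])
    fp_hex = re.sub(r"\s+", "", m["fp"])  # hex may be split across whitespace
    if len(fp_hex) % 2:
        return False, "odd number of hex digits"
    fp_len = len(fp_hex) // 2
    if alg not in ALGORITHMS:
        return False, f"unknown algorithm {alg}"
    expected = FP_TYPE_LEN.get(fptype)
    if expected is None:
        return False, f"unknown fingerprint type {fptype}"
    if fp_len != expected:
        return False, f"type {fptype} needs {expected} octets, got {fp_len}"
    return True, "ok"


def make_sshfp(owner, alg, fptype, key_blob, ttl=3600):
    """Build an SSHFP record from a raw public-key blob (the base64-decoded part of an
    authorized_keys line); the digest is what ssh-keygen -r computes for that key."""
    digest = (hashlib.sha1 if fptype == 1 else hashlib.sha256)(key_blob).hexdigest()
    return f"{owner} {ttl} IN SSHFP {alg} {fptype} {digest}"


if __name__ == "__main__":
    # Constructed inputs: the two junk records from the thread and one built from a stand-in blob.
    for rec in ("test1.ramesh-sshfp.com. 86400 IN SSHFP 1 1 aa",
                "test2.ramesh-sshfp.com. 86400 IN SSHFP 1 1 00",
                make_sshfp("host.example.", 4, 2, b"constructed-key-blob")):
        print(check_sshfp(rec), rec)
```

Run it against the output of named-checkzone -D or a dig AXFR dump to find records that will never match any SSH host key; BIND itself will happily load and serve them.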

Re: Bind has a database option instead of zone files?

2019-01-27 Thread Alan Clegg
On 1/27/19 1:42 AM, rams wrote: > Does Bind have a database option to read zones [if zones are in database] > instead of zone files? if yes, how to set it up? can someone help me. A search with the terms "bind backend database" provides a number of resources that might interest you. Now, if you

Re: DNSEC and Bin 9.12

2019-01-26 Thread Alan Clegg
On 1/26/19 2:30 PM, @lbutlr wrote: > On 26 Jan 2019, at 12:20, @lbutlr wrote: >> I then removed "auto-dnssec maintain" and "inline-signing yes" from the zone >> record in name.conf and now everything is behaving as expected when I query >> localhost for the DNSSEC info. > > I should have said,

Re: Named Service

2019-01-22 Thread Alan Clegg
On 1/22/19 10:12 AM, Jordan Tinsley wrote: > Just wondering how to get the named service setup when compiling from > source? I'm kinda old school, but adding "/usr/local/sbin/named" to /etc/rc.local has always worked for me. AlanC

Tuning BIND servers - looking for operational experience

2018-11-28 Thread Alan Clegg
Greetings, BIND Operators! As the maintainers of BIND, ISC is often approached by users of our software asking about tuning for maximized performance. To assist in this, we are working on a number of knowledge base articles and we are asking for community input. The majority of

Re: BIND and UDP tuning

2018-09-28 Thread Alan Clegg
On 9/28/18 9:26 AM, Alex wrote: >> Has your provider enabled qos? I'd bet their dropping packets that >> exceed qos rate limits would be considered "working as expected". > > I asked and they had no idea what that even meant. The technician that > was here replacing the modem also had no idea

Re: My IXFR/AXFR stopped suddenly

2018-07-07 Thread Alan Clegg
On 7/7/18 12:25 AM, Blason R wrote: > Well, I just tried transferring zone using dig and it was successful > from slave > > On slave > dig AXFR block.now @xx.xx.xx.xx > > On master xfer-out.log > > 07-Jul-2018 09:53:11.520 client xx.xx.xx.xx#16129 (immediate.block): > transfer of

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Alan Clegg
On 6/14/18 9:44 AM, Matthew Pounsett wrote: > It just happened again. An included zone file has been changed from > 2 TLSA RRs to one: [...] > This now sounds very different from the original report.  Are you saying > that the zone started with two TLSA records, you changed it to have

Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread Alan Clegg
On 2/28/18 10:57 AM, Bob Harold wrote: > Those instructions assume that the  /etc/bind/named.conf.options file > is 'included' in the main named.conf file. > Just add the "version" line to your named.conf file options section. [...] > So my config file is at: >

Re: SOA settings

2018-02-02 Thread Alan Clegg
On 2/2/18 2:57 PM, Warren Kumari wrote: > Hopefully Lewis knows / understands that we are just squabbling amongst > ourselves because we've known each other for a long time and this is in > good humor. Wait... who are you guys??!? Happy Friday!

Re: DNSTAP output file rolling trouble in BIND 9.12.0rc1

2018-01-02 Thread Alan Clegg
Looks like something that ISC would like to have logged as a bug... And a perfect thing to find in rc1. 8-) AlanC On 1/2/18 3:00 PM, Jay Ford wrote: > I'm having some odd trouble with DNSTAP output file rolling in BIND > 9.12.0rc1. > > I have named built like: >    BIND 9.12.0rc1 >    running

Re: bind-users Digest, Vol 2770, Issue 2

2017-11-21 Thread Alan Clegg
On 11/21/17 12:05 PM, Ron Wingfield wrote: > . . .well, I never expected to get "flamed" as by GED, "/As a general > observation, not knowing what you're doing is dangerous > on the Internet.  Please take some time out of your undoubtedly busy > life to try to ensure that you aren't a menace to

Re: What is wrong with my second $ORIGIN

2017-09-14 Thread Alan Clegg
On 9/14/17 8:35 AM, Reindl Harald wrote: >> so that it doesn't matter whether you have the trailing . or not. >> >> Downside, of course, is that you have to repeat your domain name about a >> gazillion times. > > scripting is the better answer Dynamic zones is the better, better answer. 8-)

Re: Testing...

2017-08-30 Thread Alan Clegg
On 8/30/17 12:44 PM, Tony Finch wrote: > There are reasons I am no longer a postmaster... And they all said Ramen... AlanC

Re: Testing...

2017-08-30 Thread Alan Clegg
On 8/30/17 11:25 AM, Adamiec, Lawrence wrote: > I see your email on the list. Thanks to those that have responded both on- and off-list. It appears that I just don't see my own posts for whatever reason. 8-) [You know how long it's been since I debugged a mailing list issue??!] No additional

Testing...

2017-08-30 Thread Alan Clegg
I don't think I can post to this list for some reason. I'd like to be able to respond to questions, but my responses never seem to show up... this is just a test to see if I am visible on the list. Thanks! AlanC

Re: Can bind works without defining root servers

2017-08-15 Thread Alan Clegg
Root hints have been built in forever. (and that's "forever" in Internet years) On 8/15/17 10:58 AM, Duleep Thilakarathne wrote: > Hi, > > I can observe, bind can resolve host names without following entry in > named.conf. could anyone help me to understand this default behavior. > > > zone

Re: header intact

2017-07-19 Thread Alan Clegg
But body missing. On 7/19/17 4:30 AM, Moosa Karimulla Shaik wrote: > > > -- > > Thanks > > Moosa Karimulla Shaik. > Cont: +91-9642451252

Re: difference in responses between UDP and TCP

2017-06-15 Thread Alan Clegg
On 6/15/17 6:20 AM, Arun Natarajan wrote: > Hello, > > Wondering why we are seeing different serial numbers from a bind > authoritative server for requests over UDP and TCP. > > dig +tcp soa @ns.example.com example.com > +short > ns1.example.com

Re: Troubleshooting BIND stops responding

2017-03-30 Thread Alan Clegg
On 3/30/17 6:02 AM, Mark Elkins wrote: > Stopping right here, Recursive lookup and Authoritative services are > completely different services - and require different servers > (preferably, though you could run multiple incidents of nameservers on a > single server - but that can get ugly).

Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Alan Clegg
On 2/9/17 8:53 AM, Robert Moskowitz wrote: > > > On 02/09/2017 09:31 AM, Ray Bellis wrote: >> On 09/02/2017 14:28, Robert Moskowitz wrote: >>> I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, >>> I am building this on a new server. I currently do not have DNSSEC >>>

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alan Clegg
On 2/7/17 4:31 PM, Alberto Colosi wrote: > lucky you say > > zombie hosts, hijacked resources and poisoned DNS are not a hack > > In years as Security Desk Seat I had at least one attack from zombie > hosts from a US University. Admins didn't even know it was hacked. > > Target of hackers is not only

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alan Clegg
On 2/7/17 8:42 AM, Alberto Colosi wrote: > IP ports not open does not mean is not hacked. > > a vulnerability can be used to make a change or an access Occam's razor... if you were a hacker and broke into someone's DNS server, would the thing that you focus on be resetting the data every 24

Re: Enforce EDNS

2017-02-07 Thread Alan Clegg
On 2/7/17 3:11 PM, Mark Andrews wrote: >>> Break them. That's the only way it will eventually get fixed >> >> if things would be that easy >> >> the admins of the broken servers are the very last which are affected, >> admins with a recent named have to bite the bullet of user terror and >>

Re: Bind Queries log file format

2017-02-03 Thread Alan Clegg
On 2/3/17 10:45 AM, Mukund Sivaraman wrote: > On Fri, Feb 03, 2017 at 08:51:01AM -0600, Alan Clegg wrote: >> On 2/3/17 8:01 AM, Mukund Sivaraman wrote: >> Adding code to allow enabling or disabling this output on the fly would >> work MUCH better (as an example, see

Re: Bind Queries log file format

2017-02-03 Thread Alan Clegg
On 2/3/17 8:01 AM, Mukund Sivaraman wrote: > We have the debug log level, but consider the case when an operator has > a non-deterministic or rare crash that isn't reproducible because the > operator has no information about what caused it. All we have is the > config, log that was already

Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

2017-01-26 Thread Alan Clegg
On 1/26/17 1:50 PM, Dennis Clarke wrote: > On 01/26/2017 06:39 PM, Alan Clegg wrote: >> On 1/26/17 1:31 PM, Dennis Clarke wrote: >>> The POSIX and XPG4 approach [is a great idea] >> >> (My text in brackets) >> >> Said no one, ever. > >Clearl

Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

2017-01-26 Thread Alan Clegg
On 1/26/17 1:31 PM, Dennis Clarke wrote: > The POSIX and XPG4 approach [is a great idea] (My text in brackets) Said no one, ever. AlanC

Re: Bind Queries log file format

2017-01-25 Thread Alan Clegg
On 1/25/17 7:44 AM, Steven Carr wrote: > On 25 January 2017 at 10:59, Tony Finch wrote: >> It's the address in memory of the data structure representing the client. >> It is mentioned in the CHANGES file (#4471) and in the release notes - see >>

Re: Spurious DNSKEY records on slave

2016-08-19 Thread Alan Clegg
On 8/18/16 1:29 PM, Jim Fenton wrote: > The extra DNSKEY records were not present in the zone file of the master > server, so I reinitiated a zone transfer and this did not help. I > checked the signed zone file on the master with named-checkzone and only > the desired DNSKEY records were there.

Re: OPenssl 1.1 and Bind

2016-08-19 Thread Alan Clegg
On 8/18/16 12:32 AM, Vinícius Ferrão wrote: > OpenSSL 1.0 will continue to be supported. There's no rush to go to 1.1 > release. > > I can't see this as an issue. You've never dealt with "The Doctor" before, have you?

Re: Help required to test some Negative Responses from Bind Server.

2016-06-28 Thread Alan Clegg
SERVFAIL: create a delegation NS record in your zone to a server that isn't authoritative for the zone being delegated. REFUSED: create an ACL that matches (and denies) the query being done NOERROR w/ no RR: query for example.com As for NOTIMP, I'm not aware of an easy path, but I'm

Re: writeable file 'domain.com': already in use

2016-06-16 Thread Alan Clegg
Change where it says: file "foo"; so that you don't have two zones with "foo". AlanC On 6/16/16, 4:16 AM, "Daniel Dawalibi" wrote: >Do you have the correct syntax to be adjusted on both views? > >-Original

Re: native-pkcs11 and smartcard-hsm

2016-05-26 Thread Alan Clegg
I'd like to say a big THANK YOU for the work you are doing on this. I've made a couple of half-hearted attempts at doing exactly what you are doing and never had the time to complete the task - or to document where I got. Once it's all working (and documented), I'll be more than happy to run a

Re: Forward zone not working

2016-05-16 Thread Alan Clegg
On 5/16/16, 6:30 PM, "Mark Andrews" wrote: >Ideally every machine should be registering its own PTR record in >the DNS and addresses without machines shouldn't have PTR records. >The only reason ISP did this is that they were too lazy to manage >PTR records for their customers.

Re: Forward zone not working

2016-05-16 Thread Alan Clegg
On 5/16/16, 5:35 PM, "MegaBrutal" <megabru...@gmail.com> wrote: >2016-05-16 19:45 GMT+02:00 Alan Clegg <a...@clegg.com>: >> On 5/16/16, 1:30 PM, "MegaBrutal" <bind-users-boun...@lists.isc.org on >> behalf of megabru...@gmail.com> wrote: >&

Re: Forward zone not working

2016-05-16 Thread Alan Clegg
On 5/16/16, 1:30 PM, "MegaBrutal" wrote: >I want to have valid reverse & forward hostnames set up >for this /64 subnet. This is silly. Don't do this. AlanC

Re: Nsupdate usage scenario

2016-05-04 Thread Alan Clegg
On 5/4/16, 4:27 PM, "/dev/rob0" wrote: >My personal recommendation: get over the idea of looking at zone >files; use "dig axfr example.com. | less". Let named manage and >serve the DNS data as it will. Comments can be included as

Re: also-notify and nsupdate doesnt work

2016-05-02 Thread Alan Clegg
Aye... I'm sitting here looking for zone transfer use of TSIG... It's too early in the morning. *sigh* On 5/2/16, 10:30 AM, "jo...@hasig.de" wrote: >hi, > > > There's nothing in this part of the configuration that links key usage >to > > the zone. > >sure. the * is. >and the

Re: also-notify and nsupdate doesnt work

2016-05-02 Thread Alan Clegg
On 5/2/16, 10:09 AM, "bind-users-boun...@lists.isc.org on behalf of jo...@hasig.de" wrote: > >1. >zone "abc.net" { > notify yes; > type master; > file "abc.net"; > allow-transfer { any; }; >

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-05-02 Thread Alan Clegg
>On Mon, May 2, 2016, at 07:17 AM, Matthew Pounsett wrote: >> The general procedure is >> 1) use 'rndc freeze ' to stop dynamic updates to the zone >> 2) edit the file >> 3) use 'rndc thaw ' to re-enable dynamic updates >> >> If the zone is not set up to use dynamic updates, then: >> 1)

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-05-02 Thread Alan Clegg
On 5/2/16, 10:17 AM, "Matthew Pounsett" wrote: > > > On 2 May 2016 at 10:05, wrote: >> General question -- >> >> When I want to change a zone file's data manually, say to add an A record, >> what's

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Alan Clegg
On 3/17/16, 10:15 AM, "Ron" wrote: > According to the BIND9 docs: > > cleaning-interval This interval is effectively obsolete. Previously, the >server would remove > expired resource records from the cache every

Re: Database driven ACL

2016-02-29 Thread Alan Clegg
On 2/29/16, 4:04 PM, "/dev/rob0" wrote: >On Mon, Feb 29, 2016 at 11:18:33AM +0200, Ali Jawad wrote: >> Is there a mature/tested method of loading ACLs through a DB query >> instead of editing the config file or reading/writing into a

Re: CVE-2015-7547: getaddrinfo() stack-based buffer overflow

2016-02-17 Thread Alan Clegg
On 2/17/16, 11:34 AM, "Reindl Harald" wrote: >Am 17.02.2016 um 17:22 schrieb Dominique Jullier: >> Are they any thoughts around, how to handle yesterday's glibc >> vulnerability[1][2] from the side bind? >> >> Since it is a

Re: Writeable file already in use

2016-01-05 Thread Alan Clegg
On 1/5/16 6:26 AM, Jan-Piet Mens wrote: >> This might make you sad if you have lots of zones or large zones. > > .. or even just want to look at what was transferred (whitout having to > recurse to a `dig axfr'). > > I see no reason to omit 'file' (except on a diskless slave ;-) I ran into one

Re: SRV Request to DNS

2015-10-14 Thread Alan Clegg
On 10/14/15 11:29 AM, Barry Margolin wrote: > Are there *any* current, well-known protocols that make use of SRV > records to find the port? The examples I've seen just use it to find a > server (analogous to the way MX records are used for mail). I guess it depends on what you define as a

Re: Fwd: problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface

2015-09-29 Thread Alan Clegg
On 9/29/15 5:29 PM, Gordon Lang wrote: > But now the question is whether or not there is a way to make things > work without disabling threads? Does anyone have insight into why > supporting threads might interfere with the normal SUID bit based change > of the effective user id? Did you see

Re: Speeding up DNS change propagation

2015-09-18 Thread Alan Clegg
Remember, however, that if you are clearing YOUR caches by restarting, everyone else around the world is still seeing the data with the original TTL still "in place". The right thing to do is to lower the TTL on the auth servers to an acceptable "outage" value before you make the change, wait for

Re: Troubleshooting Information

2015-08-28 Thread Alan Clegg
On 8/28/15 9:19 AM, Bob McDonald wrote: It appears that receiving an NSID response depends on having server-id set in the options block. However, I'm seeing no way to restrict such queries. You don't have to set the server-id information to anything that an external entity would find

Re: DNS Negative Caching

2015-08-27 Thread Alan Clegg
on the DNS Zone file we have these records $ORIGIN e164.arpa. @ IN SOA picardvm2.e164.arpa. e164-contacts.e164.arpa. ( 2002022404 ; serial 3H ; refresh

Re: DNS Negative Caching

2015-08-27 Thread Alan Clegg
On 8/27/15 10:24 AM, Reindl Harald wrote: I wasn't really following this thread, but now that I see this, I would like to add that the expire timer is also used as the default TTL for resource records that do not have one specified, and if there is not an explicit $TTL statement in the zone

Re: Troubleshooting Information

2015-08-27 Thread Alan Clegg
Has anyone recommended doing debugging via NSID instead of the CH class data? On 8/27/15 12:55 PM, Bob McDonald wrote: If I set this up as follow, it works. view bind chaos { recursion no; allow-query { 127.0.0.1; none; }; zone authors.bind ch { type master; database _builtin

Re: BIND9 Feature Request: 'fowarders' priority round-robin pools

2015-08-24 Thread Alan Clegg
On 8/24/15 3:09 PM, n...@eml.cc wrote: On Mon, Aug 24, 2015, at 11:56 AM, Darcy Kevin (FCA) wrote: So, if your link is saturated to the point that you can't hold up a VPN connection reliably, you fall back to an less-secure method of resolution? No. Actually, yes. That's pretty much

Re: BIND9 Feature Request: 'fowarders' priority round-robin pools

2015-08-24 Thread Alan Clegg
On 8/24/15 3:21 PM, n...@eml.cc wrote: Somehow all that ^ puffery translates into NOT wanting to allow the user to prioritize the use of forwarders the way they want? You are trying to use forwarders in a way that they are not intended, and is not a good idea. That is the translation of all of

Re: Help DNS

2015-08-23 Thread Alan Clegg
On 8/23/15 8:30 PM, Daniel Ryšlink wrote: A few pointers - try to use the recommended MMDDnn format for SERIAL in SOA. Also try not to use nslookup. Half of this I agree with. Half I do not. The serial number is just a number, as long as you increment it, the format is completely up to
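The point in the reply above, that the SOA serial is "just a number" and the YYYYMMDDnn layout is only a convention, rests on how secondaries compare serials: RFC 1982 serial-number arithmetic, in which "newer" means "ahead by less than 2^31 modulo 2^32", so any monotonically increasing scheme works and a serial can even be moved downwards in two published steps. The code below is an added example written for this page, not BIND's implementation and not code from the thread. It implements the RFC 1982 comparison, the transfer decision a secondary makes from it, the date convention, and the two-step serial reduction; the serial values used are constructed.

```python
# RFC 1982 serial-number arithmetic for the 32-bit SOA serial.
MOD = 1 << 32
HALF = 1 << 31


def serial_gt(a, b):
    """True if serial a is 'newer' than serial b under RFC 1982.
    Raises when the two differ by exactly 2^31, which RFC 1982 leaves undefined."""
    a, b = a % MOD, b % MOD
    if a == b:
        return False
    diff = (a - b) % MOD
    if diff == HALF:
        raise ValueError("serials differ by exactly 2^31: order undefined")
    return diff < HALF


def should_transfer(current, offered):
    """The decision a secondary makes on NOTIFY or refresh: transfer only if the
    primary's serial is newer than the one it already holds."""
    return serial_gt(offered, current)


def date_serial(year, month, day, n):
    """The YYYYMMDDnn convention: one way, not the only way, to keep serials increasing."""
    return year * 1_000_000 + month * 10_000 + day * 100 + n


def lower_serial_steps(current, target):
    """Serials to publish, in order, to move from current down to target without
    secondaries ignoring the change. Each hop adds 2^31-1 (the largest step that is
    still 'newer'); the primary must wait for all secondaries to load a hop before
    publishing the next one. At most a few hops are ever needed."""
    steps, cur = [], current % MOD
    for _ in range(4):
        try:
            if serial_gt(target, cur):
                return steps + [target % MOD]
        except ValueError:
            pass  # exactly 2^31 apart; one more hop resolves it
        cur = (cur + HALF - 1) % MOD
        steps.append(cur)
    raise RuntimeError("unreachable: any 32-bit target is reachable within four hops")


if __name__ == "__main__":
    # Constructed scenario: a zone that used a date serial must be reset to a small counter.
    old = date_serial(2020, 1, 1, 0)
    print("transfer on +1:", should_transfer(old, old + 1))
    print("steps to reach serial 1:", lower_serial_steps(old, 1))
```

The practical consequence is the one in the reply: BIND does not care what the digits mean, only that each published serial compares as newer than the last one every secondary saw.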

Re: Block propagation for a specific record A

2015-07-29 Thread Alan Clegg
On 7/29/15 4:59 AM, Job wrote: Hello, for a test page purpose, we would like to avoid propagation only for a specific record A, example: test.domain.com We need to test if users set up our DNS server in ethernet configuration, and they display correctly the test page. But, if

Re: tsig indicates error

2015-07-24 Thread Alan Clegg
Possible problems: Mismatched keys. Mismatched key names. Mismatched clocks. On 7/24/2015 10:52 AM, Managed Pvt nets wrote: Hi All, I have recently built a server to act as a secondary / slave for my zones. Built on Debian 8.1 and running BIND 9.9.5. On trying to transfer zones
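The three causes listed above map onto the three TSIG error codes a server can return (RFC 8945): an unknown key name gives BADKEY, a wrong secret gives BADSIG, and a clock skew beyond the fudge window gives BADTIME, checked in that order, so the code in the "tsig indicates error" log line already says which of the three to look at. The model below is an added example written for this page, not BIND's TSIG code and not from the thread. It is a deliberate simplification: real TSIG computes the HMAC over the whole DNS message plus the TSIG variables in wire format, while this version keeps only the inputs that drive the three failure modes (message, key name, signing time, fudge). The key name, secret, message bytes and timestamps are constructed; the 300-second fudge is what named and dig use by default.

```python
import hashlib
import hmac

# TSIG error codes from RFC 8945.
NOERROR, BADSIG, BADKEY, BADTIME = 0, 16, 17, 18
DEFAULT_FUDGE = 300  # seconds, the named/dig default

# The operational cause behind each code, matching the three possibilities in the reply.
CAUSES = {
    BADKEY: "mismatched key names (server has no key by that name)",
    BADSIG: "mismatched key secrets (or the message was altered in flight)",
    BADTIME: "mismatched clocks (skew larger than the fudge window)",
}


def _mac_input(msg, key_name, signed_at, fudge):
    # Simplified: RFC 8945 signs the full DNS message and the TSIG RDATA fields in wire
    # form. Key names compare case-insensitively, hence the lower().
    return (msg + key_name.lower().encode("ascii")
            + signed_at.to_bytes(6, "big") + fudge.to_bytes(2, "big"))


def tsig_sign(msg, key_name, secret, signed_at, fudge=DEFAULT_FUDGE):
    """Client side: produce the TSIG fields that travel with the message."""
    mac = hmac.new(secret, _mac_input(msg, key_name, signed_at, fudge), hashlib.sha256).digest()
    return {"name": key_name, "time": signed_at, "fudge": fudge, "mac": mac}


def tsig_verify(msg, tsig, keyring, now):
    """Server side, in the order RFC 8945 prescribes: key lookup, MAC check, then time."""
    secret = keyring.get(tsig["name"].lower())
    if secret is None:
        return BADKEY
    expected = hmac.new(secret, _mac_input(msg, tsig["name"], tsig["time"], tsig["fudge"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return BADSIG
    if abs(now - tsig["time"]) > tsig["fudge"]:
        return BADTIME
    return NOERROR


if __name__ == "__main__":
    # Constructed keyring and message standing in for an AXFR request.
    keyring = {"xfer.example.": b"constructed-secret"}
    msg = b"AXFR example. (constructed message stand-in)"
    good = tsig_sign(msg, "xfer.example.", b"constructed-secret", 1_000_000)
    for label, code in (
        ("good", tsig_verify(msg, good, keyring, 1_000_100)),
        ("wrong name", tsig_verify(msg, tsig_sign(msg, "other.example.", b"constructed-secret", 1_000_000), keyring, 1_000_000)),
        ("wrong secret", tsig_verify(msg, tsig_sign(msg, "xfer.example.", b"wrong-secret", 1_000_000), keyring, 1_000_000)),
        ("clock skew", tsig_verify(msg, good, keyring, 1_000_600)),
    ):
        print(label, code, CAUSES.get(code, "ok"))
```

Because the checks are ordered, a BADTIME tells you the name and secret are already right and only the clocks disagree, which is why running NTP on both ends is the usual first fix for a secondary that signs correctly but still fails.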

Re: DNSSEC validation on 9.7.4 not working

2015-06-24 Thread Alan Clegg
I've always recommended either a cache flush or a complete restart of named after turning on DNSSEC. I thought I opened a ticket about this, but probably not. AlanC On 6/24/15 3:46 AM, frnk...@iname.com wrote: Ding-ding-ding -- issuing rndc flushname . did the trick, Mark. I'd encourage

Re: Fwd: Getting an error on a simple DNS configuration

2015-06-03 Thread Alan Clegg
allow-recursion { ... }; not allow-recursion ( ... ); And you need a ; at the end of your list: allow-recursion {207.151.36.0;}; On 6/3/15 5:14 PM, Samad Agha wrote: I put the allow-recursion clause under my options, the #service named restart failed. Where exactly should I place

Re: Suppress log entry...

2015-04-13 Thread Alan Clegg
On 4/13/15 2:08 AM, SH Development wrote: Is there a way to suppress the build information in the log every time BIND restarts/reloads? I’m getting: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix='

Re: Native pkcs#11 and auto-dnssec feature

2015-04-09 Thread Alan Clegg
On 4/9/15 2:58 AM, Catalin Leanca wrote: If the label contains a pin-source field, tools using the generated key files will be able to use the HSM for signing and other operations without any need for an operator to manually enter a PIN. Which,

Re: configured bind 9.10.1 as slave gettting data in binary form

2015-04-09 Thread Alan Clegg
Or you can allow your slave files to remain in binary format (it gives you a roughly factor-4 speedup in loading the files, which can be significant with large zones). When you want to look at the text version, convert them: $

BIND stats into Munin

2015-03-13 Thread Alan Clegg
Are you interested in seeing a nice graph of what your BIND server is doing when you aren't live-streaming the query log? Shumon Huque released (quite a while ago, it seems) a nice Python based plugin for Munin that provides a good view of BIND

Re: Is it possible to have separate query logs for different views?

2015-03-09 Thread Alan Clegg
On 3/9/15 3:04 AM, Peter Olsson wrote: Hello! Is it possible to have separate query logs for different views? I tried putting this in the view block, but it failed with unknown option 'logging': logging { channel logging_query { file

Re: caching-only name server

2015-02-20 Thread Alan Clegg
On 2/19/15 9:52 PM, Vijay Viswanathan wrote: looks like the default /etc/named.conf is designed to run much more than caching server There is no named.conf distributed with BIND from ISC. What you are seeing is from your operating system

Re: caching-only name server

2015-02-20 Thread Alan Clegg
On 2/20/15 12:59 PM, Vijay Viswanathan wrote: sorry I didn't understand, with the snip i have without the listen directive, i should be able to run BIND (named) as recursion only server installed in all client machines to speed up their
