Re: difference between default views in named_statistics.txt

2012-12-27 Thread Alan Clegg
ile this points to the 9.9 ARM, but the statistics channel has existed since 9.5. AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mail

Re: auto-dnssec maintain: KSK being used as a ZSK as well?

2012-12-21 Thread Alan Clegg
signs the DNSKEY RRset, but it should > still use the ZSK (and not the KSK) for all the other data in the zone. Eh, yep. Thanks for that catch, Evan. I think we may have found the problem "off-list" and it may be another thing for the signer to look into... more in a bi

Re: auto-dnssec maintain: KSK being used as a ZSK as well?

2012-12-21 Thread Alan Clegg
On Dec 22, 2012, at 10:03 AM, Kyle Brantley wrote: > On 12/21/2012 3:56 PM, Alan Clegg wrote: >> On Dec 22, 2012, at 9:52 AM, Kyle Brantley wrote: >> >>> # named.conf >>> options { >>>[...] >>>dnssec-enable yes; >>>

Re: auto-dnssec maintain: KSK being used as a ZSK as well?

2012-12-21 Thread Alan Clegg
On Dec 22, 2012, at 9:56 AM, Alan Clegg wrote: > > By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as > a(mother) ZSK. Stupid autocorrect. a(nother) not anything about anyone's mother. AlanC -- Alan Clegg | +1-919-355-8851 |

Re: auto-dnssec maintain: KSK being used as a ZSK as well?

2012-12-21 Thread Alan Clegg
use the KSK as a(mother) ZSK. Don't do that. Also, unless you are planning on deleting the DNSKEY resource records, get rid of the "secure-to-insecure" as well. AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com

Re: Need to improve named performance

2012-11-12 Thread Alan Clegg
ething is doing it. Send us your logging stanza... (And yes, I'm absolutely sure that logging queries to syslog is handled by named.conf) AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com

Re: Need to improve named performance

2012-11-12 Thread Alan Clegg
; in your options stanza so that it is not started when named starts (I'm not sure what version introduced the querylog option, so you may need to test this. AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com

Re: Need to improve named performance

2012-11-10 Thread Alan Clegg
midst of this that might be messing around with TCP connections? If you do a "rndc recursing", what do you get? If you are only doing 20-30 transactions per second, the stats on the UDP counts would have taken a long time to get there... something doesn't add up. Alan

Re: Need to improve named performance

2012-11-10 Thread Alan Clegg
On Nov 10, 2012, at 1:39 PM, Ed LaFrance wrote: > Running BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5 Before everyone else says it... upgrade. AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com signature.asc Description: Message signed with OpenPGP using GPGM

Re: Is there a way to count the number of queries?

2012-11-07 Thread Alan Clegg
on your nameserver) than playing with query logging. Additionally, it logs both the query and response... AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com

Re: BIND and DNSSEC

2012-11-01 Thread Alan Clegg
On Nov 1, 2012, at 7:45 AM, Alan Clegg wrote: > > On Nov 1, 2012, at 7:34 AM, Tony Finch wrote: > >> I recommend using "auto-dnssec maintain" so named keeps the zone signed, >> instead of dnssec-signzone. > > I do as well, and this will be documented in

Re: BIND and DNSSEC

2012-11-01 Thread Alan Clegg
On Nov 1, 2012, at 7:34 AM, Tony Finch wrote: > I recommend using "auto-dnssec maintain" so named keeps the zone signed, > instead of dnssec-signzone. I do as well, and this will be documented in the next version of this document. AlanC -- Alan Clegg | +1-919-355-8851

Re: BIND and DNSSEC

2012-11-01 Thread Alan Clegg
se externally, or that their printer really _should_ be named myprinter.example.com and not myprinter.internal.example.com. All the best, AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com

Re: BIND and DNSSEC

2012-11-01 Thread Alan Clegg
lover) that you must be extremely careful with. > A question: is implementing dnssec a good enough reason to abandon split > horizon DNS? I'd find any excuse to abandon views/split-horizon. AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com

Re: Disable log message

2012-10-19 Thread Alan Clegg
his message was added by general recognition that being able to rebuild a "drop-in" binary for BIND when you didn't have access to the build directory (where the config.log contains the information) was a good thing. I, for one, see no reason to suppress this message (but I do have

Re: How to Setup DNSSEC

2012-10-17 Thread Alan Clegg
4 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11 This problem has been solved. I inserted the DS record last night. :) AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com smime.p7s Description: S/MIME cryptographic signature

Re: How to Setup DNSSEC

2012-10-16 Thread Alan Clegg
On Oct 16, 2012, at 8:17 PM, pangj wrote: > 于 2012-10-17 11:10, Alan Clegg 写道: >> No, it means that I haven't inserted the DS record for dnslab.org into the >> .org zone. > > for DS record's data, is it the public key of ZSK? thanks. No, it's a hash of the

Re: How to Setup DNSSEC

2012-10-16 Thread Alan Clegg
e .org zone. AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com

Re: How to Setup DNSSEC

2012-10-16 Thread Alan Clegg
On Oct 16, 2012, at 3:11 PM, Noel Butler wrote: > Alan Clegg wrote a quick howto DNSSEC in 6 minutes, you might want to google > it, since ISC has destroyed their "new" website, I no longer see it in quick > look to show you a link, apparently, it might be buried somewhe

Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Alan Clegg
On 4/30/2012 7:14 PM, Augie Schwer wrote: > I think you've all missed the netmask there, 10.0.0.2 is in that range. > > augie@augnix:~$ sudo ifconfig lo:1 10.0.0.1 netmask 255.255.255.224 Netmask says what addresses are REACHABLE on that interface, not the addresses assigned to that interface. A

Re: Don't understand why I get a FORMERR (quad-A - ipv6 related)

2012-04-25 Thread Alan Clegg
On 4/25/2012 10:28 AM, Matus UHLAR - fantomas wrote: >> In message >> >> , Nicolas Michel writes: >>> I only get no answer but a return code of NOERROR. > On 25.04.12 23:53, Mark Andrews wrote: >> The root cause is that the name servers for www.ryanair.com are >> misconfigured. They are returni

Re: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Alan Clegg
On 4/16/2012 9:40 AM, Matthew Huff wrote: > Actually, this can be done. > > Create a zone file for "www.google.com", not "google.com". The zone file > should like this (replace THIS_HOSTNAME with the name of your nameserver: > > > @ IN SOA localhost root@localhost. ( >

Re: NS record outside of our name space

2012-03-13 Thread Alan Clegg
On 3/13/2012 1:35 PM, King, Harold Clyde (Hal) wrote: > I tried adding the NS records but it looked like the entire example.com > was now subject to the NS of wordpress.com. I just want the sub domain to > get it's DNS from the wordpress.com NS servers. Not to give away my whole > example.com doma

Re: NS record outside of our name space

2012-03-13 Thread Alan Clegg
On 3/13/2012 9:49 AM, King, Harold Clyde (Hal) wrote: > Here's an example of my zone record: > > $ORIGIN . > $TTL 1800 ; 30 minutes > Wordpress.example.com. IN SOA hiddenmaster.example.com. > ipmgr.example.com. ( > 2012020601 ; serial >

Re: dig -t txt output variation

2012-03-09 Thread Alan Clegg
On 3/9/2012 2:24 PM, M. Meadows wrote: > Thanks to both of you for your feedback. > I see the rrset ordering explanation in the arm. > Good information. Don't base anything on RRset ordering. Be sure that the application is able to handle the "random" order -- you never know who owns the interme

Re: named.conf splitting

2012-02-19 Thread Alan Clegg
While not _exactly_ what was asked for, "rndc addzone" and "rndc delzone" seem to be able to do what you want... Just an idea.. AlanC -- a...@clegg.com | 1.919.355.8851

Re: Efficacy of using short timeout values for an A record

2012-02-14 Thread Alan Clegg
On 2/14/2012 1:42 PM, Chuck Swiger wrote: > ISC's BIND has (or had) a MINTTL value of 5 minutes / 300 seconds. > It's probably unreasonable to expect other platforms to refetch DNS > records faster than that. Uh... no. BIND has always respected TTL when caching information. AlanC -- a...@clegg

Re: Unknown RR in .in domain

2012-02-06 Thread Alan Clegg
On 2/6/2012 1:35 PM, Gaurav kansal wrote: > Can anyone please tell me why TYPE50 RR is showing in response > coming from .in domain Because your version of DIG does not understand NSEC3 records. http://tools.ietf.org/html/rfc5155 AlanC -- a...@clegg.com | 1.919.355.8851

Re: bind 9.9 & inline-signing issue..

2012-01-30 Thread Alan Clegg
On 1/30/2012 11:59 AM, Mark Elkins wrote: >>> Lastly - how does one 'view' the 'raw' format of a zone file? >> >> Use named-compilezone > > Guess that kind of makes some obscure logical sense. Works though > I do think that 'named-compilezone' should be able to work out the > format of the 'i

Re: bind 9.9 & inline-signing issue..

2012-01-30 Thread Alan Clegg
On 1/30/2012 5:28 AM, Howard Leadmon wrote: > Jan 30 05:23:26 minbari named[30332]: zone leadmon.org/IN/external > (unsigned): loaded serial 2012012901 > Jan 30 05:23:26 minbari named[30332]: zone leadmon.org/IN/external (signed): > serial 2012012901 (unsigned 2012012901) > Jan 30 05:23:26 minbari

Re: How can someone know Sub-Domains?

2011-12-25 Thread Alan Clegg
On 12/25/2011 6:25 PM, Michelle Konzack wrote: > OK, first thanks to Carsten S. which pointed me to ldns-walk and yes, I > can see all hosts configured with NSEC and. > > If I use 'ldns-walk debian.org' which is secured through DNSSEC too, I > get only tonns of > > no rrlist > > which my

Re: dnssec-keygen not responding

2011-11-29 Thread Alan Clegg
On 11/30/2011 12:15 AM, vishesh kumar wrote: > Hi All > > I am trying to generate keys for signing vishesh.com > domain using following command (for testing purpose) > > dnssec-keygen -a RSASHA1 -b 768 -n ZONE vishesh.com . > > But its not responding , i

Re: rndc flush does not work

2011-11-22 Thread Alan Clegg
On 11/22/2011 2:30 AM, Binu B Nair wrote: > On attempting to clear cache using “rndc flush”, this does not work. > However a named restart clears the cache. What could be the problem? Am > I doing something wrong or have I understood the “rndc flush” incorrectly? What makes you think that "rndc f

Re: Bind and ntp.org server refused issue

2011-11-21 Thread Alan Clegg
On 11/21/2011 10:47 PM, Eduardo Bonsi wrote: > Hello; > > Does NTP interfere with DNSSEC configuration? Apple computers have their > own time synchronized and configured through the time.apple.com. > -Is that enough or do I have to configure NTP to work with their > pool.ntp.org server? No. That

Re: Query zone expiration time

2011-11-16 Thread Alan Clegg
On 11/16/2011 5:11 PM, Hajducko, Steven wrote: > We had a master die and we’ve been meaning to move it off to a newer > system. We’re trying to determine how much time is left on the zones in > order to see if we can do it right or if we have to quickly recover the > master. Change the "type sla

Re: BIND started several times at one time

2011-11-15 Thread Alan Clegg
On 11/15/2011 7:19 PM, Aleksander Kurczyk wrote: > This will not be a server for public use. I just wan't to try make a > configuration of two or more servers with zone transfers, > master/slave, notify, etc. locally (on 127.0.0.1 but on different > ports). How can I do that? I have to install name

Re: several master ip's for a slave zone

2011-11-05 Thread Alan Clegg
On 11/5/2011 9:32 AM, Felix New wrote: > if i have several master servers, whether i must ensure that all the > master server's serial are the same? i think this is a little complex, > in particular zone is updated by dynamic update(In such a scenario, the > serial number is controled by every sin

Re: several master ip's for a slave zone

2011-11-05 Thread Alan Clegg
On 11/5/2011 4:21 AM, kalpesh varyani wrote: > How does this feature address the risk that data provided by one master > might get overwritten by another? The use of the word "masters" in the configuration of a slave zone is a bit misleading. Under most circumstances, you list the authoritative s

Re: NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Alan Clegg
On 10/27/2011 11:02 AM, Jonathan Stewart wrote: > Also, is this normal/expected behaviour? How can i get ns0 (and the > others) to NOTIFY ns1 when the serial is incremented? Must i use an > explicit {also-notify} ? Yes, this is expected. Since NS1 is the "master" server (since it is in the SOA

Re: Using DNSSec with BIND

2011-10-26 Thread Alan Clegg
On 10/26/2011 1:53 PM, Mike Rostermund wrote: > Hi all, > > I've managed to set up two new DNS servers. One as a master, and the > second as a slave. > All works perfectly using the traditionally DNS services, but I want to > get DNSSec up and running. > So far I've managed to create the key's nee

Re: Logging queries and answers

2011-10-06 Thread Alan Clegg
On 10/6/2011 7:27 AM, 风河 wrote: > On Thu, Oct 6, 2011 at 4:32 PM, Job wrote: >> Hello Bind-Users ML, >> >> is there a way, a patch or something else, in order to log: >> >> - date/time >> - client >> - request (es www.site.com) >> - reply (es. 1.1.1.1) >> >> in a file, without using debug log form

Re: DNSSEC SERVFAIL when parent zone has no DS record

2011-10-05 Thread Alan Clegg
On 10/5/2011 5:21 AM, Sergio Charpinel Jr. wrote: > After suplying DS and the respective NS record for subdomain in the > parent zone (domain.com), it works. If I disable dnssec in my > recursive server, it also works. > So, if a zone is not signed properly (or doesnt have DS records) the > query

Re: "auto-dnssec maintain" stopped working again...

2011-10-03 Thread Alan Clegg
On 10/3/2011 6:25 AM, Michelle Konzack wrote: > Hello Mark Andrews, > > Am 2011-10-03 20:16:33, hacktest Du folgendes herunter: >> No. It looks completely wrong. Someone/something has re-named the K* files. >> As the K* files have been renamed named can't find them. > > No, they are found correc

Re: Query regarding NS record

2011-09-18 Thread Alan Clegg
On 9/18/2011 9:01 AM, babu dheen wrote: > mycompany-dns-server-ip INA 10.10.10.10 > mail.myoffice.com INNS One thing to note that is that NS records take labels and not IP addresses. AlanC

Re: SERVFAIL

2011-09-15 Thread Alan Clegg
On 9/15/2011 4:14 AM, kshitij mali wrote: > ; <<>> DiG 9.2.4 <<>> completefreight.net.au [...] If your version of BIND matches your version of dig, all bets are off. Please upgrade and see if you continue to have problems. AlanC

Re: Stats output 9.3 vs 9.7

2011-09-07 Thread Alan Clegg
On 9/7/2011 11:13 AM, Baird, Josh wrote: > Is there a way to revert back to the old stats format? Is there an > easier way to reveal query stats via SNMP in 9.7? Any recommendations? > I'm really looking to get QPS statistics. I can modify my parser script > if necessary, but I thought I would c

Re: make zones default to frozen while allowing dynamic updates

2011-07-30 Thread Alan Clegg
On 7/30/2011 6:22 PM, Naveen Nathan wrote: > I'm running BIND 9.3.1. Is there a way to specify a zone should default > to frozen if an allow-update { ... } statement is specified? 1) upgrade 2) no I'm curious as to why you would want to do this. AlanC

Re: Format of the IPv6 reversed zone

2011-07-28 Thread Alan Clegg
On 7/28/2011 3:35 PM, eugene tsuno wrote: > > There is a little perl ipv6 calc that I use ipv6calc so I don't mis-typo it. > > ipv6calc --addr_to_ip6arpa 2001:1930:c00::2 > No input type specified, try autodetection...found type: ipv6addr > 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.3.9.1

Re: no servers could be reached

2011-07-28 Thread Alan Clegg
On 7/28/2011 4:16 AM, uifid...@gmail.com wrote: > view localhost_resolver { > match-clients { localhost; }; > match-destinations { localhost; }; > recursion yes; > include "/etc/named.rfc1912.zones"; > }; > view czj { > match-clients { 192.168.18.128; localhost

Re: question about thehartford.com domain

2011-06-15 Thread Alan Clegg
On 6/15/2011 8:28 AM, M. Meadows wrote: > Question : why does eftc as an address record in the thehartford.com > zone file have a 30 second TTL? Seems … very … short. I think most > nameservers won’t do less than a minute for an address record. Right? No. There is no problem with a short TTL. >

Re: Slow list

2011-06-01 Thread Alan Clegg
On 6/1/2011 7:16 AM, /dev/rob0 wrote: > On Wed, Jun 01, 2011 at 09:54:04AM +0200, Jan-Piet Mens wrote: >>> Does anyone else find the bind-users list to be very slow? >> >> Yes, very. [Pressing 's'end at 09:54 CET] > > I think it's moderated. Sending at 11:16 UTC. It's not moderated. I'll have op

Re: DNS Racing -Multi ISP load balancing with failover using DNS.

2011-05-29 Thread Alan Clegg
On 5/29/2011 5:12 PM, Maren S. Leizaola wrote: > IT is a poor man’s replacement for BGP multihoming and IP anycast. > Hey it is Free and you can implement it using BIND. And you've just broken DNSSEC. AlanC

Re: start script for bind9

2011-04-14 Thread Alan Clegg
On 4/14/2011 10:23 AM, hugo hugoo wrote: > I know that if bind is installed via apt-get install (I am using debian > linux version), there is automatically a bind9 startup script in > /etc/init.d/ directory. Since named "just works" and I do everything else using rndc, I have the following line i

Re: AW: ipv6 PTR in zone file

2011-04-13 Thread Alan Clegg
On 4/13/2011 6:58 PM, Michel de Nostredame wrote: > Not sure how large will be the effort to add a new directive into > BIND, but that just a feed back, and wish, from me and my team > members, who needs to maintain few hundreds of statically assigned IPs > for servers and CE/PE routers. Dynamic

Re: Job opening at ISC -- come work with us!

2011-04-12 Thread Alan Clegg
On 4/12/2011 7:18 AM, Alan Clegg wrote: > We are currently looking for someone to jump into the fray that is > support here at ISC... > > https://www.isc.org/about/jobs/open-source-sw-sup-eng I've been asked about the "location" of this job and I feel tha

Re: named crashed (mem.c:1099: INSIST(ctx->stats[i].gets == 0U) failed)

2011-04-12 Thread Alan Clegg
On 4/12/2011 8:32 AM, Khuu, Linh Contractor wrote: > Last night, our named crashed with the following errors: > > daemon:crit named[221184]: mem.c:1099: INSIST(ctx->stats[i].gets == 0U) > failed > daemon:crit named[221184]: exiting (due to assertion failure) > > named restarted fine and runnin

Job opening at ISC -- come work with us!

2011-04-12 Thread Alan Clegg
We are currently looking for someone to jump into the fray that is support here at ISC... https://www.isc.org/about/jobs/open-source-sw-sup-eng If you have any questions about the position, feel free to send me e-mail (please not to the list -- that wouldn't work out well for anyone). AlanC

Re: Slaves and views

2011-03-04 Thread Alan Clegg
On 3/4/2011 11:46 AM, John Wobus wrote: > I'm going to split our authoritative servers into internal > and external views. Is there anything I can do to try to talk you out of doing this? AlanC

Re: Optimising rndc reload times on a slave server with 50,000 zones

2011-02-28 Thread Alan Clegg
On 2/27/2011 1:15 AM, Dennis Perisa wrote: > Thanks Doug. Yes, helps a lot. And yes, this is to handle adding new > zones. Look into BIND 9.7.2 or newer and the "rndc addzone" capabilities. Solves the problem without needing to reload/restart/reconfig at all. AlanC

Re: $GENERATE for /8 networks

2011-02-17 Thread Alan Clegg
On 2/17/2011 10:20 AM, Mark Watts wrote: > > Is there a way I can use $GENERATE to generate PTR records for the whole > of 10.0.0.0/8 in one line? No. There is not. I must ask -- do you REALLY need to fill all of a /8? What is the requirement for this? AlanC

Re: process of updating slave servers

2011-02-15 Thread Alan Clegg
On 2/14/2011 10:30 PM, Terry. wrote: >> slave options; >> allow-transfer { 10.1.1.2; }; > > In practical the slave doesn't have the allow-transfer option. Sure it does. Any authoritative server (master or slave) can act as the source for a zone transfer. AlanC

Re: syntax/format of zone on slave $ORIGIN/paragraph - sorted?

2011-02-10 Thread Alan Clegg
On 2/10/2011 10:11 AM, Walter Smith wrote: > So - I want to combine and sort unique $ORIGINs without seeing same > $ORIGIN again and again. The question was asked, but I didn't see an answer... What are you doing with the zones on the slave server that you think is actually safe to do? Why not j

Re: syntax/format of zone on slave $ORIGIN/paragraph - sorted?

2011-02-10 Thread Alan Clegg
On 2/10/2011 8:40 AM, Walter Smith wrote: > Oh Thanks - I understand that - I can't comprehend the logic behind > composing _same_ $ORIGIN paragraphs over-and-over again - this is an > example [...] I'd recommend using "masterfile-format raw;" on the slaves and then you don't care how BIND takes t

Re: Clarification on wildcard scenario

2011-01-31 Thread Alan Clegg
On 1/31/2011 10:42 PM, rams wrote: > $ORIGIN joshfeb1.com . > @ IN SOA rboddeti.yahoo.com . > rboddeti.gmail.com . ( > 2011013101 ; serial > 10800 ; refresh >

Re: Good news! Very good!

2011-01-30 Thread Alan Clegg
On 1/30/2011 4:41 AM, p...@mail.nsbeta.info wrote: > listman, > why this user has been always staying here for sending spams? > Regards. Things happen, spammers send junk, they are then unsubscribed from the list as soon as we notice (and get back from the weekend). All done, user zapped. AlanC

Re: bind Bind or BIND?

2011-01-27 Thread Alan Clegg
On 1/27/2011 5:20 AM, Stacey Jonathan Marshall wrote: > On 27/01/2011 02:43, Alan Clegg wrote: >> On 1/26/2011 9:22 PM, Chuck Swiger wrote: >>> Yes, BIND is an acronym for Berkeley Internet Name Daemon. >> Berkeley Internet Name Domain. > > Hi Alan, > > Could

Re: rndc confusion

2011-01-26 Thread Alan Clegg
On 1/26/2011 10:27 PM, donovan jeffrey j wrote: > okay > so what is the rndc.conf for ? -- my finger is on the rm button. > is it for listing other server keys ? rndc.conf is used by rndc in the circumstances that you have put the required "controls" section into your named.conf directly (where t

Re: rndc confusion

2011-01-26 Thread Alan Clegg
On 1/26/2011 9:39 PM, donovan jeffrey j wrote: > I had some issue with an invalid key so i ran rndc-confgen -a which > gave me a new key in /etc/rndc.key. so now rndc works fine. > > but when looked at /etc/rndc.conf the key was different than the > /etc/rndc.key. i thought they had to be the sam

Re: bind Bind or BIND?

2011-01-26 Thread Alan Clegg
On 1/26/2011 9:22 PM, Chuck Swiger wrote: > On Jan 26, 2011, at 6:02 PM, p...@mail.nsbeta.info wrote: >> When talk to others, I never describe it clearly for naming bind. >> is it "bind" or "Bind" or "BIND"? is bind an abbreviation word? > > Yes, BIND is an acronym for Berkeley Internet Name Daem

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-25 Thread Alan Clegg
On 1/25/2011 9:51 AM, Kalman Feher wrote: > If the nsec3param has been removed, the automated signing will be weird if > you are using nsec3 keys. I havent tested this scenario, since it isnt > really a working scenario. There is no such thing as an "nsec3 key". If you auto-sign a zone that does

Re: rndc addzone and file name

2011-01-14 Thread Alan Clegg
On 1/14/2011 4:06 PM, Timothe Litt wrote: >>> You can use the 'named-checkconf -p' to create a fully "expanded" >>> version of the running configuration file as needed for bug reports, etc. > > ?? Including zones added by "addzone"? How does checkconf find them? Well, it _should_ find them the s

Re: rndc addzone and file name

2011-01-14 Thread Alan Clegg
> You haven't understood. I have several includes within one default > view and I need to add zones to them. Different zones to different > includes. For me name of view doesn't matter. The zones added using "addzone" and removable using "delzone" aren't going to show up in your include files. T

Re: rndc addzone and file name

2011-01-13 Thread Alan Clegg
On 1/13/2011 11:08 AM, Peter Andreev wrote: > I've executed > rndc addzone test.test '{ type master; file "/etc/namedb/master/test.1"; };' > > and have got the file /etc/namedb/3bf305731dd26307.nzf: > zone test.test { type master; file "/etc/namedb/master/test.1"; }; > > The question was: can I

Re: rndc addzone and file name

2011-01-13 Thread Alan Clegg
On 1/13/2011 9:43 AM, Peter Andreev wrote: > I have several includes which are edited via hand-written script and > now I'm trying to simplify it by using add/delzone options of rndc. Yay! > So, the question is: how can I specify files where rndc addzone puts > new zones' descriptions? You prov

Re: bind9 and IPV6

2011-01-13 Thread Alan Clegg
On 1/13/2011 9:19 AM, hugo hugoo wrote: > For all users... > > Can anybody give me informations on the IPV6 compatibility of BIND9 > compared to BIND8? > It is not clear what is present in BIND9 and not in BIN8 regarding IPV6. > > I have created an IPV6 record in BIND8 and it works... > > Tha

Re: check the master/slave status

2011-01-07 Thread Alan Clegg
On 1/7/2011 3:08 PM, blr maani wrote: > 1. For each zones, check serial number on both master(s) and slave(s) > for the zone and compare it. Report mismatch if any. dig +nssearch AlanC

Re: DNSSEC validation on combined auth+recursive server

2011-01-06 Thread Alan Clegg
On 1/6/2011 3:38 AM, Eivind Olsen wrote: > I seem to remember seeing something about DNSSEC validation not working > when a BIND server is used both to serve the DNSSEC signed zone > authoritatively, and as a resolver? Unfortunately, I haven't managed to > find this information again, and now I'm

Re: transfer with views

2011-01-01 Thread Alan Clegg
On 1/1/2011 9:15 AM, Gary Wallis wrote: > You will need to setup one virtual IP for each extra view. Not since very versions of BIND that are long-since EOL'd. The FAQ goes into how to use TSIG keys to deal with "picking the right one". > This is what no one here addresses clearly and upfront:

Re: bind replication

2010-12-31 Thread Alan Clegg
On 12/31/2010 9:50 PM, p...@mail.nsbeta.info wrote: > Alan Clegg writes: >> >> Done carefully (which will be the case in all circumstances), doing zone >> transfers within views of many zones is no more "likely to get broken" >> than doing it with external

Re: Dynamic zone...

2010-12-31 Thread Alan Clegg
On 12/31/2010 9:59 PM, Lyle Giese wrote: > My approach would be to use a dynamic host service like dyndns.com. > > I setup a remote1.homedns.org with a cname in my zone: > > remote.abc.com 3600 in cname remote1.homedns.org > > And use a dynamic dns client on the laptop. Then you don't even car

Re: bind replication

2010-12-31 Thread Alan Clegg
On 12/31/2010 9:39 AM, p...@mail.nsbeta.info wrote: > Ben Croswell writes: >> It seems like you >> are making the process more complex, instead of just letting BIND do it's >> job. > > No. because I have many zones, and each zone has some views. > So the standard zone-transfer will most likely get

Re: question about multiple queries in a single dns packet

2010-12-29 Thread Alan Clegg
On 12/29/2010 2:17 PM, Federico Barbieri wrote: > Not sure if this is the right place to ask but I've been trying to dig > around and found nothing... > > reading the dns specification it would seems possible to send multiple > request in a single packet. I'm not sure what the actual reference is

Re: DNSSEC - mismatch between algorithm and type of NSEC

2010-12-29 Thread Alan Clegg
On 12/29/2010 3:37 AM, Marc Lampo wrote: > However, we now found the following case : > 1) registrar offers us DNSKEY information with algorithm 7 : > RSASHA1-NSEC3-SHA1 > 2) in the zone file, there are NSEC (and not NSEC3) records This is not an error. The only reason for there being "different

Re: auto update signatures dnssec

2010-12-28 Thread Alan Clegg
On 12/28/2010 5:04 PM, fakessh @ wrote: >>> Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: >>> error reading private key file fakessh.eu/DSA/9552: file not found >> >> It seems that the .key and .private files are not in the right place. > what is the right place ? In your na

Re: auto update signatures dnssec

2010-12-27 Thread Alan Clegg
On 12/27/2010 1:07 AM, fakessh wrote: > good day and merry christmas. Thanks, and to you as well. > I just put in place guidelines in bind config to update the signatures > dnssec > I'm looking for options that require the least amount of maintenace that > all updates of signatures are performed

Re: dnssec subzone not signed question

2010-12-22 Thread Alan Clegg
On 12/22/2010 6:49 PM, jim wrote: > Sorry, still needing spoon fed. No problem. You might be interested in a presentation that I gave at NANOG earlier in the year: ftp://ftp.isc.org/isc/pubs/pres/NANOG/50/DNSSEC-NANOG50.pdf > When you say DS record in the parent, would this be .example.edu >

Re: dnssec subzone not signed question

2010-12-22 Thread Alan Clegg
> Showing my ignorance, can I > Just not sign the dynamic subzones, wirelessN/buildingN.example.edu > , even though example.edu > is signed? Sure. As long as you don't put a DS record in the parent, you most certainly don't HAVE to sign the chi

Re: Almost Ready for DNS-SEC but Slightly Confused in Home Stretch

2010-12-10 Thread Alan Clegg
On 12/10/2010 11:17 AM, Martin McCormick wrote: > Is there, somewhere, a linear description of this > process that starts out like: > > 1. Do this. > > and leading up to > > x. Congratulations! you have dnssec working. > > None of these steps in the puzzle have been hard, so far, but >

Re: ZSK syntax problems bind9.7.1P2

2010-12-03 Thread Alan Clegg
On 12/3/2010 10:14 PM, Martin McCormick wrote: > Alan Clegg writes: >> dnssec-keygen -K /var/named/etc/namedb/dynamic/okstate.edu okstate.edu >> >> Nothing else needed since you are using the defaults... > > Thank you. I was trying to make things difficult, I

Re: ZSK syntax problems bind9.7.1P2

2010-12-03 Thread Alan Clegg
On 12/3/2010 9:55 PM, Martin McCormick wrote: > dnssec-keygen -K /var/named/etc/namedb/dynamic/okstate.edu -s 7 RSASHA1 -b > 1024 -n ZONE okstate.edu [..] > So, what should I have in that particular command to make it generate the ZSK? dnssec-keygen -K /var/named/etc/namedb/dynamic/okstate.

Re: IPAM advantages (was Re: MySQL BIND SDB)

2010-11-17 Thread Alan Clegg
On 11/17/2010 7:15 AM, Gary Wallis wrote: [.. Discussion of non-open-source IPAM solutions ..] > (If we use FOSS BIND why should we support anti FOSS businesses like > many mentioned above?) Several of the businesses listed in the original post are BIND Forum members and are supporting ISC in th

Re: DNSSEC with 9.7.2-P2

2010-11-12 Thread Alan Clegg
On 11/12/2010 7:49 AM, David Forrest wrote: > While running BIND 9.7.2-P2 built with defaults on F11 [..] > and, on checking named.conf, I found the entry for br. as: > trusted-keys { > "br." 257 3 5 > "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr

Re: no. of Views and Zones

2010-11-08 Thread Alan Clegg
> Thanks Alan, I'll try to do more research and I really like to hear from > you or anyone else about better solutions if possible. I think your best solution is to not try to play traffic cop with DNS. If "customers" don't want their users to access XYZ, let THEM run a proxy or firewall that fi

Re: no. of Views and Zones

2010-11-04 Thread Alan Clegg
On 11/4/2010 12:22 AM, Alans wrote: >> On 10/31/2010 4:48 AM, Alans wrote: >> Have 2 questions, is there any limitation (beside hardware) on number of >> views? I mean creating a view/customer? >> And is there any limitation for number of zones/view? > > Since I didn't got exact answer for my ques

Re: error (broken trust chain) resolving

2010-11-02 Thread Alan Clegg
On 11/2/2010 8:36 AM, Brian J. Murrell wrote: > Alan Clegg isc.org> writes: >> > > Hi Alan, > >> There isn't a chain of signed DS records that lead from a trust anchor >> to the thing that you are trying to resolve. > > I guess I'm going to
