Re: error (broken trust chain) resolving

2010-11-02 Thread Alan Clegg
On 11/2/2010 8:11 AM, Brian J. Murrell wrote: > Since enabling DNSSEC on my resolving server I have been seeing various > instances of the following sort of messages: > > named error (broken trust chain) resolving '133.168.163.66.sa- > trusted.bondedsender.org/TXT/IN': 173.45.100.146#53 [..] > '1

Re: no. of Views and Zones

2010-10-31 Thread Alan Clegg
On 10/31/2010 4:48 AM, Alans wrote: > Have 2 questions, is there any limitation (beside hardware) on number of > views? I mean creating a view/customer? > And is there any limitation for number of zones/view? Instead of saying "how many views can I get", I think you would be much better off sayin

Re: Script to create PTR zone from zone file

2010-10-30 Thread Alan Clegg
On 10/30/2010 1:42 AM, Sukman wrote: >> Looking to write a script to create the PTR records.. >> Not much on the Web.. > > I had some script that may help you... :) > > Example of input file to be generated: > > InstitutTeknologiBandung192.168.0.154 router2.id192.168.0.153 > router1.i

Re: Key ID from DNSKEY - how?

2010-10-27 Thread Alan Clegg
On 10/27/2010 1:46 PM, Mark Elkins wrote: > I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to > do this in PHP as this is inside some existing PHP (Web) scripts but I > guess calling a C program would not be too inconvenient. [...] > Anyway - does anyone have existing code

Re: bind9.7.1 Skipping lots of Zone Transfers

2010-10-26 Thread Alan Clegg
On 10/26/2010 8:45 AM, Martin McCormick wrote: > 26-Oct-2010 07:30:46.497 zone 78.139.IN-ADDR.ARPA/IN: refresh: > skipping zone transfer as master 139.78.100.1#53 (source 0.0.0.0#0) is > unreachable (cached) Are you able to "dig @139.78.100.1 78.139.IN-ADDR.ARPA axfr" when logged into the slave

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread Alan Clegg
On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: > Sorry for being unclear. We want the SERVFAIL as it should be for > invalid DNSSEC data *in all cases*, e.g. even if a client asks with the > cdflag (checking disabled) set. CD means "don't check", so you can't by definition. AlanC

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread Alan Clegg
On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote: > Hello > > after the root zones are now DNSSEC signed we would like to use DNSSEC at our > caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and > basically it is working fine. What I have not managed is to always > force obeying DNSSEC sign

Re: 2038 problem and BIND.

2010-09-20 Thread Alan Clegg
On 9/19/2010 6:57 AM, kalpesh varyani wrote: > > > I would just like to know, how BIND takes care of the 2038 problem. > Since now DNSSEC has a lot to do with timings, there could be issues if > someone would set the signature expiry time to a large value (possibly > after Y2K38). This can create

Re: dnssec questions

2010-08-27 Thread Alan Clegg
On 8/27/2010 11:42 AM, CT wrote: > Per my isc class and the book I received by Jeremy C. Reid .. > you still need to "include" your keys in the zone file either > > via > $include /KSK > $include /ZSK1 > $include /ZSK2 > or > (cat *.key > allkeys) which is what I have done.. > $include /allkeys >

Re: zero SOA TTL - still best practice?

2010-08-26 Thread Alan Clegg
On 8/26/2010 10:52 AM, Alexander Gall wrote: >> - should I update my program to allow non-zero SOA TTLs? > > Yes, unless I'm the one with the wrong end of the stick :) Zero TTLs are evil. Please don't use them (and if possible, update the zones that you have deployed with zero TTLs to u

Re: differences between version

2010-08-13 Thread Alan Clegg
On 8/13/2010 8:01 AM, Ram Akuka wrote: > hi, > I want to know what the differences are between bind 9 versions (especially > between 9.4 and 9.5/6/7), > where can I find a table that describes it? > I tried to google it but I didn't find anything useful. In the source directory, you will find the

Re: RRSIG for glue records

2010-08-04 Thread Alan Clegg
On 8/4/2010 2:58 AM, rams wrote: > I have delegated NS records and those records pointed to A records in > signed zone. When I queried for my delegated domain against bind 9.6-p3. > > Bind is returning NS records and RRSIG for NS in authority section > correctly. Glue records are returned correct

Re: new webserver ip

2010-08-03 Thread Alan Clegg
On 8/3/2010 8:07 AM, dhottin...@harrisonburg.k12.va.us wrote: > $TTL 259200; 3 days > harrisonburg.k12.va.us. A 174.143.193.47 > > > I made the entry for the new website's ip (174.143.193.47). But when I > do a dig, it still comes back with 204.111.40.10. What do I need to do

Re: Odd query issue

2010-08-02 Thread Alan Clegg
On 8/2/2010 10:17 AM, Atkins, Brian (GD/VA-NSOC) wrote: > Any ideas to point me in the right direction? What do the log files show surrounding the query? AlanC

Re: Dynamically add zones

2010-07-29 Thread Alan Clegg
On 7/29/2010 8:45 PM, Alan Clegg wrote: > (+1-919-355-885) and let's talk about it... +1-919-355-8851 (I seem to have been "off by one"). AlanC

Re: Dynamically add zones

2010-07-29 Thread Alan Clegg
On 7/29/2010 5:38 PM, Jack Tavares wrote: > Will this functionality be available through an api? > Or will it just be through rndc ? Not sure what API we would use beyond rndc. If you have recommendations, please e-mail me directly or give me a phone call (+1-919-355-885) and let's talk about it

Re: Dynamically add zones

2010-07-29 Thread Alan Clegg
On 7/29/2010 8:23 PM, Alan Clegg wrote: > SNIP > options { > directory "/etc/namedb"; > dnssec-enable yes; > dnssec-validation yes; > new-zone-file "/etc/namedb/managed.zone.list"; > key-directory "/et

Re: Dynamically add zones

2010-07-29 Thread Alan Clegg
On 7/29/2010 7:19 PM, Dan Durrer wrote: > Alan, > > I was playing around with your example. I can get it to add the zone > ( that is no rndc errors or syslog messages). > > I see it send notifies for the new zone in my log. > > 29-Jul-2010 23:06:47.063 notify: info: zone exampledomain.com/IN: >

Re: Dynamically add zones

2010-07-28 Thread Alan Clegg
On 7/28/2010 10:41 PM, Mike Flathers wrote: > Is there a patch for bind 9 to add new zones dynamically without > having to run rndc reconfig? The server stops answering queries when > reconfig is loading in the new config as the config grows this timeout > increases. I haven't hit the source cod

Re: reject or drop AAAA queries

2010-07-22 Thread Alan Clegg
On 7/22/2010 8:42 PM, Rock July wrote: > This is my current setup right now and the reason why I want to reject > or drop the queries; > > PC Clients: XP, Vista and 7 (Vista and 7 clients are sending both A and > AAAA queries) send queries to DNS A. > DNS A: will just forward the query to My

Re: IPv6 Records on an IPv4 Network

2010-07-22 Thread Alan Clegg
On 7/22/2010 8:33 AM, Phil Mayers wrote: >> only IPv4 interface is enabled. If I put the option "filter-aaaa-on-v4 >> {yes;};", will my DNS reject the queries? > > This option breaks DNSSEC. Actually, it doesn't. If the DO bit is set in the query, the default behavior (I'll let you dig to

Re: root-anchor.xml & anchors.xml in Bind

2010-07-17 Thread Alan Clegg
On 7/17/2010 9:49 AM, Lyle Giese wrote: > What is the difference between managed-keys and trusted-keys? Managed keys automatically watch for RFC-5011 "roll over" and update when new keys are made available. Trusted keys are manually managed and will cause you to have problems if you forget to c

ISC to be at OSCON next week...

2010-07-16 Thread Alan Clegg
With the signing of the root and all of the related activities, I thought I'd take this opportunity to let you know that I'll be giving a presentation at OSCON (O'Reilly's Open Source Convention) next week in Portland. http://www.oscon.com/oscon2010/public/schedule/detail/14112 I'm not sure wh

Re: Signed root - missing RRSIG for delegation?

2010-07-16 Thread Alan Clegg
On 7/16/2010 7:42 AM, Niobos wrote: > On 2010-07-16 12:36, Alan Clegg wrote: >> .net isn't signed, and you don't sign "out-of-zone" data (glue and >> delegation NS records). > > But org. is signed, and gives the same result. .org does not have a DS recor

Re: Signed root - missing RRSIG for delegation?

2010-07-16 Thread Alan Clegg
On 7/16/2010 6:36 AM, Alan Clegg wrote: > On 7/16/2010 6:25 AM, Niobos wrote: > >> It's probably just my lack of knowledge, but there seems to be a missing >> RRSIG in the root zone. >> >> I try to securely resolve example.net. I obviously get a delegation &g

Re: Signed root - missing RRSIG for delegation?

2010-07-16 Thread Alan Clegg
On 7/16/2010 6:25 AM, Niobos wrote: > It's probably just my lack of knowledge, but there seems to be a missing > RRSIG in the root zone. > > I try to securely resolve example.net. I obviously get a delegation > returned (dig output below), but I can't seem to validate that > delegation. The deleg

Re: newb alert: how to make v4 and v6 "A" records resolve to same website

2010-07-14 Thread Alan Clegg
On 7/14/2010 4:47 PM, Bill Buhlman wrote: > I am just now playing with IPv6 and wondering about how to make an IPv6 > record resolve to the same website as the IPv4 A record. Probably a > simple thing but how? Assign the AAAA to the IPv6 address of the given host... ie: baremetal.wetworks.o

Re: Here's trouble -- Was: [Does bind send email?]

2010-07-09 Thread Alan Clegg
On 7/9/2010 7:25 AM, Alan Clegg wrote: > For those of you that don't follow bind-users closely, this is a bit of > troubling news. I'm not surprised that a "bad guy" would masquerade his > malware as BIND, but to actually see it documented is sad. [this was supposed

Here's trouble -- Was: [Does bind send email?]

2010-07-09 Thread Alan Clegg
il? Date: Fri, 9 Jul 2010 12:18:07 +0100 From: tomasz dereszynski To: Alan Clegg CC: bind-users@lists.isc.org > On 7/9/2010 4:57 AM, Chiesa Stefano wrote: > >> "27/05/2010 17.06.32 1094 C:\bind\bin\named.exe Protezione >> antivirus standard:Impedisci a worm distribuiti

Re: Does bind send email?

2010-07-09 Thread Alan Clegg
On 7/9/2010 4:57 AM, Chiesa Stefano wrote: > "27/05/2010 17.06.32 1094 C:\bind\bin\named.exe Protezione > antivirus standard:Impedisci a worm distribuiti tramite mass-mailing di > inviare messaggi 93.49.247.253:25" > > (translated from italian: Prevent mass mailing worms from sending mail

Re: Split view - differing SOA serial number

2010-07-08 Thread Alan Clegg
On 7/8/2010 7:58 AM, John Horne wrote: >> You need to specify different "file" locations for each of the slaved >> zones (even if the data is the same) in each view. >> > Okay, but why? As said this generally works, it just seems a bit out of > step between the views. Because BIND won't do what y

Re: Split view - differing SOA serial number

2010-07-08 Thread Alan Clegg
On 7/8/2010 7:26 AM, John Horne wrote: > However, when checking the SOA serial number of our reverse zone we are > seeing different values depending on whether we are inside or outside of > the campus. This zone is maintained internally by MS Windows servers, > and so our main servers (141.163.1.2

Re: Help me- Bind9.71 service not start on Windows XP

2010-07-06 Thread Alan Clegg
On 7/5/2010 2:56 AM, Alans wrote: > BE CAREFUL: my antivirus detects certain .png files on that website as > potential viruses, please don't open it in the browser. > The Website is: [...] Again, be careful. Due to two replies to un-related threads with this, I've removed the user from the list. A

Re: Can I start multiple processes(named) in a server?

2010-07-01 Thread Alan Clegg
On 7/1/2010 4:21 AM, ShanyiWan wrote: > Multiple processes(named): Can I start multiple processes(named) in a > server and each process can provide services normally? See > information so that on the internet (I think this may be wrong). How > can I maximize the ability of concurrent queries(n

Re: Nsupdate -l not using session.key

2010-06-30 Thread Alan Clegg
On 6/30/2010 11:13 AM, Kalman Feher wrote: > While testing bind 9.7.1 features including automated signing and > update-policy local. I encountered some strange behaviour using nsupdate -l. > > When using nsupdate -l I was not able to update the zone in question and the > following error was gener

Re: bind-users Digest, Vol 538, Issue 1

2010-06-07 Thread Alan Clegg
On 6/7/2010 9:21 AM, rams wrote: > When we resign using "dnssec-signzone -o -f name> " , we don't get SOA incremented . In general > AXFR looks for SOA comparison to reload zone file. In this case how will > AXFR happen? You probably want to use "-N increment". Check the man page for additiona

Re: how to resign a zone

2010-06-07 Thread Alan Clegg
On 6/6/2010 11:28 PM, rams wrote: > Hi, > > How to resign a zone? Make it dynamic, allow BIND to have access to the keys and you don't have to do anything "manually". If you don't have (or want to use) that option, you need to run "dnssec-signzone" on the signed data (to refresh existing signat

Re: disable dnssec in bind resolver

2010-06-04 Thread Alan Clegg
On 6/4/2010 1:52 PM, R. Kevin Oberman wrote: > First, dns-validation is 'off' by default in all BIND versions. It's > dnssec-enable that started defaulting to 'yes'. No, it isn't. The only reason that dnssec-validation appears "off" is that without trust anchors, it doesn't do anything. Insert

Re: How to resign a signed zone

2010-05-27 Thread Alan Clegg
On 5/27/2010 6:36 AM, Alan Clegg wrote: > On 5/27/2010 1:43 AM, rams wrote: > >> How do we resign the signed zone? What is the command to do the RESIGNING ? > > Run dnssec-signzone on the signed zone file. I recommend that you: But, of course my PRIMARY recommendation wo

Re: How to resign a signed zone

2010-05-27 Thread Alan Clegg
On 5/27/2010 1:43 AM, rams wrote: > How do we resign the signed zone? What is the command to do the RESIGNING ? Run dnssec-signzone on the signed zone file. I recommend that you: mv example.com.signed example.com vi example.com dnssec-signzone example.com rndc reload example.com Note

Re: add a record into signed zone

2010-05-13 Thread Alan Clegg
On 5/13/2010 6:18 AM, rams wrote: > As you said I tried with nsupdate but unable to add a record into signed > zone. It is giving SERVFAIL. Do we need to send any special value? Were you able to insert using nsupdate BEFORE you signed the zone? I'd take a look at logging to start debugging this.

Re: KAMINSKY vulnerability !!

2010-05-10 Thread Alan Clegg
On 5/10/2010 10:19 AM, P.A wrote: > Primary server: BIND 9.4.3b2 Continue your upgrade process to a version of BIND that is supported. :) http://www.isc.org/software/bind/versions AlanC

Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-05 Thread Alan Clegg
On 5/5/2010 1:32 PM, Lightner, Jeff wrote: > 8:30 EDT 05/05/2010 and the world hasn't ended here yet. > > We can celebrate Cinco de Mayo in peace. If only I didn't detest > tequila. > > Side note: I've actually been to Puebla Mexico which is where the > battle that Cinco de Mayo commemorates to

Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-03 Thread Alan Clegg
On 5/3/2010 4:36 PM, Lightner, Jeff wrote: > It sounds as if he read an article saying we have to implement DNSSEC on > our DNS servers or we'll quit working on 5/5? Is that the case? > > Also what is the drop dead date/time if so? 5/5 Midnight UTC? Some > other time? You don't need to do any

Re: INSIST failed in memcluster.c with message "memcluster.c:436: INSIST(stats[size].gets != 0U) failed."

2010-04-29 Thread Alan Clegg
On 4/29/2010 7:37 PM, Almond d wrote: > I am using bind-9.3.1. [[..]] > Can anybody please tell me what is the solution to this problem? Yes. Upgrade. AlanC

Re: DNSSEC and ISAKMP?

2010-04-16 Thread Alan Clegg
On 4/16/2010 4:03 PM, Roy Badami wrote: >> DNSSEC and ISAKMP are not related. > > Well, that's no longer entirely true... AIUI Microsoft seem to have > decided that in their DNSSEC implementation they will use IPsec (and > hence IKE with GSS-API) to secure communications from the client to > the

Re: DNSSEC and ISAKMP?

2010-04-16 Thread Alan Clegg
On 4/16/2010 9:49 AM, Deny IP Any Any wrote: > Do I need to allow UDP/500 packets (ISAKMP) to my bind DNS servers for DNSSEC? > > I've been seeing a lot of UDP/500 attempts from the general internet > to my public DNS servers, and can't figure out why. The Wikipedia page > for DNSSEC doesn't menti

Re: rndc reload & allow-update

2010-04-12 Thread Alan Clegg
On 4/12/2010 7:25 AM, aihua zhang wrote: > > hi all, > i found if your zone in named.conf set a statement > {allow-update{any};};then when you use rndc reload ,any modifies will > not happen. how can i figure it ? thx You can only modify dynamic zones in two ways: 1) dynamic updates (using

Re: Load Balancer for DNS

2010-04-05 Thread Alan Clegg
On 4/5/2010 2:06 AM, sasa sasa wrote: > Hello everyone, > > Any one used any load balancer for DNSs? any recommendation? it's 2 > caching-only DNSs, and I'd like to make a load balance between them > using software. I would recommend that before addi

Re: Advertizing a new domain on my existing Authoritative DNS server

2010-03-26 Thread Alan Clegg
Lear, Karen (Evolver) wrote: > I’m running 9.6.1-P3 on RHEL4. Advertising example.com and now have > been asked to advertise a new domain newexample.com (not a subdomain). > What is the best way to go about this? create new zone file add zone entry to named.conf rndc reconfig (I assume that the

Re: Error fetching SOA from

2010-03-21 Thread Alan Clegg
michael peters wrote: > [71.12.99.115], request timed out. > Probably DNS server is offline. > [71.12.99.116], request timed out. > Probably DNS server is offline. Neither of these servers respond to queries. acl...@yellow:

Re: Error fetching SOA

2010-03-21 Thread Alan Clegg
michael peters wrote: > Is it a problem to get a message from a DNS checking tool that indicates > "Error fetching SOA from ns1.example.com ?" Both > of my external BIND 9.6.1 servers respond the same way and I'm assuming > that I need to add something to my configuration.

Re: PTR format question

2010-03-20 Thread Alan Clegg
groups wrote: > In the process of cleaning up a much neglected PTR file > > Bind: 9.6.2.1 > OS: CentOS 5.4 > > Current PTR in this format: (1 tab between entries) > > $ORIGIN 58.172.in-addr.arpa. > $ORIGIN 0.58.172.in-addr.arpa. > 11PTRnat-172-58-0-11.example.com. > 12PTR

Re: DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-16 Thread Alan Clegg
Gary Wallis wrote: [other stuff snipped out] > Regarding my main question: > > How to delegate signing authority from parent yourdomain.com to child > ns1.yourdomain.com. Insert the DS records from the child into the parent and re-sign the parent. > I still have to setup a DNSSEC resolver to b

Re: loading from master file failed: unknown class/type

2010-03-14 Thread Alan Clegg
Security Admin (NetSec) wrote: > Sunday night brain fart. Having trouble configuring a hosts files. I > receive an “ns1 named[27823]: zone prana.us/IN/external: loading from > master file pranaustwc.hosts failed: unknown class/type” error. > ORIGIN . Missing $ from "$ORIGIN" > mailgate.netsec

Re: dynamic update in IPv6 environment

2010-03-11 Thread Alan Clegg
aihua zhang wrote: [...] > the BIND version is BIND-9.6.1,my install process is :./configure;make > ;make install, is there any wrong with my install or others problem ? > thanks! Dynamic updates work correctly in an IPv6 environment to the best of my knowledge, however, nsupdate does not at th

Re: return address for failed DNSSEC validation

2010-03-11 Thread Alan Clegg
Gilles Massen wrote: > As soon as applications (or local stub resolvers) are validating, that > would be the place to generate a "user compatible" error. But in the > best case this will take years. In the mean term we are stuck with dummy > users, and ISPs that might want to enable validation, bu

Re: recursion

2010-03-10 Thread Alan Clegg
Lightner, Jeff wrote: > Modern being? Actually In the 9.4 CHANGES file I find: --- 9.4.0a4 released --- [...] 2006. [security]Allow-query-cache and allow-recursion now default to the builtin acls "localnets" and "localhost". This is

Re: recursion

2010-03-10 Thread Alan Clegg
Lightner, Jeff wrote: > Modern being? According to CHANGES file: --- 9.5.0a6 released --- 2206. [security] "allow-query-cache" and "allow-recursion" now cross inherit from each other. If allow-query-cache is not set in named.conf then a

Re: recursion

2010-03-10 Thread Alan Clegg
ic.nssip wrote: > If there is no option "recursion yes (or no);" specified in named.conf, > is the server still recursive? > Is "recursion" activated by default if option recursion (yes|no) is > missing in named.conf? In modern BIND, "allow-recursion" defaults to: "{ localhost; loc

Re: dnsquery for Solaris

2010-03-09 Thread Alan Clegg
ic.nssip wrote: > What I'm trying to do is to find a way to get the TTL left for a cached > record. > I usually use dnsquery like this (12m23s and 9m53s is what interest me): > > # dnsquery -n 8.8.8.8 -t a ftp.funet.fi > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47912 > ;; flags: qr rd r

Re: dnsquery for Solaris

2010-03-09 Thread Alan Clegg
ic.nssip wrote: > I've got dnsquery working fine from sunfreeware.com bind-8.4.6 on > x86-Solaris 10. > Does anybody know if it can be exported to another machine? I tried to > binary ftp the file to another machine (same configuration), I fixed > owner and permissions but it will just not run there.

Re: Help with logrotate and bind

2010-02-26 Thread Alan Clegg
Diosney Sarmiento Herrera wrote: >I am trying to rotate my named logfile with logrotate and I > configured it as I show: [...] This is much more a question for a list that discusses the logrotate application than it is to bind-users. I would recommend, however, that you look into the built-

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-26 Thread Alan Clegg
Jonathan de Boyne Pollard wrote: > That's also nothing to do with DNSCurve. You weren't making a DNSCurve > query there. You were simply querying, with an ordinary DNS query, a > proxy DNS server that is under someone else's control and getting the > view of the DNS namespace that that someone e

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: > dnssec-enable yes; > and > dnssec-validation yes; > > are the defaults since BIND 9.5 > > > How do I turn it off. Since you edited out the most important part of my post, I'll repeat it here before I answer your question: Serving signed zones requ

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: > [] I guess that depends on if DNSSEC > is turned on by default in BIND. Incidentally - is it? dnssec-enable yes; and dnssec-validation yes; are the defaults since BIND 9.5 Serving signed zones requires signed zone data to serve. Validation requir

Re: Zone transfers from slaves to slaves?

2010-02-24 Thread Alan Clegg
Dan Letkeman wrote: > I think I have a configuration issue somewhere. It looks like from > the logs that my master server is notifying the slaves correctly, but > then the other slaves are also notifying the slaves as well. > > 172.16.0.100 is the master > 172.16.0.101 is 1st slave > 172.16.0.10

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: > That's not the case with DNScurve. Again I stress - over 20 billion > requests per day at OpenDNS are DNScurve compatible. The traffic in > DNSSEC is chicken feed compared to DNScurve. Joe, The fact that queries hit servers that are DNScurve capable does not mean that they ar

Re: Modifying a response

2010-02-24 Thread Alan Clegg
Peter Andreev wrote: > > For example: if user asks for non-existent domain, caching server > > replies with some address and no-error rcode. > > _Extremely_ bad idea. > > > Yes, I know, but boss is boss and task is task :). > > Thank you very much for your answer. You might want t

Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO

2010-02-23 Thread Alan Clegg
Nicholas Wheeler wrote: > On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote: >> (Well, for now the plan is to do it once a year by hand. Then, we'll see...) > > For the record, NIST recommends to roll the ZSK every three months, and > the KSK every two years. And there are lots of other op

Re: Scripts for zsk rollover in 9.7

2010-02-23 Thread Alan Clegg
Stephane Bortzmeyer wrote: >> We have plans to improve this in 9.7.x (where x probably equals 1) >> in a couple of ways: first, by making it possible to assign each key >> an explicit successor key and warn the user if a key is set to >> expire without a successor; second, by making it possible to

Re: Strange issue - please enlighten me

2010-02-19 Thread Alan Clegg
Marco Davids (SIDN) wrote: > Anyone any clue? I am trying to understand why some resolvers handle > this query well, while BIND 9.7.x returns a SERVFAIL. acl...@yellow:~$ dig +short airfrance.fr ns webaf1.airfrance.fr. lasvegas.airfrance.fr. proof.rain.fr. acl...@yellow:~$ dig +short @webaf1.air

Re: Bind 9.5.2-P1 and rrset-order

2010-02-19 Thread Alan Clegg
Denis Laventure wrote: > Hi, > > > > I have multiple ip addresses for one server: > > > > www.mydomain.com > A 10.0.0.1 > > www.mydomain.com > A 10.0.0.2 > > www.mydomain.com

Re: multi master primary nameserver.

2010-02-08 Thread Alan Clegg
Gordon A. Lang wrote: > Did I recently hear correctly that some future version of BIND will > be supporting multi-master? That is in the plans. > I know slaves can forward updates to masters, but can masters also > forward updates to other masters? (I can look this up, but I'm > fishing for oth

Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Alan Clegg
Paul Wouters wrote: > With the current success of the DLV, and the root zone deployment half > a year away, it is not really required anymore. I think it is much better > to get rid of all trust anchors apart from the ISC DLV key. Do remember, however, that the DLV keys also roll, so this does ne

[Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Alan Clegg
I find this important enough to forward on to bind-users. Please note the importance of trust anchor management. AlanC --- Begin Message --- [Apologies for duplicates] Dear Colleagues, We have discovered that recent versions of the Fedora Linux distribution are shipping with a package called "dn

Re: a question on bind cache

2010-01-14 Thread Alan Clegg
>> http://lmgtfy.com/?q=content+distribution+network > Thanks, I know something about CDN. > But I also want to know if it's possible to let DNS handle this? BIND itself does not "do" this. You could monitor your services and then use dynamic DNS to change resource records based on the results,

Re: a question on bind cache

2010-01-14 Thread Alan Clegg
Tech W. wrote: > So, do you think is there a resolving way for Bind which can > implement the features: > > 1. check the popular domains' original IPs (like google's, yahoo's, > aol's etc), and exclude the dead IPs from its cache. > 2. for the popular domains, testing the access speed to each of

Re: bindvrs Vulnerability

2010-01-12 Thread Alan Clegg
Lightner, Jeff wrote: > Sometimes you have to do things like hiding your version just because it > came up on the security audit. It's a lot easier to make them shut up > by doing what they want than by explaining to them that what they want > is meaningless. That said, if your "security audit" a

Re: dig query

2010-01-06 Thread Alan Clegg
Tony Finch wrote: > The AD flag is meaningless in a query. In a response it tells you whether > the server is authoritative or not. It has nothing to do with DNSSEC. AD bit is authenticated data. AA bit is authoritative answer. AD has everything to do with DNSSEC. AA has nothing to do with DNS

Re: dig query

2010-01-06 Thread Alan Clegg
Tony Finch wrote: > On Wed, 6 Jan 2010, Pamela Rock wrote: >> Does that imply that +adflag sets the ad bit on the query and the >> response where +dnssec only sets the ad bit on the response? > > The AD flag is meaningless in a query. In a response it tells you whether > the server is authoritativ

Re: dig query

2010-01-06 Thread Alan Clegg
Pamela Rock wrote: > The following dig query > > dig gov +dnssec +noadflag @10.10.10.1 > > produces the following flags in the header section: > > ;; flags: qr rd ra ad; > > Question - what is the relation with the +dnssec and +noadflag > options in the query. I would think the query would pro

Re: limit for cache-size?

2010-01-04 Thread Alan Clegg
Thomas Vogt wrote: Are there any limits in bind 9.6.* or 9.7.* for cache-size or known issues? I'm planning to use 8GB ram for named cache. The LRU cache cleaning introduced in BIND 9.5.0 should make your "large cache" work as expected. AlanC

Re: Remove/add [A] records based upon server availability

2009-12-26 Thread Alan Clegg
Ryan S wrote: Is there a method in BIND to add/remove A records based upon server availability? i.e. host www has A records 1.1.1.1, 2.2.2.2, 3.3.3.3 If 3.3.3.3 is 'down' (via a ping test, for example) we remove it from the [A] record until such time that it is back 'up' and the host is added

Re: strange dig behavior

2009-12-20 Thread Alan Clegg
Pamela Rock wrote: I don't know what is causing the refused. IP tables is off everywhere, and there are no ACL's on routers or firewalls. Has nothing to do with firewalls (or ACLs on routers). The only error I'm seeing is the following in the debug log 20-Dec-2009 19:21:09.443 query-errors

Re: dnssec updated zone data is not live ??

2009-12-18 Thread Alan Clegg
Niobos wrote: On 17 Dec 2009, at 20:50, Kevin Darcy wrote: Cat'ing the zone file is no longer reliable once you've enabled a zone for Dynamic Update. There might be updates in the log file which haven't been committed to the actual zone file yet. That's why I recommended that you use an AXFR of

Re: CLASS support

2009-11-30 Thread Alan Clegg
JFC Morfin wrote: At 19:36 30/11/2009, Florian Weimer wrote: > I understand that. But I need to use Private Use classes. The question > is how do I do it? Use CLASS999 and similar identifiers (just like TYPE999 for types). I guessed the format from the code. But it fails. named-checkconf says

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Alan Clegg
Hanno Böck wrote: Am Mittwoch 25 November 2009 schrieb Alan Clegg: There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you. Ok, that explains it. Are there any example domains with

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Alan Clegg
Hanno Böck wrote: dig baddata-A.test.dnssec-tools.org @localhost There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you. AlanC

Re: multiple internal views not working (requested conf files

2009-11-02 Thread Alan Clegg
Kevin Darcy wrote: Views are matched in order, so "!10.x.5.0/24;" is redundant -- anything in that range would have been matched by the previous view. But, by explicitly putting it there, the ordering of the views is no longer important. "Better safe than sorry". AlanC

Re: 2 simultaneous hung Bind boxes

2009-10-28 Thread Alan Clegg
Justin Shore wrote: > The boxes are running fairly old Bind code, 9.5.1b2. Tomorrow I will > upgrade to 9.6.1rc1 (unless people believe 9.7.0b1 is ready for use). I would recommend not using beta or release candidate code in your deployment. If you want something that will stand up to customer

Re: cache dead records

2009-10-22 Thread Alan Clegg
On Oct 23, 2009, at 5:45, net...@royal.net wrote: We are using bind9 for DNS Cache. What the problem is, sometime the IP address for a domain is dead, but Bind won't know, and still responds the dead IP to clients, after that clients access the sites failed. So is there a way to do health ch

Re: Migrating DNS servers, need advice on hardware

2009-09-20 Thread Alan Clegg
Frank Bulk wrote: > Perhaps the inverse would be more interesting: what's the lowest-spec > hardware that could host an OS that would run the latest version of BIND. =) It's not exactly "low-end" hardware, but I have BIND 9.4.2 running on my iPhone. AlanC

Re: DNS Maintenance

2009-07-08 Thread Alan Clegg
Alans wrote: > Can someone tell me how webhosting providers or ISPs do maintenance on > their DNSs? > > I mean, can they take it offline? What is the procedure usually? You need to define "maintenance". With very few exceptions (none?) I can't think of a reason to take a DNS server off-line to

Re: approach on parsing the query-log file

2009-04-28 Thread Alan Clegg
Jonathan Petersson wrote: > So I gave tail a try in perl both via File::Tail and by putting tail > -f in a pipe. As was stated previously in this thread, you are going down a bad path by using query-log for any purpose beyond short debugging sessions. The loss in performance is rather painful. T

Re: name server zone list

2009-04-03 Thread Alan Clegg
The entire list of zones is available in XML format in the statistics channel in 9.5. Yep, you need to parse for it, but it's there... AlanC

Re: Lookup of delegation NS records

2009-03-28 Thread Alan Clegg
Cherney John-CJC030 wrote: > Is it possible to use nslookup or dig to look up delegation records? I > can use them to get the nameservers for a particular domain, but I also > want to see the nameservers it would delegate to. So far, the only way I > can figure out to do that is to parse the actual

Re: Stats

2009-03-27 Thread Alan Clegg
John D. Vo wrote: > What do you guys use to turn this: > --- Statistics Dump --- (1238151600) > +++ Statistics Dump +++ (1238155200) > success 3280261 > referral 363 > nxrrset 745513 > nxdomain 392614 > recursion 1173408 > failure 1115632 > --- Statistics Dump --- (1238155200) > > into something

Re: "stealth master" DNS Security

2009-03-25 Thread Alan Clegg
Ram Akuka wrote: > Is there any way I can encrypt the zone transfer data (without using > any third-party encryption tool)? Why exactly do you want to do this? DNS data is NOT PROTECTED DATA. As long as queries and responses are permitted in the clear (which is the way DNS works), you are onl

Re: Pseudo-Master Zones

2009-03-25 Thread Alan Clegg
Chris Dew wrote: > No, we've had to work around these limitations of axfr/notify, so that > we can take this concern away from our customers. What "limitations" are you talking about specifically? > I would love to find a nice bind-supported way of dealing with > views/axfr/notify, so if you find
