Re: error (broken trust chain) resolving

2010-11-02 Thread Alan Clegg
On 11/2/2010 8:36 AM, Brian J. Murrell wrote: > Alan Clegg isc.org> writes: >> > > Hi Alan, > >> There isn't a chain of signed DS records that lead from a trust anchor >> to the thing that you are trying to resolve. > > I guess I'm going to

Re: no. of Views and Zones

2010-11-04 Thread Alan Clegg
On 11/4/2010 12:22 AM, Alans wrote: >> On 10/31/2010 4:48 AM, Alans wrote: >> Have 2 questions, is there any limitation (beside hardware) on number of >> views? I mean creating a view/customer? >> And is there any limitation for number of zones/view? > > Since I didn't got exact answer for my ques

Re: no. of Views and Zones

2010-11-08 Thread Alan Clegg
> Thanks Alan, I'll try to do more research and I really like to hear from > you or anyone else about better solutions if possible. I think your best solution is to not try to play traffic cop with DNS. If "customers" don't want their users to access XYZ, let THEM run a proxy or firewall that fi

Re: DNSSEC with 9.7.2-P2

2010-11-12 Thread Alan Clegg
On 11/12/2010 7:49 AM, David Forrest wrote: > While running BIND 9.7.2-P2 built with defaults on F11 [..] > and, on checking named.conf, I found the entry for br. as: > trusted-keys { > "br." 257 3 5 > "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr

Re: IPAM advantages (was Re: MySQL BIND SDB)

2010-11-17 Thread Alan Clegg
On 11/17/2010 7:15 AM, Gary Wallis wrote: [.. Discussion of non-open-source IPAM solutions ..] > (If we use FOSS BIND why should we support anti FOSS businesses like > many mentioned above?) Several of the businesses listed in the original post are BIND Forum members and are supporting ISC in th

Re: ZSK syntax problems bind9.7.1P2

2010-12-03 Thread Alan Clegg
On 12/3/2010 9:55 PM, Martin McCormick wrote: > dnssec-keygen -K /var/named/etc/namedb/dynamic/okstate.edu -s 7 RSASHA1 -b > 1024 -n ZONE okstate.edu [..] > So, what should I have in that particular command to make it generate the ZSK? dnssec-keygen -K /var/named/etc/namedb/dynamic/okstate.

Re: ZSK syntax problems bind9.7.1P2

2010-12-03 Thread Alan Clegg
On 12/3/2010 10:14 PM, Martin McCormick wrote: > Alan Clegg writes: >> dnssec-keygen -K /var/named/etc/namedb/dynamic/okstate.edu okstate.edu >> >> Nothing else needed since you are using the defaults... > > Thank you. I was trying to make things difficult, I

Re: Almost Ready for DNS-SEC but Slightly Confused in Home Stretch

2010-12-10 Thread Alan Clegg
On 12/10/2010 11:17 AM, Martin McCormick wrote: > Is there, somewhere, a linear description of this > process that starts out like: > > 1. Do this. > > and leading up to > > x. Congratulations! you have dnssec working. > > None of these steps in the puzzle have been hard, so far, but >

Re: dnssec subzone not signed question

2010-12-22 Thread Alan Clegg
> Showing my ignorance, can I > Just not sign the dynamic subzones, wirelessN/buildingN.example.edu > , even though example.edu > is signed? Sure. As long as you don't put a DS record in the parent, you most certainly don't HAVE to sign the chi

Re: dnssec subzone not signed question

2010-12-22 Thread Alan Clegg
On 12/22/2010 6:49 PM, jim wrote: > Sorry, still needing spoon fed. No problem. You might be interested in a presentation that I gave at NANOG earlier in the year: ftp://ftp.isc.org/isc/pubs/pres/NANOG/50/DNSSEC-NANOG50.pdf > When you say DS record in the parent, would this be .example.edu >

Re: auto update signatures dnssec

2010-12-27 Thread Alan Clegg
On 12/27/2010 1:07 AM, fakessh wrote: > good day and merry christmas. Thanks, and to you as well. > I just put in place guidelines in bind config to update the signatures > dnssec > I'm looking for options that require the least amount of maintenance that > all updates of signatures are performed

Re: auto update signatures dnssec

2010-12-28 Thread Alan Clegg
On 12/28/2010 5:04 PM, fakessh @ wrote: >>> Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: >>> error reading private key file fakessh.eu/DSA/9552: file not found >> >> It seems that the .key and .private files are not in the right place. > what is the right place ? In your na

Re: DNSSEC - mismatch between algorithm and type of NSEC

2010-12-29 Thread Alan Clegg
On 12/29/2010 3:37 AM, Marc Lampo wrote: > However, we now found the following case : > 1) registrar offers us DNSKEY information with algorithm 7 : > RSASHA1-NSEC3-SHA1 > 2) in the zone file, there are NSEC (and not NSEC3) records This is not an error. The only reason for there being "different

Re: question about multiple queries in a single dns packet

2010-12-29 Thread Alan Clegg
On 12/29/2010 2:17 PM, Federico Barbieri wrote: > Not sure if this is the right place to ask but I've been trying to dig > around and found nothing... > > reading the dns specification it would seems possible to send multiple > request in a single packet. I'm not sure what the actual reference is

Re: bind replication

2010-12-31 Thread Alan Clegg
On 12/31/2010 9:39 AM, p...@mail.nsbeta.info wrote: > Ben Croswell writes: >> It seems like you >> are making the process more complex, instead of just letting BIND do it's >> job. > > No. because I have many zones, and each zone has some views. > So the standard zone-transfer will most likely get

Re: Dynamic zone...

2010-12-31 Thread Alan Clegg
On 12/31/2010 9:59 PM, Lyle Giese wrote: > My approach would be to use a dynamic host service like dyndns.com. > > I setup a remote1.homedns.org with a cname in my zone: > > remote.abc.com 3600 in cname remote1.homedns.org > > And use a dynamic dns client on the laptop. Then you don't even car

Re: bind replication

2010-12-31 Thread Alan Clegg
On 12/31/2010 9:50 PM, p...@mail.nsbeta.info wrote: > Alan Clegg writes: >> >> Done carefully (which will be the case in all circumstances), doing zone >> transfers within views of many zones is no more "likely to get broken" >> than doing it with external

Re: transfer with views

2011-01-01 Thread Alan Clegg
On 1/1/2011 9:15 AM, Gary Wallis wrote: > You will need to setup one virtual IP for each extra view. Not since very versions of BIND that are long-since EOL'd. The FAQ goes into how to use TSIG keys to deal with "picking the right one". > This is what no one here addresses clearly and upfront:

Re: DNSSEC validation on combined auth+recursive server

2011-01-06 Thread Alan Clegg
On 1/6/2011 3:38 AM, Eivind Olsen wrote: > I seem to remember seeing something about DNSSEC validation not working > when a BIND server is used both to serve the DNSSEC signed zone > authoritatively, and as a resolver? Unfortunately, I haven't managed to > find this information again, and now I'm

Re: check the master/slave status

2011-01-07 Thread Alan Clegg
On 1/7/2011 3:08 PM, blr maani wrote: > 1. For each zones, check serial number on both master(s) and slave(s) > for the zone and compare it. Report mismatch if any. dig +nssearch AlanC
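
An added example (not from the list or from ISC) of turning the one-word answer above into a check: it parses the per-server lines that `dig +nssearch` prints, finds the newest serial using RFC 1982 serial arithmetic (so a wrap at 2^32 is not mis-read as a rollback), and reports lagging and silent servers. The sample output and the 192.0.2.x / 2001:db8:: addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of `dig +nssearch example.net` output; the server
# addresses are documentation prefixes, not real name servers. +nssearch asks
# every NS of the zone for its SOA and prints one line per server that
# answered; a server that times out prints nothing, so absence is a signal too.
SAMPLE_NSSEARCH = """\
SOA ns1.example.net. hostmaster.example.net. 2011010702 3600 900 604800 86400 from server 192.0.2.1 in 2 ms.
SOA ns1.example.net. hostmaster.example.net. 2011010702 3600 900 604800 86400 from server 192.0.2.2 in 4 ms.
SOA ns1.example.net. hostmaster.example.net. 2011010699 3600 900 604800 86400 from server 2001:db8::53 in 7 ms.
"""

SOA_LINE = re.compile(
    r"^SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<serial>\d+)\s+"
    r"(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)"
    r"\s+from server\s+(?P<server>\S+)\s+in\s+(?P<ms>\d+)\s+ms\.?$"
)


def parse_nssearch(text: str) -> Dict[str, int]:
    """Map each answering server address to the SOA serial it reported."""
    serials: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SOA_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dig +nssearch line: {line!r}")
        serials[m.group("server")] = int(m.group("serial"))
    return serials


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: is a older than b on the 32-bit ring?

    A plain integer compare breaks at the wrap (4294967295 -> 0), and the
    ring compare is exactly what a slave uses to decide whether a transfer
    is worth doing after a NOTIFY or SOA refresh.
    """
    return a != b and ((b - a) & 0xFFFFFFFF) < 0x80000000


def find_stale(serials: Dict[str, int], expected_servers: List[str]) -> dict:
    """Report servers lagging behind the newest serial and servers that never answered."""
    newest = None
    for s in serials.values():
        if newest is None or serial_lt(newest, s):
            newest = s
    stale = {srv: s for srv, s in serials.items()
             if newest is not None and serial_lt(s, newest)}
    silent = [srv for srv in expected_servers if srv not in serials]
    return {"newest": newest, "stale": stale, "silent": silent}


if __name__ == "__main__":
    # In real use: text = subprocess.run(["dig", "+nssearch", zone], ...).stdout
    print(find_stale(parse_nssearch(SAMPLE_NSSEARCH),
                     ["192.0.2.1", "192.0.2.2", "2001:db8::53", "192.0.2.3"]))
```

Feed it the real output of `dig +nssearch <zone>` and the list of servers you expect to answer; a server missing from the output is usually the more urgent finding than one that is a serial behind.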

Re: bind9 and IPV6

2011-01-13 Thread Alan Clegg
On 1/13/2011 9:19 AM, hugo hugoo wrote: > For all users... > > Can anybody give me information on the IPV6 compatibility of BIND9 > compared to BIND8? > It is not clear what is present in BIND9 and not in BIND8 regarding IPV6. > > I have created an IPV6 record in BIND8 and it works... > > Tha

Re: rndc addzone and file name

2011-01-13 Thread Alan Clegg
On 1/13/2011 9:43 AM, Peter Andreev wrote: > I have several includes which are edited via hand-written script and > now I'm trying to simplify it by using add/delzone options of rndc. Yay! > So, the question is: how can I specify files where rndc addzone puts > new zones' descriptions? You prov

Re: rndc addzone and file name

2011-01-13 Thread Alan Clegg
On 1/13/2011 11:08 AM, Peter Andreev wrote: > I've executed > rndc addzone test.test '{ type master; file "/etc/namedb/master/test.1"; };' > > and have got the file /etc/namedb/3bf305731dd26307.nzf: > zone test.test { type master; file "/etc/namedb/master/test.1"; }; > > The question was: can I

Re: rndc addzone and file name

2011-01-14 Thread Alan Clegg
> You haven't understood. I have several includes within one default > view and I need to add zones to them. Different zones to different > includes. For me name of view doesn't matter. The zones added using "addzone" and removable using "delzone" aren't going to show up in your include files. T

Re: rndc addzone and file name

2011-01-14 Thread Alan Clegg
On 1/14/2011 4:06 PM, Timothe Litt wrote: >>> You can use the 'named-checkconf -p' to create a fully "expanded" >>> version of the running configuration file as needed for bug reports, etc. > > ?? Including zones added by "addzone"? How does checkconf find them? Well, it _should_ find them the s

Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

2011-01-25 Thread Alan Clegg
On 1/25/2011 9:51 AM, Kalman Feher wrote: > If the nsec3param has been removed, the automated signing will be weird if > you are using nsec3 keys. I haven't tested this scenario, since it isn't > really a working scenario. There is no such thing as an "nsec3 key". If you auto-sign a zone that does

Re: bind Bind or BIND?

2011-01-26 Thread Alan Clegg
On 1/26/2011 9:22 PM, Chuck Swiger wrote: > On Jan 26, 2011, at 6:02 PM, p...@mail.nsbeta.info wrote: >> When talk to others, I never describe it clearly for naming bind. >> is it "bind" or "Bind" or "BIND"? is bind an abbreviation word? > > Yes, BIND is an acronym for Berkeley Internet Name Daem

Re: rndc confusion

2011-01-26 Thread Alan Clegg
On 1/26/2011 9:39 PM, donovan jeffrey j wrote: > I had some issue with an invalid key so i ran rndc-confgen -a which > gave me a new key in /etc/rndc.key. so now rndc works fine. > > but when looked at /etc/rndc.conf the key was different than the > /etc/rndc.key. i thought they had to be the sam

Re: rndc confusion

2011-01-26 Thread Alan Clegg
On 1/26/2011 10:27 PM, donovan jeffrey j wrote: > okay > so what is the rndc.conf for ? -- my finger is on the rm button. > is it for listing other server keys ? rndc.conf is used by rndc in the circumstances that you have put the required "controls" section into your named.conf directly (where t

Re: bind Bind or BIND?

2011-01-27 Thread Alan Clegg
On 1/27/2011 5:20 AM, Stacey Jonathan Marshall wrote: > On 27/01/2011 02:43, Alan Clegg wrote: >> On 1/26/2011 9:22 PM, Chuck Swiger wrote: >>> Yes, BIND is an acronym for Berkeley Internet Name Daemon. >> Berkeley Internet Name Domain. > > Hi Alan, > > Could

Re: Good news! Very good!

2011-01-30 Thread Alan Clegg
On 1/30/2011 4:41 AM, p...@mail.nsbeta.info wrote: > listman, > why this user has been always staying here for sending spams? > Regards. Things happen, spammers send junk, they are then unsubscribed from the list as soon as we notice (and get back from the weekend). All done, user zapped. AlanC

Re: Clarification on wildcard scenario

2011-01-31 Thread Alan Clegg
On 1/31/2011 10:42 PM, rams wrote: > $ORIGIN joshfeb1.com . > @ IN SOA rboddeti.yahoo.com . > rboddeti.gmail.com . ( > 2011013101 ; serial > 10800 ; refresh >

Re: syntax/format of zone on slave $ORIGIN/paragraph - sorted?

2011-02-10 Thread Alan Clegg
On 2/10/2011 8:40 AM, Walter Smith wrote: > Oh Thanks - I understand that - I can't comprehend the logic behind > composing _same_ $ORIGIN paragraphs over-and-over again - this is an > example [...] I'd recommend using "masterfile-format raw;" on the slaves and then you don't care how BIND takes t

Re: syntax/format of zone on slave $ORIGIN/paragraph - sorted?

2011-02-10 Thread Alan Clegg
On 2/10/2011 10:11 AM, Walter Smith wrote: > So - I want to combine and sort unique $ORIGINs without seeing same > $ORIGIN again and again. The question was asked, but I didn't see an answer... What are you doing with the zones on the slave server that you think is actually safe to do? Why not j

Re: process of updating slave servers

2011-02-15 Thread Alan Clegg
On 2/14/2011 10:30 PM, Terry. wrote: >> slave options; >> allow-transfer { 10.1.1.2; }; > > In practical the slave doesn't have the allow-transfer option. Sure it does. Any authoritative server (master or slave) can act as the source for a zone transfer. AlanC

Re: $GENERATE for /8 networks

2011-02-17 Thread Alan Clegg
On 2/17/2011 10:20 AM, Mark Watts wrote: > > Is there a way I can use $GENERATE to generate PTR records for the whole > of 10.0.0.0/8 in one line? No. There is not. I must ask -- do you REALLY need to fill all of a /8? What is the requirement for this? AlanC

Re: Optimising rndc reload times on a slave server with 50,000 zones

2011-02-28 Thread Alan Clegg
On 2/27/2011 1:15 AM, Dennis Perisa wrote: > Thanks Doug. Yes, helps a lot. And yes, this is to handle adding new > zones. Look into BIND 9.7.2 or newer and the "rndc addzone" capabilities. Solves the problem without needing to reload/restart/reconfig at all. AlanC

Re: Slaves and views

2011-03-04 Thread Alan Clegg
On 3/4/2011 11:46 AM, John Wobus wrote: > I'm going to split our authoritative servers into internal > and external views. Is there anything I can do to try to talk you out of doing this? AlanC

Job opening at ISC -- come work with us!

2011-04-12 Thread Alan Clegg
We are currently looking for someone to jump into the fray that is support here at ISC... https://www.isc.org/about/jobs/open-source-sw-sup-eng If you have any questions about the position, feel free to send me e-mail (please not to the list -- that wouldn't work out well for anyone). AlanC

Re: named crashed (mem.c:1099: INSIST(ctx->stats[i].gets == 0U) failed)

2011-04-12 Thread Alan Clegg
On 4/12/2011 8:32 AM, Khuu, Linh Contractor wrote: > Last night, our named crashed with the following errors: > > daemon:crit named[221184]: mem.c:1099: INSIST(ctx->stats[i].gets == 0U) > failed > daemon:crit named[221184]: exiting (due to assertion failure) > > named restarted fine and runnin

Re: Job opening at ISC -- come work with us!

2011-04-12 Thread Alan Clegg
On 4/12/2011 7:18 AM, Alan Clegg wrote: > We are currently looking for someone to jump into the fray that is > support here at ISC... > > https://www.isc.org/about/jobs/open-source-sw-sup-eng I've been asked about the "location" of this job and I feel tha

Re: AW: ipv6 PTR in zone file

2011-04-13 Thread Alan Clegg
On 4/13/2011 6:58 PM, Michel de Nostredame wrote: > Not sure how large will be the effort to add a new directive into > BIND, but that just a feed back, and wish, from me and my team > members, who needs to maintain few hundreds of statically assigned IPs > for servers and CE/PE routers. Dynamic

Re: start script for bind9

2011-04-14 Thread Alan Clegg
On 4/14/2011 10:23 AM, hugo hugoo wrote: > I know that if bind is installed via apt-get install (I am using debian > linux version), there is automatically a bind9 startup script in > /etc/init.d/ directory. Since named "just works" and I do everything else using rndc, I have the following line i

Re: DNS Racing -Multi ISP load balancing with failover using DNS.

2011-05-29 Thread Alan Clegg
On 5/29/2011 5:12 PM, Maren S. Leizaola wrote: > IT is a poor man’s replacement for BGP multihoming and IP anycast. > Hey it is Free and you can implement it using BIND. And you've just broken DNSSEC. AlanC

Re: Slow list

2011-06-01 Thread Alan Clegg
On 6/1/2011 7:16 AM, /dev/rob0 wrote: > On Wed, Jun 01, 2011 at 09:54:04AM +0200, Jan-Piet Mens wrote: >>> Does anyone else find the bind-users list to be very slow? >> >> Yes, very. [Pressing 's'end at 09:54 CET] > > I think it's moderated. Sending at 11:16 UTC. It's not moderated. I'll have op

Re: question about thehartford.com domain

2011-06-15 Thread Alan Clegg
On 6/15/2011 8:28 AM, M. Meadows wrote: > Question : why does eftc as an address record in the thehartford.com > zone file have a 30 second TTL? Seems … very … short. I think most > nameservers won’t do less than a minute for an address record. Right? No. There is no problem with a short TTL. >

Re: no servers could be reached

2011-07-28 Thread Alan Clegg
On 7/28/2011 4:16 AM, uifid...@gmail.com wrote: > view localhost_resolver { > match-clients { localhost; }; > match-destinations { localhost; }; > recursion yes; > include "/etc/named.rfc1912.zones"; > }; > view czj { > match-clients { 192.168.18.128; localhost

Re: Format of the IPv6 reversed zone

2011-07-28 Thread Alan Clegg
On 7/28/2011 3:35 PM, eugene tsuno wrote: > > There is a little perl ipv6 calc that I use ipv6calc so I don't mis-typo it. > > ipv6calc --addr_to_ip6arpa 2001:1930:c00::2 > No input type specified, try autodetection...found type: ipv6addr > 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.3.9.1

Re: make zones default to frozen while allowing dynamic updates

2011-07-30 Thread Alan Clegg
On 7/30/2011 6:22 PM, Naveen Nathan wrote: > I'm running BIND 9.3.1. Is there a way to specify a zone should default > to frozen if an allow-update { ... } statement is specified? 1) upgrade 2) no I'm curious as to why you would want to do this. AlanC

Re: Stats ouput 9.3 vs 9.7

2011-09-07 Thread Alan Clegg
On 9/7/2011 11:13 AM, Baird, Josh wrote: > Is there a way to revert back to the old stats format? Is there an > easier way to reveal query stats via SNMP in 9.7? Any recommendations? > I'm really looking to get QPS statistics. I can modify my parser script > if necessary, but I thought I would c

Re: SERVFAIL

2011-09-15 Thread Alan Clegg
On 9/15/2011 4:14 AM, kshitij mali wrote: > ; <<>> DiG 9.2.4 <<>> completefreight.net.au [...] If your version of BIND matches your version of dig, all bets are off. Please upgrade and see if you continue to have problems. AlanC

Re: Query regarding NS record

2011-09-18 Thread Alan Clegg
On 9/18/2011 9:01 AM, babu dheen wrote: > mycompany-dns-server-ip INA 10.10.10.10 > mail.myoffice.com INNS One thing to note is that NS records take labels and not IP addresses. AlanC

Re: "auto-dnssec maintain" stoped working again...

2011-10-03 Thread Alan Clegg
On 10/3/2011 6:25 AM, Michelle Konzack wrote: > Hello Mark Andrews, > > On 2011-10-03 20:16:33, you wrote: >> No. It looks completely wrong. Someone/something has re-named the K* files. >> As the K* files have been renamed named can't find them. > > No, they are found correc

Re: DNSSEC SERVFAIL when parent zone has no DS record

2011-10-05 Thread Alan Clegg
On 10/5/2011 5:21 AM, Sergio Charpinel Jr. wrote: > After suplying DS and the respective NS record for subdomain in the > parent zone (domain.com), it works. If I disable dnssec in my > recursive server, it also works. > So, if a zone is not signed properly (or doesnt have DS records) the > query

Re: Logging queries and answers

2011-10-06 Thread Alan Clegg
On 10/6/2011 7:27 AM, 风河 wrote: > On Thu, Oct 6, 2011 at 4:32 PM, Job wrote: >> Hello Bind-Users ML, >> >> is there a way, a patch or something else, in order to log: >> >> - date/time >> - client >> - request (es www.site.com) >> - reply (es. 1.1.1.1) >> >> in a file, without using debug log form

Re: Using DNSSec with BIND

2011-10-26 Thread Alan Clegg
On 10/26/2011 1:53 PM, Mike Rostermund wrote: > Hi all, > > I've managed to set up two new DNS servers. One as a master, and the > second as a slave. > All works perfectly using the traditionally DNS services, but I want to > get DNSSec up and running. > So far I've managed to create the key's nee

Re: NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Alan Clegg
On 10/27/2011 11:02 AM, Jonathan Stewart wrote: > Also, is this normal/expected behaviour? How can i get ns0 (and the > others) to NOTIFY ns1 when the serial is incremented? Must i use an > explicit {also-notify} ? Yes, this is expected. Since NS1 is the "master" server (since it is in the SOA

Re: several master ip's for a slave zone

2011-11-05 Thread Alan Clegg
On 11/5/2011 4:21 AM, kalpesh varyani wrote: > How does this feature address the risk that data provided by one master > might get overwritten by another? The use of the word "masters" in the configuration of a slave zone is a bit misleading. Under most circumstances, you list the authoritative s

Re: several master ip's for a slave zone

2011-11-05 Thread Alan Clegg
On 11/5/2011 9:32 AM, Felix New wrote: > if i have several master servers, whether i must ensure that all the > master server's serial are the same? i think this is a little complex, > in particular zone is updated by dynamic update(In such a scenario, the > serial number is controled by every sin

Re: BIND started several times at one time

2011-11-15 Thread Alan Clegg
On 11/15/2011 7:19 PM, Aleksander Kurczyk wrote: > This will not be a server for public use. I just want to try make a > configuration of two or more servers with zone transfers, > master/slave, notify, etc. locally (on 127.0.0.1 but on different > ports). How can I do that? I have to install name

Re: Query zone expiration time

2011-11-16 Thread Alan Clegg
On 11/16/2011 5:11 PM, Hajducko, Steven wrote: > We had a master die and we’ve been meaning to move it off to a newer > system. We’re trying to determine how much time is left on the zones in > order to see if we can do it right or if we have to quickly recover the > master. Change the "type sla

Re: Bind and ntp.org server refused issue

2011-11-21 Thread Alan Clegg
On 11/21/2011 10:47 PM, Eduardo Bonsi wrote: > Hello; > > Does NTP interfere with DNSSEC configuration? Apple computers have their > own time synchronized and configured through the time.apple.com. > -Is that enough or do I have to configure NTP to work with their > pool.ntp.org server? No. That

Re: rndc flush does not work

2011-11-22 Thread Alan Clegg
On 11/22/2011 2:30 AM, Binu B Nair wrote: > On attempting to clear cache using “rndc flush”, this does not work. > However a named restart clears the cache. What could be the problem? Am > I doing something wrong or have I understood the “rndc flush” incorrectly? What makes you think that "rndc f

Re: dnssec-keygen not responding

2011-11-29 Thread Alan Clegg
On 11/30/2011 12:15 AM, vishesh kumar wrote: > Hi All > > I am trying to generate keys for signing vishesh.com > domain using following command (for testing purpose) > > dnssec-keygen -a RSASHA1 -b 768 -n ZONE vishesh.com . > > But it's not responding , i

Re: How can someone know Sub-Domains?

2011-12-25 Thread Alan Clegg
On 12/25/2011 6:25 PM, Michelle Konzack wrote: > OK, first thanks to Carsten S. which pointed me to ldns-walk and yes, I > can see all hosts configured with NSEC and. > > If I use 'ldns-walk debian.org' which is secured through DNSSEC too, I > get only tons of > > no rrlist > > which my

Re: bind 9.9 & inline-signing issue..

2012-01-30 Thread Alan Clegg
On 1/30/2012 5:28 AM, Howard Leadmon wrote: > Jan 30 05:23:26 minbari named[30332]: zone leadmon.org/IN/external > (unsigned): loaded serial 2012012901 > Jan 30 05:23:26 minbari named[30332]: zone leadmon.org/IN/external (signed): > serial 2012012901 (unsigned 2012012901) > Jan 30 05:23:26 minbari

Re: bind 9.9 & inline-signing issue..

2012-01-30 Thread Alan Clegg
On 1/30/2012 11:59 AM, Mark Elkins wrote: >>> Lastly - how does one 'view' the 'raw' format of a zone file? >> >> Use named-compilezone > > Guess that kind of makes some obscure logical sense. Works though > I do think that 'named-compilezone' should be able to work out the > format of the 'i

Re: $generate lhs problem. Manual needs to be updated.

2009-03-05 Thread Alan Clegg
Takahiro Masuda wrote: > Yes I guess I didn't understand it totally because in the example syntax > is shown as lhs defined at the beginning > *$GENERATE* /|range|/ /|lhs|/ [/|ttl|/] [/|class|/] /|type|/ /|rhs|/ [ > /|comment|/ ] > and when you read the explanation for lhs it shows the example ${-

Re: PTR zone / VLSM issue

2009-03-15 Thread Alan Clegg
Charles Lee wrote: > I believe its format should be: 96-127.51.212.195.in-addr.arpa > > The problem I seem to be having is what order the 96-127 should be in, > because in normal format the network is 195.212.51.96-127 (we basically > run address .96 to address .127) > > Can anyone help out wit
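
An added example, not from either thread above or from ISC, covering the two reverse-naming questions on this page: the ip6.arpa PTR name that the "Format of the IPv6 reversed zone" thread builds with ipv6calc (every one of the 32 nibbles of the expanded address, reversed), and the RFC 2317 "first-last" zone name and parent-side delegation records asked about here for 195.212.51.96/27. The "first-last" spelling follows the thread; RFC 2317 itself also shows a "first/prefixlen" form. Names such as ns1.example.net. are placeholders.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def reverse_ptr_name(addr: str) -> str:
    """Owner name of the PTR record for one address, with the trailing dot.

    IPv4 reverses the four decimal octets; IPv6 reverses all 32 hex nibbles
    of the fully expanded address, which is where hand-typing goes wrong.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = format(int(ip), "032x")          # 128 bits -> 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_name(prefix: str) -> str:
    """Name of the reverse zone that holds the PTRs for a prefix.

    ip6.arpa zones cut on nibble (4-bit) boundaries; in-addr.arpa zones cut on
    octet boundaries, except for the RFC 2317 classless case (/25../31) where
    the parent delegates a "first-last" label, e.g. 96-127.51.212.195.in-addr.arpa.
    """
    net: Network = ipaddress.ip_network(prefix, strict=True)
    if net.version == 6:
        if net.prefixlen % 4:
            raise ValueError("ip6.arpa zones can only be cut on nibble boundaries")
        nibbles = format(int(net.network_address), "032x")[: net.prefixlen // 4]
        return ".".join(reversed(nibbles)) + ".ip6.arpa."
    octets = str(net.network_address).split(".")
    if net.prefixlen % 8 == 0:
        return ".".join(reversed(octets[: net.prefixlen // 8])) + ".in-addr.arpa."
    if net.prefixlen < 24:
        raise ValueError("in-addr.arpa zones shorter than /24 must be on octet boundaries")
    first = int(octets[3])
    last = first + net.num_addresses - 1
    return f"{first}-{last}." + ".".join(reversed(octets[:3])) + ".in-addr.arpa."


def classless_delegation(prefix: str, ns: str) -> List[str]:
    """Records the *parent* /24 reverse zone needs for an RFC 2317 delegation:
    one NS for the first-last label and one CNAME per address pointing into it.
    The customer then serves the first-last zone with ordinary PTR records."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 delegation is for IPv4 prefixes between /25 and /31")
    child = reverse_zone_name(prefix)
    label = child.split(".")[0]                # e.g. "96-127"
    lines = [f"{label}\tIN\tNS\t{ns}"]
    for ip in net:                             # every address, including first and last
        host = str(ip).split(".")[3]
        lines.append(f"{host}\tIN\tCNAME\t{host}.{child}")
    return lines


if __name__ == "__main__":
    print(reverse_ptr_name("2001:1930:c00::2"))
    print(reverse_zone_name("195.212.51.96/27"))
    print("\n".join(classless_delegation("195.212.51.96/27", "ns1.example.net.")))
```

Python's ipaddress module also exposes `.reverse_pointer` for a single address; the expansion is written out above so the nibble handling and the zone-cut rules are visible.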

Re: Make changes en mass [done]

2009-03-24 Thread Alan Clegg
John D. Vo wrote: > Thanks Jeff. I prefer your way better, more eloquent than the brute > force method I did. To this point, nobody has updated the serial. AlanC

Re: Make changes en mass [done]

2009-03-24 Thread Alan Clegg
Todd Snyder wrote: > I am looking for a clever way to do the new serial number. Date will do > the first bit no problem (date +%Y%m%d), but I'd love to find a clever > way to auto increment the last 2 digits unless it's a new day. Then I > could use the same script every time. http://www.crufty.
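
An added example (mine, not the script linked above) of the YYYYMMDDnn serial bump the poster asks for: jump to today's date on the first change of the day, otherwise add one, and never go backwards even when the existing serial is already larger than today's date (a unix-timestamp serial, say), because a slave compares serials with RFC 1982 ring arithmetic and simply ignores a "smaller" one. The zone fragment is constructed for the example.

```python
import re
from datetime import date
from typing import Optional

SERIAL_MASK = 0xFFFFFFFF


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a is newer than b if the forward distance from b to a is under 2**31."""
    return a != b and ((a - b) & SERIAL_MASK) < 0x80000000


def next_serial(current: int, today: Optional[date] = None) -> int:
    """Serial to publish after `current`, keeping the YYYYMMDDnn scheme.

    First change of the day: today's YYYYMMDD00. Further changes the same
    day: +1 (nn rolling past 99 just looks like tomorrow's date and stays
    monotonic). If today's value would not count as newer (the serial is
    already ahead of today's date), fall back to +1 instead of publishing
    something slaves would treat as older and refuse to transfer.
    """
    today = today or date.today()
    candidate = int(today.strftime("%Y%m%d")) * 100
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) & SERIAL_MASK


# Matches the "<number> ; serial" line of the usual multi-line SOA layout.
SERIAL_LINE = re.compile(r"^(?P<indent>[ \t]*)(?P<serial>\d+)(?P<rest>[ \t]*;[ \t]*serial\b.*)$",
                         re.IGNORECASE | re.MULTILINE)


def bump_zone_file(text: str, today: Optional[date] = None) -> str:
    """Rewrite the first '<serial> ; serial' line of a zone file in place."""
    m = SERIAL_LINE.search(text)
    if m is None:
        raise ValueError("no '<serial> ; serial' line found; is the SOA on one line?")
    new = next_serial(int(m.group("serial")), today)
    return text[: m.start("serial")] + str(new) + text[m.end("serial"):]


# Constructed zone fragment for the example (example.net, documentation names).
SAMPLE_ZONE = """\
$ORIGIN example.net.
@   IN SOA ns1.example.net. hostmaster.example.net. (
        2011013101 ; serial
        10800      ; refresh
        3600       ; retry
        604800     ; expire
        86400 )    ; minimum
"""

if __name__ == "__main__":
    print(bump_zone_file(SAMPLE_ZONE, date(2011, 2, 1)))
```

Run it from the script that edits the zone, then `rndc reload <zone>`; for zones under dynamic update do not edit the file at all, let nsupdate drive the serial.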

Re: "stealth master" DNS Security

2009-03-25 Thread Alan Clegg
Ram Akuka wrote: > but encrypting the file system won't do the work here. > i agree that storing the key and the encrypted data on the same > machine is useless in security terms. that why i'm looking for a build > in solution . > is there's any way the slave server can save the zone in format > di

Re: Psuedo-Master Zones

2009-03-25 Thread Alan Clegg
Chris Dew wrote: > No, we've had to work around these limitations of axfr/notify, so that > we can take this concern away from our customers. What "limitations" are you talking about specifically? > I would love to find a nice bind-supported way of dealing with > views/axfr/notify, so if you find

Re: "stealth master" DNS Security

2009-03-25 Thread Alan Clegg
Ram Akuka wrote: > Is there's any way I can encrypt the zone transfer date (without using > any third-party encryption tool)? Why exactly do you want to do this? DNS data is NOT PROTECTED DATA. As long as queries and responses are permitted in the clear (which is the way DNS works), you are onl

Re: Stats

2009-03-27 Thread Alan Clegg
John D. Vo wrote: > What do you guys use to turn this: > --- Statistics Dump --- (1238151600) > +++ Statistics Dump +++ (1238155200) > success 3280261 > referral 363 > nxrrset 745513 > nxdomain 392614 > recursion 1173408 > failure 1115632 > --- Statistics Dump --- (1238155200) > > into something

Re: Lookup of delegation NS records

2009-03-28 Thread Alan Clegg
Cherney John-CJC030 wrote: > Is it possible to use nslookup or dig to look up delegation records? I > can use them to get the nameservers for a particular domain, but I also > want to see the nameservers it would delegate to. So far, the only way I > can figure out to do that is to parse the actual

Re: name server zone list

2009-04-03 Thread Alan Clegg
The entire list of zones is available in XML format in the statistics channel in 9.5 Yep, you need to parse for it, but it's there... AlanC

Re: approach on parsing the query-log file

2009-04-28 Thread Alan Clegg
Jonathan Petersson wrote: > So I gave tail a try in perl both via File::Tail and by putting tail > -f in a pipe. As was stated previously in this thread, you are going down a bad path by using query-log for any purpose beyond short debugging sessions. The loss in performance is rather painful. T

Re: DNS Maintenance

2009-07-08 Thread Alan Clegg
Alans wrote: > Can someone tell me how webhosting providers or ISPs do maintenance on > their DNSs? > > I mean, can they take it offline? What is the procedure usually? You need to define "maintenance". With very few exceptions (none?) I can't think of a reason to take a DNS server off-line to

Re: Migrating DNS servers, need advice on hardware

2009-09-20 Thread Alan Clegg
Frank Bulk wrote: > Perhaps the inverse would be more interesting: what's the lowest-spec > hardware that could host an OS that would run the latest version of BIND. =) It's not exactly "low-end" hardware, but I have BIND 9.4.2 running on my iPhone. AlanC

Re: cache dead records

2009-10-22 Thread Alan Clegg
On Oct 23, 2009, at 5:45, net...@royal.net wrote: We are using bind9 for DNS Cache. What the problem is, sometime the IP address for a domain is dead, but Bind won't know, and still responds the dead IP to clients, after that clients access the sites failed. So is there a way to do health ch

Re: 2 simultaneous hung Bind boxes

2009-10-28 Thread Alan Clegg
Justin Shore wrote: > The boxes are running fairly old Bind code, 9.5.1b2. Tomorrow I will > upgrade to 9.6.1rc1 (unless people believe 9.7.0b1 is ready for use). I would recommend not using beta or release candidate code in your deployment. If you want something that will stand up to customer

Re: multiple internal views not working (requested conf files

2009-11-02 Thread Alan Clegg
Kevin Darcy wrote: Views are matched in order, so "!10.x.5.0/24;" is redundant -- anything in that range would have been matched by the previous view. But, but by explicitly putting it there, the ordering of the views is no-longer important. "Better safe than sorry". AlanC
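
An added example (not from the thread or from ISC) modelling the two rules the exchange above turns on: inside one address_match_list the first element containing the client decides, and a leading "!" makes that decision "no match"; across views, the first view whose match-clients accepts the client wins. With those rules the explicit "!10.x.5.0/24;" is redundant in the original order but keeps the result correct if someone later reorders the views. 10.1.5.0/24 stands in for the redacted 10.x.5.0/24; the parser handles literal prefixes and any/none only, not key names or nested acls.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

AclElement = Tuple[bool, Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]  # (negated, prefix)


def parse_acl(text: str) -> List[AclElement]:
    """Parse a BIND-style address_match_list such as "!10.1.5.0/24; 10.0.0.0/8;".
    Only literal prefixes/addresses and the built-ins any/none are handled."""
    elems: List[AclElement] = []
    for item in text.replace("\n", " ").split(";"):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item[1:].strip() if negated else item
        if item in ("any", "none"):
            # "none" is "any" with the sense inverted: it matches nothing.
            neg = negated if item == "any" else not negated
            elems += [(neg, ipaddress.ip_network("0.0.0.0/0")),
                      (neg, ipaddress.ip_network("::/0"))]
        else:
            elems.append((negated, ipaddress.ip_network(item, strict=False)))
    return elems


def acl_matches(acl: List[AclElement], addr: str) -> bool:
    """named semantics: test elements in order; the FIRST prefix containing the
    address decides, and a negated element decides "no match". An address
    that hits no element does not match either."""
    ip = ipaddress.ip_address(addr)
    for negated, net in acl:
        if ip.version == net.version and ip in net:
            return not negated
    return False


def select_view(views: List[Tuple[str, List[AclElement]]], client: str) -> Optional[str]:
    """Views are tried in configuration order; the first whose match-clients
    accepts the client answers the query. None means named refuses it."""
    for name, acl in views:
        if acl_matches(acl, client):
            return name
    return None


# Views as in the thread, 10.1.5.0/24 standing in for the redacted "10.x.5.0/24".
DEPT = parse_acl("10.1.5.0/24;")
INTERNAL_LAZY = parse_acl("10.0.0.0/8;")                 # relies on view order
INTERNAL_SAFE = parse_acl("!10.1.5.0/24; 10.0.0.0/8;")   # explicit exclusion
EXTERNAL = parse_acl("any;")

VIEWS_ORDERED = [("dept", DEPT), ("internal", INTERNAL_LAZY), ("external", EXTERNAL)]
VIEWS_SWAPPED = [("internal", INTERNAL_LAZY), ("dept", DEPT), ("external", EXTERNAL)]
VIEWS_SWAPPED_SAFE = [("internal", INTERNAL_SAFE), ("dept", DEPT), ("external", EXTERNAL)]

if __name__ == "__main__":
    for label, views in (("ordered", VIEWS_ORDERED), ("swapped", VIEWS_SWAPPED),
                         ("swapped+negation", VIEWS_SWAPPED_SAFE)):
        print(label, "->", select_view(views, "10.1.5.7"))
```

Useful as a pre-commit check: run every client prefix you care about through the candidate named.conf view order and diff the results against the current one before reloading.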

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Alan Clegg
Hanno Böck wrote: dig baddata-A.test.dnssec-tools.org @localhost There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you. AlanC

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Alan Clegg
Hanno Böck wrote: Am Mittwoch 25 November 2009 schrieb Alan Clegg: There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you. Ok, that explains it. Are there any example domains with
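
An added example (mine, not from these threads or from ISC) of the delegation link that the DS-record answers on this page keep coming back to: a DS is the parent's commitment to one child DNSKEY, computed as a digest over the child's owner name in wire form followed by the DNSKEY RDATA, and tagged with the RFC 4034 key tag so a validator can pick the right key. The same functions cover the question in the "DNSSEC with 9.7.2-P2" and "SERVFAIL when parent zone has no DS record" threads: with no DS in the parent the child is merely insecure and answers come back without AD; with a DS that matches nothing the answer is bogus and the resolver returns SERVFAIL. The 2-byte key "AQI=" is a deliberately tiny constructed key so the tag can be checked by hand; nothing here is a real zone's key.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-case,
    length-prefixed labels, terminated by the root label 0x00."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (256 = ZSK, 257 = KSK with the SEP bit), protocol (always 3),
    algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum used only to choose among the
    keys in an RRset. It is not a hash; collisions are legitimate. (Algorithm 1,
    RSA/MD5, used a different rule and is long gone.)"""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 key tags are computed differently")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types, RFC 4034 / RFC 4509


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> str:
    """The DS record the parent must publish for this DNSKEY:
    digest = H(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_dnskey(ds_line: str, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey_b64: str) -> bool:
    """The check a validator makes at a delegation: does this parent-side DS commit
    to this child DNSKEY? Tag, algorithm and digest must all agree. (No DS at all,
    proven by NSEC/NSEC3, makes the child insecure rather than bogus.)"""
    fields = ds_line.split()
    tag, alg, dtype, digest = int(fields[-4]), int(fields[-3]), int(fields[-2]), fields[-1].upper()
    if alg != algorithm or dtype not in DIGESTS:
        return False
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype).split()
    return int(expected[-4]) == tag and expected[-1] == digest


if __name__ == "__main__":
    # Constructed 2-byte "key" (0x01 0x02); real RSA keys are hundreds of bytes.
    print(ds_from_dnskey("example.", 256, 3, 8, "AQI="))
```

Before handing a DS to a registrar, compare it against what `dnssec-dsfromkey` prints for the same K*.key file; after the parent publishes it, the same function run against the parent's DS and the child's DNSKEY is the check that the chain actually closes.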

Re: CLASS support

2009-11-30 Thread Alan Clegg
JFC Morfin wrote: At 19:36 30/11/2009, Florian Weimer wrote: > I understand that. But I need to use Private Use classes. The question > is how do I do it? Use CLASS999 and similar identifiers (just like TYPE999 for types). I guessed the format from the code. But it fails. named-checkconf says

Re: dnssec updated zone data is not live ??

2009-12-18 Thread Alan Clegg
Niobos wrote: On 17 Dec 2009, at 20:50, Kevin Darcy wrote: Cat'ing the zone file is no longer reliable once you've enabled a zone for Dynamic Update. There might be updates in the log file which haven't been committed to the actual zone file yet. That's why I recommended that you use an AXFR of

Re: strange dig behavior

2009-12-20 Thread Alan Clegg
Pamela Rock wrote: I don't know what is causing the refused. IP tables is off everywhere, and there are no ACL's on routers or firewalls. Has nothing to do with firewalls (or ACLs on routers). The only error I'm seeing is the following in the debug log 20-Dec-2009 19:21:09.443 query-errors

Re: Remove/add [A] records based upon server availability

2009-12-26 Thread Alan Clegg
Ryan S wrote: Is there a method in BIND to add/remove A records based upon server availability? i.e. host www has A records 1.1.1.1, 2.2.2.2, 3.3.3.3 If 3.3.3.3 is 'down' (via a ping test, for example) we remove it from the [A] record until such time that it is back 'up' and the host is added

Re: limit for cache-size?

2010-01-04 Thread Alan Clegg
Thomas Vogt wrote: Are there any limits in bind 9.6.* or 9.7.* for cache-size or know issues? I'm planing to use 8GB ram for named cache. The LRU cache cleaning introduced in BIND 9.5.0 should make your "large cache" work as expected. AlanC

Re: dig query

2010-01-06 Thread Alan Clegg
Pamela Rock wrote: > The following dig query > > dig gov +dnssec +noadflag @10.10.10.1 > > produces the following flags in the header section: > > ;; flags: qr rd ra ad; > > Question - what is the relation with the +dnssec and +noadflag > options in the query. I would think the query would pro

Re: dig query

2010-01-06 Thread Alan Clegg
Tony Finch wrote: > On Wed, 6 Jan 2010, Pamela Rock wrote: >> Does that imply that +adflag sets the ad bit on the query and the >> response where +dnssec only sets the ad bit on the responce? > > The AD flag is meaningless in a query. In a response it tells you whether > the server is authoritativ

Re: dig query

2010-01-06 Thread Alan Clegg
Tony Finch wrote: > The AD flag is meaningless in a query. In a response it tells you whether > the server is authoritative or not. It has nothing to do with DNSSEC. AD bit is authenticated data. AA bit is authoritative answer. AD has everything to do with DNSSEC. AA has nothing to do with DNS
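
An added example (not from the thread) that makes the AA/AD distinction above concrete by decoding the 16-bit flags word of a DNS header: AA is bit 10 and says the responder is authoritative for the zone; AD is bit 5 and says a validating resolver checked the answer against its trust anchors. The three headers at the bottom are constructed for the example, not captured packets; the flag names are listed in the order dig prints them.

```python
import struct
from typing import Dict, Iterable

# Bit positions inside the flags word (RFC 1035 section 4.1.1; AD and CD from
# RFC 4035 section 3.1.6), in the order dig prints them in its "flags:" line.
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}


def decode_header(packet: bytes) -> Dict[str, object]:
    """Parse the fixed 12-byte header at the front of any DNS message."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": ident,
        "flags": [name for name, bit in FLAG_BITS.items() if (flags >> bit) & 1],
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def flags_string(packet: bytes) -> str:
    """The text dig shows after 'flags:' for this header."""
    return " ".join(decode_header(packet)["flags"])


def is_authoritative(packet: bytes) -> bool:
    """AA: the server that answered serves the zone itself. Says nothing about DNSSEC."""
    return "aa" in decode_header(packet)["flags"]


def is_authenticated(packet: bytes) -> bool:
    """AD: a validating resolver verified every RRset in the answer and authority
    sections. It is just a bit in a cleartext packet, so it is only worth anything
    over a path to a resolver you already trust (localhost, or a TSIG/TLS channel)."""
    return "ad" in decode_header(packet)["flags"]


def encode_flags(names: Iterable[str], opcode: int = 0, rcode: int = 0) -> int:
    """Build a flags word; encode_flags(["rd", "ad"]) is what dig +adflag sends in a query."""
    word = ((opcode & 0xF) << 11) | (rcode & 0xF)
    for n in names:
        word |= 1 << FLAG_BITS[n]
    return word


def header(ident: int, flags: int, qd: int = 1, an: int = 0, ns: int = 0, ar: int = 0) -> bytes:
    """A bare 12-byte header (no question or answer payload) for experiments."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed headers, not captured traffic:
VALIDATED_FROM_RESOLVER = header(0x1234, 0x81A0, an=1)   # qr rd ra ad
CACHED_NOT_VALIDATED = header(0x1234, 0x8180, an=1)      # qr rd ra
FROM_AUTH_SERVER = header(0x1234, 0x8580, an=1)          # qr aa rd ra

if __name__ == "__main__":
    for pkt in (VALIDATED_FROM_RESOLVER, CACHED_NOT_VALIDATED, FROM_AUTH_SERVER):
        print(flags_string(pkt), "| authoritative:", is_authoritative(pkt),
              "| authenticated:", is_authenticated(pkt))
```

The same decoder can be pointed at the first 12 bytes of any pcap payload; an answer with AA but no AD is an authoritative server's own data, and an answer with AD but no AA is a validating cache vouching for someone else's.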

Re: bindvrs Vulnerability

2010-01-12 Thread Alan Clegg
Lightner, Jeff wrote: > Sometimes you have to do things like hiding your version just because it > came up on the security audit. It's a lot easier to make them shut up > by doing what they want than by explaining to them that what they want > is meaningless. That said, if your "security audit" a

Re: a question on bind cache

2010-01-14 Thread Alan Clegg
Tech W. wrote: > So, do you think is there a resolving way for Bind which can > implement the features: > > 1. check the popular domains' original IPs (like google's, yahoo's, > aol's etc), and exclude the dead IPs from its cache. > 2. for the popular domains, testing the access speed to each of

Re: a question on bind cache

2010-01-14 Thread Alan Clegg
>> http://lmgtfy.com/?q=content+distribution+network > Thanks, I know something about CDN. > But I also want to know if it's possible to let DNS handle this? BIND itself does not "do" this. You could monitor your services and then use dynamic DNS to change resource records based on the results,

[Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Alan Clegg
I find this important enough to forward on to bind-users. Please not the importance of trust anchor management. AlanC --- Begin Message --- [Apologies for duplicates] Dear Colleagues, We have discovered that recent versions of the Fedora Linux distribution are shipping with a package called "dn

Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Alan Clegg
Paul Wouters wrote: > With the current success of the DLV, and the root zone deployment half > a year away, it is not really required anymore. I think it is much better > to get rid of all trust anchors apart from the ISC DLV key. Do remember, however, that the DLV keys also roll, so this does ne

Re: multi master primary nameserver.

2010-02-08 Thread Alan Clegg
Gordon A. Lang wrote: > Did I recently hear correctly that some future version of BIND will > be supporting multi-master? That is in the plans. > I know slaves can forward updates to masters, but can masters also > forward updates to other masters? (I can look this up, but I'm > fishing for oth

Re: Bind 9.5.2-P1 and rrset-order

2010-02-19 Thread Alan Clegg
Denis Laventure wrote: > Hi, > > > > I have multiple ip adresses for one server: > > > > www.mydomain.com > A 10.0.0.1 > > www.mydomain.com > A 10.0.0.2 > > www.mydomain.com
