Hi,
I used this tutorial as reference to set up DNSSEC with SoftHSM2:
https://kb.isc.org/docs/bind-9-pkcs11
I installed the Debian package instead of building libp11:
libengine-pkcs11-openssl:amd64 0.4.12-0.1
It works until reaching this command:
$ dnssec-keyfromlabel \
-E pkcs11
Hi everyone,
I'm a developer on the Apache Pekko project, an open source fork of Akka.
One of our mentors has queried if we have a licensing issue for the files in
this directory.
https://github.com/apache/incubator-pekko/tree/main/actor-tests/src/test/bind/etc
The configs there are Bind9
figuration, to avoid
potential issues in future versions of BIND?
Thanks,
Nick.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more
So here is a theory if a client asks a query and bind goes out for that
query and the reply is delayed but you get the answer then for whatever
reason the reply to the client from bind is delayed more! So the quicker
the answer the quicker the answer to the client.
Why? I have no idea
and this from dig maybe a routing issue why it take so long for me?
C:\Program Files\ISC BIND 9\bin>dig @213.227.191.1
router14.teamviewer.com +norecurs
; <<>> DiG 9.16.45 <<>> @213.227.191.1 router14.teamviewer.com +norecurs
; (1 server found)
;; global
This is the thing the setup works for many site fast just this
Teamviewer and their DNS servers are a problem and bind does reply to
192.168.53.19 albeit 26 seconds later! but Teamviewer tries over and
over then it connects yet the for the WAN side took under 4 seconds to
get the answer WAN
are going, whether you receive ICMP unreachables
or retries etc.
Also do some tests. If you have BIND you should also have dig. If you don't
have dig, use Windows nslookup in interactive mode and send queries to the
teamviewer NSs.
Right now I would prove that the network is clean first. I see no reason to
This might show the problem even more on two interfaces WAN side and LAN
you can see 192.168.53.19 ask for routerpool8 #60 then bind goes out #62
gets an answer #75 and no reply back to 192.168.53.19
https://ufile.io/v8oob3jg
On starting Teamviewer it can say no connection when bind does the
lookup with this delay it causes bind to not reply LAN side sometimes
which causes the app to fail yet with a bind on Ubuntu there is no problem.
I'm just using bind to do my DNS lookups with no forwarders that's all
Teamviewer app uses DNS to find its servers from what I can tell it can
take over 4000ms to get an answer.
The following seems to help in bind
resolver-retry-interval 5000;
I think if I can then find a setting in windows
Hi there.
Can you send some information, for those unfamiliar with what you're trying
to do?
- Full BIND config
- IP addresses of relevant things, like interfaces of the servers on which
you are running BIND and of Teamviewer.
- What does Teamviewer need from DNS? What kinds of queries
Now its not working fast again! I don't know now must be Teamviewer DNS
delaying replies causing windows bind to fail in some way.
So more tests and the problem has come back but I think I know why
thinking internet sharing was the problem I found a way to disable it
because it bind shared access for port 53 on 0.0.0.0 so that the problem
I think now after testing with it on.
For any interested MS has made it really hard
I'm by no means an expert in DNS or how it fully works so I can't be of
any more help about this problem than I already have. But it seems
Teamviewer have rebooted their DNS servers and now windows bind allows
the Teamviewer to load faster
I don't know if this will be fixed before EOL for windows bind but here
is the problem
Teamviewer (and maybe other sites too) when you do the recursion when no
answer under 1000ms it tries again which is triggered by client windows
(not the one running bind) which also tries again for an answer
" (respectively). This was in spite of the fact that all
RRSIG records were replaced with the new ZSK more than a week prior. I
can only assume that the 9 days somehow relates to how long BIND wanted
to allow itself to generate RRSIGs for all the records in a really,
really large zone file?
will work, but at this
point I'm grasping at straws.
Thanks for your help
PS - sorry for the double post to the mailing list, I wasn't sure if my
last message in this thread went through.
On Sat, Nov 11, 2023 at 11:31 AM Evan Hunt wrote:
> On Fri, Nov 10, 2023 at 05:24:59PM -0500, Lannar Dean via b
" to the cf1 zone in view B, I get
zone 'cf1': 'in-view' used with incompatible zone options
So it appears my goal is still not achievable, unless I'm missing
something. Is there some other mechanism to achieve this end result
(sharing some zones between different user populations witho
missing something.
Is there some other mechanism to achieve this end result (sharing zones between
different user populations without loading multiple copies of the zone into
memory)?
I am currently running BIND 9.16.44 by the way.
Thanks for any advice!
of the
child domain zone is to delete the /var/cache/bind contents and restart the
slave daemon. What is the correct method of letting slave servers know that the
child domain zones are changed? I really want to avoid putting an "also-notify"
in the definition for child zone on the master.
", "internal-mail.example.com" and what have you
are fine because they are more specific than the general "example.com",
queries for which will just fall through to the outside world along with any
other name.
That was a bit of an essay, but I hope at least some of it made sens
on completely. Zones like
"internal-www.example.com",
"internal-mail.example.com" and
what have you are fine because they are more specific than the general
"example.com
/www.ietf.org/archive/id/draft-ietf-add-split-horizon-authority-06.html#name-internal-only-subdomains
It's just so much easier, particularly if you are starting from scratch.
any chance of pushing this through. Also DNSMasq does not
support replication (but it could be scripted). I could look for other
solutions but I doubt I would get anywhere in the company.
I'll spend some time investigating option F, thanks.
Nick
On 04/11/2023 02:03, Nick Tait via bind-users
certainly something that you will have no control over.
E.g. It could be something bogus on a web page that these devices have
all accessed?
Nick.
On 4/11/23 11:30, J Doe wrote:
Hello,
On a Bind 9.18.19 server configured as a recursive resolver, I
sometimes see URL's being noted in the log
distinct sets of authoritative servers, which don't
overlap in any way currently. E.g. Servers A (primary/master), B & C
(secondaries/slaves) are authoritative for internal zone
("Bind-internal"); Servers C (primary), D & E (secondaries) are
authoritative for external zo
On 03/11/2023 20:07, Marco M. wrote:
On 03.11.2023 at 19:54:32, Nick Howitt wrote:
How do you mean remove the zone information?
In your /etc/bind are configuration files.
Look for named.conf* and find those that include zones:
zone "f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa" {
t
On 03/11/2023 19:30, Marco M. wrote:
On 03.11.2023 at 19:18:49, Nick Howitt via bind-users wrote:
Can the bind-internal not be made to caching only and not
authoritative? If so, how?
Of course it can, simply remove the zone configuration, but it will
then cache the records from
Unfortunately they are not separate subdomains. They are all part of the
same domain. Can the bind-internal not be made to caching only and not
authoritative? If so, how?
On 03/11/2023 19:01, Andrew Pavlin wrote:
Have you considered making your internal DNS servers unpublished
secondaries
On 03/11/2023 18:06, Marco M. wrote:
On 03.11.2023 at 17:58:51, Nick Howitt via bind-users wrote:
On 03/11/2023 17:54, Marco M. wrote:
On 03.11.2023 at 17:48:32, Nick Howitt via bind-users wrote:
My problem is the use of external IP's duplicated between the
internal and external
On 03/11/2023 17:54, Marco M. wrote:
On 03.11.2023 at 17:48:32, Nick Howitt via bind-users wrote:
My problem is the use of external IP's duplicated between the
internal and external masters for some IPs/FQDNs which I want to get
rid of.
Implement IPv6 and get rid of the old IPv4
On 03/11/2023 17:17, Marco M. wrote:
On 03.11.2023 at 15:51:32, Nick Howitt via bind-users wrote:
As this site is externally accessible as well, we also have to put an
identical entry in bind-external so we end up having many identical
entries in bind-internal and bind-external.
It seems
Hmm, I'll admit to only skim reading it but it seems quite complicated
for what I was hoping for. It would be trivial if I could change the
bind-internal machine to using dnsmasq (ugh!). Then the bind-internal
machine would serve up anything it explicitly knew about to the internal
clients
Hi,
I am fairly new to bind but I am thinking my company's use of it is
sub-optimal. We have two bind masters (and a few slaves), one for
internal use so all our internal servers point to it or its slaves as
their DNS resolvers. I will call the internal one bind-internal and the
external one
, but it will take a large company to push them to do so.
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
From: bind-users On Behalf Of Paul Stead
Sent: Saturday, October 28, 2023 11:35 AM
Cc: bind-users@lists.isc.org
Subject: Re: 9.18 BIND not iterated
ain:
mofa.gov.bd. 86400 IN NS ns1.bcc.gov.bd.
mofa.gov.bd. 86400 IN NS ns2.bcc.gov.bd.
couldn't get address for 'ns1.bcc.gov.bd': not found
couldn't get address for 'ns2.bcc.gov.bd': not found
dig: couldn't get address for 'ns1.bcc.gov.bd': no more
root
Hello,
At this point I am hoping that somebody might have a workaround so that we can
exclude domains from this behavior if they are broken on the far end. Does
anybody have a workaround for this?
We are a small ISP and run BIND compiled from source. We currently run 9.16.x
Every time we try
o refresh my
> certificates.
Not perfect? What issues did you see? Thanks!
On 06-10-2023 at 10:28, Paul van der Vlis via bind-users wrote:
Hello,
I try to give a dynamic IP to a name, using nsupdate. This works fine,
but after some hours the IP is gone from the master (which I update).
Something like this:
Host home.customer.nl not found: 3(NXDOMAIN)
The IP
about the removal in the logs. But I saw a "freeze"
and a "thaw" in the logs for the domain.
Any idea why the IP removes after some time?
With regards,
Paul van der Vlis
--
Paul van der Vlis Linux systeembeheer Groningen
https://vandervlis.nl/
Hi there
On 02/10/2023 11:06, Kurt Jaeger wrote:
In the light of the recent exim security issues[1,2]
I'm trying to find out if bind 9.18.19, if used as resolver,
does enough validation to shield exim instances from CVE-2023-42119 ?
I added 'check-names response fail;' to the internal view
stick around.
I can only assume that the reason you have rumoured state is because you
are trying to roll your ZSK too soon after the previous ZSK rollover?
Have you checked the various timing settings in the KASP definition?
Nick.
On 30/09/23 11:32, Nick Tait via bind-users wrote:
On 29/09/
me both
DNSKEY records for the ZSK after I initiate the rollover when there
should be overlap as described in Automatic DNSSEC Zone Signing Key
rollover explained (isc.org) <https://kb.isc.org/docs/aa-00822>?
Bind 9.16.23 which seems to be the newest release provided by my
distributi
Nick.
if that server is publishing the new DS record.
I suppose the theoretical risk with #1 is that because the responses
from the authoritative servers aren't validated, it would be possible
for a MITM to trick BIND into thinking that the new DS records had been
published before they actually had, which
/@marcodavids | Matrix: @marco:sidnlabs.nl
Nostr: 11ed01ff277d94705c2931867b8d900d8bacce6f27aaf7440ce98bb50e02fb34
https://www.five-ten-sg.com/mapper/bind contains links to the source
rpm, and build instructions. This .src.rpm contains a .tar.gz file with
the ARM documentation, so the rpm rebuild process does not need sphinx-
build and associated dependencies
"example.com" IN {
> type forward;
> forwarders { 127.0.0.1 port xxx; a.b.c.d port xxx; };
> forward only;
> };
>
>
> Please share any other possible solutions.
> technologies both want a piece of the 10 pie. So it doesn't make sense that
> both of them have the whole /8. He needs to make a decision about which DNS
> is higher in the pecking order. Personally I would make it BIND.
> For instance, if you use 10.1 in MS land but 10.2, 10.3 and other
On Sat, 16 Sep 2023 10:22:26 +0100 (BST)
"G.W. Haywood via bind-users" wrote:
> Hi there,
> ...
>I'd be surprised if the OP couldn't manage with 2^20 IPs in a segment -
> but then I guess he does work in the .gov domain.
^^^
now in case I ever
come up against this myself.
(And it's the thirtieth anniversary of RFC1517. What did we miss? :)
--
73,
Ged.
. Haywood via bind-users <
bind-users@lists.isc.org> wrote:
> Hi there,
>
> On Sat, 16 Sep 2023, John Thurston wrote:
>
> > A host which auto-registers in MS DNS, creates an A in foo.alaska.gov
> > and PTR in whatever.10.in-addr.arpa. MS DNS is happy to publish those.
>
Hi there,
On Sat, 16 Sep 2023, John Thurston wrote:
A host which auto-registers in MS DNS, creates an A in foo.alaska.gov
and PTR in whatever.10.in-addr.arpa. MS DNS is happy to publish those.
But the DNS system running on BIND also has a whatever.10.in-addr.arpa
zone.
So if I want
zones. Screenshots? In a mailing list?? Try it anyway. You can redact
hostnames if you like, though they won't mean anything out of context.
Secondly, why do you have ...10 in BIND at all? What's its purpose?
Next, I would keep it simple. Don't try and replicate data in different
places if you
Hi John.
Can you tell me a bit more please?
- What zones exist in both BIND and MS DNS for something.10.in-addr.arpa?
- Where are hosts auto registering to? I'd guess MS, but it would be good
to confirm.
- What does fragmentation look like? A few real examples would be useful.
I'm trying
mples. Not the whole
config.
- "rndc zonestatus ". Use the same zones you chose from above.
Let’s see what we see.
Cheers, Greg
On 8 Sep 2023, at 01:24, Leroy Tennison via bind-users
wrote:
Just to clarify, the configuration I was referring to was supposed to have a
master and slave DNS serv
one file stored locally. Just change the "type", leave the
> "file" statement alone and delete (or comment) the "primaries".
Agreed.
> Does that help?
No. I have personally set up and administered a corosync / pacemaker
cluster to do a standby to master
primary because it
already has the zone file stored locally. Just change the "type", leave the
"file" statement alone and delete (or comment) the "primaries".
Does that help?
Greg
On Thu, 7 Sept 2023 at 19:31, Fred Morris wrote:
> Re-reading the KB article refe
Thanks for your reply, I certainly appreciate it.
On Tuesday, September 5, 2023 at 12:24:30 PM CDT, Fred Morris
wrote:
On Tue, 5 Sep 2023, Leroy Tennison via bind-users wrote:
>
> After some recent upgrading it was discovered that both DNS servers were
> configured as mas
for those issues? Thanks for any insight.
ame
time. This is so that, for popular domains, BIND only has to get an answer
once, for all clients who want it.
There is no such thing though as per-client query rate limiting. However,
there is response rate limiting, configured with "rate-limit", which (as
the name implies) limits th
NS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
This seems to be an issue with the domain incometax.gov.in.
DNSSEC looks like it is broken for that domain.
NS servers at our location also cannot resolve that directly but if I forward
that query to any ISP provider NS which are more lax it resolves just fine.
Thanks
Sandeep
From: bind-users
Hi Blason.
"incometax.gov.in" is a domain known to cause problems. Take a binary
packet capture and look at it in Wireshark. Also see this
https://dnsviz.net/d/incometax.gov.in/dnssec/
A workaround in BIND is to disable DNSSEC validation for just that domain
whilst leaving it on gene
Recommend you turn off DNSSEC validation and see if it starts working.
If it does, then you know the issue is with how DNSSEC is configured on your
server.
John
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Blason R
Sent: Wednesday, August 30, 2023 8:20 AM
To: bind
You may already have BIND installed; most distros do. If not, it's easy.
You don't *have* to run named, but tools like this (and dig, particularly)
are very useful to have.
Do "which arpaname" to see if you have it already.
Cheers, Greg
On Thu, 24 Aug 2023 at 08:00, Marco wr
On 8/21/23 10:11 AM, Mark Elkins via bind-users wrote:
Hi,
Hi,
1) Count how many delegated domains there are (Names with NS records)
Mind your $ORIGIN and check the number of NS record owners.
2) Extract the above Names - so I can look for changes (Added/Deleted names)
I suspect
ZA: https://ftth.posix.co.za
oesn’t yet exist but is tentatively planned for the
9.19.x timeframe. You can see more about it here:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2748
Best,
Richard.
From: bind-users On Behalf Of Ritterhoff, Florian
.
Original message
From: Ondřej Surý
Date: 31/07/23 8:10 PM (GMT+12:00)
To: matt...@peregrineit.net
Cc: bind-users@lists.isc.org
Subject: Re: Zone Transfers Being Refused

Well, for starters your primaries list 192.168.2.10, but your logs show connection from 192.168.1.1…
--
Ondřej Surý — ISC
Hi Petr!
> > For example, there are 8 secondaries (Mumbai, LosAngeles, Melbourne,
> > Atlante, SaoPaulo...) to which the XFR took 2361 seconds.
> >
> > Are there some mechanisms in Bind that put multiple XFRs together into
> a
> > common stream? Or do you
ds
2361 seconds
2362 seconds
For example, there are 8 secondaries (Mumbai, LosAngeles, Melbourne, Atlante,
SaoPaulo...) to which the XFR took 2361 seconds.
Are there some mechanisms in Bind that put multiple XFRs together into a common
stream? Or do you have any other ideas how it come that several XF
give the result
> you were expecting.
> - I did a dig for "specific.wildcard-test.dynx.me" against my own BIND
> server and it resolved to 1.1.1.1. So the issue is with your resolver. This
> is not new, just confirming that this must be the problem end, not the auth
> end.
&
Real data please:
- example queries (genuine, not invented for illustration)
- real domains
- real IP addresses
- packet captures
- both BIND server configs
- zone file contents
- startup logs
There are so many things it *could* be, the more information the better.
Cheers, Greg
On Sun, 16 Jul
2
> 11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at
> resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success [domain:
> cadyst.com
> ,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
>
> Regards Sam
A ns3.dnsv5.com.
enterprise3dnsadmin.dnspod.com. 1688974445 3600 180 1209600 180
...
Again, "Additional" count is wrong, and the SOA owner name is
wrong -- it should have been cloud.huawei.com, since the copy of
the NS RRset from the huawei.com zone indicates that
cloud.huaw
On 2023-07-07 12:17, Emmanuel Fusté wrote:
On 07/07/2023 at 11:57, Jakob Bohm via bind-users wrote:
On 2023-06-02 05:02, Jesus Cea wrote:
On 2/6/23 4:25, Mark Andrews wrote:
Yep, some people just don’t take care with delegations. Complain
to Huawei.
Complain to the other companies you
this misconfiguration works fine for 99.9%
of their users, clients of more "lax" DNS resolvers.
What I get from your reply is that BIND is not expected to do anything
about this. It is a bit disappointing but I agree that BIND is doing
the right thing. Too bad big players don't care. But I need
/23 11:29 PM (GMT+12:00)
To: bind-users@lists.isc.org
Subject: How to update zone with dnssec-policy

Dear all,
I have the following problem that changes in a zone file do not get active, no matter if I reload the zone using rndc or restarting bind 9.16.42 on FreeBSD.
If I update a zone I edit
it should be 755 or 750.
(As to linux a directory is a file the x is needed to parse(execute)
it.)
Thus giving the bind user and only the bind user (and root) exclusive
write access.
Whether you want them world readable is a matter of preference, I
don't think it is needed. Any user needing read
: error occurred
writing key to disk (retry in 600 seconds)
So, to bypass it had to change permissions of my /var/cache/bind/keys
directory to rwxrwxr-- (774) and all the files therein to rw-rw-r-- (664).
One step closer, thanks to all :-). Best regards
On 29/6/23 at 03:16, Matthijs Mekking
b DNS server at 10.32.1.6/192.168.10.183:
> include "/etc/bind/rndc.key";
> include "/etc/bind/ddns-key.key";
>
> zone "lab.domain.com" {
> type master;
> forwarders {};
> file "/var/lib/bind/db.lab.domain.com";
> update-policy {
>
On 6/29/23 6:44 AM, Matus UHLAR - fantomas wrote:
bind has "sortlist" statement that could do what you want. It will
provide all IPs but sorted differently.
+1 to "sortlist". I couldn't remember the exact nomenclature nor how it
was used.
Otherwise, you can s
Hi Ubence.
That is starting to get complex!
Firstly, yes BIND parses views top down, so order matters.
Secondly, most specific domain wins (like more specific routes).
I now see that you have created three levels of zones:
domain.com
lab.domain.com
system.lab.domain.com
This config looks like
On 29/6/23 at 09:40, Anand Buddhdev wrote:
On 29/06/2023 14:13, Daniel Armando Rodriguez via bind-users wrote:
[snip]
Error is not the same as before, I see it now (fresh eyes maybe)
Jun 29 08:42:37 web kernel: [5679658.761672] audit: type=1400
audit(1688038957.685:548): apparmor
=== /etc/bind
total 84K
drwxr-sr-x 3 root bind 4,0K jun 28 17:07 .
drwxr-xr-x 134 root root 12K jun 22 11:15 ..
-rw-r--r-- 1 root root 2,4K feb 26 06:27 bind.keys
-rw-r--r-- 1 root root 255 feb 26 06:27 db.0
-rw-r--r-- 1 root root 271 jun 30 2017 db.127
-rw-r--r-- 1 root root 237
ystem that has two network cards on both the 192.168.10.X
> network and 10.32.10.X network.
>
> I have a remote system that is also configured to on both networks, with
> hostnames on both domains/networks.
>
> I have a hostname entry in my primary master for the domain.com [
> s
Exactly the same
On 28 June 2023 at 6:50:26 p.m. GMT-03:00, Mark Andrews
wrote:
>The *exact* same error, word for word, or a different permission denied?
>
>> On 29 Jun 2023, at 06:35, Daniel Armando Rodriguez via bind-users
>> wrote:
>>
>&g
However, as soon as I added this
dnssec-policy "default";
inline-signing yes;
Error came up again :-(
On 2023-06-28 at 16:00, Anand Buddhdev wrote:
On 28/06/2023 20:44, Daniel Armando Rodriguez via bind-users wrote:
Hi Daniel,
[snip]
# ls -alh /etc/bind/zonas/
drw-r-S--- 2 bind bind 4,0K jun 28 14:55 .
drwxr-sr-x 3 root bind 4,0K jun 28 15:06 ..
-rwxr-xr-- 1 bind bind 323 ene 16 10:59
Certainly, you pointed in the right direction :-)
Previously I had set up the setgid bit on /etc/bind/zonas/ due to
complaints from apparmor. Now, I've removed that bit and added an
override to such folder in /etc/apparmor.d/local/usr.sbin.named.
Et voila!
However, I wonder the reason
Hello,
I think
chmod ug+x /etc/bind/zonas/
should solve the issue by giving the
owner (bind) and the group (bind) permissions to enter the
directory.
Danilo
Before I start describing the problem, I should mention that this
incident started when I tried to enable DNSSEC. I understand that it is
unrelated, but previously everything was working correctly.
I'm using Debian 11 and Bind 9.18 from backports
This is current config
# named-checkconf
nce between the two values?
>
>
>
> Regards, Sami