Re: DNSTAP overload condition logging

2021-11-19 Thread Chris Buxton
Hi Carsten, From our reading of the code, it appears that when the buffer fills up, it refuses to accept new entries. Older events are not overwritten, but newer events are refused. The fstrm_iothr_submit() function can return success, failure, or “fstrm_res_again”, which indicates the queue is

Re: KSK signing zone records

2021-08-30 Thread Chris Buxton
I honestly don’t remember the reasoning, only the outcome. Maybe Mark or someone else from ISC can shed some light? I couldn’t find the answer to this regular (but infrequent) question in the ISC KB. Regards, Chris Buxton > On Aug 30, 2021, at 3:40 PM, raf via bind-users > wrote: >

Re: KSK signing zone records

2021-08-30 Thread Chris Buxton
What algorithm(s) are you using for ZSK and KSK? If they’re not the same algorithm, then both will be used to sign the entire zone. Regards, Chris Buxton > On Aug 30, 2021, at 9:08 AM, Timothy A. Holtzen via bind-users > wrote: > > Signed PGP part > I've had an issue

Re: nsupdate -g always uses master from SOA to form SPN

2021-08-26 Thread Chris Buxton
configure it. Regards, Chris Buxton > On Aug 26, 2021, at 7:32 AM, Magnus Holmgren > wrote: > > When using GSS-TSIG, nsupdate (with the -g flag) always forms the SPN from the > master server specified in the SOA record, rather than the server specified > with the server comma

Re: Logging statements w.r.t. view in Bind 9.16.18

2021-08-24 Thread Chris Buxton
them, or perhaps live with the log messages from that public view. Perhaps your SIEM (if you use one) could split the data based on the view name in the log messages. Regards, Chris Buxton > On Aug 24, 2021, at 7:44 AM, Gaurav Kansal wrote: > > Hi Ged, > > Actually recursion is o

Re: Add DNS records automatically for static IP's

2021-08-05 Thread Chris Buxton
devices register themselves, they might get decommissioned. Perhaps much later, but eventually upgrades happen and needs change. How are you cleaning up the stale records? Your DHCP server will do that for you, for DHCP clients. Regards, Chris Buxton > On Aug 5, 2021, at 9:19 AM, Roberto Ca

Re: Can we provide recursion for forward zones in response to iterative queries?

2020-04-06 Thread Chris Buxton
al forwarding for the subzones also, pointing to the forwarders. Without the delegation, the conditional forwarding won't work -- the MS DNS servers will respond authoritatively. But without the conditional forwarding, the MS DNS servers will send iterati

Re: Issues with Stub Zone

2019-05-08 Thread Chris Buxton
reached? It may be that the behavior you're expecting is more in line with type "static-stub" than with type "stub". Regards, Chris Buxton > On May 7, 2019, at 4:08 PM, Ben Lavender wrote: > > Hi, > > I've been trying to configure a stub zone u

Re: BIND 9.11 no longer respects edns-udp-size?

2019-03-12 Thread Chris Buxton
of stub zones assumes that an SOA query will retrieve all of the required information (SOA, NS, and supporting A/ records) to successfully insert the zone apex into the cache. Chris Buxton ___ Please visit https://lists.isc.org/mailman/listinfo/

Re: BIND DNS Enable audit logs - Authoritative

2019-01-11 Thread Chris Buxton
> > On Jan 11, 2019, at 11:33 AM, Dave Warren wrote: > > On 2019-01-11 11:55, Kevin Darcy wrote: >> I don't believe there is any logging category for this, even when zones are >> enabled for Dynamic Update, in which case the versioning is done >> automatically. There used to be a "journalprint

Re: nsupdate with RPZ

2018-05-23 Thread Chris Buxton
case, tell us what your use case is in more detail and perhaps the list can help. Chris Buxton

Re: Use case for "." queries

2018-05-07 Thread Chris Buxton
e use case. But the most common use of such queries is to conduct an amplification attack. What are the apparent source addresses of these queries? Are they consistent? If so, that would point to the target of such an attack, not the source. Chris Buxton

Re: Suggestions for a distributed DNS zone hosting solution I'm designing

2018-03-07 Thread Chris Buxton
product to do what you’ve described. BIND on Linux will do everything you’ve described, if properly set up. You could set up some simple scripting to give you secure DDNS so that you can update the data from anywhere. I hope that helps. Chris Buxton Sent from my iPhone > On Mar 6, 2018, at 10

Re: DNAME usage?

2017-11-17 Thread Chris Buxton
do the same job. The use case you describe cannot be solved by RFC-compliant DNS -- the name of a zone cannot be an alias of some other name. Creating the parent zone and putting the CNAME in there will create more problems for you. Regards, Chris Buxton > On Nov 17, 2017, at 9:19 AM, Jef

Re: named-compilezone errors

2017-05-30 Thread Chris Buxton
Thanks for the response, Tony. Responses in-line. On May 30, 2017, at 5:51 AM, Tony Finch wrote: > Chris Buxton wrote: > >> dns_master_load: example.com.dns:6785: bad escape >> dns_master_load: example.com.dns:6789: bad escape >> >> mhtswfw-dellfi01\342\

named-compilezone errors

2017-05-22 Thread Chris Buxton
I would have expected that '-i none' would have allowed it to skip these errors. but it doesn't. Regards, Chris Buxton ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: global server load balancing with the domain name

2017-04-14 Thread Chris Buxton
d have a work-around for the zone apex (example.com itself), such as a simple webserver (right on each GSLB, perhaps) that takes those web requests and redirects them to www.example.com. Then in your main zone (not on the GSLB), you would have a record set pointing that zone

Re: Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

2017-04-11 Thread Chris Buxton
> On Apr 11, 2017, at 2:19 AM, Manuel Ramírez > wrote: > > Hi, > > I would like to allow queries for specific blogspot.com > subdomains and block the rest of the queries. > I have a file with several zones configured, one of those zones is the > specific subdomain type

Re: forwarder (YES/NO)

2016-09-21 Thread Chris Buxton
Funny email address. I could be wrong, but it looks like you might have a firewall problem. The one really slow response is the one over 512 bytes. Is it possible you have a firewall that examines the contents of DNS messages? Regards, Chris Sent from my iPhone > On Sep 21, 2016, at 12:34 PM,

Re: Selective forwarding from an internal only name server

2016-08-17 Thread Chris Buxton
Try it without "+trace". Regards, Chris > On Aug 17, 2016, at 2:59 AM, anup albal wrote: > > Hi > > First up apologies if this is not the right list to email and for a long > email. I am hoping you can give me a clue as to what I am doing wrong here? > Or may be this is not supposed to work

Re: Delegation questions

2016-08-12 Thread Chris Buxton
Forwarding is more similar to how some other systems work. But it's not how DNS naturally works. I think the biggest source of "forwarding = natural" is perhaps from admins coming from other parts of IT, rather than any regional difference. But I could be wrong. From a technical perspective, in

Re: Multiple AD domains

2016-07-28 Thread Chris Buxton
evin Darcy > NAFTA Information Security Projects > > FCA US LLC > 1075 W Entrance Dr, > Auburn Hills, MI 48326 > USA > > Telephone: +1 (248) 838-6601 > Mobile: +1 (810) 397-0103 > Email: kevin.da...@fcagroup.com > > From: Chris Buxton [mailto:cli...@buxtonfa

Re: BIND 9 API & GUI

2016-07-28 Thread Chris Buxton
Kirk, Have a look at the commercial offerings. All of them offer a GUI and an API for managing BIND servers, including managing zones and records. Some of them are limited to managing their own appliances. Some of them do offer the ability to overlay on existing BIND servers, too, though. Blue

Re: Multiple AD domains

2016-07-28 Thread Chris Buxton
The OP's question was about setting up BIND, not MS DNS, related to using Samba, not Windows, as the domain controller. Regards, Chris Sent from my iPhone > On Jul 27, 2016, at 12:36 PM, Darcy Kevin (FCA) > wrote: > > My preference? Have all your clients use BIND to resolve DNS (this gives

Re: Resolving issue on specific domain

2016-07-15 Thread Chris Buxton
On Jul 15, 2016, at 8:48 AM, Matus UHLAR - fantomas wrote: > > On 15.07.16 14:05, Daniel Dawalibi wrote: >> Dig domainname -> Server failed > > please show us output of it. > when 127.0.0.1 is first in /etc/resolv.conf, dig should contact localhost > first, and the result should be the same as d

Re: separation of authoritative and recursive functions on internal networks

2016-01-31 Thread Chris Buxton
> On Jan 29, 2016, at 3:58 PM, Darcy Kevin (FCA) > wrote: > > Data obtained from the recursive function will never outrank authoritative > data of a master or a slave. Kevin, That's true, but authoritative servers also sometimes serve up referrals, sometimes including glue records. This data

Re: Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-19 Thread Chris Buxton
target for dynamic updates and is therefore fairly important; even a few minutes of downtime of this server might cause outages for DHCP service, for example. There are several commercial offerings that include this sort of HA. I work for one of these vendors, Blue

Re: Cloud DNS providers for secondary DNS

2015-12-30 Thread Chris Buxton
> On Dec 29, 2015, at 5:36 PM, Michelangelo De Simone wrote: > > also, in order to avoid > unnecessary polling, you may think of enabling the "notify" options from > your master toward your slaves. No, that's not what that does. The notify mechanism is enabled by default, although it probably ne

Re: does bind depends on system DNS settings for lookup?

2015-11-23 Thread Chris Buxton
> and communicate this is that "iterative resolution" uses RD=0 queries and > "recursive resolution" uses RD=1 queries. (Whether the resolution attempt is > *successful* is another question, of course: sending an RD=1 query to a node > that doesn't honor recursion is likely to result in

Re: does bind depends on system DNS settings for lookup?

2015-11-19 Thread Chris Buxton
On Nov 18, 2015, at 3:50 PM, Darcy Kevin (FCA) wrote: > "Iterative" resolution means following the delegation hierarchy (by sending > queries with the RD flag set to 0) to get an answer; "recursive" resolution > means sending a query off (with the RD flag set to 1) and relying on the > other p

Re: refresh: retry limit for master 10.133.253.128#53 exceeded (source 0.0.0.0#0)

2015-11-14 Thread Chris Buxton
ost common offenders in my experience. Regards, Chris Buxton Sent from my iPhone > On Nov 13, 2015, at 10:12 PM, Lawrence K. Chen, P.Eng. wrote: > > So, the last couple of days I've been banging my head on this problem > > Where I'm seeing this strangeness. > &g

Re: SRV Request to DNS

2015-10-13 Thread Chris Buxton
On Oct 5, 2015, at 11:51 PM, Harshith Mulky wrote: > Let us say we are having a FQDN and we need to Resolve it. It goes through > the procedure of determining the IP and Port using NAPTR/SRV/A query > mechanisms > > The question I have is if I have a FQDN with a Port Number already > determine

Re: DNS Negative Caching

2015-08-31 Thread Chris Buxton
On Aug 28, 2015, at 5:27 PM, Barry Margolin wrote: > Note that if a server is authoritative-only, caching is mostly > irrelevant, so the negative cache TTL doesn't much apply. In this case, > the SOA Minimum is just being used as the default TTL. No, that is not correct. When responding negati

Re: DNS Negative Caching

2015-08-28 Thread Chris Buxton
aching TTL. And no RFC has ever updated its name. Chris Buxton

Re: RPZ and client matching

2015-05-09 Thread Chris Buxton
> On May 9, 2015, at 9:34 AM, Job wrote: > > Hello, > > i noticed i can write a RPZ file for blocking some websites resolution, as > example, and excluse come Client IP from this policy. > > I would like to do exactly the opposite: i want to define some blocking > resolution policy and ASSIGN

Re: Basic info on interfaces file

2015-03-31 Thread Chris Buxton
This is not really a BIND question; this mailing list is for BIND questions. RTM. Start with this command: man 5 interfaces You can use the 'q' key to exit from the manual page. The BIND name server will not read /etc/resolv.conf (which is what that dns-nameserver line refers to), so set it to

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Chris Buxton
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote: > I know that BIND has no feature to disable DNSSEC validation for selected > Zones/Domains (when working as a recursor). > One can only enable/disable DNSSEC validation globally per view (as a boolean > on/off). [...] > I'm just

Re: ipv6 AAAA register and ipv4 NS register with the same name

2014-12-15 Thread Chris Buxton
> On Dec 15, 2014, at 12:38 AM, Manuel Ramírez > wrote: > > Hello, > > We have bind 9.8.4. P2 with many registers delegated to Link load > balancer (we have two public ip´s range and linkproof acts as a dns > balancer). > Now we need to add the ipv6 register for all those registers that >

Re: Forward vs Authoritative traffic

2014-11-07 Thread Chris Buxton
-stub is probably what you want. Chris > On Nov 7, 2014, at 1:31 PM, Chris Buxton wrote: > >> On Nov 7, 2014, at 1:29 PM, Nex6|Bill wrote: >>> >>> our parent org, owns the parent zone, and this zone is delegated from >>> there to a load balancer onsite.

Re: Forward vs Authoritative traffic

2014-11-07 Thread Chris Buxton
I suspect a static-stub zone is more what you want, but yes, that sounds like it should work. Chris > On Nov 7, 2014, at 1:04 PM, Chris Buxton wrote: > >> On Nov 7, 2014, at 11:35 AM, Nex6|Bill wrote: >>> >>> I am going to be adding a type forward zone for

Re: Forward vs Authoritative traffic

2014-11-07 Thread Chris Buxton
On Nov 7, 2014, at 11:35 AM, Nex6|Bill wrote: > > I am going to be adding a type forward zone for an important zone. how can i > test that the forward is working correctly? if i do a dig against the NS the > record will return no matter if its auth or fwd zone. Will your server be receiving

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Chris Buxton
Either do as Kevin Darcy said or else use separate names: company.com office1.company.com office2.company.com The admin in office 2 updates the office2 zone. The dynamic updates in office 1 go to the office1 zone. The company.com zone delegates both. Everyone can find everything via that delega

Re: Enterprise IPAM/DNS Solutions

2014-04-28 Thread Chris Buxton
On Apr 28, 2014, at 9:31 AM, Baird, Josh wrote: > Hi, > > We currently use the Men & Mice DNS/IPAM/DHCP suite which is essentially a > front-end "wrapper" for BIND. We deploy our own BIND boxes and simply > install the Men & Mice agent on them which allows us to centrally manage the > zones

Re: What if no root servers?

2014-04-09 Thread Chris Buxton
On Apr 9, 2014, at 12:02 AM, Dean Gibson (DNS Administrator) wrote: > I'm interested in a special use-case, where (say, in an emergency), access to > most of the Internet (and hence the root servers) is cut off. In this > situation, there is an emergency connected network consisting of severa

Re: Update Security

2014-03-17 Thread Chris Buxton
;t believe it works with update forwarding. I've certainly never gotten it to work. However, Microsoft will send the updates to the master listed in the SOA record, so as long as that shows your otherwise-hidden master, and firewall access is set up for it, everything should work fine. Rega

Re: Update Security

2014-03-14 Thread Chris Buxton
oesn't support TSIG, just GSS-TSIG. AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the master. Regards, Chris Buxton.

Re: IPv6 PTR Records

2014-03-10 Thread Chris Buxton
uestion, for the names of your A records. I don't know why a mail server would complain about this, but perhaps others with recent mail server admin experience can comment here. Regards, Chris Buxton

Re: Bind vs flood

2014-02-28 Thread Chris Buxton
ed normally first. It does not short-circuit recursion. Chris Buxton > From: bind-users-bounces+jason.brown=kcom@lists.isc.org > [mailto:bind-users-bounces+jason.brown=kcom@lists.isc.org] On Behalf Of > Ivo > Sent: 28 February 2014 10:10 > To: bind-users@lists.isc.

Re: additional section policy

2014-01-20 Thread Chris Buxton
ears you’re asking about specifically this case. This behavior is described in RFC 1034 or 1035, I believe. As for responding to this data by following up on a referral and asking a listed name server, the BIND name server uses the RTT (round trip time) algorithm. Basically, it tries to guess

Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-20 Thread Chris Buxton
or something like that) before starting named. It would then stay open. I’d bet that the package from Men & Mice includes this script or an equivalent workaround. When I wrote the original script I wrote about above, I worked at Men & Mice. Regards, Chris Buxton

Re: When Updates Fail

2014-01-07 Thread Chris Buxton
72. Or there’s a release candidate for 0.74 that apparently fixes it, but I haven’t tested it. Regards, Chris Buxton

Re: Error logs in bind resolving

2014-01-02 Thread Chris Buxton
t; >> All the ones I checked were caused by broken implementations. > > Is this a broken implementation of IPv6 or something else. As this DNS Server > is running IPv6 only. Broken implementations of name servers. They’re probably mostly load balancers. Regards, Chris Buxton

Re: Error logs in bind resolving

2013-12-31 Thread Chris Buxton
On Dec 30, 2013, at 9:46 PM, Gaurav Kansal wrote: > I am getting the error message for lot of domains. > > Log of error entries are attached. All the ones I checked were caused by broken implementations. > Is it possible to configure bind so that error message should not be > generated in log

Re: Error logs in bind resolving

2013-12-30 Thread Chris Buxton
hat when asked for an record, the load balancer gives an otherwise-proper-looking negative response that claims to be from the wrong zone. Regards, Chris Buxton

Re: RPZ help on BIND

2013-12-28 Thread Chris Buxton
extra configuration. I don’t know the purpose of this RPZ, so I can’t give you the exact syntax. Perhaps someone from Spamhaus can help you with that. I don’t have enough context to answer your question about a whitelist. Perhaps someone else can help you with that. Regards, Chris Buxton On D

Re: 9.9.4 Bug Fixes - RT #34583

2013-09-23 Thread Chris Buxton
On Sep 21, 2013, at 8:35 AM, Steve Arntzen wrote: > Good morning/day/evening. > > What exactly does "beneath" mean in the following line from the 9.9.4 > bug fixes? > > "Fix forwarding for forward only "zones" beneath automatic empty zones. > [RT #34583]" "Beneath" in this case refers to the

Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Chris Buxton
On Sep 23, 2013, at 7:59 AM, Vernon Schryver wrote: > From: Eliezer Croitoru > >> I was looking for something like that but I am sure a dynamic DB is >> needed for the task right? > > Large DNSBLs are not very dynamic, because they have relatively few > changes per day. From another perspect

Re: Problem with "authoritative answer"

2013-09-13 Thread Chris Buxton
name servers behave this way, but they are supposed to. BIND 9 behaves correctly. Regards, Chris Buxton

Re: the location of dig and named

2013-08-28 Thread Chris Buxton
On Aug 28, 2013, at 2:35 PM, Nidal Shater wrote: > when I typed dig or named ,,, what is the location of the executable program > dig and named is ? Your answer can be found with this command, available on many operating systems: which dig or: which named Regards, Chris

Re: BIND 9.8.1-P1: 'make test' fails

2013-08-20 Thread Chris Buxton
bout what has changed since Net::DNS was taken over by a new maintainer, meaning post-0.68. A small number of quite disruptive changes were made in 0.69. Regards, Chris Buxton

Re: bind9 and logrotation

2013-07-29 Thread Chris Buxton
let BIND write and rotate log files, but then process them with logrotate afterward. Another option is to send all log messages through syslog, which allows for: - asynchronous (batched) file writing - all kinds of other, more advanced features that BIND doesn't support nativel

Re: New warning message...

2013-07-22 Thread Chris Buxton
On Jul 22, 2013, at 1:24 PM, Barry S. Finkel wrote: > On 7/22/2013 11:17 AM, bind-users-requ...@lists.isc.org wrote: This was discussed here already, and imho this is anti-spf bullshit like >>all those "spf breaks forwarding" FUD. The SPF RR is already here and is >>preferred over

Re: bind classless slave from microsoft dns classful SOA?

2013-07-12 Thread Chris Buxton
y its master server. Were I you, I would refuse to slave the /24 reverse zone. Regards, Chris Buxton BLUECAT

Re: BIND Performance with Huge RPZ

2013-07-12 Thread Chris Buxton
f configuration settings can impact performance. One such example is query logging to file (instead of to syslog), which can completely gut performance. Regards, Chris Buxton BLUECAT

Re: BIND Service Hung

2013-07-03 Thread Chris Buxton
On Jul 2, 2013, at 7:33 PM, Arie Lendra Putra wrote: > PS: sometimes this happens when our upstream is down, many unanswered DNS > request sometimes trigger named not responding. Stop forwarding. Do your own recursion. Regards, Chris Buxton

Re: Answers from cache or authority section?

2013-06-25 Thread Chris Buxton
nal name servers internally (but this can require firewall changes) - Make your internal name servers reachable from the Internet Regards, Chris Buxton BLUECAT

Re: bind 2.1a3 on centos 6.4

2013-06-24 Thread Chris Buxton
On Jun 24, 2013, at 10:09 AM, Brian Cuttler wrote: > On Mon, Jun 24, 2013 at 09:40:36AM -0700, Chris Buxton wrote: >> On Jun 22, 2013, at 12:50 PM, "Lawrence K. Chen, P.Eng." >> wrote: >> >>> Or don't use nslint? >> >> +1 >> &

Re: bind 2.1a3 on centos 6.4

2013-06-24 Thread Chris Buxton
On Jun 22, 2013, at 12:50 PM, "Lawrence K. Chen, P.Eng." wrote: > Or don't use nslint? +1 Use 'named-checkconf -z' instead. Or run it without '-z', and then use 'named-checkzone' against each zone file, with suitable options to tweak the tests to meet your needs. Chris

Re: SPF record with include:

2013-06-21 Thread Chris Buxton
On Jun 20, 2013, at 7:30 PM, Julie Xu wrote: > Hi Steven, Jason, Ged and Bind expert > > Thanks for the reply. It is great help. > > However, I need ask more. > > For this include clause to be added in, I have also need to add DKIM records. SPF and DKIM are unrelated. There is no way to refe

Re: What happens when one out of three NSs are down?

2013-06-12 Thread Chris Buxton
match? > > Any comments and best practice solution info very welcome. You might consider using anycast to route around the problem. In practice, though, your best bet is to find out why that small group of customers are having problems. Are they querying the servers directly? Chris Buxton

Re: Stub zones vs minimal responses

2013-06-12 Thread Chris Buxton
On Jun 12, 2013, at 5:23 AM, Tony Finch wrote: > Chris Buxton wrote: >> >> If an authoritative server is configured to send minimal responses, will >> a stub zone get all the necessary data from that server? What I'm seeing >> is, the recursive server sends an

Stub zones vs minimal responses

2013-06-10 Thread Chris Buxton
that zone get a SERVFAIL response. Am I understanding the evidence correctly? Regards, Chris Buxton

Re: any requests

2013-06-05 Thread Chris Buxton
On Jun 5, 2013, at 11:59 AM, Doug Barton wrote: > On 06/05/2013 11:33 AM, Tony Finch wrote: >> I believe the ANY hack on mail servers was a Sendmailism 20ish years ago. > > s/Send/q/ That makes even more sense. DJB always thinks he knows best.

Re: any requests

2013-06-03 Thread Chris Buxton
e A record, not the MX record. And that represents a failure of the SMTP protocol implementation. Chris Buxton On Jun 3, 2013, at 3:42 PM, Leonard Mills wrote: > If your some of your clients are SMTP relays, then ANY is the default lookup > for an MX and is perfectly normal. > >

Re: Negative zones; NXDOMAIN responses

2013-05-20 Thread Chris Buxton
On May 20, 2013, at 12:51 AM, Narcis Garcia wrote: > - Yes, I thought about not using DNS from the same internet provider, > but wanted to know if there is a way to patch only the .local response. > > - This is the configuration I use in one of the LANs: > > view "local-nets" { >match-c

Re: Mailing list "reply-to" setting

2013-05-09 Thread Chris Buxton
lder to see if there are new messages in it. My mail client shows the number of unread messages next to each mail folder, except for those that have no unread messages. I do not have to click on each folder to cause this to happen. Regards, Chris Buxton

Re: NS geo-distribution

2013-04-29 Thread Chris Buxton
would have a 1/3 chance of hitting a NS with a higher latency? RTT means almost always hitting the fastest server. Chris Buxton

Re: How does bind select what master to use?

2013-04-28 Thread Chris Buxton
to forwarders, then yes, RTT is used. If you're talking about recursion, then yes, RTT is used. Chris Buxton

Re: ISC Courses

2013-04-27 Thread Chris Buxton
ught DNS and BIND courses for Men & Mice, the live interaction was a key component of the value of the class. You just don't get that remotely. Chris Buxton

Re: Mirror Masters

2013-04-24 Thread Chris Buxton
On Apr 24, 2013, at 2:21 PM, Manson, John wrote: > Works great. Got the conf file down to about 12 lines (only transferring 1 > zone file for test). > Only problem is the file is in slave format. > Is the master going to have a problem sending the db.x.bak to slaves? > When a slave receives the t

Re: Mirror Masters

2013-04-23 Thread Chris Buxton
raw format. Then in the event of a disaster, change all the zone statements from slave to master. That way, you won't be dependent on OS processes for transferring and synchronizing the data between the two masters. Your other choice is to use rsync to synchronize files between the tw

Re: BIND 9.4.x and check-names

2013-04-17 Thread Chris Buxton
Apr-2013 00:45:37.447 general: warning: zone >> /IN: gc._msdcs./A: bad owner name (check-names) > > Hmm, aren't those supposed to be SRV records? No, they are the addresses of the global catalog servers. If they were SRV records, check-n

Re: RPZ and negative answers

2013-04-04 Thread Chris Buxton
On Apr 4, 2013, at 1:42 AM, Phil Mayers wrote: > On 04/04/2013 12:50 AM, Chris Buxton wrote: > >> Thanks for the explanation. It seems to me this is a gap in coverage >> of RPZ -- the algorithm should be updated, in my opinion, to cover >> the case of a negative

Re: RPZ and negative answers

2013-04-03 Thread Chris Buxton
On Apr 3, 2013, at 4:13 PM, Vernon Schryver wrote: >> From: Chris Buxton > >> If a name exists in the response policy, and also exists in the real >> Internet namespace, the value from the policy is returned. But if it >> doesn't exist out on the Internet, then th

RPZ and negative answers

2013-04-03 Thread Chris Buxton
n the Internet or can't be resolved due to an error." Chris Buxton BlueCat Networks

Re: Understanding rndc referral statistics

2013-03-30 Thread Chris Buxton
nario would be the same (at least as far as the answer section of the response is concerned) coming from BIND 9.9, 9.3, 9.1, 8.2, or 4.9. (I can't speak for 4.8.) Chris Buxton BlueCat Networks

Re: Disable logging for a view

2013-03-30 Thread Chris Buxton
On Mar 29, 2013, at 1:46 AM, Francesco wrote: > Hello, > i need to log queries into bind.log for all views except only one view (i > call it the default view, where it logs all attacks, flood, ecc.). > > But i noticed i can not insert logging clause into a view. > > Is the

Re: Dynamic Update Policy.....

2013-03-30 Thread Chris Buxton
to allow dhcpd to make the changes > (and they work correctly), however the forward zone does not. At a guess, you're not using GSS-TSIG for reverse record updates, correct? Is there a reason not to have DHCP update the host records as well as the reverse? Chris Buxton BlueCat Networks

Re: Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Chris Buxton
l, and common. Note that this is not compatible with dynamic zones. If you need to support dynamic zones (and who doesn't, these days?), you're out of luck. Chris Buxton BlueCat Networks

Re: Recursion Issue

2013-03-28 Thread Chris Buxton
12640 IN CNAME a1164.g.akamai.net. a1164.g.akamai.net. 19 IN A 165.254.47.115 a1164.g.akamai.net. 19 IN A 165.254.47.112 Everything is as it should be. Chris Buxton BlueCat Networks

Re: Recursion issue

2013-03-28 Thread Chris Buxton
Therefore, I would recommend turning it off using 'recursion no;' in your options or view statement. Chris Buxton BlueCat Networks

Re: Recursion issue

2013-03-28 Thread Chris Buxton
em recursively anyway. I continue to fail to see the problem that you're trying to solve. Chris Buxton BlueCat Networks

Re: Recursion issue

2013-03-28 Thread Chris Buxton
urrent environment is not working? In your public data, I see: www.speaker.gov.300 IN CNAME wc.house.gov.edgekey.net. wc.house.gov.edgekey.net. 17789 IN CNAME e4776.g.akamaiedge.net. e4776.g.akamaiedge.net. 20 IN A

Re: Blocking private addresses with a optionq

2013-03-14 Thread Chris Buxton
On Mar 14, 2013, at 9:07 AM, Niall O'Reilly wrote: > > On 14 Mar 2013, at 15:57, Chris Buxton wrote: > >> No, I'm pretty sure the OP wants to strip records from responses if the >> records are A records referring to private address space (RFC 1918). >>

Re: Blocking private addresses with a optionq

2013-03-14 Thread Chris Buxton
er ... { bogus yes; }; clause which stops named from > sending queries to a particular address range. No, I'm pretty sure the OP wants to strip records from responses if the records are A records referring to private address space (RFC 1918). I've no idea how you would do this. Chri

Re: 3rd party CNAMEs and open recursion

2013-03-05 Thread Chris Buxton
east until you start rolling out DNSSEC (at which point you will probably need to use either views or separate servers). Chris Buxton BlueCat Networks

Re: Stop of logging of No Valid Signature Found

2013-02-26 Thread Chris Buxton
precise and complete in his explanation. Chris Buxton BlueCat Networks

Re: Building a fresh named.root

2013-02-15 Thread Chris Buxton
inations network list and it is still using the external > view. The hostname 'localhost' can mean different things to different computers. It probably means ::1 (IPv6 localhost) in this case. Try explicitly specifying the IP address rather than using the hostname. Chris Buxton

Re: Export / Import all zone data

2013-02-15 Thread Chris Buxton
igrating customers from their old platform to our appliances: #!/bin/bash mv $2{,.orig} named-compilezone -i none -k ignore -o $2 $1 $2.orig Chris Buxton BlueCat Networks

Re: Building a fresh named.root

2013-02-15 Thread Chris Buxton
s available. - Start named with the -4 argument to prevent it from trying to contact IPv6 addresses. Chris Buxton BlueCat Networks
