Re: managed-keys.bind's directory problem

2009-12-14 Thread Doug Barton
Chris Buxton wrote: > On Dec 13, 2009, at 5:40 PM, Doug Barton wrote: >> On Fri, 11 Dec 2009, Mark Andrews wrote: To repeat my primary >> objection, if the named user can write to the configuration >> directory it can change the contents of named.conf. That's a >>

Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

2009-12-14 Thread Doug Barton
While this reminder is timely and helpful, more welcome would be the news that BIND 9.6.2 is going to have actual support for RSASHA{256|512}. My cursory reading of the 9.6.2b1 code does not seem to indicate that it does, although I would be happy to be proven wrong. I personally don't think it's

Re: managed-keys.bind's directory problem

2009-12-14 Thread Doug Barton
fujiw...@wide.ad.jp wrote: > I'm using BIND 9.7.0b3 and DLV (dns-lookaside auto;). FYI I recently committed the port for 9.7.0rc1. Hopefully this will make it easier for you to continue testing. Please try the port and let me know if you have any problems with it. > The named tried to write "manag

Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

2009-12-15 Thread Doug Barton
Chris Thompson wrote: > (Evan Hunt) >> Adding SHA-2 to 9.6.x would violate our policy of making major >> functional changes only in major releases, so I don't expect we'll >> do that. Given the odd circumstances you mentioned, I won't say for >> certain that we won't--but I doubt it. >> >> 9.7.0 i

Re: Delegating in reverse lookup zones

2009-12-15 Thread Doug Barton
Simon Dodd wrote: > Thanks for the replies, everyone; I think the consensus is that having > ARIN redelegate is the correct solution, and that's fine by me. (As > mentioned, my marching orders were to do this without redelegating, but > if that's the correct way to do it, I can make that case.) It

Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

2009-12-15 Thread Doug Barton
Evan Hunt wrote: >> BIND 9.6.2 is in the "b1" phase atm, which means that there is plenty >> of time to get SHA2 in there and get the release out before a signed >> root goes live. I encourage the folks at ISC to do so, and if you >> agree I encourage you to make your voice heard. > > We hear you.

Re: Bind crashs sometimes

2009-12-30 Thread Doug Barton
Nadir, If it's crashing, it's not working normally. :) The advice Matthew gave is the right solution, but let's do some more digging. Do the following: /etc/rc.d/named stop ps -ax | grep named You may see a syslog line for the logging socket in the chroot directory but you should not see a name

Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

2010-01-14 Thread Doug Barton
On 1/14/2010 8:11 AM, Evan Hunt wrote: >>> We hear you. Expect a decision in the next few days. >> >> So, has the decision been made? >> >> [I am tentatively planning on going to 9.7 in production round about Easter, >> in good time for the RSASHA256-signed root zone in July, but it would be >> ni

Re: Can bind log the IP of clients requesting lookups to a domain?

2010-02-05 Thread Doug Barton
On 2/5/2010 3:16 PM, Keith Christian wrote: > Version - bind 9.5.1 on CentOS 5.x. Is there a way to log either the > IP of clients requesting lookups of a particular domain? > > In other words, I'd like to know the IP of clients trying to resolve > app01.foocompany.net (for example.) > > There i

Re: multi master primary nameserver.

2010-02-05 Thread Doug Barton
On 2/5/2010 2:41 PM, fddi wrote: > Hello I wanted to ask how could be possible in some way > to have 2 or more multi master name servers authoritative for one domain, > instead of the classical master slave model. Yes. -- Improve the effectiveness of your Internet presence with

Re: reverse Zone example!

2010-02-07 Thread Doug Barton
On 02/06/10 00:49, Alans wrote: Hi everyone, Anyone can give me an example of a reverse zone for a customer (have their own DNS) from an ISP (own customers IP)? Just want to make sure what I did is right or no? I’m a little confused about the SOA and ns records in the zone file, should be ours

Re: reverse Zone example!

2010-02-07 Thread Doug Barton
delegate to the CUSTOMER? 3. Do you have a zone file for your netblock already? 4. What nameservers do you have the zone configured on now? ... and just in case it's not obvious yet, what you posted won't work, which is why we need to dig a little deeper. hth, Doug -Origi

Re: Different handling of referrals by dig and nslookup

2010-02-13 Thread Doug Barton
On 02/13/10 18:42, kalpesh varyani wrote: Hi Rick, I am aware that it is a somewhat odd (but not incorrect, am I right ?) to put a non-recursive name server in the resolv.conf There are certain very specific circumstances where you might want to do this, but in general I can't see any reason

Re: ISC BIND 9.7.0 is now available

2010-02-18 Thread Doug Barton
On 02/18/10 16:20, ic.nssip wrote: Hi Mark, This is what I suspect too. Syslog gives me this record when I start BIND: named[14380]: [ID 873579 daemon.notice] built with '--with-openssl=yes' '--enable-largefile' '--sysconfdir=/usr/local/etc' '--localstatedir=/usr/local/var' Since no PREFIX w

Re: Different handling of referrals by dig and nslookup

2010-02-20 Thread Doug Barton
On 02/20/10 08:51, kalpesh varyani wrote: > On Sun, Feb 14, 2010 at 8:53 AM, Doug Barton <mailto:do...@dougbarton.us>> wrote: > > On 02/13/10 18:42, kalpesh varyani wrote: > > What is it that you want to understand? You seem quite focused on > figurin

Re: Duplicating queries??

2010-02-21 Thread Doug Barton
On 02/19/10 23:07, Daniel Morgan wrote: > I have a couple of BIND servers that I have inherited. I'm getting some > upstream complaints that one of them is issuing duplicate queries on > occasions - probably about a dozen times a day. You didn't mention what version of BIND you're running. I'm

Re: Different handling of referrals by dig and nslookup

2010-02-21 Thread Doug Barton
On 02/20/10 08:54, kalpesh varyani wrote: > Thanks Dave for pointing this out. > > the first server did not fail, it behaved as per its configuration. > But for a stub resolver, which cannot follow referrals, isnt it logical > for it to detect referrals and move on to the next name server in the

Re: hosts or subnet number in delegation?

2010-02-26 Thread Doug Barton
On 02/23/10 23:01, sasa sasa wrote: > Hello, > > for a 192.168.199.64/26 in zone file to delegate to a customer; > should i put subnet number: > > 64/26 IN NS ns1.example.com. > 64/26 IN NS ns2.example.com. > > or host ranges: > > 64-126 IN NS ns1.example.com. > 64-126 IN NS ns2.example.com. >

Re: The thread is dead?

2010-03-02 Thread Doug Barton
On 3/2/2010 8:38 AM, donovan jeffrey j wrote: > > On Jan 14, 2010, at 8:43 AM, pollex wrote: > >> I do not see any activity in the thread... is everyone on holidays? >> >> Regards > > nope not dead just sleeping :) ... pining for the fjords. -- ... and that's just a little bit of h

Confused about 9.6.2-P1 and 9.6-ESV

2010-03-16 Thread Doug Barton
I noticed that the patchfix releases of BIND came out today, so congratulations on that. :) However I was confused by the existence of both a 9.6.2-P1 and a 9.6-ESV (with the same code inside). Is 9.6.2-P1 the last release on the 9.6 branch? For the purpose of "following" a branch in the FreeBSD p

Re: Confused about 9.6.2-P1 and 9.6-ESV

2010-03-16 Thread Doug Barton
On 03/16/10 20:57, Mark Andrews wrote: > In message <4ba04e63.8090...@dougbarton.us>, Doug Barton writes: >> I noticed that the patchfix releases of BIND came out today, so >> congratulations on that. :) However I was confused by the existence of >> both a 9.6.2-P1 a

Re: Confused about 9.6.2-P1 and 9.6-ESV

2010-03-16 Thread Doug Barton
On 03/16/10 22:17, Mark Andrews wrote: > ESV's are supposed to be releases which are stable, no dot-o-itis. I'm not suggesting that they should be the latter, thus my comment that what I _thought_ would happen is that once the dot-releases were done in a given branch the -ESV would start. Frankly

Re: PTR format question

2010-03-20 Thread Doug Barton
First off, please don't grab an unrelated message and reply to it when starting a new thread. Please actually post a new message. > In the process of cleaning up a much neglected PTR file > > Bind: 9.6.2.1 > OS: CentOS 5.4 > > Current PTR in this format: (1 tab between entries) > > $ORI

Re: BIND9 Internal Reverse Look-ups Fail

2010-03-20 Thread Doug Barton
On 03/20/10 16:46, michael peters wrote: > I've been reading documentation, searching the archives, searched Google > for the answer, but have found nothing that solves the problem. > > I have an Ubuntu 9.10 system with BIND 9.6.1 installed for my internal > DNS system. You'll want to update to

Re: BIND9 Internal Reverse Look-ups Fail

2010-03-20 Thread Doug Barton
On 03/20/10 17:11, michael peters wrote: > zone "0.253.150.10.in-addr.arpa" in { > type master; > file "/etc/bind/10.150.253.0.rev"; > }; > zone "0.0.16.172.in-addr.arpa" in { > type master; > file "/etc/bind/172.16.0.0.rev"; > }; This is your probl

Re: BIND9 Internal Reverse Look-ups Fail

2010-03-21 Thread Doug Barton
On 03/21/10 08:29, michael peters wrote: > That did the trick! Thank you so much for your assistance. Glad it worked out for you. Doug -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet

Re: CNAME Issue - Whether to use CNAME-data or Response-Flag

2010-04-09 Thread Doug Barton
When I try to resolve mail.wilmot.me.uk against my local resolver (which happens to be BIND 9.6.2-P1 atm) I get the expected result: host mail.wilmot.me.uk mail.wilmot.me.uk is an alias for wilmot.me.uk.mail.aaisp.net.uk. wilmot.me.uk.mail.aaisp.net.uk has address 81.187.30.19 wilmot.me.uk.mail.aa

Re: Implementing the bogon list

2010-04-09 Thread Doug Barton
On 04/09/10 13:27, Alex wrote: > Hi, > > I'm interested in implementing an updated Cymru bogon list, Why don't you take a step back and let us know what you're trying to accomplish first. Doug -- ... and that's just a little bit of history repeating. -- Prope

Re: CNAME Issue - Whether to use CNAME-data or Response-Flag

2010-04-09 Thread Doug Barton
On 04/09/10 13:28, David Forrest wrote: > > Doug: I think it is a server error that is being reported because > the status is NXDOMAIN instead of the expected NOERROR. Well that's all you really had to say. :) I admit that I didn't catch the NXDOMAIN bit when I looked at the dig output, I was fo

Re: Implementing the bogon list

2010-04-09 Thread Doug Barton
On 04/09/10 14:23, Kevin Oberman wrote: > The FreeBSD default configuration does this, Let's be clear on what "this" is please, since I don't think the OP's post was clear about what he wanted to implement. :) The default named.conf for FreeBSD implements local, empty zones for various things tha

Re: Implementing the bogon list

2010-04-09 Thread Doug Barton
On 04/09/10 20:50, Alex wrote: > Hi, > >> Let's be clear on what "this" is please, since I don't think the OP's >> post was clear about what he wanted to implement. :) > > I'm really interested in security, reducing resources, and making sure > the server is current with today's standards. I'd li

Re: Need help to write a specific bindzone

2010-04-10 Thread Doug Barton
On 04/10/10 02:27, Hedy Dargère wrote: > Hi, > > I'm not an expert with Bind but I have to make a specific bindzone for a > domain. > And excuse me for my english :o/ > > What is the situation ? > == > - the domain name is ag2s.fr > - for now, this domain has 2 DNS : ns6.oleane.net/

Re: rdns for /20

2010-04-13 Thread Doug Barton
On 4/13/2010 6:42 PM, Jason Davis wrote: > Hello, > Is there an easy way to rdns a /20. I can only find examples for a /24 You need to create individual zones for each /24. -- ... and that's just a little bit of history repeating. -- Propellerheads Impr

Re: Views on differrent interfaces

2010-04-22 Thread Doug Barton
On 4/22/2010 5:30 AM, Tom Schmitt wrote: > > Thank you for your answer. > But this doesn't work: With match-destination and match-clients I can only > define the same match-clients statement for both destination interfaces, not > different one. > > The only workaround I see how to reach my goa

Re: one record to be redirected to a specific IP

2010-04-23 Thread Doug Barton
On 04/23/10 08:15, hugo hugoo wrote: > Hello all, > > I plan to use BIND as caching DNS. > But I need to could redirect a specific record to a specific IP. > > How can I do this? > > This redirection must only be applied for one record. > > Ex: a query for www.ABCD.com

Re: one record to be redirected to a specific IP

2010-04-25 Thread Doug Barton
On 04/25/10 13:19, hugo hugoo wrote: > Yes I need more help on this item. > Your answer seems to indicate that there is no way to only redirect > www.abcd.com to IP 1.2.3.4 That's essentially correct. > toto.www.abcd.com will either be redirected to the same IP (zone file > with * A 1.2.3.4) It

Re: problem with domain and sub-domain configuration

2010-05-03 Thread Doug Barton
On 05/03/10 08:37, fddi wrote: > > > Hello I have one domain > > test.com with nameserver ns.test.com (10.0.0.1) > > and a subdomain > > cr.test.com with nameserver ns.cr.test.com (10.1.0.1) > > > my problem is that if I update hostnames inside test.com zone > updates are not seen by cr.test.

Re: Side-effects of edns-udp-size 512

2010-05-03 Thread Doug Barton
On 05/03/10 09:34, Ray Van Dolson wrote: > > I believe having edns-udp-size set at 512 gives us maximum > compatibility with anything out there behind a broken firewall, etc, > though we should look at removing the limit at some point in the future > when possible. Doing this will simply perpetuat

Re: Side-effects of edns-udp-size 512

2010-05-03 Thread Doug Barton
On 05/03/10 16:46, Ray Van Dolson wrote: > On Mon, May 03, 2010 at 04:20:30PM -0700, Doug Barton wrote: >> On 05/03/10 09:34, Ray Van Dolson wrote: >>> >>> I believe having edns-udp-size set at 512 gives us maximum >>> compatibility with anything out there behin

Re: Side-effects of edns-udp-size 512

2010-05-03 Thread Doug Barton
On 05/03/10 17:04, Ray Van Dolson wrote: > My workflow is as follows: > > 1. We notice slow DNS resolution to a given external domain (either >via user complaint or other means) > 2. Troubleshoot and identify that the given domain's primary >nameservers don't properly handl

Re: Dnssec zone signing problem

2010-05-20 Thread Doug Barton
On 5/20/2010 12:51 PM, Hauke Lampe wrote: Did you load the unsigned zone into BIND before? It should have logged a warning about that record. named-checkzone would be useful here as well. hth, Doug -- ... and that's just a little bit of history repeating. --

Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Doug Barton
On 05/28/10 13:53, Michelle Konzack wrote: Hello Evan, On 2010-05-28 18:33:14, you hacked out the following: Operating System is "Debian GNU/Linux 5.0 Lenny" with bind9 in version 1:9.7.0.dfsg.P1-1~bpo50+1 I get the same problem on Ubuntu, which is Debian-based. /dev/random runs out of ent

Re: Glue Record Error

2010-06-01 Thread Doug Barton
On 06/01/10 23:02, itservices88 wrote: Hi, Can someone suggest why i am having Glue Record Error ? And how i can resolve it. Well the tool tells you the problem, click the link and you'll see: The address of a name server differed from the child and the parent. This is a configuration error a

Re: max-cache-size query

2010-06-02 Thread Doug Barton
On 06/02/10 01:31, Techi wrote: but, my question is still not answered. Why on earth such huge difference in the number of connections on the firewall with the max-cache-size on and off? I still don't get it. Imagine the cache as a bucket. With a large bucket the chances of the answer that any

Re: disable dnssec in bind resolver

2010-06-04 Thread Doug Barton
On 06/04/10 11:19, JINMEI Tatuya / 神明達哉 wrote: The DO bit is always set whenever the server includes an EDNS OPT RR (I thought it was based on the specification, but don't remember which sentence of which RFC says so). Given that concern about whether or not it's a good idea to always send DO=

Re: disable dnssec in bind resolver

2010-06-04 Thread Doug Barton
On 06/04/10 19:40, Paul Vixie wrote: Doug Barton writes: I have a guess at why ISC would want to enable it by default, and even in the presence of an option to turn it off I'm still Ok with that default. But if it's not a standards requirement to have it on, giving the admin a choic

Re: disable dnssec in bind resolver

2010-06-05 Thread Doug Barton
On 06/04/10 21:58, Paul Vixie wrote: Doug Barton writes: With my business hat on though I can see at least 2 possible use cases for DO=0. The first being related to this thread, "I can't/won't fix/remove the firewall today, I just want my resolver to work." it wor

Re: disable dnssec in bind resolver

2010-06-05 Thread Doug Barton
On 06/05/10 07:22, Mark Andrews wrote: In message<4c09c562.7030...@dougbarton.us>, Doug Barton writes: The resolver works. It figures out that it can't make the new style queries and falls back to the old style queries. If the user is really worried they can turn off EDNS and w

Re: .org registrars allowing DS records

2010-06-06 Thread Doug Barton
On 06/06/10 17:14, Kevin Oberman wrote: I am using godaddy.com for my .org domains and as per the customer support replies, they do not support DNSSEC and thus cannot add DS records for my domains. Which other registrars people are using that allow DS records. Thanks -dani Last I checked, .org

Re: Upgrade path?

2010-06-13 Thread Doug Barton
On 06/13/10 06:15, sasa sasa wrote: Hi list, Is it ok to upgrade from 9.4.2 to 9.7.0-P2 directly? Yes, but you should do some testing before you install the new version on your live, production system. There are some differences in the defaults for named.conf, and when upgrading to a new ver

Re: Can't get BIND to use GSSAPI from /usr/local on FreeBSD

2010-06-13 Thread Doug Barton
On 06/11/10 02:51, John Marshall wrote: BIND 9.7.1rc1 FreeBSD 8.1-PRERELEASE I've just stepped into the world of nsupdate (instead of doing the freeze/edit/thaw dance). I have had success using TSIG (nsupdate -k) but I would like to use TKEY-GSS (nsupdate -g). When I try to do that, nsup

Re: Microsoft's nslookup Implementation Problems

2010-06-13 Thread Doug Barton
On 06/13/10 13:00, Merton Campbell Crockett wrote: Microsoft's nslookup is broken. What alternative applications that can be installed and used in a Windows XP environment that will continue to work in a Windows 7 environment after a decision is made to upgrade Windows? In the past I've instal

Re: Microsoft's nslookup Implementation Problems

2010-06-13 Thread Doug Barton
On 06/13/10 14:08, Merton Campbell Crockett wrote: On Jun 13, 2010, at 1:08 PM, Doug Barton wrote: On 06/13/10 13:00, Merton Campbell Crockett wrote: Microsoft's nslookup is broken. What alternative applications that can be installed and used in a Windows XP environment that will contin

Re: Microsoft's nslookup Implementation Problems

2010-06-13 Thread Doug Barton
On 06/13/10 15:55, Merton Campbell Crockett wrote: Providing access to the web-based tools to IT personnel might not be that big of a challenge; Excellent! however, the problem remains: Using "nslookup" is an ingrained behavior for the general user. I would assert that "the general user" h

Re: the one A record that must be in a Zone

2010-06-15 Thread Doug Barton
On 06/15/10 09:53, Martin McCormick wrote: Is there any kind of dummy A record one can stuff in to a zone which satisfies this requirement such that one can then use aliases or CNAME records for the valid hosts in the zone? localhost A 127.0.0.1 hth, Doug -- ...

Re: Bind-9.7.1 multi thread question (FreeBSD)

2010-06-30 Thread Doug Barton
On Wed, 30 Jun 2010, Bind wrote: Hello I compiled Bind971 on FreeBSD 8 (amd64). FYI, you may get better results by using /usr/ports/dns/bind97.

Re: Negative Cache won't go!

2010-07-05 Thread Doug Barton
On 07/05/10 12:01, Alans wrote: > BE CAREFUL: my antivirus detects certain .png files on that website as > potential viruses, please don't open it in the browser. > The Website is: Just in case it isn't obvious, this is an attempt to get you to click that link precisely BECAUSE the site is infected

Re: BIND 9.7.1-P1 planned to address issues in BIND 9.7.0 and 9.7.1

2010-07-05 Thread Doug Barton
On 07/05/10 13:57, Chris Thompson wrote: > On Jun 29 2010, Matus UHLAR - fantomas wrote: > >> On 28.06.10 13:31, Larissa Shapiro wrote: >>> We have received reports that BIND 9.7.0 and 9.7.1 are failing to >>> resolve certain zones. These zones are resolved correctly by earlier >>> versions of BIN

Re: Behavior of a slave to a NOTIFY

2010-07-13 Thread Doug Barton
On Mon, 12 Jul 2010, Richard Tom wrote: What would delay a slave responding to a notify? More importantly, what would delay a slave from transferring a zone after verifying the master's serial for the zone is newer than the serial the slave has? I've looked over the bug fixes as accumulated

Re: ad flag for RRSIG queries

2010-07-13 Thread Doug Barton
On Tue, 13 Jul 2010, Marco Davids (SIDN) wrote: Hi, Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What version of BIND are you using? Doug -- Improve t

Re: ad flag for RRSIG queries

2010-07-13 Thread Doug Barton
On Wed, 14 Jul 2010, Marco Davids (SIDN) wrote: On 07/13/10 23:58, Doug Barton wrote: Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What ver

Re: GeoIP and maintaining high availability

2010-07-13 Thread Doug Barton
On Fri, 9 Jul 2010, Tomasz Chmielewski wrote: Hi, I'm about to set up bind with GeoIP patches. What I'm not sure, is how do you guys handle high availability? Suppose I have zones for Americas and Europe, Just to be clear, you're saying that you have 2 different zones, one with the Europea

Re: zone syntax question

2010-07-17 Thread Doug Barton
On Wed, 14 Jul 2010, Lyle Giese wrote: I would replace example.com in the SOA with @ I generally recommend against doing this unless you are explicitly planning to use the same zone file with multiple zones. There is no advantage to using @ in a one-zone file, and unnecessary obfuscation is

Re: root-anchor.xml & anchors.xml in Bind

2010-07-17 Thread Doug Barton
On Sat, 17 Jul 2010, Stephane Bortzmeyer wrote: On Sat, Jul 17, 2010 at 08:49:04AM -0500, Lyle Giese wrote a message of 30 lines which said: What is the difference between managed-keys and trusted-keys? managed-keys are automatically updated *if* the zone manager follows RFC 5011 (which, as

Re: root-anchor.xml & anchors.xml in Bind

2010-07-17 Thread Doug Barton
On Sat, 17 Jul 2010, Stephane Bortzmeyer wrote: On Sat, Jul 17, 2010 at 01:36:05PM -0700, Doug Barton wrote a message of 24 lines which said: *if* the zone manager follows RFC 5011 (which, as far as I know, the root does not use yet). How could it, when this is the first key deployed

Re: dnssec-lookaside auto and managed-keys-zone problem with certain views

2010-07-18 Thread Doug Barton
On 07/18/10 12:28, Matthew Seaman wrote: > Think I'll just drop the external-chaos view. Some script kiddie > working out I'm running the latest version of bind is likely to be lower > risk and a lot less harmful than dealing with broken dnssec chains of trust. I agree, and to take it one step fu

Re: top level zone file transfer fails from the slave

2010-07-23 Thread Doug Barton
On Fri, 23 Jul 2010, Prabhat Rana wrote: So as can be seen we are using the top level domain as the PTR zone file for all the 10.x.x.x (10/8)address. However it appears in the masters nodes, they don't have a top level zone file and have basically broken down the top level to numerous sub doma

Re: Multiple masters expected behavior?

2010-07-23 Thread Doug Barton
On Fri, 23 Jul 2010, Peter Laws wrote: Except that the 2 "masters" are simply different interfaces on the same master Why do you think that would be helpful? Or are you just testing the multi-master configuration in the hopes of adding actual diversity down the road? Doug -- Imp

Re: Multiple masters expected behavior?

2010-07-23 Thread Doug Barton
On Thu, 22 Jul 2010, Peter Laws wrote: BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 9.3.x has been EOL for a long time now, FYI. -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. The

Re: Strange IPv6 messages

2010-08-02 Thread Doug Barton
On 08/02/10 14:43, Denis BUCHER wrote: > Dear all, > > I have a simple question, when reloading Bind, I get these messages, and > later on in the logs, the transfer seems to work with IPv4. > > Aug 2 23:24:13 cirrus named[1581]: network unreachable resolving > '(host)/A/IN': 2001:620::4#53 > Aug

Re: mem.c:1093: INSIST(ctx->stats[i].gets == 0U) failed

2010-08-12 Thread Doug Barton
On 08/11/2010 13:43, Carlos Vicente wrote: > One of our recursive resolvers, running 9.7.0-P2 You're a minor version and 2 patches behind the times. Download 9.7.1-P2, and while it's compiling read the Changelog to see if anything there applies. Worst case scenario is that you reproduce the bug bu

Re: Local Slave copy of root zone

2018-08-15 Thread Doug Barton
On 08/15/2018 09:11 AM, Bob McDonald wrote: I've recently been investigating having a local slave copy of the root zone on a caching/forwarder type server. I've even put the local slave copy of the root zone into a separate view accessed via a different loopback address. (A limited example of

Re: Local Slave copy of root zone

2018-08-18 Thread Doug Barton
On 2018-08-15 10:43, Tony Finch wrote: Doug Barton wrote: Slaving the root and ARPA zones is a small benefit to performance for a busy resolver, [...] This technique is particularly useful for folks in bad/expensive network conditions. While the current anycast networks of root servers

Re: SRV record not working

2018-08-18 Thread Doug Barton
On 08/18/2018 04:53 PM, Barry Margolin wrote: In article , Grant Taylor wrote: On 08/18/2018 07:25 AM, Bob McDonald wrote: I don't think anyone hates nslookup (well maybe a few do ) I suppose the immense dislike stems from the fact that it's the default utility under Windows. Folks who use

Re: nslookup oddities (Was: SRV record not working)

2018-08-19 Thread Doug Barton
On 08/19/2018 12:11 PM, Lee wrote: On 8/18/18, Doug Barton wrote: nslookup uses the local resolver stub. That's fine, if that's what you want/need to test. If you want to test specific servers, or what is visible from the Internet, etc. dig is the right tool, as the answers yo

Re: nslookup oddities (Was: SRV record not working)

2018-08-19 Thread Doug Barton
fied by OS vendors to use /etc/hosts for address lookups. nslookup doesn’t display the entire response by default. On 20 Aug 2018, at 12:28 pm, Lee wrote: On 8/19/18, Doug Barton wrote: On 08/19/2018 12:11 PM, Lee wrote: On 8/18/18, Doug Barton wrote: nslookup uses the local resolver stub. T

Re: Local Slave copy of root zone

2018-08-20 Thread Doug Barton
On 08/20/2018 09:00 AM, Grant Taylor via bind-users wrote: On 08/20/2018 05:23 AM, Tony Finch wrote: If the local root zone gets corrupted somehow (maliciously or otherwise) the usual setup cannot detect a problem, but it'll cause DNSSEC validation failures downstream. The normal resolver / val

Re: nslookup oddities (Was: SRV record not working)

2018-08-20 Thread Doug Barton
On 08/20/2018 10:14 AM, Lee wrote: On 8/19/18, Mark Andrews wrote: nslookup applies the search list by default and doesn’t stop on a NODATA response. Some versions of nslookup have been modified by OS vendors to use /etc/hosts for address lookups. nslookup doesn’t display the entire response

Re: Local Slave copy of root zone

2018-08-21 Thread Doug Barton
On 08/21/2018 08:53 AM, Grant Taylor via bind-users wrote: On 08/20/2018 11:06 PM, Doug Barton wrote: But that doesn't mean that slaving a zone, any zone, including the root, is "dangerous." If slaving zones is dangerous, the DNS is way more fragile than it already is. Sorry

Re: about the effect of installing with "--without-openssl"

2018-08-26 Thread Doug Barton
On 08/26/2018 07:30 PM, takahiro wrote: That's why I want to know the effect of installing with "without-openssl". What specifically are you trying to accomplish by compiling without openssl? ___ Please visit https://lists.isc.org/mailman/listinfo/bin

Re: SSL cert for lists.isc.org expired on Saturday, December 29, 2018

2019-01-01 Thread Doug Barton
I've had LE fail after a certbot upgrade because it grew a dependency that didn't automatically get installed with the upgrade. So yes, automation good, but not perfect. On 2018-12-31 6:54 PM, John W. Blue wrote: nuff said, eh? I thought that Let's Encrypt wanted to roll / revalidate SSL cert

Re: Bind > 9.12 Will Not Start On FreeBSD

2019-04-27 Thread Doug Barton
On 4/27/19 9:22 PM, Tim Daneliuk wrote: On 4/27/19 5:33 PM, @lbutlr wrote: On 27 Apr 2019, at 16:21, Tim Daneliuk wrote: Why is 9.12+ now suddenly so grumpy about who owns the files? Is this a recent fix to reduce the attack surface on files owned by root? Pretty sure. I thought it was men
