Marc,
A stub zone tells BIND to load SOA and NS records from its masters {}.
(forwarders {} is, I belive, both useless and incorrect here.) From that
point onwards, your BIND will use the data in the stub to recursively
find answers to queries for that zone.
The forwarder on the other hand,
Where can I find a description of what the variables at the end of the
line in the query log mean? For example:
The full set is +SETDC
+ recursion requested (- no recursion)
S request is signed
E EDNS0 enabled
T TCP (else UDP)
D
I'd like to reinforce what Chris said, and recommend the use of an
internal root zone for networks/enterprises which have no public
Internet connectivity
+1
A lot of people seem to be scared by the prospect of setting up
their own root zone.
It really isn't difficult, and I discuss this
Over the years I wondered why public dynamic DNS services reinvented
these wheels, with custom clients rather than using nsupdate. Now it
makes sense.
How I wish they'd used a term other than dynamic DNS for their
services, though...
While indeed, RFC 2136 had *me* covered,
While writing this, a compromise came to me. :) I can run forward
zones as children of a single TLD, and use 168.192.in-addr.arpa. as
parent for all my reverse zones. :)
If you're setting up your own DNS root server, you could sign that root
zone, have your clients enter that island of trust
Juergen,
I use GSS-TSIG and the handbook says that in gss-tsig the content of the
identity field ist the common secret which is the kerberos principal.
I believe you'll have to set `tkey-gssapi-credential' and `tkey-domain` for
this to work the way you want, though I do confess to not have a
So I look for a way that I can say that all clients from EXAMPLE.TEST are
allowed to update their own record (or whatever).
Sounds like a task for update-policy external [1], but note that that
requires updates to be sent via TCP and not UDP. [2]
-JP
[1]:
Mark my words. You will know the truth in future.
Ah: DNSSEC -- the guy is on topic.
-JP
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
# host -t TXT _adsp._domainkey.federalreserve.gov
bind dies with
May 26 19:59:02 resolv04 named[8237]: buffer.c:285: REQUIRE(b-used + 1
= b-length) failed
May 26 19:59:02 resolv04 named[8237]: exiting (due to assertion failure)
This is reproducible and should only affected in 9.7.3.
This is reproducible and should only affected in 9.7.3.
For the record, the problem has been fixed:
http://www.isc.org/software/bind/advisories/cve-2011-1910
-JP
___
bind-users mailing list
bind-users@lists.isc.org
I have a BIND 9.8.0-P2 server instance running on a production server. My
firewall is showing repeated attempts by named.exe to connect to IP
addresses in foreign countries on ports , 6667 and 6669 - common IRC
ports used by worms/trojans/zombies.
Sounds like you're running an IRC bot...
Does anyone else find the bind-users list to be very slow?
Yes, very. [Pressing 's'end at 09:54 CET]
-JP
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Evan,
may find this information useful:
very useful and quite impressive.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
If Bind version of primary dns is bind-libs-9.3.6-16.P1.el5 and for
secondary dns bind-9.5.0-29.b2.fc9.i386.
Something wrong there: libs vs. server, but I assume you mean server
for both.
Is it mandatory the same version for
primary and secondary DNS.
Not unless you rely on a particular
But just for the sake of convenience, is there a way to rename
TYPE# to something that I want?
If you dig (pun not necessarily intended) into the source of BIND you
can actually change the source so that `named' can read your type from a
zone master file and `dig' displays it however you wish.
Well, I'm going to run the modified bind on a local testbed
disconnected of internet.
You won't be causing harm, even if connected. :)
Thanks on the hint, now I have to find out where to dig first.
Any knowledge?
I'm no specialist, but this might get you started:
lib/dns/code.h
On Tue Sep 27 2011 at 17:32:22 CEST, Issam Harrathi wrote:
and you say here it's cached for 30 seconds?!
Evan said:
and we've discussed implementing it in BIND9, but haven't had time yet.
In other words, they are *not* cached in BIND9.
-JP
'_' is an illegal character in hostnames in the DNS...
Yeah, I got hosed by that one by a consultant.
MCSE per chance? [Sorry; couldn't resist.]
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from
On Wed Sep 28 2011 at 16:43:17 CEST, 风河 wrote:
this is the stuff what should be done by webserver rather than by DNS. i,e,
Apache rewrite will do that.
That is incorrect. DNS is needed to find the Web server. Web server
rewriting/configuration is needed to find the site.
-JP
*except that perhaps those who enable this feature will use it as an
excuse to avoid enabling validation, which would be a very bad result
+1 +1
A *very* bad result.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
On Fri Sep 30 2011 at 11:50:51 CEST, Hauke Lampe wrote:
*except that perhaps those who enable this feature will use it as an excuse
to avoid enabling validation, which would be a very bad result, IMO. . .
My reading of the docs says that BIND's NXDOMAIN redirections won't
break
[ pardon the possible duplicate ]
I'm a fan of RFC 2136 Dynamic DNS and, if I think it appropriate for a
particular use case, sometimes suggest DDNS to customers. I often have
a hard time convincing people to use DDNS and am doubted regarding its
stability and/or performance.
I'm looking
4. Perceived second-class status of DLZ
Ack.
6. Too-tight coupling between the SQL DB and DNS
It'll be interesting to see how BIND 10 [1] handles this coupling [2]. I
haven't (yet) had the inclination to experiment, mainly because (and now
back on topic :-) DDNS is apparently not yet ready
What have you tried so far?
@ IN CNAME linuxsystems.it.
No CNAME and other data [1]. You have an SOA and NS at the apex, so a
CNAME isn't allowed.
-JP
[1] Until you start with DNSSEC :)
___
Please visit
host is four characters shorter.
Use `dig' and save 25% ;-)
`nslookup' must die. (Until a few years ago, it printed a deprecation
notice which, unfortunately, has since been removed.)
-JP
___
Please visit
I'm looking for success (or failure) stories to back up my statement :)
Thank you all for replies, on and off-list. If you are interested in a
summary, I've posted it at [1].
Regards,
-JP
[1] http://dnssexy.net/538
___
Please visit
Is there an IETF/ICANN reserved TLD for internal use? I've seen plenty of
.loc and .local, but I haven't seen an RFC reserving it. RFC 2606
reserves .example, .invalid, .localhost and .test but these don't seem
approriate.
Not IETF/ICANN reserved, but ISO 3166 [1] reserves the following
Note, the new .XXX TLD is included in that list.
Does that mean it is or isn't safe for work? ;-)
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
I have one more question - how can I block every update for every zone
in options section using update-policy?
Are you actually *reading* the documentation: the ARM actually defines
`allow-update':
Specifies which hosts are allowed to submit Dynamic DNS updates
for master
So the error being logged isn't really an error, it just looks like
one; we should probably see about silencing it.
The error is indeed confusing, maybe it should say not yet signed ?
11-Nov-2011 12:32:35.838 zone inline.aa/IN/internal (unsigned): loaded serial 2
11-Nov-2011 12:32:35.838 zone
I have found that www.thisisgame.com does not resolve on our DNS servers
You haven't done anything wrong. thisisgame.com has a single name
server, and that is currently not open to business, at least not from
my part of the world, maybe due to some firewall rule. (Google's NS do
indeed have
Hello,
I'm looking at a BIND installation with a largish number of views, each
of which allow recursion and contain a couple of RPZ zones. Each view
has a `match-clients{}' option limiting access to the view to a very
small number of addresses. (Typically the single address of a client
with a
afaik your client can identify itself by TSIG instead of IP address.
of course, this requires tyour client to support TSIG ...
Unfortunately the clients are dumb stub resolvers (Linux, Mac, Windows),
so TSIG is not an option.
-JP
___
Please
22-Nov-2011 11:25:28.320 general: notice: all zones loaded
22-Nov-2011 11:25:28.320 general: notice: running
This looks to me as though you've cycled the server, which isn't
currently allowed. Evan pointed out recently here that it can actually
corrupt the zone...
My experience is that, after
On Tue Nov 22 2011 at 20:34:46 CET, Spain, Dr. Jeffry A. wrote:
I did something similar, using nsupdate to modify the unsigned zone
instead of a manual edit. [...] rndc reload is not necessary.
`rndc reload' never is necessary if you use DDNS to update master zones.
-JP
I have 1 domain name, and 1 reverse in-addr.arpa
citires.ca and0-127.254.194.207.in-addr.arpa
which my two slaves log that the master is not authoritative for
Seen from here (.DE) the NS for citires.ca both refuse to answer
queries, so they are indeed not authoritative:
On Wed Nov 23 2011 at 20:21:00 CET, Evan Hunt wrote:
Correct, but... let me start by explaining the situation in releases prior
to 9.9, without the inline-signing feature.
And would you now kindly do all of us and all future readers a favor and
copy/paste that text *verbatim* into the ARM?
On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
I use `dig axfr dotat.at | grep -v RRSIG`
... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
hoping, of course, that no owner name is called 'RRSIG' et. al. ;-)
-JP
Jeffry,
I have had a tendency to dig axfr from my Windows workstation
+1 to you for using `dig' on Windows; most don't even know it exists
and suffer the `nslookup' pain. ;-)
-JP
___
Please visit
Do I *have* to use views to deal with such distinction or can I specify
it just as above without views?
You have to use views so that the server can decide which clients get
which responses. This you specify in a match-clients {} stanza within
the view.
-JP
given that their respective administrators have
declared an intention to follow RFC 5011 if they ever roll over their
KSKs.
As you say if they ever roll; I'm not placing any money on that. ;-)
I could of course set up such a test zone and try to perform an RFC 5011
rollover on it, using
The documentation for `match-clients' isn't comprehensive enough... Can
I add all host from, for example 172.16/16 except a single host? Does:
match-clients { 172.16.0.0/16;!172.16.1.1; }
BIND checks the ACL in the order you specify. In your example,
172.16.1.1 will be allowed by the first
May I transfer *views* rather than zone description files?
No. That's why it is called zone transfer. :)
May I transfer two zone description files for a single zone to a
single server?
Again no. (See previous thread on your request to serve two zone files
for the same zone in the one view;
Judicious use of views with ACLs
I haven't actually tested this, but there's a recent thread [1] which
describes what I mean. Pay particular attention to the issue of getting
master notification into the slaves.
-JP
[1] https://lists.isc.org/pipermail/bind-users/2011-May/083664.html
Feature suggestion: some sort of synthetic clock option to named for
use in the test suite (--test-unixtime-offset) or something?
Obviously non-trivial.
Indeed.
I think Chris' Evan's suggestion of a public zone that revokes and
replaces trust anchors periodically (every few hours?) is
On Wed Nov 30 2011 at 20:45:30 CET, Michael Graff wrote:
For my VM environment, I bought a USB random source, and share it
across the VMs with a little daemon I wrote.
Would you be willing to give us a few more details, such as the name of
the USB random source generator (is it an Entropy
I'd recommend checking the next four octets as well; they'll be 00 00 00 00
or 00 00 00 01.
I've hacked up a magic(5) file which seems to work for me:
$ file *
inline.aa:BIND raw format zone file v9.9
inline.aa.jnl:BIND journal file v9
I don't know what you mean by that. Apex of what exactly - my zone
file? Can you tell me exactly what the zone file should look like
with the CNAME record at the apex?
Determine the address(es) for the target domain name
shop4water.hostedbywebtstore.com (I'm using 127.0.0.1 as an example),
During a bout of excessive boredom I created a Lua back-end for DLZ's
dlopen() driver. If anybody is interested, I've put up a short
description [1] and the source code [2]. Patches are welcome. :)
-JP
[1] http://jpmens.net/2011/12/01/lua-back-end-for-bind/
[2]
Has anyone tried the new features of rndc addzone|delzone with
BIND-9.7?
Will the zone added|deleted get transfered between master and slaves?
No, the newly added (or deleted) zone will not be automatcially added to
(deleted from) slave servers. (Slaves require a different zone
definition
$ORIGIN 184.16.172.in-addr.arpa.
$TTL 14400; 4 hours
105 PTR GVC-E237-A01.wks-gvc.domain.com.
88PTR GVC-LIB-C07.wks-gvc.domain.com.
9 PTR gvc-busdrivers.wks-gvc.domain.com.
90PTR
I tried from google dns (8.8.8.8) also but didnt get AD bit set. This may
be because 8.8.8.8 might not be configured for DLV validation.
Google's DNS servers don't do proper DNSSEC validation.
Is there any open dns available from which I can check my domain for AD
flag set?
DNS OARC runs a pair of validating servers, open to the public.
It appears their BIND server has DLV anchor configured, but their
Unbound instance doesn't.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
Next great thing would be for ISC to support the Soft-HSM that
OpenDNSSEC uses. I believe that this would make the step of moving to a
real hardware HSM a lot easier (if necessary).
BIND has supported the PKCS#11 interface (./configure --with-pkcs11)
since 9.6 IIRC, so it ought to be possible
Now if FreeBSD would just add 9.9 to the ports collection
I generally don't add new versions until they are released,
ISC said today in the inline-signing Webinar, that 9.9 would probably be
released on February 7th. Maybe wait for that?
-JP
include /etc/bind/sites-enabled/*
That won't work.
What you could do though is to create the content of the file you're
including, which ought to solve your problem.
cd /var/path
ls /etc/bind/sites-enabled.include
And then in named.conf [ include
the online documentation it says
that addzone will add it to the config files. But after running a test,
all this does is add it to the cache. So does this would mean that every
time the cache is purged, I would have to run addzone again?
No. Zones are added to / removed from a .nzf cache
Hello,
FWIW and for the record, I received an EntropyKey and have shortly described my
experience with it so far at http://dnssexy.net/903
Regards,
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from
After setting up a zone with DNSSEC using inline-signing, I have run into
the issue where if I do anything that updates the unsigned file that is
input into BIND, that it never seems to update the signed data it generated.
I've previously [1] received the Gold Star for suggesting ;-)
That said, instead of using 'rndc reload leadmon.org', I actually have to
use 'rndc reload leadmon.org IN external', or internal as the case may be to
separate the zone I am reloading.
Not here, in spite of multiple views; BIND 9.9.0rc1
-JP
I consider it a feature, though opinions may vary.
I consider it a bug, and it's going to bite hard.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
For My internal DNS setup i want to create a internal root hint file .
Should i follow the pattern of standard root hint file ?
Yes, create your own hints zone containing one or more NS RRsets with
their respective glue. Something along these lines:
.360 IN NS
What is the starting and ending SOA record?
In the original zone, there is ony one SOA record...
The starting SOA is the SOA in your zone. The final SOA is used to
indicate end-of-transfer and is a copy of the first; you can safely
ignore it or, as Michael pointed out, supress it.
The question is: how to generate the name of a nzf file?
Is there a tool or an easy way?
The code is in lib/dns/view.c
if (allow) {
char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(NZF)];
isc_sha256_data((void *)view-name, strlen(view-name), buffer);
What is the best way to log DNSSEC failures in Bind without enforcing
DNSSEC validation?
That is I want to see what Bind would have rejected because of failed
DNSSEC validation, but I do not want to return SERVFAIL to my client.
I don't think that is possible without modifying the client(s)
Augie,
Is there a way to exclude a domain from DNSSEC validation, like
Unbound's domain-insecure?
That is regrettably not possible at the moment, at least not in BIND
9.9.0.
The only (quite impracticable) workaround would be to define the zone
authoritatively yourself and populate it
When the shared KSK needed to be rolled over, you would have to
process DS records in the parents of your few dozen zones all at the
same time.
*If* you want to roll the KSK, a.k.a. when did you last roll your SSH
keys? :-)
-JP
___
Please
I was mistakenly thinking the KSK also had an expiration as the
the ZSK does.
Keys don't expire; signatures (RRSIGs) do.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users
-%-
@ IN SOA localhost root@localhost. (
2012041100
7200
1800
1209600
Comcast has taken a pragmatic view. I'm glad to see they've turned on
validation, but I can see why they need to configure exceptions. Without
being able to manage exceptions, large ISPs are not going to turn on
validation.
Indeed, which brings on the question why BIND (still) doesn't have
So how do we implement one? Create a separate caching server with DNSSEC
validation turned off and forward all queries for the broken domain to it?
Unbound can be configured (on the fly) to ignore DNSSEC for individual
zones. From the unbound.conf(5) page:
domain-insecure: domain name
rd1.ramesh40finalround.com. 98400 INA 11.11.11.11
rd1.ramesh40finalround.com. 96400 INA 12.12.12.12
rd1.ramesh40finalround.com. 99 IN A 13.13.13.13
rd1.ramesh40finalround.com. 1 INA 14.14.14.14
RFC 2181, section 5.2 specifies:
the use of
server 127.0.0.1
zone ccnr.biotechnology.
update add second 86400 in cname first
send
update failed: NOTZONE
Have you tried specifying qualified names?
update add second.ccnr.biotechnology. 86400 in cname
first.ccnr.biotechnology.
-JP
Warren,
I wrote a tool to do this a while back --
http://code.google.com/p/dns-slave-expire-checker/
Cool stuff and very useful. I took it for a tiny spin, and here are my
EUR 0.02 :)
1. Doesn't seem to grok all RRtypes in slave zones, due probably to
missing functionality of dnspython;
I need to understand the difference between configuring bind views and
having multiple instances of bind. I have 5 network interfaces on my server
and I want to have 2 instances of DNS server (just for testing) and I don't
know which one to do ?
BIND views are powerful, but configuring them
2) When I tried a test master BIND in a VM, there was not enough entropy
to generate DNSSEC keys.
Entropy has been discussed frequently on this list. As a quick
workaround, I recommend running http://www.issihosts.com/haveged/
-JP
___
Probably nothing. I believe the default format for slave zones is now
compiled rather than text. Remove all the zone files on the slave and
reload it.
... after defining `masterfile-format text;' :-)
-JP
___
Please visit
We have a script that generates the zonefiles for bind. This script is
working correct, i.e. the files are correctly generated and have no
syntax errors. When adding e.g a CNAME to our database, the script
generates a correct file, including this CNAME. BIND reloads this file
with its correct
The serialnumber in the SOA record is lower than the serial number BIND
pretends to load in the logs. But why would BIND log to load the right
zone, but use an old one?
Because it's loading the wrong file?
Have you (or somebody else) changed `directory' option or path to master
zone file?
While it's always better to compile and install from the latest
stable version, it's also nice to use their package management
system especially when you have to deal with multiple systems.
Building BIND is easy; turning it into an installable RPM not so.
I highly recommend fpm [1] which makes
Building BIND is easy; turning it into an installable RPM not so.
I highly recommend fpm [1] which makes building an RPM trivial. :)
Any advice or tricks for making a DEB for Ubuntu?
Yes: use fpm. :)
So far my plan was to copy the source directory to each server and just
run make
Is it possible to configure my slave to receive zones using an
specific interface from master?
Your slave's zone stanza looks like this:
zone example.net {
type slave;
file ...;
masters { 10.1.1.1; };
};
The `masters' statement
Yes. That´s the problem. I have this statement defined, but it still
try to connect using the wrong IP. Any ideas?
I misunderstood then. Try `transfer-source'.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
That's really odd...
I note that on the master zone you have
allow-query { local; };
Does local contain the slave's address? It must be allowed to query
the SOA record of the zone to transfer.
-JP
___
Please visit
no A record, but if I log into my samba server, where I have:
Is your name server configured to use views? Looks to me as though a
view is hiding your answer.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
20-Jul-2012 15:26:40.181 config: error:
/var/named/etc/namedb/conf/zone_0.conf:1529: zone 'x.net':
already exists previous definition:
/var/named/etc/namedb/conf/zone_0.conf:1529
20-Jul-2012 15:26:46.270 general: error: reloading configuration
failed: failure
That looks very
I find it realy annoying, if I have ask every time the owner of the Slave,
to add a new zone.
Assuming your version of BIND is new enough, look at `rndc addzone' with
which you can add and remove zones at run-time w/out having to edit
`named.conf'.
-JP
Which mean, my DNS partner need his own rndc key which let him add/remove
zones as slave?
You are the master. He is the slave. You have an rndc key for his slave
server, so that you can add a slave zone on his server. [Substitute
he/his by she/hers if required.]
And vice versa. :)
Grab a
IIRC that will add the zone to the master, the question, as I heard it,
was to add it to the slave server, to avoid disturbing the owner of
the slave to manually editing the slave config.
With `rndc addzone' you specify whether you are adding a master or slave
zone, just as you would in
Check the 'allow-transfer' option in your named.conf.
I don't have this option. Should I include it?
If you want to provide zone transfers, you include it. If you don't,
leave it out. (You might also want to glance at BIND's Administrator's
Reference [ARM] while you're at it ...)
After upgrade to Bind V9.9.1-P2:
[root@localhost ~]# file /var/named/zzy4.com.dom
/var/named/zzy4.com.dom: data
Use named-compilezone to convert from one to the other.
You can force the previous text-transfers by setting this option on a
per/zone or globally:
masterfile-format text;
They are currently being block from connecting to 443 since these
servers are only DNS. Is there any reason for clients to connect to
tcp 443 for any type of DNS resolution?
Sounds a bit as though your clients think the BIND box is a HTTP origin
server... I'd look into what programs they're
Chris,
Can one use BIND 9.9 inline signing
with the unsigned version provided by a DLZ interface?
there's no reason why you shouldn't be able to.
Your BIND 9.9 inline signer would AXFR from BIND DLZ without trouble,
but your signer won't be notified by DLZ; you'd have to manually
issue NOTIFY
YPYMAYTYP
Zero results from my favorite search engine -- congratulations. ;-)
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
Thanks, Phil. Those were my thoughts as well. For the present,
I'll write my own monitoring plugin to parse the XML data.
If you need some inspiration, I wrote a bit of C code [1] which does
that rather effectively. It doesn't do what you want, but it may get you
started. ;-)
-JP
GitNamed is a project that manage name server by git. you can clone
the git repo to any workstation, edit zone file, commit and push it.
the data will push to the master and slave name server on the fly.
Very interesting; thanks for sharing.
I hear the Fedora Project does something along
Is there anything technically wrong with having a SOA MNAME field
that isn't listed as a NS record?
Not at all; that works fine.
The server listed as MNAME will host the zone and is authoritative
for the zone, but out of latency concerns it isn't ideal to have
other resolvers querying this
Is using syslog a sane default for new installations or when using
official vendor packages with their startup scripts?
I for one would not want to miss BIND9's logging to auto-rotated files:
file /var/named/log/named.log versions 10 size 5m;
Other than that, I'd say logging via
Note that the log message related to outgoing zone transfers from named,
The shame! That's what I get for being at it 17 hours non-stop. I
overlooked the -out. Sorry and thank you, Tony.
-JP
___
Please visit
Hello,
we have a few BIND (9.9) slave servers, each slaving a couple of hundred
thousand small zones (a dozen records in each). A file included into
named.conf is periodically generated from a database, and named is
reconfigured (rndc reconfig) to load new slave zones.
I'm considering replacing
1 - 100 of 166 matches
Mail list logo