RE: Facing issues while resolving only one record

2023-08-30 Thread John W. Blue via bind-users
Recommend you turn off DNSSEC validation and see if it starts working. If it does, then you know the issue is with how DNSSEC is configured on your server. John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Blason R Sent: Wednesday, August 30, 2023 8:20 AM To:

RE: host restriction

2023-05-15 Thread John W. Blue via bind-users
Zoltan, There may be another way to make this work but this is what comes to my mind: acl’s in a view. https://kb.isc.org/docs/aa-00851 # named.conf acl google-is-good { 192.168.7.0/24; localhost; }; acl google-is-evil { 192.168.8.0/24; }; view google-good { match-clients { google-is-good;

RE: DNSSEC error resolving gpo.gov ?

2023-03-24 Thread John W. Blue via bind-users
Subject: Re: DNSSEC error resolving gpo.gov ? That is done also by bind 9.11, not only infoblox. It creates both digests on common operations. On 3/14/23 16:23, John W. Blue via bind-users wrote: > Keep in mind that SHA1 may not have been included by choice. > > If gpo.gov is using

RE: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread John W. Blue via bind-users
Keep in mind that SHA1 may not have been included by choice. If gpo.gov is using Infoblox there is a, what I like to call, Infoblox-ism in play regarding DNSSEC where even if you choose RSA256 or RSA512 or whatever it will create a SHA1. John -Original Message- From: bind-users

Re: Something other than port 53 is blocking the LAN based BIND9 Servers

2023-03-05 Thread John W. Blue via bind-users
Recommend you run tcpdump on the affected server: tcpdump -n -i ethxxx port 53 This should give you a better lay of the land instead of observational troubleshooting. If you do not see packets leaving then there is something on your side. If you see port 53 packets leaving and not returning

RE: named out of swap on NetBSD/amd64

2023-02-11 Thread John W. Blue via bind-users
At the risk of stating the obvious .. have you tried 9.16.37 or 9.18.11? While I am usually down for an off-in-the-weeds hardcore root cause analysis of a problem, it is nice to get a quick win with a different version. John -Original Message- From: bind-users

RE: Email migration and MX records

2023-01-03 Thread John W. Blue via bind-users
Hi Bruce, It would be better to have an SMTP server return 421 "4.3.0" or 421 "4.7.0" while the migration is under way instead of bouncing the connection. 421 will tell all SMTP servers everywhere to "try again later". The 421 error is a proven greylisting configuration. Not knowing what is

RE: Add TXT records for SPF when CNAME exists in same sub-domain

2022-11-28 Thread John W. Blue via bind-users
RFC 1034 3.6.2 second paragraph: “If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for

Re: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread John W. Blue via bind-users
Sandeep, Are you all using CISA's Protective DNS? If so, there might be a ruleset that is causing problems. If not, and I have not checked, but is DNSSEC for SSA working correctly? John Sent from Nine From: "Bhangui, Sandeep - BLS

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
zone gains nothing (unless??) On Aug 1, 2022, at 12:15, John W. Blue via bind-users wrote: > > As some enterprise networks begin to engineer towards the concepts of > ZeroTrust, one item caught me unaware: PM’s asking for the DNSSEC signing of > an internal zone. > > Granted

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
rsive mode at the same time - should be two separate instances of BIND. On 8/1/22 7:51 PM, John W. Blue via bind-users wrote: Also do not disagree. However, the intent of the thread is to talk about the lack of an AD flag from a non-public internal authoritative server. Based upon what I am seeing on

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
: Monday, August 1, 2022 12:45 PM To: John W. Blue Cc: bind-users@lists.isc.org Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??) On Aug 1, 2022, at 12:15, John W. Blue via bind-users wrote: > > As some enterprise networks begin to engineer towards the co

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
@lists.isc.org Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??) On 8/1/22 10:15 AM, John W. Blue via bind-users wrote: > While that extra overhead is true, it is more accurate to say that if > internal clients are talking directly to an authoritative server the >

DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC signing of an internal zone. Granted, it has long been considered unwise by DNS pros with a commonly stated reason that it increases the size of the zone

RE: your mail

2022-01-15 Thread John W. Blue via bind-users
mail Am 16.01.22 um 04:47 schrieb John W. Blue via bind-users: > Lol. I am not going to do that either. Lol. can you do us all a favor and stop writing useless mails to lists on Saturday night? that footer is for morons who send messages with "unsubscribe" to mailing lists

RE: your mail

2022-01-15 Thread John W. Blue via bind-users
Lol. I am not going to do that either. Lol. -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald Sent: Saturday, January 15, 2022 9:44 PM To: bind-users@lists.isc.org Subject: Re: your mail Please visit

RE: your mail

2022-01-15 Thread John W. Blue via bind-users
/diverging tangent I don't want to diminish any contribution to the good of the cause that anyone is willing to make but ... I am not going to stop top posting. Personally, commentary about top posting is so 1997. Perhaps it is also because I have reached an age where I just don't care

RE: your mail

2022-01-15 Thread John W. Blue via bind-users
Not to be ornery but honestly, for me, globs of text that are pasted into an email are TLDR because I cannot *do* anything with them. So I skip it out of hand. A real tcpdump packet capture is a file that can be loaded by wireshark and analyzed. tcpdump -n -i port 53 -w One from the client and

Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

2021-08-22 Thread John W. Blue via bind-users
You're using the wrong tools to troubleshoot or investigate this error. Instead of relying upon resolvers to provide situational awareness you need to inspect DNSSEC itself using dnsviz.net: https://dnsviz.net/d/pms.psc.gov/dnssec/ psc.gov is giving the world ID 5089 when they need to handing

RE: Sorry

2021-07-22 Thread John W. Blue via bind-users
I’m not judging but it sounds like to me what you are really describing is PTSD from installing Windows 7 and “upgrading” it to Windows 10. :D I too use Microsoft products but for infrastructure services facing the open Internet (like DNS) I only use BIND running on FreeBSD. Not knowing

Re: Best DNSSEC documentation for current version?

2021-06-21 Thread John W. Blue via bind-users
Hello Brett, Have you seen the webinar videos on ISC's youtube channel? https://www.youtube.com/user/ISCdotorg/search?query=DNSSEC I would encourage you to attend them as they are presented. One even had VMs for the attendees to practice the information presented and ask questions. John

Re: Inline signing fails dnsviz test.

2021-05-10 Thread John W. Blue via bind-users
Hello Dan. Does your registrar have the ability via a UI to place a DS record in the .name zone? And if so, have you done that already? John Sent from Nine From: Dan Egli Sent: Monday, May 10, 2021 12:20 AM To:

RE: Update DNSSEC Zone

2021-05-09 Thread John W. Blue via bind-users
Hi Peter .. How do you know your DNSSEC is working to begin with? Here is a URL that I prefer to use that will help answer that question: https://dnsviz.net/ What you are looking for is your zone to be “secure”. Since you are an experienced BIND admin .. any clues to be found in the logs?

Re: Name server delegation

2021-04-26 Thread John W. Blue via bind-users
Since "" is a subzone inside of the example.com zone the answer is yes, it can be delegated. John Sent from Nine From: Karol Nowicki via bind-users Sent: Monday, April 26, 2021 10:24 AM To: bind-users@lists.isc.org Subject: Name

RE: Testing KASP, CDS, and .ch

2021-04-09 Thread John W. Blue via bind-users
M To: bind-users@lists.isc.org Subject: Re: Testing KASP, CDS, and .ch On Fri, 2021-04-09 at 19:05 +0000, John W. Blue via bind-users wrote: > So the issue here is that the DS record that sits in .ch has an ID of 22048 > but the domainmail.ch servers are telling the world that the correc

RE: Testing KASP, CDS, and .ch

2021-04-09 Thread John W. Blue via bind-users
+, John W. Blue via bind-users wrote: > So the issue here is that the DS record that sits in .ch has an ID of 22048 > but the domainmail.ch servers are telling the world that the correct ID is > 17870. > > Thus the DNSSEC breakage. Of course, however there is no 22048 id in Gandi

RE: Testing KASP, CDS, and .ch

2021-04-09 Thread John W. Blue via bind-users
So the issue here is that the DS record that sits in .ch has an ID of 22048 but the domainmail.ch servers are telling the world that the correct ID is 17870. Thus the DNSSEC breakage. John -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jim

RE: underscores in A queries

2021-04-09 Thread John W. Blue via bind-users
It would seem that the underscore is one of those characters in DNS that leads a double life. RFCs say that underscores are disallowed for use in hostnames but SRV records use it to indicate service type et al. And then you have the acm-validations.aws geniuses who use it in their hostnames to

RE: Timeout setting

2021-03-25 Thread John W. Blue via bind-users
When I queried the authoritative server directly it worked: ;; QUESTION SECTION: ;111.250.179.17.in-addr.arpa. IN PTR ;; ANSWER SECTION: 111.250.179.17.in-addr.arpa. 86400 IN PTR rn2-msbadger07105.apple.com. ;; Query time: 62 msec ;; SERVER: 17.47.176.10#53(17.47.176.10) I would

RE: Bind 9.11 serving up false answers for a single domain.

2021-02-11 Thread John W. Blue via bind-users
ts.isc.org] On Behalf Of @lbutlr Sent: Thursday, February 11, 2021 6:18 PM To: bind-users Subject: Re: Bind 9.11 serving up false answers for a single domain. On 11 Feb 2021, at 16:38, John W. Blue via bind-users wrote: > I have found to tshark to be useful as well but the f

RE: Bind 9.11 serving up false answers for a single domain.

2021-02-11 Thread John W. Blue via bind-users
eb 2021 22:20:08 +0000 "John W. Blue via bind-users" wrote: > Three words: tcpdump and wireshark > > It is like peanut and jelly .. hall and oates .. salt and pepper .. ebb and > flow .. pen and paper .. I could go on but … > > Know them. Love them. They are your

RE: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread John W. Blue via bind-users
serving up false answers for a single domain. (OT) Ah, SHA1 DS record or an RSASHA256 DNSKEY, yes. Stuart On 11/2/21, 11:42 am, "bind-users on behalf of John W. Blue via bind-users" wrote: Notice: This email is from an external sender. Well .. as best as I can tell ..

RE: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread John W. Blue via bind-users
of "John W. Blue via bind-users" Reply to: "John W. Blue" Date: Thursday, 11 February 2021 at 9:21 am To: bind-users Subject: RE: Bind 9.11 serving up false answers for a single domain. Notice: This email is from an external sender. Three words: tcpdump and wireshark

RE: Bind 9.11 serving up false answers for a single domain.

2021-02-10 Thread John W. Blue via bind-users
Three words: tcpdump and wireshark It is like peanut and jelly .. hall and oates .. salt and pepper .. ebb and flow .. pen and paper .. I could go on but … Know them. Love them. They are your newest best friends. Using tcpdump IMHO should be the first tool anyone uses when troubleshooting

RE: Testing a new master server...

2020-11-18 Thread John W. Blue via bind-users
Hello Bruce! For opening comments .. I have nothing but empathy for you and the firefight you are in. "Institutional inertia" is never enjoyable especially when you are the one tasked with change. So you indicated "upstream network management" is sending DNS/DHCP traffic but then you say that

Re: DNSSEC migration sanity check

2020-09-04 Thread John W. Blue via bind-users
Howdy bind-users list. TLDR: we were able to move zones between DNS servers with different KSK/ZSK while keeping the zones secure. First I want to say a BIG thank you for the replies received since it helped in documenting our workflow for these migrations. Off list, Paul E. mentioned that a

DNSSEC migration sanity check

2020-08-19 Thread John W. Blue via bind-users
We are in the process of moving from one IPAM vendor to another. All of our zones are DNSSEC signed and the TTLs have been lowered to 300 seconds. At a high level, the playbook is to update the registrar with names/IP addresses of the new servers and update the DSKEY. Depending on the time

RE: broken trust chain

2020-07-28 Thread John W. Blue via bind-users
What version of BIND are you using? John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of youssef.fassifi...@inwi.ma Sent: Tuesday, July 28, 2020 6:10 PM To: bind-users@lists.isc.org Subject: broken trust chain Hi All, I am using Bind as a resolver for end users.

RE: BIND DNS problem (?)

2018-09-26 Thread John W. Blue via bind-users
I could not zoom in to see anything. Please post a better screenshot or better yet post the .pcap itself for download and review. John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jukka Pakkanen Sent: Wednesday, September 26, 2018 2:46 AM To:

Re: Frequent timeout

2018-08-31 Thread John W. Blue via bind-users
tcpdump is your newest best friend to troubleshoot network issues. You need to see what (if anything) is being placed on the wire and the responses (if any). My goto syntax is: tcpdump -n -i eth0 port domain I like -n because it prevents a PTR lookup from happening. Why add extra noise? As