RE: Multiple BIND instances

2012-02-07 Thread Lightner, Jeff
Virtualization doesn't reduce use of resources but DOES separate into what are perceived to be multiple "servers" so I'm not sure what you mean by "you still have one server".

RE: Name Resolution issue with one domain

2012-03-21 Thread Lightner, Jeff
I don’t think the target is blocking as I get the following: dig www.dubaiairport.com ; <<>> DiG 9.8.1 <<>> www.dubaiairport.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36668 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;

RE: Restricting access & keeping identical data across views

2012-03-28 Thread Lightner, Jeff
Is signing not done at zone file level? For our views even when the zones are identical I keep separate copies for the internal and external views so I would have thought this wouldn't be an issue.

RE: Split DNS and zone transfers

2012-04-16 Thread Lightner, Jeff
You can also do it by IP in views but need separate IPs for each view. You can do that with virtual IPs on the same NICs as the primary IPs. Such virtual IPs of course have to be in the same subnet as the primary and also you’d need to ensure the firewall (including host level if any) is opened

RE: multiple ints: views or separate records?

2012-05-25 Thread Lightner, Jeff
As far as influence it seems you could restrict the connections on virtual IPs to specific subnets so that they don’t have a choice. This can be done via ACLs in the views and/or via firewall rules (e.g. in iptables if this were a Linux host).

RE: Moving DNS out of non-cooperative provider

2012-06-18 Thread Lightner, Jeff
Just to verify - when you say "old provider" you're just talking about somewhere you had pointed your DNS records to and NOT the actual Registrar for the domain? If it is the Registrar you have to make changes at the Registrar's site to change which DNS servers to use. If they're not being coo

RE: Compiling and testing on Fedora

2012-06-21 Thread Lightner, Jeff
Turning off SELinux also requires a reboot after changing mode.

RE: bind dies with assertion failure

2012-07-03 Thread Lightner, Jeff
As mentioned more than once on this list, Redhat starts with an upstream version of a given package (say BIND 9.7) then backports security and bug fixes from later upstream versions into theirs and adds extended versioning (say 9.7-2.3.1). One would have to check Redhat's version to see what fi

RE: bind dies with assertion failure

2012-07-03 Thread Lightner, Jeff
I disagree about this being off topic. It IS in fact a BIND question but like many BIND implementations is specific to the user's setup.

RE: Loaded zone files query

2012-07-10 Thread Lightner, Jeff
That assumes it's Linux and is being logged to local /var/log/messages. For other *nix the log location and name is apt to be different.

RE: disabling "Any" requests

2012-07-12 Thread Lightner, Jeff
Your answer was clearly meant to be tongue in cheek but I'm not sure you understood. The OP wasn't asking how to stop all (any) lookups - it was how to stop "dig -t any" which isn't the same thing at all. Presumably they still want to allow dig -t mx, dig www... etc... Personally I don't know

RE: Can't receive emails from another machine

2012-07-31 Thread Lightner, Jeff
To check whether BIND is your problem simply run "dig -t MX " on the host that is trying to send the email to your mail host. If it returns the right IP address for your mail host then BIND isn't the problem. For iptables/postfix this isn't really the right forum. You might want to try posti

RE: 2 dns records for same server

2012-08-20 Thread Lightner, Jeff
That is to say don't put the external servers in /etc/resolv.conf on your clients - only put the internal one there. (Or the Windows equivalent setup should only see your internal DNS server.) I would correct the prior post not to say "EVER" but rather "not directly". Often in an internal/ex

RE: What can cause excessive amount of _dns-sd queries?

2012-08-23 Thread Lightner, Jeff
Maybe blocking access by that IP will force the customer's tech folks to contact you?

RE: Zone Transfer issue on BIND9

2012-08-24 Thread Lightner, Jeff
You're putting the allow transfer on each zone? I don't think that's your issue but it seems odd to me. Here we do it at the view level. Also it appears you're using the same IP for at least two of your views - for view transfers to work properly here we setup virtual IPs on the DNS servers

Dig from workstation to answer?

2012-09-18 Thread Lightner, Jeff
I know that dig +trace can be used to see the path of name resolution starting from root server down to final answer. What I’m wondering is if there is some set of options that would go from workstation to final answer? That is to say only go to the root server if that is where the DNS topolo

RE: Moving BIND from Solaris to Linux

2012-10-01 Thread Lightner, Jeff
We use RHEL mainly because that's our distro of choice for most of our applications. It is the most popular "commercial" distro and is the one most 3rd party commercial applications (e.g. Oracle) support. (Of course SLES has a lot of support as well but not quite as much - others will tell you Ubu

RE: Moving BIND from Solaris to Linux

2012-10-01 Thread Lightner, Jeff
The reason I did the full discussion is that many shops are moving from proprietary UNIX (Solaris, AIX, HP-UX) or Windows to Linux solutions. If they are moving much infrastructure but just starting with BIND then he needs to consider what I wrote. Also I don't really agree that Ubuntu is th

RE: Moving BIND from Solaris to Linux

2012-10-03 Thread Lightner, Jeff

RE: issues with BIND since a change of server

2012-10-04 Thread Lightner, Jeff
Have you checked the host level firewall (e.g. iptables)?

RE: Performance tuning

2012-11-26 Thread Lightner, Jeff
For question 1: “Loading” is a function of the web site not DNS. Your first question could have to do what the default site is in your web configuration and what kind of rewrite rules are getting you to the other. If it were me I’d probably do some timed “host” or “dig” commands for the two re

RE: restart named; missing TCP socket

2012-12-12 Thread Lightner, Jeff
Why use rndc to stop then the init script to start? Is there no /etc/rc.d/rc.named restart? On RHEL5 the init script has a restart option so it will stop then start. If a socket is open then it could take a finite amount of time for it to close making it unavailable on the restart if you ha

RE: How can I migrate my Domain from ISP hosted to my own BIND server?

2012-12-14 Thread Lightner, Jeff
To expand on that. The steps Manish wrote are what you do internally. What Sten is writing is external – your domains are “registered” somewhere and the “Registrar” points to the appropriate DNS servers – you’ll need to ensure that it is pointing to your internal DNS servers. You can find out

RE: chroot/etc/named/ directory?

2013-02-13 Thread Lightner, Jeff
Haven't done it on RHEL/CentOS 6.x yet but in RHEL5 with the bind-chroot installed I've always had: /var/named/chroot as the jail for BIND. /var/named/chroot/etc = Location of global config files such as named.conf /var/named/chroot/var/named = Location of the zone files. I don't see a /var/named

RE: SOA issue

2013-02-13 Thread Lightner, Jeff
Also make sure you’ve incremented the serial number in the zone file by at least 1.

RE: Install DNS Server

2013-10-10 Thread Lightner, Jeff
Any reason why you’re using CentOS 5.7 given that 6.4 (and maybe later) is available? If this is a new system you really ought to think about using the 6.x stuff. 5.x is long in the tooth; even though still supported it has many older upstream packages of things including BIND. CentOS does put

RE: Performance Tuning RHEL 5 and Bind

2013-10-21 Thread Lightner, Jeff
Any reason you're using RHEL5 as opposed to RHEL6 if you're building new servers? RHEL5 is very long in the tooth and will go EOL sooner than RHEL6. Since you're using a BIND package not shipped with RHEL5 there's no reason on that account not to move up to RHEL6.

RE: Adding DS records

2013-12-20 Thread Lightner, Jeff
FYI: web.com recently bought NetSol and at least one other Registrar that escapes me at the moment. It might be worthwhile to see if any of their companies do this as you might have an easier time transferring and avoid some of the common games Registrars play to prevent it. I heartily recom

RE: Same internal and external zone

2014-02-14 Thread Lightner, Jeff
There is nothing that precludes you from having the same zone on different DNS servers. You make each "authoritative" so that any look up that hits that DNS server gets that server's records. You can then have separate entries for some items and the same for others. We do that here with at

whois expiration limit?

2014-02-19 Thread Lightner, Jeff
Hi, I know this is the BIND list but I’m thinking folks who deal with DNS probably may be able to answer this question about whois. We recently transferred and renewed a domain by 2 years which pushed its expiration to 01/25/2025. The order confirmation shows that expiration and looking at t

RE: whois expiration limit?

2014-02-19 Thread Lightner, Jeff

RE: Does bind read /etc/hosts?

2014-07-15 Thread Lightner, Jeff
The confusion can come in because in some UNIX variants (notably HP-UX) nslookup was modified to honor /etc/nsswitch.conf so it DOES check /etc/hosts if "files" precedes "dns". However, in most things (e.g. Linux, Solaris) nslookup (and the newer host command) do not look at /etc/hosts regardless

RE: Value of memory

2014-08-07 Thread Lightner, Jeff
Also remember that "used" reported by "free" in Linux on the first line includes memory pre-allocated to cache and buffers that is readily usable on demand so isn't really allocated to specific processes like you'd see in a similarly configured UNIX system. Be sure when trying to determine "us

RE: Change in behaviour regarding ndots and searchlist

2014-09-15 Thread Lightner, Jeff
I've begun seeing this recently in nslookup on Windows workstations as well. It appears it is appending search domains even when I've specified an FQDN. That is I have two search domains such as ex1.com and ex2.net and I typed short name "ralph" for nslookup or host it would give me "ralph.

RE: Change in behaviour regarding ndots and searchlist

2014-09-15 Thread Lightner, Jeff

RE: SRV records etc

2015-02-11 Thread Lightner, Jeff
SRV definitely still required for some applications. Some cloud based application providers have you add them to verify you own the domain to which they're tying their services so you don't use them to hijack other people's domains.

RE: Getting Error || unable to convert errno to isc_result

2015-02-11 Thread Lightner, Jeff
On RHEL the kernel doesn't change within the main release (RHEL6) in this case will always be 2.6.32-xx and RHEL does the support including back porting bug and security fixes into their extended release (which isn't the same as the base kernel). They do the same thing for the BIND release

RE: Getting Error || unable to convert errno to isc_result

2015-02-11 Thread Lightner, Jeff

RE: Request to provide procedure for bind upgrade

2015-02-16 Thread Lightner, Jeff
The package is “bind” not “named”. The daemon is called “named”. You can type “rpm -qf $(which named)” to determine which package installed that daemon. (Likely it was bind.) Also if you’re running the chroot’ed version you’d want the package “bind-chroot”. I’d suggest you run “rpm -qa |

RE: Request to provide procedure for bind upgrade

2015-02-16 Thread Lightner, Jeff
Good point. Fedora isn't really a good choice for Production systems - it is bleeding edge with short life cycle (usually new version is out 6 months later and they only support the most recent 2.) Fedora is used as a test bed for what ends up in RHEL later. RHEL has much longer life cycle b

RE: Config large tuning and out of memory

2015-03-03 Thread Lightner, Jeff
CentOS 5.x does have a 64 bit version. 5.2 is quite old - they're up to 5.10 or 5.11 these days. I don't think you can just change from 32 bit to 64 bit - I think it requires a reinstall from the 64 bit installation media. If you have to do a reinstall you're better off going to at least Cen

RE: Single slave zone definition for two view (cache file name problem)

2015-03-17 Thread Lightner, Jeff
4.x would be quite ancient. Where are you getting those version numbers? You should be using 9.x these days so I suspect the BIND version isn't what you think it is. Is it possible the version you're reporting is your OS rather than your BIND? What is reported when you run "named -v"? An

RE: Single slave zone definition for two view (cache file name problem)

2015-03-18 Thread Lightner, Jeff
It isn't really that hard to maintain two separate zone files for each domain. We've been doing it for years. It isn't really clear why you're using views if all your zone files are the same as you seem to imply. Here we do views specifically because for some domains the zone files DO need

RE: subdomain with domain

2015-04-01 Thread Lightner, Jeff
You can do subdomains with the one zone file rather than having separate zones you just have to put a new ORIGIN for the subdomain. In the domain file for after the SOA and existing records (NS, A, CNAME etc...) add a line: $ORIGIN _msdcs..; New subdomain Then add the records (A, CNAM

Recall: subdomain with domain

2015-04-01 Thread Lightner, Jeff
Lightner, Jeff would like to recall the message, "subdomain with domain".

RE: com.google how did they do that

2015-04-02 Thread Lightner, Jeff
Not all the new TLDs are company specific. Some are more generic but useful to certain industries. There are 2 or 3 TLDs that I assume will appear sooner or later and I really wish I had the capital to make them as I know as soon as they are available many companies will use them so they'd be

RE: stumped on sub domain addition

2015-07-23 Thread Lightner, Jeff
Did you change the sequence/serial in the SOA and reload the zone? Doing dig tests for euca.us I get its “A” record and for www.euca.us I get its CNAME. That suggests you didn’t setup onqsolutions record properly. Looking at your www CNAME in your zone file might let you k

RE: stumped on sub domain addition

2015-07-23 Thread Lightner, Jeff

RE: How to properly update chroot-bind

2015-07-28 Thread Lightner, Jeff
Since the OP says he's not in Production yet I'd strongly advise moving on to CentOS 7 for multiple reasons. It has a new base version of BIND and also has a 3.x kernel. However, there is a learning curve because it also uses systemd rather than Sys V init. The way bind-chroot runs is signifi

RE: DNS format error

2015-07-28 Thread Lightner, Jeff
http://www.vip.icann.org/DS? The http:// and /DS wouldn't be part of DNS name itself so you can't dig for that. You'd have to point a browser (or command line tool like wget or curl) to get that web page. The vip IS part of the DNS name. Did you try "dig www.vip.icann.org"? It works for m

RE: Multiple A and PTR and the "main" ones?

2015-09-11 Thread Lightner, Jeff
Actually some mail servers DO check not only that a PTR exists but also that it is not "generic". Every once in a while we get someone complaining because one of the big sites (Ebay?) refuses to accept their email due to the "generic" (as defined by that site's policies) nature of our PTR. We

RE: init script

2015-09-29 Thread Lightner, Jeff
Which Linux or UNIX distribution and version are you using? As Omer suggests most of them include a bind package with prebuilt init scripts - you can download the BIND package then extract the init scripts from it. (deb is for Debian derived Linux distros, rpm for Redhat derived distros - mig

RE: Why two lookups for a CNAME?

2015-10-21 Thread Lightner, Jeff
Because the purpose of DNS primarily is to equate a name with an IP as applications talk to IPs not to names. When you have a CNAME you’re equating one name with another name. That other name then has to be looked up so the application knows what IP to access. This saves time if you have multi

RE: Cloud DNS providers for secondary DNS

2015-12-30 Thread Lightner, Jeff
The OP mentioned notifying Registrars. He'll also need to notify whoever his ISP is if he has arpa zones for reverse lookups and they are delegating to his name servers.

RE: Bind9 on VMWare

2016-01-13 Thread Lightner, Jeff
We chose to do BIND on physical for our externally authoritative servers. We use Windows DNS for internal. One thing you should do if you're doing virtual is be sure you don't have your guests running on the same node of a cluster. If that node fails your DNS is going down. Ideally if

RE: PCS, Corosync, Pacemaker, and Bind

2016-03-19 Thread Lightner, Jeff
You might want to try "ip a" vs ifconfig. RHEL7 uses Network Manager and in the past I've found some things don't show up in ifconfig output when doing alias/virtual interfaces. Usually even when other products (e.g. Oracle RAC/GRID) create virtual interfaces they still show up as valid int

RE: about NS server authorize

2016-03-21 Thread Lightner, Jeff
As others said this isn't really a BIND issue. EPP key is what some Registrars call the authorization code for domain registration transfers. Did you recently attempt to transfer this zone from one Registrar to another? Did you get confirmation that the transfer (not just the request for t

RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Lightner, Jeff
Since there are BIND packages (9.9.4) for RHEL7/CentOS7 available from default repositories you could download those packages and extract the systemd files from them and examine what they've done. With systemd the methodology isn't that BIND notifies other things that it is up. It is that othe

RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Lightner, Jeff

RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-25 Thread Lightner, Jeff
The RedHat/CentOS version starts with an upstream version from ISC. At the time they first get it they optimize to fit within the other packages they’ve setup on the specific major release (e.g. RHEL5 had BIND 9.3.6, RHEL7 has BIND 9.9.4). After that they put their own extended versioning o

RE: I get "No mail exchanger (MX) records available for rimm.com" errorjust for a couple of domains

2010-08-19 Thread Lightner, Jeff
What is so obvious about it not being down? If folks like AT&T and other major corporations could have outages I don't see any reason why this one couldn't. Note that you typed "rimm.com" (two m's) not "rim.com". The former has a red WOT rating so I suspect it is used to spoof the latter bu

RE: I get "No mail exchanger (MX) records available for rimm.com"error just for a couple of domains

2010-08-19 Thread Lightner, Jeff
"from ns2"? Are you sitting on your ns2 server and typing this command? If so it may be your resolv.conf file doesn't specify "localhost". Or it may be you haven't configured ns2 to do root hints to look for external domains. Or it may be your ns1 has another server completely in its reso

RE: Verizon Users Can't See Site

2010-09-14 Thread Lightner, Jeff
From our AT&T based network it works but the individual server digs (dns1 & dns2) were significantly slower than the dig in which I didn't specify a server. $ dig @dns2.mbc.irides.com www-mbclive.mbc.irides.com ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @dns2.mbc.irides.com www-mbcli

RE: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-21 Thread Lightner, Jeff
I always liken arguments such as this to a leaky boat. While one certainly does more to eliminate the boat filling with water by plugging the big holes that does NOT mean there is no value in caulking the small ones. Over time enough of the small ones might be enough to swamp the boat.

RE: All zone blocks for "public" view should be listed here in "internal"too!

2010-09-23 Thread Lightner, Jeff
In views order is important. If you have internal before others (e.g. external) then that is the default view. What I *think* it is telling you is that if you have an internal view that you restrict to certain networks that you need to ensure you have all the public zones in the external

RE: repository for zone files

2010-09-23 Thread Lightner, Jeff
/etc = named.conf, rndc.conf and other config files /var/named = zone files. Are you running just bind or bind-chroot? If the latter then named.conf goes in /var/named/chroot/etc rather than /etc and the zone files go into /var/named/chroot/var/named instead of /var/named. You can configure thin

RE: repository for zone files

2010-09-24 Thread Lightner, Jeff
No the prior poster was correct - you can do chroot or SELinux or both. While it is true that RedHat teaches SELinux and ships it you can always disable it if you prefer not to use it. You are asked during the install of the OS and you can disable it or enable it any time you want after the insta

RE: repository for zone files

2010-09-24 Thread Lightner, Jeff
Up until Bill came out with NT with the stated intention of killing UNIX I was somewhat of an M$ fan (over Apple that is). All he really succeeded in killing was Netware. Now years later Apple is running a UNIX based OS - go figure.

RE: repository for zone files

2010-09-24 Thread Lightner, Jeff

RE: repository for zone files

2010-09-24 Thread Lightner, Jeff
And of course VMWare is 80% owned by EMC: http://www.boston.com/business/technology/articles/2010/03/03/emc_to_maintain_80_vmware_stake/

RE: DNS resolution based on source network

2010-09-27 Thread Lightner, Jeff
Yes - It's called "views". There are many good examples of BIND Views on the internet and in the documentation.

RE: Unable to query the nameserver

2010-10-06 Thread Lightner, Jeff
Of course some versions of nslookup aren't "standard" even for nslookup. The one on HP-UX actually interrogates local /etc/hosts file if nsswitch.conf says to use files first. I got so used to doing that for years that when I tried to use nslookup on Linux back in 2005 I was miffed because it was

RE: named-checkzone Test Runs

2010-10-13 Thread Lightner, Jeff
Can you share what you're talking about since it appears you're saying you got the reply off list?

RE: No cache for NS RR in public DNS

2010-10-15 Thread Lightner, Jeff
You're saying it's getting the records because they are cached at org?

RE: limiting number of recursion/queries per IP address

2010-10-26 Thread Lightner, Jeff
iptables is available in most Linux distros and it is definitely better to block things there than in BIND itself. I don't know that BIND has a rate limiter. It DOES have a "blacklist" option where you can completely block a site's access to it but as noted above it is better to do it in iptables

RE: DNSSEC and Bind 9.3.6

2010-11-03 Thread Lightner, Jeff
Some OSes provide an "official" BIND package and maintain it. (e.g. RHEL 5.x uses BIND 9.3.x). This package while initially based on 9.3 from ISC may have security and/or functionality updates backported into it from later versions of BIND. If you are using such an "official" package from your

RE: no. of Views and Zones

2010-11-08 Thread Lightner, Jeff
You would NOT use a single zone for this. Views are designed specifically to control what is seen. However, that control is mainly done by acl's specifying which networks access which views. Do you assign specific subnets to each client? If so you could do this with views but processing neede

RE: no. of Views and Zones

2010-11-08 Thread Lightner, Jeff
support the VMs) if I was concerned about security of each customer. This would especially be true if those customers also had web, mail or other servers being hosted by me as well.

Rules against links or certain links?

2010-11-11 Thread Lightner, Jeff
I've noticed a couple of times on this list that if I post links for certain on line sites with free tools like whois that they never seem to make it to the list. Is there some prohibition against posting those links that would cause them to be filtered out? I know at least one of them also ha

RE: Rules against links or certain links?

2010-11-11 Thread Lightner, Jeff
D'oh - I realize now that the reply ONLY went to you and not to the list. Trying to send it to list with this reply.

RE: DNSSEC with 9.7.2-P2

2010-11-12 Thread Lightner, Jeff
Not a hole if you look at the reasoning for Fedora itself. It has a short lifecycle and they expressly tell folks not to use it for Production due to this. It is meant to be bleeding edge for testing the latest/greatest. It is used as a test bed for what makes it into RHEL. For Production (RP

RE: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-28 Thread Lightner, Jeff
It's working fine for me from RHEL5 Linux DNS servers and from Windows DNS servers.

RE: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread Lightner, Jeff
If qmail is open source then YOU can patch it to your heart's content and might even want to fork the project so you're maintaining it for others. Expecting BIND to hold itself back or patch itself for 1998 standards is a bit like expecting people that maintain websites to keep support for Mosaic.

RE: get a domain's dns records

2011-01-21 Thread Lightner, Jeff
It checks for test. - I saw it do that for my zone. For us it isn't a subdomain but simply an A record. Apparently when it found your record it went ahead and did another check for your sub-zone. I'm surprised that it does not check for ftp.. Whenever we're doing acquisitions here that is one

RE: about the file command

2011-02-08 Thread Lightner, Jeff
BIND doesn't require you to use any views "by default". The way views work one of them IS a "default" so order of views is important. You would use the "default" as your "catch all".

RE: Please Help

2011-02-17 Thread Lightner, Jeff
IIRC the U.S. Government last year or the year before mandated all their sites be DNSSEC compliant by early this year. Maybe it is just a sign they are actually doing it.

RE: Slaves and views

2011-03-04 Thread Lightner, Jeff
Haven't done it but don't see why not. Since every entry in named.conf specifies the zone file you can definitely have multiple zones all pointing to the same zone file. (We do that for many ancillary zones that we want to point to our primary domain so have an aliases file that uses the @ desig

RE: R: Operating system recommendation

2011-03-11 Thread Lightner, Jeff
"Linux people and their reinstalls"?! Somebody has confused Linux with Windows. We've been running RedHat Enterprise Linux (RHEL) systems commercially for several years (including our DNS servers) and the only time I "reinstall" is when I'm redeploying a system and/or want to go to a newer ma

RE: R: Operating system recommendation

2011-03-11 Thread Lightner, Jeff
heeded and some ignored but always knew I wasn't the tail that wags the dog. You apparently think you are in your organization so congrats on that. -Original Message- From: Dan [mailto:d...@sunsaturn.com] Sent: Friday, March 11, 2011 12:33 PM To: Lightner, Jeff Cc: bind-user

RE: RHEL5 BIND in PROD

2011-03-15 Thread Lightner, Jeff
If these are new servers that are only for BIND I'd suggest going with RHEL6 rather than 5.6 - RHEL releases have a very long life cycle. When I get a spare moment I intend to update our servers to RHEL6. We use the RHEL5 BIND package for the reasons you give. However, the way RedHat does things

RE: dns RR method is not equal balanced?

2011-03-29 Thread Lightner, Jeff
Not to mention that RedHat just announced pending EOL of RHEL4 last week. RHEL5 has been out since around 2007 and RHEL6 was released around the start of this year. From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightne

RE: children whose zones do not reflect the delegation from the parent

2011-03-30 Thread Lightner, Jeff
I'm wondering if the issue isn't because you've not told your ISP what your name servers are. You have to do that for reverse delegations to get to your servers. (This is in addition to telling your Registrar.) -Original Message- From: bind-users-bounces+jlightner=water@lists.isc.o

RE: Migrate domains to different DNS servers

2011-04-20 Thread Lightner, Jeff
By re-delegate do you mean at the Registrars and ISPs? If so and if you have more than one DNS server for redundancy (as you should) then you can replace one server at a time using the same name/IP on the new server as on the old server. When we did this a few years back we simply moved the n

Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Lightner, Jeff
Is anyone else seeing odd results with news.google.com? My BIND 9 master and slave are getting different results. If I go out to other sites such as Kloth.net or iptools.com they also get different results from each other and different from what my master and slave are reporting. I'm runnin

RE: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Lightner, Jeff
are not in different locations or in a separate subnet is why I don't understand why I'd be getting separate "location specific" IPs handed to the two servers. -Original Message- From: Warren Kumari [mailto:war...@kumari.net] Sent: Tuesday, May 24, 2011 4:06 PM To:

RE: DNS attacking

2011-05-25 Thread Lightner, Jeff
You can blacklist things in named.conf but we've found it more efficient to simply have iptables drop packets from the offending IPs so they never even get to BIND. -Original Message- From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water..

RE: Getting different name resolution for news.google.com from masterand slave BIND

2011-05-25 Thread Lightner, Jeff
c.org Subject: RE: Getting different name resolution for news.google.com from masterand slave BIND Lightner, Jeff wrote: > The master is dswadns1.water.com at 12.44.84.213 and the slave is > dswadns2.water.com at 12.44.84.214. So, they leave your network in the same way, through the same rout

RE: Getting different name resolution for news.google.com from master and slave BIND

2011-05-25 Thread Lightner, Jeff
NS servers rather than our own. -Original Message- From: Warren Kumari [mailto:war...@kumari.net] Sent: Tuesday, May 24, 2011 6:12 PM To: Lightner, Jeff Cc: bind-users@lists.isc.org Subject: Re: Getting different name resolution for news.google.com from master and slave BIND And are those defi

RE: Getting different name resolution for news.google.com frommaster and slave BIND

2011-05-25 Thread Lightner, Jeff
4 PM To: bind-users@lists.isc.org Subject: Re: Getting different name resolution for news.google.com frommaster and slave BIND On Tue, May 24, 2011 at 02:28:42PM -0400, Lightner, Jeff wrote: > Is anyone else seeing odd results with news.google.com? My BIND > 9 master and slave are getting di

RE: second nameserver with two IPs

2011-06-08 Thread Lightner, Jeff
You can have a thousand IPs and it won't matter so long as you configure your named.conf to use a specific IP in notify-source and transfer-source. -Original Message- From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org]
