Re: Conflicting glue records?

2009-01-08 Thread Matthew Pounsett
On 08-Jan-2009, at 03:41 , Dawn Connelly wrote: Right, but his question was regarding the host record for the name server. You tell the registrar the name and IP address of the name servers that are authoritative for the domain. The registrar then pushes those glue records to the root servers.

Re: unwanted delegations was: What to do about openDNS

2009-01-21 Thread Matthew Pounsett
On 21-Jan-2009, at 03:23 , Scott Haneda wrote: On Jan 20, 2009, at 6:42 PM, Matthew Pounsett wrote: Registries that implement host records (so, at least the gTLDs) could accept the word of the registrant of the zone that contains a name server (or the word of their registrar

Re: allow-query-cache and resolution time

2009-01-22 Thread Matthew Pounsett
On 22-Jan-2009, at 16:00 , LENA MATUSOVSKAYA, BLOOMBERG/ 731 LEXIN wrote: Hello, Thank you for answering my question yesterday. I have a new question about allow-query-cache and its effect on a DNS server's response resolution time. allow-query-cache specifies which hosts are allowed

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-25 Thread Matthew Pounsett
On 25-Jan-2009, at 03:44 , Al Stu wrote: When a domain name associated with an MX RR is looked up and the associated data field obtained, the data field of that response MUST contain a domain name. That domain name, when queried, MUST return at least one address record (e.g., A or

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-25 Thread Matthew Pounsett
On 25-Jan-2009, at 13:15 , Al Stu wrote: Yes, blah was supposed to be srv1. I do receive both the CNAME and A records for the A mx.xyz.com query. See attached capture file. In the capture file three global search and replacements were performed to match the previous example. 1)

Re: Forcing a secondary update...

2009-01-26 Thread Matthew Pounsett
On 26-Jan-2009, at 17:50, Jeff Justice wrote: Without getting into how I managed to accomplish this, I have wound up with a secondary DNS that has incorrect information in it but the serial numbers are the same as on the master. So, my question is: how can I get the secondary to sync up?

Re: my DNS not resolving

2009-01-29 Thread Matthew Pounsett
On 29-Jan-2009, at 13:49, S. Jeff Cold wrote: BIND List, I have a server running OpenSuse 11.1 with BIND 9.5.0P2-18.1. This server has a dedicated IP address from my ISP. I want this server to resolve my registered domain jatec.us. The server has internet connectivity. If I dig

Re: single-character host names

2009-02-25 Thread Matthew Pounsett
On 25-Feb-2009, at 16:46, Mike Bernhardt wrote: So what is the accepted view on this currently? Is there another RFC that has made it OK now? I'm not going to say this definitively, because I'm not certain, but I think 952 may have been updated by a later RFC. Certainly there are

Re: TSIG verify failure

2009-02-28 Thread Matthew Pounsett
On 28-Feb-2009, at 04:11, Jeremie Le Hen wrote: AXFR fails invariably with the following error: tsig verify failure. Do, by chance, TSIG packets use IP address during encryption? I've been struggling to understand the problem for maybe 8 hours, but I'm clueless now... Any help would be

Re: named-xfer?

2009-04-02 Thread Matthew Pounsett
On 02-Apr-2009, at 18:33, Michelle Konzack wrote: Hello, I have to fetch some zones from http://www.zonedit.com/ but it seems named-xfer no longer exists in bind9. How can I now manually download a zone? dig IN AXFR zone @server file

Re: Delegation of DHCP blocks within same server?

2009-05-20 Thread Matthew Pounsett
On 20-May-2009, at 19:03, John Cole wrote: For a concrete example: 10.0.0.0/16 is presently handled by a single zone file. 10.1.3.0/24 is DHCP issued 10.1.4.0/24 is DHCP issued I haven't tested this... but I'm 99% certain that you can simply

Re: proving a server doesn't have a zone

2009-06-01 Thread Matthew Pounsett
On 01-Jun-2009, at 15:42, Todd Snyder wrote: I'm sure I'm just having a dumb moment, and that the return codes from dig can give me what I need, but I can't figure it out. Indeed, dig can help you here. Send the server a non-recursive query

Re: Dynamic DNS and Slave Servers

2009-06-18 Thread Matthew Pounsett
On 18-Jun-2009, at 14:25, Gregory Hicks wrote: Kevin: I'll bite! What is the difference between a sub*domain* and a sub*zone*? I don't see how you could have the one w/o the other. But that could be because I'm feeling especially slow today.

Re: Glue record misunderstanding

2009-10-01 Thread Matthew Pounsett
On 01-Oct-2009, at 16:03, Scott Haneda wrote: Is it also correct, I only need a NS glue record for the actual NS itself. There does not need to be a glue record for every zone that I am providing DNS for? The only case where glue *must* be

Re: Glue record misunderstanding

2009-10-01 Thread Matthew Pounsett
On 01-Oct-2009, at 19:03, Scott Haneda wrote: So I see my NS is listed in the additional section. This to me tells me there is in fact glue, so I should consider the report at http://intodns.com/hostwizard.com to be inaccurate? Yeah, I just

Re: Nslookup not showing TTL

2009-10-15 Thread Matthew Pounsett
On 15-Oct-2009, at 16:03, John Horne wrote: On Thu, 2009-10-15 at 13:15 -0400, Kevin Darcy wrote: Removing features from nslookup gets us that much closer to KILLING and BURYING it. Forever. So why does the ISC still distribute it? (Although I guess the answer may simply be because

Re: isc.org has signed delegation

2009-10-22 Thread Matthew Pounsett
On 22-Oct-2009, at 01:16, Loren M. Lang wrote: I just noticed that isc.org has a signed delegation from the .org name servers. I am curious what registrar you went through to get this. .org is doing a limited production release of DNSSEC right now, referred to as Friends Family. There

Re: BIND9 slave

2009-12-07 Thread Matthew Pounsett
On 07-Dec-2009, at 08:37, George wrote: Is there a way to make the slave server automatically get and update any new domains that are added to the master server? This question pops up about once every two months on the list. There are several other discussions on the subject that you

Re: Is an IPv6-only glue/delegation record a problem in a world of IPv4?

2010-01-11 Thread Matthew Pounsett
On 2010/01/11, at 12:57, Rick Dicaire wrote: If I understand this correctly, the lack of an ANSWER section for query would denote there is no ipv6 glue at the TLD? No, that would indicate that the name server you queried is not authoritative for the record you queried about. Glue, by

Re: Is an IPv6-only glue/delegation record a problem in a world of IPv4?

2010-01-11 Thread Matthew Pounsett
On 2010/01/11, at 12:29, Mathew J. Newton wrote: Specifically, the Dig tool at http://www.kloth.net/services/dig.php seems unable to resolve my records and I can't help but feel it's a problem at my end rather than theirs! The problem may be at Kloth.. but at least one of the many possible

Re: Is an IPv6-only glue/delegation record a problem in a world of IPv4?

2010-01-11 Thread Matthew Pounsett
On 2010/01/11, at 14:48, Mathew J. Newton wrote: FWIW, at least one of the afilias hosts had the same IPv4 address for ns[12].v6ns.org. ns1.v6ns.org. 86400 IN A 77.103.161.36 ns1.v6ns.org. 86400 IN 2a01:348:133::a1 ns2.v6ns.org.

Re: Is an IPv6-only glue/delegation record a problem in a world of IPv4?

2010-01-11 Thread Matthew Pounsett
On 2010/01/11, at 15:16, Matthew Pounsett wrote: By contrast, Verisign's servers have long included glue in the ANSWER section. This is widely considered to be at best suboptimal, and by many (or most) to be a bug. Verisign has indicated that this behaviour is coming to an end, although

Re: Notify storms

2010-01-20 Thread Matthew Pounsett
On 2010/01/20, at 13:03, Dave Sparro wrote: We would like to make this better. Can anyone help with ideas on this? Are we missing something obvious? In that situation I'd consider using CVS on all of the servers to maintain the DNS data. Just make all of the servers masters, and

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-29 Thread Matthew Pounsett
On 2010/03/28, at 18:48, Roy Badami wrote: configured). The queries are resulting in SERVFAIL, and I'm pretty sure the failures are DNSSEC-related, as when I've seen problems as they occur (dig failing from the command line) then repeating the query with the CD bit allowed it to succeed.

Re: MX records for new additional domain on existing authoritative name servers

2010-03-30 Thread Matthew Pounsett
Hi Karen. Please don't start a new thread by replying to an email in an existing discussion -- your message can get lost in that other discussion, rather than appearing as a new topic for anyone who threads their email. On 2010/03/30, at 16:30, Lear, Karen (Evolver) wrote: I'm adding a new

Re: Using an MX record from a different domain

2010-03-30 Thread Matthew Pounsett
On 2010/03/30, at 16:57, Lear, Karen (Evolver) wrote: I'm adding a new domain to my existing authoritative name servers, and need to add an MX record for a device residing on existing domain. When I run named-checkzone, I get a message about the MX record being out of zone and not

Re: Subdomain delegation only returns SOA on dig

2010-03-30 Thread Matthew Pounsett
On 2010/03/29, at 15:34, Prabhat Rana wrote: Hello all, I'm running BIND 9.6.1-P1 on a Solaris box. This DNS (ns1.spx.net) is authoritative to domain spx.net (this is just example). And I'm trying to delegate nse.spx.net to ns1.nse.spx.net. I think I have configured correctly but when

Re: how to read and answer to this mailing list

2010-03-30 Thread Matthew Pounsett
On 2010/03/30, at 19:04, Markus Feldmann wrote: Warren Kumari schrieb: In the footer of every message lurks the following link: https://lists.isc.org/mailman/listinfo/bind-users Yes ... I read this but you can not answer a mail this way. You can answer an email this way. I'm not sure if

Re: how to read and answer to this mailing list

2010-04-01 Thread Matthew Pounsett
On 2010/03/31, at 04:08, Markus Feldmann wrote: Matthew Pounsett schrieb: On 2010/03/30, at 19:04, Markus Feldmann wrote: Warren Kumari schrieb: In the footer of every message lurks the following link: https://lists.isc.org/mailman/listinfo/bind-users Yes ... I read this but you can

IXFR size limit?

2011-02-14 Thread Matthew Pounsett
Is there, by any chance, a maximum size to the IXFRs BIND will send? I've noticed an upstream server I slave from is being suspiciously consistent in the number of records it sends per IXFR (86,450 plus or minus ~10 records). The upstream server is part of an appliance, but fingerprints as

Re: IXFR size limit?

2011-02-14 Thread Matthew Pounsett
On 2011/02/14, at 10:47, Matthew Pounsett wrote: Is there, by any chance, a maximum size to the IXFRs BIND will send? I've noticed an upstream server I slave from is being suspiciously consistent in the number of records it sends per IXFR (86,450 plus or minus ~10 records). The upstream

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-19 Thread Matthew Pounsett
While it's possible you have encountered a bug with BIND, it's generally a bad idea to mix recursive and authoritative service in the same process. The RFCs that define the resolution algorithms were never written with mixed service in mind, and there are conflicts that can result in

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-19 Thread Matthew Pounsett
On 2011-05-20, at 00:35, Carlos Vicente wrote: That's news to me. What's the failure mode? Does the server return SERVFAIL, or does it not set the AD flag, or...? It's another undefined condition in the RFCs, and so the outcome is implementation specific. I believe in the case of BIND the

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-20 Thread Matthew Pounsett
On 2011-05-19, at 21:58, Michael Sinatra wrote: If you're saying that you shouldn't *offer* recursive and authoritative services on the same box, then I generally agree. If you're saying that you shouldn't ever prime your cache with a zone, or have a recursive server be a slave to

Re: big improvement in BIND9 auth-server startup time

2011-07-15 Thread Matthew Pounsett
On 2011/07/13, at 11:15, Evan Hunt wrote: People who operate big authoritative name servers (particularly with large numbers of small zones, e.g., for domain hosting and parking), and have had trouble with slow startup, may find this information useful:

OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
I upgraded my OpenSSL and BIND ports on one of my machines yesterday afternoon, and ended up with BIND being unable to start due to some problem with OpenSSL. Unfortunately, it's not giving me any real information to go on about what the problem is. openssl version WARNING: can't open

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 15:04, Michael Sinatra wrote: What makes me doubt what I just said is that this has been an issue for more than a year now, so I am not sure why you have escaped it for so long. I assume you had openssl 1.0.x installed before you upgraded it--or was it an earlier

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 17:46, Doug Barton wrote: On 07/08/2012 13:40, Matthew Pounsett wrote: Yeah, I have to wonder if there's something that can be done in ports to prevent this from being an issue. You need to ask the nice openssl people to turn gost into a library instead of an engine

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 20:26, Mark Andrews wrote: One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows. Unfortunately the port doesn't provide the config hooks to disable GOST support.

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 20:29, Matthew Pounsett wrote: On 2012/07/08, at 20:26, Mark Andrews wrote: One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows. Unfortunately the port doesn't provide the config hooks to disable

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Matthew Pounsett
On 2012/07/08, at 20:40, Doug Barton wrote: On 07/08/2012 17:33, Matthew Pounsett wrote: On 2012/07/08, at 20:29, Matthew Pounsett wrote: On 2012/07/08, at 20:26, Mark Andrews wrote: One can also build named w/o GOST support if one wants. We statically link all the engines when

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-09 Thread Matthew Pounsett
On 2012/07/08, at 22:25, Barry Margolin wrote: In article mailman.Okay. So to answer my earlier question, what file were you talking about copying into the chroot environment for BIND? The shared library. When you link dynamically, all the libraries have to be in $chroot/usr/lib.

dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-04 Thread Matthew Pounsett
I'm trying to debug an IXFR problem with a client, and using dig in its place to compare IXFR requests between it and the misbehaving client. I noticed that when I do an IXFR with dig it defaults to TCP rather than UDP. I tried forcing it over with +notcp but I still get a TCP query. From

Re: dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-04 Thread Matthew Pounsett
On 2013-12-04, at 21:22 , Mark Andrews ma...@isc.org wrote: The options are processed left to right so the +notcp has to be after the ixfr=serial. There are two reasons I don't understand why this is the case. 1) Since there is only one query in the command, I don't understand why left to

Re: dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-06 Thread Matthew Pounsett
On 2013-12-06, at 12:11 , Chris Thompson c...@cam.ac.uk wrote: The sense in which BIND forces use of TCP is that when it gets an IXFR request over UDP, it always just replies with the current SOA. It doesn't bother to work out whether an incremental transfer is possible and if so whether

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On 25 April 2016 at 13:53, wrote: > > > I suspect that there's something wrong with what is/isn't copied, and > maybe when, in that chroot build/destroy script. > It's not clear to me why one would want to destroy/rebuild the chroot every time you restart the process.

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On Sunday, 24 April 2016, wrote: > > This zone would not pass named-checkzone, which interestingly, is the > same code which named itself uses when initially loading a zone. > > It appears to > > named-checkzone -t /var/chroot/named example.com >

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On 25 April 2016 at 13:44, <jaso...@mail-central.com> wrote: > > > On Mon, Apr 25, 2016, at 10:19 AM, Matthew Pounsett wrote: > > > TBH I don't understand WHAT to 'expect' from dig to test/verify this^. > > > What do I dig to get an answer with "

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-25 Thread Matthew Pounsett
On Monday, 25 April 2016, <jaso...@mail-central.com> wrote: > > > On Mon, Apr 25, 2016, at 10:58 AM, Matthew Pounsett wrote: > > It's not clear to me why one would want to destroy/rebuild the chroot > every > > time you restart the process. > > Well, here >

Re: Compiling BIND9 on CentOS 7

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 08:34, Sean Son wrote: > Thank you for your response. Basically what I am trying to do is migrate > the BIND server from a Centos 5.11 machine to a CentOS 7.2 machine. The > BIND on CentOS 5.11 was compiled manually by source and its

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 03:07, Tony Finch <d...@dotat.at> wrote: > Matthew Pounsett <m...@conundrum.com> wrote: > > > > Privsep doesn't actually fix the same problem chroot does. As I > > understand it, privsep reduces the attack surface for remote execution

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 07:42, Baird, Josh wrote: > Any thoughts on a service like Cloudfare's 'CNAME Flattening' [1]? > > [1] > https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/ It's possible. We do a similar thing at eNom... we

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 07:40, Stephane Bortzmeyer <bortzme...@nic.fr> wrote: > On Wed, Apr 27, 2016 at 07:32:48AM -0700, > Matthew Pounsett <m...@conundrum.com> wrote > a message of 49 lines which said: > > > One of these days I'd like to lead a serious lobbying

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-04-26 Thread Matthew Pounsett
On 25 April 2016 at 11:44, wrote: > > > > I completely gave up on chroot'd ntpd because of the endless weirdness. > Finally just moved to openntpd as (1) it had safe privsep, (2) no chroot > req'd, and (3) did the job I need. > Privsep doesn't actually fix the same

Re: Forward zone not working

2016-05-17 Thread Matthew Pounsett
On 17 May 2016 at 09:29, Woodworth, John R wrote: > > > > > >Ideally every machine should be registering its own PTR record in the > > > >DNS and addresses without machines shouldn't have PTR records. > > > >The only reason ISP did this is that they were too lazy

Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Matthew Pounsett
On 16 May 2016 at 19:03, Josh Nielsen wrote: > Thank you for the response Mark. I'm still a little confused at what this > might mean though. Clearly the originating address is my slave DNS server > (every single one of the messages say "error: client 10.20.0.101"). > >

Re: Shared libraries loaded after chroot

2016-05-16 Thread Matthew Pounsett
On 16 May 2016 at 04:38, Marc Haber wrote: > I have filed Debian Bug #820974 (http://bugs.debian.org/820974) > accordingly. The Debian bind people suggest that I copy the respective > libraries to the chroot so that bind can find them. > Yeah, this has been the fix

Re: 'successful' nsupdate of remote server not persistent across nameserver restart?

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 10:05, wrote: > General question -- > > When I want to change a zone file's data manually, say to add an A record, > what's the right procedure: > > If the zone is set up for dynamic updates, like the examples you've given, then in order to touch the

Re: also-notify and nsupdate doesn't work

2016-05-01 Thread Matthew Pounsett
On 1 May 2016 at 23:57, wrote: > hi, > I have a setup with one normal and some hidden slaves. > I set up a zone with also-notify and all worked fine. > all slaves got notifies and updates. > now I added a key and policy to remote update the zone. > the updates with nsupdate works

Re: Forward record for WWW

2016-05-05 Thread Matthew Pounsett
On 5 May 2016 at 11:55, Stephane Bortzmeyer wrote: > On Thu, May 05, 2016 at 03:42:24PM +, > Cuttler, Brian R. (HEALTH) wrote > a message of 29 lines which said: > > > External record in the zone file is actually > > wadsworth.org. 300 IN A

Re: Nsupdate usage scenario

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 16:38, wrote: > > > On Mon, May 2, 2016, at 12:15 PM, Jeremy C. Reed wrote: > > What about using a specific zone file just for the purpose of the single > > A record you want to maintain using dynamic updates? > > Well, this is a timely idea for another

Re: also-notify and nsupdate doesn't work

2016-05-02 Thread Matthew Pounsett
On 2 May 2016 at 10:09, wrote: > hi, > > What you're describing sounds wrong. It shouldn't work that way. >> > what do you mean by "wrong" and which "it" should not work? :-) > > What I mean is, given a typical configuration, the brokenness you're observing shouldn't be broken.

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett
On 27 April 2016 at 07:26, Stephane Bortzmeyer wrote: > On Wed, Apr 27, 2016 at 05:05:50PM +0300, > Daniel Dawalibi wrote > a message of 52 lines which said: > > > our setup requires a CNAME record. > > Bad setup. (And has always been bad.) > >

Re: Delegation questions

2016-08-11 Thread Matthew Pounsett
On 11 August 2016 at 09:13, Bob McDonald wrote: > I have a child domain that is delegated to a second site. Pretty > straightforward situation. In the parent zone I have NS records that point > to the DNS servers at the second site. > > The issue comes up when a slaved

Re: Delegation questions

2016-08-11 Thread Matthew Pounsett
On 11 August 2016 at 10:14, Bob McDonald wrote: > > Currently, clients sending queries for domain child.example.com. to > server A get good results. > However, clients sending queries for domain child.example.com. to server > C get SERVFAIL because server C has no access

Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Matthew Pounsett
On 2 August 2016 at 12:25, Spumonti Spumonti wrote: > (I've done several searches for this first but the general nature of some > of these terms returned way too many non-relevant responses) > > I was recently told that named does not use resolv.conf when resolving > names.

Re: Loading all zone files in a directory

2016-07-23 Thread Matthew Pounsett
On 23 July 2016 at 15:25, Danilo wrote: > Is there a way to get Bind to automatically include config files in a > directory? If not, might it make sense to place a feature request for > this with the Bind developers? If yes, what would the process be for > such a request? Or is

Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Matthew Pounsett
On 2 August 2016 at 17:01, Ray Bellis <r...@isc.org> wrote: > On 02/08/2016 19:47, Matthew Pounsett wrote: > > > In the authoritative configuration, BIND has no need to do DNS lookups > > of its own, so it wouldn't be any use there. > > That's not strictly true - B

Re: named and use of resolv.conf? - how to "learn" this

2016-08-03 Thread Matthew Pounsett
On 2 August 2016 at 19:50, Evan Hunt <e...@isc.org> wrote: > On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote: > > Yes it will. But, as far as I understand, it uses the recursive code > paths > > to do that, and won't consult resolv.conf. Yes? >

Re: Enforce EDNS

2017-02-07 Thread Matthew Pounsett
On 6 February 2017 at 19:59, Mark Andrews wrote: > > Unfortunately we then need to decide what to do with servers that > don't answer EDNS + DNS COOKIE queries. Currently we fall back to > plain DNS which works except when there is a signed zone involved > and the server is

Re: Graphing BIND 9.11/9.10 Queries

2017-01-19 Thread Matthew Pounsett
On 19 January 2017 at 10:16, Phil Mayers wrote: > On 19/01/17 15:12, John W. Blue wrote: > >> Daniel, >> >> Thanks for sharing. I like the HTTP statistics channel but trying slice >> up the XML has been challenging. Going to be checking this combo out. >> > > We moved

Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Matthew Pounsett
On 29 September 2016 at 12:02, Tim Daneliuk wrote: > In the dark and dusty reaches of my elderly DNS experience, ISTR a way to > set up A records so that the request to resolve a name returns a *list > of associated IPs*. This is distinct from DNS RR (I think?) which >

Re: dig +trace = Bad Referral or Bad Horizontal referral

2016-09-20 Thread Matthew Pounsett
g to have to share details of your configuration. > > On Tue, Sep 20, 2016 at 8:58 AM, Matthew Pounsett <m...@conundrum.com> > wrote: > >> >> >> On 16 September 2016 at 11:12, project722 <project...@gmail.com> wrote: >> >>> I have an interest

Re: dig +trace = Bad Referral or Bad Horizontal referral

2016-09-20 Thread Matthew Pounsett
On 16 September 2016 at 11:12, project722 wrote: > I have an interesting problem. I started noticing that when I do a dig > +trace against one of the domains we are authoritative for, we get errors > from our nameservers for "Bad Referral" and you can see where it forwarded

Re: Question about dynamic IPv6-PTR-Generation

2016-08-26 Thread Matthew Pounsett
On 26 August 2016 at 13:45, Matus UHLAR - fantomas wrote: > On 26.08.16 07:34, Tom Tom wrote: > >> I'm searching a way to respond to IPv6-PTR-Queries like the >> "$GENERATE"-mechanism for IPv4 has done it. >> > > why? configuring single IP addresses or taking them from DHCP is

Re: Question about dynamic IPv6-PTR-Generation

2016-08-26 Thread Matthew Pounsett
On 26 August 2016 at 15:41, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: > >>> On 26.08.16 14:01, Matthew Pounsett wrote: > >> That's not necessarily true for IPv6, where even a modest network could >> have trillions of addresses that may need PTR records

Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Matthew Pounsett
On 29 September 2016 at 15:07, Tim Daneliuk wrote: > > > No, not really. It's for a private cloud microservices system we're > thinking through. We already run most/many of the various service > backends in user space so that the app devs and support folks can control >

Re: semicolons in dig output

2016-11-09 Thread Matthew Pounsett
On Fri, Nov 4, 2016 at 13:51 Robert Edmonds <edmo...@mycre.ws> wrote: > Matthew Pounsett wrote: > > Was this actually a change between BIND 9.8 and 9.9? Was it deliberate, > or > > an accident that might be reversed at some point? > > It's this change: >

Re: acl

2016-10-18 Thread Matthew Pounsett
On 8 October 2016 at 09:57, Pol Hallen wrote: > 192.168.1/24 is not a valid netmask >> > > huh? > In linux and BSD I always use 192.168.1/24 (how shortcut of 192.168.1.0/24) > and so on... You're confusing network configuration with ACL syntax. Where you're using

Re: Wildcard SRV record?

2016-10-31 Thread Matthew Pounsett
On 31 October 2016 at 12:35, Stephen Pape wrote: > Is there a better way for me to do this, or do I have to generate a > whole lot of specific CNAME records? > If your subdomains follow a predictable pattern, then this seems like a prime use of the $GENERATE statement. You

Re: BIND transferring zones with incorrect view

2016-12-21 Thread Matthew Pounsett
On 20 December 2016 at 16:45, Asai wrote: > Greetings, > > Quick question. Using BIND 9.9.4. I have 2 zones. One for LAN traffic, > and one for WAN traffic. My secondary server is transferring the wrong > zones, so that my WAN zone has all the A records for my LAN

Re: BIND transferring zones with incorrect view

2016-12-22 Thread Matthew Pounsett
et.site" { > type slave; > masters { > 10.233.0.198; > }; > file "/var/named/slaves/intranet.site.LAN.hosts"; > }; > } > > > > On Dec 21, 2016, at 10:59 AM, Asai <a...@globalchangemusic.org> wrote: > > Yes, thank you. I think Mark’s l

Re: Can bind works without defining root servers

2017-08-15 Thread Matthew Pounsett
On 15 August 2017 at 11:29, King, Harold Clyde (Hal) wrote: > How does Bind update the root servers? Does it go out and check, or is a > release made for each change? > Yes. :) BIND has a compiled-in root hints list that is kept up to date at each release, which can be overridden

Re: Strange recursor response time pattern

2017-09-05 Thread Matthew Pounsett
On 5 September 2017 at 11:56, Havard Eidnes wrote: > Hmm... > > some further local discussion has made me aware that us running > "collectd" for monitoring BIND may be contributing to the > problem; collectd fetches data each 10s by using the BIND- > configured

Re: botched KSK rollover

2017-08-21 Thread Matthew Pounsett
On 21 August 2017 at 07:18, Phil Mayers wrote: > > Gandi are another excellent registrar that I can recommend. They have a > comprehensive API for all their features, including uploading DNSSEC public > keys and consequent creation of the DS record. > > I'm hoping CDS

Re: Query for newly added/modified data in zone fails at random

2017-10-12 Thread Matthew Pounsett
On 12 October 2017 at 11:03, Nikkilä, Tommi wrote: > Hi! > > > > My BIND (version 9.9.4-RedHat-9.9.4-51.el7) is displaying some odd > behavior. When updating a zone, BIND randomly refuses to return the newly > added and/or modified data for client. In my named.conf I have

Re: Email & PTR Issues

2017-11-07 Thread Matthew Pounsett
On 7 November 2017 at 10:31, James Pifer wrote: > Hello. I'm looking for help with an issue I've been fighting for some time. > > Background: > Running BIND 9.9. > Forwarding UDP & TCP Port 53 through firewall. > > I have issues emailing to certain domains. I use my own

Re: Proper use of keyid in allow-transfer

2017-12-07 Thread Matthew Pounsett
On 7 December 2017 at 07:41, MURTARI, JOHN wrote: > > > The slave server defines the same key and is located at > 192.168.1.1. When we use the above on the master, transfers for any zone > work fine. If we remove the IP address and try a transfer we get >

Re: [Question] zone transfer issue with multiple views

2017-12-08 Thread Matthew Pounsett
On 8 December 2017 at 17:37, Eoin Kim wrote: > Hi, > > > Thanks for your help. But is it possible to do it without additional IP > address? I thought that I am not really bad with BIND but as soon as I > started using views, I'm going nowhere [image: ] > > > In order for

Re: BIND source distribution missing?

2018-05-04 Thread Matthew Pounsett
On 4 May 2018 at 12:23, Evan Hunt wrote: > On Fri, May 04, 2018 at 04:19:43PM +, Evan Hunt wrote: > > You're right, something's broken. I see it too, and not just on chrome. > > I'll escalate. Thanks for bringing this to our attention. > > It's fixed now. > > Thanks Evan!

Re: Release Strategy Clarification

2018-04-28 Thread Matthew Pounsett
On 26 April 2018 at 13:42, Victoria Risk wrote: > > > You have correctly interpreted the chart in the blog post, but you don’t > have to update in January, just when there is a bug you need a fix for. If > that bug is a security bug, the red block means, we will issue a security

BIND source distribution missing?

2018-05-04 Thread Matthew Pounsett
Hi ISC! I'm writing to let you know there seems to be a bug on the ISC web site. Coming from MacOS Chrome, I'm only being offered the binary Windows distribution of BIND for download from and from . Browser-detection bug

Re: BIND source distribution missing?

2018-05-04 Thread Matthew Pounsett
On 4 May 2018 at 08:18, Anand Buddhdev wrote: > > Also, needs an update to its 'welcome' file, because > > BIND doesn't seem to be distributed from there anymore. > > I can see all the BIND downloads at: > > ftp://ftp.isc.org/isc/bind9/ > > Ah yes, there they

Re: Can we define masters as hostsname?

2018-05-23 Thread Matthew Pounsett
On 23 May 2018 at 07:37, Blason R wrote: > Hi Guys, > > Can we define masters as hostname instead of IP address? I guess its not > possible but wondering if community can shed come light on this? > > The short answer.. no, you can't do that. The definition for the slave zone

Re: Intermittent "failure trying master... operation canceled" on zone refresh

2018-05-18 Thread Matthew Pounsett
On 17 May 2018 at 17:05, Rob Moser wrote: > We're running a series of RHEL 7.4 machines (kernel version > 3.10.0-693.1.1.el7.x86_64) running bind version 9.9.4-RedHat-9.9.4-51.el7. > Our configuration consists of a hidden master and three hidden > slave/recursive resolvers.

Re: also-notify and allow-notify

2018-05-17 Thread Matthew Pounsett
On 17 May 2018 at 13:30, Blason R wrote: > Hi, > > I have RPZ installed on server and its acting as a master server but > somehow port setting is not working on master > > [...] > > So here I am sending notification to 192.168.5.49 on port 4545; my > queries are > > How do

Re: BIND rejecting key to update a zone

2018-06-10 Thread Matthew Pounsett
On 8 June 2018 at 11:01, Mark E. Jeftovic wrote: > I've started a fresh install here and started over and still having the > same issue, even when I crank the debug trace up to 5, I'm not seeing > anything additional in the logs: > > Another long shot... any chance there is an overlapping ACL in

Re: inline-signing: SOA serial out of sync

2018-06-07 Thread Matthew Pounsett
On 7 June 2018 at 07:36, Axel Rau wrote: > Hi all, > > occasionally named 9.11.3 fails to increment SOA serial like here: > > file: 2018060605 dns: 2018060604 > > zone file was edited by script and a rndc reload given. > [...] > Manual fixing requires another cycle with zone file

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Matthew Pounsett
On 14 June 2018 at 06:27, Axel Rau wrote: > > Am 07.06.2018 um 13:36 schrieb Axel Rau : > > > occasionally named 9.11.3 fails to increment SOA serial like here: > > file: 2018060605 dns: 2018060604 > > > It just happened again. An included zone file has been changed from 2 TLSA > RRs to one: > -

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Matthew Pounsett
On 14 June 2018 at 10:16, Axel Rau wrote: > > Am 14.06.2018 um 16:12 schrieb Alan Clegg : > > Additionally, I read this as "the records changed are in an included > file" -- is the serial number in the "including" zone being incremented? > > Yes. > > I think at this point you're going to need to
