semicolons in dig output

2016-11-04 Thread Matthew Pounsett
I had a question from one of our developers today about semicolons in TXT records. It seems he and someone he's working with were getting different output from dig when querying for TXT records that contained semi-colons. One person saw them escaped, the other didn't. It caused some confusion b

Re: semicolons in dig output

2016-11-09 Thread Matthew Pounsett
On Fri, Nov 4, 2016 at 13:51 Robert Edmonds wrote: > Matthew Pounsett wrote: > > Was this actually a change between BIND 9.8 and 9.9? Was it deliberate, > or > > an accident that might be reversed at some point? > > It's this change: > > 3953. [bug]

Re: BIND transferring zones with incorrect view

2016-12-21 Thread Matthew Pounsett
On 20 December 2016 at 16:45, Asai wrote: > Greetings, > > Quick question. Using BIND 9.9.4. I have 2 zones. One for LAN traffic, > and one for WAN traffic. My secondary server is transferring the wrong > zones, so that my WAN zone has all the A records for my LAN zone. > > Any insights on th

Re: BIND transferring zones with incorrect view

2016-12-22 Thread Matthew Pounsett
68.0.0/16; ! > 10.233.0.0/24; }; > > include "/etc/rndc.key"; > controls { > inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; > }; > > view "LAN” { > > match-clients { lan_hosts; }; > > zone “intranet.site" { > typ

Re: Graphing BIND 9.11/9.10 Queries

2017-01-19 Thread Matthew Pounsett
On 19 January 2017 at 10:16, Phil Mayers wrote: > On 19/01/17 15:12, John W. Blue wrote: > >> Daniel, >> >> Thanks for sharing. I like the HTTP statistics channel but trying slice >> up the XML has been challenging. Going to be checking this combo out. >> > > We moved to the JSON stats recently

Re: Enforce EDNS

2017-02-07 Thread Matthew Pounsett
On 6 February 2017 at 19:59, Mark Andrews wrote: > > Unfortunately we then need to decide what to do with servers that > don't answer EDNS + DNS COOKIE queries. Currently we fall back to > plain DNS which works except when there is a signed zone involved > and the server is validating. > > I rea

Re: Can bind works without defining root servers

2017-08-15 Thread Matthew Pounsett
On 15 August 2017 at 11:29, King, Harold Clyde (Hal) wrote: > How does Bind update the root servers? Does it go out and check, or is a > release made for each change? > Yes. :) BIND has a compiled-in root hints list that is kept up to date at each release, which can be overridden with a zone of

Re: botched KSK rollover

2017-08-21 Thread Matthew Pounsett
On 21 August 2017 at 07:18, Phil Mayers wrote: > > Gandi are another excellent registrar that I can recommend. They have a > comprehensive API for all their features, including uploading DNSSEC public > keys and consequent creation of the DS record. > > I'm hoping CDS eventually makes this all ob

Re: Strange recursor response time pattern

2017-09-05 Thread Matthew Pounsett
On 5 September 2017 at 11:56, Havard Eidnes wrote: > Hmm... > > some further local discussion has made me aware that us running > "collectd" for monitoring BIND may be contributing to the > problem; collectd fetches data each 10s by using the BIND- > configured statistics-channel, thus BIND is pr

Re: Query for newly added/modified data in zone fails at random

2017-10-12 Thread Matthew Pounsett
On 12 October 2017 at 11:03, Nikkilä, Tommi wrote: > Hi! > > > > My BIND (version 9.9.4-RedHat-9.9.4-51.el7) is displaying some odd > behavior. When updating a zone, BIND randomly refuses to return the newly > added and/or modified data for client. In my named.conf I have dozens of > views, main

Re: Email & PTR Issues

2017-11-07 Thread Matthew Pounsett
On 7 November 2017 at 10:31, James Pifer wrote: > Hello. I'm looking for help with an issue I've been fighting for some time. > > Background: > Running BIND 9.9. > Forwarding UDP & TCP Port 53 through firewall. > > I have issues emailing to certain domains. I use my own mail server to > deliver m

Re: Proper use of keyid in allow-transfer

2017-12-07 Thread Matthew Pounsett
On 7 December 2017 at 07:41, MURTARI, JOHN wrote: > > > The slave server defines the same key and is located at > 192.168.1.1. When we use the above on the master, transfers for any zone > work fine. If we remove the IP address and try a transfer we get > ‘denied’. What are we

Re: [Question] zone transfer issue with multiple views

2017-12-08 Thread Matthew Pounsett
On 8 December 2017 at 17:37, Eoin Kim wrote: > Hi, > > > Thanks for your help. But is it possible to do it without additional IP > address? I thought that I am not really bad with BIND but as soon as I > started using views, I'm going nowhere 😊 > > > In order for the slave's View A to tr

Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-01-27 Thread Matthew Pounsett
On 26 January 2018 at 16:23, NNEX Support wrote: > I'm sure I'm doing something wrong, but for the life of me I can't figure > out what. I'm running named 9.12 in a simple recursive setup (built from > source on CentOS 7). > > [...] > When I try to run "dig txt rs.dns-oarc.net" I get SERVFAIL.

Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-01-27 Thread Matthew Pounsett
On 27 January 2018 at 16:24, NNEX Support wrote: > Good thought but no luck, it doesn’t matter how many times I run “dig txt > rs.dns-oarc.net” or how long I wait it continues to SERVFAIL until I run > "dig txt rs.dns-oarc.net +trace" Interestingly I've found that running > "dig txt dns-oarc.net

Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-01-27 Thread Matthew Pounsett
On 27 January 2018 at 19:11, Matthew Pounsett wrote: > The only thing I can think of that has changed in that time, which has > ever caused me query issues, is the addition of DNS cookies in the default > query. Some broken authoritative servers will incorrectly respond with >

Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-10 Thread Matthew Pounsett
On 10 March 2018 at 04:08, Matus UHLAR - fantomas wrote: > Cathy Almond wrote: >> >>> The rs.dns-oarc.net zone is broken because it returns a CNAME for >>> queries at the apex. >>> >> > On 09.03.18 15:23, Tony Finch wrote: > >> I just got a problem report from a user who has a few personal domai

Re: clean up an ddns zone

2018-03-23 Thread Matthew Pounsett
On 23 March 2018 at 13:32, Meike Stone via bind-users < bind-users@lists.isc.org> wrote: > Hello, > > at the moment, I use ISC dhcpd to register all client names in the DNS > (Bind) via isc's ddns api. Every thing is working well. > But now, some notebook clients should get company access via UMTS

Re: RRSIG query

2018-04-10 Thread Matthew Pounsett
On 10 April 2018 at 12:05, rams wrote: > Hi > Greetings!! > We have 1Million signed zone records in bind. My zone is going to > auto-resign after 3 days. If we change RRSIG expire date to greater than > two months from now then if restart bind, Can we avoid auto-resign in this > week? is ther

Release Strategy Clarification

2018-04-26 Thread Matthew Pounsett
This is a question for ISC about the new BIND release plan which I thought might be a useful clarification for others as well. I didn't notice this when the new plan was first presented in March, but the key text in the legend of the Example Release Plan[0] for the red blocks is "a release that is

Re: Release Strategy Clarification

2018-04-28 Thread Matthew Pounsett
On 26 April 2018 at 13:42, Victoria Risk wrote: > > > You have correctly interpreted the chart in the blog post, but you don’t > have to update in January, just when there is a bug you need a fix for. If > that bug is a security bug, the red block means, we will issue a security > patch even tho

BIND source distribution missing?

2018-05-04 Thread Matthew Pounsett
Hi ISC! I'm writing to let you know there seems to be a bug on the ISC web site. Coming from MacOS Chrome, I'm only being offered the binary Windows distribution of BIND for download from and from . Browser-detection bug aside.

Re: BIND source distribution missing?

2018-05-04 Thread Matthew Pounsett
On 4 May 2018 at 08:18, Anand Buddhdev wrote: > > Also, needs an update to its 'welcome' file, because > > BIND doesn't seem to be distributed from there anymore. > > I can see all the BIND downloads at: > > ftp://ftp.isc.org/isc/bind9/ > > Ah yes, there they are! Thanks. I w

Re: BIND source distribution missing?

2018-05-04 Thread Matthew Pounsett
On 4 May 2018 at 12:23, Evan Hunt wrote: > On Fri, May 04, 2018 at 04:19:43PM +, Evan Hunt wrote: > > You're right, something's broken. I see it too, and not just on chrome. > > I'll escalate. Thanks for bringing this to our attention. > > It's fixed now. > > Thanks Evan! That looks a lot

Re: also-notify and allow-notify

2018-05-17 Thread Matthew Pounsett
On 17 May 2018 at 13:30, Blason R wrote: > Hi, > > I have RPZ installed on server and it's acting as a master server but > somehow port setting is not working on master > > [...] > > So here I am sending notification to 192.168.5.49 on port 4545; my > queries are > > How do I configure port on s

Re: Intermittent "failure trying master... operation canceled" on zone refresh

2018-05-18 Thread Matthew Pounsett
On 17 May 2018 at 17:05, Rob Moser wrote: > We're running a series of RHEL 7.4 machines (kernel version > 3.10.0-693.1.1.el7.x86_64) running bind version 9.9.4-RedHat-9.9.4-51.el7. > Our configuration consists of a hidden master and three hidden > slave/recursive resolvers. I'm getting a LOT of

Re: Can we define masters as hostsname?

2018-05-23 Thread Matthew Pounsett
On 23 May 2018 at 07:37, Blason R wrote: > Hi Guys, > > Can we define masters as hostname instead of IP address? I guess it's not > possible but wondering if community can shed some light on this? > > The short answer.. no, you can't do that. The definition for the slave zone statement's 'masters'

Re: inline-signing: SOA serial out of sync

2018-06-07 Thread Matthew Pounsett
On 7 June 2018 at 07:36, Axel Rau wrote: > Hi all, > > occasionally named 9.11.3 fails to increment SOA serial like here: > > file: 2018060605 dns: 2018060604 > > zone file was edited by script and a rndc reload given. > [...] > Manual fixing requires another cycle with zone file editing

Re: BIND rejecting key to update a zone

2018-06-10 Thread Matthew Pounsett
On 8 June 2018 at 11:01, Mark E. Jeftovic wrote: > I've started a fresh install here and started over and still having the > same issue, even when I crank the debug trace up to 5, I'm not seeing > anything additional in the logs: > > Another long shot... any chance there is an overlapping ACL in

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Matthew Pounsett
On 14 June 2018 at 06:27, Axel Rau wrote: > > Am 07.06.2018 um 13:36 schrieb Axel Rau : > > > occasionally named 9.11.3 fails to increment SOA serial like here: > > file: 2018060605 dns: 2018060604 > > > It just happened again. An included zone file has been changed from 2 TLSA > RRs to one: > -

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Matthew Pounsett
On 14 June 2018 at 10:16, Axel Rau wrote: > > Am 14.06.2018 um 16:12 schrieb Alan Clegg : > > Additionally, I read this as "the records changed are in an included > file" -- is the serial number in the "including" zone being incremented? > > Yes. > > I think at this point you're going to need to

Re: Operational Notification: Extremely large zone transfers can result in corrupted journal files or server process termination

2018-07-12 Thread Matthew Pounsett
On 9 July 2018 at 16:22, Klaus Darilion wrote: > What is an "extraordinarily large zone transfer"? We do have regularly > AXFR and IXFRs around 2GB. Is this "extraordinarily large"? > I've also been curious about this. Are we talking millions of records, tens or hundreds of millions, or billion

Re: Operational Notification: Extremely large zone transfers can result in corrupted journal files or server process termination

2018-07-13 Thread Matthew Pounsett
On 13 July 2018 at 06:04, Michał Kępień wrote: > Hopefully this will shed some light on the matter: > > https://gitlab.isc.org/isc-projects/bind9/issues/339#note_12805 > > That is helpful, thanks. That comment says the issue requires a journal entry of over 4G, however the original bug repor

Re: bind and certbot with dns-challenge

2019-03-18 Thread Matthew Pounsett
On Sun, 17 Mar 2019 at 13:34, Grant Taylor via bind-users < bind-users@lists.isc.org> wrote: > > > I mean, sure you can use it perfectly, only not good if hosting hundreds > > or thousands domains > > Why can't you use BIND to host hundreds or thousands of domains? > You definitely can. My perso

Re: Problem with zone delegation with private gTLD

2019-04-08 Thread Matthew Pounsett
On Mon, 8 Apr 2019 at 10:35, Xavier Humbert wrote: > > On 08/04/2019 13:05, Matus UHLAR - fantomas wrote: > > I believe there should be reserved gTLD for such usage. > > Is this not what the TLD /.invalid/ is supposed to be ? RFC2606 reserves test, example, invalid, and localhost, for "testing an

Re: Problem with zone delegation with private gTLD

2019-04-08 Thread Matthew Pounsett
On Mon, 8 Apr 2019 at 14:33, Matus UHLAR - fantomas wrote: > > I don't find any of existing domains suitable for more permanent usage. Yes, and I believe that's the desirable situation. More permanent uses (such as the (mis)use of .local you mentioned) should make use of registered domains to en

Re: Problem with zone delegation with private gTLD

2019-04-09 Thread Matthew Pounsett
On Tue, 9 Apr 2019 at 06:32, Tony Finch wrote: > > Matthew Pounsett wrote: > > > > RFC2606 reserves test, example, invalid, and localhost, for "testing > > and documentation," > > However you must either disable validation or set up your own root zone to

CloudSmith repository missing

2019-10-09 Thread Matthew Pounsett
Hi! It looks like the BIND Cloudsmith repository, which was there earlier this week, is no longer present. Hit:9 https://packages.icinga.com/debian icinga-stretch InRelease > Ign:10 https://dl.cloudsmith.io/public/isc/bind/deb/debian stretch > InRelease > Err:11 https://dl.cloudsmith.io/public/is

Re: CloudSmith repository missing

2019-10-09 Thread Matthew Pounsett
On Wed, 9 Oct 2019 at 19:14, Ondřej Surý wrote: > Hi Matt, > > sorry for the confusion with the CloudSmith repositories. We’ve been > experimenting with the different models, and we’ve decided to keep the BIND > 9 packages closer to the official distributions, that means that the > packages for
