Re: Issues in configuring Bind 9.10 in CentOS 6.3 with --open-ssl

2014-05-02 Thread Mukund Sivaraman
Hi Gaurav On Fri, May 02, 2014 at 01:17:40PM +0530, Gaurav Kansal wrote: --with-openssl=/usr/include/openssl/ --with-openssl should not point to the include directory, but to the prefix. Try --with-openssl=/usr or even just --with-openssl. checking for OpenSSL library... configure: error:

Re: Bind 9.10 and OpenBSD 5.5

2014-05-04 Thread Mukund Sivaraman
Hi paranoid sysadmin On Sun, May 04, 2014 at 03:20:40PM -0500, paranoid.schizophrenic.2 wrote: I don't know if anyone else has found this issue yet, but there is a problem building bind 9.10 (and 9.9.5) under the new release of OpenBSD (5.5). The problem is caused by the OpenBSD's team

Re: Error when using GeoIP

2014-07-01 Thread Mukund Sivaraman
Hi Ali On Tue, Jul 01, 2014 at 08:41:32PM +0200, Ali Jawad wrote: [root@uk etc]# ls -lart /usr/share/GeoIP/ -rw-r--r-- 1 root root 1206078 Jul 1 10:08 GeoIP.dat Though this is not the problem causing the failure: This filesize looks too large for it to be the current country database

Re: BUG report, BIND crash when dlz postgresql driver receives error from database server.

2014-07-24 Thread Mukund Sivaraman
Hi Dennis On Thu, Jul 24, 2014 at 10:51:00AM -0500, Dennis Jenkins wrote: Bind, configured with dlz postgresql, successfully connects to the database, but crashes (or corrupts the heap, randomly) on the very first query submitted, if the find zone query receives a permission denied error from

Re: Metazones or Something Else?

2014-08-04 Thread Mukund Sivaraman
Hi John On Mon, Aug 04, 2014 at 04:33:24PM +, John Anderson wrote: Has this metazone idea gained any traction? Is there a distributable implementation? If not, has another technology emerged which essentially injects restart-persistent zone SOA record information into BIND so that it may

Re: race condition in bind

2014-08-05 Thread Mukund Sivaraman
Hi Yadi On Tue, Aug 05, 2014 at 02:53:33PM +0800, yhu2 wrote: There seems to be a race condition in bind/named that leads to a segfault. This is the patch that solves the problem,and it is not fixed in upstream: Thank you for the report and the patch. I have forwarded it to our internal bug

Re: DNS reverse sub delegation NXDOMAIN problem, Class C

2014-08-19 Thread Mukund Sivaraman
Hi Bazy On Tue, Aug 19, 2014 at 08:12:58AM -0400, Bazy V wrote: so I set up the following in my reverse file for ns2.sub.test.com domain --- $ORIGIN 20.172.IN-ADDR.ARPA. NS ns1.test.com 0.220/24 NS ns2.sub.test.com 43.222 IN

Re: How does bind 9.x chooses root servers?

2014-09-19 Thread Mukund Sivaraman
Hi Jittinan On Fri, Sep 19, 2014 at 03:57:32PM +0700, Jittinan Suwanruengsri wrote: How does bind 9.x chooses root servers? The question is better phrased as How does BIND choose name servers? The SRTT selection method used by BIND is not quite described anywhere in an ISC document (such as

Re: Putting weird characters into zone files ?

2014-09-27 Thread Mukund Sivaraman
Hi Ronald On Sat, Sep 27, 2014 at 04:31:07AM -0700, Ronald F. Guilmette wrote: For a special project, I need to be able to create resource records within a BIND zone file where some of the domain labels in some of the FQDNs on the left-hand-side will need to be either (a) literal asterisks or

Re: Wildcard oddity

2014-09-29 Thread Mukund Sivaraman
On Mon, Sep 29, 2014 at 08:52:41PM -0700, Ronald F. Guilmette wrote: *.colors IN A 127.0.0.2 *.jason.purple.colors IN A 127.0.0.3 ; *.purple.colors IN A 127.0.0.4 === Note that that last line is commented out.

Re: Paper on IPv6 DNS Measurement

2014-09-30 Thread Mukund Sivaraman
Hi Gaurav On Tue, Sep 30, 2014 at 03:57:49PM +0530, Gaurav Kansal wrote: Our finding was:- 1. About 50% of the query is from Google AS 2. Around 7.4% queries are from Facebook AS (i.e., 32934) and many other.. Fb is on the 2nd spot in the AS wise query statistics. (Paper

Re: bind-9.10.0-P2 memory leak?

2014-10-13 Thread Mukund Sivaraman
Hi Thomas On Mon, Oct 13, 2014 at 02:31:37PM -0400, Thomas Schulz wrote: I restarted bind 9.9.6 with a max-cache-size of 30M. We have 3 views. The initial process size was 36 MB. The process grew to 184 MB. It grew to 596 MB without the max-cache-size being set and was still growing when I

Re: Bug/Vulnerability in `Dig' in latest dnsutils/bind9

2014-10-28 Thread Mukund Sivaraman
Hi Joshua On Tue, Oct 28, 2014 at 07:30:45PM +1100, Joshua Rogers wrote: Using the +nssearch and +tcp flags together, when looking at a domain with an ipv6 address, Dig crashes with a segmentation fault. Thank you for this bug report. I've forwarded it to our bug tracker. If you want to

Re: Bug/Vulnerability in `Dig' in latest dnsutils/bind9

2014-10-28 Thread Mukund Sivaraman
Hi Joshua On Tue, Oct 28, 2014 at 07:30:45PM +1100, Joshua Rogers wrote: I'm not sure if this is really severe enough for a CVE-ID or not, but let me know about it anyways. This crashes out almost immediately after next is assigned -1, by dereferencing *(-1) which is likely not mapped on any

Re: still have named memory leak

2014-12-12 Thread Mukund Sivaraman
Hi Len On Fri, Dec 12, 2014 at 09:52:23AM -0600, lcon...@go2france.com wrote: binary upgraded Freebsd 10 to Freebsd 10.1 named 9.10.1, compiled from source at named start, 305 MB memory after several hours of running named is approaching 800 MB. I'm sure after a couple of days, as

Re: still stuck with named memory leak

2014-12-23 Thread Mukund Sivaraman
Hi Len On Tue, Dec 23, 2014 at 03:02:49PM -0600, lcon...@go2france.com wrote: sent data to a ISC.org guy, no response. Is this about the config file that you sent me? I had asked you to send me dumps over time of the named statistics that are available via HTTP, as the named process grows. See

Re: Strange DLZ issues

2014-12-29 Thread Mukund Sivaraman
Hi Lars On Mon, Dec 29, 2014 at 10:57:57AM +0100, Lars Hanke wrote: Dec 29 10:29:20 verdandi named[2522]: samba_dlz: starting configure Dec 29 10:29:20 verdandi named[2522]: samba_dlz: configured writeable zone '10.16.172.in-addr.arpa.' Dec 29 10:29:20 verdandi named[2522]: samba_dlz:

Re: DIG Info Request

2015-02-03 Thread Mukund Sivaraman
On Tue, Feb 03, 2015 at 01:50:14PM -0500, Linux Addict wrote: I do dig . +trace and the results seem show .new servers. This is causing SERVFAIL for root query. Any ideas? dig . +trace Contact the person who runs the resolver at 172.27.254.11 and report the problem about the root hints. dig

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mukund Sivaraman
Hi Stephane On Mon, Feb 16, 2015 at 05:34:53PM +0100, Stephane Bortzmeyer wrote: DNSviz, like Unbound, says the domain is broken: http://dnsviz.net/d/cepn.asso.fr/VOGwhA/dnssec/ DNSviz complains about missing RRs, but shows status:SECURE in epn.asso.fr. with green outlines for DNSKEY, SOA,

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mukund Sivaraman
On Mon, Feb 16, 2015 at 10:39:52PM +0530, Mukund Sivaraman wrote: DNSviz also has explanation for why the green shapes are secure. (1) There is one item that bothers me: fr. to cepn.asso.fr.: The DS RRset for the zone included algorithm 5 (RSASHA1), but no key with algorithm 5 was found signing

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mukund Sivaraman
On Mon, Feb 16, 2015 at 11:26:00PM +0530, Mukund Sivaraman wrote: On Mon, Feb 16, 2015 at 11:19:51PM +0530, Mukund Sivaraman wrote: But while RFC 4509 sec. 6 talks about this issue in the case of DS with SHA-2 algorithms, there is no requirement there. There is this nugget here

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mukund Sivaraman
On Mon, Feb 16, 2015 at 05:34:53PM +0100, Stephane Bortzmeyer wrote: ;; ANSWER SECTION: cepn.asso.fr. 171998 IN DS 36778 5 2 ( D21FC827CF4621DF88D06A8F6EA5F4B4DE72A362AB2E 03D440C315A9D8FE1407 ) cepn.asso.fr. 171998

Re: Possible memory leak on BIND 9.10.1-P1 running on FreeBSD 10.1-RELEASE-p4 - part 2

2015-01-26 Thread Mukund Sivaraman
Hi Daniel On Mon, Jan 26, 2015 at 02:56:44PM +0100, Daniel Ryšlink wrote: Downgraded to BIND 9.9.6, the leak is gone, using the same named.conf, same HW, same environment. It is highly likely there is really a memory leak problem in Bind 9.10. Because many of these reports are on FreeBSD

Re: Possible spnego licensing problem

2015-02-02 Thread Mukund Sivaraman
Hi Israel On Mon, Feb 02, 2015 at 03:05:43AM -0500, israel shahak wrote: The file spnego.asn1 in lib/dns appears to be non-free. It says to look at RFC 4178 for the full legal notice and RFC 4178 is under a non-free license. The file spnego.asn1 is also used to generate other files. The

Re: Possible spnego licensing problem

2015-02-02 Thread Mukund Sivaraman
On Mon, Feb 02, 2015 at 02:07:11PM +0530, Mukund Sivaraman wrote: The contents of the file are taken (adapted) from here: https://tools.ietf.org/html/rfc4178#page-16 IETF has published RFC 3978 about IETF Rights in Contributions: https://tools.ietf.org/html/rfc3978 RFC 3978 is obsoleted

Re: Time stamp in query log

2015-01-09 Thread Mukund Sivaraman
Hi Divya On Fri, Jan 09, 2015 at 12:26:38PM +0530, Divya wrote: Dear All, We are facing misbehaviour of Time stamp in query log since January 2015. We are using RHEL 6.2 and bind version 9.9.5-P1 for DNS Server. We are in the IST time zone. Our Server time is showing correct time but

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Mukund Sivaraman
Hi Stefen On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote: Some of the internal Domains of our customers will fail the proof-of-non-existence. While this is technically correct, we still need access to their internal Domain to do our business... So the current

Re: Of long names...

2015-03-15 Thread Mukund Sivaraman
On Sun, Mar 15, 2015 at 08:26:35AM -0400, Timothe Litt wrote: Discussing a 'you don't handle long names' issue that I discovered with an application's developer, I thought I'd create a test case or two for him. I did, but they don't resolve. I might be missing something, so some other eyes

Re: Querying regarding ADDITIONAL records in named

2015-03-27 Thread Mukund Sivaraman
Hi Gaurav On Fri, Mar 27, 2015 at 11:18:33AM +0530, Gaurav Kansal wrote: While querying through dig utility, I am getting ADDITIONAL :3 in the Header section while I am only getting 2 additional records. The 3rd one is the OPT RR which is printed separately under OPT PSEUDOSECTION.

Re: size limit on RDATA in nsupdate

2015-02-21 Thread Mukund Sivaraman
On Sun, Feb 22, 2015 at 12:20:28AM +1100, Mark Andrews wrote: I doubt that it is a buffer issue. The input text buffer is 128K which should be big enough for a 64K rdata. At the top of nsupdate.c, MAXCMD is (128 * 1024) in master and v9_10 whereas it is (4 * 1024) in v9_9. This is probably

Re: RPZ and client matching

2015-05-09 Thread Mukund Sivaraman
Hi Job On Sat, May 09, 2015 at 06:34:26PM +0200, Job wrote: Hello, I noticed I can write an RPZ file for blocking some websites resolution, as example, and exclude some Client IP from this policy. I would like to do exactly the opposite: I want to define some blocking resolution policy

Re: [bind-users] Re: BIND9-ARM (HTML) feature request: better hyperlinking in/of chapter 6

2015-05-09 Thread Mukund Sivaraman
Hi Jerry On Sat, May 09, 2015 at 04:56:08PM -0500, Jerry K wrote: Was going thru some old messages, and came across this one about generating the ARM doc as HTML. Just wondering if anything ever became of it? Is this what you want: http://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.html

Re: CAA RR type

2015-05-15 Thread Mukund Sivaraman
On Fri, May 15, 2015 at 12:39:21PM +0530, rams wrote: I am using bind 9.6. Did I miss/mistake anything here? Could you please guide me to work for CAA. BIND 9.6 is unsupported. Please use a current version of BIND. Mukund

Re: R: RPZ and client matching

2015-05-13 Thread Mukund Sivaraman
Hi Job On Mon, May 11, 2015 at 01:49:54AM +0200, Job wrote: Hello, You can use a combination of rpz-client-ip. trigger and rpz-passthru. action to achieve either effect. I notice I can define a policy and then, with rpz-passthru, I can make exceptions for client. But I did not find how

Re: RPZ Question

2015-04-16 Thread Mukund Sivaraman
Hi Bob On Thu, Apr 16, 2015 at 12:26:41PM -0500, Bob McDonald wrote: I'm using RPZ to return fake addresses for hosts. Although it seems to work well for A records, I'm questioning the way it processes CNAME records. Shown below is the output from DIG. Both records are in RPZ. However,

Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA

2015-06-15 Thread Mukund Sivaraman
Hi Gaurav On Mon, Jun 15, 2015 at 06:11:26PM +0530, Gaurav Kansal wrote: Can anyone connected to Indian ISP check the same and let me know whether the issue is only with my network or for all NIXI connected users. I'd like to help and am probably a stone's throw away from the f node in

Re: DNS format error

2015-07-29 Thread Mukund Sivaraman
On Wed, Jul 29, 2015 at 08:13:38AM +0200, Matus UHLAR - fantomas wrote: On 29.07.15 03:06, Yang Yu wrote: I configured bind to forward queries to 8.8.8.8 do you have any reason to do this? BIND can resolve properly itself, it does not need to forward queries to anyone unless you are

Re: DNS format error

2015-07-29 Thread Mukund Sivaraman
Hi Tony, Yang On Tue, Jul 28, 2015 at 10:41:49PM +0100, Tony Finch wrote: However the weirdness in the NSEC3 record is not what is upsetting BIND, and it might be a bug. A noerror response with just NSEC3 and RRSIG(NSEC3) in the authority section should (I think) be treated as a type 3 nodata

Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure

2015-08-03 Thread Mukund Sivaraman
Hi Prakash On Mon, Aug 03, 2015 at 10:14:50AM +0530, prakash wrote: Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicnet2007.govdomain:15424: writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 Aug 3 09:59:34 govindnsvm named[7436]:

Re: Order and Preference Priority in DNS Responses

2015-08-03 Thread Mukund Sivaraman
Hi Harshith On Mon, Aug 03, 2015 at 05:08:50PM +0530, Harshith Mulky wrote: I wanted to understand how Order and Preference Values have an impact on the answers Received from the DNS Server I am asking because, I have 4 records for NAPTR Query, as below carrier1.com 86400 IN NAPTR 50

Re: Need for Additional Records in a

2015-07-22 Thread Mukund Sivaraman
Hi Harshith On Wed, Jul 22, 2015 at 11:51:53AM +0530, Harshith Mulky wrote: Hello, When we are getting Additional Section for a DNS Response like this, What is the need for this ADDITIONAL SECTION? Why is this ADDITIONAL SECTION returned? Is there a way to turn off these ADDITIONAL RESPONSE

Re: RPZ - override TXT records

2015-10-12 Thread Mukund Sivaraman
Hi Wolfgang On Thu, Oct 08, 2015 at 11:25:14PM +0200, Wolfgang Riedel [CISCO] wrote: > Hi Folks, > > I am currently struggling with using RPZ for inserting or overriding TXT > resource records. > > This is my goal: > >; do not rewrite www.cisco.com (so, PASSTHRU) and add or override >

Re: logging bug for rpz at load-time?

2015-09-03 Thread Mukund Sivaraman
Hi Phil On Thu, Sep 03, 2015 at 01:22:48PM +0100, Phil Mayers wrote: > Minor cosmetic bug, but we're seeing logs like: > > 03-Sep-2015 12:18:50.751 (re)loading policy zone 'rpz.' changed from > 0 to 77406 qname, 0 to 0 nsdname, 769 to 771 IP, 0 to 0 NSIP, 0 to 0 > CLIENTIP entries > >

Re: How is a $ORIGIN directive used inside a DNS Zone File

2015-12-16 Thread Mukund Sivaraman
On Mon, Dec 14, 2015 at 11:18:08AM +, Tony Finch wrote: > Mukund Sivaraman <m...@isc.org> wrote: > > > > Zone files do not require use of $ORIGIN. It is in fact an extension to > > the master format in RFC 1035. > > No, it is specified in RFC 1

Re: How is a $ORIGIN directive used inside a DNS Zone File

2015-12-14 Thread Mukund Sivaraman
Hi Harshith On Mon, Dec 14, 2015 at 07:36:15AM +, Harshith Mulky wrote: > Why is a $ORIGIN directive used in DNS Zone Files? $ORIGIN directive sets a name to be appended to relative names in the zone file so that they can be made into absolute names. The current origin is appended to such

Re: Bind 9.10.3 on CentOS 7.1 - Recv-q on vmware

2015-12-16 Thread Mukund Sivaraman
Hi Rasmus On Tue, Dec 15, 2015 at 03:20:05PM +0100, Rasmus Edgar wrote: > We started noticing 1s+ latency problems on clients resolving using the > vmware guest at a load around 6000 qps. > > Test setup: > > 1 x x86_64 vmware guest on Esx 5.5 > 8xVCPU > 8G RAM > vmxnet3 10Gb virtual interface >

Re: Does EDNS0 work with bind-9.10.3-P2?

2016-01-05 Thread Mukund Sivaraman
Hi Sury On Tue, Jan 05, 2016 at 10:50:39PM +0800, Sury Bu wrote: > I installed the latest version of bind-9.10.3-P2 but when I am using dig > EDNS feature with +subnet, I found my local DNS can not carry client > subnet, does this version support EDNS0 now? 9.10 branch has no support for ECS except

Re: Does EDNS0 work with bind-9.10.3-P2?

2016-01-05 Thread Mukund Sivaraman
Hi Sury On Wed, Jan 06, 2016 at 02:35:37PM +0800, Sury Bu wrote: > Hi Mukund, > > Thanks for your reply, and do you know what bind version will support > ECS option? BIND 9.11 will introduce authoritative support for ECS. Mukund

Re: Mitigation of server's load by queries for non-existing domains

2016-01-12 Thread Mukund Sivaraman
Hi Tomas On Tue, Jan 12, 2016 at 05:53:20PM +0100, Tomas Hozza wrote: > Hello all. > > Recently I was trying to find a mechanism in BIND that could prevent > the server from processing a recursive query for non-existing > domains. The issue I was trying to solve was that when server was >

Re: Assertion failure when RPZ zone returns NS records?

2016-06-11 Thread Mukund Sivaraman
On Sat, Jun 11, 2016 at 11:40:17PM +0530, Mukund Sivaraman wrote: > On Sat, Jun 11, 2016 at 05:19:41PM +, McDonald, Daniel (Dan) wrote: > > Apparently it’s not the way to do what I needed, but I created an RPZ > > record like this: > > foo.example.com IN

Re: Assertion failure when RPZ zone returns NS records?

2016-06-11 Thread Mukund Sivaraman
On Sat, Jun 11, 2016 at 05:19:41PM +, McDonald, Daniel (Dan) wrote: > Apparently it’s not the way to do what I needed, but I created an RPZ record > like this: > foo.example.com IN NS ns1.example.org > IN NS

Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Mukund Sivaraman
Hi Evan On Tue, Jun 14, 2016 at 05:45:59PM +, Evan Hunt wrote: > May I ask you to expand on why the MPL is a problem? So far the distros > have all been supportive. The BSD camp dislikes copyleft because copyleft prevents exactly what we're trying to stop: the ability to ship a

Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Mukund Sivaraman
On Tue, Jun 14, 2016 at 08:06:55PM +, Evan Hunt wrote: > On Tue, Jun 14, 2016 at 12:38:14PM -0700, Ted Mittelstaedt wrote: > > In reality, there IS no "middle ground" If you truly believe a > > piece of software SHOULD be freely licensed, then that includes the > > idea that commercial

Re: Complete DNS fake root setup example

2016-01-20 Thread Mukund Sivaraman
Hi John On Wed, Jan 20, 2016 at 05:12:44PM +, MURTARI, JOHN wrote: > Folks, > Had to do some testing where we wanted our own > insulated fake root environment. We wanted to start > from simulated root name servers. I was surprised I >

Re: pre heat cache

2016-02-17 Thread Mukund Sivaraman
On Wed, Feb 17, 2016 at 11:31:54AM -0800, William Taylor wrote: > Is there anyway to pre-heat the cache in bind on startup besides having > a custom script that did a bunch of queries on top hosts? > I know you can dump it with rndc but can you load it back ? It used to be possible to load the

Re: REG: configuring BIND to respond with EDNS client subnet option

2016-03-29 Thread Mukund Sivaraman
Hi Ramachandra On Tue, Mar 29, 2016 at 02:32:28PM -0700, Ramachandra Kasyap Marmavula wrote: > Request for some help with configuring a BIND DNS server to respond with > EDNS0 client subnet option. I am using the enhanced 'dig' utility available > with the BIND distribution to generate DNS

Re: RPZ logging

2016-05-20 Thread Mukund Sivaraman
On Fri, May 20, 2016 at 01:36:42PM +0200, Job wrote: > Hello, > > is it possible to log, regarding the RPZ response policy, everything > EXCEPT the CLIENT PASS THROUGH events? I would like to log only what > is matched. 9.11 (alpha release) has a "log" clause to enable/disable logging per

Re: Problems after upgrade to 9.10.4

2016-05-06 Thread Mukund Sivaraman
Hi Michael On Fri, May 06, 2016 at 02:57:59PM +0200, Michael Brunnbauer wrote: > I tried running bind with dnssec-enable no and still the exchanges with > tld nameservers involved many packets and TCP sessions. Why? See below: > > 07:25:08.157974 IP (tos 0x0, ttl 64, id 22351, offset 0, flags

Re: Sending extra info in bind dns query packet

2016-07-14 Thread Mukund Sivaraman
On Thu, Jul 14, 2016 at 11:15:03PM +1000, Karl Auer wrote: > On Thu, 2016-07-14 at 11:19 +0530, Sachin Patil wrote: > > I am just looking into bind and want to send extra information while > > querying dns bind server. This information will be used at the bind > > server side to return the

Re: Adding rdataset to a List

2016-06-30 Thread Mukund Sivaraman
Hi Jun On Fri, Jul 01, 2016 at 02:56:48AM +, Jun Xiang X Tee wrote: > Dear all, > > > I set up named server, and my dig client can connect to the server > successfully. For a UDP packet, I wish to add an artificial rdataset > to name list of Additional Section. Note that this question

Re: bind-users Digest, Vol 1727, Issue 1

2016-07-04 Thread Mukund Sivaraman
Hi Amit On Mon, Jul 04, 2016 at 04:32:07PM +0530, Amit Kumar Gupta wrote: > Dear All, > > We are Tier 2 ISP in Delhi. Our subscribers are not able to open dropbox.com > using our DNS IPs. > BIND version is 9.8.0. > > Regards > Manager(Internet-Systems) > MTNL Delhi As an internet user, I'd

Re: bind-users Digest, Vol 2427, Issue 1

2016-07-04 Thread Mukund Sivaraman
On Mon, Jul 04, 2016 at 05:18:27PM +0530, Amit Kumar Gupta wrote: > Dear All, > Please find the desired o/ps. > > bash-3.2# dig dropbox.com @203.94.243.70 > > ; <<>> DiG 9.6-ESV-R4-P2 <<>> dropbox.com @203.94.243.70 > ;; global options: +cmd > ;; connection timed out; no servers could be reached

Re: Problem looking up domain dryfire.com

2016-08-16 Thread Mukund Sivaraman
On Tue, Aug 16, 2016 at 11:04:14AM +0200, Eivind Olsen wrote: > Hello. > > I'm seeing some odd problems where BIND (9.10.4-P2) has issues resolving > getsurfed.com. This is when using the "510 Software Group" BIND 9.10 for > RHEL/CentOS/Fedora. > > I can do manual lookups of the domain with

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Mukund Sivaraman
Hi Raul On Tue, Feb 07, 2017 at 12:03:40PM -0200, Raul Dias wrote: > Hello, > > I have a very strange behavior that I am failing to understand. > > 2 to 5 times a week, a named server revert back to a previous version of a > master zone. > This happens during the night, usually around 20h EST.

Re: Bind Queries log file format

2017-02-03 Thread Mukund Sivaraman
Hi John On Fri, Feb 03, 2017 at 01:43:50PM +, MURTARI, JOHN wrote: > Folks at ISC, > > > I agree, there are an awful lot of systems and SIEM products that > > process querylogs. This one change will require a huge amount > of > > re-engineering work in customer environments. > > You

Re: Bind Queries log file format

2017-02-03 Thread Mukund Sivaraman
On Fri, Feb 03, 2017 at 08:51:01AM -0600, Alan Clegg wrote: > On 2/3/17 8:01 AM, Mukund Sivaraman wrote: > > > We have the debug log level, but consider the case when an operator has > > a non-deterministic or rare crash that isn't reproducible because the > > operator

Re: DNS RPZ triggers

2017-01-27 Thread Mukund Sivaraman
Hi ard On Fri, Jan 27, 2017 at 08:51:14PM +, der...@mskcc.org wrote: > Hi All, > > Back in December 2016, I worked on a problem in which a particular hostname > (a website) would not resolve from our DNS servers, but Level3, Google DNS, > and OpenDNS resolved it. It was clear that

Re: Bind Queries log file format

2017-01-25 Thread Mukund Sivaraman
Hi Michael On Wed, Jan 25, 2017 at 09:11:41AM -0500, Michael Dahlberg wrote: > Mukund: > > Yea, I can respect that. However, I'm not confident that dropping it right > in the middle of the log entry was the best place for it. I have a number > of processes that monitor the query logs (it seems

Re: Bind Queries log file format

2017-01-25 Thread Mukund Sivaraman
On Wed, Jan 25, 2017 at 12:44:21PM +, Steven Carr wrote: > On 25 January 2017 at 10:59, Tony Finch wrote: > > It's the address in memory of the data structure representing the client. > > It is mentioned in the CHANGES file (#4471) and in the release notes - see > >

Re: Bind Queries log file format

2017-01-25 Thread Mukund Sivaraman
On Wed, Jan 25, 2017 at 08:37:45AM -0500, Alan Clegg wrote: > On 1/25/17 7:44 AM, Steven Carr wrote: > > On 25 January 2017 at 10:59, Tony Finch wrote: > >> It's the address in memory of the data structure representing the client. > >> It is mentioned in the CHANGES file (#4471)

Re: NTA (Negative Trust Anchor) lifetime

2017-02-14 Thread Mukund Sivaraman
Hi Miguel On Tue, Feb 14, 2017 at 01:17:00PM -0200, Miguel Mucio Santos Moreira wrote: > Hi folks > > > I'd like to know if it's possible to use NTA (Negative Trust Anchor) in a way > I can set it's lifetime as unlimited for a specific domain. > I have a situation that will be necessary to

Re: Reasons to upgrade?

2017-01-18 Thread Mukund Sivaraman
On Wed, Jan 18, 2017 at 08:02:04AM -0700, lbutlr wrote: > It looks like there are three versions of Bind currently supported, > 9.9.9, 9.10, and 9.11. > > Are there specific reasons to move from 9.9 to 9.10 or 9.11 other than > the usual "it's newer and you're going to have to move at some point >

Re: bind used as resolver: matching the source ip

2016-08-19 Thread Mukund Sivaraman
On Thu, Aug 18, 2016 at 11:27:01AM +0200, pm8...@t-online.de wrote: > Dear all, > > As far as I understand, BIND is not only used for authoritative name > servers, but is also often used as a (recursive) resolver. > When receiving a response to a DNS query, does BIND match the source ip of >

Re: creating IPv6 interface eth0 failed; interface ignored

2016-08-19 Thread Mukund Sivaraman
On Fri, Aug 19, 2016 at 11:32:43AM +0200, Wolfgang Riedel wrote: > ### bootup with: empty-zones-enable no; > > [root@ns1 ~]# systemctl status named-chroot.service > ● named-chroot.service - Berkeley Internet Name Domain (DNS) >Loaded: loaded (/usr/lib/systemd/system/named-chroot.service;

Re: creating IPv6 interface eth0 failed; interface ignored

2016-08-19 Thread Mukund Sivaraman
On Fri, Aug 19, 2016 at 11:46:36AM +0200, Wolfgang Riedel wrote: > Hi Mukund, > > yes this had been my first assumption also but WHY should/would the > statement "empty-zones-enable" within named.conf change the bring > process of the network interface process? > > It’s curious, right? I suspect

Re: Need of caching on bind server

2016-08-24 Thread Mukund Sivaraman
Hi Harshith On Thu, Aug 25, 2016 at 04:47:03AM +, Harshith Mulky wrote: > Hello, > > > I am trying to understand why caching is required on the bind server, > when the client receiving the responses would be caching based on TTL > values. > > > So, > > Is caching required on the server,

Re: Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

2016-09-06 Thread Mukund Sivaraman
Hi Tom On Tue, Sep 06, 2016 at 07:37:50AM +0200, Tom wrote: > Is there a workaround/configuration-directive not to log every request with > this "error"? One way would be using BIND 9.9.9-P2 (because this code was > added in 9.10.x...), but I would prefer 9.10.x. (1) Don't use regular BIND 9.9

Re: Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1

2016-08-30 Thread Mukund Sivaraman
On Wed, Aug 31, 2016 at 02:02:45PM +1000, James Brown via bind-users wrote: > System is a Mac mini (late-2009) running a new install of Mac OS X 10.11.6. > > Installed OpenSSL 1.1.0 using: > ./Configure --prefix=/usr/local shared darwin64-x86_64-cc > enable-ec_nistp_64_gcc_128 no-ssl2 no-ssl3 >

Re: replicate a whole master

2016-09-19 Thread Mukund Sivaraman
On Mon, Sep 19, 2016 at 04:40:17PM +0100, Tony Finch wrote: > /dev/rob0 wrote: > > > > If you're thinking that you can do this replication to improve DNS > > performance, you're right, it will do that. But it certainly will > > not scale (if it's even possible to get axfr/ixfr),

Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Mukund Sivaraman
On Sat, Sep 17, 2016 at 03:51:00PM +, Bhangui, Sandeep - BLS CTR wrote: > Hi > > Not exactly sure whether this is a DNS issue but hoping someone here on this > forum can provide some advice/suggestion as I am trying to figure out what is > going on. > > Our organization BLS owns (

Re: BIND 9.11.0 RPZ performance issue

2016-10-18 Thread Mukund Sivaraman
Hi Phil On Tue, Oct 18, 2016 at 09:15:45AM +0100, Phil Mayers wrote: > On 18/10/16 08:26, Mukund Sivaraman wrote: > > > We know that IXFR with RPZ policy zones (esp. this DBL zone) causes some > > trouble due to a less than desirable design / implementation of RPZ in > &

Re: BIND 9.11.0 RPZ performance issue

2016-10-18 Thread Mukund Sivaraman
Hi Bob On Tue, Oct 18, 2016 at 03:26:00PM -0400, Bob Harold wrote: > On Tue, Oct 18, 2016 at 3:26 AM, Mukund Sivaraman <m...@isc.org> wrote: > > > > > Firstly, RPZ in BIND 9.9 (vanilla) is broken, unmaintained and should > > not be used by anyone. If you know

Re: BIND 9.11.0 RPZ performance issue

2016-10-18 Thread Mukund Sivaraman
Hi Daniel On Tue, Oct 18, 2016 at 09:08:37AM +0200, Daniel Stirnimann wrote: > It currently looks like that only having the spamhaus rpz zones active > causes the occasional timeouts. Maybe it's related to the zone size as > dbl.rpz.spamhaus.org is quite large. If i/o performance on the virtual >

Re: Master/Slave communication not working if I use HMAC-SHA* algorithms when views are implemented

2016-10-14 Thread Mukund Sivaraman
Hi Nagesh On Fri, Oct 14, 2016 at 11:00:24AM +0530, Nagesh Thati wrote: > Hi, > > Can anybody implemented master/slave communication with views and algorithm > HMAC-SHA* algorithms. I tried with all the HMAC-SHA* algorithms it didn't > work for me, only HMAC-MD5 algorithm worked for

Re: Slow zone signing with ECDSA

2017-04-20 Thread Mukund Sivaraman
On Thu, Apr 20, 2017 at 04:03:21PM +0100, Chris Thompson wrote: > On Apr 20 2017, Tony Finch wrote: > > > Mark Andrews wrote: > > > > > > DSA requires random values as part of the signing process. > > > > Traditionally, yes, but it isn't actually required - > >

Re: Latest BIND on Debian 8.7 (jessie) crashed due to assertion failure

2017-04-20 Thread Mukund Sivaraman
Hi Carlos On Thu, Apr 20, 2017 at 12:54:47AM -0300, Carlos Pizarro wrote: > Today the bind9 service crashed and this were the last few log lines when > it happened: > > Apr 19 20:46:23 host named[32115]: error (unexpected RCODE REFUSED) > resolving 'heroditus.touchtype-systems.com/A/IN': >

Re: HELP - Domain resolution failed

2017-07-18 Thread Mukund Sivaraman
> root@recursivo-a:~# dig icap-to.com.br > > ; <<>> DiG 9.10.3-P4-Ubuntu <<>> icap-to.com.br > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32316 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: >

Re: RPZ zone name label length limit

2017-06-29 Thread Mukund Sivaraman
Hi Jim On Thu, Jun 29, 2017 at 01:57:16PM +, Jim Yang wrote: > Hi, > > What is the DNS name label length limit? As per RFC 1035, it is 63 > characters. I tested a few DNS names that contains a label that is > longer than 63 characters, and found that these records were > successfully loaded

Re: BIND 9.11.1-P3 revives expired zones briefly during reconfig

2017-08-06 Thread Mukund Sivaraman
Hi Anand On Sun, Aug 06, 2017 at 09:30:01AM +0200, Anand Buddhdev wrote: > Hello BIND developers, > > I've updated from BIND 9.10 to 9.11, and noticed the following happening > whenever "rndc reconfig" is run: > > 05-Aug-2017 11:11:42.066 general: received control channel command > 'reconfig' >

Re: BIND 9.11.1-P3 revives expired zones briefly during reconfig

2017-08-06 Thread Mukund Sivaraman
On Sun, Aug 06, 2017 at 08:07:51PM +0200, Anand Buddhdev wrote: > On 06/08/2017 13:49, Mukund Sivaraman wrote: > > Hi Mukund, > > > Which exact version of 9.11 is this? Is their master NSD or some 3rd > > party signer? Can you create a bug ticket with your named config

Re: Can a NAPTR query over TCP contain OPT section in Additional Records

2017-06-22 Thread Mukund Sivaraman
Hi Harshith On Thu, Jun 22, 2017 at 05:36:12AM -0700, Harshith Mulky wrote: > Client > DNS > EDNS query, buffer size=4096 > ---> > >DNS Response,

Re: What is wrong with my second $ORIGIN

2017-09-14 Thread Mukund Sivaraman
On Thu, Sep 14, 2017 at 07:02:52AM +, Harshith Mulky wrote: > What's wrong with my second $ORIGIN here: > > > $ORIGIN lab.example.com. > $TTL 1d > @ IN SOA colombo root.lab.example.com. ( > 2003022720 ; Serial >

Re: Logging resolved IP

2017-09-19 Thread Mukund Sivaraman
On Tue, Sep 19, 2017 at 05:16:36PM +0200, Job wrote: > Hi guys, > > is there a way to log resolved IP in Bind log files? > Example: > www.google.com 4.3.2.1 > > I am able to do it with tcpdump, but I do not like a "sniffering" solution! Turn up logging level to over 10, such as named -d 11. It

Re: SOA serial increment when we update SOA RR

2017-10-04 Thread Mukund Sivaraman
On Wed, Oct 04, 2017 at 11:43:18AM +0100, Tony Finch wrote: > rams wrote: > > > > When we change any resource record like A or , then SOA serial number > > gets incremented. But if we update only SOA record, is serial number of SOA > > remain same as before or serial

Re: dnssec validation issue

2017-08-30 Thread Mukund Sivaraman
Hi Ganga On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote: > With dnssec-validation turned on, resolving sites like www.icann.org > fails. The alternative is to remove validation > which of course is not the desired solution. Are you able to reproduce the

Re: Differences Between Recursion Desired and Recursion Available

2017-10-06 Thread Mukund Sivaraman
On Fri, Oct 06, 2017 at 08:11:56AM +, Harshith Mulky wrote: > What I am not able to understand is, What would happen when resolver > does not set Recursion Desired bit in the query it sends? > > If Recursion is supported on the server, Would the server do the > Referral Queries and set the RA

Re: DNSSEC validation without current time

2017-12-15 Thread Mukund Sivaraman
On Fri, Dec 15, 2017 at 12:45:11PM +0100, Petr Menšík wrote: > Hi folks. > > I am looking for a way to validate name also on systems, where current > time is not available or can be inaccurate. I use a Garmin 18x LVC 1pps GPS receiver device connected to RS-232 serial port. The device plus

Re: EDNS0 client subnet in BIND 9.10

2017-11-10 Thread Mukund Sivaraman
I'm not sure how ECS would be useful for load-balancing, as in the best case scenario it would require one to control every client side to send the client-subnet option. On Fri, Nov 10, 2017 at 04:44:10PM +, Tony Finch wrote: > Ben Croswell wrote: > > > > I have

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Mukund Sivaraman
On Wed, Dec 20, 2017 at 12:39:33PM +, MAYER Hans wrote: > > > Dear All, > > My environment: We are using the latest version of BIND and DHCP from ISC. > Our workstations ( mostly Windows and some Mac ) are in certain networks. > Only these networks are allowed to do dynamic DNS updates.

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Mukund Sivaraman
On Wed, Dec 20, 2017 at 01:27:17PM +, MAYER Hans wrote: > > Dear Mukund, > > Many thanks for coming back. > > > You'll have to explain what you mean better for a more specific answer, > > but see the manual for the "allow-update" ACL config option > > In my zone configuration I have an
