Re: DNSSEC inline/auto - burst of resigning/updates ?

2019-09-09 Thread Tony Finch
Shumon Huque wrote: > > In recent versions of BIND, the jitter is no longer 1 hour, but spread > out over the signature validity period. Oh, nice, I must have looked at a stale branch by accident :-) Tony. -- f.anthony.n.finch http://dotat.at/ Lundy, Fastnet, Irish Sea: North or northwest 6

Re: DNSSEC inline/auto - burst of resigning/updates ?

2019-09-09 Thread Tony Finch
Brandon Applegate wrote: > > Tonight though in about an hour, the serial number was incremented 12 > times and NOTIFYs sent. My home firewall is stable, and my DKIM > rotation happens monthly via cron. So there’s nothing in the logs > regarding a DDNS update. > > My question is - what could prom

Re: Client object identifier Bind 9.11

2019-08-29 Thread Tony Finch
Miguel Mucio Santos Moreira wrote: > > I'd like to know if this hexadecimal number is fixed, in other words if > each dns client (smartphones, workstations, etc) has a specific > hexadecimal number, how this string is constructed on bind and what kind > of information would be possible to extract

Re: rpz fail

2019-08-27 Thread Tony Finch
Lee wrote: > > Can someone please explain why using this as my rpz zone does NOT > block everything for *.2o7.net? > > 2o7.net CNAME . > *.2o7.net CNAME . > bcbsks.com.102.112.2o7.net CNAME . I suspect this is RPZ obeying the weird semantics of DNS wildcard matching. The * only matches if the ans

RE: DNSSEC Error Log - named[4132]: managed-keys-zone/“externals”: Unable to fetch DNSKEY set '.': timed out

2019-08-06 Thread Tony Finch
LeBlanc, Daniel James wrote: > > Our authoritative servers are not sending notifies anywhere, and we use > only IPs within the config file (Ansible managed) so I wouldn’t expect > that any NS records are being resolved. You need to have `notify no` or `notify explicit` in the authoritative view,

Re: DNSSEC Error Log - named[4132]: managed-keys-zone/“externals”: Unable to fetch DNSKEY set '.': timed out

2019-08-05 Thread Tony Finch
LeBlanc, Daniel James wrote: > > This is occurring only on my authoritative servers and only for the view > that I do not have recursion enabled for (the “externals” view; the > “internals” view has recursion enabled and it is working). It's curious that trust anchor maintenance works for one vie

Re: journal file is out of date: removing journal file

2019-07-31 Thread Tony Finch
Klaus Darilion wrote: > > So, is this then a bug or just some suboptimal processing which should > not cause any operational issues? Both a bug and benign, I think :-) Tony. -- f.anthony.n.finch http://dotat.at/ the fundamental values of liberty, equality, and community _

Re: journal file is out of date: removing journal file

2019-07-31 Thread Tony Finch
Klaus Darilion wrote: > > What does the log message "journal file is out of date: removing journal > file" exactly mean? Is it somehow problematic? After loading a zone, named discovers the serial number of the zone doesn't match the serial number of the journal. Something weird is happening, be

Re: IXFR fallback to AXFR if diff is bigger than zone

2019-07-12 Thread Tony Finch
Klaus Darilion wrote: > > I wonder how Bind as master handles IXFR when the requested IXFR would > be much bigger than the AXFR. (For example: if you change the NSEC3 salt). > > Are there some mechanisms to detect such a situation and trigger a > fallback to AXFR or will Bind always perform IXFR? No. It

Re: Bind and HTTPS?

2019-07-11 Thread Tony Finch
Lefteris Tsintjelis via bind-users wrote: > > Why would you want something like that? https://datatracker.ietf.org/wg/dprive/about/ Tony. -- f.anthony.n.finch http://dotat.at/ Great Orme Head to the Mull of Galloway: Southwesterly 3 to 5, veering northwesterly 4 or 5, occasionally 6 later in

Re: Bind and HTTPS?

2019-07-11 Thread Tony Finch
@lbutlr wrote: > Is it possible to setup bind to use DOH (DNS over HTTPS) rather than > unencrypted DNS lookups? Or in addition to? To give DoH access to clients you need a proxy such as dnsdist or doh101. https://dotat.at/cgi/git/doh101.git https://dnsprivacy.org/wiki/display/DP/Using+dnsdist

Re: Bind 9 with Views: zone transfer refused from master to slave

2019-07-04 Thread Tony Finch
Roberto Carna wrote: > > As I have shown above, I use two views with a TSIG key for each view, but > the zone transfer doesn't work. The redacted config you posted did not consistently use key one in view one and key two in view two. I don't know if your real config has the same mistake or not.

Re: DS record RRSIG

2019-07-02 Thread Tony Finch
Josh Kuo wrote: > > There are 6 DS records total, but only 1 RRSIG. This leads me to believe > that the single RRSIG is generated by somehow concatenating all DS records > together. Correct. > This then leads me to believe that the validating resolver needs to > process _all_ DS records, not jus

Re: Allow only temporary zone updates without making them permanent

2019-06-27 Thread Tony Finch
Lefteris Tsintjelis via bind-users wrote: > > If I set it though, and named no longer has access to modify and rewrite > other files but its own, will it break things? Yes. Tony. -- f.anthony.n.finch http://dotat.at/ Southeast Iceland: Southwesterly 5 to 7. Moderate, occasionally rough at fi

Re: Allow only temporary zone updates without making them permanent

2019-06-26 Thread Tony Finch
Lefteris Tsintjelis via bind-users wrote: > > That makes perfect sense, but I was still shocked when I first saw it > especially to a file owned by root. This is the part that surprised me > and worried me the most! I was under the impression that after start up, > named would switch to the user co

Re: Allow only temporary zone updates without making them permanent

2019-06-26 Thread Tony Finch
Grant Taylor via bind-users wrote: > > The only way that I see that BIND, running as something other than root, could > change them is if the user it's running as has write on the directory and > deletes & recreates new zone files as itself. But that would surprise me too. `named` requires write

Re: Allow only temporary zone updates without making them permanent

2019-06-26 Thread Tony Finch
Lefteris Tsintjelis via bind-users wrote: > On 26/6/2019 17:39, Grant Taylor via bind-users wrote: > > Or are you wanting to update the zone contents without actually updating > > the zone file on disk? > > Yes, exactly this. That is the reason I changed the actual zone disk > file permissions to

Re: RPZ with Spamhaus

2019-06-24 Thread Tony Finch
Mik J via bind-users wrote: > > I registered in spamhaus but don't know how to be able to axfr the > content of the zone When you signed up for the free DROP RPZ account you should have received an email with login details for spamhaus's customer portal. I think the axfr server details can be fou

Re: Negative Caching of DNS Responses for Different RCODES

2019-06-20 Thread Tony Finch
Harshith Mulky wrote: > > 1. How is Negative Caching Applied for other RCODES : FORMERR, SERVFAIL, > REFUSED and NOTIMPL? What is the minimum TTL Value for these responses? Good question: this isn't well specified. BIND has servfail-ttl (1s by default) and lame-ttl (600s by default). The lame-ttl

Re: dnssec-validation auto vs yes

2019-06-13 Thread Tony Finch
Shawn Zhou via bind-users wrote: > Thanks Even. Sounds like "dnssec-validation auto" is a more > future-proof option for what I want. I will use that instead. My recommendation is to avoid configuring or installing root trust anchors, and let named handle all that itself. In BIND 9.14 and lat

Re: Useful tip on nsupdate -- readline support.

2019-06-12 Thread Tony Finch
Mukund Sivaraman wrote: > On Tue, Jun 11, 2019 at 10:03:30AM -0400, Warren Kumari wrote: > > > > I manually use nsupdate to make some changes to some of my zones - > > most recently I had to add a bunch of reverse DNS records. These are > > all very similar - the first octet changes, and then the

Re: DiG - Internal error

2019-06-11 Thread Tony Finch
LeBlanc, Daniel James wrote: > > I am performing a dig command from and against localhost and that has > firewalled access to the Internet but am getting an exit status of 10 > and the following textual error: dig +trace simulates iterative resolution so it tries to connect to authoritative serve

Re: BIND ignores queries from specific privileged source ports

2019-06-11 Thread Tony Finch
Mark Andrews wrote: > As for the NAT box that chooses those ports. If you can’t keep the > original port it should choose a ephemeral port at random. Choosing a > well known port is problematic for lots of reasons. If I understand the documentation that was linked previously https://www.cisco.c

Re: BIND 9.14.2 configure problem

2019-06-07 Thread Tony Finch
greg.ra...@bt.com wrote: > However when I specify this freshly built OpenSSL 1.1.1c install > location when configuring BIND 9.14.2, it still complains: Try LD_RUN_PATH=/opt/tmp/openssl/lib ./configure --with-openssl=/opt/tmp/openssl What's probably happening is that the configure script's Ope

Re: What is maximum size BIND can accept in A Record?>

2019-06-05 Thread Tony Finch
Mukund Sivaraman wrote: > On Wed, Jun 05, 2019 at 12:07:56PM +0100, Tony Finch wrote: > > The maximum length is 254 including the terminating dot. The maximum > > 254 excluding the terminating dot or 255 including the terminating dot. 255 is the wire format limit not the pres

Re: A couple of regression problems between 9.11.7 and 9.14.2

2019-06-05 Thread Tony Finch
Borja Marcos wrote: > > Problem 1: > > I had a problem resolving the rigol.com domain. Looking at packet > captures and comparing I saw that the authoritative servers for > rigol.com were ignoring packets with a cookie option. > > Problem 2: > > I also noticed that 9.14.2 is not resolving login.re

Re: What is maximum size BIND can accept in A Record?>

2019-06-05 Thread Tony Finch
Blason R wrote: > As soon as I find the long URLs with more than 150 words and remove it. It > starts perfectly > > Though 150 is I considered and even tried with 200 and it worked. So > wondering what is the limit? I infer that you are talking about length of domain names, specifically owner na

Re: rpz using a forward zone

2019-06-05 Thread Tony Finch
Mike Woods wrote: > > So, the long and short of things, is it actually possible to point the > response policy at a forward zone No, the RPZ zone file has to be present on the resolver. The RPZ is parsed into a special fast lookup data structure so that policies can be applied efficiently. Tony.

Re: Logging of notify sending

2019-05-28 Thread Tony Finch
Greg Rivers wrote: > As Rick Dicaire said previously, "Notifications themselves don't use TSIG". Depends on your configuration :-) 28-May-2019 01:43:13.162 notify: info: client @0x5591b0877080 2001:630:212:8::d:aa#31085/key tsig-ipreg: view main: received notify for zone 'cam.ac

Re: bind qname minimization thoughts

2019-05-28 Thread Tony Finch
Daniel Stirnimann wrote: > > I would like BIND to also more gracefully handle qmin errors. This could > mean changing to the query type A (See attached patch for BIND > 9.14.2) or disabling qmin on errors. I tend to think that making A queries instead of NS is the best way to reduce the compl

Re: Should we remove the DLV code?

2019-05-22 Thread Tony Finch
Matthijs Mekking wrote: > > The BIND 9 development team has been discussing whether we should remove > the DLV code from the BIND 9 source. DLV as it currently works is not useful and it's a lot of complexity to carry around. However, with some tweaks it might be made useful. On the gripping hand

Re: nsupdate reject

2019-05-22 Thread Tony Finch
@lbutlr wrote: > > If I remove "update-policy local; " the nsupdate works, but it seems > like it should have worked with the update-policy since I was in fact > local to the bind server. The "local" keyword enables server-side support for `nsupdate -l`, which makes dynamic updates really easy to

Re: Checking whether some configure options to compile are not longer available for Bind 9.14.1

2019-04-29 Thread Tony Finch
Bhangui, Sandeep - BLS CTR via bind-users wrote: > > I am trying to compile the 9.14.1 source code on Sparc Solaris 10 and I > see that the following options are not recognized any more when used with > configure. > > " -enable-ipv6" and "-enable-threads" Yes, they have gone. The HISTORY file sa

Re: max file size or line count for BIND zone file

2019-04-25 Thread Tony Finch
Martin Meadows via bind-users wrote: > Wondering if anyone is aware of a max file size or max number of lines that > a given BIND zone file can contain? There isn't a limit as such, so it depends on the capabilities of your hardware. I have an old 7.7 million record RPZ zone here which named-com

Re: max-cache-size

2019-04-18 Thread Tony Finch
Jakob Dhondt wrote: > > I was wondering if this option only includes DNS queries/responses > getting cached or anything else as well, e.g. RPZ zones being kept in > memory. RPZ counts as authoritative data, so I believe it isn't included in the cache size. Tony. -- f.anthony.n.finch http://d

Re: Problem with zone delegation with private gTLD

2019-04-09 Thread Tony Finch
Matthew Pounsett wrote: > > RFC2606 reserves test, example, invalid, and localhost, for "testing > and documentation," However you must either disable validation or set up your own root zone to use them. [ RFC 6761 has more details than RFC 2606 about how to use these names. ] Tony. -- f.anthon

Re: Problem with zone delegation with private gTLD

2019-04-08 Thread Tony Finch
Karl Lovink via bind-users wrote: > I cannot use a registered domain name because I'm building a phishing > demo environment and I do not want to use an internet connection. It's not particularly easy to get a resolver to work without an Internet connection. You'll need to set up your own root

Problem with zone delegation with private gTLD

2019-04-08 Thread Tony Finch
Matus UHLAR - fantomas wrote: > > many users/organizations use private TLDs, just like they often use > private IP ranges instead of public. Smoking is popular too but that doesn't mean it's a good idea :-) > I believe there should be reserved gTLD for such usage. That's a very bad idea, becau

Re: Problem with zone delegation with private gTLD

2019-04-08 Thread Tony Finch
Karl Lovink via bind-users wrote: > I am trying to set up a private gTLD with BIND9 and underneath that gTLD > a subdomain. Why a TLD? You will have fewer problems if you get a properly registered domain and set up a subdomain of that for private use. Tony. -- f.anthony.n.finch http://dota

Re: BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

2019-04-02 Thread Tony Finch
Anand Buddhdev wrote: > > I'm not sure why it's doing that, but I think I know the reason for this > error message. The release notes of 9.14.0 say that on Linux, BIND uses > libcap to set certain privileges. However, if the /usr/sbin/named binary > is not marked as being able to use privileges, t

Re: DynDB - handling arbitrary zones

2019-04-01 Thread Tony Finch
Klaus Malorny wrote: > > The main problem is that I don't know which zones I will have to serve > beforehand, and they may be many and may change over time, i.e. simply the > typical pattern of an ISP. I want to avoid dynamically creating the > configuration file and triggering the reloading process

Re: convert Knot DNS sigantures certs to BIND format.

2019-03-28 Thread Tony Finch
Milan Jeskynka Kazatel wrote: > > your suggested workflow is working for me in most of the cases. Unfortunately, > it happens that the resigning mechanism creates whitespace in the DNSKEY That should be benign, provided it is horizontal space without newlines. For example, BIND creates .key files wi

Re: make bind prefer DoT for recursion

2019-03-22 Thread Tony Finch
Erich Eckner wrote: > > I am running a recursive resolver for my local network and was wondering > whether it is possible (and if so: how) to make it resolve via DNS-over-TLS if > that's available on the authoritative name servers. BIND doesn't have any TLS support, and (as you said) it really ne

Re: convert Knot DNS sigantures certs to BIND format.

2019-03-20 Thread Tony Finch
Petr Mensik wrote: > > Maybe, just maybe it would be easier to modify that tool to be able > producing also the other direction. Definitely, if the key conversion isn't a one-off :-) Tony. -- f.anthony.n.finch http://dotat.at/ Viking, North Utsire: Southwesterly 4 or 5, increasing 6 to gale

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-18 Thread Tony Finch
Stephan von Krawczynski wrote: > > But to us it was clearly time to at least present the idea to configure > zones based on a user-defined default zone entry. Catalog zones have that kind of structure: there are options at the level of the whole catalog which individual zones can override. Tony.

Re: convert Knot DNS sigantures certs to BIND format.

2019-03-14 Thread Tony Finch
Milan Jeskynka Kazatel wrote: > > Now I'm able to sign my zone. But in the dsset file, which should contain the > same DS as I already have in the parent zone, I have a different "keytag" and > a different hash. > > In my case the "keytag" in the dsset file is 43120. OK, referring to your previous message...

Re: convert Knot DNS sigantures certs to BIND format.

2019-03-14 Thread Tony Finch
Milan Jeskynka Kazatel wrote: > > When I tried to re-sign my zone in BIND by Webmin, then I get this error > message below. My original "keytag" is 43121. I don't understand where > information like example.com/ECDSAP256SHA256/45623 is written BIND often does not refer to key files by filename,

Re: Error: zone example.com/IN (signed): receive_secure_serial: unchanged

2019-03-13 Thread Tony Finch
Tom wrote: > > DNSSEC is working fine on the zone "example.com", but as I mentioned: The > severity is "error" and it's not clear why. It looks to me like the code is re-using its error path clean-up in a case where there is nothing to do, and if it is as simple as that then the patch below shoul

Re: convert Knot DNS sigantures certs to BIND format.

2019-03-12 Thread Tony Finch
Milan Jeskynka Kazatel wrote: > > I received a hint for a tool which allows converting .pem format used in > Knot to .key and .private used in BIND, but it, unfortunately, does not > support ECDSAP256SHA256 algorithm which I used. Ah, sounds like Knot uses a relatively familiar key format, so we

Re: BIND 9.11 no longer respects edns-udp-size?

2019-03-11 Thread Tony Finch
Stéphane Bortzmeyer wrote: > > Does minimal-responses make sense for an authoritative name server? > (Note there was no glue involved.) I think it helps reduce fragmentation if the max-udp-size is larger than the MSS, but apart from that it probably doesn't make much difference. As far as I can

Re: BIND 9.11 no longer respects edns-udp-size?

2019-03-11 Thread Tony Finch
Stéphane Bortzmeyer wrote: > ; <<>> DiG 9.10.3-P4-Debian <<>> @194.0.9.1 DNSKEY ma To properly diagnose UDP message size issues you need +ignore +notcp on the command line. (You actually need both options to stop dig using TCP in all situations.) The response you pasted looked to me like what I

Re: How to I prevent sending additional data to everybody?

2019-03-05 Thread Tony Finch
Grant Taylor via bind-users wrote: > > My test query is returning the A record for an NS that is out of zone but in a > different zone on the same server. > > something.aaa.example.net.NS ns1.bbb.example.net. > > dig is still showing ns1.bbb.example.net's A record in additional data when

Re: How to I prevent sending additional data to everybody?

2019-03-05 Thread Tony Finch
Grant Taylor via bind-users wrote: > > options { > … > additional-from-auth no; > additional-from-cache no; > allow-recursion { myACL; }; > // recursion no; > … > }; There's an old entry in the CHANGES file: 912. [bug] Attempts to set the 'additio

Re: DNSSEC debugging: TC and AD-Flag set?

2019-02-25 Thread Tony Finch
Tom wrote: > > I've enabled deep log-debugging in BIND 9.12.2-P1 (resolver) for DNSSEC > purposes and was wondering why my resolver received an "authenticated data" > answer from one of the authoritative servers for "org." (199.19.57.1), while > the response has the TC (truncated) flag set too: Th

Re: Freeze/thaw and signed zone files

2019-02-22 Thread Tony Finch
@lbutlr via bind-users wrote: > On 22 Feb 2019, at 09:54, Tony Finch wrote: > > You might want a config like > > > > zone "example.com" { > > type master; > > file "master/example.com”; > > Not example.com.signed?

Re: Freeze/thaw and signed zone files

2019-02-22 Thread Tony Finch
@lbutlr wrote: > > Nope, now the .signed file isn’t touched at all after the zone file is edited. > > zone "example.com" { > type master; > file "master/example.com.signed"; > update-policy local; > auto-dnssec maintain; > }; It sounds to me like you are expecting it to wo

Re: Freeze/thaw and signed zone files

2019-02-22 Thread Tony Finch
Grant Taylor via bind-users wrote: > > I'm sorry. I gave you the wrong command. You want "sync", not "flush". You don't need to sync as well as freeze: `rndc freeze` also syncs the zone. Tony. -- f.anthony.n.finch http://dotat.at/ Faeroes, Southeast Iceland: Southerly, veering southwesterl

Re: DNS load balancing: UDP or TCP ?

2019-02-20 Thread Tony Finch
Roberto Carna wrote: > > Can you confirm this is true in 100% of clients??? It's true of clients that follow the spec. Tony. -- f.anthony.n.finch http://dotat.at/ Rattray Head to Berwick upon Tweed: South or southwest 4 or 5, occasionally 6 at first. Slight or moderate, occasionally rough a

Re: Empty .local zone

2019-02-19 Thread Tony Finch
Ben Bridges wrote: > > Would it be advisable or inadvisable to define an empty zone for .local > on a recursive, unicast BIND server that is not hosting any Microsoft > Windows AD domains or other .local zones in order to keep the queries > for .local off the root servers? If you are running BIND

Re: DNS load balancing: UDP or TCP ?

2019-02-19 Thread Tony Finch
Roberto Carna wrote: > Dear, I have to balance two DNS servers for a special reason. https://www.powerdns.com/dnsdist.html > The DNS clients are a mix of Windows, Cisco and Linux machines, so I > think they ask for a FQDN using UDP and after that -if there is no > response-, they ask the same F

Re: Malicious-DNS

2019-02-18 Thread Tony Finch
MEjaz wrote: > > If I enable it, will the system's performance slow down? Depends on how much load your servers are under and what their capacity is. An alternative to query logs, when you are searching for a known query name, is to use tcpdump. It's tedious and fiddly to convert the name to DNS wire

Re: Forward zone inside a view

2019-02-13 Thread Tony Finch
Grant Taylor via bind-users wrote: > > I know it's not yet an option and won't yet work for Roberto C., but would > BIND's forthcoming "mirror" zone type change any of this? No. Tony. -- f.anthony.n.finch http://dotat.at/ safeguard the balance of nature and the environment __

Re: Forward zone inside a view

2019-02-07 Thread Tony Finch
Roberto Carna wrote: > > So how can I define "recursion yes" just for the zone "linux.org" ??? You can turn recursion on and off for the entire server, or per view, but not per zone. It isn't clear to me what you want this server to do. If it is providing DNS service to end-user devices (if it i

Re: Forward zone inside a view

2019-02-07 Thread Tony Finch
Roberto Carna wrote: > Dear Tony, I forward the "linux.org" queries from our private Bind to our > Bind resolvers (they have authoritative public zones and also they are > resolvers that forward the queries to 8.8.8.8). > > So why do you say they are authoritative only servers? Oh, I misread your e

Re: Forward zone inside a view

2019-02-07 Thread Tony Finch
Roberto Carna wrote: > Dear, I have Bind 9.10.3 as our private DNS service with two views, one of > them lets some clients query the linux.org domain from the Internet, forwarding > the query to our Bind resolvers, but the query is refused by our private > Bind. You can't forward to an authoritative-on

Re: Advice for DNS reverse zones

2019-02-06 Thread Tony Finch
Mik J via bind-users wrote: > I would like to know how do you manage reverse zones and the 10.x.x.x > zone particularly. Our setup is peculiar :-) https://www.dns.cam.ac.uk/domains/reverse/ten.html We basically set things up to reduce the number of zones we have to manage, and the zones are pop

Re: zone change notification Response: Not implemented

2019-02-06 Thread Tony Finch
AL RSM wrote: > The faulty slave responded with: "Reply code: Not implemented (4)" What software is it running? Is there a broken middlebox? Tony. -- f.anthony.n.finch http://dotat.at/ Southeast Iceland: Cyclonic 5 or 6 in south, otherwise easterly or northeasterly 7 to severe gale 9. Very

Re: incorrect section name: $ORIGIN

2019-02-05 Thread Tony Finch
@lbutlr wrote: > > No. I was under the impression that when bind reloaded (rndc reload > and/or service named stop/start and/or service named reload) and saw a > new serial number, it would generate a new .signed file for that zone as > part of the process of refreshing its information and notifyi

Re: incorrect section name: $ORIGIN

2019-02-05 Thread Tony Finch
@lbutlr wrote: > > OK, then how do I get Bind9.122 to update the .signed files? Did you see my previous message? https://lists.isc.org/pipermail/bind-users/2019-February/101335.html Tony. -- f.anthony.n.finch http://dotat.at/ Southeast Iceland: Easterly 7 to severe gale 9, occasionally stor

Re: incorrect section name: $ORIGIN

2019-02-04 Thread Tony Finch
@lbutlr wrote: > > # nsupdate -d -v -l example.com nsupdate doesn't take zone files as input; instead it takes a list of (incremental) changes. The "invalid section" error refers to keywords in nsupdate syntax which refer to parts of DNS UPDATE messages: the prereq section, the update section, et

Re: Refresh of the .signed DNSSEC file?

2019-02-04 Thread Tony Finch
@lbutlr wrote: > Based on having update-policy local; auto-dnssec maintain; in the zone, > when I make changes to example.com I was expecting that > example.com.signed will be refreshed. > > This doesn't seem to be happening. Are you doing `rndc freeze` and `rndc thaw` before and after editing the

Re: DNSSEC setup hint

2019-01-31 Thread Tony Finch
@lbutlr wrote: > > key-directory in named.conf refers to the location for the .private key > files, the .key files need to go with the domain conf files. In my setup, all the key files (.private and .key) are in the `key-directory`, all the zone files are in a "zone" directory, and configuration

Re: 0-TTL when querying "invalid" soa

2019-01-29 Thread Tony Finch
Tom wrote: > > We're running BIND-9.12.3-P1 on our authoritative servers and we have the same > behavior with 0-ttl with an invalid soa-query. Is this bind-specific? Why does > an invalid soa-record respond with 0-ttl in the authority-section? Funnily enough, this little obscurity came up elsewhe

Re: DNS Re-binding Attack Prevention with BIND

2019-01-28 Thread Tony Finch
Blason R wrote: > > not sure if that would take effect? Based on your description, neither am I, I'm afraid. Tony. -- f.anthony.n.finch http://dotat.at/ Trafalgar: North or northwest 5 or 6. Moderate or rough. Showers. Good.

Re: DNS Re-binding Attack Prevention with BIND

2019-01-28 Thread Tony Finch
Blason R wrote: > > Can someone guide me on prevention and possible configuration in BIND from > DNS Re-bind attack? Have a look for "rebinding" in https://ftp.isc.org/isc/bind9/9.12.0/doc/arm/Bv9ARM.ch06.html There is evidence that very few people are using `deny-answer-aliases` https://kb.isc.

Re: RNDC Stats

2019-01-25 Thread Tony Finch
N. Max Pierson wrote: > > Under Incoming Requests it has QUERY's among some other stats. Is this > the total queries across all zones? If it is, it doesn't seem to add up > to what the total of each zone added together in the per zone stats. Hmm, good question. I suspected it might be something t

Re: RPZ question autoritative/recursive servers

2019-01-22 Thread Tony Finch
Mik J via bind-users wrote: > For a zone that I own, the "recursive" servers forward the request to > the authoritative server. Beware: when you are forwarding the target server must be a recursive server. If you want to "forward" to an authoritative-only server, you must use "static-stub" zo

Re: Authoritative DNS High Memory Usage

2019-01-22 Thread Tony Finch
Jordan Tinsley wrote: > > DNS01 has extremely high memory usage while DNS02 has memory usage around > 50% and fluctuates up and down. I have seen some cases where reconfiguring the server (e.g. adding/removing views) can cause it to reconstruct all its zone configuration. Although the old zone da

RE: BIND DNS Enable audit logs - Authoritative

2019-01-11 Thread Tony Finch
Daniel Dawalibi wrote: > > We edit our zones manually (not through panel interface), is it possible to > log DNS updates in this case? I would recommend using version control: git, mercurial, subversion, even RCS is better than nothing! Best time to start is about 25 years ago; second best time i

Re: BIND DNS Enable audit logs - Authoritative

2019-01-08 Thread Tony Finch
Daniel Dawalibi wrote: > > Is it possible to enable the audit logs on BIND DNS so we can track changes > performed on the DNS records level (Add/Delete/Modify A,MX,NS,. records)? You can get that by default, depending on how the changes were performed. If you use `nsupdate` or some other dynamic

Re: BIND and persistent connections

2018-12-19 Thread Tony Finch
Browne, Stuart via bind-users wrote: > > I was wondering if anybody had any thoughts on how to limit the > concurrency or at least the lifetime of these persistent connections > within BIND. If you are running BIND 9.12, you have a bunch of new options related to RFC 7827 EDNS TCP keepalive (see

Re: Socket buffer space?

2018-12-11 Thread Tony Finch
Havard Eidnes wrote: > > I don't suppose there exists a configuration option in BIND which > corresponds to Unbound's so-rcvbuf: and so-sndbuf: configuration > options? There is only `./configure --with-tuning=large` which enables more sockets and bigger socket buffers. (I thought I also needed t

Re: dnssec - rndc list

2018-12-10 Thread Tony Finch
Leonardo Oliveira Ortiz wrote: > > I'm configuring DNSSec with nsec3, when I run the first rndc signing > -list I can check the keys, but when I restart the named service this > command shows nothing... Is this a problem? No, it's benign. When `named` is signing a zone it puts a couple of extra recor

Re: no port randomization with dig over IPv6 on mac os

2018-12-10 Thread Tony Finch
Warren Kumari wrote: > I’m also wondering *how* it is doing this — to increment by 2 it sounds > like there is state being kept - perhaps dig simply relies on the kernel > for the source port and isn’t randomizing at all ( and so the difference is > actually OS difference, and not dig differences

Re: dig @ipv6-address

2018-11-29 Thread Tony Finch
Christian Weiske wrote: > > $ dig -v > DiG 9.10.3-P4-Debian weird, it does the right thing for me: $ dig @2a01:488:66:1000:53a9:2dde:0:1 dotat.at ; <<>> DiG 9.10.3-P4-Debian <<>> @2a01:488:66:1000:53a9:2dde:0:1 dotat.at ; (1 server found) ;; global options: +cmd ;; connection timed out; no serv

Re: dig @ipv6-address

2018-11-29 Thread Tony Finch
Christian Weiske wrote: > > I only get an error when running dig: > > > $ dig @2a01:488:66:1000:53a9:2dde:0:1 cweiske.de > > couldn't get address for '2a01:488:66:1000:53a:53': not found That's weird, it works for me. Are you using vanilla `dig` or a Linux distro version? Tony. -- f.anthony.n.f

Re: suffix translation

2018-11-28 Thread Tony Finch
Joel Linn wrote: > or generate a CNAME on the fly "someservice.old.local. IN CNAME > someservice.int.new.com." for every request it gets. You can do this with a DNAME record :-) i.e. set up your stunt DNS server with a zone like zone old.local { type master;

Re: BIND9.11.4-P1] What happens Combination with dnssec-enable yes; dnssec-validation no; in named.conf

2018-11-19 Thread Tony Finch
Sunghwan Kim(IBI) wrote: > > I would like to know what happens if dnssec-enable yes; dnssec-validation > no; in named.conf are being set. > > Does it come SERVFAIL? No. (But see * below...) `dnssec-enable` is to do with handling of DNSSEC records and query flags: setting and recognizing the

Re: DNS Query from different Subnet

2018-11-15 Thread Tony Finch
sethologik wrote: > > Is there an option in BIND9 which needs to be set when I want to get full > query answers from different subnets or something like that? Exactly, yes :-) In your options section, put allow-query { x.x.98.0/24; x.x.99.0/24;

Re: Common zone file, on multiple views

2018-11-13 Thread Tony Finch
Sabri MJAHED (VINC) wrote: > > I don't have the -l option on the named-checkconf command. > > My version of bind is 9.11 Oh, it seems you need 9.12. Your other option is to parse a zone list out of your other config files with a bit of perl, which is what I did previously. Tony. -- f.anthony.n.

Re: Method of writing zone files

2018-11-12 Thread Tony Finch
Marcus Frenkel wrote: > > I need to know how BIND writes to slave zone files after zone has been > updated. Does it modify the file in place or does it replace the file with a > new one at once? Changes are written to a journal append-only style. Every so often the master file is rewritten to incorpora

Re: Common zone file, on multiple views

2018-11-12 Thread Tony Finch
Sabri MJAHED (VINC) wrote: > I want to have the same zone on multiple views, but I didn't find any solution > that ease the use of this. I have scripts that generate in-view configurations. In order to make these scripts easier to write, I contributed the `named-checkconf -l` feature which lists

Re: Enforcing minimum TTL...

2018-10-26 Thread Tony Finch
Grant Taylor via bind-users wrote: > Is there a way to enforce a minimum TTL? Not without changing the code along the lines of https://salsa.debian.org/dns-team/bind9/blob/master/debian/patches/10_min-cache-ttl.diff Tony. -- f.anthony.n.finch http://dotat.at/ champion the freedom, dignity,

Re: resolve - send query via specific network device

2018-10-24 Thread Tony Finch
Stern, Eli wrote: > Using the client side of Bind in a similar manner to the "resolve" > sample (resolve.c). > > How does one force the queries to be sent via a specific network device? Look at the -b option in `lib/sample/resolve.c`. Tony. -- f.anthony.n.finch http://dotat.at/ Rockall, Mal

Re: Get Trace of Server Recursive Queries

2018-10-13 Thread Tony Finch
Bahram Bahrambeigy wrote: > > I was wondering if it is possible to get the full log of individual > recursive queries that Bind server makes. > For example step by step from root servers to the final name server. > I am aware of "dig +trace" command but it is from users perspective, not > servers.

RE: BIND and UDP tuning

2018-09-27 Thread Tony Finch
Browne, Stuart via bind-users wrote: > - { name: 'net.ipv4.tcp_sack', value: 0 } Why? SACK is super important for TCP performance over links that have any degree of lossiness, and I don't recall hearing of any caveats. Tony. -- f.anthony.n.finch http://dotat.at/ a just distribution of

RE: BIND DNS problem (?)

2018-09-26 Thread Tony Finch
Jukka Pakkanen wrote: > Now got some more debug info, but does it help finding out why we get > the server failure? The DNS servers for smg.brightmail.com are broken. They drop most queries which causes all sorts of problems. Tony. -- f.anthony.n.finch http://dotat.at/ Humber, Thames: South

Re: domain's own a record(s)

2018-09-24 Thread Tony Finch
lejeczek via bind-users wrote: > client @0x7fd7a40f2e40 127.0.0.1#9489/key nsupdate_key: updating zone > 'dom.local/IN': update failed: rejected by secure update (REFUSED) > > I'm hoping that I can add another A record to dom.local. > What is the problem here? I must be something obvious, right?

Re: zone transfer delay

2018-09-21 Thread Tony Finch
project722 wrote: > Sounds like to me you are saying that the server would return the updated > data, because it's in the journal file, regardless of whether it's made it > into the regular zone file yet. Yes, that's how it works. Tony. -- f.anthony.n.finch http://dotat.at/ South Fitzroy: Var

Re: zone transfer delay

2018-09-21 Thread Tony Finch
project722 wrote: > But the slave still takes @15 minutes for the new data to get populated > in the file. Use `dig axfr` or `named-compilezone -j` to get the server's view of the zone. Zone updates are written to a journal and are not incorporated into the zone file immediately. Tony. -- f.an
