Re: Enable systemd hardening options for named

2018-01-16 Thread Tony Finch
Robert Edmonds wrote: > > I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE > during the process runtime permits open-ended reloading of the config at > runtime (e.g., binding to a new IP address on port 53 without needing to > restart the daemon). BIND

Re: Enable systemd hardening options for named

2018-01-15 Thread Tony Finch
Ludovic Gasc wrote: > > 1. The list of minimal capabilities needed for bind to run correctly: > http://man7.org/linux/man-pages/man7/capabilities.7.html named already drops capabilities - have a look at the code around here:

Re: response-rate-limiting - "window" explained?

2018-01-09 Thread Tony Finch
Bob Harold wrote: >That's a good test, with the default window of 15 seconds, but could you > please repeat it with a window like 120, and see if it changes > accordingly? With a window of 5 I got a recovery time of 6s. Tony. -- f.anthony.n.finch

Re: response-rate-limiting - "window" explained?

2018-01-09 Thread Tony Finch
Tom wrote: > > Slip is set to "0" (always drop). After stopping the flood, I'm immediately > able to query the same record (www.example.com) with a positive answer. Does > the "window 5;" or "window 30;" or "window 3600;" possibly have no effect? The script below works for

Re: IPV6 & BULK DNS Resource Records

2018-01-09 Thread Tony Finch
Neil wrote: > > would be very valuable for IPv6 PTR record creations without using the > memory consuming $GENERATE directive. There's no need for blanket IPv6 reverse DNS. Only set up reverse DNS for your statically allocated v6 addresses. Leave everything else with no

Re: response-rate-limiting - "window" explained?

2018-01-09 Thread Tony Finch
Tom wrote: > > If I set the "responses-per-second 5;" and the "window 30;", then begin > flooding (the responses are correctly dropped), then stop flooding, then > querying the nameserver from the same source for the same RR, I'll get > immediately the right answer. > > Any

Re: response-rate-limiting - "window" explained?

2018-01-08 Thread Tony Finch
Tom wrote: > Mmmh...I can't verify the meaning of the "window"-value. In my flood-tests, it > makes no difference if I set this value to 5 or 60 or even 3600. You'll only notice the window if you pause your flood test - it's basically the recovery time. (This is why the

Re: response-rate-limiting - "window" explained?

2018-01-05 Thread Tony Finch
Tom wrote: > Could someone explain the problem here? Why do I never have to wait longer > than about 5s until I'm able to query the nameserver from the unique client > with the same query again? The 60s is the delay after a client has stopped making queries when the

Re: Question about: "rate-limit: stop limiting responses to 1.1.1.0/24 for www.example.com"

2018-01-04 Thread Tony Finch
Tom wrote: > Why does this log entry only appear about 60-65 seconds later, after > I've stopped the "test"-attack (confirmed multiple times..)? There's a hardcoded cleanup timeout of 60 seconds. The extra is (I think) due to the time needed to make the token bucket

Re: Keeping dynamic and static zone data separated

2018-01-03 Thread Tony Finch
Matthias Pigulla <m...@webfactory.de> wrote: > Tony Finch wrote: > > > Best solution is to put the dynamic stuff in a subdomain so it can be > > in a separate zone. > > Unfortunately, I need to have a final result of dynamic-rr.myzone.tld and > static-rr.myz

Re: Keeping dynamic and static zone data separated

2018-01-03 Thread Tony Finch
Matthias Pigulla wrote: > > So, how do you handle the situation of mixed static and dynamic RRs? Is > there another way to keep these separated and possibly under version > control? Best solution is to put the dynamic stuff in a subdomain so it can be in a separate zone.

Re: questions about rndc zonestatus

2017-12-19 Thread Tony Finch
Klaus Darilion wrote: > > Unfortunately the slave-status is not dumped, e.g. if the zone is in > sync, if SOA refresh-checks succeed, if XFRs succeed? I agree this could be improved. > Further, I would like to know if there are existing tools to parse the >

Re: Daisy chaining slaves

2017-12-18 Thread Tony Finch
Mark Andrews wrote: > The expiry inflation can be removed if you use servers that support > the EDNS EXPIRE option. Ooh, I forgot about that, thanks for the reminder! (It's reassuring too, because it means my secondaries should never serve expired RRSIGs despite my chained

Re: Max slaves limit?

2017-12-18 Thread Tony Finch
Bob McDonald wrote: > I've seen cases where folks have added all of the Domain Controller > addresses for an AD forest to the NS list for a domain. This results in > huge TCP response packets for ALL requests to that domain. You can safely reduce the size of answers using

Re: Daisy chaining slaves

2017-12-18 Thread Tony Finch
vijay bommareddy wrote: > > I generally do multiple slaves to a set of masters. But I'm just wondering > if daisy chaining slaves, i.e. slave to a slave to a slave to a master, is a > good practice in general? What are the pros and cons of it? In my setup there are a couple of

Re: Max slaves limit?

2017-12-18 Thread Tony Finch
Barry Margolin wrote: > vijay bommareddy wrote: > > > > Can someone tell me how many slaves BIND technically > > supports? Is there a maximum limit per master server? > > Why would there be any limit? The master doesn't need to keep track

Re: DNSSEC validation without current time

2017-12-15 Thread Tony Finch
Petr Menšík wrote: > > This is related to booting with an NTP client, when the only configuration > is a hostname that has to be resolved. There is a bit of a circular dependency. Yes, awkward, and there still aren't any convincing answers. One of the more interesting projects is

Re: Reverse Zone, Can It Be One Big Class B?

2017-12-01 Thread Tony Finch
Ray Bellis wrote: > > The main thing you may wish to consider is whether you ever wish to > DNSSEC sign your reverse zones. > > If you do, the zone cut on the parent name servers (which is where the > DS records would be) must match the zone cut on your own servers, which > would

Re: localhost entries in zones, was Re: Domain Not Resolving

2017-11-21 Thread Tony Finch
Reindl Harald wrote: > > interesting - but however "administrators often mistakenly drop the trailing > dot" is nonsense Yeah that's irrelevant, but it doesn't change the conclusion that localhost entries in zones are harmful and unnecessary. Tony. -- f.anthony.n.finch

localhost entries in zones, was Re: Domain Not Resolving

2017-11-21 Thread Tony Finch
Reindl Harald wrote: > Am 21.11.2017 um 14:42 schrieb G.W. Haywood via bind-users: > > The address for localhost (127.0.0.1) should be in /etc/hosts, > > not in your zone file, and very probably it already is > > that part is not true > >

Re: Domain Not Resolving

2017-11-20 Thread Tony Finch
Ron Wingfield wrote: > ns1 IN A 162.202.233.81 > ns2 IN A 162.202.233.81 This address isn't responding to DNS queries. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h

Re: EDNS0 client subnet in BIND 9.10

2017-11-10 Thread Tony Finch
Ben Croswell wrote: > > I have looked through the ARM and found references to setting the option in > a dig. However I was not able to locate options for sourcing that option on > the DNS server. BIND currently supports ECS on authoritative servers in ACLs for selecting

Re: Bind/Named 9.9 auth-nxdomain question

2017-11-10 Thread Tony Finch
Filipe Cifali wrote: > > I'm trying to have an Auth Server that says the auth flags ('aa') even on > NXDOMAIN. BIND (well, all DNS servers) have to do that. It doesn't need to be configured. See the first example dig output below. However the example query in your first

Re: Bind/Named 9.9 auth-nxdomain question

2017-11-10 Thread Tony Finch
Filipe Cifali wrote: > > I need to make an authoritative server that gives 'AA' flags to every query, I > would need to set only auth-nxdomain right? Don't use auth-nxdomain, it has been obsolete for 15 years. > I'm running this config: That looks like a recursive

Re: search algorithm in DNS

2017-11-09 Thread Tony Finch
Paul Kosinski wrote: > Exact matching needs a search algorithm too. Maybe Munkhbaatar is after something like: http://www.zytrax.com/books/dns/ch2/#queries Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Biscay, Fitzroy: North 4 or 5,

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-11-01 Thread Tony Finch
Mark Andrews wrote: > > More correctly _tcp.mail.thesandiegos.com is delegated to > ns1._tcp.mail.thesandiegos.com (75.149.33.153) but the machine is > not configured to serve that zone. This also explains the puzzling check-names problem earlier - ns1._tcp.mail.thesandiegos.com

Re: RPZ and static stubs

2017-10-31 Thread Tony Finch
Trevor Woolley wrote: > > The issue lies with RPZ's and static stubs. > > Required functionality: Override main domain for some entries, but allow > look ups for the main domain if not located in the RPZ rewrite zone file. This caught my eye because I want this to work

Re: need another pair of eyes: edu/net (educause?) glue issues?

2017-10-19 Thread Tony Finch
Michael Hare wrote: > > It appears that there is some bad glue "somewhere" and I'm having > trouble finding where it is coming from. This is a weird case. The .edu registry is semi-linked to the .com/.net registry in some way - I am vague about the details. We're also

Re: Forwarding from delegated zone not working

2017-10-10 Thread Tony Finch
seanliam73 wrote: > > I know the forwarding is working because I can query the main bind9 > instance and receive the expected results. However if I query from the AD > server that is doing the delegation I get a SERVFAIL error. I guess one possible cause for this problem

Re: response-policy zones from spamhaus.org

2017-10-09 Thread Tony Finch
MAYER Hans wrote: > > I also tried to define these records in my own RPZ and hoping it has > higher priorities. It should work if you put your passthru RPZ before any blocking RPZs. A tangential aside... The ordering in a response-policy section can affect performance,

Re: SOA serial increment when we update SOA RR

2017-10-04 Thread Tony Finch
rams wrote: > > When we change any resource record like A or , then the SOA serial number > gets incremented. But if we update only the SOA record, does the serial number of the SOA > remain the same as before, or will the serial number of the SOA increment? It needs to increment, yes, because that's

Re: Issue with DNSSEC (BIND 9.10.3-P4-Raspbian )

2017-10-02 Thread Tony Finch
Dirk Gottschalk via bind-users wrote: > > The bind.keys file is available and I set dnssec-validation and dnssec- > lookaside to auto. That should work - however you should omit dnssec-lookaside since it does not do anything any more. I also prefer not to have a

Re: about build-in server information zones

2017-09-29 Thread Tony Finch
Sun Guonian via bind-users wrote: > I have a problem: I want to conceal the host information from the > Internet, but want it to be visible to a special client. I know it could > be realized via BIND views, but I would need to create a special CHAOSNET zone for > every BIND instance,

Re: getting two rrsigs for dnskey after ksk rollover

2017-09-21 Thread Tony Finch
> On 20 Sep 2017, at 15:32, rams wrote: > > We are getting two RRSIGs and 3 DNSKEY [ 1-256 and 2-257] when we do KSK > rollover. Is it correct we are returning two RRSIGs for DNSKEY? Yes :-) There are multiple ways to do a KSK rollover: you are doing a double-KSK

Re: R: Logging resolved IP

2017-09-20 Thread Tony Finch
Job wrote: > > Do you also know if it can slow down performance or if it is fully transparent? I haven't given dnstap a serious test I am afraid. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Forties, Cromarty, Forth, Tyne,

Re: Logging resolved IP

2017-09-19 Thread Tony Finch
Mukund Sivaraman wrote: > On Tue, Sep 19, 2017 at 05:16:36PM +0200, Job wrote: > > > > is there a way to log resolved IP in Bind log files? > > I am able to do it with tcpdump, but I do not like a "sniffering" solution! > > Turn up logging level to over 10, such as named -d 11. It

Re: Automatic Key Management

2017-09-18 Thread Tony Finch
Mark Elkins wrote: > > On my side, I can 'import' the KSK from the properly signed zone, > Generate the DS record and EPP it up to the Registry. That all works > fine, currently with the push of one (web) button. Will change/add this > to something RESTful. Then, for full

Re: Automatic Key Management

2017-09-14 Thread Tony Finch
Mark Elkins wrote: > With BIND version 9.12 coming out - I'm wondering if I've missed any > announcements on some form of Automatic (DNS)Key Management? > Something that will create and retire keys according to some sort of policy. See dnssec-keymgr (new in 9.11) which will

Re: What is wrong with my second $ORIGIN

2017-09-14 Thread Tony Finch
Mukund Sivaraman wrote: > > Missing a trailing period(.) Here's a fun trick to avoid making this mistake: use FQDNs everywhere in the zone file, and use the directive $ORIGIN . so that it doesn't matter whether you have the trailing . or not. Downside, of course, is that

Re: Testing...

2017-08-30 Thread Tony Finch
Grant Taylor wrote: > > There is additional footer content (as well as headers) in messages from the > mailing list. > > Does Gmail detect that and ignore it? Or is the message simply folded into > the conversation in Gmail? No, I believe deduplication is based

Re: Testing...

2017-08-30 Thread Tony Finch
Alan Clegg wrote: > > It appears that I just don't see my own posts for whatever reason. 8-) You seem to be using Gmail which does de-duplication across all messages in your account, so your messages received from the list are deleted since they are duplicates of the copies in

Re: bind-chroot, runs, works, dies

2017-08-30 Thread Tony Finch
Petr Mensik wrote: > > But presence of pid files also work as notification of completed > initialization (which is done BEFORE forking and finishing ExecStart > command). named writes its pidfile relatively early during startup. The parent doesn't exit until the child daemon

Re: dnssec validation issue

2017-08-30 Thread Tony Finch
Ganga R. Dhungyel wrote: > > **debug log > > 23-Aug-2017 16:17:57.567 dnssec: debug 3: > validating @0x7f3ffc96e4d0: www.vip.icann.org A: > attempting insecurity proof > > With dnssec-validation turned on, resolving sites like www.icann.org fails. I think that

Re: Adding DS Records for Subdelegated Domains

2017-08-04 Thread Tony Finch
rams wrote: > we have two scenarios as follows. Is there any chance to copy DS records > through AXFR or any other method to copy child DS records into the parent > zone. Sort of... > Scenario 1: > > Customer has domain2.com on Bind1 signed with DS records for domain2.com at

Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Tony Finch
Tom Browder wrote: > I want to host my own DNS servers, but I need the master to share Bind with > other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3. It's how we did things in the 1990s :-) Tony. -- f.anthony.n.finch http://dotat.at/

Re: Automatic RRSIG Refresh in BIND 9.8.2

2017-07-12 Thread Tony Finch
Latitude wrote: > > Should DNSSEC key signing keys and zone signing keys also be located in a > directory inside the /dynamic directory? Would it be acceptable to have them > in a directory such as /var/named/chroot/etc/keys/dnssec? On my master server I have zone

Re: "spare hosts" as personal DNS nameservers for 'mynew.org'

2017-07-12 Thread Tony Finch
b...@zq3q.org wrote: > One of my real hosts is below xen.prgmr.com, like the fake 'zap' above, > so I would have to email prgmr.com support to get them to add > > mynew.org. IN NS zap.xen.prgmr.com. > ^^^ << Is this valid? > > to the

Re: "spare hosts" as personal DNS nameservers for 'mynew.org'

2017-07-11 Thread Tony Finch
b...@zq3q.org wrote: > I have several linux VMs, that are under used, so I want to use them > for the nameservers for 'mynew.org'. Neither are in 'mynew.org'; > is that going to work? Yes, that is perfectly normal. For example, $ dig +noall +answer ns dotat.at dotat.at.

Re: different result between normal query and zone transfer

2017-07-10 Thread Tony Finch
Reindl Harald wrote: > > well, bind10 is dead so far and at least no longer an ISC project Catalog zones are a BIND 9.11 feature. https://kb.isc.org/article/AA-01432/81/BIND-9.11.0-Release-Notes.html#relnotes_features Tony. -- f.anthony.n.finch

RE: different result between normal query and zone transfer

2017-07-10 Thread Tony Finch
Darcy Kevin (FCA) wrote: > There is no "automatic" mechanism within BIND to tell replicas to start > slaving new zones. Fans of new features pop up in response to say, you might be able to use catalog zones to automatically configure replication :-)

Re: RPZ zone name label length limit

2017-06-29 Thread Tony Finch
Jim Yang wrote: > > What is the DNS name label length limit? As per RFC 1035, it is 63 > characters. I tested a few DNS names that contain a label that is > longer than 63 characters, and found that these records were > successfully loaded in the RPZ zone. On the wire the length

Re: Problem w/ Forwarding Zone in Caching-Only Config

2017-06-28 Thread Tony Finch
Mark Andrews wrote: > > See https://tools.ietf.org/html/rfc6763 for details of how it is > designed to work. Section 11 shows how to go from IP address and > netmask to the forward domain where the _dns-sd._udp subdomains > reside. > > lb._dns-sd._udp.0.43.168.136.in-addr.arpa PTR

Re: difference in responses between UDP and TCP

2017-06-15 Thread Tony Finch
Arun Natarajan wrote: > > any idea? Without knowing the server host name and zone name there could be lots of different reasons, so there isn't really any way to answer. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Dover: Southwest 5 to

Re: BIND 9.11.x build failing on Mac OS X - gssapi errors

2017-06-15 Thread Tony Finch
James Brown via bind-users wrote: > > If I use: > > ./configure --with-atf —without-gssapi > > I get it failing with: > > Undefined symbols for architecture x86_64: > "_gss_accept_sec_context", referenced from: Looks like you need to `make clean` to get rid of old

Re: Automatic RRSIG Refresh in BIND 9.8.2

2017-06-14 Thread Tony Finch
Latitude wrote: > > I have read in Michael W. Lucas' DNSSEC Mastery book that BIND 9.9 and newer > can automatically sign zones and refresh signatures (RRSIGs), but older > versions cannot (p. 53). That isn't entirely correct: BIND has had automatic signing since 9.7

Re: Match destinations (port)?

2017-06-09 Thread Tony Finch
Job wrote: > > is it possible to match "destination port" in view clauses, instead of > "destination ip"? I don't believe so, but instead you might be able to run a second instance of BIND listening on the other port. Tony. -- f.anthony.n.finch

Re: named-checkzone with multiple $ORIGIN

2017-06-05 Thread Tony Finch
Bernard Fay wrote: > > should I understand while using named-checkzone I need to enter *only* > the top domain and named-checkzone will understand the subdomains > defined by the multiple $ORIGIN in the zone file? Yes, named-checkzone basically just loads the zone file

Re: named-checkzone with multiple $ORIGIN

2017-06-05 Thread Tony Finch
Bernard Fay wrote: > > I took control of a DNS based on Bind 9.9. One of the zone files has > multiple $ORIGIN, for example: The key thing to understand is that $ORIGIN just controls how unqualified domain names are expanded into fully-qualified domain names. In

Re: named-compilezone errors

2017-05-30 Thread Tony Finch
Chris Buxton wrote: > dns_master_load: example.com.dns:6785: bad escape > dns_master_load: example.com.dns:6789: bad escape > > mhtswfw-dellfi01\342\200\223mgmt A 10.152.224.231 > mhtswfw-dellfi02\342\200\223mgmt A 10.152.224.232 Snigger. That's an en dash (U+2013,

Re: inline-signing a zone that exists in two views

2017-05-10 Thread Tony Finch
Gordon Messmer wrote: > > I'm happy that it's working, but it seems like it was fairly difficult to get > right. Am I doing an unusual thing? Yes, it is fiddly, and a relatively common problem - which is why in-view was introduced! > Is it considered best-practice (or

Re: Aw: Re: CNAME with RPZ pointing to RPZ A record ?

2017-05-09 Thread Tony Finch
devz...@web.de wrote: > > I'm curious why it doesn't work with an rpz zone like normal zones. The RPZ machinery (mostly) works between getting an answer and returning it to a client, which is why it is called "response policy". At the moment it is a one-shot thing, but you are

Re: CNAME with RPZ pointing to RPZ A record ?

2017-05-09 Thread Tony Finch
devz...@web.de wrote: > > We use lots of CNAME aliases for server virtual host name aliases, i.e. > > myserver IN A 1.2.3.4 > myserver-vhost1 IN CNAME myserver. > myserver-vhost2 IN CNAME myserver. > myserver-vhost3 IN CNAME

Re: bind unexpectedly quit, how to debug

2017-05-09 Thread Tony Finch
Paul Seward wrote: > > I thought I might get that sort of response, I'm not so much asking for a > fix as asking how I can find more information. It'll be one of the 42 CVEs in the table at the top of this page:

Re: inline-signing a zone that exists in two views

2017-05-09 Thread Tony Finch
Gordon Messmer <gordon.mess...@gmail.com> wrote: > On 05/08/2017 03:26 AM, Tony Finch wrote: > > You can't have zones in different views (which are by implication > > different zones, or different versions of the same zone) pointing to the > > same files on disk, bec

Re: inline-signing a zone that exists in two views

2017-05-08 Thread Tony Finch
Gordon Messmer wrote: > I have a zone that I'd like to serve in two different views, with dnssec in > both views. You can't have zones in different views (which are by implication different zones, or different versions of the same zone) pointing to the same files on

Re: error when removing expired key files

2017-05-08 Thread Tony Finch
Gordon Messmer wrote: > > After new keys are introduced, and after the old key has expired, Wait right there! dnssec-settimes has two times that are usually relevant to the old key when rolling keys: the retire time and the delete time. (There's also a revocation time

Re: Allowing DNS to listen only on UDP

2017-04-21 Thread Tony Finch
Harshith Mulky wrote: > > Is there an easy way to turn off/disable the DNS server so that it stops > listening for requests over TCP, and turn it on whenever required? It is always required :-) As well as what Reindl said, you might like to look at:

Re: Slow zone signing with ECDSA

2017-04-20 Thread Tony Finch
Mark Andrews wrote: > > DSA requires random values as part of the signing process. Traditionally, yes, but it isn't actually required - https://tools.ietf.org/html/rfc6979 (PuTTY has been using deterministic DSA since 2001, because of problems with obtaining random numbers on old

Re: views

2017-04-19 Thread Tony Finch
Grant Taylor via bind-users wrote: > > The only occurrences I found for "ecs" on the two release notes didn't > include more details about how to configure views to use it. Yes, it's a bit mysterious. > Nor did I see details on how to have BIND send ECS with queries

Re: views

2017-04-19 Thread Tony Finch
Alberto Rinaudo wrote: > I have a bind installation on an AWS server and I'm trying to set up views > to give different responses based on the source location. > > It works fine when this dns server is the first dns used by a client, I > guess because the source address

Re: Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

2017-04-11 Thread Tony Finch
Manuel Ramírez wrote: > > I would like to allow queries for specific blogspot.com subdomains and > block the rest of the queries. > Any idea about how I can achieve my goal? I think this should be easy to achieve with RPZ. Tony. -- f.anthony.n.finch

Re: Unable to slave root zones

2017-04-07 Thread Tony Finch
Mark Knight wrote: > I've just noticed (after the slave zones expired), that the root name servers > have been refusing my zone transfer requests since the end of March. This is because Cloudflare are now helping isc.org to host f.root-servers.net, and the Cloudflare instances

Re: bind-dyndb-ldap integration

2017-03-27 Thread Tony Finch
Hika van den Hoven wrote: > > Running named with `-d 10 -g -u named` from the command line got me > some more info but I still do not understand what goes wrong. I looked at this, but I can't work out what the problem is either. Something mysterious is going wrong inside

Re: response-rate-limiting - "window" explained?

2017-03-27 Thread Tony Finch
Tom wrote: > Can someone explain the behaviour of "window" in the rate-limit-context? It basically determines the time after a client that was querying very fast but then stopped is allowed to receive responses again. When a client repeats a query, its counter is

Re: Bind master keeps saying it is not authoritative

2017-03-02 Thread Tony Finch
Xavier Humbert wrote: > > I'm really lost. I've configured dozens of DNSs with no such problems. > Did I miss something obvious ? I can't see anything obvious... Did you obfuscate the zone name so we can't see if there's a typo? Tony. -- f.anthony.n.finch

Re: "chase DS servers" while setting up a Split-DNS-Server with static-stub

2017-02-14 Thread Tony Finch
Johannes Kastl wrote: > > client 192.168.99.2#22059 (ojkastl.de): query (cache) 'ojkastl.de/DS/IN' > denied > > Is this actually something to worry about? It's annoying but benign. The recursive server is sending DS queries to the wrong server, to the child zone's server (from

Re: allow-notify in catalog zones?

2017-02-01 Thread Tony Finch
Wolfgang Gehrke wrote: > BIND 9.11 introduces catalog zones to simplify the management of slave > servers. The documentation just mentions support for the "masters" (also > with key), "allow-query" and "allow-transfer" options within the > contents of a catalog

Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

2017-01-26 Thread Tony Finch
Wolfgang Riedel wrote: > > Just wonder if someone had success compiling bind-9.11.0-P2 on Debian 9.0 > (stretch)? I haven't tried it myself. > 1) OpenSSL dependency dance > > I removed OpenSSL 1.1 and compiled OpenSSL 1.0.2e from source You'll probably have better luck

Re: bind 9.8.2 "no valid signature found"

2017-01-26 Thread Tony Finch
Jim Garrison via bind-users wrote: > > Looking at the traffic with Wireshark, I see the RRSIG uses > ECDSA Curve P-256 with SHA-256. Should bind 9.8.2 be able to > recognize that algorithm or is a newer version of bind needed? The CHANGES file on the 9.8 branch says

Re: Question on Bind validating resolver

2017-01-26 Thread Tony Finch
Volker Janzen wrote: > > when my Bind resolver tries to get the A record for info.nominet.uk the > syslog gets lots of messages like this: > > Jan 25 21:15:52 box named[25097]: DNS format error from 173.245.58.93#53 > resolving info.nominet.uk/DS:

Re: Bind Queries log file format

2017-01-25 Thread Tony Finch
Michael Dahlberg wrote: > I can discern what almost all of the fields signify except for the > part "@0x7f6450002ef0". It's the address in memory of the data structure representing the client. It is mentioned in the CHANGES file (#4471) and in the release notes - see

Re: synthetic DNS64 response for sync-na.dyn.itg.com

2017-01-23 Thread Tony Finch
Stephan Lagerholm wrote: > Mark I hear you but who gets called when a domain is not working on > provider A that is v6 only but works fine on provider B that is still v4 > only? I wonder if you can work around this kind of problem with RPZ - though I have no idea if the

Re: How to get the CNAME for a domain?

2017-01-10 Thread Tony Finch
Michelle Konzack wrote: > > OK, I can grep the whole /etc/bind/master/ directory, but since my Name > Server is responsible for several 1000 (sub)domains, the execution of > the script takes ages! Your approach seems reasonable to me. I'm surprised it takes that

Re: Need feedback on RPZ service setup

2017-01-05 Thread Tony Finch
> On 5 Jan 2017, at 22:09, Lars Kulseng wrote: > > Any other thoughts on the naming of the zone? If I wanted to obfuscate the > name, I could use a reserved TLD like .test or .invalid. This would never > appear in the wild. Ah. Well. You explained your reason for

Re: Fwd: Need feedback on RPZ service setup

2017-01-05 Thread Tony Finch
Lars Kulseng wrote: > > I wasn't aware that the ACL-clause could include TSIG-keys as well as > IP-addresses. So far I've been using the masters-clause to make the actual > list of servers and keys, but also using the server-clause. Perhaps the > server-clause is

Re: Need feedback on RPZ service setup

2017-01-05 Thread Tony Finch
Lars Kulseng wrote: > I am setting up BIND to be used as a way to disseminate RPZ-zones for use > by third parties. I would like some feedback on my setup. Overall it sounds very sensible to me. A few notes... > Access control is done by using TSIG-keys, with separate

Re: Few questions on Bind

2017-01-05 Thread Tony Finch
Debarghya Mandal wrote: > > 1. Is there a way to load custom DNS record from zone file? https://tools.ietf.org/html/rfc3597 Handling of Unknown DNS Resource Record (RR) Types It isn't very pretty, though :-) > 2. Once bind loads that data, for certain zones, for

Re: Comments on Root Key Rollover impact on BIND users

2016-12-12 Thread Tony Finch
Thomas Schulz wrote: > > I found that I had 'dnssec-enable yes' along with a managed-keys > statement with an initial-key. If I change to 'dnssec-enable auto' > do I still need a managed-keys statement? If not will it hurt to have > one? Can I have a managed-keys statement without

Re: Blocking reverse lookup queries for private ips

2016-11-22 Thread Tony Finch
Sachin Patil <04sac...@gmail.com> wrote: > I want to return nxdomain for any private ip reverse lookup. BIND does this by default. Look for "built-in empty zones" in https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html Tony. -- f.anthony.n.finch http://dotat.at/ -

Re: rndc addzone type forward

2016-11-16 Thread Tony Finch
Emil Natan wrote: > > I also compiled BIND 9.11.0rc3, but nothing changed, no more verbosity, > only the name of the .nzf file created changed from hash to plain text. Try 9.11.0-P1 which has a few changes since rc3. > Another finding is that the failure .nzf file is created,

Re: rndc addzone type forward

2016-11-16 Thread Tony Finch
Emil Natan wrote: > > I'm trying to add zone of type "forward" with rndc addzone, but it fails with: > > rndc addzone zone.org '{type forward; forward only; forwarders { > 192.168.20.115; }; };' > rndc: 'addzone' failed: not found I think this happens if you are using a

Re: Question on prod.msocdn.com

2016-11-09 Thread Tony Finch
Jim Glassford wrote: > > Doing dig +cd on prod.msocnd.com will get the CNAME, without +cd either > timeout or SERVFAIL depending on version of bind. It works for me with BIND 9.11 and 9.10.4-P4. There are some EDNS-related changes in 9.10 which might be why these versions are

Re: Zone removal messages

2016-10-31 Thread Tony Finch
Dns Administrator wrote: > > Though the querying appears to be correct, when I reload the dns server I > get the following message: > > 27-Oct-2016 09:31:29.208 general: info: zone ./IN: (static-stub) removed Yes, this log message is spurious. The reason seems to be that

Re: merging reverse zone data obtained from two different masters

2016-10-24 Thread Tony Finch
blrmaani wrote: > On Sunday, October 23, 2016 at 2:56:37 PM UTC-7, blrmaani wrote: > > > > We have hosts in two different zones but use same subnet. Zone1 is > > generated by Master1 and Zone2 is generated by Master2. > > > > Slave1 runs BIND and would like to merge the

Re: Running current version of bind in a jail?

2016-10-24 Thread Tony Finch
Tom wrote: > > What's the reason that it isn't necessary to run a modern version of bind in a > jail? chroot is a defence against privilege escalation following a remote code execution vulnerability. It isn't a very solid defence. And BIND 9 tends to die of a self-check

Re: Is BIND9 DNSSEC validation too strict?

2016-10-11 Thread Tony Finch
Daniel Stirnimann wrote: > > BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing > to validate the following non-existent domain name: > > dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec > > I believe, the reason for the validation error

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-10 Thread Tony Finch
Mark Andrews wrote: > Sebastian Wiesinger wrote: > > > > Thank you for explaining this for me. I was reading RFC6781, which I > > now realize is probably outdated in this regard so I was a bit > > confused. RFC 7583 (DNSSEC Key Rollover Timing) is also

Re: [Question] zone transfer not happening

2016-10-07 Thread Tony Finch
Eoin Kim wrote: > > So, all zone data files were created and when I restarted BIND the zone > transfer happens except for one zone - reverse zone for external view. I > checked the log file and it shows the following message. > > general: info: zone

Re: need clarification on "forward" behavior

2016-10-07 Thread Tony Finch
Veaceslav Revutchi wrote: > I see the server forwarding the query and it gets the answer below: > > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 > ;; > ;; ANSWER SECTION: > aaa.example.org. 200 IN CNAME bbb.example.net. > bbb.example.net. 60 IN

Re: bind caching data from additional section in responses

2016-10-07 Thread Tony Finch
ben thielsen via bind-users wrote: > > zone "example.com" { > type stub; > masters { > "example.com" ; > }; > }; > > masters "example.com" { > 192.168.81.50 ; > }; If you want a fixed set of master servers for a zone, use