Robert Edmonds wrote:
>
> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE
> during the process runtime permits open-ended reloading of the config at
> runtime (e.g., binding to a new IP address on port 53 without needing to
> restart the daemon).
BIND
Ludovic Gasc wrote:
>
> 1. The list of minimal capabilities needed for bind to run correctly:
> http://man7.org/linux/man-pages/man7/capabilities.7.html
named already drops capabilities - have a look at the code around here:
Bob Harold wrote:
> That's a good test, with the default window of 15 seconds, but could you
> please repeat it with a window like 120, and see if it changes
> accordingly?
With a window of 5 I got a recovery time of 6s.
Tony.
--
f.anthony.n.finch
Tom wrote:
>
> Slip is set to "0" (always drop). After stopping the flood, I'm immediately
> able to query the same record (www.example.com) with a positive answer. Does
> the "window 5;" or "window 30;" or "window 3600;" possibly have no effect?
The script below works for
Neil wrote:
>
> would be very valuable for IPv6 PTR record creations without using the
> memory consuming $GENERATE directive.
There's no need for blanket IPv6 reverse DNS.
Only set up reverse DNS for your statically allocated v6 addresses. Leave
everything else with no
Tom wrote:
>
> If I set the "responses-per-second 5;" and the "window 30;", then begin
> flooding (the responses are correctly dropped), then stop flooding, then
> querying the nameserver from the same source for the same RR, I'll get
> immediately the right answer.
>
> Any
Tom wrote:
> Mmmh...I can't verify the meaning of the "window"-value. In my flood-tests, it
> makes no differences, if I set this value to 5 or 60 or even 3600.
You'll only notice the window if you pause your flood test - it's
basically the recovery time. (This is why the
Tom wrote:
> Could someone explain the problem here? Why do I never have to wait longer
> than about 5s until I'm able to query the nameserver from the unique client
> with the same query again?
The 60s is the delay after a client has stopped making queries when the
Tom wrote:
> Why does this log entry only appear about 60-65 seconds later, after
> I've stopped the "test"-attack (confirmed multiple times..)?
There's a hardcoded cleanup timeout of 60 seconds. The extra is (I think)
due to the time needed to make the token bucket
Matthias Pigulla <m...@webfactory.de> wrote:
> Tony Finch wrote:
>
> > Best solution is to put the dynamic stuff in a subdomain so it can be
> > in a separate zone.
>
> Unfortunately, I need to have a final result of dynamic-rr.myzone.tld and
> static-rr.myz
Matthias Pigulla wrote:
>
> So, how do you handle the situation of mixed static and dynamic RRs? Is
> there another way to keep these separated and possibly under version
> control?
Best solution is to put the dynamic stuff in a subdomain so it can be in a
separate zone.
Klaus Darilion wrote:
>
> Unfortunately the slave-status is not dumped, e.g. if the zone is in
> sync, if SOA refresh-checks succeed, if XFRs succeed?
I agree this could be improved.
> Further, I would like to know if there are existing tools to parse the
>
Mark Andrews wrote:
> The expiry inflation can be removed if you use servers that support
> the EDNS EXPIRE option.
Ooh, I forgot about that, thanks for the reminder! (It's reassuring too,
because it means my secondaries should never serve expired RRSIGs despite
my chained
Bob McDonald wrote:
> I've seen cases where folks have added all of the Domain Controller
> addresses for an AD forest to the NS list for a domain. This results in
> huge TCP response packets for ALL requests to that domain.
You can safely reduce the size of answers using
vijay bommareddy wrote:
>
> I generally do multiple slaves to a set of masters. But I'm just wondering
> if daisy chaining slaves i.e slave to a slave to a slave to a master, a
> good practice in general? What are the pros and cons of it?
In my setup there are a couple of
Barry Margolin wrote:
> vijay bommareddy wrote:
> >
> > Can someone tell me, how many number of slaves does BIND technically
> > support? Is there a maximum limit per master server?
>
> Why would there be any limit? The master doesn't need to keep track
Petr Menšík wrote:
>
> This is related to booting with NTP client, when the only configuration
> is hostname that has to be resolved. There is a bit circle dependencies.
Yes awkward, and there still aren't any convincing answers. One of the
more interesting projects is
Ray Bellis wrote:
>
> The main thing you may wish to consider is whether you ever wish to
> DNSSEC sign your reverse zones.
>
> If you do, the zone cut on the parent name servers (which is where the
> DS records would be) must match the zone cut on your own servers, which
> would
Reindl Harald wrote:
>
> interesting - but however "administrators often mistakenly drop the trailing
> dot" is nonsense
Yeah that's irrelevant, but it doesn't change the conclusion that
localhost entries in zones are harmful and unnecessary.
Tony.
--
f.anthony.n.finch
Reindl Harald wrote:
> On 21.11.2017 at 14:42, G.W. Haywood via bind-users wrote:
> > The address for localhost (127.0.0.1) should be in /etc/hosts,
> > not in your zone file, and very probably it already is
>
> that part is not true
>
>
Ron Wingfield wrote:
> ns1 IN A 162.202.233.81
> ns2 IN A 162.202.233.81
This address isn't responding to DNS queries.
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h
Ben Croswell wrote:
>
> I have looked through the ARM and found references to setting the option in
> a dig. However I was not able to locate options for sourcing that option on
> the DNS server.
BIND currently supports ECS on authoritative servers in ACLs for selecting
Filipe Cifali wrote:
>
> I'm trying to have an Auth Server that says the auth flags ('aa') even on
> NXDOMAIN.
BIND (well, all DNS servers) have to do that. It doesn't need to be
configured. See the first example dig output below.
However the example query in your first
Filipe Cifali wrote:
>
> I need to make an authoritative server that gives 'AA' flags to every query, I
> would need to set only auth-nxdomain right?
Don't use auth-nxdomain, it has been obsolete for 15 years.
> I'm running this config:
That looks like a recursive
Paul Kosinski wrote:
> Exact matching needs a search algorithm too.
Maybe Munkhbaatar is after something like:
http://www.zytrax.com/books/dns/ch2/#queries
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Biscay, Fitzroy: North 4 or 5,
Mark Andrews wrote:
>
> More correctly _tcp.mail.thesandiegos.com is delegated to
> ns1._tcp.mail.thesandiegos.com (75.149.33.153) but the machine is
> not configured to serve that zone.
This also explains the puzzling check-names problem earlier -
ns1._tcp.mail.thesandiegos.com
Trevor Woolley wrote:
>
> The issue lies with RPZ's and static stubs.
>
> Required functionality: Override main domain for some entries, but allow
> look ups for the main domain if not located in the RPZ rewrite zone file.
This caught my eye because I want this to work
Michael Hare wrote:
>
> It appears that there is some bad glue "somewhere" and I'm having
> trouble finding where it is coming from.
This is a weird case. The .edu registry is semi-linked to the
.com/.net registry in some way - I am vague about the details.
We're also
seanliam73 wrote:
>
> I know the forwarding is working because I can query the main bind9
> instance and receive the expected results. However if I query from the AD
> server that is doing the delegation I get a SERVFAIL error.
I guess one possible cause for this problem
MAYER Hans wrote:
>
> I also tried to define these records in my own RPZ and hoping it has
> higher priorities.
It should work if you put your passthru RPZ before any blocking RPZs.
A tangential aside...
The ordering in a response-policy section can affect performance,
rams wrote:
>
> When we change any resource record like A or , then SOA serial number
> gets incremented. But if we update only SOA record, is serial number of SOA
> remain same as before or serial number of SOA will increment?
It needs to increment, yes, because that's
Dirk Gottschalk via bind-users wrote:
>
> The bind.keys file is available and I set dnssec-validation and
> dnssec-lookaside to auto.
That should work - however you should omit dnssec-lookaside since it does
not do anything any more. I also prefer not to have a
Sun Guonian via bind-users wrote:
> I meet a problem, I want to conceal the host information from the
> Internet, but want it be visible to the special client. I know it could
> be realized via bind view, but I need create a special CHAOSNET zone for
> every BIND instance,
> On 20 Sep 2017, at 15:32, rams wrote:
>
> We are getting two RRSIGs and 3 DNSKEY [ 1-256 and 2-257] when we do KSK
> rollover. Is it correct we are returning two RRSIGs for DNSKEY?
Yes :-)
There are multiple ways to do a KSK rollover: you are doing a double-KSK
Job wrote:
>
> Do you also know if it can slow down performances or it is fully transparent?
I haven't given dnstap a serious test I am afraid.
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Forties, Cromarty, Forth, Tyne,
Mukund Sivaraman wrote:
> On Tue, Sep 19, 2017 at 05:16:36PM +0200, Job wrote:
> >
> > is there a way to log resolved IP in Bind log files?
> > I am able to do it with tcpdump, but I do not like a "sniffering" solution!
>
> Turn up logging level to over 10, such as named -d 11. It
Mark Elkins wrote:
>
> On my side, I can 'import' the KSK from the properly signed zone,
> Generate the DS record and EPP it up to the Registry. That all works
> fine, currently with the push of one (web) button. Will change/add this
> to something RESTful. Then, for full
Mark Elkins wrote:
> With BIND version 9.12 coming out - I'm wondering if I've missed any
> announcements on some form of Automatic (DNS)Key Management?
> Something that will create and retire keys according to some sort of policy.
See dnssec-keymgr (new in 9.11) which will
Mukund Sivaraman wrote:
>
> Missing a trailing period(.)
Here's a fun trick to avoid making this mistake: use FQDNs everywhere in
the zone file, and use the directive
$ORIGIN .
so that it doesn't matter whether you have the trailing . or not.
Downside, of course, is that
Grant Taylor wrote:
>
> There is additional footer content (as well as headers) in messages from the
> mailing list.
>
> Does Gmail detect that and ignore it? Or is the message simply folded into
> the conversation in Gmail?
No, I believe deduplication is based
Alan Clegg wrote:
>
> It appears that I just don't see my own posts for whatever reason. 8-)
You seem to be using Gmail which does de-duplication across all messages
in your account, so your messages received from the list are deleted since
they are duplicates of the copies in
Petr Mensik wrote:
>
> But presence of pid files also work as notification of completed
> initialization (which is done BEFORE forking and finishing ExecStart
> command).
named writes its pidfile relatively early during startup. The parent
doesn't exit until the child daemon
Ganga R. Dhungyel wrote:
>
> **debug log
>
> 23-Aug-2017 16:17:57.567 dnssec: debug 3:
> validating @0x7f3ffc96e4d0: www.vip.icann.org A:
> attempting insecurity proof
>
> With dnssec-validation turned on, resolving sites like www.icann.org fails.
I think that
rams wrote:
> we have two scenarios as follows. Is there any chance to copy DS records
> through AXFR or any another method to copy child DS records into parent
> zone.
Sort of...
> Scenario 1:
>
> Customer has domain2.com on Bind1 signed with DS records for domain2.com at
Tom Browder wrote:
> I want to host my own DNS servers, but I need the master to share Bind with
> other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.
It's how we did things in the 1990s :-)
Tony.
--
f.anthony.n.finch http://dotat.at/
Latitude wrote:
>
> Should DNSSEC key signing keys and zone signing keys also be located in a
> directory inside the /dynamic directory? Would it be acceptable to have them
> in a directory such as /var/named/chroot/etc/keys/dnssec?
On my master server I have zone
b...@zq3q.org wrote:
> One of my real hosts is below xen.prgmr.com, like the fake 'zap' above,
> so I would have to email prgmr.com support to get them to add
>
> mynew.org. IN NS zap.xen.prgmr.com.
> ^^^ << Is this valid?
>
> to the
b...@zq3q.org wrote:
> I have several linux VMs, that are under used, so I want to use them
> for the nameservers for 'mynew.org'. Neither are in 'mynew.org';
> is that going to work?
Yes, that is perfectly normal. For example,
$ dig +noall +answer ns dotat.at
dotat.at.
Reindl Harald wrote:
>
> well, bind10 is dead so far and at least no longer an ISC project
Catalog zones are a BIND 9.11 feature.
https://kb.isc.org/article/AA-01432/81/BIND-9.11.0-Release-Notes.html#relnotes_features
Tony.
--
f.anthony.n.finch
Darcy Kevin (FCA) wrote:
> There is no "automatic" mechanism within BIND to tell replicas to start
> slaving new zones.
Fans of new features pop up in response to say, you might be able to use
catalog zones to automatically configure replication :-)
Jim Yang wrote:
>
> What is the DNS name label length limit? As per RFC 1035, it is 63
> characters. I tested a few DNS names that contain a label that is
> longer than 63 characters, and found that these records were
> successfully loaded in RPZ zone.
On the wire the length
Mark Andrews wrote:
>
> See https://tools.ietf.org/html/rfc6763 for details of how it is
> designed to work. Section 11 shows how to go from IP address and
> netmask to the forward domain where the _dns-sd._udp subdomains
> reside.
>
> lb._dns-sd._udp.0.43.168.136.in-addr.arpa PTR
Arun Natarajan wrote:
>
> any idea?
Without knowing the server host name and zone name there could be lots of
different reasons, so there isn't really any way to answer.
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Dover: Southwest 5 to
James Brown via bind-users wrote:
>
> If I use:
>
> ./configure --with-atf —without-gssapi
>
> I get it failing with:
>
> Undefined symbols for architecture x86_64:
> "_gss_accept_sec_context", referenced from:
Looks like you need to `make clean` to get rid of old
Latitude wrote:
>
> I have read in Michael W. Lucas' DNSSEC Mastery book that BIND 9.9 and newer
> can automatically sign zones and refresh signatures (RRSIGs), but older
> versions cannot (p. 53).
That isn't entirely correct: BIND has had automatic signing since 9.7
Job wrote:
>
> is it possible to match "destination port" in view clauses, instead of
> "destination ip"?
I don't believe so, but instead you might be able to run a second instance
of BIND listening on the other port.
Tony.
--
f.anthony.n.finch
Bernard Fay wrote:
>
> should I understand while using named-checkzone I need to enter *only*
> the top domain and named-checkzone will understand the subdomains
> defined by the multiple $ORIGIN in the zone file?
Yes, named-checkzone basically just loads the zone file
Bernard Fay wrote:
>
> I took control of a DNS based on Bind 9.9. One of the zone files have
> multiple $ORIGIN for example:
The key thing to understand is that $ORIGIN just controls how unqualified
domain names are expanded into fully-qualified domain names. In
Chris Buxton wrote:
> dns_master_load: example.com.dns:6785: bad escape
> dns_master_load: example.com.dns:6789: bad escape
>
> mhtswfw-dellfi01\342\200\223mgmt A10.152.224.231
> mhtswfw-dellfi02\342\200\223mgmt A10.152.224.232
Snigger. That's an en dash (U+2013,
Gordon Messmer wrote:
>
> I'm happy that it's working, but it seems like it was fairly difficult to get
> right. Am I doing an unusual thing?
Yes, it is fiddly, and a relatively common problem - which is why in-view
was introduced!
> Is it considered best-practice (or
devz...@web.de wrote:
>
> I'm curious why it doesn't work with rpz zone like normal zones.
The RPZ machinery (mostly) works between getting an answer and returning
it to a client, which is why it is called "response policy". At the moment
it is a one-shot thing, but you are
devz...@web.de wrote:
>
> We use lots of CNAME aliases for server virtual host name aliases, i.e.
>
> myserver IN A 1.2.3.4
> myserver-vhost1 IN CNAME myserver.
> myserver-vhost2 IN CNAME myserver.
> myserver-vhost3 IN CNAME
Paul Seward wrote:
>
> I thought I might get that sort of response, I'm not so much asking for a
> fix as asking how I can find more information.
It'll be one of the 42 CVEs in the table at the top of this page:
Gordon Messmer <gordon.mess...@gmail.com> wrote:
> On 05/08/2017 03:26 AM, Tony Finch wrote:
> > You can't have zones in different views (which are by implication
> > different zones, or different versions of the same zone) pointing to the
> > same files on disk, bec
Gordon Messmer wrote:
> I have a zone that I'd like to serve in two different views, with dnssec in
> both views.
You can't have zones in different views (which are by implication
different zones, or different versions of the same zone) pointing to the
same files on
Gordon Messmer wrote:
>
> After new keys are introduced, and after the old key has expired,
Wait right there!
dnssec-settimes has two times that are usually relevant to the old key
when rolling keys: the retire time and the delete time. (There's also a
revocation time
Harshith Mulky wrote:
>
> Is there an easy way to turn off/ Disable the DNS server to stop
> listening the requests over TCP and turn it ON whenever required?
It is always required :-)
As well as what Reindl said, you might like to look at:
Mark Andrews wrote:
>
> DSA requires random values as part of the signing process.
Traditionally, yes, but it isn't actually required -
https://tools.ietf.org/html/rfc6979
(PuTTY has been using deterministic DSA since 2001, because of
problems with obtaining random numbers on old
Grant Taylor via bind-users wrote:
>
> The only occurrences I found for "ecs" on the two release notes didn't
> include more details about how to configure views to use it.
Yes, it's a bit mysterious.
> Nor did I see details on how to have BIND send ECS with queries
Alberto Rinaudo wrote:
> I have a bind installation on an aws server and I'm trying to set up views
> to give different responses based on the source location.
>
> It works fine when this dns server is the first dns used by a client, I
> guess because the source address
Manuel Ramírez wrote:
>
> I would like to allow queries for specific blogspot.com subdomains and
> block the rest of the queries.
> Any idea about how can I achieve my goal?
I think this should be easy to achieve with RPZ.
Tony.
--
f.anthony.n.finch
Mark Knight wrote:
> I've just noticed (after the slave zones expired), that the root name servers
> have been refusing my zone transfer requests since the end of March.
This is because Cloudflare are now helping isc.org to host
f.root-servers.net, and the Cloudflare instances
Hika van den Hoven wrote:
>
> Running named with `-d 10 -g -u named` from the command line got me
> some more info but I still do not understand what goes wrong.
I looked at this, but I can't work out what the problem is either.
Something mysterious is going wrong inside
Tom wrote:
> Can someone explain the behaviour of "window" in the rate-limit-context?
It basically determines the time after a client that was querying very
fast but then stopped is allowed to receive responses again.
When a client repeats a query, its counter is
Xavier Humbert wrote:
>
> I'm really lost. I've configured dozens of DNSs with no such problems.
> Did I miss something obvious ?
I can't see anything obvious... Did you obfuscate the zone name so we
can't see if there's a typo?
Tony.
--
f.anthony.n.finch
Johannes Kastl wrote:
>
> client 192.168.99.2#22059 (ojkastl.de): query (cache) 'ojkastl.de/DS/IN'
> denied
>
> Is this actually something to worry about?
It's annoying but benign. The recursive server is sending DS queries to
the wrong server, to the child zone's server (from
Wolfgang Gehrke wrote:
> BIND 9.11 introduces catalog zones to simplify the management of slave
> servers. The documentation just mentions support for the "masters" (also
> with key), "allow-query" and "allow-transfer" options within the
> contents of a catalog
Wolfgang Riedel wrote:
>
> Just wonder if someone had success compiling bind-9.11.0-P2 on Debian 9.0
> (stretch)?
I haven't tried it myself.
> 1) OpenSSL dependency dance
>
> I removed OpenSSL 1.1 and compiled OpenSSL 1.0.2e from source
You'll probably have better luck
Jim Garrison via bind-users wrote:
>
> Looking at the traffic with Wireshark, I see the RRSIG uses
> ECDSA Curve P-256 with SHA-256. Should bind 9.8.2 be able to
> recognize that algorithm or is a newer version of bind needed?
The CHANGES file on the 9.8 branch says
Volker Janzen wrote:
>
> when my Bind resolver tries to get the A record for info.nominet.uk the
> syslog gets lots of messages like this:
>
> Jan 25 21:15:52 box named[25097]: DNS format error from 173.245.58.93#53
> resolving info.nominet.uk/DS:
Michael Dahlberg wrote:
> I can discern what almost all of the fields signify except for the
> part "@0x7f6450002ef0".
It's the address in memory of the data structure representing the client.
It is mentioned in the CHANGES file (#4471) and in the release notes - see
Stephan Lagerholm wrote:
> Mark I hear you but who gets called when a domain is not working on
> provide A that is v6 only but works fine on provider B that is still v4
> only?
I wonder if you can work around this kind of problem with RPZ - though I
have no idea if the
Michelle Konzack wrote:
>
> OK, I can grep the whole /etc/bind/master/ directory, but since my Name
> Server is responsible for several 1000 (sub)domains, the execution of
> the script takes ages!
Your approach seems reasonable to me. I'm surprised it takes that
> On 5 Jan 2017, at 22:09, Lars Kulseng wrote:
>
> Any other thoughts on the naming of the zone? If I wanted to obfuscate the
> name, I could use a reserved TLD like .test or .invalid. This would never
> appear in the wild.
Ah. Well. You explained your reason for
Lars Kulseng wrote:
>
> I wasn't aware that the ACL-clause could include TSIG-keys as well as
> IP-addresses. So far I've been using the masters-clause to make the actual
> list of servers and keys, but also using the server-clause. Perhaps the
> server-clause is
Lars Kulseng wrote:
> I am setting up BIND to be used as a way to disseminate RPZ-zones for use
> by third parties. I would like some feedback on my setup.
Overall it sounds very sensible to me. A few notes...
> Access control is done by using TSIG-keys, with separate
Debarghya Mandal wrote:
>
> 1. Is there a way to load custom DNS record from zone file?
https://tools.ietf.org/html/rfc3597
Handling of Unknown DNS Resource Record (RR) Types
It isn't very pretty, though :-)
> 2. Once bind loads that data, for certain zones, for
Thomas Schulz wrote:
>
> I found that I had 'dnssec-enable yes' along with a managed-keys
> statement with an initial-key. If I change to 'dnssec-enable auto'
> do I still need a managed-keys statement? If not will it hurt to have
> one? Can I have a managed-keys statement without
Sachin Patil <04sac...@gmail.com> wrote:
> I want to return nxdomain for any private ip reverse lookup.
BIND does this by default. Look for "built-in empty zones" in
https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html
Tony.
--
f.anthony.n.finch http://dotat.at/ -
Emil Natan wrote:
>
> I also compiled BIND 9.11.0rc3, but nothing changed, no more verbosity,
> only the name of the .nzf file created changed from hash to plain text.
Try 9.11.0-P1 which has a few changes since rc3.
> Another finding is that the failure .nzf file is created,
Emil Natan wrote:
>
> I'm trying to add zone of type "forward" with rndc addzone, but it fails with:
>
> rndc addzone zone.org '{type forward; forward only; forwarders {
> 192.168.20.115; }; };'
> rndc: 'addzone' failed: not found
I think this happens if you are using a
Jim Glassford wrote:
>
> Doing dig +cd on prod.msocnd.com will get the CNAME, without +cd either
> timeout or SERVFAIL depending on version of bind.
It works for me with BIND 9.11 and 9.10.4-P4.
There are some EDNS-related changes in 9.10 which might be why these
versions are
Dns Administrator wrote:
>
> Though the querying appears to be correct, when I reload the dns server I
> get the following message:
>
> 27-Oct-2016 09:31:29.208 general: info: zone ./IN: (static-stub) removed
Yes, this log message is spurious.
The reason seems to be that
blrmaani wrote:
> On Sunday, October 23, 2016 at 2:56:37 PM UTC-7, blrmaani wrote:
> >
> > We have hosts in two different zones but use same subnet. Zone1 is
> > generated by Master1 and Zone2 is generated by Master2.
> >
> > Slave1 runs BIND and would like to merge the
Tom wrote:
>
> What's the reason, that it isn't necessary to run modern version of bind in a
> jail?
chroot is a defence against privilege escalation following a remote code
execution vulnerability. It isn't a very solid defence. And BIND 9 tends
to die of a self-check
Daniel Stirnimann wrote:
>
> BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing
> to validate the following non-existent domain name:
>
> dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec
>
> I believe, the reason for the validation error
Mark Andrews wrote:
> Sebastian Wiesinger wrote:
> >
> > Thank you for explaining this for me. I was reading RFC6781, which I
> > now realize is probably outdated in this regard so I was a bit
> > confused.
RFC 7583 (DNSSEC Key Rollover Timing) is also
Eoin Kim wrote:
>
> So, all zone data files were created and when I restarted BIND the zone
> transfer happens except for one zone - reverse zone for external view. I
> checked the log file and it shows the following message.
>
> general: info: zone
Veaceslav Revutchi wrote:
> I see the server forwarding the query and it gets the answer below:
>
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;;
> ;; ANSWER SECTION:
> aaa.example.org. 200 IN CNAME bbb.example.net.
> bbb.example.net. 60 IN
ben thielsen via bind-users wrote:
>
> zone "example.com" {
> type stub;
> masters {
> "example.com" ;
> };
> };
>
> masters "example.com" {
> 192.168.81.50 ;
> };
If you want a fixed set of master servers for a zone, use