Re: adding zone forwards without restart

2016-09-30 Thread Tony Finch
> On 29.09.16 12:25, Frank Even wrote: > > I am running chrooted. I'm relying on the "feature" of BIND "mounting" the > > standard dirs into a chroot via the standard startup scripts in Cent6/7. Aha, I should have actually read setup-named-chroot.sh rather than assuming that it copied the

Re: Minimal responses and speeding up queries

2016-09-26 Thread Tony Finch
Mark Andrews wrote: > > Both of these are on my to do list. Yay! Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Rockall: South 5 to 7, occasionally gale 8 later. Moderate or rough, becoming very rough later in west. Rain or showers.

Re: root.hind or named.hint file update

2016-09-23 Thread Tony Finch
Pol Hallen wrote: > > is it recommend put a cron script for auto-update root.hind and named.hint db? No, it's best not to have a hints file and just use the one built in to BIND. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode

Re: Minimal responses and speeding up queries

2016-09-23 Thread Tony Finch
Reindl Harald wrote: > > just because without additional responses are part of the initial question and > may save asking for that information - in case the additional info is not > needed by the client it saves traffic There are a few situations in which additional data

Re: Minimal responses and speeding up queries

2016-09-22 Thread Tony Finch
Job wrote: > > Actually, dig @host some_url still shows an additional query, maybe not > needed for a caching-only resolver: > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 That isn't an additional query, it's a record in the additional section

Re: Wildcard

2016-09-22 Thread Tony Finch
rams wrote: > When we have wildcard in middle labels, are we not treating as wildcard > record? In the DNS, a wildcard only occurs when the leftmost label is a *. > Do we have any specific RFC for this. https://tools.ietf.org/html/rfc4592#section-2.1 NOTE that wildcard

Re: adding zone forwards without restart

2016-09-21 Thread Tony Finch
Benny Pedersen wrote: > > why does reload not flush ? Often you want to reload zone files without throwing away the cache. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Bailey: Southeast 6 to gale 8, becoming cyclonic, mainly southwest,

Re: replicate a whole master

2016-09-21 Thread Tony Finch
Mukund Sivaraman wrote: > > There's an attempt to make it go one step further by refreshing whole > zones in the cache: > > https://github.com/muks/dnsrefresh > > It needs another section to be completed before upload, possibly in time > for IETF-97. Oh dear, that is deeply

Re: adding zone forwards without restart

2016-09-21 Thread Tony Finch
Frank Even wrote: > Is there a way to add forwarders for specific zones without a restart? > Everything I've read seems to indicate an "rndc reconfig" or an "rndc > reload" should take care of this, but they do not. I add forwarders to > "named.conf" and neither will

Re: replicate a whole master

2016-09-19 Thread Tony Finch
/dev/rob0 wrote: > > If you're thinking that you can do this replication to improve DNS > performance, you're right, it will do that. But it certainly will > not scale (if it's even possible to get axfr/ixfr), and it won't > handle modern CDN systems properly. BIND 9.10 and

Re: BIND-RPZ and Views

2016-09-19 Thread Tony Finch
Tom wrote: > > What is the supported/preferred way for implementing slave-rpz's in views? > I want to achieve, that view1 has a different policy-configuration (passthru, > given, nxdomain..) than the ones configured in view2 using the same > slave-rpz-files. If not

Re: BIND-RPZ and Views

2016-09-16 Thread Tony Finch
Anand Buddhdev wrote: > > In newer versions of BIND, you cannot share a writable file in different > views. This is a bad configuration, and newer versions of BIND reject it. > Just use different file names. To clarify, you couldn't in older versions of BIND either! It would
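The layout Anand and Tony are describing (this thread and the 2016-09-19 "BIND-RPZ and Views" reply above), written out as an added example rather than anything posted to the list: one secondary RPZ zone pulled into two views, each view keeping its own copy under a different file name, with the per-view policy override doing the differentiation. The primary address, view names, ACL ranges and file paths are all hypothetical.

```conf
// Added example (not from the thread): one secondary (slave) RPZ zone,
// transferred from a hypothetical primary 192.0.2.10, used in two views.
// Each view keeps its own copy under a different file name, because a
// writable zone file cannot be shared between views (named rejects it).
// What differs per view is the policy override in response-policy.

acl "guests" { 10.10.0.0/16; };
acl "staff"  { 10.20.0.0/16; };

view "guest-view" {
    match-clients { guests; };
    recursion yes;

    // Guests: every hit in the policy zone becomes NXDOMAIN,
    // whatever action the zone's own records ask for. Log the rewrites.
    response-policy {
        zone "rpz.example.net" policy nxdomain log yes;
    };

    zone "rpz.example.net" {
        type slave;
        masters { 192.0.2.10; };
        file "slave/rpz.example.net.guest";   // per-view file name
    };
};

view "staff-view" {
    match-clients { staff; };
    recursion yes;

    // Staff: consult the same policy data but answer normally (passthru).
    response-policy {
        zone "rpz.example.net" policy passthru;
    };

    zone "rpz.example.net" {
        type slave;
        masters { 192.0.2.10; };
        file "slave/rpz.example.net.staff";   // must differ from the guest view's file
    };
};
```

The transfer happens twice (once per view), so the primary has to allow both and NOTIFY reaches both copies; that is the cost of the "just use different file names" approach.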

Re: minimal-any on master

2016-09-05 Thread Tony Finch
Jim Popovitch wrote: > > Hmmm, this is counter to what I've believed all along. I > thought it was > prudent to have key overlap during rollovers. There are two separate things which you can overlap semi-independently: * is the key published in the zone? * is the key

Re: minimal-any on master

2016-09-05 Thread Tony Finch
Jim Popovitch via bind-users wrote: > > Thanks. Now I'm seeing something slightly different. I have 3 NS > servers, ns{1-3}.domainmail.org. > > When I first asked 3 days ago I was seeing long ANY responses on the > master (ns1). Today I am seeing long ANY responses on

Re: minimal-all on master

2016-09-05 Thread Tony Finch
Jim Popovitch via bind-users wrote: > > Should minimal-all (v9.11.0-rc1) work on a master? My testing shows > that it only works on the slave DNS servers. Works for me :-) minimal-any is implemented at the point the records are being assembled into an answer - it still

Re: Allowable reverse mapping zone file names

2016-08-31 Thread Tony Finch
/dev/rob0 wrote: > > (See also RFC 2317 for "classless" reverse DNS delegation, but no, > DO NOT read that: I only mention it for completeness, as we have > pedantic posters on this list ... myself included. ;) ) Yeah, try https://tools.ietf.org/html/draft-ietf-dnsop-rfc2317bis

Re: Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

2016-08-31 Thread Tony Finch
Tom wrote: > > I have a bind-setup with activated response-policy-zones. For *each* > client-forward-query, which has a valid dns-response, I got an error in the > client-log (for NXDOMAIN-Responses, I didn't have such errors... ex. "dig > @nameserver

Re: DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

2016-08-31 Thread Tony Finch
Aleks Ostapenko wrote: > > Unfortunately, after > > 1. rndc freeze myzone > 2. named-compilezone -f raw -F text -o myzone.text myzone myzone.signed > change TTL on DNSKEY and RRSIG DNSKEY in myzone.text > named-compilezone -f text -F raw -o myzone.signed

RE: Slaves or Forwarders?

2016-08-24 Thread Tony Finch
Darcy Kevin (FCA) wrote: > From an InfoSec standpoint, of course one would prefer to use > cryptographic methods of securing DNS data, Yes, use TSIG for zone transfers. You can also use it for forwarding. Tony. -- f.anthony.n.finch http://dotat.at/
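What "use TSIG for zone transfers ... also for forwarding" looks like in named.conf, as an added example (not configuration from the thread or from ISC): a primary that only transfers to requests signed with a shared key, a secondary that signs everything it sends to that primary, and a forward zone whose queries are signed via a `server` clause. The addresses, zone names and key names are hypothetical, and the base64 secrets are placeholders, not real keys.

```conf
// Added example (not from the thread). Generate real secrets with
// tsig-keygen (BIND 9.11+) or dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST.
// Both secrets below are placeholders, not real keys.

key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItc2VjcmV0LXJlcGxhY2UtbWU=";
};

// ---- primary (192.0.2.1) ----
zone "example.com" {
    type master;
    file "master/example.com";
    // Only requests signed with xfer-key may transfer. An address-only
    // ACL is not authentication: source addresses are trivially spoofed.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };
};

// ---- secondary (192.0.2.2) ----
// Sign every message sent to the primary: SOA refresh queries, AXFR/IXFR.
server 192.0.2.1 {
    keys { "xfer-key"; };
};
zone "example.com" {
    type slave;
    masters { 192.0.2.1 key "xfer-key"; };   // explicit; the server clause above would also do it
    file "slave/example.com";
};

// ---- forwarding with TSIG ----
// A server clause signs forwarded queries to that address too, so the
// forwarder can restrict who may use it with allow-query { key ...; }.
key "fwd-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItZm9yd2FyZC1rZXk=";
};
server 192.0.2.53 {
    keys { "fwd-key"; };
};
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

TSIG is a shared-secret HMAC over the whole message, so it authenticates and integrity-protects the transfer but does not encrypt it; clocks on both sides must agree to within the fudge (300 s by default), which is a common cause of BADTIME failures after a host is rebuilt.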

Re: keys and inline signing

2016-08-23 Thread Tony Finch
Andreas Meyer wrote: > > Do I need to create keys first when I create a new zone and > use inline signing or is keycreation done by named? named does not create keys for you, but have a look at dnssec-keymgr in BIND 9.11 Tony. -- f.anthony.n.finch

Re: Slaves or Forwarders?

2016-08-23 Thread Tony Finch
Baird, Josh wrote: > > In the past, when I have had a requirement to bring a slave zone into > our environment; I created a slave zone on my master(s) (defining the > external nameserver as a master) and then created slave zones on my > slaves using *my* master as a master

Re: DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

2016-08-23 Thread Tony Finch
Aleks Ostapenko wrote: > As for second variant - unfortunately I don't know how to edit manually TTL > in the signed (not raw) master file. (1) Use `rndc freeze` which makes `named` rewrite the zone file with all pending changes from the journal, and makes it

Re: creating IPv6 interface eth0 failed; interface ignored

2016-08-22 Thread Tony Finch
Wolfgang Riedel wrote: > > not sure if this is a bug or a feature but had been scratching my head > for months now running BIND on Fedora22-24 and all the time I did a > reboot BIND didn't come up and I needed to restart the process to get it > running. After some googling around

Re: Query on Bind Operations

2016-08-22 Thread Tony Finch
Harshith Mulky wrote: > > Can max-cache-ttl be used on the client( client which supports bind) to > override the default ttl time sent in response by Bind server for > Positive Responses? Yes. Tony. -- f.anthony.n.finch http://dotat.at/ - I

Re: DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

2016-08-22 Thread Tony Finch
Александр Остапенко wrote: > Thanks for a workaround. But in this case - after "dnssec-settime -L ttl" I > need unsign/sign zone (p.1 of steps above) in order to new TTL value > appeared in DNSKEY RRset ("service bind9 reload" or "rndc loadkeys" has no > effect).

Re: forcing clients to TCP

2016-08-08 Thread Tony Finch
Fima Leshinsky wrote: > > It seems like setting the TC flag is what I'm after but curious if there's > a way to do this via configuration rather than a patch. You can do this by setting the rate-limit slip parameter to 1. This might be the right answer if you want to use an
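The rate-limit setting Tony mentions, as an added example (not from the thread): with `slip 1`, every response that exceeds the limit is sent truncated (TC=1) rather than dropped, so a legitimate client retries over TCP while a spoofed source address gets only a tiny reply. The thresholds and the exempt addresses are hypothetical.

```conf
options {
    // Added example (not from the thread). Response Rate Limiting on an
    // authoritative server. Default slip is 2: every second limited
    // response is truncated, the rest are dropped. slip 1 truncates all
    // of them, which pushes clients that hit the limit onto TCP.
    rate-limit {
        responses-per-second 10;   // per client /24 (IPv4) or /56 (IPv6) by default
        slip 1;                    // always answer with TC=1 instead of dropping
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };   // hypothetical monitoring hosts
        log-only no;               // set to yes first to see what would be limited
    };
};
```

This only forces TCP on clients that are actually over the limit; everyone else keeps getting full UDP answers, so it is not a blanket "TCP only" switch. As Tony notes in the outgoing-traffic thread below, RRL is designed for spoofed UDP floods and does nothing useful against a flood that is already arriving over TCP.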

Re: named is not finding the keys for DNSSEC

2016-08-04 Thread Tony Finch
Andreas Meyer <a.me...@nimmini.de> wrote: > Tony Finch <d...@dotat.at> wrote on 04.08.16 at 09:21:36: > > > > The error message refers to the key ID rather than the filename - in more > > recent versions it has been clarified to use the actual fil

Re: named is not finding the keys for DNSSEC

2016-08-04 Thread Tony Finch
Andreas Meyer wrote: > > dns_dnssec_keylistfromrdataset: error reading private key file > bitcorner.de/RSASHA1/16938: file not found > > I think it must have something to do with the name itself, could it be? > > The key is named Kbitcorner.de.+005+16938.private but named is

Re: named and use of resolv.conf? - how to "learn" this

2016-08-03 Thread Tony Finch
Spumonti Spumonti wrote: > > We have an authoritative server and it has a zone with secondary name > servers owned by another organization. > > This authoritative name server needs to send a NOTIFY to these other > name servers. > > I thought it was enough for BIND to use the

Re: getting not authoritative with some notifies

2016-07-28 Thread Tony Finch
Paul A wrote: > > named[7062]: client xx.xx.64.2#51056: received notify for zone 'xxx: not > authoritative > > However some zones I don't get the message above some I do, I'm not using > views so I'm lost as to why this is happening. Are you sure the zone is actually

RE: outgoing-traffic

2016-07-27 Thread Tony Finch
Ejaz wrote: > > Such as, if someone is sending ANY request , by default it should be > denied when users requests for it.. BIND 9.11 will have a minimal-any option. https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any

Re: outgoing-traffic

2016-07-26 Thread Tony Finch
S Carr wrote: > > You might want to check whether the requests are legitimate before > completely blocking them, rate limiting would be a better option. Remember this is TCP traffic. RRL is designed to deal with spoofed UDP traffic. It can actually make non-spoofed floods

RE: outgoing-traffic

2016-07-26 Thread Tony Finch
Ejaz wrote: > > I am not using iptables firewall from my redhat Linux box, all traffic > managed by network team.. Well then, you should co-operate with them to fix the problem. You might find that it helps to put the following in the options{} section of named.conf, but

Re: weird transfer-source problems with one DNS node

2016-07-18 Thread Tony Finch
Ian Veach wrote: > > So, any ideas on why I would see that slave initiate transfers on its OS > IP versus the transfer-source IP... especially when the other three work > fine? What does the log say about interface addresses? Which version of BIND are you running? Has

Re: doubt about queries.log format

2016-07-18 Thread Tony Finch
Manuel Ramírez wrote: > > I would like to know if is possible to see in the queries.log output the ip > address resolved No, it only logs the query not the answers. Have a look at passive DNS or dnstap if you want more detailed telemetry. Tony. --
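The difference between the query log and dnstap, as an added configuration example (not from the thread): the `queries` category records the question only, while dnstap (BIND 9.11 or later, built with `--enable-dnstap`) captures whole messages, so the answer the client actually received is in the capture. File paths and sizes are hypothetical.

```conf
// Added example (not from the thread). Query logging versus dnstap.

logging {
    channel query_log {
        file "/var/log/named/queries.log" versions 10 size 50m;
        severity info;
        print-time yes;
    };
    // One line per query: client, qname, qtype, flags. No answer data.
    category queries { query_log; };
};

options {
    // dnstap captures full DNS messages as protobuf frames:
    //   client   - queries from / responses to your clients
    //   resolver - queries to / responses from authoritative servers
    // (auth, forwarder and all are the other selectors).
    dnstap { client; resolver; };
    dnstap-output file "/var/log/named/dnstap.bin";
};
```

Read the capture with `dnstap-read /var/log/named/dnstap.bin` and rotate it with `rndc dnstap -roll`. For incident response the resolver-side frames are the valuable part: they show which authoritative server gave which answer, something neither the query log nor a cache dump preserves.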

Re: SOA record not signed with new key at key-rollover

2016-07-18 Thread Tony Finch
Nis Wechselberg wrote: > Am I getting it right that the rest of the zone is not (re)signed > because the current signature is still valid for some time? > > So if I were to set sig-validity-interval to a shorter value, this would > help with the issue? If you are testing out a

Re: auto-dnssec maintain and DNSKEY removal

2016-07-14 Thread Tony Finch
Mathew Ian Eis wrote: > > sig-validity-interval seems to only affect the expiration date of newly > created signatures, and of course signatures are only rolling over to > new keys as they expire. > > I am wondering if I can ask bind to set the expiration for, say 30 days >

Re: Breaking trusted chain in dnssec

2016-07-13 Thread Tony Finch
Georg Kahest wrote: > On 07/13/2016 03:16 PM, Mark Andrews wrote: > > > > You have a delegation without a DS record. > > Or have a DS record without actual dnskey/rrsig records in the > delegated zone. Be aware that these are very different things! Mark's suggestion

Re: Breaking trusted chain in dnssec

2016-07-13 Thread Tony Finch
rams wrote: > Is any one explain how to break trusted chain in dnssec with example how to > create zone or data with trusted chain break. Create a delegation without a DS record. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Lundy,
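A zone-file fragment illustrating both of the situations in this thread, added as an example (not posted to the list): one child delegated without a DS, which a validator treats as Insecure, and one with a DS that the child cannot match, which a validator treats as Bogus. The parent name, the child names, the addresses and the DS key tag and digest are placeholders.

```conf
; Added example (not from the thread): fragment of a signed parent zone
; "example." with two delegations.
;
;   insecure.example.  NS records only, no DS. The parent's signed
;                      NSEC/NSEC3 proves "no DS here", so validators treat
;                      the child as unsigned (Insecure) and answers resolve.
;                      This is the deliberate way to break the chain.
;   bogus.example.     A DS is published but the child serves no matching
;                      DNSKEY/RRSIG. Validators return SERVFAIL (Bogus).
;                      This is an outage, not an unsigned zone.

$ORIGIN example.
$TTL 3600

insecure        NS      ns1.insecure
ns1.insecure    A       192.0.2.1               ; glue

bogus           NS      ns1.bogus
ns1.bogus       A       192.0.2.2               ; glue
; Placeholder DS (key tag 12345, algorithm 13, SHA-256 digest all zeros);
; a real one comes from dnssec-dsfromkey on the child's KSK.
bogus           DS      12345 13 2 ( 0000000000000000000000000000000000000000000000000000000000000000 )
```

To test a resolver's behaviour, query each child through it with `dig +dnssec`: the first returns an answer without the AD bit, the second returns SERVFAIL, and `dig +cd` against the same resolver makes the bogus one answer again, which confirms validation rather than connectivity is the cause.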

Re: bind issue

2016-07-07 Thread Tony Finch
Vlad Shpolyanskiy wrote: > Yep, I'm able to query servers directly, so it's not a network problem. Are you running dig on the resolver itself? Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Biscay: Variable becoming west or

Re: bind issue

2016-07-07 Thread Tony Finch
Vlad V. Shpolyanskiy wrote: > > I have problems resolving zone retn.net. It works for me... > I guess that bind does not like name server's IP ending with zero. > But that's only my suggestion. Are you able to query the authoritative servers directly? If not, you

Re: auto-dnssec maintain and DNSKEY removal

2016-07-06 Thread Tony Finch
Mathew Ian Eis wrote: > > Does all of that sound right? I believe so, yes. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Humber, Thames, Dover, Wight, Portland, Plymouth, North Biscay: Northwesterly, backing southwesterly, 3 or 4,

Re: auto-dnssec maintain and DNSKEY removal

2016-07-05 Thread Tony Finch
Mathew Ian Eis wrote: > > > Are you allowing enough time for named to go through a zone key > > maintenance cycle? (which is hourly if I remember correctly) > > I’m not sure, it sounds like perhaps not always? You’ve > mentioned a “zone > key maintenance cycle” of an hour, and

Re: Automatic DNSSEC signing workflow

2016-07-05 Thread Tony Finch
Daniel A. Ramaley wrote: > > From the responses i received, it seems i completely misunderstood how > automatic signing is supposed to work. If i'm now understanding > correctly, there are 2 mutually exclusive ways to do things: > 1) Maintain zone files with a text

Re: auto-dnssec maintain and DNSKEY removal

2016-07-04 Thread Tony Finch
Mathew Ian Eis wrote: > > We think that in some cases, named may be choosing to use a key past the > removal date (as in [2]), while our file maintenance process removes the > keys as per their deletion date – after which named no longer has the > necessary metadata to

Re: Automatic DNSSEC signing workflow

2016-07-04 Thread Tony Finch
Tony Finch <d...@dotat.at> wrote: > dramaley <daniel.rama...@drake.edu> wrote: > > > Hello. I'm running Bind 9.9.4 (the default that comes with RHEL 7). I'm > > trying to figure out a workflow for doing DNS updates with auto-dnssec > > turned on. When I

Re: Automatic DNSSEC signing workflow

2016-07-04 Thread Tony Finch
dramaley wrote: > Hello. I'm running Bind 9.9.4 (the default that comes with RHEL 7). I'm > trying to figure out a workflow for doing DNS updates with auto-dnssec > turned on. When I have to update a zone file, I do so by editing the zone > file and incrementing the

Re: Help required to test some Negative Responses from Bind Server.

2016-06-28 Thread Tony Finch
Alan Clegg wrote: > > As for NOTIMP, I'm not aware of an easy path, but I'm sure that someone here > knows. ; <<>> DiG 9.11.0a1 <<>> +noedns dotat.at in maila ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 42331 ;; flags: qr rd ra;

Re: dnssec-keymgr: Plans and usage?

2016-06-27 Thread Tony Finch
bind-us...@arminpech.de wrote: > > I would like to handle KSK updates of second level domains using that > tool (option -k applies policy only on KSKs). And especially I'm looking > for an interface to trigger updates of DS records. > > The call on dnssec-settime may

Re: UDP Packet Hack

2016-06-22 Thread Tony Finch
Jun Xiang X Tee wrote: > > For the past two weeks, I have searched through many articles online > and asked many people on how to do this, but I am still confused on > where "dig" gets the UDP packets from. It sounds like you should start off with a good DNS textbook, such as

Re: Query "resolver" and "lwresd" via "dig"

2016-06-21 Thread Tony Finch
Jun Xiang X Tee wrote: > > I wish to know efficient ways to query "resolver" and "lwresd". To my > understanding, "resolver" is the iterative full DNS resolver, "resolver" is a generic term. I think you are thinking of "named", BIND's DNS server. > and "lwresd" is the

RE: Append a Hard-coded Text Tuple into Additional Section of "dig" Feature

2016-06-17 Thread Tony Finch
Darcy Kevin (FCA) wrote: > My understanding is that the "extra" stuff wouldn't have any signature > at all. I'm not sure if the question was that well specified :-) > Wouldn't that break DNSSEC if the rest of the response had signatures? > Or does the

Re: Issues resolving outlook.office365.com

2016-06-16 Thread Tony Finch
Phil Mayers wrote: > > For what it's worth, I've been aggressively monitoring DNS resolution of > outlook.office365.com from all four of our recursives, both A & , once a > minute for the past 3 months. I wonder if you would notice more problems if your query

Re: Issues resolving outlook.office365.com

2016-06-16 Thread Tony Finch
Thomas Sturm wrote: > > We are experiencing strange intermittent issues when resolving > outlook.office365.com, but also with other domains like e.g. > amazonaws.com or snort.org. Based on recent discussions on the mailop list (https://chilli.nosignal.org/mailman/listinfo/mailop)

RE: Append a Hard-coded Text Tuple into Additional Section of "dig" Feature

2016-06-16 Thread Tony Finch
Darcy Kevin (FCA) wrote: > > It'll also, irrespective of caching, break DNSSEC. No, extra stuff in the additional section should not break DNSSEC because the signatures are per-RRset not per-message. Tony. -- f.anthony.n.finch http://dotat.at/ - I

Re: Questions on bind-chroot

2016-06-13 Thread Tony Finch
Harshith Mulky wrote: > Is it necessary for named.conf in the chroot path and /etc path to be same If they aren't the same, at some point in the future you or your colleagues are going to get very confused about which one is the right one. > I have 2 different

Re: Why isn't my Bind server answering this query

2016-06-08 Thread Tony Finch
Harshith Mulky wrote: > > test1.zone has following set of records, > [snip] > test1 IN NAPTR 22 32 "u""SIP+D2U" "" > _sip._udp.test1.com. [snip] > > ;; QUESTION SECTION: > ;test1.com.IN NAPTR The only NAPTR record

Re: Reverse Zone CIDR

2016-05-25 Thread Tony Finch
Jonathan Del Campo wrote: > > So if I have to create two /24 reverse zones for my case, I will, but I was > hoping a smarter solution. Oh, I had a brainfart, I read /23 as /25 :-) Yes, two /24s is the best solution. For smarter solutions, see the rfc2317bis I-D, though

Re: Reverse Zone CIDR

2016-05-25 Thread Tony Finch
Jonathan Del Campo wrote: > > We are trying to create a zone for a /23 subnet (192.168.222.0/23), but we > can't get the reverse zone working. What error messages do you get in your logs? Any other symptoms of "not working"? > I don't know if the naming convention is

Re: R: R: R: Three RPZ zone definition

2016-05-20 Thread Tony Finch
Job wrote: > But, if i have two different zones (or three), in the response-policy > sentence, can i trigger the Client only for a zone and not for the other > zone? > Some Client would not have to match together the two zones! I think your question is answered by

Re: R: R: Three RPZ zone definition

2016-05-19 Thread Tony Finch
Job wrote: > > is there a way to define more response-policy in Bind or the possibility > to apply a response-policy only to certain client ip? There is the RPZ-CLIENT-IP trigger, which applies to any query from a matching client IP address. Or you can use views to

Re: R: Three RPZ zone definition

2016-05-19 Thread Tony Finch
Job wrote: > > i add that, if i have a pass-through defined in second zone > (rpz-dyndns.lan), the third RPZ zone is NOT applied. > > If i have no pass-through in the previous definition, it works! That's how passthru is supposed to work. Tony. -- f.anthony.n.finch
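The ordering rule Tony confirms here, together with the RPZ-CLIENT-IP trigger from his 2016-05-19 reply above, as an added example (not the configuration from the thread): three policy zones are consulted in the order listed, the first matching rule wins, and passthru is itself a match, so a passthru in the second zone means the third is never reached for that query. Zone names, the client subnet and the listed domains are hypothetical.

```conf
// Added example (not from the thread). named.conf part: zones are checked
// in this order and the first match (including a passthru) decides.
options {
    response-policy {
        zone "rpz-clients.example";   // 1: per-client exemptions
        zone "rpz-local.example";     // 2: local allow/deny list
        zone "rpz-feed.example";      // 3: external threat feed, e.g. a slave zone
    };
};
```

The first two zones, as master files, showing the triggers (added example, hypothetical names):

```conf
; rpz-clients.example  --  RPZ-CLIENT-IP trigger
$TTL 60
@       SOA     localhost. root.localhost. 1 3600 900 604800 60
        NS      localhost.
; Encoding: <prefixlen>.<octets reversed>.rpz-client-ip
; Clients in 10.0.5.0/24 match here and pass through, so neither
; rpz-local nor rpz-feed is applied to their queries at all.
24.0.5.0.10.rpz-client-ip       CNAME   rpz-passthru.

; rpz-local.example  --  QNAME triggers
$TTL 60
@       SOA     localhost. root.localhost. 1 3600 900 604800 60
        NS      localhost.
; Passthru here is a match: the feed zone cannot block this name.
updates.vendor.example          CNAME   rpz-passthru.
; Sinkhole a name and everything under it
evil.example                    CNAME   .       ; NXDOMAIN
*.evil.example                  CNAME   .
```

If the intent is "feed zone first, local exceptions override it", the list order has to be reversed accordingly; RPZ has no later-zone-overrides-earlier semantics.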

Re: Shared libraries loaded after chroot

2016-05-16 Thread Tony Finch
Marc Haber wrote: > > in Debian, the bind9 packages have recently started to trouble me in > chrooted environments since some cryptographic libraries are loaded > after bind has chrooted itself, which results - in the case of a > minimal chroot - in a fatal run-time

Re: installation issues

2016-05-09 Thread Tony Finch
Rajesh M <24x7ser...@24x7server.net> wrote: > > however after installation i am getting the same error as earlier > > The ISC BIND service failed to start due to the following error: > ISC BIND is not a valid Win32 application. Googling for the error message produces this KB article:

Re: Nsupdate usage scenario

2016-05-03 Thread Tony Finch
Paul Kosinski wrote: > Except for this single dynamic IP address, the zone file is maintained > by hand with a text editor, so rearranging it into an arbitrary order > would make hand maintenance much more difficult. > > If there is a way to have nsupdate preserve the original

RE: Adding CNAME for the root domain issue

2016-04-27 Thread Tony Finch
Baird, Josh wrote: > Any thoughts on a service like Cloudfare's 'CNAME Flattening' [1]? > > [1] > https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/ Run a command like this from cron aname example.com www.example.com |

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-27 Thread Tony Finch
Matthew Pounsett wrote: > > Privsep doesn't actually fix the same problem chroot does. As I > understand it, privsep reduces the attack surface for remote execution > exploits by shuffling off privileged operations to a separate process, but > if that process isn't chrooted

Re: Recursive bind becomes unresponsive with high load

2016-04-01 Thread Tony Finch
sth...@nethelp.no wrote: > > Have you checked your operating system limits? One recursive client > often means one open socket (waiting for response from authoritative > server), i.e. one open file descriptor. If you have thousands of > simultaneous recursive clients, you will

Re: BIND started replying to queries for .com with .COM

2016-04-01 Thread Tony Finch
Robert Edmonds <edmo...@mycre.ws> wrote: > Tony Finch wrote: > > Phil Mayers <p.may...@imperial.ac.uk> wrote: > > > > > > What is considered the source of the ownername for, say, "com."? > > > > It should be the root zone master file. &g

Re: Recursive bind becomes unresponsive with high load

2016-03-31 Thread Tony Finch
Michael Brunnbauer wrote: > > I am using bind on a server that does massive crawling with a multithreaded > Java app. This server occasionally has to do lookups for hosts in our local > zone netestate.de - for which it is not authoritative - and those lookups tend > to fail

Re: BIND started replying to queries for .com with .COM

2016-03-30 Thread Tony Finch
Phil Mayers wrote: > > What is considered the source of the ownername for, say, "com."? It should be the root zone master file. However authoritative server implementations differ in whether they echo the query case or preserve the master case. e.g. a.root-servers.net

Re: BIND started replying to queries for .com with .COM

2016-03-30 Thread Tony Finch
Phil Mayers <p.may...@imperial.ac.uk> wrote: > On 30/03/16 10:50, Tony Finch wrote: > > > > Yes, we encountered that problem recently :-) You can revert to the old > > behaviour using > > > > no-case-compress { any; }; > > +1 super confusing when w

Re: BIND started replying to queries for .com with .COM

2016-03-30 Thread Tony Finch
Mike Bernhardt wrote: > I rebooted one of our BIND VMs this morning. It's running BIND 9.10.3-P3. We > noticed that queries for domains with domain.com were answered with > domain.COM with the .COM in capital letters. Other high-levels like .org > were not changed. It caused

Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Tony Finch
Dave Warren <da...@hireahit.com> wrote: > On 2016-03-24 09:46, Ray Bellis wrote: > > On 24/03/2016 16:41, Tony Finch wrote: > > > > > >When I changed our TTLs from 24h to 1h last year, it didn't have a > > > >visible > > > >effec

RE: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Tony Finch
Ben Bridges wrote: > Microsoft wants a short TTL for their Office 365 records, but I would > prefer to generally use a longer TTL for most records (including other > TXT records) in order to reduce the query load on our servers. I gather MS ask for a 1 hour TTL - at

RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Tony Finch
Lightner, Jeff wrote: > > With systemd the methodology isn't that BIND notifies other things that > it is up. It is that other things, if dependent upon BIND, have in > their systemd files a requirement that BIND be up before they start. Yes, but how does systemd know

Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Tony Finch
Reindl Harald <h.rei...@thelounge.net> wrote: > On 23.03.2016 at 13:36 Tony Finch wrote: > > > > BIND does not do that - it forks too early. It's a bit tiresome > that this is a bug in BIND which should be fixed instead of worked around - Yes. > the whole purpose

Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Tony Finch
Reindl Harald wrote: > > > The problem that I alluded to above is that if you have services that > > depend on the DNS, there should be a mechanism for the DNS server to say > > when it is ready and that it's OK to start services that need DNS. I don't > > know the right

Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Tony Finch
Reindl Harald <h.rei...@thelounge.net> wrote: > On 23.03.2016 at 11:54 Tony Finch wrote: > > > > There's a sample unit file in the chroot setup instructions at > > https://wiki.debian.org/Bind9 > > > > (It looks a bit half-baked to me since it doesn't see

Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Tony Finch
Sean Son wrote: > > I recently compiled and installed BIND 9.10.3-p4 from source on a system > running CentOS 7. This is for practice purposes. I've been searching all of > the net and I cannot find the answer to this one question of mine: How do I > create the

Re: *Reminder of the* L-Root IPv6 address renumbering

2016-03-22 Thread Tony Finch
Charles Swiger wrote: > > You could always ask the A root server (or one of the others) what it > thinks the IP should be: > > % dig l.root-servers.net. @a.root-servers.net | grep l It's the record which is changing, not the A record, and it won't change until tomorrow.

Re: GEOIP, 9.9.8

2016-03-22 Thread Tony Finch
Olsen, Richard William (Rick) CTR (US) wrote: > I'm looking into the GEOIP functionality but we are in the 9.9 release tree. > I don't see in it in the documentation but wanted to check here in case I'm > just missing it. It's a 9.10 feature. Tony. --

RE: PCS, Corosync, Pacemaker, and Bind

2016-03-19 Thread Tony Finch
Mike Bernhardt wrote: > Please confirm that if a DNS query is sent to the virtual address, the reply > will be sourced from the virtual address. Yes. (query-source doesn't affect replies.) > The documentation for keepalived isn't very good, but as near as I can tell > it

Re: Changing records with inline-signing

2016-03-19 Thread Tony Finch
Thomas Schulz wrote: > We currently have adi.com signed using options: > > inline-signing yes; > auto-dnssec maintain; > > If I change an A record or add a new A record, will the signing be > automatically updated or do I have to do an rndc sign zone? It's automatic :-) Tony.
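The two mutually exclusive workflows from the "Automatic DNSSEC signing workflow" thread (2016-07-05, above), next to the inline-signing setup Thomas asks about here, as an added example rather than configuration from either thread. In both cases the keys must already exist in `key-directory` (from `dnssec-keygen`, or `dnssec-keymgr` in 9.11); named does not create them. Paths, zone names and the key secret are hypothetical placeholders.

```conf
// Added example (not from the thread): the two ways to run auto-dnssec.

options {
    key-directory "/var/named/keys";   // K<zone>.+<alg>+<id>.{key,private} live here
};

// (1) Hand-edited text zone file + inline signing.
//     Keep editing master/example.com and bumping the SOA serial, then
//     `rndc reload example.com`. named keeps the signed copy separately
//     (master/example.com.signed plus a journal), re-signs only the RRsets
//     that changed, and refreshes expiring signatures on its own. No
//     `rndc sign` is needed for ordinary record changes.
zone "example.com" {
    type master;
    file "master/example.com";
    inline-signing yes;
    auto-dnssec maintain;
};

// (2) Dynamic zone signed in place.
//     Never edit this file by hand; every change goes through nsupdate
//     over TSIG, and named signs the new RRsets as they are added.
key "update-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItc2VjcmV0LXJlcGxhY2UtbWU=";   // placeholder, not a real secret
};
zone "dyn.example.com" {
    type master;
    file "dynamic/dyn.example.com";
    auto-dnssec maintain;
    update-policy { grant update-key zonesub ANY; };
};
```

Mixing the two, i.e. hand-editing the file of a dynamic zone, is what produces the "zone file changed underneath the journal" failures; if a manual edit of a dynamic zone is unavoidable, `rndc freeze` / edit / `rndc thaw` is the supported sequence.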

Re: Multiple A records and reverse DNS

2016-03-18 Thread Tony Finch
Thomas Schulz wrote: > We are switching service providers and I understand that many email SPAM > prevention systems insist on the reverse DNS matching the forward DNS. > If I have two A records for our mail server and the reverse record matches > one of them, will that be good

Re: PCS, Corosync, Pacemaker, and Bind

2016-03-15 Thread Tony Finch
Mike Bernhardt wrote: > > I'm setting up a new CentOS 7 DNS server cluster to replace our very old > CentOS 4 cluster. The old one uses heartbeat which is no longer supported, > so I'm now using pcs, corosync, and pacemaker. I suggest having a look at keepalived: it's

Re: forward only single zone

2016-03-07 Thread Tony Finch
Oto BREZINA wrote: > > I need to create one subzone of public zone which is served by another server. > This can not be transfered. Server is located on LAN. Tricky. I don't think it is possible to do what you want with BIND. You probably can do it with dnsdist - see

Re: what does "max-ncache-ttl 0;" mean?

2016-03-02 Thread Tony Finch
MURTARI, JOHN wrote: > > So far, all the postings I've seen just echo what he already said (and > knows). The question is - what happens when you set it to ZERO? > > I'm wondering myself - anyone have a real answer? The code says zero means zero, so in effect it would disable

Re: hhs.gov resolvers broken, or BIND misconfigured?

2016-03-02 Thread Tony Finch
James Ralston wrote: > > We're running a recursive resolver on RHEL6, using the latest > RHEL-provided BIND package, bind-9.8.2-0.37.rc1.el6_7.6. The > recursive resolver only has an IPv4 interface; it does not have an > IPv6 interface. DNSSEC is enabled (by default). Dunno

Re: Tuning for lots of SERVFAIL responses

2016-02-22 Thread Tony Finch
Grant Taylor wrote: > > Is there anything that the networking team can do to help alleviate some of > the pain? I.e. make sure that equipment returns no route to host error > messages? Will this make named abort queries before they would otherwise > timeout? Dunno

Re: Tuning for lots of SERVFAIL responses

2016-02-18 Thread Tony Finch
John Miller wrote: > Thanks for the reply, Tony. With the recent glibc bug, I figured most > folks would be off putting out those fires! If they haven't done it by now then, gosh, I feel sorry for them. (It's SO NICE to have a redundant service that you can patch and

Re: Tuning for lots of SERVFAIL responses

2016-02-18 Thread Tony Finch
John Miller wrote: > A couple of weeks ago, we experienced an outage on our external > Internet links. Ideally, this shouldn't affect queries for internal > resources - we expect those queries to continue to be answered. We've had a few connectivity losses over the last

Re: pre heat cache

2016-02-18 Thread Tony Finch
> On 18 Feb 2016, at 18:59, Robert Edmonds wrote: > > A large proportion of records are only ever used "once, or a handful of > times", according to researchers: [...] Yes, and there's an amazing amount of crap in the cache too. About 14% of our cache is weird Sonicwall

Re: pre heat cache

2016-02-18 Thread Tony Finch
Tony Finch <d...@dotat.at> wrote: > > Funnily enough I recently wrote a tool to do this but I have been failing > to publish a blog article about it... Have a look at this: > https://git.csx.cam.ac.uk/x/ucs/ipreg/adns-masterfile.git Longer blurb now published at: http://fa

Re: pre heat cache

2016-02-18 Thread Tony Finch
William Taylor wrote: > Is there anyway to pre-heat the cache in bind on startup besides having > a custom script that did a bunch of queries on top hosts? Funnily enough I recently wrote a tool to do this but I have been failing to publish a blog article about it...

Re: Zone hints for VPN environments

2016-02-15 Thread Tony Finch
Andreas Meile wrote: > The question is: How can I place the ActiveDirectory DNS as forwarder DNS > server in such a way that it is responsible for a specific DNS zone only? You very nearly have the right idea, but you are trying to use the wrong zone type. There
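Tony's reply is cut off before it names the zone type; the one that does what Andreas describes is, to the best of my knowledge, `type forward`, shown here as an added example (not configuration from the thread). The zone name and the Active Directory server addresses are hypothetical.

```conf
// Added example (not from the thread). A forward zone hands exactly one
// name space to the AD DNS servers; everything else is resolved normally.
// `forward only` never falls back to iterative resolution if the
// forwarders fail; use `forward first` if you want that fallback.
zone "ad.corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.10; 10.0.0.11; };
};

// The AD subnet's reverse mapping is a second forward zone, same mechanism.
zone "0.0.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.0.10; 10.0.0.11; };
};
```

A `forwarders` list inside `options {}` would instead send every query to the AD servers, which is the behaviour to avoid over a VPN; per-zone forwarding keeps the AD servers out of the path for everything else.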

Re: How to check slave zone freshness

2016-02-09 Thread Tony Finch
Mark Andrews wrote: > > With a modern nameserver that supports the expire edns option you can > also do "dig +expire soa zone @server" which will tell you how long > until the zone will expire on this server. By "modern", Mark means BIND 9.10 or later :-) Tony. --

Re: How to check slave zone freshness

2016-02-08 Thread Tony Finch
Klaus Darilion wrote: > > I want to monitor the freshness of my slaves zones. Is it somehow > possible to extract the status of slave-zones from bind? If you are running 9.10 or later you can use `rndc zonestatus`. I have an older script which just looks at the

Re: native pkcs#11 and dynamic signing issues

2016-01-21 Thread Tony Finch
Arun N S wrote: > > but with dynamic signing the logs were showing > "dns_dnssec_findmatchingkeys: error reading key file > Kexample.com.+008+01234.private: no engine" > > any idea? Wild guess (I know nothing about PKCS#11): are you running chrooted, and if so is the relevant

Re: Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-18 Thread Tony Finch
David Li wrote: > > Another question I haven't quite figured out is the HA architecture. > Is it possible to set up a cluster of BIND servers (> 2) for each VLAN > subnet with one of them as master the rest as slaves? Are these recursive or authoritative servers? For
