> On 29.09.16 12:25, Frank Even wrote:
> > I am running chrooted. I'm relying on the "feature" of BIND "mounting" the
> > standard dirs into a chroot via the standard startup scripts in Cent6/7.
Aha, I should have actually read setup-named-chroot.sh rather than
assuming that it copied the
Mark Andrews wrote:
>
> Both of these are on my to do list.
Yay!
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Rockall: South 5 to 7, occasionally gale 8 later. Moderate or rough, becoming
very rough later in west. Rain or showers.
Pol Hallen wrote:
>
> is it recommended to put a cron script in place to auto-update the root.hint and named.hint db?
No, it's best not to have a hints file and just use the one built in to BIND.
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Reindl Harald wrote:
>
> just because without additional responses are part of the initial question and
> may save asking for that information - in case the additional info is not
> needed by the client it saves traffic
There are a few situations in which additional data
Job wrote:
>
> Actually, dig @host some_url still shows an additional query, maybe not
> needed for a caching-only resolver:
>
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
That isn't an additional query, it's a record in the additional section
rams wrote:
> When we have a wildcard in middle labels, are we not treating it as a wildcard
> record?
In the DNS, a wildcard only occurs when the leftmost label is a *.
> Do we have any specific RFC for this?
https://tools.ietf.org/html/rfc4592#section-2.1
NOTE that wildcard
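The lookup rule from RFC 4592, as an added example (not code from this thread or from BIND): only a leftmost label of exactly "*" is a wildcard, and the wildcard that synthesises an answer for a query name is the one at that name's closest encloser. The zone contents below are constructed.

```python
"""Wildcard lookup as RFC 4592 defines it, run over a constructed toy zone.
Added example for this thread, not BIND code.  A name is a wildcard only
when its leftmost label is exactly "*", and the source of synthesis for a
query name is "*.<closest encloser>", which must itself exist in the zone."""


def labels(name):
    """Owner name -> tuple of labels, root side first, case-folded."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


def fqdn(lbls):
    return ".".join(reversed(lbls)) + "."


def is_wildcard(name):
    """RFC 4592 section 2.1.1: only a leftmost label of "*" is a wildcard;
    a "*" anywhere else in the name is an ordinary label."""
    lbls = labels(name)
    return bool(lbls) and lbls[-1] == "*"


def existing_names(owners, apex):
    """Every name that exists in the zone: each owner plus its ancestors
    down to the apex.  Ancestors without records are empty non-terminals,
    which still exist and therefore still block wildcard matches."""
    apex_l = labels(apex)
    names = set()
    for owner in owners:
        lbls = labels(owner)
        if lbls[:len(apex_l)] != apex_l:
            raise ValueError(f"{owner} is not under {apex}")
        for i in range(len(apex_l), len(lbls) + 1):
            names.add(lbls[:i])
    return names


def closest_encloser(qlabels, names):
    """Longest existing ancestor of the query name (RFC 4592 section 3.3.1)."""
    for i in range(len(qlabels), -1, -1):
        if qlabels[:i] in names:
            return qlabels[:i]
    return None


def wildcard_source(qname, owners, apex):
    """Return the wildcard owner that synthesises an answer for qname, or
    None when the name exists, is outside the zone, or has no wildcard at
    its closest encloser."""
    q = labels(qname)
    names = existing_names(owners, apex)
    if q in names:
        return None                      # exact match: nothing to synthesise
    ce = closest_encloser(q, names)
    if ce is None:
        return None                      # not inside this zone at all
    candidate = ce + ("*",)
    return fqdn(candidate) if candidate in names else None


# Constructed zone: a wildcard at the apex, one ordinary host, and a name
# with "*" in a non-leftmost label (which is not a wildcard).
ZONE_APEX = "example."
ZONE_OWNERS = ["example.", "*.example.", "host1.example.", "ftp.*.example."]

if __name__ == "__main__":
    for q in ("www.example.", "a.b.example.", "www.host1.example."):
        print(q, "->", wildcard_source(q, ZONE_OWNERS, ZONE_APEX))
```

The classic surprise is the third query: host1.example. exists, so it is the closest encloser of www.host1.example., and since *.host1.example. does not exist the apex wildcard does not apply and the answer is NXDOMAIN.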
Benny Pedersen wrote:
>
> why does reload not flush?
Often you want to reload zone files without throwing away the cache.
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Bailey: Southeast 6 to gale 8, becoming cyclonic, mainly southwest,
Mukund Sivaraman wrote:
>
> There's an attempt to make it go one step further by refreshing whole
> zones in the cache:
>
> https://github.com/muks/dnsrefresh
>
> It needs another section to be completed before upload, possibly in time
> for IETF-97.
Oh dear, that is deeply
Frank Even wrote:
> Is there a way to add forwarders for specific zones without a restart?
> Everything I've read seems to indicate an "rndc reconfig" or an "rndc
> reload" should take care of this, but they do not. I add forwarders to
> "named.conf" and neither will
/dev/rob0 wrote:
>
> If you're thinking that you can do this replication to improve DNS
> performance, you're right, it will do that. But it certainly will
> not scale (if it's even possible to get axfr/ixfr), and it won't
> handle modern CDN systems properly.
BIND 9.10 and
Tom wrote:
>
> What is the supported/preferred way for implementing slave-rpz's in views?
> I want to achieve, that view1 has a different policy-configuration (passthru,
> given, nxdomain..) than the ones configured in view2 using the same
> slave-rpz-files. If not
Anand Buddhdev wrote:
>
> In newer versions of BIND, you cannot share a writable file in different
> views. This is a bad configuration, and newer versions of BIND reject it.
> Just use different file names.
To clarify, you couldn't in older versions of BIND either! It would
Jim Popovitch wrote:
>
> Hmmm, this is counter to what I've believed all along. I thought it was
> prudent to have key overlap during rollovers.
There are two separate things which you can overlap semi-independently:
* is the key published in the zone?
* is the key
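The two overlaps in code, as an added example (not from this thread): BIND's dnssec-keygen and dnssec-settime record Publish (-P), Activate (-A), Inactive (-I) and Delete (-D) times on each key, and named derives from them whether the DNSKEY is in the zone and, separately, whether the key is making signatures. The key tags, dates and TTLs below are constructed, and the rollover schedule follows the pre-publish ZSK method of RFC 6781.

```python
"""Key timing metadata as BIND's dnssec-keygen / dnssec-settime store it
(Publish -P, Activate -A, Inactive -I, Delete -D) and the two facts named
derives from it for each key: is the DNSKEY in the zone, and does the key
sign.  Added example; the tags, dates and TTLs below are constructed."""
from datetime import datetime, timedelta


class KeyTiming:
    def __init__(self, tag, publish, activate, inactive=None, delete=None):
        self.tag = tag
        self.publish = publish      # DNSKEY enters the zone
        self.activate = activate    # key starts making RRSIGs
        self.inactive = inactive    # key stops making RRSIGs
        self.delete = delete        # DNSKEY leaves the zone

    def published(self, t):
        """Publish <= t < Delete: the DNSKEY RR is in the zone."""
        return self.publish <= t and (self.delete is None or t < self.delete)

    def signing(self, t):
        """Activate <= t < Inactive: RRSIGs are being made with this key."""
        return self.activate <= t and (self.inactive is None or t < self.inactive)


def prepublish_rollover(old, new_tag, start, dnskey_ttl, max_zone_ttl,
                        propagation=timedelta(0)):
    """Schedule a pre-publish ZSK rollover (RFC 6781 section 4.1.1.1).
    The new DNSKEY is published first; signing switches only once every
    cache can have seen the new DNSKEY RRset; the old DNSKEY stays in the
    zone until every RRSIG it made can have expired from caches."""
    switch = start + dnskey_ttl + propagation
    new = KeyTiming(new_tag, publish=start, activate=switch)
    old.inactive = switch
    old.delete = switch + max_zone_ttl + propagation
    return new


def zone_state(keys, t):
    """(tags published, tags signing) at time t.  The two lists overlap
    independently of each other during a rollover."""
    return (sorted(k.tag for k in keys if k.published(t)),
            sorted(k.tag for k in keys if k.signing(t)))


def demo_rollover():
    """Constructed scenario: ZSK 11111 in service since 2016-01-01, new ZSK
    22222 pre-published on 2016-06-01 with a 1-day DNSKEY TTL and a 7-day
    maximum zone TTL.  Returns {day of June: (published, signing)}."""
    old = KeyTiming(11111, publish=datetime(2016, 1, 1),
                    activate=datetime(2016, 1, 1))
    new = prepublish_rollover(old, 22222, datetime(2016, 6, 1),
                              dnskey_ttl=timedelta(days=1),
                              max_zone_ttl=timedelta(days=7))
    return {d: zone_state([old, new], datetime(2016, 6, d))
            for d in (1, 2, 3, 9)}


if __name__ == "__main__":
    for day, (published, signing) in demo_rollover().items():
        print(f"2016-06-{day:02d} published={published} signing={signing}")
```

Between the switch and the delete date both DNSKEYs are published but only the new one signs; that is the overlap that matters, and it is what the metadata expresses without any hand-edited zone files.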
Jim Popovitch via bind-users wrote:
>
> Thanks. Now I'm seeing something slightly different. I have 3 NS
> servers, ns{1-3}.domainmail.org.
>
> When I first asked 3 days ago I was seeing long ANY responses on the
> master (ns1). Today I am seeing long ANY responses on
Jim Popovitch via bind-users wrote:
>
> Should minimal-all (v9.11.0-rc1) work on a master? My testing shows
> that it only works on the slave DNS servers.
Works for me :-) minimal-any is implemented at the point the records are
being assembled into an answer - it still
/dev/rob0 wrote:
>
> (See also RFC 2317 for "classless" reverse DNS delegation, but no,
> DO NOT read that: I only mention it for completeness, as we have
> pedantic posters on this list ... myself included. ;) )
Yeah, try https://tools.ietf.org/html/draft-ietf-dnsop-rfc2317bis
Tom wrote:
>
> I have a bind-setup with activated response-policy-zones. For *each*
> client-forward-query, which has a valid dns-response, I got an error in the
> client-log (for NXDOMAIN-Responses, I didn't have such errors... ex. "dig
> @nameserver
Aleks Ostapenko wrote:
>
> Unfortunately, after
>
> 1. rndc freeze myzone
> 2. named-compilezone -f raw -F text -o myzone.text myzone myzone.signed
> change TTL on DNSKEY and RRSIG DNSKEY in myzone.text
> named-compilezone -f text -F raw -o myzone.signed
Darcy Kevin (FCA) wrote:
> From an InfoSec standpoint, of course one would prefer to use
> cryptographic methods of securing DNS data,
Yes, use TSIG for zone transfers. You can also use it for forwarding.
Tony.
--
f.anthony.n.finch http://dotat.at/
Andreas Meyer wrote:
>
> Do I need to create keys first when I create a new zone and
> use inline signing or is keycreation done by named?
named does not create keys for you, but have a look at dnssec-keymgr in
BIND 9.11
Tony.
--
f.anthony.n.finch
Baird, Josh wrote:
>
> In the past, when I have had a requirement to bring a slave zone into
> our environment; I created a slave zone on my master(s) (defining the
> external nameserver as a master) and then created slave zones on my
> slaves using *my* master as a master
Aleks Ostapenko wrote:
> As for second variant - unfortunately I don't know how to edit manually TTL
> in the signed (not raw) master file.
(1) Use `rndc freeze` which makes `named` rewrite the zone file with all
pending changes from the journal, and makes it
Wolfgang Riedel wrote:
>
> not sure if this is a bug or a feature but had been scratching my head
> for months now running BIND on Fedora22-24 and all the time I did a
> reboot BIND didn't come up and I needed to restart the process to get it
> running. After some googling around
Harshith Mulky wrote:
>
> Can max-cache-ttl be used on the client (client which supports bind) to
> override the default ttl time sent in response by Bind server for
> Positive Responses?
Yes.
Tony.
--
f.anthony.n.finch http://dotat.at/ - I
Александр Остапенко wrote:
> Thanks for a workaround. But in this case - after "dnssec-settime -L ttl" I
> need to unsign/sign the zone (p.1 of steps above) in order for the new TTL value
> to appear in the DNSKEY RRset ("service bind9 reload" or "rndc loadkeys" has no
> effect).
Fima Leshinsky wrote:
>
> It seems like setting the TC flag is what I'm after but curious if there's
> a way to do this via configuration rather than a patch.
You can do this by setting the rate-limit slip parameter to 1. This might
be the right answer if you want to use an
Andreas Meyer <a.me...@nimmini.de> wrote:
> Tony Finch <d...@dotat.at> schrieb am 04.08.16 um 09:21:36 Uhr:
> >
> > The error message refers to the key ID rather than the filename - in more
> > recent versions it has been clarified to use the actual fil
Andreas Meyer wrote:
>
> dns_dnssec_keylistfromrdataset: error reading private key file
> bitcorner.de/RSASHA1/16938: file not found
>
> I think it must have something to do with the name itself, could it be?
>
> The key is named Kbitcorner.de.+005+16938.private but named is
Spumonti Spumonti wrote:
>
> We have an authoritative server and it has a zone with secondary name
> servers owned by another organization.
>
> This authoritative name server needs to send a NOTIFY to these other
> name servers.
>
> I thought it was enough for BIND to use the
Paul A wrote:
>
> named[7062]: client xx.xx.64.2#51056: received notify for zone 'xxx: not
> authoritative
>
> However some zones I don't get the message above some I do, I'm not using
> views so I'm lost as to why this is happening.
Are you sure the zone is actually
Ejaz wrote:
>
> Such as, if someone is sending an ANY request, by default it should be
> denied when users request it..
BIND 9.11 will have a minimal-any option.
https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
S Carr wrote:
>
> You might want to check whether the requests are legitimate before
> completely blocking them, rate limiting would be a better option.
Remember this is TCP traffic.
RRL is designed to deal with spoofed UDP traffic. It can actually make
non-spoofed floods
Ejaz wrote:
>
> I am not using iptable firewall from my redhat Linux box, all traffic
> managed by network team..
Well then, you should co-operate with them to fix the problem.
You might find that it helps to put the following in the options{} section
of named.conf, but
Ian Veach wrote:
>
> So, any ideas on why I would see that slave initiate transfers on its OS
> IP versus the transfer-source IP... especially when the other three work
> fine?
What does the log say about interface addresses? Which version of BIND are
you running? Has
Manuel Ramírez wrote:
>
> I would like to know if is possible to see in the queries.log output the ip
> address resolved
No, it only logs the query, not the answers.
Have a look at passive DNS or dnstap if you want more detailed telemetry.
Tony.
--
Nis Wechselberg wrote:
> Am I getting it right that the rest of the zone is not (re)signed
> because the current signature is still valid for some time?
>
> So if I were to set sig-validity-interval to a shorter value, this would
> help with the issue?
If you are testing out a
Mathew Ian Eis wrote:
>
> sig-validity-interval seems to only affect the expiration date of newly
> created signatures, and of course signatures are only rolling over to
> new keys as they expire.
>
> I am wondering if I can ask bind to set the expiration for, say 30 days
>
Georg Kahest wrote:
> On 07/13/2016 03:16 PM, Mark Andrews wrote:
> >
> > You have a delegation without a DS record.
>
> Or have a DS record without actual dnskey/rrsig records in the
> delegated zone.
Be aware that these are very different things!
Mark's suggestion
rams wrote:
> Can anyone explain how to break the trust chain in DNSSEC, with an example of how to
> create a zone or data with a trust chain break?
Create a delegation without a DS record.
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Lundy,
Vlad Shpolyanskiy wrote:
> Yep, I'm able to query servers directly, so it's not a network problem.
Are you running dig on the resolver itself?
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Biscay: Variable becoming west or
Vlad V. Shpolyanskiy wrote:
>
> I have problems resolving zone retn.net.
It works for me...
> I guess that bind does not like name server's IP ending with zero.
> But that's only my suggestion.
Are you able to query the authoritative servers directly? If not, you
Mathew Ian Eis wrote:
>
> Does all of that sound right?
I believe so, yes.
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Humber, Thames, Dover, Wight, Portland, Plymouth, North Biscay: Northwesterly,
backing southwesterly, 3 or 4,
Mathew Ian Eis wrote:
>
> > Are you allowing enough time for named to go through a zone key
> > maintenance cycle? (which is hourly if I remember correctly)
>
> I’m not sure, it sounds like perhaps not always? You’ve mentioned a “zone
> key maintenance cycle” of an hour, and
Daniel A. Ramaley wrote:
>
> From the responses i received, it seems i completely misunderstood how
> automatic signing is supposed to work. If i'm now understanding
> correctly, there are 2 mutually exclusive ways to do things:
> 1) Maintain zone files with a text
Mathew Ian Eis wrote:
>
> We think that in some cases, named may be choosing to use a key past the
> removal date (as in [2]), while our file maintenance process removes the
> keys as per their deletion date – after which named no longer has the
> necessary metadata to
Tony Finch <d...@dotat.at> wrote:
> dramaley <daniel.rama...@drake.edu> wrote:
>
> > Hello. I'm running Bind 9.9.4 (the default that comes with RHEL 7). I'm
> > trying to figure out a workflow for doing DNS updates with auto-dnssec
> > turned on. When I
dramaley wrote:
> Hello. I'm running Bind 9.9.4 (the default that comes with RHEL 7). I'm
> trying to figure out a workflow for doing DNS updates with auto-dnssec
> turned on. When I have to update a zone file, I do so by editing the zone
> file and incrementing the
Alan Clegg wrote:
>
> As for NOTIMP, I'm not aware of an easy path, but I'm sure that someone here
> knows.
; <<>> DiG 9.11.0a1 <<>> +noedns dotat.at in maila
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 42331
;; flags: qr rd ra;
bind-us...@arminpech.de wrote:
>
> I would like to handle KSK updates of second level domains using that
> tool (option -k applies policy only on KSKs). And especially I'm looking
> for an interface to trigger updates of DS records.
>
> The call on dnssec-settime may
Jun Xiang X Tee wrote:
>
> For the past two weeks, I have searched through many articles online
> and asked many people on how to do this, but I am still confused on
> where "dig" gets the UDP packets from.
It sounds like you should start off with a good DNS textbook, such as
Jun Xiang X Tee wrote:
>
> I wish to know efficient ways to query "resolver" and "lwresd". To my
> understanding, "resolver" is the iterative full DNS resolver,
"resolver" is a generic term. I think you are thinking of "named", BIND's
DNS server.
> and "lwresd" is the
Darcy Kevin (FCA) wrote:
> My understanding is that the "extra" stuff wouldn't have any signature
> at all.
I'm not sure if the question was that well specified :-)
> Wouldn't that break DNSSEC if the rest of the response had signatures?
> Or does the
Phil Mayers wrote:
>
> For what it's worth, I've been aggressively monitoring DNS resolution of
> outlook.office365.com from all four of our recursives, both A & , once a
> minute for the past 3 months.
I wonder if you would notice more problems if your query
Thomas Sturm wrote:
>
> We are experiencing strange intermittent issues when resolving
> outlook.office365.com, but also with other domains like e.g.
> amazonaws.com or snort.org.
Based on recent discussions on the mailop list
(https://chilli.nosignal.org/mailman/listinfo/mailop)
Darcy Kevin (FCA) wrote:
>
> It'll also, irrespective of caching, break DNSSEC.
No, extra stuff in the additional section should not break DNSSEC
because the signatures are per-RRset not per-message.
Tony.
--
f.anthony.n.finch http://dotat.at/ - I
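The per-RRset scope of a signature, shown on the wire as an added example (not code from this thread or from BIND): an RRSIG's RDATA names one owner and one type covered, so a validator checks each RRset on its own and an unsigned record in the additional section is simply unvalidated data, not a failure of the signed answer. The response below is constructed, with a fake signature and a compression pointer so the parser handles both cases.

```python
"""Why unsigned data in the additional section does not break DNSSEC: each
RRSIG covers exactly one RRset (owner name + type), so a validator checks
RRsets one at a time and treats an RRset with no RRSIG as merely unsigned.
Added example, not code from the thread; the message below is constructed
with a fake signature and a compression pointer to exercise the parser."""
import struct

RRSIG, A, MX = 46, 1, 15
TYPE_NAMES = {A: "A", MX: "MX", RRSIG: "RRSIG"}


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def rr(owner, rtype, rdata, ttl=300):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def rrsig_rdata(covered, signer):
    # type covered, algorithm (8 = RSASHA256), labels, original TTL,
    # expiration, inception, key tag, signer name, then a fake signature
    return (struct.pack("!HBBIIIH", covered, 8, 2, 300,
                        0x58000000, 0x57000000, 4242)
            + encode_name(signer) + b"\x00" * 32)


def build_message():
    """Constructed response to 'mail.example. MX': a signed MX RRset in the
    answer and an unsigned A record in the additional section (the kind of
    extra data the thread is about).  The additional owner 'mx1.example.'
    uses a pointer to offset 17, where 'example.' sits in the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
    question = encode_name("mail.example.") + struct.pack("!HH", MX, 1)
    answer = (rr(encode_name("mail.example."), MX,
                 struct.pack("!H", 10) + encode_name("mx1.example."))
              + rr(encode_name("mail.example."), RRSIG,
                   rrsig_rdata(MX, "example.")))
    additional = rr(b"\x03mx1" + b"\xC0\x11", A, bytes([192, 0, 2, 25]))
    return header + question + answer + additional


def parse_message(msg):
    """Return {section: [(owner, type, rdata), ...]} for the RR sections."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                    # qtype + qclass
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections[sec] = rrs
    return sections


def signature_coverage(sections):
    """For every non-RRSIG RRset, say whether an RRSIG in the same section
    covers it.  The key is (owner, type covered): that is the whole scope of
    one signature, so a signed answer is unaffected by what else the
    message carries."""
    coverage = {}
    for sec, rrs in sections.items():
        signed = {(owner, struct.unpack("!H", rdata[:2])[0])
                  for owner, rtype, rdata in rrs if rtype == RRSIG}
        for owner, rtype, _ in rrs:
            if rtype != RRSIG:
                coverage[(sec, owner, TYPE_NAMES.get(rtype, rtype))] = \
                    (owner, rtype) in signed
    return coverage


if __name__ == "__main__":
    for key, ok in signature_coverage(parse_message(build_message())).items():
        print(key, "signed" if ok else "unsigned")
```

A validator that receives this message validates the MX RRset with its RRSIG and either ignores or separately re-queries the unsigned A record; the presence of that record changes nothing about the MX validation.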
Harshith Mulky wrote:
> Is it necessary for named.conf in the chroot path and /etc path to be the same?
If they aren't the same, at some point in the future you or your
colleagues are going to get very confused about which one is the right
one.
> I have 2 different
Harshith Mulky wrote:
>
> test1.zone has following set of records,
>
[snip]
> test1 IN NAPTR 22 32 "u""SIP+D2U" ""
> _sip._udp.test1.com.
[snip]
>
> ;; QUESTION SECTION:
> ;test1.com. IN NAPTR
The only NAPTR record
Jonathan Del Campo wrote:
>
> So if I have to create two /24 reverse zones for my case, I will, but I was
> hoping for a smarter solution.
Oh, I had a brainfart, I read /23 as /25 :-) Yes, two /24s is the best
solution.
For smarter solutions, see the rfc2317bis I-D, though
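How the /23 case maps onto reverse zones, as an added example (not from this thread): a prefix of /24 or shorter rounds up to whole in-addr.arpa labels, so a /23 is two /24 zones, while anything longer than /24 needs the classless delegation of RFC 2317 rather than a zone of its own. The prefixes used are constructed.

```python
"""Reverse-zone names for an IPv4 prefix: anything /24 or shorter maps onto
whole in-addr.arpa labels, so a /23 is simply two /24 zones; anything
longer needs RFC 2317 classless delegation instead.  Added example, not
from the thread; the prefixes in the demo are constructed."""
import ipaddress


def needs_classless(prefix):
    """True when the prefix is longer than /24 and so cannot have its own
    octet-aligned in-addr.arpa zone."""
    return ipaddress.IPv4Network(prefix, strict=True).prefixlen > 24


def reverse_zones(prefix):
    """List the in-addr.arpa zones that together cover `prefix`."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    if net.prefixlen > 24:
        raise ValueError(f"{net}: longer than /24, needs RFC 2317-style "
                         "classless delegation rather than its own zone")
    # Round the prefix length up to a whole octet, then enumerate the
    # octet-aligned subnets: /23 -> two /24s, /20 -> sixteen /24s, /16 -> one.
    aligned = -(-net.prefixlen // 8) * 8
    if aligned == 0:
        return ["in-addr.arpa."]
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa.")
    return zones


def ptr_owner(address):
    """Owner name of the PTR record for one address."""
    return ipaddress.IPv4Address(address).reverse_pointer + "."


def zone_for(address, prefix):
    """Which of the prefix's reverse zones holds the PTR for `address`."""
    owner = ptr_owner(address)
    for zone in reverse_zones(prefix):
        if owner.endswith("." + zone):
            return zone
    raise ValueError(f"{address} is not inside {prefix}")


if __name__ == "__main__":
    print(reverse_zones("192.168.222.0/23"))
    print(zone_for("192.168.223.7", "192.168.222.0/23"))
    print(needs_classless("192.168.222.0/25"))
```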
Jonathan Del Campo wrote:
>
> We are trying to create a zone for a /23 subnet (192.168.222.0/23), but we
> can't get the reverse zone working.
What error messages do you get in your logs? Any other symptoms of
"not working"?
> I don't know if the naming convention is
Job wrote:
> But, if i have two different zones (or three), in the response-policy
> sentence, can i trigger the Client only for a zone and not for the other
> zone?
> Some Client would not have to match together the two zones!
I think your question is answered by
Job wrote:
>
> is there a way to define more response-policy in Bind or the possibility
> to apply a response-policy only to certain client ip?
There is the RPZ-CLIENT-IP trigger, which applies to any query from a
matching client IP address. Or you can use views to
Job wrote:
>
> i add that, if i have a passthru defined in the second zone
> (rpz-dyndns.lan), the third RPZ zone is NOT applied.
>
> If i have no pass-through in the previous definition, it works!
That's how passthru is supposed to work.
Tony.
--
f.anthony.n.finch
Marc Haber wrote:
>
> in Debian, the bind9 packages have recently started to trouble me in
> chrooted environments since some cryptographic libraries are loaded
> after bind has chrooted itself, which results - in the case of a
> minimal chroot - in a fatal run-time
Rajesh M <24x7ser...@24x7server.net> wrote:
>
> however after installation I am getting the same error as earlier
>
> The ISC BIND service failed to start due to the following error:
> ISC BIND is not a valid Win32 application.
Googling for the error message produces this KB article:
Paul Kosinski wrote:
> Except for this single dynamic IP address, the zone file is maintained
> by hand with a text editor, so rearranging it into an arbitrary order
> would make hand maintenance much more difficult.
>
> If there is a way to have nsupdate preserve the original
Baird, Josh wrote:
> Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]?
>
> [1]
> https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/
Run a command like this from cron
aname example.com www.example.com |
Matthew Pounsett wrote:
>
> Privsep doesn't actually fix the same problem chroot does. As I
> understand it, privsep reduces the attack surface for remote execution
> exploits by shuffling off privileged operations to a separate process, but
> if that process isn't chrooted
sth...@nethelp.no wrote:
>
> Have you checked your operating system limits? One recursive client
> often means one open socket (waiting for response from authoritative
> server), i.e. one open file descriptor. If you have thousands of
> simultaneous recursive clients, you will
Robert Edmonds <edmo...@mycre.ws> wrote:
> Tony Finch wrote:
> > Phil Mayers <p.may...@imperial.ac.uk> wrote:
> > >
> > > What is considered the source of the ownername for, say, "com."?
> >
> > It should be the root zone master file.
>
Michael Brunnbauer wrote:
>
> I am using bind on a server that does massive crawling with a multithreaded
> Java app. This server occasionally has to do lookups for hosts in our local
> zone netestate.de - for which it is not authoritative - and those lookups tend
> to fail
Phil Mayers wrote:
>
> What is considered the source of the ownername for, say, "com."?
It should be the root zone master file.
However authoritative server implementations differ in whether they echo
the query case or preserve the master case. e.g. a.root-servers.net
Phil Mayers <p.may...@imperial.ac.uk> wrote:
> On 30/03/16 10:50, Tony Finch wrote:
> >
> > Yes, we encountered that problem recently :-) You can revert to the old
> > behaviour using
> >
> > no-case-compress { any; };
>
> +1 super confusing when w
Mike Bernhardt wrote:
> I rebooted one of our BIND VMs this morning. It's running BIND 9.10.3-P3. We
> noticed that queries for domains with domain.com were answered with
> domain.COM with the .COM in capital letters. Other high-levels like .org
> were not changed. It caused
Dave Warren <da...@hireahit.com> wrote:
> On 2016-03-24 09:46, Ray Bellis wrote:
> > On 24/03/2016 16:41, Tony Finch wrote:
> >
> > > >When I changed our TTLs from 24h to 1h last year, it didn't have a
> > > >visible
> > > >effec
Ben Bridges wrote:
> Microsoft wants a short TTL for their Office 365 records, but I would
> prefer to generally use a longer TTL for most records (including other
> TXT records) in order to reduce the query load on our servers.
I gather MS ask for a 1 hour TTL - at
Lightner, Jeff wrote:
>
> With systemd the methodology isn't that BIND notifies other things that
> it is up. It is that other things, if dependent upon BIND, have in
> their systemd files a requirement that BIND be up before they start.
Yes, but how does systemd know
Reindl Harald <h.rei...@thelounge.net> wrote:
> Am 23.03.2016 um 13:36 schrieb Tony Finch:
> >
> > BIND does not do that - it forks too early. It's a bit tiresome
>
> then this is a bug in BIND which should be fixed instead of worked around -
Yes.
> the whole purpose
Reindl Harald wrote:
>
> > The problem that I alluded to above is that if you have services that
> > depend on the DNS, there should be a mechanism for the DNS server to say
> > when it is ready and that it's OK to start services that need DNS. I don't
> > know the right
Reindl Harald <h.rei...@thelounge.net> wrote:
> Am 23.03.2016 um 11:54 schrieb Tony Finch:
> >
> > There's a sample unit file in the chroot setup instructions at
> > https://wiki.debian.org/Bind9
> >
> > (It looks a bit half-baked to me since it doesn't see
Sean Son wrote:
>
> I recently compiled and installed BIND 9.10.3-p4 from source on a system
> running CentOS 7. This is for practice purposes. I've been searching all of
> the net and I cannot find the answer to this one question of mine: How do I
> create the
Charles Swiger wrote:
>
> You could always ask the A root server (or one of the others) what it
> thinks the IP should be:
>
> % dig l.root-servers.net. @a.root-servers.net | grep l
It's the record which is changing, not the A record, and it won't
change until tomorrow.
Olsen, Richard William (Rick) CTR (US) wrote:
> I'm looking into the GEOIP functionality but we are in the 9.9 release tree.
> I don't see it in the documentation but wanted to check here in case I'm
> just missing it.
It's a 9.10 feature.
Tony.
--
Mike Bernhardt wrote:
> Please confirm that if a DNS query is sent to the virtual address, the reply
> will be sourced from the virtual address.
Yes.
(query-source doesn't affect replies.)
> The documentation for keepalived isn't very good, but as near as I can tell
> it
Thomas Schulz wrote:
> We currently have adi.com signed using options:
>
> inline-signing yes;
> auto-dnssec maintain;
>
> If I change an A record or add a new A record, will the signing be
> automatically updated or do I have to do an rndc sign zone?
It's automatic :-)
Tony.
Thomas Schulz wrote:
> We are switching service providers and I understand that many email SPAM
> prevention systems insist on the reverse DNS matching the forward DNS.
> If I have two A records for our mail server and the reverse record matches
> one of them, will that be good
Mike Bernhardt wrote:
>
> I'm setting up a new CentOS 7 DNS server cluster to replace our very old
> CentOS 4 cluster. The old one uses heartbeat which is no longer supported,
> so I'm now using pcs, corosync, and pacemaker.
I suggest having a look at keepalived: it's
Oto BREZINA wrote:
>
> I need to create one subzone of public zone which is served by another server.
> This can not be transferred. Server is located on LAN.
Tricky. I don't think it is possible to do what you want with BIND.
You probably can do it with dnsdist - see
MURTARI, JOHN wrote:
>
> So far, all the postings I've seen just echo what he already said (and
> knows). The question is - what happens when you set it to ZERO?
>
> I'm wondering myself - anyone have a real answer?
The code says zero means zero, so in effect it would disable
James Ralston wrote:
>
> We're running a recursive resolver on RHEL6, using the latest
> RHEL-provided BIND package, bind-9.8.2-0.37.rc1.el6_7.6. The
> recursive resolver only has an IPv4 interface; it does not have an
> IPv6 interface. DNSSEC is enabled (by default).
Dunno
Grant Taylor wrote:
>
> Is there anything that the networking team can do to help alleviate some of
> the pain? I.e. make sure that equipment returns no route to host error
> messages? Will this make named abort queries before they would otherwise
> timeout?
Dunno
John Miller wrote:
> Thanks for the reply, Tony. With the recent glibc bug, I figured most
> folks would be off putting out those fires!
If they haven't done it by now then, gosh, I feel sorry for them.
(It's SO NICE to have a redundant service that you can patch and
John Miller wrote:
> A couple of weeks ago, we experienced an outage on our external
> Internet links. Ideally, this shouldn't affect queries for internal
> resources - we expect those queries to continue to be answered.
We've had a few connectivity losses over the last
> On 18 Feb 2016, at 18:59, Robert Edmonds wrote:
>
> A large proportion of records are only ever used "once, or a handful of
> times", according to researchers: [...]
Yes, and there's an amazing amount of crap in the cache too. About 14% of our
cache is weird Sonicwall
Tony Finch <d...@dotat.at> wrote:
>
> Funnily enough I recently wrote a tool to do this but I have been failing
> to publish a blog article about it... Have a look at this:
> https://git.csx.cam.ac.uk/x/ucs/ipreg/adns-masterfile.git
Longer blurb now published at: http://fa
William Taylor wrote:
> Is there any way to pre-heat the cache in bind on startup besides having
> a custom script that did a bunch of queries on top hosts?
Funnily enough I recently wrote a tool to do this but I have been failing
to publish a blog article about it...
Andreas Meile wrote:
> The question is: How can I place the ActiveDirectory DNS as forwarder DNS
> server in such a way that it is responsible for a specific DNS zone only?
You very nearly have the right idea, but you are trying to use the wrong
zone type. There
Mark Andrews wrote:
>
> With a modern nameserver that supports the expire edns option you can
> also do "dig +expire soa zone @server" which will tell you how long
> until the zone will expire on this server.
By "modern", Mark means BIND 9.10 or later :-)
Tony.
--
Klaus Darilion wrote:
>
> I want to monitor the freshness of my slave zones. Is it somehow
> possible to extract the status of slave-zones from bind?
If you are running 9.10 or later you can use `rndc zonestatus`.
I have an older script which just looks at the
Arun N S wrote:
>
> but with dynamic signing the logs were showing
> "dns_dnssec_findmatchingkeys: error reading key file
> Kexample.com.+008+01234.private: no engine"
>
> any idea?
Wild guess (I know nothing about PKCS#11): are you running chrooted, and
if so is the relevant
David Li wrote:
>
> Another question I haven't quite figured out is the HA architecture.
> Is it possible to set up a cluster of BIND servers (> 2) for each VLAN
> subnet with one of them as master the rest as slaves?
Are these recursive or authoritative servers?
For