Re: signature expiration

2013-04-11 Thread Tony Finch
hugo hugoo wrote: > Can anyone tell me why signatures in dnssec must be renewed every 30 > days? The limited lifetime of the signatures reduces your exposure to a replay attack. After the signature has expired an attacker cannot fool a victim by giving them the stale data. > What are the modific

Re: signature expiration

2013-04-11 Thread Tony Finch
Alan Clegg wrote: > > I use dynamic zones and never concern myself with expired signatures. > You can also use inline signing to remove this "hassle". Yes! > Better solution: Sign them more often. Why not sign them twice a day? > I personally don't think that extending the signature validity p

Re: NS geo-distribution

2013-05-01 Thread Tony Finch
Dave Warren wrote: > > With the vast majority of our customers being in North America (probably 75% > of users are in Canada), would it make sense to add a Europe based NS or would > this tend to return slower results on average since a potential user would > have a 1/3 chance of hitting a NS with

Re: architecture question

2013-05-08 Thread Tony Finch
Jeremy P wrote: > > I will switch to something more "out there" in the future. I take it that > .lan is safe? Don't use .lan either - it is very popular with malware and is likely to get you blacklisted. Use a real domain. Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East,

Re: architecture question

2013-05-09 Thread Tony Finch
Michael McNally wrote: > On 5/8/13 9:33 AM, Jeremy P wrote: > > > > However, there are times where registering a real domain just isn't > > practical. For example, I'm not going to ask all of the students in my > > courses to go out and register a .com for the semester. > > The flip side of this

Re: architecture question

2013-05-09 Thread Tony Finch
Matus UHLAR - fantomas wrote: > On 09.05.13 10:21, Tony Finch wrote: > > Right. Give each student a subdomain of some existing domain, even if the > > subdomains aren't publicly delegated. > > yes, so they will start using it in their job and home. They shouldn&#x

Re: architecture question

2013-05-09 Thread Tony Finch
Matus UHLAR - fantomas wrote: > > > On 09.05.13 10:21, Tony Finch wrote: > > > > Right. Give each student a subdomain of some existing domain, even > > > > if the subdomains aren't publicly delegated. > > > Matus UHLAR - fantomas wrote: > >

Re: Stalling slave transfers

2013-05-15 Thread Tony Finch
Tom Sommer wrote: > > That works fine, but I think I figured out the problem, it was due to > the server having acquired a 2nd (autodiscovered) IPv6 address, and it > was using that as transfer source. It would be very helpful if the > logfile said the actual source IP, and not just 0.0.0.0#53 or

Re: any requests

2013-06-05 Thread Tony Finch
Leonard Mills wrote: > If some of your clients are SMTP relays, then ANY is the default > lookup for an MX and is perfectly normal. Much better from the point of > view of the mail servers to do one lookup instead of several. You are not quite correct. See http://fanf.livejournal.com/10

Re: Confused about a basic concept

2013-06-05 Thread Tony Finch
Bryan Harris wrote: > > After reading everything it looks to me like our hidden master configuration > is basically okay, but by some of the best practices described, it could be > better and easier to work with if we had a separate caching layer. Note that the caches live on the client side of D

Re: any requests

2013-06-05 Thread Tony Finch
Vernon Schryver wrote: > > If you have a domain to which you can add records for a subdomain > with differing 5-30 second TTLs and can spend not just 5 seconds but > a few minutes playing around, you might come to my conclusion. I think > they treat ANY as if it were pseudo-rdataset containin

Re: any requests

2013-06-06 Thread Tony Finch
Doug Barton wrote: > On 06/05/2013 11:33 AM, Tony Finch wrote: > > I believe the ANY hack on mail servers was a Sendmailism 20ish years ago. > > s/Send/q/ No, I meant Sendmail - see http://fanf.livejournal.com/10.html Sendmail at one time tried to use ANY for combined MX+A

Re: any requests

2013-06-06 Thread Tony Finch
Vernon Schryver wrote: > > > [ANY query for combined MX/A lookup was] a bad hack then and it > > has remained a bad hack :-) > > I would not agree if you could rely on the open resolvers continuing > to do what they're doing, if you didn't care about parsing 3 or 4 > KBytes of irrelevant bits to g

Re: any requests

2013-06-06 Thread Tony Finch
Barry Margolin wrote: > In article , > Tony Finch wrote: > > > The ANY query does not trigger alias processing, so if there is a CNAME > > chain you have to follow it yourself. This is a waste because if you made > > an MX query in the first place the server wou

Re: any requests

2013-06-06 Thread Tony Finch
Vernon Schryver wrote: > > About chasing CNAMEs safely or otherwise, please recall the somewhat > controversial DontExpandCnames. The current cf/README says: > > confDONT_EXPAND_CNAMES DontExpandCnames > [False] If set, $[ ... $] lookups that > do DNS base

Re: Stub zones vs minimal responses

2013-06-12 Thread Tony Finch
Chris Buxton wrote: > > If an authoritative server is configured to send minimal responses, will > a stub zone get all the necessary data from that server? What I'm seeing > is, the recursive server sends an SOA query; the response contains only > the SOA record, and no NS or A records. The recurs

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread Tony Finch
Ronald F. Guilmette wrote: > > P.P.S. Yes, yes, I _am_ aware... as someone will surely point out... > that part (1) above contains the seed of potential abuse. A malicious > prankster could, in theory send spoofed packets of type (1) above to > lots and lots of DNS servers which he believes that

Re: Discover Unreferenced Zones/Records

2013-07-01 Thread Tony Finch
Bryan Harris wrote: > > I have discovered that we have an excessive amount of old zones not being > used.  Is there a trick, or a simple way to determine which zones have not > been referenced in a long time? BIND can keep per-zone counts of response codes (success, various kinds of failure, etc.

Re: configure syslog prefix

2013-07-02 Thread Tony Finch
Klaus Darilion wrote: > > Some software allows to configure the syslog prefix, but I couldn't find that > for bind. Rename the named executable. Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or

Re: configure syslog prefix

2013-07-02 Thread Tony Finch
Sam Wilson wrote: > Tony Finch wrote: > > Klaus Darilion wrote: > > > > > > Some software allows to configure the syslog prefix, but I couldn't > > > find that for bind. > > > > Rename the named executable. > > Assuming a Unix-li

Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"

2013-07-24 Thread Tony Finch
Stephane Bortzmeyer wrote: > > 24-Jul-2013 07:39:25.480 zone example/IN (signed): Key > example/RSASHA256/46747 missing or inactive and has no replacement: retaining > signatures. > > Which I do not understand. They key is there: > > % ls -lt /tmp/bind/Kexample.+008+46747* > -rw-r--r-- 1 bortzme

Re: "auto-dnssec maintain; " and key "missing or inactive and has no replacement"

2013-07-26 Thread Tony Finch
On 26 Jul 2013, at 07:52, Stephane Bortzmeyer wrote: > On Thu, Jul 25, 2013 at 12:05:35AM +0100, > Tony Finch wrote > a message of 21 lines which said: > >> Does the zone have only one key which is a KSK? > > Yes. I tested with two keys, a KSK and a ZSK and the warn

Re: Bind99 and a slave named server

2013-08-19 Thread Tony Finch
Dave Warren wrote: > > Change the zones from master to slave in your named.conf? There really isn't > much more to it than that, assuming you have a new authoritative master is > already configured and serving the zones. However, beware that BIND 9.9 defaults to "raw" zone files for slaved zones,

Re: detect if zone/s is frozen

2013-09-04 Thread Tony Finch
Mike Hoskins (michoski) wrote: > /dev/rob0 wrote: > > > >I would suggest that if you're making much use of rndc freeze, YDIW. > >Consider using nsupdate(8) to make your changes. > > True, but I just set up two new networks where the tenants wanted exactly > this capability...so use cases exist. [.

Re: ZSK rollover weirdness

2013-09-06 Thread Tony Finch
Lawrence K. Chen, P.Eng. wrote: > > And, the prior ZSK was 14565 > > ; This is a zone-signing key, keyid 14565, for ksu.edu. > ; Created: 2013060109 (Sat Jun 1 04:00:00 2013) > ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013) > ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013) > ; Rev

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Tony Finch
Nicholas F Miller wrote: > The problem is the reply will ALWAYS be five seconds when doing an 'ANY' > query. It is not a matter of the TTL counting down. Is there a middlebox of some kind between you and the name server? Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, v

Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Tony Finch
Simon Forster wrote: > > As a matter of interest, if one had a DNSBL with 5.5 million entries > (i.e. 5.5 million IPs): > > 1) What needs to be done to rewrite that to a BIND zone? > 2) What sort of machine would be required to load that zone? > 3) How long would it take to load into BIND? I did

Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-24 Thread Tony Finch
Simon Forster wrote: > > Excellent info. Thank you. What are the specs of the machine you're testing on? An old-ish Dell Optiplex 760, Core 2 Duo, 3.16 GHz, 4GB RAM. Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough,

Re: RRL probably not useful for DNS IP blacklists,

2013-09-24 Thread Tony Finch
Vernon Schryver wrote: > > It's convenient that with binary zone files and the dynamic update > protocol, loading from text (or signing a whole zone) is not something > you need to do every hour on the hour. Right. Timings from named-checkzone give a rough idea of a worst-case cold start. I ran

Re: Occasional SERVFAILs from "dig NS iq."

2013-09-24 Thread Tony Finch
Chris Thompson wrote: > I have noticed that I get occasional (fast) SERVFAIL responses from > "dig NS iq.", e.g. > > "iq" is partially signed, in the sense that some of its nameservers > deliver a signed version, and some an unsigned one, but I don't see > how that leads to the effect observed.

Re: How can I determine if 9.9.4 bind named executable was built with --enable-rrl?

2013-09-24 Thread Tony Finch
Red Cricket wrote: > How can I determine if it was built with rate-limiting? named -V Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasi

Re: Test logging

2013-10-22 Thread Tony Finch
Paweł Ch. wrote: > Can I request server with special packet which named add entry to it? You can make named log something under the security category by sending a query with a TSIG key, like $ dig -y abc123:abc123abc123 . Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East,

Re: Help on DNSSEC

2013-11-06 Thread Tony Finch
babu dheen wrote: > > I would like to understand DNSSEC on BIND Recursive DNS server running > in RHEL 5.0. First upgrade BIND to version 9.8 or newer. Check your network connectivity isn't funted. See for instance http://www.cisco.com/web/about/security/intelligence/dnssec.html Then add the fol

Re: DNS format error

2013-11-11 Thread Tony Finch
Jim Pazarena wrote: > I see in my logs "DNS format error from 205.178.190.53#53 resolving > excelwetsuits.com/MX for client 207.34.147.83#54521: invalid response" > The client is *my* mail server IP. > > I am wondering is this error on MY side or theirs? Theirs. ; <<>> DiG 9.9.4rc1 <<>> ns ex

Re: Gi/Gn DNS for telecoms

2013-11-15 Thread Tony Finch
Stephane Bortzmeyer wrote: > > I have no idea what Gi/Gn is. Can anyone post an explanation? https://en.wikipedia.org/wiki/GPRS_Core_Network Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or mode

Re: Allow recursion for external resources in an authoritative zone on a "not open" dns server

2013-11-19 Thread Tony Finch
Barry Margolin wrote: > > If the server is authoritative for both the CNAME and the target of the > CNAME, no recursion should be necessary -- the target is already in its > memory. Doesn't the server normally fill in the whole CNAME chain in > this case? Yes - see the additional-from-auth config

[announce] nsdiff version 1.51

2013-11-26 Thread Tony Finch
The nsdiff program examines the old and new versions of a DNS zone, and outputs the differences as a script for use by BIND's nsupdate program. It provides a bridge between static zone files and dynamic updates. If you use BIND 9.7 or 9.8, you can use nsdiff as an alternative to the DNSSEC inline-s

Re: rndc addzone, global allow-new-zones, 'file not found'

2013-12-11 Thread Tony Finch
Tobias Wolter wrote: > > # rndc -s localhost -c ~/rndc-localhost.conf addzone metazone. '{type master; > file "master/metazone.zone";};'; tail /var/log/messages -n 4 > rndc: 'addzone' failed: file not found > Dec 11 10:01:15 named[21120]: received control channel command > 'addzone metazone. {t

Re: rndc refresh fails for signed zones

2013-12-12 Thread Tony Finch
Thomas Schulz wrote: > > Am I correct in thinking that in the case of a hidden master and a chain > of slaves, that the first publicly accessible slave would do the signing > and that in any case only one instance of bind should do the signing? It is better if the hidden master does the signing, s

Re: Serial numbers for inline signing

2013-12-18 Thread Tony Finch
Thomas Schulz wrote: > Checking the resulting serial number, I find that it is 2013120423. The > serial number in the static zone file is 2013120400. Why did it bump it > up to 23? I expected something like 02. Have a look at the sig-signing-signatures option which says (by default) that named s

Re: Sites that points their A Record to localhost

2014-01-14 Thread Tony Finch
Joseph S D Yao wrote: > On 2014-01-12 10:04, Chris Thompson wrote: > > > > That would be more plausible if www.p3net.net actually resolved to > > something, rather than giving NXDOMAIN ... > > How interesting. From here I see (and saw before I posted): > > ;; ANSWER SECTION: > www.p3net.net.

Re: Insecurity proof failed resolving newsletter.postbank.de - but why?

2014-01-20 Thread Tony Finch
Graham Clinch wrote: > > I'm seeing a dnssec validation error that I can't pin down, for the domain: > newsletter.postbank.de. Looks like a bug in BIND to me. It works out that there is no DS in the parent then gets muddled. I note that postbank.de is in the middle of a double-signature ZSK rollo

Re: Using nsupdate to insert/delete record in the RPZ zone file

2014-01-24 Thread Tony Finch
Pika.Aman wrote: > > Is that possible to use the bind-util “nsupdate” to insert a new record > into the zone file of response policy zone ? I got “NOTZONE” reply from > the bind. "NOTZONE" means you have used a domain name that is not in the zone you are trying to update. > #nsupdate > > debug

Re: How to query the "incoming" serial of a zone while inline signing

2014-01-30 Thread Tony Finch
Mark Andrews wrote: > In message <52ea4c56.5060...@pernau.at>, Klaus Darilion writes: > > > > Are there any tools/ways to query Bind for the incoming serial? > > rndc zonestatus [class [view]] I think that's a BIND-9.10 feature :-) On 9.9 I think you either have to look at named's logs an

Re: How to query the "incoming" serial of a zone while inline signing

2014-01-30 Thread Tony Finch
Klaus Darilion wrote: > > named-compilezone -j -f raw -o - example.com \ > /etc/bind/zones/example.com 2>&1| grep SOA|awk '{print $7;}' Another option might be to use named-journalprint and grab the last SOA from the output. I don't know which is faster... actually, let's test... $ time named-

Re: DNSSEC and upgrading/restoring

2014-01-31 Thread Tony Finch
David Newman wrote: > > 2. For five domains, the log contains signature-has-expired warnings. > > In all five cases, these are for NSEC3PARAM records. > > Is any action needed on my part, for example manually doing NSEC3 > signing of these zones? See if named has already re-signed them - check th

Re: DNSSEC and upgrading/restoring

2014-01-31 Thread Tony Finch
David Newman wrote: > > What action, if any, is needed? Does rndc sign make it wake up? Is there anything in the logs reporting problems, e.g. inability to read the key files? Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at f

Re: DNSSEC and upgrading/restoring

2014-02-02 Thread Tony Finch
David Newman wrote: > On 1/31/14 10:35 AM, Tony Finch wrote: > > David Newman wrote: > >> > >> What action, if any, is needed? > > > > Does rndc sign make it wake up? > > Alas, no. There are a bunch of successful IXFR messages to slave servers >

Re: Trouble building bind with Openssl support

2014-02-11 Thread Tony Finch
Olsen, Richard William (Rick) CTR DISA PEO-MA (US) We have been trying to build bind using with-openssl=PATH and not have > it require the full openssl install on the destination system. Try building BIND with --without-gost Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East

Re: Trouble building bind with Openssl support

2014-02-12 Thread Tony Finch
Mark Andrews wrote: > > If you really want to go down this path then you need to copy over > the shared library which is dynamically loaded into named at runtime specifically lib/engines/libgost.so > or rebuild openssl to include the gost code in libcrypto. How do you do that? The documentation

Re: BUG? Wildcard lookup masked by more specific record of alternative type

2014-02-14 Thread Tony Finch
Terry Burton wrote: > > Is the following expected or is it a bug? It is correct. See RFC 4592 for the full explanation of how wildcards work. Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or mod

Re: Same internal and external zone

2014-02-14 Thread Tony Finch
Sarath wrote: > > The internal xyz.example.com is on an internal host (private address ) > which is the default DNS server for all internal hosts (all hosts use > this DNS server in their resolve.conf ) And the external xyz.example.com > is on another public ip server (aws route 53 ). > > The prob

Re: Bind/PowerDNS interoperability issue

2014-02-19 Thread Tony Finch
Aki Tuomi wrote: > > We have A records > 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi > and > 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi > > Now. If I ask DNSSEC validating BIND version 9.9.3-P2 or 9.9.4-P2 to > resolve either of those A records, I get errors, w

Re: Bind/PowerDNS interoperability issue

2014-02-19 Thread Tony Finch
Aki Tuomi wrote: > > Hi, can you try again? Just to be sure. This time it failed in the way you described earlier: 19-Feb-2014 12:23:27.043 queries: info: client ::1#32049 (5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): view rec: query: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-03 Thread Tony Finch
Gaurav Kansal wrote: > > I have doubt in this only. What's the difference between Zone or Host ?? Zone keys are used for DNSSEC signing zones. Host keys are used for TSIG transaction authentication, for securing zone transfers or dynamic updates. > I also want to know which algorithm is the bes

Re: which Name server is selected?

2014-03-03 Thread Tony Finch
houguanghua wrote: > > What's the meaning of bind "decaying"? Where can I find the detailed > description? Thanks! There's a summary of the SRTT algorithm in http://securityintelligence.com/subverting-binds-srtt-algorithm-derandomizing-ns-selection/ Tony. -- f.anthony.n.finch http://dotat.a

Re: Regarding zone trf from master to slave

2014-03-05 Thread Tony Finch
Gaurav Kansal wrote: > > We are running slave services for our customers. > > We want to have log of what entries have been changed in the master (which is > causing this zone transfer) at the time of zone transfer. > > I want to know whether it is possible to have some sort of log generation > (ei

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-06 Thread Tony Finch
Jason Hellenthal wrote: > > I recall spending a LOT of time with DNSSEC figuring out all the > nonsense but like anything else stability and friendliness has to start > somewhere. And development should not be impeded by adoption of bad > practices. Fix the root cause not the symptom. dnssec-keyg

Re: Configure error - openSSL. Mac OS X

2014-03-10 Thread Tony Finch
James Brown wrote: > I have recently upgraded to openSSL 1.0.1f. > > When I try to configure bind 9.9.5 I'm getting an error: > > checking for OpenSSL library... using OpenSSL from /usr/local/ssl/lib and > /usr/local/ssl/include > checking whether linking with OpenSSL works... no > configure: er

Re: changing NSEC3 salt

2014-03-10 Thread Tony Finch
Evan Hunt wrote: > > What should happen is: > > - the old NSEC3PARAM is removed Isn't that a bit early? Can a secondary transfer the zone while there is no NSEC3PARAM? > - a private-type record is created, indicating that a >new NSEC3 chain is being created > - all the new NSEC3 records a

Re: Internal clients' queries for "myhostname." get sent to forwarders. Why?

2014-03-11 Thread Tony Finch
Andreas Ntaflos wrote: > > Using Bind 9 on Ubuntu 12.04 for internal DNS (master for zones > "dc01.example.at.", "7.1.10.in-addr.arpa.", ...) with forwarders (ISP's > nameservers) for everything outside of internal zones. > > The Problem: Clients, when running "hostname -f" or "hostname -i", > cre

Re: Internal clients' queries for "myhostname." get sent to forwarders. Why?

2014-03-12 Thread Tony Finch
Lawrence K. Chen, P.Eng. wrote: > If you have FQDN for machines, the problem might be that the domain > isn't set in resolv.conf? The machines are configured with a bare hostname. If there isn't a search or domain directive in /etc/resolv.conf and there isn't an entry for the machine in /etc/hos

Re: Dynamic update with bind

2014-03-26 Thread Tony Finch
Ramanou Biaou wrote: > Someone has resources, links or tutorial to understand and implement the > dynamic update zone files with BIND If you search the web for [nsupdate howto] or [nsupdate tutorial] you should find some useful resources. If you are running BIND 9.7 or newer then it has a built

Re: Problems with auto-dnssec maintain on BIND 9.9.5 (latest patch, FreeBSD)

2014-03-27 Thread Tony Finch
Daniel Ryslink wrote: > > At first, when the zone was not signed at all, all that sufficed was to > do "rndc loadkeys example.com", and when I later used "rndc signing > -list example.com", the keys set via > dnssec-settime as active in the keys directory were displayed. Note that `rndc signing -

Re: BIND 9's entropy consumption

2014-04-03 Thread Tony Finch
Tom Limoncelli wrote: > > I have 4 DNS servers all running BIND 9.8.2 (the CentOS 6.5 package). One > is configured as the master for about 100 zones. The other 3 are slaves > for those 100 zones. On the master the amount of entropy reported by "cat > /proc/sys/kernel/random/entropy_avail" was

Re: All client resolvers support DNSSEC compatible queries ???

2014-04-24 Thread Tony Finch
Carsten Strotmann wrote: > > You can enable DNSSEC validation support on a BIND 9 caching server that > is used as a resolver by your clients. BIND 9 9.9.x already comes with > DNSSEC validation enabled, for older versions you need to enable it > manually in the configuration. DNSSEC validation n

Re: DNSSEC domain and sub-domains

2014-04-24 Thread Tony Finch
r...@iastate.edu wrote: > If we implement DNSSEC for iastate.edu, admin.iastate.edu and > its.iastate.edu, must DNSSEC be implemented for the delegated zones as > well? No, in exactly the same way that signing .edu does not mean iastate.edu has to be signed. If there are no DS records at the del

Strange validation failure for answers.ssh.com

2014-04-24 Thread Tony Finch
We have a couple of recursive servers running 9.9.5 which are persistently unable to validate answers.ssh.com, returning SERVFAIL. With debug logging turned on we get (amongst lots of other things): 24-Apr-2014 16:41:23.087 client 131.111.56.28#35569 (answers.ssh.com): query (cache) 'answers.ssh.

Re: Promoting a slave to master gives syntax error

2014-04-29 Thread Tony Finch
Theodotos Andreou wrote: > > Now I have a different problem. After converting all the zones to master many > zones failed to load because of this: > > 29-Apr-2014 11:21:32.613 dns_rdata_fromtext: db.0.210.10.in-addr.arpa:26: > near 'android_b2b2b8cdeedf92d3.example.com.': bad name (check-names)

Re: Strange validation failure for answers.ssh.com

2014-04-30 Thread Tony Finch
Tony Finch wrote: > We have a couple of recursive servers running 9.9.5 which are persistently > unable to validate answers.ssh.com, returning SERVFAIL. Some days later one of our servers has been restarted and is successfully resolving this name. The other is still persistently f

Re: BIND 9.10 compilation problem for FreeBSD 6.x/7.x

2014-05-06 Thread Tony Finch
Shawn Zhou wrote: > Any problem has problem building BIND 9.10 for FreeBSD? We are using the > same process that worked for building 9.9.4 to build 9.10 on FreeBSD > 6.x/7.x but we are getting "ld: invalid BFD target" error. Yes. BIND's linking stage changed between 9.9 and 9.10 so instead of in

Re: bind 9.10 verbose logging

2014-05-06 Thread Tony Finch
Noel Butler wrote: > > U, since upgrade 9.9.5 to 9.10 every request to the name server is > spewing copious amounts of debug type data (thankfully I only upgraded > the one server) > > Was debug left on in the final release source code? :) When I was running pre-release versions I hacked out

Re: BIND 9.10 compilation problem for FreeBSD 6.x/7.x

2014-05-07 Thread Tony Finch
Mark Andrews wrote: > > Also one shouldn't need to add LDFLAGS="-R/opt/OpenSSL/lib". configure > adds it itself if the platform needs it. --with-openssl=/opt/OpenSSL > should be enough. I think the bug here is that configure assumes the admin has added all possible library directories to the RTL

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-08 Thread Tony Finch
Dave Warren wrote: > > DNSMadeEasy calls this an "ANAME" record, internally they just lookup the > destination's IP and cache it, updating it as needed. > > It works, but it would be nice if this could be done in DNS. Sadly, it can't, > and probably won't in our lifetimes. Never say never :-) Yo

Re: RRL active by default?

2014-05-08 Thread Tony Finch
Lawrence K. Chen, P.Eng. wrote: > > And, then it finally crashed complaining that there was no root hints for the > view "_ksu_bind", and making class IN view "_ksu_bind" with all the same > zones, including the hint zone, it still complained that there was no root > hints for view "_ksu_bind" and

Re: Slave zone intermittently not refreshing

2014-05-08 Thread Tony Finch
Mart van de Wege wrote: > > How do I go about troubleshooting this issue to get a better idea of > what is going on? Are there any messages in your log containing the string " refresh: "? Tony. -- f.anthony.n.finch http://dotat.at/ Thames, Dover, Wight, Portland, Plymouth: Southwest 5 to 7,

Re: Multi-master (HA)

2014-05-08 Thread Tony Finch
A few thoughts... The DNS protocol is already pretty good at replicating zone data - see for instance John Wingenbach's message in which he describes how their deployment gradually converged on a fairly standard architecture :-) I think multi-master makes most sense if the primary master uses DNS

Re: Slave zone intermittently not refreshing

2014-05-08 Thread Tony Finch
Mart van de Wege wrote: > Tony Finch writes: > > Mart van de Wege wrote: > >> > >> How do I go about troubleshooting this issue to get a better idea of > >> what is going on? > > > > Are there any messages in your log containing the string "

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-08 Thread Tony Finch
Barry Margolin wrote: > > It also has adverse implications for DNS-based CDN routing, e.g. Akamai. > Everyone will be routed to the servers close to the auth servers of the > domain containing the ANAME, instead of routing each end user to their > closest servers. Good point. This is relevant to

Re: Slave zone intermittently not refreshing

2014-05-09 Thread Tony Finch
Mart van de Wege wrote: > > > A lot of the refresh failure logging happens at debug level 1 so you can > > get more details by running `rndc trace 1`. > > Is there a way to filter that after setting it? Not without altering the server's logging configuration. Something like the following, perhaps

Re: AIX and 9.9.5 compiling

2014-05-09 Thread Tony Finch
Edward DeLargy wrote: > I just want to verify that 9.9.5 can be compiled in AIX The README says: Building BIND 9 currently requires a UNIX system with an ANSI C compiler, basic POSIX support, and a 64 bit integer type. We've had successful builds and tests on the follo

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Tony Finch
Dave Warren wrote: > On 2014-05-08 15:09, Mark Andrews wrote: > > But that does not help when you want a MX record at the apex or > > some other record at the apex. > > I'd argue that it does -- Since the record is now CNAME'd, the MX record is > now under the control of the destination of the CN

Re: Exiting due fatal error, no named.conf found.

2014-05-12 Thread Tony Finch
Mimiko wrote: > May 11 09:56:14 srv58 named[28172]: loading configuration from > '/opt/bind9/etc/named.conf' > May 11 09:56:14 srv58 named[28172]: open: /opt/bind9/etc/named.conf: file not > found > I've put bind in /srv/bind9. Also I use chrooting. If you are chrooting then all the paths com

Re: No logging after logfile turned over. v9.10

2014-05-12 Thread Tony Finch
James Brown wrote: > > Any suggestions as to how to make the logging continue after the rollover? Either: (1) configure newsyslog to HUP named after rolling the logs, by telling it the path to named.pid (2) configure named to use syslog (3) configure named to roll its log files itself (whi

Re: Slave zone intermittently not refreshing

2014-05-12 Thread Tony Finch
Mart van de Wege wrote: > > The only difference I *can* see is that this particular slave zone > occasionally gets a lot of updates in a single day, which is when this > problem seems to be triggered. Is there an MTU problem between your slave and the master? Or a problem with fragmented UDP? I w

Re: Slave zone intermittently not refreshing

2014-05-13 Thread Tony Finch
Mark Andrews wrote: > > 2275. [func] Add support to dig to perform IXFR queries over UDP. >[RT #17235] > > DiG has supported ixfr over udp since 2007. It just defaults to TCP. > you have to disable TCP after specifying ixfr. Ah I am sure you have told me that be

Re: Split DNS(view configuration)

2014-05-19 Thread Tony Finch
Techs_Maru wrote: > > The zone is forwarded only to "View internal" because it matches it > > internal. > > I want to forward hoge.zone of BIND1 to both hoge.zone that uses View > > configuration of BIND2. I am not sure if I understand exactly what you want. A common way to choose what view t

Re: Split DNS(view configuration)

2014-05-19 Thread Tony Finch
Techs_Maru wrote: > > view"internal" { > recursion yes; > zone "." IN { ... }; I think it is better to use named's built-in root hints, so you don't need to explicitly configure this. > zone "hoge.com" IN { > type slave; > masters { AA

Re: Split DNS(view configuration)

2014-05-20 Thread Tony Finch
Matus UHLAR - fantomas wrote:
> On 19.05.14 17:26, Tony Finch wrote:
> > You must not share slave zone files between zones.
>
> ...I don't see point in having files for domains fetched from different
> view.

That's a reasonably sensible point of view :-) There

Re: Split DNS(view configuration)

2014-05-20 Thread Tony Finch
Techs_Maru wrote:
>
> The mastering server side cannot be touched as this assumption.

Ah, I missed that difficulty.

> It can solve what I wanted to do by forwarding the zone in the local.
> Method of sending notify to other view when source in zone forwarding
> origin is confirmed with client-ma

Re: Slightly Off-Topic: Dealing with DNSSEC Bogus Data

2014-06-09 Thread Tony Finch
Jorge Fábregas wrote:
>
> This change is going to impact thousands of users for us and I'm a bit
> worried about it. How do you deal with DNSSEC bogus data?

We don't do anything special to reduce the problem. It has not caused
noticeable pain or complaints from our users. We have I think had on

Re: A Note About Today's New BIND Releases

2014-06-12 Thread Tony Finch
Noel Butler wrote:
> Does this also address the crazy amount of logging (as previously discussed
> here)?

If you mean the EDNS logging, that should be fixed in 9.10.1.

Tony.
--
f.anthony.n.finch  http://dotat.at/
East Sole, Lundy, Fastnet: Variable 3 or 4. Smooth or slight. Mainly fair. Mode

Re: FORMERR on packet received from Forwarder

2014-06-16 Thread Tony Finch
Levi Pederson wrote:
>
> I have an authoritative DNS server that is supposed to forward any
> unknowns to a specific upstream server.

You are mixing authoritative and recursive service in a way that is not going
to work well. Forwarding is designed for recursive clients. It doesn't make
sense to

Re: RRL question

2014-06-26 Thread Tony Finch
Nick wrote:
> Is there a way to setup RRL to rate limit by source IP / or certain net
> blocks?

For simple cases where you want to rate-limit by default, but allow some
clients to be unlimited, use the exempt-clients clause. If you want different
limits for different clients, use different vie

Re: daemon warning

2014-07-01 Thread Tony Finch
Stewart, Larry C Sr CTR DISA JITC (US) wrote:
> I have configured the Solaris service admin to run
> /nithr/sbin/named -t /dns -u dnsuser
> when I start the dns server now since I have upgraded to 9.10.0-P2 I get
> a daemon notice that it is unable to set the effective uid to 0: Not
> Owner

RE: daemon warning

2014-07-01 Thread Tony Finch
Stewart, Larry C Sr CTR DISA JITC (US) wrote:
> Correct, so is there some negative impact I can expect or is it just a
> log entry I can ignore?

If you aren't getting any "Could not open..." warnings as well then you are
probably OK.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Dover, Wight,

Re: Error when using GeoIP

2014-07-01 Thread Tony Finch
Ali Jawad wrote:
>
> acl "US" {
> geoip country US;
> };
>
> view "US" {
> match-clients { US; }; //Once I add this it throws the error below
> };
>
> /etc/named.conf:47: no GeoIP database installed which can answer queries of
> type 'country'

This is a bug in 9.10.0 which will be fixed

RE: daemon warning

2014-07-01 Thread Tony Finch
Stewart, Larry C Sr CTR DISA JITC (US) wrote:
> So I logged in as the user that I normally start named with and I get the
> following error:
>
> Named: chroot(): Not owner

You need to start named as root for it to be able to chroot. (Unless Solaris
has some cunning fine-grained privilege featur

Re: DLV dnssec setup

2014-07-10 Thread Tony Finch
Wolfgang Rosenauer wrote:
>
> dnssec-validation auto;
> dnssec-lookaside . trust-anchor dlv.isc.org.;

Why not use dnssec-lookaside auto; ?

Tony.
--
f.anthony.n.finch  http://dotat.at/
West Forties, Cromarty, Forth, Tyne, Dogger: Northerly or northwesterly 5 or 6, decreasing 4.

Re: DLV dnssec setup

2014-07-10 Thread Tony Finch
Wolfgang Rosenauer wrote:
> Changed it now to dnssec-lookaside auto and it still behaves exactly
> the same way.

What happens if you delete the managed-keys files and restart?

Tony.
--
f.anthony.n.finch  http://dotat.at/
North Utsire, South Utsire, East Forties: Variable, mainly northeasterl
