hugo hugoo wrote:
> Can anyone tell me why signatures in dnssec must be renewed every 30
> days?
The limited lifetime of the signatures reduces your exposure to a replay
attack. After the signature has expired an attacker cannot fool a victim
by giving them the stale data.
> What are the modific
Alan Clegg wrote:
>
> I use dynamic zones and never concern myself with expired signatures.
> You can also use inline signing to remove this "hassle".
Yes!
> Better solution: Sign them more often. Why not sign them twice a day?
> I personally don't think that extending the signature validity p
Dave Warren wrote:
>
> With the vast majority of our customers being in North America (probably 75%
> of users are in Canada), would it make sense to add a Europe based NS or would
> this tend to return slower results on average since a potential user would
> have a 1/3 chance of hitting a NS with
Jeremy P wrote:
>
> I will switch to something more "out there" in the future. I take it that
> .lan is safe?
Don't use .lan either - it is very popular with malware and is likely to
get you blacklisted. Use a real domain.
Tony.
--
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East,
Michael McNally wrote:
> On 5/8/13 9:33 AM, Jeremy P wrote:
> >
> > However, there are times where registering a real domain just isn't
> > practical. For example, I'm not going to ask all of the students in my
> > courses to go out and register a .com for the semester.
>
> The flip side of this
Matus UHLAR - fantomas wrote:
> On 09.05.13 10:21, Tony Finch wrote:
> > Right. Give each student a subdomain of some existing domain, even if the
> > subdomains aren't publicly delegated.
>
> yes, so they will start using it in their job and home.
They shouldn
Matus UHLAR - fantomas wrote:
> > > On 09.05.13 10:21, Tony Finch wrote:
> > > > Right. Give each student a subdomain of some existing domain, even
> > > > if the subdomains aren't publicly delegated.
>
> > Matus UHLAR - fantomas wrote:
> >
Tom Sommer wrote:
>
> That works fine, but I think I figured out the problem, it was due to
> the server having acquired a 2nd (autodiscovered) IPv6 address, and it
> was using that as transfer source. It would be very helpful if the
> logfile said the actual source IP, and not just 0.0.0.0#53 or
Leonard Mills wrote:
> If some of your clients are SMTP relays, then ANY is the default
> lookup for an MX and is perfectly normal. Much better from the point of
> view of the mail servers to do one lookup instead of several.
You are not quite correct. See http://fanf.livejournal.com/10
Bryan Harris wrote:
>
> After reading everything it looks to me like our hidden master configuration
> is basically okay, but by some of the best practices described, it could be
> better and easier to work with if we had a separate caching layer.
Note that the caches live on the client side of D
Vernon Schryver wrote:
>
> If you have a domain to which you can can add records for a subdomain
> with differing 5-30 second TTLs and can spend not just 5 seconds but
> a few minutes playing around, you might come to my conclusion. I think
> they treat ANY as if it were pseudo-rdataset containin
Doug Barton wrote:
> On 06/05/2013 11:33 AM, Tony Finch wrote:
> > I believe the ANY hack on mail servers was a Sendmailism 20ish years ago.
>
> s/Send/q/
No, I meant Sendmail - see http://fanf.livejournal.com/10.html
Sendmail at one time tried to use ANY for combined MX+A
Vernon Schryver wrote:
>
> > [ANY query for combined MX/A lookup was] a bad hack then and it
> > has remained a bad hack :-)
>
> I would not agree if you could rely on the open resolvers continuing
> to do what they're doing, if you didn't care about parsing 3 or 4
> KBytes of irrelevant bits to g
Barry Margolin wrote:
> In article ,
> Tony Finch wrote:
>
> > The ANY query does not trigger alias processing, so if there is a CNAME
> > chain you have to follow it yourself. This is a waste because if you made
> > an MX query in the first place the server wou
Vernon Schryver wrote:
>
> About chasing CNAMEs safely or otherwise, please recall the somewhat
> controversial DontExpandCnames. The current cf/README says:
>
> confDONT_EXPAND_CNAMES DontExpandCnames
> [False] If set, $[ ... $] lookups that
> do DNS base
Chris Buxton wrote:
>
> If an authoritative server is configured to send minimal responses, will
> a stub zone get all the necessary data from that server? What I'm seeing
> is, the recursive server sends an SOA query; the response contains only
> the SOA record, and no NS or A records. The recurs
Ronald F. Guilmette wrote:
>
> P.P.S. Yes, yes, I _am_ aware... as someone will surely point out...
> that part (1) above contains the seed of potential abuse. A malicious
> prankster could, in theory send spoofed packets of type (1) above to
> lots and lots of DNS servers which he believes that
Bryan Harris wrote:
>
> I have discovered that we have an excessive amount of old zones not being
> used. Is there a trick, or a simple way to determine which zones have not
> been referenced in a long time?
BIND can keep per-zone counts of response codes (success, various kinds of
failure, etc.
Klaus Darilion wrote:
>
> Some software allows to configure the syslog prefix, but I couldn't find that
> for bind.
Rename the named executable.
Tony.
Sam Wilson wrote:
> Tony Finch wrote:
> > Klaus Darilion wrote:
> > >
> > > Some software allows to configure the syslog prefix, but I couldn't
> > > find that for bind.
> >
> > Rename the named executable.
>
> Assuming a Unix-li
Stephane Bortzmeyer wrote:
>
> 24-Jul-2013 07:39:25.480 zone example/IN (signed): Key
> example/RSASHA256/46747 missing or inactive and has no replacement: retaining
> signatures.
>
> Which I do not understand. They key is there:
>
> % ls -lt /tmp/bind/Kexample.+008+46747*
> -rw-r--r-- 1 bortzme
On 26 Jul 2013, at 07:52, Stephane Bortzmeyer wrote:
> On Thu, Jul 25, 2013 at 12:05:35AM +0100,
> Tony Finch wrote
> a message of 21 lines which said:
>
>> Does the zone have only one key which is a KSK?
>
> Yes. I tested with two keys, a KSK and a ZSK and the warn
Dave Warren wrote:
>
> Change the zones from master to slave in your named.conf? There really isn't
> much more to it than that, assuming your new authoritative master is
> already configured and serving the zones.
However, beware that BIND 9.9 defaults to "raw" zone files for slaved
zones,
Mike Hoskins (michoski) wrote:
> /dev/rob0 wrote:
> >
> >I would suggest that if you're making much use of rndc freeze, YDIW.
> >Consider using nsupdate(8) to make your changes.
>
> True, but I just set up two new networks where the tenants wanted exactly
> this capability...so use cases exist. [.
Lawrence K. Chen, P.Eng. wrote:
>
> And, the prior ZSK was 14565
>
> ; This is a zone-signing key, keyid 14565, for ksu.edu.
> ; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
> ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
> ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)
> ; Rev
Nicholas F Miller wrote:
> The problem is the reply will ALWAYS be five seconds when doing an 'ANY'
> query. It is not a matter of the TTL counting down.
Is there a middlebox of some kind between you and the name server?
Tony.
Simon Forster wrote:
>
> As a matter of interest, if one had a DNSBL with 5.5 million entries
> (i.e. 5.5 million IPs):
>
> 1) What needs to be done to rewrite that to a BIND zone?
> 2) What sort of machine would be required to load that zone?
> 3) How long would it take to load into BIND?
I did
Simon Forster wrote:
>
> Excellent info. Thank you. What's the specs of the machine you're testing on?
An old-ish Dell Optiplex 760, Core 2 Duo, 3.16 GHz, 4GB RAM.
Tony.
Vernon Schryver wrote:
>
> It's convenient that with binary zone files and the dynamic update
> protocol, loading from text (or signing a whole zone) is not something
> you need to do every hour on the hour.
Right. Timings from named-checkzone give a rough idea of a worst-case cold
start.
I ran
Chris Thompson wrote:
> I have noticed that I get occasional (fast) SERVFAIL responses from
> "dig NS iq.", e.g.
>
> "iq" is partially signed, in the sense that some of its nameservers
> deliver a signed version, and some an unsigned one, but I don't see
> how that leads to the effect observed.
Red Cricket wrote:
> How can I determine if it was built with rate-limiting?
named -V
Tony.
Paweł Ch. wrote:
> Can I request server with special packet which named add entry to it?
You can make named log something under the security category by sending a
query with a TSIG key, like
$ dig -y abc123:abc123abc123 .
Tony.
babu dheen wrote:
>
> I would like to understand DNSSEC on BIND Recusive DNS server running
> in RHEL 5.0.
First upgrade BIND to version 9.8 or newer.
Check your network connectivity isn't funted. See for instance
http://www.cisco.com/web/about/security/intelligence/dnssec.html
Then add the fol
Jim Pazarena wrote:
> I see in my logs "DNS format error from 205.178.190.53#53 resolving
> excelwetsuits.com/MX for client 207.34.147.83#54521: invalid response"
> The client is *my* mail server IP.
>
> I am wondering is this error on MY side or theirs?
Theirs.
; <<>> DiG 9.9.4rc1 <<>> ns ex
Stephane Bortzmeyer wrote:
>
> I have no idea what Gi/Gn is. Can anyone post an explanation?
https://en.wikipedia.org/wiki/GPRS_Core_Network
Tony.
Barry Margolin wrote:
>
> If the server is authoritative for both the CNAME and the target of the
> CNAME, no recursion should be necessary -- the target is already in its
> memory. Doesn't the server normally fill in the whole CNAME chain in
> this case?
Yes - see the additional-from-auth config
The nsdiff program examines the old and new versions of a DNS zone, and
outputs the differences as a script for use by BIND's nsupdate program. It
provides a bridge between static zone files and dynamic updates. If you
use BIND 9.7 or 9.8, you can use nsdiff as an alternative to the DNSSEC
inline-s
Tobias Wolter wrote:
>
> # rndc -s localhost -c ~/rndc-localhost.conf addzone metazone. '{type master;
> file "master/metazone.zone";};'; tail /var/log/messages -n 4
> rndc: 'addzone' failed: file not found
> Dec 11 10:01:15 named[21120]: received control channel command
> 'addzone metazone. {t
Thomas Schulz wrote:
>
> Am I correct in thinking that in the case of a hidden master and a chain
> of slaves, that the first publicly accessible slave would do the signing
> and that in any case only one instance of bind should do the signing?
It is better if the hidden master does the signing, s
Thomas Schulz wrote:
> Checking the resulting serial number, I find that it is 2013120423. The
> serial number in the static zone file is 2013120400. Why did it bump it
> up to 23? I expected something like 02.
Have a look at the sig-signing-signatures option which says (by default)
that named s
Joseph S D Yao wrote:
> On 2014-01-12 10:04, Chris Thompson wrote:
> >
> > That would be more plausible if www.p3net.net actually resolved to
> > something, rather than giving NXDOMAIN ...
>
> How interesting. From here I see (and saw before I posted):
>
> ;; ANSWER SECTION:
> www.p3net.net.
Graham Clinch wrote:
>
> I'm seeing a dnssec validation error that I can't pin down, for the domain:
> newsletter.postbank.de.
Looks like a bug in BIND to me. It works out that there is no DS in the
parent then gets muddled. I note that postbank.de is in the middle of a
double-signature ZSK rollo
Pika.Aman wrote:
>
> Is that possible to use the bind-util “nsupdate” to insert a new record
> into the zone file of response policy zone ? I got “NOTZONE” reply from
> the bind.
"NOTZONE" means you have used a domain name that is not in the zone you
are trying to update.
> #nsupdate
> > debug
Mark Andrews wrote:
> In message <52ea4c56.5060...@pernau.at>, Klaus Darilion writes:
> >
> > Are there any tools/ways to query Bind for the incoming serial?
>
> rndc zonestatus [class [view]]
I think that's a BIND-9.10 feature :-)
On 9.9 I think you either have to look at named's logs an
Klaus Darilion wrote:
>
> named-compilezone -j -f raw -o - example.com \
> /etc/bind/zones/example.com 2>&1| grep SOA|awk '{print $7;}'
Another option might be to use named-journalprint and grab the last SOA
from the output. I don't know which is faster... actually, let's test...
$ time named-
David Newman wrote:
>
> 2. For five domains, the log contains signature-has-expired warnings.
>
> In all five cases, these are for NSEC3PARAM records.
>
> Is any action needed on my part, for example manually doing NSEC3
> signing of these zones?
See if named has already re-signed them - check th
David Newman wrote:
>
> What action, if any, is needed?
Does rndc sign make it wake up? Is there anything in the logs
reporting problems, e.g. inability to read the key files?
Tony.
David Newman wrote:
> On 1/31/14 10:35 AM, Tony Finch wrote:
> > David Newman wrote:
> >>
> >> What action, if any, is needed?
> >
> > Does rndc sign make it wake up?
>
> Alas, no. There are a bunch of successful IXFR messages to slave servers
>
Olsen, Richard William (Rick) CTR DISA PEO-MA (US) wrote:
> We have been trying to build bind using with-openssl=PATH and not have
> it require the full openssl install on the destination system.
Try building BIND with --without-gost
Tony.
Mark Andrews wrote:
>
> If you really want to go down this path then you need to copy over
> the shared library which is dynamically loaded into named at runtime
> specifically lib/engines/libgost.so
> or rebuild openssl to include the gost code in libcrypto.
How do you do that? The documentation
Terry Burton wrote:
>
> Is the following expected or is it a bug?
It is correct. See RFC 4592 for the full explanation of how wildcards work.
Tony.
Sarath wrote:
>
> The internal xyz.example.com is on an internal host (private address )
> which is the default DNS server for all internal hosts (all hosts use
> this DNS server in their resolve.conf ) And the external xyz.example.com
> is on another public ip server (aws route 53 ).
>
> The prob
Aki Tuomi wrote:
>
> We have A records
> 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi
> and
> 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi
>
> Now. If I ask DNSSEC validating BIND version 9.9.3-P2 or 9.9.4-P2 to
> resolve either of those A records, I get errors, w
Aki Tuomi wrote:
>
> Hi, can you try again? Just to be sure.
This time it failed in the way you described earlier:
19-Feb-2014 12:23:27.043 queries: info: client ::1#32049
(5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): view rec:
query: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1
Gaurav Kansal wrote:
>
> I have doubt in this only. What's the difference between Zone or Host ??
Zone keys are used for DNSSEC signing zones.
Host keys are used for TSIG transaction authentication, for securing zone
transfers or dynamic updates.
> I also want to know which algorithm is the bes
houguanghua wrote:
>
> What's the meaning of bind "decaying"? Where can I find the detailed
> description? Thanks!
There's a summary of the SRTT algorithm in
http://securityintelligence.com/subverting-binds-srtt-algorithm-derandomizing-ns-selection/
Tony.
Gaurav Kansal wrote:
>
> We are running slave services for our customers.
>
> We want to have a log of what entries have been changed in the master (which is
> causing this zone transfer) at the time of zone transfer.
>
> I want to know whether it is possible to have some sort of log generation
> (ei
Jason Hellenthal wrote:
>
> I recall spending a LOT of time with DNSSEC figuring out all the
> nonsense but like anything else stability and friendliness has to start
> somewhere. And development should not be impeded by adoption of bad
> practices. Fix the root cause not the symptom.
dnssec-keyg
James Brown wrote:
> I have recently upgraded to openSSL 1.0.1f.
>
> When I try to configure bind 9.9.5 I'm getting an error:
>
> checking for OpenSSL library... using OpenSSL from /usr/local/ssl/lib and
> /usr/local/ssl/include
> checking whether linking with OpenSSL works... no
> configure: er
Evan Hunt wrote:
>
> What should happen is:
>
> - the old NSEC3PARAM is removed
Isn't that a bit early? Can a secondary transfer the zone while there is
no NSEC3PARAM?
> - a private-type record is created, indicating that a
>new NSEC3 chain is being created
> - all the new NSEC3 records a
Andreas Ntaflos wrote:
>
> Using Bind 9 on Ubuntu 12.04 for internal DNS (master for zones
> "dc01.example.at.", "7.1.10.in-addr.arpa.", ...) with forwarders (ISP's
> nameservers) for everything outside of internal zones.
>
> The Problem: Clients, when running "hostname -f" or "hostname -i",
> cre
Lawrence K. Chen, P.Eng. wrote:
> If you have FQDN for machines, the problem might be that the domain
> isn't set in resolv.conf?
The machines are configured with a bare hostname. If there isn't a search
or domain directive in /etc/resolv.conf and there isn't an entry for the
machine in /etc/hos
Ramanou Biaou wrote:
> Someone has resources, links or tutorial to understand and implement the
> dynamic update zone files with BIND
If you search the web for [nsupdate howto] or [nsupdate tutorial] you
should find some useful resources.
If you are running BIND 9.7 or newer then it has a built
Daniel Ryslink wrote:
>
> At first, when the zone was not signed at all, all that sufficed was to
> do "rndc loadkeys example.com", and when I later used "rndc signing
> -list example.com", the keys set via
> dnssec-settime as active in the keys directory were displayed.
Note that `rndc signing -
Tom Limoncelli wrote:
>
> I have 4 DNS servers all running BIND 9.8.2 (the CentOS 6.5 package). One
> is configured as the master for about 100 zones. The other 3 are slaves
> for those 100 zones. On the master the amount of entropy reported by "cat
> /proc/sys/kernel/random/entropy_avail" was
Carsten Strotmann wrote:
>
> You can enable DNSSEC validation support on a BIND 9 caching server that
> is used as a resolver by your clients. BIND 9 9.9.x already comes with
> DNSSEC validation enabled, for older versions you need to enable it
> manually in the configuration.
DNSSEC validation n
r...@iastate.edu wrote:
> If we implement DNSSEC for iastate.edu, admin.iastate.edu and
> its.iastate.edu, must DNSSEC be implemented for the delegated zones as
> well?
No, in exactly the same way that signing .edu does not mean iastate.edu
has to be signed. If there are no DS records at the del
We have a couple of recursive servers running 9.9.5 which are persistently
unable to validate answers.ssh.com, returning SERVFAIL. With debug logging
turned on we get (amongst lots of other things):
24-Apr-2014 16:41:23.087 client 131.111.56.28#35569 (answers.ssh.com): query
(cache) 'answers.ssh.
Theodotos Andreou wrote:
>
> Now I have a different problem. After converting all the zones to master many
> zones failed to load because of this:
>
> 29-Apr-2014 11:21:32.613 dns_rdata_fromtext: db.0.210.10.in-addr.arpa:26:
> near 'android_b2b2b8cdeedf92d3.example.com.': bad name (check-names)
Tony Finch wrote:
> We have a couple of recursive servers running 9.9.5 which are persistently
> unable to validate answers.ssh.com, returning SERVFAIL.
Some days later one of our servers has been restarted and is successfully
resolving this name. The other is still persistently f
Shawn Zhou wrote:
> Any problem has problem building BIND 9.10 for FreeBSD? We are using the
> same process that worked for building 9.9.4 to build 9.10 on FreeBSD
> 6.x/7.x but we are getting "ld: invalid BFD target" error.
Yes. BIND's linking stage changed between 9.9 and 9.10 so instead of
in
Noel Butler wrote:
>
> U, since upgrade 9.9.5 to 9.10 every request to the name server is
> spewing copious amounts of debug type data (thankfully I only upgraded
> the one server)
>
> Was debug left on in the final release source code? :)
When I was running pre-release versions I hacked out
Mark Andrews wrote:
>
> Also one shouldn't need to add LDFLAGS="-R/opt/OpenSSL/lib". configure
> adds it itself if the platform needs it. --with-openssl=/opt/OpenSSL
> should be enough.
I think the bug here is that configure assumes the admin has added all
possible library directories to the RTL
Dave Warren wrote:
>
> DNSMadeEasy calls this an "ANAME" record, internally they just lookup the
> destination's IP and cache it, updating it as needed.
>
> It works, but it would be nice if this could be done in DNS. Sadly, it can't,
> and probably won't in our lifetimes.
Never say never :-)
Yo
Lawrence K. Chen, P.Eng. wrote:
>
> And, then it finally crashed complain that there was no root hints for the
> view "_ksu_bind", and making class IN view "_ksu_bind" with all the same
> zones, including the hint zone, it still complained that there was no root
> hints for view "_ksu_bind" and
Mart van de Wege wrote:
>
> How do I go about troubleshooting this issue to get a better idea of
> what is going on?
Are there any messages in your log containing the string " refresh: "?
Tony.
A few thoughts...
The DNS protocol is already pretty good at replicating zone data - see for
instance John Wingenbach's message in which he describes how their
deployment gradually converged on a fairly standard architecture :-)
I think multi-master makes most sense if the primary master uses DNS
Mart van de Wege wrote:
> Tony Finch writes:
> > Mart van de Wege wrote:
> >>
> >> How do I go about troubleshooting this issue to get a better idea of
> >> what is going on?
> >
> > Are there any messages in your log containing the string "
Barry Margolin wrote:
>
> It also has adverse implications for DNS-based CDN routing, e.g. Akamai.
> Everyone will be routed to the servers close to the auth servers of the
> domain containing the ANAME, instead of routing each end user to their
> closest servers.
Good point. This is relevant to
Mart van de Wege wrote:
>
> > A lot of the refresh failure logging happens at debug level 1 so you can
> > get more details by running `rndc trace 1`.
>
> Is there a way to filter that after setting it?
Not without altering the server's logging configuration. Something like
the following, perhaps
Edward DeLargy wrote:
> I just want to verify that 9.9.5 can be compiled in AIX
The README says:
Building
BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.
We've had successful builds and tests on the follo
Dave Warren wrote:
> On 2014-05-08 15:09, Mark Andrews wrote:
> > But that does not help when you want a MX record at the apex or
> > some other record at the apex.
>
> I'd argue that it does -- Since the record is now CNAME'd, the MX record is
> now under the control of the destination of the CN
Mimiko wrote:
> May 11 09:56:14 srv58 named[28172]: loading configuration from
> '/opt/bind9/etc/named.conf'
> May 11 09:56:14 srv58 named[28172]: open: /opt/bind9/etc/named.conf: file not
> found
> I've put bind in /srv/bind9. Also I use chrooting.
If you are chrooting then all the paths com
James Brown wrote:
>
> Any suggestions as to how to make the logging continue after the rollover?
Either:
(1) configure newsyslog to HUP named after rolling the logs, by telling it
the path to named.pid
(2) configure named to use syslog
(3) configure named to roll its log files itself (whi
Mart van de Wege wrote:
>
> The only difference I *can* see is that this particular slave zone
> occasionally gets a lot of updates in a single day, which is when this
> problem seems to be triggered.
Is there an MTU problem between your slave and the master? Or a problem
with fragmented UDP? I w
Mark Andrews wrote:
>
> 2275. [func] Add support to dig to perform IXFR queries over UDP.
>[RT #17235]
>
> DiG has supported ixfr over udp since 2007. It just defaults to TCP.
> you have to disable TCP after specifying ixfr.
Ah I am sure you have told me that be
Techs_Maru wrote:
> > The zone is forwarded only to "View internal" because it matches it
> > internal.
> > I want to forward hoge.zone of BIND1 to both hoge.zone that uses View
> > configuration of BIND2.
I am not sure if I understand exactly what you want. A common way to
choose what view t
Techs_Maru wrote:
>
> view "internal" {
> recursion yes;
> zone "." IN { ... };
I think it is better to use named's built-in root hints, so you don't need
to explicitly configure this.
> zone "hoge.com" IN {
> type slave;
> masters { AA
Matus UHLAR - fantomas wrote:
> On 19.05.14 17:26, Tony Finch wrote:
> > You must not share slave zone files between zones.
>
> ...I don't see point in having files for domains fetched from different
> view.
That's a reasonably sensible point of view :-)
There
Techs_Maru wrote:
>
> The mastering server side cannot be touched as this assumption.
Ah, I missed that difficulty.
> It can solve what I wanted to do by forwarding the zone in the local.
> Method of sending notify to other view when source in zone forwarding
> origin is confirmed with client-ma
Jorge Fábregas wrote:
>
> This change is going to impact thousands of users for us and I'm a bit
> worried about it. How do you deal with DNSSEC bogus data?
We don't do anything special to reduce the problem. It has not caused
noticeable pain or complaints from our users.
We have I think had on
Noel Butler wrote:
> Does this also address the crazy amount of logging (as previously discussed
> here)?
If you mean the EDNS logging, that should be fixed in 9.10.1.
Tony.
Levi Pederson wrote:
>
> I have an authoritative DNS server that is supposed to forward any
> unknowns to a specific upstream server.
You are mixing authoritative and recursive service in a way that is not
going to work well.
Forwarding is designed for recursive clients. It doesn't make sense to
Nick wrote:
> Is there a way to setup RRL to rate limit by source IP / or certain net
> blocks?
For simple cases where you want to rate-limit by default, but allow some
clients to be unlimited, use the exempt-clients clause.
If you want different limits for different clients, use different vie
Stewart, Larry C Sr CTR DISA JITC (US) wrote:
> I have configured the Solaris service admin to run
> /nithr/sbin/named -t /dns -u dnsuser
> when I start the dns server now since I have upgraded to 9.10.0-P2 I get
> a daemon notice that it is unable to set the effective uid to 0: Not
> Owner
Stewart, Larry C Sr CTR DISA JITC (US) wrote:
> Correct, so is there some negative impact I can expect or is it just a
> log entry I can ignore?
If you aren't getting any "Could not open..." warnings as well then you
are probably OK.
Tony.
Ali Jawad wrote:
>
> acl "US" {
> geoip country US;
> };
>
> view "US" {
> match-clients { US; }; //Once I add this it throws the error below
> };
>
> /etc/named.conf:47: no GeoIP database installed which can answer queries of
> type 'country'
This is a bug in 9.10.0 which will be fixed
Stewart, Larry C Sr CTR DISA JITC (US) wrote:
> So I logged in as the user that I normally start named with and I get the
> following error:
>
> Named: chroot(): Not owner
You need to start named as root for it to be able to chroot. (Unless
Solaris has some cunning fine-grained privilege featur
Wolfgang Rosenauer wrote:
>
> dnssec-validation auto;
> dnssec-lookaside . trust-anchor dlv.isc.org.;
Why not use dnssec-lookaside auto; ?
Tony.
Wolfgang Rosenauer wrote:
> Changed it now to dnssec-lookaside auto and it still behaves exactly
> the same way.
What happens if you delete the managed-keys files and restart?
Tony.