Mike Hoskins (michoski) micho...@cisco.com wrote:
/dev/rob0 r...@gmx.co.uk wrote:
I would suggest that if you're making much use of rndc freeze, YDIW.
Consider using nsupdate(8) to make your changes.
True, but I just set up two new networks where the tenants wanted exactly
this
Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:
And, the prior ZSK was 14565
; This is a zone-signing key, keyid 14565, for ksu.edu.
; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)
Nicholas F Miller nicholas.mil...@colorado.edu wrote:
The problem is the reply will ALWAYS be five seconds when doing an 'ANY'
query. It is not a matter of the TTL counting down.
Is there a middlebox of some kind between you and the name server?
Tony.
--
f.anthony.n.finch d...@dotat.at
Simon Forster fors...@spamteq.com wrote:
As a matter of interest, if one had a DNSBL with 5.5 million entries
(i.e. 5.5 million IPs):
1) What needs to be done to rewrite that to a BIND zone?
2) What sort of machine would be required to load that zone?
3) How long would it take to load into
Simon Forster fors...@spamteq.com wrote:
Excellent info. Thank you. What's the specs of the machine you're testing on?
An old-ish Dell Optiplex 760, Core 2 Duo, 3.16 GHz, 4GB RAM.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5,
Vernon Schryver v...@rhyolite.com wrote:
It's convenient that with binary zone files and the dynamic update
protocol, loading from text (or signing a whole zone) is not something
you need to do every hour on the hour.
Right. Timings from named-checkzone give a rough idea of a worst-case cold
Red Cricket red.cricket.b...@gmail.com wrote:
How can I determine if it was built with rate-limiting?
named -V
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers,
babu dheen babudh...@yahoo.co.in wrote:
I would like to understand DNSSEC on BIND Recursive DNS server running
in RHEL 5.0.
First upgrade BIND to version 9.8 or newer.
Check your network connectivity isn't funted. See for instance
Jim Pazarena b...@paz.bz wrote:
I see in my logs DNS format error from 205.178.190.53#53 resolving
excelwetsuits.com/MX for client 207.34.147.83#54521: invalid response
The client is *my* mail server IP.
I am wondering is this error on MY side or theirs?
Theirs.
; DiG 9.9.4rc1 ns
Barry Margolin bar...@alum.mit.edu wrote:
If the server is authoritative for both the CNAME and the target of the
CNAME, no recursion should be necessary -- the target is already in its
memory. Doesn't the server normally fill in the whole CNAME chain in
this case?
Yes - see the
The nsdiff program examines the old and new versions of a DNS zone, and
outputs the differences as a script for use by BIND's nsupdate program. It
provides a bridge between static zone files and dynamic updates. If you
use BIND 9.7 or 9.8, you can use nsdiff as an alternative to the DNSSEC
Tobias Wolter tobias.wol...@b1-systems.de wrote:
# rndc -s localhost -c ~/rndc-localhost.conf addzone metazone. '{type master;
file master/metazone.zone;};'; tail /var/log/messages -n 4
rndc: 'addzone' failed: file not found
Dec 11 10:01:15 hostname named[21120]: received control channel
Thomas Schulz sch...@adi.com wrote:
Am I correct in thinking that in the case of a hidden master and a chain
of slaves, that the first publicly accessible slave would do the signing
and that in any case only one instance of bind should do the signing?
It is better if the hidden master does the
Thomas Schulz sch...@adi.com wrote:
Checking the resulting serial number, I find that it is 2013120423. The
serial number in the static zone file is 2013120400. Why did it bump it
up to 23? I expected something like 02.
Have a look at the sig-signing-signatures option which says (by default)
Joseph S D Yao j...@tux.org wrote:
On 2014-01-12 10:04, Chris Thompson wrote:
That would be more plausible if www.p3net.net actually resolved to
something, rather than giving NXDOMAIN ...
How interesting. From here I see (and saw before I posted):
;; ANSWER SECTION:
www.p3net.net.
Graham Clinch g.cli...@lancaster.ac.uk wrote:
I'm seeing a dnssec validation error that I can't pin down, for the domain:
newsletter.postbank.de.
Looks like a bug in BIND to me. It works out that there is no DS in the
parent then gets muddled. I note that postbank.de is in the middle of a
Pika.Aman a...@thingsto.me wrote:
Is that possible to use the bind-util “nsupdate” to insert a new record
into the zone file of response policy zone ? I got “NOTZONE” reply from
the bind.
NOTZONE means you have used a domain name that is not in the zone you
are trying to update.
#nsupdate
Mark Andrews ma...@isc.org wrote:
In message 52ea4c56.5060...@pernau.at, Klaus Darilion writes:
Are there any tools/ways to query Bind for the incoming serial?
rndc zonestatus zone [class [view]]
I think that's a BIND-9.10 feature :-)
On 9.9 I think you either have to look at
Klaus Darilion klaus.mailingli...@pernau.at wrote:
named-compilezone -j -f raw -o - example.com \
/etc/bind/zones/example.com 2>&1 | grep SOA | awk '{print $7;}'
Another option might be to use named-journalprint and grab the last SOA
from the output. I don't know which is faster... actually,
David Newman dnew...@networktest.com wrote:
2. For five domains, the log contains signature-has-expired warnings.
In all five cases, these are for NSEC3PARAM records.
Is any action needed on my part, for example manually doing NSEC3
signing of these zones?
See if named has already
David Newman dnew...@networktest.com wrote:
What action, if any, is needed?
Does rndc sign zone make it wake up? Is there anything in the logs
reporting problems, e.g. inability to read the key files?
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty: East, veering
David Newman dnew...@networktest.com wrote:
On 1/31/14 10:35 AM, Tony Finch wrote:
David Newman dnew...@networktest.com wrote:
What action, if any, is needed?
Does rndc sign zone make it wake up?
Alas, no. There are a bunch of successful IXFR messages to slave servers
but the dates
Olsen, Richard William (Rick) CTR DISA PEO-MA (US) richard.w.olsen.ctr@mai...:
We have been trying to build bind using with-openssl=PATH and not have
it require the full openssl install on the destination system.
Try building BIND with --without-gost
Tony.
--
f.anthony.n.finch d...@dotat.at
Mark Andrews ma...@isc.org wrote:
If you really want to go down this path then you need to copy over
the shared library which is dynamically loaded into named at runtime
specifically lib/engines/libgost.so
or rebuild openssl to include the gost code in libcrypto.
How do you do that? The
Terry Burton t...@terryburton.co.uk wrote:
Is the following expected or is it a bug?
It is correct. See RFC 4592 for the full explanation of how wildcards work.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at
Sarath sar...@slashroot.in wrote:
The internal xyz.example.com is on an internal host (private address )
which is the default DNS server for all internal hosts (all hosts use
this DNS server in their resolve.conf ) And the external xyz.example.com
is on another public ip server (aws route 53
Aki Tuomi cmo...@cmouse.fi wrote:
We have A records
5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi
and
5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi
Now. If I ask DNSSEC validating BIND version 9.9.3-P2 or 9.9.4-P2 to
resolve either of those A records, I get
Aki Tuomi cmo...@cmouse.fi wrote:
Hi, can you try again? Just to be sure.
This time it failed in the way you described earlier:
19-Feb-2014 12:23:27.043 queries: info: client ::1#32049
(5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): view rec:
query:
Gaurav Kansal gaurav.kan...@nic.in wrote:
I have a doubt about this only. What's the difference between Zone and Host?
Zone keys are used for DNSSEC signing zones.
Host keys are used for TSIG transaction authentication, for securing zone
transfers or dynamic updates.
I also want to know which
houguanghua houguang...@hotmail.com wrote:
What's the meaning of bind decaying? Where can I find the detailed
description? Thanks!
There's a summary of the SRTT algorithm in
http://securityintelligence.com/subverting-binds-srtt-algorithm-derandomizing-ns-selection/
Tony.
--
Gaurav Kansal gaurav.kan...@nic.in wrote:
We are running slave services for our customers.
We want to have a log of what entries have been changed in the master (which is
causing this zone transfer) at the time of zone transfer.
I want to know whether it is possible to have some sort of log
Jason Hellenthal jhellent...@dataix.net wrote:
I recall spending a LOT of time with DNSSEC figuring out all the
nonsense but like anything else stability and friendliness has to start
somewhere. And development should not be impeded by adoption of bad
practices. Fix the root cause not the
James Brown jlbr...@bordo.com.au wrote:
I have recently upgraded to openSSL 1.0.1f.
When I try to configure bind 9.9.5 I'm getting an error:
checking for OpenSSL library... using OpenSSL from /usr/local/ssl/lib and
/usr/local/ssl/include
checking whether linking with OpenSSL works... no
Andreas Ntaflos d...@pseudoterminal.org wrote:
Using Bind 9 on Ubuntu 12.04 for internal DNS (master for zones
dc01.example.at., 7.1.10.in-addr.arpa., ...) with forwarders (ISP's
nameservers) for everything outside of internal zones.
The Problem: Clients, when running hostname -f or hostname
Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:
If you have FQDN for machines, the problem might be that the domain
isn't set in resolv.conf?
The machines are configured with a bare hostname. If there isn't a search
or domain directive in /etc/resolv.conf and there isn't an entry for the
Ramanou Biaou rama...@netim.com wrote:
Someone has resources, links or tutorial to understand and implement the
dynamic update zone files with BIND
If you search the web for [nsupdate howto] or [nsupdate tutorial] you
should find some useful resources.
If you are running BIND 9.7 or newer
Daniel Ryslink daniel.rysl...@dialtelecom.cz wrote:
At first, when the zone was not signed at all, all that sufficed was to
do rndc loadkeys example.com, and when I later used rndc signing
-list example.com, the keys set via
dnssec-settime as active in the keys directory were displayed.
Note
Tom Limoncelli t...@whatexit.org wrote:
I have 4 DNS servers all running BIND 9.8.2 (the CentOS 6.5 package). One
is configured as the master for about 100 zones. The other 3 are slaves
for those 100 zones. On the master the amount of entropy reported by cat
Carsten Strotmann c...@strotmann.de wrote:
You can enable DNSSEC validation support on a BIND 9 caching server that
is used as a resolver by your clients. BIND 9 9.9.x already comes with
DNSSEC validation enabled, for older versions you need to enable it
manually in the configuration.
DNSSEC
r...@iastate.edu r...@iastate.edu wrote:
If we implement DNSSEC for iastate.edu, admin.iastate.edu and
its.iastate.edu, must DNSSEC be implemented for the delegated zones as
well?
No, in exactly the same way that signing .edu does not mean iastate.edu
has to be signed. If there are no DS
We have a couple of recursive servers running 9.9.5 which are persistently
unable to validate answers.ssh.com, returning SERVFAIL. With debug logging
turned on we get (amongst lots of other things):
24-Apr-2014 16:41:23.087 client 131.111.56.28#35569 (answers.ssh.com): query
(cache)
Theodotos Andreou t...@theo-andreou.org wrote:
Now I have a different problem. After converting all the zones to master many
zones failed to load because of this:
29-Apr-2014 11:21:32.613 dns_rdata_fromtext: db.0.210.10.in-addr.arpa:26:
near 'android_b2b2b8cdeedf92d3.example.com.': bad
Tony Finch d...@dotat.at wrote:
We have a couple of recursive servers running 9.9.5 which are persistently
unable to validate answers.ssh.com, returning SERVFAIL.
Some days later one of our servers has been restarted and is successfully
resolving this name. The other is still persistently
Shawn Zhou shawnzho...@yahoo.com wrote:
Has anyone had problems building BIND 9.10 for FreeBSD? We are using the
same process that worked for building 9.9.4 to build 9.10 on FreeBSD
6.x/7.x but we are getting ld: invalid BFD target error.
Yes. BIND's linking stage changed between 9.9 and 9.10
Noel Butler noel.but...@ausics.net wrote:
Um, since upgrading 9.9.5 to 9.10 every request to the name server is
spewing copious amounts of debug type data (thankfully I only upgraded
the one server)
Was debug left on in the final release source code? :)
When I was running pre-release
Mark Andrews ma...@isc.org wrote:
Also one shouldn't need to add LDFLAGS=-R/opt/OpenSSL/lib. configure
adds it itself if the platform needs it. --with-openssl=/opt/OpenSSL
should be enough.
I think the bug here is that configure assumes the admin has added all
possible library directories to
Dave Warren da...@hireahit.com wrote:
DNSMadeEasy calls this an ANAME record, internally they just lookup the
destination's IP and cache it, updating it as needed.
It works, but it would be nice if this could be done in DNS. Sadly, it can't,
and probably won't in our lifetimes.
Never say
Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:
And then it finally crashed, complaining that there was no root hints for the
view _ksu_bind, and making class IN view _ksu_bind with all the same
zones, including the hint zone, it still complained that there was no root
hints for view _ksu_bind
Mart van de Wege mvdw...@gmail.com wrote:
How do I go about troubleshooting this issue to get a better idea of
what is going on?
Are there any messages in your log containing the string refresh: ?
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Thames, Dover, Wight, Portland,
A few thoughts...
The DNS protocol is already pretty good at replicating zone data - see for
instance John Wingenbach's message in which he describes how their
deployment gradually converged on a fairly standard architecture :-)
I think multi-master makes most sense if the primary master uses
Mart van de Wege mvdw...@gmail.com wrote:
Tony Finch d...@dotat.at writes:
Mart van de Wege mvdw...@gmail.com wrote:
How do I go about troubleshooting this issue to get a better idea of
what is going on?
Are there any messages in your log containing the string refresh: ?
I have
Barry Margolin bar...@alum.mit.edu wrote:
It also has adverse implications for DNS-based CDN routing, e.g. Akamai.
Everyone will be routed to the servers close to the auth servers of the
domain containing the ANAME, instead of routing each end user to their
closest servers.
Good point. This
Mart van de Wege mvdw...@gmail.com wrote:
A lot of the refresh failure logging happens at debug level 1 so you can
get more details by running `rndc trace 1`.
Is there a way to filter that after setting it?
Not without altering the server's logging configuration. Something like
the
Edward DeLargy eddela...@gmail.com wrote:
I just want to verify that 9.9.5 can be compiled in AIX
The README says:
Building
BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.
We've had successful builds and
Dave Warren da...@hireahit.com wrote:
On 2014-05-08 15:09, Mark Andrews wrote:
But that does not help when you want a MX record at the apex or
some other record at the apex.
I'd argue that it does -- Since the record is now CNAME'd, the MX record is
now under the control of the
Mimiko vbv...@gmail.com wrote:
May 11 09:56:14 srv58 named[28172]: loading configuration from
'/opt/bind9/etc/named.conf'
May 11 09:56:14 srv58 named[28172]: open: /opt/bind9/etc/named.conf: file not
found
I've put bind in /srv/bind9. Also I use chrooting.
If you are chrooting then all
James Brown jlbr...@bordo.com.au wrote:
Any suggestions as to how to make the logging continue after the rollover?
Either:
(1) configure newsyslog to HUP named after rolling the logs, by telling it
the path to named.pid
(2) configure named to use syslog
(3) configure named to roll its
Mart van de Wege mvdw...@gmail.com wrote:
The only difference I *can* see is that this particular slave zone
occasionally gets a lot of updates in a single day, which is when this
problem seems to be triggered.
Is there an MTU problem between your slave and the master? Or a problem
with
Mark Andrews ma...@isc.org wrote:
2275. [func] Add support to dig to perform IXFR queries over UDP.
[RT #17235]
DiG has supported ixfr over udp since 2007. It just defaults to TCP.
you have to disable TCP after specifying ixfr.
Ah I am sure you have told me
Techs_Maru tec...@gmail.com wrote:
viewinternal {
recursion yes;
zone . IN { ... };
I think it is better to use named's built-in root hints, so you don't need
to explicitly configure this.
zone hoge.com IN {
type slave;
masters
Techs_Maru tec...@gmail.com wrote:
The master server side cannot be touched; that is the assumption.
Ah, I missed that difficulty.
It can solve what I wanted to do by forwarding the zone locally.
Method of sending notify to the other view when the source in the zone forwarding
origin is confirmed
Jorge Fábregas jorge.fabre...@gmail.com wrote:
This change is going to impact thousands of users for us and I'm a bit
worried about it. How do you deal with DNSSEC bogus data?
We don't do anything special to reduce the problem. It has not caused
noticeable pain or complaints from our users.
Noel Butler noel.but...@ausics.net wrote:
Does this also address the crazy amount of logging (as previously discussed
here)?
If you mean the EDNS logging, that should be fixed in 9.10.1.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
East Sole, Lundy, Fastnet: Variable 3 or 4.
Levi Pederson levipeder...@mankatonetworks.net wrote:
I have an authoritative DNS server that is supposed to forward any
unknowns to a specific upstream server.
You are mixing authoritative and recursive service in a way that is not
going to work well.
Forwarding is designed for recursive
Nick n...@nsnpc.net wrote:
Is there a way to setup RRL to rate limit by source IP / or certain net
blocks?
For simple cases where you want to rate-limit by default, but allow some
clients to be unlimited, use the exempt-clients clause.
If you want different limits for different clients, use
Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:
I have configured the Solaris service admin to run
/nithr/sbin/named -t /dns -u dnsuser
when I start the dns server now since I have upgraded to 9.10.0-P2 I get
a daemon notice that it is unable to set the
Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:
Correct, so is there some negative impact I can expect or is it just a
log entry I can ignore?
If you aren't getting any Could not open... warnings as well then you
are probably OK.
Tony.
--
f.anthony.n.finch
Ali Jawad alijaw...@gmail.com wrote:
acl US {
geoip country US;
};
view US {
match-clients { US; }; //Once I add this it throws the error below
};
/etc/named.conf:47: no GeoIP database installed which can answer queries of
type 'country'
This is a bug in 9.10.0 which will be
Wolfgang Rosenauer wrosena...@gmail.com wrote:
dnssec-validation auto;
dnssec-lookaside . trust-anchor dlv.isc.org.;
Why not use dnssec-lookaside auto; ?
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
West Forties, Cromarty, Forth, Tyne, Dogger: Northerly or
Wolfgang Rosenauer wrosena...@gmail.com wrote:
Changed it now to dnssec-lookaside auto and it still behaves exactly
the same way.
What happens if you delete the managed-keys files and restart?
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
North Utsire, South Utsire, East
Wolfgang Rosenauer wrosena...@gmail.com wrote:
first thing:
2014-07-10T16:04:56.862405+02:00 s15418965 named[29815]:
managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': timed out
Eventually the file appeared a bit later with the dlv.isc.org key.
Suspicious. What do you get if you
Wolfgang Rosenauer wrosena...@gmail.com wrote:
s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
there is no output at all. Is that also expected and the reason is the
UDP limitation?
Yes.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Easterly or
Phil Pennock bind-users+p...@spodhuis.org wrote:
Seeing little things like this:
deleting db.spodhuis.org.signed.jnl
deleting db.spodhuis.org.signed
deleting db.spodhuis.org.jnl
deleting db.spodhuis.org.jbk
worry me.
Is there any way to get back the on-disk state files
Gary Wallis wgg1...@gmail.com wrote:
What are the drawbacks, if any, of running only master name servers for the
set of authoritative NSs?
That depends entirely on how you are replicating the zone data.
The DNS's own replication (AXFR, IXFR, NOTIFY, TSIG) is pretty hard to
beat: it is fast,
Tracy, Tedd C. Contractor tedd.c.tr...@ssa.gov wrote:
;; ANSWER SECTION:
www.securityplusfcuhb.org. 86399 IN CNAME
securityplusfcuhb.flb.intuit.com.
securityplusfcuhb.flb.intuit.com. 30 IN CNAME
03845.olb.prd1.flb.digitalinsight.com.
03845.olb.prd1.flb.digitalinsight.com. 30 IN
Carsten Strotmann c...@strotmann.de wrote:
I do not understand how the NSEC3 hash can be defeated by an
attacker. Could you give a link to additional information or could you
explain the issue with NSEC3 salt in other words?
Lily truelil...@gmail.com wrote:
will 9.8 branch reach end of life support soon?
Go to http://www.isc.org/downloads/ and click on BIND towards the
bottom. EOL for 9.8 is September.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
West Bailey: Northerly 4 or 5 becoming variable 3.
Reindl Harald h.rei...@thelounge.net wrote:
Am 31.07.2014 um 21:08 schrieb /dev/rob0:
The proper tool to manage zone data is nsupdate(8). Likewise well
suited for automation.
zone file *editing*?
sorry, no, I developed in 2008 an interface to create all zone files based
on a database
Mike Hoskins (michoski) micho...@cisco.com wrote:
Tony Finch d...@dotat.at wrote:
In our setup, changes made in the database are turned into an nsupdate
script, so we don't need to bounce the name server and we can use
BIND's automatic signing.
no argument on nsupdate, but even if you copy
Tomas Hozza tho...@redhat.com wrote:
Right now it is not possible, and when named is built with
--enable-native-pkcs11
it can not run without HSM and some PKCS#11 provider library.
Would using SoftHSM solve your problem?
http://www.opendnssec.org/softhsm/
Timothe Litt l...@acm.org wrote:
There are still registrars that don't accept DNSSEC records, and a
non-trivial number of domain holders can't easily switch registrars.
In some cases it isn't possible to switch to a better registrar, e.g. if
you need DNSSEC for your reverse DNS.
So yes, there
Mukund Sivaraman m...@isc.org wrote:
BIND will not allow you to use special characters such as '!' in owner
names of certain RRs types such as A, MX, etc. as they don't form valid
hostnames (see RFCs 1123 and 1912).
But you can set the check-names option to relax the restrictions.
Tony.
--
Ronald F. Guilmette r...@tristatelogic.com wrote:
In a nutshell, I'd just like to know whether or not Punycode
encoded strings may ever validly contain either (a) leading
periods or else (b) two consecutive periods. Would any strings
that contain either of those things be considered to be
Mike Hoskins (michoski) micho...@cisco.com wrote:
This isn't even specific to DNS...for example, there was a time when just
turning on what sounds good for cisco, netscreen and even checkpoint
would break other things like ESMTP.
You mean Cisco have fixed the grossly damaging bugs in the
Terry Burton t...@terryburton.co.uk wrote:
This is especially useful in bootstrapping scenarios where the zone
data is held under strict revision control or generated by some
provisioning system that owns the serial number.
Our provisioning system used to think it owned zone serial numbers,
Giles Coochey gi...@coochey.net wrote:
It looks like adobe are entertaining use of a CNAME chain (a CNAME to a CNAME
which points to a CNAME which points to a CNAME which eventually points to an
A record).
No, CNAME chains are OK. The problem is that the wip4.adobe.com name
servers
Thomas Goldberg t.goldber...@gmail.com wrote:
Essentially we're looking for a way to inject DS records into a slave
zone (transfered from another DNS server).
One way to do this is with my nsdiff script which was written to do a
similar job to inline-signing mode for older versions of BIND.
A couple of notes and queries re.
https://kb.isc.org/article/AA-00874/0/Best-Practices-for-those-running-Recursive-Servers.html
RRL: I don't think this is a good idea on recursive servers; at the very
least it is difficult to tune appropriately for recursive servers.
Also, RRL is available as a
houguanghua houguang...@hotmail.com wrote:
Can bind support forwarding zone to another DNS server? In my testing,
for local name servers, it can. But for authority name servers, it
can't.
Use stub or static-stub to forward to an authoritative server.
Tony.
--
f.anthony.n.finch
Matus UHLAR - fantomas uh...@fantomas.sk wrote:
On 02.11.14 23:09, Frank Pikelner wrote:
What is the advantage of using a stub or static-stub to using a slave?
you should use them when it's not possible or viable to use slave, e.g.
windows AD domain, RBL domain, domain that can't be
houguanghua houguang...@hotmail.com wrote:
I'm not familiar with 'stub'. The description of 'stub' is hard to
understand.
Yes it's a bit weird. Think of it like the root hints but for other zones:
i.e. a hint zone configuration in a recursive server tells named that
instead of using a
Kaouthar Chetioui kaoutharcheti...@gmail.com wrote:
I want to know the exact path that follows bind to resolve a DNS query
Try running
$ rndc flush
$ rndc trace 11
$ dig www.example.ma
Then look at named's logs which will give you lots of details about
queries, responses, and the parts of BIND
Kaouthar Chetioui kaoutharcheti...@gmail.com wrote:
I don't find any name of source file (like message.c or name.c) or name of
function in this log file, so I can't understand exactly the process of
resolution for dig command.
The log module gives you a rough idea of which part of the system
Evan Hunt e...@isc.org wrote:
However, in this case I think it's because you had an empty cache, and
sending a second query will clear the problem up. In a future release, we
may want to lift the restrictions temporarily while priming.
Yes, I could reproduce it after flushing my cache. Had
양지은 god...@naver.com wrote:
I have a question about new options, max-recursion-depth and
max-recursion-queries in 9.9.6-P1.
Would you teach me how the options work?
The ARM has a fairly complete description. Does it answer your questions?
Bob Harold rharo...@umich.edu wrote:
Two suggestions:
1. Don't stop/start named. Instead, do rndc freeze, update the zone
files, rndc thaw, rndc reload. If a zone is bad, I think BIND will
continue to serve the old zone. Also there is no break in service since
BIND is never stopped.
or
Mukund Sivaraman m...@isc.org wrote:
That doesn't exactly mean general public, so does anyone else know
where a license grant to implementors is documented?
Section 4 of http://trustee.ietf.org/license-info/IETF-TLP-3.htm
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Cromarty,
wu shuangrong wushuangr...@yahoo.com wrote:
I'd like to configure BIND in such way that when it failed to get result for
the first time, it'll query for the second time.
Try adjusting resolver-query-timeout.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
East Sole, Lundy,
Enrico Scholz enrico.sch...@sigma-chemnitz.de wrote:
Unfortunately, our ISP (Deutsche Telekom) does not allow AXFR of the
/24 zone. I solved it now by declaring an external (non-recursive)
and internal (recursive) view, where the external one is a master
for 2.1.10.in-addr.arpa covering only
Stuart Henderson s...@spacehopper.org wrote:
On 2015/02/02 21:51, Ray Van Dolson wrote:
Unfortunately, the only solution I'm really seeing right now is an ugly
one -- setting up a new view for this set of clients and then creating
25+ zones -- one zone per record I want to override (so