Re: Query on Bind Operations

2016-08-22 Thread Tony Finch
Harshith Mulky wrote: > > Can max-cache-ttl be used on the client (client which supports bind) to > override the default ttl time sent in response by Bind server for > Positive Responses? Yes. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Irish Sea: Southwest becoming c

Re: creating IPv6 interface eth0 failed; interface ignored

2016-08-22 Thread Tony Finch
Wolfgang Riedel wrote: > > not sure if this is a bug or a feature but had been scratching my head > for months now running BIND on Fedora22-24 and all the time I did a > reboot BIND didn’t come up and I needed to restart the process to get it > running. After some googling around I realized that I

Re: DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

2016-08-23 Thread Tony Finch
Aleks Ostapenko wrote: > As for second variant - unfortunately I don't know how to edit manually TTL > in the signed (not raw) master file. (1) Use `rndc freeze` which makes `named` rewrite the zone file with all pending changes from the journal, and makes it stop making further changes to the z

Re: Slaves or Forwarders?

2016-08-23 Thread Tony Finch
Baird, Josh wrote: > > In the past, when I have had a requirement to bring a slave zone into > our environment; I created a slave zone on my master(s) (defining the > external nameserver as a master) and then created slave zones on my > slaves using *my* master as a master (not the master outside

Re: keys and inline signing

2016-08-23 Thread Tony Finch
Andreas Meyer wrote: > > Do I need to create keys first when I create a new zone and > use inline signing or is key creation done by named? named does not create keys for you, but have a look at dnssec-keymgr in BIND 9.11 Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Fai

RE: Slaves or Forwarders?

2016-08-24 Thread Tony Finch
Darcy Kevin (FCA) wrote: > From an InfoSec standpoint, of course one would prefer to use > cryptographic methods of securing DNS data, Yes, use TSIG for zone transfers. You can also use it for forwarding. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Fair Isle, North F
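Tony's advice here is to authenticate zone transfers (and, if wanted, forwarded queries and notifies) with TSIG. As an added illustration that is not part of the thread or of BIND's code, the Python below signs a constructed NOTIFY request with a TSIG RR per RFC 8945 and checks it the way the receiving server would, using only the standard library. The key name `notify-key.`, the secret and the sample message are constructed for the example; in practice the secret comes from `tsig-keygen` and is shared out of band with the peer server.

```python
"""TSIG (RFC 8945) signing and verification of a DNS message, stdlib only.

Added example, not code from the thread or from BIND.  The key name, secret
and the NOTIFY message below are constructed for illustration.
"""
import hashlib
import hmac
import struct
import time

TYPE_TSIG, TYPE_SOA, CLASS_IN, CLASS_ANY = 250, 6, 1, 255
ALGORITHMS = {"hmac-sha256.": hashlib.sha256}   # algorithm names are domain names


def encode_name(name):
    """Wire-encode a domain name in canonical (lowercase, uncompressed) form."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def _read_name(msg, off):
    """Decode an uncompressed name; return (name, offset after it).
    A compression pointer ends the name (TSIG names are never compressed)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0:
            return None, off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n


def _rr_offsets(msg):
    """Offsets of every RR in the message, in order; a TSIG RR is always last."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4              # QTYPE + QCLASS
    offsets = []
    for _ in range(an + ns + ar):
        offsets.append(off)
        off = _read_name(msg, off)[1]
        rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlength
    return offsets


def _tsig_variables(key_name, alg, time_signed, fudge, error, other):
    """The TSIG RR fields that are covered by the MAC (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(alg) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message, key_name, secret, alg="hmac-sha256.", now=None, fudge=300):
    """Append a TSIG RR to an unsigned request and increment ARCOUNT."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(secret, message + _tsig_variables(key_name, alg, now, fudge, 0, b""),
                   ALGORITHMS[alg]).digest()
    rdata = (encode_name(alg) + now.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2]                               # original message ID
             + struct.pack("!HH", 0, 0))                 # error, other len
    tsig_rr = (encode_name(key_name)
               + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata)
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def verify(signed, keys, now=None):
    """Check the trailing TSIG RR against keys {key name: secret}.
    Returns (ok, TSIG error name); checks run in the RFC 8945 section 5.2 order."""
    now = int(time.time()) if now is None else now
    offsets = _rr_offsets(signed)
    if not offsets:
        return False, "FORMERR"
    tsig_off = offsets[-1]
    key_name, off = _read_name(signed, tsig_off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return False, "FORMERR"
    alg, p = _read_name(signed, off + 10)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    q = p + 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[q:q + 6])
    other = signed[q + 6:q + 6 + other_len]
    if key_name not in keys or alg not in ALGORITHMS:
        return False, "BADKEY"
    # Rebuild the message as it was before signing: TSIG RR removed,
    # ARCOUNT decremented, original ID restored.
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", arcount) + signed[12:tsig_off])
    expected = hmac.new(keys[key_name],
                        unsigned + _tsig_variables(key_name, alg, time_signed, fudge, error, other),
                        ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


def sample_notify(zone="example.com.", msg_id=0x1234):
    """A constructed NOTIFY request (opcode 4, AA set) with one SOA question."""
    header = struct.pack("!HHHHHH", msg_id, (4 << 11) | 0x0400, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
```

The verifier deliberately reports BADKEY before BADSIG before BADTIME, as the RFC requires, and uses a constant-time comparison for the MAC. Note what TSIG does and does not give you: it authenticates the peer and protects the message against tampering in transit, but because the secret is shared, it does not tell a third party which of the two sides produced a message, and it does nothing to protect the zone data at rest.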

Re: DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

2016-08-25 Thread Tony Finch
Aleks Ostapenko wrote: > > Then I made `rndc freeze `. But after this command - the > signed zone file (`.signed`) still remains > in raw format (not text readable) - so I can read it via > `named-compilezone` utility, but unfortunately I can't change it. Ah, I should have checked that more thorou

Re: DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

2016-08-31 Thread Tony Finch
Aleks Ostapenko wrote: > > Unfortunately, after > > 1. rndc freeze myzone > 2. named-compilezone -f raw -F text -o myzone.text myzone myzone.signed > change TTL on DNSKEY and RRSIG DNSKEY in myzone.text > named-compilezone -f text -F raw -o myzone.signed myzone myzone.text > 3. rndc thaw myz

Re: Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

2016-08-31 Thread Tony Finch
Tom wrote: > > I have a bind-setup with activated response-policy-zones. For *each* > client-forward-query, which has a valid dns-response, I got an error in the > client-log (for NXDOMAIN-Responses, I didn't have such errors... ex. "dig > @nameserver aasledkfjasdlkfjsadlf.asdlfkjsadlfkjasdjflk"):

Re: Allowable reverse mapping zone file names

2016-08-31 Thread Tony Finch
/dev/rob0 wrote: > > (See also RFC 2317 for "classless" reverse DNS delegation, but no, > DO NOT read that: I only mention it for completeness, as we have > pedantic posters on this list ... myself included. ;) ) Yeah, try https://tools.ietf.org/html/draft-ietf-dnsop-rfc2317bis instead :-) Tony.

Re: minimal-all on master

2016-09-05 Thread Tony Finch
Jim Popovitch via bind-users wrote: > > Should minimal-all (v9.11.0-rc1) work on a master? My testing shows > that it only works on the slave DNS servers. Works for me :-) minimal-any is implemented at the point the records are being assembled into an answer - it still does all the usual ANY pro

Re: minimal-any on master

2016-09-05 Thread Tony Finch
Jim Popovitch via bind-users wrote: > > Thanks. Now I'm seeing something slightly different. I have 3 NS > servers, ns{1-3}.domainmail.org. > > When I first asked 3 days ago I was seeing long ANY responses on the > master (ns1). Today I am seeing long ANY responses on ns3 (but not > ns1). O.o >

Re: minimal-any on master

2016-09-05 Thread Tony Finch
Jim Popovitch wrote: > > Hmmm, this is counter to what I've believed all along. I > thought it was > prudent to have key overlap during rollovers. There are two separate things which you can overlap semi-independently: * is the key published in the zone? * is the key active, i.e. being used t

Re: BIND-RPZ and Views

2016-09-16 Thread Tony Finch
Anand Buddhdev wrote: > > In newer versions of BIND, you cannot share a writable file in different > views. This is a bad configuration, and newer versions of BIND reject it. > Just use different file names. To clarify, you couldn't in older versions of BIND either! It would cause weird data corru

Re: managed-keys update when outgoing UDP is blocked

2020-02-24 Thread Tony Finch
Branko Mijuskovic wrote: > > We have an authoritative DNS hidden master (bind-9.11.4-9) running behind > the network where outgoing UDP traffic to unlisted IPs is blocked. > > We are using DNSSEC and I've noticed that we are getting following errors > in the bind9 logfile: 'managed-keys-zone/defau

Re: managed-keys update when outgoing UDP is blocked

2020-02-25 Thread Tony Finch
Branko Mijuskovic wrote: > > But I'm curious, do you know does BIND failover to TCP if UDP timeouts > during DNSKEY fetching? Dunno. I have blocked both UDP and TCP on my hidden primary, and it is refreshing its trust anchors via my recursive servers OK, so it is not something I have had to worry

Re: NS failover as opposed to A record failover

2020-02-26 Thread Tony Finch
Scott A. Wozny wrote: > > Failures aside, I’m worried about creating a bad user experience EVERY > time I need to take a DNS server down for patching. I generally let resolvers handle retry/failover when I'm patching my authoritative servers. Each resolver that encounters an authoritative server

Re: bind as "reverse-proxy"

2020-02-26 Thread Tony Finch
Erich Eckner wrote: > > is it possible to set up a zone in bind similar to a http(s) reverse > proxy: You're looking for dnsdist https://dnsdist.org/ Tony. -- f.anthony.n.finch http://dotat.at/ Fitzroy: West 5, increasing 6 to gale 8. Rough or very rough. Rain or showers. Good, occasionally

Re: delv 9.16.0, failed to add trusted key '.': ran out of space

2020-02-28 Thread Tony Finch
Shaun via bind-users wrote: > > The 9.16.0 version of delv seems to have trouble reading the root trust > anchor from the bind.keys file. I see this too. The bug is that dns_client_addtrustedkey() has a buffer for parsing DNSKEY or DS records, but it's only big enough for DS. diff --git lib/dns/

Re: Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

2020-03-03 Thread Tony Finch
Alan Batie wrote: > > This is timely as I was about to ask if there's any reason to generate > SHA1 DNSKEY records? I should think that anything I care about can > handle SHA256 these days... There are extremely strong reasons for NOT generating SHA1 DNSKEY records! https://www.dns.cam.ac.uk/ne

Re: How to throttle misconfigured clients?

2020-03-03 Thread Tony Finch
von Dein, Thomas wrote: > > we're seeing a lot of malformed dns queries to our recursive nameservers > like these: [snip queries for notification. / antivirusix. / kubeinspect. / organization. / history. / go-kms. ] > Obviously these clients (there are many) are misconfigured in some weird > way

Re: Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

2020-03-03 Thread Tony Finch
Alan Batie wrote: > > That was my thought, but the tools complain about not having both... [snip] > Still working out which ones it thinks are missing, as both appear to be > there - it would be nice if the tool was more specific... If you are doing an algorithm rollover, you should have 2 keys

Re: Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

2020-03-05 Thread Tony Finch
Alan Batie wrote: > > I'm letting named do the automatic signing/generation of RRSIG records, > but unless I'm missing something, you still have to generate the DNSKEY > records manually. dnssec-verify is the tool in question complaining > about not including RSASHA1 keys and signatures. Oh whoo

Re: DNSSEC Private OIDs RR

2020-03-30 Thread Tony Finch
Gabriel Gbs wrote: > In case that this is not possible out of the box, where should I start in > source code doing some modifications or workarounds? Have a look in lib/dns/dst_* and lib/dns/openssl_* Tony. -- f.anthony.n.finch http://dotat.at/ a world in which all people share the same bas

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Tony Finch
Petr Bena wrote: > I think your approach of using standard protocols (DNS queries and updates) to edit zones is very good! > Is there any alternative to nsupdate, something that can work with XML > or JSON payloads or provide output in such machine parseable format? I've done a lot with wrappin

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Tony Finch
Petr Bena wrote: > > The problem with this approach is that it's not atomic. That's the point of the prerequisite section! You can package up the atomicity checks and updates into one request. You will have to deal with concurrent update clashes in some way, but that's true for any system that ha

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Tony Finch
Shumon Huque wrote: > > The implication is that "ignore" also means set the response code to > NOERROR. Although, I suppose CNAME related UPDATE processing could have > been special cased to return an error code like YXRRSET (even without a > specified prerequisite clause). Ah, yes, now you menti

Re: update-policy wildcard grant

2020-04-01 Thread Tony Finch
Jim Popovitch via bind-users wrote: > >update-policy {grant webserver-tsig-key wildcard _acme-challenge.* TXT;}; Sadly in the DNS a wildcard * can only occur as the leftmost label in a name. RFC 4592 has more than you ever wanted to know about DNS wildcards. It's not pretty. Tony. -- f.ant

Re: DNSSEC - many doubts

2020-04-02 Thread Tony Finch
David Alexandre M. de Carvalho wrote: > A few hints and tips... > my named.conf already has the following: > > dnssec-enable yes; You don't need this because it's on by default :-) > dnssec-lookaside auto; You want to remove this because the DNSSEC lookaside validation service

Re: Can we provide recursion for forward zones in response to iterative queries?

2020-04-06 Thread Tony Finch
> Because the AD domain controllers already own 10.in-addr.arpa, they > refuse to allow us to configure conditional forwarding for its > subdomains. So we delegated the subdomains to the inbound endpoints. > Because they are delegations, the domain controllers set the recursion > desired flag to 0

Re: dnssec-signzone

2020-04-06 Thread Tony Finch
David Alexandre M. de Carvalho wrote: > So I'm still fighting with dnssec in BIND 9.8.2 (oracle linux 6). > Unfortunately no automatic signing before Bind 9.9, from what I read. BIND 9.8 has automatic signing, but not inline signing. However nsdiff is almost as good as inline signing, and I wro

Re: checkzone from stdin?

2020-04-08 Thread Tony Finch
Matthew Pounsett wrote: > > I like your suggestion of using /dev/stdin as the file though.. I bet I can > make that work until 9.18 is out. Anand's trick has worked for me for many years :-) nsdiff has used `named-compilezone /dev/stdin` since I originally wrote it in 2011... Tony. -- f.anthony

Re: BIND9 DoT/DoH - request for comments

2020-04-16 Thread Tony Finch
Witold Kręcicki wrote: > I'm currently working on DoH/DoT design - most specifically, the configuration > syntax that will be used to set up DoH/DoT. Since removing or modifying > options in named.conf is very hard I want it to be done properly - hence this > request for comments. The current des

Re: NAT and Question Section Mismatch

2020-04-17 Thread Tony Finch
John Wiles wrote: > > I am running into a problem that I think is caused by either a > misconfiguration in Bind9, our Cisco NAT, or perhaps both. > > When I am on our internal network, I am able to query both servers and > get the appropriate external ip address. However, when I try to do the > sa

Re: Batch updating all DNS records on my Bind server

2020-04-18 Thread Tony Finch
@lbutlr wrote: > > Is it possible to batch update all the domains? Looking at nsupdate it > looks like I have to step through and do every domain individually. An UPDATE request can change many records, so long as they are all in the same zone, and so long as they fit in the 64KB limit of DNS mes
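Two points from these nsupdate threads are visible at the wire level: Tony's earlier reply to Petr Bena, that the prerequisite section lets one request package its checks and its changes into a single atomic transaction, and the reply here, that one UPDATE can carry many records as long as they belong to one zone and the message stays under the 64 KB DNS message limit. The Python below is an added example, not nsupdate's or BIND's code; it builds RFC 2136 UPDATE messages with the standard library only, and the zone, names and addresses in it are constructed for illustration.

```python
"""Build RFC 2136 DNS UPDATE messages in wire format (stdlib only).

Added example, not code from the thread or from BIND/nsupdate.  The zone,
names and addresses are constructed for illustration.
"""
import struct

OPCODE_UPDATE = 5
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
TYPE_A, TYPE_SOA, TYPE_TXT = 1, 6, 16
MAX_MESSAGE = 65535            # DNS over TCP carries a 16-bit length prefix


def encode_name(name):
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def a_rdata(ipv4):
    return bytes(int(octet) for octet in ipv4.split("."))


def txt_rdata(text):
    data = text.encode("utf-8")
    return bytes([len(data)]) + data


# Prerequisites (RFC 2136 section 2.4): CLASS and TTL encode the condition.
def rrset_exists(name, rtype):
    return rr(name, rtype, CLASS_ANY, 0, b"")


def rrset_does_not_exist(name, rtype):
    return rr(name, rtype, CLASS_NONE, 0, b"")


def rrset_exists_with_value(name, rtype, rdata):
    # With one RR the condition is "the RRset is exactly this record".
    return rr(name, rtype, CLASS_IN, 0, rdata)


# Update operations (RFC 2136 section 2.5).
def add(name, rtype, ttl, rdata):
    return rr(name, rtype, CLASS_IN, ttl, rdata)


def delete_rrset(name, rtype):
    return rr(name, rtype, CLASS_ANY, 0, b"")


def delete_rr(name, rtype, rdata):
    return rr(name, rtype, CLASS_NONE, 0, rdata)


def build_update(msg_id, zone, prereqs, updates):
    """One UPDATE message: header, zone section, prerequisites, updates."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, len(prereqs), len(updates), 0)
    msg = (header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
           + b"".join(prereqs) + b"".join(updates))
    if len(msg) > MAX_MESSAGE:
        raise ValueError(f"UPDATE is {len(msg)} bytes; the DNS limit is {MAX_MESSAGE}")
    return msg


def batch_updates(zone, prereqs, updates, first_id=1):
    """Split many update RRs for one zone into as few messages as fit.
    The prerequisites are repeated in every message because each message is
    its own transaction: changes that must succeed or fail together have to
    share one message."""
    fixed = 12 + len(encode_name(zone)) + 4 + sum(map(len, prereqs))
    if fixed + max(map(len, updates), default=0) > MAX_MESSAGE:
        raise ValueError("a single update RR does not fit in one message")
    messages, chunk, size = [], [], fixed
    for update in updates:
        if size + len(update) > MAX_MESSAGE:
            messages.append(build_update(first_id + len(messages), zone, prereqs, chunk))
            chunk, size = [], fixed
        chunk.append(update)
        size += len(update)
    if chunk:
        messages.append(build_update(first_id + len(messages), zone, prereqs, chunk))
    return messages


def compare_and_swap_txt(zone, name, old_value, new_value, ttl=60):
    """Replace a TXT RRset only if it currently consists of exactly old_value.
    The prerequisite and the two update RRs are one atomic transaction."""
    return build_update(0x0100, zone,
                        [rrset_exists_with_value(name, TYPE_TXT, txt_rdata(old_value))],
                        [delete_rrset(name, TYPE_TXT),
                         add(name, TYPE_TXT, ttl, txt_rdata(new_value))])


def parse_header(msg):
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}
```

The compare-and-swap helper is the shape Tony describes: if two clients race, the second one's prerequisite fails and the server returns NXRRSET instead of silently overwriting. The batching helper shows the other half: records are packed by size, not by count, and each message is a separate transaction, so anything that has to be all-or-nothing must fit in one message. In practice the messages would be sent over TCP (UDP caps them at 512 bytes or the EDNS size) and TSIG-signed.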

Re: Chaining NOTIFY and slave servers - is it supported?

2020-04-21 Thread Tony Finch
Petr Bena wrote: > > So when someone changes zone on A via nsupdate, NOTIFY and subsequent IXFR > goes like this: A -> B -> C instead of: > > A -> B >   -> C Chaining NOTIFY like A -> B -> C is very common - I would guess most TLDs do it. In many cases, A is a secure hidden primary, B are zone tr

Re: Strange log messages

2020-04-22 Thread Tony Finch
Lars Kollstedt wrote: > > what do the following messages in loose combination mean?: > > Apr 22 09:23:01 resolver1 named[1201]: validating ip6.arpa/SOA: got insecure > response; parent indicates it should be secure This means there is a DS record for ip6.arpa in the .arpa zone, but there were n

Re: Nsupdate and TTL

2020-04-23 Thread Tony Finch
Mark Andrews wrote: > > On 23 Apr 2020, at 07:20, Evan Hunt wrote: > > > > As far as I can recall, the only way to change a TTL in nsupdate is to > > delete the whole RRset and then add it back in the same transaction: There's actually a standard shortcut for TTL changes which is a consequence o

Re: Vim Syntax, New Release for ISC Bind named.conf 5.16

2020-04-23 Thread Tony Finch
Steve Egbert wrote: > I haven't worked on the zone syntax file yet. It hasn't changed since v9.5 > days. That should be my next subproject. That will be great! When I use nsvi, vim gets bright red and angry about lots of fun records like DS, SSHFP, URI, EUI48, and RFC 3597 custom records. Which

Re: Strange log messages

2020-04-23 Thread Tony Finch
Lars Kollstedt wrote: > One of the arpa-Nameservers 192.5.5.241, 2001:500:2::c which is the C-Root- > Server is shown to be not responsive for queries over UDP by DNSviz for a long > time. This is due to a stupid peering disagreement between a couple of very stubborn tier 1 transit providers. T

Re: Question about expected recursive resolver behavior

2020-04-23 Thread Tony Finch
Sarah Newman wrote: > What should happen when for a given domain: > > - The domain resolves via TCP but not UDP - UDP for this domain had no > response at all. I would expect the domain to be completely unresolvable: the resolver will only try TCP if it gets a truncated response over UDP. > - T

Re: validating ... bad cache hit

2020-04-24 Thread Tony Finch
Havard Eidnes via bind-users wrote: > > Looking at the code in BIND 9.14.10 (BIND 9.16.2 doesn't appear to be > significantly different in this regard), there appears to be a "cache > of bad records" implemented by lib/dns/badcache.c. There are two > invocations of dns_resolver_addbadcache() in l

Re: validating ... bad cache hit

2020-04-24 Thread Tony Finch
Havard Eidnes via bind-users wrote: > > If it was due to validation failure, I would have thought that it > would be more persistent than only last for 10 minutes. Looking for vaguely plausible causes I guess what might have happened is there was a DNSKEY lookup failure (transient network problem

Re: Cannot build on macOS 10.15 (Catalina)

2020-04-28 Thread Tony Finch
In my experience getting rpaths to work properly is a massive pain because most autoconf/libtool build systems don't automatically set the rpath as required for the --with-libwhatever=PATH options to work properly, and they often prevent attempts to set rpath linker flags. In BIND there has been a

Re: Cannot build on macOS 10.15 (Catalina)

2020-04-28 Thread Tony Finch
Ondřej Surý wrote: > > On Linux, just put the path to /etc/ld.so.conf.d/local.conf and that should > do the trick. I'm usually using per-build install paths for experimentation or for easy rollback, so I prefer not to fiddle with the global path. I make things difficult for myself :-) Tony. --

Re: DoH plugin for BIND

2020-04-29 Thread Tony Finch
Walter Peng wrote: > > Does BIND have a DoH plugin official? > Or is there any guide to customize that one? You'll need to run a DoH proxy in front of BIND, for example https://dnsdist.org/ - my DoH service uses https://dotat.at/cgi/git/doh101.git Tony. -- f.anthony.n.finch http://dotat.at/

Re: DoH plugin for BIND

2020-04-29 Thread Tony Finch
Michael De Roover wrote: > On that subject, how about DoT? DoT is easier since you only need a raw TLS reverse proxy, and there are lots of those, for example, nginx: http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48 Note that if you enable DoT on port 853 on your

Re: DoH plugin for BIND

2020-05-04 Thread Tony Finch
Erich Eckner wrote: > > Will there be client-side DoT/DoH support in bind, too? E.g. will my recursive > (or forwarding) resolver be able to resolve upstream dns via those? At the moment the specifications are not yet done for encrypted DNS between recursive and authoritative servers. It's very d

Re: CAA iodef clarification

2020-05-14 Thread Tony Finch
rams wrote: > > On the CAA record iodef filed, do we force this to be unique or can it > match a CNAME? The specification says the iodef field contains a URL so normal URL resolution applies. https://tools.ietf.org/html/rfc8659#section-4.4 Questions about CNAMEs are at the wrong layer. HTTP URL

Re: can bind support DOH and DoT (and broken mailing list archive)

2020-06-02 Thread Tony Finch
ShubhamGoyal wrote: > > 1. Can bind support DoH and DoT It isn't built in, you need to run a proxy in front. See this thread from a month ago - https://lists.isc.org/mailman/htdig/bind-users/2020-April/103075.html There was more discussion in May but unfortunately the mailing list archive seems

Re: VS: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Tony Finch
Jukka Pakkanen wrote: > Thx for the info, had missed this one and actually we have that minor > misconfiguration too. Have had since 1995 when started our nameservers > and never noticed... Yes, it used to be recommended - https://tools.ietf.org/html/rfc1537#section-10 But not any more, because

Re: bind 9.11 resolving PTR record only after a few tries, +trace always, no CNAME involved?

2020-06-15 Thread Tony Finch
Steffen Breitbach via bind-users wrote: > > I am having issues with my bind server setup. When I try to resolve the PTR > for 130.248.154.166 or 172.82.233.25, I will get the proper result only after > a few tries so. After that, resolving will work. Looks like there are some discrepancies with t

Re: BIND Masters and slaves

2020-06-15 Thread Tony Finch
Vinícius Ferrão via bind-users wrote: > > But the prevalence of terms are still master and slave. And I really > hope this thing of changing nomenclatures doesn’t go any further due to > political correctness. "Political correctness" just means being considerate for other people, especially peopl

Re: [Non-DoD Source] Re: BIND Masters and slaves

2020-06-15 Thread Tony Finch
Kevin Darcy wrote: > > The "master" nomenclature is appropriate from a *data*dependency* > standpoint. The "master" holds the "master copy" of the zone contents ( > https://www.collinsdictionary.com/us/dictionary/english/master-copy). All > other copies are duplicates of that. There isn't in gene

Re: BIND 9.16 incoming TCP connection errors

2020-06-16 Thread Tony Finch
Anand Buddhdev wrote: > > 16-Jun-2020 15:21:58.815 general: Accepting TCP connection failed: socket is > not connected > > What does this log message mean? I think this error comes from getpeername() and it can occur if the connection is closed between accept() and getpeername(), which I wouldn'

Re: unexpected behaviour of rndc dnstap -roll

2020-06-21 Thread Tony Finch
Jakob Dhondt wrote: > > I am generating dnstap files using bind and regularly roll them using > 'rndc dnstap -roll [number]'. The way I understand the documentation is > that there should be max [number] old dnstap files after executing this > command but what actually happens is that all files ar

Re: Steps to reload zone files automatically?

2020-07-02 Thread Tony Finch
Chuck Aurora wrote: nice domain name :-) > On 2020-07-01 00:55, Harshith Mulky wrote: > > > Any methods or links which can be shared to help us reload the zone > > files automatically once we make changes to the zone files ( cron > > methods or shell scripts) > > A different paradigm which would

Re: $INCLUDE Kexamle.com.+007...

2020-07-05 Thread Tony Finch
@lbutlr wrote: > When a domain configuration file contains an include line for the key, > where is that include looking for the key file? ... good question, I have avoided having to find that out ... > I'm in a situation where the keys seems to work fine for updating > DNSSEC, but nsdiff compla

Re: Hints for forwarding a subdomain on a authoritative server

2020-07-06 Thread Tony Finch
Tom wrote: > > But: The zone-forwarding is only working, when I enable "recursion" on the > authoritative server. Does this mean, that zone-forwarding really requires > recursion? Yes, forwarding is completely specific to recursive servers. That is, the server doing the forwarding must be recurs

Re: DNS security, amplification attacks and recursion

2020-07-07 Thread Tony Finch
Michael De Roover wrote: > > Said friend said to me that he tested my authoritative name servers and > found them to be not vulnerable. [snip] They do not respond to recursive > queries. It appears that the test of whether a server is "vulnerable" or > not has to do with this. The command used to

Re: Fun with nsupdate and ac1.nstld.com

2020-07-07 Thread Tony Finch
@lbutlr wrote: > > The latest surprise was that dnssec-enable yes; is obsolete in Bind 9.16. `dnssec-enable yes` has been the default since 2007, so that directive has been useless for quite a long time :-) What changed in 9.16 is that you now can't turn DNSSEC off. (Specifically, support for cor

Re: DNS security, amplification attacks and recursion

2020-07-07 Thread Tony Finch
@lbutlr wrote: > > > rate-limit { responses-per-second 10; }; > > Does that apply to local queries as well (for example, a mail server may > easily make a whole lot of queries to 127.0.0.1, and rate limiting it > would at the very least affect logging and could delay mail if the MTA > cannot v

Re: DNS security, amplification attacks and recursion

2020-07-07 Thread Tony Finch
Brett Delmage wrote: > On Tue, 7 Jul 2020, Tony Finch wrote: > > > > minimal-any yes; > > Why only reduce and not eliminate? The reason is a bit subtle. If an ANY query comes via a recursive resolver, it is much better to give the resolver an answer so that it will put

Re: How to prepublish additional DNSKEY

2020-07-08 Thread Tony Finch
Klaus Darilion wrote: > > A signed zone shall be moved to another DNS provider. Hence I want to > add the public KSK of the gaining DNS provider as additional DNSKEY to > the zone. I guess you might already have seen this draft - it discusses long-term multi-provider setups rather than transition

Re: DNS_RRL_MAX_RATE defines 1000

2020-07-08 Thread Tony Finch
程智勇 wrote: > > So could anybody tell me why DNS_RRL_MAX_RATE defined 1000? RRL is designed for authoritative DNS servers. Legitimate queries come from recursive resolvers with caches. There should not be more than one query for each RRset from each resolver per TTL. So a normal response rate limi
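Tony's reasoning here (a legitimate resolver has a cache, so it asks an authoritative server for a given RRset roughly once per TTL, and a limit of a handful of responses per second per client netblock and name is therefore generous) is the whole basis of response rate limiting. The Python below is an added, deliberately simplified model of that idea, not BIND's own RRL implementation, which is considerably more elaborate (it also keys error and NXDOMAIN responses differently and has exemptions). The parameter names mirror the `rate-limit` options already mentioned in this thread (`responses-per-second`, `slip`, `window`, prefix lengths); the limiter values and the traffic it is run over are constructed for the example.

```python
"""A simplified model of DNS response rate limiting (RRL).

Added example, not BIND's RRL implementation.  It keeps the idea from the
thread: key responses by (client netblock, qname, qtype), allow a modest
steady rate per key, and for excess queries either drop the response or
"slip" a truncated one so a genuine resolver behind the same netblock can
retry over TCP.  Parameters and the traffic below are constructed.
"""
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    def __init__(self, responses_per_second=10, slip=2,
                 ipv4_prefix=24, ipv6_prefix=56, window=15):
        self.rps = responses_per_second
        self.slip = slip                 # every slip-th excess query gets TC=1
        self.ipv4_prefix = ipv4_prefix   # spoofed sources are lumped per netblock
        self.ipv6_prefix = ipv6_prefix
        self.window = window             # seconds of debt a key may accumulate
        self.credits = {}                # key -> (balance, last seen)
        self.excess = Counter()          # key -> excess responses, drives slip

    def _key(self, client_ip, qname, qtype):
        addr = ipaddress.ip_address(client_ip)
        prefix = self.ipv4_prefix if addr.version == 4 else self.ipv6_prefix
        block = ipaddress.ip_network((str(addr), prefix), strict=False)
        return (str(block), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        """Return 'answer', 'slip' or 'drop' for one query at integer time now."""
        key = self._key(client_ip, qname, qtype)
        balance, last = self.credits.get(key, (self.rps, now))
        # Refill one second's worth of credit per elapsed second, capped so a
        # quiet key cannot bank a large burst; then spend one credit, bounding
        # the debt so a burst does not block the key for hours.
        balance = min(self.rps, balance + (now - last) * self.rps)
        balance = max(balance - 1, -self.window * self.rps)
        self.credits[key] = (balance, now)
        if balance >= 0:
            return "answer"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            # TC=1 with an empty answer is about the size of the query, so it
            # cannot amplify, but a real resolver will retry over TCP.
            return "slip"
        return "drop"


def simulate(limiter, queries):
    """queries: (time, client_ip, qname, qtype, label) tuples in time order.
    Returns {label: Counter of decisions}."""
    results = {}
    for now, ip, qname, qtype, label in queries:
        results.setdefault(label, Counter())[limiter.decide(now, ip, qname, qtype)] += 1
    return results


def demo():
    """Constructed traffic: a resolver refreshing one RRset once per 300 s TTL,
    and a reflection attack spoofing a victim's address 100 times a second."""
    resolver = [(t, "198.51.100.7", "example.com", "A", "resolver")
                for t in (0, 300, 600)]
    spoofed = [(t, "203.0.113.9", "example.com", "ANY", "spoofed")
               for t in (0, 1, 2) for _ in range(100)]
    traffic = sorted(resolver + spoofed, key=lambda q: q[0])
    return simulate(ResponseRateLimiter(), traffic)
```

Running `demo()` shows the trade-off in numbers: the resolver's three queries are all answered, while of the 300 spoofed queries only the first ten get full answers, and the rest are split evenly between slipped truncated responses and silent drops. The cost is collateral: a genuine resolver that shares both the attacker's netblock and the attacked name is rate limited too, which is exactly why slip exists and why RRL is for authoritative servers rather than recursive ones, where clients legitimately send many queries for many names.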

Re: DNS_RRL_MAX_RATE defines 1000

2020-07-09 Thread Tony Finch
Zhiyong Cheng wrote: > > We are using named cluster in our internal network as the authoritative > DNS. So there are no cache servers between clients and named cluster. > Maybe we should add one but it is just another story. Sorry, I wasn't completely clear: I was not saying that your authoritati

Re: /etc/bind.keys in a chrooted environment

2020-07-22 Thread Tony Finch
Anand Buddhdev wrote: > On 22/07/2020 15:06, Josef Moellers wrote: > > > named complains about the missing file /etc/bind.keys if run chrooted: > > unable to open '/etc/bind.keys' using built-in keys > > > > What is the preferred way around this? Add "/etc/bind-keys" to > > NAMED_CONF_INCLUDE_FILE

Re: "minimal-any" configuration query

2020-09-17 Thread Tony Finch
ShubhamGoyal wrote: > We have enabled " minimal-any yes;" in our Bind DNS Sever, Yet an ANY > query provides complete details instead of providing reduced details . Testing minimal-any with dig is tricky and very obscure! For an example of how to test it, try: dig cam.ac.uk any @131.11

Re: RRSIG and TTL

2020-09-17 Thread Tony Finch
Scott Nicholas wrote: > > Primary nameserver is behind a cache/proxy on enterprise network such that > all external traffic hits this. Zone went bogus. I blame policy but on > further inspection 2/3 proxies had differing TTL between the DNSKEY and its > RRSIG. Hmm, that's suspicious. In the DNS,

Re: negative caching ttl question

2020-10-13 Thread Tony Finch
Veaceslav Revutchi wrote: > Given this soa: > > fe80.info. 3600 IN SOA ns-538.awsdns-03.net. > awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60 > > I see bind caching negative answers for 3600 instead of 60. The rfc > and my google searches suggest that it should pick the MIN(soa ttl, > soa mi

Re: Why are no notifies sent?

2020-10-18 Thread Tony Finch
Axel Rau wrote: > > I can’t see any notifies to 2001:470:100::2 in the logs. > > What am I doing wrong? Normally BIND only logs "sending notifies" without saying anything about where it is sending them. You need to increase the log level using `rndc trace 3` (or more than 3) to get the informatio

Re: Why are no notifies sent?

2020-10-22 Thread Tony Finch
Axel Rau wrote: > > Has anybody a working IPv6 notify address in use? Notifies from my primary to my on-site servers go over IPv6 with a TSIG key. They are all dual-stack. Tony. -- f.anthony.n.finch http://dotat.at/ Sole: Variable 4 at first in east, otherwise westerly or southwesterly 4 to

Re: Logging on a Bind server

2020-10-22 Thread Tony Finch
senthan.sivasunda...@szkb.ch wrote: > One day an alert came from Cybereason (antivirus software) that our > Bind server tried to connect to a suspicious domain "ns2.honeybot.us". > But I couldn't find the log, which domain the BIND server was searching > for, so that the BIND server has to c

Re: How bind select NS record during recursive queries

2020-11-19 Thread Tony Finch
Duleep Thilakarathne wrote: > > How does bind select NS entry during recursive queries , when the answer > section has multiple NS entries. It's roughly based on measuring the smoothed round trip time (SRTT) to each nameserver and picking the closest, with a lot of randomness in the mix. Try sea

Re: BIND server; dig vs dig +trace on failing lookup.

2021-03-04 Thread Tony Finch
Gregory Sloop wrote: > Would you mind showing me how you got there? I like https://dnsviz.net/ and https://zonemaster.net/ - dnsviz is better at showing DNSSEC issues, and zonemaster has a bigger collection of general DNS checks, so it's worth using them both. Tony. -- f.anthony.n.finchhtt

Re: Authority and forwarding, but not recursion/iteration

2021-03-09 Thread Tony Finch
Marki wrote: > > I am seeking a combination of either a combined configuration on one, or a > config of several different DNS servers together to achieve the following: > > * Some clients should be able to resolve authoritative local zones as well as > some forwarded zones. > > * Other clients sho

Re: Authority and forwarding, but not recursion/iteration

2021-03-09 Thread Tony Finch
Marki wrote: > > Concerning static-stub: Using a (bogus) forwarder together with "forward > first" (default) seems to work (Note: using "forward only" gives SERVFAIL). > All outside requests get a SERVFAIL even with "forward first" but that's an > esthetic problem. Yes, SERVFAIL is ugly - I shoul

Re: Authority and forwarding, but not recursion/iteration

2021-03-12 Thread Tony Finch
Marki wrote: > > But if you need granular filtering, that could become a lot of views... Yes, I think RPZ is really designed to be a ban hammer for dealing with abuse, rather than a general-purpose access control mechanism. If you need to get really fancy then you should look at dnsdist which can

Re: sub-zone on the same server but in different backend - how?

2021-03-15 Thread Tony Finch
lejeczek via bind-users wrote: > > Have a zone on a server, say: > > - the.zone > > with "flat" files being the backend for it. Now wanting to have: > > - sub.the.zone > > served by the same BIND server, but stored in.. "SQL" backend. > > How... well how to make that work if at all possible? > I'd

Re: Zone transfer is happening intermittently between slave and master bind

2021-03-17 Thread Tony Finch
Prasanna Mathivanan (pmathiva) via bind-users wrote: > > I couldn’t find anything from logs (checked both xfer and messages) The best way to find out if a secondary server thinks a zone is out-of-date is to look at the notify log messages. On the primary you'll see something like 17-Mar-2021 12:

Re: Temporarily no name resolution using second/virtual ip address

2021-03-25 Thread Tony Finch
Jonathan via bind-users wrote: > It makes no difference from which subnet the queries come from. For > testing I used a server in the same subnet like my DNS is, so there is > no firewall or NAT in between. I also captured the network traffic of > the DNS-Server and -Client. All I can see is, tha

Re: how to stop and remove BIND 9.9.7-P3 on Mac OS X High Sierra 10.13.6?

2021-03-25 Thread Tony Finch
Paul Cizmas wrote: > > but it appears that “service” must be replaced by something else Yes: init on macOS is called launchd, and the service control program is called launchctl, which has a reasonably useful man page. Tony. -- f.anthony.n.finch https://dotat.at/ Mull of Galloway to Mull of

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

2021-03-26 Thread Tony Finch
Paul Cizmas wrote: > ~$ named -v > BIND 9.9.7-P3 (Extended Support Version) What's probably happening here is that the BIND on your $PATH isn't necessarily the BIND that homebrew installed and (hopefully) is running. You can run `dig @localhost version.bind ch txt` to see what the running serve

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

2021-03-29 Thread Tony Finch
alcol alcol wrote: > seriously? is like linux/unix FAQ 😄 Please, if you can't be helpful, don't reply at all. We all have to learn somehow, and the best way to show your knowledge is to share it generously. Tony. -- f.anthony.n.finch https://dotat.at/ Trafalgar: Easterly 6 to gale 8 in sout

Re: replication time for dynamic records from primary to secondary servers

2021-03-31 Thread Tony Finch
Cuttler, Brian R (HEALTH) via bind-users wrote: > > We are seeing a delay in the primary DNS server updating the secondary > and would like to shorten that interval. This is probably due to NOTIFY messages not working. NOTIFY is the mechanism that allows primary servers to tell secondaries to get

Re: resolv.conf question / timeout behaviour

2021-03-31 Thread Tony Finch
Tom Preissler wrote: > > at my work place we have a three resolver setup in /etc/resolv.conf. > > We had sometimes, though rarely, response times for DNS like 14000ms, > due to the fact that the *first* listed resolver is down for maintenance > reasons. Sadly the traditional unix stub resolver be

Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Tony Finch
Matus UHLAR - fantomas wrote: > > note that for this kind of setup, using dnsmasq with two forwarders and > www.google.com > overridden through /etc/hosts would be easier solution. Or a response policy zone, if you don't want to switch software https://bind9.readthedocs.io/en/v9_16_13/reference.html

RE: replication time for dynamic records from primary to secondary servers

2021-04-03 Thread Tony Finch
Cuttler, Brian R (HEALTH) via bind-users wrote: > > I don't think the issue I'm having is related to notify message not > being reacted to nor zone transfer requests not being sent to answered. It's worth checking the logs to make sure that they agree with what you expect. > What I think I'm see

Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Tony Finch
Chuck Aurora wrote: > > A stub or static-stub zone would not require recursion. In that case > named is asking for authoritative data from upstream. But type > forward zones indeed cannot work if recursion is disabled. Be careful in this kind of situation to be very clear about which client or

Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Tony Finch
Mark Andrews wrote: > > On 8 Apr 2021, at 00:37, Tony Finch wrote: > > > > Forward zones require the upstream server to be recursive too. > > More correctly, the upstream server has to serve the entire namespace being > forwarded if it does not offer recursion to t

Re: Preventing a particular type of nameserver abuse

2021-04-13 Thread Tony Finch
Peter Coghlan wrote: > > I have a nameserver which is authoritative for three or four domain names. > It receives around 1000 queries per day that could be regarded as plausibly > legitimate. It receives around ten times that number of abusive queries per > day from presumably spoofed ip addresses

Re: Preventing a particular type of nameserver abuse

2021-04-13 Thread Tony Finch
Anand Buddhdev wrote: > > A legitimate client, following a normal chain of referrals, has *no* > reason to query a server for zones it is not authoritative for. That's true for cases like .sl and other domains whose delegations are set up correctly, but if a server is accidentally lame then it's

Re: Preventing a particular type of nameserver abuse

2021-04-14 Thread Tony Finch
sth...@nethelp.no wrote: > > Agree that you should be able to ignore them. But as a practical matter, > ignoring them *may* result in the question being asked again and again, > while REFUSED *may* stop the client from asking more. REFUSED leads to retries too: if the client is a legit resolver i

Re: Preventing a particular type of nameserver abuse

2021-04-14 Thread Tony Finch
Peter Coghlan wrote: > > I wouldn't describe it as background radiation or probes. It doesn't seem > to be caused by misconfigured or faulty resolvers or anything of that nature. Hmm, maybe air pollution would be a better metaphor? What I mean is the kind of continuous low levels of abuse that's

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Tony Finch
Matthijs Mekking wrote: > On 15-04-2021 16:35, Bob Harold wrote: > > > > If BIND holds both the child and parent zone, will it add the DS record > > at the correct time?  Or do I still need to write scripts to update the > > DS records in all my sub-zones?  And is there some signal from BIND at >

Re: Using RNDC to control remote access to my BIND server

2021-04-22 Thread Tony Finch
Greg Donohoe wrote: > I have created a CI/CD pipeline in order to amend zone files using nsupdate > based on a front end user request. This portion of the pipeline is working > as expected so now I want to be able to connect from my pipeline runner to > my remote BIND staging server and update th

Re: nsupdate and zone files, was Re: Using RNDC to control remote access to my BIND server

2021-04-25 Thread Tony Finch
Paul Kosinski via bind-users wrote: > A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP) > IP address for my very simple domain. It worked, except that it totally > messed up the organization of the zone file. Since the file only has 44 > active lines (which are organized lo

Re: Using RNDC to control remote access to my BIND server

2021-04-26 Thread Tony Finch
Anand Buddhdev wrote: > Anand's advice is good, as usual :-) But a small pedantic point: > The DNS protocol itself has recently been updated to allow for > encryption, using DTLS (DNS-over-TLS). DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a spec for DNS-over-DTLS (

Re: Configuring the location of named .jnl files

2021-04-26 Thread Tony Finch
Ivan Avery Frey wrote: > I'm trying to obtain certificates from Let's Encrypt using the DNS-01 > challenge method. > > I just want to confirm that there is no option to configure the > directory for the .jnl files independently of the zone files. You have had a bunch of helpful replies already,

Re[2]: Configuring the location of named .jnl files

2021-04-27 Thread Tony Finch
Anders Löwinger wrote: > Ivan Avery Frey wrote: > > > >We are only using update to provision the acme challenge as described > >by RFC 8555 8.4. Nothing else. > > Acme follows CNAMEs. I've redirected all challenges to my domains to a > separate subdomain, which allows dynamic updates. Works great
