On 13/11/2021 07:16, Erich Eckner wrote:
On Sat, 13 Nov 2021, Reindl Harald wrote:
> On 12.11.21 at 18:55, lejeczek via bind-users wrote:
>> On 12/11/2021 17:14, Reindl Harald wrote:
>>> wouldn't it be easier to setup two different
subdomains in which case you don
On Wed, Dec 29, 2021 at 5:31 AM Danilo Godec via bind-users
wrote:
> I have an authoritative DNS server for a domain, but I was also going to
> use the same server as a recursive DNS for my internal network, limiting
> recursion by the IP. Apparently, this is a bad idea that can lead t
here and
all working.
I have seen, that Bind logs in messages log file sometimes the following
error logs :
_dns_dnssec_keylistfromrdataset: error reading
/xxx/xxx/xxx/xx-domain/named.aaa/aaa.xx.+008+41919.private: file not
found_
That "file not found" is due to a rename of "
Hi Klaus,
Thank you so much for your answer but when Bind deletes a key from a
zone, if I remember correctly, there should not be any rrsig still
active, signed previously by the deleted key. Isn't it?. So I assume in
that case, I should be doing it properly but still see these messages.
These are the contents of a cat of the private file I have renamed to
samename.private-OLD :
Created: 20211031230338
Publish: 2020220241
Activate: 2020220341
Inactive: 20211215230338
Delete: 20211217230338
Not understandable
Cheers,
El 2022-01-24 14:58, egoitz--- via bind-u
date of
44526 is very old
Anyway that could explain the error : "dns_dnssec_keylistfromrdataset:
error reading .private: File not found", because it seems Bind
source code, checks the DNSKEY and later tries to load that keys. As the
files for keyid 44526 don't exist, tha
he delete date of 44526 is
> very old
>
> Anyway that could explain the error : "dns_dnssec_keylistfromrdataset: error
> reading .private: File not found", because it seems Bind source code,
> checks the DNSKEY and later tries to load that keys. As the fi
se you see the delete date of 44526 is
> very old
>
> Anyway that could explain the error : "dns_dnssec_keylistfromrdataset: error
> reading .private: File not found", because it seems Bind source code,
> checks the DNSKEY and later tries to load that keys. As the
>
> egoitz--- via bind-users wrote:
>
>> These are the contents of a cat of the private file I have renamed to
>> samename.private-OLD :
>>
ault sig-validity-interval (30) that takes up to 22.5 days to
> which you have to add the record TTL.
>
> OK, BUT DOES SIG-VALIDITY-INTERVAL AFFECT TOO, AFTER THE KEY DELETION DATE?.
> OR DOES IT AFFECT ONLY FROM THE INACTIVATION DATE TO THE DELETION DATE OF A
> KEY?.
>
you have to add the record TTL.
>>
>> Ok, but does sig-validity-interval affect too, after the key deletion date?.
>> Or does it affect only from the inactivation date to the deletion date of a
>> key?.
sig-validity-interval and re-signing is independent of inacti
>> Or does it affect only from the inactivation date to the deletion date of a
>> key?.
sig-validity-interval and re-signing is independent of inactive and
delete dates.
> Mark
>
> Best regards
>
> On 25 Jan 2022, at 05:21, egoitz--- via bind-users
> wrote:
>
> Hi!
On 1/25/22, 8:51 AM, "bind-users on behalf of Benny Pedersen"
wrote:
On 2022-01-25 17:45, Greg Choules wrote:
> Hello.
o 22.5 days to
>> which you have to add the record TTL.
>>
>> Ok, but does sig-validity-interval affect too, after the key deletion date?.
>> Or does it affect only from the inactivation date to the deletion date of a
>> key?.
sig-validity-interval and re-signing
wildcard is forwarding anything towards the IP ( example , "cc.bb."
> which is not a valid subdomain). How can I limit that so it will only
> forwards ( bb.aa.example.com) and drops any invalid subdomains (
> cc.bb.aa.example.com ).
>
> Note: aa, bb, and cc being any
valid signature found
...
I'd imagine must some up-the-chain servers doing something
there - my local 'bind' does not point/use any specific
forwarders.
many thanks, L.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the deve
?
servfail or a missing ad-bit?
Daniel
On 18.03.22 15:25, lejeczek via bind-users wrote:
Hi guys
how to troubleshoot that?
...
18-Mar-2022 14:17:41.725 warning: EVP_VerifyFinal failed
(verify failure)
18-Mar-2022 14:17:41.725 info: error:0398:digital
envelope routines::invalid digest:crypto/evp
away from the signed file (I've been using ALG 13 for a couple of years.
--
"Are you pondering what I'm pondering?"
"Yes, Brain, I think so, but do nuts go with pudding?"
--
econdary' is less clear than
> master/slave.
>
> My understanding is that it is possible to have a standalone BIND server that
> is running as a 'master' yet acting as a 'secondary' for a particular domain.
> In this context, secondary doesn't necessari
/find-subdomains/
> Thanks again for your attention,
> Michael
cheers,
raf
--
i've bind9 running as a primaryhost to a number of bind-andb-other
slaves.
i'm trying to set up to use different TSIG keys with different
secondaries.
in my named.conf, i've
...
acl acl_slave_1 { 1.1.1.1; };
acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4
eys, so do you need to have the
> IPs mentioned here?
the goal is to have both IP- & key- restrictions in place.
fwiw, the orig example i found for this was @:
https://lists.isc.org/pipermail/bind-users/2009-April/075985.html
thanks!
___
bind-users
ave1 -- slave2 no longer seems to initiate any
transfers, as if it's not getting any notify.
still poking around ...
> I wrote an explanation of BIND ACLs on this list a few years back that
> you may find helpful in explaining the syntactic insanity:
>
> http://www.mail-archive.c
1 2017.
The replacement keys published as expected and haven't been used for
signing yet as expected.
I woke up last Friday Dec 23rd to find my zones failing validation. When
I investigated I found the existing signatures expired on the 22nd and
bind never resigned the records wit
On 6/27/17 12:13 PM, Michael W. Fleming wrote:
We're setting up a wireless printing service that uses
Zeroconf/bonjour/rendezvous dns entries. The product, Presto, has its
own dns server for a private, on-campus only zone (presto.). We're
running bind 9.9 with a master server, t
-evans ] [
https://github.com/jakedevans ] [ https://keybase.io/jacobdevans ]
- Original Message -
From: "Niall O'Reilly"
To: "bind-users"
Sent: Friday, July 14, 2017 2:40:49 PM
Subject: Re: delegation NS records
On 14 Jul 2017, at 14:07, b...@zq3q.org wrote:
>
I'm running into an odd issue with Bind 9.9.4 whereby I'm trying to run a
scripted nsupdate to rotate TLSA records. I'm running nsupdate via a Bash
script that executes the following nsupdate batch commands which are directed
to a Bind "view" that is accessible from the
From: "Warren Kumari"
To: "Kevin"
Cc: "bind-users"
Sent: Tuesday, October 31, 2017 11:28:58 AM
Subject: Re: head scratcher: nsupdate, Bind views, and TLSA record updates
On Tue, Oct 31, 2017 at 1:50 PM, Kevin via bind-users
wrote:
> I'm running int
- Original Message -
> From: "Kevin"
> To: "Warren Kumari"
> Cc: "Kevin" , "bind-users"
>
> Sent: Tuesday, October 31, 2017 12:18:41 PM
> Subject: Re: head scratcher: nsupdate, Bind views, and TLSA record updates
> Fro
- Original Message -
> From: "Kevin"
> To: "Kevin"
> Cc: "Warren Kumari" , "bind-users"
>
> Sent: Tuesday, October 31, 2017 12:33:56 PM
> Subject: Re: head scratcher: nsupdate, Bind views, and TLSA record updates
> --
- Original Message -
> From: "Warren Kumari"
> To: "Kevin"
> Cc: "bind-users"
> Sent: Tuesday, October 31, 2017 12:47:06 PM
> Subject: Re: head scratcher: nsupdate, Bind views, and TLSA record updates
> So, can you confirm that you a
I think it's sorted, thanks all.
-Kevin
From: "Tony Finch"
To: bind-us...@isc.org
Sent: Wednesday, November 1, 2017 2:50:32 AM
Subject: Re: head scratcher: nsupdate, Bind views, and TLSA record updates
Mark Andrews wrote:
>
> More correctly _tcp.mail.thesandiego
to split?
I tried looking at local-data but i was not able to perform this.
Thank you,
F
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.
All,
Operating BIND version "BIND 9.9.10-P1 (Extended Support Version)" DNSSEC
signing in place. DKIM, SPF and DMARC records are also in place for top-level
domain (zone).
Is an "A" record mandatory entry for top-level domain (zone) when using DNSSEC,
DKIM, SPF and DMARC c
: fatal: failed loading zone from : CNAME and other data
On Wednesday, April 11, 2018, 5:56:01 PM EDT, Carl Byington
wrote:
On Wed, 2018-04-11 at 21:06 +, praveen via bind-users wrote:
> Is an "A" record mandatory entry
On 22/09/18 17:04, Reindl Harald wrote:
On 22.09.18 at 17:53, lejeczek via bind-users wrote:
is it possible to update domain(not hosts of/in the domain) records?
there is nothing like "not hosts of/in the domain"
Something like
domain.local A 10.1.1.100
which is simply an A
10.3.1.100#12046/key nsupdate_key: updating zone
'dom.local/IN': attempt to add CNAME alongside non-CNAME ignored
Thank you for the https://www.isc.org/blogs/bind-9-packages/ blog post
and various binary distributions mentioned in it.
I am an end user, not a programmer, and I rely on Linux distributions
and application packages and so having up-to-date content from
authoritative sources is both helpful
#53
I checked responses from boxA with +dnssec and as expected these are
secure(d).
boxA does allow-transfer boxB
What is the problem, what I got wrong there?
many thanks, L.
, I tried to move the .signed file aside, thinking maybe thaw might recreate
it, But no, it complains the file doesn’t exist, so I put it back.
Is it possible for me to edit the zone file (as in with vim) and have bind
update, or do I have to do everything through nsupdate and never access the
> On 21 Feb 2019, at 13:41, Grant Taylor via bind-users
> wrote:
>
> On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
>> I edited a zone file after issuing a rndc freeze command, added two new sub
>> zones, changed the serial number, saved the file, and then
--Lords and Ladies
On 21 Feb 2019, at 20:43, Grant Taylor via bind-users
wrote:
>
> On 2/21/19 6:28 PM, @lbutlr wrote:
>> rndc reload did not recreate (or at least update the time stamp) on the
>> .signed file.
>
> Hum. Maybe it's something different about how you're doing
hose is my example.com.signed file?
Is nsdiff a separate package? It’s not on my FreeBSD 11.2 system with Bind 9.12
--
Well boys, we got three engines out, we got more holes in us than a
horse trader's mule, the radio is gone and we're leaking fuel and if we
was flying any lower why we'
ioutsourcing.nl. IN TXT
;; Query time: 176 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Jun 26 07:57:59 CDT 2019
;; MSG SIZE rcvd: 63
named -v
BIND 9.10.3-P4-Debian
This shows up in the log:
fetch completed at ../../../lib/dns/resolver.c:5082 for
cleanmail4.capgeminioutsourcing.nl/
Hi Mark,
>Given the message says "ran out of space” it indicates that a fixed buffer was
>too small. The lookup also works with current versions of BIND so I would
>say the solution is to stop running EoL’d software and upgrade.
I have upgraded to 9.14.3 and that has solved the
e with dnssec yet, but it would seem that perhaps it
relates here in some capacity, as there is no public .local domain, obviously?
disabling dnssec [dnssec-enable no;] seems to support this, as when doing so,
queries work.
that said, i'm wondering why this is happening - e.g. why bind seem
es still exists that does not provide a fully signed path
>> from root to zone, i.e. .com.au , co.za etc, how would an
>> administrator enable / implement DNSSEC validation for these zones ?
>>
>>
or the ".com.au" zone.
Bind 9.7.1 - 9.14.5 - 9.14.7 and 9.15.3 is dropping this into sys.log, but
still runs fine:
named[459]: unable to set effective uid to 0: Operation not permitted
named[459]: generating session key for dynamic DNS
named[459]: unable to set effective uid to 0: Operation not permitted
named[459
Dear Wil,
Your email was fascinating. Thank you
Sent with ProtonMail Secure Email.
‐‐‐ Original Message ‐‐‐
On Wednesday, November 6, 2019 3:15 AM,
wrote:
> Send bind-users mailing list submissions to
> bind-users@lists.isc.org
>
> To subscribe or unsubscribe via the Wo
hat a standard DNS
resolver should have.
documentation!
On Thu, Oct 3, 2024 at 6:23 PM Lyle Giese via bind-users
wrote:
> I get this:
> ; <<>> DiG 9.16.50-Debian <<>> ns socialinnovation.ca
>...
> socialinnovation.ca. 3600 IN NS dns.rebel.ca.
> socialinnovation.ca. 3600
old Debian 10 linux. I downloaded the
bind 9.18.30 source[2] and build by myself.
-8<-8<-8<-
$ /usr/local/sbin/named -V
BIND 9.18.30 (Extended Support Version)
running on Linux aarch64 5.10.103-v8+ #1529 SMP PREEMPT Tue Mar 8 12:26:46 GMT
2022
built by make with '--w
e internal
zone is 10
.0.2.0/24 and it not Internet routable.
Let's say that .com has NS recording point example.com to 10.0.1.10 and
10.0.1.11. Those are bind servers hosting zones for example.com and
dmz.exmaple.com.
There are two BIND servers in the internal zone, 10.0.1.10 and
10.0.1.1
Every release since then is
also available to download, should you want to check them all.
So the fact that you *do* have a file called “db.local", I think means
nothing. Anyone could have created that for some purpose only they
knew at the time.
ftr ubuntu also ships bind with a db.local f
> From: bind-users on behalf of Duan Duan
> via bind-users
>
> Hey Guys,
>
> I am upgrading my bind version from 9.11.0 to 9.18.31.
>
> But I have some questions about Access Control Lists(acls).
>
> I am in version 9.11.0 acl file is like this
>
>
n the primary zone server initially, which I believe will be too
late to make any intelligent decisions.
Is the idea to create a do-nothing dnssec policy to have some method of
enforcement?
Thoughts?
Stuart
--
Hi,
This is mostly just me wondering if this is just a "me" issue or whether this
is endemic of BIND on OSX.
I use BIND as distributed by brew.sh on OSX (14.7.6, M2 Pro) for local testing
of various things and ran into an issue last week. When I configured BIND to
listen on an alte
> From: bind-users on behalf of Greg Choules
> via bind-users
> Reply to: Greg Choules
> Date: Wednesday 6 August 2025 at 20:06
> To: Renzo Marengo
> Cc: "bind-users@lists.isc.org"
> Subject: Re: configure bind in chroot jailenzo. The Linux distros packag
none; }; recursion yes;
In configuration #(2) forward would be configured as follows:
zone "other.example.com" {
type forward; forward only; forwarders { 10.10.10.10; 10.10.10.20; }; };
Bind is ver. bind-9.16.23
Will configuration #(2) be secure?
Is there any risk o
I’m running bind 9.18.10 and having a hell of a time with AWS Route53 and
DNSSEC.
I’m testing dnssec-policy and have algorithms 8, 13, and 15 set. On the test
domain I’m using, I wiped the old keys, deleted the DS records in the parent
zone and basically started from scratch.
I started named
-e' print
> Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2
> 2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'
>
>
>
> Enjoy.
>
> Timothe Litt
> ACM Distinguished Engineer
> --
-setup-dnssec-on-an-authoritative-bind-dns-server-2
For entering the DS record in to Route53, you enter the whole public key in
Base64 without spaces or newlines, not the hash of the key like the registrars
I’ve used for other domains.
What is annoying is it accepts the hash as perfectly valid and
it
is worth throwing it over the fence.
Again, thanks for all the help!
Eric
's a little padlock in the box at the top it's secure..."
The bank is anonymous here not to protect the guilty, but to highlight
the fact that it almost doesn't matter which one you choose.
$ whois UK_bank_domain | grep DNSSEC
$
--
73,
Ged.
--
Information Technology Group
Institutions do not have opinions, merely customs
--
Hi E R.
My short answer would be, don't configure views unless you have a good use
case for them. For example you are running resolvers that have two
different kinds of clients that need to be handled differently - one client
set needs RPZ, the other doesn't. Or something like that.
to:wbr...@e1b.org>>
wrote:
Last I saw, both M365 and Google only retry for 24 hours before returning as
undeliverable.
--
William Brown
WNYRIC/Erie 1 BOCES
-Original Message-
From: bind-users
mailto:bind-users-boun...@lists.isc.org>> On
Behalf Of Marcus Kool
Sent: Wednesda
Hello everyone,
This is my first time posting here, and I'm not sure if it's the right
place or not to ask my question. This is a general DNS question,
specifically, I think, SPF.
(Btw, I do use Bind in my system, so that's why I'm here.)
I host email using Smar
ee everything
that's needed in our server logs.
--
73,
Ged.
--
Hi there,
On Sun, 8 Jan 2023, Mark Andrews wrote:
Please don't hijack an existing thread by replying to an existing message for a
unrelated subject. It is bad form. Just create a new message and send it to
bind-us...@isc.org.
Oh, blast, I missed that, sorry.
--
73,
Ged.
--
Hi,
I want to configure "allow-transfer" statement for "XoT" secondaries as well as
"non-XoT" secondaries for a single zone.
Please help in configuring the same.
Regards,
Sachchidanand
--
r, president
Montague WebWorks
20 River Street, Greenfield, MA
413-320-5336
http://MontagueWebWorks.com
Powered by ROCKETFUSION
On 1/7/2023 6:24 PM, G.W. Haywood via bind-users wrote:
Hi there,
On Sat, 7 Jan 2023, Michael Muller wrote:
This is my first time posting here, and I'm not sure if i
Hi there,
On Mon, 9 Jan 2023, Michael Muller wrote:
Thanks for responding to my question. Again, if there's a better place
to ask this question, I can go there. ...
Taking this off list.
--
73,
Ged.
--
:
> I’ve turned on query logging, then grepped for the count of lines logged
> in a particular second.
>
>
>
> Worked well enough for the job at the time.
>
>
>
> J
>
>
>
> *From: *bind-users on behalf of "King,
> Harold Clyde (Hal) via bind-users"
_/_/_/_/_/ _/_/ _/_/
> "Love is placing your happiness in the happiness of another" - Leibniz
> --
's not worth worrying about.
Cheers, Greg
On Fri, 13 Jan 2023 at 06:19, Jesus Cea wrote:
> On 13/1/23 7:12, Greg Choules via bind-users wrote:
> > Hi Jesus.
> > No. Zone Transfer always uses TCP. Is it really that much of an overhead
> > for you?
>
> Not now
Hi,
Please help in configuring "allow-transfer" (Please see the trail mail) if any
solution is available in BIND. I am using bind 9.18.10
Regards,
Sachcidanand
From: "Sachchidanand Upadhyay"
To: bind-users@lists.isc.org
Sent: Monday, January 9, 2023 2:35:34 PM
On 12/01/2023 18:20, King, Harold Clyde (Hal) via bind-users wrote:
I need to find some answers like queries per second. Any fast ideas folks?
--
Hal King - h...@utk.edu
Systems Administrator
Office of Information Technology
Shared Services
The University of Tennessee
103c5 Kingston Pike
Hi.
I’m migrating an old bind from Oracle Linux 6 to Oracle linux 9.16.
The first thing I noticed was that there were 2 bind versions available in this
new distro. I went for the newest.
It is “named-chroot” and a “slave” configuration for my domain. The files are
already being transferred
", tcpdump shows it trying to connect to top
level IPs
And I keep getting SERVFAIL.
Regards.
David
-Original Message-
From: Marco
Sent: 13 January 2023 11:33
To: bind-users@lists.isc.org
Cc: David Carvalho
Subject: Re: Can not query localhost
Am 13.01.2023 schrieb David Carv
keys-directory "/var/named/dynamic";
and everything worked. Still don't understand exactly why, I will continue
to investigate, but any feedback is welcome.
Thanks
Regards
David
-----Original Message-
From: bind-users On Behalf Of David
Carvalho via bind-users
Sent: 13 January
Hi.
It was not oracle linux 9.16 but Bind 9.16.
The problem seemed to be about broken dnssec validation, that's why commenting
those entries solved.
For now I'm not using dnssec, I will have to read about key rotation. If that
is still a very manual process, I'll have to be
ecifically what many people do, or not, doesn't translate to a
requirement.
In my opinion, this is the best way to do things, and the in-place signing is
just a total pain.
Your opinions, such as they are, are independent of the OP's question.
I've got an ancient version of BIND
Pirawat.
> -- Forwarded message --
> From: E R
> To: bind-users@lists.isc.org
> Cc:
> Bcc:
> Date: Tue, 17 Jan 2023 17:28:57 -0600
> Subject: DNSSEC With Primary Hidden - Clarifying Question from
> Documentation
> I am planning on implementing the
child (europa.eu) is different to the NS RRSET in
the parent (eu)
2) One of the servers - 2001:978:2:1::93:2 - may have trouble with UDP
queries over v6. Having said that, from where I am I can make UDP queries
over v6 to it, both from dig and from my local BIND. However, it does
report a BADCOOKIE on t
Hi,
I tried using BIND 9.18.10 as a downstream name server of an
OpenDNSSEC 2.1.8 installation, but after sorting out the ACL
issues on the OpenDNSSEC side, zone transfers failed with
messages such as these:
Jan 21 17:15:34 new-ns named[22056]: transfer of '4.38.158.in-addr.arpa/IN'
f
> The consistency checks are not new. The message indicates that
> the IXFR contained a delete request for a record that doesn't
> exist or an add for a record that exists. Named recovers by
> performing an AXFR of the zone.
Interesting.
BIND 9.16.36 does not produce this log m
y differ in IPs and "master/slave" setting.
My questions:
Should I use recursion on both? (Bear in mind that I also want them to
provide chache to clients)
Why do I need "dig +norec" to get the exact output on my slave server?
Kind regards
David
--
Visit https://li
rvers make queries out
to other places? If so, recursion must be enabled.
Secondly, do you have "minimal-responses" configured on either/both
servers? If so, what is it set to? There were changes in 9.16 so maybe
these explain your observations.
Cheers, Greg
On Tue, 24 Jan 2023 at 1
;"?
- Do Akamai have any knobs you can tweak (I believe they have a customer
web portal for viewing/changing settings?) that would make them behave like
an RFC compliant DNS server?
Cheers, Greg
On Tue, 24 Jan 2023 at 21:17, John Thurston
wrote:
> My "resolvers" running BIND 9
understand, there is no downside in maintaining this setting, right?
Thank you!
Kind regards.
David
From: Greg Choules
Sent: 24 January 2023 18:12
To: David Carvalho
Cc: bind-users@lists.isc.org
Subject: Re: recursion yes/no?
Hi David.
"recursion yes;" tells named that it
t
Sent: 24 January 2023 20:12
To: David Carvalho
Cc: bind-users@lists.isc.org
Subject: Re: recursion yes/no?
On Tue, Jan 24, 2023 at 04:48:34PM -, David Carvalho via bind-users wrote:
> Hello.
>
> I hope someone could help to understand the following.
>
> I have "my.
do anything with it anyway) Authority or
Additional data. So a hybrid server is a bit stuck between those two
settings.
However, from 9.16 BIND now has extra choices (as Evan pointed out). To
answer your follow up question I would stick with "no-auth-recursive" as
this is exactly the scenari
It helps a lot!!
I think I understand now.
Have a great day!
Regards
David
From: Greg Choules
Sent: 25 January 2023 10:34
To: David Carvalho
Cc: bind-users@lists.isc.org
Subject: Re: recursion yes/no?
Hi David.
With "minimal-responses", usually I would set it to "n