Re: How do I identify if bind9 is using 4 cores?

2021-06-17 Thread Anand Buddhdev
On 17/06/2021 05:32, Manish Rane wrote: Hi Manish, > I have BIND 9.16.17-Ubuntu on ubuntu and have 4 cores. I have configured > > more /etc/default/bind9 > OPTIONS="-n 4" > > And then restarted the services. How do I verify if bind9 has spawned 4 > processes and distributed among those? BIND

Re: A question on logging

2021-06-16 Thread Anand Buddhdev
On 16/06/2021 20:36, ToddAndMargo via bind-users wrote: Hi Todd, > Questions: > > 1) is there some pruning of old stuff mechanism to >    keep my drive from being over run with logging >    data? Yes, see section 4.2.9 of the BIND manual: https://bind9.readthedocs.io/ > 2) If I want to

Re: Need help for Calculate DNS throughputs

2021-06-15 Thread Anand Buddhdev
On 15/06/2021 08:12, PRAKASH CHAND wrote: Hi Prakash, Look at DNSPerf. It's an open source tool for benchmarking DNS servers. It has a component called resperf, specifically for resolvers. You could try to use that to find out how far you can push your resolvers. Make sure to measure the packet

Re: configure notify for ixfer?

2021-06-01 Thread Anand Buddhdev
On 01/06/2021 17:18, Cuttler, Brian R (HEALTH) via bind-users wrote: Hi Brian, > From what I'm reading I should be sending a notify from the primary > to the secondary when a dynamic zone is updated but I don't seem to be > doing that. > > Would someone please point me to the option I'm missing

Re: Bind - OPT UDPsize=1232 ?

2021-06-01 Thread Anand Buddhdev
On 01/06/2021 16:01, Karl Pielorz wrote: Hi Karl, > Thanks for the pointer - ok, yes I can see it's probably EDNS / Flag day > related etc. I missed that - probably as it's never caused us an issue. > Annoyingly a value of 1232 causes a TCP fallback to a server out of our > control that doesn't

Re: Bind - OPT UDPsize=1232 ?

2021-06-01 Thread Anand Buddhdev
On 01/06/2021 12:55, Karl Pielorz wrote: Hi Karl, > Anyone know why the Bind query appears to set such a low UDPsize? - > We've nothing in our config setting sizes, or maximums. Here's an answer: https://bind9.readthedocs.io/en/v9_16_16/notes.html#notes-for-bind-9-16-16 Regards, Anand

Re: Syslog with BIND on CentOS

2021-05-20 Thread Anand Buddhdev
On 20/05/2021 23:34, John Thurston wrote: Hi John, > My subsequent read of the docs indicates that BIND on CentOS 7, while > being told it is sending to 'syslogd', is sending to 'journald' which is > handling all the messages and forwarding them on to 'syslogd'. I don't > want journald handling

Re: AW: New BIND releases are available: 9.11.32, 9.16.16, and 9.17.13

2021-05-20 Thread Anand Buddhdev
On 20/05/2021 18:08, Klaus Darilion wrote: Hi Klaus, > Nevertheless I think there is a bug. IIR the previous default was > 100% (switch to AXFR if IXFR would be greater than AXFR) and we also saw > plenty of AXFR although the IXFR difference was very small and far away > from 100% Yes, I agree.

Re: New BIND releases are available: 9.11.32, 9.16.16, and 9.17.13

2021-05-20 Thread Anand Buddhdev
On 20/05/2021 17:22, Manish Rane wrote: > Are those new versions available in Linux distro packages? Bleeding-edge distros like Gentoo Linux will probably have packages within a short time. If you use Homebrew on your system, you'll also have the newest version soonish. Most of the major

Re: New BIND releases are available: 9.11.32, 9.16.16, and 9.17.13

2021-05-20 Thread Anand Buddhdev
On 20/05/2021 00:06, Michael McNally wrote: Hi ISC people, > RELEASE-NOTES-bind-9.16.16.html I was just reading the release notes, and noticed: "The default value of the max-ixfr-ratio option was changed to unlimited, for better backwards compatibility in the stable release series." Thank you

Re: Corrupted Slave Data?

2021-05-20 Thread Anand Buddhdev
On 20/05/2021 15:30, Tim Daneliuk via bind-users wrote: Hi Tim, > Recently - and for no obvious reason - the on-prem instance stops resolving > properly. The fix is to stop it, clear out the slave files, and restart. > Then it works for a few days and repeats its misbehavior. > > The logs show

Re: Using RNDC to control remote access to my BIND server

2021-04-27 Thread Anand Buddhdev
Hi Greg, Read the "ddns-confgen" man page. And then read all the material here: https://bind9.readthedocs.io/en/v9_16_13/advanced.html Regards, Anand On 27/04/2021 11:27, Greg Donohoe wrote: > Thank you for the excellent advice, it is a lot clearer to me now. > I am checking the nsupdate &

Re: Using RNDC to control remote access to my BIND server

2021-04-26 Thread Anand Buddhdev
> Rgds, > Greg. > > On Fri, Apr 23, 2021 at 2:21 PM Anand Buddhdev wrote: > >> On 23/04/2021 14:24, Greg Donohoe wrote: >> >> Hi Greg, >> >>> In regards to the nsupdate, what is the best way to secure the >> connection, >>> so to

Re: Using RNDC to control remote access to my BIND server

2021-04-23 Thread Anand Buddhdev
" option): https://bind9.readthedocs.io/en/v9_16/ Regards, Anand Buddhdev ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Cont

Re: Using RNDC to control remote access to my BIND server

2021-04-23 Thread Anand Buddhdev
Hi Greg, You don't need to SSH into a remote server to do dynamic DNS updates! The "nsupdate" tool can send the dynamic DNS updates directly to your remote server over the DNS protocol. You appear to be confused about what the various tools do, so here's a summary: 1. ssh is used to log into a

Re: Preventing a particular type of nameserver abuse

2021-04-14 Thread Anand Buddhdev
On 14/04/2021 00:29, @lbutlr wrote: >> A legitimate client, following a normal chain of referrals, has *no* >> reason to query a server for zones it is not authoritative for. > > Well, that's not really true. A mobile user might have their device > configured to always check their corporate DNS

Re: Preventing a particular type of nameserver abuse

2021-04-13 Thread Anand Buddhdev
Hi Ondrej, and others, A legitimate client, following a normal chain of referrals, has *no* reason to query a server for zones it is not authoritative for. Most of the time, such a query would only arrive at a name server from a naughty client. And then, replying with any response, even REFUSED,

Re: hardware requirements

2021-03-04 Thread Anand Buddhdev
Hello Shubham, Running a DNS resolver service that can handle a million queries/s isn't a simple matter of just installing some servers and clicking some buttons. You need to have a clear and well-structured project that considers many things. Hardware requirements are just a very small part of

Re: Reg - zone data of in-addr.arpa and ip6.arpa

2020-12-12 Thread Anand Buddhdev
Hi Gaurav, You can transfer the "in-addr.arpa" and "ip6.arpa" zones from these servers: iad.xfr.dns.icann.org lax.xfr.dns.icann.org For the full list of zones provided by ICANN, check out this page: https://www.dns.icann.org/services/axfr/ Regards, Anand On 12/12/2020 13:39, Gaurav Kansal

Re: Zonefile Management in git

2020-12-08 Thread Anand Buddhdev
Sure, Cameron. However, since it's no longer BIND-related, I'll email you off-list. Anand On 08/12/2020 22:58, Cameron Banowsky wrote: > Thank you Anand, > > Would it be possible to look at your script and gitlab-ci yaml? This is > incredibly helpful. Thank you so much. > Cameron Banowsky >

Re: Zonefile Management in git

2020-12-08 Thread Anand Buddhdev
Hi Cameron, We do something like this for our zones. In our zone repository, I have a script called "checkzones". I can run it any time in my checkout of the repository, and it checks all the zones for various things. For example, it checks for implicit owner names, missing TTL, etc. It also runs

Re: Filter out TSIG records from zone transfer

2020-12-07 Thread Anand Buddhdev
Hey Daniel, That's *exactly* what I was after! Thank you :) On 07/12/2020 08:25, Daniel Stirnimann wrote: > Hello Anand > > this works for me: > > dig -k KEY @PRIMARY ZONE +noall +answer +noidnout +onesoa AXFR

Filter out TSIG records from zone transfer

2020-12-06 Thread Anand Buddhdev
hrough an awk script to filter out these records, but it would be nice if I could tell dig itself to suppress them. Regards, Anand Buddhdev

Re: Servfail on Bind -9.16.1

2020-11-21 Thread Anand Buddhdev
On 21/11/2020 21:53, upen wrote: Hi Upen, > Could you someone guide me to troubleshoot this further? Thank you for the > list. Your instance of BIND is probably logging to syslog. Look for these logs (usually /var/log/messages), and see what BIND is logging. It may shed a light on the problem.

Re: Latest bind for centos7

2020-11-05 Thread Anand Buddhdev
On 05/11/2020 14:02, rams wrote: Hi Ramesh, > What is the latest bind version for Centos 7? > Where we can download it? "yum info bind" will give you all the information you need. Regards, Anand Buddhdev

Re: Reverse lookup response format

2020-08-25 Thread Anand Buddhdev
On 25/08/2020 16:29, Brad Stevenson wrote: Hi Brad, I would like to have the behavior of the reverse lookup responses to only include the hostname, not the hostname with the reverse zone appended. So for example: # nslookup 192.168.2.206 206.2.168.192.in-addr.arpa name =

Re: Algorithm compatibility between BIND 9.6.2 and 9.16

2020-08-05 Thread Anand Buddhdev
". You will find the answer in there. Regards, Anand Buddhdev

Re: /etc/bind.keys in a chrooted environment

2020-07-22 Thread Anand Buddhdev
On 22/07/2020 16:51, Josef Moellers wrote: It turns out that it is mainly the warning the partner is irritated about. So, let me put the question the other way round: what would happen if we *always* copied /etc/bind.keys to the chroot environment? If there would be no harm, I could easily add

Re: /etc/bind.keys in a chrooted environment

2020-07-22 Thread Anand Buddhdev
On 22/07/2020 15:30, Josef Moellers wrote: Or just ignore the warning, and let BIND use its built-in keys. If /etc/bind.keys contains some additional keys, this will not work ;-) Sure, but what additional keys do you expect this file to contain? Are you serving an alternate signed root

Re: /etc/bind.keys in a chrooted environment

2020-07-22 Thread Anand Buddhdev
On 22/07/2020 15:06, Josef Moellers wrote: Hi Josef, named complains about the missing file /etc/bind.keys if run chrooted: unable to open '/etc/bind.keys' using built-in keys What is the preferred way around this? Add "/etc/bind-keys" to NAMED_CONF_INCLUDE_FILES? Or just ignore the

Re: Dumb Question is an A or AAAA record required?

2020-07-09 Thread Anand Buddhdev
On 09/07/2020 16:06, Matthew Richardson wrote: On a related issues there were (perhaps long ago) issues if the A record for a domain had an SMTP server on it, where email could sometimes be delivered to that A record rather than the MX. I had (again long ago: 10-15 years) actually seen this

Re: Dumb Question is an A or AAAA record required?

2020-07-09 Thread Anand Buddhdev
On 09/07/2020 14:21, @lbutlr wrote: Given a domain that is hosted and used for email and web, is an A record for that domain actually required? It's not *required*. But see below. That is, if bob.tld is hosted by example.com can you simply have NS ns1.example.com NS

Re: Bind IPV6 issue

2020-07-09 Thread Anand Buddhdev
On 09/07/2020 12:56, Duleep Thilakarathne wrote: Hi Duleep, After starting BIND, can you examine its log entries? It should print all the addresses it is binding to, eg: 09-Jul-2020 13:50:57.674 listening on IPv4 interface lo0, 127.0.0.1#53 09-Jul-2020 13:50:57.676 IPv6 socket API is

Re: Starting bind 9.16.x with systemctl fails

2020-07-09 Thread Anand Buddhdev
On 09/07/2020 12:08, Adrian van Bloois wrote: Hi Adrian, Run "journalctl -u named" to see any systemd logs for this unit. Also look in /var/log/messages to see what (if anything) BIND has logged to syslog. Finally, you would help yourself and everyone else to help you better if you show your

Re: Bind IPV6 issue

2020-07-09 Thread Anand Buddhdev
On 09/07/2020 11:01, Duleep Thilakarathne wrote: Hi Duleep, I have configured bind with IPV6 support enabled. However bind does not listen to IPV6 address. Any particular reason. Is there any place to enable IPV6 support other than named.conf. Version : BIND 9.11.4-P1 (Extended Support

Re: BIND 9.16 incoming TCP connection errors

2020-06-18 Thread Anand Buddhdev
On 16/06/2020 20:17, Tony Finch wrote: Hi Tony, 16-Jun-2020 15:21:58.815 general: Accepting TCP connection failed: socket is not connected What does this log message mean? I think this error comes from getpeername() and it can occur if the connection is closed between accept() and

BIND 9.16 incoming TCP connection errors

2020-06-16 Thread Anand Buddhdev
Hi folks, I'm running an authoritative server on BIND 9.16. It gets about 3500 q/s, of which around 200 q/s are over TCP. At least, this is what DSC reports (DSC is a libpcap application sniffing traffic independent of BIND). In my named.conf, I have set: reserved-sockets 1000; tcp-clients

Re: bind DoH ANd DoT Implementation

2020-06-08 Thread Anand Buddhdev
On 08/06/2020 07:13, ShubhamGoyal wrote: Hi Shubham, Dear all, I want to ask about bind DoH Implementation by proxy server, Is there any Documentation of DoH Implementation.

Re: BIND installed on a Solaris 11.4 x 86 virtual server

2020-06-01 Thread Anand Buddhdev
On 01/06/2020 20:08, DeCaro, James John (Jim) CIV DISA FE (USA) via bind-users wrote: Hi Jim, Installed BIND 9.16.3 and I discovered that the SMF dns/server is trying to read named.conf from /usr/local/etc/: "/usr/local/etc/named.conf: file not found". I am trying to figure out how point

Re: Chaining NOTIFY and slave servers - is it supported?

2020-04-21 Thread Anand Buddhdev
On 21/04/2020 17:05, Petr Bena wrote: Hi Petr, > So when someone changes zone on A via nsupdate, NOTIFY and subsequent > IXFR goes like this: A -> B -> C instead of: This is just fine. There are many DNS setups organised like this. Your configuration isn't unique or strange. > What confuses me

Re: BIND-9.16.1 memory leak?

2020-04-17 Thread Anand Buddhdev
On 17/04/2020 17:02, Karl Pielorz wrote: Hi Karl, > I seem to remember we got 'bitten' by large memory use when moving from > a previous version of bind - do you have 'max-cache-size' set in your > config? It's an authoritative-only server, so there is (almost) no caching involved. Anand

Re: checkzone from stdin?

2020-04-08 Thread Anand Buddhdev
and named-checkzone reads the "file" /dev/fd/42, getting the decompressed data. Regards, Anand Buddhdev RIPE NCC

Re: Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X

2020-03-24 Thread Anand Buddhdev
On 24/03/2020 20:44, Bhangui, Sandeep - BLS CTR via bind-users wrote: Hi Sandeep, [snip] > As far as I can tell has the libuv library package is installed on this > RHEL 7.X machine. > > sh-4.2# rpm -qa | grep -i libuv > > libuv-1.34.0-1.el7.x86_64 This package contains just the runtime

Re: BIND 9.16.1 on CentOS 6

2020-03-18 Thread Anand Buddhdev
Thank you for your swift and clear response Ondrej! Regards, Anand On 18/03/2020 15:35, Ondřej Surý wrote: > Hi Anand, > > yes, it is. The broken code was introduced in the glibc 2.26, and generally > RedHat/CentOS/Fedora/Debian libc6 already has the required patches. > > Ubuntu 18.04 (and

BIND 9.16.1 on CentOS 6

2020-03-18 Thread Anand Buddhdev
Hi BIND developers, The 9.16.1 release notes say: "The system-provided POSIX Threads read-write lock implementation is now used by default instead of the native BIND 9 implementation. Please be aware that glibc versions 2.26 through 2.29 had a bug that could cause BIND 9 to deadlock. A fix was

Re: Is -DISC_SOCKET_MAXEVENTS still needed in BIND 9.16?

2020-02-20 Thread Anand Buddhdev
On 20/02/2020 09:08, Ondřej Surý wrote: Ah, thank you for this Ondrej! I've adjusted our spec file, and removed the define. > Hi Anand, > > on the contrary, we set tuning to large by default (it’s default or > small now), so with the define you are actually setting it to lower value: > >

Is -DISC_SOCKET_MAXEVENTS still needed in BIND 9.16?

2020-02-20 Thread Anand Buddhdev
Hi BIND developers, We build our own RPMs of BIND, and ever since the 9.9 builds, we have been setting -DISC_SOCKET_MAXEVENTS=256. This is based on advice we received from someone at ISC. Is this setting still relevant in BIND 9.16? Regards, Anand

Re: Problem resolving domain

2020-01-27 Thread Anand Buddhdev
On 27/01/2020 16:26, Stephan von Krawczynski wrote: Hi Stephan, > I would have expected that bind finds the domain by using the working > nameserver and ignoring the dead one. But obviously it does not. > Did I misconfigure something? I thought both nameservers should be questioned > and the

Re: named-service-stopped

2019-12-15 Thread Anand Buddhdev
On 15/12/2019 09:44, MEjaz wrote: > Our bind name version is = BIND 9.12.3-P1 > Is that advisable to upgrade our bind from the above version to the latest > stable one I can't comment on the cause of the failure, but 9.12 isn't supported any more. You should run the latest stable version,

Re: BIND on ipv6-only server. SERVFAIL problem

2019-12-06 Thread Anand Buddhdev
On 06/12/2019 13:32, Andrey Geyn wrote: Hi Andrey, > Is it any option which will allow us to proxy SERVFAIL (and other «bad» > responses) from forwarder and not to try make recursive requests by itself)? Yes. Set the option "forward only" in your BIND configuration, so that it doesn't do any

Re: rndc - sync before reload?

2019-07-13 Thread Anand Buddhdev
On 10/07/2019 20:08, John Thurston wrote: Hi John, > On a server with both static and dynamic zones, is there any reason to > perform an: >   rndc sync > prior to issuing an: >   rndc reload No, there is no need for a sync before reload. Regards, Anand

Re: dig +trace question

2019-06-21 Thread Anand Buddhdev
On 21/06/2019 22:01, Ronald F. Guilmette wrote: Hi Ronald, > I'll switch to using the 9.14.3 or 9.15.0 dig command as soon as possible. > Until then I have a nice temporary workaround, which is to just append > @a.root-servers.net to my dig +trace commands. Just one note. 9.15.0 has the same

Re: dig +trace question

2019-06-21 Thread Anand Buddhdev
who correctly said that dig, even with +trace, should do its initial ./NS query WITH the RD flag set. He reported it to ISC in issue #1028, and it has been fixed with BIND version 9.14.3. So if you are able to try this newest version with your setup, I hypothesise that it will work. Regards, Anan

Re: Dig Hangs during axfr request when not on localhost.

2019-06-14 Thread Anand Buddhdev
On 14/06/2019 09:53, Pete Fry via bind-users wrote: Hi Pete, > however if you run dig @IP.OF.MASTER ZONE axfr from a machine on the same > subnet > the zone starts to transfer and then hangs at certain points around 150k > bytes give or take and fails to complete. > > any idea on what I can

Re: what is this python stuff in 9.11.7 ??

2019-05-30 Thread Anand Buddhdev
On 31/05/2019 00:21, Dennis Clarke wrote: > Someone somewhere figured it made sense to drag in a dependency the size > of python? The dnssec-keymgr and a couple of other utilities were introduced in 9.11.0. This is mentioned in the release notes. They are not new to 9.11.7. > It must be a

Re: what is this python stuff in 9.11.7 ??

2019-05-30 Thread Anand Buddhdev
On 30/05/2019 23:45, Dennis Clarke wrote: Hi Dennis, Some of the utilities in newer version of BIND, such as dnssec-keymgr, are written in python. This utility is very useful if you're going to sign zones using BIND. If you don't want or need this and a couple of other utilities for DNSSEC key

Re: Logging of notify sending

2019-05-25 Thread Anand Buddhdev
On 25/05/2019 18:26, Axel Rau wrote: Hi Axel, > category notify seems to cover reception of notifies. > How can I log sending of notifies? > I want to check, if the TSIG key is being used for the notify. > > tcpdump seems not to show any keys. BIND *does* log sending notifies, in the "notify"

Re: Bind > 9.12 Will Not Start On FreeBSD

2019-04-27 Thread Anand Buddhdev
On 27/04/2019 21:52, Tim Daneliuk wrote: Hi Tim, > Running: FreeBSD 11.2-STABLE #0 r345904 > > Bind 9.11 works fine. If I attempt to install 9.12 or greater, the > installation succeeds but any attempt to start the daemon fails silently. > Output of 'sh -x /usr/local/rc.d/named start' follows

Re: Make install error compiling Bind 9.12.4 on RHEL 6.X

2019-04-03 Thread Anand Buddhdev
On 03/04/2019 14:05, Bhangui, Sandeep - BLS CTR via bind-users wrote: Hi Sandeep, > Trying to compile Bind 9.12.4 on RHEL 6.X running on physical HP blade server. > > Looks like I am missing something trivial but have looked at things > couple of times but cannot figure it out. One cause

Re: BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

2019-04-02 Thread Anand Buddhdev
On 02/04/2019 17:12, Tony Finch wrote: Hi Tony, > I have not noticed these errors on my toy server. I had a look at the code > and I thought Stephan's explanation was correct. My guess is that he is > starting named without root privileges, so it is unable to switch back and > forth between

Re: BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

2019-04-02 Thread Anand Buddhdev
'm going to try and do some process tracing to figure it out as well. Regards, Anand Buddhdev RIPE NCC

Re: Problems removing a domain

2019-03-05 Thread Anand Buddhdev
On 05/03/2019 01:01, Paul van der Vlis wrote: > Not sure. It was a domain used for testing purposes. > > Before it was in /etc/bind/named.conf.local, but I removed it from there. Did you run "rndc reconfig" after removing it from the named.conf.local file? Anand

Re: Bind regular reload

2018-11-23 Thread Anand Buddhdev
On 23/11/2018 15:47, Martin Nino wrote: Hi Martin, > I noticed that the Bind is reloading weekly on my RHEL6, RHEL7 and CentOS7 > systems with up-to-date version of distribution Bind package. This is caused by logrotate. When logrotate rotates log files at 04:02 UTC, it reloads bind to make it

Re: broken trust chain

2018-10-14 Thread Anand Buddhdev
sqqls3eNbuv7pr+e > oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd > RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN > R1AkUTV74bU="; > }; > > > > >> On Oct 14, 2018, at 8:54 AM, Anand Buddhdev

Re: broken trust chain

2018-10-14 Thread Anand Buddhdev
On 14/10/2018 14:17, Cody Allen wrote: > issue just started on 10/13/2018 both servers impacted at same time, clocks > are correct, version of bind is 9.11.1 impacting recursion on internal view, > authoritative zones work fine, servers have been running for couple of years > or longer with

Re: DNSSEC: give KSK from my domain to parent zones

2018-10-03 Thread Anand Buddhdev
On 03/10/2018 21:24, Roberto Carna wrote: Hi Roberto, > Dear people, I have DNSSEC implemented in my authoritative domain in BIND > 9.10. I've created the KSK and ZSK too. > > Let's say my domain is "robert.com.uk". > > How do I have to give the KSK (key signing key) to my parent zones, let's

Re: Root zone DNSSEC KSK rollover event - 2018/10/11, 16:00 UTC

2018-09-28 Thread Anand Buddhdev
On 28/09/2018 11:37, Ray Bellis wrote: Hi Ray, > At this time the old key will be removed from the root zone leaving only > the new key (id 20326) in the zone. If your DNS servers don't know and > trust the new key at that point then DNSSEC validation errors will occur. On 11 October, the old

Re: Error parsing file

2018-09-12 Thread Anand Buddhdev
On 12/09/2018 20:22, BARAJAS BERMEJO, Sergio wrote: Hi Sergio, > $TTL2d > @ IN SOA sergiobarajas ( > 17 ; Serial > 604800 ; Refresh > 86400 ; Retry >

Re: DNSSEC will eventually generate Identical Key ID's

2018-09-09 Thread Anand Buddhdev
On 09/09/2018 19:51, Mark Elkins wrote: > Never assume a KeyID is unique.  :-) One of the DNSSEC RFCs specifically says that the KeyID is not meant to be unique. I can't remember which one, and it's too late on a Sunday evening to be reading RFCs :) Even then, I've had the misfortune of dealing

Re: about the effect of installing with "--without-openssl"

2018-08-25 Thread Anand Buddhdev
On 25/08/2018 17:27, takahiro wrote: Hi Takahiro, >> There are other features in BIND, such as TSIG keys, that require >> cryptographic functions, so you still need openssl. > Now I don't use TSIG keys. > Maybe rndc ,too? > (When I found out the word "cryptographic", rndc was displayed.) > >>

Re: about the effect of installing with "--without-openssl"

2018-08-25 Thread Anand Buddhdev
On 25/08/2018 15:58, takahiro wrote: Hi Takahiro, > I would like someone to help me. > > I don't use DNSSEC, so I think I'm trying not to use OpenSSL. > > If when I install BIND9.11.4 with "./configure --without-openssl", > what kind of functions can not be used other than DNSSEC? > and are

Re: timestamp in journal

2018-07-09 Thread Anand Buddhdev
On 09/07/2018 13:50, Klaus Darilion wrote: Hi Klaus, > named-journalprint dumps the journal without any time information. > > Does the journal include time information? (Timestamp of add/del) > > If yes, can I somehow extract the timestamps? As far as I know, the journal does not have any

Re: My IXFR/AXFR stopped suddenly

2018-07-07 Thread Anand Buddhdev
On 07/07/2018 13:31, Alan Clegg wrote: >> Well, I just tried transferring zone using dig and it was successful >> from slave >> >> On slave >> dig AXFR block.now @xx.xx.xx.xx >> >> On master xfer-out.log >> >> 07-Jul-2018 09:53:11.520 client xx.xx.xx.xx#16129 (immediate.block): >> transfer of

Re: My IXFR/AXFR stopped suddenly

2018-07-06 Thread Anand Buddhdev
On 06/07/2018 23:52, Sten Carlsen wrote: Hello Sten, >> The slave is configured to listen on port 15455. > Where in the slave's configuration is that specified? Rather the master > sends notifys on two ports: 53 and 15455. Blason has not shown his full config, but it must be listening on port

Re: My IXFR/AXFR stopped suddenly

2018-07-06 Thread Anand Buddhdev
On 06/07/2018 19:36, Matus UHLAR - fantomas wrote: > customised port, that's why transfers stopped working. No Matus, you're wrong. > on the slave, you must configure the master with port 15455. > see "server" directive. > of course, it will use port 15455 for all queries then. No, you're off

Re: Logrotate for bind9

2018-07-04 Thread Anand Buddhdev
On 04/07/2018 17:43, Tom wrote: Hi Tom, > ...or you use "copytruncate", so the file will be copied and the other > stuff (compress, rotate 180, etc..) and then truncated, so BIND has > still the same filedescriptors open, but the logfile is rotated :-). > This way, you don't need to "rndc

Re: Logrotate for bind9

2018-07-04 Thread Anand Buddhdev
On 04/07/2018 15:50, Blason R wrote: > Hi There, > > I am not getting appropriate results for my custom daily logrotate for > bind9 logs on Ubuntu. It's more useful if you show us your logrotate snippet, so we can point out what is wrong with it. > Can someone please help me with the settings

Re: location for master file dump

2018-05-26 Thread Anand Buddhdev
On 26/05/2018 19:47, André Rodier via bind-users wrote: Hi André > I need to precise, I have also added this option in named.conf.options: > > directory "/var/cache/bind"; > > And bind is creating the journal files inside: > > -rw-r--r-- 1 bind bind 1.4K May 26 18:36 managed-keys.bind >

Re: Queries regarding Master/Slave

2018-05-06 Thread Anand Buddhdev
I could answer this, but I think you need to read the documentation first, and *then* ask questions if you don't understand, so here's a link to the relevant documentation: https://ftp.isc.org/isc/bind9/9.12.1/doc/arm/Bv9ARM.ch05.html Regards, Anand On 06/05/2018 18:15, Blason R wrote: > This

Re: BIND source distribution missing?

2018-05-04 Thread Anand Buddhdev
On 04/05/2018 14:04, Matthew Pounsett wrote: Hi Matt, [snip] > Also, needs an update to its 'welcome' file, because > BIND doesn't seem to be distributed from there anymore. I can see all the BIND downloads at: ftp://ftp.isc.org/isc/bind9/ and

Re: notify explicit and also-notify

2018-05-04 Thread Anand Buddhdev
On 04/05/2018 10:02, Blason R wrote: > Ok -My question was about port number if not explicitly defined then it > sends update on port TCP/53 No. BIND sends NOTIFY messages over UDP to port 53 by default. You can change the port, but not the transport. Regards, Anand

Re: root hints

2018-05-03 Thread Anand Buddhdev
On 02/05/2018 23:39, Rick Dicaire wrote: > Thanks for the responses folks...so if I don't need to manage root.hints, > can I remove the line: > > zone "." IN {type hint;file "root.cache";}; > > from named.conf? Yes, you can remove it. Regards, Anand

Re: Administrivia.

2018-04-23 Thread Anand Buddhdev
On 23/04/2018 15:02, G.W. Haywood via bind-users wrote: > Below is from our own DNS server; I get the same response from all the > public servers that I've tried. > > 8<-- > mail6:~$ >>> dig -x 149.20.1.60 > > ; <<>> DiG

Re: BIND 9.9 cannot resolve PTR record but +trace can

2018-04-11 Thread Anand Buddhdev
The delegation of 131.161.213.in-addr.arpa points to dns.est.com.tr and dns2.est.com.tr. But these two names are aliased to dns3.est.com.tr and dns4.est.com.tr. However, one cannot use alias names as targets of NS records. This is forbidden by RFC 2181, section 10.3. The operator of this reverse

Re: dig warns that some TSIG could not be validated

2018-04-06 Thread Anand Buddhdev
On 06/04/2018 12:38, Tony Finch wrote: Hi Tony, > There is a weird bit in the TSIG spec, RFC 2845: > >4.4. TSIG on TCP connection > >A DNS TCP session can include multiple DNS envelopes. This is, for >example, commonly used by zone transfer. Using TSIG on such a >connection

Re: dig warns that some TSIG could not be validated

2018-04-06 Thread Anand Buddhdev
On 06/04/2018 13:42, Mukund Sivaraman wrote: Hi Mukund, > I am wondering if you have a badly ported patch. Is the AXFR server of > an NSD flavour, or more specifically, doesn't sign every DNS message in > a TCP continuation (a sequence of DNS messages used during AXFR and > IXFR)? Yes, the

dig warns that some TSIG could not be validated

2018-04-06 Thread Anand Buddhdev
Hello folks, I'm on CentOS 7, which has an older version of dig from this package: # rpm -qf /usr/bin/dig bind-utils-9.9.4-51.el7_4.2.x86_64 When I use this dig to AXFR a zone from a Secure64 DNSSEC signer appliance, I'm seeing this at the end of the AXFR: ;; Query time: 32899 msec ;; SERVER:

Re: Maximum zone file size

2018-03-14 Thread Anand Buddhdev
On 14/03/2018 12:54, Klaus Darilion wrote: > Hi! > > I couldn't find it online - is there a limit on the zone file size? Not that I know of. The amount of RAM in a server is probably the most significant limit for loading zones into BIND. Regards, Anand

Re: Update ACLs dynamically

2018-01-19 Thread Anand Buddhdev
Hi Anvar, Yes, you can change ACLs in named.conf, and then run "rndc reconfig" which will pick up the changes. You don't need to restart BIND. Regards, Anand On 19/01/2018 14:48, Anvar Kuchkartaev via bind-users wrote: > Hello I would like to know if it is possible to add or remove IP

Re: Impossible to activate logging

2018-01-18 Thread Anand Buddhdev
On 18/01/2018 11:36, Pierre Couderc wrote: Hi Pierre, > under systemd, and under a lxd stretch container in a minimal stretch host. > > I get : > > Jan 18 10:21:13 bind named[893]: command channel listening on ::1#953 > Jan 18 10:21:13 bind named[893]: isc_file_isplainfile >

Re: BIND 9.11.1-P3 revives expired zones briefly during reconfig

2017-08-06 Thread Anand Buddhdev
On 06/08/2017 13:49, Mukund Sivaraman wrote: Hi Mukund, > Which exact version of 9.11 is this? Is their master NSD or some 3rd > party signer? Can you create a bug ticket with your named config > (named-checkconf -px) ? As I wrote in the subject, it's BIND 9.11.1-P3. The masters of these name

BIND 9.11.1-P3 revives expired zones briefly during reconfig

2017-08-06 Thread Anand Buddhdev
Hello BIND developers, I've updated from BIND 9.10 to 9.11, and noticed the following happening whenever "rndc reconfig" is run: 05-Aug-2017 11:11:42.066 general: received control channel command 'reconfig' 05-Aug-2017 11:11:42.066 general: loading configuration from '/etc/named/named.conf' ...

Re: difference in responses between UDP and TCP

2017-06-15 Thread Anand Buddhdev
On 15/06/2017 12:20, Arun Natarajan wrote: > Hello, > > Wondering why we are seeing different serial numbers from a bind > authoritative server for requests over UDP and TCP. > > dig +tcp soa @ns.example.com example.com +short > ns1.example.com. hostmaster.example.com. 2017061505 10800 3600

Re: What to report for "refresh: failure trying master ... operation canceled" bug?

2016-11-21 Thread Anand Buddhdev
On 22/11/2016 00:27, schilling wrote: > Thanks for the insight. > I added the following rule > sudo firewall-cmd --permanent --direct --get-all-rules > [sudo] password for admin: > ipv4 filter OUTPUT 0 -d 10.10.10.100 -p tcp -m tcp --dport=53 -j ACCEPT > where 10.10.10.100 is our DNS master,

Re: Reloading match-clients

2016-10-14 Thread Anand Buddhdev
On 14/10/16 11:48, Job wrote: Hi Job, > is there a way to update/change this section without reloading or > with a very-soft reload? Yes. Use "rndc reconfig" instead of "rndc reload". Regards, Anand

Re: dig and IDN

2016-10-12 Thread Anand Buddhdev
On 13/10/16 00:17, Mark Elkins wrote: Hi Mark, > Is there any way within dig to switch off the puny to UTF8 translations? > Some flag? Environmental variable? IDN_DISABLE=1 Regards, Anand

Re: debug SERVFAIL

2016-10-02 Thread Anand Buddhdev
On 02/10/16 17:22, Per olof Ljungmark wrote: Hello Per, Please see my answers below. You appear to have a bad configuration. > Hmmm, looks like I've found something here. The default named.conf on > FreeBSD has the following section on the root servers. If I comment out > the "traditional" root

Re: BIND-RPZ and Views

2016-09-16 Thread Anand Buddhdev
On 16/09/16 09:06, Tom wrote: Hi Tom, > Using BIND 9.10.4-P2: I've a question about configuring DNS-RPZ and views: > I configured view1 and view2. After configuring all rpz-zones in both > views, I had errors like this (slave file in view2 is already in use > from view1): > config: error:

Re: Which Domain is picked by Bind Server?

2016-05-27 Thread Anand Buddhdev
On 27/05/16 10:25, Harshith Mulky wrote: Hi Harshith, > If I have the following configuration in Bind server inside named.conf > > zone "e164.arpa" IN { > type master; > file "e164.arpa"; > }; > > zone "1.e164.arpa" IN { > type master; > file "e164.arpa"; > }; >

Re: Reverse Zone CIDR

2016-05-25 Thread Anand Buddhdev
Hi Jonathan, If it's a /23, may I suggest creating two reverse zones, for each of the /24s in that prefix? It's much simpler. RFC 2317-style delegation, while possible for a /23, was designed for IPv4 prefixes smaller than a /24. Regards, Anand Buddhdev RIPE NCC On 25/05/16 11:37, Jonathan
