Re: Can we provide recursion for forward zones in response to iterative queries?

2020-04-06 Thread Chris Buxton
forwarding for the subzones also, pointing to the forwarders. Without the delegation, the conditional forwarding won't work -- the MS DNS servers will respond authoritatively. But without the conditional forwarding, the MS DNS servers will send iterative queries, not

Re: Issues with Stub Zone

2019-05-08 Thread Chris Buxton
d? It may be that the behavior you're expecting is more in line with type "static-stub" than with type "stub". Regards, Chris Buxton > On May 7, 2019, at 4:08 PM, Ben Lavender wrote: > > Hi, > > I've been trying to configure a stub zone using both BIND 9.8x

Re: BIND 9.11 no longer respects edns-udp-size?

2019-03-12 Thread Chris Buxton
zones assumes that an SOA query will retrieve all of the required information (SOA, NS, and supporting A/ records) to successfully insert the zone apex into the cache. Chris Buxton ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users

Re: nsupdate with RPZ

2018-05-23 Thread Chris Buxton
's not your use case, tell us what your use case is in more detail and perhaps the list can help. Chris Buxton

Re: Use case for "." queries

2018-05-07 Thread Chris Buxton
ANY ? There could be a legitimate use case. But the most common use of such queries is to conduct an amplification attack. What are the apparent source addresses of these queries? Are they consistent? If so, that would point to the target of s

Re: Suggestions for a distributed DNS zone hosting solution I'm designing

2018-03-07 Thread Chris Buxton
product to do what you’ve described. BIND on Linux will do everything you’ve described, if properly set up. You could set up some simple scripting to give you secure DDNS so that you can update the data from anywhere. I hope that helps. Chris Buxton Sent from my iPhone > On Mar 6, 2018, at 10

Re: DNAME usage?

2017-11-17 Thread Chris Buxton
he same job. The use case you describe cannot be solved by RFC-compliant DNS -- the name of a zone cannot be an alias of some other name. Creating the parent zone and putting the CNAME in there will create more problems for you. Regards, Chris Buxton > On Nov 17, 2017, at 9:19 AM, Jeff Sa

Re: named-compilezone errors

2017-05-30 Thread Chris Buxton
Thanks for the response, Tony. Responses in-line. On May 30, 2017, at 5:51 AM, Tony Finch <d...@dotat.at> wrote: > Chris Buxton <cli...@buxtonfamily.us> wrote: > >> dns_master_load: example.com.dns:6785: bad escape >> dns_master_load: example.com.dns:6789: bad esca

named-compilezone errors

2017-05-22 Thread Chris Buxton
. but it doesn't. Regards, Chris Buxton

Re: global server load balancing with the domain name

2017-04-14 Thread Chris Buxton
nting that zone apex to each of those web servers. Regards, Chris Buxton

Re: Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

2017-04-11 Thread Chris Buxton
> On Apr 11, 2017, at 2:19 AM, Manuel Ramírez > wrote: > > Hi, > > I would like to allow queries for specific blogspot.com > subdomains and block the rest of the queries. > I have a file with several zones configured, one of those zones is

Re: forwarder (YES/NO)

2016-09-21 Thread Chris Buxton
Funny email address. I could be wrong, but it looks like you might have a firewall problem. The one really slow response is the one over 512 bytes. Is it possible you have a firewall that examines the contents of DNS messages? Regards, Chris Sent from my iPhone > On Sep 21, 2016, at 12:34

Re: Selective forwarding from an internal only name server

2016-08-17 Thread Chris Buxton
Try it without "+trace". Regards, Chris > On Aug 17, 2016, at 2:59 AM, anup albal wrote: > > Hi > > First up apologies if this is not the right list to email and for a long > email. I am hoping you can give me a clue as to what I am doing wrong here? > Or may be this

Re: Delegation questions

2016-08-12 Thread Chris Buxton
Forwarding is more similar to how some other systems work. But it's not how DNS naturally works. I think the biggest source of "forwarding = natural" is perhaps from admins coming from other parts of IT, rather than any regional difference. But I could be wrong. From a technical perspective,

Re: Multiple AD domains

2016-07-28 Thread Chris Buxton
--- > Kevin Darcy > NAFTA Information Security Projects > > FCA US LLC > 1075 W Entrance Dr, > Auburn Hills, MI 48326 > USA > > Telephone: +1 (248) 838-6601 > Mobile: +1 (810) 397-0103 > Email: kevin.da...@fcagroup.com > > From: Chr

Re: BIND 9 API & GUI

2016-07-28 Thread Chris Buxton
Kirk, Have a look at the commercial offerings. All of them offer a GUI and an API for managing BIND servers, including managing zones and records. Some of them are limited to managing their own appliances. Some of them do offer the ability to overlay on existing BIND servers, too, though.

Re: Multiple AD domains

2016-07-28 Thread Chris Buxton
The OP's question was about setting up BIND, not MS DNS, related to using Samba, not Windows, as the domain controller. Regards, Chris Sent from my iPhone > On Jul 27, 2016, at 12:36 PM, Darcy Kevin (FCA) > wrote: > > My preference? Have all your clients use BIND

Re: Resolving issue on specific domain

2016-07-15 Thread Chris Buxton
On Jul 15, 2016, at 8:48 AM, Matus UHLAR - fantomas wrote: > > On 15.07.16 14:05, Daniel Dawalibi wrote: >> Dig domainname -> Server failed > > please show us output of it. > when 127.0.0.1 is first in /etc/resolv.conf, dig should contact localhost > first, and the result

Re: separation of authoritative and recursive functions on internal networks

2016-01-31 Thread Chris Buxton
> On Jan 29, 2016, at 3:58 PM, Darcy Kevin (FCA) > wrote: > > Data obtained from the recursive function will never outrank authoritative > data of a master or a slave. Kevin, That's true, but authoritative servers also sometimes serve up referrals, sometimes

Re: Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-19 Thread Chris Buxton
name server, which is the target for dynamic updates and is therefore fairly important; even a few minutes of downtime of this server might cause outages for DHCP service, for example. There are several commercial offerings that include this sort of HA. I work for one of these vendors

Re: Cloud DNS providers for secondary DNS

2015-12-30 Thread Chris Buxton
> On Dec 29, 2015, at 5:36 PM, Michelangelo De Simone wrote: > > also, in order to avoid > unnecessary polling, you may think of enabling the "notify" options from > your master toward your slaves. No, that's not what that does. The notify mechanism is enabled by default,

Re: does bind depends on system DNS settings for lookup?

2015-11-23 Thread Chris Buxton
ate this is that "iterative resolution" uses RD=0 queries and > "recursive resolution" uses RD=1 queries. (Whether the resolution attempt is > *successful* is another question, of course: sending an RD=1 query to a node > that doesn't honor recursion is likely to result i

Re: refresh: retry limit for master 10.133.253.128#53 exceeded (source 0.0.0.0#0)

2015-11-14 Thread Chris Buxton
offenders in my experience. Regards, Chris Buxton Sent from my iPhone > On Nov 13, 2015, at 10:12 PM, Lawrence K. Chen, P.Eng. <lkc...@ksu.edu> wrote: > > So, the last couple of days I've been banging my head on this problem > > Where I'm seeing this strangeness. > &g

Re: SRV Request to DNS

2015-10-13 Thread Chris Buxton
On Oct 5, 2015, at 11:51 PM, Harshith Mulky wrote: > Let us say we are having a FQDN and we need to Resolve it. It goes through > the procedure of determining the IP and Port using NAPTR/SRV/A query > mechanisms > > The question I have is if I have a FQDN with a

Re: DNS Negative Caching

2015-08-31 Thread Chris Buxton
On Aug 28, 2015, at 5:27 PM, Barry Margolin wrote: > Note that if a server is authoritative-only, caching is mostly > irrelevant, so the negative cache TTL doesn't much apply. In this case, > the SOA Minimum is just being used as the default TTL. No, that is not correct.

Re: DNS Negative Caching

2015-08-28 Thread Chris Buxton
. And no RFC has ever updated its name. Chris Buxton

Re: RPZ and client matching

2015-05-09 Thread Chris Buxton
On May 9, 2015, at 9:34 AM, Job j...@colliniconsulting.it wrote: Hello, i noticed i can write a RPZ file for blocking some websites resolution, as example, and exclude some Client IP from this policy. I would like to do exactly the opposite: i want to define some blocking resolution

Re: Basic info on interfaces file

2015-04-01 Thread Chris Buxton
This is not really a BIND question; this mailing list is for BIND questions. RTM. Start with this command: man 5 interfaces You can use the 'q' key to exit from the manual page. The BIND name server will not read /etc/resolv.conf (which is what that dns-nameserver line refers to), so set it

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Chris Buxton
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote: I know that BIND has no feature to disable DNSSEC validation for selected Zones/Domains (when working as a recursor). One can only enable/disable DNSSEC validation globally per view (as a boolean on/off). [...] I'm just

Re: ipv6 AAAA register and ipv4 NS register with the same name

2014-12-15 Thread Chris Buxton
On Dec 15, 2014, at 12:38 AM, Manuel Ramírez manuel.rami...@grupoica.com wrote: Hello, We have bind 9.8.4. P2 with many registers delegated to Link load balancer (we have two public ip´s range and linkproof acts as a dns balancer). Now we need to add the ipv6 register for all

Re: Forward vs Authoritative traffic

2014-11-07 Thread Chris Buxton
On Nov 7, 2014, at 11:35 AM, Nex6|Bill n6gh...@yahoo.com wrote: I am going to be adding a type forward zone for an important zone. how can i test that the forward is working correctly? if i do a dig against the NS the record will return no matter if its auth or fwd zone. Will your server

Re: Forward vs Authoritative traffic

2014-11-07 Thread Chris Buxton
-stub zone is more what you want, but yes, that sounds like it should work. Chris On Nov 7, 2014, at 1:04 PM, Chris Buxton cli...@buxtonfamily.us wrote: On Nov 7, 2014, at 11:35 AM, Nex6|Bill n6gh...@yahoo.com wrote: I am going to be adding a type forward zone for an important zone. how can

Re: Forward vs Authoritative traffic

2014-11-07 Thread Chris Buxton
On Nov 7, 2014, at 1:31 PM, Chris Buxton cli...@buxtonfamily.us wrote: On Nov 7, 2014, at 1:29 PM, Nex6|Bill n6gh...@yahoo.com wrote: our parent org, owns the parent zone, and this zone is delegated from there to a load balancer onsite. which is authoritative. but, the query path

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Chris Buxton
Either do as Kevin Darcy said or else use separate names: company.com office1.company.com office2.company.com The admin in office 2 updates the office2 zone. The dynamic updates in office 1 go to the office1 zone. The company.com zone delegates both. Everyone can find everything via that

Re: Enterprise IPAM/DNS Solutions

2014-04-28 Thread Chris Buxton
On Apr 28, 2014, at 9:31 AM, Baird, Josh jba...@follett.com wrote: Hi, We currently use the Men & Mice DNS/IPAM/DHCP suite which is essentially a front-end wrapper for BIND. We deploy our own BIND boxes and simply install the Men & Mice agent on them which allows us to centrally manage the

Re: What if no root servers?

2014-04-09 Thread Chris Buxton
On Apr 9, 2014, at 12:02 AM, Dean Gibson (DNS Administrator) i...@ultimeth.com wrote: I'm interested in a special use-case, where (say, in an emergency), access to most of the Internet (and hence the root servers) is cut off. In this situation, there is an emergency connected network

Re: Update Security

2014-03-17 Thread Chris Buxton
with update forwarding. I've certainly never gotten it to work. However, Microsoft will send the updates to the master listed in the SOA record, so as long as that shows your otherwise-hidden master, and firewall access is set up for it, everything should work fine. Regards, Chris Buxton

Re: Update Security

2014-03-14 Thread Chris Buxton
TSIG, just GSS-TSIG. AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the master. Regards, Chris Buxton.

Re: IPv6 PTR Records

2014-03-10 Thread Chris Buxton
this, but perhaps others with recent mail server admin experience can comment here. Regards, Chris Buxton

Re: Bind vs flood

2014-02-28 Thread Chris Buxton
resolved normally first. It does not short-circuit recursion. Chris Buxton From: bind-users-bounces+jason.brown=kcom@lists.isc.org [mailto:bind-users-bounces+jason.brown=kcom@lists.isc.org] On Behalf Of Ivo Sent: 28 February 2014 10:10 To: bind-users@lists.isc.org Subject: Re

Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-20 Thread Chris Buxton
like that) before starting named. It would then stay open. I’d bet that the package from Men & Mice includes this script or an equivalent workaround. When I wrote the original script I wrote about above, I worked at Men & Mice. Regards, Chris Buxton

Re: additional section policy

2014-01-20 Thread Chris Buxton
1034 or 1035, I believe. As for responding to this data by following up on a referral and asking a listed name server, the BIND name server uses the RTT (round trip time) algorithm. Basically, it tries to guess which remote server would respond fastest and queries that server. Regards, Chris

Re: When Updates Fail

2014-01-07 Thread Chris Buxton
. Or there’s a release candidate for 0.74 that apparently fixes it, but I haven’t tested it. Regards, Chris Buxton

Re: Error logs in bind resolving

2014-01-02 Thread Chris Buxton
checked were caused by broken implementations. Is this a broken implementation of IPv6 or something else. As this DNS Server is running IPv6 only. Broken implementations of name servers. They’re probably mostly load balancers. Regards, Chris Buxton

Re: Error logs in bind resolving

2013-12-31 Thread Chris Buxton
On Dec 30, 2013, at 9:46 PM, Gaurav Kansal gaurav.kan...@nic.in wrote: I am getting the error message for lot of domains. Log of error entries are attached. All the ones I checked were caused by broken implementations. Is it possible to configure bind so that error message should not be

Re: Error logs in bind resolving

2013-12-30 Thread Chris Buxton
an otherwise-proper-looking negative response that claims to be from the wrong zone. Regards, Chris Buxton

Re: RPZ help on BIND

2013-12-28 Thread Chris Buxton
configuration. I don’t know the purpose of this RPZ, so I can’t give you the exact syntax. Perhaps someone from Spamhaus can help you with that. I don’t have enough context to answer your question about a whitelist. Perhaps someone else can help you with that. Regards, Chris Buxton On Dec 23

Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Chris Buxton
On Sep 23, 2013, at 7:59 AM, Vernon Schryver v...@rhyolite.com wrote: From: Eliezer Croitoru elie...@ngtech.co.il I was looking for something like that but I am sure a dynamic DB is needed for the task right? Large DNSBLs are not very dynamic, because they have relatively few changes

Re: 9.9.4 Bug Fixes - RT #34583

2013-09-23 Thread Chris Buxton
On Sep 21, 2013, at 8:35 AM, Steve Arntzen i...@arntzen.us wrote: Good morning/day/evening. What exactly does beneath mean in the following line from the 9.9.4 bug fixes? Fix forwarding for forward only zones beneath automatic empty zones. [RT #34583] Beneath in this case refers to the

Re: Problem with authoritative answer

2013-09-13 Thread Chris Buxton
. Regards, Chris Buxton

Re: the location of dig and named

2013-08-28 Thread Chris Buxton
On Aug 28, 2013, at 2:35 PM, Nidal Shater ngiw2...@hotmail.com wrote: when I typed dig or named ,,, what is the location of the executable program dig and named is ? Your answer can be found with this command, available on many operating systems: which dig or: which named Regards, Chris

Re: BIND 9.8.1-P1: 'make test' fails

2013-08-20 Thread Chris Buxton
. Regards, Chris Buxton

Re: bind9 and logrotation

2013-07-29 Thread Chris Buxton
BIND write and rotate log files, but then process them with logrotate afterward. Another option is to send all log messages through syslog, which allows for: - asynchronous (batched) file writing - all kinds of other, more advanced features that BIND doesn't support natively Regards, Chris Buxton

Re: New warning message...

2013-07-22 Thread Chris Buxton
On Jul 22, 2013, at 1:24 PM, Barry S. Finkel bsfin...@att.net wrote: On 7/22/2013 11:17 AM, bind-users-requ...@lists.isc.org wrote: This was discussed here already, and imho this is anti-spf bullshit like all those spf breaks forwarding FUD. The SPF RR is already here and is preferred over

Re: BIND Performance with Huge RPZ

2013-07-12 Thread Chris Buxton
such example is query logging to file (instead of to syslog), which can completely gut performance. Regards, Chris Buxton BLUECAT

Re: bind classless slave from microsoft dns classful SOA?

2013-07-12 Thread Chris Buxton
server. Were I you, I would refuse to slave the /24 reverse zone. Regards, Chris Buxton BLUECAT

Re: BIND Service Hung

2013-07-03 Thread Chris Buxton
On Jul 2, 2013, at 7:33 PM, Arie Lendra Putra ari...@smartfren.com wrote: PS: sometimes this happens when our upstream is down, many unanswered DNS request sometimes trigger named not responding. Stop forwarding. Do your own recursion. Regards, Chris

Re: Answers from cache or authority section?

2013-06-25 Thread Chris Buxton
, Chris Buxton BLUECAT

Re: bind 2.1a3 on centos 6.4

2013-06-24 Thread Chris Buxton
On Jun 22, 2013, at 12:50 PM, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote: Or don't use nslint? +1 Use 'named-checkconf -z' instead. Or run it without '-z', and then use 'named-checkzone' against each zone file, with suitable options to tweak the tests to meet your needs. Chris

Re: bind 2.1a3 on centos 6.4

2013-06-24 Thread Chris Buxton
On Jun 24, 2013, at 10:09 AM, Brian Cuttler br...@wadsworth.org wrote: On Mon, Jun 24, 2013 at 09:40:36AM -0700, Chris Buxton wrote: On Jun 22, 2013, at 12:50 PM, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote: Or don't use nslint? +1 Use 'named-checkconf -z' instead. Or run it without

Re: SPF record with include:

2013-06-21 Thread Chris Buxton
On Jun 20, 2013, at 7:30 PM, Julie Xu j...@uws.edu.au wrote: Hi Steven, Jason, Ged and Bind expert Thanks for the reply. It is great help. However, I need ask more. For this include clause to be added in, I have also need to add DKIM records. SPF and DKIM are unrelated. There is no

Re: Stub zones vs minimal responses

2013-06-12 Thread Chris Buxton
On Jun 12, 2013, at 5:23 AM, Tony Finch d...@dotat.at wrote: Chris Buxton cli...@buxtonfamily.us wrote: If an authoritative server is configured to send minimal responses, will a stub zone get all the necessary data from that server? What I'm seeing is, the recursive server sends an SOA

Re: What happens when one out of three NSs are down?

2013-06-12 Thread Chris Buxton
anycast to route around the problem. In practice, though, your best bet is to find out why that small group of customers are having problems. Are they querying the servers directly? Chris Buxton

Stub zones vs minimal responses

2013-06-10 Thread Chris Buxton
response. Am I understanding the evidence correctly? Regards, Chris Buxton

Re: any requests

2013-06-05 Thread Chris Buxton
On Jun 5, 2013, at 11:59 AM, Doug Barton do...@dougbarton.us wrote: On 06/05/2013 11:33 AM, Tony Finch wrote: I believe the ANY hack on mail servers was a Sendmailism 20ish years ago. s/Send/q/ That makes even more sense. DJB always thinks he knows best.

Re: any requests

2013-06-03 Thread Chris Buxton
, not the MX record. And that represents a failure of the SMTP protocol implementation. Chris Buxton On Jun 3, 2013, at 3:42 PM, Leonard Mills l...@yahoo.com wrote: If your some of your clients are SMTP relays, then ANY is the default lookup for an MX and is perfectly normal. Much better

Re: Negative zones; NXDOMAIN responses

2013-05-20 Thread Chris Buxton
On May 20, 2013, at 12:51 AM, Narcis Garcia informat...@actiu.net wrote: - Yes, I thought about not using DNS from the same internet provider, but wanted to know if there is a way to patch only the .local response. - This is the configuration I use in one of the LANs: view local-nets {

Re: Mailing list reply-to setting

2013-05-09 Thread Chris Buxton
messages in it. My mail client shows the number of unread messages next to each mail folder, except for those that have no unread messages. I do not have to click on each folder to cause this to happen. Regards, Chris Buxton

Re: NS geo-distribution

2013-04-29 Thread Chris Buxton
chance of hitting a NS with a higher latency? RTT means almost always hitting the fastest server. Chris Buxton

Re: ISC Courses

2013-04-27 Thread Chris Buxton
courses for Men & Mice, the live interaction was a key component of the value of the class. You just don't get that remotely. Chris Buxton

Re: Mirror Masters

2013-04-24 Thread Chris Buxton
On Apr 24, 2013, at 2:21 PM, Manson, John wrote: Works great. Got the conf file down to about 12 lines (only transferring 1 zone file for test). Only problem is the file is in slave format. Is the master going to have a problem sending the db.x.bak to slaves? When a slave receives the

Re: Mirror Masters

2013-04-23 Thread Chris Buxton
, change all the zone statements from slave to master. That way, you won't be dependent on OS processes for transferring and synchronizing the data between the two masters. Your other choice is to use rsync to synchronize files between the two masters, perhaps as a cron job. Chris Buxton

Re: BIND 9.4.x and check-names

2013-04-17 Thread Chris Buxton
: warning: zone /IN: gc._msdcs./A: bad owner name (check-names) Hmm, aren't those supposed to be SRV records? No, they are the addresses of the global catalog servers. If they were SRV records, check-names would not complain. Chris Buxton

Re: RPZ and negative answers

2013-04-04 Thread Chris Buxton
On Apr 4, 2013, at 1:42 AM, Phil Mayers wrote: On 04/04/2013 12:50 AM, Chris Buxton wrote: Thanks for the explanation. It seems to me this is a gap in coverage of RPZ -- the algorithm should be updated, in my opinion, to cover the case of a negative answer. AIUI it's a deliberately

Re: RPZ and negative answers

2013-04-03 Thread Chris Buxton
On Apr 3, 2013, at 4:13 PM, Vernon Schryver wrote: From: Chris Buxton cli...@buxtonfamily.us If a name exists in the response policy, and also exists in the real Internet namespace, the value from the policy is returned. But if it doesn't exist out on the Internet, then the value

Re: Dynamic Update Policy.....

2013-03-30 Thread Chris Buxton
not to have DHCP update the host records as well as the reverse? Chris Buxton BlueCat Networks

Re: Disable logging for a view

2013-03-30 Thread Chris Buxton
On Mar 29, 2013, at 1:46 AM, Francesco wrote: Hello, i need to log queries into bind.log for all views except only one view (i call it the default view, where it logs all attacks, flood, ecc.). But i noticed i can not insert logging clause into a view. Is there a way? No. Chris Buxton

Re: Understanding rndc referral statistics

2013-03-30 Thread Chris Buxton
of the response is concerned) coming from BIND 9.9, 9.3, 9.1, 8.2, or 4.9. (I can't speak for 4.8.) Chris Buxton BlueCat Networks

Re: Recursion issue

2013-03-28 Thread Chris Buxton
, I see: www.speaker.gov.300 IN CNAME wc.house.gov.edgekey.net. wc.house.gov.edgekey.net. 17789 IN CNAME e4776.g.akamaiedge.net. e4776.g.akamaiedge.net. 20 IN A 184.26.83.91 Chris Buxton BlueCat Networks

Re: Recursion issue

2013-03-28 Thread Chris Buxton
(143.231.1.67) ;; WHEN: Thu Mar 28 08:45:23 2013 ;; MSG SIZE rcvd: 80 There is no need to configure recursion on your external authoritative name servers. Other name servers will not query them recursively anyway. I continue to fail to see the problem that you're trying to solve. Chris Buxton

Re: Recursion issue

2013-03-28 Thread Chris Buxton
recommend turning it off using 'recursion no;' in your options or view statement. Chris Buxton BlueCat Networks

Re: Recursion Issue

2013-03-28 Thread Chris Buxton
Everything is as it should be. Chris Buxton BlueCat Networks

Re: Blocking private addresses with a optionq

2013-03-14 Thread Chris Buxton
to a particular address range. No, I'm pretty sure the OP wants to strip records from responses if the records are A records referring to private address space (RFC 1918). I've no idea how you would do this. Chris Buxton BlueCat Networks

Re: Blocking private addresses with a optionq

2013-03-14 Thread Chris Buxton
On Mar 14, 2013, at 9:07 AM, Niall O'Reilly wrote: On 14 Mar 2013, at 15:57, Chris Buxton wrote: No, I'm pretty sure the OP wants to strip records from responses if the records are A records referring to private address space (RFC 1918). I've no idea how you would do

Re: 3rd party CNAMEs and open recursion

2013-03-05 Thread Chris Buxton
servers). Chris Buxton BlueCat Networks

Re: Stop of logging of No Valid Signature Found

2013-02-26 Thread Chris Buxton
in his explanation. Chris Buxton BlueCat Networks

Re: Building a fresh named.root

2013-02-15 Thread Chris Buxton
to contact IPv6 addresses. Chris Buxton BlueCat Networks

Re: Export / Import all zone data

2013-02-15 Thread Chris Buxton
none -k ignore -o $2 $1 $2.orig Chris Buxton BlueCat Networks

Re: Building a fresh named.root

2013-02-15 Thread Chris Buxton
'localhost' can mean different things to different computers. It probably means ::1 (IPv6 localhost) in this case. Try explicitly specifying the IP address rather than using the hostname. Chris Buxton BlueCat Networks

Re: Slaving from DNS masters behind LVS

2013-02-13 Thread Chris Buxton
, and (if you really must) conditional forwarding zones. Chris Buxton BlueCat Networks

Re: SOA issue

2013-02-13 Thread Chris Buxton
? Chris Buxton BlueCat Networks rndc reload sturdymemorial.org zone reload up-to-date dig @localhost sturdymemorial.org soa ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 57470 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1

Re: private trust anchor

2013-02-11 Thread Chris Buxton
? Really? I didn't expect that to come from someone at ISC. Use 'type stub' instead, with a masters statement rather than a forwarders statement. Chris Buxton

Re: Transfers-out

2013-01-08 Thread Chris Buxton
On Jan 8, 2013, at 1:24 PM, Manson, John wrote: Can this option be used in a ‘slave’ config to prevent out-bound transfers? Transfers-out 0; The 9.9.2 ARM is ambiguous. Wouldn't it be simpler to just write this instead, in your options statement? allow-transfer { none; }; Chris Buxton

Re: Duplicate records?

2012-12-21 Thread Chris Buxton
), the alias need not change to gain the same benefit. Deciding when to use a CNAME record in place of one or more other records is a matter of taste, management tools, and use cases. Chris Buxton BlueCat Networks

Re: Requesting tips on setting TTLs so that expired RRSIG data doesn't stay in the zone

2012-12-14 Thread Chris Buxton
query one of the zone's authoritative servers directly (in the absence of forwarding configuration) to get a current RRSIG record. Therefore, the only problem these expired RRSIGs might cause is a little bit of wasted bandwidth. Chris Buxton BlueCat Networks

Re: With the announcement that: “Advisory — D-root is changing its IPv4 address on the 3rd of January.”

2012-12-14 Thread Chris Buxton
-P1 on the resolvers. We currently do not use a root hints file – If we put a hints file in named.conf, then will named will use it, rather than the compiled in hints? Yes. Chris Buxton BlueCat Networks

Re: Expiration TTLs

2012-12-03 Thread Chris Buxton
in BIND (nothing similar to MS DNS' aging and scavenging feature set), and no way to really implement it purely in DNS. Any attempt to use the expire timer to achieve this is evidence of a profound misunderstanding of the use of these timers. Regards, Chris Buxton BlueCat Networks

Re: Can't find named_dump.db

2012-12-03 Thread Chris Buxton
of the server. Look in /var/cache/bind. That's the working directory for the bind9 package default configuration. (To see this, use 'grep directory /etc/bind/named.conf.options'.) Chris Buxton BlueCat Networks

Re: Expiration TTLs

2012-12-02 Thread Chris Buxton
is not a TTL timer. The two are different. Zone expiration should usually be at least a week. I've set mine to 6 weeks. This timer has nothing to do with the refresh interval, which is also defined in the SOA record. Chris Buxton BlueCat Networks

Re:

2012-11-30 Thread Chris Buxton
. 172800 IN A 72.167.164.36 ns2.videolinedvd.com. 172800 IN A 72.167.164.36 Glue records without matching authoritative records are pretty useless. If there isn't a matching A record in the videolinedvd.com zone as served by those two servers, it just won't work. Chris
