Re: Query failed (timed out)

2019-11-07 Thread Chris Thompson
-users/2019-June/101930.html -- Chris Thompson Email: c...@cam.ac.uk ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo

Re: Strange DNS problem

2019-06-10 Thread Chris Thompson
3.74] which doesn't have this server cookie problem. -- Chris Thompson Email: c...@cam.ac.uk

When to use the "invalid" TLD

2019-04-09 Thread Chris Thompson
reasonable use of "invalid", and consistent with the remarks in section 6.4 of RFC 6761 (also dating from 2013, incidentally). -- Chris Thompson Email: c...@cam.ac.uk

Re: Cached negative responses

2018-12-21 Thread Chris Thompson
he counter for these negative responses in Cache, or could there really be that many objects in the cache ? Assuming these were output as uint64_t but then reinterpreting them as int64_t, they are very *small* negative numbers, -57 and -9 respectively. I suspect something other than overflow is responsible.

Re: DNSSEC: give KSK from my domain to parent zones

2018-10-05 Thread Chris Thompson
he www.[zonename] RRs in different zones), because the full owner name is included in the hashing input. (Use a different Key) Yes. Because there are no advantages whatsoever in doing otherwise! -- Chris Thompson Email: c...@cam.ac.uk

Re: NTP through DNS?

2018-09-26 Thread Chris Thompson
.yourdomain CNAME externalntp.otherdomain CNAME externalntp.someotherdomain Assuming that you are running name server software that actually allows you to have several CNAMEs with the same label, of course. BIND8 with "multiple-cnames yes", perhaps? :-)

Re: tool for finding undelegated children in your DNS

2018-07-27 Thread Chris Thompson
approach is to do a dig axfr to get the actual zone... If you do need to work from the zone files, I would strongly recommend normalising them with "named-checkzone -o outfile zonename infile" or an equivalent, before trying to unpick them with "Perl, awk, etc". -- Chr

Re: Administrivia.

2018-04-23 Thread Chris Thompson
/ Thanks for the heads up - I'll make sure our Ops team is aware. To further increase our Schadenfreude, please do let the list know just how ISC managed to let that happen! Or will you be able to blame ARIN? -- Chris Thompson Email: c...@cam.ac.uk

Re: Slow zone signing with ECDSA

2017-04-20 Thread Chris Thompson
should all be looking forward to the time when BIND, inter alia, supports them... -- Chris Thompson Email: c...@cam.ac.uk

Reply to digests [was: RE: bind-users Digest, Vol 1727, Issue 1]

2016-07-05 Thread Chris Thompson
"Re: [the subject format for the list's digest messages]". Maybe a scan of the message content for a copy of the digest prologue would be a good idea as well. -- Chris Thompson Email: c...@cam.ac.uk

Re: g.root-servers.net not reachable anymore

2016-04-18 Thread Chris Thompson
https://lists.dns-oarc.net/pipermail/dns-operations/2016-April/014765.html which is fairly tight-lipped! -- Chris Thompson Email: c...@cam.ac.uk

Re: response case in-sensitivity?

2015-07-30 Thread Chris Thompson
the cache). -- Chris Thompson Email: c...@cam.ac.uk

Re: Future of BIND's built-in empty zone list

2015-05-17 Thread Chris Thompson
that they will remain cached. -- Chris Thompson Email: c...@cam.ac.uk

Re: Future of BIND's built-in empty zone list

2015-05-17 Thread Chris Thompson
is described. Would this actually break a validating resolver with a locally defined (unsigned) empty zone 2.0.192.IN-ADDR.ARPA ? The parent zone can produce a proof that there is no signed delegation, but only by revealing the signed DNAME. -- Chris Thompson Email: c...@cam.ac.uk

Future of BIND's built-in empty zone list

2015-05-14 Thread Chris Thompson
in the public DNS acquire DNAMEs pointing to that (hopefully ones with large TTLs). -- Chris Thompson Email: c...@cam.ac.uk

Re: Future of BIND's built-in empty zone list

2015-05-14 Thread Chris Thompson
On May 14 2015, I wrote: Now that RFCs 7434 7435 have been published, how do ISC see the future ... That should be 7_5_34 7_5_35 of course. Curses. -- Chris Thompson Email: c...@cam.ac.uk

Re: Automatic flushing of the jnl files

2015-01-21 Thread Chris Thompson
. (Of course, as Phil Mayers points out, this would cause downstream IXFRs to become AXFRs,) -- Chris Thompson Email: c...@cam.ac.uk

RE: Inline-signing feature request: Directly set the signed zone's serial number

2014-10-18 Thread Chris Thompson
uses HINFO for its original purpose anywhere in the DNS. and I think I might get away with it. -- Chris Thompson Email: c...@cam.ac.uk

Re: Inline-signing feature request: Directly set the signed zone's serial number

2014-10-17 Thread Chris Thompson
when we later had to put an A record (sorts before HINFO) at the apex of cam.ac.uk and I had to modify our normalised-zone-file-comparison program to allow for that! -- Chris Thompson Email: c...@cam.ac.uk

To DLV or not to DLV [was Re: recursive lookups for UNSECURE names ...]

2014-08-28 Thread Chris Thompson
tribulations summarised above (and believe me, I could go on about it at *much* greater length! you should be grateful) have occasionally made me regret that. -- Chris Thompson Email: c...@cam.ac.uk

Re: Why the heck my NS are not working

2014-07-20 Thread Chris Thompson
lbtest.isnlab.in, You are always going to get inconsistent results until you fix the delegation. -- Chris Thompson Email: c...@cam.ac.uk

Re: bind 9.10..0-P1 rndc: 'retransfer' failed: not found; other rndc commands are ok

2014-05-23 Thread Chris Thompson
what would normally happen when the refresh interval expires. That is, it will do an SOA query against the master(s), and if the serial has increased attempt an (if possible incremental) zone transfer. -- Chris Thompson Email: c...@cam.ac.uk

Re: a note on 9.10.0rc2: eleven, twelve; dig and delv(e)

2014-04-27 Thread Chris Thompson
, not another two-letter command for the benefit only of the digit-ally challenged... Not to mention what http://en.wikipedia.org/wiki/DQ has to say... -- Chris Thompson Email: c...@cam.ac.uk

Re: Windows dig resolv.conf

2014-04-11 Thread Chris Thompson
by default. -- Chris Thompson Email: c...@cam.ac.uk

Re: What do you do when the Root records are wrong?

2014-04-03 Thread Chris Thompson
? No, they are authoritative for udrtld.net, self-consistently claiming themselves as the only NS records for it. This looks like a simple case of a change of nameservers for a zone not propagating too well, because the old ones haven't stopped serving it. -- Chris Thompson Email: c...@cam.ac.uk

Re: What do you do when the Root records are wrong?

2014-04-03 Thread Chris Thompson
the zone, or at least serve a version with the new NS records in situation. but the (highly anti-social, by the way) behaviour of these nameservers makes that impossible to arrange. -- Chris Thompson Email: c...@cam.ac.uk

Re: nsec3 opt-out confusion (bug report)

2014-04-01 Thread Chris Thompson
, is not a bug. It is mandated by RFC 5155 - see section 4.1.2. This was really nic.at (and not example.com), wasn't it? Your domain obfuscation was half-hearted! I tried looking at it, but things were changing too fast for me to get consistent results... -- Chris Thompson Email: c...@cam.ac.uk

Re: localhoast A record?

2014-03-24 Thread Chris Thompson
On Mar 21 2014, SM wrote: Hi Chris, At 11:18 21-03-2014, Chris Thompson wrote: We used to create lots of localhost.[subdomain].cam.ac.uk records, even to the extent of adding an record just for those institutions that had IPv6 enabled on their networks. But we have pretty much given up

Re: localhoast A record?

2014-03-21 Thread Chris Thompson
described above before it goes any further. -- Chris Thompson Email: c...@cam.ac.uk

Re: Converting an inline-signed zone to unsigned

2014-03-06 Thread Chris Thompson
On Feb 19 2014, Alan Clegg wrote: On 2/19/14, 8:59 PM, Chris Thompson wrote: What is the right way ... or maybe I should be asking IS there a right way ... to change a zone that has been signed by inline signing (i.e. with inline-signing yes; auto-dnssec maintain; in it zone statement

Re: Converting an inline-signed zone to unsigned

2014-03-06 Thread Chris Thompson
inline signing, and find some other way of achieving what I want. -- Chris Thompson Email: c...@cam.ac.uk

Converting an inline-signed zone to unsigned

2014-02-19 Thread Chris Thompson
/IN: not loaded due to errors. and the zone goes into SERVFAIL state. The only way I found out of this was to remove the [zone-file].signed and [zone-file].signed.jnl files manually, and *then* do rndc reconfig. Surely there must be something better than that? -- Chris Thompson Email: c...@cam.ac.uk

Re: changing NSEC3 salt

2014-02-12 Thread Chris Thompson
iterations increases the probability of a collision. Of course, it's pretty damn small to begin with, so that doesn't really matter. But the algorithm, described in RFC 5155 section 5, could have been better designed from that point of view. -- Chris Thompson Email: c...@cam.ac.uk

Re: Case-Insensitive Response Compression May Cause Problems With Mixed-Case Data and Non-Conforming Clients

2014-02-06 Thread Chris Thompson
(case-sensitive) compression rules themselves, they will only respond to clients with different casing in the question and answer sections if they have themselves been queried for the same name with different casings (possibly by different clients, of course). -- Chris Thompson Email: c

Re: Insecurity proof failed resolving newsletter.postbank.de - but why?

2014-01-20 Thread Chris Thompson
in the referral). Note the absence of opt-out in the NSEC3. -- Chris Thompson Email: c...@cam.ac.uk

Re: Sites that points their A Record to localhost

2014-01-14 Thread Chris Thompson as IP Register
On Jan 14 2014, Joseph S D Yao wrote: On 2014-01-12 10:04, Chris Thompson wrote: [...] That would be more plausible if www.p3net.net actually resolved to something, rather than giving NXDOMAIN ... How interesting. From here I see (and saw before I posted): ;; ANSWER SECTION

Re: Sites that points their A Record to localhost

2014-01-12 Thread Chris Thompson
of typing in www.p3net.net to get to his or her Web site. That would be more plausible if www.p3net.net actually resolved to something, rather than giving NXDOMAIN ... -- Chris Thompson Email: c...@cam.ac.uk

Re: Serial numbers for inline signing

2013-12-18 Thread Chris Thompson
the journal has been pruned as a result of exceeding the max-journal-size setting. But this won't tell you *when* each increment happened. -- Chris Thompson Email: c...@cam.ac.uk

Re: rndc refresh fails for signed zones

2013-12-12 Thread Chris Thompson
be strange to have signing done in more than one place, yes. The sort of scenario when you want to do signing on a slave is that in Example 2 in https://kb.isc.org/article/AA-00626/ -- Chris Thompson Email: c...@cam.ac.uk

Re: dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-06 Thread Chris Thompson
is possible and if so whether it would fit into the UDP payload. Of course, if the client's supplied SOA serial is the same, this response indicates that no zone transfer is needed. -- Chris Thompson Email: c...@cam.ac.uk

Non-recursive nameserver response to DS request

2013-11-14 Thread Chris Thompson
in the zone cam.ac.uk, which of course is true.] -- Chris Thompson Email: c...@cam.ac.uk

Re: TXT Record Format with multiple records?

2013-10-13 Thread Chris Thompson
A paragraph of text that -- Chris Thompson Email: c...@cam.ac.uk

Re: Occasional SERVFAILs from dig NS iq.

2013-09-25 Thread Chris Thompson
I have reported this problem to bind9-bugs [ISC bug #34839]. -- Chris Thompson Email: c...@cam.ac.uk

Occasional SERVFAILs from dig NS iq.

2013-09-24 Thread Chris Thompson
with beta and rc versions earlier, and I can provoke it with 9.9.3-P2 on another server as well). iq is partially signed, in the sense that some of its nameservers deliver a signed version, and some an unsigned one, but I don't see how that leads to the effect observed. -- Chris Thompson Email: c

Re: Occasional SERVFAILs from dig NS iq.

2013-09-24 Thread Chris Thompson
On Sep 24 2013, Tony Finch wrote: Chris Thompson c...@cam.ac.uk wrote: I have noticed that I get occasional (fast) SERVFAIL responses from dig NS iq., e.g. iq is partially signed, in the sense that some of its nameservers deliver a signed version, and some an unsigned one, but I don't see

Re: nxdomain

2013-08-29 Thread Chris Thompson
) an NXDOMAIN for, rather than the unqualified one. The OP would probably have been a lot less mystified if the message had been Host www.undernet.org.my-domain.example not found: 3(NXDOMAIN) rather than Host www.undernet.org not found: 3(NXDOMAIN) -- Chris Thompson Email: c...@cam.ac.uk

Re: internal network PTR records, necessary?

2013-08-14 Thread Chris Thompson
the option empty-zones-enable yes; explicitly. -- Chris Thompson Email: c...@cam.ac.uk

Re: writing .jnl files to another path possible?

2013-07-29 Thread Chris Thompson
at the journal option in the zone statement. -- Chris Thompson Email: c...@cam.ac.uk

Re: Rate-Limit Question

2013-06-14 Thread Chris Thompson
status of the BIND 9.9 series. -- Chris Thompson Email: c...@cam.ac.uk

Re: New Versions of BIND Are Now Available

2013-05-29 Thread Chris Thompson
to built in empty zones list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336] That doesn't apply if you have automatic empty zones disabled, e.g. by recursion no in options, of course. -- Chris Thompson Email: c...@cam.ac.uk

Re: Bind 9.9.3b2

2013-05-10 Thread Chris Thompson
. -- Chris Thompson Email: c...@cam.ac.uk

Re: resolver, search command....

2013-05-08 Thread Chris Thompson
a negative result, but it doesn't. -- Chris Thompson Email: c...@cam.ac.uk

Re: Simple question about zone and CNAME

2013-04-05 Thread Chris Thompson
because, and I quote, all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around. -- Chris Thompson Email: c...@cam.ac.uk

Re: queries aborted due to quota

2013-03-19 Thread Chris Thompson
need to increase named's -S option, or it may run out of sockets before query queue slots. I have to say I am a bit suspicious of your reference to forward servers. There are all sorts of possible misconfigurations using forwarders that might provoke problems of this sort. -- Chris Thompson Email

Re: a lot of transfer when slave start

2013-03-05 Thread Chris Thompson
specifying a file value for the zones on the slave server? -- Chris Thompson Email: c...@cam.ac.uk

Re: lame-servers: error (FORMERR) resolving [something]

2013-01-15 Thread Chris Thompson
with dig +trace +nodnssec www.isc.org -- Chris Thompson Email: c...@cam.ac.uk

Re: set directory for auto key files

2013-01-07 Thread Chris Thompson
can't tell named-checkzone / named-compilezone with the -j option where to find the journal if it isn't in the default location. -- Chris Thompson Email: c...@cam.ac.uk

Noisy messages from BIND about root hints change

2013-01-07 Thread Chris Thompson
for . and the address records for the *.root-servers.net names so referenced. But why did it keep going on and on about it? And what made it stop? Has anyone else seen anything similar? -- Chris Thompson Email: c...@cam.ac.uk

Re: BIND and DNSSEC

2012-11-01 Thread Chris Thompson
On Nov 1 2012, Jan-Piet Mens wrote: I do as well, and this will be documented in the next version of this document. I believe you've mentioned that here before. Several times. Today. ;-) “What I tell you three times is true.” The Bellman, pp Lewis Carroll -- Chris Thompson Email: c

Re: Delegations

2012-10-31 Thread Chris Thompson
of labels between cuts. I don't see how safer would apply, either. -- Chris Thompson Email: c...@cam.ac.uk

Re: Delegations

2012-10-31 Thread Chris Thompson
. It was hard work to change it to allow the domain part for authorisation purposes to be any trailing set of labels, but by ${DEITY?} it was necessary! -- Chris Thompson Email: c...@cam.ac.uk

Using BIND-DLZ for a hidden master [was: Re: dns master-slave transfer]

2012-10-31 Thread Chris Thompson
by a DLZ interface? -- Chris Thompson Email: c...@cam.ac.uk

Re: Disable log message

2012-10-21 Thread Chris Thompson
, the more that the actually executing named says about itself, the better. -- Chris Thompson Email: c...@cam.ac.uk

Re: Disable log message

2012-10-18 Thread Chris Thompson
difficulty understanding why anyone would want it suppressed. It's true that BIND is a bit noisier than it used to be at this stage, but can this really be a problem? Do you let the black hats see your system logs? -- Chris Thompson Email: c...@cam.ac.uk

Re: about the wild record

2012-10-15 Thread Chris Thompson
- rcode NOERROR with an empty data section - is what RFC 2308 calls NODATA, and not an NXDOMAIN. This is because test.cloudns.tk is an empty non-terminal in the name tree within the zone, and it is that which prevents *.cloudns.tk from applying to anything under it. -- Chris Thompson Email: c

Re: error (unexpected RCODE REFUSED) resolving

2012-10-12 Thread Chris Thompson
to happen when the nameservers for a zone behave abnormally. This time I have got around to reporting it to bind9-bugs. -- Chris Thompson Email: c...@cam.ac.uk

Re: Listen-on per view?

2012-08-11 Thread Chris Thompson
, i.e. on which of the nameserver's own addresses it arrived on.) Thinking in terms of listen-on was a category error. Views don't have separate listening apparatus. Instead the queries that come in are farmed out to the views on the basis of their matching conditions. -- Chris Thompson Email

Re: Journal File Question

2012-07-25 Thread Chris Thompson
utility distributed with BIND. Although I have to say I would hate to be dependent on this way of recovering a lost zone file: you should probably be rethinking your whole backup and recovery strategy. -- Chris Thompson Email: c...@cam.ac.uk

Re: rndc stats command

2012-07-18 Thread Chris Thompson
--- (1342566900) ^^ which are in time_t format (seconds since the Unix epoch). [What's annoyingly missing, by the way, is the time when named was in fact started. That's present in the XML on the statistics channel, but not in the file written by rndc stats.] -- Chris

Re: check-names via command line

2012-07-11 Thread Chris Thompson
) ... :-( Apologies for the FUD. -- Chris Thompson Email: c...@cam.ac.uk

Re: check-names via command line

2012-07-10 Thread Chris Thompson
want to use fail. -- Chris Thompson Email: c...@cam.ac.uk

Re: check-names via command line

2012-07-10 Thread Chris Thompson
that back. As far as I can see the -k option of named-checkzone has no effect at all, despite the man page, at least with BIND 9.8.3-P1. -- Chris Thompson Email: c...@cam.ac.uk

Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-06-01 Thread Chris Thompson
9.5.0, but 2457. [tuning]max-cache-size is reverted to 0, the previous default. It should be safe because expired cache entries are also purged. [RT #18684] was there before 9.5.1, and AFAICS it has been like that ever since. -- Chris

Re: Checking for zone expiration?

2012-05-21 Thread Chris Thompson
in a separate directory (or directories) from the type master ones, if any. -- Chris Thompson Email: c...@cam.ac.uk

Re: Interaction of -S and recursive-clients?

2012-05-18 Thread Chris Thompson
On May 17 2012, Daniel Deighton wrote: On 05/17/2012 12:20 PM, Chris Thompson wrote: [... snip ...] named: general: error: socket: file descriptor exceeds limit (4096/4096) last message repeated 1194 times named: general: error: socket: file descriptor exceeds limit (4096/4096) last message

Interaction of -S and recursive-clients?

2012-05-17 Thread Chris Thompson
as these numbers are reached only when the network has gone pear-shaped anyway.) -- Chris Thompson Email: c...@cam.ac.uk

Re: records via GENERATE

2012-05-14 Thread Chris Thompson
while the zone file is being read, at startup or after e.g. an rndc reload [zone]. -- Chris Thompson Email: c...@cam.ac.uk

Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Chris Thompson
rely on it defaulting to the SOA.MINTTL value (or specify all TTLs explicitly). You probably meant root.localhost. for the SOA.rname. -- Chris Thompson Email: c...@cam.ac.uk

Re: Secondary Zone 'Raw' File format

2012-05-04 Thread Chris Thompson
what's in the file with: named-checkzone -D -f raw zonename filename The other things that changed in BIND 9.9 is that there is a new version of the raw format (as in -F raw=1 versus -F raw=0 in named-checkzone, q.v. its man page). What was the motivation for that change? -- Chris Thompson Email

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-30 Thread Chris Thompson
well for them ever appearing in BIND. -- Chris Thompson Email: c...@cam.ac.uk

Re: Exercising RFC 5011 rollovers

2012-04-21 Thread Chris Thompson
entry, and then restarting it. -- Chris Thompson Email: c...@cam.ac.uk

Re: www.glb.hud.gov

2012-04-19 Thread Chris Thompson
be bothering to (try to) fetch the DNSKEY records. -- Chris Thompson Email: c...@cam.ac.uk

Re: How to reset the serial number?

2012-03-27 Thread Chris Thompson
from MMDDNN style to seconds-since-1970, the stealth-slaving Windows DNS servers of that time (even the 2008 ilk) just could not cope, and went into a tizzy continuously trying to fetch the zones and then rejecting them for their smaller serials. -- Chris Thompson Email: c...@cam.ac.uk

Re: How to reset the serial number?

2012-03-27 Thread Chris Thompson
? Or did you mean something like (1) remove the zone from the slave's configuration and rndc reconfig (reload is overkill) (2) delete the slave zone file (3) add the zone to the slave's configuration again and rndc reconfig ? That would work, but rndc retransfer [zone] is a lot simpler! -- Chris

Re: rndc reconfig vs. rndc reload

2012-03-22 Thread Chris Thompson
reload after updating some of the zone files, I loop through the list of updated zone files and run rndc reload zone for each one. This is better, of course, if you can do it. -- Chris Thompson Email: c...@cam.ac.uk

Re: NS record for subzone definition

2012-03-13 Thread Chris Thompson
to the overall limit of 253 characters on the fully qualified name -- Chris Thompson Email: c...@cam.ac.uk

Re: Exercising RFC 5011 rollovers

2012-03-08 Thread Chris Thompson
indicate that the data structure in managed-keys.bind cannot quite capture all the complexities of RFC 5011. The BIND version used in the later part of this experiment was (early-access) 9.8.2rc2 but I doubt that is particularly significant. -- Chris Thompson Email: c...@cam.ac.uk

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Chris Thompson
of 3 again most of the time. I notice that this is what VeriSign do for the DNSKEY records in com, net edu. -- Chris Thompson Email: c...@cam.ac.uk

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Chris Thompson
On Mar 7 2012, Bill Owens wrote: On Wed, Mar 07, 2012 at 12:13:35PM +, Chris Thompson wrote: This is wrong (although I have seen the same thing stated in a number of other places). When the default public exponent was changed from 3 to 2^16+1 (change 2088) the one selected by -e

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Chris Thompson
for the following: com, net edu use 3 for all DNSKEYs gov uses 3 for its KSK and active ZSKs, 232+1 for an idle ZSK cz uses 2^16+1 for its KSK, 2^32+1 for its ZSK la my us use 2^32+1 for all DNSKEYs -- Chris Thompson Email: c...@cam.ac.uk

RE: RFC 6303 and bind 9.9.0

2012-03-01 Thread Chris Thompson
it up to date in most of my own nameserver configurations.] -- Chris Thompson Email: c...@cam.ac.uk

Re: Logging issue with bind

2012-02-16 Thread Chris Thompson
property that it only ARM produces output when the server's debug level is nonzero. It's actually quite a pain that one can't define one's own channels with that special property. -- Chris Thompson Email: c...@cam.ac.uk

Re: Query Regarding NSEC RR in DNSSEC

2012-02-15 Thread Chris Thompson
. The security functions end-to-end, between the zone administrator (she who generates its contents and signs it) and the validator, not point-to-point. -- Chris Thompson Email: c...@cam.ac.uk

Re: CVE-2012-1033 (Ghost domain names) mitigation

2012-02-09 Thread Chris Thompson
).Is this correct? AFAIK 'rndc flush' will do the same. If you know the domain name in question, rndc flushname ghost.example should be enough. (BIND 9.9 has rndc flushtree as well, but I think clobbering the cached NS records for the ghost domain should be enough.) -- Chris Thompson Email

RE: Unknown RR in .in domain

2012-02-06 Thread Chris Thompson
of the authoritative in servers. -- Chris Thompson Email: c...@cam.ac.uk

Re: 9.9 query log change

2012-01-16 Thread Chris Thompson
, not just the query log ones. But it does look mighty strange in that case. And maybe people will want the class and type (and even flags) of the query added in the general case, which would sort of reduce the query log specific info to just it happened. -- Chris Thompson Email: c...@cam.ac.uk

9.9 query log change

2012-01-15 Thread Chris Thompson
is new, but seems always to be the same as the later query name. What is it for? If it meant to be the name of the client it has got it horribly wrong! The ARM for 9.9.0rc1 still describes the old format. -- Chris Thompson Email: c...@cam.ac.uk

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-11 Thread Chris Thompson
nobody.invalid as the SOA.rname, but BIND still uses . for empty zones (apparently even in 9.9.0rc1). I imagine we will change that if/when BIND does. -- Chris Thompson Email: c...@cam.ac.uk

Re: Exercising RFC 5011 rollovers

2012-01-09 Thread Chris Thompson
to perform this experiment at this time... it happened as a result of specifying a set of key publication and activation times in January 2011 when January 2012 was intended :-) -- Chris Thompson Email: c...@cam.ac.uk

Re: Fwd: Re: .TLD minimum number of nameservers rule

2011-12-15 Thread Chris Thompson
it? Well, it turns out that the word two above occurs at the beginning of a line in rfc1034.txt, and I was searching for the string two ... :-( [Too many false drops if you search for just the three-character string, because of network.] -- Chris Thompson Email: c...@cam.ac.uk
