Re: Multiple A Records - Followup Question
On 2016-10-02 21:22, Reindl Harald wrote:
> On 02.10.2016 at 22:42, David Ford wrote:
>> On 2016-10-02 12:59, Reindl Harald wrote:
>>>> IOW, can a given *IP* appear in more than one A record? I realize
>>>> that this does have the problem that the reverses would resolve to
>>>> hostX not test
>>>
>>> one IP should only have one PTR - period
>>>
>>> avoid anything else than PTR/A-matching if the machine is supposed to
>>> send outbound mail
>>
>> it is very helpful to have multiple PTR records for an IP on a mail
>> server so anti-spam engines can accurately make fully verified forward
>> and reverse lookups not just for DNS but also certificate verification.
>
> which is *exactly* what you break with *multiple* PTR records for a
> single IP - seems you don't understand what
> https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS really means

no, it exactly doesn't break. it exactly applies to -every- domain served by that mail server, with each domain serviced having a fully verified forward and backward reachable chain regardless of how many A or PTR (and even CNAME) records exist in RR answers, each having their own domain set in their MX record.

>> mail servers that can't correctly emit the right EHLO for outbound email
>> should remain in the 1990s.
>
> yes, and your EHLO matches the A record of your IP
>
> which of the multiple PTR's should the receiving server use?
> guess what: it uses a random one
> one time it matches your EHLO, the next time not

PTR lookup of 1.2.3.4 returns all RR for a.foo.com, b.zee.com, c.lark.com, where each of these also resolves to 1.2.3.4. it is your -client- that determines what to do with each RR after it has received the answer. if your MTA or milter software cannot iterate all the RR records to find the matching hostname, you should get a better MTA or milter.
> congratulations: you are playing lottery

you're only playing the lottery with MTAs and anti-spam services that are too naive to understand that multiple records can exist in a single RR answer and it should utilize all the records.

> and yes i had cases where we blocked email because
> check_reverse_client_hostname_access when the mailadmin did request a
> PTR and the ISP was too dumb to remove the generic one which ended in
> some mails hit rules and others not

the notion of a 1-to-1 relationship between A and PTR is a relic of history. the internet is always evolving and sharing of IPs to host multiple domains has been around for a long time and is increasing considerably as people try to stretch IPv4 further while waiting for their upstream to provide IPv6. there are a considerable number of existing servers that use a many-to-many relationship of A and PTR records and it's only going to increase as more customers request their IPs resolve to all of their hosted domains.

the cat and mouse game of spam is always ratcheting upward. as mail providers get better at blocking half-assed setups due to spam, sending providers improve their configuration to rise above the spammers. with the simple fully verified FR of IP/PTR/EHLO, i block more than 87% of incoming spam right at the edge. i have very very few false positives.

many-to-many works, and i support its use. i also support the adoption of MTAs and milters capable of handling modern many-to-many instead of breaking because they expect a legacy 1-to-1 or 1-to-many RR.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Multiple A Records - Followup Question
On 2016-10-02 12:59, Reindl Harald wrote:
>> IOW, can a given *IP* appear in more than one A record? I realize
>> that this does have the problem that the reverses would resolve to
>> hostX not test
>
> one IP should only have one PTR - period
>
> avoid anything else than PTR/A-matching if the machine is supposed to
> send outbound mail

it is very helpful to have multiple PTR records for an IP on a mail server so anti-spam engines can accurately make fully verified forward and reverse lookups not just for DNS but also certificate verification.

mail servers that can't correctly emit the right EHLO for outbound email should remain in the 1990s.
Re: BIND 9 API & GUI
i'm in the middle of developing a project that uses postgresql as the dlz backend and has a web interface. it works for most day-to-day operations for zone edits (GUI zone add/remove not yet in place), it is multi-user concurrent, and it uses a small middleware to replicate to multiple masters. the backend is a WAMP infrastructure and the system is agnostic regarding clients. i don't have a command line interface but doing so would be pretty easy. most of it is on github at https://github.com/Blue-Labs/ButterflyDNS.

-d

On 2016-07-25 21:36, Kirk wrote:
> I have been looking for a way to provide both an API and a GUI
> interface for my multi-master/slave BIND infrastructure.
>
> There are obviously many GUI options, but finding a solution that will
> allow for external programs to add/change/delete records (API), and
> allow administrators to manually make the same kinds of changes (GUI)
> without each process interfering with each other has proven more
> difficult than I expected.
>
> This seems like it would be a common need, and I can't be the only one
> in this "bind".
>
> Has anyone else solved this problem?
Re: Multiple A and PTR and the "main" ones?
We are also one of those services that will reject mail if DNS records don't line up sufficiently to a) satisfy RFC requirements for DNS and b) are clearly mismatched with your DNS A/MX/PTR/SPF and who you pretend to be in HELO/EHLO.

Those two simple rules block more than 92% of incoming spam attempts. "generics" tend to fall into that pit nearly 100% of the time. If your DNS can simply say in MX/SPF that you are legit, you easily avoid that pit.

Blocking the majority of spam is really easy if we simply require adherence to what is actually mandated in RFC and a pinch of sensible thinking about DNS.

-d

On 2015-09-11 14:33, Lightner, Jeff wrote:
> Actually some mail servers DO check not only that a PTR exists but also that
> it is not "generic".
>
> Every once in a while we get someone complaining because one of the big sites
> (Ebay?) refuses to accept their email due to the "generic" (as defined by that
> site's policies) nature of our PTR. We typically ignore that because we've
> never seen this complaint from other mail servers and no one has ever
> provided a business use for the one site that is complaining.
>
> Other than that I've never seen any complaint about what the actual PTR is so
> I can't imagine why you'd need more than one for the same IP. Just pick
> the one that helps identify you for anyone that cares to look at IPs vs
> names.
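The check that the "Multiple A Records" thread above and this message both describe (walk every PTR the IP returns, forward-resolve each one, compare the result with what the client claimed in EHLO, and treat generic ISP-style names as a bad sign), as an added example that is not code from any of the posts. It runs against a constructed in-memory record table rather than live DNS; the host names a.foo.com, b.zee.com and c.lark.com are taken from the thread, while the addresses 192.0.2.25 and 192.0.2.99, the ISP-style PTR and the GENERIC_PTR pattern are assumptions.

```python
"""Forward-confirmed reverse DNS (FCrDNS) over *all* PTR records of an IP.

Added example; not code from the bind-users posts. The resolver is a
constructed in-memory table so the script runs offline; replace lookup()
with real DNS queries (e.g. dnspython) to use it on live traffic.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed records. 192.0.2.25 carries three PTRs (host names taken from
# the thread) that all forward-resolve to it; 192.0.2.99 carries a single
# ISP-style generic PTR whose A record points somewhere else entirely.
RECORDS: dict[tuple[str, str], list[str]] = {
    ("25.2.0.192.in-addr.arpa.", "PTR"): ["a.foo.com.", "b.zee.com.", "c.lark.com."],
    ("a.foo.com.", "A"): ["192.0.2.25"],
    ("b.zee.com.", "A"): ["192.0.2.25"],
    ("c.lark.com.", "A"): ["192.0.2.25"],
    ("99.2.0.192.in-addr.arpa.", "PTR"): ["192-0-2-99.dyn.example-isp.net."],
    ("192-0-2-99.dyn.example-isp.net.", "A"): ["203.0.113.7"],
}

# Assumed heuristic for "generic" ISP names: the address spelled into the
# label, or dyn/dhcp/pool markers.
GENERIC_PTR = re.compile(r"(\d{1,3}[-.]){3}\d{1,3}|\bdyn(amic)?\b|\bdhcp\b|\bpool\b", re.I)


def lookup(name: str, rtype: str) -> list[str]:
    """Return the RRset for (name, rtype), or [] when nothing exists."""
    return RECORDS.get((name.lower().rstrip(".") + ".", rtype), [])


def fcrdns(ip: str) -> list[str]:
    """Every PTR target of `ip` whose own A/AAAA RRset contains `ip`.

    The point of the thread: iterate the whole PTR RRset instead of
    trusting whichever record the resolver happened to put first.
    """
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    return [
        host.rstrip(".")
        for host in lookup(addr.reverse_pointer + ".", "PTR")
        if ip in lookup(host, rtype)
    ]


def evaluate_client(ip: str, ehlo: str) -> tuple[str, str]:
    """Classify an SMTP client as (verdict, reason).

    accept: the EHLO name is one of the forward-confirmed PTRs.
    reject: nothing forward-confirms, or only generic-looking names do.
    defer:  the chain verifies but the EHLO name is not in it.
    """
    confirmed = fcrdns(ip)
    if not confirmed:
        return "reject", "no PTR of %s forward-confirms" % ip
    if all(GENERIC_PTR.search(h) for h in confirmed):
        return "reject", "only generic PTR names: %s" % ", ".join(confirmed)
    if ehlo.lower().rstrip(".") in confirmed:
        return "accept", "EHLO %s is a forward-confirmed PTR" % ehlo
    return "defer", "EHLO %s not among confirmed PTRs %s" % (ehlo, confirmed)


if __name__ == "__main__":
    for ip, ehlo in [("192.0.2.25", "b.zee.com"), ("192.0.2.25", "mail.other.test"),
                     ("192.0.2.99", "192-0-2-99.dyn.example-isp.net")]:
        print(ip, ehlo, evaluate_client(ip, ehlo))
```

Because fcrdns() keeps every name that round-trips, a host that serves three domains with three PTRs passes whichever of them it uses in EHLO, while a single stale or generic PTR still fails: the order the resolver returns the RRset in never matters.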
Re: Digging to the final IP
# dig +noall +answer dave.knig.ht a | awk '/IN\tA\t/ {print $NF}'
216.235.14.46
Re: BIND 9.10.0b1 has been released.
On 02/26/2014 05:48 PM, Lawrence K. Chen, P.Eng. wrote:

Except that security patches haven't been going into BIND 4 for some time, probably because BIND4 has been deprecated since 2007. BIND8 was deprecated in 2008. BIND 9.4 was deprecated in 2008 with the last release of 9.4-ESV in 2012. the last release of 9.5 was in 2010. 9.7 is also deprecated, last released in 2012.

9.6-ESV is the oldest ISC supported version for the public; it last had an update a few weeks ago. this is the last version of 9.6 as support ended in January.

supported versions:
  9.8.7 was released a month ago
  9.9.5 two weeks ago
  9.10.0b1 a month ago

if you are running BIND software older than these three trees, you're responsible for creating or finding security patches for that software. ISC doesn't support deprecated versions.

the current ESV tree is BIND 9.9 which will be supported until June, 2017.

DHCP 4.1-ESV is the oldest supported ESV, which will become unsupported in December of this year. 4.3 will be the next ESV version. 3.1-ESV and 4.0 were deprecated in 2010.

-david
Re: Duplicates in newsgroup gateway
it's posted 2x, slightly different.

To: comp.protocols.dns.b...@googlegroups.com
To: comp-protocols-dns-b...@isc.org

both cc the newsgroup

-david

On 06/25/2012 06:11 PM, Barry Margolin wrote:
> I read bind-users through the comp.protocols.dns.bind newsgroup. I'm
> seeing lots of duplicate posts. Most of the replies in the CNAME Rules
> thread showed up twice. Is there a problem with the gateway?
Re: ISC BIND 9.8.2 followup announcement
fyi, DLZ external has been broken post 9.8.1p1. fails to compile with an undefined reference to main. both for 9.8.2 and 9.9.0

-david

make[4]: Entering directory `/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/bin/tests/system/dlzexternal'
/bin/sh /usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/libtool --mode=compile --tag=CC x86_64-pc-linux-gnu-gcc -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0 -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/dns/include -I../../../../lib/dns/include -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/isc/include -I../../../../lib/isc -I../../../../lib/isc/include -I../../../../lib/isc/unix/include -I../../../../lib/isc/nothreads/include -I../../../../lib/isc/x86_32/include -I/usr/include -D_GNU_SOURCE -march=native -mtune=native -O2 -pipe -DHAVE_GEOIP -DHAVE_GEOIP_V6 -I/usr/include/libxml2 -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -c dlopen.c
libtool: compile: x86_64-pc-linux-gnu-gcc -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0 -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/dns/include -I../../../../lib/dns/include -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/isc/include -I../../../../lib/isc -I../../../../lib/isc/include -I../../../../lib/isc/unix/include -I../../../../lib/isc/nothreads/include -I../../../../lib/isc/x86_32/include -I/usr/include -D_GNU_SOURCE -march=native -mtune=native -O2 -pipe -DHAVE_GEOIP -DHAVE_GEOIP_V6 -I/usr/include/libxml2 -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -c dlopen.c -fPIC -DPIC -o .libs/dlopen.o
libtool: compile: x86_64-pc-linux-gnu-gcc -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0 -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/dns/include -I../../../../lib/dns/include -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/isc/include -I../../../../lib/isc -I../../../../lib/isc/include -I../../../../lib/isc/unix/include -I../../../../lib/isc/nothreads/include -I../../../../lib/isc/x86_32/include -I/usr/include -D_GNU_SOURCE -march=native -mtune=native -O2 -pipe -DHAVE_GEOIP -DHAVE_GEOIP_V6 -I/usr/include/libxml2 -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -c dlopen.c -o dlopen.o >/dev/null 2>&1
/bin/sh /usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/libtool --mode=link --tag=CC x86_64-pc-linux-gnu-gcc -march=native -mtune=native -O2 -pipe -DHAVE_GEOIP -DHAVE_GEOIP_V6 -I/usr/include/libxml2 -fPIC \
  -o dlopen dlopen.lo -ldl -lcap -lm -lGeoIP -lxml2 -lz -lm
libtool: link: x86_64-pc-linux-gnu-gcc -march=native -mtune=native -O2 -pipe -DHAVE_GEOIP -DHAVE_GEOIP_V6 -I/usr/include/libxml2 -fPIC -o dlopen .libs/dlopen.o -ldl -lcap -lGeoIP -lxml2 -lz -lm
/bin/sh /usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/libtool --mode=compile --tag=CC x86_64-pc-linux-gnu-gcc -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0 -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/dns/include -I../../../../lib/dns/include -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/isc/include -I../../../../lib/isc -I../../../../lib/isc/include -I../../../../lib/isc/unix/include -I../../../../lib/isc/nothreads/include -I../../../../lib/isc/x86_32/include -I/usr/include -D_GNU_SOURCE -march=native -mtune=native -O2 -pipe -DHAVE_GEOIP -DHAVE_GEOIP_V6 -I/usr/include/libxml2 -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -c driver.c
libtool: compile: x86_64-pc-linux-gnu-gcc -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0 -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/dns/include -I../../../../lib/dns/include -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/isc/include -I../../../../lib/isc -I../../../../lib/isc/include -I../../../../lib/isc/unix/include -I../../../../lib/isc/nothreads/include -I../../../../lib/isc/x86_32/include -I/usr/include -D_GNU_SOURCE -march=native -mtune=native -O2 -pipe -DHAVE_GEOIP -DHAVE_GEOIP_V6 -I/usr/include/libxml2 -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -c driver.c -fPIC -DPIC -o .libs/driver.o
libtool: compile: x86_64-pc-linux-gnu-gcc -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0 -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/dns/include -I../../../../lib/dns/include -I/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/lib/isc/include -I../../../../lib/isc -I../../../../lib/isc/include -I../../../../lib/isc/unix/include -I../../../../lib/isc/nothreads/include -I../../../../lib/isc/x86_32/include -I/usr/include -D_GNU_SOURCE -march=native -mtune=native -O2 -pipe -DHAVE_GEOIP -DHAVE_GEOIP_V6
Re: DLZ provider other than a database?
i guess that depends on how particular you are about what a piece of static data is, where it's stored, and what API you want to do your talking with. all our dns is managed via a modified Ant web interface that talks to a pgsql backend. that sql backend is what named uses.

-david

On 12/21/2011 01:10 PM, Doug Barton wrote:
> [...]
> Thanks, I'll take a look at that. Any other ideas? :)
>
> Doug
Re: bind-9.8.1: INSIST(! dns_rdataset _isassociated(sigrdataset)) failed
ISC have replied and indicated that BIND 10 was designed with resilience to abnormal events in mind. i'm eagerly looking forward to trying it out now.

i disagree that it's easier to find and fix. many people will simply wrap it in a while(1) and ignore it because we don't have the time to sit and debug it, which puts us precisely at the same footing as simply logging an alert and continuing -- except we now have the lag during the restart period. events often occur at inopportune moments.

-d

On 11/16/2011 11:47 AM, Paul Wouters wrote:
> These however do guarantee internal state so any kind of new bug is much
> easier to find and fix. Openswan does the same thing for this very reason.
> However, openswan does have an init script that runs a while(1) loop over
> its daemon. This means once we encounter unexpected state, we drop all
> state and restart. Perhaps bind and/or distributions should also use such
> an init script. I would prefer that over attempting to continue with a bad
> internal state and seeing apparent random state/crashers later on in bind
> because it tried to continue after something bad.
>
> Paul
BIND 9.8.1 dlz bug
methinks a few bytes got missed

--- sdlz_helper.c~ 2010-05-14 02:29:37.0 -0400 +++ sdlz_helper.c 2011-09-05 01:22:55.394409909 -0400 @@ -50,7 +50,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#ifdef DLZ +#ifdef CONTRIB_DLZ #include config.h

:)

-david
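Review bot: the guard rename from DLZ to CONTRIB_DLZ is shown for this one file only, and the header paths (`--- sdlz_helper.c~` / `+++ sdlz_helper.c`) carry no directory, so the patch applies only from inside the directory that holds sdlz_helper.c and the diff alone does not show whether the driver sources built alongside it test the same symbol. Generating the diff from the source root and stating in the message which build option defines CONTRIB_DLZ would let a reader confirm that the helper is now compiled together with the drivers that call it rather than silently compiled out under a guard nothing defines.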
Re: incorrect dns returned by public servers for our domain
https://blue-labs.org/software/dns/bogon-update.py

-david

On 02/23/11 23:04, Gregory Machin wrote:
> Hi.
> Thanks for the support and assistance.
> I see that the issue is related to the bogon filter in bind configuration.
> Where can I get a valid bogon list?
> Thanks

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
bind problems, 9.7.0 p1
A snippet of the log to start with

11-Jun-2010 06:35:08.959 Postgres driver unable to find available connection after searching 30 times
11-Jun-2010 06:35:08.959 Postgres driver unable to return result set for findzone query

/*%
 * Loops through the list of DB instances, attempting to lock
 * on the mutex.  If successful, the DBI is reserved for use
 * and the thread can perform queries against the database.
 * If the lock fails, the next one in the list is tried.
 * looping continues until a lock is obtained, or until
 * the list has been searched dbc_search_limit times.
 * This function is only used when the driver is compiled for
 * multithreaded operation.
 */
static dbinstance_t *
postgres_find_avail_conn(db_list_t *dblist)
{
    dbinstance_t *dbi = NULL;
    dbinstance_t *head;
    int count = 0;

    /* get top of list */
    head = dbi = ISC_LIST_HEAD(*dblist);

    /* loop through list */
    while (count < dbc_search_limit) {
        /* try to lock on the mutex */
        if (isc_mutex_trylock(&dbi->instance_lock) == ISC_R_SUCCESS)
            return dbi; /* success, return the DBI for use. */

        /* not successful, keep trying */
        dbi = ISC_LIST_NEXT(dbi, link);

        /* check to see if we have gone to the top of the list. */
        if (dbi == NULL) {
            count++;
            dbi = head;
        }
    }
    isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
                  DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
                  "Postgres driver unable to find available "
                  "connection after searching %d times",
                  count);
    return NULL;
}

11-Jun-2010 06:35:09.080 name.c:2091: REQUIRE(suffixlabels > 0) failed
11-Jun-2010 06:35:09.081 exiting (due to assertion failure)

void
dns_name_split(dns_name_t *name, unsigned int suffixlabels,
               dns_name_t *prefix, dns_name_t *suffix)
{
    unsigned int splitlabel;

    REQUIRE(VALID_NAME(name));
    REQUIRE(suffixlabels > 0);
    REQUIRE(suffixlabels < name->labels);
    REQUIRE(prefix != NULL || suffix != NULL);
    REQUIRE(prefix == NULL ||
            (VALID_NAME(prefix) && prefix->buffer != NULL && BINDABLE(prefix)));
    REQUIRE(suffix == NULL ||
            (VALID_NAME(suffix) && suffix->buffer != NULL && BINDABLE(suffix)));

    splitlabel = name->labels - suffixlabels;

    if (prefix != NULL)
        dns_name_getlabelsequence(name, 0, splitlabel, prefix);

    if (suffix != NULL)
        dns_name_getlabelsequence(name, splitlabel, suffixlabels, suffix);

    return;
}

There are two issues here.

a) why is bind rapid firing, and i mean RAPID, the logs are overflowing with these messages. bind attempts to find a free mutex connection and failing? 14 of these pairs in 3ms with 80 seconds of silence prior to this and a minute of silence after this. 420 attempts in 3ms. my postgresql logs aren't indicating anything is going on and the machine is almost a blank slate for activity. it's entirely idle. there's no hangup on resources for the DB so i have to presume that bind itself has somehow gotten into a full-up state without good reason. postgresql is indicating 4 idle connections normally. i have maybe one or two queries per second averaged out of small 4-12 queries in an ~8 second interval. maybe a microsleep pause would be beneficial. better would be a dump showing which threads were doing what to figure out why a supposedly idle system is all tied up.

Next, b) named keeps dying with this entirely ambiguous assertion failure. i'm sure it's a fault of my own but without any indication where the issue lies, this is like asking to find a leaf in a forest without knowing what type of leaf you're looking for ^_^. Why is bind so prone to falling over and dying from typos? don't get me wrong please, i love bind which is why i've been using it for ~15 years now. i've noted that bind has a strong tendency to simply flat out abort if it encounters zone data it doesn't like rather than report it and drop the bad data. that's not really very reliable. it's ok for testing in the lab but really bad manners for production.

A bit of help on these please :)

-david
Re: bind 9.6.2 with threads hangs
BIND has long had issues with threading since it started supporting threaded operation. I recommend you simply recompile without thread support. I retry compiling with thread support about twice a year and as of late last year, BIND still hung soon after restart with threading enabled.

-david

On 03/19/2010 09:09 AM, Fabien Seisen wrote:
> Hi,
> We have several recursive cache bind servers and experiencing weird things when named is compiled with-threads:
> [...]

--
Linux: freedom to build is good
Please top-post and trim when replying to my messages. I most often read mail on a small device.
Re: Favorite bind-dlz / mysql web based frontend?
I don't use mysql, I use postgresql. For web mgt, I use a locally modified copy of Ant.

-david

On 01/22/10 13:34, da...@from525.com wrote:
> All,
> I was wondering if any of the folks out there using bind-dlz with mysql have found a decent web based tool for managing their data?
> Thanks,
> David Porsche
Re: Bind is hanging on CentOS 4.4
Bind and threading don't get along, I have always had to force bind to compile without thread support entirely.

Jesse Cabral wrote:
> So I can understand the original goal, let me re-clarify the objective. The problem of Bind hanging is thought to be caused by an interthread lock. The suggestion is to disable threads. Let me ask this question, is the goal to disable threads on multi-processors or threads completely?
> [...]
Re: Bind is hanging on CentOS 4.4
Every few releases I try to add threads back in and get the same results. Both on my 32bit linux and 64bit linux machines (current gentoo). Named crashes or hangs.

Jeff Lightner wrote:
> This may have something to do with the different way Linux does threads compared to UNIX. On my RHEL5 servers I see named humming along quite happily with 5 threads across two processors so it may be the original hang problem had nothing to do with threads. I tried to find something that would document a process apparently running threads when told not to do so but couldn't. There was a change in the way threading is done by Linux between 2.4 and 2.6 kernel and CentOS 4 is based on earlier 2.6 kernel than RHEL5 so it's conceivable there is a kernel version issue there but if so I didn't find reference to it.
>
> Jesse - did you try the --disable-linux-caps mentioned in the link I sent you yesterday?: http://linux-vserver.org/Problematic_Programs
Re: Semi-OT, BIND dlz and excessive queries
afaik, yes it's expected - for the reason that we don't yet have a smart way across all types of database to find the most specific match without doing multiple queries.

-david

Scott Haneda wrote:
> The DLZ users mailing list is pretty quiet, thought to ask here in case someone can elaborate.
>
> I have MySql query logging on so I can see the queries as they come in for testing.
>
>   dig example.com @localhost
>
> This yields a hit to the database of
>
>   090509  5:50:56  2593 Query  SELECT zone FROM resource_records WHERE zone = 'example.com'
>                    2593 Query  SELECT zone FROM resource_records WHERE zone = 'com'
>
> Two hits.
>
>   dig a.b.c.d.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.example.com @localhost
>
> A small snip of the log for that one, I am sure you get the idea:
>
>   2593 Query  SELECT zone FROM resource_records WHERE zone = 's.t.u.v.w.x.y.z.example.com'
>   2593 Query  SELECT zone FROM resource_records WHERE zone = 't.u.v.w.x.y.z.example.com'
>   2593 Query  SELECT zone FROM resource_records WHERE zone = 'u.v.w.x.y.z.example.com'
>   2593 Query  SELECT zone FROM resource_records WHERE zone = 'v.w.x.y.z.example.com'
>   2593 Query  SELECT zone FROM resource_records WHERE zone = 'w.x.y.z.example.com'
>   2593 Query  SELECT zone FROM resource_records WHERE zone = 'x.y.z.example.com'
>   2593 Query  SELECT zone FROM resource_records WHERE zone = 'y.z.example.com'
>   2593 Query  SELECT zone FROM resource_records WHERE zone = 'z.example.com'
>   2593 Query  SELECT zone FROM resource_records WHERE zone = 'example.com'
>   2593 Query  SELECT zone FROM resource_records WHERE zone = 'com'
>
> Is this expected behavior? This seems quite a simple way to potentially bring a data source to its knees.
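To make the cost in Scott's log concrete, and to show what "the most specific match without doing multiple queries" can look like, here is an added example that is neither BIND's DLZ driver code nor anything from the thread. It runs against an in-memory SQLite table shaped like his resource_records table, with constructed rows for example.com and a delegated sub.example.com; the column layout, the rows and both lookup strategies are assumptions.

```python
"""DLZ findzone: one query per label versus one query per name.

Added example; not BIND's DLZ driver and not from the thread. An in-memory
SQLite table stands in for the resource_records table in the MySQL log,
with constructed rows, so it runs offline.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed zone table: example.com and a delegated sub.example.com."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE resource_records (zone TEXT, host TEXT, type TEXT, data TEXT)")
    db.executemany(
        "INSERT INTO resource_records VALUES (?, ?, ?, ?)",
        [
            ("example.com", "@", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
            ("example.com", "www", "A", "192.0.2.2"),
            ("sub.example.com", "@", "A", "192.0.2.3"),
        ],
    )
    db.execute("CREATE INDEX rr_zone ON resource_records (zone)")
    return db


def candidate_zones(qname: str) -> list[str]:
    """Every suffix of qname, most specific first.

    a.b.example.com -> ['a.b.example.com', 'b.example.com', 'example.com', 'com']
    """
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def findzone_per_label(db: sqlite3.Connection, qname: str) -> tuple[str | None, int]:
    """The pattern visible in Scott's log: one SELECT per suffix, stopping at
    the first hit. Returns (zone, queries issued); a miss costs one query
    per label, which is exactly the amplification he is worried about."""
    queries = 0
    for zone in candidate_zones(qname):
        queries += 1
        row = db.execute(
            "SELECT zone FROM resource_records WHERE zone = ? LIMIT 1", (zone,)
        ).fetchone()
        if row:
            return row[0], queries
    return None, queries


def findzone_single_query(db: sqlite3.Connection, qname: str) -> tuple[str | None, int]:
    """One round trip: pass every candidate suffix and let the database return
    the longest (most specific) zone that exists. Names travel as bound
    parameters, never string-formatted into SQL, so a hostile QNAME with a
    quote in it cannot reach the query text."""
    cands = candidate_zones(qname)
    placeholders = ", ".join("?" for _ in cands)
    row = db.execute(
        "SELECT zone FROM resource_records WHERE zone IN (%s) "
        "ORDER BY length(zone) DESC LIMIT 1" % placeholders,
        cands,
    ).fetchone()
    return (row[0] if row else None), 1


if __name__ == "__main__":
    db = make_db()
    for name in ("www.example.com", "a.b.c.sub.example.com",
                 "a.b.c.d.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.example.com",
                 "nothing.here.invalid"):
        print(name, findzone_per_label(db, name), findzone_single_query(db, name))
```

The per-label walk costs as many queries as the name has labels when nothing matches, so a stranger choosing the QNAME chooses your database load; the IN (...) form fixes the cost at one query whatever the name looks like, at the price of a query whose parameter count grows with the label count.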
Re: Postgres v MySQL v Berkely backend for BIND
I use the DLZ/PG backend and it's rock solid. I use Ant with a few modifications for my front end.

Stephen Carville wrote:
> I have to bother you all again. I was asked Friday afternoon about using a database with the new BIND servers. To me it seems using MySQL or PostgreSQL is a bit like hunting rabbits with a howitzer though Berkeley DB looks like a good fit. I can find patches for all three but no real information on reliability or performance. Performance is not the big deal but reliability and ease of maintenance is. Anyone here have experience or an informed opinion in using a database backend to BIND? This is for BIND 9 on a CentOS or Redhat 5 system.
9.6.0, DLZ still missing link library
libtool: link: i686-pc-linux-gnu-gcc -O2 -mtune=i686 -march=i686 -pipe -D_GNU_SOURCE -I/usr/include/libxml2 -o .libs/named .libs/builtin.o .libs/client.o .libs/config.o .libs/control.o .libs/controlconf.o .libs/interfacemgr.o .libs/listenlist.o .libs/log.o .libs/logconf.o .libs/main.o .libs/notify.o .libs/query.o .libs/server.o .libs/sortlist.o .libs/statschannel.o .libs/tkeyconf.o .libs/tsigconf.o .libs/update.o .libs/xfrout.o .libs/zoneconf.o .libs/lwaddr.o .libs/lwresd.o .libs/lwdclient.o .libs/lwderror.o .libs/lwdgabn.o .libs/lwdgnba.o .libs/lwdgrbn.o .libs/lwdnoop.o .libs/lwsearch.o .libs/dlz_drivers.o .libs/sdlz_helper.o .libs/dlz_postgres_driver.o .libs/dlz_bdb_driver.o .libs/dlz_bdbhpt_driver.o .libs/dlz_filesystem_driver.o .libs/dlz_ldap_driver.o .libs/dlz_stub_driver.o unix/.libs/os.o ../../lib/lwres/.libs/liblwres.so ../../lib/dns/.libs/libdns.so ../../lib/bind9/.libs/libbind9.so /var/tmp/portage/net-dns/bind-9.6.0_p1/work/bind-9.6.0-P1/lib/isccfg/.libs/libisccfg.so ../../lib/isccfg/.libs/libisccfg.so /var/tmp/portage/net-dns/bind-9.6.0_p1/work/bind-9.6.0-P1/lib/dns/.libs/libdns.so /var/tmp/portage/net-dns/bind-9.6.0_p1/work/bind-9.6.0-P1/lib/isccc/.libs/libisccc.so ../../lib/isccc/.libs/libisccc.so /var/tmp/portage/net-dns/bind-9.6.0_p1/work/bind-9.6.0-P1/lib/isc/.libs/libisc.so ../../lib/isc/.libs/libisc.so -L/usr/lib/postgresql-8.3/lib -lpq /usr/lib/libdb-4.2.so -lpthread -L/usr/lib /usr/lib/libldap.so /usr/lib/libsasl2.so -lcrypt -lresolv -lssl -lcrypto /usr/lib/liblber.so -lnsl /usr/lib/libxml2.so -ldl -lz -lm
.libs/dlz_bdb_driver.o: In function `bdb_opendb':
dlz_bdb_driver.c:(.text+0x39f): undefined reference to `db_create'

-ldb is missing from the link flags.
Re: Inconsistent failure to resolve
JINMEI Tatuya / 神明達哉 wrote:

> At Fri, 06 Feb 2009 21:36:18 -0500, David Ford da...@blue-labs.org wrote:
>
> You specify the IP address of the NS in question as bogon. That should be the reason for the SERVFAIL.
>
>     acl bogon {
>         ...
>         174.0.0.0/8;
>         ...
>     };
>
>     blackhole {
>         // Deny anything from the bogon networks as
>         // detailed in the bogon ACL.
>         bogon;
>     };
>     };
>
>     ; glue
>     howtoburndvd.NET.       170900  NS  ns1.linkyo.com.
>                             170900  NS  ns2.linkyo.com.
>     ; answer
>     ns1.linkyo.com.         170900  A   174.132.250.26
>     ; answer
>     ns2.linkyo.com.         170901  A   174.132.249.226
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.

Recap summary. Sometimes we miss the glaringly obvious things since in our mind it just isn't likely that this is the answer, like fighting with a piece of equipment for an hour before realizing it's not plugged in. My bogon list is built automatically and came from a friend. The update used to be working just fine but recently it was silently failing. The update process has been updated and it's functional again.

Thank you again JINMEI.

-david

--
Linux: freedom to build is good
Please top-post and trim when replying to my messages. I most often read mail on a small device.

VERY NOT-IMPORTANT NOT-LEGAL NOTICES:

Recalling a message does in no way delete it from my computer. Rather, it brings attention to your original email and recalling it causes me to search for a reason to find embarrassment. Please don't send message recall messages. It's silly and obnoxious and wastes even more bandwidth and patience.

Regardless of what legal message you append to your email message, I am not obligated or constrained in any way shape or form. If I feel like printing it out and taping it up at the local gym, or mass mailing it to 15,000 people, I will. I feel especially inclined to do so the longer your legal advisory is. Such notices are unenforceable and do not protect you or your company from things you say, or things others do with the email.

Millions of innocent men, women and children, since the introduction of Christianity, have been burnt, tortured, fined, imprisoned; yet we have not advanced one inch towards uniformity. What has been the effect of coercion? To make half the world fools, and the other half hypocrites. --Thomas Jefferson

This message is confidential to the Internet at large, unless otherwise indicated or apparent from its nature. It may not be reproduced on Mars unless it has previously been printed on Uranus. This message is directed to the intended recipient only (usually everyone, but sometimes nobody and once in a blue moon, just somebody), who may be readily determined by the sender of this message and its contents. This email message (including any attachments) is not for the sole use of the intended recipient(s) and may or may not contain confidential, proprietary and privileged information. It may include sarcastic holier than thou content.

If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient: (a) any dissemination or copying of this message is strictly prohibited unless you feel otherwise; and (b) immediately notify the sender by return message (but only if the sun has gone black) and destroy any copies of this message in any form (electronic, paper or carved in stone) that you have. Please destroy by smashing your computer with a 21lb sledge hammer approximately 17 times to ensure destruction of your system. Any unauthorized review, use, disclosure or distribution is most assuredly not prohibited and you will not IMMEDIATELY be PROSECUTED to the fullest ... or emptiest ... extent of the law. If you are not the intended recipient, please immediately notify some random person of your age, sex, and location and your undying desire to fornicate with them by email and destroy all copies of the original message if you sent it to an underage person. Oh, and definitely don't tell me about it.

The delivery of this message and its information is neither intended to be nor constitutes a disclosure or waiver of any trade secrets, intellectual property, attorney work product, or attorney-client communications. If you happen to be a corporation that uses lawyer-think-speak-asinine-thoughts well then please sit your ass back down and we will promptly ignore the hell out of you and your disclaimers. Wait, no we won't. We have this urgent primal need to publicly make fun of you, and then we'll repost your message in blazing full frontal nudity across the internet. The authority of the individual sending this message to legally bind any entity is neither apparent nor implied, and must be independently verified - uh ... duh? Isn't that obvious? Of course not. Only people with intelligence recognize
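The failure above is worth guarding against mechanically: BIND's blackhole list is not only a "don't answer these clients" list, the server also refuses to use those addresses to resolve queries, so a prefix that swallows an NS's glue turns into SERVFAIL for every zone delegated to it. The following is an added Python example (not from the thread) that parses an acl block and reports any glue address it would blackhole; the ACL text uses the thread's 174.0.0.0/8 entry with two constructed stand-ins for the elided lines, and the glue is the thread's own.

```python
"""Added example: check an auto-generated bogon ACL against the NS glue a
resolver must be able to reach, before the ACL is loaded into named.
Only plain prefix entries are handled (no '!' negation or nested acl
names), which is all the thread's list contains.
"""
import ipaddress
import re

# Constructed from the acl quoted in the thread; the "..." lines are
# replaced by two well-known unroutable ranges so the sample is complete.
BOGON_ACL = """
acl bogon {
    10.0.0.0/8;
    127.0.0.0/8;
    174.0.0.0/8;
    192.0.2.0/24;
};
"""

# Glue the resolver needs in order to reach howtoburndvd.net's servers
# (names and addresses as shown in the thread).
GLUE = {
    "ns1.linkyo.com.": "174.132.250.26",
    "ns2.linkyo.com.": "174.132.249.226",
}

_ACL_RE = re.compile(r"acl\s+(\S+)\s*\{(.*?)\};", re.S)


def parse_acl(text, name="bogon"):
    """Return the prefixes listed in the named.conf acl called `name`."""
    for match in _ACL_RE.finditer(text):
        if match.group(1) != name:
            continue
        body = re.sub(r"//.*|#.*", "", match.group(2))  # drop comments
        nets = []
        for entry in body.split(";"):
            entry = entry.strip()
            if entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
        return nets
    raise KeyError(f"acl {name} not found")


def blackholed_glue(acl_nets, glue):
    """Map each NS name whose glue falls inside the ACL to the prefix that
    would blackhole it.  An empty dict means the ACL leaves the glue alone."""
    hits = {}
    for ns, addr in glue.items():
        ip = ipaddress.ip_address(addr)
        for net in acl_nets:
            if ip in net:
                hits[ns] = str(net)
                break
    return hits


def acl_is_safe(text, glue, name="bogon"):
    """True when no needed glue address is covered by the ACL."""
    return not blackholed_glue(parse_acl(text, name), glue)


if __name__ == "__main__":
    for ns, net in blackholed_glue(parse_acl(BOGON_ACL), GLUE).items():
        print(f"{ns} {GLUE[ns]} would be blackholed by {net}")
```

Running the same check against your own NS addresses and the root/TLD server set before each automated ACL refresh catches a stale feed long before the SERVFAILs do.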
Re: loads of Query denied... is it an attack or a misconfiguration ?
An intelligently designed firewall rule that drops the incoming requests isn't doing exactly what the attacker wants. It's the opposite. The main effect of forged lookups is a response flood, and so it is also intended to flood the victim with overwhelming amounts of DNS responses.

It, like any solution, is a two-edged blade. Allowing all the responses to flow back to the victim floods them. Dropping the incoming request prevents that, but it also prevents them from doing lookups on your nameserver for domains that you are authoritative for. So if you drop all these forged queries to your authoritative nameservers save one or two, the victim will get less traffic and still be able to do lookups - they'll just take a wee bit longer on average.

If your nameserver is only getting one or two of these every several minutes, then your impact on the victim is insignificant and you need not take any action - assuming your BIND configuration is proper. However, if you happen to be a fat target and you're getting dozens or hundreds of these per second, then you're having a significant impact on the victim and that particular server should do some filtering.

Firewalls are smart these days. It's entirely possible to do some deep packet inspection and drop only the "." requests, and/or do rate limiting. The only firewalls left that can't do this are ancient beasts that have too many layers of dust on them.

So in addition to ensuring your BIND configuration is set up properly to refuse upward referrals, recursion, answers from cache to strangers, and so forth and so on, it is also important to judiciously apply firewall rules. There can be more than one proper thing to do.

-d

Stephane Bortzmeyer wrote:

> On Wed, Feb 11, 2009 at 01:35:31AM +0100, Thomas Manson dev.mansontho...@gmail.com wrote a message of 80 lines which said:
>
> > I'll temporarily block the ip on my firewall
>
> Very bad idea, since it is forged. You do exactly what the attacker wanted you to do.
>
> The proper thing to do is:
> https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
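The reply above draws the line at rate rather than at source address: a handful of "." queries is noise, dozens per second from one claimed source is a reflection flood aimed at that source. This added Python example (not from the thread) shows the counting step on constructed BIND query-log lines; the log format, the threshold and the regex are assumptions, and the regex tolerates the optional view and "@0x..." fields later BIND versions add.

```python
"""Added example: count queries for the root ('.') per claimed source and
per second in a BIND query log, and report the sources that exceed a
threshold.  Because the source address is forged, those sources are the
reflection victims; the fitting response is to rate-limit or drop '.'
queries claiming to come from them, not to block the address outright.
"""
import re
from collections import defaultdict

# Constructed sample: six root-NS queries within one second claiming to be
# from 192.0.2.7, ordinary queries from 203.0.113.9, one root query from
# 198.51.100.3.  Format mimics BIND 9 query logging.
SAMPLE_LOG = """\
11-Feb-2009 01:35:00.101 client 192.0.2.7#12345: query: . IN NS +E
11-Feb-2009 01:35:00.152 client 192.0.2.7#12345: query: . IN NS +E
11-Feb-2009 01:35:00.210 client 203.0.113.9#40001: query: www.example.net IN A +
11-Feb-2009 01:35:00.301 client 192.0.2.7#12345: query: . IN NS +E
11-Feb-2009 01:35:00.402 client 192.0.2.7#12345: query: . IN NS +E
11-Feb-2009 01:35:00.503 client 192.0.2.7#12345: query: . IN NS +E
11-Feb-2009 01:35:00.604 client 192.0.2.7#12345: query: . IN NS +E
11-Feb-2009 01:35:01.050 client 198.51.100.3#5353: query: . IN NS +E
11-Feb-2009 01:35:01.222 client 203.0.113.9#40001: query: example.net IN MX +
"""

# Timestamp to the second, optional "@0x..." handle, source address and
# port, optional "(qname)" in parentheses, then the query itself.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_lines(text):
    """Yield (second, source, qname, qtype) for every line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("qname"), m.group("qtype")


def root_query_rates(text):
    """Count queries whose qname is '.' keyed by (source, second)."""
    counts = defaultdict(int)
    for ts, src, qname, _qtype in parse_query_lines(text):
        if qname == ".":
            counts[(src, ts)] += 1
    return counts


def flood_sources(text, per_second=5):
    """Sorted list of sources whose '.' query rate exceeded `per_second`
    in at least one second of the log."""
    return sorted({src for (src, _ts), n in root_query_rates(text).items()
                   if n > per_second})


if __name__ == "__main__":
    print(flood_sources(SAMPLE_LOG))  # ['192.0.2.7']
```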
Re: Inconsistent failure to resolve
My nameservers have nothing to do with authority. They simply fail to resolve it most of the time. 72.34.249.230, 198.106.134.21.

Some DNS testers report things like:

    CheckDNS.NET is asking root servers about authoritative NS for domain
    Got DNS list for 'emailimage2.howtoburndvd.net' from ns1.linkyo.com
    Found NS record: ns1.linkyo.com[174.132.250.26], was resolved to IP address by H.GTLD-SERVERS.net
    Found NS record: ns2.linkyo.com[174.132.249.226], was resolved to IP address by H.GTLD-SERVERS.net
    Domain has 2 DNS server(s)
    CheckDNS.NET is verifying if NS are alive
    Error fetching SOA from ns1.linkyo.com[174.132.250.26], server returned non-SOA record, type 5
    Error fetching SOA from ns2.linkyo.com[174.132.249.226], server returned non-SOA record, type 5
    0 server(s) are alive
    No DNS servers alive, tests stopped

I have inconsistent failures to resolve the linkyo nameservers too.

-d

Andy Shellam wrote:

> David,
>
> What are the hostnames/IP addresses of your nameservers? Can you post the relevant sections of your named.conf and/or zone files for howtoburndvd.net?
>
> I can query the hostname fine, and as you see it comes from linkyo.com's nameservers.
>
>     ;; ANSWER SECTION:
>     emailimage2.howtoburndvd.net. 14400 IN CNAME supermedia.howtoburndvd.net.
>     supermedia.howtoburndvd.net.  3600  IN A     174.132.250.26
>
>     ;; AUTHORITY SECTION:
>     supermedia.howtoburndvd.net.  3600  IN NS    ns2.linkyo.com.
>     supermedia.howtoburndvd.net.  3600  IN NS    ns1.linkyo.com.
>
> Andy
>
> David Ford wrote:
>
> > The hostname is: emailimage2.howtoburndvd.net
> >
> > I have two nameservers running 9.6.0-p1. If I query ns{1,2}.linkyo.com directly I always get an answer. If I use my own nameservers I get mostly failures of NXDOMAIN of linkyo.net or SERVFAIL for the hostname. DNS testers yield similar but without explanation.
> >
> > Would someone care to explore and explain?
> >
> > -d
> >
> > ___
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
Re: named and database backed systems
Use the DLZ extension. It's been around for a while, i.e. put the following in your named.conf and use whatever interface you wish. I use Ant with a few modifications. I don't have nearly the number of domains that you do, so my simple system works fine.

    dlz "postgres zone" {
        database "postgres 2
        {host=localhost dbname=dns_data user=bind password=xx}
        {SELECT 'TRUE' FROM canonical WHERE lower(content) = lower('%zone%') limit 1}
        {SELECT ttl, type, priority, data FROM record, canonical
             WHERE lower(content) = lower('%zone%') AND host = '%record%' AND zone = domain}
        {}
        {SELECT ttl, type, host, priority, data FROM record, canonical
             WHERE zone = domain AND lower(content) = lower('%zone%')}
        {SELECT 'TRUE' FROM xfr, canonical
             WHERE zone = domain AND lower(content) = lower('%zone%') AND client = inet '%client%'}";
    };

Rather spiffy for centralizing your record store with immediate change visibility.

-david

Scott Haneda wrote:

> Hello, my past post about wildcarding the . in a named server seems it may be fraught with issues in the long term.
>
> In short, my issue is an auto website creation tool that needs to be simple for users to change their registrar data, and have their site be served up. The old method works, but is being outgrown. I can come in and try to solve it with scripts to sync the website to local named files, but it will always be a battle.
>
> I am coming up short on finding any database backed store for named. I think sqlite would be the best for raw performance, but then again, even a million records in mysql is trivial. I am just worried about volume of selects.
>
> Can anyone point me to any info on database backed named solutions?
>
> Thank you named users, you are all very helpful.
> --
> Scott
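The five query slots in that DLZ configuration (find zone, lookup, authority, all nodes, allow transfer) are easiest to get right when they can be exercised outside named. The following is an added Python example (not the DLZ driver and not the poster's setup) that runs the thread's queries against an in-memory SQLite copy of the schema they imply; the table and column names are inferred from the queries, the rows are constructed, and the Postgres `inet` cast in the transfer query is reduced to a plain string compare. DLZ substitutes `%zone%`, `%record%` and `%client%` textually; the quote doubling in `fill()` is this example's own precaution, so check what your driver version does before relying on it.

```python
"""Added example: exercise the DLZ postgres query slots quoted above
against SQLite, with constructed sample rows."""
import sqlite3

# Schema inferred from the thread's queries (names and types assumed).
SCHEMA = """
CREATE TABLE canonical (zone TEXT, content TEXT);   -- zone id -> zone name
CREATE TABLE record (domain TEXT, host TEXT, ttl INTEGER,
                     type TEXT, priority INTEGER, data TEXT);
CREATE TABLE xfr (domain TEXT, client TEXT);         -- permitted AXFR peers
"""

# Constructed sample data: one zone id 'z1' named example.net with three
# records and one client allowed to transfer it.
SAMPLE_ROWS = [
    ("INSERT INTO canonical VALUES (?, ?)", ("z1", "example.net")),
    ("INSERT INTO record VALUES (?, ?, ?, ?, ?, ?)", ("z1", "@", 3600, "SOA", 0,
     "ns1.example.net. hostmaster.example.net. 1 7200 3600 604800 3600")),
    ("INSERT INTO record VALUES (?, ?, ?, ?, ?, ?)", ("z1", "www", 300, "A", 0, "192.0.2.10")),
    ("INSERT INTO record VALUES (?, ?, ?, ?, ?, ?)", ("z1", "@", 3600, "MX", 10, "mail.example.net.")),
    ("INSERT INTO xfr VALUES (?, ?)", ("z1", "192.0.2.2")),
]

# The thread's queries, verbatim except that "inet '%client%'" is a plain
# string literal here because SQLite has no inet type.
FINDZONE = "SELECT 'TRUE' FROM canonical WHERE lower(content) = lower('%zone%') limit 1"
LOOKUP = ("SELECT ttl, type, priority, data FROM record, canonical "
          "WHERE lower(content) = lower('%zone%') AND host = '%record%' AND zone = domain")
ALLNODES = ("SELECT ttl, type, host, priority, data FROM record, canonical "
            "WHERE zone = domain AND lower(content) = lower('%zone%')")
ALLOWXFR = ("SELECT 'TRUE' FROM xfr, canonical WHERE zone = domain "
            "AND lower(content) = lower('%zone%') AND client = '%client%'")


def open_db():
    """Fresh in-memory database loaded with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for sql, params in SAMPLE_ROWS:
        db.execute(sql, params)
    return db


def fill(template, **params):
    """Emulate DLZ's textual %name% substitution.  Single quotes in a value
    are doubled so a query name cannot terminate the SQL literal early."""
    sql = template
    for key, value in params.items():
        sql = sql.replace(f"%{key}%", str(value).replace("'", "''"))
    return sql


def findzone(db, zone):
    return db.execute(fill(FINDZONE, zone=zone)).fetchone() is not None


def lookup(db, zone, record):
    return db.execute(fill(LOOKUP, zone=zone, record=record)).fetchall()


def allnodes(db, zone):
    return db.execute(fill(ALLNODES, zone=zone)).fetchall()


def allow_xfr(db, zone, client):
    return db.execute(fill(ALLOWXFR, zone=zone, client=client)).fetchone() is not None
```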
Re: Richmond H Dyes/mchhosp.gov is out of the office.
Thank you for this notification. It indicates that today would be a great day for miscreants to make hacking attempts at your account. You don't put a sign up in the front yard of your home that you're away on vacation, do you? ;-)

-david

rd...@monroehosp.org wrote:

> I will be out of the office starting 01/20/2009 and will not return until 01/26/2009.
>
> If it is an emergency, the help line at 760-6277
>
> -- Confidentiality Notice --
> This email message, including all the attachments, is for the sole use of the intended recipient(s) and contains confidential information. Unauthorized use or disclosure is prohibited. If you are not the intended recipient, you may not use, disclose, copy or disseminate this information. If you are not the intended recipient, please contact the sender immediately by reply email and destroy all copies of the original message, including attachments.
Re: Multiple PTR records
I see it all the time on both sides of the fence. I personally support it because, even though I sometimes am impacted by it, the amount of actual spam I filter out because of this is significant.

- it's clear violation of RFC 5321 (and former 2821, 821) - server MUST NOT reject connection because of that.

In today's spam-filled environment, a MUST NOT from RFC 5321 probably rates considerably lower than reducing the total amount of spam. So *if* a postmaster finds out that rejecting mail due to such a mismatch indeed reduces the spam level for his users - he'll probably do it. He may not even have any idea what the RFC says...
DNS issues with tmomail.net
I frequently send short messages to some cellphone users on tmomail.net. Several weeks ago I started noticing that bind is having problems keeping records for tmomail once they get stale, specifically the MX record. If I restart bind, I can immediately get the MX record again.

I'm running 9.5.0_p2 (9.5.0_p2-r1) on Gentoo. Is anyone else noticing this?

-david
Re: DNS issues with tmomail.net
Sam Wilson wrote:

> I hadn't noticed it, but all the records in the response to a request for the MX for tmomail.net have a TTL of 60 seconds: that's the MX record, the NS authority record and the additional A record. The names in the delegation NS records for tmomail.net are different from the authoritative ones, though they seem to be the same servers. There's considerable opportunity there for things to go wrong, though it all seems to work fine from here.

It will work for hours, sometimes a day, before bind is unable to fetch records for it again. But immediately upon restarting bind, bind is able to go fetch records for it. I understand that the records for tmomail.net are problematic, but what makes the difference in bind from running a while vs. a fresh restart when it comes to fetching records? Why would it be 100% successful on restart?