On 4/27/19 9:22 PM, Tim Daneliuk wrote:
On 4/27/19 5:33 PM, @lbutlr wrote:
On 27 Apr 2019, at 16:21, Tim Daneliuk wrote:
Why is 9.12+ now suddenly so grumpy about who owns the files? Is this a recent
fix to reduce the attack surface on files owned by root?
Pretty sure. I thought it was
I've had LE fail after a certbot upgrade because it grew a dependency
that didn't automatically get installed with the upgrade.
So yes, automation good, but not perfect.
On 2018-12-31 6:54 PM, John W. Blue wrote:
nuff said, eh?
I thought that Let's Encrypt wanted to roll / revalidate SSL
On 08/26/2018 07:30 PM, takahiro wrote:
That's why I want to know the effect of installing with "without-openssl".
What specifically are you trying to accomplish by compiling without openssl?
___
Please visit
On 08/21/2018 08:53 AM, Grant Taylor via bind-users wrote:
On 08/20/2018 11:06 PM, Doug Barton wrote:
But that doesn't mean that slaving a zone, any zone, including the
root, is "dangerous." If slaving zones is dangerous, the DNS is way
more fragile than it already is.
Sorry,
On 08/20/2018 10:14 AM, Lee wrote:
On 8/19/18, Mark Andrews wrote:
nslookup applies the search list by default and doesn’t stop on a NODATA
response.
Some versions of nslookup have been modified by OS vendors to use /etc/hosts
for address lookups.
nslookup doesn’t display the entire response
On 08/20/2018 09:00 AM, Grant Taylor via bind-users wrote:
On 08/20/2018 05:23 AM, Tony Finch wrote:
If the local root zone gets corrupted somehow (maliciously or
otherwise) the usual setup cannot detect a problem, but it'll cause
DNSSEC validation failures downstream. The normal resolver /
vendors to use /etc/hosts
for address lookups.
nslookup doesn’t display the entire response by default.
On 20 Aug 2018, at 12:28 pm, Lee wrote:
On 8/19/18, Doug Barton wrote:
On 08/19/2018 12:11 PM, Lee wrote:
On 8/18/18, Doug Barton wrote:
nslookup uses the local resolver stub. That's fine
On 08/19/2018 12:11 PM, Lee wrote:
On 8/18/18, Doug Barton wrote:
nslookup uses the local resolver stub. That's fine, if that's what you
want/need to test. If you want to test specific servers, or what is
visible from the Internet, etc. dig is the right tool, as the answers
you get from
On 08/18/2018 04:53 PM, Barry Margolin wrote:
In article ,
Grant Taylor wrote:
On 08/18/2018 07:25 AM, Bob McDonald wrote:
I don't think anyone hates nslookup (well maybe a few do ) I
suppose the immense dislike stems from the fact that it's the default
utility under Windows. Folks who use
On 2018-08-15 10:43, Tony Finch wrote:
Doug Barton wrote:
Slaving the root and ARPA zones is a small benefit to performance for
a busy
resolver, [...]
This technique is particularly useful for folks in bad/expensive
network
conditions. While the current anycast networks of root servers
On 08/15/2018 09:11 AM, Bob McDonald wrote:
I've recently been investigating having a local slave copy of the root
zone on a caching/forwarder type server. I've even put the local slave
copy of the root zone into a separate view accessed via a different
loopback address. (A limited example of
On 01/28/2016 10:23 AM, Bernard Fay wrote:
Hi,
I have DDNS and DHCPD setup and it works ok so far.
But, while testing the integration of dhcpd and dns, I found that if I
change the IP address in dhcpd.conf for a previously configured client
the change is not reflected in DNS once the client
On 01/22/2016 05:30 PM, Rama Krishna Prasad Chunduru wrote:
Hi All,
I am trying to use RPZ ( Response Policy Zone) in DNS views (BIND
9.8.2) but i am getting the below error
service named restart
Stopping named:[ OK ]
Starting named:
Error in
On 01/13/2016 04:34 AM, Philippe Maechler wrote:
My idea for the new setup is:
---
caching servers
- Setup new caching servers
- Configure the ipv4 addresses of both (old) servers on the new servers as a
/32 and setup an anycast network.
This way the stupid
Folks,
Reading through manuals, HOWTOs, etc. on line it SEEMS possible that
BIND 9.8+ could be configured to use multiple KSPs. The traditional way
of configuring GSS-TSIG is the following in options{}:
tkey-domain FOO.BAR;
tkey-gssapi-credential DNS/dns1.foo.bar;
However that
It's interesting to see the discussion about trying to turn dig into
something it isn't. :) It's a really good DNS diagnostic tool, but if
you just want to get the answer for a query, host does the job quite
well, with a lot less fuss.
Doug
On 10/23/14 4:34 AM, Péter-Zoltán Keresztes wrote:
Hello
I am trying to add a dnssec signed domain to DLV isc.
Is there a DNSSEC path from this domain up to the root zone? (It would
be helpful to list what domain it is.) If so, why are you adding it to DLV?
Doug
On 10/21/14 8:31 PM, Frank Bulk wrote:
Dave,
Thanks for the input, but what I was looking for was a dig command that
returns the IP(s) or a fail. It looks like the host command is the right
solution in this case, not dig.
Yep. :)
You can check the return value of the call to get your fail
On 10/20/14 11:50 AM, Mike Bernhardt wrote:
Anyone have some input on this? No one has commented so far.
-Original Message-
From: Mike Bernhardt [mailto:bernha...@bart.gov]
Sent: Tuesday, October 14, 2014 11:59 AM
To: bind-users@lists.isc.org
Subject: BIND resource requirements
We are
On 10/7/14 11:03 AM, Terry Burton wrote:
With inline signing you have a hidden serial number in the unsigned zone
and an exposed serial number in the signed versions which your slaves
track. After redeployment (following DR, emergency relocation, elastic
capacity expansion, etc.) I want to be
On 10/1/14 8:17 AM, Barry Margolin wrote:
In article mailman.1035.1412133286.26362.bind-us...@lists.isc.org,
Eli Heady eli.he...@gmail.com wrote:
With response sizes growing (dnssec, ipv6), answers are more likely to be
too large for UDP.
That's unlikely. That's why EDNS was created, so
On 9/25/14 4:49 PM, LuKreme wrote:
Wait a second, so the zone name comes from the named.conf?
Not quite. When named loads the zone file it does it in the context of
the zone stanza from named.conf. If the zone name in the SOA is listed
literally then named will check to make sure that it
On 9/15/14 7:04 AM, Lightner, Jeff wrote:
While the final dot has been required within zone files to prevent unwanted appendages to
records it has NOT been required by tools such as host and nslookup on either Windows or
Linux/UNIX which routinely use search domains.
On Windows the behavior
On 9/12/14 11:07 AM, Mike Hoskins (michoski) wrote:
I do have a lot of interest in the community getting to the bottom of
this, as we are just planning a large upgrade in one of our environments
which will move caching clusters serving 6-8k clients over to 9.10.1.
Given all of the problems
On 8/28/14 10:55 AM, Timothe Litt wrote:
Aside from the use of the word 'absurdity', I'm not offended. I am
trying to educate. And while I recognize that I'm arguing
pragmatism with a market purist,
It's nice to be called pure, in some context anyway. :) However as I
pointed out I'm not
On 8/26/14 10:35 AM, Timothe Litt wrote:
I think this is misleading, or at least poorly worded and subject to
misinterpretation.
I chose my words carefully, and I stand by them.
I did not say that the DLV has no value, and I specifically mentioned
that there are circumstances when it is
On 8/27/14 3:03 PM, Timothe Litt wrote:
So you really meant that validating resolvers should only consult DLV if
their administrator knows that users are looking-up names that are in
the DLV? That's how I read your advice.
You're correct.
I don't see how that can work; hence we'll disagree.
On 8/26/14 5:50 AM, Tomas Hozza wrote:
| On 08/26/2014 02:27 PM, Mark Andrews wrote:
| Why would you expect them to succeed?
|
| Because validation using root servers and authoritative servers
| proved that the domain is intentionally unsecure.
Please don't reply to a message on the list and change the subject line.
Doing so causes your new topic to show under the previous one for
those using mail readers that thread properly, and may cause your
message to be missed altogether if someone has blocked that thread.
Instead, save the
On 08/04/2014 09:33 AM, John Anderson wrote:
I've recently inherited a project that is going to require some method of
automatically disseminating zone information to slave DNS servers running BIND.
The traditional solution to this problem is rsync, although I realize
that's not very sexy.
Almost certainly not running BIND. Almost certainly is running a
creative load balancing solution.
hth,
Doug
On 07/31/2014 12:56 PM, Ray Van Dolson wrote:
Not BIND-related specifically... (though the server below could be
running BIND I suppose).
This seems weird. Why is this
On 06/27/2014 08:27 AM, Johannes Kastl wrote:
The slave server (HOST B) is reachable from the internet via a dynDNS
hostname.
Now I want to setup another bind as slave on a server hosted at my
provider. It should use HOST B as its master, to transfer the zone and
act as a slave.
BUT I found
On 06/10/2014 08:56 AM, Mohammed Ejaz wrote:
Any help would be highly appreciated.
Switch to BlueCat which does all communication with TSIG by default? :)
Sorry, couldn't resist ...
Doug
On 05/28/2014 07:39 AM, Mark Andrews wrote:
In message d6c04ec67151214dad5e55e7ebf5207e425e3...@wrxxentexmb01.na.follett.lan, Baird, Josh writes:
Hi,
I have historically hosted authoritative slave zones on my internal caching/recursive servers to override recursion for internal zones.
On 05/27/2014 03:51 PM, Baird, Josh wrote:
Hi,
Can someone recommend a modern/new-ish book on DNS (specifically BIND)? I know
there have been several O'Reilly books throughout the years, but haven't kept up
on anything in the past few years. I'm looking for architecture design, best
On 05/08/2014 05:53 AM, Mart van de Wege wrote:
I have a couple, all of them 'retry limit for master $foo exceeded'.
Only 2 hits for the master that's giving trouble though, and none of
those around the time we had trouble.
If you're seeing any of these errors the problem is worse than you
Evan,
I mulled over your response and considered not pursuing this further,
but apparently I can't help myself. :)
On 04/27/2014 12:00 PM, Evan Hunt wrote:
On Sun, Apr 27, 2014 at 07:36:22PM +0100, Chris Thompson wrote:
I rather liked delve, but the truncation to delv does indeed seem
On 04/25/2014 02:25 PM, Evan Hunt wrote:
So, after consultation with the bottoms of one or two bottles, and
consideration of several alternative names (including dredge, bore,
shovel and -- taking it in a slightly different direction --
groove) we decided to simply send the second 'e' in delve
On 04/11/2014 10:59 AM, John Wobus wrote:
My understanding has been that two views that are masters for
a zone can safely share a zone file if the zone isn't dynamic (e.g.
dnsupdate, dnssec auto signing, etc), but that two views of
a slave zone shouldn't do that: you could have two
different
On 04/07/2014 02:46 PM, Dimitar Georgievski wrote:
Hi,
I am trying to configure a subnet (example: 10.1.16.32/27
http://10.1.26.96/27) zone files for internal domains, and have hard
times with setting up the reverse lookup zone file. The couple examples
I found on the internet didn't help
On 04/07/2014 08:14 PM, Dimitar Georgievski wrote:
Hi Doug,
Thanks, your article really cleared my confusion with the naming and
delegation of zones. I did read initially RFC 2317
https://tools.ietf.org/html/rfc2317 when I started working on this
task, but I was lost with the use of the /
On 03/17/2014 12:29 PM, Mathieu Arnold wrote:
Hum, so, it will also use pkcs11 for dnssec validation too ? (Sorry if this
seems a silly question.)
HSMs are typically an auth-only tool, although I suppose that in a
super-high-security environment that they could be justified for
validation
On 03/17/2014 01:06 PM, Evan Hunt wrote:
On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
Yes, it was my understanding of how HSM worked. That's why I was trying to
build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
side, and PKCS11 interface for zone
On 3/8/2014 1:30 PM, sth...@nethelp.no wrote:
One mitigation approach is to blackhole the domains using local zones.
That's not much of a mitigation. Not having open resolvers would be mitigation.
Not having open resolvers is good - but unfortunately doesn't help
against misbehaving clients
On 02/12/2014 10:16 PM, Christoph Moench-Tegeder wrote:
## Doug Barton (do...@dougbarton.us):
If you don't have enough random bits on your system to run these simple
tests, your /dev/random is seriously underpopulated, and likely a
security risk. You should definitely not put BIND
On 02/18/2014 04:39 PM, Mark Andrews wrote:
Only transfer from one AD master. Microsoft AD doesn't maintain
consistent serials across the servers. The serials should be
monotonically increasing from an individual server.
Also try to determine what the primary master is
On 02/17/2014 11:37 AM, Kevin Darcy wrote:
Ugh, that mixes apples (recursive resolution) and oranges (iterative
resolution).
Out of curiosity, what bad thing do you think will happen if you mix
these two functions?
Doug
On 02/12/2014 11:16 AM, Christoph Moench-Tegeder wrote:
## Bruce Dubbs (bruce.du...@gmail.com):
I've been trying to run the regression tests for bind-9.9.5 and keep
getting lots of timeouts and errors in the system/inline test.
I saw the same symptoms when packaging/testing bind-9.9.5. I
On 02/12/2014 05:17 AM, Chris Thompson wrote:
On Feb 11 2014, David Newman wrote:
[...]
That's interesting. It seems to contradict Lucas' advice to always
use '1 0 10' for these [NSEC3] flags, as fewer aren't secure enough
and more aren't any more secure.
It's difficult to see how that can
On 02/06/2014 06:27 AM, Chuck Anderson wrote:
I was kinda hoping that newer
versions of BIND could share zones (with identical zone contents)
between views without requiring the messy multiple IP alias setup.
You have always been able to do this with include files.
hth,
Doug
On 02/06/2014 04:27 AM, Klaus Darilion wrote:
Hi!
I just noticed that on rndc signing -clear all zone, Bind removes the
private RRs, updates the NSEC3 RR, and increases the serial, but it does
not send NOTIFYs.
I guess this is a bug.
I tested bind 9.9.5, with inline-signing of a zone.
Does
On 01/20/2014 11:21 AM, Jim Pazarena wrote:
Thank you for this. I am familiar with the setup; I suppose that my
question was unclear.
Can the SAME named.conf handle BOTH the /24 cname assignments AND
the /25 in-addr.arpa records.
Which sounds like a dumb question, but I thought named may not
On 01/14/2014 08:14 AM, LuKreme wrote:
so I should change
zone kreme.com { type slave; masters { 75.148.37.67; }; file
slave/kreme.com; };
to
zone kreme.com { type slave; masters { 75.148.37.67; }; file
“/var/named/etc/namedb/slave/kreme.com; };
and that will eliminate the errors?
No.
Howdy,
Without going into too much detail, doing some performance testing and
am seeing a weird result. On the same systems authoritative queries will
happily peg the CPU. However when running recursive queries (with a
small zone, all data cached before testing) the CPU never gets above
80%.
Thanks for the response, but that's not it. The auth-only responses are
generating a lot more traffic than the recursive.
Doug
On 01/12/2014 05:21 PM, Sten Carlsen wrote:
Wild guess: network bandwidth runs out before CPU? Why the difference, I
have no clue.
On 13/01/14 02.16, Doug Barton
Thanks for the response, but you're answering a different question than
I asked. :) The question I'm interested in is, Why is the recursive
server not pegging the CPU? I'm aware that there will be a difference
in qps between auth-only and recursive, but the recursive server seems
to be
On 01/12/2014 07:30 PM, Barry Margolin wrote:
In article mailman.2014.1389579103.20661.bind-us...@lists.isc.org,
Doug Barton do...@dougbarton.us wrote:
Thanks for the response, but you're answering a different question than
I asked. :) The question I'm interested in is, Why is the recursive
On 07/30/2013 02:49 PM, Lawrence K. Chen, P.Eng. wrote:
From 9.9.2-P2...I had build 9.9.3, but just as I was about to deploy came the
announcement to either go to 9.9.3-P1 or stay with 9.9.2-P2.
All the picky messages of this version
You had a lot of issues in your message. IMO they
On 07/23/2013 04:48 PM, David Newman wrote:
On 7/23/13 3:44 PM, Mark Andrews wrote:
In message 51ef00af.4090...@networktest.com, David Newman writes:
FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports
[...]
zone example.org {
type master;
file
On 07/12/2013 09:09 AM, Michael Hare wrote:
Bind-users;
I have been asked to slave a /24 from a microsoft SOA, however, their
authority for the /24 is false in that they really only have authority
to 192/26.
Am I correct in that there is no way to slave said zone
[x.y.z.in-addr.arpa] but serve
It's not at all clear from your description what you're trying to
accomplish. Particularly it's not clear what you seem to be trying to
accomplish with the 2317 delegation for a /24 zone.
Can you describe what you're trying to do, and why? It may be easier to
help you that way. Please use the
, Doug Barton do...@dougbarton.us
mailto:do...@dougbarton.us wrote:
It's not at all clear from your description what you're trying to
accomplish. Particularly it's not clear what you seem to be trying
to accomplish with the 2317 delegation for a /24 zone.
Can you describe what you're
On 07/03/2013 07:52 PM, Novosielski, Ryan wrote:
| On 07/03/2013 04:39 AM, Matus UHLAR - fantomas wrote:
| On 02.07.13 08:53, Daniel McDonald wrote:
| I've had trouble with OSI-Soft PI historian without reverse
| entries. If there is no reverse,
On 07/02/2013 06:34 AM, Sam Wilson wrote:
In article mailman.731.1372769988.20661.bind-us...@lists.isc.org,
Tony Finch d...@dotat.at wrote:
Klaus Darilion klaus.mailingli...@pernau.at wrote:
Some software allows to configure the syslog prefix, but I couldn't find
that
for bind.
Rename
On 06/26/2013 07:54 AM, Matus UHLAR - fantomas wrote:
All very interesting, but I'm afraid at my level of expertise on DNS,
I'm
not following. If I'm broken, how do I attempt to fix? Someone
mentioned
that our ns1.starionhost.net was not authoritative. How does one even
decide that? As far
On 06/26/2013 06:50 PM, SH Development wrote:
Okay, so I got to it sooner than I thought. So, could you take a look at:
starionhost.net
stariontech.com
starionline.com
Any one of those, but they should all be identical now and on some new
secondary DNS.
The delegations are now identical,
Yes, seems fine now. Can you share more information about what it was
you turned off? Sounds odd, but the results speak for themselves.
Doug
On 06/26/2013 09:39 PM, SH Development wrote:
Sure could use some direction about where to start looking. I thought I had
everything working for the
On Jun 26, 2013, at 11:53 PM, Doug Barton do...@dougbarton.us wrote:
Yes, seems fine now. Can you share more information about what it was you
turned off? Sounds odd, but the results speak for themselves.
Doug
On 06/26/2013 09:39 PM, SH Development wrote:
Sure could use some direction about where
Norman,
It's virtually certain that the error you're seeing is not related to
BIND. You would almost certainly get your problem solved faster by
posting on a list related to the web server software that you are using
and walking through your complete configuration with them.
Good luck,
Great! Now step 2 is to remove the tag from the subject line before
sending mail back to the list. :)
On 06/16/2013 02:50 PM, Jerry K wrote:
Hello Warren,
Thank you so much for this post.
Long time procmail user here. I'm only sad I didn't think of this
myself first.
It's been working
On 06/14/2013 09:08 AM, Evan Hunt wrote:
(Our usual policy is not to add substantial new features in maintenance
releases like 9.9.4; making it a compile-time option that defaults to off
is our way of tiptoeing around the rule.)
Quite reasonable, and much appreciated. :)
wrote:
In message 51baa714.9020...@dougbarton.us,
Doug Barton do...@dougbarton.us wrote:
It's obvious you're frustrated (understandable), and enthusiastic
(commendable), but you might want to consider dialing down your
rhetoric a bit.
Great idea! I have only one small question... Would you
On 06/14/2013 05:13 PM, Vernon Schryver wrote:
From: Doug Barton do...@dougbarton.us
is that (like RRL) your proposal relies on people updating their
software.
RRL needs only authority and open recursive servers to be updated.
The vast majority of DNS installations are closed
On 06/13/2013 02:01 PM, Ronald F. Guilmette wrote:
The entire problem is fundamentally a result of the introduction of EDNS0.
Wouldn't you agree?
No. You can still get pretty good amplification with 512 byte responses.
There are 2 causes of this problem, lack of BCP 38, and improperly
.10...@dougbarton.us,
Doug Barton do...@dougbarton.us wrote:
No. You can still get pretty good amplification with 512 byte responses.
That is an interesting contention. Is there any evidence of, or even any
reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
using
Jason,
What you're saying here doesn't make sense, so some more details are
needed.
On 06/11/2013 08:54 PM, Jason Hellenthal wrote:
I have a domain or two that I'm serving up and have traffic from some
mobile devices and a few pieces of software that also try to resolve to
the hostname.tld
On 06/05/2013 11:33 AM, Tony Finch wrote:
I believe the ANY hack on mail servers was a Sendmailism 20ish years ago.
s/Send/q/
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
On 05/21/2013 12:39 AM, Phil Mayers wrote:
On 05/21/2013 08:23 AM, Matus UHLAR - fantomas wrote:
On 21.05.13 11:03, Mark Andrews wrote:
The simplest solution is to slave the root zone and
turn off notify to so you don't spam the official
root servers. 192.5.5.241 is
No problem here from 2 different sites. Seems to be a problem between
your resolving name server and their authorities:
;; AUTHORITY SECTION:
pointhq.com.    3190    IN    NS    dns6.pointhq.com.
pointhq.com.    3190    IN    NS    dns7.pointhq.com.
;; ADDITIONAL
Seriously, can we stop discussing this now?
If you need subject line tags, or your mail client doesn't properly know
how to respond only to the list, or whatever -- please go work that out
on your own.
The majority of users on the list don't want or need these things, and
many of us find
On 05/07/2013 01:50 PM, Matus UHLAR - fantomas wrote:
On 07.05.13 11:06, Michael Varre wrote:
So interestingly they did give me their setup and this is their
response, and my warm and fuzzy feeling continues to go out the window:
They use SimpleDNS
Record Name: 65.246.59.108.in-addr.arpa
DNS
On 05/03/2013 11:44 AM, rohan.he...@cwjamaica.com wrote:
What if both authoritative and recursive are running on the same server
That's a simple answer, don't do that.
Doug (ever)
Ted made some really good points. It's also worth pointing out that
overhead, like renting the facility to teach the classes in, food,
travel expenses for the trainers to get to the site, course materials,
insurance, etc. often run into the 'many hundreds' of dollars per
student before the
Michael,
Thanks for this announcement, and a welcome change.
Given the following:
1. bind-announce is very low volume, and carries only critical
information that the community needs to know
2. Currently all posts to bind-announce are duplicated to the other lists
Wouldn't it make sense to
On 04/08/2013 06:54 AM, Sam Wilson wrote:
In article mailman.61.1365232319.20661.bind-us...@lists.isc.org,
Doug Barton do...@dougbarton.us wrote:
On 04/05/2013 11:53 PM, Novosielski, Ryan wrote:
| It is funny you should mention that... my questions about using views
| to create a situation
On 04/08/2013 06:42 AM, Sam Wilson wrote:
In article mailman.49.1365191296.20661.bind-us...@lists.isc.org,
wbr...@e1b.org wrote:
Incidentally, we have just been asked for an A record for cam.ac.uk to
duplicate www.cam.ac.uk because, and I quote, all the publicity
material
sent out by the
On 04/01/2013 11:46 AM, Kevin Darcy wrote:
On 3/29/2013 12:09 AM, Doug Barton wrote:
On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
My organization is evaluating the use of split-view DNS in our
environment.
Simple ... don't do it. It's almost never the right answer, and as
you're
On 04/02/2013 12:47 AM, Martin T wrote:
Is NS record pointing to some other name server needed in case of
classless IN-ADDR.ARPA delegations? What happens if one does not
specify this?
It's very common for the parent name server(s) to slave the 2317 zone so
that it can answer directly. It's
On 04/03/2013 05:30 PM, Kevin Darcy wrote:
It's still not clear to me what you think is the right way to do it.
I'm not saying that there is only one right way. I'm saying you first
have to answer the question, What might we want to achieve by having
different answers internally vs.
On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
My organization is evaluating the use of split-view DNS in our environment.
Simple ... don't do it. It's almost never the right answer, and as
you're learning carries with it more administrative overhead than the
problems it's designed to
There is no need to post to both the mailing list and the news group.
You can safely post only to the list, and it will be sent to the group
for you.
Rather than us guessing what it is you're trying to accomplish, can you
say a little more about it? I can think of some legitimate reasons why
On 03/05/2013 11:08 AM, Pat Suwalski wrote:
Hello everyone,
I have a question about using the $INCLUDE directive in my zone files.
We run DNS for a moderately large number of domains, largely pointing at
the same servers. So, I'd really like to have the following setup:
db.common.inc:
On 02/28/2013 02:37 AM, Shane Kerr wrote:
Note though that as far as I can tell, few people actually use the ESV
software. Please let us know if the ESV policy works for you!
You probably want to have some discussions with OS vendors that embed
BIND to familiarize yourself with how many
On 02/28/2013 09:34 AM, Robert Moskowitz wrote:
Only for my internal tld does the lookup fail.
Are you distributing the trust anchor for htt to all of the servers that
are doing validation?
Doug
You want to set up your resolver on your mail server to forward to your
main resolver, using the forward only option. This will allow your mail
server resolver to benefit from the cache already populated on your main
resolver, while still maintaining the value of caching the answers
itself
On 02/26/2013 10:38 AM, Robert Moskowitz wrote:
I would like a scalpel for lame logging, but probably would not discover
any actionable data.
There is a logging category for lame-servers. It's in the ARM.
Doug
On 02/22/2013 01:26 AM, Nikita Koshikov wrote:
On Thu, Feb 21, 2013 at 10:47 PM, Doug Barton do...@dougbarton.us
mailto:do...@dougbarton.us wrote:
Can you slave the 11.2.10.in-addr.arpa zone instead of forwarding?
That would be easier, and avoid the pitfalls already described
On 02/21/2013 10:20 AM, Nikita Koshikov wrote:
Hello list,
I'm trying to cut /24 network from the scope of /8 network, here is
example:
zone 11.2.10.in-addr.arpa {
type forward;
forwarders { 192.168.1.23; 192.168.1.24; };
};
zone