Re: Bind > 9.12 Will Not Start On FreeBSD

2019-04-28 Thread Doug Barton
On 4/27/19 9:22 PM, Tim Daneliuk wrote: On 4/27/19 5:33 PM, @lbutlr wrote: On 27 Apr 2019, at 16:21, Tim Daneliuk wrote: Why is 9.12+ now suddenly so grumpy about who owns the files? Is this a recent fix to reduce the attack surface on files owned by root? Pretty sure. I thought it was

Re: SSL cert for lists.isc.org expired on Saturday, December 29, 2018

2019-01-01 Thread Doug Barton
I've had LE fail after a certbot upgrade because it grew a dependency that didn't automatically get installed with the upgrade. So yes, automation good, but not perfect. On 2018-12-31 6:54 PM, John W. Blue wrote: nuff said, eh? I thought that Let's Encrypt wanted to roll / revalidate SSL

Re: about the effect of installing with "--without-openssl"

2018-08-26 Thread Doug Barton
On 08/26/2018 07:30 PM, takahiro wrote: That's why I want to know the effect of installing with "without-openssl". What specifically are you trying to accomplish by compiling without openssl?

Re: Local Slave copy of root zone

2018-08-21 Thread Doug Barton
On 08/21/2018 08:53 AM, Grant Taylor via bind-users wrote: On 08/20/2018 11:06 PM, Doug Barton wrote: But that doesn't mean that slaving a zone, any zone, including the root, is "dangerous." If slaving zones is dangerous, the DNS is way more fragile than it already is. Sorry,

Re: nslookup oddities (Was: SRV record not working)

2018-08-20 Thread Doug Barton
On 08/20/2018 10:14 AM, Lee wrote: On 8/19/18, Mark Andrews wrote: nslookup applies the search list by default and doesn’t stop on a NODATA response. Some versions of nslookup have been modified by OS vendors to use /etc/hosts for address lookups. nslookup doesn’t display the entire response

Re: Local Slave copy of root zone

2018-08-20 Thread Doug Barton
On 08/20/2018 09:00 AM, Grant Taylor via bind-users wrote: On 08/20/2018 05:23 AM, Tony Finch wrote: If the local root zone gets corrupted somehow (maliciously or otherwise) the usual setup cannot detect a problem, but it'll cause DNSSEC validation failures downstream. The normal resolver /

Re: nslookup oddities (Was: SRV record not working)

2018-08-19 Thread Doug Barton
vendors to use /etc/hosts for address lookups. nslookup doesn’t display the entire response by default. On 20 Aug 2018, at 12:28 pm, Lee wrote: On 8/19/18, Doug Barton wrote: On 08/19/2018 12:11 PM, Lee wrote: On 8/18/18, Doug Barton wrote: nslookup uses the local resolver stub. That's fine

Re: nslookup oddities (Was: SRV record not working)

2018-08-19 Thread Doug Barton
On 08/19/2018 12:11 PM, Lee wrote: On 8/18/18, Doug Barton wrote: nslookup uses the local resolver stub. That's fine, if that's what you want/need to test. If you want to test specific servers, or what is visible from the Internet, etc. dig is the right tool, as the answers you get from

Re: SRV record not working

2018-08-18 Thread Doug Barton
On 08/18/2018 04:53 PM, Barry Margolin wrote: In article , Grant Taylor wrote: On 08/18/2018 07:25 AM, Bob McDonald wrote: I don't think anyone hates nslookup (well maybe a few do ) I suppose the immense dislike stems from the fact that it's the default utility under Windows. Folks who use

Re: Local Slave copy of root zone

2018-08-18 Thread Doug Barton
On 2018-08-15 10:43, Tony Finch wrote: Doug Barton wrote: Slaving the root and ARPA zones is a small benefit to performance for a busy resolver, [...] This technique is particularly useful for folks in bad/expensive network conditions. While the current anycast networks of root servers

Re: Local Slave copy of root zone

2018-08-15 Thread Doug Barton
On 08/15/2018 09:11 AM, Bob McDonald wrote: I've recently been investigating having a local slave copy of the root zone on a caching/forwarder type server. I've even put the local slave copy of the root zone into a separate view accessed via a different loopback address. (A limited example of

Re: Modification in dhcpd.conf does not update ddns

2016-01-28 Thread Doug Barton
On 01/28/2016 10:23 AM, Bernard Fay wrote: Hi, I have DDNS and DHCPD setup and it works ok so far. But, while testing the integration of dhcpd and dns, I found that if I change the IP address in dhcpd.conf for a previously configured client the change is not reflected in DNS once the client

Re: RPZ in dns views

2016-01-22 Thread Doug Barton
On 01/22/2016 05:30 PM, Rama Krishna Prasad Chunduru wrote: Hi All, I am trying to use RPZ (Response Policy Zone) in DNS views (BIND 9.8.2) but I am getting the below error service named restart Stopping named:[ OK ] Starting named: Error in

Re: Bind9 on VMWare

2016-01-15 Thread Doug Barton
On 01/13/2016 04:34 AM, Philippe Maechler wrote: My idea for the new setup is: --- caching servers - Setup new caching servers - Configure the ipv4 addresses of both (old) servers on the new servers as a /32 and setup an anycast network. This way the stupid

GSS-TSIG updates with multiple KSPs on the same BIND server?

2015-06-03 Thread Doug Barton
Folks, Reading through manuals, HOWTOs, etc. on line it SEEMS possible that BIND 9.8+ could be configured to use multiple KSPs. The traditional way of configuring GSS-TSIG is the following in options{}: tkey-domain FOO.BAR; tkey-gssapi-credential DNS/dns1.foo.bar; However that

Re: Digging to the final IP

2014-10-24 Thread Doug Barton
It's interesting to see the discussion about trying to turn dig into something it isn't. :) It's a really good DNS diagnostic tool, but if you just want to get the answer for a query, host does the job quite well, with a lot less fuss. Doug

Re: DLV verify issue

2014-10-24 Thread Doug Barton
On 10/23/14 4:34 AM, Péter-Zoltán Keresztes wrote: Hello I am trying to add a dnssec signed domain to DLV isc. Is there a DNSSEC path from this domain up to the root zone? (It would be helpful to list what domain it is.) If so, why are you adding it to DLV? Doug

Re: Digging to the final IP

2014-10-24 Thread Doug Barton
On 10/21/14 8:31 PM, Frank Bulk wrote: Dave, Thanks for the input, but what I was looking for was a dig command that returns the IP(s) or a fail. It looks like the host command is the right solution in this case, not dig. Yep. :) You can check the return value of the call to get your fail

Re: BIND resource requirements

2014-10-20 Thread Doug Barton
On 10/20/14 11:50 AM, Mike Bernhardt wrote: Anyone have some input on this? No one has commented so far. -Original Message- From: Mike Bernhardt [mailto:bernha...@bart.gov] Sent: Tuesday, October 14, 2014 11:59 AM To: bind-users@lists.isc.org Subject: BIND resource requirements We are

Re: Inline-signing feature request: Directly set the signed zone's serial number

2014-10-07 Thread Doug Barton
On 10/7/14 11:03 AM, Terry Burton wrote: With inline signing you have a hidden serial number in the unsigned zone and an exposed serial number in the signed versions which your slaves track. After redeployment (following DR, emergency relocation, elastic capacity expansion, etc.) I want to be

Re: Diagnostic help part 2

2014-10-01 Thread Doug Barton
On 10/1/14 8:17 AM, Barry Margolin wrote: In article mailman.1035.1412133286.26362.bind-us...@lists.isc.org, Eli Heady eli.he...@gmail.com wrote: With response sizes growing (dnssec, ipv6), answers are more likely to be too large for UDP. That's unlikely. That's why EDNS was created, so

Re: Two domains reporting errors

2014-09-27 Thread Doug Barton
On 9/25/14 4:49 PM, LuKreme wrote: Wait a second, so the zone name comes from the named.conf? Not quite. When named loads the zone file it does it in the context of the zone stanza from named.conf. If the zone name in the SOA is listed literally then named will check to make sure that it

Re: Change in behaviour regarding ndots and searchlist

2014-09-15 Thread Doug Barton
On 9/15/14 7:04 AM, Lightner, Jeff wrote: While the final dot has been required within zone files to prevent unwanted appendages to records it has NOT been required by tools such as host and nslookup on either Windows or Linux/UNIX which routinely use search domains. On Windows the behavior

Re: bind-9.10.0-P2 memory leak?

2014-09-12 Thread Doug Barton
On 9/12/14 11:07 AM, Mike Hoskins (michoski) wrote: I do have a lot of interest in the community getting to the bottom of this, as we are just planning a large upgrade in one of our environments which will move caching clusters serving 6-8k clients over to 9.10.1. Given all of the problems

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-28 Thread Doug Barton
On 8/28/14 10:55 AM, Timothe Litt wrote: Aside from the use of the word 'absurdity', I'm not offended. I am trying to educate. And while I recognize that I'm arguing pragmatism with a market purist, It's nice to be called pure, in some context anyway. :) However as I pointed out I'm not

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-27 Thread Doug Barton
On 8/26/14 10:35 AM, Timothe Litt wrote: I think this is misleading, or at least poorly worded and subject to misinterpretation. I chose my words carefully, and I stand by them. I did not say that the DLV has no value, and I specifically mentioned that there are circumstances when it is

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-27 Thread Doug Barton
On 8/27/14 3:03 PM, Timothe Litt wrote: So you really meant that validating resolvers should only consult DLV if their administrator knows that users are looking-up names that are in the DLV? That's how I read your advice. You're correct. I don't see how that can work; hence we'll disagree.

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Doug Barton
On 8/26/14 5:50 AM, Tomas Hozza wrote: | On 08/26/2014 02:27 PM, Mark Andrews wrote: | Why would you expect them to succeed? | | Because validation using root servers and authoritative servers | proved that the domain is intentionally unsecure.

Re: Bind RPZ dnsfirewall howto's version 2 are here

2014-08-23 Thread Doug Barton
Please don't reply to a message on the list and change the subject line. Doing so causes your new topic to show under the previous one for those using mail readers that thread properly, and may cause your message to be missed altogether if someone has blocked that thread. Instead, save the

Re: Metazones or Something Else?

2014-08-04 Thread Doug Barton
On 08/04/2014 09:33 AM, John Anderson wrote: I've recently inherited a project that is going to require some method of automatically disseminating zone information to slave DNS servers running BIND. The traditional solution to this problem is rsync, although I realize that's not very sexy.

Re: OT: Authoritative Server returning RR's with decrementing TTL's?

2014-07-31 Thread Doug Barton
Almost certainly not running BIND. Almost certainly is running a creative load balancing solution. hth, Doug On 07/31/2014 12:56 PM, Ray Van Dolson wrote: Not BIND-related specifically... (though the server below could be running BIND I suppose). This seems weird. Why is this

Re: Using a DynDNS hostname in master-statement for a bind slave?

2014-06-27 Thread Doug Barton
On 06/27/2014 08:27 AM, Johannes Kastl wrote: The slave server (HOST B) is reachable from the internet via a dynDNS hostname. Now I want to setup another bind as slave on a server hosted at my provider. It should use HOST B as its master, to transfer the zone and act as a slave. BUT I found

Re: tsig-key

2014-06-10 Thread Doug Barton
On 06/10/2014 08:56 AM, Mohammed Ejaz wrote: Any help would be highly appreciated. Switch to BlueCat which does all communication with TSIG by default? :) Sorry, couldn't resist ... Doug

Re: SPF RR type

2014-06-06 Thread Doug Barton
Please don't reply to a message on the list and change the subject line. Doing so causes your new topic to show under the previous one for those using mail readers that thread properly, and may cause your message to be missed altogether if someone has blocked that thread. Instead, save the

Re: Problem dlz_mysql_driver

2014-06-03 Thread Doug Barton
Please don't reply to a message on the list and change the subject line. Doing so causes your new topic to show under the previous one for those using mail readers that thread properly, and may cause your message to be missed altogether if someone has blocked that thread. Instead, save the

Re: Architecture Questions

2014-06-01 Thread Doug Barton
On 05/28/2014 07:39 AM, Mark Andrews wrote: In message d6c04ec67151214dad5e55e7ebf5207e425e3...@wrxxentexmb01.na.follett.l an, Baird, Josh writes: Hi, I have historically hosted authoritative slave zones on my internal caching/r ecursive servers to override recursion for internal zones.

Re: Book recommendations?

2014-06-01 Thread Doug Barton
On 05/27/2014 03:51 PM, Baird, Josh wrote: Hi, Can someone recommend a modern/new-ish book on DNS (specifically BIND)? I know there have been several O'Reilly books throughout the years, but haven't kept up on anything in the past few years. I'm looking for architecture design, best

Re: Slave zone intermittently not refreshing

2014-05-11 Thread Doug Barton
On 05/08/2014 05:53 AM, Mart van de Wege wrote: I have a couple, all of them 'retry limit for master $foo exceeded'. Only 2 hits for the master that's giving trouble though, and none of those around the time we had trouble. If you're seeing any of these errors the problem is worse than you

Re: a note on 9.10.0rc2: eleven, twelve; dig and delv(e)

2014-04-30 Thread Doug Barton
Evan, I mulled over your response and considered not pursuing this further, but apparently I can't help myself. :) On 04/27/2014 12:00 PM, Evan Hunt wrote: On Sun, Apr 27, 2014 at 07:36:22PM +0100, Chris Thompson wrote: I rather liked delve, but the truncation to delv does indeed seem

Re: a note on 9.10.0rc2: eleven, twelve; dig and delv(e)

2014-04-25 Thread Doug Barton
On 04/25/2014 02:25 PM, Evan Hunt wrote: So, after consultation with the bottoms of one or two bottles, and consideration of several alternative names (including dredge, bore, shovel and -- taking it in a slightly different direction -- groove) we decided to simply send the second 'e' in delve

Re: Clients Matching Multiple Views

2014-04-11 Thread Doug Barton
On 04/11/2014 10:59 AM, John Wobus wrote: My understanding has been that two views that are masters for a zone can safely share a zone file if the zone isn't dynamic (e.g. dnsupdate, dnssec auto signing, etc), but that two views of a slave zone shouldn't do that: you could have two different

Re: Example of classless reverse-lookup zone

2014-04-07 Thread Doug Barton
On 04/07/2014 02:46 PM, Dimitar Georgievski wrote: Hi, I am trying to configure a subnet (example: 10.1.16.32/27 http://10.1.26.96/27) zone files for internal domains, and am having a hard time with setting up the reverse lookup zone file. The couple examples I found on the internet didn't help

Re: Example of classless reverse-lookup zone

2014-04-07 Thread Doug Barton
On 04/07/2014 08:14 PM, Dimitar Georgievski wrote: Hi Doug, Thanks, your article really cleared my confusion with the naming and delegation of zones. I did read initially RFC 2317 https://tools.ietf.org/html/rfc2317 when I started working on this task, but I was lost with the use of the /

Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Doug Barton
On 03/17/2014 12:29 PM, Mathieu Arnold wrote: Hum, so, it will also use pkcs11 for dnssec validation too ? (Sorry if this seems a silly question.) HSMs are typically an auth-only tool, although I suppose that in a super-high-security environment that they could be justified for validation

Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Doug Barton
On 03/17/2014 01:06 PM, Evan Hunt wrote: On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote: Yes, it was my understanding of how HSM worked. That's why I was trying to build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one side, and PKCS11 interface for zone

Re: Sporadic but noticable SERVFAILs in specific nodes of an anycast resolving farm running BIND

2014-03-09 Thread Doug Barton
On 3/8/2014 1:30 PM, sth...@nethelp.no wrote: One mitigation approach is to blackhole the domains using local zones. That's not much of a mitigation. Not having open resolvers would be mitigation. Not having open resolvers is good - but unfortunately doesn't help against misbehaving clients

Re: bind-9.9.5 regression test error

2014-02-23 Thread Doug Barton
On 02/12/2014 10:16 PM, Christoph Moench-Tegeder wrote: ## Doug Barton (do...@dougbarton.us): If you don't have enough random bits on your system to run these simple tests, your /dev/random is seriously underpopulated, and likely a security risk. You should definitely not put BIND

Re: Monitoring Zonefiletransfer

2014-02-18 Thread Doug Barton
On 02/18/2014 04:39 PM, Mark Andrews wrote: Only transfer from one AD master. Microsoft AD doesn't maintain consistent serials across the servers. The serials should be monotonically increasing from an individual server. Also try to determine what the primary master is

Re: how to modify the cache

2014-02-17 Thread Doug Barton
On 02/17/2014 11:37 AM, Kevin Darcy wrote: Ugh, that mixes apples (recursive resolution) and oranges (iterative resolution). Out of curiosity, what bad thing do you think will happen if you mix these two functions? Doug

Re: bind-9.9.5 regression test error

2014-02-12 Thread Doug Barton
On 02/12/2014 11:16 AM, Christoph Moench-Tegeder wrote: ## Bruce Dubbs (bruce.du...@gmail.com): I've been trying to run the regression tests for bind-9.9.5 and keep getting lots of timeouts and errors in the system/inline test. I saw the same symptoms when packaging/testing bind-9.9.5. I

Re: changing NSEC3 salt

2014-02-12 Thread Doug Barton
On 02/12/2014 05:17 AM, Chris Thompson wrote: On Feb 11 2014, David Newman wrote: [...] That's interesting. It seems to contradict Lucas' advice to always use '1 0 10' for these [NSEC3] flags, as fewer aren't secure enough and more aren't any more secure. It's difficult to see how that can

Re: Disabling RPZ for a few clients / views sharing zones

2014-02-06 Thread Doug Barton
On 02/06/2014 06:27 AM, Chuck Anderson wrote: I was kinda hoping that newer versions of BIND could share zones (with identical zone contents) between views without requiring the messy multiple IP alias setup. You have always been able to do this with include files. hth, Doug

Re: missing NOTIFY after rndc signing -clear all zone

2014-02-06 Thread Doug Barton
On 02/06/2014 04:27 AM, Klaus Darilion wrote: Hi! I just noticed that on rndc signing -clear all zone, Bind removes the private RRs, updates the NSEC3 RR, and increases the serial, but it does not send NOTIFYs. I guess this is a bug. I tested bind 9.9.5, with inline-signing of a zone. Does

Re: classless ptr setup

2014-01-20 Thread Doug Barton
On 01/20/2014 11:21 AM, Jim Pazarena wrote: Thank you for this. I am familiar with the setup; I suppose that my question was unclear. Can the SAME named.conf handle BOTH the /24 cname assignments AND the /25 in-addr.arpa records. Which sounds like a dumb question, but I thought named may not

Re: dumping master file: tmp-xxx: open: permission denied

2014-01-14 Thread Doug Barton
On 01/14/2014 08:14 AM, LuKreme wrote: so I should change zone kreme.com { type slave; masters { 75.148.37.67; }; file slave/kreme.com; }; to zone kreme.com { type slave; masters { 75.148.37.67; }; file “/var/named/etc/namedb/slave/kreme.com; }; and that will eliminate the errors? No.

Generic reasons for recursive performance not to peg CPU?

2014-01-12 Thread Doug Barton
Howdy, Without going into too much detail, doing some performance testing and am seeing a weird result. On the same systems authoritative queries will happily peg the CPU. However when running recursive queries (with a small zone, all data cached before testing) the CPU never gets above 80%.

Re: Generic reasons for recursive performance not to peg CPU?

2014-01-12 Thread Doug Barton
Thanks for the response, but that's not it. The auth-only responses are generating a lot more traffic than the recursive. Doug On 01/12/2014 05:21 PM, Sten Carlsen wrote: Wild guess: network bandwidth runs out before CPU? Why the difference, I have no clue. On 13/01/14 02.16, Doug Barton

Re: Generic reasons for recursive performance not to peg CPU?

2014-01-12 Thread Doug Barton
Thanks for the response, but you're answering a different question than I asked. :) The question I'm interested in is, Why is the recursive server not pegging the CPU? I'm aware that there will be a difference in qps between auth-only and recursive, but the recursive server seems to be

Re: Generic reasons for recursive performance not to peg CPU?

2014-01-12 Thread Doug Barton
On 01/12/2014 07:30 PM, Barry Margolin wrote: In article mailman.2014.1389579103.20661.bind-us...@lists.isc.org, Doug Barton do...@dougbarton.us wrote: Thanks for the response, but you're answering a different question than I asked. :) The question I'm interested in is, Why is the recursive

Re: Updated to bind 9.9.3-P2

2013-07-30 Thread Doug Barton
On 07/30/2013 02:49 PM, Lawrence K. Chen, P.Eng. wrote: From 9.9.2-P2...I had built 9.9.3, but just as I was about to deploy came the announcement to either go to 9.9.3-P1 or stay with 9.9.2-P2. All the picky messages of this version You had a lot of issues in your message. IMO they

Re: permissions for DNSSEC zone signing

2013-07-23 Thread Doug Barton
On 07/23/2013 04:48 PM, David Newman wrote: On 7/23/13 3:44 PM, Mark Andrews wrote: In message 51ef00af.4090...@networktest.com, David Newman writes: FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports [...] zone example.org { type master; file

Re: bind classless slave from microsoft dns classful SOA?

2013-07-14 Thread Doug Barton
On 07/12/2013 09:09 AM, Michael Hare wrote: Bind-users; I have been asked to slave a /24 from a microsoft SOA, however, their authority for the /24 is false in that they really only have authority to 192/26. Am I correct in that there is no way to slave said zone [x.y.z.in-addr.arpa] but serve

Re: Reverse Lookups with Forwarders

2013-07-09 Thread Doug Barton
It's not at all clear from your description what you're trying to accomplish. Particularly it's not clear what you seem to be trying to accomplish with the 2317 delegation for a /24 zone. Can you describe what you're trying to do, and why? It may be easier to help you that way. Please use the

Re: Reverse Lookups with Forwarders

2013-07-09 Thread Doug Barton
, Doug Barton do...@dougbarton.us mailto:do...@dougbarton.us wrote: It's not at all clear from your description what you're trying to accomplish. Particularly it's not clear what you seem to be trying to accomplish with the 2317 delegation for a /24 zone. Can you describe what you're

Re: Reverse address entries

2013-07-03 Thread Doug Barton
On 07/03/2013 07:52 PM, Novosielski, Ryan wrote: | On 07/03/2013 04:39 AM, Matus UHLAR - fantomas wrote: | On 02.07.13 08:53, Daniel McDonald wrote: | I've had trouble with OSI-Soft PI historian without reverse | entries. If there is no reverse,

Re: configure syslog prefix

2013-07-02 Thread Doug Barton
On 07/02/2013 06:34 AM, Sam Wilson wrote: In article mailman.731.1372769988.20661.bind-us...@lists.isc.org, Tony Finch d...@dotat.at wrote: Klaus Darilion klaus.mailingli...@pernau.at wrote: Some software allows to configure the syslog prefix, but I couldn't find that for bind. Rename

Re: Secondary DNS question...

2013-06-26 Thread Doug Barton
On 06/26/2013 07:54 AM, Matus UHLAR - fantomas wrote: All very interesting, but I'm afraid at my level of expertise on DNS, I'm not following. If I'm broken, how do I attempt to fix? Someone mentioned that our ns1.starionhost.net was not authoritative. How does one even decide that? As far

Re: Secondary DNS question...

2013-06-26 Thread Doug Barton
On 06/26/2013 06:50 PM, SH Development wrote: Okay, so I got to it sooner than I thought. So, could you take a look at: starionhost.net stariontech.com starionline.com Any one of those, but they should all be identical now and on some new secondary DNS. The delegations are now identical,

Re: Secondary DNS question...

2013-06-26 Thread Doug Barton
Yes, seems fine now. Can you share more information about what it was you turned off? Sounds odd, but the results speak for themselves. Doug On 06/26/2013 09:39 PM, SH Development wrote: Sure could use some direction about where to start looking. I thought I had everything working for the

Re: Secondary DNS question...

2013-06-26 Thread Doug Barton
On Jun 26, 2013, at 11:53 PM, Doug Barton do...@dougbarton.us wrote: Yes, seems fine now. Can you share more information about what it was you turned off? Sounds odd, but the results speak for themselves. Doug On 06/26/2013 09:39 PM, SH Development wrote: Sure could use some direction about where

Re: PTR files

2013-06-17 Thread Doug Barton
Norman, It's virtually certain that the error you're seeing is not related to BIND. You would almost certainly get your problem solved faster by posting on a list related to the web server software that you are using and walking through your complete configuration with them. Good luck,

Re: Thank you Warren!!! - WAS::Re: This list's prefix

2013-06-16 Thread Doug Barton
Great! Now step 2 is to remove the tag from the subject line before sending mail back to the list. :) On 06/16/2013 02:50 PM, Jerry K wrote: Hello Warren, Thank you so much for this post. Long time procmail user here. I'm only sad I didn't think of this myself first. It's been working

Re: Rate-Limit Question

2013-06-14 Thread Doug Barton
On 06/14/2013 09:08 AM, Evan Hunt wrote: (Our usual policy is not to add substantial new features in maintenance releases like 9.9.4; making it a compile-time option that defaults to off is our way of tiptoeing around the rule.) Quite reasonable, and much appreciated. :)

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread Doug Barton
wrote: In message 51baa714.9020...@dougbarton.us, Doug Barton do...@dougbarton.us wrote: It's obvious you're frustrated (understandable), and enthusiastic (commendable), but you might want to consider dialing down your rhetoric a bit. Great idea! I have only one small question... Would you

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread Doug Barton
On 06/14/2013 05:13 PM, Vernon Schryver wrote: From: Doug Barton do...@dougbarton.us is that (like RRL) your proposal relies on people updating their software. RRL needs only authority and open recursive servers to be updated. The vast majority of DNS installations are closed

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Doug Barton
On 06/13/2013 02:01 PM, Ronald F. Guilmette wrote: The entire problem is fundamentally a result of the introduction of EDNS0. Wouldn't you agree? No. You can still get pretty good amplification with 512 byte responses. There are 2 causes of this problem, lack of BCP 38, and improperly

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Doug Barton
.10...@dougbarton.us, Doug Barton do...@dougbarton.us wrote: No. You can still get pretty good amplification with 512 byte responses. That is an interesting contention. Is there any evidence of, or even any reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE using

Re: Serving up two domains

2013-06-11 Thread Doug Barton
Jason, What you're saying here doesn't make sense, so some more details are needed. On 06/11/2013 08:54 PM, Jason Hellenthal wrote: I have a domain or two that I'm serving up and have traffic from some mobile devices and a few pieces of software that also try to resolve to the hostname.tld

Re: any requests

2013-06-05 Thread Doug Barton
On 06/05/2013 11:33 AM, Tony Finch wrote: I believe the ANY hack on mail servers was a Sendmailism 20ish years ago. s/Send/q/

Re: Negative zones; NXDOMAIN responses

2013-05-21 Thread Doug Barton
On 05/21/2013 12:39 AM, Phil Mayers wrote: On 05/21/2013 08:23 AM, Matus UHLAR - fantomas wrote: On 21.05.13 11:03, Mark Andrews wrote: The simplest solution is to slave the root zone and turn off notify to so you don't spam the official root servers. 192.5.5.241 is

Re: Problem query (SERVFAIL)

2013-05-17 Thread Doug Barton
No problem here from 2 different sites. Seems to be a problem between your resolving name server and their authorities: ;; AUTHORITY SECTION: pointhq.com. 3190 IN NS dns6.pointhq.com. pointhq.com. 3190 IN NS dns7.pointhq.com. ;; ADDITIONAL

Re: Mailing list reply-to setting

2013-05-09 Thread Doug Barton
Seriously, can we stop discussing this now? If you need subject line tags, or your mail client doesn't properly know how to respond only to the list, or whatever -- please go work that out on your own. The majority of users on the list don't want or need these things, and many of us find

Re: Classless PTR query issue

2013-05-07 Thread Doug Barton
On 05/07/2013 01:50 PM, Matus UHLAR - fantomas wrote: On 07.05.13 11:06, Michael Varre wrote: So interestingly they did give me their setup and this is their response, and my warm and fuzzy feeling continues to go out the window: They use SimpleDNS Record Name: 65.246.59.108.in-addr.arpa DNS

Re: DDOS attack Bind 9.9 - P2

2013-05-03 Thread Doug Barton
On 05/03/2013 11:44 AM, rohan.he...@cwjamaica.com wrote: What if both authoritative and recursive are running on the same server That's a simple answer, don't do that. Doug (ever)

Re: ISC Courses

2013-04-26 Thread Doug Barton
Ted made some really good points. It's also worth pointing out that overhead, like renting the facility to teach the classes in, food, travel expenses for the trainers to get to the site, course materials, insurance, etc. often run into the 'many hundreds' of dollars per student before the

Re: ANNOUNCEMENT: New BIND versions are available.

2013-04-12 Thread Doug Barton
Michael, Thanks for this announcement, and a welcome change. Given the following: 1. bind-announce is very low volume, and carries only critical information that the community needs to know 2. Currently all posts to bind-announce are duplicated to the other lists Wouldn't it make sense to

Re: Simple question about zone and CNAME

2013-04-08 Thread Doug Barton
On 04/08/2013 06:54 AM, Sam Wilson wrote: In article mailman.61.1365232319.20661.bind-us...@lists.isc.org, Doug Barton do...@dougbarton.us wrote: On 04/05/2013 11:53 PM, Novosielski, Ryan wrote: | It is funny you should mention that... my questions about using views | to create a situation

Re: Simple question about zone and CNAME

2013-04-08 Thread Doug Barton
On 04/08/2013 06:42 AM, Sam Wilson wrote: In article mailman.49.1365191296.20661.bind-us...@lists.isc.org, wbr...@e1b.org wrote: Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, all the publicity material sent out by the

Re: Forward First on Master Zone (bypass SOA)

2013-04-03 Thread Doug Barton
On 04/01/2013 11:46 AM, Kevin Darcy wrote: On 3/29/2013 12:09 AM, Doug Barton wrote: On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote: My organization is evaluating the use of split-view DNS in our environment. Simple ... don't do it. It's almost never the right answer, and as you're

Re: is NS record pointing to some other name server needed in case of classless IN-ADDR.ARPA delegations?

2013-04-03 Thread Doug Barton
On 04/02/2013 12:47 AM, Martin T wrote: Is NS record pointing to some other name server needed in case of classless IN-ADDR.ARPA delegations? What happens if one does not specify this? It's very common for the parent name server(s) to slave the 2317 zone so that it can answer directly. It's

Re: Forward First on Master Zone (bypass SOA)

2013-04-03 Thread Doug Barton
On 04/03/2013 05:30 PM, Kevin Darcy wrote: It's still not clear to me what you think is the right way to do it. I'm not saying that there is only one right way. I'm saying you first have to answer the question, What might we want to achieve by having different answers internally vs.

Re: Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Doug Barton
On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote: My organization is evaluating the use of split-view DNS in our environment. Simple ... don't do it. It's almost never the right answer, and as you're learning carries with it more administrative overhead than the problems it's designed to

Re: querying TLD nameservers - limitations

2013-03-25 Thread Doug Barton
There is no need to post to both the mailing list and the news group. You can safely post only to the list, and it will be sent to the group for you. Rather than us guessing what it is you're trying to accomplish, can you say a little more about it? I can think of some legitimate reasons why

Re: Overriding Included Zone File Entries

2013-03-05 Thread Doug Barton
On 03/05/2013 11:08 AM, Pat Suwalski wrote: Hello everyone, I have a question about using the $INCLUDE directive in my zone files. We run DNS for a moderately large number of domains, largely pointing at the same servers. So, I'd really like to have the following setup: db.common.inc:

Re: BIND roadmap

2013-02-28 Thread Doug Barton
On 02/28/2013 02:37 AM, Shane Kerr wrote: Note though that as far as I can tell, few people actually use the ESV software. Please let us know if the ESV policy works for you! You probably want to have some discussions with OS vendors that embed BIND to familiarize yourself with how many

Re: Problems with resolving a local tld

2013-02-28 Thread Doug Barton
On 02/28/2013 09:34 AM, Robert Moskowitz wrote: Only for my internal tld does the lookup fail. Are you distributing the trust anchor for htt to all of the servers that are doing validation? Doug

Re: disabling lame server logging

2013-02-26 Thread Doug Barton
You want to set up your resolver on your mail server to forward to your main resolver, using the forward only option. This will allow your mail server resolver to benefit from the cache already populated on your main resolver, while still maintaining the value of caching the answers itself

Re: disabling lame server logging

2013-02-26 Thread Doug Barton
On 02/26/2013 10:38 AM, Robert Moskowitz wrote: I would like a scalpel for lame logging, but probably would not discover any actionable data. There is a logging category for lame-servers. It's in the ARM. Doug

Re: Most specific match on PTR records

2013-02-22 Thread Doug Barton
On 02/22/2013 01:26 AM, Nikita Koshikov wrote: On Thu, Feb 21, 2013 at 10:47 PM, Doug Barton do...@dougbarton.us mailto:do...@dougbarton.us wrote: Can you slave the 11.2.10.in-addr.arpa zone instead of forwarding? That would be easier, and avoid the pitfalls already described

Re: Most specific match on PTR records

2013-02-21 Thread Doug Barton
On 02/21/2013 10:20 AM, Nikita Koshikov wrote: Hello list, I'm trying to cut /24 network from the scope of /8 network, here is example: zone 11.2.10.in-addr.arpa { type forward; forwarders { 192.168.1.23; 192.168.1.24; }; }; zone
