Re: 'managed-keys' is deprecated ??

2021-06-19 Thread Evan Hunt
of both "trusted-keys" and "managed-keys". For the moment, using the old syntax only generates a warning, not a fatal error, but the old options will be removed in a future release (9.20, I think, but don't quote me on that). -- Evan Hunt -- e..

Re: No more support for windows

2021-06-09 Thread Evan Hunt
happy to get help with that project from anyone who knows windows better than I do - it wouldn't take much.) -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe

Re: where are the testing docs ?

2021-05-08 Thread Evan Hunt
m/ifconfig.sh up"). I think the message got lost when we switched to automake. Some tests will be skipped if there are missing dependencies, so you may also wish to install the Net::DNS, Net::DNS::Nameserver and XML::Simple modules for perl, and dnspython for python. -- Evan Hunt -- e..

Re: GeoIP ACL

2021-04-25 Thread Evan Hunt
give an example to achieve the same? match-clients { !geoip country A; !geoip country B; !geoip country C; any; }; -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to un

Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-16 Thread Evan Hunt
ot;reconfig" either. Views don't scale well. Finding the correct view for a query is a linear search, so your performance will decline quite badly if you have more than a few views to search through. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. _

Re: DoH Support in bind 9.17?

2021-02-23 Thread Evan Hunt
.17.11. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Cont

Re: how to revert signed db zone file to unsgined plain text (remove dnssec keys)

2020-08-09 Thread Evan Hunt
cally sorted. "named" can do this automatically if you dynamically update a zone and remove the DNSKEY rrset. I think "dnssec-signzone -SPRQ" would do it if you marked the keys as deleted with "dnssec-settime" first; I haven't tested this, but it should. But I think t

Re: how to revert signed db zone file to unsgined plain text (remove dnssec keys)

2020-08-08 Thread Evan Hunt
r/cache/bind/db.powercraft.nl.signed You can just regex out all the DNSSEC-related types. Something like this ought to work: $ named-compilezone -f raw -F text -s full -o - powercraft.nl | \ awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}' -- Evan Hunt -- e...@isc.

Re: /etc/bind.keys in a chrooted environment

2020-07-22 Thread Evan Hunt
her domains listed there will be ignored. So, this would already not work. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC fu

Re: rndc valid key types

2020-07-07 Thread Evan Hunt
- HMAC-SHA512? No, go ahead. I tend to use sha256, just because it's the default from rndc-confgen. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe fro

Re: Syntex for primary/secondary

2020-07-06 Thread Evan Hunt
d syntax will continue working so old named.conf files don't need to be changed, at least for the next several releases. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to

Re: can bind support DOH and DoT

2020-06-02 Thread Evan Hunt
>1. Can bind support DoH and DoT >2. If yes Which version of bind support DoH or DoT It's in development now. The plan is for it to be supported in 9.18 when it comes out next year, and backported to the 9.16 branch as a compile-time option. -- Evan Hunt -- e...@isc.org Internet S

Re: DLZ: dlz/modules, dlz/drivers ?

2020-05-26 Thread Evan Hunt
in contrib/dlz/drivers ones do need to be linked in at compile time, so they still turn up as configure options even though they're kinda obsolete now. I expect them to go away in 9.17/9.18; the only reason they're still there now is that a few of them support databases that we don't have modules

Re: maxminddb support in 9.16

2020-05-21 Thread Evan Hunt
docs/aa-01149 Ah, thank you, I hadn't seen that. The only thing I see in that article that's out of date is that the "--with-geoip" option is no longer needed, or valid; it's "--with-maxminddb" now, and it's enabled by default. -- Evan Hunt

Re: maxminddb support in 9.16

2020-05-21 Thread Evan Hunt
nfrequently used keywords like "areacode" and "netspeed" became unavailable in the new API, and three-letter country codes are now obsolete. "Country" is definitely still supported, and since you used "us" rather than &quo

Re: DoH plugin for BIND

2020-04-29 Thread Evan Hunt
ration for an nginx proxy in the BIND source tree under contrib/dnspriv that you can use now, if you wish. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe

Re: DoH plugin for BIND

2020-04-29 Thread Evan Hunt
> Does BIND have a DoH plugin official? > Or is there any guide to customize that one? Not yet, but we plan to have a DoH implementation in named by the end of this year. In the meantime, there are DoH proxies that can run BIND as the back-end. -- Evan Hunt -- e...@isc.org Internet S

Re: Nsupdate and TTL

2020-04-22 Thread Evan Hunt
.com in a > update add example.com in a 192.0.2.1 > update add example.com in a 192.0.2.2 > update add example.com in a 192.0.2.3 > send -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/l

Re: Vim Syntax, New Release for ISC Bind named.conf 5.16

2020-04-22 Thread Evan Hunt
chance? -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinf

Re: BIND-9.16.1 memory leak?

2020-04-20 Thread Evan Hunt
unusual in your server configuration? -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org h

Re: BIND-9.16.1 & KASP

2020-04-13 Thread Evan Hunt
last 'modified'. Would be perfect for > small zones that are rarely updated. I think the zone option "serial-update-method date;" does this. (I haven't tested it with dnssec-policy though.) -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc.

Re: checkzone from stdin?

2020-04-08 Thread Evan Hunt
On Wed, Apr 08, 2020 at 10:22:55PM +, Evan Hunt wrote: > You didn't mention what version you're running, but IIRC, this was > added in 9.16. My mistake, 9.17. On most Unices you can specify /dev/stdin as the filename though, and that should work with any version. -- Evan Hun

Re: checkzone from stdin?

2020-04-08 Thread Evan Hunt
On Wed, Apr 08, 2020 at 02:58:12PM -0400, Matthew Pounsett wrote: > It looks to me like named-checkzone isn't able to read a zone file from > stdin. You didn't mention what version you're running, but IIRC, this was added in 9.16. -- Evan Hunt -- e...@isc.org Internet Systems Consortiu

Re: managed-keys update when outgoing UDP is blocked

2020-02-25 Thread Evan Hunt
:47 GMT > > name: . > keyid: 20326 > algorithm: RSASHA256 > flags: SEP > next refresh: Tue, 25 Feb 2020 19:16:47 GMT > trusted since: Mon, 03 Feb 2020 18:10:26 GMT "trusted since" indicates it managed to get at least query through on Feburary 3. If it hadn't, it

Re: function in DNS to provide an answer depending on the source of query.

2019-12-05 Thread Evan Hunt
l module, but views are easier. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists

Re: DNSSEC basic information

2019-09-23 Thread Evan Hunt
On Tue, Sep 24, 2019 at 03:15:42AM +, Evan Hunt wrote: > Six years is a long time, I've probably forgotten a few. Oh here's one: "dig +sigchase" is dead now, use "delv" to check DNSSEC validation chains. -- Evan Hunt -- e...@isc.org Internet

Re: DNSSEC basic information

2019-09-23 Thread Evan Hunt
In newer releases there's also a configuration option, "validate-except", which permanently disables validation below specified domains. This can be used, for example, if you have an internal network using a fake TLD and you want to prevent it f

Re: Exempt .local from dnssec validation on resolver?

2019-07-25 Thread Evan Hunt
On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote: > In 9.11, no. In 9.14, you can use "validate-except { local; };" (Afterthought: In 9.11, you can also use "rndc nta" to suppress validation on a given domain, but negative trust anchors expire after a while, so

Re: Exempt .local from dnssec validation on resolver?

2019-07-25 Thread Evan Hunt
On Thu, Jul 25, 2019 at 12:52:18PM -0800, John Thurston wrote: > Is there any way to tell my resolver it shouldn't be validating > responses for foo.local? In 9.11, no. In 9.14, you can use "validate-except { local; };" -- Evan Hunt -- e...@isc.org Internet Systems

Re: rndc - sync before reload?

2019-07-14 Thread Evan Hunt
ds the zone from the master file *plus* the journal file, if there is one. There's no need to sync the journal file to the master file before reloading. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lis

Re: dnssec-keymgr fails to apply policy

2019-06-23 Thread Evan Hunt
On Sun, Jun 23, 2019 at 05:01:11PM +, Evan Hunt wrote: > It's a bug. I see the same result. Thanks for pointing it out, I'm > looking into it. Ah, I see the problem. You overrode the default policy by using the name "default", but you didn't set a "coverage" valu

Re: dnssec-keymgr fails to apply policy

2019-06-23 Thread Evan Hunt
ug. I see the same result. Thanks for pointing it out, I'm looking into it. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users maili

Re: A policy for removing named.conf options.

2019-06-13 Thread Evan Hunt
ith it. But a standard policy that covers all deprecated options would need to be stricter than "enh". -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsub

Re: A policy for removing named.conf options.

2019-06-13 Thread Evan Hunt
en an option must removed, and how to ensure operators aren't blindsided by that. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing l

Re: dnssec-validation auto vs yes

2019-06-12 Thread Evan Hunt
be available in BIND 9.15.1, which should be out next week; the old syntax will be phased out later.) -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from

Re: Should we remove the DLV code?

2019-05-22 Thread Evan Hunt
te corporate domain. AIUI, there are some people doing that; I don't know how many. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-u

Re: bind 9.14.1 qname-minimization

2019-04-27 Thread Evan Hunt
ion relaxed" really ought to be able to work around this, though, and I thank you for bringing it up. You can file a bug report at gitlab.isc.org/isc-projects/bind9/issues if you wish. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Pl

Re: 9.14.0 filter-aaaa

2019-04-15 Thread Evan Hunt
On Sun, Apr 14, 2019 at 05:35:42PM -0700, Carl Byington via bind-users wrote: > named-checkconf likes that, but named gets a segfault in filter-.so. > Anyone using filter-.so in a working configuation? The log shows: > > Apr 14 17:15:18 ns named[29299]: mem.c:1795: INSIST(mpctx->allocated

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-04-03 Thread Evan Hunt
and comments in configure_view() you might see how easy it is to be misled.) I actually do still think that *ought* to be the rule for allow-update, but it wasn't, so when I cleaned things up I cleaned them up wrong, mea culpa. -- Evan Hunt -- e...@isc.org Internet Systems Co

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-24 Thread Evan Hunt
but I think Grant was suggesting having named itself dump its current configuration state, which would be useful in a whole different way. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/list

Re: question about "Assertion Failure" in BIND

2019-03-07 Thread Evan Hunt
radigm, so I' not sure if every assertion failure can cause BIND to > crash and is there any mechanism in BIND that can just drop the event > which triggers an assertion failure and move on to other events? Thanks. An assertion failure is always a crash. -- Evan Hunt -- e...@isc.org Inte

Re: EDNS Client-Subnet

2019-03-01 Thread Evan Hunt
ure, but so far we've hesitated out of skepticism that ECS is a good idea that will be needed very much in the long term - we don't want to have to support it forever if it fizzles. But we do revisit the conversation periodically. -- Evan Hunt -- e...@isc.org Internet Sy

Re: Bind has a database option instead of zone files?

2019-01-27 Thread Evan Hunt
others. I'd need to know what database you're using and what kind of zones you're serving (big or small, DNSSEC signed or not, high-traffic or not) to be of much help. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit

Re: DNS Flag Day may cause any problem in private DNS servers ?

2019-01-24 Thread Evan Hunt
that specific server. That option will still be available after flag day. An easy way to check would be to install the latest BIND development release (version 9.13.5) and see if it works. It already has all the flag day changes in it. -- Evan Hunt -- e...@isc.org Internet Sy

Re: BIND 9.12.3-P1: No additional section

2019-01-15 Thread Evan Hunt
forgotten, but I think we intended to leave the "no" behavior alone. Thanks for bringing it up, I'll open a bug ticket about it. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/list

Re: BIND 9.12.3-P1: No additional section

2019-01-15 Thread Evan Hunt
ct the > authoritative behavior. But I don't understand, why this happens when > "minimal-responses no;" is configured. Authoritative or recursive? Can you give a specific example of a query that isn't getting an additional section and should? -- Eva

Re: stop on unrecognized qresult in rpz_rewrite()

2018-11-16 Thread Evan Hunt
dnssec doesn't exist in 9.11, there must be another cause in your case. Very sorry for misleading you. How often are you seeing this? -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bin

Re: odd failures from 9.12.2-P2

2018-10-18 Thread Evan Hunt
test -- they would have been deleted if it had passed but should still be there now -- which can also be used to work out what went wrong. If you want to just tar up bin/tests/system and send it to me, I'd be happy to take a look. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. __

Re: stop on unrecognized qresult in rpz_rewrite()

2018-09-29 Thread Evan Hunt
"). It's fixed in the upcoming release. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://li

Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Evan Hunt
secroots" already existed before that change, we left its default behavior the same as it had been before, and added a "-" option to return text over the command channel. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Ple

Re: KSK Rollover

2018-09-06 Thread Evan Hunt
t, run "rndc-confgen" and follow the directions. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-use

Re: 'tsig-keygen' vs 'dnssec-keygen' - keysize

2018-09-06 Thread Evan Hunt
nt to). Is it a 9.12 onwards > thing? No, but Mark's comment may have been confusing. You can set up keys that way in named.conf ("algorithm hmac-md5-96;" or whatever). At first I thought he was talking about tsig-keygen; perhaps you read it the same way I did? -- Evan Hunt

Re: about the effect of installing with "--without-openssl"

2018-08-26 Thread Evan Hunt
quot;configure --without-openssl". There will be features you can't use. They're good features, and in my opinion disabling them is a mistake, but you are allowed to do so. In BIND 9.13, the option to disable these features no longer exists. -- Evan Hunt -- e...@isc.org Int

Re: about the effect of installing with "--without-openssl"

2018-08-25 Thread Evan Hunt
o libraries, which meant openssl wasn't available on all platforms, and I've always guessed it was because of that. No longer an issue, anyway. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/l

Re: BIND 9.11.4 dnstap not capturing updates

2018-08-03 Thread Evan Hunt
quot;query" is the same as "request". I can't think of any reason not to tap update requests, but I do wonder whether an extension to the type enum would reduce confusion. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc.

Re: TR: Slave Zones for Bind 9.11

2018-06-17 Thread Evan Hunt
rnal and external views, then views are unnecessary. Just use "allow-recursion { localnets; };" and external queries won't be allowed to do recursion. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.o

Re: TR: Slave Zones for Bind 9.11

2018-06-17 Thread Evan Hunt
transferred at all. There's a single copy of the zone in memory, and both views have pointers to it. You can still use the file option. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/

Re: v9.12.1-P2 changed files

2018-05-18 Thread Evan Hunt
d between 9.12.1 and 9.12.1-P2 are: lib/dns/rbtdb.c lib/dns/zone.c lib/ns/include/ns/query.h lib/ns/query.c And all other differences are from rebuilding the documentation with the new version number. -- Evan Hunt -- e...@isc.org Internet Systems Consor

Re: BIND source distribution missing?

2018-05-04 Thread Evan Hunt
On Fri, May 04, 2018 at 04:19:43PM +, Evan Hunt wrote: > You're right, something's broken. I see it too, and not just on chrome. > I'll escalate. Thanks for bringing this to our attention. It's fixed now. -- Evan Hunt -- e...@isc.org Internet Systems Consortiu

Re: BIND source distribution missing?

2018-05-04 Thread Evan Hunt
e > BIND doesn't seem to be distributed from there anymore. As others have already pointed out, it's still there: 'cd isc/bind9/$version'. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailma

Re: Does anyone have BIND 9.11.3 RPM

2018-04-20 Thread Evan Hunt
building BIND packages for various distributions, and while we're still testing the process and haven't started publishing them yet, I do have an experimental 9.11.2-P1 RPM that you can try out if you like. -- Evan Hunt -- e...@isc.org Internet Systems Consor

Re: BIND GeoIP2 support

2018-04-04 Thread Evan Hunt
ributions would speed things up.) -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.

Re: Roadmap for DNSSEC signing/automation?

2018-03-13 Thread Evan Hunt
ether domain registrars make use of it. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https:

Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-10 Thread Evan Hunt
ovide a nice speed-up, as well as allowing the validator to avoid > looking into insecure subtrees, which will have the side-effect of > avoiding problems with apex CNAMEs. Yep, that's one of the approaches we've discussed. -- Evan Hunt -- e...@isc.org Internet Syste

Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-09 Thread Evan Hunt
t rid of the second problem, but brought back the first one. Apex CNAMEs are bogus, of course, but we do need to cope with them when they appear. We're going to revisit this issue in 9.12.2, once we've figured out how to solve the one problem without causing the other one. -- Evan Hunt -- e...@isc.org

Re: questions on allow-query

2018-02-20 Thread Evan Hunt
g in the recursive code. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.or

Re: questions on allow-query

2018-02-19 Thread Evan Hunt
any; }; in each zone? > > Is that better than simply setting the IPs that are allowed recursion? The usual approach is allow-query { any; }; and allow-recursion { localhost; localnets; }; -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
reference. If you need it to be built in to your application, I'm not sure. Warren's suggestion of using getdns-api was a better idea anyway. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mai

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
ther solution. I'd probably just use dnsmasq and turn on its DNSSEC validation option. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
s libbind anymore. What's the purpose of this? Why not just use BIND 9, or some other existing resolver? -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from

anybody building without crypto?

2017-12-06 Thread Evan Hunt
e building with crypto disabled, would you mind contacting me, either privately or on list, so we can have a conversation about why you chose that option? My guess is this isn't something anybody needs anymore, but in the interest of due diligence I'm prepared to be educated. Thanks, -- Evan

Re: DNSSEC DS Record

2017-07-14 Thread Evan Hunt
d it would also need a DNSKEY at zbc.com, which would be occluded by the cached CNAME, and DNSSEC validation would fail. (This is more or less the exact use case for the proposed ANAME record.) -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___

are you using lwres?

2017-05-18 Thread Evan Hunt
run lwresd or named-with- lwres? Do you have code that links with liblwres? If so, please let me know. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from

Re: BIND 9 windows XP builds

2017-04-17 Thread Evan Hunt
the files for each release, but don't actually use the XP builds. If that turns out to be the only explanation I hear, then we'll drop XP support after the upcoming releases are final. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___

BIND 9 windows XP builds

2017-04-17 Thread Evan Hunt
to understand those needs, so please let us know what yours are. Thanks, -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing

Re: real BIND start time

2017-01-05 Thread Evan Hunt
1-05T22:01:35.313Z", "config-time":"2017-01-05T22:01:35.380Z", "current-time":"2017-01-05T22:18:37.498Z", "version":"9.11.0-P1" } $ curl http://localhost:/xml/v3/status 2017-01-05T22:01:35.313Z2017-01-05T22:01:35.380

Re: rndc addzone type forward

2016-11-16 Thread Evan Hunt
but I don't see it in the ARM; my apologies for that oversight.) We've had a feature request in our queue for some time to make it possible to configure forwarding via rndc. Hopefully in 9.12. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___

Re: receive_secure_serial: bad database

2016-10-20 Thread Evan Hunt
you please open a ticket by mailing bind9-b...@isc.org? It would be easier to discuss it there. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Evan Hunt
On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote: > On 10/12/16 13:36, Evan Hunt wrote: > > I recommend using "delv" instead. "dig +sigchase" isn't good code. > > ? well that is news to me :-\ It's code that was contributed over ten years ago

Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Evan Hunt
+sigchase" isn't good code. I expect we'll be removing it in a future release. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-us

Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Evan Hunt
ive servers in order to blah blah etc" and it might be nice to just say no. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users m

Re: writeable file 'domain.com': already in use

2016-06-16 Thread Evan Hunt
o that there's only one copy of the zone shared by both views. Or else use a different file name for the zone in each view, so the two copies of the zone aren't stepping on each other. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___

Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Evan Hunt
On Tue, Jun 14, 2016 at 08:06:55PM +, Evan Hunt wrote: > On a personal level, I actually agree with you, and I find the idea of > relicensing somewhat regrettable. It's not that I'm against the GPL, I > think software creators should be able to share their work on whatever > ter

Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Evan Hunt
e to add any burden to it at all. I do like eating, though, and I won't be able to fix as many bugs if I have to stop doing that. :/ -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/

Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Evan Hunt
gains to you guys. All I can say is once you have your > shiny new license I'm going to be mighty POed if you don't sue > the pants off the next one of those companies that uses the BIND code > and effs it up to make an example for the rest of them. BIND but > without the bugs,

Re: BIND 9.10.4 may have a fatal crash defect.

2016-05-17 Thread Evan Hunt
gi-bin/gitweb.cgi?p=bind9.git;a=patch;h=04a6d1de64b2b600f1c3a67b82abc32392048692 We're testing it for a few more days before we publish, just to make sure there isn't another error we haven't spotted yet, but this seems almost certain to be it. -- Evan Hunt -- e...@isc.org Internet Systems Consortiu

Re: BIND assertion failure - 9.10.4

2016-05-02 Thread Evan Hunt
ious version of BIND. > > Hopefully it’s a one-off. Let me know if there is any more information I > can provide. This article lists useful information to include in bug reports. https://kb.isc.org/article/AA-00340 I'll follow up with you about this by private mail. -- Evan Hunt -- e...@isc

Re: Whether Bind (bind-9.10.3-P3) support Edns ?

2016-05-02 Thread Evan Hunt
sive support in a subsequent release. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org ht

Re: generating TSIG keys with 'dnssec-keygen', get "error reading key file ... bad key type"?

2016-04-19 Thread Evan Hunt
ng function is expectingly DNSKEY, and so it complains. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.o

Re: generating TSIG keys with 'dnssec-keygen', get "error reading key file ... bad key type"?

2016-04-19 Thread Evan Hunt
gen example.com". (The name "tsig-keygen" was introduced in BIND 9.10; prior to that, the tool was called "ddns-confgen", and it did essentially the same thing as it does now, but with some extra comments in the output.) -- Evan Hunt -- e...@isc.org Internet S

Re: generating TSIG keys with 'dnssec-keygen', get "error reading key file ... bad key type"?

2016-04-19 Thread Evan Hunt
On Tue, Apr 19, 2016 at 07:40:38AM -0700, jaso...@mail-central.com wrote: > I'm working on generating TSIG keys for use with my bind server. I think you'll be happier if you use "tsig-keygen" instead of "dnssec-keygen". -- Evan Hunt -- e...@isc.org Internet

Re: non-BDB support for DLZ in Bind9?

2016-03-25 Thread Evan Hunt
On Fri, Mar 25, 2016 at 11:59:41PM +, Evan Hunt wrote: > (The name "Dynamically Loadable Zones" is, in retrospect, unfortunate. Now > that it's possible to load DLZ modules at runtime with dlopen(), that means > you can have dynamically loadable Dynamically Loadable Zones z

Re: non-BDB support for DLZ in Bind9?

2016-03-25 Thread Evan Hunt
Zones" is, in retrospect, unfortunate. Now that it's possible to load DLZ modules at runtime with dlopen(), that means you can have dynamically loadable Dynamically Loadable Zones zones. Sorry about that.) -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___

Re: non-BDB support for DLZ in Bind9?

2016-03-25 Thread Evan Hunt
lopen" part is enabled by default already, and the others are unnecessary.) Then "cd contrib/dlz/modules/bdbhpt" (or whichever one you want to use), and run "make". The resulting .so file needs to be put somewhere that named can find it. There's a sample configuration in the &q

Re: non-BDB support for DLZ in Bind9?

2016-03-25 Thread Evan Hunt
; any alternative such as LMDB, going forward? We have no position on the licensing issue. Technically, the DLZ modules are considered contributed code and are not formally supported by ISC, though we do make our best effort to fix bugs. If someone were to build an LMDB module (which might be pretty strai

Re: Build with GEOIP

2016-03-25 Thread Evan Hunt
d/include/named That file is part of BIND. Look for GeoIP.h, with the capital letters. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

Re: what does "max-ncache-ttl 0;" mean?

2016-03-02 Thread Evan Hunt
> So, it might actually mean "as big as possible". > > Consult the source code to be sure. Tony did consult the source code, upthread. And he was correct: for this particular option, zero does mean zero. -- Evan Hunt -- e...@isc.org Internet Syst

Re: Database driven ACL

2016-02-29 Thread Evan Hunt
9.11, which will have an implementation of something like https://tools.ietf.org/html/draft-muks-dnsop-dns-catalog-zones-00. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to

Re: pre heat cache

2016-02-17 Thread Evan Hunt
s. Using it in a production environment would not be a good idea. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list b

Re: Intended usage of dnssec-must-be-secure?

2016-02-03 Thread Evan Hunt
I would suggest slaving the local zone instead of forwarding it. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-user

  1   2   3   4   5   >