Re: Questions on how to setup Reverse DNS in bind 9

2016-07-18 Thread Jeremy C. Reed
On Sun, 17 Jul 2016, Spork Schivago wrote:

> So, in the /var/named directory, I create a file
> called: 0.117.238.104.in-addr.arpa
> 
> The contents of 0.117.238.104.in-addr.arpa are as follows:
> $TTL 1D
> @       IN SOA  ns1.jetbbs.com. spork.jetbbs.com. (
>                                         2016071705      ; serial
>                                         1D              ; refresh
>                                         1H              ; retry
>                                         1W              ; expire
>                                         3H )            ; minimum
> 
> 0.117.238.104.in-addr.arpa.        IN      NS      ns1.jetbbs.com.
> 0.11.148.132.in-addr.arpa.         IN      NS      ns2.jetbbs.com.
> 
> 104     IN      PTR     franklin.jetbbs.com.
> 44      IN      PTR     franklin.jetbbs.com.


This won't work, as you need NS records that match up to the zone name. 
In this case, the common zone name is only "in-addr.arpa." but there is no 
NS for that.  Also, if it was only "in-addr.arpa.", the two PTR records 
would be useless.  If your zone name does match so you have a NS record, as 
it is now, you'd have "out-of-zone data" which is ignored. Try using two 
different, more specific zone files, such as for 11.148.132.IN-ADDR.ARPA. 
and 117.238.104.IN-ADDR.ARPA.
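As an added illustration of the out-of-zone point in this reply (example code written for this page, not from the thread or from BIND): the checker below resolves each owner name against a zone origin and flags records that fall outside it, which named ignores, and it derives the in-addr.arpa zone name for a /24 the way the reply suggests splitting the file. It assumes the poster's zone was declared as 0.117.238.104.in-addr.arpa. (the named.conf zone statement is not on the page) and the host addresses 104.238.117.104 and 132.148.11.44 used for the split layout are invented.

```python
import ipaddress


def reverse_zone_for_prefix(cidr):
    """Map an IPv4 /8, /16 or /24 onto the in-addr.arpa zone holding its PTRs.
    Hypothetical helper written for this example."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 prefixes map onto one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(ip):
    """Absolute owner name of the PTR record for one IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def audit_zone(origin, records):
    """records: (owner, rrtype, rdata) tuples as written in a master file.
    Owners are '@', an absolute name ending in '.', or a name relative to origin.
    Returns the out-of-zone records (which named drops) and the NS names at the apex."""
    origin = origin.lower().rstrip(".") + "."
    out_of_zone, apex_ns = [], []
    for owner, rrtype, rdata in records:
        owner = owner.lower()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = owner + "." + origin
        if fqdn != origin and not fqdn.endswith("." + origin):
            out_of_zone.append((fqdn, rrtype, rdata))
        elif fqdn == origin and rrtype.upper() == "NS":
            apex_ns.append(rdata)
    return {"out_of_zone": out_of_zone, "apex_ns": apex_ns,
            "ok": bool(apex_ns) and not out_of_zone}


# Constructed sample: the records from the posted 0.117.238.104.in-addr.arpa file,
# assuming the zone was declared under that same name.
POSTED_ORIGIN = "0.117.238.104.in-addr.arpa."
POSTED_RECORDS = [
    ("0.117.238.104.in-addr.arpa.", "NS", "ns1.jetbbs.com."),
    ("0.11.148.132.in-addr.arpa.", "NS", "ns2.jetbbs.com."),
    ("104", "PTR", "franklin.jetbbs.com."),
    ("44", "PTR", "franklin.jetbbs.com."),
]

# Constructed sample of the split the reply suggests: one /24 zone per network.
# The host addresses 104.238.117.104 and 132.148.11.44 are assumed for illustration.
SPLIT_ZONES = {
    reverse_zone_for_prefix("104.238.117.0/24"): [
        ("@", "NS", "ns1.jetbbs.com."),
        ("104", "PTR", "franklin.jetbbs.com."),
    ],
    reverse_zone_for_prefix("132.148.11.0/24"): [
        ("@", "NS", "ns2.jetbbs.com."),
        ("44", "PTR", "franklin.jetbbs.com."),
    ],
}


def audit_all():
    """Audit the posted single file and the split layout; returns {origin: result}."""
    results = {POSTED_ORIGIN: audit_zone(POSTED_ORIGIN, POSTED_RECORDS)}
    for origin, records in SPLIT_ZONES.items():
        results[origin] = audit_zone(origin, records)
    return results


if __name__ == "__main__":
    for origin, res in audit_all().items():
        print(origin, "OK" if res["ok"] else "PROBLEM", res["out_of_zone"])
```

Run against the posted file the checker reports the ns2 NS record as out of zone; run against the two /24 zones every record sits under its origin and each apex carries an NS record.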
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: RES: RHEL, Centos, Fedora rpm 9.10.4-P1

2016-06-22 Thread Jeremy C. Reed
On Wed, 22 Jun 2016, Leonardo Oliveira Ortiz wrote:

> Someone had success to build it? I got make test errors...

What was the error?



Re: Nsupdate usage scenario

2016-05-02 Thread Jeremy C. Reed
Also for the generated master file, have a look at "masterfile-style 
full;" option.  Have a look at the named-compilezone -j with -s full or 
-s relative so you can compare outputs.


Re: Nsupdate usage scenario

2016-05-02 Thread Jeremy C. Reed
What about using a specific zone file just for the purpose of the single 
A record you want to maintain using dynamic updates?


Re: Cannot get BIND logs to write to the correct file.

2016-05-02 Thread Jeremy C. Reed
On Mon, 2 May 2016, Sean Son wrote:

> I am trying to get BIND to write its logs to two files:
> 
> /var/log/named/named.log
> 
> and
> 
> /var/log/named/dnsreqs.log
> 
> 
> No matter what I do , the logs are still being written to
> /var/named/data/named.run
> 
> Here is the part of my named.conf which deals with logging:
> 
> logging {
>     channel default_debug {
>     file "data/named.run";
>     severity dynamic;
>     };
>  channel default_info {
>     file "/var/log/named/named.log";
>     print-time yes;
>     print-category yes;
>     print-severity yes;
>     };
>     channel log_requests {
>     file "/var/log/named/dnsreqs.log";
>     print-time yes;
>     print-category yes;
>     print-severity yes;
>     };
>   category lame-servers { null; };
> 
> };
> 
> 
> The default_info and log_requests sections were copied from an older BIND
> server that we are running. I am upgrading to a new version of Red Hat Linux
> as well as a new version of BIND on a different server.
> 
> Any help is greatly appreciated! What am I doing wrong here?

Hi Sean,

Also use a "category" configuration.  For example:

category default { default_info; };

category queries { log_requests; };

(If not, you may want to tell us what specifically you do and maybe 
don't want logged.)

Jeremy C. Reed



Re: Bind 9.11.0a1

2016-04-21 Thread Jeremy C. Reed
On Thu, 21 Apr 2016, ap...@yandex.ru wrote:

> Would be great to hear smth about question #2. I've tried to use rndc 
> trace with various levels of debugging and still edns subnet is not 
> shown anywhere.

> > 2) I have looked through sources and bind 9.11 guide, but have not 
> > found the way to add client-subnet into queries logging. Would be 
> > really great to have it. So to see not just client IP-address, but 
> > also ECS subnet itself. Did I miss something?

We will soon be adding some logging for geoip and ECS.


RE: Question about managed-keys-zone

2016-04-08 Thread Jeremy C. Reed
On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:

> Thanks Jeremy
> 
> 
> Logging section from named.conf
> 
> logging {
> channel "named-log" {
> file "/usr/local/named-jail9.10.3P4/var/adm/named.log" 
> versions 3 size 30m;
...
 
> category "general" { "named-log"; };
...

> And yes the directory "/usr/local/named-jail9.10.3P4/var/adm/" exists 
> and the files are there owned by named:named.

The error:
  isc_stdio_open '/usr/local/named-jail9.10.3P4/var/adm/named.log' 
  failed: file not found
happens when the directory doesn't exist as one example.

What switches are you using to start named?

(The top of the logging output was excluded in previous email which 
should show the "starting BIND 9.10.3-P4" and "built with" lines.)


RE: Question about managed-keys-zone

2016-04-08 Thread Jeremy C. Reed
On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:

> I know it using rndc is a good practice but is there an option to 
> specify in named.conf to disable it?

It is disabled by default because there is no complete command channel 
configuration in the first place, but this will make it so it doesn't 
even try to enable it:

controls { };



Re: Question about managed-keys-zone

2016-04-08 Thread Jeremy C. Reed
On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:


> '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2 

Unrelated to your problem, but the --enable-newstats configure switch is 
not used for BIND 9.10.

> 1. Cannot seem to start named and it seems that it is looking for some 
> keys to validation locally.

(I reordered your email some:)

> Apr 7 15:15:32 cfdnsquar01 named[37952]: isc_stdio_open 
> '/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not 
> found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: configuring logging: file not 
> found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: loading configuration: file 
> not found
> Apr  7 15:15:32 cfdnsquar01 named[37952]: exiting (due to fatal error)

Your named cannot start due to logging configuration. You didn't share 
your configuration related to it, but does the directory
/usr/local/named-jail9.10.3P4/var/adm/ exist?

 
> I believe managed-key-zone validation is by default enabled in 
> Bind..is there an option that I can use in named.conf file to 
> disable that so that it does not look for the key..I guess this is 
> just a self-validation on the master itself and has nothing to do with 
> DNSSEC signing as it seems I am not even able to get the named up...

Yes, it is unrelated.

> I guess question is do I have an option that I can specify such that 
> it will not look for self-validation keys at all so that I do not have 
> to deal with rndc.key and rndc.conf or is this something I cannot get 
> by with when I use "views" ? Or am I not understanding this properly?

The rndc keys (used for connecting to the control interface) are 
unrelated to the keys used with DNSSEC.  But for operations it is a good 
idea. See the ARM and/or rndc-confgen manpage about generating the rndc 
configuration.

Let's get your named startup working first before we work on your goal. 
(If I understand correctly, you want named to serve internally unsigned 
zones, an external appliance will sign the zones, and then named can 
then serve the signed zones publicly.)


Re: make test fails without Net::DNS::Nameserver

2015-07-14 Thread Jeremy C. Reed
On Tue, 14 Jul 2015, Maria Iano wrote:

> I don't see this mentioned anywhere else, although I'm surprised by that
> so maybe I'm missing something. When I build bind-9.10.2-P2 I find
> that make test fails for reclimit with Couldn't start server ans2 if
> I don't have Net::DNS::Nameserver installed. After I install it the
> testing is successful.

We recently added a bin/tests/system/reclimit/prereq.sh script to check 
for it.

CHANGES entry:

4113.   [test]  Check for Net::DNS is some system test
prerequisites. [RT #39369]


Re: #service named restart fails with a weird message

2015-06-19 Thread Jeremy C. Reed
On Fri, 19 Jun 2015, Samad Agha wrote:

> Error in named configuration:
> /etc/named.conf:3: missing ';' before '}'

Look on line 3

> /etc/named.conf:11: missing ';' before '}'

Look on line 11

> options {
>  directory /var/named;
>     allow-recursion {207.151.36.0/24; 206.117.117.0/24};

Add a semicolon before the } to end the list of networks.

>  };
> 
> zone 0.0.127.in-addr.arpa {
>     type master;
>     file db.127.0.0

Add missing semicolon at the end of that line.

> };
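Both named.conf problems seen in this list, the missing semicolons here and, in the logging thread above, channels that no category ever sends output to, can be caught before restarting named. The linter below is an added example written for this page, not ISC code, and named-checkconf remains the authoritative check. It tokenizes named.conf, reports each '}' reached while the preceding statement still lacks its ';', and lists channels defined in logging {} that no category references. The two sample configurations are constructed from the posts (the logging one shortened to one line per channel).

```python
import re

# Channels named predefines; redefining them in logging {} needs no category.
BUILTIN_CHANNELS = {"default_syslog", "default_debug", "default_stderr", "null"}

# Strings, comments, the three punctuation tokens, newlines (for line numbers), words.
_TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|\n|[^\s{};"]+', re.S)


def tokenize(text):
    """Yield (token, line) for strings, words and { } ; while skipping comments."""
    line = 1
    for m in _TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok == "\n":
            line += 1
        elif tok.startswith(("/*", "//", "#")):
            line += tok.count("\n")      # a block comment may span lines
        else:
            yield tok, line


def missing_semicolons(text):
    """Line numbers of each '}' reached while a statement still lacks its ';'.
    This is the case named reports as "missing ';' before '}'"."""
    problems, pending = [], False
    for tok, line in tokenize(text):
        if tok in ("{", ";"):
            pending = False              # statement (or block header) is complete
        elif tok == "}":
            if pending:
                problems.append(line)
            pending = True               # the closed block itself still needs ';'
        else:
            pending = True               # a word or string opens/extends a statement
    return problems


def unreferenced_channels(text):
    """Channels defined in logging {} that no category {} directs output to."""
    toks = list(tokenize(text))
    defined, referenced = [], set()
    i = 0
    while i < len(toks):
        tok = toks[i][0]
        if tok in ("channel", "category") and i + 2 < len(toks) and toks[i + 2][0] == "{":
            name = toks[i + 1][0].strip('"')
            if tok == "channel":
                defined.append(name)
            else:                        # collect the channel list of this category
                j = i + 3
                while j < len(toks) and toks[j][0] != "}":
                    if toks[j][0] != ";":
                        referenced.add(toks[j][0].strip('"'))
                    j += 1
            i += 3
            continue
        i += 1
    return [c for c in defined if c not in referenced and c not in BUILTIN_CHANNELS]


# Constructed sample reproducing the two defects discussed above: the network list
# on line 3 closes with '}' before ';', and the 'file' statement on line 8 has no ';'
# (named and this checker both point at the '}' that follows it, line 9).
BROKEN_CONF = """\
options {
    directory /var/named;
    allow-recursion {207.151.36.0/24; 206.117.117.0/24};
};

zone 0.0.127.in-addr.arpa {
    type master;
    file db.127.0.0
};
"""

# Constructed sample of the posted logging block: channels exist but no category
# uses them, so nothing reaches /var/log/named; adding categories fixes it.
LOGGING_CONF = """\
logging {
    channel default_debug { file "data/named.run"; severity dynamic; };
    channel default_info { file "/var/log/named/named.log"; print-time yes; };
    channel log_requests { file "/var/log/named/dnsreqs.log"; print-time yes; };
    category lame-servers { null; };
};
"""
FIXED_LOGGING_CONF = LOGGING_CONF.replace(
    "    category lame-servers { null; };",
    "    category lame-servers { null; };\n"
    "    category default { default_info; };\n"
    "    category queries { log_requests; };")

if __name__ == "__main__":
    print("missing ';' before '}' on lines:", missing_semicolons(BROKEN_CONF))
    print("channels nobody logs to:", unreferenced_channels(LOGGING_CONF))
    print("after adding categories:", unreferenced_channels(FIXED_LOGGING_CONF))
```

The semicolon check deliberately treats a closed block as an unfinished statement, so a `}` immediately followed by another `}` is reported too; that is the same rule named applies when it demands `};` after every block.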

Re: Native pkcs#11 and auto-dnssec feature

2015-04-08 Thread Jeremy C. Reed
> My question is about auto-dnssec feature that maintain zone by 
> internally signing RRs. How this feature will work without a PIN since 
> BIND needs access to private key when it needs to resign automatically 
> and I didn't find a way to provide the PIN through configuration files?

Hi,

Does the reference manual section about providing the PIN help?
http://ftp.isc.org/isc/bind9/9.10.2/doc/arm/Bv9ARM.ch04.html#id2639064


Re: compile and install from source

2015-03-30 Thread Jeremy C. Reed
On Sun, 29 Mar 2015, INVALID_ADDRESS wrote:
> named_conf=/etc/namedb/named.conf # Path to the configuration file
...
> So I changed the path (in /etc/rc.conf) to /usr/local/sbin/named
> 
> But now I get:
> 
> $ /etc/rc.d/named start
> Starting named.
> /etc/rc.d/named: WARNING: failed to start named
> 
> But nothing is logged in /var/log/messages

Try running:

  /usr/local/sbin/named -g -c /etc/namedb/named.conf -u bind

to see what the output tells you.


Re: Finding authoritative server and last update

2015-02-03 Thread Jeremy C. Reed
On Tue, 3 Feb 2015, Robert Moskowitz wrote:

> I am trying to find out which comcast server is authoritative for
> 
> 4.254.253.50.in-addr.arpa
> 
> and when the zone file for the ptr rr was last updated.
> 
> I was told a week ago that the ptr would be updated, but I am still 
> not seeing any change...
> 
> I am not really good at keeping good notes on using dig.

Have a look at output from:

dig +trace 4.254.253.50.in-addr.arpa PTR

dig 254.253.50.in-addr.arpa SOA




Re: Finding authoritative server and last update

2015-02-03 Thread Jeremy C. Reed
By the way, it looks like the SOA MNAME has a misspelling typo in it. I 
wonder if that is on purpose to foil automated/unintelligent spammers.


Re: DNSSEC

2015-01-17 Thread Jeremy C. Reed
On Sat, 17 Jan 2015, John wrote:

> is there a separate DNSSEC mailing list?

You may use this bind-users list to discuss DNSSEC.

There are other lists for DNSSEC managed outside of ISC and not specific 
to BIND, such as:
Dnssec-deployment.org  (but I cannot access their mailman webpage 
currently)


BIND DNSSEC Guide draft

2014-12-31 Thread Jeremy C. Reed
ISC is seeking feedback and review for our first public draft of the 
BIND DNSSEC Guide.  It was written in collaboration with DeepDive 
Networking.

The document provides introductory information on how DNSSEC works, how 
to configure BIND to support some common DNSSEC features, as well as 
some basic troubleshooting tips.  It has lots of interesting content, 
including examples of using ISC's delv tool and using a common 
provider's web-based interface to manage DS records.

This is a beta edition of the guide. We'd appreciate any feedback or 
suggestions, good or bad. You may email me directly, or to our 
bind9-bugs@ bug tracker email, or back to this list as appropriate (such 
as needing further community discussion). Or you may use the GitHub to 
provide feedback (or fixes).  We plan to announce the first edition of 
this BIND DNSSEC Guide at the end of January.

The guide also has a recipes chapter with step-by-step examples of some 
common configurations. If you have any requests or would like to 
contribute some content, please let us know.

The beta of the guide is available in HTML and PDF formats at

http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html
http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.pdf

The docbook source for the guide is at GitHub:
https://github.com/isc-projects/isc-dnssec-guide/

Happy New Year!

  Jeremy C. Reed
  ISC



Re: BIND9 Return different IP address based on subnet

2014-12-27 Thread Jeremy C. Reed
On Sat, 27 Dec 2014, Christian Kette wrote:

> I have some questions. Q1: Why do I get the IP address 192.168.2.100 for
> DEV.home.lan from both the 192.168.2.0/24 and the 192.168.10.0/24 network?

The view that matches first is used.

> #include /etc/bind/named.conf.default-zones;
...
> Q2: What exactly are these zones in the file for? Do I need them?

You didn't include the file in the email. But I found a copy via google 
which may be the same.  You probably don't need it. (For example, the 
priming hints are builtin to named.)


Re: Dumping the statistics channel

2014-11-03 Thread Jeremy C. Reed
On Mon, 3 Nov 2014, Thomas Schulz wrote:

> I have been asked to dump the statistics to help document a suspected
> memory leak in named. When I look at the statistics with Firefox, I see
> a nicely formatted set of statistics. If I then dump the statistics to
> a file with wget and then use Firefox to view the file, I see data but
> there is no formatting and the output seems to be unreadable.
> 
> So, is this file what I should send to isc.org? Should I be using some
> options to wget to get a file that displays nicely in Firefox?
> I have also tried to use Firefox's 'Save Page As' option to dump the
> statistics, but that resulted in the same saved file as I got with wget.

I assume it is the correct file and the nice rendering is using the 
stylesheet also.


Re: bind-9.10.0-P2 memory leak?

2014-10-13 Thread Jeremy C. Reed
On Mon, 13 Oct 2014, Thomas Schulz wrote:

> I restarted bind 9.9.6 with a max-cache-size of 30M. We have 3 views.
> The initial process size was 36 MB. The process grew to 184 MB. It grew
> to 596 MB without the max-cache-size being set and was still growing
> when I restarted it.  BUT when I now do an rndc dumpdb -cache, the
> named_dump.db file contains only the line
> 
> ; Dump complete
> 
> and nothing else.
> 
> So, if you put any limit on the cache size, you will end up with an empty
> cache. I do believe that there is a bug that needs to be fixed.

I wasn't able to reproduce this with 9.9.6 (or a recent master).  Can 
you please send your configuration (like named-checkconf -px) to 
bind9-bugs AT isc.org? Thank you.


Re: BIND 9.10.1rc2 won't build on FreeBSD 10-STABLE

2014-09-12 Thread Jeremy C. Reed
On Fri, 12 Sep 2014, Mathieu Arnold wrote:

> Yes, you can't use bmake if you try to build the python bits, I had to
> force gmake in the port:

It looks to be a bug in the NetBSD bmake used by FreeBSD. I cannot find 
a bug report for it in FreeBSD. I opened one for NetBSD:
http://gnats.netbsd.org/49198x



Re: BIND 9.10.1rc2 won't build on FreeBSD 10-STABLE

2014-09-12 Thread Jeremy C. Reed
On Fri, 12 Sep 2014, Jeremy C. Reed wrote:

> It looks to be a bug in the NetBSD bmake used by FreeBSD. I cannot find 
> a bug report for it in FreeBSD. I opened one for NetBSD:
> http://gnats.netbsd.org/49198x

http://gnats.netbsd.org/49198

(My system types a random x on its own often. Imagine the frustration 
with using alpine mail client and vi.)


Re: BIND 9.10.1rc2 won't build on FreeBSD 10-STABLE

2014-09-12 Thread Jeremy C. Reed
On Fri, 12 Sep 2014, Mark Andrews wrote:

> Try collapsing the multiple .SUFFIXES into a single entry.

That doesn't work (for me).


Re: bind-9.10.0-P2 memory leak?

2014-09-12 Thread Jeremy C. Reed
On Tue, 9 Sep 2014, Thomas Schulz wrote:

> What version did you upgrade from? I am seeing bind 9.9.5 and 9.9.6
> grow without any evidence that it will ever stop. See my mail to this
> list with the subject Re: Process size versus cache size. Mine is
> growing slower than yours, but it is now up to 548 MB.

Can you copy and paste the out of memory error you are seeing?  Is it 
still growing? Does it appear to work?



Re: bind-9.10.0-P2 memory leak?

2014-09-12 Thread Jeremy C. Reed
> Can you copy and paste the out of memory error you are seeing?  Is it 
> still growing? Does it appear to work?

I see your other thread answers some.
https://lists.isc.org/pipermail/bind-users/2014-July/093618.html


Re: no servers found

2014-08-21 Thread Jeremy C. Reed
In the virtual server, use dig @a.b.c.d with the IP address of the DNS 
servers you want to use to see if that works.

If you are running named in that same virtual server, try dig 
@127.0.0.1.  If that works, then just change your resolv.conf to point 
to only that nameserver 127.0.0.1



Re: no servers found

2014-08-21 Thread Jeremy C. Reed
On Thu, 21 Aug 2014, Adamiec, Lawrence wrote:

> Using dig @My-NAME-SERVER works.  I am not running named on the virtual
> server using dig @ 127.0.0.1 does not work.

Okay. Then change your /etc/resolv.conf to contain just the nameserver 
and IP of that name server (and a couple others if you want) that 
works.

Re: geoip asnum matching

2014-08-21 Thread Jeremy C. Reed
On Thu, 21 Aug 2014, Dietrich Oberhausen wrote:

> I've got an issue with bind 9.10 and GeoIP asnum based matching.
> As far as I can tell I need to match not only the AS number but also
> the org name?
> 
> This works:
> match-clients { geoip asnum AS8767 M-net Telekommunikations GmbH,
> Germany; };
> 
> While these do not:
> match-clients { geoip asnum AS8767; };
> match-clients { geoip asnum 8767; };
> match-clients { geoip asnum 8767; };
> 
> This makes working with this feature unnecessarily complicated, especially
> when dealing with non-ASCII characters for example with
> AS27699 TELEF?NICA BRASIL S.A or AS28573 Servi?os de Comunica??o S.A..
> 
> Is there a way to only match the as number without the org name?
> 
> I'm using the free geolite maxmind asn database from
> http://dev.maxmind.com/geoip/legacy/geolite/

It is the string as defined as a single entry in the original database. 
I agree that just matching the first part (up to the first space) is 
good enough (like AS8767). (I looked at the 209K entries in the 
database and no AS number was ever reused with a different name, as 
expected, but maybe there could have been a mistake.)

I will forward this on to bind9-bugs so this can be improved. (Also the 
documentation didn't have any example about it, but the system tests 
did.)


Re: Runtime disable RRL

2014-08-19 Thread Jeremy C. Reed
On Tue, 19 Aug 2014, Olsen, Richard William (Rick) CTR DISA PEO-MA (US) wrote:

> Is there a runtime switch or config option to disable RRL. The bind 
> 9.9.5-S1 by default included the RRL enable but we would like to run 
> test with and without the RRL active.

There isn't a way to disable the code, but you can disable the 
rate limiting with:

 rate-limit {
  responses-per-second 0;
 };

If your tests involve builtin CHAOS, see
https://lists.isc.org/pipermail/bind-users/2014-May/093107.html

  Jeremy C. Reed
  ISC


Re: both recursive-only BIND9 went deaf until rebooted

2014-08-13 Thread Jeremy C. Reed
On Wed, 13 Aug 2014, lcon...@go2france.com wrote:

> fbsd 8.2 VM with BIND 9.9.5
> 
> fbsd 10.0-RELEASE VM with BIND 9.10.0-P2
> 
> the older machine had uptime of 400+ days, the new machine only a couple weeks
> 
> 24 hour query logging shows several million queries/day
> 
> At about the same time last night, both stopped answering queries until
> rebooted.
> 
> before reboot,
> 
> load of about 1 (we see elevated load alerts with ssh brute force attacks)
> 
> memory not swapping, plenty of free MBs.
> 
> nothing in syslog,
> 
> no sign of ssh brute force, ssh worked
> 
> rndc status showed ok
> 
> sockstat -4 showed  bind listening on :53

This part doesn't sound right.  sockstat should show the local IP (or 
host) and the :53 port for the local bound end of the socket for all 
the interfaces as allowed by listen-on. The sockstat output shouldn't be 
just :53 nor *:53 for example.

So maybe it wasn't listening to the interfaces that you expected since 
below you suggest that the loopback one did work.

Maybe something temporarily happened during the interface-interval scan 
and it detected that some interface went away? Do your logs have 
anything like no longer listening on 192.168.99.99#53? I wonder if 
rndc scan would have helped in that case to re-detect it before next 
interface-interval.

> all DNS queries from outside the machines timed out
> 
> ssh shell command:
> 
> dig @127.0.0.1 domain.tld any  answered normally
> 
> What other forensics could have been checked?
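As an added example for the sockstat point in this reply (written for this page, not part of the original message): compare the addresses named is actually bound to on port 53 with the addresses you expect from listen-on, which is the check that would have shown the external interfaces were no longer served. The sockstat -4 output is constructed in FreeBSD's column layout, and the listen-on set of 127.0.0.1 and 192.0.2.53 is assumed. A local address of only ':53' parses to an empty address and is reported as missing, while a '*' wildcard counts as covering every address.

```python
# Constructed sockstat -4 output in FreeBSD's column layout, for a named that is
# bound to loopback only although listen-on is expected to cover 192.0.2.53 too.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1234  20 udp4   127.0.0.1:53          *:*
bind     named      1234  21 tcp4   127.0.0.1:53          *:*
bind     named      1234  22 tcp4   127.0.0.1:953         *:*
root     sshd       901   4  tcp4   *:22                  *:*
"""

# Assumed listen-on addresses for this example (not taken from the thread).
EXPECTED_LISTEN = {"127.0.0.1", "192.0.2.53"}


def parse_sockstat(text, command="named"):
    """Return {(proto, address, port)} for every socket of one command.
    The address is '*' for a wildcard bind and '' if sockstat printed only ':port'."""
    socks = set()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 7 or fields[1] != command:
            continue
        proto, local = fields[4], fields[5]
        address, _, port = local.rpartition(":")
        socks.add((proto, address, int(port)))
    return socks


def dns_listeners(text, command="named"):
    """Addresses on which the command is bound to port 53, keyed by protocol."""
    bound = {}
    for proto, address, port in parse_sockstat(text, command):
        if port == 53:
            bound.setdefault(proto, set()).add(address)
    return bound


def missing_listeners(text, expected, command="named"):
    """Expected addresses that have no port-53 socket, per protocol.
    A '*' wildcard binding satisfies every expected address."""
    bound = dns_listeners(text, command)
    missing = {}
    for proto in ("udp4", "tcp4"):
        addresses = bound.get(proto, set())
        if "*" in addresses:
            continue
        gap = sorted(set(expected) - addresses)
        if gap:
            missing[proto] = gap
    return missing


if __name__ == "__main__":
    print("bound on :53 ->", dns_listeners(SAMPLE_SOCKSTAT))
    print("not listening ->", missing_listeners(SAMPLE_SOCKSTAT, EXPECTED_LISTEN))
```

On a live host the text would come from `sockstat -4` and the expected set from the listen-on statements in named.conf; an empty result from missing_listeners is the state the reply describes as correct.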


Re: test bind before moving to production

2014-07-03 Thread Jeremy C. Reed
On Thu, 3 Jul 2014, brian wrote:

> I'm new to bind. I want to be able to test the dns server on my local
> machine before launching it by putting the domain names (ie example.com) in
> my browser and browsing the site.
> 
> 
> Both the dev and production machines are CentOS. I assume I'll need to edit
> the host file to redirect to the local dns. But with this method I'm not
> sure how it will resolve multiple domains (i.e. example.com and
> example2.com).

The host file (/etc/hosts I assume) won't help. You can use 
/etc/resolv.conf and have nameserver line point to your localhost for 
testing.

Or use dig with the @ argument to set the address of the nameserver to 
use. For example, dig @127.0.0.1 www.example.com. Then also try that 
from outside systems to using the @ with the network interface's 
address.


Re: Cannot get allow-query-on to work

2014-07-02 Thread Jeremy C. Reed
> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> allow-query-on { 127.0.0.1; };

Please upgrade your BIND. There was a bug in allow-query-on that was
fixed since 9.8.6rc2.

Please note that currently allow-query-on is only used for zone 
configurations. Use allow-cache-on if restricting accessing cache (or 
allow-recursion-on like you also used).

Re: Error when using GeoIP

2014-07-01 Thread Jeremy C. Reed
On Tue, 1 Jul 2014, Ali Jawad wrote:

> [root@uk etc]# ls -lart /usr/share/GeoIP/
> 
> -rw-r--r--   1 root root 1206078 Jul  1 10:08 GeoIP.dat
> 
> 
> 
> The output from the logs is
> 
> Jul  1 14:38:56 uk named[1795]: using /usr/share/GeoIP as GeoIP directory
> 
> Jul  1 14:38:56 uk named[1795]: GeoIP Country (IPv4) (type 1) DB not
> available
> 
> Jul  1 14:38:56 uk named[1795]: GeoIP Country (IPv6) (type 12) DB not
> available

You may want to try another database.  I use GeoLiteCity.dat for 
testing. Make a symlink to it named /usr/share/GeoIP/GeoIP.dat

Maybe your geoiplookup tool appears to work but is providing different 
results not identified as country?  Does your geoiplookup output say 
GeoIP Country Edition?



Re: AIX and 9.9.5 compiling

2014-05-09 Thread Jeremy C. Reed
Currently, some of the systems that we automatically build and run 
various tests on include:

FreeBSD 4.11 i386
FreeBSD 6.3 i386
FreeBSD 8.4 i386
FreeBSD 10.0-CURRENT i386
Fedora 18 Linux 3.8.1-201.fc18.x86_64 x86_64 
Fedora 19 Linux 3.11.6-200.fc19.x86_64 x86_64 
HPUX B11.11 HPPA2.0w (HP 9000/800)
MacOSX 10.6.6 Darwin 10.8.0 x86_64
NetBSD 5.2 i386
NetBSD 6.0 i386
NetBSD 6.0.2 amd64
Solaris 10 SunOS 5.10 sun4u sparc SUNW,Sun-Fire-V240
Solaris 10 SunOS 5.10 sun4u sparc SUNW,UltraAX-i2
Solaris 11 SunOS 5.11 i86pc i386
Ubuntu 13.10 Linux 3.11.0-15-generic x86_64

The developers also use a variety of other systems like FreeBSD 
9.1-RELEASE-p4 amd64, Mac OS 10.8.4 and 10.8.5, Ubuntu Linux 13.04, 
Fedora 19 Linux, NetBSD 6, and others, but they may have newer versions 
than these.  There are also some Windows build systems with VS2005, 
VS2008, VS2010express, VS2010, and VS2012 (and maybe others).

I was also doing automated builds on OpenBSD, Debian, and Ubuntu LTS, 
but need to replace the server. Also our AIX machine crashed.

If you have a suggestion for an important or popular OS version I should 
add to our build farm, please let me know why. Thanks


Re: Issues in configuring Bind 9.10 in CentOS 6.3 with --open-ssl

2014-05-02 Thread Jeremy C. Reed
On Fri, 2 May 2014, Gaurav Kansal wrote:

> checking for OpenSSL library... using OpenSSL from /usr/lib and /usr/include
> 
> checking whether linking with OpenSSL works... no
> 
> configure: error: Could not run test program using OpenSSL from
> 
> /usr/lib and /usr/include.
> 
> Please check the argument to --with-openssl and your
> 
> shared library configuration (e.g., LD_LIBRARY_PATH).
> 
> 
> 
> I have OpenSSL and openssl-devel package installed in my machine.


The config.log debugging file should contain further details that may be 
used to troubleshoot this. Please look in config.log for lines around 
checking whether linking with OpenSSL works (and above ## Cache 
variables ## line).

Re: RRL active by default?

2014-05-02 Thread Jeremy C. Reed
On Thu, 1 May 2014, Lawrence K. Chen, P.Eng. wrote:

> Does compiling in RRL mean its active, even without a rate-limit {} 
> control block?

Only for the built-in Chaos _bind view (for id.server, authors.bind, 
hostname.bind, and version.bind).


RE: Issues in configuring Bind 9.10 in CentOS 6.3 with --open-ssl

2014-05-02 Thread Jeremy C. Reed
On Fri, 2 May 2014, Gaurav Kansal wrote:

> Config.log doesn't show any useful data to troubleshoot this.
> 
> configure:15338: checking for OpenSSL library
> 
> configure:15436: error: /usr/include/openssl//include/openssl/opensslv.h
> not found

You looked at config.log after you did a different ./configure run with 
the wrong --with-openssl=/usr/include/openssl/.

You want to run ./configure without the --with-openssl switch.

Then please look in config.log for lines around "checking whether 
linking with OpenSSL works" (and above the "## Cache variables ##" line).

(You don't have the "checking whether linking with OpenSSL works" in 
this output.)

> ## ---------------- ##
> ## Cache variables. ##


Re: RRL active by default?

2014-05-02 Thread Jeremy C. Reed

> On 05/02/14 09:23, Jeremy C. Reed wrote:
> > Only for the built-in Chaos _bind view (for id.server, authors.bind, 
> > hostname.bind, and version.bind).

On Fri, 2 May 2014, Lawrence K. Chen, P.Eng. wrote:
> Awww...I found messages about version.bind.

The workaround I use is like:

# for builtin tests do not rate-limit
# redefine chaos builtin zones
# can't redefine builtin view '_bind'
view "_dnsbench_bind" chaos {
    recursion no;
    notify no;
    allow-new-zones no;

    rate-limit {
        responses-per-second 0;
    };

    zone "version.bind" chaos {
        type master;
        database "_builtin version";
    };

    zone "hostname.bind" chaos {
        type master;
        database "_builtin hostname";
    };

    zone "authors.bind" chaos {
        type master;
        database "_builtin authors";
    };

    zone "id.server" chaos {
        type master;
        database "_builtin id";
    };
};

Or edit bin/named/config.c (you will quickly find the configuration) and 
make and install.


Re: GeoIP in 9.10 RC2

2014-04-30 Thread Jeremy C. Reed
> So the IPv4 Country DB is recognized and loaded, but digs from US to
> that server still result in queries from the ALL view, which is the last
> view in the config file and the test View above is the first View in the
> config file.

You may want to try the geoiplookup (provided by GeoIP software) to 
confirm that the IPs are really matching the database.


Re: GeoIP in 9.10 RC2

2014-04-30 Thread Jeremy C. Reed
On Wed, 30 Apr 2014, Ali Jawad wrote:

> view US {
> 
>        match-clients { US; };

For now please change to:

match-clients { geoip country US; };

Re: R: DNS with several ip adessess

2014-01-02 Thread Jeremy C. Reed
On Thu, 2 Jan 2014, wbr...@e1b.org wrote:

> When were views added to BIND?  We started using multiple 
> servers in BIND 4, and I don't recall views being available back then, 
> but I didn't configure the servers, just maintained the zones.

Views were introduced in BIND 9.0.0 (September 2000).


Re: BIND10 : how do I import zone files stored in mysql to BIND10 ?

2013-12-16 Thread Jeremy C. Reed
On Mon, 16 Dec 2013, blrmaani wrote:

> ok, so, If I have mysql DNS tables converted to sqlite3 format (binary 
> files) and then upload to BIND10, how do I do it?

Enable the auth server using the bindctl interface:

> config add Init/components b10-auth
> config set Init/components/b10-auth/special auth
> config set Init/components/b10-auth/kind needed
> config commit

The datasources should have a default configuration, like:

data_sources/classes/IN[0]/type sqlite3
data_sources/classes/IN[0]/params   {database_file: 
/home/reed/opt/bind10/var/bind10/zone.sqlite3}

Try:

> config show data_sources/classes/IN[0]/params

to see where you should put your database file.

> I will also try digging code meanwhile ..

Have fun

  Jeremy C. Reed
  ISC


Re: caps compiling error

2013-11-26 Thread Jeremy C. Reed
Please see 
https://kb.isc.org/article/AA-01060/0/Building-BIND-9.9.4-9.8.6-and-9.6-ESV-R10-on-RHEL-and-CentOS-with-libcap-dev-installed.html



Re: BIND9-ARM (HTML) feature request: better hyperlinking in/of chapter 6

2013-11-21 Thread Jeremy C. Reed
On Wed, 20 Nov 2013, /dev/rob0 wrote:

> Chapter 6 is the comprehensive configuration reference. What I'd like 
> to see is more (and plain-language, consistent) hyperlinking. The 
> basic idea is that any named.conf setting could be found at an 
> anchor:
> 
> Bv9ARM.ch06.html#that-setting

Yes that would be great. We do something similar with the unique log 
messages for BIND10 and Kea; for example:

http://bind10.isc.org/docs/bind10-messages.html#AUTH_XFRIN_CHANNEL_CREATED
http://bind10.isc.org/docs/bind10-messages.html#XFROUT_IXFR_NO_ZONE

The corresponding docbook code was like:

<varlistentry id="AUTH_XFRIN_CHANNEL_CREATED">
...
<varlistentry id="XFROUT_IXFR_NO_ZONE">

> This sounds grand and relatively simple, but in practice it will
> require some thought and work. For example, we have Grammar and 
> Definition and Usage subsections for each Statement section. 
> Which one would we link to? Ideally, both, but we'd have to think 
> about a good anchor naming scheme. I'd say that the name in each 
> Grammar should hyperlink to each Definition and Usage name and 
> vice versa.

I had thought about this several times. I published a print book based 
on the ARM and considered having the grammar for a specific item 
statement included next to the corresponding documentation -- so you 
don't have to look in multiple places.

> Also, what do we do in the case where the same setting is usable in 
> more than one context? Looking at Zone Options, with numerous "See 
> the description of ...", this would actually help, because it would 
> take you directly to the setting rather than to the subsection 
> heading.

Yes. I did a lot of work on this also, but never made it into the 
released ARM.

By the way, I have found that the maintained dblatex 
(http://dblatex.sourceforge.net/) framework is easier and more reliable 
to use than the existing db2latex stylesheets. Hopefully someday I can 
finish the conversion of our Makefiles to use it instead (or as an 
alternative).

Thank you much for your suggestions and potential work. If you have any 
questions or need assistance with the PDF/HTML builds, please let me 
know.  (I can also share my detailed plans with you.)


Re: Upgrade Bind documentation

2013-10-24 Thread Jeremy C. Reed
On Thu, 24 Oct 2013, Davis, Donald W wrote:

> Does anyone have any advice or perhaps documentation for upgrading Bind? I
> currently have two AIX servers running as Master/Slave. I need to upgrade
> from v9.8.1-P1 to v9.8.6.   I will need to document an implementation plan
> for change control and was hoping someone else may have something they can
> share.
> 
> I've browsed the ISC web site looking for release notes, install/compile
> instructions, migration plans, etc without much success.

Here are some links for you:

http://ftp.isc.org/isc/bind9/9.8.6/RELEASE-NOTES-BIND-9.8.6.txt
https://kb.isc.org/article/AA-01054/81/BIND-9.8.6-Release-Notes.html

The brief installation directions are in the tarballs' README file.

Our operating-system-specific hints are at
https://kb.isc.org/category/48/0/10/Software-Products/BIND9/FAQs/Operating-System-Specific/
but none for AIX.

We don't have a migration guide specific for 9.8 series (we do have a 
migration details from 8 to 9). I'd expect that all the configurations 
from 9.8.1 through 9.8.6 are compatible.  The 9.8.6 reference is at 
http://ftp.isc.org/isc/bind9/9.8.6/doc/arm/Bv9ARM.html
(and in the tarball).

I am working on a chart listing the major features introduced
and any incompatible changes to be aware of for all of our releases. But 
it is not ready yet.

  Jeremy C. Reed
  ISC

Re: the location of dig and named

2013-08-28 Thread Jeremy C. Reed
On Wed, 28 Aug 2013, Nidal Shater wrote:

> when I typed dig  or named ,,, what is the location of the executable
> program dig and named is ?

Maybe one of these will help:

command -v dig 
type dig 
which dig 
whereis dig

command -v named
type named
which named
whereis named

There are many other ways to find out.

If you built from source, the default is /usr/local/bin/dig and 
/usr/local/sbin/named.  Unless you used --prefix (or --sbindir or 
--bindir).

Re: auto-dnssec maintain and no key: no error message?

2013-07-30 Thread Jeremy C. Reed
On Tue, 30 Jul 2013, Stephane Bortzmeyer wrote:

> Of course, there is no signature:
> 
> % dig +multi @localhost SOA auto.rd.nic.fr

Add +dnssec


Re: Notice: BIND Security Jul2013 CVE2013-4854

2013-07-27 Thread Jeremy C. Reed
On Sat, 27 Jul 2013, Emil Natan wrote:

> How the downloads can be verified? Are there any checksums/signatures
> available? Thanks.

The signatures I created are available via the download server:

http://ftp.isc.org/isc/bind9/9.8.5-P2/
http://ftp.isc.org/isc/bind9/9.9.3-P2/
(also available via FTP)

  Jeremy C. Reed
  ISC


Re: make test fails on Fedora 10

2013-03-27 Thread Jeremy C. Reed
On Wed, 27 Mar 2013, Luther, Dan wrote:

> For the tests, BIND starts up with an empty group descriptor:
> 
> I:issuing command '/home/luther/bind-9.9.2-P2/bin/named/named -m
> record,size,mctx -T clienttest -c named.conf -d 99 -g > named.run 2>&1 & echo
> $!'

I guess you are talking about -g.  It is not a switch for group.

Re: make test fails on Fedora 10

2013-03-27 Thread Jeremy C. Reed
On Wed, 27 Mar 2013, Luther, Dan wrote:

> Working with the BIND 9.9.2-P2 compile, I just spent several minutes
> tracking the source of this down with some judicious use of 'print' in the
> 'bin/tests/system/start.pl' script and viewing the '*.run' output. It really
> comes down to file permissions -- a particular line from
> 'bin/tests/system/inline/ns1/named.run' pointed me in that direction:
> 
> 27-Mar-2013 14:24:53.970 could not open file 'named.pid': Permission denied
> 
> Apparently, the file ownerships for this entire test suite are for a user
> and group I do not have:
> 
> -rw-rw-r--  1 10292 9901  2806 Mar  6 11:56 run.sh

I assume you extracted the tarball as root.  If you are using GNU tar, 
have a look at the --same-owner documentation in the manual page about 
this.

Maybe your problem will go away if you extract as yourself.

BIND 10 - 1.0.0 Release Candidate

2013-02-14 Thread Jeremy C. Reed

Please feel free to participate and share your feedback on the BIND
10 mailing lists:

https://lists.isc.org/mailman/listinfo/bind10-users
https://lists.isc.org/mailman/listinfo/bind10-dev

Jeremy C. Reed
ISC Release Engineering



Re: Performance impact of a large ACL list.

2013-02-04 Thread Jeremy C. Reed
On Mon, 4 Feb 2013, Augie Schwer wrote:

> Does anyone have any experience using a large (> 1k) entry ACL list?
> Was there any performance degradation?
> 
> I haven't implemented my ACL yet, but it has quickly ballooned up, and I am
> hoping to get some advice from others in a similar situation.

It has been a few years since I researched this.  (I should re-add this 
to my existing performance and resource usage tests.)

BIND 9.5 had various ACL improvements including support for O(1) ACL 
processing, based on radix tree code. As one example, with 20,000 to 
100,000 ACLs some of my tests for 9.4 only had around 80 to 400 qps, 
while the new version had around 21,000 qps.

what do you use for logging?

2013-01-17 Thread Jeremy C. Reed
BIND 9 by default has logging using syslog, using its daemon facility, 
and logging of info or higher.

Is using syslog a sane default for new installations or when using 
official vendor packages with their startup scripts?

Do any packagers provide a configuration with different-than-default 
logging setup? (What and why?)

(I am researching this to help decide on a good default for BIND10. It 
currently logs to the console by default, but does have syslog and log 
to file support available. By the way, all of the BIND10 logging 
messages are unique and we provide a paragraph or more documentation for 
each of its 933 possible log identifiers!)

Thanks!

  Jeremy C. Reed
  ISC


BIND 10 - 1.0.0 Beta Release

2012-12-20 Thread Jeremy C. Reed
 distcheck' failure when running perfdhcp unit tests.
The unit tests used to read files from the folder specified
with the path relative to current folder, thus when the test was
run from a different folder the files could not be found.
(Trac #2479, git 4e8325e1b309f1d388a3055ec1e1df98c377f383)

515.[bug]   jinmei
The in-memory data source now accepts an RRSIG provided without
a covered RRset in loading.  A subsequent query for its owner name
of the covered type would generally result in NXRRSET; if the
covered RRset is of type NSEC3, the corresponding NSEC3 processing
would result in SERVFAIL.
(Trac #2420, git 6744c100953f6def5500bcb4bfc330b9ffba0f5f)

514.[bug]   jelte
b10-msgq now handles socket errors more gracefully when sending data
to clients. It no longer exits with 'broken pipe' errors, and is
also better at resending data on temporary error codes from send().
(Trac #2398, git 9f6b45ee210a253dca608848a58c824ff5e0d234)

513.[func]  marcin
Implemented the OptionCustom class for DHCPv4 and DHCPv6.
This class represents an option which has a defined
structure: a set of data fields of specific types and order.
It is used to represent those options that can't be
represented by any other specialized class.
(Trac #2312, git 28d885b457dda970d9aecc5de018ec1120143a10)

512.[func]  jelte
Added a new tool b10-certgen, to check and update the self-signed
SSL certificate used by b10-cmdctl. The original certificate
provided has been removed, and a fresh one is generated upon first
build. See the b10-certgen manpage for information on how to update
existing installed certificates.
(Trac #1044, git 510773dd9057ccf6caa8241e74a7a0b34ca971ab)

511.[bug]   stephen
Fixed a race condition in the DHCP tests whereby the test program
spawned a subprocess and attempted to read (without waiting) from
the interconnecting pipe before the subprocess had written
anything.  The lack of output was being interpreted as a test
failure.
(Trac #2410, git f53e65cdceeb8e6da4723730e4ed0a17e4646579)

510.[func]  marcin
DHCP option instances can be created using a collection of strings.
Each string represents a value of a particular data field within
an option. The data field values, given as strings, are validated
against the actual types of option fields specified in the options
definitions.
(Trac #2490, git 56cfd6612fcaeae9acec4a94e1e5f1a88142c44d)

509.[func]  muks
Log messages now include the pid of the process that logged the
message.
(Trac #1745, git fc8bbf3d438e8154e7c2bdd322145a7f7854dc6a)

508.[bug]   stephen
Split the DHCP library into two directories, each with its own
Makefile.  This properly solves the problem whereby a make
operation with multiple threads could fail because of the
dependencies between two libraries in the same directory.
(Trac #2475, git 834fa9e8f5097c6fd06845620f68547a97da8ff8)

Thanks again to those who contributed bug reports, code, and reviews.

Jeremy C. Reed
ISC Release Engineer



Re: Strange Issue

2012-12-12 Thread Jeremy C. Reed
On Wed, 12 Dec 2012, Paula Bailey wrote:

> I have a zone file in a view and there seems to be a single entry in the
> file that shows an NXDOMAIN when queried.
> 
> I have confirmed the view is correct and other entries are resolvable.  I
> have also run named-checkconf which shows no errors.  There are also no
> errors in the logs.
> 
> Any ideas?

You may want to verify you are querying the correct name server? (and 
enable extra logging for that)

Also it may be easier for others to point out problems if you show the 
actual configurations, data, reproducible steps, etc.

  Jeremy C. Reed
  ISC

Re: another performance tuning question

2012-11-30 Thread Jeremy C. Reed
On Fri, 30 Nov 2012, Adamiec, Lawrence wrote:

> I got similar results when running against the master server.

Then why so many lost?

   Queries sent:         11000 queries
   Queries completed:    8968 queries
   Queries lost:         2032 queries
...
   Percentage completed:  81.53%
   Percentage lost:       18.47%

Look at your queryperf data file and figure out what is not hosted by 
you.  Some of my systems get around 60,000 QPS with none lost.  If you 
really do host these on the same system, and they are really lost, then it 
will need other research.

Even if you are doing recursive work, your results are quite slow. You 
may want to look in your queryperf input to see what is causing 
problems. (It may not be a realistic, real world input set.)

Re: Need to improve named performance

2012-11-12 Thread Jeremy C. Reed
On Mon, 12 Nov 2012, Ed LaFrance wrote:

> Currently I'm not using query logging, it's not in my options at all.

I think rndc querylog was used to enable it (even if no corresponding 
logging configuration). You can use it again to toggle it off.  rndc 
status will show if query logging is on or off.

I think in an earlier message you said rndc didn't work for you, but 
your named.conf does have some configuration for it, so maybe you need 
to use a different rndc (maybe installed multiple times?) or point to 
the correct configuration.


Re: BIND 9.9.1-P4 is now available

2012-10-25 Thread Jeremy C. Reed
> Let me define what "hung" means in our experience:  We find that named is
> running but will not respond to queries, rndc status will respond with
> output but that output shows that named is not processing any queries (see
> below), other rndc commands appear to work as well (e.g., rndc dumpdb).

Does it work if you restart named?

If not, can you confirm it is listening on your intended interfaces 
(including 127.0.0.1) even if not working?

> $ time host www.google.com 127.0.0.1
> ;; connection timed out; no servers could be reached

Can you confirm that you can query for that without? (Such as  dig 
@216.239.34.10 www.google.com  or dig @8.8.8.8 www.google.com)

> $ time host localhost 127.0.0.1
> ;; connection timed out; no servers could be reached

Do you have a localhost zone defined? (Sometimes the messages from host 
like the one above are misleading and even the named may be working 
correctly but it is slow.)

  Jeremy C. Reed
  ISC

Re: Disable log message

2012-10-18 Thread Jeremy C. Reed
On Thu, 18 Oct 2012, Jack Tavares wrote:

> I am running bind9.8.x built from source and I see this message in the logs
> built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' 
> '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' 
> '--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset' 
> '--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool'  etc 
> etc etc 
> 
> I would prefer to not have that show up in the log.
> 
> Short of modifying the source, is there an easy way to disable that?

No way to disable just it. It is in the general catch-all category.


Re: squash 'client query (cache) denied' syslog entries

2012-10-18 Thread Jeremy C. Reed
On Thu, 18 Oct 2012, David Dowdle wrote:

> Some of my external facing nameservers are under attack, and the biggest
> fallout is the machines going into iowait from logging all the client query
> denied syslog messages.
> 
> note: yes, recursion is turned off on these machines.
> 
> The current logging is a very vanilla
> 
> logging {
>     category default { default_syslog; default_debug; };
>     category lame-servers { null; };
>     // below 2 lines are for logging EVERY query. this can fill a drive
>     //channel querylog { file "/var/log/named/query.log"; print-time yes; };
>     //category queries { querylog; };
> };
> 
> I'd like to keep logging going, for obvious reasons, but need to kill the
> 'client query (cache) denied' messages
> 
> so far all the google-found 'solutions' are: turn off all logging

Maybe discard all security logging with:

category security { null; };

Or set up a new channel for handling security with a severity of 
notice or higher -- and then set the category for security to use that 
custom channel. (This cache denied logging is at the info level so 
shouldn't be logged at notice or higher.)

A custom my_security_channel example is in the ARM documentation 
which may provide some hints.


Re: How to prevent BIND from resolving addresses in logs

2012-09-27 Thread Jeremy C. Reed
On Thu, 27 Sep 2012, Spumonti Spumonti wrote:

> I just installed BIND 9.9.1-P3 from source and while looking through 
> the query log files I noticed that IP addresses were being resolved:
> 
> 27-Sep-2012 12:01:56.512 client 192.168.5.10#44863 (host.foo.com): 
> query: www.ibm.com ...


That is:

2570.   [func]  Log the destination address the query was sent to.
[RT #19209]

> In my other servers which are running the redhat packaged version of 
> BIND (9.8.2), my query logs look like:
> 
> 27-Sep-2012 14:04:03.523 client 192.168.5.30#64638: query: www.amazon.com ...

> I'm sure there's something completely obvious that I've missed.  How 
> do I stop BIND from resolving these addresses and just including the 
> IP address in the log file?

That feature isn't offered. Is it inconvenient to know where the query 
was sent to?


Re: Issue with Minumum Value for named9

2012-09-21 Thread Jeremy C. Reed
On Fri, 21 Sep 2012, Robert JR wrote:

> i have the minimum value in my dns server as 60 mins, and my TTL is 60
> Seconds , but still when users hit a non exist record , the other dns hold
> the negative cache for 60 secs instead of 60 mins .. ? why ? 
> 
> $TTL 60
> @ IN SOA NS1.TEST.BIZ. Abuse.TEST.BIZ. (
>     201208281 ; serial, todays date + todays serial #
>     8H ; refresh, seconds
>     2H ; retry, seconds
>     4W ; expire, seconds
>     1H ) ; minimum, seconds
> ;
> 
> Despite my configuration above, all DNS servers that query my server cache
> the non exist record for 60 seconds only and not 60 mins
> as mentioned in my configuration ? any ideas why ?


See RFC 2308 in regards to Caching Negative Answers about how the auth 
server returns an SOA for a NXDOMAIN:

``When the authoritative server creates this record its TTL
is taken from the minimum of the SOA.MINIMUM field and SOA's TTL.''

It used the smaller TTL.

I often see the reverse -- for example, the SOA's TTL is 7200 and the 
MINIMUM is 3600, so the returned record (in the auth section) has the 
TTL as 3600.
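The RFC 2308 rule from the reply above, applied to the zone quoted in the question, as an added Python example (not code from the thread): it parses the $TTL directive and the SOA record with BIND time-unit suffixes and returns the TTL an authoritative server puts on the SOA of a negative answer, the smaller of SOA.MINIMUM and the SOA record's own TTL. The first zone is reconstructed from the question; the second is constructed with the 7200/3600 values from the reply, with placeholder names.

```python
import re

# BIND time-unit multipliers in seconds; a bare integer is already seconds.
_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

# Zone fragment reconstructed from the question above ($TTL 60, MINIMUM 1H).
ASKER_ZONE = """\
$TTL 60
@ IN SOA NS1.TEST.BIZ. Abuse.TEST.BIZ. (
    201208281 ; serial
    8H        ; refresh
    2H        ; retry
    4W        ; expire
    1H )      ; minimum
"""

# Constructed zone with the reverse situation from the reply: SOA TTL 7200,
# MINIMUM 3600. The names are placeholders.
REVERSE_ZONE = """\
$TTL 7200
example.test. IN SOA ns1.example.test. hostmaster.example.test. (
    1 1D 1H 1W 3600 )
"""


def parse_ttl(text: str) -> int:
    """Convert a BIND TTL such as '60', '1H', '4W' or '1D12H' to seconds."""
    text = text.strip().upper()
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([SMHDW])", text):
        if m.start() != pos:          # junk between unit groups
            raise ValueError(f"bad TTL {text!r}")
        total += int(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad TTL {text!r}")
    return total


def _flatten(zone: str) -> str:
    """Drop ';' comments and fold a parenthesised SOA onto one line."""
    no_comments = "\n".join(l.split(";", 1)[0] for l in zone.splitlines())
    return re.sub(r"\(([^)]*)\)",
                  lambda m: " " + m.group(1).replace("\n", " ") + " ",
                  no_comments)


def negative_ttl(zone: str) -> dict:
    """Return $TTL, the SOA's own TTL, SOA.MINIMUM and the negative-answer TTL
    (RFC 2308 section 5: min(SOA.MINIMUM, TTL of the SOA record))."""
    default_ttl = None
    for line in _flatten(zone).splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0].upper() == "$TTL":
            default_ttl = parse_ttl(tok[1])
            continue
        upper = [t.upper() for t in tok]
        if "SOA" not in upper:
            continue
        idx = upper.index("SOA")
        # Fields before SOA: owner (absent when the line starts with blanks),
        # then an optional TTL and/or class in either order.
        before = tok[:idx] if line[0].isspace() else tok[1:idx]
        soa_ttl = default_ttl
        for t in before:
            if t.upper() not in ("IN", "CH", "HS"):
                soa_ttl = parse_ttl(t)
        fields = tok[idx + 1:]   # mname rname serial refresh retry expire minimum
        if len(fields) != 7:
            raise ValueError("malformed SOA record")
        if soa_ttl is None:
            raise ValueError("SOA has no TTL and no $TTL precedes it")
        minimum = parse_ttl(fields[6])
        return {"default_ttl": default_ttl, "soa_ttl": soa_ttl,
                "minimum": minimum, "negative_ttl": min(soa_ttl, minimum)}
    raise ValueError("no SOA record in zone")


if __name__ == "__main__":
    for name, zone in (("question", ASKER_ZONE), ("reply", REVERSE_ZONE)):
        print(name, negative_ttl(zone))
```

For the asker's zone the result is 60 seconds, exactly what the resolvers were observed to cache; raising $TTL (or giving the SOA record an explicit TTL) is what moves the negative TTL up to the 1H MINIMUM.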

Re: Problem with ACL in named.conf

2012-08-29 Thread Jeremy C. Reed
On Thu, 30 Aug 2012, GS Bryan wrote:

> also-notify { alladdr; };

This uses an ip_addr instead of an address_match_list. Some versions of 
named-checkconf will tell you "expected IP address".

> /etc/named.conf:111: masters alladdr not found

I can't reproduce your problem. What version of BIND are you running?  
(I am surprised it didn't log the version.)  Also please consider using 
named-checkconf in your testing.


Re: Zone Transfer issue on BIND9

2012-08-24 Thread Jeremy C. Reed
On Fri, 24 Aug 2012, sn...@email.it wrote:

> ***MASTER server (FreeBSD 9.0-RELEASE-p3 (i386)|| BIND 9.8.3-P2)***

> view internal {
>     match-clients { !key TSIG-KEY; internal; datacentre; };

...

> view dmz {
>     match-clients { !key TSIG-KEY; internal; datacentre; };


A client request will be resolved in the context of the first view that 
it matches. The above match-clients are identical for different views so 
the dmz view is not used.


> ***SLAVE server (FreeBSD 9.0-RELEASE-p3 (amd64)|| BIND 9.8.1-P1)***

> view internal {
>     match-clients { !key TSIG-KEY; internal; datacentre; };

> view dmz {
>     match-clients { !key TSIG-KEY; internal; datacentre; };
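The first-match rule from the reply above, modelled as an added Python example (not code from the thread or from BIND): named serves a request from the first view in named.conf order whose match-clients list accepts it, and an address_match_list is itself decided by its first matching element, with a leading "!" turning that match into a rejection. The two views and the TSIG-KEY name are the ones quoted in the question; the acl bodies (internal, datacentre), the dmz_net prefix, the alternative view order and the sample clients are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Named ACLs as they might be declared with acl "internal" { ... };.
# The question did not show the acl bodies, so these prefixes are constructed.
ACLS = {
    "internal":   ["172.16.0.0/12"],
    "datacentre": ["10.0.0.0/8"],
    "dmz_net":    ["192.0.2.0/24"],   # constructed, for the alternative below
}


@dataclass(frozen=True)
class Client:
    address: str
    key: Optional[str] = None   # name of the TSIG key the request is signed with


def element_matches(element: str, client: Client) -> bool:
    """Does one un-negated address_match_list element accept the client?"""
    if element == "any":
        return True
    if element == "none":
        return False
    if element.startswith("key "):
        return client.key == element.split(None, 1)[1]
    if element in ACLS:                       # reference to a named ACL
        return list_matches(ACLS[element], client)
    return ip_address(client.address) in ip_network(element, strict=False)


def list_matches(match_list: list, client: Client) -> bool:
    """address_match_list semantics: the first element that matches decides.
    If that element carries a leading '!', the list rejects the client; if no
    element matches, the list does not match either."""
    for element in match_list:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!").strip(), client):
            return not negated
    return False


def select_view(views: list, client: Client) -> Optional[str]:
    """Name of the first view (in named.conf order) whose match-clients accepts
    the client, or None when no view does and named will not serve it."""
    for name, match_clients in views:
        if list_matches(match_clients, client):
            return name
    return None


def reachable_views(views: list, clients: list) -> set:
    """The set of views that a collection of sample clients ever lands in."""
    return {select_view(views, c) for c in clients}


# The master's two views as quoted in the question: identical match-clients.
QUESTION_VIEWS = [
    ("internal", ["!key TSIG-KEY", "internal", "datacentre"]),
    ("dmz",      ["!key TSIG-KEY", "internal", "datacentre"]),
]

# Constructed alternative: give dmz its own prefix list and list it first.
ALT_VIEWS = [
    ("dmz",      ["dmz_net"]),
    ("internal", ["!key TSIG-KEY", "internal", "datacentre"]),
]

# Constructed sample requests: an internal host, the datacentre address from
# the slave's allow-notify, a TSIG-signed request, and an outsider.
SAMPLE_CLIENTS = [
    Client("172.16.1.5"),
    Client("10.0.0.15"),
    Client("172.16.1.5", key="TSIG-KEY"),
    Client("192.0.2.9"),
]

if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        print(c, "->", select_view(QUESTION_VIEWS, c), "|", select_view(ALT_VIEWS, c))
```

With the quoted configuration, reachable_views() never contains "dmz", and a request signed with TSIG-KEY is rejected by both lists, so it lands in no view at all.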


Re: Zone Transfer issue on BIND9

2012-08-24 Thread Jeremy C. Reed
On Fri, 24 Aug 2012, sn...@email.it wrote:

> view internal {

...
> zone 1.16.172.in-addr.arpa IN {
>     type master;
>     file "/etc/namedb/master/1.16.172.in-addr.arpa.ext.zone";

Previous zone file names in this same view were called "int". Why the 
filename change? ("ext" means external even though in the "internal" 
view?)

> ***SLAVE server (FreeBSD 9.0-RELEASE-p3 (amd64)|| BIND 9.8.1-P1)***

> key TSIG-KEY. {
...

> allow-notify { 171.XX.YY.27; 10.0.0.15; };

> listen-on { 171.XX.YY.27; 127.0.0.1; };

Is the allow-notify 171.XX.YY.27 address same as the listen-on 
171.XX.YY.27 address? This is confusing as the allow-notify is a 
different server and listen-on is this server.

> view internal {
>     match-clients { !key TSIG-KEY; internal; datacentre; };

What defines that TSIG-KEY?  Notice it doesn't have the trailing period 
("TSIG-KEY.") as defined earlier.

From your later email:

> Files are identical within the DOMAIN, not the VIEW.
> For example, on the slave server:
> DOMAIN01.eu.int.zone
> DOMAIN01.eu.ext.zone
> 
> are exactly the same (also same checksum)

Are they a copy of the internal or external view's zone on the master?

It is a little difficult to follow the configuration when using maybe 
fake IP addresses, fake zone names, and fake filenames. You may want to 
simplify your named.conf to bare minimum (two views and one zone each) 
for initial testing.


Re: Version statement...

2012-08-18 Thread Jeremy C. Reed
How are you testing it? Where do you see the wrong version?


Re: Dig 9.9.1 AD-bit

2012-08-02 Thread Jeremy C. Reed
On Thu, 2 Aug 2012, Marco Davids (SIDN) wrote:

> Dig 9.9.1 is setting the AD-bit in queries by default.
> 
> Does anyone know why?


3205.   [func]  Upgrade dig's defaults to better reflect modern
nameserver behaviour.  Enable dig +adflag and
dig +edns=0 by default.  Enable +dnssec when
running dig +trace. [RT #23497]


> Took me a while to figure out, among other things because Wireshark has
> a little bug that prevents the AD-bit being shown in queries.
> 
> (reported as bug 2472 and 7555 on https://bugs.wireshark.org/bugzilla/)


Re: Operation cancelled Error

2012-05-24 Thread Jeremy C. Reed
On Thu, 24 May 2012, Ben wrote:

> version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
> CPUs found: 8
> worker threads: 8
> number of zones: 19
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> soa queries in progress: 0
> query logging is ON
> recursive clients: 6400/29900/3
> tcp clients: 0/100
> server is up and running
> 
> 
> i constantly watch rndc status command , and at recursive-clients tab ,
> first values increases maximum up to 6000-6500, why it is not going to
> maximum which i define 3..?

I don't know why it never reached the maximum. resperf should try to 
scale up to attempting 100,000 questions in its last second. (At 60th 
second I think; the final 40 seconds is waiting for responses.) It only 
tries 74038 during its total time, but I am not sure what is limiting 
it.

Maybe your datafile is not unique enough? Maybe your source port range 
is not large enough? So then BIND 9 is matching existing requests and 
dropping.

It depends a lot on the dataset. (I think I have seen around 17,000 
queries with resperf and as low as 236 qps -- in this case it was 
depending on number of ACLs.)

I don't know why you have the burst of operation canceled. (The 
ISC_R_CANCELED can happen from different problems.)

> rndc status shows 8 worker processes; when I checked by pgrep named, it
> shows only a single instance. So does it need to show 8 instances, or?

8 worker threads is different than 8 processes.

> Currently we use bind as a caching name server, so why does rndc status show
> number of zones 19?

The 19 zones are built-in zones. (See the ARM for the list.)

By the way, to set some comparison maximum baseline you can try having 
resperf query the built-in zones. (It won't be real recursive work, but 
should show you some potential maximum qps.)


  Jeremy C. Reed
  ISC


Re: Host command timing out sporadically

2012-05-02 Thread Jeremy C. Reed
On Wed, 2 May 2012, Paul Marais wrote:

> I'm having an issue where my postfix server is having trouble with some
> lookups.
> When I type 'host hostname', 80% of the time I get decent reply speed, but
> for 20% I get a 5 second delay, or even a timeout.
> 
> My nameserver is configured to only allow recursion for hosts on my local
> network, and I have my ISP dns in my forwarders.
> My resolv.conf has 127.0.0.1, my internal ip, and the ip for my isp DNS
> 
> Any help will be greatly appreciated.

You may want to give us some specific examples. 


Re: Convince Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Jeremy C. Reed
On Mon, 30 Apr 2012, Augie Schwer wrote:

> I must be doing something wrong, because what I want to do doesn't
> seem that difficult.
> 
> I have a range of IPs bound to a local interface:
> 
> lo:1  Link encap:Local Loopback
>   inet addr:10.0.0.1  Mask:255.255.255.224
> 
> And I want to convince Bind to listen on a sub-set of the given range (
> 10.0.0.2 for example ), yet when I configure that IP:
> 
>   listen-on { 10.0.0.2; };
> 
> Bind won't listen on that interface:
> 
> named[15035]: not listening on any interfaces
> 
> Bind has no problem listening on 10.0.0.1 however, so there must be
> some configuration option I am missing.
> 
> Any help is appreciated.
> 
> augie@augnix:~$ named -v
> BIND 9.7.0-P1

Your interface output above doesn't show the other IP.

Maybe you need to run something like:

ifconfig lo:1 10.0.0.2 up


Re: Logging issue with bind

2012-02-17 Thread Jeremy C. Reed
On Fri, 17 Feb 2012, Andrea Gozzi wrote:

> All further tests haven't produced any results.

Any related log messages in your other named logging about it. (Maybe 
some isc_stdio_open error for example?)

Why were the permissions of your log file rwxrwxrwx? (Why executable? 
Why writable by other?) (Your other email showed it changed to 
rw-r--r-- so maybe this is unrelated.) Just to be clear, did named 
create the zero byte file, or did you manually create it?

Is it possible there weren't any queries? (Maybe testing wrong system?)

Maybe your rndc is configured to control a different server so the 
querylog was enabled at wrong place?  (But maybe not since your 
named.stats file is growing.)

> Should I escalate this with the bind9-bug or to the debian package
> maintainer?

Anyone else reproduce problem?  (I tested and it still works for me, but 
not same version.)

What is the name and version of the Debian BIND package(s) you are 
using?


Re: Logging issue with bind

2012-02-16 Thread Jeremy C. Reed
On Fri, 17 Feb 2012, Mark Andrews wrote:

> > Do:
> > 
> > rndc querylog
> 
> or querylog yes;

But the previous email showed rndc status had:

query logging is ON



Re: make bind-9.7.4-P1 fails when --prefix and --exec-prefix switches are used

2011-11-30 Thread Jeremy C. Reed
On Wed, 30 Nov 2011, jagan padhi wrote:

> checking build system type... sparc-sun-solaris2.10


> checking for a sed that does not truncate output... ./configure: line 4579:
> /usr/bin/cmp: cannot execute binary file

What does this tell you?

  file /usr/bin/cmp

(Maybe you have /usr/bin/cmp for non-sparc?)


Re: make bind-9.7.4-P1 fails when --prefix and --exec-prefix switches are used

2011-11-17 Thread Jeremy C. Reed
I am unable to reproduce this (on a CentOS Linux system).

Please tell us about your platform, what shell, what make, and provide a 
copy of your full configure output, and config.log and generated 
bin/named/Makefile.  You may send these to me off-list if you'd like.

Thanks,

  Jeremy C. Reed
  ISC


nanny (was Re: bind-9.8.1: INSIST(! dns_rdataset _isassociated(sigrdataset)) failed)

2011-11-17 Thread Jeremy C. Reed
On Wed, 16 Nov 2011, Phil Mayers wrote:

> It might be good if bind were able to re-start itself, rather than dying
> outright (e.g. re-exec the process) but that is dangerous too; it's better
> done by an unrelated supervising process.

In the bind9 tarball's contrib directory there is a simple nanny perl 
script. Basically every 30 seconds it checks if the PID still exists and 
does a dig. If there is no PID, it starts named. If dig fails, it kills the 
process and starts named. And waits 120 seconds before checking again.

I am curious if any users of the nanny.pl script (or similar parent) had 
any crash but didn't notice it.  (Maybe look at logs to see if named 
started.)

Also what other types of nanny scripts do you use? (I already saw other 
emails with a few suggestions.)


Re: named web statistics

2011-07-06 Thread Jeremy C. Reed
On Wed, 6 Jul 2011, King, Harold Clyde (Hal) wrote:

> I know there is a web front end to DNS stats, but I can not remember the
> option in the named.conf that defines the port.
> I'm running 9.8.0-P4 (just now being able to upgrade to a version that
> supports the statistics)

statistics-channels  has optional port


Re: Description of log file contents

2011-04-14 Thread Jeremy C. Reed
It is in the ARM.

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#id2575842

(search for queries or querylog)


Re: bind8 and bind9 installed on the same server: possible?

2011-02-01 Thread Jeremy C. Reed
On Tue, 1 Feb 2011, hugo hugoo wrote:

> I plan to upgrade my nameservers from bind8 to bind9.
> I guess I will encounter some compatibility problems notably in the layout
> of the zone files
> 
> - can anybody give me the point of attention for this upgrade? Your
> experience will be appreciated.

The BIND 9 source includes BIND 8 to BIND 9 Migration Notes.

Please see doc/misc/migration

> - is it possible to install bind9 without removing bind8 in order to be able
> to easily and quickly switch from bind8 to bind9 and vice versa?

If installing from source, you can build BIND 9 using ./configure 
--prefix=/usr/local/bind9 (change the path as you like so as not to overwrite 
the existing installation).


  Jeremy C. Reed
  ISC

Re: rcode 5, refused since upgrade

2011-01-06 Thread Jeremy C. Reed
On Thu, 6 Jan 2011, jim wrote:

> Upgraded today from BIND 9.2.4 to BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1.
> Pretty much copied the named.conf file from one to the other.
> We are a slave for three other sites; two I download the zones OK, one I
> get REFUSED since the upgrade.

Check your BIND logging too.

Are you using allow-transfer configuration?

You may also want to read
http://www.isc.org/faq/item/773
and the ARM which describe some changes.


Re: error (broken trust chain) resolving

2010-11-23 Thread Jeremy C. Reed
On Wed, 24 Nov 2010, Brian J. Murrell wrote:

> Yeah, I was hoping to have caught the attention of a BIND developer
> here with all of this by now.  Perhaps they just don't hang out here.
> Maybe I will try to find out where to ask questions that they might
> see.

I was reading it all along, but could never reproduce. I thought it was 
a temporary issue.

I see your new bug report. Someone will follow up soon.



Re: clarification

2010-10-22 Thread Jeremy C. Reed
On Fri, 22 Oct 2010, rams wrote:

> I have a record in BIND as follows:
> 
> mxdomain.com. 86400 IN MX 65536 gmail.com.

How did you get named to load this?

If your named does load it, what version of BIND are you using?

You should get out of range. (See named-checkzone too.)

> When I query mxdomain.com. with type MX, what is the bind response? Is
> there any RFC that mentions this?

I didn't test with BIND 9 (because it can't load it), but BIND 10 
(using a SQL database) returns SERVFAIL.

Re: rndc.key vs. rndc.conf

2010-10-02 Thread Jeremy C. Reed
On Sat, 2 Oct 2010, online-reg wrote:

> Hi All: One more conf issue on bind 9.7.1-P2
> 
> After running rndc-confgen and reloading BIND I'm getting this error:
> 
> WARNING: key file (/etc/namedb/rndc.key) exists, but using default
> configuration file (/etc/namedb/rndc.conf)
> rndc: connection to remote host closed
> This may indicate that
> * the remote server is using an older version of the command protocol,
> * this host is not authorized to connect,
> * the clocks are not synchronized, or
> * the key is invalid.
> 
> It seems like I have a valid key in both files...what do I need to change?

And clocks are close in time?

Also this same problem could happen if you have a custom key file, but 
it is still using the default configuration file instead (so maybe using 
old, wrong key).

Re: PKCS#11 engine implementation

2010-03-03 Thread Jeremy C. Reed
On Wed, 3 Mar 2010, Nikolay Elenkov wrote:

> I've a few questions about the PKCS#11 support in BIND 9.7,
> specifically the OpenSSL engine implementation. Is this the right
> place to ask? There appears to be no bind-dev mailing list.

I see you already asked your question. This list is okay.

There is a developers list. It is called bind-workers.

https://lists.isc.org/mailman/listinfo/bind-workers


Re: no hostname become unresolvable.

2010-02-23 Thread Jeremy C. Reed
> @   IN  MX 10   mail.man169.com.

Try adding here:

@   IN  A   202.68.195.36

> www IN  A   202.68.195.36

Re: ISC BIND 9.7.0 syslog recorded notices

2010-02-19 Thread Jeremy C. Reed
On Fri, 19 Feb 2010, ic.nssip wrote:

> I just installed ISC 9.7.0 on one of our x86 SUN Solaris 10 machines.
> I did a fresh local compiled install with all default settings.
> It looks like DNS is working fine for customers (anyway the time is too short
> to conclude that), but my syslog suddenly got populated with tons of
> daemon.notice messages about all kinds of DNS format errors from different
> other servers.
> 
> Is something wrong with my DNS server?
> There were no notices like these before when I was running BIND 9.6.1-P1.
> 
> I attached a short capture from syslog.
> 
> Any advice would be appreciated.

Hi. This is a new feature as listed in CHANGES file:

2770.   [cleanup]       Add log messages to resolver.c to indicate events
                        causing FORMERR responses. [RT #20526]

Yes, it does seem busy for you.

Some log messages could maybe be made clearer, for example:

stats.surfaid.ihost.com/
no SOA returned
 
ns6.chordhurry.ru./
In SOA . is not chordhurry.ru.
 
ns1.dayeither.com.
In SOA . is not dayeither.com



Re: ISC BIND 9.7.0 syslog recorded notices

2010-02-19 Thread Jeremy C. Reed
On Fri, 19 Feb 2010, Jeremy C. Reed wrote:

> Some log messages could maybe be made clearer, for example:
> 
> stats.surfaid.ihost.com/
> no SOA returned

Not sure why I saw that. Looking again I see com. But I have other 
problems there too.



Re: strange problem

2010-02-08 Thread Jeremy C. Reed
Please provide real names.


Re: Fatal Error in resolver.c

2010-01-21 Thread Jeremy C. Reed
Thank you very much for your bug report. For your
information, you can also submit bugs to our bind9-bugs
AT isc.org email address.  Your issue is now being
tracked as ticket # 20923.


Re: Problem with ZONE (subdomain)

2010-01-19 Thread Jeremy C. Reed
On Tue, 19 Jan 2010, Michelle Konzack wrote:

> Jan 19 18:56:42 samba3 named[18333]: 19-Jan-2010 18:56:42.920 general:
> error: dns_master_load: /etc/bind/net.tamay-dogan.debian:18:
> lists.debian.tamay-dogan.net: CNAME and other data


See line 18 and then look for lists.


Re: dig query

2010-01-06 Thread Jeremy C. Reed
On Wed, 6 Jan 2010, Michael Sinatra wrote:

> I tried this out and I noticed that both BIND and unbound appear to
> behave the same way when using dig in this manner.  So both of the
> major validating implementations support it.  I don't see specific
> reference to using the AD flag in queries in the RFCs (at least on a
> cursory glance), but it's a very useful feature.

See bottom of 4.7 in 
http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-bis-updates-09
about using AD in query.



Re: blackhole'd IP receiving referral?

2009-12-18 Thread Jeremy C. Reed
On Fri, 18 Dec 2009, Len Conrad wrote:

> dig'ging from a !mynets IP receives a referral to rather than
> time-out/silence.

Please show us. Does dig and tcpdump (or other packet trace) show where 
the response actually comes from?


Re: Insecure response BIND 9.7.0b2

2009-11-19 Thread Jeremy C. Reed
On Thu, 19 Nov 2009, David Forrest wrote:

> Logged: Nov 19 12:13:45 maplepark named[23329]:   validating @0x17b7980:
> dlv.isc.org SOA: got insecure response; parent indicates it should be secure
> 
> What does this mean?

This is documented in the ARM. The parent zone says (published DS) that 
it should have been signed.



Re: System Resolver Test App?

2009-11-11 Thread Jeremy C. Reed
http://www.reedmedia.net/software/gethost/


Re: multiple internal views not working (requested conf files and logs)

2009-11-02 Thread Jeremy C. Reed
On Mon, 2 Nov 2009, Paul Krash wrote:

> view internal {
> 
> zone eng.exegy.net {

Do you have anything to match here? By default, match-clients and 
match-destinations default to matching all addresses (even not 
internal). So when you reversed, the other view (dot5) would never 
match and wouldn't work.



Re: call for testers (Re: ISC BIND 9.7.0b1 is now available)

2009-10-22 Thread Jeremy C. Reed
> Possibly also useful to report success here so that many people aren't
> needlessly repeating the same test.

- NetBSD 4.99.62 amd64, gcc 4.1.3 20080202 prerelease (NetBSD nb1 20080202)

- NetBSD 5.0.0_PATCH i386, pcc 0.9.9 (HEAD) for i386-unknown-netbsdelf5.0.0.


Re: Problem on CNAME configuration.

2009-10-05 Thread Jeremy C. Reed
On Mon, 5 Oct 2009, Cyril Gaudin - Rodacom wrote:

> But in my browser, if I write http://myapplication/, the dns request
> failed.
> 
> Here is the bind log (192.168.6.28 is my computer):
> 
> queries: client 192.168.6.28#36728: query: myapplication.home.fr IN A +
> queries: client 127.0.0.1#56888: query: myapplication IN A +
> queries: client 127.0.0.1#56888: query: myapplication IN A +
> 
> I don't understand why the first request didn't respond? And why
> there's a second request without the domain name?

You may want to ask your browser users list.

Some browsers don't use the system's resolver libraries and may do DNS 
lookups their own way.

What browser are you using?


Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-23 Thread Jeremy C. Reed
> It looks like that the authoritative name server for youbei.cc
> actually did return some answers, but somehow bind gave a FORMERR for
> some unknown reasons, which I think caused a SERVFAIL to be
> reported in turn. Interestingly, dig any youbei.cc +trace ran
> successfully and did not report any error.
> 
> Does anyone know what might have caused this problem?

My custom named logs:

23-Sep-2009 15:00:29.749 resolver: notice: FORMERR: Type didn't match (ANY != A)
23-Sep-2009 15:00:29.770 resolver: notice: FORMERR: Reply has no answer.

named wants to know: is the question the same as the one we asked?

I think 72dns.com has a broken DNS server.

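The CHANGES entry quoted earlier on this page (dig 9.9.1 setting the AD bit in queries by default) and the FORMERR notices in this message both come down to the same few header and question-section fields of a DNS message. The following is an added example, not code from the thread or from BIND: it builds a dig-style query with RD and AD set, parses the header and question section of a reply, and applies the kind of sanity checks a resolver makes before trusting a reply, reporting mismatches in the wording of the notices above. The names, IDs and addresses are constructed, and the check logic is this example's own, not resolver.c's.

```python
import struct

# Minimal DNS wire-format helpers (RFC 1035 header + question section).
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "AAAA": 28, "ANY": 255}
TYPE_NAME = {v: k for k, v in QTYPE.items()}
CLASS_IN = 1

FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data (what dig 9.9.1 now sets in queries)
FLAG_CD = 0x0010  # checking disabled
RCODE_MASK = 0x000F


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qid, qname, qtype, flags=FLAG_RD | FLAG_AD):
    """Build a query the way a modern dig does: RD and AD set, one question."""
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], CLASS_IN)


def parse_message(msg):
    """Parse the header and question section of a DNS message."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name.lower(), qtype, qclass))
    return {"id": qid, "flags": flags, "qdcount": qd, "ancount": an, "questions": questions}


def has_ad_flag(msg):
    return bool(parse_message(msg)["flags"] & FLAG_AD)


def build_reply(query, reply_qtype=None, answers=1, rcode=0):
    """Constructed reply to `query`; optionally echo a different question type
    or send no answer records, to exercise check_reply()."""
    q = parse_message(query)
    name, qtype, qclass = q["questions"][0]
    if reply_qtype is not None:
        qtype = QTYPE[reply_qtype]
    flags = FLAG_QR | FLAG_RA | (q["flags"] & FLAG_RD) | rcode
    msg = struct.pack("!HHHHHH", q["id"], flags, 1, answers, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, qclass)
    for _ in range(answers):
        # A record whose owner is a pointer (0xC00C) to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, QTYPE["A"], CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return msg


def check_reply(query, reply):
    """Return the FORMERR-style reasons a resolver would have to distrust `reply`
    as an answer to `query`; an empty list means it is acceptable."""
    q, r = parse_message(query), parse_message(reply)
    reasons = []
    if r["id"] != q["id"]:
        reasons.append("ID didn't match")
    if not (r["flags"] & FLAG_QR):
        reasons.append("Not a response")
    if r["qdcount"] != 1 or not q["questions"]:
        reasons.append("Question count didn't match")
    else:
        qname, qtype, qclass = q["questions"][0]
        rname, rtype, rclass = r["questions"][0]
        if rtype != qtype:
            reasons.append("Type didn't match (%s != %s)"
                           % (TYPE_NAME.get(qtype, qtype), TYPE_NAME.get(rtype, rtype)))
        elif (rname, rclass) != (qname, qclass):
            reasons.append("Question section didn't match")
    if not reasons and (r["flags"] & RCODE_MASK) == 0 and r["ancount"] == 0:
        reasons.append("Reply has no answer.")
    return reasons


if __name__ == "__main__":
    q = build_query(0x1234, "example.com", "ANY")
    print(check_reply(q, build_reply(q)))
    print(check_reply(q, build_reply(q, reply_qtype="A")))
    print(check_reply(q, build_reply(q, answers=0)))
```

The second call reproduces the first notice in the log above (an ANY query answered with a question section saying A), and the third the second notice. A real resolver also checks the reply's source address and port against the outstanding query, which a wire-format parser alone cannot show.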


Re: 9.7.0a2 - deny-answer-addresses

2009-08-21 Thread Jeremy C. Reed
On Fri, 21 Aug 2009, clemens fischer wrote:

> BIND 9.7.0a2 built with '--prefix=/opt/bind/9.7.0a2'
> '--with-openssl=yes' '--disable-linux-caps'
> '--sysconfdir=/usr/local/etc' '--localstatedir=/var' 'CFLAGS=-O'

Thank you very much for testing the alpha release.

>   deny-answer-addresses {
>   127/8; 192.168/16; 10/8; 172.16/12;
>   } except-from {
>   zen.spamhaus.org;
>   dnsbl-1.uceprotect.net;
>   dnsbl-1.uceprotect.net;

This is repeated, resulting in already exists (via the RBT code).

Maybe we can improve the configuration failure logging for this.

>   ix.dnsbl.manitu.net;
>   };
> 
> I get:
> 
>   received SIGHUP signal to reload zones
>   loading configuration from '/usr/local/etc/named.conf'
>   ...
>   reloading configuration failed: already exists
> 
> Putting a suitably modified version of deny-answer-addresses into
> a forwarder zone returns:

Not supported in a type forward zone.



Re: 9.5.1-P1 to 9.6.1-P1

2009-07-29 Thread Jeremy C. Reed
On Wed, 29 Jul 2009, Sandy Mackenzie wrote:

> Any known gotcha's for this upgrade?

The significant 9.6.0 changes are listed at
https://www.isc.org/software/bind/new-features/9.6

The BIND 9.6.1 minor release has numerous improvements
especially in portability, documentation, and DNSSEC.

The release also includes the recent security fixes: correctly check the 
OpenSSL DSA_do_verify() and EVP_VerifyFinal() function results; and 
handling unknown algorithms in the DNSSEC lookaside validation. (Note that 
the BIND 9.6.0 version was not susceptible to the reported cases because 
it already had NSEC3 algorithm support.)

The behavior of default allow-query-cache option has now changed to also 
possibly be affected by recursion no;. If the allow-query-cache option 
is not set, then the default for which hosts are allowed to get answers 
from the cache is determined by other configurations in the following 
order:

1) The allow-recursion ACL, if configured.

2) A recursion no; configuration implies none;.

3) The allow-query ACL, if configured.

4) Barring all of the above, the final default is { localnets;
localhost }.

So in other words, if you have defined recursion no; and have not defined
the allow-query-cache, allow-recursion, and allow-query ACLs, then
the default will be  allow-query-cache { none; } and clients will
not have access to the cache. This is a change from 9.3.6, 9.4.3, 9.5.1,
and 9.6.0.  For more details, see the ARM.

The contrib/zkt was updated to version 0.98.

BIND 9.6.1 introduces a new logging category called query-errors which 
provides detailed internal information about query failures, such as server 
failures. (This is documented in the ARM.)

Also, new experimental statistics counters were added, including for
socket I/O events and query RTT (round trip time) histograms.

And a bind.keys file is included in the source tree which contains the 
recent dlv.isc.org trust anchor for the administrator's convenience.

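The four-step default for allow-query-cache described above is easy to get wrong when reading a named.conf by eye, and the security-relevant case is the authoritative-only server that used to hand out cache contents. The following is an added example, not code from the thread or from BIND: a small matcher that pulls the relevant statements out of a constructed options block and returns the ACL the cache would effectively be served under, in the precedence order given in the message. The configuration fragments are constructed; the matcher handles flat address lists only, not nested or named ACLs.

```python
import re

# Constructed named.conf fragments; none of these come from the thread.
CONF_AUTH_ONLY = """
options {
    directory "/var/named";
    recursion no;
};
"""

CONF_AUTH_WITH_ALLOW_QUERY = """
options {
    recursion no;
    allow-query { any; };
};
"""

CONF_RESOLVER = """
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; localhost; };
    allow-query { any; };
};
"""

CONF_BARE = """
options {
    directory "/var/named";
};
"""

ACL_STATEMENTS = ("allow-query-cache", "allow-recursion", "allow-query")


def parse_options(text):
    """Extract the statements that decide the cache ACL from an options block.
    Flat address lists only; a nested or named ACL is out of scope here."""
    cfg = {}
    for stmt in ACL_STATEMENTS:
        # \b keeps 'allow-query' from matching inside 'allow-query-cache'
        m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(stmt), text)
        if m:
            cfg[stmt] = [e.strip() for e in m.group(1).split(";") if e.strip()]
    m = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    if m:
        cfg["recursion"] = m.group(1)
    return cfg


def effective_allow_query_cache(cfg):
    """Return (acl, rule) following the 9.6.1 order given in the message above."""
    if "allow-query-cache" in cfg:
        return cfg["allow-query-cache"], "explicit allow-query-cache"
    if "allow-recursion" in cfg:
        return cfg["allow-recursion"], "1) allow-recursion"
    if cfg.get("recursion", "yes") == "no":
        return ["none"], "2) recursion no"
    if "allow-query" in cfg:
        return cfg["allow-query"], "3) allow-query"
    return ["localnets", "localhost"], "4) built-in default"


def cache_acl_for(text):
    return effective_allow_query_cache(parse_options(text))


if __name__ == "__main__":
    for name, conf in (("auth-only", CONF_AUTH_ONLY),
                       ("auth + allow-query any", CONF_AUTH_WITH_ALLOW_QUERY),
                       ("resolver", CONF_RESOLVER), ("bare", CONF_BARE)):
        print(name, "->", cache_acl_for(conf))
```

The second fragment is the one worth noticing: `allow-query { any; }` next to `recursion no;` no longer opens the cache to the world, because step 2 is consulted before step 3.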


Re: querylog entries

2009-06-12 Thread Jeremy C. Reed
On Fri, 12 Jun 2009, R Dicaire wrote:

> Hi folks, just upgraded from 9.4x to 9.6.1, and looking at my
> query.log I'm seeing entries appended with -EC, -ED , -EDC, etc.
> What does this indicate, and where can I read up on what they mean?

Hi, I am just copying and pasting from the great ARM which is included 
with BIND:

> The query log entry reports the client's IP address and
> port number, and the query name, class and type.  It also
> reports whether the Recursion Desired flag was set (+ if
> set, - if not set), if the query was signed (S), EDNS was
> in use (E), if DO (DNSSEC Ok)  was set (D), or if CD
> (Checking Disabled) was set (C).

Jeremy C. Reed
ISC

echo ... naq ninvynoyr va cevagrq obbx sbezng. | \
 tr noqrsvxyzabcegi abdefiklmnoprtv
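A parser for the query log format the ARM excerpt describes, as an added example that is not part of the thread or of BIND. It decodes the `+`/`-` recursion-desired marker and the S/E/D/C letters into the ARM's terms, and counts recursion-desired queries per client, which is the first thing to look at when checking whether hosts outside your networks are sending recursive queries. The log lines are constructed samples in the 9.6.1 shape (the earlier message on this page shows the same shape without the letter suffix); the client addresses and names are made up.

```python
import re
from collections import Counter

# Constructed sample of a BIND 9.6.1 query log.
SAMPLE_QUERY_LOG = """\
12-Jun-2009 10:15:01.123 queries: info: client 10.0.0.5#40213: query: www.example.com IN A +
12-Jun-2009 10:15:01.456 queries: info: client 10.0.0.5#40214: query: example.com IN MX +E
12-Jun-2009 10:15:02.001 queries: info: client 192.0.2.77#53011: query: example.org IN ANY -EDC
12-Jun-2009 10:15:02.377 queries: info: client 192.0.2.77#53012: query: example.net IN DNSKEY +ED
12-Jun-2009 10:15:03.900 queries: info: client 10.0.0.9#1025: query: host.example.com IN A +S
"""

QUERY_RE = re.compile(
    r"client (?P<addr>[^#\s]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<rd>[+-])(?P<flags>[SEDC]*)\s*$"
)

FLAG_MEANING = {
    "S": "signed",
    "E": "EDNS",
    "D": "DNSSEC OK (DO)",
    "C": "checking disabled (CD)",
}


def parse_query_log_line(line):
    """Return the fields of one query log line, or None if it is not a query entry."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    flags = m.group("flags")
    return {
        "client": m.group("addr"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "qclass": m.group("qclass"),
        "qtype": m.group("qtype"),
        "recursion_desired": m.group("rd") == "+",
        "signed": "S" in flags,
        "edns": "E" in flags,
        "dnssec_ok": "D" in flags,
        "checking_disabled": "C" in flags,
    }


def describe_flags(suffix):
    """Spell out a suffix such as '-EDC' in the ARM's terms."""
    parts = ["recursion desired" if suffix[:1] == "+" else "recursion not desired"]
    parts += [FLAG_MEANING[c] for c in suffix[1:] if c in FLAG_MEANING]
    return ", ".join(parts)


def summarize(log_text):
    """Count recursion-desired queries per client and how often each flag appears."""
    rd_by_client = Counter()
    flag_counts = Counter()
    for line in log_text.splitlines():
        entry = parse_query_log_line(line)
        if entry is None:
            continue
        if entry["recursion_desired"]:
            rd_by_client[entry["client"]] += 1
        for key in ("signed", "edns", "dnssec_ok", "checking_disabled"):
            flag_counts[key] += entry[key]
    return {"rd_by_client": rd_by_client, "flags": flag_counts}


if __name__ == "__main__":
    for line in SAMPLE_QUERY_LOG.splitlines():
        entry = parse_query_log_line(line)
        suffix = line.rsplit(" ", 1)[-1]
        print(entry["client"], entry["qtype"], "->", describe_flags(suffix))
    print(summarize(SAMPLE_QUERY_LOG))
```

Later BIND versions append further fields after the flags (and a `(server address)` element), so the trailing `\s*$` anchor would need loosening for logs from those releases.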

