Re: srv lookup in record

2020-08-25 Thread John Levine
In article you write: >> [@temp3]$ dig +short srv _http-apps._server.test._tcp.marathon.mesos >> 0 1 31024 server.test-usbzr-s3.marathon.mesos. >> 0 1 31852 server.test-z9x84-s3.marathon.mesos. >> 0 1 31790 server.test-k7g8r-s4.marathon.mesos. These SRV records say that the service is on ports

Re: SRV is not CNAME, was srv lookup in record

2020-08-22 Thread John Levine
In article you write: >On 2020-08-21 16:26, Marc Roos wrote: >> Is it possible to use srv lookups, like eg cname. I do not want to >> create SRV record, I just want to 'get' the ip addresses, that I would >> get via srv lookup. > >SRV records are more than just pointers to a specific server,

Re: Invalid class in dns query

2020-08-05 Thread John Levine
In article you write: >Hi all, > >Looking for a temporary work around, while an issue gets resolved. I have a >DNS query coming in with an invalid class requested (65 or 0x41). The only classes ever assigned were 1, 2, 3, 4, and pseudo-classes 254 and 255. What is class 65 supposed to be? Why

Re: Best way to force a TC=1 response?

2020-05-26 Thread John Levine
In article you write: >What's the best way to force an A query via UDP to return a TC=1 result: >a really long CNAME chain? I'd suggest lots of records. You could do it with A records but you'd need four times as many $ dig wordy.examp1e.com ;; Truncated, retrying in TCP mode. ;

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread John Levine
In article you write: >On 5/6/20 4:12 PM, John Levine wrote: >> Since they can't access the root servers, how do you expect them to >> do DNS lookups at all? >There is a copy of the root zone in the environment. > >There is also enough net zon

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread John Levine
In article you write: >On 5/6/20 3:40 PM, John Levine wrote: >> Can clients on the internal network contact hosts in the outside >> world, or is it really disconnected? >It depends on which particular lab is being used and what is being tested. >

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread John Levine
In article you write: >On 5/6/20 2:29 PM, Grant Taylor wrote: >> That's one of the hard requirements of what I'm doing. Not doing that >> is not an option. > >To elaborate, the internal clients are in a sequestered network which >will never have outside access to it. As such,

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread John Levine
ifferent networks could work, although you're asking for trouble with route leaks anytime someone adjusts a router anywhere near one or the other. Remember that with normal anycast all of the mirrors send identical or at least equivalent answers so the routes are not a security issue. -- Regards,

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread John Levine
> >I don't see any options that avoid anycast. This really seems like ordinary split horizon DNS. -- Regards, John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly

Re: DoH plugin for BIND

2020-05-02 Thread John Levine
In article you write: >On Sat, 2 May 2020, Michael De Roover wrote: > >> Even if your ISP allows it, chances are that other mail servers will >> reject it ... >My residential-class static IP mail server has never had problems >delivering mail. I've checked it many times over the years on many

Re: Using different OS for Master and Slaves

2019-11-13 Thread John Levine
In article you write: >I suspect the pain he was referring to is not really DNS-specific, but >just due to having to manage servers with different operating systems. >This means using a more diverse set of management tools, different >configuration syntax, etc. I have masters running NSD on

Re: Proper Way to Configure a Domain which never sends emails

2019-08-20 Thread John Levine
In article you write: >On 20/08/2019 at 9:28, Marco Davids via bind-users wrote: >> A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be useful. >Wouldn't that imply having DKIM set up for the domain? No, of course not. It says that if mail isn't authenticated, reject it. An

Re: Bind has a database option instead of zone files?

2019-01-27 Thread John Levine
In article you write: >On 1/27/19 8:57 AM, John Levine wrote: >> No. If that's what you want to do, I'd suggest looking at PowerDNS. > >John, why would you recommend PowerDNS over BIND's DLZ options? PowerDNS was designed to serve the data out of databases a

Re: Bind has a database option instead of zone files?

2019-01-27 Thread John Levine
In article you write: >Greetings!! >Does Bind have a database option to read zones [if zones are in database] >instead of zone files? If yes, how to set it up? Can someone help me. No. If that's what you want to do, I'd suggest looking at PowerDNS.

Re: Reverse lookup for classless networks

2018-12-27 Thread John Levine
In article you write: >On 12/27/18 11:24 AM, John Levine wrote: >> Well, there's those pesky old DNS standards, but we're used to software >> working around screwed up zones. > >Agreed. Which standard(s) does this run afoul of? > >> If th

Re: Reverse lookup for classless networks

2018-12-27 Thread John Levine
From: John Levine To: bind-users@lists.isc.org Subject: Re: Reverse lookup for classless networks In-Reply-To: Organization: Taughannock Networks Cc: gtay...@tnetconsulting.net Bcc: johnl-sent X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding

Re: DMARC question

2018-08-15 Thread John Levine
In article you write: >We have a couple of small domains whose DNS is served by BIND on our dedicated >machines. Almost 3 years ago we had set up DMARC records, >and were getting reports from various MXs every day until a couple of days ago >(Aug 13). Then they suddenly stopped! > >Nothing in

Re: Minimum TTL?

2018-02-10 Thread John Levine
In article you write: >The target, instead of very quickly rejecting the spam because of the >lack of a domain or the lack of DNS, instead has to deal with thousands >of different IPs. That's not how spam filters work. They do filtering

Re: Minimum TTL?

2018-02-09 Thread John Levine
In article you write: >For the record, the issue is not RBLs or legitimate domains, it is >spammer scum that set super-low DNS because they are shotgunning spam >from a vast botnet and they want to have maximal impact, so you get a

Re: Minimum TTL?

2018-02-09 Thread John Levine
In article you write: >As long as you understand the implications of what you're doing? > >The zone owner may be using short TTLs to implement load balancing >and/or quick failover. If you extend the TTLs, your users may experience >poor

Re: Minimum TTL?

2018-02-08 Thread John Levine
In article you write: >you miss the topic > >many DNSBL's have a very short TTL and at the same time a limit of >queries from a single IP until you need to pay for the service This doesn't sound like a technical problem. Is there some reason

Re: search algorithm in DNS

2017-11-08 Thread John Levine
In article you write: >I am Munkhbaatar, a master course student studying the mechanism and algorithm >of DNS. I want to search for the algorithm in DNS, but >I have not found documents clearly explaining this on the web. I guess it's

Re: Email & PTR Issues [Solved]

2017-11-07 Thread John Levine
In article you write: >> I have issues emailing to certain domains. I use my own mail >> server to deliver mail. It is currently not sending through SMTP >> Relay. The failure says that I have a missing PTR record. For example: I'm

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread John Levine
This has nothing to do with BIND, but anyway. In article you write: >I would personally try to use -all for new domains from the word go. Only if you want your mail to mysteriously disappear. There are a lot of perfectly legitimate ways to

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread John Levine
In article you write: >> X.TLD IN MX 10 mail.example.com. >> >> is perfectly valid, and quite common for people who don't host their own >> e-mail. > >Okay, but for now each domain will have its one mail server. If you have one host

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

2017-06-19 Thread John Levine
In article you write: >>* IP with *one* PTR >>* the A-Record for the PTR matches >>* smtp_helo_name of your MTA matches the same name > >Even this is not required. In fact, requiring this breaks SMTP RFC. >The only requirement on helo name is

Re: High performance DNS server configuration?

2016-09-15 Thread John Levine
>Problem is procmail + postfix with rbl's (zen.spamhaus.org and others). > >Really big problem are spam botnet's and some day we can get over 5-6 >million messages per day or even more. > >Procmail/postfix is doing every check per msg at localdns (localdns => >rbl's) server and average check time

Re: Request reverse dns mapping advice

2016-09-05 Thread John Levine
>1. pick a primary domain from the list of virtual hosts (example2.com) >2. use the "real" host name of the server (juvat.example1.com) >3. the mail server name (mail.example1.com) >4. the dns server name (ns2.example1.com) >5. another domain from the virtual hosts list (example 3.com)

Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
>It is true at first glance the regex-esque syntax in our I-D may seem a >bit complex but I don't believe anywhere near the complexity of NAPTR None of the complexity of NAPTR is in the DNS or the DNS servers; it's all in the applications that use NAPTR. For DNS servers, NAPTR is just a record

Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
PS: >I understand rwhois exists but it is much more complicated to manage >than DNS and for the most part is only used at the RIR level for >reverse IP namespace. This would probably be a good time to read up on RDAP. R's, John ___ Please visit

Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
>beginning of DNS. It allows address space to be "tagged" and >organized in a manner that just makes sense. We'll have to agree to violently disagree at this point. R's, John

Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
>Though, if you want to participate in the cargo cult of generic PTRs, >you don't need the complexity of draft-woodworth-bulk-rr's regex-driven >templates in your nameserver. Knot DNS's "minimal viable product" >implementation is ~300 SLOC and uses a hardcoded template. Having looked at the

Re: Question about dynamic IPv6-PTR-Generation

2016-08-26 Thread John Levine
>A very popular option is to only create or delegate IPv6 PTR entries for >hosts with static address assignments, and to return NXDOMAIN for >address space used for dynamic address assignments. I talk to a lot of large providers at M3AAWG and that's the consensus about what to do. If it doesn't

Re: Adding CNAME for the root domain issue

2016-04-27 Thread John Levine
>> You would only be able to do this if you could put the CNAME record >> in the parent domain, instead of delegating domain.com to your own >> server. But do any domain registrars support that option? > >And would the registry (here, Verisign) accept it? As far as I know, >no. This smells a lot

Re: Adding CNAME for the root domain issue

2016-04-27 Thread John Levine
Assuming you mean this (notice the dots): Domain.com. CNAME x.y.com. www CNAME x.y.com. it should work. Some people believe that you can't have other records at names below a name with a CNAME, but they are mistaken. On the other hand, this will not work. domain.com. CNAME x.y.com.

Re: frequent queries to root servers

2016-01-30 Thread John Levine
>If chained CNAMEs work for you, more power to you. But don't be >surprised if they fail unexpectedly at some point. If they don't, you'll have a lot of unhappy users since there's a whole lot of the Internet they won't be able to see. Try www.apple.com and www.microsoft.com, both of which

Re: Cloud DNS providers for secondary DNS

2015-12-30 Thread John Levine
>My more specific question is this: If I'm a site on the internet looking for a >server in my domain for the first time, I query the TLD >servers for a list of name servers for my domain and pick one to query. >Suppose I pick one that has the correct zone information and can >answer the query,

Re: Cloud DNS providers for secondary DNS

2015-12-29 Thread John Levine
>On 30.12.2015 at 03:12 Luis Daniel Lucio Quiroz wrote: >> You could use dyndns for that, but it is not free. > >do they provide anycast? Yes, of course. Dyn is one of the largest DNS providers in the world. Their basic secondary service is $40/yr. R's, John

Re: Cloud DNS providers for secondary DNS

2015-12-29 Thread John Levine
>IN NS ns1.mydomain.com. >IN NS ns2.mydomain.com. >IN NS ns1.d-zone.ca <== Addition >IN NS ns2.d-zone.ca <== Addition These questions would, as always, be easier to answer if you gave us the

Re: SPF RR type

2014-06-05 Thread John Levine
In article mailman.348.1401978387.26362.bind-us...@lists.isc.org you write: Are SPF RR types finally dead or not? I've read through rfc7208 and it appears that they are: They're dead as in nobody looks at them other than legacy software that hasn't been updated. The SPF record was a screwup from

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-08 Thread John Levine
DNSMadeEasy calls this an ANAME record; internally they just look up the destination's IP and cache it, updating it as needed. It works, but it would be nice if this could be done in DNS. Sadly, it can't, and probably won't in our lifetimes. I do a similar thing in my DNS crudware, a

Re: Variable SOAs in negative responses

2014-01-28 Thread John Levine
For addresses that aren't listed, some of the NXDOMAINs are a lot less likely to change than others, e.g., the address of an outbound mail server at a large mail provider is unlikely ever to be listed, but a random host at a hosting provider in India, who knows. So he'd like to have the TTLs on

Variable SOAs in negative responses

2014-01-27 Thread John Levine
A friend (really) asks this question: they have some DNSBLs, which get a lot of queries. Sometimes the answer has A or TXT records, meaning the corresponding address is listed in the DNSBL, sometimes it's NXDOMAIN which means the address isn't. For addresses that aren't listed, some of the

Re: Can we do a sub-domain delegation with godaddy?

2014-01-15 Thread John Levine
I mean I have example.com hosted with Go Daddy while I need sub-domain ftp.example.com to be delegated to my internal BIND server. Does anyone know how I do it in Go Daddy? The easiest approach in the long run is to move the DNS for the whole domain to your own DNS servers. Large cheap

Re: Query regarding CNAME

2014-01-01 Thread John Levine
the DNAME already recommended by Dave Warren is what you want: xyz.gov.in. DNAME xyz.in. Except that DNAME only applies to names under xyz.gov.in, not to xyz.gov.in itself. There are a variety of ways to deal with this but in practice: another possibility is to include the same file to

Re: Query regarding CNAME

2014-01-01 Thread John Levine
xyz.gov.in. DNAME xyz.in. On 01.01.14 18:16, John Levine wrote: Except that DNAME only applies to names under xyz.gov.in, not to xyz.gov.in itself. Usually because xyz.gov.in must already have SOA and NS records and therefore it's not possible to redirect it easily. That's what DNAME does

Re: TXT Record Format with multiple records?

2013-10-12 Thread John Levine
Please forgive my ignorance, and sorry about all the details. I have not been able to find a detailed specification. TXT records haven't changed since RFC 1034 and 1035. You can have multiple strings per record, and multiple records per name. At the application level, some applications glom

Re: TXT Record Format with multiple records?

2013-10-11 Thread John Levine
How, precisely, is the second (or third) string added? plugh.example TXT foo bar

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread John Levine
OK. I just want to be clear here, and make sure that I have properly understood what you have said. Would it be correct, then, to say that at the present moment you are not actually able to produce, cite, or describe, with any particularity or specificity, even one individual specific incident

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread John Levine
The entire problem is fundamentally a result of the introduction of EDNS0. Wouldn't you agree? No, that just makes it a little easier. You pound the patoot out of someone with 512 byte packets just as much as you can with 4K packets, just by making your attacking botnet bigger. The real

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread John Levine
The real solution is BCP 38... I agree completely John. I cannot do otherwise. But I have to ask the obvious elephant-in-the-room question... How is that coming along so far? Based on discussions I've had with people who work at large networks and in policy positions in various governments

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread John Levine
So, may I infer that rather than being put off until the end of the century, which seemed to be the previous implementation timeline, pervasive implementation of BCP 38 may now be expected at around the time that 32-bit UNIX clocks are anticipated to wrap-around to negative? Perhaps, but I think

Re: Mailing list reply-to setting

2013-05-08 Thread John Levine
Any chance someone can correct the settings on this mailing list to reply to the list by default instead of the user posting the message? This is a religious argument. Please, leave it alone. And, If I might add, adding a tag to the subject like [bind-users] would be extremely nice. It's

Re: spf ent txt records.

2013-03-22 Thread John Levine
I've not been keeping up with the IETF; is there a document that describes what looks like a de facto standard of using _pname labels with TXT RRs that is being followed by at least DMARC and DANE in *._tcp.example.com, *._smimecert.example.com, and _dmarc.example.com No, but Dave Crocker is

Re: spf ent txt records.

2013-03-22 Thread John Levine
It is or would have been, very little cost to publish SPF records. Not until we fix the provisioning problem. (News flash: in 99.9% of the Internet, people do not edit master files with vi.) In the early days of SPF, it was remarkably hard to get TXT records provisioned, even though TXT records