Re: oddity with trubuiltpambula.com.au

2020-04-20 Thread Karl Auer
On Mon, 2020-04-20 at 13:06 +1000, Mark Andrews wrote:
> Note there isn’t an “additional lookup occurring” because what you are
> seeing is a referral and an answer.

Yes, I realised that after sending my email. r.au returned the webcity
nameservers, and one of those returned the NS details requested.

After being twice told by the webcity people that everything was fine,
they escalated it and have informed me that they have corrected the
delegation:

"We have received an update from our higher support that the name
servers have been synced correctly to show the right name servers added
in the account."

Well - almost. The zone is delegated in .au to three webcity
nameservers, but those nameservers return only the first two webcity
nameservers when asked. So not quite 100% consistent, but good enough.

Thanks, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: oddity with trubuiltpambula.com.au

2020-04-19 Thread Karl Auer
On Sun, 2020-04-19 at 12:26 +0100, Matthew Richardson wrote:
> The answer is that the .au registry has NS (delegation) records for
> the webcity.com.au servers, but those servers return NS records for
> the instanthosting.com.au servers.  As you observed, they have the
> same IPs.

I didn't pose my question clearly enough. Why would WebCity put NS
records into .au that delegate to themselves with different names?

It's common enough that the .au delegations made by registry X point to
the nameservers of hosting company Y, but in this case they point to
themselves, so why the different names?

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D




oddity with trubuiltpambula.com.au

2020-04-19 Thread Karl Auer
In the "Nameservers" section of the DNS management interface at a
hosting provider (webcity.com.au), we see three nameservers for the
above domain:

ns1.webcity.com.au (203.17.36.33)
ns2.webcity.com.au (203.17.36.4)
ns3.webcity.com.au (116.0.23.249)

However, when we query the DNS for the nameservers for this domain, we
get different answers:

kauer@kt:~$ dig +short trubuiltpambula.com.au ns
ns1.instanthosting.com.au.
ns2.instanthosting.com.au.

The two instanthosting nameservers returned have the same IP addresses
as ns1.webcity.com.au and ns2.webcity.com.au. And for completeness we
checked and there is also an instanthosting A record pointing to the
same IP as ns3.webcity.com.au:

kauer@kt:~$ dig +short ns3.instanthosting.com.au
116.0.23.249

We also get the two instanthosting nameserver names when we query any
of those webcity nameservers directly. For example:

kauer@kt:~$ dig +short trubuiltpambula.com.au ns @ns1.webcity.com.au
ns1.instanthosting.com.au.
ns2.instanthosting.com.au.

A trace shows an additional lookup occurring between the website
nameservers and the instanthosting nameservers being returned.

kauer@kt:~$ dig +trace trubuiltpambula.com.au ns
[...]
trubuiltpambula.com.au. 900 IN NS ns1.webcity.com.au.
trubuiltpambula.com.au. 900 IN NS ns2.webcity.com.au.
trubuiltpambula.com.au. 900 IN NS ns3.webcity.com.au.
[...]
;; Received 660 bytes from 65.22.197.1#53(r.au) in 51 ms
[...]
trubuiltpambula.com.au. 43200 IN NS ns2.instanthosting.com.au.
trubuiltpambula.com.au. 43200 IN NS ns1.instanthosting.com.au.
;; Received 102 bytes from 203.17.36.4#53(ns2.webcity.com.au) in 30 ms

Is there a good explanation for what's happening?

Yours mystifiedly, K.


-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
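
The parent/child comparison this thread ends up making by hand, as an added example that is not part of the original posts. It parses NS lines in dig's output format and reports what the delegation (parent) and the zone's own servers (child) disagree on, by name and by address. The record lines are taken from the trace quoted above; the function names and the pairing of the instanthosting names with the webcity addresses are assumptions of this example.

```python
"""Compare a zone's delegation NS set (parent) with its apex NS set (child)."""

# Lines as quoted in the dig +trace output in this thread.
PARENT_REFERRAL = """\
trubuiltpambula.com.au. 900 IN NS ns1.webcity.com.au.
trubuiltpambula.com.au. 900 IN NS ns2.webcity.com.au.
trubuiltpambula.com.au. 900 IN NS ns3.webcity.com.au.
;; Received 660 bytes from 65.22.197.1#53(r.au) in 51 ms
"""

CHILD_ANSWER = """\
trubuiltpambula.com.au. 43200 IN NS ns2.instanthosting.com.au.
trubuiltpambula.com.au. 43200 IN NS ns1.instanthosting.com.au.
;; Received 102 bytes from 203.17.36.4#53(ns2.webcity.com.au) in 30 ms
"""

# Addresses as reported in the thread. The post says the instanthosting names
# share the webcity addresses; the one-to-one pairing is assumed here.
ADDRESSES = {
    "ns1.webcity.com.au.": ["203.17.36.33"],
    "ns2.webcity.com.au.": ["203.17.36.4"],
    "ns3.webcity.com.au.": ["116.0.23.249"],
    "ns1.instanthosting.com.au.": ["203.17.36.33"],
    "ns2.instanthosting.com.au.": ["203.17.36.4"],
    "ns3.instanthosting.com.au.": ["116.0.23.249"],
}


def parse_ns(dig_text, zone):
    """Return the set of NS target names for `zone` found in dig-style lines."""
    zone = zone.rstrip(".").lower() + "."
    targets = set()
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig comments
        fields = line.split()
        if len(fields) != 5:
            continue  # not "owner ttl class type rdata"
        owner, _ttl, rclass, rtype, rdata = fields
        if owner.lower() == zone and rclass.upper() == "IN" and rtype.upper() == "NS":
            targets.add(rdata.lower())
    return targets


def compare_delegation(parent_ns, child_ns, addresses):
    """Report differences between the two NS sets by name and by address."""
    def addrs(names):
        found = set()
        for name in names:
            found |= set(addresses.get(name, ()))
        return found

    parent_addrs, child_addrs = addrs(parent_ns), addrs(child_ns)
    return {
        "consistent": parent_ns == child_ns,
        "names_only_in_parent": sorted(parent_ns - child_ns),
        "names_only_in_child": sorted(child_ns - parent_ns),
        "addrs_only_in_parent": sorted(parent_addrs - child_addrs),
        "addrs_only_in_child": sorted(child_addrs - parent_addrs),
        # Names we have no address for cannot be compared by address.
        "unresolved": sorted(n for n in parent_ns | child_ns if n not in addresses),
    }


if __name__ == "__main__":
    zone = "trubuiltpambula.com.au"
    report = compare_delegation(
        parse_ns(PARENT_REFERRAL, zone), parse_ns(CHILD_ANSWER, zone), ADDRESSES
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Comparing by address as well as by name separates a pure renaming (same hosts, different names) from a server that is delegated to but missing from the zone's own NS set.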




Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-18 Thread Karl Auer
On Mon, 2019-03-18 at 09:57 -0400, Alan Clegg wrote:
> Having said that, my $DAYJOB revolves (just a bit) around doing
> BIND/DHCP stuff all day long, so I may have a leg up on being able to
> twiddle with my configurations a bit more.  ;-)

Put that leg down, young man, and stop twiddling with your
configurations! You'll go BIND...

-- 
~~~~~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389





Re: Questions about NAPTR

2017-09-18 Thread Karl Auer
On Tue, 2017-09-19 at 13:56 +1000, Mark Andrews wrote:
> In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer
> writes:
> > And is it true that "if the Regexp field is not empty, the
> > Replacement field will not be used"?
> With the current flags no but who knows what will happen in the
> future.

Not sure what "no" means. My fault for putting up a statement with two
negatives.

It seems to me that the output from a NAPTR is EITHER the result of
applying a regexp to the left-hand side domain name, OR the value of
the replacement field. I.e., they are mutually exclusive. So if the
regexp is empty, the replacement is used verbatim. If the regexp is NOT
empty, the replacement is ignored (but still has to conform to domain
name syntax, hence the need for a dot).

Is that understanding correct?

Thanks, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B



Re: Questions about NAPTR

2017-09-18 Thread Karl Auer
On Mon, 2017-09-18 at 19:45 +1000, Mark Andrews wrote:
> In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer
> writes:
> > 2: Can the Replacement field be empty? It looks from the text and
> > examples as if it should always contain a complete domain name BUT
> > that if the Regexp field is not empty, the Replacement field will
> > not be used.
> No.  Use '.' as a place holder.

Er - isn't "." a complete domain name?

And is it true that "if the Regexp field is not empty, the Replacement
field will not be used"?

Thanks for the info.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B



Questions about NAPTR

2017-09-18 Thread Karl Auer
I've been reading RFC2915 and have a couple of questions about NAPTR
records. I'm trying to do *basic* validation of data from a database
being processed into the DNS.

1: Can the Flags field be empty? It seems to me that it can be under
some circumstances.

2: Can the Replacement field be empty? It looks from the text and
examples as if it should always contain a complete domain name BUT that
if the Regexp field is not empty, the Replacement field will not be
used.

3: Can the Regexp field be empty? It seems to me that it can be, in
which case the Replacement field will be used without alteration.

Regards, K.
 
-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
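
A basic validator for the fields asked about in this thread, as an added example that is not part of the original posts. It encodes the reading discussed above: Flags may be empty, Regexp and Replacement are mutually exclusive, and "." stands in for an unused Replacement. The function names are this example's own, and it assumes the database holds the Regexp as its raw character-string and holds names with a trailing dot.

```python
"""Basic sanity checks for NAPTR field values before they are written to a zone."""
import re

LABEL = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")
FLAGS = re.compile(r"[A-Za-z0-9]*")  # single characters from A-Z and 0-9, may be empty


def is_fqdn(name):
    """True for '.' or a dot-terminated name made of 1..63-character labels."""
    if name == ".":
        return True
    if not name.endswith(".") or len(name) > 254:
        return False
    return all(LABEL.fullmatch(label) for label in name[:-1].split("."))


def split_regexp(field):
    """Split '<delim>ere<delim>repl<delim>flags', honouring backslash escapes.

    Returns (ere, repl, flags), or None when the field does not have that shape.
    """
    if len(field) < 3:
        return None
    delim = field[0]
    if delim.isdigit() or delim in "\\i":
        return None  # digits, backslash and the 'i' flag cannot delimit
    parts, current, i = [], [], 1
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field):
            current.append(field[i:i + 2])  # keep the escaped pair together
            i += 2
        elif ch == delim:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    parts.append("".join(current))
    if len(parts) != 3 or not parts[0]:
        return None
    return tuple(parts)


def validate_naptr(order, preference, flags, service, regexp, replacement):
    """Return a list of problems; an empty list means the record looks sane."""
    errors = []
    for label, value in (("order", order), ("preference", preference)):
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 65535:
            errors.append(f"{label} must be an integer 0..65535")
    for label, value in (("flags", flags), ("service", service), ("regexp", regexp)):
        if len(value.encode("utf-8")) > 255:
            errors.append(f"{label} exceeds 255 octets")
    if not FLAGS.fullmatch(flags):
        errors.append("flags may contain only A-Z and 0-9 (an empty value is accepted)")
    if not is_fqdn(replacement):
        errors.append("replacement must be a fully qualified name; use '.' as a placeholder")
    if regexp:
        parsed = split_regexp(regexp)
        if parsed is None:
            errors.append("regexp must look like <delim>ere<delim>repl<delim>[i]")
        elif parsed[2] not in ("", "i"):
            errors.append("regexp flags: only 'i' is recognised")
        if replacement != ".":
            errors.append("regexp and replacement are mutually exclusive")
    elif replacement == ".":
        # Policy choice of this example: a record with neither value yields nothing.
        errors.append("neither regexp nor replacement carries a value")
    return errors


if __name__ == "__main__":
    # Constructed sample rows, not taken from the thread.
    rows = [
        (100, 10, "", "", r"/urn:cid:.+@([^\.]+\.)(.*)$/\2/i", "."),
        (100, 10, "s", "http+N2L", "", "www.example.com."),
        (100, 10, "u", "E2U+sip", "!^.*$!sip:info@example.com!", "sip.example.com."),
        (100, 10, "u", "E2U+sip", "!^.*$!sip:info@example.com", ""),
    ]
    for row in rows:
        print(row, "->", validate_naptr(*row) or "ok")
```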



Re: Sending extra info in bind dns query packet

2016-07-14 Thread Karl Auer
On Thu, 2016-07-14 at 11:19 +0530, Sachin Patil wrote:
> I am just looking into bind and want to send extra information while
> querying dns bind server. This information will be used at the bind 
> server side to return the resolved ip.

I've had an off-list discussion with Sachin Patil, asking him what he
was actually trying to achieve. It turns out that it is this:

"I am just trying to fiddle with dns server to block certain users to
certain resources."

I have suggested that he look for solutions to *that* problem, rather
than starting by modifying BIND.

That said, there may be ways to use the DNS to achieve what he needs,
and this is not such a bad place to ask for pointers in that direction.

Is it?

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





Re: UDP Packet Hack

2016-06-21 Thread Karl Auer
On Wed, 2016-06-22 at 01:06 +, Jun Xiang X Tee wrote:
>   I am working on hacking UDP packets returned to "dig" client. I
> wish to include some extra information about the "digged" domain
> (e.g., facebook.com) at Additional Section of "dig" reply in TXT
> format. The ideal result is to be able to see the hacked UDP packets
> having the extra information using tools such as Wireshark.

You can't change what the authoritative servers for the facebook.com
domain return.

You could hack a server in between your dig client and Facebook, though
- dig requests info from your server, your server requests info from
Facebook, your server modifies the response from Facebook, your server
returns the modified response to dig (or whatever made the query).

You would need to either return the new information in a form
compatible with what dig expects, or you would have to hack dig as
well. If you did that, ordinary clients might no longer be able to use
the server.

>I am still confused on where "dig" gets the UDP packets from.

dig makes its own outbound UDP packets (and TCP packets don't forget!).
Inbound packets come from whatever server is responding to dig's
request.

> Below are my questions:

>   (1) Does "dig" get its UDP packets from "named" server? Or "lwresd"
> server? Or others?

From whatever server its request went to. You could find out by
watching the traffic with e.g. Wireshark. If you specify the server to
dig with @server, then that is the server sending response packets to
dig.

>   (2) For hacking purpose, I should work on BIND9 source codes. I
> don't need to install BIND9 using "apt-get install", right?

If you are building and installing from source, right.

>   (3) Lastly, the most important question: How should I configure DNS
> server for "dig"?

You don't need to unless you are modifying the protocol. The server
will not know it is "dig" querying it; as far as the server is
concerned it's just receiving and responding to queries from clients.

> I think what I should do is "./dig @chosen_DNS_server
> google.com",  but I do not know how to configure the server.

Not sure what you mean by "configure the server". What DO you mean by
"configure the server"?

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





Re: Why two lookups for a CNAME?

2015-10-21 Thread Karl Auer
On Wed, 2015-10-21 at 20:42 +, Lightner, Jeff wrote:
> Because the purpose of DNS primarily is to equate a name with an IP as
> applications talk to IPs not to names.   When you have a CNAME you’re
> equating one name with another name.   That other name then has to be
> looked up so the application knows what IP to access.

This doesn't answer the OP's question (which is a good one). He's saying
that the required IP address has *already been returned* in the first
response, so why is a second query made?

When I use dig to do a lookup of a cname, it makes only one query:

; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> www.angihigh.com.au
[...]
;; ANSWER SECTION:
www.angihigh.com.au/ ... CNAME   angihigh.com.au.
angihigh.com.au. ... A   27.121.64.62
[...]

Maybe the application mentioned by the OP is not as smart as dig.

Regards, K.


-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882



Re: Set up a recursive servers to provide different data

2015-06-10 Thread Karl Auer
On Wed, 2015-06-10 at 17:17 +0800, liumingxing wrote:
> We have a domain name example.com while now we have application
> servers that are located in the localnet with private addresses and
> ones in the external internet. We want to setup a recursive in local
> networks that can provide recursive service and auth service that
> internal users are redirected to the internal servers and the external
> users are guided to outside servers.

Set up one or more authoritative servers that provide two views - an
internal and an external view.

Then set up your recursive servers anywhere you like. A recursive
server you put in the space served by the internal view will get
internally valid responses from your authoritative servers. A recursive
server you place outside the space served by the internal view will get
externally valid responses from your authoritative servers, as will any
other queriers from outside your internal spaces. Queries that don't
involve your domain(s) will go to the wider Internet.

Aside from setting up the appropriate views and siting the authoritative
servers appropriately, you don't need any special configuration for all
this to happen. You don't have to configure the recursive servers in any
way specially either, except to make sure they accept queries only from
your own networks.

Don't set up one server as both a recursive and an authoritative server,
though. Bad idea.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882




Re: Strange DLZ issues

2014-12-29 Thread Karl Auer
On Mon, 2014-12-29 at 10:57 +0100, Lars Hanke wrote:
> Ooops! It fails on the zone added first! And what does it want to tell
> me by already exists?
> Any ideas how to troubleshoot the issue?

Inspect your input files very carefully. That smells like a cut and
paste error to me.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A




Re: Digging to the final IP

2014-10-19 Thread Karl Auer
On Sun, 2014-10-19 at 00:26 -0500, Frank Bulk wrote:
> Is there a dig option that will list out the final (IPs) or query result??
> By default, even with +short, it can list intermediate CNAME(s) and not what
> IP(s) that CNAME may have.

Not great, but might be enough to be helpful:

   dig +nonssearch "$1" | egrep -i "STATUS|^$1"

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A




Re: Does bind read /etc/hosts?

2014-07-15 Thread Karl Auer
> What I want to know is whether the named access the hosts file.

I wonder if the OP is actually asking for a way to have BIND return
specific values for specific host names, without having them looked up
in the real DNS.

Guanghua, can you tell us the result you wish to achieve? From your
example, it looks as if you are trying to get BIND to return a value of
your choice, rather than the value that would normally be returned by a
DNS lookup.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A




case in responses

2013-08-11 Thread Karl Auer
Hi all.

I have an odd issue - a particular device is apparently ignoring
apparently legal DNS responses. The only differences I can see between
the responses that do work and the responses that don't work are that in
the responses that don't work: 

a) the case of the response has been folded to lower case

b) the response includes an additional servers section

Here are two samples. The first fails, and was obtained by querying a
MikroTik embedded caching server. The second works, and was obtained by
querying a BIND caching server. If we tell the device to query the
embedded server, it ignores the responses; if we tell the device to
query the BIND server, it works.

I guess I just want to know if the embedded server is doing anything
wrong in folding the case down, or if the other device is doing
something wrong by not accepting the folded response.

Regards, K.

kauer@karl:~/pcaps$ dig @192.168.1.1 pioneer.vTuner.com

; <<>> DiG 9.8.1-P1 <<>> @192.168.1.1 pioneer.vTuner.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16432
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;pioneer.vtuner.com.            IN      A

;; ANSWER SECTION:
pioneer.vtuner.com.     1800    IN      CNAME   primary8.vtuner.com.
primary8.vtuner.com.    1800    IN      A       173.193.193.67

;; AUTHORITY SECTION:
vtuner.com.             8745    IN      NS      ns1.securityspace.com.
vtuner.com.             8745    IN      NS      ns1.dnsmadeeasy.com.
vtuner.com.             8745    IN      NS      ns2.securityspace.com.
vtuner.com.             8745    IN      NS      ns0.dnsmadeeasy.com.
vtuner.com.             8745    IN      NS      ns4.dnsmadeeasy.com.
vtuner.com.             8745    IN      NS      ns2.dnsmadeeasy.com.
vtuner.com.             8745    IN      NS      ns3.dnsmadeeasy.com.

;; ADDITIONAL SECTION:
ns1.securityspace.com.  154     IN      A       67.19.79.219
ns1.dnsmadeeasy.com.    4002    IN      A       208.80.124.2
ns2.securityspace.com.  154     IN      A       66.36.230.78
ns0.dnsmadeeasy.com.    10840   IN      A       208.94.148.2
ns4.dnsmadeeasy.com.    692     IN      A       208.80.127.2
ns2.dnsmadeeasy.com.    10326   IN      A       208.80.126.2
ns3.dnsmadeeasy.com.    692     IN      A       208.80.125.2

;; Query time: 445 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Aug 12 11:33:20 2013
;; MSG SIZE  rcvd: 339

The second works, and was obtained by querying a BIND caching server:

kauer@karl:~/pcaps$ dig @192.168.1.35 pioneer.vTuner.com

; <<>> DiG 9.8.1-P1 <<>> @192.168.1.35 pioneer.vTuner.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12903
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;pioneer.vTuner.com.            IN      A

;; ANSWER SECTION:
pioneer.vTuner.com.     1800    IN      CNAME   primary8.vTuner.com.
primary8.vTuner.com.    1800    IN      A       173.193.193.67

;; AUTHORITY SECTION:
vTuner.com.             83375   IN      NS      ns0.dnsmadeeasy.com.
vTuner.com.             83375   IN      NS      ns1.dnsmadeeasy.com.
vTuner.com.             83375   IN      NS      ns1.securityspace.com.
vTuner.com.             83375   IN      NS      ns2.dnsmadeeasy.com.
vTuner.com.             83375   IN      NS      ns2.securityspace.com.
vTuner.com.             83375   IN      NS      ns3.dnsmadeeasy.com.
vTuner.com.             83375   IN      NS      ns4.dnsmadeeasy.com.

;; Query time: 2477 msec
;; SERVER: 192.168.1.35#53(192.168.1.35)
;; WHEN: Mon Aug 12 11:36:02 2013
;; MSG SIZE  rcvd: 227


 
-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017



SPF records in reverse zones?

2012-12-05 Thread Karl Auer
This may be a silly question, but are SPF records supposed to be
supported in reverse zones? I'm thinking of a mail server that has no
entry in the DNS.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://www.biplane.com.au/blog

GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687



Re: DNS64 Query

2011-11-03 Thread Karl Auer
On Thu, 2011-11-03 at 16:15 +0530, Gaurav Kansal wrote:
> Is there any functionality available for accessing IPv6 internet from IPv4
> only host??
> [...]
> I have a website ipv6.nkn.in running on ipv6.
>
> Now I want to access this website from ipv4 machine. For this, I need DNS
> Translation. Is this possible?

instant6.com

Regards, K.

PS: I have an interest in this service.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156



Re: intermittent bad horizontal referral?

2011-10-19 Thread Karl Auer
.
.   113019  IN  NS  d.root-servers.net.
.   113019  IN  NS  b.root-servers.net.
.   113019  IN  NS  a.root-servers.net.
.   113019  IN  NS  g.root-servers.net.
.   113019  IN  NS  c.root-servers.net.
;; Received 512 bytes from 139.130.4.4#53(139.130.4.4) in 3 ms

au. 172800  IN  NS  b.au.
au. 172800  IN  NS  r.au.
au. 172800  IN  NS  a.au.
au. 172800  IN  NS  o.au.
au. 172800  IN  NS  p.au.
au. 172800  IN  NS  v.au.
au. 172800  IN  NS  l.au.
au. 172800  IN  NS  m.au.
au. 172800  IN  NS  n.au.
au. 172800  IN  NS  h.au.
au. 172800  IN  NS  s.au.
au. 172800  IN  NS  u.au.
;; Received 496 bytes from 2001:dc3::35#53(m.root-servers.net) in 178 ms

pps.com.au. 14400   IN  NS  ppsdns3.pps.com.au.
pps.com.au. 14400   IN  NS  ppsdns2.pps.com.au.
pps.com.au. 14400   IN  NS  ppsdns4.pps.com.au.
pps.com.au. 14400   IN  NS  ppsdns1.pps.com.au.
pps.com.au. 14400   IN  NS  ppsdns6.pps.com.au.
;; Received 214 bytes from 69.36.145.34#53(n.au) in 227 ms

pps.com.au. 3600    IN  NS  ppsdns2.pps.com.au.
pps.com.au. 3600    IN  NS  ppsdns3.pps.com.au.
pps.com.au. 3600    IN  NS  ppsdns4.pps.com.au.
pps.com.au. 3600    IN  NS  ppsdns6.pps.com.au.
pps.com.au. 3600    IN  NS  ppsdns1.pps.com.au.
;; Received 342 bytes from 2406:a000::5#53(ppsdns2.pps.com.au) in 22 ms




-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156



intermittent bad horizontal referral?

2011-10-17 Thread Karl Auer
Hi there.

I have three domains, biplane.com.au, nullarbor.com.au and
footprint.org.au. All show intermittent but frequent bad horizontal
referral. It happens at the .com.au level.

To see it, do (for example):

   dig +trace biplane.com.au ns

Some such queries return correctly, some end up in a BHR loop.

I can't see how this is in my power to control; I have not changed those
zones for some time, but the problem only arose a week or so ago. It
also seems odd to me that it affects domains in both org.au and com.au,
and managed by three different organisations (that is the zone files for
those domains are spinning on computers at three different companies).

I appreciate that this is probably not a BIND problem as such, but I'm a
bit stumped as to where to start looking for a solution.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156



Re: Breaking up RFC 1918 reverse space

2011-07-23 Thread Karl Auer
On Sun, 2011-07-24 at 01:01 +, Laws, Peter C. wrote:
> Decloaking to ask for pointers to some help regarding RFC 1918 zone
> delegation.
>
> We use 10/8 space extensively over multiple campuses.  We need to
> delegate at the 10/ essentially, the 10/16 level.  Is there a better
> way to do it than

Maybe this is an overly naive approach, but can't you set up one zone
for 10.0.0.0/8 and delegate as necessary from that single zone file?
Anything that you don't have an answer for will get NXDOMAIN, which is
presumably what you want.

So:

   zone "10.IN-ADDR.ARPA" {
       type master;
       file "internal/db.10.rev";
       allow-query { network_internal; };
   };

Then in the zone file internal/db.0.rev:

   $ORIGIN 10.in-addr.arpa.
   [...]
   0 3600 IN NS ns00.mydomain.
   1 3600 IN NS ns01.mydomain.
   ... etc

Your forward zone for mydomain would need entries for the ns00, ns01
etc.
   
ns00, ns01 etc are the nameservers to which 0.10.in-addr.arpa,
1.10.in-addr.arpa etc are delegated. Those servers will then have conf
entries like:

   zone "0.10.IN-ADDR.ARPA" {
       type master;
       file "internal/db.10.0.rev";
       allow-query { network_internal; };
   };

and in the zone file internal/db.10.0.rev on ns00, for example, entries
for the subnet:

   $ORIGIN 0.10.in-addr.arpa.
   [...]
   @ 3600 IN NS ns00.mydomain.
   ...
   1.1 3600 IN PTR gw.mydomain.
   2.1 3600 IN PTR somehost.mydomain.
   ... etc

The other delegated nameservers would have zone files like db.10.1.rev,
db.10.2.rev etc with the appropriate zone data for those /16 subnets of
10.0.0.0/8.

In short, all the delegations are in one zone file. You do still need
one delegation per delegated subnet, there's no way around that.

All this is off the top of my head, so treat with great caution :-)

Regards, K.




> zone "1.10.IN-ADDR.ARPA" {
> type master;
> file "internal/db.10.rev";
> allow-query { network_internal; };
> };
>
> zone "2.10.IN-ADDR.ARPA" {
> type master;
> file "internal/db.10.rev";
> allow-query { network_internal; };
> };
>
> et cetera, ad nauseam and then putting in NS records as necessary?
>
> A little less than half of the zones would remain with us with the other
> half-and-a-bit delegated away.
>
> I'm afraid of the answer since I fear I'm stuck with making 256 zones ...
>
> BIND 9.3 as hacked by Red Hat, though now that we found the bind97 packages
> in the supported repo, we may go with that.
>
> --
> Peter Laws / N5UWY
> National Weather Center / Network Operations Center
> University of Oklahoma Information Technology
> pl...@ou.edu (Remote)

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156



monitoring BIND

2011-07-13 Thread Karl Auer
We have some nameservers :-) that are used by quite a few thousands of
people. Every now and then someone comes to us and complains that the
DNS is responding slowly. Sometimes they are right, and we find the
problem and fix it. But most of the time everything runs fine, and the
DNS is not, in fact, responding slowly when that someone comes to
complain. It turns out to be their PC, or a local network issue, or
whatever.

So we have a homegrown system in place that watches the traffic to and
from the nameservers, matches queries to answers, ignores everything
else, and notes how long it was between the question going past and the
answer going past in the opposite direction. It writes summarised
information second by second into a database so we can see exactly when
problems with response times happen, how long they happen for, and how
bad they are when they happen.

Our system has two faults (well, two that we are actually concerned
about): It only watches UDP, and it can't deal with fragmented packets.

So I was wondering if there is a better solution out there?

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156



Re: monitoring BIND

2011-07-13 Thread Karl Auer
More info to my question:

dig and Nagios have been suggested as possible solutions.

dig (and I suspect Nagios, which someone else mentioned) can only test
resolution times from one point in the network, or maybe several, and
using a very small number of tests.

Our current system watches ALL queries and responses to and from the
nameservers and summarises ALL the response times, regardless of where
the queries came from. For every second of the day we can say what the
average, minimum, maximum, etc response times were.

We're looking for something that can do that, or something similar...

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
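
The query/answer matching described in the two posts above, as an added example that is not part of the original thread and not the poster's system. It works on UDP payloads only, as that system does; the `(ts, src, sport, dst, dport, payload)` tuple layout, the function names and the sample addresses are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

def parse_dns(payload):
    """Return (id, is_response, qname, qtype) for a one-question DNS message, else None."""
    if len(payload) < 12:
        return None
    ident, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return None  # compression pointer or truncated label: not a sane question
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        return None
    (qtype,) = struct.unpack("!H", payload[pos:pos + 2])
    return ident, bool(flags & 0x8000), ".".join(labels) + ".", qtype

def summarise(packets, server_ip):
    """packets: time-ordered (ts, src, sport, dst, dport, udp_payload) tuples.
    Returns ({second: (count, min_ms, avg_ms, max_ms)}, unanswered_queries)."""
    pending, buckets = {}, defaultdict(list)
    for ts, src, sport, dst, dport, payload in packets:
        msg = parse_dns(payload)
        if msg is None:
            continue  # not DNS we can match: ignore it
        ident, is_response, qname, qtype = msg
        if not is_response and dst == server_ip and dport == 53:
            # Keep the first timestamp so a client retransmission does not hide the delay.
            pending.setdefault((src, sport, ident, qname, qtype), ts)
        elif is_response and src == server_ip and sport == 53:
            sent = pending.pop((dst, dport, ident, qname, qtype), None)
            if sent is not None:  # unsolicited or duplicate responses are dropped
                buckets[int(sent)].append((ts - sent) * 1000.0)
    stats = {sec: (len(v), min(v), sum(v) / len(v), max(v)) for sec, v in buckets.items()}
    return stats, len(pending)

def build(ident, qname, qtype, response=False):
    """Constructed sample data: a minimal DNS message carrying one question."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

SERVER = "192.0.2.53"  # documentation address, assumed for the example
PACKETS = [  # constructed capture: two answered queries, one unanswered, one stray response
    (100.010, "198.51.100.7", 40001, SERVER, 53, build(0x1A2B, "www.example.com", 1)),
    (100.012, SERVER, 53, "198.51.100.7", 40001, build(0x1A2B, "www.example.com", 1, True)),
    (100.500, "198.51.100.9", 40002, SERVER, 53, build(1, "mail.example.com", 28)),
    (100.900, SERVER, 53, "198.51.100.9", 40002, build(1, "mail.example.com", 28, True)),
    (101.100, "198.51.100.7", 40003, SERVER, 53, build(7, "slow.example.com", 1)),
    (101.200, SERVER, 53, "203.0.113.5", 5353, build(9, "x.example.com", 1, True)),
]

if __name__ == "__main__":
    stats, unanswered = summarise(PACKETS, SERVER)
    for sec in sorted(stats):
        print(sec, "n=%d min=%.1fms avg=%.1fms max=%.1fms" % stats[sec])
    print("unanswered:", unanswered)
```

Samples are bucketed by the second in which the query was seen; a long-running version would also need to expire old entries from `pending`.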



Re: Help needed

2011-06-14 Thread Karl Auer
On Tue, 2011-06-14 at 13:34 +0530, Vignesh Gadiyar wrote:
> from which function do we get the IP addresses looked up from the
> Domain names inputted, so as to perform the required functions on
> those ip addresses and return my result back to the client. i don't
> want to hack the name server as such. I just want to know
> where i will be able to get the results obtained from the name server
> as in from which function? Any sort of help will be appreciated.

I wonder if you may be looking for the resolver library functions? Try
man gethostbyname for information about the C-language API to the
resolver libraries. That's *nix-ish - but practically every programming
language for practically every operating system supports access to the
resolver libraries too...

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156



Stumped - SERVFAIL vs NOERROR?

2011-04-27 Thread Karl Auer
  mailergoat.rsi.co.jp 

; <<>> DiG 9.7.1-P2 <<>> @gtm2.rsi.co.jp mailergoat.rsi.co.jp 
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13474
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.  IN  

;; AUTHORITY SECTION:
rsi.co.jp.  60  IN  SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

;; Query time: 239 msec
;; SERVER: 202.25.214.15#53(202.25.214.15)
;; WHEN: Wed Apr 27 21:40:16 2011
;; MSG SIZE  rcvd: 90

kauer@karl:~$ dig mailergoat.rsi.co.jp 

; <<>> DiG 9.7.1-P2 <<>> mailergoat.rsi.co.jp 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59506
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.  IN  

;; Query time: 692 msec
;; SERVER: 192.168.1.35#53(192.168.1.35)
;; WHEN: Wed Apr 27 21:40:24 2011
;; MSG SIZE  rcvd: 38

Asking gtm2 about nameservers for the domain:

kauer@karl:~$ dig @gtm2.rsi.co.jp mailergoat.rsi.co.jp ns

; <<>> DiG 9.7.1-P2 <<>> @gtm2.rsi.co.jp mailergoat.rsi.co.jp ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44302
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.  IN  NS

;; AUTHORITY SECTION:
rsi.co.jp.  60  IN  SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

;; Query time: 222 msec
;; SERVER: 202.25.214.15#53(202.25.214.15)
;; WHEN: Wed Apr 27 22:02:01 2011
;; MSG SIZE  rcvd: 90

Asking gtm1 about nameservers for the domain:

kauer@karl:~$ dig @gtm1.rsi.co.jp mailergoat.rsi.co.jp ns

; <<>> DiG 9.7.1-P2 <<>> @gtm1.rsi.co.jp mailergoat.rsi.co.jp ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28074
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.  IN  NS

;; AUTHORITY SECTION:
rsi.co.jp.  60  IN  SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

;; Query time: 272 msec
;; SERVER: 202.214.41.51#53(202.214.41.51)
;; WHEN: Wed Apr 27 22:05:33 2011
;; MSG SIZE  rcvd: 90

And in fact, only A and TXT records exist:

kauer@karl:~$ dig @gtm1.rsi.co.jp mailergoat.rsi.co.jp any

; <<>> DiG 9.7.1-P2 <<>> @gtm1.rsi.co.jp mailergoat.rsi.co.jp any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30639
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.  IN  ANY

;; ANSWER SECTION:
mailergoat.rsi.co.jp.   600 IN  A   202.214.41.103
mailergoat.rsi.co.jp.   600 IN  TXT v=spf1 a:mailergoat.rsi.co.jp ?all

;; AUTHORITY SECTION:
rsi.co.jp.  500 IN  NS  gtm1.rsi.co.jp.

;; Query time: 264 msec
;; SERVER: 202.214.41.51#53(202.214.41.51)
;; WHEN: Wed Apr 27 22:06:19 2011
;; MSG SIZE  rcvd: 120

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156



Re: BIND error: opcode: QUERY, status: SERVFAIL

2011-04-27 Thread Karl Auer
On Wed, 2011-04-27 at 17:45 +0530, kshitij mali wrote:
> we are unable to lookup the domain goelexports.com
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63082

A trace shows the likely problem:

dns2-rz-ap:[log]$ dig +trace goelexports.com
[...]
;; Received 505 bytes from 192.58.128.30#53(j.root-servers.net) in 32 ms

goelexports.com.  172800  IN  NS  ns.hostsearchindia.com.
goelexports.com.  172800  IN  NS  ns2.hostsearchindia.com.
;; Received 116 bytes from 192.52.178.30#53(k.gtld-servers.net) in 29 ms

dig: Couldn't find server 'ns.hostsearchindia.com': node name or service name not known

Neither of those allegedly authoritative nameservers appears to exist.

Has there been a very recent change to the nameservers for this domain?
My servers seem to have it cached and are responding with what looks
like good data:

dns2-rz-ap:[log]$ dig goelexports.com

; <<>> DiG 9.2.4 <<>> goelexports.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1596
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;goelexports.com.   IN  A

;; ANSWER SECTION:
goelexports.com.  14057   IN  A   69.16.253.121

;; AUTHORITY SECTION:
goelexports.com.  84408   IN  NS  ns5.webcomindia.net.
goelexports.com.  84408   IN  NS  ns4.webcomindia.net.

;; ADDITIONAL SECTION:
ns4.webcomindia.net.  12408   IN  A   69.16.253.121
ns5.webcomindia.net.  12408   IN  A   69.16.253.122

;; Query time: 2 msec
;; SERVER: 129.132.98.12#53(129.132.98.12)
;; WHEN: Wed Apr 27 14:58:26 2011
;; MSG SIZE  rcvd: 132

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156



Re: Silently drop queries for AAAA records

2010-12-07 Thread Karl Auer
On Tue, 2010-12-07 at 16:31 -0600, David A. Evans wrote:
> I would like to silently drop the AAAA record lookups instead
> of responding back with NXDOMAIN.  Thusly generating a performance hit
> as the application waits 2 seconds for the reply.

Responding with NXDOMAIN will have a definite effect on your
recalcitrant application owner - it will stop the v4 lookup as well :-)
If you can do it just for him, that would be ideal.

If the application exists only at one or very few locations you could
rate limit inbound queries at your firewall.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156



Re: clarification on SOA

2010-12-01 Thread Karl Auer
On Wed, 2010-12-01 at 19:05 +0530, rams wrote:
> I have one SOA record as follows in zone.
>
> qa.com.   86400   IN SOA ramesh.com. qa.com. (
> 2009111903 ; serial
> 10800  ; refresh (3 hours)
> 3600   ; retry (1 hour)
> 2592000; expire (4 weeks 2 days)
> 300  ; minimum (1 day)
> )
>
> I queried for non exist domain against bind. Bind is returning SOA
> record with 300 as TTL value. Is it correct? Because in my zone , SOA
> has 86400 TTL.

For NXDOMAIN, the TTL returned will be the lower value of the SOA TTL
and NCACHE/MINIMUM. So in this case, 300 seconds.

See RFC mumblemumble. I know this through being comprehensively
ejumacated on this very list because I thought the SOA TTL had to be
zero...

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF



Re: dig domain ns fails when local name servers misconfigured

2010-09-29 Thread Karl Auer
On Wed, 2010-09-29 at 19:51 -0400, Tristan Goguen wrote:
> We would like to take some action when domain authority transfers take
> place. Can we configure dig to return the name server list based
> exclusively on a query to the root / TLD servers? Can local name
> servers be ignored?

   dig +trace ilap.ca ns | grep '^ilap\.ca\.' | cut -f6

Might need something a bit more robust than that cut if you are working
with other domains.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
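
A more tolerant way to pull the delegation out of `dig +trace` output than the `grep | cut` pipeline above, as an added example that is not part of the original post. It goes a step further and also compares the parent's NS set with the set the zone itself returns; the function names and the trace text (example names, documentation addresses) are constructed for the illustration.

```python
import re

# Matches e.g. ";; Received 116 bytes from 192.0.2.3#53(tld1.registry.test) in 29 ms"
RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+?)#\d+\((\S+?)\)")

def ns_sets_from_trace(trace_text, domain):
    """Return [(responding_server, {ns names})] for every block of `dig +trace`
    output that carries NS records owned by `domain`, in the order dig printed them."""
    want = domain.lower().rstrip(".") + "."
    found, block = [], set()
    for raw in trace_text.splitlines():
        line = raw.strip()
        m = RECEIVED.match(line)
        if m:  # a "Received" line closes the block of records printed before it
            if block:
                found.append((m.group(2), block))
            block = set()
        elif line and not line.startswith(";"):
            fields = line.split()  # any run of tabs or spaces, unlike cut -f6
            # Record layout: owner TTL class type rdata
            if (len(fields) >= 5 and fields[0].lower() == want
                    and fields[2].upper() == "IN" and fields[3].upper() == "NS"):
                block.add(fields[4].lower())
    return found

def check_delegation(trace_text, domain):
    """The first matching block is the parent's referral; the last is the zone's own answer."""
    sets = ns_sets_from_trace(trace_text, domain)
    if not sets:
        return None
    parent_server, parent = sets[0]
    child = sets[-1][1] if len(sets) > 1 else None
    return {
        "parent_server": parent_server,
        "delegation": sorted(parent),
        "only_in_parent": sorted(parent - child) if child is not None else [],
        "only_in_child": sorted(child - parent) if child is not None else [],
    }

# Constructed sample output (not a real capture): the parent delegates to three
# servers, the zone's own servers list only two.
TRACE = """\
; <<>> DiG 9.x <<>> +trace example.ca ns
;; global options: +cmd
.\t\t\t518400\tIN\tNS\ta.root.test.
;; Received 239 bytes from 192.0.2.1#53(192.0.2.1) in 1 ms

ca.\t\t\t172800\tIN\tNS\ttld1.registry.test.
;; Received 300 bytes from 192.0.2.2#53(a.root.test) in 20 ms

example.ca.\t\t86400\tIN\tNS\tns1.example.net.
EXAMPLE.CA.  86400  IN  NS  ns2.example.net.
example.ca.\t\t86400\tIN\tNS\tns3.example.net.
;; Received 116 bytes from 192.0.2.3#53(tld1.registry.test) in 29 ms

example.ca.\t\t3600\tIN\tNS\tns1.example.net.
example.ca.\t\t3600\tIN\tNS\tns2.example.net.
;; Received 90 bytes from 192.0.2.10#53(ns1.example.net) in 30 ms
"""

if __name__ == "__main__":
    print(check_delegation(TRACE, "example.ca"))
```

If the trace stops at the referral because the delegated nameservers cannot be reached, only the parent block is found and both difference lists stay empty.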



Re: zero SOA TTL - still best practice?

2010-08-26 Thread Karl Auer
On Thu, 2010-08-26 at 23:17 +1000, Karl Auer wrote:
> - should I update my program to allow non-zero SOA TTLs?

The answer appears to be yes, right now! :-)

RFC2308.

Many thanks for your swift responses (and Alex, how could I ever have
doubted you?)

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF



Re: zero SOA TTL - still best practice?

2010-08-26 Thread Karl Auer
On Thu, 2010-08-26 at 11:23 -0400, Josh Littlefield wrote:
> Confirming, RFC 2308 makes it clear that the negative caching of all
> records for a zone is limited to the minimum of the SOA TTL and the SOA
> minimum TTL field (which was given this new negative caching TTL role
> in RFC 2308).

It's not clear to me why the lesser of the two is taken, or indeed why
they have a relationship at all. What is the rationale there? Why not
just use the minimum TTL as the negative cache TTL?

Having read the history in RFC2308, I suspect it is because the minimum
TTL has had a few meanings over time, and was often set far too high, so
the SOA TTL is being used to sanity check it, as even a feral zone
administrator will not want too high a value in the SOA TTL.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF



Re: newb alert: how to make v4 and v6 A records resolve to same website

2010-07-14 Thread Karl Auer
On Wed, 2010-07-14 at 22:04 -0400, Joseph S D Yao wrote:
> > but how we transform the A record in 
> There is no such translation.  Rather, there used to be, but it has been
> deprecated (that is, it's not supposed to be used any more).

The IPv4-compatible IPv6 address is indeed deprecated, but there is a
non-deprecated method; the IPv4-mapped IPv6 address (section 2.5.5.2 in
RFC 4291):

   ::ffff:a.b.c.d

where a.b.c.d are the four octets, represented in decimal, of an IPv4
address.

However, this just allows an ordinary IPv4 address to be packaged in
an IPv6 address. An application that understands this format will just
extract the IPv4 address and use it *as an IPv4 address*.

It's not a transformation in the sense that the OP seems to want.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF



Re: ipv6 link-local addressing

2010-06-24 Thread Karl Auer
On Fri, 2010-06-25 at 08:20 +1000, repudi8or repu wrote:
> process, i wish to confirm that bind (currently using 9.7.0-p2) can
> manage dns correctly for all ipv6 hosts.

You don't really need to - it can.

> If i leave off the part on each  from the % onwards, the zone
> loads up ok and names resolve, but of course can not be used to reach
> the intended devices as the resolved addresses are missing the %5. I
> believe the %5 part is called the link-local component of the
> address.

It's called the scope identifier. Link local addresses are not designed
for this use - suggest you use static addressing (you have very few
hosts), or put a DHCPv6 server or route advertiser into your little
network and use DNS with global unicast addresses. The route advertiser
would be simplest. As long as your network is truly isolated you can use
whatever prefix you like, or if you want to play safe go to sixxs and get
a ULA prefix.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF



Re: IPv6 validation

2010-06-16 Thread Karl Auer
On Wed, 2010-06-16 at 14:18 +0530, rams wrote:
> The following IPv6 addresses is valid or not?

Looks suspiciously like a school assignment to me...

If speed is not essential, try ping6-ing each address. If you get a
response or network unreachable, it's a valid address. If you get a
really long pause followed by unknown host, it's not a valid address.

:-)

Regards, K.


-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF



Re: IPv6 TCP

2009-12-29 Thread Karl Auer
On Tue, 2009-12-29 at 07:39 -0800, Pamela Rock wrote:
> > > [r...@test /]# dig  ip6.test.com @bind6 +tcp
> > +short socket.c:4922: 22/Invalid argument dig:
> > isc_socket_connect:
> > > unexpected error
> [...]
> This is a totally closed network.  There is no access to anything.

I apologise because I am coming to this question very late and after not
paying attention to the earlier messages in the thread. However: That
looks a lot like what happens when a link local address is used with no
scope qualifier.

Here it is with plain old ping to one of my local machines:
ka...@karl:~$ ping6 fe80::209:6bff:fe30:3e92
connect: Invalid argument

But:

ka...@karl:~$ ping6 fe80::209:6bff:fe30:3e92%wlan0
PING fe80::209:6bff:fe30:3e92%wlan0(fe80::209:6bff:fe30:3e92) 56 data bytes
64 bytes from fe80::209:6bff:fe30:3e92: icmp_seq=1 ttl=64 time=6.92 ms
[...]

So if your source address is a link local address, try adding a suitable
scope qualifier.

Again, my apologies if this has already been suggested and discarded.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF



Re: IPv6 hostname resolution not working

2009-07-16 Thread Karl Auer
On Wed, 2009-07-15 at 22:54 -0700, vikram wrote:
> I am trying to setup BIND9 as a DNS server for local IPv6 name
> resolution within a LAN. I've been reading through related threads on
> forums and whatever documents Google comes up with. I am new to this
> and haven't been able to get it to work so far and could really use
> some help.
> Windows XP SP2 (IPv6 Protocol installed)

Windows XP cannot resolve over IPv6. It can use IPv6 addresses, but must
make its DNS queries and receive its DNS responses via IPv4 transport.

Sad but true. XP boxes must resolve via IPv4.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/  +61-428-957160 (mob)

GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF


