Re: Resolve any query to same IP address

2021-07-21 Thread Kevin Darcy via bind-users
[ Classification Level: GENERAL BUSINESS ] Dot "." instead of asterisk "*" as the zone name. Remove the "hint" zone, since that doesn't apply when you host your own root zone. You need a proper MNAME for the SOA RR too. - Kevin On Wed, Jul 21, 2021 at 11:18

Re: query-source and listened interfaces

2021-07-13 Thread Kevin Darcy via bind-users
[ Classification Level: GENERAL BUSINESS ] I've done the match-destinations/query-source thing before, but in addition to that, it should theoretically be possible to also use a shared cache between the views, via attach-cache. I've never played with that directive myself, however.

Re: Managing localhost

2021-06-21 Thread Kevin Darcy via bind-users
[ Classification Level: GENERAL BUSINESS ] That chapter doesn't show any PTR records, for the reverse zones of any *public* address range, pointing back to a "localhost" name. It only shows a PTR record in the reverse zone for the 127.0.0/24 private range, which is what enables a reverse lookup

Re: How to return REFUSED

2021-05-05 Thread Kevin Darcy via bind-users
[ Classification Level: GENERAL BUSINESS ] I just checked the ARM, and it denotes that "match-recursive-only" (boolean) still exists for views. So, you might be able to set up a special view with that, as well as a negated match-clients, specifying allow-query { none; }. Put it as the first view,

Re: Bind9 weighted load balancing

2021-04-30 Thread Kevin Darcy via bind-users
[ Classification Level: GENERAL BUSINESS ] Duplicate RRs are suppressed, as per the standards. RFC 2181, Section 5: Each DNS Resource Record (RR) has a label, class, type, and data. It is meaningless for two records to ever have label, class, type and data all equal - servers should

Re: Configuring the location of named .jnl files

2021-04-26 Thread Kevin Darcy via bind-users
[ Classification Level: GENERAL BUSINESS ] Ivan, I've never done the Let's Encrypt thing myself, but from my skim of the documentation, it appears they want you to place a TXT record in a specific part of your domain's namespace hierarchy. I sincerely hope you're not trying to write

Re: Preventing a particular type of nameserver abuse

2021-04-12 Thread Kevin Darcy via bind-users
[ Classification Level: GENERAL BUSINESS ] It's not a "BIND" solution, per se, but if you have a sufficiently-sophisticated IPS (Intrusion Prevention System) you could have it simply drop all queries of a particular QNAME, or any particular combination of QNAME, QTYPE, QCLASS, before those

Re: Logging on a Bind server

2020-10-20 Thread Kevin Darcy
, a dynamic, reputation-based RPZ feed. See https://dnsrpz.info/ for more. - Kevin On Tue, Oct 20, 2020 at 10:45 AM Kevin Darcy wrote: > [ Classification Level: GENERAL BUSINESS ] > > According to securitytrails.com (for

Re: Logging on a Bind server

2020-10-20 Thread Kevin Darcy
[ Classification Level: GENERAL BUSINESS ] According to securitytrails.com (for instance), there are over 3,000 domains hosted on ns2.honeybot.us (securitytrails only shows the first few domains hosted -- to see more, one presumably needs a subscription to their service). If one of your clients

Re: "forward first" set on a master zone not working as expected

2020-09-03 Thread Kevin Darcy
[ Classification Level: GENERAL BUSINESS ] Or, if you absolutely *must* use the same namespace internally and externally (oftentimes you can't talk the business out of that), your internal version should be a more-or-less a superset of your external version. How you keep those in sync is up to

Re: CNAME restrictions

2020-08-04 Thread Kevin Darcy
[ Classification Level: GENERAL BUSINESS ] Offhand, it looks like the server side is configured to only allow authenticated updates, but you're sending an unauthenticated one. A more nuanced issue might be if the ID you're running the nsupdate as, can't read the key files, so even though you may

Re: Fun with nsudpate and ac1.nstld.com

2020-07-06 Thread Kevin Darcy
[ Classification Level: GENERAL BUSINESS ] You didn't dot-terminate covisp.net in the "zone" statement, so it may be appending who-knows-what to one of its queries, and going awry. nsupdate -d (or -D) shows all :-) - Kevin On Mon, Jul

Re: [Non-DoD Source] Re: BIND Masters and slaves

2020-06-15 Thread Kevin Darcy
[ Classification Level: PUBLIC ] My 2 cents... The "master" nomenclature is appropriate from a *data*dependency* standpoint. The "master" holds the "master copy" of the zone contents ( https://www.collinsdictionary.com/us/dictionary/english/master-copy). All other copies are duplicates of that.

Re: How to get random subset of large rrset (30+ IPs for round robin)?

2020-03-20 Thread Kevin Darcy
[ Classification Level: GENERAL BUSINESS ] Only thing that comes to mind is a constantly-running dynamic update script that adds/deletes records to/from the RRset at random. A more sophisticated version of the script would look at what answers that have been given out in the recent past, and if

Re: Using TSIG Keys Between Linux OS and Windows OS

2019-11-25 Thread Kevin Darcy
[ Classification Level: PUBLIC ] To clarify, the OP didn't specify what DNS software they were using, only the OS (Windows 2016). If using Microsoft DNS, then as Mark pointed out, Microsoft has not implemented regular shared-key TSIG. They have, however, implemented GSS-TSIG, which, I believe,

Re: Zoneformat

2019-10-28 Thread Kevin Darcy
phone dialing ..." > > Except that that proved to be so onerous that people often use "speed > dialing" for commonly dialed numbers. (Not to mention the fact that > people usually address their friends and coworkers by short names.) > > > On Mon, 28 Oct 2019 12:19:35 -0

Re: Zoneformat

2019-10-28 Thread Kevin Darcy
[ Classification Level: PUBLIC ] My opinion? It's better to wean your users away from shortnames than to try to cobble together kludges, on the client side or the BIND side, to support a bad habit. Shortnames introduce ambiguity, lead to nasty surprises, are inefficient and insecure. Just like we

Re: Bind-Efficientip

2019-10-21 Thread Kevin Darcy
[ Classification Level: PUBLIC ] It's not clear to me from the marketing fluff whether EfficientIP is based on BIND or not. If it is, then consider that you have an open-source codebase, and the eternal debate is whether open source is inherently more secure or not. On the one side, is the

Re: Proper Way to Configure a Domain which never sends emails

2019-08-19 Thread Kevin Darcy
commending a null MX. I've concurred that a "-all" SPF will help. - Kevin On Mon, Aug 19, 2019 at 8:07 PM Reindl Harald wrote: > > > Am 19.08.19 um 23:31 schrieb Kevin Darcy: > > [ Classification Level: PUBLIC ] > > > > MXes are for *receiving

Re: Proper Way to Configure a Domain which never sends emails

2019-08-19 Thread Kevin Darcy
[ Classification Level: PUBLIC ] MXes are for *receiving* mail of course. The request is about *sending* mail. Setting the SPF record to "-all" is probably about the best you can do, since AFAIK there is no universally-recognized way to signal "domain X never sends mail". Ironically, in order

Re: SERVFAIL when looking up TXT from particular domain

2019-06-26 Thread Kevin Darcy
There's a huge amount of DNSSEC verbiage in the response to that query (4931-byte response from the authoritative nameservers), when querying with +dnssec. I'm guessing the resolver function of BIND might be having trouble with DNSSEC validation. At least, that's a hypothesis. I'm not familiar

Re: Change DNS records automatically when a link is DOWN

2019-06-05 Thread Kevin Darcy
Publish all 3 NSes. Publish MX records with primary/failover preferencing. Use a load-balancer (free or commercial, software/hardware/cloud-based) to direct the web traffic. - Kevin On Wed, Jun 5, 2019 at 11:16 AM Roberto Carna

Re: Forwarders with static-stub

2019-05-22 Thread Kevin Darcy
TBH, I haven't worked specifically with "static-stub", but with the classic "stub", one would put a "null forwarders" statement in the zone definition to inhibit forwarding. I.e. forwarders { }; - Kevin On Wed, May 22, 2019 at 8:16 AM Ben Lavender

Re: Enable recursive query for only a particular zone

2019-05-07 Thread Kevin Darcy
The simple answer is that you can do this with allow-recursion. Note that "recursion no" is a big (instance-wide or view-wide) "off" switch for recursion, so if you already have that set, you'll have to un-set it in order to apply your allow-recursion controls in a granular fashion. You may also

Re: Problem with zone delegation with private gTLD

2019-04-08 Thread Kevin Darcy
If you're doing stuff at really small scale, you can just define your own root zone and put all of the records into it, including records in the "phishing" subdomain, and any reverse records you care about (in the "in-addr.arpa" and/or "ip6.arpa" subdomains). For that matter, if you only have 1

Re: Combining forward with master zone.

2019-02-20 Thread Kevin Darcy
Delegate needs.example.com from example.com and you should be set. - Kevin On Wed, Feb 20, 2019 at 3:40 PM King, Harold Clyde (Hal) wrote: > Could I just define needs.example.com as a zone in a separate file so: > > > > zone "example.com" { type master; notify no; file

Re: Combining forward with master zone.

2019-02-20 Thread Kevin Darcy
As discussed in another thread, delegate the zone you want to forward, in addition to defining the zone as "type forward". If you already tried a "type forward" and it didn't work, it was probably because the delegation was missing. It's a non-obvious requirement, but named needs to see the zone

Re:

2019-02-20 Thread Kevin Darcy
Define teamviewer.com as 'type >> forward'". >> >> > >> >> >An also what is the benefit in defining a root zone with the >> teamviewer.com >> >> >delegated into it??? Because I put to work this zone just as a forward >> >> >z

Re: DNS load balancing: UDP or TCP ?

2019-02-19 Thread Kevin Darcy
If you go with Anycast via BGP, make sure your network infrastructure has "multipath" enabled, otherwise the traffic will be skewed to one node or the other. https://tools.ietf.org/id/draft-lapukhov-bgp-ecmp-considerations-01.html is one source which summarizes some of the literature and standards

Re: Malicious-DNS

2019-02-18 Thread Kevin Darcy
Another approach is to define a "fake" vitaminc.pro domain, point it at an internal webserver (assuming you have a spare, or can spin one up for the purpose), and see what clients are hitting it. Of course, that assumes the communication is web-based. If it's some other protocol(s), you'd need to

Re:

2019-02-18 Thread Kevin Darcy
I've already posted a solution for this. Basically, "Define root zone. Delegate teamviewer.com from root zone. Define teamviewer.com as 'type forward'". "Recursion yes" is implied. No views necessary. It doesn't make any sense anyway, to have the same match-clients list for all of one's views,

Re: Forward zone inside a view

2019-02-12 Thread Kevin Darcy
in > other contexts. > > > Timothe Litt > ACM Distinguished Engineer > -- > This communication may not represent the ACM or my employer's views, > if any, on the matters discussed. > > On 12-Feb-19 17:45, Kevin Darcy wrote: > > > Defi

Re: Forward zone inside a view

2019-02-12 Thread Kevin Darcy
Define root zone. Delegate teamviewer.com from root zone. Define teamviewer.com as "type forward". "recursion no" is incompatible with *any* type of forwarding or iterative resolution. Should only be used if *everything* you resolve is from authoritative data, i.e. for a hosting-only BIND

Re: BIND DNS Enable audit logs - Authoritative

2019-01-11 Thread Kevin Darcy
I don't believe there is any logging category for this, even when zones are enabled for Dynamic Update, in which case the versioning is done automatically. There used to be a "journalprint" utility that one could run against the .jnl files to show the update history. But, even if the journaling

Re: dns cache issue

2019-01-10 Thread Kevin Darcy
Offhand, sounds like your LAN is saturated so the queries might not be getting to BIND in the first place. Or the replies aren't getting back. It's unlikely that QoS is going to help this, you indicated that QoS was on your "router", and that is typical -- usually QoS is found on WAN links.

Re: one-zone-only forwarding DNS

2018-11-13 Thread Kevin Darcy
9.5.5 is old -- upgrade. But, to the architecture issue... sounds like you need an "internal root with forwarding exceptions" setup. - As per best practices, consider separating the recursive-resolver and hosting functions into separate views, separate named instances (listening on

Re: Rewrite/Override QTYPE with RPZ

2018-11-08 Thread Kevin Darcy
The only scenario in which I could see this being accepted by the client, is if the replacement is a CNAME, since that's a "universal" type. But it's still unclear what the ultimate intent would be. - Kevin On Thu, Nov 8,

Re: 2 Questions - forward zone and DNS firewalling

2018-10-26 Thread Kevin Darcy
My basic rule of thumb is: use forwarding when connectivity constraints require it. Those constraints may be architectural, e.g. a multi-tiered, multi-layer network for security purposes, or may be the result of screwups or unintended consequences, e.g. a routing blackhole. Use forwarding to get

Re: Strange DIG behavior on Windows 10:

2018-10-23 Thread Kevin Darcy
To be honest, I don't have a lot of experience running dig on Windows, but I assume it would use the same resolvers as everything else, in which case they're either statically defined (typically through Control Panel) or assigned via DHCP. One thing to consider, though: on Windows, resolvers tend

Re: need two Domain in Named.local, but not resolv

2018-10-08 Thread Kevin Darcy
Offhand, it looks like 192.168.201.92 is giving SERVFAIL for anything in the carag.local zone, but is fine for the olh.local zone. Did the zone load properly? Look in the logs at startup or reload time. But, the tools you're using, and how you're using them, makes troubleshooting very difficult

Re: Forward type "only" no longer working (possibly a regression)?

2018-10-01 Thread Kevin Darcy
One of the most useful initial steps in troubleshooting is to establish your ability to reproduce the error. So, I'd look at getting to the command-line of the originating resolver, if possible, and using a command-line tool like "dig" to generate queries towards the intended target and see if

Re: Forward type "only" no longer working (possibly a regression)?

2018-10-01 Thread Kevin Darcy
You need to get to the root cause of what's causing the SERVFAIL. Removing "forward only" just masks the problem by telling the resolver algorithm to fail over to iterative resolution when it encounters the SERVFAIL. So, sure, the query resolves, but probably not from the correct server, and

Re: NTP through DNS?

2018-09-19 Thread Kevin Darcy
I'll just toss in the factoid that NTP can be run on multicast or anycast, which may negate some of the motivation for using a DNS name to access the service. - Kevin On Wed, Sep 19, 2018 at 11:38 AM Andrew Latham wrote: > On Wed, Sep 19, 2018 at 10:19 AM Ray

Re: Net::DNS::Update when Something Goes Wrong

2014-09-18 Thread Kevin Darcy
On 9/18/2014 12:33 PM, Martin G. McCormick wrote: This is a perl module but my question is pure bind. Is anyone familiar enough with this perl module to say whether the packets are sent as TCP or udp? If udp, one would think that if a packet was sent to do a job and the DNS failed to

Re: How to block part of a zone

2014-09-16 Thread Kevin Darcy
You have multiple choices here. Loopback is sometimes a bad choice, since the client may try to connect to itself, and in pathological cases this could cause an infinite loop. You could consider an A record with RDATA 0.0.0.0, the null or unspecified address. It is not legal for that ever to

Re: A record of domain name must be name server ?

2014-09-11 Thread Kevin Darcy
On 9/11/2014 3:47 AM, Matus UHLAR - fantomas wrote: On 10.09.14 18:13, Kevin Darcy wrote: No, what I'm saying is that if example.com owns an A record 203.0.113.48, and www.example.com owns an A record 203.0.113.48, then where does 48.113.0.203.in-addr.arpa point? Completely your decision

Re: A record of domain name must be name server ?

2014-09-11 Thread Kevin Darcy
AM, Mark Elkins wrote: On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote: No, what I'm saying is that if example.com owns an A record 203.0.113.48, and www.example.com owns an A record 203.0.113.48, then where does 48.113.0.203.in-addr.arpa point? Some people will point it at example.com

Re: A record of domain name must be name server ?

2014-09-11 Thread Kevin Darcy
On 9/11/2014 12:08 PM, Matus UHLAR - fantomas wrote: On 9/11/2014 3:47 AM, Matus UHLAR - fantomas wrote: On 10.09.14 18:13, Kevin Darcy wrote: No, what I'm saying is that if example.com owns an A record 203.0.113.48, and www.example.com owns an A record 203.0.113.48, then where does

Re: A record of domain name must be name server ?

2014-09-11 Thread Kevin Darcy
On 9/11/2014 11:51 AM, Mark Elkins wrote: On Thu, 2014-09-11 at 11:27 -0400, Kevin Darcy wrote: Mark, Depending on implementation, a PTR RRset with multiple records either -- only ever gets answered with the first record of the set (in which case the second and subsequent records

Re: A record of domain name must be name server ?

2014-09-10 Thread Kevin Darcy
On 9/10/2014 11:58 AM, Alan Clegg wrote: On 9/10/14, 8:42 AM, Sam Wilson wrote: And you could reduce maintenance very slightly by replacing www in A 75.100.245.133 with www in CNAME @ And now you have an MX record, 3 NS records and a bunch of other

Re: A record of domain name must be name server ?

2014-09-10 Thread Kevin Darcy
On 9/10/2014 5:20 PM, Alan Clegg wrote: On 9/10/14, 2:13 PM, Kevin Darcy wrote: On 9/10/2014 11:58 AM, Alan Clegg wrote: On 9/10/14, 8:42 AM, Sam Wilson wrote: And you could reduce maintenance very slightly by replacing www in A 75.100.245.133 with www

Re: A record of domain name must be name server ?

2014-09-10 Thread Kevin Darcy
even use a CNAME as a PTR??? Eliezer On 09/11/2014 12:37 AM, Kevin Darcy wrote: Also, have you considered the forward/reverse ambiguity that arises when multiple owner names resolve to the same address? To which of those names does the PTR point? - Kevin

Re: A record of domain name must be name server ?

2014-09-08 Thread Kevin Darcy
Based on the zone contents below, you shouldn't have any problem changing the 192.168.1.100 address to anything you want. But, of course, the zone is illegal because it only has 1 NS record published at the apex (there is a strict minimum of at least 2), and, as it stands now, if it is an

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Kevin Darcy
So you care enough about security to implement DNSSEC, but you run your forwarder on port 80. Interesting... - Kevin On 8/26/2014 8:19 AM, Tomas Hozza wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello. I found out that

Re: rndc

2014-07-31 Thread Kevin Darcy
On 7/31/2014 11:56 AM, Reindl Harald wrote: Am 31.07.2014 um 17:41 schrieb /dev/rob0: On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote: i am doing reloads of named with killall -HUP named just because i disabled rndc completly for security reasons and configurations are generated

Re: rndc (and now nsupdate too)

2014-07-31 Thread Kevin Darcy
On 7/31/2014 3:08 PM, /dev/rob0 wrote: On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote: Am 31.07.2014 um 17:41 schrieb /dev/rob0: On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote: i am doing reloads of named with killall -HUP named just because i disabled rndc

Re: One question about 'Stealth servers'

2014-07-24 Thread Kevin Darcy
I know of no way to do this within BIND itself, but if you Anycast your nameservers, and carefully tweak route preferences and whatnot, you could ensure that some instances (call it set A) only get used if all of the members of another set of instances (call it set B) stop advertising the

Re: Checking proper SPF record

2014-07-08 Thread Kevin Darcy
http://www.kitterman.com/spf/validate.html - Kevin On 7/8/2014 12:43 PM, Alex wrote: Hi, I have a mail server that manages mail for about ten domains, using bind-9.9.4-12.P2 on fedora20. I'd like to make sure my SPF record in my SOA is set up correctly,

Re: Name-server redundancy

2014-06-10 Thread Kevin Darcy
...@lists.isc.org, Kevin Darcy k...@chrysler.com wrote: That scenario still shouldn't have led to an NXDOMAIN. If none of the delegated nameservers are responding, you'd get a timeout or SERVFAIL. So I think there's still some investigation to be done. But using dig instead of nslookup at least makes

Re: Name-server redundancy

2014-06-09 Thread Kevin Darcy
-rad.com Bio-Rad Corporate IT - Desk: (510) 741-6846 Mobile: (510) 224-4343 On Mon, Jun 9, 2014 at 2:32 PM, Kevin Darcy k...@chrysler.com mailto:k...@chrysler.com wrote: Well, you shouldn't be getting an NXDOMAIN just because some of your auth servers are off-line, but you could get

Re: slave: WARNING: recursion requested but not available

2014-06-06 Thread Kevin Darcy
On 6/6/2014 7:35 AM, Reindl Harald wrote: Am 06.06.2014 13:28, schrieb Matus UHLAR - fantomas: On 06.06.14 13:13, Reindl Harald wrote: why does in case of asking the slave always come a WARNING: recursion requested but not available even if you dig a A-record he is authoritative? because you

Re: SPF RR type

2014-06-05 Thread Kevin Darcy
On 6/5/2014 10:34 AM, Mike Hoskins (michoski) wrote: -Original Message- From: Nicholas F Miller nicholas.mil...@colorado.edu Date: Thursday, June 5, 2014 at 10:25 AM To: bind-users@lists.isc.org bind-users@lists.isc.org Subject: SPF RR type Are SPF RR types finally dead or not? I¹ve

Re: stub zones

2014-06-02 Thread Kevin Darcy
The typical use case for a stub zone is where the delegation chain is broken, or incorrect, but you don't want to incur the overhead of slaving the zone (or some other sort of bureaucratic snafu like the owner/admin of the zone not letting you do zone transfers). As a general rule, stub zones

Re: Reply Code 0x8083 vs 0x8080

2014-05-29 Thread Kevin Darcy
Why the different RCODES? See RFC 2308. Short version: the NODATA response occurs when the QNAME exists, but no records match QTYPE. It will also occur if the QNAME is merely a branch to something further down in the hierarchy (a so-called empty non-terminal), and owns no records of its own.

Re: Default BIND query timeouts

2014-05-20 Thread Kevin Darcy
queries are non-recursive and we expect the name server should have answers. We are sending test host with very high query rate so BIND may be too busy to respond to all the queries. On Monday, May 19, 2014 4:25 PM, Kevin Darcy k...@chrysler.com wrote: If a client sends a recursive query

Re: Default BIND query timeouts

2014-05-19 Thread Kevin Darcy
If a client sends a recursive query to the BIND instance, and that instance needs to fetch the answer from one or more other upstream sources, then my understanding is that the resolver-query-timeout global option (see the BIND docs) controls the timeout for each one of those upstream

Re: Some GUI for zone updates.

2014-05-10 Thread Kevin Darcy
On 5/10/2014 3:00 AM, Mimiko wrote: Hello. I know there are WEB GUIs for bind, which uses a DB to store its information and need read/write access to bind's config files and zones files. Is there a GUI utility which will user zone transfers with keys and dynamic updates? In windows I

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Kevin Darcy
On 5/9/2014 6:59 AM, Tony Finch wrote: Dave Warren da...@hireahit.com wrote: On 2014-05-08 15:09, Mark Andrews wrote: But that does not help when you want a MX record at the apex or some other record at the apex. I'd argue that it does -- Since the record is now CNAME'd, the MX record is now

Re: Multi-master (HA)

2014-05-09 Thread Kevin Darcy
On 5/9/2014 3:01 PM, John Wobus wrote: ...if anyone has specific thoughts on how to make this sort of thing easier in BIND -- even just at the level of boy, it irritates me that I can't make BIND do X -- such comments will fall on welcoming ears. I agree that it would be nice if effort were

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-09 Thread Kevin Darcy
On 5/8/2014 5:13 PM, John Levine wrote: DNSMadeEasy calls this an ANAME record, internally they just lookup the destination's IP and cache it, updating it as needed. It works, but it would be nice if this could be done in DNS. Sadly, it can't, and probably won't in our lifetimes. I do a

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-06 Thread Kevin Darcy
The apex name of a zone can't own a CNAME, if that's what you're asking. E.g. the name example.com can't be a CNAME pointing at otherexample.com. But, of course, you can certainly put A and/or records at the apex, that resolve to one or more addresses in one or more ranges you don't

Re: How to setup a backup NameServer?

2014-05-04 Thread Kevin Darcy
Forwarder selection has been based on RTTs for quite a while now. So, if what you're trying to protect against is your primary forwarders being DoS'ed, why not just define your primary and backup forwarders in the same forwarder list? Due to RTT calculations, the backup forwarders would

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Kevin Darcy
Being authoritative means that you know everything about the zone. If you know everything about a zone, why ask anyone else? Split DNS does not follow the DNS paradigm, so there is no standard way to implement it, and despite many people asking over the years, there is no NXDOMAIN failover

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Kevin Darcy
Oh, I thought this was an external-versus-internal scenario. But, this is even easier. A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the stealth variety, if you want) of the other B) People use nsupdate to maintain the zone For security, TSIG-sign the updates. For fast

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Kevin Darcy
. Thanks again On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy k...@chrysler.com mailto:k...@chrysler.com wrote: Oh, I thought this was an external-versus-internal scenario. But, this is even easier. A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the stealth

Re: BIND transfers records to Windows DNS server

2014-04-29 Thread Kevin Darcy
On 4/29/2014 3:12 PM, Roberto Carna wrote: Dear, I have this scenario: 1) Windows DNS with dynamic update zone (Windows clients) 2) BIND with manually update zone (Linux and Cisco clients) Is there any way to transfer all BIND zone records to the Windows DNS in order to have just one and

Re: How to setup a backup NameServer?

2014-04-28 Thread Kevin Darcy
I'm not sure this makes sense from an architectural standpoint. If all of the authoritative NSes are down, where is this backup nameserver getting its data from, and how current is that data? If slightly *stale* data is acceptable, in the absence of all authoritative NSes, then why not just

Re: Enterprise IPAM/DNS Solutions

2014-04-28 Thread Kevin Darcy
Are you running *other*, non-network-service functions on these boxes besides BIND/MM? If not, then you might find an appliance-based solution like Bluecat or Infoblox might be more cost-effective than adding a DNS-management layer to a generic server. Your security folks should love you too,

Re: Enterprise IPAM/DNS Solutions

2014-04-28 Thread Kevin Darcy
. Thanks, Josh -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy Sent: Monday, April 28, 2014 12:50 PM To: bind-users@lists.isc.org Subject: Re: Enterprise IPAM/DNS Solutions Are you running *other*, non-network

Re: Zone transfer doesn't work when I set allow-update statement

2014-04-25 Thread Kevin Darcy
allow-update + manual editing of zone file = bad. Use nsupdate. - Kevin On 4/25/2014 4:03 PM, Jeronimo L. Cabral wrote: Dear, I'm using Bind 9.8.4 with a master / slave scenario. Zone transfer works OK when I have this config in named.conf.local from master server, add some A records and

Re: Help with DKIM record

2014-04-15 Thread Kevin Darcy
On 4/14/2014 2:58 PM, Steven Carr wrote: On 14 April 2014 18:53, Felix Rubio Dalmau felixrubiodal...@gmail.com wrote: it is not actually a pure caching server (at least I didn't wanted it to be :S). I have server at home, and the DNS is properly configured at the internet. The

Re: Help with DKIM record

2014-04-15 Thread Kevin Darcy
What isn't clear so far is whether the TXT record you're looking up is in the myserver.org zone or some other zone. If you're authoritative for myserver.org, you're authoritative for *all* of myserver.org. named isn't going to do failover forwarding just because you neglected to add a TXT

Re: Private separate DNS domains

2014-04-08 Thread Kevin Darcy
Regardless of what you've been told, the resolvers (nameservers) in /etc/resolv.conf are tried *in*sequence*, and if a valid response (where NXDOMAIN _is_ a valid response) is received from one resolver, none of the others are tried. So, I'm surprised that your mix-and-match-resolvers hack

Re: Delegation of part of a zone to a global server load balancer

2014-04-07 Thread Kevin Darcy
I'm assuming you have forwarding set up. Make sure to set forwarders { }; in the aelabad.net zone definition. Failure to do so means that your recursive queries for names in subzones forward out towards the Internet, instead of following the delegations down to the austin-energy.net

Re: CNAME to an external domain

2014-03-25 Thread Kevin Darcy
On 3/25/2014 9:01 AM, Ian Braun wrote: Hello, We have a bind server (v9.6) that's hosts mydomain.com http://mydomain.com. I'm trying to create a CNAME for host.mydomain.com http://host.mydomain.com to point to host.otherdomain.com http://host.otherdomain.com. I don't host otherdomain.com

Re: localhoast A record?

2014-03-21 Thread Kevin Darcy
On 3/21/2014 9:03 AM, Casey Deccio wrote: On Fri, Mar 21, 2014 at 8:50 AM, Mitchell Kuch mi...@basejp.com mailto:mi...@basejp.com wrote: Hello - I've adopted a number of zones and most of them contain localhost in a 127.0.0.1 records. I'm curious what current RFC standards state

Re: Audit the consistency of zone files on DNS servers

2014-03-15 Thread Kevin Darcy
On 3/15/2014 6:09 AM, Maren S. Leizaola wrote: On 3/15/2014 1:53 AM, Kevin Darcy wrote: On 3/14/2014 8:28 AM, Maren S. Leizaola wrote: Hello, What do you guys recommend to audit every resource record in a zone file against all the records in all the DNS servers that host

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Kevin Darcy
On 3/14/2014 8:28 AM, Maren S. Leizaola wrote: Hello, What do you guys recommend to audit every resource record in a zone file against all the records in all the DNS servers that host the zone file. I want something that I feed the master zone file and then goes to each NS

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Kevin Darcy
On 3/14/2014 2:39 PM, Maren S. Leizaola wrote: On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote: On Fri, Mar 14, 2014 at 12:33:47PM +, Phil Mayers p.may...@imperial.ac.uk wrote a message of 25 lines which said: dig @server zone axfr file diff file file.real If you're really paranoid,

Re: How to create a fake root server?

2014-03-13 Thread Kevin Darcy
for a school project. Regards, Peter On 12/03/14 19:56, Kevin Darcy wrote: First of all, don't use .loc as an internal TLD. There are *many* proposals in process with ICANN for establishing new TLDs, and for all you know, .loc might be one of them. If .loc gets established on the Internet

Re: How to create a fake root server?

2014-03-12 Thread Kevin Darcy
First of all, don't use .loc as an internal TLD. There are *many* proposals in process with ICANN for establishing new TLDs, and for all you know, .loc might be one of them. If .loc gets established on the Internet, and you're using it internally, that presents abundant opportunities for

Re: Internal clients' queries for myhostname. get sent to forwarders. Why?

2014-03-10 Thread Kevin Darcy
Options: 1) Change nameservice-switch order (e.g. /etc/nsswitch.conf) on your hosts to prefer another source of name resolution (e.g. /etc/hosts) which can resolve the shortname. Thus DNS is never used for these lookups 2) Simply :-) change your DNS architecture fundamentally, from one which

Re: Internal clients' queries for myhostname. get sent to forwarders. Why?

2014-03-10 Thread Kevin Darcy
On 3/10/2014 6:05 PM, Andreas Ntaflos wrote: On 2014-03-10 22:23, Kevin Darcy wrote: Options: First, thanks a lot for the reply! So it seems what I described is indeed the expected behaviour for the type of DNS we operate? 1) Change nameservice-switch order (e.g. /etc/nsswitch.conf

Re: how to hidden the salve

2014-02-25 Thread Kevin Darcy
! Guanghua Date: Mon, 24 Feb 2014 13:41:03 -0500 From: Kevin Darcy k...@chrysler.com To: bind-users@lists.isc.org Subject: Re: how to hidden the salve Message-ID: 530b923f.8070...@chrysler.com Content-Type: text/plain; charset=iso-8859-1; Format=flowed I guess I'm still not understanding your

Re: how to hidden the salve

2014-02-24 Thread Kevin Darcy
? For the 'stealth' slave isn't in the NS records. Also-notify directive. Either in an options stanza or a zone stanza. thanks, Guanghua -- Daniel J McDonald, CISSP # 78281 Date: Thu, 20 Feb 2014 10:48:36 -0500 From: Kevin Darcy k...@chrysler.com To: bind-users@lists.isc.org Subject: Re: how

Re: how to hidden the salve

2014-02-20 Thread Kevin Darcy
servers in the NS records are out of service ( maybe in case of ddos attack). Guanghua -- On 2/19/2014 11:54 AM, Kevin wrote: Date: Wed, 19 Feb 2014 11:54:44 -0500 From: Kevin Darcy k...@chrysler.com To: bind-users@lists.isc.org Subject: Re: how to modify the cache

Re: how to modify the cache

2014-02-19 Thread Kevin Darcy
Not a good solution. Even under normal circumstances, there will be temporary bottlenecks, dropped packets, etc.. that will trigger failover and users will get different answers at different times. Not good for support, maintainability, user experience/satisfaction, etc. If all you want is

Re: how to modify the cache

2014-02-17 Thread Kevin Darcy
... - Kevin On 2/17/2014 5:44 PM, Doug Barton wrote: On 02/17/2014 11:37 AM, Kevin Darcy wrote: Ugh, that mixes apples (recursive resolution) and oranges (iterative resolution). Out of curiosity, what bad thing do you think will happen if you mix these two

Re: how to modify the cache

2014-02-17 Thread Kevin Darcy
/17/2014 5:56 PM, Kevin Darcy wrote: Bad performance, bad reliability, clandestine IP-over-DNS tunnels between networks that are supposed to be isolated... Is that enough? Understanding the pros and cons of iterative versus recursive resolution is one of the few things still separating us from

Re: how to modify the cache

2014-02-17 Thread Kevin Darcy
Indeed. Regular stub only overrides the parent's delegation NS records; static-stub overrides the apex NS records of the zone as well. My uses of the words stub (which I intended to cover both forms of stubbing) and published (which I intended to cover both the delegating and apex records)

  1   2   3   4   5   6   >