Re: DNS Negative Caching

2015-08-27 Thread Kevin Oberman
. -- Kevin Oberman, Network Engineer, Retired E-mail: rkober...@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list

Re: Automatic . NS queries from BIND

2015-06-15 Thread Kevin Oberman
admit to being unfamiliar with the algorithm used to make these periodic checks. -- Kevin Oberman, Network Engineer, Retired E-mail: rkober...@gmail.com

Re: Automatic . NS queries from BIND

2015-06-15 Thread Kevin Oberman
to see any documentation on the algorithm used to detect the closest root server as well as the log of someone else running a similar setup. -- Kevin Oberman, Network Engineer, Retired E-mail: rkober...@gmail.com On Monday, June 15, 2015 6:14 AM, Gaurav Kansal gaurav.kan...@nic.in wrote

Re: DNS anycast node monitor

2015-04-19 Thread Kevin Oberman
no longer have access to the trivial script since I retired. It's really harder than it looks to do right and I don't think my code was adequately rigorous, but was capable of responding to most issues. I'm sure more heuristics really needed to be added. -- Kevin Oberman, Network Engineer, Retired E

Re: compile and install from source

2015-03-30 Thread Kevin Oberman
. -- Kevin Oberman, Network Engineer, Retired E-mail: rkober...@gmail.com

Re: SRV records etc

2015-02-10 Thread Kevin Oberman
in testing, so we considered it useful and happily supported it. :-) SRV records are almost essential for some applications. I can't imagine not supporting them. HINFO is getting pretty rare. The security issues are pretty obvious and its advantages are rather limited. -- Kevin Oberman

Re: DNSSEC

2015-01-17 Thread Kevin Oberman
-January. That should mean about now. -- R. Kevin Oberman, Network Engineer, Retired E-mail: rkober...@gmail.com

Re: still have named memory leak

2014-12-13 Thread Kevin Oberman
. The standard tool for this on FreeBSD is fetch(1). E.g. fetch -o FILE URL In a script I usually also use '-q' to eliminate noise, but YMMV. I suspect most systems have wget and/or curl installed, but fetch is always present on FreeBSD. -- R. Kevin Oberman, Network Engineer, Retired E-mail: rkober

Re: Master to Slave initial zone transfer question

2014-04-16 Thread Kevin Oberman
add the new zone to the slave's configuration (usually named.conf)? I assume so, or it would never load. But named.conf is only read when named is started or a 'reload' command is sent to it (rndc reload). Until then, the slave has no way of knowing that the zone was added. -- R. Kevin Oberman

Re: How can I increase the TTL for the cached entries in my local dns serveder?

2014-03-28 Thread Kevin Oberman
is the ncache time. One day is very, very long. Times like 1 minute are more appropriate, but again, this is a maximum, so the large value may not be an issue. Sorry. -- R. Kevin Oberman, Network Engineer, Retired E-mail: rkober...@gmail.com

Re: Does anyone have DNSSEC problem with uscg.mil

2013-11-14 Thread Kevin Oberman
Don't forget that Google will white-list domains with known (by them) broken DNSSEC and reply even though validation is broken, so using 8.8.8.8 for checking on whether validation is broken is not the best idea. -- R. Kevin Oberman, Network Engineer E-mail: rkober...@gmail.com

Re: Dig gives ;; connection timed out; no servers could be reached

2013-10-03 Thread Kevin Oberman
. There is no information to provide any clue as to whether the PC or the server is at fault. I would suggest packet capture. On a Windows system, I suggest wireshark. The same for the server, if it is yours. If the server is Unix and you have access to do so, just simple tcpdump will work well. -- R. Kevin Oberman

Re: Dig gives ;; connection timed out; no servers could be reached

2013-10-02 Thread Kevin Oberman
communication? The list of possibilities just goes on and on. If you want help, you have to tell us something more than that it failed. -- R. Kevin Oberman, Network Engineer E-mail: rkober...@gmail.com

Re: Reverse Records on a leash?

2013-08-10 Thread Kevin Oberman
is delegated to your server. -- R. Kevin Oberman, Network Engineer E-mail: rkober...@gmail.com

Re: How to minimize the downtime in my case

2013-03-16 Thread Kevin Oberman
short... A few minutes. The TTL on most stable RRs should be hours or even days. You shorten the TTL when you plan some change in a permanent record. -- R. Kevin Oberman, Network Engineer E-mail: rkober...@gmail.com

Re: How to measure the impact of enabling DNSSEC?

2013-01-27 Thread Kevin Oberman
that will always be there. Except for a couple of major goofs early on by a few large orgs (e.g. NASA), the impact of validation is about zip. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com I heard a presentation from NIST on the .gov DNSSEC deployment last month...which was quite

Re: How to measure the impact of enabling DNSSEC?

2013-01-23 Thread Kevin Oberman
at the delta after enabling validation might be interesting, but in my experience you are unlikely to see any difference beyond the jitter that will always be there. Except for a couple of major goofs early on by a few large orgs (e.g. NASA), the impact of validation is about zip. -- R. Kevin Oberman

Re: restart named; missing TCP socket

2012-12-13 Thread Kevin Oberman
named restart' for newer versions of FreeBSD. If the service command is not available, you can use '/etc/rc.d/named restart'. It will properly stop named and then restart it. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: Update view without using 2 ip for each DNS Server

2012-12-04 Thread Kevin Oberman
easily maintained to use an ACL with the 'allow-recursion' option. Views provide a lot of benefits for more complex cases, but to just control recursion strikes me as overkill. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com
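The post above recommends an address match list on 'allow-recursion' rather than views. The following is an added example, not code from the post or from BIND, that models how named evaluates such a list (first matching element decides, a negated element denies, the 'any'/'none' keywords) and flags the classic ordering mistake where a negation is placed after a broader positive entry and can therefore never fire. The ACL contents, addresses and the name TRUSTED_RECURSION_ACL are constructed for the example.

```python
import ipaddress

# Constructed ACL in BIND address-match-list order. A leading "!" negates the
# element. As in named, the FIRST element that matches decides the outcome:
# a negated match denies, a positive match allows, and no match at all is a
# deny for allow-recursion.
TRUSTED_RECURSION_ACL = [
    "!192.0.2.66",        # one LAN host that must not be allowed to recurse
    "192.0.2.0/24",       # office LAN
    "2001:db8:1::/48",    # office IPv6 prefix
    "127.0.0.0/8",
    "::1/128",
]

# The open-resolver misconfiguration the post is arguing against.
OPEN_RESOLVER_ACL = ["any"]


def _parse(element):
    """Split an element into (negated, target); target is a keyword or a network."""
    negate = element.startswith("!")
    body = element[1:] if negate else element
    if body in ("any", "none"):
        return negate, body
    return negate, ipaddress.ip_network(body, strict=False)


def acl_match(acl, client):
    """True if the address-match list permits `client`, False otherwise."""
    addr = ipaddress.ip_address(client)
    for element in acl:
        negate, target = _parse(element)
        if target == "none":
            matched = False
        elif target == "any":
            matched = True
        else:
            matched = target.version == addr.version and addr in target
        if matched:
            return not negate      # first match wins
    return False                   # fell off the end: deny


def _covers(outer, inner):
    """Does positive element `outer` already match everything `inner` matches?"""
    if outer == "any":
        return True
    if isinstance(outer, str) or isinstance(inner, str):
        return False
    return outer.version == inner.version and inner.subnet_of(outer)


def shadowed_negations(acl):
    """Negated elements that an earlier positive element fully covers.
    Because evaluation stops at the first match, these negations are dead
    and the hosts they name are silently allowed."""
    positives, shadowed = [], []
    for element in acl:
        negate, target = _parse(element)
        if negate:
            if any(_covers(p, target) for p in positives):
                shadowed.append(element)
        elif target != "none":
            positives.append(target)
    return shadowed


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.66", "2001:db8:1::5", "198.51.100.7"):
        print(client, "recursion:", acl_match(TRUSTED_RECURSION_ACL, client))
    print("shadowed:", shadowed_negations(["192.0.2.0/24", "!192.0.2.66"]))
```

The shadow check is the part worth keeping around: swapping the first two entries of the list above looks harmless in a config diff, yet it turns the intended deny of 192.0.2.66 into an allow, which is exactly the kind of mistake that is easier to make across several views than in one ACL.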

Re: cache does truely in local and doesn't work in remote

2012-09-04 Thread Kevin Oberman
On Mon, Sep 3, 2012 at 5:24 PM, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote: On Mon, 2012-09-03 at 15:42 -0700, Kevin Oberman wrote: On Sun, Sep 2, 2012 at 10:12 AM, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote: Dear all, I installed bind in Debian/lenny, and i run

Re: cache does truely in local and doesn't work in remote

2012-09-03 Thread Kevin Oberman
that you are trying to, but it looked quite possible.) -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: How to validate SRV record?

2012-08-25 Thread Kevin Oberman
proprietary service is quite unlikely to register it or want to do so. After all, it would serve no purpose at all, even if the SRV records were used between enterprise facilities over the wider Internet. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: How to validate SRV record?

2012-08-23 Thread Kevin Oberman
things into RFCs that are simply not there. That said the example you provide is silly, but I believe it is valid. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: dig query

2012-08-13 Thread Kevin Oberman
this or let you move on to other options. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: Inline Signing does not update SOA?

2012-05-07 Thread Kevin Oberman
really can't edit a zone that is subject to any operation that makes use of journal files (dynamic updates, in-line signing) while the zone may be changing during the edit. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: Clarification on question and the answer section uppercase lower case mis match

2012-04-10 Thread Kevin Oberman
sensitive. That means that a query with differences in case will return a match with the appropriate data, just the same as when case matches, but will return the case of the authoritative record. See RFC1034 3.1 for a general description or RFC1035, section 2.3.3 for detail. -- R. Kevin Oberman

Re: Recursive queries fail after bind has been running for a few hours

2012-03-12 Thread Kevin Oberman
at it. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: A few conceptual question about dnssec.

2012-03-03 Thread Kevin Oberman
DNSSEC software that does not support SHA256 at this time, but I suspect someone, somewhere is running it. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: Adding DS record to parent

2012-02-24 Thread Kevin Oberman
'interesting'. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-23 Thread Kevin Oberman
details when DNSSEC is added. It simply can't be the set and forget DNS of the past, at least not until and unless tools become far more bullet-proof. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-23 Thread Kevin Oberman
that it is possible and I suspect that BIND 10 will move closer to that point. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: .IN Domain is DNSSEC enabled or not

2012-01-06 Thread Kevin Oberman
was not yet ready to accept DS keys in any standard way. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: Suspecious DNS queries dropped by Firewall

2011-12-14 Thread Kevin Oberman
. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: Using IPv6/IPv4 tunnels to send queries to a DNS server

2011-11-09 Thread Kevin Oberman
on the other side of the tunnel must talk IPv6. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: udp vs tcp query

2011-10-22 Thread Kevin Oberman
is a band-aid that will just keep breaking things. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: Setting Up Permissions

2011-10-20 Thread Kevin Oberman
should be able to read the named.conf file, but should not own it or have write access to it. named must have read access to all zone files as well as both read and write to the directory where they are located. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com
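The rules in the post above (named reads named.conf but neither owns nor writes it; named reads every zone file; named has read and write on the zone directory) are easy to check mechanically. The following is an added example, not code from the post or from the BIND distribution: a small audit of those rules driven by the classic mode bits, run against two constructed throwaway layouts. It models the named account as a uid other than the caller's, in the caller's group, so the group bits decide what named may do; root, POSIX ACLs, supplementary groups and chroot are out of scope. File names and modes are constructed for the example.

```python
import os
import stat
import tempfile


def access_for(path, uid, gid):
    """(readable, writable) for a process running as uid/gid, judged from the
    owner/group/other mode bits only (root, ACLs and supplementary groups are
    deliberately ignored in this model)."""
    st = os.stat(path)
    if uid == st.st_uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif gid == st.st_gid:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(st.st_mode & r), bool(st.st_mode & w)


def audit_named_layout(conf_path, zone_dir, named_uid, named_gid):
    """Return a list of findings; an empty list means the layout follows the
    post's rules for named.conf, the zone files and the zone directory."""
    findings = []
    if os.stat(conf_path).st_uid == named_uid:
        findings.append(f"{conf_path}: owned by the named user (should be owned by root)")
    readable, writable = access_for(conf_path, named_uid, named_gid)
    if not readable:
        findings.append(f"{conf_path}: named cannot read it")
    if writable:
        findings.append(f"{conf_path}: named can write it")
    dir_r, dir_w = access_for(zone_dir, named_uid, named_gid)
    if not (dir_r and dir_w):
        findings.append(f"{zone_dir}: named needs read and write on the zone directory")
    for name in sorted(os.listdir(zone_dir)):
        path = os.path.join(zone_dir, name)
        if os.path.isfile(path) and not access_for(path, named_uid, named_gid)[0]:
            findings.append(f"{path}: named cannot read this zone file")
    return findings


def build_demo_layout(root, safe):
    """Construct a named.conf plus one zone file under `root` with either the
    recommended modes or a deliberately sloppy set. Returns (conf, zone_dir)."""
    conf = os.path.join(root, "named.conf")
    zone_dir = os.path.join(root, "zones")
    os.mkdir(zone_dir)
    zone_file = os.path.join(zone_dir, "db.example")
    with open(conf, "w") as fh:
        fh.write('options { directory "%s"; };\n' % zone_dir)   # placeholder config
    with open(zone_file, "w") as fh:
        fh.write("; constructed placeholder zone file\n")
    if safe:
        os.chmod(conf, 0o640)       # group (named) may read; only the owner writes
        os.chmod(zone_dir, 0o770)   # named may create journals and transferred zones
        os.chmod(zone_file, 0o640)
    else:
        os.chmod(conf, 0o660)       # group-writable: a compromised named rewrites its own config
        os.chmod(zone_dir, 0o750)   # named cannot write journals or slave zone files
        os.chmod(zone_file, 0o640)
    return conf, zone_dir


def run_demo():
    """Audit both constructed layouts; returns {"safe": [...], "unsafe": [...]}."""
    results = {}
    for label, safe in (("safe", True), ("unsafe", False)):
        with tempfile.TemporaryDirectory() as root:
            conf, zone_dir = build_demo_layout(root, safe)
            named_uid = os.getuid() + 1            # some uid that is not ours
            named_gid = os.stat(conf).st_gid       # but in the group the files got
            results[label] = audit_named_layout(conf, zone_dir, named_uid, named_gid)
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings or "ok")
```

On a real host you would pass the uid and gid from pwd.getpwnam("named") (or "bind", depending on the distribution) and the paths from the running named.conf; the check logic is the same.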

Re: CNAME record for the root of the domain

2011-10-16 Thread Kevin Oberman
. Depending on exactly what you are trying to accomplish, you might get there by: 1. A DNAME in the parent. This aliases the entire domain, so this might or might not do what you want. 2. Use an A (and other records as needed) instead of a CNAME. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

Re: Delegation check failed

2011-09-21 Thread Kevin Oberman
On Wed, Sep 21, 2011 at 2:25 AM, Niall O'Reilly niall.orei...@ucd.ie wrote: On 21 Sep 2011, at 02:08, Kevin Oberman wrote: dig confirms that .com had the glue for water.com. As does dnscheck.iis.se. Indeed, none of the test history (5 tests, today and yesterday

Re: Delegation check failed

2011-09-20 Thread Kevin Oberman
checks and I think dnscheck is broken. I get the same error for several different domains that I am pretty confident are NOT broken and have confirmed the glue for all of them is correct. -- R. Kevin Oberman, Network Engineer - Retired E-mail: kob6...@gmail.com

Re: Delegation check failed

2011-09-20 Thread Kevin Oberman
that .com had the glue for water.com. R. Kevin Oberman, Network Engineer Retired kob6...@gmail.com LCR Computer Services, Inc.

Re: Query regarding NS record

2011-09-16 Thread Kevin Oberman
servers, all answering and all having identical data for queries from any particular source. Kevin Oberman Network Engineer -- Retired kob6...@gmail.com

Re: problem with spinsix.com?

2011-08-30 Thread Kevin Oberman
. dns.jomax.net. 2011080600 28800 7200 604800 86400 from server 216.69.185.42 in 75 ms. SOA ns63.domaincontrol.com. dns.jomax.net. 2011080600 28800 7200 604800 86400 from server 208.109.255.42 in 75 ms. -- R. Kevin Oberman, Network Engineer - Retired E-mail: kob6...@gmail.com

Re: I use ProBind and you ?

2011-08-30 Thread Kevin Oberman
On Tue, Aug 30, 2011 at 11:33 AM, mfla kona_i...@yahoo.fr wrote: Dears, I use ProBIND to administrate my BIND servers. I would like to know which other possibities be available for DNS central management ? At my former employer, we used Nixu Namesurfer. -- R. Kevin Oberman, Network Engineer

Re: Breaking up RFC 1918 reverse space

2011-07-23 Thread Kevin Oberman
. -- R. Kevin Oberman, Network Engineer - Retired E-mail: kob6...@gmail.com

Re: BIND and DNS protocol

2011-07-20 Thread Kevin Oberman
of BIND v4.3(?) were four grad students at UC. See BIND on Wikipedia (https://secure.wikimedia.org/wikipedia/en/wiki/BIND) for more details. -- R. Kevin Oberman, Network Engineer - Retired E-mail: kob6...@gmail.com

Re: Reverse lookup flood from a single host

2011-07-15 Thread Kevin Oberman
generate the volume of queries you are seeing. The query rate is really not that high. My first guess is some sort of logging tool, but there are a great many other possibilities. R. Kevin Oberman, Network Engineer Retired kob6...@gmail.com

Re: better performance with 32 bit ! why?

2011-06-28 Thread Kevin Oberman
it in 32-bit mode on the same hardware. This is mostly because of the added data that must be moved for 64-bit operations. It also means the 64-bit binaries are larger, often by a significant amount. I recommend sticking with 32-bit systems unless you have a specific need for 64-bit capacity. -- R. Kevin

Re: subdomain delegation question

2011-05-22 Thread Kevin Oberman
suggest changing it. (See the ARM Chapter 6 Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486

Re: start script for bind9

2011-04-14 Thread Kevin Oberman
. I know that if bind is installed via apt-get install (I am using debian linux version), there is automatically a bind9 startup script in /etc/init.d/ directory. It would help a bit if you gave us a hint as to what OS and OS version as well as the version of BIND. -- R. Kevin Oberman

Re: BIND 9.4.3-P2 assertion failure

2011-04-01 Thread Kevin Oberman
is now at 8.2 and includes 9.6-ESV-R4. 7.4 is also fully supported and has 9.4-ESV. Of course, as you mention, the ports are more current. It has several versions including 9.7.3 and 9.8.0. (Lots of people avoid .0 releases of anything.) -- R. Kevin Oberman, Network Engineer Energy Sciences Network

Re: TTLs and Timeout Question

2011-03-29 Thread Kevin Oberman
that it does not exist until the negative cache TTL expires. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4

Re: root zone initial key in bind.keys

2011-02-23 Thread Kevin Oberman
with a GOOD reason for it. Most people move their trust anchors out of the DLV when they are confident that the keys are properly located in the parent zone. In other words, I think that this should be considered a feature and not a bug. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet

Re: Please Help

2011-02-17 Thread Kevin Oberman
. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 -Original Message- From: bind

Re: cache server with authoritative answer

2011-01-30 Thread Kevin Oberman
On Sat, 2011-01-29 at 14:49 +0800, p...@mail.nsbeta.info wrote: The book Pro DNS and BIND says: If the caching server obtains its data directly from an authoritative DNS, then it too will respond as authoritative. Otherwise, if the data is supplied from its cache, the response is

Re: forwarding

2010-12-12 Thread Kevin Oberman
is failing on BIND 9. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

Re: Almost Ready for DNS-SEC but Slightly Confused in Home Stretch

2010-12-10 Thread Kevin Oberman
and be sure that it really works and gives you a chance to fix problems before the outside world can see them. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634

Re: Unusual TSIG problem

2010-12-08 Thread Kevin Oberman
From: Mark Andrews ma...@isc.org Date: Thu, 09 Dec 2010 09:07:53 +1100 In message 20101208214221.566771c...@ptavv.es.net, Kevin Oberman writes: I just ran into an odd issue with a TSIG signed zone transfer. On occasion I was logging a clocks are unsynchronized message doing

Re: Option notify no also disabled query log?

2010-12-06 Thread Kevin Oberman
syslog works great. So I'm wondering, is this an intended behavior, or is it a bug? This was not mentioned in arm9.7, so I'm asking here. -- R. Kevin

Re: Category for refused recursive queries

2010-12-03 Thread Kevin Oberman
Date: Fri, 03 Dec 2010 13:08:23 -0800 From: Kevin Oberman ober...@es.net Sender: bind-users-bounces+oberman=es@lists.isc.org I would really like to get the huge number of rejected recursive queries out of my logs, but I have failed, so far. I am referring to: Dec 3 13:04:58 nsx named

Re: DNSSEC - 1 RRSIG - expires while in cache

2010-11-27 Thread Kevin Oberman
for an expiring key will always expire first so that the new key will be fetched before the old one expires. I think the heading in the RFC is TTL Considerations, but I am working from memory. I don't use BIND to sign my data, so I am not sure how smart BIND is about these numbers. -- R. Kevin Oberman

Re: Split Delegation IP Reverse

2010-11-23 Thread Kevin Oberman
: +505 2277-4411 See RFC2317, Classless IN-ADDR.ARPA delegation. http://www.ietf.org/rfc/rfc1035.txt -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486

Re: Strange behaviour after nsupdate

2010-11-09 Thread Kevin Oberman
this is recommended. This was just discussed on the list. If you are doing dynamic updates, having 2 views using the same zone file will not work right. It looks to me like you have demonstrated this. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley

Re: bind9.7.1 Instance seems to not talk to systems on its own network.

2010-11-05 Thread Kevin Oberman
and 'sysctl net.inet6.ip6.fw.enable=0' for IPv6. I suspect other OSes may have similar capabilities. Can these complaining system ping the DNS server? It almost sounds like something has a bad subnet mask, but that is less likely if the host is in the same /24 as the server. -- R. Kevin Oberman

Re: Unknown option 'managed-keys' - why?

2010-10-31 Thread Kevin Oberman
managed-keys. 9.3 does not really support dnssec at all, if that is what you have. Useful DNSSEC showed up somewhere in 9.6 and really became usable in 9.7. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober

Re: Reverse Configuration

2010-10-16 Thread Kevin Oberman
that this is unfortunate, but there is too much software out there (including many standard libraries) that make the same silly assumption to think it can be changed. There is even an RFC saying approximately this. Sorry, but I don't recall which one. -- R. Kevin Oberman, Network Engineer Energy

Re: Unable to query the nameserver

2010-10-06 Thread Kevin Oberman
would go away since back in BIND-v4 days. I could save a lot of troubleshooting time if I didn't get trouble reports based on the use of nslookup that is misleading if not completely bogus. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National

Re: Unable to query the nameserver

2010-10-06 Thread Kevin Oberman
Date: Thu, 07 Oct 2010 01:53:29 +1100 From: Ben McGinnes b...@adversary.org On 7/10/10 1:47 AM, Kevin Oberman wrote: I keep hoping for a BIND distro that upgrades nslookup(1) to: print STDERR, nslookup(1) has been replaced by host(1)\n; exit 0; Wasn't nslookup already deprecated

Re: Unable to query the nameserver

2010-10-06 Thread Kevin Oberman
nslookup(1) output. I don't know that this would be easy, but it LOOKS like it would be easy. Yes, I am sure that some script somewhere depends on some wrong response from nslookup, but I can't see keeping nslookup(1) alive as is for that amazingly unlikely case. -- R. Kevin Oberman, Network

Re: OT: Propagation of my NS records?

2010-10-04 Thread Kevin Oberman
to hijack DNS. Once DNSSEC is in place, it will become feasible to do this, but I would seriously discourage anyone from holding his or her breath while waiting (for technical, economic and political reasons). -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence

Re: When does BIND send queries with DO flag enabled?

2010-09-29 Thread Kevin Oberman
in the RFCs. Again, get the @#$% firewall fixed! As time goes on, more and more queries will be blocked by it as DNSSEC moves to the mainstream. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net

Re: chrooting BIND [was -Re: Here I am again, hat in hand with humble demeanor.......]

2010-09-27 Thread Kevin Oberman
if you are on Solaris, or a Solaris based distro. While both are pretty simple to do on BSD, jail is far more secure, but I certainly find setting up jails more complex than chrooting. (Besides, the FreeBSD BIND is chrooted by default, so there is nothing to set up.) -- R. Kevin Oberman, Network

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-20 Thread Kevin Oberman
Section 9.4 for details. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

Re: zero SOA TTL - still best practice?

2010-08-26 Thread Kevin Oberman
to shoot oneself in the foot. This has little or no link to how often your data changes (unless you are very confident that new entries will never be made). Note! This is not an argument for a short SOA TTL, but for a short minimum TTL in the SOA. -- R. Kevin Oberman, Network Engineer Energy Sciences
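Several of the replies on this page circle the same resolver-cache behaviour: the post on "ncache time" (where the configured value is a maximum), the reply on TTLs and timeouts (a name is treated as non-existent until the negative cache TTL expires), the post on case (a lookup that differs only in case still matches, and the owner name comes back in the case the authoritative record has), and the post directly above (the SOA MINIMUM field, not the SOA's own TTL, is what governs negative caching). The following is an added example, not code from any of the posts or from BIND, that models those rules in a toy resolver cache: negative answers live for min(SOA TTL, SOA MINIMUM) per RFC 2308 section 5, capped by a max-ncache-ttl; positive answers are capped by a max-cache-ttl; lookups are case-insensitive but return the stored owner name unchanged. The default cap values (604800 and 10800 seconds) are BIND's documented defaults for max-cache-ttl and max-ncache-ttl as I understand them, and the names and timings in the scenario are constructed.

```python
DEFAULT_MAX_CACHE_TTL = 604800    # assumed BIND default max-cache-ttl (one week)
DEFAULT_MAX_NCACHE_TTL = 10800    # assumed BIND default max-ncache-ttl (three hours)


def negative_ttl(soa_ttl, soa_minimum, max_ncache_ttl=DEFAULT_MAX_NCACHE_TTL):
    """RFC 2308 section 5: a negative answer is cached for the smaller of the
    SOA record's TTL and its MINIMUM field; the resolver then caps that with
    its own max-ncache-ttl, which is why that option is a maximum."""
    return min(soa_ttl, soa_minimum, max_ncache_ttl)


class FakeClock:
    """Injectable clock so the cache can be exercised without sleeping."""
    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ResolverCache:
    def __init__(self, clock, max_cache_ttl=DEFAULT_MAX_CACHE_TTL,
                 max_ncache_ttl=DEFAULT_MAX_NCACHE_TTL):
        self.clock = clock
        self.max_cache_ttl = max_cache_ttl
        self.max_ncache_ttl = max_ncache_ttl
        # key: (lower-cased name, rtype) -> (expires_at, owner as received, rdata or None)
        self.entries = {}

    def store_positive(self, owner, rtype, rdata, ttl):
        ttl = min(ttl, self.max_cache_ttl)
        self.entries[(owner.lower(), rtype)] = (self.clock() + ttl, owner, rdata)

    def store_negative(self, qname, rtype, soa_ttl, soa_minimum):
        """Cache an NXDOMAIN/NODATA answer whose authority section carried
        the zone's SOA (TTL soa_ttl, MINIMUM field soa_minimum)."""
        ttl = negative_ttl(soa_ttl, soa_minimum, self.max_ncache_ttl)
        self.entries[(qname.lower(), rtype)] = (self.clock() + ttl, qname, None)

    def lookup(self, qname, rtype):
        """('hit', owner, rdata), ('negative', owner, None) or ('miss', None, None).
        Matching ignores case; the owner is returned in the case it was stored."""
        key = (qname.lower(), rtype)
        entry = self.entries.get(key)
        if entry is None or entry[0] <= self.clock():
            self.entries.pop(key, None)
            return ("miss", None, None)
        _, owner, rdata = entry
        return ("negative" if rdata is None else "hit", owner, rdata)


def scenario_new_host(soa_minimum, soa_ttl=86400):
    """The foot-shooting case from the post: a client asks for a name before
    the admin has added it, the admin adds it, and the client asks again ten
    minutes later. Returns what the cache says on the second query."""
    clock = FakeClock()
    cache = ResolverCache(clock)
    cache.store_negative("newhost.example.com", "A", soa_ttl, soa_minimum)
    clock.advance(600)   # record added meanwhile; does the resolver notice?
    status, _, _ = cache.lookup("NEWHOST.example.com", "A")
    return status


if __name__ == "__main__":
    print("MINIMUM=86400:", scenario_new_host(86400))   # still 'negative' after 10 min
    print("MINIMUM=300:  ", scenario_new_host(300))     # 'miss', so a fresh query is made
```

The scenario makes the post's distinction concrete: with a one-day MINIMUM the new name stays invisible to that resolver for the full max-ncache-ttl (three hours here, not one day, because the resolver's cap wins), while a MINIMUM of a few minutes lets the next query go back to the authoritative server, and neither outcome depends on the SOA record's own TTL once that is the larger of the two.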

Re: USADOTGOV.NET Root Problems?

2010-07-25 Thread Kevin Oberman
. And, yes, we still have stateless firewalls in front of our DNS servers and other public servers as well as an aggressive IDS/IPS system. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net

Re: Multiple masters expected behavior?

2010-07-25 Thread Kevin Oberman
and DNSSEC stuff has really not been hard. In the time it took me to send my reply, I could have updated BIND on all of our public servers and I don't have to upgrade all that often. I think running 9.3 is false economy. DNS is just too important. -- R. Kevin Oberman, Network Engineer Energy Sciences

Re: .org registrars allowing DS records

2010-06-06 Thread Kevin Oberman
that they will be accepting them immediately. Until then, dlv.isc.org is the best (only?) option. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint

Re: disable dnssec in bind resolver

2010-06-04 Thread R. Kevin Oberman
the firewall is fixed. Sent from my Treo: R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) E. O. Lawrence Berkeley National Laboratory (LBNL) ober...@es.net +1 510-486-8634 -Original Message- From: Paul Wouters p...@xelerance.com Date: Friday, Jun 4

Re: question on query process

2010-05-25 Thread Kevin Oberman
queries to the root. I'll leave why there are as an exercise for network researchers and those who write really stupid, often broken software, that uses DNS. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober

Re: Opinions about zone configuration

2010-05-25 Thread Kevin Oberman
IS a bad idea. Or, maybe I got it right. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

Re: Implementing the bogon list

2010-04-09 Thread Kevin Oberman
=text%2Fplain You can add the unassigned space to those fairly easily, but make sure that you update it as space is assigned. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net

Re: dnssec signing tools

2010-03-20 Thread Kevin Oberman
urge you to get copy of NIST SP800-81r1, an excellent overview and how-to on DNS security that goes well beyond DNSSEC. It is at: http://csrc.nist.gov/publications/drafts/800-81-rev1/nist_draft_sp800-81r1-round2.pdf. It is still in draft, but is close to being finalized. -- R. Kevin Oberman, Network

Re: T_ANY

2010-03-19 Thread Kevin Oberman
explain it. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-03-08 Thread Kevin Oberman
need to. More specifically, I don't WANT to encrypt the data for either DNS or NTP. In both cases I want the data to always be signed clear-text and that is what DNSSEC does. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory

Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO

2010-02-23 Thread Kevin Oberman
will match these recommendations. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

Re: A question with forwarder and listen-on

2010-02-19 Thread Kevin Oberman
space. The second is loopback. The configuration is intended for a local server answering authoritatively for internal, NATed addresses and forwarding all other queries to servers in public space. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley

Re: Bind9 overloaded, recursive clients and timeout.

2010-02-10 Thread Kevin Oberman
is the only good way to protect a server. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

Re: IPv6 TCP

2009-12-28 Thread Kevin Oberman
Date: Mon, 28 Dec 2009 18:02:29 -0800 (PST) From: Pamela Rock prock...@yahoo.com --- On Mon, 12/28/09, Mark Andrews ma...@isc.org wrote: From: Mark Andrews ma...@isc.org Subject: Re: IPv6 TCP To: Pamela Rock prock...@yahoo.com Cc: Kevin Oberman ober...@es.net, Chuck Anderson c

Re: ISC BIND 9.4.3-P4 is now available

2009-11-30 Thread Kevin Oberman
sign your data without enabling validation, it does nothing, as far as I can tell. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B