Re: Why DNSSEC errors for bund.de?
Chris Thompson writes: We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g. mx1.bind.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and 9.8.0-P1 configured with the root and dlv.isc.org trust anchors. However, I can't see what is actually wrong with it, using dig +cd as necessary. All the signatures appear to have valid start/stop times, and http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There are a lot of false trails (e.g. the DS records for it in de) but that shouldn't stop BIND finding the one that works (DLV in dlv.isc.org - KSK with tag 10923 - ZSK with tag 4814), should it? It may be significant that this problem was reported to us on the same day that obscured DNSKEY records were introduced into the de zone... Maybe this is a symptom of DUdeZ (deliberately unvalidatable DE zone)?

http://www.heise.de/newsticker/meldung/DENIC-startet-unbemerkt-mit-der-Verteilung-der-signierten-de-Zone-1247415.html
http://www.denic.de/domains/dnssec.html

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: RHEL5 BIND in PROD
fakessh @ writes: I recompile the source rpm fedora core 14 bind 9.7.3 to EL4 and EL5 with koji see my blog for explanations http://fakessh.eu/2011/03/10/bind-9-7-3-sur-centos-5-5-depuis-rpm-source-fecora-14/

Yep, that works fine, and even on RHEL3.

Re: Building 9.6.1-P2 for 32-bit Redhat RHEL 5.4
At present I do not have a 32-bit build environment I can try to natively build this on, and was hoping that somebody could suggest how I can get round this problem in the build environment I am using.

http://fedoraproject.org/wiki/Projects/Mock

Re: BIND 9.4-ESVb1 is now available.
Chris Thompson writes: On Nov 19 2009, Mark Andrews wrote: BIND 9.4-ESVb1 is now available. BIND 9.4-ESVb1 is an extended release version beta for BIND 9.4. What's with the strange new version number? How is this different from, say, a 9.4.4b1? (Lots of the changes seem to be those that got into 9.5.2.)

https://www.isc.org/softwaresupportpolicy

bind 9.5 on Solaris dies silently
Hi all,

I have made the observation that named sometimes dies silently when I look at the stats web page. Pretty much full logging is enabled, except query logging, but nothing at all is logged in this situation. How could I possibly debug this?

statistics-channels {
    inet * port 8080 allow { ACL; };
};

Solaris 9
Bind 9.5.2 compiled on Solaris 8 with
configure --prefix=/usr --with-openssl=/usr/local/ssl --enable-ipv6 --localstatedir=/var --sysconfdir=/var/named

Re: bind 9.5 on Solaris dies silently
Milan Jurik writes: [...] If it is silent death at specific time (look at the stats web page) then why not to truss the daemon? Btw. no core file on the system?

Thank you (and Andrew) for the suggestion. Unfortunately, the problem seems to be intermittent and I cannot reproduce it at will. I've been bombarding the stats server with wget for hours now, and named is still running. No core files. Will keep trying this for a few days.

update with no effect
I have started seeing these entries in named.log:

29-Mar-2009 05:02:35.467 general: warning: update with no effect
29-Mar-2009 05:02:35.468 general: warning: update with no effect
29-Mar-2009 05:02:35.469 general: warning: update with no effect
29-Mar-2009 05:02:35.470 general: warning: update with no effect
29-Mar-2009 05:02:35.471 general: warning: update with no effect
29-Mar-2009 05:02:35.472 general: warning: update with no effect
29-Mar-2009 05:02:35.478 general: warning: update with no effect
29-Mar-2009 05:02:35.479 general: warning: update with no effect
29-Mar-2009 05:02:35.480 general: warning: update with no effect
29-Mar-2009 05:02:35.481 general: warning: update with no effect
29-Mar-2009 05:02:35.482 general: warning: update with no effect
29-Mar-2009 05:02:35.483 general: warning: update with no effect
29-Mar-2009 05:02:35.484 general: warning: update with no effect

What is that about? This is bind 9.4.2-P2 on Solaris 8.

Exiting due to early fatal error
BIND 9.4.3-P1, Solaris 8

I'm trying to get a chroot setup to work following the instructions here http://www.boran.com/security/sp/bind9_20010430.html

# /usr/sbin/named -g -t /var/named/chroot
17-Feb-2009 12:05:56.789 starting BIND 9.4.3-P1 -g -t /var/named/chroot
17-Feb-2009 12:05:56.790 found 2 CPUs, using 2 worker threads
17-Feb-2009 12:05:56.793 ./main.c:506: unexpected error:
17-Feb-2009 12:05:56.793 isc_socketmgr_create() failed: file not found
17-Feb-2009 12:05:56.794 create_managers() failed: unexpected error
17-Feb-2009 12:05:56.794 exiting (due to early fatal error)
#

The log gives no indication which file is not found, and truss doesn't help either:

...
chroot(/var/named/chroot) = 0
chdir(/) = 0
brk(0x0025CEF8) = 0
brk(0x0025EEF8) = 0
pipe() = 6 [7]
fork1() = 10598
lwp_sigredirect(0, SIGWAITING, 0x) Err#22 EINVAL
lwp_cond_wait(0xFF275548, 0xFF275558, 0xFF26EDB0) = 0
lwp_mutex_wakeup(0xFF275558)= 0
lwp_mutex_lock(0xFF275558) = 0
lwp_mutex_wakeup(0xFF275558)= 0
lwp_mutex_lock(0xFF275558) = 0
close(7)= 0
read(6, 0xFFBEFC0F, 1) = 0
_exit(1)

This bind was compiled for threads, and /dev/poll is not in the jail.

Re: in-addr.arpa delegation failure
Stephane Bortzmeyer writes: [...] IMHO, you need to go back to the drawing board and, before writing named.conf and zone files, deciding on a general architecture. Who will be the master for 30.172.in-addr.arpa? Who will be authoritative for 30.172.in-addr.arpa? Who will be the master for 10.30.172.in-addr.arpa? Who will be authoritative for 10.30.172.in-addr.arpa?

I've solved it, I think. The top level ns is authority and master for 30.172.in-addr.arpa, and the subnets are delegated to the subdomain name servers. Nice application of $GENERATE :) I prefer not to set up the top level ns as a slave.

in-addr.arpa delegation failure
I've been beating my head against the wall with this issue, and I'm out of ideas: I can't get reverse lookups for a particular, delegated RFC1918 net to work.

Setup: Internal root dns.domain.com running bind 9.4.2-P2. This host is set up as a master for 172.30/16. It delegates 172.30 to a subdomain (A record for ns1.sub.domain.com is present elsewhere).

db.172.30:

@ IN SOA dns.domain.com. root. 2009012001 10800 3600 604800 300
  IN NS ns1.sub.domain.com.

Working query (status: NOERROR) returns as expected:

$ dig @dns.comain.com 30.172.in-addr.arpa. soa
; <<>> DiG 9.3.4-P1 <<>> @dns.comain.com 30.172.in-addr.arpa. soa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41833
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;30.172.in-addr.arpa. IN SOA
;; ANSWER SECTION:
30.172.in-addr.arpa. 86400 IN SOA dns.comain.com. root. 2009012001 10800 3600 604800 300
;; AUTHORITY SECTION:
30.172.in-addr.arpa. 86400 IN NS ns1.sub.domain.com.
;; ADDITIONAL SECTION:
ns1.sub.domain.com. 1818 IN A 172.30.112.4
...
$

Now, the setup of ns1.sub.domain.com: bind 9.4.2-P2. This host is set up as a master for 172.30/16 and 172.30.10/24. It delegates 172.30.10 to itself.

db.172.30:

@ IN SOA ns1.sub.domain.com. root. 2009011900 10800 3600 604800 300
10.30.172.in-addr.arpa. IN NS ns1.sub.domain.com.

A lookup for 10.30.172.in-addr.arpa. fails everywhere except on ns1.sub.domain (status: NXDOMAIN):

$ dig @dns.comain.com. 10.30.172.in-addr.arpa. soa
; <<>> DiG 9.3.4-P1 <<>> @dns.comain.com. 10.30.172.in-addr.arpa. soa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;10.30.172.in-addr.arpa. IN SOA
;; AUTHORITY SECTION:
30.172.in-addr.arpa. 0 IN SOA dns.domain.com. root. 2009012001 10800 3600 604800 300
...
$

Why is the delegation chain not working?

Is it a conflict for having both the top level dns.domain.com. and ns1.sub.domain.com. as master for 172.30?

Would it be better to use stubs to delegate 172.30 down from the top level? I have a feeling they wouldn't solve this particular problem, though.

Do I need to delegate all 255 /24 subnets explicitly at the top level server? That would kind of defeat the purpose of having delegation in the first place.

I think I'm missing something fundamental here ...

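Added example, not part of the original posts and not code from BIND: a simplified Python model of how an authoritative server answers for 30.172.in-addr.arpa, showing why an NS record at the zone apex alone yields the NXDOMAIN seen above, while per-/24 NS records (here expanded from an assumed $GENERATE line, which the thread mentions but does not show) produce a referral. The function names and the record tuples are constructed for illustration.

```python
# Simplified model of an authoritative server's answer for one zone.
# Zone contents are constructed from the names used in the thread.

def generate(rng, lhs, rtype, rdata, origin):
    """Expand a BIND '$GENERATE start-stop lhs type rdata' line ('$' = counter)."""
    start, stop = (int(n) for n in rng.split("-"))
    return [(f"{lhs.replace('$', str(i))}.{origin}", rtype, rdata)
            for i in range(start, stop + 1)]

def answer(apex, records, qname):
    """Return (status, data) for qname; status is ANSWER, REFERRAL or NXDOMAIN."""
    apex_l = apex.rstrip(".").split(".")
    q_l = qname.rstrip(".").lower().split(".")
    if q_l[-len(apex_l):] != apex_l:
        raise ValueError("qname is outside this zone")
    below = q_l[:-len(apex_l)]            # labels beneath the apex
    # Walk down from the apex: an NS set at any name below the apex is a
    # zone cut, so the server refers instead of answering from its own data.
    for depth in range(1, len(below) + 1):
        name = ".".join(below[-depth:] + apex_l) + "."
        ns = [rd for owner, rt, rd in records if owner == name and rt == "NS"]
        if ns:
            return "REFERRAL", ns
    name = ".".join(q_l) + "."
    # The name exists if it owns records or is an ancestor of one that does.
    if any(o == name or o.endswith("." + name) for o, _, _ in records):
        return "ANSWER", [rd for o, _, rd in records if o == name]
    return "NXDOMAIN", [apex]             # authoritative denial, SOA of apex

PARENT = "30.172.in-addr.arpa."
# Parent zone as posted: the only NS record sits at the apex.
AS_POSTED = [(PARENT, "SOA", "dns.domain.com."),
             (PARENT, "NS", "ns1.sub.domain.com.")]
# Assumed fix: '$GENERATE 0-255 $ NS ns1.sub.domain.com.' in the parent zone.
DELEGATED = AS_POSTED + generate("0-255", "$", "NS", "ns1.sub.domain.com.", PARENT)

if __name__ == "__main__":
    for zone in (AS_POSTED, DELEGATED):
        print(answer(PARENT, zone, "10.30.172.in-addr.arpa."))
```
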
Re: ISC launches new website and mailing list manager
The mailing list conversion requires a little explanation: * The new one-stop page for all the lists under isc.org is https://lists.isc.org/mailman/listinfo

Now, can it be configured to strip or reject html rubbish?