Re: Nice new logging feature

2021-12-18 Thread Michael Sinatra
On 12/16/21 06:42, Borja Marcos wrote: On 16 Dec 2021, at 14:55, Reindl Harald wrote: On 16.12.21 at 14:49, Borja Marcos wrote: bind-9.16.23-1.fc34.x86_64 16-Dec-2021 13:08:10.598 lame-servers: connection refused resolving 'ns2.serverion.eu/A/IN': 94.228.210.122#53 16-Dec-2021

Re: BIND 'max-cache-size' Value on FreeBSD-13.0

2021-09-02 Thread Michael Sinatra
On 9/2/21 2:59 PM, Mark Tinka wrote: On 9/2/21 23:51, Michael Sinatra wrote: I have noticed this also and have opened a (similar but different) issue, but it's a bit weird how it manifests itself. On your freebsd installation, make sure that all of your interfaces are configured

Re: BIND 'max-cache-size' Value on FreeBSD-13.0

2021-09-02 Thread Michael Sinatra
On 9/2/21 2:35 PM, Mark Tinka wrote: Not sure if this issue offers some clue: https://gitlab.isc.org/isc-projects/bind9/-/issues/2575 I see its maintainer just closed it 11hrs ago... I have noticed this also and have opened a (similar but different) issue, but it's a bit weird how it

Does BIND support "conservative" (RFC 6781, sec 4.1.4) algorithm rollovers?

2021-08-30 Thread Michael Sinatra
Hi, I have, in the past, used the "conservative" approach to performing algorithm rollovers for various domains. For many domains, this is probably overkill, but I'd prefer to have the option of doing it, especially for those mission-critical domains where you really don't want to rely

Re: BIND-9.16.1 memory leak?

2020-04-20 Thread Michael Sinatra
On 2020-04-17 06:45, sth...@nethelp.no wrote: > We have what appears to be a significant memory leak in BIND-9.16.1. > > Environment: > FreeBSD 12.1-STABLE. > BIND-9.16.1 installed from packages. > Also uses libuv-1.35.0 installed from packages. > Authoritative only. > Around 800 zones of

redundant bump-in-the-wire signers using BIND

2018-06-25 Thread Michael Sinatra
To close the loop a bit on this... On 05/22/18 03:22, Tony Finch wrote: > Michael Sinatra wrote: >> >> My only concern is that serial numbers might get out of sync between the >> two signers at some point. > > You can avoid this problem with `serial-update-method

redundant bump-in-the-wire signers using BIND

2018-05-21 Thread Michael Sinatra
Hi all: First, let me explain the trade-off I am trying to manage (as succinctly as possible): My current setup has a DNS/IPAM system that backs up to a redundant one in a different location, a bump-in-the-wire hardware signing appliance (different from the IPAM), and a bunch of authoritative

Re: Unable to slave root zones

2017-04-07 Thread Michael Sinatra
On 04/07/17 09:21, Tony Finch wrote: Mark Knight wrote: I've just noticed (after the slave zones expired), that the root name servers have been refusing my zone transfer requests since the end of March. This is because Cloudflare are now helping isc.org to host

Re: MAcOS X 10.9 upgrade removes BIND

2013-10-25 Thread Michael Sinatra
On 10/25/13 1:33 PM, Carsten Strotmann wrote: Hello Eduardo, thanks for confirming that MacOS X removed BIND. Our new BIND installers for MacOS X 10.9 are now available at http://support.menandmice.com/download/bind/macosx/10.9-Mavericks/ I've built BIND 9.9.4 (with and without RRL)

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Michael Sinatra
It appears to me that the NSEC3 record that is denying the existence of the DS record for ic.fbi.gov does not have a corresponding RRSIG. That's based on a fairly cursory glance. This seems to be the case for all of the NSEC3 records in fbi.gov. Something's messed up in fbi.gov. michael PS:

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Michael Sinatra
On 7/17/13 2:38 PM, Mark Andrews wrote: In message 1673423961.50595218.1374096753729.javamail.r...@k-state.edu, Lawrence K. Chen, P.Eng. writes: - Original Message - On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote: On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van

Re: ISC Bind in Active Directory

2012-10-18 Thread Michael Sinatra
On 10/18/12 11:03 AM, Aaron Thompson wrote: Hi All, I'm hoping to get some feedback from people who use ISC Bind and DHCPD in Active Directory environments. Currently we use Bind/DHCPD for dynamic DNS and DHCP. It's been a pretty stable service, redundant and we are polling statistics

Re: Moving from type forward to type static-stub

2012-09-21 Thread Michael Sinatra
On 9/20/12 5:49 PM, Oscar Ricardo Silva wrote: If I'm correct, it will send non-recursive queries to the listed servers and will honor delegations. I've tested this configuration in our lab and it all appears to be working. Yup, static stub will do exactly that. With our configuration, are

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Michael Sinatra
On 07/08/12 09:54, Matthew Pounsett wrote: 08-Jul-2012 16:45:00.352 initializing DST: openssl failure 08-Jul-2012 16:45:00.352 exiting (due to fatal error) In particular the logs above suggest that named is unable to find the necessary openssl libraries. In the case where openssl 1.x.x is

Re: VMware Bind

2012-06-05 Thread Michael Sinatra
On Tue, 5 Jun 2012, Manson, John wrote: Will bind run on VMware? Yes. I have a few machines running BIND 9.9.x on FreeBSD as a guest os on vmware. michael

Re: zone transfer with DIG: SOA duplicate

2012-03-19 Thread Michael Sinatra
On 03/19/12 10:33, hugo hugoo wrote: Dear all, I have this strange behaviour when I do a zone transfer with the following command: dig @name_server zone_name AXFR == I received 2 SOA records (duplicates). One SOA record is at the end of the received information. Is this normal? Yes.

Re: Name Resolution issue with one domain

2012-03-19 Thread Michael Sinatra
On 03/19/12 13:28, babu dheen wrote: Dear Support, I am trying to resolve www.dubaiairport.com http://www.dubaiairport.com from my GW BIND server as below. But not getting any output $ dig A www.dubaiairport.com http://www.dubaiairport.com ; DiG 9.3.4-P1 A www.dubaiairport.com

Re: Problem with ed.gov

2012-01-19 Thread Michael Sinatra
Please be aware that RFC 2671, which specifies EDNS0, allows for buffer sizes to reach 64k, not just 4k. Most implementations default to 4k, but the buffer size can easily be set higher. Moreover, the EDNS0 buffer size merely specifies the size where the UDP response becomes truncated and

Re: DNSSEC not populating parent zone files with DS records

2011-10-01 Thread Michael Sinatra
On 10/01/11 04:54, Bill Owens wrote: On Fri, Sep 30, 2011 at 10:26:34PM +, Raymond Drew Walker wrote: In our initial implementation of DNSSEC, we chose to try out the auto functionalities in version 9.8.0 P4 ie. using auto-dnssec maintain in all master zones. When going live, we found that

Re: BIND DNSSEC-Validation issue sceggs.nsw.edu.au

2011-09-13 Thread Michael Sinatra
On 09/12/11 22:12, Neil wrote: Hi BIND Users I am currently trialing Bind v9.8.1 and have come across an issue with 1 particular domain. For some reason when I query the below domain on bind resolver-cache nothing gets returned.? dig @server sceggs.nsw.edu.au ns The debug logs show 13-Sep-2011

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Michael Sinatra
Users are experiencing this problem now in the field, and more users will be experiencing it as BIND is upgraded in more and more places. Every single user relying on a Fedora 15 DNS server, for example, is going to see occasional unnecessary DNS timeouts when trying to resolve host

Re: nameserver registration

2011-06-19 Thread Michael Sinatra
On 06/18/11 19:22, Casey Deccio wrote: In particular, if the name of the name server is itself in the subzone, we could be faced with the situation where the NS RRs tell us that in order to learn a name server's address, we should contact the server using the address we wish to learn. To fix

Re: nameserver registration

2011-06-18 Thread Michael Sinatra
On 06/18/11 10:26, David Miller wrote: All domains, at every level, have to configure their records such that the tree can be walked from root to their domain. Follow the .s. For: this.long.chain.example.com. com. must be delegated by . example.com. must be delegated by com.

Re: nameserver registration

2011-06-18 Thread Michael Sinatra
On 06/18/11 15:23, Chris Thompson wrote: On Jun 18 2011, Michael Sinatra wrote: In theory, you can insert glue records anywhere above the zone in question. See RFC 2181, section 5.4.1. As an example, glue for the servers adns1.berkeley.edu and adns2.berkeley.edu exist in the root zone

Re: question about thehartford.com domain

2011-06-15 Thread Michael Sinatra
On Wed, 15 Jun 2011, M. Meadows wrote: Question : our check of whois indicates that ns1.thehartford.com and ns2.thehartford.com are the authoritative nameservers for thehartford.com. A dig with a +trace for eftc.thehartford.com seems to indicate that they are indeed the auth nameservers.

Re: querylog format

2011-06-06 Thread Michael Sinatra
On 6/6/11 8:09 PM, Jeff Peng wrote: Hello, The querylog of BIND in my hosts is like: client 58.240.56.18#16768: query: s18.mhxx.game.yy.com IN A -EDC For the last part, I know the '-' means non-recursion, 'E' means EDNS. But what are the 'D' and 'C' flags? D = DO (DNSSEC Okay), client is

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-28 Thread Michael Sinatra
This will be in BIND 9.8.1 final. BIND 9.8.1b1 is already cut and will need this to be applied. I just noticed that the patch for query.c has been added as an extra patch to the FreeBSD port for 9.8.0-P2, so if you build the bind98 port from the latest FreeBSD ports collection, you'll get

Re: BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

2011-05-27 Thread Michael Sinatra
On Fri, 27 May 2011, Frank Kloeker wrote: Hello, I would want to say thank you very much for the wonderful work of the ISC team and the quick solution of the problem and a very professional appearance. I have come to expect such performance from everyone at ISC, but yesterday they exceeded

Re: Bug in bind 9.7.3?

2011-05-26 Thread Michael Sinatra
On Thu, 26 May 2011, Frank Kloeker wrote: Hi, I am using bind 9.7.3 as resolver in a slightly larger server farm with some mail servers that use domain key validation. If I try # host -t TXT _adsp._domainkey.federalreserve.gov bind dies with May 26 19:59:02 resolv04 named[8237]:

Re: question about multiple queries in a single dns packet

2010-12-29 Thread Michael Sinatra
On 12/29/10 14:06, Alan Clegg wrote: On 12/29/2010 2:17 PM, Federico Barbieri wrote: Not sure if this is the right place to ask but I've been trying to dig around and found nothing... reading the dns specification it would seem possible to send multiple requests in a single packet. I'm not

Re: about nsupdate

2010-12-20 Thread Michael Sinatra
On 12/19/10 23:47, Jorg W Young wrote: Hello, We primarily update the DNS records by nsupdate from a web interface. Under this case, if I modified the zone file directly by hand, will nsupdate overwrite the modification? If you attempt to update a dynamic zone by hand, without first freezing

Re: DNS Redundancy

2010-10-21 Thread Michael Sinatra
On 10/21/10 08:26, Gordon A. Lang wrote: It is actually counter-productive to have two resolvers configured with this architecture, but to circumvent human nature, we publish two. There is absolutely no functional difference between the two, and there is no redundancy value for the second one

Re: repository for zone files

2010-09-23 Thread Michael Sinatra
On 09/23/10 12:53, Stewart Dean wrote: On AIX, I'm used to /etc/dns. CentOS seems to place in /var/named. Is there any blessed, bestofallpossibleworlds place for the zone files. I'm moving our DNS from AIX to CentOS/Fedora. I'm inclined to create the /etc/dns dir but maybe it'd be better

Re: USADOTGOV.NET Root Problems?

2010-07-24 Thread Michael Sinatra
On Sat, 24 Jul 2010, Warren Kumari wrote: On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote: On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote: Thanks for the confirmation that the problem was related to DNSSEC. I didn't see your message until I got home from work; however, I did find the

Re: USADOTGOV.NET Root Problems?

2010-07-23 Thread Michael Sinatra
On 07/23/10 05:37, Danny Mayer wrote: On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote: Thanks for the confirmation that the problem was related to DNSSEC. I didn't see your message until I got home from work; however, I did find the root of the problem late this afternoon. At each of

Re: Automated DNSSEC (command line)

2010-05-28 Thread Michael Sinatra
On 05/28/10 14:18, Michelle Konzack wrote: Hello DNSSEC Experts, I am ongoing to install 4 new Name Servers and increase my registrar and hosting service... OK, I have tried to make my own 4 domains with 16 zones signed and it took me one hour of my life! Since I have to re-sign the zones

Re: Resolving .gov w/dnssec

2010-04-23 Thread Michael Sinatra
On 04/22/10 18:48, Timothe Litt wrote: I get a connection timed out; no servers could be reached after the Truncated, retrying in TCP mode even with +bufsiz=512 I get a correct response when I use +bufsiz=512. After Truncated, retrying in TCP mode I get a response, but apparently you don't.

Re: Resolving .gov w/dnssec

2010-04-22 Thread Michael Sinatra
On 4/22/10 8:55 AM, Timothe Litt wrote: So, others are also seeing this, and it's not unique to bind or my corner of the internet. Thanks. It seems to have been going on for weeks, so it isn't going to fix itself. Who do I report this to so that it gets resolved? I have had good luck

Re: Understanding 'format error Messages

2010-04-15 Thread Michael Sinatra
b19...@anl.gov wrote: I am trying to understand format error messages like this one from BIND 9.7.0-P1: Apr 15 15:36:02 dnsserver.it.anl.gov named[8662]: [ID 873579 daemon.notice] DNS format error from 209.234.234.42#53 resolving markets.nytimes.wallst.com/ for

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-03-08 Thread Michael Sinatra
On 3/7/10 10:46 AM, Danny Mayer wrote: Autokey is not a cryptographic signature protocol. It *is* an authentication protocol for the server only and there are a number of exchanges that need to be done to complete the authentication of the server. You cannot compare this with DNSSEC and nothing

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Michael Sinatra
On 02/24/10 01:25, Jonathan de Boyne Pollard wrote: DNScurve advocates, on the other hand, point out that DNS isn't encrypted. Well, neither is the phone book. So what? So the protocol is vulnerable to both local and remote forgery attacks, just like other unencrypted protocols

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Michael Sinatra
On 02/23/10 18:31, Joe Baptista wrote: Now that OpenDNS the largest provider of public DNS supports DNSCurve http://twitter.com/joebaptista/status/9555178362 Would it be possible to include DNScurve support in bind? thanks joe baptista I'd love to see BIND adopt DNScurve...when it becomes

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Michael Sinatra
On 02/23/10 19:54, Joe Baptista wrote: It would be nice to see it as an RFC. I agree with that. But from what I know it will be a pretty cold day in hell before it becomes an RFC. I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is full of wackos. So it is unlikely he will

Re: DNSSEC DSSET KEYSET

2010-01-28 Thread Michael Sinatra
On 01/28/10 07:57, prock...@yahoo.com wrote: That was very helpful. Thanks. One last query. For signed domains registered with and using ISC.ORG trust anchor, is there a sanity check similar to what you displayed below? If you mean ISC DLV registry, that service continually does sanity

Re: Added new master zone, copy .hosts does not replicate properly

2010-01-21 Thread Michael Sinatra
On 1/21/10 3:40 PM, Ryan S wrote: So my setup has been working great modifying existing zones adding and removing records. But when I add a new zone, it apparently does not work. So I think I am missing an important file that lists all the zones BIND uses? What BIND file am I needing to