Re: dig +trace question

2019-06-20 Thread Nico Cartron
Are you sure it's not your setup?
I have plenty of dig running on FreeBSD (with bind-utils 9.14) and also Debian 
and they work just fine. 

-- 
Nico

> On 21 Jun 2019, at 09:14, Ronald F. Guilmette  wrote:
> 
> In message <9ba154cc-2272-46ec-a793-47ff31dca...@arin.net>, you wrote:
> 
>> Hi Ronald,
>> You usually need to reinstall packages and ports after you do a major
>> version upgrade to FreeBSD.
> 
> I guess that I did not make myself clear.  Everything on this system is
> freshly installed, from scratch.
> 
> I have the FreeBSD package "bind-tools-9.12.4P1" installed the latest,
> undoubtedly compiled against FreeBSD 12.0.
> 
> Anyway, it really does appear now that this problem *is* a regression in
> dig, and that it's not just me.
> 
> I tried my dig with both +trace -and -x also on *two* different Ubuntu
> systems I have here.
> 
> On Ubuntu 16.04 LTS it works as expected.
> 
> On Ubuntu 18.04 LTS it fails as I have reported.
> 
> It looks to me like somebody broke dig.
> 
> Where do I file the formal bug report?
> 
> 
> Regards,
> rfg
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



Re: DNS load balancing: UDP or TCP ?

2019-02-19 Thread Nico CARTRON
On 19-Feb-2019 20:00 CET,  wrote:

> Agree with Tony on TCP not going to be tried. Have you looked at using
> anycast? It is not true load balancing but it allows you to stand up
> multiple DNS servers that “shares” a single IP address.

or just use a software load-balancer which has been designed to deal
specifically with DNS, i.e. dnsdist - as mentioned by Tony already :)

-- 
Nico

> On Wed, Feb 20, 2019 at 12:25 AM Tony Finch  wrote:
> 
> > Roberto Carna  wrote:
> >
> > > Dear, I have to balance two DNS servers for a special reason.
> >
> > https://www.powerdns.com/dnsdist.html
> >
> > > The DNS clients are a mix of Windows, Cisco and Linux machines, so I
> > > think they ask for a FQDN using UDP and after that -if there is no
> > > response-, they ask the same FQDN using TCP, and so the load balancing
> > > will be successful.
> >
> > No, fallback to TCP relies on receiving a truncated UDP response. You
> > never want a DNS client to be waiting around for a response that will
> > not arrive.
> >
> > Tony.
> > --
> > f.anthony.n.finch    http://dotat.at/
> > Rockall, Malin: Southeast veering southwest 6 to gale 8, occasionally 5
> > later.
> > Rough or very rough. Rain. Moderate or poor.
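The fallback rule Tony Finch states in this thread (TCP is tried only after a truncated UDP response, never after silence), as an added example that is not part of the original messages. The stub servers and the name `www.example.com` are constructed; real transports would be sockets, with a two-byte length prefix on TCP.

```python
import struct

QR = 0x8000  # response bit in the DNS header flags word
TC = 0x0200  # truncation bit: the answer did not fit, retry over TCP


def build_query(name, qtype=1, txid=0x1A2B):
    """Encode a one-question DNS query (class IN, RD set)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)


def lookup(name, udp_exchange, tcp_exchange, udp_attempts=2):
    """Resolve over UDP; switch to TCP only when a UDP reply carries TC=1.

    Each *_exchange callable takes query bytes and returns reply bytes, or
    raises TimeoutError. Returns (transport, reply).
    """
    query = build_query(name)
    for _ in range(udp_attempts):
        try:
            reply = udp_exchange(query)
        except TimeoutError:
            continue                  # silence: retry over UDP, never TCP
        if len(reply) < 12:
            continue                  # too short to hold a DNS header
        txid, flags = struct.unpack("!2H", reply[:4])
        if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
            continue                  # not a response to this query
        if flags & TC:
            return "tcp", tcp_exchange(query)
        return "udp", reply
    raise TimeoutError(f"no UDP response for {name}")


# --- constructed stub servers, standing in for real sockets ---
def make_reply(query, flags, answers):
    """Echo the query's ID and question under a new header.

    Answer records are omitted: only the header matters to lookup().
    """
    return query[:2] + struct.pack("!5H", flags, 1, answers, 0, 0) + query[12:]


def demo():
    """Run three scenarios and report which transport answered each."""
    tcp_calls = []

    def tcp(query):
        tcp_calls.append(query)
        return make_reply(query, 0x8180, 1)      # QR|RD|RA, full answer

    def udp_truncated(query):
        return make_reply(query, 0x8380, 0)      # QR|TC|RD|RA, answer dropped

    def udp_ok(query):
        return make_reply(query, 0x8180, 1)

    def udp_silent(query):
        raise TimeoutError                       # e.g. the balanced server is down

    results = {
        "truncated": lookup("www.example.com", udp_truncated, tcp)[0],
        "normal": lookup("www.example.com", udp_ok, tcp)[0],
    }
    try:
        lookup("www.example.com", udp_silent, tcp)
        results["silent"] = "answered"
    except TimeoutError:
        results["silent"] = "timeout"
    results["tcp_calls"] = len(tcp_calls)        # only the truncated case used TCP
    return results


if __name__ == "__main__":
    print(demo())
```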


Re: Unbound 1.9 release date

2019-01-23 Thread Nico CARTRON
Hi Ramesh,

On 23-Jan-2019 07:03 CET,  wrote:

> Greetings,
> Does anyone know the Unbound 1.9 release date?
> 
> Regards,
> Ramesh

Did you ask on the Unbound-users mailing list?
https://nlnetlabs.nl/mailman/listinfo/unbound-users

That would be more appropriate than a BIND mailing list, I believe.

Cheers,

-- 
Nico


Re: RPZ zone update how to sync

2018-05-18 Thread Nico CARTRON
> 
> On 18 May 2018, at 16:16, Blason R  wrote:
> 
> why? is there any logic in this? 
> 
> yeah management does not want to allow direct syncing with master as they 
> don't want to expose any info to them.

Interesting statement - especially since the slave servers will serve the exact 
same data as the master! =)


> On Fri, May 18, 2018 at 7:32 PM, Matus UHLAR - fantomas wrote:
> On 18.05.18 19:29, Blason R wrote:
> I have this other query on RPZ; I have one master server [let's say
> masterns.test.com] on cloud. One slave [slavens.test.com] in my
> organization and our partner would also want to sync with slave but not
> with master server.
> 
> why? is there any logic in this?
> 
> How can one slave sync with another slave? Can someone please enlighten
> me?
> 
> masterns.test.com <=> slavens.test.com <> partnerns.partner.com
> 
> it's possible without problems - just allow xfers from partner on your slave.
> you can also configure your slave to notify your partner.
> 
> However I would recommend your partner trying master - this way they can
> fetch the zone even if your slave fails.
> 
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk  ; 
> http://www.fantomas.sk/ 
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Linux is like a teepee: no Windows, no Gates and an apache inside...


Re: DNS primary and secondary receiving queries at the same time

2018-05-17 Thread Nico CARTRON
Hi Roberto,

> On 17 May 2018, at 16:25, Roberto Carna  wrote:
> 
> Dear Tony, so you say that it's impossible what I want...
> 
> In this scenario that my two DNS servers respond queries at the same
> time, suppose the primary server goes down... how do clients know that
> they have to query the secondary DNS server at this moment?
> 
> Thanks again.

since your servers are Authoritative, clients won’t query them directly, but 
it’s rather Recursive DNS servers who will do so.
If one of your DNS servers is unreachable, Recursive servers will try the next 
one(s).

Cheers,
Nico


> 
> 2018-05-17 11:19 GMT-03:00 Tony Finch :
>> Roberto Carna  wrote:
>>> 
>>> I always believed that all the client queries coming from Internet go
>>> to the DNS primary server, and if it is down, just in this case go to
>>> the DNS secondary server.
>> 
>> It can't happen that way because there's no way for a resolver to tell
>> which is which.
>> 
>> Tony.
>> --
>> f.anthony.n.finch    http://dotat.at/
>> Hebrides: Southeast 4, veering south 5 or 6, then veering west later. 
>> Moderate
>> or rough. Rain later. Good, occasionally moderate.


Re: DNS primary and secondary receiving queries at the same time

2018-05-17 Thread Nico CARTRON
Hi Roberto,

> On 17 May 2018, at 16:06, Roberto Carna  wrote:
> 
> Hi people, I've implemented two BIND9 servers for my company, one as
> primary public DNS server and the other as secondary public DNS
> server.
> 
> I always believed that all the client queries coming from Internet go
> to the DNS primary server, and if it is down, just in this case go to
> the DNS secondary server.
> 
> But it seems it is different than I believed... when I see the query
> log file in primary and secondary DNS servers, I can see queries
> coming from Internet in both servers... in other words, the two DNS
> servers are being contacted all the time.
> 
> Is there any way to make DNS clients from Internet always contact my
> primary DNS server and just if it is down the clients must contact the
> secondary DNS server ???

are those servers Authoritative, or Recursive?
It’s not quite clear in your above explanation.

Cheers, 

-- 
Nico



Re: BIND srtt algorithm not working as expected

2018-05-17 Thread Nico CARTRON
Hi Paul,

> On 17 May 2018, at 13:46, Paul Roberts  wrote:
> 
> Good grief indeed!
> 
> I would love to implement 'fetches-per-zone' but we need to get them onto 
> BIND 9.11 first, that's a few months away.
> 
> Unfortunately I can't just block this traffic else I'll have the security 
> teams wanting to know why we are compromising their desktop security.
> 
> Even 'fetches-per-zone' is a bit contentious, if we are rate limiting and one 
> of those queries happens to be for a malicious file which doesn't get 
> quarantined (because we never got the actionable response code from Sophos) 
> we'll be in big trouble.
> 
> So we are caught between a rock and a hard place. :-(

Why not put dnsdist in front of those BIND 9.8, and have it redirect DNS 
traffic destined for Sophos to dedicated BIND servers?
And have the other, non-Sophos DNS traffic sent to the current BIND servers?

Cheers,
Nico


> 
> From: Tony Finch 
> Sent: 17 May 2018 12:34
> To: Paul Roberts
> Cc: bind-users@lists.isc.org
> Subject: Re: BIND srtt algorithm not working as expected
>  
> Paul Roberts  wrote:
> 
> > After doing some more packet captures, it looks like a lot of the
> > queries are related to Sophos live protection DNS lookups (lots of
> > queries for sophosxl.net), so there are a lot of queries which don't get
> > resolved.
> 
> Good grief.
> 
> There are a few things you might do to mitigate this idiocy:
> 
> 0. Block sophosxl.net. Your colleagues responsible for AV might not
>    appreciate this :-)
> 
> 1. In BIND 9.11+ there are options `fetches-per-zone` and
>    `fetches-per-server` for helping a resolver to cope with overloaded
>    authoritative servers. When you are forwarding you'll have to rely on
>    fetches-per-zone since fetches-per-server will throttle everything.
>    I don't know how fetches-per-zone discovers zone cuts or how well that
>    works in the forwarding case when your resolver is relying on an
>    upstream to do the iteration.
> 
> 2. Set up sacrificial forwarding IP addresses. These can be additional
>    addresses on your existing forwarders. Configure your resolvers to
>    forward queries for sophosxl.net to the sacrificial addresses instead
>    of the usual ones. Then BIND's address database entries used by most
>    queries won't get polluted by the non-responding servers.
> 
> You might profitably combine 1. and 2. to make the resolver eagerly drop
> queries to the sacrificial forwarders.
> 
> Tony.
> -- 
> f.anthony.n.finch    http://dotat.at/ 
> 
> the quest for freedom and justice can never end


Re: allow-transfer with distinct IP rejected

2017-04-26 Thread Nico CARTRON
Hi Lars,

On 26-Apr-2017 09:10 CEST,  wrote:

> Am 26.04.2017 um 08:22 schrieb Steven Carr:
> > On 26 April 2017 at 06:53, Dr. Lars Hanke  wrote:
> > > allow-transfer { 172.16.11.35; };
> > This IP ^^^
> > 
> > > transfer of '178.168.192.in-addr.arpa/IN' from 172.16.10.16#53: failed while receiving responses: REFUSED
> > Is not the same as the IP the AXFR request is coming from? ^^^
> 
> At least it is the IP of the slave:
> 
> ifconfig eth0
> eth0  Link encap:Ethernet  HWaddr 00:16:3e:2b:22:05
>   inet addr:172.16.11.35  Bcast:172.16.11.255 Mask:255.255.255.0
> 
> dig @172.16.10.16 dmz.microsult.de. axfr
> 
> ; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @172.16.10.16 dmz.microsult.de. axfr
> ; (1 server found)
> ;; global options: +cmd
> ; Transfer failed.

BIND logs refer to the IP address 172.16.10.16; can you tell us what this
IP is?
It appears that it is this IP address which is trying to transfer the zone,
and as you are restricting zone transfers to the slave IP address
(172.16.11.35), it makes sense that this is refused.
And it also explains why it works when you allow the entire /16.

Cheers,

-- 
Nico


Re: views

2017-04-19 Thread Nico CARTRON
On 19-Apr-2017 16:47 BST,  wrote:

> On 19-Apr-2017 15:59 BST,  wrote:
> [...] 
> > I'd also like to see if it's possible to have dig send ECS info.
> 
> +edns / +noedns , but you'll need a recent dig version.

Of course I meant +subnet / +nosubnet

-- 
Nico


Re: views

2017-04-19 Thread Nico CARTRON
Hi Grant,

On 19-Apr-2017 15:59 BST,  wrote:

> On 04/19/2017 03:37 AM, Tony Finch wrote:
> > This is what the EDNS client subnet option is about. You can use it in
> > BIND by adding "ecs" clauses to your address match lists for views or
> > acls. However it isn't documented in the ARM and it has significant
> > problems. See
> > https://kb.isc.org/article/AA-01432/0/BIND-9.11.0-Release-Notes.html
> > and especially
> > https://kb.isc.org/article/AA-01480/0/BIND-9.11.1rc3-Release-Notes.html
> 
> The only occurrences I found for "ecs" on the two release notes didn't
> include more details about how to configure views to use it.  

As pointed out by Tony, it is not documented in the ARM, so you need to dig a
little bit :)

Googling a little, you'll find things such as:

acl ecs-area01 { ecs 192.168.164.0/24; };
acl no-ecs-area01 { 192.168.164.0/24; };

and then you can use these ACLs as part of your DNS views.

> Nor did I see
> details on how to have BIND send ECS with queries when it's a recursive
> server.  

As far as I know, ECS for Recursive queries is not yet implemented by ISC, or
at least it is not publicly available.

> I'd also like to see if it's possible to have dig send ECS info.

+edns / +noedns , but you'll need a recent dig version.

Cheers,

-- 
Nico


Re: debug SERVFAIL

2016-10-02 Thread Nico CARTRON
Hi Per,

> On 2 Oct 2016, at 19:07, Per olof Ljungmark  wrote:
> 
> [...]
> 
>> Just use the "hint" type configuration. This is just fine for most users.
> 
> The interesting thing is why FreeBSD includes the recommendation in the
> default named.conf if that is not good, and I thought it would be
> interesting to know why.

I just checked one of my FreeBSD servers and couldn't find this 
section/recommendation. 
If I'm not mistaken the default named.conf does include hints and also RFC1918 
in-addr.arpa, not more. 

Cheers,

-- 
Nico


Re: Option in named to turn off EDNS Globally

2016-08-05 Thread Nico CARTRON
On 5 August 2016 at 09:15:29, Harshith Mulky (harshith.mu...@outlook.com) wrote:
> Hello Nico,
>
> This was only for Testing between 2 devices, 1 supporting edns and the other
> not supporting edns and checking how the Application behaves(lwresd and named)

OK.

Better also answering on the mailing list =)

Cheers,

-- 
Nico



Re: Option in named to turn off EDNS Globally

2016-08-05 Thread Nico CARTRON
Hi Harshith,

> On 05 Aug 2016, at 08:47, Harshith Mulky  wrote:
> 
> I have tried enabling with the significant bits
> 
> server 0.0.0.0/0 { edns no; };
> server ::/0 { edns no; };
> 
> But, I get the following Error
> Error in named configuration:
> /etc/named.conf:120: '{' expected near '/'
> 
> Error in /var/log/messages
> 
> Aug  5 11:59:19 coorg named:  failed
> Aug  5 11:59:19 coorg named: /etc/named.conf:120: '{' expected near '/'
> 
> 

You still didn't say why you want to turn off EDNS. 
That shouldn't be needed nowadays and could even cause problems...

-- 
Nico


> Thanks
> Harshith
> 
> From: Mark Andrews 
> Sent: Friday, August 5, 2016 11:11:01 AM
> To: Harshith Mulky
> Cc: bind-users@lists.isc.org
> Subject: Re: Option in named to turn off EDNS Globally
>  
> 
> In message 
>  .COM>, Harshith Mulky writes:
> > Hello,
> > 
> > Is there a option in named to turn off EDNS Responses(not Requests) Globally
> > 
> > I have tried with this Option on named
> > 
> > server 0.0.0.0
> > {
> > edns no;
> > };
> 
> You need specify the significant bits.  By default all the bits are 
> significant.
> 
> server 0.0.0.0/0 { edns no; };
> server ::/0 { edns no; };
>  
> But why do you need to turn off EDNS?  It's almost always not what is needed.
> 
> Mark
> 
> > But does not seem to work
> > 
> > Any other options?
> > 
> > Thanks
> > 
> > Harshith
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Unable to understand why a different A record response being sent by bind

2016-06-20 Thread Nico CARTRON
Hi Harshith,
On 20 June 2016 at 15:05:58, Harshith Mulky (harshith.mu...@outlook.com) wrote:

> I am Running bind (bind-9.9.5P1-2.2.2.x86_64) on Open Suse 13.2
>
> I have the following Records in my Zone file
>
> $ORIGIN test1.com.
> $TTL 600
> @  IN  SOA atlanta.test1.com. admin.test1.com.  (
>   2003022720 ; Serial
>   56800  ; Refresh
>   14400  ; Retry
>   360    ; Expire
>   2h )    ; Minimum
>
>   IN  NS  atlanta.test1.com.
>
> atlanta.test1.com.  IN A    10.54.48.68
> ;A Records
>
> denver1.test1.com.  IN A    10.54.80.150
> denver1.test10.com.  IN A    10.54.80.17
> denver2.test1.com.  IN A    10.54.80.150
>   IN A    10.54.80.35
> test1.com.  IN A   10.54.80.150
>
> When I am doing a dig for the record denver2.test1.com. for A
>
> I am receiving this Response:
>
> dig denver2.test1.com. A
>
> ; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> denver2.test1.com. A
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42085
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;denver2.test1.com. IN  A
>
> ;; ANSWER SECTION:
> denver2.test1.com.  600 IN  A   10.54.80.150
> denver2.test1.com.  600 IN  A   10.54.80.35
>
> ;; AUTHORITY SECTION:
> test1.com. 600 IN  NS  atlanta.test1.com.
>
> ;; ADDITIONAL SECTION:
> atlanta.test1.com. 600   IN  A   10.54.48.68
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jun 20 18:22:29 IST 2016
> ;; MSG SIZE  rcvd: 122
>
> Question:
>
> 1. I am not able to understand why this answer is being Received
> denver2.test1.com.  600 IN  A   10.54.80.35
> as I have not configured any owner-name for the record type

It’s not an “owner”, it’s a RR (Resource Record) ;)
In your zone file you have:

denver2.test1.com.  IN A    10.54.80.150
  IN A    10.54.80.35

So BIND interprets the 2nd line as a 2nd value for denver2.test1.com., which 
makes perfect sense.

> 2. If there is no owner-name specified in the DNS Records, what owner-name does
> the record actually pick?

See above: it’ll pick the previous line where you have a RR defined.



Cheers,

-- 

Nico
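
The behaviour described in this reply (a record line whose owner field is blank is attached to the previous owner name), as an added example that is not part of the original messages. The parser below is a minimal sketch written for this page, not BIND's loader; it handles only the syntax used in the posted zone, which is copied here in abridged form.

```python
CLASSES = {"IN", "CH", "HS"}

# Zone text abridged from the post above (the two denver1 lines are left out).
ZONE = """\
$ORIGIN test1.com.
$TTL 600
@  IN  SOA atlanta.test1.com. admin.test1.com.  (
  2003022720 ; Serial
  56800  ; Refresh
  14400  ; Retry
  360    ; Expire
  2h )    ; Minimum

  IN  NS  atlanta.test1.com.

atlanta.test1.com.  IN A    10.54.48.68
;A Records
denver2.test1.com.  IN A    10.54.80.150
  IN A    10.54.80.35
test1.com.  IN A   10.54.80.150
"""


def logical_lines(text):
    """Yield (inherits_owner, tokens) per record, joining "( ... )" groups."""
    tokens, depth, inherits = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # drop comments
        if not line.strip():
            continue
        if not tokens:                         # first line of a record:
            inherits = line[0] in " \t"        # leading blank = no owner field
        depth += line.count("(") - line.count(")")
        tokens += line.replace("(", " ").replace(")", " ").split()
        if depth == 0:
            yield inherits, tokens
            tokens = []


def parse_zone(text):
    """Return a list of (owner, type, rdata) with every owner name resolved."""
    origin, last_owner, records = None, None, []
    for inherits, tok in logical_lines(text):
        if tok[0] == "$ORIGIN":
            origin = tok[1]
            continue
        if tok[0].startswith("$"):             # $TTL and other directives
            continue
        if inherits:
            if last_owner is None:
                raise ValueError("blank owner with no previous record")
            owner = last_owner                 # reuse the previous owner name
        else:
            owner, tok = tok[0], tok[1:]
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"    # relative name: append origin
            last_owner = owner
        # Skip the optional TTL and class that may precede the type.
        while tok[0].upper() in CLASSES or tok[0][0].isdigit():
            tok = tok[1:]
        records.append((owner, tok[0].upper(), " ".join(tok[1:])))
    return records


def addresses(records, owner):
    """All A record values that ended up under the given owner name."""
    return [rdata for name, rtype, rdata in records
            if name == owner and rtype == "A"]


if __name__ == "__main__":
    for record in parse_zone(ZONE):
        print(*record)
```

Running it lists both 10.54.80.150 and 10.54.80.35 under denver2.test1.com., and the NS record under test1.com. (inherited from the `@` line).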


Re: different answers from google's authoritative servers

2016-06-01 Thread Nico CARTRON
Hi Sotiris,
On 1 June 2016 at 14:47:31, Sotiris Tsimbonis (sts...@forthnet.gr) wrote:

> On 1/6/16 15:30, Kevin Kretz wrote:
> > There's also no reason to assume that the different responses have
> > anything to do with the client network. They could, of course (with
> > views), but that you get different responses from the same/similar IP
> > is, again, not anything wrong.
> >
>
> True, so below is probably the visualisation of load balancing ... which
> most of the times gives me "the wrong logical answer".
>
> [root@syz3ns03 ~]# while true ; do sleep 0.1 ; echo "$(date) $(dig +short A www.google.com. @ns3.google.com.)" ; done
> ...
> Wed Jun 1 15:42:31 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:32 EEST 2016 216.58.208.100
> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:33 EEST 2016 216.58.208.100
> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:34 EEST 2016 216.58.208.100
> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
> Wed Jun 1 15:42:35 EEST 2016 172.217.16.36
> ...
>
> So what I'm really trying to find out is if there's anything from my
> side to influence the load balancer's decision..


Why would you want to influence the LB decision?  
Is there any difference between the different IP addresses you have as answers?

You mentioned SSL errors in the browser, could you give more details?
I don’t think you should have to fix that on your side, but rather find out 
what is happening.

Cheers,

-- 
Nico

Re: BIND 9.11 / edns-client-subnet

2016-05-09 Thread Nico CARTRON
Hi Bert,
On 9 May 2016 at 21:24:42, bert hubert (bert.hub...@netherlabs.nl) wrote:

> On Mon, May 09, 2016 at 05:24:50PM +0200, Nico CARTRON wrote:
> > > Perhaps you should tell us how it works for you, what your testing has
> > > found, and contribute to the development of great open source software?
> > well, I am just starting the tests now, so cannot tell - yet :)
> > I will definitely report once I have progressed, but in the meantime, any
> > feedback from others would be appreciated.
>
> Let me comment on my snark a bit before I promise to no longer pollute this
> technical list with such remarks.

ouch, did not see this one coming.
Let me answer to your remarks below.

> Any appliance vendor is a net loss of
> revenue and reputation for the open source world unless you contribute back.
> It does not sustain our software otherwise.

Just because you’ve not heard of something does not mean this does not happen.
And bear in mind that we’re using other non-DNS software, so we contributed to 
other fields.

> And in fact, by branding BIND (which is a magnificent collection of DNS
> functionality, which you ship) as "the most common victim" of security
> issues, you are hurting open source. [1] Your non-public sales stories are
> worse.

I don’t see how calling BIND “the most common victim” is hurting open source.
We push for software diversity, which is always good.

> Given that, I found it a bit rich for you (from a non-company email
> address!) to ask the community that supplies you with free software to give
> you some free testing too.

I’ve always used my private email address for mailing lists, that’s easier.
And unless I re-read my previous email incorrectly, I did not ask for “some 
free testing”,
but for feedback from others.

> It would be great to see some testing from you perhaps. For example, how DID
> you achieve 27 million queries/second?

That’s 17 million QPS.
If you’re around at the RIPE meeting in Copenhagen, I’ll be more than happy to 
discuss it with you.

> > BTW Bert, does PowerDNS support it? ;)
> > I saw (https://github.com/PowerDNS/pdns/issues/573) that it’s on git
> > master, does that mean it’s publicly available?
>
> Yes - see my off list reply.

Thank you, but I did not receive this off-list reply.

With the above being said, can we please come back to the original topic and 
not pollute this list?
We can continue off-list or talk in Copenhagen if you wish to.

Re: BIND 9.11 / edns-client-subnet

2016-05-09 Thread Nico CARTRON
Hi Bert,
On 9 May 2016 at 17:11:54, bert hubert (bert.hub...@netherlabs.nl) wrote:

> On Mon, May 09, 2016 at 04:38:13PM +0200, Nico CARTRON wrote:
> > I was wondering whether some folks on the mailing list had a look at the ECS
> > implementation in BIND 9.11,
> > and if they had any feedback to share?
>
> Perhaps you should tell us how it works for you, what your testing has
> found, and contribute to the development of great open source software?

well, I am just starting the tests now, so cannot tell - yet :)

I will definitely report once I have progressed, but in the meantime, any 
feedback from others would be appreciated.

BTW Bert, does PowerDNS support it? ;)
I saw (https://github.com/PowerDNS/pdns/issues/573) that it’s on git master, 
does that mean it’s publicly available?



Cheers,

-- 

Nico

BIND 9.11 / edns-client-subnet

2016-05-09 Thread Nico CARTRON
Hi everyone,

I was wondering whether some folks on the mailing list had a look at the ECS 
implementation in BIND 9.11,
and if they had any feedback to share?

Cheers,

-- 
Nico
