Re: DoH plugin for BIND

2020-05-03 Thread Noel Butler
Don't flatter yourself troll, I've always been active on a number of
lists, but as I do have a life, I may not comment on every single thread
on every list.

Like I told you before, stop being a f'wit and I'll have no reason to
warn anyone of how caustic you will get towards them, and we'll also
have no reason to list your netblock on RBL.

No need to reply, just let it sink in, but since it's failed to in over 5
years, I don't expect miracles.

On 03/05/2020 15:13, Reindl Harald wrote:

> Am 03.05.20 um 01:42 schrieb Noel Butler: 
> 
>> Dont waste your time trying to argue with that troll
> 
> given that you *never* had to say anything useful on *any* mailing list
> and only creep out of your hole when you hear my name to fire your
> personal vendetta what about stay in your hole?

-- 
Kind Regards, 

Noel Butler 

This Email, including attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate any part of
this message without the authors express written authority to do so. If
you are not the intended recipient, please notify the sender then delete
all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DoH plugin for BIND

2020-05-02 Thread Noel Butler
On 03/05/2020 02:17, Sten Carlsen wrote:

> About mail servers from residential IPs. I have done that for a number of 
> years, very rarely any issue.

Most SPs do this.

> The major problem was that at one time MS required a reverse lookup for the 
> actual mail server name.

Many SPs still do this; some take it the extra mile and block anything
with things like cpe/dsl/cable/hfc/dyn/ppp etc. in the hostname. We
still do it, have done for over 20 years and seen no collateral damage.

> In my part of the world it is very bad taste for an ISP to block anything, 
> its not their business.

Ordinarily, I agree, but the overall security and protection of the
network must come first, the protection of the majority must come first.
Then there's the law: in Australia we are required, as part of the
outcome of iiNet v Hollywood, to block pirate sites. 99% do this by
DNS; the Federal Court accepts this method, the Federal Court knows it
can be avoided by most 8-year-olds in under 10 seconds, it's the sweet spot
everybody agreed to so they approved it.

There are also other laws that require its use as well. That said, we
don't block any ports and have no intention of doing so.

That said, DoH is fairly pointless here because there is no requirement
to log DNS queries; most of us have far better things to do than to know
who's going where, none that I know do it, though there is a question of
Telstra mobile.

Let's face it, if we really want to know who's going where, netflow tells
us a whole lot more anyway.

-- 
Kind Regards, 

Noel Butler 



Re: DoH plugin for BIND

2020-05-02 Thread Noel Butler
Don't waste your time trying to argue with that troll.

Google his name, he's well banned on many lists; he was moderated on
this list as well, seems he's changed his user@ to get around it. He's
been quiet for a while, I thought he'd learned his lesson, but leopards
never change their spots.

On 03/05/2020 01:11, Michael De Roover wrote:

> I'm sure that most of the list members here are aware of how net neutrality 
> and the internet in general works - we're internet operators after all. What 
> we're here for is ports and protocols, not policy or internet culture. On 
> that subject, we are not policy makers. Let's leave that to politicians who 
> studied for it. Vote some technical people in government while we're at it, 
> but I digress.
> 
> The DoT/DoH argument or what a mail server could be operated from is not one 
> of policy.. well maybe mail servers are, to some extent. Perhaps there's some 
> ISP employees here too. Those are in power to allow or disallow things on 
> their network. But DoT/DoH certainly isn't. What are we supposed to worry 
> about? How do we implement this new encrypted DNS. Do we piggyback off an 
> existing port and rely on its ubiquitous allowance on the internet or do we 
> create a new port for it, where we can make a dedicated new protocol suite?
> 
> On 5/2/20 5:03 PM, Reindl Harald wrote:

-- 
Kind Regards, 

Noel Butler 



Re: Security issues with Ubuntu bind9 11.9.3 ?

2020-02-23 Thread Noel Butler
ISC cannot control what Ubuntu provides; you are best taking this up
with Ubuntu on their mailing lists.

On 24/02/2020 02:28, Brett Delmage wrote:

> But 1:9.11.3+dfsg-1ubuntu1.1 is the version that Ubuntu 18.04 LTS supports, 
> and will continue to for 2 more years.
> 
> Clearly, it is earlier than 9.11.4
> 
> Has Ubuntu properly patched it for relevant security updates? Is it safe to 
> run? Of course it will be missing the latest features and software defects 
> (which I am exploring on a test server using a version I compiled myself).

-- 
Kind Regards, 

Noel Butler 



Re: Change source IP at outgoing packet send by Bind9 as forwarder.

2019-10-17 Thread Noel Butler
OK, it might be too early and I'm not getting your question, I'm only
half way through my first coffee of the day...

But if you have 192.168.0.1 as LAN, and the WAN, let's say, is 1.1.1.1,
and needs to resolve a hostname, it has to go to the big wide world of
internets, and it can only do that using 1.1.1.1, therefore that's the
only way it will work; your internal LAN IP is not asking the root
servers or subsequent in chain, your WAN IP is, because routing, pvt
address space etc, you know...

On 18/10/2019 07:16, CpServiceSPb . wrote:

> I have Bind9 on Ubuntu 18.04 x64 LTS working as a cache and forwarding one.
> There are some forwarders IPs.
> 
> Server has 2 NICs (lan and wan) .
> 
> Bind9 binds strictly to localhost and lan NICs, that is to 127.0.0.1 and
> 192.168.0.1.
> But when Bind9 forwards queries to external servers, it does it via the wan
> interface but uses from the outset the server's external IP as source, which
> is not changed by SNAT or MASQUERADE iptables.
> Unlike other software, for example Asterisk, which is bound to the lan interface
> only and uses the internal (192.168.0.1) IP as source for outgoing packets and
> then iptables changes the source address of such outgoing packets from internal
> to external using either SNAT or MASQUERADE.
> 
> So how is one to change Bind9, what and where is to set up and what setting,
> so that Bind9 would send forwarding packets via the wan interface but would use
> the address it is bound to, or internal, if it is bound to 127.0.0.1 and
> 192.168.0.1?

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Zone transfers can be lost forever

2019-10-17 Thread Noel Butler
Edit the primary zone, just put a TXT record in it, saying anything,
gibberish even, save and reload the zone.

Let us know so we can check it for currency on both your NS1 and NS2.

If you followed Tony's advice there is no reason it is not in sync and I
don't see an issue.

On 18/10/2019 05:48, jean-christophe manciot wrote:

>> If the zone file on the primary can be edited by `named` (dynamic
>> updates, signing, etc) then you need to `rndc freeze`, edit, `rndc thaw`
>> instead.
> 
> I did all that, even restarted the systemd service on the primary after
> noticing the issue.
> Then, on *both* servers:

-- 
Kind Regards, 

Noel Butler 



Re: RPZ for reverse lookups ?

2019-08-24 Thread Noel Butler
On 25/08/2019 06:56, J Doe wrote:

> Hello, 
> 
> I have a basic question regarding RPZ on Bind 9.11.x. 
> 
> Is it possible to re-write a response on a reverse lookup? For instance, if 
> I considered example.com a "bad domain", can I write a RPZ policy so that 
> a reverse lookup of IPs that map to example.com fails or is blocked? 
> 
> I know I can do this with a forward lookup to generate NXDOMAIN: 
> 
> ; Forward resolution of: example.com and subdomains generates: NXDOMAIN 
> 
> example.com    IN CNAME . 
> *.example.com  IN CNAME . 
> 
> ...but can this also be done on reverse lookups? 
> 
> Thanks,

This can have disastrous effects if this is for a public network, given
shared hosting.

An Australian govt dept (ASIC) ordered a s313 block on an IP a couple of
years back; turns out that IP supplied about 2K hosts, 99.9% of
which were very legitimate, including many Aussie businesses.

And I still don't know what's worse, the clueless idiots in ASIC (who
thankfully have now, due to that incident, lost most of that power), or the
clueless idiots in the ISP's networking who blindly accepted and enacted
the block.

To put it in RFC terms for non-Aussies, s313 is a SHOULD, and _not_ a
MUST.
If there's genuine reason, i.e. mass collateral damage, you can lawfully
refuse to carry out such requests.

-- 
Kind Regards, 

Noel Butler 



Re: nsupdate reject

2019-05-20 Thread Noel Butler
Did you allow for it under the zone? Adding a key as such will not give
you global operations:

zone foo {
    ...
    allow-update { key "keyname"; };
    ...
}

And nsLOOKUP? It's either too early in the morning here and I'm
mis-reading what you're doing, or you should be using, or at least meant
to say, nsUPDATE.

On 20/05/2019 10:27, @lbutlr wrote:

> Trying to update some DNS under a relatively newly installed BIND 9.14 with 
> nsupdate.
> 
> I have a file admin.key that looks basically like this:
> key "rndc-key" {
> algorithm hmac-sha256;
> secret "SECRETSTUFF=";
> };
> 
> This is the same key block that is in named.conf. I am launching NSLOOKUP 
> with -k admin.key, but when I try to make a change and then "send", I get 
> "update failed: REFUSED."
> 
> Is this not the key that is wanted? It appears to be the only key I have. Do 
> I need to change to some different key type for bind 9.14, or am I forgetting 
> something else.
> 
> I did make some changes to the DNS back in 9/12 several months ago, and I 
> don't recall having to even provide the key then.

-- 
Kind Regards, 

Noel Butler 



Re: Freeze/thaw and signed zone files

2019-02-23 Thread Noel Butler
On 23/02/2019 05:28, @lbutlr wrote:

> I did try manually updating via nsupdate -l
> 
>> zone example.com
>> update add example.com. 86400 IN SOA ns1.example.net. admin.example.com. 2019022200 3600 300 1209600 3600
>> update add konamicode.example.com. 86400 IN CNAME www.example.com.
>> send
> ; Communication with ::1#53 failed: timed out
> update failed: FORMERR
> 
> Why is it defaulting to IPv6? This system is not setup for IPv6. Do I have to 
> setup named.conf to listen on ::1?

Obviously your machine *is* set up for IPv6, it's just not configured;
named sees the capability, so tries it.

I bet ifconfig shows it; below is an example from this PC which does
not use IPv6...

lo:
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10

probably eth0 does as well

eth0:
  inet6 fe80::e2cb:4eff:feda:9842 prefixlen 64 scopeid 0x20

You might also want to read up on gai.conf and set some precedences.
I don't use it, but on Slackware I don't have the problems you have; it
might help - I recall having to use it well over 10 years ago on a few
CentOS servers we inherited at the time.

-- 
Kind Regards, 

Noel Butler 



Re: Freeze/thaw and signed zone files

2019-02-21 Thread Noel Butler
On 22/02/2019 07:03, @lbutlr via bind-users wrote:

>> I don't recall if reloading or thawing will automatically re-sign the zone 
>> or if you need to also explicitly "rndc sign $ZONE".
> 
> Sign recreates the .jnl file, but doesn't touch the .signed file.
> 
> Doing the following recreated the .signed file, but still didn't add the new 
> subdomains.
> 
> Freeze, flush, edit, thaw, 
> 
> Then service named stop, service named start.

freeze, edit, thaw, rndc reload is all that's needed

-- 
Kind Regards, 

Noel Butler 



Re: SSL cert for lists.isc.org expired on Saturday, December 29, 2018

2019-01-01 Thread Noel Butler
hehehe indeed it is, so much so I use it on my desktop and a laptop :)

Nice how they don't butcher everything like RH/Debian and their offset
flavors do

/ducks 

On 02/01/2019 15:42, John W. Blue wrote:

> "It looks like you are using a System V-style OS.  BSD is waiting for you.  
> Would you like some help?" 
> 
> Kidding aside, Slackware is old school awesome. 
> 
> ;) 
> 
> FROM: bind-users [mailto:bind-users-boun...@lists.isc.org] ON BEHALF OF Noel 
> Butler
> SENT: Tuesday, January 01, 2019 5:32 PM
> TO: bind-users@lists.isc.org
> SUBJECT: Re: SSL cert for lists.isc.org expired on Saturday, December 29, 
> 2018 
> 
> On 02/01/2019 04:48, Doug Barton wrote:
> 
>> I've had LE fail after a cerbot upgrade because it grew a dependency that 
>> didn't automatically get installed with the upgrade.
>> 
>> So yes, automation good, but not perfect.
> 
> Yes likewise on the one box I could actually get certbot to run on, just 
> wouldnt run on any of the slackware boxes - which are all but 1, so it too 
> was quickly replaced with acme.sh which has *never* failed us. 
> 

-- 
Kind Regards, 

Noel Butler 



Re: SSL cert for lists.isc.org expired on Saturday, December 29, 2018

2019-01-01 Thread Noel Butler
On 02/01/2019 04:48, Doug Barton wrote:

> I've had LE fail after a cerbot upgrade because it grew a dependency that 
> didn't automatically get installed with the upgrade.
> 
> So yes, automation good, but not perfect.

Yes, likewise on the one box I could actually get certbot to run on; it just
wouldn't run on any of the Slackware boxes - which are all but 1, so it
too was quickly replaced with acme.sh which has *never* failed us.


Re: SSL cert for lists.isc.org expired on Saturday, December 29, 2018

2018-12-31 Thread Noel Butler
On 01/01/2019 12:54, John W. Blue wrote:

> nuff said, eh? 
> 
> I thought that Let's Encrypt wanted to roll / revalidate SSL certs every 90 
> days.  IIRC they have automation for apache and DNS tools when it comes to 
> revalidation.

acme.sh FTW 

-- 
Kind Regards, 

Noel Butler 



Re: BIND and UDP tuning

2018-09-27 Thread Noel Butler
Hi Alex, 

Have you tried on a separate physical server, to rule out the actual
hardware as being the problem?

Is this some user grade PC with either an onboard or external ethernet
interface, or proper server grade equipment? Age of equipment? What
else does that machine do?

Cheers 

On 28/09/2018 02:07, Alex wrote:

> Hi,
> 
>> Just a wild thought:
>> It works with a lower speed line (at least I read it that way) but has 
>> problems with higher speeds.
>> Could it be that the line is so fast that it "overtakes" the host in 
>> question?
>> 
>> A faster incoming line will give less time between the packets for 
>> processing.
> 
> No, I actually upgraded from a 65/20mbit to a 165/35mbit recently,
> thinking it was too slow because it was happening at the slower speeds
> as well. I've also implemented some basic QoS to throttle outgoing
> smtp and prioritize DNS but it made no difference.
> 
> Thanks,
> Alex

-- 
Kind Regards, 

Noel Butler 



Re: Stopping name server abuse

2018-06-24 Thread Noel Butler
On 25/06/2018 10:09, ma...@isc.org wrote:

> Sorry for the noise

What noise? 

Your post is to the point and appropriate, lots of members of this list
may be in this situation and ignore it because they have NFI on what to
do, so you've helped them. 

Though personally I have done a few times what John Blue suggested,
might not stop my resources being abused, but it gets the point across
:)

-- 
Kind Regards, 

Noel Butler 



OFF TOPIC Re: Sorbs List on Bind Help

2018-04-12 Thread Noel Butler
On 12/04/2018 15:13, Klaipedaville on Google wrote:

> Hello list,
> 
> I was wondering if anybody could advise please, on the line below that I 
> always seem to get in my Bind 9.8.4 logs:
> 
> error (unexpected RCODE SERVFAIL) resolving 
> 'dul.dnsbl.sorbs.net/A/IN':174.36.198.232#53
> 
> I know what it generally stands for, that is the name server was unable to 
> process this query due to a problem with the name server (according to RFC 
> 1035, 4.1.1).
> 
> I am using ACL and I white-listed 174.36.198.232. I also white-listed and 
> made sure the IP in question is not blocked anywhere else, like iptables and 
> so on. However. I also notice that dul.dnsbl.sorbs.net has no A records so I 
> think that this may not be the issue. Plus, I also noticed later that IP 
> addresses changed regularly (it can be just about any other IP instead of 
> where 174.36.198.232 is) so my white-listing was useless.
> 
> I would be really thankful if anybody could assist on the correct setting to 
> allow my named (Bind) server to communicate with dul.dnsbl.sorbs.net as all 
> the other DNSBLs etc. I use on my server work and resolve well.
> 
> I would appreciate any comments / pointers / help at all. 
> 
> Many thanks in advance!
> 
> Regards,
> Dennis

You're going about this all wrong.

dul.dnsbl.sorbs.net will not have an A record; that's not how DNSBLs
normally work.

Placing them in an ACL makes no difference; SORBS is the one who
controls access to their resources, it's SORBS's server not answering you,
and there is nothing you can do about it, though you shouldn't be querying a
particular SORBS NS, just the name itself. You should have no entries
anywhere for SORBS except in your SMTP/WWW module configs, like, for
example, in postfix:

reject_rbl_client dul.dnsbl.sorbs.net

I won't go into the fact BIND 9.8 is so old it's unsupported :)

-- 
Kind Regards, 

Noel Butler 

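As an added illustration of the point in the reply above (example code, not from the original post, from SORBS or from BIND), here is what a mail server actually does when it consults a DNSBL: it reverses the client IP's octets (or hex nibbles for IPv6), prepends them to the list zone, and treats an A answer inside 127.0.0.0/8 as a listing. The bare zone name is never looked up for an A record, which is why `dul.dnsbl.sorbs.net` having none is normal. The resolver here is a constructed in-memory stand-in so the example runs offline; every listing in it is made up.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed stand-in for DNS answers (not real SORBS data).
#   list value  -> the A records returned ([] means NXDOMAIN, i.e. not listed)
#   missing key -> None, standing in for SERVFAIL/timeout like the error
#                  quoted in the original post
FAKE_DNS: Dict[str, List[str]] = {
    "4.3.2.1.dul.dnsbl.sorbs.net": ["127.0.0.10"],   # made-up listing
    "8.8.8.8.dul.dnsbl.sorbs.net": [],               # not listed
    "dul.dnsbl.sorbs.net": [],                       # zone apex: no A, as expected
    # A hypothetical dead/parked DNSBL zone whose wildcard answers with a
    # public address: this must NOT be read as "listed".
    "1.0.0.10.dead.dnsbl.example": ["203.0.113.7"],
}

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def fake_resolve_a(name: str) -> Optional[List[str]]:
    """Offline substitute for an A lookup; see FAKE_DNS for the semantics."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL client queries for ip under zone.

    IPv4: reversed dotted octets; IPv6: reversed hex nibbles (RFC 5782 style).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def check_dnsbl(ip: str, zone: str,
                resolve_a: Callable[[str], Optional[List[str]]]) -> Dict[str, object]:
    """Classify ip against zone as 'listed', 'clean' or 'error'.

    'error' covers both a failed lookup (SERVFAIL/timeout) and an answer
    outside 127.0.0.0/8; a mail filter should treat either as "unknown"
    rather than rejecting the client.
    """
    name = dnsbl_query_name(ip, zone)
    answers = resolve_a(name)
    if answers is None:
        return {"query": name, "status": "error", "answers": []}
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTING_RANGE]
    if answers and not codes:
        # Non-loopback answers usually mean a parked or hijacked list domain.
        return {"query": name, "status": "error", "answers": answers}
    return {"query": name,
            "status": "listed" if codes else "clean",
            "answers": codes}


if __name__ == "__main__":
    for client in ("1.2.3.4", "8.8.8.8", "10.0.0.1"):
        print(check_dnsbl(client, "dul.dnsbl.sorbs.net", fake_resolve_a))
    print(check_dnsbl("10.0.0.1", "dead.dnsbl.example", fake_resolve_a))
```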


Re: ISC considering a change to the BIND open source license

2016-06-15 Thread Noel Butler

On 15/06/2016 10:29, Ted Mittelstaedt wrote:

> On 6/14/2016 4:28 PM, Noel Butler wrote:
> 
>> On 15/06/2016 05:38, Ted Mittelstaedt wrote:
>> 
>>> It seems some on the list are short on philosophy? Well here is
>>> the actual philosophy and I'll apologize in advance that it won't fit
>>> in a SMS message for those people unable to have deep thoughts more
>>> complex than a SMS message. Hopefully you are not one of them.
>> 
>> I guess we can read this as you are, or are related to, one of these
>> commercial entities that are not playing nice... There is absolutely no
>> other reason one would be so dead against it as you are.
> 
> Or, you could simply just copy and paste my name into Linkedin and see
> who my current employer is.  Wow there's even a click-able website
> there!   What will they think up next, Maw!!!
> 
> I know, too boring.
> 
> Ted


Why?  It's not important to me who your employer is, I have far far far 
far far better things to do than research every poster I reply to.


I have also noted the quality of your posts on other lists over time, so 
I would be even less inclined to bother. I haven't and aren't going to 
bother, it's irrelevant who they are, most of us have several ties to 
orgs outside our main income stream. I can assure you my linkedin page, 
which hasn't been updated in ages, even when current, didn't list half of 
mine.


Again, if you are a user - there is no change
if you are a redistributor: there is no change - UNLESS you modify BIND 
and keep it to yourself - that's fair, Vicky's post explained it so well 
a child could understand it, if someone is affected by the pending 
change, then they are part of the problem that brought this about.


--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Noel Butler

On 15/06/2016 05:38, Ted Mittelstaedt wrote:


It seems some on the list are short on philosophy?  Well here is
the actual philosophy and I'll apologize in advance that it won't fit
in a SMS message for those people unable to have deep thoughts more
complex than a SMS message.   Hopefully you are not one of them.



I guess we can read this as you are, or are related to, one of these 
commercial entities that are not playing nice... There is absolutely no 
other reason one would be so dead against it as you are.


I have no doubt (just like spammers say what they do ain't spamming) that 
you will use extreme energy to disagree, dispute or despise; as one 
famous actor once said, "frankly, I don't give a damn"


--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: Interesting behavior with wildcard domains

2016-02-23 Thread Noel Butler
On 24/02/2016 09:13, Mathew Ian Eis wrote:

> Hi BIND, 
> 
> I've encountered (quite by accident) an interesting behavior in BIND with 
> wildcard domains: 
> 
> The relevant configuration is a zone; e.g. bar.com, with what I'll call a 
> "second level" wildcard host, e.g. *.foo.bar.com A 10.10.10.5 in that zone. 
> (as opposed to what might be considered the more usual wildcard host record 
> of *.bar.com). 
> 
> buz.foo.bar.com returns A 10.10.10.5 as expected. 
> 
> However, a query for foo.bar.com returns NOERR with zero results, when I 
> would expect a NXDOMAIN. 
> 
> Anyone know if the NOERR with zero results is the expected / correct 
> behavior? 
> 
> Thanks in advance, 
> 
> Mathew Eis 
> Northern Arizona University 
> Information Technology Services

It's expected, since it's a *  "." foo... 
you are asking for anything that dot foo, you're not asking for foo 

-- 

If you have the urge to reply to all rather than reply to list, you
best first read  http://members.ausics.net/qwerty/


Re: Using bind and ad blocking

2016-02-05 Thread Noel Butler

On 06/02/2016 07:28, Olliver Schinagl wrote:


; BIND db file for ad servers - point all addresses to an invalid IP
$TTL 864000      ; ten days

@   IN  SOA ns0.example.net. hostmaster.example.net. (
        2008032800  ; serial number YYYYMMDDNN
        288000      ; refresh  80 hours
        72000       ; retry    20 hours
        8640000     ; expire   100 days
        864000 )    ; min ttl  10 days
    NS  ns0.example.net.

    A   0.0.0.0

*   IN  A   0.0.0.0




Why point them to an IP at all? Just use TTL and SOA, no A, no nothing 
else.


They'll get NXDOMAIN when trying to look it up, problem solved.


--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/
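
The wildcard question earlier on this page (why foo.bar.com gets NOERROR with no answer while buz.foo.bar.com gets the *.foo.bar.com A record) and the ad-blocking zone above come down to the same RFC 4592 rules: a name that exists, even only as an empty non-terminal, never gets NXDOMAIN, and a wildcard only applies to names whose closest existing ancestor is the wildcard's parent. The following is an added example, not code from the thread: a small Python model of that lookup, run over constructed zones built from the two posts (the SOA/NS contents, x.foo.bar.com and the ads.example name are assumptions).

```python
# Added example (not from the thread): a minimal model of how an authoritative
# server resolves a name inside a zone that has wildcards and empty non-terminals,
# following the RFC 4592 rules.  The zones are constructed for illustration.
from typing import Dict, List, Set, Tuple

Zone = Dict[str, Dict[str, List[str]]]   # owner name -> RR type -> rdata strings


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot: 'BUZ.foo.bar.com.' -> 'buz.foo.bar.com'."""
    return name.lower().rstrip(".")


def _chain(name: str, apex: str) -> List[str]:
    """The name itself and each ancestor down to the apex, longest first."""
    labels = _norm(name).split(".")
    depth = len(labels) - len(_norm(apex).split("."))
    return [".".join(labels[i:]) for i in range(depth + 1)]


def existing_names(zone: Zone, apex: str) -> Set[str]:
    """Every owner name plus its ancestors inside the zone.  Ancestors that own no
    records (foo.bar.com when only *.foo.bar.com is defined) are the empty
    non-terminals; they exist, so they never produce NXDOMAIN."""
    names: Set[str] = set()
    for owner in zone:
        names.update(_chain(owner, apex))
    return names


def lookup(zone: Zone, apex: str, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Return (rcode, rdata list).  ('NOERROR', []) is the NODATA case."""
    zone = {_norm(owner): rrsets for owner, rrsets in zone.items()}
    apex, q = _norm(apex), _norm(qname)
    if q != apex and not q.endswith("." + apex):
        raise ValueError(f"{qname} is not inside zone {apex}")
    exist = existing_names(zone, apex)
    if q in exist:
        # The name exists (maybe only as an empty non-terminal): no wildcard is
        # consulted, the answer is whatever records it owns of that type.
        return "NOERROR", list(zone.get(q, {}).get(qtype, []))
    # Otherwise the closest encloser is the nearest existing ancestor, and only a
    # wildcard hanging directly off it can synthesize an answer.
    for ancestor in _chain(q, apex)[1:]:
        if ancestor in exist:
            wildcard = "*." + ancestor
            if wildcard in zone:
                return "NOERROR", list(zone[wildcard].get(qtype, []))
            return "NXDOMAIN", []
    return "NXDOMAIN", []   # not reached: the apex itself always exists


SOA = "ns1.example.net. hostmaster.example.net. 2016022401 3600 900 604800 300"

# The zone from the wildcard question, plus x.foo.bar.com (assumed) to show the
# closest-encloser rule.
BAR_COM: Zone = {
    "bar.com":       {"SOA": [SOA], "NS": ["ns1.example.net."]},
    "www.bar.com":   {"A": ["192.0.2.10"]},
    "*.foo.bar.com": {"A": ["10.10.10.5"]},
    "x.foo.bar.com": {"A": ["10.10.10.9"]},
}

# The ad-blocking zone as the reply suggests: SOA and NS only, no A, no wildcard
# (BIND needs the NS record to load the zone; nothing else is required).
ADS_EXAMPLE: Zone = {
    "ads.example": {"SOA": [SOA], "NS": ["ns0.example.net."]},
}

# The same zone with the wildcard A 0.0.0.0 from the original post.
ADS_WILDCARD: Zone = {**ADS_EXAMPLE, "*.ads.example": {"A": ["0.0.0.0"]}}

if __name__ == "__main__":
    for zone, apex, name, qtype in [
        (BAR_COM, "bar.com", "buz.foo.bar.com", "A"),     # wildcard answer
        (BAR_COM, "bar.com", "foo.bar.com", "A"),         # ENT: NOERROR, no data
        (BAR_COM, "bar.com", "a.b.foo.bar.com", "A"),     # wildcard spans labels
        (BAR_COM, "bar.com", "buz.foo.bar.com", "AAAA"),  # wildcard has no AAAA
        (BAR_COM, "bar.com", "y.x.foo.bar.com", "A"),     # closest encloser is x
        (BAR_COM, "bar.com", "nope.bar.com", "A"),        # plain NXDOMAIN
        (ADS_EXAMPLE, "ads.example", "tracker.ads.example", "A"),
        (ADS_EXAMPLE, "ads.example", "ads.example", "A"),
        (ADS_WILDCARD, "ads.example", "tracker.ads.example", "A"),
    ]:
        print(f"{name:22} {qtype:5} -> {lookup(zone, apex, name, qtype)}")
```

Note the apex case: with only SOA and NS in the zone, a query for ads.example itself returns NOERROR with no data rather than NXDOMAIN; only names below the apex get NXDOMAIN, and with the wildcard they get 0.0.0.0 instead.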


Re: Multiple A and PTR and the "main" ones?

2015-09-11 Thread Noel Butler

On 12/09/2015 00:54, David Ford wrote:

We are also one of those services that will reject mail if DNS records
don't line up sufficiently to a) satisfy RFC requirements for DNS and b)
are clearly mismatched with your DNS A/MX/PTR/SPF and who you pretend to
be in HELO/EHLO

Those two simple rules block more than 92% of incoming spam attempts.

"generics" tend to fall into that pit nearly 100% of the time. If your
DNS can simply say in MX/SPF that you are legit, you easily avoid that pit.


Blocking the majority of spam is really easy if we simply require
adherence to what is actually mandated in RFC and a pinch of sensible
thinking about DNS.



+1

These regex rules catch about 40% of rejects (no A/PTRs about 50% and 
RBLs 10%):


connect /.*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\..*/ei //
connect /.*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-.*/ei //
connect /.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\..*/ei //

Don't see much ipv6 traffic, <1%, so I have plenty of time to rewrite 
them to catch them as well :)


(I did have to whitelist one local CSP who defaulted to this kinda 
"GENERATE" dns rules for their hosts, no one there has a clue on how to 
change it, even my contact within said company told me their network 
staff are all clueless university fxxs and questions their degrees)
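
The three connect patterns above, run over constructed reverse-DNS names, as an added example that is not part of the post. It assumes milter-regex style semantics (each pattern an extended regex matched case-insensitively against the client's reverse hostname, the trailing // an empty pattern for the address); the hostnames and the allow list are constructed, and the allow-listed entry stands in for the CSP's generated names mentioned above.

```python
# Added example (not from the post): the three 'connect' patterns above applied to
# constructed reverse-DNS names, the way a milter sees them at connect time.
# Assumed semantics, milter-regex style: each pattern is an extended regex matched
# case-insensitively (the /ei flags) against the client's reverse hostname; the
# trailing // is an empty pattern for the client address and is not needed here.
import re
from typing import Dict, List

# The patterns exactly as posted.
GENERIC_RDNS_RULES: Dict[str, str] = {
    "dashed-quad-then-dot":  r".*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\..*",
    "dashed-quad-then-dash": r".*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-.*",
    "dotted-quad-then-dot":  r".*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\..*",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in GENERIC_RDNS_RULES.items()}

# Legitimate senders whose generated names would otherwise match (the CSP case in
# the post); constructed name.
ALLOW_LIST = {"ip-10-20-30-40.cloud.example"}


def matching_rules(hostname: str) -> List[str]:
    """Names of the rules whose pattern matches this reverse hostname."""
    return [name for name, rx in _COMPILED.items() if rx.search(hostname)]


def connect_verdict(hostname: str) -> str:
    """'allowlisted', 'reject' or 'accept' for one connecting client's rDNS name."""
    if hostname.lower() in ALLOW_LIST:
        return "allowlisted"
    return "reject" if matching_rules(hostname) else "accept"


# Constructed connection samples: generic pool names, a proper MX name, an
# allow-listed generated name, and an IPv6-style name the rules do not cover.
SAMPLE_CONNECTIONS = [
    "201-45-67-89.dsl.example.net",
    "host-10-0-0-1-static.example.org",
    "192.0.2.25.example.net",
    "mail.example.com",
    "ip-10-20-30-40.cloud.example",
    "2001-db8-1-2.v6.example.net",
]

if __name__ == "__main__":
    for host in SAMPLE_CONNECTIONS:
        print(f"{host:36} {connect_verdict(host):12} {matching_rules(host)}")
```

The last sample shows the gap the post mentions: a name built from IPv6 hex groups matches none of the three patterns.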




Re: Installing bind is not very clear for me

2015-09-04 Thread Noel Butler

On 05/09/2015 04:49, Reindl Harald wrote:


mostly people who are throwing as many appliances and firewalls as
possible in front of their machines are doing that because of missing
knowledge


and falling for some salesman's BS, the moment they sniff you have no 
idea, they rub their hands together thinking how big their Christmas 
bonus will be, many moons ago an apprentice nearly fell for cisco's hype 
of their pix junk, I showed him how to use, hrmm, ipchains I think it was 
back then, did just as good a job as any multi-thousand-dollar box of 
vendor crap would.






Re: Installing bind is not very clear for me

2015-09-04 Thread Noel Butler
 

On 05/09/2015 05:00, Leandro wrote: 

> Reindl, I agree with you.
> One firewall should be enough.
> So, what do you consider this firewall should do? 
> In my opinion:
> Block requests coming from a blacklist (Who will generate this list?)
> Block denial of service requests. It needs to measure the request rate to 
> detect when it is under attack.
> Block port scanners on public IPs.
> 
> I don't know what else. 
> Thanks.
> Leandro.

The only blacklists you should trust are your own, each network is
different, our gear in Australia fights off completely different
miscreants than our stuff in L.A. does, which again differs from our stuff
in Frankfurt, they rarely see the same miscreants. 

My background is ISP and web hosting, that hosting also included game
servers so we saw a few DDoS against them, but nothing we couldn't
handle. If you are a direct target for such activity you need to consult
someone who knows what they are doing if your bandwidth can't cope, if
you're not a constant target, stop being so bloody paranoid :) 

I assume you're in the private corporate world, so the best thing is
appropriate ACLs on your border router(s), allowing only the sort of
traffic you want for server group X: http(s) ports to web servers,
only port 53 to your DNS servers, layer 7 policies are a bit overkill in my
opinion, so just use ports, if you do need such, then you need to
consult a network specialist, the bind users group is hardly the place,
but there is a person on this list who specialises in anti-DoS and he
might pop his head up. 

In general iptables works a treat for X queries in X time, also fail2ban
works wonders to block those that persist if your servers are *nix
based, don't have a single M$ product so no idea what you should use on
them. 

And use a modern version of bind and RRL. 


Re: Installing bind is not very clear for me

2015-09-04 Thread Noel Butler

On 05/09/2015 11:41, Mike Hoskins (michoski) wrote:



Actually, PIX had issues...  I can attest to that, having administered
several Cisco-based networks including PIX years before I was "a Cisco



The biggest issues we really saw with PIX protected networks were in the 
early 2000's, it used to bite in smtp transactions, it never liked qmail.



That said, PIX was at least stateful (unlike ipchains, as you know that
was the big selling point of iptables),



I should also have included that some people even today still configure 
iptables wrong, blocking fragmentation, though not as huge a problem as in 
the early days since the netfilter guys must have added code to accommodate 
those who don't know better, but it still happens.



AAA infra (also didn't really like the state of PAM back then)...  as it
is now, the best approach really decided on your use cases.


PAM is evil, it's why I like slackware, much much less evil :)



Re: configuration error in lists.isc.org

2015-08-10 Thread Noel Butler
 

On 11/08/2015 07:59, Lawrence K. Chen, P.Eng. wrote: 

 On 2015-08-10 16:49, Lawrence K. Chen, P.Eng. wrote: 
 
 Though I realize my error not recalling that there is a middle (neutral)
 level, and which is more appropriate, since softfail is somewhere between
 fail and neutral which is not where I had intended the servers to be.
 Went to fix it, only to discover that I had fixed it 1.5 years ago... maybe I 
 am losing my mind. Did while cleaning up SPF after an O365 verification, too.
 
 Thought read somewhere that the SPF RR has been discontinued. Should I, and 
 is it safe to, remove those now?

The removal drive has been very vocal, mostly from one person, a debian
maintainer, it matters not if he got his own way or not, the SPF RR won't
go away overnight (for example it took debian YEARS to modernise to
understand that type, so it'll take em years to drop it LOL), expect it
to be supported and used for many years to come, either way, it won't
hurt to have it there, it will not break anything, if the code is ever
removed (highly unlikely) named and co just won't care, it'll be just
another DNS RR and ignore it. I have no intention of removing mine
until such a time, if that time comes, that the code is removed from
named. 


Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Noel Butler
 

On 08/08/2015 01:23, Heiko Richter wrote: 

 The spf2.0/pra ?all is SenderID, where pra forces the DMARC server
 to check only the Envelope-Sender against v=spf1 mx -all. If you
 don't set that, SPF will always check both Envelope-From and Header-From.
 
 Note that it's the SenderID specification that is horribly broken
 (btw, just because of mailing lists) and further any protocol that
 uses it (does DMARC?)
 
 Blaming the ISC mailserver for not changing header address is
 blaming it for doing something (all?) list servers did years before
 microsoft came with the braindead SenderID specification that broke
 this behaviour.
 
 You seem to mix up SenderID and SPF. SPF is the thing that is broken
 as it always checks Envelope- and Header-From. Sender-ID is a way (the
 only way) to tell SPF it should just check one of them.

poppycock 
I've been using SPF since its very VERY early days, since before it was
even mainstream, never had a problem with mailing lists, not even the
antiquated majordomo or that shitty qmail thing, the ONLY SPF From
checking that has screwed up mailing lists is mickey$ofts piss poor
attempt at going it their own with their own SPF, yeah that spf2.0
garbage, and DKIM doesn't play nice with lists either, waste of time. 

As much as it pains me to agree with him, Harry is right, you're full of
shit. 


Re: bind-web-based control panel

2015-07-07 Thread Noel Butler
 

Hi, 

No, not directly, there are things like webmin that used to let people
manage DNS, not sure how manageable though or if it's even still
supported. 

On 07/07/2015 19:26, Ejaz wrote: 

 All. 
 
 Does bind support a web-based control panel? I need one that can 
 automatically push updates to both the master and slave servers, as well as 
 having logins for customers to modify their zone information. 
 
 Regards, 
 
 Mohammed Ejaz 
 
 CYBERIA(R) SAUDI ARABIA 
 
 P.O.Box 301079, Riyadh 11372, Saudi Arabia 
 
 Tel: +966 11 464 7114 Ext. 140 
 
 Fax: +966 11 465 4735 
 

Re: RRL settings that work for you

2015-05-26 Thread Noel Butler
 

On 27/05/2015 07:00, Mike Hoskins (michoski) wrote: 

 Hi folks,
 
 I've read about RRL with interest since its inception, but just now
 getting around to rolling it out. That is partially because we run a very
 small authoritative infrastructure serving mostly as Akamai EDNS origins.
 However, since it is exposed externally, used by a few tenants and RRL has
 been running in the wild for awhile now...we decided to finally hop on the
 bandwagon as part of our latest round of DNS infrastructure upgrades.
 
 We are experimenting in log-only mode, and wanted to get feedback on
 settings which work well for others in production. So far we have the
 following which appears to work well (not limiting typical clients during
 normal operation):
 
 rate-limit {
     log-only yes;
     ipv4-prefix-length 32;
     window 10;
     responses-per-second 20;
     nxdomains-per-second 10;
     exempt-clients {
         [...]
     };
 };
 
 However, as we've mostly just been turning knobs in an attempt to minimize
 log entries... insight from operators is appreciated.

Looks good, it's pretty close to what I use, however one thing to
consider (maybe you have) is the ipv6 prefix, its default from memory is
56, in Australia, the typical assignment for those few ISPs issuing
IPv6 is /64, so I set ipv6-prefix-length 64, but it depends on
geography I suppose, maybe if your traffic is mostly U.S. and if the
average U.S. ISP dishes out /56's, it doesn't matter much to change it.

 Cheers


Re: bind-users Digest, Vol 2085, Issue 1

2015-04-07 Thread Noel Butler
 

On 07/04/2015 17:15, G.W. Haywood wrote: 

 Hi there,
 
 On Tue, 7 Apr 2015, bind-users-requ...@lists.isc.org wrote:
 
 Message: 1
 [Snip 51 lines] 
 
 Message: 2
 [Snip 75 lines] Message: 1
 [Snip 37 lines] 

 Message: 1
 [Snip 45 lines] 

 Message: 2
 [Snip 49 lines] 

 Message: 2
 [Snip 16 lines] 

 Message: 1
 [Snip 49 lines] 

 Message: 3
 [Snip 95 lines]

 Please guys, trim your posts. Some of us are on the digest list. 

True, it is good and proper netiquette to trim posts, but it's also good
netiquette to quote inline and only what's required, a la trimming posts,
and SFA people bother with that (funny that though, since they are the
same bunch of whingers complaining about top posting). 

But when you choose digest, those rules hardly apply since you get all
your eggs in one basket anyway :) 

If digest is a problem for you, and for some reason you can't take normal
reception, this group is also available by usenet. 


Re: bind-users Digest, Vol 2083, Issue 1

2015-04-07 Thread Noel Butler
 

On 07/04/2015 17:07, Matus UHLAR - fantomas wrote: 

 On 06.04.15 15:19, Noel Butler wrote: 
 
 you need an allow-query and ACL, eg:
 
 No. Don't play with allow-query if it is supposed to be authoritative for
 any zones (unless those zones are internal).
 
 If the server is supposed to host any zones visible from the net,
 allow-query would make them invisible.

Which is why I asked him to include one zone in his pasting, since you
then need the allow-query any inside the zone statements, which works
perfectly, it's also how I've always done it, and always seen it done,
including on the thousands of zones I've maintained that I never wrote. 

Been doing it that way for as long as I can recall, so over 20 years?
dunno, I stopped counting my age at 21, some decades ago :) 

Re: bind-users Digest, Vol 2084, Issue 1

2015-04-06 Thread Noel Butler
 

Well, that certainly does not include what I told you to add, however it
doesn't seem to be open to me, so you must have cleaned it up since
posting this. 

You only have one nameserver? That is not compliant, you require a
primary and secondary, how your domain registrar passed that is beyond
me. Ohh and they can not be on the same machine. 

~$ host server1.sportshost.co.uk
server1.sportshost.co.uk has address 84.92.56.54 

Your DNS is working, well, OK, it's kind of working, still lots of
failures, including not listening on tcp. 

On 07/04/2015 01:37, STEPHEN EYRE wrote: 

 My named.conf.options is as follows 
 
 options { 
 directory "/var/cache/bind"; 
 
 recursion no; 
 
 allow-transfer { none; }; 
 
 dnssec-validation auto; 
 
 auth-nxdomain no; 
 
 listen-on { any; }; 
 
 }; 
 
 By the way my A records are still not showing up on mydns.net. 
 
 Thanks
 
 Message: 1
 Date: Sun, 5 Apr 2015 16:52:07 +0100
 From: STEPHEN EYRE sce...@btinternet.com
 To: bind-users@lists.isc.org bind-users@lists.isc.org
 Subject: Re: bind-users Digest, Vol 2083, Issue 1
 
 The aim is to make it authoritative as well as hosting my web sites.
 
 Message: 1
 Date: Sun, 05 Apr 2015 09:32:36 +0100
 From: Stephen Eyre sce...@btinternet.com
 To: bind-users@lists.isc.org
 Subject: Dig, open servers and A records
 
 Dear All
 
 The good news is that I have my server running. The not so good news is 
 that there are a few problems which could be interconnected.
 
 My server is called server1.sportshost.co.uk and its ip address is 
 84.92.56.54.
 
 Going on to whatsmydns.net I find that sportshost.co.uk returns suitable 
 entries under the NS and SOA section. There are nothing but red crosses 
 under A records section - I was expecting my ip address.
 
 Then when I dig a domain name like google.co.uk I get suitable replies 
 but when I dig an ip address like 8.8.8.8 the request gets the reply 
 REFUSED.
 
 Further enquiries show that I dont have an open recursive site when the 
 errors above still apply.
 
 When I change my /etc/bind/named.conf.local file from 'recursion no;' to 
 'recursion yes;' I get an inverse of the above. I get full replies from 
 all my dig enquiries but I get an open recursive warning - which I 
 obviously dont want.
 
 whatsmydns.net replies remain the same.
 
 So todays question is - what do I need to do to keep my server closed, 
 get proper dig replies and get my A records showing up on whatsmydns.net?
 
 Or is everything working well and its not necessary to have dig 
 providing proper replies?
 
 Thanks
 
 Stephen Eyre
 

Re: bind-users Digest, Vol 2083, Issue 1

2015-04-05 Thread Noel Butler
 

You need an allow-query and ACL, eg: 

Assuming for example your LAN ip range is 192.168.0.0/24, then you would
use 

for simplicity, at top of named.conf: 

acl trust { localhost; 192.168.0.0/24; }; 

then in... 

options { 

  allow-query { trust; };
  allow-query-cache { trust; }; 

}; 

That should do it, if you need further assistance you'll need to supply
a copy of named.conf - in particular the options, ACLs and at least
one of your zones, but if your named.conf isn't 5 miles long, just paste
the whole thing. 

On 06/04/2015 01:52, STEPHEN EYRE wrote: 

 The aim is to make it authoritative as well as hosting my web sites.
 
 Sent from Yahoo Mail on Android [1] 
 -
 
 When I change my /etc/bind/named.conf.local file from 'recursion no;' to 
 'recursion yes;' I get an inverse of the above. I get full replies from 
 all my dig enquiries but I get an open recursive warning - which I 
 obviously dont want.
 

Links:
--
[1] https://overview.mail.yahoo.com/mobile/?.src=Android
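
The disagreement between this post and the "Don't play with allow-query" reply elsewhere on this page is about scope: a LAN-only ACL set in options applies to every zone unless a zone overrides it with allow-query { any; }. The following is an added example, not code from the thread or from BIND: a simplified Python model of BIND's first-match ACL evaluation with per-zone override, run over constructed configs (the zone name example.org, the client addresses and the approximation of localhost as 127.0.0.0/8 and ::1 are assumptions).

```python
# Added example (not from the thread): a simplified model of BIND's allow-query and
# allow-query-cache evaluation, showing why a LAN-only ACL in options hides a public
# zone unless that zone overrides it with allow-query { any; }, and why element
# order inside an ACL matters.  Modelled semantics: elements are tested in order and
# the first match wins; a leading '!' negates; 'any', 'none', 'localhost' and nested
# ACL names are accepted.  'localhost' is approximated as 127.0.0.0/8 and ::1 here
# (real BIND uses the host's own interface addresses).  All names are constructed.
import ipaddress
from typing import Dict, List, Optional

Acls = Dict[str, List[str]]          # acl name -> elements, in configured order

BUILTIN: Acls = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.0/8", "::1"],
}


def acl_matches(elements: List[str], client: str, acls: Acls) -> bool:
    """First-match evaluation of one address-match list for one client address."""
    ip = ipaddress.ip_address(client)
    for elem in elements:
        negate = elem.startswith("!")
        item = elem.lstrip("!").strip()
        if item in acls or item in BUILTIN:
            # nested ACL (user-defined names shadow the built-ins)
            hit = acl_matches(acls.get(item, BUILTIN.get(item, [])), client, acls)
        else:
            net = ipaddress.ip_network(item, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negate      # a negated element that matches denies
    return False                   # no element matched: not allowed


def query_allowed(client: str, zone: Optional[str], cfg: dict) -> bool:
    """zone=None models a question the server could only answer from its cache
    (governed by allow-query-cache).  A zone the server is authoritative for uses
    the zone's own allow-query when present, otherwise the global one; BIND's
    default for allow-query is 'any', which is what an unset option means here."""
    acls: Acls = cfg.get("acl", {})
    options = cfg["options"]
    if zone is None:
        return acl_matches(options["allow-query-cache"], client, acls)
    elements = cfg["zone"][zone].get("allow-query", options.get("allow-query", ["any"]))
    return acl_matches(elements, client, acls)


TRUST = ["localhost", "192.168.0.0/24"]

# options-level restriction only: the public zone disappears for the outside world
LAN_ONLY = {
    "acl": {"trust": TRUST},
    "options": {"allow-query": ["trust"], "allow-query-cache": ["trust"]},
    "zone": {"example.org": {}},
}

# same, with the public zone opting out of the global restriction
LAN_PLUS_PUBLIC_ZONE = {
    "acl": {"trust": TRUST},
    "options": {"allow-query": ["trust"], "allow-query-cache": ["trust"]},
    "zone": {"example.org": {"allow-query": ["any"]}},
}

LAN_CLIENT, OUTSIDE_CLIENT = "192.168.0.20", "203.0.113.7"

if __name__ == "__main__":
    for label, cfg in (("LAN_ONLY", LAN_ONLY), ("LAN_PLUS_PUBLIC_ZONE", LAN_PLUS_PUBLIC_ZONE)):
        for client in (LAN_CLIENT, OUTSIDE_CLIENT):
            print(f"{label:21} {client:14} example.org: {query_allowed(client, 'example.org', cfg)}"
                  f"  cache: {query_allowed(client, None, cfg)}")
    # order matters: a negation placed after the prefix it should carve out never fires
    late = ["192.168.0.0/24", "!192.168.0.66"]
    early = ["!192.168.0.66", "192.168.0.0/24"]
    print("negation after prefix :", acl_matches(late, "192.168.0.66", {}))   # True
    print("negation before prefix:", acl_matches(early, "192.168.0.66", {}))  # False
```

With LAN_PLUS_PUBLIC_ZONE the outside client can query the authoritative zone but still gets nothing from the cache, which is the split this thread is after: authoritative to the world, recursion only for the LAN.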

Re: named 9.10 halted

2014-08-20 Thread Noel Butler
 

So what about named's syslog entries, most commonly found in the daemon log? 

On 21/08/2014 10:59, Len Conrad wrote: 

 uname -a
 FreeBSD rns1..net 10.0-RELEASE 
 
 named -v
 BIND 9.10.0-P2
 
 this is a recursive-only NS restricted allowing recursive queries from 
 ournetworks ACL
 
 monitor reported port 53 not responding
 
 I started it manually, then found this in /var/log/messages, which stared 
 about 18:46 and ran until BIND stopped, followed by my manual start:
 
 Aug 20 19:12:23 rns1 kernel: Limiting icmp unreach response from 696 to 200 packets/sec
 Aug 20 19:12:23 rns1 kernel: Limiting icmp unreach response from 745 to 200 packets/sec
 Aug 20 19:12:24 rns1 kernel: Limiting icmp unreach response from 727 to 200 packets/sec
 Aug 20 19:12:25 rns1 kernel: Limiting icmp unreach response from 773 to 200 packets/sec
 Aug 20 19:12:27 rns1 kernel: Limiting icmp unreach response from 773 to 200 packets/sec
 Aug 20 19:12:27 rns1 kernel: Limiting icmp unreach response from 765 to 200 packets/sec
 Aug 20 19:12:28 rns1 kernel: Limiting icmp unreach response from 755 to 200 packets/sec
 Aug 20 19:12:29 rns1 kernel: Limiting icmp unreach response from 777 to 200 packets/sec
 Aug 20 19:12:30 rns1 kernel: Limiting icmp unreach response from 830 to 200 packets/sec
 Aug 20 19:12:32 rns1 kernel: Limiting icmp unreach response from 719 to 200 packets/sec
 Aug 20 19:12:32 rns1 kernel: Limiting icmp unreach response from 817 to 200 packets/sec
 Aug 20 19:12:34 rns1 kernel: Limiting icmp unreach response from 729 to 200 packets/sec
 Aug 20 19:12:34 rns1 kernel: Limiting icmp unreach response from 739 to 200 packets/sec
 Aug 20 19:12:35 rns1 kernel: Limiting icmp unreach response from 737 to 200 packets/sec
 Aug 20 19:12:37 rns1 kernel: Limiting icmp unreach response from 796 to 200 packets/sec
 Aug 20 19:12:37 rns1 kernel: Limiting icmp unreach response from 811 to 200 packets/sec
 Aug 20 19:12:38 rns1 kernel: Limiting icmp unreach response from 796 to 200 packets/sec
 Aug 20 19:12:39 rns1 kernel: Limiting icmp unreach response from 874 to 200 packets/sec
 Aug 20 19:12:40 rns1 kernel: Limiting icmp unreach response from 769 to 200 packets/sec
 Aug 20 19:12:42 rns1 kernel: Limiting icmp unreach response from 839 to 200 packets/sec
 Aug 20 19:12:42 rns1 kernel: Limiting icmp unreach response from 815 to 200 packets/sec
 Aug 20 19:12:43 rns1 kernel: Limiting icmp unreach response from 749 to 200 packets/sec
 Aug 20 19:12:44 rns1 kernel: Limiting icmp unreach response from 820 to 200 packets/sec
 
 Aug 20 19:12:45 rns1 named[80366]: starting BIND 9.10.0-P2 -t /var/named -u bind -c /usr/local/etc/namedb/named.conf
 
 This is the 2nd time in 10 days named has just halted.
 
 Len
 

Re: ISP caching server setup

2014-08-06 Thread Noel Butler

On 07/08/2014 06:03, Jared Empson wrote:



What our cache server receives:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38342
;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
;losscontrol360.com. IN A

;; ANSWER SECTION:
losscontrol360.com. 173 IN A 74.208.98.80

What Google provides:

; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;losscontrol360.com. IN A

;; ANSWER SECTION:
losscontrol360.com. 586 IN A 74.208.98.80

;; Query time: 174 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 6 16:01:07 2014

;; MSG SIZE rcvd: 52




Apart from stupid SOA values, losscontrol360.com seems OK, and your 
two examples here even prove that; if your customers don't see what 
your cache server does, they can't be using the same cache server as you 
showed here. What error does bind log when your customer looks it up?




Re: ISP caching server setup

2014-08-06 Thread Noel Butler
 

You are in fact correct Harry, I never bothered with a whois, had I done
so I would have picked it up, put it down to too early in the morning,
so this problem is out of Jared's control, unless he also manages that
domain. 

Ohh and nice to see you are actually behaving yourself on this list :) 

On 07/08/2014 08:40, Reindl Harald wrote: 

 Am 07.08.2014 um 00:33 schrieb Noel Butler:
 
 Apart from stupid SOA values, losscontrol360.com seems OK
 
 OK? the failing NS query is caused by the errors below
 this domain only works by luck from time to time
 
 [harry@srv-rhsoft:~]$ dig NS losscontrol360.com
 ; <<>> DiG 9.9.4-P2-RedHat-9.9.4-15.P2.fc20 <<>> NS losscontrol360.com
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49902
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
 
 http://www.intodns.com/losscontrol360.com [1]
 
 Error Nameservers are lame ERROR: looks like you have lame nameservers. The 
 following nameservers are lame:
 54.241.6.128
 54.243.153.234
 107.6.6.8
 
 Error Missing nameservers reported by parent FAIL: The following nameservers 
 are listed at your nameservers as
 nameservers for your domain, but are not listed at the parent nameservers 
 (see RFC2181 5.4.1). You need to make
 sure that these nameservers are working.If they are not working ok, you may 
 have problems!
 b1.uberns.com
 a1.uberns.com
 
 Error Missing nameservers reported by your nameservers ERROR: One or more of 
 the nameservers listed at the parent
 servers are not listed as NS records at your nameservers. The problem NS 
 records are:
 ns22.netriplex.com
 ns21.netriplex.com
 ns23.netriplex.com
 ns20.netriplex.com
 This is listed as an ERROR because there are some cases where nasty problems 
 can occur (if the TTLs vary from the
 NS records at the root servers and the NS records point to your own domain, 
 for example)
 
 Error Stealth NS records sent Stealth NS records were sent:
 b1.uberns.com
 a1.uberns.com
 
 if your customers don't see what your cache server does, they cant be using 
 the same cache server as you showed here
 
 true
 
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users [2] to 
 unsubscribe from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users [2]

 


Re: slave zone files unreadable

2014-07-12 Thread Noel Butler

On 12/07/2014 11:08, Mark Andrews wrote:


The real problem is humans.  They like to tinker with files (hence
the subject line).  There really shouldn't be a reason for anyone
to need to read slave database files.  They are there so named can
have the zone content when it starts up rather than having to
re-transfer the content at startup.  If you need the contents of the
zone axfr them from the server.  That way you actually get up to
date content not 15 minute old content.

If we could get people away from wanting to use a editor on master
files directly we would.  The practice is highly error prone even
for experts.



Most management systems in hosting comps typically open file blah EOF 
and stuff, so maybe 99.% of the internet :D   (of course 
these, and those of us who know how to write them by hand, have no 
trouble, because we all learnt the hard way at some time)



Also, I may be having a blonde moment (got a nasty case of the flu at 
present) but whatever happened to the once discussed advantages of 
having bind load zone files in the same way Apache httpd does using 
(Include/IncludeOptional sompath_under_directory/* ): if the zone is 
there it loads it, if not, it doesn't/ignores it, not just bail out 
completely. That removes the dangers of a corrupted named.conf with tens 
of thousands of zones. Testing showed with 11.5K hosts, the load time 
was only 3 or so seconds longer IIRC (maybe less), not bad for peace of 
mind ('n yes I know in DNS 3 seconds is a long time, but WTF takes pri 
and sec's offline at the same time (ok I guess the clowns who run them both 
on the same cheap over subscribed VPS but that's another rant for another 
day)




Re: Private IP address in A record

2014-06-26 Thread Noel Butler

On 27/06/2014 12:32, Teerapatr Kittiratanachai wrote:

Dear List,

Yesterday I tried to map a private IP address on a public DNS server, but
some server, actually 1 server, doesn't show the answer. But the Rcode
is 0.
So I already removed that record for now. Is it possible to set the DNS
server to not show an answer that is a private IP address?

Regards,
Teerapatr Kittiratanachai




Do not ever do this.
If you need a private IP in DNS, use a view that affects your local 
network only.




Re: A Note About Today's New BIND Releases

2014-06-12 Thread Noel Butler

On 12/06/2014 20:58, Tony Finch wrote:

Noel Butler noel.but...@ausics.net wrote:

Does this also address the crazy amount of logging (as previously 
discussed here)?


If you mean the EDNS logging, that should be fixed in 9.10.1.

Tony.


Yes, this has been the talking point of town, for all the wrong reasons :)



Re: A Note About Today's New BIND Releases

2014-06-11 Thread Noel Butler

On 12/06/2014 08:04, mcna...@isc.org wrote:



In summary:

BIND 9.10.0-P2:
- fixes security issue CVE-2014-3859
- fixes issue from ISC Operational Notification of 4 June 2014
- includes other minor fixes



Michael,
Does this also address the crazy amount of logging (as previously 
discussed here)? Or is that set to only change way down the track as, 
IIRC, Jeremy earlier alluded to?




Re: NO_PIE bind port build fail

2014-06-06 Thread Noel Butler
Not a BSD user, but are you running any sort of extra security
enforcement toolsets?
PIE is IIRC, Position Independent Executable.

On Fri, 2014-06-06 at 19:27 -0400, Rick Dicaire wrote:
 Hi folks, in trying to update bind 9.8.7_15 on freebsd 8.4, I get the
 following:
 
 
 
 ...
 
 Configuration summary:
 
 Optional features enabled:
 Multiprocessing support (--enable-threads)
 Print backtrace on crash (--enable-backtrace)
 Dynamically loadable zone (DLZ) drivers:
 None
 
 
 Features disabled or unavailable on this platform:
 GSS-API (--with-gssapi)
 PKCS#11/Cryptoki support (--with-pkcs11)
 Allow 'fixed' rrset-order (--enable-fixed-rrset)
 Automated Testing Framework (--with-atf)
 GOST algorithm support (--with-gost)
 
 ===>  Building for bind98-9.8.7_15
 env: NO_PIE: No such file or directory
 *** Error code 1
 
 
 Stop in /usr/ports/dns/bind98.
 *** Error code 1
 
 
 Stop in /usr/ports/dns/bind98.
 
 
 ===>>> make failed for dns/bind98
 ===>>> Aborting update
 
 
 ===>>> Update for bind98-9.8.7_14 failed
 ===>>> Aborting update
 
 
 
 
 ===>>> You can restart from the point of failure with this command
 line:
portmaster flags dns/bind98 databases/db48 irc/weechat 
 
 
 
 
 What is NO_PIE?
 
 
 

Re: SPF RR type

2014-06-06 Thread Noel Butler
On Thu, 2014-06-05 at 12:18 -0400, Kevin Darcy wrote:


 Given the heated and bitter debates over the SPF record type (see 
 http://www.ietf.org/mail-archive/web/dnsext/current/maillist.html, 
 search SPF, around August of last year), I'm thinking that a couple 
 years probably translates into indefinitely or even never.
 


Agreed, there is one Debian dev in particular who is viciously against
the record type, I for one won't be withdrawing it any time


 Some people seem to think the role of the IETF is merely to passively 
 document terrible designs and/or implementations...
 
  - Kevin





Re: fe80 errors - thousands

2014-06-06 Thread Noel Butler
On Sat, 2014-06-07 at 13:35 +1000, Edwardo Garcia wrote:
 Hello,
 in recent weeks we have seen the daemon_log fill with these errors; is
 there a way to fix it?
 Am I doing something wrong?
 
 

you are doing nothing wrong, the idiot advertising fe80 is the one doing
it wrong

in the meantime you could add to your named.conf - server fe80::/16
{ bogus yes; }; -  this will shut those messages up.


 socket.c:5367: unexpected error:
 Jun  2 05:43:53 korali named[2951]: connect(fe80::#53) 22/Invalid
 argument
 
 
 

Re: bin 9.10 verbose logging

2014-05-03 Thread Noel Butler

On 04/05/2014 05:28, Jeremy C. Reed wrote:



It is at the notice severity level. The code says:

We didn't get a OPT record in response to a EDNS query. and also says
We need to drop/remove the logging here when we have more
experience.

Are you getting this debugging for EDNS-related problems for every
request? Maybe you need to realize why.




Yes, at a guess I'd say every single request to the caching server was 
logging; the daemon log, which rarely sees more than 200k a week, grew to 
210MB in 24 hours :)



Maybe you can change the setting in your ./lib/dns/resolver.c
from ISC_LOG_NOTICE to ISC_LOG_DEBUG(10).



that didn't seem to do anything, I'm going to revert that server back to 
9.9.5 to stop this madness. I'll maybe look for a logging option to null 
out, tomorrow.






Re: verifying bind-9.10.0 download

2014-05-02 Thread Noel Butler
 

OK here too. 

On 03/05/2014 11:07, Evan Hunt wrote: 

 On Fri, May 02, 2014 at 05:50:45PM -0700, mm half wrote:
 
 I have downloaded bind-9.10.0.tar.gz from the ISC download site, imported in 
 the pgpkey2013.txt located at: 
 https://www.isc.org/downloads/software-support-policy/openpgp-key/ , and 
 can't seem to get any of the signature files to pass the verify test using 
 gpg:
 
 gpg --verify bind-9.10.0.tar.gz.asc bind-9.10.0.tar.gz
 gpg: WARNING: using insecure memory!
 gpg: please see http://www.gnupg.org/faq.html for more information
 gpg: Signature made Tue Apr 29 16:12:28 2014 EDT using RSA key ID 189CDBC5
 gpg: BAD signature from "Internet Systems Consortium, Inc. (Signing key, 2013) <codes...@isc.org>"
 
 Works fine for me. Check the fingerprint on the tarball, it should be:
 
 SHA256(bind-9.10.0.tar.gz)=
 acc2f5cc58c121f927e02c23e7e3e2e4876139eaac4a9df71800d4a38917c887

 


bin 9.10 verbose logging

2014-05-02 Thread Noel Butler
 

Hi, 

U, since upgrade 9.9.5 to 9.10 every request to the name server is
spewing copious amounts of debug type data (thankfully I only upgraded
the one server) 

 named[23250]: received packet from 207.66.8.132#53 (no opt): ;;
->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20501 ;; flags: qr aa;
QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION:
;dns2.osogrande.com.^I^IIN^I ;; AUTHORITY SECTION:
osogrande.com.^I^I86400^IIN^ISOA^Idns1.osogrande.com.
hostmaster.osogrande.com. 2002041909 14400 7200 604800 600 

WTF ? 

Was debug left on in the final release source code? :) 


Re: Enabing RRL in bind

2013-12-30 Thread Noel Butler
 

On 30/12/2013 22:17, Gaurav Kansal wrote: 

 Hi Guys, 
 
 In bind 9.9.4, Response Rate Limiting doesn't work until you configure bind with 
 the --enable-rrl option. 
 
 I was wondering why is it so ?

Because it can be detrimental to existing sites if configured wrongly;
it's something not all sites would need. Greater than 50% of resolvers
are caching, not authoritative, therefore currently it's an extra
option. It's also new; in 5 years' time maybe it will be a default, but
to do so now would be wrong.

Re: Adding DS records

2013-12-20 Thread Noel Butler
On Fri, 2013-12-20 at 12:58 -0500, Thomas Schulz wrote:


 
 Well, we started with them back when they were the only company registering
 domain names. And up to now there were no problems (other than perhaps price).
 


and their highly unethical business practices. OK, my experiences with
them ended ten years ago, but that's one book I judged by its cover
after what they did to me.



 Any recommendations for another company for a .com domain in the US?
 I suppose that I could always use the DLV, but I would rather not.
 
 T


I use cheapdomainregistration.com, reseller from wild west domains,
owned by godaddy, and despite a lot of people's opinions, I've not in ten
years had one single issue with WWD.

 



Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Noel Butler

On 06/11/2013 18:52, babu dheen wrote:


Dear All,

I would like to integrate BIND DNS with the Spamhaus Malware DB feed. But I 
need clarity whether Spamhaus offers this feed for free or 
subscription (cost) based?



If you want your local copy it will cost, and they charge like 20 
counties of farms with herding bulls, so forget it, stick to their dns 
based stuff.




Re: RRL probably not useful for DNS IP blacklists,

2013-09-24 Thread Noel Butler
On Mon, 2013-09-23 at 19:21 +, Vernon Schryver wrote:


   As a matter of interest, if one had a DNSBL with 5.5 million entries
   (i.e. 5.5 million IPs):
  
   1) What needs to be done to rewrite that to a BIND zone?
   2) What sort of machine would be required to load that zone?
   3) How long would it take to load into BIND?
 


Likely wouldn't have 5.5 million IPs because you can fine grain it with any
CIDR (and exclude by /32 or any CIDR)


 
 By the way, how much smaller would that DNSBL be if it could use
 wildcards?  I suspect a real (as opposed to synthetic) DNSBL has
 a lot of repetition in all except the last labels.
 



We used to run our int bl on bind, it was a resource hog compared to
rbldnsd.
But there is no way in hell I'd run rbldnsd on anything else other
than a BL.

IMO, they are both designed to do different things, and they both do
their own thing much better than the other because of it.






Re: RRL probably not useful for DNS IP blacklists,

2013-09-24 Thread Noel Butler
On Tue, 2013-09-24 at 13:40 +, Vernon Schryver wrote:

  From: Noel Butler noel.but...@ausics.net
 
  We used to run our int bl on bind, it was a resource hog compared to
  rbldnsd
  But there is no way in hell, I'd run rbldnsd  on anything else other
  than a BL,
 
  IMO, they are both designed to do different things, and they both do
  their own thing, much better than the other because if it.
 
 10 years ago rbldnsd was the right choice for a DNSBL.  Today rbldnsd
 is an egregious mistake ingrained in the uninformed and unexamined
 preconceptions and prejudices of DNSBL users.  The hand wringing about
 IPv6 spam ending the usefulness of DNSBLs and the proposals to put
 B-trees into the DNS wire protocol make sense only if you assume that rsync
 is the only way to distribute DNSBL data and that wildcards cannot be
 used in DNSBLs because rbldnsd didn't like them and that rsync is the
 only way to distribute DNSBL data.
 
 


-rbldnsd blocks ipv6 spammers just as well as ipv4 spammers (I'm
assuming that's part of your whinge?)
-combined zones use *exponentially* less resources than bind alone, which
makes it worth it
-as for normal resources, a rbldnsd zone is 106K lines, in bind it is 2M
lines, because of its CIDR handling which is messy, and especially in
tset zones
-there is more to DNSBLs than just transfers of zones

you clearly have a biased set-in-concrete mindset about rbldnsd, maybe you
and its author hate each other's guts, I dunno, don't care, our decision
is based on real world live usage, tests, and experiences, for over ten
years of using rbldnsd and twenty with bind, so Vernon I suggest the
only person here who is hand wringing as you put it, is yourself,
whatever your problem is, get over it.





Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-20 Thread Noel Butler
Hi Shane,

On Fri, 2013-09-20 at 11:38 +0200, Shane Kerr wrote:
 Noel,
 
 On 2013-09-20 12:48:31 (Friday)
 Noel Butler noel.but...@ausics.net wrote:
 
  On Fri, 2013-09-20 at 01:59 +, Vernon Schryver wrote:
 
plenty of delayed mail -  hostname lookup failures (mostly because of
URI/DNS BL's), so it certainly works as intended :)
   
   That sounds unrelated to RRL.  Again, RRL affects standards compliant
   DNS clients no more than a 50% packet loss rate on the path from the
   DNS client and to the server.  If your mail system suffered hostname
   lookup failures, then I think something else was broken.
 
 With a 50% packet loss and 3 retries you'll have about 1 in 16 lookups
 fail, right? If you've got enough legitimate lookups going on to
 trigger RRL then you're going to get lots of failures.
 
 One workaround for this is to set SLIP to 1. I know Vernon recommends
 against that, but personally I don't think there is any downside.
  

Might give that a go, thanks for the suggestion

  Nope, either way, daemon.log was filling up with messages indicating
  RRL, last time I tried, Aug 29,
  
  lots of  
  limit NXDOMAIN responses to /24 for zen.spamhaus.org , 
  limit NXDOMAIN responses to xx/24 for xxx.net 
  
  pretty much one for every DNSBL, URIBL etc used 
 
 This doesn't indicate that anything actually failing for the querying
 hosts, just that they are issuing a lot of queries.
 

maybe not directly, but along with time corresponding maillog filling up
with errors certainly is all the proof I need.

  The problem occurred within a minute of enabling RRL, and ended right
  after disabling RRL.
  on that date, log files show the version was actually BIND 9.9.4rc1
  
  Now I've read your link, I can perhaps understand more the options and
  fine tune it, but about to head out for lunch so, might play around later
  this afternoon.
 
 I think the actual issue is that for DNS IP blacklists (or whitelists)
 RRL is probably harmful. Many or even most queries to those servers
 will result in the same NXDOMAIN response. This is expected and desired
 behavior, but RRL interprets this as potential abuse.
 
 While the fallback to TCP (combined with my recommendation of SLIP 1
 above) will mean that service will continue without problem, one reason
 that DNS was chosen for such services is that it is very lightweight,
 and forcing traffic to TCP is an anti-goal. :)
 
 Probably you should disable RRL for servers that are primarily used for
 IP-based blacklists (or whitelists).
 

Will try with views and SLIP 1, likely tomorrow now since it's rather
late here, will post a followup with results

Cheers




Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-19 Thread Noel Butler
On Thu, 2013-09-19 at 16:04 -0700, Michael McNally wrote:

 New versions of BIND are now available from http://www.isc.org/downloads
 



New Features 9.9.4

   Added Response Rate Limiting (RRL) functionality to reduce the
   effectiveness of DNS as an amplifier for reflected denial-of-service
   attacks by rate-limiting substantially-identical responses. [RT
   #28130]

I have been using this since 9.9.4bx, and although documentation is/was
lacking at the time, so there might be a whitelisting somewhere, but in
its absence I highly advise against using RRL if your mail servers use
those DNS servers




Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-19 Thread Noel Butler
On Thu, 2013-09-19 at 23:40 +, Evan Hunt wrote:

 On Fri, Sep 20, 2013 at 09:20:29AM +1000, Noel Butler wrote:
  I have been using this since 9.9.4bx, and although documentation is/was
  lacking at the time, so there might be a whitelisting somewhere , but in
  its absence, I highly advise against using RRL if your mail servers use
  those DNS servers
 
 A mail server should be talking to a caching resolver, not an
 authoritative DNS server; RRL is for authoritaive servers. So the
 situation shouldn't ordinarily arise.
 


Yes true, but in some cases some servers are both, using views. Try
telling a small business with 3 staff and only a combined mail/web, plus
one DNS (I act as secondary so that saves them a bit), that they need to
install another server dedicated to caching if they insist on having
this feature enabled :) - this resembles countless small business and
SOHO setups, so it would be advantageous in future releases if it could
be configured using views, if it can not be currently.



Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-19 Thread Noel Butler
Hi Vernon,
On Thu, 2013-09-19 at 23:42 +, Vernon Schryver wrote:


 BIND RRL has had whitelisting for trusted DNS clients that send repeated
 DNS requests since early days, long before any version of BIND 9.9.4.
 Look for 'exempt-clients{address_match_list};' in either the ARM that
 comes with 9.9.4 or via the old link labeled Draft text for BIND9
 Administrators Reference Manual (ARM) describing DNS Response Rate
 Limiting (RRL) on the original ratelimits web page at
 http://www.redbarn.org/dns/ratelimits
 
 [ rate-limit {
   ...
   [ exempt-clients  { address_match_list } ; ]
   ...
   } ; ]
 
  ...
 
   DNS clients within a view can be exempted from rate limits with
   the exempt-clients clause.
 
 

Thanks for the pointers, I see what I need to do now.


 RRL is not recommend for recursive DNS servers, because in theory
 it could squelch repeated requests from legitimate DNS clients
 without caches such as some SMTP servers.
 


As per my previous to Evan, dealing with views, I'm on redbarn reading
now, I never ran it as patches, my policy is only use official upstream
sources, so my first play around was with 9.9.3.b2 I think it was.


 However, I do not recall reports of significant real, as opposed to
 anticipated or minor problems with RRL on recursive DNS servers.  The
 worst that should happen is that legitimate clients will be slowed,
 such as SMTP servers (mail receivers) receiving spews of spam or SMTP
 clients (mail senders) spewing spam or without required DNSBL whitelisting.
 A legitimate DNS client that is squelched by RRL will time-out every
 other repeated request and (with the default SLIP=2) retry with TCP.
 
 What problems did you see with your mail system and your recursive DNS
 server with RRL?
 


plenty of delayed mail -  hostname lookup failures (mostly because of
URI/DNS BL's), so it certainly works as intended :)
I will play around with views here over next day or so, from previous
plays, it did not take long to see the undesired results, so if its all
good I'll commit it to the serves I look after
(I did not see any issues on ns1/2, only ns0 which is split views,
authoritative and cache) 

Cheers
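As an added worked example that is not from any post in this thread: a named.conf skeleton for the kind of combined authoritative/caching server (split views) Noel describes, putting together the advice from the "Private IP address in A record" reply earlier on this page (keep the private address in a LAN-only view) and the exempt-clients pointer above (rate-limit only in the authoritative view, with the mail hosts exempted). The ACL names, addresses, zone name and file paths are constructed placeholders.

```conf
// Added example, not from the thread: one named.conf for a server that is
// both the LAN's caching resolver and the public authoritative server.
// All addresses, names and paths below are constructed placeholders.

acl "lan"       { 192.168.1.0/24; localhost; };    // constructed: office network
acl "mailhosts" { 203.0.113.10; 192.168.1.25; };   // constructed: our SMTP servers

options {
    directory "/var/named";
    // rate-limit is deliberately NOT set here: anything in options applies
    // to every view, and RRL must stay away from the recursive view, where
    // a mail server's DNSBL lookups produce exactly the repeated NXDOMAINs
    // that RRL treats as abuse.
};

// Caching view for the LAN: recursion on, private addresses visible,
// no rate limiting at all.
view "internal" {
    match-clients { "lan"; };
    recursion yes;

    zone "example.net" {
        type master;
        // internal copy of the zone; this is the only place a record such as
        //   intranet  IN  A  192.168.1.50
        // may live, so the RFC 1918 address never leaves the LAN.
        file "internal/example.net.zone";
    };
};

// Authoritative view for everyone else: no recursion, no private addresses,
// RRL on, with the mail hosts exempted in case they ever land in this view.
view "external" {
    match-clients { any; };
    recursion no;

    rate-limit {
        responses-per-second 5;
        nxdomains-per-second 5;
        slip 2;                            // BIND default; Shane suggested slip 1 upthread
        exempt-clients { "mailhosts"; };   // trusted clients that legitimately repeat queries
        log-only yes;                      // log what would be limited first; set to no once the logs look sane
    };

    zone "example.net" {
        type master;
        file "external/example.net.zone";  // public addresses only
    };
};
```

With views in use every zone must be declared inside a view, so the public and internal copies of example.net are separate files rather than one shared zone.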


Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-19 Thread Noel Butler
On Fri, 2013-09-20 at 01:59 +, Vernon Schryver wrote:

  From: Noel Butler noel.but...@ausics.net
 
  now, I never ran it as patches, my policy is only use official upstream
  sources, so my first play around was with 9.9.3.b2 I think it was.
 
 BIND 9.9.4 and its immediately preceding beta and release
 candidate releases are the first versions of BIND that were not
 patched.  Some third parties including FreeBSD and a Linux
 distributor added RRL patches to their versions, but those BIND+RRL
 versions differed from any other version of BIND+RRL patch only by
 someone else having applied the patch.
 


yeah, as I said, I thought it was that beta, I don't use distros' versions
of key daemons, most are too outdated for my liking, even Slackware and
Gentoo, which are more current than most.

 
  plenty of delayed mail -  hostname lookup failures (mostly because of
  URI/DNS BL's), so it certainly works as intended :)
 
 That sounds unrelated to RRL.  Again, RRL affects standards compliant
 DNS clients no more than a 50% packet loss rate on the path from the
 DNS client and to the server.  If your mail system suffered hostname
 lookup failures, then I think something else was broken.
 


Nope, either way, daemon.log was filling up with messages indicating
RRL, last time I tried, Aug 29,

lots of  
limit NXDOMAIN responses to /24 for zen.spamhaus.org , 
limit NXDOMAIN responses to xx/24 for xxx.net 

pretty much one for every DNSBL, URIBL etc used 

The problem occurred within a minute of enabling RRL, and ended right
after disabling RRL.
on that date, log files show the version was actually BIND 9.9.4rc1

Now I've read your link, I can perhaps understand more the options and
fine tune it, but about to head out for lunch so, might play around later
this afternoon.





Re: nxdomain

2013-08-29 Thread Noel Butler
replying to one's self a few times in one day is a sign I need a break..
but...

I think the issue is this

Trying www.undernet.org
Received 34 bytes from 198.147.21.12#53 in 348 ms
Trying www.undernet.org.ausics.net
Using domain server:

Host www.undernet.org not found: 3(NXDOMAIN)

it comes down to host etc. once again needing the period after the
domain - this was a reported and fixed bug a few years ago, it seems
sometime between then and now, it has become broken again. 

So I guess those 3rd party servers I've tested still use the older and
fixed version.




On Thu, 2013-08-29 at 13:09 +1000, Noel Butler wrote:

 On Thu, 2013-08-29 at 11:52 +1000, Noel Butler wrote:
 
  Hey Mark,
  
  Looks like it might be a bug,  *BUT* a client utils bug,  so I think
  his server is likely fine, he's panicking over what's reported not
  what's actually going on, I'm sure its not the intended response to
  display so I've just added bug rep on it, if you disagree, you can
  always nuke it :)
  
  from here, dig answers REFUSED , but host and nslookup answer
  NXDOMAIN
  
  
  noel@tardis:~$ dig www.undernet.org @ns1.ausics.net
  
  ; <<>> DiG 9.9.4rc1 <<>> www.undernet.org @ns1.ausics.net
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9347
  ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
  ;; WARNING: recursion requested but not available
  
  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;www.undernet.org. IN A
  
  ;; Query time: 366 msec
  ;; SERVER: 62.113.243.167#53(62.113.243.167)
  ;; WHEN: Thu Aug 29 11:29:35 EST 2013
  ;; MSG SIZE  rcvd: 45
  
  
  
  noel@tardis:~$ host www.undernet.org ns1.ausics.net
  Using domain server:
  Name: ns1.ausics.net
  Address: 62.113.243.167#53
  Aliases: 
  
  Host www.undernet.org not found: 3(NXDOMAIN)
  
 
 Interesting, I get 5(REFUSED) off host using iinet's DNS, but
 they report as running 9.7, perhaps it's the way the latter versions
 interpret responses? no idea...
 
 
 

Re: nxdomain

2013-08-29 Thread Noel Butler
Yeah, I went out for a bit, came back and fresh, decided to take another
look, I got no further than looking at my own confs and it clicked this
was an old bug, that _was_ fixed...  I've updated my RT entry to reflect
that.


On Thu, 2013-08-29 at 07:47 +0100, Steven Carr wrote:
 I think the short answer is don't use the host command, always use
 dig.
 
 
 
 Not sure how to find the version of host (none of the usual -V -v -h
 flags seem to work with it) but on my system (OS X 10.8) host returns
 refused for the same query...
 
 sjcarr@elmo:~ $ host www.undernet.org. ns1.ausics.net
 Using domain server:
 Name: ns1.ausics.net
 Address: 62.113.243.167#53
 Aliases: 
 
 Host www.undernet.org not found: 5(REFUSED)
 
 
 Same as dig...
 
 sjcarr@elmo:~ $ dig www.undernet.org. @ns1.ausics.net
 
 ; <<>> DiG 9.8.3-P1 <<>> www.undernet.org. @ns1.ausics.net
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49412
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 ;; WARNING: recursion requested but not available
 
 ;; QUESTION SECTION:
 ;www.undernet.org.        IN      A
 
 ;; Query time: 62 msec
 ;; SERVER: 62.113.243.167#53(62.113.243.167)
 ;; WHEN: Thu Aug 29 07:45:35 2013
 ;; MSG SIZE  rcvd: 34
 
 
 
 
 Steve
 




Re: nxdomain

2013-08-29 Thread Noel Butler
Barry,

On Thu, 2013-08-29 at 16:16 -0400, Barry Margolin wrote:

 In article mailman.1210.1377758162.20661.bind-us...@lists.isc.org,
  Noel Butler noel.but...@ausics.net wrote:
 
  replying to ones self a few times in one day or a sign I need a break..
  but...
  
  I think the issue is this
  
  Trying www.undernet.org
  Received 34 bytes from 198.147.21.12#53 in 348 ms
  Trying www.undernet.org.ausics.net
  Using domain server:
  
  Host www.undernet.org not found: 3(NXDOMAIN)
  
  it comes down to host etc. once again needing the period after the
  domain - this was a reported and fixed bug a few years ago, it seems
  sometime between then and now, it has become broken again. 
  
  So I guess those 3rd party servers I've tested still use the older and
  fixed version.
 
 What does your /etc/resolv.conf look like? This looks like it might be 
 an ndots issue, causing host (and other applications that use the 
 default search option) to try adding the default domain to names that it 
 shouldn't.
 

domain and 2x nameservers, nothing special is defined

From memory this bug was confirmed and fixed, but, if my summary proves
correct, was back in ... March 2007

ndots appears to be where the bug is; since nothing is defined, it
should be 1, so it should have seen, in our example, www.undernet.org as
www.undernet.org and nothing more, and returned REFUSED, not carried on.

  The default value is that defined using the ndots statement in
  /etc/resolv.conf, or 1 if no ndots statement is present. Names with
  fewer dots are interpreted as relative names and will be searched for
  in the domains listed in the search or domain directive in
  /etc/resolv.conf.


proving the point...
 ~$ host -v -N1 www.undernet.org ns1.ausics.net
Trying www.undernet.org
Received 34 bytes from 62.113.243.167#53 in 365 ms
Trying www.undernet.org.ausics.net
Using domain server:
Name: ns1.ausics.net
Address: 62.113.243.167#53
Aliases: 

Host www.undernet.org not found: 3(NXDOMAIN)

(even -N0 reports same as above)

Cheers



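The search-list walk argued about above, as an added model (my own code, not from the thread or from BIND's host): res_search-style candidate generation under ndots, and how a tool that keeps walking after REFUSED ends up reporting the NXDOMAIN of the search-appended name. The server behaviour and the resolv.conf contents are constructed.

```python
"""Stub-resolver search-list walk, modelling the ndots discussion above.

Constructed example, not code from the list thread or from BIND. It models
res_search()-style candidate generation (ndots, trailing-dot absolute names)
and shows how the rcode a lookup tool finally reports depends on which rcodes
make it move on to the next candidate.
"""
from typing import Callable, FrozenSet, List, Tuple


def search_candidates(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Return the fully qualified names a stub resolver tries, in order.

    - A name with a trailing dot is absolute: tried once, never searched.
    - A name with at least `ndots` dots is tried as-is first, then with
      each search domain appended.
    - A name with fewer dots is searched first, then tried as-is.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{domain.strip('.')}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]


def walk(name: str, search: List[str], lookup: Callable[[str], str],
         ndots: int = 1,
         retry_on: FrozenSet[str] = frozenset({"NXDOMAIN"})
         ) -> Tuple[str, List[Tuple[str, str]]]:
    """Query candidates in order; stop at the first rcode not in `retry_on`.

    Returns (final rcode, [(qname, rcode), ...] for everything tried).
    The final rcode is what a tool like host prints as its verdict.
    """
    tried: List[Tuple[str, str]] = []
    rcode = "NOERROR"
    for qname in search_candidates(name, search, ndots):
        rcode = lookup(qname)
        tried.append((qname, rcode))
        if rcode not in retry_on:
            break
    return rcode, tried


def ns1_ausics(qname: str) -> str:
    """Constructed stand-in for the authoritative-only server in the thread.

    The server-wide allow-query refuses outside clients, while the zone-level
    allow-query { any; } answers for ausics.net, where the name does not exist.
    """
    if qname.endswith(".ausics.net."):
        return "NXDOMAIN"
    return "REFUSED"


# Hypothetical resolv.conf: "domain ausics.net", no ndots statement (so 1).
SEARCH = ["ausics.net"]


def expected_verdict() -> str:
    """Only NXDOMAIN moves to the next candidate: the first answer, REFUSED, is final."""
    rcode, _ = walk("www.undernet.org", SEARCH, ns1_ausics)
    return rcode


def observed_verdict() -> str:
    """If REFUSED also moves to the next candidate, the last answer wins and the
    tool reports NXDOMAIN, which belongs to www.undernet.org.ausics.net."""
    rcode, _ = walk("www.undernet.org", SEARCH, ns1_ausics,
                    retry_on=frozenset({"NXDOMAIN", "REFUSED"}))
    return rcode


if __name__ == "__main__":
    for label, fn in (("expected", expected_verdict), ("observed", observed_verdict)):
        print(f"{label}: {fn()}")
```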

Re: nxdomain

2013-08-28 Thread Noel Butler
Hey Mark,

Looks like it might be a bug, *BUT* a client utils bug, so I think his
server is likely fine; he's panicking over what's reported, not what's
actually going on. I'm sure it's not the intended response to display, so
I've just added a bug rep on it; if you disagree, you can always nuke
it :)

from here, dig answers REFUSED, but host and nslookup answer NXDOMAIN


noel@tardis:~$ dig www.undernet.org @ns1.ausics.net

; <<>> DiG 9.9.4rc1 <<>> www.undernet.org @ns1.ausics.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9347
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.undernet.org.  IN  A

;; Query time: 366 msec
;; SERVER: 62.113.243.167#53(62.113.243.167)
;; WHEN: Thu Aug 29 11:29:35 EST 2013
;; MSG SIZE  rcvd: 45



noel@tardis:~$ host www.undernet.org ns1.ausics.net
Using domain server:
Name: ns1.ausics.net
Address: 62.113.243.167#53
Aliases: 

Host www.undernet.org not found: 3(NXDOMAIN)

noel@tardis:~$ nslookup www.undernet.org ns1.ausics.net
Server: ns1.ausics.net
Address: 62.113.243.167#53

** server can't find www.undernet.org: NXDOMAIN






On Thu, 2013-08-29 at 10:20 +1000, Mark Andrews wrote:

 In message 
 CAMD-=VK7MtwDoUv8uRTL5WR=1ouMHbmzKMPp=uk5pqevo10...@mail.gmail.com
 , Nick Edwards writes:
  Mark,
  
  On 8/29/13, Mark Andrews ma...@isc.org wrote:
  
   In message
   CAMD-=VKA_dftLRqtJMs=egmepzhu82q06+p_j8rmbgzxvvg...@mail.gmail.com
   , Nick Edwards writes:
   The typos was more of how I came about my request, forget the typo as
   such, it the actual answer,  to use a more common well known name, if
   I type
  
   ~$ host www.undernet.org ns1
   Using domain server:
   Name: ns1
  
   Host www.undernet.org not found: 3(NXDOMAIN)
  
   Above should be, and I'm darn sure used to be, REFUSED -  not NXDOMAIN
  
   perhaps I should also include my options in my original post, that was
   remiss of me
  
   acl trust contains localhost and the servers actual IP addresses,
   nowhere does it permit the IP range I tried from
  
   options {
   directory /var/named;
   allow-query { trust; };
   allow-transfer { localhost; };
   blackhole { bogon; };
   recursive-clients 2000;
   clients-per-query 40;
   tcp-clients 100;
   recursion no;
   additional-from-cache no;
   transfer-format many-answers;
   masterfile-format text;
   interface-interval 0;
   dnssec-enable yes;
   dnssec-validation yes;
   };
  
   Given www.undernet.org exists on the Internet (so you wouldn't be
   getting NXDOMAIN if it was recursing to the Internet) and you haven't
   shown the entire configuration we can't tell if it is a lack of
   understanding about your configuration or a bug.
  
  
  The only other components to our pure authoritative only server
  configuration  are
  
  The bogon acl from team cymru
  
  include /var/named/root_trusted_key;
  
  logging {
  category lame-servers { null; };
  category edns-disabled { null; };
  category client { null; };
  };
  
  zone . {
  type hint;
  file root.hints;
  };
  
  
  zone 127.in-addr.arpa {
  type master;
  file localhost.rev;
  notify no;
  };
  
  zone localhost {
  type master;
  file localhost.zone;
  notify no;
  };
  
  zone somedomain.org {
  type master;
  allow-transfer { slave.ip; };
  file somedomain.org.signed;
  allow-query { any; };
  allow-update { none; };
  };
  
  
  zone .in-addr.arpa {
  type master;
  allow-transfer { sec.IP; };
  file 00v4.zone;
  allow-query { any; };
  allow-update { none; };
  }
  
  zone xxx.ip6.arpa {
  type master;
  allow-transfer { sec.IP; };
  file 00v6.zone;
  allow-query { any; };
  allow-update { none; };
  };
  
  zone  {
  type slave;
  masters { x.x.x.x; };
  file xx.signed;
  allow-query { any; };
  };
  
  
  there are 27 more master/slave zones, but they all are in identical
  format as above and
  we certainly do not host undernet :-)
  
  and with no customer IP ranges  included in any ACL since these are
  not caching servers), and, having friends trying from different ISP's,
  we get NXDOMAIN, be it undernet, or google  Host www.google.com not
  found: 3(NXDOMAIN) or whatever else it is not configured for, yes, it
  does respond correctly to domains it is supposed to
  
  in the end because of this config, I expect to see REFUSED here, like
  we have in the past, not sure when this changed.
  
  Both our ns1 and ns2 respond in same
 
 You still haven't provided enough information to work out whether
 there is a 

Re: nxdomain

2013-08-28 Thread Noel Butler
On Thu, 2013-08-29 at 11:52 +1000, Noel Butler wrote:

 Hey Mark,
 
 Looks like it might be a bug,  *BUT* a client utils bug,  so I think
 his server is likely fine, he's panicking over what's reported not
 what's actually going on, I'm sure its not the intended response to
 display so I've just added bug rep on it, if you disagree, you can
 always nuke it :)
 
 from here, dig answers REFUSED , but host and nslookup answer NXDOMAIN
 
 
 noel@tardis:~$ dig www.undernet.org @ns1.ausics.net
 
 ; <<>> DiG 9.9.4rc1 <<>> www.undernet.org @ns1.ausics.net
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9347
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
 ;; WARNING: recursion requested but not available
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;www.undernet.org. IN A
 
 ;; Query time: 366 msec
 ;; SERVER: 62.113.243.167#53(62.113.243.167)
 ;; WHEN: Thu Aug 29 11:29:35 EST 2013
 ;; MSG SIZE  rcvd: 45
 
 
 
 noel@tardis:~$ host www.undernet.org ns1.ausics.net
 Using domain server:
 Name: ns1.ausics.net
 Address: 62.113.243.167#53
 Aliases: 
 
 Host www.undernet.org not found: 3(NXDOMAIN)
 

Interesting, I get 5(REFUSED) off host using iinet's DNS, but they
report as running 9.7; perhaps it's the way the latter versions
interpret responses? no idea...



Re: Bind99 and a slave named server

2013-08-18 Thread Noel Butler
On Sun, 2013-08-18 at 17:36 -0600, LuKreme wrote:

 On 18 Aug 2013, at 14:06 , Dave Warren da...@hireahit.com wrote:
 
  Change the zones from master to slave in your named.conf? There really 
  isn't much more to it than that, assuming you have a new authoritative 
  master is already configured and serving the zones.
 
 Oh, there's a bit more to it than that. There's allow transfer or something 
 and notify and text or binary (I want text).
 
 Keep in mind, the reason I am running two masters right now is that the slave 
 was not working.
 


As has been said already, there is really very little to it, and unless
you sent it to Alan off-list, you still have _NOT_ provided the error
logs after being asked by more than one person.

There is NOTHING we can do until such time as you provide this
information; until then, we, and you, are wasting our time, because we
are not about to get into guessing games. Furthermore, unless I missed
it, you also have not provided any config examples that you are using. I
dunno about where you are, but here today it is 4 octas overcast, so ESP
is having a very bad day trying to work.




Re: Bind99 and a slave named server

2013-08-16 Thread Noel Butler
On Sat, 2013-08-17 at 01:18 -0400, Alan Clegg wrote:

 On Aug 17, 2013, at 12:42 AM, LuKreme krem...@kreme.com wrote:
 
  [...] I could not get the slave to do anything other than post errors and 
  refuse to start. Usually they were along the lines of not being able to 
  bind to port 953 or of not being able to receive the zone updates.
 
 Can you provide the actual error messages?  It sounds like there may have 
 been two BIND instances running, but it's definitely not clear by the problem 
 report.
 



I'm still trying to work out what the hell bind99 is :)
I assume he means 9.0 to 9.9, but yes, without logs...



Re: ipv4, ipV6 DNS BIND configuration and deployment

2013-08-04 Thread Noel Butler
On Sun, 2013-08-04 at 13:28 -0700, Eduardo Bonsi wrote:

 Hello Everyone,
 
 I have some questions about ipV6 transition and DNS configuration!
 
 I am preparing to make my transition to a dual stack ipv4, ipv6 and I 
 have some concerns in regards to the security of the network since ipv6 
 does not have NAT. My ISP gave me a Global 
 2602:000:000:000:000:000:000:000/64 Range and I can just turn on ipV6 on 
 the router and set the network to automatic on the computer and I am 
 connected through what they call a SLAAC ipV6 automatic conf network, 
 that runs using the machine MAC address, which I am not very happy to 
 adopt. I well know there is a way to mask the MAC address to random 
 addresses as a security measure but I am still not happy about it. 
 Besides, there is all the BIND DNS configuration that needs to be routed 
 or I am stuck with a slow broken SLAAC connection that works, but not 
 to the level of the DNS Server that I want to achieve. Therefore, as a 
 network design after analyzing my options, I have decided to use the 
 static ipv4, ipV6 deployment approach that uses my ipV6 with the 3 last 
 bits of the ipv4 NAT addresses already in place. This static option does 
 not expose the machine MAC addresses. However the addresses are directly 
 connected through ipV6 bypassing the NAT environment. On BIND, the only 
 change I have in the named.conf file is the,
 
 listen-on-v6 { any; };
 


listen-on-v6 ::1 and your DNS server IPv6 address


 Therefore, here are my questions:
 
 1. I am open to ideas or anything you think is best choosing the best 
 internal network design for ipV6.
 


Static IP assignments on your LAN; as far as your ISP is concerned they
will just route your /64 via your router's IP. Sure you can do auto
assignments, but I think if they are servers it's best to do static.


 2. Since this static ipV6 deployment lacks the non-rotatable NAT 
 environment, what are the security measures to take on BIND in regards 
 to the recursive issues on ipV6?
 


with ipv6, no more do you have security by accident (NAT). If you have
a /64 your router will route for all, so forget all the bad habits of the
lazy ipv4 days; now you need to configure access lists on your router,
but also play it safe and configure firewalls on each machine,
especially if they are winblows boxes



 3. Are there any other security issues that should I considerate?
 


Don't be over aggressive with filtering. You do not mention the OS, but
if it's linux -

ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

... insert ACCEPT's for your lan and whatever other ipv6 addresses you
need with full access here...

ip6tables -A INPUT -p udp -d you:ipv6:dns:server:address --dport 53 -j ACCEPT    # DNS over UDP
ip6tables -A INPUT -p tcp -d you:ipv6:dns:server:address --dport 53 -j ACCEPT    # DNS over TCP


and.. importantly..
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT    # Destination unreachable
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT    # Packet too big
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT    # Time exceeded
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT    # Parameter problem
ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 135 -j ACCEPT    # Neighbour solicitation
ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 136 -j ACCEPT    # Neighbour advertisement

You *will* need the above accepts regardless since your default policy
is DROP; if not, you may find ipv6 reachability problems, in fact, you may
not even be able to connect outbound without types 135/136 (neighbour
discovery)





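An added audit (my own code, not from the post) for the point made about the ICMPv6 accepts: it parses ip6tables lines of the form above and reports which required ICMPv6 types a DROP-policy INPUT chain fails to accept explicitly. The rule sets and addresses it runs on are constructed.

```python
"""Audit an ip6tables INPUT chain for the ICMPv6 accepts IPv6 cannot do without.

Added example, not part of the list post: parses ip6tables command lines in
the form used above and, when the INPUT policy is DROP, reports which required
ICMPv6 types have no explicit ACCEPT rule. All rule text here is constructed.
"""
import shlex
from typing import Dict, List, Optional, Set

# ICMPv6 types a host with INPUT policy DROP must still accept: the error
# messages 1-4 (2 = Packet Too Big, needed for path-MTU discovery) and
# Neighbour Discovery 135/136, without which the host cannot even learn its
# gateway's link-layer address.
REQUIRED_ICMPV6 = {
    1: "destination unreachable", 2: "packet too big", 3: "time exceeded",
    4: "parameter problem", 135: "neighbour solicitation",
    136: "neighbour advertisement",
}


def parse_rule(line: str) -> Optional[Dict[str, str]]:
    """Turn one 'ip6tables ...' line into {option: value}; None if not a rule."""
    line = line.split("#", 1)[0].strip()             # drop trailing comments
    if not line.startswith("ip6tables"):
        return None
    argv = shlex.split(line)[1:]
    rule: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt == "-P" and i + 2 < len(argv):         # -P CHAIN POLICY
            rule["-P"], rule["policy"] = argv[i + 1], argv[i + 2]
            i += 3
        elif i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            rule[opt] = argv[i + 1]                   # option with a value
            i += 2
        else:
            rule[opt] = ""                            # bare flag
            i += 1
    return rule


def audit_input_chain(rules_text: str) -> Dict[str, object]:
    """Return INPUT policy, required ICMPv6 types lacking an ACCEPT, and findings."""
    policy: Dict[str, str] = {}
    accepted: Set[int] = set()
    loopback_ok = established_ok = False
    for raw in rules_text.splitlines():
        r = parse_rule(raw)
        if r is None:
            continue
        if "-P" in r:
            policy[r["-P"]] = r["policy"]
            continue
        if r.get("-A") != "INPUT" or r.get("-j") != "ACCEPT":
            continue
        if r.get("-i") == "lo":
            loopback_ok = True
        if "ESTABLISHED" in r.get("--ctstate", "") + r.get("--state", ""):
            established_ok = True
        # Only an explicit per-type ACCEPT is credited: a blanket fe80::/10
        # accept would also let ND through, but the intent should be visible.
        if r.get("-p") == "icmpv6" and r.get("--icmpv6-type", "").isdigit():
            accepted.add(int(r["--icmpv6-type"]))
    missing = [t for t in sorted(REQUIRED_ICMPV6) if t not in accepted]
    findings: List[str] = []
    if policy.get("INPUT") == "DROP":
        if not loopback_ok:
            findings.append("INPUT DROP without an ACCEPT for -i lo")
        if not established_ok:
            findings.append("INPUT DROP without an ESTABLISHED,RELATED ACCEPT")
        for t in missing:
            findings.append(f"ICMPv6 type {t} ({REQUIRED_ICMPV6[t]}) not accepted")
    return {"input_policy": policy.get("INPUT"),
            "missing_icmpv6": missing, "findings": findings}


# Constructed ruleset in the style of the post above, minus neighbour discovery.
RULES_NO_ND = """
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p udp -d 2001:db8::53 --dport 53 -j ACCEPT   # DNS, constructed address
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT   # Destination unreachable
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT   # Packet too big
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT   # Time exceeded
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT   # Parameter problem
"""

# The same chain with ND accepted from on-link (link-local) neighbours.
RULES_OK = RULES_NO_ND + """
ip6tables -A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type 136 -j ACCEPT
"""
```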

Re: New warning message...

2013-07-22 Thread Noel Butler
On Mon, 2013-07-22 at 02:51 -0400, Jason Hellenthal wrote:
 It's exactly as it says...
 
 
 Instead of 
 ... TXT SPF ...
 
 
 You now do
 
 
 ... SPF SPF ...
 
 


Mark Andrews wrote:
No.  It has a legacy SPF TXT record.  It SHOULD have a record of
type SPF as per RFC 4408. 

Named will complain if both types are not present.
^




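A consistency check for the situation the warning above is about, as an added example (my own code, not from the thread or from BIND): given a zone's records, it reports names whose v=spf1 TXT and SPF publications do not match. The zone data is constructed.

```python
"""Check that a zone publishes its SPF policy consistently as TXT and SPF.

Added example, not from the list thread or from BIND: given a zone's records,
it reports names where a v=spf1 TXT has no matching type-SPF record (the case
the warning above is about), the reverse, or where the two disagree. The zone
data is constructed.
"""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]   # (owner name, rrtype, rdata as in a zone file)


def spf_policies(records: List[Record], rrtype: str) -> Dict[str, Set[str]]:
    """Map normalised owner -> set of SPF policy strings published as `rrtype`."""
    out: Dict[str, Set[str]] = {}
    for owner, rtype, rdata in records:
        text = rdata.strip().strip('"')
        if rtype.upper() == rrtype and text.lower().startswith("v=spf1"):
            key = owner.lower().rstrip(".") + "."
            out.setdefault(key, set()).add(text)
    return out


def check_spf(records: List[Record]) -> List[str]:
    """One finding per owner whose TXT and SPF publications are not equivalent."""
    txt = spf_policies(records, "TXT")
    spf = spf_policies(records, "SPF")
    findings: List[str] = []
    for owner in sorted(set(txt) | set(spf)):
        t, s = txt.get(owner, set()), spf.get(owner, set())
        if not s:
            findings.append(f"{owner}: v=spf1 TXT present but no SPF record")
        elif not t:
            findings.append(f"{owner}: SPF record present but no v=spf1 TXT "
                            "(verifiers that only look at TXT see no policy)")
        elif t != s:
            findings.append(f"{owner}: TXT and SPF policies differ")
        if len(t) > 1 or len(s) > 1:
            # More than one v=spf1 record of a type is a permanent error for
            # checkers, whatever the other type says.
            findings.append(f"{owner}: more than one v=spf1 record of one type")
    return findings


# Constructed zone: one consistent name, one TXT-only, one SPF-only, one drifted.
ZONE: List[Record] = [
    ("example.com.", "TXT", '"v=spf1 mx -all"'),
    ("example.com.", "SPF", '"v=spf1 mx -all"'),
    ("example.com.", "TXT", '"unrelated text record"'),
    ("legacy.example.com.", "TXT", '"v=spf1 ip6:2001:db8::/32 ~all"'),
    ("newonly.example.com.", "SPF", '"v=spf1 a -all"'),
    ("drift.example.com.", "TXT", '"v=spf1 mx ~all"'),
    ("drift.example.com.", "SPF", '"v=spf1 mx -all"'),
]

if __name__ == "__main__":
    for line in check_spf(ZONE):
        print(line)
```

RFC 7208 (2014) later deprecated the SPF RR type, so on today's zones the TXT side is the one verifiers read; the drift between the two types that this check flags is still what makes publishing both pointless.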

Re: New warning message...

2013-07-22 Thread Noel Butler
On Mon, 2013-07-22 at 08:50 -0500, Barry S. Finkel wrote:

  This was discussed here already, and imho this is anti-spf bullshit like
  all those spf breaks forwarding FUD. The SPF RR is already here and is
  preferred over TXT that is generik RR type, unlike SPF.
 
 
 It is not Fear, Uncertainty, and Doubt that SPF breaks forwarding.
 SPF *DOES* break forwarding.  I have a case I am researching right now
 where forwarded mail is undeliverable due to SPF checking at the
 new destination.
 



Nothing is perfect; every single gmail user coming via mailing lists
also fails DKIM.
There is no magic answer, but I wish more would enforce SPF, especially
banks, but can't expect them to have any clue, their only expertise is
ripping people off.





Re: Reverse address entries

2013-06-28 Thread Noel Butler
On Fri, 2013-06-28 at 13:57 -0400, Novosielski, Ryan wrote:

 
 The short answer is some software once cared. Does it still now, I'm
 not sure. But we do it.


SMTP does, IRC does





Re: Mailing list reply-to setting

2013-05-08 Thread Noel Butler
On Wed, 2013-05-08 at 13:59 -0400, Chip Marshall wrote:

 On 2013-05-08, Steven Carr sjc...@gmail.com sent:
  Any chance someone can correct the settings on this mailing
  list to reply to the list by default instead of the user
  posting the message?
 
 I'd argue the settings are already correct. Having the mailing
 list software rewrite the Reply-to line causes information to be
 lost, and can make it difficult to reply to the original poster
 of a message.
 



I argue differently. If I post on a list, I want anyone replying to my
list post to also be on list, and the same expectation for others posting
on list, ie, if you post on list like now, your replies should go on
list, unless you (or I) specifically ask for off-list replies. 

If I want direct, I'll be bad and scrape the list and mail you all
direct :)

POC: This email address is for lists only, it is not my personal
address; anything not put in its appropriate mailing list folder is
placed in "z_lists direct", not my inbox. Now I am a member of some 37
mailing lists, of which 26 are active non-new/announce types, so the
z_lists direct folder, named deliberately to sit at the bottom, may not be
noticed, and frankly I don't always bother checking it for days, given
99% of the posts in it end up being spam that gets past our anti-spam
rules - years of lists web archiving sees to that.



Re: Mailing list reply-to setting

2013-05-08 Thread Noel Butler
On Wed, 2013-05-08 at 13:59 -0400, Chip Marshall wrote:

 On 2013-05-08, Steven Carr sjc...@gmail.com sent:
  Any chance someone can correct the settings on this mailing
  list to reply to the list by default instead of the user
  posting the message?
 
 I'd argue the settings are already correct. Having the mailing
 list software rewrite the Reply-to line causes information to be
 lost, and can make it difficult to reply to the original poster
 of a message.
 
 Mail-Followup-To is more appropriate for replying to the
 mailing list.
 
 See: http://cr.yp.to/proto/replyto.html
 


And just because DJB says it doesn't make it so; it is just his
opinion, and one only needs to look at his track history to know that.




Re: Dig 9.9 FORMERR with NetWare

2013-04-30 Thread Noel Butler
On Tue, 2013-04-30 at 17:04 -0500, Pascal wrote:

 Dig 9.9 consistently gives me FORMERR against NetWare DNS servers. 
 Previous versions worked fine.  Suggestions on how to figure out if the 
 bug is in Dig or NetWare?
 
 -Pascal
 



 O:\Documents and Settings\admin\dig\9.9.2-P2>dig www.alarmspecs.com @172.31.123.6
 
 ; <<>> DiG 9.9.2-P2 <<>> www.alarmspecs.com @172.31.123.6
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 47614
 ;; flags: qr rd ra ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 


~$ dig www.alarmspecs.com

; <<>> DiG 9.9.2 <<>> www.alarmspecs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50631
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3






Re: signature expiration

2013-04-11 Thread Noel Butler
Sign them for longer, I typically use 90 days

On Thu, 2013-04-11 at 12:14 +, hugo hugoo wrote:
 Hello,
  
 Can anyone tell me why signatures in dnssec must be renewed every 30
 days?
 What are the modifications made on a zone with a resign?
  
 Thanks in advance for the clarifications.
  
 Hugo,
 
 





Re: RPZ and negative answers

2013-04-05 Thread Noel Butler
On Fri, 2013-04-05 at 08:51 +0200, Torsten Segner wrote:


 $TTL 43200
 @   IN  SOA a.prim-ns.de.   hostmaster.de.easynet.net.   (
 2012041802  ;
 28800   ;
 7200;
 604800  ;
 1200;
 )
 
   IN  NS  localhost.
 
 subdomain.domain.de  60 A 172.26.30.231
 
 
 
 
 
 The above setting is rewriting NXDOMAIN answers for subdomain.domain.de to 
 the above IP address while every other host still has the information of the 
 customers outside zone.
 
 Am I doing something substantially wrong here RPZ wise?
 


to cover the domain and its sub domains you need to enter it twice, once
as absolute and once as dot.domain; using your example it would then be:

subdomain.domain.de  60 A   172.26.30.231
.subdomain.domain.de  60 A  172.26.30.231


or if you want higher, 

domain.de  60 A 172.26.30.231
.domain.de  60 A172.26.30.231





Re: RPZ and negative answers

2013-04-03 Thread Noel Butler
On Tue, 2013-04-02 at 14:16 -0700, Chris Buxton wrote:

 Can anyone explain this to me?
 
 If a name exists in the response policy, and also exists in the real Internet 
 namespace, the value from the policy is returned. But if it doesn't exist out 
 on the Internet, then the value is not returned -- an NXDOMAIN (or SERVFAIL, 
 or whatever) is returned instead.
 
 I've known this for a while but haven't understood why it is thus. Today, it 
 has become a problem for me. If I set a policy of this name gets response 
 X, I expect that policy to be used rather than this name gets response X 
 unless it doesn't exist out on the Internet or can't be resolved due to an 
 error.
 


Perhaps because it is a response zone, not an actual authoritative
zone?
Sounds strange, but makes sense to me.



Re: Lots of RSA_verify failed after upgrade to 9.7.7

2013-04-01 Thread Noel Butler
On Mon, 2013-04-01 at 15:03 +1100, Mark Andrews wrote:

 In message 1364786722.6226.2.camel@tardis, Noel Butler writes:
  
  On Mon, 2012-11-05 at 21:21 +1100, Mark Andrews wrote:
  
  
   
   Ignore them.  They will be addressed in the next maintenance release.

  
  
  it was, but now seems to have reared its ugly head again in 9.9.2-p2
  
  Apr  1 12:20:35 fox named[589]: RSA_verify failed
  Apr  1 12:20:35 fox named[589]: error:04077068:rsa
  routines:RSA_verify:bad signature:rsa_sign.c:263:
  Apr  1 12:20:35 fox named[589]: RSA_verify failed
  Apr  1 12:20:35 fox named[589]: error:04077068:rsa
  routines:RSA_verify:bad signature:rsa_sign.c:263:
 
 BIND 9.7.7 and BIND 9.9.2 were both released at the same time (Oct
 9, 2012).
 
 BIND 9.9.2-P1 and BIND 9.9.2-P2 are security releases.
 
 The betas of the next maintenance release 9.9.3b1 and 9.9.3b2
 contain the fix.
 


Using 9.9.3b3 on one nameserver now, yes all seems good.
Have always used the latest version, applied a patch you gave me
earlier, could have sworn it was fixed, unless I applied two patches and
didn't think about the second one. If b3 remains stable after a few days I'll
throw it on main production.

Cheers





Re: Lots of RSA_verify failed after upgrade to 9.7.7

2013-03-31 Thread Noel Butler
On Mon, 2012-11-05 at 21:21 +1100, Mark Andrews wrote:


 
 Ignore them.  They will be addressed in the next maintenance release.
  


it was, but now seems to have reared its ugly head again in 9.9.2-p2

Apr  1 12:20:35 fox named[589]: RSA_verify failed
Apr  1 12:20:35 fox named[589]: error:04077068:rsa
routines:RSA_verify:bad signature:rsa_sign.c:263:
Apr  1 12:20:35 fox named[589]: RSA_verify failed
Apr  1 12:20:35 fox named[589]: error:04077068:rsa
routines:RSA_verify:bad signature:rsa_sign.c:263:




Re: spf ent txt records.

2013-03-18 Thread Noel Butler

On Mon, 2013-03-18 at 16:52 -0700, SM wrote:

 SPF RR type



Had a bit of a read of that thread, and the most noise comes from a guy
who should know better, but doesn't. Mr Kitterman repeatedly says "If
it's all so obvious that it makes sense to publish SPF records, why
aren't more people doing it?"

The answer is simple, and he knows it: very few system admins know or
care about which specific RFC covers what, they hear things, it gains
momentum, like googling for anti spam, stop spoofing, stuff like that.
Ohhh they say, 'nice, I'll check that out', they load google, create
an SPF record.
Now google shows me as of 60 seconds ago, first five entries using only
TXT RR's as examples
(at lucky number 6 it shows me someone saying to use SPF RR). So, new
-to-SPF adminy type fires up vi, pico, whatever... adds it, it works!
yay they say, they spread the word, adminy2 says "nice, how did you do
it", adminy1 shows, adminy2 copies, and it's just like life, the cycle
repeats over and over and...


Secondly, Mr Kitterman, as a debian packager, would be highly aware of
how many deprecated versions of debian are out there running resolvers
that do not understand SPF and have not been supported by any upstream
in ten years, and I'm sure that is also probably true of early RHEL's
as well.


Back in the dark ages, I learned about SPF from word-of-mouth too, like
most here I'm sure, and if WOM shows you one way, that's the way you do
it. Let's face it, you discover a new method, you don't go rushing to the
rfc website to read all about it. I have only been doing SPF RR's since
hrmm, maybe 4 years back? not sure, too long ago, but have used TXT
since it started to get bandied around the sendmail newsgroup some
ancient time ago.

I found out about the existence of the SPF RR type from this very list.
How many subscribers to this list? 1500 odd; how many sys admins world
wide? hundred thousand plus maybe; how many are even aware of the SPF
RR? probably not that many. I recently discovered at a 'drinks
session' that out of 9 sys admins, myself and ONE other were even aware of
the SRV RR type. Not all corporations/SP's/ASP's or ISP's have
dedicated DNS admins who can concentrate full time on all things DNS;
I'm not a full time DNS admin, since it works nicely and doesn't occupy
all my time :)

Many of the domain parking organisations are just as guilty; even up
until two years ago, I used zoneedit for my personal DNS, and they did
not have an option for SPF. I hounded them for a couple of months before
they eventually replied saying no intentions, so how many others also
did not offer it.

So, there are a myriad of reasons as to why the SPF RR type 99 never
took off


Re: spf ent txt records.

2013-03-17 Thread Noel Butler
On Thu, 2013-03-14 at 17:29 +1000, Noel Butler wrote:

 On Wed, 2013-03-13 at 19:33 -0700, Dave Warren wrote: 
 
  On 3/13/2013 17:11, Noel Butler wrote:
  
  
   On Wed, 2013-03-13 at 14:43 -0700, Dave Warren wrote: 
   
I almost wouldn't bother with SPF records these days though, except 
that 
the code was already written.

   
   # grep SPF maillog |grep -c '\-all'
   2438
   
   # grep SPF maillog |grep -c '\~all'
   7509
  
  
  Can you compare that against queries to TXT style SPF records?
 
 
 I'll see what I can do in the morning, it's 30 past beer o'clock now
 
 



20741, so direct SPF RR hits is about one third of those using TXT RR.
Small, but insignificant? I wouldn't really say so, but some might. I
suspect the SPF wanting to be deprecated is because of the lack of
take-up, due to lazy admins; there are some resolvers in use from
ancient debian boxes that are so old they don't understand the SPF RR.
Yes I know, they have bigger problems than that, but again, it comes down
to laziness. DNS is not rocket science; I'm sure given ARM and access to
google, a 13yo kid could get at least the basics right.




Re: spf ent txt records.

2013-03-17 Thread Noel Butler

 Vernon Schryver writes:

   to laziness, DNS is not rocket science, I'm sure given ARM and
 access to
   google, a 13yo kid could get at least the basics right.
  
  Laziness?--nonsense.  Postel's Law and simple logic predict the



truth hurts eh.

Didn't see your original post, viewed and had to reply via Mark's.
Seems your original scored 17 and was discarded


Mark said:

The rational course would be to set a sunset date on TXT style spf
records.  April 2016 looks like a good date.  10 years after RFC
4408 was published.

I'd go along with that, if they can't get their act together within 3
years, then that IS pure laziness.




Re: spf ent txt records.

2013-03-14 Thread Noel Butler
On Wed, 2013-03-13 at 19:33 -0700, Dave Warren wrote:
 On 3/13/2013 17:11, Noel Butler wrote:
 
  
  On Wed, 2013-03-13 at 14:43 -0700, Dave Warren wrote: 
  
   I almost wouldn't bother with SPF records these days though, except that 
   the code was already written.
   
  
  # grep SPF maillog |grep -c '\-all'
  2438
  
  # grep SPF maillog |grep -c '\~all'
  7509
 
 
 Can you compare that against queries to TXT style SPF records?


I'll see what I can do in the morning, it's 30 past beer o'clock now





Re: spf ent txt records.

2013-03-13 Thread Noel Butler
On Wed, 2013-03-13 at 14:43 -0700, Dave Warren wrote:

 
 I almost wouldn't bother with SPF records these days though, except that 
 the code was already written.
 

# grep SPF maillog |grep -c '\-all'
2438

# grep SPF maillog |grep -c '\~all'
7509

since midnight Sunday... 

Looks like it's worth bothering with to me.




Re: broken ISP in china

2013-02-18 Thread Noel Butler
On Mon, 2013-02-18 at 16:07 -0600, Lyle Giese wrote:


 
 Recently I moved this domain(lcrcomputer.net) to a registrar that
 suports DNSSEC and inserted the DS record for this domain.  I checked
 DNSSEC via  http://dnsviz.net and
 http://dnssec-debugger.verisignlabs.com.  Both show DNSSEC is working
 just fine for lcrcomputer.net.



dig +dnssec lcrcomputer.net ds

; <<>> DiG 9.9.2 <<>> +dnssec lcrcomputer.net ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1749
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

The AD flag says it's all working good.


 However, shortly after that one of my customers stopped receiving
 email from one of their clients in China.  They just brought that to
 my attention and I tried to email the client in China and got this
 back:
 
 For ro...@x.com.cn, Site (x.com.cn/ipv4 address) said: 559
 sorry , your helo/ehlo and domain in mail are invalid, you don't
 connect from there. (#5.5.9)
 
 Because this started within 24 hours of when I published the DS record
 for lcrcomputer.net, I am assuming that this is related.
 


Ensure your SPF records are kept up to date, and yes, this is why; you'll
need to wait till the TTL cache expires on their end.
I see no problem with your SPF IP records though, so long as you don't try
to use ns1. Ignoring most of Vernon's anti-SPF rhetoric, which BTW this
list is NOT the place for (go cry a river on the mailop list), he is
correct that you shouldn't really be using PTR, or A for that matter;
just have your ip4: and ip6: ranges, and perhaps mx, and along with
-all you'll be fine. I have no problems with SPF and lists and have
been using it since very early days. I note though your DKIM fails, which
is typical of mailing lists.

One thing I need to point out: your SOA timings seem extreme...

refresh 86400: drop that to 3h
retry 3600: drop to 900
expire 604800: change that to 4w
and negative cache value 86400, gulp, drop that to no more than 3600,
maybe even just use 600.

Cheers




OFF TOPIC Re: broken ISP in china

2013-02-18 Thread Noel Butler

Apparently you have no comprehension of OFF TOPIC.


I stopped reading at about the half-dozen-word mark because you once again
went off on your OFF TOPIC rants.

But each to our own. You hate it, many stand by it; it's only fools like
you who can't accept that, and that's your problem, not mine.

Given that your reply to this will be even further off topic, I won't be
wasting my precious time with you any further.




On Tue, 2013-02-19 at 01:30 +, Vernon Schryver wrote:

  I see no problem with your SPF IP records though so long as you dont try
  use ns1. Ignoring most of Vernons anti SPF rhetoric, which  BTW this
  list is NOT the place for  (go cry a river on mailop list), he is
  correct that you shouldn't really be using PTR, or A for that mater,
  just have your ip4: and ip6: ranges, and perhaps mx and along with
  -all  you'll be fine, I have no problems with SPF and lists and have
  been using it since very early days,
 
 Instead of swallowing the SPF liturgy without chewing, use it and
 what anyone (including me) says as ideas for your own observations
 and tests.  Follow the DMARC instructions on http://www.dmarc.org/
 and get the DMARC reports telling you that your SPF -all prevents
 the delivery of some of your mail to this mailing list.
 
 Then get Gmail and Hotmail mailboxes, configure Hotmail to forward
 to Gmail and send to Hotmail.  You will see in your DMARC reports
 from Google that your SPF -all causes your message to disappear in
 a blackhole between Gmail and Hotmail.
 
 See also http://www.openspf.org/FAQ/Forwarding and note that neither
 Hotmail forwarding to Gmail nor many mailing lists including this
 list rewrite the sender addresses.  That has generally been considered
 a wrong thing to do since long before pobox.com existed.
 
 Finally, look at the SPF records for AOL, Google, Yahoo, and Microsoft,
 and ask yourself whether those organizations don't care about SMTP
 forgery or don't believe SPF is an answer.  If they believed, wouldn't
 they use SPF -all?
 
  I have no problems with SPF and lists and have
  been using it since very early days,
 
 Maybe it was easier to ignore reality before DMARC.  On the other
 hand, http://www.openspf.org/FAQ/Forwarding is unambiguous about
 the interaction of -all with mailing lists such as this.
 
 
 Vernon Schryver  v...@rhyolite.com





Re: Improved SSL Error Logging [RT #29932]

2012-12-06 Thread Noel Butler
Thanks Shane,

I have re-applied the previous changes to the source files, and that has silenced
them again in the meantime.
Cheers
Noel


On Thu, 2012-12-06 at 17:05 +0100, Shane Kerr wrote:

 Noel,
 
 On Thursday, 2012-12-06 11:03:24 +1000, 
 Noel Butler noel.but...@ausics.net wrote:
  Hi Shane, Mark, Evan
  
  On Tue, 2012-10-16 at 08:22 +0200, Shane Kerr wrote:
   
   These changes are in our review queue now, so will go in future
   releases.
  
  
  I guess this was not pushed in?  After update to 9.9.2-p1  the old
  logging returned, eg:
 
 Our security releases only include the specific fix, to insure that
 they provide the least impact on administrators.
 
 We'll be coming out with a beta for 9.9.3 next week or so which will
 include the changes, along with a number of other non-security fixes
 and (minor) features.
 
 Cheers,
 
 --
 Shane





Re: DNS Blackholing

2012-12-05 Thread Noel Butler
On Wed, 2012-12-05 at 09:13 +, Phil Mayers wrote:

 On 12/04/2012 06:35 PM, Barry S. Finkel wrote:
 
  A question from the OP that has not yet been answered -
  Make the zones masters on all servers.
 
 Surely not for RPZ? The whole point with RPZ is that you have one zone 
 containing all the blacklists, master in one place, and slave it in all 
 the others.
 
 For traditional DNS blacklisting (one zone per blacklisted name/suffix) 
 sure, but I'm honestly not sure why anyone would start out down that 
 road today with RPZ available.
 _


Response times would be a good reason;
an RPZ zone still goes through the motions.

forged (local empty) zone:
dig  .xxxtoolbar.com
snip
;; Query time: 0 msec

(all local zones the same, 0 msec)

RPZ:
dig bobi.at
;; Query time: 996 msec

(avg response time, it seems, for RPZ'd zones)

So it sure as hell doesn't work the same as a forged empty zone.

RPZ is awesome if you want to wall-garden a hostname, but for just speedy
dropping, an empty zone beats it hands down, even if it is messier, requiring
its own zone.




Re: Querying directly a nameserver works, while forwarding not

2012-12-05 Thread Noel Butler
On Wed, 2012-12-05 at 10:23 +0100, Daniele Imbrogino wrote:

 /etc/bind/named.conf.option


WTF is that file? It certainly is not an ISC named file.

If you are using some butchered-to-buggery distro's file, please ask on
your distro's mailing list;
we are not to know what that file contains, or expects.




Re: Improved SSL Error Logging [RT #29932]

2012-12-05 Thread Noel Butler
Hi Shane, Mark, Evan

On Tue, 2012-10-16 at 08:22 +0200, Shane Kerr wrote:

 Noel,
 
 These changes are in our review queue now, so will go in future
 releases.
 
 Cheers,
 


I guess this was not pushed in?  After updating to 9.9.2-p1, the old
logging returned, eg:

huge snip
Dec  6 10:47:30 ns1 named[9671]: RSA_verify failed
Dec  6 10:47:30 ns1 named[9671]: error:04077068:rsa
routines:RSA_verify:bad signature:rsa_sign.c:263:
Dec  6 10:47:30 ns1 named[9671]: sucessfully validated after lower
casing signer 'US'
Dec  6 10:47:30 ns1 named[9671]: RSA_verify failed
Dec  6 10:47:30 ns1 named[9671]: error:04077068:rsa
routines:RSA_verify:bad signature:rsa_sign.c:263:
Dec  6 10:47:30 ns1 named[9671]: sucessfully validated after lower
casing signer 'US'
Dec  6 10:50:09 ns1 named[9671]: RSA_verify failed
Dec  6 10:50:09 ns1 named[9671]: error:04077068:rsa
routines:RSA_verify:bad signature:rsa_sign.c:263:
Dec  6 10:50:09 ns1 named[9671]: sucessfully validated after lower
casing signer 'CO'
Dec  6 10:50:09 ns1 named[9671]: RSA_verify failed
Dec  6 10:50:09 ns1 named[9671]: error:04077068:rsa
routines:RSA_verify:bad signature:rsa_sign.c:263:
Dec  6 10:50:09 ns1 named[9671]: sucessfully validated after lower
casing signer 'CO'
snip




 --
 Shane Kerr
 ISC
 
 On Saturday, 2012-10-13 11:07:01 +1000, 
 Noel Butler noel.but...@ausics.net wrote:
  Thanks Mark,
  
  These changes have been committed for future patch releases?
  
  
  Cheers
  
  On Fri, 2012-10-12 at 12:16 +1100, Mark Andrews wrote:
  
  
   
   Just drop the log level to ISC_LOG_DEBUG(1) and recompile.
   
   Search for sucessfully validated after lower casing in
   lib/dns/dnssec.c 
  
  
 





Re: Upstart job for BIND9

2012-11-29 Thread Noel Butler
On Thu, 2012-11-29 at 13:35 +0100, Carsten Strotmann wrote:

 Hello Alexander,
 
 Alexander Gurvitz a...@net-me.net writes:
 
  Carsten,
 
  The script in my original question (it's in the P.S. at the bottom of
  my first mail) seem to work for me. 
 
 Ahh, thanks, my Emacs was hiding that :)
 
 
  (I can't decide which one is better: bind.conf, bind9.conf or
  named.conf :)
 
 I would vote for bind9-upstart.conf.
 
 named.conf is already the default name for the BIND 9 configuration
 


You would probably get better help for Ubuntu-specific things on an
Ubuntu mailing list.





Re: How to Setup DNSSEC

2012-10-16 Thread Noel Butler
On Tue, 2012-10-16 at 15:35 -0700, Alan Clegg wrote:


 
 You can still find it at ISC:  
 http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
 
 It is a bit long in the tooth.  I'll be updating it soon to cover the work 
 done by ISC in BIND 9.9
 
 All are welcome to propose titles for this new work.  :)
 

DNSSEC in 5 minutes ?  :)


Re: Improved SSL Error Logging [RT #29932]

2012-10-12 Thread Noel Butler
Thanks Mark,

These changes have been committed for future patch releases?


Cheers

On Fri, 2012-10-12 at 12:16 +1100, Mark Andrews wrote:


 
 Just drop the log level to ISC_LOG_DEBUG(1) and recompile.
 
 Search for sucessfully validated after lower casing in lib/dns/dnssec.c
  





Re: Improved SSL Error Logging [RT #29932]

2012-10-11 Thread Noel Butler
On Wed, 2012-10-10 at 18:44 +, Evan Hunt wrote:

  BIND 9.7.7, 9.8.4 and 9.9.2 have improved OpenSSL error logging.
  Unfortunately, our logs are now filling up with RSA_verify failed
  messages.
 
 Yeah, oops, we made that one too noisy.  You're not the first one
 who's noticed. :/
 
  How does one go about tracking down the source of these failures and
  correcting them? (We are running OpenSSL 1.0.1c.)
 
 In BIND9, in lib/dns/opensslrsa_link.c, change this:
 
 return (dst__openssl_toresult2("RSA_verify",
                                DST_R_VERIFYFAILURE));
 
 to this:
 
 return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 


Evan, after applying this change the logs still fill up with some crud
(9.9.2).

It now still fills up with 

Oct 12 04:13:46 ns1 named[18293]: sucessfully validated after lower
casing signer 'US'
Oct 12 04:36:35 ns1 named[18293]: sucessfully validated after lower
casing signer 'CO'
Oct 12 04:36:35 ns1 last message repeated 4 times
...


Any method to disable this? Is it in its own category we can null out
without affecting any other logging?

Cheers




Re: spam on maillist, stop it !

2012-04-27 Thread Noel Butler

On Fri, 2012-04-27 at 16:18 +0200, Benny Pedersen wrote:

 
 


What you did is just as bad.
If you need a list moderator, there are appropriate addresses to send
your messages to; directly to the list is NOT one of them.

The information you desire can be obtained from lists.isc.org.
In future: bind-users-ow...@lists.isc.org




Re: reverse dns for IPV6 ranges

2012-03-05 Thread Noel Butler
On Tue, 2012-03-06 at 08:23 +1100, Mark Andrews wrote:

 In message dub109-w57aa00705e65417a6c57e4ac...@phx.gbl, hugo hugoo writes:
  
  Dear all,
  
  Can anyone help me with  its experience on reverse dns for IPV6?
  Presently, when we reverse an IPV4 subnet for clients, we configure all=
   the reverse for the whole subnet.
  It is a lot of PTR's but perfectly manageable.
  
  With IPV6,  the number of IP's that we will receive is amazing
  So...it seems impossible for every single IPV6 inthe range to configure a P=
  TR.
  
  So...what to do?
  What is the common practice?
  What is possible with BIND?
  
  Thanks in advance for your answer.
 
 Let the machines register their own PTR record using TCP as the authenticator.
 
   update-policy {
       grant . tcp-self * PTR;
   };
 


That's dangerous: 14m1337.u.suck.hax0r.org ... yeah, it would be
highly abused, and that's why most ISPs don't do/allow it :)
But for a small company that has trustworthy staff, maybe; but then mail
servers will start rejecting some of them trying to send directly,
because there's likely no matching A record.




 Mark



Re: Adding DS record to parent

2012-02-24 Thread Noel Butler
On Fri, 2012-02-24 at 11:02 -0500, Bill Owens wrote:


 I haven't heard of NS supporting DNSSEC, and there haven't been any good 
 resources to find a registrar who *does*, but this popped up recently:
 
 http://www.icann.org/en/topics/dnssec/deploy-en.htm
 
 . . . and NS isn't on that list. FWIW, DynDNS does a fine job (that's who 
 we've chosen), GoDaddy works okay too (though I think there are many other 
 reasons to avoid using them) and I've heard good things about GKG. 
 


A lot are not on that list. I use cheap-domainregistration, which
on-registers via Wild West Domains, and they certainly support DS
records.

I won't comment on Network Stuf... err, Solutions; I wouldn't touch them
if I was handsomely paid to.




Re: Assistance with SPF Records for BIND

2012-02-19 Thread Noel Butler
On Sun, 2012-02-19 at 17:00 +0100, ml wrote:


 
 fakessh.eu descriptive text spf2.0/pra ip4:46.105.34.177 
 ip4:91.121.7.86 ?all




 fakessh.eu descriptive text v=spf1  ip4:46.105.34.177 ip4:91.121.7.86  
 ?all
 


Why did you bother with the record at all? 
A question mark indicates you don't care and the remote should
basically ignore it. 
Waste of time; please do some homework before making such foolish
recommendations.






Re: Assistance with SPF Records for BIND

2012-02-18 Thread Noel Butler
On Sat, 2012-02-18 at 11:51 -0500, Jonathan Vomacka wrote:

 BIND Community Support,
 
 I am inquiring about how to setup a proper SPF record? I know there are 
 SPF wizards/generators available but each seem to have a different 
 opinion of what should be included and what should not be included.
 
 Let me give you a scenario of my setup, and hopefully someone can help 
 me out.
 
 My domain is: test.com
 My mailserver hostname is: mail.host.com which also has a MATCHING PTR 
 record
 mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves 
 to mail.host.com
 
 This is a STANDALONE mail server without any VIP's or load balancing. 
 There is however one additional host that will send out mail from the 
 domain but it wont be receiving mail, it will only be used as an SMTP 
 server attached to a website automailer... It only generates error 
 reports and sends them out... so technically it isn't a full mail server 
 but it will be sending (outbound only) mail on behalf of the domain.
 
 The additional host is: mail2.test.com which resolves to 50.2.2.2 and 
 there is a Matching PTR.
 
 These are the ONLY mail servers and IP addresses that will be sending 
 out mail from the test.com domain. Some websites say I should use -all 
 and others say -all will cause some MTA's to reject and ~all is better 
 to use even if those are the only two hosts sending out mail.
 
 Would you be able to assist with a solid SPF record?



SPF "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"
TXT "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"  -- This is to
support antiquated resolvers which don't understand the SPF record.


-all will reject if the mail is not from one of the above; this is the
entire purpose of SPF, to stop impersonators dead.
~all is a softfail, intended for the initial testing phase, so you can
use ~all if you are widening your scope, but if only those two above
IPs will send mail for your domain, just use -all, and make sure all of
your users have configured SMTP auth to send via either of those two machines.





Re: Assistance with SPF Records for BIND

2012-02-18 Thread Noel Butler
On Sat, 2012-02-18 at 12:34 -0500, Jonathan Vomacka wrote:

 If someone uses a mobile device to send e-mail? Would ~all be better? I 


Teach them to use SMTP authentication using submission (port 587 stuff)
and it doesn't matter where they come from, so long as your MTA is
configured correctly, of course :)



 also generated the following SPF using a wizard. Let me know if this 
 looks correct:
 
 teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com 
 a:mail2.teamwarfare.com ip4:66.90.73.80 ip4:216.250.250.148 ~all"
 


Kinda overkill; you are declaring the same machines twice AND saying
any host with an A record in teamwarfare.com (risky).
Just use the IPs, and if those machines have IPv6 interfaces, add them
too, eg   ip6:2a00:1c18:401:c00::1


 I wouldn't need an include: or ptr statement in this right? I would 
 told include: was to include OTHER domains that are allowed to send 


include: is to include other domains' SPF records, not plain other
domains.


 e-mail, but then again I see some people writing the domain again as an 
 include. Also is PTR good to use or not?
 


PTR depends on the situation, but in your case, not needed.
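The -all/~all/?all advice in the previous reply and the ip4:/ip6:/a/mx/include: notes in this one, as an added example that is not part of the original thread: a small SPF evaluator in Python. It assumes a lookup table in place of DNS; the SPF strings and the addresses in them are the ones posted, but which hostname owns which address, the teamwarfare.com web-host A record and example.net are constructed for the demo.

```python
"""Small SPF (RFC 7208) checker for the mechanisms discussed in the thread:
ip4:, ip6:, a, mx, include: and all, with the + - ~ ? qualifiers.
Added example, not code from the bind-users thread. DNS is replaced by an
injected lookup function so it runs offline against constructed records."""
import ipaddress
from typing import Callable, Dict, List, Tuple

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# lookup(name, rrtype) -> list of record strings (addresses, hostnames, TXT)
Lookup = Callable[[str, str], List[str]]


def _ip_in(ip, spec: str, default_prefix: int) -> bool:
    """True if ip lies inside spec, a bare address or a CIDR block."""
    if "/" not in spec:
        spec = f"{spec}/{default_prefix}"
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net


def _host_ips(host: str, ip, lookup: Lookup) -> list:
    """Addresses of host in the sender's address family (A or AAAA)."""
    rrtype = "A" if ip.version == 4 else "AAAA"
    return [ipaddress.ip_address(a) for a in lookup(host, rrtype)]


def check_host(ip_text: str, domain: str, lookup: Lookup, depth: int = 0) -> str:
    """Evaluate domain's SPF record for the connecting IP.

    Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:                      # guard against include: loops
        return "permerror"
    ip = ipaddress.ip_address(ip_text)
    records = [r for r in lookup(domain, "TXT")
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:                # RFC 7208: multiple records are an error
        return "permerror"
    for term in records[0].split()[1:]:
        if "=" in term:                 # redirect=/exp= modifiers: not handled here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:       # a bare mechanism means "+"
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                # an ip4: term never matches an IPv6 sender, and vice versa
                fam = 4 if mech == "ip4" else 6
                matched = ip.version == fam and _ip_in(ip, arg, 32 if fam == 4 else 128)
            elif mech == "a":           # bare "a" is the domain's own A/AAAA record
                matched = ip in _host_ips(arg or domain, ip, lookup)
            elif mech == "mx":
                matched = any(ip in _host_ips(mx, ip, lookup)
                              for mx in lookup(arg or domain, "MX"))
            elif mech == "include":     # include: matches only on the other record's pass
                matched = check_host(ip_text, arg, lookup, depth + 1) == "pass"
            else:                       # ptr, exists: deliberately unsupported
                return "permerror"
        except ValueError:              # malformed address or prefix in the record
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no "all" term


# Constructed stand-in for DNS. The SPF strings and the addresses in them are
# the ones posted in the thread; which hostname owns which address, the
# teamwarfare.com web-host A record and example.net are made up for the demo.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("test.com", "TXT"): ["v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"],
    ("teamwarfare.com", "TXT"): ["v=spf1 a mx a:mail.teamwarfare.com "
                                 "a:mail2.teamwarfare.com ip4:66.90.73.80 "
                                 "ip4:216.250.250.148 ~all"],
    ("fakessh.eu", "TXT"): ["v=spf1 ip4:46.105.34.177 ip4:91.121.7.86 ?all"],
    ("example.net", "TXT"): ["v=spf1 include:test.com ip6:2a00:1c18:401:c00::/64 -all"],
    ("teamwarfare.com", "A"): ["203.0.113.10"],
    ("teamwarfare.com", "MX"): ["mail.teamwarfare.com"],
    ("mail.teamwarfare.com", "A"): ["66.90.73.80"],
    ("mail2.teamwarfare.com", "A"): ["216.250.250.148"],
}


def lookup(name: str, rrtype: str) -> List[str]:
    return ZONE.get((name.lower().rstrip("."), rrtype), [])


if __name__ == "__main__":
    cases = [("50.1.1.1", "test.com"), ("198.51.100.7", "test.com"),
             ("198.51.100.7", "teamwarfare.com"), ("203.0.113.10", "teamwarfare.com"),
             ("198.51.100.7", "fakessh.eu"), ("2a00:1c18:401:c00::1", "example.net")]
    for ip, dom in cases:
        print(f"{ip:>22} for {dom:<16} -> {check_host(ip, dom, lookup)}")
```

The teamwarfare.com case with 203.0.113.10 shows the risk of a bare "a": the web host's address passes even though it is not a mailer.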


Re: named.conf splitting

2012-02-17 Thread Noel Butler
On Fri, 2012-02-17 at 07:11 -0800, Chris Buxton wrote:

 Yes, it's quite possible to split named.conf into separate per-zone .conf 
 files and then 'include' them back into named.conf. You can even put the list 
 of include statements in a separate file, and then include that into 
 named.conf.
 
 named.conf:
 
 options {
   [...]
 };
 include "/path/to/etc/zones.conf";
 
 
 zones.conf:
 
 include "/path/to/etc/zone1.conf";
 include "/path/to/etc/zone2.conf";
 [...]
 


If the OP is trying to avoid inline editing, does not the above become
pointless? It still requires inline editing to remove the
include /path/to/etc/zone1.conf, else named will have an error on
reload.

Being involved in the Apache discussion, I think I see what he wants to
do, but I'm not sure if BIND works like that.

(/me   fires up dev box)
  ...
OK, Nick, it will not do what you want.

Perhaps this is better off as a feature request, and one that makes
sound sense to me; although I include one hosts.conf file and put all
entries in that and, like most, am very happy that way, if people are
including singular zone files from another include file, it would make
far better sense, less messy too (I think).






Re: IPv6 Nameserver Question with dig +trace

2012-01-23 Thread Noel Butler
On Mon, 2012-01-23 at 22:02 -0500, Kevin A. McGrail wrote:

 Hi All,
 
 On an older Bind server such as 9.3.6-p1, I can run dig +trace www.pccc.com.
 
 However, when I'm using 9.8.1-p1 and seeing a problem that stops the 
 trace when it reaches our IPv6 nameserver, ns3.pccc.com.  Examples follow.
 
 Am I doing something wrong with the newer dig?
 
 Regards,
 KAM
 
 dig +trace www.pccc.com @ns.pccc.com
 
 ; <<>> DiG 9.8.1-P1 <<>> +trace www.pccc.com @ns.pccc.com
 ;; global options: +cmd
 .   175250  IN  NS  g.root-servers.net.
 .   175250  IN  NS  h.root-servers.net.
 .   175250  IN  NS  i.root-servers.net.
 .   175250  IN  NS  j.root-servers.net.
 .   175250  IN  NS  k.root-servers.net.
 .   175250  IN  NS  l.root-servers.net.
 .   175250  IN  NS  m.root-servers.net.
 .   175250  IN  NS  a.root-servers.net.
 .   175250  IN  NS  b.root-servers.net.
 .   175250  IN  NS  c.root-servers.net.
 .   175250  IN  NS  d.root-servers.net.
 .   175250  IN  NS  e.root-servers.net.
 .   175250  IN  NS  f.root-servers.net.
 ;; Received 512 bytes from 38.100.17.53#53(38.100.17.53) in 155 ms
 
 com.172800  IN  NS  j.gtld-servers.net.
 com.172800  IN  NS  d.gtld-servers.net.
 com.172800  IN  NS  m.gtld-servers.net.
 com.172800  IN  NS  k.gtld-servers.net.
 com.172800  IN  NS  l.gtld-servers.net.
 com.172800  IN  NS  e.gtld-servers.net.
 com.172800  IN  NS  b.gtld-servers.net.
 com.172800  IN  NS  g.gtld-servers.net.
 com.172800  IN  NS  a.gtld-servers.net.
 com.172800  IN  NS  f.gtld-servers.net.
 com.172800  IN  NS  i.gtld-servers.net.
 com.172800  IN  NS  c.gtld-servers.net.
 com.172800  IN  NS  h.gtld-servers.net.
 ;; Received 502 bytes from 192.36.148.17#53(192.36.148.17) in 201 ms
 
 pccc.com.   172800  IN  NS  ns.2rad.net.
 pccc.com.   172800  IN  NS  ns.pccc.com.
 pccc.com.   172800  IN  NS  ns2.pccc.com.
 pccc.com.   172800  IN  NS  ns3.pccc.com.
 dig: couldn't get address for 'ns3.pccc.com': not found
 


Likely because ns3 has only an IPv6 address and no IPv4 address, and the
server you are checking from has no IPv6 capability.
You are asking for big problems using this method.
You should give all NS records an IPv4 address, and then add in IPv6 on
the ones you can,

eg:

ns2 A    ip.v.4.add
ns2 AAAA ip:6:addr

I guess the old versions are not so strict on checking, or don't know
what to do about IPv6.



-- 
Noel Butler noel.but...@ausics.net



Re: udp vs tcp query

2011-10-22 Thread Noel Butler
I think you have something broken; BIND uses UDP by default, and if it
cannot connect to a DNS server on UDP it then retries on TCP.

It also uses TCP for AXFRs.

On Sun, 2011-10-23 at 05:50 +0200, Benny Pedersen wrote:

 On Sat, 22 Oct 2011 20:42:08 -0700, Kevin Oberman wrote:
  On Sat, Oct 22, 2011 at 8:24 PM, Benny Pedersen m...@junc.org wrote:
  can i control this pr zone when bind is dns client ?
  remote server is rbldnsd with is not supporting tcp, how to solve 
  this ?
 
  You have a badly broken DNS if it does not support TCP. You need to
  fix this. Anything else is a band-aid that will just keep breaking
  things.
 
 Thanks, it's good to know that I am right that rbldnsd is not working if it's 
 not supporting TCP. I just ask if I can make BIND always use UDP for 
 zones that are known to be UDP-only servers.
 





Re: Operating system recommendation

2011-03-10 Thread Noel Butler
On Thu, 2011-03-10 at 19:11 -0600, Dan wrote:

 
 I'll second that, I think everyone starts off on linux as new admins,
 then eventually figures out how great freebsd ports collection is.
 Also have openbsd's PF firewall at our disposal, along with rebuilding 
 complete OS in one command, unlike linux people and their reinstalls
 on any problems.
 
 Its like the saying, once you go black, you don't go back.
 
 Dan.


Some do :)

You should do some stress bench tests again sometime.





Re: ISC BIND 9.8.0 is now available

2011-03-03 Thread Noel Butler
It should work too; it was fixed within a few minutes :)

On Thu, 2011-03-03 at 04:47 -0500, Dennis Clarke wrote:

  In addition to my pvt email Evan
 
  The dev link page still shows 9.7.3 as current production, no 9.8.0, but
  going to all downloads shows 9.8.0 as current production, and as things
  happen in three's ...
 
  bind-9.8.0.tar.gz: clicking on this yields a file called
  bind-980targz, no periods; looks like some script has collapsed
  asc
  sha1
  sha256
  sha512
 
 works for me :
 
 /opt/csw/bin/wget http://ftp.isc.org/isc/bind9/9.8.0/bind-9.8.0.tar.gz
 
 $ /opt/schily/bin/mdigest -a sha256 bind-9.8.0.tar.gz
 e44183f5a4ab7d3deb3c08171c4821c391d6b10ed8d4bc6485a1fc3ba6490c06 
 bind-9.8.0.tar.gz
 
 $ /opt/csw/bin/wget
 http://ftp.isc.org/isc/bind9/9.8.0/bind-9.8.0.tar.gz.sha512.asc
 --2011-03-03 09:42:06-- 
 http://ftp.isc.org/isc/bind9/9.8.0/bind-9.8.0.tar.gz.sha512.asc
 Resolving ftp.isc.org... 204.152.184.110
 Connecting to ftp.isc.org|204.152.184.110|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 481 [text/plain]
 Saving to: `bind-9.8.0.tar.gz.sha512.asc'
 
  0K  100% 9.42M=0s
 
 2011-03-03 09:42:06 (9.42 MB/s) - `bind-9.8.0.tar.gz.sha512.asc' saved
 [481/481]
 
 $ /opt/csw/bin/wget
 http://ftp.isc.org/isc/bind9/9.8.0/bind-9.8.0.tar.gz.sha256.asc
 --2011-03-03 09:42:15-- 
 http://ftp.isc.org/isc/bind9/9.8.0/bind-9.8.0.tar.gz.sha256.asc
 Resolving ftp.isc.org... 204.152.184.110
 Connecting to ftp.isc.org|204.152.184.110|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 481 [text/plain]
 Saving to: `bind-9.8.0.tar.gz.sha256.asc'
 
  0K  100% 8.51M=0s
 
 2011-03-03 09:42:15 (8.51 MB/s) - `bind-9.8.0.tar.gz.sha256.asc' saved
 [481/481]
 
 
 $ /opt/csw/bin/wget http://www.isc.org/files/pgpkey2009.txt
 --2011-03-03 09:45:13--  http://www.isc.org/files/pgpkey2009.txt
 Resolving www.isc.org... 149.20.64.42
 Connecting to www.isc.org|149.20.64.42|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 2849 (2.8K) [text/plain]
 Saving to: `pgpkey2009.txt'
 
  0K  100% 51.3M=0s
 
 2011-03-03 09:45:14 (51.3 MB/s) - `pgpkey2009.txt' saved [2849/2849]
 
 
 $ /opt/csw/bin/gpg --import pgpkey2009.txt
 gpg: WARNING: using insecure memory!
 gpg: please see http://www.gnupg.org/faq.html for more information
 gpg: key 0B7BAE00: public key Internet Systems Consortium, Inc. (Signing
 key, 2009) pgpkey2...@isc.org imported
 gpg: Total number processed: 1
 gpg:   imported: 1  (RSA: 1)
 gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
 gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
 gpg: depth: 1  valid:   2  signed:   2  trust: 2-, 0q, 0n, 0m, 0f, 0u
 
 
 $ /opt/csw/bin/gpg --verify bind-9.8.0.tar.gz.sha256.asc bind-9.8.0.tar.gz
 gpg: WARNING: using insecure memory!
 gpg: please see http://www.gnupg.org/faq.html for more information
 gpg: Signature made Mon Feb 28 15:57:39 2011 GMT using RSA key ID 0B7BAE00
 gpg: Good signature from Internet Systems Consortium, Inc. (Signing key,
 2009) pgpkey2...@isc.org
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:  There is no indication that the signature belongs to the owner.
 Primary key fingerprint: FA76 7A86 A371 E359 22F6  A5C8 D811 B53F 0B7B AE00
 $ /opt/csw/bin/gpg --verify bind-9.8.0.tar.gz.sha512.asc bind-9.8.0.tar.gz
 gpg: WARNING: using insecure memory!
 gpg: please see http://www.gnupg.org/faq.html for more information
 gpg: Signature made Mon Feb 28 15:57:38 2011 GMT using RSA key ID 0B7BAE00
 gpg: Good signature from Internet Systems Consortium, Inc. (Signing key,
 2009) pgpkey2...@isc.org
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:  There is no indication that the signature belongs to the owner.
 Primary key fingerprint: FA76 7A86 A371 E359 22F6  A5C8 D811 B53F 0B7B AE00
 $
 
 
 
 



