Re: 9.18 BIND not iterated over all authoritative nameservers

fferent. Please do not > feel obligated to reply outside your normal working hours. > > On 28. 10. 2023, at 17:50, Paul Stead wrote: > >  > As a previous ISP admin I too have come across similar situations and > frustrations. > > I can only say that Google and Cloudfl

Re: 9.18 BIND not iterated over all authoritative nameservers

works everywhere else, you must be broken" Paul On Sat, Oct 28, 2023, 3:56 PM Rick Frey wrote: > As Mark mentions, the NS records gtm.bankeasy.com need to be corrected > and failure is not due to lack of iterating through all auth nameservers > (all of the auth nameservers have the b

Re: Bind forgets my changes with nsupdate

Op 06-10-2023 om 10:39 schreef Mark Andrews: You need to figure out what is updating the zone. This isn’t named. Thanks for your answer. It makes me find the reason. See my other message. With regards, Paul -- Paul van der Vlis Linux systeembeheer Groningen https://vandervlis.nl/ -- Visit

Re: Bind forgets my changes with nsupdate

Op 06-10-2023 om 10:28 schreef Paul van der Vlis via bind-users: Hello, I try to give a dynamic IP to a name, using nsupdate. This works fine, but after some hours the IP is gone from the master (which I update). Something like this: Host home.customer.nl not found: 3(NXDOMAIN) The IP

Bind forgets my changes with nsupdate

about the removal in the logs. But I saw a "freeze" and a "thaw" in the logs for the domain. Any idea why the IP removes after some time? With regards, Paul van der Vlis -- Paul van der Vlis Linux systeembeheer Groningen https://vandervlis.nl/ -- Visit https://lis

Re: consolidating in-addr.arpa data

On Sat, 16 Sep 2023 10:22:26 +0100 (BST) "G.W. Haywood via bind-users" wrote: > Hi there, > ... >I'd be surprised if the OP couldn't manage with 2^20 IPs in a segment - > but then I guess he does work in the .gov domain. ^^^ The OP's contact

Re: Controlling which interface named uses

On Sat, 10 Jun 2023 19:24:03 +0200 Ondřej Surý wrote: > You are over-complicating things. If unconfigured, named binds the outgoing > UDP to 0.0.0.0 (::0), which means the chosen IP address is picked by the > kernel. You need to configure priorities on your interfaces in the kernel - > ip

Re: Correlation between NOTIFY-Source and AXFR-Source

of the list. Anand has done a better job at describing this function in other software than my attempts Paul On Sat, 11 Mar 2023, 17:16 Grant Taylor via bind-users, < bind-users@lists.isc.org> wrote: > Hi Paul, > > Thank you for explaining. > > On 3/10/23 12:21 AM, Paul Ste

Re: Correlation between NOTIFY-Source and AXFR-Source

On Thu, 9 Mar 2023, 23:53 Grant Taylor via bind-users, < bind-users@lists.isc.org> wrote: > On 3/9/23 2:25 PM, Paul Stead wrote: > > Chiming in to say +1 to Kalus' logic and sight of benefit here. > > Please forgive my ignorance in asking: > > Why doesn't the order

Re: Correlation between NOTIFY-Source and AXFR-Source

On Thu, 9 Mar 2023, 20:27 Klaus Darilion via bind-users, < bind-users@lists.isc.org> wrote: > > -Ursprüngliche Nachricht- > > Von: bind-users Im Auftrag von Mark > > Andrews > > Gesendet: Donnerstag, 9. März 2023 21:04 > > > > Named just uses the notify to trigger an early refresh

Re: automatic reverse and forwarding zones

grant> I'd be interested in learning what other things /require/ or are grant> at least predicated on having PTR records for IPs. Been a few years since I last delved but was appalled at some of the pointless uses of rev-ptrs. NYT used to require it to let you connect to their website, as one

Re: ,Re: caching does not seem to be working for internal view

On Wed, 3 Aug 2022 15:10:39 -0400 Timothe Litt wrote: > Hmm.  Your resolv.conf says that it's written by NetworkManager. > > What I suggested should have stopped it from updating resolv.conf. > > See >

Re: Stopping ddos

On Wed, 3 Aug 2022 13:47:41 +0200 Victor Johansson via bind-users wrote: > Hey, > > I just want to add that there is a better way to do this in iptables > with hashlimit. The normal rate limit in iptables is too crude. > > Below is an example from the rate-limit-chain, to which you simply

DNSSEC adoption

There has been lots of discussion recently about DNSSEC issues, including whether it's desirable to sign internal zones. Independent of this most recent issue, a couple of weeks ago I did an informal survey, using DNSVIZ, of various TLDs. I found the following rather surprising results:

Re: Problem resolving a domain

Agreed, but without the upstream provider actually fixing the issue I couldn't find a way to provide resolution of this domain to my customers - are there better ways to resolve this from our side? There seems to be a document about this issue - https://kb.isc.org/docs/aa-01387 Paul On Fri, 13

Re: Problem resolving a domain

software seem to fall back gracefully and resolve these problems Paul On Fri, 13 May 2022 at 13:51, Paul Stead wrote: > I have noticed this, too, > > The problem seems to be related to edns - disabling edns for the upstream > servers looks to resolve the issue, this can be seen with la

Re: Problem resolving a domain

along the lines of - server 157.83.102.245 { edns no; }; for each of the problematic upstreams. I contacted Barclays a few months ago about this, but never got a solid response. Paul On Fri, 13 May 2022 at 13:12, Ondřej Surý wrote: > Hi Rainer, > > I believe this is unrelated to an

RE: Chroot Bind failed to start

via chron. It restarted early this morning and of course it failed to come up with no errors in the log, making it difficult to troubleshoot ☹. Paul -Original Message- From: bind-users On Behalf Of Reindl Harald Sent: Tuesday, March 15, 2022 10:01 AM To: bind-users@lists.isc.org

RE: Chroot Bind failed to start

PKG itself. Just wondering why that mistake down bind down and how I can get more meaningful logs on the logs even those a prepackaged bind version. TIA Paul From: bind-users On Behalf Of Paul Amaral via bind-users Sent: Tuesday, March 15, 2022 9:08 AM To: 'bind-users@lists.isc.org

Chroot Bind failed to start

Hi, I realize this is related to Centos, but all the sudden chroot bind failed to start up with any meaningful errors. Anyone know what might be the issue here? I have no clues on that the issue is. Paul Job for named-chroot.service failed because the control process exited with error code

Re: Windows 9.16.25 fails to start (1067 Terminated unexpectedly)

On Thu, 17 Feb 2022 15:26:35 +0100 Ondřej Surý wrote: ... > This is part of the problem - debugging on Windows is extremely painful and > requires expertise with extremely high learning curve. > > -- > Ondřej Surý — ISC (He/Him) I wonder if difficult debugging is deliberate -- it would

Re: Certbot rfc2136

Hi Mark, and others, Op 25-10-2021 om 23:58 schreef Mark Andrews: On 26 Oct 2021, at 08:02, Paul van der Vlis wrote: Hello, I've made some progress.. Op 24-10-2021 om 21:39 schreef Paul van der Vlis: (...) I've tried to specify the "key-directory" in the bind configuration,

Re: Certbot rfc2136

Hello, I've made some progress.. Op 24-10-2021 om 21:39 schreef Paul van der Vlis: (...) I've tried to specify the "key-directory" in the bind configuration, but when I do that I get an error during "rndc reload", so I cannot specify a key-directory.  This is Bind 9.

Certbot rfc2136

11. What do I wrong? Does somebody know a good howto to get this working? I use now this: https://certbot-dns-rfc2136.readthedocs.io/en/stable/ but in my opinion it's not complete enough. With regards, Paul -- Paul van der Vlis Linux systeembeheer Groni

Re: Contents of bind-users digest...

On Tue, 6 Jul 2021 12:44:15 + "MURTARI, JOHN" wrote: > Folks, let me add my desire for a quick download dig supporting DoH. It > could really help with some testing, some ready stuff for Ubuntu 18/20, > Redhat/CentOS, could make a lot of people happy. Maybe the libs included > and we

Re: Limit actions on control channel?

It ought to be possible to write a front-end to listen on the standard control channel and only forward (properly-keyed) 'status' requests to the "real" port that BIND listens to. >From looking at the RNDC exchange via Wireshark however, you'd have to adapt >some of BIND's code that does the

Re: Need Help with BIND9

The site mxtoolbox.com has a suite of tools to check your DNS, email and Web servers from the outside. They're easy to use and might turn up something. On Fri, 11 Jun 2021 09:10:32 -0700 techli...@phpcoderusa.com wrote: > Hi, > > The two domains I am working with on my SOHO home server are 1)

Re: No more support for windows

On Fri, 4 Jun 2021 13:58:40 -0700 Gregory Sloop wrote: > This feels a lot like responding to trolls, but I'll instead assume that > you're asking (or making a point) in good faith. > > So, we'll stipulate that - you're actually interested in truth and knowledge. > > So, it's easily compiled

Re: Syslog with BIND on CentOS

If you can have BIND log directly to a file, couldn't you use a FIFO (prwxrwxrwx) or Unix domain socket (srwxrwxrwx) and avoid the disk I/O by sending the log data directly to the forwarder? (E.g., Pulse Audio listens on a socket for audio data from an application, and sends it in real-time to

Re: where are the testing docs ?

Actually, it's in keeping with the *original* definition of hacking! On Sun, 9 May 2021 23:55:13 -0600 @lbutlr wrote: > On 06 May 2021, at 09:57, Dennis Clarke via bind-users > wrote: > > I do NOT trust a build result where I had to go hacking into all the > > Makefiles just to get it to

Re: Using RNDC to control remote access to my BIND server

A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP) IP address for my very simple domain. It worked, except that it totally messed up the organization of the zone file. Since the file only has 44 active lines (which are organized logically), I maintain it by hand. After

Re: Preventing a particular type of nameserver abuse

, but they all were on Apr 13 (and near your times). == On Tue, 13 Apr 2021 15:23:20 +0100 (WET-DST) Peter Coghlan wrote: > Hi Paul, > > Many thanks for your reply. Yours is exactly the sort of reply I was hoping >

Re: Preventing a particular type of nameserver abuse

Interesting observation. I just did lookups on 4 recent (< 24 hrs ago) 'sl/ANY/IN' queries logged by our BIND and got: 2 Comcast cable IPs (hsd1.tx.comcast.net and hsd1.ma.comcast.net) 1 OVH Hosting IP (Montreal) 1 Afranet IP (Tehran!) The whois info for the OVH IP contains the line:

Re: Preventing a particular type of nameserver abuse

We also get *lots* of suspicious queries of the same kind, from various privileged and unprivileged ports, which I'm pretty sure are DDoS attempts. For example: 12-Apr-2021 23:44:17.767 security: info: client 107.213.131.17#80 (sl): query (cache) 'sl/ANY/IN' denied 12-Apr-2021 23:44:19.477

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

Well said! On Mon, 29 Mar 2021 16:11:54 +0100 Tony Finch wrote: > alcol alcol wrote: > > > seriously? is like linux/unix FAQ  > > Please, if you can't be helpful, don't reply at all. We all have to learn > somehow, and the best way to show your knowledge is to share it generously. > >

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

Bruce, indeed the named is in /Applications/Server.app/Contents/ServerRoot/usr/sbin/named. > On Mar 26, 2021, at 12:20 PM, Bruce Johnson > wrote: > > > >> On Mar 26, 2021, at 9:17 AM, Paul Cizmas wrote: >> >> Ondrej: >> >> Thank you - I in

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

’ and it is /Applications/Server.app/Contents/ServerRoot/usr/sbin/named When I ran rndc status I got ~$ rndc status rndc: error: open: /Library/Server/named/rndc.key: permission denied rndc: could not load rndc configuration Thank you, Paul > On Mar 26, 2021, at 1:44 PM, Tony Finch wrote: >

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

o, why is it still 9.9.7-P3? Thank you, Paul > On Mar 26, 2021, at 9:25 AM, Ondřej Surý wrote: > > $ brew info bind > bind: stable 9.16.13 (bottled), HEAD > Implementation of the DNS protocols > https://www.isc.org/bind/ > Not installed > From: https://github.com/Homebrew/h

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

Ondrej: I did not think of doing it. Let me try. Thank you for your suggestion! Paul > On Mar 26, 2021, at 2:04 AM, Ondřej Surý wrote: > > Paul, > > why don’t you just install BIND 9 from Homebrew? > > Ondřej > -- > Ondřej Surý — ISC (He/Him) > > My wor

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

-proctitle.lo] Error 1 > On Mar 25, 2021, at 10:58 PM, Larry Stone wrote: > > I’ve been building BIND on MacOS for years (currently on Catalina but has > worked on almost the entire Mac OS X series. > >> >> On Mar 25, 2021, at 7:50 PM, Paul Cizmas wrote: >&

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

Eddy, I fully agree with you. I wish I could do it. Unfortunately I failed to install libuv from scratch and I took a shortcut by using homebrew (and now I am paying for it, as I should). Paul > On Mar 25, 2021, at 11:05 PM, Eddy Hahn wrote: > > I do not use either of them because

Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

I did use homebrew. It installed libuv 1.41.0 without any complaints. Is there something I could do to manually point BIND to libuv? Thank you, Paul > On Mar 25, 2021, at 10:12 PM, Mark Andrews wrote: > > libuv discovery requires pkg-config to be found. macports/homebrew

BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure

read_np.h... no checking for libuv... checking for libuv >= 1.0.0... no configure: error: libuv not found I have libuv installed, however. It is version 1.41.0. I would appreciate any suggestions on how to fix this. Thank you, Paul ___ Please

how to stop and remove BIND 9.9.7-P3 on Mac OS X High Sierra 10.13.6?

Is there another command I should issue to stop BIND? Thank you, Paul ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Con

Re: lists.isc.org and DMARC

Our DMARC Policy has been "p=quarantine" since 30 Jun 2019, so I guess it won't affect us. (It was "p=none" before that -- we only started using DKIM in Apr 2017.) On Tue, 16 Feb 2021 20:54:30 + (UTC) Dan Mahoney wrote: > Greetings bind-users netizens. > > Dan Mahoney, ISC SysAdmin

Re: Problems with interfaces going down

the interface to be reactivated (if it's a privileged port issue). Just brainstorming. Paul On Fri, 12 Feb 2021 18:33:21 -0500 bindus...@prograde.net wrote: > Greetings, > > I’ve been fighting a two-fold problem with named (bind 9.16.11) running on > macOS. > > 1: If an ethern

Re: Bind 9.11 serving up false answers for a single domain.

I don't think tcpdump was installed by default with various versions of Debian that I set up in the last few years for networking. I didn't bother to install it, as it's output is different enough (old fashioned?) from the sharks to be annoying. It *was* installed with OpenSuSE 15.2 though.

Re: Bind 9.11 serving up false answers for a single domain.

I rather prefer tshark to tcpdump: it's essentially the command line version of wireshark, and thus has wireshark's protocol "dissecting" abilities. On Wed, 10 Feb 2021 22:20:08 + "John W. Blue via bind-users" wrote: > Three words: tcpdump and wireshark > > It is like peanut and jelly

Re: Bind 9.11 serving up false answers for a single domain.

Do you know about mxtoolbox.com? It (and other similar sites) does a good job of diagnosing DNS-related problems. I use it now and then to check out my own sites, as it gives a "second opinion". In particular its "DNS Lookup' function reported the following for "internet-dns1.state.ma.us"

Re: Scripting dnssec-verify - processing command output

It sounds to me like dnssec-verify is sending the output in question to STDERR instead of STDOUT. On Sat, 06 Feb 2021 19:02:28 + Matthew Richardson wrote: > I have been using Perl to do a reasonable amount of scripting, running bind > utilities and processing the results into variables.

Re: Two copies of recent posts

of "Received:" headers. This would indicate that the duplication was caused by an intermediate MTA. (The one I previously indicated was mx.pao1.isc.org, which is the one and only MX for lists.isc.org.) -Paul K. On Tue, 24 Nov 2020 22:46:06 -0500 Jim Popovitch via bind-users wrote:

Re: Two copies of recent posts

t 21:56 -0500, Paul Kosinski via bind-users wrote: > > I've been getting two identical copies of recent posts to this list... > > Me too, but it's because of people hitting reply-all thinking that they > are replying to the list and the poster. People really need to verify > who

Two copies of recent posts

I've been getting two identical copies of recent posts to this list (such as this item). This only started happening in the past 24 hours or so. Is anyone else seeing this? Upon examination of the headers of the two copies, it looks like ISC's list-servers are doing the duplication. (The first

Re: How can I launch a private Internet DNS server?

With regard to using chroot, hasn't named/BIND long had the "-u" (user) and "-t" (directory) options to accomplish the same thing more easily? On Fri, 16 Oct 2020 12:47:35 -0500 Chuck Aurora wrote: > /me catching up on earlier parts of this thread, > > On 2020-10-15 11:42, alcol alcol wrote:

Re: Deconstructing the Great Firewall of China

The article is from 2016, probably before DNSSEC become so widespread. But I would guess that their current overall approach is not a radical departure from what was outlined in the article. On Tue, 23 Jun 2020 13:41:18 +0200 Alessandro Vesely wrote: > On 2020-06-05 9:29 p.m., Paul Kosin

Deconstructing the Great Firewall of China

A very interesting article on how China uses DNS (among other things) to "control" Internet usage. https://blog.thousandeyes.com/deconstructing-great-firewall-china/ ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from

Re: TSIG DDNS and windows clients

rharolde> Thanks for the link. Lots of pieces to get working there. Not rharolde> nearly as simple as TSIG. But good if you are already using rharolde> Kerberos. MS active directory is kerberos under the hood. You don't need to run a classic mit/hesiod KDC to get GSS-TSIG to work. But it is

Re: DoH plugin for BIND

ernet connection" > > > Even if your ISP allows it, chances are that other mail servers will reject > > it > > that's a completl different story > > > On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote: > >> How many ISPs allow traffi

Re: DoH plugin for BIND

How many ISPs allow traffic on port 25? My impression is that even many (non-enterprise) business customers can't use port 25. On Sat, 2 May 2020 09:28:54 +0200 Reindl Harald wrote: > Am 02.05.20 um 09:00 schrieb Michael De Roover: > > That's actually my biggest concern with DoH, ISP blocking.

Re: Problem to transfer reverse zone DNS on secondary DNS servers

I was pleased that I was able to get our two (successive) ISPs to set up reverse DNS for our small number of IP addresses, and each twice to change them when they moved us to moved us to new IP ranges (due to the IPv4 crunch). It never even occurred to me that it might be possible to have them

Peculiar DNS queries

134.0.217.53#27016 (WWw.imENT.cOm): query: WWw.imENT.cOm IN A -E (216.55.100.245) Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.69#23417 (WWw.IMeNt.cOM): query: WWw.IMeNt.cOM IN A -E (216.55.100.245) Thanks, Paul Kosinski ___ Please visit https

Re: Zoneformat

"... long ago adapted to using full numbers, including area codes, for pretty much *all* phone dialing ..." Except that that proved to be so onerous that people often use "speed dialing" for commonly dialed numbers. (Not to mention the fact that people usually address their friends and coworkers

Re: search and ndots support in bind utilities

he PTR lookup result of such a group's external IP address, although unique, is usually not suitable. Most can change without notice due to DHCP, and they also tend to be something unworkable, like "c-66-31-152-1.hsd1.ma.comcast.net.". On Mon, 30 Sep 2019 09:35:57 -0600 Paul Ebersman wrote:

Re: search and ndots support in bind utilities

pemensik> I am aware search is a no-no in DNS community. However, is pemensik> there any public documentation to this change? Is there RFC pemensik> recommending not to use search or how it should be used, pemensik> related to today's top level domains? pemensik> While I agree it is dangerous,

DMARC test

Testing how lists.isc.org handles DMARC "Quarantine" (and "Reject") policy. The enterpr...@mozilla.org mailing list forwards such email in a way that some recipients choke on it (i.e., can't validate it). ___ Please visit

Re: Barclays bank domain unresolvable only on some servers

A *bank* not using DNSSEC?? Glad I don't have any money there. On Sun, 16 Jun 2019 14:00:36 +0100 (BST) "G.W. Haywood via bind-users" wrote: > Hi there, > > On Sun, 16 Jun 2019, Mark Andrews wrote: > > > The servers for this zone are broken, they do not respond to > > queries with DNS

RE: dns latency

from the GLTD to comcast’s DNS I even got, dig: couldn't get address for 'dns101.comcast.net': no more at one point. Although now it seems to be back to normal, not sure what to make of it. Thanks for your reply Bob. Paul a ;; Query time: 26 msec b ;; Query time: 172 msec

RE: dns latency

t.net': no more" so I doubt it's a dig version issue. Paul ;; Received 239 bytes from 192.5.6.30#53(192.5.6.30) in 32 ms net.172800 IN NS k.gtld-servers.net. net.172800 IN NS b.gtld-servers.net. net.172800

dns latency

DNS server tried doing a new query it timeout on GTLD server to Comcast? When I query directly to their DNS servers there is no latency, so I suspect this is a link issue at Comcast affecting DNS? TIA paul ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> @1

Re: Help: BIND _ Recursive query

? On Mon, 4 Mar 2019 19:30:36 +0100 Matus UHLAR - fantomas wrote: > >On 4 Mar 2019, at 16:20, Paul Kosinski wrote: > >> provides our users with general caching DNS service for > >> all other domains. > > > >[...] > > > >> Its "named.conf"

Re: Problems removing a domain

Op 05-03-19 om 16:32 schreef Matus UHLAR - fantomas: >>> On 05.03.19 14:41, Paul van der Vlis wrote: >>>> This was a long time ago. In the meantime I have rebooted the server. >>>> >>>> What I see, is that the resolving does not work from othe

Re: Problems removing a domain

Op 05-03-19 om 15:21 schreef Matus UHLAR - fantomas: >>> On 05/03/2019 01:01, Paul van der Vlis wrote: >>>> Not sure. It was a domain used for testing purposes. >>>> >>>> Before it was in /etc/bind/named.conf.local, but I removed it from >>

Re: Problems removing a domain

Op 05-03-19 om 11:51 schreef Anand Buddhdev: > On 05/03/2019 01:01, Paul van der Vlis wrote: > >> Not sure. It was a domain used for testing purposes. >> >> Before it was in /etc/bind/named.conf.local, but I removed it from there. > > Did you run "rn

Re: Problems removing a domain

s zone added via "rndc addzone" originally? Not sure. It was a domain used for testing purposes. Before it was in /etc/bind/named.conf.local, but I removed it from there. With regards, Paul van der Vlis > Regards, > > > Jie > > * Paul van der Vlis wrote: >

Problems removing a domain

/cache/bind# rgrep extensus.nl /var/cache/bind Binary file /var/cache/bind/_default.nzd matches I've also tried to add and remove it again, but I don't get it away. Somebody an idea? With regards, Paul van der Vlis -- Paul van der Vlis Linux systeembeheer Groningen https

Re: Help: BIND _ Recursive query

We have a BIND server on our LAN which is authoritative for our ".local" domain and also provides our users with general caching DNS service for all other domains. Its "named.conf" file doesn't list any "forwarders" any more, and "forward-only" is gone, but it still has a leftover "recursion yes"

Re: Forward zone inside a view

I haven't analyzed the details and pitfalls, but could a Web proxy mechanism of some sort be of help? In particular, rather than having your users directly access "teamviewer.org" (or whatever), have them to access "teamviewer.local", which is resolved by your internal DNS to a specialized proxy

error sending response: would block

I recently updated a couple servers that were running OpenBSD 6.3 with bind 9.11.3 to OpenBSD 6.4 and bind 9.11.4pl2. Since then, I'm been getting a large number of "error sending response: would block" log messages: Nov 15 11:03:58 lisa named[79587]: client @0x6f2f02bc440 10.128.30.77#65198

Re: Question about visibility

Maybe port scanners will find open ports pretty quickly, but I've found that using non-standard ports is helpful in reducing traffic, at least. For example, SSH on port 22 gets lots of SYNs but moving it elsewhere, and making 22 totally unresponsive discourages most such attempts. This increases

Re: Operational Notification: Some releases of BIND are too strict when handling referrals containing non-empty answer sections

Code refactoring is nothing compared to what Mozilla did to Firefox! It's hard to believe they didn't change the name, given that they totally changed the add-on interface and thereby removed so many of the features that made Firefox our browser of choice. On Thu, 20 Sep 2018 09:48:08 +0100

Re: Sign ZSK key permanently

Hi Tony, Thanks for your answer! Op 23-08-18 om 18:40 schreef Tony Finch: > Paul van der Vlis wrote: >> >> Is it possible to sign the ZSK key permanently with the KSK key? >> In this way I could keep the KSK key offline. > > The only(*) revocation mechanisms in DNS

Sign ZSK key permanently

Hello, Is it possible to sign the ZSK key permanently with the KSK key? If yes: how to do that? In this way I could keep the KSK key offline. With regards, Paul van der Vlis -- Paul van der Vlis Linux systeembeheer Groningen https://www.vandervlis.nl

Re: SRV record not working

t, 18 Aug 2018 20:12:01 +0200 Reindl Harald wrote: > > > Am 18.08.2018 um 20:02 schrieb Paul Kosinski: > > When I started using Linux almost 20 years ago, I think there was > > only nslookup, and no dig. So by habit, I tend to use it unless the > > extra power of dig ou

Re: SRV record not working

When I started using Linux almost 20 years ago, I think there was only nslookup, and no dig. So by habit, I tend to use it unless the extra power of dig outweighs its extra complexity. I don't remember what I used on Windows back when I was regularly using both. On Sat, 18 Aug 2018 11:42:20

DMARC question

We have a couple of small domains whose DNS is served by BIND on our dedicated machines. Almost 3 years ago we had set up DMARC records, and were getting reports from various MXs every day until a couple of days ago (Aug 13). Then they suddenly stopped! Nothing in the BIND config or zone files

Re: Domain name based multihome routing?

We do something somewhat similar with our LAN. We have a new cable connection and an old DSL connection. The cable is 60x faster, but has a dynamic IP and blocks various ports (esp. 25), so we keep the DSL so we can send email directly etc. Obviously, we don't want to stream video or even do much

Re: Stopping name server abuse

Most of your replies seem not to address the (immediately preceding) paragraph they appear to be responding to. On Mon, 25 Jun 2018 22:15:07 +0200 Reindl Harald wrote: > > > Am 25.06.2018 um 22:01 schrieb Paul Kosinski: > > Somebody who has irresponsibly (and apparently want

Re: Stopping name server abuse

assisting in the attack, and should be contacted and asked to help in the remediation. (Note that *their* resources, as well as yours, are being wasted.) On Mon, 25 Jun 2018 17:47:23 +0200 Reindl Harald wrote: > Am 25.06.2018 um 17:37 schrieb Barry Margolin: > > In article , > &

Re: Stopping name server abuse

esn't come until after the connection is established.) On Mon, 25 Jun 2018 15:32:44 +0200 Reindl Harald wrote: > > > Am 25.06.2018 um 05:39 schrieb Paul Kosinski: > > Is it possible to get BIND not to respond at all, thereby causing > > a timeout on the query? That woul

Re: Stopping name server abuse

Is it possible to get BIND not to respond at all, thereby causing a timeout on the query? That would perhaps reduce load more than NXDOMAIN or deleting the sone(s) would. On Mon, 25 Jun 2018 00:03:09 +0200 jo...@hasig.de wrote: > yes, but it minimizes the use of resources because the only

Re: BIND srtt algorithm not working as expected

?), and ensure we can still meet the contracted SLAs. Basically it's a lot of work (+ cost) just to "sort out" this Sophos mess. I'd rather Sophos did their stuff over a separate TCP or UDP port rather than hijacking DNS, but doubt they will listen to "little old me"

Re: BIND srtt algorithm not working as expected

. :-( From: Tony Finch <d...@dotat.at> Sent: 17 May 2018 12:34 To: Paul Roberts Cc: bind-users@lists.isc.org Subject: Re: BIND srtt algorithm not working as expected Paul Roberts <p...@callevanetworks.com> wrote: > After doing some more packet captures, it l

Re: BIND srtt algorithm not working as expected

. I wish the anti-virus vendors would consider the impact they are having on corporate DNS environments and re-think how they implement their reputation lookups, it must be the cause of some pretty serious ouages. :-( Cheers, Paul ___ Please visit

BIND srtt algorithm not working as expected

this because the slow responses back from the UK are impacting application performance for users in HK? We need to keep the UK servers as part of the configuration for failover/redundancy, removing them is not an option. Thanks, Paul Paul Roberts Calleva Networks Ltd. Email: p...@callev

Re: DNSSEC and nsupdate

Setting the permissions of a *private* key to 0644 sounds like a bad idea. Maybe you mean 0640? On Fri, 2 Mar 2018 23:28:28 + "Prof. Dr. Michael Schefczyk" wrote: > Dear Mark, > > I did get the issue resolved while setting up a test environment. > > The issue is

Re: DNS performance Help when query log is off -- which default parameters will impact the DNS performance

s] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file] For more explanation, look at: https://kb.isc.org/article/AA-01249/0/UDP-Listeners-choosing-the-right-value-for-U-when-starting-named.html On Thu, 22 Feb 2018 01:50:22 + "PENG, JUNAN" <jp2...@att.com> w

Re: DNS performance Help when query log is off -- which default parameters will impact the DNS performance

Could it be that you're network limited? In any case, the values of the following parameters may be illuminating (they may be obtained via "rndc status"). CPUs found worker threads UDP listeners per interface For example, my very lightly loaded authoritative server reports: version:

Re: SOA settings

Speaking of units, University of Chicago Professor Nicholas Metropolis (who had been one of the original Manhattan Project scientists at Los Alamos) remarked that the standard lecture period of 50 minutes lasted approximately 1 Micro-Century. On Fri, 2 Feb 2018 17:00:10 -0500 Warren Kumari

Re: Zone give from one second to another error...

Michelle (and others who may be interested), I have found mxtoolbox.com to be helpful in diagnosing DNS and related problems. It is able do all kinds of DNS lookups from *outside* your domain so you can see what your normal Internet users see. It will do basic stuff (manually initiated) for free,

Re: search algorithm in DNS

strings of characters, but rather follow certain linguistic statistics.) On Thu, 9 Nov 2017 17:56:03 +0100 Reindl Harald <h.rei...@thelounge.net> wrote: > > > Am 09.11.2017 um 15:55 schrieb Paul Kosinski: > > Exact matching needs a search algorithm too > > no

  1   2   3   >