Re: Providing AD flag for authoritative domains

2022-12-22 Thread Ray Bellis
On 22/12/2022 13:30, Jesus Cea wrote: I have a validating DNSSEC bind server. I get AD (Authenticated Data) flag when requesting details from a DNSSEC protected domain. Good. The point is that when the requested DNS name belongs to a domain for which this server is authoritative and that domain

Re: CH/TXT/VERSION.SERVER queries

2022-11-21 Thread Ray Bellis
On 21/11/2022 17:26, Petr Špaček wrote: Speaking of default CHAOS zones, I have another idea: Do we need them after NSID was standardized? Yes. There is a lot of special code just for built-in CH zones, and IIRC we have had at least one CVE which affected default config only because of

Re: all resource record types and examples

2022-04-12 Thread Ray Bellis
On 12/04/2022 13:43, rams wrote: Could someone please share all supported DNS RRs and examples of each RR. That's a *very* big ask. IANA maintains a list of all RRs and pointers to the documentation for each of them:

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-04 Thread Ray Bellis
On 04/01/2022 21:12, Grant Taylor via bind-users wrote: Yep. This is where I have settled. But I don't feel I can defend it when asked. Hence my seeking to better understand. There are categories of bugs that specifically affect recursion, and in BIND these are _much_ more common than

Re: How to show run the active configuration on bind

2022-01-04 Thread Ray Bellis
On 04/01/2022 16:53, Mik J via bind-users wrote: Hello, How can I check which variables are loaded in memory and considered as active. For example, I would like to check that the value of lame-ttl is 0 In my named.conf configuration file I have include "myconf.conf"; lame-ttl 600; And in

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-04 Thread Ray Bellis
On 04/01/2022 03:52, Grant Taylor via bind-users wrote: If I'm allowing recursion and authoritative on the same server, I'd have the recursive + authoritative server do secondary zone transfers off of the internal MS-DNS / AD server.  That way the clients can get the info off of the first

DLV issue 2020/03/25

2020-03-26 Thread Ray Bellis
that DLV is disabled in all configurations. We have provided some additional guidance for this on our Knowledge Base.[2] We apologise for any disruption caused, and will be taking steps to try to ensure that this does not recur, including improvements to our monitoring systems. Ray Bellis Director

Re: Dig Hangs during axfr request when not on localhost.

2019-06-14 Thread Ray Bellis
On 14/06/2019 09:38, Pete Fry via bind-users wrote: Interestingly as we have the same problem on our dev box (running the same versions) I took the decision to install the ISC-BIND following (https://copr.fedorainfracloud.org/coprs/isc/bind/) running 9.14.2 and repeated the tests and it

Re: Root zone DNSSEC KSK rollover event - 2018/10/11, 16:00 UTC

2018-09-28 Thread Ray Bellis
On 28/09/2018 10:55, Anand Buddhdev wrote: > On 11 October, the old key won't be removed. On that day, the new key > will start signing the DNSKEY RRset. The old key (id 19036), will remain > in the root zone; it just won't sign the DNSKEY RRset. Eventually, in > the first quarter of 2019, it

Root zone DNSSEC KSK rollover event - 2018/10/11, 16:00 UTC

2018-09-28 Thread Ray Bellis
for experienced BIND administrators with good familiarity with DNSSEC: <https://kb.isc.org/docs/aa-01529> The second is a much more detailed document with more DNSSEC background material and an overview of the entire key roll process: <https://kb.isc.org/docs/aa-01525> Ray Bellis

Re: NTP through DNS?

2018-09-23 Thread Ray Bellis
On 22/09/2018 02:39, Danny Mayer wrote: > No, that's not true. Consider what you are doing. You are substituting > SRV records for CNAME records. There is nothing magical here. NTP can > use the CNAME records. Either way the records have to be configured. > What do you think you are discovering?

Re: NTP through DNS?

2018-09-21 Thread Ray Bellis
On 21/09/2018 12:47, Danny Mayer wrote: > Putting on both my BIND9 and NTP hats for a moment: > > This answer makes no sense. NTP uses standard DNS FQDN's for all of its > references to NTP servers whether it's using pool, server or peer. I > have no idea where the reverse zone comes in though I

Re: NTP through DNS?

2018-09-19 Thread Ray Bellis
On 19/09/2018 15:59, Mauricio Tavares wrote: >> An NTP service doesn't belong to a domain, so maybe not (I don't know of >> one off my mind). >> > Not necessarily; I can name a few universities and business who > offer their own NTP servers to their internal systems. AFAIK, this is >

Re: DNSSEC will eventually generate Identical Key ID's

2018-09-10 Thread Ray Bellis
On 09/09/2018 18:51, Mark Elkins wrote: > Just for the record, although I do look from a curiosity point of view > for Identical Key ID's once every few month - I've never seen them - > until now. > > Now I have them - generated by BIND within a few days of each other... > > I've been running

Re: how to verify Pipelined TCP and DNSCOOKIE

2018-09-04 Thread Ray Bellis
On 04/09/2018 15:13, Tony Finch wrote: > `mdig` comes with BIND and does multiple concurrent queries, so you can > check pipelining behaviour like this: > > ... > > A good selection of sites near and far should nicely demonstrate > out-of-order replies. If you don't flush the cache first then

Re: v9.12.1-P2 changed files

2018-05-18 Thread Ray Bellis
On 18/05/2018 21:28, Jim Popovitch via bind-users wrote: > Honest question Why are there so many sourcecode > modifications/additions/deletions between v9.12.1 and v9.12.1-P2? Some > files should obviously change between minor versions, but ~1300 ? > > Bind9 v9.12.1-P2 changed files: >

Re: Administrivia.

2018-04-23 Thread Ray Bellis
On 23/04/2018 16:34, Chris Thompson wrote: > To further increase our Schadenfreude, please do let the list know just > how ISC managed to let that happen! Or will you be able to blame ARIN? We're blaming ARIN :p 149.20/16 was previously delegated to us with its own DNSKEY / DS, and then we used

Re: Administrivia.

2018-04-23 Thread Ray Bellis
On 23/04/2018 14:18, Anand Buddhdev wrote: > If you repeat your query with the +cd option, you'll get a response. > > DNSViz shows problems with the DNSSEC setup of this zone. The DS and > DNSKEY records don't match: > > http://dnsviz.net/d/1.20.149.in-addr.arpa/dnssec/ Thanks for the heads up

Re: Maximum zone file size

2018-03-14 Thread Ray Bellis
On 14/03/2018 12:08, Anand Buddhdev wrote: > Not that I know of. The amount of RAM in a server is probably the most > significant limit for loading zones into BIND. Anand is correct - there's no intrinsic limit other than RAM. I personally know of BIND instances running with in the region of 25

Re: BIND9 and AS112

2018-03-09 Thread Ray Bellis
On 09/03/2018 05:32, Diarmuid O Briain wrote: > Hi, > > I have been following RFC7534 to setup an AS112 Service. I am getting > the following errors from systemctl status, what do they mean? > > Mar 09 08:11:43 as112 named[3787]: > ../../../../lib/isc/unix/socket.c:2104: unexpected error: >

Re: disable dnssec for particular domain

2018-02-06 Thread Ray Bellis
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote: > what's the difference, when the domain doesn't exist? > > is it because .eu is signed? Perhaps, although I'm not sure why given that .eu is signed with NSEC3 and opt-out. Are you *sure* that the domain doesn't now actually exist in the DNS?

Re: disable dnssec for particular domain

2018-02-06 Thread Ray Bellis
On 06/02/2018 16:00, Matus UHLAR - fantomas wrote: > Hello, > > our customer uses a domain that is registered, but hidden > (doesn't exist in DNS). > > The domain is used by multiple organizations and we are required to forward > lookups for the domain to foreign internal servers. > > The

Re: BIND 9.11.2, named-checkconf barfs on cookie-secret

2018-01-03 Thread Ray Bellis
On 03/01/2018 12:48, Ingeborg Hellemo wrote: > What am I missing? Bug in named-checkconf? Yes, it's a known bug, fixed in the forthcoming 9.11.3 release: 4695. [bug] cookie-secrets were not being properly checked by named-checkconf. [RT #45886] kind regards, Ray

RNDC client protocol mode for NodeJS

2017-12-20 Thread Ray Bellis
For those of you that like Javascript, and like it server side, there's now an implementation of the RNDC protocol available for NodeJS: <https://www.npmjs.com/package/bind9-rndc> We hope people may find this useful. Please note that this is not officially supported ISC software. Ray

Re: Reverse Zone, Can It Be One Big Class B?

2017-11-30 Thread Ray Bellis
On 30/11/2017 22:13, Reineman, Rick wrote: > The subject is a little off, I have a Class B network masked down to > a bunch of Class C networks. > > I am replacing an old DNS service where they configured it as one > might expect with one reverse mapping file per network. So we have > many of

Re: EDNS0 client subnet in BIND 9.10

2017-11-11 Thread Ray Bellis
On 11/11/2017 19:46, Ben Croswell wrote: > The use case i am looking at is using ECS or some other mechanism to > pass the IP of client making the query to the global load-balancer. This > information could then be used by the global load-balancer in making > proximity decisions when crafting its

Re: EDNS0 client subnet in BIND 9.10

2017-11-11 Thread Ray Bellis
On 11/11/2017 04:50, Mukund Sivaraman wrote: > I'm not sure how ECS would be useful for load-balancing, as in the best > case scenario it would require one to control every client side to send > the client-subnet option. It would help if Ben provided more details about what he's trying to

Re: Secure Cert for lists web site expired?

2017-10-11 Thread Ray Bellis
On 11/10/2017 16:12, MURTARI, JOHN wrote: > lists.isc.org uses an invalid security certificate. The certificate > expired on Sunday, October 08, 2017 3:09 AM. The current time is > Wednesday, October 11, 2017 11:08 AM. Our Ops team is already aware. Thanks for the report! Ray

Re: Strange recursor response time pattern

2017-09-05 Thread Ray Bellis
On 05/09/2017 16:56, Havard Eidnes wrote: > Hmm... > > some further local discussion has made me aware that us running > "collectd" for monitoring BIND may be contributing to the > problem; collectd fetches data each 10s by using the BIND- > configured statistics-channel, thus BIND is processing

Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Ray Bellis
On 19/07/2017 11:53, Tony Finch wrote: > It's how we did things in the 1990s :-) Yup - in '96 I was running the entire set of customer-facing services for a newly-formed ISP on a single Alpha workstation :) Ray ___ Please visit

Re: designing the DNS from the scratch

2017-07-10 Thread Ray Bellis
On 10/07/2017 14:02, wbr...@e1b.org wrote: > ~3 x 10**8 m/s > > More importantly, what is the speed of light in a fiberoptic connection? ~0.66c > Speed of electrons in copper wire? Individual electrons move *very* slowly - it's the electric *field* that moves at between 0.5c and 1c.

Re: Tuning suggestions for high-core-count Linux servers

2017-06-02 Thread Ray Bellis
On 01/06/2017 23:26, Mathew Ian Eis wrote: > … and for one last really crazy idea, you could try running a pair of > named instances on the machine and fronting them with nginx’s > supposedly scalable UDP load balancer. (As long as you don’t get a > performance hit, it also opens up other

Re: Tuning suggestions for high-core-count Linux servers

2017-06-02 Thread Ray Bellis
was changed to ncores-1. This makes a *very* big difference. kind regards, Ray Bellis ISC Research Fellow

Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Ray Bellis
On 09/02/2017 15:32, Robert Moskowitz wrote: > Now doing it 'right' and seeing: > > 09-Feb-2017 09:59:52.191 could not open file '/run/named/named.pid': > Permission denied > 09-Feb-2017 09:59:52.192 generating session key for dynamic DNS > 09-Feb-2017 09:59:52.192 could not open file

Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Ray Bellis
On 09/02/2017 14:28, Robert Moskowitz wrote: > I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, > I am building this on a new server. I currently do not have DNSSEC > enabled, and not enabling it for the initial migration work. > > I have looked over changes in named.conf

Re: Need of 2 $ORIGIN Directives

2016-12-21 Thread Ray Bellis
On 21/12/2016 12:57, Harshith Mulky wrote: > So I wanted to understand some things about this Domain > > A. Why are there 2 $ORIGIN directives? Because someone thought they were being clever? :) > > B. Can the above be replaced as below Yes, and you could even remove the trailing

Re: allow-query does not seem to be working

2016-08-08 Thread Ray Bellis
On 08/08/2016 20:59, Frank Even wrote: > Thanks for the info. Also I'll have to note that I completely missed > that the "offending IP" is one of the .uk root servers so the next > logical conclusion is I've probably got a box in one of my environments > driving an amplification attack of some

Re: allow-query does not seem to be working

2016-08-08 Thread Ray Bellis
On 08/08/2016 18:43, Darcy Kevin (FCA) wrote: > As already noted, allow-query will cause you to send back a REFUSED > response. That’s sort of the whole point of the REFUSED RCODE. > > > > If you want to not send back any response **whatsoever**, then take a > look at the “blackhole”

Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Ray Bellis
On 02/08/2016 22:04, Matthew Pounsett wrote: > Yes it will. But, as far as I understand, it uses the recursive code > paths to do that, and won't consult resolv.conf. Yes? I believe that's correct, yes. Ray

Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Ray Bellis
On 02/08/2016 19:47, Matthew Pounsett wrote: > In the authoritative configuration, BIND has no need to do DNS lookups > of its own, so it wouldn't be any use there. That's not strictly true - BIND will in some circumstances use its own internal resolver to handle the host lookups for NOTIFYs and

Resend: ISC Dig for iOS

2016-06-27 Thread Ray Bellis
n officially supported ISC product, it's more of a "skunk works" project, so if you try it and have feedback please either post here on bind-users or get back to me directly. Ray Bellis ISC Research Fellow

Re: writeable file 'domain.com': already in use

2016-06-16 Thread Ray Bellis
On 16/06/2016 09:01, Evan Hunt wrote: > Use the "in-view" statement so that there's only one copy of the zone > shared by both views. Yes, or that, if they really are the same zone contents in both views. Ray

Re: writeable file 'domain.com': already in use

2016-06-16 Thread Ray Bellis
On 16/06/2016 07:53, Daniel Dawalibi wrote: > We are upgrading our DNS authoritative BIND version 9.10.4-P1 but we are > facing “writing errors” on the slave zone files that are transferred > from other Master DNS servers. > > Our configuration consists of two views (local and inter) and the >

Re: Enabling edns on Bind 9.9

2016-06-15 Thread Ray Bellis
On 15/06/2016 12:31, Harshith Mulky wrote: > How can I enable EDNS on the bind server? > > > Will just enabling this > > edns-udp-size size_in_bytes ; > > set the EDNS on the bind server? > > > Or is EDNS Client specific feature? EDNS is always enabled on a BIND 9.9 server, but it's only

Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Ray Bellis
On 24/03/2016 16:41, Tony Finch wrote: > When I changed our TTLs from 24h to 1h last year, it didn't have a visible > effect on authoritative server query load, much to my surprise. I'm not that surprised - there's definitely not a linear correlation between the TTL of an RRset and how

Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Ray Bellis
On 24/03/2016 14:47, Ben Bridges wrote: > Greetings. > > > > Is it possible in BIND to configure multiple resource records for the > same domain name, TYPE, and CLASS with different TTL values? For example: > > ... > > I tried it, and BIND set the TTL for all five records to 300 (or more >

Re: DNS Service Discovery

2016-03-14 Thread Ray Bellis
On 14/03/2016 12:23, Phil Mayers wrote: > Stack overflow or similar may be a better place to start. Definitely not stackoverflow - unless the question is clearly programming related it would be closed with extreme prejudice. I'd suggest the OP should investigate further what's happening in the

Re: DNS BIND traffic capture ICMP/UDP

2016-01-15 Thread Ray Bellis
On 15/01/2016 13:48, Daniel Dawalibi wrote: > Hello > > > > We observed an unusual traffic combining ICMP and UDP packets while > running the tcpdump command on the DNS caching server > > Kindly note that only UDP DNS traffic is allowed on this server (ICMP is > not allowed from outside to

Re: Bind9 on VMWare

2016-01-13 Thread Ray Bellis
On 13/01/2016 12:44, Reindl Harald wrote: > where did you read that? > > we don't run *anything* on physical machines and all our nameservers > (auth, caching with a mix of bind/unbound/rbldnsd) as anything else runs > on top of VMware vSphere 5.5, previously 4.1/5.0 since 2008 ISTR that some

Re: Writeable file already in use

2016-01-05 Thread Ray Bellis
On 05/01/2016 17:03, Barry Margolin wrote: > The in-memory copy is likely to end up in the swap partition. A swap partition? I don't think I've seen one of those for years... Ray

Re: Is there other methods or APIs to monitor qps?

2015-11-27 Thread Ray Bellis
On 27/11/2015 13:02, Tony Finch wrote: > Use the statistics channel, e.g. > > curl --silent http://nameserver:853/json/v1/server | jq -r .opcodes.QUERY Note that this gives you the absolute total since startup - you need to take two measurements and divide by the time between them to convert

Re: root hints operation

2015-11-17 Thread Ray Bellis
On 17/11/2015 02:09, Grant Taylor wrote: > On 11/16/2015 06:56 PM, /dev/rob0 wrote: >> You either specify a hints file to use, or use the compiled-in root >> hints. > > Interesting. I was not aware that it was an exclusive or type situation. It's important that they're exclusive - it would be

Re: SRV Request to DNS

2015-09-29 Thread Ray Bellis
On 29/09/2015 07:37, Harshith Mulky wrote: > Hi all, > > I had a query > > Let us say we are having a FQDN and we need to Resolve it. It goes > through the procedure of determining the IP and Port using NAPTR/SRV/A > query mechanisms > > The question I have is if I have a FQDN with a Port

Re: E164 Number Mapping

2015-09-24 Thread Ray Bellis
On 24/09/2015 15:26, Harshith Mulky wrote: > Hello, > > I have a question on E164 Number Mapping: > > Lets say I have a number as "9986012345" with Country Code as "1" > > For E164 Number to be mapped and to be queried from DNS, it should be > converted into ENUM domain like, > >

Re: Understanding different service fields in DNS Records

2015-08-27 Thread Ray Bellis
On 27/08/2015 13:53, Harshith Mulky wrote: Hi, Needed to understand the different Service fields used in ENUM/DNS Records specifically, E2U+sip, E2U+pstn, E2U+sip:pstn, E2U+pstn:sip and other supporting formats Is there any RFC/documents/Links which helps in understanding this various

Re: how to compile bind 9.10 with --with-libjson option

2015-08-10 Thread Ray Bellis
On 10/08/2015 04:18, Leandro wrote: Thanks !!! it compiled now ... still trying to get the json output. http://10.0.0.250:8080 works, but: http://10.0.0.250:8080/json Try http://10.0.255:8080/json/v1 [also /json/v1/mem, /json/v1/server, etc.] Ray

Re: Order and Preference Priority in DNS Responses

2015-08-03 Thread Ray Bellis
On 03/08/2015 12:38, Harshith Mulky wrote: I am expecting to receive the answer as _sip._udp.carrier1.com but i receive _sip._tcp.carrier1.com How could I change this? For applications that use NAPTR records it's the job of the client application to process and sort the entire set of NAPTR