Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 02:03:52PM -0400, Kevin A. McGrail wrote a message of 8 lines which said: > Firewalls are cheap and the level of effort to run a bastion host are > significant. Firewalls are useful when you want to protect unmanaged printers and Windows boxes (or Web servers with a

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 11:16:05AM -0700, Fred Morris wrote a message of 50 lines which said: > 2) If you want to run your own DNS nameservers, you will need to buy a > book, read the (BIND) Administrator's Reference Manual, and/or some > RFCs Very bad advice. RFCs are not for the

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 04:57:16PM +, Jason Long via bind-users wrote a message of 173 lines which said: > I have two static IP addresses. One is for DNS server and one is for > my website. Note that you can put the two servers on the same machine, using the same IP address, since the

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 04:36:58PM +, Jason Long via bind-users wrote a message of 1594 lines which said: > in the panel of it, I can enter my DNS server IP addresses. I assume you refer to the panel of your domain name registrar. If so, it would be useful to know which is the label near

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 06:45:01PM +0200, Michael De Roover wrote a message of 65 lines which said: > Your router can port forward traffic to port 53/udp to your local IP > that your DNS server is on. He said that the DNS server has a public IP address so port forwarding is probably not

Re: DNS security, amplification attacks and recursion

2020-07-07 Thread Stephane Bortzmeyer
On Tue, Jul 07, 2020 at 03:00:13PM +0200, Michael De Roover wrote a message of 46 lines which said: > The command used to test this was apparently "dig +short > test.openresolver.com TXT @your.name.server". ANY instead of TXT may be more efficient (specially with +dnssec), if the goal is to

Re: Bind 9 not responding to queries

2020-04-12 Thread Stephane Bortzmeyer
On Sun, Apr 12, 2020 at 01:41:52AM +, sir izake wrote a message of 153 lines which said: > At specific times of day bind fails to respond to queries even > though service is shown to run (configured to respond to my network > IPs, this works fine till this time when service fails to

Re: Unable to completely transfer root zone

2020-02-11 Thread Stephane Bortzmeyer
On Mon, Feb 10, 2020 at 02:32:55PM -0500, Warren Kumari wrote a message of 70 lines which said: > Also, can you try: > dig +tcp . axfr @192.0.32.132 > dig +tcp . axfr @192.0.47.132 > dig +tcp . axfr @b.root-servers.net > > (no, I'm not really sure why trying with the first 2 IPs instead of >

Re: Strange DNS problem

2019-06-10 Thread Stephane Bortzmeyer
On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen wrote a message of 58 lines which said: > Then, unfortunately our nameservers won't resolve ns.kpk.fi either. Same authoritative name server, same problem. See my email. % dig @ns.datatower.fi. NS kpk.fi. ;; Warning: Client COOKIE

Re: Strange DNS problem

2019-06-10 Thread Stephane Bortzmeyer
On Mon, Jun 10, 2019 at 02:28:46PM +, Jukka Pakkanen wrote a message of 382 lines which said: > An example, the client domain is raimoasikainenoy.fi. dig clearly says it's a cookie issue: % dig @193.184.54.212 NS raimoasikainenoy.fi ;; Warning: Client COOKIE mismatch A DNSviz

Re: cyberia.net.sa

2018-06-26 Thread Stephane Bortzmeyer
On Tue, Jun 26, 2018 at 03:36:25PM +0200, Matus UHLAR - fantomas wrote a message of 19 lines which said: > Some web DNS checkers do a great job. And some are really bad and/or broken. Let's mention the right ones: https://dnsviz.net/ https://zonemaster.net/

Re: My domain name name not propagating through the Internet.

2018-05-26 Thread Stephane Bortzmeyer
On Sat, May 26, 2018 at 12:57:26PM -0400, Rick Dicaire wrote a message of 276 lines which said: > Hi Thomas, obfuscating IP addresses doesn't help in the least. No problem, the IP address is known by the TLD name servers. % dig @a.gtld-servers.net ns1.sleepyvalley.net ;

Re: My domain name name not propagating through the Internet.

2018-05-26 Thread Stephane Bortzmeyer
On Sat, May 26, 2018 at 11:44:58AM -0500, Thomas Strike wrote a message of 269 lines which said: > they say that the problem is with my server. They were right. > I am here asking for fresh sets of eyes to look at my setup file and the > domain zone record that is

Re: TLD Registries supporting RFC 7344/8078

2018-03-13 Thread Stephane Bortzmeyer
On Tue, Mar 13, 2018 at 10:52:50AM +0100, Carsten Strotmann wrote a message of 19 lines which said: > is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078) > already supported at the TLD level somewhere? I know it is implemented > in BIND 9.11+ and Knot, but can it

Re: BIND9 and AS112

2018-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 09, 2018 at 03:28:18PM +0300, Diarmuid O Briain wrote a message of 427 lines which said: > However quite frankly I do not get how the AS112 service is accessed via > anycast. Did you configure your routing as mentioned in section 3.4 of RFC 7534? > Another

Re: BIND9 and AS112

2018-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 09, 2018 at 12:32:41PM +0300, Diarmuid O Briain wrote a message of 122 lines which said: > Mar 09 08:11:43 as112 named[3787]: internal_send: 2620:4f:8000::42#53: > Invalid argument > Mar 09 08:11:43 as112 named[3787]: internal_send: 192.175.48.42#53: Invalid

Re: Suggestions for a distributed DNS zone hosting solution I'm designing

2018-03-09 Thread Stephane Bortzmeyer
On Thu, Mar 08, 2018 at 12:52:57PM +, Tony Finch wrote a message of 49 lines which said: > Best way to achieve this is with anycast, which can be pretty > time-consuming to set up - try searching for Nat Morris's > presentation "anycast on a shoestring" which he gave at

Re: dnssec validation issue

2017-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote a message of 677 lines which said: > # dig @localhost www.icann.org A +dnssec When you suspect a DNSSEC issue, always retry dig with +cd (Checking Disabled). And post the result.

Re: Forward record for WWW

2016-05-05 Thread Stephane Bortzmeyer
On Thu, May 05, 2016 at 04:06:06PM +, Cuttler, Brian R. (HEALTH) wrote a message of 34 lines which said: > I configured the change for my external test server only > (199.184.16.7, which is _probably_ available for external query) No. % dig @199.184.16.7 A

Re: Forward record for WWW

2016-05-05 Thread Stephane Bortzmeyer
On Thu, May 05, 2016 at 03:42:24PM +, Cuttler, Brian R. (HEALTH) wrote a message of 29 lines which said: > External record in the zone file is actually > wadsworth.org. 300 IN A 199.184.16.22 None of the three name servers for wadsworth.org serve this A

Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread Stephane Bortzmeyer
On Wed, May 04, 2016 at 02:02:24PM -0400, Rob Heilman wrote a message of 305 lines which said: > We run BIND 9.9.5-9 on Debian x86_64 to support a moderately sized > email hosting system. System info listed at the end of this > message. We are seeing intermittent but

Re: Monitor DNS queries toward Root severs

2016-05-04 Thread Stephane Bortzmeyer
On Wed, May 04, 2016 at 07:03:13PM +1000, Mark Andrews wrote a message of 15 lines which said: > fill in with the rest of the root servers names. And if you don't like to type, or if you use another root: sudo tcpdump -n -i ${INTERFACE} port 53 and \( $(for ns in $(dig

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 07:32:48AM -0700, Matthew Pounsett wrote a message of 49 lines which said: > One of these days I'd like to lead a serious lobbying effort against > the browser developers at the W3C to have SRV records for HTTP > standardized. I fully agree and, if

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 10:23:19AM -0400, Barry Margolin wrote a message of 28 lines which said: > You would only be able to do this if you could put the CNAME record > in the parent domain, instead of delegating domain.com to your own > server. But do any domain

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 05:26:53PM +0300, Daniel Dawalibi wrote a message of 50 lines which said: > DNS registrar that can offer this option by using apex/naked/root > domain redirection Sorry, but I cannot parse this sentence. Also, as I said, this is not about

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 05:05:50PM +0300, Daniel Dawalibi wrote a message of 52 lines which said: > our setup requires a CNAME record. Bad setup. (And has always been bad.)

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 01:56:27PM -, John Levine wrote a message of 23 lines which said: > Assuming you mean this (notice the dots): > > Domain.com. CNAME x.y.com. > www CNAME x.y.com. > > it should work. I disagree. I have the same experience as Daniel

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 02:55:18PM +0300, Daniel Dawalibi wrote a message of 99 lines which said: > We are facing a resolving problem on BIND DNS when adding a CNAME RR > for root domain and other records. I don't think that you manage the root domain so you

Re: named DNS resolution latency

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 02:33:26AM -0400, digen wrote a message of 169 lines which said: > Any inputs on debugging this problem will be much appreciated. The usual stuff: 1) Is the machine hosting the resolver overloaded? top, for instance 2) is the link to the

Re: g.root-servers.net not reachable anymore

2016-04-14 Thread 'Stephane Bortzmeyer'
On Thu, Apr 14, 2016 at 11:55:04AM +0300, Daniel Dawalibi wrote a message of 22 lines which said: > Do you think it is better to remove it from named.root? Certainly not, your resolver removes it automatically from the list of authoritative servers for the zone.

Re: g.root-servers.net not reachable anymore

2016-04-14 Thread Stephane Bortzmeyer
On Thu, Apr 14, 2016 at 08:35:00AM +0200, Daniel Stirnimann wrote a message of 14 lines which said: > Looks like you are not alone! > > https://atlas.ripe.net/dnsmon/group/g-root Only broken over UDP. Works on TCP and still replies to traceroute.

Re: Resolution differences for getaddrinfo versus host/dig/delv

2015-11-18 Thread Stephane Bortzmeyer
On Wed, Nov 18, 2015 at 12:19:57PM +, Phil Mayers wrote a message of 44 lines which said: > I suspect getaddrinfo isn't parsing the DNS response for some reason. ... > Obviously the *.thing on the RHS of the first CNAME is weird, but is it > illegal? Yes, for a

Re: How are DNS Records added dynamically in DNS Servers?

2015-09-07 Thread Stephane Bortzmeyer
On Mon, Sep 07, 2015 at 03:33:00PM +0530, Harshith Mulky wrote a message of 60 lines which said: > How do System administrators add DNS Zone records in DNS Servers? By not using outlook.com for email :-) No, I'm kidding, there are several ways: > Is there a

[DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Stephane Bortzmeyer
[The domain has recently changed its configuration so do not test it.] With Unbound, I get a SERVFAIL: % dig DNSKEY cepn.asso.fr ; DiG 9.9.5-8-Debian DNSKEY cepn.asso.fr ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62442 ;; flags: qr rd ra; QUERY: 1,

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Stephane Bortzmeyer
On Tue, Feb 17, 2015 at 07:34:37AM +1100, Mark Andrews ma...@isc.org wrote a message of 171 lines which said: The validator is *not* supposed to *check* if the zone has been signed with all the algorithms in the DS RRset. It is supposed to keep trying all RRSIG/DS/DNSKEY combinations

SERVFAIL when increasing recursive-clients? (Was: bind-users Digest, Vol 1902, Issue 2

2014-08-01 Thread Stephane Bortzmeyer
On Fri, Aug 01, 2014 at 09:56:53AM +0700, Xuan Hung hungn...@viettel.com.vn wrote a message of 298 lines which said: I think this problem of me, need have version new of Bind. 9.9.5 is quite recent. Actually, it is the latest in 9.9 branch. What makes you think upgrading would change

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-15 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 07:14:57PM -0700, Paul B. Henson hen...@acm.org wrote a message of 56 lines which said: I also don't think this is what educause is doing, as I haven't had any trouble entering DS records for published but not activated KSK's in the past, You can also note that it

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 01:24:38PM -0700, Paul B. Henson hen...@acm.org wrote a message of 135 lines which said: And finally, the new key I just created, for which I'm trying to add DS records. The dsset file created by dnssec-signzone says these records should be: I find the same values

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 10:40:19PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 19 lines which said: So, I suspect a bug in EDUCAUSE. Your DNSKEY set being a little over 1500 bytes, you may suspect an MTU issue.

Re: Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Stephane Bortzmeyer
On Wed, May 21, 2014 at 12:56:32PM +0100, Simon Waters simon.wat...@surevine.com wrote a message of 58 lines which said: BIND 9 logs report: RRSIG has expired for www.ise.gov Indeed. www.ise.gov. 43200 IN RRSIG CNAME 5 3 43200 ( 20140513120652

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Stephane Bortzmeyer
On Fri, Mar 14, 2014 at 12:33:47PM +, Phil Mayers p.may...@imperial.ac.uk wrote a message of 25 lines which said: dig @server zone axfr file diff file file.real diff is not clever enough, you'll find many spurious differences. Try feeding the two files (the local one and the AXFRed one)

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Stephane Bortzmeyer
On Fri, Mar 14, 2014 at 12:33:47PM +, Phil Mayers p.may...@imperial.ac.uk wrote a message of 25 lines which said: dig @server zone axfr file diff file file.real If you're really paranoid, it may not be sufficient since a server may reply differently to normal DNS queries and to zone

Re: source address problem

2014-02-04 Thread Stephane Bortzmeyer
On Tue, Feb 04, 2014 at 10:40:46AM +0100, ro...@ip-plus.net ro...@ip-plus.net wrote a message of 19 lines which said: I use the options query-source, notify-source, and transfer-source. Still I get outgoing queries with another source address. Are you sure they come from BIND and not from,

Re: Rate-limiting - working? How to test?

2014-01-17 Thread Stephane Bortzmeyer
On Fri, Jan 17, 2014 at 01:34:00PM +, John Horne john.ho...@plymouth.ac.uk wrote a message of 40 lines which said: log-only yes; From the ARM: Use "log-only yes" to test rate limiting parameters without actually dropping any requests. I get 10

Re: Gi/Gn DNS for telecoms

2013-11-15 Thread Stephane Bortzmeyer
On Fri, Nov 15, 2013 at 02:47:10PM +0530, benjamin fernandis benjo11...@gmail.com wrote a message of 50 lines which said: Can we use bind DNS for Gi/Gn DNS? I have no idea what Gi/Gn is. Can anyone post an explanation?

Re: Does anyone have DNSSEC problem with uscg.mil

2013-11-15 Thread Stephane Bortzmeyer
These name servers have another interesting feature: the serial number is different depending on whether you set the DO bit or not: % dig +short +dnssec +bufsize=4096 @ns1.uscg.mil SOA uscg.mil osc-bloxmaster.iap.uscg.mil. hostmaster.uscg.mil. 2012079853 10800 1080 604800 900 ... % dig +short

DNS 64 and the new domain ipv4only.arpa

2013-10-21 Thread Stephane Bortzmeyer
I try to understand DNS64 and there is a problem I don't get. I have BIND configured with: dns64 2001:db8:1:64::/96 { // Network-Specific Prefix clients { me; }; }; and it works, synthesis happens when the domain name has no records: % dig +cd @localhost -p

Re: DNS 64 and the new domain ipv4only.arpa

2013-10-21 Thread Stephane Bortzmeyer
On Tue, Oct 22, 2013 at 12:47:38AM +1100, Mark Andrews ma...@isc.org wrote a message of 98 lines which said: dns64 { clients { me; }; break-dnssec yes; }; OK, it works without the DO bit (dig +nodnssec, I had +dnssec in my ~/.digrc) or with

Logging of rate-limited queries way too talkative

2013-09-29 Thread Stephane Bortzmeyer
I'm trying RRL on the new BIND 9.9.4. When RRL steps in, if I understand the documentation properly, two things are logged, a summary of the beginning and end of RRL, and one message per rejected query (!) Since RRL is used when there is an attack, there are *many* such messages. Worse, the

SERVFAIL when two SOA in the domain

2013-08-29 Thread Stephane Bortzmeyer
One of my contacts noticed that you cannot query 42.fr's SOA with BIND: SERVFAIL. Querying other types, or using Unbound (or Google Public DNS) instead of BIND works. The only thing special he sees is the double SOA: % dig SOA 42.fr ; DiG 9.9.2-P1 SOA 42.fr ;; global options: +cmd ;; Got

Re: How to get AD flag

2013-08-02 Thread Stephane Bortzmeyer
On Fri, Aug 02, 2013 at 10:49:22AM +0530, rams brames...@gmail.com wrote a message of 41 lines which said: I have 9.7 bind installed and configured recursive. When I query against forwarder I am not getting AD flag. Could you please guide me how to get AD flag. Several possible reasons:

[auto-dnssec] Switching to NSEC3 leaves behind stale NSEC signatures?

2013-07-31 Thread Stephane Bortzmeyer
I have a zone maintained by: inline-signing yes; auto-dnssec maintain; update-policy local; I switched it from the default NSEC to NSEC3 with: rndc signing -nsec3param 1 0 10 68f499ee auto.rd.nic.fr It seems to work but the zone still contains NSEC signatures (but no

auto-dnssec maintain and no key: no error message?

2013-07-30 Thread Stephane Bortzmeyer
When I run a BIND with auto-dnssec maintain and inline-signing yes, if I create no key, there is no error message and, worse, the log file says the zone is signed: Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (unsigned): loaded serial 2013073000 Jul 30 16:31:42 u12-33673

Re: auto-dnssec maintain and no key: no error message?

2013-07-30 Thread Stephane Bortzmeyer
On Tue, Jul 30, 2013 at 09:50:46AM -0500, Jeremy C. Reed jr...@isc.org wrote a message of 7 lines which said: Of course, there is no signature: % dig +multi @localhost SOA auto.rd.nic.fr Add +dnssec [I thought it was in my .digrc.] It changes nothing. Without a key, BIND could not

Re: auto-dnssec maintain; and key missing or inactive and has no replacement

2013-07-26 Thread Stephane Bortzmeyer
On Thu, Jul 25, 2013 at 12:05:35AM +0100, Tony Finch d...@dotat.at wrote a message of 21 lines which said: Obvious question: does BIND have permission to read the private key? Yes, it runs (it is an experimental setup) as the same user which owns the private key file. I guess it does since

Re: auto-dnssec maintain; and key missing or inactive and has no replacement

2013-07-26 Thread Stephane Bortzmeyer
On Wed, Jul 24, 2013 at 09:58:08AM -0700, David Newman dnew...@networktest.com wrote a message of 89 lines which said: Not sure if this is the problem, but have you tried with managed-keys-directory in options instead of key-directory? I just tried, and same warning: 26-Jul-2013

Re: auto-dnssec maintain; and key missing or inactive and has no replacement

2013-07-26 Thread Stephane Bortzmeyer
On Fri, Jul 26, 2013 at 08:54:26AM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 23 lines which said: I just tried, and same warning: But only at startup and not afterwards so it is an improvement.

Re: auto-dnssec maintain; and key missing or inactive and has no replacement

2013-07-26 Thread Stephane Bortzmeyer
On Fri, Jul 26, 2013 at 08:52:04AM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 24 lines which said: Yes. I tested with two keys, a KSK and a ZSK and the warning disappears. Another solution, even if using only one key, is to add: update-policy local; # Necessary

auto-dnssec maintain; and key missing or inactive and has no replacement

2013-07-24 Thread Stephane Bortzmeyer
I'm trying auto-dnssec maintain; with a BIND 9.9.3-P1. My configuration is: options { directory /tmp/bind; key-directory /tmp/bind; }; zone example { type master; file example; inline-signing yes; auto-dnssec maintain; }; Apparently, everything

Re: New warning message...

2013-07-24 Thread Stephane Bortzmeyer
On Mon, Jul 22, 2013 at 03:01:47PM +1000, Mark Andrews ma...@isc.org wrote a message of 56 lines which said: It SHOULD have record of type SPF as per RFC 4408. Named will complain if both types are not present. Then, named is now wrong, since RFC 6686.

Re: New warning message...

2013-07-24 Thread Stephane Bortzmeyer
On Mon, Jul 22, 2013 at 12:39:53PM +0200, Matus UHLAR - fantomas uh...@fantomas.sk wrote a message of 28 lines which said: This was discussed here already, and imho this is anti-spf bullshit like all those spf breaks forwarding FUD. The SPF RR is already here and is preferred over TXT that

Re: Can I change the zone file from command line?

2013-07-24 Thread Stephane Bortzmeyer
On Tue, Jul 23, 2013 at 02:30:49PM -0400, Kevin Darcy k...@chrysler.com wrote a message of 565 lines which said: When you dial a telephone number, do you worry that your dialing may have consequences against telephone numbers that you *didn't* dial? Seems very unlikely. OK, but switching

Re: dns update issue

2013-07-24 Thread Stephane Bortzmeyer
On Wed, Jul 24, 2013 at 10:52:51AM -0400, James Chase chase1...@gmail.com wrote a message of 64 lines which said: However if I try to ping dns3.mandala-designs.com from different network locations it still returns the IP address of our old server, Probably the usual problem with in-zone

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-19 Thread Stephane Bortzmeyer
On Wed, Jul 17, 2013 at 05:05:31PM -0700, Ray Van Dolson rvandol...@esri.com wrote a message of 36 lines which said: Tried dns-ad...@fbi.gov but got a bounce. :( You want Sandra Bullock's, er, Sarah Ashburn's phone number? http://en.wikipedia.org/wiki/The_Heat_%28film%29

Re: Rate-Limit Question

2013-06-14 Thread Stephane Bortzmeyer
On Fri, Jun 14, 2013 at 02:27:50PM +, Manson, John john.man...@mail.house.gov wrote a message of 138 lines which said: We are running Bind 9.9.2 and would like to invoke the rate-limit option but named says 'unknown option'. RRL (Response Rate Limiting) is an unofficial patch. You'll

Re: querying TLD nameservers - limitations

2013-03-26 Thread Stephane Bortzmeyer
On Sun, Mar 24, 2013 at 04:55:13PM -0700, blrmaani blrma...@gmail.com wrote a message of 17 lines which said: I am developing a monitoring script for internal use and this requires extensive querying of TLD nameservers (a .. m).tld servers. [TLD operator hat on.] Hard to answer without

Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 04:35:39PM +0200, Georg Kahest georg.kah...@internet.ee wrote a message of 19 lines which said: I'm unable to figure out where does one register for jabber.isc.org account. I don't speak for ISC but may I ask why you need one? There are many XMPP providers in the

Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 04:44:53PM +0200, Georg Kahest georg.kah...@internet.ee wrote a message of 19 lines which said: I was interested of idling in bind 10 dev channel. So? XMPP is federated, like any good system (like email). You don't need an account in the isc.org email server to use

Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 05:09:16PM +0200, Georg Kahest georg.kah...@internet.ee wrote a message of 20 lines which said: I'm failing to understand how i should configure my xmpp client ( pidgin ) without user credentials. Without entering username/password i can't add the account, and with

Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 04:17:40PM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 19 lines which said: 1) Choose a XMPP provider. I would recommend Google Talk (gratis, very reliable) since this is the one I use. If you don't like/use Google, jabber.org offers a gratis

Re: How to Limit DNS Request per ip source ?

2013-01-14 Thread Stephane Bortzmeyer
On Mon, Jan 14, 2013 at 06:36:44PM +0530, Gaurav Kansal gaurav.kan...@nic.in wrote a message of 156 lines which said: I tried the following commands, but unfortunately didn't succeed. Why do you want to limit? If it is against a DoS attack, I warn you that most Netfilter modules (for

Re: Caching name server - Choosing the root-servers

2012-12-14 Thread Stephane Bortzmeyer
On Fri, Dec 14, 2012 at 09:00:31AM +, Can Şirin sirin...@itu.edu.tr wrote a message of 114 lines which said: I mean, choosing the faster ones (root-servers) is gonna be better for speed performance. Yes, but BIND does it (testing the fastest) and probably better than you. Is there any

Re: multiple entries for TXT record

2012-10-26 Thread Stephane Bortzmeyer
On Fri, Oct 26, 2012 at 06:08:32AM -0700, enigmedia online-...@enigmedia.com wrote a message of 29 lines which said: TXT IN (v=spf1 a mx ptr ip4:65.49.39.152/29 ~all DZC=DlaVBmG) This is *one* TXT record made of two strings. Whether or not the SPF standard

Re: multiple entries for TXT record

2012-10-26 Thread Stephane Bortzmeyer
On Fri, Oct 26, 2012 at 06:31:31AM -0700, enigmedia online-...@enigmedia.com wrote a message of 34 lines which said: I wasn't sure if I was allowed to have more than one TXT record in a zone, and when I googled around the only references I saw were to concatenating multiple name-value pairs

[DNSSEC] Dealing with an inconsistent NSEC

2012-10-23 Thread Stephane Bortzmeyer
It may be a bug in BIND and it is certainly a bug in the zone pcextreme.nl. BIND validating resolvers are unable to get the IP address of v1.pcextreme.nl. I believe this is because of the strange NSEC: tools-newerst.pcextreme.nl. 2315 IN NSEC v2.pcextreme.nl. RRSIG NSEC which says

Re: [DNSSEC] Dealing with an inconsistent NSEC

2012-10-23 Thread Stephane Bortzmeyer
On Tue, Oct 23, 2012 at 06:27:12AM -0700, Casey Deccio ca...@deccio.net wrote a message of 88 lines which said: The issue here is that no delegation NS records exist for v1.pcextreme.nl in its parent zone, pcextreme.nl. Thus when any server (authoritative for both zones) is queried for

Re: DNS software used by cloudflare

2012-09-18 Thread Stephane Bortzmeyer
On Tue, Sep 18, 2012 at 08:31:13PM +0800, pangj pa...@riseup.net wrote a message of 12 lines which said: do you know what dns software is used by cloudflare? I don't know. and how they defend the DDoS against DNS? http://blog.cloudflare.com/65gbps-ddos-no-problem

Re: Glue from Root Servers returns wrong A record, why?

2012-09-11 Thread Stephane Bortzmeyer
On Mon, Sep 10, 2012 at 11:47:38AM -0700, Ponga ponga2...@gmail.com wrote a message of 55 lines which said: But if I ask any root server, [...] DiG 9.7.3 -t ns intaq.com @192.42.93.30 192.42.93.30 is not a root name server.

Re: Root hints updates

2012-09-06 Thread Stephane Bortzmeyer
On Thu, Sep 06, 2012 at 08:06:45AM -0400, Timothe Litt l...@acm.org wrote a message of 466 lines which said: This is a script to automagically update the root hints file. Since the first thing BIND does at startup is to check the root NS set, and since DNSSEC guarantees that it is genuine,

Re: Question related to domain names and less to bind straight.

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 07:51:05AM +0100, Phil Mayers p.may...@imperial.ac.uk wrote a message of 18 lines which said: See also: http://publicsuffix.org/ And remember it is unofficial, not perfectly maintained and has several holes. It's OK if you accept a few misclassifications.

Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 10:01:45AM +0300, syed haq smu...@gmail.com wrote a message of 66 lines which said: EDNS not supported by ***.**.**.** 1) Test your name server to be sure the diagnostic is correct: dig +bufsize=4096 @YOUR-NAME-SERVER SOA YOUR-DOMAIN You should get in the answer

Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 11:11:43AM +0300, syed haq smu...@gmail.com wrote a message of 134 lines which said: That means EDNS is not supported by that var of SunOS, can you give me the commands for checking the EDNS, BIND version in SunOS I already gave them (dig). You simply cannot expect to

Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 04:29:25PM +0300, syed haq smu...@gmail.com wrote a message of 769 lines which said: That means I need to completely upgrade the OS to make the EDNS support Personal opinion: you need to follow a serious Unix sysadmin training first. From your messages, it seems you

Re: ho to filter hundeds of domains ?

2012-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 30, 2012 at 02:14:38PM +0200, fddi f...@gmx.it wrote a message of 23 lines which said: I need to implement a bind filter for many hundreds of domains which are considered outlaw and illegal See http://pwd.io/guide/. Very good ebook.

Re: ho to filter hundeds of domains ?

2012-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 30, 2012 at 01:34:07PM +0100, Niall O'Reilly niall.orei...@ucd.ie wrote a message of 32 lines which said: Don't waste your time. This approach is superficial. http://www.bortzmeyer.org/images/please-close-gate.jpg :-)

Re: ho to filter hundeds of domains ?

2012-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said: Actually many telephone companies in the world are doing this, They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer). Copying telephone companies is not

Re: Filtering IPv6 AAAA records?

2012-07-25 Thread Stephane Bortzmeyer
On Tue, Jul 24, 2012 at 07:06:09PM +0100, Paul Reilly parei...@tcd.ie wrote a message of 61 lines which said: Is it possible using the BIND resolver to filter out record replies to end clients? It's probably less work to actually enable IPv6 access... In 2012, this is not even a big

Re: lot of 'ripe.net IN ANY +ED' queries

2012-07-24 Thread Stephane Bortzmeyer
On Mon, Jul 23, 2012 at 04:49:24PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 15 lines which said: Buggy. It parses the DNS packet from the end and therefore fails with EDNS packets (which have the OPT resource record at the end). After checking, I stand corrected

Re: lot of 'ripe.net IN ANY +ED' queries

2012-07-23 Thread Stephane Bortzmeyer
On Mon, Jul 23, 2012 at 02:07:51PM +0200, Marek Salwerowicz marek_...@wp.pl wrote a message of 30 lines which said: What I made now, is just to parse logs and block IPs that ask for ripe.net via ipfw. As mentioned by Phil Mayers, the source IP address is forged. By blocking this IP, you

Re: lot of 'ripe.net IN ANY +ED' queries

2012-07-23 Thread Stephane Bortzmeyer
On Mon, Jul 23, 2012 at 03:09:35PM +0200, Marek Salwerowicz marek_...@wp.pl wrote a message of 18 lines which said: BTW - is this attack any new kind of virus/spyware or sth ? Not every security problem on the Internet is a virus. And I do not see why a spyware would like to DoS people.

Re: lot of 'ripe.net IN ANY +ED' queries

2012-07-23 Thread Stephane Bortzmeyer
On Mon, Jul 23, 2012 at 04:42:11PM +0200, Ondřej Caletka ondrej.cale...@cesnet.cz wrote a message of 159 lines which said: I use this iptables matcher to identify incoming query type: https://github.com/oskar456/xt_dns Buggy. It parses the DNS packet from the end and therefore fails with

Re: disabling Any requests

2012-07-13 Thread Stephane Bortzmeyer
On Fri, Jul 13, 2012 at 10:26:55AM +0200, Dns Administrator dnsadm...@gmail.com wrote a message of 186 lines which said: Googling the issue I found that it was well known and had something to do with dns amplification and denial of service. Yes. Already discussed a lot on this list and on

Re: A large number of ANY query type queries

2012-03-29 Thread Stephane Bortzmeyer
On Wed, Mar 28, 2012 at 04:08:33PM +0800, ShanyiWan w...@114.com.cn wrote a message of 104 lines which said: On the DNS server, a large number of ANY type queries occur, why? The same IP address, produced a large number of requests within a very short period of time. Can I block these IPs?

Re: A large number of ANY query type queries

2012-03-28 Thread Stephane Bortzmeyer
On Wed, Mar 28, 2012 at 04:08:33PM +0800, ShanyiWan w...@114.com.cn wrote a message of 104 lines which said: On the DNS server, a large number of ANY type queries occur, why? Probably the reflection+amplification attack which goes on, specially in China, for several months. CNCERT knows

Re: A large number of ANY query type queries

2012-03-28 Thread Stephane Bortzmeyer
On Wed, Mar 28, 2012 at 10:20:40AM +0200, Matus UHLAR - fantomas uh...@fantomas.sk wrote a message of 18 lines which said: yes you can. But it is a bad idea, since the source IP addresses are almost certainly forged.

Re: A large number of ANY query type queries

2012-03-28 Thread Stephane Bortzmeyer
On Wed, Mar 28, 2012 at 10:39:11AM +0200, Anand Buddhdev ana...@ripe.net wrote a message of 25 lines which said: It's probably better to rate-limit the address. You can do that on your server with iptables (Linux) or ipfw (*BSD) or on your router. A possible solution for Linux' Netfilter

rndc flush /recursive ?

2012-02-27 Thread Stephane Bortzmeyer
With Unbound, there are two commands to clear the cache, one which deletes only the records with the exact name and one which is recursive (deletes everything under the name). With BIND, I find only the first one, rndc flushname. Any command that I missed to delete recursively?

Re: rndc flush /recursive ?

2012-02-27 Thread Stephane Bortzmeyer
On Mon, Feb 27, 2012 at 08:36:28AM -0500, Bill Owens ow...@nysernet.org wrote a message of 18 lines which said: It's in the new 9.9.0 rndc: Thanks, exactly what I needed. On Tue, Feb 28, 2012 at 12:37:17AM +1100, Mark Andrews ma...@isc.org wrote a message of 21 lines which said:

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-10 Thread Stephane Bortzmeyer
On Thu, Feb 09, 2012 at 12:38:42PM -0800, Casey Deccio ca...@deccio.net wrote a message of 67 lines which said: Actually, it should, in the spirit of DNSSEC. OK, so there is nothing that can be done at the registry level. Only the resolver admin can use DNSSEC to solve the ghost domain

DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-09 Thread Stephane Bortzmeyer
In https://www.isc.org/software/bind/advisories/cve-2012-1033, ISC writes: ISC continues to recommend that organizations with security needs who are reliant on the Domain Name System proceed with adoption of DNSSEC; DNSSEC is the best known method of mitigating this issue. But ISC provides
