Right now we have our external view for adi.com set up to use
inline-signing with the following entries in our named.conf file:
inline-signing yes;
key-directory "dnssec";
auto-dnssec maintain;
I now need to allow dynamic updates to support letsencrypt which needs
to add txt records when the
> Just wonder if there is some agreed guidance on what steps I SHOULD take
> to get bind-9.11.0-P2 successfully build on Debian 9.0?
>
>
> /usr/bin/ld: //lib64/libcrypto.a(a_object.o):
> relocation R_X86_64_PC32 against symbol `ASN1_OBJECT_free'
> can not be used when making a shared object;
In the following I meant to say 'dnssec-validation' instead of 'dnssec-enable'.
> > https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
> >
> > Towards the end of the blog, there is a short list of possible corner
> > cases that could trip people up during the
> https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
>
> Towards the end of the blog, there is a short list of possible corner
> cases that could trip people up during the rollover. If
> you folks can think of others, please do share them.
I found a case
> In message
>
colostate.edu. 172800 IN NS dns1.colostate.edu.
colostate.edu. 172800 IN NS dns3.colostate.edu.
;; Received 119 bytes from 192.41.162.30#53(l.edu-servers.net) in 78 ms
www.cloudsat.cira.colostate.edu. 3600 IN CNAME
> > That is mostly how I thought it worked. What I had in mind more
> > specifically was:
> >
> > adi.com zone:
> > mackerel.adi.com. IN A 75.100.245.141
> > mackerel.adi.com. IN A 96.85.104.76
> >
> > reverse zones:
> > 141.245.100.75.in-addr.arpa. IN PTR mackerel.adi.com
> >
This is not a BIND question but I hope people here will know the answer.
We are switching service providers and I understand that many email SPAM
prevention systems insist on the reverse DNS matching the forward DNS.
If I have two A records for our mail server and the reverse record matches
one of
> On 17.03.2016 at 14:53, Thomas Schulz wrote:
>> This is not a BIND question but I hope people here will know the answer
>> We are switching service providers and I understand that many email
>> SPAM prevention systems insist on the reverse DNS matching the forward
We currently have adi.com signed using options:
inline-signing yes;
auto-dnssec maintain;
If I change an A record or add a new A record, will the signing be
automatically updated or do I have to do an rndc sign zone?
Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
A recommended way to set up a ZSK rollover is to set the inactive date of
the current key one month later than the publish date of the replacement key.
This makes sense as the RRSIG records are created to last one month from
their creation date.
Now if I try to speed up the ZSK rollover to make
As of the time I am sending this, you can point your browser to
http://com.google and get a web page. How did they get com.google
to resolve?
Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
This last week we had a sudden large increase in the size of the named
process resulting in the machine running out of memory and hanging.
This is with bind 9.9.6 on a Solaris 10 Sparc machine.
I have posted in the past about a steady continuous growth in the
size of the named process. The
I have been asked to dump the statistics to help document a suspected
memory leak in named. When I look at the statistics with Firefox, I see
a nicely formatted set of statistics. If I then dump the statistics to
a file with wget and then use Firefox to view the file, I see data but
there is no
On Mon, 13 Oct 2014, Thomas Schulz wrote:
I restarted bind 9.9.6 with a max-cache-size of 30M. We have 3 views.
The initial process size was 36 MB. The process grew to 184 MB. It grew
to 596 MB without the max-cache-size being set and was still growing
when I restarted it. BUT when I
Hi,
After reinitialising the inline-signing process (for example by
removing the journal files or redeploying the master server) the
freshly signed zone's serial number will usually be behind the
authoritative version on the slaves causing transfers to fail
possibly leading to expired
...
Heh thanks, yeah...initially I was erring on the side of caution and using
9.9.x because it's served us well (~20k recursive clients without any
significant problems). Meanwhile we've been keeping a close eye on
community comments, and to be honest opinions wax and wane. Just as I
9, 2014 at 10:17 AM
To: Thomas Schulz sch...@adi.com
Cc: bind-us...@isc.org bind-us...@isc.org
Subject: Re: bind-9.10.0-P2 memory leak?
I'm having the exactly same issue. Take a look at my post @ServerFault:
http://serverfault.com/questions/616752/bind-9-10-constantly-killed-on-freebsd-10-0
Can you copy and paste the out of memory error you are seeing? Is it
still growing? Does it appear to work?
I see your other thread answers some.
https://lists.isc.org/pipermail/bind-users/2014-July/093618.html
Unfortunately the logs containing the out of memory errors have been
purged.
On 9/11/2014 11:51 AM, Mark Elkins wrote:
On Thu, 2014-09-11 at 11:27 -0400, Kevin Darcy wrote:
Mark,
Depending on implementation, a PTR RRset with multiple
records either
-- only ever gets answered with the first record of the set (in
which case the second and subsequent
Hi,
xxx.com and IP address 192.168.1.100 are just an example domain name and IP
address. Our boss wants everybody to access our domain example.com through a
browser and then have it redirect to our web site www.example.com. So I want
to get more information about the unexpected impact when we changed DNS
Hello
I recently upgraded my authoritative nameservers to bind-9.10.0-P2 and
after a while one of them ended up using all its swap and the named
process got killed. The other servers are seeing similar behaviour, but
I restarted named on all of them to postpone further crashes.
I am
On Wed, Jul 23, 2014 at 02:15:34PM -0400, Thomas Schulz wrote:
In investigating an out of memory error on a Solaris 8 Sparc
machine (compiled as a 32 bit executable), I find that the process
size increase due to the cache does not make sense.
Over about a week the process size had grown
On Thu, Aug 14, 2014 at 02:26:54PM -0500, Bill Christensen wrote:
I'm seeing some root server errors on startup:
14-Aug-2014 13:14:08.142 info: host unreachable resolving
'd.gtld-servers.net//IN': 2001:503:ba3e::2:30#53
14-Aug-2014 13:14:08.215 info: host unreachable resolving
In investigating an out of memory error on a Solaris 8 Sparc
machine (compiled as a 32 bit executable), I find that the process
size increase due to the cache does not make sense.
Over about a week the process size had grown to 257 MB, up from an
initial size of 36 MB. But when I dumped the cache
You'll want to use max-cache-size to enforce a hard limit on the size
of your cache.
http://www.zytrax.com/books/dns/ch7/hkpng.html#max-cache-size
/Tim
---
Tim Krzywonos
e:: t...@krzywonos.ca
Thanks for reminding me of that. Now that I have some confidence
that the problem is the
Have you tried an rndc flush? You can also dump the contents of the
cache to find the (approximate) size of the cache. If related to cache,
you can tweak parameters to cache, most namely max-cache-size. IIRC,
the cache doesn't have a size limit by default.
/Tim
I did an rndc
I did an rndc dumpdb
We are running Bind on a Sun Sparc machine running Solaris 8. Bind is
built as a 32 bit executable as that is the default and is the way
libcrypto and libxml2 are built. We have been running Bind 9.9.5.
I am now trying Bind 9.9.6b1 as that claims to have fixed some memory
leaks.
For some time now
Asking again, in a different and more generic form: When rebuilding a
bind 9.9.4 server running DNSSEC with auto maintain, are there any steps
I need to take beyond just backing up /var/named/etc/namedb (this is on
FreeBSD) and restoring?
This server is authoritative and primary, and has
I just remembered there was also the change to the db file
having a default raw format on slaves unless specified.
Interesting. I did not notice that when it happened, but now that I
look, I see that my slaves indeed have raw format files. Apparently
the switch over did not require me to do
Once the DS record is removed from the .edu zone, queriers won't
expect your zone to be signed any more. At that point, you can leave
it signed or remove the signatures, and it won't make any difference.
You just need to wait at least 24 hours from the time the record
disappears from the
Views have been in bind for all recent history.
I've watched this thread and have been biting my tongue as long as I
could.
I'm a proponent of separating servers and NOT using views, as any of
you that have taken a class that I've taught will attest.
I've seen too many problems over
Has anyone been able to get Network Solutions to add DS records for
their domain? I am trying to get DS records added for my domain and
so far it looks like Network Solutions can not do that.
Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
If I was a NetSol customer, I would ask them, Why not?
And if I were a NetSol customer, I would ask myself, Why?
If I were a capitalist, I'd vote with my wallet and go somewhere with the
features I want.
Well, we started with them back when they were the only company registering
domain
gandi.net +1
I transferred from NS to Gandhi in December 1998. I don't know about their
hosting of primary DNS but they do host a secondary of mine and it seems to
resolve there with an aa flag:
Yep, secondary works, but they can't be a DNSSEC primary.
Steve
We host the primary
Sorry for the bad advice.
Am I correct in thinking that in the case of a hidden master and a chain
of slaves, that the first publicly accessible slave would do the signing
and that in any case only one instance of bind should do the signing?
Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
Hi!
# named -V
BIND 9.9.3-rl.13204.02-P2
I have configured slave zones with inline signing:
zone mydomain.at {
type slave;
file /etc/bind/mydomain.at;
masters { 1.2.3.4; };
key-directory /etc/bind/keys;
auto-dnssec maintain;
According to the book DNSSEC Mastery, I should be able to test if my
Bind is correctly set up to use the DLV with the command:
dig +dnssec nsec3.dlvtest.dns-orac.net
And I should expect to see the RRSIG records and see the AD
flag set. I do get the RRSIG records but I do not see the AD
On Wed, Nov 27, 2013 at 01:30:37PM -0500, Thomas Schulz wrote:
According to the book DNSSEC Mastery, I should be able to test if my
Bind is correctly set up to use the DLV with the command:
dig +dnssec nsec3.dlvtest.dns-orac.net
dns-oarc, not dns-orac. (OARC: Operations, Analysis
At Tue, 28 Dec 2010 15:50:23 -0500 (EST), Thomas Schulz wrote:
It looks like I am a little dim today. Given gpg and the key, what steps
do I do to verify a source package?
General case:
$ gpg --verify sigfile tarball
Eg:
$ gpg --verify bind-9.7.2-P3.tar.gz.sha256.asc bind
When I copied the key for root from
http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers
I ended up with spaces in the key. I assumed that they should not be there
and removed them. I since noticed that the key in /etc/bind.keys supplied
with the bind distribution has
In article glpv2m$2l4...@sf1.isc.org,
Andre LeClaire alecla...@yahoo.com wrote:
Mark Andrews wrote:
In message 497caef2.80...@yahoo.com, Andre LeClaire writes:
Hello everyone,
I've been seeing these syslog messages for about a week on a FreeBSD
server running BIND 9.4.3-P1:
Jan 25 02:35:21
In article glp3rc$23p...@sf1.isc.org,
Jan Arild Lindstrøm j...@telenor.net wrote:
Hi,
ah, of course. I did not think about it as a Solaris bug.
I patched BIND 9.6.0-P1 os.c code so it first checks for the directory
before it tries the fast approach of just running mkdir. And
In article gkqqei$1nq...@sf1.isc.org,
Frank Bulk - iName.com frnk...@iname.com wrote:
Yes, I read that last night before posting. I changed it to 256M. Is
there a way using rndc to see if that took?
Note that 9.5.1 reverts the limit to unlimited AND fixes the bug causing
the failure. You
In article gi2uke$2d8...@sf1.isc.org,
Leonardo Rodrigues Magalhães leolis...@solutti.com.br wrote:
Peter Dambier wrote:
> I can confirm bind 9.4 does run on an (IBM, not Intel) 486-SCL/2 with 16 MB.
> That cp
In article ghtmfl$2rc...@sf1.isc.org,
Sam Wilson sam.wil...@ed.ac.uk wrote:
In article ghtjng$2pd...@sf1.isc.org,
Barry Margolin bar...@alum.mit.edu wrote:
Does anyone still read this list via the comp.protocols.dns.bind Usenet
gateway? I do, and ever since the web site and mailing list