Re: Freezing a Zone vs. Stopping the DNS Server

2021-09-29 Thread Timothe Litt
on the records.  It's easier, doesn't stop service, and because it automates the mechanics, safer. BTW: I recommend using TSIG for authorization with nsupdate rather than IP addresses. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my

Re: Notice of plan to deprecate map zone file format

2021-09-10 Thread Timothe Litt
On 10-Sep-21 13:11, Evan Hunt wrote: > Recently a critical bug was discovered in which map files that were > generated by a previous version of BIND caused a crash in newer versions. > It took over a month for anybody to report the bug to us, which suggests > that the number of people willing to

Re: Notice of plan to deprecate map zone file format

2021-09-10 Thread Timothe Litt
data structure that didn't require "updating node pointers" (e.g. that used offsets instead of pointers) may be worth considering.  In current hardware and with a decent compiler and coding, the apparent cost of this over absolute pointers may well be vanishingly small. OK, that was

Re: Notice of plan to deprecate map zone file format

2021-09-10 Thread Timothe Litt
On 10-Sep-21 08:36, Victoria Risk wrote: > > >> On Sep 10, 2021, at 7:24 AM, Timothe Litt > <mailto:l...@acm.org>> wrote: >> >> Clearly map format solved a big problem for some users.  Asking >> whether it's OK to drop it with no statement

Re: Notice of plan to deprecate map zone file format

2021-09-10 Thread Timothe Litt
t restart times are acceptable for their environment - obviously a function of the number and size/content of zones.  And is a restart "all or nothing", or would some priority/sequencing of zone availability meet requirements? Timothe Litt ACM Distinguished Engineer -- This commu

Re: RE: No more support for windows

2021-06-10 Thread Timothe Litt
BIND won't support windows, that WSL is imperfect, and that an alternative to complaining might be helpful...  Feel free to s/Linux/(Solaris|FreeBSD|VMS|yourfavorite/g. I don't have a need for BIND (except the tools) under Windows, so I'm not volunteering to implement this. FWIW. Timothe Li

Re: root.hints - apparmor access error with Bind from PPA

2021-06-04 Thread Timothe Litt
addresses wrong.  (Didn't have many IPv6.)  root.hint really IS stable - and so, therefore, are the named built-ins. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 03-Ju

Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-04-29 Thread Timothe Litt
o make DNS queries[no, not named!], including control) - yes: prefer to keep FWIW - YMMV. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 29-Apr-21 07:35, Ondřej Surý w

Re: Status of zytrax.com "DNS for Rocket Scientists" website

2021-04-21 Thread Timothe Litt
e.org/web/20201223034301/https://www.zytrax.com/books/dns/> Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 20-Apr-21 19:09, Victoria Risk wrote: > Ron Aitchinson called me thi

Re: How Zone Files Are Read

2020-12-16 Thread Timothe Litt
On 16-Dec-20 13:52, Tim Daneliuk wrote: > On 12/16/20 12:25 PM, Timothe Litt wrote: >> On 16-Dec-20 11:37, Tim Daneliuk wrote: >>> I ran into a situation yesterday which got me pondering something about >>> bind. >>> >>> In this case, a single line i

Re: How Zone Files Are Read

2020-12-16 Thread Timothe Litt
ning, > just trying to understand for future reference. > > TIA, > Tim DNS is complicated.  The scope of an error in a zonefile is hard to determine. To avoid this, your automation should use named-checkzone before releasing a zone file. This will perform all the checks that na

Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-08 Thread Timothe Litt
tment, since broken DNS is externally visible - and frequently catastrophic." I'll finish with a 1987 quote from Leslie Lamport on distributed systems, which the DNS most certainly is: "A distributed system is one in which the failure of a computer you didn't even know existed can render y

Re: How can I launch a private Internet DNS server?

2020-11-07 Thread Timothe Litt
ps://tools.ietf.org/html/rfc2182) is fairly readable and describes many of the considerations involved in selecting secondary DNS servers.  DNS appears deceptively simple at first blush.  Setting up a serviceable infrastructure requires an investment of thought and on-going maintenance.  You will not be h

Re: Request for review of performance advice

2020-07-10 Thread Timothe Litt
orld...)  While full automation can be fun, it's amazing how much one can get out of a spreadsheet with/autofilter.  (For the next level, pivot tables and/or charts...) Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Timothe Litt
what you intend.  Use -b to explicitly bind to a particular interface. (Or, if you use TSIG to match views, -k) Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matter

Re: DNSSEC - many doubts

2020-04-03 Thread Timothe Litt
or AMD cpu since ~2015 has RDRAND/RDSEED. There are some religious arguments about booby-trapped hardware sources - these days, kernels will mix all sources, so I don't get too upset.  But YMMV. Timothe Litt ACM Distinguished Engineer -- This communication may not represe

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Timothe Litt
to do (TSIG-signed) updates. As for the next layer - XML or whatever - that's another project.  If you speak Perl, it would not be difficult to wrap Net::DNS to meet your needs. P.S. Other than using it (and reporting the occasional bug), I have no relationship with Net::DNS :-) Timothe Litt ACM

Re: with dot in NAME for ACME via dynamic update (Axel Rau)

2020-03-14 Thread Timothe Litt
Er, dig _acme-challenge.imap.lrau.net. is missing a record type.  The default is A. dig _acme-challenge.imap.lrau.net. txt will likely give you better results Timothe Litt ACM Distinguis

Re: Advice on balancing web traffic using geoip ACls

2020-02-23 Thread Timothe Litt
ort, which may be worthwhile if it allows you to concentrate on your unique value proposition. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 22-Feb-20 20:25, Scott A. W

Re: A policy for removing named.conf options.

2019-07-07 Thread Timothe Litt
ied should be produced.  --fix would shift the burden of finding the affected options from the user to software - making it (a) more likely to happen (b) easier - especially for configurations that span dozens (or hundreds) of 'include'd files. I don't think there's a single universal solution to h

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-17 Thread Timothe Litt
"only zone, not options or view". My 3.5¢ (USD, but your local currency will do :-) Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 17-Mar-19 16:37, Alan Clegg

Re: bind and certbot with dns-challenge

2019-03-17 Thread Timothe Litt
s, or ideas that work in one context but not another. They're responsive to criticism & contributions.  But name-calling is generally not an effective way to get anyone to help you. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my

Re: named cpu usage pretty high because of dns_dnssec_findzonekeys2 -> file not found

2019-03-11 Thread Timothe Litt
On 11-Mar-19 03:52, Mark Andrews wrote: > Because you removed the key from disk before it was removed from the zone. > Presumably named > was logging other error messages before you removed the key from disk or the > machine was off > for a period or you mismanaged the key roll and named keep

Re: Forward zone inside a view

2019-02-12 Thread Timothe Litt
ot helpful.  Even though they are correct in other contexts. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. > On 12-Feb-19 17:45, Kevin Darcy wrote: > Define root zone

Re: Forward zone inside a view

2019-02-11 Thread Timothe Litt
set up distinct address pools - and possibly VLANs. DNS is the wrong hammer for this nail.  Whether you should hammer the nail at all is a political, not a technical issue. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer'

Re: forward all but ANY requests

2018-11-30 Thread Timothe Litt
On 30-Nov-18 08:14, Erich Eckner wrote: > On 30.11.18 12:26, Timothe Litt wrote: >> On 30-Nov-18 06:04, Erich Eckner wrote: >>> Hi, >>> >>> I'm running a bind9 name server (9.13.4 on debian) which forwards some >>> zone (onion.) to tor's name serv

Re: forward all but ANY requests

2018-11-30 Thread Timothe Litt
. You have to ask explicitly for the record types that you want. Many people have fallen into the trap of thinking that an ANY query will return all records in the DNS, and assume that therefore it can be used to make fewer queries.  You're not the first. Any software (or wetware) that relie

Re: dig @ipv6-address

2018-11-29 Thread Timothe Litt
not in anyone's interest when people post obfuscated questions... Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

Re: Method of writing zone files

2018-11-13 Thread Timothe Litt
on the minutiae of BINDs implementation. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 12-Nov-18 14:39, Marcus Frenkel wrote: > Thank you for the quick reply Tony! > > Fo

Re: Dropping queries from some well-known ports

2018-08-03 Thread Timothe Litt
NA. [Although this is a security issue, I'm not revealing anything new here.  The commit is 12 years old.  It has been standard advice for many years not to run these services on the public internet.  If anyone IS running them (I think NIST is still running the time services), they should know the risk, and

Re: Authoritative dns with private IP for hostname

2018-07-27 Thread Timothe Litt
On 27-Jul-18 11:59, Elias Pereira wrote: > hello, > > Can an authoritative dns for a domain, eg mydomain.tdl, have a > hostname, example, wordpress.mydomain.tdl with a private IP? > > Would this be accessible from the internet via hostname, if I did a > nat on the firewall? > > -- > Elias

Re: tool for finding undelegated children in your DNS

2018-07-27 Thread Timothe Litt
ve checks (dnsviz is oriented around DNSSEC, but does many other checks). It's a good idea to run one or the other regardless of this point issue.  Actually - I run both. Of course the usual caveats about stealth (unlisted) servers apply. Timothe Litt ACM Distinguished Engineer -

Re: PKCS#11 vs OpenSSL (BIND Future Development Question)

2018-06-03 Thread Timothe Litt
the best long-run option.  If you can't, (or are encouraged not to by other customers), you could solve a lot of the customer pain by making the provider loadable. For entropy, I use a mixture of USB keys and CPU hardware generators.  As I may have mentioned, I use EntropyBroker to distribute

Re: Should we bundle the MaxMind GeoIP db?

2018-05-30 Thread Timothe Litt
On 30-May-18 17:27, Victoria Risk wrote: > Hello GeoIP users, > > We are aware that Maxmind is discontinuing their older free GeoLite > location database and replacing it with a new database with a new > format (GeoLite2). https://dev.maxmind.com/geoip/geoip2/geolite2/ > > We have an issue open

Re: BIND Server running but not responding

2018-04-18 Thread Timothe Litt
On 18-Apr-18 09:51, Admin Hardy wrote: > > I would be so grateful of your help in this issue. > > I am running BIND 9 on Windows 7 > Service "ISC BIND" shows as started up > Warren's right.  And change your rndc-key's secret ASAP. Timothe Lit

Re: Re: Suggestions for a distributed DNS zone hosting solution I'm designing

2018-03-09 Thread Timothe Litt
. noc.esgob.com has a recently expired certificate, and redirects to one line text page (his name). The github repository is empty. So it appears to be defunct. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, i

Re: Re: DNSSEC validation without current time

2017-12-18 Thread Timothe Litt
rature & PCB layout), so 5 min/month.  TSIG fudge is nominally 5 min, so resyncing every 1-2 weeks is close enough.  And also close enough for sane DNSSEC configurations.  You can resync more often, but it's a fair bit of bit-banging on a slow bus (I2C or SPI for most), and there's no point.

Re: Re: DNSSEC validation without current time

2017-12-15 Thread Timothe Litt
adafruit.com/?q=ultimate%20gps - I'm not affiliated with Adafruit, and while I've looked at the specs, don't have direct experience.  YMMV. Enjoy. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on th

Re: DNSSEC validation without current time

2017-12-15 Thread Timothe Litt
ake sure that dependencies on a valid time are properly expressed in your startup scripts. Bottom line: your problem is getting a reasonable time, not with the consumer(s). Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my empl

Re: DNAME usage?

2017-11-21 Thread Timothe Litt
On 17-Nov-17 18:04, Mark Andrews wrote: > DYN used to just require a TSIG signed update request set to a server > specified in > a SRV record. Depends on which service.  The one I referred to is the one that was popular (free) for people who wanted to reach a machine on a dynamic IP address. 

Re: Re: DNAME usage?

2017-11-17 Thread Timothe Litt
On 17-Nov-17 14:48, Mark Andrews wrote: > Alternatively use a http server that can update the records for the > interfaces it is listening on. > > This sort of thing is possible. Named gets informed by the OS when addresses > get added and removed. It currently just adds and removes listening

Re: Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

2017-09-10 Thread Timothe Litt
them... The effort of maintaining a private copy of the root hints isn't worthwhile. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 09-Sep-17 23:14, Stefan Sticht wrote: > H

Re: Re: make AAAA type the default for dig

2017-06-14 Thread Timothe Litt
On the original topic, it would be nice to have a dig option that returned both A and AAAA with one command. Since it does this, I tend to use 'host' (note that host -v gives the same response detail as dig -t A ; dig -t AAAA ; and dig -t MX). On the other remarks, inline. On 14-Jun-17 21:09,

Re: RE: Providing GeoIP information for servers

2017-05-11 Thread Timothe Litt
if they'll fix your address. https://support.maxmind.com/geoip-data-correction-request/ They may require evidence that Comcast has delegated the address to you. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if an

Re: Re: Slow zone signing with ECDSA

2017-04-19 Thread Timothe Litt
akes a distinction...you get to pick one for everything. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

Re: Re: Bind Queries log file format

2017-02-04 Thread Timothe Litt
On 04-Feb-17 04:27, Phil Mayers wrote: > On 03/02/17 16:45, Mukund Sivaraman wrote: > >> The query log is getting more fields at the end of it such as >> CLIENT-SUBNET logging. > > Although it would be super-disruptive, has any thought been given to > moving to an entirely new log format, for

Re: Re: DNSSEC validation failures for www.hrsa.gov

2016-06-25 Thread Timothe Litt
ules] If this is correct, the project website for Eagle DNS would appear to be: http://www.unlogic.se/projects/eagledns It seems a rather odd choice for a .gov (US Health and Human Services) owned domain...though one never knows what IT outsourcing will produce :-) Timothe Litt ACM Distinguishe

Re: Writeable file already in use

2016-01-05 Thread Timothe Litt
s a lot of work, or the next technology comes along. To misappropriate a K quote - "Your constant is my variable". Or the ever popular "If you don't take the time to do it right, you'll have to make the time to do it over...and over again". Timothe Litt ACM Distinguished Engineer --

Re: Re: intermittent SERVFAIL with a DLV domain

2015-12-24 Thread Timothe Litt
arpa//IN': > 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53 > 23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving > '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': > 217.168.153.95#53 > > T

Re: Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477

2015-09-08 Thread Timothe Litt
enssl. Make sure that you have the openssl-dev RPMs installed. Don't try to build that from source; RedHat heavily patches it & other packages depend on the changes. Switching to the RedHat version of named may be your best option. This should not be difficult; make uninstall; yum in

Re: Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477

2015-09-07 Thread Timothe Litt
on't have too many patch conflicts to resolve. After you've done this once or twice, you'll want to revisit your need for local changes - either decide they're not that important, or offer them to ISC. Maintaining a private version is work. Timothe Litt ACM Distinguished Engineer --

Re: Re: Identify source of rndc reconfig command?

2015-08-25 Thread Timothe Litt
case, report a bug in the log manager's config - named's own log file management avoids all those hassles.) Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 24-Aug-15 17:55

Re: DNSSEC secondary (free) - Was - Re: Can I run two name servers on one host with two IP addresses?

2015-08-20 Thread Timothe Litt
On 20-Aug-15 10:50, /dev/rob0 wrote: On Thu, Aug 20, 2015 at 02:07:57PM +0200, Robert Senger wrote: There are a number of providers out there offering secondary dns services for free or for a few bucks/month. Even DNSSEC is possible for free. This is good news! I knew there were several good

Of long names...

2015-03-15 Thread Timothe Litt
that bind is happy to create and resolve similar names... Oh, and the third record does resolve, which makes me suspicious of the name length. Any ideas on this mystery? -- Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my

Re: Of long names...

2015-03-15 Thread Timothe Litt
, they refuse to escalate. I've made an out-of-band attempt to get the attention of their management. FWIW, bind is quite happy to accept these names in a domain where I run my own servers. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM

Re: Of long names...

2015-03-15 Thread Timothe Litt
, which is why I stepped into the support morass. I'm tempted to move the domain to my own servers, but I really hate to let vendors get away with customer-unfriendly support. Other people don't have the same ability to fight back. Timothe Litt ACM Distinguished Engineer

Re: BIND DNSSEC Guide draft

2015-01-04 Thread Timothe Litt
to generate TLSA records. And it supports SPKI selectors... So you might want to point to it. I'll try to have a closer look later. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters

Re: Re: Wrong NSEC3 for wildcard cname

2014-11-20 Thread Timothe Litt
On 19-Nov-14 19:03, Graham Clinch wrote: Hi Casey List folks, My apologies - this was actually a bug in DNSViz. The NSEC3 computation was being performed on the wrong name (the wrong origin was being applied). It should be fixed now, as shown in:

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-28 Thread Timothe Litt
On 27-Aug-14 20:35, Doug Barton wrote: On 8/27/14 3:03 PM, Timothe Litt wrote: So you really meant that validating resolvers should only consult DLV if their administrator knows that users are looking-up names that are in the DLV? That's how I read your advice. You're correct. I don't see

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-27 Thread Timothe Litt
On 27-Aug-14 14:54, Doug Barton wrote: On 8/26/14 10:35 AM, Timothe Litt wrote: I think this is misleading, or at least poorly worded and subject to misinterpretation. I chose my words carefully, and I stand by them. The OP was asking about configuring a resolver (bind's). Where I thought

Re: Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Timothe Litt
that in an ideal world, retiring the DLV would be worth celebrating. We're not there, and until we are, my advice is that resolvers consult the DLV. It's not perfect, but it's what we have. See dnssec-deployment for other discussions of this (sometimes controversial) topic. Timothe Litt ACM

Re: Re: clients-per-query vs max-clients-per-query

2014-06-08 Thread Timothe Litt
would seem to produce more sensible behavior than dropping every 5i-th packet. And for it to make any sense at all, it must be adjusted per server, not globally... Or I'm missing something, in which case the documentation needs some more/different words :-( Timothe Litt ACM Distinguished Engineer

Re: Re: AIX and 9.9.5 compiling

2014-05-09 Thread Timothe Litt
. (Including routine builds during development.) Including ARM - native and cross-compiled - would support parts of the community that don't get much attention (nor make much noise.) Embedded and cross-architecture compilers. Timothe Litt ACM Distinguished Engineer

Re: Re: changing NSEC3 salt

2014-02-06 Thread Timothe Litt
. if read from a zone file, pick a salt, treat the record as if loaded with that value, and do all the requisite (re-)signing.) I'm copying bind9-bugs so this doesn't get lost. Please don't copy that list if you comment on this. (Careful with that 'reply all'!) Timothe Litt ACM Distinguished

Re: Re: changing NSEC3 salt

2014-02-06 Thread Timothe Litt
On 06-Feb-14 09:14, Klaus Darilion wrote: On 06.02.2014 14:58, Cathy Almond wrote: On 06/02/2014 12:58, Timothe Litt wrote: On 06-Feb-14 05:56, Cathy Almond wrote: On 05/02/2014 18:54, David Newman wrote: The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every time a zone's

Re: Re: Slowing down bind answers ?

2014-01-05 Thread Timothe Litt
larger than they were in years past. -- Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

Re: Unable to transfer IPv4 reverse zone

2013-12-19 Thread Timothe Litt
are DNSSEC signed) transfer just fine. Not helpful without my configuration? That's the point. Post yours with the log messages showing the transfer attempts failures and maybe someone (else) will help. Timothe Litt ACM Distinguished Engineer -- This communication may

Re: bind-users Digest, Vol 1629, Issue 1

2013-09-19 Thread Timothe Litt
costs less because you kept all the bootstrapping supplies. Further discussion should probably find another list... Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 19

Re: BIND 9.9.3b1 is now available

2013-01-25 Thread Timothe Litt
ago (and could resend). Since you're obviously in the code, would you re-consider this? It's pretty straightforward, it simply selects a subset of the data in the (then-) existing flow. Thanks on both counts. Timothe Litt ACM Distinguished Engineer -- This communication

Re: BIND 9.9.3b1 is now available

2013-01-25 Thread Timothe Litt
the servers going to go down and reboot with the new config synchronously? What if you have lots of them (e.g. 10s or 100s)? In different admin domains? As you say, this is an API Flag days are never fun, and this is avoidable. Timothe Litt ACM Distinguished Engineer

Logging

2013-01-08 Thread Timothe Litt
something about it. Logging at the victim is useful for isolating a problem - but if no-one is actually troubleshooting (and won't), it's largely wasted. DNSSEC is another area where issues need to be forwarded to the source, not the victim. That's my 3 cents. -- Timothe Litt ACM Distinguished

Re: Logging

2013-01-08 Thread Timothe Litt
be a step up from the current situation. Today, the lame server logging delivers data to the source about 0% of the time. If my suggestion increases that to any non-zero number, it would be an improvement. Timothe Litt ACM Distinguished Engineer -- This communication

Root hints updates

2012-09-06 Thread Timothe Litt
literal tabs and spaces are important. [Some environments have very limited regexps.] It's freely redistributable, with the usual caveat that there is no warranty or promise of support that you use it at your own risk. Enjoy. Timothe Litt ACM Distinguished Engineer

RE: Root hints updates

2012-09-06 Thread Timothe Litt
06, 2012 09:08 To: Timothe Litt Cc: bind-users@lists.isc.org Subject: Re: Root hints updates On Thu, Sep 06, 2012 at 08:06:45AM -0400, Timothe Litt l...@acm.org wrote a message of 466 lines which said: This is a script to automagically update the root hints file. Since the first thing BIND

RE: Re: .TLD minimum number of nameservers rule

2011-12-13 Thread Timothe Litt
Actually, there's a simpler solution to meeting the rule for 2 NS. Use any of the secondary nameserver services. They come in a range of prices/service levels. (Price and delivered service don't always correlate.) Generally they act as slaves off your master; some are bind based and use IXFR;

RE: Exercising RFC 5011 rollovers

2011-11-26 Thread Timothe Litt
There are tools for this. E.g. libfaketime - This communication may not represent my employer's views, if any, on the matters discussed. -Original Message- From: Phil Mayers [mailto:p.may...@imperial.ac.uk] Sent: Saturday,

RE: DNAME?

2011-07-02 Thread Timothe Litt
employer's views, if any, on the matters discussed. -Original Message- From: Mark Andrews [mailto:ma...@isc.org] Sent: Friday, July 01, 2011 21:58 To: Timothe Litt Cc: 'Jon F.'; bind-us...@isc.org Subject: Re: DNAME? When DNAME was being developed the working group had to make

RE: DNAME?

2011-07-01 Thread Timothe Litt
employer's views, if any, on the matters discussed. -Original Message- From: Mark Andrews [mailto:ma...@isc.org] Sent: Thursday, June 30, 2011 20:58 To: Jon F. Cc: Timothe Litt; bind-us...@isc.org Subject: Re: DNAME? In message BANLkTim=maau1y+xh7yzibmrznvx30z...@mail.gmail.com, Jon F. write

RE: DNAME?

2011-07-01 Thread Timothe Litt
discussed. _ From: Jon F. [mailto:pikel@gmail.com] Sent: Thursday, June 30, 2011 16:11 To: Timothe Litt Cc: bind-users@lists.isc.org Subject: Re: DNAME? I have a similar set up to that and it works. Have you checked the logs to make sure the zone properly loaded? I'm assuming

DNAME?

2011-06-30 Thread Timothe Litt
I have domain example.net in production, and have recently acquired example.us and example.info. For whatever reason, I want example.us to simply mirror example.net, which is dynamically updated (and dnssec). And I want example.us to be zero maintenance. (Well, OK I know I need separate DNSSEC

RE: start script for bind9

2011-04-14 Thread Timothe Litt
YMMV wrt just works. Yes, running the latest ISC bind can be worthwhile after the OS distribution stops updating (or before it gets around to packaging the latest ISC version.) People considering the approach suggested by David Alan should be aware that the OS startup files often do more than

RE: can I set the second nameserver to a public dns cache?

2011-03-28 Thread Timothe Litt
No. But you can use a public (commercial or non-commercial) secondary DNS service. Google secondary dns or free secondary dns. You will find a number of services and reviews. Be careful in selecting - many charge or limit you based on the number of queries and/or zones. QOS and reliability

RE: DNSSEC, views trusted keys...episode 43

2010-11-01 Thread Timothe Litt
I have tried to consolidate the several suggestions for how to configure a view that would respond with AD to recursive queries for authoritative zones. I don't have a working recipe. I could use some help. At this point, it looks like the recursive view is still going to the external

Auto signing ARM

2010-09-20 Thread Timothe Litt
I'm trying to get named and my management tool cooperating with named on DNSSEC key management. I'm seeing behavior with auto-signing that doesn't strictly match the ARM and would like to know what's correct. I'm also not clear on what named expects for some cases. 4 questions after a little

RE: DNSSEC, views trusted keys...

2010-09-14 Thread Timothe Litt
Mayers wrote: On 09/10/2010 11:12 PM, Timothe Litt wrote: So it looks like the new (r-internal) view is starting at the root when it resolves -- ignoring what it has data for locally. It sorta works for You'll need a: zone name { type forward; forward only; forwarders { ips

Statistics channel patch

2010-09-13 Thread Timothe Litt
I have found the statistics channel useful for getting the active zone configuration - this lets my management GUI autoconfigure validity checks and pull-down menus for zones. This will be especially helpful when the dynamic add/delete zone situation is sorted out. But it's useful now because it

RE: DNSSEC, views trusted keys...

2010-09-10 Thread Timothe Litt
:06 To: Phil Mayers Cc: bind-us...@isc.org Subject: Re: DNSSEC, views trusted keys... In message 4c891404.3000...@imperial.ac.uk, Phil Mayers writes: On 09/09/2010 03:45 PM, Timothe Litt wrote: There is other advice in the ARM that says to put 'your organization's public keys

DNSSEC, views trusted keys...

2010-09-09 Thread Timothe Litt
I have 9.7.1-P2 running and since it's supposed to be 'for humans', I guess I'm trying to determine if I am one. It's not going as well as hoped... :-) I have a domain - example.net, with two views, the usual 'internal' and 'external'; a third is planned. The master maintaining all the

RE: rndc addzone/delzone in 9.7.2rc1 (was: rndc reconfig delays)

2010-08-28 Thread Timothe Litt
Seems to me that if you stick with this, a couple of things are necessary for manageability: o Some command to translate a zone file name to a view/zone name, and vice-versa. That would enable people to debug based on file contents... o A method to migrate zones from today's

Resolving .gov w/dnssec

2010-04-22 Thread Timothe Litt
I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV configured as validating resolvers. Using dig, I get a connection timeout error after a long (~10 sec) delay. +cdflag provides an immediate response. state.gov does not get this error. Note that it uses different nameservers

RE: Resolving .gov w/dnssec

2010-04-22 Thread Timothe Litt
may not represent my employer's views, if any, on the matters discussed. -Original Message- From: Chris Thompson [mailto:c...@hermes.cam.ac.uk] On Behalf Of Chris Thompson Sent: Thursday, April 22, 2010 10:52 To: Paul Wouters Cc: Timothe Litt; Bind Users Mailing List Subject: Re: Resolving