Re: process of updating slave servers

2011-02-15 Thread donovan jeffrey j

On Feb 14, 2011, at 8:31 PM, Terry. wrote:

 check your configuration, especially for:
 
 * notify/ also-notify/ allow-notify

Thanks to all who replied, I needed the allow-notify.
-j


 * allow-transfer
 * does the slave named have permission to write to the data dir?
 
 Regards.
 
 2011/2/15 donovan jeffrey j dono...@beth.k12.pa.us:
 Greetings
 
 I have a new slave server. I edited my master, incremented the serial number 
 and reloaded named. The master is fine, and contains the new entry but the 
 slaves are still running the previous entries.
 
 what is the basic operation of updating a slave ?
 
 I reloaded the zone with rndc and the slave pulled the zone. The serial 
 number was incremented on the slave, but the old entries were still there.
 I checked the forward and reverse records, and nothing had changed except 
 the serial number. So I deleted the slave files, and pulled the zone again, 
 and kick started named, everything works fine.
 I highly doubt my procedure was the correct way to do it.
 
 can someone explain to me the proper work flow for updating records on 
 slaves ?
 
 TIA
 
 -j
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
 
 
 
 
 -- 
 Free SmartDNS Hosting:
 http://DNSbed.com/



process of updating slave servers

2011-02-14 Thread donovan jeffrey j
Greetings

I have a new slave server. I edited my master, incremented the serial number 
and reloaded named. The master is fine, and contains the new entry but the 
slaves are still running the previous entries.

what is the basic operation of updating a slave ?

I reloaded the zone with rndc and the slave pulled the zone. The serial number 
was incremented on the slave, but the old entries were still there.
I checked the forward and reverse records, and nothing had changed except the 
serial number. So I deleted the slave files, and pulled the zone again, and 
kick started named, everything works fine.
I highly doubt my procedure was the correct way to do it.

can someone explain to me the proper work flow for updating records on slaves ?

TIA

-j



Re: process of updating slave servers

2011-02-14 Thread donovan jeffrey j

On Feb 14, 2011, at 8:31 PM, Terry. wrote:

 check your configuration, especially for:
 
 * notify/ also-notify/ allow-notify
 * allow-transfer
 * does the slave named have permission to write to the data dir?

yes, slave can write.

slave options;
    allow-transfer { 10.1.1.2; };
    allow-notify { 10.1.1.2; };    // every address in an address list ends with ';'
    transfer-format many-answers;

master options;
    allow-transfer { 10.135.1.3; };

is that correct?
-j

 
 Regards.
 
 2011/2/15 donovan jeffrey j dono...@beth.k12.pa.us:
 Greetings
 
 I have a new slave server. I edited my master, incremented the serial number 
 and reloaded named. The master is fine, and contains the new entry but the 
 slaves are still running the previous entries.
 
 what is the basic operation of updating a slave ?
 
 I reloaded the zone with rndc and the slave pulled the zone. The serial 
 number was incremented on the slave, but the old entries were still there.
 I checked the forward and reverse records, and nothing had changed except 
 the serial number. So I deleted the slave files, and pulled the zone again, 
 and kick started named, everything works fine.
 I highly doubt my procedure was the correct way to do it.
 
 can someone explain to me the proper work flow for updating records on 
 slaves ?
 
 TIA
 
 -j
 

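The refresh decision the thread asks about ("what is the basic operation of updating a slave?"), modelled in Python as an added example that is not BIND code: at refresh time the slave compares the master's SOA serial with its own using RFC 1982 serial arithmetic and pulls the zone only when the master's serial is newer. The zones below are constructed dicts, and the serial values are made up in the YYYYMMDDnn style.

```python
"""RFC 1982 serial arithmetic as a slave applies it at refresh time.

Added illustration, not BIND source. Zones are modelled as plain dicts.
"""

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
HALF_RANGE = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is newer than b under RFC 1982 wraparound rules.

    A serial is newer if it is less than 2**31 steps ahead, so a master that
    wrapped from 4294967295 back to a small number still looks newer.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a > b and a - b < HALF_RANGE) or (a < b and b - a > HALF_RANGE)


def refresh_zone(slave_zone: dict, master_zone: dict) -> str:
    """Model of the slave's SOA refresh check.

    Each zone is {"serial": int, "records": {name: value}}. When the master's
    serial is newer the slave replaces its copy (a full transfer); otherwise
    it keeps what it has, even if the master's records differ.
    """
    local, remote = slave_zone["serial"], master_zone["serial"]
    if serial_gt(remote, local):
        slave_zone["serial"] = remote
        slave_zone["records"] = dict(master_zone["records"])
        return "transferred"
    if local == remote:
        return "up-to-date"
    return "master serial not newer; slave keeps its copy"


if __name__ == "__main__":
    # Constructed zones: the master was edited and its serial bumped.
    master = {"serial": 2011021501, "records": {"www": "10.1.1.50", "new": "10.1.1.51"}}
    slave = {"serial": 2011021500, "records": {"www": "10.1.1.50"}}
    print(refresh_zone(slave, master), slave["records"])
    # Same serial but edited records: the slave never notices the change.
    stale = {"serial": 2011021501, "records": {"www": "10.1.1.50"}}
    print(refresh_zone(stale, master), stale["records"])
```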


dealing with multi-homed machine

2011-02-08 Thread donovan jeffrey j
Greetings

I have an external dns server that serves a group of systems. One of the 
systems has a secondary interface with private address space. Dns should not be 
requesting from here but i am seeing these warnings coming from my external 
system;

security: warning: client 209.96.96.108#49534: view com.basd.DNS.public: RFC 
1918 response from Internet for 108.1.135.10.in-addr.arpa


how do I keep that internal zone from being seen ? Do I have to firewall dns 
queries between interfaces on the server ?
tia
-j



Re: dealing with multi-homed machine

2011-02-08 Thread donovan jeffrey j

On Feb 8, 2011, at 5:17 PM, Mark Andrews wrote:

 
 In message 3ad9c812-cba3-4dcd-a27e-26e63d912...@beth.k12.pa.us, donovan jeffrey j writes:
 Greetings
 
 I have an external dns server that serves a group of systems. One of the systems has a secondary interface with private address space. Dns should not be requesting from here but i am seeing these warnings coming from my external system;
 
 security: warning: client 209.96.96.108#49534: view com.basd.DNS.public: RFC 
 1918 response from Internet for 108.1.135.10.in-addr.arpa
 
 
 how do I keep that internal zone from being seen ? Do I have to firewall dns 
 queries between interfaces on the server ?
 tia
 
 Please go read the FAQ. http://www.isc.org/software/bind/faq

thanks mark,

It appears my case may be a programming error from the server admin. But this 
brings up the case of views.

on my external dns server i should add an empty zone file ? what does that send 
back to the offending request?

zone "10.IN-ADDR.ARPA" {
    type master;
    file "empty";
};

is there a way i can redirect him back to the Internal dns server for 1918 
requests,... ( and i think the answer is ,.. let the internal answer the 
initial request so it never comes up to the outside).

-j


Re: dealing with multi-homed machine

2011-02-08 Thread donovan jeffrey j

On Feb 8, 2011, at 8:44 PM, donovan jeffrey j wrote:
 
 thanks mark,
 
 It appears my case may be a programming error from the server admin. But this 
 brings up the case of views.
 
 on my external dns server i should add an empty zone file ? what does that 
 send back to the offending request?
 
 zone "10.IN-ADDR.ARPA" {
     type master;
     file "empty";
 };
 

this sends a nice
query failed (SERVFAIL) for 10.20.135.10.in-addr.arpa/IN/PTR at query.c:3921


that's what I wanted, until I can get that system turned around. thanks
-j

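A detection-side view of the warning quoted in this thread, as an added example that is not part of the thread or of BIND: it parses named's "RFC 1918 response from Internet" security warnings, turns the queried in-addr.arpa name back into an address and reports which private block an outside client was asking the public view about. The first sample log line is the one from the thread; the second is constructed.

```python
"""Spot RFC 1918 reverse lookups that reached a public-facing named.

Added detection example, not part of the thread or of BIND.
"""
import ipaddress
import re

RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

WARNING_RE = re.compile(
    r"client (?P<client>[0-9.]+)#\d+: view (?P<view>\S+): "
    r"RFC 1918 response from Internet for (?P<name>\S+)"
)

# First line is the warning quoted in the thread; second line is constructed.
SAMPLE_LOG = """\
security: warning: client 209.96.96.108#49534: view com.basd.DNS.public: RFC 1918 response from Internet for 108.1.135.10.in-addr.arpa
security: warning: client 198.51.100.7#5353: view com.basd.DNS.public: RFC 1918 response from Internet for 25.0.168.192.in-addr.arpa
"""


def reverse_name_to_ip(name: str) -> ipaddress.IPv4Address:
    """Turn d.c.b.a.in-addr.arpa back into the IPv4 address a.b.c.d."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {name}")
    return ipaddress.IPv4Address(".".join(reversed(labels[:4])))


def private_network(ip: ipaddress.IPv4Address):
    """Return the RFC 1918 block containing ip, or None for a public address."""
    return next((net for net in RFC1918_NETS if ip in net), None)


def leaked_private_queries(log_text: str) -> list:
    """Parse named security warnings into (client, queried ip, private block)."""
    hits = []
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if not m:
            continue
        ip = reverse_name_to_ip(m["name"])
        net = private_network(ip)
        hits.append((m["client"], str(ip), str(net) if net else None))
    return hits


if __name__ == "__main__":
    for client, ip, net in leaked_private_queries(SAMPLE_LOG):
        print(f"{client} asked the public view about {ip} ({net})")
```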


compile error bind-9.7.2-P3 osx 10.5.8 ppc

2011-02-08 Thread donovan jeffrey j
greetings

i was able to update ssl to OpenSSL 1.0.0c 2 Dec 2010
when i try and recompile bind I get an error on make

Undefined symbols:
  _RSA_generate_key_ex, referenced from:
  _opensslrsa_generate in libdns.a(opensslrsa_link.o)
  _DSA_generate_parameters_ex, referenced from:
  _openssldsa_generate in libdns.a(openssldsa_link.o)
  _DH_generate_parameters_ex, referenced from:
  _openssldh_generate in libdns.a(openssldh_link.o)
ld: symbol(s) not found
collect2: ld returned 1 exit status
make[2]: *** [named] Error 1
make[1]: *** [subdirs] Error 1
make: *** [subdirs] Error 1



rndc confusion

2011-01-26 Thread donovan jeffrey j
Greetings

it has been a while since I have worked with named, and I've seemed to wrap 
myself in a key confusion.

I had some issue with an invalid key so i ran rndc-confgen -a which gave me a 
new key in /etc/rndc.key.
so now rndc works fine.

but when I looked at /etc/rndc.conf the key was different than the 
/etc/rndc.key. I thought they had to be the same for this to work. I'm assuming 
that I should replace the key in the rndc.conf, or maybe it's not needed since I'm 
loading directly from named.conf?

any insight or flames welcome.
-j

config below;

named.conf

//
// Include keys file
//
include "/etc/rndc.key";

controls {
    inet 127.0.0.1 port 1234 allow { localhost; } keys { rndc-key; };
};


options {
    include "/usr/local/named/options";
};

logging {
    include "/usr/local/named/loggingOptions.conf";
};

include "/etc/dns/privateView.conf.basd";


rndc.conf

# Start of rndc.conf
key rndc-key {
    algorithm hmac-md5;
    secret "xxx...Bmw==";
};

options {
    default-key rndc-key;
    default-server 127.0.0.1;
    default-port 1234;
};
# End of rndc.conf


rndc.key
key rndc-key {
    algorithm hmac-md5;
    secret "yyy,,3MA==";
};


## end


Re: rndc confusion

2011-01-26 Thread donovan jeffrey j

On Jan 26, 2011, at 9:50 PM, Alan Clegg wrote:

 On 1/26/2011 9:39 PM, donovan jeffrey j wrote:
 
 I had some issue with an invalid key so i ran rndc-confgen -a which
 gave me a new key in /etc/rndc.key. so now rndc works fine.
 
 but when I looked at /etc/rndc.conf the key was different than the
 /etc/rndc.key. I thought they had to be the same for this to work.
 I'm assuming that I should replace the key in the rndc.conf, or maybe
 it's not needed since I'm loading directly from named.conf?
 
 any insight or flames welcome. -j
 
 If you use /etc/rndc.key, you don't want an /etc/rndc.conf.
 
 BIND reads /etc/rndc.key on startup and rndc reads /etc/rndc.key when it
 runs.


thanks for replies,
okay
so what is the rndc.conf for ? -- my finger is on the rm button.
is it for listing other server keys ?
-j


testing bounces please ignore

2010-10-12 Thread donovan jeffrey j
test


Re: Is 10.in-addr.arpa not recommended?

2010-09-27 Thread donovan jeffrey j

On Sep 27, 2010, at 4:03 PM, Christopher Cain wrote:

 Hi all.
 
 I am setting up a new appliance-based DNS solution that will contain a fair 
 number of separately managed Windows DNS slave servers (in addition to the 
 DNS appliances that will handle the .
 
 Currently there are just over 8000 host records that resolve to IP's in the 
 10.x.x.x space.  I am wrestling with whether or not I should create a single 
 10.in-addr.arpa zone or if I should create 256 /16 zones (i.e. - 
 0.10.in-addr.arpa to 255.10.in-addr.arpa).
 
 The reason I want to encompass the entire 10 space is so new arpa zones will 
 not have to be defined on all servers (specifically on the Windows slaves) if 
 a new part of the 10 space is used at some point.
 
 Any recommendations or comments would be greatly appreciated.

Hi Chris,

I run a number of internal clients on 10 address space. What I did was break up 
each zone into Class B's (10.1.x.x, 10.2.x.x), then my forward and reverse files 
into Class C's. Each record 10.1.1.x, 10.1.2.x, 10.1.3.x, and so on, then scale as 
needed, providing the means to add forward and reverse to any address within 
that address space.

here is a sample, note the sub folders for sanity sake.

## my LAB
## 10.153 #

zone "1.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab1.db";
};

zone "2.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab2.db";
};

zone "3.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab3.db";
};

zone "4.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab4.db";
};

zone "5.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab5.db";
};

zone "6.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab6.db";
};

zone "7.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab7.db";
};

zone "8.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab8.db";
};

zone "9.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab9.db";
};

zone "10.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab10.db";
};




Re: differences between version

2010-08-13 Thread donovan jeffrey j

On Aug 13, 2010, at 8:01 AM, Ram Akuka wrote:

 hi , 
 i want to know what's the differences between bind 9 version (especially 
 between 9.4 and 9.5/6/7) , 
 where can i find a table that can describe it?
 i tried to google it but i didn't find anything useful.

click on the release notes for each
http://www.isc.org/downloads/all
-j

 
 
 can someone assist me here?
 
 thanks in advance ,
 
 Ram
 


My ISP's private address space has dns entries available on the public net , is this right ?

2010-08-09 Thread donovan jeffrey j
Greetings

my isp has some private address space which has dns resolution and can be 
queried from the outside world.

I asked them about this because we use this private address space and it is 
showing up in our DNS lookups. Here was their response:

I've discussed this with our systems administrators and have been told 
 that this is performing as expected.  ISP DNS servers do contain information 
 about private addresses that are in use on our network.  If you are utilizing 
 our DNS servers, you will see resolution of private IPs to ISP hostnames when 
 appropriate.  That will not occur using external DNS servers.  You will see 
 resolution of PTD hostnames to private IPs from external servers, but not IP 
 resolution to hostnames.  As long as reverse DNS (IP to hostname) is not 
 propagating, things are functioning normally.

so even from google public dns i see lookups that refer back to a private 
address space on my ISP's net.

is that right ?
-j


Re: how to handle SPF records for split dns

2010-08-02 Thread donovan jeffrey j
On Aug 2, 2010, at 10:23 PM, Noel Butler wrote:

 On Mon, 2010-08-02 at 22:13 -0400, donovan jeffrey j wrote:
 
 Greetings
 
 i have an internal dns server; it resolves all my queries from the inside.
 I have a mail system requesting an spf record.  Should i add the same record 
 on the inside as i do for the outside ? i don't want internal address space 
 to mess with external.
 
 i would say just place it on my external dns. But it's an internal content 
 filter that is asking for the record, so then shouldn't place it on the 
 inside?
 
 any insight suggestions and flames welcome
  
 Hi,
 
 Why not have internal clients use smtp auth on submission only, and bypass 
 spf (and other anti uce) tests?

clamav is picking up from an old relay and I think it's lowering the score 
because of an spf check. 192.168.1.2 is my mail gateway internal interface.

myfilter.mydomain.com] received a message from 192.168.1.2 that claimed an 
envelope sender address of foo.mo...@dealstodaycheap.info.

However, the domain dealstodaycheap.info has declared using SPF that it does 
not send mail through 192.168.1.1. That is why the message was rejected.

i don't want my internal filter to lower scores just because that relay doesn't 
have an spf record, and I do not want to call the relay local. i want 
everything scanned from there.
I may also not be understanding what SPF record clamav is looking for: my relay 
or his relay or mydomain? i best start with my domain.


 If postfix (since its the MTA used in your post, you likely are), use:
 submission inet n   -   n   -   -   smtpd
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
   -o receive_override_options=no_milters
 
 But anyway,  when I ran split views, I used spf on internal range using the 
 int IP, but used ~all  in place of -all (which I use on externals).
 
 Cheers
 Noel
 

thanks for the reply noel,
i saw that option on a web site and i thought it was a typo ( ~ ) vs ( - ). What 
is the difference?

-j


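The difference asked about at the end of this thread: "-all" tells a receiver that any sender not listed is a hard fail (normally rejected), while "~all" is a softfail (normally only scored), which is why an internal relay range is safer to publish with "~all". The added example below is not from the thread; it is a minimal SPF evaluator covering only the ip4 and all mechanisms (RFC 7208 defines more), run over constructed records and addresses.

```python
"""Minimal SPF check showing how the 'all' qualifier changes the verdict.

Added example, not from the thread. Only the ip4 and all mechanisms are
modelled; records and sender addresses below are constructed.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip under record (ip4/all subset)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]     # 'all' always matches
        if mech == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {mech!r} not modelled here")
    return "neutral"                         # nothing matched and no 'all' term


if __name__ == "__main__":
    # Constructed: the internal view lists the internal relay range with ~all,
    # the external view lists the public gateway with -all.
    internal = "v=spf1 ip4:192.168.1.0/24 ~all"
    external = "v=spf1 ip4:203.0.113.10 -all"
    for rec in (internal, external):
        for src in ("192.168.1.2", "203.0.113.10", "198.51.100.9"):
            print(f"{src:14} {rec:32} -> {evaluate_spf(rec, src)}")
```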

Re: The thread is dead?

2010-03-02 Thread donovan jeffrey j


On Jan 14, 2010, at 8:43 AM, pollex wrote:


I do not see any activity in the thread... is everyone on holidays?

Regards


nope not dead just sleeping :)