Matthijs Mekking wrote:
> As the main developer of dnssec-policy, I would like to confirm that
> what has been said by Michael and Nick are correct.
Cool.
> - When migrating to dnssec-policy, make sure the configuration matches
> your existing keys.
Is there a way
curity :-D.)
But in this case, I think the BIND developers did a good job ensuring
there was a way to create policies that integrate well with
key-management regimes external to BIND.
michael
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the d
https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors). As it
is, I was too focused on finding a problem with defining a key at all.
Maybe pointing out this would be an acceptable issue...
Thanks again!
- Michael
Am 17.01.24 um 18:26 schrieb Anand Buddhdev:
On 17/01/2024 18:18, Michael
ent-definition-and-usage>.
It is defined globally and should be available in all views (and the
output from tsig-list confirms this).
As this has been rejected as an error within minutes
(https://gitlab.isc.org/isc-projects/bind9/-/issues/4539) it must be a
user error. However, I have gone through
Greg Choules via bind-users wrote:
> What would be better (IMHO) is for you to keep "example.com" as your
> external zone in an external (hopefully in a DMZ) primary server,
> serving the world with public addresses they need to reach, and
> internally create a new zone -
Given VPNs, RemoteAccess and the like, I strongly recommend against split-DNS
configurations. They were great ideas in 1993, when all sites were concave,
but that's just not the case anymore.
Instead, I recommend having a sub-zone, "internal.example.com", or some other
convenient name. Put a
, but it will take a large company to push them to do so.
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
From: bind-users On Behalf Of Paul Stead
Sent: Saturday, October 28, 2023 11:35 AM
Cc: bind-users@lists.isc.org
Subject: Re: 9.18 BIND not iterated
2607:d600:9000:330:75:102:160:227)
;; WHEN: Fri Oct 27 09:56:31 CDT 2023
;; MSG SIZE rcvd: 125
[root@brkr-dns2 bind-9.18.12]#
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
312 4th Street West * Clear Lake, SD 57226
Phone: (605) 874-8313
michael.m
s the problem if interactive. Cron running a week
later usually works)
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works| network architect [
] m...@sandelman.ca http://www.sandelman.ca/
In general, you don't want to mix dynamic update zones with ones that you
want to edit by hand. I see that you are doing manual DNSSEC signing in your
cron job.
Your choices are:
a) do everything with dynamic update, and turn on automatic DNSSEC management
in bind9.
b) do your DNSSEC
Silva Carlos wrote:
> On server A I configured HyperLocal. On Server B I did NOT configure
> HyperLocal.
> I ran the command "dig @localhost EXAMPLES" on both servers.
> EXAMPLES: blabla.sdf.dd or teste.com.eroterrter or world.nanana
> Problem: Both Servers report that
stion section empty."
There are some older implementations out there that don't do this
correctly. I have a vendor supported IPAM implementation, where I have
gone back to the vendor and quoted the above, and they have fixed the
implementation.
michael
On 8/31/23 17:34, Ian Bobbitt wrote:
Mark Andrews wrote:
> where wrong and wouldn’t normally be that way. Something or someone
> changed them. It may have happened again. We can’t see what you see
And, AppArmor can turn things into permission denied, which are rather
mysterious. So, I'd ask for dmesg output too.
r/named/forward/itctel.com.zone.new
/var/named/forward/itctel.com.zone.signed.jnl
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
312 4th Street West * Clear Lake, SD 57226
Phone: (605) 874-8313
michael.martin...@itccoop.com
www.itc-web.com
--
Visit https://
};
};
My apologies for not double-checking earlier, but I think this should be
everything.
--
Met vriendelijke groet / Best regards,
Michael De Roover
signature.asc
Description: This is a digitally signed message part.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
ssue I've been facing with this so far,
is that AXFR
to secondary and tertiary name servers has some issues, and at least Windows 10
Home
will query those when the primary name server does not give a satisfactory
answer.
--
Met vriendelijke groet / Best regards,
Michael De Roover
--
Visit htt
m...@at.encryp.ch wrote:
> Regarding the usage of [::] - due to usage of firewall I am able to
> block connections to the 53/udp and 53/tcp which are not coming to
> specific IP addresses or ranges, I do not need such filtering
> functionality within bind itself.
Bind doesn't
Serg via bind-users wrote:
> As an alternative approach I have tried to run with a configuration
> "listen-on-v6 { any; }", but it does behave in a way I need - it binds
> separate socket for each discovered IP address rather wildcard address
> of [::].
Bind needs to bind a new
Mike Lieberman wrote:
> The newer router blocks my local BIND servers (ONLY not clients using
> downstream servers) from receiving anything from the Internet. OUR BIND
> servers still have the local networks, but nothing else.
Your explanation is rather obtuse, but I think you mean
Can you share a bit about why you want to get out of using
opendnssec/openhsm?
I would regard this as an opportunity to test key rollover with your parent
zone :-)
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works
John Thurston wrote:
> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am
> writing "category dnssec" to a log file at "severity info;" When I look
in
> the resulting log file, I'm guessing that lines like this:
> validating com/SOA: got insecure
E R wrote:
> I am planning on implementing the current version of BIND to replace the
> aging, undocumented authoritative servers I inherited. I want to hide the
> primary server on our internal network and have two secondary servers be
> publicly available. While reading the
ntague WebWorks
20 River Street, Greenfield, MA
413-320-5336
http://MontagueWebWorks.com
Powered by ROCKETFUSION
On 1/7/2023 6:24 PM, G.W. Haywood via bind-users wrote:
Hi there,
On Sat, 7 Jan 2023, Michael Muller wrote:
This is my first time posting here, and I'm not sure if it's the
right
Hello everyone,
This is my first time posting here, and I'm not sure if it's the right
place or not to ask my question. This is a general DNS question,
specifically, I think, SPF.
(Btw, I do use Bind in my system, so that's why I'm here.)
I host email using SmarterMail, and all 400+
On Thu, 2022-12-22 at 05:19 +, Michael De Roover wrote:
> Hello,
>
> I have been running BIND 9 on my external and internal networks for a
> few years now -- as such I have a basic understanding of the most
> common RR types and activities such as zone transfers. However, I
>
, hence
my curiosity. If it is at all possible to mitigate, I would of course
also appreciate discourse on this matter. Thank you!
[1] https://subdomainfinder.c99.nl
[2] https://criminalip.io/domain
Best regards,
Michael
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this
Havard Eidnes via bind-users wrote:
>To "fill" an ip6.arpa zone for a /64 requires 18446744073709551616
> records (yes, that's about 18 x 10^18 if my math isn't off). I predict
> you do not posess a machine capable of running BIND with that many
> records loaded -- I know we
algorithm and usage (ZSK or KSK)
[1] https://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/
Thanks again for your time to read this email, and for your insights.
--
Met vriendelijke groet / Best regards,
Michael De Roover
--
Visit https://lists.isc.org/mailma
r time to read this, and thanks in advance for
any insights.
--
Met vriendelijke groet / Best regards,
Michael De Roover
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact
.
Regarding the legitimate queries, it would be prudent to allow common
recursors (Google, Cloudflare, Quad9 etc) to have exceptions to this
rule. Just allow their IP addresses to send traffic either
unrestricted, or using a more relaxed version of the above.
HTH,
Michael
On Tue, 2022-08-02 at 16
Philip Prindeville wrote:
> What do I need to do on both ends (remote DHCP server and central DNS
> server) to push updates over?
Your list is pretty accurate.
One thing that bites me regularly is that names of the TSIG keys matters, and
that if you have a trailing . in the key name,
I found this message:
May 8 16:41:18 tilapia named[1268]: zone ox.org/IN:
zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk
It would be great if it could tell me the file name that failed to write, and
ideally what the error was (EPERM is my guess, but there could also be
hat else I can find out,
but there sure is a lot of stuff going on. Maybe lots of flotsam from my
previous situation that needs to expunged.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works
Mark Andrews wrote:
> Unless you are pointing recursive clients directly at your
> authoritative servers there is no need. The recursive servers will
> lookup the CNAME target themselves. Additionally recursive servers just
> process the CNAME and ignore the rest of the response
I upgraded to 9.18 from 9.11 or something that was in debian nulleye.
Mar 11 18:14:27 tilapia named[9206]: /etc/bind/named.conf.options:40: invalid
prefix, bits [64..71] must be zero
Alas, line 40 has multiple IPv6 prefixes on it:
40 dns64 2607:f0b0:f:0:::/96 {
41 clients {
"/var/log/named/lamers.log" versions 9;
print-time yes;
};
[...]
category lame-servers { lamers; };
[...]
michael
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the d
On 9/2/21 2:59 PM, Mark Tinka wrote:
On 9/2/21 23:51, Michael Sinatra wrote:
I have noticed this also and have opened a (similar but different)
issue, but it's a bit weird how it manifests itself.
On your freebsd installation, make sure that all of your interfaces
are configured
on your 'listen-on'
statements and make sure there aren't any stray addresses in there.
michael
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support
y and the zone/RRSIG TTLs stay in cache longer. But that is still
a fairly tricky approach and I am not sure it would work...
michael
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the developm
our plans for issuing replacement releases will be
provided later; at the moment our priority is getting the news to parties as
quickly as possible so that those who have not already adopted the new releases
can postpone until corrected versions are available.
Michael McNally
Internet Systems
that there are no
Windows zips provided for the 9.17 branch this month.
Zip files with Windows packages were provided as usual for the 9.11 and
9.16 branches.
Michael McNally
ISC Support
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
rg/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bin
otocol has no
> means to distinguish among different types of NS host. (Yes, there
> is
> the SOA MNAME, but that is not used by resolvers.) One NS is as good
> as any other NS.
These (SOA and behavior for resolvers) probably describe where I got
confused, thanks for the explanation
hing like that).
--
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/
ely right; I wrote this Linux-centric article about it:
>
> https://kb.isc.org/docs/aa-01183
>
> It has not been updated to cover nftables.
>
> Note also that this is a good reason NOT to use the NAT that
> other posters have encourage
ally UDP based, and every new query is going
> to create state. Read up on state table exhaustion.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
--
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to u
irewalls are cheap and the level of effort to run a bastion host
> > are
> > significant.
>
> Firewalls are useful when you want to protect unamanaged printers and
> Windows boxes (or Web servers with a lot of crappy PHP) but a BIND
> server on a reasonably managed Unix box
ne server for DNS and that tutorial is about
> secondary DNS server too. Can you show me another tutorial with one
> server and same goal?
> The Internet DNS server for my goal is "Authoritative DNS" ?
--
Michael De Roover
___
Please
e development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Michael De Roover
___
e signed by
putting a green square around it (useful for signed emails from e.g.
security mailing lists), and so on. Definitely recommended!
--
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from t
_Please visit
> https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
into it.
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https
20 2:39 PM, Fred Morris wrote:
Perhaps slightly OT, but here's a company which has a whole business
model based on one nonobvious (?) reason to compile from source:
https://polyverse.com/
--
Fred Morris
--
Met vriendelijke groet / Best regards,
Michael
rce (be it
upstream or their downstream version) easy, either to compare or to
actually put it to use, all the better.
(My preferred term for for crashing and burning servers would probably
not be suitable for this list)
--
Met vriendelijke groet / Best regard
compilation servers can do exactly that, and a million times better?
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the developm
extremely confusing.
On 7/20/20 9:05 PM, Ted Mittelstaedt wrote:
On 7/20/2020 11:23 AM, Michael De Roover wrote:
If that is true, I hereby lost all faith in humanity.. well whatever
faith I had left. This has been going on for like half a decade now.
Nobody ever went broke catering to the human
gs to be annoyed over ..
I am still ticked that FreeBSD dropped BIND from the distribution for something
called unwinding or whatever it is.
John
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/list
from amplification attack so is there
any method in bind to stop DNS Amplification attack.
I am thinking to stop or drop ANY type queries from our DNS Recursive
resolver , so please tell me how can we drop or stop ANY type queries
from bind.
--
Met vriendelijke groet / Best regards,
Michael De
not match at least one of your A records?
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with pa
PTR and that the name maps back to the IP the dns system couldn't
care less
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds
if needed,
saves traffic either way I suppose.
Thanks a lot for the detailed reply, I really appreciate it :)
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
re likely my
search terms aren't right), so yeah... I wonder why the idea of
recursion became associated with a vulnerable server in the first place.
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/m
ptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit h
bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Met vriend
ve too, and it's
nicely terse.
https://www.thesaurus.com/browse/master?s=t
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the developm
not the people I
want to support in my effort to end racism, which I /do/ support, and
quite heavily so.
On 6/15/20 8:00 PM, DeCaro, James John (Jim) CIV DISA FE (USA) wrote:
Or you can call the slave servers 'secondary' servers.
--
Met vriendelijke groet / Best rega
, software and
documentation just because some people can’t handle terms like master
and slave. Slavery still exists today and making the word disappear
will not solve the issue.
And you’re correct about the BDSM thing. It’s a waste of time, efforts
and lines of code.
--
Met vriendelijke groet / Best regard
[*] for small issues like this. They (and other wealthy companies)
should be paying money only for original security research and not this
nonsense.
* $100 is a helluva money in some economies...
Ondrej
--
Ondřej Surý
ond...@isc.org
--
Met vriendelijke groet / Best regards,
Michael De Roover
ts, should they occur, will be posted to the bind-announce
list and you can see the first example of one in the list archives even if
you are not a subscriber:
https://lists.isc.org/pipermail/bind-announce/2020-May/001153.html
Michael McNally
ISC Support
___
Pl
my ISP allows 25 in- and outbound first,
that could work.
On 5/2/20 6:25 PM, Brett Delmage wrote:
On Sat, 2 May 2020, Michael De Roover wrote:
Even if your ISP allows it, chances are that other mail servers will
reject it
Nope, not always.
My residential-class static IP mail server has never
1:58 +0200
Reindl Harald wrote:
Am 02.05.20 um 15:41 schrieb Michael De Roover:
In my experience and from what I've heard, very few.
if that would be true how comes that most mail clients still default to
25 for submission and years after closing port 25 on our mailserver i
still struggle with
get
away with not running a mail server, don't run one. They suck so much.
But if you do, a home IP is not where you'll want to start regardless.
Get a VPS if anything.
On 5/2/20 3:51 PM, Reindl Harald wrote:
Am 02.05.20 um 15:41 schrieb Michael De Roover:
In my experience and from what I've heard
port 25.
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo
to be hardcoded in every web browser that supports
it. It doesn't scale up at all. At that point we might as well go back
to hosts files.
On 5/2/20 9:28 AM, Reindl Harald wrote:
Am 02.05.20 um 09:00 schrieb Michael De Roover:
That's actually my biggest concern with DoH, ISP blocking. It doesn't
seem
and rainbows in DoH-land, of course. Use of cookies
is “discouraged” but not prevented, most obviously.
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from
PM, Tony Finch wrote:
Michael De Roover wrote:
On that subject, how about DoT?
DoT is easier since you only need a raw TLS reverse proxy, and there are
lots of those, for example, nginx:
http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48
Note that if you enable DoT
implementation in named by the end of
this year.
In the meantime, there are DoH proxies that can run BIND as the back-end.
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users
2 166.2H 13.47%
named
It definitely looks like a memory leak in 9.16.1 when configured as
authoritative-only. The leak seems slow enough as to be manageable, but
the footprint does appear to growing monotonically (and is still
growing--by another 4M as I wro
n-handling-tcp-client-quota-limits-can-exhaust-tcp-connections-in-bind-9160
The short version, though, is that we introduced a problem with TCP client
quota enforcement during the later releases of the 9.15 development branch
which was not noticed until 9
and (for those who are not interested)
please accept my apologies for the digression from the usual list content.
Michael McNally
ISC Support
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users
(domain name compression or alike) I have to live
with? Is issue #45854 back in the game?
Regards,
Michael
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users
ld: 0711-317 ERROR: Undefined symbol: .isc_string_strlcpy
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
collect2: error: ld returned 8 exit status
make: 1254-004 The error code from the last command is 1.
Stop.
--
Michael Niksch /Zurich/
To close the loop a bit on this...
On 05/22/18 03:22, Tony Finch wrote:
> Michael Sinatra wrote:
>>
>> My only concern is that serial numbers might get out of sync between the
>> two signers at some point.
>
> You can avoid this problem with `serial-update-method
We have had reports that posts to bind-users are (in at least
some cases) triggering unwelcome direct-to-the-submitter messages
from spammers.
Please disregard this message while I try to gather some information
in the hopes of stopping this unwelcome behavior.
to do an active-active redundant
configuration with BIND inline-signing.
thanks!
michael
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/
CVE: CVE-2018-5737
Document Version:2.0
Posting date:18 May 2018
Program Impacted:BIND
Versions affected: 9.12.0, 9.12.1
Severity:Medium
Exploitable: Remotely
Description:
A problem with the implementation of the new serve-stale feature
disclosure, rather than risk a leak. We do regret the
inconvenience that will be incurred by server operators due to the
timing of this announcement.
Michael McNally
ISC Security Officer
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users
CVE: CVE-2018-5736
Document Version:2.0
Posting date:18 May 2018
Program Impacted:BIND
Versions affected: 9.12.0 and 9.12.1
Severity:Medium
Exploitable: Remotely, if an attacker can trigger a zone transfer
Description:
An error in zone
: DNSSEC and nsupdate
Setting the permissions of a *private* key to 0644 sounds like a bad idea.
Maybe you mean 0640?
On Fri, 2 Mar 2018 23:28:28 +
"Prof. Dr. Michael Schefczyk" <mich...@schefczyk.net> wrote:
> Dear Mark,
>
> I did get the issue resolved while sett
dnssec-validation auto;
auth-nxdomain no;# conform to RFC1035
allow-recursion { any; };
};
/etc/bind/named.conf.local
zone "testzone.com" {
type master;
file "/var/lib/bind/testzone.com.hosts";
update-policy { grant nsupdate zonesub TXT; };
convention of K[fqdn]+number+keyid.key or
.private anymore?
Regards,
Michael
Technische Universität Dresden
Fakultät Wirtschaftswissenschaften
Lehrstuhl für Entrepreneurship und Innovation
Prof. Dr. Michael Schefczyk
D-01062 Dresden
Fon: +49
create one
directory per fqdn under /var/lib/bind/ and then one subdirectory
ECDSAP384SHA384 but what would be the (two?) files in 41844 and 55203? Is there
a way to convert?
Thank you very much for your efforts!
Michael Schefczyk
___
Please visit https://lis
We recently received a bug report that newly-added zones (via rndc
addzone) were not inheriting the global allow-transfer directive
and could be transferred using AXFR by anyone able to access the
server to which they had just been added.
Further investigation revealed that the circumstances when
ng culpability.
My 'dig' foo is weak enough that I can't come up with a damning output to know
where to go from here. Any ideas?
-Michael
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing
My apologies if this question has an easily discoverable answer but my
google-fu seems to be failing me today.
If a domain is signed, is it possible to delegate a subdomain to a 3rd
party who is unable to sign that subdomain? For example, I own example.com
and its signed. I'd like to delegate
on the vulnerabilities are available via the ISC Knowledge Base:
https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/
Please take these bugs seriously and act promptly to safeguard
your servers if you rely on TSIG authentication for zone transfers
or DDNS.
Michael McNally
d. Any help would be appreciated.
Many thanks.
--
Michael Fleming, IT Networking, Datacenter & Telecom, CSU, Bakersfield
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@li
e
separate from the root DNS servers. See:
http://www.dns.icann.org/services/axfr/
It's probably better to use the servers listed there (although they do
appear to be US-centric), to avoid having to deal with changes akin to
f-root.
michael
+1 to Alan. While I work at an ivory tower and support Mark's mission, in
practice I don't have operational time (nor is it necessarily the best use of
my time) to maintain a per-ip bypass.
100% in support of enabling this by default as long as their as an option to
disable.
-Michael
On Fri, Feb 3, 2017 at 11:45 AM, Mukund Sivaraman wrote:
>
>
> We may move it to the end of the log message (bugs ticket #44606 has
> been created for looking at it). Maybe its location was poor.. please
> can everyone who participated in this thread say whether having it at
> the
1 - 100 of 379 matches
Mail list logo