Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Michael Richardson
Matthijs Mekking wrote: > As the main developer of dnssec-policy, I would like to confirm that > what has been said by Michael and Nick are correct. Cool. > - When migrating to dnssec-policy, make sure the configuration matches > your existing keys. Is there a way

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-26 Thread Michael Sinatra
curity :-D.) But in this case, I think the BIND developers did a good job ensuring there was a way to create policies that integrate well with key-management regimes external to BIND. michael -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the d

Re: tsig key not found

2024-01-17 Thread Michael Lipp
https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors). As it is, I was too focused on finding a problem with defining a key at all. Maybe pointing out this would be an acceptable issue... Thanks again!  - Michael Am 17.01.24 um 18:26 schrieb Anand Buddhdev: On 17/01/2024 18:18, Michael

tsig key not found

2024-01-17 Thread Michael Lipp
ent-definition-and-usage>. It is defined globally and should be available in all views (and the output from tsig-list confirms this). As this has been rejected as an error within minutes (https://gitlab.isc.org/isc-projects/bind9/-/issues/4539) it must be a user error. However, I have gone through

Re: How should I configure internal and external DNS servers

2023-11-05 Thread Michael Richardson
Greg Choules via bind-users wrote: > What would be better (IMHO) is for you to keep "example.com" as your > external zone in an external (hopefully in a DMZ) primary server, > serving the world with public addresses they need to reach, and > internally create a new zone -

Re: How should I configure internal and external DNS servers

2023-11-04 Thread Michael Richardson
Given VPNs, RemoteAccess and the like, I strongly recommend against split-DNS configurations. They were great ideas in 1993, when all sites were concave, but that's just not the case anymore. Instead, I recommend having a sub-zone, "internal.example.com", or some other convenient name. Put a

RE: 9.18 BIND not iterated over all authoritative nameservers

2023-10-30 Thread Michael Martinell via bind-users
, but it will take a large company to push them to do so. Michael Martinell Network/Broadband Technician Interstate Telecommunications Coop., Inc. From: bind-users On Behalf Of Paul Stead Sent: Saturday, October 28, 2023 11:35 AM Cc: bind-users@lists.isc.org Subject: Re: 9.18 BIND not iterated

9.18 BIND not iterated over all authoritative nameservers

2023-10-27 Thread Michael Martinell via bind-users
2607:d600:9000:330:75:102:160:227) ;; WHEN: Fri Oct 27 09:56:31 CDT 2023 ;; MSG SIZE rcvd: 125 [root@brkr-dns2 bind-9.18.12]# Michael Martinell Network/Broadband Technician Interstate Telecommunications Coop., Inc. 312 4th Street West * Clear Lake, SD 57226 Phone: (605) 874-8313 michael.m

Re: Bind forgets my changes with nsupdate

2023-10-08 Thread Michael Richardson
s the problem if interactive. Cron running a week later usually works) -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works| network architect [ ] m...@sandelman.ca http://www.sandelman.ca/

Re: Bind forgets my changes with nsupdate

2023-10-06 Thread Michael Richardson
In general, you don't want to mix dynamic update zones with ones that you want to edit by hand. I see that you are doing manual DNSSEC signing in your cron job. Your choices are: a) do everything with dynamic update, and turn on automatic DNSSEC management in bind9. b) do your DNSSEC

Re: Hyperlocal RFC8806 Root Mirror

2023-09-27 Thread Michael Richardson
Silva Carlos wrote: > On server A I configured HyperLocal. On Server B I did NOT configure > HyperLocal. > I ran the command "dig @localhost EXAMPLES" on both servers. > EXAMPLES: blabla.sdf.dd or teste.com.eroterrter or world.nanana > Problem: Both Servers report that

Re: BIND 9.18 unable to successfully transfer zone from axfrdns primary

2023-08-31 Thread Michael Sinatra
stion section empty." There are some older implementations out there that don't do this correctly. I have a vendor supported IPAM implementation, where I have gone back to the vendor and quoted the above, and they have fixed the implementation. michael On 8/31/23 17:34, Ian Bobbitt wrote:

Re: Master file permission denied

2023-06-29 Thread Michael Richardson
Mark Andrews wrote: > where wrong and wouldn’t normally be that way. Something or someone > changed them. It may have happened again. We can’t see what you see And, AppArmor can turn things into permission denied, which are rather mysterious. So, I'd ask for dmesg output too.

dnssec not automatically updating on 1 server

2023-06-15 Thread Michael Martinell via bind-users
r/named/forward/itctel.com.zone.new /var/named/forward/itctel.com.zone.signed.jnl Michael Martinell Network/Broadband Technician Interstate Telecommunications Coop., Inc. 312 4th Street West * Clear Lake, SD 57226 Phone: (605) 874-8313 michael.martin...@itccoop.com www.itc-web.com

Re: Reverse Policy Zone to make MS Azure stuff work?

2023-04-13 Thread Michael De Roover
}; }; My apologies for not double-checking earlier, but I think this should be everything. -- Met vriendelijke groet / Best regards, Michael De Roover

Re: Reverse Policy Zone to make MS Azure stuff work?

2023-04-13 Thread Michael De Roover
ssue I've been facing with this so far, is that AXFR to secondary and tertiary name servers has some issues, and at least Windows 10 Home will query those when the primary name server does not give a satisfactory answer. -- Met vriendelijke groet / Best regards, Michael De Roover

Re: Bind listener to an IPv6 from AnyIP subnet

2023-03-13 Thread Michael Richardson
m...@at.encryp.ch wrote: > Regarding the usage of [::] - due to usage of firewall I am able to > block connections to the 53/udp and 53/tcp which are not coming to > specific IP addresses or ranges, I do not need such filtering > functionality within bind itself. Bind doesn't

Re: Bind listener to an IPv6 from AnyIP subnet

2023-03-13 Thread Michael Richardson
Serg via bind-users wrote: > As an alternative approach I have tried to run with a configuration > "listen-on-v6 { any; }", but it does behave in a way I need - it binds > separate socket for each discovered IP address rather wildcard address > of [::]. Bind needs to bind a new

Re: Something other than port 53 is blocking the LAN based BIND9 Servers

2023-03-13 Thread Michael Richardson
Mike Lieberman wrote: > The newer router blocks my local BIND servers (ONLY not clients using > downstream servers) from receiving anything from the Internet. OUR BIND > servers still have the local networks, but nothing else. Your explanation is rather obtuse, but I think you mean

Re: converting from opendnssec/openhsm?

2023-01-27 Thread Michael Richardson
Can you share a bit about why you want to get out of using opendnssec/openhsm? I would regard this as an opportunity to test key rollover with your parent zone :-) -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works

Re: Finding dnssec validation failures in the logs

2023-01-24 Thread Michael Richardson
John Thurston wrote: > On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am > writing "category dnssec" to a log file at "severity info;" When I look in > the resulting log file, I'm guessing that lines like this: > validating com/SOA: got insecure

Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Michael Richardson
E R wrote: > I am planning on implementing the current version of BIND to replace the > aging, undocumented authoritative servers I inherited. I want to hide the > primary server on our internal network and have two secondary servers be > publicly available. While reading the

Re: General DNS / SPF question

2023-01-09 Thread Michael Muller via bind-users
ntague WebWorks 20 River Street, Greenfield, MA 413-320-5336 http://MontagueWebWorks.com Powered by ROCKETFUSION On 1/7/2023 6:24 PM, G.W. Haywood via bind-users wrote: Hi there, On Sat, 7 Jan 2023, Michael Muller wrote: This is my first time posting here, and I'm not sure if it's the right

General DNS / SPF question

2023-01-07 Thread Michael Muller via bind-users
Hello everyone, This is my first time posting here, and I'm not sure if it's the right place or not to ask my question. This is a general DNS question, specifically, I think, SPF. (Btw, I do use Bind in my system, so that's why I'm here.) I host email using SmarterMail, and all 400+

Re: How do subdomains get discovered by adversaries?

2022-12-21 Thread Michael De Roover
On Thu, 2022-12-22 at 05:19 +, Michael De Roover wrote: > Hello, > > I have been running BIND 9 on my external and internal networks for a > few years now -- as such I have a basic understanding of the most > common RR types and activities such as zone transfers. However, I >

How do subdomains get discovered by adversaries?

2022-12-21 Thread Michael De Roover
, hence my curiosity. If it is at all possible to mitigate, I would of course also appreciate discourse on this matter. Thank you! [1] https://subdomainfinder.c99.nl [2] https://criminalip.io/domain Best regards, Michael

Re: automatic reverse and forwarding zones

2022-10-27 Thread Michael Richardson
Havard Eidnes via bind-users wrote: >To "fill" an ip6.arpa zone for a /64 requires 18446744073709551616 > records (yes, that's about 18 x 10^18 if my math isn't off). I predict > you do not posess a machine capable of running BIND with that many > records loaded -- I know we

Re: Zone transfer over VPN

2022-09-07 Thread Michael De Roover
algorithm and usage (ZSK or KSK) [1] https://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/ Thanks again for your time to read this email, and for your insights. -- Met vriendelijke groet / Best regards, Michael De Roover

Zone transfer over VPN

2022-09-06 Thread Michael De Roover
r time to read this, and thanks in advance for any insights. -- Met vriendelijke groet / Best regards, Michael De Roover

Re: Stopping ddos

2022-08-02 Thread Michael De Roover
. Regarding the legitimate queries, it would be prudent to allow common recursors (Google, Cloudflare, Quad9 etc) to have exceptions to this rule. Just allow their IP addresses to send traffic either unrestricted, or using a more relaxed version of the above. HTH, Michael On Tue, 2022-08-02 at 16

Re: Using nsupdate remotely

2022-07-12 Thread Michael Richardson
Philip Prindeville wrote: > What do I need to do on both ends (remote DHCP server and central DNS > server) to push updates over? Your list is pretty accurate. One thing that bites me regularly is that names of the TSIG keys matters, and that if you have a trailing . in the key name,

Re: understanding keymgr handling of KSK

2022-05-08 Thread Michael Richardson via bind-users
I found this message: May 8 16:41:18 tilapia named[1268]: zone ox.org/IN: zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk It would be great if it could tell me the file name that failed to write, and ideally what the error was (EPERM is my guess, but there could also be

understanding keymgr handling of KSK

2022-05-08 Thread Michael Richardson via bind-users
hat else I can find out, but there sure is a lot of stuff going on. Maybe lots of flotsam from my previous situation that needs to be expunged. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works

Re: How to allow recursion on my own (cross) domains only after upgrade to 9.16.27 (lack of additional-from-auth option) ?

2022-04-18 Thread Michael Richardson
Mark Andrews wrote: > Unless you are pointing recursive clients directly at your > authoritative servers there is no need. The recursive servers will > lookup the CNAME target themselves. Additionally recursive servers just > process the CNAME and ignore the rest of the response

invalid prefix

2022-03-11 Thread Michael Richardson
I upgraded to 9.18 from 9.11 or something that was in debian nulleye. Mar 11 18:14:27 tilapia named[9206]: /etc/bind/named.conf.options:40: invalid prefix, bits [64..71] must be zero Alas, line 40 has multiple IPv6 prefixes on it: 40 dns64 2607:f0b0:f:0:::/96 { 41 clients {

Re: Nice new logging feature

2021-12-18 Thread Michael Sinatra
"/var/log/named/lamers.log" versions 9; print-time yes; }; [...] category lame-servers { lamers; }; [...] michael ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the d

Re: BIND 'max-cache-size' Value on FreeBSD-13.0

2021-09-02 Thread Michael Sinatra
On 9/2/21 2:59 PM, Mark Tinka wrote: On 9/2/21 23:51, Michael Sinatra wrote: I have noticed this also and have opened a (similar but different) issue, but it's a bit weird how it manifests itself. On your freebsd installation, make sure that all of your interfaces are configured

Re: BIND 'max-cache-size' Value on FreeBSD-13.0

2021-09-02 Thread Michael Sinatra
on your 'listen-on' statements and make sure there aren't any stray addresses in there. michael

Does BIND support "conservative" (RFC 6781, sec 4.1.4) algorithm rollovers?

2021-08-30 Thread Michael Sinatra
y and the zone/RRSIG TTLs stay in cache longer. But that is still a fairly tricky approach and I am not sure it would work... michael

Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14

2021-06-17 Thread Michael McNally
our plans for issuing replacement releases will be provided later; at the moment our priority is getting the news to parties as quickly as possible so that those who have not already adopted the new releases can postpone until corrected versions are available. Michael McNally Internet Systems

New BIND releases are available: 9.11.32, 9.16.16, and 9.17.13

2021-05-19 Thread Michael McNally
that there are no Windows zips provided for the 9.17 branch this month. Zip files with Windows packages were provided as usual for the 9.11 and 9.16 branches. Michael McNally ISC Support

Re: Possibly stupid Q

2021-01-20 Thread Michael De Roover
-- Michael De Roover

Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Michael De Roover
otocol has no > means to distinguish among different types of NS host. (Yes, there > is > the SOA MNAME, but that is not used by resolvers.) One NS is as good > as any other NS. These (SOA and behavior for resolvers) probably describe where I got confused, thanks for the explanation

Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Michael De Roover
hing like that). -- Michael De Roover

Re: How can I launch a private Internet DNS server?

2020-10-16 Thread Michael De Roover
ely right; I wrote this Linux-centric article about it: > > https://kb.isc.org/docs/aa-01183 > > It has not been updated to cover nftables. > > Note also that this is a good reason NOT to use the NAT that > other posters have encourage

Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Michael De Roover
ally UDP based, and every new query is going > to create state. Read up on state table exhaustion. > > Steinar Haug, Nethelp consulting, sth...@nethelp.no -- Michael De Roover

Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Michael De Roover
irewalls are cheap and the level of effort to run a bastion host > > are > > significant. > > Firewalls are useful when you want to protect unmanaged printers and > Windows boxes (or Web servers with a lot of crappy PHP) but a BIND > server on a reasonably managed Unix box

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Michael De Roover
ne server for DNS and that tutorial is about > secondary DNS server too. Can you show me another tutorial with one > server and same goal? > The Internet DNS server for my goal is "Authoritative DNS" ? -- Michael De Roover

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Michael De Roover
-- Michael De Roover

Re: It is too hard for me to read from this mailing list

2020-09-23 Thread Michael De Roover
e signed by putting a green square around it (useful for signed emails from e.g. security mailing lists), and so on. Definitely recommended! -- Michael De Roover

Re: distribution of Bind software through our website

2020-08-24 Thread Michael De Roover

Re: BIND, nsupdate and acme.sh DNS authentication

2020-07-23 Thread Michael De Roover
into it. -- Met vriendelijke groet / Best regards, Michael De Roover

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-23 Thread Michael De Roover
20 2:39 PM, Fred Morris wrote: Perhaps slightly OT, but here's a company which has a whole business model based on one nonobvious (?) reason to compile from source: https://polyverse.com/ -- Fred Morris -- Met vriendelijke groet / Best regards, Michael

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-23 Thread Michael De Roover
rce (be it upstream or their downstream version) easy, either to compare or to actually put it to use, all the better. (My preferred term for crashing and burning servers would probably not be suitable for this list) -- Met vriendelijke groet / Best regard

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-22 Thread Michael De Roover
compilation servers can do exactly that, and a million times better? -- Met vriendelijke groet / Best regards, Michael De Roover

Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-20 Thread Michael De Roover
extremely confusing. On 7/20/20 9:05 PM, Ted Mittelstaedt wrote: On 7/20/2020 11:23 AM, Michael De Roover wrote: If that is true, I hereby lost all faith in humanity.. well whatever faith I had left. This has been going on for like half a decade now. Nobody ever went broke catering to the human

Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-20 Thread Michael De Roover
gs to be annoyed over .. I am still ticked that FreeBSD dropped BIND from the distribution for something called unwinding or whatever it is. John -- Met vriendelijke groet / Best regards, Michael De Roover

Re: issue of Amplification attack

2020-07-12 Thread Michael De Roover
from amplification attack so is there any method in bind to stop DNS Amplification attack. I am thinking to stop or drop ANY type queries from our DNS Recursive resolver , so please tell me how can we drop or stop ANY type queries from bind. -- Met vriendelijke groet / Best regards, Michael De

Re: [DoD Source -- ssshhhh Top Secret] Re: Dumb Question is an A or AAAA record required?

2020-07-09 Thread Michael De Roover
not match at least one of your A records? -- Met vriendelijke groet / Best regards, Michael De Roover

Re: [DoD Source -- ssshhhh Top Secret] Re: Dumb Question is an A or AAAA record required?

2020-07-09 Thread Michael De Roover
PTR and that the name maps back to the IP the dns system couldn't care less -- Met vriendelijke groet / Best regards, Michael De Roover

Re: DNS security, amplification attacks and recursion

2020-07-07 Thread Michael De Roover
if needed, saves traffic either way I suppose. Thanks a lot for the detailed reply, I really appreciate it :) -- Met vriendelijke groet / Best regards, Michael De Roover

DNS security, amplification attacks and recursion

2020-07-07 Thread Michael De Roover
re likely my search terms aren't right), so yeah... I wonder why the idea of recursion became associated with a vulnerable server in the first place. -- Met vriendelijke groet / Best regards, Michael De Roover

Re:

2020-06-28 Thread Michael De Roover
-- Met vriendelijke groet / Best regards, Michael De Roover

Re: BIND Masters and slaves

2020-06-15 Thread Michael De Roover
-- Met vriend

Re: BIND Masters and slaves

2020-06-15 Thread Michael De Roover
ve too, and it's nicely terse. https://www.thesaurus.com/browse/master?s=t -- Met vriendelijke groet / Best regards, Michael De Roover

Re: [Non-DoD Source] Re: BIND Masters and slaves

2020-06-15 Thread Michael De Roover
not the people I want to support in my effort to end racism, which I /do/ support, and quite heavily so. On 6/15/20 8:00 PM, DeCaro, James John (Jim) CIV DISA FE (USA) wrote: Or you can call the slave servers 'secondary' servers. -- Met vriendelijke groet / Best rega

Re: BIND Masters and slaves

2020-06-15 Thread Michael De Roover
, software and documentation just because some people can’t handle terms like master and slave. Slavery still exists today and making the word disappear will not solve the issue. And you’re correct about the BDSM thing. It’s a waste of time, efforts and lines of code. -- Met vriendelijke groet / Best regard

Re: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Michael De Roover
[*] for small issues like this. They (and other wealthy companies) should be paying money only for original security research and not this nonsense. * $100 is a helluva money in some economies... Ondrej -- Ondřej Surý ond...@isc.org -- Met vriendelijke groet / Best regards, Michael De Roover

Experimenting with a new practice for pre-announcing vulnerability disclosures

2020-05-14 Thread Michael McNally
ts, should they occur, will be posted to the bind-announce list and you can see the first example of one in the list archives even if you are not a subscriber: https://lists.isc.org/pipermail/bind-announce/2020-May/001153.html Michael McNally ISC Support

Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
my ISP allows 25 in- and outbound first, that could work. On 5/2/20 6:25 PM, Brett Delmage wrote: On Sat, 2 May 2020, Michael De Roover wrote: Even if your ISP allows it, chances are that other mail servers will reject it Nope, not always. My residential-class static IP mail server has never

Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
1:58 +0200 Reindl Harald wrote: Am 02.05.20 um 15:41 schrieb Michael De Roover: In my experience and from what I've heard, very few. if that would be true how comes that most mail clients still default to 25 for submission and years after closing port 25 on our mailserver i still struggle with

Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
get away with not running a mail server, don't run one. They suck so much. But if you do, a home IP is not where you'll want to start regardless. Get a VPS if anything. On 5/2/20 3:51 PM, Reindl Harald wrote: Am 02.05.20 um 15:41 schrieb Michael De Roover: In my experience and from what I've heard

Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
port 25. -- Met vriendelijke groet / Best regards, Michael De Roover

Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
to be hardcoded in every web browser that supports it. It doesn't scale up at all. At that point we might as well go back to hosts files. On 5/2/20 9:28 AM, Reindl Harald wrote: Am 02.05.20 um 09:00 schrieb Michael De Roover: That's actually my biggest concern with DoH, ISP blocking. It doesn't seem

Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
and rainbows in DoH-land, of course. Use of cookies is “discouraged” but not prevented, most obviously. -- Met vriendelijke groet / Best regards, Michael De Roover

Re: DoH plugin for BIND

2020-04-30 Thread Michael De Roover
PM, Tony Finch wrote: Michael De Roover wrote: On that subject, how about DoT? DoT is easier since you only need a raw TLS reverse proxy, and there are lots of those, for example, nginx: http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48 Note that if you enable DoT

Re: DoH plugin for BIND

2020-04-29 Thread Michael De Roover
implementation in named by the end of this year. In the meantime, there are DoH proxies that can run BIND as the back-end. -- Met vriendelijke groet / Best regards, Michael De Roover

Re: BIND-9.16.1 memory leak?

2020-04-20 Thread Michael Sinatra
2 166.2H 13.47% named It definitely looks like a memory leak in 9.16.1 when configured as authoritative-only. The leak seems slow enough as to be manageable, but the footprint does appear to be growing monotonically (and is still growing--by another 4M as I wro

Re: bind 9.16 vs. 9.14 tcp client connections

2020-03-05 Thread Michael McNally
n-handling-tcp-client-quota-limits-can-exhaust-tcp-connections-in-bind-9160 The short version, though, is that we introduced a problem with TCP client quota enforcement during the later releases of the 9.15 development branch which was not noticed until 9

Internet Systems Consortium has a position open (Support Engineer III)

2019-08-20 Thread Michael McNally
and (for those who are not interested) please accept my apologies for the digression from the usual list content. Michael McNally ISC Support

Dynamic DNS Updates fail once in a while against AD DNS

2019-04-09 Thread Osipov, Michael
(domain name compression or alike) I have to live with? Is issue #45854 back in the game? Regards, Michael

Undefined symbol: .isc_string_strlcpy compiling bind-9.11.6 on powerpc-ibm-aix7.1.0.0

2019-03-12 Thread Michael Niksch
ld: 0711-317 ERROR: Undefined symbol: .isc_string_strlcpy ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information. collect2: error: ld returned 8 exit status make: 1254-004 The error code from the last command is 1. Stop. -- Michael Niksch /Zurich/

redundant bump-in-the-wire signers using BIND

2018-06-25 Thread Michael Sinatra
To close the loop a bit on this... On 05/22/18 03:22, Tony Finch wrote: > Michael Sinatra wrote: >> >> My only concern is that serial numbers might get out of sync between the >> two signers at some point. > > You can avoid this problem with `serial-update-method

Test mail to bind-users

2018-05-30 Thread Michael McNally
We have had reports that posts to bind-users are (in at least some cases) triggering unwelcome direct-to-the-submitter messages from spammers. Please disregard this message while I try to gather some information in the hopes of stopping this unwelcome behavior.

redundant bump-in-the-wire signers using BIND

2018-05-21 Thread Michael Sinatra
to do an active-active redundant configuration with BIND inline-signing. thanks! michael

CVE-2018-5737: BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.

2018-05-18 Thread Michael McNally
CVE: CVE-2018-5737 Document Version: 2.0 Posting date: 18 May 2018 Program Impacted: BIND Versions affected: 9.12.0, 9.12.1 Severity: Medium Exploitable: Remotely Description: A problem with the implementation of the new serve-stale feature

BIND 9.12.1-P2 is now available

2018-05-18 Thread Michael McNally
disclosure, rather than risk a leak. We do regret the inconvenience that will be incurred by server operators due to the timing of this announcement. Michael McNally ISC Security Officer

CVE-2018-5736: Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c

2018-05-18 Thread Michael McNally
CVE: CVE-2018-5736 Document Version: 2.0 Posting date: 18 May 2018 Program Impacted: BIND Versions affected: 9.12.0 and 9.12.1 Severity: Medium Exploitable: Remotely, if an attacker can trigger a zone transfer Description: An error in zone

AW: DNSSEC and nsupdate

2018-03-03 Thread Prof. Dr. Michael Schefczyk
: DNSSEC and nsupdate Setting the permissions of a *private* key to 0644 sounds like a bad idea. Maybe you mean 0640? On Fri, 2 Mar 2018 23:28:28 + "Prof. Dr. Michael Schefczyk" <mich...@schefczyk.net> wrote: > Dear Mark, > > I did get the issue resolved while sett

AW: DNSSEC and nsupdate

2018-03-02 Thread Prof. Dr. Michael Schefczyk
dnssec-validation auto; auth-nxdomain no;# conform to RFC1035 allow-recursion { any; }; }; /etc/bind/named.conf.local zone "testzone.com" { type master; file "/var/lib/bind/testzone.com.hosts"; update-policy { grant nsupdate zonesub TXT; };

AW: DNSSEC and nsupdate

2018-02-25 Thread Prof. Dr. Michael Schefczyk
convention of K[fqdn]+number+keyid.key or .private anymore? Regards, Michael Technische Universität Dresden Fakultät Wirtschaftswissenschaften Lehrstuhl für Entrepreneurship und Innovation Prof. Dr. Michael Schefczyk D-01062 Dresden Fon: +49

DNSSEC and nsupdate

2018-02-24 Thread Prof. Dr. Michael Schefczyk
create one directory per fqdn under /var/lib/bind/ and then one subdirectory ECDSAP384SHA384 but what would be the (two?) files in 41844 and 55203? Is there a way to convert? Thank you very much for your efforts! Michael Schefczyk

FYI: zones created using "rndc addzone" could temporarily fail to inherit option "allow-transfer"

2017-12-15 Thread Michael McNally
We recently received a bug report that newly-added zones (via rndc addzone) were not inheriting the global allow-transfer directive and could be transferred using AXFR by anyone able to access the server to which they had just been added. Further investigation revealed that the circumstances when

need another pair of eyes: edu/net (educause?) glue issues?

2017-10-18 Thread Michael Hare
ng culpability. My 'dig' foo is weak enough that I can't come up with a damning output to know where to go from here. Any ideas? -Michael

Subdomain DNSSEC

2017-08-28 Thread Michael Dahlberg
My apologies if this question has an easily discoverable answer but my google-fu seems to be failing me today. If a domain is signed, is it possible to delegate a subdomain to a 3rd party who is unable to sign that subdomain? For example, I own example.com and it's signed. I'd like to delegate

CVE-2017-3142 and CVE-2017-3143 -- TSIG-related BIND vulnerabilities

2017-06-29 Thread Michael McNally
on the vulnerabilities are available via the ISC Knowledge Base: https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/ Please take these bugs seriously and act promptly to safeguard your servers if you rely on TSIG authentication for zone transfers or DDNS. Michael McNally

Problem w/ Forwarding Zone in Caching-Only Config

2017-06-27 Thread Michael W. Fleming
d. Any help would be appreciated. Many thanks. -- Michael Fleming, IT Networking, Datacenter & Telecom, CSU, Bakersfield

Re: Unable to slave root zones

2017-04-07 Thread Michael Sinatra
e separate from the root DNS servers. See: http://www.dns.icann.org/services/axfr/ It's probably better to use the servers listed there (although they do appear to be US-centric), to avoid having to deal with changes akin to f-root. michael

RE: Enforce EDNS

2017-02-08 Thread Michael Hare
+1 to Alan. While I work at an ivory tower and support Mark's mission, in practice I don't have operational time (nor is it necessarily the best use of my time) to maintain a per-ip bypass. 100% in support of enabling this by default as long as there is an option to disable. -Michael

Re: Bind Queries log file format

2017-02-03 Thread Michael Dahlberg
On Fri, Feb 3, 2017 at 11:45 AM, Mukund Sivaraman wrote: > > > We may move it to the end of the log message (bugs ticket #44606 has > been created for looking at it). Maybe its location was poor.. please > can everyone who participated in this thread say whether having it at > the
