Re: What if the link is failed between master/slave

2018-06-29 Thread wbrown
From: "Blason R" 

> OK - Got it so is there any settings available at master by which it
> will keep on probing slave and as soon it is contacted NOTIFY Message is
> sent.

No.  The slave will try every REFRESH interval to see if it can contact 
the master.



Confidentiality Notice: 
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that 
you may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or 
telephone and delete this message from your system.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: What if the link is failed between master/slave

2018-06-29 Thread wbrown
--
William Brown
Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285

"bind-users"  wrote on 06/29/2018 
12:53:07 PM:

> From: "Blason R" 

> I have bind Master server with me and slave is at other remote 
> location. My query is since I have opted for PUSH update from master
> to slave over random port.
> 
> What if the link at slave is down and NOTIFY message is not reached? 
> When will slave then pull the update?

Yes, according to the refresh interval in the SOA record.  The pertinent 
values are REFRESH, RETRY and EXPIRE.  See section 3.3.13 of RFC1035 
https://tools.ietf.org/html/rfc1035#page-19 





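The two replies above (the slave re-checks every REFRESH interval; after a failed check it waits RETRY; after EXPIRE without a successful check it stops serving the zone) can be replayed on a timeline. The model below is an added example, not code from the thread or from BIND: the timer values, the serial bump at 1000 s and the link outage windows are constructed inputs, and a real named adds details (timer jitter, AXFR/IXFR choice) that are not modelled here.

```python
"""Timeline model of a secondary zone's REFRESH / RETRY / EXPIRE behaviour
(RFC 1035 section 3.3.13) when a NOTIFY may or may not reach it.
Added example; all inputs are constructed."""
from dataclasses import dataclass


@dataclass
class SOATimers:
    serial: int
    refresh: int   # seconds between routine SOA checks against the primary
    retry: int     # seconds to wait after a failed check before trying again
    expire: int    # seconds without a good check after which the zone is dropped


def link_up(outages, t):
    """True unless t falls inside one of the (start, end) outage windows."""
    return not any(start <= t < end for start, end in outages)


def simulate(soa, primary_updates, outages, horizon):
    """Replay the secondary's refresh logic up to `horizon` seconds.

    primary_updates: {time: new_serial}; the primary sends a NOTIFY at each of
    those times, which only reaches the secondary if the link is up then.
    """
    serial = soa.serial          # serial of the copy the secondary serves
    primary_serial = soa.serial  # what the primary is actually publishing
    last_good = 0                # time of the last successful SOA check
    next_check = soa.refresh     # first routine check is one REFRESH after load
    serving, transfer_time, expired_at = True, None, None
    pending = sorted(primary_updates)
    log = []
    while True:
        notify_t = pending[0] if pending else None
        is_notify = notify_t is not None and notify_t <= next_check
        t = notify_t if is_notify else next_check
        if t > horizon:
            break
        if is_notify:
            pending.pop(0)
            primary_serial = primary_updates[t]
            if not link_up(outages, t):
                log.append((t, "NOTIFY lost: link down"))
                continue             # the secondary never hears about the change
            log.append((t, "NOTIFY received: checking SOA now"))
        # SOA query to the primary, either scheduled or NOTIFY-triggered
        if link_up(outages, t):
            last_good = t
            next_check = t + soa.refresh
            if primary_serial > serial:
                log.append((t, "primary serial %d > local %d: transferring"
                            % (primary_serial, serial)))
                serial = primary_serial
                if transfer_time is None:
                    transfer_time = t
            else:
                log.append((t, "SOA check ok, serial %d unchanged" % serial))
        else:
            next_check = t + soa.retry
            log.append((t, "SOA check failed, retry in %ds" % soa.retry))
            if serving and t - last_good >= soa.expire:
                serving, expired_at = False, t
                log.append((t, "EXPIRE reached: zone no longer served"))
    return {"serial": serial, "serving": serving, "transfer_time": transfer_time,
            "expired_at": expired_at, "log": log}


# Constructed timer set: REFRESH 1h, RETRY 10min, EXPIRE 1 day.
TIMERS = SOATimers(serial=1, refresh=3600, retry=600, expire=86400)


def scenario_notify_lost():
    """Link down 900..5000 s, serial bumped at 1000 s: the NOTIFY is lost, the
    checks at 3600, 4200 and 4800 s fail, the one at 5400 s transfers."""
    return simulate(TIMERS, {1000: 2}, [(900, 5000)], horizon=10000)


def scenario_link_never_returns():
    """Same bump, link down for good: retries every RETRY seconds, then the
    zone expires once EXPIRE seconds pass without a good check."""
    return simulate(TIMERS, {1000: 2}, [(900, 10**9)], horizon=90000)


def scenario_notify_delivered():
    """Link up: the NOTIFY triggers an immediate check and transfer at 1000 s."""
    return simulate(TIMERS, {1000: 2}, [], horizon=5000)


if __name__ == "__main__":
    for fn in (scenario_notify_lost, scenario_link_never_returns, scenario_notify_delivered):
        r = fn()
        print("%s: serial=%s transfer_time=%s expired_at=%s"
              % (fn.__name__, r["serial"], r["transfer_time"], r["expired_at"]))
        for t, msg in r["log"]:
            print("  %6d  %s" % (t, msg))
```

The first scenario is the situation asked about: with the NOTIFY lost, the update is picked up only at a REFRESH/RETRY boundary after the link returns, so the worst-case propagation delay is bounded by those two timers, and EXPIRE bounds how long a cut-off secondary keeps answering with stale data.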

Re: BIND Server running but not responding

2018-04-18 Thread wbrown
From: "/dev/rob0" 

> Your OS denies named the permission to create the UDP socket on which 
> to listen for queries.
> 
> That means, of course, that you're not able to receive queries.  It's 
> Windows doing this, so you need Windows help.  I'm unable to provide 
> that.  Good luck.

One thing the OP can check is to see if there is another DNS server 
(Active Directory?) running on port 53.  That will prevent named from 
binding to the port and running.




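A quick way to check the point made above (something else already holding port 53 stops named from binding) is to try the bind yourself. This is an added example, not code from the thread; it attempts a UDP and a TCP bind on the given address and reports whether the OS allowed each one. Run it as the account that starts named, since binding port 53 normally needs administrative rights; the default address and port are assumptions for the demonstration.

```python
"""Probe whether a listening port is still bindable; added example."""
import socket


def bind_check(addr, port):
    """Try to bind UDP and TCP sockets on (addr, port).

    Returns {'udp': ok, 'tcp': ok, 'errors': {...}} where ok is True when the
    bind succeeded (port free for that protocol) and False when the OS refused
    it (already in use, or permission denied).  Sockets are closed at once;
    nothing is left listening.
    """
    family = socket.AF_INET6 if ':' in addr else socket.AF_INET
    result = {'errors': {}}
    for name, stype in (('udp', socket.SOCK_DGRAM), ('tcp', socket.SOCK_STREAM)):
        s = socket.socket(family, stype)
        try:
            s.bind((addr, port))
            result[name] = True
        except OSError as exc:             # EADDRINUSE, EACCES, ...
            result[name] = False
            result['errors'][name] = exc.errno
        finally:
            s.close()
    return result


def demo_occupied_port():
    """Self-contained demonstration: hold a UDP socket on an ephemeral loopback
    port, then probe it.  UDP is reported in use and TCP free, because only a
    UDP socket holds the port."""
    held = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    held.bind(('127.0.0.1', 0))
    try:
        return bind_check('127.0.0.1', held.getsockname()[1])
    finally:
        held.close()


def report(addr='0.0.0.0', port=53):
    """Print a human-readable verdict for each protocol and return the probe result."""
    r = bind_check(addr, port)
    for proto in ('udp', 'tcp'):
        state = 'free' if r[proto] else 'NOT bindable (errno %s)' % r['errors'].get(proto)
        print('%s %s:%d %s' % (proto.upper(), addr, port, state))
    return r


if __name__ == '__main__':
    report()
```

On Windows the same answer comes from `netstat -ano` (look for the process id listening on `:53`); the probe above only tells you the port is taken, not by whom.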

Re: Separate DNS slaves as internal and external

2018-03-19 Thread wbrown
From: "G.W. Haywood via bind-users" 

> On Mon, 19 Mar 2018, King, Harold Clyde wrote:
> 
> > I have DNS slaves for internal and external entities. I don't know
> > how to work the NS records so that outside users would only get the
> > external slave and internal would only get the internal slave.
> >
> > How can I do this? ...
> 
> You could use a firewall to route the queries as required.
> 
> You might look at Bind 'Views', for example see the Cricket book.

Or use different instances of bind for internal and external resolution. 
Hardly any extra cost if using virtual servers. Simplifies bind 
configuration at the expense of maintaining double the number of servers. 





Re: Minimum TTL?

2018-02-12 Thread wbrown
From: "Reindl Harald" 
> To: bind-users@lists.isc.org

> the ISP has no business to touch any package between source and me 
> because he can't know the implications - he even must not know about 
> them because it's not his business

And yet they do (Supercookies?), and sell that data to any and all buyers.





Re: SOA settings

2018-02-05 Thread wbrown
From: "Alan Clegg" 

> Wait... who are you guys??!?

Alan, you're the only one I've actually met.  Are the rest all Russian 
bots?





Re: Domain Not Resolving

2017-11-21 Thread wbrown
Does the lone DNS server even respond on the local network?  Do you see 
DNS traffic flowing to that server? 

Time for the divide and conquer method of troubleshooting to find where 
the failure is occurring.

Good luck.





Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread wbrown
MX records cannot point to an IP address.  Try this:

x.tld   MX  10  x.tld.

--
William Brown
Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285

"bind-users" <bind-users-boun...@lists.isc.org> wrote on 08/23/2017 
03:28:12 PM:

> From: Tom Browder <tom.brow...@gmail.com>
> To: bind-users@lists.isc.org
> Date: 08/23/2017 03:29 PM
> Subject: Need DNS records help for single server (and IP), and 
> multi-domain mail server.
> Sent by: "bind-users" <bind-users-boun...@lists.isc.org>
> 
> I have a single remote server with one IP address (142.54.186.2) I 
> am using it to host multiple, independent domains.  I am working on 
> configuring a single postfix instance to serve mail for all domains 
> (assuming I can successfully rewrite appropriate parts of mail in and 
out).
> 
> From referring to "DNS and BIND" and previous discussions here and 
> on the postfix users list I have re-examined my domain DNS records 
> to see if I can cover my requirements more easily.
> 
> Given such a configuration described in the first paragraph, does 
> the following set of DNS records for a domain look appropriate:
> 
> # For each domain X.TLD:
> X.TLD.     IN  A      142.54.186.2. 
> *.X.TLD.   IN  CNAME  X.TLD.
> X.TLD.     IN  MX     10   142.54.186.2.
> X.TLD.     IN  TXT    "v=spf1 mx -all"
> 
> Thanks.
> 
> With warmest regards,
> 
> -Tom
> 




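The record set quoted above, run through a small checker for the mistake the reply points out. This is an added example, not code from the thread: it flags MX records whose exchange is an IP address literal (the MX exchange field is a domain name, RFC 1035 section 3.3.9), A records whose RDATA is not a valid IPv4 address (the trailing dot in the quoted A record is the same slip), and MX exchanges that are CNAMEs in the same zone (RFC 2181 section 10.3). The sample fragments are re-typed copies of the quoted records plus the corrected MX line; the CNAME case is constructed.

```python
"""Minimal zone-record linter for MX and A records; added example."""
import ipaddress
import shlex

# Constructed copy of the records quoted in the thread.
OP_FRAGMENT = """\
; For each domain X.TLD:
X.TLD.     IN  A      142.54.186.2.
*.X.TLD.   IN  CNAME  X.TLD.
X.TLD.     IN  MX     10   142.54.186.2.
X.TLD.     IN  TXT    "v=spf1 mx -all"
"""

# Same records with the A RDATA and the MX exchange corrected.
FIXED_FRAGMENT = """\
X.TLD.     IN  A      142.54.186.2
*.X.TLD.   IN  CNAME  X.TLD.
X.TLD.     IN  MX     10   X.TLD.
X.TLD.     IN  TXT    "v=spf1 mx -all"
"""

# Constructed case: the MX exchange is an alias, which RFC 2181 forbids.
CNAME_CASE = """\
mail.x.tld.  IN  CNAME  x.tld.
x.tld.       IN  MX     10  mail.x.tld.
"""


def parse_record(line):
    """Parse 'owner [ttl] [class] type rdata...'; None for blank/comment lines."""
    line = line.split(';', 1)[0].strip()
    if not line:
        return None
    tok = shlex.split(line)          # keeps "quoted TXT data" as one token
    owner, i, ttl = tok[0].lower(), 1, None
    if tok[i].isdigit():
        ttl, i = int(tok[i]), i + 1
    if tok[i].upper() in ('IN', 'CH', 'HS'):
        i += 1
    return {'owner': owner, 'ttl': ttl, 'type': tok[i].upper(), 'rdata': tok[i + 1:]}


def is_ip_literal(name):
    """True if `name` (optionally with a trailing dot) parses as an IP address."""
    try:
        ipaddress.ip_address(name.rstrip('.'))
        return True
    except ValueError:
        return False


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def lint_zone(text):
    """Return a list of (owner, type, message) findings for the zone text."""
    records = [r for r in (parse_record(l) for l in text.splitlines()) if r]
    cnames = {r['owner'] for r in records if r['type'] == 'CNAME'}
    findings = []
    for r in records:
        if r['type'] == 'A':
            if len(r['rdata']) != 1 or not is_ipv4(r['rdata'][0]):
                findings.append((r['owner'], 'A',
                                 'RDATA %r is not a valid IPv4 address' % ' '.join(r['rdata'])))
        elif r['type'] == 'MX':
            if len(r['rdata']) != 2 or not r['rdata'][0].isdigit():
                findings.append((r['owner'], 'MX', 'expected "<preference> <exchange>"'))
                continue
            exch = r['rdata'][1].lower()
            if is_ip_literal(exch):
                findings.append((r['owner'], 'MX',
                                 'exchange %r is an IP literal; it must be a host name' % exch))
            elif exch in cnames:
                findings.append((r['owner'], 'MX',
                                 'exchange %r is a CNAME; MX must point at a canonical name' % exch))
    return findings


if __name__ == '__main__':
    for label, zone in (('as posted', OP_FRAGMENT), ('corrected', FIXED_FRAGMENT),
                        ('cname case', CNAME_CASE)):
        print(label + ':', lint_zone(zone) or 'no findings')
```

The corrected fragment keeps the SPF TXT record as posted, since `mx` in `v=spf1 mx -all` is only useful once the MX exchange is a name that resolves to the server's address.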

Re: designing the DNS from the scratch

2017-07-10 Thread wbrown
> But you do know the approximate speed of light in a vacuum?

~3 x 10**8 m/s

More importantly, what is the speed of light in a fiberoptic connection? 
Speed of electrons in copper wire?





Re: wildcard not working after record deleted

2017-06-20 Thread wbrown
Can you post a copy of the zone file, changing any server names that 
absolutely must be obscure?






Re: wildcard not working after record deleted

2017-06-20 Thread wbrown
> Thanks for your answer. There are no other records with that name in the
> zone, and an ANY query comes back empty but still with status of
> NOERROR. Unfortunately, I can't provide the query and zone data, and I
> do understand that prevents you from helping.

Not even an SOA record?





Re: make AAAA type the default for dig

2017-06-15 Thread wbrown
Mark Andrews wrote on 06/15/2017 12:02:37 AM:

> Other ISP's should try to match Google's level of IPv6 commitment.

I'll bet they would if they had Google's level of cash flow.





Re: Enforce EDNS

2017-02-07 Thread wbrown
From: Matthew Pounsett 

> I fully support breaking resolution for such servers.  I'd rather 
> have a hard failure on my end that I can investigate, and work 
> around if necessary, than have my server wasting cycles trying to 
> guess what sort of broken state there is on the far end.   It would 
> also give me the heads up I need to contact the admin on the far end
> and report their servers' broken behaviour. 

And the remote admin would say "Well, it must be your problem because no 
one else is complaining."

I get the same line of BS when I refuse to honor a whitelisted domain in 
my spam filter if they fail SPF checks.  Not many filters do that, but I 
think it is a great idea.  People dread hearing from the IRS, but they 
can't afford to block the emails.




Re: Need feedback on RPZ service setup

2017-01-05 Thread wbrown
From: Tony Finch 

> BIND will only send NOTIFY to a zone's advertised name servers - "stealth
> slaves" like your consumers have to rely on the SOA refresh timer.

Why not use also-notify to specify client servers?



Re: Sites that points their A Record to localhost

2014-01-14 Thread WBrown
From: Tony Finch d...@dotat.at

  ;; ANSWER SECTION:
  www.p3net.net.  0   IN   A   199.101.28.20
 
 That IP address indicates that your ISP is lying to you. It belongs to
 Skye By Nominum which is a cloud DNS service. I guess this is Skye Search
 since that sounds like a rent-seeking scheme based on replacing NXDOMAINs
 with advertising.
 
 http://www.darkreading.com/nominum-rolls-out-skye-dns-cloud-service/220100568


Maybe this is why the .berlin TLD is including the copyright notice in 
their TXT record:
https://lists.dns-oarc.net/pipermail/dns-operations/2014-January/011211.html 






Re: Sites that points their A Record to localhost

2014-01-10 Thread WBrown
From: Alan Clegg a...@clegg.com
 Yes, it seems that they have an A record for that label that 
 provides the IP address 127.0.0.1.
 
 You probably want to ask the owner of the zone about this, as I'm 
 not sure what the community can do about it.

They have an MX record, so perhaps the domain is only intended for email.

# host p3net.net
p3net.net has address 127.0.0.1
p3net.net mail is handled by 10 aspmx.l.google.com.

Although, they should have more MX records if using google.





Re: Slowing down bind answers ?

2014-01-06 Thread WBrown
 From: Nicolas C. b...@nryc.fr

  Or really mess with them and answer all A queries with 199.181.132.249
 
 It's not a bad idea. I could wildcard all requests to an internal HTTP 
 server saying that the DNS configuration of the client is deprecated.

But that's not as much fun as sending them someplace they weren't 
expecting...

wbrown@WBrown:~$ dig +short disney.com
199.181.132.249





Re: Slowing down bind answers

2014-01-06 Thread WBrown
From: Bob McDonald bmcdonal...@gmail.com

 Of course, anycast would have solved this issue by allowing one to 
 add/remove a server from a properly configured environment without 
 affecting the clients...

Unless the goal is to move all DNS services off that subnet.  Our network 
staff would love to reclaim the /24 our DNS servers are tying up with very 
little else on it wasting 250 addresses.





Re: Slowing down bind answers ?

2014-01-03 Thread WBrown
From: Mark Andrews ma...@isc.org
 After that specify a final date for them to fix their machines by
 after which you will send NXDOMAIN responses.  Sometimes sending a
 poisoned response is the only way to get people's attention.
 
 zone . {
type master;
file empty;
 };
 
 empty:
 @ 0 IN SOA . stop.using.this.nameserver 0 0 0 0 0
 @ 0 IN NS .
 @ 0 IN A 127.0.0.1

Or really mess with them and answer all A queries with 199.181.132.249





Re: DNS with several ip addresses

2014-01-03 Thread WBrown
From: Barry S. Finkel bsfin...@att.net

 One caveat with using virtual servers.   Make sure that the DNS server
 on which the host machine relies is NOT the DNS server that is
 virtualized on that host.  The host machine needs to be up before
 the VMs residing on that host come up.

And you should never have only one DNS server and for reliability, they 
shouldn't be on the same host.  Or even in the same chassis if using 
blades.





Re: R: DNS with several ip addresses

2014-01-02 Thread WBrown
  Use views
 
 Views +1 

When were views added to BIND?  We started using multiple servers in 
BIND 4, and I don't recall views being available back then, but I didn't 
configure the servers, just maintained the zones.

We're still using multiple servers for internal vs. external resolution.  





Re: Enabling RRL in bind

2013-12-30 Thread WBrown
From: Gaurav Kansal gaurav.kan...@nic.in

 In bind 9.9.4, Response-Rate Limit doesn't work until you configure bind 
 with the "--enable-rrl" option.
 
 I was wondering why is it so ?
 
 Why not this feature is enabled by default in bind.
 
 I tried to find out the same in ARM but didn't get any success.


BIND 9.9.4 provides support for Response Rate Limiting (RRL).  However it 
is not enabled by default when building BIND.  The reason for this is that 
BIND 9.9 is an Extended Support Version of BIND and per our policy on 
management of ESVs, we do not introduce any new features or functionality 
to a stable ESV version.

https://kb.isc.org/article/AA-01058/0 





Re: Enabling RRL in bind

2013-12-30 Thread WBrown
I wrote on 12/30/2013 11:17:58 AM:

 
 BIND 9.9.4 provides support for Response Rate Limiting (RRL).  However it 
 is not enabled by default when building BIND.  The reason for this is that 
 BIND 9.9 is an Extended Support Version of BIND and per our policy on 
 management of ESVs, we do not introduce any new features or functionality 
 to a stable ESV version.
 
 https://kb.isc.org/article/AA-01058/0 

For more information on Extended Support Versions see 
https://www.isc.org/downloads/software-support-policy/ 





Re: bad owner name - Unable to add forward map from Nintendo Wii U ... REFUSED

2013-12-27 Thread WBrown
From: David C. Rankin drankina...@suddenlinkmail.com

   I have bind 9.9.1.P1-2 with dynamic updates from dhcp 4.2.3.2-2. It has worked
 great, but I've run into a problem with a dreaded kids-present that I suspect is
 due to the game console attempting to provide a hostname containing spaces -- of
 all things. (Nintendo\032Wii\032U) Here is the transaction in detail:
 

Clearly Nintendo doesn't want you to install two of these consoles on the 
same network either.  Bad marketing!





Re: Performance Tuning RHEL 5 and Bind

2013-10-21 Thread WBrown
 From: Alan Clegg a...@clegg.com

 Fix your windows clients.

You can't fix stupid.






Re: how-to configure BIND or any DNS implementation for cloud infrastructure

2013-08-30 Thread WBrown
From: Odimegwu David odimegwuda...@yahoo.fr
> Is it possible for one to configure BIND or any DNS implementation 
> for the cloud?
> I was forced to search for this forum because the exigencies of my 
> situation necessitate a cloud. But yet, in a cloud:
> 1. I cannot be systems administrator, even if, I don't know yet, if 
> the company can give me administrator privileges. 
> 2. The IP address of the machine will not possibly be my own because
> the machine will be shared by numerous subscribers to the cloud 
> infrastructure. 
> 3. I know that like all other users, I will be given a set of user 
> privileges that are restrictive. 
> So, I am doubtful if my intentions are possible?
> Although, the domain name and zone administration recourses to me.
> With these constraints, is it possible for cloud DNS to be possible? 
> I have this site in mind: polarhome.com, where I intend paying for 
> server space. 


This information should be provided by the service provider as it will 
vary from vendor to vendor.





Re: redirecting root hints to fake internal root server

2013-08-27 Thread WBrown
From: Colin Harvey colinedwardhar...@yahoo.com
> My environment is firewalled from the real world.  For queries on 
> zones to which I'm not master, I want to recurse to a corporate 
> server.  nslookup some.internal.hostname.com 
> internal.corporate.server works fine.  Setting . to use this 
> internal server in the root.hints file does not.  In fact I do not 
> even see my system trying to recurse.  (I'm looking at network 
> traffic with a sniffer.)
> 
> My root.hints:
> 
> .                           600  IN  NS  internal.corporate.server.
> internal.corporate.server.  600  IN  A   192.168.1.1
> 
> 
> Alternatively I've setup a forwarding zone in named.conf to query 
> 192.168.1.1 for 'internal.hostname.com'.  When monitoring the 
> network for udp data over port 53, I'm not even seeing the query 
> being forwarded.  Why?

Add these lines to your options section:

forward only;
forwarders {192.168.1.1;};

see 
ftp://ftp.isc.org/isc/bind9/9.9.3-P2/doc/arm/Bv9ARM.ch06.html#id2578567
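A fuller named.conf fragment along those lines, added here as an example and not taken from the thread; the directory path and the example.org master zone are placeholders, the forwarder address and the internal zone name are the ones from the question:

```conf
// Added example (not from the original post): a firewalled resolver that
// hands every query it is not authoritative for to the corporate server.
options {
    directory "/var/named";      // placeholder
    recursion yes;

    // "forward only" sends all recursion to the forwarders and never falls
    // back to iterative resolution via the root hints, which cannot work
    // from behind the firewall.  The default, "forward first", would try
    // the forwarders and then attempt to iterate on its own.
    forward only;
    forwarders { 192.168.1.1; };
};

// A per-zone forward directs just one subtree; stating "forward only" here
// too keeps BIND from iterating for this zone if the forwarder is slow.
zone "internal.hostname.com" {
    type forward;
    forward only;
    forwarders { 192.168.1.1; };
};

// Zones this server is master for are answered locally and never forwarded.
zone "example.org" {                // placeholder zone
    type master;
    file "example.org.zone";
};
```

After reloading, a query for a name under internal.hostname.com from this server should show up on the sniffer as UDP/53 traffic to 192.168.1.1 rather than to the root servers.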





Re: Secondary DNS question...

2013-06-21 Thread WBrown
> From: SH Development listacco...@starionline.com
>
> No, there is definitely something going on.  I shut down our 
> ns2.starionhost.net this morning for a while.  Sure enough, emails 
> started bouncing from customers even though our ns1.starionhost.net 
> is up and on the faster machine.

What exactly do the delivery failures say when the email bounces?  Are 
there problems with other servers for your domain such as not getting to 
your website?  Again, what error is returned?  I miss the old days of 
simple browser error messages; IE's full page of nothing drives me crazy!






Re: What happens when one out of three NSs are down?

2013-06-12 Thread WBrown
> From: Chris Buxton cli...@buxtonfamily.us
>
> In practice, though, your best bet is to find out why that small 
> group of customers are having problems. Are they querying the 
> servers directly?

Are they behind the routing problem and can get to the isolated name 
server and not the other two servers?





Re: BIND Configuration

2013-05-09 Thread WBrown
I don't know how it's done, I'm not a networking guru, but here we have 2 
upstream providers and somehow we route out through both, and both can 
route in to our /16 network.  No messing with DNS changes depending on 
which ISP is having problems, 

As Clarke's third law states, Any sufficiently advanced technology is 
indistinguishable from magic.

Bill





Re: architecture question

2013-05-09 Thread WBrown
> From: Jeremy P jpcra...@gmail.com
>
> In my experience the students who get it and comprehend the 
> concepts are able to heed the warnings of "in real life, we would do
> this a little different."  The students who don't get it are gonna
> misconfigure regardless of what TLD I tell them to use in the lab.  
> They'll probably also assign addresses in the 2001:DB8::/32 range 
> because they saw it in documentation.  My advice: hire the former 
> and pass on the latter and everything will be ok ;-)

Many students are more clued in than some teachers give them credit for. 
They will understand that what they see in class is not the same as 
they'll see in the real world.  It's that other portion that will go on to 
cause mayhem or get elected to public office.  It's easy to say pass on 
the latter, but they will eventually get hired because they managed to 
squeak through an A+ or Microsoft certification and someone scrapes the 
bottom of the barrel because they're not willing to pay for talent.

Or maybe they'll just be the offspring of a friend of the person in 
the corner office.  I wish I could say I've never seen that happen!





Re: architecture question

2013-05-08 Thread WBrown
> From: b...@bitrate.net
>
> on a side note, i would strongly discourage you from using .local in
> dns.  .local is a pseudo tld, reserved for use with mdns.

This just came up with a site I support.  Thanks to this list and the 
DNS-OARC list, I know better. Hopefully, I can redirect them to use 
something below their real domain for Active Directory such as 
ad.example.org.





Re: Mailing list reply-to setting

2013-05-08 Thread WBrown
> From: Steven Carr sjc...@gmail.com
>
> Any chance someone can correct the settings on this mailing list to
> reply to the list by default instead of the user posting the message?

Why, are the settings wrong?

I have used and later run lists for years, and supported Listserv(tm) 
servers for others for most of those years.  There is no right or wrong 
for the reply settings.  It's really a personal preference of the list 
owner as to how replies should be handled.  If the message should go back 
to the list, use reply all.  That's supported by all the major mail 
clients.

Subject tagging is another preference item - no right or wrong.  I have my 
mail client filter on the sender moving list traffic into the appropriate 
folder.  Works just as well as filtering on the tag.





Re: ISC Courses

2013-04-26 Thread WBrown
> From: rohan.he...@cwjamaica.com
>
> Can anyone say why Bind course offering appears so expensive? Is 
> something else included in the package that is not specified?
> 
> 2-Day Introduction to DNS & BIND Training
> Price: $1,795.00

I took this class about 2 years ago.  IIRC, the instructor wasn't just a 
trainer, but a support engineer from ISC who could also teach.  He pops up 
here on the list from time to time. 

Another advantage to taking this class is you can bring your DNS issues 
and discuss them with others to see how they are tackling them, and get an 
expert's opinion on it too.  Some training company instructors are just 
certification mill graduates with little hands-on experience.  Other than 
the ISC course, I haven't had a truly knowledgeable instructor since my 
Netware 3 and 4 CNE classes.  Aren't most Microsoft classes running about 
$1600/day?

Don't forget that any modest profit from this class will go towards the 
continued development of BIND.

Disclosure, I have no ties to ISC other than user of BIND and past student 
of the 2 day Intro to DNS and BIND.





Re: clients-per-query

2013-04-10 Thread WBrown
> From: Dwayne Hottinger dhottin...@harrisonburg.k12.va.us
>
> I keep seeing messages in my named.log file that say things 
> like "clients-per-query increased to 30", then later it says "clients-
> per-query decreased" to a lower number.  When this happens, lookups 
> seem to not be working.  What is an acceptable value for a large 
> network?

For the same reason it was increased to 15 in this thread: 
https://lists.isc.org/pipermail/bind-users/2013-April/090402.html 

Do you have a bottleneck on your queries to authoritative servers?  If 
your recursive server can't resolve it for the first few clients that ask 
the question, it queues the query for subsequent clients that ask the same 
question.  And it can't respond to any of them until it receives the 
answer from the authoritative server.

What do your client queries look like?  Have you turned on query logging 
to see what the clients are trying to resolve?  Which are your top 
clients?  Did you do something to the cache settings?  How many clients 
are you trying to support?
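One way to answer those questions from the logs once query logging is on. This is an added example, not code from the thread or from BIND; the log lines are constructed, following the BIND 9.9 query-log line format ("client ADDR#PORT: query: NAME CLASS TYPE FLAGS (SERVER)") and the resolver's "clients-per-query increased/decreased to N" notices:

```python
"""Added example (not from the list thread): summarise a BIND query log to
see which clients ask the most, which names are asked for repeatedly, and
when named raised or lowered clients-per-query.  SAMPLE_LOG is constructed.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
10-Apr-2013 10:01:02.123 queries: info: client 10.1.5.20#51234: query: www.example.com IN A + (10.1.0.53)
10-Apr-2013 10:01:02.456 queries: info: client 10.1.5.21#40021: query: www.example.com IN A + (10.1.0.53)
10-Apr-2013 10:01:03.001 queries: info: client 10.1.7.99#33001: query: a1b2c3.bad-domain.example IN A + (10.1.0.53)
10-Apr-2013 10:01:03.002 queries: info: client 10.1.7.99#33002: query: d4e5f6.bad-domain.example IN A + (10.1.0.53)
10-Apr-2013 10:01:03.003 queries: info: client 10.1.7.99#33003: query: g7h8i9.bad-domain.example IN A + (10.1.0.53)
10-Apr-2013 10:01:04.500 resolver: notice: clients-per-query increased to 15
10-Apr-2013 10:01:05.250 queries: info: client 10.1.5.22#60001: query: www.example.com IN AAAA + (10.1.0.53)
10-Apr-2013 10:02:10.000 resolver: notice: clients-per-query decreased to 12
"""

# Client address, optional "(name)" used by newer BIND versions, then the
# question.  Tolerates both the 9.9 format above and the later one.
QUERY_RE = re.compile(
    r"client (?P<addr>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)
CPQ_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*clients-per-query (?P<dir>increased|decreased) to (?P<n>\d+)"
)


def parse_query_log(text):
    """Return (queries per client, queries per name, clients-per-query events)."""
    clients, names, events = Counter(), Counter(), []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            clients[m["addr"]] += 1
            names[m["name"].lower()] += 1
            continue
        m = CPQ_RE.match(line)
        if m:
            events.append((m["ts"], m["dir"], int(m["n"])))
    return clients, names, events


def top_clients(text, n=3):
    """The busiest source addresses, most queries first."""
    return parse_query_log(text)[0].most_common(n)


def top_names(text, n=3):
    """The most-requested names, which is where a stuck upstream query shows up."""
    return parse_query_log(text)[1].most_common(n)


def distinct_names_by_client(text):
    """How many different names each client asked for; a client that asks for
    many distinct names and nothing twice deserves a closer look."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            seen[m["addr"]].add(m["name"].lower())
    return {addr: len(names) for addr, names in seen.items()}


if __name__ == "__main__":
    clients, names, events = parse_query_log(SAMPLE_LOG)
    print("top clients:", clients.most_common(3))
    print("top names:", names.most_common(3))
    for ts, direction, n in events:
        print(ts, "clients-per-query", direction, "to", n)
```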





Re: clients-per-query

2013-04-10 Thread WBrown
Dwayne Hottinger dhottin...@harrisonburg.k12.va.us wrote on 04/10/2013 
10:27:24 AM:

> Sorry, My spambox grabbed your earlier reply, my apologies.  My 
> clients are a mixed environment of macs, windows 7/xp, androids, etc. 
> At any one time I'll have over 3000 devices connected to the 
> network.  I actually have one internal dns server for internal 
> network and 2 external dns servers.  I turned on logging for 
> queries on all the dns servers and will monitor that. I'm currently 
> searching the logs to see if some clients query more than others to 
> try and figure out if one is infected with some kind of malware.


3000 devices isn't much, even for a modest BIND server.  Did this 
configuration work in the past?  What changed?  Is there a network rate 
limiting device in place that could be affecting the queries to the 
authoritative servers?  Have you talked to your networking team?  They 
would never make changes without informing, I'm sure.  :)

 





Re: Simple question about zone and CNAME

2013-04-08 Thread WBrown
Warren Kumari war...@kumari.net wrote on 04/05/2013 06:48:08 PM:

> > And then there's these folks:
> > 
> > http://no-www.org/ 
> > 
> 
> Oh wow!
> 
> Gee, thanks for that?

And it's always fun when you tell someone to go to a URL that doesn't 
include the W's and they want to type them in anyway, i.e. 
chat.example.com.





Re: Some Server not Resolving certain address

2013-04-08 Thread WBrown
> From: Arie L. Putra ari...@smartfren.com
>
> Some of my server reported SERVFAIL,
> 
> I try some reference on http://www.whatsmydns.net/ and some result 
> fail indeed, but why some of my server still resolve ok?
> or my other server which resolve the domain actually late to see 
> the invalid record?

In your first message, you said "All server virtually the same 
configuration".  What are the differences? What do the servers that do 
resolve have in common that is missing on the others?  What do the ones 
that fail have in common?  Could it be an issue with IPv6?  Are they all 
running the same version of bind?  Differences in named.conf?  Could there 
be differing firewall rules for the different servers?

Try running dig from each server.





Re: Simple question about zone and CNAME

2013-04-05 Thread WBrown
> Incidentally, we have just been asked for an A record for cam.ac.uk to
> duplicate www.cam.ac.uk because, and I quote, "all the publicity material
> sent out by the nominator [for an award for the web site] gave the URL
> as http://cam.ac.uk/ and this has been retweeted around."
> 
> Yes, sadly I've lost that technical battle with marketing several places
> now.

And then there's these folks:

http://no-www.org/ 





Re: Suspecious DNS traffic

2013-03-25 Thread WBrown
babu dheen wrote on 03/25/2013 12:21:30 PM:

> Still not convinced because if I need to allow 1024 port from our 
> DNS server to external world(internet).. where is the security?

Total security requires total isolation.  It is a matter of accepting some 
risks to perform the needed task.

> I believe we just need to allow TCP and UDP 53 from our DNS server 
> to internet(any) which is already done. Not sure why we have to open
> non standard port from our DNS server to internet?
> 
> Kindly provide some details.

You send request via UDP from random high port to an authoritative server. 
 Answer is too large to fit in UDP packet, so it responds via TCP to the 
source port of the request (random high port from above).  If you block 
that TCP connection, you cannot receive answer to your query.

Another reason for TCP replies is DNS Response Rate Limiting (RRL). 

Some modern stateful firewalls understand DNS and if there is a UDP 
packet sent to port 53, it will accept TCP connections back from the 
destination address on port 53 to the source address/port.
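The UDP-then-TCP exchange behind that firewall question, as an added example that is not from the thread: under RFC 1035 a reply that does not fit in a UDP datagram comes back with the TC (truncated) bit set, and the resolver repeats the same query to the server's TCP port 53 from a fresh ephemeral port, with a two-byte length prefix on each message. Both messages below are built by hand; the ID, name and record type are arbitrary sample values.

```python
"""Added example (not from the list thread): the resolver-side check for a
truncated UDP answer and the framing of the retry over TCP.  Messages are
constructed inline; nothing is sent on the network.
"""
import struct

QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(msg_id, name, qtype=QTYPE_TXT):
    """12-byte header with RD set, QDCOUNT=1, then one question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the fields a resolver needs before it even looks at the answer."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & 0x8000),   # response bit
        "tc": bool(flags & 0x0200),   # truncated: answer did not fit in UDP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(query, response):
    """True when the UDP reply is a truncated answer to *this* query."""
    h = parse_header(response)
    return h["qr"] and h["tc"] and h["id"] == parse_header(query)["id"]


def tcp_frame(msg):
    """On TCP every DNS message is preceded by its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream back into messages; raises on a cut-off one."""
    msgs, i = [], 0
    while i < len(stream):
        (n,) = struct.unpack("!H", stream[i:i + 2])
        body = stream[i + 2:i + 2 + n]
        if len(body) != n:
            raise ValueError("incomplete TCP DNS message")
        msgs.append(body)
        i += 2 + n
    return msgs


def resolver_next_step(query, udp_reply):
    """What a resolver does with the UDP reply: retry over TCP, or accept it."""
    if needs_tcp_retry(query, udp_reply):
        return "tcp", tcp_frame(query)
    return "done", udp_reply


# Constructed exchange: a TXT query, the server's truncated UDP reply
# (flags QR|RD|TC|RA = 0x8380, no answer records carried), and a normal
# empty NOERROR reply (flags QR|RD|RA = 0x8180) for comparison.
QUERY = build_query(0x1234, "example.com")
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print(resolver_next_step(QUERY, TRUNCATED_REPLY)[0])   # tcp
    print(resolver_next_step(QUERY, NORMAL_REPLY)[0])      # done
```

The firewall consequence is the one the reply describes: the resolver's outbound TCP connection to port 53 on the authoritative server, and the packets coming back on it, must be allowed, not just the UDP/53 exchange.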








Re: BIND roadmap

2013-02-28 Thread WBrown
Shane Kerr sh...@isc.org wrote on 02/28/2013 05:37:26 AM:

> On Thursday, 2013-02-28 11:19:01 +1100, 
> Mark Andrews ma...@isc.org wrote:
> > 
> 
> ISC has no specific plans to end BIND 9 development. As Mark correctly
> says:

Thanks for the clarification.
 
> > BIND 10 is still a way off being a replacement for BIND 9.
> 
> We are missing a lot of features in BIND 10 that are present in BIND 9.
> However, it is not as correct to say:
> 
> > Development for both is still proceeding in parallel.  BIND 9 is
> > still the server to install for production.  BIND 10 is more for test
> > environments at this stage though we would like people to play with
> > it give feedback (good or bad). 
> 
> If BIND 10 has the functionality that you need - authoritative-only
> without BIND-managed DNSSEC signing - then BIND 10 *is* production
> ready today.

I need recursion, at least for some of our servers, and I'd rather not have 
to learn and maintain different versions.
 
> The main issue is that it is a 1.0.0 version, so does not have the
> history of installed bases to increase confidence.

Will it ever be referred to as BIND 10.0.1 or will it always be BIND 10 
version 1.0.1?  The latter seems confusing IMO.
 
> > As of BIND 9.9.3, BIND 9.9 will be
> > a extended support version.  BIND 9.9.0 was released March 2012
> > so it will be supported until March 2016 and perhaps further as per
> > the software support policy.
> > 
> > https://www.isc.org/wordpress/software/software-support-policy/
> 
> Note though that as far as I can tell, few people actually use the ESV
> software. Please let us know if the ESV policy works for you!

We're on a really, really old distro version (well, our externals are now 
9.9.2 w/ RRL patches).  New servers will run BIND compiled from source so 
I can pick my own upgrade path.
 
> Finally, we are currently discussing the BIND 9 and BIND 10 roadmaps
> and should have something we can publish shortly. Sorry to be so
> mysterious about it - it's nothing weird. :)
 

I look forward to seeing that.





Re: BIND roadmap

2013-02-28 Thread WBrown
Doug wrote on 02/28/2013 12:31:21 PM:

> You probably want to have some discussions with OS vendors that embed 
> BIND to familiarize yourself with how many people are using ESV versions 
> from that channel.

Or even older versions.

FWIW, Ubuntu 8.04LTS uses bind 9.4.2.  They backport critical fixes to it 
though.  Ubuntu LTS releases are supported for 5 years so it is nearly 
EOL.





BIND roadmap

2013-02-27 Thread WBrown
Congrats to ISC and everyone that has worked on BIND 10!

I am building new name servers and redesigning our infrastructure with an 
eye towards streamlining, improving security and implementing DNSSEC.  I 
had been testing a few things with BIND 9.9.x.  Now that BIND 10 is 
released, I am wondering which way to go.  Will ISC continue to develop 
the BIND 9 code stream?  I saw a mention of RRL being added to 9.10, but 
how long will development continue before hitting ESV?


-- 

William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285






Re: disabling lame server logging

2013-02-26 Thread WBrown
Robert wrote on 02/26/2013 02:23:44 PM:

> > There is a logging category for lame-servers. It's in the ARM.
> 
> So far 2 reads and I am not getting out of it what to do for selective 
> logging based on return codes.  I am going to let it stay for now as I 
> move on to other parts of this project.

From my named.conf.logging:

// Send all lame server errors to the null channel
category lame-servers { null; };





Re: BIND master , Windows 2008 stub zone not transferring

2013-02-21 Thread WBrown
> From: Sowmya Manjanatha sowmy...@gmail.com
>
> Well, I have a stub zone on Windows 2008 server set-up to use two 
> different BIND server as its list of IPs to use as masters.  In the 
> DNS manager on Windows, you can always right click on the zone and 
> select "Transfer zone from Master".  With Wireshark on Windows, I 
> have found that this triggers a DNS request for the given zone 
> name.  

Yes.  DNS does a query for the SOA record so it can compare serial 
numbers.  If the received serial number is not higher, no transfer is 
started.

> You may be right that it may very well not be a zone transfer
> and just a regular query/response.  However, I was just going by the
> terminology on the zone from Windows.  

Bad plan.  Microsoft likes to redefine terms.  They do so in many of their 
products, even terms that have been around since before Johannes Gutenberg 
was moving type.

 In any case, the problem is 
 that this zone transfer is finicky.  Sometimes, the zone is loaded 
 correctly and sometimes that Zone Transfer failed or Zone Not 
 Loaded by DNS Server.  It has also been hard to understand what 
 makes this failure occur.

Are they allowed to do zone transfers (allow-transfer option)?
 
 Another problem I am also having is that Windows 2008 server doesn't
 seem to pick up the latest SOA i.e. it does not seem to honour the 
 serial number within the SOA.  It appears it just picks up the 1st 
 response it gets.  So, I find that sometimes the records are stale. 
 I am trying to understand if there is any configuration in BIND that
 can help provide the right response the 2008 server prefers.  

Do all of your masters agree on the serial number? 
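The serial comparison above is not a plain integer comparison: the SOA serial is a 32-bit field compared with RFC 1982 sequence-space arithmetic, so a master that has wrapped past 4294967295 still counts as "newer", and a serial that was accidentally set too high can only be walked forward in steps smaller than 2^31, never set back. The Python below is an added example, not code from this thread; it models the secondary's "is the master ahead of me" decision and the "do the masters agree" check. The serial values and master names are made up.

```python
SERIAL_MOD = 1 << 32    # the SOA serial is an unsigned 32-bit field
SERIAL_HALF = 1 << 31   # RFC 1982: ordering is only defined within half the space


def serial_gt(a, b):
    """True if serial a is 'greater than' b under RFC 1982 arithmetic.

    a > b when a != b and (a - b) mod 2^32 lies in (0, 2^31).  A difference of
    exactly 2^31 is undefined by the RFC; this helper treats it as 'not greater',
    the conservative choice (no transfer is started).
    """
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    if a == b:
        return False
    return 0 < (a - b) % SERIAL_MOD < SERIAL_HALF


def transfer_needed(local_serial, master_serial):
    """A secondary only starts a transfer when the master's serial is 'greater'."""
    return serial_gt(master_serial, local_serial)


def serial_add(serial, n):
    """Advance a serial by n (0 <= n < 2^31, the largest step RFC 1982 allows)."""
    if not 0 <= n < SERIAL_HALF:
        raise ValueError("increment must be in [0, 2^31)")
    return (serial + n) % SERIAL_MOD


def masters_agree(master_serials):
    """True when every configured master reports the same serial for the zone."""
    return len({s % SERIAL_MOD for s in master_serials.values()}) == 1


def pick_master(local_serial, master_serials):
    """Name of the master with the newest serial that is ahead of ours, or None."""
    best = None
    for name, serial in master_serials.items():
        if serial_gt(serial, local_serial) and (
            best is None or serial_gt(serial, master_serials[best])
        ):
            best = name
    return best


if __name__ == "__main__":
    # Constructed values: date-style serials as on most zones, and a wrapped one.
    print(transfer_needed(2013022001, 2013022002))  # True: master is one step ahead
    print(transfer_needed(2013022002, 2013022001))  # False: our copy is newer
    print(transfer_needed(4294967295, 5))           # True: master wrapped past 2^32-1
    masters = {"ns1.example.org": 2013022002, "ns2.example.org": 2013022001}
    print(masters_agree(masters), pick_master(2013022001, masters))  # False ns1.example.org
```

If the two masters disagree, a secondary that happens to ask the lagging one first sees "not higher" and keeps stale data until the next refresh, which is the behaviour described in the question.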







Re: Cannot create A record issue

2013-02-20 Thread WBrown
Jsilliman wrote on 02/20/2013 01:44:20 PM:

 No, I think it's only loaded once, but port 53 is listening on

Try ps aux |grep named to prove it.





Re: Export / Import all zone data

2013-02-14 Thread WBrown
Daniel wrote on 02/14/2013 02:52:55 PM:

 Just make the new server a slave of the old one, let it do zone 
transfers of
 all of the old zones, then change the config on the new one from slave 
to
 master.

I wonder if that wasn't done once before which is why the zone files don't 
appear to be structured the 'proper' way.  Depending on the zone contents 
you can end up with a lot of $ORIGIN and the like which can be a little 
confusing.

Perhaps the original poster could share some examples of what is seeing.

Bill





Re: Slaving from DNS masters behind LVS

2013-02-13 Thread WBrown
Nick wrote on 02/12/2013 10:00:27 PM:

 We have a pair of DNS servers running BIND behind a direct routing LVS
 director pair running keepalived.  Let's call these two DNS servers A
 and B, and the VIP V.

Several years ago I was lucky enough to take the ISC class on bind. One of 
my questions going into the class was about using a load balancer in front 
to our name servers.  We have two VMs for internal resolution and two more 
for external. 

The instructor said not to use a load balancer as the DNS protocol had the 
resilience to handle a server going down and the load balancer adds to the 
complexity of troubleshooting problems.  We had never had a problem with 
either BIND crashing or network issues making them all unavailable, so the 
load balancer was really a solution looking for a problem.

Recently, we had to take the slave name servers (1 internal, 1 external) 
down to move the VMs to a different storage pool.  There were no issues 
with everyone continuing to use the masters only.

My current goals are to restructure our DNS, but load balancing is not in 
the future here. 

-- 

Bill






Re: Define an internal zone with only a couple of A records, then forward to an external dns server

2013-01-17 Thread WBrown
Alberto wrote on 01/17/2013 10:09:00 AM:
 - I want to define in my dns server a zone external_partner.com, 
 which is the domain of our partner who manages it with his dns 
 public server dns.external_partner.com.
 - I need to define into this zone a couple of servers 
 (vpn_host_1.external_partner.com, 
 vpn_host_2.external_partner.com) because we connect via vpn to our 
partner.
 - I want that the rest of the names, e.g. www.external_partner.com
 , are resolved forwarding the requests to the dns of our partner.

Can you use host_[1|2].vpn.external_partner.com instead? 

Then you can define a zone for vpn.external_partner.com with those A 
records, and a forward zone for the rest of external_partner.com (but not 
including vpn.external_partner.com).





Re: Logging

2013-01-08 Thread WBrown
Timothe Litt l...@acm.org wrote on 01/08/2013 08:19:56 AM:

 What I think would be more useful is if named actually reported the 
 issues to where they'd do some good.  Perhaps a DNS extension I got an 
 invalid message from you - so it shows up in the log of the server (and 

 administrator) with the problem.  (I'd worry about denial of service, 
 though if the server is in fact lame, it's not providing service - at 
 least to that zone .  Abuse of the reporting mechanism is the main risk, 

 and avoiding it would take some careful engineering.)

My sense of most lame servers is they served entities that had disappeared 
from the face of the earth, taking most of their online presence with 
them.  The only thing left was their domain registration and the NS 
records in the parent domain, probably due to multi-year registrations 
that had not yet expired.  Or they could have been spam related domains 
that were no longer being used.

Reporting such domains would simply be noise. 

If there is truly is a domain having technical difficulties with name 
resolution, I suspect that they would find out about it soon enough 
because no one would be able to connect to them:

-  No email
-  outgoing email might be rejected depending on receiver's 
  filtering policies
-  No web presence
-  Failure of other systems relying on DNS

Wouldn't dig +trace reveal the lame server with the BAD REFERRAL error?

From lame.log:

08-Jan-2013 08:52:37.747 lame server resolving 
'mail.desktoptrainingacademy.com' (in 'desktoptrainingacademy.com'?): 
208.89.21.65#53


And dig +trace desktoptrainingacademy.com returns 

; <<>> DiG 9.4.2-P2.1 <<>> +trace desktoptrainingacademy.com
;; global options:  printcmd
.   452564  IN  NS  g.root-servers.net.
.   452564  IN  NS  h.root-servers.net.
.   452564  IN  NS  l.root-servers.net.
.   452564  IN  NS  e.root-servers.net.
.   452564  IN  NS  a.root-servers.net.
.   452564  IN  NS  m.root-servers.net.
.   452564  IN  NS  i.root-servers.net.
.   452564  IN  NS  b.root-servers.net.
.   452564  IN  NS  c.root-servers.net.
.   452564  IN  NS  k.root-servers.net.
.   452564  IN  NS  j.root-servers.net.
.   452564  IN  NS  d.root-servers.net.
.   452564  IN  NS  f.root-servers.net.
;; Received 508 bytes from 168.169.12.2#53(168.169.12.2) in 0 ms

com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
com.            172800  IN  NS  m.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  a.gtld-servers.net.
;; Received 504 bytes from 202.12.27.33#53(m.root-servers.net) in 188 ms

desktoptrainingacademy.com. 172800 IN   NS  ns2.evolveip.net.
desktoptrainingacademy.com. 172800 IN   NS  ns1.pbp.com.
;; Received 128 bytes from 192.12.94.30#53(e.gtld-servers.net) in 94 ms

desktoptrainingacademy.com. 3600 IN A   216.4.210.253
;; Received 60 bytes from 208.89.23.71#53(ns1.pbp.com) in 12 ms

root@ns5:/etc/bind# dig +trace mail.desktoptrainingacademy.com

; <<>> DiG 9.4.2-P2.1 <<>> +trace mail.desktoptrainingacademy.com
;; global options:  printcmd
.   452533  IN  NS  e.root-servers.net.
.   452533  IN  NS  j.root-servers.net.
.   452533  IN  NS  a.root-servers.net.
.   452533  IN  NS  d.root-servers.net.
.   452533  IN  NS  m.root-servers.net.
.   452533  IN  NS  c.root-servers.net.
.   452533  IN  NS  h.root-servers.net.
.   452533  IN  NS  k.root-servers.net.
.   452533  IN  NS  b.root-servers.net.
.   452533  IN  NS  l.root-servers.net.
.   452533  IN  NS  g.root-servers.net.
.   452533  IN  NS  i.root-servers.net.
.   452533  IN  NS  f.root-servers.net.
;; Received 508 bytes 
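The lame.log line quoted above has a fixed shape, so instead of sending the whole lame-servers category to the null channel (the named.conf.logging fragment earlier on this page) the lines can be kept and summarised afterwards, which is the closest thing to "selective logging" available for that category. The Python below is an added example, not code from the original posts: it parses that line format, counts lame referrals per (zone, server) and drops anything under a threshold. The sample log is constructed with documentation names and addresses, not taken from a real capture.

```python
import re
from collections import Counter, defaultdict

# Shape of a BIND lame-servers log line as quoted on this page:
#   08-Jan-2013 08:52:37.747 lame server resolving 'mail.example.net' (in 'example.net'?): 203.0.113.5#53
LAME_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"lame server resolving '(?P<qname>[^']+)' "
    r"\(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)


def parse_lame_line(line):
    """Return the fields of one lame-servers line, or None for any other log line."""
    m = LAME_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines, min_hits=1):
    """Count lame referrals per (zone, server), most frequent first.

    Pairs seen fewer than min_hits times are dropped: that is the 'selective'
    part, done after the fact because the category itself cannot be filtered
    by cause in named.conf.
    """
    hits = Counter()
    qnames = defaultdict(set)
    for line in lines:
        rec = parse_lame_line(line)
        if rec is None:
            continue
        key = (rec["zone"], rec["server"])
        hits[key] += 1
        qnames[key].add(rec["qname"])
    return [
        {"zone": zone, "server": server, "hits": n, "qnames": sorted(qnames[(zone, server)])}
        for (zone, server), n in hits.most_common()
        if n >= min_hits
    ]


# Constructed sample log (documentation names and addresses, not a real capture);
# the last line is an ordinary query-log entry that the parser must ignore.
SAMPLE_LOG = [
    "08-Jan-2013 08:52:37.747 lame server resolving 'mail.example.net' (in 'example.net'?): 203.0.113.5#53",
    "08-Jan-2013 08:52:38.102 lame server resolving 'www.example.net' (in 'example.net'?): 203.0.113.5#53",
    "08-Jan-2013 08:53:01.000 lame server resolving 'mail.example.net' (in 'example.net'?): 203.0.113.5#53",
    "08-Jan-2013 08:53:05.314 lame server resolving 'ftp.example.org' (in 'example.org'?): 198.51.100.9#53",
    "08-Jan-2013 08:53:06.000 client 192.0.2.10#40312: query: www.example.com IN A + (192.0.2.1)",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, min_hits=2):
        print(f"{row['hits']:4d}  {row['zone']:<20} {row['server']:<16} {', '.join(row['qnames'])}")
```

Run it over a real lame.log with a threshold of a few dozen hits and what is left is the short list of zones worth a dig +trace; the one-off entries for dead domains are exactly the noise the reply above describes.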

Re: Distribute named.conf

2013-01-03 Thread WBrown
How does Puppet compare to Ansible?  http://ansible.cc/


-- 

William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285






Re: Distribute named.conf

2013-01-03 Thread WBrown
Mike wrote on 01/03/2013 02:45:29 PM:

 Thanks for sharing, first I'd heard of it...

I read about it on http://jpmens.net/

 
http://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software

It's there today. 

 I highly advise anyone new to configuraton management to setup some
 virtual machines and play with as many solutions as time permits...they
 each have interesting features, and no one solution will work for 
everyone
 IMHO.

Good advice!





Re: Can we load balance traf[f]ic for CNAME records?

2012-12-14 Thread WBrown
Manis Rane  wrote on 12/14/2012 02:12:59 PM:

 That is true by default rrset-order is cyclic I believe. And even if
 it replies randomly I guess we will have to NAT the traffic on 
 firewall for particular IPs

Your original post made me believe you are running Windows CAS servers. 
Why not use Windows High Availability features to bind one address to both 
servers.   A colleague was setting up a HA cluster for Exchange and was 
explaining some of it to me.  IIRC, you point to one IP address, and it 
points to one server, if it goes down, the other picks up the load.  You 
have MX records point to both of them, the client access uses a different 
address than the SMTP process.  At least that's how I understood it. 
Sorry, I'm not an Exchange guru.





Re: Bind not forwarding all requests

2012-12-10 Thread WBrown
Romgo wrote on 12/10/2012 06:36:10 AM:

 I had 2 old zone with forwarders configured, the forwarders was down.
 One equipment was still using one of this zone, so bind wasn't able 
 to contact the forwarders and fall back to root zone. 
 
 I don't really why it try the root zone but since I delete those old
 zone I don't have any new queries to the root zone.
 
 According to what I read about forward only :
 
 it doesn't try to contact other name servers to find information if
 the forwarders don't give it an answer.
 
 I had exactly opposite behaviour. 

Actually, it was operating as designed.  The zones with forwarders defined 
were overriding the global option to forward only. 

Try taking down (or block access to) the target of your forward only 
statement and see if you get any resolution.  Everything that you are not 
authoritative for should fail.





Re: SPF records in reverse zones?

2012-12-06 Thread WBrown
Dan Mahoney wrote on 12/05/2012 06:52:43 PM:

 I can't even imagine what spamfilters would think of such an address. :)

To quote some annoying TV ads here in the US: 

REJECTED!





Re: SPF records in reverse zones?

2012-12-06 Thread WBrown
Karl Auer wrote on 12/05/2012 06:44:01 PM:

 This may be a silly question, but are SPF records supposed to be
 supported in reverse zones? I'm thinking of a mail server that has no
 entry in the DNS.


The SPF query is looking for the sender's domain, not the sender's server, 
so the record would be added for biplane.com.au, not for 
4.251.58.117.in-addr.arpa





Re: OT - Dns test Q/A

2012-12-05 Thread WBrown
I don't have any source of a DNS exam, but since you seem to be 
expecting a limited set of skills, how about a few questions of the sort 

What is an A record? 
What is an MX record? 
What does the SOA record contain
What does the serial number control

Think about what they will be working with and make up simple questions 
about it.  Perhaps come up with a few questions on what could happen if 
they see certain behaviors and how they would troubleshoot.

Years ago, I was told that you  can either spend time creating an exam or 
you can spend time grading it.  Creating short answer or essay questions 
is quick and easy.  Grading them takes time.  Creating a good true/false 
or multiple choice test is very difficult and time consuming.  Grading it 
is a snap.

Good luck. 


Re: Performance tuning

2012-11-27 Thread WBrown
Adamiec, Lawrence ladam...@kentlaw.iit.edu wrote on 11/26/2012 
01:12:48 PM:


 To the best of my knowledge, there are no problems with our DNS.  We
 only host 25 domains.
 
 The report must also address these two specific questions:
 
 1. Why does www.kentlaw.iit.edu load quicker than kentlaw.iit.edu in
 any browser?

Are you sure this is a DNS issue?  Test it by adding both to /etc/hosts 
(or Windows equal).   Reboot and flush all caches between tests.

 2. What happens if we remove the forwarders option from named.conf?

Depends why you have the forwarders.

 I can't duplicate the issue in Q1 and I'm trying to determine a way 
 of testing Q2.

Oh the joys of intermittent problems. Are you sure the issues reported as 
Q1 are real?  Have the web site folks been involved in discussions or are 
they just blaming DNS without testing anything?

If possible sneak host file entries onto a handful of user machines and 
see if they still complain. 







Delegations

2012-10-31 Thread WBrown
I have a zone file for example.org that has entries for a subdomain 
l2.example.org like this:

vpn.l2 IN A10.1.2.3

Now they want to add a subdomain below l2, ie. ad.l2.eboces.org with hosts 
such as dc.ad.l2.eboces.org

In the zone file for example.org, I can add NS and glue records for 
ad.l2.example.org as this:
dc.ad.l2  IN A 10.2.3.4
dr.ad.l2  IN A 10.4.5.6
ad.l2 IN NS dc.ad.l2.example.org.
ad.l2 IN NS  dr.ad.l2.eboces.org.

Will this work, or do I need to delegate l2.example.org before I can 
delegate ad.l2.example.org?


-- 

William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES







Re: Delegations

2012-10-31 Thread WBrown
Phil wrote on 10/31/2012 02:15:16 PM:

 You terminology is a bit confusing here. subdomain is imprecise. 

Sorry, I meant it as a piece of the FQDN.

 Specify what *zones* you want, and where you want the delegations, and 
 it should be easy to see what will work and not.


 Yes, if I've understood what you want.

I think you got it.
 
  or do I need to delegate l2.example.org before I can delegate 
 ad.l2.example.org?
 
 No. Zone cuts can be at any label inside a zone.

Thanks.  Waiting for firewall changes tonight to test.
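Phil's answer (a cut can sit at any label) is right, and the two things that still break a delegation of this shape are an in-bailiwick NS target without glue, and records left below the cut that are not glue, which the parent no longer serves because everything under the cut is answered with a referral. The Python below is an added example, not part of the thread: a minimal zone-fragment parser plus a check for those two conditions. The fragment is reconstructed with example.org throughout (the question mixes example.org and eboces.org) and the addresses are the ones given in the question; the "broken" and nested variants are constructed.

```python
def fqdn(name, origin):
    """Make a zone-file name absolute: '@' is the apex, unqualified names get the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse 'owner [IN] TYPE rdata' lines into (owner, type, rdata) with absolute names.

    Deliberately minimal: no $TTL/$ORIGIN handling, no TTL field, no multi-line
    records, which is enough for fragments of the shape quoted in the thread.
    """
    origin = origin.rstrip(".") + "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        if len(parts) > 2 and parts[1].upper() == "IN":
            del parts[1]
        owner, rtype, rdata = fqdn(parts[0], origin), parts[1].upper(), " ".join(parts[2:])
        if rtype in ("NS", "CNAME"):
            rdata = fqdn(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def is_below(name, cut):
    """True if name is strictly underneath cut in the tree."""
    return name != cut and name.endswith("." + cut)


def check_delegations(records, origin):
    """Report missing glue and occluded data for every zone cut inside this zone."""
    origin = origin.rstrip(".") + "."
    addr_owners = {o for o, t, _ in records if t in ("A", "AAAA")}
    cuts = {o for o, t, _ in records if t == "NS" and o != origin}
    problems = []
    for cut in sorted(cuts):
        ns_targets = {r for o, t, r in records if t == "NS" and o == cut}
        # An NS target at or below the cut can only be reached via glue in this zone.
        for target in sorted(ns_targets):
            if (target == cut or is_below(target, cut)) and target not in addr_owners:
                problems.append(f"missing glue: {cut} NS {target} has no A/AAAA record")
        # Anything else below the cut is occluded: the parent answers with a referral.
        for o, t, _ in records:
            if is_below(o, cut) and not (t in ("A", "AAAA") and o in ns_targets):
                problems.append(f"occluded: {o} {t} sits below the cut at {cut}")
    return problems


# Constructed zone fragment following the shape of the records in the question.
GOOD_ZONE = """
vpn.l2     IN A  10.1.2.3
dc.ad.l2   IN A  10.2.3.4
dr.ad.l2   IN A  10.4.5.6
ad.l2      IN NS dc.ad.l2.example.org.
ad.l2      IN NS dr.ad.l2.example.org.
"""

# Same fragment with the dr glue dropped and a stray host added under the cut.
BROKEN_ZONE = """
vpn.l2     IN A  10.1.2.3
dc.ad.l2   IN A  10.2.3.4
www.ad.l2  IN A  10.9.9.9
ad.l2      IN NS dc.ad.l2.example.org.
ad.l2      IN NS dr.ad.l2.example.org.
"""

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("broken", BROKEN_ZONE)):
        print(name, check_delegations(parse_zone(zone, "example.org"), "example.org") or "ok")
```

The nested case answers the other half of the question: if l2.example.org were itself delegated, the ad.l2 NS records and vpn.l2 would be reported as occluded, because they would then have to live in the l2.example.org zone rather than in example.org.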





Re: Glue from Root Servers returns wrong A record, why?

2012-09-10 Thread WBrown
ponga2...@gmail.com wrote on 09/10/2012 03:11:30 PM:

 
 SOA points correctly to the DNS provider (zoneedit).. there is no 
 mention of that 216 address anywhere in the registrar :(

Is the information below correct?

wbrown@wbrown-D630:~$ whois intaq.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: INTAQ.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/
   Name Server: NS1.INTAQ.NET
   Name Server: NS2.INTAQ.NET
   Status: clientTransferProhibited
   Updated Date: 23-may-2011
   Creation Date: 31-may-2002
   Expiration Date: 31-may-2013

 Last update of whois database: Mon, 10 Sep 2012 19:15:16 UTC 

[Blah blah blah]


Registrant:
Finger Rock Technology
   5030 N. Post Trail
   Tucson, AZ 85750
   US

   Domain Name: INTAQ.COM

[Blah blah blah]

   Administrative Contact, Technical Contact:
  Finger Rock Technologyarma...@fingerrock.com
  5030 N. Post Trail
  Tucson, AZ 85750
  US
  (520) 906-5437 fax: 123 123 1234


   Record expires on 31-May-2013.
   Record created on 31-May-2002.
   Database last updated on 10-Sep-2012 15:15:47 EDT.

   Domain servers in listed order:

   NS1.INTAQ.NET   216.146.46.198
   NS2.INTAQ.NET   216.146.46.198






Re: ho to filter hundeds of domains ?

2012-08-30 Thread WBrown
Russell Jones wrote on 08/30/2012 09:39:17 AM:

 Normal web filtering software that auto updates is a better 
 approach. Using Bind with a manual list of domains to try to achieve
 this is like trying to kill an ant hill 1 ant at a time 

There are several sources of RPZ data such as Spamhaus and SURBL.  Both 
are respected sources of spam filtering data.

(Disclosure: My employer subscribes to both for spam filtering, I have no 
financial stake)





Re: ho to filter hundeds of domains ?

2012-08-30 Thread WBrown
Russell Jones russ...@jonesmail.me wrote on 08/30/2012 10:28:07 AM:

 Oh I know, I use spamhaus myself for spam filtering - catches a 
 ridiculous amount of spam. It is my understanding though the OP wants to 

 filter domains for NSFW web browsing, not spam - specifically gambling 
 sites.

Spamhaus describes it this way:

The DBL is managed as a zero false-positive list, safe to use by 
production mail systems to reject emails that are flagged by it. The DBL 
includes URIs (domains/hostnames) which are used in spam including 
phishing, fraud/'419' or domains sending or hosting malware/viruses. 

Sounds like what I would want in an RPZ, but may not include the gambling 
sites the OP was looking to block.
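Whether the list comes from a feed like the DBL or is a hand-kept list of gambling sites, BIND enforces it the same way: the names go into an RPZ zone, loaded with a response-policy { zone "rpz.local"; }; statement in named.conf. The Python below is an added example, not from either message in this thread. It builds such a zone from a list (each name plus a *.name wildcard, because in RPZ the wildcard does not match the bare name) and mirrors the QNAME-trigger lookup order, exact owner first and then the closest wildcard, so a list can be tested before it is loaded. The origin rpz.local, the sample domains and the serial are made up.

```python
import re

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# RPZ rdata for the standard policy actions; "redirect" is built at call time.
ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN
    "nodata":   "CNAME *.",             # answer NODATA
    "passthru": "CNAME rpz-passthru.",  # exception: answer normally
}


def normalize_domain(name):
    """Lower-case, strip the trailing dot, and reject anything that is not a hostname."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a valid domain: {name!r}")
    return name


def build_rpz_zone(domains, origin, serial, action="nxdomain", redirect=None,
                   cover_subdomains=True, ttl=300):
    """Return (zone_text, rules); rules maps each policy owner name to its rdata."""
    if action == "redirect":
        if not redirect:
            raise ValueError("redirect action needs a target name")
        rdata = "CNAME " + redirect.rstrip(".") + "."   # walled garden
    else:
        rdata = ACTIONS[action]
    rules = {}
    for d in domains:
        d = normalize_domain(d)         # duplicates and case differences collapse here
        rules[d] = rdata
        if cover_subdomains:
            rules["*." + d] = rdata     # needed: '*.d' alone does not match 'd'
    origin = origin.rstrip(".") + "."
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {origin}",
        f"@ IN SOA ns.{origin} hostmaster.{origin} ( {serial} 3600 900 604800 {ttl} )",
        f"@ IN NS ns.{origin}",
    ]
    lines += [f"{owner} {rules[owner]}" for owner in sorted(rules)]
    return "\n".join(lines) + "\n", rules


def rpz_action(qname, rules):
    """QNAME trigger lookup: an exact owner wins, otherwise the closest '*.' wildcard."""
    q = qname.strip().lower().rstrip(".")
    if q in rules:
        return rules[q]
    labels = q.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


if __name__ == "__main__":
    # Constructed block list; note the duplicate with different case and trailing dot.
    zone, rules = build_rpz_zone(["Casino.Example", "casino.example.", "bets.example"],
                                 origin="rpz.local", serial=2013083001)
    print(zone)
    for q in ("casino.example", "www.casino.example", "notcasino.example"):
        print(q, "->", rpz_action(q, rules))
```

Keeping the passthru rules in a separate, earlier zone in the response-policy statement is the usual way to whitelist a domain that a feed gets wrong, since BIND applies the zones in the order they are listed.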





Re: Typical Bind slave failure scenario - What happens and when?

2012-08-28 Thread WBrown
Russell Jones russ...@jonesmail.me wrote on 08/27/2012 06:39:31 PM:

 Is there any documentation outlining what will actually occur, and 
 when, with a slave server when it cannot contact a zone's master for 
updates?

The authoritative documentation is the Bind Administrators Reference 
Manual (ARM).  Another excellent resource is DNS and BIND by Paul Albitz 
and Cricket Liu, also known as the Grasshopper Book because of its 
cover.  It is published by O'Reilly & Associates.

If you have a chance to attend an ISC training, I recommend it too.  I 
took their Intro to DNS and BIND after running bind for over a decade. I 
still learned a lot!  I would love to take the Advanced session if I get 
the opportunity.
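The ARM and RFC 1035 section 3.3.13 describe the secondary's behaviour in prose. The Python below is an added example, not from the original posts: a small model of the REFRESH/RETRY/EXPIRE state machine a secondary runs for one zone. After a successful SOA check it waits REFRESH, after a failed one RETRY, and once EXPIRE seconds have passed since the last success it stops serving the zone (BIND answers SERVFAIL for it until a transfer succeeds again). A NOTIFY is modelled as an early SOA check. The timer values, the outage window and the master_up function are made up; real BIND adds jitter to these timers and clamps them with its min-/max-refresh-time and -retry-time options, so the times are approximate.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SoaTimers:
    refresh: int  # seconds until the next SOA check after a successful one
    retry: int    # seconds until the next SOA check after a failed one
    expire: int   # seconds after the last success before the zone is dropped


def simulate_secondary(timers, master_up, horizon, notifies=(), last_success=0):
    """Walk a secondary's refresh/retry/expire state machine for one zone.

    master_up(t) -> bool says whether the master answers the SOA query at time t.
    notifies is an iterable of times at which a NOTIFY arrives (an early check).
    Returns a list of (time, event), event in {'refresh-ok', 'refresh-failed', 'expired'}.
    """
    if timers.refresh <= 0 or timers.retry <= 0:
        raise ValueError("refresh and retry must be positive")
    events = []
    pending = sorted(notifies)
    next_check = last_success + timers.refresh
    expired = False
    while True:
        # A NOTIFY makes the secondary check the SOA now rather than wait for the timer.
        if pending and pending[0] <= next_check:
            next_check = pending.pop(0)
        expiry_at = last_success + timers.expire
        if not expired and expiry_at < next_check:
            if expiry_at > horizon:
                break
            events.append((expiry_at, "expired"))
            expired = True
        if next_check > horizon:
            break
        t = next_check
        if master_up(t):
            events.append((t, "refresh-ok"))
            last_success, expired = t, False  # a fresh copy makes the zone usable again
            next_check = t + timers.refresh
        else:
            events.append((t, "refresh-failed"))
            next_check = t + timers.retry
    return events


def expired_at(events):
    """Time of the first 'expired' event, or None if the zone never expired."""
    return next((t for t, e in events if e == "expired"), None)


if __name__ == "__main__":
    # Constructed timers: refresh 1h, retry 15m, expire 1d; link to the master dies at t=5000s.
    timers = SoaTimers(refresh=3600, retry=900, expire=86400)
    ev = simulate_secondary(timers, lambda t: t < 5000, horizon=100_000)
    print("first failure at", next(t for t, e in ev if e == "refresh-failed"))  # 7200
    print("zone expired at", expired_at(ev))                                   # 90000
    # Same timers, link back at t=20000 and a NOTIFY at t=25000: the zone never expires.
    ev = simulate_secondary(timers, lambda t: not 5000 <= t < 20000, horizon=40_000, notifies=(25000,))
    print("expired:", expired_at(ev), "checks:", sum(e == "refresh-ok" for _, e in ev))  # None 8
```

The first scenario is the one the question asks about: the zone keeps being served from the stale copy for EXPIRE seconds after the last good check (here until 90000, not 86400, because the last success was at 3600), and only then disappears. That is why EXPIRE is normally set to days, and RETRY well below REFRESH.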





Re: What can cause excessive amount of _dns-sd queries?

2012-08-23 Thread WBrown
Elvind wrote on 08/23/2012 09:18:06 AM:

 Yeah, now I'm just wondering which OS / application / malware / whatever
 could be responsible for this :)

Someone trying to use ZeroConf:  http://zeroconf.org  I believe Macs come 
configured to use it by default, Linux and Windows can be configured to 
use it.
 
 (no, the client isn't directly under my control, it belongs to some 
customer)

Good luck with that!





Re: 2 dns records for same server

2012-08-20 Thread WBrown
Dwayne wrote on 08/19/2012 07:37:39 PM:
 My hosts get the ip's of all 3 dns 
 servers when they receive dhcp information. 

I think this is the issue.  The internal clients should only point to the 
internal DNS server.  They should never be querying the DNS that returns 
the public IP addresses EVER! 






RE: 2 dns records for same server

2012-08-20 Thread WBrown
Lightner, Jeff jlight...@water.com wrote on 08/20/2012 08:56:56 AM:

 That is to say don't put the external servers in /etc/resolv.conf on
 your clients - only put the internal one there.  (Or the Windows 
 equivalent setup should only see your internal DNS server.)

Or push via DHCP as in this case.
 
 I would correct the prior post not to say EVER but rather not 
 directly.   Often in an internal/external configuration only the 
 external server queries the internet and the internal one forwards
 requests it gets to the external one.   It doesn't matter if the 
 external server the internal DNS server is pointing to also has 
 records for the domains because the internal server would already 
 have answered for the domains it is authoritative for before trying 
 to forward.   We have internal/external setup here for one domain 
 and have no problems doing this.   (Oddly enough we also have views 
 but that's another story...)

We're using different semantics here.  I meant that the workstation should 
only send queries to the internal server and get answers from same.  Where 
that data comes from, is not important, at least from the perspective of 
the workstation as long as it is correct. 

Put another way, packets are only exchanged between workstation and the 
internal name server. 

Also, this is only for normal operations.  Use of host/dig/nslookup 
directed at any specific DNS servers not included.





Re: SRV query with no domain?

2012-08-15 Thread WBrown
kevin wrote on 08/15/2012 12:52:18 PM:

 I don't believe SRV lookups use the search directive in /etc/
 resolv.conf; I think that's only for A (name-to-address) lookups. 
 But I could be wrong on that...

Using host I was able to do a search for _sip._tcp for the search domain 
on my system (domain changed to example.org):

wbrown@wbrown-D630:~$ host -t srv _sip._tcp
_sip._tcp.example.org has SRV record 0 0 5060 tandberg-vcse.example.org.
wbrown@wbrown-D630:~$ host -t srv _sip._tcp.example.org
_sip._tcp.example.org has SRV record 0 0 5060 tandberg-vcse.example.org.

Dig fails on same query without domain, succeeds if it is included:

wbrown@wbrown-D630:~$ dig +short  _sip._tcp srv
wbrown@wbrown-D630:~$ dig +short  _sip._tcp.example.org srv
0 0 5060 tandberg-vcse.example.org.
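The difference seen above is the search list: host expands an unqualified name through the search domains in resolv.conf, while dig only does that when given +search. The following code is an added illustration, not part of the post, and implements the glibc search-list rules (trailing dot means absolute; a name with at least ndots dots is tried as given first, then with each suffix; fewer dots means suffixes first). The zone contents are constructed and example.org stands in for the real search domain, as in the post.

```python
"""Why `host -t srv _sip._tcp` found the record while `dig _sip._tcp srv`
did not: `host` expands unqualified names through the resolv.conf search
list, `dig` only does so with +search. Added illustration, not from the
post; zone contents are constructed, example.org stands in for the real
search domain."""


def search_candidates(name, search, ndots=1):
    """Fully qualified names a stub resolver tries, in order.

    A trailing dot makes the name absolute and skips the search list.
    Otherwise a name with at least `ndots` dots is tried as given first and
    then with each search suffix; a name with fewer dots tries the suffixes
    first and the bare name last."""
    if name.endswith("."):
        return [name]
    bare = name + "."
    suffixed = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [bare] + suffixed
    return suffixed + [bare]


# Constructed zone data: SRV owner name -> (priority, weight, port, target)
ZONE = {"_sip._tcp.example.org.": (0, 0, 5060, "tandberg-vcse.example.org.")}


def lookup_srv(name, search, ndots=1, apply_search=True):
    """Resolve an SRV name the way `host` does (apply_search=True) or the
    way `dig` without +search does (apply_search=False).
    Returns (owner, rdata) or None when nothing matched."""
    if apply_search:
        names = search_candidates(name, search, ndots)
    else:
        names = [name if name.endswith(".") else name + "."]
    for n in names:
        if n in ZONE:
            return n, ZONE[n]
    return None


if __name__ == "__main__":
    search = ["example.org"]
    print("order tried:", search_candidates("_sip._tcp", search))
    print("host-style: ", lookup_srv("_sip._tcp", search))
    print("dig-style:  ", lookup_srv("_sip._tcp", search, apply_search=False))
```

Note that `_sip._tcp` already contains one dot, so with the default ndots:1 the resolver first asks for `_sip._tcp.` at the root (an NXDOMAIN that leaves the resolver's cache and logs) before trying the search domain; applications doing SRV discovery should use the fully qualified name.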





Re: Can't receive emails from another machine

2012-07-31 Thread WBrown
Stayvoid wrote on 07/30/2012 08:22:30 PM:

 I'm using Postfix.
 I can send / receive emails from / to localhost via telnet. [1]
 But I can't receive emails from another machine.
 
 I guess that there are three variants:
 1. Postfix doesn't work properly;
 2. Bind doesn't work properly;
 3. IPTables doesn't work properly.
 
 I can't be 100% sure but I think that it's not connected with Postfix.
 So I have to check Bind or / and IPTables.
 
 I hope that you'll help me to check my Bind settings.
 What should I paste?

As Jeff Lightner said, this really isn't the right forum, but you need to 
check what the sending server is failing on.  Check the logs there.  Is it 
unable to resolve the domain for the message?  Is it unable to connect? 

Find the disease before asking for a cure.





Re: Journal File Question

2012-07-25 Thread WBrown
Chris wrote on 07/25/2012 09:04:49 AM:

 Is it possible to restore a zone file from its associated journal file?

No.  The journal file only records updates to the zone.  At best you would 
only recover the changes since last commit to the zone file.
 
 The docs seem to indicate that a restart of bind will sync the two
 files, but in practice I get such as this:

It doesn't sync the files to make two equal copies. It applies all of the 
outstanding transactions in the journal file to the zone file and then 
empties the journal.
 
 zone foo.bar/IN: journal rollforward failed: journal out of sync with 
zone

Yep, the journal is out of sync because the zone file is non-existent.
 
 The problem here is that a large portion of the zone file was
 accidentally deleted.

Oops.  That's what backups are for.  Slaves are not backups.  However, you 
might be able to extract some meaningful data from the slave's zone file. 
It won't be pretty though.
 







Re: Journal File Question

2012-07-25 Thread WBrown
Chris Buxton chris.p.bux...@gmail.com wrote on 07/25/2012 12:07:22 PM:

  It doesn't sync the files to make two equal copies. It applies all of 
  the outstanding transactions in the journal file to the zone file and then 
  empties the journal.
 
 I don't believe that is entirely correct. The journal file needs to 
 be retained to support ixfrs. My understanding is that it will be 
 automatically trimmed to max-journal-size, if that option is set.

Do you know how it determines what is kept?







Re: Basic scope question

2012-07-10 Thread WBrown
Gary wrote on 07/10/2012 11:27:24 AM:

 If I have domain-name-servers configured globally and a different 
 set configured on a subnet DHCP pool, which takes precedence for the
 client?  My understanding is the more specific, or the subnet DHCP 
 pool, but could someone please confirm?   Thanks.

The client will only query the DNS servers they are told about, either 
statically (/etc/resolv.conf) or by your DHCP server.






Re: bind dies with assertion failure

2012-07-03 Thread WBrown
Oscar Ricardo Silva wrote on 07/02/2012 06:40:51 PM:

 The reason I'm running is that we're currently running the stock version 
 of BIND available with RHEL6.  It's their policy to backport patches and 
 if there's a patch available then they may apply it faster rather than 
 deploying a new version.

At an ISC Intro to DNS and BIND class, the instructor pointed out that if 
you rely on the distro provided version of BIND, you are at the mercy of 
the package maintainers to upgrade/patch versions of BIND.  With Ubuntu 
LTS (not sure about other distros), you are stuck at the same version of 
bind until you upgrade your distro.  For Ubuntu 8.04LTS which is still 
supported, BIND is stuck at 9.4, which is no longer supported by ISC. 

I am building/redesigning our DNS infrastructure and I am building BIND 
from tarball.  It's really quite easy.  Plus, I can run the latest and 
greatest version to get the best DNSSEC features.





Re: RPM [was: Re: bind dies with assertion failure]

2012-07-03 Thread WBrown
Jan-Piet wrote on 07/03/2012 10:41:20 AM:

 Building BIND is easy; turning it into an installable RPM not so.
 I highly recommend fpm [1] which makes building an RPM trivial. :)

Any advice or tricks for making a DEB for Ubuntu?

So far my plan was to copy the source directory to each server and just 
run make install on each.  I'm only looking at 8 to 10 servers.





Re: Moving DNS out of non-cooperative provider

2012-06-18 Thread WBrown
Did you update your whois information to point to the name servers at 
NEWprovider.net?

After this change is made and any cached data expires, the world will 
query them (NEWProvider), with the exception of anyone that uses name 
servers at OLDprovider.net who still thinks they are authoritative for 
your domain. 

Alexander wrote on 06/18/2012 11:49:36 AM:

 Can someone enlighten me on the following scenario
 (I guess it's explained somewhere, but can't find the info.):
 
 example.com was served by ns.OLDprovider.net
 example.com owner wants to move his domain to ns.NEWprovider.net
 oldprovider.net is not cooperating, and continues to serve
 example.com 172800 NS ns.OLDprovider.net
 (*.gtld-servers.net and ns.newprovider.com now serve
 example.com 172800 NS ns.NEWprovider.net)
 
 Recursive resolver ns.isp.com queried for www.example.com every few 
minutes,
 and currently have 
 example.com 45892 NS ns.OLDprovider.net
 in its cache. www.example.com has a TTL of 3600.
 Thus each hour ns.isp.com queries ns.OLDprovider.net,
 with each query gets new NS record, and... refreshes the NS TTL ?
 
 Will ns.isp.com EVER query ns.NEWprovider.net ?
 
 I'd be happy to know how BIND behaves, but also
 how other servers may behave in this case.
 






Re: limiting number of requests of a single hosts

2012-06-15 Thread WBrown
bind-users-bounces+wbrown=e1b@lists.isc.org wrote on 06/15/2012 
04:25:16 AM:

 We have a problem with one of our firewalls caused by DNS peaks. 
 Once or twice a day a DNS burst (20K requests/15sec) kills all 
 connections on the firewall.
 The firewall is due for replacement but in the mean time we would 
 like to stop these peaks at their origin or at least try to limit 
 their impact.
 
 We have 6 dns servers (bind) on our campus, that are all 
 authoritative for our domains and also resolver for our campus hosts.
 Most of our clients however use our AD/LDAP/DNS Microsoft servers as
 their resolver, which on their turn contact our 6 dns servers for 
 further resolving.
 
 What we figured out by packet capturing, is that at a certain point 
 in time these AD/LDAP/DNS servers start "collecting" dns requests 
 without sending them further and then in a burst pass them on to our 
 6 dns servers which try to resolve these queries. Due to the fact 
 that one request of a client mostly results in several queries of 
 our dns servers to the outside world (root server contact, NS record
 resolving,..) , this results in a burst of dns requests through our 
 firewalls, killing them.
 
 I have 2 questions, one, is there a way  to rate-limit the amount of
 request a single client (the AD servers in this case) can have 
 standing out against a bind server ? Kind of rate-limiting parameter
 for bind name server.
 Two, has anyone already seen this type of behavior on a Microsoft 
 AD/LDAP/DNS server and has a clue what could cause this stalling ? 
 Solving that would be the best solution.


Any chance of using network devices (firewalls, intelligent switches) to 
rate limit connections from the AD/DNS server to the bind server?

Is the odd behavior of the AD/DNS server causing issues with the clients 
making the original request?  Have you tried tracking down the original 
source of the query?  Could that be the ultimate source of the traffic 
burst? 

It seems unlikely that MSDNS would intentionally hold DNS requests.  Have 
you tried troubleshooting that?
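Both this thread and the earlier one about excessive _dns-sd queries ("What can cause excessive amount of _dns-sd queries?") come down to the same first step: find out from the query log which client is sending the traffic, and whether it arrives spread out or in bursts. The script below is an added illustration, not from either thread or from BIND. It parses lines in the shape BIND's query log uses ("client IP#port: query: NAME IN TYPE ..."), tolerating the newer variant that adds a "@0x..." pointer and the name in parentheses; the log lines in sample_log() are constructed, including a 30-query burst from one address, so it runs offline.

```python
"""Pick out noisy clients in a BIND query log: who is sending the _dns-sd
queries, and which client produces bursts of queries. Added illustration,
not from the thread; the log lines in sample_log() are constructed in the
'client IP#port: query: NAME IN TYPE' shape (plus one newer-style line)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: info: )?"
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (timestamp, client_ip, qname, qtype); non-query lines are skipped."""
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["qname"], m["qtype"]


def top_clients(records, needle):
    """Clients whose query names contain `needle`, most frequent first."""
    counts = Counter(ip for _, ip, qname, _ in records if needle in qname)
    return counts.most_common()


def burst_clients(records, window_s, threshold):
    """Clients that sent more than `threshold` queries inside any window of
    `window_s` seconds, mapped to their peak count (sliding window over each
    client's sorted timestamps)."""
    per_client = defaultdict(list)
    for ts, ip, _, _ in records:
        per_client[ip].append(ts)
    window = timedelta(seconds=window_s)
    peaks = {}
    for ip, stamps in per_client.items():
        stamps.sort()
        i = peak = 0
        for j, ts in enumerate(stamps):
            while ts - stamps[i] > window:
                i += 1
            peak = max(peak, j - i + 1)
        if peak > threshold:
            peaks[ip] = peak
    return peaks


def _stamp(t):
    """BIND-style timestamp with millisecond precision."""
    return t.strftime("%d-%b-%Y %H:%M:%S.") + f"{t.microsecond // 1000:03d}"


def sample_log():
    """Constructed log: DNS-SD browsing (b/lb/db._dns-sd._udp) from one host,
    one newer-format line, a non-query line, and a 30-query burst in 3 seconds."""
    base = datetime(2012, 8, 23, 10, 0, 0)
    lines = [
        f"{_stamp(base + timedelta(seconds=1))} client 192.0.2.10#50001: query: b._dns-sd._udp.example.net IN PTR + (198.51.100.1)",
        f"{_stamp(base + timedelta(seconds=31))} client 192.0.2.10#50002: query: lb._dns-sd._udp.example.net IN PTR + (198.51.100.1)",
        f"{_stamp(base + timedelta(seconds=61))} client 192.0.2.10#50003: query: db._dns-sd._udp.example.net IN PTR + (198.51.100.1)",
        f"{_stamp(base + timedelta(seconds=5))} client @0x7f2a1c0 192.0.2.11#50004 (b._dns-sd._udp.example.net): query: b._dns-sd._udp.example.net IN PTR +E(0)K (198.51.100.1)",
        f"{_stamp(base + timedelta(seconds=7))} client 192.0.2.11#50005: query: www.example.net IN A + (198.51.100.1)",
        "23-Aug-2012 10:00:09.000 zone example.net/IN: loaded serial 2012082301",
    ]
    lines += [
        f"{_stamp(base + timedelta(milliseconds=100 * k))} client 192.0.2.50#{40000 + k}: query: host{k}.example.org IN A + (198.51.100.1)"
        for k in range(30)
    ]
    return lines


if __name__ == "__main__":
    records = list(parse_query_log(sample_log()))
    print("DNS-SD sources:", top_clients(records, "_dns-sd._udp."))
    print("bursty clients:", burst_clients(records, window_s=15, threshold=20))
```

Run against a real query log (BIND needs "querylog yes;" or "rndc querylog" for it to exist) the burst report names the address to rate-limit at the firewall or switch, and the name filter answers the earlier thread's "which host is doing this" question before anyone guesses at the OS or application behind it.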







Re: random-device purpose in DNSSEC

2012-05-11 Thread WBrown
Warren wrote on 05/10/2012 04:14:01 PM:

 Multiple options:
 1: install haveged (http://www.irisa.fr/caps/projects/hipsor/) -- 
 this will provide you with much randomness [0].
 2: buy a USB entropy widget (for example: http://www.entropykey.co.uk/)
 3: See if there is a driver for your TPM -- many boxes have them, 
 and many provide good randomness.
 4: NOT RECOMMENDED: use /dev/urandom (only for testing)

You forgot an option:

5:  Patience, Grasshopper.  /dev/random will eventually fill and the 
crypto function will get enough data to complete.





Re: DNSSEC

2012-05-11 Thread WBrown
Jan-Piet wrote on 05/11/2012 02:17:53 AM:

 Indeed, which brings on the question why BIND (still) doesn't have the
 a negative trust anchor feature.

So how do we implement one?  Create a separate caching server with DNSSEC 
validation turned off and forward all queries for the broken domain to it?






Re: Secondary Master

2012-05-11 Thread WBrown
John  wrote on 05/11/2012 11:05:58 AM:

 I found this article about setting up a secondary master.
 This may be useful as we are bringing up a disaster recovery site.
 The author explains that the zone type should be "slave" so it can 
 receive db updates from the normal master.
 Seems like that makes it a slave instead of a master for that zone?
 We are also looking at the app rsync for db transfers so we will 
 have mirrored masters, IP traffic separated by routers.
 Thanks
 
 https://help.ubuntu.com/8.04/serverguide/dns-configuration.html

What they describe is a typical slave server.  I wonder if they are 
misusing the term master for authoritative.

They are correct that more than one server is needed in order to maintain 
the availability of the domain should the Primary become unavailable. 
It's a good idea to make sure that your DNS servers are physically 
separated so a network failure does not block access to all of them. 

I would just let zone transfers take care of keeping things in sync 
instead of using rsync and a bunch of custom procedures to do it. 





Re: Hi;

2012-05-10 Thread WBrown
William Thierry wrote on 05/10/2012 08:02:57 AM:

 I'm trying to get the TTL of a zone just by typing a command, but I 
 can't see which command line I can use to get it.
 
 Does someone have an idea? Is it possible to find that?
 
 PS: The zone file is not created by me. For example, I did a dig +dnssec 
 www.google.fr and I want to know what the TTL of www.google.com is, 
 not the period of the query.

Ask an authoritative server:

cowman@ns-homer:~$ dig @ns1.google.com www.google.com

; <<>> DiG 9.9.0 <<>> @ns1.google.com www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32683
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com. 604800  IN  CNAME   www.l.google.com.
www.l.google.com.   300 IN  A   173.194.73.103
www.l.google.com.   300 IN  A   173.194.73.147
www.l.google.com.   300 IN  A   173.194.73.105
www.l.google.com.   300 IN  A   173.194.73.106
www.l.google.com.   300 IN  A   173.194.73.99
www.l.google.com.   300 IN  A   173.194.73.104

;; Query time: 35 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Thu May 10 08:12:13 2012
;; MSG SIZE  rcvd: 148





Re: DNSSEC

2012-05-10 Thread WBrown
Warren wrote on 05/10/2012 11:50:30 AM:

 Nope -- Comcast does a large amount of checking before turning off 
 validation for a failing domain. 
 This is (IMO) more secure than the alternative, which is to simply 
 leave it failing, and have users move to a non-validating resolver 
instead?

Does Comcast have a process to re-enable validation once the issue is 
resolved?





Question about KSK

2012-04-27 Thread WBrown
We are authoritative for a few dozen small zones.  Is it possible to use 
the same KSK for all of them?  I can see where if it gets compromised we 
would need to resign all zones using the KSK at once.  How much effort 
would I be saving sharing the KSK?

I'm sure there are plenty of other good reasons not to do this... 
Enlighten me!


-- 

William Brown
Messaging and Core Hosted Application Technical Teams
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285






Re: Question about KSK

2012-04-27 Thread WBrown
Jan-Piet wrote on 04/27/2012 10:22:39 AM:

  When the shared KSK needed to be rolled over, you would have to
  process DS records in the parents of your few dozen zones all at the
  same time.
 
 *If* you want to roll the KSK, a.k.a. when did you last roll your SSH
 keys? :-)

Correct.  I was mistakenly thinking the KSK also had an expiration as 
the ZSK does.







Re: generate a set of request DNSsec

2012-04-18 Thread WBrown
William wrote on 04/18/2012 05:45:21 AM:

 I'm faced with a big problem, How can i generate a log file for my test?
 it's a big problem for me, i'm working on Bind 9.8.1-P1
 and i'm using dnsperf to inject requests on my servers.
 
 Do you have an idea? Thank you for your help.

What do you want to log?  The ARM covers the topic of logging pretty well, 
as does the grasshopper book.

Bind's logging is nice in that you can log different information to 
different locations.





Re: How to reset the serial number?

2012-03-27 Thread WBrown
-- 

William Brown
Messaging and Core Hosted Application Technical Teams
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285


Chuck Swiger wrote on 03/26/2012 02:35:24 PM:

 Shut down the slave server(s).
 Use scp or rsync to copy over the zone file, one with a corrected serial #.
 Restart the slave server(s).

If I have access to the slave, I just delete the slave zone and issue rndc 
reload.  It will transfer the missing zone.

Several advantages:
 
No need to shut down slave.
Less typing/less chance to mis-type something.






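To see why slaves stay put after a serial is edited backwards, and how to move them forward without logging in to each one, here is an added example (Python, not code from the thread or from BIND). It implements the RFC 1982 serial comparison a slave performs against the master's SOA and the two-step walk through the 2^32 serial space that lets every slave reach a smaller serial. The serial values are constructed for the example.

```python
"""RFC 1982 serial-number arithmetic, applied to 'resetting' an SOA serial.

Added example, not code from the mailing-list thread. It models the check a
slave performs on the master's SOA serial, shows why a serial edited backwards
is silently ignored, and computes the serials to publish so that slaves walk
forward to the wanted value. The serial values are constructed.
"""
from __future__ import annotations

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # serials live in [0, 2^32)
HALF = 1 << (SERIAL_BITS - 1)   # 2^31: the largest safe forward step is HALF - 1


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 section 3.2: is serial a 'greater than' (newer than) serial b?

    The comparison is circular: a is newer than b only if a lies fewer than
    2^31 steps ahead of b, wrapping at 2^32. Equal serials, and serials
    exactly 2^31 apart, are never 'greater'.
    """
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def slave_will_transfer(master_serial: int, slave_serial: int) -> bool:
    """A slave only pulls the zone when the master's serial is newer."""
    return serial_gt(master_serial, slave_serial)


def reset_serial_plan(current: int, target: int) -> list[int]:
    """Serials to publish, in order, so that slaves end up at `target`.

    If `target` is already newer, publish it directly. Otherwise step forward
    by the largest increment RFC 1982 allows (2^31 - 1), letting the slaves
    transfer after each step, until `target` is newer than what the slaves
    hold; then publish `target`. At most two intermediate serials are needed.
    """
    plan: list[int] = []
    cur = current % MOD
    while not serial_gt(target, cur):
        cur = (cur + HALF - 1) % MOD
        plan.append(cur)
    plan.append(target % MOD)
    assert len(plan) <= 3, "RFC 1982 walk should never need more than two hops"
    return plan


def run_plan(slave_serial: int, plan: list[int]) -> int:
    """Simulate a slave that refreshes after each serial in `plan`; return its final serial."""
    for published in plan:
        if slave_will_transfer(published, slave_serial):
            slave_serial = published
    return slave_serial


if __name__ == "__main__":
    # Constructed scenario: a date-based serial that should become 1.
    master, wanted = 2012032701, 1
    print("slave accepts a direct reset?", slave_will_transfer(wanted, master))
    plan = reset_serial_plan(master, wanted)
    print("publish in this order, waiting for a REFRESH between each:", plan)
    print("slave ends at:", run_plan(master, plan))
```

Publish each serial in the plan and wait for the slaves' REFRESH (or send a NOTIFY) before moving to the next; a slave that misses an intermediate step sees the final serial as older and stays stale, which is exactly the case where deleting its zone file and reloading is the fix.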


Re: external view recursion issue

2012-03-16 Thread WBrown
Who will be using this in-house DNS server?  Your local users?  If yes, 
then you will need to enable recursion so they can look up outside 
resources (google.com, etc.)

If this server will strictly be an authoritative server for your domain, 
then it won't need recursion but queries that return a CNAME will cause 
the recursive server to look up anything in otherdomain.com, CNAME or A.

Samantha  wrote on 03/16/2012 10:13:30 AM:

 I am getting prepped to migrate dns from one service to in-house 
 servers. While going through the zone file to ensure I got 
 everything, I found that we have CNAME in our domain pointing to a 
 CNAME in another domain that is pointing to the A record in the other 
domain: 
 
 host record.ourdomain.com
 record.ourdomain.com is an alias for record.client.otherdomain.com.
 record.client.otherdomain.com is an alias for otherhost.otherdomain.com.
 otherhost.otherdomain.com has address x.x.x.x
 
 To duplicate this exactly on our servers, it appears that I have to 
 enable recursion but the provider said that they are not doing that.
 I get the feeling that I am not going to get the information from 
 them on how they are accomplishing this without recursion. 
 
 Right now I have replaced the CNAME with an A record pointing to the
 IP directly and am getting the proper results, but feel that this 
 leaves me having to watch for changes that the otherdomain.com 
 administrator might make. 
 
 Am I missing something else that I can do to replicate? A separate 
 external view? 






Re: external view recursion issue

2012-03-16 Thread WBrown
Put record.ourdomain.com as a CNAME in both your internal and external 
views.

Internal user will query internal view and get CNAME record to 
record.client.otherdomain.com.  Your recursive name server will look up 
record.client.otherdomain.com and get the CNAME record to 
otherhost.otherdomain.com.  It will look up that name and get the A 
record.  Address is returned to the DNS client.

External user queries your authoritative server for record.ourdomain.com 
and gets the CNAME to record.client.otherdomain.com.  Their recursive name 
server will look up record.client.otherdomain.com and get the CNAME record 
to otherhost.otherdomain.com.  It will look up that name and get the A 
record.  Address is returned to the external DNS client.

-- 

William Brown
Messaging and Core Hosted Application Technical Teams
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285


Samantha Steers sam.fait...@gmail.com wrote on 03/16/2012 03:09:52 PM:

 From: Samantha Steers sam.fait...@gmail.com
 To: wbr...@e1b.org, 
 Date: 03/16/2012 03:09 PM
 Subject: Re: external view recursion issue
 
 Thank you for getting back to me. 
 
 We have a set up with internal and external views. The internal 
 is handling all the internal/recursive queries and the external is 
 supposed to be authoritative without recursion. I am trying to 
 reverse engineer the existing setup so I can match it. I guess the 
 long and short of it is, if there are CNAMES looking for otherdomain.com
 then recursion has to = yes on the existing server, correct?
 
 The existing server is giving the result mentioned previously 
 (below) while the new server is giving REFUSED. 
 
   host record.ourdomain.com
   record.ourdomain.com is an alias for 
 record.client.otherdomain.com.
   record.client.otherdomain.com is an alias for 
 otherhost.otherdomain.com.
   otherhost.otherdomain.com has address x.x.x.x
 
 My thought is that it is either one way or the other, recursive or 
 not, and that the record are going to have to be changed when they 
 are migrated to the new servers to be A records pointing to the IP 
 of the related, existing CNAMES. 
 
 On Fri, Mar 16, 2012 at 1:47 PM, wbr...@e1b.org wrote:
 Who will be using this in-house DNS server?  Your local users?  If yes,
 then you will need to enable recursion so they can look up outside
 resources (google.com, etc.)
 
 If this server will strictly be an authoritative server for your domain,
 then it won't need recursion but queries that return a CNAME will cause
 the recursive server to look up anything in otherdomain.com, CNAME or A.
 
 Samantha  wrote on 03/16/2012 10:13:30 AM:
 
  I am getting prepped to migrate dns from one service to in-house
  servers. While going through the zone file to ensure I got
  everything, I found that we have CNAME in our domain pointing to a
  CNAME in another domain that is pointing to the A record in the other
 domain:
 
  host record.ourdomain.com
  record.ourdomain.com is an alias for record.client.otherdomain.com.
  record.client.otherdomain.com is an alias for otherhost.otherdomain.com.
  otherhost.otherdomain.com has address x.x.x.x
 
  To duplicate this exactly on our servers, it appears that I have to
  enable recursion but the provider said that they are not doing that.
  I get the feeling that I am not going to get the information from
  them on how they are accomplishing this without recursion.
 
  Right now I have replaced the CNAME with an A record pointing to the
  IP directly and am getting the proper results, but feel that this
  leaves me having to watch for changes that the otherdomain.com
  administrator might make.
 
  Am I missing something else that I can do to replicate? A separate
  external view?
 




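As an added example (Python, not code from the thread or from BIND), the following models the two behaviours described above: an authoritative-only server that follows a CNAME only while the target stays inside its own zone and otherwise hands the CNAME back, and the client's recursive resolver that chases the whole chain, with a hop limit so a CNAME loop cannot spin forever. The zone data uses the names from the thread; 192.0.2.10 stands in for x.x.x.x and is a constructed documentation address.

```python
"""CNAME chasing: authoritative (recursion off) versus recursive behaviour.

Added example, not code from the thread. The 'servers' are in-memory zone
tables; names follow the thread and 192.0.2.10 is a constructed address.
"""

# Constructed authoritative data: zone name -> {owner name: (type, rdata)}
ZONES = {
    "ourdomain.com.": {
        "record.ourdomain.com.": ("CNAME", "record.client.otherdomain.com."),
    },
    "otherdomain.com.": {
        "record.client.otherdomain.com.": ("CNAME", "otherhost.otherdomain.com."),
        "otherhost.otherdomain.com.": ("A", "192.0.2.10"),
    },
}

MAX_CNAME_HOPS = 8  # resolvers cap CNAME chains so a loop ends in SERVFAIL


def zone_for(name: str):
    """Closest enclosing zone we are authoritative for, or None."""
    best = None
    for zone in ZONES:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def authoritative_query(name: str, qtype: str):
    """Answer as an authoritative-only server.

    Returns (rcode, [(owner, type, rdata), ...]). In-zone CNAMEs are followed;
    the first out-of-zone target ends the answer with the CNAME, because with
    recursion off the server looks nothing up elsewhere. A name outside every
    zone it serves is REFUSED, which is what the new server in the thread did.
    """
    zone = zone_for(name)
    if zone is None:
        return ("REFUSED", [])
    answer = []
    for _ in range(MAX_CNAME_HOPS):
        rr = ZONES[zone].get(name)
        if rr is None:
            return ("NXDOMAIN", answer)
        rtype, rdata = rr
        answer.append((name, rtype, rdata))
        if rtype != "CNAME" or qtype == "CNAME":
            return ("NOERROR", answer)
        name = rdata
        if zone_for(name) != zone:
            return ("NOERROR", answer)  # out-of-zone: the client's resolver chases it
    return ("SERVFAIL", answer)  # in-zone CNAME loop


def recursive_resolve(name: str, qtype: str = "A"):
    """What the user's recursive resolver does: ask the authority for each name in the chain."""
    chain = []
    for _ in range(MAX_CNAME_HOPS):
        rcode, answer = authoritative_query(name, qtype)
        if rcode != "NOERROR" or not answer:
            return (rcode, chain)
        chain.extend(answer)
        _owner, last_type, last_rdata = answer[-1]
        if last_type == qtype:
            return ("NOERROR", chain)
        name = last_rdata  # follow the CNAME into the next zone
    return ("SERVFAIL", chain)  # chain too long, most likely a CNAME loop


if __name__ == "__main__":
    print("authoritative only:", authoritative_query("record.ourdomain.com.", "A"))
    print("recursive client:  ", recursive_resolve("record.ourdomain.com."))
```

The authoritative answer stops at the first CNAME that leaves ourdomain.com; the three-record chain only appears on the recursive side, which is why `host` run against a recursive server shows the full chain while the same query to the external view shows one CNAME or, for names it does not serve, REFUSED.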


Re: dig -t txt output variation

2012-03-09 Thread WBrown
sun-guru wrote on 03/09/2012 01:45:33 PM:


 Is this a BIND bug? 

Check ARM for RRSet Ordering.  





Re: dig -t txt output variation

2012-03-09 Thread WBrown
Alan wrote on 03/09/2012 02:38:25 PM:

 Don't base anything on RRset ordering.
 
 Be sure that the application is able to handle the random order -- you
 never know who owns the intermediate caching servers, so you will never
 know the order even if you fix it on the authoritative.

That prompted me to look at the original post...  The owner of the domain 
needs to reconcile the two records (including included records) and verify 
all allowed servers are listed.  It's more of an email/spam filtering 
issue than a BIND problem.



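Added example (Python, not code from the thread): how a consumer of the TXT RRset should treat it given that record order is never guaranteed, together with the check that matters for the original problem, more than one v=spf1 record at one name, which RFC 7208 section 4.5 makes a permanent error for receivers. The answer lines are constructed in dig's output format with documentation names and addresses.

```python
"""Order-independent handling of a TXT RRset, with an SPF sanity check.

Added example; not code from the thread. The records of an RRset may come
back in any order (rrset-order on the authoritative server, plus whatever
every cache in between does), so code must canonicalise the set instead of
trusting 'the first TXT record'. The dig-style answer lines are constructed.
"""
import re

# One or more quoted <character-string>s per TXT record, as dig prints them.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _unescape(s: str) -> str:
    """Undo dig's presentation escapes: \\DDD decimal bytes and backslashed characters."""
    return re.sub(r'\\(\d{3}|.)',
                  lambda m: chr(int(m.group(1))) if m.group(1).isdigit() else m.group(1), s)


def txt_rdata(answer_line: str) -> str:
    """Join the quoted strings of one dig TXT answer line into the record's text."""
    parts = _QUOTED.findall(answer_line)
    if not parts:
        raise ValueError(f"not a TXT answer line: {answer_line!r}")
    return "".join(_unescape(p) for p in parts)


def canonical_rrset(answer_lines) -> tuple:
    """The RRset as a sorted tuple: identical for any ordering of the same records."""
    return tuple(sorted(txt_rdata(line) for line in answer_lines))


def spf_records(rrset) -> list:
    """RFC 7208 4.5: an SPF record is a TXT record that is exactly 'v=spf1' or starts
    with 'v=spf1 ' (the version tag is matched case-insensitively)."""
    return [r for r in rrset if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def check_spf(rrset) -> tuple:
    """('none' | 'ok' | 'permerror', records). Two or more SPF records is a permerror."""
    found = spf_records(rrset)
    if not found:
        return ("none", [])
    if len(found) > 1:
        return ("permerror", found)
    return ("ok", found)


def reconcile(spf_list) -> dict:
    """Union of the terms across several SPF records (term -> how many records carry it),
    with the 'all' terms listed separately since only one may survive a merge."""
    terms: dict = {}
    alls = []
    for rec in spf_list:
        for term in rec.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                alls.append(term)
            else:
                terms[term] = terms.get(term, 0) + 1
    return {"terms": terms, "all": alls}


# Constructed dig output for one name, in two different orders.
ANSWER_A = [
    'example.test. 300 IN TXT "v=spf1 include:_spf.mailhost.test ip4:192.0.2.10 -all"',
    'example.test. 300 IN TXT "v=spf1 ip4:198.51.100.0/24 ~all"',
    'example.test. 300 IN TXT "google-site-verification=" "0123456789abcdef"',
]
ANSWER_B = [ANSWER_A[2], ANSWER_A[0], ANSWER_A[1]]

if __name__ == "__main__":
    rrset = canonical_rrset(ANSWER_A)
    print("same RRset regardless of order:", rrset == canonical_rrset(ANSWER_B))
    status, recs = check_spf(rrset)
    print("SPF status:", status)
    if status == "permerror":
        print("terms to merge into one record:", reconcile(recs))
```

The fingerprint is what to compare between two dig runs; if it matches, the only thing that changed is the order, and the fix belongs in the application or, as here, in the zone data.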


RE: Configuring a domain slave to look up subdomain hosts

2012-02-28 Thread WBrown
Why not set up the zone with its own forward statement like this:

zone "subdomain.example.com" {
    type forward;
    forwarders { 10.172.2.50; 10.172.2.51; };
    forward only;
};


-- 

bind-users-bounces+wbrown=e1b@lists.isc.org wrote on 02/28/2012 
01:04:46 PM:

 I am simply trying to get the domain slave to make queries for hosts
 in the subdomain which is hosted on other servers, instead of 
 forwarding the queries to the domain master. I thought a stub zone 
 would facilitate this by giving my server the lookup information it 
 needed to do this. Apparently this is not the case. Even though it 
 receives a db file with the NS and SOA information for the 
 subdomain, it is ignoring it. Forwarding works. Being a slave for 
 the subdomain works. Stub zone doesn't work.
 
 If it's supposed to "ignore" the stub zone in my configuration, what
 is the value of a stub zone?






RE: Configuring a domain slave to look up subdomain hosts

2012-02-28 Thread WBrown
Perhaps this article from the ISC knowledge base will help:
https://kb.isc.org/article/AA-00302/47/I-want-to-forward-all-DNS-queries-from-my-caching-nameserver-to-another-server-but-configure-exceptions-for-some-domains-how.html







Adding DS record to parent

2012-02-24 Thread WBrown
Does anyone know how to register a DS record for domains registered 
through Network Solutions?  I submitted a query through their website and 
got this response below.  I find the copyright on the canned response an 
amusing touch.

I called the number shown, and fought my way through a tangle of prompts to 
talk to a human in their DNS group.  I could tell DNSSEC was a foreign 
concept to her and asked to speak with someone familiar with DNSSEC.  She 
assured me she could help.  Turns out she was wrong.

http://www.google.com/#q=site%3Anetworksolutions.com ds record returns 
no meaningful hits.  Going to GoDaddy's website, I was able to find the 
directions in a couple minutes.


Network Solutions customerserv...@networksolutions.com wrote on 
02/23/2012 01:00:48 PM:

 Dear William Brown,
 
 I apologize for the inconvenience this has caused you.
 
 In order to update your managed name servers, please refer to the 
 link below for instructions:
 
 http://www.networksolutions.com/support/create-a-new-name-server/
 
 If you have any other questions about this issue, please contact our
 Support Center and refer to Service Request # 1-578747785. A 
 Specialist will be happy to further assist you and ensure that we 
 completely resolve your issue as quickly as possible.
 
 Thank you,
 
 Eisset001
 Technical Support Specialist
 Network Solutions
 US/Canada: 1.866.391.4357
 International: 1.570.708.8788
 
 (c) Copyright 2012 Network Solutions, LLC. All rights reserved.

Thanks for any advice you can offer, I'm still reading and trying to learn 
DNSSEC.

Bill






Re: dnsmasq+named together (was: Re: Forward Domain)

2012-01-19 Thread WBrown
rob0 wrote on 01/19/2012 04:05:26 PM:

 ...
 server=127.0.0.1#1053
 # to use nameserver 127.0.0.1 in resolv.conf(5)
 no-resolv
 ...

 listen-on port 1053 { 127.0.0.1; };

Are both of these listening on port 1053?  That ain't gonna work.  Put one 
of them back on 53 or on some other port such as 2053.





RE: DNSSEC made simple, is this possible?

2012-01-11 Thread WBrown
I took the ISC 2 day Intro to DNS and BIND class.  The instructor made a 
good point that building from source frees you from the dependence on the 
distro's package maintainer.  As part of the class, we had to compile bind 
from scratch.  It was very straight forward ./configure, make, make 
install.  Options to the configure step allowed customization of the 
install if needed, but the defaults are pretty good.

In Ubuntu LTS versions, they do not update versions, other than minor revs 
for bug fixes.  I have some that are running Ubuntu 8.04LTS with bind 9.4. 
 I was worried with the recent vulnerability, but they quickly backported 
the fix.  But they're still running 9.4. :(  I am building new servers to 
replace them and I'm going with a bare-bones distro install and adding 
packages (compilers, etc) as I find I need them.  But the servers will be 
much leaner in terms of what is on them.

Perhaps other distros/flavors of *nix handle new versions differently.

bind-users-bounces+wbrown=e1b@lists.isc.org wrote on 01/11/2012 
11:50:01 AM:

 Now if FreeBSD would just add 9.9 to the ports
 collection, it would save me from having to build it by hand.. 






Re: About root zones

2012-01-04 Thread WBrown
micho...@cisco.com wrote on 01/03/2012 04:54:51 PM:

 Maybe it's because I started in networking...  But TCP/IP (or IPv6 these
 days) is quite the subsystem to avoid.  Really, like it or not, you are
 actually responsible for understanding interactions with subsystems your
 managed system must interact with.  ;-)

Yes, unfortunately we sometimes have to rely on systems and sub-systems 
maintained by others.  But in order to stick to the Principles of Least 
Astonishment, it is easier to rely on those systems under our own control. 
 Otherwise someone else will astonish us with their brilliance. 

I manage the DNS and the spam filters here.  Without warning (I know, a 
separate issue), the network was changed, causing problems between the spam 
filters and the DNS servers.  Took me 2 days to figure out what was causing 
email to fail.

I cannot choose what network to use.  I can choose what resolver to use.  





Re: bind as a service on windows -c option not working

2011-12-09 Thread WBrown
 How to tell the named running as a service to read the config file from 
 the path specified with -c option?

Try changing the path to the executable by moving the quote:

D:\bind9\bin\named.exe -c D:\bind_config\etc\named.conf






Re: bind as a service on windows -c option not working

2011-12-09 Thread WBrown
 No luck: The following information is part of the event: none:0: open: 
 C:\WINDOWS\system32\etc\named.conf: file not found

So why not put the configuration file there?  Then use the directory 
option to direct BIND to look for all the zone files on the D: drive.

options {
    directory "D:\bind_config";
    // other options as required
};






Re: bind as a service on windows -c option not working

2011-12-09 Thread WBrown
 This is not the answer I am looking for. If the parameter exists, it must 
 work.

Have you tried issuing the command from a command prompt?  





Re: Botnet Malware issue on bind BIND 9.7.1-P2

2011-12-05 Thread WBrown
jagan padhi wrote on 12/05/2011 12:16:19 PM:


 First of all I would like to know what all these .ws domains are. Due to 
 these junk domain queries the CDNS servers' load is getting very high.
  
 Yes, there is a limit set in my CDNS server; however, out of 100 queries 
 60 are coming for these junk domains.
 
Without the RPZ feature of bind 9.8, you could add a bogus zone for the 
.ws domain to your servers.  Either return an answer for *.ws as whatever 
you want, or have just the SOA record.  Either way, you're not waiting for 
a recursive query to time out.

What kind of host is the source of the queries?  



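Added example configuration (not from the thread or from ISC): the local bogus zone for .ws described above, which works on any BIND 9, next to the Response Policy Zone form available from BIND 9.8. The file paths, the sinkhole address 192.0.2.1 and the RPZ zone name rpz.local are assumptions.

```conf
// --- Option 1 (any BIND 9): named.conf on the recursive (CDNS) server.
//     The resolver becomes authoritative for "ws", so every name under it
//     is answered locally and never sent out to recurse and time out.
zone "ws" {
    type master;
    file "/etc/bind/db.sinkhole-ws";   // assumed path
    allow-transfer { none; };
};

; /etc/bind/db.sinkhole-ws (zone file; note ';' comments here).
; With only the SOA and NS, every name under .ws gets an authoritative
; NXDOMAIN. The optional wildcard answers with a sinkhole address you
; control instead, so its logs reveal which hosts are doing the lookups.
$TTL 300
@   IN  SOA  localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )
@   IN  NS   localhost.
*   IN  A    192.0.2.1   ; assumed sinkhole address; drop this line for plain NXDOMAIN

// --- Option 2 (BIND 9.8 and later): named.conf, Response Policy Zone.
//     Same effect, but the rest of the resolver is untouched and the rule
//     can later be narrowed to the exact names seen in the logs.
options {
    response-policy { zone "rpz.local"; };   // assumed zone name
};
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";      // assumed path
    allow-query { none; };              // policy data is applied, never served
};

; /etc/bind/db.rpz.local (zone file)
$TTL 300
@       IN  SOA    localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )
@       IN  NS     localhost.
ws      IN  CNAME  .     ; RPZ action "CNAME ." = answer NXDOMAIN for ws
*.ws    IN  CNAME  .     ; and for every name under it
```

Either variant answers every .ws name for every client of the resolver, legitimate ones included; treat it as a stop-gap, narrow it to the observed names once they are known, and use the query logs or the sinkhole's logs to find and clean the hosts generating the traffic.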


RE: Bind 9.9.0b2 inline signing...

2011-11-28 Thread WBrown
Todd wrote on 11/24/2011 11:29:14 AM:

 I don't understand why Windows doesn't include dig by default, even 
 now.  Free software hate?

And grep and logrotate!  At least the GnuWin32 project has a good version 
of grep.


