Re: Bind not starting

2010-10-01 Thread Stephane Bortzmeyer
On Fri, Oct 01, 2010 at 09:44:42AM +0530, rams brames...@gmail.com wrote a message of 300 lines which said: But bind is started successfully when commented below ns domains which are marked as RED. Some people are color-blind and some do not use a Web browser to read email. Using colors on

Re: Bind not starting

2010-10-01 Thread Matus UHLAR - fantomas
On Fri, Oct 01, 2010 at 09:44:42AM +0530, rams brames...@gmail.com wrote a message of 300 lines which said: But bind is started successfully when commented below ns domains which are marked as RED. On 01.10.10 08:57, Stephane Bortzmeyer wrote: Some people are color-blind and some do

Re: per-zone-recursion?

2010-10-01 Thread Kalman Feher
On 1/10/10 9:15 AM, Joerg Dorchain jo...@dorchain.net wrote: On Thu, Sep 30, 2010 at 07:13:11PM -0400, Kevin Darcy wrote: Per-zone recursion control doesn't exist in BIND, because frankly it doesn't make sense. I used to think that, too, until I came to my specific problem. Either a

nsupdate

2010-10-01 Thread rams
An observation in nsupdate: Suppose we have two A records as: addforixfr.bind9712.com. 3456 IN A 10.32.21.30 addforixfr.bind9712.com. 3456 IN A 10.32.21.20 When we update the TTL value as below for one of the records, the TTL value changes for both the

Re: nsupdate

2010-10-01 Thread Stephane Bortzmeyer
On Fri, Oct 01, 2010 at 02:58:28PM +0530, rams brames...@gmail.com wrote a message of 240 lines which said: Suppose we have two A records as: These two records have the same {name, class, type} and therefore belong to the same RRset (Resource Record Set). When we update the TTL value as below

Re: per-zone-recursion?

2010-10-01 Thread Joerg Dorchain
On Fri, Oct 01, 2010 at 11:25:31AM +0200, Kalman Feher wrote: Yes. To explain my setup further, there is a view based on src-IPs for some clients, where recursion is turned on. The rest of the world gets non-recursive answers, e.g. with authoritative data, or refused. In case of that

Re: GSS-TSIG and Active Directory

2010-10-01 Thread Nicholas F Miller
Yea, it seems that people got it working when the functionality came out but subsequently I haven't seen it working for anyone in a production environment. _ Nicholas Miller, ITS, University of Colorado at Boulder On Sep 30, 2010, at 3:24

Re: GSS-TSIG and Active Directory

2010-10-01 Thread Nicholas F Miller
Thanks, I'll give it a try and see if things begin to work. _ Nicholas Miller, ITS, University of Colorado at Boulder On Sep 30, 2010, at 10:15 AM, Tony Finch wrote: On Thu, 30 Sep 2010, Nicholas F Miller wrote: Does anyone actually

Re: tkey-gssapi-credential

2010-10-01 Thread Nicholas F Miller
That is how I created my keytab as well. It is interesting, when I try an update from a client all I get are denies. When I try an update using nsupdate -g from the DNS server I will get a REFUSED but I will also get a DNS/h...@domain kerb ticket from the keytab.

Where is managed-keys.bind ?

2010-10-01 Thread Magali Bernard
Hello bind-users, Today I jumped from BIND 9.6.2 to 9.7.2-P2 Seems to be ok, except: Oct 1 08:30:19 stroph named[24453]: set up managed keys zone for view _default, file 'managed-keys.bind' Oct 1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loading from master file

Re: Where is managed-keys.bind ?

2010-10-01 Thread Chris Thompson
On Oct 1 2010, Tony Finch wrote: On Fri, 1 Oct 2010, Magali Bernard wrote: Oct 1 08:30:19 stroph named[24453]: set up managed keys zone for view _default, file 'managed-keys.bind' Oct 1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loading from master file managed-keys.bind

Re: tkey-gssapi-credential

2010-10-01 Thread Rob Austein
At Fri, 1 Oct 2010 07:05:40 -0600, Nicholas F Miller wrote: It is interesting, when I try an update from a client all I get are denies. When I try an update using nsupdate -g from the DNS server I will get a REFUSED but I will also get a DNS/h...@domain kerb ticket from the keytab. It might

Re: Where is managed-keys.bind ?

2010-10-01 Thread Magali Bernard
On Oct 1 2010, Tony Finch wrote: On Fri, 1 Oct 2010, Magali Bernard wrote: Oct 1 08:30:19 stroph named[24453]: set up managed keys zone for view _default, file 'managed-keys.bind' Oct 1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loading from master file

Re: per-zone-recursion?

2010-10-01 Thread Matus UHLAR - fantomas
Yes. To explain my setup further, there is a view based on src-IPs for some clients, where recursion is turned on. The rest of the world gets non-recursive answers, e.g. with authoritative data, or refused. In case of that specific forward zone, bind answers in the

Re: GSS-TSIG and Active Directory

2010-10-01 Thread Nicholas F Miller
Updating to 9.7.2-P2 seems to be working. Of course it is not working exactly like we think it should. When we have things set like this: deny DOMAIN ms-self * SRV ; grant DOMAIN ms-self * ANY; Nothing will update. When we set it like this: deny DOMAIN ms-self * SRV; grant DOMAIN ms-self

Re: Bind not starting

2010-10-01 Thread John Wingenbach
NS records must point to an A record. ns1 and ns2 .nsdomain.com do not have A records defined for them according to the zone file. -- John On 10/1/2010 12:14 AM, rams wrote: Hi, I have configured records as follows in bind. When we start the bind 9.7, bind is not starting. But bind is

Re: GSS-TSIG and Active Directory

2010-10-01 Thread Rob Austein
If you're trying to grant update rights to a specific machine (rather than every machine in the realm), something like: grant d...@realm. subdomain dnsname.; might work better, where d...@realm is (eg) the Kerberos principal corresponding to your DC and dnsname is the tree to which you want to

Re: GSS-TSIG and Active Directory

2010-10-01 Thread Nicholas F Miller
YES. Brilliant, thanks Rob. I think it is working now. I have the update-policy set up as follows: grant d...@realm wildcard * ANY; grant d...@realm wildcard * ANY; grant dns_serv...@realm wildcard * ANY; deny REALM ms-self *

Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread lst_hoe02
Hello, after the root zones are now DNSSEC signed we would like to use DNSSEC at our caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and basically it is working fine. What I have not managed is to always force obeying DNSSEC signed zones for resolving, e.g. if I use dig +cdflag

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread Alan Clegg
On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote: Hello, after the root zones are now DNSSEC signed we would like to use DNSSEC at our caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and basically it is working fine. What I have not managed is to always force obeying DNSSEC signed

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread lst_hoe02
Quoting Alan Clegg acl...@isc.org: On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote: Hello, after the root zones are now DNSSEC signed we would like to use DNSSEC at our caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and basically it is working fine. What I have not managed is to

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread Alan Clegg
On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: Sorry for being unclear. We want the SERVFAIL as it should be for invalid DNSSEC data *in all cases*, e.g. even if a client asks with the cdflag (checking disabled) set. CD means don't check, so you can't by definition. AlanC signature.asc

Re: Auto signing ARM

2010-10-01 Thread Tony Finch
I haven't seen any answers to Timothe's questions below, though I have been keeping an eye out for them. The documentation in this area is a bit thin... Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ On 20 Sep 2010, at 20:28, Timothe Litt l...@acm.org wrote: I'm trying to get

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread lst_hoe02
Quoting Alan Clegg acl...@isc.org: On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: Sorry for being unclear. We want the SERVFAIL as it should be for invalid DNSSEC data *in all cases*, e.g. even if a client asks with the cdflag (checking disabled) set. CD means don't check, so you can't by

managed-keys-zone file not found

2010-10-01 Thread Jack Tavares
Hello While starting up bind I get the following 2 messages 01-Oct-2010 15:13:15.304 set up managed keys zone for view external, file '3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys' and 01-Oct-2010 15:13:15.309 managed-keys-zone ./IN/external: loading from master file

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread Barry Margolin
In article mailman.265.1285967251.555.bind-us...@lists.isc.org, lst_ho...@kwsoft.de wrote: Quoting Alan Clegg acl...@isc.org: On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: Sorry for being unclear. We want the SERVFAIL as it should be for invalid DNSSEC data *in all cases*, e.g.

Re: per-zone-recursion?

2010-10-01 Thread Joerg Dorchain
On Fri, Oct 01, 2010 at 05:39:16PM +0200, Matus UHLAR - fantomas wrote: On 01.10.10 12:39, Joerg Dorchain wrote: Well, I could agree agree that wrong means not thought of by RfC-Designers and bind implementators (yet). probably it was not thought because it's wrong. This point is