Re: Fwd: Facing weird issue with DNS-RPZ

2018-04-26 Thread Carl Byington
On Wed, 2018-04-25 at 19:30 +0530, Blason R wrote: > I tried that couple of times on CentOS and it fails :(. http://www.five-ten-sg.com/mapper/bind I just updated the instructions. It looks like the built-in tests (that are normally run as part of

Re: Release Strategy Clarification

2018-04-26 Thread Victoria Risk
> On Apr 26, 2018, at 5:53 AM, Matthew Pounsett wrote: > > This is a question for ISC about the new BIND release plan which I thought > might be a useful clarification for others as well. > > I didn't notice this when the new plan was first presented in March, but the >

Question about upgrade the version of BIND

2018-04-26 Thread koji.matsumoto
Hello All, I am using BIND 9.10.2-P1. I have a question. [Situation] In order to upgrade the version of BIND, I uninstalled BIND 9.10.2-P1 and installed BIND 9.11.3. I started the service, but the startup of the service failed. - Error code 1067 - Application event log managed-keys-directory

what's wrong with recent bind-utils against dnsmasq

2018-04-26 Thread Reindl Harald
when the server is dnsmasq you get all sorts of funny results from SERVFAIL to REFUSED combined with the right answer that now even goes so far that named is no longer able to resolve zone-delegations pointing to a dnsmasq [root@testserver:~]$ nslookup rhsoft.testserver.example.com 127.0.0.1

Release Strategy Clarification

2018-04-26 Thread Matthew Pounsett
This is a question for ISC about the new BIND release plan which I thought might be a useful clarification for others as well. I didn't notice this when the new plan was first presented in March, but the key text in the legend of the Example Release Plan[0] for the red blocks is "a release that

Re: Whitelisting sites using RPZ

2018-04-26 Thread Daniel Stirnimann
On 26.04.18 09:46, Blason R wrote: > Oh that's great...in that case general practice would be always whitelist > the zones first then blacklist? I'm using: whitelist with "policy passthru log no" test zones with "policy passthru" blacklists with "policy cname LANDINGPAGE" Note, "[ log yes_or_no

Re: Whitelisting sites using RPZ

2018-04-26 Thread Blason R
9.12 is not yet stable; I believe? On Thu, Apr 26, 2018 at 1:23 PM, Daniel Stirnimann < daniel.stirnim...@switch.ch> wrote: > On 26.04.18 09:46, Blason R wrote: > > Oh that's great...in that case general practice would be always whitelist > > the zones first then blacklist? > > I'm using: > >

Re: Whitelisting sites using RPZ

2018-04-26 Thread Blason R
Oh that's great...in that case general practice would be always whitelist the zones first then blacklist? On Thu, Apr 26, 2018 at 11:53 AM, Daniel Stirnimann < daniel.stirnim...@switch.ch> wrote: > > response-policy { zone "malware.trap"; zone "whitelist.allow" policy > > passthru; }; > > ... >

Re: Whitelisting sites using RPZ

2018-04-26 Thread Daniel Stirnimann
> response-policy { zone "malware.trap"; zone "whitelist.allow" policy > passthru; }; ... > So which one will take precedence in this case? Policy processing will search the zone files in the order in which they appear in the response-policy statement. So, you need to change the order in

Re: Whitelisting sites using RPZ

2018-04-26 Thread Daniel Stirnimann
> Note, "[ log yes_or_no ]" has been added in BIND 9.12. Sorry, this has been added in BIND 9.11 already. Daniel ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list

Re: Whitelisting sites using RPZ

2018-04-26 Thread Daniel Stirnimann
On 26.04.18 10:10, Blason R wrote: > 9.12 is not yet stable; I believe? 9.12 is stable. 9.13 is current development. 9.11 is the current Extended Support Version (ESV). You may want to read this: https://www.isc.org/blogs/bind-release-strategy-updated/ https://kb.isc.org/article/AA-01540

Re: problems changing NS records

2018-04-26 Thread Alberto Colosi
have you changed zone registration? there is DNS FQDN reference if you change dns fqdn you have to update zone on your NIC as it on NIC it or where you registered the domain From: bind-users on behalf of Lucio Crusca

Re: problems changing NS records

2018-04-26 Thread Matus UHLAR - fantomas
On 26.04.18 15:18, Lucio Crusca wrote: Until a few hours ago, I had several domains and 3 nameservers for them: ns1.virtualbit.it (master, 136.243.232.142) ns11.virtualbit.it (slave, 158.69.210.19) ns2.virtualbit.it (slave, 136.243.232.143) Nameservers A records ERROR: Some of your DNS

Re: problems changing NS records

2018-04-26 Thread Iván García
Hi. I think the problem is this: *dig NS +noadditional +noquestion +nocomments +nocmd +nostats +trace virtualbit.it. @208.67.222.222* . 518400 IN NS a.root-servers.net. . 518400 IN NS

problems changing NS records

2018-04-26 Thread Lucio Crusca
Until a few hours ago, I had several domains and 3 nameservers for them: ns1.virtualbit.it (master, 136.243.232.142) ns11.virtualbit.it (slave, 158.69.210.19) ns2.virtualbit.it (slave, 136.243.232.143) Then I tried to migrate to a new master, names.virtualbit.it (46.4.38.130). Here is the

Re: problems changing NS records

2018-04-26 Thread Tony Finch
Lucio Crusca wrote: > Until a few hours ago, I had several domains and 3 nameservers for them: > > ns1.virtualbit.it (master, 136.243.232.142) > ns11.virtualbit.it (slave, 158.69.210.19) > ns2.virtualbit.it (slave, 136.243.232.143) Oh dear, this is a bit of a rabbit