Moderators note

2008-12-03 Thread Alan Clegg
Due to technical difficulties, a number of messages were being held in the moderation queue. These postings have now been cleared out (some may be duplicates, for which I apologize). We are still working out a couple of minor kinks in the move to the new mailing list system. Thanks for your

Re: Random nx name queries, anyone see this before?

2008-12-15 Thread Alan Clegg
ponga2...@gmail.com wrote: I'm seeing name queries from a couple clients on the network that occur around every two minutes - the queries are evidently random and are looking for A IN records of this form, as an example: ungzbvyf.lzghmccim They always look like this, 8 lowercase chars,

Re: Random nx name queries, anyone see this before?

2008-12-16 Thread Alan Clegg
Frank Behrens wrote: ponga2...@gmail.com ponga2...@gmail.com wrote on 15 Dec 2008 16:34: I'd be very interested in what others find. I do have an update and correction to my original post: The format is 9chars.8chars - as an example: qjnqrtfun.wxsifmgj Sometimes a colon appears, so the char
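
The two posts above describe a fixed-cadence stream of random-looking two-label names (8 or 9 lowercase letters per label). The quickest way to pin that down from the server side is to turn on the query log and score names by shape and by inter-arrival time per client. The following is an added example, not code from the thread or from BIND; the log lines in it are constructed to match the format BIND's "query:" channel writes and the pattern the thread reports, and the vowel-density threshold is a heuristic I chose, not a standard:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed BIND query-log lines (9.x "query:" channel format). The clients
# and names below are made up to mirror the thread; this is not real traffic.
SAMPLE_LOG = """\
15-Dec-2008 16:30:01.101 client 10.1.2.3#51234: query: ungzbvyf.lzghmccim IN A +
15-Dec-2008 16:30:05.220 client 10.1.2.9#40021: query: www.isc.org IN A +
15-Dec-2008 16:32:01.333 client 10.1.2.3#51235: query: qjnqrtfun.wxsifmgj IN A +
15-Dec-2008 16:32:44.002 client 10.1.2.9#40022: query: mail.example.com IN MX +
15-Dec-2008 16:34:01.812 client 10.1.2.3#51236: query: xkvprwzgt.bhmsqltc IN A +
15-Dec-2008 16:35:10.640 client 10.1.2.9#40023: query: lists.isc.org IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
VOWELS = set("aeiou")


def looks_random(qname):
    """Match the shape reported in the thread: exactly two labels, each 8 or 9
    lowercase letters, with the low vowel density of machine-generated strings.
    The 0.35 cut-off is an assumption chosen for this example."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 2:
        return False
    for label in labels:
        if not (8 <= len(label) <= 9 and label.isalpha() and label.islower()):
            return False
        if sum(c in VOWELS for c in label) / len(label) > 0.35:
            return False
    return True


def parse_queries(log_text):
    """Return (timestamp, client, qname) tuples for lines in the query-log format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            events.append((ts, m.group("client"), m.group("qname")))
    return events


def suspicious_clients(log_text, min_hits=2):
    """Group random-looking queries by source address and report how many were
    seen and the median gap between them, so a fixed cadence (the two-minute
    beacon in the thread) stands out from one-off typos."""
    per_client = defaultdict(list)
    for ts, client, qname in parse_queries(log_text):
        if looks_random(qname):
            per_client[client].append(ts)
    report = {}
    for client, stamps in per_client.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        report[client] = {"hits": len(stamps), "median_interval_s": gaps[len(gaps) // 2]}
    return report


if __name__ == "__main__":
    for client, info in suspicious_clients(SAMPLE_LOG).items():
        print(client, info)
```

Once a client is isolated this way the next step is on the client itself (what process opens the socket every two minutes), which the query log cannot tell you; the log only narrows it to an address and a schedule.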

Mailman and bounces...

2009-01-18 Thread Alan Clegg
bounces that your mailers generate by adding ISC to the appropriate white-lists, we would much appreciate it. This e-mail will probably not make it to the people to whom it is addressed because it contains things that their filters will not allow to pass. Alan Clegg bind-*/dhcp-* list manager

Re: rndc halt -p behavior

2009-01-21 Thread Alan Clegg
Rich Goodson wrote: If -p is specified named's process id is returned. This allows an external process to determine when named had completed halting. Whether named is still answering queries or just cleaning up its allocated memory, the PID is returned BEFORE named is gone, as named is

Re: How can you verify TSIG is working b/t Master Slave servers

2009-01-22 Thread Alan Clegg
Mark A. Moore wrote: I have setup and configured TSIG on our Bind 9. DNS servers. How can you verify/test that it is working correctly? Check your logging: xfer.log:20-Jan-2009 20:06:24.677 xfer-out: info: client 149.20.XX.XX#60073: transfer of '154.XX.XX.in-addr.arpa/IN': AXFR-style IXFR

Re: How can you verify TSIG is working b/t Master Slave servers

2009-01-22 Thread Alan Clegg
Vincent Rivellino wrote: Shouldn't using dig fail from the slave? For example: [...@stuey ~]$ dig -t AXFR domain.tld @ns1.someserver ; DiG 9.5.1-P1 -t AXFR domain.tld @ns1.someserver ;; global options: printcmd ; Transfer failed. It all depends on what you do with the TSIG. I
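
The two replies above make the same point from two sides: the xfer-out log records whether a transfer was TSIG-signed and with which key, and a plain unsigned `dig AXFR` from an allowed address will still succeed unless allow-transfer is restricted to the key rather than to the IP (for example `allow-transfer { key xfer-key; };`). From the slave side you can confirm the key is accepted with `dig @master example.com AXFR -y hmac-md5:xfer-key:<base64 secret>`. The script below is an added example, not ISC's code; it reads xfer-out log lines in the format BIND 9 writes ("... AXFR started: TSIG keyname" when signed, no TSIG suffix when not) and flags transfers that were unsigned or signed with a key you did not expect. The log lines, addresses, zone names and key names are constructed for the example:

```python
import re

# Constructed xfer-out log lines in BIND 9's format. The clients, zones and
# key names are made up; only the line shape is taken from real servers.
SAMPLE_XFER_LOG = """\
20-Jan-2009 20:06:24.677 xfer-out: info: client 192.0.2.10#60073: transfer of 'example.com/IN': AXFR-style IXFR started: TSIG xfer-key
20-Jan-2009 20:06:24.701 xfer-out: info: client 192.0.2.10#60073: transfer of 'example.com/IN': AXFR-style IXFR ended
20-Jan-2009 20:07:02.114 xfer-out: info: client 198.51.100.7#41812: transfer of 'example.com/IN': AXFR started
20-Jan-2009 20:07:02.250 xfer-out: info: client 198.51.100.7#41812: transfer of 'example.com/IN': AXFR ended
20-Jan-2009 20:09:11.000 xfer-out: info: client 192.0.2.11#50123: transfer of '2.0.192.in-addr.arpa/IN': AXFR started: TSIG old-key
"""

# Only the "started" line carries the key name; "ended" lines are skipped.
XFER_RE = re.compile(
    r"client (?P<client>[^#\s]+)#\d+: transfer of '(?P<zone>[^']+)': "
    r"(?P<kind>AXFR(?:-style IXFR)?|IXFR) started(?:: TSIG (?P<key>\S+))?$"
)


def parse_transfers(log_text):
    """Return (client, zone, kind, keyname_or_None) for every started transfer."""
    found = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if m:
            found.append((m.group("client"), m.group("zone"),
                          m.group("kind"), m.group("key")))
    return found


def audit_transfers(log_text, expected_keys):
    """expected_keys maps 'zone/CLASS' -> set of TSIG key names allowed to pull
    it. Returns (client, zone, problem) for each transfer that went out unsigned
    (allow-transfer is still address-based) or under a key not on the list
    (a retired key is still configured somewhere)."""
    problems = []
    for client, zone, kind, key in parse_transfers(log_text):
        allowed = expected_keys.get(zone, set())
        if key is None:
            problems.append((client, zone, "unsigned %s" % kind))
        elif key not in allowed:
            problems.append((client, zone, "unexpected TSIG key %s" % key))
    return problems


if __name__ == "__main__":
    policy = {"example.com/IN": {"xfer-key"}, "2.0.192.in-addr.arpa/IN": {"xfer-key"}}
    for item in audit_transfers(SAMPLE_XFER_LOG, policy):
        print("%s pulled %s: %s" % item)
```

An empty result from audit_transfers is the evidence the original poster asked for: every outbound transfer of the zones you care about was signed with the key you expect. One unsigned hit is the quickest way to discover that the master's allow-transfer still names the slave's address instead of the key.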

Re: [DNSSEC] Validating resolver which is also authoritative: no AD bit set

2009-01-23 Thread Alan Clegg
Stephane Bortzmeyer wrote: I configure a BIND 9.5.0 P2 which is both a DNSSEC-validating resolver and an authoritative server. With proper trust anchors, it DNSSEC-validates domains like iis.se or sources.org and sets the AD bit in the answers to 'dig +dnssec XXX iis.se'. Except for one

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-25 Thread Alan Clegg
Al Stu wrote: ISC’s message that a CNAME/alias in an MX record is illegal is incorrect and just an attempt by ISC to get people to go along with what is only a perceived rather than actual standard/requirement, and should be removed so as not to further the fallacy of this perceived

Re: Split view multiple zones

2009-01-27 Thread Alan Clegg
Reinis Rozitis wrote: view custom { match-clients { custom-clients; } zone customzone.com { ... }; } view normal { match-clients { any; }; zone customzone.com { ... }; zone otherzone.com { ... }; zone otherzone2.com { ... }; } The problem is that if the client

Re: Open Ports in BIND

2009-02-01 Thread Alan Clegg
Bind wrote: Dear Admins I installed Bind v9.5.1 and it works properly, but I have some questions about these parameters: # netstat -an |grep 53 |wc 3911223 20656 I think you might want to use lsof (or your system equivalent) to find the open ports that are directly related to

Re: Slave to master with multiple views

2009-02-13 Thread Alan Clegg
Jeffrey Collyer wrote: This older article http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html seems to indicate that the only way to get the slave to fully sync the zones in both views is to create a virtual IP on the slave (with an IP in the sandbox range) so the zone

Re: Adding records to a domain I don't control for anyone who uses my nameserver

2009-03-03 Thread Alan Clegg
Spoofing the dns zones is the only solution. Why not using your own XMPP server, that you control and where you can activate logging? Actually, in a previous lifetime, we discovered that the MOST effective way to deal with this was to write it into the policy and procedures manual and make

Re: $generate lhs problem. Manual needs to be updated.

2009-03-05 Thread Alan Clegg
Takahiro Masuda wrote: Yes I guess I didn't understand it totally because in the example syntax is shown as lhs defined at the beginning $GENERATE range lhs [ttl] [class] type rhs [comment] and when you read the explanation for lhs it shows the example

Re: Make changes en mass [done]

2009-03-24 Thread Alan Clegg
John D. Vo wrote: Thanks Jeff. I prefer your way better, more eloquent than the brute force method I did. To this point, nobody has updated the serial. AlanC signature.asc Description: OpenPGP digital signature ___ bind-users mailing list

Re: stealth master DNS Security

2009-03-25 Thread Alan Clegg
Ram Akuka wrote: but encrypting the file system won't do the work here. I agree that storing the key and the encrypted data on the same machine is useless in security terms. That's why I'm looking for a built-in solution. Is there any way the slave server can save the zone in a format different

Re: Psuedo-Master Zones

2009-03-25 Thread Alan Clegg
Chris Dew wrote: No, we've had to work around these limitations of axfr/notify, so that we can take this concern away from our customers. What limitations are you talking about specifically? I would love to find a nice bind-supported way of dealing with views/axfr/notify, so if you find

Re: stealth master DNS Security

2009-03-25 Thread Alan Clegg
Ram Akuka wrote: Is there's any way I can encrypt the zone transfer date (without using any third-party encryption tool)? Why exactly do you want to do this? DNS data is NOT PROTECTED DATA. As long as queries and responses are permitted in the clear (which is the way DNS works), you are only

Re: Stats

2009-03-27 Thread Alan Clegg
John D. Vo wrote: What do you guys use to turn this: --- Statistics Dump --- (1238151600) +++ Statistics Dump +++ (1238155200) success 3280261 referral 363 nxrrset 745513 nxdomain 392614 recursion 1173408 failure 1115632 --- Statistics Dump --- (1238155200) into something more

Re: name server zone list

2009-04-03 Thread Alan Clegg
The entire list of zones is available in XML format in the statistics channel in 9.5 Yep, you need to parse for it, but it's there... AlanC

Re: DNS Maintenance

2009-07-08 Thread Alan Clegg
Alans wrote: Can someone tell me how webhosting providers or ISPs do maintenance on their DNSs? I mean, can they take it offline? What is the procedure usually? You need to define maintenance. With very few exceptions (none?) I can't think of a reason to take a DNS server off-line to do

Re: Migrating DNS servers, need advice on hardware

2009-09-20 Thread Alan Clegg
Frank Bulk wrote: Perhaps the inverse would be more interesting: what's the lowest-spec hardware that could host an OS that would run the latest version of BIND. =) It's not exactly low-end hardware, but I have BIND 9.4.2 running on my iPhone. AlanC

Re: cache dead records

2009-10-22 Thread Alan Clegg
On Oct 23, 2009, at 5:45, net...@royal.net wrote: We are using bind9 for DNS Cache. What the problem is, sometime the IP address for a domain is dead, but Bind won't know, and still responds the dead IP to clients, after that clients access the sites failed. So is there a way to do health

Re: 2 simultaneous hung Bind boxes

2009-10-28 Thread Alan Clegg
Justin Shore wrote: The boxes are running fairly old Bind code, 9.5.1b2. Tomorrow I will upgrade to 9.6.1rc1 (unless people believe 9.7.0b1 is ready for use). I would recommend not using beta or release candidate code in your deployment. If you want something that will stand up to customer

Re: multiple internal views not working (requested conf files

2009-11-02 Thread Alan Clegg
Kevin Darcy wrote: Views are matched in order, so !10.x.5.0/24; is redundant -- anything in that range would have been matched by the previous view. But, but by explicitly putting it there, the ordering of the views is no-longer important. Better safe than sorry. AlanC

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Alan Clegg
Hanno Böck wrote: dig baddata-A.test.dnssec-tools.org @localhost There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you. AlanC

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Alan Clegg
Hanno Böck wrote: Am Mittwoch 25 November 2009 schrieb Alan Clegg: There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you. Ok, that explains it. Are there any example domains with known

Re: CLASS support

2009-11-30 Thread Alan Clegg
JFC Morfin wrote: At 19:36 30/11/2009, Florian Weimer wrote: I understand that. But I need to use Private Use classes. The question is how do I do it? Use CLASS999 and similar identifiers (just like TYPE999 for types). I guessed the format from the code. But it fails. named-checkconf says

Re: dnssec updated zone data is not live ??

2009-12-18 Thread Alan Clegg
Niobos wrote: On 17 Dec 2009, at 20:50, Kevin Darcy wrote: Cat'ing the zone file is no longer reliable once you've enabled a zone for Dynamic Update. There might be updates in the log file which haven't been committed to the actual zone file yet. That's why I recommended that you use an AXFR of

Re: strange dig behavior

2009-12-20 Thread Alan Clegg
Pamela Rock wrote: I don't know what is causing the refused. IP tables is off everywhere, and there are no ACL's on routers or firewalls. Has nothing to do with firewalls (or ACLs on routers). The only error I'm seeing is the following in the debug log 20-Dec-2009 19:21:09.443

Re: Remove/add [A] records based upon server availability

2009-12-26 Thread Alan Clegg
Ryan S wrote: Is there a method in BIND to add/remove A records based upon server availability? i.e. host www has A records 1.1.1.1, 2.2.2.2, 3.3.3.3 If 3.3.3.3 is 'down' (via a ping test, for example) we remove it from the [A] record until such time that it is back 'up' and the host is

Re: limit for cache-size?

2010-01-04 Thread Alan Clegg
Thomas Vogt wrote: Are there any limits in bind 9.6.* or 9.7.* for cache-size or known issues? I'm planning to use 8GB ram for named cache. The LRU cache cleaning introduced in BIND 9.5.0 should make your large cache work as expected. AlanC

Re: dig query

2010-01-06 Thread Alan Clegg
Pamela Rock wrote: The following dig query dig gov +dnssec +noadflag @10.10.10.1 produces the following flags in the header section: ;; flags: qr rd ra ad; Question - what is the relation with the +dnssec and +noadflag options in the query. I would think the query would produce a

Re: dig query

2010-01-06 Thread Alan Clegg
Tony Finch wrote: On Wed, 6 Jan 2010, Pamela Rock wrote: Does that imply that +adflag sets the ad bit on the query and the response where +dnssec only sets the ad bit on the response? The AD flag is meaningless in a query. In a response it tells you whether the server is authoritative or
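
For readers following the dig question above: dig's +adflag and +cdflag set the AD and CD bits in the 12-byte header of the query, while +dnssec sets the DO bit in the EDNS OPT record, which is not a header flag at all; and the "flags:" line dig prints is the header of the response, so "ad" appears there whenever the resolver validated the data, regardless of +noadflag. Per RFC 4035 section 3.2.3 a resolver sets AD in a response when it validated everything in the answer and authority sections (AA, a different bit, is the one that says "authoritative"); per RFC 6840 section 5.7 a client that sets AD in its query is signalling that it understands the bit. The following is an added example of mine, not dig's or BIND's code, that packs and decodes the header so the bit positions are explicit; the header bytes are constructed for the example:

```python
import struct

# Header flag bits: RFC 1035 section 4.1.1, with AD and CD from RFC 4035.
# Listed in the order dig prints them on its "flags:" line.
FLAG_BITS = {
    "qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
    "ra": 0x0080, "ad": 0x0020, "cd": 0x0010,
}


def decode_header(data):
    """Parse the fixed 12-byte DNS header (network byte order) into its
    ID, opcode, rcode, the names of the flags that are set, and the four
    section counts."""
    if len(data) < 12:
        raise ValueError("DNS header is 12 bytes, got %d" % len(data))
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_query_header(ident, rd=True, ad=False, cd=False):
    """Build a query header the way dig does with +adflag / +cdflag.
    (+dnssec is not represented here: it sets the DO bit in the EDNS OPT
    pseudo-record in the additional section, not a header flag.)"""
    flags = 0
    if rd:
        flags |= FLAG_BITS["rd"]
    if ad:
        flags |= FLAG_BITS["ad"]
    if cd:
        flags |= FLAG_BITS["cd"]
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0)


def describe_ad(header):
    """What the AD bit means depends on which direction the message travels."""
    flags = header["flags"]
    if "qr" not in flags:
        if "ad" in flags:
            return "query: client understands AD and asks for it (RFC 6840 5.7)"
        return "query: AD not set"
    if "ad" in flags:
        return "response: resolver validated all answer and authority data (RFC 4035 3.2.3)"
    return "response: not validated (unsigned data, insecure delegation, or validation off)"


if __name__ == "__main__":
    # Constructed response header: id 0x1234, flags qr rd ra ad (0x81a0),
    # one question, one answer, one additional (the OPT record).
    resp = decode_header(bytes.fromhex("1234" "81a0" "0001" "0001" "0000" "0001"))
    print(resp["flags"], "->", describe_ad(resp))
    query = decode_header(build_query_header(0x1234, ad=True))
    print(query["flags"], "->", describe_ad(query))
```

The security caveat that goes with this: the AD bit is a plain header bit with no signature over it, so it is only worth trusting on a path you already trust (a validating resolver on loopback, or a resolver reached over TSIG/IPsec); a stub on an open network that honours AD from an arbitrary resolver has gained nothing.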

Re: bindvrs Vulnerability

2010-01-12 Thread Alan Clegg
Lightner, Jeff wrote: Sometimes you have to do things like hiding your version just because it came up on the security audit. It's a lot easier to make them shut up by doing what they want than by explaining to them that what they want is meaningless. That said, if your security audit allows

Re: a question on bind cache

2010-01-14 Thread Alan Clegg
Tech W. wrote: So, do you think is there a resolving way for Bind which can implement the features: 1. check the popular domains' original IPs (like google's, yahoo's, aol's etc), and exclude the dead IPs from its cache. 2. for the popular domains, testing the access speed to each of

Re: a question on bind cache

2010-01-14 Thread Alan Clegg
http://lmgtfy.com/?q=content+distribution+network Thanks, I know something about CDN. But I also want to know if it's possible to let DNS handle this? BIND itself does not do this. You could monitor your services and then use dynamic DNS to change resource records based on the results, but
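
The reply above, and the earlier "Remove/add [A] records based upon server availability" thread, both land on the same design: BIND does not probe anything, so an external monitor decides and pushes the change with dynamic update. The part worth getting right is the decision, not the probe. The following is an added example, not part of the thread or of BIND; it takes a health result per address and renders one nsupdate batch, refusing to withdraw the last healthy address because an empty RRset takes the service down harder than one stale record does. The host name, zone, addresses and probe results are constructed:

```python
# Constructed inputs: the A RRset currently published for a host, the pool of
# addresses that may ever be published for it, and a probe result per address
# (whatever ping/HTTP check you run). All values are made up for the example.
NAME = "www.example.com."
POOL = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
CURRENT_A = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
HEALTH = {"192.0.2.1": True, "192.0.2.2": True, "192.0.2.3": False}


def plan_changes(current, pool, health):
    """Return (to_delete, to_add): dead addresses to withdraw and recovered
    addresses to re-publish. If nothing in the pool is healthy, change nothing
    and leave the decision to a human."""
    present = set(current)
    healthy = {ip for ip in pool if health.get(ip, False)}
    if not healthy:
        return [], []
    return sorted(present - healthy), sorted(healthy - present)


def nsupdate_script(server, zone, name, ttl, to_delete, to_add):
    """Render one nsupdate batch; feed it to `nsupdate -k <tsig key file>`
    (the key file name is whatever you generated, not fixed here). All
    changes go in a single 'send' so the RRset never passes through an
    intermediate state that resolvers could cache."""
    if not to_delete and not to_add:
        return ""
    lines = ["server %s" % server, "zone %s" % zone]
    lines += ["update delete %s A %s" % (name, ip) for ip in to_delete]
    lines += ["update add %s %d A %s" % (name, ttl, ip) for ip in to_add]
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dele, add = plan_changes(CURRENT_A, POOL, HEALTH)
    print(nsupdate_script("192.0.2.53", "example.com.", NAME, 60, dele, add), end="")
```

Two operational notes: the TTL on the RRset bounds how long resolvers keep handing out the withdrawn address (the point made in the "cache dead records" thread), so a low TTL on records managed this way is part of the design; and the monitoring host should hold a TSIG key that update-policy or allow-update restricts to exactly this name and type, so a compromised monitor cannot rewrite the rest of the zone.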

[Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Alan Clegg
I find this important enough to forward on to bind-users. Please note the importance of trust anchor management. AlanC [Apologies for duplicates] Dear Colleagues, We have discovered that recent versions of the Fedora Linux distribution are shipping with a package called

Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Alan Clegg
Paul Wouters wrote: With the current success of the DLV, and the root zone deployment half a year away, it is not really required anymore. I think it is much better to get rid of all trust anchors apart from the ISC DLV key. Do remember, however, that the DLV keys also roll, so this does need

Re: multi master primary nameserver.

2010-02-08 Thread Alan Clegg
Gordon A. Lang wrote: Did I recently hear correctly that some future version of BIND will be supporting multi-master? That is in the plans. I know slaves can forward updates to masters, but can masters also forward updates to other masters? (I can look this up, but I'm fishing for others

Re: Bind 9.5.2-P1 and rrset-order

2010-02-19 Thread Alan Clegg
Denis Laventure wrote: Hi, I have multiple ip addresses for one server: www.mydomain.com A 10.0.0.1 www.mydomain.com A 10.0.0.2 www.mydomain.com

Re: Strange issue - please enlighten me

2010-02-19 Thread Alan Clegg
Marco Davids (SIDN) wrote: Anyone any clue? I am trying to understand why some resolvers handle this query well, while BIND 9.7.x returns a SERVFAIL. acl...@yellow:~$ dig +short airfrance.fr ns webaf1.airfrance.fr. lasvegas.airfrance.fr. proof.rain.fr. acl...@yellow:~$ dig +short

Re: Scripts for zsk rollover in 9.7

2010-02-23 Thread Alan Clegg
Stephane Bortzmeyer wrote: We have plans to improve this in 9.7.x (where x probably equals 1) in a couple of ways: first, by making it possible to assign each key an explicit successor key and warn the user if a key is set to expire without a successor; second, by making it possible to

Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO

2010-02-23 Thread Alan Clegg
Nicholas Wheeler wrote: On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote: (Well, for now the plan is to do it once a year by hand. Then, we'll see...) For the record, NIST recommends to roll the ZSK every three months, and the KSK every two years. And there are lots of other

Re: Modifying a response

2010-02-24 Thread Alan Clegg
Peter Andreev wrote: For example: if user asks for non-existent domain, caching server replies with some address and no-error rcode. _Extremely_ bad idea. Yes, I know, but boss is boss and task is task :). Thank you very much for your answer. You might want to talk to

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: Thats not the case with DNScurve. Again I stress - over 20 billion requests per day at OpenDNS are DNScurve compatible. The traffic in DNSSEC is chicken feed compared to DNScurve. Joe, The fact that queries hit servers that are DNScurve capable does not mean that they are

Re: Zone transfers from slaves to slaves?

2010-02-24 Thread Alan Clegg
Dan Letkeman wrote: I think I have a configuration issue somewhere. It looks like from the logs that my master server is notifying the slaves correctly, but then the other slaves are also notifying the slaves as well. 172.16.0.100 is the master 172.16.0.101 is 1st slave 172.16.0.102 is

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: [] I guess that depends on if DNSSEC is turned on by default in BIND. Incidentally - is it? dnssec-enable yes; and dnssec-validation yes; are the defaults since BIND 9.5 Serving signed zones requires signed zone data to serve. Validation

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: dnssec-enable yes; and dnssec-validation yes; are the defaults since BIND 9.5 How do I turn it off. Since you edited out the most important part of my post, I'll repeat it here before I answer your question: Serving signed zones requires

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-26 Thread Alan Clegg
Jonathan de Boyne Pollard wrote: That's also nothing to do with DNSCurve. You weren't making a DNSCurve query there. You were simply querying, with an ordinary DNS query, a proxy DNS server that is under someone else's control and getting the view of the DNS namespace that that someone else

Re: Help with logrotate and bind

2010-02-26 Thread Alan Clegg
Diosney Sarmiento Herrera wrote: I am trying to rotate my named logfile with logrotate and I configured it as I show: [...] This is much more a question for a list that discusses the logrotate application than it is to bind-users. I would recommend, however, that you look into the

Re: dnsquery for Solaris

2010-03-09 Thread Alan Clegg
ic.nssip wrote: I've got dnsquery working fine from sunfreeware.com bind-8.4.6 on x86-Solaris 10. Does anybody know if it can be exported to another machine? I tried to binary ftp the file to another machine (same configuration), I fixed owner and permissions but will just not run there.

Re: dnsquery for Solaris

2010-03-09 Thread Alan Clegg
ic.nssip wrote: What I'm trying to do is to find a way to get the TTL left for a cached record. I usually use dnsquery like this (12m23s and 9m53s is what interests me): # dnsquery -n 8.8.8.8 -t a ftp.funet.fi ;; -HEADER- opcode: QUERY, status: NOERROR, id: 47912 ;; flags: qr rd ra; QUERY:

Re: recursion

2010-03-10 Thread Alan Clegg
ic.nssip wrote: If there is no option recursion yes (or no); specified in named.conf, is the server still recursive? Is recursion activated by default if option recursion (yes|no) is missing in named.conf? In modern BIND, allow-recursion defaults to: { localhost; localnets; };

Re: recursion

2010-03-10 Thread Alan Clegg
Lightner, Jeff wrote: Modern being? According to CHANGES file: --- 9.5.0a6 released --- 2206. [security] allow-query-cache and allow-recursion now cross inherit from each other. If allow-query-cache is not set in named.conf then

Re: recursion

2010-03-10 Thread Alan Clegg
Lightner, Jeff wrote: Modern being? Actually In the 9.4 CHANGES file I find: --- 9.4.0a4 released --- [...] 2006. [security] Allow-query-cache and allow-recursion now default to the builtin acls localnets and localhost. This is

Re: return address for failed DNSSEC validation

2010-03-11 Thread Alan Clegg
Gilles Massen wrote: As soon as applications (or local stub resolvers) are validating, that would be the place to generate a user compatible error. But in the best case this will take years. In the mean term we are stuck with dummy users, and ISPs that might want to enable validation, but

Re: dynamic update in IPv6 environment

2010-03-11 Thread Alan Clegg
aihua zhang wrote: [...] the BIND version is BIND-9.6.1, my install process is: ./configure; make; make install. Is there anything wrong with my install, or is it some other problem? thanks! Dynamic updates work correctly in an IPv6 environment to the best of my knowledge, however, nsupdate does not at this

Re: loading from master file failed: unknown class/type

2010-03-14 Thread Alan Clegg
Security Admin (NetSec) wrote: Sunday night brain fart. Having trouble configuring a hosts files. I receive an “ns1 named[27823]: zone prana.us/IN/external: loading from master file pranaustwc.hosts failed: unknown class/type” error. ORIGIN . Missing $ from $ORIGIN

Re: DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-16 Thread Alan Clegg
Gary Wallis wrote: [other stuff snipped out] Regarding my main question: How to delegate signing authority from parent yourdomain.com to child ns1.yourdomain.com. Insert the DS records from the child into the parent and re-sign the parent. I still have to setup a DNSSEC resolver to be

Re: PTR format question

2010-03-20 Thread Alan Clegg
groups wrote: In the process of cleaning up a much neglected PTR file Bind: 9.6.2.1 OS: CentOS 5.4 Current PTR in this format: (1 tab between entries) $ORIGIN 58.172.in-addr.arpa. $ORIGIN 0.58.172.in-addr.arpa. 11 PTR nat-172-58-0-11.example.com. 12 PTR

Re: Error fetching SOA

2010-03-21 Thread Alan Clegg
michael peters wrote: Is it a problem to get a message from a DNS checking tool that indicates Error fetching SOA from ns1.example.com? Both of my external BIND 9.6.1 servers respond the same way and I'm assuming that I need to add something to my configuration. We know

Re: Error fetching SOA from

2010-03-21 Thread Alan Clegg
michael peters wrote: castor.lazarusalliance.com [71.12.99.115], request timed out. Probably DNS server is offline. pollux.lazarusalliance.com [71.12.99.116], request timed out. Probably DNS server is offline. Neither of these servers respond to queries. acl...@yellow:~$ dig

Re: Advertizing a new domain on my existing Authoritative DNS server

2010-03-26 Thread Alan Clegg
Lear, Karen (Evolver) wrote: I’m running 9.6.1-P3 on RHEL4. Advertising example.com and now have been asked to advertise a new domain newexample.com (not a subdomain). What is the best way to go about this? create new zone file add zone entry to named.conf rndc reconfig (I assume that the

Re: Load Balancer for DNS

2010-04-05 Thread Alan Clegg
On 4/5/2010 2:06 AM, sasa sasa wrote: Hello everyone, Any one used any load balancer for DNSs? any recommendation? it's 2 caching-only DNSs, and I'd like to make a load balance between them using software. I would recommend that before adding

Re: rndc reload allow-update

2010-04-12 Thread Alan Clegg
On 4/12/2010 7:25 AM, aihua zhang wrote: hi all, I found that if your zone in named.conf sets the statement allow-update { any; }; then when you use rndc reload, any modifications will not happen. How can I figure it out? thx You can only modify dynamic zones in two ways: 1) dynamic updates (using

Re: DNSSEC and ISAKMP?

2010-04-16 Thread Alan Clegg
On 4/16/2010 9:49 AM, Deny IP Any Any wrote: Do I need to allow UDP/500 packets (ISAKMP) to my bind DNS servers for DNSSEC? I've been seeing a lot of UDP/500 attempts from the general internet to my public DNS servers, and can't figure out why. The Wikipedia page for DNSSEC doesn't mention

Re: DNSSEC and ISAKMP?

2010-04-16 Thread Alan Clegg
On 4/16/2010 4:03 PM, Roy Badami wrote: DNSSEC and ISAKMP are not related. Well, that's no longer entirely true... AIUI Microsoft seem to have decided that in their DNSSEC implementation they will use IPsec (and hence IKE with GSS-API) to secure communications from the client to the

Re: INSIST failed in memcluster.c with message memcluster.c:436: INSIST(stats[size].gets != 0U) failed.

2010-04-29 Thread Alan Clegg
On 4/29/2010 7:37 PM, Almond d wrote: I am using bind-9.3.1. [[..]] Can anybody please tell me what is the solution to this problem? Yes. Upgrade. AlanC

Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-03 Thread Alan Clegg
On 5/3/2010 4:36 PM, Lightner, Jeff wrote: It sounds as if he read an article saying we have to implement DNSSEC on our DNS servers or we'll quit working on 5/5? Is that the case? Also what is the drop dead date/time if so? 5/5 Midnight UTC? Some other time? You don't need to do

Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-05 Thread Alan Clegg
On 5/5/2010 1:32 PM, Lightner, Jeff wrote: 8:30 EDT 05/05/2010 and the world hasn't ended here yet. We can celebrate Cinco de Mayo in peace. If only I didn't detest tequila. Side note: I've actually been to Puebla Mexico which is where the battle that Cinco de Mayo commemorates took

Re: KAMINSKY vulnerability !!

2010-05-10 Thread Alan Clegg
On 5/10/2010 10:19 AM, P.A wrote: Primary server: BIND 9.4.3b2 Continue your upgrade process to a version of BIND that is supported. :) http://www.isc.org/software/bind/versions AlanC

Re: add a record into signed zone

2010-05-13 Thread Alan Clegg
On 5/13/2010 6:18 AM, rams wrote: As you said I tried with nsupdate but unable to add a record into signed zone. It is giving SERVFAIL. Do we need to send any special value? Were you able to insert using nsupdate BEFORE you signed the zone? I'd take a look at logging to start debugging this.

Re: How to resign a signed zone

2010-05-27 Thread Alan Clegg
On 5/27/2010 1:43 AM, rams wrote: How do we resign the signed zone? What is the command to do the RESIGNING ? Run dnssec-signzone on the signed zone file. I recommend that you: mv example.com.signed example.com vi example.com dnssec-signzone example.com rndc reload example.com Note

Re: How to resign a signed zone

2010-05-27 Thread Alan Clegg
On 5/27/2010 6:36 AM, Alan Clegg wrote: On 5/27/2010 1:43 AM, rams wrote: How do we resign the signed zone? What is the command to do the RESIGNING ? Run dnssec-signzone on the signed zone file. I recommend that you: But, of course my PRIMARY recommendation would be to make the zone

Re: disable dnssec in bind resolver

2010-06-04 Thread Alan Clegg
On 6/4/2010 1:52 PM, R. Kevin Oberman wrote: First, dns-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'. No, it isn't. The only reason that dnssec-validation appears off is that without trust anchors, it doesn't do anything. Insert a

Re: how to resign a zone

2010-06-07 Thread Alan Clegg
On 6/6/2010 11:28 PM, rams wrote: Hi, How to resign a zone? Make it dynamic, allow BIND to have access to the keys and you don't have to do anything manually. If you don't have (or want to use) that option, you need to run dnssec-signzone on the signed data (to refresh existing signatures)

Re: bind-users Digest, Vol 538, Issue 1

2010-06-07 Thread Alan Clegg
On 6/7/2010 9:21 AM, rams wrote: When we resign using dnssec-signzone -o <zone name> -f <new zone file name> <signed zone file>, we don't get SOA incremented. In general AXFR looks for SOA comparison to reload zone file. In this case how will AXFR happen? You probably want to use -N increment.
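
The three re-signing posts above (rndc reload after dnssec-signzone, the "make it dynamic" recommendation, and -N increment) all hinge on the SOA serial: a slave compares serials with the RFC 1982 wrap-around rule and only pulls the zone when the new one is "greater", so a freshly signed file with the old serial is invisible to it. dnssec-signzone's -N increment and -N unixtime options do this bump for you; the code below is an added example of mine, not ISC's, that implements the same two policies and the comparison, so you can check a serial plan (for example a switch from date-based YYYYMMDDnn serials to unixtime) before touching a live zone. The zone text is constructed; the "skip 0 after wrap" rule is my understanding of how BIND's own serial update behaves, stated here as an assumption:

```python
import re
import time

MOD = 1 << 32  # serials are 32-bit unsigned (RFC 1982)


def serial_increment(serial):
    """'increment' policy: add one modulo 2^32. Skipping 0 after a wrap is an
    assumption about BIND's behaviour (0 is not a useful serial for slaves)."""
    nxt = (serial + 1) % MOD
    return nxt if nxt != 0 else 1


def serial_unixtime(now=None):
    """'unixtime' policy: seconds since the epoch. Monotonic as long as you do
    not sign more than once per second and the old serial is not already
    ahead of the clock (date-based 20xx serials are)."""
    return int(time.time() if now is None else now) % MOD


def serial_gt(a, b):
    """RFC 1982 comparison: is a newer than b, allowing for wrap-around?"""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > MOD // 2) or (a > b and a - b < MOD // 2)


# The serial is the first number after the two SOA names; an optional '('
# and newlines are tolerated so the multi-line layout works too.
SOA_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")


def bump_zone_serial(zone_text, method="increment", now=None):
    """Return (new_zone_text, old_serial, new_serial) with the SOA serial
    replaced according to `method`. Refuses a unixtime serial that would not
    be newer than the current one, which is the case this thread hit."""
    m = SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA record found")
    old = int(m.group(2))
    if method == "increment":
        new = serial_increment(old)
    elif method == "unixtime":
        new = serial_unixtime(now)
        if not serial_gt(new, old):
            raise ValueError("unixtime serial %d is not newer than %d" % (new, old))
    else:
        raise ValueError("unknown method %r" % method)
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new


# Constructed zone fragment in the common multi-line SOA layout.
ZONE = """$TTL 3600
@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2009123199 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; minimum
    IN  NS  ns1.example.com.
www IN  A   192.0.2.1
"""

if __name__ == "__main__":
    text, old, new = bump_zone_serial(ZONE)
    print("serial %d -> %d" % (old, new))
    print(text)
```

The check in the unixtime branch is the one that bites in practice: a zone carrying a 2009-style serial (2009123199) is numerically far ahead of the epoch clock (about 1.27e9 in 2010), so switching policies without first stepping the serial past the current time leaves every slave stuck on the old copy.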

Re: Nsupdate -l not using session.key

2010-06-30 Thread Alan Clegg
On 6/30/2010 11:13 AM, Kalman Feher wrote: While testing bind 9.7.1 features including automated signing and update-policy local. I encountered some strange behaviour using nsupdate -l. When using nsupdate -l I was not able to update the zone in question and the following error was

Re: Can I start multiple processes(named) in a server?

2010-07-01 Thread Alan Clegg
On 7/1/2010 4:21 AM, ShanyiWan wrote: Multiple processes (named): Can I start multiple named processes on a server, with each process providing service normally? I saw information about that on the internet (I think this may be wrong). How can I maximize the ability of concurrent

Re: Help me- Bind9.71 service not start on Windows XP

2010-07-06 Thread Alan Clegg
On 7/5/2010 2:56 AM, Alans wrote: BE CAREFUL: my antivirus detects certain .png files on that website as potential viruses, please don't open it in the browser. The Website is: [...] Again, be careful. Due to two replies to un-related threads with this, I've removed the user from the list.

Re: Split view - differing SOA serial number

2010-07-08 Thread Alan Clegg
On 7/8/2010 7:26 AM, John Horne wrote: However, when checking the SOA serial number of our reverse zone we are seeing different values depending on whether we are inside or outside of the campus. This zone is maintained internally by MS Windows servers, and so our main servers (141.163.1.250

Re: Split view - differing SOA serial number

2010-07-08 Thread Alan Clegg
On 7/8/2010 7:58 AM, John Horne wrote: You need to specify different file locations for each of the slaved zones (even if the data is the same) in each view. Okay, but why? As said this generally works, it just seems a bit out of step between the views. Because BIND won't do what you are

Re: Does bind send email?

2010-07-09 Thread Alan Clegg
On 7/9/2010 4:57 AM, Chiesa Stefano wrote: 27/05/2010 17.06.32 1094 C:\bind\bin\named.exe Protezione antivirus standard:Impedisci a worm distribuiti tramite mass-mailing di inviare messaggi 93.49.247.253:25 (translated from italian: Prevent mass mailing worms from sending mail).

Here's trouble -- Was: [Does bind send email?]

2010-07-09 Thread Alan Clegg
2010 12:18:07 +0100 From: tomasz dereszynski toma...@paraklet.net To: Alan Clegg acl...@isc.org CC: bind-users@lists.isc.org On 7/9/2010 4:57 AM, Chiesa Stefano wrote: 27/05/2010 17.06.32 1094 C:\bind\bin\named.exe Protezione antivirus standard:Impedisci a worm distribuiti tramite mass

Re: Here's trouble -- Was: [Does bind send email?]

2010-07-09 Thread Alan Clegg
On 7/9/2010 7:25 AM, Alan Clegg wrote: For those of you that don't follow bind-users closely, this is a bit of troubling news. I'm not surprised that a bad guy would masquerade his malware as BIND, but to actually see it documented is sad. [this was supposed to go to an internal list

Re: newb alert: how to make v4 and v6 A records resolve to same website

2010-07-14 Thread Alan Clegg
On 7/14/2010 4:47 PM, Bill Buhlman wrote: I am just now playing with IPv6 and wondering about how to make an IPv6 record resolve to the same website as the IPv4 A record. Probably a simple thing but how? Assign the AAAA to the IPv6 address of the given host... ie:

Re: Signed root - missing RRSIG for delegation?

2010-07-16 Thread Alan Clegg
On 7/16/2010 6:25 AM, Niobos wrote: It's probably just my lack of knowledge, but there seems to be a missing RRSIG in the root zone. I try to securely resolve example.net. I obviously get a delegation returned (dig output below), but I can't seem to validate that delegation. The delegation

Re: Signed root - missing RRSIG for delegation?

2010-07-16 Thread Alan Clegg
On 7/16/2010 6:36 AM, Alan Clegg wrote: On 7/16/2010 6:25 AM, Niobos wrote: It's probably just my lack of knowledge, but there seems to be a missing RRSIG in the root zone. I try to securely resolve example.net. I obviously get a delegation returned (dig output below), but I can't seem

Re: Signed root - missing RRSIG for delegation?

2010-07-16 Thread Alan Clegg
On 7/16/2010 7:42 AM, Niobos wrote: On 2010-07-16 12:36, Alan Clegg wrote: .net isn't signed, and you don't sign out-of-zone data (glue and delegation NS records). But org. is signed, and gives the same result. .org does not have a DS record in the root yet. This is an example of a broken

Re: root-anchor.xml anchors.xml in Bind

2010-07-17 Thread Alan Clegg
On 7/17/2010 9:49 AM, Lyle Giese wrote: What is the difference between managed-keys and trusted-keys? Managed keys automatically watch for RFC-5011 roll over and update when new keys are made available. Trusted keys are manually managed and will cause you to have problems if you forget to

Re: IPv6 Records on an IPv4 Network

2010-07-22 Thread Alan Clegg
On 7/22/2010 8:33 AM, Phil Mayers wrote: only IPv4 interface is enabled. If I put the option filter-aaaa-on-v4 {yes;};, will my DNS reject the queries? This option breaks DNSSEC. Actually, it doesn't. If the DO bit is set in the query, the default behavior (I'll let you dig to find

Re: reject or drop AAAA queries

2010-07-22 Thread Alan Clegg
On 7/22/2010 8:42 PM, Rock July wrote: This is my current setup right now and the reason why I want to reject or drop the queries; PC Clients: XP, Vista and 7 (Vista and 7 clients are sending both A and AAAA queries) send queries to DNS A. DNS A: will just forward the query to My DNS

Re: Dynamically add zones

2010-07-28 Thread Alan Clegg
On 7/28/2010 10:41 PM, Mike Flathers wrote: Is there a patch for bind 9 to add new zones dynamically without having to run rndc reconfig? The server stops answering queries when reconfig is loading in the new config as the config grows this timeout increases. I haven't hit the source code

Re: Dynamically add zones

2010-07-29 Thread Alan Clegg
On 7/29/2010 7:19 PM, Dan Durrer wrote: Alan, I was playing around with your example. I can get it to add the zone ( that is no rndc errors or syslog messages). I see it send notifies for the new zone in my log. 29-Jul-2010 23:06:47.063 notify: info: zone exampledomain.com/IN: sending

Re: Dynamically add zones

2010-07-29 Thread Alan Clegg
On 7/29/2010 5:38 PM, Jack Tavares wrote: Will this functionality be available through an api? Or will it just be through rndc ? Not sure what API we would use beyond rndc. If you have recommendations, please e-mail me directly or give me a phone call (+1-919-355-885) and let's talk about

Re: Odd query issue

2010-08-02 Thread Alan Clegg
On 8/2/2010 10:17 AM, Atkins, Brian (GD/VA-NSOC) wrote: Any ideas to point me in the right direction? What do the log files show surrounding the query? AlanC

Re: RRSIG for glue records

2010-08-04 Thread Alan Clegg
On 8/4/2010 2:58 AM, rams wrote: I have delegated NS records and those records pointed to A records in signed zone. When I queried for my delegated domain against bind 9.6-p3. Bind is returning NS records and RRSIG for NS in authority section correctly. Glue records are returned correctly

Re: differences between version

2010-08-13 Thread Alan Clegg
On 8/13/2010 8:01 AM, Ram Akuka wrote: hi, I want to know what the differences are between BIND 9 versions (especially between 9.4 and 9.5/6/7); where can I find a table that describes them? I tried to google it but I didn't find anything useful. In the source directory, you will find the

Re: dnssec questions

2010-08-27 Thread Alan Clegg
On 8/27/2010 11:42 AM, CT wrote: Per my isc class and the book I received by Jeremy C. Reid .. you still need to include your keys in the zone file either via $include dir/KSK $include dir/ZSK1 $include dir/ZSK2 or (cat *.key allkeys) which is what I have done.. $include dir/allkeys
