Re: AW: Correlation between NOTIFY-Source and AXFR-Source

2023-03-10 Thread Anand Buddhdev
On 09/03/2023 21:25, Klaus Darilion via bind-users wrote: [snip] PS: Latest PowerDNS tries the NOTIFY source first. Maybe someone knows how Knot and NSD behave? Knot DNS only tries to refresh from primaries that sent the NOTIFY. It doesn't even try the other configured primaries. However, if i

Re: Fully automated DNSSEC with BIND 9.16

2023-04-13 Thread Anand Buddhdev
On 13/04/2023 17:17, David Carvalho via bind-users wrote: Hi David, Hello and thanks for the reply. I enabled this repo in Oracle Linux 8 with: dnf copr enable isc/bind Then I tried to install (dnf install isc-bind) but I got: Error: Problem: package isc-bind-1:2-3.el8.x86_64 requires isc-b

Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-09 Thread Anand Buddhdev
On 09/05/2023 22:23, Pacific wrote: Hi Pacific, Installing bind9 (9.18.14) on macOS Ventura (13.3.1) — install is not creating a namedb directory nor can I find a boilerplate named.conf. As far as I remember, the bind install procedure doesn't create a named.conf. -- Anand -- Visit https://li

Re: Controlling which interface named uses

2023-06-09 Thread Anand Buddhdev
On 09/06/2023 17:26, Alessandro Vesely wrote: Hi Alessandro, Hi, I have two WANs.  As a leftover from the times when I had no IPv6 address, I was running named with -4 option.  I just removed it a couple of minutes ago. However, I still have IPv4 precedence in gai.conf: precedence  ::1/128 

Re: Master file permission denied

2023-06-28 Thread Anand Buddhdev
On 28/06/2023 20:44, Daniel Armando Rodriguez via bind-users wrote: Hi Daniel, [snip] # ls -alh /etc/bind/zonas/ drw-r-S--- 2 bind bind 4,0K jun 28 14:55 . drwxr-sr-x 3 root bind 4,0K jun 28 15:06 .. -rwxr-xr-- 1 bind bind  323 ene 16 10:59 133.45.210.170.in-addr.arpa -rwxr-xr-- 1 bind bind  3

Re: Master file permission denied

2023-06-29 Thread Anand Buddhdev
On 29/06/2023 14:13, Daniel Armando Rodriguez via bind-users wrote: [snip] Error is not the same as before, I see it now (fresh eyes maybe) Jun 29 08:42:37 web kernel: [5679658.761672] audit: type=1400 audit(1688038957.685:548): apparmor="DENIED" operation="mknod" profile="named" name="/etc

Intent and implementation of dig's +crypto option

2023-09-22 Thread Anand Buddhdev
similar records could also be suppressed, but dig currently doesn't. Do you think that dig should be adjusted to suppress cryptographic material from other records such as TLSA, SSHFP, CDNSKEY, CDS, etc, and the man page updated to reflect this? Regards, Anand Buddhdev -- Visit https://

Re: Intent and implementation of dig's +crypto option

2023-09-22 Thread Anand Buddhdev
On 22/09/2023 15:03, Marco Davids (SIDN) via bind-users wrote: Hi Marco, It reminded me that there is such a thing as a .digrc file, that perhaps not all of the readers are familiar with. Mine has this content: +bufsize=1232 +dnssec +nocrypto +multi -t It serves me well, mostly. Som

Re: assertion error while querying?

2023-12-26 Thread Anand Buddhdev
On 25/12/2023 02:56, Francisco Obispo via bind-users wrote: Hi Francisco, [snip] fobispo@mail:~$ host -4 -C id.iq id.iq has no SOA record Nameserver 64.96.1.1: id.iq has SOA record ns.tucowsregistry.net. ops.tucowsregistry.net. 1703469021 1800 900 604800 86400 Nameserver 64.96.2.1:    

Re: dnssec-key 'unknown algorithm RSASHA512'

2024-01-11 Thread Anand Buddhdev
On 11/01/2024 12:58, trgapp16 via bind-users wrote: Hi Mounika, [snip] -->With help of the private key i generated one file with name "named.conf.tsigkeys" at /etc/bind - root@dhcpt:/etc/bind# cat named.conf.tsigkeys key "my-tsig" { algorithm "ECDSAP256SHA256"; secret "ESkrVALONh

Re: tsig key not found

2024-01-17 Thread Anand Buddhdev
s to hmac-md5 (documented in the nsupdate man page). Regards, Anand Buddhdev RIPE NCC -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ f

Re: Update to 9.18 failed due to libuv

2024-03-04 Thread Anand Buddhdev
On 04/03/2024 13:56, Jiaming Zhang wrote: Hi Jiaming, Recently I was trying to upgrade bind from 9.16 to 9.18. However, running `./configure` return an error stating the `libuv` was not found. I have this library installed (version 1.41.1) via dnf, and can find it using `rpm -ql` which s

Re: Update to 9.18 failed due to libuv

2024-03-04 Thread Anand Buddhdev
On 04/03/2024 14:06, Jiaming Zhang wrote: Then I should download the source, there's no devel package for this one in the repo. That's not necessary. Oracle Linux keeps many of the -devel packages in its "codeready_builder" repository, which is not enabled by default. As root, you need to r

Re: Crafting a NOTIFY message from the command line?

2024-03-19 Thread Anand Buddhdev
Hi John, You can try something like: dig +norec +opcode=notify soa @server Regards, Anand On 19/03/2024 22:24, John Thurston wrote: I can use dig to request a zone transfer: dig AXFR foo.com I am unable to find a simple way to craft a NOTIFY message. Can anyone help me out?

Re: Secure Active Directory Updates Failing on AlmaLinux 9 with ISC BIND 9.18.28

2024-08-08 Thread Anand Buddhdev
Your logs show error messages about missing Kerberos credentials files. Did you notice and investigate those errors, and compare the state with your CentOS 7 system? On 08/08/2024 14:23, Nagesh Thati wrote: Hello Guys, Any help is much appreciated. Thanks Nagesh

Re: Lookup failures

2024-09-13 Thread Anand Buddhdev
On 13/09/2024 16:14, Steven Shockley wrote: Is there a way to tell BIND to listen (and respond) on a specific interface?  I already have listen-on { 10.0.0.1; }; (vlan101 IP) in the config with nothing else listening. BIND will send the response with a source address of 10.0.0.1, and it hand

Re: Query Regarding AKAMAI Working Model

2012-02-17 Thread Anand Buddhdev
On 17/02/2012 20:15, Gaurav kansal wrote: Gaurav, > I want to know how AKAMAI works First of all, don't use so many question marks; one is enough. And use it only if you're actually asking a question, not when stating something. > May be this is not the right forum to ask but I am asking th

Re: purpose of the RIR(for example RIPE) "domain:" object

2012-03-15 Thread Anand Buddhdev
kes the nserver: lines from them, and inserts the records into the appropriate parent zones. Therefore domain objects are not merely informational; they are necessary. Regards, Anand Buddhdev RIPE NCC

Re: "rndc reconfig" vs. "rndc reload"

2012-03-16 Thread Anand Buddhdev
or them when they are first added to the configuration. Regards, Anand Buddhdev RIPE NCC

Re: zone transfer with DIG: SOA duplicate

2012-03-19 Thread Anand Buddhdev
On 19/03/2012 18:49, hugo hugoo wrote: > thanks for this quick answer. > I am a little bit lost... > > What is the starting and ending SOA record? > > In the original zone, there is only one SOA record... The SOA record at the end signals the end of the zone transfer. Regards, Anand

Re: Name Resolution issue with one domain

2012-03-19 Thread Anand Buddhdev
stion doesn't provide any useful information for anyone to even begin guessing at the problem. First of all, learn how to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html Next, try looking at the logs of your BIND server; perhaps it has logged the re

Re: Name Resolution issue with one domain

2012-03-21 Thread Anand Buddhdev
On 21/03/2012 09:41, Matus UHLAR - fantomas wrote: > maybe the admin set that up to force local servers using random ports, > instead of 53, for outgoing requests. Nobody should use port 53 for > _outgoing_ requests. You're wrong. A name server can use any source port from 1 up to 65535 for an ou

Re: A large number of "ANY" query type queries

2012-03-28 Thread Anand Buddhdev
block it, the victim will not be able to > talk to your name servers. As Stéphane says, do not block the address. It's probably better to rate-limit the address. You can do that on your server with iptables (Linux) or ipfw (*BSD) or on your router. Rega

Re: query issue

2012-03-29 Thread Anand Buddhdev
ve any firewalls or router ACLs blocking DNS back to IPv6 addresses in your network? I also note that kingstonmass.org has delegation to 2 name servers in the ORG zone, but 3 name servers at its apex. The additional name server, mns01.domaincontrol.com, gives a REFUSED response to a query for the do

Re: journal rollforward failed: journal out of sync with zone

2012-04-12 Thread Anand Buddhdev
no journal. Both your servers should be setup as masters in this case. Journals are normally created only when a zone is a slave, or receives dynamic updates. Can you show us the configuration of this zone on both servers? Anand Buddhdev RIPE NCC

Re: Question

2012-04-12 Thread Anand Buddhdev
Hi Dustin, "allow-query { localhost; }" limits queries to localhost. You need to add your users' network(s) to that ACL. On 13/04/2012 00:38, Dustin Moon wrote: > Any Reason people could see why this config would not allow remote > systems that can ping this server to do lookups on it? > > > /

Re: Convice Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread Anand Buddhdev
set of the given range ( > 10.0.0.2 for example ), yet when I configure that IP: > > listen-on { 10.0.0.2; }; > > Bind won't listen on that interface: > > "named[15035]: not listening on any interfaces" That

Re: dynamic update to SOA records

2012-05-01 Thread Anand Buddhdev
iple updates arrive within the same second, then BIND just adds +1 to the existing serial number, so that for brief periods, the unix time will be in the "future". However, as time advances, the serial number will soon be in the past, allowing new updates to set the serial back to curr

Re:

2012-05-07 Thread Anand Buddhdev
CNAME chain from server B back to A to look up records in titi.be. Regards, Anand Buddhdev RIPE NCC

Re: DNSSEC

2012-05-10 Thread Anand Buddhdev
On 10/05/2012 17:20, Daniel Ryšlink wrote: > What's the point of DNSSec when resolver administrators configure > exceptions on regular basis? If you can't be sure when your resolver > does or does not validate, why having signed zones in the first place? > It's just seems to be another "shared ill

Re: TSIG KEY per slave

2012-05-16 Thread Anand Buddhdev
On 16/05/2012 21:52, Saif Ahmed wrote: > Hi, > > We have multiple slaves serve our zone, > > Is it possible to configure different TSIG key for each slave to allow AXFR > our zones. > > anyone could advise if yes and how to configure it. Hi Saif, You can use something like this in your co

Re: Upstart job for BIND9

2012-12-04 Thread Anand Buddhdev
named >/dev/null 2>&1 || true > end script > > exec /usr/sbin/named -u bind Replace this with "exec /usr/sbin/named -f -u bind" > pre-stop exec rndc stop -p > > post-stop exec logger -p user.warning -t upstart-bind "bind stopped" > > e

Re: MAcOS X 10.9 upgrade removes BIND

2013-10-26 Thread Anand Buddhdev
On 26/10/2013 00:53, Michael Sinatra wrote: > I usually maintain the latest BIND on my Mac using MacPorts. It looks > like you can still do that on Mavericks, but there is some work > (http://www.ghostwheel.com/merlin/Personal/notes/2013/10/05/macports-on-mavericks/) > you have to do--MacPorts doesn

port number in address_match_list_element

2014-03-22 Thread Anand Buddhdev
Hi people, I'm using BIND 9.9.5 with views. In one of my views, I have something like this: view name { match-destinations { 192.0.2.1; }; If I have a "listen-on port 65353 { 192.0.2.1; };" statement in the options section, can I also get BIND to direct queries into this view bas

Re: GeoIP Patch for 9.9.5

2014-04-30 Thread Anand Buddhdev
On 30/04/2014 22:14, Ali Jawad wrote: > Hi All > > I did compile latest stable 9.9.5 on Centos 6 and it worked just fine. What > I need to do now is enable the geo ip patch. I have done it before for > earlier versions, however for the latest Bind release the available patch > is failing. And 9.

Re: TSIG afxr failed while receiving responses: REFUSED

2014-05-25 Thread Anand Buddhdev
On 25/05/2014 16:58, micah wrote: > zone "example.net" { > type master; > allow-transfer { key tsig.key.; }; Here's your mistake. You've written tsig.key, whereas your key is called tsig-key. Those names don't match. > also-notify { ip.address.here.x; }; > file "/

Re: TSIG afxr failed while receiving responses: REFUSED

2014-05-26 Thread Anand Buddhdev
On 26/05/2014 01:53, Mark Andrews wrote: Hi Mark, > Actually that isn't the mistake as they are both run through > dns_name_fromtext which will normalise them before comparison. I didn't know that. Does this mean that dots and dashes are equivalent or irrelevant in tsig key names? Regards, Anan

Re: Using a DynDNS hostname in master-statement for a bind slave?

2014-06-28 Thread Anand Buddhdev
On 28/06/2014 10:38, Johannes Kastl wrote: > Another idea I had was using stunnel to tunnel just one port from > the home lan to the vserver. But I would need to tell bind to only > use TCP, as stunnel is only able to handle TCP. > > Can I tell bind to only use TCP for zone transfers? Hmm, I'll g

Re: slave zone files unreadable

2014-07-09 Thread Anand Buddhdev
On 09/07/2014 13:21, Reindl Harald wrote: > dunno, but i prefer text-format anyways > > * masterfile-format text; * delete the zone file on the slave * > restart the slave Plain text zone files are fine if you have a small number of zones, or small zones. But for servers with large numbers of zo

Re: Root servers

2014-08-16 Thread Anand Buddhdev
On 16/08/2014 04:55, Bill Christensen wrote: > Interesting. I'm running BIND 9.10.0-P2. Apparently the package system > I'm using (MacPorts) isn't updating the root servers file though. > > I'll report the problem there. Meantime, I'll download the recent one > and see if that makes a differen

Parsing dig output consistently

2014-09-17 Thread Anand Buddhdev
Hello people, I've been trying to figure out how to use dig in a shell script to send a bunch of queries, and then parse the output with awk. I have a file called "myzones" containing the zones I want to query: example.com example.org example.net If I run: dig @server -t soa +norec +noall +ques

Re: Parsing dig output consistently

2014-09-17 Thread Anand Buddhdev
On 17/09/2014 13:57, Mark Andrews wrote: Hi Mark, > awk '$5 == "status:" { rcode = $6 } $3 == "SOA" { print $1, rcode }' So with "+noall +comments +question" and this bit of awk, I can get a pretty list containing ";zone RCODE," pairs :) Thanks! Anand

Size of libdns between 9.10.0 and 9.10.1

2014-09-24 Thread Anand Buddhdev
Hi BIND developers, I've just downloaded and built BIND 9.10.1, and I noticed something. The size of the generated libdns.so.146.0.2 file is 2046056 bytes. In my previous build of 9.10.0-P2, the size of libdns.so.142.2.2 is 6658892. That's a massive reduction in size. Did you guys suddenly delete

Re: Size of libdns between 9.10.0 and 9.10.1

2014-09-24 Thread Anand Buddhdev
On 24/09/2014 17:56, Evan Hunt wrote: > On Wed, Sep 24, 2014 at 09:23:51AM +0200, Anand Buddhdev wrote: >> I've just downloaded and built BIND 9.10.1, and I noticed something. The >> size of the generated libdns.so.146.0.2 file is 2046056 bytes. In my >> previous build

Re: AXFR root zone

2014-09-28 Thread Anand Buddhdev
't (?) Speaking as the operator of K-root, I can confirm that K allows zone transfers. That's why this query works. Regards, Anand Buddhdev RIPE NCC

Re: AXFR root zone

2014-09-28 Thread Anand Buddhdev
-servers.net"? Or is there a better choice for > the long term? If you wanted your script to be robust, then you would program it with the names of all 13 root name servers, and have it try the zone transfers from a random server each time, and trying another one in case of failure. H

Re: FYI: adobe.com GSLB DNS servers choking on "nsid"

2015-01-13 Thread Anand Buddhdev
they don't understand, so it's the same with the EXPIRE and SUBNET options as well. Regards, Anand Buddhdev RIPE NCC

Re: Swedish and Danish "ö" conflicts with eachother

2015-01-22 Thread Anand Buddhdev
On 22/01/15 23:30, Tommy Borginger wrote: Hi Tommy, > We get the following error during start of bind. The problem we > suspect is that the machine or bind thinks the Danish and Swedish letter > "ö" is the same. > > This is the error showing up in syslog: > > loading configuration from '/etc/bi

Re: Reload a single view

2015-01-23 Thread Anand Buddhdev
On 23/01/15 14:34, Job wrote: > Hello, > > is there a way to reload a single VIEW (not a zone, but a view), for > example when i change the match-clients directive? > > I notice that, on huge load servers, issuing "rndc reload" is very > heavy for the machine. reload is heavy because it tries t

Why log a failed transfer successfully?

2015-04-02 Thread Anand Buddhdev
I'm parsing BIND logs to extract the XFR size in bytes of a zone, and was just bitten by this sequence: 02-Apr-2015 04:27:10.393 xfer-in: transfer of './IN' from 2001:67c:2e8:5::c100:c6#53: failed to connect: timed out 02-Apr-2015 04:27:10.393 xfer-in: transfer of './IN' from 2001:67c:2e8:5::c100:

Re: DNS anycast node monitor

2015-04-09 Thread Anand Buddhdev
r start services under certain condition. I don't have all the URLs handy, but I'm sure you can search for all these things. Regards, Anand Buddhdev RIPE NCC

Confusion about "try-tcp-refresh"

2015-04-20 Thread Anand Buddhdev
in the global "options" area? Finally, why is this setting defaulting to "yes"? If it's for BIND8 compatibility, isn't it time it defaulted to "no"? Regards, Anand Buddhdev RIPE NCC

Re: EDNS and fallback

2015-05-14 Thread Anand Buddhdev
On 14/05/15 22:02, Bischof, Ralph F. (MSFC-IS40)[NICS] wrote: Hi Ralf, > symptoms I am seeing is that a dig command sends out several queries > with EDNS and bufsize of 4096. The server on the other side of this I think this is the pertinent point. You're testing with dig, but dig doesn't fallba

Slave zone refresh logic

2015-06-08 Thread Anand Buddhdev
how to debug zone transfer failures, and perhaps also tune BIND for more resiliency in the face of poorly configured master servers. Regards, Anand Buddhdev RIPE NCC

Re: Automatic . NS queries from BIND

2015-06-17 Thread Anand Buddhdev
ide a hints file. BIND's built-in list is updated by ISC whenever root name server addresses change, or when IPv6 addresses are added, for example. This makes your configuration a bit simpler, and you don't have to care about keeping your hints file up to date. Regards

Re: Automatic . NS queries from BIND

2015-06-17 Thread Anand Buddhdev
On 17/06/15 15:00, Matus UHLAR - fantomas wrote: Hi Matus, > well, the hard-coded hints file changes whenever new BIND release gets out, > while the bungled hints file may be updated by packagers or manually. > > I'd say that the bundled hints file is likely to be newer than the > hard-coded one

Zone refresh error: refresh: retry limit for master a.b.c.d#53 exceeded

2015-07-13 Thread Anand Buddhdev
ly. So what could cause these SOA lookup failures in BIND on one server, but not another? Could the developers tell me how BIND does SOA queries over UDP, and is there any way to mimic this with dig? Regards, Anand Buddhdev RIPE NCC

Re: Zone refresh error: refresh: retry limit for master a.b.c.d#53 exceeded

2015-07-13 Thread Anand Buddhdev
On 13/07/15 21:31, Anand Buddhdev wrote: > So what could cause these SOA lookup failures in BIND on one server, but > not another? Could the developers tell me how BIND does SOA queries over > UDP, and is there any way to mimic this with dig? Oops. I just noticed Cathy Almond's res

Re: tsig indicates error

2015-07-27 Thread Anand Buddhdev
On 24/07/15 17:52, Mark Elkins wrote: > TSIG is a step towards better security. Rather learn how to use it than > go backwards. I see TSIG as a step towards DNSSEC... I also agree with this principle. At the RIPE NCC we've been trying to get all the operators we provide secondary for to use TSIG.

Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure

2015-08-03 Thread Anand Buddhdev
On 03/08/15 16:50, Heiko Richter wrote: Hi Heiko, > Why use the "file" option at all on a slave? If you don't use the "file" option on a slave, then BIND does not write the zone to disk. This is okay for a small number of small zones. But if you have many zones, or they are large, then you usual

Re: how to compile bind 9.10 with --with-libjson option

2015-08-09 Thread Anand Buddhdev
On 09/08/15 02:31, Leandro wrote: Hi Leandro, > but after install > yum install json-c > it still complains about : > checking for json library... configure: error: include/json{,-c}/json.h > not found. yum install json-c-devel Regards, Anand

Re: Question about name resolution.

2015-10-26 Thread Anand Buddhdev
On 26/10/15 13:50, Bhangui, Sandeep - BLS CTR wrote: Hi Sandeep, > At this point I am not clear whether this is an issue with our > Internal Network or something beyond our control. First question: have you looked at the BIND logs on your internal resolvers? > A. The following link works fine f

Re: Problem-In-TranferingZone

2015-12-06 Thread Anand Buddhdev
On 06/12/15 06:59, Ejaz wrote: Hi Ejaz, > I have implemented new slave server and wanted to get all the 2000 zones > from primary/master server to the new slave one. But zone file some time > comes with empty records and sometimes appears as below, Any idea Would be > highly appreciated. You

Re: putting several master DNS hosts behind a vip

2015-12-10 Thread Anand Buddhdev
On 10/12/15 00:32, blrmaani wrote: Hi Blr, > I would like to put 4 DNS masters behind a vip and have several > slaves doing the zone transfer from the VIP-IP. Is this normal? > > The usual approach is to have slaves getting zone transfers from > multiple masters. What is the disadvantage of havi

Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Anand Buddhdev
On 23/03/16 14:51, Tony Finch wrote: >> With systemd the methodology isn't that BIND notifies other things that >> it is up. It is that other things, if dependent upon BIND, have in >> their systemd files a requirement that BIND be up before they start. > > Yes, but how does systemd know when BI

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-24 Thread Anand Buddhdev
On 24/04/16 21:04, jaso...@mail-central.com wrote: Hey Jason, > checking with dig, it's NOT in 'TXT' where I expected it > > dig TXT example.net +short > (empty) You added a TXT record for the name test.example.net, but you're looking for it at the name example.net. Of cours

Re: Compiling BIND9 on CentOS 7

2016-04-25 Thread Anand Buddhdev
On 25/04/16 17:59, Sean Son wrote: Hi Sean Son, > I know I emailed the list about compiling BIND on a SystemD distro earlier > last month. This time I have a different question. After I compile BIND9 on > CentOS 7 , how do I get it to start up at boot time and how do I restart > it? I don't want

Re: Reload only ACL

2016-04-25 Thread Anand Buddhdev
On 25/04/16 22:23, Ali Jawad wrote: Hi Ali Jawad, > I do have a very specific requirement for private/public zones and based on > a user tool the users "hundreds in corporate environment" get either public > or private zone, the tool simply writes to an ACL file, my problem is that > the only way

Re: Reverse Zone CIDR

2016-05-25 Thread Anand Buddhdev
Hi Jonathan, If it's a /23, may I suggest creating two reverse zones, for each of the /24s in that prefix? It's much simpler. RFC 2317-style delegation, while possible for a /23, was designed for IPv4 prefixes smaller than a /24. Regards, Anand Buddhdev RIPE NCC On 25/05/16 11:37

Re: Which Domain is picked by Bind Server?

2016-05-27 Thread Anand Buddhdev
On 27/05/16 10:25, Harshith Mulky wrote: Hi Harshith, > If I have the following configuration in Bind server inside named.conf > > zone "e164.arpa" IN { > type master; > file "e164.arpa"; > }; > > zone "1.e164.arpa" IN { > type master; > file "e164.arpa"; > }; >

Re: BIND-RPZ and Views

2016-09-16 Thread Anand Buddhdev
On 16/09/16 09:06, Tom wrote: Hi Tom, > Using BIND 9.10.4-P2: I've a question about configuring DNS-RPZ and views: > I configured view1 and view2. After configuring all rpz-zones in both > views, I had errors like this (slave file in view2 is already in use > from view1): > config: error: /etc/na

Is -DISC_SOCKET_MAXEVENTS still needed in BIND 9.16?

2020-02-20 Thread Anand Buddhdev
Hi BIND developers, We build our own RPMs of BIND, and ever since the 9.9 builds, we have been setting -DISC_SOCKET_MAXEVENTS=256. This is based on advice we received from someone at ISC. Is this setting still relevant in BIND 9.16? Regards, Anand

Re: Is -DISC_SOCKET_MAXEVENTS still needed in BIND 9.16?

2020-02-20 Thread Anand Buddhdev
On 20/02/2020 09:08, Ondřej Surý wrote: Ah, thank you for this Ondrej! I've adjusted our spec file, and removed the define. > Hi Anand, > > on the contrary, we set tuning to large by default (it’s default or > small now), so with the define you are actually setting it to lower value: > > #ifnde

BIND 9.16.1 on CentOS 6

2020-03-18 Thread Anand Buddhdev
Hi BIND developers, The 9.16.1 release notes say: "The system-provided POSIX Threads read-write lock implementation is now used by default instead of the native BIND 9 implementation. Please be aware that glibc versions 2.26 through 2.29 had a bug that could cause BIND 9 to deadlock. A fix was re

Re: BIND 9.16.1 on CentOS 6

2020-03-18 Thread Anand Buddhdev
Thank you for your swift and clear response Ondrej! Regards, Anand On 18/03/2020 15:35, Ondřej Surý wrote: > Hi Anand, > > yes, it is. The broken code was introduced in the glibc 2.26, and generally > RedHat/CentOS/Fedora/Debian libc6 already has the required patches. > > Ubuntu 18.04 (and de

Re: Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X

2020-03-24 Thread Anand Buddhdev
On 24/03/2020 20:44, Bhangui, Sandeep - BLS CTR via bind-users wrote: Hi Sandeep, [snip] > As far as I can tell has the libuv library package is installed on this > RHEL 7.X machine. > > sh-4.2# rpm -qa | grep -i libuv > > libuv-1.34.0-1.el7.x86_64 This package contains just the runtime l

Re: checkzone from stdin?

2020-04-08 Thread Anand Buddhdev
/dev/fd/42 and named-checkzone reads the "file" /dev/fd/42, getting the decompressed data. Regards, Anand Buddhdev RIPE NCC

Re: BIND-9.16.1 memory leak?

2020-04-17 Thread Anand Buddhdev
On 17/04/2020 17:02, Karl Pielorz wrote: Hi Karl, > I seem to remember we got 'bitten' by large memory use when moving from > a previous version of bind - do you have 'max-cache-size' set in your > config? It's an authoritative-only server, so there is (almost) no caching involved. Anand

Re: Chaining NOTIFY and slave servers - is it supported?

2020-04-21 Thread Anand Buddhdev
On 21/04/2020 17:05, Petr Bena wrote: Hi Petr, > So when someone changes zone on A via nsupdate, NOTIFY and subsequent > IXFR goes like this: A -> B -> C instead of: This is just fine. There are many DNS setups organised like this. Your configuration isn't unique or strange. > What confuses me

Re: BIND installed on a Solaris 11.4 x 86 virtual server

2020-06-01 Thread Anand Buddhdev
On 01/06/2020 20:08, DeCaro, James John (Jim) CIV DISA FE (USA) via bind-users wrote: Hi Jim, Installed BIND 9.16.3 and I discovered that the SMF dns/server is trying to read named.conf from /usr/local/etc/: "/usr/local/etc/named.conf: file not found". I am trying to figure out how point name

Re: bind DoH ANd DoT Implementation

2020-06-08 Thread Anand Buddhdev
On 08/06/2020 07:13, ShubhamGoyal wrote: Hi Shubham, Dear all, I want to ask about bind DoH Implementation by proxy server, Is there any Documentation of DoH Implementation.

BIND 9.16 incoming TCP connection errors

2020-06-16 Thread Anand Buddhdev
Hi folks, I'm running an authoritative server on BIND 9.16. It gets about 3500 q/s, of which around 200 q/s are over TCP. At least, this is what DSC reports (DSC is a libpcap application sniffing traffic independent of BIND). In my named.conf, I have set: reserved-sockets 1000; tcp-clients 9

Re: BIND 9.16 incoming TCP connection errors

2020-06-18 Thread Anand Buddhdev
On 16/06/2020 20:17, Tony Finch wrote: Hi Tony, 16-Jun-2020 15:21:58.815 general: Accepting TCP connection failed: socket is not connected What does this log message mean? I think this error comes from getpeername() and it can occur if the connection is closed between accept() and getpeerna

Re: Bind IPV6 issue

2020-07-09 Thread Anand Buddhdev
On 09/07/2020 11:01, Duleep Thilakarathne wrote: Hi Duleep, I have configured bind with IPV6 support enabled. However bind does not listen to IPV6 address. Any particular reason? Is there any place to enable IPV6 support other than named.conf. Version : BIND 9.11.4-P1 (Extended Support Version)

Re: Starting bind 9.16.x with systemctl fails

2020-07-09 Thread Anand Buddhdev
On 09/07/2020 12:08, Adrian van Bloois wrote: Hi Adrian, Run "journalctl -u named" to see any systemd logs for this unit. Also look in /var/log/messages to see what (if anything) BIND has logged to syslog. Finally, you would help yourself and everyone else to help you better if you show your

Re: Bind IPV6 issue

2020-07-09 Thread Anand Buddhdev
On 09/07/2020 12:56, Duleep Thilakarathne wrote: Hi Duleep, After starting BIND, can you examine its log entries? It should print all the addresses it is binding to, eg: 09-Jul-2020 13:50:57.674 listening on IPv4 interface lo0, 127.0.0.1#53 09-Jul-2020 13:50:57.676 IPv6 socket API is incomple

Re: Dumb Question is an A or AAAA record required?

2020-07-09 Thread Anand Buddhdev
On 09/07/2020 14:21, @lbutlr wrote: Given a domain that is hosted and used for email and web, is an A record for that domain actually required? It's not *required*. But see below. That is, if bob.tld is hosted by example.com can you simply have NS ns1.example.com NS ns2.exam

Re: Dumb Question is an A or AAAA record required?

2020-07-09 Thread Anand Buddhdev
On 09/07/2020 16:06, Matthew Richardson wrote: On a related issue there were (perhaps long ago) issues if the A record for a domain had an SMTP server on it, where email could sometimes be delivered to that A record rather than the MX. I had (again long ago: 10-15 years) actually seen this occ

Re: /etc/bind.keys in a chrooted environment

2020-07-22 Thread Anand Buddhdev
On 22/07/2020 15:06, Josef Moellers wrote: Hi Josef, named complains about the missing file /etc/bind.keys if run chrooted: unable to open '/etc/bind.keys' using built-in keys What is the preferred way around this? Add "/etc/bind-keys" to NAMED_CONF_INCLUDE_FILES? Or just ignore the warning,

Re: /etc/bind.keys in a chrooted environment

2020-07-22 Thread Anand Buddhdev
On 22/07/2020 15:30, Josef Moellers wrote: Or just ignore the warning, and let BIND use its built-in keys. If /etc/bind.keys contains some additional keys, this will not work ;-) Sure, but what additional keys do you expect this file to contain? Are you serving an alternate signed root zone

Re: /etc/bind.keys in a chrooted environment

2020-07-22 Thread Anand Buddhdev
On 22/07/2020 16:51, Josef Moellers wrote: It turns out that it is mainly the warning the partner is irritated about. So, let me put the question the other way round: what would happen if we *always* copied /etc/bind.keys to the chroot environment? If there would be no harm, I could easily add t

Re: Algorithm compatibility between BIND 9.6.2 and 9.16

2020-08-05 Thread Anand Buddhdev
f "tsig-keygen". You will find the answer in there. Regards, Anand Buddhdev

Re: Reverse lookup response format

2020-08-25 Thread Anand Buddhdev
On 25/08/2020 16:29, Brad Stevenson wrote: Hi Brad, I would like to have the behavior of the reverse lookup responses to only include the hostname, not the hostname with the reverse zone appended. So for example: # nslookup 192.168.2.206 206.2.168.192.in-addr.arpa name = server1.ctois.lo

Re: Latest bind for centos7

2020-11-05 Thread Anand Buddhdev
On 05/11/2020 14:02, rams wrote: Hi Ramesh, > What is the latest bind version for Centos 7? > Where we can download it? "yum info bind" will give you all the information you need. Regards, Anand Buddhdev

Re: Servfail on Bind -9.16.1

2020-11-21 Thread Anand Buddhdev
On 21/11/2020 21:53, upen wrote: Hi Upen, > Could someone guide me to troubleshoot this further? Thank you for the > list. Your instance of BIND is probably logging to syslog. Look for these logs (usually /var/log/messages), and see what BIND is logging. It may shed a light on the problem.

Filter out TSIG records from zone transfer

2020-12-06 Thread Anand Buddhdev
one through an awk script to filter out these records, but it would be nice if I could tell dig itself to suppress them. Regards, Anand Buddhdev

Re: Filter out TSIG records from zone transfer

2020-12-07 Thread Anand Buddhdev
Hey Daniel, That's *exactly* what I was after! Thank you :) On 07/12/2020 08:25, Daniel Stirnimann wrote: > Hello Anand > > this works for me: > > dig -k KEY @PRIMARY ZONE +noall +answer +noidnout +onesoa AXFR

Re: Zonefile Management in git

2020-12-08 Thread Anand Buddhdev
Hi Cameron, We do something like this for our zones. In our zone repository, I have a script called "checkzones". I can run it any time in my checkout of the repository, and it checks all the zones for various things. For example, it checks for implicit owner names, missing TTL, etc. It also runs

Re: Zonefile Management in git

2020-12-08 Thread Anand Buddhdev
Sure, Cameron. However, since it's no longer BIND-related, I'll email you off-list. Anand On 08/12/2020 22:58, Cameron Banowsky wrote: > Thank you Anand, > > Would it be possible to look at your script and gitlab-ci yaml? This is > incredibly helpful. Thank you so much. > Cameron Banowsky > S

Re: Reg - zone data of in-addr.arpa and ip6.arpa

2020-12-12 Thread Anand Buddhdev
Hi Gaurav, You can transfer the "in-addr.arpa" and "ip6.arpa" zones from these servers: iad.xfr.dns.icann.org lax.xfr.dns.icann.org For the full list of zones provided by ICANN, check out this page: https://www.dns.icann.org/services/axfr/ Regards, Anand On 12/12/2020 13:39, Gaurav Kansal wro
