Re: A couple of regression problems between 9.11.7 and 9.14.2

2019-06-05 Thread Borja Marcos
> On 5 Jun 2019, at 14:56, Tony Finch wrote: > > Borja Marcos wrote: > rigol.com is related to DNS cookies as well as the DNS flag day, yes. > > login.repsol.com is a lame delegation that is exposed by qname minimization. Thanks, I missed the second one looking at packet c

A couple of regression problems between 9.11.7 and 9.14.2

2019-06-05 Thread Borja Marcos
. Is all of this part of a collective “DNS Flag Day”? ;) Or is it unintended? Thanks! Borja Marcos.

Re: bind 9.16.6 on FreeBSD - Assert

2020-09-02 Thread Borja Marcos
> On 2 Sep 2020, at 09:15, Søren Andersen wrote: > > It looks like the same bug to me. - Did you try to patch your source code > with the patch isc just made? No, I am not aware of a patch. I have rolled it back to 9.11 for now, it’s a production server. Thanks, Borja.

Re: bind 9.16.6 on FreeBSD - Assert

2020-09-02 Thread Borja Marcos
> On 1 Sep 2020, at 19:48, Søren Andersen wrote: > > hmm.. I think you hit this bug right here: > https://gitlab.isc.org/isc-projects/bind9/-/issues/2104 Looks like that. I compiled bind with debug symbols and it crashed again. No way to append this to your bug report, it’s closed.

Re: bind 9.16.6 on FreeBSD - Assert

2020-09-03 Thread Borja Marcos
> On 3 Sep 2020, at 11:13, Ingeborg Hellemo wrote: > The server is dualstack and serves DNS via both IPv4 and IPv6. > > Has anyone observed something similar? No, I haven’t seen this one. If you have used the ports subsystem, can you recompile the port with the WITH_DEBUG option? Doing

bind 9.16.6 on FreeBSD - Assert

2020-09-01 Thread Borja Marcos
Hi, I had a named process aborting with an assert. <26>1 2020-08-27T15:52:04.00+00:00 host named 6520 - - rbt.c:2355: REQUIRE(newbits <= rbt->maxhashbits) failed, back trace <26>1 2020-08-27T15:52:04.00+00:00 host named 6520 - - #0 0x43d260 in ?? <26>1 2020-08-27T15:52:04.00+00:00

bind 9.16.7 Odd query error

2020-09-29 Thread Borja Marcos
Hello, I have an odd problem running bind at home. Shortly after flushing the cache I get a SERVFAIL asking for 8.8.8.8.in-addr.arpa. PTR ; <<>> DiG 9.14.8 <<>> 8.8.8.8.in-addr.arpa. PTR ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2731 ;; flags: qr

Re: bind 9.16.7 Odd query error (Borja Marcos)

2020-10-01 Thread Borja Marcos
> On 30 Sep 2020, at 22:34, Mark Andrews wrote: > > No, it’s just fetches per query taking effect. With an empty cache there are > just too many queries made looking up addresses of name servers. You can > raise the default slightly. Alright, I think I found this particular issue. I began

Re: bind 9.16.7 Odd query error (Borja Marcos)

2020-10-01 Thread Borja Marcos
> On 30 Sep 2020, at 22:34, Mark Andrews wrote: > > No, it’s just fetches per query taking effect. With an empty cache there are > just too many queries made looking up addresses of name servers. You can > raise the default slightly. According to the documentation the default values for

Re: bind 9.16.7 Odd query error (Borja Marcos)

2020-10-01 Thread Borja Marcos
> On 1 Oct 2020, at 08:36, Mark Andrews wrote: >> According to the documentation the default values for fetches-per-zone and >> fetches-per-server are zero, >> which means there is no limit. > > Sorry, shouldn’t answer when on a phone. See max-recursion-queries Thanks, yes, I found it

Re: bind 9.16.7 Odd query error (Borja Marcos)

2020-09-30 Thread Borja Marcos
> On 30 Sep 2020, at 15:29, Bob McDonald wrote: > > Same thing here. Here's what I found. > > 1) there's an old version of the root hints file. Nov 2017. Current is sept > 2020. New one didn't change things. I'll look at my other setup which slaves > the root. >Caveat: I'm running

Re: Logging on a Bind server

2020-10-20 Thread Borja Marcos
> On 20 Oct 2020, at 17:28, Rick Dicaire wrote: > > On Tue, Oct 20, 2020 at 10:17 AM wrote: > Dear BIND-Users, > > Does someone have an idea, which log I have to activate. > > > Do you have querylog enabled? Querylog is not enough. It will tell you which clients are sending which

Re: Logging on a Bind server

2020-10-21 Thread Borja Marcos
> On 20 Oct 2020, at 18:02, Chuck Aurora wrote: > > On 2020-10-20 10:34, Borja Marcos wrote: >>> On 20 Oct 2020, at 17:28, Rick Dicaire wrote: >>> On Tue, Oct 20, 2020 at 10:17 AM wrote: >>> Dear BIND-Users, >>> Does someone have an idea, which

Re: Preventing a particular type of nameserver abuse

2021-04-13 Thread Borja Marcos
> On 13 Apr 2021, at 11:31, Julien Salort wrote: > > Is there really a usefulness to reply with code 5, instead of silently > ignoring the request? Yes, we do it. imagine a customer who uses to connect from different locations (hence different ISPs) and for whatever reason keeps a static

Re: BIND 'max-cache-size' Value on FreeBSD-13.0

2021-09-10 Thread Borja Marcos
> On 9 Sep 2021, at 06:59, Mark Tinka wrote: > > 2.5 days in, and 9.11 is still running good, with no crashing. > > Safe to say that this memory leak is definitely an issue with 9.16. Which version of libuv are you using? I am running 1.41 and the latest is 1.42. I haven’t seen that

Re: BIND 'max-cache-size' Value on FreeBSD-13.0

2021-09-13 Thread Borja Marcos
> On 10 Sep 2021, at 13:30, Mark Tinka wrote: > > > > On 9/10/21 12:35, sth...@nethelp.no wrote: > >> Freebsd 12.2-STABLE here with servers running BIND 9.16.15, 9.16.18 >> and 9.16.20, all using libuv 1.41.0, all installed from ports. Typical >> query load from around 3k qps to around 14k

Re: BIND 'max-cache-size' Value on FreeBSD-13.0

2021-09-13 Thread Borja Marcos
> On 13 Sep 2021, at 09:40, Ondřej Surý wrote: > > Hi, > > if you have reliable reproducer, please file an issue at > https://gitlab.isc.org/isc-projects/bind9/-/issues > > While this mailing list is monitored by the BIND 9 team, it’s more practical > to have an issue filed by > a person

Re: Nice new logging feature

2022-01-05 Thread Borja Marcos
> On 20 Dec 2021, at 17:56, Reindl Harald wrote: > > > > Am 20.12.21 um 17:53 schrieb Petr Menšík: >> sure I confused that. I read it wrong way and thought they are present >> on *BSD but not on Fedora. I know some messages are removed in Fedora >> builds. I apologize for a confusion. Nobody

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-02 Thread Borja Marcos
> On 30 Dec 2021, at 09:07, Danilo Godec via bind-users > wrote: > > The source is a security audit report, claiming that using a single server > for both authoritative (for public use) and recursive (limited to internal > clients by means of 'allow-recursion' directive) roles increases the

Stale cache feature problems

2021-11-11 Thread Borja Marcos
Hi, I’ve been trying the stale answers feature out of curiosity (seems to be a useful idea) but I have run into problems. I tried at home, so nobody was actually hurt! I am running BIND 9.16.22 built from ports on FreeBSD 13-STABLE and I didn’t attempt any tuning, I just enabled

Re: Stale cache feature problems

2021-11-11 Thread Borja Marcos
> On 11 Nov 2021, at 10:40, Blažej Krajňák wrote: > > Hi, > > št 11. 11. 2021 o 10:28 Borja Marcos napísal(a): >> First problem: I experienced random SERVFAILS with no apparent reason while >> i had the feature turned on. I think it >> especially affected

Nice new logging feature

2021-12-16 Thread Borja Marcos
Hi, I am trying 9.17 at home and I just noticed a very useful new lame-servers log message: 2021-12-16T08:08:20.505Z lame-servers: timed out resolving ’stupiddomain.com/ANY/IN': X.Y.Z.T#53 I haven’t seen this on 9.16. Are there any plans to include it? It would _really_ be useful. Our setup

Re: Nice new logging feature

2021-12-16 Thread Borja Marcos
> On 16 Dec 2021, at 10:02, Borja Marcos wrote: > > > Hi, > > I am trying 9.17 at home and I just noticed a very useful new lame-servers > log message: > > 2021-12-16T08:08:20.505Z lame-servers: timed out resolving > ’stupiddomain.com/ANY/IN': X.Y.Z.T#53

Re: Nice new logging feature

2021-12-16 Thread Borja Marcos
> On 16 Dec 2021, at 13:15, Reindl Harald wrote: > > > > Am 16.12.21 um 10:02 schrieb Borja Marcos: >> Hi, >> I am trying 9.17 at home and I just noticed a very useful new lame-servers >> log message: >> 2021-12-16T08:08:20.505Z lame-servers: timed

Re: Nice new logging feature

2021-12-16 Thread Borja Marcos
> On 16 Dec 2021, at 14:55, Reindl Harald wrote: > > > > Am 16.12.21 um 14:49 schrieb Borja Marcos: >>> >>> bind-9.16.23-1.fc34.x86_64 >>> >>> 16-Dec-2021 13:08:10.598 lame-servers: connection refused resolving >>> 'ns2.server

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-10 Thread Borja Marcos
> On 9 Jan 2022, at 13:11, Jason Vas Dias wrote: > > Thanks to all who responded ! > Yes, removing my Forwarders list did the trick . > Never trust an ISP's DNS servers! I’m late to the party, but anyway several issues are worth pointing out. - First, there is no Hidden Google Internet, but

Re: Problems building bind 9.18.1 on FreeBSD

2022-03-17 Thread Borja Marcos
> On 17 Mar 2022, at 10:41, Petr Špaček wrote: *** Error code 2 >>> Interesting! >>> >>> How do you build it? >> Pretty straightforward. >> ./configure with some options, >> ./configure --disable-linux-caps --localstatedir=/var >> --sysconfdir=/usr/local/etc/namedb --with-dlopen=yes

Problems building bind 9.18.1 on FreeBSD

2022-03-17 Thread Borja Marcos
Hi Trying to compile bind 9.18.1 on FreeBSD I am stumbling upon a really silly problem. Getting plenty of errors like this building the man pages. building [man]: all source files updating environment: [new config] 34 added, 0 changed, 0 removed reading sources... [100%] tsig-keygen

Re: Problems building bind 9.18.1 on FreeBSD

2022-03-17 Thread Borja Marcos
> On 17 Mar 2022, at 08:59, Petr Špaček wrote: > > Hello, > > On 17. 03. 22 8:49, Borja Marcos wrote: >> Trying to compile bind 9.18.1 on FreeBSD I am stumbling upon a really silly >> problem. Getting plenty of errors like this >> building the man pages.

Re: BIND 'max-cache-size' Value on FreeBSD-13.0

2022-02-16 Thread Borja Marcos
> On 16 Feb 2022, at 10:53, Mark Tinka wrote: > > Hi all. > > Just coming back to this... > > I notice that the release notes for 9.16.25 say the memory leak issue on > FreeBSD is now fixed: > > * > > On FreeBSD, TCP connections leaked a small amount of heap memory, leading to > an

Re: ipv6 adoption

2022-02-16 Thread Borja Marcos
> On 16 Feb 2022, at 16:50, Grant Taylor via bind-users > wrote: > > On 2/16/22 7:35 AM, Mark Tinka wrote: >> I was assuming Linux has something similar, where in userland, you have the >> option to install which train of BIND you want, regardless of OS version. > > Most of the -- what I'll

Re: V 9.18.1 not listen on port 853 after rndc reload

2022-03-21 Thread Borja Marcos
> On 21 Mar 2022, at 14:51, MAYER Hans wrote: > > > Looking at the log I see: > network: error: creating TLS socket: permission denied > > Why doesn’t named have the permissions after a „rndc reload“ but it has the > permissions after a start ? And why on one server but not on another ? >

Re: Problems building bind 9.18.1 on FreeBSD

2022-03-25 Thread Borja Marcos
> On 25 Mar 2022, at 14:34, Ondřej Surý wrote: > >> On 25. 3. 2022, at 11:49, Borja Marcos wrote: >> >> Following up on this subject, looks like there were substantial changes to >> the build process for 9.18.1? > > Yes. Thanks. I was just wonderin

Re: Problems building bind 9.18.1 on FreeBSD

2022-03-25 Thread Borja Marcos
Following up on this subject, looks like there were substantial changes to the build process for 9.18.1? The port maintainers seem to be having a hard time with it. Cheers, Borja.

Possible bug. Bind 9.18 blocking on dnstap

2022-05-27 Thread Borja Marcos
Hi, I just stumbled upon a problem. It happened on FreeBSD 13.1-RC (going to update to 13.1 today). I am running bind 9.18.3 with dnstap using a Unix socket. Once the socket has been opened by bind, if the process serving the Unix socket blocks and you try to kill named, it fails to stop,

Re: resolving www.ecb.europa.eu tages ages

2022-06-20 Thread Borja Marcos
> On 20 Jun 2022, at 10:22, Borja Marcos wrote: > Looking at it there are also problems affecting the europa.eu domain. Some servers are sometimes unresponsive over TCP (doing some simple queries one of them took 5 seconds to answer). And europa.eu fails to pass the 2020 DNS Flag Day

Re: resolving www.ecb.europa.eu tages ages

2022-06-20 Thread Borja Marcos
> On 17 Jun 2022, at 13:04, Matus UHLAR - fantomas wrote: > > Hello, > > I encountered case where resolution of www.ecb.europa.eu takes long time and > I can't find out why. > > I'm trying to find the culprit using dig +trace and resolution times change > from < 1 second to > 15 seconds,

Re: FORMERR responses after upgrading resolver from 9.16 to 9.18.8

2022-10-21 Thread Borja Marcos
> On 21 Oct 2022, at 03:51, Mark Andrews wrote: > >> >> Of course I would prefer to upgrade back to 9.18.X, but I guess I won't be able to find all EDNS0 incompatible servers and losing customers to 8.8.8.8 - which is able to resolve these names.. >>> This is kind of moot

Re: FORMERR responses after upgrading resolver from 9.16 to 9.18.8

2022-10-21 Thread Borja Marcos
> On 21 Oct 2022, at 12:23, Ondřej Surý wrote: > > What you are really saying that we should dance how tech giants whistle, and > I don’t think succumbing to tech giants is a good strategy long term. Not at all and I agree with you. But tell your customer that their email message didn’t

Question about dnstap

2022-09-12 Thread Borja Marcos
Hi, I am not sure this is intended behavior, or maybe I should file a bug. I am doing some tests with dnstap and bind (9.18.6 now but I see the same behavior with older 9.18 versions). I am using dnstap-go. I have configured bind to use dnstap with no other options and using a Unix domain

Re: Question about dnstap

2022-09-13 Thread Borja Marcos
> On 13 Sep 2022, at 14:34, Peter wrote: > > Apparently, the first connect() happens (after chroot but) before > dropping privileges. > (The FreeBSD integration script does set -u to UID "bind", by default.) > > So, apparently, fstrm_capture should also run as UID "bind" (and would > then

Re: DF-Flag on UDP-based sockets?

2022-11-30 Thread Borja Marcos
> On 30 Nov 2022, at 08:20, Tom wrote: > > Hi list > > Regarding ARM 9.18.9 > (https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-edns-udp-size): > "The named now sets the DON’T FRAGMENT flag on outgoing UDP packets." > > Tested with BIND-9.18.9, I didn't see any UDP

Re: Dnstap CLIENT_RESPONSE and query time information

2022-11-23 Thread Borja Marcos
> On 23 Nov 2022, at 10:09, Borja Marcos wrote: > > Hi, > > I am working on some DNS monitoring using Dnstap. I have noticed that RR > messages include > *both* the query time and response time but, despite being recommended on the > Protobuf > speci

Dnstap CLIENT_RESPONSE and query time information

2022-11-23 Thread Borja Marcos
Hi, I am working on some DNS monitoring using Dnstap. I have noticed that RR messages include *both* the query time and response time but, despite being recommended on the Protobuf specification (I know, it’s just a recommendation!) the CR messages do not include it. Is there any particular

Re: Bind dns amplification attack

2023-03-28 Thread Borja Marcos
> On 28 Mar 2023, at 09:33, Nyamkhand Buluukhuu wrote: > > Hello, > > We are having slowly increasing dns requests from our customer zones all > asking mXX.krebson.ru. I think this is a DNS amplification attack. > And source zones/IP addresses are different but sending same requests like >

Re: monitoring BIND

2023-08-04 Thread Borja Marcos
> On 3 Aug 2023, at 17:07, sami.ra...@sofrecom.com wrote: > > Hello community > please what is the most recommended tool for BIND monitoring and especially > display response time and latency thank you in advance. For latency, your friend is Dnstap. The implementation on Bind is superb. When

Re: Deprecated DSCP support

2024-02-29 Thread Borja Marcos
> On 29 Feb 2024, at 10:21, Petr Špaček wrote: > > On 28. 02. 24 13:50, Balazs Hinel (Nokia) via bind-users wrote: >> I am working on a product in Nokia, and we currently use BIND provided by >> Rocky Linux 8 with security patches. Recently the requirement came that we >> should upgrade to

Re: Insecurity proof failed

2024-03-12 Thread Borja Marcos
> On 12 Mar 2024, at 13:36, Mark Andrews wrote: > > Have you disabled EDNS to these servers in named.conf? DNSSEC responses are > only returned > if DO=1 is set in the request. Named can learn that a server doesn’t support > EDNS if it doesn’t > return EDNS responses consistently to EDNS

Insecurity proof failed

2024-03-12 Thread Borja Marcos
Hi, This is driving me nuts. I have three BIND 9.18.24 running on FreeBSD. Two of them on FreeBSD 14, one on FreeBSD 13.2. Just one of the servers is failing to resolve a single domain compared to the other two: checkpoint.com . I get these errors: <142>1