Re: Connect returns EINPROGRESS

Hi Kalpesh, Isn't the explanation already clear in the code comments? * HP-UX fails to connect a UDP socket and sets errno to * EINPROGRESS if it's non-blocking. We'd rather regard this as * a success and let the user detect it if it's really an error * at the time of sending a packet on the

Re: Modified a zone, so when it becomes available?

Marcos Lorenzo de Santiago wrote: El mar, 15-09-2009 a las 07:04 -0300, Leonardo Rodrigues escribió: Marcos Lorenzo de Santiago escreveu: When I modify a RR or add a new one on an existing zone, I have to restart master server to make the change available. Is there any other way to reload the

Re: nsupdate.exe and IPv6

Chris Hills wrote: Hi It seems nsupdate.exe in 9.6.1-P1 does not properly locate IPv6 nameservers. C:\Temp\bind-9.6.1-P1dig +short ns-v6-1.chaz6.com. in 2001:16d8:dd22:38::2 2001:16d8:ee0f:38::2 C:\Temp\bind-9.6.1-P1nsupdate server 2001:16d8:dd22:38::2 update add

Re: DIG -6 +TCP

Doug Barton wrote: Pamela Rock wrote: For all it's worth, using wireshark, I can see IPv6 UDP queries successfully traversing in/out. Ping6 works successfully. There is no firewall running anywhere(IPv4 or 6). Still get [r...@dig-client ~]# dig -6 a test.domain @bindserver6 +tcp

Re: questions on bind cache with views

Young H. wrote: On Thu, Dec 17, 2009 at 6:59 PM, Mark Andrews ma...@isc.org wrote: In message 35686be10912170139j3d89c414n1da84870b47c9...@mail.gmail.com, Youn g H. writes: Hello, I have config the bind-9.6.1 with multi-views and recursion yes. But I found bind always deny the query to

Re: 9.4.3 oddities

Hi Imri, Do you use any of the following in your configuration: transfer-source transfer-source-v6 notify-source notify-source-v6 query-source query-source-v6 Regards, Cathy Imri Zvik wrote: Hi, We've recently upgraded our caching servers to 9.4.3-P4/P3 (2 of them running 9.4.3-P4 and 2

Re: 9.4.3 oddities

Imri Zvik wrote: On Wednesday 06 January 2010 11:56:13 Cathy Almond wrote: Do you use any of the following in your configuration: transfer-source transfer-source-v6 notify-source notify-source-v6 query-source query-source-v6 No :) my configuration is '*source*' free, And anyhow, even

Re: 9.4.3 oddities

The problem reported below proves to have been resolved by this change: 2797. [bug] Don't decrement the dispatch manager's maxbuffers. [RT #20613] When randomized query ports was implemented, the increase in the number concurrently-used sockets had an equivalent increased usage need of another

Re: ISC BIND 9.6.1-P3 is now available

David Coulthart wrote: On Jan 19, 2010, at 12:28 PM, Evan Hunt wrote: BIND 9.6.1-P3 is a SECURITY PATCH for BIND 9.6.1. It addresses two potential cache poisoning vulnerabilities, both of which could allow a validating recursive nameserver to cache data which had not been authenticated or

Re: Name resolution follows forwarders instead of delegations on master server

Taylor, Gord wrote: I've noticed that if I have default forwarders setup in the options section of my named.conf, then BIND (9.4.1-P1) will forward to these servers rather than following the delegations for zones where it's authoritative (verified via sniffer trace). Is this true of all BIND

Re: Question about rndc flushname

bsfin...@anl.gov wrote: On a mail machine I am running a cache-only DNS - BIND 9.6.1-P3. When I dump the cache I see two lines: ; answer brainpower-austria.at. 6622MX 5 mx1.bon.at. I then enter ./rndc flushname brainpower-austria.at But when I then look at

Re: multiple options{} statements in bind config

Matus UHLAR - fantomas wrote: Hello, I'm updating my configurations for our bind server farm. previously I was using multiple versions of named.conf with different values for statemennts that need to be different (listen-on, notify etc). I would now like to have one main config that

Re: Help with logrotate and bind

bind-sugg...@isc.org ? I'm not sure how much attention it will get right this moment - it depends on the persuasiveness of the argument for it, and the number of folks popping up to say 'yes please, I need it too!'. But it doesn't on the face of it sound too technically difficult and the code is

Re: PKCS#11 engine implementation

There is a developers list. It is called bind-workers. https://lists.isc.org/mailman/listinfo/bind-workers Maybe the list page needs a couple of words what the list is about. It's not exactly obvious. You know - it isn't exactly obvious is it - I looked at the likely web page routes

Re: bind 9.6.2 with threads hangs

Fabien Seisen wrote: To the OP: do you specify max_cache_size? If not, what does the memory consumption of BIND look like when it gets into the non-functional state? yes, max-cache-size 512M but named process takes ~900MB The extra memory is for keeping track of recursive clients (i.e.

Re: bind 9.6.2 with threads hangs

Fabien Seisen wrote: This doesn't sound like a hugely loaded server, exact, on my own test (with real life queries), the server can handle ~7 queries/s with response time ~1ms at 70% cpu and no packet lost. else it's somewhat throttled (not particularly large cache and probably

Re: How does load balancing operate on 1 forwarders

A long time ago it used to be in turn, but all current versions of BIND sort the forwarders based on a preference value (SRTT) that's derived from the RTT of previous query/query response interactions, with a 'time since we last tried this server' incorporated so that servers that aren't top of

Re: question about bind bug fixed in 9.6.2-P2

Jack Tavares wrote: From the release notes: --- 9.6.2-P2 released --- 2876. [bug] Named could return SERVFAIL for negative responses from unsigned zones. [RT #21131] Question: Does this bug only occur if dnssec is enabled? or only if dnssec

Re: error on start: initializing DST: no engine (v9.7.0-P2)

Greg Whynott wrote: sorry, forgot the subject. not very good on my first posting Hello, I'm seeing an unfamiliar error while attempting to start a newly built from source named instance. I've search on the net and within the bind-user list without luck, DST returns lots of

Re: Bind hang out when named reach to 5-600 Mb

khanh rua wrote: Hi, I install bind as a cache server on Solaris 10, Sun Sparc T5140. It has problem, bind always hang out when named reach to 5-600 Mb ('prstat' check). I have several servers and all have this problem even when i install bind in zone or try with a 64bit version.

Re: AW: Limitation on concurrently handled queries

Dangl, Thomas wrote: First of all thanks for the fast response. Maybe I misunderstood the Bind9 manual. Bind9 ARM says: recursive-clients The maximum number of simultaneous recursive lookups the server will perform on behalf of clients I understand that as recursive lookups that are

Re: Forward map update unsuccessful from windows - IPv6

The named log shows two attempts to add records. The first succeeds the second fails due to the prerequisite check. Looking at the reverse address request that succeeds we have an address of: fd80:1010::de74 While the dhcpd log message has an address of: fd80:1010::f274 Are you perhaps

Re: discrepancy with rndc dumpdb -zones

Hi Gordon, We've not seen this before (and it doesn't sound like anyone else has either). What version of BIND is it? Has it reappeared since? Is this a particularly heavily loaded/busy server? Does it have recursive cache as well as authoritative zones? Kind regards, Cathy Gordon A. Lang

Re: BIND 9.7.2-P2 is now available.

Hi Florian, It's this one which is also in 9.6-ESV-R2: 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call. RT #20877] Regards, Cathy On 03/10/10 11:06, Florian Weimer wrote: * Mark Andrews: * If BIND, acting as a DNSSEC validating server, has two or more trust

Re: BIND 9.8.0b1 Released Today

On 24/01/11 10:56, Matus UHLAR - fantomas wrote: On 21.01.11 10:45, Sue Graves wrote: * BIND now supports a new zone type, static-stub. This allows the administrator of a recursive nameserver to force queries for a particular zone to go to IP addresses of the administrator's choosing, on

Re: BIND 9.8.0b1 Released Today

so, iiuc, the difference is that type forward sends queries with RD bit set, while type static-stub sends them with RD cleared... and the forward first option appears to be applicable only in forward zones. did I get it right? Yes I use forward zones for blacklists - while I mirror some

Re: Public Advisory on DNSSEC Failures with New DS Records

Stephane, It looks like something went awry on the website. We've fixed it. Thanks for the heads-up. Cathy On 07/02/11 08:49, Stephane Bortzmeyer wrote: On Fri, Feb 04, 2011 at 04:11:03PM -0800, Larissa Shapiro laris...@isc.org wrote a message of 37 lines which said: The full advisory

Re: bind makes RRSIG disappear?

Hi Gilles, You've identified a corner-case bug - the logic is incorrect in the case where the ACL holds none instead of being empty. There's no compile-time option - but we are treating what you've reported to us as a bug (RT #23120). It is currently under investigation/discussion. Many thanks

Re: Q on clients-per-query, max-clients-per-query

So, does BIND behave the same whether it is a single PC making 100 queries for the same record compared to 555 PCs making queries for the same record? That is, how does BIND treat clients-per-query, max-clients-per-query differently based upon the query requesters' IP address(es)? (I

Re: Resolver issue - drop in qps and memory leak

Hi Dennis, There are some fixes for cache management issues on recursive servers that have been released recently. This sounds like it might have been one of those problems. If you want to stay on 9.6, then I'd recommend 9.6-ESV-R4 to you Otherwise you might like to take a look at 9.7.3. Cathy

Re: EDNS request problem on TTL=0 data

On 27/06/11 16:39, Paul Wouters wrote: On Mon, 27 Jun 2011, Florian Weimer wrote: 1 Is this problem happening because EDNS failure is not remembered for forwarders? There is no realiable way to detect EDNS support in forwarders, so there isn't anything to remember, really. Sadly, the

Re: Fwd: Re: Fwd: Re: Difference between netstat rndc status

On 05/07/11 06:25, Bind wrote: -Original Message- From: Bind b...@dci.ir To: Mark Andrews ma...@isc.org Date: Tue, 05 Jul 2011 09:55:03 +0430 Subject: Re: Fwd: Re: Difference between netstat rndc status Thanks for your best support and answers all the time. Could u explain

Re: BIND 9.6.1-P3 Vulnerabilities

On 07/06/11 16:21, Borgia, Joe A CTR USAF AFMC AFRL/RIOS wrote: BIND 9.6.1-P3 seems to be a somewhat old release of BIND, and yet, I can find no vulnerabilities listed on the ISC Security Advisories pages. Am I missing something? Yes. :-( https://www.isc.org/software/bind/security/matrix

Re: stub zone

On 25/07/11 20:55, ju wusuo wrote: Would like to use the BIND stub zone function, however, heard that ISC considers stopping support to stub zone in the future, is that true? I think we may have confused some people in the past about support for this because of what's written in the ARM about

Re: CVE-2011-1910 vs bind 9.6-ESV-R4-P3

On 03/08/11 10:25, Issam Harrathi wrote: Hi all, when i see this about the affected version by the CVE-2011-1910: 9.6: 9.6.3, 9.6-ESV-R2, -R3, -R4, -R5b1 does this mean that the 9.6-ESV-R4-P1 is affected? I know it's a bit unwieldy and large at the moment (we have thoughts on how to remedy

Re: what does dig +trace do?

On 31/08/11 16:36, Tom Schmitt wrote: What strikes me as odd is that the first query does return 4 (internal) root servers, but no glue records ? I have no idea why this is this way. Because +trace only displays the answer section of the responses by default. Try dig +trace +additional.

Re: R: Bind DLZ and Postgres 8.4.8

On 04/10/11 21:38, Job wrote: Hello, everything is fine, i patched the source tree! Thank you, regards! Francesco Whose source tree? Is it the patch something that would be useful/appropriate to share here? Regards, Cathy ___ Please visit

Re: host versus nslookup

On 12/10/11 23:09, Kevin Darcy wrote: As far as I know, only HP-UX has hacked nslookup to look at /etc/hosts. And I don't think it even looks at the switch file or other naming sources (e.g. Yellow Plague). HP-UX's nslookup enhancement is a one-off, I believe. For the record, on HP-UX it does

Re: (Non existing domain) query lookup logs in a seperate log file

On 13/11/11 07:59, babu dheen wrote: Dear Support, Can anyone help me how to enable a seperate log file for NXDOMAIN(Non exististance) DNS query lookup in BIND? Regards Papdheen M BIND doesn't log query responses - only queries received. There are statistics available on how many

Re: Can't compile bind 9.8.1-P1 on Solaris

On 17/11/11 05:33, King, Harold Clyde (Hal) wrote: With great help I got Bind 9.8.1 to compile on solaris but I can not get Bind to start up. I am getting: 17-Nov-2011 00:31:23.609 initializing DST: openssl failure 17-Nov-2011 00:31:23.609 exiting (due to fatal error) Is anyone else

Re: Can I set TTL served to users in bind?

On 09/03/12 08:22, Jeff Peng wrote: 于 2012-3-9 16:11, Drunkard Zhang 写道: I got some bind servers doing iteration resolution, and return the results to users. But I found that some names got too big TTLs, whose RRs can not be replaced correctly by new RRs in time. This leads to user‘s blame,

Re:

On 13/03/12 20:46, Mark Andrews wrote: In message cb84b51a.4a53a%dan.mcdon...@austinenergy.com, Daniel McDonald writ es: On 3/13/12 8:20 AM, hugo hugoo hugo...@hotmail.com wrote: == do I have to create in zone toto.be the following NS record: titi.toto.be. TTL IN

Re: BIND 9.9.0 assertion failure

On 14/03/12 10:11, Eivind Olsen wrote: In BIND 9.9.0(CentOS 4.6) Mar 9 06:58:51 X named[17533]: general: critical: client.c:318: INSIST(client-gt;newstate lt;= 3) failed, back trace

Re: journal rollforward failed: journal out of sync with zone

Is the journal file on the master (the source of the zone files that are transferred via cron jobs) or on the slave (the recipient of the zone files)? Why are you using ixfr-from-differences - what operational purpose does it serve for you? The other thing to consider also is your operational

Re: Moving DNS out of non-cooperative provider

On 19/06/12 11:18, Alexander Gurvitz wrote: 3282. [bug] Restrict the TTL of NS RRset to no more than that of the old NS RRset when replacing it. [RT #27792] [RT #27884] Just to clarify - does this rule applies also while replacing

Re: Bind 9.8.1-P1 is crashing again and again

On 02/07/12 14:32, Gaurav Kansal wrote: Dear Team, My BIND DNS Server is crashing again and again. I am getting these logs: Jul 2 12:03:33 gaurav named[30523]: query.c:5379: INSIST(!is_zone) failed, back trace Jul 2 12:03:33 gaurav named[30523]: #0 0x805a7a5 in

Re: getting edns disabling message in logs

On 04/07/12 07:12, Ben wrote: Hi Tony, Thanks for your kind response. Disabling EDNS due to firewall misconfiguration, raise any problem to DNS activity.? I mean my users face any name resolution problesms or ...?

Re: getting edns disabling message in logs

On 04/07/12 20:14, Michael Hoskins (michoski) wrote: -Original Message- From: Tony Finch d...@dotat.at Date: Wednesday, July 4, 2012 7:54 AM To: Cathy Almond cat...@isc.org Cc: bind-users@lists.isc.org bind-users@lists.isc.org Subject: Re: getting edns disabling message in logs

Re: BIND CPU load problems

On 10/07/12 13:08, Phil Mayers wrote: On 10/07/12 12:56, Shon Stephens wrote: Dear Mike, I am not being hit with a Denial of Service attack and the query logging doesn't appear to be any different from other hosts in the DNS complex. There are no errors in logs or messages files either.

Re: BIND 9.9.1-P1 reload bug

This just happened on our nameserver: 11-Jul-2012 13:54:01.711 general: info: received control channel command 'reload' 11-Jul-2012 13:54:01.712 general: info: loading configuration from '/etc/named.conf' 11-Jul-2012 13:54:01.891 general: critical: server.c:4436: fatal error: 11-Jul-2012

Re: BIND 9.9.1-P1 reload bug

On 12/07/12 08:20, Michael Hoskins (michoski) wrote: stupid question: i spent all of five minutes looking around isc.org -- but i did click all the top-level bind-related links, and couldn't find a pointer to rt to search for this ticket. does it require a support contract, is it

ISC Security Advisory: High TCP Query Load Can Trigger a Memory Leak in BIND 9

ISC Security Advisory: Note: This email advisory is provided for your information. The most up to date advisory information will always be at: https://kb.isc.org/article/AA-00730 please use this URL for the most up to date advisory information. Title: High TCP Query Load Can Trigger a Memory

ISC Security Advisory: Heavy DNSSEC Validation Load Can Cause a Bad Cache Assertion Failure in BIND9

Note: This email advisory is provided for your information. The most up to date advisory information will always be at: https://kb.isc.org/article/AA-00729 please use this URL for the most up to date advisory information. Title: Heavy DNSSEC Validation Load Can Cause a Bad Cache Assertion Failure

BIND 9.7.6-P2 is now available

Introduction BIND 9.7.6-P2 is the latest production release of BIND 9.7. This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P2. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can

BIND 9.6-ESV-R7-P2 is now available

Introduction BIND 9.6-ESV-R7-P2 is the latest production release of BIND 9.6-ESV. BIND 9.6-ESV is an Extended Support Version of BIND 9. This document summarizes changes from BIND 9.6-ESV-R6 to BIND 9.6-ESV-R7-P2. Please see the CHANGES file in the source code release for a

BIND 9.8.3-P2 is now available

Introduction BIND 9.8.3-P2 is the latest production release of BIND 9.8. This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P2. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can

BIND 9.9.1-P2 is now available

Introduction BIND 9.9.1-P2 is the latest production release of BIND 9.9. This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P2. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can

Re: BIND 9.8.3-P2 is now available

On 30/07/12 06:50, John Marshall wrote: On 25/07/2012 04:04, Cathy Almond wrote: Introduction BIND 9.8.3-P2 is the latest production release of BIND 9.8. Would whoever is responsible for release announcements please note that this wasn't announced on bind-announce. I haven't had time

Re: What does deleted from unreachable cache mean?

On 19/07/12 00:49, Peter Olsson wrote: Hello! After my latest bind upgrade our slave server started occasionally writing these messages to the log: master 2a02:::::2#53 (source ::#0) deleted from unreachable cache master 62.xxx.xxx.2#53 (source 0.0.0.0#0) deleted from

Re: What does deleted from unreachable cache mean?

On 02/08/12 19:00, Michael Hoskins (michoski) wrote: -Original Message- From: Peter Olsson p...@leissner.se Date: Thursday, August 2, 2012 10:25 AM To: Cathy Almond cat...@isc.org Cc: bind-users@lists.isc.org bind-users@lists.isc.org Subject: Re: What does deleted from unreachable

Re: Problem with ACL in named.conf

On 30/08/12 03:19, GS Bryan wrote: My BIND version, as shown by 'named -v' is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6. 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever. -- Bryan S.G. You're correct - named-checkconf doesn't see the problem, but named errors

Re: Problem with ACL in named.conf

On 30/08/12 03:17, GS Bryan wrote: hmm... that explains it. Damn, DNSMadeEasy needs to have notify notices sent to a different IP set than their nameserver service. This means that I have to hardcode this myself. Another question then, if zone 'example.net' has the NS records of

Re: Bind 9.9.2 ADB Question Update

On 15/11/12 15:49, Manson, John wrote: The adb grow-names process? does not appear to be related to recursive cache as I cleared cache while monitoring syslog and the counter kept increasing. However a reload did start the adb grow-names process anew. Both shown below . . . Nov 14

Re: Bind 9.9.2 ADB Question Update

On 15/11/12 16:17, Cathy Almond wrote: On 15/11/12 15:49, Manson, John wrote: The adb grow-names process? does not appear to be related to recursive cache as I cleared cache while monitoring syslog and the counter kept increasing. However a reload did start the adb grow-names process anew

Re: rndc sign, auto-dnssec maintain and TYPE65534 record stickyness?

On 26/11/12 14:47, Phil Mayers wrote: All, Up front, I should note that this was on a hidden master server which was running 9.7.0 (since updated). So it may not work this way on current versions of bind. We (well, I) had a little accident recently when rolling a ZSK. We use auto-dnssec

Re: Preference of Master Name Servers

On 06/12/12 14:12, Matus UHLAR - fantomas wrote: On 05.12.12 17:28, David Hall wrote: Question 1: In our secondary / slave name servers we specify the master name servers in the normal manner: zone mysample.me.uk { type slave; file m/y/db.mysample.me.uk; masters { 10.10.100.12;

Re: Named stopped loging?

On 28/12/12 15:54, Manson, John wrote: Good Day Running 9.9.2 for about a month now with no worries. Today I noticed only the reload message in the namedlog and not the zone messages that are usually there after stopping and restarting the named process. Worked fine on the 26th but not

Re: Noisy messages from BIND about root hints change

On 07/01/13 17:14, Chris Thompson wrote: One (but only one) of our recursive nameservers, running BIND 9.8.3-P4 we got a whole lot of messages in the log as a result of last week's change of address for d.root-servers.net: Jan 4 06:24:08 recdns1.csx.cam.ac.uk named[9496]: general: warning:

Re: Define an internal zone with only a couple of A records, then forward to an external dns server

On 17/01/13 15:16, wbr...@e1b.org wrote: Alberto wrote on 01/17/2013 10:09:00 AM: - I want to define in my dns server a zone external_partner.com, which is the domain of our partner who manages it with his dns public server dns.external_partner.com. - I need to define into this zone a

Re: disabling lame server logging

On 26/02/13 21:34, Bryan Harris wrote: Hi Robert, On Feb 26, 2013, at 2:23 PM, Robert Moskowitz r...@htt-consult.com wrote: On 02/26/2013 01:57 PM, Doug Barton wrote: On 02/26/2013 10:38 AM, Robert Moskowitz wrote: I would like a scalpel for lame logging, but probably would not discover

Re: Stalling slave transfers

On 08/05/13 19:15, Tom Sommer wrote: On 5/8/13 12:25 PM, Cathy Almond wrote: On 08/05/13 08:26, Tom Sommer wrote: Hi, I have a problem with one of 3 slave servers, all set up the exact same way, with the exact same bind version and configuration. One slave has a problem transfering zones

Re: Stalling slave transfers

On 15/05/13 15:58, Tony Finch wrote: Tom Sommer m...@tomsommer.dk wrote: That works fine, but I think I figured out the problem, it was due to the server having acquired a 2nd (autodiscovered) IPv6 address, and it was using that as transfer source. It would be very helpful if the logfile

Re: redirecting root hints to fake internal root server

On 27/08/13 21:28, Kevin Darcy wrote: On 8/27/2013 1:07 PM, Colin Harvey wrote: My environment is firewalled from the real world. For queries on zones to which I'm not master, I want to recurse to a corporate server. nslookup some.internal.hostname.com internal.corporate.server works fine.

Re: Slave displaying all domain info when using $INCLUDE on master

On 05/09/13 09:54, Jobst Schmalenbach wrote: Hi. I have a master/slave combo, the master is ok, displays the correct info when queried, but the slave displays too much info, including the internal stuff. The master uses two zone files (*internal and *external) that each include

Re: caps compiling error

On 26/11/2013 16:56, Paul A wrote: Yeah I have compline Bind on that machine many times currently I'm on BIND 9.8.4-P2. Not sure what header file is missing. -Original Message- From: bind-users-bounces+razor=meganet@lists.isc.org

Re: Unable to transfer IPv4 reverse zone

On 19/12/2013 23:32, Daniel Lintott wrote: I have now tried recreating the zone file on the master, removed and re-added the configuration for the zone on both master and slave, yet still I am unable to transfer the zone. I have also added the following logging to the master server:

Re: Unable to transfer IPv4 reverse zone

It might be a silly question - but have you checked how many instances of named you have running on the master (thinking that you might not be 'talking to' the one you think you are)? Cathy ___ Please visit

Re: changing NSEC3 salt

On 05/02/2014 18:54, David Newman wrote: The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every time a zone's ZSK changes. Is this just a matter of a new 'rndc signing' command, or is some action needed to remove the old salt? thanks dn rndc signing -nsec3param ... I

Re: changing NSEC3 salt

On 06/02/2014 12:58, Timothe Litt wrote: On 06-Feb-14 05:56, Cathy Almond wrote: On 05/02/2014 18:54, David Newman wrote: The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every time a zone's ZSK changes. Is this just a matter of a new 'rndc signing' command, or is some action

Re: how to modify the cache

Use a stub zone if you want to override published NSes _without_ crossing the very-important boundary between iterative and recursive resolution. Actually no - use static-stub (newer versions of BIND) - otherwise the NS records received from the zone may override the NS that you want to use.

Re: Bind vs flood

On 28/02/2014 17:57, Chris Buxton wrote: On Feb 28, 2014, at 2:12 AM, Jason Brown jason.br...@kcom.com mailto:jason.br...@kcom.com wrote: But, it will respond with a valid response (your choice) and therefore not create a servfail due to trying.. that’s my point. ** Nope. RPZ only

Re: Problem dlz_mysql_driver

On 04/06/2014 08:25, Claudia Koch wrote: Hello, I've a installation of bind 9.4.0 with dlz_mysql_driver and I have a zone test.de. In this zone I have a record *.dev IN A 1.2.3.4 With dig a.dev.test.de I've get the answer 1.2.3.4. Now I like to do a update to debian 7.0 and I compile

Re: stub zones

On 02/06/2014 23:38, John Miller wrote: So... without stub zones, you know the drill: your local resolver follows delegation, starting from the root nameservers. Delegation happens, and life is good. If you're running views, then things work fine as well: your view just needs to be

Re: unable to obtain neither an IPv4 nor an IPv6 dispatch

It might have something to do with the number of CPUs that named detects when it starts, which (by default) drives how many listening tasks it starts per listening interface. BIND 9.10 changed the defaults slightly, but you can also control how many listening tasks per interface using the -U

Re: Bind 9.9.5 high CPU and when will Bind9.8 EOL?

Have a look at reducing -n to the number of physical cores (which might be 4 or 8) and then also have a look at -U (number of listening tasks per interface). Multiple listeners defaults to -n (number of worker threads). It's worth trying some tuning experiments from n/2 to n-1. What works best

Re: unable to obtain neither an IPv4 nor an IPv6 dispatch

On 24/07/2014 01:35, Matthew Calder wrote: At the moment I'm limited to using 2 UDP listeners per interface. When stress testing I can see that only 2 out of 4 CPUs are being used, I'm guessing because I'm limited to 2 listeners. Any suggestions for what could be limiting BIND from using a

Re: bind-9.10.0-P2 memory leak?

... Heh thanks, yeah...initially I was erring on the side of caution and using 9.9.x because it's served us well (~20k recursive clients without any significant problems). Meanwhile we've been keeping a close eye on community comments, and to be honest opinions wax and wane. Just as I think

Re: something about rrl

On 22/09/2014 11:55, 陈超 wrote: Dear developers, I've recently encountered a problem with the response rate limit of bind-9.9.5. That is,after I configured RRL and started named,I noticed for those queries,BIND9 would do recursion first,and check the rate limit to decide whether it

Re: BIND listen backlog too small

On 16/10/2014 23:52, Shawn Zhou wrote: Thanks Mark. That's what I was looking for! On Thursday, October 16, 2014 3:36 PM, Mark Andrews ma...@isc.org wrote: 2fd63cf5 (Mark Andrews 2003-04-10 02:16:11 + 279) tcp-listen-queue integer; More info here too:

Re: named assertion failure

On 06/01/2015 04:11, James Brown wrote: Running BIND 9.10.1-P1 on Mac OS X 10.10.1. It’s been running fine - no problems until this morning, when I got: 06-Jan-2015 01:33:33.356 transfer of 'rpz.spamhaus.org/IN/external' http://rpz.spamhaus.org/IN/external' from 199.168.90.51#53: Transfer

Re: Different answer when querying @server from different clients

On 08/03/2015 16:00, Steven Carr wrote: On 8 March 2015 at 13:50, Barry S. Finkel bsfin...@att.net wrote: Using +trace with @8.8.8.8 ignores the @8.8.8.8, as that server is never queried when the query starts at the root and moves down the DNS tree to authorized servers. Incorrect,

Re: delay between nsupdate and NOTIFY

On 05/06/2015 07:39, Charles Musser wrote: Adjust serial-query-rate. This also controls the notify rate in BIND 9.9. A seperate control notify-rate is coming in BIND 9.11. Today we tried increasing serial-query-rate from our original value of 1000 up to 5000 for a while, and then up to

Re: Issue in calling same zone in more than one VIEW

On 29/05/2015 10:39, Gaurav Kansal wrote: Thanks for information. Is there any other way by which I can define the zone (which are same for all views) outside the view or anything else by which I don't need to replicate the file for all the views. Regards, Gaurav Kansal -Original

Re: Negation in view match-clients ACL doesn't work?

On 04/08/2015 21:29, Darcy Kevin (FCA) wrote: The short answer is that that is how address-match-lists work: a non-negated match allows access, a negated match denies access, and if there is *no* match, access is denied. The only real reason to use a negated match, therefore, is when what

Re: rndc status field meaning please

Hi, I don't think we do document the output from rndc status explicitly line by line in the BIND Administrator Manual, so I'll respond to your questions below, and I'll see about getting the documentation updated. For anything else you need to know, please refer to the manuals

Re: BIND slave server ignoring responses to all UDP-based SOA queries (zone refresh) for hours at a time

What can happen (and this is really really subtle) is that if there are some source ports that named could randomly select, but where intermediate firewalls or filters are just dropping, either the SOA refresh queries, or the responses, then named can 'get stuck' on using and re-using the same

Re: root hints operation

On 17/11/2015 02:31, Grant Taylor wrote: ... > The idea that a (maliciously) blank root.hints file would prevent BIND > from using the compiled in version is new to me. If someone *could* maliciously replace a file on your DNS server with a blank one, you have more problems than just a blank root

Re: Bind bind high recv-q

On 04/12/2015 12:34, Tony Finch wrote: > Søren Andersen wrote: >> >> I'm experiencing some strange problems with my bind installation. - I >> notice my bind recv-q is quite high sometimes.. therefore my DNS clients >> can experience DNS lookup to take 1-4 secs. My bind is running

Notice: scheduled maintenance on lists.isc.org commencing 0200 UTC Thursday June 23 2016

ISC's Operations Team will be performing software upgrades on lists.isc.org commencing on Thursday June 23 2016 at 0200 UTC Our online mailing list information and list archives will be unavailable during this period, and any postings to the lists will be held and distributed once the maintenance

Re: named and use of resolv.conf? - how to "learn" this

On 03/08/2016 14:59, Matthew Pounsett wrote: > > > On 2 August 2016 at 19:50, Evan Hunt > wrote: > > On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote: > > Yes it will. But, as far as I understand, it uses the recursive code > paths

  1   2   >