Re: Change in zone file formatting after enabling allow-update (lots of $ORIGIN)

2023-09-23 Thread Darren Ankney
Hi, Have a look at nsupdate (https://bind9.readthedocs.io/en/v9.18.19/manpages.html#nsupdate-dynamic-dns-update-utility) as well. This can be used to update the zone without direct editing and thus no need for freezing and thawing. Thank you, Darren Ankney On Fri, Sep 22, 2023 at 3:43 PM Jan

Re: How do subdomains get discovered by adversaries?

2022-12-22 Thread Darren Ankney
I was just reading yesterday about one way this can be done. If you are using DNSSEC, the server, in order to sign a negative result, will use an NSEC record type which will contain some similar record to the missing record since it can’t sign an empty record. See below where I dig for

Re: What is the meaning of an ecs log

2022-12-07 Thread Darren Ankney
> On Thursday, 8 December 2022 at 01:56:57 UTC+1, Darren Ankney wrote: >> Is that the entire log message or just part of it? Is this a recursive or authoritative name server? What version of bind? >> Logging is covered in the manua

Re: What is the meaning of an ecs log

2022-12-07 Thread Darren Ankney
Is that the entire log message or just part of it? Is this a recursive or authoritative name server? What version of bind? Logging is covered in the manual though I don't really see a comprehensive explanation of message format (maybe it's there and I'm just not seeing it).

Re: [KASP] setup KASP in master / slave architecture

2022-12-12 Thread Darren Ankney
> The keys are generated on the master but not on the slaves, so I don't understand how the slaves can read their zone file which ends in ".signed" because they don't have the keys? (But it works with dig, I see DS with the right ZSK.) > Regards > Adrien Because the zone

Re: NXDOMAIN Analysis

2022-12-06 Thread Darren Ankney
The answers to both questions can probably be answered by logs (possibly a slightly different config than my example below). Have a look at the manual for logging: https://bind9.readthedocs.io/en/v9_18_9/reference.html#logging-block-definition-and-usage My guess is that you can gain insight to

Re: [KASP] setup KASP in master / slave architecture

2022-12-16 Thread Darren Ankney
> I don't understand why there is no .db.signed file on my slave knowing that a dig from a slave does return RRSIG. > zone "**" { type slave; masters { ** ; }; file "/ **/ ** / ** .db"

Re: [KASP] setup KASP in master / slave architecture

2022-12-15 Thread Darren Ankney
I have a simple “mylocal” zone setup with a primary and secondary server. my primary has this .jnl file: mylocal.jnl My secondary has this similar .jnl file: mylocal.saved.jnl which I believe was distributed via zone transfer. You find no such similar files on your secondary? If you dig

Re: How to configure, dig command support +subnet

2022-12-13 Thread Darren Ankney
It seems like you might also need "match-destinations" to be defined, at least that is how I interpret this: https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-match-destinations > On Dec 13, 2022, at 5:47 AM, 徐娅 wrote: > 25-Nov-2022 23:30:32.924 running on Linux

Re: forwarder cache

2022-11-29 Thread Darren Ankney
I have a sort of similar configuration to this in my home network. I have two recursive servers and two "authoritative" servers (for a domain I call "mylocal" which has forward and also in-addr.arpa for my inside network). These are all running on one Intel NUC. The only difference is that my

Re: forwarder cache

2022-11-29 Thread Darren Ankney
On Tue, Nov 29, 2022 at 5:27 PM Hamid Maadani wrote: > If I comment out the stale config options, reload and query test.com, I just > get this in logs: > 29-Nov-2022 21:57:49.931 queries: info: client @0x7f325e5a2108 > 192.168.56.1#57660 (test.com): query: test.com IN A +E(0) (172.17.0.3) >

Re: forwarder cache

2022-11-30 Thread Darren Ankney
I just noticed another difference between our configurations. You have: dnssec-validation yes; and I have dnssec-validation auto; The manual says you need additional configuration if you have "yes" set: https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#dnssec-validation-explained

Re: Ask for help with SERVFAIL

2022-12-02 Thread Darren Ankney
You can investigate cookies, if you think that is the issue, by setting options found in the manual. There are a few options: https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-require-server-cookie

Re: Finding dnssec validation failures in the logs

2023-01-24 Thread Darren Ankney
I looked in logs of my resolver in my home network and see a similar message from January 6th: 06-Jan-2023 17:09:23.677 dnssec: info: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure I interpret that to mean that someone’s DNS is misconfigured. I

Re: lame-servers: info: no valid RRSIG resolving

2023-01-27 Thread Darren Ankney
On Thu, Jan 26, 2023 at 3:26 AM duluxoz wrote: > > Hi All, > > Sorry for asking what is almost certainly a "noob" question, but I'm > seeing a lot of "lame-servers: info: no valid RRSIG resolving > './NS/IN':" messages in our auth_servers.log for the DNS Root Servers' > IPv4 addresses. Is this

Re: Bind listener to an IPv6 from AnyIP subnet

2023-03-12 Thread Darren Ankney
Just a quick question because I ran into this problem before... is it possible that named was started before the IP was added? On Sun, Mar 12, 2023 at 12:55 PM Serg via bind-users wrote: > Hello, I am trying to bind named listener to an IPv6 from prefix which is assigned to a system via

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Darren Ankney
This is failing for me regularly: $ dig ns3.gpo.gov +dnssec +norecurse @162.140.15.200 ;; communications error to 162.140.15.200#53: timed out ;; communications error to 162.140.15.200#53: timed out ;; communications error to 162.140.15.200#53: timed out ; <<>> DiG 9.18.11 <<>> ns3.gpo.gov

Re: How to use update-policy type "external"

2023-03-14 Thread Darren Ankney
Hi Vlad, Did you specify the socket filename (/tmp/sock from your update-policy example) when running it? According to the man page: https://bind9.readthedocs.io/en/v9_18_11/manpages.html#nsupdate-dynamic-dns-update-utility the final argument for the command line is an optional filename. If not

Re: PPA for Raspbian distros

2023-03-26 Thread Darren Ankney
Hi Bob, You could try the ISC packages for BIND on your Debian install. There are ISC maintained ARM packages available. Have a look at: https://www.isc.org/bind/ and scroll down to "installation". I am not familiar with Raspberry Pi, but there are a couple different flavors of ARM packages

Re: DNSSEC and forward zone

2023-04-19 Thread Darren Ankney
Hi David, You can disable validation on one or more domains using "validate-except" - https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except Thank you, Darren Ankney On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users < bind-users@

Re: Fully automated DNSSEC with BIND 9.16

2023-04-18 Thread Darren Ankney
On Tue, Apr 18, 2023 at 3:20 AM Havard Eidnes via bind-users wrote: > and if I run straight "upstream" code, it's fairly straightforward to upgrade to this version, modulo, of course, the fact that this involves building it from source. It may not be necessary to build from

Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-03 Thread Darren Ankney
You would probably need to attach your entire named.conf file (with sensitive bits (keys and the like) redacted and perhaps subnets obscured to examples such as 192.0.2.0/24, for example) before anyone would be able to help you. That being said, your update policy statements don't look correct to

Re: Intermittent issues resolving "labor.upload.akamai.com"

2023-02-03 Thread Darren Ankney
Since the dig output shows "SERVFAIL" it could also be this bug: * When an outgoing request timed out, named would retry up to three times with the same server instead of trying the next available name server. This has been fixed. [GL #3637] that was fixed in 9.18.11

Re: Resolve some hosts thats are dnssec signed differently

2023-02-05 Thread Darren Ankney
Matthias, This is what I did to force my resolver bind instance to lookup my internal domain directly on my authoritative bind instance without asking any other servers (would have failed anyway as it is a fake domain "mylocal"): // on resolver (or caching name server) zone "mylocal" { type

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-07-10 Thread Darren Ankney
Hi Håvard, I was curious about the additional section count dig is reporting. I had to do a packet capture to prove it to myself, but there is an additional records section returned in the answer from 183.47.126.169. It is the edns OPT pseudosection which is also shown in my dig output: % dig

Re: Unable to upgrade BIND v9.19.11 on Ubuntu without error

2023-07-10 Thread Darren Ankney
this is an included file that has your logging configuration? It would be helpful to see the named configuration. You can get that with named-checkconf -px which will hide any keys and pull in any includes. Thank you, Darren Ankney On Mon, Jul 10, 2023 at 3:59 PM Richard T.A. Neal wrote

Re: Bind query logging

2023-06-10 Thread Darren Ankney
log; }; Thank you, Darren Ankney On Sat, Jun 10, 2023 at 1:01 AM Kereszt Vezeték wrote: > > Hi > > logging { > channel update_log { > file "/var/log/bind/updates/update-debug.log" versions > 5 size 20m; >

Re: Bind query logging

2023-06-09 Thread Darren Ankney
Hi Zoltan, Can you share your entire logging {} block? Maybe there will be some clue there. Thank you, Darren Ankney On Fri, Jun 9, 2023 at 8:14 AM Kereszt Vezeték wrote: > Hi Everybody! > I have bind9 server with query logging setup. > It works well, but all of query regi

Re: zone [ ]

2023-07-31 Thread Darren Ankney
, Darren Ankney On Mon, Jul 31, 2023 at 11:53 AM Reese Wang wrote: > > I didn't find the format specification of in the documentation here > https://bind9.readthedocs.io/en/latest/reference.html#zone-block-grammar > > Can it contain wildcard characters? Will it cause probl

Re: rpz_rewrite(): failure

2023-05-10 Thread Darren Ankney
far more detail. nslookup usage is no longer recommended as it has been deprecated. As to this specific issue, I'm not sure. You might get more help from others, however, if you share your configuration. You can get a configuration scrubbed of keys using `named-checkconf -px` Thank you, Darren

Re: BIND Upgrade

2024-02-15 Thread Darren Ankney
Hi, You don't need to use the RHEL version of BIND. ISC supplies packages that you can add as described here: https://kb.isc.org/docs/isc-packages-for-bind-9 Thank you, Darren Ankney On Thu, Feb 15, 2024 at 8:02 AM Marco Moock wrote: > > Am 15.02.2024 schrieb Semra Türkkal Nazl

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Darren Ankney
Hi, Here is a (possibly) helpful guide that might be of use when migrating from auto-dnssec to dnssec-policy: https://kb.isc.org/docs/dnssec-key-and-signing-policy Thank you, Darren Ankney On Tue, Feb 27, 2024 at 1:01 AM Nick Tait via bind-users wrote: > > On 27/02/2024 13:22, Michael S