MNAME not a listed NS record

2013-01-16 Thread Dave Warren
diagnostic tools throw warnings, but as far as I can tell from the RFCs, this is a valid configuration. Is it valid? Are there any operational gotchas to be aware of or can I ignore the warnings? -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: MNAME not a listed NS record

2013-01-16 Thread Dave Warren
BIND at all right now, the only dynamic zones we currently host are internal-only on Microsoft DNS and update via AD, so I think we'll be safe in this regard. Thanks! -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: MNAME not a listed NS record

2013-01-16 Thread Dave Warren
on a somewhat overloaded server, so it just makes more sense to push external traffic to more ideal services. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users

Re: broken ISP in china

2013-02-19 Thread Dave Warren
. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-19 Thread Dave Warren
you need to understand? -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: spf ent txt records.

2013-03-13 Thread Dave Warren
my management interface to encourage SPF records, and to automatically create matching TXT records, but only because it's easier to sanity check when I know the intent is SPF. I almost wouldn't bother with SPF records these days though, except that the code was already written. -- Dave Warren

Re: spf ent txt records.

2013-03-13 Thread Dave Warren
On 3/13/2013 17:11, Noel Butler wrote: On Wed, 2013-03-13 at 14:43 -0700, Dave Warren wrote: I almost wouldn't bother with SPF records these days though, except that the code was already written. # grep SPF maillog |grep -c '\-all' 2438 # grep SPF maillog |grep -c '\~all' 7509 Can you

Re: How to minimize the downtime in my case

2013-03-15 Thread Dave Warren
hit the old NS and some would hit the new NS until the records aged out of caches, but as long as the other records are identical, users will hit the same web servers, the same MX, etc. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: spf ent txt records.

2013-03-18 Thread Dave Warren
to ignore would help at this point. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Multiple masters for slave zone

2013-03-18 Thread Dave Warren
? I've been meaning to test this in the real world, but if anyone can tell me, it would save a bit of time :) -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Multiple masters for slave zone

2013-03-19 Thread Dave Warren
On 2013-03-18 23:12, Steven Carr wrote: On 18 March 2013 23:08, Dave Warren li...@hireahit.com wrote: Does it actually check each master for a serial number, or does it stop at the first one queried if it has a higher-than-current serial number? It would have to otherwise how would it know who

Re: Simple question about zone and CNAME

2013-04-05 Thread Dave Warren
this is less of a factor. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Simple question about zone and CNAME

2013-04-08 Thread Dave Warren
) and we can just lie to the AD servers and use them as the bare domain name. It's just just the servers though, it's any client that needs to access Active Directory resources that might potentially hit the web server when it's looking for your AD environment. -- Dave Warren http

NS geo-distribution

2013-04-29 Thread Dave Warren
to return slower results on average since a potential user would have a 1/3 chance of hitting a NS with a higher latency? I realize that the difference isn't very significant in the grand scheme of things, but it's always nice to shave a few ms off of initial page load times. -- Dave Warren http

Re: NS geo-distribution

2013-04-29 Thread Dave Warren
On 2013-04-29 21:35, Gary L. Burnore wrote: I would contend that fast initial page load times is achieved through blazing web servers and a wide data path. It sure doesn't hurt, but introducing ~200ms of DNS lookups sure won't make things any faster. -- Dave Warren http://www.hireahit.com

Re: NS geo-distribution

2013-04-30 Thread Dave Warren
I've probably spent more time thinking about it than I'll possibly save anyone else anyway, so perhaps that's my answer. I appreciate all the input. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: architecture question

2013-05-08 Thread Dave Warren
as well with NS delegations. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: architecture question

2013-05-08 Thread Dave Warren
, at least until they run into enough problems to frustrate them into something more compatible with current practice. I made the same mistake many moons ago and I'm still stuck with it. I wish I'd known better. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: architecture question

2013-05-09 Thread Dave Warren
On 2013-05-09 11:27, Jeremy P wrote: I certainly didn't intend to spark off such a firestorm with my original question. I have learned a lot from the debate though. On the question of what to use with students, it is a fine thing to say we should only do things the way they are done in real

Re: architecture question

2013-05-09 Thread Dave Warren
. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: architecture question

2013-05-10 Thread Dave Warren
On 2013-05-10 16:39, b...@bitrate.net wrote: On May 10, 2013, at 01.18, Dave Warren da...@hireahit.com wrote: On 2013-05-08 11:13, btb wrote: it's also mildly humorous that they used to quite religiously endorse .local, in some documents even categorizing use of the same domain name

Re: does zone trump forward?

2013-06-05 Thread Dave Warren
routing and DNS. You're not taking over their territory just yet, just adding yours to theirs. Politics aside, it solves the technical issues without butchering DNS or adding excessive unreliability. But then I just hate forwards. Burned 1000x times, lesson learned :) -- Dave Warren http

Re: does zone trump forward?

2013-06-05 Thread Dave Warren
fat nor reliable. See #1 and #2 above. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: any requests

2013-06-05 Thread Dave Warren
on powerful, well connected boxes. Either way, when you're playing with a single test domain, experimentally, they'll absolutely expire just the way anybody else does. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

RRL and avoiding contributing to DDoS (Was: How to suppress ADDITIONAL SECTION per zone)

2013-07-05 Thread Dave Warren
to performance) -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Bind99 and a slave named server

2013-08-18 Thread Dave Warren
. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Bind99 and a slave named server

2013-08-18 Thread Dave Warren
On 2013-08-18 16:36, LuKreme wrote: On 18 Aug 2013, at 14:06 , Dave Warren da...@hireahit.com wrote: Change the zones from master to slave in your named.conf? There really isn't much more to it than that, assuming you have a new authoritative master is already configured and serving

Re: Refreshing cache in other DNS Servers

2013-10-16 Thread Dave Warren
On 2013-10-16 09:47, Manson, John wrote: I would add that Windows PC OSs by default have the dns client cache set to 'enable'. Yes. And like Windows Server's DNS cache, these honour TTLs too, so as long as TTLs are set properly, it's not an issue. -- Dave Warren http://www.hireahit.com

Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Dave Warren
On 2013-11-06 01:04, Steven Carr wrote: This is all explained clearly on their website... http://www.spamhaus.org/organization/dnsblusage/ Perhaps you can point out where on that page RPZ is mentioned? -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Dave Warren
On 2013-11-06 06:08, Steven Carr wrote: On 6 November 2013 11:19, Dave Warren da...@hireahit.com wrote: Perhaps you can point out where on that page RPZ is mentioned? The Spamhaus news article announcing the beta RPZ service (http://www.spamhaus.org/news/article/669/) indicates

Re: Forward zone giving SERVFAIL

2013-11-28 Thread Dave Warren
memory recalls, there were so many minor disasters during testing on that roll-out that I might have some details off in my brain, but if this doesn't help, I'll ask around and see. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Query regardign CNAME

2014-01-01 Thread Dave Warren
. But this doesn't helps. I want to ask is it possible to have a CNAME configuration by which I can divert all queries for my xyz.gov.in domain to xyz.in domain. That sounds roughly like a possible use for a DNAME record, I believe. -- Dave Warren http://www.hireahit.com/ http

Re: Sites that points their A Record to localhost

2014-01-10 Thread Dave Warren
that include non-routable IP addresses outside of expected/predictable locations. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Sites that points their A Record to localhost

2014-01-10 Thread Dave Warren
. But it's an imperfect world. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Recursive no; implications?

2014-01-22 Thread Dave Warren
farms/points, it can potentially assume that that query is part of an attack and rate limit much more drastically than is normally done. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren The cigarette does the smoking, you're just the sucker

Re: Variable SOAs in negative responses

2014-01-28 Thread Dave Warren
for listing (or at least not candidates for automated listing), why not let DNS caches keep that information for as long as possible? -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren Usenet is like a herd of performing elephants with diarrhea -- massive, difficult

Re: Monitoring Zonefiletransfer

2014-02-19 Thread Dave Warren
are in those recently added/modified records, so if you just plan for 15 minute update times for non-MS secondaries to sync up and ignore the periodic serial is lower than expected warnings, multi-mastering works fine in practice. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com

Re: whois expiration limit?

2014-02-19 Thread Dave Warren
shall not exceed ten years. In reality, they'll probably issue the renewal automagically once you're under the 9-year mark and the domain is renewal-eligible. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: whois expiration limit?

2014-02-19 Thread Dave Warren
party or the other doing something and the other promising to do something later. Luckily registrars don't have much of an incentive to jerk people around, saving themselves $9 isn't worth the lawsuit and potential loss of accreditation. -- Dave Warren http://www.hireahit.com/ http

Re: Internal clients' queries for myhostname. get sent to forwarders. Why?

2014-03-10 Thread Dave Warren
sense in the high-latency, well maintained DNS server worlds of yester-year, but today, you'll probably do a better job of doing your own recursion if only because most ISPs do a terrible job of their own DNS servers. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com

Re: Bind 9.9.1 forward zone local

2014-03-25 Thread Dave Warren
with this configuration. Switching BIND to use hints instead of acting as a root seems to work around this (broken) local configuration. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: How to setup a backup NameServer?

2014-04-29 Thread Dave Warren
like Google? -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: How to setup a backup NameServer?

2014-05-03 Thread Dave Warren
network might be a good choice in a large environment. If your connectivity is so badly interrupted that you can't pull off DNS queries against authoritative servers, there's little value to keeping DNS up since everything else is basically down at this point. -- Dave Warren http

Re: Multi-master (HA)

2014-05-08 Thread Dave Warren
expect zones drifting out of sync or having minor differences to be a big factor since it happens in the wild already. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-08 Thread Dave Warren
at the same level. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-08 Thread Dave Warren
On 2014-05-08 07:45, Barry Margolin wrote: In article mailman.171.1399542062.26362.bind-us...@lists.isc.org, Tony Finch d...@dotat.at wrote: Dave Warren da...@hireahit.com wrote: DNSMadeEasy calls this an ANAME record, internally they just lookup the destination's IP and cache it, updating

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-08 Thread Dave Warren
On 2014-05-08 15:09, Mark Andrews wrote: In message 536bcced.8060...@hireahit.com, Dave Warren writes: On 2014-05-08 07:45, Barry Margolin wrote: In article mailman.171.1399542062.26362.bind-us...@lists.isc.org, Tony Finch d...@dotat.at wrote: Dave Warren da...@hireahit.com wrote

Re: Multi-master (HA)

2014-05-08 Thread Dave Warren
timestamp for zone serial avoids issues of multiple admins incrementing serial without noticing others and/or collisions with DNSSEC's incrementing of serials.) Dave Warren replied: I wouldn't expect any real issues here, Windows DNS has done multimaster DNS since Windows 2000. In the case

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-12 Thread Dave Warren
out how to phrase your three wishes to an evil genie. CNAME the apex? As you wish, master... mwahahaha! -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: DMARC Record issue

2015-01-05 Thread Dave Warren
=DMARC1\; p=reject\; rua=root@dns-test-1.domain\; aspf=s\; rf=afrf\; sp=reject http://www.dmarc.org/faq.html#s_12 has some information on what is happening here. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: do not stupidly delete ZSK files

2015-08-06 Thread Dave Warren
in any reasonable level of time, it would be equally feasible to invest in 2x-8x the hardware and start breaking roots in under 3 months. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Version Number

2015-08-24 Thread Dave Warren
on 4.9.4-P1, with a possible reference to Win98SE for some roles (depending on which system manages their configuration), just in case anyone looks. Nobody seems to care. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Help DNS

2015-08-24 Thread Dave Warren
for our typical customer, and we can offer dynamic zones to customers that need it. I don't think we have any of those left anymore. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Adding DNS ALG support to Bind?

2015-11-02 Thread Dave Warren
d, one would probably not enable this functionality. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: DNS Negative Caching

2015-08-28 Thread Dave Warren
to the legacy use of this field. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: How are DNS Records added dynamically in DNS Servers?

2015-09-08 Thread Dave Warren
, but there are at least three different serial numbers being returned by those various servers, with different TTLs on the NS records depending on which server you query. I wonder if they're in the process of updating and the records only partially updated? Odd that it was served at all though. -- Dave Warren

Re: root hints operation

2015-11-17 Thread Dave Warren
On 2015-11-17 14:13, Mark Andrews wrote: In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes: On 2015-11-16 18:09, Grant Taylor wrote: It's my understanding that ALL of the root servers would have to change all of their addresses at the same time for DNS to be impacted. Or,

Re: Overriding a single record with dynamic-dns

2016-01-29 Thread Dave Warren
m. in a separate zone entirely, allowing you to use views for that that one zone? -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: frequent queries to root servers

2016-01-29 Thread Dave Warren
only violates a "should", and later in that RFC it says that software "should not" fail to handle chains, so even if you take a "should" as gospel, the "should not" should be equally gospel, making CNAME chains supported (although not advised.) -- D

Re: Tuning for lots of SERVFAIL responses

2016-02-18 Thread Dave Warren
resolvers be as ignorant about internal infrastructure as possible. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Tuning for lots of SERVFAIL responses

2016-02-19 Thread Dave Warren
value took care of it. It's not perfect, it could be better, but it worked with a minimum of hassle. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-18 Thread Dave Warren
that list up to date. It was just faster to code up a sloppy /etc/hosts script to update a handful of critical records. Lame reasons, but it works well enough and hasn't blown up in my face yet. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-21 Thread Dave Warren
On 2016-03-19 19:03, Barry Margolin wrote: In article <mailman.398.1458363747.73610.bind-us...@lists.isc.org>, Dave Warren <da...@hireahit.com> wrote: My current logic is that I do a SOA query and check the serial number, if it has changed, I query every needed hostname into

Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-25 Thread Dave Warren
On 2016-03-24 18:28, Barry Margolin wrote: In article <mailman.454.1458858570.73610.bind-us...@lists.isc.org>, Dave Warren <da...@hireahit.com> wrote: On 2016-03-24 15:20, Tony Finch wrote: Dave Warren <da...@hireahit.com> wrote: On 2016-03-24 09:46, Ray Bellis wrote: O

Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-25 Thread Dave Warren
On 2016-03-25 07:21, Barry Margolin wrote: In article <mailman.456.1458889802.73610.bind-us...@lists.isc.org>, Dave Warren <da...@hireahit.com> wrote: I'm more interested in the impact from the perspective of an authoritative server operator and in some respects sites that us

Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Dave Warren
self" that there are missing records that need to be replaced, what would be the point of keeping any records with a longer TTL? A resolver would still be sending the same queries to refresh the entry with the shortest TTL anyway, so it wouldn't reduce the query volume. -- Dave Warren http://www.hi

Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Dave Warren
olvers, what is the longest TTL that has any utility? -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: g.root-servers.net not reachable anymore

2016-04-17 Thread Dave Warren
roots, not an absolute list of root servers. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: getting not authoritative with some notifies - Solved

2016-07-30 Thread Dave Warren
, or the zone eventually expires? -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: getting not authoritative with some notifies - Solved

2016-07-31 Thread Dave Warren
soon after they move, whether they notify you or not. Or, separate your resolver and authoritative roles, in which case this won't be an issue. One should still monitor for zones for customers who have departed, obviously, but it's not likely to cause any operational issues. -- Dave Warren

Re: Additional Section - TXT Format?

2016-07-08 Thread Dave Warren
wer, should not be cached in such a way that they would ever be returned as answers to a received query. It'll also, irrespective of caching, break DNSSEC. Whatever you're trying to do, this is not the right way to do it; you cannot arbitrarily add data to zones that are not under your control. What

Re: Guidelines for role separations forwarding vs authoritative

2016-07-08 Thread Dave Warren
the master, but renumbering the master without any other changes is also moderately trivial as updating the slaves can (and is) scripted. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: Need of caching on bind server

2016-08-25 Thread Dave Warren
> I am trying to understand why caching is required on the bind server, > when the client receiving the responses would be caching based on TTL > values. > > So, > Is caching required on the server, if the client is not able to > cache such responses? Isn't it a overhead on both the client and

Re: Request reverse dns mapping advice

2016-09-05 Thread Dave Warren
On Mon, Sep 5, 2016, at 09:46, John Levine wrote: > >1. pick a primary domain from the list of virtual hosts (example2.com) > >2. use the "real" host name of the server (juvat.example1.com) > >3. the mail server name (mail.example1.com) > >4. the dns server name (ns2.example1.com) > >5.

Re: Request reverse dns mapping advice

2016-09-07 Thread Dave Warren
On 2016-09-06 08:01, Bob Harold wrote: I agree with one PTR per IP. But since you have 5 IP's, you can have one PTR record on each, just be sure there is a matching forward "A" record. Your list of 5 names looks good, but only if each service uses the corresponding IP for its outgoing

Re: Forwarding via different external networks

2016-08-28 Thread Dave Warren
On Sat, Aug 27, 2016, at 11:32, Paul Kosinski wrote: > So my question is, is it possible to configure my forwarding BIND to > have a primary and *secondary* path for sending out DNS queries? As far > as I can tell, the "query-source address" option in named.conf only > allows one outbound

Re: Forwarding via different external networks

2016-08-29 Thread Dave Warren
On Sun, Aug 28, 2016, at 19:22, Paul Kosinski wrote: > "... whatever else you use to failover from the primary to the > secondary would automatically ensure BIND resolves too." > > That's the root of the problem: there is no automatic failover, and > providing one is a lot of work. I was hoping

Re: SPF and domain keys

2016-08-29 Thread Dave Warren
The easiest answer is: Whatever you want. Strictly speaking, alphazulu.com can send mail on behalf of foxtrot.com using a alphazulu.com DKIM selector, and that's perfectly valid under DKIM. However, it won't have DMARC alignment, which is becoming more and more important, so if alignment is

Re: The DDOS attack on DYN & RRL ?

2016-11-03 Thread Dave Warren
On Tue, Nov 1, 2016, at 07:45, Ben Croswell wrote: > The other option being having a master owned by your company and then > setting both external providers to secondary from your master. You to > maintain control over data and have diversity. I use this approach here, it's proven to be very

Re: Unable to slave root zones

2017-04-08 Thread Dave Warren
On Fri, Apr 7, 2017, at 08:22, Thomas Leuxner wrote: > * Mark Knight 2017.04.07 16:36: > > > masters { > > 192.5.5.241;// F.ROOT-SERVERS.NET. > > }; > > Hi Mark, > > I had the same issue basically. Tracing the zone transfers with dig it >

Re: Email & PTR Issues [Solved]

2017-11-09 Thread Dave Warren
On 2017-11-07 13:09, John Levine wrote: In article you write: I have issues emailing to certain domains. I use my own mail server to deliver mail. It is currently not sending through SMTP Relay. The failure says that I have a

Re: Stopping name server abuse

2018-06-26 Thread Dave Warren
On Tue, Jun 26, 2018, at 11:27, Reindl Harald wrote: > > > Am 26.06.2018 um 20:18 schrieb Dave Warren: > > At the end of the day, I doubt there is much you can do legally, the only > > real solutions are technical by returning answers that will discourage >

Re: Stopping name server abuse

2018-06-26 Thread Dave Warren
On Tue, Jun 26, 2018, at 11:54, Reindl Harald wrote: > > > Am 26.06.2018 um 20:50 schrieb Dave Warren: > > On Tue, Jun 26, 2018, at 11:47, Reindl Harald wrote: > >> > >> Am 26.06.2018 um 20:36 schrieb Dave Warren: > >>> On Tue, Jun 26, 2018, at 11:27,

Re: Stopping name server abuse

2018-06-26 Thread Dave Warren
On Tue, Jun 26, 2018, at 11:47, Reindl Harald wrote: > > Am 26.06.2018 um 20:36 schrieb Dave Warren: > > On Tue, Jun 26, 2018, at 11:27, Reindl Harald wrote: > >> > >> > >> Am 26.06.2018 um 20:18 schrieb Dave Warren: > >>> At the end o

Re: Stopping name server abuse

2018-06-26 Thread Dave Warren
On Tue, Jun 26, 2018, at 01:28, Matus UHLAR - fantomas wrote: > On 25.06.18 09:06, Dave Warren wrote: > >Absent a situation where the customer has agreed to purchase this service, > > the only result sending an invoice would have is that you have increased > > your loss

Re: Stopping name server abuse

2018-06-25 Thread Dave Warren
On Sun, Jun 24, 2018, at 15:48, Mukund Sivaraman wrote: > On Sun, Jun 24, 2018 at 04:30:08PM -0400, Alex wrote: > > Hi, > > We had a former customer who parked about 300 domains with his > > registry on our server but is no longer a customer and hasn't moved > > his domains. There aren't any hosts

Re: how two dns bind master sync?

2018-08-24 Thread Dave Warren
On 2018-08-23 14:15, Grant Taylor via bind-users wrote: On 08/23/2018 01:20 PM, Barry S. Finkel wrote: Somehow, under the covers, AD synchronizes the zones so that they have the same content. It's my understanding that MS-DNS servers hosting AD Integrated zones are actually functioning as

Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread Dave Warren
On 2018-02-28 10:57, G.W. Haywood via bind-users wrote: Hi there, On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote: Good morning, I'm trying to make it more difficult for an attacker to get my DNS server version. Waste of time.  The attacks are automated, and will be mounted

Re: Odd behavior on a secondary server

2018-03-22 Thread Dave Warren
On Thu, Mar 22, 2018, at 11:01, @lbutlr wrote: > On 2018-03-22 (08:13 MDT), John Miller wrote: > > > > Is this normal or am I missing something. > > It is normal. It is confusing, but it is normal. Think of it as a "freshness" date rather than a "modified" date and it

Re: Question about visibility

2018-10-24 Thread Dave Warren
On 2018-10-24 07:24, Timothy Metzinger wrote: There's no security in obscurity.  Automated port scanners will sweep your system in a couple of seconds. There is *limited* security in obscurity but it's a valid layer. Obviously insufficient as an only layer... As a trivial example, I get

Re: NTP through DNS?

2018-09-23 Thread Dave Warren
On Sun, Sep 23, 2018, at 03:24, Ray Bellis wrote: > On 22/09/2018 02:39, Danny Mayer wrote: > > > No, that's not true. Consider what you are doing. You are substituting > > SRV records for CNAME records. There is nothing magical here. NTP can > > use the CNAME records. Either way the records have

Re: Is it possible to use nsupdate with EDNS0?

2019-01-17 Thread Dave Warren
On 2019-01-17 08:03, Fumiya Obatake wrote: Thank you for your reply. Since it seems very difficult to realize, I will consider other solutions. The obvious solution would be to use TCP.

Re: BIND DNS Enable audit logs - Authoritative

2019-01-11 Thread Dave Warren
On 2019-01-11 11:55, Kevin Darcy wrote: I don't believe there is any logging category for this, even when zones are enabled for Dynamic Update, in which case the versioning is done automatically. There used to be a "journalprint" utility that one could run against the .jnl files to show the

Re: ISC Bind stops answering queries

2018-09-17 Thread Dave Warren
On Mon, Sep 17, 2018, at 06:07, Ian Collins wrote: > I have been running various versions of ISC Bind for a number of years > without any issues.> > My current server is a Windows 2012 R2 running 9.3.0 > <...> Does anyone have any idea what could be causing the server to > stop answering

Re: max file size or line count for BIND zone file

2019-04-25 Thread Dave Warren
On 2019-04-25 17:57, @lbutlr wrote: On 25 Apr 2019, at 06:10, Martin Meadows via bind-users wrote: Wondering if anyone is aware of a max file size or max number of lines that a given BIND zone file can contain? Thanks, Marty -- Martin Meadows MTA and DNS Administrator | Salesforce

Re: srv lookup in record

2020-08-21 Thread Dave Warren
On 2020-08-21 16:26, Marc Roos wrote: Is it possible to use srv lookups, like eg cname. I do not want to create SRV record, I just want to 'get' the ip addresses, that I would get via srv lookup. I don't think so, nor does it seem to make sense to me that you would want such a thing (in the

Re: getting answers from DNS queries

2022-05-03 Thread Dave Warren
On 2022-05-03 06:31, Gaurav Kansal wrote: Yup. But if the DNS infra is under my control, then definitely the keys (which i have used for encryption) will also be with me. Am i missing something here ? I'll see your privacy keys and raise you Perfect Forward Secrecy. Although I'm not

Re: Supporting LOC RR's

2022-05-03 Thread Dave Warren
On 2022-05-02 18:01, Timothe Litt wrote: Still, overall DNS seems to generate more problems than fun, so if LOC provides amusement, it's a good thing. I know one of my users found them quite amusing. I can't recall what location they picked or why, but it had some sort of personal

Re: DNSSEC validation without current time

2017-12-17 Thread Dave Warren via bind-users
On 2017-12-15 06:23, Petr Menšík wrote: Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a): Hi there, On Fri, 15 Dec 2017, Petr Menšík wrote: ... current time is not available or can be inaccurate. ntpdate? Sure, of course. What would be default host after installation, that

Re: DNSSEC validation without current time

2017-12-18 Thread Dave Warren via bind-users
On 2017-12-18 06:44, Timothe Litt wrote: On 18-Dec-17 01:07, Dave Warren wrote: On 2017-12-15 06:23, Petr Menšík wrote: Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a): Hi there, On Fri, 15 Dec 2017, Petr Menšík wrote: ... current time is not available or can be inaccurate
