Re: Incremental transfers generate complete zone reloading

2023-01-15 Thread Fred Morris
roof do you have that the CPU usage correlates, and that it's a problem? What are the vendor's recommendations (for provisioning and operational management), and are you following them? -- Fred Morris -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from

Re: Correlation between NOTIFY-Source and AXFR-Source

2023-03-11 Thread Fred Morris
I've found myself in situations in the past where NOTIFY has been fetishized as "real time", and nobody ever ever asked which upstream server was being queried as a result. So this has been an eye-opening thread, and if I ever find myself in that situation again it'll give me something else to

Re: BIND 9.16.30 - $INCLUDE file in the rpz zone file not reloading content and dig not working

2023-03-16 Thread Fred Morris
s not picking up the updated include file and *nagesh3.com <http://nagesh3.com>* rpz rule is not working. Are you incrementing the SOA serial number? -- Fred Morris, internet plumber

Re: Response Policy Zone returns servfail for time.in Trigger

2023-04-08 Thread Fred Morris
Going forward, what is anticipated to be the proper configuration for that scenario? Thanks... -- Fred Morris -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at

Re: Delegation NS-records when zones share an authority server

2023-04-12 Thread Fred Morris
arate zones). In terms of NXDOMAIN and SOA queries, both state.ak.us and challenge.state.ak.us seem to do the right thing in terms of pretending to be separate zones, e.g. in the first case returning the correct domain in the AUTHORITY and in the second case returning the relevant SOA records d

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-16 Thread Fred Morris
orate / mitigate SERVFAIL utilizing RPZ. I'll try to pay more attention and see if I can isolate a test case if the problem recurs. (I was kind of hoping someone would have a solution!) -- Fred Morris On Fri, 16 Jun 2023, Crist Clark wrote: That should return a NXDOMAIN. Returning SERVFAI

Best way to handle multiple retries from BIND?

2023-06-25 Thread Fred Morris
e the best option regardless of the recursive server (BIND, Unbound, etc.)? Thanks in advance... -- Fred Morris

Re: Best way to handle multiple retries from BIND?

2023-06-26 Thread Fred Morris
has any need to access the data in the zone, whether directly or via BIND. -- Fred Morris

Re: Dynamic updates to multiple masters

2023-08-02 Thread Fred Morris
the scenario was in some ways different, was idempotence: the updaters would continue to attempt to update whatever the master was until it conformed to their ideal image, and their ideal image could change in consideration of what the zone held. -- Fred Morris, internet plumber

Re: Multiple master servers for the same zones

2023-09-05 Thread Fred Morris
Then "the usual" applies: set one of them to be a secondary and the master to allow zone transfers from it. Configure Notify if desired. Make sure it works, i.e. a zone transfer (AXFR / IXFR) occurs and the correct serial number is represented in the SOA. Pause for another scre

Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-07 Thread Fred Morris
dary in real time: if you store the data in a file, simply redefine the zone type and change type primary; to type secondary;. -- Fred Morris

Re: Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-07 Thread Fred Morris
Hi Greg. So somebody referenced this KB article because presumably it was tangentially relevant, but I don't know that the OP is working with standby infrastructure (good question!). All they say is that after an upgrade all servers were masters. The amount of direct relevance of the article

Dnstap Re: Deprecation notice for BIND 9.20+: Unix Domain Sockets for control channel (rndc)

2023-09-12 Thread Fred Morris
could get multicast (without a T/MG), but that doesn't allow for the Dnstap overhead since DNS message sizes are already capped at the maximum possible size of a UDP message. Doing nothing is an option. ;-) Thanks for all the work you do... -- Fred Morris

Re: consolidating in-addr.arpa data

2023-09-15 Thread Fred Morris
over what's in the MS DNS zone, at least as seen when BIND is queried. Rear View RPZ (https://github.com/m3047/rear_view_rpz/) watches (BIND) Dnstap telemetry for A/ queries and uses it to update PTR records in an RPZ, as an example. -- Fred Morris

Re: Help about DNS documentation

2023-11-03 Thread Fred Morris
ve knobs in the zone data, the server, the networking stack and all of intermediating routers to twiddle. You can throw "buffer bloat" in there too. It's interesting that Dig automagically tries TCP first with ANY queries, since that is not the default behavior with e.g. A

Re: Help about DNS documentation

2023-11-03 Thread Fred Morris
Internetworking with TCP/IP, Volume 1_. -- Fred Morris

Re: Deprecation notice for BIND 9: "resolver-nonbackoff-tries", "resolver-retry-interval"

2023-12-06 Thread Fred Morris
ave a lot of them; and is there any problem domain addressed by the DNS where that is more the case than name to address mapping? (Counterexample: PTR records, now more than ever.) I say go ahead, if nothing else consider it a "scream test". But can you take a moment and tell us whi

Re: Deprecation notice for BIND 9: "resolver-nonbackoff-tries", "resolver-retry-interval"

2023-12-07 Thread Fred Morris
I welcome birds of a feather. Need to define / refine the problem statement first. On 12/7/23 12:30 AM, Petr Špaček wrote: > On 07. 12. 23 1:05, Fred Morris wrote: >> On Wed, 6 Dec 2023, Evan Hunt wrote: >> I say go ahead, if nothing else consider it a "scream test". But

Re: Remove PDF-related bits from the build system

2023-12-21 Thread Fred Morris
uild system, you went too far. I looked for this just the other day in the KB. At the least you should have a KB article. At least there's this post to the mailing list. -- Fred Morris

Re: Remove PDF-related bits from the build system

2023-12-21 Thread Fred Morris
On 12/21/23 10:08 AM, Ondřej Surý wrote: > In the commit you referenced: > > https://gitlab.isc.org/isc-projects/bind9/-/commit/561a83a29182b00bda9237ae30343d76a68dcdf4#8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d_147_147 >> On 21. 12. 2023, at 18:59, Fred Morris wrote: >> >

version errata Re: Remove PDF-related bits from the build system

2023-12-21 Thread Fred Morris
ference Manual. The checksums correct for that version of README.md. I think I must have mistakenly cut & pasted from the source tree in GitLab for 9.18. On 12/21/23 10:50 AM, Fred Morris wrote: > On 12/21/23 10:08 AM, Ondřej Surý wrote: > >> In the commit you referenced: >>

Re: version errata Re: Remove PDF-related bits from the build system

2023-12-21 Thread Fred Morris
No, I was correct the first time, but I had the wrong version. It is a 9.18.9 tarball, not 9.18.21. Checksums are correct for that README.md. On 12/21/23 12:18 PM, Fred Morris wrote: > > I'm sorry 9.18.9 was the version where I discovered that the build > didn't build the PDF,

Re: version errata Re: Remove PDF-related bits from the build system

2023-12-21 Thread Fred Morris
1> sum README.md 37785 11 m3047@sophia:/opt/downloads/bind-9.18.21> md5sum README.md c4e08add5a135ce2573483eb0e5b1207 README.md m3047@sophia:/opt/downloads/bind-9.18.21> sha256sum README.md 080e914decc2ed554d8887b0f719b82736c45380b987f23b3eba4ef7418f03f3 README.md On 12/21/23 12:24 PM, Fre

Re: version errata Re: Remove PDF-related bits from the build system

2023-12-22 Thread Fred Morris
Surý wrote: > Are you really complaining about the lack of handholding because you > want to build the documentation yourself and just can’t download it? > Because it really seems like the case here. I'm concerned you've lost control of your build. However it does look correct in 9

Re: secure statistics page

2024-02-11 Thread Fred Morris
There used to be an example in a directory in the BIND tarball, in contrib/dnspriv/ Here's a link to it from 9.12.3: http://athena.m3047.net/pub/bind/dnspriv/ -- Fred Morris On Sun, 11 Feb 2024, Andrew Latham wrote: I have seen this question a few times so would a note or example in

ANN: Dnstap telemetry agent supports both unicast and multicast

2024-02-19 Thread Fred Morris
love from here on out. If shodohflo/agents/dnstap_agent.py or dnstap2json.py itself don't suit your payload needs, you are of course welcome to subclass dnstap2json.py yourself. I couldn't do it without BIND! Cheers... -- Fred Morris, internet plumber http://consulting.m3047.n

Re: Problem upgrading to 9.18 - important feature being removed

2024-03-01 Thread Fred Morris
vor of removing unused features; emphasis is of course on "unused". -- Fred Morris, internet plumber

Caching ANSWER:0

2024-04-05 Thread Fred Morris
hich affects this behavior? NS? SOA? Thanks in advance... -- Fred Morris

Solved Re: Caching ANSWER:0

2024-04-06 Thread Fred Morris
SOA record. -- Fred Morris On Fri, 5 Apr 2024, Fred Morris wrote: When people think of "negative response caching" I suspect they're thinking of NXDOMAIN, but there is another negative response: ANSWER:0. To some extent this is indistinguishable from a referral, and I'm no

Observation: BIND 9.18 qname-minimization strict vs dig +trace

2024-04-24 Thread Fred Morris
31 dig -x 131.191.85.31 +trace -- Fred Morris

Re: Observation: BIND 9.18 qname-minimization strict vs dig +trace

2024-04-24 Thread Fred Morris
ke arguing over the particular weasels chosen rather than the decision to stuff rabid weasels down your pants in the first place. -- Fred Morris On Wed, 24 Apr 2024, tale wrote: Hmm, I wonder if qname-minimisation is at issue here.

Re: Observation: BIND 9.18 qname-minimization strict vs dig +trace

2024-04-26 Thread Fred Morris
tcurve hasn't seen fit to fix it or get back to me in nearly a full business week I suspect they like it this way. However it doesn't comport with the principle of least surprise. The City of Tacoma doesn't seem to care that the licensee operating in a portion of their /16 is impersonat

Re: forward option in dns server

2024-06-28 Thread Fred Morris
Although I see listen-on in your named.conf snippet, I don't see query-source. You can listen on a different interface / address than the one you issue queries from. If you need to issue queries selectively on different interfaces, see the server stanza and put query-source in there. --

Re: Fwd: Re: recursive resolver

2020-03-12 Thread Fred Morris
've ruled out the obvious conclusion you have to start considering scenarios such as someone intentionally interfering in path with port 53 traffic. -- Fred Morris ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: How to get random subset of large rrset (30+ IPs for round robin)?

2020-03-20 Thread Fred Morris
It's incredibly hacky, but what about setting different nameservers with different sets of addresses for the FQDN in question? -- Fred

Best way to force a TC=1 response?

2020-05-26 Thread Fred Morris
did! Instead it reports "Temporary failure in name resolution" in the ping example. -- Fred Morris

Re: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Fred Morris
r nonrouting addresses commonly used for gateways, things like that. This is not a DNS problem, it's a problem in what commonly used programs aid and abet in the name of "freedom of commerce" or something. -- Fred Morris -- [0] https://www.bleepingcomputer.com/news/securi

Another DoT client (python)

2020-06-12 Thread Fred Morris
Plain-TCP (DoPT) forwarder (see the README for why), but it was trivial to add TLS support. -- Fred Morris

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-23 Thread Fred Morris
rvers now running on Alpine (because super lightweight), that blurs the lines a bit. -- Fred Morris

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-23 Thread Fred Morris
Perhaps slightly OT, but here's a company which has a whole business model based on one nonobvious (?) reason to compile from source: https://polyverse.com/ -- Fred Morris

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-23 Thread Fred Morris
loits which work across a large installed base is exactly what they're aiming to prevent. Disclosure: I've heckled their CTO in a friendly fashion for making better idiots, but I paid for my own Old Fashioned. -- Fred Morris

Response Policy Zone: disabling "leaking" of lookups

2020-09-02 Thread Fred Morris
my-outhouse-example.com" is NXDOMAIN. In this case: * "my-outhouse-example.com.example.com" will return NXDOMAIN (it does!) * There should be /no/ upstream (pointless) query for my-outhouse-example.com.example.com. (oops!) Let's stop the leaks. -- Fred Morris

Re: Response Policy Zone: disabling "leaking" of lookups

2020-09-03 Thread Fred Morris
Carl Byington wrote: > On Wed, 2020-09-02 at 17:47 -0700, Fred Morris wrote: > > how do I disable the (useless) resolution directed at upstream > > servers? > > Isn't that just "qname-wait-recurse no;" > You are correct! I got confused and the doc didn'

Re: rbldnsd and DNSSEC compatibility issues - any suggestions?

2020-09-12 Thread Fred Morris
hat the TLD is, or if that occurs that the choice of TLD mitigates in any fashion whatsoever. There's always a way to make it happen, I just can't imagine it making it sanely into production even by accident. (This applies to DLV.ISC.ORG too, which returns an SOA, but they could make it NX

Re: rbldnsd and DNSSEC compatibility issues - any suggestions?

2020-09-14 Thread Fred Morris
On Mon, 14 Sep 2020, Mark Andrews wrote: [...] All the queries to the recursive server with this configuration not answered by the server will leak. The configuration needs “forward only;” to be added to prevent the leak. We see this all the time. zone “non-existant-tld” { type forward

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Fred Morris
s. So which is it: * Hi I'm Jason and I want to create a DNS record so that the world can find my web server. How do I do that? (answer #1) * Hi I'm Jason and I want to run my own nameservers for a bunch of irrelevant reasons such as CentOS, web servers and stuff. How

Re: Servfail on Bind -9.16.1

2020-11-21 Thread Fred Morris
Check your clock. Have you got NTP turned on? Is it working? If it's not, flush cache/restart before you test again. -- Fred Morris

Re: dnstap shows little logging at debug 10

2021-03-02 Thread Fred Morris
D problem with the pipe). But my grepping the strace didn't catch anything opening the "dnstap.sock" pipe. The way they did framestream initialization it requires the "optional" handshake. I documented it (pydoc) here: https://gith

Re: Authority and forwarding, but not recursion/iteration

2021-03-16 Thread Fred Morris
rs, although that's perhaps better handled in the mail filtering pipeline, which is where it really seems to matter. -- Fred Morris

Re: REST API for recursive queries

2021-05-04 Thread Fred Morris
in the QUERY section. -- Fred Morris -- #!/usr/bin/python3 # Copyright (c) 2021 by Fred Morris Tacoma WA # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # #

Minor change req for named.iner shirt

2021-08-26 Thread Fred Morris
didn't have a clever story. I suggest changing it to "953". -- Fred Morris

Re: Minor change req for named.iner shirt

2021-08-26 Thread Fred Morris
I suggest changing it to "953". Correction: 853. -- FWM

Re: force nameserver(bind) information exchanges with clients via tcp only

2021-09-30 Thread Fred Morris
e the (UDP) response, they'll never try TCP. (1980s logic) What you can do is force the clients to use TCP... or TLS. https://github.com/m3047/tcp_only_forwarder Good luck... -- Fred Morris

Re: force nameserver(bind) information exchanges with clients via tcp only

2021-10-01 Thread Fred Morris
Exactly! On Thu, 30 Sep 2021, Carl Byington wrote: On Thu, 2021-09-30 at 16:30 -0700, Fred Morris wrote: https://github.com/m3047/tcp_only_forwarder So what exactly are the media devices doing to screw up dns resolution between the osx laptop and the local dns server? Dropping UDP replies

Re: force nameserver(bind) information exchanges with clients via tcp only

2021-10-01 Thread Fred Morris
c. Doesn't bother the media devices, but 1980s stub resolver logic isn't up to competing with 100,000:1 packet contention and doesn't provide any way to do traffic shaping. -- Fred On Fri, 1 Oct 2021, Fred Morris wrote: On Thu, 30 Sep 2021, Carl Byington wrote: On Thu, 2021-0

Re: named service suddenly fails to start

2021-11-04 Thread Fred Morris
Grant Taylor's reply is good, but you might also look at the check-names option. As he says, underscores are frowned on in hostnames but that's about it in theory if not in practice. You could also contemplate changing the logging destination and level... or not. -- Fred Morris

Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Fred Morris
Is there a way to do this or should I bite the bullet and run two copies of BIND? Thanks in advance... -- Fred Morris

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Fred Morris
are utilized in the second view. and the "lie" is that the "unused" RPZ is dynamically updated in the first view (that's where update requests are sent); I suppose I could jigger that so that the updates happen in the second view. But the stopper is that error message,

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-22 Thread Fred Morris
er to live on a different machine. https://github.com/m3047/rear_view_rpz/blob/main/install/Optional_DNS_Service.md -- Fred Morris

Rear View RPZ: PTR records from local knowledge

2021-12-02 Thread Fred Morris
tion which ships BIND compiled with Dnstap support, please let me know! Cheers... -- Fred Morris This is being posted to the Dnstap, RPZ and BIND Users mailing lists.

Re: Rear View RPZ: PTR records from local knowledge

2021-12-02 Thread Fred Morris
I posted just such a thing a few weeks ago on the dnsrpz list at redbarn. Hrm, seems to be down at the moment. On 12/2/21 11:00 AM, Grant Taylor via bind-users wrote: > On 12/2/21 9:59 AM, Fred Morris wrote: >> Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now >

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Fred Morris
sponse you get here is going to involve changing your BIND server's configuration and behavior, probably to convert it from forwarding to caching... although grizzled veterans may tell you horror stories about hotels and other public wifi. -- Fred Morris

Best practice for forwarding Dnstap (unix socket) traffic to another address

2022-01-09 Thread Fred Morris
for sending this to another address, presumably via TCP... socat? Too bad about the handshake, any best practices for forwarding there? Thanks in advance... (Pure Python implementation of fstrm: https://github.com/m3047/shodohflo/blob/master/shodohflo/fstrm.py

Re: Best practice for forwarding Dnstap (unix socket) traffic to another address

2022-01-09 Thread Fred Morris
I should have included this in the first message, and I apologize. What I'm looking at is trying to build a BIND kernel, like a nanokernel. Socat won't work in this case, because there's no "IPC" layer, because there is only one process in the kernel. One process. No users. I need to

Re: Obsoleting keep-response-order option in BIND 9.19/9.20+

2022-02-11 Thread Fred Morris
serve to inform server implementers / operators. (I think the RFC has a number of biases towards server implementers / operators, some plain, some more along the lines of moral hazard.) -- Fred Morris

Re: Can an RPZ record be used for a non-existed domain?

2022-03-24 Thread Fred Morris
d if they exist they shouldn't) and I block them (e.g. *.com.com) to prevent information leakage and garbage traffic. HTH... -- Fred Morris, internet plumber

Re: Bind and systemd-resolved

2022-04-18 Thread Fred Morris
ens on 127.0.0.53.) Maybe you should turn it off. -- Fred Morris, internet plumber

Re: getting answers from DNS queries

2022-04-25 Thread Fred Morris
I would expect the information you seek to be available via Dnstap. -- Fred Morris, internet plumber

Re: DNS traffic tracking

2022-05-09 Thread Fred Morris
his is veering into the realm of what's possible (which is seldom actually technical); this includes your means and ability to analyze the DNS traffic. If you want to discuss further feel free to email me. -- Fred Morris, internet plumber

Re: Only one DS key comes back in query

2022-05-16 Thread Fred Morris
postfix. Crikey, they can't even be bothered to get an LE cert for the website and catch flak at least monthly. Honey badger don't care. They're very clear about postconf output. If you pasted postconf output from the manual (or Stack Overflow) I think the response would

Re: dnstap to Splunk

2022-05-20 Thread Fred Morris
If you need something for POC / smoke: https://github.com/m3047/shodohflo/blob/master/examples/dnstap2json.py Assuming you can figure out how to get Splunk to consume log oriented json over UDP... -- Fred Morris, internet plumber

Specifying EDNS payload size with dig queries

2022-06-22 Thread Fred Morris
Self explanatory? Maybe it's the nomenclature but I can't spot this in the manpage; search engines haven't been much help. I might have to read code! :-o Thanks in advance, whoever you are; I owe you a beer. -- Fred Morris

Re: How filter with RPZ only A and AAAA type records ?

2022-08-10 Thread Fred Morris
eople give a better answer. -- Fred Morris, internet plumber

Re: BINd9 Server for Public Website

2022-09-23 Thread Fred Morris
Nearly identical to what was posted to the unbound list. -- FWM6 On Fri, 23 Sep 2022, JAHANZAIB SYED wrote: I am trying to get some basic ideas on dns/hosting. [...]

Re: Seeing lots of DNS issues on OpenWRT

2022-09-23 Thread Fred Morris
Why are you forwarding at all? On Fri, 23 Sep 2022, Philip Prindeville wrote: I've changed locations (moved houses) and consequently ISPs (now on Sparklight, used to have CTC) and I'm seeing a slew of DNS issues I didn't have before [...] As you can see, a LOT of noise. [...] // If y

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Fred Morris
s which can be queried as well as the types of allowed queries. Here is my contribution to ensuring employment for DNS subject matter experts: * https://github.com/m3047/rkvdns -- DNS proxy for Redis * https://github.com/m3047/rkvdns_examples -- examples -- Fred Morris, internet plumbe

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Fred Morris
d purposes. -- Fred Morris, internet plumber

RE: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Fred Morris
Ok. This is public address space. Delegation for reverse zones is separate from forward zones. Kind of depends on where the connectivity failure is, as to whether or not clients can walk the delegation tree (or need to). Then there's the effect of TTLs expiring. -- Fred Morris, int

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Fred Morris
n-addr.arpa.rearview.m3047.net. 600 IN TXT "depth=1,first=1665810308.1564665,last=1667535958.6280398,count=152,trend=11758.670145495724,update=1667540875.2953703,score=5.3302068902418895" ;; AUTHORITY SECTION: REARVIEW.M3047.NET. 600 IN NS LOCALHOST. ;; SERVER: 10.0.0.

Re: Reverse lookups not working when Internet connection failed.

2022-11-07 Thread Fred Morris
ric, or customer centric; I can also make arguments for outright lying. Hey, choose your own adventure; other people will judge you accordingly. -- Fred Morris, internet plumber

Re: Reverse lookups not working when Internet connection failed.

2022-11-07 Thread Fred Morris
ir ilk the likely use case for resources under in-addr.arpa. There are some things I would avoid as a courtesy to others if I was so inclined: escape, completion and wildcard characters in shells and SQL implementations... -- Fred Morris

Re: automatic reverse and forwarding zones

2022-11-07 Thread Fred Morris
requested them. From my vantage most PTR records are demonstrably garbage. Caching exists because if you requested it once you might request it again. Who knows, maybe you didn't believe it the first time. In any case, that's why the aphorism "garbage in garbage out" is a thing

copr.fedorainfracloud.org for Fedora 37

2022-11-28 Thread Fred Morris
get ahead of it and bring ShoDoHFlo up to spec. I'll compile from source. (Although it would be nice if somebody from Fedora could speak to support for Dnstap in the available BIND package...) -- Fred Morris, internet plumber

Re: forwarder cache

2022-12-01 Thread Fred Morris
fun arguing about whether or not a server which is "authoritative" should have an NS record in the zone, once you have something which demonstrably works. I don't have a lot of patience for "experts" who can't demonstrate a working system, so I probably won

Re: forwarder cache

2022-12-01 Thread Fred Morris
Errata.. On Thu, 1 Dec 2022, Fred Morris wrote: "authoritative" zone served by an authoritative server configured to return complete 1024/1025 responses look like? 1034/1035 -- FWM

TIL: Restricting DiG to UDP only with +ignore

2022-12-04 Thread Fred Morris
as specified. (The MSG SIZE is also a clue.) Searching the intertubes wasn't much help. When I tried to search the list archives I got a Gateway Timeout. :-( Anyway, it's been a minor personal annoyance for a while; hopefully this helps somebody else with a problem they didn't know th

Re: TIL: Restricting DiG to UDP only with +ignore

2022-12-05 Thread Fred Morris
Hello Petr: On 12/5/22 4:35 AM, Petr Špaček wrote: > On 05. 12. 22 3:49, Fred Morris wrote: >> If the UDP query returns TC=1 DiG retries with TCP. I want to see the >> UDP results and am unable to. Specifying +notcp makes no difference. >> The correct option is +ig

Pure Python Dnstap

2019-06-05 Thread Fred Morris
the modules above (dnspython). If the output of the sample program and the protobuf implementation itself look a bit Scapy-like, that's because I originally implemented it as a Scapy dissector several years ago. Unlike Scapy, this software is released under an Apache license. -- Fred M

Re: Debugging Information Lacking?

2019-11-27 Thread Fred Morris
Look in the BIND ARM for dump-file: dump-file The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb. If not specified, the default is named_dump.db. Regards... -- Fred Morris On Wed, 27 Nov 2019, isc-bind-us...@ics-il.net wrote

Re: Peculiar DNS queries

2019-12-22 Thread Fred Morris
ss is something to do with NSCD. There is a tension between the protocol ("any octet") vs what you can register ("valid hostnames") vs what's sent to the public DNS ("case insensitive"). -- Fred Morris

Re: Assistance Needed: "Too Many Records" Error When Reloading Zone `example.com`, BIND: 9.18.29

2024-09-23 Thread Fred Morris
ient from the full impact of the large record set. But if you're exposing large rrsets to the public (regardless whether they trigger this particular behavior) it's worth reviewing your server posture to make sure your limits on what's allowed via UDP are reasonable. -- Fred