Re: what is a SPF (type 99) record and who do I implement?

2010-03-27 Thread G.W. Haywood
Hi there, On Wed, 24 Mar 2010 Security Admin (NetSec) wrote: Struggled to find anything explicit on this subject via google The subject line should probably read how... not who :) It seems that your first language is not English, and unfortunately that is a disadvantage, but you probably

Re: error (broken trust chain) resolving

2010-12-18 Thread G.W. Haywood
Hi there, On Thu, 25 Nov 2010 Brian J. Murrell wrote: I am going to bug report with said distro also as I hate varying from the working set because it just causes possible future problems trying to bug report with them. you are not using the version we support, bla, bla, bla. So in the end

Re: auto update signatures dnssec

2010-12-29 Thread G.W. Haywood
Hi there, On Wed, 29 Dec 2010 Alan Clegg wrote: In your named.conf, you should have key-directory ...; defined. The keys should be there (and readable by the named process). If you don't have a key-directory statement, then named will look in the working directory from which the process

Re: Dynamic zone...

2010-12-31 Thread G.W. Haywood
Hi there, On Fri, 31 Dec 2010 Jeff Justice wrote: ... I have a computer on a remote network that gets its IP dynamically from the ISP. I need to always know where that computer is. ... if my main domain for our company were: abc.com then it would be nice to have: remote.abc.com

Re: I can't resolve one domain: nhs.uk

2011-06-17 Thread G.W. Haywood
Hi there, On Fri, 17 Jun 2011 Andrew Benton wrote: I can't resolve one domain: nhs.uk laptop:~$ whois nhs.uk Error for nhs.uk. This domain cannot be registered because it contravenes the Nominet UK naming rules. The reason is: the domain name contains too few parts.

Re: SPF implementation schedule.

2011-07-12 Thread G.W. Haywood
Hi there, On Tue, 12 Jul 2011 kalpesh varyani wrote: Looking at zytrix and spf2 sites, it seems that SPF is yet to be implemented at functional level. If my understanding of that sentence is correct, then the sentence is not correct. SPF is implemented by (1) Publication of TXT or SPF

Re: about the dig

2011-07-19 Thread G.W. Haywood
Hi there, On Tue, 19 Jul 2011 wrote: When I deleted all the entries in /etc/resolv.conf (I am using Linux), dig can't work. I was thinking since dig is a standard resolver... man resolv.conf If this file doesn't exist the only name server to be queried will be on the local machine;

Re: MX choosing

2011-07-22 Thread G.W. Haywood
Hi there, On Fri, 22 Jul 2011 Tony Finch quoted the RFCs thus: The question of whether a sender should attempt retries using the different addresses of a multihomed host has been controversial. ... I know of at least one substantial organization which uses this kind of thing as part of its

Re: nanny (was Re: bind-9.8.1: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed)

2011-11-18 Thread G.W. Haywood
Hi there, On Thu, 17 Nov 2011 Jeremy C. Reed wrote: On Wed, 16 Nov 2011, Phil Mayers wrote: It might be good if bind were able to re-start itself, rather than dying outright (e.g. re-exec the process) but that is dangerous too; it's better done by an unrelated supervising process. In

Re: Exercising RFC 5011 rollovers

2011-11-26 Thread G.W. Haywood
Hi there, On Sat, 26 Nov 2011 Phil Mayers wrote: Feature suggestion: some sort of synthetic clock option ... They say there's a thin line between genius and insanity. Did you just cross it? -- 73, Ged. ___ Please visit

Re: Suspecious DNS queries dropped by Firewall

2011-12-14 Thread G.W. Haywood
Hi there, On Wed, 14 Dec 2011 babu dheen wrote: Can you tell me list of URL which size exceed 514 bytes to verify whether my internal server truncate/return failure code when query such URL using UDP query? You really ought to be able to do this for yourself. Find any domain using DNSSEC

Re: bind-users Digest, Vol 1081, Issue 2

2012-01-04 Thread G.W. Haywood
Hi there, On Wed, 4 Jan 2012, With No Name wrote: Where can I find a HOWTO which tell me how to setup my Name Server correctly including DNSEC3 For learning things, HOWTOs are mostly useless. This book might be a good start, but it is some years old now:

RE: fermat primes and dnssec-keygen bug?

2012-03-08 Thread G.W. Haywood
Hi there, On Thu, 8 Mar 2012, Spain, Dr. Jeffry A. wrote: Other posts have alluded to the Debian openssl flaw reported in May 2008 (http://www.debian.org/security/2008/dsa-1571). This led to predictable random primes being used to generate RSA moduli ... Just in case anyone thinks that this

Re: Recursive queries fail after bind has been running for a few hours

2012-03-13 Thread G.W. Haywood
Hi there, On Mon, Mar 12, 2012 at 12:05 PM, Mr X xproject...@gmail.com wrote: I'm having a bizarre issue with 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 - recursive queries stop functioning after bind has been running for a few hours. It's a very low volume system (dev), maybe a few queries

Re: nslookup fails if missing PTR record for IPv6 DNS server.

2012-03-16 Thread G.W. Haywood
Hi there, On Fri, 16 Mar 2012, Matus UHLAR - fantomas wrote: the main problem is nslookup itself, and this is just one of reasons nslookup is not recommended for use. You didn't tell the OP what to use instead of nslookup! It's 'dig'. -- 73, Ged.

Re: Test

2012-03-18 Thread G.W. Haywood
Hi there, On Sun, 18 Mar 2012, Rob Leslie wrote: As the owner of the address forged by the sender, I am particularly annoyed. http://www.openspf.org/ -- 73, Ged.

Re: random-device purpose in DNSSEC

2012-05-10 Thread G.W. Haywood
Hi there, On Thu, 10 May 2012, Alexander Gurvitz wrote: What random device used for ? Cryptographic operations, loading libraries in random locations to avoid insidious attacks, that kind of thing. This bothers me as I'm implementing DNSSEC now, and I know that my systems are low at

Re: limiting number of requests of a single hosts

2012-06-15 Thread G.W. Haywood
Hi there, On Fri, 15 Jun 2012, Holemans Wim wrote: ... Once or twice a day a DNS burst (20K requests/15sec) kills all connections on the firewall. Have you disabled firewall connection tracking for DNS requests? We have 6 dns servers (bind) on our campus, that are all authoritative for our

Re: Possible DDoS?

2012-10-18 Thread G.W. Haywood
Hi there, On Wed, 17 Oct 2012, Manson, John wrote: Does this rise to the level of a DDoS attack? 82 queries in a second is modest, but you're in US government and that IP is in China. Given the recent publicity, IMO that's probable cause. I blackhole IPs that behave like this.

Re: ISC Bind in Active Directory

2012-10-18 Thread G.W. Haywood
Hi there, On Thu, 18 Oct 2012, bind-users-requ...@lists.isc.org wrote: ISC Bind in Active Directory (Aaron Thompson) I'm hopping Sometimes AD has that effect. :) to get some feedback from people who use ISC Bind and DHCPD in Active Directory environments. I've been working on a client's

Re: Need to improve named performance

2012-11-11 Thread G.W. Haywood
Hi there, On Sun, 11 Nov 2012, Ed LaFrance wrote: Running BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5 ... Somebody already said upgrade. Generally that's the first thing to do in a case like this (before asking on mailing lists:). The issue is that named is not keeping up with rdns requests. The

Re: Need to improve named performance

2012-11-12 Thread G.W. Haywood
Hi there, On Mon, 12 Nov 2012, Ed LaFrance wrote: ... No idea on ip_conntrack. How do I check and if so, what setting should I try and how do I do it? Look for something like /proc/sys/net/netfilter/ip_conntrack_tcp_timeout_established and cat it to the terminal. It will just be a number

Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread G.W. Haywood
Hi there, On Wed, 14 Nov 2012, Phil Mayers wrote: On 14/11/12 15:39, Kevin Darcy wrote: I stopped reading as soon as I saw the requirement to add a NetBIOS name, being overpowered by the stench of obsolescence. Does anyone As per our recent thread, there's load of (recent, modern) stuff

Re: broken ISP in china

2013-02-19 Thread G.W. Haywood
Hi there, On Mon, 18 Feb 2013, Vernon Schryver wrote: ... Recently I moved this domain (lcrcomputer.net) to a registrar that supports DNSSEC and inserted the DS record for this domain. I checked DNSSEC via http://dnsviz.net and http://dnssec-debugger.verisignlabs.com. Both show DNSSEC is

Re: spf ent txt records.

2013-03-13 Thread G.W. Haywood
Hi there, On Wed, 13 Mar 2013, hugo hugoo wrote: I received the following question and I am not able to answer as spf records are still mysterious to me. We are using BIND 9.7. Does our DNS-server support SPF-type records? Or do we put SPF-info in a TXT-record? My answers would be Yes and

Re: FW: CVE-2013-2266 Question

2013-03-28 Thread G.W. Haywood
Hi there, On Wed, 27 Mar 2013, Manson, John wrote: Does 'make clean' affect the running named? No. The 'configure' step and the 'make' steps are respectively configuring the software source files for your environment before the build (more or less compile and link) process, and then the

Re: listen-to clusterIP address

2013-06-05 Thread G.W. Haywood
Hi there, On Wed, 5 Jun 2013, paul wrote: I need to automatically listen to the new ip address without manual intervention. Listen on a virtual/alias whatever interface and forward ports from the real one(s)? -- 73, Ged.

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-15 Thread G.W. Haywood
Hi there, On Fri, 14 Jun 2013, rfg wrote: [Quite a lot of off-topic stuff, which I've snipped.] For the avoidance of doubt, this is absolutely not a reply to any of Mr. Guilmette's posts, and I neither expect nor even want to see any reply from him. But I am on the digest list, so

Re: SPF record with include:

2013-06-18 Thread G.W. Haywood
Hi there, On Tue, 18 Jun 2013, Julie Xu wrote: I be asked to add: include:otheremailsrv.otherdomainhttp://otheremailsrv.otherdomain so the TXT records will be looked like: TXT v=spf1 mx include:otheremailsrv.otherdomainhttp://otheremailsrv.otherdomain ~all Question, from my limited

Re: bind 2.1a3 on centos 6.4

2013-06-21 Thread G.W. Haywood
Hi there, On Fri, 21 Jun 2013, Brian Cuttler wrote: # /usr/bin/nslint -ddd -c /etc/dns-source/named.conf-test nslint: doconf: opened /etc/dns-source/named.conf-test nslint: doconf: opened nslint.conf nslint: 0/131072 items used, 0 errors Problem - I know there are errors. It's late and I

Re: BIND Performance with Huge RPZ

2013-07-12 Thread G.W. Haywood
Hi there, On Fri, 12 Jul 2013, Arie L. Putra wrote: We are building a server for recursive DNS Server, this server will be acted as a cache for our network. (several user-side DNS Server will forward to this server) Using Ubuntu Server with latest BIND version, we are trying to have RPZ

Re: New warning message...

2013-07-22 Thread G.W. Haywood
Hi there, On Mon, 22 Jul 2013, Jason Hellenthal wrote: It's exactly as it says... Instead of ... TXT SPF ... You now do ... SPF SPF ... Caution! The SPF record type is near enough dead. See in particular RFC6686 paragraph 5.6; paragraph 6.2; and Appendix A point 4. -- 73, Ged.

Re: BIND 9.10.0b1 has been released.

2014-02-26 Thread G.W. Haywood
Hi there, On Wed, 26 Feb 2014, Michael McNally wrote: At ISC we are quite excited about the long list of new features and ... I don't want to rain on your parade, and I know that this is likely to be contentious, but I would just like to ask all at ISC (and I know it isn't necessary, but

Re: dns firewall, proof of concept howto published, rpz. request for feedback

2014-05-11 Thread G.W. Haywood
Hi there, On Sun, 11 May 2014, Hans-Cees Speel wrote: Feedback is welcome! ... pdf at: https://app.younited.com/... Put it somewhere else? -- 73, Ged.

Re: Checking proper SPF record

2014-07-08 Thread G.W. Haywood
Hi there, On Tue, 8 Jul 2014, Alex wrote: ... Does this look correct? ... No, it's terrible. Drop a line over at the SPF-users mailing list, they'll sort you out. Use real names and addresses, then it's more than just a conjecture. This will all be published for the world to see anyway,

Re: Checking proper SPF record

2014-07-09 Thread G.W. Haywood
Hi there, On Wed, 9 Jul 2014, Alex wrote: Thought I'd try this again. ... You'll get much better help on the right list. spf-h...@listbox.com -- 73, Ged.

Re: Log Monitoring

2014-08-07 Thread G.W. Haywood
Hi there, On Thu, 7 Aug 2014, Davis, Donald W wrote: I am looking for scripts that can be used to parse and monitor the DNS logs for suspicious activity. If Nagios didn't exist, I'd have to invent it: http://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS

RE: unable-resolving (Mohammed Ejaz)

2015-03-09 Thread G.W. Haywood
Hi there, ... we have been receiving complaints from our customers that they are unable to open the websites when they use our DNS server ... Does your server allow your customer to make recursive queries? ~$ dig @ns1.cyberia.net.sa www.jubileegroup.co.uk ; DiG 9.8.4-rpz2+rl005.12-P1

RE: sporadic, noaa.gov SERVFAIL

2015-01-30 Thread G.W. Haywood
Hi there, On Thu, 29 Jan 2015, Brad Bendily wrote: Any way for me to pinpoint the specific firewall? ping -s packetsize host or traceroute host packetsize ? -- 73, Ged.

Re: shutting up logs

2015-05-15 Thread G.W. Haywood
Hi there, On Fri, 15 May 2015, Reindl Harald wrote: Am 15.05.2015 um 02:01 schrieb Nick Edwards: skipping nameserver 'ns5.concord.org' because it is a CNAME, while resolving '210.128-25.119.138.63.in-addr.arpa/PTR' I have logs grow by about 30 megs a day with pretty much only this in it

Re: bind-users Digest, Vol 2085, Issue 1

2015-04-07 Thread G.W. Haywood
Hi there, On Tue, 7 Apr 2015, bind-users-requ...@lists.isc.org wrote: Message: 1 [Snip 51 lines] Message: 2 [Snip 75 lines] Message: 1 [Snip 37 lines] Message: 1 [Snip 45 lines] Message: 2 [Snip 49 lines] Message: 2 [Snip 16 lines] Message: 1 [Snip 49 lines] Message: 3

Re: Again Crashed Bind

2015-12-03 Thread G.W. Haywood
Hi there, On Thu, 3 Dec 2015, Re: Again manasa.jamuna wrote: Bind version used is 9.6.2-P2. Named crashed ... No big surprise. I did a google search ... Did you look at the ISC Website? https://www.isc.org/downloads/ 9.6.x has been End Of Life for nearly two years. Upgrade. -- 73,

Re: Allow-Query=any

2016-01-07 Thread G.W. Haywood
Hi there, On Thu, 7 Jan 2016, Reindl Harald wrote: ... when somebody wants a information which exists in the DNS he can ask for that information - unconditionally laptop3:~$ >>> dig -t any lloyds.co.uk ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> -t any lloyds.co.uk ;; global options: +cmd ;; Got

Re: bind-users Digest, Vol 2277, Issue 1

2015-12-27 Thread G.W. Haywood
Hi there, On Sun, 27 Dec 2015, kev wrote: I am using bind9 with ubuntu 14.04. I was wondering how to log by individual IP. I've googled it but didn't find what i was looking for. Thanks, I find p0f is a very useful tool, and can be used for more than just OS fingerprinting.

Re: Append a Hard-coded Text Tuple into Additional Section of "dig" Feature

2016-06-15 Thread G.W. Haywood
Hi there, On Wed, 15 Jun 2016, Jun Xiang X Tee wrote: ... I wish to append a hard-coded text tuple into end of the section. ... I think what you want to do sounds strange, but if I wanted to do something like that I would not modify an existing perfectly good utility. I would create a new

Re: CVE-2015-7547: getaddrinfo() stack-based buffer overflow

2016-02-17 Thread G.W. Haywood
Hi there, On Wed, 17 Feb 2016, Dominique Jullier wrote: Are there any thoughts around how to handle yesterday's glibc vulnerability[1][2] from the side of bind? This is a glibc issue, not a bind issue. It makes no sense to attempt to fix the problem by modifying bind. Firstly, bind is not the

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread G.W. Haywood
Hi there, On Thu, 17 Mar 2016, Ron wrote: ... in this case it's a supplier who is unable to keep his DNS servers working, and we just want to keep the connectivity. I'd just put something in /etc/hosts and send myself an email every month or so to remind me I'd done that. -- 73, Ged.

Re: *Reminder of the* L-Root IPv6 address renumbering

2016-03-22 Thread G.W. Haywood
Hi there, On Tue, 22 Mar 2016, Bob Harold wrote: I appreciate the announcement of the change ahead of time, but I don't feel like it is safe to update my root hints file based on an email ... Hint: the 'hints' file contains hints. :)

Re: installation issues

2016-05-08 Thread G.W. Haywood
Hi there, On Sun, 8 May 2016, Rajesh M wrote: i am getting error this is not a valid win32 application. I suspect that you've downloaded the wrong archive. Does the .zip file that you downloaded say 'x86' somewhere in its name? Try

Re: outgoing-traffic

2016-07-26 Thread G.W. Haywood
Hi there, On Tue, 26 Jul 2016, Ejaz wrote: There is huge traffic coming out from my DNS server since yesterday and flooding the IP 212.107.121.110 ... Are you able to let us see your bind configuration? This might be IP spoofing, an attempted DOS attack on the IP. Is there any reason why

Re: Sending extra info in bind dns query packet

2016-07-14 Thread G.W. Haywood
Hi there, On Thu, 14 Jul 2016, Sachin Patil wrote: I am just looking into bind and want to send extra information while querying dns bind server. ... Is there an echo in here? -- 73, Ged.

RE: bind-users Digest, Vol 1727, Issue 1

2016-07-04 Thread G.W. Haywood
Hi there, On Mon, 4 Jul 2016, Amit Kumar Gupta wrote: [An entire digest message, which I've snipped] It would be extremely helpful to those of us on the digest list, and generally more polite, if you would NOT include in your posts to the list, simply in order to save yourself the time and

RE: Bind Queries log file format

2017-02-03 Thread G.W. Haywood
Hi there, For the avoidance of doubt, It seems to me that the stability of BIND has been improving over the last couple of years. Thank you. Keep it up. If I were hunting some rarely-seen fault condition, I think I'd write any output which is more useful for debugging than anything else to a

Re: Enforce EDNS

2017-02-07 Thread G.W. Haywood
Hi there, On Tue, 7 Feb 2017, Mark Andrews wrote: I really don't want to add new automatic work arounds for broken servers but it requires people being willing to accepting that lookups will fail. That manual work arounds will now have to be done. e.g. "server ... { send-cookie no; };" +2

Re: Recognizing remote IP in shared connections

2017-02-28 Thread G.W. Haywood
Hi there, On Tue, 28 Feb 2017, Job wrote: for policy purposes, we need to know which remote site is resolving against a Bind 9.x public DNS Server. The problem occurs when some carriers "share" the same IP address between more customers and they surf behind a shared NAT. Sounds like a trial.

Re: lookup timeouts

2016-09-19 Thread G.W. Haywood
Hi there, On Mon, 19 Sep 2016, bind-users-requ...@lists.isc.org wrote: We have a customer who has their own cache server, but in the afternoons before they close up for the day, they commit off-site backups, this process takes them about 90 mins, anyone trying to use the internet in this time

Re: Multiple A Records - Followup Question

2016-10-02 Thread G.W. Haywood
Hi there, On Sun, 2 Oct 2016, Tim Daneliuk wrote: ... can a given *IP* appear in more than one A record? ... http://serverfault.com/questions/56539/dns-multiple-a-records-or-1-a-record-and-lots-of-cnames -- 73, Ged.

Re: Slow recursion with ipv6 enabled?

2016-11-19 Thread G.W. Haywood
Hi there, On Sat, 19 Nov 2016, Job wrote: on Bind 9.10 (latest version of this stable branch), I notice in some cases a relevant slowdown when resolving (for the first time) a hostname, when named is launched with both ipv4 and ipv6. It uses recursion to fetch for the first time the information

Re: BIND 9.11.0 RPZ performance issue

2016-10-17 Thread G.W. Haywood
Hi there, On Mon, 17 Oct 2016, Daniel Stirnimann wrote: I have upgraded some of our BIND resolvers from BIND 9.9.9-P3 to BIND 9.11.0 and I notice timeouts for 3 - 5 seconds about every 1 to 5 hour. Something to do with dlv.isc.org? -- 73, Ged.

Re: "Jumbo" Security Release of BIND corrects four exploitable vulnerabilities.

2017-01-12 Thread G.W. Haywood
Hi there, On Thu, 12 Jan 2017, Michael McNally wrote: ISC has issued new security releases of BIND today [..snip..] These are available via the http://www.isc.org/downloads web page: BIND 9.9.9-P5 BIND 9.10.4-P5 BIND 9.11.0-P2 ... I'm trying to get BIND 9.9.9-P5 from the downloads

Re: "Jumbo" Security Release of BIND corrects four exploitable vulnerabilities.

2017-01-12 Thread G.W. Haywood
Hello again, On Thu, 12 Jan 2017, Andrey Fanin wrote: On Thu, 12 Jan 2017, G.W. Haywood wrote: > On Thu, 12 Jan 2017, Michael McNally wrote: > > > ISC has issued new security releases of BIND today [..snip..] > > I'm trying to get BIND 9.9.9-P5 from the downloads pa

Re: BIND 9 windows XP builds

2017-04-18 Thread G.W. Haywood
Hi there, On Tue, 18 Apr 2017, Evan Hunt wrote: ... I wanted to find out whether there's a reason for so many people to still be doing this -- even if it wasn't a very good reason -- before I cut them off. Personally I'm more than a bit surprised, and even a little offended that ISC still

Re: designing the DNS from the scratch

2017-07-09 Thread G.W. Haywood
Hi there, On Sun, 9 Jul 2017, Abdulhadi Ettwejiri wrote: Re: designing the DNS from the scratch we are ISP company , we are providing Internet to our customer, Recently one of our VIP customer ask for DNS service, and need the response time 3msec, we don't have enough knowledge of DNS ...

Re: bind unexpectedly quit, how to debug

2017-05-09 Thread G.W. Haywood
Hi there, On Tue, 9 May 2017, Paul Seward wrote: ... I'm not so much asking for a fix as asking how I can find more information. ... grep '\(released\|security\)' bind-9.10.5/CHANGES | head -n 90 -- 73, Ged.

Re: are you using lwres?

2017-05-19 Thread G.W. Haywood
Hi there, On Fri, 19 May 2017, Evan Hunt wrote: Do you run lwresd or named-with-lwres? Do you have code that links with liblwres? If so, please let me know. 8<-- mail6:~# >>> cat /etc/debian_version 8.7 mail6:~# >>>

Re: BIND Upgrade

2024-02-16 Thread G.W. Haywood
Hi there, On Fri, 16 Feb 2024, Semra Türkkal Nazlımoğlu wrote: Our bind version seems below. How can we upgrade bind version? And if we upgrade bind version, is there any problem? Recently I upgraded from 9.11.26 (not 9.11.36) to 9.18.24 using the source from the ISC Website. It's a very

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread G.W. Haywood
Hi there, On Wed, 13 Dec 2023, Greg Choules wrote: If your server can reach the Internet it can recurse all on its own. And for extra information, I recommend you give the '+trace' option to dig. I hope that helps. Ditto. :) -- 73, Ged.

Re: Value of a DNSSEC validating resolver

2023-12-02 Thread G.W. Haywood
Hi there, On Sat, 2 Dec 2023, Mark Andrews wrote: On Fri, 1 Dec 2023, John Thurston wrote: > Can someone make a good case to me for continuing to perform DNSSEC > validation on my central resolvers? Think of a recursive server as a town water treatment plant. You could filter and treat at

Re: Deprecation notice for BIND 9: "resolver-nonbackoff-tries", "resolver-retry-interval"

2023-12-08 Thread G.W. Haywood
Hi there, On Fri, 8 Dec 2023, Fred Morris wrote: I welcome birds of a feather. Need to define / refine the problem statement first. ... ... Er, tweet! Up to my @$$ in alligators and can't afford the time to more than chime in here, but this is all absolutely fascinating. Fwiw I'd love to

Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"

2024-03-01 Thread G.W. Haywood
Hi there, On Fri, 1 Mar 2024, Matus UHLAR wrote: On 01.03.24 08:24, Ondřej Surý wrote: > The "sortlist" option allows to define complicated rules when and > how to reorder the resource records in the responses. The same > caveats as with the "rrset-order" apply - relying on any specific >

Re: Problem upgrading to 9.18 - important feature being removed

2024-03-01 Thread G.W. Haywood
Hi there, On Fri, 1 Mar 2024, Ondřej Surý wrote: On 26. 2. 2024, at 22:41, Al Whaley wrote: > A lot of pain and suffering in this world comes from people being > sure they have a 'better idea' and everybody needs to do whatever. > This feels a bit like that. ... ... ultimately, the developers

Re: Problem upgrading to 9.18 - important feature being removed

2024-03-01 Thread G.W. Haywood
Hi there, On Fri, 1 Mar 2024, Petr Špaček wrote: On 01. 03. 24 12:23, G.W. Haywood wrote: ... Maybe the lesson here is that if you're using BIND other than because it happened to come with your distro, then it's probably a good idea to keep an eye on this list to monitor the plans

Re: Deprecated DSCP support

2024-02-29 Thread G.W. Haywood
Hi there, On Thu, 29 Feb 2024, Wolfgang Riedel wrote: In my case it's dscp 24 in named.conf ... If you don't set it, ... ns9:~# >>> man named.conf | grep dscp dscp ; // obsolete -- 73, Ged.

Re: MDLZ user activation

2024-06-07 Thread G.W. Haywood
Hi there, On Fri, 7 Jun 2024, Nick Tait wrote: ... Happy to share all the mail headers ... On the face of your description, this sounds like a spammer who has slightly more skill than usual. Another explanation is that you might have been targeted specifically, which could be more worrying.

Re: MDLZ user activation

2024-06-07 Thread G.W. Haywood
Hi there, On Fri, 7 Jun 2024, Marco Moock wrote: Am 07.06.2024 um 10:58:27 Uhr schrieb G.W. Haywood: > On the face of your description, this sounds like a spammer who has > slightly more skill than usual. The spammer simply used the name in From: after the Nick posted to the list) (Nic

Re: DNSSEC validation without current time

2017-12-16 Thread G.W. Haywood via bind-users
Hi there, On Fri, 15 Dec 2017, Barry Margolin wrote: In article <mailman.120.1513339585.749.bind-us...@lists.isc.org>, "G.W. Haywood" <b...@jubileegroup.co.uk> wrote: On Fri, 15 Dec 2017, Petr Menšík wrote: ... current time is not available or can be inaccurate

Re: DNSSEC validation without current time

2017-12-15 Thread G.W. Haywood via bind-users
Hi there, On Fri, 15 Dec 2017, Petr Menšík wrote: ... current time is not available or can be inaccurate. ntpdate? -- 73, Ged.

Re: Domain Not Resolving

2017-11-21 Thread G.W. Haywood via bind-users
Hi there, On Tue, 21 Nov 2017, Ron Wingfield wrote: ... our registered domain, archaxis.net, is not resolving ... As has been mentioned, you don't have a nameserver listening on IP 162.202.233.81. At a guess, you need to restart it. We run BIND version 9.10.2 ... Upgrade. See for

Re: Should we bundle the MaxMind GeoIP db?

2018-05-31 Thread G.W. Haywood via bind-users
Hi Victoria, On Wed, 30 May 2018, Victoria Risk wrote: ... would it be useful if we included the GeoLite2 database with the BIND distribution? Since we update at least twice a year, we could keep it fairly well up to date, and it would save users having to go get and update the db themselves.

Re: Test mail to bind-users

2018-05-31 Thread G.W. Haywood via bind-users
Hi Michael, On Wed, 30 May 2018, Michael McNally wrote: We have had reports that posts to bind-users are (in at least some cases) triggering unwelcome direct-to-the-submitter messages from spammers. Please disregard this message while I try to gather some information in the hopes of stopping

Re: disable dnssec for particular domain

2018-02-07 Thread G.W. Haywood via bind-users
Hi there, On Wed, 7 Feb 2018, Michelle Konzack wrote: ... Note: If someone is interested making a slave for me ... Is there a reason you don't use e.g. he.net? https://dns.he.net/ They do say of DNSSEC that they are "exploring this now" but it seems to work for me. -- 73, Ged.

Re: DNS not resolving on google, but is on other services

2018-02-17 Thread G.W. Haywood via bind-users
Hi there, On Sat, 17 Feb 2018, LuKreme wrote: ... Is google just b0rked? ... You might need to look closer to home. You claim three nameservers, but it appears that they're all on the same network segment - a *really* bad idea - and one of them doesn't respond to DNS requests, using IPs

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread G.W. Haywood via bind-users
Hi there, On Tue, 23 Jan 2018, Grant Taylor wrote: ... I'm sure that you could do some networking magic to cause connections to $AlternateIP port 53 to be re-routed to $DifferentIP $AlternatePort. http://netcat.sourceforge.net/ -- 73, Ged.

Re: Responding with a subset of an rrset

2018-04-11 Thread G.W. Haywood via bind-users
Hi there, On Wed, 11 Apr 2018, speijnik wrote: I'd need a way of returning a random pick of a limited number of records from a given rrset ... Something like this? 8<-- #!/usr/bin/perl -w use strict; use Net::DNS; use

Re: Fwd: Facing weird issue with DNS-RPZ

2018-04-25 Thread G.W. Haywood via bind-users
Hi there, On Wed, 25 Apr 2018, Blason R wrote: Unfortunately neither RHEL nor CentOS gives an RPM for 9.10+ and compiling and building is really a pain and time consuming. Hence I decided to give it a try with Ubuntu 16.04, and anyway within a few days 18.04 is coming out with 9.11. Date: Wed,

Administrivia.

2018-04-23 Thread G.W. Haywood via bind-users
Hi there, It looks like something has recently changed in the ISC DNS. 8<-- Apr 20 09:00:36 mail6 sm-mta[20203]: NOQUEUE: connect from lists.isc.org [149.20.1.60] Apr 20 13:00:22 mail6 sm-mta[29448]: NOQUEUE: connect from

Re: Separate DNS slaves as internal and external

2018-03-19 Thread G.W. Haywood via bind-users
Hi there, On Mon, 19 Mar 2018, King, Harold Clyde wrote: I have DNS slaves for internal and external entities. I don't know how to work the NS records so that outside users would only get the external slave and internal would only get the internal slave. How can I do this? ... You could use

RE: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread G.W. Haywood via bind-users
Hi there, On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote: Good morning, I'm trying to make it more difficult for an attacker to get my DNS server version. Waste of time. The attacks are automated, and will be mounted anyway. -- 73, Ged.

Re: BIND and UDP tuning

2018-09-27 Thread G.W. Haywood via bind-users
Hi there, On Thu, 27 Sep 2018, Alex wrote: This is also only happening on the two identical systems connected to the 165/35mbit cable modem. ... I really hope there is someone with some additional ideas. Is it the modem? -- 73, Ged.

Re: DNSSEC: give KSK from my domain to parent zones

2018-10-05 Thread G.W. Haywood via bind-users
Hi there, On Fri, 5 Oct 2018, Roberto Carna wrote: ... when I check for the DNSSEC support with: dig com.uk +dnssec +multi I can see there is no support at all... so using DNSSEC for xxx.com.uk has no sense at all... hasn't it? Do you mean "xxx.co.uk" and not "xxx.com.uk"? -- 73, Ged.

Re: Question about visibility

2018-10-24 Thread G.W. Haywood via bind-users
Hi there, On Wed, 24 Oct 2018, Hardy, Andrew wrote: Further to the original post, as well as not creating a DNS record and "possibly" adding robot.txt with appropriate content, as discussed, I presume that if I run the http server on a personally selected unprivileged port then it is very

Re: Question about visibility

2018-10-25 Thread G.W. Haywood via bind-users
Hi there, On Thu, 25 Oct 2018, Grant Taylor wrote: On 10/24/2018 06:15 AM, G.W. Haywood via bind-users wrote: A server on a non-standard port is often neglected. Its security may be less well maintained than one that is intentionally public. Why and how do you make that correlation

Re: BIND and UDP tuning

2018-09-30 Thread G.W. Haywood via bind-users
Hi there, On Sun, 30 Sep 2018, Alex wrote: Sep 29 14:33:54 mail03 postfix/dnsblog[3290]: warning: dnsblog_query: lookup error for DNS query 123.139.28.66.dnsbl.sorbs.net: Host or domain name not found. Name service error for name=123.139.28.66.dnsbl.sorbs.net type=A: Host not found, try again

Re: BIND and UDP tuning

2018-10-01 Thread G.W. Haywood via bind-users
Hello again, On Mon, 1 Oct 2018, Alex wrote: > Are your requests being dropped by the service(s)? > > (Or: are you inadvertently abusing the said service(s)?) I don't believe so - often times a follow-up host query succeeds without issue. It's also failing for invaluement and spamhaus, both

Re: Operational Notification: Some releases of BIND are too strict when handling referrals containing non-empty answer sections

2018-09-20 Thread G.W. Haywood via bind-users
Hi there, On Wed, 19 Sep 2018, Michael McNally wrote: ... code refactoring ... That phrase always sends shudders through my corpus. -- 73, Ged.

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-18 Thread G.W. Haywood via bind-users
because there won't be all those pesky new features to consider. On Mon, 18 Mar 2019, G.W. Haywood wrote: > Apologies for speaking frankly, but that's a lie. I would like an apology for this because I am not a liar. Well the apology was right there in that sentence, but here and now and in publi

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-18 Thread G.W. Haywood via bind-users
--- Date: Wed, 26 Feb 2014 12:44:37 + (GMT) From: "G.W. Haywood" To: bind-users@lists.isc.org Subject: Re: BIND 9.10.0b1 has been released. Hi there, On Wed, 26 Feb 2014, Michael McNally wrote: At ISC we are quite excited about the long lis

Re: Classless Reverse Zones PTR Dig Format Issue

2019-02-07 Thread G.W. Haywood via bind-users
Hi there, On Thu, 7 Feb 2019, Matus UHLAR - fantomas wrote: On 07.02.19 12:53, Nagesh Thati wrote: I have created a network with 199.192.0.0/11 and created 4 subnets with /13 mask in that network, Network: 199.192.0.0/11 :

Re: A policy for removing named.conf options.

2019-06-13 Thread G.W. Haywood via bind-users
Hi there, On Thu, 13 Jun 2019, Matthijs Mekking wrote: We would like to hear your feedback. Thank you for the timely heads up. | managed-keys | 9.15/9.16 | replaced with dnssec-keys | According to my changelogs for 'named.conf I removed 'managed-keys' and 'trusted-keys' three

Re: A policy for removing named.conf options.

2019-06-13 Thread G.W. Haywood via bind-users
Hi there, On Thu, 13 Jun 2019, Leroy Tennison wrote: On Thu, 13 Jun 2019, Ondřej Surý wrote: On 13 Jun 2019, at 15:55, G.W. Haywood via bind-users ... wrote: ... could you not set up an ISC zone which BIND on startup will ping ... we've been discussing the 'call home' feature on several
