Re: BIND 9.18 unable to successfully transfer zone from axfrdns primary

2023-08-31 Thread Michael Sinatra
Right, BIND 9.18 now enforces Section 2.2 of RFC 5936, specifically, this: "The AXFR server MUST copy the Question section from the corresponding AXFR query message into the first response message's Question section. For subsequent messages, it MAY do the same or leave the Question se

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-26 Thread Michael Sinatra
On 2/26/24 13:41, Al Whaley wrote: As far as I have been able to determine through some fairly extensive reading, a feature I depend on has fallen out of favor with the BIND developers, and is being removed. DNSSEC in 9.18 has two automatic actions where the original code had just one, and th

Re: dig -- only RRSIG present.

2012-02-12 Thread Michael Sinatra
On 02/12/12 09:40, dE . wrote: I'm trying to see DNSSEC response of various sites; my DNS server is 8.8.8.8 (google's public DNS service) Response is as such - dig +dnssec -t SOA org ; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY,

Re: dig -- only RRSIG present.

2012-02-12 Thread Michael Sinatra
On 02/12/12 18:48, Mark Andrews wrote: 8.8.8.8 returns servfail for me. Note a RFC 1035 caching server should be able to resolve "dig ds org" though it may not return the response from the parent zone. It depends on the cache state when the query is made. Google seems to be okay at lookin

Re: zone transfer with DIG: SOA duplicate

2012-03-19 Thread Michael Sinatra
On 03/19/12 10:33, hugo hugoo wrote: Dear all, I have this strange behaviour when I do a zone transfer with the following command: dig @name_server zone_name AXFR ==> I received 2 SOA records (duplicates). One SOA record is at the end of the received information. Is this normal? Yes. I
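Added example, not code from either thread or from BIND itself: a small pure-Python checker that applies to an AXFR response stream the two points these messages make, the RFC 5936 section 2.2 requirement that the first response message echo the query's Question section (the BIND 9.18 behaviour discussed in the axfrdns thread above) and the SOA appearing once at the start and once again at the end of the transfer with the same serial. The zone content, message ID and the non-compliant "empty Question" stream are constructed for illustration; the code does not claim to reproduce what axfrdns actually puts on the wire.

```python
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AXFR, CLASS_IN = 1, 2, 6, 252, 1

def encode_name(name):
    """Uncompressed wire form of a dotted name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(buf, off):
    """Decode a name (compression pointers allowed); return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_message(msg_id, question, answers, flags=0x8400):
    """One DNS message. question is (qname, qtype) or None; answers are (name, type, rdata)."""
    qd = [] if question is None else [question]
    hdr = struct.pack("!HHHHHH", msg_id, flags, len(qd), len(answers), 0, 0)
    body = b"".join(encode_name(n) + struct.pack("!HH", t, CLASS_IN) for n, t in qd)
    for name, rtype, rdata in answers:
        body += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return hdr + body

def parse_message(buf):
    """Header, Question and Answer sections of a wire-format message."""
    msg_id, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", buf, 0)
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, off = decode_name(buf, off)
        questions.append((qname,) + struct.unpack_from("!HH", buf, off))
        off += 4
    for _ in range(ancount):
        name, off = decode_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        answers.append((name, rtype, rclass, buf[off:off + rdlen]))
        off += rdlen
    return {"id": msg_id, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def soa_serial(rdata):
    """SOA rdata is MNAME, RNAME, then five 32-bit fields; the first is SERIAL."""
    _, off = decode_name(rdata, 0)
    _, off = decode_name(rdata, off)
    return struct.unpack_from("!I", rdata, off)[0]

def validate_axfr(query, responses):
    """Return (ok, reason) for an AXFR response stream, applying the RFC 5936 checks."""
    q = parse_message(query)
    if not responses:
        return False, "no response messages"
    first = parse_message(responses[0])
    if first["id"] != q["id"]:
        return False, "message ID mismatch"
    # RFC 5936 s2.2: the first response MUST carry the query's Question section.
    if first["questions"] != q["questions"]:
        return False, "first response does not echo the Question section"
    rrs = []
    for raw in responses:
        m = parse_message(raw)
        if m["rcode"] != 0:
            return False, "non-zero RCODE %d" % m["rcode"]
        # Later messages MAY omit the Question; if present it must still match.
        if m["questions"] and m["questions"] != q["questions"]:
            return False, "Question section changed mid-transfer"
        rrs.extend(m["answers"])
    # The zone is bracketed by the SOA: once at the start and again at the end.
    if len(rrs) < 2 or rrs[0][1] != TYPE_SOA or rrs[-1][1] != TYPE_SOA:
        return False, "transfer must start and end with SOA"
    if soa_serial(rrs[0][3]) != soa_serial(rrs[-1][3]):
        return False, "opening and closing SOA serials differ"
    return True, "ok: %d RRs, serial %d" % (len(rrs), soa_serial(rrs[0][3]))

# Constructed sample zone (not real data).
ZONE = "example.test."
SOA_RDATA = (encode_name("ns1.example.test.") + encode_name("hostmaster.example.test.")
             + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 300))
RRS = [(ZONE, TYPE_SOA, SOA_RDATA),
       (ZONE, TYPE_NS, encode_name("ns1.example.test.")),
       ("ns1.example.test.", TYPE_A, bytes([192, 0, 2, 1])),
       (ZONE, TYPE_SOA, SOA_RDATA)]
QUERY = build_message(0x1234, (ZONE, TYPE_AXFR), [], flags=0)
# Compliant primary: first message echoes the Question, the second leaves it out (MAY).
GOOD_STREAM = [build_message(0x1234, (ZONE, TYPE_AXFR), RRS[:2]),
               build_message(0x1234, None, RRS[2:])]
# Non-compliant primary (constructed): empty Question section in the first message.
BAD_STREAM = [build_message(0x1234, None, RRS)]

if __name__ == "__main__":
    for label, stream in (("good", GOOD_STREAM), ("bad", BAD_STREAM)):
        print(label, validate_axfr(QUERY, stream))
```

The good stream passes; the bad stream is rejected at the first message, which is the shape of the failure a 9.18 secondary reports against a primary that does not copy the Question section. The duplicate SOA that hugo asked about is what the last two checks rely on: without the closing SOA the client cannot know the transfer is complete, and a differing serial means the zone changed underneath the transfer.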

Re: Name Resolution issue with one domain

2012-03-19 Thread Michael Sinatra
On 03/19/12 13:28, babu dheen wrote: Dear Support, I am trying to resolve www.dubaiairport.com from my GW BIND server as below. But not getting any output $ dig A www.dubaiairport.com ; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com

Re: VMware & Bind

2012-06-05 Thread Michael Sinatra
On Tue, 5 Jun 2012, Manson, John wrote: Will bind run on VMware? Yes. I have a few machines running BIND 9.9.x on FreeBSD as a guest os on vmware. michael

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-08 Thread Michael Sinatra
On 07/08/12 09:54, Matthew Pounsett wrote: 08-Jul-2012 16:45:00.352 initializing DST: openssl failure 08-Jul-2012 16:45:00.352 exiting (due to fatal error) In particular the logs above suggest that named is unable to find the necessary openssl libraries. In the case where openssl 1.x.x is co

Re: Moving from "type forward" to "type static-stub"

2012-09-21 Thread Michael Sinatra
On 9/20/12 5:49 PM, Oscar Ricardo Silva wrote: > If I'm correct, it will send non-recursive queries to the listed servers > and will honor delegations. I've tested this configuration in our lab > and it all appears to be working. Yup, static stub will do exactly that. > With our configuration, a

Re: ISC Bind in Active Directory

2012-10-18 Thread Michael Sinatra
On 10/18/12 11:03 AM, Aaron Thompson wrote: > Hi All, > > I'm hoping to get some feedback from people who use ISC Bind and DHCPD > in Active Directory environments. > > Currently we use Bind/DHCPD for dynamic DNS and DHCP. It's been a > pretty stable service, redundant and we are polling statis

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Michael Sinatra
It appears to me that the NSEC3 record that is denying the existence of the DS record for ic.fbi.gov does not have a corresponding RRSIG. That's based on a fairly cursory glance. This seems to be the case for all of the NSEC3 records in fbi.gov. Something's messed up in fbi.gov. michael PS: Not
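Added example (not from the thread): the kind of check Michael's "cursory glance" amounts to, run over a constructed listing of a signed zone. It groups the zone's records into RRsets, skips the RRsets DNSSEC leaves unsigned (the NS RRset at a delegation and the glue beneath it) and reports every remaining RRset, NSEC3 records included, that has no RRSIG covering its type. The zone, owner names and NSEC3 hash labels are made up for illustration; none of the fbi.gov data is reproduced here.

```python
def rrsig_coverage(apex, rrs, rrsigs):
    """Report RRsets of a signed zone that should carry an RRSIG but do not.

    rrs:    iterable of (owner, type) for the zone's records
    rrsigs: iterable of (owner, type_covered) for every RRSIG in the zone
    Returns a sorted list of (owner, type)."""
    apex = apex.lower()
    sets = {(o.lower(), t.upper()) for o, t in rrs}
    signed = {(o.lower(), t.upper()) for o, t in rrsigs}
    # A non-apex NS RRset marks a delegation; NS there and glue below it are never signed.
    delegations = {o for o, t in sets if t == "NS" and o != apex}

    def is_glue(owner):
        return any(owner != d and owner.endswith("." + d) for d in delegations)

    missing = []
    for owner, rtype in sorted(sets):
        if rtype == "RRSIG":                       # tolerate RRSIGs in the listing
            continue
        if owner in delegations and rtype == "NS":
            continue
        if rtype in ("A", "AAAA") and is_glue(owner):
            continue
        # Everything else, DS at the delegation and every NSEC3 included, needs a signature.
        if (owner, rtype) not in signed:
            missing.append((owner, rtype))
    return missing

# Constructed listing of a small NSEC3-signed zone; hash labels are invented, not real hashes.
APEX = "example.test."
RRS = [
    (APEX, "SOA"), (APEX, "NS"), (APEX, "DNSKEY"), (APEX, "NSEC3PARAM"),
    ("www.example.test.", "A"),
    ("sub.example.test.", "NS"), ("sub.example.test.", "DS"),
    ("ns1.sub.example.test.", "A"),
    ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test.", "NSEC3"),
    ("b4um86eghhds6nea196smvmlo4ors995.example.test.", "NSEC3"),
]
RRSIGS = [
    (APEX, "SOA"), (APEX, "NS"), (APEX, "DNSKEY"), (APEX, "NSEC3PARAM"),
    ("www.example.test.", "A"), ("sub.example.test.", "DS"),
    ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test.", "NSEC3"),
    # the second NSEC3 deliberately has no RRSIG: the symptom described in the message
]

if __name__ == "__main__":
    for owner, rtype in rrsig_coverage(APEX, RRS, RRSIGS):
        print("unsigned RRset:", owner, rtype)
```

An NSEC3 without an RRSIG is worse than a missing positive signature: a validator that needs that NSEC3 to prove the absence of a DS (an insecure delegation) has nothing it can trust, so the child zone fails closed with SERVFAIL rather than being treated as unsigned.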

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Michael Sinatra
On 7/17/13 2:38 PM, Mark Andrews wrote: > > In message <1673423961.50595218.1374096753729.javamail.r...@k-state.edu>, > "Lawr > ence K. Chen, P.Eng." writes: >> >> >> - Original Message - >>> On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote: On Wed, Jul 17, 2013 at 09:49:18

Re: MAcOS X 10.9 upgrade removes BIND

2013-10-25 Thread Michael Sinatra
On 10/25/13 1:33 PM, Carsten Strotmann wrote: > Hello Eduardo, > > thanks for confirming that MacOS X removed BIND. > > Our new BIND installers for MacOS X 10.9 are now available at > > > I've built BIND 9.9.4 (with and withou

Re: BIND-9.16.1 memory leak?

2020-04-20 Thread Michael Sinatra
On 2020-04-17 06:45, sth...@nethelp.no wrote: > We have what appears to be a significant memory leak in BIND-9.16.1. > > Environment: > FreeBSD 12.1-STABLE. > BIND-9.16.1 installed from packages. > Also uses libuv-1.35.0 installed from packages. > Authoritative only. > Around 800 zones of var

Does BIND support "conservative" (RFC 6781, sec 4.1.4) algorithm rollovers?

2021-08-30 Thread Michael Sinatra
Hi, I have, in the past, used the "conservative" approach to performing algorithm rollovers for various domains. For many domains, this is probably overkill, but I'd prefer to have the option of doing it, especially for those mission-critical domains where you really don't want to rely simpl

Re: BIND 'max-cache-size' Value on FreeBSD-13.0

2021-09-02 Thread Michael Sinatra
On 9/2/21 2:35 PM, Mark Tinka wrote: Not sure if this issue offers some clue: https://gitlab.isc.org/isc-projects/bind9/-/issues/2575 I see its maintainer just closed it 11hrs ago... I have noticed this also and have opened a (similar but different) issue, but it's a bit weird how it manifes

Re: BIND 'max-cache-size' Value on FreeBSD-13.0

2021-09-02 Thread Michael Sinatra
On 9/2/21 2:59 PM, Mark Tinka wrote: On 9/2/21 23:51, Michael Sinatra wrote: I have noticed this also and have opened a (similar but different) issue, but it's a bit weird how it manifests itself. On your freebsd installation, make sure that all of your interfaces are configure

Re: Nice new logging feature

2021-12-18 Thread Michael Sinatra
On 12/16/21 06:42, Borja Marcos wrote: On 16 Dec 2021, at 14:55, Reindl Harald wrote: Am 16.12.21 um 14:49 schrieb Borja Marcos: bind-9.16.23-1.fc34.x86_64 16-Dec-2021 13:08:10.598 lame-servers: connection refused resolving 'ns2.serverion.eu/A/IN': 94.228.210.122#53 16-Dec-2021 13:11

Re: repository for zone files

2010-09-23 Thread Michael Sinatra
On 09/23/10 12:53, Stewart Dean wrote: On AIX, I'm used to /etc/dns. CentOS seems to place in /var/named. Is there any blessed, bestofallpossibleworlds place for the zone files. I'm moving our DNS from AIX to CentOS/Fedora. I'm inclined to create the /etc/dns dir but maybe it'd be better t

Re: repository for zone files

2010-09-23 Thread Michael Sinatra
On 09/23/10 13:14, Greg Whynott wrote: they (the distro maintainers) could not agree to put anything in the same place if the worlds sanity depended on it. /var/named /srv/bind /etc/bind /var/lib/named /usr/local/named it's all over the place. myself i just create links from /var/named (which

Re: Bind and blacklist IP file

2010-10-13 Thread Michael Sinatra
On 10/13/10 03:24, Andrey G. Sergeev wrote: Hello David, Mon, 11 Oct 2010 18:38:24 -0400 David Miller wrote: On 10/11/2010 3:26 PM, Andrey G. Sergeev (AKA Andris) wrote: Hello Alans, Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote: Why not? OpenDNS is a good example i think. Good example

Re: DNS Redundancy

2010-10-21 Thread Michael Sinatra
On 10/21/10 08:26, Gordon A. Lang wrote: It is actually counter-productive to have two resolvers configured with this architecture, but to circumvent human nature, we publish two. There is absolutely no functional difference between the two, and there is no redundancy value for the second one -

Re: Is DLV still useful

2010-11-16 Thread Michael Sinatra
On 11/16/10 11:17, Thomas Schulz wrote: Now that the root is signed, is DLV still useful? Yes. Not all TLDs are signed (although we're getting there), and not all registrars support adding DS records, even if the registry supports DNSSEC. Therefore, there are still islands of trust that ca

Re: Almost Ready for DNS-SEC but Slightly Confused in Home Stretch

2010-12-11 Thread Michael Sinatra
On 12/10/10 08:17, Martin McCormick wrote: As a reminder, none of this is on our master DNS yet so we are still doing the normal activities. Our firewalls are supposed to be adjusted to allow the 4096-byte DNS packets in the next day or so so all the testing is being done on another box

Re: about nsupdate

2010-12-20 Thread Michael Sinatra
On 12/19/10 23:47, Jorg W Young wrote: Hello, We primarily update the DNS records by nsupdate from a web interface. Under this case, if I modified the zone file directly by hand, will nsupdate overwrite the modification? If you attempt to update a dynamic zone by hand, without first "freezing

Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-28 Thread Michael Sinatra
On 12/28/10 00:26, Eivind Olsen wrote: So, to recap: at the risk of showing what a fool I am by doing something completely wrong here, I'm betting Microsoft has messed up their DNS - I would have expected queries over TCP to work, and I would not have expected EDNS to give a FORMERR (but ok, if

Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-28 Thread Michael Sinatra
On 12/28/10 06:07, Lightner, Jeff wrote: It's working fine for me from RHEL5 Linux DNS servers and from Windows DNS servers. It's not clear from this thread whether 'dig any microsoft.com @ns[12345].msft.net' works for anyone. I cannot get it to work from any of the msft.net servers on clien

Re: question about multiple queries in a single dns packet

2010-12-29 Thread Michael Sinatra
On 12/29/10 14:06, Alan Clegg wrote: On 12/29/2010 2:17 PM, Federico Barbieri wrote: Not sure if this is the right place to ask but I've been trying to dig around and found nothing... reading the dns specification it would seem possible to send multiple requests in a single packet. I'm not su

Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread Michael Sinatra
On 12/30/10 3:04 PM, Lightner, Jeff wrote: If qmail is open source then YOU can patch it to your heart's content and might even want to fork the project so you're maintaining it for others. Expecting BIND to hold itself back or patch itself for 1998 standards is a bit like expecting people that

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-19 Thread Michael Sinatra
Hi Matt: On 05/19/11 17:08, Matthew Pounsett wrote: While it's possible you have encountered a bug with BIND, it's generally a bad idea to mix recursive and authoritative service in the same process. The RFCs that define the resolution algorithms were never written with mixed service in mind, a

Re: Bug in bind 9.7.3?

2011-05-26 Thread Michael Sinatra
On Thu, 26 May 2011, Frank Kloeker wrote: Hi, I'm using bind 9.7.3 as resolver in a slightly larger server farm with some mail servers that use domain key validation. If I try # host -t TXT _adsp._domainkey.federalreserve.gov bind dies with May 26 19:59:02 resolv04 named[8237]: buffer.c:285:

Re: BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

2011-05-27 Thread Michael Sinatra
On Fri, 27 May 2011, Frank Kloeker wrote: Hello, I would want to say thank you very much for the wonderful work of the ISC team and the quick solution of the problem and a very professional appearance. I have come to expect such performance from everyone at ISC, but yesterday they exceeded ev

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-28 Thread Michael Sinatra
This will be in BIND 9.8.1 final. BIND 9.8.1b1 is already cut and will need this to be applied. I just noticed that the patch for query.c has been added as an extra patch to the FreeBSD port for 9.8.0-P2, so if you build the bind98 port from the latest FreeBSD ports collection, you'll get the

Re: querylog format

2011-06-06 Thread Michael Sinatra
On 6/6/11 8:09 PM, Jeff Peng wrote: Hello, The querylog of BIND in my hosts is like: client 58.240.56.18#16768: query: s18.mhxx.game.yy.com IN A -EDC For the last part, I know the '-' means non-recursion,'E' means EDNS. But what are the 'D' and 'C' flags? D = DO (DNSSEC Okay), client is requ
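Added example, not code from the thread or from ISC: a parser for the flag field of BIND query-log lines of the form quoted above. It decodes the letters as the BIND ARM documents them ('+'/'-' for recursion desired or not, S signed, E EDNS, T TCP, D DO, C CD; V and K are the DNS-cookie flags of later 9.x releases) and counts, per client, the patterns a resolver operator usually wants to see: iterative (no RD) queries, DO set, and CD set. The first sample line is the one from Jeff's message; the rest are constructed, and the regex's handling of the newer line layout ('@0x...', '(qname)', 'view ...:') follows the documented format rather than anything in this thread.

```python
import re
from collections import Counter

# Match the classic "client IP#port: query: ..." line and the 9.11+ variant that
# adds "@0x<ptr>", "(qname)" and "view <name>:" before the query.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view \S+: )?query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# Flag letters as documented in the BIND ARM (V and K arrived with DNS cookies in 9.11).
FLAG_MEANING = {
    "S": "signed (TSIG/SIG(0))",
    "E": "EDNS present",
    "T": "received over TCP",
    "D": "DO bit (DNSSEC OK) set",
    "C": "CD bit (checking disabled) set",
    "V": "valid server cookie",
    "K": "bad or missing server cookie",
}

def parse_query_log(line):
    """Return a dict for a query-log line, or None for any other log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    flags = re.sub(r"\(\d+\)", "", rec["flags"])   # drop EDNS version: "+E(0)D" -> "+ED"
    rec["recursion_desired"] = flags[0] == "+"     # '+' RD set, '-' iterative query
    rec["flags"] = set(flags[1:])
    rec["unknown_flags"] = rec["flags"] - set(FLAG_MEANING)
    return rec

def describe(rec):
    """Human-readable rendering of the flag field."""
    parts = ["RD" if rec["recursion_desired"] else "no RD"]
    parts += [FLAG_MEANING[f] for f in sorted(rec["flags"]) if f in FLAG_MEANING]
    return ", ".join(parts)

def summarize(log_text):
    """Per-client counts of the flag patterns worth a second look on a resolver:
    iterative (no RD) queries, DO set, and CD set (client asks to skip validation)."""
    records = [r for r in map(parse_query_log, log_text.splitlines()) if r]
    return {
        "parsed": len(records),
        "no_rd": dict(Counter(r["ip"] for r in records if not r["recursion_desired"])),
        "do": dict(Counter(r["ip"] for r in records if "D" in r["flags"])),
        "cd": dict(Counter(r["ip"] for r in records if "C" in r["flags"])),
    }

# The first line is the one quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
client 58.240.56.18#16768: query: s18.mhxx.game.yy.com IN A -EDC
client 192.0.2.10#5353: query: www.example.test IN AAAA +E
client 192.0.2.10#5353: query: example.test IN ANY +ED
client 198.51.100.7#40000: query: example.test IN DNSKEY -ET
client @0x7f3c5c0 192.0.2.10#5353 (example.test): view internal: query: example.test IN A +E(0)DK
client 203.0.113.5#53: notify: zone example.test: serial 7
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_query_log(line)
        if rec:
            print(rec["ip"], rec["qname"], rec["qtype"], "->", describe(rec))
    print(summarize(SAMPLE_LOG))
```

On a recursive server the "-" queries are the interesting ones: a stub resolver always sets RD, so non-recursive queries from outside are typically cache snooping or a misconfigured forwarder, and "C" from a client means it has asked to receive data without the resolver's DNSSEC validation.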

Re: question about thehartford.com domain

2011-06-15 Thread Michael Sinatra
On Wed, 15 Jun 2011, M. Meadows wrote: Question : our check of whois indicates that ns1.thehartford.com and ns2.thehartford.com are the authoritative nameservers for thehartford.com. A dig with a +trace for eftc.thehartford.com seems to indicate that they are indeed the auth nameservers. It?

Re: nameserver registration

2011-06-18 Thread Michael Sinatra
On 06/18/11 10:26, David Miller wrote: All domains, at every level, have to configure their records such that the tree can be walked from root to their domain. Follow the "."s. For: this.long.chain.example.com. com. must be delegated by . example.com. must be delegated by com. chain.example.c

Re: nameserver registration

2011-06-18 Thread Michael Sinatra
On 06/18/11 15:23, Chris Thompson wrote: On Jun 18 2011, Michael Sinatra wrote: In theory, you can insert glue records anywhere above the zone in question. See RFC 2181, section 5.4.1. As an example, glue for the servers adns1.berkeley.edu and adns2.berkeley.edu exist in the root zone. For

Re: nameserver registration

2011-06-19 Thread Michael Sinatra
On 06/18/11 19:22, Casey Deccio wrote: In particular, if the name of the name server is itself in the subzone, we could be faced with the situation where the NS RRs tell us that in order to learn a name server's address, we should contact the server using the address we wish to learn. To fix th
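Added example, not from the thread: a check for one delegation point that applies the rule the three messages above describe. A name server whose name lies inside the child zone can only be reached if the parent carries glue for it (the circular dependency Casey quotes), so missing glue there is an error; glue for a server elsewhere in the parent is optional; glue for a server outside the parent is flagged because most resolvers discard out-of-bailiwick additional data, so it buys nothing. The zone names, NS RRset and glue set are constructed, and the finding labels are this example's own.

```python
def canon(name):
    """Lower-case, absolute form of a domain name."""
    return name.lower().rstrip(".") + "."

def is_subdomain(name, zone):
    """True if name is at or below zone (everything is below the root)."""
    name, zone = canon(name), canon(zone)
    return zone == "." or name == zone or name.endswith("." + zone)

def check_delegation(parent_zone, child_zone, ns_names, glue):
    """Audit one delegation point.

    ns_names: the NS RRset the parent publishes for child_zone
    glue:     {server name: [addresses]} the parent carries as additional data
    Returns a list of (finding, name) tuples."""
    glue = {canon(k): v for k, v in glue.items() if v}
    findings, resolvable = [], False
    for ns in ns_names:
        ns = canon(ns)
        if is_subdomain(ns, child_zone):
            # Server lives inside the zone it serves: without glue a resolver would
            # have to ask this server for its own address, so glue is mandatory.
            if ns in glue:
                resolvable = True
            else:
                findings.append(("MISSING_GLUE", ns))
        elif is_subdomain(ns, parent_zone):
            # Elsewhere in the parent: the parent's own data resolves it; glue is optional.
            resolvable = True
            if ns not in glue:
                findings.append(("OPTIONAL_GLUE_ABSENT", ns))
        else:
            # Outside the parent: resolved independently; glue here is out of bailiwick
            # and most resolvers drop it, so it only clutters the referral.
            resolvable = True
            if ns in glue:
                findings.append(("OUT_OF_BAILIWICK_GLUE", ns))
    if not ns_names:
        findings.append(("NO_NS", canon(child_zone)))
    elif not resolvable:
        # Every server is in-bailiwick and none has glue: nothing can bootstrap the child.
        findings.append(("DELEGATION_UNRESOLVABLE", canon(child_zone)))
    return findings

# Constructed delegation of chain.example.com. from example.com. (not real data).
NS_RRSET = ["ns1.chain.example.com.", "NS2.Chain.Example.COM.",
            "ns.other.example.com.", "ns.example.net."]
GLUE = {"ns1.chain.example.com.": ["192.0.2.1"],
        "ns.example.net.": ["198.51.100.9"]}

if __name__ == "__main__":
    for finding, name in check_delegation("example.com.", "chain.example.com.", NS_RRSET, GLUE):
        print(finding, name)
```

The DELEGATION_UNRESOLVABLE case is the one that produces the "it works from some resolvers" symptom: a resolver that already has the child's server addresses cached follows the referral fine, while a cold one has no way in.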

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Michael Sinatra
Users are experiencing this problem now in the field, and more users will be experiencing it as BIND is upgraded in more and more places. Every single user relying on a Fedora 15 DNS server, for example, is going to see occasional unnecessary DNS timeouts when trying to resolve host names.

Re: BIND DNSSEC-Validation issue sceggs.nsw.edu.au

2011-09-13 Thread Michael Sinatra
On 09/12/11 22:12, Neil wrote: Hi BIND Users I am currently trialing Bind v9.8.1 and have come across an issue with 1 particular domain. For some reason when I query the below domain on bind resolver-cache nothing gets returned.? dig @ sceggs.nsw.edu.au ns The debug logs show 13-Sep-2011 10:11:27.

Re: DNSSEC not populating parent zone files with DS records

2011-10-01 Thread Michael Sinatra
On 10/01/11 04:54, Bill Owens wrote: On Fri, Sep 30, 2011 at 10:26:34PM +, Raymond Drew Walker wrote: In our initial implementation of DNSSEC, we chose to try out the "auto" functionalities in version 9.8.0 P4 ie. using "auto-dnssec maintain" in all master zones. When going live, we found t

Re: Problem with ed.gov

2012-01-19 Thread Michael Sinatra
Please be aware that RFC 2671, which specifies EDNS0, allows for buffer sizes to reach 64k, not just 4k. Most implementations default to 4k, but the buffer size can easily be set higher. Moreover, the EDNS0 buffer size merely specifies the size where the UDP response becomes truncated and mus

Re: dig query

2010-01-06 Thread Michael Sinatra
On 1/6/10 7:10 AM, Alan Clegg wrote: Tony Finch wrote: On Wed, 6 Jan 2010, Pamela Rock wrote: Does that imply that +adflag sets the ad bit on the query and the response where +dnssec only sets the ad bit on the responce? The AD flag is meaningless in a query. In a response it tells you whethe

Re: Has anyone Seen the NANOG post titled "Upcoming DNS behavior changes to .com/.net/.edu name servers"

2010-01-19 Thread Michael Sinatra
On 01/19/10 11:36, da...@from525.com wrote: All, Last Friday (Jan 8th 2010) Matt Larson from Verisign started a thread on the NANOG mailing list titled "Upcoming DNS behavior changes to .com/.net/.edu name servers". I haven't seen any chatter on here or NANOG in regards to the post and figured n

Re: Added new master zone, copy .hosts does not replicate properly

2010-01-21 Thread Michael Sinatra
On 1/21/10 3:40 PM, Ryan S wrote: So my setup has been working great modifying existing zones adding and removing records. But when I add a new zone, it apparently does not work. So I think I am missing an important file that lists all the zones BIND uses? What BIND file am I needing to copy

Re: DNSSEC DSSET & KEYSET

2010-01-28 Thread Michael Sinatra
On 01/28/10 07:57, prock...@yahoo.com wrote: That was very helpful. Thanks. One last query. For signed domains registered with and using ISC.ORG trust anchor, is there a sanity check similar to what you displayed below? If you mean ISC DLV registry, that service continually does sanity chec

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Michael Sinatra
On 02/23/10 18:31, Joe Baptista wrote: Now that OpenDNS the largest provider of public DNS supports DNSCurve http://twitter.com/joebaptista/status/9555178362 Would it be possible to include DNScurve support in bind? thanks joe baptista I'd love to see BIND adopt DNScurve...when it becomes an

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Michael Sinatra
On 02/23/10 19:54, Joe Baptista wrote: It would be nice to see it as an RFC. I agree with that. But from what I know it will be a pretty cold day in hell before it becomes an RFC. I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is full of wackos. So it is unlikely he will ev

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Michael Sinatra
On 02/24/10 01:25, Jonathan de Boyne Pollard wrote: DNScurve advocates, on the other hand, point out that DNS isn't encrypted. Well, neither is the phone book. So what? So the protocol is vulnerable to both local and remote forgery attacks, just like other unencrypted protocols

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-03-08 Thread Michael Sinatra
On 3/7/10 10:46 AM, Danny Mayer wrote: Autokey is not a cryptographic signature protocol. It *is* an authentication protocol for the server only and there are a number of exchanges that need to be done to complete the authentication of the server. You cannot compare this with DNSSEC and nothing i

Re: Reverse lookup failing when arpa.dlv.isc.org appeared

2010-03-27 Thread Michael Sinatra
On 03/25/10 05:21, Chris Thompson wrote: I'll be reporting this to bind-bugs, but I thought I would mention it here in case others can confirm the effect. Our two main recursive nameservers used DNSSEC validation via dlv.isc.org. In the past we have had suspicions that there are glitches when new

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-04-14 Thread Michael Sinatra
On 04/14/10 16:28, Roy Badami wrote: Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and I've seen no repeat of the DNSSEC name resolution issues so far; it's early days yet (only been running DLV for three days) but certainly looking promising. I spoke too soon. I've now found

Re: Understanding 'format error" Messages

2010-04-15 Thread Michael Sinatra
b19...@anl.gov wrote: I am trying to understand "format error" messages like this one from BIND 9.7.0-P1: Apr 15 15:36:02 dnsserver.it.anl.gov named[8662]: [ID 873579 daemon.notice] DNS format error from 209.234.234.42#53 resolving markets.nytimes.wallst.com/ for cl

Re: Resolving .gov w/dnssec

2010-04-22 Thread Michael Sinatra
On 04/22/10 10:23, Paul Wouters wrote: On Thu, 22 Apr 2010, Chris Thompson wrote: I have the same problems with our validating unbound instance. I suspect that this has to do with dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov. dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov. faili

Re: Resolving .gov w/dnssec

2010-04-22 Thread Michael Sinatra
On 4/22/10 8:55 AM, Timothe Litt wrote: So, others are also seeing this, and it's not unique to bind or my corner of the internet. Thanks. It seems to have been going on for weeks, so it isn't going to fix itself. Who do I report this to so that it gets resolved? I have had good luck reporti

Re: Resolving .gov w/dnssec

2010-04-22 Thread Michael Sinatra
On 04/22/10 15:22, Casey Deccio wrote: Actually, what seems interesting to me is that the cutoff seems to be at a payload size of 1736, which happens to be the exact size of the complete response. Is this just coincidence? Yes it is. With the bufsize set to 1735, the response that will actu

Re: Resolving .gov w/dnssec

2010-04-23 Thread Michael Sinatra
On 04/22/10 18:48, Timothe Litt wrote: I get a "connection timed out; no servers could be reached" after the "Truncated, retrying in TCP mode" even with +bufsiz=512 I get a correct response when I use +bufsiz=512. After "Truncated, retrying in TCP mode" I get a response, but apparently you do

Re: Automated DNSSEC (command line)

2010-05-28 Thread Michael Sinatra
On 05/28/10 14:18, Michelle Konzack wrote: Hello DNSSEC Experts, I am ongoing to install 4 new Name Servers and increase my registrar and hosting service... OK, I have tried to make my own 4 domains with 16 zones signed and it took me one hour of my life! Since I have to re-sign the zones i

Re: USADOTGOV.NET Root Problems?

2010-07-23 Thread Michael Sinatra
On 07/23/10 05:37, Danny Mayer wrote: On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote: Thanks for the confirmation that the problem was related to DNSSEC. I didn't see your message until I got home from work; however, I did find the root of the problem late this afternoon. At each of our

Re: USADOTGOV.NET Root Problems?

2010-07-24 Thread Michael Sinatra
On Sat, 24 Jul 2010, Warren Kumari wrote: On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote: On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote: Thanks for the confirmation that the problem was related to DNSSEC. I didn't see your message until I got home from work; however, I did find the

Re: Unable to slave root zones

2017-04-07 Thread Michael Sinatra
On 04/07/17 09:21, Tony Finch wrote: Mark Knight wrote: I've just noticed (after the slave zones expired), that the root name servers have been refusing my zone transfer requests since the end of March. This is because Cloudflare are now helping isc.org to host f.root-servers.net, and the Cl

redundant bump-in-the-wire signers using BIND

2018-05-21 Thread Michael Sinatra
Hi all: First, let me explain the trade-off I am trying to manage (as succinctly as possible): My current setup has a DNS/IPAM system that backs up to a redundant one in a different location, a bump-in-the-wire hardware signing appliance (different from the IPAM), and a bunch of authoritative sl

redundant bump-in-the-wire signers using BIND

2018-06-25 Thread Michael Sinatra
To close the loop a bit on this... On 05/22/18 03:22, Tony Finch wrote: > Michael Sinatra wrote: >> >> My only concern is that serial numbers might get out of sync between the >> two signers at some point. > > You can avoid this problem with `serial-update-method