Re: one record to be redirected to a specific IP

2010-04-25 Thread Phil Mayers
On Sun, Apr 25, 2010 at 09:19:18PM +0100, hugo hugoo wrote: Yes I need more help on this item. Your answer seems to indicate that there is no way to only redirect www.abcd.com to IP 1.2.3.4 toto.www.abcd.com will either be redirected to the same IP (zone file with * A

Re: one record to be redirected to a specific IP

2010-04-26 Thread Phil Mayers
On 26/04/10 12:44, Torsten wrote: On Mon, 26 Apr 2010 11:30:26 +0200 Sten Carlsenst...@s-carlsen.dk wrote: I wonder if the following could be done: - make the zone for www.abcd.com, which would also redirect the anything else part. - delegate the anything else back to its original owner.

Splitting off a sub-zone atomically

2010-05-10 Thread Phil Mayers
We're doing some DNSSEC testing with sub-zones of our main zone, and I had a little accident largely due to my own incompetence today where I basically did this: 1. Existing zone example.com; create new zone sub.example.com 2. Run a SQL-DNS update; *.sub.example.com RRs are removed from

Re: Splitting off a sub-zone atomically

2010-05-11 Thread Phil Mayers
On 05/11/2010 09:12 AM, Matus UHLAR - fantomas wrote: On 10.05.10 16:20, Phil Mayers wrote: We're doing some DNSSEC testing with sub-zones of our main zone, and I had a little accident largely due to my own incompetence today where I basically did this: 1. Existing zone example.com; create new

Out-of-zone data mistaken for glue?

2010-05-11 Thread Phil Mayers
Following on from yesterdays query; if I have this zone: test.com. 86400 IN SOA ... test.com. 86400 IN NS ... foo.test.com. 86400 IN NS ns.foo.test.com. ns.foo.test.com. 86400 IN A 192.168.254.254

Re: Out-of-zone data mistaken for glue?

2010-05-11 Thread Phil Mayers
On 11/05/10 12:20, Barry Margolin wrote: In articlemailman.1488.1273575364.21153.bind-us...@lists.isc.org, Phil Mayersp.may...@imperial.ac.uk wrote: Following on from yesterdays query; if I have this zone: test.com. 86400 IN SOA ... test.com. 86400

Re: Multi-mastering with dynamic updates

2010-05-17 Thread Phil Mayers
On 17/05/10 16:02, arcan...@free.fr wrote: Hi all, Like a lot of people over the web, I am looking for a clean multi-master (multi-primary) solution that allow dynamic updates. Interesting. What's the use-case for this? And like a lot of people over the web, I haven't found anything

Re: Multi-mastering with dynamic updates

2010-05-17 Thread Phil Mayers
On 17/05/10 16:59, Arcan_- wrote: Thanks for the reply. Interesting. What's the use-case for this? I have a few hundreds of dhcp clients and a two nodes pseudo cluster (for the VIP). I need a solution that enable high availability on the same level of service. That way, if one node fails,

Re: How to resign a signed zone

2010-05-27 Thread Phil Mayers
On 05/27/2010 06:43 AM, rams wrote: Hi, How do we resign the signed zone? What is the command to do the RESIGNING ? Resign with a new ZSK, or resign with the existing ZSK to avoid signature expiry? Which version of bind are you running? What's the zone statement look like?

Re: bind 9.7, dnssec and multiple key directories and resalt NSEC3

2010-06-04 Thread Phil Mayers
On 04/06/10 11:11, Tim Verhoeven wrote: Hi, I'm currently testing the automatic signing for DNSSEC present in Bind 9.7. I'm currently using Bind 9.7.0 and I have 2 questions. The first one, can I configure multiple key directories? The reasoning for this is that I would like to separate the

Re: Running both a cache-only and an authoritative server on the same server

2010-06-17 Thread Phil Mayers
On 17/06/10 13:35, Phil Mayers wrote: On 17/06/10 12:39, Jørn Skjerven wrote: Hi! I've tried to search the archive for this, but could not find anything relevant. We currently run a server with an authoritative set for domains. We want to use the same server as a cache-only DNS for other

Re: Running both a cache-only and an authoritative server on the same server

2010-06-17 Thread Phil Mayers
On 17/06/10 12:39, Jørn Skjerven wrote: Hi! I've tried to search the archive for this, but could not find anything relevant. We currently run a server with an authoritative set for domains. We want to use the same server as a cache-only DNS for other customers as well on a secondary IP.

Re: What does the following entry mean, in particular, what is SOA -E?

2010-06-25 Thread Phil Mayers
On 25/06/10 16:22, Regid Ichira wrote: What does the following entry mean: 25-Jun-2010 15:32:20.669 queries: info: client 192.168.196.55#53: view remote: query: nik.cyp.net IN SOA -E (192.168.1.1) http://www.isc.org/files/arm96.html#the_category_phrase

Re: What does the following entry mean, in particular, what is SOA -E?

2010-06-25 Thread Phil Mayers
On 25/06/10 16:28, Phil Mayers wrote: On 25/06/10 16:22, Regid Ichira wrote: What does the following entry mean: 25-Jun-2010 15:32:20.669 queries: info: client 192.168.196.55#53: view remote: query: nik.cyp.net IN SOA -E (192.168.1.1) http://www.isc.org/files/arm96.html

Re: rndc: 'sign' failed: permission denied

2010-07-08 Thread Phil Mayers
On 07/07/2010 08:24 PM, L. Gabriel Somlo wrote: view global { zone example.org { type master; file example.org.signed; allow-update { key foo; }; }; The problem is that, when I attempt

Re: Does bind send email?

2010-07-09 Thread Phil Mayers
On 09/07/10 12:18, tomasz dereszynski wrote: check below link apparently viruses (some) hide themselves behind that name/process. http://www.file.net/process/named.exe.html mind you, it might be something else ... Maybe McAfee is triggering on MX lookups?

Re: odbc.ucas.com lookup problem

2010-07-20 Thread Phil Mayers
On 20/07/10 15:10, Chris Thompson wrote: We're having some local reports about delays resolving odbc.ucas.com. The problem is undoubtedly the response of ns-lp.ucas.com, which seems to be some sort of load balancer, to queries. I get log entries from BIND like Jul 20 14:35:12

Re: IPv6 Records on an IPv4 Network

2010-07-22 Thread Phil Mayers
On 07/21/2010 10:10 PM, Martin McCormick wrote: This is admittedly not a bind question, but it has become a major nag factor and I am not sure what to recommend. We delegate our Microsoft Active Directory zone to Microsoft domain controllers and they have stuffed their zone with

Re: connect call failing with EINPROGRESS error code.

2010-07-22 Thread Phil Mayers
On 07/22/2010 07:52 AM, R Juneja wrote: Hi, I am new to socket programming. Please help me with a situation. This is the wrong place to ask. This mailing list is for discussing the Bind DNS server, not socket programming. The function call connect (non -blocking) is failing with

Re: IPv6 Records on an IPv4 Network

2010-07-22 Thread Phil Mayers
On 22/07/10 12:19, Rock July wrote: Windows Vista and 7 clients will query both type A and query even The OS might make the query, but the application will (should) be using getaddrinfo, and this will return the IPv4 addresses first, so it doesn't matter. only IPv4 interface is

Re: IPv6 Records on an IPv4 Network

2010-07-22 Thread Phil Mayers
On 22/07/10 16:45, Alan Clegg wrote: On 7/22/2010 8:33 AM, Phil Mayers wrote: only IPv4 interface is enabled. If I put the option filter--on-v4 {yes;};, will my DNS reject the queries? This option breaks DNSSEC. Actually, it doesn't. If the DO bit is set in the query, the default

Re: Multiple masters expected behavior?

2010-07-22 Thread Phil Mayers
On 07/22/2010 10:59 PM, Peter Laws wrote: I have multiple interfaces on my master and multiple interfaces on most of my slaves. I've got one of the slaves set up so that its masters {}; statement has two of the master's interfaces in it. The preferred is first, with the non-preferred second.

Re: IPv6 Records on an IPv4 Network

2010-07-23 Thread Phil Mayers
On 23/07/10 13:23, Danny Mayer wrote: On 7/22/2010 11:33 AM, Phil Mayers wrote: On 22/07/10 12:19, Rock July wrote: Windows Vista and 7 clients will query both type A and query even The OS might make the query, but the application will (should) be using getaddrinfo, and this will return

Re: DNS update from Linux to Windows DNS Server

2010-07-26 Thread Phil Mayers
On 26/07/10 16:32, Cory Coager wrote: I'm not sure if this is the right place to ask this but I am trying to execute a DNS update using the nsupdate utility to update an A record from a Linux server to a Windows 2008 R2 DNS server. Sending the request using 'nsupdate -o' responds with 'response

Re: DNS update from Linux to Windows DNS Server

2010-07-26 Thread Phil Mayers
On 26/07/10 16:56, Cory Coager wrote: 'nsupdate -g' responds with 'dns_request_getresponse: FORMERR' Sorry then. I don't know. Personally I can't make nsupdate work at all with GSSAPI; I get: dns_tkey_buildgssquery failed: ran out of space ...before it even tries to talk to the network. I

Re: BIND integration with windows DNS

2010-07-27 Thread Phil Mayers
On 07/27/2010 07:10 AM, Arnoud Tijssen wrote: I'm facing kind of a challenge. At the moment we have BIND and windows DNS within our corporate network. I would like to get rid of windows DNS and switch completely over to BIND, but since DNS is so intertwined with AD this is not an option since

Re: BIND integration with windows DNS

2010-07-27 Thread Phil Mayers
On 07/27/2010 08:17 AM, Kalman Feher wrote: Since I don't want all dynamic updates from windows clients polluting my main zone file, but still want one primary DNS serving the main domain instead of two, BIND and windows, what it is the best option if there is one. Create a subdomain for your

Re: BIND integration with windows DNS

2010-07-27 Thread Phil Mayers
On 07/27/2010 08:31 AM, Arnoud Tijssen wrote: From previous mail; Since I don't want all dynamic updates from windows clients polluting my main zone file, but still want one primary DNS serving the main domain instead of two, BIND and windows, what it is the best option if there is one.

Re: Subnet reverse delegation, RFC 2317

2010-07-29 Thread Phil Mayers
On 07/29/2010 08:58 AM, Jukka Pakkanen wrote: Doing first time the RFC 2317 style subnet reverse DNS, and have a problem with recursion. When doing a query like dig @ns1.qnet.fi -x 62.142.217.200 it succeeds from the local network, but outside I get recursion requested but not available. Our

Re: Subnet reverse delegation, RFC 2317

2010-07-29 Thread Phil Mayers
On 29/07/10 10:00, Jukka Pakkanen wrote: On 29.7.2010 11:29, Phil Mayers wrote: On 07/29/2010 08:58 AM, Jukka Pakkanen wrote: Doing first time the RFC 2317 style subnet reverse DNS, and have a problem with recursion. When doing a query like dig @ns1.qnet.fi -x 62.142.217.200 it succeeds from

Re: Subnet reverse delegation, RFC 2317

2010-07-29 Thread Phil Mayers
On 29/07/10 12:34, Jukka Pakkanen wrote: On 29.7.2010 14:23, Mark Andrews wrote: In message4c5134af.2080...@qnet.fi, Jukka Pakkanen writes: Doing first time the RFC 2317 style subnet reverse DNS, and have a problem with recursion. When doing a query like dig @ns1.qnet.fi -x 62.142.217.200

Re: list zones

2010-08-03 Thread Phil Mayers
On 03/08/10 10:39, Mihamina Rakotomandimby wrote: Manao ahoana, Hello, Bonjour, Without grepping the configuration files from the system shell, is it possible to lists all the master zones on a running bind9? What tool with? How about this: # add this to named.conf statistics-channels {

Re: dns-sec and Maintaining Human Sanity

2010-08-06 Thread Phil Mayers
On 06/08/10 12:24, Martin McCormick wrote: The one thing that impresses me about dns-sec is that it appears to be one of those things that will probably work fine after installation but getting there may be an adventure to put it mildly. My advice is to investigate upgrading to Bind

Can an NS point to a CNAME

2010-08-12 Thread Phil Mayers
All, We've had a report this morning that a user can't resolve: 71.225.219.134.in-addr.arpa PTR ...I think this is because the parent zone NS records point to CNAMEs. I can see references to (much) older versions of bind not following such delegations, but I'm not getting anything logged at

Re: Can an NS point to a CNAME

2010-08-12 Thread Phil Mayers
On 12/08/10 16:34, Yohann Lepage wrote: 2010/8/12 Phil Mayersp.may...@imperial.ac.uk: Is this still the case (that NS-CNAME is invalid)? http://www.rfc-editor.org/rfc/rfc2181.txt 10.3. MX and NS records The domain name used as the value of a NS resource record, or part of the value

Re: Can an NS point to a CNAME

2010-08-13 Thread Phil Mayers
On 13/08/10 08:49, Matus UHLAR - fantomas wrote: On 12.08.10 17:07, Phil Mayers wrote: Thanks, but perhaps I should be more specific about what I'm asking: Is it still the case that *Bind* will not follow a delegation where an NS record points at a CNAME? In any event, as has been pointed out

Re: Can an NS point to a CNAME

2010-08-13 Thread Phil Mayers
On 13/08/10 14:14, Dave Sparro wrote: On 8/13/2010 6:08 AM, Phil Mayers wrote: Still puzzled that bind didn't seem to log anything. I will have a trawl through the source I think; I'm sure it must be my logging config. I don't know if I'm on the right path, but were you logging lame

Re: DNS Rebinding Prevention for the Weak Host Model Attacks

2010-08-17 Thread Phil Mayers
On 08/17/2010 04:31 PM, Florian Weimer wrote: * Bradley Falzon: Craig Heffner's version of the DNS Rebinding attack, similar to all DNS Rebinding attacks, requires the DNS Servers to respond with an Attackers IP Address as well as the Victims IP Address, in a typical Round Robin fashion.

www.ncbi.nlm.nih.gov / pubmed

2010-08-18 Thread Phil Mayers
All, It seems this zone is broken as of a couple of days ago. Is anyone else seeing it? Is there an appropriate bind workaround? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: www.ncbi.nlm.nih.gov / pubmed

2010-08-18 Thread Phil Mayers
On 18/08/10 13:30, Phil Mayers wrote: On 18/08/10 13:15, Lightner, Jeff wrote: It comes right up in Firefox but prompts for a username and password. Do you have DNSSEC validation enabled? Because as per my email, it's a DNSSEC problem. Damn - in fact sorry, scratch that. I realise my

Re: www.ncbi.nlm.nih.gov / pubmed

2010-08-18 Thread Phil Mayers
On 18/08/10 13:15, Lightner, Jeff wrote: It comes right up in Firefox but prompts for a username and password. Do you have DNSSEC validation enabled? Because as per my email, it's a DNSSEC problem. After a bit of investigation, it seems that the problem is a missing NSEC/NSEC3 record in

Re: www.ncbi.nlm.nih.gov / pubmed

2010-08-19 Thread Phil Mayers
On 08/18/2010 06:55 PM, Dave Sparro wrote: On 8/18/2010 1:12 PM, Casey Deccio wrote: On Wed, Aug 18, 2010 at 9:48 AM, Dave Sparrodspa...@gmail.com wrote: On 8/18/2010 8:30 AM, Phil Mayers wrote: ...since the ncbi zone is an unsigned child zone, there needs to be an NSEC/NSEC3 record

Re: Multiple CNAME alternative?

2010-08-19 Thread Phil Mayers
On 19/08/10 15:52, Steve Arntzen wrote: I would like to resolve dns.ourdomain.com to a list of our DNS server names and possibly their IPs. CNAMEs are singleton; this: dns.ourdomain.com. IN CNAME nsdev1.ourdomain.com. dns.ourdomain.com. IN CNAME nsdev2.ourdomain.com. ...is illegal.

Re: Multiple CNAME alternative?

2010-08-19 Thread Phil Mayers
On 19/08/10 16:18, Phil Mayers wrote: On 19/08/10 15:52, Steve Arntzen wrote: I would like to resolve dns.ourdomain.com to a list of our DNS server names and possibly their IPs. CNAMEs are singleton; this: dns.ourdomain.com. IN CNAME nsdev1.ourdomain.com. dns.ourdomain.com. IN CNAME nsdev2

Re: DNSSEC, views trusted keys...

2010-09-09 Thread Phil Mayers
On 09/09/2010 03:45 PM, Timothe Litt wrote: There is other advice in the ARM that says to put 'your organization's public keys in the trusted-keys list'. That doesn't help - and in fact, confuses me even more since example.net has TWO different public keys - one for each view. And

Re: DNSSEC, views trusted keys...

2010-09-11 Thread Phil Mayers
On 09/10/2010 11:12 PM, Timothe Litt wrote: So it looks like the new (r-internal) view is starting at the root when it resolves -- ignoring what it has data for locally. It sorta works for You'll need a: zone name { type forward; forward only; forwarders { ips; }; }; It won't

Re: DNSSEC, views trusted keys...

2010-09-12 Thread Phil Mayers
On 09/12/2010 03:41 AM, Chris Buxton wrote: Use a stub zone instead of a forward zone, so that the query will actually reach the authoritative view. With a forward zone, the query is recursive, so will be picked up by the recursive view - the view will query itself and not receive an answer.

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-21 Thread Phil Mayers
On 21/09/10 14:43, Niobos wrote: On 2010-09-21 15:32, Kalman Feher wrote: On 21/09/10 8:43 AM, Niobosnio...@dest-unreach.be wrote: I personally find protection against zone enumeration to be a false sense of security. If it's public people will find it. Ask your self what it is that you want

Re: query cache denied in view statement

2010-09-26 Thread Phil Mayers
On 09/26/2010 09:25 PM, David S. wrote: Dear All, I had problem when trying to use view class on my named.conf, please see attached file and below my query log: You've set additional-from-cache but not allow-query-cache ACL. The default has everyone denied. Do you need to set

Re: query cache denied in view statement

2010-09-27 Thread Phil Mayers
On 09/26/2010 10:57 PM, David S. wrote: I've removed additional-from-cache and restart bind, below part of named.conf Ok, bad guess on my part :o( Not sure I'm afraid. I don't really understand your config; do you mean to have recursion off in both views? What is sending the queries?

Re: query cache denied in view statement

2010-09-27 Thread Phil Mayers
On 27/09/10 09:45, David S. wrote: Hi Phil, In that case, don't you want recursion on in view mynetwork? I won't recursion in my network, so recursion is no. Sorry, I don't understand. Perhaps someone else can help you.

Re: Auto signing ARM

2010-10-02 Thread Phil Mayers
On 10/01/2010 09:59 PM, Tony Finch wrote: I haven't seen any answers to Timothe's questions below, though I have been keeping an eye out for them. The documentation in this area is a bit thin... A few comments based on what I've observed. Consider this configuration snippet: View internal

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-02 Thread Phil Mayers
On 10/02/2010 10:01 AM, lst_ho...@kwsoft.de wrote: So the problem are not resolvers unaware of DNSSEC but resolvers with inappropriate defaults or configured wrong by accident. Additionally this problem is not easy detectable as it can occur far downstream. So i would say it is a valid concern

Re: Integrating BIND9 with external graphing like Cacti

2010-10-13 Thread Phil Mayers
On 13/10/10 15:16, Eivind Olsen wrote: Has anyone here made use of the XML statistics interface in BIND9, to get some numbers into Cacti (or another similar tool)? If so, how, and which numbers did you feel were worth turning into graphs? Yes. We have a system where local scripts on our

Re: Integrating BIND9 with external graphing like Cacti

2010-10-15 Thread Phil Mayers
On 13/10/10 15:50, Phil Mayers wrote: On 13/10/10 15:16, Eivind Olsen wrote: Has anyone here made use of the XML statistics interface in BIND9, to get some numbers into Cacti (or another similar tool)? If so, how, and which numbers did you feel were worth turning into graphs? Yes. We have

Re: DNS Redundancy

2010-10-21 Thread Phil Mayers
On 21/10/10 12:50, Stephane Bortzmeyer wrote: Unlike the failure of an authoritative name server, the failure of a resolver is not really transparent for the Unix stub resolver, as you have discovered. You may consider solutions using a redundancy at layer 3 such as VRRP or CARP. Yeah, we've

Re: Key ID from DNSKEY - how?

2010-10-27 Thread Phil Mayers
On 10/27/2010 06:46 PM, Mark Elkins wrote: I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to do this in PHP as this is inside some existing PHP (Web) scripts but I guess calling a C program would not be too inconvenient. I use some Python code to do this in our

Re: out of place mx records.

2010-10-28 Thread Phil Mayers
On 28/10/10 11:56, Tony Finch wrote: On Thu, 28 Oct 2010, Gregory Machin wrote: My question is why would INMX10mcvpemr01 and INMX 10mcvpemr02 be repeated through the zone file surely this is redundant ? Some hostmasters like to ensure that mail is not directed to hosts

Re: DNSSEC with 9.7.2-P2

2010-11-12 Thread Phil Mayers
On 12/11/10 12:49, David Forrest wrote: and, on checking named.conf, I found the entry for br. as: trusted-keys { br. 257 3 5

Re: DNSSEC with 9.7.2-P2

2010-11-12 Thread Phil Mayers
On 12/11/10 14:51, Alan Clegg wrote: On 11/12/2010 7:49 AM, David Forrest wrote: While running BIND 9.7.2-P2 built with defaults on F11 [..] and, on checking named.conf, I found the entry for br. as: trusted-keys { br. 257 3 5

Re: DNSSEC with 9.7.2-P2

2010-11-12 Thread Phil Mayers
On 12/11/10 15:45, Lightner, Jeff wrote: For Production (RPM based system) you should use RHEL or CentOS which has a much longer life cycle. (Speaking of which, RHEL6 was just put in I don't agree with your line of reasoning. RHEL may have longer update cycles, but there's no guarantee a

Re: Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Phil Mayers
On 17/11/10 13:48, Martin McCormick wrote: We are chasing down some problems in which clients are trying to resolve lookups to a domain related to Microsoft Active Directory zones. We were able to determine that clients were querying this AD zone when it was thought they weren't needing to do

Re: Problems with Bind-Kerberos-Windows-Linux

2010-12-06 Thread Phil Mayers
On 12/06/2010 02:20 PM, Jürgen Dietl wrote: I have read that there is a special mode called User-To-User Mode. This mode enables the client to ask for a service direct without asking for a That's not quite how u2u works. TGT before. I found out that my client use this special user-to-user

Re: Problems with Bind-Kerberos-Windows-Linux

2010-12-06 Thread Phil Mayers
On 12/06/2010 04:01 PM, Jürgen Dietl wrote: Hello Phil thanx again for your answer. So I read between the lines that even if there were bugfixes for GSSTSIG in Bind V. 9.7.2 - it doesn't work. So we have to wait until MS follow the standards? :-) That's not what I said. Forgive me but what is

Re: Silently drop queries for AAAA records

2010-12-08 Thread Phil Mayers
On 12/08/2010 07:40 AM, Niobos wrote: On 2010-12-07 23:31, David A. Evans wrote: I'm in the mood to prove a point. I have a very poorly written application that is generating a few hundred queries per second of completely bogus records before attempting a lookup of the correct

Re: OT: checking subnet delegation?

2011-01-04 Thread Phil Mayers
On 04/01/11 15:32, online-reg wrote: Hi All: I have a /28 that was supposed to be delegated to my NS by my ISP. How can I check that it is correctly delegated? I have the in-addr.arpa zone configured in my NS and it resolves properly when I test it locally, but if I test using a remote service

Re: enable a dynamic zone

2011-01-05 Thread Phil Mayers
On 01/05/2011 03:32 AM, Paul Ooi Cong Jen wrote: Hi, Nope. Dynamic zone require keys exchange for zone transfer. This is not correct.

Re: enable a dynamic zone

2011-01-05 Thread Phil Mayers
On 01/05/2011 03:01 AM, p...@mail.nsbeta.info wrote: Hello, When adding a statement of something like: allow-update { 127.0.0.1; }; to the zone configuration, this zone will become a dynamic zone, is it? Yes. You can also do: allow-update { key NAME; }; ...and in newer versions of bind

Re: nsupdate problem after DNSSEC

2011-01-05 Thread Phil Mayers
On 01/05/2011 08:09 AM, Michelle Konzack wrote: I have update mydns1 to DNSSEC and now I have two problems... Do you mean you have signed your zone? If so, you are aware that bind requires the zone-signing key to be available in order to perform updates - like this: zone $name { type

Re: enable a dynamic zone

2011-01-05 Thread Phil Mayers
On 01/05/2011 11:45 AM, Sten Carlsen wrote: Maybe just a detail without much significance. Will the zone become dynamic when you enable updates OR when you have actually done the first update - i.e. created the .jnl file? A dynamic zone is a zone that allows dynamic updates, so the former.

Re: Confused about /24 in-addr.arpa NS delegation debug problem

2011-01-06 Thread Phil Mayers
On 01/06/2011 11:30 PM, Gary Wallis wrote: (Some dig output lines deleted to keep short) Why does this not work (but below next dig with +trace seems to imply that it should?): The delegation looks invalid: 147.95.81.in-addr.arpa. 172800 IN NS ns1.theplanet.com.

Re: Telling rndc Which IP Address to Use

2011-01-21 Thread Phil Mayers
On 01/20/2011 09:28 PM, Mark Andrews wrote: Or one can not worry about the IP address being used. The addresses are still there for backwards compatibility with BIND 8 where only the IP address is used. TSIG is really so much stronger than any IP based authentication. It's like putting a

Re: get a domain's dns records

2011-01-21 Thread Phil Mayers
On 21/01/11 13:50, Barry Margolin wrote: In articlemailman.1415.1295616325.555.bind-us...@lists.isc.org, Joseph S D Yaoj...@tux.org wrote: On Fri, Jan 21, 2011 at 02:19:45PM +0800, p...@mail.nsbeta.info wrote: I'm just curious, how does who.is know the dns records in my domain

Re: get a domain's dns records

2011-01-21 Thread Phil Mayers
On 21/01/11 14:21, p...@mail.nsbeta.info wrote: Dave Knight writes: I guess the tool just always assumes that there's probably a www worth asking about But how does the site know I have a sub domain test.nsbeta.info and its name servers? I didn't think that I have got this sub domain be

Re: Bind 9.7 - sanity check or a bug

2011-01-28 Thread Phil Mayers
On 28/01/11 10:50, Din Jo wrote: case 1: # nsupdate server 127.0.0.1 update delete server2.test.com A update add server2.test.com A 10.0.0.2 send quit case 2: # nsupdate server 127.0.0.1 update delete server2.test.com

Re: Bind 9.7 - sanity check or a bug

2011-01-28 Thread Phil Mayers
In case two, you are sending the delete as one transaction and the add as a 2nd transaction. I'm surprised the 2nd case fails at the 2nd transaction, not the first. Known bug. The version information was not passed down to the checking routines. Interesting; can you be more specific -

Re: bind8 and bind9 installed on the same server: possible?

2011-02-01 Thread Phil Mayers
On 01/02/11 16:33, hugo hugoo wrote: Dear all, I plan to upgrade my nameservers from bind8 to bind9. I guess I will encounter some compatibility problems notably in the layout of the zone files - can anybody give me the point of attention for this upgrade? Your experience will be appreciated.

Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers
On 02/13/2011 10:07 AM, Stephane Bortzmeyer wrote: Note the TYPE65534, which I cannot explain. Grepping bind-users archives, or googling, reveal that other persons saw them but I did not find a final explanation. This is documented in the Bind ARM (at least, the one that comes with the 9.8

Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers
On 02/13/2011 10:40 AM, Stephane Bortzmeyer wrote: On Sun, Feb 13, 2011 at 11:07:31AM +0100, Stephane Bortzmeyerbortzme...@nic.fr wrote a message of 35 lines which said: Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and the AEP keyper HSM), with DNSSEC enabled,

Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers
On 02/13/2011 11:30 AM, Stephane Bortzmeyer wrote: On Sun, Feb 13, 2011 at 11:01:48AM +, Phil Mayersp.may...@imperial.ac.uk wrote a message of 23 lines which said: The zone at the moment seems to be signed with NSEC; Hmmm, no, .FR has been signed by NSEC3 from the beginning. Could

Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers
On 02/13/2011 11:35 AM, Stephane Bortzmeyer wrote: On Sun, Feb 13, 2011 at 10:51:30AM +, Phil Mayersp.may...@imperial.ac.uk wrote a message of 31 lines which said: This is documented in the Bind ARM OK, thanks, I missed this section. i.e. the *presence* of the record is normal.

external update policy (was: BIND 9.8.0rc1 is now available.)

2011-02-15 Thread Phil Mayers
On 15/02/11 01:15, Mark Andrews wrote: * There is a new update-policy match type external. This allows named to decide whether to allow a dynamic update by checking with an external daemon. Contributed by Andrew Tridgell of the Samba Project. [RT #22758] This is

Re: Bind9 Log data consistency

2011-03-08 Thread Phil Mayers
On 03/08/2011 09:46 PM, Stefan Certic wrote: Hi Sebastian, Thanks for response. Problem with another log file is that solution is doubling number of I/O transactions. At some point, data needs to be phrased into database and written to disk. I'm afraid doubling operations will cause

Re: dots in hostnames problem

2011-03-09 Thread Phil Mayers
On 03/09/2011 06:09 PM, Matt Rae wrote: Hi, I'm working on setting up a slave dns server. Dots have historically been used in the hostnames here. The dots cause the resulting zone file from a zone transfer to have $ORIGIN automatically set assuming the dots are indicating a subdomain. Oh god,

Re: Bind 9.8 with dlz and dnssec

2011-03-10 Thread Phil Mayers
On 10/03/11 17:26, Christian Laursen wrote: On 03/10/11 17:05, Evan Hunt wrote: Incidentally, we've been expanding DLZ support further. In 9.8.1, the dlopen driver will be part of the default build on unix/linux platforms, no longer requiring a configure option, so you can use the Samba module

Re: dynamically updating the forwarders with bind/rndc

2011-03-29 Thread Phil Mayers
On 29/03/11 12:25, Paul Wouters wrote: Hi, Is there a way for bind9 (or planned for bind10) to dynamically update the forwarders via rndc? I believe currently the only way to do this is to rewrite the config file and then call rndc reload. I believe there's a DBUS interface that

Re: children whose zones do not reflect the delegation from the parent

2011-03-30 Thread Phil Mayers
On 03/30/2011 04:45 AM, ben thielsen wrote: both fail to do so. so - it would seem to me that at least somehow, in some sense, the delegation is broken. however, if queried further It does seem a bit broken - there's no SOA for 33.50.in-addr.arpa i.e. no zone there. for a /24 within

Re: BIND 9.4.3-P2 doesn't delegate zone!

2011-04-02 Thread Phil Mayers
On 04/02/2011 11:44 AM, Яцко Эллад Геннадьевич wrote: $ORIGIN domain.united-networks.ru. IN NS srvmain IN A 172.16.77.2 srvmain IN A 172.16.77.2 Huh, delegation looks ok. Are you sure you've reloaded the zone? I tried to nslookup from 172.16.77.11: Try a dig on the DNS

Re: shared KSK for static zone and dynamic subzone?

2011-04-26 Thread Phil Mayers
On 04/26/2011 02:13 AM, /dev/rob0 wrote: I feel like I am understanding the how of this DNSSEC stuff, but I'm not so sure about some of the whys. This post is asking a bit of both. I've got a static zone, nodns4.us., which is now signed. It's the parent zone to dynamic.nodns4.us., a dynamic

Re: shared KSK for static zone and dynamic subzone?

2011-04-27 Thread Phil Mayers
On 04/27/2011 04:40 AM, /dev/rob0 wrote: With one KSK and one ZSK per zone, we're looking at *12* keys to go in the connected sites' trusted-keys. Errr, no, I guess I only need the KSKs, but still, that's 6. I'd prefer that it be fewer than that. One sounds simpler, in fact. But the

Re: AXFR/IN' denied

2011-04-28 Thread Phil Mayers
On 04/28/2011 04:10 AM, jeffrey j donovan wrote: master 192.168.1.2 zone mydomain.com { type master; file domain.db; allow-transfer { 192.168.96.3; }; Ok, you have an allow-transfer so this is working. allow-update {none;}; }; zone 96.168.192.in-addr.arpa {

Re: IPv6 prefix length error

2011-04-29 Thread Phil Mayers
On 04/29/2011 02:17 PM, Khuu, Linh Contractor wrote: Thanks Mark for your recommendation!!! However, in the ifconfig -a output, I have: lo0: flags=e08084bUP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT inet 127.0.0.1 netmask 0xff00 broadcast 127.255.255.255

Re: IPv6 prefix length error

2011-04-29 Thread Phil Mayers
On 04/29/2011 03:24 PM, Mark Andrews wrote: The fix is likely to be a couple of lines of code to retrieve the value but without access to the correct documentation or kernel source code its hard to work out how to fix it. This code apparently works for AIX 5.3:

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-10 Thread Phil Mayers
On 05/10/2011 07:58 AM, Mark Andrews wrote: date -u may now be correct but is plain date? If it isn't you should correct timezone for the server so that both date and date -u are correct. Otherwise you leave the server open to the accidental misconfiguration that probably caused this problem

Re: no free leases

2011-05-10 Thread Phil Mayers
On 05/10/2011 05:20 PM, Steven Stromer wrote: Hi. I see that there was some discussion in distant past of the no free leases reply when defining a range within a pool, especially I think you've posted to the wrong list... this is the BIND (DNS server) list, not the dhcpd list.

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Phil Mayers
On 11/05/11 12:17, Mark Andrews wrote: {ms,krb5}-subdomain allows updates of *.machinename One note - this isn't so handy if you have a disjoint namespace, where: machinename.*.example.com ...is what you want. We are in this boat, and can't use the built in ACLs for this very reason.

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Phil Mayers
On 11/05/11 14:55, Mark Andrews wrote: In message4dca7893.5060...@imperial.ac.uk, Phil Mayers writes: On 11/05/11 12:17, Mark Andrews wrote: {ms,krb5}-subdomain allows updates of *.machinename One note - this isn't so handy if you have a disjoint namespace, where: machinename

Re: GSS-TSIG update policy identity field

2011-05-12 Thread Phil Mayers
On 12/05/11 09:33, Juergen Dietl wrote: Hello Mark i am not that professional in bind. Normally I am a CISCO expert but now I also do the bind for 6 months. I cannot imagine why this post should help me. It doesn't really. You should only need this: grant EXAMPLE.COM ms-self * any; What

Re: Bind 9.8 DNS recursion dont work from the client side - Bug?

2011-05-16 Thread Phil Mayers
On 16/05/11 11:00, Juergen Dietl wrote: Hello, I try to make an nslookup from the client. The server doesn't know the zone and for this it should do recursion to another DNS-Server options { dump-file /var/log/named_dump.db; notify-source xx.x.xxx.xxx port 53; notify yes; listen-on port 53 {

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-20 Thread Phil Mayers
On 05/20/2011 05:56 AM, Matthew Pounsett wrote: If, for some reason, you can't wait for your TTLs to expire, then forwarding the relevant zones to your authoritative servers is a better solution than slaving the zones. How? The whole point of stealth slaving is timely (NOTIFY/IXFR) updates
