Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Stephane Bortzmeyer
On Wed, Nov 19, 2008 at 09:55:52PM +0100, Adam Tkac [EMAIL PROTECTED] wrote a message of 17 lines which said: If I understand correctly what RFC 4034, section 2.1.1 says ... If bit 7 has value 1, then the DNSKEY record holds a DNS zone key, and the DNSKEY RR's owner name MUST be the name of

Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Stephane Bortzmeyer
On Thu, Nov 20, 2008 at 11:55:17AM +, Chris Thompson [EMAIL PROTECTED] wrote a message of 33 lines which said: The text you quote is for DNS publication. But you typically do not put KSK in the DNS, no? Sure you do. How could a validator use it if you didn't? Because it is published

Re: check Availability before sending response

2008-12-03 Thread Stephane Bortzmeyer
On Wed, Dec 03, 2008 at 10:53:43PM +0800, Ken DBA [EMAIL PROTECTED] wrote a message of 21 lines which said: ie, given the domain name www.site.com was pointed to 1.1.1.1 and 2.2.2.2 in Bind. When a client query for www.site.com, Bind will check the health status for these two servers. If

Re: GTLD servers still promoting glue to answer :-(

2008-12-14 Thread Stephane Bortzmeyer
On Wed, Dec 10, 2008 at 12:26:51PM +, Chris Thompson c...@cam.ac.uk wrote a message of 28 lines which said: As the recent thread (can't see nameserver externally) reminds us -- for edu rather than com/net, but there can't really be a difference, can there? the nameservers are just a

Re: 50 million records under one domain using Bind

2008-12-14 Thread Stephane Bortzmeyer
On Sat, Dec 13, 2008 at 05:09:57PM +0530, Vinay Y S vi...@vys.in wrote a message of 23 lines which said: Also, is there any known deployments of bind of this scale out there? Half of the .de name servers are BIND and .de has 12 millions of domains, which probably means close to 50 millions

Re: Testing my configuration

2008-12-18 Thread Stephane Bortzmeyer
On Wed, Dec 17, 2008 at 12:36:44PM +0100, Holger Honert holger.hon...@signal-iduna.org wrote a message of 113 lines which said: check out dig with the zone-transfer option (man dig): He asked for information about a DOMAIN NAME, which may or may not be also a ZONE. If it is not a zone, zone

Re: General performance

2008-12-24 Thread Stephane Bortzmeyer
On Tue, Dec 23, 2008 at 08:36:36PM -0800, Scott Haneda talkli...@newgeo.com wrote a message of 35 lines which said: First, if I learn it is in fact true that all 50K zones will be identical, is there any reason to make 50K zone files? No. Is it ok to point different domains to the same

Re: DNS lookups getting blocked , cant trace where is the block

2009-01-16 Thread Stephane Bortzmeyer
On Fri, Jan 16, 2009 at 11:44:06AM +0530, ram r...@netcore.co.in wrote a message of 44 lines which said: [r...@smtpout1 ~]# dig @localhost bsnl.in ; DiG 9.3.3rc2 @localhost bsnl.in ; (1 server found) ;; global options: printcmd ;; connection timed out; no servers could be reached

Re: Reverse DNS with delegation

2009-01-16 Thread Stephane Bortzmeyer
On Fri, Jan 16, 2009 at 12:27:54PM +0100, Jérémie Grauer jeremie.gra...@fimasys.fr wrote a message of 282 lines which said: I'm encountering a very strange behavior with our dns server No, it is dig behavior. You never indicate the Resource Record type so dig picks A (IPv4 address). If you

Re: in-addr.arpa delegation failure

2009-01-20 Thread Stephane Bortzmeyer
On Tue, Jan 20, 2009 at 04:14:01PM +, Lars Hecking lheck...@users.sourceforge.net wrote a message of 87 lines which said: This host is set up as a master for 172.30/16. It delegates 172.30 to a subdomain (A record for ns1.sub.domain.com is present elsewhere). Hold on! There is

Re: 512 byte limit

2009-01-23 Thread Stephane Bortzmeyer
On Thu, Jan 22, 2009 at 11:06:38AM +, Chris Thompson c...@cam.ac.uk wrote a message of 28 lines which said: As mentioned by Anton Korotin, the root name servers send answers 512. Well not unless the EDNS flag and buffer size are set in the query, of course. Which BIND does by

[DNSSEC] Validating resolver which is also authoritative: no AD bit set

2009-01-23 Thread Stephane Bortzmeyer
I configure a BIND 9.5.0 P2 which is both a DNSSEC-validating resolver and an authoritative server. With proper trust anchors, it DNSSEC-validates domains like iis.se or sources.org and sets the AD bit in the answers to 'dig +dnssec XXX iis.se'. Except for one domain, generic-nic.net, for which

Re: Manual for Bind-9.5 or 9.6

2009-01-23 Thread Stephane Bortzmeyer
On Fri, Jan 23, 2009 at 11:06:16AM -0500, Peter Fraser petros.fra...@gmail.com wrote a message of 12 lines which said: Can someone please tell me where the manuals are, better yet PDF versions of it. It seems ISC does not put them online but they are included with BIND. To quote the ISC Web

Re: What are these entries in the log file - query: . IN NS +?

2009-01-27 Thread Stephane Bortzmeyer
On Tue, Jan 27, 2009 at 11:50:51AM +0100, Jan Buchholz 96de...@googlemail.com wrote a message of 38 lines which said: I think disabling queries for the root zone from non-internal networks is another answer for this problem. Good practices about this attack (with specific BIND advice) are

Re: How many nameservers?

2009-02-02 Thread Stephane Bortzmeyer
On Sun, Feb 01, 2009 at 04:51:52PM -0800, shulkae shul...@gmail.com wrote a message of 17 lines which said: How may NS entries typically is allowed per zone? The protocol has no limit. But you may run into problems with old software which still limits the DNS packets to 512 bytes. See all

Re: How many nameservers?

2009-02-02 Thread Stephane Bortzmeyer
On Mon, Feb 02, 2009 at 02:25:35PM -0600, bsfin...@anl.gov bsfin...@anl.gov wrote a message of 41 lines which said: One downside - if you have many NS records, then they might not all fit in one UDP packet Let me demonstrate a bit of pedantism: the correct sentence is rather they might not

Re: NS validation?

2009-02-09 Thread Stephane Bortzmeyer
On Mon, Feb 09, 2009 at 07:32:03AM -0600, Frank Bulk frnk...@iname.com wrote a message of 54 lines which said: Please forgive me for my naivety, but since when did a host name have a WHOIS record? In the registry of .net/.com, many, many years. % whois -h whois.verisign-grs.com

Re: loads of Query denied... is it an attack or a misconfiguration ?

2009-02-11 Thread Stephane Bortzmeyer
On Wed, Feb 11, 2009 at 01:21:35AM +0100, Thomas Manson dev.mansontho...@gmail.com wrote a message of 88 lines which said: I believed I was on bind mailing list, a mailing list is where you usually get some help... isn't it ? You're right, it's a shame. Ask immediately for a refund, both

Re: loads of Query denied... is it an attack or a misconfiguration ?

2009-02-11 Thread Stephane Bortzmeyer
On Wed, Feb 11, 2009 at 01:35:31AM +0100, Thomas Manson dev.mansontho...@gmail.com wrote a message of 80 lines which said: I'll temporarily block the ip on my firewall Very bad idea, since it is forged. You do exactly what the attacker wanted you to do. The proper thing to do is:

Re: Multiple SOA

2009-02-12 Thread Stephane Bortzmeyer
On Wed, Feb 11, 2009 at 12:19:20PM -0800, Prabhat Rana prana9...@yahoo.com wrote a message of 16 lines which said: Is it possible to have more than one hosts assigned as SOA in a given zone file? There is no reason to do so. Currently I have host1 as master and host2 configured as slave

Re: Multiple SOA

2009-02-12 Thread Stephane Bortzmeyer
On Thu, Feb 12, 2009 at 06:44:30AM -0800, Prabhat Rana prana9...@yahoo.com wrote a message of 68 lines which said: So as long as named.conf host2 states it as master after the change even if SOA in the zonefile lists host1 as SOA. The file transfer will resume even when host1 is down? May

Re: More than four name server for whois record

2009-03-01 Thread Stephane Bortzmeyer
On Sun, Mar 01, 2009 at 11:41:22AM -0800, Chris Henderson henders...@gmail.com wrote a message of 8 lines which said: I cannot put more than four name servers in the domain management web interface Bad domain management Web interface, use another one (four is a very low limit). What

Re: how to create a private test. zone?

2009-03-01 Thread Stephane Bortzmeyer
On Sun, Mar 01, 2009 at 08:46:11PM +, Rui Lopes r...@ruilopes.com wrote a message of 168 lines which said: I did the delegation by adding the following RR in the test. zone (in the Sun host): example IN NS plesk May be an error prevented the loading of the zone?

Re: Adding records to a domain I don't control for anyone who uses my nameserver

2009-03-03 Thread Stephane Bortzmeyer
On Mon, Mar 02, 2009 at 01:07:36PM -0500, Matthew Huff mh...@ox.com wrote a message of 62 lines which said: Spoofing the dns zones are the only solution. It won't work when (if) DNSSEC will be deployed (and I assume the banking sector will be one of the first to adopt it)... Why not using

Re: stub zone

2009-03-06 Thread Stephane Bortzmeyer
On Thu, Mar 05, 2009 at 02:06:18PM +0100, squid proxy squidcac...@gmail.com wrote a message of 13 lines which said: How to create a stub zone instead of slave zone on BIND 9.3.4-P1.1? Read the documentation ? https://www.isc.org/software/bind/documentation/arm95 zone zone_name [class] {

Re: Zonefiles CIDR

2009-03-09 Thread Stephane Bortzmeyer
On Sun, Mar 08, 2009 at 10:20:26AM +, Stephen Ward stephen.usenet.w...@wibblywobblyteapot.co.uk wrote a message of 11 lines which said: Running BIND9 (someone kindly raped to get it to work on windows) but it does not seem to support CIDR ranges. Nothing to do with BIND, it is a

Re: dig error

2009-03-10 Thread Stephane Bortzmeyer
On Tue, Mar 10, 2009 at 05:57:31PM +0700, jittinan suwanrueangsri jittin...@gmail.com wrote a message of 254 lines which said: Dear sir Why sir? There are certainly ladies here, too. [r...@localhost ~]# dig @10.10.91.201 www.test.work +trace I believe that, when using, +trace, the server

Re: dnscap binaries

2009-03-10 Thread Stephane Bortzmeyer
On Tue, Mar 10, 2009 at 09:08:18AM -0400, Josh Smith juice...@gmail.com wrote a message of 21 lines which said: Also is it possible to analyze an existing pcap file with dnscap? Yes (it was apparently broken in some old versions of dnscap) % dnscap -g -r tmp/toto.pcap ... [52] 2009-03-10

Re: question about CNAME

2009-03-11 Thread Stephane Bortzmeyer
On Wed, Mar 11, 2009 at 03:46:14PM +0800, tzqian gelenbert...@gmail.com wrote a message of 148 lines which said: How can I config a zone to respond with a CNAME record? Such as Email cname email.xx.xxx.com Your message is very difficult to understand but you are close. Just do not forget

Re: question about CNAME

2009-03-12 Thread Stephane Bortzmeyer
On Thu, Mar 12, 2009 at 12:32:35PM +0800, tzq tang gelenbert...@gmail.com wrote a message of 132 lines which said: I think I should explain the question more clearly, You need first to learn about email. The superior to sign is here to *quote* what you respond to. Do not use it for your

Re: name server zone list

2009-04-06 Thread Stephane Bortzmeyer
On Fri, Apr 03, 2009 at 08:15:16AM -0500, Sandy Mackenzie sa...@masterclyde.ca wrote a message of 23 lines which said: I want to be able to produce a simple list of the zones on my DNS servers. There is work going on at the IETF on that subject. The requirements document is almost done:

Re: [DNSSEC] SERVFAIL when resolving .gov through DLV

2009-05-05 Thread Stephane Bortzmeyer
On Tue, May 05, 2009 at 01:45:40PM -0500, Jeremy C. Reed jeremy_r...@isc.org wrote a message of 6 lines which said: This is a BIND 9.5.1-P1, Debian package. It is configured to use ISC's DLV: https://www.isc.org/node/437 I was aware of this bug, but not that it apparently has not been

Re: [DNSSEC] SERVFAIL when resolving .gov through DLV

2009-05-05 Thread Stephane Bortzmeyer
On Tue, May 05, 2009 at 11:18:05PM +0200, Benedikt Gollatz b...@differentialschokolade.org wrote a message of 15 lines which said: It has. Well, most people do not track XXX-proposed-updates which is supposed to be a bit... untested. I just had lenny and security.debian.org/updates in my

Re: tcp versus udp

2009-05-06 Thread Stephane Bortzmeyer
On Wed, May 06, 2009 at 12:00:12AM -0400, Danny Mayer ma...@gis.net wrote a message of 39 lines which said: That's nonsense. That's Peter Dambier. If you try to fix every mistake he makes, you're not over soon... http://xkcd.com/386/

Re: host unreachable

2009-05-08 Thread Stephane Bortzmeyer
On Fri, May 08, 2009 at 11:22:59AM +0200, Kurt Petersen k...@ache.dk wrote a message of 17 lines which said: named[6379]: client x.x.x.x#59767: error sending response: host unreachable I can ping x.x.x.x so I'm confused. On today's Internet, ping is a poor connectivity test because most

Re: S-NAPTR and lightweight resolver

2009-05-09 Thread Stephane Bortzmeyer
On Sat, May 09, 2009 at 09:38:25AM +1000, Mark Andrews mark_andr...@isc.org wrote a message of 26 lines which said: It is up to the application to sort and process the returned records. But I suspect that this is precisely what the OP wanted (and expected BIND to do). Does

Re: glue record

2009-05-13 Thread Stephane Bortzmeyer
On Wed, May 13, 2009 at 11:46:29AM +0800, Tech W. tech...@yahoo.com.cn wrote a message of 14 lines which said: When an upper DNS returns a domain's authorised DNS server, will it also return the authorised DNS server's IP address? So glue record works this way? Why don't you test?

Re: glue record

2009-05-13 Thread Stephane Bortzmeyer
On Wed, May 13, 2009 at 03:37:19PM +0800, Tech W. tech...@yahoo.com.cn wrote a message of 39 lines which said: if I understand it correctly, gdpu.cn is not under b.dns.cn, True, but irrelevant. why b.dns.cn returns glues? Because the name servers of gdpu.cn are under gdpu.cn.

Re: glue record

2009-05-13 Thread Stephane Bortzmeyer
On Wed, May 13, 2009 at 09:04:07PM +0800, Tech W. tech...@yahoo.com.cn wrote a message of 13 lines which said: Remove the allow-update directive. But she is running the windows DNS server not Bind.. Then it is probably off-topic for this list.

Re: dig return values

2009-05-26 Thread Stephane Bortzmeyer
On Fri, May 22, 2009 at 03:15:56PM -0700, Scott Haneda talkli...@newgeo.com wrote a message of 32 lines which said: Does `dig` have return codes that I can use to make some form of automated tests? Not for everything. % dig +short SOA dummy.example echo Success Success % dig +short

RFC2317-style inverse resolution (Was: request for advice

2009-05-27 Thread Stephane Bortzmeyer
On Wed, May 27, 2009 at 11:15:37AM +0800, Myo Than mt...@iaspire.net wrote a message of 59 lines which said: Sirs, There are probably women on this list, also. 129 CNAME 129.128-159.137.166.203.in-addr.arpa. It seems OK. set type=ns 128-159.137.166.203.in-addr.arpa. nslookup has

Re: Doubts about BIND

2009-06-04 Thread Stephane Bortzmeyer
On Wed, Jun 03, 2009 at 12:42:28AM +0200, Christoph Weber-Fahr cwf...@arcor.de wrote a message of 29 lines which said: Does it even compile with current bind versions? Yes and it is even now officially included in BIND (starting from 9.4, I believe), no need to patch.

Re: DNSDigger.com - An announcement and request for feature tips.

2009-06-17 Thread Stephane Bortzmeyer
On Wed, Jun 17, 2009 at 02:19:22AM +0200, Jay Ess li...@netrogenic.com wrote a message of 19 lines which said: DNSDigger.com - A massive reverse resolver that lets you dig deeper into the Net. Congratulations. 2. To ask you for feature requests. IPv6 support is certainly the first thing

Re: Trouble With One Domain

2009-06-26 Thread Stephane Bortzmeyer
On Thu, Jun 25, 2009 at 11:07:06PM +0100, Andy Shellam andy-li...@networkmail.eu wrote a message of 13 lines which said: And not forgetting to change the master server in the SOA record from oxygen, as that server doesn't appear to be accepting DNS requests, which I believe is what's

Re: DNS MX timeouts

2009-06-26 Thread Stephane Bortzmeyer
On Fri, Jun 26, 2009 at 02:40:24PM -0500, Vernon A. Fort vf...@provident-solutions.com wrote a message of 31 lines which said: All versions of bind i have tried (in gentoo portage) have the same problem. Well, my personal dedicated server is a Gentoo using BIND as a resolver and I can say

Re: Trouble With One Domain

2009-06-26 Thread Stephane Bortzmeyer
On Fri, Jun 26, 2009 at 01:16:32PM -0500, bsfin...@anl.gov bsfin...@anl.gov wrote a message of 32 lines which said: If the zonecheck code is able to determine what the reason is, then it should give the reason. If you give only the domain name (not the name servers names and addresses),

Re: Bind9.3.5 or 6 on ubuntu

2009-06-27 Thread Stephane Bortzmeyer
On Fri, Jun 26, 2009 at 04:40:48PM -0500, Martin McCormick mar...@dc.cis.okstate.edu wrote a message of 36 lines which said: I read that it is best for them all to be the same version of bind. Strange assertion. this one needs to be like the rest rather than introducing new unknowns in

Re: domain name length

2009-06-30 Thread Stephane Bortzmeyer
On Mon, Jun 29, 2009 at 08:28:34PM -0500, Dan Letkeman danletke...@gmail.com wrote a message of 11 lines which said: Are there any issues with having domains like location.domain.com No. The limits are in RFC 1034, section 3.1. Each label is 63 characters maximum and the total length is 255

Re: Automating a KSK rollover

2009-07-06 Thread Stephane Bortzmeyer
On Sat, Jul 04, 2009 at 10:36:40PM -0700, Shane W shane-b...@csy.ca wrote a message of 18 lines which said: Is there some sort of standardized way as yet to communicate key changes to an upstream zone or in this case a lookaside provider? There is a standard registrar2registry interface, an

Re: Truncated, retrying in TCP on Reverse lookup

2009-07-10 Thread Stephane Bortzmeyer
On Thu, Jul 09, 2009 at 05:50:02AM -0700, Fr34k freaknet...@yahoo.com wrote a message of 119 lines which said: There should be one and only one PTR for that IP. No. No good reason for such restriction. $ host 196.7.126.38 From a machine with a proper Internet connection (i.e. no stupid

Re: DNSKEY Validation

2009-07-12 Thread Stephane Bortzmeyer
On Sun, Jul 12, 2009 at 08:42:27PM +0200, Mark Elkins m...@posix.co.za wrote a message of 31 lines which said: Arg 3 should be 5 (or maybe 3) - the algorithm. No, you must not use a hard-wired list in your code, because the list of algorithms registered at IANA can change. Can I

Re: Intermittent NXDOMAIN, Bind 9.2.3 config and PowerDNS problem?

2009-07-30 Thread Stephane Bortzmeyer
On Tue, Jul 28, 2009 at 10:40:53AM -0400, Richard Michael rmichael-bi...@edgeofthenet.org wrote a message of 60 lines which said: Indeed, lastminute.com's name servers are severely broken. By this, do you mean the SOA record in the response is incorrect? Yes. the SOA for their own

Re: Dig shows wrong ip

2009-07-30 Thread Stephane Bortzmeyer
On Tue, Jul 28, 2009 at 09:05:44PM +0100, Chris Thompson c...@cam.ac.uk wrote a message of 24 lines which said: This is the wretched glue promoted to answer bug (we can call it a bug by now, surely?) which we are assured that the GTLD servers will be cured of this year, next year, sometime,

Re: dnstop

2009-07-30 Thread Stephane Bortzmeyer
On Thu, Jul 30, 2009 at 10:15:42AM +0300, Alans batpowe...@yahoo.co.uk wrote a message of 141 lines which said: And in the table the first record in both Source and Destination is the local ip of the DNS server itself, is it fine? Yes, if you use both -Q and -R. If you use -Q (the

Re: NAMED.CONF.LOCAL

2009-09-04 Thread Stephane Bortzmeyer
On Fri, Sep 04, 2009 at 11:04:41AM +0200, ric.castell...@alice.it ric.castell...@alice.it wrote a message of 62 lines which said: 1- difference among named.conf and vs named.conf.local named.conf.local is a Debianism: using the ability of BIND to include config files from config files,

Re: NAMED.CONF.LOCAL

2009-09-04 Thread Stephane Bortzmeyer
On Fri, Sep 04, 2009 at 11:50:30AM +0200, ric.castell...@alice.it ric.castell...@alice.it wrote a message of 140 lines which said: I'd like having more info about for example db.0 file, if it's necessary to change it or it's standard file... No need to change it. Where can I find complete

Re: NAMED.CONF.LOCAL

2009-09-04 Thread Stephane Bortzmeyer
On Fri, Sep 04, 2009 at 12:11:30PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 16 lines which said: Where can I find complete documentation ? https://www.isc.org/software/bind/documentation/arm95 Or, offline, in the package bind9-doc

Re: root and in-addr.arpa zone transfers

2009-09-10 Thread Stephane Bortzmeyer
On Wed, Sep 09, 2009 at 08:23:23AM +0200, Michael Monnerie michael.monne...@is.it-management.at wrote a message of 54 lines which said: right now I'm using scripts to download root.zone and in-addr.arpa from internic.net. But this is a non-standard way, But a secure way since the files on

Re: root and in-addr.arpa zone transfers

2009-09-10 Thread Stephane Bortzmeyer
On Thu, Sep 10, 2009 at 12:31:45PM +0200, Michael Monnerie michael.monne...@is.it-management.at wrote a message of 70 lines which said: that's a clear statement, so I'll keep the ftp transfers. It would be better to drop them completely and to return to ordinary DNS resolution. What's the

Re: root and in-addr.arpa zone transfers

2009-09-14 Thread Stephane Bortzmeyer
On Fri, Sep 11, 2009 at 07:28:56AM +0200, Michael Monnerie michael.monne...@is.it-management.at wrote a message of 51 lines which said: Faster queries after a named restart. Reverse lookups faster too, good for the spam filters. Did you measure it or is it, like most claims X is faster,

Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-29 Thread Stephane Bortzmeyer
On Thu, Sep 24, 2009 at 07:16:35AM +1000, Mark Andrews ma...@isc.org wrote a message of 77 lines which said: It's a pity registries are not required to verify correct operation of the nameservers they are delegating to before accepting the delegation. Some do!

Re: Problem on CNAME configuration.

2009-10-05 Thread Stephane Bortzmeyer
On Mon, Oct 05, 2009 at 02:40:07PM +0200, Cyril Gaudin - Rodacom c.gau...@rodacom.fr wrote a message of 139 lines which said: Sorry in advance for my very bad english! There is a français mailing list: dns...@cru.fr And why there's a second request without the domain name? Wild guess: the

Re: Problem on CNAME configuration.

2009-10-06 Thread Stephane Bortzmeyer
On Mon, Oct 05, 2009 at 04:41:24PM +0200, Cyril Gaudin - Rodacom c.gau...@rodacom.fr wrote a message of 72 lines which said: Maybe squid didn't append domainname in the dns request? squid.conf: # TAG: append_domain # Appends local domain name to hostnames without any dots in #

Re: Can I have a *.domain.com A record

2009-10-26 Thread Stephane Bortzmeyer
On Mon, Oct 26, 2009 at 04:01:31PM +0530, ram r...@netcore.co.in wrote a message of 10 lines which said: Is it possible to have an A record for *.domain.com Technically, yes. It is a very bad idea, but it works. I know *.domain records work for MX records, not sure whether they work for A

Re: Can I have a *.domain.com A record

2009-10-26 Thread Stephane Bortzmeyer
On Mon, Oct 26, 2009 at 05:47:57PM +0530, ram r...@netcore.co.in wrote a message of 20 lines which said: If wildcard DNS is a bad idea, Wildcards *address* records (A and ), not all wildcards. See http://www.icann.org/committees/security/ssac-report-09jul04.pdf or

Re: ISC BIND 9.7.0b1 is now available

2009-10-28 Thread Stephane Bortzmeyer
On Tue, Oct 20, 2009 at 08:29:20PM +, Evan Hunt e...@isc.org wrote a message of 836 lines which said: BIND 9.7.0b1 is now available. Apparently, support for the new algorithms RSASHA256 and RSASHA512 is not included? Is it planned for 9.7 or shall I wait 9.8? %

Re: ISC BIND 9.7.0b1 is now available

2009-10-28 Thread Stephane Bortzmeyer
On Wed, Oct 28, 2009 at 03:17:54PM +, Chris Thompson c...@cam.ac.uk wrote a message of 13 lines which said: You aren't going to wait for the RFC? It is in AUTH48 (the last step before publication, theoretically meaning that the people involved have 48 h to make remarks). After all,

Re: ISC BIND 9.7.0b1 is now available

2009-10-29 Thread Stephane Bortzmeyer
On Tue, Oct 20, 2009 at 08:29:20PM +, Evan Hunt e...@isc.org wrote a message of 836 lines which said: - Support for RFC 5011 automated trust anchor maintenance (see README.rfc5011 for additional details). Seems to work fine, thanks. With: managed-keys { se.

Re: Bind sometimes SERVFAIL

2009-11-11 Thread Stephane Bortzmeyer
On Wed, Nov 11, 2009 at 01:27:30PM +0200, Jukka Pakkanen jukka.pakka...@qnet.fi wrote a message of 94 lines which said: I just saw the same thing: There are no less than *four* CNAMEs to resolve to get to the result, while even two is discouraged. It is not surprising that it may fail with

Re: System Resolver Test App?

2009-11-11 Thread Stephane Bortzmeyer
On Wed, Nov 11, 2009 at 05:00:03PM -0600, da...@from525.com da...@from525.com wrote a message of 60 lines which said: I am basically trying to understand why the system resolver was getting stuck on the third entry within the resolv.conf while it should have tried one of the first two

Re: System Resolver Test App?

2009-11-11 Thread Stephane Bortzmeyer
On Wed, Nov 11, 2009 at 07:44:05PM -0500, Barry Margolin bar...@alum.mit.edu wrote a message of 27 lines which said: I'm not sure if there is one, but it should be pretty easy to write a program that calls res_query(). But this calls directly the DNS. The OP wanted something which called

Re: System Resolver Test App?

2009-11-11 Thread Stephane Bortzmeyer
On Wed, Nov 11, 2009 at 05:00:03PM -0600, da...@from525.com da...@from525.com wrote a message of 60 lines which said: I am wondering if anyone knows of an app similar to nslookup or dig that actually uses the system resolver. C source attached. Compile, for instance, with: gcc -o

Re: System Resolver Test App?

2009-11-11 Thread Stephane Bortzmeyer
On Wed, Nov 11, 2009 at 08:14:02PM -0500, Barry Margolin bar...@alum.mit.edu wrote a message of 24 lines which said: If you just want to do a hostname lookup, you can use practically any network application, e.g. ping. It gives you less information than the program I posted. 1) On typical

Re: Non English Domain names

2009-11-18 Thread Stephane Bortzmeyer
On Wed, Nov 18, 2009 at 04:38:22PM +0300, Alans batpowe...@yahoo.co.uk wrote a message of 141 lines which said: I know this is a little bit off topic but I would like to know how BIND will handle non English domain names? Non-English domain names? What's that? Is coca-cola.com an English

Re: Non English Domain names

2009-11-18 Thread Stephane Bortzmeyer
On Wed, Nov 18, 2009 at 03:36:56PM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 25 lines which said: If you are talking about IDN (Internationalized Domain Names), domain names in Unicode, the way they are specified, they don't require a change in the name servers, so

BIND does not listen at all when the interface is temporarily down (only with IPv6)

2009-11-18 Thread Stephane Bortzmeyer
When I listen on one specific address: listen-on-v6 { 2001:db8::53;}; If the interface is not UP at the time BIND starts, and therefore this IP address not local, BIND does not listen: 18-Nov-2009 17:31:24.588 not listening on any interfaces and does not resume if the interface becomes UP

Re: Insecure response BIND 9.7.0b2

2009-11-20 Thread Stephane Bortzmeyer
On Fri, Nov 20, 2009 at 09:27:35AM +1100, Mark Andrews ma...@isc.org wrote a message of 34 lines which said: There are also firewalls that block DNS/UDP responses bigger 512 bytes or block EDNS queries/responses 10 years after the introduction of EDNS. There are also middleware that

Re: manage large dns record

2009-11-20 Thread Stephane Bortzmeyer
On Thu, Nov 19, 2009 at 03:40:32PM +0700, Sokvantha YOUK sokvan...@gmail.com wrote a message of 44 lines which said: Could you advise me what is the good way to manage large dns record in zone file? You mean a large number of records, not a large single record? I'm using bind v9,

Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

2009-12-15 Thread Stephane Bortzmeyer
On Mon, Dec 14, 2009 at 08:05:40PM -0800, Doug Barton do...@dougbarton.us wrote a message of 44 lines which said: While this reminder is timely and helpful, more welcome would be the news that BIND 9.6.2 is going to have actual support for RSASHA{256|512}. No, it won't. Migrating to =

Re: Host/nslookup/dig queries wrong server

2010-02-03 Thread Stephane Bortzmeyer
On Wed, Feb 03, 2010 at 11:42:19AM -, Duncan Berriman dun...@dcl.co.uk wrote a message of 75 lines which said: How do I check which one it is? I can't see any option to tell me. which host rpm -q -f `which host`

Update returns FORMERR: ran out of space

2010-02-23 Thread Stephane Bortzmeyer
Trying to add/delete DNSSEC keys with dynamic update (first time I try that), the nsupdate client gets a FORMERR and BIND logs: Feb 23 14:53:24 jezabel named[10174]: client ::1#29411: updating zone 'bortzmeyer.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space I checked the disk space

Re: nsec3 in bind 9.7

2010-02-23 Thread Stephane Bortzmeyer
On Sat, Feb 20, 2010 at 12:31:38AM +, Evan Hunt e...@isc.org wrote a message of 36 lines which said: To answer the question, those values are the NSEC3PARAM data for the zone, as defined in RFC 5155. [...] flags of 1 means opt-out and 0 means no opt-out; It is not exactly what the RFC

Re: Scripts for zsk rollover in 9.7

2010-02-23 Thread Stephane Bortzmeyer
On Sat, Feb 20, 2010 at 09:15:23PM +, Evan Hunt e...@isc.org wrote a message of 22 lines which said: We have plans to improve this in 9.7.x (where x probably equals 1) in a couple of ways: first, by making it possible to assign each key an explicit successor key and warn the user if a

Re: no hostname become unresolvable.

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 10:41:37PM +0800, Cefull Lo cef...@gmail.com wrote a message of 89 lines which said: But when I try to ping the server without hostname, [Technicality: there *is* a hostname, superease.net *is* an hostname.] Here the zone file There is no A or record for @

Re: no hostname become unresolvable.

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 09:50:29AM -0500, Lightner, Jeff jlight...@water.com wrote a message of 66 lines which said: superease.net. IN A 202.68.195.36 ... The dot is important Using @ would be simpler and would allow the zone file to be used for other zones as well.

Re: Differences between 9.3 and later versions

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 09:53:37AM -0500, jcarrol...@cfl.rr.com jcarrol...@cfl.rr.com wrote a message of 9 lines which said: However, whenever someone tries to nslookup (or dig) an external site (i.e. cnn.com) they get REFUSED. If I back down to the 9.3 version all is well. allow-query and

Cannot use dnssec-settime with old keys

2010-02-23 Thread Stephane Bortzmeyer
I try to play with the new toy, DNSSEC timing meta-data in key files. % dnssec-settime -v 3 Ktoto.fr.+008+42555 dnssec-settime: fatal: Key toto.fr/RSASHA256/42555 has incompatible format version 1.2, use -f to force upgrade to new version. OK, I upgrade: % dnssec-settime -v 3 -f

Re: Update returns FORMERR: ran out of space

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 02:56:15PM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 17 lines which said: Trying to add/delete DNSSEC keys with dynamic update (first time I try that), the nsupdate client gets a FORMERR and BIND logs: Some details: * I use NSEC3 with opt-out

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 07:28:48PM -0800, Michael Sinatra mich...@rancid.berkeley.edu wrote a message of 34 lines which said: While I think the OpenDNS people (especially David U., their founder) have a huge amount of clue, I think they're barking up the wrong tree here. On the other hand,

Re: Blacklisting private address range

2010-02-24 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 09:56:55PM -0500, Diosney Sarmiento Herrera diosne...@gmail.com wrote a message of 20 lines which said: Have any sense to blacklist the private address ranges on a server that is facing Internet? I am not sure I parse your sentence correctly but may be you refer to

Re: Modifying a response

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 01:28:09PM +0300, Peter Andreev andreev.pe...@gmail.com wrote a message of 31 lines which said: Is it possible to modify responses on caching server side? Not with BIND (short of modifying the source code). Other name servers may do it

Re: Update returns FORMERR: ran out of space

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 10:18:31AM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 39 lines which said: With 'severity debug 30', all I get is: And, for a successful dynamic update (it works with A records): 24-Feb-2010 14:31:44.803 update: debug 8: client ::1#13202

Re: Update returns FORMERR: ran out of space

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 10:18:31AM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 39 lines which said: 24-Feb-2010 10:17:01.057 update: error: client ::1#45986: updating zone 'toto.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space Adding a fair amount of debugging

Re: Modifying a response

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 11:37:29AM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 18 lines which said: Other name servers may do it http://www.unbound.net/documentation/pythonmod/index.html http://www.unbound.net/documentation/pythonmod/examples/example3.html

Re: Update returns FORMERR: ran out of space

2010-02-25 Thread Stephane Bortzmeyer
On Thu, Feb 25, 2010 at 10:02:45AM +1100, Mark Andrews ma...@isc.org wrote a message of 68 lines which said: Try this patch. It resets the scratch space 'data' used by dns_dnssec_sign(). It works fine. Many thanks. Sending update to ::1#8053 Outgoing update query: ;; -HEADER- opcode:

Re: Cannot use dnssec-settime with old keys

2010-02-25 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 05:54:01PM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 18 lines which said: OK, I upgrade: % dnssec-settime -v 3 -f Ktoto.fr.+008+42555 dnssec-settime: toto.fr/RSASHA256/42555 But it changed nothing, ls -l shows that the file did not change

Re: Cannot use dnssec-settime with old keys

2010-02-25 Thread Stephane Bortzmeyer
On Thu, Feb 25, 2010 at 10:47:58AM +0100, Hauke Lampe list+bindus...@hauke-lampe.de wrote a message of 55 lines which said: For example, try: dnssec-settime -P+0 -A+0 -f -v 3 Ktoto.fr.+008+42555 OK, it works, thanks.

Re: Question about dig command

2010-02-25 Thread Stephane Bortzmeyer
On Thu, Feb 25, 2010 at 10:58:49AM -0500, Khuu, Linh MicroTech linh.k...@ssa.gov wrote a message of 54 lines which said: client ::1#33086: query (cache) 'dnssec12.datamtn.com//IN' denied Then I switched to use the "dig" command from 9.4.1-P1 to query the same record, I got

Re: SERVFAIL for some domains on some servers

2010-03-01 Thread Stephane Bortzmeyer
On Sat, Feb 27, 2010 at 06:51:44PM +0100, Oliver Henriot oliver.henr...@imag.fr wrote a message of 104 lines which said: but my computing skills are scarce and I still have a lot to learn. For instance, that you should always use real names

NSEC3 records not available through a BIND resolver = 9.5?

2010-03-17 Thread Stephane Bortzmeyer
I cannot get the NSEC3 records through a BIND resolver if it is version = 9.5: % dig +dnssec jhfgTCFGD564564.org ; DiG 9.5.1-P3 +dnssec @dnssec.generic-nic.net jhfgTCFGD564564.org ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY,
