Re: caching problems with bind 9.4.3

2009-11-20 Thread Warren Kumari
You haven't provided very much detail (e.g: example domains, your nameservers, config files, versions, dig +trace output, etc), but from first glance it sounds like your secondaries are not updating until you restart named. When you query a random nameserver there is a 50/50 chance (ok,

Re: mysql backend

2010-02-07 Thread Warren Kumari
On Feb 7, 2010, at 4:00 AM, fddi wrote: Hello, is anyone using a mysql backend for bind9 ? how to setup it ? http://lmgtfy.com/?q=mysql+backend+for+bind9 thanks Rick ___ bind-users mailing list bind-users@lists.isc.org

Re: Blacklisting private address range

2010-02-24 Thread Warren Kumari
On Feb 24, 2010, at 11:23 AM, Tony Finch wrote: On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote: On Tue, Feb 23, 2010 at 09:56:55PM -0500, Diosney Sarmiento Herrera diosne...@gmail.com wrote: Have any sense to blacklist the private address ranges on a server that is facing Internet? I am

Re: DNSSEC HW Support

2010-03-16 Thread Warren Kumari
On Mar 16, 2010, at 11:39 AM, Niobos wrote: On 2010-03-16 15:57, prock...@yahoo.com wrote: I'm trying to figure out how many tests I need to run for an individual product (layer 2, 3, 4, and 7) before I can say it is completely DNSSEC compliant. By definition, any layer 2, 3 and 4 product is

Re: PTR format question

2010-03-21 Thread Warren Kumari
On Mar 21, 2010, at 2:22 AM, Barry Margolin wrote: In article mailman.897.1269129914.21153.bind-us...@lists.isc.org, groups gro...@obsd.us wrote: I did not know there were MACROs available.. as I just inherited this legacy system less than one month ago.. There aren't macros, just one

Re: Error fetching SOA

2010-03-21 Thread Warren Kumari
On Mar 21, 2010, at 11:21 AM, michael peters wrote: Is it a problem to get a message from a DNS checking tool that indicates Error fetching SOA from ns1.example.com? Both of my external BIND 9.6.1 servers respond the same way and I'm assuming that I need to add something to my

Re: Error fetching SOA

2010-03-21 Thread Warren Kumari
38400 ) @ IN NS castor.lazarusalliance.com. 115 IN PTR castor.lazarusalliance.com. 116 IN PTR pollux.lazarusalliance.com. 118 IN PTR lazarusalliance.com. On Sun, Mar 21, 2010 at 2:02 PM, Warren Kumari war...@kumari.net wrote

Re: rndc: unsupported algorithm:

2010-03-30 Thread Warren Kumari
Try add this: options { default-key feld-server.feldland.lan.; default-server 127.0.0.1; default-port 953; }; On Mar 30, 2010, at 4:05 PM, Markus Feldmann wrote: I changed my key to key feld-server.feldland.lan. { algorithm hmac-md5; secret

Re: Load Balancer for DNS

2010-04-05 Thread Warren Kumari
On Apr 5, 2010, at 2:06 AM, sasa sasa wrote: Hello everyone, Any one used any load balancer for DNSs? any recommendation? it's 2 caching-only DNSs, and I'd like to make a load balance between them using software. They all suck, some just seem to suck less than others -- the Foundry

Re: Bind Clustering

2010-04-08 Thread Warren Kumari
On Apr 8, 2010, at 10:52 AM, Stephane Bortzmeyer wrote: On Thu, Apr 08, 2010 at 09:46:04AM -0500, Michael Hare michael.h...@doit.wisc.edu wrote a message of 29 lines which said: Doesn't DDNS rely on a single SOA? If so, is there a best practice on how to deal with this? Are you sure the

Re: rndc usage question

2010-04-12 Thread Warren Kumari
On Apr 12, 2010, at 1:58 PM, Sergiu Bivol wrote: Hi, We need to use rndc commands on a zone in a view with a name containing spaces. For example: sed 's/ /_/g' ?! rndc freeze test.zone.com My Default View So far we were unable to execute a command with such a view name. We tried

Re: Question about message your system is lacking dev/random (or equivalent)

2010-04-13 Thread Warren Kumari
On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote: I just turned on the dnssec-validation today, and I saw lots of messages: 13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use

Re: Question about message your system is lacking dev/random (or equivalent)

2010-04-19 Thread Warren Kumari
Message- From: Warren Kumari [mailto:war...@kumari.net] Sent: Tuesday, April 13, 2010 3:43 PM To: Khuu, Linh MicroTech Cc: 'bind-users@lists.isc.org' Subject: Re: Question about message your system is lacking dev/ random (or equivalent) On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote: I

Re: dig +trace to find all the forwarders?

2010-04-25 Thread Warren Kumari
On Apr 25, 2010, at 12:01 AM, Josh Kuo wrote: You need administrative access to see the overrides to the normal resolution process. Just so I understand this completely, by administrative access you mean I need to be able to log in to each of the resolvers (not administrative access on

Re: dig +trace to find all the forwarders?

2010-04-26 Thread Warren Kumari
think so, and Mark confirmed it. On Sunday, April 25, 2010, Warren Kumari war...@kumari.net wrote: On Apr 25, 2010, at 12:01 AM, Josh Kuo wrote: You need administrative access to see the overrides to the normal resolution process. Just so I understand this completely, by administrative access

Re: dig +trace to find all the forwarders?

2010-04-26 Thread Warren Kumari
also your resolver? Can you check by just going to www.damia.com (or whatismyip.com or ipchicken.com or sshing into something and looking what your source is or or or...) W -Original Message- From: Warren Kumari [mailto:war...@kumari.net] Sent: Monday, April 26, 2010 2:20 PM

Re: dig +trace to find all the forwarders?

2010-04-26 Thread Warren Kumari
my my ISP (Verizon), and www.damia.com reports that my IP is: 71.114.43.183 (which it is!) and that the resolver I am using is: 71.252.0.36. Anyway, this has wandered offtopic. W -Original Message- From: Warren Kumari [mailto:war...@kumari.net] Sent: Monday, April 26, 2010 3:14

Re: dig +trace to find all the forwarders?

2010-04-27 Thread Warren Kumari
On Apr 27, 2010, at 12:50 AM, Barry Margolin wrote: In article mailman.1278.1272292131.21153.bind-us...@lists.isc.org, Warren Kumari war...@kumari.net wrote: On Apr 26, 2010, at 3:10 AM, Josh Kuo wrote: What is happening is I suspect the DNS resolved IP given by my ISP is actually

Re: DNSSEC

2010-05-05 Thread Warren Kumari
On May 4, 2010, at 11:01 AM, Linux Addict wrote: On Tue, May 4, 2010 at 10:43 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote: On Tue, May 04, 2010 at 10:27:25AM -0400, Linux Addict linuxaddi...@gmail.com wrote a message of 89 lines which said: lacks EDNS, defaults to 512 DNS reply size

Re: UAE punycode in zone

2010-05-09 Thread Warren Kumari
I am *so* not an IDN person (although I did follow the IDNA WG for a while), but I *believe* that the process is just to convert the native UTF8 representation (تامايدوجان.سى) to punycode (xn--mgbaajmr6mmaps.xn--ygb8b). There are a bunch of tools that will do this for you, I suspect that

Re: UAE punycode in zone

2010-05-10 Thread Warren Kumari
On May 10, 2010, at 6:48 PM, Michelle Konzack wrote: Hello Chris Hills, On 2010-05-10 09:02:35, you hacked down the following: I sent a request to isc for a new option in dig, enabled by default:- +[no]idn automatically convert input to IDN So entering:- dig تامايدوجان.سى would give

Re: synchronization between maste and slave no working

2010-05-25 Thread Warren Kumari
On May 25, 2010, at 9:57 PM, Yunfeng Xu wrote: Hi, all I tried to add one A record on the master, but the slave did not get the new record. my slave setting is: zone mydomain.com.cn IN { type slave; file mydomain.com.cn.zone; masters {10.69.3.1;}; }; 10.69.3.1

Re: max-cache-size query

2010-06-01 Thread Warren Kumari
One obvious solution to keeping the firewall guys happy would just be to make them not burn state entries for the nameserver at all Firewalls in front of nameservers cause an ungodly amount of issues for no real benefit... Just sayin'... W On Jun 1, 2010, at 8:35 AM, Techi wrote:

Re: bind-users Digest, Vol 538, Issue 1

2010-06-07 Thread Warren Kumari
wkum...@lisa:~$ man dnssec-signzone [SNIP] -N soa-serial-format The SOA serial number format of the signed zone. Possible formats are keep (default), increment and unixtime. keep Do not modify the SOA serial number.

Re: error: isc_socket_create: fcntl/reserved: Too many open files

2010-06-07 Thread Warren Kumari
On Jun 7, 2010, at 12:44 PM, kebba.f...@qcell.gm wrote: Hi list, i keep having this error repeatedly on my bind 9.5.1-P3 and it crash my server am using debian lenny 5.0 and there is not upgrade for bind on their repository. Install BIND from source -- it's not hard and you'll end up

Re: disable dnssec in bind resolver

2010-06-08 Thread Warren Kumari
On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote: Thanks @all, sorry i was out of office yesterday. I'll discuss the issue this week on the german Linux Tag in Berlin. What your meaning off firewalls, who looks into packets and block them if the filter don´t know a flag. Some high security

Re: why dig +trace does not working?

2010-06-12 Thread Warren Kumari
So not awake, may be crazy... wkum...@xxx~$ dig @ns1.dns-diy.com 35.com ; <<>> DiG 9.4.2-P2.1 <<>> @ns1.dns-diy.com 35.com ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3253 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0,

Re: Upgrade path?

2010-06-13 Thread Warren Kumari
Warren Kumari -- Please excuse typing, etc -- This was sent from a device with a tiny keyboard. On Jun 13, 2010, at 9:15 AM, sasa sasa sasasa20...@yahoo.com wrote: Hi list, Is it ok to upgrade from 9.4.2 to 9.7.0-P2 directly? Yup, no worries... i mean i already have 9.4.2, i

TSIG / SIG0 / something for securing stub - recursive server.

2010-06-14 Thread Warren Kumari
Hi all, I'm not sure if I'm just missing something obvious, but I haven't figured out a clean way to accomplish this. For various reasons I would like to be able to query my own nameserver while traveling -- I don't want to make it an open recursive, so I figured I should just be able to

Re: problems resolving domains unser NSxx.DOMAINCONTROL.COM - this problem i have too! :(((((

2010-06-23 Thread Warren Kumari
On Jun 23, 2010, at 2:41 PM, Torsten wrote: On Wed, 23 Jun 2010 11:01:29 +0200, Erwin Lansing er...@freebsd.org wrote: On Wed, Jun 23, 2010 at 05:51:24PM +1000, Mark Andrews wrote: In message aanlktinjqorplnyqj5tso2tdwlt_ropzdmrymoiph...@mail.gmail.com, Piff writes: Mark, more than once

Re: How can I fake a part of domain?

2010-06-23 Thread Warren Kumari
On Jun 23, 2010, at 11:06 PM, Peter Macko wrote: How can I fake a part of domain? Explanation of what I mean: - There is example.com domain somewhere on internet (not under my control) that contains: www.example.com IP: 1.2.3.4 www2.example.com ...IP: 11.22.33.44

Re: Can't get hints or outside resolution.

2010-07-08 Thread Warren Kumari
On Jul 8, 2010, at 3:42 PM, Peter Laws wrote: BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 From the host itself, a slave for all my zones, I can resolve all my zones. I cannot, however, resolve anything else. For example, if I dig google.com I get a timeout. Further, if I do a blank dig, I

Re: USADOTGOV.NET Root Problems?

2010-07-24 Thread Warren Kumari
On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote: On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote: Thanks for the confirmation that the problem was related to DNSSEC. I didn't see your message until I got home from work; however, I did find the root of the problem late this afternoon.

Re: USADOTGOV.NET Root Problems?

2010-07-25 Thread Warren Kumari
On Jul 25, 2010, at 4:33 AM, Danny Mayer wrote: On 7/24/2010 5:10 AM, Warren Kumari wrote: On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote: On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote: Thanks for the confirmation that the problem was related to DNSSEC. I didn't see your

Re: My ISP's private address space has dns entries available on the public net , is this right ?

2010-08-10 Thread Warren Kumari
On Aug 10, 2010, at 11:01 AM, Matus UHLAR - fantomas wrote: On 09.08.10 20:09, donovan jeffrey j wrote: my isp has some private address space which has dns resolution and can be queried from the outside world. I asked them about this because we use this private address space and it is

Re: I get No mail exchanger (MX) records available for rimm.com error just for a couple of domains

2010-08-19 Thread Warren Kumari
On Aug 19, 2010, at 2:17 PM, Samad Agha wrote: #nslookup set query=mx rimm.com *** No mail exchanger (MX) records available for rimm.com Obviously Rimm's DNS cannot be down! What gives? Any ideas? A: Why obviously? B: Who is rimm.com? Methinks that you mean rim.com, the blackberry

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-21 Thread Warren Kumari
On Sep 21, 2010, at 10:14 PM, Doug Barton wrote: On 9/21/2010 7:46 AM, Kalman Feher wrote: It may well be analogous to that (though I disagree), but the quote does not substantiate why knowing public information is bad. In the example above, you've simply saved your switchboard and the

Re: DNS resolution based on source network

2010-09-27 Thread Warren Kumari
On Sep 27, 2010, at 9:00 AM, Thomas Elsgaard wrote: Hello Is it possible with BIND, to resolve the same name (like test.gl) to different IP's based on the source network of the request? Here is an example A machine in network 10.3.0.0/16 is contacting DNS to lookup test.gl, DNS returns -

Re: Is 10.in-addr.arpa not recommended?

2010-09-27 Thread Warren Kumari
On Sep 27, 2010, at 6:55 PM, Sten Carlsen wrote: While a single zone is perfectly fine from a standards point of view, some clients might be served addresses they don't like 10.x.x.0 and 10.x.x.255. But that would be DHCP config, no? Just a reminder that this could be a reason if

Re: AXFR partially timed out

2010-10-07 Thread Warren Kumari
Warren Kumari -- Please excuse typing, etc -- This was sent from a device with a tiny keyboard. On Oct 7, 2010, at 1:55 AM, Beat Jucker b...@juckers.ch wrote: Hello BIND users I have a very strange problem with AXFR. We are using a master and a secondary DNS Server with an internal

Re: DIG Source IP

2010-12-09 Thread Warren Kumari
On Dec 9, 2010, at 9:51 AM, John Williams wrote: If I have a Linux host with multiple IP's, is there a way to utilize the DIG command such that the query appears like it's coming from different IP addresses? So If I have 10 virtual IP's, is there a way to control the source IP of the

Re: vulnerability of bind

2010-12-14 Thread Warren Kumari
A question like this comes along every few weeks Just download the latest bind source from: http://www.isc.org/software/bind , configure, make, make test, install. This is my cheat sheet (I do this every few months on ~10 servers -- I keep meaning to set up a puppet / similar script to

Re: Tracing Response Packets at the Querying Server

2011-01-13 Thread Warren Kumari
On Jan 13, 2011, at 12:08 PM, Barry Finkel wrote: I am running bind-9.7.2-P3, and I am having a problem with BIND or the network or the Ubuntu operating system. I send a DNS query from one of my DNS servers to another of my DNS servers. I see in a tshark trace that the reply packet is

Re: Clarification on wildcard scenario

2011-01-31 Thread Warren Kumari
I must admit, I'm kinda confused by what you are actually trying to achieve ?A foo.joshfeb1.com. should be getting returning 1.1.1.1 ?A www.joshfeb1.com. should be returning noerror / nodata because: 1: There is a record at www.joshfeb1.com (so it's not NXDOMAIN), but 2: the record is not an

Re: Akadns and Bind

2011-02-04 Thread Warren Kumari
On Feb 4, 2011, at 1:11 PM, Chris Buxton wrote: +trace does not do what you think it does. It does not query the target name server for each successive query. Rather, it causes the 'dig' command to perform recursion on its own, only using the indicated server (@server) to seed its root

Re: A query on dynamic dns through bind 9

2011-02-08 Thread Warren Kumari
On Feb 8, 2011, at 10:56 AM, Nikhil Joshi wrote: Hello, Can any one tell how can I provide a ip dynamically to a DNS query ? In other words, I want the ip to be dynamic and the program should be able to determine it based on a criteria (which varies with runtime ie.dynamic). Sorry, but you

Re: multi-master with mysql backend

2011-02-08 Thread Warren Kumari
On Feb 8, 2011, at 10:47 AM, fddi wrote: I need really something very simple: I have 2 domain name servers, I need them to be multi-master Please explain -- *why* do you need multimaster? so I will put a mysql instance on each one, the two mysql servers in sync whith each other.

Re: multi-master with mysql backend

2011-02-14 Thread Warren Kumari
On Feb 14, 2011, at 12:54 PM, Torinthiel wrote: On 2011-02-14 15:52, Mike Mitchell wrote: I'd keep two copies of the BIND config, one that has all the zones as master, and one that has all the zones as slave. When the master dies, run a little script on a slave that freezes the

Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

2011-02-23 Thread Warren Kumari
In PIX versions 6.3.2 and below you had to do: fixup protocol dns maximum-length 4096 In later versions you need: policy-map type inspect dns preset_dns_map parameters message-length maximum 4096 or to increase the response size length: policy-map global_policy class inspection_default

Re: Help with unresolvable domain (subdomain, actually)

2011-03-02 Thread Warren Kumari
On Mar 1, 2011, at 5:27 PM, Kevin Darcy wrote: See my other post. This is designed-in behavior for Cisco GSSes, since there is no service unavailable, try again later RCODE. Yes[0]. W [0]: there is no service unavailable, try again later RCODE.

Re: Help with unresolvable domain (subdomain, actually)

2011-03-02 Thread Warren Kumari
On Mar 2, 2011, at 1:20 PM, Kevin Darcy wrote: On 3/2/2011 10:34 AM, David Sparro wrote: On 3/1/2011 5:27 PM, Kevin Darcy wrote: See my other post. This is designed-in behavior for Cisco GSSes, since there is no service unavailable, try again later RCODE. When the question is what is

Re: Help with unresolvable domain (subdomain, actually)

2011-03-02 Thread Warren Kumari
On Mar 2, 2011, at 1:21 PM, Mike Bernhardt wrote: What's really strange is that when we attempt a query, be it DIG or an attempt to browse tools.cisco.com, they send some sort of query back to us from/to UDP 53 Many GSLB solutions attempt to figure out what the best location to serve

Re: dig result whiout ADDITIONAL SECTION,why?

2011-03-02 Thread Warren Kumari
On Mar 2, 2011, at 8:49 PM, ShanyiWan wrote: bind-dlz (BDB as backend) [root@flyinweb ~]# dig @ns1.dnssafe.cn www.djytest.com ; <<>> DiG 9.7.0-P2 <<>> @ns1.dnssafe.cn www.djytest.com ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status:

Re: Having trouble with logging syntax

2011-03-03 Thread Warren Kumari
On Mar 3, 2011, at 3:30 PM, Nate Homier wrote: I got my logging setup but named-checkconf is spitting out an error. $named-checkconf /home/nate/named.conf.local /home/nate/named.conf.local:11: missing ';' before '3' /home/nate/named.conf.local:11: unknown option '3' I'm pretty sure we don't

Re: dots in hostnames problem

2011-03-09 Thread Warren Kumari
On Mar 9, 2011, at 1:09 PM, Matt Rae wrote: Hi, I'm working on setting up a slave dns server. Dots have historically been used in the hostnames here. The dots cause the resulting zone file from a zone transfer to have $ORIGIN automatically set assuming the dots are indicating a subdomain.

Re: RHEL5 BIND in PROD

2011-03-15 Thread Warren Kumari
So, how many servers are you talking about? After having tried to use the distribution supplied packages (for multiple distributions) my opinion is that building from source is the right answer for BIND. The distributions lag more than I'm comfortable with, and BIND builds cleanly from source

Re: Need help to know about ROOT DNS query

2011-03-17 Thread Warren Kumari
Nah, that's fine (and normal). BIND comes configured with the roots so that it can start resolution. I guess I don't fully understand your concern here -- is it that you are worried that the root might see queries and so know your internal hostnames? W Warren Kumari -- Please excuse

Re: Need help on DNS reporter

2011-03-20 Thread Warren Kumari
Enable query logging, then: cat queries.log | grep 'query: example.com' | awk '{print $6}' | sed 's/#.*//' | sort -n | uniq -c | sort -rn | head -100 | more or something similar? W On Mar 20, 2011, at 10:09 AM, babu dheen wrote: Hi, I am getting below status on this command.. Only

Re: priority with A record?

2011-04-05 Thread Warren Kumari
On Apr 5, 2011, at 8:23 AM, iharrathi@orange-ftgroup.com wrote: Hi, can i make priority on a A or NS record? Since with round robin if i put the same record record 2 or 3 time, Bind ignore the duplicates Records, means this: wikipedia NS ns2.wikimedia.org. wikipedia

Re: An Invitation to Neuroscientists and Physicists: Singapore Citizen Mr. Teo En Ming (Zhang Enming) Reports First Hand Account of Mind Intrusion and Mind Reading

2011-05-17 Thread Warren Kumari
On May 17, 2011, at 1:17 PM, Michelle Konzack wrote: 69th Spam/Mailinglist (I am subscribed to 137 lists) How is it possible, this guy is spamming at least 69 mailinglists where most are subscriber only? Um, maybe his claims are true -- if Mind Intrusion exists and works well, its it

Re: An Invitation to Neuroscientists and Physicists: Singapore Citizen Mr. Teo En Ming (Zhang Enming) Reports First Hand Account of Mind Intrusion and Mind Reading

2011-05-17 Thread Warren Kumari
On May 17, 2011, at 3:11 PM, David Miller wrote: On 5/17/2011 2:07 PM, Warren Kumari wrote: On May 17, 2011, at 1:17 PM, Michelle Konzack wrote: 69th Spam/Mailinglist (I am subscribed to 137 lists) How is it possible, this guy is spamming at least 69 mailinglists where most

Re: Deny MX query

2011-05-24 Thread Warren Kumari
On May 24, 2011, at 1:55 PM, Igor da Silva Cagnin wrote: Hi list, I have a doubt about queries, as fact I’d like to deny just queries type MX. Other queries types must be available. Is it possible? Yes. 1: Don't list the MX record in your zone. or 2: Have multiple views, one with MX

Re: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Warren Kumari
On May 24, 2011, at 2:28 PM, Lightner, Jeff wrote: Is anyone else seeing odd results with news.google.com? My BIND 9 master and slave are getting different results. Presumably your slave and master are in different subnets? Google (and many other large networks) perform geolocation and

Re: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Warren Kumari
I'd be getting separate location specific IPs handed to the two servers. -Original Message- From: Warren Kumari [mailto:war...@kumari.net] Sent: Tuesday, May 24, 2011 4:06 PM To: Lightner, Jeff Cc: bind-users@lists.isc.org Subject: Re: Getting different name resolution

Re: DNS Racing -Multi ISP load balancing with failover using DNS.

2011-05-29 Thread Warren Kumari
Warren Kumari -- Please excuse typing, etc -- This was sent from a device with a tiny keyboard. On May 29, 2011, at 5:52 PM, Alan Clegg acl...@isc.org wrote: On 5/29/2011 5:12 PM, Maren S. Leizaola wrote: IT is a poor man’s replacement for BGP multihoming and IP anycast. Hey

Re: DNS Racing -Multi ISP load balancing with failover using DNS.

2011-05-29 Thread Warren Kumari
Warren Kumari -- Please excuse typing, etc -- This was sent from a device with a tiny keyboard. On May 29, 2011, at 9:32 PM, Mark Andrews ma...@isc.org wrote: In message 2c591af8-860d-45a5-9f3a-3603f3733...@kumari.net, Warren Kumari writes: Um, how? Surely you can just sign

Re: Compromised BIND?

2011-05-31 Thread Warren Kumari
On May 31, 2011, at 3:22 PM, Kevin Darcy wrote: On 5/31/2011 2:38 PM, Supersonic wrote: I have a BIND 9.8.0-P2 server instance running on a production server. Doing what, exactly? Resolving internal names only? Resolving Internet names? Acting as an authoritative server for internal

Re: Compromised BIND?

2011-05-31 Thread Warren Kumari
Does anyone else find the bind-users list to be very slow? webster.isc.org (localhost [IPv6:::1]) Tue, 31 May 2011 19:48:30 + - webster.isc.org (webster.isc.org) Tue, 31 May 2011 20:52:09 + Or is it just me seeing this? W On May 31, 2011, at 4:17 PM, Warren Kumari wrote: On May

Re: ns.il cname?

2011-06-03 Thread Warren Kumari
On Jun 3, 2011, at 11:44 AM, Tony Finch wrote: Carl Byington c...@byington.org wrote: ns.il. 86400 IN CNAME relay.huji.ac.il. il. 86400 IN NS nse.ns.il. With that cname, how are NS records like nse.ns.il supposed to work? The

Re: how to check if a slave zone is expired

2011-06-04 Thread Warren Kumari
And I've finally gotten enough cycles to write a script to do this and released it on Google Code ( https://code.google.com/p/dns-slave-expire-checker/ ). It is very simple, but if folk find it useful I can add additional functionality... It is a simple Python program: ./dns_expire_checker.py -r

Re: why bind unable to find log files

2011-06-11 Thread Warren Kumari
On Jun 11, 2011, at 4:22 AM, kshitij mali wrote: Hi Mark , Thanks of taking interest in my case , yes the rhel4 default bind named service is running in chroot jail , know tell we what config changes do i need to change. Create a directory inside the chroot jail called var/log/ --

Re: Reverse lookup flood from a single host

2011-07-16 Thread Warren Kumari
processes to see what make it stop is an option, but an annoying one... Any ideas? Warren Kumari -- Please excuse typing, etc -- This was sent from a device with a tiny keyboard. On Jul 15, 2011, at 6:00 PM, Benny Pedersen m...@junc.org wrote: On Fri, 15 Jul 2011 13:24:29 -0600, Joshua

Re: Forward only zones.

2011-07-25 Thread Warren Kumari
On Jul 25, 2011, at 3:15 AM, Matus UHLAR - fantomas wrote: On 24.07.11 09:15, Vbvbrj wrote: zone my_domain.com IN { On 24.07.2011 18:40, Matus UHLAR - fantomas wrote: I would prefer not to using underscores in domain names. While they are allowed, they may cause some stuff not to work.

Re: syntax error in $GENERATE crashed all nameservers

2011-08-18 Thread Warren Kumari
On Aug 18, 2011, at 10:28 AM, Lightner, Jeff wrote: It was certainly a typo and a user error in that regard. However, he was suggesting it was bug because it should have rejected input of negative numbers and I'll have to say I agree with that viewpoint. If I typed las instead of ls on

Re: syntax error in $GENERATE crashed all nameservers

2011-08-18 Thread Warren Kumari
- that would be pure sophistry.) -Original Message- From: Warren Kumari [mailto:war...@kumari.net] Sent: Thursday, August 18, 2011 1:26 PM To: Lightner, Jeff Cc: bind-users@lists.isc.org Subject: Re: syntax error in $GENERATE crashed all nameservers On Aug 18, 2011, at 10:28 AM

Re: Want to know if there is any way to add custom RR type.(like ip ipv6)

2011-09-13 Thread Warren Kumari
On Sep 13, 2011, at 9:49 AM, Onha Choe wrote: Im trying to make a new addressing scheme, and want to use bind to provide name service. The addressing is not compatible with known ones, and thus need to extend to support mine. Is there any way to do this? Yes. preferably innately

Re: slow non-cached quries

2011-09-15 Thread Warren Kumari
On Sep 15, 2011, at 12:04 PM, Michael McNally wrote: On 9/9/11 1:34 PM, TMK wrote: On Sep 9, 2011 10:28 PM, TMK eng...@gmail.com mailto:eng...@gmail.com wrote: On 09.09.11 19:31, TMK wrote: We have find the reason why our network analyzer report that bind is responding to

Re: One IP in multiple zones

2011-09-21 Thread Warren Kumari
On Sep 21, 2011, at 3:56 PM, Adamiec, Lawrence wrote: Hi, Is it possible to have one IP in multiple zone files for forward lookups? Yup, happens all the time: example.com: www.example.com. 600 IN A 192.0.2.1 example.net: www.example.net. 600 IN A 192.0.2.1 foo: www.foo.com.

Re: updating Bind made it slower

2011-09-27 Thread Warren Kumari
On Sep 27, 2011, at 3:52 PM, Tom Schmitt wrote: In this case rndc reconfig should be sufficient. This command tells BIND to re-read config file and load all new zones without touching any previously loaded zones. This was my understanding (after reading the text from rndc) as well. But

Re: resolv record without domain

2011-09-29 Thread Warren Kumari
On Sep 29, 2011, at 9:25 AM, Gabriele Gabriele wrote: Hello dear mailinglist, I have a little problem with my bind configuration, I explain you the situation I have a domain example.com with many record and every things work well, now I need to resolv an name of my servers without specify

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread Warren Kumari
On Sep 30, 2011, at 1:12 PM, John Wobus wrote: . . . both Evan's blog post http://www.isc.org/community/blog/201109/isc-bind-990a1-feature-preview and the announcement of next week's webinar include NXDOMAIN redirection as the first new feature. I'm really surprised by that - is this

Re: dnssec-keygen not responding

2011-12-01 Thread Warren Kumari
Yeah, a number of motherboards now come with TPMs that include hardware RNGs... My current personal server (Dell R710) has just such a beastie -- there is some info here: http://domsch.com/blog/?p=107 and I *think* that the rng-tools package now supports it natively I spent *many* hours

Re: Help to identify Microsoft DNS version

2012-01-10 Thread Warren Kumari
://lists.isc.org/mailman/listinfo/bind-users --- Don't be impressed with unintelligible stuff said condescendingly . -- Radia Perlman. Warren Kumari war...@kumari.net ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users

Re: allow-query for a zone

2012-01-16 Thread Warren Kumari
. Warren Kumari war...@kumari.net ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: load balance of DNS

2012-01-16 Thread Warren Kumari
to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users --- Don't be impressed with unintelligible stuff said condescendingly . -- Radia Perlman. Warren Kumari war...@kumari.net

Re: load balance of DNS

2012-01-16 Thread Warren Kumari
. Warren Kumari war...@kumari.net ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: allow-query for a zone

2012-01-17 Thread Warren Kumari
On Jan 17, 2012, at 3:44 AM, Matus UHLAR - fantomas wrote: Whether you set allow-query to none, or remove the zone statement, clients will get an error when they try to query the zone. On 17.01.12 14:13, Jeff Peng wrote: There is a difference when you develop a web interface for DNS

Re: Problem with ed.gov

2012-01-19 Thread Warren Kumari
-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users --- Don't be impressed with unintelligible stuff said condescendingly . -- Radia Perlman. Warren Kumari war...@kumari.net ___ Please visit https

Recovering from over enthusiastic key cleanup...

2012-02-02 Thread Warren Kumari
Hi all, So, I decided to roll keys on a test zone (af7.org) -- of course, I decided to do this a: late at night and b: while juggling many other things. So, I generated a new key and submitted my DS to my registrar, and deleted an older one - so far, all good, everything working fine. Problem

Re: Recovering from over enthusiastic key cleanup...

2012-02-02 Thread Warren Kumari
On Feb 2, 2012, at 11:43 AM, Spain, Dr. Jeffry A. wrote: So, is there: A: an easy way to figure out what keyfiles are no longer being used / referenced? B: a simpler way to recover from this when one *does* make a boo boo? What a fun evening. For the sake of interest, which version of

Re: Clarification on question and the answer section uppercase lower case mis match

2012-04-10 Thread Warren Kumari
http://www.ietf.org/rfc/rfc4343.txt Some resolvers use 0x20 tricks to encode additional entropy into queries. This works by randomly adding 0x20 to characters in the qname and then making sure they are the same when they come back (e.g: example.com - eXAmpLe.coM)... W On Apr 10, 2012, at

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-29 Thread Warren Kumari
On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote: Augie, Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure? That is regrettably not possible at the moment, at least not in BIND 9.9.0. The only (quite impracticable) workaround would be to define

Re: DNSSEC

2012-05-10 Thread Warren Kumari
On May 10, 2012, at 11:20 AM, Daniel Ryšlink wrote: On 05/10/2012 04:33 PM, Barry Margolin wrote: In articlemailman.748.1336659466.63724.bind-us...@lists.isc.org, Tony Finchd...@dotat.at wrote: Barry Margolinbar...@alum.mit.edu wrote: [Validation is] only untroublesome until someone

Re: DNSSEC

2012-05-10 Thread Warren Kumari
On May 10, 2012, at 12:52 PM, wbr...@e1b.org wrote: Warren wrote on 05/10/2012 11:50:30 AM: Nope -- Comcast does a large amount of checking before turning off validation for a failing domain. This is (IMO) more secure than the alternative, which is to simply leave it failing, and have

Re: random-device purpose in DNSSEC

2012-05-10 Thread Warren Kumari
On May 10, 2012, at 3:41 PM, Alexander Gurvitz wrote: Hello all. What random device used for ? ARM says Entropy is primarily needed for DNSSEC operations, such as ... dynamic update of signed zones. I don't get why signing a zone requires any randomness. This bothers me as I'm

Re: bind caching dns

2012-05-15 Thread Warren Kumari
On May 15, 2012, at 4:05 AM, Ben wrote: Hi, Any clue to resolve this. Lets see... You posted a question on May 8th asking for some assistance. You worded your initial question poorly, but within 2 hours you got a complete and well written response from Matthew (and less than 24 hours

Re: Checking for zone expiration?

2012-05-21 Thread Warren Kumari
On May 21, 2012, at 3:16 PM, Alan Batie wrote: We had a rather key zone mysteriously expire on a slave this morning - the log files show a transfer a couple weeks ago, but it hadn't been updated so there was no reason for one since and there were no log entries about failed connection

Re: Monitoring of blackholed DNS servers

2012-06-08 Thread Warren Kumari
If it were me I'd just block access with iptables (and maybe blackhole as well if I were sufficiently concerned) and combine that with the iptables log action… W On Jun 8, 2012, at 1:44 PM, christopher.harring...@emc.com wrote: All, We have a list of DNS servers that we do not want our

Re: limiting number of requests of a single hosts

2012-06-15 Thread Warren Kumari
On Jun 15, 2012, at 4:25 AM, Holemans Wim wrote: We have a problem with one of our firewalls caused by DNS peaks. Yes. EOM W Once or twice a day a DNS burst (20K requests/15sec) kills all connections on the firewall. The firewall is due for replacement but in the mean time we would like

Re: RPM [was: Re: bind dies with assertion failure]

2012-07-03 Thread Warren Kumari
On Jul 3, 2012, at 10:58 AM, wbr...@e1b.org wrote: Jan-Piet wrote on 07/03/2012 10:41:20 AM: Building BIND is easy; turning it into an installable RPM not so. I highly recommend fpm [1] which makes building an RPM trivial. :) Any advice or tricks for making a DEB for Ubuntu? So far my
