nsupdate communication failed

2009-07-28 Thread Christophe
Hi, I use nsupdate to update each minute some text fields representing
the status of several kinds of information.
The update performs correctly, but sometimes (once every ten or twenty
times) nsupdate outputs an error like:

Communication with XX.XX.XX.XX#53 failed: operation canceled could not
talk to specified name server

I have created a file with commands and repeat the execution with the debug
-D option until I get the error.
Content of the file is:

server XX.XX.XX.XX
update delete {fullyqualifieddomainname} TXT
update add {fullyqualifieddomainname} TXT "data"
send
quit

Then the output is :
setup_system()
reset_system()
user_interaction()
get_next_command()
get_next_command()
evaluate_update()
update_addordelete()
get_next_command()
evaluate_update()
update_addordelete()
get_next_command()
start_update()
recvsoa()
; Communication with XX.XX.XX.XX#53 failed: operation canceled could
not talk to specified name server

Has anybody an idea what can cause this behaviour?
The server logs show no request at this time.
Systems are as follows:
dns server : win2k3 sp1, running cisco network registrar 6.1.2.1
nsupdate client: same machine with nsupdate.exe, all dll needed and
vcredist installed

As I use the same machine, the destination address is the real IP address.
I have tried to set source and destination address to 127.0.0.1 and
the problem persists.

Thanks in advance for your help.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Intermittent NXDOMAIN, Bind 9.2.3 config and PowerDNS problem?

2009-07-28 Thread Richard
Hello list,

I am trying to diagnose an intermittent DNS failure.  I am not sure
where this problem lies; either with my DNS configuration, the ISP
DNS, or the third-party DNS.  I've reviewed RFCs 1034, 1035 and 2181
to gain a better understanding.  I have a hunch what is (possibly)
wrong.

(This problem involves bind, but it's not about bind strictly
speaking.  Is there a general DNS discussion list somewhere?  If so,
please direct me.)


The problem
---

Queries of "agences.fr.lastminute.com" against two servers of the
French ISP Free.fr, dns{1,2}.proxad.net, fail occasionally with
NXDOMAIN.
Queries against other nameservers do not fail (repeated many times).

I think there is..

1/ an issue with PowerDNS on the Free.fr resolvers, which is
interacting with
2/ a bad configuration of Bind 9.2.3 for lastminute.com


The diagnosis/info
--

Below I've shown queries against Free.fr DNS servers for host
"agences.fr.lastminute.com", followed by queries against the
lastminute.com DNS servers.


Queries of "agences.fr.lastminute.com": success, followed by NXDOMAIN,
success again:

Note: In the query responses, the TTL values jump around, therefore I
am guessing there is load balancing behind dns{1,2}.proxad.net.  I
believe PowerDNS 3.7.1 is running on dns{1,2}.proxad.net.  Perhaps the
NXDOMAIN is being returned, then the information is being added to the
proxad cache, and subsequent queries using a resolver with cached data
succeed?  There is discussion of a similar sounding problem with
PowerDNS 3.1.7 here: http://marc.info/?l=pdns-users&m=121942269602306&w=2




[localhost ~]$ dig @dns1.proxad.net agences.fr.lastminute.com

; <<>> DiG 9.6.1-RedHat-9.6.1-3.fc11 <<>> @dns1.proxad.net
agences.fr.lastminute.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61803
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;agences.fr.lastminute.com. IN  A

;; ANSWER SECTION:
agences.fr.lastminute.com. 188  IN  CNAME   pos1.leadformance.com.
pos1.leadformance.com.  3216    IN  CNAME   www01.leadformance.com.
www01.leadformance.com. 60      IN  A       88.191.95.212

;; Query time: 59 msec
;; SERVER: 212.27.40.240#53(212.27.40.240)
;; WHEN: Mon Jul 27 10:47:16 2009
;; MSG SIZE  rcvd: 111

[localhost ~]$ dig @dns1.proxad.net agences.fr.lastminute.com

; <<>> DiG 9.6.1-RedHat-9.6.1-3.fc11 <<>> @dns1.proxad.net
agences.fr.lastminute.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61043
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;agences.fr.lastminute.com. IN  A

;; ANSWER SECTION:
agences.fr.lastminute.com. 600  IN  CNAME   pos1.leadformance.com.

;; AUTHORITY SECTION:
com.    60  IN  SOA 3dns0.pwg.lastminute.com. hostmaster.3dns0.pwg.lastminute.com. 4 10800 3600 604800 60

;; Query time: 53 msec
;; SERVER: 212.27.40.240#53(212.27.40.240)
;; WHEN: Mon Jul 27 10:47:19 2009
;; MSG SIZE  rcvd: 132

[localhost ~]$ dig @dns1.proxad.net agences.fr.lastminute.com

; <<>> DiG 9.6.1-RedHat-9.6.1-3.fc11 <<>> @dns1.proxad.net
agences.fr.lastminute.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52078
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;agences.fr.lastminute.com. IN  A

;; ANSWER SECTION:
agences.fr.lastminute.com. 580  IN  CNAME   pos1.leadformance.com.
pos1.leadformance.com.  3600    IN  CNAME   www01.leadformance.com.
www01.leadformance.com. 60      IN  A       88.191.95.212

;; Query time: 58 msec
;; SERVER: 212.27.40.240#53(212.27.40.240)
;; WHEN: Mon Jul 27 10:47:23 2009
;; MSG SIZE  rcvd: 111



If I find a lastminute.com DNS server (I think they run Bind 9.2.3),
and query it directly:

[localhost ~]$ host -t ns lastminute.com dns1.proxad.net
Using domain server:
Name: dns1.proxad.net
Address: 212.27.40.240#53
Aliases:

lastminute.com name server 3dns0.pwg.lastminute.com.
lastminute.com name server 3dns1.pct.lastminute.com.


Note: What confuses me in the response below is the AUTHORITY
SECTION.  RFCs 1034 and 1035 indicate it is permissible to return an
SOA record here for negative caching, however it should be for the
domain of the queried name.  Therefore, I would expect to see an SOA
record for "lastminute.com.", not "com." (or, if it is for "com.", then
one of the root servers, not the lastminute server itself).  This
response appears to indicate that 3dns0.pwg.lastminute.com is
authoritative for "com.".

Furthermore, as it rejects recursive queries (makes sense), perhaps it
is confusing the querying server, who then tries to use it (since it's
claimed authority for "com.")?  In any case, I think it would be
preferable to return the helping NS records for
"leadformance.com" (based on th

bind9 behind firewall stopped responding

2009-07-28 Thread Peter Macko
I have a master DNS (bind9) for a domain. It was working until I put it behind 
firewall on a DMZ private subnet. It is setup in the way that from internet the 
DNS maintains its original IP address, that is SAT translated by firewall to 
the DMZ private subnet. I allowed ports 53 TCP/UDP. Should I allow other ports? 
The IP address of the DNS server was changed by putting it on DMZ private 
subnet, could be this the problem? Any ideas?

For testing, I have used some free dns report webpage, ... it is saying that my 
DNS is not responding.

Maybe I am asking something obvious, but I have to solve this until 
tomorrow and I do not know where to start looking.

Thank you a lot,
Peter



Creating a CNAME to another domain.

2009-07-28 Thread Ezra Taylor
Hello All:
   How can I create a CNAME that points to another domain.
Example below.  Is the below example possible?



stars.mydomain.com    IN  CNAME   stars.otherdomain.com.

-- 
Ezra Taylor

Re: Bind 9.6.1: skipping zone transfer, but why ?

2009-07-28 Thread JINMEI Tatuya / 神明達哉
At Wed, 22 Jul 2009 15:56:38 +0200,
Jan Hansen  wrote:

> As I wrote in the post "Master is unreachable (cached)", I've switched 
> to windows server 2003, which currently *seem* to have a positive 
> effect. I haven't seen the behaviour yet after the switch, but Ian Tait 
> sees this behaviour on 2003. Is it OS specific, or does it affect both 
> 2003/2008? As far as I'm informed, much of the network stack is new in 
> 2008/vista and forward, which maybe could be related to this problem?

I don't know if this is version specific.  Note that this bug is
triggered due to a failure of zone transfer.  So you may just be lucky
when you didn't see the problem.

> When will this fix be out in a "release"? 9.6.2, perhaps? or what is the 
> roadmap for that kind of things?

It will appear in 9.6.2.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Moving an AD Zone from Windows to BIND

2009-07-28 Thread Raul Lopez Nevot
> What I need is a procedure that I can use to move the base zone
>
> xxx.yyy.example.com
>
> to BIND, while keeping the six AD zones on the Windows DNS Server.
> If I were to define the six AD zones on the Windows DNS Server,
>

I doubt you can do this with elegance. And, if you have two DNS servers and
one of them is Windows (sure you will have DHCP), your 'reverse zones' will
be broken (half of information on each DNS).

Have you wondered about putting all in BIND?

Re: Moving an AD Zone from Windows to BIND

2009-07-28 Thread Michael Milligan
bsfin...@anl.gov wrote:
> This is not really a BIND-related question, but I thought that maybe
> some people on this list can point me in the right direction.
> Maybe someone has already done what I need to do.
> 
> I have one zone
> 
>  xxx.yyy.example.com
> 
> that is on a Windows DNS server, completely under the control of
> Windows.  This zone is slaved on my BIND servers.  Within these zones
> are the AD records
> 
>  ForestDNSZones.xxx.yyy.example.com
>  DomainDNSZones.xxx.yyy.example.com
>  _msdcs.xxx.yyy.example.com
>  _sites.xxx.yyy.example.com
>  _tcp.xxx.yyy.example.com
>  _udp.xxx.yyy.example.com
> 
> What I need is a procedure that I can use to move the base zone
> 
>  xxx.yyy.example.com
> 
> to BIND, while keeping the six AD zones on the Windows DNS Server.

Is this base zone AD-integrated?  If so, then your domain-joined clients
 (PCs and laptops) are sending dynamic updates for their A records
(forward-mapping), unless you have specifically changed the behavior (at
several touch points).  You need to handle this unless you don't care
about client A records and can stand all the "dynamic update denied"
messages you're gonna see.

And you're completely glossing over the DHCP side of this whole equation.

> If I were to define the six AD zones on the Windows DNS Server,
> would the SRV, CNAME, and other AD records move to the new zones
> automatically?  I have no problem taking the zone file on one of my
> BIND slaves, removing the AD records, adding delegations for the six
> AD zones, and making this file into a master.

It works just fine to define those 6 zones plus the apex zone
(xxx.yyy.example.com) as master on your BIND server and just allow (by
IP address) each of your domain controllers to do dynamic updates to
those zones.  You just create them as empty zones, then on each domain
controller, simply stop and then start the netlogon service to have the
dynamic records that they need added back in (they check and add any
missing records).  Watch syslog to make sure this happens.  You can also
use GSS-TSIG in the latest versions of BIND to allow clients and domain
controllers to do dynamic updates of their DNS records too, but that's
another can of worms.

It works the same if you want to leave just those 6 zones on Microsoft too.

Regards,
Mike

-- 
Michael Milligan   -> mi...@acmeps.com


Re: bind 9 problem with delegation

2009-07-28 Thread bsfinkel
gui  wrote:

>hello,
>
>i have a strange problem with my bind server, and i hope someone
>could point out the problem, here is the description,
>
>i have two bind servers (replication, multi-master), bind 9.3.4, same
>version, same configuration (normally).
>I tried to do some PTR delegation, so for example, i have a 104.10.in-
>addr.arpa zone, the master of the zone is my bind server, in this zone
>file i have this :
>
>0.104.10.in-addr.arpa.    IN    NS    otherDNSserver.fqdn
>
>on the first server, when i check with dig :
> i get nothing :
>
>dig 0.104.10.in-addr.arpa :
>
>; <<>> DiG 9.3.4-P1.1 <<>> 0.104.10.in-addr.arpa
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60811
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;0.104.10.in-addr.arpa. IN  A
>
>;; Query time: 108 msec
>;; SERVER: 10.x.x.x#53(10.x.x.x)
>;; WHEN: Fri Jul 10 17:17:52 2009
>;; MSG SIZE  rcvd: 39
>
>
>on the other one, it works :
>
>
>; <<>> DiG 9.3.4-P1.1 <<>> 0.104.10.in-addr.arpa
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58295
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;0.104.10.in-addr.arpa. IN  A
>
>;; AUTHORITY SECTION:
>0.104.10.in-addr.arpa.  3600    IN  SOA myotherdnsserver.fqdn.
>hostmaster.myotherserver.fqdn. 310 900 600 86400 3600
>
>;; Query time: 4005 msec
>;; SERVER: 10.2.129.9#53(10.2.129.9)
>;; WHEN: Thu Jul 23 09:03:51 2009
>;; MSG SIZE  rcvd: 113
>
>
>and i can't find what to do to make this work correctly on the first
>server
>
>hope you'll have more ideas than me :-))
>
>thank you !

The first query does not produce "nothing"; it tells you via these lines:

 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60811
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;0.104.10.in-addr.arpa. IN  A

The return code is NXDOMAIN.  There is no "aa" in the flags, so the
response is not authoritative.  The server knows nothing about this
domain.  Note that you are querying for the address of a class-c
subnet, and that subnet has no address.

The second query "works"; it gives you more information than the first
query:

 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58295
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;0.104.10.in-addr.arpa. IN  A

 ;; AUTHORITY SECTION:
 0.104.10.in-addr.arpa.  3600    IN  SOA myotherdnsserver.fqdn.

The return code is NOERROR.  There are 0 answer sections in the
response.  The response is not authoritative.  But the server knows
(and gives) the SOA for the zone.  I am assuming that this server had
the SOA record in its cache.

As to why these two DNS servers do not know about the zone, I cannot
tell.  This is a 10-subnet, so we would not be able to query it.
We would have to see the config files from the two servers to see
how they define the zone.

Here is a query I made for the address of one of our Class-B subnets:

solaris% dig 139.146.in-addr.arpa

; <<>> DiG 8.3 <<>> 139.146.in-addr.arpa 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;  139.146.in-addr.arpa, type = A, class = IN

;; AUTHORITY SECTION:
139.146.in-addr.arpa.   2H IN SOA   dns0.anl.gov. hostmaster.anl.gov. (
2009072402  ; serial
2H  ; refresh
1H  ; retry
2W  ; expiry
2H ); minimum
...
solaris%

Note that the answer has NOERROR, aa, and 0 answer sections.
The response is authoritative, as the server I queried is a slave for
this zone.  The query was for an "A" record that does not exist.
A query for NS records might give you the NS record set for the zone,
depending upon your BIND configuration.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994
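Barry's walk-through above (the status code, the "aa" flag, and the SOA in the AUTHORITY section of a negative answer) and Richard's earlier note that the negative-caching SOA should belong to the zone that actually contains the name can be turned into a small checker. The following Python is an added example, not code from any of the posts: it parses dig's text output, follows a CNAME chain to the name a negative answer is really about (the QNAME in the sense of RFC 2308), and reports what the response claims. Both inputs are constructed to mirror responses quoted in the thread (Richard's NXDOMAIN from dns1.proxad.net and Barry's authoritative answer for 139.146.in-addr.arpa, re-laid-out in dig 9 format); the expected zone passed in, leadformance.com., is an operator assumption about where the CNAME target lives, not something the responses state.

```python
"""Classify a dig response the way the replies in this thread reason about it."""
import re

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
STATUS_RE = re.compile(r"status: (\w+), id: \d+")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")

# Constructed sample mirroring the NXDOMAIN response Richard quoted.
SAMPLE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61043
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;agences.fr.lastminute.com.   IN  A

;; ANSWER SECTION:
agences.fr.lastminute.com. 600 IN CNAME pos1.leadformance.com.

;; AUTHORITY SECTION:
com. 60 IN SOA 3dns0.pwg.lastminute.com. hostmaster.3dns0.pwg.lastminute.com. 4 10800 3600 604800 60
"""

# Constructed sample mirroring Barry's authoritative NODATA answer for a reverse zone.
SAMPLE_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;139.146.in-addr.arpa.   IN  A

;; AUTHORITY SECTION:
139.146.in-addr.arpa. 7200 IN SOA dns0.anl.gov. hostmaster.anl.gov. 2009072402 7200 3600 1209600 7200
"""


def parse_dig(text):
    """Extract status, header flags, question name and record sections from dig 9 output."""
    resp = {"status": None, "flags": set(), "qname": None, "sections": {}}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            resp["sections"][current] = []
            continue
        m = STATUS_RE.search(line)
        if m:
            resp["status"] = m.group(1)
            continue
        m = FLAGS_RE.match(line)
        if m:
            resp["flags"] = set(m.group(1).split())
            continue
        if line.startswith(";;"):
            continue  # other dig commentary (query time, server, ...)
        if current == "QUESTION" and line.startswith(";"):
            resp["qname"] = line[1:].split()[0].lower()
            continue
        parts = line.split()  # owner ttl class type rdata...
        if current and len(parts) >= 4:
            resp["sections"][current].append(
                {"owner": parts[0].lower(), "ttl": int(parts[1]),
                 "type": parts[3].upper(), "rdata": " ".join(parts[4:])})
    return resp


def negative_name(resp):
    """Follow any CNAME chain in ANSWER to the name the negative answer is about (RFC 2308 QNAME)."""
    name = resp["qname"]
    chain = {r["owner"]: r["rdata"].lower()
             for r in resp["sections"].get("ANSWER", []) if r["type"] == "CNAME"}
    seen = set()
    while name in chain and name not in seen:
        seen.add(name)
        name = chain[name]
    return name


def assess(resp, expected_zone=None):
    """Explain the response; expected_zone (absolute, lower-case) is the zone the
    operator believes should hold the name, checked against the SOA owner if given."""
    findings = []
    data = [r for r in resp["sections"].get("ANSWER", []) if r["type"] != "CNAME"]
    origin = ("(authoritative)" if "aa" in resp["flags"]
              else "(non-authoritative: relayed by a resolver, possibly from its cache)")
    if resp["status"] == "NXDOMAIN":
        findings.append(f"NXDOMAIN {origin}: the name is asserted not to exist")
    elif resp["status"] == "NOERROR" and not data:
        findings.append(f"NODATA {origin}: the name exists but owns no record of the queried type")
    else:
        findings.append(f"{resp['status']} with {len(data)} answer record(s) {origin}")
        return findings
    target = negative_name(resp)
    soas = [r for r in resp["sections"].get("AUTHORITY", []) if r["type"] == "SOA"]
    if not soas:
        findings.append("no SOA in AUTHORITY: resolvers cannot negative-cache this answer (RFC 2308)")
    for soa in soas:
        owner = soa["owner"]
        neg_ttl = min(soa["ttl"], int(soa["rdata"].split()[-1]))  # RFC 2308 section 3
        if owner != "." and target != owner and not target.endswith("." + owner):
            findings.append(f"SOA owner {owner} is not an ancestor of {target}: malformed negative answer")
        elif expected_zone and owner != expected_zone:
            findings.append(f"SOA owner {owner} differs from expected zone {expected_zone}: "
                            f"the responding server claims authority for {owner}")
        else:
            findings.append(f"negative answer for {target} attributed to zone {owner} "
                            f"(negative-cache TTL {neg_ttl})")
    return findings


if __name__ == "__main__":
    for f in assess(parse_dig(SAMPLE_NXDOMAIN), expected_zone="leadformance.com."):
        print(f)
    for f in assess(parse_dig(SAMPLE_NODATA)):
        print(f)
```

The checker only reports what the packet says; deciding whether an SOA for "com." is plausible still needs the operator's knowledge of the delegation, which is why the expected zone is an input rather than something inferred.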


Slave server not using the IP set using transfer-source

2009-07-28 Thread mrkbkr
I have 3 servers set up using bind 9.2.4-30. I am using 3 different views  
and have an IP address on each slave for each view so that the slaves are  
directed to the correct zone files when contacting the master to refresh a  
zone, etc. I have run into a problem with the slaves not respecting the ip  
address using transfer-source in the zone definitions. The slave uses the  
transfer-source IP when retrieving the zone file for the first time from  
the master & when refreshing the zone file. However when a notify is  
received by the slave from the master, the slave tries to retrieve the new  
zone file using the slave servers default IP. The slave is not directed to  
the correct view on the master causing the slave to not receive the updated  
zone file. Does anyone have an idea on why this would happen?


Thanks,

Mark

about tcp port 53

2009-07-28 Thread Tech W.

Hello,

what's the use of bind's tcp port 53?
is it used for dns update and zone transfer or something else?

If I have not been using dynamic update and transfer, can I block tcp port 53 
using a firewall?

Thanks.

Regards,
Wah.



  



Re: bind 9 problem with delegation

2009-07-28 Thread Kevin Darcy

Maybe replication occurred some time between July 10 and July 23.

- Kevin

gui wrote:

> hello,
>
> i have a strange problem with my bind server, and i hope someone
> could point out the problem, here is the description,
>
> i have two bind servers (replication, multi-master), bind 9.3.4, same
> version, same configuration (normally).
> I tried to do some PTR delegation, so for example, i have a 104.10.in-
> addr.arpa zone, the master of the zone is my bind server, in this zone
> file i have this :
>
> 0.104.10.in-addr.arpa.    IN    NS    otherDNSserver.fqdn
>
> on the first server, when i check with dig :
>  i get nothing :
>
> dig 0.104.10.in-addr.arpa :
>
> ; <<>> DiG 9.3.4-P1.1 <<>> 0.104.10.in-addr.arpa
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60811
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;0.104.10.in-addr.arpa. IN  A
>
> ;; Query time: 108 msec
> ;; SERVER: 10.x.x.x#53(10.x.x.x)
> ;; WHEN: Fri Jul 10 17:17:52 2009
> ;; MSG SIZE  rcvd: 39
>
>
> on the other one, it works :
>
>
> ; <<>> DiG 9.3.4-P1.1 <<>> 0.104.10.in-addr.arpa
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58295
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;0.104.10.in-addr.arpa. IN  A
>
> ;; AUTHORITY SECTION:
> 0.104.10.in-addr.arpa.  3600    IN  SOA myotherdnsserver.fqdn.
> hostmaster.myotherserver.fqdn. 310 900 600 86400 3600
>
> ;; Query time: 4005 msec
> ;; SERVER: 10.2.129.9#53(10.2.129.9)
> ;; WHEN: Thu Jul 23 09:03:51 2009
> ;; MSG SIZE  rcvd: 113
>
>
> and i can't find what to do to make this work correctly on the first
> server
>
> hope you'll have more ideas than me :-))
>
> thank you !


Re: about allow-update

2009-07-28 Thread Tech W.

Hi Evan,

I follow your suggestion to add the corresponding syntax into named.conf, then 
I run "rndc reload", but got:

# sbin/rndc reload
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not syncronized, or
* the key is invalid.

bind version:
# sbin/named -v
BIND 9.6.0-P1


Please help, thanks.

Regards,
Wah.


--- On Thu, 16/7/09, Evan Hunt  wrote:

> From: Evan Hunt 
> Subject: Re: about allow-update
> To: "Tech W." 
> Cc: bind-users@lists.isc.org
> Received: Thursday, 16 July, 2009, 11:26 AM
> 
> > Besides TSIG key, I want to limit the source address
> also.  That's to
> > say, I want the given address with specified key to
> execute the update
> > only.
> > 
> > How can I do it? Is this syntax correct?
> > 
> > allow-update {key "mykey"; 192.168.1.254;};
> 
> Alas, no.  What you want is:
> 
>         allow-update { !{ !192.168.1.254; any; }; key mykey; };
> 
> See http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html
> for my hard-to-read explanation of this painful syntax.
> 
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
> 


  

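Why Evan's nested-negation form restricts updates to one address *and* one key, while the naive list he rejects allows either alone, is easiest to see by evaluating both against a few requests. The Python below is an added example, not ISC code: it models BIND's address-match-list rules as I understand them (elements are evaluated in order and the first match wins; a negated element that matches denies; a negative match inside a nested list is treated as no match by the enclosing list, so "!{ ... }" cannot turn into a positive match by double negation). The key name and address come from the quoted exchange; the other source address is constructed.

```python
"""Model of BIND address-match-list evaluation, applied to the two allow-update
forms discussed above. Not BIND's own code."""
import ipaddress

# An element is (negated, kind, value); kind is "addr" (CIDR string),
# "key" (TSIG key name the request must be signed with), "any",
# or "nested" (a list of elements).

# The naive form from the question: allow-update { key "mykey"; 192.168.1.254; };
NAIVE_ACL = [(False, "key", "mykey"), (False, "addr", "192.168.1.254/32")]

# Evan's form: allow-update { !{ !192.168.1.254; any; }; key mykey; };
EVAN_ACL = [
    (True, "nested", [(True, "addr", "192.168.1.254/32"), (False, "any", None)]),
    (False, "key", "mykey"),
]


def match_list(elements, source_ip, signer=None):
    """Return 1 for a positive match, -1 for a negated-element match and
    0 for no match. Evaluation stops at the first element that matches."""
    ip = ipaddress.ip_address(source_ip)
    for negated, kind, value in elements:
        if kind == "any":
            hit = True
        elif kind == "addr":
            hit = ip in ipaddress.ip_network(value, strict=False)
        elif kind == "key":
            hit = signer is not None and signer == value
        elif kind == "nested":
            # A negative match from the inner list is "no match" out here.
            hit = match_list(value, source_ip, signer) > 0
        else:
            raise ValueError(f"unknown element kind {kind!r}")
        if hit:
            return -1 if negated else 1
    return 0


def update_allowed(acl, source_ip, signer=None):
    """True when the request would be accepted by allow-update { acl }."""
    return match_list(acl, source_ip, signer) > 0


def walk(acl):
    """Evaluate an ACL against the interesting cases; returns {case: allowed}."""
    cases = {
        "right address, signed with mykey": ("192.168.1.254", "mykey"),
        "right address, unsigned": ("192.168.1.254", None),
        "other address, signed with mykey": ("10.0.0.5", "mykey"),  # constructed source
        "other address, unsigned": ("10.0.0.5", None),
    }
    return {name: update_allowed(acl, ip, key) for name, (ip, key) in cases.items()}


if __name__ == "__main__":
    for label, acl in (("naive", NAIVE_ACL), ("evan", EVAN_ACL)):
        for case, allowed in walk(acl).items():
            print(f"{label:5} {case:36} -> {'allowed' if allowed else 'refused'}")
```

With the naive list, a request from any address that carries the key is accepted, and an unsigned request from 192.168.1.254 is accepted too; only Evan's form refuses everything except a request that satisfies both conditions.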


DNSSEC NS record delegation

2009-07-28 Thread Khuu, Linh MicroTech
Hi,

I have question about the DNSSEC NS record.

We have the parent zone, for example, example.net being signed with DNSSEC. We 
have a child zone test.example.net delegating to glbl.example.net as NS record. 
glbl.example.net is not a DNSSEC. Will nslookup for anything in 
test.example.net fail?

Linh Khuu 




Re: bind9 behind firewall stopped responding

2009-07-28 Thread Fr34k
If the DNS server now has a RFC1918 IP address, then one will probably have to 
setup appropriate NAT rules for a publicly accessible/routable IP address.
On some firewalls, there is a NAT rule for incoming traffic and a another rule 
for outgoing traffic  (basically mapping the public IP for both 
incoming/outgoing).

Sounds like this was done, so perhaps double check both incoming and outgoing 
rules and setup?
Maybe something missed with the IP config (gateway, mask, broadcast)?
Can the DNS server ping or traceroute to any public sites?

HTH






From: Peter Macko 
To: bind-users@lists.isc.org
Sent: Monday, July 27, 2009 2:00:24 PM
Subject: bind9 behind firewall stopped responding


I have a master DNS (bind9) for a domain. It was working until I put it behind 
firewall on a DMZ private subnet. It is setup in the way that from internet the 
DNS maintains its original IP address, that is SAT translated by firewall to 
the DMZ private subnet. I allowed ports 53 TCP/UDP. Should I allow other ports? 
The IP address of the DNS server was changed by putting it on DMZ private 
subnet, could be this the problem? Any ideas?
 
For testing, I have used some free dns report webpage, ... it is saying that my 
DNS is not responding.
 
Maybe I am asking something obvious, but I have to solve this until tomorrow 
and I do not know where to start looking.
 
Thank you a lot,
Peter

RE: Slave server not using the IP set using transfer-source

2009-07-28 Thread Dixon, Justin
> I have 3 servers set up using bind 9.2.4-30. I am using 3 different
> views and have an IP address on each slave for each view so that the
> slaves are directed to the correct zone files when contacting the
> master to refresh a zone, etc. I have run into a problem with the slaves
> not respecting the ip address using transfer-source in the zone
> definitions. The slave uses the transfer-source IP when retrieving the
> zone file for the first time from the master & when refreshing the zone
> file. However when a notify is received by the slave from the master,
> the slave tries to retrieve the new zone file using the slave servers
> default IP. The slave is not directed to the correct view on the master
> causing the slave to not receive the updated zone file. Does anyone
> have an idea on why this would happen?
>
> Thanks,
>
> Mark

See https://www.isc.org/node/282

Justin


Re: about tcp port 53

2009-07-28 Thread Stephane Bortzmeyer
On Mon, Jul 27, 2009 at 10:33:56AM +0800,
 Tech W.  wrote 
 a message of 23 lines which said:

> what's the use of bind's tcp port 53?

DNS requests and responses.

> is it used for dns update and zone transfer or something else?

Everything else.

> If I have not been using dynamic update and transfer, can I block
> tcp port 53 using a firewall?

Certainly not.


Re: Intermittent NXDOMAIN, Bind 9.2.3 config and PowerDNS problem?

2009-07-28 Thread Stephane Bortzmeyer
On Mon, Jul 27, 2009 at 02:36:29AM -0700,
 Richard  wrote 
 a message of 190 lines which said:

> Queries of "agences.fr.lastminute.com" against two servers of the
> French ISP Free.fr,

As a subscriber of Free, and a reader of the various Free users fora,
let me warn you that Free DNS service has a bad reputation. Many Free
subscribers install their own resolver on their machine...

> Note: What confuses me in the response below is the AUTHORITY
> SECTION.  RFCs 1034 and 1035 indicate it is permissible to return an
> SOA record here for negative caching, however it should be for the
> domain of the queried name.  Therefore, I would expect to see an SOA
> record for "lastminute.com.", not "com."

Indeed, lastminute.com's name servers are severely broken.

> (or, if is for "com.", then one of the root servers,

Why the root servers? It should be the ".com" servers.

> Is this bind misconfigured, returning to the public the SOA for
> "com."  as their own lastminute.com server and no NS records?

They have other strange features. My favorite:

% dig @3dns0.pwg.lastminute.com ANY lastminute.com 
;; Got bad packet: extra input data
306 bytes
85 58 85 00 00 01 00 08 00 00 00 03 0a 6c 61 73 
74 6d 69 6e 75 74 65 03 63 6f 6d 00 00 ff 00 01 
c0 0c 00 06 00 01 00 00 02 58 00 53 05 33 64 6e 
...

Clearly, the people at lastminute.com need DNS training.



Re: Creating a CNAME to another domain.

2009-07-28 Thread Stephane Bortzmeyer
On Fri, Jul 24, 2009 at 02:57:24PM -0400,
 Ezra Taylor  wrote 
 a message of 43 lines which said:

> stars.mydomain.com INCNAME  stars.otherdomain.com.

Yes, except the missing dot at the end of the Left-Hand Side.


Re: Creating a CNAME to another domain.

2009-07-28 Thread Kevin Darcy

Ezra Taylor wrote:

> Hello All:
>    How can I create a CNAME that points to another
> domain.  Example below.  Is the below example possible?
>
> stars.mydomain.com    IN  CNAME   stars.otherdomain.com.

If stars.mydomain.com is just an ordinary name in the mydomain.com zone, 
then there is no problem with what you show above (except, 
syntactically, you need the trailing dot, as was already pointed out).


If, on the other hand, stars.mydomain.com is a *zone*, then it's not 
possible, because in that case there would be "apex" records (records 
whose name is the same as that of the zone); at a minimum, an SOA and at 
least 2 NS records, which are required for each and every zone. When a 
particular name owns a CNAME record, it cannot also own SOA or NS records.




   - Kevin


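Both replies to Ezra (Stephane's missing trailing dot, and Kevin's rule that a name owning a CNAME cannot own anything else, least of all the SOA and NS records every apex must have) can be checked mechanically before a zone is loaded. The Python below is an added example, not code from the list or from BIND: it reads a small single-line master-file fragment, makes owner and target names absolute the way a zone parser does (so a missing trailing dot visibly produces stars.mydomain.com.mydomain.com.), and reports every owner that holds a CNAME together with other data. The zone fragment, the names mydomain.com and otherdomain.com, and the 192.0.2.0/24 addresses are constructed for the example.

```python
"""Find the two CNAME pitfalls from this thread in a zone-file fragment."""

# Constructed zone fragment; each record deliberately illustrates one case.
SAMPLE_ZONE = """\
$ORIGIN mydomain.com.
$TTL 3600
@                   IN SOA   ns1.mydomain.com. hostmaster.mydomain.com. 2009072801 7200 3600 1209600 3600
@                   IN NS    ns1.mydomain.com.
@                   IN NS    ns2.mydomain.com.
ns1                 IN A     192.0.2.1
ns2                 IN A     192.0.2.2
stars               IN CNAME stars.otherdomain.com.  ; what Ezra wants: relative owner, absolute target
stars.mydomain.com  IN CNAME stars.otherdomain.com.  ; no trailing dot on the owner
www                 IN CNAME stars                   ; relative target, completed with $ORIGIN
www                 IN A     192.0.2.3               ; CNAME and other data at the same name
@                   IN CNAME stars.otherdomain.com.  ; CNAME at the zone apex
"""


def absolute(name, origin):
    """Complete a name as a zone-file parser does: '@' is the origin, a trailing
    dot means the name is already absolute, anything else gets the origin
    appended (which is exactly what a forgotten trailing dot causes)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Parse single-line master-file records into (owner, type, rdata) tuples.
    Supports $ORIGIN, $TTL, ';' comments, optional TTL/class fields and a blank
    owner field (repeat the previous owner). Parenthesised multi-line records
    are intentionally out of scope for this example."""
    if not origin.endswith("."):
        origin += "."
    origin = origin.lower()
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = absolute(parts[1], origin)
            continue
        if parts[0] == "$TTL":
            continue
        if line[0] in " \t":
            owner = last_owner
        else:
            owner = absolute(parts.pop(0), origin)
        last_owner = owner
        if parts and parts[0].isdigit():          # optional TTL
            parts.pop(0)
        if parts and parts[0].upper() in ("IN", "CH", "HS"):  # optional class
            parts.pop(0)
        rtype = parts.pop(0).upper()
        rdata = " ".join(parts)
        if rtype in ("CNAME", "NS"):              # targets are names: same completion rule
            rdata = absolute(rdata, origin)
        records.append((owner, rtype, rdata))
    return records, origin


def check_cnames(records, apex):
    """Report owners that hold a CNAME alongside any other record type."""
    by_owner = {}
    for owner, rtype, _ in records:
        by_owner.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, types in by_owner.items():
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            msg = f"{owner} owns a CNAME together with {others}"
            if owner == apex:
                msg += " (zone apex: SOA and NS are mandatory here, so a CNAME is impossible)"
            problems.append(msg)
    return problems


if __name__ == "__main__":
    recs, apex = parse_zone(SAMPLE_ZONE, "mydomain.com.")
    for owner, rtype, rdata in recs:
        print(f"{owner:36} {rtype:6} {rdata}")
    for problem in check_cnames(recs, apex):
        print("PROBLEM:", problem)
```

The record listing is where the missing dot shows up: the owner without a trailing dot becomes stars.mydomain.com.mydomain.com., a perfectly loadable but useless name, which is why that mistake produces no error from the server, only from the people who try to resolve the intended name.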


Re: Moving an AD Zone from Windows to BIND

2009-07-28 Thread bsfinkel
bsfin...@anl.gov wrote:
>> This is not really a BIND-related question, but I thought that maybe
>> some people on this list can point me in the right direction.
>> Maybe someone has already done what I need to do.
>> 
>> I have one zone
>> 
>>  xxx.yyy.example.com
>> 
>> that is on a Windows DNS server, completely under the control of
>> Windows.  This zone is slaved on my BIND servers.  Within these zones
>> are the AD records
>> 
>>  ForestDNSZones.xxx.yyy.example.com
>>  DomainDNSZones.xxx.yyy.example.com
>>  _msdcs.xxx.yyy.example.com
>>  _sites.xxx.yyy.example.com
>>  _tcp.xxx.yyy.example.com
>>  _udp.xxx.yyy.example.com
>> 
>> What I need is a procedure that I can use to move the base zone
>> 
>>  xxx.yyy.example.com
>> 
>> to BIND, while keeping the six AD zones on the Windows DNS Server.


and Michael Milligan  replied:
>Is this base zone AD-integrated?  If so, then your domain-joined clients
> (PCs and laptops) are sending dynamic updates for their A records
>(forward-mapping), unless you have specifically changed the behavior (at
>several touch points).  You need to handle this unless you don't care
>about client A records and can stand all the "dynamic update denied"
>messages you're gonna see.
>
>And you're completely glossing over the DHCP side of this whole equation.
>
>> If I were to define the six AD zones on the Windows DNS Server,
>> would the SRV, CNAME, and other AD records move to the new zones
>> automatically?  I have no problem taking the zone file on one of my
>> BIND slaves, removing the AD records, adding delegations for the six
>> AD zones, and making this file into a master.
>
>It works just fine to define those 6 zones plus the apex zone
>(xxx.yyy.example.com) as master on your BIND server and just allow (by
>IP address) each of your domain controllers to do dynamic updates to
>those zones.  You just create them as empty zones, then on each domain
>controller, simply stop and then start the netlogon service to have the
>dynamic records that they need added back in (they check and add any
>missing records).  Watch syslog to make sure this happens.  You can also
>use GSS-TSIG in the latest versions of BIND to allow clients and domain
>controllers to do dynamic updates of their DNS records too, but that's
>another can of worms.
>
>It works the same if you want to leave just those 6 zones on Microsoft too.

I am not worried about the DHCP piece.  There are two zones I have to
convert.  One is mostly static and contains Windows Servers.  The
other is dynamic, with client machines under the control of a Windows
DHCP server.  For this zone, we will change DHCP to static leases
before the conversion, and all new machines will be registered via
our host database, which will automatically update DHCP.

I do not want any dynamic DNS to my BIND servers, as I am not sure
how that DDNS would interface with DNSSEC.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994


Re: Moving an AD Zone from Windows to BIND

2009-07-28 Thread Kevin Darcy

Raul Lopez Nevot wrote:

> > What I need is a procedure that I can use to move the base zone
> >
> > xxx.yyy.example.com
> >
> > to BIND, while keeping the six AD zones on the Windows DNS Server.
> > If I were to define the six AD zones on the Windows DNS Server,
>
> I doubt you can do this with elegance. And, if you have two DNS
> servers and one of them is Windows (sure you will have DHCP), your
> 'reverse zones' will be broken (half of information on each DNS).

You're making several assumptions about the 
presence/architecture/configuration of DHCP, its clients and/or servers. 
I'll note Barry didn't mention DHCP at all in his original post.


If all of the clients' address assignments are either "static" (no DHCP) 
or "manual DHCP" (same address to the same client permanently), or if 
the DHCP server, and/or the clients themselves, are authorized to update 
both the forward and reverse zones, in response to lease activity, via 
TSIG key, GSS-TSIG, or some other authentication regime, then there is 
no forward/reverse inconsistency to worry about.



   - Kevin




Dig shows wrong ip

2009-07-28 Thread Bradley Caricofe
Hi,

I recently migrated our old DNS servers to new hardware and BIND 9.6
installations. One domain is exhibiting some strangeness,
dns3.potomacnetworks.com. Our main DNS servers are authoritative for this
subdomain and it should point to 216.250.231.11, however, the whole world
sees it pointing to 216.250.243.230. Digs against our DNS servers show the
correct information. I'm stumped, please help me.

Thanks,
Brad

Re: Dig shows wrong ip

2009-07-28 Thread sthaug
> I recently migrated our old DNS servers to new hardware and BIND 9.6
> installations. One domain is exhibiting some strangeness,
> dns3.potomacnetworks.com. Our main DNS servers are authoritative for this
> subdomain and it should point to 216.250.231.11, however, the whole world
> sees it pointing to 216.250.243.230. Digs against our DNS servers show the
> correct information. I'm stumped, please help me.

Here's your 216.250.243.230 address:

% whois dns3.potomacnetworks.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to
http://www.internic.net
for detailed information.

   Server Name: DNS3.POTOMACNETWORKS.COM
   IP Address: 216.250.243.230
   Registrar: REGISTER.COM, INC.
   Whois Server: whois.register.com
   Referral URL: http://www.register.com

So - the GTLD-servers know about this host, and will return it when
asked about A for dns3.potomacnetworks.com.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: Dig shows wrong ip

2009-07-28 Thread Bradley Caricofe
On Tue, Jul 28, 2009 at 2:22 PM,  wrote:

> > I recently migrated our old DNS servers to new hardware and BIND 9.6
> > installations. One domain is exhibiting some strangeness,
> > dns3.potomacnetworks.com. Our main DNS servers are authoritative for
> this
> > subdomain and it should point to 216.250.231.11, however, the whole world
> > sees it pointing to 216.250.243.230. Digs against our DNS servers show
> the
> > correct information. I'm stumped, please help me.
>
> Here's your 216.250.243.230 address:
>
> % whois dns3.potomacnetworks.com
>
> Whois Server Version 2.0
>
> Domain names in the .com and .net domains can now be registered
> with many different competing registrars. Go to
> http://www.internic.net
> for detailed information.
>
>   Server Name: DNS3.POTOMACNETWORKS.COM
>   IP Address: 216.250.243.230
>   Registrar: REGISTER.COM, INC.
>   Whois Server: whois.register.com
>   Referral URL: http://www.register.com
>
> So - the GTLD-servers know about this host, and will return it when
> asked about A for dns3.potomacnetworks.com.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no


My DNS servers are authoritative for the domain potomacnetworks.com, and
contain an A record for the dns3 subdomain which should point it to a
different address, 216.250.231.11. Are you saying the problem is with a GTLD
server? Thanks!

Best,
Brad

Re: Dig shows wrong ip

2009-07-28 Thread sthaug
> > Here's your 216.250.243.230 address:
> >
> > % whois dns3.potomacnetworks.com
> >
> > Whois Server Version 2.0
> >
> > Domain names in the .com and .net domains can now be registered
> > with many different competing registrars. Go to
> > http://www.internic.net
> > for detailed information.
> >
> >   Server Name: DNS3.POTOMACNETWORKS.COM
> >   IP Address: 216.250.243.230
> >   Registrar: REGISTER.COM, INC.
> >   Whois Server: whois.register.com
> >   Referral URL: http://www.register.com
> >
> > So - the GTLD-servers know about this host, and will return it when
> > asked about A for dns3.potomacnetworks.com.
> >
> > Steinar Haug, Nethelp consulting, sth...@nethelp.no
> 
> 
> My DNS servers are authoritative for the domain potomacnetworks.com, and
> contain an A record for the dns3 subdomain which should point it to a
> different address, 216.250.231.11. Are you saying the problem is with a GTLD
> server? Thanks!

Yes:

% dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
216.250.243.230

As long as that host record exists, with an IP different from what
your authoritative servers reply with, you are going to have problems,
because queries will be answered by the GTLD servers and not your own
authoritative servers.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: Dig shows wrong ip

2009-07-28 Thread Bradley Caricofe
On Tue, Jul 28, 2009 at 3:00 PM,  wrote:

> > > Here's your 216.250.243.230 address:
> > >
> > > % whois dns3.potomacnetworks.com
> > >
> > > Whois Server Version 2.0
> > >
> > > Domain names in the .com and .net domains can now be registered
> > > with many different competing registrars. Go to
> > > http://www.internic.net
> > > for detailed information.
> > >
> > >   Server Name: DNS3.POTOMACNETWORKS.COM
> > >   IP Address: 216.250.243.230
> > >   Registrar: REGISTER.COM, INC.
> > >   Whois Server: whois.register.com
> > >   Referral URL: http://www.register.com
> > >
> > > So - the GTLD-servers know about this host, and will return it when
> > > asked about A for dns3.potomacnetworks.com.
> > >
> > > Steinar Haug, Nethelp consulting, sth...@nethelp.no
> >
> >
> > My DNS servers are authoritative for the domain potomacnetworks.com, and
> > contain an A record for the dns3 subdomain which should point it to a
> > different address, 216.250.231.11. Are you saying the problem is with a
> GTLD
> > server? Thanks!
>
> Yes:
>
> % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
> 216.250.243.230
>
> As long as that host record exists, with an IP different from what
> your authoritative servers reply with, you are going to have problems,
> because queries will be answered by the GTLD servers and not your own
> authoritative servers.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>

Ahh, thank you, my brain understands now... :^ )

Re: DNSSEC NS record delegation

2009-07-28 Thread Mark Andrews

In message <15aeacf110417c4b9d6186fe81fbf2d9091e0...@hq-mbx-03.ba.ad.ssa.gov>, 
"Khuu, Linh MicroTech" writes:
> 
> Hi,
> 
> I have question about the DNSSEC NS record.
> 
> We have the parent zone, for example, example.net being signed with DNSSEC.
> We have a child zone test.example.net delegating to glbl.example.net as NS
> record. glbl.example.net is not a DNSSEC. Will nslookup for anything in
> test.example.net fail?

No.  The servers for a signed zone need to be DNSSEC aware.  The
servers for an unsigned zone do not need to be DNSSEC aware.  As
test.example.net is unsigned the servers for it do not need to be
DNSSEC aware.

Mark
 
> Linh Khuu


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: DNSSEC NS record delegation

2009-07-28 Thread Mark Andrews

Mark Andrews writes:
> 
> In message <15aeacf110417c4b9d6186fe81fbf2d9091e0...@hq-mbx-03.ba.ad.ssa.gov>
> , 
> "Khuu, Linh MicroTech" writes:
> > 
> > Hi,
> > 
> > I have question about the DNSSEC NS record.
> > 
> > We have the parent zone, for example, example.net being signed with DNSSEC.
> > We have a child zone test.example.net delegating to glbl.example.net as NS
> > record. glbl.example.net is not a DNSSEC. Will nslookup for anything in
> > test.example.net fail?
> 
>   No.  The servers for a signed zone need to be DNSSEC aware.  The
>   servers for a unsigned zone do not need to be DNSSEC aware.  As
>   test.example.net is unsigned the servers for it do not need to be
>   DNSSEC aware.

On re-reading you didn't supply enough information to determine
a yes or no answer.  You should however be able to work the answer
out with the information above.

Mark
 
>   Mark
>  
> > Linh Khuu
> 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: bind9 behind firewall stopped responding

2009-07-28 Thread Jay Ess

> I have a master DNS (bind9) for a domain. It was working until I put it
> behind firewall on a DMZ private subnet. It is setup in the way that
> from internet the DNS maintains its original IP address, that is SAT
> translated by firewall to the DMZ private subnet. I allowed ports 53
> TCP/UDP. Should I allow other ports? The IP address of the DNS server
> was changed by putting it on DMZ private subnet, could be this the
> problem? Any ideas?
>
> For testing, I have used some free dns report webpage, ... it is saying
> that my DNS is not responding.

If you ask it locally and from the LAN, does it answer?
i.e. "dig @localhost www.sgi.com"
That way you can rule out anything other than the fw.



Re: Dig shows wrong ip

2009-07-28 Thread Chris Thompson

On Jul 28 2009, sth...@nethelp.no wrote:


> % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
> 216.250.243.230
>
> As long as that host record exists, with an IP different from what
> your authoritative servers reply with, you are going to have problems,
> because queries will be answered by the GTLD servers and not your own
> authoritative servers.


This is the wretched "glue promoted to answer" bug (we can call it a
bug by now, surely?) which we are assured that the GTLD servers will
be cured of this year, next year, sometime, or ...

... well, they will have to fix it before they can roll out DNSSEC, 
won't they?


--
Chris Thompson
Email: c...@cam.ac.uk
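The mismatch Steinar found (registrar host record at the gTLD servers vs. the zone's own A record) and the "glue promoted to answer" behaviour Chris describes are easy to watch for mechanically: query the parent and the authoritative server for the same name and diff the answers. The script below is an added example, not code from this thread or from ISC. `run_dig` shells out to `dig +short` exactly as in Steinar's post and needs network access; `compare_views` works on raw `dig` text so the logic runs on the constructed samples, which reuse the two addresses quoted in the thread. The authoritative server name in the usage comment (`ns1.example.net`) is a placeholder.

```python
"""Compare what the parent (gTLD) servers return for a nameserver host with
what the zone's own authoritative servers return, to catch a stale registrar
host record like the one in this thread.

Added example, not code from the thread. `run_dig` shells out to `dig +short`
the way Steinar did and needs network access; `compare_views` works on the
raw text so the logic can be exercised on the constructed samples below."""
import subprocess


def parse_dig_short(output: str) -> set:
    """Turn `dig +short` output into a set of rdata strings.

    Blank lines and ';' comments (e.g. ';; connection timed out') are ignored,
    so an empty or failed answer simply yields an empty set."""
    return {
        line.strip()
        for line in output.splitlines()
        if line.strip() and not line.lstrip().startswith(";")
    }


def run_dig(name: str, server: str, rrtype: str = "A") -> str:
    """Query one server directly, as in `dig +short a NAME @SERVER`."""
    cmd = ["dig", "+short", "+time=3", "+tries=1", rrtype, name, "@" + server]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def compare_views(parent_out: str, auth_out: str) -> dict:
    """Report whether the parent's copy of the address agrees with the zone's.

    `stale_at_parent` are addresses only the parent knows (the registrar host
    record needs updating); `missing_at_parent` are addresses only the zone
    returns."""
    parent = parse_dig_short(parent_out)
    auth = parse_dig_short(auth_out)
    return {
        "parent": sorted(parent),
        "authoritative": sorted(auth),
        "consistent": parent == auth,
        "stale_at_parent": sorted(parent - auth),
        "missing_at_parent": sorted(auth - parent),
    }


def check_live(name: str, parent_server: str, auth_server: str) -> dict:
    """Live version of the check (network required)."""
    return compare_views(run_dig(name, parent_server), run_dig(name, auth_server))


# Constructed samples reproducing the thread: the gTLD server hands out the
# registrar's host record, the authoritative server returns the intended A.
PARENT_SAMPLE = "216.250.243.230\n"
AUTH_SAMPLE = "216.250.231.11\n"

if __name__ == "__main__":
    print(compare_views(PARENT_SAMPLE, AUTH_SAMPLE))
    # Live use (ns1.example.net is a placeholder for your authoritative server):
    # print(check_live("dns3.potomacnetworks.com", "a.gtld-servers.net", "ns1.example.net"))
```

Run it periodically for every nameserver host registered with the registrar; a non-empty `stale_at_parent` means resolvers that follow the parent's glue are being sent to an address your zone no longer publishes.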


nsupdate and an external database

2009-07-28 Thread Simpson, John R
Greetings all,

We have a number of BIND 9.3.4 servers that are managed by ProBIND.  We would 
like to be able to use nsupdate to generate dynamic DNS updates, but, of 
course, any DDNS updates would be lost the next time the zone was "pushed" 
since they aren't reflected in ProBIND's MySQL database.

Is there any standard way to have BIND notify an external function or program 
that an update has occurred?

For example, registering a callback function that would then make the 
appropriate update to the ProBIND database?  That's not a perfect solution, 
since there's still a chance for the zone and the external database to be out 
of sync if the external database update doesn't exactly match the DNS update, 
or if the serial numbers are mishandled.  But it seems like that would be a 
better solution than trying to monitor zone/journal files for changes, or 
parsing log files.

I've looked at SDB, which would be attractive if ProBIND or an alternative 
management system used SDB instead of their own schema, and I'm investigating 
bind-dlz and NetReg.

Is there a preferred way to handle this?

Thank you for your time,

John

John Simpson
Senior Software Engineer, I. T. Engineering and Operations


ISC BIND 9.6.1-P1 is now available

2009-07-28 Thread Evan Hunt

 BIND 9.6.1-P1 is now available.

BIND 9.6.1-P1 is a SECURITY PATCH for BIND 9.6.1.  It addresses a
denial-of-service bug in which a malformed UPDATE packet caused
named to crash.

Bugs should be reported to bind9-b...@isc.org.

BIND 9.6.1-P1 can be downloaded from:

ftp://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz

PGP signatures of the distribution are at:

ftp://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz.sha512.asc

The signatures were generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

ftp://ftp.isc.org/isc/bind9/9.6.1-P1/BIND9.6.1-P1.zip
ftp://ftp.isc.org/isc/bind9/9.6.1-P1/BIND9.6.1-P1.debug.zip

PGP signatures of the binary kit are at:

ftp://ftp.isc.org/isc/bind9/9.6.1-P1/BIND9.6.1-P1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.1-P1/BIND9.6.1-P1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.1-P1/BIND9.6.1-P1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.6.1-P1/BIND9.6.1-P1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.1-P1/BIND9.6.1-P1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.1-P1/BIND9.6.1-P1.debug.zip.sha512.asc

Changes since 9.6.1:

2640.   [security]  A specially crafted update packet will cause named
to exit. [RT #2]

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


ISC BIND 9.5.1-P3 is now available

2009-07-28 Thread Evan Hunt

 BIND 9.5.1-P3 is now available.

BIND 9.5.1-P3 is the THIRD SECURITY PATCH for BIND 9.5.1.  It addresses a
denial-of-service bug in which a malformed UPDATE packet caused named to
crash.

Bugs should be reported to bind9-b...@isc.org.

BIND 9.5.1-P3 can be downloaded from:

ftp://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz

PGP signatures of the distribution are at:

ftp://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz.sha512.asc

The signatures were generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.zip
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.debug.zip

PGP signatures of the binary kit are at:

ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.debug.zip.sha512.asc

Changes since 9.5.1-P2:

2640.   [security]  A specially crafted update packet will cause named
to exit. [RT #2]

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


ISC BIND 9.4.3-P3 is now available

2009-07-28 Thread Evan Hunt


 BIND 9.4.3-P3 is now available.

BIND 9.4.3-P3 is the THIRD SECURITY PATCH for BIND 9.4.3.  It addresses a
denial-of-service bug in which a malformed UPDATE packet caused named to
crash.

Bugs should be reported to bind9-b...@isc.org.

BIND 9.4.3-P3 can be downloaded from:

ftp://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz

PGP signatures of the distribution are at:

ftp://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz.sha512.asc

The signatures were generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

ftp://ftp.isc.org/isc/bind9/9.4.3-P3/BIND9.4.3-P3.zip
ftp://ftp.isc.org/isc/bind9/9.4.3-P3/BIND9.4.3-P3.debug.zip

PGP signatures of the binary kit are at:

ftp://ftp.isc.org/isc/bind9/9.4.3-P3/BIND9.4.3-P3.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P3/BIND9.4.3-P3.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P3/BIND9.4.3-P3.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P3/BIND9.4.3-P3.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P3/BIND9.4.3-P3.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P3/BIND9.4.3-P3.debug.zip.sha512.asc

Changes since 9.4.3-P2:

2640.   [security]  A specially crafted update packet will cause named
to exit. [RT #2]

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.



Re: Moving an AD Zone from Windows to BIND

2009-07-28 Thread Michael Milligan
bsfin...@anl.gov wrote:
> I am not worried about the DHCP piece.  There are two zones I have to
> convert.  One is mostly static and contains Windows Servers.  The
> other is dynamic, with client machines under the control of a Windows
> DHCP server.  For this zone, we will change DHCP to static leases
> before the conversion, and all new machines will be registered via
> our host database, which will automatically update DHCP.

Alright, that's one way to do it.

> I do not want any dynamic DNS to my BIND servers, as I am not sure
> how that DDNS would interface with DNSSEC.

BIND 9.6 has support for automatically re-signing the zone (incremental
signing) as dynamic updates are processed.

Regards,
Mike

-- 
Michael Milligan   -> mi...@acmeps.com


Re: Moving an AD Zone from Windows to BIND

2009-07-28 Thread Mark Andrews

In message <20090728175246.bf0a817...@britaine.cis.anl.gov>, bsfin...@anl.gov 
writes:
> I do not want any dynamic DNS to my BIND servers, as I am not sure
> how that DDNS would interface with DNSSEC.

DNSSEC is easier with a DDNS zone than a non-DDNS zone as named
can ensure the signatures get re-generated when required.
9.6.0 onwards.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Moving an AD Zone from Windows to BIND

2009-07-28 Thread Mark Andrews

Mark Andrews writes:
> 
> In message <20090728175246.bf0a817...@britaine.cis.anl.gov>, bsfin...@anl.gov 
> writes:
> > I do not want any dynamic DNS to my BIND servers, as I am not sure
> > how that DDNS would interface with DNSSEC.
> 
> DNSSEC is easier with a DDNS zone than a non-DDNS zone as named
> can ensure the signatures get re-generated when required.
> 9.6.0 onwards.

The main thing is to tell named where the keys are via
the key-directory statement.

> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Creating a CNAME to another domain.

2009-07-28 Thread Ezra Taylor
Thanks all.

On Fri, Jul 24, 2009 at 2:57 PM, Ezra Taylor  wrote:

> Hello All:
> How can I create a CNAME that points to another domain?
> Example below.  Is the below example possible?
>
> stars.mydomain.com IN CNAME stars.otherdomain.com.
>
> --
> Ezra Taylor
>



-- 
Ezra Taylor

Re: Moving an AD Zone from Windows to BIND

2009-07-28 Thread Gordon A. Lang

For what it's worth, we moved 100% of all our DNS from MS DNS to BIND.

Doing so solved the problem of the MS DNS servers periodically (randomly) 
losing critical glue records.  It also eliminated the need for 6 pairs of 
DNS servers to support the 6 independent domains, each needing to own the 
reverse domains.  It also allowed us to significantly boost the DNS 
performance and capacity without carrying the weight of domain controller 
functionality.
There were also some other significant manageability gains by moving to 
BIND.


The most significant down side was that we lost SECURE dynamic updates 
because GSS-TSIG was not available in BIND at the time, but I understand it 
is available now.


We also found a problem where, on occasion, when the MS servers perform 
their daily dynamic delete and re-add of their DNS records (which they do to 
prevent aging/scavenging from taking their records away), the ADD part 
doesn't stick, and intervention is necessary to manually re-add the record. 
I believe this is caused by the fact that both the add and delete are issued 
with the same time stamp, and I suspect our version of BIND might be 
processing them out of order -- we still don't know for sure.  But whatever 
this problem turns out to be, I am sure there is or will be a fix for it.


And the only other loss is the multi-master feature of the AD-integrated 
DNS, but that feature was not performing adequately anyway, so it wasn't 
really much of a loss.  If our single BIND master dies, we have the ability 
to move its IP address to another box and reconstruct the master in much 
less than an hour.


So, from my experience, I would encourage anyone who is considering it to go 
ahead and put 100% of all DNS into BIND, and scrap the MS DNS altogether. 
It is much easier to manage than having to split the zones all over the 
place, and it just works better.


--
Gordon A. Lang 




Binding on addresses

2009-07-28 Thread Chris Hills

Hi

After changing configuration from "listen-on-v6 { any; };" to using 
specific addresses, I observed the following in the log after issuing 
`rndc reload` (times are CEST):-


29-Jul-2009 04:44:22.893 network: error: binding TCP socket: address in use
29-Jul-2009 04:44:22.893 network: error: binding TCP socket: address in use
29-Jul-2009 04:44:22.893 network: info: no longer listening on ::#53
29-Jul-2009 04:44:22.965 general: info: reloading configuration succeeded
29-Jul-2009 04:44:23.031 general: info: reloading zones succeeded
29-Jul-2009 05:19:10.179 general: info: received control channel command 
'reload'
29-Jul-2009 05:19:10.180 general: info: loading configuration from 
'/usr/local/bind/9.6.1-P1/etc/named.conf'
29-Jul-2009 05:19:10.182 general: info: using default UDP/IPv4 port 
range: [1024, 65535]
29-Jul-2009 05:19:10.182 general: info: using default UDP/IPv6 port 
range: [1024, 65535]

29-Jul-2009 05:19:10.194 general: info: reloading configuration succeeded
29-Jul-2009 05:19:10.194 general: info: reloading zones succeeded

After the reload, BIND no longer listened on tcp sockets, but udp 
sockets worked ok. After restarting named, it was listening on tcp 
sockets once more. Based on the log it looks like it is trying to bind 
to the address-specific tcp sockets before releasing tcp [::]:53.


BIND is 9.6.1-P1 on Linux x86.

Regards,

Chris



Re: Creating a CNAME to another domain.

2009-07-28 Thread Danny Mayer
Kevin Darcy wrote:
> Ezra Taylor wrote:
>> Hello All:
>> How can I create a CNAME that points to another
>> domain.  Example below.  Is the below example possible?
>>
>> stars.mydomain.com IN CNAME stars.otherdomain.com.
>>
> If stars.mydomain.com is just an ordinary name in the mydomain.com zone,
> then there is no problem with what you show above (except,
> syntactically, you need the trailing dot, as was already pointed out).
> 
> If, on the other hand, stars.mydomain.com is a *zone*, then it's not
> possible, because in that case there would be "apex" records (records
> whose name is the same as that of the zone); at a minimum, an SOA and at
> least 2 NS records, which are required for each and every zone. When a
> particular name owns a CNAME record, it cannot also own SOA or NS records.

Not true. For a Domain alias use a DNAME:

mydomain.com.   IN  DNAME   otherdomain.com.

Danny



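Kevin's rule (a name that owns a CNAME can own nothing else, so a zone apex with SOA and NS can never be a CNAME) and Danny's DNAME alternative can both be checked in a zone file before `named` refuses to load it. The script below is an added example, not code from this thread or from BIND. The zone text is constructed; the parser is deliberately minimal (one record per line, `owner [ttl] [class] type rdata`, `$` directives and comments skipped) and treats RRSIG/NSEC/NSEC3 as allowed beside a CNAME in a signed zone. `apply_dname` mirrors the resolver-side substitution so the difference is visible: a DNAME rewrites names *below* its owner, never the owner itself, which is exactly why the apex can keep its SOA and NS. For the same reason the `www` CNAME is dropped from the DNAME version, since names under a DNAME owner are rewritten rather than looked up.

```python
"""Flag owner names that hold a CNAME alongside other record types, which
the DNS data model forbids and which is why a zone apex (SOA plus NS) can
never be a CNAME, and show the DNAME rewrite suggested in the thread.

Added example, not code from the thread. The zone text is constructed; the
parser handles only single-line records of the form
`owner [ttl] [class] type rdata` and skips $ directives and comments."""
from collections import defaultdict

# Types that may legitimately sit next to a CNAME in a signed zone.
DNSSEC_SIDECAR = {"RRSIG", "NSEC", "NSEC3"}


def parse_zone(text: str):
    """Return a list of (owner, type, rdata) tuples; owner names lower-cased."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].isdigit():            # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":      # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def find_cname_conflicts(records):
    """Map each owner that has a CNAME plus other data to the offending types."""
    by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        by_owner[owner].add(rtype)
    conflicts = {}
    for owner, types in by_owner.items():
        others = types - {"CNAME"} - DNSSEC_SIDECAR
        if "CNAME" in types and others:
            conflicts[owner] = sorted(others)
    return conflicts


def apply_dname(qname: str, owner: str, target: str):
    """Rewrite a query name under a DNAME, as a resolver would.

    Only names strictly below `owner` are rewritten; the owner itself is not
    aliased, which is what lets the apex keep its SOA and NS records."""
    qname, owner, target = qname.lower(), owner.lower(), target.lower()
    if qname == owner or not qname.endswith("." + owner):
        return None
    return qname[: -len(owner)] + target


# Constructed: stars.mydomain.com is a zone, and someone tried to CNAME its apex.
BAD_ZONE = """\
stars.mydomain.com.     3600 IN SOA   ns1.mydomain.com. hostmaster.mydomain.com. 2009072801 3600 900 604800 300
stars.mydomain.com.     3600 IN NS    ns1.mydomain.com.
stars.mydomain.com.     3600 IN NS    ns2.mydomain.com.
stars.mydomain.com.     3600 IN CNAME stars.otherdomain.com.   ; not allowed next to SOA/NS
www.stars.mydomain.com. 3600 IN CNAME www.stars.otherdomain.com. ; fine: only a CNAME here
"""

# Constructed: same zone with the apex alias expressed as a DNAME instead.
GOOD_ZONE = """\
stars.mydomain.com.     3600 IN SOA   ns1.mydomain.com. hostmaster.mydomain.com. 2009072802 3600 900 604800 300
stars.mydomain.com.     3600 IN NS    ns1.mydomain.com.
stars.mydomain.com.     3600 IN NS    ns2.mydomain.com.
stars.mydomain.com.     3600 IN DNAME stars.otherdomain.com.
"""

if __name__ == "__main__":
    print(find_cname_conflicts(parse_zone(BAD_ZONE)))   # apex conflict
    print(find_cname_conflicts(parse_zone(GOOD_ZONE)))  # nothing to report
    print(apply_dname("www.stars.mydomain.com.", "stars.mydomain.com.",
                      "stars.otherdomain.com."))
```

If what is wanted is the apex name itself answering with another site's address, a DNAME does not do that either; only copying the target's address records (or serving the name from the same zone) does.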


Re: about tcp port 53

2009-07-28 Thread Tech W.





--- On Tue, 28/7/09, Stephane Bortzmeyer  wrote:

> 
> > what's the use of bind's tcp port 53?
> 
> DNS requests and responses.
> 

Oh, I always thought DNS requests and responses go over the UDP
protocol. Under what conditions does it use the TCP protocol?


Regards,
Wah.


  



Re: Binding on addresses

2009-07-28 Thread Mark Andrews

In message , Chris Hills writes:
> Hi
> 
> After changing configuration from "listen-on-v6 { any; };" to using 
> specific addresses, I observed the following in the log after issuing 
> `rndc reload` (times are CEST):-
> 
> 29-Jul-2009 04:44:22.893 network: error: binding TCP socket: address in use
> 29-Jul-2009 04:44:22.893 network: error: binding TCP socket: address in use
> 29-Jul-2009 04:44:22.893 network: info: no longer listening on ::#53
> 29-Jul-2009 04:44:22.965 general: info: reloading configuration succeeded
> 29-Jul-2009 04:44:23.031 general: info: reloading zones succeeded
> 29-Jul-2009 05:19:10.179 general: info: received control channel command 
> 'reload'
> 29-Jul-2009 05:19:10.180 general: info: loading configuration from 
> '/usr/local/bind/9.6.1-P1/etc/named.conf'
> 29-Jul-2009 05:19:10.182 general: info: using default UDP/IPv4 port 
> range: [1024, 65535]
> 29-Jul-2009 05:19:10.182 general: info: using default UDP/IPv6 port 
> range: [1024, 65535]
> 29-Jul-2009 05:19:10.194 general: info: reloading configuration succeeded
> 29-Jul-2009 05:19:10.194 general: info: reloading zones succeeded
> 
> After the reload, BIND no longer listened on tcp sockets, but udp 
> sockets worked ok. After restarting named, it was listening on tcp 
> sockets once more. Based on the log it looks like it is trying to bind 
> to the address-specific tcp sockets before releasing tcp [::]:53.

Linux's IP stack is broken.  Reloading a second time would
have fixed it.
 
> BIND is 9.6.1-P1 on Linux x86.
> 
> Regards,
> 
> Chris
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
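Chris's reload left `named` answering on UDP but not TCP, and the log only hinted at it ("binding TCP socket: address in use"). A check that runs after every `rndc reload` and confirms both transports are bound on every configured address catches this before clients with large answers or zone transfers do. The script below is an added example, not code from this thread or from BIND. It parses `ss -lntu` output and assumes the usual iproute2 column layout (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); `run_check` invokes `ss` for real, while `SS_SAMPLE` is constructed (documentation addresses) to mirror the symptom Chris saw, with the rndc control channel still present but both TCP/53 sockets gone.

```python
"""Post-reload listener check: confirm named still has both a TCP and a UDP
socket on port 53 for every configured listen address.

Added example, not code from the thread. It parses `ss -lntu` output (column
layout assumed: Netid State Recv-Q Send-Q Local:Port Peer:Port); `run_check`
executes `ss` for real, while SS_SAMPLE below is constructed to mirror the
reported symptom (UDP up, TCP gone)."""
import subprocess


def parse_ss(output: str) -> set:
    """Extract (proto, address, port) for every tcp/udp socket in the listing."""
    listeners = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue                      # header line or unrelated netid
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue                      # wildcard port, not a listener
        listeners.add((fields[0], addr.strip("[]"), int(port)))
    return listeners


def expected_listeners(addresses, port: int = 53) -> set:
    """named must answer on both transports for each address it listens on."""
    return {(proto, addr, port) for addr in addresses for proto in ("tcp", "udp")}


def missing_listeners(addresses, ss_output: str, port: int = 53) -> list:
    """Sorted list of (proto, addr, port) that should be bound but are not."""
    return sorted(expected_listeners(addresses, port) - parse_ss(ss_output))


def run_check(addresses, port: int = 53) -> list:
    """Live check against the running system (Linux with iproute2)."""
    out = subprocess.run(["ss", "-l", "-n", "-t", "-u"],
                         capture_output=True, text=True, check=True).stdout
    return missing_listeners(addresses, out, port)


# Constructed sample (documentation addresses): after the reload only the UDP
# sockets and the rndc control channel remain; both TCP/53 listeners are gone.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      192.0.2.53:53       0.0.0.0:*
udp   UNCONN 0      0      [2001:db8::53]:53   [::]:*
tcp   LISTEN 0      10     127.0.0.1:953       0.0.0.0:*
"""
LISTEN_ADDRS = ["192.0.2.53", "2001:db8::53"]   # what listen-on / listen-on-v6 name

if __name__ == "__main__":
    for proto, addr, port in missing_listeners(LISTEN_ADDRS, SS_SAMPLE):
        print(f"MISSING {proto}/{port} on {addr}")
```

Wire `run_check` into whatever issues `rndc reload` and treat a non-empty result as a failed reload; per Mark's reply a second reload (or a restart) restores the TCP sockets, and this check tells you when that is needed instead of waiting for a truncated answer or a failed AXFR to report it.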