BIND Log
Hi All,

I'm using BIND 9.3.3rc2. I got the log below, again and again:

Feb 5 14:24:27 ns01 named[7791]: lame server resolving 'researchcap.com' (in 'researchcap.com'?): 209.115.142.1#53
Feb 5 14:24:27 ns01 named[7791]: lame server resolving 'conztract.com' (in 'conztract.com'?): 67.212.177.42#53
Feb 5 14:24:27 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'smarts.com/MX/IN': 199.245.235.14#53
Feb 5 14:24:27 ns01 named[7791]: lame server resolving 'arinsurance.com' (in 'arinsurance.com'?): 192.42.93.33#53
Feb 5 14:24:27 ns01 named[7791]: lame server resolving 'conztract.com' (in 'conztract.com'?): 99.198.106.66#53
Feb 5 14:24:27 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'sport-style.com/MX/IN': 194.65.14.27#53
Feb 5 14:24:27 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'lendingchannel.com/MX/IN': 66.165.131.1#53
Feb 5 14:24:27 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'smarts.com/MX/IN': 128.222.34.17#53
Feb 5 14:24:27 ns01 named[7791]: lame server resolving 'rwwr.com' (in 'rwwr.com'?): 64.29.149.58#53
Feb 5 14:24:28 ns01 named[7791]: lame server resolving 'armstrongpat.com' (in 'armstrongpat.com'?): 69.63.128.231#53
Feb 5 14:24:28 ns01 named[7791]: lame server resolving 'rwwr.com' (in 'rwwr.com'?): 64.29.149.58#53
Feb 5 14:24:28 ns01 named[7791]: lame server resolving 'armstrongpat.com' (in 'armstrongpat.com'?): 69.63.128.230#53
Feb 5 14:24:28 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'smarts.com/MX/IN': 152.62.108.11#53
Feb 5 14:24:28 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'sport-style.com/MX/IN': 194.65.3.21#53
Feb 5 14:24:29 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'smarts.com/MX/IN': 152.62.108.10#53
Feb 5 14:24:29 ns01 named[7791]: lame server resolving 'ngauge-accessories.com' (in 'ngauge-accessories.com'?): 94.136.39.38#53
Feb 5 14:24:30 ns01 named[7791]: unexpected RCODE (REFUSED) resolving 'cheappaintballgunstore.com/A/IN': 74.53.26.66#53
Feb 5 14:24:30 ns01 named[7791]: lame server resolving 'ngauge-accessories.com' (in 'ngauge-accessories.com'?): 94.136.39.39#53
Feb 5 14:24:30 ns01 named[7791]: unexpected RCODE (REFUSED) resolving 'nodes.com.ua/A/IN': 62.149.19.51#53
Feb 5 14:24:30 ns01 named[7791]: unexpected RCODE (REFUSED) resolving 'cheappaintballgunstore.com/A/IN': 74.53.26.67#53
Feb 5 14:24:30 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'weiden.de/MX/IN': 62.116.129.129#53

Please kindly advise how I can stop that, or is it a BIND error?

-- 
The person who loves others will also be loved.
___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
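Every address in those messages is a remote authoritative server that either answered non-authoritatively for a zone it is delegated ("lame server") or returned an error ("unexpected RCODE"); the local resolver is only the one reporting, and on a busy cache this is permanent background noise rather than a BIND fault. The usual remedy is to route BIND's lame-servers logging category to null. Before doing that it is worth a quick triage of which remote servers and names dominate, so a zone you actually depend on does not get lost in the noise. The script below is an added editor's example in Python, not code from the poster or from ISC; the sample lines are a retyped subset of the post above, and the two regular expressions assume the 9.3-era message wording shown there.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the lines from the post above, retyped.
SAMPLE_LOG = """\
Feb 5 14:24:27 ns01 named[7791]: lame server resolving 'researchcap.com' (in 'researchcap.com'?): 209.115.142.1#53
Feb 5 14:24:27 ns01 named[7791]: lame server resolving 'conztract.com' (in 'conztract.com'?): 67.212.177.42#53
Feb 5 14:24:27 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'smarts.com/MX/IN': 199.245.235.14#53
Feb 5 14:24:27 ns01 named[7791]: lame server resolving 'conztract.com' (in 'conztract.com'?): 99.198.106.66#53
Feb 5 14:24:28 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'smarts.com/MX/IN': 128.222.34.17#53
Feb 5 14:24:30 ns01 named[7791]: unexpected RCODE (REFUSED) resolving 'cheappaintballgunstore.com/A/IN': 74.53.26.66#53
Feb 5 14:24:30 ns01 named[7791]: unexpected RCODE (REFUSED) resolving 'cheappaintballgunstore.com/A/IN': 74.53.26.67#53
Feb 5 14:24:30 ns01 named[7791]: lame server resolving 'ngauge-accessories.com' (in 'ngauge-accessories.com'?): 94.136.39.38#53
Feb 5 14:24:30 ns01 named[7791]: lame server resolving 'ngauge-accessories.com' (in 'ngauge-accessories.com'?): 94.136.39.39#53
Feb 5 14:24:30 ns01 named[7791]: unexpected RCODE (SERVFAIL) resolving 'weiden.de/MX/IN': 62.116.129.129#53
"""

# "lame server": the remote server is delegated the zone but did not answer
# authoritatively for it.
LAME_RE = re.compile(
    r"lame server resolving '(?P<name>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)")
# "unexpected RCODE": the remote server answered, but with an error code.
RCODE_RE = re.compile(
    r"unexpected RCODE \((?P<rcode>[A-Z]+)\) resolving "
    r"'(?P<name>[^']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)")


def parse_line(line):
    """Classify one named log line; returns None for lines of other kinds."""
    m = LAME_RE.search(line)
    if m:
        return {"kind": "lame", "name": m["name"], "zone": m["zone"],
                "server": m["server"], "rcode": None}
    m = RCODE_RE.search(line)
    if m:
        return {"kind": "rcode:" + m["rcode"], "name": m["name"], "zone": None,
                "server": m["server"], "rcode": m["rcode"]}
    return None


def summarize(lines):
    """Aggregate resolver complaints by kind, by remote server and by queried name.

    A name whose listed servers are all lame or failing is unresolvable from
    anywhere; nothing on the reporting host fixes that, only the zone owner can."""
    by_kind, by_server = Counter(), Counter()
    servers_per_name = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_kind[rec["kind"]] += 1
        by_server[rec["server"]] += 1
        servers_per_name[rec["name"]].add(rec["server"])
    return {"by_kind": by_kind, "by_server": by_server,
            "servers_per_name": dict(servers_per_name)}


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    s = summarize(src)
    print("by kind:", dict(s["by_kind"]))
    print("noisiest remote servers:", s["by_server"].most_common(5))
    for name, servers in sorted(s["servers_per_name"].items()):
        print("%-30s %d failing server(s)" % (name, len(servers)))
```

Run it against the real log file to get the counts; if nothing you care about shows up, silencing the category is the right call, and if one of your own zones appears, that is the server to fix.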
Re: Queries for NSEC3 hashed owner names
On Fri, 05 Feb 2010 08:18:35 +1100, Mark Andrews said:

> In message <19306.52059.975062.462...@hadron.switch.ch>, Alexander Gall writes:
>> All of those are NSEC3-agnostic. They should not do any DNSSEC
>> processing for the ch zone, because they don't support algorithm #7.
>
> Yes and no. Just because you are using an algorithm that is unsupported
> doesn't mean that you won't get queries looking for the break point
> between supported and unsupported algorithms. DS queries are used
> to find that break point.

But isn't the break point at the DLV/trusted-key level for ch?

-- 
Alex
Re: Script to delete zone from named.conf
Mark Andrews wrote:

> Recent versions of named-checkconf have a -p (print) option which
> will emit named.conf, sans comments, in a consistent style which
> will then be easy to post process.

Shame about the "sans comments" - easy comprehension or easy management - take your pick. (Yes, I know it's a difficult task to preserve commenting - BTDT.)

Sam
Re: Question about "rndc flushname"
bsfin...@anl.gov wrote:

> On a mail machine I am running a cache-only DNS - BIND 9.6.1-P3.
> When I dump the cache I see two lines:
>
> ; answer
> brainpower-austria.at. 6622 MX 5 mx1.bon.at.
>
> I then enter
>
> ./rndc flushname brainpower-austria.at
>
> But when I then look at the cache, I still see the MX record (with a
> shorter TTL). Why is the "flushname" command not flushing this MX
> record from the cache? Thanks.

rndc flushname for an MX record is working for me (it is even working for this MX record). Is perhaps your mailserver's cache-only server forwarding to another nameserver which still has this cached, and then your mailserver is querying again in between your rndc flushname and your check of the cache? How are you checking the cache?

Cathy
[Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]
I find this important enough to forward on to bind-users.

Please note the importance of trust anchor management.

AlanC

--- Begin Message ---

[Apologies for duplicates]

Dear Colleagues,

We have discovered that recent versions of the Fedora Linux distribution are shipping with a package called "dnssec-conf", which contains the RIPE NCC's DNSSEC trust anchors. This package is installed by default as a dependency of BIND, and it configures BIND to do DNSSEC validation.

Unfortunately, the current version of this package (1.21) is outdated and contains old trust anchors.

On 16 December 2009, we had a key roll-over event, where we removed the old Key-Signing Keys (KSKs). From that time, BIND resolvers running on Fedora Linux distributions could not validate any signed responses in the RIPE NCC's reverse zones.

If you are running Fedora Linux with the standard BIND package, please edit the file "/etc/pki/dnssec-keys//named.dnssec.keys", and comment out all the lines in it containing the directory path "production/reverse". Then restart BIND.

This will stop BIND from using the outdated trust anchors. If you do want to use the RIPE NCC's trust anchors to validate our signed zones, we recommend that you fetch the latest trust anchor file from our website and reconfigure BIND to use it instead of the ones distributed in the dnssec-conf package:

https://www.ripe.net/projects/disi/keys/index.html

Please remember to check frequently for updates to our trust anchor file, as we introduce new Key-Signing Keys (KSKs) every 6 months.

Regards,

Anand Buddhdev,
DNS Services Manager, RIPE NCC

--- End Message ---
Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]
On Fri, Feb 05, 2010 at 06:22:26AM -0800, Alan Clegg wrote:

> I find this important enough to forward on to bind-users.
>
> Please note the importance of trust anchor management.

We (= me and Paul Wouters) are working on a dnssec-conf update. Sorry for the troubles.

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.
Re: Having multiple name servers - is it really necessary
Nameservers malfunction and networks in front of them malfunction. When this happens to the secondary, then you suffer what you are reporting. If you have only one nameserver, then such a malfunction can leave you dead in the water.

I've run into the issue of updates to secondaries stopping for some reason, and then noticeable symptoms set in much later (after the data expires), making troubleshooting require a look pretty far back in time to identify the failure or change that caused the problem. Setting long expire times lengthens the time you need to look back.

Under various circumstances, I've addressed this issue two ways:

(1) Instead of using the DNS transfers, devise my own method of keeping the servers' authoritative data in synch. This can be very little trouble if you run all the servers yourself and you maintain the data on a third server, e.g. in your own database: just load the data on all the authoritative nameservers instead of one. But it's either more difficult or impossible if you provide dynamic DNS.

(2) Run scripts periodically to check SOA serial numbers and report if they are sitting longer than they should out of synch.

John Wobus
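John's option (2) is the cheap one, and it catches the silent failure he describes long before the expire timer does. The script below is an added editor's example, not John's own tooling: it sends a plain non-recursive SOA query to each listed server, refuses any answer that is not authoritative (so a forwarder or a cache answering on the server's behalf is reported as a failure rather than trusted), and lists every server whose serial lags the newest one seen. It assumes IPv4 UDP on port 53 and hand-parses the wire format so it needs nothing beyond the standard library; the zone and server names in the usage line are placeholders, and the response builder at the bottom exists only to construct a sample packet for offline testing.

```python
import random
import socket
import struct
import sys

SOA_TYPE, IN_CLASS = 6, 1


def encode_name(name):
    """Wire-format a dotted name: "example.com" -> b"\\x07example\\x03com\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(zone, txid):
    """Non-recursive (RD clear) SOA/IN query, as sent to an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off:]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_soa_serial(msg, txid):
    """Extract the SOA serial; reject anything but a clean authoritative answer."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    if not flags & 0x0400:               # AA bit: the server claims authority
        raise ValueError("answer is not authoritative (AA bit clear)")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA_TYPE:
            p = skip_name(msg, off)      # MNAME
            p = skip_name(msg, p)        # RNAME
            return struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    raise ValueError("no SOA record in answer section")


def query_serial(server, zone, timeout=3.0):
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_soa_serial(data, txid)


def find_stale(serials):
    """serials: {server: serial or None (unreachable/error)} -> servers behind the newest.

    Serial arithmetic wraps modulo 2^32 (RFC 1982); a plain max() is fine for
    day-to-day monitoring but misjudges a zone whose serial has just wrapped."""
    known = [v for v in serials.values() if v is not None]
    if not known:
        return sorted(serials)
    newest = max(known)
    return sorted(s for s, v in serials.items() if v is None or v < newest)


def build_soa_response(txid, zone, serial, aa=True):
    """Constructed sample response for offline testing, not a captured packet."""
    flags = 0x8000 | (0x0400 if aa else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 7200, 900, 1209600, 3600))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA_TYPE, IN_CLASS, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # usage: soacheck.py ZONE SERVER_IP [SERVER_IP ...]   (placeholders)
    zone, servers = sys.argv[1], sys.argv[2:]
    results = {}
    for srv in servers:
        try:
            results[srv] = query_serial(srv, zone)
        except (OSError, ValueError) as exc:
            print("%s: %s" % (srv, exc))
            results[srv] = None
    for srv in find_stale(results):
        print("STALE %s serial=%s" % (srv, results[srv]))
```

Run it from cron and page on any STALE line that persists across two runs; a single miss is usually a dropped UDP packet, a repeated one is the stuck transfer John is talking about.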
Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]
In message <20100205143439.ga15...@evileye.atkac.englab.brq.redhat.com>, Adam Tkac writes:

> On Fri, Feb 05, 2010 at 06:22:26AM -0800, Alan Clegg wrote:
>> I find this important enough to forward on to bind-users.
>>
>> Please note the importance of trust anchor management.
>
> We (= me and Paul Wouters) are working on a dnssec-conf update. Sorry
> for the troubles.
>
> Regards, Adam

The better thing would be a script to fetch the current keys nightly, perform a sanity check, then update or inform the administrator and let them update the keys after inspection. I do something like this myself nightly.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
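The RIPE NCC notice above and Mark's suggested nightly script describe the same control from two sides: a trust anchor that is not refreshed after a KSK roll turns every signed answer in that zone into a validation failure, and the only protection is to compare what is installed against what the publisher currently offers. The script below is an added editor's example, not Mark's script and not anything shipped by ISC, Red Hat or the RIPE NCC. It parses the BIND `trusted-keys { "zone" flags protocol algorithm "base64"; };` syntax (assumed to be the format of both the installed file and the download), computes RFC 4034 key tags so keys can be named the way `dig` and `named` log them, runs the sanity checks a reviewer would want before trusting a fresh download, and reports added, removed and unchanged anchors. It deliberately stops at reporting rather than rewriting the file, which is the "inform the administrator" half of Mark's proposal. One caveat the script cannot remove: fetching over HTTPS only shifts trust to the web PKI, so a new anchor should still be cross-checked out of band before it goes live. The zone names and key material in the samples are constructed.

```python
import base64
import binascii
import re
import struct
import sys
import urllib.request
from collections import namedtuple

Anchor = namedtuple("Anchor", "name flags proto alg key tag")

# DNSKEY algorithm numbers a validator of this vintage should accept.
KNOWN_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

KEY_RE = re.compile(r'"(?P<name>[^"]+)"\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+'
                    r'(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;')


def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_trusted_keys(text):
    """Parse a BIND trusted-keys file; undecodable key material yields key=None."""
    anchors = []
    for m in KEY_RE.finditer(text):
        try:
            key = base64.b64decode(re.sub(r"\s+", "", m["key"]), validate=True)
        except binascii.Error:
            key = None
        flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
        tag = key_tag(flags, proto, alg, key) if key is not None else None
        anchors.append(Anchor(m["name"].lower(), flags, proto, alg, key, tag))
    return anchors


def sanity_check(anchors):
    """Return human-readable problems; an empty list means the file looks usable."""
    problems = []
    if not anchors:
        problems.append("no trusted-keys entries found (format change or truncated download?)")
    for a in anchors:
        where = "%s/%s" % (a.name, a.tag)
        if a.key is None:
            problems.append("%s: key material is not valid base64" % a.name)
        elif len(a.key) < 64:
            problems.append("%s: key material suspiciously short (%d bytes)" % (where, len(a.key)))
        if a.proto != 3:
            problems.append("%s: protocol %d, expected 3" % (where, a.proto))
        if a.flags != 257:
            problems.append("%s: flags %d, expected 257 (zone key + SEP bit, i.e. a KSK)" % (where, a.flags))
        if a.alg not in KNOWN_ALGS:
            problems.append("%s: algorithm %d not in the supported set" % (where, a.alg))
    return problems


def diff_anchors(current, fetched):
    """Compare installed vs fetched anchors by (zone, key tag)."""
    cur = {(a.name, a.tag) for a in current if a.tag is not None}
    new = {(a.name, a.tag) for a in fetched if a.tag is not None}
    return {"added": sorted(new - cur), "removed": sorted(cur - new),
            "unchanged": sorted(cur & new)}


def _fake_key(seed, length=128):
    """Constructed key material for the samples below; not a real DNSKEY."""
    return base64.b64encode(bytes((seed + i) % 256 for i in range(length))).decode()


# Constructed samples: "installed" file before a KSK roll, and the "fetched" file after it.
CURRENT_SAMPLE = 'trusted-keys {\n  "193.in-addr.arpa." 257 3 5 "%s";\n' \
                 '  "194.in-addr.arpa." 257 3 5 "%s";\n};\n' % (_fake_key(1), _fake_key(2))
FETCHED_SAMPLE = 'trusted-keys {\n  "194.in-addr.arpa." 257 3 5 "%s";\n' \
                 '  "193.in-addr.arpa." 257 3 5 "%s";\n};\n' % (_fake_key(2), _fake_key(3))
BAD_SAMPLE = 'trusted-keys {\n  "193.in-addr.arpa." 256 3 5 "%s";\n' \
             '  "194.in-addr.arpa." 257 3 5 "not-base64!!";\n};\n' % _fake_key(4)


if __name__ == "__main__":
    # usage: anchorcheck.py INSTALLED_KEYS_FILE URL   (both placeholders)
    current = parse_trusted_keys(open(sys.argv[1]).read())
    fetched = parse_trusted_keys(urllib.request.urlopen(sys.argv[2], timeout=30).read().decode())
    for p in sanity_check(fetched):
        print("PROBLEM:", p)
    for kind, entries in diff_anchors(current, fetched).items():
        print("%-9s %s" % (kind, ", ".join("%s tag %d" % e for e in entries) or "-"))
```

Wire the output into whatever alerts you already read; a non-empty "removed" list is exactly the 16 December situation the RIPE NCC describes, and a non-empty PROBLEM list means the download should not be installed at all.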
Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]
On Sat, 6 Feb 2010, Mark Andrews wrote:

>> We (= me and Paul Wouters) are working on a dnssec-conf update. Sorry
>> for the troubles.
>
> The better thing would be a script to fetch the current keys nightly,
> perform a sanity check, then update or inform the administrator and
> let them update the keys after inspection. I do something like this
> myself nightly.

With the current success of the DLV, and the root zone deployment half a year away, it is not really required anymore. I think it is much better to get rid of all trust anchors apart from the ISC DLV key.

Paul
Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]
Paul Wouters wrote:

> With the current success of the DLV, and the root zone deployment half
> a year away, it is not really required anymore. I think it is much better
> to get rid of all trust anchors apart from the ISC DLV key.

Do remember, however, that the DLV keys also roll, so this does need to be taken into account.

AlanC
multi master primary nameserver.
Hello,

I wanted to ask how it could be possible, in some way, to have 2 or more multi-master name servers authoritative for one domain, instead of the classical master/slave model.

Thank you,
Rick
Can bind log the IP of clients requesting lookups to a domain?
Version - bind 9.5.1 on CentOS 5.x.

Is there a way to log the IP of clients requesting lookups of a particular domain?

In other words, I'd like to know the IP of clients trying to resolve app01.foocompany.net (for example).

There is probably a logging option but I'm not sure what it might be.

Thanks in advance!

=Keith
Re: Can bind log the IP of clients requesting lookups to a domain?
On 2/5/2010 3:16 PM, Keith Christian wrote:

> Version - bind 9.5.1 on CentOS 5.x. Is there a way to log the
> IP of clients requesting lookups of a particular domain?
>
> In other words, I'd like to know the IP of clients trying to resolve
> app01.foocompany.net (for example.)
>
> There is probably a logging option but I'm not sure what it might be.

When you read the manual for the logging options what part did you find confusing?

-- 
Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/

Computers are useless. They can only give you answers. -- Pablo Picasso
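For the record, BIND's per-query logging is the `queries` logging category (switched on at runtime with `rndc querylog` or permanently with a channel for that category in `named.conf`), and each entry names the client address and port, the queried name, class and type. Logging every query answers Keith's question but produces one line per lookup, so the practical step is to post-process the file for the name of interest. The script below is an added editor's example in Python, not code from either poster: it parses lines in the format BIND 9.x writes (the syslog prefix, the "client ADDR#PORT: query:" body, and an optional trailing "(server-address)" that newer releases add), normalises names since DNS matching is case-insensitive, and reports which clients asked for a given name, with a per-client breakdown by query type. The sample lines are constructed in that format and are not a capture from Keith's server; the host and address values are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in BIND 9.x "queries" category format; addresses are placeholders.
SAMPLE_QUERYLOG = """\
Feb  5 15:16:01 ns01 named[2190]: client 192.0.2.10#53421: query: app01.foocompany.net IN A + (198.51.100.5)
Feb  5 15:16:02 ns01 named[2190]: client 192.0.2.10#53422: query: app01.foocompany.net IN AAAA + (198.51.100.5)
Feb  5 15:16:02 ns01 named[2190]: client 192.0.2.77#40001: query: www.foocompany.net IN A + (198.51.100.5)
Feb  5 15:16:03 ns01 named[2190]: client 203.0.113.9#1025: query: app01.foocompany.net IN A +E (198.51.100.5)
Feb  5 15:16:03 ns01 named[2190]: client 192.0.2.10#53423: query: App01.FooCompany.NET IN A + (198.51.100.5)
Feb  5 15:16:04 ns01 named[2190]: client 203.0.113.9#1026: query: mail.example.org IN MX + (198.51.100.5)
"""

# Body of a query log entry. The flags field carries "+" for RD plus optional
# letters (E for EDNS, T for TCP, ...); the trailing "(addr)" is optional.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<rclass>\S+) (?P<rtype>\S+) (?P<flags>\S+)"
    r"(?: \((?P<dest>[0-9a-fA-F.:]+)\))?")


def parse_query(line):
    """Return the fields of one query log line, or None if it is not a query line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    # Names are case-insensitive; some stub resolvers also randomise case (0x20),
    # so compare in lower case and without the trailing dot.
    q["name"] = q["name"].rstrip(".").lower()
    return q


def clients_for(lines, name, include_subdomains=False):
    """Map client address -> Counter of query types, for queries matching name."""
    target = name.rstrip(".").lower()
    out = defaultdict(Counter)
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        n = q["name"]
        if n == target or (include_subdomains and n.endswith("." + target)):
            out[q["client"]][q["rtype"]] += 1
    return dict(out)


if __name__ == "__main__":
    import sys
    # usage: whoasked.py NAME [QUERYLOG_FILE] [--subdomains]   (placeholders)
    name = sys.argv[1] if len(sys.argv) > 1 else "app01.foocompany.net"
    files = [a for a in sys.argv[2:] if not a.startswith("--")]
    src = open(files[0]) if files else SAMPLE_QUERYLOG.splitlines()
    for client, types in sorted(clients_for(src, name, "--subdomains" in sys.argv).items()):
        print("%-16s %s" % (client, dict(types)))
```

On a resolver that is not yours to inspect, the address you will see is that of the forwarding cache, not the end host; the query log only ever records the immediate client.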
Re: multi master primary nameserver.
On 2/5/2010 2:41 PM, fddi wrote:

> Hello I wanted to ask how could be possible in some way
> to have 2 or more multi master name servers authoritative for one domain,
> instead of the classical master slave model.

Yes.

-- 
Doug
Re: multi master primary nameserver.
Doug Barton wrote:

> On 2/5/2010 2:41 PM, fddi wrote:
>> Hello I wanted to ask how could be possible in some way
>> to have 2 or more multi master name servers authoritative for one domain,
>> instead of the classical master slave model.
>
> Yes.

So should I use something like rsync or cfengine? Is there any hint document to implement a multi-master solution with bind?

Thanks,
Rick
Re: multi master primary nameserver.
fddi wrote:

> Doug Barton wrote:
>> On 2/5/2010 2:41 PM, fddi wrote:
>>> Hello I wanted to ask how could be possible in some way
>>> to have 2 or more multi master name servers authoritative for one domain,
>>> instead of the classical master slave model.
>>
>> Yes.
>
> so should I use somthing like rsync or cfengine ?

Use whatever you want. There's nothing built into BIND to support this, but any kind of file copying should work fine.

> is there any hint document to implement a mlti master solution with bind ?

What's to document? Copy the files to all the masters, do an "rndc reload".

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
RE: multi master primary nameserver.
Cricket Liu documents some stuff around this in section 8.2 of "O'Reilly DNS and BIND" - 5th edition. The info does not exist in the 3rd edition. (I happen to have access to both.)

Not enough info to justify buying the book, but it might help you if you're not a UNIX guru, so visit the library or make notes at your local bookstore :)

Gord Taylor
Re: multi master primary nameserver.
On Friday 05 February 2010 17:41, fddi wrote:

> Hello I wanted to ask how could be possible in some way
> to have 2 or more multi master name servers authoritative for one domain,
> instead of the classical master slave model.

Simple thing to do. I have a test lab here that I did this in a few years ago. 2 masters and 4 slaves.

The setup was simple. Configure Master A to be a slave of Master B. Configure Master B to be a slave of Master A. Configure all slaves with both masters. Depending on how you set up the rest, ensure that the masters notify each other of updates. Now when Master B is updated it will update the slaves and Master A also.

Only thing you have to watch out for is that only one zone on one master is being updated at a time.

-- 
Regards
Robert
Linux User #296285
http://counter.li.org
RE: multi master primary nameserver.
While that particular info might not justify buying the book, there is so much other info in it that does... Everyone who isn't a BIND expert and who touches a BIND nameserver should own a copy :-)

W

Please excuse top posting, my phone is dumb and has issues doing inline comments.

"Taylor, Gord" wrote:

> Cricket Liu documents some stuff around this in section 8.2 of "O'Reilly
> DNS and BIND" - 5th edition. The info does not exist in 3rd edition. (I
> happen to have access to both)
>
> Not enough info to justify buying the book, but might help you if you're
> not a UNIX guru, so visit the library or make notes at your local
> bookstore :)
Re: multi master primary nameserver.
On Friday 05 February 2010 23:06, Warren Kumari wrote:

> Everyone who isn't a BIND expert and who touches a BIND nameserver should
> own a copy :-)

Could not agree with you more on this point.

-- 
Regards
Robert
Linux User #296285
http://counter.li.org