Re: how to read and answer to this mailing list

2010-03-31 Thread Markus Feldmann

Matthew Pounsett wrote:

On 2010/03/30, at 19:04, Markus Feldmann wrote:


Warren Kumari wrote:

In the footer of every message lurks the following link:
https://lists.isc.org/mailman/listinfo/bind-users

Yes ... I read this but you can not answer a mail this way.


You can answer an email this way.  I'm not sure if the list is open-post or 
not.. but if it is then you can get the posting address from there and send 
email to it.  If it isn't, then from that page you can subscribe to the list, 
and then send email to it.


And I mean not this mailing list but the dhcp-users mailing list.


Then you're probably looking for 
.

Matt

I think there is a mistake or comprehension problem in my questions. 
Which newsreader program do you use to answer a post in the 
dhcp-users mailing list? And which newsgroup do you use?


regards Markus

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: how to read and answer to this mailing list

2010-03-31 Thread Markus Feldmann

Matthew Pounsett wrote:

On 2010/03/30, at 19:04, Markus Feldmann wrote:


Warren Kumari wrote:

In the footer of every message lurks the following link:
https://lists.isc.org/mailman/listinfo/bind-users

Yes ... I read this but you can not answer a mail this way.


You can answer an email this way.  I'm not sure if the list is open-post or 
not.. but if it is then you can get the posting address from there and send 
email to it.  If it isn't, then from that page you can subscribe to the list, 
and then send email to it.

Thanks Matthew, it works, but it is not very comfortable. Therefore I 
need 2 programs: first to read and the second to write/answer. The 
modern computer technique says hello. :-)


regards Markus



Strange domains requested

2010-03-31 Thread Abdulla Bushlaibi
Recently we are seeing strange domains being requested on the caching 
name servers we are running. Sometimes the clients who are requesting 
these domains are sending more than one thousand requests per second and 
sometimes it's a lot lower than that (maybe 30 or 50 or 100 requests per 
second). Examples of the log records are below:


29-Mar-2010 14:18:57.645 client X.X.X.X#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.649 client X.X.X.X#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.649 client X.X.X.X#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.651 client X.X.X.X#53: query: \144\198x IN A +

30-Mar-2010 11:34:36.099 client Y.Y.Y.Y#3074: query: powecs1234.51vip.biz IN A +

30-Mar-2010 11:34:37.305 client Y.Y.Y.Y#3074: query: \019 IN A +
30-Mar-2010 11:34:44.419 client Y.Y.Y.Y#3074: query: \019 IN A +
30-Mar-2010 11:34:50.437 client Y.Y.Y.Y#3074: query: \019 IN A +

30-Mar-2010 11:36:02.096 client Z.Z.Z.Z#53: query: acegaceg.vicp.cc IN A +
30-Mar-2010 11:36:02.100 client Z.Z.Z.Z#53: query: \012\194x IN A +
30-Mar-2010 11:36:02.104 client Z.Z.Z.Z#53: query: \012\194x IN A +
30-Mar-2010 11:36:02.108 client Z.Z.Z.Z#53: query: \012\194x IN A +


Most of the time the client's source port is 53 which is mostly used as 
a source port for DNS servers to reply to the client's queries, so I am 
suspecting it might be a virus of some sort.


I did a google search for the mentioned domains but with no luck. Does 
anyone have any idea what would cause such request floods or have faced 
similar issues?


--
Abdulla Ahmad Bushlaibi
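
Added example (not part of the original post): a triage pass over BIND query-log lines in the format quoted above, summarising per client the three signals the post describes: queries per second, use of source port 53, and query names containing escaped non-printable bytes. The sample log is constructed with documentation-range addresses, and the function name and the `rate_threshold` default (set low to suit the tiny sample) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the querylog format quoted in the post; client
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = r"""
29-Mar-2010 14:18:57.645 client 192.0.2.10#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.649 client 192.0.2.10#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.649 client 192.0.2.10#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.651 client 192.0.2.10#53: query: \144\198x IN A +
30-Mar-2010 11:34:36.099 client 198.51.100.7#3074: query: powecs1234.51vip.biz IN A +
30-Mar-2010 11:34:37.305 client 198.51.100.7#3074: query: \019 IN A +
30-Mar-2010 11:34:44.419 client 198.51.100.7#3074: query: \019 IN A +
30-Mar-2010 11:36:02.096 client 203.0.113.5#40211: query: www.example.com IN A +
"""

LINE_RE = re.compile(
    r"^(?P<day>\S+) (?P<sec>\d\d:\d\d:\d\d)\.\d+ client (?P<ip>[^#\s]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")
ESCAPED_OCTET = re.compile(r"\\\d{3}")   # named prints non-printable bytes as \DDD

def triage(log_text, rate_threshold=3):
    """Summarise each client: peak queries/second, source-port-53 use, odd names."""
    per_second = defaultdict(lambda: defaultdict(int))
    stats = defaultdict(lambda: {"queries": 0, "from_port_53": 0, "escaped_qnames": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a query-log line
        s = stats[m["ip"]]
        s["queries"] += 1
        s["from_port_53"] += m["port"] == "53"
        s["escaped_qnames"] += bool(ESCAPED_OCTET.search(m["qname"]))
        per_second[m["ip"]][(m["day"], m["sec"])] += 1   # bucket by whole second
    report = {}
    for ip, s in stats.items():
        peak = max(per_second[ip].values())
        checks = [("rate", peak >= rate_threshold),
                  ("source-port-53", s["from_port_53"] > 0),
                  ("non-printable-qname", s["escaped_qnames"] > 0)]
        report[ip] = dict(s, peak_qps=peak, reasons=[n for n, hit in checks if hit])
    return report

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```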



RE: Zone transfer issues on new domain

2010-03-31 Thread Lear, Karen (Evolver)
I added it to the named.conf on the slave.  Shouldn't it create its own 
db.usptoenews file under the secondaries directory?

From: bind-users-bounces+karen.lear=uspto@lists.isc.org 
[bind-users-bounces+karen.lear=uspto@lists.isc.org] On Behalf Of Sten 
Carlsen [st...@s-carlsen.dk]
Sent: Tuesday, March 30, 2010 9:26 PM
To: bind-users@lists.isc.org
Subject: Re: Zone transfer issues on new domain

Did you add it to the slaves configuration? It does not get automagically 
added; so the slave gets a notify on a zone it can not serve as it is not in 
its config.

On 31/03/10 2:14, Lear, Karen (Evolver) wrote:
Can you tell me why I’m getting the message below on my slave server after 
adding a master zone on the master server for usptoenews.gov:

[kl...@dns2 logs]$ grep enews activity.log
30-Mar-2010 17:17:45.484 notify: notice: client 10.240.6.50#10738: received 
notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov': not authoritative
30-Mar-2010 17:22:47.335 notify: notice: client 10.240.6.50#62593: received 
notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov': not authoritative

email:   karen.l...@uspto.gov





--
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!"



RE: Zone transfer issues on new domain

2010-03-31 Thread Lear, Karen (Evolver)
To clarify, I added this to the named.conf on the slave:

zone "usptoenews.gov" {
    type slave;
    file "secondaries/db.usptoenews";
    masters { 10.240.6.50; };
};


From: Lear, Karen (Evolver)
Sent: Wednesday, March 31, 2010 7:25 AM
To: Sten Carlsen; bind-users@lists.isc.org
Subject: RE: Zone transfer issues on new domain

I added it to the named.conf on the slave.  Shouldn't it create its own 
db.usptoenews file under the secondaries directory?

From: bind-users-bounces+karen.lear=uspto@lists.isc.org 
[bind-users-bounces+karen.lear=uspto@lists.isc.org] On Behalf Of Sten 
Carlsen [st...@s-carlsen.dk]
Sent: Tuesday, March 30, 2010 9:26 PM
To: bind-users@lists.isc.org
Subject: Re: Zone transfer issues on new domain

Did you add it to the slaves configuration? It does not get automagically 
added; so the slave gets a notify on a zone it can not serve as it is not in 
its config.

On 31/03/10 2:14, Lear, Karen (Evolver) wrote:
Can you tell me why I’m getting the message below on my slave server after 
adding a master zone on the master server for usptoenews.gov:

[kl...@dns2 logs]$ grep enews activity.log
30-Mar-2010 17:17:45.484 notify: notice: client 10.240.6.50#10738: received 
notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov': not authoritative
30-Mar-2010 17:22:47.335 notify: notice: client 10.240.6.50#62593: received 
notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov': not authoritative

email:   karen.l...@uspto.gov





--
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!"



Re: Zone transfer issues on new domain

2010-03-31 Thread Sten Carlsen
Hi

This looks ok to me, does the file exist? Is it writable by named?

I am not quite sure but I think named will make the file if it does not
exist, it needs to be able to make the file in the directory etc. Normal
admin stuff.

In general when you add a slave on a master (notify), that does not mean
you always control the slave, so it does not automatically mean that the
slave, you have pointed your notify at, is willing to actually serve the
domain in question. Also if you want to be a slave of some domain, that
does not automatically mean that the domain is willing to be slaved by
you; you may not be granted access to do AXFR or IXFR.

This is at least one of the reasons slaves don't automatically pick up
the domains we think they should automagically start serving.

I hope it starts to work now.


On 31/03/10 13:48, Lear, Karen (Evolver) wrote:
> To clarify, I added this to the named.conf on the slave:
>
> };
> zone "usptoenews.gov" {
> type slave;
> file "secondaries/db.usptoenews";
> masters { 10.240.6.50; };
> };
>
> 
> From: Lear, Karen (Evolver)
> Sent: Wednesday, March 31, 2010 7:25 AM
> To: Sten Carlsen; bind-users@lists.isc.org
> Subject: RE: Zone transfer issues on new domain
>
> I added it to the named.conf on the slave.  Shouldn't it create its own 
> db.usptoenews file under the secondaries directory?
> 
> From: bind-users-bounces+karen.lear=uspto@lists.isc.org 
> [bind-users-bounces+karen.lear=uspto@lists.isc.org] On Behalf Of Sten 
> Carlsen [st...@s-carlsen.dk]
> Sent: Tuesday, March 30, 2010 9:26 PM
> To: bind-users@lists.isc.org
> Subject: Re: Zone transfer issues on new domain
>
> Did you add it to the slaves configuration? It does not get automagically 
> added; so the slave gets a notify on a zone it can not serve as it is not in 
> its config.
>
> On 31/03/10 2:14, Lear, Karen (Evolver) wrote:
> Can you tell me why I’m getting the message below on my slave server after 
> adding a master zone on the master server for usptoenews.gov:
>
> [kl...@dns2 logs]$ grep enews activity.log
> 30-Mar-2010 17:17:45.484 notify: notice: client 10.240.6.50#10738: received 
> notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov': not authoritative
> 30-Mar-2010 17:22:47.335 notify: notice: client 10.240.6.50#62593: received 
> notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov': not authoritative
>
> email:   karen.l...@uspto.gov
>
>
>
>
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
>"MALE BOVINE MANURE!!!"
>
>   

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Zone transfer issues on new domain

2010-03-31 Thread Kevin Darcy
TSIG overloaded the NOTAUTH response code to mean "not authorized" 
instead of its traditional meaning of "not authoritative".


I'm thinking that the root cause here is a TSIG validation issue that's 
being misreported as "not authoritative" because a "generic" 
error-printing routine is being used, and it only knows one way to 
represent NOTAUTH.


Of course, it's easy to check whether a nameserver considers itself 
authoritative for a given zone -- just do a query and check for the 
presence/absence of the AA bit...



- Kevin


On 3/31/2010 7:48 AM, Lear, Karen (Evolver) wrote:

To clarify, I added this to the named.conf on the slave:

};
zone "usptoenews.gov" {
 type slave;
 file "secondaries/db.usptoenews";
 masters { 10.240.6.50; };
};


From: Lear, Karen (Evolver)
Sent: Wednesday, March 31, 2010 7:25 AM
To: Sten Carlsen; bind-users@lists.isc.org
Subject: RE: Zone transfer issues on new domain

I added it to the named.conf on the slave.  Shouldn't it create its own 
db.usptoenews file under the secondaries directory?

From: bind-users-bounces+karen.lear=uspto@lists.isc.org 
[bind-users-bounces+karen.lear=uspto@lists.isc.org] On Behalf Of Sten 
Carlsen [st...@s-carlsen.dk]
Sent: Tuesday, March 30, 2010 9:26 PM
To: bind-users@lists.isc.org
Subject: Re: Zone transfer issues on new domain

Did you add it to the slaves configuration? It does not get automagically 
added; so the slave gets a notify on a zone it can not serve as it is not in 
its config.

On 31/03/10 2:14, Lear, Karen (Evolver) wrote:
Can you tell me why I’m getting the message below on my slave server after 
adding a master zone on the master server for usptoenews.gov:

[kl...@dns2 logs]$ grep enews activity.log
30-Mar-2010 17:17:45.484 notify: notice: client 10.240.6.50#10738: received 
notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov': not authoritative
30-Mar-2010 17:22:47.335 notify: notice: client 10.240.6.50#62593: received 
notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov': not authoritative

email:   karen.l...@uspto.gov





--
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"
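
Added example (not part of the original thread): the AA-bit check Kevin describes, done by building an SOA query and decoding the 12-byte header of the reply, where RCODE 9 is the NOTAUTH code his message discusses. The function names are hypothetical, and the three sample replies are constructed header-only messages so the logic can be exercised offline; `ask()` is the live path.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 9: "NOTAUTH"}

def build_soa_query(zone, query_id=0x1234):
    """Wire-format SOA query for `zone` with RD clear (we ask the server itself)."""
    header = struct.pack("!HHHHHH", query_id, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)   # QTYPE=SOA, QCLASS=IN

def read_header(message):
    """Decode the 12-byte DNS header: QR and AA flags, RCODE, answer count."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    rcode = flags & 0x000F
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "aa": bool(flags & 0x0400), "rcode": RCODES.get(rcode, str(rcode)),
            "answers": an}

def serves_zone(message):
    """True only if the reply is an authoritative NOERROR answer."""
    h = read_header(message)
    return bool(h["is_response"] and h["aa"]
                and h["rcode"] == "NOERROR" and h["answers"] > 0)

def ask(server, zone, timeout=3.0):
    """Send the SOA query over UDP to `server` and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone), (server, 53))
        return s.recvfrom(4096)[0]

# Constructed header-only replies (id, flags, qd, an, ns, ar) for offline checks.
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)      # QR+AA, NOERROR
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)   # QR, REFUSED
NOTAUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8009, 1, 0, 0, 1)   # QR, NOTAUTH
```

Against a live server, `serves_zone(ask(server, zone))` gives the same verdict as looking for the `aa` flag in a non-recursive SOA query.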



Re: Reverse lookup failing when arpa.dlv.isc.org appeared

2010-03-31 Thread Chris Thompson

On Mar 27 2010, Michael Sinatra wrote:


On 03/25/10 05:21, Chris Thompson wrote:

I'll be reporting this to bind-bugs, but I thought I would mention it here
in case others can confirm the effect.

Our two main recursive nameservers used DNSSEC validation via dlv.isc.org.
In the past we have had suspicions that there are glitches when new entries
appear in the DLV zone. For example, we got reports that users were
temporarily unable to access CERN web sites on the morning that "cz"
went into dlv.isc.org.


I saw the same effect within the GOV domain, when the GOV trust-anchor 
was re-added to the ISC DLV last May:


https://lists.dns-oarc.net/pipermail/dns-operations/2009-May/003867.html

This is not a DLV-only issue; my experience is that it also affects 
manually (or semi-automatically via scripts that modify 
named-trustedkeys) updated trust-anchors.  'rndc flush' is necessary to 
fix it.


If that's a requirement it ought to be documented. But of course there
is a difference: at least you know when you are changing trust anchors:
there's no way you can protect yourself against the sudden appearance of
a DLV (or DS) record in someone else's zone!

--
Chris Thompson
Email: c...@cam.ac.uk


Re: Same source port queries dropped by ServerIron load balancer

2010-03-31 Thread Mark Andrews

In message <4bb1c63b.30...@ies.etisalat.ae>, Abdulla Bushlaibi writes:
> We are facing query drops by using dnsperf tool from ISC testing the DNS 
> service via load balancer. Multiple queries from the same source port 
> are being dropped partially by the load balancer and as per the load 
> balancer vendor feedback, this is a security feature and this situation 
> doesn't happen in real life scenarios.
> 
> Most of the cases, clients are generating unique random source ports for 
> each DNS query, however we are not sure about the option of reusing the 
> same source port for multiple queries and how does it apply in real life 
> scenarios.
> 
> Appreciate your comment on this subject.
> 
> -- 
> Abdulla Ahmad Bushlaibi
> 

A load balancer that cannot cope with multiple outstanding queries
that have the same source port is broken.  A server (and that
includes any load balancer in front of it) should not care about
the source port.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org