ignoring incorrect nameservers in authority section

2010-12-22 Thread Sunil Shetye
Hi,

Some authoritative nameservers add incorrect nameservers in the
authority section of their replies. Due to caching of the incorrect
reply, further queries for that domain go to those incorrect
nameservers. Is there a way to ignore / not cache such replies?

For example, if ns1.realserver.com gives this authoritative reply:

===
$ dig a1.example.com.
;; QUESTION SECTION:
;a1.example.com.  IN   A

;; ANSWER SECTION:
a1.example.com. 3600  IN   A  10.10.10.10

;; AUTHORITY SECTION:
example.com.3600  IN  NS  ns1.fakeserver.com.
example.com.3600  IN  NS  ns2.fakeserver.com.
===

Further queries for example.com go to ns[12].fakeserver.com.

===
$ dig a2.example.com.
;; QUESTION SECTION:
;a2.example.com.  IN   A

unexpected RCODE (REFUSED) resolving 'a2.example.com/A/IN': 
ns1.fakeserver.com#53
===

ns[12].fakeserver.com. are not authoritative for example.com here.

The symptoms are:

1. dig +trace a1.example.com. always works correctly.

2. dig a1.example.com. works correctly the first time.

3. dig a2.example.com. gives an error till the fake NS record expires.

This is obviously a misconfiguration on ns1.realserver.com. The
correct nameservers are listed in domain registration of example.com
along with the correct glue records.

Is there any solution to this problem without contacting the DNS
administrator of that domain? I have seen this problem for many
domains on the internet.

-- 
Sunil Shetye.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: ignoring incorrect nameservers in authority section

2010-12-22 Thread Matus UHLAR - fantomas
On 22.12.10 14:01, Sunil Shetye wrote:
> Some authoritative nameservers add incorrect nameservers in the
> authority section of their replies.

Which authority and which domain?

Most authorities add the nameservers the domain was registered on.

> Due to caching of the incorrect
> reply, further queries for that domain go to those incorrect
> nameservers. Is there a way to ignore / not cache such replies?

No. There is a way to fix what is broken. Either the domain is delegated to
bad servers, or the servers have incorrect/inconsistent data for the domain.

> This is obviously a misconfiguration on ns1.realserver.com. The
> correct nameservers are listed in domain registration of example.com
> along with the correct glue records.

Actually, no. The "correct" servers are configured in the zone itself.
Note that authoritative data from the zone prevails over the delegation from
the registry.

> Is there any solution to this problem without contacting the DNS
> administrator of that domain? I have seen this problem for many
> domains on the internet.

Well, first find which is the real problem - domain delegated to invalid
servers, server providing invalid data - and then you have to fix what is
broken.

Give us a real example if we are to provide a real solution.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


Re: ignoring incorrect nameservers in authority section

2010-12-22 Thread Sunil Shetye
Quoting from Matus UHLAR - fantomas's mail on Wed, Dec 22, 2010:
> > Is there any solution to this problem without contacting the DNS
> > administrator of that domain? I have seen this problem for many
> > domains on the internet.
> 
> Well, first find which is the real problem - domain delegated to invalid
> servers, server providing invalid data - and then you have to fix what is
> broken.
> 
> Give us a real example if we are to provide a real solution.

Case 1:

Domain: e-nxt.com
Real Nameservers: ns1.webpresenceworld.com. ns2.webpresenceworld.com.
Fake Nameservers: ns5.zenexpress.com. ns6.zenexpress.com.

==
$ dig +norecurse @a.gtld-servers.net. e-nxt.com.
;; QUESTION SECTION:
;e-nxt.com. IN  A

;; AUTHORITY SECTION:
e-nxt.com.  172800  IN  NS  ns1.webpresenceworld.com.
e-nxt.com.  172800  IN  NS  ns2.webpresenceworld.com.
==
  (correct)

==
$ dig +norecurse @ns1.webpresenceworld.com. e-nxt.com.
;; QUESTION SECTION:
;e-nxt.com. IN  A

;; ANSWER SECTION:
e-nxt.com.  3600IN  A   203.201.252.134

;; AUTHORITY SECTION:
e-nxt.com.  3600IN  NS  ns6.zenexpress.com.
e-nxt.com.  3600IN  NS  ns5.zenexpress.com.
==
  (authority section is not correct and should not be cached by named)

==
$ dig +norecurse @ns6.zenexpress.com. e-nxt.com.
;; QUESTION SECTION:
;e-nxt.com. IN  A
==
  (refused, this is correct)

So, the authority section as reported by the tld nameservers is
correct. The authority section as reported by the real nameservers is
incorrect. The problem occurs when sending a mail to e-nxt.com. The
following lookups are triggered:

e-nxt.com A
e-nxt.com MX
mail1.e-nxt.com A
mail2.e-nxt.com A

When the named cache is empty, the first lookup succeeds. After that,
the incorrect authority section is cached by named. Due to this, the
second lookup fails. After the incorrect NS record expires, the second
lookup succeeds during the fresh lookup. The incorrect authority
section again gets cached. Then, the third and fourth lookups fail.

dig +trace always gives a correct answer for all the above lookups.
Clearing the cache gives the correct answer for the first lookup after
that.


Case 2:

Domain: imagesystems.co.in
Real Nameservers: ns1.servershost.net. ns2.servershost.net.
Fake Nameservers: ns1.cyberasiantrade.com. ns2.cyberasiantrade.com.

==
$ dig +norecurse @ns1.servershost.net. imagesystems.co.in.
;; QUESTION SECTION:
;imagesystems.co.in.IN  A

;; ANSWER SECTION:
imagesystems.co.in. 14400   IN  A   205.234.222.71

;; AUTHORITY SECTION:
imagesystems.co.in. 43200   IN  NS  ns1.cyberasiantrade.com.
imagesystems.co.in. 43200   IN  NS  ns2.cyberasiantrade.com.
==

==
$ dig +norecurse @ns1.cyberasiantrade.com. imagesystems.co.in.
==
  (no reply, this is correct)


-- 
Sunil Shetye.


Re: ignoring incorrect nameservers in authority section

2010-12-22 Thread Matus UHLAR - fantomas
> Quoting from Matus UHLAR - fantomas's mail on Wed, Dec 22, 2010:
> > > Is there any solution to this problem without contacting the DNS
> > > administrator of that domain? I have seen this problem for many
> > > domains on the internet.
> > 
> > Well, first find which is the real problem - domain delegated to invalid
> > servers, server providing invalid data - and then you have to fix what is
> > broken.
> > 
> > Give us a real example if we are to provide a real solution.

On 22.12.10 16:53, Sunil Shetye wrote:
> Case 1:
> 
> Domain: e-nxt.com
> Real Nameservers: ns1.webpresenceworld.com. ns2.webpresenceworld.com.
> Fake Nameservers: ns5.zenexpress.com. ns6.zenexpress.com.

Why fake? 

Both ns1.webpresenceworld.com and ns2.webpresenceworld.com - the delegated
nameservers for e-nxt.com provide the same records for a domain, including
NS records for ns5.zenexpress.com and ns6.zenexpress.com.

The fact that ns5.zenexpress.com and ns6.zenexpress.com do not provide the
zone has nothing to do with this.

Blame the person who added those NS records to e-nxt.com; someone at
webpresenceworld.com would know where they get the zone.

> Case 2:
> 
> Domain: imagesystems.co.in
> Real Nameservers: ns1.servershost.net. ns2.servershost.net.
> Fake Nameservers: ns1.cyberasiantrade.com. ns2.cyberasiantrade.com.

Exactly the same applies here, just different domain and servers.


Both domains are delegated to servers that provide DNS for the domain, which
is correct. But both domains themselves contain NS Records to different
servers that do not provide those domains.

In both cases, someone has put wrong NS records into the domain, causing
its unreachability.

Note that the NS records in the domains always prevail over those in
delegation - the DNS master should always know best which servers are
authoritative for it.


The NS records are not fake, they are misconfigured. Admins of the mentioned
nameservers may not even know about the problem, since anyone can point his
domain to their servers.

And there is nothing in the DNS protocol that would prevent misconfigurations
like that one from appearing, and there should not be. It's the domain master who
misconfigured it and has to fix it.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody


Re: ignoring incorrect nameservers in authority section

2010-12-22 Thread Sunil Shetye
Quoting from Matus UHLAR - fantomas's mail on Wed, Dec 22, 2010:
> > Case 1:
> > 
> > Domain: e-nxt.com
> > Real Nameservers: ns1.webpresenceworld.com. ns2.webpresenceworld.com.
> > Fake Nameservers: ns5.zenexpress.com. ns6.zenexpress.com.
> 
> Why fake? 
> 
> Both ns1.webpresenceworld.com and ns2.webpresenceworld.com - the delegated
> nameservers for e-nxt.com provide the same records for a domain, including
> NS records for ns5.zenexpress.com and ns6.zenexpress.com.
> 
> The fact that ns5.zenexpress.com and ns6.zenexpress.com do not provide the
> zone has nothing to do with this.
> 
> Blame the person who added those NS records to e-nxt.com; someone at
> webpresenceworld.com would know where they get the zone.

Please note that these are not rare cases. I have seen this happen for
so many domains in the past. It is not practical for me to start
communicating with those administrators and find out who is to be blamed
for that. It is easier for me if:

- named caches the authority section from the reply of the parent
  nameserver only, or

- named does not cache the authority section at all.

> > Case 2:
> > 
> > Domain: imagesystems.co.in
> > Real Nameservers: ns1.servershost.net. ns2.servershost.net.
> > Fake Nameservers: ns1.cyberasiantrade.com. ns2.cyberasiantrade.com.
> 
> Exactly the same applies here, just different domain and servers.
> 
> 
> Both domains are delegated to servers that provide DNS for the domain, which
> is correct. But both domains themselves contain NS Records to different
> servers that do not provide those domains.
> 
> In both cases, someone has put wrong NS records into the domain, causing
> its unreachability.
> 
> Note that the NS records in the domains always prevail over those in
> delegation - the DNS master should always know best which servers are
> authoritative for it.

Why is that? In fact, it is the parent which knows which servers are
authoritative. After all, any query is eventually routed via the
parent nameserver only. If the parent nameserver did not know the
answer, the domain would anyway have been unreachable.

I agree that the DNS master is supposed to know better than the
parent, but it is safer if the parent nameserver data is cached rather
than the domain nameserver data.

Please note that it is very hard to find the root of this problem when
'dig +trace' works correctly and consistently where as 'dig' does not
give any response or gets a wrong response. All I want to ensure is
that both the commands give the same response. Please help me achieve
that.


Is there any option to make the NS records in the delegation prevail
over the NS records in the domain?


Is there any option to not cache the NS records from the authority
section at all?


Is there any option to add workarounds for specific domains /
nameservers like the ones listed above?

-- 
Sunil Shetye.


Re: Bind not returning A record

2010-12-22 Thread Lyle Giese

Paul Ooi Cong Jen wrote:

kwsp.gov.my.86400   IN  NS  ns3.pttcdc.com.my.
;; Received 109 bytes from 137.189.6.21#53(ns2.cuhk.edu.hk) in 52 ms

www.kwsp.gov.my.43200   IN  CNAME   www.yu.kwsp.gov.my.
;; Received 54 bytes from 202.184.117.10#53(ns3.pttcdc.com.my) in 21 ms
---

If I do an rndc flush and dig again, the record returns the result 


--

dig @localhost www.kwsp.gov.my

; <<>> DiG 9.7.0-P3 <<>> @localhost www.kwsp.gov.my
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20092
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kwsp.gov.my.   IN  A

;; ANSWER SECTION:
www.kwsp.gov.my.43186   IN  CNAME   www.yu.kwsp.gov.my.
www.yu.kwsp.gov.my. 30  IN  A   202.162.21.166

;; AUTHORITY SECTION:
yu.kwsp.gov.my. 43200   IN  NS  ns2.yu.kwsp.gov.my.
yu.kwsp.gov.my. 43200   IN  NS  ns1.yu.kwsp.gov.my.

;; Query time: 829 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 22 15:04:55 2010
;; MSG SIZE  rcvd: 106




From the debug logs, we see the error message as below

gov.my/IN/A at query.c:4650
22-Dec-2010 14:38:52.845 query-errors: client 211.24.220.233#54055: query 
failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
22-Dec-2010 14:38:52.845 query-errors: client 211.24.220.233#54023: query 
failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
22-Dec-2010 14:40:27.940 query-errors: client 203.121.30.35#52679: query failed 
(SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
22-Dec-2010 14:40:27.940 query-errors: client 211.24.220.233#54143: query 
failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
22-Dec-2010 14:43:48.202 query-errors: client 211.24.177.146#62297: query 
failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
22-Dec-2010 14:43:48.202 query-errors: client 211.24.220.233#54459: query 
failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
22-Dec-2010 14:43:48.202 query-errors: client 211.24.220.233#54473: query 
failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
22-Dec-2010 14:43:48.202 query-errors: client 211.24.177.146#62297: query 
failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
22-Dec-2010 14:44:48.290 query-errors: client 211.24.220.233#54530: query 
failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
22-Dec-2010 14:44:48.290 query-errors: client 127.0.0.1#19009: query failed 
(SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
22-Dec-2010 14:44:48.290 query-errors: client 211.24.220.233#54547: query 
failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650

On the other hand, we notice that the NS records seem to have no DNS service 
running; could it be a client-side or server-side problem?
  
Bind is returning the proper answer.  There is no A record for 
www.kwsp.gov.my.  It's been setup as a CNAME to www.yu.kwsp.gov.my and 
you have received that answer.


As far as those errors go, those are probably errors in their setup.

Lyle Giese
LCR Computer Services, Inc.



Re: Bind not returning A record

2010-12-22 Thread Paul Ooi Cong Jen

On 22-Dec-2010, at 9:41 PM, Lyle Giese wrote:

> Bind is returning the proper answer.  There is no A record for 
> www.kwsp.gov.my.  It's been setup as a CNAME to www.yu.kwsp.gov.my and you 
> have received that answer.
> 
> As far as those errors go, those are probably errors in their setup.

Hi Lyle, 

I guess the same too, because the NS record for the CNAME seems not available.




Re: Bind not returning A record

2010-12-22 Thread Torsten
On Wed, 22 Dec 2010 21:53:14 +0800, Paul Ooi Cong Jen wrote:

> Hi Lyle, 
> 
> I guess the same too, because the NS record for the CNAME seems not available.
> 


The DNS operators have borked their configuration for sure.

ns3.pttcdc.com.my knows about both www.kwsp.gov.my AND www.yu.kwsp.gov.my where 
it shouldn't.


dig +norec @ns3.pttcdc.com.my www.kwsp.gov.my a

; <<>> DiG 9.7.2-P3-RedHat-9.7.2-4.P3.fc14 <<>> +norec @ns3.pttcdc.com.my 
www.kwsp.gov.my a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64831
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kwsp.gov.my.   IN  A

;; ANSWER SECTION:
www.kwsp.gov.my.43200   IN  CNAME   www.yu.kwsp.gov.my.

;; Query time: 360 msec
;; SERVER: 202.184.117.10#53(202.184.117.10)
;; WHEN: Wed Dec 22 15:15:21 2010
;; MSG SIZE  rcvd: 54



dig +norec @ns3.pttcdc.com.my www.yu.kwsp.gov.my a

; <<>> DiG 9.7.2-P3-RedHat-9.7.2-4.P3.fc14 <<>> +norec @ns3.pttcdc.com.my 
www.yu.kwsp.gov.my a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58486
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.yu.kwsp.gov.my.IN  A

;; ANSWER SECTION:
www.yu.kwsp.gov.my. 20  IN  A   202.162.21.166

;; Query time

Re: Bind not returning A record

2010-12-22 Thread Elias
The A records for ns1.yu.kwsp.gov.my and ns2.yu.kwsp.gov.my are missing at the 
authoritative servers for the subdomain yu.kwsp.gov.my, i.e.:

ns1.yu.kwsp.gov.my. 43200   IN  A   202.162.21.163
ns2.yu.kwsp.gov.my. 43200   IN  A   211.25.56.211

# dig @202.162.21.163 ns1.yu.kwsp.gov.my

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52796
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.yu.kwsp.gov.my.IN  A

;; AUTHORITY SECTION:
yu.kwsp.gov.my. 60  IN  SOA rjgtm.kwsp.gov.my. 
hostmaster.rjgtm.kwsp.gov.my. 12 10800 3600 604800 60

;; Query time: 4 msec
;; SERVER: 202.162.21.163#53(202.162.21.163)
;; WHEN: Wed Dec 22 22:13:25 2010
;; MSG SIZE  rcvd: 89


This is probably causing the lookup failures


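Both threads come down to the same three checks, so here is one added example that is not part of either post: a Python script that parses `dig +norecurse` transcripts and reports (a) child-apex NS records that disagree with the parent delegation, (b) NS names the child lists that do not answer authoritatively (the ns5/ns6.zenexpress.com refusal in Case 1 of the "ignoring incorrect nameservers" thread), and (c) in-bailiwick NS names with no A record at the child (the ns1/ns2.yu.kwsp.gov.my finding directly above). The transcripts embedded in it are constructed from the figures quoted in the two threads; the aa flags, and the assumption that both yu.kwsp.gov.my servers answer alike, are mine, not from the posts. The function names (parse_dig, check_delegation, run_examples) are this example's own.

```python
"""Delegation consistency checks driven by dig output. Added example, not code
from either thread: parses what `dig +norecurse @server name` prints and checks
child NS versus parent delegation, lameness of each listed NS, and glue."""
import re
from dataclasses import dataclass, field

@dataclass
class DigReply:
    status: str                                  # RCODE from the HEADER line
    flags: set                                   # e.g. {"qr", "aa"}
    answer: list = field(default_factory=list)   # (owner, type, rdata) tuples
    authority: list = field(default_factory=list)

def fqdn(name):
    return name.lower().rstrip(".") + "."

def parse_dig(text):
    status, flags, current = "NONE", set(), None
    sections = {"ANSWER": [], "AUTHORITY": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"status: (\w+)", line):
            status = m.group(1)
        elif m := re.match(r";; flags: ([a-z ]*);", line):
            flags = set(m.group(1).split())
        elif m := re.match(r";; (ANSWER|AUTHORITY) SECTION:", line):
            current = sections[m.group(1)]
        elif not line or line.startswith(";"):
            current = None        # a blank line or any other comment ends a section
        elif current is not None:
            p = line.split()      # owner TTL IN TYPE rdata...
            if len(p) >= 5 and p[2] == "IN":
                current.append((fqdn(p[0]), p[3], " ".join(p[4:]).lower()))
    return DigReply(status, flags, sections["ANSWER"], sections["AUTHORITY"])

def ns_set(reply, zone):
    """NS names for `zone` found in the answer or authority section."""
    return {rd for owner, rt, rd in reply.answer + reply.authority
            if rt == "NS" and owner == zone}

def check_delegation(zone, parent, child, per_ns, glue):
    """parent/child: replies for <zone> from a parent-side server (None skips that
    check) and a delegated server; per_ns: {ns: its reply for <zone>}; glue: {ns: child
    reply for <ns> A}. Returns a list of findings; [] means consistent."""
    zone, findings = fqdn(zone), []
    child_ns = ns_set(child, zone)
    if "aa" not in child.flags:
        findings.append("delegated server does not answer authoritatively")
    if parent is not None and ns_set(parent, zone) != child_ns:
        findings.append(f"NS mismatch: parent={sorted(ns_set(parent, zone))} "
                        f"child={sorted(child_ns)}")
    for ns in sorted(child_ns):                 # this is the set a resolver will cache
        r = per_ns.get(ns)
        if r is None or r.status != "NOERROR" or "aa" not in r.flags:
            findings.append(f"{ns}: lame ({'no reply' if r is None else r.status})")
        if ns.endswith("." + zone):             # in-bailiwick: the child must hold its A
            g = glue.get(ns)
            if g is None or not any(o == ns and t == "A" for o, t, _ in g.answer):
                findings.append(f"{ns}: in-bailiwick NS has no A record at the child")
    return findings

# Constructed dig transcripts, trimmed to what the parser needs. Names, addresses
# and RCODEs follow the figures quoted in the threads; the aa flags are assumed.
PARENT_ENXT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; AUTHORITY SECTION:
e-nxt.com.  172800  IN  NS  ns1.webpresenceworld.com.
e-nxt.com.  172800  IN  NS  ns2.webpresenceworld.com.
"""
CHILD_ENXT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2
;; ANSWER SECTION:
e-nxt.com.  3600  IN  A  203.201.252.134
;; AUTHORITY SECTION:
e-nxt.com.  3600  IN  NS  ns6.zenexpress.com.
e-nxt.com.  3600  IN  NS  ns5.zenexpress.com.
"""
REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 3
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0
"""
CHILD_YU = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2
;; ANSWER SECTION:
www.yu.kwsp.gov.my.  30  IN  A  202.162.21.166
;; AUTHORITY SECTION:
yu.kwsp.gov.my.  43200  IN  NS  ns2.yu.kwsp.gov.my.
yu.kwsp.gov.my.  43200  IN  NS  ns1.yu.kwsp.gov.my.
"""
NO_GLUE = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5
"""

def run_examples():
    """Case 1 of the first thread, then the yu.kwsp.gov.my case of the second."""
    zen = ("ns5.zenexpress.com.", "ns6.zenexpress.com.")
    enxt = check_delegation("e-nxt.com", parse_dig(PARENT_ENXT), parse_dig(CHILD_ENXT),
                            {ns: parse_dig(REFUSED) for ns in zen}, {})
    yu_ns = ("ns1.yu.kwsp.gov.my.", "ns2.yu.kwsp.gov.my.")   # assumed to answer alike
    yu = check_delegation("yu.kwsp.gov.my", None, parse_dig(CHILD_YU),
                          {ns: parse_dig(CHILD_YU) for ns in yu_ns},
                          {ns: parse_dig(NO_GLUE) for ns in yu_ns})
    return enxt, yu
```

To use it on live data, feed the output of the dig commands shown in the threads to parse_dig. The check deliberately iterates over the child's NS set, not the registry's, because that is what a resolver ends up caching: RFC 2181 ranks NS records in the authority section of an authoritative answer above those in a parent's referral, which is exactly why `dig +trace` (which follows the referrals) keeps working while a caching named fails.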

Re: DDNS fails. record allready exists

2010-12-22 Thread magic-bind
Hi,
keep calm ;-) I do not expect a solution in 5 minutes ;-)

On Tuesday, 21 December 2010, 23:38:13, Bill Larson wrote:
> On Mon, Dec 20, 2010 at 1:34 PM,  wrote:
> > Hi List,
> > I have not yet found a solution for my problem. So I came here:
> > 
> > I use DDNS. Every night my server (in my local network) is shutting down.
> > On
> > the next day I have the problem that DDNS is no longer working, because
> > on update I get the error that the DNS record already exists. What is
> > the solution?
> > 
> > I use BIND version 9.7.2_p3-r1.
> 
> Well, there have been two questions asked but no more information given.
> That doesn't make it easy for anyone to help you.
> 
> Some questions:
> 
> 1. What is your DHCP server?  H/W and S/W.  Are you talking about a Linux
> box running "dhcpd" or a NetGear router running their DHCP server.  This
> may make just a little difference.

I use the DHCPD from http://www.isc.org/products/DHCP. I run Gentoo Linux on 
that server. This server is the router, dhcp server and dns server in my LAN. 
It is standard x86 hardware.

> 2. Why is your server shutting down?  Is this shutdown expected?  Also,
> which server are you referring to?  Is this the DNS server or the DHCP
> server (or both)?  You may have problems well outside the issue of DHCP and
> DNS.

It is shutting down every night, because I sleep at night ;-) DHCP and Bind 
both are running on this server. It is just a guess of mine that bind is dumping 
the journal to the zonefile on shutting down. In the primary zone file I have:

coffee  A   192.168.11.35

But I never wrote it there myself. This must be a result of DDNS.

> 3. Who is trying to perform the DDNS updates?  Is this the client machines
> or the DHCP server?

The DHCP server tries to perform a DDNS update if the client sends its hostname (which 
it normally should do). The client itself just performs a DHCP request. The 
DDNS update is done via rndc-key.

> 4. What do you see in your logs?  This may answer your question without any
> more work on anybody's part.

22-Dec-2010 20:35:44.451 update: info: client 192.168.11.1#58646: updating 
zone 'sugarland.local/IN': update unsuccessful: coffee.sugarland.local/A: 
'rrset does not exist' prerequisite not satisfied (YXRRSET)

I was reading that this means that the name/ip already exists. I was confused 
by the message but I found a page which explained why it says "not exist".

When I got the error message, "coffee" had a record for 192.168.11.35. But coffee 
was getting 192.168.11.42. BTW: coffee is a notebook in dual boot between 
Windows and Linux. Maybe this is part of the problem?!

> 5. What is your DNS server configuration?  Who is allowed to perform DDNS
> updates?

include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

zone "sugarland.local" IN {
    type master;
    file "pri/sugarland.zone";
    allow-update { key rndc-key; };
};

zone "11.168.192.in-addr.arpa" IN {
    type master;
    file "pri/11.168.192.zone";
    allow-update { key rndc-key; };
};


> 6. When you say that "the DNS record already exists", have you confirmed
> this?  Just query your DNS server for that record and see if it is really
> there.  If it is not, this this message, which I am assuming is from your
> DHCP server or from your client machine, isn't true.  Then again, if it
> really does exist, why would you think that it magically disappears?  If
> you add a record to a zone, why would you think that it shouldn't still be
> there?

It is true. See above.

> 7.  You say you are running "BIND version 9.7.2_p3-r1".  Sorry, I can
> understand the 9.7.2-P3 part, but what is the "r1" you are referring to?
> (I'll bet you are running Gentoo Linux, but this is just an assumption.) 
> Is this built from the BIND sources from ISC or is this some package that
> you got from someone else?

You win :-) This is a version extension from Gentoo. The package uses the
sources from ftp://ftp.isc.org/isc/bind9. No patches are applied.


Re: Bind not returning A record

2010-12-22 Thread Mark Andrews

In message <4e9b037f-4c66-460e-b70f-5ce9619ff...@takizo.com>, Paul Ooi Cong Jen 
writes:
> Hi All, 
> 
> I am having a problem with a Bind query, but not sure if it is a client error
> or a server error.
> Below are the server details.
> 
> Server running FreeBSD 8.1
> Bind 9.7.0-P3

Upgrade.  You really don't want to be running Bind 9.7.0-P3 any more.
 
> options {
>     query-source address * port *;
>     use-v4-udp-ports { range 2048 65535; };
>     recursive-clients   2;
>     recursion yes;
> 
>     allow-recursion {
>         any;
>     };
> 
>     allow-query {
>         any;
>     };
> 
>     allow-transfer {
>         trusted;
>     };
> }
> 
> When I try to dig the domain name, I receive SERVFAIL status, but when +trace
> is initiated it seems fine
> 
> --
> 
> dig @localhost www.kwsp.gov.my 
> 
> ; <<>> DiG 9.7.0-P3 <<>> @localhost www.kwsp.gov.my
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32501
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.kwsp.gov.my.   IN  A
> 
> ;; Query time: 384 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Dec 22 15:02:41 2010
> ;; MSG SIZE  rcvd: 33
> 
> -
> 
> -
> dig @localhost www.kwsp.gov.my +trace
> 
> ; <<>> DiG 9.7.0-P3 <<>> @localhost www.kwsp.gov.my +trace
> ; (2 servers found)
> ;; global options: +cmd
> .   518400  IN  NS  k.root-servers.net.
> .   518400  IN  NS  e.root-servers.net.
> .   518400  IN  NS  h.root-servers.net.
> .   518400  IN  NS  c.root-servers.net.
> .   518400  IN  NS  m.root-servers.net.
> .   518400  IN  NS  i.root-servers.net.
> .   518400  IN  NS  d.root-servers.net.
> .   518400  IN  NS  a.root-servers.net.
> .   518400  IN  NS  l.root-servers.net.
> .   518400  IN  NS  b.root-servers.net.
> .   518400  IN  NS  f.root-servers.net.
> .   518400  IN  NS  j.root-servers.net.
> .   518400  IN  NS  g.root-servers.net.
> ;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms
> 
> my. 172800  IN  NS  dns.mynic.net.my.
> my. 172800  IN  NS  ns20.iij.ad.jp.
> my. 172800  IN  NS  ns2.cuhk.edu.hk.
> my. 172800  IN  NS  ns5.jaring.my.
> my. 172800  IN  NS  ns6.jaring.my.
> my. 172800  IN  NS  ns-my.nic.fr.
> my. 172800  IN  NS  dns2.mynic.net.my.
> ;; Received 486 bytes from 192.5.5.241#53(f.root-servers.net) in 5 ms
> 
> gov.my. 86400   IN  NS  ns5.jaring.my.
> gov.my. 86400   IN  NS  ns20.iij.ad.jp.
> gov.my. 86400   IN  NS  ns2.cuhk.edu.hk.
> gov.my. 86400   IN  NS  dns1.mynic.net.my.
> gov.my. 86400   IN  NS  ns6.jaring.my.
> ;; Received 266 bytes from 192.134.0.49#53(ns-my.nic.fr) in 351 ms
> 
> kwsp.gov.my.86400   IN  NS  harimau.skali.com.my.
> kwsp.gov.my.86400   IN  NS  rusa.skali.com.my.
> kwsp.gov.my.86400   IN  NS  ns3.pttcdc.com.my.
> ;; Received 109 bytes from 137.189.6.21#53(ns2.cuhk.edu.hk) in 52 ms
> 
> www.kwsp.gov.my.43200   IN  CNAME   www.yu.kwsp.gov.my.
> ;; Received 54 bytes from 202.184.117.10#53(ns3.pttcdc.com.my) in 21 ms
> ---
> 
> If I try rndc flush and dig again, the record returns the result
> 
> --
> 
> dig @localhost www.kwsp.gov.my
> 
> ; <<>> DiG 9.7.0-P3 <<>> @localhost www.kwsp.gov.my
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.kwsp.gov.my.   IN  A
> 
> ;; ANSWER SECTION:
> www.kwsp.gov.my.43186   IN  CNAME   www.yu.kwsp.gov.my.
> www.yu.kwsp.gov.my. 30  IN  A   202.162.21.166
> 
> ;; AUTHORITY SECTION:
> yu.kwsp.gov.my. 43200   IN  NS  ns2.yu.kwsp.gov.my.
> yu.kwsp.gov.my. 43200   IN  NS  ns1.yu.kwsp.gov.my.
> 
> ;; Query time: 829 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Dec 22 15:04:55 2010
> ;; MSG SIZE  rcvd: 106
> 
> 
> 
> 
> From the debug logs, we see the error message as below
> 
> gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:38:52

dnssec subzone not signed question

2010-12-22 Thread jim
Greetings,

Thanks to all for the excellent information on the list and taking the time
to reply.

Upgrading server hardware, RedHat SELinux, bind, dhcp and going for dnssec
on these new machines.
Getting close but still some basic questions before going to a production
island of security.

Signed zone example.edu, seen the zone and in-addr.arpa grow as follows using
key size of 1024:
    58,930  dns.example-dom
11,892,408  dns.example-dom.signed
     3,191  dns.net-example
 6,879,841  dns.net-example.signed

This was just for our static configurations, the size increase got me
worried about our dynamic dns zones for wireless and residence hall
machines. Have been running ddns and dhcp on same machine, master for the
ddns zones, i.e.
.wireless1.example.edu, .wireless2.example.edu
.building1.example.edu, .building2.example.edu

The master for example.edu is on one machine and a third machine is
secondary for these two.
Lots of ddns traffic on the wireless zones, not much on the hardwired
building zones.
Anyway, do not really need dnssec for these dynamic zones, at least not
right now.

Showing my ignorance, can I just not sign the dynamic subzones,
wirelessN/buildingN.example.edu, even though example.edu is signed?
Testing with dig, do not get SERVFAIL for the dynamic subzones, and do get
the RRSIG for signed example.edu queries.
Worried I am breaking something not signing the subzones under a signed main
zone and will not see it until going live?
 example.edu is signed
 subzone.example.edu is not signed

thanks!
jim

Re: ignoring incorrect nameservers in authority section

2010-12-22 Thread Benny Pedersen

On Wed 22 Dec 2010 10:09:10 CET, Matus UHLAR - fantomas wrote:

> Well, first find which is the real problem - domain delegated to invalid
> servers, server providing invalid data, and then you have to fix what is
> broken.
>
> Give us a real example if we have to provide a real solution.


zone "rfc-ignorant.org" IN {
    type forward;
    forward first;  // cache dns
    forwarders {
        193.162.153.164;    // ns1.inet.tele.dk
        194.239.134.83;     // ns1.tele.dk
    };
};


If I remove this zone from my named.conf then the domain does not exist.

I don't know if I have the same problem as this thread or if it's my fault for
making a workaround at all; I have contacted Sonic but still have no useful
reply back.


Sorry if I should have started a new thread.

--
xpoint



Re: named: high memory usage under FreeBSD-7...?

2010-12-22 Thread Chuck Swiger
Hi--

On Dec 21, 2010, at 4:34 PM, Doug Barton wrote:
> You're combining too many variables. Whilst on the same platform (presumably 
> FreeBSD 7) install dns/bind94, run your tests. Then deinstall that, and 
> install dns/bind96; then run your tests.
> 
> I suspect that what you're seeing is actually a problem in BIND 9.4, 
> irrespective of platform. The method described above is the way to verify 
> this.


Start with dns/bind94 port (aka bind94-9.4.4.ESV.4), named.conf contains 
"max-cache-size 10m;".

Initial state after restart (per "ps auxww"):

USER  PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
bind13954  0.8  1.5 10592  7844  ??  Ss7:47PM   0:00.13 
/usr/local/sbin/named -t /var/named -u bind

Run: /usr/local/bin/adnslogres -c 100 /var/log/httpd-access.log > 
/var/log/httpd-access.log.dns &
Run: while ( true ) { sleep 120 && ps auxww | grep bind }

bind13954 14.4  3.7 23904 18848  ??  Ss7:47PM   0:20.95 named [1]
bind13954  4.0  3.8 23904 19360  ??  Ss7:47PM   0:29.30 named
bind13954 10.0  3.9 24928 19880  ??  Ss7:47PM   0:41.28 named
bind13954 22.4  3.9 24928 20136  ??  Rs7:47PM   0:53.50 named
bind13954 13.2  4.0 25952 20652  ??  Ss7:47PM   1:14.10 named
bind13954  1.2  4.1 25952 20908  ??  Ss7:47PM   1:23.15 named
bind13954  1.2  4.2 26976 21424  ??  Ss7:47PM   1:33.53 named
bind13954  3.2  4.2 26976 21680  ??  Ss7:47PM   1:37.58 named
bind13954  3.2  4.3 28000 21940  ??  Ss7:47PM   1:44.10 named
bind13954  2.4  4.3 28000 21940  ??  Ss7:47PM   1:47.35 named
bind13954  0.8  4.3 28000 22196  ??  Ss7:47PM   1:50.24 named
bind13954 17.6  4.3 28000 22196  ??  Rs7:47PM   1:58.02 named
bind13954  8.8  4.4 29024 22716  ??  Ss7:47PM   2:13.23 named
bind13954 12.8  4.5 29024 22980  ??  Ss7:47PM   2:24.34 named
bind13954 13.2  4.5 29024 23236  ??  Ss7:47PM   2:39.47 named
bind13954  2.8  4.8 31072 24628  ??  Ss7:47PM   2:51.60 named
bind13954  2.0  4.8 31072 24668  ??  Ss7:47PM   2:56.72 named
bind13954  0.4  4.9 31072 24956  ??  Ss7:47PM   3:01.82 named
bind13954 14.0  4.9 31072 25228  ??  Ss7:47PM   3:20.42 named
bind13954  8.8  5.0 32096 25488  ??  Ss7:47PM   3:35.10 named
bind13954 17.6  5.0 32096 25744  ??  Ss7:47PM   3:55.95 named
bind13954  1.2  5.1 32096 26000  ??  Ss7:47PM   4:08.39 named
bind13954  2.4  5.1 33120 26264  ??  Ss7:47PM   4:17.74 named
bind13954 18.4  5.2 33120 26776  ??  Rs7:47PM   4:37.36 named
bind13954  0.4  5.3 34144 27036  ??  Ss7:47PM   4:52.03 named
bind13954  3.6  5.3 34144 27036  ??  Ss7:47PM   5:02.75 named
bind13954  4.4  5.3 34144 27036  ??  Ss7:47PM   5:17.72 named
bind13954 14.4  5.4 34144 27360  ??  Ss7:47PM   5:28.60 named
bind13954 12.8  5.4 34144 27616  ??  Ss7:47PM   5:48.69 named
bind13954  0.8  5.5 35168 27876  ??  Ss7:47PM   5:56.06 named
bind13954  3.6  5.5 35168 27876  ??  Ss7:47PM   6:08.84 named
bind13954 11.2  5.4 35168 27840  ??  Ss7:47PM   6:21.49 named
bind13954  0.0  5.5 35168 28096  ??  Ss7:47PM   6:33.06 named
bind13954 16.8  5.5 36192 28356  ??  Rs7:47PM   6:42.72 named
bind13954  4.8  5.6 36192 28612  ??  Ss7:47PM   6:53.38 named
bind13954  4.4  5.6 36192 28612  ??  Ss7:47PM   6:59.99 named
bind13954  4.4  5.6 36192 28612  ??  Ss7:47PM   7:08.33 named
bind13954 11.2  5.6 36192 28872  ??  Rs7:47PM   7:16.51 named
[ ... ]

--

dns/bind96 port (aka bind96-9.6.3.ESV.3)

Initial state:

USER  PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
bind32393  0.0  1.3  9760  6480  ??  Ss1:14PM   0:00.13 
/usr/local/sbin/named -t /var/named -u bind

bind32393  2.0  1.9 13856  9720  ??  Ss1:14PM   0:08.08 named
bind32393  8.8  2.1 14880 10748  ??  Ss1:14PM   0:24.26 named
bind32393  4.0  2.1 14880 10748  ??  Ss1:14PM   0:31.18 named
bind32393 15.6  2.3 15904 11520  ??  Ss1:14PM   0:47.61 named
bind32393 16.0  2.4 16928 12296  ??  Ss1:14PM   1:11.23 named
bind32393  0.8  2.5 17952 12844  ??  Ss1:14PM   1:20.38 named
bind32393  3.2  2.6 17952 13104  ??  Ss1:14PM   1:29.30 named
bind32393  1.2  2.6 18976 13476  ??  Ss1:14PM   1:38.06 named
bind32393  4.8  2.6 18976 13476  ??  Ss1:14PM   1:42.38 named
bind32393  0.0  2.6 18976 13476  ??  Ss1:14PM   1:44.87 named
bind32393  1.2  2.7 18976 13732  ??  Ss1:14PM   1:51.82 named
bind32393  2.4  2.7 18976 13732  ??  Ss1:14PM   1:54.28 named
bind32393  1.6  2.7 18976 13748  ??  Ss1:14PM   1:59.01 named
bind32393 11.6  3.0 2 15124  ??  Ss1:14PM   2:19.08 named
bind32393  2.4  3.1 21024 15772  ??  Ss1:14PM   2:31.99 named
bind32393 14.8  3.1 21024 16044  ??  Ss1:14PM   2:49.67 named
bind32393 10.0  3.2 22048 16304  ??  Ss

Re: dnssec subzone not signed question

2010-12-22 Thread Alan Clegg

> Showing my ignorance, can I just not sign the dynamic subzones,
> wirelessN/buildingN.example.edu, even though example.edu is signed?

Sure.  As long as you don't put a DS record in the parent, you most
certainly don't HAVE to sign the child zones.

AlanC




BIND 9.7.3b1 is now available

2010-12-22 Thread Mark Andrews

Introduction

   BIND 9.7.3b1 is the first beta release of BIND 9.7.3.

   This document summarizes changes from BIND 9.7.1 to BIND 9.7.3. Please
   see the CHANGES file in the source code release for a complete list of
   all changes.

Download

   The latest release of BIND 9 software can always be found on our web
   site at http://www.isc.org/software/bind. There you will find
   additional information about each release, source code, and some
   pre-compiled versions for certain operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

New Features

9.7.2

 * Zones may be dynamically added and removed with the "rndc addzone"
   and "rndc delzone" commands. These dynamically added zones are
   written to a per-view configuration file. Do not rely on the
   configuration file name nor contents as this will change in a
   future release. This is an experimental feature at this time.
 * Added new "filter-aaaa-on-v4" access control list to select which
   IPv4 clients have AAAA record filtering applied.
 * A new command "rndc secroots" was added to dump a combined summary
   of the currently managed keys combined with statically configured
   trust anchors.
 * Added support to load new keys into managed zones without signing
   immediately with "rndc loadkeys". Added support to link keys with
   "dnssec-keygen -S" and "dnssec-settime -S".

9.7.2-P1

   None.

9.7.2-P2

   None.

9.7.2-P3

   None.

9.7.3

   None.

Feature Changes

9.7.2

 * Documentation improvements
 * ORCHID prefixes were removed from the automatic empty zone list.
 * Improved handling of GSSAPI security contexts. Specifically, better
   memory management of cached contexts, limited lifetime of a context
   to 1 hour, and added a "realm" command to nsupdate to allow
   selection of a non-default realm name.
 * The contributed tool "zkt" was updated to version 1.0.

9.7.2-P1

   None.

9.7.2-P2

   None.

9.7.2-P3

   None.

9.7.3

   None.

Security Fixes

9.7.2

   None.

9.7.2-P1

 * If BIND, acting as a DNSSEC validating server, has two or more
   trust anchors configured in named.conf for the same zone (such as
   example.com) and the response for a record in that zone from the
   authoritative server includes a bad signature, the validating
   server will crash while trying to validate that query.

9.7.2-P2

 * A flaw where the wrong ACL was applied was fixed. This flaw allowed
   access to a cache via recursion even though the ACL disallowed it.

9.7.2-P3

 * Adding a NO DATA signed negative response to cache failed to clear
   any matching RRSIG records already in cache. A subsequent lookup of
   the cached NO DATA entry could crash named (INSIST) when the
   unexpected RRSIG was also returned with the NO DATA cache entry.
   [RT #22288] [CVE-2010-3613] [VU#706148]
 * BIND, acting as a DNSSEC validator, was determining if the NS RRset
   is insecure based on a value that could mean either that the RRset
   is actually insecure or that there wasn't a matching key for the
   RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
   RRset. This can happen when in the middle of a DNSKEY algorithm
   rollover, when two different algorithms were used to sign a zone
   but only the new set of keys are in the zone DNSKEY RRset. [RT
   #22309] [CVE-2010-3614] [VU#837744]
 * When BIND is running as an authoritative server for a zone and
   receives a query for that zone data, it first checks for
   allow-query acls in the zone statement, then in that view, then in
   global options. If none of these exist, it defaults to allowing any
   query (allow-query {"any"};).
   With this bug, if the allow-query is not set in the zone statement,
   it failed to check in view or global options and fell back to the
   default of allowing any query. This means that queries that the
   zone owner did not wish to allow were incorrectly allowed. [RT
   #22418] [CVE-2010-3615] [VU#510208]

9.7.3

   None.

Bug Fixes

9.7.2

 * Removed a warning message when running BIND 9 under Windows for
   when a TCP connection was aborted. This is a common occurrence and
   the warning was extraneous.
 * Worked around a race condition in the cache database memory
   handling. Without this fix a DNS cache DB or ADB could incorrectly
   stay in an over memory state, effectively refusing further caching,
   which subsequently made a BIND 9 caching server unworkable.
 * Partially disabled change 2864 because it would cause infinite
   attempts of RRSIG queries.
 * BIND did no

Re: dnssec subzone not signed question

2010-12-22 Thread jim
Hi Alan,

Sorry, I still need to be spoon fed.
When you say DS record in the parent, would this be .example.edu or my
parent .edu?

The end result is to get example.edu as a DNSSEC-secured zone by getting a DS
record in .edu.

So it sounds like when I do upload the example.edu DS record to .edu, my
subdomain.example.edu will break, and I will need to sign every zone inside
example.edu?

thanks!


On Wed, Dec 22, 2010 at 4:14 PM, Alan Clegg wrote:

>
> > Showing my ignorance, can I just not sign the dynamic subzones,
> > wirelessN/buildingN.example.edu, even though example.edu is signed?
>
> Sure.  As long as you don't put a DS record in the parent, you most
> certainly don't HAVE to sign the child zones.
>
> AlanC
>
>

Re: DDNS fails. record allready exists

2010-12-22 Thread Sten Carlsen
Also be careful about .local, that name is being used by the systems for
"bonjour", so if you also use it, strange things have been known to
happen. May I suggest e.g. .lan, .home, .xyz, ...

On 22/12/10 21:06, magic-b...@damage.devloop.de wrote:
> Hi,
> keep calm ;-) I do not await a solution in 5 minutes ;-)
>
> Am Dienstag, 21. Dezember 2010, 23:38:13 schrieb Bill Larson:
>> On Mon, Dec 20, 2010 at 1:34 PM,  wrote:
>>> Hi List,
>>> I have not yet found a solution for my problem. So I came here:
>>>
>>> I use DDNS. Every night my server (in my local network) is shutting down.
>>> On
>>> the next day I have the problem that DDNS is no longer working, because
>>> on update I get the error that the DNS record already exists. What is
>>> the solution?
>>>
>>> I use BIND version 9.7.2_p3-r1.
>> Well, there have been two questions asked but no more information given.
>> That doesn't make it easy for anyone to help you.
>>
>> Some questions:
>>
>> 1. What is your DHCP server?  H/W and S/W.  Are you talking about a Linux
>> box running "dhcpd" or a NetGear router running their DHCP server.  This
>> may make just a little difference.
> I use the DHCPD from http://www.isc.org/products/DHCP. I run Gentoo Linux on 
> that server. This server is the router, dhcp server and dns server in my LAN. 
> It is standard x86 hardware.
>
>> 2. Why is your server shutting down?  Is this shutdown expected?  Also,
>> which server are you referring to?  Is this the DNS server or the DHCP
>> server (or both)?  You may have problems well outside the issue of DHCP and
>> DNS.
> It is shutting down every night, because I sleep at night ;-) DHCP and Bind
> both are running on this server. It is just an idea of mine that bind is
> dumping the journal to the zone file on shutting down. In the primary zone
> file I have:
>
> coffee  A   192.168.11.35
>
> But I never wrote it there myself. This must be a result of DDNS.
>
>> 3. Who is trying to perform the DDNS updates?  Is this the client machines
>> or the DHCP server?
> The DHCP tries to perform a DDNS update if the client sends its hostname
> (what it normally should do). The client itself just performs a DHCP
> request. The DDNS update is done via rndc-key.
>
>> 4. What do you see in your logs?  This may answer your question without any
>> more work on anybody's part.
> 22-Dec-2010 20:35:44.451 update: info: client 192.168.11.1#58646: updating 
> zone 'sugarland.local/IN': update unsuccessful: coffee.sugarland.local/A: 
> 'rrset does not exist' prerequisite not satisfied (YXRRSET)
>
> I was reading that this means that the name/ip already exists. I was confused 
> by the message but I found a page which explained why it says "not exist".
>
> When I got the error message, "coffee" had a record for 192.168.11.35, but
> coffee was getting 192.168.11.42. BTW: coffee is a notebook that dual boots
> Windows and Linux. Maybe this is part of the problem?!
>
>> 5. What is your DNS server configuration?  Who is allowed to perform DDNS
>> updates?
> include "/etc/bind/rndc.key";
> controls {
> inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
> };
>
> zone "sugarland.local" IN {
> type master;
> file "pri/sugarland.zone";
> allow-update { key rndc-key; };
> };
>
> zone "11.168.192.in-addr.arpa" IN {
> type master;
> file "pri/11.168.192.zone";
> allow-update { key rndc-key; };
> };
>
>
>> 6. When you say that "the DNS record already exists", have you confirmed
>> this?  Just query your DNS server for that record and see if it is really
>> there.  If it is not, this this message, which I am assuming is from your
>> DHCP server or from your client machine, isn't true.  Then again, if it
>> really does exist, why would you think that it magically disappears?  If
>> you add a record to a zone, why would you think that it shouldn't still be
>> there?
> It is true. See above.
>
>> 7.  You say you are running "BIND version 9.7.2_p3-r1".  Sorry, I can
>> understand the 9.7.2-P3 part, but what is the "r1" you are referring to?
>> (I'll bet you are running Gentoo Linux, but this is just an assumption.) 
>> Is this built from the BIND sources from ISC or is this some package that
>> you got from someone else?
> You win :-) This is a version extension from Gentoo. The package uses the
> sources from ftp://ftp.isc.org/isc/bind9. No patches are applied.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: DDNS fails. record allready exists

2010-12-22 Thread Mark Andrews

This is a DHCP issue and I would be re-asking on the dhcp list if
the explanation below is not enough.  Named is just honouring what
is in the update requests.

dhcpd tries to ensure it doesn't clobber records it doesn't have
change control for.  From memory it does this with a new lease by
asking is there an A record for the name and having the update abort
if it is there.  If this update fails it makes a second update
request, this time looking for a TXT record with known content
specific to the DHCP server, and the update succeeds if that is
there.  See below for an example of the TXT record it looks for.

By shutting down overnight I suspect you are triggering the new
lease processing as the DHCP server isn't running when the lease
expires.  As long as the address record gets added by one of the
update requests there is no problem, just a bit of noise in the
logs.

Mark

; <<>> DiG 9.6.0-APPLE-P2 <<>> any BRNEE8E63.dv.isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8499
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;BRNEE8E63.dv.isc.org.  IN  ANY

;; ANSWER SECTION:
BRNEE8E63.dv.isc.org.   1800IN  A   192.168.191.122
BRNEE8E63.dv.isc.org.   1800IN  RRSIG   A 5 4 1800 20110129005954 
2010113256 14436 dv.isc.org. 
v5G+lPmaHfEJp5qSN0JiJJagrj7HPff5nblelsu/oEB5nXh8MCJVZb9W 
7qGlO3q/Jmj+4N21ADErCKecmipGyQ==
BRNEE8E63.dv.isc.org.   1800IN  TXT 
"3115c8fab3a3b80243bfe8be9b83182565"
BRNEE8E63.dv.isc.org.   1800IN  RRSIG   TXT 5 4 1800 20110129005954 
2010113256 14436 dv.isc.org. 
2bPfwxfWpZ7omD7Vd9VfFrSbV1nCiTfF3ymPhudG+rF6g9ms/81zyEVV 
B+vhzS8KUj3O1AixECdnTMljYI9FYA==
BRNEE8E63.dv.isc.org.   86400   IN  NSECbsdi.dv.isc.org. A TXT RRSIG 
NSEC
BRNEE8E63.dv.isc.org.   86400   IN  RRSIG   NSEC 5 4 86400 20110129005954 
2010113256 14436 dv.isc.org. 
0KHHF6xjPqyo5ps31BP2PI6lQ3AAW8n8gVmoc4ijTFB5/rzUN2gw86Ug 
GFRiCTirEbXdDX5lnJZ9sj3oG4qzeQ==

;; AUTHORITY SECTION:
dv.isc.org. 86400   IN  NS  drugs.dv.isc.org.
dv.isc.org. 86400   IN  NS  bsdi1.dv.isc.org.

;; ADDITIONAL SECTION:
bsdi1.dv.isc.org.   86400   IN  A   192.168.191.233

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 23 11:46:26 2010
;; MSG SIZE  rcvd: 512

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
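The two-request sequence Mark describes, modelled as an added example in plain Python (not dhcpd or named code): RFC 2136 prerequisites are checked against a tiny in-memory zone, so the first request fails with exactly the YXRRSET seen in the log and the retry goes through only when the TXT identity record matches. Zone contents, addresses and TXT strings are constructed, and the contents of the second request's update section are my assumption.

```python
# Added example, not dhcpd or named code: a pure-Python model of the two
# update requests described in the thread, using RFC 2136 prerequisites.
# Zone contents, IPs and TXT identity strings are constructed; "delete the
# old A then add the new one" in the second request is an assumption about
# what the retry carries, not taken from dhcpd source.

# RFC 2136 section 2.4 prerequisite kinds and the RCODE each yields when it
# is not satisfied (section 3.2.5): the pairing behind the log line
# "'rrset does not exist' prerequisite not satisfied (YXRRSET)".
NXRRSET = "nxrrset"   # "RRset does not exist"           -> YXRRSET on failure
YXRRSET = "yxrrset"   # "RRset exists (value dependent)" -> NXRRSET on failure


def unsatisfied_prereq(zone, prereqs):
    """Return (rcode, reason) for the first prerequisite that fails, else None.

    zone    : {owner: {rrtype: set(rdata)}}, a tiny in-memory zone
    prereqs : (NXRRSET, owner, rrtype) or (YXRRSET, owner, rrtype, {rdata, ...})
    """
    for p in prereqs:
        kind, owner, rrtype = p[0], p[1].lower(), p[2]
        have = zone.get(owner, {}).get(rrtype, set())
        if kind == NXRRSET and have:
            return "YXRRSET", f"{owner}/{rrtype}: 'rrset does not exist' prerequisite not satisfied"
        if kind == YXRRSET and have != set(p[3]):
            return "NXRRSET", f"{owner}/{rrtype}: 'rrset exists (value dependent)' prerequisite not satisfied"
    return None


def apply_update(zone, prereqs, updates):
    """Check all prerequisites first, then apply the update section (RFC 2136
    section 3.4). On a prerequisite failure the zone is left untouched.

    updates : ("add", owner, rrtype, rdata) or ("delete", owner, rrtype)
    """
    failure = unsatisfied_prereq(zone, prereqs)
    if failure is not None:
        return failure
    for op, owner, rrtype, *rdata in updates:
        rrsets = zone.setdefault(owner.lower(), {})
        if op == "add":
            rrsets.setdefault(rrtype, set()).add(rdata[0])
        elif op == "delete":
            rrsets.pop(rrtype, None)
    return "NOERROR", ""


def dhcpd_style_update(zone, fqdn, ip, identity_txt):
    """Issue the update sequence described in the thread for a new lease.

    1st request: add A (and the server's TXT identity) only if no A exists.
    2nd request, only after a YXRRSET: replace the A record, but only if the
    TXT record proves this DHCP server created the name.
    Returns the list of (rcode, reason), one entry per request sent.
    """
    attempts = []
    first = apply_update(
        zone,
        [(NXRRSET, fqdn, "A")],
        [("add", fqdn, "A", ip), ("add", fqdn, "TXT", identity_txt)],
    )
    attempts.append(first)
    if first[0] != "YXRRSET":
        return attempts
    second = apply_update(
        zone,
        [(YXRRSET, fqdn, "TXT", {identity_txt})],
        [("delete", fqdn, "A"), ("add", fqdn, "A", ip)],
    )
    attempts.append(second)
    return attempts


if __name__ == "__main__":
    # Constructed: "coffee" still holds yesterday's A record from DDNS, and
    # today the same client is being handed a different address.
    zone = {"coffee.sugarland.local": {"A": {"192.168.11.35"}, "TXT": {"id-coffee"}}}
    for rcode, reason in dhcpd_style_update(zone, "coffee.sugarland.local",
                                             "192.168.11.42", "id-coffee"):
        print(rcode, reason or "update applied")
    print("A record now:", zone["coffee.sugarland.local"]["A"])
```

The first request's YXRRSET is the "noise in the logs" Mark refers to; the name only stays stale when the TXT record belongs to some other updater, which is the case dhcpd is protecting against.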


Re: Bind not returning A record

2010-12-22 Thread Paul Ooi Cong Jen

On 23-Dec-2010, at 4:39 AM, Mark Andrews wrote:

> 
> In message <4e9b037f-4c66-460e-b70f-5ce9619ff...@takizo.com>, Paul Ooi Cong Jen
> writes:
>> Hi All, 
>> 
>> I am having a problem with a Bind query, but not sure if it is a client
>> error or a server error.
>> Below are the server details.
>> 
>> Server running FreeBSD 8.1
>> Bind 9.7.0-P3
> 
> Upgrade.  You really don't want to be running Bind 9.7.0-P3 any more.
> 
>> options {
>>  query-source address * port *;
>>   use-v4-udp-ports { range 2048 65535; };
>>   recursive-clients   2;
>>   recursion yes;
>> 
>>   allow-recursion {
>>   any;
>>   };
>> 
>>   allow-query {
>>   any;
>>   };
>> 
>>   allow-transfer {
>>   trusted;
>>   };
>> }
>> 
>> When I try to dig the domain name, I receive SERVFAIL status, but when
>> +trace is initiated it seems fine
>> 
>> --
>> 
>> dig @localhost www.kwsp.gov.my 
>> 
>> ; <<>> DiG 9.7.0-P3 <<>> @localhost www.kwsp.gov.my
>> ; (2 servers found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32501
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;www.kwsp.gov.my.   IN  A
>> 
>> ;; Query time: 384 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Wed Dec 22 15:02:41 2010
>> ;; MSG SIZE  rcvd: 33
>> 
>> -
>> 
>> -
>> dig @localhost www.kwsp.gov.my +trace
>> 
>> ; <<>> DiG 9.7.0-P3 <<>> @localhost www.kwsp.gov.my +trace
>> ; (2 servers found)
>> ;; global options: +cmd
>> .   518400  IN  NS  k.root-servers.net.
>> .   518400  IN  NS  e.root-servers.net.
>> .   518400  IN  NS  h.root-servers.net.
>> .   518400  IN  NS  c.root-servers.net.
>> .   518400  IN  NS  m.root-servers.net.
>> .   518400  IN  NS  i.root-servers.net.
>> .   518400  IN  NS  d.root-servers.net.
>> .   518400  IN  NS  a.root-servers.net.
>> .   518400  IN  NS  l.root-servers.net.
>> .   518400  IN  NS  b.root-servers.net.
>> .   518400  IN  NS  f.root-servers.net.
>> .   518400  IN  NS  j.root-servers.net.
>> .   518400  IN  NS  g.root-servers.net.
>> ;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms
>> 
>> my. 172800  IN  NS  dns.mynic.net.my.
>> my. 172800  IN  NS  ns20.iij.ad.jp.
>> my. 172800  IN  NS  ns2.cuhk.edu.hk.
>> my. 172800  IN  NS  ns5.jaring.my.
>> my. 172800  IN  NS  ns6.jaring.my.
>> my. 172800  IN  NS  ns-my.nic.fr.
>> my. 172800  IN  NS  dns2.mynic.net.my.
>> ;; Received 486 bytes from 192.5.5.241#53(f.root-servers.net) in 5 ms
>> 
>> gov.my. 86400   IN  NS  ns5.jaring.my.
>> gov.my. 86400   IN  NS  ns20.iij.ad.jp.
>> gov.my. 86400   IN  NS  ns2.cuhk.edu.hk.
>> gov.my. 86400   IN  NS  dns1.mynic.net.my.
>> gov.my. 86400   IN  NS  ns6.jaring.my.
>> ;; Received 266 bytes from 192.134.0.49#53(ns-my.nic.fr) in 351 ms
>> 
>> kwsp.gov.my.86400   IN  NS  harimau.skali.com.my.
>> kwsp.gov.my.86400   IN  NS  rusa.skali.com.my.
>> kwsp.gov.my.86400   IN  NS  ns3.pttcdc.com.my.
>> ;; Received 109 bytes from 137.189.6.21#53(ns2.cuhk.edu.hk) in 52 ms
>> 
>> www.kwsp.gov.my.43200   IN  CNAME   www.yu.kwsp.gov.my.
>> ;; Received 54 bytes from 202.184.117.10#53(ns3.pttcdc.com.my) in 21 ms
>> ---
>> 
>> If I try rndc flush and dig again, the record returns the result
>> 
>> --
>> 
>> dig @localhost www.kwsp.gov.my
>> 
>> ; <<>> DiG 9.7.0-P3 <<>> @localhost www.kwsp.gov.my
>> ; (2 servers found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20092
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;www.kwsp.gov.my.   IN  A
>> 
>> ;; ANSWER SECTION:
>> www.kwsp.gov.my.43186   IN  CNAME   www.yu.kwsp.gov.my.
>> www.yu.kwsp.gov.my. 30  IN  A   202.162.21.166
>> 
>> ;; AUTHORITY SECTION:
>> yu.kwsp.gov.my. 43200   IN  NS  ns2.yu.kwsp.gov.my.
>> yu.kwsp.gov.my. 43200   IN  NS  ns1.yu.kwsp.gov.my.
>> 
>> ;; Query time: 829 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Wed Dec 22 15:04:

Re: dnssec subzone not signed question

2010-12-22 Thread Alan Clegg
On 12/22/2010 6:49 PM, jim wrote:

> Sorry, still needing spoon fed.

No problem.  You might be interested in a presentation that I gave at
NANOG earlier in the year:

  ftp://ftp.isc.org/isc/pubs/pres/NANOG/50/DNSSEC-NANOG50.pdf

> When you say DS record in the parent, would this be .example.edu or my
> parent .edu
> 
> The end result is get example.edu as a dnssec secured zone by getting a DS
> record in .edu
> 
> So it sounds like when I do upload the example.edu DS record to .edu, my
> subdomain.example.edu will break, I will need to sign every zone inside
> example.edu?

Consider that right now, the root (.) is signed. There is a DS record in
(.) for edu, but there is not a DS record in edu for example.edu.  You
don't have example.edu signed yet, but it continues to work.

AlanC



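The rule Alan states here and in his earlier reply (no DS in the parent, no obligation to sign the child), walked through as an added example that is not part of either message: a plain-Python model of a validator's descent from the root, with zone data constructed to match the thread and signature checking reduced to a "signed" flag.

```python
# Added example, not BIND code: a model of how a validator walks the chain
# of trust from the root down, to show when an unsigned child under a signed
# parent is merely "insecure" (still resolves) and when it becomes "bogus"
# (SERVFAIL). Signature checks are reduced to a "signed" flag; the zone data
# is constructed to match the thread (edu has no DS for example.edu yet).
from copy import deepcopy

# name -> {"signed": zone is signed, "ds_for": children it publishes a DS for}
ZONES = {
    ".": {"signed": True, "ds_for": {"edu"}},
    "edu": {"signed": True, "ds_for": set()},
    "example.edu": {"signed": True, "ds_for": set()},
    "wireless1.example.edu": {"signed": False, "ds_for": set()},
}


def zone_chain(zones, qname):
    """Zone cuts from the root down to the zone holding qname, e.g.
    'host.wireless1.example.edu' -> ['.', 'edu', 'example.edu', 'wireless1.example.edu']."""
    labels = qname.strip(".").split(".")
    candidates = ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    return [z for z in candidates if z in zones]


def validation_status(zones, qname, trust_anchor="."):
    """Return 'secure', 'insecure' or 'bogus' for qname.

    A secure delegation needs a DS in the parent. If the parent publishes
    no DS, the child is provably insecure and resolution still succeeds.
    If a DS is published but the child is not signed, validation fails.
    """
    chain = zone_chain(zones, qname)
    chain = chain[chain.index(trust_anchor):]
    state = "secure" if zones[trust_anchor]["signed"] else "insecure"
    for parent, child in zip(chain, chain[1:]):
        if state != "secure":
            break                      # below an insecure cut nothing is checked
        if child not in zones[parent]["ds_for"]:
            state = "insecure"         # no DS: an unsigned child is fine
        elif not zones[child]["signed"]:
            return "bogus"             # DS promises a signed child that isn't
    return state


def with_ds(zones, parent, child):
    """Copy of zones in which parent publishes a DS record for child."""
    out = deepcopy(zones)
    out[parent]["ds_for"].add(child)
    return out


if __name__ == "__main__":
    print("today:", validation_status(ZONES, "host.wireless1.example.edu"))
    after = with_ds(ZONES, "edu", "example.edu")       # DS uploaded to .edu
    print("after DS in edu:", validation_status(after, "www.example.edu"),
          validation_status(after, "host.wireless1.example.edu"))
    broken = with_ds(after, "example.edu", "wireless1.example.edu")
    print("DS for unsigned subzone:",
          validation_status(broken, "host.wireless1.example.edu"))
```

Uploading the example.edu DS to .edu turns example.edu itself secure while the DS-less wireless subzones stay insecure and keep resolving; only publishing a DS for a subzone that is not signed produces the bogus result jim is worried about.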