Re: ignoring incorrect nameservers in authority section

2010-12-30 Thread pyh
Sunil Shetye writes:

> Quoting from p...@mail.nsbeta.info's mail on Thu, Dec 30, 2010:
>
> > What's the difference between these two flags in the response of
> > dig?
> >
> > ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
> ra : recursion available
> The nameserver is ready to ask other nameservers for the record we
> queried.
>
> As the 'aa' flag is also missing above, the answer is not authoritative.
>
> > ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
> aa : authoritative answer
> The nameserver is authoritative for the zone of the record that we
> queried.
>
> As the 'ra' flag is also missing above, the nameserver will not do a
> lookup for you for records it does not know about.



Thanks a lot.
Where is the documentation for these flags?
I googled but got no correct result :)


Regards.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: ignoring incorrect nameservers in authority section

2010-12-30 Thread pyh
Sunil Shetye writes:

> Case 2: Lame Server Reply
>
> ===
> $ dig +norecurse @a.iana-servers.net. example.org.
> ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;example.org.                   IN      A
>
> ;; ANSWER SECTION:
> example.org.            172800  IN      A       192.0.32.10
>
> ;; AUTHORITY SECTION:
> example.org.            172800  IN      NS      ns1.example.org.
> example.org.            172800  IN      NS      ns2.example.org.
> ===
>
> This is a lame server reply. bind ignores this reply. bind will give a
> server fail reply to the client.




Would you please tell me why this is a lame server reply? Why will bind
give a server fail reply to the client? Thanks again a lot.


Regards.


Re: ignoring incorrect nameservers in authority section

2010-12-30 Thread Sunil Shetye
Quoting from p...@mail.nsbeta.info's mail on Thu, Dec 30, 2010:
> Where is the document for these flags?
> I google'd but got no correct result :)

http://www.tcpipguide.com/free/t_DNSMessageHeaderandQuestionSectionFormat.htm

-- 
Sunil Shetye.


Re: ignoring incorrect nameservers in authority section

2010-12-30 Thread Torinthiel
On 2010-12-30 18:03 p...@mail.nsbeta.info wrote:

>Sunil Shetye writes: 
>
>> 
>> Case 2: Lame Server Reply 
>> 
>> ===
>> $ dig +norecurse @a.iana-servers.net. example.org.
>> ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 
>> 
>> ;; QUESTION SECTION:
>> ;example.org.                   IN      A
>> 
>> ;; ANSWER SECTION:
>> example.org. 172800  IN  A   192.0.32.10 
>> 
>> ;; AUTHORITY SECTION:
>> example.org. 172800  IN  NS  ns1.example.org.
>> example.org. 172800  IN  NS  ns2.example.org.
>> === 
>> 
>> This is a lame server reply. bind ignores this reply. bind will give a
>> server fail reply to the client. 
>> 
> 
>
>Would you please tell me why this is a lame server reply? why bind will 
>give a server fail reply to the client? Thanks again a lot. 

Because it's contrary to itself.
You've specified norecurse, which means that if the nameserver believes it has
authoritative data it should return it, and if it doesn't it should return a
referral (and no answer beside it).

But the server returns an answer (which means it believes it has authoritative
data), but is not listed among the nameservers in the authority section, which states
it does not have authoritative data.

To sum up:
Question: Does the server have authoritative data?
Answer 1: Server returns data when asked without recursion -> YES
Answer 2: Server is not listed in authority section -> NO
Real answer: Lame server.

Regards,
 Torinthiel

Question on ADDITIONAL SECTION

2010-12-30 Thread pyh
$ dig www.cnn.com @202.96.128.166 


; <<>> DiG 9.4.2-P2 <<>> www.cnn.com @202.96.128.166
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65353
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0 


;; QUESTION SECTION:
;www.cnn.com.   IN  A 


;; ANSWER SECTION:
www.cnn.com.            133     IN      A       157.166.226.25
www.cnn.com.            133     IN      A       157.166.226.26
www.cnn.com.            133     IN      A       157.166.255.18
www.cnn.com.            133     IN      A       157.166.255.19
www.cnn.com.            133     IN      A       157.166.224.25
www.cnn.com.            133     IN      A       157.166.224.26


;; Query time: 5 msec
;; SERVER: 202.96.128.166#53(202.96.128.166)
;; WHEN: Thu Dec 30 19:07:17 2010
;; MSG SIZE  rcvd: 125 



$ dig www.cnn.com @61.144.56.100 


; <<>> DiG 9.4.2-P2 <<>> www.cnn.com @61.144.56.100
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10034
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 3, ADDITIONAL: 3 


;; QUESTION SECTION:
;www.cnn.com.   IN  A 


;; ANSWER SECTION:
www.cnn.com.            150     IN      A       157.166.255.18
www.cnn.com.            150     IN      A       157.166.255.19
www.cnn.com.            150     IN      A       157.166.224.25
www.cnn.com.            150     IN      A       157.166.224.26
www.cnn.com.            150     IN      A       157.166.226.25
www.cnn.com.            150     IN      A       157.166.226.26


;; AUTHORITY SECTION:
www.cnn.com.            86400   IN      NS      dmtns07.turner.com.
www.cnn.com.            86400   IN      NS      dmtns01.turner.com.
www.cnn.com.            86400   IN      NS      dmtns02.turner.com.


;; ADDITIONAL SECTION:
dmtns01.turner.com.     3608    IN      A       157.166.226.169
dmtns02.turner.com.     3608    IN      A       157.166.224.169
dmtns07.turner.com.     3608    IN      A       157.166.255.15


;; Query time: 541 msec
;; SERVER: 61.144.56.100#53(61.144.56.100)
;; WHEN: Thu Dec 30 19:06:58 2010
;; MSG SIZE  rcvd: 246 



For the two queries above, why does the second response have an "ADDITIONAL
SECTION" included, but the first doesn't?

Thanks in advance. 


Regards.


Re: ignoring incorrect nameservers in authority section

2010-12-30 Thread pyh



> Because it's contrary to itself.
> You've specified norecurse, which means that if the nameserver believes it has
> authoritative data it should return it, and if it doesn't it should return a
> referral (and no answer beside it).
>
> But the server returns an answer (which means it believes it has authoritative
> data), but is not listed among the nameservers in the authority section, which states
> it does not have authoritative data.



Thanks a lot. 

Please see this dig: 

$ dig +norec dev.game.yy.com @202.96.128.166 


; <<>> DiG 9.4.2-P2 <<>> +norec dev.game.yy.com @202.96.128.166
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31949
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 


;; QUESTION SECTION:
;dev.game.yy.com.   IN  A 


;; ANSWER SECTION:
dev.game.yy.com.        1800    IN      A       202.104.186.179


;; Query time: 5 msec
;; SERVER: 202.96.128.166#53(202.96.128.166)
;; WHEN: Thu Dec 30 19:16:44 2010
;; MSG SIZE  rcvd: 49 



So, is 202.96.128.166 a lame server? 


Regards.


Re: ignoring incorrect nameservers in authority section

2010-12-30 Thread Stacey Jonathan Marshall - Solaris Software

On 12/30/10 10:45, Torinthiel wrote:
> On 2010-12-30 18:03 p...@mail.nsbeta.info wrote:
>
>> Sunil Shetye writes:
>>
>>> Case 2: Lame Server Reply
>>>
>>> ===
>>> $ dig +norecurse @a.iana-servers.net. example.org.
>>> ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;example.org.                   IN      A
>>>
>>> ;; ANSWER SECTION:
>>> example.org.            172800  IN      A       192.0.32.10
>>>
>>> ;; AUTHORITY SECTION:
>>> example.org.            172800  IN      NS      ns1.example.org.
>>> example.org.            172800  IN      NS      ns2.example.org.
>>> ===
>>>
>>> This is a lame server reply. bind ignores this reply. bind will give a
>>> server fail reply to the client.
>>
>> Would you please tell me why this is a lame server reply? why bind will
>> give a server fail reply to the client? Thanks again a lot.
>
> Because it's contrary to itself.
> You've specified norecurse, which means that if nameserver believes it has
> authoritative data it should return it, if it doesn't it should return a
> referral (and no answer beside it).


No, the +norecurse asks the server to provide any answer it has, and not to go 
looking for it if it does not have an answer. So from the response above the 
server has already cached an answer.  Note too that the 'aa' (authoritative 
answer) flag is not set.  Which is interesting as the same query for me gets:


$ dig +norecurse @a.iana-servers.net. example.org.

; <<>> DiG 9.3.6-P1 <<>> +norecurse @a.iana-servers.net. example.org.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;example.org.                   IN      A

;; ANSWER SECTION:
example.org.            172800  IN      A       192.0.32.10

;; AUTHORITY SECTION:
example.org.            172800  IN      NS      a.iana-servers.net.
example.org.            172800  IN      NS      b.iana-servers.net.

;; Query time: 144 msec
;; SERVER: 192.0.34.43#53(192.0.34.43)
;; WHEN: Thu Dec 30 11:29:24 2010
;; MSG SIZE  rcvd: 104



--
--Stacey


Re: ignoring incorrect nameservers in authority section

2010-12-30 Thread Torinthiel
On 2010-12-30 19:18 p...@mail.nsbeta.info wrote:


>Please see this dig: 
>
>$ dig +norec dev.game.yy.com @202.96.128.166 
>
>; <<>> DiG 9.4.2-P2 <<>> +norec dev.game.yy.com @202.96.128.166
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31949
>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
>
>;; QUESTION SECTION:
>;dev.game.yy.com.   IN  A 
>
>;; ANSWER SECTION:
>dev.game.yy.com.        1800    IN      A       202.104.186.179
>
>;; Query time: 5 msec
>;; SERVER: 202.96.128.166#53(202.96.128.166)
>;; WHEN: Thu Dec 30 19:16:44 2010
>;; MSG SIZE  rcvd: 49 
>
>
>So, is 202.96.128.166 a lame server? 

There's something strange with this one.
You've specified +norec on command line, but the query was sent with 'rd' - 
'recursion desired' flag, as if you haven't given +norec. And with recursion 
giving answer is perfectly legal. If not for that flag, then yes, I'd 
consider it a lame response, although probably someone more knowledgeable 
than me should judge this.
Regards,
 Torinthiel 

Re: ignoring incorrect nameservers in authority section

2010-12-30 Thread Torinthiel
On 2010-12-30 11:45 Torinthiel wrote:

>On 2010-12-30 18:03 p...@mail.nsbeta.info wrote:
>
>>Sunil Shetye writes: 
>>
>>> 
>>> Case 2: Lame Server Reply 
>>> 
>>> ===
>>> $ dig +norecurse @a.iana-servers.net. example.org.
>>> ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 
>>> 
>>> ;; QUESTION SECTION:
>>> ;example.org.   IN  A 
>>> 
>>> ;; ANSWER SECTION:
>>> example.org.            172800  IN      A       192.0.32.10
>>> 
>>> ;; AUTHORITY SECTION:
>>> example.org.            172800  IN      NS      ns1.example.org.
>>> example.org.            172800  IN      NS      ns2.example.org.
>>> === 
>>> 
>>> This is a lame server reply. bind ignores this reply. bind will give a
>>> server fail reply to the client. 
>>> 
>> 
>>
>>Would you please tell me why this is a lame server reply? why bind will 
>>give a server fail reply to the client? Thanks again a lot. 
>
>Because it's contrary to itself.
>You've specified norecurse, which means that if nameserver believes it has 
>authoritative data it should return it, if it doesn't it should return a 
>referral (and no answer beside it).
>
>But the server returns answer (which means it believes it has authoritative 
>data), but in authority section is not listed in nameservers, which states 
>it does not have authoritative data.
>
>To sum up:
>Question: Does the server have authoritative data?
>Answer 1: Server returns data when asked without recursion -> YES
>Answer 2: Server is not listed in authority section -> NO
>Real answer: Lame server.

And I was wrong about that one.

There are two issues with that one. First, I get a different response from
that command: different flags (no ra but aa instead), different authority
section.

It's much simpler to tell if it's a 'lame nameserver response', although it
can't be judged by a single query.
Let's say that the nameservers for the .org domain (there are a lot of them), when
asked for example.org, give a.iana-servers.net and b.iana-servers.net (which
is true, and by itself nothing special).
Then let's assume (which is not true, but a good example) that
a.iana-servers.net, when asked for www.example.org, gives something (doesn't
matter if a true answer, or missing record, or anything), but with the 'aa' flag
not set. This, by itself, is still nothing special; no server is required to
know everything.
But from those two answers you have a contradiction, and this contradiction
is a real lame nameserver issue. The .org servers delegate answers to
a.iana-servers.net, and a.iana-servers.net fails to deliver an authoritative
response. So the delegation is in fact incorrect.
Fortunately, a.iana-servers.net does not behave the way I've described here
and does set the 'aa' flag in its response.

Hope this clears up the issue a bit, and reduces misinformation caused by my
previous answer.

Regards,
 Torinthiel
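The two-query test Torinthiel describes above (the parent's NS set says who must answer authoritatively; a delegated server that replies without 'aa' is lame), together with the 'rd' caveat from his reply to the +norec dig, as an added example that is not from the thread. The three dig replies are constructed to mirror the ones quoted in this thread, and the delegated NS set is assumed to have come from a separate query to the .org servers; the parser expects dig's own column layout.

```python
import re
from dataclasses import dataclass, field


@dataclass
class DigReply:
    flags: set
    answer: list = field(default_factory=list)      # (owner, ttl, type, rdata)
    authority: list = field(default_factory=list)


def parse_dig(text: str) -> DigReply:
    """Pull the header flags and the ANSWER/AUTHORITY records out of dig output."""
    flags, section = set(), None
    records = {"answer": [], "authority": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";; flags:\s*([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1).lower()
            continue
        if not line or line.startswith(";") or section not in records:
            continue                        # blanks, comments, other sections
        parts = line.split(None, 4)         # owner ttl class type rdata
        if len(parts) == 5:
            owner, ttl, _cls, rtype, rdata = parts
            records[section].append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return DigReply(flags, records["answer"], records["authority"])


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def classify(reply: DigReply, server: str, delegated_ns: set) -> str:
    """Judge the reply `server` gave to a +norecurse query. `delegated_ns` is the
    NS set the parent zone hands out for the queried name (from a separate query
    to the parent's servers); a server in it must answer with 'aa' or it is lame."""
    if "rd" in reply.flags:
        # recursion was actually requested: a cached, non-aa answer is normal
        # from a recursive resolver, so this reply says nothing about lameness
        return "recursive query: cannot judge"
    if "aa" in reply.flags:
        return "authoritative"
    if _fqdn(server) in {_fqdn(n) for n in delegated_ns}:
        # the parent delegates to this server, yet it answered without 'aa'
        return "lame delegation"
    if reply.answer:
        return "non-authoritative answer (cached data)"
    if any(r[2] == "NS" for r in reply.authority):
        return "referral"
    return "empty non-authoritative reply"


# Constructed samples, patterned on the three replies quoted in this thread.
LAME_REPLY = """\
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
example.org.            172800  IN      A       192.0.32.10
;; AUTHORITY SECTION:
example.org.            172800  IN      NS      ns1.example.org.
example.org.            172800  IN      NS      ns2.example.org.
"""

AA_REPLY = """\
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
example.org.            172800  IN      A       192.0.32.10
;; AUTHORITY SECTION:
example.org.            172800  IN      NS      a.iana-servers.net.
example.org.            172800  IN      NS      b.iana-servers.net.
"""

RD_REPLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
dev.game.yy.com.        1800    IN      A       202.104.186.179
"""

# Assumed: the NS set the .org servers delegate example.org to (as the thread states).
DELEGATED = {"a.iana-servers.net.", "b.iana-servers.net."}


if __name__ == "__main__":
    for label, text, server in (("case 2", LAME_REPLY, "a.iana-servers.net."),
                                ("with aa", AA_REPLY, "a.iana-servers.net."),
                                ("+norec", RD_REPLY, "202.96.128.166")):
        print(f"{label}: {classify(parse_dig(text), server, DELEGATED)}")
```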

Re: Question on ADDITIONAL SECTION

2010-12-30 Thread Stacey Jonathan Marshall - Solaris Software

On 12/30/10 11:12, p...@mail.nsbeta.info wrote:
> $ dig www.cnn.com @202.96.128.166
> ; <<>> DiG 9.4.2-P2 <<>> www.cnn.com @202.96.128.166
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65353
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;www.cnn.com.                   IN      A
> ;; ANSWER SECTION:
> www.cnn.com.            133     IN      A       157.166.226.25
> www.cnn.com.            133     IN      A       157.166.226.26
> www.cnn.com.            133     IN      A       157.166.255.18
> www.cnn.com.            133     IN      A       157.166.255.19
> www.cnn.com.            133     IN      A       157.166.224.25
> www.cnn.com.            133     IN      A       157.166.224.26
> ;; Query time: 5 msec
> ;; SERVER: 202.96.128.166#53(202.96.128.166)
> ;; WHEN: Thu Dec 30 19:07:17 2010
> ;; MSG SIZE  rcvd: 125
>
> $ dig www.cnn.com @61.144.56.100
> ; <<>> DiG 9.4.2-P2 <<>> www.cnn.com @61.144.56.100
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10034
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 3, ADDITIONAL: 3
> ;; QUESTION SECTION:
> ;www.cnn.com.                   IN      A
> ;; ANSWER SECTION:
> www.cnn.com.            150     IN      A       157.166.255.18
> www.cnn.com.            150     IN      A       157.166.255.19
> www.cnn.com.            150     IN      A       157.166.224.25
> www.cnn.com.            150     IN      A       157.166.224.26
> www.cnn.com.            150     IN      A       157.166.226.25
> www.cnn.com.            150     IN      A       157.166.226.26
> ;; AUTHORITY SECTION:
> www.cnn.com.            86400   IN      NS      dmtns07.turner.com.
> www.cnn.com.            86400   IN      NS      dmtns01.turner.com.
> www.cnn.com.            86400   IN      NS      dmtns02.turner.com.
> ;; ADDITIONAL SECTION:
> dmtns01.turner.com.     3608    IN      A       157.166.226.169
> dmtns02.turner.com.     3608    IN      A       157.166.224.169
> dmtns07.turner.com.     3608    IN      A       157.166.255.15
> ;; Query time: 541 msec
> ;; SERVER: 61.144.56.100#53(61.144.56.100)
> ;; WHEN: Thu Dec 30 19:06:58 2010
> ;; MSG SIZE  rcvd: 246
>
> For the two queries above, why the second response has a "ADDITIONAL SECTION"
> included, but the first doesn't?
>
> Thanks in advance.
> Regards.


Because the 2nd response also included Authority Section, the additional data 
are the addresses of the authoritative servers.



--
--Stacey



Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread Lazy
2010/12/28 Dennis Clarke :
>
>>> trying to resolve www.microsoft.com or microsoft.com results in a
>>> "connection timed out; no servers could be reached"
>>
>> Well, for what it's worth - it's not just you having that issue. When
>> testing from home and from work I get the same.
>>
>
> works fine for me on linux and Solaris.

How does dig ANY microsoft.com look on your site?

When I query, e.g., Google's public DNS resolver, I get

$ dig ANY microsoft.com @8.8.8.8

; <<>> DiG 9.6-ESV-R3 <<>> ANY microsoft.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52638
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;microsoft.com. IN  ANY

;; ANSWER SECTION:
microsoft.com.          3185    IN      A       207.46.197.32
microsoft.com.          3185    IN      A       207.46.232.182
microsoft.com.          85985   IN      NS      ns4.msft.net.
microsoft.com.          85985   IN      NS      ns5.msft.net.
microsoft.com.          85985   IN      NS      ns1.msft.net.
microsoft.com.          85985   IN      NS      ns2.msft.net.
microsoft.com.          85985   IN      NS      ns3.msft.net.
microsoft.com.          3185    IN      SOA     ns1.msft.net. msnhst.microsoft.com. 2010122201 300 600 2419200 3600
microsoft.com.          3185    IN      MX      10 mail.messaging.microsoft.com.
microsoft.com.          3185    IN      TXT     "FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ=="

;; Query time: 36 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 30 17:07:20 2010
;; MSG SIZE  rcvd: 336


This is missing the second TXT SPF record.

bind and powerdns-recursor seem to reply with all the records for
microsoft.com they have, so if you earlier requested A and TXT you
get A and TXT from your local resolver, despite the fact that the m$ servers sent
truncated answers for ANY queries that got ignored by bind, and didn't
provide TCP, so I guess all you see is your local cache made from
previous non-ANY queries.

The response for dig ANY microsoft.com varies significantly across DNS
servers: sometimes we get TXT records, sometimes we don't, some don't
have SOA etc.


-- 
Lazy


Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread Lazy
2010/12/30 Lazy :
> 2010/12/28 Dennis Clarke :
>>
>>>> trying to resolve www.microsoft.com or microsoft.com results in a
>>>> "connection timed out; no servers could be reached"
>>>
>>> Well, for what it's worth - it's not just you having that issue. When
>>> testing from home and from work I get the same.
>>>
>>
>> works fine for me on linux and Solaris.

> bind and powerdns-recursor seems to reply with all records for
> microsoft.com they have, so if You earlier request for A and TXT you

it looks like it's only powerdns, now I can't reproduce it using bind

Could someone who has a "working" resolver try to restart, and do some
ANY queries without cache?

--
Lazy


Re: Question on ADDITIONAL SECTION

2010-12-30 Thread David Sparro

On 12/30/2010 6:12 AM, p...@mail.nsbeta.info wrote:
> $ dig www.cnn.com @202.96.128.166
> ; <<>> DiG 9.4.2-P2 <<>> www.cnn.com @202.96.128.166
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65353
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
> ;; SERVER: 202.96.128.166#53(202.96.128.166)
> ;; WHEN: Thu Dec 30 19:07:17 2010
> ;; MSG SIZE rcvd: 125
>
> $ dig www.cnn.com @61.144.56.100
> ; <<>> DiG 9.4.2-P2 <<>> www.cnn.com @61.144.56.100
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10034
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 3, ADDITIONAL: 3
>
> For the two queries above, why the second response has a "ADDITIONAL
> SECTION" included, but the first doesn't?


Because the servers at 202.96.128.166 and 61.144.56.100 are either 
configured differently or they use different DNS server implementations.


See BIND option "minimal-responses"
or
http://cr.yp.to/djbdns/dnscache.html  (Responses to DNS clients section)
etc.

--
Dave


Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread lst_hoe02

Quoting Lazy:

> 2010/12/30 Lazy :
>> 2010/12/28 Dennis Clarke :
>>>
>>>>> trying to resolve www.microsoft.com or microsoft.com results in a
>>>>> "connection timed out; no servers could be reached"
>>>>
>>>> Well, for what it's worth - it's not just you having that issue. When
>>>> testing from home and from work I get the same.
>>>>
>>>
>>> works fine for me on linux and Solaris.
>
>> bind and powerdns-recursor seems to reply with all records for
>> microsoft.com they have, so if You earlier request for A and TXT you
>
> it looks like it's only powerdns, now I can't reproduce it using bind
>
> could someone who has "working" resolver try to restart, and do some
> ANY queries without cache ?


With cache reset
Unbound 1.4.7 --> Timeout
Bind 9.7.2-P3 --> Timeout

After doing some other queries for microsoft.com Bind does in fact
deliver what it has, Unbound does not. Besides the fact that MS will
get in trouble if their first often-used RRset gets bigger than
512 bytes, why do you need ANY queries at all?


Regards

Andreas





Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread fakessh @

On Thursday 30 December 2010 at 20:29 +0100, lst_ho...@kwsoft.de wrote:
> Quoting Lazy:
>
> > 2010/12/30 Lazy :
> >> 2010/12/28 Dennis Clarke :
> >>>
> >>>>> trying to resolve www.microsoft.com or microsoft.com results in a
> >>>>> "connection timed out; no servers could be reached"
> >>>>
> >>>> Well, for what it's worth - it's not just you having that issue. When
> >>>> testing from home and from work I get the same.
> >>>>
> >>>
> >>> works fine for me on linux and Solaris.
> >
> >> bind and powerdns-recursor seems to reply with all records for
> >> microsoft.com they have, so if You earlier request for A and TXT you
> >
> > it looks like it's only powerdns, now I can't reproduce it using bind
> >
> > could someone who has "working" resolver try to restart, and do some
> > ANY queries without cache ?
>
> With cache reset
> Unbound 1.4.7 --> Timeout
> Bind 9.7.2-P3 --> Timeout
>
> After doing some other queries for microsoft.com Bind does in fact
> deliver what it has, Unbound does not. Beside the fact that MS will
> get in trouble if their first often used RRset will get bigger than
> 512Byte, why do you need ANY queries at all?
>
> Regards
>
> Andreas


Hello BIND sysadmins.
I just launched a test on the AFNIC zonecheck form.
The form looks buggy: it does not go to the end and is stuck on a problem of
SOA 64.4.59.173

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7



Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread Lazy
2010/12/30  :
> Quoting Lazy:
>
>> 2010/12/30 Lazy :
>>>
>>> 2010/12/28 Dennis Clarke :
>>>>
>>>>>> trying to resolve www.microsoft.com or microsoft.com results in a
>>>>>> "connection timed out; no servers could be reached"
>>>>>
>>>>> Well, for what it's worth - it's not just you having that issue. When
>>>>> testing from home and from work I get the same.
>>>>>
>>>>
>>>> works fine for me on linux and Solaris.
>>
>>> bind and powerdns-recursor seems to reply with all records for
>>> microsoft.com they have, so if You earlier request for A and TXT you
>>
>> it looks like it's only powerdns, now I can't reproduce it using bind
>>
>> could someone who has "working" resolver try to restart, and do some
>> ANY queries without cache ?
>
> With cache reset
> Unbound 1.4.7 --> Timeout
> Bind 9.7.2-P3 --> Timeout
>
> After doing some other queries for microsoft.com Bind does in fact deliver
> what it has, Unbound does not. Beside the fact that MS will get in trouble
> if their first often used RRset will get bigger than 512Byte, why do you
> need ANY queries at all?
>

qmail uses ANY, so m$ is not getting any mail from us; for now I used
zone "microsoft.com" and forwarded it to some DNS that "works".

Regards

Lazy


Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread Tony Finch
On 30 Dec 2010, at 19:56, Lazy  wrote:
> 
> qmail uses ANY so m$ is not getting any mail from us

This is several bugs in qmail. It is making the query in order to canonicalize 
the domain in outgoing email, which it does not need to do according to the 
current SMTP specs. It should be making an MX query (not CNAME as it originally 
did and not ANY as it has done since about 1998) in order to find out if the 
domain needs to be canonicalized. It also has an undersized DNS packet buffer 
and cannot cope with truncated replies, so even if ANY queries for 
microsoft.com worked, qmail could not handle the reply.

Qmail is buggy and unmaintained and has been abandoned by its author. Best 
avoided.

Tony.
--
f.anthony.n.finch  http://dotat.at/



Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread Lazy
2010/12/30 Tony Finch :
> On 30 Dec 2010, at 19:56, Lazy  wrote:
>>
>> qmail uses ANY so m$ is not getting any mail from us
>
> This is several bugs in qmail. It is making the query in order to 
> canonicalize the domain in outgoing email, which it does not need to do 
> according to the current SMTP specs. It should be making an MX query (not 
> CNAME as it originally did and not ANY as it has done since about 1998) in 
> order to find out if the domain needs to be canonicalized. It also has an 
> undersized DNS packet buffer and cannot cope with truncated replies, so even 
> if ANY queries for microsoft.com worked, qmail could not handle the reply.
>
> Qmail is buggy and unmaintained and has been abandoned by its author. Best 
> avoided.

easy for you to say ;)

there are still many more or less happy qmail users, maybe we need
just another patch ;)

Regards

Lazy


RE: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread Lightner, Jeff
If qmail is open source then YOU can patch it to your heart's content
and might even want to fork the project so you're maintaining it for
others.

Expecting BIND to hold itself back or patch itself for 1998 standards is
a bit like expecting people that maintain websites to keep support for
Mosaic.  It's hard enough to get them to do it for Firefox, Chrome,
Opera et al let alone going back to things ancient browsers did.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Lazy
Sent: Thursday, December 30, 2010 4:42 PM
To: bind-users@lists.isc.org
Subject: Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010/12/30 Tony Finch :
> On 30 Dec 2010, at 19:56, Lazy  wrote:
>>
>> qmail uses ANY so m$ is not getting any mail from us
>
> This is several bugs in qmail. It is making the query in order to
> canonicalize the domain in outgoing email, which it does not need to do
> according to the current SMTP specs. It should be making an MX query
> (not CNAME as it originally did and not ANY as it has done since about
> 1998) in order to find out if the domain needs to be canonicalized. It
> also has an undersized DNS packet buffer and cannot cope with truncated
> replies, so even if ANY queries for microsoft.com worked, qmail could
> not handle the reply.
>
> Qmail is buggy and unmaintained and has been abandoned by its author.
> Best avoided.

easy for you to say ;)

there are still many more or less happy qmail users, maybe we need
just another patch ;)

Regards

Lazy


Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread Noel Butler
On Thu, 2010-12-30 at 22:42 +0100, Lazy wrote:

> 2010/12/30 Tony Finch :
> > On 30 Dec 2010, at 19:56, Lazy  wrote:
> >>
> >> qmail uses ANY so m$ is not getting any mail from us
> >
> > This is several bugs in qmail. It is making the query in order to 
> > canonicalize the domain in outgoing email, which it does not need to do 
> > according to the current SMTP specs. It should be making an MX query (not 
> > CNAME as it originally did and not ANY as it has done since about 1998) in 
> > order to find out if the domain needs to be canonicalized. It also has an 
> > undersized DNS packet buffer and cannot cope with truncated replies, so 
> > even if ANY queries for microsoft.com worked, qmail could not handle the 
> > reply.
> >
> > Qmail is buggy and unmaintained and has been abandoned by its author. Best 
> > avoided.
> 
> easy for you to say ;)
> 
> there are still many more or less happy qmail users, maybe we need
> just another patch ;)
> 


I'm sure there's plenty of winblundaz 9(5|8) users out there who want
some 'moderness' as well.
Bind works as required, qmail does not, never did, and never will.


> Regards
> 
> Lazy


No, I won't say it, I won't, no matter how much I want to!




Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-30 Thread Michael Sinatra

On 12/30/10 3:04 PM, Lightner, Jeff wrote:
> If qmail is open source then YOU can patch it to your heart's content
> and might even want to fork the project so you're maintaining it for
> others.
>
> Expecting BIND to hold itself back or patch itself for 1998 standards is
> a bit like expecting people that maintain websites to keep support for
> Mosaic.  It's hard enough to get them to do it for Firefox, Chrome,
> Opera et al let alone going back to things ancient browsers did.


I think Lazy was suggesting that we need another *qmail* patch, not a 
BIND patch.  Note that qmail previously wouldn't accept any DNS response 
over 512 bytes, even if it was received via TCP.  That is clearly broken 
behavior that has since been patched.  However, there are still a bunch 
of unpatched qmail systems out there.  I have found it much easier to 
tell qmail admins who can't resolve 'ANY berkeley.edu' to go get the 
latest patchset rather than engage them in the usual religious war.


I *do* generally agree with your and Tony's points, but regardless of 
whether you think it's valid for qmail to be doing ANY queries to 
canonicalize email domains, the ANY query is a legitimate DNS query and 
it should be supported by authoritative servers.  Moreover, TCP is 
REQUIRED by the DNS specs and it is NOT okay to block it.  It's not okay 
to say "I don't really think that anyone should be querying for ANY 
microsoft.com, so I will allow such queries to break in an ungraceful 
way."  We should be all the more concerned that a query of "TXT 
microsoft.com" yields a 494-byte answer, just 18 bytes away from being 
broken in the same manner.  Legitimate non-qmail MTAs do need to do TXT 
queries for SPF and other records.


At any rate, it may make sense to move this discussion over to 
dns-operations@, since we seem to be in agreement that this isn't a BIND 
problem.


michael


Re: Question on ADDITIONAL SECTION

2010-12-30 Thread pyh




Because the 2nd response also included Authority Section, the additional 
data are the addresses of the authoritative servers. 



Thanks.
But why does the second have an "AUTHORITY SECTION" included, while the first
doesn't?


Regards.


bind replication

2010-12-30 Thread pyh
Hi, 


Is it the right way to run rsync for bind's zone file replication?
If we have dozens of zones, and each zone has more than one view, then in this
case setting up master/slave with standard zone transfer is the hard way IMO.


Thanks.


Dynamic zone...

2010-12-30 Thread Jeff Justice
I apologize in advance for my limited understanding of BIND.  I know  
just enough to have our primary and secondary running without any  
problems, but I am needing to do something new.  I searched this list  
for anything about dynamically updating a zone, but to be honest, it  
all seems over my head and I was unclear whether I was reading  
something that addressed my need.


Here's what I'm trying to do:

I have a computer on a remote network that gets its IP dynamically
from the ISP.  I need to always know where that computer is.  I had
thought that I could simply "scrape" its public IP, have it sent to
my primary NS computer (which of course is on a static IP), then use
that information to keep a zone updated on our DNS.  So, for example,
if my main domain for our company were:


abc.com

then it would be nice to have:

remote.abc.com

that I could use to always reach that machine no matter what its IP is.

I'm sure this can be done, but can anyone explain in simple terms what  
I need to do?


Jeff


Best practice to store the ZONE files

2010-12-30 Thread Michelle Konzack
Hello *,

I am hosting 200.000 domains on my 6 nameservers, and in the meantime it has
become complicated, because there are now around 230.000 files including
subdomains.

There are currently 18 TLDs.

My question is:

How do you handle such an amount of files, and where is the best
place to store them on a Debian system (Lenny/Squeeze)?

Do you recommend storing them on a separate partition, even
if they currently take only around 87 MByte?

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL
Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz
67100 Strasbourg/France
Tel: +33-6-61925193 mobil
Tel: +33-9-52705884 fix

itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack
Kinzigstraße 17
77694 Kehl/Germany
Tel: +49-177-9351947 mobil

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: Dynamic zone...

2010-12-30 Thread Mark Elkins
I do this for my laptops. They can pick up an address from the local
network (wherever I am visiting: airports, data centers, friends, work,
etc.) and then update the info back home on my own network.

Basics - when DHCPCD gets an IP from upstream - it uses nsupdate to send
this info to a dynamic zone hosted on your side.
Problems: The zone on your side needs to be dynamic - so should be
separate from your normal "static" zone, The comms should really be
secure - so you're going to learn a little about dnssec-keygen and
signatures.

This is actually an exercise that we get students to carry out in a DNS
training lab - but once set up - it works well and totally automated if
DHCP is being used. Ah! - I run Linux on my Laptops. I don't do Windows
- but there could be a way. Does this interest you?
So my assumptions are you are using BIND and some sort of Unix/Linux???

On your home zone, create a new zone called 'dhcp.abc.com'.

Use lowish TTLs; you'll need a 'complete' zone, i.e. SOA and NS records.
Add the name of your machine here with the current A record.
Other stuff like a KEY record can be added later (a SIG(0) public key).
Add this new zone to any Slaves and to your own named.conf.

In your abc.com zone, add a CNAME record for your machine pointing to the
new zone.

machine   IN   CNAME   machine.dhcp.abc.com.   ; trailing dot: target is absolute, not relative to abc.com

That separates the Dynamic stuff away from the static stuff!
It should also still resolve - but we are not finished.

Let me know if I should carry on.

On Thu, 2010-12-30 at 23:13 -0600, Jeff Justice wrote:

> I have a computer on a remote network that gets its IP dynamically  
> from the ISP.  I need to always know where that computer is.  I had  
> thought that I could simply "scrape" it's public IP, have it sent to  
> my primary NS computer (which of course is on a static IP), then use  
> that information to keep a zone updated on our DNS.  So, for example,  
> if my main domain for our company were:
> 
> abc.com
> 
> then it would be nice to have:
> 
> remote.abc.com
> 
> that I could use to always reach that machine no matter what its IP is.
> 
> I'm sure this can be done, but can anyone explain in simple terms what  
> I need to do?
> 
> Jeff

-- 
  .  . ___. .__  Posix Systems - Sth Africa.  e.164 VOIP ready
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496


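The procedure Mark describes (a separate dynamic zone, a CNAME from the static zone, and nsupdate driven from the DHCP client) as an added example; this is not Mark's or Jeff's code. It assumes the zone name dhcp.abc.com, the host name "machine", a primary called ns1.abc.com, and a key file path that is only a placeholder for the dnssec-keygen output.

```shell
#!/bin/sh
# Added example: dhcpcd hook that pushes the leased address into the
# separate dynamic zone dhcp.abc.com with nsupdate. Install it under
# /lib/dhcpcd/dhcpcd-hooks/, where dhcpcd sources it with $reason and
# $new_ip_address set. All names below are assumptions, not from the thread.

ZONE="dhcp.abc.com"      # the dynamic zone, kept apart from static abc.com
HOST="machine"           # abc.com holds: machine IN CNAME machine.dhcp.abc.com.
SERVER="ns1.abc.com"     # assumed primary for dhcp.abc.com
TTL=60                   # lowish TTL so a changed address propagates quickly
# Placeholder for the dnssec-keygen private key (TSIG or SIG(0)); on the
# server side the zone needs a matching update-policy/allow-update entry.
KEYFILE="${KEYFILE:-/etc/dhcpcd/Kmachine.dhcp.abc.com.+NNN+NNNNN.private}"

# Emit an nsupdate batch that replaces the A record in one atomic update.
# Returns 1 (and prints nothing) if the address is not a valid dotted quad,
# so a garbage lease never reaches the zone.
build_update() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    printf 'server %s\nzone %s\nupdate delete %s.%s. A\nupdate add %s.%s. %s A %s\nsend\n' \
        "$SERVER" "$ZONE" "$HOST" "$ZONE" "$HOST" "$ZONE" "$TTL" "$ip"
}

# Hook entry point: only act when dhcpcd has actually obtained or renewed
# a lease; other reasons (EXPIRE, NOCARRIER, ...) leave the zone untouched.
dhcpcd_hook() {
    case "${reason:-}" in
        BOUND|RENEW|REBIND|REBOOT)
            build_update "${new_ip_address:-}" | nsupdate -k "$KEYFILE"
            ;;
    esac
}

# When sourced by dhcpcd, $reason is set; when run by hand it is not.
[ -n "${reason:-}" ] && dhcpcd_hook
```

The CNAME in abc.com keeps resolving through all of this, because only the target record inside dhcp.abc.com changes.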