Re: RPZ and negative answers

2013-04-05 Thread Noel Butler
On Fri, 2013-04-05 at 08:51 +0200, Torsten Segner wrote:


> $TTL 43200
> @   IN  SOA a.prim-ns.de.   hostmaster.de.easynet.net.   (
>             2012041802  ; serial
>             28800       ; refresh
>             7200        ; retry
>             604800      ; expire
>             1200        ; negative-caching TTL
>             )
> 
>   IN  NS  localhost.
> 
> subdomain.domain.de  60 A 172.26.30.231
> 
> 
> 
> 
> 
> The above setting is rewriting NXDOMAIN answers for subdomain.domain.de to 
> the above IP address while every other host still has the information of the 
> customers outside zone.
> 
> Am I doing something substantially wrong here RPZ wise?
> 


To cover the domain and its subdomains you need to enter it twice, once
as the absolute name and once as dot.domain.
Using your example it would then be:

subdomain.domain.de  60 A   172.26.30.231
.subdomain.domain.de  60 A  172.26.30.231


or if you want higher, 

domain.de  60 A 172.26.30.231
.domain.de  60 A 172.26.30.231




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Simple question about zone and CNAME

2013-04-05 Thread Thomas Manson
Hi,

 I'd like use CNAME record on my zone.

 I'm able to have this config:

for http://www.mysite.com

www IN CNAME  somehost.com

but I can't do

for http://mysite.com
@  IN CNAME somehost.com

How can I achieve this configuration ?
Is there another way to specify the address of http://mysite.com ?

I would like to avoid pointing at an IP address directly as I'm managing a
few hundred domains and among them, I don't manage some domains of some
clients, which is then very painful and time consuming to make them do some
change.

Regards,
Thomas.

Re: Simple question about zone and CNAME

2013-04-05 Thread Phil Mayers

On 04/05/2013 10:13 AM, Thomas Manson wrote:

> @  IN CNAME somehost.com

Correct. CNAMEs are mutually exclusive with other records (DNSSEC 
signatures excepted) and zone apex requires SOA and NS.

> How can I achieve this configuration ?

You will have to use an A record. Our DNS system allows "CNAME" at zone 
apex, but it resolves it to A/AAAA records when building the DNS zone.

> Is there another way to specify the address of http://mysite.com ?
>
> I would like to avoid pointing at an IP address directly as I'm managing

Can't be avoided.

> a few hundred domains and among them, I don't manage some domains of
> some clients, which is then very painful and time consuming to make them
> do some change.

Automate the zone editing, as above.



Re: Simple question about zone and CNAME

2013-04-05 Thread Thomas Manson
Ok thanks for this confirmation.

I already build my zone file from a Database with a php-cgi script, what's
painful is handling the changes for domains I don't manage directly ;)

Thanks for your quick feedback !

Regards,
Thomas.


On Fri, Apr 5, 2013 at 11:25 AM, Howard Wilkinson  wrote:

> The DNS standards preclude you from doing this. What you are trying to do
> is alias a zone. This cannot happen as a zone must have an SOA record and
> at least one valid NS record. The DNS standard states that where a name has
> an alias, i.e. a CNAME record, "no other record of any type may exist for
> that name".
>
> So you will have to add an A record to achieve the same effect.
>
> On Apr 5, 2013, at 10:13 AM, Thomas Manson wrote:
>
> Hi,
>
>  I'd like use CNAME record on my zone.
>
>  I'm able to have this config:
>
> for http://www.mysite.com
>
> www IN CNAME  somehost.com
>
> but I can't do
>
> for http://mysite.com
> @  IN CNAME somehost.com
>
> How can I achieve this configuration ?
> Is there another way to specify the address of http://mysite.com ?
>
> I would like to avoid pointing at an IP address directly as I'm managing a
> few hundred domains and among them, I don't manage some domains of some
> clients, which is then very painful and time consuming to make them do some
> change.
>
> Regards,
> Thomas.
>

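The build-time flattening Phil Mayers describes (his system accepts a "CNAME" at the apex and emits A/AAAA records when the zone is built) fits the database-driven zone generation Thomas mentions in his reply. The following is an added example, not code from the list or from either poster's system: it expands an assumed pseudo-type ALIAS into address records through a lookup function, then checks the two rules discussed in this thread (no CNAME at the apex, and a CNAME owner carries no other data) before rendering the zone. The address table, the mysite.com/somehost.com records and the SOA values are constructed; resolve() stands in for a real lookup such as dnspython so the script runs offline.

```python
"""Flatten an apex alias into A/AAAA records at zone-build time.

Added example, not the list's or any poster's code.  resolve() is a
constructed stand-in for live resolution so the script runs offline.
"""
import ipaddress
from collections import defaultdict

# Constructed address table standing in for a live lookup (dnspython, dig, ...).
FAKE_DNS = {
    "somehost.com.": ["203.0.113.10", "203.0.113.11", "2001:db8::10"],
}


def resolve(target):
    """Addresses of an absolute name.  Stand-in for live resolution."""
    return FAKE_DNS.get(target if target.endswith(".") else target + ".", [])


class ZoneError(ValueError):
    pass


def expand_records(records, resolve=resolve):
    """Expand the build-time pseudo-type ALIAS (assumed name) into A/AAAA.

    records are (owner, type, rdata) tuples, owner relative to the origin,
    '@' being the apex.  Every other type is passed through unchanged."""
    out = []
    for owner, rtype, rdata in records:
        if rtype != "ALIAS":
            out.append((owner, rtype, rdata))
            continue
        addrs = resolve(rdata)
        if not addrs:
            # Fail the build rather than publish an apex with no addresses.
            raise ZoneError(f"{owner}: ALIAS target {rdata} has no addresses")
        for addr in addrs:
            rtype = "AAAA" if ipaddress.ip_address(addr).version == 6 else "A"
            out.append((owner, rtype, addr))
    return out


def check_cname_rules(records):
    """Violations of the CNAME rules: no CNAME at the apex, and a CNAME
    owner holds nothing but the CNAME (plus DNSSEC RRSIG/NSEC, RFC 4035)."""
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)
    problems = []
    for owner, types in types_at.items():
        if "CNAME" not in types:
            continue
        if owner == "@":
            problems.append("CNAME at zone apex; the apex must carry SOA and NS")
        others = types - {"CNAME", "RRSIG", "NSEC"}
        if others:
            problems.append(f"{owner}: CNAME coexists with {sorted(others)}")
    return problems


def build_zone(origin, records, ttl=3600):
    """Render zone-file text, refusing record sets that break the CNAME rules."""
    expanded = expand_records(records)
    problems = check_cname_rules(expanded)
    if problems:
        raise ZoneError("; ".join(problems))
    lines = [f"$ORIGIN {origin}", f"$TTL {ttl}"]
    lines += [f"{o:<8} IN {t:<6} {r}" for o, t, r in expanded]
    return "\n".join(lines) + "\n"


# Constructed input modelled on the thread: www is a plain CNAME; the apex
# wants to follow somehost.com too, so it is flattened at build time.
MYSITE = [
    ("@",   "SOA",   "ns1.mysite.com. hostmaster.mysite.com. 2013040501 28800 7200 604800 1200"),
    ("@",   "NS",    "ns1.mysite.com."),
    ("@",   "ALIAS", "somehost.com."),
    ("www", "CNAME", "somehost.com."),
]

if __name__ == "__main__":
    print(build_zone("mysite.com.", MYSITE))
```

The trade-off this creates is operational: the apex addresses are a snapshot taken at build time, so the zone has to be regenerated (and the serial bumped) whenever the target's addresses change, and the build must fail loudly, as the empty-answer check does, rather than publish an apex with no address records.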
Re: Simple question about zone and CNAME

2013-04-05 Thread Warren Kumari

On Apr 5, 2013, at 5:23 AM, Phil Mayers  wrote:

> On 04/05/2013 10:13 AM, Thomas Manson wrote:
> 
>> @  IN CNAME somehost.com
> 
> Correct. CNAMEs are mutually exclusive with other records (DNSSEC signatures 
> excepted) and zone apex requires SOA and NS.
> 
> 
>> 
>> How can I achieve this configuration ?
> 
> You will have to use an A record. Our DNS system allows "CNAME" at zone apex, 
> but it resolves it to A/AAAA records when building the DNS zone.
> 
>> Is there another way to specify the address of http://mysite.com ?
>> 
>> I would like to avoid pointing at an IP address directly as I'm managing
> 
> Can't be avoided.

DNAME? 

W

> 
>> a few hundred of domain and among them, I don't manage some domain of
>> some client, which is then very painful and time consuming to make them
>> do some change.
> 
> Automate the zone editing, as above.
> 

--
"Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll 
be warm for the rest of his life." -- Terry Pratchett




Re: Simple question about zone and CNAME

2013-04-05 Thread Phil Mayers

On 05/04/13 14:16, Warren Kumari wrote:

> DNAME?

DNAME doesn't do it, because it directs a sub-tree, not the name itself. 
You'd need the DNAME in the parent zone, and if you can do that, you can 
just put two CNAMEs (zone and *.zone).



Re: RPZ and negative answers

2013-04-05 Thread Vernon Schryver
> From: Torsten Segner 

> subdomain.domain.de  60 A 172.26.30.231

> The above setting is rewriting NXDOMAIN answers for subdomain.domain.de
> to the above IP address while every other host still has the information
> of the customers outside zone.
>
> Am I doing something substantially wrong here RPZ wise?

If it works the way you want it to work, then you're probably
not doing anything wrong.

In any case, I'm all wet and all wrong.  That example with
subdomain.domain.de works for me too when I add it to a test
zone.  (It might also be necessary to list *.subdomain.domain.de.)
I don't know what I did to make the test I tried fail.

Besides, when trying to rewrite based on names, the code uses the
current state of query name (possibly along a CNAME chain) or
ns.name, the name of a relevant name server.


Vernon Schryver    v...@rhyolite.com

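Noel Butler's answer and Vernon Schryver's follow-up above both come down to how an RPZ QNAME trigger is matched: subdomain.domain.de by itself only triggers on that exact name, and the wildcard form *.subdomain.domain.de (the form Vernon gives; in the zone file the owner carries a leading "*." label) is what covers the names below it. The following added example, not code from the thread or from BIND, models the match as a normal lookup in the policy zone with standard wildcard rules, which is how named searches a policy zone for a QNAME trigger, and decodes the action encoded in the matched record (address data = local data, CNAME . = NXDOMAIN, CNAME *. = NODATA, CNAME rpz-passthru. = passthru). The two policy zones and the blocked.example / nodata.example names are constructed. Confirm the subtle cases against your own named with dig before relying on them.

```python
"""RPZ QNAME trigger matching, modelled as a lookup in the policy zone.

Added example, not code from the thread or from BIND.  Zone contents are
constructed from the records quoted in the thread plus the wildcard form.
"""

# Constructed policy zones.  Owner names are written as in the RPZ zone
# file, relative to the policy zone's apex.
ZONE_NAME_ONLY = {
    "subdomain.domain.de": ("A", "172.26.30.231"),
}
ZONE_WITH_WILDCARD = {
    "subdomain.domain.de":   ("A", "172.26.30.231"),
    "*.subdomain.domain.de": ("A", "172.26.30.231"),
    "blocked.example":       ("CNAME", "."),              # NXDOMAIN action
    "*.blocked.example":     ("CNAME", "."),
    "nodata.example":        ("CNAME", "*."),             # NODATA action
    "ok.blocked.example":    ("CNAME", "rpz-passthru."),  # exemption
}


def _exists(zone, name):
    """True if `name` owns records or is an ancestor of a name that does."""
    return any(o == name or o.endswith("." + name) for o in zone)


def match_qname(zone, qname):
    """Policy record triggered by `qname`, as (owner, (type, rdata)), or None.

    Exact owner name first; otherwise the '*' child of the closest enclosing
    name that exists in the zone (RFC 4592 wildcard rules).  If the closest
    encloser has no wildcard child, nothing matches, even when a shorter
    ancestor has one."""
    q = qname.rstrip(".").lower()
    if q in zone:
        return q, zone[q]
    labels = q.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if _exists(zone, encloser):
            wild = "*." + encloser
            return (wild, zone[wild]) if wild in zone else None
    return None


def action(record):
    """Decode the RPZ action carried by the policy record's type and rdata."""
    rtype, rdata = record
    if rtype == "CNAME":
        return {".": "NXDOMAIN", "*.": "NODATA",
                "rpz-passthru.": "PASSTHRU"}.get(rdata, "CNAME " + rdata)
    return f"LOCAL-DATA {rtype} {rdata}"


def rewrite(zone, qname):
    """Human-readable result of applying the policy zone to a query name."""
    m = match_qname(zone, qname)
    if m is None:
        return "no policy match (answer unchanged)"
    owner, record = m
    return f"{owner}: {action(record)}"


if __name__ == "__main__":
    for name in ("subdomain.domain.de", "host.subdomain.domain.de",
                 "www.domain.de", "x.ok.blocked.example"):
        print(f"{name:28} name-only: {rewrite(ZONE_NAME_ONLY, name)}")
        print(f"{name:28} wildcard:  {rewrite(ZONE_WITH_WILDCARD, name)}")
```

The ok.blocked.example entry shows the edge to watch: a passthru record for one name makes that name the closest encloser for everything below it, so x.ok.blocked.example is no longer caught by *.blocked.example and is not exempted either unless *.ok.blocked.example is added as well.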

trouble compiling bind 9.9.2-P2 with rate limit patch rl-9.9.2-P2.patch

2013-04-05 Thread Red Cricket
I have been attempting to follow the instructions here:
http://ss.vix.su/~vjs/rrlrpz.html
but make fails with this error ...

gcc  -I/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2
-I./include -I./unix/include -I.
-I/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2/lib/lwres/include
-I../../lib/lwres/unix/include -I../../lib/lwres/include
-I/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2/lib/dns/include
-I../../lib/dns/include
-I/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2/lib/bind9/include
-I../../lib/bind9/include
-I/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2/lib/isccfg/include
-I../../lib/isccfg/include
-I/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2/lib/isccc/include
-I../../lib/isccc/include
-I/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2/lib/isc/include
-I../../lib/isc -I../../lib/isc/include -I../../lib/isc/unix/include
-I../../lib/isc/nothreads/include -I../../lib/isc/x86_32/include
 -DOPENSSL -D_GNU_SOURCE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64
-mtune=generic  -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings
-Wformat -Wpointer-arith -fno-strict-aliasing  -c lwsearch.c
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="builtin.o client.o config.o control.o
controlconf.o interfacemgr.o listenlist.o log.o logconf.o main.o notify.o
query.o server.o sortlist.o statschannel.o tkeyconf.o tsigconf.o update.o
xfrout.o zoneconf.o lwaddr.o lwresd.o lwdclient.o lwderror.o lwdgabn.o
lwdgnba.o lwdgrbn.o lwdnoop.o lwsearch.o   unix/os.o
unix/dlz_dlopen_driver.o"; \
if [ X"/usr/local/bin/perl5" = X -o X"${MAKE_SYMTABLE:-}" = X ] ;
then gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic  -o named
${BASEOBJS} ${LIBS0} ../../lib/lwres/liblwres.a ../../lib/dns/libdns.a
 -lgssapi_krb5 -lcrypto ../../lib/bind9/libbind9.a
../../lib/isccfg/libisccfg.a ../../lib/isccc/libisccc.a
../../lib/isc/libisc.a   -ldl ; else rm -f namedtmp0;gcc -O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic  -o namedtmp0 ${BASEOBJS}
${LIBS0} ../../lib/lwres/liblwres.a ../../lib/dns/libdns.a  -lgssapi_krb5
-lcrypto ../../lib/bind9/libbind9.a ../../lib/isccfg/libisccfg.a
../../lib/isccc/libisccc.a ../../lib/isc/libisc.a   -ldl  || exit 1; rm -f
named-symtbl.c named-symtbl.o; /usr/local/bin/perl5
../../util/mksymtbl.pl -o named-symtbl.c namedtmp0 || exit 1; make
named-symtbl.o || exit 1; rm -f
namedtmp1;gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic  -o
namedtmp1 ${BASEOBJS} named-symtbl.o ${LIBS0} ../../lib/lwres/liblwres.a
../../lib/dns/libdns.a  -lgssapi_krb5 -lcrypto ../../lib/bind9/libbind9.a
../../lib/isccfg/libisccfg.a ../../lib/isccc/libisccc.a
../../lib/isc/libisc-nosymtbl.a   -ldl  || exit 1; rm -f named-symtbl.c
named-symtbl.o; /usr/local/bin/perl5 ../../util/mksymtbl.pl -o
named-symtbl.c namedtmp1 || exit 1; make named-symtbl.o || exit 1;gcc
-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic  -o namedtmp2 ${BASEOBJS}
named-symtbl.o ${LIBS0} ../../lib/lwres/liblwres.a ../../lib/dns/libdns.a
 -lgssapi_krb5 -lcrypto ../../lib/bind9/libbind9.a
../../lib/isccfg/libisccfg.a ../../lib/isccc/libisccc.a
../../lib/isc/libisc-nosymtbl.a   -ldl ; /usr/local/bin/perl5
../../util/mksymtbl.pl -o named-symtbl2.c namedtmp2; count=0; until diff
named-symtbl.c named-symtbl2.c > /dev/null ; do count=`expr $count + 1` ;
test $count = 42 && exit 1 ; rm -f named-symtbl.c named-symtbl.o;
/usr/local/bin/perl5 ../../util/mksymtbl.pl -o named-symtbl.c namedtmp2 ||
exit 1; make named-symtbl.o || exit 1;gcc -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic  -o namedtmp2 ${BASEOBJS}
named-symtbl.o ${LIBS0} ../../lib/lwres/liblwres.a ../../lib/dns/libdns.a
 -lgssapi_krb5 -lcrypto ../../lib/bind9/libbind9.a
../../lib/isccfg/libisccfg.a ../../lib/isccc/libisccc.a
../../lib/isc/libisc-nosymtbl.a   -ldl ; /usr/local/bin/perl5
../../util/mksymtbl.pl -o named-symtbl2.c namedtmp2; done ; mv namedtmp2 named; rm -f
namedtmp0 namedtmp1 namedtmp2 named-symtbl2.c; fi
client.o: In function `ns_client_error':
/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2/bin/named/client.c:1153: undefined reference to `dns_rrl'
query.o: In function `query_find':
/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2/bin/named/query.c:5803: undefined reference to `dns_rrl'
server.o: In function `configure_rrl':
/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2/bin/named/server.c:1595: undefined reference to `dns_rrl_init'
/users/red/platform/red-bind-beta/BUILD/red-bind-beta-9.9.2/bin/named/server.c:1753: undefined reference

Re: trouble compiling bind 9.9.2-P2 with rate limit patch rl-9.9.2-P2.patch

2013-04-05 Thread Vernon Schryver
> From: Red Cricket 

> I have been attempting to follow the instructions here:
> http://ss.vix.su/~vjs/rrlrpz.html
> but make fails with this error ...

> undefined reference to `dns_rrl'query.o: In function

I bet that there is a passel of stray files including rrl.c in
the top of the BIND source pool and that something like this
    patch -s -i FILE.patch
was used instead of this from http://ss.vix.su/~vjs/rrlrpz.html
    patch -s -p0 -i FILE.patch

Without "-p0", new files from the patch file are created at the current
directory.  See https://www.google.com/search?q=patch+command


Vernon Schryver    v...@rhyolite.com


Re: trouble compiling bind 9.9.2-P2 with rate limit patch rl-9.9.2-P2.patch

2013-04-05 Thread Red Cricket
I used ...

patch -s -p0 -i rl-9.9.2-P2.patch

like it says in the documentation.
I could post the entire set of commands I am executing and the
resulting outputs, but it is kind of a lot of text.
Maybe I could sanitize it and put it on pastebin?


On Fri, Apr 5, 2013 at 11:10 AM, Vernon Schryver  wrote:

> > From: Red Cricket 
>
> > I have been attempting to follow the instructions here:
> > http://ss.vix.su/~vjs/rrlrpz.html
> > but make fails with this error ...
>
> > undefined reference to `dns_rrl'query.o: In function
>
> I bet that there is a passel of stray files including rrl.c in
> the top of the BIND source pool and that something like this
>     patch -s -i FILE.patch
> was used instead of this from http://ss.vix.su/~vjs/rrlrpz.html
>     patch -s -p0 -i FILE.patch
>
> Without "-p0", new files from the patch file are created at the current
> directory.  See https://www.google.com/search?q=patch+command
>
>
> Vernon Schryverv...@rhyolite.com

Re: Simple question about zone and CNAME

2013-04-05 Thread John Wobus

> DNAME?


Or SRV records.  Surely browsers are adding support
in the next day or two?

John


Re: trouble compiling bind 9.9.2-P2 with rate limit patch rl-9.9.2-P2.patch

2013-04-05 Thread Red Cricket
here's a link to pastebin http://pastebin.com/RxcsJMLe


On Fri, Apr 5, 2013 at 11:35 AM, Red Cricket wrote:

> I used ...
>
> patch -s -p0 -i rl-9.9.2-P2.patch
>
> like it says in the documentation.
> I could post the entire set of commands I am executing and the
> resulting outputs, but it is kind of a lot of text.
> Maybe I could sanitize it and put it on pastebin?
>
>
> On Fri, Apr 5, 2013 at 11:10 AM, Vernon Schryver  wrote:
>
>> > From: Red Cricket 
>>
>> > I have been attempting to follow the instructions here:
>> > http://ss.vix.su/~vjs/rrlrpz.html
>> > but make fails with this error ...
>>
>> > undefined reference to `dns_rrl'query.o: In function
>>
>> I bet that there is a passel of stray files including rrl.c in
>> the top of the BIND source pool and that something like this
>>     patch -s -i FILE.patch
>> was used instead of this from http://ss.vix.su/~vjs/rrlrpz.html
>>     patch -s -p0 -i FILE.patch
>>
>> Without "-p0", new files from the patch file are created at the current
>> directory.  See https://www.google.com/search?q=patch+command
>>
>>
>> Vernon Schryverv...@rhyolite.com

Re: Simple question about zone and CNAME

2013-04-05 Thread Chris Thompson

On Apr 5 2013, John Wobus wrote:

>> DNAME?
>
> Or SRV records.  Surely browsers are adding support
> in the next day or two?


Come on, April 1 has been over for too long for this.

Incidentally, we have just been asked for an A record for cam.ac.uk to
duplicate www.cam.ac.uk because, and I quote, "all the publicity material
sent out by the nominator [for an award for the web site] gave the URL
as http://cam.ac.uk/ and this has been retweeted around".

--
Chris Thompson
Email: c...@cam.ac.uk

Re: Simple question about zone and CNAME

2013-04-05 Thread Sam Wilson
In article ,
 Chris Thompson  wrote:

> On Apr 5 2013, John Wobus wrote:
> 
> >> DNAME? 
> >
> >Or SRV records.  Surely browsers are adding support
> >in the next day or two?
> 
> Come on, April 1 has been over for too long for this.
> 
> Incidentally, we have just been asked for an A record for cam.ac.uk to
> duplicate www.cam.ac.uk because, and I quote, "all the publicity material
> sent out by the nominator [for an award for the web site] gave the URL
> as http://cam.ac.uk/ and this has been retweeted around".

We're currently prevaricating over putting in an A record for ed.ac.uk.  
Whilst my colleagues who manage active directory assure me that having 
an A record there - pointing at the content-managed web server that has 
difficulty handling arbitrary URLs - won't break anything I'm not going 
to try it except under very controlled conditions and after I've spoken 
to a lot of other people who do it already.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Re: Simple question about zone and CNAME

2013-04-05 Thread Mike Hoskins (michoski)
-Original Message-

From: Chris Thompson 
Date: Friday, April 5, 2013 3:10 PM
To: Bind Users Mailing List 
Subject: Re: Simple question about zone and CNAME

>On Apr 5 2013, John Wobus wrote:
>
>>> DNAME? 
>>
>>Or SRV records.  Surely browsers are adding support
>>in the next day or two?
>
>Come on, April 1 has been over for too long for this.
>
>Incidentally, we have just been asked for an A record for cam.ac.uk to
>duplicate www.cam.ac.uk because, and I quote, "all the publicity material
>sent out by the nominator [for an award for the web site] gave the URL
>as http://cam.ac.uk/ and this has been retweeted around".

Yes, sadly I've lost that technical battle with marketing several places
now.



Re: Simple question about zone and CNAME

2013-04-05 Thread WBrown
> >Incidentally, we have just been asked for an A record for cam.ac.uk to
> >duplicate www.cam.ac.uk because, and I quote, "all the publicity 
material
> >sent out by the nominator [for an award for the web site] gave the URL
> >as http://cam.ac.uk/ and this has been retweeted around".
> 
> Yes, sadly I've lost that technical battle with marketing several places
> now.

And then there's these folks:

http://no-www.org/ 





Re: trouble compiling bind 9.9.2-P2 with rate limit patch rl-9.9.2-P2.patch

2013-04-05 Thread Vernon Schryver
> From: Red Cricket 

> here's a link to pastebin http://pastebin.com/RxcsJMLe

> > I used ...
> >
> > patch -s -p0 -i rl-9.9.2-P2.patch
> >
> > like it says in the documentation.

It looks like the patch was applied after running ./configure.
That doesn't work because some Makefile.in files are changed
by the patch, and those changed Makefile.in files are used by
./configure to generate some changed Makefiles.  Those changed 
Makefiles compile rrl.c and other things.

Where does the documentation advise running `./configure` before `patch`?
It needs to be corrected.

Instead try:
 1. fetch BIND tarball and matching RPZ/RRL patch
 2. unpack the BIND tarball
 3. change directory (cd) to the unpacked BIND source directory
 4. use `/what/ever/named -V` where /what/ever/named is the currently
   installed version of BIND to get the ./configure parameters from
   the current version for the target platform.
 5. run `./configure stuff` where "stuff" are the parameters from step #4
 6. `make`

I can't help past that point, because it involves installing at
least named-checkconf and named itself.  You might try `make install`
but that might break things.  It certainly should not be done
before saving the currently installed rndc, named-checkconf, and named.

  

Those who are not familiar with building and installing UNIX C programs
from source and don't intend to get that familiarity by fighting
with BIND and the RPZ/RRL patches should wait for BIND releases with RRL.
Currently there are at least FreeBSD ports and a Red Hat Enterprise
Linux Desktop update.  See
https://rhn.redhat.com/errata/RHSA-2013-0550.html
https://bugzilla.redhat.com/show_bug.cgi?id=906312
and 
http://www.freebsd.org/ports/dns.html#bind99-9.9.2.1


Vernon Schryver    v...@rhyolite.com

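Vernon's two diagnoses in this thread can both be checked from the source tree before running make: files the patch creates landing at the top of the tree (patch run without -p0), and Makefile.in files newer than the Makefiles that ./configure generated from them (patch applied after ./configure). The script below is an added example, not code from the list or from the rrlrpz page; it also pulls the configure arguments out of named -V output for step 4 of the procedure above. The file names in PATCH_NEW_FILES are an assumption inferred from the dns_rrl* link errors quoted earlier, the named -V line format is assumed, and make_tree() builds a constructed throwaway tree so the checks can be exercised offline.

```python
"""Pre-build sanity checks for a patched BIND source tree.

Added example, not from the list or the rrlrpz page.  PATCH_NEW_FILES and
the `named -V` line format are assumptions; make_tree() is a constructed
tree used only to exercise the checks.
"""
import os
import shlex
import tempfile

# Assumed, not taken from the patch: files the RRL patch creates under
# lib/dns/, inferred from the undefined dns_rrl* symbols in the link errors.
PATCH_NEW_FILES = ["rrl.c", "include/dns/rrl.h"]


def stray_patch_files(root):
    """Patch-created files sitting at the top of the tree instead of under
    lib/dns/: the footprint of `patch` run without -p0."""
    return [f for f in PATCH_NEW_FILES
            if os.path.exists(os.path.join(root, os.path.basename(f)))
            and not os.path.exists(os.path.join(root, "lib", "dns", f))]


def stale_makefiles(root):
    """Makefile.in files newer than the Makefile generated from them, i.e.
    the patch touched Makefile.in after ./configure had already run."""
    stale = []
    for dirpath, _, files in os.walk(root):
        if "Makefile.in" in files and "Makefile" in files:
            src = os.path.join(dirpath, "Makefile.in")
            gen = os.path.join(dirpath, "Makefile")
            if os.path.getmtime(src) > os.path.getmtime(gen):
                stale.append(os.path.relpath(src, root))
    return sorted(stale)


def configure_args(named_v_output):
    """Configure arguments recorded in `named -V` output (step 4 above).
    Assumes a line of the form '... built with <args>' or
    '... built by make with <args>'; returns [] if neither is present."""
    for line in named_v_output.splitlines():
        for marker in (" built by make with ", " built with "):
            if marker in line:
                return shlex.split(line.split(marker, 1)[1])
    return []


# Constructed sample of `named -V` output (not captured from a real build).
SAMPLE_NAMED_V = (
    "BIND 9.9.2-P2 built with '--prefix=/usr' '--sysconfdir=/etc' "
    "'--with-openssl=/usr' '--enable-threads'\n"
    "using OpenSSL version: OpenSSL 1.0.1e\n"
)


def make_tree(patched_after_configure=False, forgot_p0=False):
    """Constructed BIND-like source tree reproducing either mistake on demand."""
    root = tempfile.mkdtemp(prefix="bind-src-")
    for sub in ("lib/dns/include/dns", "bin/named"):
        os.makedirs(os.path.join(root, sub))
    t0 = 1_000_000_000
    for sub in ("lib/dns", "bin/named"):
        for name in ("Makefile.in", "Makefile"):
            path = os.path.join(root, sub, name)
            open(path, "w").close()
            os.utime(path, (t0, t0))      # configure output, same age as its input
    if patched_after_configure:
        path = os.path.join(root, "lib", "dns", "Makefile.in")
        os.utime(path, (t0 + 60, t0 + 60))  # patch rewrote Makefile.in later
    for f in PATCH_NEW_FILES:
        # Without -p0, patch strips every directory and creates files in cwd.
        path = (os.path.join(root, os.path.basename(f)) if forgot_p0
                else os.path.join(root, "lib", "dns", f))
        open(path, "w").close()
    return root


if __name__ == "__main__":
    print("configure args:", configure_args(SAMPLE_NAMED_V))
    tree = make_tree(patched_after_configure=True, forgot_p0=True)
    print("stray files at top of tree:", stray_patch_files(tree))
    print("Makefile.in newer than Makefile:", stale_makefiles(tree))
```

Run the two tree checks against the real unpacked source after `patch -s -p0` and before `./configure`; at that point both lists should be empty, and step 5 can use the list configure_args() returns from the installed named.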

Re: Simple question about zone and CNAME

2013-04-05 Thread Dave Warren

On 2013-04-05 12:18, Sam Wilson wrote:

> We're currently prevaricating over putting in an A record for ed.ac.uk.
> Whilst my colleagues who manage active directory assure me that having
> an A record there - pointing at the content-managed web server that has
> difficulty handling arbitrary URLs - won't break anything I'm not going
> to try it except under very controlled conditions and after I've spoken
> to a lot of other people who do it already.


Is ed.ac.uk your Active Directory root as well? If so, my experience is 
that pointing it at anything but domain controllers will eventually lead 
you to issues.


It's not to say that this totally forbidden, but there is (was?) 
Microsoft best practices documents suggesting avoiding this 
configuration entirely when possible, although there were ways to 
mitigate most of the negative side effects.


Obviously if you can run a split DNS environment this is less of a factor.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: trouble compiling bind 9.9.2-P2 with rate limit patch rl-9.9.2-P2.patch

2013-04-05 Thread Red Cricket
Ah, I think that is what I was doing wrong.  I somehow got the idea in my
head that the patch needed to be applied after configure because I was
getting "Patch which file:" prompts when I would run patch ... and that was
actually being caused because I (or rpmbuild) was in the wrong directory
when that patch command was issued.


On Fri, Apr 5, 2013 at 1:02 PM, Vernon Schryver  wrote:

> > From: Red Cricket 
>
> > here's a link to pastebin http://pastebin.com/RxcsJMLe
>
> > > I used ...
> > >
> > > patch -s -p0 -i rl-9.9.2-P2.patch
> > >
> > > like it says in the documentation.
>
> It looks like the patch was applied after running ./configure.
> That doesn't work because the some Makefile.in files are changed
> by the patch, and those changed Makefile.in files are used by
> ./configure to generate some change Makefiles.  Those changed
> Makefiles compile rrl.c and other things.
>
> Where does the documentation advise running `./configure` before `patch`?
> It needs to be corrected.
>
> Instead try:
>  1. fetch BIND tarball and matching RPZ/RRL patch
>  2. unpack the BIND tarball
>  3. change directory (cd) to the unpacked BIND source directory
>  4. use `/what/ever/named -V` where /what/ever/named is the currently
>installed version of BIND to get the ./configure parameters from
>the current version for the target platform.
>  5. run `./configure stuff` where "stuff" are the parameters from step #4
>  6. `make`
>
> I can't help past that point, because it involves installing at
> least named-checkconf and named itself.  You might try `make install`
> but that might break things.  It certainly should not be done
> before saving the currently installed rndc, named-checkconf, and named.
>
>   
>
> Those who are not familiar with building and installing UNIX C programs
> from source and don't intend to get that familiarity by fighting
> with BIND and the RPZ/RRL patches should wait for BIND releases with RRL.
> Currently there are at least FreeBSD ports and a Red Hat Enterprise
> Linux Desktop update.  See
> https://rhn.redhat.com/errata/RHSA-2013-0550.html
> https://bugzilla.redhat.com/show_bug.cgi?id=906312
> and
> http://www.freebsd.org/ports/dns.html#bind99-9.9.2.1
>
>
> Vernon Schryverv...@rhyolite.com
>

Re: Can two views be layered?

2013-04-05 Thread Novosielski, Ryan

On 03/15/2013 07:11 PM, Joseph S D Yao wrote:
> On Fri, Mar 15, 2013 at 06:56:57PM -0400, Novosielski, Ryan wrote:
>> Hi all. Running BIND 9.6 I believe it is. Not important what
>> version as if there is a version that can do this and I'm not
>> running it, I can go there.
>> 
>> Is it possible to have a view that is in essence a list of
>> exceptions to the main zone? eg. the example.com domain exists,
>> so does www.example.com, but for a small subset of machines I
>> need it to resolve to a different address -- every other address
>> should come from the main zone.
>> 
> 
> 
> It is not possible to have views layered as you describe.  However,
> try this:
> 
> file zonename.shared with all shared records.
> file zone.zonename.for-the-many with the records for the many.
>     $INCLUDE "zonename.shared"
> file zone.zonename.for-the-few with the records for the few.
>     $INCLUDE "zonename.shared"

... SNIP...

One followup question to this: are there any limits to how the SOA
section is handled in this case? Can the SOA record be in the
$INCLUDE'd file, or does it have to be in the defined zone files
(which then would mean maintaining I guess two serial numbers)? I was
originally thinking that in that case, whenever changes are made to
the zonename.shared file, all that was really needed to be updated was
the "for-the-many" zone but I believe then the "for-the-few" machines
would begin to see an increasingly out of date version of the shared file.

- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark


Re: Simple question about zone and CNAME

2013-04-05 Thread Warren Kumari

On Apr 5, 2013, at 3:48 PM, wbr...@e1b.org wrote:

>>> Incidentally, we have just been asked for an A record for cam.ac.uk to
>>> duplicate www.cam.ac.uk because, and I quote, "all the publicity 
> material
>>> sent out by the nominator [for an award for the web site] gave the URL
>>> as http://cam.ac.uk/ and this has been retweeted around".
>> 
>> Yes, sadly I've lost that technical battle with marketing several places
>> now.
> 
> And then there's these folks:
> 
> http://no-www.org/ 
> 

Oh wow!

Gee, thanks for that…

Sad panda,
W




--
"Have you got any previous convictions?"

"Well, I dunno... I suppose I used to believe very firmly that a penny saved is 
a penny earned--"
-- Terry Pratchett





Re: Simple question about zone and CNAME

2013-04-05 Thread Lawrence K. Chen, P.Eng.


- Original Message -
> 
> On Apr 5, 2013, at 3:48 PM, wbr...@e1b.org wrote:
> 
> >>> Incidentally, we have just been asked for an A record for
> >>> cam.ac.uk to
> >>> duplicate www.cam.ac.uk because, and I quote, "all the publicity
> > material
> >>> sent out by the nominator [for an award for the web site] gave
> >>> the URL
> >>> as http://cam.ac.uk/ and this has been retweeted around".
> >> 
> >> Yes, sadly I've lost that technical battle with marketing several
> >> places
> >> now.
> > 
> > And then there's these folks:
> > 
> > http://no-www.org/
> > 
> 
> Oh wow!
> 
> Gee, thanks for that…
> 
> Sad panda,
> W
> 
> 

Wow...didn't know that site existed  I've thought for a long time that all 
websites have to start with 'www.' was pretty antiquated.  And, such most of 
the sites I have set up don't use are that way.  Especially the domain I got 
for my url shortener

OTOH, our old webmaster is now working in marketing...when it was mandated 
that all DNS requests would automatically have the www. version created or vice 
versa, depending on what was requested...also they automatically get both 
ksu.edu and k-state.edu forms, even if they only asked for one.  And, it just 
happens automatically with their request and isn't indicated that it 
happened...

So, up until a couple years ago...our webmail address had always been, and only 
"webmail.ksu.edu".  But, under the new direction...it has to work as 
"webmail.ksu.edu", "www.webmail.ksu.edu", "webmail.k-state.edu", 
"www.webmail.k-state.edu", and SSL certs to work for all those.

And, then somebody mentioned that m. was the prefix for mobile websites.  So, 
now we support "m.webmail" x2, "www.m.webmail" x2, and "m.www.webmail" x2...and 
SSL for all.  In fact the whole...everything has to have multiple names is 
causing problems, because now we need SSL certs to work for multiple names, 
because people aren't typing just the name and getting redirected to the one 
https:// form that exists.  They'll https to one of the variants and complain 
they got a cert error and demand it be fixed.  Rather than use the one form 
that has always been used to get to the site, and the one form that is 
published.

Of course, sometimes the getting both ksu.edu and k-state.edu form is 
automatic, because their subdomain is an include file that is included in both 
files.  Though there are others, where the information had been entered by hand 
into both zones.  And, occasionally typos have gone undetected for years, 
because they never asked for the k-state.edu form...and it never worked because 
of a typo...until suddenly it does

Of course, there are also places in the files where the ksu.edu form has a 
different IP address than the k-state.edu form (by one)

The use of multiname certs to address this problem has only been a recent thing 
here, and it doesn't seem to be widely known.

Though apparently, my hosting provider doesn't support these...requiring me to 
buy unique IPs for each cert...unless I happen to buy my cert from them...in 
which case theirs will work both with and without the 'www.'  Though I have 3 
domains pointed to the same site...

Also it seems that if I sign up for Cloudflare and move my NS to them, I can use 
just my domain name.  Except that my hosting provider has partnered with them, 
so that NS can stay with them...but then I can no longer use just my domain 
name (because they'll then use the CNAME method that Cloudflare offers...which 
can't be done for the apex of my domain)...so I can't use Cloudflare.

Though the DoS'ng of my site dropped off sharply a few days ago.  My site 
was seeing about 30x more traffic than usual.

I meant to see if there was anything piling on things at work...but guess I was 
busy enough to look, and nobody has asked me about the systems I take care of.

In November our authoritative-only nameservers were getting DoS'd...they saw 1 
gigabit of traffic coming in for each of the IPs of our nameservers.  Only 
thing I could see in the logs was the nameserver couldn't reply to queries 
during the times.

I knew our pipe was big, but didn't realize it was big enough to have a 
sustained and solid 1 gigabit of junk at the my nameservers.

Hopefully they'll continue to exempt my DNS vlan (which has both 
authoritative-only nameservers and the recursive caching servers) from the 
packet inspection device that they say might've helped.  Because it was hard 
enough trying to explain the DNS interference it was causing. (and does cause 
to DNS servers elsewhere on campus) P2P isn't only thing on the Internet that 
are large UDP packets that look encrypted (which is the main purpose of the 
device -- like, they only update the signature file on the device when they see 
an uptick in DMCA notices 8-)

The main thing was there would be messages for managed-keys-zone and then after 
a day or so, bind would stop resolving queries completely.  Restarting it, 
would make it work a

Re: Can two views be layered?

2013-04-05 Thread Joseph S D Yao
On Fri, Apr 05, 2013 at 04:24:24PM -0400, Novosielski, Ryan wrote:
...
> One followup question to this: are there any limits to how the SOA
> section is handled in this case? Can the SOA record be in the
> $INCLUDE'd file, or does it have to be in the defined zone files
> (which then would mean maintaining I guess two serial numbers)? I was
> originally thinking that in that case, whenever changes are made to
> the zonename.shared file, all that was really needed to be updated was
> the "for-the-many" zone but I believe then the "for-the-few" machines
> would begin to see an increasingly out of date version of the shared file.


The bit stream that the computer "sees" is just what you would see if
you removed the $INCLUDE line and stuck all the bytes from the
$INCLUDE'd file there instead.  You can't tell what was $INCLUDE'd and what
was not.  Every other line might have been $INCLUDE'd from a different
file, if you wanted to be a bit crazy, and the computer would never
care.

BUT you may ONLY have one SOA record per zone.  That's not a per-file
thing, that's a per-zone thing.  Use RCS archiving and $Version:$
strings in comments [or TXT records] if you want to keep track of file
version numbers.  Or something more recent, if you want.

Just as a logistical thing, the SOA record should be in the zone file
that $INCLUDEs the rest of the information, and no SOA record in the
latter.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: Can two views be layered?

2013-04-05 Thread Joseph S D Yao
On Sat, Apr 06, 2013 at 01:04:47AM -0400, Joseph S D Yao wrote:
...
> Just as a logistical thing, the SOA record should be in the zone file
> that $INCLUDEs the rest of the information, and no SOA record in the
> latter.
...


Which means, I should have added, that any time you update the $INCLUDEd
file, you must update the serial numbers in the zone files doing the
$INCLUDEs.  That's a small disadvantage of this method - but one which
good discipline should overcome.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: Can two views be layered?

2013-04-05 Thread Novosielski, Ryan
On 04/06/2013 01:05 AM, Joseph S D Yao wrote:
> On Fri, Apr 05, 2013 at 04:24:24PM -0400, Novosielski, Ryan wrote: 
> ...
>> One followup question to this: are there any limits to how the
>> SOA section is handled in this case? Can the SOA record be in
>> the $INCLUDE'd file, or does it have to be in the defined zone
>> files (which then would mean maintaining I guess two serial
>> numbers)? I was originally thinking that in that case, whenever
>> changes are made to the zonename.shared file, all that was really
>> needed to be updated was the "for-the-many" zone but I believe
>> then the "for-the-few" machines would begin to see an
>> increasingly out of date version of the shared file.
> 
> The bit stream that the computer "sees" is just what you would see
> if you removed the $INCLUDE line and stuck all the bytes from the 
> $INCLUDE'd file there instead.  You can't tell what was $INCLUDE'd and
> what was not.  Every other line might have been $INCLUDE'd from a
> different file, if you wanted to be a bit crazy, and the computer
> would never care.

So I messed around with this a little before your reply and realized
that almost immediately. So I did things a little differently...

> BUT you may ONLY have one SOA record per zone.  That's not a
> per-file thing, that's a per-zone thing.  Use RCS archiving and
> $Version:$ strings in comments [or TXT records] if you want to keep
> track of file version numbers.  Or something more recent, if you
> want.

Yeah, that I know... but where to place them to me seems less written
in stone...

> Just as a logistical thing, the SOA record should be in the zone
> file that $INCLUDEs the rest of the information, and no SOA record
> in the latter.

Is there any reason that that necessarily should be so? What I did was
create two views of the zone, let's call them "few" and "many" like
you did. Those views both contain example.com, with zone files
"db.example.com-few" and "db.example.com-many". Instead of what you
suggested, I flipped the order in the contents of the two files
(honestly, I'm not even certain that was necessary). So for example,
"db.example.com-many":

$INCLUDE db.example.com
@   IN  A   192.168.50.50

...where db.example.com is basically the same zone file I've used for
example.com all along, just with the A record for the domain removed.

> Which means, I should have added, that any time you update the
> $INCLUDEd file, you must update the serial numbers in the zone
> files doing the $INCLUDEs.  That's a small disadvantage of this
> method - but one which good discipline should overcome.

Yeah, this is what caused me to ask the question and, frankly, sounded
annoying, mainly because I was now maintaining three files to edit
just one DNS record, and the other two files contain a record that
will probably not change once in the next 5 years. So is there
anything wrong with doing it the way I've tried? It appears to work
just fine.

- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark


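The layered-view arrangement discussed in this thread, as an added example that is not code from any of the posters: it flattens $INCLUDE the way Joe describes the bit stream, enforces the one-SOA-per-zone rule, shows how the "few" and "many" files differ once flattened, and flags the case Joe warns about, an edited $INCLUDE'd file whose including file's SOA serial was not bumped. The file names follow Ryan's post; the SOA values and the "few" address are constructed.

```python
"""Flatten BIND-style zone files using $INCLUDE and check SOA/serial discipline."""
import hashlib
import re

# Constructed in-memory stand-ins for db.example.com and the two view files.
# The SOA lives in the shared file, as in Ryan's layout (not Joe's advice).
FILES = {
    "db.example.com": (
        "$TTL 3600\n"
        "@   IN  SOA ns1.example.com. hostmaster.example.com. "
        "( 2013040501 7200 900 604800 300 )\n"
        "    IN  NS  ns1.example.com.\n"
        "www IN  A   192.168.50.50\n"
    ),
    "db.example.com-many": "$INCLUDE db.example.com\n@   IN  A   192.168.50.50\n",
    "db.example.com-few":  "$INCLUDE db.example.com\n@   IN  A   10.0.0.5\n",
}

def flatten(name, files, depth=0):
    """Return the lines named would see: each $INCLUDE replaced by its file's lines."""
    if depth > 8:
        raise ValueError("$INCLUDE nesting too deep (loop?)")
    out = []
    for line in files[name].splitlines():
        m = re.match(r"^\$INCLUDE\s+(\S+)", line)
        out.extend(flatten(m.group(1), files, depth + 1) if m else [line])
    return out

def soa_serial(lines):
    """Serial of the single SOA; more or fewer than one SOA per zone is an error."""
    soas = [l for l in lines if re.search(r"\sSOA\s", l)]
    if len(soas) != 1:
        raise ValueError(f"expected exactly one SOA, found {len(soas)}")
    return int(re.search(r"\(\s*(\d+)", soas[0]).group(1))

def view_diff(a, b, files):
    """Lines present in one flattened view but not the other (sorted)."""
    return sorted(set(flatten(a, files)) ^ set(flatten(b, files)))

def snapshot(name, files):
    """Record (content digest, serial) of a flattened zone at publish time."""
    lines = flatten(name, files)
    digest = hashlib.sha256("\n".join(lines).encode()).hexdigest()
    return digest, soa_serial(lines)

def stale_serial(name, previous, files):
    """True when flattened content changed since `previous` but the serial did not,
    i.e. the $INCLUDE'd file was edited without bumping the zone's SOA serial."""
    digest, serial = snapshot(name, files)
    return digest != previous[0] and serial == previous[1]
```

Running `stale_serial` against each view file before reloading named catches the forgotten bump for both views, not just the one that was edited.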

Re: Simple question about zone and CNAME

2013-04-05 Thread Phil Mayers
Sam Wilson  wrote:

>In article ,
> Chris Thompson  wrote:
>
>> On Apr 5 2013, John Wobus wrote:
>> 
>> >> DNAME? 
>> >
>> >Or SRV records.  Surely browsers are adding support
>> >in the next day or two?
>> 
>> Come on, April 1 has been over for too long for this.
>> 
>> Incidentally, we have just been asked for an A record for cam.ac.uk
>to
>> duplicate www.cam.ac.uk because, and I quote, "all the publicity
>material
>> sent out by the nominator [for an award for the web site] gave the
>URL
>> as http://cam.ac.uk/ and this has been retweeted around".
>
>We're currently prevaricating over putting in an A record for ed.ac.uk.
> 
>Whilst my colleagues who manage active directory assure me that having 
>an A record there - pointing at the content-managed web server that has
>
>difficulty handling arbitrary URLs - won't break anything I'm not going
>
>to try it except under very controlled conditions and after I've spoken
>
>to a lot of other people who do it already.
>
>Sam

If your AD realm is also called ed.ac.uk then adding an A record will 
definitely affect things.
-- 
Sent from my phone. Please excuse brevity and typos.

Re: Simple question about zone and CNAME

2013-04-05 Thread Novosielski, Ryan
On 04/05/2013 04:12 PM, Dave Warren wrote:
> On 2013-04-05 12:18, Sam Wilson wrote:
>> We're currently prevaricating over putting in an A record for
>> ed.ac.uk. Whilst my colleagues who manage active directory assure
>> me that having an A record there - pointing at the
>> content-managed web server that has difficulty handling arbitrary
>> URLs - won't break anything I'm not going to try it except under
>> very controlled conditions and after I've spoken to a lot of
>> other people who do it already.
> 
> Is ed.ac.uk your Active Directory root as well? If so, my
> experience is that pointing it at anything but domain controllers
> will eventually lead you to issues.
> 
> It's not to say that this totally forbidden, but there is (was?) 
> Microsoft best practices documents suggesting avoiding this 
> configuration entirely when possible, although there were ways to 
> mitigate most of the negative side effects.
> 
> Obviously if you can run a split DNS environment this is less of a
> factor.

It is funny you should mention that... my questions about using views
to create a situation where one single record is different happens to
be exactly for this reason. The Active Directory administrators were
saying that not having umdnj.edu point to an Active Directory server
was bothering the AD servers in some fashion. The solution we're going
to test is telling the AD servers that umdnj.edu are them, but telling
everyone else on the planet that it's www. We think this will do it,
but haven't tested yet.

- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark
