DNS 64 and the new domain ipv4only.arpa
I try to understand DNS64 and there is a problem I don't get. I have
BIND configured with:

dns64 2001:db8:1:64::/96 { // Network-Specific Prefix
    clients { me; };
};

and it works, synthesis happens when the domain name has no records:

% dig +cd @localhost -p 9053 twitter.com
...
;; ANSWER SECTION:
twitter.com.  30 IN  2001:db8:1:64::c710:9c66
twitter.com.  30 IN  2001:db8:1:64::c710:9cc6
twitter.com.  30 IN  2001:db8:1:64::c710:9c06

I try it now on the new ipv4only.arpa, which has only A and not and
nothing happens:

% dig +cd @localhost -p 9053 ipv4only.arpa

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +cd @localhost -p 9053 ipv4only.arpa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62138
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ipv4only.arpa. IN

;; AUTHORITY SECTION:
ipv4only.arpa. 3038 IN SOA sns.dns.icann.org. noc.dns.icann.org. (
        2013053904 ; serial
        7200       ; refresh (2 hours)
        3600       ; retry (1 hour)
        604800     ; expire (1 week)
        3600       ; minimum (1 hour)
        )
ipv4only.arpa. 3038 IN RRSIG SOA 8 2 3600 20131028181436 (
        20131021083223 33820 ipv4only.arpa.
        GEbCQfPa1q8e0qaQTT5S1yrmfRp3Vx+lueUB+i846fCl
        /5J3mbew8PI2LMd7stndYwPARIDWjapyzyFk5de6/Yx9
        Nyxn0AOVr9wRnRPy14FCH0P05EQFYzklOkC5Fjzn/B+B
        z4ngG4hM3RfAkckhj0zZ5zMhiYbxucOK/U8T398= )
ipv4only.arpa. 3038 IN RRSIG NSEC 8 2 3600 20131028191728 (
        20131021083223 33820 ipv4only.arpa.
        Id6eQDjnvBhqoZSOBsNKywa0yAEiaGmyakGFLG3Mc2/h
        lmjAPylP9fDdBORpdgnbV0AMt5JzzzIblDTsfs9sbKby
        cCRHkE+Vhchu/NnChM+xslJ15daNNLgYUQHd5xwvdzgP
        OdpknW9kyfpjR4Cj3dixxfFhrsFFNvZo2FOyTW0= )
ipv4only.arpa. 3038 IN NSEC ipv4only.arpa. A NS SOA TXT RRSIG NSEC DNSKEY

;; Query time: 0 msec
;; SERVER: 127.0.0.1#9053(127.0.0.1)
;; WHEN: Mon Oct 21 14:33:52 2013
;; MSG SIZE rcvd: 481

What did I miss?

BIND 9.9.4
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Performance Tuning RHEL 5 and Bind
> From: Alan Clegg
> Fix your Windows clients.

You can't fix stupid.
Re: DNS 64 and the new domain ipv4only.arpa
In message <20131021123504.ga20...@nic.fr>, Stephane Bortzmeyer writes:

> I try to understand DNS64 and there is a problem I don't get. I have
> BIND configured with:
>
> dns64 2001:db8:1:64::/96 { // Network-Specific Prefix
>     clients { me; };
> };
>
> and it works, synthesis happens when the domain name has no records:
>
> % dig +cd @localhost -p 9053 twitter.com
> ...
> ;; ANSWER SECTION:
> twitter.com.  30 IN  2001:db8:1:64::c710:9c66
> twitter.com.  30 IN  2001:db8:1:64::c710:9cc6
> twitter.com.  30 IN  2001:db8:1:64::c710:9c06
>
> I try it now on the new ipv4only.arpa, which has only A and not
> and nothing happens:
>
> % dig +cd @localhost -p 9053 ipv4only.arpa
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +cd @localhost -p 9053 ipv4only.arpa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62138
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ipv4only.arpa. IN
>
> ;; AUTHORITY SECTION:
> ipv4only.arpa. 3038 IN SOA sns.dns.icann.org. noc.dns.icann.org. (
>         2013053904 ; serial
>         7200       ; refresh (2 hours)
>         3600       ; retry (1 hour)
>         604800     ; expire (1 week)
>         3600       ; minimum (1 hour)
>         )
> ipv4only.arpa. 3038 IN RRSIG SOA 8 2 3600 20131028181436 (
>         20131021083223 33820 ipv4only.arpa.
>         GEbCQfPa1q8e0qaQTT5S1yrmfRp3Vx+lueUB+i846fCl
>         /5J3mbew8PI2LMd7stndYwPARIDWjapyzyFk5de6/Yx9
>         Nyxn0AOVr9wRnRPy14FCH0P05EQFYzklOkC5Fjzn/B+B
>         z4ngG4hM3RfAkckhj0zZ5zMhiYbxucOK/U8T398= )
> ipv4only.arpa. 3038 IN RRSIG NSEC 8 2 3600 20131028191728 (
>         20131021083223 33820 ipv4only.arpa.
>         Id6eQDjnvBhqoZSOBsNKywa0yAEiaGmyakGFLG3Mc2/h
>         lmjAPylP9fDdBORpdgnbV0AMt5JzzzIblDTsfs9sbKby
>         cCRHkE+Vhchu/NnChM+xslJ15daNNLgYUQHd5xwvdzgP
>         OdpknW9kyfpjR4Cj3dixxfFhrsFFNvZo2FOyTW0= )
> ipv4only.arpa. 3038 IN NSEC ipv4only.arpa. A NS SOA TXT RRSIG NSEC DNSKEY
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#9053(127.0.0.1)
> ;; WHEN: Mon Oct 21 14:33:52 2013
> ;; MSG SIZE rcvd: 481
>
> What did I miss?

They signed it and you have do=1 set in the query. Named won't lie to
you if you can verify the answer unless you override the defaults.
DNS64 and DNSSEC are incompatible with each other. To have it work
with a signed zone and do=1 you need to tell named to break dnssec.

dns64 {
    clients { me; };
    break-dnssec yes;
};

Mark

> BIND 9.9.4

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: DNS 64 and the new domain ipv4only.arpa
On Tue, Oct 22, 2013 at 12:47:38AM +1100, Mark Andrews wrote a message of 98 lines which said:

> dns64 {
>     clients { me; };
>     break-dnssec yes;
> };

OK, it works without the DO bit ("dig +nodnssec", I had +dnssec in my
~/.digrc) or with "break-dnssec yes". Thanks.
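
The behaviour this thread settles on, as an added Python example that is not from the thread or from BIND: a simplified model of when a DNS64 resolver synthesizes an address, and how the IPv4 address is embedded in the /96 prefix. The function names, the `signed` flag, and the ipv4only.arpa A values 192.0.0.170 and 192.0.0.171 (taken from RFC 7050) are assumptions that do not appear in the messages above.

```python
import ipaddress

# Prefix from the named.conf in the thread (documentation range, /96).
PREFIX = ipaddress.IPv6Network("2001:db8:1:64::/96")
# Assumption: the two A records of ipv4only.arpa, per RFC 7050.
IPV4ONLY_A = ["192.0.0.170", "192.0.0.171"]


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in the low 32 bits of a /96 DNS64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(prefix, ipv6):
    """Recover the embedded IPv4 address, or None if outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(a_records, aaaa_records, *, do_bit, signed,
                 break_dnssec=False):
    """Model of the choice described in the thread (hypothetical helper).

    signed: the NODATA answer carries RRSIGs the client could verify.
    Returns the list of AAAA addresses handed to the client.
    """
    if aaaa_records:
        return list(aaaa_records)      # real AAAA data is passed through
    if do_bit and signed and not break_dnssec:
        return []                      # signed NODATA returned untouched
    return [str(synthesize(PREFIX, a)) for a in a_records]


if __name__ == "__main__":
    # ipv4only.arpa is signed: DO=1 gives no synthesis, DO=0 does.
    print(dns64_answer(IPV4ONLY_A, [], do_bit=True, signed=True))
    print(dns64_answer(IPV4ONLY_A, [], do_bit=False, signed=True))
    # twitter.com is modelled as unsigned, matching the synthesis seen above.
    print(dns64_answer(["199.16.156.102"], [], do_bit=True, signed=False))
```

A validating client behind a resolver with "break-dnssec yes" receives synthesized records that have no valid signature, which is the incompatibility the reply refers to.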
RE: Performance Tuning RHEL 5 and Bind
Any reason you're using RHEL5 as opposed to RHEL6 if you're building new servers? RHEL5 is very long in the tooth and will go EOL sooner than RHEL6. Since you're using a BIND package not shipped with RHEL5 there's no reason on that account not to move up to RHEL6.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of wbr...@e1b.org
Sent: Monday, October 21, 2013 9:47 AM
To: bind-users@lists.isc.org
Subject: Re: Performance Tuning RHEL 5 and Bind

> From: Alan Clegg
> Fix your Windows clients.

You can't fix stupid.