Re: MacOS X 10.9 upgrade removes BIND
Hi Sean,

Sean Channel writes:
>
> Thanks for the M&M package, this is fantastic! On the critical side,
> the package BOM only lists an extinct tarball instead of the actual
> files and directories in the package. Just a nit pick, apologies:

yes, that is a historical artifact from the time where our installers detected PPC vs. Intel machines and installed an optimized (not fat-binary) for BIND. I need to redesign the installer now that PPC is not so much requested anymore, it is on my to-do list.

-- Carsten

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: use bind 9.8 as caching server and authoritative nameserver
On 28 Oct 2013, at 13:10, bind-ch...@telenet.be wrote:

> Recently our government obligated all ISPs to block access to child-porn,
> illegal betting sites, illegal file share sites etc...
> I have been asked now to implement this on our caching DNS servers (serve a
> custom zone to all of our customers that points to an IP from the government
> that hosts a block-page)

You probably understand that this approach is of limited effectiveness, and has arguably significant disadvantages. It may be of interest for you to read the report mentioned at either of the following URIs (in French, English respectively).

http://www.afnic.fr/fr/l-afnic-en-bref/actualites/actualites-generales/6573/show/le-conseil-scientifique-de-l-afnic-partage-sur-le-filtrage-internet-par-dns.html
http://www.afnic.fr/en/about-afnic/news/general-news/6584/show/the-afnic-scientific-council-shares-its-report-on-dns-based-internet-filtering.html

Best regards,
Niall O'Reilly
Member of AFNIC's Conseil Scientifique

PS. I wasn't a significant contributor to this report. Credit for that belongs to the colleagues who did the work.

/Niall
intermittent resolution
I recently upgraded to version: 9.8.6. I am having trouble resolving a .gov site. When I reload the name server it will resolve fine for a while, then after an hour or two I will get a server fail. I can perform a dig +trace and resolve but dig will fail. If I do an rndc reload it will work for some period of time again. I suspect negative caching but the site has the ttl set to 60 so I would expect it to resolve again but it doesn't until a reload is performed. Other sites seem to be affected but I don't know. This is a high visibility site. The only configuration change has been to add RPZ which seems to be working fine.

Other name servers seem to be unaffected. What am I missing? What else can I check? I can provide more details if it would be helpful.

Con Wieland
Office of Information Technology
University of California at Irvine
Re: intermittent resolution
On Oct 30, 2013, at 10:03 AM, Con Wieland wrote:

> I recently upgraded to version: 9.8.6. I am having trouble resolving a .gov
> site. When I reload the name server it will resolve fine for a while, then
> after an hour or two I will get a server fail. I can perform a dig +trace and
> resolve but dig will fail. If I do an rndc reload it will work for some
> period of time again. I suspect negative caching but the site has the ttl
> set to 60 so I would expect it to resolve again but it doesn't until a reload
> is performed. Other sites seem to be affected but I don't know. This is a
> high visibility site. The only configuration change has been to add RPZ which
> seems to be working fine.
>
> Other name servers seem to be unaffected. What am I missing? What else can I
> check? I can provide more details if it would be helpful.

Can you tell us _what_ .gov site? Do you see the same problem with 9.9.4?

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
Re: intermittent resolution
The sites I am having issues with are half a dozen sites at noaa.gov. No, I have not tried 9.9.4; when I upgraded, 9.8.6 was listed as the current stable version, so I went with that.

con

On Oct 30, 2013, at 11:48 AM, Alan Clegg wrote:

>
> On Oct 30, 2013, at 10:03 AM, Con Wieland wrote:
>
>> I recently upgraded to version: 9.8.6. I am having trouble resolving a .gov
>> site. When I reload the name server it will resolve fine for a while, then
>> after an hour or two I will get a server fail. I can perform a dig +trace
>> and resolve but dig will fail. If I do an rndc reload it will work for some
>> period of time again. I suspect negative caching but the site has the ttl
>> set to 60 so I would expect it to resolve again but it doesn't until a
>> reload is performed. Other sites seem to be affected but I don't know. This
>> is a high visibility site. The only configuration change has been to add RPZ
>> which seems to be working fine.
>>
>> Other name servers seem to be unaffected. What am I missing? What else can I
>> check? I can provide more details if it would be helpful.
>
> Can you tell us _what_ .gov site? Do you see the same problem with 9.9.4?
>
> AlanC
> --
> Alan Clegg | +1-919-355-8851 | a...@clegg.com
RE: [External] Re: intermittent resolution
In the past when I've had issues with certain .gov sites (e.g. noaa.gov, nih.gov, ssa.gov) it was due to application based filtering (layer 4). For some reason the responses from these sites are more often than not fragmented and if you have something doing filtering based on ports it may not be delivering the follow-up fragments because they do not have the tcp headers. Do a tcpdump of your DNS traffic from noaa.gov and check to see if responses are being fragmented and whether you are receiving all of the fragments. We had to set edns-udp-size to 512 as a workaround until we could identify the problematic piece of hardware.

Since the only thing you changed was BIND versions, this may have nothing to do with your issue, but I thought I'd throw it out there.

-Dan

From: bind-users-bounces+samp_daniel=bah@lists.isc.org [bind-users-bounces+samp_daniel=bah@lists.isc.org] on behalf of Con Wieland [cwiel...@uci.edu]
Sent: Wednesday, October 30, 2013 5:28 PM
To: BIND List
Subject: [External] Re: intermittent resolution

The sites I am having issues with are half a dozen sites at noaa.gov. No, I have not tried 9.9.4; when I upgraded, 9.8.6 was listed as the current stable version, so I went with that.

con

On Oct 30, 2013, at 11:48 AM, Alan Clegg wrote:

>
> On Oct 30, 2013, at 10:03 AM, Con Wieland wrote:
>
>> I recently upgraded to version: 9.8.6. I am having trouble resolving a .gov
>> site. When I reload the name server it will resolve fine for a while, then
>> after an hour or two I will get a server fail. I can perform a dig +trace
>> and resolve but dig will fail. If I do an rndc reload it will work for some
>> period of time again. I suspect negative caching but the site has the ttl
>> set to 60 so I would expect it to resolve again but it doesn't until a
>> reload is performed. Other sites seem to be affected but I don't know. This
>> is a high visibility site. The only configuration change has been to add RPZ
>> which seems to be working fine.
>>
>> Other name servers seem to be unaffected. What am I missing? What else can I
>> check? I can provide more details if it would be helpful.
>
> Can you tell us _what_ .gov site? Do you see the same problem with 9.9.4?
>
> AlanC
> --
> Alan Clegg | +1-919-355-8851 | a...@clegg.com
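The check suggested in the message above (capture the DNS traffic and see whether every fragment of a response arrives) can be run over tcpdump text. This is an added example, not part of the original thread: the sample lines are constructed in the style of `tcpdump -n -v` IPv4 output, and the function name `incomplete_datagrams` and the 20-byte IP header are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n -v` IPv4 output (not a real capture).
SAMPLE = """\
10:03:01.000001 IP (tos 0x0, ttl 52, id 4242, offset 0, flags [+], proto UDP (17), length 1500)
    192.0.2.53.53 > 198.51.100.10.41000: UDP, length 1893
10:03:01.000020 IP (tos 0x0, ttl 52, id 4242, offset 1480, flags [none], proto UDP (17), length 441)
    192.0.2.53 > 198.51.100.10: ip-proto-17
10:03:07.500000 IP (tos 0x0, ttl 52, id 4300, offset 0, flags [+], proto UDP (17), length 1500)
    192.0.2.53.53 > 198.51.100.10.41777: UDP, length 1893
"""

HDR = re.compile(r"id (\d+), offset (\d+), flags \[([^\]]*)\].*length (\d+)\)")
ADDR = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\S* > (\d+\.\d+\.\d+\.\d+)")

def incomplete_datagrams(text, ip_header_len=20):
    """Return sorted (src, dst, ip_id) keys whose fragments do not cover the datagram."""
    frags = defaultdict(list)
    hdr = None
    for line in text.splitlines():
        m = HDR.search(line)
        if m:
            hdr = m.groups()                 # IP header line; addresses follow on the next line
        elif hdr and (a := ADDR.match(line)):
            ip_id, off, flags, length = hdr
            key = (a.group(1), a.group(2), int(ip_id))
            # payload bytes carried by this fragment; assumes no IP options
            frags[key].append((int(off), int(length) - ip_header_len, "+" in flags))
            hdr = None
    missing = []
    for key, parts in frags.items():
        parts.sort()
        covered, saw_last = 0, False
        for off, payload, more in parts:
            if off > covered:                # hole: an earlier fragment never arrived
                break
            covered = max(covered, off + payload)
            saw_last = saw_last or not more  # "more fragments" flag clear on final piece
        else:
            if saw_last:
                continue                     # contiguous from 0 and final fragment seen
        missing.append(key)
    return sorted(missing)

if __name__ == "__main__":
    for src, dst, ip_id in incomplete_datagrams(SAMPLE):
        print(f"incomplete datagram id={ip_id} {src} -> {dst}")
```

A datagram reported here is a large response whose trailing (or leading) fragment never reached the capture point, which is the symptom a port-based filter in the path would produce.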
Re: [External] Re: intermittent resolution
In article , "Samp, Daniel [USA]" wrote:

> In the past when I've had issues with certain .gov sites (e.g. noaa.gov,
> nih.gov, ssa.gov) it was due to application based filtering (layer 4). For
> some reason the responses from these sites are more often than not fragmented
> and if you have something doing filtering based on ports it may not be
> delivering the follow-up fragments because they do not have the tcp headers.
> Do a tcpdump of your DNS traffic from noaa.gov and check to see if responses
> are being fragmented and whether you are receiving all of the fragments. We
> had to set edns-udp-size to 512 as a workaround until we could identify the
> problematic piece of hardware.
>
> Since the only thing you changed was BIND versions, this may have nothing to
> do with your issue, but I thought I'd throw it out there.

.gov was a relatively early adopter of DNSSEC -- it was mandated for all agencies about 3 years ago, I think. But there were lots of teething pains, which caused frequent outages of some domains. And DNSSEC usually results in large responses, so if your firewall doesn't deal well with EDNS0, you would have problems like that.

--
Barry Margolin
Arlington, MA
Re: intermittent resolution
IF YOU WANT HELP SPECIFY THE FAILING DOMAIN NAME. YES I AM SHOUTING

This report is like saying you have a problem with a car manufactured by GM.

Mark

In message , Con Wieland writes:
> I recently upgraded to version: 9.8.6. I am having trouble resolving a .gov
> site. When I reload the name server it will resolve fine for a while, then
> after an hour or two I will get a server fail. I can perform a dig +trace and
> resolve but dig will fail. If I do an rndc reload it will work for some
> period of time again. I suspect negative caching but the site has the ttl
> set to 60 so I would expect it to resolve again but it doesn't until a reload
> is performed. Other sites seem to be affected but I don't know. This is a
> high visibility site. The only configuration change has been to add RPZ which
> seems to be working fine.
>
> Other name servers seem to be unaffected. What am I missing? What else can I
> check? I can provide more details if it would be helpful.
>
> Con Wieland
> Office of Information Technology
> University of California at Irvine

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org