Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread babu dheen
Dear All,

I would like to integrate BIND DNS with Spamhaus Malware DB feed. But I need 
clarity whether Spamhaus offers this feed for free or subscription(cost) based?

Regards
Babu
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Help on DNSSEC

2013-11-06 Thread babu dheen
Dear All,

I would like to understand DNSSEC on BIND Recursive DNS server running in RHEL 
5.0. Can you please let me know resource or reference to understand the DNSSEC 
and implement it?

Regards
Babu

Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Steven Carr
This is all explained clearly on their website...

http://www.spamhaus.org/organization/dnsblusage/



On 6 November 2013 08:52, babu dheen  wrote:
> Dear All,
>
>  I would like to integrate BIND DNS with Spamhaus Malware DB feed. But i
> need clarity whether Spamhaus offers this feed for free or
> subscription(cost) based?
>
> Regards
> Babu


Re: Help on DNSSEC

2013-11-06 Thread Steven Carr
Start with chapter 11.4 "The DNS Security Extensions" in DNS & BIND
http://www.amazon.com/DNS-BIND-5th-Edition-Cricket/dp/0596100574

Steve

On 6 November 2013 08:54, babu dheen  wrote:
> Dear All,
>
>  I would like to understand DNSSEC on BIND Recusive DNS server running in
> RHEL 5.0. Can you please let me know resource or reference to understand the
> DNSSEC and implement it?
>
> Regards
> Babu


Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Noel Butler

On 06/11/2013 18:52, babu dheen wrote:

> Dear All,
>
> I would like to integrate BIND DNS with Spamhaus Malware DB feed. But I
> need clarity whether Spamhaus offers this feed for free or
> subscription(cost) based?

If you want your local copy it will cost, and they charge like 20 
counties of farms with herding bulls, so forget it, stick to their dns 
based stuff.




Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Dave Warren

On 2013-11-06 01:04, Steven Carr wrote:

> This is all explained clearly on their website...
>
> http://www.spamhaus.org/organization/dnsblusage/

Perhaps you can point out where on that page RPZ is mentioned?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Help on DNSSEC

2013-11-06 Thread Tony Finch
babu dheen  wrote:
>
> I would like to understand DNSSEC on BIND Recusive DNS server running
> in RHEL 5.0.

First upgrade BIND to version 9.8 or newer.

Check your network connectivity isn't funted. See for instance
http://www.cisco.com/web/about/security/intelligence/dnssec.html

Then add the following to your named.conf options section:

dnssec-validation auto;
dnssec-lookaside auto;

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
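
Added example, not part of the original message: once validation is enabled, the header of a dig +dnssec reply from the resolver shows whether an answer was validated. This Python sketch classifies such headers; the first two samples are constructed, and the third is the header from the IPv6 reverse-lookup output posted elsewhere in this digest.

```python
import re

STATUS_RE = re.compile(r"status: (\w+), id: \d+")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)

def validation_state(dig_output):
    """Classify one 'dig +dnssec' reply by the status and flags in its header."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if not status or not flags:
        raise ValueError("no dig header found")
    flagset = set(flags.group(1).split())
    if status.group(1) == "SERVFAIL":
        # Validation failure is reported as SERVFAIL, but so are other faults;
        # repeating the query with +cd (checking disabled) tells them apart.
        return "servfail"
    if "aa" in flagset:
        # Served from the server's own zone data, so nothing was validated.
        return "local-zone"
    return "validated" if "ad" in flagset else "not-validated"

# Constructed sample: signed name resolved through a validating resolver.
SIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed sample: no ad flag (unsigned zone, or validation not enabled).
UNSIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
# Header copied from the reverse-lookup output posted in this digest.
THREAD = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26995
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for name, text in (("signed", SIGNED), ("unsigned", UNSIGNED), ("thread", THREAD)):
        print(name, validation_state(text))
```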


Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Steven Carr
On 6 November 2013 11:19, Dave Warren  wrote:
> Perhaps you can point out where on that page RPZ is mentioned?

The Spamhaus news article announcing the "beta" RPZ service
(http://www.spamhaus.org/news/article/669/) indicates that the
Spamhaus DBL is being repurposed as an RPZ data feed. There is nothing
else on the Spamhaus website regarding RPZ, and since it's using the
DBL as its basis the logical assumption is the same "licensing"
applies (unless anyone from Spamhaus wants to correct matters).

Steve


Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Simon Forster

On 6 Nov 2013, at 14:08, Steven Carr  wrote:

> On 6 November 2013 11:19, Dave Warren  wrote:
>> Perhaps you can point out where on that page RPZ is mentioned?
> 
> The Spamhaus news article announcing the "beta" RPZ service
> (http://www.spamhaus.org/news/article/669/) indicates that the
> Spamhaus DBL is being repurposed as an RPZ data feed. There is nothing
> else on the Spamhaus website regarding RPZ, and since it's using the
> DBL as it's basis the logical assumption is the same "licensing"
> applies (unless anyone from Spamhaus wants to correct matters).

Thank you for the invite.

Broadly your summation is correct. Fleshing it out a little:

The Spamhaus DROP (Do not Route Or Peer) RPZ will have a maximum annual fee of 
US$500. The DROP (and eDROP) products contain hijacked IPs and those under the 
control of egregiously bad actors.

The $500 fee is to help cover the "repackaging" and delivery costs of the DROP 
lists via RPZ (although make a reasonably cogent argument as to why you should 
get the RPZ DROP without cost and we're likely to agree with you).

For those interested in rolling their own products, the DROP and eDROP lists 
are available free of charge at  and 
. We do not apply a licence to these 
products and creating your own derivative products currently is OK.

The DBL based RPZ has been made available free of charge but is moving towards 
a charged model. Fees will be as per the DBL blocklist product which is based 
on a user volume model. If you're already a subscriber to the rsync service and 
would like to use the Spamhaus RPZ product, there will be a small surcharge on 
your current subscription fees.

At this point in time we're not taking a position with respect to rsync service 
subscribers taking the data and repurposing it themselves for delivery as an 
RPZ via IXFR to the same audience as that benefiting from the protection 
offered by the rsync service. Put another way, if you subscribe to the rsync 
service for 10,000 users and decide to repurpose the data to make it available 
to the same audience via RPZ, your call.

For the record, I work for the commercial arm of Spamhaus[1].

All the best

Simon


[1] As this statement may get some people raising questions, The Spamhaus 
Project Ltd is a non-profit. I work for a smaller Spamhaus company which does 
aim to be profitable in order to cover the costs of the non-profit. Or as I 
prefer to paraphrase it, non-profit does not mean for-massive-great-loss.



Recursive DNS server cannot resolve the reverse zone records from my IPv6 private network

2013-11-06 Thread Listas

Hi,

I'm enabling IPv6 dual stack in my network and my Bind authoritative 
servers are working perfectly with the ip6.arpa zones.


But my Recursive DNS server cannot resolve the reverse zone records from 
my private network. I tried to make a setup similar to what I do for my 
private network (IPv4 RFC1918) 10.0.0.0,  but no success.


Can anyone help me?

The configuration of my recursive server is here:
http://adminlinux.com.br/recursive-bind.conf

I have a BIND 9.8.1 Recursive DNS server running in Ubuntu 12.04.3 LTS.




My tests:

In my authoritative DNS Master server:
myuser@autoritative_server_dns:/home/myuser# dig +short A mydomain.com @localhost
10.10.0.3
myuser@autoritative_server_dns:/home/myuser# dig +short -x 10.10.0.3 @localhost
mydomain.com.
myuser@autoritative_server_dns:/home/myuser# dig +short  mydomain.com @localhost
fc00:e3e2:38a5:7::241f
myuser@autoritative_server_dns:/home/myuser# dig +short -x fc00:e3e2:38a5:7::241f @localhost
mydomain.com.

In my Recursive DNS server:
myuser@recursive_server_dns:/home/myuser# dig +short A mydomain.com @localhost
10.10.0.3
myuser@recursive_server_dns:/home/myuser# dig +short -x 10.10.0.3 @localhost
mydomain.com.
myuser@recursive_server_dns:/home/myuser# dig +short  mydomain.com @localhost
fc00:e3e2:38a5:7::241f
myuser@recursive_server_dns:/home/myuser# dig +short -x fc00:e3e2:38a5:7::241f @localhost
myuser@recursive_server_dns:/home/myuser# dig -x fc00:e3e2:38a5:7::241f @localhost

; <<>> DiG 9.8.1-P1 <<>> -x fc00:e3e2:38a5:7::241f @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26995
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;f.1.4.2.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.5.a.8.3.2.e.3.e.0.0.c.f.ip6.arpa. IN PTR

;; AUTHORITY SECTION:
5.a.8.3.2.e.3.e.0.0.c.f.ip6.arpa. 86400 IN SOA  ns1.mydomain.com. dnsmasters.mydomain.com. 1 10800 3600 604800 86400


;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov  6 18:12:09 2013
;; MSG SIZE  rcvd: 151

Thank you.
--
Thiago Henrique
www.adminlinux.com.br




Re: Help on DNSSEC

2013-11-06 Thread David Newman
On 11/6/13 1:06 AM, Steven Carr wrote:
> Start with chapter 11.4 "The DNS Security Extensions" in DNS & BIND
> http://www.amazon.com/DNS-BIND-5th-Edition-Cricket/dp/0596100574

Lucas' "DNSSEC Mastery" is also a useful resource, not only about DNSSEC
concepts but also about required prep work and troubleshooting:

http://www.amazon.com/DNSSEC-Mastery-Securing-Domain-System-ebook/dp/B00CE173KI

dn


> 
> Steve
> 
> On 6 November 2013 08:54, babu dheen  wrote:
>> Dear All,
>>
>>  I would like to understand DNSSEC on BIND Recusive DNS server running in
>> RHEL 5.0. Can you please let me know resource or reference to understand the
>> DNSSEC and implement it?
>>
>> Regards
>> Babu
>>
>>


Re: Help on DNSSEC

2013-11-06 Thread Bryan Irvine
DNSSEC Mastery
https://www.michaelwlucas.com/nonfiction/dnssec-mastery



On Wed, Nov 6, 2013 at 12:54 AM, babu dheen  wrote:

> Dear All,
>
>  I would like to understand DNSSEC on BIND Recusive DNS server running in
> RHEL 5.0. Can you please let me know resource or reference to understand
> the DNSSEC and implement it?
>
> Regards
> Babu
>
>

New Versions of BIND Are Available

2013-11-06 Thread Michael McNally
In connection with CVE-2013-6320, which corrects a possible security
vulnerability on Windows versions of BIND, new releases are available
at http://www.isc.org/downloads

  -  9.9.4-P1
  -  9.8.6-P1
  -  9.6-ESV-R10-P1

The official announcement for this vulnerability has been sent to
the bind-announce mailing list, or you can find CVE-2013-6320 here:

   https://kb.isc.org/article/AA-01062

Michael McNally
ISC Support


Re: Recursive DNS server cannot resolve the reverse zone records from my IPv6 private network

2013-11-06 Thread Mark Andrews

In message <527a8ac4.3010...@adminlinux.com.br>, Listas writes:
> 
> Hi,
> 
> I'm enabling IPv6 dual stack in my network and my Bind authoritative 
> servers are working perfectly with the ip6.arpa zones.
> 
> But my Recursive DNS server cannot resolve the reverse zone records from 
> my private network. I tried to make a setup similar to what I do for my 
> private network (IPv4 RFC1918) 10.0.0.0,  but no success.
> 
> Can anyone help me?
> 
> The configuration of my recursive server is here:
> http://adminlinux.com.br/recursive-bind.conf

Firstly you are using the wrong address range.  You should be using
FD00::/8 for locally assigned addresses.  FC00::/8 is reserved for
centrally assigned local addresses and there isn't yet a registry
to perform those assignments so no one should be using them.

Secondly change "5.a.8.3.2.e.3.e.0.0.c.f.ip6.arpa" into a slave
zone and transfer the contents from the other server.  Add this
server as a nameserver to the zone or configure the master to send
this server notify messages when the zone changes.  Presumably the
existing master zone is just an empty zone which is why you got the
NXDOMAIN.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
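
Added example, not part of the original message: a Python sketch that derives the ip6.arpa zone name for a prefix, tells FC00::/8 from FD00::/8, and builds the slave zone statement described above. The /48 is the prefix implied by the zone name in the thread; the fd00 prefix, the master address 192.0.2.53 and the file name are placeholders.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")    # RFC 4193 unique local range
LOCAL = ipaddress.ip_network("fd00::/8")  # locally assigned half of it

def reverse_zone(prefix):
    """ip6.arpa zone name for an IPv6 prefix on a nibble (4-bit) boundary."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen % 4 or not net.prefixlen:
        raise ValueError("need an IPv6 prefix whose length is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def ula_kind(prefix):
    """Say which half of fc00::/7 a prefix falls in."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or not net.subnet_of(ULA):
        return "not-ula"
    return "locally-assigned" if net.subnet_of(LOCAL) else "reserved-fc00"

def ptr_in_zone(address, prefix):
    """True when the PTR owner name for address lies inside the prefix's zone."""
    owner = ipaddress.ip_address(address).reverse_pointer
    return owner.endswith("." + reverse_zone(prefix))

def slave_stanza(prefix, master, filename):
    """named.conf zone statement that transfers the reverse zone from master."""
    ipaddress.ip_address(master)  # raises ValueError unless master is an IP literal
    return ('zone "%s" {\n    type slave;\n    masters { %s; };\n'
            '    file "%s";\n};\n' % (reverse_zone(prefix), master, filename))

if __name__ == "__main__":
    # Prefix from the thread, then a constructed fd00::/8 equivalent.
    for prefix in ("fc00:e3e2:38a5::/48", "fd00:e3e2:38a5::/48"):
        print(prefix, ula_kind(prefix), reverse_zone(prefix))
    # 192.0.2.53 and the file name are placeholders, not values from the thread.
    print(slave_stanza("fd00:e3e2:38a5::/48", "192.0.2.53", "slaves/db.ula-reverse"))
```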


Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Dave Warren

On 2013-11-06 06:08, Steven Carr wrote:

> On 6 November 2013 11:19, Dave Warren wrote:
>
>> Perhaps you can point out where on that page RPZ is mentioned?
>
> The Spamhaus news article announcing the "beta" RPZ service
> (http://www.spamhaus.org/news/article/669/) indicates that the
> Spamhaus DBL is being repurposed as an RPZ data feed. There is nothing
> else on the Spamhaus website regarding RPZ, and since it's using the
> DBL as it's basis the logical assumption is the same "licensing"
> applies (unless anyone from Spamhaus wants to correct matters).



You're right, if you want to make assumptions based on years-old reports 
of a new service entering beta and assume that it might be licensed 
similarly to other services which are designed and distributed totally 
differently, then it's "explained clearly on their website"


In the real world though, while I suspect you're correct, it's far from 
"explained" "clearly" or "on their website"


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
