Re: Unable to transfer IPv4 reverse zone
On 19/12/2013 23:32, Daniel Lintott wrote:
> I have now tried recreating the zone file on the master, removed and
> re-added the configuration for the zone on both master and slave, yet
> still I am unable to transfer the zone.
>
> I have also added the following logging to the master server:
>
> logging {
>     channel xfer {
>         file "/var/log/named/xfer.log";
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>     category xfer-out {
>         xfer;
>     };
> };
>
> But this fails to log anything, despite transfers taking place. I've
> checked the permissions on the log and it is writeable by the user which
> bind is running under.
>
> As yet... I'm no closer in working this one out.

Noting this in the master zone:

> allow-transfer {
>     192.168.5.2;
> };

Check that the slave actually is using that source address for the TCP transfer (which I grant would be odd to be different, if your other zones transfer OK).

Do you have the same ACL on your other zones that transfer OK?

And depending on the 'big' configuration - this might also be relevant:
https://kb.isc.org/article/AA-00904/47/Why-is-my-slave-server-trying-sometimes-to-use-a-different-source-IP-address-for-zone-transfers.html

---

If still unresolved, I think I'd be at the point of doing a network packet trace on this one to find out which end is dropping it. The earlier logging messages suggest that the TCP connection for the transfer did establish (or start to establish - it may not yet have been 'connected' all the way to the named server).

Trace at both ends simultaneously, so that you get both sides of the 'story'. And also trace a good transfer between master and slave for comparison purposes.

---

It shouldn't be relevant to the problem in-hand, but are you missing this record from your reverse zone (I didn't see it in the ANY query result):

2.5.168.192.in-addr.arpa. IN PTR server2.internal.serverb.co.uk.

Cathy ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Unable to transfer IPv4 reverse zone
On 20/12/13 09:16, Cathy Almond wrote:
> Noting this in the master zone:
>> allow-transfer {
>>     192.168.5.2;
>> };
>
> Check that the slave actually is using that source address for the TCP
> transfer (which I grant would be odd to be different, if your other
> zones transfer OK).
>

The slave is using 192.168.5.2 for the TCP transfer, to be sure I have set the transfer source and confirmed this with a packet trace.

> Do you have the same ACL on your other zones that transfer OK?
>
> And depending on the 'big' configuration - this might also be relevant:
> https://kb.isc.org/article/AA-00904/47/Why-is-my-slave-server-trying-sometimes-to-use-a-different-source-IP-address-for-zone-transfers.html
>

All of the zones have identical ACL's as above.

> ---
>
> If still unresolved, I think I'd be at the point of doing a network
> packet trace on this one to find out which end is dropping it. The
> earlier logging messages suggest that the TCP connection for the
> transfer did establish (or start to establish - it may not yet have been
> 'connected' all the way to the named server).
>
> Trace at both ends simultaneously, so that you get both sides of the
> 'story'. And also trace a good transfer between master and slave for
> comparison purposes.
>

Looking at a packet trace, I can see the TCP session establish, the AXFR request is sent to the master which responds with 'SERVFAIL'

Pkt 160: Standard query 0x3a9c AXFR 5.168.192.in-addr.arpa
Pkt 173: Standard query response 0x3a9c Server failure

As a thought, I have tried running the AXFR on the master server, which also fails so it would seem the problem lies on the master server.

[root@server1 ~]# dig 5.168.192.in-addr.arpa @127.0.0.1 AXFR

; <<>> DiG 9.9.4-P1 <<>> 5.168.192.in-addr.arpa @127.0.0.1 AXFR
;; global options: +cmd
; Transfer failed.

> ---
>
> It shouldn't be relevant to the problem in-hand, but are you missing
> this record from your reverse zone (I didn't see it in the ANY query
> result):
>
> 2.5.168.192.in-addr.arpa. IN PTR server2.internal.serverb.co.uk.
>

The record does appear to be in the zone.

Regards

Daniel
Re: Unable to transfer IPv4 reverse zone
On 19.12.13 19:27, Daniel Lintott wrote:
> The following is logged on the slave:
> Dec 19 17:51:48 server2 named[7866]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.1#53: connected using 192.168.5.2#47108
>
> Dec 19 17:51:48 server2 named[7866]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.1#53: failed while receiving responses: SERVFAIL
>
> Dec 19 17:51:48 server2 named[7866]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

what's in logs on master?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
Re: Unable to transfer IPv4 reverse zone
On 20/12/13 11:12, Matus UHLAR - fantomas wrote:
> On 19.12.13 19:27, Daniel Lintott wrote:
>> The following is logged on the slave:
>> Dec 19 17:51:48 server2 named[7866]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.1#53: connected using 192.168.5.2#47108
>>
>> Dec 19 17:51:48 server2 named[7866]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.1#53: failed while receiving responses: SERVFAIL
>>
>> Dec 19 17:51:48 server2 named[7866]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
>
>
> what's in logs on master?

Nothing seems to be logged for any transfers on the master... even with the following logging statement added

logging {
    channel xfer {
        file "/var/log/named/xfer.log";
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category xfer-out {
        xfer;
    };
};
Re: Unable to transfer IPv4 reverse zone
>> what's in logs on master?

On 20.12.13 11:21, Daniel Lintott wrote:
> Nothing seems to be logged for any transfers on the master... even with
> the following logging statement added
>
> logging {
>     channel xfer {
>         file "/var/log/named/xfer.log";
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>     category xfer-out {
>         xfer;
>     };
> };

that's why I prefer logging everything somewhere...
maybe it's in other category...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901
Re: Unable to transfer IPv4 reverse zone
On 20/12/13 11:40, Matus UHLAR - fantomas wrote:
>>> what's in logs on master?
>
> On 20.12.13 11:21, Daniel Lintott wrote:
>> Nothing seems to be logged for any transfers on the master... even with
>> the following logging statement added
>>
>> logging {
>>     channel xfer {
>>         file "/var/log/named/xfer.log";
>>         print-category yes;
>>         print-severity yes;
>>         print-time yes;
>>     };
>>     category xfer-out {
>>         xfer;
>>     };
>> };
>
> that's why I prefer logging everything somewhere...
> maybe it's in other category...
>

Even logging every category each to separate files, doesn't seem to yield anything.

But... as a way of eliminating the various components, I have setup 2 master zones on the second server (server2). These both transfer fine to the first server (server1)... and when I add the logging clause for xfer-out it generates logs.

Which leads me to believe that maybe the build of 9.9.4-P1 on server1, might be at fault. I think I will try and rebuild bind as there seems to be several issues... that don't exist on the other server, which has an identical OS.

Regards

Daniel
FW: missing ‘additional section’
This topic was discussed in 2009. But I don't know the final decision. Please refer to the following site:
http://t4605.network-dns-bind9-dlz.dnstalk.us/missing-additional-section-t4605.html

From: houguang...@hotmail.com
To: sjc...@gmail.com
CC: bind-users@lists.isc.org
Subject: RE: missing ‘additional section’
Date: Thu, 19 Dec 2013 14:34:11 +

Dear Steve,

In my first dig, no matter whether recursion was enabled or not, 'additional section' was returned. In my second dig, no matter whether recursion was enabled or not, 'additional section' was not returned.

The difference between the two digs is as follows:
--the first server is bind9.8.6 with dlz not enabled
--the second server is bind9.8.6 with dlz enabled (mysql)

Both servers are authoritative servers, not caching servers.

Now I want to deploy several DNS servers using bind DLZ-mysql, and I want to return additional sections to internet users in one dns request.

One of my views is as follows:

view "view_ctcbeijing" {
    match-clients { CTC_Beijing; };
    recursion no;
    allow-recursion { none; };
    allow-transfer { none; };
    dlz "Mysql zone" {
        database " mysql
        {host=127.0.0.1 dbname=cdn ssl=false port=3306 user=cdn pass=cdn }
        {select zone from dns_records where zone = '$zone$' and view='CTCBeijing' limit 1}
        {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end as mydata from dns_records where zone = '$zone$' and host = '$record$' and (view='CTCBeijing' or view='SOA')}
        {}
        {select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end as mydata, resp_person, serial, refresh, retry, expire, minimum from dns_records where zone = '$zone$' and view='CTCBeijing'}
        {select zone from xfr_table where zone = '$zone$' and client = '$client$' and view='CTCBeijing' limit 1}
        {update data_count set count = count + 1 where zone ='$zone$' and view='CTCBeijing'}";
    };
};

All SOA and NS type records in the DB are under the SOA view. All A/MX//CNAME type records are in the CTCBeijing view.

The database script is as follows:

#SOA record
INSERT INTO dns_records (zone, host, type, data, ttl, view, mx_priority, refresh, retry, expire, minimum, serial, resp_person, primary_ns, data_count)
VALUES ('ctyun.cn', '@', 'SOA', 'ns.ctyun.cn.', 3600, 'SOA', NULL, 3600, 3600, 86400, 10, 2008082700, 'root.ctyun.cn.', 'ns1.ctyun.cn.', 0);

# NS
INSERT INTO dns_records (zone, host, type, data, ttl, view, mx_priority, refresh, retry, expire, minimum, serial, resp_person, primary_ns, data_count)
VALUES ('ctyun.cn', '@', 'NS', 'ns1.ctyun.cn.', 3600, 'SOA', NULL, 3600, 3600, 86400, 3600, 2008082700, 'root.ctyun.cn.', 'ns1.ctyun.cn.', 0);
INSERT INTO dns_records (zone, host, type, data, ttl, view, mx_priority, refresh, retry, expire, minimum, serial, resp_person, primary_ns, data_count)
VALUES ('ctyun.cn', '@', 'NS', 'ns2.ctyun.cn.', 3600, 'SOA', NULL, 3600, 3600, 86400, 3600, 2008082700, 'root.ctyun.cn.', 'ns1.ctyun.cn.', 0);

# A record
INSERT INTO dns_records (zone,host,type,DATA,view) VALUES ('ctyun.cn', 'ns1', 'A', '124.126.253.202','SOA');
INSERT INTO dns_records (zone,host,type,DATA,view) VALUES ('ctyun.cn', 'ns2', 'A', '124.126.253.203','SOA');
INSERT INTO dns_records (zone,host,type,DATA,view) VALUES ('ctyun.cn', 'www', 'A', '211.162.106.1','CTCBeijing');
INSERT INTO dns_records (zone,host,type,DATA,view) VALUES ('ctyun.cn', 'www', 'A', '211.162.106.2','CTCBeijing');

Regards,
Guanghua

> Date: Thu, 19 Dec 2013 03:07:44 +
> Subject: Re: missing ‘additional section’
> From: sjc...@gmail.com
> To: houguang...@hotmail.com
> CC: bind-users@lists.isc.org
>
> On 19 December 2013 00:48, houguanghua wrote:
> > If DLG isn't enabled (bind9+view + zone file , no DB is used), the
> > additional section is right. Maybe it's a bug of Bind DLG.
>
> What is DLG?
>
> > What I wanted is as follows :
> > $ dig @10.3.103.177 www.ctyun.cn
> > ; <<>> DiG 9.6-ESV-R10-P1 <<>> @10.3.103.177 www.ctyun.cn
> >
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30600
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
> > ;; WARNING: recursion requested but not available
> > ;; QUESTION SECTION:
> > ;www.ctyun.cn. IN A
> > ;; ANSWER SECTION:
> > www.ctyun.cn. 3600 IN A 211.162.106.2
> > www.ctyun.cn. 3600 IN A 211.162.106.1
> > ;; AUTHORITY SECTION:
> > ctyun.cn. 3600 IN NS ns1.ctyun.cn.
> > ctyun.cn. 3600 IN NS ns2.ctyun.cn.
> > ;; ADDITIONAL SECTION:
> > ns1.ctyun.cn. 3600 IN A 211.16.106.251
> > ns2.ctyun.cn. 3600 IN A 211.16.106.252
> >
> > ;; Query ti
Re: FW: missing ‘additional section’
On 20 December 2013 14:18, houguanghua wrote:
> This topic was discussed in 2009. But I don't know the final decision.
> Please refer following site:
> http://t4605.network-dns-bind9-dlz.dnstalk.us/missing-additional-section-t4605.html

Looks like it is potentially a "bug" if you want to call it that, since it's to do with DLZ it's probably best taking it up with the team that produce that code... http://bind-dlz.sourceforge.net/mailing_list.html

Steve
Adding DS records
Has anyone been able to get Network Solutions to add DS records for their domain? I am trying to get DS records added for my domain and so far it looks like Network Solutions can not do that.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
Re: Adding DS records
On Fri, Dec 20, 2013 at 10:04:59AM -0500, Thomas Schulz wrote:
> Has anyone been able to get Network Solutions to add DS records
> for their domain? I am trying to get DS records added for my
> domain and so far it looks like Network Solutions can not do that.

The last time this was asked here was in August:

https://lists.isc.org/pipermail/bind-users/2013-August/091340.html

If I was a NetSol customer, I would ask them, "Why not?"

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: Adding DS records
On Dec 20, 2013, at 10:38 AM, /dev/rob0 wrote:

> On Fri, Dec 20, 2013 at 10:04:59AM -0500, Thomas Schulz wrote:
>> Has anyone been able to get Network Solutions to add DS records
>> for their domain? I am trying to get DS records added for my
>> domain and so far it looks like Network Solutions can not do that.
>
> The last time this was asked here was in August:
>
> https://lists.isc.org/pipermail/bind-users/2013-August/091340.html
>
> If I was a NetSol customer, I would ask them, "Why not?"

And if I were a NetSol customer, I would ask myself, "Why?"

W

> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

--
With Feudalism, it's your Count that votes.
Re: Adding DS records
-----Original Message-----
From: Warren Kumari
Date: Friday, December 20, 2013 12:15 PM
To: "bind-users@lists.isc.org"
Subject: Re: Adding DS records

>On Dec 20, 2013, at 10:38 AM, /dev/rob0 wrote:
>
>> On Fri, Dec 20, 2013 at 10:04:59AM -0500, Thomas Schulz wrote:
>>> Has anyone been able to get Network Solutions to add DS records
>>> for their domain? I am trying to get DS records added for my
>>> domain and so far it looks like Network Solutions can not do that.
>>
>> The last time this was asked here was in August:
>>
>> https://lists.isc.org/pipermail/bind-users/2013-August/091340.html
>>
>> If I was a NetSol customer, I would ask them, "Why not?"
>
>And if I were a NetSol customer, I would ask myself, "Why?"

If I were a capitalist, I'd vote with my wallet and go somewhere with the features I want.
Re: Adding DS records
> >> If I was a NetSol customer, I would ask them, "Why not?"
> >
> >And if I were a NetSol customer, I would ask myself, Why?
>
> If I were a capitalist, I'd vote with my wallet and go somewhere with the
> features I want.

Well, we started with them back when they were the only company registering domain names. And up to now there were no problems (other than perhaps price).

Any recommendations for another company for a .com domain in the US? I suppose that I could always use the DLV, but I would rather not.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
Re: Adding DS records
> Any recommendations for another company for a .com domain in the US

Gandi.net

Great support, including DNSSEC:

http://wiki.gandi.net/en/domains/dnssec
http://doc.rpc.gandi.net/domain/reference.html

On Fri, Dec 20, 2013 at 9:58 AM, Thomas Schulz wrote:
>> >> If I was a NetSol customer, I would ask them, "Why not?"
>> >
>> >And if I were a NetSol customer, I would ask myself, Why?
>>
>> If I were a capitalist, I'd vote with my wallet and go somewhere with the
>> features I want.
>
> Well, we started with them back when they were the only company registering
> domain names. And up to now there were no problems (other than perhaps price).
>
> Any recommendations for another company for a .com domain in the US?
> I suppose that I could always use the DLV, but I would rather not.
>
> Tom Schulz
> Applied Dynamics Intl.
> sch...@adi.com
RE: Adding DS records
FYI: web.com recently bought NetSol and at least one other Registrar that escapes me at the moment. It might be worthwhile to see if any of their companies do this as you might have an easier time transferring and avoid some of the common games Registrars play to prevent it.

I heartily recommend that you NOT go to GoDaddy. Once they have your domain they play all sorts of games to keep it.

On that subject. If you DO decide to transfer domains from one registrar to another be sure to do the following at the old Registrar BEFORE requesting the transfer at the new one:

1) Turn off domain lock - most Registrars have this enabled by default now.
2) Turn off private registration if enabled.
3) Ensure the administrative contact email is one you can send email to them from and can receive emails from them.
4) Obtain the transfer authorization code. Most Registrar web sites have "transfer" buttons that are easy to find but these are for transferring domains TO them rather than AWAY. Usually you have to do some research on their sites to find how to generate the code.

Jeffrey C. Lightner
Sr. UNIX Administrator
DS Waters of America, Inc.
5660 New Northside Drive NW
Suite 250
Atlanta, GA 30328

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Thomas Schulz
Sent: Friday, December 20, 2013 12:59 PM
To: bind-users@lists.isc.org
Subject: Re: Adding DS records

> >> If I was a NetSol customer, I would ask them, "Why not?"
> >
> >And if I were a NetSol customer, I would ask myself, Why?
>
> If I were a capitalist, I'd vote with my wallet and go somewhere with
> the features I want.

Well, we started with them back when they were the only company registering domain names. And up to now there were no problems (other than perhaps price).

Any recommendations for another company for a .com domain in the US? I suppose that I could always use the DLV, but I would rather not.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
Re: Adding DS records
On 20 December 2013 18:10, pgndev wrote:
> Gandi.net
> Great support, including DNSSEC:

Gandi only support DNSSEC if you host the DNS elsewhere, their DNS servers do not support DNSSEC.

Steve
Re: Adding DS records
On Fri, 20 Dec 2013, Steven Carr wrote:

> On 20 December 2013 18:10, pgndev wrote:
>> Gandi.net
>> Great support, including DNSSEC:
>
> Gandi only support DNSSEC if you host the DNS elsewhere, their DNS
> servers do not support DNSSEC.
>
> Steve

gandi.net +1

I transferred from NS to Gandi in December 1998. I don't know about their hosting of primary DNS but they do host a secondary of mine and it seems to resolve there with an aa flag:

; <<>> DiG 9.10.0a1 <<>> -t rrsig @ns6.gandi.net maplepark.com +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64272
;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 5, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;maplepark.com. IN RRSIG

;; ANSWER SECTION:
(...)

--
David Forrest
St. Louis, Missouri
Re: Adding DS records
On 20 December 2013 18:37, David Forrest wrote:
> gandi.net +1
>
> I transferred from NS to Gandi in December 1998. I don't know about their
> hosting of primary DNS but they do host a secondary of mine and it seems to
> resolve there with an aa flag:

Yep, secondary works, but they can't be a DNSSEC primary.

Steve
Re: Adding DS records
AIUI, it is not their name servers (which clearly support the records when secondary), it's their hefty customer UI and their support/helpdesk folks that would require a non-cheap upgrade.

That said, I have spent most of a decade as a happy customer of register.com, which was recently Borged by web.com (of which I know absolutely nothing as a customer).

hth,
Len

On Friday, December 20, 2013 11:25 AM, Steven Carr wrote:

>On 20 December 2013 18:37, David Forrest wrote:
>> gandi.net +1
>>
>> I transferred from NS to Gandi in December 1998. I don't know about their
>> hosting of primary DNS but they do host a secondary of mine and it seems to
>> resolve there with an aa flag:
>
>Yep, secondary works, but they can't be a DNSSEC primary.
>
>
>Steve
Re: Adding DS records
> > gandi.net +1
> >
> > I transferred from NS to Gandi in December 1998. I don't know about their
> > hosting of primary DNS but they do host a secondary of mine and it seems to
> > resolve there with an aa flag:
>
> Yep, secondary works, but they can't be a DNSSEC primary.
>
> Steve

We host the primary DNS ourselves with our ISP providing the secondary, so no problem there.

Just to get going, I entered the records using the DLV. I think that I will get a different registrar early next year, after the rush of the holidays quiets down. Our contract expires in March, so this is a reasonable time to do a switch.

Thanks for the advice so far.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
Re: Adding DS records
On Fri, 2013-12-20 at 12:08 -0800, Leonard Mills wrote:
> That said, I have spent most of a decade as a happy customer of
> register.com, which was recently Borged by web.com (of which I know
> absolutely nothing as a customer).

I moved from register.com to gkg.net because register.com was not (at the time, it may have changed) able to handle DS records, or ipv6 glue. GKG.net does both.

GKG.net has an api that allows me to script the upload of DS records when we do KSK key rollovers.
Re: Unable to transfer IPv4 reverse zone
It might be a silly question - but have you checked how many instances of named you have running on the master (thinking that you might not be 'talking to' the one you think you are)?

Cathy
Re: Adding DS records
In message , David Forrest writes:
> On Fri, 20 Dec 2013, Steven Carr wrote:
>
> > On 20 December 2013 18:10, pgndev wrote:
> >> Gandi.net
> >> Great support, including DNSSEC:
> >
> > Gandi only support DNSSEC if you host the DNS elsewhere, their DNS
> > servers do not support DNSSEC.
> >
> > Steve
> gandi.net +1
>
> I transferred from NS to Gandi in December 1998. I don't know about their
> hosting of primary DNS but they do host a secondary of mine and it seems
> to resolve there with an aa flag:
>
> ; <<>> DiG 9.10.0a1 <<>> -t rrsig @ns6.gandi.net maplepark.com +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64272
> ;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 5, ADDITIONAL: 3

You don't test for dnssec support by requesting rrsigs. Nameservers can return rrsigs without supporting dnssec. You test for dnssec support by doing a request for something else with "do=1" set (+dnssec) and seeing if rrsig, nsec/nsec3/ds records are returned along with the rest of the response.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
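The check described in the message above, as an added example that is not part of the original thread: it builds a query for an ordinary type with the EDNS0 DO bit set and inspects a response for an RRSIG covering the answer, or NSEC/NSEC3/DS records in the authority section. The name www.example.test, the placeholder key tag and signature, and both responses are constructed so that it runs offline.

```python
"""Check a response for DNSSEC records after a DO=1 query (offline sketch)."""
import struct

A, OPT, DS, RRSIG, NSEC, NSEC3 = 1, 41, 43, 46, 47, 50
DO_FLAG = 0x8000  # "DNSSEC OK" bit in the EDNS0 flags (low 16 bits of the OPT TTL)


def encode_name(name):
    """Encode a domain name as uncompressed length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, msg_id=0x1234, dnssec_ok=True):
    """Non-recursive query carrying an EDNS0 OPT record; dig +dnssec sets DO=1."""
    header = struct.pack("!6H", msg_id, 0x0000, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_FLAG if dnssec_ok else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the name at off (labels or a pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def records(msg):
    """List (section, type, ttl, type_covered) for every RR after the question."""
    _, _, qd, an, ns, ar = struct.unpack_from("!6H", msg)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    out = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            covered = struct.unpack_from("!H", msg, off)[0] if rtype == RRSIG else None
            out.append((section, rtype, ttl, covered))
            off += rdlen
    return out


def query_sets_do(query):
    """True if the query has an OPT record with the DO bit set."""
    return any(t == OPT and ttl & DO_FLAG for _, t, ttl, _ in records(query))


def returns_dnssec_records(response, qtype):
    """A DO=1 query for an ordinary type should return an RRSIG covering the
    answer, or NSEC/NSEC3/DS records in the authority section."""
    if qtype == RRSIG:
        raise ValueError("asking for RRSIG directly proves nothing; query another type")
    rrs = records(response)
    signed = any(s == "answer" and t == RRSIG and c == qtype for s, t, _, c in rrs)
    proof = any(s == "authority" and t in (NSEC, NSEC3, DS) for s, t, _, _ in rrs)
    return signed or proof


# --- constructed sample data (not captured traffic) ---
def rr(name, rtype, ttl, rdata):
    """Serialise one class-IN resource record."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def rrsig_rdata(covered, owner, signer):
    """RRSIG RDATA with placeholder algorithm, times, key tag and signature."""
    labels = len(owner.rstrip(".").split("."))
    fixed = struct.pack("!HBBIIIH", covered, 8, labels, 3600, 0, 0, 12345)
    return fixed + encode_name(signer) + b"\x00" * 16


def build_response(query, answers):
    """Echo the question, set QR and AA, and append the given answer RRs."""
    msg_id = struct.unpack_from("!H", query)[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!6H", msg_id, 0x8400, 1, len(answers), 0, 0)
    return header + query[12:qend] + b"".join(answers)


QNAME = "www.example.test"
QUERY = build_query(QNAME, A)
A_RR = rr(QNAME, A, 3600, bytes([192, 0, 2, 1]))
SIG_RR = rr(QNAME, RRSIG, 3600, rrsig_rdata(A, QNAME, "example.test"))
SIGNED = build_response(QUERY, [A_RR, SIG_RR])   # server that honours DO=1
UNSIGNED = build_response(QUERY, [A_RR])         # server that ignores DO=1

if __name__ == "__main__":
    print("query sets DO:", query_sets_do(QUERY))
    print("signed response:", returns_dnssec_records(SIGNED, A))
    print("unsigned response:", returns_dnssec_records(UNSIGNED, A))
```
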
Re: Unable to transfer IPv4 reverse zone
On 20/12/13 21:59, Cathy Almond wrote:
> It might be a silly question - but have you checked how many instances
> of named you have running on the master (thinking that you might not be
> 'talking to' the one you think you are)?
>

There appears to only be one instance, from what I can see

[root@server1 ~]# ps aux | grep named
named 29523 0.0 0.9 43536 9608 ? Ss 22:01 0:00 /usr/local/sbin/named -u named

I'm completely out of ideas on this one now, as I've tried the config on another machine and it worked fine... Something very odd appears to be going on!

Daniel
New development versions of BIND are available: 9.9.5b1, 9.8.7b1, & 9.6-ESV-R11b1
New development versions of BIND are now available from http://www.isc.org/downloads

BIND 9.9.5b1 Release Notes -- https://kb.isc.org/article/AA-01074
BIND 9.8.7b1 Release Notes -- https://kb.isc.org/article/AA-01076
BIND 9.6-ESV-R11b1 Release Notes -- https://kb.isc.org/article/AA-01077
Re: Adding DS records
On Fri, 2013-12-20 at 12:58 -0500, Thomas Schulz wrote:
>
> Well, we started with them back when they were the only company registering
> domain names. And up to now there were no problems (other than perhaps price).
>

and their highly unethical business practices, OK my experiences with them ended ten years ago, but, that's one book I judged by its cover after what they did to me.

> Any recommendations for another company for a .com domain in the US?
> I suppose that I could always use the DLV, but I would rather not.
>
> T

I use cheapdomainregistration.com , reseller from wild west domains, owned by godaddy, and despite a lot of people's opinions, I've not in ten years had one single issue with WWD.
Re: Unable to transfer IPv4 reverse zone
I think this has got to the point of running named in the foreground with debugging on the master.

named -g -d 100

This will log everything to stderr.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org