"Recursive no;" implications?

2014-01-21 Thread LuKreme
If you set recursion no; in named.conf, you need to set the forwarders as well. 
Is there anything else that must be done so that DNS queries still work?

If you have master/slave servers you should specify allow-recursion for your 
subnet instead, right? If you do this, you don't need to set forwarders, yes?

And finally, can you specify a slave DNS against a CNAME or must it have a rDNS 
and an A record?

For example

  NS ns1.example.com.
  NS ns2.example.com.

Ns1.  A  12.34.56.789
Ns2   CNAME name.someothername.tld

Where the server at the CNAME doesn't have rDNS?


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: "Recursive no;" implications?

2014-01-21 Thread Mark Andrews

In message <09dcbf8a-3d91-430d-beee-4e7287642...@kreme.com>, LuKreme writes:
> If you set recursion no; in named.conf, you need to set the forwarders as well.
> Is there anything else that must be done so that DNS queries still work?

Forwarders will have no effect once recursion no; is set as forwarders only
change the server used when named recurses.

> If you have master/slave servers you should specify allow-recursion for your 
> subnet instead, right? If you do this, you don't need to set forwarders, yes?

Allow-recursion has no impact on master / slave zones.
 
> And finally, can you specify a slave DNS against a CNAME or must it have a
> rDNS and an A record?

No.  NS records need to refer to nodes with A and/or AAAA records.  Reverse
DNS is irrelevant to the delegation.
 
> For example
> 
>   NS ns1.example.com.
>   NS ns2.example.com.
> 
> Ns1.  A  12.34.56.789
> Ns2   CNAME name.someothername.tld
> 
> Where the server at the CNAME doesn't have rDNS?
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: "Recursive no;" implications?

2014-01-21 Thread Steven Carr
On 21 January 2014 09:03, LuKreme  wrote:
> If you set recursion no; in named.conf, you need to set the forwarders as 
> well. Is there anything else that must be done so that DNS queries still work?

Forwarding will not work if you don't have recursion enabled. With
recursion disabled you are a pure authoritative server, you will only
answer queries to which you are serving data for.

> If you have master/slave servers you should specify allow-recursion for your 
> subnet instead, right? If you do this, you don't need to set forwarders, yes?

Recursion has no effect with the master/slave relationship. Recursion
is only needed if clients need to be able to resolve names and you
want your nameserver to lookup that answer for them. If you have
recursion enabled then no you don't need to specify forwarders, but
you do need to ensure your nameservers have full outbound DNS to the
Internet (and all of the Internet) and it isn't blocked by any
firewall.

> And finally, can you specify a slave DNS against a CNAME or must it have a 
> rDNS and an A record?

No, http://tools.ietf.org/html/rfc2181 - Section 10.3: The domain name
used as the value of a NS resource record, or part of the value of a
MX resource record must not be an alias.
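An added example, not code from the thread, from ISC or from BIND, that applies the RFC 2181 section 10.3 rule Mark and Steven cite mechanically. It parses a small constructed zone fragment modelled on LuKreme's example and flags NS targets that are CNAMEs, in-zone NS targets that have no A/AAAA glue, and address values that are not valid IPs (the 12.34.56.789 from the original post is kept so that check has something to catch). The zone text, the record layout and the helper names are assumptions made for the illustration.

```python
# Added example, not code from the bind-users thread or from BIND itself.
# Lints delegation NS records against RFC 2181 s10.3: an NS target must be a
# hostname owning A/AAAA records, never an alias (CNAME). Zone text, record
# layout and helper names are assumptions made for this illustration.
import ipaddress
from collections import defaultdict

# Constructed zone fragment modelled on the example in the thread; the
# 12.34.56.789 value is kept on purpose so the address check has work to do.
ZONE = """\
; owner                type   rdata
example.com.           NS     ns1.example.com.
example.com.           NS     ns2.example.com.
example.com.           NS     ns3.example.net.
ns1.example.com.       A      12.34.56.789
ns2.example.com.       CNAME  name.someothername.tld.
"""


def parse_zone(text, origin="example.com."):
    """Parse 'owner TYPE rdata' lines into {owner: [(type, rdata), ...]}.

    Relative owner names (and relative NS/CNAME targets) get the origin
    appended, the way a zone file without $ORIGIN would be read.
    """
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue
        owner, rtype, rdata = parts[0], parts[1].upper(), parts[2]
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"
        if rtype in ("NS", "CNAME") and not rdata.endswith("."):
            rdata = f"{rdata}.{origin}"
        records[owner.lower()].append((rtype, rdata.lower()))
    return dict(records)


def check_delegation(records, zone="example.com."):
    """Return a list of problems with the NS set at the zone apex."""
    zone = zone.lower()
    problems = []
    for rtype, target in records.get(zone, []):
        if rtype != "NS":
            continue
        rrs = records.get(target, [])
        types = {t for t, _ in rrs}
        if "CNAME" in types:
            # RFC 2181 s10.3: the NS target itself must not be an alias.
            problems.append(f"{target}: NS target is a CNAME (RFC 2181 s10.3)")
            continue
        addrs = [d for t, d in rrs if t in ("A", "AAAA")]
        in_zone = target == zone or target.endswith("." + zone)
        if in_zone and not addrs:
            # In-zone name servers need glue or the delegation cannot be followed;
            # out-of-zone ones (ns3.example.net.) are resolved separately.
            problems.append(f"{target}: in-zone NS target has no A/AAAA glue")
        for addr in addrs:
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{target}: address {addr!r} is not a valid IP")
    return problems


if __name__ == "__main__":
    for problem in check_delegation(parse_zone(ZONE)):
        print(problem)
```

Run against the constructed zone it reports ns1 for the bad address and ns2 for the CNAME; ns3.example.net. passes because an out-of-zone name server needs no glue in this zone.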


Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-21 Thread Carsten Strotmann
Hi Chris,

Chris Buxton  writes:

> I’d bet that the package from Men & Mice includes this script or an
> equivalent workaround. When I wrote the original script I wrote about
> above, I worked at Men & Mice.

Your script or the sleep timer is not in the package anymore, but maybe
it should be. I did some testing on our MacOS X Systems, and we also did
not receive issue reports from customers using the MacOS X installer
packages. Thanks for reminding me (us).

However I will look into the issue and put the "sleep" back in if needed
(or find a better patch to inform BIND on changes of the network config).

@Larry: let me know if you are using the Men & Mice compiled BIND
installer packages, and if the issue still appears.

Best regards

Carsten (now building the BIND packages @ Men & Mice)

Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-21 Thread Larry Stone

On Jan 21, 2014, at 5:32 AM, Carsten Strotmann  wrote:

> Hi Chris,
> 
> Chris Buxton  writes:
> 
>> I’d bet that the package from Men & Mice includes this script or an
>> equivalent workaround. When I wrote the original script I wrote about
>> above, I worked at Men & Mice.
> 
> Your script or the sleep timer is not in the package anymore, but maybe
> it should be. I did some testing on our MacOS X Systems, and we also did
> not receive issue reports from customers using the MacOS X installer
> packages. Thanks for reminding me (us).
> 
> However I will look into the issue and put the "sleep" back in if needed
> (or find a better patch to inform BIND on changes of the network config).
> 
> @Larry: let me know if you are using the Men & Mice compiled BIND
> installer packages, and if the issue still appears.

Carsten, no I am not using the Men & Mice compiled BIND (until three days ago, 
I had not even heard of Men & Mice). I might be able to play with it in a test 
environment later in the week. Is there any documentation for it or is it just 
the installer package?

-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/






Re: classless ptr setup

2014-01-21 Thread Matus UHLAR - fantomas

On 01/20/2014 11:21 AM, Jim Pazarena wrote:

Thank you for this. I am familiar with the setup; I suppose that my
question was unclear.

Can the SAME named.conf handle BOTH the /24 cname assignments AND
the /25 in-addr.arpa records.

Which sounds like a dumb question, but I thought named may not like it.
But I'll set it up and see if named complains (if at all).


On 20.01.14 14:47, Doug Barton wrote:
There's no reason named cannot do it, but the question is why would 
you want to? It would make sense to split the zone into /25s if you 
were going to delegate them to your customers, but if you're going to 
host it all on the same server you get a lot of extra complexity for 
no real benefit.


he apparently wants to be a slave for those /25's so they work when any of
primaries fail.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
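An added example, not from the thread or from BIND, of the RFC 2317 layout the question is about. It generates the CNAME records that go into the /24 in-addr.arpa zone for a /25 block and the named.conf stanzas for serving that /24 zone and the /25 child zone from the same named.conf, with the /25 configured as a slave as Matus describes. The network values, file names and the master address are assumptions for the illustration.

```python
# Added example, not code from the thread or from BIND. Generates the RFC 2317
# classless in-addr.arpa delegation for a sub-/24 block: the CNAMEs that live
# in the parent /24 reverse zone and the named.conf stanzas that let one named
# serve the /24 (as master) and the /25 (as slave) side by side. Addresses,
# file paths and the master IP are assumptions made for this illustration.
import ipaddress


def reverse_zone_name(net):
    """'192.0.2.0/24' -> '2.0.192.in-addr.arpa.' (parent must be a /24)."""
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def rfc2317_records(parent_cidr, child_cidr):
    """Return (child_zone_name, cname_lines) for delegating child_cidr.

    cname_lines are relative to the parent zone, e.g.
    '128  CNAME  128.128/25.2.0.192.in-addr.arpa.'
    """
    parent = ipaddress.ip_network(parent_cidr)
    child = ipaddress.ip_network(child_cidr)
    if parent.prefixlen != 24 or child.prefixlen <= 24 or not child.subnet_of(parent):
        raise ValueError("child must be a proper sub-block of a /24 parent")
    parent_zone = reverse_zone_name(parent)
    first = int(child.network_address) & 0xFF
    child_zone = f"{first}/{child.prefixlen}.{parent_zone}"
    lines = []
    for addr in child:                      # every address in the block
        last = int(addr) & 0xFF
        lines.append(f"{last}  CNAME  {last}.{child_zone}")
    return child_zone, lines


def named_conf_stanzas(parent_cidr, child_cidr, child_master="192.0.2.53"):
    """Return named.conf text holding both zones in one configuration."""
    parent_zone = reverse_zone_name(ipaddress.ip_network(parent_cidr))
    child_zone, _ = rfc2317_records(parent_cidr, child_cidr)
    # Strip trailing dots: named.conf zone names are written without them,
    # and the '/' in the child zone name must not end up in a file name.
    child_file = child_zone[:-1].replace("/", "_")
    return (
        f'zone "{parent_zone[:-1]}" {{\n'
        f'    type master;\n'
        f'    file "db.{parent_zone[:-1]}";   // your own PTRs plus the CNAMEs\n'
        f'}};\n'
        f'zone "{child_zone[:-1]}" {{\n'
        f'    type slave;\n'
        f'    masters {{ {child_master}; }};\n'
        f'    file "db.{child_file}";\n'
        f'}};\n'
    )


if __name__ == "__main__":
    zone, cnames = rfc2317_records("192.0.2.0/24", "192.0.2.128/25")
    print(f"; child zone: {zone}")
    print("\n".join(cnames[:3] + ["; ..."]))
    print(named_conf_stanzas("192.0.2.0/24", "192.0.2.128/25"))
```

The point the generated output makes is that nothing in the two stanzas conflicts: the /24 zone carries the CNAMEs, the /25 zone carries the PTRs, and named loads both from one configuration.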


db- files on secondary dns server

2014-01-21 Thread Ayca Taskin (Garanti Teknoloji)
Hi All,
We're using the Bind DNS server, version BIND 9.9.2, as a secondary (slave) DNS 
server. We saw there are a lot of files starting with "db-" under the /var/named 
directory, updating continuously. Does anybody know what they are?


Ayca Taskin
Architecture and IT Security Management
Engineer

Evren Mahallesi, Koçman Caddesi No:34 Güneşli 34212 İstanbul

Tel: +90 212 478 35 35
Direct: 56 98
Fax: +90 212 657 04 73




This message and attachments are confidential and intended solely for the 
individual(s) stated in this message. If you received this message although you 
are not the addressee, you are responsible to keep the message confidential. 
The sender has no responsibility for the accuracy or correctness of the 
information in the message and its attachments. Our company shall have no 
liability for any changes or late receiving, loss of integrity and 
confidentiality, viruses and any damages caused in anyway to your computer 
system.

Re: db- files on secondary dns server

2014-01-21 Thread Steven Carr
On 21 January 2014 13:41, Ayca Taskin (Garanti Teknoloji) <
ayc...@garanti.com.tr> wrote:

>  We’re using Bind DNS server  with version BIND 9.9.2 as a secondary
> (slave) dns server. We saw there is a lot of files starting with “db-“
>  under /var/named directory and updating continuously. does anybody  know
> what it is?
>

I already responded to this when you posted on dns-operations...

Those files are cached copies of the slave zones you are serving. Bind will
transfer and keep a copy of these zones to enable bind to serve the data
immediately on a restart, otherwise it would have to perform a zone
transfer on start-up and if the master is no longer available then bind
wouldn't be able to serve the zone.

Steve

Re: Upgrading from 9.8.3 to 9.9.4

2014-01-21 Thread Lawrence K. Chen, P.Eng.


On 01/16/14 16:39, Mike Hoskins (michoski) wrote:
> -Original Message-
> From: Mike Bernhardt 
> Date: Thursday, January 16, 2014 4:09 PM
> To: "bind-users@lists.isc.org" 
> Subject: RE: Upgrading from 9.8.3 to 9.9.4
> 
>> Sorry for the double post, but I forgot to ask this:
>> And if it is indeed enabled regardless of my RFC1918 ranges, I would
>> imagine
>> that for my internal servers which have those ranges, I would want to add
>> "disable-empty-zone ".";" to my global options? And for my external-facing
>> server which of course has no RFC1918, I would leave it to the default
>> setting?
> 
> 
> You don't have to do this.  BIND won't enable the empty zone if you
> already have it defined.
> 
> 

The problem I was referring to is mentioned in the feedback to this KB
article:

https://kb.isc.org/article/AA-00803/0/Why-are-queries-for-some-PTR-records-no-longer-forwarded-since-upgrading-to-BIND-9.9.0.html

Though, from 9.9.4 Release Notes, that's probably addressed by this bug fix:

Fix forwarding for  forward only "zones" beneath automatic empty zones.
[RT #34583]


-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally


Re: additional section policy

2014-01-21 Thread Kevin Darcy
If the names of the referred nameservers are in the domain of the 
referral (e.g. *.example.com nameservers referred for the example.com 
delegation), then it is *mandatory* to fill in the Additional Section 
with the relevant A/AAAA address records, since there is no other way 
for the referral to work (chicken-and-egg problem).


In most other cases, the contents of the Additional Section are 
discretionary; the responding nameserver can fill in whatever it thinks 
is "useful" to the requester. For security reasons, though, the 
requester would be wise to only pay attention to those records in the 
Additional Section that are within the "bailiwick" of the original 
question, otherwise they might accept something untrustworthy into their 
cache (the whole "bailiwick" thing is confusing, but 
http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug 
explains it fairly well).


The decision of what nameserver, among several, gets picked for 
resolving iterative queries for a particular domain, is only 
tangentially related to Additional Section processing, since NS records 
can be fetched or seen in a variety of ways, and they are (as Chris 
responded) selected via an adaptive algorithm based on SRTT (smoothed 
round-trip time). Even that, however, has been proven to be somewhat 
susceptible to attack:


http://securityintelligence.com/subverting-binds-srtt-algorithm-derandomizing-ns-selection/

in order to steer traffic to particular nameservers, for purposes, 
presumably, of DoS or to magnify the effect of a subset of nameservers 
having been compromised.


- Kevin

On 1/19/2014 10:30 PM, houguanghua wrote:

Dear all,

Would you please tell me which RFC depicts the policy of 'additional 
section'? and how bind server deals with 'additional section'?


Sometimes the number of records in the 'additional section' is more than the number 
in the 'authority section'. I don't know what the local bind server will do when 
receiving these additional sections.

Local Bind server may:
   -- pick one name server randomly
   -- or use sophisticated policies that "score" name servers and pick 
more often the ones that replied faster


Which is right?

Thanks!
Guanghua


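An added example, not code from the thread or from BIND, of the cache acceptance rule Kevin describes: a resolver that received a referral for example.com should only take Additional Section address records into its cache when they are inside the referral's bailiwick and are actually named by one of its NS records. The referral contents (NS names, addresses, the extra name an attacker might slip in) are constructed for the illustration; the function names are assumptions.

```python
# Added example, not code from the thread or from BIND. Shows the cache
# acceptance rule from the post: a resolver that got a referral for
# example.com should only cache Additional Section address records that are
# inside the referral's bailiwick and named by one of its NS records.
# Record values and the referral layout are constructed for this illustration.


def in_bailiwick(name, zone):
    """True if name is zone itself or a descendant of zone (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if zone == "":           # the root zone contains everything
        return True
    return name == zone or name.endswith("." + zone)


def filter_additional(delegated_zone, ns_targets, additional):
    """Split Additional Section records into (accepted, rejected).

    Accept an A/AAAA record only when its owner is one of the NS targets
    of this referral and lies inside the delegated zone; everything else
    (out-of-bailiwick glue, unrelated names slipped in by an attacker) is
    dropped and must be resolved with a separate query of its own.
    """
    targets = {t.lower().rstrip(".") for t in ns_targets}
    accepted, rejected = [], []
    for owner, rtype, rdata in additional:
        o = owner.lower().rstrip(".")
        if rtype in ("A", "AAAA") and o in targets and in_bailiwick(o, delegated_zone):
            accepted.append((owner, rtype, rdata))
        else:
            rejected.append((owner, rtype, rdata))
    return accepted, rejected


# Constructed referral from a .com server for www.example.com: two NS names,
# one in-zone (its glue is mandatory) and one out-of-zone (must not be
# trusted from here), plus an unrelated record a poisoning attempt would add.
DELEGATED_ZONE = "example.com."
NS_TARGETS = ["ns1.example.com.", "ns2.example.net."]
ADDITIONAL = [
    ("ns1.example.com.", "A", "192.0.2.1"),      # in-bailiwick glue: keep
    ("ns2.example.net.", "A", "192.0.2.2"),      # out-of-bailiwick: re-resolve
    ("www.bank.example.", "A", "203.0.113.7"),   # not an NS target at all: drop
]

if __name__ == "__main__":
    accepted, rejected = filter_additional(DELEGATED_ZONE, NS_TARGETS, ADDITIONAL)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Rejecting ns2.example.net's address here costs one extra lookup; accepting it would let whoever answers for example.com decide where traffic for example.net goes, which is exactly the cache poisoning path the linked article describes.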

Re: "Recursive no;" implications?

2014-01-21 Thread LuKreme

On 21 Jan 2014, at 02:12 , Mark Andrews  wrote:

>> If you have master/slave servers you should specify allow-recursion for your 
>> subnet instead, right? I'd you do this, you don't need to set forwarders, 
>> yes?
> 
> Allow-recursion has no impact on master / slave zones.

OK, so in order to lock down your server against DDoS DNS attacks you need to 
restrict access to the recursive lookup, yes? But if you set 'recursion 
no;' then your own servers will not look up IP addresses for, for example, your 
mail server to check reject_unknown_reverse_client_hostname or related.



Looking at that, if I am reading it correctly, I should have

allow-recursion { "localnets"; };

in the options on the master and slave DNS servers (along with any other 
specific IPs that I want to/need to allow). Given the risks in allowing 
recursion for the wilds of the Internet, how are companies like Google able to 
allow access to 8.8.8.8 and 8.8.4.4 without being used for these DDOS attacks?

>> And finally, can you specify a slave DNS against a CNAME or must it have a rD
>> NS and an A record?
> 
> No.  NS records need to refer to nodes with A and/or  records.  Reverse
> DNS is irrelevent to the delegation.

Thanks, I thought that was the case.

-- 
"A thousand years ago we thought the world was a bowl. Five hundred
years ago we knew it was a globe. Today we know it is flat and round
carried through space on the back of a turtle. Don't you wonder what
shape it will turn out to be tomorrow?" [Lord Vetinari]

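An added example, not code from the thread or from BIND, for checking from the outside whether a server will recurse for a given client, which is the property the allow-recursion ACL in the post is meant to restrict. It sends a query with RD set for a name the server is not authoritative for and reads the reply header: a server that denies the client recursion clears RA and answers REFUSED or a referral with no answer, while an open resolver sets RA and returns an answer. The constructed replies, the transaction ID and the query name are assumptions for the illustration; probe() is the only function that touches the network.

```python
# Added example, not code from the thread or from BIND. Tells whether a name
# server recurses for us: send a query with RD=1 for a name the server is not
# authoritative for and read the reply header. A server that denies us
# recursion (recursion no; or an allow-recursion ACL that excludes us) clears
# RA and answers REFUSED or a referral with no answer; an open resolver sets
# RA and returns an answer. The constructed replies, the transaction ID and
# the query name are assumptions made for this illustration.
import socket
import struct

TXID = 0x1234


def build_query(qname, qtype=1, txid=TXID, rd=True):
    """Build a minimal DNS/UDP query (qtype 1 = A). RD=1 asks for recursion."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_response(resp, txid=TXID):
    """Classify a reply from its 12-byte header alone."""
    if len(resp) < 12:
        return "unknown"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID or QR bit not set
        return "unknown"
    ra = bool(flags & 0x0080)
    rcode = flags & 0x000F
    if rcode == 5:                          # REFUSED: recursion denied to us
        return "refused"
    if ra and rcode == 0 and ancount > 0:   # recursed and answered: open
        return "open-recursive"
    return "closed"                         # e.g. referral with RA clear


def probe(server, qname="www.example.com.", timeout=2.0):
    """Send one query over UDP and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server, 53))
        try:
            resp, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(resp)


def _reply(flags, ancount):
    """Constructed reply: header plus the echoed question, no real RRs."""
    return struct.pack("!HHHHHH", TXID, flags, 1, ancount, 0, 0) + build_query("www.example.com.")[12:]


OPEN_REPLY = _reply(0x8180, 1)     # QR RD RA, NOERROR, one answer: open resolver
REFUSED_REPLY = _reply(0x8105, 0)  # QR RD, RCODE 5: recursion refused to us
CLOSED_REPLY = _reply(0x8100, 0)   # QR RD, RA clear, no answer: referral only

if __name__ == "__main__":
    for name, reply in [("open", OPEN_REPLY), ("refused", REFUSED_REPLY), ("closed", CLOSED_REPLY)]:
        print(name, "->", classify_response(reply))
```

Running probe() against your own master and slave from an address outside localnets should give "refused" or "closed"; "open-recursive" from outside means the ACL is not doing what you think and the server can be used as an amplifier.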


Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-21 Thread LuKreme

On 18 Jan 2014, at 06:52 , Larry Stone  wrote:

> That is not the problem. 

In the launchd plist do you have something like

<dict>
  <key>NetworkState</key>
  <true/>
</dict>

or maybe

<key>inetdCompatibility</key>
<dict>
  <key>Wait</key>
  <true/>
</dict>

to tell the system not to start bind until after the network is up?

-- 
IT IS NOT YET MIDNIGHT?  'I shouldn't think it's more than a quarter
past eleven.' THEN WE HAVE THREE-QUARTERS OF AN HOUR 'How can you be
sure?' BECAUSE OF DRAMA, MISS FLITWORTH.. THE KIND OF DEATH WHO POSES
AGAINST THE SKYLINE AND GETS LIT UP BY LIGHTNING FLASHES, said Bill
Door, disapprovingly, DOESN'T TURN UP AT FIVE-AND-TWENTY PAST ELEVEN IF
HE CAN POSSIBLY TURN UP AT MIDNIGHT.
